diff --git a/.changeset/agent-skills.md b/.changeset/agent-skills.md
new file mode 100644
index 00000000000..5ed3b11fc2f
--- /dev/null
+++ b/.changeset/agent-skills.md
@@ -0,0 +1,16 @@
+---
+"@trigger.dev/sdk": patch
+"@trigger.dev/core": patch
+"@trigger.dev/build": patch
+"trigger.dev": patch
+---
+
+Add Agent Skills for `chat.agent`. Drop a folder with a `SKILL.md` and any helper scripts/references next to your task code, register it with `skills.define({ id, path })`, and the CLI bundles it into the deploy image automatically — no `trigger.config.ts` changes. The agent gets a one-line summary in its system prompt and discovers full instructions on demand via `loadSkill`, with `bash` and `readFile` tools scoped per-skill (path-traversal guards, output caps, abort-signal propagation).
+
+```ts
+const pdfSkill = skills.define({ id: "pdf-extract", path: "./skills/pdf-extract" });
+
+chat.skills.set([await pdfSkill.local()]);
+```
+
+Built on the [AI SDK cookbook pattern](https://ai-sdk.dev/cookbook/guides/agent-skills) — portable across providers. SDK + CLI only for now; dashboard-editable `SKILL.md` text is on the roadmap.
diff --git a/.changeset/ai-prompts.md b/.changeset/ai-prompts.md
new file mode 100644
index 00000000000..511aa303097
--- /dev/null
+++ b/.changeset/ai-prompts.md
@@ -0,0 +1,52 @@
+---
+"@trigger.dev/sdk": minor
+---
+
+**AI Prompts** — define prompt templates as code alongside your tasks, version them on deploy, and override the text or model from the dashboard without redeploying. Prompts integrate with the Vercel AI SDK via `toAISDKTelemetry()` (links every generation span back to the prompt) and with `chat.agent` via `chat.prompt.set()` + `chat.toStreamTextOptions()`.
+
+```ts
+import { prompts } from "@trigger.dev/sdk";
+import { generateText } from "ai";
+import { openai } from "@ai-sdk/openai";
+import { z } from "zod";
+
+export const supportPrompt = prompts.define({
+  id: "customer-support",
+  model: "gpt-4o",
+  config: { temperature: 0.7 },
+  variables: z.object({
+    customerName: z.string(),
+    plan: z.string(),
+    issue: z.string(),
+  }),
+  content: `You are a support agent for Acme.
+
+Customer: {{customerName}} ({{plan}} plan)
+Issue: {{issue}}`,
+});
+
+const resolved = await supportPrompt.resolve({
+  customerName: "Alice",
+  plan: "Pro",
+  issue: "Can't access billing",
+});
+
+const result = await generateText({
+  model: openai(resolved.model ?? "gpt-4o"),
+  system: resolved.text,
+  prompt: "Can't access billing",
+  ...resolved.toAISDKTelemetry(),
+});
+```
+
+**What you get:**
+
+- **Code-defined, deploy-versioned templates** — define with `prompts.define({ id, model, config, variables, content })`. Every deploy creates a new version visible in the dashboard. Mustache-style placeholders (`{{var}}`, `{{#cond}}...{{/cond}}`) with Zod / ArkType / Valibot-typed variables.
+- **Dashboard overrides** — change a prompt's text or model from the dashboard without redeploying. Overrides take priority over the deployed "current" version and are environment-scoped (dev / staging / production independent).
+- **Resolve API** — `prompt.resolve(vars, { version?, label? })` returns the compiled `text`, resolved `model`, `version`, and labels. Standalone `prompts.resolve<typeof handle>(slug, vars)` for cross-file resolution with full type inference on slug and variable shape.
+- **AI SDK integration** — spread `resolved.toAISDKTelemetry({ ...extra })` into any `generateText` / `streamText` call and every generation span links to the prompt in the dashboard alongside its input variables, model, tokens, and cost.
+- **`chat.agent` integration** — `chat.prompt.set(resolved)` stores the resolved prompt run-scoped; `chat.toStreamTextOptions({ registry })` pulls `system`, `model` (resolved via the AI SDK provider registry), `temperature` / `maxTokens` / etc., and telemetry into a single spread for `streamText`.
+- **Management SDK** — `prompts.list()`, `prompts.versions(slug)`, `prompts.promote(slug, version)`, `prompts.createOverride(slug, body)`, `prompts.updateOverride(slug, body)`, `prompts.removeOverride(slug)`, `prompts.reactivateOverride(slug, version)`.
+- **Dashboard** — prompts list with per-prompt usage sparklines; per-prompt detail with Template / Details / Versions / Generations / Metrics tabs. AI generation spans get a custom inspector showing the linked prompt's metadata, input variables, and template content alongside model, tokens, cost, and the message thread.
+
+See [/docs/ai/prompts](https://trigger.dev/docs/ai/prompts) for the full reference — template syntax, version resolution order, override workflow, and type utilities (`PromptHandle`, `PromptIdentifier`, `PromptVariables`).
diff --git a/.changeset/ai-sdk-7-support.md b/.changeset/ai-sdk-7-support.md
new file mode 100644
index 00000000000..9f81c50973f
--- /dev/null
+++ b/.changeset/ai-sdk-7-support.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/sdk": patch
+---
+
+Adds AI SDK 7 support. The `ai` peer range now includes v7, and the `chat.agent` / chat surfaces work against v7's ESM-only build. On v7, install `@ai-sdk/otel` alongside `ai` and the SDK registers it for you so `experimental_telemetry` spans keep flowing into your run traces (v7 stopped emitting them from `ai` core). v5 and v6 keep working unchanged.
diff --git a/.changeset/ai-tool-helpers.md b/.changeset/ai-tool-helpers.md
new file mode 100644
index 00000000000..09e3b612ada
--- /dev/null
+++ b/.changeset/ai-tool-helpers.md
@@ -0,0 +1,15 @@
+---
+"@trigger.dev/sdk": patch
+---
+
+Add `ai.toolExecute(task)` so you can wire a Trigger subtask in as the `execute` handler of an AI SDK `tool()` while defining `description` and `inputSchema` yourself — useful when you want full control over the tool surface and just need Trigger's subtask machinery for the body.
+
+```ts
+const myTool = tool({
+  description: "...",
+  inputSchema: z.object({ ... }),
+  execute: ai.toolExecute(mySubtask),
+});
+```
+
+`ai.tool(task)` (`toolFromTask`) keeps doing the all-in-one wrap and now aligns its return type with AI SDK's `ToolSet`. Minimum `ai` peer raised to `^6.0.116` to avoid cross-version `ToolSet` mismatches in monorepos.
diff --git a/.changeset/backpressure-scale-up-freeze.md b/.changeset/backpressure-scale-up-freeze.md
new file mode 100644
index 00000000000..b69fad0f262
--- /dev/null
+++ b/.changeset/backpressure-scale-up-freeze.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/core": patch
+---
+
+Add optional `shouldPauseScaling` to the supervisor consumer pool scaling options to freeze scale-up while it returns true (scale-down stays allowed).
diff --git a/.changeset/bundle-skills-single-pass.md b/.changeset/bundle-skills-single-pass.md
new file mode 100644
index 00000000000..30b2c428b22
--- /dev/null
+++ b/.changeset/bundle-skills-single-pass.md
@@ -0,0 +1,5 @@
+---
+"trigger.dev": patch
+---
+
+Fix `chat.agent` skills silently missing in `trigger dev` for projects whose task files read `process.env` at module top level (e.g. a third-party SDK client initialized at import). Skill folders now bundle into `.trigger/skills/` reliably regardless of which env vars are set when the CLI launches.
diff --git a/.changeset/cap-idempotency-key-length.md b/.changeset/cap-idempotency-key-length.md
new file mode 100644
index 00000000000..d1360369148
--- /dev/null
+++ b/.changeset/cap-idempotency-key-length.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/core": patch
+---
+
+Reject overlong `idempotencyKey` values at the API boundary so they no longer trip an internal size limit on the underlying unique index and surface as a generic 500. Inputs are capped at 2048 characters — well above what `idempotencyKeys.create()` produces (a 64-character hash) and above any realistic raw key. Applies to `tasks.trigger`, `tasks.batchTrigger`, `batch.create` (Phase 1 streaming batches), `wait.createToken`, `wait.forDuration`, and the input/session stream waitpoint endpoints. Over-limit requests now return a structured 400 instead.
diff --git a/.changeset/chat-agent-hardening.md b/.changeset/chat-agent-hardening.md
new file mode 100644
index 00000000000..0ea82c0617e
--- /dev/null
+++ b/.changeset/chat-agent-hardening.md
@@ -0,0 +1,6 @@
+---
+"@trigger.dev/sdk": patch
+"@trigger.dev/core": patch
+---
+
+Reliability fixes for `chat.agent`. A user message sent while the agent is streaming is no longer delivered twice (which could run a duplicate turn), input appends now carry an idempotency key so a retried send can't duplicate a message, stopping a generation clears the streaming state so a page reload doesn't replay the stopped turn, and runs can now carry the full set of dashboard tags instead of being silently truncated. `onTurnComplete` now fires on errored turns (with the thrown error attached) and the failed turn's user message is persisted so it isn't lost on the next run. Custom agents and manual `chat.writeTurnComplete` callers now trim the output stream, sending a custom action no longer leaves a second stream reader running, and a long-lived `watch` subscription no longer grows its dedupe set without bound.
diff --git a/.changeset/chat-agent-on-boot-hook.md b/.changeset/chat-agent-on-boot-hook.md
new file mode 100644
index 00000000000..5eaa078e65e
--- /dev/null
+++ b/.changeset/chat-agent-on-boot-hook.md
@@ -0,0 +1,21 @@
+---
+"@trigger.dev/sdk": minor
+---
+
+Adds `onBoot` to `chat.agent` — a lifecycle hook that fires once per worker process picking up the chat. Runs for the initial run, preloaded runs, AND reactive continuation runs (post-cancel, crash, `endRun`, `requestUpgrade`, OOM retry), before any other hook. Use it to initialize `chat.local`, open per-process resources, or re-hydrate state from your DB on continuation — anywhere the SAME run picking up after suspend/resume isn't enough.
+
+```ts
+const userContext = chat.local<{ name: string; plan: string }>({ id: "userContext" });
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  onBoot: async ({ clientData, continuation }) => {
+    const user = await db.user.findUnique({ where: { id: clientData.userId } });
+    userContext.init({ name: user.name, plan: user.plan });
+  },
+  run: async ({ messages, signal }) =>
+    streamText({ model: openai("gpt-4o"), messages, abortSignal: signal }),
+});
+```
+
+Use `onBoot` (not `onChatStart`) for state setup that must run every time a worker picks up the chat — `onChatStart` fires once per chat and won't run on continuation, leaving `chat.local` uninitialized when `run()` tries to use it.
diff --git a/.changeset/chat-agent-tools.md b/.changeset/chat-agent-tools.md
new file mode 100644
index 00000000000..1d44ea2a659
--- /dev/null
+++ b/.changeset/chat-agent-tools.md
@@ -0,0 +1,15 @@
+---
+"@trigger.dev/sdk": patch
+---
+
+Add a `tools` option to `chat.agent`. Declaring your tools here threads them into the SDK's internal `convertToModelMessages`, so each tool's `toModelOutput` is re-applied when prior-turn history is re-converted.
+
+```ts
+chat.agent({
+  tools: { readFile, search },
+  run: async ({ messages, tools, signal }) =>
+    streamText({ model, messages, tools, abortSignal: signal }),
+});
+```
+
+Also exports `InferChatUIMessageFromTools<typeof tools>` to derive the chat `UIMessage` type (typed tool parts) directly from a tool set.
diff --git a/.changeset/chat-agent.md b/.changeset/chat-agent.md
new file mode 100644
index 00000000000..733a8ab22e4
--- /dev/null
+++ b/.changeset/chat-agent.md
@@ -0,0 +1,44 @@
+---
+"@trigger.dev/sdk": minor
+"@trigger.dev/core": patch
+---
+
+**AI Agents** — run AI SDK chat completions as durable Trigger.dev agents instead of fragile API routes. Define an agent in one function, point `useChat` at it from React, and the conversation survives page refreshes, network blips, and process restarts.
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText } from "ai";
+import { openai } from "@ai-sdk/openai";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  run: async ({ messages, signal }) =>
+    streamText({ model: openai("gpt-4o"), messages, abortSignal: signal }),
+});
+```
+
+```tsx
+import { useChat } from "@ai-sdk/react";
+import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+
+const transport = useTriggerChatTransport({ task: "my-chat", accessToken, startSession });
+const { messages, sendMessage } = useChat({ transport });
+```
+
+**What you get:**
+
+- **AI SDK `useChat` integration** — a custom [`ChatTransport`](https://sdk.vercel.ai/docs/ai-sdk-ui/transport) (`useTriggerChatTransport`) plugs straight into Vercel AI SDK's `useChat` hook. Text streaming, tool calls, reasoning, and `data-*` parts all work natively over Trigger.dev's realtime streams. No custom API routes needed.
+- **First-turn fast path (`chat.headStart`)** — opt-in handler that runs the first turn's `streamText` step in your warm server process while the agent run boots in parallel, cutting cold-start TTFC by roughly half (measured 2801ms → 1218ms on `claude-sonnet-4-6`). The agent owns step 2+ (tool execution, persistence, hooks) so heavy deps stay where they belong. Web Fetch handler works natively in Next.js, Hono, SvelteKit, Remix, Workers, etc.; bridge to Express/Fastify/Koa via `chat.toNodeListener`. New `@trigger.dev/sdk/chat-server` subpath.
+- **Multi-turn durability via Sessions** — every chat is backed by a durable Session that outlives any individual run. Conversations resume across page refreshes, idle timeout, crashes, and deploys; `resume: true` reconnects via `lastEventId` so clients only see new chunks. `sessions.list` enumerates chats for inbox-style UIs.
+- **Auto-accumulated history, delta-only wire** — the backend accumulates the full conversation across turns; clients only ship the new message each turn. Long chats never hit the 512 KiB body cap. Register `hydrateMessages` to be the source of truth yourself.
+- **Lifecycle hooks** — `onPreload`, `onChatStart`, `onValidateMessages`, `hydrateMessages`, `onTurnStart`, `onBeforeTurnComplete`, `onTurnComplete`, `onChatSuspend`, `onChatResume` — for persistence, validation, and post-turn work.
+- **Stop generation** — client-driven `transport.stopGeneration(chatId)` aborts mid-stream; the run stays alive for the next message, partial response is captured, and aborted parts (stuck `partial-call` tools, in-progress reasoning) are auto-cleaned.
+- **Tool approvals (HITL)** — tools with `needsApproval: true` pause until the user approves or denies via `addToolApprovalResponse`. The runtime reconciles the updated assistant message by ID and continues `streamText`.
+- **Steering and background injection** — `pendingMessages` injects user messages between tool-call steps so users can steer the agent mid-execution; `chat.inject()` + `chat.defer()` adds context from background work (self-review, RAG, safety checks) between turns.
+- **Actions** — non-turn frontend commands (undo, rollback, regenerate, edit) sent via `transport.sendAction`. Fire `hydrateMessages` + `onAction` only — no turn hooks, no `run()`. `onAction` can return a `StreamTextResult` for a model response, or `void` for side-effect-only.
+- **Typed state primitives** — `chat.local<T>` for per-run state accessible from hooks, `run()`, tools, and subtasks (auto-serialized through `ai.toolExecute`); `chat.store` for typed shared data between agent and client; `chat.history` for reading and mutating the message chain; `clientDataSchema` for typed `clientData` in every hook.
+- **`chat.toStreamTextOptions()`** — one spread into `streamText` wires up versioned system [Prompts](https://trigger.dev/docs/ai/prompts), model resolution, telemetry metadata, compaction, steering, and background injection.
+- **Multi-tab coordination** — `multiTab: true` + `useMultiTabChat` prevents duplicate sends and syncs state across browser tabs via `BroadcastChannel`. Non-active tabs go read-only with live updates.
+- **Network resilience** — built-in indefinite retry with bounded backoff, reconnect on `online` / tab refocus / bfcache restore, `Last-Event-ID` mid-stream resume. No app code needed.
+
+See [/docs/ai-chat](https://trigger.dev/docs/ai-chat/overview) for the full surface — quick start, three backend approaches (`chat.agent`, `chat.createSession`, raw task), persistence and code-sandbox patterns, type-level guides, and API reference.
diff --git a/.changeset/chat-boot-cursor.md b/.changeset/chat-boot-cursor.md
new file mode 100644
index 00000000000..eb1b7a41c98
--- /dev/null
+++ b/.changeset/chat-boot-cursor.md
@@ -0,0 +1,6 @@
+---
+"@trigger.dev/sdk": patch
+"@trigger.dev/core": patch
+---
+
+Continuation chat boots no longer stall for around 10 seconds before the first turn. The `session.in` resume cursor is now found with a non-blocking records read instead of draining an SSE long-poll (which always waited out its full 5 second inactivity window, twice per boot), the boot reads run concurrently, and chat snapshots carry the cursor so subsequent boots skip the scan entirely.
diff --git a/.changeset/chat-headstart-hydrate.md b/.changeset/chat-headstart-hydrate.md
new file mode 100644
index 00000000000..49e9bb926ee
--- /dev/null
+++ b/.changeset/chat-headstart-hydrate.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/sdk": patch
+---
+
+Fix `chat.headStart` when `hydrateMessages` is registered. The warm route's step-1 partial now reaches the agent's accumulator on the hydrate path, so `onTurnComplete` carries the full first turn (the head-start user message included), tool-call handovers resume from step 2 instead of re-running step 1, and the assistant `messageId` stays stable across the handover.
diff --git a/.changeset/chat-headstart-reasoning.md b/.changeset/chat-headstart-reasoning.md
new file mode 100644
index 00000000000..a53d388c561
--- /dev/null
+++ b/.changeset/chat-headstart-reasoning.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/sdk": patch
+---
+
+Preserve reasoning parts across the `chat.headStart` handover. Extended-thinking models' step-1 reasoning now lands in the durable session history (and `onTurnComplete`) under the same assistant `messageId`, with provider metadata intact so Anthropic thinking signatures survive replays.
diff --git a/.changeset/chat-history-read-primitives.md b/.changeset/chat-history-read-primitives.md
new file mode 100644
index 00000000000..fd26ad8548b
--- /dev/null
+++ b/.changeset/chat-history-read-primitives.md
@@ -0,0 +1,21 @@
+---
+"@trigger.dev/sdk": minor
+---
+
+Add read primitives to `chat.history` for HITL flows: `getPendingToolCalls()`, `getResolvedToolCalls()`, `extractNewToolResults(message)`, `getChain()`, and `findMessage(messageId)`. These lift the accumulator-walking logic that customers building human-in-the-loop tools were re-implementing into the SDK.
+
+Use `getPendingToolCalls()` to gate fresh user turns while a tool call is awaiting an answer. Use `extractNewToolResults(message)` to dedup tool results when persisting to your own store — the helper returns only the parts whose `toolCallId` is not already resolved on the chain.
+
+```ts
+const pending = chat.history.getPendingToolCalls();
+if (pending.length > 0) {
+  // an addToolOutput is expected before a new user message
+}
+
+onTurnComplete: async ({ responseMessage }) => {
+  const newResults = chat.history.extractNewToolResults(responseMessage);
+  for (const r of newResults) {
+    await db.toolResults.upsert({ id: r.toolCallId, output: r.output, errorText: r.errorText });
+  }
+};
+```
diff --git a/.changeset/chat-session-attributes.md b/.changeset/chat-session-attributes.md
new file mode 100644
index 00000000000..ec4c6a54076
--- /dev/null
+++ b/.changeset/chat-session-attributes.md
@@ -0,0 +1,6 @@
+---
+"@trigger.dev/sdk": patch
+"@trigger.dev/core": patch
+---
+
+Stamp `gen_ai.conversation.id` (the chat id) on every span and metric emitted from inside a `chat.task` or `chat.agent` run. Lets you filter dashboard spans, runs, and metrics by the chat conversation that produced them — independent of the run boundary, so multi-run chats correlate cleanly. No code changes required on the user side.
diff --git a/.changeset/chat-slim-wire-merge.md b/.changeset/chat-slim-wire-merge.md
new file mode 100644
index 00000000000..19ea48a8cdd
--- /dev/null
+++ b/.changeset/chat-slim-wire-merge.md
@@ -0,0 +1,31 @@
+---
+"@trigger.dev/sdk": patch
+---
+
+Fix `chat.agent` HITL continuations on reasoning-heavy turns. Two changes that work together:
+
+- The per-turn merge now overlays the wire copy's tool-part state advancement onto the agent's existing chain — `state` + the matching resolution field (`output` / `errorText` / `approval`) come from the wire, everything else (text, reasoning, tool `input`, provider metadata) stays whatever the snapshot or `hydrateMessages` returned. Previously a full-message replace overwrote those fields with whatever the client shipped, so a slimmed wire copy landed a tool call with no `arguments` on the next LLM call. Covers `output-available` / `output-error` (HITL `addToolOutput`) and `approval-responded` / `output-denied` (approval flow).
+- `TriggerChatTransport.sendMessages` and `AgentChat.sendRaw` now slim assistant messages that carry advanced tool parts. The wire payload is just `{ id, role, parts: [<state + resolution field>] }` for `submit-message` continuations; everything else passes through. Reasoning blobs and full tool inputs no longer ride the wire on every `addToolOutput` / `addToolApproveResponse`, so continuation payloads stay well under the `.in/append` cap on long agent loops.
+
+Note: `onValidateMessages` receives the slim wire on HITL turns. If you call `validateUIMessages` from `ai` against the full `messages` array it will reject the slim assistant; filter to user messages (or skip on HITL turns) — see the updated docstring on `onValidateMessages` for the recommended pattern.
+
+For `hydrateMessages` hooks that persist the chain, this release also adds a small helper to the `@trigger.dev/sdk/ai` surface:
+
+```ts
+import { chat, upsertIncomingMessage } from "@trigger.dev/sdk/ai";
+
+chat.agent({
+  hydrateMessages: async ({ chatId, trigger, incomingMessages }) => {
+    const record = await db.chat.findUnique({ where: { id: chatId } });
+    const stored = record?.messages ?? [];
+    if (upsertIncomingMessage(stored, { trigger, incomingMessages })) {
+      await db.chat.update({ where: { id: chatId }, data: { messages: stored } });
+    }
+    return stored;
+  },
+});
+```
+
+It pushes fresh user messages by id, no-ops on HITL continuations (the incoming shares an id with the existing assistant — the runtime overlays the new tool-state advance), and skips on non-`submit-message` triggers. Returns `true` if it mutated `stored` so the caller knows whether to persist.
+
+Net effect: `chat.addToolOutput(...)` / `chat.addToolApproveResponse(...)` on multi-step reasoning agents (OpenAI Responses with `store: false`, Anthropic extended thinking, etc.) no longer blows the cap and no longer corrupts the LLM input.
diff --git a/.changeset/chat-start-session-action-typed-client-data.md b/.changeset/chat-start-session-action-typed-client-data.md
new file mode 100644
index 00000000000..acd75037caf
--- /dev/null
+++ b/.changeset/chat-start-session-action-typed-client-data.md
@@ -0,0 +1,22 @@
+---
+"@trigger.dev/sdk": patch
+---
+
+Type `chat.createStartSessionAction` against your chat agent so `clientData` is typed end-to-end on the first turn:
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import type { myChat } from "@/trigger/chat";
+
+export const startChatSession = chat.createStartSessionAction<typeof myChat>("my-chat");
+
+// In the browser, threaded from the transport's typed startSession callback:
+const transport = useTriggerChatTransport<typeof myChat>({
+  task: "my-chat",
+  startSession: ({ chatId, clientData }) =>
+    startChatSession({ chatId, clientData }),
+  // ...
+});
+```
+
+`ChatStartSessionParams` gains a typed `clientData` field — folded into the first run's `payload.metadata` so `onPreload` / `onChatStart` see the same shape per-turn `metadata` carries via the transport. The opaque session-level `metadata` field is unchanged.
diff --git a/.changeset/chat-transport-recreate-missing-session.md b/.changeset/chat-transport-recreate-missing-session.md
new file mode 100644
index 00000000000..dba916e9442
--- /dev/null
+++ b/.changeset/chat-transport-recreate-missing-session.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/sdk": patch
+---
+
+`useTriggerChatTransport` now recovers when restored session state points at a session that no longer exists in the current environment
diff --git a/.changeset/cli-deploy-skip-rewrite-timestamp.md b/.changeset/cli-deploy-skip-rewrite-timestamp.md
new file mode 100644
index 00000000000..60e82732dce
--- /dev/null
+++ b/.changeset/cli-deploy-skip-rewrite-timestamp.md
@@ -0,0 +1,5 @@
+---
+"trigger.dev": patch
+---
+
+Add `TRIGGER_BUILD_SKIP_REWRITE_TIMESTAMP=1` escape hatch for local self-hosted builds whose buildx driver doesn't support `rewrite-timestamp` alongside push (e.g. orbstack's default `docker` driver).
diff --git a/.changeset/cli-init-ai-tooling.md b/.changeset/cli-init-ai-tooling.md
new file mode 100644
index 00000000000..a7a4c8be14a
--- /dev/null
+++ b/.changeset/cli-init-ai-tooling.md
@@ -0,0 +1,5 @@
+---
+"trigger.dev": patch
+---
+
+`trigger init` now sets up your AI coding assistant as part of project setup: pick the MCP server, the agent skills, or both, then scaffold with the CLI or hand off to your assistant. Adds a new `getting-started` agent skill that teaches assistants how to bootstrap Trigger.dev (install the SDK, write `trigger.config.ts`, create a first task, run `trigger dev`), so the AI-driven setup path works end to end. It ships in the CLI alongside the existing skills, version-matched to your SDK.
diff --git a/.changeset/coerce-concurrency-key-to-string.md b/.changeset/coerce-concurrency-key-to-string.md
new file mode 100644
index 00000000000..faccf7a48bf
--- /dev/null
+++ b/.changeset/coerce-concurrency-key-to-string.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/core": patch
+---
+
+Coerce numeric `concurrencyKey` values to string at the API boundary across `tasks.trigger`, `tasks.batchTrigger`, and the Phase-2 streaming batch endpoint.
diff --git a/.changeset/dequeue-latency-histogram.md b/.changeset/dequeue-latency-histogram.md
new file mode 100644
index 00000000000..0b69b8c98a9
--- /dev/null
+++ b/.changeset/dequeue-latency-histogram.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/core": patch
+---
+
+Record client-side dequeue API latency in the supervisor consumer pool as a Prometheus histogram (`queue_consumer_pool_dequeue_duration_seconds`, labelled by `outcome`: success/empty/error).
diff --git a/.changeset/duplicate-task-ids.md b/.changeset/duplicate-task-ids.md
new file mode 100644
index 00000000000..c68724bfedd
--- /dev/null
+++ b/.changeset/duplicate-task-ids.md
@@ -0,0 +1,6 @@
+---
+"@trigger.dev/core": patch
+"trigger.dev": patch
+---
+
+`dev` and `deploy` now fail with a clear error when two tasks are defined with the same id, including across different task types (e.g. a scheduled task and a regular task sharing an id). Previously the second definition silently overwrote the first, so one of the tasks would vanish with no warning. Task ids are detected as duplicates during indexing (naming each offending id and the files it was found in), and the same rule is enforced server-side when the background worker is registered.
diff --git a/.changeset/env-vars-tracing-forceflush-typecheck.md b/.changeset/env-vars-tracing-forceflush-typecheck.md
new file mode 100644
index 00000000000..9d90c0383d7
--- /dev/null
+++ b/.changeset/env-vars-tracing-forceflush-typecheck.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/core": patch
+---
+
+Fix `@trigger.dev/core` build: cast the underlying log record exporter when calling `forceFlush` so it typechecks against the updated OpenTelemetry `LogRecordExporter` type (which no longer declares `forceFlush`).
diff --git a/.changeset/envvars-import-is-secret.md b/.changeset/envvars-import-is-secret.md
new file mode 100644
index 00000000000..5fbe70f43ae
--- /dev/null
+++ b/.changeset/envvars-import-is-secret.md
@@ -0,0 +1,12 @@
+---
+"@trigger.dev/core": patch
+---
+
+`envvars.upload` now accepts an optional `isSecret` flag, letting you create the imported variables as secret (redacted) environment variables. When omitted, variables default to non-secret.
+
+```ts
+await envvars.upload("proj_1234", "prod", {
+  variables: { STRIPE_SECRET_KEY: "sk_live_..." },
+  isSecret: true,
+});
+```
diff --git a/.changeset/large-trigger-payload-offload.md b/.changeset/large-trigger-payload-offload.md
new file mode 100644
index 00000000000..e8d87947166
--- /dev/null
+++ b/.changeset/large-trigger-payload-offload.md
@@ -0,0 +1,8 @@
+---
+"@trigger.dev/core": patch
+"@trigger.dev/sdk": patch
+---
+
+Offload large trigger payloads to object storage before sending the trigger API request. The SDK uploads packets at or above the existing 128KB limit and sends an `application/store` pointer instead of embedding large JSON in the request body. `TriggerTaskRequestBody` now validates that `application/store` payloads are non-empty storage paths.
+
+Payload uploads use the same resolved `ApiClient` as the trigger call (including `requestOptions.clientConfig`), not only the global `apiClientManager.client` — so custom `baseURL`, access token, and preview branch apply to both presign and trigger.
diff --git a/.changeset/locals-key-dual-package-fix.md b/.changeset/locals-key-dual-package-fix.md
new file mode 100644
index 00000000000..38d42e19dfb
--- /dev/null
+++ b/.changeset/locals-key-dual-package-fix.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/core": patch
+---
+
+Fix `LocalsKey<T>` type incompatibility across dual-package builds. The phantom value-type brand no longer uses a module-level `unique symbol`, so a single TypeScript compilation that resolves the type from both the ESM and CJS outputs (which can happen under certain pnpm hoisting layouts) no longer sees two structurally-incompatible variants of the same type.
diff --git a/.changeset/mcp-agent-chat-sessions.md b/.changeset/mcp-agent-chat-sessions.md
new file mode 100644
index 00000000000..c3f01aebf28
--- /dev/null
+++ b/.changeset/mcp-agent-chat-sessions.md
@@ -0,0 +1,5 @@
+---
+"trigger.dev": patch
+---
+
+The CLI MCP server's agent-chat tools (`start_agent_chat`, `send_agent_message`, `close_agent_chat`) now run on the new Sessions primitive, so AI assistants driving a `chat.agent` get the same idempotent-by-`chatId`, durable-across-runs behavior the browser transport gets. Required PAT scopes go from `write:inputStreams` to `read:sessions` + `write:sessions`.
diff --git a/.changeset/mcp-list-runs-region.md b/.changeset/mcp-list-runs-region.md
new file mode 100644
index 00000000000..b72cfb23c97
--- /dev/null
+++ b/.changeset/mcp-list-runs-region.md
@@ -0,0 +1,5 @@
+---
+"trigger.dev": patch
+---
+
+MCP `list_runs` tool: add a `region` filter input and surface each run's executing region in the formatted summary.
diff --git a/.changeset/mcp-trigger-task-no-default-wait.md b/.changeset/mcp-trigger-task-no-default-wait.md
new file mode 100644
index 00000000000..396c68bd005
--- /dev/null
+++ b/.changeset/mcp-trigger-task-no-default-wait.md
@@ -0,0 +1,5 @@
+---
+"trigger.dev": patch
+---
+
+The MCP server no longer tells the AI agent to wait for a run to complete after every `trigger_task` call. Waiting is now opt-in: the agent only waits when you ask it to (for example "trigger and then wait for it to finish"). This avoids burning tokens polling runs you didn't need to block on and keeps responses clearer.
diff --git a/.changeset/mock-chat-agent-test-harness.md b/.changeset/mock-chat-agent-test-harness.md
new file mode 100644
index 00000000000..9876e56a9f7
--- /dev/null
+++ b/.changeset/mock-chat-agent-test-harness.md
@@ -0,0 +1,8 @@
+---
+"@trigger.dev/sdk": patch
+"@trigger.dev/core": patch
+---
+
+Unit-test `chat.agent` definitions offline with `mockChatAgent` from `@trigger.dev/sdk/ai/test`. Drives a real agent's turn loop in-process — no network, no task runtime — so you can send messages, actions, and stop signals via driver methods, inspect captured output chunks, and verify hooks fire. Pairs with `MockLanguageModelV3` from `ai/test` for model mocking. `setupLocals` lets you pre-seed `locals` (DB clients, service stubs) before `run()` starts.
+
+The broader `runInMockTaskContext` harness it's built on lives at `@trigger.dev/core/v3/test` — useful for unit-testing any task code, not just chat.
diff --git a/.changeset/mollifier-buffer-pipeline-list-entries.md b/.changeset/mollifier-buffer-pipeline-list-entries.md
new file mode 100644
index 00000000000..2c55d9b18a8
--- /dev/null
+++ b/.changeset/mollifier-buffer-pipeline-list-entries.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/redis-worker": patch
+---
+
+Pipeline the per-entry `HGETALL` fetches in `MollifierBuffer.listEntriesForEnv`. The previous serial implementation issued one Redis round-trip per runId returned by `LRANGE`, which dominated stale-sweep wall-time at any meaningful backlog (at the sweep's default maxCount=1000, this is ~1000 RTTs per env per pass). Behaviour is unchanged — entries are still skipped when the entry hash has been torn down by a concurrent drainer ack/fail between the LRANGE and the HGETALL.
diff --git a/.changeset/mollifier-configurable-constants.md b/.changeset/mollifier-configurable-constants.md
new file mode 100644
index 00000000000..e9943e9b190
--- /dev/null
+++ b/.changeset/mollifier-configurable-constants.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/redis-worker": patch
+---
+
+Make mollifier buffer and drainer internals configurable. `MollifierBuffer` now accepts `ackGraceTtlSeconds`, `maxRetriesPerRequest`, `reconnectStepMs`, and `reconnectMaxMs` options, and `MollifierDrainer` accepts `maxBackoffMs` and `backoffFloorMs`. All default to their previous hardcoded values, so existing behaviour is unchanged.
diff --git a/.changeset/mollifier-drain-batch-size.md b/.changeset/mollifier-drain-batch-size.md
new file mode 100644
index 00000000000..9e848b5011d
--- /dev/null
+++ b/.changeset/mollifier-drain-batch-size.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/redis-worker": patch
+---
+
+`MollifierDrainer` accepts a `drainBatchSize` option (default 1) that controls how many entries are popped per env per tick — in-flight handlers remain capped by the global `concurrency`. `MollifierBuffer` also gains `getDrainingCount()` / `listStaleDraining()`, backed by a new `mollifier:draining` ZSET maintained atomically with pop/ack/fail/requeue (observability-only).
diff --git a/.changeset/mollifier-redis-worker-primitives.md b/.changeset/mollifier-redis-worker-primitives.md
new file mode 100644
index 00000000000..a209e530c24
--- /dev/null
+++ b/.changeset/mollifier-redis-worker-primitives.md
@@ -0,0 +1,9 @@
+---
+"@trigger.dev/redis-worker": patch
+---
+
+Add MollifierBuffer and MollifierDrainer primitives for trigger burst smoothing.
+
+MollifierBuffer (`accept`, `pop`, `ack`, `requeue`, `fail`, `evaluateTrip`) is a per-env FIFO over Redis with atomic Lua transitions for status tracking. `evaluateTrip` is a sliding-window trip evaluator the webapp gate uses to detect per-env trigger bursts.
+
+MollifierDrainer pops entries through a polling loop with a user-supplied handler. The loop survives transient Redis errors via capped exponential backoff (up to 5s), and per-env pop failures don't poison the rest of the batch — one env's blip is logged and counted as failed for that tick. Rotation is two-level: orgs at the top, envs within each org. The buffer maintains `mollifier:orgs` and `mollifier:org-envs:${orgId}` atomically with per-env queues, so the drainer walks orgs → envs directly without an in-memory cache. The `maxOrgsPerTick` option (default 500) caps how many orgs are scheduled per tick; for each picked org, one env is popped (rotating round-robin within the org). An org with N envs gets the same per-tick scheduling slot as an org with 1 env, so tenant-level drainage throughput is determined by org count rather than env count.
diff --git a/.changeset/mollifier-tag-cap.md b/.changeset/mollifier-tag-cap.md
new file mode 100644
index 00000000000..b9057664fa7
--- /dev/null
+++ b/.changeset/mollifier-tag-cap.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/redis-worker": patch
+---
+
+Mollifier `mutateSnapshot` now enforces a tag cap: an `append_tags` patch carrying `maxTags` returns `"limit_exceeded"` (writing nothing) when the deduped tag count would exceed the limit, so a buffered run can't accumulate more tags via the tags API than the trigger validator allows at creation.
diff --git a/.changeset/otel-suite-0218.md b/.changeset/otel-suite-0218.md
new file mode 100644
index 00000000000..38b71ceeec1
--- /dev/null
+++ b/.changeset/otel-suite-0218.md
@@ -0,0 +1,7 @@
+---
+"@trigger.dev/core": patch
+"trigger.dev": patch
+"@trigger.dev/sdk": patch
+---
+
+Update the bundled OpenTelemetry packages to their latest releases (`@opentelemetry/sdk-node` 0.218.0, `@opentelemetry/core` 2.7.1, `@opentelemetry/host-metrics` 0.38.3).
diff --git a/.changeset/plugin-auth-path.md b/.changeset/plugin-auth-path.md
new file mode 100644
index 00000000000..7ce08b71a33
--- /dev/null
+++ b/.changeset/plugin-auth-path.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/plugins": patch
+---
+
+The public interfaces for a plugin system. Initially consolidated authentication and authorization interfaces.
diff --git a/.changeset/pre.json b/.changeset/pre.json
new file mode 100644
index 00000000000..818658e8972
--- /dev/null
+++ b/.changeset/pre.json
@@ -0,0 +1,64 @@
+{
+  "mode": "pre",
+  "tag": "rc",
+  "initialVersions": {
+    "coordinator": "0.0.1",
+    "docker-provider": "0.0.1",
+    "kubernetes-provider": "0.0.1",
+    "supervisor": "0.0.1",
+    "webapp": "1.0.0",
+    "@trigger.dev/build": "4.4.6",
+    "trigger.dev": "4.4.6",
+    "@trigger.dev/core": "4.4.6",
+    "@trigger.dev/plugins": "4.4.6",
+    "@trigger.dev/python": "4.4.6",
+    "@trigger.dev/react-hooks": "4.4.6",
+    "@trigger.dev/redis-worker": "4.4.6",
+    "@trigger.dev/rsc": "4.4.6",
+    "@trigger.dev/schema-to-json": "4.4.6",
+    "@trigger.dev/sdk": "4.4.6"
+  },
+  "changesets": [
+    "agent-skills",
+    "ai-prompts",
+    "ai-sdk-7-support",
+    "ai-tool-helpers",
+    "backpressure-scale-up-freeze",
+    "bundle-skills-single-pass",
+    "cap-idempotency-key-length",
+    "chat-agent-on-boot-hook",
+    "chat-agent-tools",
+    "chat-agent",
+    "chat-history-read-primitives",
+    "chat-session-attributes",
+    "chat-slim-wire-merge",
+    "chat-start-session-action-typed-client-data",
+    "chat-transport-recreate-missing-session",
+    "cli-deploy-skip-rewrite-timestamp",
+    "coerce-concurrency-key-to-string",
+    "env-vars-tracing-forceflush-typecheck",
+    "envvars-import-is-secret",
+    "large-trigger-payload-offload",
+    "locals-key-dual-package-fix",
+    "mcp-agent-chat-sessions",
+    "mcp-list-runs-region",
+    "mcp-trigger-task-no-default-wait",
+    "mock-chat-agent-test-harness",
+    "mollifier-buffer-pipeline-list-entries",
+    "mollifier-configurable-constants",
+    "mollifier-drain-batch-size",
+    "mollifier-redis-worker-primitives",
+    "mollifier-tag-cap",
+    "otel-suite-0218",
+    "plugin-auth-path",
+    "resource-catalog-runtime-registration",
+    "retry-middleware-errors",
+    "retry-sigsegv",
+    "runs-list-region-filter",
+    "s2-batch-transform-linger-fix",
+    "sessions-primitive",
+    "trigger-client",
+    "unflatten-attributes-conflict",
+    "warm-start-external-trace-context-leak"
+  ]
+}
diff --git a/.changeset/project-environments-endpoint.md b/.changeset/project-environments-endpoint.md
new file mode 100644
index 00000000000..9059c548245
--- /dev/null
+++ b/.changeset/project-environments-endpoint.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/core": patch
+---
+
+Add `GetProjectEnvironmentsResponseBody` and `ProjectEnvironment` schemas for the new `GET /api/v1/projects/{projectRef}/environments` endpoint, which lists the parent environments (dev, staging, preview, prod) a personal access token can access for a project. Dev is scoped to the token owner and branch (preview child) environments are excluded.
diff --git a/.changeset/resource-catalog-runtime-registration.md b/.changeset/resource-catalog-runtime-registration.md
new file mode 100644
index 00000000000..5046f09e1f1
--- /dev/null
+++ b/.changeset/resource-catalog-runtime-registration.md
@@ -0,0 +1,6 @@
+---
+"@trigger.dev/core": patch
+"trigger.dev": patch
+---
+
+Fix `COULD_NOT_FIND_EXECUTOR` when a task's definition is loaded via `await import(...)` from inside another task's `run()`. The runtime workers now register such tasks with a sentinel file context, and the catalog logs a one-time warning per task id.
diff --git a/.changeset/retry-middleware-errors.md b/.changeset/retry-middleware-errors.md
new file mode 100644
index 00000000000..2267b4d724c
--- /dev/null
+++ b/.changeset/retry-middleware-errors.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/core": patch
+---
+
+Retry `TASK_MIDDLEWARE_ERROR` under the task's retry policy instead of failing the run on the first attempt. The error was already classified as retryable by `shouldRetryError`, but `shouldLookupRetrySettings` did not include it, so the retry flow fell through to `fail_run`. Fixes #3231.
diff --git a/.changeset/retry-sigsegv.md b/.changeset/retry-sigsegv.md
new file mode 100644
index 00000000000..5a53c351efe
--- /dev/null
+++ b/.changeset/retry-sigsegv.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/core": patch
+---
+
+Retry `TASK_PROCESS_SIGSEGV` task crashes under the user's retry policy instead of failing the run on the first segfault. SIGSEGV in Node tasks is frequently non-deterministic (native addon races, JIT/GC interaction, near-OOM in native code, host issues), so retrying on a fresh process often succeeds. The retry is gated by the task's existing `retry` config + `maxAttempts` — same path `TASK_PROCESS_SIGTERM` and uncaught exceptions already use — so tasks without a retry policy still fail fast.
diff --git a/.changeset/runs-list-region-filter.md b/.changeset/runs-list-region-filter.md
new file mode 100644
index 00000000000..c487e2d632c
--- /dev/null
+++ b/.changeset/runs-list-region-filter.md
@@ -0,0 +1,6 @@
+---
+"@trigger.dev/core": patch
+"@trigger.dev/sdk": patch
+---
+
+Add `region` to the runs list / retrieve API: filter runs by region (`runs.list({ region: "..." })` / `filter[region]=<masterQueue>`) and read each run's executing region from the new `region` field on the response.
diff --git a/.changeset/s2-batch-transform-linger-fix.md b/.changeset/s2-batch-transform-linger-fix.md
new file mode 100644
index 00000000000..f1e9bab34aa
--- /dev/null
+++ b/.changeset/s2-batch-transform-linger-fix.md
@@ -0,0 +1,6 @@
+---
+"@trigger.dev/core": patch
+"trigger.dev": patch
+---
+
+Bump `@s2-dev/streamstore` to `0.22.10` to fix a `TASK_RUN_UNCAUGHT_EXCEPTION` ("Invalid state: Unable to enqueue") when a `chat.agent` turn is aborted mid-stream.
diff --git a/.changeset/sessions-primitive.md b/.changeset/sessions-primitive.md
new file mode 100644
index 00000000000..79a6ca48f65
--- /dev/null
+++ b/.changeset/sessions-primitive.md
@@ -0,0 +1,26 @@
+---
+"@trigger.dev/sdk": minor
+"@trigger.dev/core": patch
+---
+
+**Sessions** — a durable, run-aware stream channel keyed on a stable `externalId`. A Session is the unit of state that owns a multi-run conversation: messages flow through `.in`, responses through `.out`, both survive run boundaries. Sessions back the new `chat.agent` runtime, and you can build on them directly for any pattern that needs durable bi-directional streaming across runs.
+
+```ts
+import { sessions, tasks } from "@trigger.dev/sdk";
+
+// Trigger a task and subscribe to its session output in one call
+const { runId, stream } = await tasks.triggerAndSubscribe("my-task", payload, {
+  externalId: "user-456",
+});
+
+for await (const chunk of stream) {
+  // ...
+}
+
+// Enumerate existing sessions (powers inbox-style UIs without a separate index)
+for await (const s of sessions.list({ type: "chat.agent", tag: "user:user-456" })) {
+  console.log(s.id, s.externalId, s.createdAt, s.closedAt);
+}
+```
+
+See [/docs/ai-chat/overview](https://trigger.dev/docs/ai-chat/overview) for the full surface — Sessions powers the durable, resumable chat runtime described there.
diff --git a/.changeset/trigger-client.md b/.changeset/trigger-client.md
new file mode 100644
index 00000000000..75699471ba2
--- /dev/null
+++ b/.changeset/trigger-client.md
@@ -0,0 +1,18 @@
+---
+"@trigger.dev/sdk": patch
+---
+
+Add `TriggerClient` for running multiple SDK clients side-by-side, each with its own auth, preview branch, and baseURL. Useful when a single process needs to trigger tasks or read runs across multiple projects, environments, or preview branches without mutating shared global state.
+
+```ts
+import { TriggerClient } from "@trigger.dev/sdk";
+
+const prod = new TriggerClient({ accessToken: process.env.TRIGGER_PROD_KEY });
+const preview = new TriggerClient({
+  accessToken: process.env.TRIGGER_PREVIEW_KEY,
+  previewBranch: "signup-flow",
+});
+
+await prod.tasks.trigger("send-email", payload);
+await preview.runs.list({ status: ["COMPLETED"] });
+```
diff --git a/.changeset/trigger-skills-installer.md b/.changeset/trigger-skills-installer.md
new file mode 100644
index 00000000000..4e05b125919
--- /dev/null
+++ b/.changeset/trigger-skills-installer.md
@@ -0,0 +1,11 @@
+---
+"trigger.dev": patch
+---
+
+`trigger skills` installs Trigger.dev agent skills into your coding agent so it knows how to write tasks, schedules, realtime, and chat.agent code. The skills ship with the CLI and are copied into each tool's native skills directory (Claude Code, Cursor, GitHub Copilot, and Codex / AGENTS.md), and `trigger dev` offers to install them on first run.
+
+```bash
+trigger skills --target claude-code
+```
+
+Replaces the previous `install-rules` command, which stays as an alias.
diff --git a/.changeset/unflatten-attributes-conflict.md b/.changeset/unflatten-attributes-conflict.md
new file mode 100644
index 00000000000..9df627f2630
--- /dev/null
+++ b/.changeset/unflatten-attributes-conflict.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/core": patch
+---
+
+Fix `TypeError` in `unflattenAttributes` when the input attribute map contains conflicting dotted key paths (e.g. both `a.b` set to a scalar and `a.b.c` set to a value). The path-walk loop now applies last-write-wins when a prior key wrote a primitive, null, or array at an intermediate slot, matching the existing precedent in `AttributeFlattener.addAttribute`. Callers no longer crash when handed malformed external attribute inputs.
diff --git a/.changeset/warm-start-external-trace-context-leak.md b/.changeset/warm-start-external-trace-context-leak.md
new file mode 100644
index 00000000000..84f91de7689
--- /dev/null
+++ b/.changeset/warm-start-external-trace-context-leak.md
@@ -0,0 +1,5 @@
+---
+"@trigger.dev/core": patch
+---
+
+Fix external trace context leaking across runs on warm-started workers with `processKeepAlive` enabled. Every subsequent run's attempt span was being exported with the first run's `traceId` and `parentSpanId`, breaking causal-chain navigation in external APM tools. Runs without an external trace context are unaffected.
diff --git a/.claude/REVIEW.md b/.claude/REVIEW.md
new file mode 100644
index 00000000000..19edf00a52e
--- /dev/null
+++ b/.claude/REVIEW.md
@@ -0,0 +1,50 @@
+# REVIEW.md — Trigger.dev OSS
+
+Repo-specific signal for anyone (human or agent) reviewing a PR in this codebase. Calibrates what counts as critical, what to always check, and what to skip.
+
+## What makes a 🔴 Important finding here
+
+Reserve 🔴 for things that would page someone or block a rollback. In this codebase, that means:
+
+- **Rolling-deploy breakage.** Old and new versions of the webapp/supervisor run side-by-side during deploys. A change is broken if:
+  - A Lua script's behavior changes for a given key set without versioning (rename the script with a behavior-descriptive suffix like `Tracked` rather than `V2` — both versions must coexist safely).
+  - A Redis data shape used by both versions changes in place. New shapes need a new key namespace.
+  - A migration is not backward-compatible with the prior image.
+- **Schema / migration safety.** Prisma migrations must be backward-compatible with the prior deploy. Adding NOT NULL without a default, dropping a column an old image still reads, renaming a column — all 🔴.
+- **ClickHouse migration ordering + idempotency.** Goose runs in strict mode in the deploy pipeline and refuses to apply a missing version below the current version — slotting a new file in below the latest already-applied version blocks the deploy. New ClickHouse migration files MUST use the next available number (`max(files in internal-packages/clickhouse/schema/) + 1`); if main has added migrations while you've been on a branch, renumber yours. DDL must also be idempotent (`ADD COLUMN IF NOT EXISTS`, `DROP COLUMN IF EXISTS`, `CREATE TABLE IF NOT EXISTS`, `ADD INDEX IF NOT EXISTS`) so a partial / `--allow-missing` apply elsewhere doesn't fail on retry. Either fault is 🔴 — both break test/prod deploys. Rules live in `internal-packages/clickhouse/CLAUDE.md`.
+- **Queue / concurrency correctness.** RunQueue, MarQS (V1, legacy), redis-worker — any change to enqueue / dequeue / locking semantics. Re-derive the invariant on paper before flagging or accepting.
+- **Missing index on a hot table.** New Prisma queries against `TaskRun`, `TaskRunExecutionSnapshot`, `JobRun`, `Project`, etc. must use an existing index. Check `internal-packages/database/prisma/schema.prisma` for the relevant `@@index` lines — don't guess and don't propose `EXPLAIN`.
+- **Recovery-path queries.** Any `TaskRun.findFirst` / `findMany` added to a schedule, run-recovery, or restart loop. Recovery fan-outs (Redis crash, restart storms) turn "rare indexed query" into a DB incident. 🔴 even if indexed.
+- **Aggregations on hot tables.** No `COUNT` / `GROUP BY` on `TaskRun` or other multi-million-row tables. Use Redis or ClickHouse for counts.
+- **Prod Redis blast-radius.** New code paths that `SCAN` with broad patterns (`*foo*`) on prod-shaped Redis, or `EVAL` Lua with `SCAN` loops inside. Both are 🔴.
+- **`@trigger.dev/core` direct import** from anywhere outside the SDK package. Always import from `@trigger.dev/sdk`. Core direct imports are 🔴 — they break the public API contract.
+- **Heavy execute-deps imported into request-handler bundles.** Specifically `chat.handover` and similar split-bundle entry points must not transitively import the agent task's execute path. Watch for new imports added at module top-level of route files.
+- **V1 engine code modified in a "V2 only" PR.** The `apps/webapp/app/v3/` directory contains both. If the PR description says V2-only but it touches `triggerTaskV1`, `cancelTaskRunV1`, `MarQS`, etc. — 🔴.
+
+## Always check
+
+- **Tests use testcontainers, not mocks.** Vitest with `redisTest` / `postgresTest` / `containerTest` from `@internal/testcontainers`. Any new `vi.mock(...)` on Redis, Postgres, BullMQ, or other infra is wrong here — 🔴 if added in production-path tests, 🟡 if isolated unit test.
+- **Public-package changes have a changeset.** `pnpm run changeset:add` produces `.changeset/*.md`. Required for any edit under `packages/*`. Missing → 🟡; missing on a breaking change → 🔴.
+- **Server-only changes have `.server-changes/*.md`.** Required for `apps/webapp/`, `apps/supervisor/` edits with no public-package change. Body should be 1-2 sentences (it has to fit as one bullet in a future changelog). Missing → 🟡.
+- **Lua script naming.** Coexisting scripts use behavior-descriptive suffixes (`Tracked`), never `V2`. Old name must keep working until the next deploy clears it.
+- **RunQueue payload shape.** V2 run-queue payload's `projectId` is consumed by `workerQueueResolver` for override matching. If a PR drops it from the payload, 🔴.
+- **`safeSend` scope.** Defensive IPC wrappers belong on loop / interval / handler contexts, not one-shot terminal sends. If the PR adds `safeSend` to a single terminal call for consistency, 🟡 with a "remove this" suggestion.
+- **Zod version.** Pinned to `3.25.76` monorepo-wide. New package adding zod with a different version or range — 🔴.
+
+## Skip (do NOT flag)
+
+- Anything Prettier / ESLint catches. CI runs both.
+- TypeScript style preferences (`type` vs `interface`) — already covered by repo standards.
+- Test coverage exhortations as a generic suggestion. Only flag missing tests when a specific code path is genuinely untested and the path has prior incidents.
+- `agentcrumbs` markers (`// @crumbs`, `// #region @crumbs`) and `agentcrumbs` imports — these are temporary debug instrumentation stripped before merge.
+- `// removed comments for removed code`, renamed `_unused` vars, re-exported types as "backwards compatibility shims" — also covered by repo standards.
+- Suggestions to "add error handling" without naming a specific scenario that breaks.
+- Documentation prose nitpicks in `docs/*` MDX files unless factually wrong.
+
+## Things V1/legacy that should NOT block a PR
+
+The `apps/webapp/app/v3/` directory name is misleading — most code there is V2. Only specific files are V1-only legacy: `MarQS` queue, `triggerTaskV1`, `cancelTaskRunV1`, and a handful of others (see `apps/webapp/CLAUDE.md` for the exact list). Don't flag "you should refactor this to use V2" on those — they're frozen.
+
+## Confidence calibration for this repo
+
+The most common false-positive pattern: speculating about race conditions in code paths the agent doesn't have runtime visibility into. If the only evidence is "this *could* race", drop it. If you can point to a specific interleaving with file:line for each step, surface it.
diff --git a/.claude/review-guides/chat-agent-sessions-row-agnostic.md b/.claude/review-guides/chat-agent-sessions-row-agnostic.md
new file mode 100644
index 00000000000..7fb9851f308
--- /dev/null
+++ b/.claude/review-guides/chat-agent-sessions-row-agnostic.md
@@ -0,0 +1,287 @@
+# Review guide — chat.agent on Sessions, row-agnostic addressing
+
+Scope: the 12 uncommitted files. **No new behaviour beyond the public surface
+already on this branch** — this is plumbing cleanup that:
+
+1. Eliminates the transport's session-creation step
+2. Makes `chatId` the universal addressing string everywhere
+3. Makes the server-side stream/append/wait routes row-agnostic
+
+## The two design moves
+
+**Move 1 — agent owns session lifecycle.** `chat.agent` and
+`chat.customAgent` upsert the backing `Session` row at bind, fire-and-forget,
+keyed on `externalId = payload.chatId`. The transport, server-side
+`AgentChat`, and `chat.createTriggerAction` no longer create sessions at all.
+Browsers cannot mint sessions either (`POST /api/v1/sessions` is now
+secret-key-only). One owner, one path.
+
+**Move 2 — `chatId` is the only address.** The transport, server-side
+`AgentChat`, JWT scopes, and S2 stream paths all use `chatId` directly. The
+Session's friendlyId is informational. To make this safe, the three stream
+routes (`.in/.out` PUT, GET, POST append, plus the run-engine `wait`
+endpoint) became "row-optional" and derive a *canonical addressing key*
+(`row.externalId ?? row.friendlyId`, fallback to the URL param when the row
+hasn't been upserted yet). Same canonical key is used to build the S2 stream
+path, the waitpoint cache key, and the JWT resource set — so any caller
+addressing by either form converges on the same physical stream.
+
+Together these remove an entire class of "did the row land yet?" races. The
+transport can subscribe to `/sessions/{chatId}/out` before the agent boots,
+the agent's `void sessions.create({externalId: chatId})` lands a moment
+later, and any earlier reads/writes are already on the right S2 key.
+
+---
+
+## Read in this order
+
+### 1. `apps/webapp/app/services/realtime/sessions.server.ts` (+34 lines)
+
+The new primitive. Two helpers:
+
+- `isSessionFriendlyIdForm(value)` — `value.startsWith("session_")`. Used to
+  decide whether a missing row is a hard 404 (opaque friendlyId) or a soft
+  "row will land later" (externalId form).
+- `canonicalSessionAddressingKey(row, paramSession)` — `row.externalId ??
+  row.friendlyId` if the row exists, else `paramSession`. **This is the load-
+  bearing function.** Read its docstring.
+
+**Question to ask:** can two callers addressing the "same" session ever get
+different canonical keys? Only if the row exists for one and not the other,
+*and* the URL forms differ — but in that case the row-less caller used the
+externalId form (friendlyId-form would have 404'd earlier), and the row-ful
+caller computes `row.externalId ?? row.friendlyId`. If the row's externalId
+matches the URL, they converge. If it doesn't, there's no row to find by
+that string anyway. The interesting edge is "row exists with no externalId",
+addressed via friendlyId — both sides read `row.friendlyId`. ✓
+
+### 2. `apps/webapp/app/routes/realtime.v1.sessions.$session.$io.ts` (+47/-12)
+
+PUT initialize + GET subscribe (SSE). Both use the helper. The interesting
+part is the loader's `findResource` + `authorization.resource`:
+
+```ts
+findResource: async (params, auth) => {
+  const row = await resolveSessionByIdOrExternalId(...);
+  if (!row && isSessionFriendlyIdForm(params.session)) return undefined; // 404
+  return { row, addressingKey: canonicalSessionAddressingKey(row, params.session) };
+},
+authorization: {
+  resource: ({ row, addressingKey }) => {
+    const ids = new Set<string>([addressingKey]);
+    if (row) {
+      ids.add(row.friendlyId);
+      if (row.externalId) ids.add(row.externalId);
+    }
+    return { sessions: [...ids] };
+  },
+  superScopes: ["read:sessions", "read:all", "admin"],
+},
+```
+
+**Why three IDs in the resource set?** `checkAuthorization` is "any-match"
+across the resource values. We want a JWT scoped to *either* form to
+authorize *either* URL form. Smoke test verified the 4-cell matrix passes.
+
+**The PUT path** (action handler) is simpler — it just resolves the row,
+builds an addressing key, and hands it to `initializeSessionStream`. Worth
+noting the `closedAt` check is now `maybeSession?.closedAt` — no row means
+no closedAt to enforce.
+
+### 3. `apps/webapp/app/routes/realtime.v1.sessions.$session.$io.append.ts` (+22/-13)
+
+POST append (browser writes a record to `.in` or server writes to `.out`).
+Same row-optional pattern. Both the S2 append and the waitpoint drain use
+`addressingKey`.
+
+**Question to ask:** what fires the waitpoint? An agent's
+`session.in.wait()` registers a waitpoint keyed on `(addressingKey, io)` via
+the wait endpoint (file 4). The append handler drains by the *same* key —
+even if the agent registered with externalId form and the transport
+appended via friendlyId form, both compute the same canonical key, so they
+converge. ✓
+
+### 4. `apps/webapp/app/routes/api.v1.runs.$runFriendlyId.session-streams.wait.ts` (+18/-13)
+
+The agent's `.in.wait()` endpoint. Run-engine creates the waitpoint, then
+registers it in Redis under `(addressingKey, io)`. The race-check that runs
+right after creation reads from S2 by the same key. Three call sites —
+`addSessionStreamWaitpoint`, `readSessionStreamRecords`,
+`removeSessionStreamWaitpoint` — all consistent.
+
+### 5. `apps/webapp/app/routes/api.v1.sessions.ts` (+4/-2)
+
+**Security tightening.** Removed `allowJWT: true` and `corsStrategy: "all"`
+from the `POST /api/v1/sessions` action — secret-key only now.
+
+**Question to ask:** was the JWT path actually used? Until this branch, the
+transport called it via `ensureSession` (now deleted). After this branch,
+nobody reaches it from the browser. `chat.createTriggerAction` (server
+secret key) is the only browser-adjacent path.
+
+### 6. `packages/trigger-sdk/src/v3/ai.ts` (+62/-39)
+
+Two near-identical edits — one in `chatAgent`, one in `chatCustomAgent`.
+Both bind on `payload.chatId` and fire-and-forget the upsert:
+
+```ts
+locals.set(chatSessionHandleKey, sessions.open(payload.chatId));
+void sessions
+  .create({ type: "chat.agent", externalId: payload.chatId })
+  .catch(() => { /* best effort */ });
+```
+
+**Question to ask:** why `void`-and-`catch`? Awaiting the upsert would gate
+the agent's bind on a network round-trip that doesn't unblock anything
+user-visible — `.in/.out` routes are row-agnostic and the waitpoint cache
+is keyed on the addressing string, not the row id. If the upsert genuinely
+fails, the next bind retries the same idempotent call (`sessions.create`
+upserts on `externalId`, so concurrent triggers on one chatId converge to
+one row). The row matters for downstream metadata + listing, not for live
+addressing.
+
+The PAT scope minting in `chatAgent` (two call sites — preload and
+sendMessage) now uses `payload.chatId` for the `sessions:` resource. That
+matches what the transport/AgentChat use as the JWT resource and what the
+JWT's resource set in the loader includes. Cross-form addressing works
+either way (smoke-tested), but using `chatId` keeps the chain tight.
+
+`createChatTriggerAction` is the most visibly trimmed: no pre-create, no
+threading `sessionId` into payload, scope mint uses `chatId`. Return type
+no longer carries `sessionId` — note `TriggerChatTaskResult.sessionId` was
+already declared optional, so this isn't a public-API break.
+
+**Stale docstring to flag:** `chat.ts:59` and `chat.ts:112` still describe
+PAT scopes as `read:sessions:{sessionId}` and
+`write:sessions:{sessionId}`. Functionally either ID works (row lookup
+canonicalises), but the doc text is now out of date — it should say
+`{chatId}`. Worth a tidy-up before merge but not blocking.
+
+### 7. `packages/trigger-sdk/src/v3/chat.ts` (+63/-117)
+
+**The biggest mechanical edit.** Net -54 lines from deleting `ensureSession`
+and untangling its callers.
+
+What disappeared:
+- `private async ensureSession(chatId)` — gone
+- The "lazy upsert from the browser if no triggerTask callback" branch in
+  `sendMessages` and `preload` — gone
+- The "throw if neither path surfaced a sessionId" guard — gone
+- All `state.sessionId` URL params replaced with `chatId`
+- `subscribeToSessionStream`'s `chatId?` (optional) is now `chatId` (required)
+
+What stayed:
+- `state.sessionId` in `ChatSessionState` — optional, informational
+- The `restore from external storage` branch in the constructor still
+  hydrates `sessionId` if persisted, just doesn't *require* it
+- `notifySessionChange` still surfaces `sessionId` if known
+
+**Question to ask:** does the transport ever still need the friendlyId? The
+only place is the `onSessionChange` callback's payload (so consumers
+persisting state can save it for later display). The transport itself never
+puts it in a URL or a waitpoint key.
+
+The `sendMessages` path is worth re-reading: when state.runId is set, it
+appends to `.in/append` and subscribes to `.out`. If the append fails with
+a non-auth error, it falls through to triggering a new run (legacy "run is
+dead" detection — unchanged from pre-Sessions, doesn't depend on
+addressing).
+
+### 8. `packages/trigger-sdk/src/v3/chat-client.ts` (+34/-33)
+
+Server-side `AgentChat`. Mirrors the transport changes — every URL uses
+`this.chatId`. `triggerNewRun` no longer pre-creates a session. `ChatSession`
+and internal `SessionState` types now have optional `sessionId`.
+
+The shape of the diff is identical to the transport: delete the upsert,
+swap addressing identifiers, optionalise the friendlyId. If you've read
+`chat.ts` carefully, this one is mostly mechanical confirmation that both
+client surfaces (browser transport + server-side AgentChat) speak the same
+addressing protocol.
+
+### 9. Test infrastructure — `sessions.ts` (+18) + `mock-chat-agent.ts` (+25)
+
+`__setSessionCreateImplForTests` mirrors the existing
+`__setSessionOpenImplForTests`. `mockChatAgent` installs a no-op create stub
+returning a synthetic `CreatedSessionResponseBody` so the agent's bind-time
+`void sessions.create(...)` doesn't try to hit a real API. Cleanup runs in
+the same `.finally` as the open override.
+
+**Question to ask:** is the synthetic response shape correct? It mirrors
+`CreatedSessionResponseBody` — `id`, `externalId`, `type`, `tags`,
+`metadata`, `closedAt`, `closedReason`, `expiresAt`, `createdAt`,
+`updatedAt`, `isCached`. Tests don't currently assert on this object, so
+the bar is "doesn't crash + matches the type". Met.
+
+### 10. `packages/trigger-sdk/src/v3/chat.test.ts` (+13/-12)
+
+Three classes of test edits, all consequences:
+
+- Stream URL assertion: `chat-1` (the chatId) instead of
+  `session_streamurl` (the friendlyId)
+- `renewRunAccessToken` callback: `sessionId: undefined` (was
+  `DEFAULT_SESSION_ID` because the mocked trigger doesn't surface it)
+- Token resolve count: `1` (was `2` — second resolve was for `ensureSession`)
+- One `onSessionChange` matchObject loses `sessionId`
+
+### 11. `apps/webapp/app/routes/_app.../playground/.../route.tsx` (1 line)
+
+`sessionId: string` → `sessionId?: string` in the playground sidebar prop
+to track the transport type change.
+
+---
+
+## Edge cases I checked, so you don't have to
+
+- **Cross-form JWT auth (curl matrix).** JWT scoped to externalId can call
+  externalId URL ✓ and friendlyId URL ✓. JWT scoped to friendlyId can call
+  externalId URL ✓ and friendlyId URL ✓. Smoke-tested.
+- **Row materialises after subscribe.** Transport opens
+  `GET /sessions/{chatId}/out` before agent's bind upsert lands → 200 OK,
+  `addressingKey = chatId` (paramSession fallback). Once the row lands
+  with `externalId = chatId`, addressingKey resolves to the same value via
+  `row.externalId`. Same S2 key throughout.
+- **Concurrent triggers on one chatId.** Two browser tabs trigger two runs
+  → two binds → two `sessions.create({externalId: chatId})` calls. Upsert
+  semantics: both return the same row.
+- **Closed session enforcement.** Still enforced when a row exists.
+  `maybeSession?.closedAt` is null-safe; no row = no close-state to honour.
+- **Agent run cancellation.** Frontend doesn't auto-detect — unchanged from
+  pre-Sessions; messages sit in S2 until the next trigger (the existing
+  run-PAT auth-error path is the only reaper). Out of scope for this branch.
+- **Idle timeout in dev.** Runs stay `EXECUTING_WITH_WAITPOINTS` past the
+  configured idle because dev runs don't snapshot/restore; the in-process
+  idle clock advances locally without touching the row. Expected, not a
+  regression.
+
+## Things explicitly **not** in this branch
+
+- Run-state subscription on the transport side (the "run died, re-trigger
+  silently" UX gap)
+- Session auto-close on agent exit (still client-driven by design)
+- Any change to `Session` schema, `sessions.create` semantics, or
+  `chatAccessTokenTTL`
+- Docstring updates for `read:sessions:{sessionId}` / `write:sessions:{sessionId}`
+  in `chat.ts:59` and `chat.ts:112` (functional but textually stale —
+  follow-up nit)
+
+---
+
+## What I'd be ready to answer cold
+
+- Why fire-and-forget upsert (vs. `await`) in the agent's bind step
+- Why the route's authorization resource set has three IDs (cross-form JWT
+  auth)
+- Why `POST /api/v1/sessions` lost `allowJWT` (security tightening — no
+  caller needs it after the transport's `ensureSession` is gone)
+- What converges two callers using different URL forms onto the same S2
+  stream (`canonicalSessionAddressingKey`, identical computation on both
+  sides for any given row)
+- What makes `sessions.create` race-safe under concurrent triggers
+  (`externalId` upsert)
+- Why `state.sessionId` stayed on `ChatSessionState` at all (pure
+  informational, surfaced via `onSessionChange` for consumer persistence;
+  zero addressing role)
+- Why the chat-client (server-side AgentChat) and chat (transport) edits
+  look near-identical (they implement the same client protocol against the
+  same row-agnostic routes)
diff --git a/.claude/rules/package-installation.md b/.claude/rules/package-installation.md
new file mode 100644
index 00000000000..310074823c5
--- /dev/null
+++ b/.claude/rules/package-installation.md
@@ -0,0 +1,22 @@
+---
+paths:
+  - "**/package.json"
+---
+
+# Installing Packages
+
+When adding a new dependency to any package.json in the monorepo:
+
+1. **Look up the latest version** on npm before adding:
+   ```bash
+   pnpm view <package-name> version
+   ```
+   If unsure which version to use (e.g. major version compatibility), confirm with the user.
+
+2. **Edit the package.json directly** — do NOT use `pnpm add` as it can cause issues in the monorepo. Add the dependency with the correct version range (typically `^x.y.z`).
+
+3. **Run `pnpm i` from the repo root** after editing to install and update the lockfile:
+   ```bash
+   pnpm i
+   ```
+   Always run from the repo root, not from the package directory.
diff --git a/.claude/rules/sdk-packages.md b/.claude/rules/sdk-packages.md
index 549eb341809..343be2045f8 100644
--- a/.claude/rules/sdk-packages.md
+++ b/.claude/rules/sdk-packages.md
@@ -9,4 +9,4 @@ paths:
 - Default to **patch**. Get maintainer approval for minor. Never select major without explicit approval.
 - `@trigger.dev/core`: **Never import the root**. Always use subpath imports (e.g., `@trigger.dev/core/v3`).
 - Do NOT update `rules/` or `.claude/skills/trigger-dev-tasks/` unless explicitly asked. These are maintained in separate dedicated passes.
-- Test changes using `references/hello-world` reference project.
+- Test changes using the `hello-world` project in the [`triggerdotdev/references`](https://github.com/triggerdotdev/references) repo.
diff --git a/.cursor/mcp.json b/.cursor/mcp.json
index da39e4ffafe..c4b06a67630 100644
--- a/.cursor/mcp.json
+++ b/.cursor/mcp.json
@@ -1,3 +1,7 @@
 {
-  "mcpServers": {}
+  "mcpServers": {
+    "linear": {
+      "url": "https://mcp.linear.app/mcp"
+    }
+  }
 }
diff --git a/.cursor/rules/webapp.mdc b/.cursor/rules/webapp.mdc
index a362f14fe12..f1333febdc0 100644
--- a/.cursor/rules/webapp.mdc
+++ b/.cursor/rules/webapp.mdc
@@ -4,7 +4,7 @@ globs: apps/webapp/**/*.tsx,apps/webapp/**/*.ts
 alwaysApply: false
 ---
 
-The main trigger.dev webapp, which powers it's API and dashboard and makes up the docker image that is produced as an OSS image, is a Remix 2.1.0 app that uses an express server, written in TypeScript. The following subsystems are either included in the webapp or are used by the webapp in another part of the monorepo:
+The main trigger.dev webapp, which powers it's API and dashboard and makes up the docker image that is produced as an OSS image, is a Remix 2.17.4 app that uses an express server, written in TypeScript. The following subsystems are either included in the webapp or are used by the webapp in another part of the monorepo:
 
 - `@trigger.dev/database` exports a Prisma 6.14.0 client that is used extensively in the webapp to access a PostgreSQL instance. The schema file is [schema.prisma](mdc:internal-packages/database/prisma/schema.prisma)
 - `@trigger.dev/core` is a published package and is used to share code between the `@trigger.dev/sdk` and the webapp. It includes functionality but also a load of Zod schemas for data validation. When importing from `@trigger.dev/core` in the webapp, we never import the root `@trigger.dev/core` path, instead we favor one of the subpath exports that you can find in [package.json](mdc:packages/core/package.json)
diff --git a/.env.example b/.env.example
index 69d5acdc560..c6980d7d77a 100644
--- a/.env.example
+++ b/.env.example
@@ -17,6 +17,11 @@ NODE_ENV=development
 CLICKHOUSE_URL=http://default:password@localhost:8123
 RUN_REPLICATION_CLICKHOUSE_URL=http://default:password@localhost:8123
 RUN_REPLICATION_ENABLED=1
+# Store task run spans/traces in ClickHouse so the dashboard trace view is
+# populated in local dev. The local stack is ClickHouse-backed (see above), so
+# leaving this unset falls back to the "postgres" store and dev run traces show
+# up empty even though the run itself appears.
+EVENT_REPOSITORY_DEFAULT_STORE=clickhouse_v2
 
 # Set this to UTC because Node.js uses the system timezone
 TZ="UTC"
@@ -29,6 +34,52 @@ REDIS_TLS_DISABLED="true"
 DEV_OTEL_EXPORTER_OTLP_ENDPOINT="http://localhost:3030/otel"
 DEV_OTEL_BATCH_PROCESSING_ENABLED="0"
 
+# Realtime streams v2 (Sessions, chat.agent, large stream backfills) backed
+# by S2 (https://s2.dev). The `s2` service in docker/docker-compose.yml runs
+# the open-source s2-lite binary and pre-creates a basin named `trigger-local`
+# (see docker/config/s2-spec.json). Comment these out to fall back to v1
+# (Redis-only) streams; Sessions and chat.agent then become unavailable.
+REALTIME_STREAMS_S2_BASIN=trigger-local
+REALTIME_STREAMS_S2_ACCESS_TOKEN=ignored
+REALTIME_STREAMS_S2_ENDPOINT=http://localhost:4566/v1
+REALTIME_STREAMS_S2_SKIP_ACCESS_TOKENS=true
+REALTIME_STREAMS_DEFAULT_VERSION=v2
+
+# Running multiple instances side by side (worktrees, branch experiments)
+#
+# Every host port in docker/docker-compose.yml is `${VAR:-default}` and the
+# project name comes from `COMPOSE_PROJECT_NAME`. To stand up a second stack
+# alongside the default one, uncomment the block below in this clone's `.env`
+# (pick any offset that doesn't clash with anything else running), then update
+# the URL/PORT vars further up to match. Default values are commented for
+# reference.
+#
+# --- core (pnpm run docker) ---
+# COMPOSE_PROJECT_NAME=triggerdotdev-docker-alt
+# CONTAINER_PREFIX=alt-
+# POSTGRES_HOST_PORT=15432           # default 5432
+# REDIS_HOST_PORT=16379              # default 6379
+# ELECTRIC_HOST_PORT=13060           # default 3060
+# MINIO_API_HOST_PORT=19005          # default 9005
+# MINIO_CONSOLE_HOST_PORT=19006      # default 9006
+# CLICKHOUSE_HTTP_HOST_PORT=18123    # default 8123
+# CLICKHOUSE_TCP_HOST_PORT=19000     # default 9000
+# S2_HOST_PORT=14566                 # default 4566
+# REMIX_APP_PORT=13030               # default 3030
+# --- extras (only needed if you also run `pnpm run docker:full`) ---
+# ELECTRIC_SHARD_1_HOST_PORT=13061   # default 3061
+# CH_UI_HOST_PORT=15521              # default 5521
+# TOXIPROXY_PROXY_HOST_PORT=40303    # default 30303
+# TOXIPROXY_API_HOST_PORT=18474      # default 8474
+# NGINX_H2_HOST_PORT=18443           # default 8443
+# OTEL_GRPC_HOST_PORT=14317          # default 4317
+# OTEL_HTTP_HOST_PORT=14318          # default 4318
+# OTEL_PROMETHEUS_HOST_PORT=18889    # default 8889
+# PROMETHEUS_HOST_PORT=19090         # default 9090
+# GRAFANA_HOST_PORT=13001            # default 3001
+# (and update DATABASE_URL / CLICKHOUSE_URL / REDIS_PORT / APP_ORIGIN /
+#  LOGIN_ORIGIN / ELECTRIC_ORIGIN / REALTIME_STREAMS_S2_ENDPOINT to match)
+
 # When the domain is set to `localhost` the CLI deploy command will only --load the image by default and not --push it
 DEPLOY_REGISTRY_HOST=localhost:5000
 
@@ -106,7 +157,7 @@ POSTHOG_PROJECT_KEY=
 # INTERNAL_OTEL_TRACE_LOGGING_ENABLED=1
 # INTERNAL_OTEL_TRACE_INSTRUMENT_PRISMA_ENABLED=0
 
-# Enable local observability stack (requires `pnpm run docker` to start otel-collector)
+# Enable local observability stack (requires `pnpm run docker:full` to bring up otel-collector + prometheus + grafana)
 # Uncomment these to send metrics to the local Prometheus via OTEL Collector:
 # INTERNAL_OTEL_METRIC_EXPORTER_ENABLED=1
 # INTERNAL_OTEL_METRIC_EXPORTER_URL=http://localhost:4318/v1/metrics
diff --git a/.github/VOUCHED.td b/.github/VOUCHED.td
index ce96548aa6f..922ca13cd65 100644
--- a/.github/VOUCHED.td
+++ b/.github/VOUCHED.td
@@ -11,10 +11,15 @@ myftija
 nicktrn
 samejr
 isshaddad
+# Bots
+devin-ai-integration[bot]
+dependabot[bot]
 # Outside contributors
 gautamsi
 capaj
 chengzp
 bharathkumar39293
 bhekanik
-jrossi
\ No newline at end of file
+jrossi
+ThullyoCunha
+ConProgramming
\ No newline at end of file
diff --git a/.github/actions/get-image-tag/action.yml b/.github/actions/get-image-tag/action.yml
index e0646230463..7f1505a0c11 100644
--- a/.github/actions/get-image-tag/action.yml
+++ b/.github/actions/get-image-tag/action.yml
@@ -23,35 +23,37 @@ runs:
       id: get_tag
       shell: bash
       run: |
-        if [[ -n "${{ inputs.tag }}" ]]; then
-          tag="${{ inputs.tag }}"
-        elif [[ "${{ github.ref_type }}" == "tag" ]]; then
-          if [[ "${{ github.ref_name }}" == infra-*-* ]]; then
-            env=$(echo ${{ github.ref_name }} | cut -d- -f2)
-            sha=$(echo ${{ github.sha }} | head -c7)
+        if [[ -n "${INPUTS_TAG}" ]]; then
+          tag="${INPUTS_TAG}"
+        elif [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then
+          if [[ "${GITHUB_REF_NAME}" == infra-*-* ]]; then
+            env=$(echo ${GITHUB_REF_NAME} | cut -d- -f2)
+            sha=$(echo "${GITHUB_SHA}" | head -c7)
             ts=$(date +%s)
             tag=${env}-${sha}-${ts}
-          elif [[ "${{ github.ref_name }}" == re2-*-* ]]; then
-            env=$(echo ${{ github.ref_name }} | cut -d- -f2)
-            sha=$(echo ${{ github.sha }} | head -c7)
+          elif [[ "${GITHUB_REF_NAME}" == re2-*-* ]]; then
+            env=$(echo ${GITHUB_REF_NAME} | cut -d- -f2)
+            sha=$(echo "${GITHUB_SHA}" | head -c7)
             ts=$(date +%s)
             tag=${env}-${sha}-${ts}
-          elif [[ "${{ github.ref_name }}" == v.docker.* ]]; then
+          elif [[ "${GITHUB_REF_NAME}" == v.docker.* ]]; then
             version="${GITHUB_REF_NAME#v.docker.}"
             tag="v${version}"
-          elif [[ "${{ github.ref_name }}" == build-* ]]; then
+          elif [[ "${GITHUB_REF_NAME}" == build-* ]]; then
             tag="${GITHUB_REF_NAME#build-}"
           else
-            echo "Invalid git tag: ${{ github.ref_name }}"
+            echo "Invalid git tag: ${GITHUB_REF_NAME}"
             exit 1
           fi
-        elif [[ "${{ github.ref_name }}" == "main" ]]; then
+        elif [[ "${GITHUB_REF_NAME}" == "main" ]]; then
           tag="main"
         else
-          echo "Invalid git ref: ${{ github.ref }}"
+          echo "Invalid git ref: ${GITHUB_REF}"
           exit 1
         fi
         echo "tag=${tag}" >> "$GITHUB_OUTPUT"
+      env:
+        INPUTS_TAG: ${{ inputs.tag }}
 
     - name: 🔍 Check for validity
       id: check_validity
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000000..7bb64f36744
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+    groups:
+      github-actions:
+        patterns:
+          - "*"
diff --git a/.github/workflows/changesets-pr.yml b/.github/workflows/changesets-pr.yml
index c7fc4e07136..e80ab04e7f1 100644
--- a/.github/workflows/changesets-pr.yml
+++ b/.github/workflows/changesets-pr.yml
@@ -22,20 +22,21 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+      checks: write
     if: github.repository == 'triggerdotdev/trigger.dev'
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked] changesets/action pushes the release branch; no artifact upload here so no leak path
         with:
           fetch-depth: 0
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
 
       - name: Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
           cache: "pnpm"
 
       - name: Install dependencies
@@ -43,7 +44,7 @@ jobs:
 
       - name: Create release PR
         id: changesets
-        uses: changesets/action@v1
+        uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0
         with:
           version: pnpm run changeset:version
           commit: "chore: release"
@@ -73,51 +74,26 @@ jobs:
             fi
           fi
 
-  update-lockfile:
-    name: Update lockfile on release PR
-    runs-on: ubuntu-latest
-    needs: release-pr
-    permissions:
-      contents: write
-    steps:
-      - name: Checkout release branch
-        uses: actions/checkout@v4
-        with:
-          ref: changeset-release/main
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10.23.0
-
-      - name: Setup node
-        uses: buildjet/setup-node@v4
-        with:
-          node-version: 20.20.0
-
-      - name: Install and update lockfile
-        run: pnpm install --no-frozen-lockfile
-
-      - name: Clean up consumed .server-changes/ files
-        run: |
-          set -e
-          shopt -s nullglob
-          files=(.server-changes/*.md)
-          for f in "${files[@]}"; do
-            if [ "$(basename "$f")" != "README.md" ]; then
-              git rm --ignore-unmatch "$f"
-            fi
-          done
-
-      - name: Commit and push lockfile + server-changes cleanup
+      # The changesets bot authors release PRs with GITHUB_TOKEN, which by GitHub
+      # design cannot trigger downstream workflows. That leaves the required
+      # "All PR Checks" status permanently Expected and the PR unmergeable.
+      # The release PR only bumps package.json + lockfile + CHANGELOGs from
+      # changesets already on main, so we self-report the required check as
+      # success. If a human ever pushes to changeset-release/main, the real
+      # pr_checks.yml fires and its result overwrites this one (last write wins
+      # for the same context on the same SHA).
+      - name: Self-report "All PR Checks" success on release PR
+        if: steps.changesets.outputs.published != 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          set -e
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          git add pnpm-lock.yaml
-          if ! git diff --cached --quiet; then
-            git commit -m "chore: update lockfile and clean up .server-changes/ for release"
-            git push origin changeset-release/main
-          else
-            echo "No changes to commit"
-          fi
+          PR_NUMBER=$(gh pr list --head changeset-release/main --json number --jq '.[0].number')
+          if [ -z "$PR_NUMBER" ]; then exit 0; fi
+          HEAD_SHA=$(gh pr view "$PR_NUMBER" --json headRefOid --jq '.headRefOid')
+          gh api -X POST repos/${{ github.repository }}/check-runs \
+            -f name="All PR Checks" \
+            -f head_sha="$HEAD_SHA" \
+            -f status=completed \
+            -f conclusion=success \
+            -f 'output[title]=Auto-pass for changeset release PR' \
+            -f 'output[summary]=Required check auto-satisfied for changeset-release/main PRs. Full CI ran on the underlying commits before they landed on main.'
diff --git a/.github/workflows/check-review-md.yml b/.github/workflows/check-review-md.yml
new file mode 100644
index 00000000000..fb093ac9a1c
--- /dev/null
+++ b/.github/workflows/check-review-md.yml
@@ -0,0 +1,92 @@
+name: 🔎 REVIEW.md Drift Audit
+
+on:
+  pull_request:
+    types: [opened, ready_for_review, synchronize]
+    paths-ignore:
+      - "docs/**"
+      - ".changeset/**"
+      - ".server-changes/**"
+
+concurrency:
+  group: review-md-drift-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  audit:
+    if: >-
+      github.event.pull_request.draft == false &&
+      github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1.0.133
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          use_sticky_comment: true
+          allowed_bots: "devin-ai-integration[bot]"
+
+          claude_args: |
+            --max-turns 30
+            --allowedTools "Read,Glob,Grep,Bash(git diff:*)"
+
+          prompt: |
+            You are auditing this PR for drift against `.claude/REVIEW.md`.
+
+            ## Context
+
+            `.claude/REVIEW.md` is the repo's source of truth for what AI / agent code reviewers should treat as critical findings (rolling-deploy safety, hot-table indexes, recovery-path queries, testcontainers usage, Lua versioning, etc.). It is consumed by review agents to calibrate severity. If REVIEW.md goes stale, every future agent review degrades.
+
+            ## Strategy — read this first
+
+            You have a hard turn budget. Spend it on signal, not coverage. The audit is allowed to miss things; it is NOT allowed to time out.
+
+            1. Read `.claude/REVIEW.md` once, in full.
+            2. Run `git diff origin/main...HEAD --name-only` to get the list of changed files. Do NOT read the diff content yet.
+            3. Scan the file-list for relevance to REVIEW.md scope. Relevance signals: changes to Prisma schema, Redis / queue / Lua code, hot tables, recovery / restart loops, new packages, deletions of paths REVIEW.md cites. Skim everything else.
+            4. Open at most **5 files** total — only the ones most likely to surface a real signal. If nothing in the file-list looks relevant to any REVIEW.md rule, do NOT read any files; go straight to the verdict.
+            5. Form a verdict and stop. Do not exhaust the turn budget exploring.
+
+            Large PRs (>50 files changed) are a strong signal to be MORE selective, not more thorough. Pick 3-5 files at most.
+
+            ## What to look for
+
+            - **Stale references** — does any REVIEW.md rule cite a file, directory, function, table, Prisma model, or package name that has been removed or renamed in this PR (or is already gone from `main`)?
+            - **Contradictions** — does code in this PR clearly violate a current REVIEW.md rule? (Don't re-review the PR. Only flag if REVIEW.md and the PR plainly disagree.)
+            - **Missing rules** — does this PR introduce a new pattern future reviewers should know about? Examples: a new hot table, a new Lua-script versioning convention, a new safety wrapper, a new "must always check" invariant.
+            - **Obsolete rules** — has the repo moved past a constraint REVIEW.md still asserts? (e.g. a deprecated path is gone, a pattern is now linted, V1 code is deleted.)
+
+            ## Response format
+
+            If nothing needs changing:
+
+            ✅ REVIEW.md looks current for this PR.
+
+            Otherwise:
+
+            📝 **REVIEW.md updates suggested:**
+
+            - **[stale]** `<rule excerpt>` — <what's stale and why>
+            - **[contradiction]** `<rule excerpt>` — <what in this PR disagrees>
+            - **[missing]** under `## <section>` — <one-sentence draft rule>
+            - **[obsolete]** `<rule excerpt>` — <why this rule no longer applies>
+
+            ## Rules
+
+            - Maximum 3 suggestions per audit. Pick the highest-signal ones.
+            - Only flag things that would actually mislead a future reviewer. Style and wording do not count.
+            - Do NOT review the PR itself. Do NOT propose rules outside REVIEW.md's existing sections.
+            - Do NOT propose rules for one-off PR specifics that don't generalize to future PRs.
+            - If REVIEW.md does not exist in the repo, respond with `(skip)` and stop.
+            - When in doubt between "one more file read" and "finish now" — finish now.
diff --git a/.github/workflows/claude-md-audit.yml b/.github/workflows/claude-md-audit.yml
index a80bbca0f52..32240ba5ea8 100644
--- a/.github/workflows/claude-md-audit.yml
+++ b/.github/workflows/claude-md-audit.yml
@@ -8,7 +8,6 @@ on:
       - ".changeset/**"
       - ".server-changes/**"
       - "**/*.md"
-      - "references/**"
 
 concurrency:
   group: claude-md-audit-${{ github.event.pull_request.number }}
@@ -16,7 +15,9 @@ concurrency:
 
 jobs:
   audit:
-    if: github.event.pull_request.draft == false
+    if: >-
+      github.event.pull_request.draft == false &&
+      github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -25,16 +26,18 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Run Claude Code
         id: claude
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1.0.133
         with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           use_sticky_comment: true
+          allowed_bots: "devin-ai-integration[bot]"
 
           claude_args: |
             --max-turns 15
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index cadbe31773f..1c783e7ef6d 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -19,26 +19,27 @@ jobs:
       (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      pull-requests: read
-      issues: read
+      contents: write
+      pull-requests: write
+      issues: write
       id-token: write
       actions: read # Required for Claude to read CI results on PRs
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10.23.0
+          version: 10.33.2
 
       - name: ⎔ Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
           cache: "pnpm"
 
       - name: 📥 Download deps
@@ -49,9 +50,9 @@ jobs:
 
       - name: Run Claude Code
         id: claude
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1.0.133
         with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 
           # This is an optional setting that allows Claude to read CI results on PRs
           additional_permissions: |
diff --git a/.github/workflows/dependabot-critical-alerts.yml b/.github/workflows/dependabot-critical-alerts.yml
new file mode 100644
index 00000000000..a71b14bebf9
--- /dev/null
+++ b/.github/workflows/dependabot-critical-alerts.yml
@@ -0,0 +1,83 @@
+name: Dependabot Critical Alerts
+
+on:
+  schedule:
+    - cron: "0 8 * * *"  # Daily 08:00 UTC
+  workflow_dispatch:
+    inputs:
+      severity:
+        description: "Severity to alert on"
+        type: choice
+        options:
+          - critical
+          - high
+          - medium
+          - low
+        default: critical
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+jobs:
+  alert:
+    name: Post critical alerts
+    runs-on: ubuntu-latest
+    environment: dependabot-summary
+    env:
+      SEVERITY: ${{ inputs.severity || 'critical' }}
+    steps:
+      - name: Fetch alerts
+        id: alerts
+        env:
+          GH_TOKEN: ${{ secrets.DEPENDABOT_ALERTS_TOKEN }}
+          REPO: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+          gh api -X GET "/repos/$REPO/dependabot/alerts" \
+            -F state=open -F severity="$SEVERITY" --paginate > pages.json
+          jq -s 'add' pages.json > alerts.json
+          TOTAL=$(jq 'length' alerts.json)
+          echo "total=$TOTAL" >> "$GITHUB_OUTPUT"
+          if [ "$TOTAL" = "0" ]; then
+            exit 0
+          fi
+          LIST=$(jq -r '
+            map("• <\(.html_url)|#\(.number)> *\(.dependency.package.name)* - \(.security_advisory.summary)")
+            | join("\n")
+          ' alerts.json)
+          {
+            echo "list<<EOF"
+            echo "$LIST"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Build Slack payload
+        if: steps.alerts.outputs.total != '0'
+        env:
+          REPO: ${{ github.repository }}
+          CHANNEL: ${{ vars.SLACK_CHANNEL_ID }}
+          TOTAL: ${{ steps.alerts.outputs.total }}
+          LIST: ${{ steps.alerts.outputs.list }}
+        run: |
+          jq -n \
+            --arg channel "$CHANNEL" \
+            --arg repo "$REPO" \
+            --arg total "$TOTAL" \
+            --arg list "$LIST" \
+            --arg severity "$SEVERITY" \
+            '{
+              channel: $channel,
+              text: ":bufo-alarma: `\($repo)` - *\($total) open \($severity) alert(s)*\n\($list)\n\n<https://github.com/\($repo)/security/dependabot?q=is%3Aopen+severity%3A\($severity)|View \($severity) alerts>"
+            }' > payload.json
+
+      - name: Post Slack alert
+        if: steps.alerts.outputs.total != '0'
+        uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload-file-path: payload.json
diff --git a/.github/workflows/dependabot-weekly-summary.yml b/.github/workflows/dependabot-weekly-summary.yml
new file mode 100644
index 00000000000..fb2717e2fb0
--- /dev/null
+++ b/.github/workflows/dependabot-weekly-summary.yml
@@ -0,0 +1,206 @@
+name: Dependabot Weekly Summary
+
+on:
+  schedule:
+    - cron: "0 8 * * 1"  # Mon 08:00 UTC
+  workflow_dispatch:
+
+# Single-purpose monitoring workflow; serialise on workflow name only - we never
+# want two concurrent summary runs racing to post the same digest.
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+permissions:
+  contents: read       # gh CLI baseline
+  pull-requests: read  # gh pr list (open dependabot PRs)
+  actions: read        # gh run list / view (parse latest dependabot run logs)
+
+jobs:
+  summary:
+    name: Post weekly Dependabot summary
+    runs-on: ubuntu-latest
+    environment: dependabot-summary
+    env:
+      # Severities surface in the actions list when their remaining TTR drops
+      # below this many days. Override via repo/env var ACTION_THRESHOLD_DAYS.
+      THRESHOLD_DAYS: ${{ vars.ACTION_THRESHOLD_DAYS || '7' }}
+    steps:
+      - name: Fetch alerts and compute summaries
+        id: alerts
+        env:
+          GH_TOKEN: ${{ secrets.DEPENDABOT_ALERTS_TOKEN }}
+          REPO: ${{ github.repository }}
+        run: |
+          if ! gh api -X GET "/repos/$REPO/dependabot/alerts" --paginate > pages.json 2> err.txt; then
+            echo "total=?" >> "$GITHUB_OUTPUT"
+            ERR=$(head -c 200 err.txt | tr '\n' ' ')
+            echo "by_severity=:x: _failed to fetch alerts: ${ERR}_" >> "$GITHUB_OUTPUT"
+            echo "actions=:x: _alerts unavailable_" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          jq -s '[.[][] | select(.state == "open")]' pages.json > open.json
+
+          TOTAL=$(jq 'length' open.json)
+          echo "total=$TOTAL" >> "$GITHUB_OUTPUT"
+
+          if [ "$TOTAL" = "0" ]; then
+            echo "by_severity=:white_check_mark: No open alerts." >> "$GITHUB_OUTPUT"
+            echo "actions=_None_" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # Severity breakdown - real newlines so jq --arg in the payload
+          # builder encodes them as proper \n in JSON (Slack renders as breaks).
+          BY_SEV=$(jq -r '
+            group_by(.security_advisory.severity)
+            | map({sev: .[0].security_advisory.severity,
+                   count: length,
+                   weight: ({"critical":0,"high":1,"medium":2,"low":3}[.[0].security_advisory.severity])})
+            | sort_by(.weight)
+            | map("• *\(.count)* \(.sev)")
+            | join("\n")
+          ' open.json)
+          {
+            echo "by_severity<<EOF"
+            echo "$BY_SEV"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+          # Actions: alerts within THRESHOLD_DAYS of their TTR (P0=7d, P1=30d, P2=90d, P3=no deadline)
+          # Grouped by (package, severity); shows earliest deadline per group.
+          ACTIONS=$(jq -r --argjson threshold "$THRESHOLD_DAYS" '
+            [.[]
+              | (.security_advisory.severity) as $sev
+              | ({"critical":7,"high":30,"medium":90,"low":null}[$sev]) as $ttr
+              | select($ttr != null)
+              | ((now - (.created_at | fromdateiso8601)) / 86400 | floor) as $age
+              | {pkg: .dependency.package.name, sev: $sev, remaining: ($ttr - $age)}
+            ]
+            | group_by([.pkg, .sev])
+            | map({pkg: .[0].pkg, sev: .[0].sev, count: length, min_remaining: ([.[].remaining] | min)})
+            | map(select(.min_remaining < $threshold))
+            | sort_by(.min_remaining)
+            | if length == 0 then "_None_"
+              else (map(
+                "• *\(.pkg)* (\(.sev))" +
+                (if .count > 1 then " ×\(.count)" else "" end) + " - " +
+                (if .min_remaining < 0 then "*OVERDUE* by \(-.min_remaining)d"
+                 else "\(.min_remaining)d remaining" end)
+              ) | join("\n"))
+              end
+          ' open.json)
+          {
+            echo "actions<<EOF"
+            echo "$ACTIONS"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Fetch open dependabot PRs
+        id: prs
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          REPO_URL: https://github.com/${{ github.repository }}
+        run: |
+          if ! PR_JSON=$(gh pr list --repo "$REPO" --state open --author "app/dependabot" --json number,title 2> err.txt); then
+            ERR=$(head -c 200 err.txt | tr '\n' ' ')
+            echo "list=:x: _failed to fetch PRs: ${ERR}_" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          LIST=$(echo "$PR_JSON" | jq -r --arg url "$REPO_URL" '
+            if length == 0 then "_None_"
+            else (map("• <\($url)/pull/\(.number)|#\(.number)> \(.title)") | join("\n"))
+            end
+          ')
+          {
+            echo "list<<EOF"
+            echo "$LIST"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Find latest npm dependabot run
+        id: latest
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+        run: |
+          # Repos without a dependabot.yml have no "Dependabot Updates" workflow;
+          # treat the lookup failure as "no recent run found" rather than failing.
+          if ! RUN_ID=$(gh run list --repo "$REPO" --workflow "Dependabot Updates" --status success --limit 30 --json databaseId,name --jq 'first(.[] | select(.name | startswith("npm_and_yarn")) | .databaseId) // empty' 2>/dev/null); then
+            RUN_ID=""
+          fi
+          echo "run_id=$RUN_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Extract stuck deps (only if actions pending)
+        id: stuck
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          RUN_ID: ${{ steps.latest.outputs.run_id }}
+          ACTIONS: ${{ steps.alerts.outputs.actions }}
+        run: |
+          # Skip the stuck section entirely when nothing in the actions list
+          # - keeps the digest tidy when there's nothing to actually act on.
+          if [ "$ACTIONS" = "_None_" ]; then
+            echo "section=" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          HEADER=$'\n\n*Couldn\'t auto-fix (need manual `pnpm.overrides`):*\n'
+          if [ -z "$RUN_ID" ]; then
+            {
+              echo "section<<EOF"
+              echo "${HEADER}_(no recent npm run found)_"
+              echo "EOF"
+            } >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          gh run view "$RUN_ID" --repo "$REPO" --log > log.txt 2>&1 || true
+          STUCK=$(grep -oE "No update possible for [^[:space:]]+ [0-9][^[:space:]]*" log.txt | sed 's/No update possible for //' | sort -u || true)
+          if [ -z "$STUCK" ]; then
+            {
+              echo "section<<EOF"
+              echo "${HEADER}_None_"
+              echo "EOF"
+            } >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          LIST=$(echo "$STUCK" | awk 'NR>1{printf "\n"} {printf "• *%s* %s", $1, $2}')
+          {
+            echo "section<<EOF"
+            echo "${HEADER}${LIST}"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Build Slack payload
+        env:
+          REPO: ${{ github.repository }}
+          CHANNEL: ${{ vars.SLACK_CHANNEL_ID }}
+          TOTAL: ${{ steps.alerts.outputs.total }}
+          BY_SEVERITY: ${{ steps.alerts.outputs.by_severity }}
+          PRS_LIST: ${{ steps.prs.outputs.list }}
+          ACTIONS: ${{ steps.alerts.outputs.actions }}
+          STUCK: ${{ steps.stuck.outputs.section }}
+        run: |
+          # Build payload via jq so PR titles or error strings containing
+          # quotes/backslashes/newlines can't break the JSON.
+          jq -n \
+            --arg channel "$CHANNEL" \
+            --arg repo "$REPO" \
+            --arg total "$TOTAL" \
+            --arg by_severity "$BY_SEVERITY" \
+            --arg prs_list "$PRS_LIST" \
+            --arg actions "$ACTIONS" \
+            --arg stuck "$STUCK" \
+            --arg threshold "$THRESHOLD_DAYS" \
+            '{
+              channel: $channel,
+              text: ":calendar: *Weekly Dependabot summary* - `\($repo)`\n\n*Open alerts (\($total)):*\n\($by_severity)\n\n*Open Dependabot PRs:*\n\($prs_list)\n\n*Actions needed (<\($threshold)d remaining):*\n\($actions)\($stuck)\n\n<https://github.com/\($repo)/security/dependabot|Dependabot alerts>"
+            }' > payload.json
+
+      - name: Post Slack summary
+        uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload-file-path: payload.json
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index bef575c353a..0cac7c8595f 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -26,10 +26,12 @@ jobs:
         working-directory: ./docs
     steps:
       - name: 📥 Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: 📦 Cache npm
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: |
             ~/.npm
diff --git a/.github/workflows/e2e-webapp-auth-full.yml b/.github/workflows/e2e-webapp-auth-full.yml
new file mode 100644
index 00000000000..de9d66c07e9
--- /dev/null
+++ b/.github/workflows/e2e-webapp-auth-full.yml
@@ -0,0 +1,120 @@
+name: "🛡️ E2E Tests: Webapp Auth (full)"
+
+# Comprehensive RBAC auth test suite — see TRI-8731. Runs separately from
+# the smoke e2e-webapp.yml because it covers every route family with a
+# pass/fail matrix and would otherwise dominate per-PR CI time.
+#
+# Triggered:
+#   - Manually via workflow_dispatch.
+#   - Nightly via schedule.
+#   - On pull requests touching auth-relevant files only (paths filter).
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 4 * * *" # 04:00 UTC daily
+  pull_request:
+    paths:
+      - "apps/webapp/app/services/routeBuilders/**"
+      - "apps/webapp/app/services/rbac.server.ts"
+      - "apps/webapp/app/services/apiAuth.server.ts"
+      - "apps/webapp/app/services/personalAccessToken.server.ts"
+      - "apps/webapp/app/services/sessionStorage.server.ts"
+      - "apps/webapp/app/routes/api.v*.**"
+      - "apps/webapp/app/routes/realtime.v*.**"
+      - "apps/webapp/test/**/*.e2e.full.test.ts"
+      - "apps/webapp/test/setup/global-e2e-full-setup.ts"
+      - "apps/webapp/test/helpers/sharedTestServer.ts"
+      - "apps/webapp/test/helpers/seedTestSession.ts"
+      - "apps/webapp/vitest.e2e.full.config.ts"
+      - "internal-packages/rbac/**"
+      - "packages/plugins/**"
+      - ".github/workflows/e2e-webapp-auth-full.yml"
+
+jobs:
+  e2eAuthFull:
+    name: "🛡️ E2E Auth Tests (full)"
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    env:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+    steps:
+      - name: 🔧 Disable IPv6
+        run: |
+          sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
+          sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
+          sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=1
+
+      - name: 🔧 Configure docker address pool
+        run: |
+          CONFIG='{
+            "default-address-pools" : [
+              {
+                "base" : "172.17.0.0/12",
+                "size" : 20
+              },
+              {
+                "base" : "192.168.0.0/16",
+                "size" : 24
+              }
+            ]
+          }'
+          mkdir -p /etc/docker
+          echo "$CONFIG" | sudo tee /etc/docker/daemon.json
+
+      - name: 🔧 Restart docker daemon
+        run: sudo systemctl restart docker
+
+      - name: ⬇️ Checkout repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          # Don't leave the GITHUB_TOKEN in .git/config — this job
+          # doesn't need to push and the persisted creds would be
+          # readable from any subsequent step (zizmor/artipacked).
+          persist-credentials: false
+
+      - name: ⎔ Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          version: 10.33.2
+
+      - name: ⎔ Setup node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: 20.20.2
+          cache: "pnpm"
+
+      - name: 🐳 Login to DockerHub
+        if: ${{ env.DOCKERHUB_USERNAME }}
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: 🐳 Skipping DockerHub login (no secrets available)
+        if: ${{ !env.DOCKERHUB_USERNAME }}
+        run: echo "DockerHub login skipped because secrets are not available."
+
+      - name: 🐳 Pre-pull testcontainer images
+        if: ${{ env.DOCKERHUB_USERNAME }}
+        run: |
+          docker pull postgres:14
+          docker pull redis:7.2
+          docker pull testcontainers/ryuk:0.11.0
+
+      - name: 📥 Download deps
+        run: pnpm install --frozen-lockfile
+
+      - name: 📀 Generate Prisma Client
+        run: pnpm run generate
+
+      - name: 🏗️ Build Webapp
+        run: pnpm run build --filter webapp
+
+      - name: 🛡️ Run Webapp Full Auth E2E Tests
+        run: cd apps/webapp && pnpm exec vitest run --config vitest.e2e.full.config.ts --reporter=default
+        env:
+          WEBAPP_TEST_VERBOSE: "1"
diff --git a/.github/workflows/e2e-webapp.yml b/.github/workflows/e2e-webapp.yml
new file mode 100644
index 00000000000..f306a86cd28
--- /dev/null
+++ b/.github/workflows/e2e-webapp.yml
@@ -0,0 +1,97 @@
+name: "🧪 E2E Tests: Webapp"
+
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: false
+      DOCKERHUB_TOKEN:
+        required: false
+
+jobs:
+  e2eTests:
+    name: "🧪 E2E Tests: Webapp"
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    env:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+    steps:
+      - name: 🔧 Disable IPv6
+        run: |
+          sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
+          sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
+          sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=1
+
+      - name: 🔧 Configure docker address pool
+        run: |
+          CONFIG='{
+            "default-address-pools" : [
+              {
+                "base" : "172.17.0.0/12",
+                "size" : 20
+              },
+              {
+                "base" : "192.168.0.0/16",
+                "size" : 24
+              }
+            ]
+          }'
+          mkdir -p /etc/docker
+          echo "$CONFIG" | sudo tee /etc/docker/daemon.json
+
+      - name: 🔧 Restart docker daemon
+        run: sudo systemctl restart docker
+
+      - name: ⬇️ Checkout repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: ⎔ Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          version: 10.33.2
+
+      - name: ⎔ Setup node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: 20.20.2
+          cache: "pnpm"
+
+      # ..to avoid rate limits when pulling images
+      - name: 🐳 Login to DockerHub
+        if: ${{ env.DOCKERHUB_USERNAME }}
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: 🐳 Skipping DockerHub login (no secrets available)
+        if: ${{ !env.DOCKERHUB_USERNAME }}
+        run: echo "DockerHub login skipped because secrets are not available."
+
+      - name: 🐳 Pre-pull testcontainer images
+        if: ${{ env.DOCKERHUB_USERNAME }}
+        run: |
+          echo "Pre-pulling Docker images with authenticated session..."
+          docker pull postgres:14
+          docker pull redis:7.2
+          docker pull testcontainers/ryuk:0.11.0
+          echo "Image pre-pull complete"
+
+      - name: 📥 Download deps
+        run: pnpm install --frozen-lockfile
+
+      - name: 📀 Generate Prisma Client
+        run: pnpm run generate
+
+      - name: 🏗️ Build Webapp
+        run: pnpm run build --filter webapp
+
+      - name: 🧪 Run Webapp E2E Tests
+        run: cd apps/webapp && pnpm exec vitest run --config vitest.e2e.config.ts --reporter=default
+        env:
+          WEBAPP_TEST_VERBOSE: "1"
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 9518ca6157c..a70f0400e0a 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -24,19 +24,20 @@ jobs:
         package-manager: ["npm", "pnpm"]
     steps:
       - name: ⬇️ Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10.23.0
+          version: 10.33.2
 
       - name: ⎔ Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
 
       - name: 📥 Download deps
         run: pnpm install --frozen-lockfile --filter trigger.dev...
@@ -48,7 +49,7 @@ jobs:
         run: pnpm run build --filter trigger.dev^...
 
       - name: 🔧 Build worker template files
-        run: pnpm --filter trigger.dev run build:workers
+        run: pnpm --filter trigger.dev run --if-present build:workers
 
       - name: Enable corepack
         run: corepack enable
diff --git a/.github/workflows/helm-pr-prerelease.yml b/.github/workflows/helm-pr-prerelease.yml
deleted file mode 100644
index 8df045945e6..00000000000
--- a/.github/workflows/helm-pr-prerelease.yml
+++ /dev/null
@@ -1,138 +0,0 @@
-name: 🧭 Helm Chart PR Prerelease
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-    paths:
-      - "hosting/k8s/helm/**"
-
-concurrency:
-  group: helm-prerelease-${{ github.event.pull_request.number }}
-  cancel-in-progress: true
-
-env:
-  REGISTRY: ghcr.io
-  CHART_NAME: trigger
-
-jobs:
-  lint-and-test:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up Helm
-        uses: azure/setup-helm@v4
-        with:
-          version: "3.18.3"
-
-      - name: Build dependencies
-        run: helm dependency build ./hosting/k8s/helm/
-
-      - name: Extract dependency charts
-        run: |
-          cd ./hosting/k8s/helm/
-          for file in ./charts/*.tgz; do echo "Extracting $file"; tar -xzf "$file" -C ./charts; done
-
-      - name: Lint Helm Chart
-        run: |
-          helm lint ./hosting/k8s/helm/
-
-      - name: Render templates
-        run: |
-          helm template test-release ./hosting/k8s/helm/ \
-            --values ./hosting/k8s/helm/values.yaml \
-            --output-dir ./helm-output
-
-      - name: Validate manifests
-        uses: docker://ghcr.io/yannh/kubeconform:v0.7.0
-        with:
-          entrypoint: "/kubeconform"
-          args: "-summary -output json ./helm-output"
-
-  prerelease:
-    needs: lint-and-test
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-      pull-requests: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up Helm
-        uses: azure/setup-helm@v4
-        with:
-          version: "3.18.3"
-
-      - name: Build dependencies
-        run: helm dependency build ./hosting/k8s/helm/
-
-      - name: Extract dependency charts
-        run: |
-          cd ./hosting/k8s/helm/
-          for file in ./charts/*.tgz; do echo "Extracting $file"; tar -xzf "$file" -C ./charts; done
-
-      - name: Log in to Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Generate prerelease version
-        id: version
-        run: |
-          BASE_VERSION=$(grep '^version:' ./hosting/k8s/helm/Chart.yaml | awk '{print $2}')
-          PR_NUMBER=${{ github.event.pull_request.number }}
-          SHORT_SHA=$(echo "${{ github.event.pull_request.head.sha }}" | cut -c1-7)
-          PRERELEASE_VERSION="${BASE_VERSION}-pr${PR_NUMBER}.${SHORT_SHA}"
-          echo "version=$PRERELEASE_VERSION" >> $GITHUB_OUTPUT
-          echo "Prerelease version: $PRERELEASE_VERSION"
-
-      - name: Update Chart.yaml with prerelease version
-        run: |
-          sed -i "s/^version:.*/version: ${{ steps.version.outputs.version }}/" ./hosting/k8s/helm/Chart.yaml
-
-      - name: Package Helm Chart
-        run: |
-          helm package ./hosting/k8s/helm/ --destination /tmp/
-
-      - name: Push Helm Chart to GHCR
-        run: |
-          VERSION="${{ steps.version.outputs.version }}"
-          CHART_PACKAGE="/tmp/${{ env.CHART_NAME }}-${VERSION}.tgz"
-
-          # Push to GHCR OCI registry
-          helm push "$CHART_PACKAGE" "oci://${{ env.REGISTRY }}/${{ github.repository_owner }}/charts"
-
-      - name: Find existing comment
-        uses: peter-evans/find-comment@v3
-        id: find-comment
-        with:
-          issue-number: ${{ github.event.pull_request.number }}
-          comment-author: "github-actions[bot]"
-          body-includes: "Helm Chart Prerelease Published"
-
-      - name: Create or update PR comment
-        uses: peter-evans/create-or-update-comment@v4
-        with:
-          comment-id: ${{ steps.find-comment.outputs.comment-id }}
-          issue-number: ${{ github.event.pull_request.number }}
-          body: |
-            ### 🧭 Helm Chart Prerelease Published
-
-            **Version:** `${{ steps.version.outputs.version }}`
-
-            **Install:**
-            ```bash
-            helm upgrade --install trigger \
-              oci://ghcr.io/${{ github.repository_owner }}/charts/trigger \
-              --version "${{ steps.version.outputs.version }}"
-            ```
-
-            > ⚠️ This is a prerelease for testing. Do not use in production.
-          edit-mode: replace
diff --git a/.github/workflows/helm-prerelease.yml b/.github/workflows/helm-prerelease.yml
new file mode 100644
index 00000000000..ff2c8f5a614
--- /dev/null
+++ b/.github/workflows/helm-prerelease.yml
@@ -0,0 +1,200 @@
+name: 🧭 Helm Chart Prerelease
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - "hosting/k8s/helm/**"
+  push:
+    branches:
+      - main
+    paths:
+      - "hosting/k8s/helm/**"
+  workflow_dispatch:
+    inputs:
+      app_version:
+        description: "Override appVersion (e.g. 'main', 'v4.4.4'). Leave empty to keep Chart.yaml value."
+        required: false
+        type: string
+        default: ""
+
+concurrency:
+  group: helm-prerelease-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+env:
+  REGISTRY: ghcr.io
+  CHART_NAME: trigger
+
+jobs:
+  lint-and-test:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set up Helm
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        with:
+          version: "3.18.3"
+
+      - name: Build dependencies
+        run: helm dependency build ./hosting/k8s/helm/
+
+      - name: Extract dependency charts
+        run: |
+          cd ./hosting/k8s/helm/
+          for file in ./charts/*.tgz; do echo "Extracting $file"; tar -xzf "$file" -C ./charts; done
+
+      - name: Lint Helm Chart
+        run: |
+          helm lint ./hosting/k8s/helm/
+
+      - name: Render templates
+        run: |
+          helm template test-release ./hosting/k8s/helm/ \
+            --values ./hosting/k8s/helm/values.yaml \
+            --output-dir ./helm-output
+
+      - name: Validate manifests
+        uses: docker://ghcr.io/yannh/kubeconform:v0.7.0@sha256:85dbef6b4b312b99133decc9c6fc9495e9fc5f92293d4ff3b7e1b30f5611823c
+        with:
+          entrypoint: "/kubeconform"
+          args: "-summary -output json ./helm-output"
+
+  prerelease:
+    needs: lint-and-test
+    if: |
+      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
+      github.event_name == 'push' ||
+      github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set up Helm
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        with:
+          version: "3.18.3"
+
+      - name: Build dependencies
+        run: helm dependency build ./hosting/k8s/helm/
+
+      - name: Extract dependency charts
+        run: |
+          cd ./hosting/k8s/helm/
+          for file in ./charts/*.tgz; do echo "Extracting $file"; tar -xzf "$file" -C ./charts; done
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate prerelease version
+        id: version
+        run: |
+          BASE_VERSION=$(grep '^version:' ./hosting/k8s/helm/Chart.yaml | awk '{print $2}')
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            PR_NUMBER=${{ github.event.pull_request.number }}
+            SHORT_SHA=$(echo "${{ github.event.pull_request.head.sha }}" | cut -c1-7)
+            PRERELEASE_VERSION="${BASE_VERSION}-pr${PR_NUMBER}.${SHORT_SHA}"
+          elif [[ "${{ github.event_name }}" == "push" ]]; then
+            SHORT_SHA=$(echo "${GITHUB_SHA}" | cut -c1-7)
+            PRERELEASE_VERSION="${BASE_VERSION}-main.${SHORT_SHA}"
+          else
+            SHORT_SHA=$(echo "${GITHUB_SHA}" | cut -c1-7)
+            REF_SLUG=$(echo "${GITHUB_REF_NAME}" | tr '/' '-' | tr -cd 'a-zA-Z0-9-')
+            if [[ -z "$REF_SLUG" ]]; then
+              REF_SLUG="manual"
+            fi
+            PRERELEASE_VERSION="${BASE_VERSION}-${REF_SLUG}.${SHORT_SHA}"
+          fi
+          echo "version=$PRERELEASE_VERSION" >> "$GITHUB_OUTPUT"
+          echo "Prerelease version: $PRERELEASE_VERSION"
+
+      - name: Update Chart.yaml with prerelease version
+        run: |
+          sed -i "s/^version:.*/version: ${STEPS_VERSION_OUTPUTS_VERSION}/" ./hosting/k8s/helm/Chart.yaml
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
+
+      - name: Override appVersion
+        if: github.event_name == 'workflow_dispatch' && inputs.app_version != ''
+        env:
+          APP_VERSION: ${{ inputs.app_version }}
+        run: |
+          yq -i '.appVersion = strenv(APP_VERSION)' ./hosting/k8s/helm/Chart.yaml
+
+      - name: Package Helm Chart
+        run: |
+          helm package ./hosting/k8s/helm/ --destination /tmp/
+
+      - name: Push Helm Chart to GHCR
+        run: |
+          VERSION="${STEPS_VERSION_OUTPUTS_VERSION}"
+          CHART_PACKAGE="/tmp/${{ env.CHART_NAME }}-${VERSION}.tgz"
+
+          # Push to GHCR OCI registry
+          helm push "$CHART_PACKAGE" "oci://${{ env.REGISTRY }}/${{ github.repository_owner }}/charts"
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
+
+      - name: Write run summary
+        run: |
+          {
+            echo "### 🧭 Helm Chart Prerelease Published"
+            echo ""
+            echo "**Version:** \`${STEPS_VERSION_OUTPUTS_VERSION}\`"
+            echo ""
+            echo "**Install:**"
+            echo '```bash'
+            echo "helm upgrade --install trigger \\"
+            echo "  oci://${{ env.REGISTRY }}/${{ github.repository_owner }}/charts/${{ env.CHART_NAME }} \\"
+            echo "  --version \"${STEPS_VERSION_OUTPUTS_VERSION}\""
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
+
+      - name: Find existing comment
+        if: github.event_name == 'pull_request'
+        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
+        id: find-comment
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: "github-actions[bot]"
+          body-includes: "Helm Chart Prerelease Published"
+
+      - name: Create or update PR comment
+        if: github.event_name == 'pull_request'
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+        with:
+          comment-id: ${{ steps.find-comment.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            ### 🧭 Helm Chart Prerelease Published
+
+            **Version:** `${{ steps.version.outputs.version }}`
+
+            **Install:**
+            ```bash
+            helm upgrade --install trigger \
+              oci://ghcr.io/${{ github.repository_owner }}/charts/trigger \
+              --version "${{ steps.version.outputs.version }}"
+            ```
+
+            > ⚠️ This is a prerelease for testing. Do not use in production.
+          edit-mode: replace
diff --git a/.github/workflows/pr_checks.yml b/.github/workflows/pr_checks.yml
index dab18223e35..95805539807 100644
--- a/.github/workflows/pr_checks.yml
+++ b/.github/workflows/pr_checks.yml
@@ -3,9 +3,6 @@ name: 🤖 PR Checks
 on:
   pull_request:
     types: [opened, synchronize, reopened]
-    paths-ignore:
-      - "docs/**"
-      - ".changeset/**"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -13,23 +10,169 @@ concurrency:
 
 permissions:
   contents: read
-  id-token: write
+  pull-requests: read
 
 jobs:
+  changes:
+    name: Detect changes
+    runs-on: ubuntu-latest
+    outputs:
+      code: ${{ steps.code_filter.outputs.code }}
+      typecheck_self: ${{ steps.filter.outputs.typecheck_self }}
+      webapp: ${{ steps.filter.outputs.webapp }}
+      packages: ${{ steps.filter.outputs.packages }}
+      internal: ${{ steps.filter.outputs.internal }}
+      cli: ${{ steps.filter.outputs.cli }}
+      sdk: ${{ steps.filter.outputs.sdk }}
+    steps:
+      # `code` uses `every` semantics so the negation patterns actually subtract.
+      # With the default `some` quantifier, `**` matches every file and the
+      # subsequent `!...` patterns are no-ops (each pattern is OR'd, not AND'd).
+      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+        id: code_filter
+        with:
+          predicate-quantifier: every
+          filters: |
+            code:
+              - '**'
+              - '!docs/**'
+              - '!.changeset/**'
+              - '!hosting/**'
+              - '!.github/**'
+              - '!**/*.md'
+              - '!**/.env.example'
+      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+        id: filter
+        with:
+          filters: |
+            typecheck_self:
+              - '.github/workflows/pr_checks.yml'
+              - '.github/workflows/typecheck.yml'
+            webapp:
+              - 'apps/webapp/**'
+              - 'packages/**'
+              - 'internal-packages/**'
+              - '.github/workflows/pr_checks.yml'
+              - '.github/workflows/unit-tests-webapp.yml'
+              - '.github/workflows/e2e-webapp.yml'
+              - '.configs/**'
+              - 'package.json'
+              - 'pnpm-lock.yaml'
+              - 'pnpm-workspace.yaml'
+              - 'turbo.json'
+            packages:
+              - 'packages/**'
+              - '.github/workflows/pr_checks.yml'
+              - '.github/workflows/unit-tests-packages.yml'
+              - '.configs/**'
+              - 'package.json'
+              - 'pnpm-lock.yaml'
+              - 'pnpm-workspace.yaml'
+              - 'turbo.json'
+            internal:
+              - 'internal-packages/**'
+              - 'packages/**'
+              - '.github/workflows/pr_checks.yml'
+              - '.github/workflows/unit-tests-internal.yml'
+              - '.configs/**'
+              - 'package.json'
+              - 'pnpm-lock.yaml'
+              - 'pnpm-workspace.yaml'
+              - 'turbo.json'
+            cli:
+              - 'packages/cli-v3/**'
+              - 'packages/build/**'
+              - 'packages/core/**'
+              - 'packages/schema-to-json/**'
+              - '.github/workflows/pr_checks.yml'
+              - '.github/workflows/e2e.yml'
+              - '.configs/**'
+              - 'package.json'
+              - 'pnpm-lock.yaml'
+              - 'pnpm-workspace.yaml'
+              - 'turbo.json'
+            sdk:
+              - 'packages/trigger-sdk/**'
+              - 'packages/core/**'
+              - '.github/workflows/pr_checks.yml'
+              - '.github/workflows/sdk-compat.yml'
+              - '.configs/**'
+              - 'package.json'
+              - 'pnpm-lock.yaml'
+              - 'pnpm-workspace.yaml'
+              - 'turbo.json'
+
   typecheck:
+    needs: changes
+    if: needs.changes.outputs.code == 'true' || needs.changes.outputs.typecheck_self == 'true'
     uses: ./.github/workflows/typecheck.yml
-    secrets: inherit
 
-  units:
-    uses: ./.github/workflows/unit-tests.yml
-    secrets: inherit
+  webapp:
+    needs: changes
+    if: needs.changes.outputs.webapp == 'true'
+    uses: ./.github/workflows/unit-tests-webapp.yml
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+
+  e2e-webapp:
+    needs: changes
+    if: needs.changes.outputs.webapp == 'true'
+    uses: ./.github/workflows/e2e-webapp.yml
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+
+  packages:
+    needs: changes
+    if: needs.changes.outputs.packages == 'true'
+    uses: ./.github/workflows/unit-tests-packages.yml
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+
+  internal:
+    needs: changes
+    if: needs.changes.outputs.internal == 'true'
+    uses: ./.github/workflows/unit-tests-internal.yml
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 
   e2e:
+    needs: changes
+    if: needs.changes.outputs.cli == 'true'
     uses: ./.github/workflows/e2e.yml
     with:
       package: cli-v3
-    secrets: inherit
 
   sdk-compat:
+    needs: changes
+    if: needs.changes.outputs.sdk == 'true'
     uses: ./.github/workflows/sdk-compat.yml
-    secrets: inherit
+
+  all-checks:
+    name: All PR Checks
+    needs:
+      - changes
+      - typecheck
+      - webapp
+      - e2e-webapp
+      - packages
+      - internal
+      - e2e
+      - sdk-compat
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+      - name: Verify all checks
+        run: |
+          if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" ]]; then
+            echo "One or more checks failed"
+            exit 1
+          fi
+          if [[ "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then
+            echo "One or more checks were cancelled"
+            exit 1
+          fi
+          echo "All checks passed or were skipped due to path filters"
diff --git a/.github/workflows/preview-dispatch.yml b/.github/workflows/preview-dispatch.yml
new file mode 100644
index 00000000000..3f26c66cf33
--- /dev/null
+++ b/.github/workflows/preview-dispatch.yml
@@ -0,0 +1,76 @@
+name: 🌱 Preview environment dispatch
+
+# Opt-in per-PR preview environments
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize, closed, labeled, unlabeled]
+
+# Serialize a PR's events so dispatches arrive in order. Cloud-side concurrency
+# collapses by branch but can't fix out-of-order arrival — e.g. a push racing a
+# close could cancel the in-flight destroy and leak the preview. One short API
+# call, so queuing is cheap; cancel-in-progress: false lets an in-flight
+# dispatch finish (GitHub keeps only the latest pending, the desired behavior).
+concurrency:
+  group: preview-dispatch-${{ github.event.pull_request.number }}
+  cancel-in-progress: false
+
+permissions: {}
+
+jobs:
+  dispatch:
+    name: Dispatch preview-deploy to cloud
+    runs-on: ubuntu-latest
+    #   label added             -> create
+    #   new commit while labeled -> update
+    #   label removed / PR closed -> destroy
+    if: >-
+      github.event.pull_request.head.repo.full_name == github.repository &&
+      (
+        (github.event.action == 'labeled' && github.event.label.name == 'preview') ||
+        (github.event.action == 'unlabeled' && github.event.label.name == 'preview') ||
+        (
+          contains(github.event.pull_request.labels.*.name, 'preview') &&
+          contains(fromJSON('["opened","reopened","synchronize","closed"]'), github.event.action)
+        )
+      )
+    steps:
+      - name: Build dispatch payload
+        id: payload
+        env:
+          ACTION: ${{ github.event.action }}
+          BRANCH: ${{ github.event.pull_request.head.ref }}
+          COMMIT: ${{ github.event.pull_request.head.sha }}
+        run: |
+          set -euo pipefail
+          # Map the GitHub PR action to the cloud pipeline's lifecycle event.
+          case "$ACTION" in
+            labeled | opened | reopened) EVENT=opened ;;
+            synchronize) EVENT=synchronize ;;
+            unlabeled | closed) EVENT=closed ;;
+            *) echo "unexpected action: $ACTION" >&2; exit 1 ;;
+          esac
+          # jq --arg JSON-escapes every value, so a branch name containing
+          # quotes/braces can't break or inject into the client payload.
+          payload=$(jq -nc \
+            --arg b "$BRANCH" \
+            --arg c "$COMMIT" \
+            --arg e "$EVENT" \
+            '{branch_name: $b, commit: $c, pull_request_event: $e}')
+          {
+            echo "client_payload=$payload"
+            echo "summary=$EVENT for $BRANCH @ ${COMMIT:0:7}"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Log dispatch
+        env:
+          SUMMARY: ${{ steps.payload.outputs.summary }}
+        run: echo "Dispatching preview-deploy event ($SUMMARY)"
+
+      - name: Send repository_dispatch
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        with:
+          token: ${{ secrets.CROSS_REPO_PAT }}
+          repository: triggerdotdev/cloud
+          event-type: preview-deploy
+          client-payload: ${{ steps.payload.outputs.client_payload }}
diff --git a/.github/workflows/preview-packages.yml b/.github/workflows/preview-packages.yml
new file mode 100644
index 00000000000..f4dd5b39930
--- /dev/null
+++ b/.github/workflows/preview-packages.yml
@@ -0,0 +1,83 @@
+name: 📦 Preview packages (pkg.pr.new)
+
+# Publishes installable preview builds of the public @trigger.dev/* packages
+# for every push to a branch, via https://pkg.pr.new. These are NOT published
+# to npm — pkg.pr.new serves them by commit SHA and drops install instructions
+# in a comment on the associated PR, e.g.
+#   npm i https://pkg.pr.new/@trigger.dev/sdk@<sha>
+#
+# Prerequisites:
+#   - The pkg.pr.new GitHub App must be installed on triggerdotdev/trigger.dev
+#     (https://github.com/apps/pkg-pr-new). Publishing fails until it is.
+#
+# Fork note: pkg.pr.new authenticates with a GitHub Actions OIDC token, which
+# GitHub does not issue to pull_request workflows from forks. This `push`
+# trigger therefore covers branches pushed to this repo (the core team), not
+# external fork PRs. Adding fork coverage would require a workflow_run two-stage
+# setup.
+
+on:
+  push:
+    branches-ignore:
+      - main
+      - changeset-release/main
+    paths:
+      - "package.json"
+      - "packages/**"
+      - "pnpm-lock.yaml"
+      - "pnpm-workspace.yaml"
+      - "turbo.json"
+      - ".github/workflows/preview-packages.yml"
+      - "scripts/stamp-preview-version.mjs"
+      - "scripts/updateVersion.ts"
+
+concurrency:
+  group: preview-packages-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  id-token: write # OIDC token used by pkg.pr.new to authenticate the publish
+
+jobs:
+  publish:
+    name: Build and publish previews
+    runs-on: ubuntu-latest
+    if: github.repository == 'triggerdotdev/trigger.dev'
+    steps:
+      - name: ⬇️ Checkout repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: ⎔ Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          version: 10.33.2
+
+      - name: ⎔ Setup node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: 20.20.0
+          cache: "pnpm"
+
+      - name: 📥 Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: 📀 Generate Prisma client
+        run: pnpm run generate
+
+      # Stamp a unique 0.0.0-preview-<sha> version before building so it can't
+      # collide with real npm versions and so updateVersion.ts bakes it into the
+      # runtime VERSION constant. See scripts/stamp-preview-version.mjs.
+      - name: 🏷️ Stamp preview version
+        run: node scripts/stamp-preview-version.mjs
+        env:
+          GITHUB_SHA: ${{ github.sha }}
+
+      - name: 🔨 Build packages
+        run: pnpm run build --filter "@trigger.dev/*" --filter "trigger.dev"
+
+      - name: 🚀 Publish previews to pkg.pr.new
+        run: pnpm exec pkg-pr-new publish --pnpm --compact --commentWithSha './packages/*'
diff --git a/.github/workflows/publish-webapp.yml b/.github/workflows/publish-webapp.yml
index 6fcc30209ab..5a604e26082 100644
--- a/.github/workflows/publish-webapp.yml
+++ b/.github/workflows/publish-webapp.yml
@@ -4,6 +4,7 @@ permissions:
   contents: read
   packages: write
   id-token: write
+  attestations: write
 
 on:
   workflow_call:
@@ -13,6 +14,27 @@ on:
         type: string
         required: false
         default: ""
+      image_registry:
+        description: The registry namespace to publish under (e.g. ghcr.io/<owner>)
+        type: string
+        required: false
+        default: ""
+    outputs:
+      version:
+        description: The published image tag
+        value: ${{ jobs.publish.outputs.version }}
+      short_sha:
+        description: Short commit SHA of the published build
+        value: ${{ jobs.publish.outputs.short_sha }}
+      image_repo:
+        description: The image repository the build was published to (without tag)
+        value: ${{ jobs.publish.outputs.image_repo }}
+      digest:
+        description: Multi-arch index digest (sha256:...) of the published image
+        value: ${{ jobs.publish.outputs.digest }}
+    secrets:
+      SENTRY_AUTH_TOKEN:
+        required: false
 
 jobs:
   publish:
@@ -22,14 +44,17 @@ jobs:
     outputs:
       version: ${{ steps.get_tag.outputs.tag }}
       short_sha: ${{ steps.get_commit.outputs.sha_short }}
+      image_repo: ${{ steps.set_tags.outputs.image_repo }}
+      digest: ${{ steps.build_push.outputs.digest }}
     steps:
       - name: 🏭 Setup Depot CLI
-        uses: depot/setup-action@v1
+        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
 
       - name: ⬇️ Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: recursive
+          persist-credentials: false
 
       - name: "#️⃣ Get the image tag"
         id: get_tag
@@ -40,42 +65,57 @@ jobs:
       - name: 🔢 Get the commit hash
         id: get_commit
         run: |
-          echo "sha_short=$(echo ${{ github.sha }} | cut -c1-7)" >> "$GITHUB_OUTPUT"
+          echo "sha_short=$(echo "${GITHUB_SHA}" | cut -c1-7)" >> "$GITHUB_OUTPUT"
 
       - name: 📛 Set the tags
         id: set_tags
         run: |
-          ref_without_tag=ghcr.io/triggerdotdev/trigger.dev
-          image_tags=$ref_without_tag:${{ steps.get_tag.outputs.tag }}
+          # The registry namespace is resolved by the caller (defaulting to
+          # ghcr.io/<owner>, overridable via the IMAGE_REGISTRY repository
+          # variable); the webapp image lives at <registry>/<repo-name>. A fork
+          # therefore publishes to its own package automatically.
+          image_tags=$REF_WITHOUT_TAG:${STEPS_GET_TAG_OUTPUTS_TAG}
 
-          # if tag is a semver, also tag it as v4
-          if [[ "${{ steps.get_tag.outputs.is_semver }}" == true ]]; then
-            # TODO: switch to v4 tag on GA
-            image_tags=$image_tags,$ref_without_tag:v4-beta
+          # when pushing the mutable main tag, also push an immutable-by-convention
+          # full-commit-sha tag so a commit can be resolved to a specific digest
+          if [[ "${STEPS_GET_TAG_OUTPUTS_TAG}" == "main" ]]; then
+            image_tags=$image_tags,$REF_WITHOUT_TAG:${GITHUB_SHA}
           fi
 
           echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
+          echo "image_repo=${REF_WITHOUT_TAG}" >> "$GITHUB_OUTPUT"
+        env:
+          REF_WITHOUT_TAG: ${{ format('{0}/{1}', inputs.image_registry || vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner), github.event.repository.name) }}
+          STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
+          STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}
 
       - name: 📝 Set the build info
         id: set_build_info
         run: |
-          tag=${{ steps.get_tag.outputs.tag }}
-          if [[ "${{ steps.get_tag.outputs.is_semver }}" == true ]]; then
-            echo "BUILD_APP_VERSION=${tag}" >> "$GITHUB_OUTPUT"
-          fi
-          echo "BUILD_GIT_SHA=${{ github.sha }}" >> "$GITHUB_OUTPUT"
-          echo "BUILD_GIT_REF_NAME=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
-          echo "BUILD_TIMESTAMP_SECONDS=$(date +%s)" >> "$GITHUB_OUTPUT"
+          {
+            tag="${STEPS_GET_TAG_OUTPUTS_TAG}"
+            if [[ "${STEPS_GET_TAG_OUTPUTS_IS_SEMVER}" == true ]]; then
+              echo "BUILD_APP_VERSION=${tag}"
+            fi
+            echo "BUILD_GIT_SHA=${GITHUB_SHA}"
+            echo "BUILD_GIT_REF_NAME=${GITHUB_REF_NAME}"
+            echo "BUILD_TIMESTAMP_SECONDS=$(date +%s)"
+            echo "BUILD_TIMESTAMP_RFC3339=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+          } >> "$GITHUB_OUTPUT"
+        env:
+          STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
+          STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}
 
       - name: 🐙 Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: 🐳 Build image and push to GitHub Container Registry
-        uses: depot/build-push-action@v1
+        id: build_push
+        uses: depot/build-push-action@98e78adca7817480b8185f474a400b451d74e287 # v1.18.0
         with:
           file: ./docker/Dockerfile
           platforms: linux/amd64,linux/arm64
@@ -86,8 +126,20 @@ jobs:
             BUILD_GIT_SHA=${{ steps.set_build_info.outputs.BUILD_GIT_SHA }}
             BUILD_GIT_REF_NAME=${{ steps.set_build_info.outputs.BUILD_GIT_REF_NAME }}
             BUILD_TIMESTAMP_SECONDS=${{ steps.set_build_info.outputs.BUILD_TIMESTAMP_SECONDS }}
+            BUILD_TIMESTAMP_RFC3339=${{ steps.set_build_info.outputs.BUILD_TIMESTAMP_RFC3339 }}
             SENTRY_RELEASE=${{ steps.set_build_info.outputs.BUILD_GIT_SHA }}
             SENTRY_ORG=triggerdev
             SENTRY_PROJECT=trigger-cloud
           secrets: |
             sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}
+
+      - name: 🪪 Attest build provenance
+        # Image is already pushed by this point — don't fail releases (and the
+        # downstream publish-helm job) on a Sigstore/GHCR-referrer hiccup. Real
+        # config errors still surface as a step warning in the workflow run.
+        continue-on-error: true
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-name: ${{ steps.set_tags.outputs.image_repo }}
+          subject-digest: ${{ steps.build_push.outputs.digest }}
+          push-to-registry: true
diff --git a/.github/workflows/publish-worker-v4.yml b/.github/workflows/publish-worker-v4.yml
index 4a2853da081..85ca903a8d6 100644
--- a/.github/workflows/publish-worker-v4.yml
+++ b/.github/workflows/publish-worker-v4.yml
@@ -8,6 +8,11 @@ on:
         type: string
         required: false
         default: ""
+      image_registry:
+        description: The registry namespace to publish under (e.g. ghcr.io/<owner>)
+        type: string
+        required: false
+        default: ""
   push:
     tags:
       - "re2-test-*"
@@ -37,19 +42,22 @@ jobs:
       DOCKER_BUILDKIT: "1"
     steps:
       - name: 🏭 Setup Depot CLI
-        uses: depot/setup-action@v1
+        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
 
       - name: ⬇️ Checkout git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: 📦 Get image repo
         id: get_repository
+        env:
+          PACKAGE: ${{ matrix.package }}
         run: |
-          if [[ "${{ matrix.package }}" == *-provider ]]; then
-            provider_type=$(echo "${{ matrix.package }}" | cut -d- -f1)
-            repo=provider/${provider_type}
+          if [[ "$PACKAGE" == *-provider ]]; then
+            repo="provider/${PACKAGE%-provider}"
           else
-            repo="${{ matrix.package }}"
+            repo="$PACKAGE"
           fi
           echo "repo=${repo}" >> "$GITHUB_OUTPUT"
 
@@ -62,26 +70,28 @@ jobs:
       - name: 📛 Set tags to push
         id: set_tags
         run: |
-          ref_without_tag=ghcr.io/triggerdotdev/${{ steps.get_repository.outputs.repo }}
-          image_tags=$ref_without_tag:${{ steps.get_tag.outputs.tag }}
-
-          # if tag is a semver, also tag it as v4
-          if [[ "${{ steps.get_tag.outputs.is_semver }}" == true ]]; then
-            # TODO: switch to v4 tag on GA
-            image_tags=$image_tags,$ref_without_tag:v4-beta
-          fi
+          # Resolved by the caller when invoked from publish.yml; falls back to the
+          # IMAGE_REGISTRY repository variable (or ghcr.io/<owner>) for the direct
+          # push triggers above, so a fork publishes to its own namespace.
+          ref_without_tag=${IMAGE_REGISTRY}/${STEPS_GET_REPOSITORY_OUTPUTS_REPO}
+          image_tags=$ref_without_tag:${STEPS_GET_TAG_OUTPUTS_TAG}
 
           echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
+        env:
+          IMAGE_REGISTRY: ${{ inputs.image_registry || vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
+          STEPS_GET_REPOSITORY_OUTPUTS_REPO: ${{ steps.get_repository.outputs.repo }}
+          STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
+          STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}
 
       - name: 🐙 Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: 🐳 Build image and push to GitHub Container Registry
-        uses: depot/build-push-action@v1
+        uses: depot/build-push-action@98e78adca7817480b8185f474a400b451d74e287 # v1.18.0
         with:
           file: ./apps/${{ matrix.package }}/Containerfile
           platforms: linux/amd64,linux/arm64
diff --git a/.github/workflows/publish-worker.yml b/.github/workflows/publish-worker.yml
index 74a70d83667..f443e5dab1e 100644
--- a/.github/workflows/publish-worker.yml
+++ b/.github/workflows/publish-worker.yml
@@ -8,6 +8,16 @@ on:
         type: string
         required: false
         default: ""
+      image_registry:
+        description: The registry namespace to publish under (e.g. ghcr.io/<owner>)
+        type: string
+        required: false
+        default: ""
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: false
+      DOCKERHUB_TOKEN:
+        required: false
   push:
     tags:
       - "infra-dev-*"
@@ -26,18 +36,22 @@ jobs:
     runs-on: ubuntu-latest
     env:
       DOCKER_BUILDKIT: "1"
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
     steps:
       - name: ⬇️ Checkout git repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: 📦 Get image repo
         id: get_repository
+        env:
+          PACKAGE: ${{ matrix.package }}
         run: |
-          if [[ "${{ matrix.package }}" == *-provider ]]; then
-            provider_type=$(echo "${{ matrix.package }}" | cut -d- -f1)
-            repo=provider/${provider_type}
+          if [[ "$PACKAGE" == *-provider ]]; then
+            repo="provider/${PACKAGE%-provider}"
           else
-            repo="${{ matrix.package }}"
+            repo="$PACKAGE"
           fi
           echo "repo=${repo}" >> "$GITHUB_OUTPUT"
 
@@ -47,11 +61,12 @@ jobs:
           tag: ${{ inputs.image_tag }}
 
       - name: 🐋 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
       # ..to avoid rate limits when pulling images
       - name: 🐳 Login to DockerHub
-        uses: docker/login-action@v3
+        if: ${{ env.DOCKERHUB_USERNAME }}
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -62,7 +77,7 @@ jobs:
 
       # ..to push image
       - name: 🐙 Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -73,7 +88,10 @@ jobs:
           docker tag infra_image "$REGISTRY/$REPOSITORY:$IMAGE_TAG"
           docker push "$REGISTRY/$REPOSITORY:$IMAGE_TAG"
         env:
-          REGISTRY: ghcr.io/triggerdotdev
+          # Resolved by the caller when invoked from publish.yml; falls back to the
+          # IMAGE_REGISTRY repository variable (or ghcr.io/<owner>) for the direct
+          # push triggers above, so a fork publishes to its own namespace.
+          REGISTRY: ${{ inputs.image_registry || vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
           REPOSITORY: ${{ steps.get_repository.outputs.repo }}
           IMAGE_TAG: ${{ steps.get_tag.outputs.tag }}
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6213499c5ad..2f2744c7702 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -8,6 +8,15 @@ on:
         description: The image tag to publish
         required: true
         type: string
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: false
+      DOCKERHUB_TOKEN:
+        required: false
+      SENTRY_AUTH_TOKEN:
+        required: false
+      CROSS_REPO_PAT:
+        required: false
   push:
     branches:
       - main
@@ -37,8 +46,6 @@ on:
       - "tests/**"
 
 permissions:
-  id-token: write
-  packages: write
   contents: read
 
 concurrency:
@@ -50,29 +57,107 @@ env:
 jobs:
   typecheck:
     uses: ./.github/workflows/typecheck.yml
-    secrets: inherit
 
   units:
     uses: ./.github/workflows/unit-tests.yml
-    secrets: inherit
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 
   publish-webapp:
     needs: [typecheck]
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/publish-webapp.yml
-    secrets: inherit
+    secrets:
+      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
     with:
       image_tag: ${{ inputs.image_tag }}
+      # Target registry namespace. Defaults to ghcr.io/<owner> so a fork publishes
+      # to its own namespace; set the IMAGE_REGISTRY repository variable to override.
+      image_registry: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
 
   publish-worker:
     needs: [typecheck]
+    permissions:
+      contents: read
+      packages: write
     uses: ./.github/workflows/publish-worker.yml
-    secrets: inherit
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
     with:
       image_tag: ${{ inputs.image_tag }}
+      image_registry: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
 
   publish-worker-v4:
     needs: [typecheck]
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     uses: ./.github/workflows/publish-worker-v4.yml
-    secrets: inherit
     with:
       image_tag: ${{ inputs.image_tag }}
+      image_registry: ${{ vars.IMAGE_REGISTRY || format('ghcr.io/{0}', github.repository_owner) }}
+
+  # OS-level CVE scan of the image just published above. Report-only (writes to
+  # the run summary); runs alongside the worker publishes and never blocks them.
+  scan-webapp:
+    needs: [publish-webapp]
+    permissions:
+      contents: read
+      packages: read # pull the just-published image from GHCR
+    uses: ./.github/workflows/trivy-image-webapp.yml
+    with:
+      image-ref: ${{ needs.publish-webapp.outputs.image_repo }}:${{ needs.publish-webapp.outputs.version }}
+
+  # Announce the freshly published mutable `main` webapp image to subscriber
+  # repos via repository_dispatch, handing them a digest-pinned ref to build or
+  # deploy from. The repo, ref prefix, and dispatch target all default to the
+  # canonical values and can be overridden by repository variables.
+  #
+  # `push` only: release builds reach publish.yml via workflow_call (from
+  # release.yml) with an explicit image_tag while github.ref_name is still
+  # `main`, so gate on the event to avoid dispatching — and failing on the
+  # absent CROSS_REPO_PAT — during a release.
+  dispatch-main-image:
+    name: 📣 Dispatch main image
+    needs: [publish-webapp]
+    if: github.repository == (vars.MAIN_IMAGE_DISPATCH_REPO || 'triggerdotdev/trigger.dev') && github.event_name == 'push' && startsWith(github.ref_name, vars.MAIN_IMAGE_DISPATCH_REF_PREFIX || 'main')
+    runs-on: ubuntu-latest
+    permissions: {}
+    steps:
+      - name: Build dispatch payload
+        id: payload
+        env:
+          IMAGE_REPO: ${{ needs.publish-webapp.outputs.image_repo }}
+          DIGEST: ${{ needs.publish-webapp.outputs.digest }}
+          COMMIT: ${{ github.sha }}
+        run: |
+          set -euo pipefail
+          # Pin to the exact multi-arch index just pushed so subscribers resolve a
+          # single immutable artifact rather than chasing the moving `main` tag.
+          if [[ -z "${DIGEST}" ]]; then
+            echo "::error::publish-webapp produced no image digest; refusing to dispatch"
+            exit 1
+          fi
+          image="${IMAGE_REPO}@${DIGEST}"
+          # jq --arg JSON-escapes every value, so the ref/commit can't break out of
+          # or inject into the client payload.
+          payload=$(jq -nc \
+            --arg img "$image" \
+            --arg c "$COMMIT" \
+            '{image: $img, commit: $c}')
+          echo "client_payload=$payload" >> "$GITHUB_OUTPUT"
+
+      - name: Send repository_dispatch
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        with:
+          token: ${{ secrets.CROSS_REPO_PAT }}
+          repository: ${{ vars.MAIN_IMAGE_DISPATCH_TARGET || 'triggerdotdev/cloud' }}
+          event-type: main-image-published
+          client-payload: ${{ steps.payload.outputs.client_payload }}
diff --git a/.github/workflows/release-helm.yml b/.github/workflows/release-helm.yml
index c6efd382ff6..13d28545e7f 100644
--- a/.github/workflows/release-helm.yml
+++ b/.github/workflows/release-helm.yml
@@ -4,6 +4,12 @@ on:
   push:
     tags:
       - 'helm-v*'
+  workflow_call:
+    inputs:
+      chart_version:
+        description: 'Chart version to release'
+        required: true
+        type: string
   workflow_dispatch:
     inputs:
       chart_version:
@@ -22,10 +28,12 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
         with:
           version: "3.18.3"
 
@@ -48,7 +56,7 @@ jobs:
             --output-dir ./helm-output
 
       - name: Validate manifests
-        uses: docker://ghcr.io/yannh/kubeconform:v0.7.0
+        uses: docker://ghcr.io/yannh/kubeconform:v0.7.0@sha256:85dbef6b4b312b99133decc9c6fc9495e9fc5f92293d4ff3b7e1b30f5611823c
         with:
           entrypoint: '/kubeconform'
           args: "-summary -output json ./helm-output"
@@ -61,10 +69,12 @@ jobs:
       packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
         with:
           version: "3.18.3"
 
@@ -77,7 +87,7 @@ jobs:
           for file in ./charts/*.tgz; do echo "Extracting $file"; tar -xzf "$file" -C ./charts; done
 
       - name: Log in to Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -86,18 +96,20 @@ jobs:
       - name: Extract version from tag or input
         id: version
         run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            VERSION="${{ github.event.inputs.chart_version }}"
+          if [ -n "${INPUTS_CHART_VERSION}" ]; then
+            VERSION="${INPUTS_CHART_VERSION}"
           else
-            VERSION="${{ github.ref_name }}"
+            VERSION="${GITHUB_REF_NAME}"
             VERSION="${VERSION#helm-v}"
           fi
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
           echo "Releasing version: $VERSION"
+        env:
+          INPUTS_CHART_VERSION: ${{ inputs.chart_version }}
 
       - name: Check Chart.yaml version matches release version
         run: |
-          VERSION="${{ steps.version.outputs.version }}"
+          VERSION="${STEPS_VERSION_OUTPUTS_VERSION}"
           CHART_VERSION=$(grep '^version:' ./hosting/k8s/helm/Chart.yaml | awk '{print $2}')
           echo "Chart.yaml version: $CHART_VERSION"
           echo "Release version: $VERSION"
@@ -106,6 +118,8 @@ jobs:
             exit 1
           fi
           echo "✅ Chart.yaml version matches release version."
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
 
       - name: Package Helm Chart
         run: |
@@ -113,18 +127,19 @@ jobs:
 
       - name: Push Helm Chart to GHCR
         run: |
-          VERSION="${{ steps.version.outputs.version }}"
+          VERSION="${STEPS_VERSION_OUTPUTS_VERSION}"
           CHART_PACKAGE="/tmp/${{ env.CHART_NAME }}-${VERSION}.tgz"
           
           # Push to GHCR OCI registry
           helm push "$CHART_PACKAGE" "oci://${{ env.REGISTRY }}/${{ github.repository_owner }}/charts"
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
 
       - name: Create GitHub Release
         id: release
-        uses: softprops/action-gh-release@v1
-        if: github.event_name == 'push'
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
         with:
-          tag_name: ${{ github.ref_name }}
+          tag_name: helm-v${{ steps.version.outputs.version }}
           name: "Helm Chart ${{ steps.version.outputs.version }}"
           body: |
             ### Installation
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 79b113b0f2a..e3b339dfca7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -33,6 +33,7 @@ jobs:
   show-release-summary:
     name: 📋 Release Summary
     runs-on: ubuntu-latest
+    permissions: {}
     if: |
       github.repository == 'triggerdotdev/trigger.dev' &&
       github.event_name == 'pull_request' &&
@@ -43,7 +44,7 @@ jobs:
         env:
           PR_BODY: ${{ github.event.pull_request.body }}
         run: |
-          echo "$PR_BODY" | sed -n '/^# Releases/,$p' >> $GITHUB_STEP_SUMMARY
+          echo "$PR_BODY" | sed -n '/^# Releases/,$p' >> "$GITHUB_STEP_SUMMARY"
 
   release:
     name: 🚀 Release npm packages
@@ -63,9 +64,10 @@ jobs:
       published: ${{ steps.changesets.outputs.published }}
       published_packages: ${{ steps.changesets.outputs.publishedPackages }}
       published_package_version: ${{ steps.get_version.outputs.package_version }}
+      is_prerelease: ${{ steps.get_version.outputs.is_prerelease }}
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked] needs persisted git creds for tag push; no artifact upload here so no leak path
         with:
           fetch-depth: 0
           ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.ref || github.sha }}
@@ -73,20 +75,22 @@ jobs:
       - name: Verify ref is on main
         if: github.event_name == 'workflow_dispatch'
         run: |
-          if ! git merge-base --is-ancestor ${{ github.event.inputs.ref }} origin/main; then
+          if ! git merge-base --is-ancestor "${GITHUB_EVENT_INPUTS_REF}" origin/main; then
             echo "Error: ref must be an ancestor of main (i.e., already merged)"
             exit 1
           fi
+        env:
+          GITHUB_EVENT_INPUTS_REF: ${{ github.event.inputs.ref }}
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10.23.0
+          version: 10.33.2
 
       - name: Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
           cache: "pnpm"
 
       # npm v11.5.1 or newer is required for OIDC support
@@ -108,7 +112,7 @@ jobs:
 
       - name: Publish
         id: changesets
-        uses: changesets/action@v1
+        uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0
         with:
           publish: pnpm run changeset:release
           createGithubReleases: false
@@ -119,28 +123,54 @@ jobs:
         if: steps.changesets.outputs.published == 'true'
         id: get_version
         run: |
-          package_version=$(echo '${{ steps.changesets.outputs.publishedPackages }}' | jq -r '.[0].version')
+          package_version=$(echo "${STEPS_CHANGESETS_OUTPUTS_PUBLISHEDPACKAGES}" | jq -r '.[0].version')
           echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+          # Any semver with a hyphen is a prerelease (e.g. 4.5.0-rc.0, 0.0.0-snapshot-...)
+          if [[ "${package_version}" == *-* ]]; then
+            echo "is_prerelease=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "is_prerelease=false" >> "$GITHUB_OUTPUT"
+          fi
+        env:
+          STEPS_CHANGESETS_OUTPUTS_PUBLISHEDPACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
 
       - name: Create unified GitHub release
         if: steps.changesets.outputs.published == 'true'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           RELEASE_PR_BODY: ${{ github.event.pull_request.body }}
+          STEPS_GET_VERSION_OUTPUTS_PACKAGE_VERSION: ${{ steps.get_version.outputs.package_version }}
+          STEPS_GET_VERSION_OUTPUTS_IS_PRERELEASE: ${{ steps.get_version.outputs.is_prerelease }}
         run: |
-          VERSION="${{ steps.get_version.outputs.package_version }}"
+          VERSION="${STEPS_GET_VERSION_OUTPUTS_PACKAGE_VERSION}"
           node scripts/generate-github-release.mjs "$VERSION" > /tmp/release-body.md
+          PRERELEASE_FLAG=""
+          if [ "${STEPS_GET_VERSION_OUTPUTS_IS_PRERELEASE}" = "true" ]; then
+            PRERELEASE_FLAG="--prerelease"
+          fi
           gh release create "v${VERSION}" \
             --title "trigger.dev v${VERSION}" \
             --notes-file /tmp/release-body.md \
-            --target main
+            --target main \
+            $PRERELEASE_FLAG
 
       - name: Create and push Docker tag
         if: steps.changesets.outputs.published == 'true'
         run: |
           set -e
-          git tag "v.docker.${{ steps.get_version.outputs.package_version }}"
-          git push origin "v.docker.${{ steps.get_version.outputs.package_version }}"
+          git tag "v.docker.${STEPS_GET_VERSION_OUTPUTS_PACKAGE_VERSION}"
+          git push origin "v.docker.${STEPS_GET_VERSION_OUTPUTS_PACKAGE_VERSION}"
+        env:
+          STEPS_GET_VERSION_OUTPUTS_PACKAGE_VERSION: ${{ steps.get_version.outputs.package_version }}
+
+      - name: Create and push Helm chart tag
+        if: steps.changesets.outputs.published == 'true'
+        run: |
+          set -e
+          git tag "helm-v${STEPS_GET_VERSION_OUTPUTS_PACKAGE_VERSION}"
+          git push origin "helm-v${STEPS_GET_VERSION_OUTPUTS_PACKAGE_VERSION}"
+        env:
+          STEPS_GET_VERSION_OUTPUTS_PACKAGE_VERSION: ${{ steps.get_version.outputs.package_version }}
 
   # Trigger Docker builds directly via workflow_call since tags pushed with
   # GITHUB_TOKEN don't trigger other workflows (GitHub Actions limitation).
@@ -148,11 +178,33 @@ jobs:
     name: 🐳 Publish Docker images
     needs: release
     if: needs.release.outputs.published == 'true'
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/publish.yml
-    secrets: inherit
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
     with:
       image_tag: v${{ needs.release.outputs.published_package_version }}
 
+  # Trigger Helm chart release directly via workflow_call (same GITHUB_TOKEN
+  # limitation as the Docker path). Runs after Docker images are published so
+  # the chart never references images that don't exist yet.
+  publish-helm:
+    name: 🧭 Publish Helm chart
+    needs: [release, publish-docker]
+    if: needs.release.outputs.published == 'true'
+    permissions:
+      contents: write
+      packages: write
+    uses: ./.github/workflows/release-helm.yml
+    with:
+      chart_version: ${{ needs.release.outputs.published_package_version }}
+
   # After Docker images are published, update the GitHub release with the exact GHCR tag URL.
   # The GHCR package version ID is only known after the image is pushed, so we query for it here.
   update-release:
@@ -167,9 +219,10 @@ jobs:
       - name: Update GitHub release with Docker image link
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NEEDS_RELEASE_OUTPUTS_PUBLISHED_PACKAGE_VERSION: ${{ needs.release.outputs.published_package_version }}
         run: |
           set -e
-          VERSION="${{ needs.release.outputs.published_package_version }}"
+          VERSION="${NEEDS_RELEASE_OUTPUTS_PUBLISHED_PACKAGE_VERSION}"
           TAG="v${VERSION}"
 
           # Query GHCR for the version ID matching this tag
@@ -199,10 +252,11 @@ jobs:
   dispatch-changelog:
     name: 📝 Dispatch changelog PR
     needs: [release, update-release]
-    if: needs.release.outputs.published == 'true'
+    if: needs.release.outputs.published == 'true' && needs.release.outputs.is_prerelease != 'true'
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
-      - uses: peter-evans/repository-dispatch@v3
+      - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         with:
           token: ${{ secrets.CROSS_REPO_PAT }}
           repository: triggerdotdev/trigger.dev-site-v3
@@ -220,20 +274,21 @@ jobs:
     if: github.repository == 'triggerdotdev/trigger.dev' && github.event_name == 'workflow_dispatch' && github.event.inputs.type == 'prerelease'
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           ref: ${{ github.event.inputs.ref }}
+          persist-credentials: false
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10.23.0
+          version: 10.33.2
 
       - name: Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
           cache: "pnpm"
 
       # npm v11.5.1 or newer is required for OIDC support
@@ -247,10 +302,18 @@ jobs:
       - name: Generate Prisma Client
         run: pnpm run generate
 
+      - name: Exit changeset pre mode (if active)
+        run: |
+          if [ -f .changeset/pre.json ]; then
+            echo "Repo is in changeset pre mode; exiting so snapshot release can run"
+            pnpm exec changeset pre exit
+          fi
+
       - name: Snapshot version
-        run: pnpm exec changeset version --snapshot ${{ github.event.inputs.prerelease_tag }}
+        run: pnpm exec changeset version --snapshot "${GITHUB_EVENT_INPUTS_PRERELEASE_TAG}"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_EVENT_INPUTS_PRERELEASE_TAG: ${{ github.event.inputs.prerelease_tag }}
 
       - name: Clean
         run: pnpm run clean --filter "@trigger.dev/*" --filter "trigger.dev"
@@ -259,6 +322,7 @@ jobs:
         run: pnpm run build --filter "@trigger.dev/*" --filter "trigger.dev"
 
       - name: Publish prerelease
-        run: pnpm exec changeset publish --no-git-tag --snapshot --tag ${{ github.event.inputs.prerelease_tag }}
+        run: pnpm exec changeset publish --no-git-tag --snapshot --tag "${GITHUB_EVENT_INPUTS_PRERELEASE_TAG}"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_EVENT_INPUTS_PRERELEASE_TAG: ${{ github.event.inputs.prerelease_tag }}
diff --git a/.github/workflows/sdk-compat.yml b/.github/workflows/sdk-compat.yml
index eb347c0f771..1510af23181 100644
--- a/.github/workflows/sdk-compat.yml
+++ b/.github/workflows/sdk-compat.yml
@@ -18,17 +18,18 @@ jobs:
 
     steps:
       - name: ⬇️ Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10.23.0
+          version: 10.33.2
 
       - name: ⎔ Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: ${{ matrix.node }}
           cache: "pnpm"
@@ -56,23 +57,24 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: ⬇️ Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10.23.0
+          version: 10.33.2
 
       - name: ⎔ Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
           cache: "pnpm"
 
       - name: 🥟 Setup Bun
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
         with:
           bun-version: latest
 
@@ -97,23 +99,24 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: ⬇️ Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10.23.0
+          version: 10.33.2
 
       - name: ⎔ Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
           cache: "pnpm"
 
       - name: 🦕 Setup Deno
-        uses: denoland/setup-deno@v2
+        uses: denoland/setup-deno@667a34cdef165d8d2b2e98dde39547c9daac7282 # v2.0.4
         with:
           deno-version: v2.x
 
@@ -142,19 +145,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: ⬇️ Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10.23.0
+          version: 10.33.2
 
       - name: ⎔ Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
           cache: "pnpm"
 
       - name: 📥 Download deps
diff --git a/.github/workflows/trivy-image-webapp.yml b/.github/workflows/trivy-image-webapp.yml
new file mode 100644
index 00000000000..7dae65ef2bf
--- /dev/null
+++ b/.github/workflows/trivy-image-webapp.yml
@@ -0,0 +1,75 @@
+name: Trivy Image Scan (webapp)
+
+# OS-level CVE scan of a published webapp image. Called by the publish pipeline
+# (publish.yml) to scan each build right after it's pushed to GHCR — so every
+# main build and every release is scanned, not rebuilt. Also runnable ad-hoc
+# via workflow_dispatch against any image ref.
+#
+# Report-only: writes a table to the run summary. No SARIF upload, no gate.
+# Library/dependency CVEs are covered by Dependabot, so this is restricted to
+# OS packages (`vuln-type: os`) to avoid double-reporting.
+
+on:
+  workflow_call:
+    inputs:
+      image-ref:
+        description: "Full image ref to scan (e.g. ghcr.io/triggerdotdev/trigger.dev:main)"
+        type: string
+        required: true
+  workflow_dispatch:
+    inputs:
+      image-ref:
+        description: "Full image ref to scan"
+        type: string
+        required: false
+        default: "ghcr.io/triggerdotdev/trigger.dev:main"
+
+permissions: {}
+
+concurrency:
+  group: trivy-image-webapp-${{ inputs.image-ref }}
+  cancel-in-progress: true
+
+jobs:
+  scan:
+    name: Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read # pull the image from GHCR
+    steps:
+      # Authenticate to GHCR so the scan also works for private images
+      # (GITHUB_TOKEN isn't forwarded to Docker automatically). Harmless for
+      # public images. Pairs with the packages: read permission above.
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run Trivy image scan
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+        with:
+          scan-type: image
+          image-ref: ${{ inputs.image-ref }}
+          # vuln-type maps to --pkg-types: OS packages only (library deps are
+          # Dependabot's job). ignore-unfixed drops vulns with no patch yet.
+          vuln-type: os
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
+          format: table
+          output: trivy-image-webapp.txt
+
+      - name: Job summary
+        if: always()
+        env:
+          IMAGE_REF: ${{ inputs.image-ref }}
+        run: |
+          {
+            echo "## Trivy Image Scan (webapp) — \`${IMAGE_REF}\`"
+            echo '```'
+            # GitHub step summary is capped at 1 MiB; truncate large reports.
+            head -c 900000 trivy-image-webapp.txt 2>/dev/null || echo "(no report produced)"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
diff --git a/.github/workflows/typecheck.yml b/.github/workflows/typecheck.yml
index 665d54b2563..91ec46f3a9a 100644
--- a/.github/workflows/typecheck.yml
+++ b/.github/workflows/typecheck.yml
@@ -12,19 +12,20 @@ jobs:
 
     steps:
       - name: ⬇️ Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10.23.0
+          version: 10.33.2
 
       - name: ⎔ Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
           cache: "pnpm"
 
       - name: 📥 Download deps
diff --git a/.github/workflows/unit-tests-internal.yml b/.github/workflows/unit-tests-internal.yml
index 92b951e8aa0..e2aae11b846 100644
--- a/.github/workflows/unit-tests-internal.yml
+++ b/.github/workflows/unit-tests-internal.yml
@@ -5,15 +5,22 @@ permissions:
 
 on:
   workflow_call:
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: false
+      DOCKERHUB_TOKEN:
+        required: false
 
 jobs:
   unitTests:
     name: "🧪 Unit Tests: Internal"
     runs-on: ubuntu-latest
     strategy:
+      # one flaky shard shouldn't cancel its siblings - lets us re-run only the failed shard
+      fail-fast: false
       matrix:
-        shardIndex: [1, 2, 3, 4, 5, 6, 7, 8]
-        shardTotal: [8]
+        shardIndex: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]
+        shardTotal: [12]
     env:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
       SHARD_INDEX: ${{ matrix.shardIndex }}
@@ -46,25 +53,26 @@ jobs:
         run: sudo systemctl restart docker
 
       - name: ⬇️ Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
+          fetch-depth: 1
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10.23.0
+          version: 10.33.2
 
       - name: ⎔ Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
           cache: "pnpm"
 
       # ..to avoid rate limits when pulling images
       - name: 🐳 Login to DockerHub
         if: ${{ env.DOCKERHUB_USERNAME }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -75,12 +83,22 @@ jobs:
       - name: 🐳 Pre-pull testcontainer images
         if: ${{ env.DOCKERHUB_USERNAME }}
         run: |
+          # Retry each pull - DockerHub registry timeouts are a recurring transient CI flake.
+          pull() {
+            for attempt in 1 2 3; do
+              docker pull "$1" && return 0
+              echo "::warning::docker pull $1 failed (attempt ${attempt}/3); retrying in 10s"
+              sleep 10
+            done
+            echo "::error::docker pull $1 failed after 3 attempts"
+            return 1
+          }
           echo "Pre-pulling Docker images with authenticated session..."
-          docker pull postgres:14
-          docker pull clickhouse/clickhouse-server:25.4-alpine
-          docker pull redis:7-alpine
-          docker pull testcontainers/ryuk:0.11.0
-          docker pull electricsql/electric:1.2.4
+          pull postgres:14
+          pull clickhouse/clickhouse-server:25.4-alpine
+          pull redis:7.2
+          pull testcontainers/ryuk:0.14.0
+          pull electricsql/electric:1.2.4
           echo "Image pre-pull complete"
 
       - name: 📥 Download deps
@@ -90,7 +108,7 @@ jobs:
         run: pnpm run generate
 
       - name: 🧪 Run Internal Unit Tests
-        run: pnpm run test:internal --reporter=default --reporter=blob --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
+        run: pnpm run test:internal --reporter=default --reporter=blob --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }} --passWithNoTests
 
       - name: Gather all reports
         if: ${{ !cancelled() }}
@@ -101,7 +119,7 @@ jobs:
 
       - name: Upload blob reports to GitHub Actions Artifacts
         if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: internal-blob-report-${{ matrix.shardIndex }}
           path: .vitest-reports/*
@@ -115,27 +133,28 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: ⬇️ Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
+          fetch-depth: 1
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10.23.0
+          version: 10.33.2
 
       - name: ⎔ Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
           # no cache enabled, we're not installing deps
 
       - name: Download blob reports from GitHub Actions Artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: .vitest-reports
           pattern: internal-blob-report-*
           merge-multiple: true
 
       - name: Merge reports
-        run: pnpm dlx vitest@3.1.4 run --merge-reports --pass-with-no-tests
+        run: pnpm dlx vitest@4.1.7 run --merge-reports --pass-with-no-tests
diff --git a/.github/workflows/unit-tests-packages.yml b/.github/workflows/unit-tests-packages.yml
index 78474e03f27..6642f2443c4 100644
--- a/.github/workflows/unit-tests-packages.yml
+++ b/.github/workflows/unit-tests-packages.yml
@@ -5,15 +5,22 @@ permissions:
 
 on:
   workflow_call:
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: false
+      DOCKERHUB_TOKEN:
+        required: false
 
 jobs:
   unitTests:
     name: "🧪 Unit Tests: Packages"
     runs-on: ubuntu-latest
     strategy:
+      # one flaky shard shouldn't cancel its siblings - lets us re-run only the failed shard
+      fail-fast: false
       matrix:
-        shardIndex: [1]
-        shardTotal: [1]
+        shardIndex: [1, 2, 3]
+        shardTotal: [3]
     env:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
       SHARD_INDEX: ${{ matrix.shardIndex }}
@@ -46,25 +53,26 @@ jobs:
         run: sudo systemctl restart docker
 
       - name: ⬇️ Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
+          fetch-depth: 1
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10.23.0
+          version: 10.33.2
 
       - name: ⎔ Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
           cache: "pnpm"
 
       # ..to avoid rate limits when pulling images
       - name: 🐳 Login to DockerHub
         if: ${{ env.DOCKERHUB_USERNAME }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -75,12 +83,22 @@ jobs:
       - name: 🐳 Pre-pull testcontainer images
         if: ${{ env.DOCKERHUB_USERNAME }}
         run: |
+          # Retry each pull - DockerHub registry timeouts are a recurring transient CI flake.
+          pull() {
+            for attempt in 1 2 3; do
+              docker pull "$1" && return 0
+              echo "::warning::docker pull $1 failed (attempt ${attempt}/3); retrying in 10s"
+              sleep 10
+            done
+            echo "::error::docker pull $1 failed after 3 attempts"
+            return 1
+          }
           echo "Pre-pulling Docker images with authenticated session..."
-          docker pull postgres:14
-          docker pull clickhouse/clickhouse-server:25.4-alpine
-          docker pull redis:7-alpine
-          docker pull testcontainers/ryuk:0.11.0
-          docker pull electricsql/electric:1.2.4
+          pull postgres:14
+          pull clickhouse/clickhouse-server:25.4-alpine
+          pull redis:7.2
+          pull testcontainers/ryuk:0.14.0
+          pull electricsql/electric:1.2.4
           echo "Image pre-pull complete"
 
       - name: 📥 Download deps
@@ -90,7 +108,7 @@ jobs:
         run: pnpm run generate
 
       - name: 🧪 Run Package Unit Tests
-        run: pnpm run test:packages --reporter=default --reporter=blob --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
+        run: pnpm run test:packages --reporter=default --reporter=blob --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }} --passWithNoTests
 
       - name: Gather all reports
         if: ${{ !cancelled() }}
@@ -101,7 +119,7 @@ jobs:
 
       - name: Upload blob reports to GitHub Actions Artifacts
         if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: packages-blob-report-${{ matrix.shardIndex }}
           path: .vitest-reports/*
@@ -115,27 +133,28 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: ⬇️ Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
+          fetch-depth: 1
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10.23.0
+          version: 10.33.2
 
       - name: ⎔ Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
           # no cache enabled, we're not installing deps
 
       - name: Download blob reports from GitHub Actions Artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: .vitest-reports
           pattern: packages-blob-report-*
           merge-multiple: true
 
       - name: Merge reports
-        run: pnpm dlx vitest@3.1.4 run --merge-reports --pass-with-no-tests
+        run: pnpm dlx vitest@4.1.7 run --merge-reports --pass-with-no-tests
diff --git a/.github/workflows/unit-tests-webapp.yml b/.github/workflows/unit-tests-webapp.yml
index 523a1887db8..dc1cc978f35 100644
--- a/.github/workflows/unit-tests-webapp.yml
+++ b/.github/workflows/unit-tests-webapp.yml
@@ -5,15 +5,22 @@ permissions:
 
 on:
   workflow_call:
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: false
+      DOCKERHUB_TOKEN:
+        required: false
 
 jobs:
   unitTests:
     name: "🧪 Unit Tests: Webapp"
     runs-on: ubuntu-latest
     strategy:
+      # one flaky shard shouldn't cancel its siblings - lets us re-run only the failed shard
+      fail-fast: false
       matrix:
-        shardIndex: [1, 2, 3, 4, 5, 6, 7, 8]
-        shardTotal: [8]
+        shardIndex: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
+        shardTotal: [10]
     env:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
       SHARD_INDEX: ${{ matrix.shardIndex }}
@@ -46,25 +53,26 @@ jobs:
         run: sudo systemctl restart docker
 
       - name: ⬇️ Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
+          fetch-depth: 1
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10.23.0
+          version: 10.33.2
 
       - name: ⎔ Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
           cache: "pnpm"
 
       # ..to avoid rate limits when pulling images
       - name: 🐳 Login to DockerHub
         if: ${{ env.DOCKERHUB_USERNAME }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -75,12 +83,23 @@ jobs:
       - name: 🐳 Pre-pull testcontainer images
         if: ${{ env.DOCKERHUB_USERNAME }}
         run: |
+          # Retry each pull - DockerHub registry timeouts are a recurring transient CI flake.
+          pull() {
+            for attempt in 1 2 3; do
+              docker pull "$1" && return 0
+              echo "::warning::docker pull $1 failed (attempt ${attempt}/3); retrying in 10s"
+              sleep 10
+            done
+            echo "::error::docker pull $1 failed after 3 attempts"
+            return 1
+          }
           echo "Pre-pulling Docker images with authenticated session..."
-          docker pull postgres:14
-          docker pull clickhouse/clickhouse-server:25.4-alpine
-          docker pull redis:7-alpine
-          docker pull testcontainers/ryuk:0.11.0
-          docker pull electricsql/electric:1.2.4
+          pull postgres:14
+          pull clickhouse/clickhouse-server:25.4-alpine
+          pull redis:7.2
+          pull testcontainers/ryuk:0.14.0
+          pull electricsql/electric:1.2.4
+          pull minio/minio:latest
           echo "Image pre-pull complete"
 
       - name: 📥 Download deps
@@ -90,7 +109,7 @@ jobs:
         run: pnpm run generate
 
       - name: 🧪 Run Webapp Unit Tests
-        run: pnpm run test:webapp --reporter=default --reporter=blob --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }}
+        run: pnpm run test:webapp --reporter=default --reporter=blob --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }} --passWithNoTests
         env:
           DATABASE_URL: postgresql://postgres:postgres@localhost:5432/postgres
           DIRECT_URL: postgresql://postgres:postgres@localhost:5432/postgres
@@ -109,7 +128,7 @@ jobs:
 
       - name: Upload blob reports to GitHub Actions Artifacts
         if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: webapp-blob-report-${{ matrix.shardIndex }}
           path: .vitest-reports/*
@@ -123,27 +142,28 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: ⬇️ Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
+          fetch-depth: 1
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 10.23.0
+          version: 10.33.2
 
       - name: ⎔ Setup node
-        uses: buildjet/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 20.20.0
+          node-version: 20.20.2
           # no cache enabled, we're not installing deps
 
       - name: Download blob reports from GitHub Actions Artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: .vitest-reports
           pattern: webapp-blob-report-*
           merge-multiple: true
 
       - name: Merge reports
-        run: pnpm dlx vitest@3.1.4 run --merge-reports --pass-with-no-tests
+        run: pnpm dlx vitest@4.1.7 run --merge-reports --pass-with-no-tests
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 7c90a5a30ad..96e76279c82 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -5,14 +5,30 @@ permissions:
 
 on:
   workflow_call:
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: false
+      DOCKERHUB_TOKEN:
+        required: false
 
 jobs:
   webapp:
     uses: ./.github/workflows/unit-tests-webapp.yml
-    secrets: inherit
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+  e2e-webapp:
+    uses: ./.github/workflows/e2e-webapp.yml
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
   packages:
     uses: ./.github/workflows/unit-tests-packages.yml
-    secrets: inherit
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
   internal:
     uses: ./.github/workflows/unit-tests-internal.yml
-    secrets: inherit
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
diff --git a/.github/workflows/vouch-check-pr.yml b/.github/workflows/vouch-check-pr.yml
index 21597cf467a..d854b1e0ce6 100644
--- a/.github/workflows/vouch-check-pr.yml
+++ b/.github/workflows/vouch-check-pr.yml
@@ -1,17 +1,18 @@
 name: Vouch - Check PR
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] needed to comment/close fork PRs; safe because we never check out PR HEAD ref so no fork-controlled code runs
     types: [opened, reopened]
 
-permissions:
-  contents: read
-  pull-requests: write
-  issues: read
+permissions: {}
 
 jobs:
   check-vouch:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write # auto-close unvouched PRs
+      issues: read
     steps:
       - uses: mitchellh/vouch/action/check-pr@c6d80ead49839655b61b422700b7a3bc9d0804a9 # v1.4.2
         with:
@@ -23,11 +24,16 @@ jobs:
 
   require-draft:
     needs: check-vouch
+    permissions:
+      pull-requests: write # close non-draft PRs with a comment
     if: >
       github.event.pull_request.draft == false &&
       github.event.pull_request.author_association != 'MEMBER' &&
       github.event.pull_request.author_association != 'OWNER' &&
-      github.event.pull_request.author_association != 'COLLABORATOR'
+      github.event.pull_request.author_association != 'COLLABORATOR' &&
+      github.event.pull_request.user.login != 'devin-ai-integration[bot]' &&
+      github.event.pull_request.user.login != 'dependabot[bot]' &&
+      github.event.pull_request.user.login != 'github-actions[bot]'
     runs-on: ubuntu-latest
     steps:
       - name: Close non-draft PR
diff --git a/.github/workflows/workflow-checks.yml b/.github/workflows/workflow-checks.yml
new file mode 100644
index 00000000000..a11918c04fe
--- /dev/null
+++ b/.github/workflows/workflow-checks.yml
@@ -0,0 +1,51 @@
+name: Workflow Checks
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
+      - '.github/zizmor.yml'
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
+      - '.github/zizmor.yml'
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  actionlint:
+    name: Actionlint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run actionlint
+        uses: docker://rhysd/actionlint:1.7.12@sha256:b1934ee5f1c509618f2508e6eb47ee0d3520686341fec936f3b79331f9315667
+
+  zizmor:
+    name: Zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Upload SARIF to GitHub Security tab
+      contents: read # Read workflow files for analysis
+      actions: read # Read workflow run metadata
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000000..2fcbb540127
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        '*': hash-pin
diff --git a/.gitignore b/.gitignore
index 5f6adddba0a..d5f0c945ad1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -65,7 +65,13 @@ apps/**/public/build
 /packages/trigger-sdk/src/package.json
 /packages/python/src/package.json
 **/.claude/settings.local.json
+.claude/architecture/
+.claude/docs-plans/
+.claude/review-guides/
+.claude/scheduled_tasks.lock
 .mcp.log
 .mcp.json
 .cursor/debug.log
-ailogger-output.log
\ No newline at end of file
+ailogger-output.log
+# per-package vitest timing capture (transient; merged into root test-timings.json)
+.vitest-timing.json
diff --git a/.nvmrc b/.nvmrc
index 7c663e0a0bd..c675bca8de0 100644
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-v20.20.0
\ No newline at end of file
+v20.20.2
diff --git a/.server-changes/README.md b/.server-changes/README.md
index 82716de981c..2b0eeade36b 100644
--- a/.server-changes/README.md
+++ b/.server-changes/README.md
@@ -38,6 +38,14 @@ Speed up batch queue processing by removing stalls and fixing retry race
 
 The body text (below the frontmatter) is a one-line description of the change. Keep it concise — it will appear in release notes.
 
+### Writing guidance
+
+These entries are public-facing - they ship verbatim in user-visible release notes. A few rules to keep them clean:
+
+- **One sentence is usually enough.** The body is the bullet in the changelog. If you need a paragraph, you're probably describing the implementation rather than the change.
+- **Describe behavior, not implementation.** Skip internal scopes, middleware names, library specifics, framework internals. Users care about what's different for them, not how it's wired.
+- **Never name internal tools or infra.** Observability stacks, internal services, infra components, monitoring backends, CI surfaces, AWS specifics - none of these belong in user-facing notes.
+
 ## Lifecycle
 
 1. Engineer adds a `.server-changes/` file in their PR
diff --git a/.server-changes/batch-fast-fail-queue-size-limit.md b/.server-changes/batch-fast-fail-queue-size-limit.md
deleted file mode 100644
index 77b926a5a80..00000000000
--- a/.server-changes/batch-fast-fail-queue-size-limit.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-area: webapp
-type: fix
----
-
-Batch items that hit the environment queue size limit now fast-fail without
-retries and without creating pre-failed TaskRuns.
diff --git a/.server-changes/bulk-action-cursor-pagination.md b/.server-changes/bulk-action-cursor-pagination.md
new file mode 100644
index 00000000000..5f506493d11
--- /dev/null
+++ b/.server-changes/bulk-action-cursor-pagination.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Fix run pagination that could duplicate or skip runs: the query orders by `(created_at, run_id)` but the cursor cut on `run_id` alone, which diverges when run_id order doesn't match created_at order (e.g. bulk replay re-processing runs). Cursors now encode the composite key as an opaque token and cut on the matching tuple; legacy bare-run_id cursors stay supported for in-flight pagination.
diff --git a/.server-changes/cancel-stale-delayed-snapshots.md b/.server-changes/cancel-stale-delayed-snapshots.md
new file mode 100644
index 00000000000..9a167c613b1
--- /dev/null
+++ b/.server-changes/cancel-stale-delayed-snapshots.md
@@ -0,0 +1,6 @@
+---
+area: supervisor
+type: fix
+---
+
+Cancel pending delayed snapshots when a run completes or disconnects, preventing stale snapshots from pausing microVMs that have moved on to new work.
diff --git a/.server-changes/compute-network-labels.md b/.server-changes/compute-network-labels.md
new file mode 100644
index 00000000000..874081885d5
--- /dev/null
+++ b/.server-changes/compute-network-labels.md
@@ -0,0 +1,6 @@
+---
+area: supervisor
+type: feature
+---
+
+Forward per-run identity labels to the compute provider on create and restore, letting network policy select runs (e.g. private link).
diff --git a/.server-changes/compute-org-label.md b/.server-changes/compute-org-label.md
new file mode 100644
index 00000000000..9306a0e2dc3
--- /dev/null
+++ b/.server-changes/compute-org-label.md
@@ -0,0 +1,8 @@
+---
+area: supervisor
+type: improvement
+---
+
+Compute workload manager now sets an `org` label on every run (create +
+restore) for network-policy selection, instead of a plan-gated label. The
+Kubernetes workload manager is unchanged.
diff --git a/.server-changes/env-vars-page-scope-values-to-visible-environments.md b/.server-changes/env-vars-page-scope-values-to-visible-environments.md
new file mode 100644
index 00000000000..067c04661b7
--- /dev/null
+++ b/.server-changes/env-vars-page-scope-values-to-visible-environments.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Speed up the environment variables page for projects with many archived preview branches. The page now only loads variable values for the environments it displays instead of every value ever created, including those left behind by archived branches.
diff --git a/.server-changes/hipaa-addon-pricing-cta.md b/.server-changes/hipaa-addon-pricing-cta.md
new file mode 100644
index 00000000000..8dc4a41f8b2
--- /dev/null
+++ b/.server-changes/hipaa-addon-pricing-cta.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: feature
+---
+
+Request a HIPAA BAA add-on directly from any paid pricing tier in the dashboard.
diff --git a/.server-changes/include-prisma-cli-in-prod-image.md b/.server-changes/include-prisma-cli-in-prod-image.md
new file mode 100644
index 00000000000..888544239fe
--- /dev/null
+++ b/.server-changes/include-prisma-cli-in-prod-image.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Fix database migrations failing to run in the production image because the Prisma CLI was missing from the build.
diff --git a/.server-changes/mollifier-decision-enrolled-org-labels.md b/.server-changes/mollifier-decision-enrolled-org-labels.md
new file mode 100644
index 00000000000..b9e8a11f84a
--- /dev/null
+++ b/.server-changes/mollifier-decision-enrolled-org-labels.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: improvement
+---
+
+Add bounded `enrolled` and `org` labels to the `mollifier.decisions` metric so per-enrolled-org pass-through vs mollify is visible (the `org` label is attached only for the enrolled cohort to keep cardinality bounded).
diff --git a/.server-changes/react-router-route-matching-perf.md b/.server-changes/react-router-route-matching-perf.md
new file mode 100644
index 00000000000..a264835af55
--- /dev/null
+++ b/.server-changes/react-router-route-matching-perf.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: improvement
+---
+
+Speed up the dashboard and API under high request load by memoizing react-router's per-request route matching, which previously re-flattened, re-ranked, and recompiled the entire route table on every request.
diff --git a/.server-changes/realtime-replica-read-consistency.md b/.server-changes/realtime-replica-read-consistency.md
new file mode 100644
index 00000000000..d23c73e682d
--- /dev/null
+++ b/.server-changes/realtime-replica-read-consistency.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Realtime feed reads now wait out measured read-replica lag and retry stale reads, so subscribers receive each change's current content instead of trailing one change behind when a read replica races the write.
diff --git a/.server-changes/realtime-runs-subscription-scalability.md b/.server-changes/realtime-runs-subscription-scalability.md
new file mode 100644
index 00000000000..5de00aae675
--- /dev/null
+++ b/.server-changes/realtime-runs-subscription-scalability.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: feature
+---
+
+Add a new backend for the realtime runs feed (single runs, tags, and batches) that scales under high concurrency, available behind a feature flag
diff --git a/.server-changes/require-plugins-fail-fast.md b/.server-changes/require-plugins-fail-fast.md
new file mode 100644
index 00000000000..591cd47c402
--- /dev/null
+++ b/.server-changes/require-plugins-fail-fast.md
@@ -0,0 +1,8 @@
+---
+area: webapp
+type: feature
+---
+
+Add `REQUIRE_PLUGINS=1` env var. When set, the RBAC plugin loader throws instead of silently falling back to the default implementation if the plugin module fails to load (missing, broken transitive dep, etc.). The webapp's `/healthcheck` route now resolves the lazy plugin controller so the throw surfaces during readiness probes — a deploy where the plugin didn't load fails the probe and is rolled back.
+
+Self-hosters leave `REQUIRE_PLUGINS` unset and continue to use the fallback when no plugin is installed.
diff --git a/.server-changes/retry-transient-instance-create-failures.md b/.server-changes/retry-transient-instance-create-failures.md
new file mode 100644
index 00000000000..f7b9c7afd11
--- /dev/null
+++ b/.server-changes/retry-transient-instance-create-failures.md
@@ -0,0 +1,6 @@
+---
+area: supervisor
+type: fix
+---
+
+Retry transient instance create failures during cold starts instead of waiting minutes for the run to be requeued.
diff --git a/.server-changes/runs-backward-pagination-slice.md b/.server-changes/runs-backward-pagination-slice.md
new file mode 100644
index 00000000000..41695f4e159
--- /dev/null
+++ b/.server-changes/runs-backward-pagination-slice.md
@@ -0,0 +1,14 @@
+---
+area: webapp
+type: fix
+---
+
+Fix an off-by-one in `ClickHouseRunsRepository.listRunIds` backward pagination.
+When paging backward with more rows before the page (`hasMore`), the displayed
+page was sliced as `rows.slice(1, size + 1)`, which dropped the row closest to
+the cursor and kept the extra "has-more" sentinel — returning a page that
+straddled two logical pages (one row from the correct previous page plus one
+from the page before it). The result set is always the first `page.size` rows
+(the sentinel is the trailing element in both directions), so the slice is now
+`rows.slice(0, size)` for forward and backward alike. Forward pagination and the
+cursor values were already correct and are unchanged.
diff --git a/.server-changes/runs-bulk-action-no-reload.md b/.server-changes/runs-bulk-action-no-reload.md
new file mode 100644
index 00000000000..1926ab20b75
--- /dev/null
+++ b/.server-changes/runs-bulk-action-no-reload.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Stop reloading the runs list when opening or closing the bulk action inspector
diff --git a/.server-changes/sanitize-agent-view-urls.md b/.server-changes/sanitize-agent-view-urls.md
new file mode 100644
index 00000000000..c534a03623d
--- /dev/null
+++ b/.server-changes/sanitize-agent-view-urls.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Sanitize URLs from streamed agent and tool data before rendering them in the dashboard's Agent view, so an unsafe scheme such as `javascript:` can no longer produce a clickable link or image source.
diff --git a/.server-changes/scheduled-run-region-display.md b/.server-changes/scheduled-run-region-display.md
new file mode 100644
index 00000000000..dca41c4341e
--- /dev/null
+++ b/.server-changes/scheduled-run-region-display.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Scheduled runs now show under their correct region in the dashboard, run details, and the API, and match region filters, instead of appearing under a separate region.
diff --git a/.server-changes/session-route-hardening.md b/.server-changes/session-route-hardening.md
new file mode 100644
index 00000000000..2734b35a784
--- /dev/null
+++ b/.server-changes/session-route-hardening.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Hardening fixes for realtime sessions: stricter authorization on snapshot URLs and out-channel appends, environment-scoped message delivery for waiting runs, and idempotent appends via the X-Part-Id header. Session creation now rejects expired sessions, externalId can no longer be changed after creation, and the sessions list returns friendly run ids.
diff --git a/.server-changes/snapshots-since-replica-primary-fallback.md b/.server-changes/snapshots-since-replica-primary-fallback.md
new file mode 100644
index 00000000000..9b8257f6410
--- /dev/null
+++ b/.server-changes/snapshots-since-replica-primary-fallback.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: improvement
+---
+
+Run snapshot polling no longer errors or pays extra latency when the database read replica hasn't yet replicated the snapshot the runner is polling from (`RUN_ENGINE_READ_REPLICA_SNAPSHOTS_SINCE_ENABLED`): the read is briefly retried on the replica and served from the primary if it still hasn't caught up. Polling also now rejects a since-snapshot id that doesn't belong to the run being polled.
diff --git a/.server-changes/stop-creating-taskruntag-records.md b/.server-changes/stop-creating-taskruntag-records.md
deleted file mode 100644
index 0b068d3c3ac..00000000000
--- a/.server-changes/stop-creating-taskruntag-records.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-area: webapp
-type: improvement
----
-
-Stop creating TaskRunTag records and _TaskRunToTaskRunTag join table entries during task triggering. The denormalized runTags string array on TaskRun already stores tag names, making the M2M relation redundant write overhead.
diff --git a/.server-changes/trace-export-formats.md b/.server-changes/trace-export-formats.md
new file mode 100644
index 00000000000..ff15483003f
--- /dev/null
+++ b/.server-changes/trace-export-formats.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: feature
+---
+
+Export a run's full trace from the run page as a downloadable Log, Markdown, or JSON Lines file, or copy it to the clipboard for pasting into an AI assistant. The export streams straight from the store, so even very large runs export reliably.
diff --git a/.server-changes/trace-page-payload-diet.md b/.server-changes/trace-page-payload-diet.md
new file mode 100644
index 00000000000..9f84e4b22db
--- /dev/null
+++ b/.server-changes/trace-page-payload-diet.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: improvement
+---
+
+Shrinks the run trace page loader payload by keeping raw span events server-side and makes large trace trees render more efficiently. Also adds an optional `TRACE_VIEW_EMERGENCY_SPAN_CAP` env var that clamps trace summary and detailed summary span limits on both event store paths.
diff --git a/.server-changes/trigger-worker-queue-db-error-leak.md b/.server-changes/trigger-worker-queue-db-error-leak.md
new file mode 100644
index 00000000000..9725ef9f2eb
--- /dev/null
+++ b/.server-changes/trigger-worker-queue-db-error-leak.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Stop `trigger()` from leaking raw database connection errors to API clients during a database outage; infrastructure errors now return a generic, retryable 500.
diff --git a/.server-changes/vercel-auto-promote-toggle.md b/.server-changes/vercel-auto-promote-toggle.md
deleted file mode 100644
index bb5f25a21c1..00000000000
--- a/.server-changes/vercel-auto-promote-toggle.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-area: webapp
-type: feature
----
-
-Vercel integration option to disable auto promotions
diff --git a/.vouch.yml b/.vouch.yml
index 8a9668392d3..ec6e85aa705 100644
--- a/.vouch.yml
+++ b/.vouch.yml
@@ -1,2 +1,4 @@
 vouch:
   - github: edosrecki
+  - github: GautamBytes
+  - github: ConProgramming
diff --git a/.vscode/launch.json b/.vscode/launch.json
index 71a76904a2b..1044443e197 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -47,78 +47,6 @@
       "url": "http://localhost:3030",
       "webRoot": "${workspaceFolder}/apps/webapp/app"
     },
-    {
-      "type": "node-terminal",
-      "request": "launch",
-      "name": "Debug V3 init CLI",
-      "command": "pnpm exec trigger init",
-      "cwd": "${workspaceFolder}/references/init-shell",
-      "sourceMaps": true
-    },
-    {
-      "type": "node-terminal",
-      "request": "launch",
-      "name": "Debug V3 init dev CLI",
-      "command": "pnpm exec trigger dev",
-      "cwd": "${workspaceFolder}/references/init-shell",
-      "sourceMaps": true
-    },
-    {
-      "type": "node-terminal",
-      "request": "launch",
-      "name": "Debug V3 Dev CLI",
-      "command": "pnpm exec trigger dev",
-      "cwd": "${workspaceFolder}/references/hello-world",
-      "sourceMaps": true
-    },
-    {
-      "type": "node-terminal",
-      "request": "launch",
-      "name": "Debug Dev Next.js Realtime",
-      "command": "pnpm exec trigger dev",
-      "cwd": "${workspaceFolder}/references/nextjs-realtime",
-      "sourceMaps": true
-    },
-    {
-      "type": "node-terminal",
-      "request": "launch",
-      "name": "Debug prisma-catalog deploy CLI",
-      "command": "pnpm exec trigger deploy --self-hosted --load-image",
-      "cwd": "${workspaceFolder}/references/prisma-catalog",
-      "sourceMaps": true
-    },
-    {
-      "type": "node-terminal",
-      "request": "launch",
-      "name": "Debug V3 Deploy CLI",
-      "command": "pnpm exec trigger deploy --self-hosted --load-image",
-      "cwd": "${workspaceFolder}/references/hello-world",
-      "sourceMaps": true
-    },
-    {
-      "type": "node-terminal",
-      "request": "launch",
-      "name": "Debug V3 list-profiles CLI",
-      "command": "pnpm exec trigger list-profiles --log-level debug",
-      "cwd": "${workspaceFolder}/references/hello-world",
-      "sourceMaps": true
-    },
-    {
-      "type": "node-terminal",
-      "request": "launch",
-      "name": "Debug V3 update CLI",
-      "command": "pnpm exec trigger update",
-      "cwd": "${workspaceFolder}/references/hello-world",
-      "sourceMaps": true
-    },
-    {
-      "type": "node-terminal",
-      "request": "launch",
-      "name": "Debug V3 Management",
-      "command": "pnpm run management",
-      "cwd": "${workspaceFolder}/references/hello-world",
-      "sourceMaps": true
-    },
     {
       "type": "node",
       "request": "attach",
@@ -135,14 +63,6 @@
       "cwd": "${workspaceFolder}/packages/cli-v3",
       "sourceMaps": true
     },
-    {
-      "type": "node-terminal",
-      "request": "launch",
-      "name": "debug v3 hello-world dev",
-      "command": "pnpm exec trigger dev",
-      "cwd": "${workspaceFolder}/references/hello-world",
-      "sourceMaps": true
-    },
     {
       "type": "node-terminal",
       "request": "launch",
@@ -158,14 +78,6 @@
       "command": "pnpm run test ./src/run-queue/index.test.ts --run",
       "cwd": "${workspaceFolder}/internal-packages/run-engine",
       "sourceMaps": true
-    },
-    {
-      "type": "node-terminal",
-      "request": "launch",
-      "name": "Debug d3-demo",
-      "command": "pnpm exec trigger dev",
-      "cwd": "${workspaceFolder}/references/d3-demo",
-      "sourceMaps": true
     }
   ]
 }
diff --git a/.vscode/settings.json b/.vscode/settings.json
index fd9f3dcde0c..f969bb6d5de 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,5 +1,5 @@
 {
-  "deno.enablePaths": ["references/deno-reference", "runtime_tests/tests/deno"],
+  "deno.enablePaths": ["runtime_tests/tests/deno"],
   "debug.toolBarLocation": "commandCenter",
   "typescript.tsdk": "node_modules/typescript/lib",
   "search.exclude": {
diff --git a/AGENTS.md b/AGENTS.md
index 99496f91bde..8ff9f18663c 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -7,18 +7,19 @@ This repository is a pnpm monorepo managed with Turbo. It contains multiple apps
 - `apps/supervisor` – Node application for executing built tasks.
 - `packages/*` – Published packages such as `@trigger.dev/sdk`, the CLI (`trigger.dev`), and shared libraries.
 - `internal-packages/*` – Internal-only packages used by the webapp and other apps.
-- `references/*` – Example projects for manual testing and development of new features.
+- Example/reference projects for manual testing live in a separate repo: [`triggerdotdev/references`](https://github.com/triggerdotdev/references).
 - `ai/references` – Contains additional documentation including an overview (`repo.md`) and testing guidelines (`tests.md`).
 
 See `ai/references/repo.md` for a more complete explanation of the workspaces.
 
 ## Development setup
-1. Install dependencies with `pnpm i` (pnpm `10.23.0` and Node.js `20.20.0` are required).
+1. Install dependencies with `pnpm i` (pnpm `10.33.2` and Node.js `20.20.2` are required).
 2. Copy `.env.example` to `.env` and generate a random 16 byte hex string for `ENCRYPTION_KEY` (`openssl rand -hex 16`). Update other secrets if needed.
 3. Start the local services with Docker:
    ```bash
    pnpm run docker
    ```
+   Add `:full` (`pnpm run docker:full`) for the optional observability + chaos tooling. See `docker/docker-compose.extras.yml`.
 4. Run database migrations:
    ```bash
    pnpm run db:migrate
@@ -64,5 +65,5 @@ Refer to `ai/references/tests.md` for details on writing tests. Tests should avo
   ```bash
   pnpm run dev --filter docs
   ```
-- `references/README.md` explains how to create new reference projects for manual testing.
+- The [`triggerdotdev/references`](https://github.com/triggerdotdev/references) repo's README explains how to create new reference projects for manual testing.
 
diff --git a/CLAUDE.md b/CLAUDE.md
index 0a54cced672..c0fd82fb368 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -4,10 +4,13 @@ This file provides guidance to Claude Code when working with this repository. Su
 
 ## Build and Development Commands
 
-This is a pnpm 10.23.0 monorepo using Turborepo. Run commands from root with `pnpm run`.
+This is a pnpm 10.33.2 monorepo using Turborepo. Run commands from root with `pnpm run`.
+
+**Adding dependencies:** Edit `package.json` directly instead of using `pnpm add`, then run `pnpm i` from the repo root. See `.claude/rules/package-installation.md` for the full process.
 
 ```bash
-pnpm run docker              # Start Docker services (PostgreSQL, Redis, Electric)
+pnpm run docker              # Core dev services (Postgres, Redis, Electric, MinIO, ClickHouse, s2-lite)
+# pnpm run docker:full       # Same + observability stack (Prometheus, Grafana, OTEL) and chaos tooling
 pnpm run db:migrate           # Run database migrations
 pnpm run db:seed              # Seed the database (required for reference projects)
 
@@ -66,6 +69,17 @@ containerTest("should use both", async ({ prisma, redisOptions }) => {
 });
 ```
 
+## Code Style
+
+### Imports
+
+**Prefer static imports over dynamic imports.** Only use dynamic `import()` when:
+- Circular dependencies cannot be resolved otherwise
+- Code splitting is genuinely needed for performance
+- The module must be loaded conditionally at runtime
+
+Dynamic imports add unnecessary overhead in hot paths and make code harder to analyze. If you find yourself using `await import()`, ask if a regular `import` statement would work instead.
+
 ## Changesets and Server Changes
 
 When modifying any public package (`packages/*` or `integrations/*`), add a changeset:
@@ -92,7 +106,7 @@ User API call -> Webapp routes -> Services -> RunEngine -> Redis Queue -> Superv
 
 ### Apps
 
-- **apps/webapp**: Remix 2.1.0 app - main API, dashboard, orchestration. Uses Express server.
+- **apps/webapp**: Remix 2.17.4 app - main API, dashboard, orchestration. Uses Express server.
 - **apps/supervisor**: Manages task execution containers (Docker/Kubernetes).
 
 ### Public Packages
@@ -124,7 +138,7 @@ Docs live in `docs/` as a Mintlify site (MDX format). See `docs/CLAUDE.md` for c
 
 ### Reference Projects
 
-The `references/` directory contains test workspaces for testing SDK and platform features. Use `references/hello-world` to manually test changes before submitting PRs.
+Reference/example projects for testing SDK and platform features live in a separate repo: [`triggerdotdev/references`](https://github.com/triggerdotdev/references). Clone it alongside this repo and use its `projects/hello-world` to manually test changes before submitting PRs. See that repo's README for setup and linking to a local monorepo build.
 
 ## Docker Image Guidelines
 
@@ -153,15 +167,17 @@ export const myTask = task({
 
 The `rules/` directory contains versioned SDK documentation distributed via the SDK installer. Current version: `rules/manifest.json`. Do NOT update `rules/` or `.claude/skills/trigger-dev-tasks/` unless explicitly asked - these are maintained in separate dedicated passes.
 
-## Testing with hello-world Reference Project
+## Testing with the hello-world Reference Project
+
+The reference projects live in the separate [`triggerdotdev/references`](https://github.com/triggerdotdev/references) repo - clone it alongside this repo.
 
 First-time setup:
 
-1. `pnpm run db:seed` to seed the database
-2. Build CLI: `pnpm run build --filter trigger.dev && pnpm i`
-3. Authorize: `cd references/hello-world && pnpm exec trigger login -a http://localhost:3030`
+1. `pnpm run db:seed` to seed the database (creates the References org + hello-world project)
+2. Build the CLI/packages you want to test: `pnpm run build --filter trigger.dev`
+3. In your `references` clone, follow its README to link to your local monorepo build, then authorize: `cd projects/hello-world && pnpm exec trigger login -a http://localhost:3030`
 
-Running: `cd references/hello-world && pnpm exec trigger dev`
+Running (from your `references` clone): `cd projects/hello-world && pnpm exec trigger dev`
 
 ## Local Task Testing Workflow
 
@@ -176,7 +192,8 @@ curl -s http://localhost:3030/healthcheck  # Verify running
 ### Step 2: Start Trigger Dev in Background
 
 ```bash
-cd references/hello-world && pnpm exec trigger dev
+# in your triggerdotdev/references clone
+cd projects/hello-world && pnpm exec trigger dev
 # Wait for "Local worker ready [node]"
 ```
 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 88e24cba4f0..cddb974417d 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -29,8 +29,8 @@ branch are tagged into a release periodically.
 
 ### Prerequisites
 
-- [Node.js](https://nodejs.org/en) version 20.20.0
-- [pnpm package manager](https://pnpm.io/installation) version 10.23.0
+- [Node.js](https://nodejs.org/en) version 20.20.2
+- [pnpm package manager](https://pnpm.io/installation) version 10.33.2
 - [Docker](https://www.docker.com/get-started/)
 - [protobuf](https://github.com/protocolbuffers/protobuf)
 
@@ -49,9 +49,9 @@ branch are tagged into a release periodically.
    ```
    cd trigger.dev
    ```
-3. Ensure you are on the correct version of Node.js (20.20.0). If you are using `nvm`, there is an `.nvmrc` file that will automatically select the correct version of Node.js when you navigate to the repository.
+3. Ensure you are on the correct version of Node.js (20.20.2). If you are using `nvm`, there is an `.nvmrc` file that will automatically select the correct version of Node.js when you navigate to the repository.
 
-4. Run `corepack enable` to use the correct version of pnpm (`10.23.0`) as specified in the root `package.json` file.
+4. Run `corepack enable` to use the correct version of pnpm (`10.33.2`) as specified in the root `package.json` file.
 
 5. Install the required packages using pnpm.
    ```
@@ -71,21 +71,27 @@ branch are tagged into a release periodically.
 
    Feel free to update `SESSION_SECRET` and `MAGIC_LINK_SECRET` as well using the same method.
 
-8. Start Docker. This starts the required services like Postgres & Redis. If this is your first time using Docker, consider going through this [guide](DOCKER_INSTALLATION.md)
+8. Start Docker. This starts the core dev services (Postgres, Redis, Electric, MinIO, ClickHouse, s2-lite) and runs the ClickHouse migrator once on first start. If this is your first time using Docker, consider going through this [guide](DOCKER_INSTALLATION.md).
 
    ```
    pnpm run docker
    ```
 
+   For the observability stack (Prometheus, Grafana, OTEL collector) and other optional tooling (Toxiproxy, nginx-h2, ch-ui, extra electric shard), use `pnpm run docker:full` instead. See `docker/docker-compose.extras.yml` for the full list.
+
 9. Migrate the database
    ```
    pnpm run db:migrate
    ```
-10. Build everything
+10. Build the webapp, CLI, and SDK
+    ```
+    pnpm run build --filter webapp --filter trigger.dev --filter @trigger.dev/sdk
     ```
-    pnpm run build --filter webapp && pnpm run build --filter trigger.dev && pnpm run build --filter @trigger.dev/sdk
+11. Seed the database. This creates a local user, a `References` org, and the reference projects (including `hello-world`) with stable IDs.
     ```
-11. Run the app. See the section below.
+    pnpm run db:seed
+    ```
+12. Run the app. See the section below.
 
 ## Running
 
@@ -101,29 +107,32 @@ branch are tagged into a release periodically.
 
 ## Manual testing using hello-world
 
-We use the `<root>/references/hello-world` subdirectory as a staging ground for testing changes to the SDK (`@trigger.dev/sdk` at `<root>/packages/trigger-sdk`), the Core package (`@trigger.dev/core` at `<root>packages/core`), the CLI (`trigger.dev` at `<root>/packages/cli-v3`) and the platform (The remix app at `<root>/apps/webapp`). The instructions below will get you started on using the `hello-world` for local development of Trigger.dev.
+The `hello-world` reference project (and the others) live in a separate repo:
+[`triggerdotdev/references`](https://github.com/triggerdotdev/references). Clone it
+alongside this repo. It's the staging ground for testing changes to the SDK
+(`@trigger.dev/sdk` at `<root>/packages/trigger-sdk`), the Core package
+(`@trigger.dev/core` at `<root>/packages/core`), the CLI (`trigger.dev` at
+`<root>/packages/cli-v3`) and the platform (the Remix app at `<root>/apps/webapp`).
+To exercise your local monorepo changes, the reference project links to your local
+build — see the references repo's README for the `pnpm run link` flow.
 
-### First-time setup
+> Paths below such as `projects/hello-world` are relative to your `references`
+> clone, not this repo.
 
-First, make sure you are running the webapp according to the instructions above. Then:
-
-1. Visit http://localhost:3030 in your browser and create a new project called "hello-world".
+### First-time setup
 
-2. In Postgres go to the "Projects" table and for the project you create change the `externalRef` to `proj_rrkpdguyagvsoktglnod`.
+First, make sure you are running the webapp according to the instructions above. The seed step from setup already created a `hello-world` project under the `References` org with the stable ref `proj_rrkpdguyagvsoktglnod` — log in at http://localhost:3030 with any email to access it. Then:
 
-3. Build the CLI
+1. Build the CLI and packages (skip if you already ran the build step in setup)
 
 ```sh
-# Build the CLI
-pnpm run build --filter trigger.dev
-# Make it accessible to `pnpm exec`
-pnpm i
+pnpm run build --filter trigger.dev --filter "@trigger.dev/*"
 ```
 
-4. Change into the `<root>/references/hello-world` directory and authorize the CLI to the local server:
+2. In your `references` clone, link to your local monorepo build (see its README), then change into `projects/hello-world` and authorize the CLI to the local server:
 
 ```sh
-cd references/hello-world
+cd projects/hello-world
 cp .env.example .env
 pnpm exec trigger login -a http://localhost:3030
 ```
@@ -133,7 +142,7 @@ This will open a new browser window and authorize the CLI against your local use
 You can optionally pass a `--profile` flag to the `login` command, which will allow you to use the CLI with separate accounts/servers. We suggest using a profile called `local` for your local development:
 
 ```sh
-cd references/hello-world
+cd projects/hello-world
 pnpm exec trigger login -a http://localhost:3030 --profile local
 # later when you run the dev or deploy command:
 pnpm exec trigger dev --profile local
@@ -146,46 +155,46 @@ The following steps should be followed any time you start working on a new featu
 
 1. Make sure the webapp is running on localhost:3030
 
-2. Open a terminal window and build the CLI and packages and watch for changes
+2. In this repo, open a terminal window and build the CLI and packages and watch for changes (the reference project links against this build)
 
 ```sh
 pnpm run dev --filter trigger.dev --filter "@trigger.dev/*"
 ```
 
-3. Open another terminal window, and change into the `<root>/references/hello-world` directory.
+3. Open another terminal window, and change into `projects/hello-world` in your `references` clone.
 
 4. Run the `dev` command, which will register all the local tasks with the platform and allow you to start testing task execution:
 
 ```sh
-# in <root>/references/hello-world
+# in <references-clone>/projects/hello-world
 pnpm exec trigger dev
 ```
 
 If you want additional debug logging, you can use the `--log-level debug` flag:
 
 ```sh
-# in <root>/references/hello-world
+# in <references-clone>/projects/hello-world
 pnpm exec trigger dev --log-level debug
 ```
 
-6. If you make any changes in the CLI/Core/SDK, you'll need to `CTRL+C` to exit the `dev` command and restart it to pickup changes. Any changes to the files inside of the `hello-world/src/trigger` dir will automatically be rebuilt by the `dev` command.
+5. If you make any changes in the CLI/Core/SDK, you'll need to `CTRL+C` to exit the `dev` command and restart it to pickup changes. Any changes to the files inside the reference project's `src/trigger` dir will automatically be rebuilt by the `dev` command.
 
-7. Navigate to the `hello-world` project in your local dashboard at localhost:3030 and you should see the list of tasks.
+6. Navigate to the `hello-world` project in your local dashboard at localhost:3030 and you should see the list of tasks.
 
-8. Go to the "Test" page in the sidebar and select a task. Then enter a payload and click "Run test". You can tell what the payloads should be by looking at the relevant task file inside the `/references/hello-world/src/trigger` folder. Many of them accept an empty payload.
+7. Go to the "Test" page in the sidebar and select a task. Then enter a payload and click "Run test". You can tell what the payloads should be by looking at the relevant task file inside the reference project's `src/trigger` folder. Many of them accept an empty payload.
 
-9. Feel free to add additional files in `hello-world/src/trigger` to test out specific aspects of the system, or add in edge cases.
+8. Feel free to add additional files in the reference project's `src/trigger` dir to test out specific aspects of the system, or add in edge cases.
 
 ## Adding and running migrations
 
-1. Modify internal-packages/database/prisma/schema.prisma file
-2. Change directory to the packages/database folder
+1. Modify `internal-packages/database/prisma/schema.prisma`.
+2. Change directory to the database package:
 
    ```sh
-   cd packages/database
+   cd internal-packages/database
    ```
 
-3. Create a migration
+3. Create a migration:
 
    ```
    pnpm run db:migrate:dev:create
@@ -193,50 +202,17 @@ pnpm exec trigger dev --log-level debug
 
    This creates a migration file. Check the migration file does only what you want. If you're adding any database indexes they must use `CONCURRENTLY`, otherwise they'll lock the table when executed.
 
-4. Run the migration.
-
-```
-pnpm run db:migrate:deploy
-pnpm run generate
-```
-
-This executes the migrations against your database and applies changes to the database schema(s), and then regenerates the Prisma client.
-
-4. Commit generated migrations as well as changes to the schema.prisma file
-5. If you're using VSCode you may need to restart the Typescript server in the webapp to get updated type inference. Open a TypeScript file, then open the Command Palette (View > Command Palette) and run `TypeScript: Restart TS server`.
-
-## Add sample jobs
-
-The [references/job-catalog](./references/job-catalog/) project defines simple jobs you can get started with.
-
-1. `cd` into `references/job-catalog`
-2. Create a `.env` file with the following content,
-   replacing `<TRIGGER_DEV_API_KEY>` with an actual key:
+4. Run the migration:
 
-```env
-TRIGGER_API_KEY=[TRIGGER_DEV_API_KEY]
-TRIGGER_API_URL=http://localhost:3030
-```
-
-`TRIGGER_API_URL` is used to configure the URL for your Trigger.dev instance,
-where the jobs will be registered.
-
-3. Run one of the the `job-catalog` files:
-
-```sh
-pnpm run events
-```
-
-This will open up a local server using `express` on port 8080. Then in a new terminal window you can run the trigger-cli dev command:
-
-```sh
-pnpm run dev:trigger
-```
+   ```
+   pnpm run db:migrate:deploy
+   pnpm run generate
+   ```
 
-See the [Job Catalog](./references/job-catalog/README.md) file for more.
+   This executes the migrations against your database and applies changes to the database schema(s), and then regenerates the Prisma client.
 
-4. Navigate to your trigger.dev instance ([http://localhost:3030](http://localhost:3030/)), to see the jobs.
-   You can use the test feature to trigger them.
+5. Commit the generated migration files as well as the changes to `schema.prisma`.
+6. If you're using VSCode you may need to restart the TypeScript server in the webapp to get updated type inference. Open a TypeScript file, then open the Command Palette (View > Command Palette) and run `TypeScript: Restart TS server`.
 
 ## Making a pull request
 
@@ -334,3 +310,7 @@ The process running on port `3030` should be destroyed.
    ```sh
    sudo kill -9 <PID>
    ```
+
+### Running two clones side by side (worktree, branch experiment)
+
+The default `pnpm run docker` uses the project name `triggerdotdev-docker` and the standard host ports (5432, 6379, 3060, 4566, 8123, 9000, 9005, 9006). To stand up a second instance in another clone without clashing, set a different `COMPOSE_PROJECT_NAME` and the offset host ports in that clone's `.env`. The "Running multiple instances side by side" block in `.env.example` lists every overridable env var with its default for reference; uncomment the lines you need and update `DATABASE_URL` / `CLICKHOUSE_URL` / `REDIS_PORT` / `APP_ORIGIN` / `LOGIN_ORIGIN` / `ELECTRIC_ORIGIN` / `REALTIME_STREAMS_S2_ENDPOINT` to match.
diff --git a/ai/references/repo.md b/ai/references/repo.md
index 4f67bde2b4b..6e0ff056716 100644
--- a/ai/references/repo.md
+++ b/ai/references/repo.md
@@ -1,6 +1,6 @@
 ## Repo Overview
 
-This is a pnpm 10.23.0 monorepo that uses turborepo @turbo.json. The following workspaces are relevant
+This is a pnpm 10.33.2 monorepo that uses turborepo @turbo.json. The following workspaces are relevant
 
 ## Apps
 
diff --git a/apps/supervisor/Containerfile b/apps/supervisor/Containerfile
index d5bb5862e96..5b3b148a7cb 100644
--- a/apps/supervisor/Containerfile
+++ b/apps/supervisor/Containerfile
@@ -16,7 +16,7 @@ COPY --from=pruner --chown=node:node /app/out/json/ .
 COPY --from=pruner --chown=node:node /app/out/pnpm-lock.yaml ./pnpm-lock.yaml
 COPY --from=pruner --chown=node:node /app/out/pnpm-workspace.yaml ./pnpm-workspace.yaml
 
-RUN corepack enable && corepack prepare pnpm@10.23.0 --activate
+RUN corepack enable && corepack prepare pnpm@10.33.2 --activate
 
 FROM base AS deps-fetcher
 RUN apk add --no-cache python3-dev py3-setuptools make g++ gcc linux-headers
diff --git a/apps/supervisor/package.json b/apps/supervisor/package.json
index 7456d421850..2725fe2b729 100644
--- a/apps/supervisor/package.json
+++ b/apps/supervisor/package.json
@@ -18,6 +18,7 @@
     "@kubernetes/client-node": "^1.0.0",
     "@trigger.dev/core": "workspace:*",
     "dockerode": "^4.0.6",
+    "ioredis": "~5.6.0",
     "p-limit": "^6.2.0",
     "prom-client": "^15.1.0",
     "socket.io": "4.7.4",
@@ -25,6 +26,7 @@
     "zod": "3.25.76"
   },
   "devDependencies": {
+    "@internal/testcontainers": "workspace:*",
     "@types/dockerode": "^3.3.33"
   }
 }
diff --git a/apps/supervisor/src/backpressure/backpressureMetrics.ts b/apps/supervisor/src/backpressure/backpressureMetrics.ts
new file mode 100644
index 00000000000..ffe57628548
--- /dev/null
+++ b/apps/supervisor/src/backpressure/backpressureMetrics.ts
@@ -0,0 +1,34 @@
+import { Counter, Gauge, type Registry } from "prom-client";
+
+/** Prometheus metrics for dequeue backpressure. */
+export class BackpressureMetrics {
+  /** 1 while backpressure is engaged (computed signal, set even in dry-run). */
+  readonly engaged: Gauge<string>;
+  /** 1 when running in dry-run (gates inert). */
+  readonly dryRun: Gauge<string>;
+  /** Dequeue attempts the gate skipped - or would have, in dry-run (labelled). */
+  readonly skipsTotal: Counter<string>;
+
+  constructor(opts: { register: Registry; prefix?: string }) {
+    const prefix = opts.prefix ?? "supervisor_backpressure";
+
+    this.engaged = new Gauge({
+      name: `${prefix}_engaged`,
+      help: "1 while dequeue backpressure is engaged (computed signal, regardless of dry-run)",
+      registers: [opts.register],
+    });
+
+    this.dryRun = new Gauge({
+      name: `${prefix}_dry_run`,
+      help: "1 when dequeue backpressure is in dry-run mode (gates inert)",
+      registers: [opts.register],
+    });
+
+    this.skipsTotal = new Counter({
+      name: `${prefix}_skipped_dequeues_total`,
+      help: "Dequeue attempts skipped by backpressure (or would be, in dry-run)",
+      labelNames: ["dry_run"],
+      registers: [opts.register],
+    });
+  }
+}
diff --git a/apps/supervisor/src/backpressure/backpressureMonitor.test.ts b/apps/supervisor/src/backpressure/backpressureMonitor.test.ts
new file mode 100644
index 00000000000..7af28ffc9f5
--- /dev/null
+++ b/apps/supervisor/src/backpressure/backpressureMonitor.test.ts
@@ -0,0 +1,353 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { Registry } from "prom-client";
+import { BackpressureMonitor, type BackpressureSignalSource } from "./backpressureMonitor.js";
+import { BackpressureMetrics } from "./backpressureMetrics.js";
+
+function countingSource(verdict: { engaged: boolean } | null): {
+  source: BackpressureSignalSource;
+  reads: () => number;
+} {
+  let reads = 0;
+  return {
+    source: {
+      read: async () => {
+        reads++;
+        return verdict;
+      },
+    },
+    reads: () => reads,
+  };
+}
+
+describe("BackpressureMonitor", () => {
+  beforeEach(() => {
+    vi.useFakeTimers();
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+  });
+
+  it("when disabled, never skips dequeue and never reads the signal source", () => {
+    // Even though the source would report "engaged", a disabled monitor must be
+    // a complete no-op: this is the backwards-compatibility guarantee.
+    const { source, reads } = countingSource({ engaged: true });
+    const monitor = new BackpressureMonitor({ enabled: false, source });
+
+    monitor.start();
+
+    expect(monitor.shouldSkipDequeue()).toBe(false);
+    expect(reads()).toBe(0);
+
+    monitor.stop();
+  });
+
+  it("when enabled and the source reports engaged, skips dequeue after a refresh", async () => {
+    const { source } = countingSource({ engaged: true });
+    const monitor = new BackpressureMonitor({ enabled: true, source, refreshIntervalMs: 1000 });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(0); // flush the initial async read
+
+    expect(monitor.shouldSkipDequeue()).toBe(true);
+
+    monitor.stop();
+  });
+
+  it("when enabled and the source reports clear, does not skip dequeue", async () => {
+    const { source } = countingSource({ engaged: false });
+    const monitor = new BackpressureMonitor({ enabled: true, source, refreshIntervalMs: 1000 });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(0);
+
+    expect(monitor.shouldSkipDequeue()).toBe(false);
+
+    monitor.stop();
+  });
+
+  it("fails open (stops skipping) when the source throws", async () => {
+    let call = 0;
+    const source: BackpressureSignalSource = {
+      read: async () => {
+        call++;
+        if (call === 1) {
+          return { engaged: true };
+        }
+        throw new Error("signal source unreachable");
+      },
+    };
+    const monitor = new BackpressureMonitor({ enabled: true, source, refreshIntervalMs: 1000 });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(0);
+    expect(monitor.shouldSkipDequeue()).toBe(true); // engaged from the first read
+
+    await vi.advanceTimersByTimeAsync(1000); // next refresh throws
+    expect(monitor.shouldSkipDequeue()).toBe(false); // fail-open: a dead source must not pin the brake
+
+    monitor.stop();
+  });
+
+  it("fails open when the source reports unknown (null)", async () => {
+    const { source } = countingSource(null);
+    const monitor = new BackpressureMonitor({ enabled: true, source, refreshIntervalMs: 1000 });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(0);
+
+    expect(monitor.shouldSkipDequeue()).toBe(false);
+
+    monitor.stop();
+  });
+
+  it("fails open when the cached verdict goes stale (older than max age)", async () => {
+    // Source stops updating (e.g. hangs) after the first read; the verdict ages out.
+    const source: BackpressureSignalSource = {
+      read: async () => ({ engaged: true, ts: Date.now() }),
+    };
+    const monitor = new BackpressureMonitor({
+      enabled: true,
+      source,
+      refreshIntervalMs: 1_000_000, // effectively only the initial read fires
+      maxVerdictAgeMs: 15_000,
+    });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(0);
+    expect(monitor.shouldSkipDequeue()).toBe(true);
+
+    await vi.advanceTimersByTimeAsync(15_001); // verdict now older than max age
+    expect(monitor.shouldSkipDequeue()).toBe(false);
+
+    monitor.stop();
+  });
+
+  it("does not read the source on the hot path (reads are driven by the refresh tick)", async () => {
+    const { source, reads } = countingSource({ engaged: true });
+    const monitor = new BackpressureMonitor({ enabled: true, source, refreshIntervalMs: 1000 });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(0);
+    expect(reads()).toBe(1); // just the initial refresh
+
+    for (let i = 0; i < 1000; i++) {
+      monitor.shouldSkipDequeue();
+    }
+
+    expect(reads()).toBe(1); // hot-path calls performed zero I/O
+
+    monitor.stop();
+  });
+
+  it("does not start an overlapping refresh while one is in flight", async () => {
+    let reads = 0;
+    const source: BackpressureSignalSource = {
+      // Never resolves - simulates a hung read.
+      read: () => {
+        reads++;
+        return new Promise<{ engaged: boolean } | null>(() => {});
+      },
+    };
+    const monitor = new BackpressureMonitor({ enabled: true, source, refreshIntervalMs: 1000 });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(3000); // several intervals while the first read hangs
+
+    expect(reads).toBe(1); // in-flight guard prevents stacking
+
+    monitor.stop();
+  });
+
+  it("stops refreshing after stop()", async () => {
+    const { source, reads } = countingSource({ engaged: true });
+    const monitor = new BackpressureMonitor({ enabled: true, source, refreshIntervalMs: 1000 });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(0);
+    const readsAtStop = reads();
+
+    monitor.stop();
+    await vi.advanceTimersByTimeAsync(5000);
+
+    expect(reads()).toBe(readsAtStop);
+  });
+
+  it("isEngaged reflects the hard engaged state (the signal for freezing scale-up)", async () => {
+    const { source } = countingSource({ engaged: true });
+    const monitor = new BackpressureMonitor({ enabled: true, source, refreshIntervalMs: 1000 });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(0);
+
+    expect(monitor.isEngaged()).toBe(true);
+
+    monitor.stop();
+  });
+
+  it("isEngaged is false when clear and when stale", async () => {
+    const source: BackpressureSignalSource = {
+      read: async () => ({ engaged: true, ts: Date.now() }),
+    };
+    const monitor = new BackpressureMonitor({
+      enabled: true,
+      source,
+      refreshIntervalMs: 1_000_000,
+      maxVerdictAgeMs: 15_000,
+    });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(0);
+    expect(monitor.isEngaged()).toBe(true);
+
+    await vi.advanceTimersByTimeAsync(15_001); // stale → fail-open
+    expect(monitor.isEngaged()).toBe(false);
+
+    monitor.stop();
+  });
+
+  it("ramps the dequeue gate after release instead of resuming instantly", async () => {
+    let engaged = true;
+    let rnd = 0.5;
+    const source: BackpressureSignalSource = { read: async () => ({ engaged }) };
+    const monitor = new BackpressureMonitor({
+      enabled: true,
+      source,
+      refreshIntervalMs: 1000,
+      rampMs: 10_000,
+      random: () => rnd,
+    });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(0);
+    expect(monitor.shouldSkipDequeue()).toBe(true); // hard engaged
+
+    // Release: the next refresh observes the clear verdict and starts the ramp.
+    engaged = false;
+    await vi.advanceTimersByTimeAsync(1000);
+    expect(monitor.isEngaged()).toBe(false);
+
+    // Just after release (progress ~0): skip probability ~1, so skip regardless.
+    rnd = 0.99;
+    expect(monitor.shouldSkipDequeue()).toBe(true);
+
+    // Halfway through the ramp (progress 0.5): skip probability 0.5.
+    await vi.advanceTimersByTimeAsync(5000);
+    rnd = 0.4;
+    expect(monitor.shouldSkipDequeue()).toBe(true); // 0.4 < 0.5 → skip
+    rnd = 0.6;
+    expect(monitor.shouldSkipDequeue()).toBe(false); // 0.6 ≥ 0.5 → allow
+
+    // Past the ramp window: never skip.
+    await vi.advanceTimersByTimeAsync(5000);
+    rnd = 0.0;
+    expect(monitor.shouldSkipDequeue()).toBe(false);
+
+    monitor.stop();
+  });
+
+  it("fails open on an engaged verdict with no timestamp when staleness is enforced", async () => {
+    // A verdict claiming engaged but carrying no ts can't be checked for freshness;
+    // when maxVerdictAgeMs is set we must not trust it (else a dead producer could
+    // pin the brake forever).
+    const { source } = countingSource({ engaged: true }); // no ts
+    const monitor = new BackpressureMonitor({
+      enabled: true,
+      source,
+      refreshIntervalMs: 1000,
+      maxVerdictAgeMs: 15_000,
+    });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(0);
+
+    expect(monitor.computeEngaged()).toBe(false);
+    expect(monitor.shouldSkipDequeue()).toBe(false);
+
+    monitor.stop();
+  });
+
+  it("in dry-run, the gates are inert but computeEngaged still reflects the real signal", async () => {
+    const { source } = countingSource({ engaged: true });
+    const monitor = new BackpressureMonitor({
+      enabled: true,
+      source,
+      refreshIntervalMs: 1000,
+      dryRun: true,
+    });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(0);
+
+    expect(monitor.computeEngaged()).toBe(true); // real signal, for observability/metrics
+    expect(monitor.isEngaged()).toBe(false); // inert: no scale-up freeze
+    expect(monitor.shouldSkipDequeue()).toBe(false); // inert: no dequeue skip
+
+    monitor.stop();
+  });
+
+  it("logs on verdict transitions", async () => {
+    let engaged = true;
+    const source: BackpressureSignalSource = { read: async () => ({ engaged }) };
+    const logs: Array<{ message: string; meta?: Record<string, unknown> }> = [];
+    const logger = {
+      info: (message: string, meta?: Record<string, unknown>) => logs.push({ message, meta }),
+    };
+    const monitor = new BackpressureMonitor({
+      enabled: true,
+      source,
+      refreshIntervalMs: 1000,
+      logger,
+    });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(0);
+    expect(logs.some((l) => l.meta?.engaged === true)).toBe(true);
+
+    engaged = false;
+    await vi.advanceTimersByTimeAsync(1000);
+    expect(logs.some((l) => l.meta?.engaged === false)).toBe(true);
+
+    monitor.stop();
+  });
+
+  it("records prometheus metrics", async () => {
+    const { source } = countingSource({ engaged: true });
+    const register = new Registry();
+    const metrics = new BackpressureMetrics({ register });
+    const monitor = new BackpressureMonitor({
+      enabled: true,
+      source,
+      refreshIntervalMs: 1000,
+      metrics,
+    });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(0);
+
+    expect(await register.metrics()).toContain("supervisor_backpressure_engaged 1");
+
+    monitor.shouldSkipDequeue();
+    expect(await register.metrics()).toMatch(
+      /supervisor_backpressure_skipped_dequeues_total\{dry_run="false"\} [1-9]/
+    );
+
+    monitor.stop();
+  });
+
+  it("resumes instantly when no ramp is configured", async () => {
+    let engaged = true;
+    const source: BackpressureSignalSource = { read: async () => ({ engaged }) };
+    const monitor = new BackpressureMonitor({ enabled: true, source, refreshIntervalMs: 1000 });
+
+    monitor.start();
+    await vi.advanceTimersByTimeAsync(0);
+    expect(monitor.shouldSkipDequeue()).toBe(true);
+
+    engaged = false;
+    await vi.advanceTimersByTimeAsync(1000);
+    expect(monitor.shouldSkipDequeue()).toBe(false); // no ramp → instant resume
+
+    monitor.stop();
+  });
+});
diff --git a/apps/supervisor/src/backpressure/backpressureMonitor.ts b/apps/supervisor/src/backpressure/backpressureMonitor.ts
new file mode 100644
index 00000000000..6b4170697e5
--- /dev/null
+++ b/apps/supervisor/src/backpressure/backpressureMonitor.ts
@@ -0,0 +1,179 @@
+import type { BackpressureMetrics } from "./backpressureMetrics.js";
+
+export interface BackpressureLogger {
+  info(message: string, meta?: Record<string, unknown>): void;
+}
+
+export type BackpressureVerdict = {
+  engaged: boolean;
+  /** Epoch ms the verdict was produced. Used for consumer-side staleness fail-open. */
+  ts?: number;
+};
+
+/**
+ * Source of the current backpressure verdict. `read()` returns `null` when the
+ * verdict is unknown (missing/unreadable) - the monitor treats unknown as
+ * "not engaged" (fail-open).
+ */
+export interface BackpressureSignalSource {
+  read(): Promise<BackpressureVerdict | null>;
+}
+
+export type BackpressureMonitorOptions = {
+  enabled: boolean;
+  source: BackpressureSignalSource;
+  refreshIntervalMs?: number;
+  /**
+   * If set, a cached verdict older than this is treated as unknown (fail-open).
+   * Guards against the source silently going stale (e.g. hanging reads).
+   */
+  maxVerdictAgeMs?: number;
+  /**
+   * If set, after backpressure releases the dequeue gate stays partially engaged
+   * for this long, skipping a linearly-decaying fraction of attempts so the
+   * aggregate dequeue rate ramps from ~0 to full instead of snapping to full and
+   * re-flooding a freshly-recovered cluster. 0/unset = instant resume.
+   */
+  rampMs?: number;
+  /** Injectable RNG for the resume ramp; defaults to Math.random. */
+  random?: () => number;
+  /**
+   * When true, the gates are inert (never skip dequeues, never freeze scale-up).
+   * computeEngaged() still reflects the real signal so it can be observed.
+   */
+  dryRun?: boolean;
+  logger?: BackpressureLogger;
+  metrics?: BackpressureMetrics;
+};
+
+const DEFAULT_REFRESH_INTERVAL_MS = 1000;
+
+export class BackpressureMonitor {
+  private verdict: BackpressureVerdict | null = null;
+  private timer?: ReturnType<typeof setInterval>;
+  private refreshInFlight = false;
+  private wasEngaged = false;
+  private releasedAt?: number;
+
+  constructor(private readonly opts: BackpressureMonitorOptions) {
+    this.opts.metrics?.dryRun.set(this.opts.dryRun ? 1 : 0);
+  }
+
+  start(): void {
+    if (!this.opts.enabled) {
+      return;
+    }
+
+    void this.refreshTick();
+    this.timer = setInterval(
+      () => void this.refreshTick(),
+      this.opts.refreshIntervalMs ?? DEFAULT_REFRESH_INTERVAL_MS
+    );
+  }
+
+  /** Skip a tick if the previous refresh is still in flight, so slow/hung reads can't stack. */
+  private async refreshTick(): Promise<void> {
+    if (this.refreshInFlight) {
+      return;
+    }
+    this.refreshInFlight = true;
+    try {
+      await this.refresh();
+    } finally {
+      this.refreshInFlight = false;
+    }
+  }
+
+  stop(): void {
+    if (this.timer) {
+      clearInterval(this.timer);
+      this.timer = undefined;
+    }
+  }
+
+  /**
+   * Raw hard backpressure state: true while the (fresh) verdict says engaged,
+   * ignoring dry-run. Used for observability/metrics so the real signal is
+   * visible even when the gates are inert.
+   */
+  computeEngaged(): boolean {
+    const verdict = this.verdict;
+    if (verdict?.engaged !== true) {
+      return false;
+    }
+
+    // When staleness enforcement is on, an engaged verdict must carry a fresh
+    // timestamp. A missing or stale ts can't be trusted (a dead producer could
+    // otherwise pin the brake forever), so fail open.
+    const maxAge = this.opts.maxVerdictAgeMs;
+    if (maxAge !== undefined) {
+      if (verdict.ts === undefined || Date.now() - verdict.ts > maxAge) {
+        return false;
+      }
+    }
+
+    return true;
+  }
+
+  /**
+   * Effective hard state: the signal for freezing consumer-pool scale-up. Inert
+   * (false) in dry-run. Hot-path read, no I/O.
+   */
+  isEngaged(): boolean {
+    return this.opts.dryRun ? false : this.computeEngaged();
+  }
+
+  /** Hot-path read: synchronous, never performs I/O. Inert (false) in dry-run. */
+  shouldSkipDequeue(): boolean {
+    const wouldSkip = this.computeShouldSkip();
+    if (wouldSkip) {
+      this.opts.metrics?.skipsTotal.inc({ dry_run: this.opts.dryRun ? "true" : "false" });
+    }
+    return this.opts.dryRun ? false : wouldSkip;
+  }
+
+  private computeShouldSkip(): boolean {
+    if (this.computeEngaged()) {
+      return true;
+    }
+
+    // Post-release ramp: skip a linearly-decaying fraction of attempts so the
+    // aggregate dequeue rate climbs back to full over rampMs rather than snapping.
+    const rampMs = this.opts.rampMs;
+    if (rampMs && this.releasedAt !== undefined) {
+      const elapsed = Date.now() - this.releasedAt;
+      if (elapsed < rampMs) {
+        const skipProbability = 1 - elapsed / rampMs;
+        return (this.opts.random ?? Math.random)() < skipProbability;
+      }
+    }
+
+    return false;
+  }
+
+  private async refresh(): Promise<void> {
+    try {
+      this.verdict = await this.opts.source.read();
+    } catch {
+      // Fail-open: a dead/unreachable source must never pin the brake. Treat as
+      // unknown (no verdict) so dequeue resumes as if backpressure were off.
+      this.verdict = null;
+    }
+
+    // Track the engaged→released transition to anchor the resume ramp. Use the
+    // staleness-aware state so a stale verdict doesn't pin wasEngaged / the gauge.
+    const nowEngaged = this.computeEngaged();
+    this.opts.metrics?.engaged.set(nowEngaged ? 1 : 0);
+
+    if (nowEngaged !== this.wasEngaged) {
+      this.opts.logger?.info("backpressure verdict changed", {
+        engaged: nowEngaged,
+        dryRun: !!this.opts.dryRun,
+      });
+    }
+    if (this.wasEngaged && !nowEngaged) {
+      this.releasedAt = Date.now();
+    }
+    this.wasEngaged = nowEngaged;
+  }
+}
diff --git a/apps/supervisor/src/backpressure/redisBackpressureSignalSource.test.ts b/apps/supervisor/src/backpressure/redisBackpressureSignalSource.test.ts
new file mode 100644
index 00000000000..77a7457b13c
--- /dev/null
+++ b/apps/supervisor/src/backpressure/redisBackpressureSignalSource.test.ts
@@ -0,0 +1,62 @@
+import { redisTest } from "@internal/testcontainers";
+import { Redis } from "ioredis";
+import { describe, expect } from "vitest";
+import { RedisBackpressureSignalSource } from "./redisBackpressureSignalSource.js";
+
+const KEY = "backpressure:test";
+
+describe("RedisBackpressureSignalSource", () => {
+  redisTest("returns null when the key is absent", async ({ redisOptions }) => {
+    const redis = new Redis(redisOptions);
+    try {
+      const source = new RedisBackpressureSignalSource(redis, KEY);
+      expect(await source.read()).toBeNull();
+    } finally {
+      await redis.quit();
+    }
+  });
+
+  redisTest("parses a valid engaged verdict", async ({ redisOptions }) => {
+    const redis = new Redis(redisOptions);
+    try {
+      await redis.set(KEY, JSON.stringify({ engaged: true, ts: 1_700_000_000_000 }));
+      const source = new RedisBackpressureSignalSource(redis, KEY);
+      expect(await source.read()).toEqual({ engaged: true, ts: 1_700_000_000_000 });
+    } finally {
+      await redis.quit();
+    }
+  });
+
+  redisTest("parses a clear verdict", async ({ redisOptions }) => {
+    const redis = new Redis(redisOptions);
+    try {
+      await redis.set(KEY, JSON.stringify({ engaged: false }));
+      const source = new RedisBackpressureSignalSource(redis, KEY);
+      expect(await source.read()).toEqual({ engaged: false });
+    } finally {
+      await redis.quit();
+    }
+  });
+
+  redisTest("returns null for malformed JSON (fail-open)", async ({ redisOptions }) => {
+    const redis = new Redis(redisOptions);
+    try {
+      await redis.set(KEY, "not json {");
+      const source = new RedisBackpressureSignalSource(redis, KEY);
+      expect(await source.read()).toBeNull();
+    } finally {
+      await redis.quit();
+    }
+  });
+
+  redisTest("returns null for valid JSON of the wrong shape (fail-open)", async ({ redisOptions }) => {
+    const redis = new Redis(redisOptions);
+    try {
+      await redis.set(KEY, JSON.stringify({ foo: "bar" }));
+      const source = new RedisBackpressureSignalSource(redis, KEY);
+      expect(await source.read()).toBeNull();
+    } finally {
+      await redis.quit();
+    }
+  });
+});
diff --git a/apps/supervisor/src/backpressure/redisBackpressureSignalSource.ts b/apps/supervisor/src/backpressure/redisBackpressureSignalSource.ts
new file mode 100644
index 00000000000..4f8a54c6247
--- /dev/null
+++ b/apps/supervisor/src/backpressure/redisBackpressureSignalSource.ts
@@ -0,0 +1,35 @@
+import type { Redis } from "ioredis";
+import { z } from "zod";
+import type { BackpressureSignalSource, BackpressureVerdict } from "./backpressureMonitor.js";
+
+const VerdictSchema = z.object({
+  engaged: z.boolean(),
+  ts: z.number().optional(),
+});
+
+/** Reads the backpressure verdict from a Redis key written by the cluster-side aggregator. */
+export class RedisBackpressureSignalSource implements BackpressureSignalSource {
+  constructor(
+    private readonly redis: Redis,
+    private readonly key: string
+  ) {}
+
+  async read(): Promise<BackpressureVerdict | null> {
+    const raw = await this.redis.get(this.key);
+    if (raw === null) {
+      return null;
+    }
+
+    // A malformed or wrong-shaped value is treated as unknown (null) so the
+    // monitor fails open rather than acting on garbage.
+    let json: unknown;
+    try {
+      json = JSON.parse(raw);
+    } catch {
+      return null;
+    }
+
+    const parsed = VerdictSchema.safeParse(json);
+    return parsed.success ? parsed.data : null;
+  }
+}
diff --git a/apps/supervisor/src/env.ts b/apps/supervisor/src/env.ts
index b69fb24d73f..3919e73a7ee 100644
--- a/apps/supervisor/src/env.ts
+++ b/apps/supervisor/src/env.ts
@@ -34,6 +34,10 @@ const Env = z
 
     // Dequeue settings (provider mode)
     TRIGGER_DEQUEUE_ENABLED: BoolEnv.default(true),
+    // Which worker-queue class this supervisor fleet serves. "default" pulls the
+    // region queue (standard/agent runs); "scheduled" pulls the dedicated
+    // scheduled-lineage queue. Run a separate fleet per class for isolation.
+    TRIGGER_WORKER_QUEUE_CLASS: z.enum(["default", "scheduled"]).default("default"),
     TRIGGER_DEQUEUE_INTERVAL_MS: z.coerce.number().int().default(250),
     TRIGGER_DEQUEUE_IDLE_INTERVAL_MS: z.coerce.number().int().default(1000),
     TRIGGER_DEQUEUE_MAX_RUN_COUNT: z.coerce.number().int().default(1),
@@ -47,6 +51,29 @@ const Env = z
     TRIGGER_DEQUEUE_SCALING_BATCH_WINDOW_MS: z.coerce.number().int().positive().default(1000), // Batch window for metrics processing (ms)
     TRIGGER_DEQUEUE_SCALING_DAMPING_FACTOR: z.coerce.number().min(0).max(1).default(0.7), // Smooths consumer count changes after EWMA (0=no scaling, 1=immediate)
 
+    // Dequeue backpressure - off by default. When enabled, the supervisor reads a
+    // verdict from Redis (written by the cluster-side aggregator) and pauses dequeues
+    // while the worker cluster can't schedule pods. Disabled = total no-op: no Redis
+    // client is created, no reads happen, and the dequeue loop is unaffected.
+    TRIGGER_DEQUEUE_BACKPRESSURE_ENABLED: BoolEnv.default(false),
+    // Safety default: even when enabled, backpressure only logs what it would do.
+    // Set to false to actually skip dequeues / freeze scale-up.
+    TRIGGER_DEQUEUE_BACKPRESSURE_DRY_RUN: BoolEnv.default(true),
+    TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_KEY: z.string().default("engine:dequeue:backpressure"),
+    TRIGGER_DEQUEUE_BACKPRESSURE_REFRESH_MS: z.coerce.number().int().positive().default(1000),
+    TRIGGER_DEQUEUE_BACKPRESSURE_RAMP_MS: z.coerce.number().int().min(0).default(30_000), // Resume ramp window after release; 0 = instant resume
+
+    TRIGGER_DEQUEUE_BACKPRESSURE_MAX_VERDICT_AGE_MS: z.coerce
+      .number()
+      .int()
+      .positive()
+      .default(15_000), // Stale verdict → fail-open (treat as not engaged)
+    TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_HOST: z.string().optional(),
+    TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_PORT: z.coerce.number().int().optional(),
+    TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_USERNAME: z.string().optional(),
+    TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_PASSWORD: z.string().optional(),
+    TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_TLS_DISABLED: BoolEnv.default(false),
+
     // Optional services
     TRIGGER_WARM_START_URL: z.string().optional(),
     TRIGGER_CHECKPOINT_URL: z.string().optional(),
@@ -87,6 +114,14 @@ const Env = z
     COMPUTE_TRACE_OTLP_ENDPOINT: z.string().url().optional(), // Override for span export (derived from TRIGGER_API_URL if unset)
     COMPUTE_SNAPSHOT_DELAY_MS: z.coerce.number().int().min(0).max(60_000).default(5_000),
     COMPUTE_SNAPSHOT_DISPATCH_LIMIT: z.coerce.number().int().min(1).max(100).default(10),
+    // Instance create retries for transient placement failures (1 = no retries)
+    COMPUTE_INSTANCE_CREATE_MAX_ATTEMPTS: z.coerce.number().int().min(1).max(10).default(3),
+    COMPUTE_INSTANCE_CREATE_RETRY_BASE_DELAY_MS: z.coerce
+      .number()
+      .int()
+      .min(0)
+      .max(10_000)
+      .default(250),
 
     // Kubernetes settings
     KUBERNETES_FORCE_ENABLED: BoolEnv.default(false),
@@ -121,6 +156,16 @@ const Env = z
 
     KUBERNETES_MEMORY_OVERHEAD_GB: z.coerce.number().min(0).optional(), // Optional memory overhead to add to the limit in GB
     KUBERNETES_SCHEDULER_NAME: z.string().optional(), // Custom scheduler name for pods
+
+    // Pod DNS config — override the cluster default ndots to `KUBERNETES_POD_DNS_NDOTS`.
+    // Default k8s ndots is 5: any name with fewer than 5 dots (e.g. `api.example.com`, 2 dots) is first walked
+    // through every entry in the cluster search list (`<ns>.svc.cluster.local`, `svc.cluster.local`, `cluster.local`)
+    // before being tried as-is, turning one resolution into 4+ CoreDNS queries (×2 with A+AAAA).
+    // Overriding the default can be useful to cut CoreDNS query amplification for external domains.
+    // Note: before enabling, make sure no code path relies on search-list expansion for names with dots ≥ the value
+    // set here — those names will now hit their as-is form first and could resolve externally before falling back.
+    KUBERNETES_POD_DNS_NDOTS_OVERRIDE_ENABLED: BoolEnv.default(false),
+    KUBERNETES_POD_DNS_NDOTS: z.coerce.number().int().min(1).max(15).default(2),
     // Large machine affinity settings - large-* presets prefer a dedicated pool
     KUBERNETES_LARGE_MACHINE_AFFINITY_ENABLED: BoolEnv.default(false),
     KUBERNETES_LARGE_MACHINE_AFFINITY_POOL_LABEL_KEY: z
@@ -189,7 +234,9 @@ const Env = z
             if (!validEffects.includes(effect)) {
               ctx.addIssue({
                 code: z.ZodIssueCode.custom,
-                message: `Invalid toleration effect "${effect}" in "${entry}". Must be one of: ${validEffects.join(", ")}`,
+                message: `Invalid toleration effect "${effect}" in "${entry}". Must be one of: ${validEffects.join(
+                  ", "
+                )}`,
               });
               return z.NEVER;
             }
@@ -244,6 +291,15 @@ const Env = z
     // Debug
     DEBUG: BoolEnv.default(false),
     SEND_RUN_DEBUG_LOGS: BoolEnv.default(false),
+
+    // Wide-event observability - off by default. Emits one flat-keyed JSON
+    // line per natural unit of work (dequeue iteration, HTTP request, socket
+    // lifecycle). High-QPS hotpath, so the kill switch must be honoured.
+    TRIGGER_WIDE_EVENTS_ENABLED: BoolEnv.default(false),
+    // When true, also emit wide events for high-frequency HTTP routes
+    // (heartbeat, snapshots-since, logs/debug). Off in prod to keep event
+    // volume manageable; on in test environments for full-fidelity debugging.
+    TRIGGER_WIDE_EVENTS_NOISY_ROUTES: BoolEnv.default(false),
   })
   .superRefine((data, ctx) => {
     if (data.COMPUTE_SNAPSHOTS_ENABLED && !data.TRIGGER_METADATA_URL) {
@@ -260,6 +316,14 @@ const Env = z
         path: ["TRIGGER_WORKLOAD_API_DOMAIN"],
       });
     }
+    if (data.TRIGGER_DEQUEUE_BACKPRESSURE_ENABLED && !data.TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_HOST) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message:
+          "TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_HOST is required when TRIGGER_DEQUEUE_BACKPRESSURE_ENABLED is true",
+        path: ["TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_HOST"],
+      });
+    }
   })
   .transform((data) => ({
     ...data,
diff --git a/apps/supervisor/src/index.ts b/apps/supervisor/src/index.ts
index 6f5913c47ca..e97c4c7bb96 100644
--- a/apps/supervisor/src/index.ts
+++ b/apps/supervisor/src/index.ts
@@ -28,6 +28,18 @@ import { FailedPodHandler } from "./services/failedPodHandler.js";
 import { getWorkerToken } from "./workerToken.js";
 import { OtlpTraceService } from "./services/otlpTraceService.js";
 import { extractTraceparent, getRestoreRunnerId } from "./util.js";
+import { Redis } from "ioredis";
+import { BackpressureMonitor } from "./backpressure/backpressureMonitor.js";
+import { RedisBackpressureSignalSource } from "./backpressure/redisBackpressureSignalSource.js";
+import { BackpressureMetrics } from "./backpressure/backpressureMetrics.js";
+import {
+  fromContext,
+  recordPhaseSince,
+  runWideEvent,
+  setExtra,
+  setMeta,
+  type WideEventOptions,
+} from "./wideEvents/index.js";
 
 if (env.METRICS_COLLECT_DEFAULTS) {
   collectDefaultMetrics({ register });
@@ -46,15 +58,28 @@ class ManagedSupervisor {
   private readonly podCleaner?: PodCleaner;
   private readonly failedPodHandler?: FailedPodHandler;
   private readonly tracing?: OtlpTraceService;
+  private readonly backpressureMonitor?: BackpressureMonitor;
+  private readonly backpressureRedis?: Redis;
 
   private readonly isKubernetes = isKubernetesEnvironment(env.KUBERNETES_FORCE_ENABLED);
   private readonly warmStartUrl = env.TRIGGER_WARM_START_URL;
 
+  private readonly wideEventOpts: WideEventOptions = {
+    service: "supervisor",
+    env: { nodeId: env.TRIGGER_WORKER_INSTANCE_NAME },
+    enabled: env.TRIGGER_WIDE_EVENTS_ENABLED,
+  };
+  private readonly wideEventsNoisyRoutes = env.TRIGGER_WIDE_EVENTS_NOISY_ROUTES;
+
   constructor() {
+    // Strip secret-like env vars before debug-logging the rest. Add any new
+    // secret env var here so it never lands in the DEBUG "Starting up" log.
     const {
       TRIGGER_WORKER_TOKEN,
       MANAGED_WORKER_SECRET,
       COMPUTE_GATEWAY_AUTH_TOKEN,
+      DOCKER_REGISTRY_PASSWORD,
+      TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_PASSWORD,
       ...envWithoutSecrets
     } = env;
 
@@ -119,6 +144,10 @@ class ManagedSupervisor {
           otelEndpoint: env.OTEL_EXPORTER_OTLP_ENDPOINT,
           prettyLogs: env.RUNNER_PRETTY_LOGS,
         },
+        createRetry: {
+          maxAttempts: env.COMPUTE_INSTANCE_CREATE_MAX_ATTEMPTS,
+          baseDelayMs: env.COMPUTE_INSTANCE_CREATE_RETRY_BASE_DELAY_MS,
+        },
       });
       this.computeManager = computeManager;
       this.workloadManager = computeManager;
@@ -166,6 +195,42 @@ class ManagedSupervisor {
       );
     }
 
+    if (env.TRIGGER_DEQUEUE_BACKPRESSURE_ENABLED) {
+      this.backpressureRedis = new Redis({
+        host: env.TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_HOST,
+        port: env.TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_PORT,
+        username: env.TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_USERNAME,
+        password: env.TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_PASSWORD,
+        ...(env.TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_TLS_DISABLED ? {} : { tls: {} }),
+        maxRetriesPerRequest: null,
+      });
+      this.backpressureRedis.on("error", (error) =>
+        this.logger.error("Backpressure redis error", { error: error.message })
+      );
+
+      this.backpressureMonitor = new BackpressureMonitor({
+        enabled: true,
+        source: new RedisBackpressureSignalSource(
+          this.backpressureRedis,
+          env.TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_KEY
+        ),
+        refreshIntervalMs: env.TRIGGER_DEQUEUE_BACKPRESSURE_REFRESH_MS,
+        maxVerdictAgeMs: env.TRIGGER_DEQUEUE_BACKPRESSURE_MAX_VERDICT_AGE_MS,
+        rampMs: env.TRIGGER_DEQUEUE_BACKPRESSURE_RAMP_MS,
+        dryRun: env.TRIGGER_DEQUEUE_BACKPRESSURE_DRY_RUN,
+        logger: this.logger,
+        metrics: new BackpressureMetrics({ register }),
+      });
+
+      this.logger.log("🛑 Dequeue backpressure enabled", {
+        key: env.TRIGGER_DEQUEUE_BACKPRESSURE_REDIS_KEY,
+        refreshIntervalMs: env.TRIGGER_DEQUEUE_BACKPRESSURE_REFRESH_MS,
+        maxVerdictAgeMs: env.TRIGGER_DEQUEUE_BACKPRESSURE_MAX_VERDICT_AGE_MS,
+        rampMs: env.TRIGGER_DEQUEUE_BACKPRESSURE_RAMP_MS,
+        dryRun: env.TRIGGER_DEQUEUE_BACKPRESSURE_DRY_RUN,
+      });
+    }
+
     this.workerSession = new SupervisorSession({
       workerToken: getWorkerToken(),
       apiUrl: env.TRIGGER_API_URL,
@@ -175,6 +240,7 @@ class ManagedSupervisor {
       dequeueIdleIntervalMs: env.TRIGGER_DEQUEUE_IDLE_INTERVAL_MS,
       queueConsumerEnabled: env.TRIGGER_DEQUEUE_ENABLED,
       maxRunCount: env.TRIGGER_DEQUEUE_MAX_RUN_COUNT,
+      queueClass: env.TRIGGER_WORKER_QUEUE_CLASS,
       metricsRegistry: register,
       scaling: {
         strategy: env.TRIGGER_DEQUEUE_SCALING_STRATEGY,
@@ -186,18 +252,20 @@ class ManagedSupervisor {
         ewmaAlpha: env.TRIGGER_DEQUEUE_SCALING_EWMA_ALPHA,
         batchWindowMs: env.TRIGGER_DEQUEUE_SCALING_BATCH_WINDOW_MS,
         dampingFactor: env.TRIGGER_DEQUEUE_SCALING_DAMPING_FACTOR,
+        // Freeze scale-up while backpressure is hard-engaged (not during the resume
+        // ramp). Undefined when backpressure is disabled → no effect on scaling.
+        shouldPauseScaling: () => this.backpressureMonitor?.isEngaged() ?? false,
       },
       runNotificationsEnabled: env.TRIGGER_WORKLOAD_API_ENABLED,
       heartbeatIntervalSeconds: env.TRIGGER_WORKER_HEARTBEAT_INTERVAL_SECONDS,
       sendRunDebugLogs: env.SEND_RUN_DEBUG_LOGS,
       preDequeue: async () => {
-        if (!env.RESOURCE_MONITOR_ENABLED) {
-          return {};
-        }
+        // Synchronous, hot-path-safe cached read; undefined when backpressure is disabled.
+        const skipForBackpressure = this.backpressureMonitor?.shouldSkipDequeue() ?? false;
 
-        if (this.isKubernetes) {
-          // Not used in k8s for now
-          return {};
+        if (!env.RESOURCE_MONITOR_ENABLED || this.isKubernetes) {
+          // Resource monitor is not used in k8s; backpressure is the only gate there.
+          return { skipDequeue: skipForBackpressure };
         }
 
         const resources = await this.resourceMonitor.getNodeResources();
@@ -207,7 +275,10 @@ class ManagedSupervisor {
             cpu: resources.cpuAvailable,
             memory: resources.memoryAvailable,
           },
-          skipDequeue: resources.cpuAvailable < 0.25 || resources.memoryAvailable < 0.25,
+          skipDequeue:
+            skipForBackpressure ||
+            resources.cpuAvailable < 0.25 ||
+            resources.memoryAvailable < 0.25,
         };
       },
       preSkip: async () => {
@@ -239,149 +310,205 @@ class ManagedSupervisor {
       async ({ time, message, dequeueResponseMs, pollingIntervalMs }) => {
         this.logger.verbose(`Received message with timestamp ${time.toLocaleString()}`, message);
 
-        if (message.completedWaitpoints.length > 0) {
-          this.logger.debug("Run has completed waitpoints", {
-            runId: message.run.id,
-            completedWaitpoints: message.completedWaitpoints.length,
-          });
-        }
-
-        if (!message.image) {
-          this.logger.error("Run has no image", { runId: message.run.id });
-          return;
-        }
-
-        const { checkpoint, ...rest } = message;
-
-        // Register trace context early so snapshot spans work for all paths
-        // (cold create, restore, warm start). Re-registration on restore is safe
-        // since dequeue always provides fresh context.
-        if (this.computeManager?.traceSpansEnabled) {
-          const traceparent = extractTraceparent(message.run.traceContext);
-
-          if (traceparent) {
-            this.workloadServer.registerRunTraceContext(message.run.friendlyId, {
-              traceparent,
-              envId: message.environment.id,
-              orgId: message.organization.id,
-              projectId: message.project.id,
-            });
-          }
-        }
+        const traceparent = extractTraceparent(message.run.traceContext);
+
+        await runWideEvent(
+          {
+            ...this.wideEventOpts,
+            op: "dequeue",
+            kind: "inbound",
+            traceparent,
+            setup: (state) => {
+              setMeta(state, "run_id", message.run.friendlyId);
+              setMeta(state, "env_id", message.environment.id);
+              setMeta(state, "org_id", message.organization.id);
+              setMeta(state, "project_id", message.project.id);
+              if (message.deployment.friendlyId) {
+                setMeta(state, "deployment_id", message.deployment.friendlyId);
+              }
+              setMeta(state, "machine_preset", message.run.machine.name);
+              state.extras.iteration = "dequeue";
+              state.extras.dequeue_response_ms = dequeueResponseMs;
+              state.extras.polling_interval_ms = pollingIntervalMs;
+              state.extras.completed_waitpoints = message.completedWaitpoints.length;
+            },
+          },
+          async () => {
+            if (message.completedWaitpoints.length > 0) {
+              this.logger.debug("Run has completed waitpoints", {
+                runId: message.run.id,
+                completedWaitpoints: message.completedWaitpoints.length,
+              });
+            }
 
-        if (checkpoint) {
-          this.logger.debug("Restoring run", { runId: message.run.id });
+            if (!message.image) {
+              setExtra(fromContext(), "path_taken", "skipped_no_image");
+              this.logger.error("Run has no image", { runId: message.run.id });
+              return;
+            }
 
-          if (this.computeManager) {
-            try {
-              const runnerId = getRestoreRunnerId(message.run.friendlyId, checkpoint.id);
+            const { checkpoint, ...rest } = message;
 
-              const didRestore = await this.computeManager.restore({
-                snapshotId: checkpoint.location,
-                runnerId,
-                runFriendlyId: message.run.friendlyId,
-                snapshotFriendlyId: message.snapshot.friendlyId,
-                machine: message.run.machine,
-                traceContext: message.run.traceContext,
+            // Register trace context early so snapshot spans work for all paths
+            // (cold create, restore, warm start). Re-registration on restore is safe
+            // since dequeue always provides fresh context.
+            if (this.computeManager?.traceSpansEnabled && traceparent) {
+              this.workloadServer.registerRunTraceContext(message.run.friendlyId, {
+                traceparent,
                 envId: message.environment.id,
                 orgId: message.organization.id,
                 projectId: message.project.id,
-                dequeuedAt: message.dequeuedAt,
               });
+            }
 
-              if (didRestore) {
-                this.logger.debug("Compute restore successful", {
-                  runId: message.run.id,
-                  runnerId,
+            if (checkpoint) {
+              setExtra(fromContext(), "path_taken", "restore");
+              this.logger.debug("Restoring run", { runId: message.run.id });
+
+              if (this.computeManager) {
+                const restoreStart = performance.now();
+                try {
+                  const runnerId = getRestoreRunnerId(message.run.friendlyId, checkpoint.id);
+
+                  const didRestore = await this.computeManager.restore({
+                    snapshotId: checkpoint.location,
+                    runnerId,
+                    runFriendlyId: message.run.friendlyId,
+                    snapshotFriendlyId: message.snapshot.friendlyId,
+                    machine: message.run.machine,
+                    traceContext: message.run.traceContext,
+                    envId: message.environment.id,
+                    orgId: message.organization.id,
+                    projectId: message.project.id,
+                    hasPrivateLink: message.organization.hasPrivateLink,
+                    dequeuedAt: message.dequeuedAt,
+                  });
+                  recordPhaseSince("restore", restoreStart, undefined);
+                  setExtra(fromContext(), "did_restore", didRestore);
+
+                  if (didRestore) {
+                    this.logger.debug("Compute restore successful", {
+                      runId: message.run.id,
+                      runnerId,
+                    });
+                  } else {
+                    this.logger.error("Compute restore failed", {
+                      runId: message.run.id,
+                      runnerId,
+                    });
+                  }
+                } catch (error) {
+                  recordPhaseSince(
+                    "restore",
+                    restoreStart,
+                    error instanceof Error ? error : new Error(String(error))
+                  );
+                  this.logger.error("Failed to restore run (compute)", { error });
+                }
+
+                return;
+              }
+
+              if (!this.checkpointClient) {
+                this.logger.error("No checkpoint client", { runId: message.run.id });
+                return;
+              }
+
+              const restoreStart = performance.now();
+              try {
+                const didRestore = await this.checkpointClient.restoreRun({
+                  runFriendlyId: message.run.friendlyId,
+                  snapshotFriendlyId: message.snapshot.friendlyId,
+                  body: {
+                    ...rest,
+                    checkpoint,
+                  },
                 });
-              } else {
-                this.logger.error("Compute restore failed", { runId: message.run.id, runnerId });
+                recordPhaseSince("restore", restoreStart, undefined);
+                setExtra(fromContext(), "did_restore", didRestore);
+
+                if (didRestore) {
+                  this.logger.debug("Restore successful", { runId: message.run.id });
+                } else {
+                  this.logger.error("Restore failed", { runId: message.run.id });
+                }
+              } catch (error) {
+                recordPhaseSince(
+                  "restore",
+                  restoreStart,
+                  error instanceof Error ? error : new Error(String(error))
+                );
+                this.logger.error("Failed to restore run", { error });
               }
-            } catch (error) {
-              this.logger.error("Failed to restore run (compute)", { error });
+
+              return;
             }
 
-            return;
-          }
+            this.logger.debug("Scheduling run", { runId: message.run.id });
 
-          if (!this.checkpointClient) {
-            this.logger.error("No checkpoint client", { runId: message.run.id });
-            return;
-          }
+            const warmStartStart = performance.now();
+            const didWarmStart = await this.tryWarmStart(message, traceparent);
+            const warmStartCheckMs = Math.round(performance.now() - warmStartStart);
+            recordPhaseSince("warm_start", warmStartStart, undefined);
+            setExtra(fromContext(), "did_warm_start", didWarmStart);
 
-          try {
-            const didRestore = await this.checkpointClient.restoreRun({
-              runFriendlyId: message.run.friendlyId,
-              snapshotFriendlyId: message.snapshot.friendlyId,
-              body: {
-                ...rest,
-                checkpoint,
-              },
-            });
-
-            if (didRestore) {
-              this.logger.debug("Restore successful", { runId: message.run.id });
-            } else {
-              this.logger.error("Restore failed", { runId: message.run.id });
+            if (didWarmStart) {
+              setExtra(fromContext(), "path_taken", "warm_start");
+              this.logger.debug("Warm start successful", { runId: message.run.id });
+              return;
             }
-          } catch (error) {
-            this.logger.error("Failed to restore run", { error });
-          }
-
-          return;
-        }
 
-        this.logger.debug("Scheduling run", { runId: message.run.id });
+            setExtra(fromContext(), "path_taken", "cold_create");
 
-        const warmStartStart = performance.now();
-        const didWarmStart = await this.tryWarmStart(message);
-        const warmStartCheckMs = Math.round(performance.now() - warmStartStart);
+            const createStart = performance.now();
+            try {
+              if (!message.deployment.friendlyId) {
+                // mostly a type guard, deployments always exists for deployed environments
+                // a proper fix would be to use a discriminated union schema to differentiate between dequeued runs in dev and in deployed environments.
+                throw new Error("Deployment is missing");
+              }
 
-        if (didWarmStart) {
-          this.logger.debug("Warm start successful", { runId: message.run.id });
-          return;
-        }
+              await this.workloadManager.create({
+                dequeuedAt: message.dequeuedAt,
+                dequeueResponseMs,
+                pollingIntervalMs,
+                warmStartCheckMs,
+                envId: message.environment.id,
+                envType: message.environment.type,
+                image: message.image,
+                machine: message.run.machine,
+                orgId: message.organization.id,
+                projectId: message.project.id,
+                deploymentFriendlyId: message.deployment.friendlyId,
+                deploymentVersion: message.backgroundWorker.version,
+                runId: message.run.id,
+                runFriendlyId: message.run.friendlyId,
+                version: message.version,
+                nextAttemptNumber: message.run.attemptNumber,
+                snapshotId: message.snapshot.id,
+                snapshotFriendlyId: message.snapshot.friendlyId,
+                placementTags: message.placementTags,
+                traceContext: message.run.traceContext,
+                annotations: message.run.annotations,
+                hasPrivateLink: message.organization.hasPrivateLink,
+              });
+              recordPhaseSince("workload_create", createStart, undefined);
 
-        try {
-          if (!message.deployment.friendlyId) {
-            // mostly a type guard, deployments always exists for deployed environments
-            // a proper fix would be to use a discriminated union schema to differentiate between dequeued runs in dev and in deployed environments.
-            throw new Error("Deployment is missing");
+              // Disabled for now
+              // this.resourceMonitor.blockResources({
+              //   cpu: message.run.machine.cpu,
+              //   memory: message.run.machine.memory,
+              // });
+            } catch (error) {
+              recordPhaseSince(
+                "workload_create",
+                createStart,
+                error instanceof Error ? error : new Error(String(error))
+              );
+              this.logger.error("Failed to create workload", { error });
+            }
           }
-
-          await this.workloadManager.create({
-            dequeuedAt: message.dequeuedAt,
-            dequeueResponseMs,
-            pollingIntervalMs,
-            warmStartCheckMs,
-            envId: message.environment.id,
-            envType: message.environment.type,
-            image: message.image,
-            machine: message.run.machine,
-            orgId: message.organization.id,
-            projectId: message.project.id,
-            deploymentFriendlyId: message.deployment.friendlyId,
-            deploymentVersion: message.backgroundWorker.version,
-            runId: message.run.id,
-            runFriendlyId: message.run.friendlyId,
-            version: message.version,
-            nextAttemptNumber: message.run.attemptNumber,
-            snapshotId: message.snapshot.id,
-            snapshotFriendlyId: message.snapshot.friendlyId,
-            placementTags: message.placementTags,
-            traceContext: message.run.traceContext,
-            annotations: message.run.annotations,
-            hasPrivateLink: message.organization.hasPrivateLink,
-          });
-
-          // Disabled for now
-          // this.resourceMonitor.blockResources({
-          //   cpu: message.run.machine.cpu,
-          //   memory: message.run.machine.memory,
-          // });
-        } catch (error) {
-          this.logger.error("Failed to create workload", { error });
-        }
+        );
       }
     );
 
@@ -404,6 +531,8 @@ class ManagedSupervisor {
       checkpointClient: this.checkpointClient,
       computeManager: this.computeManager,
       tracing: this.tracing,
+      wideEventOpts: this.wideEventOpts,
+      wideEventsNoisyRoutes: this.wideEventsNoisyRoutes,
     });
 
     this.workloadServer.on("runConnected", this.onRunConnected.bind(this));
@@ -420,19 +549,31 @@ class ManagedSupervisor {
     this.workerSession.unsubscribeFromRunNotifications([run.friendlyId]);
   }
 
-  private async tryWarmStart(dequeuedMessage: DequeuedMessage): Promise<boolean> {
+  private async tryWarmStart(
+    dequeuedMessage: DequeuedMessage,
+    traceparent: string | undefined
+  ): Promise<boolean> {
     if (!this.warmStartUrl) {
       return false;
     }
 
     const warmStartUrlWithPath = new URL("/warm-start", this.warmStartUrl);
 
+    const headers: Record<string, string> = {
+      "Content-Type": "application/json",
+    };
+    // Propagate the inbound W3C traceparent so the upstream warm-start
+    // receiver continues the same trace instead of minting a new one. Gated
+    // by the same kill switch as the wide-event emission so the whole PR is
+    // a no-op on the wire when disabled.
+    if (this.wideEventOpts.enabled && traceparent) {
+      headers.traceparent = traceparent;
+    }
+
     try {
       const res = await fetch(warmStartUrlWithPath.href, {
         method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-        },
+        headers,
         body: JSON.stringify({ dequeuedMessage }),
       });
 
@@ -468,6 +609,7 @@ class ManagedSupervisor {
     this.logger.log("Starting up");
 
     // Optional services
+    this.backpressureMonitor?.start();
     await this.podCleaner?.start();
     await this.failedPodHandler?.start();
     await this.metricsServer?.start();
@@ -492,6 +634,8 @@ class ManagedSupervisor {
     await this.workerSession.stop();
 
     // Optional services
+    this.backpressureMonitor?.stop();
+    await this.backpressureRedis?.quit();
     await this.podCleaner?.stop();
     await this.failedPodHandler?.stop();
     await this.metricsServer?.stop();
diff --git a/apps/supervisor/src/services/computeSnapshotService.test.ts b/apps/supervisor/src/services/computeSnapshotService.test.ts
new file mode 100644
index 00000000000..b039b63bd4d
--- /dev/null
+++ b/apps/supervisor/src/services/computeSnapshotService.test.ts
@@ -0,0 +1,130 @@
+import { describe, expect, it, vi } from "vitest";
+import { setTimeout as sleep } from "node:timers/promises";
+import { ComputeSnapshotService } from "./computeSnapshotService.js";
+import type { ComputeWorkloadManager } from "../workloadManager/compute.js";
+import type { SupervisorHttpClient } from "@trigger.dev/core/v3/workers";
+
+// The TimerWheel ticks every 100ms, so a 200ms delay dispatches within ~300ms.
+const DELAY_MS = 200;
+// Long enough that a pending snapshot would certainly have dispatched.
+const SETTLE_MS = 600;
+
+function createService() {
+  const snapshot = vi.fn(async (_opts: { runnerId: string; metadata: Record<string, string> }) => true);
+
+  const computeManager = {
+    snapshotDelayMs: DELAY_MS,
+    snapshotDispatchLimit: 1,
+    snapshot,
+  } as unknown as ComputeWorkloadManager;
+
+  const service = new ComputeSnapshotService({
+    computeManager,
+    workerClient: {} as SupervisorHttpClient,
+    wideEventOpts: { service: "supervisor-test", env: {}, enabled: false },
+  });
+
+  return { service, snapshot };
+}
+
+function delayedSnapshot(runnerId = "runner-1") {
+  return {
+    runnerId,
+    runFriendlyId: "run_1",
+    snapshotFriendlyId: "snapshot_1",
+  };
+}
+
+describe("ComputeSnapshotService", () => {
+  it("dispatches a scheduled snapshot after the delay", async () => {
+    const { service, snapshot } = createService();
+    try {
+      service.schedule("run_1", delayedSnapshot());
+
+      await vi.waitFor(() => expect(snapshot).toHaveBeenCalledTimes(1), { timeout: 2_000 });
+      expect(snapshot).toHaveBeenCalledWith({
+        runnerId: "runner-1",
+        metadata: { runId: "run_1", snapshotFriendlyId: "snapshot_1" },
+      });
+    } finally {
+      service.stop();
+    }
+  });
+
+  it("cancel before the delay expires prevents the dispatch", async () => {
+    const { service, snapshot } = createService();
+    try {
+      service.schedule("run_1", delayedSnapshot());
+
+      expect(service.cancel("run_1")).toBe(true);
+
+      await sleep(SETTLE_MS);
+      expect(snapshot).not.toHaveBeenCalled();
+    } finally {
+      service.stop();
+    }
+  });
+
+  it("cancel returns false when nothing is pending", () => {
+    const { service } = createService();
+    try {
+      expect(service.cancel("run_1")).toBe(false);
+    } finally {
+      service.stop();
+    }
+  });
+
+  it("cancel with a matching runnerId cancels the pending snapshot", async () => {
+    const { service, snapshot } = createService();
+    try {
+      service.schedule("run_1", delayedSnapshot("runner-a"));
+
+      expect(service.cancel("run_1", "runner-a")).toBe(true);
+
+      await sleep(SETTLE_MS);
+      expect(snapshot).not.toHaveBeenCalled();
+    } finally {
+      service.stop();
+    }
+  });
+
+  it("cancel with a different runnerId leaves the pending snapshot alone", async () => {
+    const { service, snapshot } = createService();
+    try {
+      service.schedule("run_1", delayedSnapshot("runner-a"));
+
+      // A stale runner for a reassigned run must not cancel the new runner's snapshot.
+      expect(service.cancel("run_1", "runner-b")).toBe(false);
+
+      await vi.waitFor(() => expect(snapshot).toHaveBeenCalledTimes(1), { timeout: 2_000 });
+      expect(snapshot).toHaveBeenCalledWith(
+        expect.objectContaining({ runnerId: "runner-a" })
+      );
+    } finally {
+      service.stop();
+    }
+  });
+
+  it("re-scheduling the same run replaces the pending snapshot", async () => {
+    const { service, snapshot } = createService();
+    try {
+      service.schedule("run_1", delayedSnapshot());
+      service.schedule("run_1", {
+        runnerId: "runner-1",
+        runFriendlyId: "run_1",
+        snapshotFriendlyId: "snapshot_2",
+      });
+
+      await vi.waitFor(() => expect(snapshot).toHaveBeenCalledTimes(1), { timeout: 2_000 });
+      await sleep(SETTLE_MS);
+
+      expect(snapshot).toHaveBeenCalledTimes(1);
+      expect(snapshot).toHaveBeenCalledWith({
+        runnerId: "runner-1",
+        metadata: { runId: "run_1", snapshotFriendlyId: "snapshot_2" },
+      });
+    } finally {
+      service.stop();
+    }
+  });
+});
diff --git a/apps/supervisor/src/services/computeSnapshotService.ts b/apps/supervisor/src/services/computeSnapshotService.ts
index 041e2902c75..216753fc12d 100644
--- a/apps/supervisor/src/services/computeSnapshotService.ts
+++ b/apps/supervisor/src/services/computeSnapshotService.ts
@@ -6,6 +6,15 @@ import { type SnapshotCallbackPayload } from "@internal/compute";
 import type { ComputeWorkloadManager } from "../workloadManager/compute.js";
 import { TimerWheel } from "./timerWheel.js";
 import type { OtlpTraceService } from "./otlpTraceService.js";
+import {
+  emitOneShot,
+  fromContext,
+  recordPhaseSince,
+  runWideEvent,
+  setExtra,
+  setMeta,
+  type WideEventOptions,
+} from "../wideEvents/index.js";
 
 type DelayedSnapshot = {
   runnerId: string;
@@ -24,6 +33,7 @@ export type ComputeSnapshotServiceOptions = {
   computeManager: ComputeWorkloadManager;
   workerClient: SupervisorHttpClient;
   tracing?: OtlpTraceService;
+  wideEventOpts: WideEventOptions;
 };
 
 export class ComputeSnapshotService {
@@ -37,11 +47,13 @@ export class ComputeSnapshotService {
   private readonly computeManager: ComputeWorkloadManager;
   private readonly workerClient: SupervisorHttpClient;
   private readonly tracing?: OtlpTraceService;
+  private readonly wideEventOpts: WideEventOptions;
 
   constructor(opts: ComputeSnapshotServiceOptions) {
     this.computeManager = opts.computeManager;
     this.workerClient = opts.workerClient;
     this.tracing = opts.tracing;
+    this.wideEventOpts = opts.wideEventOpts;
 
     this.dispatchLimit = pLimit(this.computeManager.snapshotDispatchLimit);
     this.timerWheel = new TimerWheel<DelayedSnapshot>({
@@ -62,6 +74,17 @@ export class ComputeSnapshotService {
   /** Schedule a delayed snapshot for a run. Replaces any pending snapshot for the same run. */
   schedule(runFriendlyId: string, data: DelayedSnapshot) {
     this.timerWheel.submit(runFriendlyId, data);
+    emitOneShot({
+      ...this.wideEventOpts,
+      op: "snapshot.schedule",
+      kind: "event",
+      populate: (state) => {
+        state.meta.run_id = runFriendlyId;
+        state.meta.snapshot_id = data.snapshotFriendlyId;
+        state.extras.runner_id = data.runnerId;
+        state.extras.delay_ms = this.computeManager.snapshotDelayMs;
+      },
+    });
     this.logger.debug("Snapshot scheduled", {
       runFriendlyId,
       snapshotFriendlyId: data.snapshotFriendlyId,
@@ -69,10 +92,29 @@ export class ComputeSnapshotService {
     });
   }
 
-  /** Cancel a pending delayed snapshot. Returns true if one was cancelled. */
-  cancel(runFriendlyId: string): boolean {
+  /**
+   * Cancel a pending delayed snapshot. Returns true if one was cancelled.
+   * When `runnerId` is given, only a snapshot scheduled for that same runner
+   * is cancelled - a stale runner for a run that has since been reassigned
+   * must not cancel the new runner's pending snapshot.
+   */
+  cancel(runFriendlyId: string, runnerId?: string): boolean {
+    if (runnerId) {
+      const pending = this.timerWheel.peek(runFriendlyId);
+      if (pending && pending.data.runnerId !== runnerId) {
+        return false;
+      }
+    }
     const cancelled = this.timerWheel.cancel(runFriendlyId);
     if (cancelled) {
+      emitOneShot({
+        ...this.wideEventOpts,
+        op: "snapshot.canceled",
+        kind: "event",
+        populate: (state) => {
+          state.meta.run_id = runFriendlyId;
+        },
+      });
       this.logger.debug("Snapshot cancelled", { runFriendlyId });
     }
     return cancelled;
@@ -81,6 +123,23 @@ export class ComputeSnapshotService {
   /** Handle the callback from the gateway after a snapshot completes or fails. */
   async handleCallback(body: SnapshotCallbackPayload) {
     const snapshotId = body.status === "completed" ? body.snapshot_id : undefined;
+    const runId = body.metadata?.runId;
+    const snapshotFriendlyId = body.metadata?.snapshotFriendlyId;
+
+    // Enrich the wrapping route's wide event with snapshot metadata. The
+    // `/api/v1/compute/snapshot-complete` route is registered with `wideRoute`,
+    // so `fromContext()` returns the State of that route and these calls
+    // become extras/meta on the same wide event - no nested emission.
+    const state = fromContext();
+    if (state) {
+      state.extras["snapshot.status"] = body.status;
+      if (body.instance_id) state.extras["snapshot.instance_id"] = body.instance_id;
+      if (body.duration_ms !== undefined) state.extras["snapshot.duration_ms"] = body.duration_ms;
+      if (snapshotId) state.extras["snapshot.id"] = snapshotId;
+      if (body.status === "failed" && body.error) state.extras["snapshot.error"] = body.error;
+    }
+    if (runId) setMeta(state, "run_id", runId);
+    if (snapshotFriendlyId) setMeta(state, "snapshot_id", snapshotFriendlyId);
 
     this.logger.debug("Snapshot callback", {
       snapshotId,
@@ -91,9 +150,6 @@ export class ComputeSnapshotService {
       durationMs: body.duration_ms,
     });
 
-    const runId = body.metadata?.runId;
-    const snapshotFriendlyId = body.metadata?.snapshotFriendlyId;
-
     if (!runId || !snapshotFriendlyId) {
       this.logger.error("Snapshot callback missing metadata", { body });
       return { ok: false as const, status: 400 };
@@ -102,6 +158,7 @@ export class ComputeSnapshotService {
     this.#emitSnapshotSpan(runId, body.duration_ms, snapshotId);
 
     if (body.status === "completed") {
+      const submitStart = performance.now();
       const result = await this.workerClient.submitSuspendCompletion({
         runId,
         snapshotId: snapshotFriendlyId,
@@ -113,6 +170,11 @@ export class ComputeSnapshotService {
           },
         },
       });
+      recordPhaseSince(
+        "submit_completion",
+        submitStart,
+        result.success ? undefined : new Error(String(result.error))
+      );
 
       if (result.success) {
         this.logger.debug("Suspend completion submitted", {
@@ -121,6 +183,7 @@ export class ComputeSnapshotService {
           snapshotId: body.snapshot_id,
         });
       } else {
+        setExtra(state, "submit_completion.error", String(result.error));
         this.logger.error("Failed to submit suspend completion", {
           runId,
           snapshotFriendlyId,
@@ -128,6 +191,7 @@ export class ComputeSnapshotService {
         });
       }
     } else {
+      const submitStart = performance.now();
       const result = await this.workerClient.submitSuspendCompletion({
         runId,
         snapshotId: snapshotFriendlyId,
@@ -136,8 +200,14 @@ export class ComputeSnapshotService {
           error: body.error ?? "Snapshot failed",
         },
       });
+      recordPhaseSince(
+        "submit_completion",
+        submitStart,
+        result.success ? undefined : new Error(String(result.error))
+      );
 
       if (!result.success) {
+        setExtra(state, "submit_completion.error", String(result.error));
         this.logger.error("Failed to submit suspend failure", {
           runId,
           snapshotFriendlyId,
@@ -184,20 +254,31 @@ export class ComputeSnapshotService {
 
   /** Dispatch a snapshot request to the gateway. */
   private async dispatch(snapshot: DelayedSnapshot): Promise<void> {
-    const result = await this.computeManager.snapshot({
-      runnerId: snapshot.runnerId,
-      metadata: {
-        runId: snapshot.runFriendlyId,
-        snapshotFriendlyId: snapshot.snapshotFriendlyId,
+    await runWideEvent(
+      {
+        ...this.wideEventOpts,
+        op: "snapshot.dispatch",
+        kind: "scheduled",
+        setup: (state) => {
+          state.meta.run_id = snapshot.runFriendlyId;
+          state.meta.snapshot_id = snapshot.snapshotFriendlyId;
+          state.extras.runner_id = snapshot.runnerId;
+        },
       },
-    });
+      async () => {
+        const result = await this.computeManager.snapshot({
+          runnerId: snapshot.runnerId,
+          metadata: {
+            runId: snapshot.runFriendlyId,
+            snapshotFriendlyId: snapshot.snapshotFriendlyId,
+          },
+        });
 
-    if (!result) {
-      this.logger.error("Failed to request snapshot", {
-        runId: snapshot.runFriendlyId,
-        runnerId: snapshot.runnerId,
-      });
-    }
+        if (!result) {
+          throw new Error("Snapshot dispatch returned no result");
+        }
+      }
+    );
   }
 
   #emitSnapshotSpan(runFriendlyId: string, durationMs?: number, snapshotId?: string) {
diff --git a/apps/supervisor/src/services/timerWheel.test.ts b/apps/supervisor/src/services/timerWheel.test.ts
index 3f6bb9aa19b..e685a26b1b4 100644
--- a/apps/supervisor/src/services/timerWheel.test.ts
+++ b/apps/supervisor/src/services/timerWheel.test.ts
@@ -51,6 +51,23 @@ describe("TimerWheel", () => {
     wheel.stop();
   });
 
+  it("peek returns the pending item without removing it", () => {
+    const wheel = new TimerWheel<string>({ delayMs: 3000, onExpire: () => {} });
+
+    wheel.start();
+    wheel.submit("run-1", "data");
+
+    expect(wheel.peek("run-1")).toEqual({ key: "run-1", data: "data" });
+    expect(wheel.size).toBe(1);
+    expect(wheel.peek("run-2")).toBeUndefined();
+
+    // Dispatched items are no longer peekable
+    vi.advanceTimersByTime(3100);
+    expect(wheel.peek("run-1")).toBeUndefined();
+
+    wheel.stop();
+  });
+
   it("cancel returns false for unknown key", () => {
     const wheel = new TimerWheel<string>({
       delayMs: 3000,
diff --git a/apps/supervisor/src/services/timerWheel.ts b/apps/supervisor/src/services/timerWheel.ts
index 9584423824d..cab5a5d7a25 100644
--- a/apps/supervisor/src/services/timerWheel.ts
+++ b/apps/supervisor/src/services/timerWheel.ts
@@ -121,6 +121,12 @@ export class TimerWheel<T> {
     return true;
   }
 
+  /** Look up a pending item without removing it. */
+  peek(key: string): TimerWheelItem<T> | undefined {
+    const entry = this.entries.get(key);
+    return entry ? { key, data: entry.data } : undefined;
+  }
+
   /** Number of pending items in the wheel. */
   get size(): number {
     return this.entries.size;
diff --git a/apps/supervisor/src/wideEvents/baggage.test.ts b/apps/supervisor/src/wideEvents/baggage.test.ts
new file mode 100644
index 00000000000..0579533345e
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/baggage.test.ts
@@ -0,0 +1,44 @@
+import { describe, it, expect } from "vitest";
+import { encodeBaggage } from "./baggage.js";
+
+describe("encodeBaggage", () => {
+  it("returns empty string for an empty map", () => {
+    expect(encodeBaggage({})).toBe("");
+  });
+
+  it("encodes a single entry as k=v", () => {
+    expect(encodeBaggage({ run_id: "run-1" })).toBe("run_id=run-1");
+  });
+
+  it("sorts keys for stable output across hops", () => {
+    expect(encodeBaggage({ b: "2", a: "1", c: "3" })).toBe("a=1,b=2,c=3");
+  });
+
+  it("skips empty keys and empty values", () => {
+    expect(encodeBaggage({ "": "v", k: "", real: "x" })).toBe("real=x");
+  });
+
+  it("truncates values longer than the cap", () => {
+    const long = "x".repeat(1024);
+    const got = encodeBaggage({ k: long });
+    const value = got.slice("k=".length);
+    expect(value.length).toBe(256);
+  });
+
+  it("caps multibyte values by UTF-8 bytes, not code units", () => {
+    const long = "あ".repeat(512); // 3 UTF-8 bytes each
+    const got = encodeBaggage({ k: long });
+    const value = got.slice("k=".length);
+    expect(Buffer.byteLength(value, "utf8")).toBeLessThanOrEqual(256);
+  });
+
+  it("caps the number of entries", () => {
+    const meta: Record<string, string> = {};
+    for (let i = 0; i < 50; i++) {
+      // Sortable two-digit keys so we know which 32 survive.
+      meta[`k${String(i).padStart(2, "0")}`] = "v";
+    }
+    const got = encodeBaggage(meta);
+    expect(got.split(",").length).toBe(32);
+  });
+});
diff --git a/apps/supervisor/src/wideEvents/baggage.ts b/apps/supervisor/src/wideEvents/baggage.ts
new file mode 100644
index 00000000000..7750ac79303
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/baggage.ts
@@ -0,0 +1,45 @@
+/**
+ * W3C Baggage (https://www.w3.org/TR/baggage/) encoding for outbound peer
+ * calls. Serialises a State's `meta` map into a `Baggage` header value so
+ * the downstream service auto-stamps the same labels onto its own wide
+ * events - even on early-error paths that bail before parsing the request
+ * body.
+ *
+ * Outbound discipline: only call this on peer-to-peer hops within the trust
+ * boundary. External-endpoint calls (image registries, cloud-provider
+ * APIs, third-party webhooks) must not include the Baggage header.
+ */
+
+import { truncateUtf8 } from "./truncate.js";
+
+/**
+ * Cap the number of entries serialised onto the header. A misbehaving
+ * caller's `meta` map shouldn't blow up downstream event width.
+ */
+const MAX_BAGGAGE_ENTRIES = 32;
+
+/**
+ * Cap each value's length. Defense against an upstream that stuffs
+ * unbounded payloads into a meta value.
+ */
+const MAX_BAGGAGE_VALUE_BYTES = 256;
+
+/**
+ * Encode a `meta` map as a Baggage header value (`k1=v1,k2=v2`). Keys are
+ * sorted for stable output across hops; an empty input yields the empty
+ * string so the caller can skip emitting the header entirely.
+ */
+export function encodeBaggage(meta: Record<string, string>): string {
+  const entries = Object.entries(meta).filter(([k, v]) => k && v);
+  if (entries.length === 0) return "";
+
+  entries.sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
+
+  const out: string[] = [];
+  for (const [k, raw] of entries) {
+    if (out.length >= MAX_BAGGAGE_ENTRIES) break;
+    const v = truncateUtf8(raw, MAX_BAGGAGE_VALUE_BYTES);
+    out.push(`${k}=${v}`);
+  }
+  return out.join(",");
+}
diff --git a/apps/supervisor/src/wideEvents/context.ts b/apps/supervisor/src/wideEvents/context.ts
new file mode 100644
index 00000000000..a89859c2707
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/context.ts
@@ -0,0 +1,14 @@
+import { AsyncLocalStorage } from "node:async_hooks";
+import type { State } from "./state.js";
+
+/**
+ * AsyncLocalStorage threading per-operation `State` through the call stack.
+ * Wrappers enter a state via `wideEventStorage.run(state, () => fn())` and
+ * any code in the async call tree retrieves it via `fromContext()`.
+ */
+export const wideEventStorage = new AsyncLocalStorage<State>();
+
+/** Returns the State attached to the current async context, or null. */
+export function fromContext(): State | null {
+  return wideEventStorage.getStore() ?? null;
+}
diff --git a/apps/supervisor/src/wideEvents/emit.test.ts b/apps/supervisor/src/wideEvents/emit.test.ts
new file mode 100644
index 00000000000..0daefa64873
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/emit.test.ts
@@ -0,0 +1,134 @@
+import { describe, it, expect } from "vitest";
+import { emit, EmitMessage } from "./emit.js";
+import { newState } from "./new.js";
+
+function captureEmit(state: Parameters<typeof emit>[0]): Record<string, unknown> {
+  const captured: string[] = [];
+  const origWrite = process.stdout.write;
+  process.stdout.write = ((chunk: unknown) => {
+    captured.push(String(chunk));
+    return true;
+  }) as typeof process.stdout.write;
+  try {
+    emit(state);
+  } finally {
+    process.stdout.write = origWrite;
+  }
+  expect(captured).toHaveLength(1);
+  const line = captured[0];
+  if (!line) throw new Error("no captured line");
+  return JSON.parse(line) as Record<string, unknown>;
+}
+
+describe("emit", () => {
+  it("emits a single line with the stable message + request_id", () => {
+    const s = newState({ service: "supervisor", env: {} });
+    s.statusCode = 200;
+    s.ok = true;
+    s.durationMs = 5;
+    const out = captureEmit(s);
+    expect(out.msg).toBe(EmitMessage);
+    expect(out.request_id).toBe(s.requestId);
+    expect(out.service).toBe("supervisor");
+    expect(out.ok).toBe(true);
+    expect(out.status).toBe(200);
+    expect(out.duration_ms).toBe(5);
+  });
+
+  it("emits start_time as an ISO timestamp set by newState", () => {
+    const s = newState({ service: "supervisor", env: {} });
+    s.statusCode = 200;
+    s.ok = true;
+    const out = captureEmit(s);
+    expect(typeof out.start_time).toBe("string");
+    // Microsecond-precision RFC3339 (6 fractional digits), parseable as a date.
+    expect(out.start_time).toMatch(/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}Z$/);
+    expect(Number.isNaN(new Date(out.start_time as string).getTime())).toBe(false);
+  });
+
+  it("omits start_time when unset", () => {
+    const s = newState({ service: "supervisor", env: {} });
+    delete s.startTime;
+    s.statusCode = 200;
+    s.ok = true;
+    const out = captureEmit(s);
+    expect(out).not.toHaveProperty("start_time");
+  });
+
+  it("omits empty optional fields", () => {
+    const s = newState({ service: "supervisor", env: {} });
+    s.statusCode = 200;
+    s.ok = true;
+    const out = captureEmit(s);
+    expect(out).not.toHaveProperty("trace_id");
+    expect(out).not.toHaveProperty("version");
+    expect(out).not.toHaveProperty("commit_sha");
+    expect(out).not.toHaveProperty("error.code");
+  });
+
+  it("flattens meta keys as meta.<key>", () => {
+    const s = newState({ service: "supervisor", env: {} });
+    s.statusCode = 200;
+    s.ok = true;
+    s.meta.run_id = "run_abc";
+    s.meta.deployment_id = "dep_xyz";
+    const out = captureEmit(s);
+    expect(out["meta.run_id"]).toBe("run_abc");
+    expect(out["meta.deployment_id"]).toBe("dep_xyz");
+    expect(out).not.toHaveProperty("meta");
+  });
+
+  it("flattens phases as phase.<name>.<field>", () => {
+    const s = newState({ service: "supervisor", env: {} });
+    s.statusCode = 200;
+    s.ok = true;
+    s.phases.push({ name: "warm_start", durationMs: 12, ok: true, attempts: 1 });
+    s.phases.push({
+      name: "workload_create",
+      durationMs: 3,
+      ok: false,
+      attempts: 2,
+      errorCode: "Error",
+      errorMsg: "boom",
+      sub: { create_ms: 1 },
+    });
+    const out = captureEmit(s);
+    expect(out["phase.warm_start.duration_ms"]).toBe(12);
+    expect(out["phase.warm_start.ok"]).toBe(true);
+    expect(out["phase.warm_start.attempts"]).toBe(1);
+    expect(out["phase.workload_create.duration_ms"]).toBe(3);
+    expect(out["phase.workload_create.ok"]).toBe(false);
+    expect(out["phase.workload_create.attempts"]).toBe(2);
+    expect(out["phase.workload_create.error_code"]).toBe("Error");
+    expect(out["phase.workload_create.error_message"]).toBe("boom");
+    expect(out["phase.workload_create.create_ms"]).toBe(1);
+  });
+
+  it("includes error.code/message/kind when state.error is set", () => {
+    const s = newState({ service: "supervisor", env: {} });
+    s.statusCode = 500;
+    s.error = { code: "InternalError", message: "kaboom", kind: "internal" };
+    const out = captureEmit(s);
+    expect(out["error.code"]).toBe("InternalError");
+    expect(out["error.message"]).toBe("kaboom");
+    expect(out["error.kind"]).toBe("internal");
+  });
+
+  it("truncates very long error messages", () => {
+    const s = newState({ service: "supervisor", env: {} });
+    s.error = { code: "Big", message: "x".repeat(2000), kind: "internal" };
+    const out = captureEmit(s);
+    expect((out["error.message"] as string).length).toBe(512);
+  });
+
+  it("flattens extras at the top level", () => {
+    const s = newState({ service: "supervisor", env: {} });
+    s.statusCode = 200;
+    s.ok = true;
+    s.extras.route = "/health";
+    s.extras["dispatch.result"] = "hit";
+    const out = captureEmit(s);
+    expect(out.route).toBe("/health");
+    expect(out["dispatch.result"]).toBe("hit");
+  });
+});
diff --git a/apps/supervisor/src/wideEvents/emit.ts b/apps/supervisor/src/wideEvents/emit.ts
new file mode 100644
index 00000000000..bfb03ad36c4
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/emit.ts
@@ -0,0 +1,84 @@
+import type { State } from "./state.js";
+import { truncateUtf8 } from "./truncate.js";
+
+/**
+ * Stable slog message string for every wide event. Downstream filters (jq,
+ * Axiom queries, Vector pipelines) pin to this constant. The `service` field
+ * disambiguates which service emitted it.
+ */
+export const EmitMessage = "wide_event";
+
+const MAX_ERROR_MSG_BYTES = 512;
+
+/**
+ * Serializes a State as a single flat-keyed JSON line on stdout. Keys are
+ * flat (no nested objects) to keep jq filtering and Axiom indexing cheap.
+ * Empty optional fields are omitted.
+ */
+export function emit(state: State): void {
+  // Best-effort: an observability failure (serialization, stdout write) must
+  // never break or mask the caller's operation. Every call site relies on this.
+  try {
+    const out: Record<string, unknown> = {
+      msg: EmitMessage,
+      request_id: state.requestId,
+    };
+
+    if (state.traceId) out.trace_id = state.traceId;
+    appendIfSet(out, "start_time", state.startTime);
+    appendIfSet(out, "service", state.service);
+    appendIfSet(out, "version", state.version);
+    appendIfSet(out, "commit_sha", state.commitSha);
+    appendIfSet(out, "region", state.region);
+    appendIfSet(out, "node_id", state.nodeId);
+
+    appendIfSet(out, "op", state.op);
+    appendIfSet(out, "kind", state.kind);
+
+    out.ok = state.ok;
+    if (state.statusCode !== 0) out.status = state.statusCode;
+    out.duration_ms = state.durationMs;
+
+    if (state.error) {
+      appendIfSet(out, "error.code", state.error.code);
+      appendIfSet(out, "error.message", truncateUtf8(state.error.message, MAX_ERROR_MSG_BYTES));
+      appendIfSet(out, "error.kind", state.error.kind);
+    }
+
+    for (const [k, v] of Object.entries(state.meta)) {
+      out["meta." + k] = v;
+    }
+
+    for (const p of state.phases) {
+      const prefix = "phase." + p.name + ".";
+      out[prefix + "duration_ms"] = p.durationMs;
+      out[prefix + "ok"] = p.ok;
+      out[prefix + "attempts"] = p.attempts;
+      if (p.errorCode) out[prefix + "error_code"] = p.errorCode;
+      if (p.errorMsg) out[prefix + "error_message"] = p.errorMsg;
+      if (p.sub) {
+        for (const [sk, sv] of Object.entries(p.sub)) {
+          out[prefix + sk] = sv;
+        }
+      }
+    }
+
+    for (const [k, v] of Object.entries(state.extras)) {
+      out[k] = v;
+    }
+
+    process.stdout.write(JSON.stringify(out) + "\n");
+  } catch (err) {
+    try {
+      process.stderr.write(
+        `wide_event_emit_failed: ${err instanceof Error ? err.message : String(err)}\n`
+      );
+    } catch {
+      // last resort - drop the event rather than throw
+    }
+  }
+}
+
+function appendIfSet(out: Record<string, unknown>, key: string, value: string | undefined): void {
+  if (value) out[key] = value;
+}
diff --git a/apps/supervisor/src/wideEvents/index.ts b/apps/supervisor/src/wideEvents/index.ts
new file mode 100644
index 00000000000..4eda429a50a
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/index.ts
@@ -0,0 +1,29 @@
+/**
+ * Wide-event observability surface for the supervisor. One flat-keyed JSON
+ * line per natural unit of work (HTTP request, dequeue iteration, socket
+ * lifecycle event). Events join across services via `trace_id` (parsed from
+ * the inbound W3C `traceparent`) and `meta.run_id`.
+ *
+ * Off by default behind a kill switch - the dispatch hotpath runs at high
+ * QPS, so logging pressure must be cleanly removable.
+ */
+export { type Env, isValidRequestId, newState, type NewStateOptions } from "./new.js";
+export { emit, EmitMessage } from "./emit.js";
+export { parseTraceId } from "./traceparent.js";
+export { fromContext, wideEventStorage } from "./context.js";
+export {
+  type PhaseOpt,
+  recordPhase,
+  recordPhaseSince,
+  timePhase,
+} from "./record.js";
+export {
+  emitOneShot,
+  runWideEvent,
+  setExtra,
+  setMeta,
+  type WideEventLifecycleOptions,
+  type WideEventOptions,
+} from "./middleware.js";
+export type { ErrorInfo, PhaseRecord, State } from "./state.js";
+export { encodeBaggage } from "./baggage.js";
diff --git a/apps/supervisor/src/wideEvents/middleware.test.ts b/apps/supervisor/src/wideEvents/middleware.test.ts
new file mode 100644
index 00000000000..afb59f43d6e
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/middleware.test.ts
@@ -0,0 +1,207 @@
+import { describe, it, expect } from "vitest";
+import { fromContext } from "./context.js";
+import { emitOneShot, runWideEvent, setMeta } from "./middleware.js";
+
+function captureStdout(fn: () => Promise<unknown> | unknown): Promise<string[]> {
+  const captured: string[] = [];
+  const orig = process.stdout.write;
+  process.stdout.write = ((chunk: unknown) => {
+    captured.push(String(chunk));
+    return true;
+  }) as typeof process.stdout.write;
+  return Promise.resolve(fn())
+    .finally(() => {
+      process.stdout.write = orig;
+    })
+    .then(() => captured);
+}
+
+describe("runWideEvent", () => {
+  it("emits one event with ok=true when no statusCode is set", async () => {
+    const lines = await captureStdout(async () => {
+      await runWideEvent(
+        { service: "supervisor", env: {}, enabled: true, op: "test", route: "/x", method: "POST" },
+        async () => undefined
+      );
+    });
+    expect(lines).toHaveLength(1);
+    const line = lines[0];
+    if (!line) throw new Error("no line");
+    const ev = JSON.parse(line) as Record<string, unknown>;
+    expect(ev.ok).toBe(true);
+    expect(ev.service).toBe("supervisor");
+    expect(ev.route).toBe("/x");
+    expect(ev.method).toBe("POST");
+    expect(typeof ev.duration_ms).toBe("number");
+    expect(typeof ev.request_id).toBe("string");
+  });
+
+  it("derives ok from statusCode set via finalize", async () => {
+    const lines = await captureStdout(async () => {
+      await runWideEvent(
+        { service: "supervisor", env: {}, enabled: true, op: "test" },
+        async () => undefined,
+        (state) => {
+          state.statusCode = 200;
+        }
+      );
+    });
+    const line = lines[0];
+    if (!line) throw new Error("no line");
+    const ev = JSON.parse(line) as Record<string, unknown>;
+    expect(ev.ok).toBe(true);
+    expect(ev.status).toBe(200);
+  });
+
+  it("treats 4xx as ok=false", async () => {
+    const lines = await captureStdout(async () => {
+      await runWideEvent(
+        { service: "supervisor", env: {}, enabled: true, op: "test" },
+        async () => undefined,
+        (state) => {
+          state.statusCode = 400;
+        }
+      );
+    });
+    const line = lines[0];
+    if (!line) throw new Error("no line");
+    const ev = JSON.parse(line) as Record<string, unknown>;
+    expect(ev.ok).toBe(false);
+    expect(ev.status).toBe(400);
+  });
+
+  it("emits ok=false with error.kind=internal on throw", async () => {
+    const lines = await captureStdout(async () => {
+      await runWideEvent(
+        { service: "supervisor", env: {}, enabled: true, op: "test" },
+        async () => {
+          throw new Error("boom");
+        }
+      ).catch(() => undefined);
+    });
+    const line = lines[0];
+    if (!line) throw new Error("no line");
+    const ev = JSON.parse(line) as Record<string, unknown>;
+    expect(ev.ok).toBe(false);
+    expect(ev.status).toBe(500);
+    expect(ev["error.kind"]).toBe("internal");
+    expect(ev["error.message"]).toBe("boom");
+  });
+
+  it("threads state through AsyncLocalStorage", async () => {
+    const lines = await captureStdout(async () => {
+      await runWideEvent(
+        { service: "supervisor", env: {}, enabled: true, op: "test" },
+        async () => {
+          setMeta(fromContext(), "run_id", "run_abc");
+        }
+      );
+    });
+    const line = lines[0];
+    if (!line) throw new Error("no line");
+    const ev = JSON.parse(line) as Record<string, unknown>;
+    expect(ev["meta.run_id"]).toBe("run_abc");
+    expect(ev.ok).toBe(true);
+  });
+
+  it("picks up inbound traceparent for trace_id", async () => {
+    const tp = "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01";
+    const lines = await captureStdout(async () => {
+      await runWideEvent(
+        { service: "supervisor", env: {}, enabled: true, op: "test", traceparent: tp },
+        async () => undefined
+      );
+    });
+    const line = lines[0];
+    if (!line) throw new Error("no line");
+    const ev = JSON.parse(line) as Record<string, unknown>;
+    expect(ev.trace_id).toBe("4bf92f3577b34da6a3ce929d0e0e4736");
+  });
+
+  it("honours setup() to attach meta and extras before fn runs", async () => {
+    const lines = await captureStdout(async () => {
+      await runWideEvent(
+        {
+          service: "supervisor",
+          env: {},
+          enabled: true, op: "test",
+          setup: (state) => {
+            state.meta.run_id = "run_abc";
+            state.extras.iteration = "dequeue";
+          },
+        },
+        async () => undefined
+      );
+    });
+    const line = lines[0];
+    if (!line) throw new Error("no line");
+    const ev = JSON.parse(line) as Record<string, unknown>;
+    expect(ev["meta.run_id"]).toBe("run_abc");
+    expect(ev.iteration).toBe("dequeue");
+  });
+
+  it("short-circuits to pass-through when enabled=false", async () => {
+    let seenState: ReturnType<typeof fromContext> = null;
+    const lines = await captureStdout(async () => {
+      await runWideEvent(
+        { service: "supervisor", env: {}, enabled: false, op: "test" },
+        async () => {
+          seenState = fromContext();
+        }
+      );
+    });
+    expect(lines).toHaveLength(0);
+    expect(seenState).toBe(null);
+  });
+
+  it("isolates state across concurrent invocations", async () => {
+    const lines = await captureStdout(async () => {
+      await Promise.all(
+        ["a", "b", "c"].map((tag) =>
+          runWideEvent(
+            { service: "supervisor", env: {}, enabled: true, op: "test" },
+            async () => {
+              const s = fromContext();
+              if (!s) throw new Error("no state");
+              s.meta.tag = tag;
+              await new Promise((r) => setTimeout(r, 5));
+              expect(s.meta.tag).toBe(tag);
+            }
+          )
+        )
+      );
+    });
+    const tags = lines.map((l) => (JSON.parse(l) as Record<string, unknown>)["meta.tag"]);
+    expect(tags.sort()).toEqual(["a", "b", "c"]);
+  });
+});
+
+describe("emitOneShot", () => {
+  it("emits a single event with populated meta when enabled", async () => {
+    const lines = await captureStdout(() => {
+      emitOneShot({
+        service: "supervisor",
+        env: {},
+        enabled: true, op: "test",
+        populate: (s) => {
+          s.meta.run_id = "run_abc";
+          s.extras.event = "run:start";
+        },
+      });
+    });
+    expect(lines).toHaveLength(1);
+    const line = lines[0];
+    if (!line) throw new Error("no line");
+    const ev = JSON.parse(line) as Record<string, unknown>;
+    expect(ev.ok).toBe(true);
+    expect(ev["meta.run_id"]).toBe("run_abc");
+    expect(ev.event).toBe("run:start");
+  });
+
+  it("emits nothing when disabled", async () => {
+    const lines = await captureStdout(() => {
+      emitOneShot({ service: "supervisor", env: {}, enabled: false, op: "test" });
+    });
+    expect(lines).toHaveLength(0);
+  });
+});
diff --git a/apps/supervisor/src/wideEvents/middleware.ts b/apps/supervisor/src/wideEvents/middleware.ts
new file mode 100644
index 00000000000..034c136414f
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/middleware.ts
@@ -0,0 +1,132 @@
+import { emit } from "./emit.js";
+import { newState, type Env } from "./new.js";
+import { wideEventStorage } from "./context.js";
+import type { State } from "./state.js";
+
+/** Options common to every wide-event lifecycle. */
+export type WideEventOptions = {
+  service: string;
+  env: Env;
+  /**
+   * Kill switch. When false, lifecycles degenerate into transparent
+   * pass-through - no State allocation, no AsyncLocalStorage run, no emit.
+   * Important for the dispatch hotpath where logging pressure must be
+   * cleanly removable.
+   */
+  enabled: boolean;
+};
+
+/** Per-invocation options layered on top of `WideEventOptions`. */
+export type WideEventLifecycleOptions = WideEventOptions & {
+  /** Operation discriminator (`instance.create`, `dequeue`, ...). Required. */
+  op: string;
+  /** Event shape: `inbound` | `outbound` | `event` | `scheduled`. Optional. */
+  kind?: string;
+  /** Route template (HTTP only) captured into `extras.route`. */
+  route?: string;
+  /** HTTP method captured into `extras.method`. */
+  method?: string;
+  /** Inbound W3C traceparent (HTTP header, queue message field). */
+  traceparent?: string;
+  /** Inbound request id (e.g. `x-request-id` header). */
+  inboundRequestId?: string;
+  /** Runs after the state is built, before the wrapped fn. Use to attach meta. */
+  setup?: (state: State) => void;
+};
+
+/**
+ * Runs `fn` inside an AsyncLocalStorage state and emits one wide event on
+ * completion or error. `finalize` runs after `fn` returns but before emit -
+ * use it to read out-of-band outcome info (e.g. `res.statusCode` for an HTTP
+ * route) and assign to `state.statusCode`. The wrapper computes `ok` from
+ * `statusCode` if it's set; otherwise it defaults to true on success.
+ *
+ * Returns the original `fn` result. When `enabled=false`, `fn` runs unchanged
+ * with no event emitted.
+ */
+export async function runWideEvent<T>(
+  opts: WideEventLifecycleOptions,
+  fn: () => Promise<T> | T,
+  finalize?: (state: State) => void
+): Promise<T> {
+  if (!opts.enabled) {
+    return fn();
+  }
+
+  const state = newState({
+    service: opts.service,
+    env: opts.env,
+    inboundRequestId: opts.inboundRequestId,
+    traceparent: opts.traceparent,
+    op: opts.op,
+    kind: opts.kind,
+  });
+  if (opts.route) state.extras.route = opts.route;
+  if (opts.method) state.extras.method = opts.method;
+
+  const start = performance.now();
+  try {
+    if (opts.setup) opts.setup(state);
+    const result = await wideEventStorage.run(state, () => Promise.resolve(fn()));
+    state.durationMs = Math.round(performance.now() - start);
+    if (finalize) finalize(state);
+    if (state.statusCode !== 0) {
+      state.ok = state.statusCode >= 200 && state.statusCode < 300;
+    } else {
+      state.ok = true;
+    }
+    emit(state);
+    return result;
+  } catch (err) {
+    state.durationMs = Math.round(performance.now() - start);
+    const e = err instanceof Error ? err : new Error(String(err));
+    if (state.statusCode === 0) state.statusCode = 500;
+    state.ok = false;
+    state.error = {
+      code: e.name || "Error",
+      message: e.message,
+      kind: "internal",
+    };
+    emit(state);
+    throw err;
+  }
+}
+
+/**
+ * One-shot wide event with no wrapped operation. Use for socket lifecycle
+ * events (`run:start`, `run:stop`) where there is no surrounding async unit
+ * of work to time. `populate` runs synchronously to attach meta/extras
+ * before emit.
+ */
+export function emitOneShot(
+  opts: WideEventOptions & {
+    op: string;
+    kind?: string;
+    traceparent?: string;
+    populate?: (state: State) => void;
+  }
+): void {
+  if (!opts.enabled) return;
+  const state = newState({
+    service: opts.service,
+    env: opts.env,
+    traceparent: opts.traceparent,
+    op: opts.op,
+    kind: opts.kind,
+  });
+  if (opts.populate) opts.populate(state);
+  state.ok = true;
+  emit(state);
+}
+
+/** Convenience accessor for in-handler meta mutation. */
+export function setMeta(state: State | null, key: string, value: string): void {
+  if (!state) return;
+  state.meta[key] = value;
+}
+
+/** Convenience for free-form fields (did_warm_start, dispatch.result, ...). */
+export function setExtra(state: State | null, key: string, value: unknown): void {
+  if (!state) return;
+  state.extras[key] = value;
+}
diff --git a/apps/supervisor/src/wideEvents/new.test.ts b/apps/supervisor/src/wideEvents/new.test.ts
new file mode 100644
index 00000000000..476c49c3d0e
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/new.test.ts
@@ -0,0 +1,81 @@
+import { describe, it, expect } from "vitest";
+import { isValidRequestId, newState } from "./new.js";
+
+describe("isValidRequestId", () => {
+  it("accepts visible ASCII", () => {
+    expect(isValidRequestId("req-abc-123_456.7")).toBe(true);
+    expect(isValidRequestId("a")).toBe(true);
+  });
+
+  it("rejects empty string", () => {
+    expect(isValidRequestId("")).toBe(false);
+  });
+
+  it("rejects overlong strings (>128 bytes)", () => {
+    expect(isValidRequestId("a".repeat(128))).toBe(true);
+    expect(isValidRequestId("a".repeat(129))).toBe(false);
+  });
+
+  it("rejects whitespace, newlines, control chars", () => {
+    expect(isValidRequestId("has space")).toBe(false);
+    expect(isValidRequestId("has\ttab")).toBe(false);
+    expect(isValidRequestId("has\nnewline")).toBe(false);
+    expect(isValidRequestId("\x00null")).toBe(false);
+  });
+
+  it("rejects high-bit / non-ASCII", () => {
+    expect(isValidRequestId("café")).toBe(false);
+    expect(isValidRequestId("a\x7f")).toBe(false);
+  });
+});
+
+describe("newState", () => {
+  const env = { version: "1.0.0", commitSha: "abc123", region: "us-east-1", nodeId: "node-1" };
+
+  it("populates service identity from env", () => {
+    const s = newState({ service: "supervisor", env });
+    expect(s.service).toBe("supervisor");
+    expect(s.version).toBe("1.0.0");
+    expect(s.commitSha).toBe("abc123");
+    expect(s.region).toBe("us-east-1");
+    expect(s.nodeId).toBe("node-1");
+  });
+
+  it("mints a fresh request id when none provided", () => {
+    const s = newState({ service: "test", env: {} });
+    expect(s.requestId).toMatch(/^req-[0-9a-f]{32}$/);
+  });
+
+  it("honours a valid inbound request id", () => {
+    const s = newState({ service: "test", env: {}, inboundRequestId: "trace-abc-123" });
+    expect(s.requestId).toBe("trace-abc-123");
+  });
+
+  it("rejects unsafe inbound request id and mints a fresh one", () => {
+    const s = newState({ service: "test", env: {}, inboundRequestId: "has space" });
+    expect(s.requestId).toMatch(/^req-[0-9a-f]{32}$/);
+  });
+
+  it("parses traceparent into traceId and preserves the raw header", () => {
+    const tp = "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01";
+    const s = newState({ service: "test", env: {}, traceparent: tp });
+    expect(s.traceId).toBe("4bf92f3577b34da6a3ce929d0e0e4736");
+    expect(s.traceparent).toBe(tp);
+  });
+
+  it("leaves traceId empty when no traceparent provided", () => {
+    const s = newState({ service: "test", env: {} });
+    expect(s.traceId).toBe("");
+    expect(s.traceparent).toBe("");
+  });
+
+  it("initialises empty meta/extras/phases", () => {
+    const s = newState({ service: "test", env: {} });
+    expect(s.meta).toEqual({});
+    expect(s.extras).toEqual({});
+    expect(s.phases).toEqual([]);
+    expect(s.ok).toBe(false);
+    expect(s.statusCode).toBe(0);
+    expect(s.durationMs).toBe(0);
+  });
+});
diff --git a/apps/supervisor/src/wideEvents/new.ts b/apps/supervisor/src/wideEvents/new.ts
new file mode 100644
index 00000000000..7a4dba8a09c
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/new.ts
@@ -0,0 +1,96 @@
+import { randomBytes } from "node:crypto";
+import { parseTraceId } from "./traceparent.js";
+import type { State } from "./state.js";
+
+const MAX_REQUEST_ID_LEN = 128;
+
+/**
+ * Validates an inbound request id. Non-empty, no longer than 128 bytes,
+ * composed entirely of visible ASCII (0x21..0x7E). Rejects newlines, control
+ * characters, whitespace, DEL, high-bit bytes - any of which could poison the
+ * log pipeline if echoed back verbatim.
+ */
+export function isValidRequestId(s: string): boolean {
+  if (s.length === 0 || s.length > MAX_REQUEST_ID_LEN) return false;
+  for (let i = 0; i < s.length; i++) {
+    const c = s.charCodeAt(i);
+    if (c < 0x21 || c > 0x7e) return false;
+  }
+  return true;
+}
+
+/**
+ * Service-level identity that's constant for the lifetime of the process.
+ * Populated once at startup, copied into every State.
+ */
+export type Env = {
+  version?: string;
+  commitSha?: string;
+  region?: string;
+  nodeId?: string;
+};
+
+export type NewStateOptions = {
+  service: string;
+  env: Env;
+  /** Optional inbound request id (e.g. from `x-request-id`). If unsafe or absent, a fresh `req-<hex>` is minted. */
+  inboundRequestId?: string;
+  /** Optional inbound W3C traceparent (HTTP header, queue message field). */
+  traceparent?: string;
+  /** Operation discriminator. Dotted `noun.verb`. Defaults to empty (set later). */
+  op?: string;
+  /** Event shape: `inbound` | `outbound` | `event` | `scheduled`. Defaults to empty. */
+  kind?: string;
+};
+
+/**
+ * Builds a State for a wide-event lifecycle.
+ *
+ *   - requestId: honours `inboundRequestId` if present and safe; otherwise
+ *     mints a fresh `req-<hex>` id.
+ *   - traceId: parsed from the provided traceparent (graceful empty if
+ *     absent or malformed).
+ *   - traceparent: preserved verbatim for downstream propagation.
+ */
+export function newState(opts: NewStateOptions): State {
+  const traceparent = opts.traceparent ?? "";
+  const inbound = opts.inboundRequestId ?? "";
+  const requestId = isValidRequestId(inbound) ? inbound : newRequestId();
+
+  return {
+    startTime: nowRfc3339(),
+    requestId,
+    traceId: parseTraceId(traceparent),
+    traceparent,
+    service: opts.service,
+    version: opts.env.version,
+    commitSha: opts.env.commitSha,
+    region: opts.env.region,
+    nodeId: opts.env.nodeId,
+    op: opts.op ?? "",
+    kind: opts.kind ?? "",
+    meta: {},
+    phases: [],
+    ok: false,
+    statusCode: 0,
+    durationMs: 0,
+    extras: {},
+  };
+}
+
+function newRequestId(): string {
+  return "req-" + randomBytes(16).toString("hex");
+}
+
+/**
+ * Current wall-clock time as an RFC3339 string with microsecond precision.
+ * `Date.toISOString()` only has millisecond resolution, which is too coarse to
+ * order multiple wide events emitted within the same millisecond.
+ * `performance.timeOrigin + performance.now()` gives a sub-millisecond wall-clock
+ * reading; we append the microsecond digits to the millisecond ISO string.
+ */
+function nowRfc3339(): string {
+  const ms = performance.timeOrigin + performance.now();
+  const micros = Math.floor((ms % 1) * 1000); // microseconds within the millisecond (0..999)
+  return new Date(ms).toISOString().slice(0, -1) + String(micros).padStart(3, "0") + "Z";
+}
diff --git a/apps/supervisor/src/wideEvents/record.test.ts b/apps/supervisor/src/wideEvents/record.test.ts
new file mode 100644
index 00000000000..beeb0fff221
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/record.test.ts
@@ -0,0 +1,112 @@
+import { describe, it, expect } from "vitest";
+import { fromContext, wideEventStorage } from "./context.js";
+import { recordPhase, recordPhaseSince, timePhase } from "./record.js";
+import { newState } from "./new.js";
+import type { State } from "./state.js";
+
+function makeState(): State {
+  return newState({ service: "test", env: {} });
+}
+
+describe("recordPhase", () => {
+  it("appends a successful phase", () => {
+    const s = makeState();
+    recordPhase(s, "lookup", performance.now() - 50, undefined);
+    expect(s.phases).toHaveLength(1);
+    const phase = s.phases[0];
+    if (!phase) throw new Error("missing phase");
+    expect(phase.name).toBe("lookup");
+    expect(phase.ok).toBe(true);
+    expect(phase.attempts).toBe(1);
+    expect(phase.durationMs).toBeGreaterThanOrEqual(45);
+  });
+
+  it("appends a failed phase with error code/message", () => {
+    const s = makeState();
+    recordPhase(s, "dispatch", performance.now(), new Error("nope"));
+    const phase = s.phases[0];
+    if (!phase) throw new Error("missing phase");
+    expect(phase.ok).toBe(false);
+    expect(phase.errorCode).toBe("Error");
+    expect(phase.errorMsg).toBe("nope");
+  });
+
+  it("truncates very long error messages", () => {
+    const s = makeState();
+    recordPhase(s, "x", performance.now(), new Error("y".repeat(2000)));
+    const phase = s.phases[0];
+    if (!phase) throw new Error("missing phase");
+    expect(phase.errorMsg?.length).toBe(512);
+  });
+
+  it("honours opts.attempts", () => {
+    const s = makeState();
+    recordPhase(s, "retry", performance.now(), undefined, { attempts: 3 });
+    expect(s.phases[0]?.attempts).toBe(3);
+  });
+
+  it("attaches sub-timings", () => {
+    const s = makeState();
+    recordPhase(s, "complex", performance.now(), undefined, { sub: { setup_ms: 10, work_ms: 5 } });
+    expect(s.phases[0]?.sub).toEqual({ setup_ms: 10, work_ms: 5 });
+  });
+
+  it("is a no-op when state is null", () => {
+    expect(() => recordPhase(null, "x", performance.now(), undefined)).not.toThrow();
+  });
+});
+
+describe("timePhase + AsyncLocalStorage threading", () => {
+  it("records via fromContext on success", async () => {
+    const s = makeState();
+    const value = await wideEventStorage.run(s, () => timePhase("work", async () => 42));
+    expect(value).toBe(42);
+    expect(s.phases).toHaveLength(1);
+    expect(s.phases[0]?.ok).toBe(true);
+  });
+
+  it("records via fromContext on error and rethrows", async () => {
+    const s = makeState();
+    await expect(
+      wideEventStorage.run(s, () =>
+        timePhase("work", async () => {
+          throw new Error("boom");
+        })
+      )
+    ).rejects.toThrow("boom");
+    expect(s.phases).toHaveLength(1);
+    expect(s.phases[0]?.ok).toBe(false);
+    expect(s.phases[0]?.errorMsg).toBe("boom");
+  });
+
+  it("runs fn unchanged when no state on context", async () => {
+    const value = await timePhase("work", async () => "ok");
+    expect(value).toBe("ok");
+  });
+});
+
+describe("recordPhaseSince", () => {
+  it("records using a caller-captured start time", async () => {
+    const s = makeState();
+    await wideEventStorage.run(s, async () => {
+      const start = performance.now();
+      await new Promise((r) => setTimeout(r, 10));
+      recordPhaseSince("spanning", start, undefined);
+    });
+    expect(s.phases).toHaveLength(1);
+    expect(s.phases[0]?.durationMs).toBeGreaterThanOrEqual(8);
+  });
+});
+
+describe("fromContext", () => {
+  it("returns null when no state attached", () => {
+    expect(fromContext()).toBe(null);
+  });
+
+  it("returns the state when inside wideEventStorage.run", () => {
+    const s = makeState();
+    wideEventStorage.run(s, () => {
+      expect(fromContext()).toBe(s);
+    });
+  });
+});
diff --git a/apps/supervisor/src/wideEvents/record.ts b/apps/supervisor/src/wideEvents/record.ts
new file mode 100644
index 00000000000..b7b59089a0e
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/record.ts
@@ -0,0 +1,82 @@
+import { fromContext } from "./context.js";
+import type { PhaseRecord, State } from "./state.js";
+import { truncateUtf8 } from "./truncate.js";
+
+const MAX_ERROR_MSG_BYTES = 512;
+
+/** Optional knobs for a phase record. */
+export type PhaseOpt = {
+  /** Attempt count for the phase (default 1). */
+  attempts?: number;
+  /** Sub-timings to fold into `phase.<name>.<key>`. */
+  sub?: Record<string, number>;
+};
+
+/**
+ * Appends a phase outcome to `state.phases`. Safe to call on success
+ * (`err === undefined`) and error paths. `errorMsg` is truncated to 512 bytes
+ * to keep the wide event compact. No-op if state is null.
+ */
+export function recordPhase(
+  state: State | null,
+  name: string,
+  startMs: number,
+  err: Error | undefined,
+  opts: PhaseOpt = {}
+): void {
+  if (!state) return;
+  const p: PhaseRecord = {
+    name,
+    durationMs: Math.round(performance.now() - startMs),
+    ok: err === undefined,
+    attempts: opts.attempts ?? 1,
+  };
+  if (err) {
+    p.errorCode = err.name || "Error";
+    p.errorMsg = truncateUtf8(err.message, MAX_ERROR_MSG_BYTES);
+  }
+  if (opts.sub) p.sub = opts.sub;
+  state.phases.push(p);
+}
+
+/**
+ * Runs `fn` and appends a phase outcome to the State attached to the current
+ * async context. If no state is on context (test paths, background work),
+ * `fn` runs unchanged. The phase is recorded on both success and error paths
+ * so failed phases still appear in the wide event with duration_ms +
+ * error_code.
+ */
+export async function timePhase<T>(
+  name: string,
+  fn: () => Promise<T> | T,
+  opts: PhaseOpt = {}
+): Promise<T> {
+  const start = performance.now();
+  try {
+    const result = await fn();
+    recordPhase(fromContext(), name, start, undefined, opts);
+    return result;
+  } catch (err) {
+    recordPhase(fromContext(), name, start, asError(err), opts);
+    throw err;
+  }
+}
+
+/**
+ * Appends a phase outcome to the State attached to the current async context
+ * using a `startMs` captured by the caller. Use when the phase boundary spans
+ * multiple calls with intermediate error handling that can't fit inside a
+ * single `timePhase` closure. Nil-state safe.
+ */
+export function recordPhaseSince(
+  name: string,
+  startMs: number,
+  err: Error | undefined,
+  opts: PhaseOpt = {}
+): void {
+  recordPhase(fromContext(), name, startMs, err, opts);
+}
+
+function asError(e: unknown): Error {
+  return e instanceof Error ? e : new Error(String(e));
+}
diff --git a/apps/supervisor/src/wideEvents/state.ts b/apps/supervisor/src/wideEvents/state.ts
new file mode 100644
index 00000000000..dece3a3f5fd
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/state.ts
@@ -0,0 +1,84 @@
+/**
+ * Per-event accumulator backing a single wide event. The supervisor emits one
+ * flat-keyed JSON line per natural unit of work (dequeue iteration, HTTP
+ * request, socket lifecycle event). Optional fields are omitted on emit so
+ * events stay compact.
+ */
+export type State = {
+  /**
+   * Wall-clock time the event began, as an ISO-8601 string. Emitted as
+   * `start_time` so log collection orders events by when work started rather
+   * than by the collector's ingestion time.
+   */
+  startTime?: string;
+
+  // Cross-stack correlation.
+  requestId: string;
+  traceId: string;
+  /**
+   * Raw inbound W3C `traceparent`, preserved verbatim so outbound calls can
+   * propagate the same trace context without losing the parent span-id.
+   * Empty when no inbound traceparent was set.
+   */
+  traceparent: string;
+
+  // Service identity (set by `newState` from Env).
+  service: string;
+  version?: string;
+  commitSha?: string;
+  region?: string;
+  nodeId?: string;
+
+  /**
+   * Operation discriminator. Dotted `noun.verb` (e.g. `instance.create`,
+   * `snapshot.dispatch`). Low cardinality - bounded set per service, not
+   * unbounded. Empty allowed during construction but expected to be set
+   * before emit.
+   */
+  op: string;
+
+  /**
+   * Event shape. `inbound` for received requests, `outbound` for outgoing
+   * calls, `event` for ambient occurrences with no meaningful duration,
+   * `scheduled` for timer-driven work. Empty allowed; omitted from emit
+   * when empty.
+   */
+  kind: string;
+
+  // Caller-attached opaque metadata, flattened to `meta.<key>` on emit.
+  meta: Record<string, string>;
+
+  // Per-phase outcomes, in completion order.
+  phases: PhaseRecord[];
+
+  // Top-level outcome (set after the wrapped operation returns).
+  ok: boolean;
+  statusCode: number;
+  durationMs: number;
+  error?: ErrorInfo;
+
+  // Free-form ad-hoc additions (route, method, did_warm_start, ...).
+  extras: Record<string, unknown>;
+};
+
+/**
+ * Single named phase outcome. Retries collapse into `attempts > 1` with the
+ * last error reflected in errorCode/errorMsg.
+ */
+export type PhaseRecord = {
+  name: string;
+  durationMs: number;
+  ok: boolean;
+  attempts: number;
+  errorCode?: string;
+  errorMsg?: string;
+  sub?: Record<string, number>;
+};
+
+/** Top-level error summary for a failed operation. */
+export type ErrorInfo = {
+  code: string;
+  message: string;
+  /** Coarse classification - "client" | "upstream" | "internal" | "timeout". */
+  kind: string;
+};
diff --git a/apps/supervisor/src/wideEvents/traceparent.test.ts b/apps/supervisor/src/wideEvents/traceparent.test.ts
new file mode 100644
index 00000000000..85ed31c3b6f
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/traceparent.test.ts
@@ -0,0 +1,43 @@
+import { describe, it, expect } from "vitest";
+import { parseTraceId } from "./traceparent.js";
+
+describe("parseTraceId", () => {
+  const validTraceId = "4bf92f3577b34da6a3ce929d0e0e4736";
+  const validHeader = `00-${validTraceId}-00f067aa0ba902b7-01`;
+
+  it("extracts the trace-id from a valid W3C traceparent", () => {
+    expect(parseTraceId(validHeader)).toBe(validTraceId);
+  });
+
+  it("returns empty string for empty/null/undefined input", () => {
+    expect(parseTraceId("")).toBe("");
+    expect(parseTraceId(null)).toBe("");
+    expect(parseTraceId(undefined)).toBe("");
+  });
+
+  it("returns empty for wrong segment count", () => {
+    expect(parseTraceId("00-abc-def")).toBe("");
+    expect(parseTraceId("00-abc-def-01-extra")).toBe("");
+  });
+
+  it("returns empty for non-zero version byte", () => {
+    expect(parseTraceId(`01-${validTraceId}-00f067aa0ba902b7-01`)).toBe("");
+  });
+
+  it("returns empty for wrong-length trace-id", () => {
+    expect(parseTraceId("00-abc-00f067aa0ba902b7-01")).toBe("");
+  });
+
+  it("returns empty for non-hex trace-id", () => {
+    expect(parseTraceId("00-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz-00f067aa0ba902b7-01")).toBe("");
+  });
+
+  it("returns empty for all-zero trace-id", () => {
+    expect(parseTraceId("00-00000000000000000000000000000000-00f067aa0ba902b7-01")).toBe("");
+  });
+
+  it("accepts uppercase hex", () => {
+    const tid = "4BF92F3577B34DA6A3CE929D0E0E4736";
+    expect(parseTraceId(`00-${tid}-00f067aa0ba902b7-01`)).toBe(tid);
+  });
+});
diff --git a/apps/supervisor/src/wideEvents/traceparent.ts b/apps/supervisor/src/wideEvents/traceparent.ts
new file mode 100644
index 00000000000..9e84294f067
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/traceparent.ts
@@ -0,0 +1,39 @@
+/**
+ * Extracts the trace-id from a W3C `traceparent` header. Returns "" when the
+ * header is absent, malformed, or carries an all-zero trace-id.
+ *
+ * Format: `<version>-<trace-id>-<span-id>-<flags>`
+ *   version : 2 hex chars, must be "00"
+ *   trace-id: 32 hex chars, non-zero
+ *   span-id : 16 hex chars (not validated - we only need trace-id)
+ *   flags   : 2 hex chars (not validated)
+ */
+export function parseTraceId(header: string | null | undefined): string {
+  if (!header) return "";
+  const parts = header.split("-");
+  if (parts.length !== 4) return "";
+  if (parts[0] !== "00") return "";
+  const tid = parts[1];
+  if (!tid || tid.length !== 32) return "";
+  if (!isHex(tid)) return "";
+  if (isAllZero(tid)) return "";
+  return tid;
+}
+
+function isHex(s: string): boolean {
+  for (let i = 0; i < s.length; i++) {
+    const c = s.charCodeAt(i);
+    const isDigit = c >= 0x30 && c <= 0x39;
+    const isLower = c >= 0x61 && c <= 0x66;
+    const isUpper = c >= 0x41 && c <= 0x46;
+    if (!isDigit && !isLower && !isUpper) return false;
+  }
+  return true;
+}
+
+function isAllZero(s: string): boolean {
+  for (let i = 0; i < s.length; i++) {
+    if (s.charCodeAt(i) !== 0x30) return false;
+  }
+  return true;
+}
diff --git a/apps/supervisor/src/wideEvents/truncate.test.ts b/apps/supervisor/src/wideEvents/truncate.test.ts
new file mode 100644
index 00000000000..4eb272f1e60
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/truncate.test.ts
@@ -0,0 +1,30 @@
+import { describe, it, expect } from "vitest";
+import { truncateUtf8 } from "./truncate.js";
+
+describe("truncateUtf8", () => {
+  it("returns short ASCII unchanged", () => {
+    expect(truncateUtf8("hello", 512)).toBe("hello");
+  });
+
+  it("truncates ASCII to the byte cap", () => {
+    expect(truncateUtf8("x".repeat(1024), 256)).toBe("x".repeat(256));
+  });
+
+  it("never exceeds the byte cap for multibyte input", () => {
+    // "あ" is 3 UTF-8 bytes; 200 of them = 600 bytes.
+    const got = truncateUtf8("あ".repeat(200), 256);
+    expect(Buffer.byteLength(got, "utf8")).toBeLessThanOrEqual(256);
+  });
+
+  it("does not split a multibyte sequence", () => {
+    // 256 / 3 bytes = 85 whole chars (255 bytes), the 86th would overflow.
+    expect(truncateUtf8("あ".repeat(200), 256)).toBe("あ".repeat(85));
+  });
+
+  it("does not split a surrogate pair", () => {
+    // "😀" is 2 UTF-16 units / 4 UTF-8 bytes; only one fits under a 5-byte cap.
+    const got = truncateUtf8("😀😀", 5);
+    expect(got).toBe("😀");
+    expect(Buffer.byteLength(got, "utf8")).toBe(4);
+  });
+});
diff --git a/apps/supervisor/src/wideEvents/truncate.ts b/apps/supervisor/src/wideEvents/truncate.ts
new file mode 100644
index 00000000000..417735fe77d
--- /dev/null
+++ b/apps/supervisor/src/wideEvents/truncate.ts
@@ -0,0 +1,20 @@
+/**
+ * Truncate `value` to at most `maxBytes` UTF-8 bytes without splitting a
+ * multi-byte sequence or surrogate pair. Plain `.slice()` counts UTF-16 code
+ * units, so multibyte text can blow past a byte cap and cutting mid-pair
+ * leaves a lone surrogate that downstream JSON / Postgres consumers reject.
+ */
+export function truncateUtf8(value: string, maxBytes: number): string {
+  if (Buffer.byteLength(value, "utf8") <= maxBytes) return value;
+
+  let bytes = 0;
+  let end = 0;
+  // `for..of` yields whole code points, so a surrogate pair is never split.
+  for (const ch of value) {
+    const size = Buffer.byteLength(ch, "utf8");
+    if (bytes + size > maxBytes) break;
+    bytes += size;
+    end += ch.length;
+  }
+  return value.slice(0, end);
+}
diff --git a/apps/supervisor/src/workloadManager/compute.test.ts b/apps/supervisor/src/workloadManager/compute.test.ts
new file mode 100644
index 00000000000..ea5ddabf285
--- /dev/null
+++ b/apps/supervisor/src/workloadManager/compute.test.ts
@@ -0,0 +1,56 @@
+import { describe, expect, it } from "vitest";
+import { ComputeClientError } from "@internal/compute";
+import { isRetryableCreateError, runnerNameForAttempt } from "./compute.js";
+
+describe("runnerNameForAttempt", () => {
+  it("keeps the unsuffixed name for the first attempt", () => {
+    expect(runnerNameForAttempt("runner-abc123", 1)).toBe("runner-abc123");
+  });
+
+  it("suffixes retry attempts deterministically", () => {
+    expect(runnerNameForAttempt("runner-abc123", 2)).toBe("runner-abc123-r2");
+    expect(runnerNameForAttempt("runner-abc123", 3)).toBe("runner-abc123-r3");
+  });
+});
+
+describe("isRetryableCreateError", () => {
+  it("retries statuses where the create definitely did not commit", () => {
+    expect(isRetryableCreateError(new ComputeClientError(500, "tap busy", "http://gw"))).toBe(
+      true
+    );
+    expect(isRetryableCreateError(new ComputeClientError(503, "no placement", "http://gw"))).toBe(
+      true
+    );
+  });
+
+  it("does not retry lost-response statuses (create may have committed)", () => {
+    expect(isRetryableCreateError(new ComputeClientError(502, "bad gateway", "http://gw"))).toBe(
+      false
+    );
+    expect(
+      isRetryableCreateError(new ComputeClientError(504, "gateway timeout", "http://gw"))
+    ).toBe(false);
+  });
+
+  it("does not retry 4xx responses", () => {
+    expect(isRetryableCreateError(new ComputeClientError(400, "bad request", "http://gw"))).toBe(
+      false
+    );
+    expect(isRetryableCreateError(new ComputeClientError(409, "conflict", "http://gw"))).toBe(
+      false
+    );
+  });
+
+  it("does not retry timeouts (instance may still be provisioning)", () => {
+    expect(isRetryableCreateError(new DOMException("timed out", "TimeoutError"))).toBe(false);
+  });
+
+  it("retries network-level fetch failures", () => {
+    expect(isRetryableCreateError(new TypeError("fetch failed"))).toBe(true);
+  });
+
+  it("does not retry unknown errors", () => {
+    expect(isRetryableCreateError(new Error("something else"))).toBe(false);
+    expect(isRetryableCreateError("string error")).toBe(false);
+  });
+});
diff --git a/apps/supervisor/src/workloadManager/compute.ts b/apps/supervisor/src/workloadManager/compute.ts
index 1c00f33aad3..88c7645bbdf 100644
--- a/apps/supervisor/src/workloadManager/compute.ts
+++ b/apps/supervisor/src/workloadManager/compute.ts
@@ -6,10 +6,57 @@ import {
   type WorkloadManagerCreateOptions,
   type WorkloadManagerOptions,
 } from "./types.js";
-import { ComputeClient, stripImageDigest } from "@internal/compute";
+import { ComputeClient, ComputeClientError, stripImageDigest } from "@internal/compute";
+import { setTimeout as sleep } from "node:timers/promises";
 import { extractTraceparent, getRunnerId } from "../util.js";
 import type { OtlpTraceService } from "../services/otlpTraceService.js";
 import { tryCatch } from "@trigger.dev/core";
+import { encodeBaggage, fromContext } from "../wideEvents/index.js";
+
+const DEFAULT_CREATE_MAX_ATTEMPTS = 3;
+const DEFAULT_CREATE_RETRY_BASE_DELAY_MS = 250;
+
+/**
+ * TEMPORARY (TRI-10293): a failed create can leave its instance name
+ * registered gateway/fcrun-side until async cleanup runs, so a same-name
+ * retry can 409 against our own residue. Until the gateway cleans up
+ * failed-create registrations properly, retry attempts get a deterministic
+ * suffix. Attempt 1 keeps the unsuffixed name so the non-retry path is
+ * unchanged; the suffixed name flows into both the instance name and
+ * TRIGGER_RUNNER_ID, which downstream flows treat as one opaque
+ * self-reported token. Only attempts following a ComputeClientError are
+ * suffixed - network-failure retries keep the same name on purpose, because
+ * the gateway's name-collision 409 is their safety net against
+ * double-creating an instance whose create response was lost.
+ */
+export function runnerNameForAttempt(runnerId: string, attempt: number): string {
+  return attempt === 1 ? runnerId : `${runnerId}-r${attempt}`;
+}
+
+/**
+ * Whether a failed instance create is worth retrying. Only statuses where
+ * the create definitely did NOT commit are retried: 500 means the agent or
+ * fcrun returned a create error (e.g. a netns slot holding the tap busy, a
+ * full node disk - placement may differ on retry), 503 means the gateway
+ * had nowhere to place it. 502/504 are excluded: the gateway emits those
+ * when it fails to reach the node or read its response, which can happen
+ * AFTER the agent committed the create - and the gateway only records the
+ * instance name on a clean 201, so a same-name retry would miss the
+ * collision check and could double-create the VM on another node. 4xx won't
+ * heal on retry, and timeouts may still be provisioning. Network-level
+ * fetch failures are safe: if the gateway processed the create, its name
+ * index is populated and the retry 409s harmlessly.
+ */
+export function isRetryableCreateError(error: unknown): boolean {
+  if (error instanceof ComputeClientError) {
+    return error.status === 500 || error.status === 503;
+  }
+  if (error instanceof DOMException && error.name === "TimeoutError") {
+    return false;
+  }
+  // Network-level fetch failures (gateway briefly unreachable)
+  return error instanceof TypeError;
+}
 
 type ComputeWorkloadManagerOptions = WorkloadManagerOptions & {
   gateway: {
@@ -29,13 +76,23 @@ type ComputeWorkloadManagerOptions = WorkloadManagerOptions & {
     otelEndpoint: string;
     prettyLogs: boolean;
   };
+  createRetry?: {
+    maxAttempts: number;
+    baseDelayMs: number;
+  };
 };
 
 export class ComputeWorkloadManager implements WorkloadManager {
   private readonly logger = new SimpleStructuredLogger("compute-workload-manager");
   private readonly compute: ComputeClient;
+  private readonly createMaxAttempts: number;
+  private readonly createRetryBaseDelayMs: number;
 
   constructor(private opts: ComputeWorkloadManagerOptions) {
+    this.createMaxAttempts = opts.createRetry?.maxAttempts ?? DEFAULT_CREATE_MAX_ATTEMPTS;
+    this.createRetryBaseDelayMs =
+      opts.createRetry?.baseDelayMs ?? DEFAULT_CREATE_RETRY_BASE_DELAY_MS;
+
     if (opts.workloadApiDomain) {
       this.logger.warn("⚠️ Custom workload API domain", {
         domain: opts.workloadApiDomain,
@@ -46,6 +103,26 @@ export class ComputeWorkloadManager implements WorkloadManager {
       gatewayUrl: opts.gateway.url,
       authToken: opts.gateway.authToken,
       timeoutMs: opts.gateway.timeoutMs,
+      // Forward the current wide-event scope's traceparent + request_id so the
+      // downstream service continues the same trace and joins its own wide
+      // events to ours. Additionally serialize caller-supplied meta labels
+      // into the W3C Baggage header so the downstream service auto-stamps
+      // them even on early-error paths that bail before parsing the body.
+      // When called outside a wide-event scope (or when wide events are
+      // disabled), `fromContext` returns undefined and propagation is skipped.
+      getPropagationHeaders: () => {
+        const state = fromContext();
+        if (!state) return {};
+        const headers: Record<string, string> = { "x-request-id": state.requestId };
+        if (state.traceparent) {
+          headers.traceparent = state.traceparent;
+        }
+        const baggage = encodeBaggage(state.meta);
+        if (baggage) {
+          headers.baggage = baggage;
+        }
+        return headers;
+      },
     });
   }
 
@@ -112,6 +189,12 @@ export class ComputeWorkloadManager implements WorkloadManager {
     // Strip image digest - resolve by tag, not digest
     const imageRef = stripImageDigest(opts.image);
 
+    // Labels forwarded to the compute provider for network-policy selection.
+    // `org` is always set so every run carries its org identity.
+    const labels: Record<string, string> = {
+      org: opts.orgId,
+    };
+
     // Wide event: single canonical log line emitted in finally
     const event: Record<string, unknown> = {
       // High-cardinality identifiers
@@ -136,26 +219,71 @@ export class ComputeWorkloadManager implements WorkloadManager {
     const startMs = performance.now();
 
     try {
-      const [error, data] = await tryCatch(
-        this.compute.instances.create({
-          name: runnerId,
-          image: imageRef,
-          env: envVars,
-          cpu: opts.machine.cpu,
-          memory_gb: opts.machine.memory,
-          metadata: {
-            runId: opts.runFriendlyId,
-            envId: opts.envId,
-            envType: opts.envType,
-            orgId: opts.orgId,
-            projectId: opts.projectId,
-            deploymentVersion: opts.deploymentVersion,
-            machine: opts.machine.name,
-          },
-        })
-      );
+      const createRequest = {
+        name: runnerId,
+        image: imageRef,
+        env: envVars,
+        cpu: opts.machine.cpu,
+        memory_gb: opts.machine.memory,
+        metadata: {
+          runId: opts.runFriendlyId,
+          envId: opts.envId,
+          envType: opts.envType,
+          orgId: opts.orgId,
+          projectId: opts.projectId,
+          deploymentVersion: opts.deploymentVersion,
+          machine: opts.machine.name,
+        },
+        ...(Object.keys(labels).length > 0 ? { labels } : {}),
+      };
+
+      // Retry transient placement failures instead of abandoning the run: a
+      // swallowed create error leaves the run waiting for the run engine's
+      // PENDING_EXECUTING timeout (minutes) before it is redriven, while a
+      // retried create typically succeeds in under a second (TRI-10293).
+      let error: unknown;
+      let data: Awaited<ReturnType<typeof this.compute.instances.create>> | null | undefined;
+      let attempt = 1;
+      // Set after a ComputeClientError: the failed create may have left its
+      // name registered, so subsequent attempts use a suffixed name.
+      let suffixAttempts = false;
+      for (; attempt <= this.createMaxAttempts; attempt++) {
+        const attemptRunnerId = suffixAttempts
+          ? runnerNameForAttempt(runnerId, attempt)
+          : runnerId;
+        [error, data] = await tryCatch(
+          this.compute.instances.create(
+            attemptRunnerId === runnerId
+              ? createRequest
+              : {
+                  ...createRequest,
+                  name: attemptRunnerId,
+                  env: { ...envVars, TRIGGER_RUNNER_ID: attemptRunnerId },
+                }
+          )
+        );
+
+        if (!error) {
+          event.runnerId = attemptRunnerId;
+          break;
+        }
+
+        if (error instanceof ComputeClientError) {
+          suffixAttempts = true;
+        }
+
+        this.logger.warn("create instance attempt failed", {
+          runnerId: attemptRunnerId,
+          attempt,
+          error: error instanceof Error ? error.message : String(error),
+        });
+
+        if (!isRetryableCreateError(error) || attempt === this.createMaxAttempts) break;
+        await sleep(this.createRetryBaseDelayMs * attempt);
+      }
+      event.createAttempts = attempt;
 
-      if (error) {
+      if (error || !data) {
         event.error = error instanceof Error ? error.message : String(error);
         event.errorType =
           error instanceof DOMException && error.name === "TimeoutError" ? "timeout" : "fetch";
@@ -276,6 +404,7 @@ export class ComputeWorkloadManager implements WorkloadManager {
     envId?: string;
     orgId?: string;
     projectId?: string;
+    hasPrivateLink?: boolean;
     dequeuedAt?: Date;
   }): Promise<boolean> {
     const metadata: Record<string, string> = {
@@ -288,6 +417,13 @@ export class ComputeWorkloadManager implements WorkloadManager {
       TRIGGER_WORKER_INSTANCE_NAME: this.opts.runner.instanceName,
     };
 
+    // Resupply labels on restore (the provider doesn't persist them across a
+    // snapshot). orgId is optional on the restore opts type, so guard it.
+    const labels: Record<string, string> = {};
+    if (opts.orgId) {
+      labels.org = opts.orgId;
+    }
+
     this.logger.verbose("restore request body", {
       snapshotId: opts.snapshotId,
       runnerId: opts.runnerId,
@@ -301,6 +437,7 @@ export class ComputeWorkloadManager implements WorkloadManager {
         metadata,
         cpu: opts.machine.cpu,
         memory_gb: opts.machine.memory,
+        ...(Object.keys(labels).length > 0 ? { labels } : {}),
       })
     );
 
diff --git a/apps/supervisor/src/workloadManager/kubernetes.ts b/apps/supervisor/src/workloadManager/kubernetes.ts
index ec089267219..b2ed05c9f11 100644
--- a/apps/supervisor/src/workloadManager/kubernetes.ts
+++ b/apps/supervisor/src/workloadManager/kubernetes.ts
@@ -321,6 +321,13 @@ export class KubernetesWorkloadManager implements WorkloadManager {
             },
           }
         : {}),
+      ...(env.KUBERNETES_POD_DNS_NDOTS_OVERRIDE_ENABLED
+        ? {
+            dnsConfig: {
+              options: [{ name: "ndots", value: `${env.KUBERNETES_POD_DNS_NDOTS}` }],
+            },
+          }
+        : {}),
     };
   }
 
diff --git a/apps/supervisor/src/workloadServer/index.ts b/apps/supervisor/src/workloadServer/index.ts
index bd38cc8700f..bf4b38012d5 100644
--- a/apps/supervisor/src/workloadServer/index.ts
+++ b/apps/supervisor/src/workloadServer/index.ts
@@ -31,6 +31,14 @@ import {
 } from "../services/computeSnapshotService.js";
 import type { ComputeWorkloadManager } from "../workloadManager/compute.js";
 import type { OtlpTraceService } from "../services/otlpTraceService.js";
+import type { ServerResponse } from "node:http";
+import {
+  emitOneShot,
+  runWideEvent,
+  setMeta,
+  type State,
+  type WideEventOptions,
+} from "../wideEvents/index.js";
 
 // Use the official export when upgrading to socket.io@4.8.0
 interface DefaultEventsMap {
@@ -43,6 +51,18 @@ const WorkloadActionParams = z.object({
   snapshotFriendlyId: z.string(),
 });
 
+// Workloads bundled into customer task images before CLI v4.4.4 use a strict
+// zod enum for checkpoint type that only allows DOCKER and KUBERNETES. The
+// workload never reads this field - it only validates the response shape - so
+// rewriting it to a known value keeps older runners working without affecting
+// the value stored in the database or seen by internal services.
+function legacifyCheckpointType<T extends { checkpoint?: { type: string } | null }>(item: T): T {
+  if (item.checkpoint?.type === "COMPUTE") {
+    return { ...item, checkpoint: { ...item.checkpoint, type: "KUBERNETES" } } as T;
+  }
+  return item;
+}
+
 type WorkloadServerEvents = {
   runConnected: [
     {
@@ -67,6 +87,9 @@ type WorkloadServerOptions = {
   checkpointClient?: CheckpointClient;
   computeManager?: ComputeWorkloadManager;
   tracing?: OtlpTraceService;
+  wideEventOpts: WideEventOptions;
+  /** When true, high-frequency HTTP routes also emit wide events. */
+  wideEventsNoisyRoutes: boolean;
 };
 
 export class WorkloadServer extends EventEmitter<WorkloadServerEvents> {
@@ -74,6 +97,8 @@ export class WorkloadServer extends EventEmitter<WorkloadServerEvents> {
   private readonly snapshotService?: ComputeSnapshotService;
 
   private readonly logger = new SimpleStructuredLogger("workload-server");
+  private readonly wideEventOpts: WideEventOptions;
+  private readonly wideEventsNoisyRoutes: boolean;
 
   private readonly httpServer: HttpServer;
   private readonly websocketServer: Namespace<
@@ -103,12 +128,15 @@ export class WorkloadServer extends EventEmitter<WorkloadServerEvents> {
 
     this.workerClient = opts.workerClient;
     this.checkpointClient = opts.checkpointClient;
+    this.wideEventOpts = opts.wideEventOpts;
+    this.wideEventsNoisyRoutes = opts.wideEventsNoisyRoutes;
 
     if (opts.computeManager?.snapshotsEnabled) {
       this.snapshotService = new ComputeSnapshotService({
         computeManager: opts.computeManager,
         workerClient: opts.workerClient,
         tracing: opts.tracing,
+        wideEventOpts: this.wideEventOpts,
       });
     }
 
@@ -142,6 +170,59 @@ export class WorkloadServer extends EventEmitter<WorkloadServerEvents> {
     return this.headerValueFromRequest(req, WORKLOAD_HEADERS.PROJECT_REF);
   }
 
+  /**
+   * Sets common route meta on the wide-event state from URL params.
+   */
+  private attachRouteMeta(state: State, params: unknown): void {
+    if (!params || typeof params !== "object") return;
+    const p = params as Record<string, unknown>;
+    if (typeof p.runFriendlyId === "string") setMeta(state, "run_id", p.runFriendlyId);
+    if (typeof p.snapshotFriendlyId === "string") {
+      setMeta(state, "snapshot_id", p.snapshotFriendlyId);
+    }
+    if (typeof p.deploymentId === "string") setMeta(state, "deployment_id", p.deploymentId);
+  }
+
+  /**
+   * Wraps an HTTP route handler body with the wide-event lifecycle. Reads
+   * `traceparent` and `x-request-id` from `req.headers`, attaches `run_id` /
+   * `snapshot_id` / `deployment_id` meta from `params` when present, and
+   * captures the response status from `res.statusCode` after `fn` returns.
+   *
+   * Pass `highFrequency: true` for noisy routes (heartbeat, polling). Those
+   * still go through the wrapper but only emit when
+   * `TRIGGER_WIDE_EVENTS_NOISY_ROUTES` is on, so prod can keep them dark
+   * while test envs capture full-fidelity traffic for debugging.
+   */
+  private wideRoute<T>(
+    ctx: { req: IncomingMessage; res: ServerResponse; params?: unknown },
+    op: string,
+    route: string,
+    method: string,
+    fn: () => Promise<T> | T,
+    routeOpts: { highFrequency?: boolean } = {}
+  ): Promise<T> {
+    const enabled =
+      this.wideEventOpts.enabled && (!routeOpts.highFrequency || this.wideEventsNoisyRoutes);
+    return runWideEvent(
+      {
+        ...this.wideEventOpts,
+        enabled,
+        op,
+        kind: "inbound",
+        route,
+        method,
+        traceparent: this.headerValueFromRequest(ctx.req, "traceparent"),
+        inboundRequestId: this.headerValueFromRequest(ctx.req, "x-request-id"),
+        setup: (state) => this.attachRouteMeta(state, ctx.params),
+      },
+      fn,
+      (state) => {
+        state.statusCode = ctx.res.statusCode;
+      }
+    );
+  }
+
   private createHttpServer({ host, port }: { host: string; port: number }) {
     const httpServer = new HttpServer({
       port,
@@ -162,26 +243,34 @@ export class WorkloadServer extends EventEmitter<WorkloadServerEvents> {
         {
           paramsSchema: WorkloadActionParams,
           bodySchema: WorkloadRunAttemptStartRequestBody,
-          handler: async ({ req, reply, params, body }) => {
-            const startResponse = await this.workerClient.startRunAttempt(
-              params.runFriendlyId,
-              params.snapshotFriendlyId,
-              body,
-              this.runnerIdFromRequest(req)
-            );
-
-            if (!startResponse.success) {
-              this.logger.error("Failed to start run", {
-                params,
-                error: startResponse.error,
-              });
-              reply.empty(500);
-              return;
-            }
-
-            reply.json(startResponse.data satisfies WorkloadRunAttemptStartResponseBody);
-            return;
-          },
+          handler: async (ctx) =>
+            this.wideRoute(
+              ctx,
+              "attempt.start",
+              "/api/v1/workload-actions/runs/:runFriendlyId/snapshots/:snapshotFriendlyId/attempts/start",
+              "POST",
+              async () => {
+                const { req, reply, params, body } = ctx;
+                const startResponse = await this.workerClient.startRunAttempt(
+                  params.runFriendlyId,
+                  params.snapshotFriendlyId,
+                  body,
+                  this.runnerIdFromRequest(req)
+                );
+
+                if (!startResponse.success) {
+                  this.logger.error("Failed to start run", {
+                    params,
+                    error: startResponse.error,
+                  });
+                  reply.empty(500);
+                  return;
+                }
+
+                reply.json(startResponse.data satisfies WorkloadRunAttemptStartResponseBody);
+                return;
+              }
+            ),
         }
       )
       .route(
@@ -190,26 +279,50 @@ export class WorkloadServer extends EventEmitter<WorkloadServerEvents> {
         {
           paramsSchema: WorkloadActionParams,
           bodySchema: WorkloadRunAttemptCompleteRequestBody,
-          handler: async ({ req, reply, params, body }) => {
-            const completeResponse = await this.workerClient.completeRunAttempt(
-              params.runFriendlyId,
-              params.snapshotFriendlyId,
-              body,
-              this.runnerIdFromRequest(req)
-            );
-
-            if (!completeResponse.success) {
-              this.logger.error("Failed to complete run", {
-                params,
-                error: completeResponse.error,
-              });
-              reply.empty(500);
-              return;
-            }
-
-            reply.json(completeResponse.data satisfies WorkloadRunAttemptCompleteResponseBody);
-            return;
-          },
+          handler: async (ctx) =>
+            this.wideRoute(
+              ctx,
+              "attempt.complete",
+              "/api/v1/workload-actions/runs/:runFriendlyId/snapshots/:snapshotFriendlyId/attempts/complete",
+              "POST",
+              async () => {
+                const { req, reply, params, body } = ctx;
+                const runnerId = this.runnerIdFromRequest(req);
+
+                // A completion attempt invalidates any pending delayed snapshot
+                // regardless of outcome: the runner has finished executing, so the
+                // suspended state the snapshot was scheduled to capture no longer
+                // exists. Cancel BEFORE the async completion call - the timer
+                // wheel can tick during the await, so cancelling after it leaves
+                // a real window for a due snapshot to dispatch and pause a VM
+                // that has moved on. The runnerId guard keeps a stale duplicate
+                // runner's completion from cancelling a fresh runner's snapshot,
+                // and the runner can't schedule a new suspend until it receives
+                // this route's reply, so nothing legitimate can be cancelled here.
+                this.snapshotService?.cancel(params.runFriendlyId, runnerId);
+
+                const completeResponse = await this.workerClient.completeRunAttempt(
+                  params.runFriendlyId,
+                  params.snapshotFriendlyId,
+                  body,
+                  runnerId
+                );
+
+                if (!completeResponse.success) {
+                  this.logger.error("Failed to complete run", {
+                    params,
+                    error: completeResponse.error,
+                  });
+                  reply.empty(500);
+                  return;
+                }
+
+                reply.json(
+                  completeResponse.data satisfies WorkloadRunAttemptCompleteResponseBody
+                );
+                return;
+              }
+            ),
         }
       )
       .route(
@@ -218,27 +331,36 @@ export class WorkloadServer extends EventEmitter<WorkloadServerEvents> {
         {
           paramsSchema: WorkloadActionParams,
           bodySchema: WorkloadHeartbeatRequestBody,
-          handler: async ({ req, reply, params, body }) => {
-            const heartbeatResponse = await this.workerClient.heartbeatRun(
-              params.runFriendlyId,
-              params.snapshotFriendlyId,
-              body,
-              this.runnerIdFromRequest(req)
-            );
-
-            if (!heartbeatResponse.success) {
-              this.logger.error("Failed to heartbeat run", {
-                params,
-                error: heartbeatResponse.error,
-              });
-              reply.empty(500);
-              return;
-            }
-
-            reply.json({
-              ok: true,
-            } satisfies WorkloadHeartbeatResponseBody);
-          },
+          handler: async (ctx) =>
+            this.wideRoute(
+              ctx,
+              "heartbeat",
+              "/api/v1/workload-actions/runs/:runFriendlyId/snapshots/:snapshotFriendlyId/heartbeat",
+              "POST",
+              async () => {
+                const { req, reply, params, body } = ctx;
+                const heartbeatResponse = await this.workerClient.heartbeatRun(
+                  params.runFriendlyId,
+                  params.snapshotFriendlyId,
+                  body,
+                  this.runnerIdFromRequest(req)
+                );
+
+                if (!heartbeatResponse.success) {
+                  this.logger.error("Failed to heartbeat run", {
+                    params,
+                    error: heartbeatResponse.error,
+                  });
+                  reply.empty(500);
+                  return;
+                }
+
+                reply.json({
+                  ok: true,
+                } satisfies WorkloadHeartbeatResponseBody);
+              },
+              { highFrequency: true }
+            ),
         }
       )
       .route(
@@ -246,87 +368,95 @@ export class WorkloadServer extends EventEmitter<WorkloadServerEvents> {
         "GET",
         {
           paramsSchema: WorkloadActionParams,
-          handler: async ({ reply, params, req }) => {
-            const runnerId = this.runnerIdFromRequest(req);
-            const deploymentVersion = this.deploymentVersionFromRequest(req);
-            const projectRef = this.projectRefFromRequest(req);
-
-            this.logger.debug("Suspend request", {
-              params,
-              runnerId,
-              deploymentVersion,
-              projectRef,
-            });
-
-            if (!runnerId || !deploymentVersion || !projectRef) {
-              this.logger.error("Invalid headers for suspend request", {
-                ...params,
-                runnerId,
-                deploymentVersion,
-                projectRef,
-              });
-              reply.json(
-                {
-                  ok: false,
-                  error: "Invalid headers",
-                } satisfies WorkloadSuspendRunResponseBody,
-                false,
-                400
-              );
-              return;
-            }
-
-            if (this.snapshotService) {
-              // Compute mode: delay snapshot to avoid wasted work on short-lived waitpoints.
-              // If the run continues before the delay expires, the snapshot is cancelled.
-              reply.json({ ok: true } satisfies WorkloadSuspendRunResponseBody, false, 202);
-
-              this.snapshotService.schedule(params.runFriendlyId, {
-                runnerId,
-                runFriendlyId: params.runFriendlyId,
-                snapshotFriendlyId: params.snapshotFriendlyId,
-              });
-
-              return;
-            }
-
-            if (!this.checkpointClient) {
-              reply.json(
-                {
-                  ok: false,
-                  error: "Checkpoints disabled",
-                } satisfies WorkloadSuspendRunResponseBody,
-                false,
-                400
-              );
-              return;
-            }
-
-            reply.json(
-              {
-                ok: true,
-              } satisfies WorkloadSuspendRunResponseBody,
-              false,
-              202
-            );
-
-            const suspendResult = await this.checkpointClient.suspendRun({
-              runFriendlyId: params.runFriendlyId,
-              snapshotFriendlyId: params.snapshotFriendlyId,
-              body: {
-                runnerId,
-                runId: params.runFriendlyId,
-                snapshotId: params.snapshotFriendlyId,
-                projectRef,
-                deploymentVersion,
-              },
-            });
-
-            if (!suspendResult) {
-              this.logger.error("Failed to suspend run", { params });
-              return;
-            }
-          },
+          handler: async (ctx) =>
+            this.wideRoute(
+              ctx,
+              "suspend",
+              "/api/v1/workload-actions/runs/:runFriendlyId/snapshots/:snapshotFriendlyId/suspend",
+              "GET",
+              async () => {
+                const { reply, params, req } = ctx;
+                const runnerId = this.runnerIdFromRequest(req);
+                const deploymentVersion = this.deploymentVersionFromRequest(req);
+                const projectRef = this.projectRefFromRequest(req);
+
+                this.logger.debug("Suspend request", {
+                  params,
+                  runnerId,
+                  deploymentVersion,
+                  projectRef,
+                });
+
+                if (!runnerId || !deploymentVersion || !projectRef) {
+                  this.logger.error("Invalid headers for suspend request", {
+                    ...params,
+                    runnerId,
+                    deploymentVersion,
+                    projectRef,
+                  });
+                  reply.json(
+                    {
+                      ok: false,
+                      error: "Invalid headers",
+                    } satisfies WorkloadSuspendRunResponseBody,
+                    false,
+                    400
+                  );
+                  return;
+                }
+
+                if (this.snapshotService) {
+                  // Compute mode: delay snapshot to avoid wasted work on short-lived waitpoints.
+                  // If the run continues before the delay expires, the snapshot is cancelled.
+                  reply.json({ ok: true } satisfies WorkloadSuspendRunResponseBody, false, 202);
+
+                  this.snapshotService.schedule(params.runFriendlyId, {
+                    runnerId,
+                    runFriendlyId: params.runFriendlyId,
+                    snapshotFriendlyId: params.snapshotFriendlyId,
+                  });
+
+                  return;
+                }
+
+                if (!this.checkpointClient) {
+                  reply.json(
+                    {
+                      ok: false,
+                      error: "Checkpoints disabled",
+                    } satisfies WorkloadSuspendRunResponseBody,
+                    false,
+                    400
+                  );
+                  return;
+                }
+
+                reply.json(
+                  {
+                    ok: true,
+                  } satisfies WorkloadSuspendRunResponseBody,
+                  false,
+                  202
+                );
+
+                const suspendResult = await this.checkpointClient.suspendRun({
+                  runFriendlyId: params.runFriendlyId,
+                  snapshotFriendlyId: params.snapshotFriendlyId,
+                  body: {
+                    runnerId,
+                    runId: params.runFriendlyId,
+                    snapshotId: params.snapshotFriendlyId,
+                    projectRef,
+                    deploymentVersion,
+                  },
+                });
+
+                if (!suspendResult) {
+                  this.logger.error("Failed to suspend run", { params });
+                  return;
+                }
+              }
+            ),
         }
       )
       .route(
@@ -334,33 +464,41 @@ export class WorkloadServer extends EventEmitter<WorkloadServerEvents> {
         "GET",
         {
           paramsSchema: WorkloadActionParams,
-          handler: async ({ req, reply, params }) => {
-            this.logger.debug("Run continuation request", { params });
-
-            // Cancel any pending delayed snapshot for this run
-            this.snapshotService?.cancel(params.runFriendlyId);
-
-            const continuationResult = await this.workerClient.continueRunExecution(
-              params.runFriendlyId,
-              params.snapshotFriendlyId,
-              this.runnerIdFromRequest(req)
-            );
-
-            if (!continuationResult.success) {
-              this.logger.error("Failed to continue run execution", { params });
-              reply.json(
-                {
-                  ok: false,
-                  error: "Failed to continue run execution",
-                },
-                false,
-                400
-              );
-              return;
-            }
-
-            reply.json(continuationResult.data as WorkloadContinueRunExecutionResponseBody);
-          },
+          handler: async (ctx) =>
+            this.wideRoute(
+              ctx,
+              "continue",
+              "/api/v1/workload-actions/runs/:runFriendlyId/snapshots/:snapshotFriendlyId/continue",
+              "GET",
+              async () => {
+                const { req, reply, params } = ctx;
+                this.logger.debug("Run continuation request", { params });
+
+                // Cancel any pending delayed snapshot for this run
+                this.snapshotService?.cancel(params.runFriendlyId);
+
+                const continuationResult = await this.workerClient.continueRunExecution(
+                  params.runFriendlyId,
+                  params.snapshotFriendlyId,
+                  this.runnerIdFromRequest(req)
+                );
+
+                if (!continuationResult.success) {
+                  this.logger.error("Failed to continue run execution", { params });
+                  reply.json(
+                    {
+                      ok: false,
+                      error: "Failed to continue run execution",
+                    },
+                    false,
+                    400
+                  );
+                  return;
+                }
+
+                reply.json(continuationResult.data as WorkloadContinueRunExecutionResponseBody);
+              }
+            ),
         }
       )
       .route(
@@ -368,24 +506,35 @@ export class WorkloadServer extends EventEmitter<WorkloadServerEvents> {
         "GET",
         {
           paramsSchema: WorkloadActionParams,
-          handler: async ({ req, reply, params }) => {
-            const sinceSnapshotResponse = await this.workerClient.getSnapshotsSince(
-              params.runFriendlyId,
-              params.snapshotFriendlyId,
-              this.runnerIdFromRequest(req)
-            );
-
-            if (!sinceSnapshotResponse.success) {
-              this.logger.error("Failed to get snapshots since", {
-                runId: params.runFriendlyId,
-                error: sinceSnapshotResponse.error,
-              });
-              reply.empty(500);
-              return;
-            }
-
-            reply.json(sinceSnapshotResponse.data satisfies WorkloadRunSnapshotsSinceResponseBody);
-          },
+          handler: async (ctx) =>
+            this.wideRoute(
+              ctx,
+              "snapshots.since",
+              "/api/v1/workload-actions/runs/:runFriendlyId/snapshots/since/:snapshotFriendlyId",
+              "GET",
+              async () => {
+                const { req, reply, params } = ctx;
+                const sinceSnapshotResponse = await this.workerClient.getSnapshotsSince(
+                  params.runFriendlyId,
+                  params.snapshotFriendlyId,
+                  this.runnerIdFromRequest(req)
+                );
+
+                if (!sinceSnapshotResponse.success) {
+                  this.logger.error("Failed to get snapshots since", {
+                    runId: params.runFriendlyId,
+                    error: sinceSnapshotResponse.error,
+                  });
+                  reply.empty(500);
+                  return;
+                }
+
+                reply.json({
+                  snapshots: sinceSnapshotResponse.data.snapshots.map(legacifyCheckpointType),
+                } satisfies WorkloadRunSnapshotsSinceResponseBody);
+              },
+              { highFrequency: true }
+            ),
         }
       )
       .route("/api/v1/workload-actions/deployments/:deploymentId/dequeue", "GET", {
@@ -393,61 +542,90 @@ export class WorkloadServer extends EventEmitter<WorkloadServerEvents> {
           deploymentId: z.string(),
         }),
 
-        handler: async ({ req, reply, params }) => {
-          const dequeueResponse = await this.workerClient.dequeueFromVersion(
-            params.deploymentId,
-            1,
-            this.runnerIdFromRequest(req)
-          );
-
-          if (!dequeueResponse.success) {
-            this.logger.error("Failed to get latest snapshot", {
-              deploymentId: params.deploymentId,
-              error: dequeueResponse.error,
-            });
-            reply.empty(500);
-            return;
-          }
+        handler: async (ctx) =>
+          this.wideRoute(
+            ctx,
+            "deployment.dequeue",
+            "/api/v1/workload-actions/deployments/:deploymentId/dequeue",
+            "GET",
+            async () => {
+              const { req, reply, params } = ctx;
+              const dequeueResponse = await this.workerClient.dequeueFromVersion(
+                params.deploymentId,
+                1,
+                this.runnerIdFromRequest(req)
+              );
 
-          reply.json(dequeueResponse.data satisfies WorkloadDequeueFromVersionResponseBody);
-        },
+              if (!dequeueResponse.success) {
+                this.logger.error("Failed to get latest snapshot", {
+                  deploymentId: params.deploymentId,
+                  error: dequeueResponse.error,
+                });
+                reply.empty(500);
+                return;
+              }
+
+              reply.json(
+                dequeueResponse.data.map(legacifyCheckpointType) satisfies WorkloadDequeueFromVersionResponseBody
+              );
+            }
+          ),
       });
 
     if (env.SEND_RUN_DEBUG_LOGS) {
       httpServer.route("/api/v1/workload-actions/runs/:runFriendlyId/logs/debug", "POST", {
         paramsSchema: WorkloadActionParams.pick({ runFriendlyId: true }),
         bodySchema: WorkloadDebugLogRequestBody,
-        handler: async ({ req, reply, params, body }) => {
-          reply.empty(204);
-
-          await this.workerClient.sendDebugLog(
-            params.runFriendlyId,
-            body,
-            this.runnerIdFromRequest(req)
-          );
-        },
+        handler: async (ctx) =>
+          this.wideRoute(
+            ctx,
+            "logs.debug",
+            "/api/v1/workload-actions/runs/:runFriendlyId/logs/debug",
+            "POST",
+            async () => {
+              const { req, reply, params, body } = ctx;
+              reply.empty(204);
+
+              await this.workerClient.sendDebugLog(
+                params.runFriendlyId,
+                body,
+                this.runnerIdFromRequest(req)
+              );
+            },
+            { highFrequency: true }
+          ),
       });
     } else {
       // Lightweight mock route without schemas
       httpServer.route("/api/v1/workload-actions/runs/:runFriendlyId/logs/debug", "POST", {
-        handler: async ({ reply }) => {
-          reply.empty(204);
-        },
+        handler: async (ctx) =>
+          this.wideRoute(
+            ctx,
+            "logs.debug",
+            "/api/v1/workload-actions/runs/:runFriendlyId/logs/debug",
+            "POST",
+            async () => {
+              ctx.reply.empty(204);
+            },
+            { highFrequency: true }
+          ),
       });
     }
 
-    // Compute snapshot callback endpoint
+    // Snapshot callback endpoint (inbound from compute path)
     httpServer.route("/api/v1/compute/snapshot-complete", "POST", {
       bodySchema: SnapshotCallbackPayloadSchema,
-      handler: async ({ reply, body }) => {
-        if (!this.snapshotService) {
-          reply.empty(404);
-          return;
-        }
+      handler: async (ctx) =>
+        this.wideRoute(ctx, "snapshot.callback", "/api/v1/compute/snapshot-complete", "POST", async () => {
+          const { reply, body } = ctx;
+          if (!this.snapshotService) {
+            reply.empty(404);
+            return;
+          }
 
-        const result = await this.snapshotService.handleCallback(body);
-        reply.empty(result.status);
-      },
+          const result = await this.snapshotService.handleCallback(body);
+          reply.empty(result.status);
+        }),
     });
 
     return httpServer;
@@ -520,6 +698,28 @@ export class WorkloadServer extends EventEmitter<WorkloadServerEvents> {
         };
       };
 
+      const emitSocketLifecycle = (
+        event: "run_connected" | "run_disconnected",
+        friendlyId: string,
+        disconnectReason?: string
+      ) => {
+        emitOneShot({
+          ...this.wideEventOpts,
+          op: event === "run_connected" ? "socket.run.connected" : "socket.run.disconnected",
+          kind: "event",
+          populate: (state) => {
+            state.extras.event = event;
+            setMeta(state, "run_id", friendlyId);
+            if (socket.data.deploymentId) {
+              setMeta(state, "deployment_id", socket.data.deploymentId);
+            }
+            if (socket.data.runnerId) setMeta(state, "runner_id", socket.data.runnerId);
+            state.extras.socket_id = socket.id;
+            if (disconnectReason) state.extras.disconnect_reason = disconnectReason;
+          },
+        });
+      };
+
       const runConnected = (friendlyId: string) => {
         socketLogger.debug("runConnected", { ...getSocketMetadata() });
 
@@ -530,20 +730,35 @@ export class WorkloadServer extends EventEmitter<WorkloadServerEvents> {
             newRunId: friendlyId,
             oldRunId: socket.data.runFriendlyId,
           });
-          runDisconnected(socket.data.runFriendlyId);
+          runDisconnected(socket.data.runFriendlyId, "socket_run_replaced");
         }
 
         this.runSockets.set(friendlyId, socket);
         this.emit("runConnected", { run: { friendlyId } });
         socket.data.runFriendlyId = friendlyId;
+        emitSocketLifecycle("run_connected", friendlyId);
       };
 
-      const runDisconnected = (friendlyId: string) => {
+      const runDisconnected = (friendlyId: string, reason: string) => {
         socketLogger.debug("runDisconnected", { ...getSocketMetadata() });
 
+        // The run is gone from this runner (crash, exit, or replaced by a new
+        // run), so a pending delayed snapshot for it is stale. Genuine
+        // waitpoint suspensions keep the socket connected, so this doesn't
+        // cancel a snapshot that's still wanted; the runnerId match guards
+        // against a stale duplicate runner cancelling a fresh runner's
+        // snapshot after the run was reassigned. Caveat: socket.data.runnerId
+        // is frozen at the websocket handshake, so after a same-supervisor
+        // restore (new runner id, socket not recreated) this guard refuses
+        // the cancel - a missed cancel, never a wrong one. The
+        // attempt.complete cancel uses the runner's current HTTP header id
+        // and is unaffected.
+        this.snapshotService?.cancel(friendlyId, socket.data.runnerId);
+
         this.runSockets.delete(friendlyId);
         this.emit("runDisconnected", { run: { friendlyId } });
         socket.data.runFriendlyId = undefined;
+        emitSocketLifecycle("run_disconnected", friendlyId, reason);
       };
 
       socketLogger.debug("wsServer socket connected", { ...getSocketMetadata() });
@@ -561,7 +776,7 @@ export class WorkloadServer extends EventEmitter<WorkloadServerEvents> {
         });
 
         if (socket.data.runFriendlyId) {
-          runDisconnected(socket.data.runFriendlyId);
+          runDisconnected(socket.data.runFriendlyId, `socket_disconnecting:${reason}`);
         }
       });
 
@@ -606,7 +821,7 @@ export class WorkloadServer extends EventEmitter<WorkloadServerEvents> {
         log.debug("Handling run:stop");
 
         try {
-          runDisconnected(message.run.friendlyId);
+          runDisconnected(message.run.friendlyId, "run_stop_message");
           // Don't delete trace context here - run:stop fires after each snapshot/shutdown
           // but the run may be restored on a new VM and snapshot again. Trace context is
           // re-populated on dequeue, and entries are small (4 strings per run).
diff --git a/apps/webapp/CLAUDE.md b/apps/webapp/CLAUDE.md
index b0f5e09b829..a4de6ab57b7 100644
--- a/apps/webapp/CLAUDE.md
+++ b/apps/webapp/CLAUDE.md
@@ -1,6 +1,6 @@
 # Webapp
 
-Remix 2.1.0 app serving as the main API, dashboard, and orchestration engine. Uses an Express server (`server.ts`).
+Remix 2.17.4 app serving as the main API, dashboard, and orchestration engine. Uses an Express server (`server.ts`).
 
 ## Verifying Changes
 
@@ -59,6 +59,17 @@ Use the `chrome-devtools` MCP server to visually verify local dashboard changes.
 Routes use Remix flat-file convention with dot-separated segments:
 `api.v1.tasks.$taskId.trigger.ts` -> `/api/v1/tasks/:taskId/trigger`
 
+## Abort Signals
+
+**Never use `request.signal`** for detecting client disconnects. It is broken due to a Node.js bug ([nodejs/node#55428](https://github.com/nodejs/node/issues/55428)) where the AbortSignal chain is severed when Remix internally clones the Request object. Instead, use `getRequestAbortSignal()` from `app/services/httpAsyncStorage.server.ts`, which is wired directly to Express `res.on("close")` and fires reliably.
+
+```typescript
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
+
+// In route handlers, SSE streams, or any server-side code:
+const signal = getRequestAbortSignal();
+```
+
 ## Environment Variables
 
 Access via `env` export from `app/env.server.ts`. **Never use `process.env` directly.**
diff --git a/apps/webapp/app/clientBeforeFirstRender.ts b/apps/webapp/app/clientBeforeFirstRender.ts
new file mode 100644
index 00000000000..3275c54423a
--- /dev/null
+++ b/apps/webapp/app/clientBeforeFirstRender.ts
@@ -0,0 +1,38 @@
+/**
+ * Runs once on the client, synchronously, before React hydrates the app.
+ * Reserved for housekeeping that must happen before any component mounts.
+ */
+export function clientBeforeFirstRender() {
+  cleanupLegacyResizablePanelStorage();
+}
+
+/**
+ * Earlier versions of the resizable panel library wrote a per-session
+ * localStorage entry for every PanelGroup, including ones without an
+ * `autosaveId`. The keys look like `panel-group-react-aria<n>-:<rid>:`
+ * and accumulate without bound across sessions until they exhaust the
+ * ~5 MB origin quota and break subsequent `setItem` calls.
+ *
+ * The library no longer behaves this way, but existing users still carry
+ * the residue. Evict it (plus the orphaned `panel-run-parent-v2` key from
+ * the v2→v3 autosaveId bump) once on load.
+ */
+function cleanupLegacyResizablePanelStorage() {
+  try {
+    const toRemove: string[] = [];
+    for (let i = 0; i < window.localStorage.length; i++) {
+      const key = window.localStorage.key(i);
+      if (
+        key &&
+        (key.startsWith("panel-group-react-aria") || key === "panel-run-parent-v2")
+      ) {
+        toRemove.push(key);
+      }
+    }
+    for (const key of toRemove) {
+      window.localStorage.removeItem(key);
+    }
+  } catch {
+    // localStorage may be disabled (private browsing, security policy)
+  }
+}
diff --git a/apps/webapp/app/components/BlankStatePanels.tsx b/apps/webapp/app/components/BlankStatePanels.tsx
index fe39f6785c5..9a4884e09d3 100644
--- a/apps/webapp/app/components/BlankStatePanels.tsx
+++ b/apps/webapp/app/components/BlankStatePanels.tsx
@@ -1,4 +1,5 @@
 import {
+  ArrowsRightLeftIcon,
   BeakerIcon,
   BellAlertIcon,
   BookOpenIcon,
@@ -189,6 +190,28 @@ export function BatchesNone() {
   );
 }
 
+export function SessionsNone() {
+  return (
+    <InfoPanel
+      title="Sessions"
+      icon={ArrowsRightLeftIcon}
+      iconClassName="text-teal-500"
+      panelClassName="max-w-full"
+      accessory={
+        <LinkButton to={docsPath("/ai-chat/overview")} variant="docs/small" LeadingIcon={BookOpenIcon}>
+          Sessions docs
+        </LinkButton>
+      }
+    >
+      <Paragraph spacing variant="small">
+        You have no sessions in this environment. Sessions are durable, typed, bidirectional I/O
+        primitives that outlive a single run — used by <InlineCode>chat.agent</InlineCode> and any
+        long-running task that needs streaming input and output.
+      </Paragraph>
+    </InfoPanel>
+  );
+}
+
 export function TestHasNoTasks() {
   const organization = useOrganization();
   const project = useProject();
diff --git a/apps/webapp/app/components/BulkActionFilterSummary.tsx b/apps/webapp/app/components/BulkActionFilterSummary.tsx
index a230e70b346..a2eabc879de 100644
--- a/apps/webapp/app/components/BulkActionFilterSummary.tsx
+++ b/apps/webapp/app/components/BulkActionFilterSummary.tsx
@@ -215,6 +215,19 @@ export function BulkActionFilterSummary({
                     />
                   );
                 }
+                case "regions": {
+                  const values = Array.isArray(value) ? value : [`${value}`];
+                  return (
+                    <AppliedFilter
+                      variant="minimal/medium"
+                      key={key}
+                      label={filterTitle(key)}
+                      icon={filterIcon(key)}
+                      value={appliedSummary(values)}
+                      removable={false}
+                    />
+                  );
+                }
                 case "machines": {
                   const values = Array.isArray(value) ? value : [`${value}`];
                   return (
@@ -240,6 +253,19 @@ export function BulkActionFilterSummary({
                     />
                   );
                 }
+                case "sources": {
+                  const values = Array.isArray(value) ? value : [`${value}`];
+                  return (
+                    <AppliedFilter
+                      variant="minimal/medium"
+                      key={key}
+                      label={filterTitle(key)}
+                      icon={filterIcon(key)}
+                      value={appliedSummary(values)}
+                      removable={false}
+                    />
+                  );
+                }
                 default: {
                   assertNever(typedKey);
                 }
diff --git a/apps/webapp/app/components/DefinitionTooltip.tsx b/apps/webapp/app/components/DefinitionTooltip.tsx
index 5bb3a713997..d91cce92c99 100644
--- a/apps/webapp/app/components/DefinitionTooltip.tsx
+++ b/apps/webapp/app/components/DefinitionTooltip.tsx
@@ -6,14 +6,16 @@ export function DefinitionTip({
   content,
   children,
   title,
+  disableHoverableContent = true,
 }: {
   content: React.ReactNode;
   children: React.ReactNode;
   title: React.ReactNode;
+  disableHoverableContent?: boolean;
 }) {
   return (
     <TooltipProvider>
-      <Tooltip disableHoverableContent>
+      <Tooltip disableHoverableContent={disableHoverableContent}>
         <TooltipTrigger className="text-left">
           <span className="cursor-default underline decoration-charcoal-500 decoration-dashed underline-offset-4 transition hover:decoration-charcoal-400">
             {children}
diff --git a/apps/webapp/app/components/Feedback.tsx b/apps/webapp/app/components/Feedback.tsx
index ecfd4e88c9a..0848359e219 100644
--- a/apps/webapp/app/components/Feedback.tsx
+++ b/apps/webapp/app/components/Feedback.tsx
@@ -1,10 +1,10 @@
 import { conform, useForm } from "@conform-to/react";
 import { parse } from "@conform-to/zod";
 import { InformationCircleIcon, ArrowUpCircleIcon } from "@heroicons/react/20/solid";
-import { EnvelopeIcon } from "@heroicons/react/24/solid";
+import { EnvelopeIcon, ShieldCheckIcon } from "@heroicons/react/24/solid";
 import { Form, useActionData, useLocation, useNavigation, useSearchParams } from "@remix-run/react";
 import { type ReactNode, useEffect, useState } from "react";
-import { type FeedbackType, feedbackTypeLabel, schema } from "~/routes/resources.feedback";
+import { type FeedbackType, feedbackTypes, schema } from "~/routes/resources.feedback";
 import { Button } from "./primitives/Buttons";
 import { Dialog, DialogContent, DialogHeader, DialogTrigger } from "./primitives/Dialog";
 import { Fieldset } from "./primitives/Fieldset";
@@ -84,9 +84,12 @@ export function Feedback({ button, defaultValue = "bug", onOpenChange }: Feedbac
               How can we help? We read every message and will respond as quickly as we can.
             </Paragraph>
           </div>
-          {!(type === "feature" || type === "help" || type === "concurrency") && (
-            <hr className="border-grid-dimmed" />
-          )}
+          {!(
+            type === "feature" ||
+            type === "help" ||
+            type === "concurrency" ||
+            type === "hipaa"
+          ) && <hr className="border-grid-dimmed" />}
           <Form method="post" action="/resources/feedback" {...form.props} className="w-full">
             <Fieldset className="max-w-full gap-y-3">
               <input value={location.pathname} {...conform.input(path, { type: "hidden" })} />
@@ -132,6 +135,19 @@ export function Feedback({ button, defaultValue = "bug", onOpenChange }: Feedbac
                     </Paragraph>
                   </InfoPanel>
                 )}
+                {type === "hipaa" && (
+                  <InfoPanel
+                    icon={ShieldCheckIcon}
+                    iconClassName="text-green-500"
+                    panelClassName="w-full mb-2"
+                  >
+                    <Paragraph variant="small">
+                      We offer a signed Business Associate Agreement (BAA) as a paid add-on on any
+                      paid plan. To help us get back to you quickly, please include your company
+                      name, and a brief description of the PHI workload you plan to run.
+                    </Paragraph>
+                  </InfoPanel>
+                )}
                 <Select
                   {...conform.select(feedbackType)}
                   variant="tertiary/medium"
@@ -139,12 +155,12 @@ export function Feedback({ button, defaultValue = "bug", onOpenChange }: Feedbac
                   defaultValue={type}
                   setValue={(v) => setType(v as FeedbackType)}
                   placeholder="Select type"
-                  text={(value) => feedbackTypeLabel[value as FeedbackType]}
+                  text={(value) => feedbackTypes[value as FeedbackType].label}
                   dropdownIcon
                 >
-                  {Object.entries(feedbackTypeLabel).map(([name, title]) => (
+                  {Object.entries(feedbackTypes).map(([name, { label }]) => (
                     <SelectItem key={name} value={name}>
-                      {title}
+                      {label}
                     </SelectItem>
                   ))}
                 </Select>
diff --git a/apps/webapp/app/components/MachineLabelCombo.tsx b/apps/webapp/app/components/MachineLabelCombo.tsx
index 3d22ca527d0..485f6094cf0 100644
--- a/apps/webapp/app/components/MachineLabelCombo.tsx
+++ b/apps/webapp/app/components/MachineLabelCombo.tsx
@@ -31,7 +31,9 @@ export function MachineLabel({
   className?: string;
 }) {
   return (
-    <span className={cn("text-text-dimmed", className)}>{formatMachinePresetName(preset)}</span>
+    <span className={cn("text-text-dimmed group-hover/table-row:text-text-bright", className)}>
+      {formatMachinePresetName(preset)}
+    </span>
   );
 }
 
diff --git a/apps/webapp/app/components/admin/backOffice/ApiRateLimitSection.server.ts b/apps/webapp/app/components/admin/backOffice/ApiRateLimitSection.server.ts
new file mode 100644
index 00000000000..4855c4c2465
--- /dev/null
+++ b/apps/webapp/app/components/admin/backOffice/ApiRateLimitSection.server.ts
@@ -0,0 +1,55 @@
+import { prisma } from "~/db.server";
+import { env } from "~/env.server";
+import { logger } from "~/services/logger.server";
+import { type Duration } from "~/services/rateLimiter.server";
+import { API_RATE_LIMIT_INTENT } from "./ApiRateLimitSection";
+import {
+  handleRateLimitAction,
+  resolveEffectiveRateLimit,
+  type RateLimitActionResult,
+  type RateLimitDomain,
+} from "./RateLimitSection.server";
+import type { EffectiveRateLimit } from "./RateLimitSection";
+
+export const apiRateLimitDomain: RateLimitDomain = {
+  intent: API_RATE_LIMIT_INTENT,
+  systemDefault: () => ({
+    type: "tokenBucket",
+    refillRate: env.API_RATE_LIMIT_REFILL_RATE,
+    interval: env.API_RATE_LIMIT_REFILL_INTERVAL as Duration,
+    maxTokens: env.API_RATE_LIMIT_MAX,
+  }),
+  apply: async (orgId, next, adminUserId) => {
+    const existing = await prisma.organization.findFirst({
+      where: { id: orgId },
+      select: { apiRateLimiterConfig: true },
+    });
+    if (!existing) {
+      throw new Response(null, { status: 404 });
+    }
+    await prisma.organization.update({
+      where: { id: orgId },
+      data: { apiRateLimiterConfig: next as any },
+    });
+    logger.info("admin.backOffice.apiRateLimit", {
+      adminUserId,
+      orgId,
+      previous: existing.apiRateLimiterConfig,
+      next,
+    });
+  },
+};
+
+export function resolveEffectiveApiRateLimit(
+  override: unknown
+): EffectiveRateLimit {
+  return resolveEffectiveRateLimit(override, apiRateLimitDomain);
+}
+
+export function handleApiRateLimitAction(
+  formData: FormData,
+  orgId: string,
+  adminUserId: string
+): Promise<RateLimitActionResult> {
+  return handleRateLimitAction(formData, orgId, adminUserId, apiRateLimitDomain);
+}
diff --git a/apps/webapp/app/components/admin/backOffice/ApiRateLimitSection.tsx b/apps/webapp/app/components/admin/backOffice/ApiRateLimitSection.tsx
new file mode 100644
index 00000000000..b27956f4360
--- /dev/null
+++ b/apps/webapp/app/components/admin/backOffice/ApiRateLimitSection.tsx
@@ -0,0 +1,17 @@
+import {
+  RateLimitSection,
+  type RateLimitWrapperProps,
+} from "./RateLimitSection";
+
+export const API_RATE_LIMIT_INTENT = "set-rate-limit";
+export const API_RATE_LIMIT_SAVED_VALUE = "rate-limit";
+
+export function ApiRateLimitSection(props: RateLimitWrapperProps) {
+  return (
+    <RateLimitSection
+      title="API rate limit"
+      intent={API_RATE_LIMIT_INTENT}
+      {...props}
+    />
+  );
+}
diff --git a/apps/webapp/app/components/admin/backOffice/BatchRateLimitSection.server.ts b/apps/webapp/app/components/admin/backOffice/BatchRateLimitSection.server.ts
new file mode 100644
index 00000000000..83a368094a9
--- /dev/null
+++ b/apps/webapp/app/components/admin/backOffice/BatchRateLimitSection.server.ts
@@ -0,0 +1,55 @@
+import { prisma } from "~/db.server";
+import { env } from "~/env.server";
+import { logger } from "~/services/logger.server";
+import { type Duration } from "~/services/rateLimiter.server";
+import { BATCH_RATE_LIMIT_INTENT } from "./BatchRateLimitSection";
+import {
+  handleRateLimitAction,
+  resolveEffectiveRateLimit,
+  type RateLimitActionResult,
+  type RateLimitDomain,
+} from "./RateLimitSection.server";
+import type { EffectiveRateLimit } from "./RateLimitSection";
+
+export const batchRateLimitDomain: RateLimitDomain = {
+  intent: BATCH_RATE_LIMIT_INTENT,
+  systemDefault: () => ({
+    type: "tokenBucket",
+    refillRate: env.BATCH_RATE_LIMIT_REFILL_RATE,
+    interval: env.BATCH_RATE_LIMIT_REFILL_INTERVAL as Duration,
+    maxTokens: env.BATCH_RATE_LIMIT_MAX,
+  }),
+  apply: async (orgId, next, adminUserId) => {
+    const existing = await prisma.organization.findFirst({
+      where: { id: orgId },
+      select: { batchRateLimitConfig: true },
+    });
+    if (!existing) {
+      throw new Response(null, { status: 404 });
+    }
+    await prisma.organization.update({
+      where: { id: orgId },
+      data: { batchRateLimitConfig: next as any },
+    });
+    logger.info("admin.backOffice.batchRateLimit", {
+      adminUserId,
+      orgId,
+      previous: existing.batchRateLimitConfig,
+      next,
+    });
+  },
+};
+
+export function resolveEffectiveBatchRateLimit(
+  override: unknown
+): EffectiveRateLimit {
+  return resolveEffectiveRateLimit(override, batchRateLimitDomain);
+}
+
+export function handleBatchRateLimitAction(
+  formData: FormData,
+  orgId: string,
+  adminUserId: string
+): Promise<RateLimitActionResult> {
+  return handleRateLimitAction(formData, orgId, adminUserId, batchRateLimitDomain);
+}
diff --git a/apps/webapp/app/components/admin/backOffice/BatchRateLimitSection.tsx b/apps/webapp/app/components/admin/backOffice/BatchRateLimitSection.tsx
new file mode 100644
index 00000000000..0e52124d290
--- /dev/null
+++ b/apps/webapp/app/components/admin/backOffice/BatchRateLimitSection.tsx
@@ -0,0 +1,17 @@
+import {
+  RateLimitSection,
+  type RateLimitWrapperProps,
+} from "./RateLimitSection";
+
+export const BATCH_RATE_LIMIT_INTENT = "set-batch-rate-limit";
+export const BATCH_RATE_LIMIT_SAVED_VALUE = "batch-rate-limit";
+
+export function BatchRateLimitSection(props: RateLimitWrapperProps) {
+  return (
+    <RateLimitSection
+      title="Batch rate limit"
+      intent={BATCH_RATE_LIMIT_INTENT}
+      {...props}
+    />
+  );
+}
diff --git a/apps/webapp/app/components/admin/backOffice/MaxProjectsSection.server.ts b/apps/webapp/app/components/admin/backOffice/MaxProjectsSection.server.ts
new file mode 100644
index 00000000000..ec27234a306
--- /dev/null
+++ b/apps/webapp/app/components/admin/backOffice/MaxProjectsSection.server.ts
@@ -0,0 +1,48 @@
+import { z } from "zod";
+import { prisma } from "~/db.server";
+import { logger } from "~/services/logger.server";
+import { MAX_PROJECTS_INTENT } from "./MaxProjectsSection";
+
+const SetMaxProjectsSchema = z.object({
+  intent: z.literal(MAX_PROJECTS_INTENT),
+  // Capped at PostgreSQL INTEGER max (Prisma Int) so oversized input fails
+  // validation cleanly instead of crashing the update.
+  maximumProjectCount: z.coerce.number().int().min(1).max(2_147_483_647),
+});
+
+export type MaxProjectsActionResult =
+  | { ok: true }
+  | { ok: false; errors: Record<string, string[] | undefined> };
+
+export async function handleMaxProjectsAction(
+  formData: FormData,
+  orgId: string,
+  adminUserId: string
+): Promise<MaxProjectsActionResult> {
+  const submission = SetMaxProjectsSchema.safeParse(Object.fromEntries(formData));
+  if (!submission.success) {
+    return { ok: false, errors: submission.error.flatten().fieldErrors };
+  }
+
+  const existing = await prisma.organization.findFirst({
+    where: { id: orgId },
+    select: { maximumProjectCount: true },
+  });
+  if (!existing) {
+    throw new Response(null, { status: 404 });
+  }
+
+  await prisma.organization.update({
+    where: { id: orgId },
+    data: { maximumProjectCount: submission.data.maximumProjectCount },
+  });
+
+  logger.info("admin.backOffice.maxProjects", {
+    adminUserId,
+    orgId,
+    previous: existing.maximumProjectCount,
+    next: submission.data.maximumProjectCount,
+  });
+
+  return { ok: true };
+}
diff --git a/apps/webapp/app/components/admin/backOffice/MaxProjectsSection.tsx b/apps/webapp/app/components/admin/backOffice/MaxProjectsSection.tsx
new file mode 100644
index 00000000000..bf8ecf83161
--- /dev/null
+++ b/apps/webapp/app/components/admin/backOffice/MaxProjectsSection.tsx
@@ -0,0 +1,115 @@
+import { Form } from "@remix-run/react";
+import { useEffect, useState } from "react";
+import { Button } from "~/components/primitives/Buttons";
+import { FormError } from "~/components/primitives/FormError";
+import { Header2 } from "~/components/primitives/Headers";
+import { Input } from "~/components/primitives/Input";
+import { Label } from "~/components/primitives/Label";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import * as Property from "~/components/primitives/PropertyTable";
+
+export const MAX_PROJECTS_INTENT = "set-max-projects";
+export const MAX_PROJECTS_SAVED_VALUE = "max-projects";
+
+type FieldErrors = Record<string, string[] | undefined> | null;
+
+type Props = {
+  maximumProjectCount: number;
+  errors: FieldErrors;
+  savedJustNow: boolean;
+  isSubmitting: boolean;
+};
+
+export function MaxProjectsSection({
+  maximumProjectCount,
+  errors,
+  savedJustNow,
+  isSubmitting,
+}: Props) {
+  const hasFieldErrors = !!errors && Object.keys(errors).length > 0;
+  const fieldError = (field: string) =>
+    errors && field in errors ? errors[field]?.[0] : undefined;
+
+  const [isEditing, setIsEditing] = useState(hasFieldErrors);
+  const [value, setValue] = useState(String(maximumProjectCount));
+
+  useEffect(() => {
+    if (hasFieldErrors) setIsEditing(true);
+  }, [hasFieldErrors]);
+
+  useEffect(() => {
+    if (savedJustNow && !hasFieldErrors) setIsEditing(false);
+  }, [savedJustNow, hasFieldErrors]);
+
+  return (
+    <section className="flex flex-col gap-3 rounded-md border border-charcoal-700 bg-charcoal-800 p-4">
+      <div className="flex items-center justify-between">
+        <Header2>Maximum projects</Header2>
+        {!isEditing && (
+          <Button
+            variant="tertiary/small"
+            onClick={() => setIsEditing(true)}
+            disabled={isSubmitting}
+          >
+            Edit
+          </Button>
+        )}
+      </div>
+
+      {savedJustNow && (
+        <div className="rounded-md border border-green-600/40 bg-green-600/10 px-3 py-2">
+          <Paragraph variant="small" className="text-green-500">
+            Saved.
+          </Paragraph>
+        </div>
+      )}
+
+      {!isEditing ? (
+        <Property.Table>
+          <Property.Item>
+            <Property.Label>Limit</Property.Label>
+            <Property.Value>
+              {maximumProjectCount.toLocaleString()}
+            </Property.Value>
+          </Property.Item>
+        </Property.Table>
+      ) : (
+        <Form method="post" className="flex flex-col gap-3 pt-2">
+          <input type="hidden" name="intent" value={MAX_PROJECTS_INTENT} />
+          <div className="flex flex-col gap-1">
+            <Label>Maximum projects</Label>
+            <Input
+              name="maximumProjectCount"
+              type="number"
+              min={1}
+              value={value}
+              onChange={(e) => setValue(e.target.value)}
+              required
+            />
+            <FormError>{fieldError("maximumProjectCount")}</FormError>
+          </div>
+          <div className="flex items-center gap-2">
+            <Button
+              type="submit"
+              variant="primary/medium"
+              disabled={isSubmitting || !value.trim()}
+            >
+              Save
+            </Button>
+            <Button
+              type="button"
+              variant="tertiary/medium"
+              onClick={() => {
+                setValue(String(maximumProjectCount));
+                setIsEditing(false);
+              }}
+              disabled={isSubmitting}
+            >
+              Cancel
+            </Button>
+          </div>
+        </Form>
+      )}
+    </section>
+  );
+}
diff --git a/apps/webapp/app/components/admin/backOffice/RateLimitSection.server.ts b/apps/webapp/app/components/admin/backOffice/RateLimitSection.server.ts
new file mode 100644
index 00000000000..799fc3605df
--- /dev/null
+++ b/apps/webapp/app/components/admin/backOffice/RateLimitSection.server.ts
@@ -0,0 +1,76 @@
+import { z } from "zod";
+import {
+  RateLimitTokenBucketConfig,
+  RateLimiterConfig,
+} from "~/services/authorizationRateLimitMiddleware.server";
+import {
+  parseDurationToMs,
+  type EffectiveRateLimit,
+} from "./RateLimitSection";
+
+export type RateLimitDomain = {
+  intent: string;
+  systemDefault: () => RateLimiterConfig;
+  apply: (
+    orgId: string,
+    next: RateLimitTokenBucketConfig,
+    adminUserId: string
+  ) => Promise<void>;
+};
+
+export function resolveEffectiveRateLimit(
+  override: unknown,
+  domain: RateLimitDomain
+): EffectiveRateLimit {
+  if (override == null) {
+    return { source: "default", config: domain.systemDefault() };
+  }
+  const parsed = RateLimiterConfig.safeParse(override);
+  if (parsed.success) {
+    return { source: "override", config: parsed.data };
+  }
+  // Column holds malformed JSON — fall back silently. Admin must investigate
+  // at the DB level; this UI can't recover it.
+  return { source: "default", config: domain.systemDefault() };
+}
+
+export type RateLimitActionResult =
+  | { ok: true }
+  | { ok: false; errors: Record<string, string[] | undefined> };
+
+export async function handleRateLimitAction(
+  formData: FormData,
+  orgId: string,
+  adminUserId: string,
+  domain: RateLimitDomain
+): Promise<RateLimitActionResult> {
+  const schema = z.object({
+    intent: z.literal(domain.intent),
+    refillRate: z.coerce.number().int().min(1),
+    interval: z
+      .string()
+      .trim()
+      .refine((v) => parseDurationToMs(v) > 0, {
+        message: "Must be a duration like 10s, 1m, 500ms.",
+      }),
+    maxTokens: z.coerce.number().int().min(1),
+  });
+
+  const submission = schema.safeParse(Object.fromEntries(formData));
+  if (!submission.success) {
+    return { ok: false, errors: submission.error.flatten().fieldErrors };
+  }
+
+  const built = RateLimitTokenBucketConfig.safeParse({
+    type: "tokenBucket",
+    refillRate: submission.data.refillRate,
+    interval: submission.data.interval,
+    maxTokens: submission.data.maxTokens,
+  });
+  if (!built.success) {
+    return { ok: false, errors: built.error.flatten().fieldErrors };
+  }
+
+  await domain.apply(orgId, built.data, adminUserId);
+  return { ok: true };
+}
diff --git a/apps/webapp/app/components/admin/backOffice/RateLimitSection.tsx b/apps/webapp/app/components/admin/backOffice/RateLimitSection.tsx
new file mode 100644
index 00000000000..1af8abab3d9
--- /dev/null
+++ b/apps/webapp/app/components/admin/backOffice/RateLimitSection.tsx
@@ -0,0 +1,306 @@
+import { Form } from "@remix-run/react";
+import { useEffect, useState } from "react";
+import { Button } from "~/components/primitives/Buttons";
+import { FormError } from "~/components/primitives/FormError";
+import { Header2 } from "~/components/primitives/Headers";
+import { Input } from "~/components/primitives/Input";
+import { Label } from "~/components/primitives/Label";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import * as Property from "~/components/primitives/PropertyTable";
+
+// Local shape mirrors the server-side discriminated union just enough for this
+// view. Decoupled from the .server module so the component stays client-safe.
+// Duration fields are always suffixed strings — the server's DurationSchema
+// rejects anything else, so non-string overrides fall back to the default.
+export type RateLimitConfig =
+  | {
+      type: "tokenBucket";
+      refillRate: number;
+      interval: string;
+      maxTokens: number;
+    }
+  | {
+      type: "fixedWindow" | "slidingWindow";
+      window: string;
+      tokens: number;
+    };
+
+export type EffectiveRateLimit = {
+  source: "override" | "default";
+  config: RateLimitConfig;
+};
+
+export type FieldErrors = Record<string, string[] | undefined> | null;
+
+// Props shared by every per-domain wrapper (Api / Batch / future ones).
+export type RateLimitWrapperProps = {
+  effective: EffectiveRateLimit;
+  errors: FieldErrors;
+  savedJustNow: boolean;
+  isSubmitting: boolean;
+};
+
+type Props = RateLimitWrapperProps & {
+  title: string;
+  intent: string;
+};
+
+export function RateLimitSection({
+  title,
+  intent,
+  effective,
+  errors,
+  savedJustNow,
+  isSubmitting,
+}: Props) {
+  const hasFieldErrors = !!errors && Object.keys(errors).length > 0;
+  const fieldError = (field: string) =>
+    errors && field in errors ? errors[field]?.[0] : undefined;
+
+  const current =
+    effective.config.type === "tokenBucket" ? effective.config : null;
+
+  const [isEditing, setIsEditing] = useState(hasFieldErrors);
+  const [refillRate, setRefillRate] = useState(
+    current ? String(current.refillRate) : ""
+  );
+  const [intervalStr, setIntervalStr] = useState(
+    current ? String(current.interval) : ""
+  );
+  const [maxTokens, setMaxTokens] = useState(
+    current ? String(current.maxTokens) : ""
+  );
+
+  useEffect(() => {
+    if (hasFieldErrors) setIsEditing(true);
+  }, [hasFieldErrors]);
+
+  useEffect(() => {
+    if (savedJustNow && !hasFieldErrors) setIsEditing(false);
+  }, [savedJustNow, hasFieldErrors]);
+
+  const currentDescription = current
+    ? describeRateLimit(
+        current.refillRate,
+        parseDurationToMs(String(current.interval)),
+        current.maxTokens
+      )
+    : null;
+
+  const previewDescription = describeRateLimit(
+    Number(refillRate) || 0,
+    parseDurationToMs(intervalStr),
+    Number(maxTokens) || 0
+  );
+
+  const cancelEdit = () => {
+    setRefillRate(current ? String(current.refillRate) : "");
+    setIntervalStr(current ? String(current.interval) : "");
+    setMaxTokens(current ? String(current.maxTokens) : "");
+    setIsEditing(false);
+  };
+
+  return (
+    <section className="flex flex-col gap-3 rounded-md border border-charcoal-700 bg-charcoal-800 p-4">
+      <div className="flex items-center justify-between">
+        <Header2>{title}</Header2>
+        {!isEditing && (
+          <Button
+            variant="tertiary/small"
+            onClick={() => setIsEditing(true)}
+            disabled={isSubmitting || effective.config.type !== "tokenBucket"}
+          >
+            Edit
+          </Button>
+        )}
+      </div>
+
+      {savedJustNow && (
+        <div className="rounded-md border border-green-600/40 bg-green-600/10 px-3 py-2">
+          <Paragraph variant="small" className="text-green-500">
+            Saved.
+          </Paragraph>
+        </div>
+      )}
+
+      <Paragraph variant="small">
+        Status:{" "}
+        {effective.source === "override"
+          ? "Custom override active."
+          : "Using system default."}
+      </Paragraph>
+
+      {!isEditing ? (
+        <>
+          <Property.Table>
+            {effective.config.type === "tokenBucket" ? (
+              currentDescription ? (
+                <>
+                  <Property.Item>
+                    <Property.Label>Sustained rate</Property.Label>
+                    <Property.Value>
+                      {currentDescription.sustained}
+                    </Property.Value>
+                  </Property.Item>
+                  <Property.Item>
+                    <Property.Label>Burst allowance</Property.Label>
+                    <Property.Value>{currentDescription.burst}</Property.Value>
+                  </Property.Item>
+                </>
+              ) : (
+                <Property.Item>
+                  <Property.Value>
+                    Invalid interval on the stored config.
+                  </Property.Value>
+                </Property.Item>
+              )
+            ) : (
+              <>
+                <Property.Item>
+                  <Property.Label>Type</Property.Label>
+                  <Property.Value>{effective.config.type}</Property.Value>
+                </Property.Item>
+                <Property.Item>
+                  <Property.Label>Window</Property.Label>
+                  <Property.Value>{String(effective.config.window)}</Property.Value>
+                </Property.Item>
+                <Property.Item>
+                  <Property.Label>Tokens</Property.Label>
+                  <Property.Value>
+                    {effective.config.tokens.toLocaleString()}
+                  </Property.Value>
+                </Property.Item>
+              </>
+            )}
+          </Property.Table>
+          {effective.config.type !== "tokenBucket" && (
+            <Paragraph variant="small" className="text-amber-500">
+              This override is a {effective.config.type} limit and can't be
+              edited from this form. Change it in the database directly.
+            </Paragraph>
+          )}
+        </>
+      ) : (
+        <Form method="post" className="flex flex-col gap-3 pt-2">
+          <input type="hidden" name="intent" value={intent} />
+
+          <div className="flex flex-col gap-1">
+            <Label>Refill rate (tokens per interval)</Label>
+            <Input
+              name="refillRate"
+              type="number"
+              min={1}
+              value={refillRate}
+              onChange={(e) => setRefillRate(e.target.value)}
+              required
+            />
+            <FormError>{fieldError("refillRate")}</FormError>
+          </div>
+
+          <div className="flex flex-col gap-1">
+            <Label>Interval (e.g. 10s, 1m)</Label>
+            <Input
+              name="interval"
+              type="text"
+              value={intervalStr}
+              onChange={(e) => setIntervalStr(e.target.value)}
+              required
+            />
+            <FormError>{fieldError("interval")}</FormError>
+          </div>
+
+          <div className="flex flex-col gap-1">
+            <Label>Max tokens (burst allowance)</Label>
+            <Input
+              name="maxTokens"
+              type="number"
+              min={1}
+              value={maxTokens}
+              onChange={(e) => setMaxTokens(e.target.value)}
+              required
+            />
+            <FormError>{fieldError("maxTokens")}</FormError>
+          </div>
+
+          <Paragraph variant="small" className="text-text-dimmed">
+            {previewDescription
+              ? `Preview: ${previewDescription.sustained} · ${previewDescription.burst}.`
+              : "Preview: enter valid values to see the effective limit."}
+          </Paragraph>
+
+          <div className="flex items-center gap-2">
+            <Button
+              type="submit"
+              variant="primary/medium"
+              disabled={
+                isSubmitting ||
+                !refillRate.trim() ||
+                !intervalStr.trim() ||
+                !maxTokens.trim()
+              }
+            >
+              Save
+            </Button>
+            <Button
+              type="button"
+              variant="tertiary/medium"
+              onClick={cancelEdit}
+              disabled={isSubmitting}
+            >
+              Cancel
+            </Button>
+          </div>
+        </Form>
+      )}
+    </section>
+  );
+}
+
+export function parseDurationToMs(duration: string): number {
+  const match = duration.trim().match(/^(\d+)\s*(ms|s|m|h|d)$/);
+  if (!match) return 0;
+  const value = parseInt(match[1], 10);
+  switch (match[2]) {
+    case "ms":
+      return value;
+    case "s":
+      return value * 1_000;
+    case "m":
+      return value * 60_000;
+    case "h":
+      return value * 3_600_000;
+    case "d":
+      return value * 86_400_000;
+    default:
+      return 0;
+  }
+}
+
+function describeRateLimit(
+  refillRate: number,
+  intervalMs: number,
+  maxTokens: number
+): { sustained: string; burst: string } | null {
+  if (refillRate <= 0 || intervalMs <= 0 || maxTokens <= 0) return null;
+  const perMin = (refillRate * 60_000) / intervalMs;
+  let sustained: string;
+  if (perMin >= 1) {
+    sustained = `${formatRateValue(perMin)} requests per minute`;
+  } else {
+    const perHour = perMin * 60;
+    if (perHour >= 1) {
+      sustained = `${formatRateValue(perHour)} requests per hour`;
+    } else {
+      const perDay = perHour * 24;
+      sustained = `${formatRateValue(perDay)} requests per day`;
+    }
+  }
+  return {
+    sustained,
+    burst: `${maxTokens.toLocaleString()} request burst allowance`,
+  };
+}
+
+function formatRateValue(value: number): string {
+  return value >= 10 ? Math.round(value).toLocaleString() : value.toFixed(1);
+}
diff --git a/apps/webapp/app/components/code/AIQueryInput.tsx b/apps/webapp/app/components/code/AIQueryInput.tsx
index 0775ec2c2a0..cd5e9db3bd8 100644
--- a/apps/webapp/app/components/code/AIQueryInput.tsx
+++ b/apps/webapp/app/components/code/AIQueryInput.tsx
@@ -1,25 +1,15 @@
 import { CheckIcon, PencilSquareIcon, PlusIcon, XMarkIcon } from "@heroicons/react/20/solid";
 import { AnimatePresence, motion } from "framer-motion";
-import { Suspense, lazy, useCallback, useEffect, useRef, useState } from "react";
+import { Suspense, useCallback, useEffect, useRef, useState } from "react";
 import { Button } from "~/components/primitives/Buttons";
 import { Spinner } from "~/components/primitives/Spinner";
+import { StreamdownRenderer } from "~/components/code/StreamdownRenderer";
 import { useEnvironment } from "~/hooks/useEnvironment";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
 import type { AITimeFilter } from "~/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query/types";
 import { cn } from "~/utils/cn";
 
-// Lazy load streamdown components to avoid SSR issues
-const StreamdownRenderer = lazy(() =>
-  import("streamdown").then((mod) => ({
-    default: ({ children, isAnimating }: { children: string; isAnimating: boolean }) => (
-      <mod.ShikiThemeContext.Provider value={["one-dark-pro", "one-dark-pro"]}>
-        <mod.Streamdown isAnimating={isAnimating}>{children}</mod.Streamdown>
-      </mod.ShikiThemeContext.Provider>
-    ),
-  }))
-);
-
 type StreamEventType =
   | { type: "thinking"; content: string }
   | { type: "tool_call"; tool: string; args: unknown }
diff --git a/apps/webapp/app/components/code/StreamdownRenderer.tsx b/apps/webapp/app/components/code/StreamdownRenderer.tsx
new file mode 100644
index 00000000000..996234ab180
--- /dev/null
+++ b/apps/webapp/app/components/code/StreamdownRenderer.tsx
@@ -0,0 +1,29 @@
+import { lazy } from "react";
+import type { CodeHighlighterPlugin } from "streamdown";
+
+export const StreamdownRenderer = lazy(() =>
+  Promise.all([import("streamdown"), import("@streamdown/code"), import("./shikiTheme")]).then(
+    ([{ Streamdown }, { createCodePlugin }, { triggerDarkTheme }]) => {
+      // Type assertion needed: @streamdown/code and streamdown resolve different shiki
+      // versions under pnpm, causing structurally-identical CodeHighlighterPlugin types
+      // to be considered incompatible (different BundledLanguage string unions).
+      const codePlugin = createCodePlugin({
+        themes: [triggerDarkTheme, triggerDarkTheme],
+      }) as unknown as CodeHighlighterPlugin;
+
+      return {
+        default: ({
+          children,
+          isAnimating = false,
+        }: {
+          children: string;
+          isAnimating?: boolean;
+        }) => (
+          <Streamdown isAnimating={isAnimating} plugins={{ code: codePlugin }}>
+            {children}
+          </Streamdown>
+        ),
+      };
+    }
+  )
+);
diff --git a/apps/webapp/app/components/code/shikiTheme.ts b/apps/webapp/app/components/code/shikiTheme.ts
new file mode 100644
index 00000000000..5d47155b979
--- /dev/null
+++ b/apps/webapp/app/components/code/shikiTheme.ts
@@ -0,0 +1,222 @@
+import type { ThemeRegistrationAny } from "streamdown";
+
+// Custom Shiki theme matching the Trigger.dev VS Code dark theme.
+// Colors taken directly from the VS Code extension's tokenColors.
+export const triggerDarkTheme: ThemeRegistrationAny = {
+  name: "trigger-dark",
+  type: "dark",
+  colors: {
+    "editor.background": "#212327",
+    "editor.foreground": "#878C99",
+    "editorLineNumber.foreground": "#484c54",
+  },
+  tokenColors: [
+    // Control flow keywords: pink-purple
+    {
+      scope: [
+        "keyword.control",
+        "keyword.operator.delete",
+        "keyword.other.using",
+        "keyword.other.operator",
+        "entity.name.operator",
+      ],
+      settings: { foreground: "#E888F8" },
+    },
+    // Storage type (const, let, var, function, class): purple
+    {
+      scope: "storage.type",
+      settings: { foreground: "#8271ED" },
+    },
+    // Storage modifiers (async, export, etc.): purple
+    {
+      scope: ["storage.modifier", "keyword.operator.noexcept"],
+      settings: { foreground: "#8271ED" },
+    },
+    // Keyword operator expressions (new, typeof, instanceof, etc.): purple
+    {
+      scope: [
+        "keyword.operator.new",
+        "keyword.operator.expression",
+        "keyword.operator.cast",
+        "keyword.operator.sizeof",
+        "keyword.operator.instanceof",
+        "keyword.operator.logical.python",
+        "keyword.operator.wordlike",
+      ],
+      settings: { foreground: "#8271ED" },
+    },
+    // Types and namespaces: hot pink
+    {
+      scope: [
+        "support.class",
+        "support.type",
+        "entity.name.type",
+        "entity.name.namespace",
+        "entity.name.scope-resolution",
+        "entity.name.class",
+        "entity.other.inherited-class",
+      ],
+      settings: { foreground: "#F770C6" },
+    },
+    // Functions: lime/yellow-green
+    {
+      scope: ["entity.name.function", "support.function"],
+      settings: { foreground: "#D9F07C" },
+    },
+    // Variables and parameters: light lavender
+    {
+      scope: [
+        "variable",
+        "meta.definition.variable.name",
+        "support.variable",
+        "entity.name.variable",
+        "constant.other.placeholder",
+      ],
+      settings: { foreground: "#CCCBFF" },
+    },
+    // Constants and enums: medium purple
+    {
+      scope: ["variable.other.constant", "variable.other.enummember"],
+      settings: { foreground: "#9C9AF2" },
+    },
+    // this/self: purple-blue
+    {
+      scope: "variable.language",
+      settings: { foreground: "#9B99FF" },
+    },
+    // Object literal keys: medium purple-blue
+    {
+      scope: "meta.object-literal.key",
+      settings: { foreground: "#8B89FF" },
+    },
+    // Strings: sage green
+    {
+      scope: ["string", "meta.embedded.assembly"],
+      settings: { foreground: "#AFEC73" },
+    },
+    // String interpolation punctuation: blue-purple
+    {
+      scope: [
+        "punctuation.definition.template-expression.begin",
+        "punctuation.definition.template-expression.end",
+        "punctuation.section.embedded",
+      ],
+      settings: { foreground: "#7A78EA" },
+    },
+    // Template expression reset
+    {
+      scope: "meta.template.expression",
+      settings: { foreground: "#d4d4d4" },
+    },
+    // Operators: gray (same as foreground)
+    {
+      scope: "keyword.operator",
+      settings: { foreground: "#878C99" },
+    },
+    // Comments: olive gray
+    {
+      scope: "comment",
+      settings: { foreground: "#6f736d" },
+    },
+    // Language constants (true, false, null, undefined): purple-blue
+    {
+      scope: "constant.language",
+      settings: { foreground: "#9B99FF" },
+    },
+    // Numeric constants: light green
+    {
+      scope: [
+        "constant.numeric",
+        "keyword.operator.plus.exponent",
+        "keyword.operator.minus.exponent",
+      ],
+      settings: { foreground: "#b5cea8" },
+    },
+    // Regex: dark red
+    {
+      scope: "constant.regexp",
+      settings: { foreground: "#646695" },
+    },
+    // HTML/JSX tags: purple-blue
+    {
+      scope: "entity.name.tag",
+      settings: { foreground: "#9B99FF" },
+    },
+    // Tag brackets: dark gray
+    {
+      scope: "punctuation.definition.tag",
+      settings: { foreground: "#5F6570" },
+    },
+    // HTML/JSX attributes: light purple
+    {
+      scope: "entity.other.attribute-name",
+      settings: { foreground: "#C39EFF" },
+    },
+    // Escape characters: gold
+    {
+      scope: "constant.character.escape",
+      settings: { foreground: "#d7ba7d" },
+    },
+    // Regex string: dark red
+    {
+      scope: "string.regexp",
+      settings: { foreground: "#d16969" },
+    },
+    // Storage: purple-blue
+    {
+      scope: "storage",
+      settings: { foreground: "#9B99FF" },
+    },
+    // TS-specific: type casts, math/dom/json constants
+    {
+      scope: [
+        "meta.type.cast.expr",
+        "meta.type.new.expr",
+        "support.constant.math",
+        "support.constant.dom",
+        "support.constant.json",
+      ],
+      settings: { foreground: "#9B99FF" },
+    },
+    // Markdown headings: purple-blue bold
+    {
+      scope: "markup.heading",
+      settings: { foreground: "#9B99FF", fontStyle: "bold" },
+    },
+    // Markup bold: purple-blue
+    {
+      scope: "markup.bold",
+      settings: { foreground: "#9B99FF", fontStyle: "bold" },
+    },
+    // Markup inline raw: sage green
+    {
+      scope: "markup.inline.raw",
+      settings: { foreground: "#AFEC73" },
+    },
+    // Markup inserted: light green
+    {
+      scope: "markup.inserted",
+      settings: { foreground: "#b5cea8" },
+    },
+    // Markup deleted: sage green
+    {
+      scope: "markup.deleted",
+      settings: { foreground: "#AFEC73" },
+    },
+    // Markup changed: purple-blue
+    {
+      scope: "markup.changed",
+      settings: { foreground: "#9B99FF" },
+    },
+    // Invalid: red
+    {
+      scope: "invalid",
+      settings: { foreground: "#f44747" },
+    },
+    // JSX text content
+    {
+      scope: ["meta.jsx.children"],
+      settings: { foreground: "#D7D9DD" },
+    },
+  ],
+};
diff --git a/apps/webapp/app/components/environments/RegenerateApiKeyModal.tsx b/apps/webapp/app/components/environments/RegenerateApiKeyModal.tsx
index 439fd892f91..52e1f499cbe 100644
--- a/apps/webapp/app/components/environments/RegenerateApiKeyModal.tsx
+++ b/apps/webapp/app/components/environments/RegenerateApiKeyModal.tsx
@@ -75,8 +75,9 @@ const RegenerateApiKeyModalContent = ({
   return (
     <div className="flex flex-col items-center gap-y-4 pt-4">
       <Callout variant="warning">
-        {`Regenerating the keys for this environment will temporarily break any live tasks in the
-        ${title} environment until the new API keys are set in the relevant environment variables.`}
+        {`A new API key will be issued for the ${title} environment. The previous key stays valid
+        for 24 hours so you can roll out the new key in your environment variables without downtime.
+        After 24 hours, the previous key stops working.`}
       </Callout>
       <fetcher.Form
         method="post"
diff --git a/apps/webapp/app/components/errors/ConfigureErrorAlerts.tsx b/apps/webapp/app/components/errors/ConfigureErrorAlerts.tsx
index dc586c89438..32ed778f877 100644
--- a/apps/webapp/app/components/errors/ConfigureErrorAlerts.tsx
+++ b/apps/webapp/app/components/errors/ConfigureErrorAlerts.tsx
@@ -196,7 +196,7 @@ export function ConfigureErrorAlerts({
                       name={slackChannel.name}
                       placeholder={<span className="text-text-dimmed">Select a Slack channel</span>}
                       heading="Filter channels…"
-                      defaultValue={selectedSlackChannelValue}
+                      value={selectedSlackChannelValue ?? ""}
                       dropdownIcon
                       variant="tertiary/medium"
                       items={slack.channels}
@@ -218,6 +218,15 @@ export function ConfigureErrorAlerts({
                     >
                       {(matches) => (
                         <>
+                          <SelectItem
+                            value=""
+                            className="border-b border-grid-bright text-text-dimmed"
+                          >
+                            <div className="flex items-center gap-1.5">
+                              <XMarkIcon className="size-4" />
+                              <span>No channel</span>
+                            </div>
+                          </SelectItem>
                           {matches?.map((channel) => (
                             <SelectItem
                               key={channel.id}
diff --git a/apps/webapp/app/components/integrations/VercelBuildSettings.tsx b/apps/webapp/app/components/integrations/VercelBuildSettings.tsx
index d665a53f1a1..d8e9f3fe3f8 100644
--- a/apps/webapp/app/components/integrations/VercelBuildSettings.tsx
+++ b/apps/webapp/app/components/integrations/VercelBuildSettings.tsx
@@ -23,6 +23,14 @@ type BuildSettingsFieldsProps = {
   disabledEnvSlugs?: Partial<Record<EnvSlug, string>>;
   autoPromote?: boolean;
   onAutoPromoteChange?: (value: boolean) => void;
+  /** The currently pinned TRIGGER_VERSION on Vercel production, if any. Shown under the
+   * Atomic deployments toggle so the user knows what version is set on Vercel right now. */
+  currentTriggerVersion?: string | null;
+  /** True when the Vercel lookup for TRIGGER_VERSION failed. We show this so the user knows
+   * the pin status is unknown — distinct from "not set". */
+  currentTriggerVersionFetchFailed?: boolean;
+  /** Hide the section-level master toggles for "Pull env vars" and "Discover new env vars". */
+  hideSectionToggles?: boolean;
 };
 
 export function BuildSettingsFields({
@@ -37,6 +45,9 @@ export function BuildSettingsFields({
   disabledEnvSlugs,
   autoPromote,
   onAutoPromoteChange,
+  currentTriggerVersion,
+  currentTriggerVersionFetchFailed,
+  hideSectionToggles,
 }: BuildSettingsFieldsProps) {
   const isSlugDisabled = (slug: EnvSlug) => !!disabledEnvSlugs?.[slug];
   const enabledSlugs = availableEnvSlugs.filter((s) => !isSlugDisabled(s));
@@ -48,7 +59,7 @@ export function BuildSettingsFields({
         <div className="mb-2">
           <div className="flex items-center justify-between">
             <Label>Pull env vars before build</Label>
-            {availableEnvSlugs.length > 1 && (
+            {!hideSectionToggles && availableEnvSlugs.length > 1 && (
               <Switch
                 variant="small"
                 checked={
@@ -116,7 +127,7 @@ export function BuildSettingsFields({
         <div className="mb-2">
           <div className="flex items-center justify-between">
             <Label>Discover new env vars</Label>
-            {availableEnvSlugs.length > 1 && (
+            {!hideSectionToggles && availableEnvSlugs.length > 1 && (
               <Switch
                 variant="small"
                 checked={
@@ -205,6 +216,20 @@ export function BuildSettingsFields({
           </TextLink>
           .
         </Hint>
+        {currentTriggerVersion && (
+          <Hint className="pr-6">
+            Currently pinned to{" "}
+            <span className="font-mono text-text-bright">{currentTriggerVersion}</span> in Vercel
+            production.
+          </Hint>
+        )}
+        {!currentTriggerVersion && currentTriggerVersionFetchFailed && (
+          <Hint className="pr-6 text-warning">
+            Couldn't read{" "}
+            <span className="font-mono text-text-bright">TRIGGER_VERSION</span> from Vercel —
+            check the Vercel dashboard to confirm the production pin.
+          </Hint>
+        )}
       </div>
 
       {/* Auto promotion — only visible when atomic deployments are on */}
diff --git a/apps/webapp/app/components/integrations/VercelOnboardingModal.tsx b/apps/webapp/app/components/integrations/VercelOnboardingModal.tsx
index 7ff99d7d448..21734c5c038 100644
--- a/apps/webapp/app/components/integrations/VercelOnboardingModal.tsx
+++ b/apps/webapp/app/components/integrations/VercelOnboardingModal.tsx
@@ -600,6 +600,20 @@ export function VercelOnboardingModal({
     }
   }, [completeOnboardingFetcher.data, completeOnboardingFetcher.state, state]);
 
+  useEffect(() => {
+    if (state === "github-connection" && isGitHubConnectedForOnboarding) {
+      trackOnboarding("vercel onboarding github completed");
+      if (fromMarketplaceContext && nextUrl) {
+        const validUrl = safeRedirectUrl(nextUrl);
+        if (validUrl) {
+          window.location.href = validUrl;
+          return;
+        }
+      }
+      setState("completed");
+    }
+  }, [state, isGitHubConnectedForOnboarding, fromMarketplaceContext, nextUrl, trackOnboarding]);
+
   useEffect(() => {
     if (state === "completed" && !hasTrackedCompletionRef.current) {
       hasTrackedCompletionRef.current = true;
@@ -1114,6 +1128,7 @@ export function VercelOnboardingModal({
                   redirectParams.set("next", nextUrl);
                 }
                 const redirectUrlWithContext = `${baseSettingsPath}?${redirectParams.toString()}`;
+                const nextDirectRedirect = nextUrl ? safeRedirectUrl(nextUrl) : null;
 
                 return gitHubAppInstallations.length === 0 ? (
                   <div className="flex flex-col gap-3">
@@ -1137,7 +1152,10 @@ export function VercelOnboardingModal({
                         organizationSlug={organizationSlug}
                         projectSlug={projectSlug}
                         environmentSlug={environmentSlug}
-                        redirectUrl={redirectUrlWithContext}
+                        redirectUrl={
+                          nextDirectRedirect ??
+                          (fromMarketplaceContext ? redirectUrlWithContext : baseSettingsPath)
+                        }
                         preventDismiss={fromMarketplaceContext}
                       />
                       <span className="flex items-center gap-1 text-xs text-text-dimmed">
diff --git a/apps/webapp/app/components/logs/LogsLevelFilter.tsx b/apps/webapp/app/components/logs/LogsLevelFilter.tsx
index 947bef88fcc..c61da4d3084 100644
--- a/apps/webapp/app/components/logs/LogsLevelFilter.tsx
+++ b/apps/webapp/app/components/logs/LogsLevelFilter.tsx
@@ -53,7 +53,7 @@ export function LogsLevelFilter() {
   const hasLevels = selectedLevels.length > 0 && selectedLevels.some((v) => v !== "");
 
   if (hasLevels) {
-    return <AppliedLevelFilter/>;
+    return <AppliedLevelFilter />;
   }
 
   return (
@@ -64,19 +64,16 @@ export function LogsLevelFilter() {
           variant="secondary/small"
           shortcut={shortcut}
           tooltipTitle="Filter by level"
+          className="pl-1.5"
         >
-          Level
+          <span className="ml-1">Level</span>
         </SelectTrigger>
       }
     />
   );
 }
 
-function LevelDropdown({
-  trigger,
-}: {
-  trigger: ReactNode;
-}) {
+function LevelDropdown({ trigger }: { trigger: ReactNode }) {
   const { values, replace } = useSearchParams();
 
   const handleChange = (values: string[]) => {
diff --git a/apps/webapp/app/components/logs/LogsRunIdFilter.tsx b/apps/webapp/app/components/logs/LogsRunIdFilter.tsx
index 857e623d7c9..e23c39534a6 100644
--- a/apps/webapp/app/components/logs/LogsRunIdFilter.tsx
+++ b/apps/webapp/app/components/logs/LogsRunIdFilter.tsx
@@ -6,11 +6,7 @@ import { Button } from "~/components/primitives/Buttons";
 import { FormError } from "~/components/primitives/FormError";
 import { Input } from "~/components/primitives/Input";
 import { Label } from "~/components/primitives/Label";
-import {
-  SelectPopover,
-  SelectProvider,
-  SelectTrigger,
-} from "~/components/primitives/Select";
+import { SelectPopover, SelectProvider, SelectTrigger } from "~/components/primitives/Select";
 import { useSearchParams } from "~/hooks/useSearchParam";
 import { FilterMenuProvider } from "~/components/runs/v3/SharedFilters";
 
@@ -34,8 +30,9 @@ export function LogsRunIdFilter() {
               variant="secondary/small"
               shortcut={shortcut}
               tooltipTitle="Filter by run ID"
+              className="pl-1.5"
             >
-              Run ID
+              <span className="ml-1">Run ID</span>
             </SelectTrigger>
           }
           clearSearchValue={() => setSearch("")}
diff --git a/apps/webapp/app/components/logs/LogsTaskFilter.tsx b/apps/webapp/app/components/logs/LogsTaskFilter.tsx
index fa64eff7bd3..6c15464cc49 100644
--- a/apps/webapp/app/components/logs/LogsTaskFilter.tsx
+++ b/apps/webapp/app/components/logs/LogsTaskFilter.tsx
@@ -4,6 +4,8 @@ import { useMemo } from "react";
 import * as Ariakit from "@ariakit/react";
 import {
   ComboBox,
+  SelectGroup,
+  SelectGroupLabel,
   SelectItem,
   SelectList,
   SelectPopover,
@@ -21,6 +23,7 @@ const shortcut = { key: "t" };
 type TaskOption = {
   slug: string;
   triggerSource: TaskTriggerSource;
+  isInLatestDeployment: boolean;
 };
 
 interface LogsTaskFilterProps {
@@ -42,8 +45,9 @@ export function LogsTaskFilter({ possibleTasks }: LogsTaskFilterProps) {
                 variant="secondary/small"
                 shortcut={shortcut}
                 tooltipTitle="Filter by task"
+                className="pl-1.5"
               >
-                <span className="ml-0.5">Tasks</span>
+                <span className="ml-1">Tasks</span>
               </SelectTrigger>
             }
             searchValue={search}
@@ -126,17 +130,44 @@ function TasksDropdown({
       >
         <ComboBox placeholder={"Filter by task..."} value={searchValue} />
         <SelectList>
-          {filtered.map((item, index) => (
-            <SelectItem
-              key={`${item.triggerSource}-${item.slug}`}
-              value={item.slug}
-              icon={
-                <TaskTriggerSourceIcon source={item.triggerSource} className="size-4 flex-none" />
-              }
-            >
-              {item.slug}
-            </SelectItem>
-          ))}
+          {filtered
+            .filter((item) => item.isInLatestDeployment)
+            .map((item) => (
+              <SelectItem
+                key={`${item.triggerSource}-${item.slug}`}
+                value={item.slug}
+                className="text-text-bright"
+                icon={
+                  <TaskTriggerSourceIcon source={item.triggerSource} className="size-4 flex-none" />
+                }
+              >
+                {item.slug}
+              </SelectItem>
+            ))}
+          {filtered.some((item) => !item.isInLatestDeployment) && (
+            <SelectGroup>
+              <SelectGroupLabel>Archived</SelectGroupLabel>
+              {filtered
+                .filter((item) => !item.isInLatestDeployment)
+                .map((item) => (
+                  <SelectItem
+                    key={`${item.triggerSource}-${item.slug}`}
+                    value={item.slug}
+                    className="text-text-bright"
+                    icon={
+                      <span className="opacity-50">
+                        <TaskTriggerSourceIcon
+                          source={item.triggerSource}
+                          className="size-4 flex-none"
+                        />
+                      </span>
+                    }
+                  >
+                    {item.slug}
+                  </SelectItem>
+                ))}
+            </SelectGroup>
+          )}
         </SelectList>
       </SelectPopover>
     </SelectProvider>
diff --git a/apps/webapp/app/components/logs/LogsVersionFilter.tsx b/apps/webapp/app/components/logs/LogsVersionFilter.tsx
index 4cc10545060..a5a83f6eda4 100644
--- a/apps/webapp/app/components/logs/LogsVersionFilter.tsx
+++ b/apps/webapp/app/components/logs/LogsVersionFilter.tsx
@@ -22,8 +22,9 @@ export function LogsVersionFilter() {
                 variant="secondary/small"
                 shortcut={shortcut}
                 tooltipTitle="Filter by version"
+                className="pl-1.5"
               >
-                <span className="ml-0.5">Versions</span>
+                <span className="ml-1">Versions</span>
               </SelectTrigger>
             }
             searchValue={search}
diff --git a/apps/webapp/app/components/metrics/ModelsFilter.tsx b/apps/webapp/app/components/metrics/ModelsFilter.tsx
index e641f826ae3..9b330834c84 100644
--- a/apps/webapp/app/components/metrics/ModelsFilter.tsx
+++ b/apps/webapp/app/components/metrics/ModelsFilter.tsx
@@ -16,7 +16,7 @@ import { tablerIcons } from "~/utils/tablerIcons";
 import tablerSpritePath from "~/components/primitives/tabler-sprite.svg";
 import { AnthropicLogoIcon } from "~/assets/icons/AnthropicLogoIcon";
 
-const shortcut = { key: "l" };
+const shortcut = { key: "m" };
 
 export type ModelOption = {
   model: string;
@@ -38,19 +38,19 @@ function modelIcon(system: string, model: string): ReactNode {
 
   // Special case: Anthropic uses a custom SVG icon
   if (provider === "anthropic") {
-    return <AnthropicLogoIcon className="size-4 shrink-0" />;
+    return <AnthropicLogoIcon className="size-4 shrink-0 text-text-dimmed" />;
   }
 
   const iconName = `tabler-brand-${provider}`;
   if (tablerIcons.has(iconName)) {
     return (
-      <svg className="size-4 shrink-0 stroke-[1.5]">
+      <svg className="size-4 shrink-0 stroke-[1.5] text-text-dimmed">
         <use xlinkHref={`${tablerSpritePath}#${iconName}`} />
       </svg>
     );
   }
 
-  return <CubeIcon className="size-4 shrink-0" />;
+  return <CubeIcon className="size-4 shrink-0 text-text-dimmed" />;
 }
 
 export function ModelsFilter({ possibleModels }: ModelsFilterProps) {
@@ -68,8 +68,9 @@ export function ModelsFilter({ possibleModels }: ModelsFilterProps) {
                 variant="secondary/small"
                 shortcut={shortcut}
                 tooltipTitle="Filter by model"
+                className="pl-1.5"
               >
-                <span className="ml-0.5">Models</span>
+                <span className="ml-1">Models</span>
               </SelectTrigger>
             }
             searchValue={search}
@@ -147,7 +148,7 @@ function ModelsDropdown({
         <ComboBox placeholder="Filter by model..." value={searchValue} />
         <SelectList>
           {filtered.map((m) => (
-            <SelectItem key={m.model} value={m.model} icon={modelIcon(m.system, m.model)}>
+            <SelectItem key={m.model} value={m.model} className="text-text-bright" icon={modelIcon(m.system, m.model)}>
               {m.model}
             </SelectItem>
           ))}
diff --git a/apps/webapp/app/components/metrics/OperationsFilter.tsx b/apps/webapp/app/components/metrics/OperationsFilter.tsx
index 679332fc3c4..679e73ccb7f 100644
--- a/apps/webapp/app/components/metrics/OperationsFilter.tsx
+++ b/apps/webapp/app/components/metrics/OperationsFilter.tsx
@@ -13,7 +13,7 @@ import {
 import { useSearchParams } from "~/hooks/useSearchParam";
 import { appliedSummary, FilterMenuProvider } from "~/components/runs/v3/SharedFilters";
 
-const shortcut = { key: "n" };
+const shortcut = { key: "o" };
 
 interface OperationsFilterProps {
   possibleOperations: string[];
@@ -45,8 +45,9 @@ export function OperationsFilter({ possibleOperations }: OperationsFilterProps)
                 variant="secondary/small"
                 shortcut={shortcut}
                 tooltipTitle="Filter by operation"
+                className="pl-1.5"
               >
-                <span className="ml-0.5">Operations</span>
+                <span className="ml-1">Operations</span>
               </SelectTrigger>
             }
             searchValue={search}
@@ -125,7 +126,7 @@ function OperationsDropdown({
         <ComboBox placeholder="Filter by operation..." value={searchValue} />
         <SelectList>
           {filtered.map((op) => (
-            <SelectItem key={op} value={op} icon={<CommandLineIcon className="size-4" />}>
+            <SelectItem key={op} value={op} className="text-text-bright" icon={<CommandLineIcon className="size-4 text-text-dimmed" />}>
               {formatOperation(op)}
             </SelectItem>
           ))}
diff --git a/apps/webapp/app/components/metrics/PromptsFilter.tsx b/apps/webapp/app/components/metrics/PromptsFilter.tsx
index a4ad8a00045..09a91f4f1fd 100644
--- a/apps/webapp/app/components/metrics/PromptsFilter.tsx
+++ b/apps/webapp/app/components/metrics/PromptsFilter.tsx
@@ -34,8 +34,9 @@ export function PromptsFilter({ possiblePrompts }: PromptsFilterProps) {
                 variant="secondary/small"
                 shortcut={shortcut}
                 tooltipTitle="Filter by prompt"
+                className="pl-1.5"
               >
-                <span className="ml-0.5">Prompts</span>
+                <span className="ml-1">Prompts</span>
               </SelectTrigger>
             }
             searchValue={search}
@@ -113,7 +114,7 @@ function PromptsDropdown({
         <ComboBox placeholder="Filter by prompt..." value={searchValue} />
         <SelectList>
           {filtered.map((slug) => (
-            <SelectItem key={slug} value={slug} icon={<DocumentTextIcon className="size-4" />}>
+            <SelectItem key={slug} value={slug} className="text-text-bright" icon={<DocumentTextIcon className="size-4 text-text-dimmed" />}>
               {slug}
             </SelectItem>
           ))}
diff --git a/apps/webapp/app/components/metrics/ProvidersFilter.tsx b/apps/webapp/app/components/metrics/ProvidersFilter.tsx
index fe018eefb98..d22bec8f70b 100644
--- a/apps/webapp/app/components/metrics/ProvidersFilter.tsx
+++ b/apps/webapp/app/components/metrics/ProvidersFilter.tsx
@@ -34,8 +34,9 @@ export function ProvidersFilter({ possibleProviders }: ProvidersFilterProps) {
                 variant="secondary/small"
                 shortcut={shortcut}
                 tooltipTitle="Filter by provider"
+                className="pl-1.5"
               >
-                <span className="ml-0.5">Providers</span>
+                <span className="ml-1">Providers</span>
               </SelectTrigger>
             }
             searchValue={search}
@@ -111,7 +112,7 @@ function ProvidersDropdown({
         <ComboBox placeholder="Filter by provider..." value={searchValue} />
         <SelectList>
           {filtered.map((provider) => (
-            <SelectItem key={provider} value={provider} icon={<ServerIcon className="size-4" />}>
+            <SelectItem key={provider} value={provider} className="text-text-bright" icon={<ServerIcon className="size-4 text-text-dimmed" />}>
               {provider}
             </SelectItem>
           ))}
diff --git a/apps/webapp/app/components/metrics/QueuesFilter.tsx b/apps/webapp/app/components/metrics/QueuesFilter.tsx
index 87d7a612547..3da71e0c7d0 100644
--- a/apps/webapp/app/components/metrics/QueuesFilter.tsx
+++ b/apps/webapp/app/components/metrics/QueuesFilter.tsx
@@ -39,6 +39,7 @@ export function QueuesFilter() {
                 variant="secondary/small"
                 shortcut={shortcut}
                 tooltipTitle="Filter by queue"
+                className="pl-1.5"
               >
                 <span className="ml-1">Queues</span>
               </SelectTrigger>
@@ -190,6 +191,7 @@ function QueuesDropdown({
                 <SelectItem
                   key={queue.value}
                   value={queue.value}
+                  className="text-text-bright"
                   icon={
                     queue.type === "task" ? (
                       <TaskIcon className="size-4 shrink-0 text-blue-500" />
diff --git a/apps/webapp/app/components/metrics/ScopeFilter.tsx b/apps/webapp/app/components/metrics/ScopeFilter.tsx
index 1bf6b685676..0cdaa4adb32 100644
--- a/apps/webapp/app/components/metrics/ScopeFilter.tsx
+++ b/apps/webapp/app/components/metrics/ScopeFilter.tsx
@@ -1,14 +1,17 @@
 import * as Ariakit from "@ariakit/react";
-import { EnvironmentLabel } from "~/components/environments/EnvironmentLabel";
+import { FolderIcon } from "@heroicons/react/20/solid";
+import { useRef } from "react";
+import { EnvironmentIcon, EnvironmentLabel } from "~/components/environments/EnvironmentLabel";
 import { AppliedFilter } from "~/components/primitives/AppliedFilter";
+import { Avatar } from "~/components/primitives/Avatar";
 import { SelectItem, SelectPopover, SelectProvider } from "~/components/primitives/Select";
+import { ShortcutKey } from "~/components/primitives/ShortcutKey";
 import { useEnvironment } from "~/hooks/useEnvironment";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
 import { useSearchParams } from "~/hooks/useSearchParam";
+import { type ShortcutDefinition, useShortcutKeys } from "~/hooks/useShortcutKeys";
 import type { QueryScope } from "~/services/queryService.server";
-import { CubeTransparentIcon, GlobeAltIcon } from "@heroicons/react/20/solid";
-import { IconListLetters } from "@tabler/icons-react";
 
 const scopeOptions = [
   { value: "environment", label: "Environment" },
@@ -16,29 +19,76 @@ const scopeOptions = [
   { value: "organization", label: "Organization" },
 ] as const;
 
-export function ScopeFilter() {
-  const { value, replace } = useSearchParams();
-  const scope = (value("scope") as QueryScope) ?? "environment";
+export type ScopeFilterProps = {
+  shortcut?: ShortcutDefinition;
+  /** Controlled value. If provided, the filter uses controlled mode and ignores search params. */
+  value?: QueryScope;
+  /** Called when the user selects a new scope. Required when `value` is provided. */
+  onValueChange?: (scope: QueryScope) => void;
+};
+
+export function ScopeFilter({ shortcut, value, onValueChange }: ScopeFilterProps = {}) {
+  const { value: paramValue, replace } = useSearchParams();
+  const isControlled = value !== undefined;
+  const scope: QueryScope = isControlled
+    ? value
+    : ((paramValue("scope") as QueryScope) ?? "environment");
+  const triggerRef = useRef<HTMLButtonElement>(null);
 
   const handleChange = (newScope: string) => {
+    if (isControlled) {
+      onValueChange?.(newScope as QueryScope);
+      return;
+    }
     replace({ scope: newScope === "environment" ? undefined : newScope });
   };
 
+  useShortcutKeys({
+    shortcut,
+    action: (e) => {
+      e.preventDefault();
+      e.stopPropagation();
+      triggerRef.current?.click();
+    },
+    disabled: !shortcut,
+  });
+
   return (
     <SelectProvider value={scope} setValue={handleChange}>
-      <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
-        <AppliedFilter
-          label="Scope"
-          icon={<CubeTransparentIcon className="size-4" />}
-          value={<ScopeItem scope={scope} />}
-          removable={false}
-          variant="secondary/small"
-        />
-      </Ariakit.Select>
+      <Ariakit.TooltipProvider timeout={200} hideTimeout={0}>
+        <Ariakit.TooltipAnchor
+          render={
+            <Ariakit.Select
+              ref={triggerRef}
+              render={<div className="group cursor-pointer focus-custom" />}
+            />
+          }
+        >
+          <AppliedFilter
+            label="Scope"
+            value={<ScopeItem scope={scope} />}
+            removable={false}
+            variant="secondary/small"
+          />
+        </Ariakit.TooltipAnchor>
+        {shortcut && (
+          <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright py-1.5 pl-2.5 pr-2 text-xs text-text-dimmed">
+            <div className="flex items-center gap-1.5">
+              <span>Change scope</span>
+              <ShortcutKey className="size-4 flex-none" shortcut={shortcut} variant="small" />
+            </div>
+          </Ariakit.Tooltip>
+        )}
+      </Ariakit.TooltipProvider>
       <SelectPopover className="min-w-0 max-w-[min(240px,var(--popover-available-width))]">
         {scopeOptions.map((option) => (
-          <SelectItem key={option.value} value={option.value}>
-            <ScopeItem scope={option.value} />
+          <SelectItem
+            key={option.value}
+            value={option.value}
+            className="gap-x-2 text-text-bright"
+            icon={<ScopeIcon scope={option.value} />}
+          >
+            <ScopeLabel scope={option.value} />
           </SelectItem>
         ))}
       </SelectPopover>
@@ -46,19 +96,44 @@ export function ScopeFilter() {
   );
 }
 
-function ScopeItem({ scope }: { scope: QueryScope }) {
+function ScopeIcon({ scope }: { scope: QueryScope }) {
+  const organization = useOrganization();
+  const environment = useEnvironment();
+
+  switch (scope) {
+    case "organization":
+      return <Avatar avatar={organization.avatar} size={1} orgName={organization.title} />;
+    case "project":
+      return <FolderIcon className="size-4 text-indigo-500" />;
+    case "environment":
+      return <EnvironmentIcon environment={environment} className="size-4" />;
+    default:
+      return null;
+  }
+}
+
+function ScopeLabel({ scope }: { scope: QueryScope }) {
   const organization = useOrganization();
   const project = useProject();
   const environment = useEnvironment();
 
   switch (scope) {
     case "organization":
-      return `Org: ${organization.title}`;
+      return <span className="text-text-bright">{organization.title}</span>;
     case "project":
-      return `Project: ${project.name}`;
+      return <span className="text-text-bright">{project.name}</span>;
     case "environment":
-      return <EnvironmentLabel environment={environment} />;
+      return <EnvironmentLabel environment={environment} disableTooltip />;
     default:
       return scope;
   }
 }
+
+function ScopeItem({ scope }: { scope: QueryScope }) {
+  return (
+    <span className="flex items-center gap-1">
+      <ScopeIcon scope={scope} />
+      <ScopeLabel scope={scope} />
+    </span>
+  );
+}
diff --git a/apps/webapp/app/components/navigation/DashboardDialogs.tsx b/apps/webapp/app/components/navigation/DashboardDialogs.tsx
index f0cdd0406e0..6466038400c 100644
--- a/apps/webapp/app/components/navigation/DashboardDialogs.tsx
+++ b/apps/webapp/app/components/navigation/DashboardDialogs.tsx
@@ -4,6 +4,7 @@ import { motion } from "framer-motion";
 import { ArrowUpCircleIcon } from "@heroicons/react/24/outline";
 import { PlusIcon } from "@heroicons/react/20/solid";
 import { useEffect, useState } from "react";
+import { type ShortcutDefinition } from "~/hooks/useShortcutKeys";
 import { type MatchedOrganization, useDashboardLimits } from "~/hooks/useOrganizations";
 import { useCurrentPlan } from "~/routes/_app.orgs.$organizationSlug/route";
 import { Feedback } from "~/components/Feedback";
@@ -118,17 +119,19 @@ export function CreateDashboardPageButton({
   organization,
   project,
   environment,
+  shortcut,
 }: {
   organization: { slug: string };
   project: { slug: string };
   environment: { slug: string };
+  shortcut?: ShortcutDefinition;
 }) {
   const dashboard = useCreateDashboard({ organization, project, environment });
 
   return (
     <Dialog open={dashboard.isOpen} onOpenChange={dashboard.setIsOpen}>
       <DialogTrigger asChild>
-        <Button variant="primary/small" LeadingIcon={PlusIcon}>
+        <Button variant="primary/small" LeadingIcon={PlusIcon} shortcut={shortcut} className="pr-2">
           Create custom dashboard
         </Button>
       </DialogTrigger>
@@ -162,7 +165,6 @@ function CreateDashboardUpgradeDialog({
   isFreePlan: boolean;
   organization: { slug: string };
 }) {
-
   if (isFreePlan) {
     return (
       <DialogContent>
diff --git a/apps/webapp/app/components/navigation/NotificationCard.tsx b/apps/webapp/app/components/navigation/NotificationCard.tsx
new file mode 100644
index 00000000000..8b03c27fff9
--- /dev/null
+++ b/apps/webapp/app/components/navigation/NotificationCard.tsx
@@ -0,0 +1,142 @@
+import { XMarkIcon } from "@heroicons/react/20/solid";
+import { useLayoutEffect, useRef, useState } from "react";
+import ReactMarkdown from "react-markdown";
+import { cn } from "~/utils/cn";
+
+export function NotificationCard({
+  title,
+  description,
+  image,
+  actionUrl,
+  onDismiss,
+  onCardClick,
+  onLinkClick,
+}: {
+  title: string;
+  description: string;
+  image?: string;
+  actionUrl?: string;
+  onDismiss?: () => void;
+  onCardClick?: () => void;
+  onLinkClick?: () => void;
+}) {
+  const [isExpanded, setIsExpanded] = useState(false);
+  const [isOverflowing, setIsOverflowing] = useState(false);
+  const descriptionRef = useRef<HTMLDivElement>(null);
+
+  useLayoutEffect(() => {
+    const el = descriptionRef.current;
+    if (!el) return;
+
+    const check = () => setIsOverflowing(el.scrollHeight - el.clientHeight > 1);
+    check();
+
+    const observer = new ResizeObserver(check);
+    observer.observe(el);
+    return () => observer.disconnect();
+  }, [description]);
+
+  const handleDismiss = (e: React.MouseEvent) => {
+    e.preventDefault();
+    e.stopPropagation();
+    onDismiss?.();
+  };
+
+  const handleToggleExpand = (e: React.MouseEvent) => {
+    e.preventDefault();
+    e.stopPropagation();
+    setIsExpanded((v) => !v);
+  };
+
+  const safeActionUrl = sanitizeUrl(actionUrl);
+  const safeImage = sanitizeUrl(image);
+
+  return (
+    <div className="group/card relative overflow-hidden rounded border border-charcoal-650 bg-charcoal-700/50 shadow-lg">
+      {safeActionUrl && (
+        <a
+          href={safeActionUrl}
+          target="_blank"
+          rel="noopener noreferrer"
+          aria-label={title}
+          onClick={onCardClick}
+          className="absolute inset-0 z-10"
+        />
+      )}
+
+      <div className="flex items-start gap-1 px-2.5 pt-2">
+        <p className="flex-1 text-[13px] font-medium leading-normal text-text-bright">{title}</p>
+        <button
+          type="button"
+          onClick={handleDismiss}
+          aria-label="Dismiss notification"
+          title="Dismiss notification"
+          className="relative z-20 -mr-1 shrink-0 rounded p-0.5 text-text-dimmed opacity-0 transition group-hover/card:opacity-100 hover:bg-charcoal-700 hover:text-text-bright focus-visible:opacity-100"
+        >
+          <XMarkIcon className="size-3.5" />
+        </button>
+      </div>
+
+      <div className="px-2.5 pb-2">
+        <div ref={descriptionRef} className={cn(!isExpanded && "line-clamp-3")}>
+          <ReactMarkdown components={getMarkdownComponents(onLinkClick)}>
+            {description}
+          </ReactMarkdown>
+        </div>
+        {(isOverflowing || isExpanded) && (
+          <button
+            type="button"
+            onClick={handleToggleExpand}
+            className="relative z-20 mt-0.5 text-xs text-indigo-400 hover:text-indigo-300"
+          >
+            {isExpanded ? "Show less" : "Show more"}
+          </button>
+        )}
+
+        {safeImage && <img src={safeImage} alt="" className="mt-1.5 rounded" />}
+      </div>
+    </div>
+  );
+}
+
+function getMarkdownComponents(onLinkClick?: () => void) {
+  return {
+    p: ({ children }: { children?: React.ReactNode }) => (
+      <p className="my-0.5 text-xs leading-normal text-text-dimmed">{children}</p>
+    ),
+    a: ({ href, children }: { href?: string; children?: React.ReactNode }) => (
+      <a
+        href={href}
+        target="_blank"
+        rel="noopener noreferrer"
+        className="relative z-20 text-indigo-400 underline transition-colors hover:text-indigo-300"
+        onClick={(e) => {
+          e.stopPropagation();
+          onLinkClick?.();
+        }}
+      >
+        {children}
+      </a>
+    ),
+    strong: ({ children }: { children?: React.ReactNode }) => (
+      <strong className="font-semibold text-text-bright">{children}</strong>
+    ),
+    em: ({ children }: { children?: React.ReactNode }) => <em>{children}</em>,
+    code: ({ children }: { children?: React.ReactNode }) => (
+      <code className="rounded bg-charcoal-700 px-1 py-0.5 text-[11px]">{children}</code>
+    ),
+  };
+}
+
+const SAFE_URL_PROTOCOLS = new Set(["http:", "https:", "mailto:", "tel:"]);
+
+/** Sanitize a URL to prevent XSS via javascript: or data: URIs. Returns "" if invalid. */
+function sanitizeUrl(url: string | undefined): string {
+  if (!url) return "";
+  try {
+    const parsed = new URL(url);
+    return SAFE_URL_PROTOCOLS.has(parsed.protocol) ? parsed.href : "";
+  } catch {
+    return "";
+  }
+}
diff --git a/apps/webapp/app/components/navigation/NotificationPanel.tsx b/apps/webapp/app/components/navigation/NotificationPanel.tsx
index fdfbb2f8742..15af60fde35 100644
--- a/apps/webapp/app/components/navigation/NotificationPanel.tsx
+++ b/apps/webapp/app/components/navigation/NotificationPanel.tsx
@@ -1,13 +1,12 @@
-import { BellAlertIcon, ChevronRightIcon, XMarkIcon } from "@heroicons/react/20/solid";
+import { BellAlertIcon } from "@heroicons/react/20/solid";
 import { useFetcher } from "@remix-run/react";
-import { motion } from "framer-motion";
-import { useCallback, useEffect, useLayoutEffect, useRef, useState } from "react";
-import ReactMarkdown from "react-markdown";
-import { Header3 } from "~/components/primitives/Headers";
+import { useCallback, useEffect, useRef, useState } from "react";
+import simplur from "simplur";
+import { Button } from "~/components/primitives/Buttons";
 import { Popover, PopoverContent, PopoverTrigger } from "~/components/primitives/Popover";
 import { SimpleTooltip } from "~/components/primitives/Tooltip";
 import { usePlatformNotifications } from "~/routes/resources.platform-notifications";
-import { cn } from "~/utils/cn";
+import { NotificationCard } from "./NotificationCard";
 
 type Notification = {
   id: string;
@@ -102,211 +101,57 @@ export function NotificationPanel({
     return null;
   }
 
+  const { title, description, image, actionUrl, dismissOnAction } = notification.payload.data;
   const card = (
     <NotificationCard
-      notification={notification}
-      onDismiss={handleDismiss}
+      title={title}
+      description={description}
+      image={image}
+      actionUrl={actionUrl}
+      onDismiss={() => handleDismiss(notification.id)}
+      onCardClick={() => {
+        fireClickBeacon(notification.id);
+        if (dismissOnAction) {
+          handleDismiss(notification.id);
+        }
+      }}
       onLinkClick={() => fireClickBeacon(notification.id)}
     />
   );
 
   return (
     <Popover>
-      <div className="p-1">
-        {/* Expanded sidebar: show card directly */}
-        <motion.div
-          initial={false}
-          animate={{
-            height: isCollapsed ? 0 : "auto",
-            opacity: isCollapsed ? 0 : 1,
-          }}
-          transition={{ duration: 0.15 }}
-          className="overflow-hidden"
-        >
-          {card}
-        </motion.div>
-
-        {/* Collapsed sidebar: show bell icon that opens popover */}
-        <motion.div
-          initial={false}
-          animate={{
-            height: isCollapsed ? "auto" : 0,
-            opacity: isCollapsed ? 1 : 0,
-          }}
-          transition={{ duration: 0.15 }}
-          className="overflow-hidden"
-        >
+      <div className={isCollapsed ? "p-1" : "p-2"}>
+        {isCollapsed ? (
           <SimpleTooltip
+            asChild
             button={
-              <PopoverTrigger className="flex !h-8 w-full items-center justify-center rounded border border-charcoal-650 bg-charcoal-750/50 transition-colors hover:border-charcoal-600 hover:bg-charcoal-700/50">
-                <div className="relative">
-                  <BellAlertIcon className="size-5 text-text-dimmed" />
-                  <span
-                    className="absolute -right-1.5 -top-1.5 flex h-4 min-w-4 items-center justify-center rounded-full px-1 text-[10px] font-medium text-white"
-                    style={{ backgroundColor: "#6366f1" }}
-                  >
-                    {visibleNotifications.length}
-                  </span>
-                </div>
-              </PopoverTrigger>
+              <div className="relative">
+                <PopoverTrigger asChild>
+                  <Button variant="small-menu-item" className="h-8 w-[2.1875rem] justify-center">
+                    <BellAlertIcon className="size-5" />
+                  </Button>
+                </PopoverTrigger>
+                <span
+                  className="pointer-events-none absolute -top-[0.2rem] right-0 flex h-4 min-w-4 items-center justify-center rounded-full px-1 text-[0.625rem] font-medium text-text-bright"
+                  style={{ backgroundColor: "#6366f1" }}
+                >
+                  {visibleNotifications.length}
+                </span>
+              </div>
             }
-            content="Notifications"
+            content={simplur`${visibleNotifications.length} notification[|s]`}
             side="right"
             sideOffset={8}
             disableHoverableContent
-            asChild
           />
-        </motion.div>
+        ) : (
+          card
+        )}
       </div>
-      <PopoverContent side="right" sideOffset={8} align="start" className="w-56 !min-w-0 p-0">
+      <PopoverContent side="right" sideOffset={8} align="end" className="w-56 !min-w-0 p-0">
         {card}
       </PopoverContent>
     </Popover>
   );
 }
-
-function NotificationCard({
-  notification,
-  onDismiss,
-  onLinkClick,
-}: {
-  notification: Notification;
-  onDismiss: (id: string) => void;
-  onLinkClick: () => void;
-}) {
-  const { title, description, image, actionUrl, dismissOnAction } = notification.payload.data;
-  const [isExpanded, setIsExpanded] = useState(false);
-  const [isOverflowing, setIsOverflowing] = useState(false);
-  const descriptionRef = useRef<HTMLDivElement>(null);
-
-  useLayoutEffect(() => {
-    const el = descriptionRef.current;
-    if (el) {
-      setIsOverflowing(el.scrollHeight > el.clientHeight);
-    }
-  }, [description]);
-
-  const handleDismiss = (e: React.MouseEvent) => {
-    e.preventDefault();
-    e.stopPropagation();
-    onDismiss(notification.id);
-  };
-
-  const handleToggleExpand = (e: React.MouseEvent) => {
-    e.preventDefault();
-    e.stopPropagation();
-    setIsExpanded((v) => !v);
-  };
-
-  const handleCardClick = () => {
-    onLinkClick();
-    if (dismissOnAction) {
-      onDismiss(notification.id);
-    }
-  };
-
-  const Wrapper = actionUrl ? "a" : "div";
-  const wrapperProps = actionUrl
-    ? {
-        href: actionUrl,
-        target: "_blank" as const,
-        rel: "noopener noreferrer" as const,
-        onClick: handleCardClick,
-      }
-    : {};
-
-  return (
-    <Wrapper
-      {...wrapperProps}
-      className="group/card group relative block overflow-hidden rounded border transition-colors border-grid-bright bg-charcoal-750/50 no-underline"
-    >
-      {/* Header: title + dismiss */}
-      <div className="relative flex items-start gap-1 px-2 pt-1.5">
-        <Header3 className="flex-1 !text-xs">
-          {title}
-        </Header3>
-        <button
-          type="button"
-          onClick={handleDismiss}
-          className="shrink-0 rounded p-0.5 text-text-dimmed transition-colors hover:bg-charcoal-700 hover:text-text-bright"
-        >
-          <XMarkIcon className="size-3.5" />
-        </button>
-      </div>
-
-      {/* Body: description + chevron */}
-      <div className="relative px-2 pb-2">
-        <div className="flex gap-1">
-          <div className="min-w-0 flex-1">
-            <div
-              ref={descriptionRef}
-              className={cn(!isExpanded && "line-clamp-3")}
-            >
-              <ReactMarkdown components={getMarkdownComponents(onLinkClick)}>{description}</ReactMarkdown>
-            </div>
-            {(isOverflowing || isExpanded) && (
-              <button
-                type="button"
-                onClick={handleToggleExpand}
-                className="mt-0.5 text-xs text-indigo-400 hover:text-indigo-300"
-              >
-                {isExpanded ? "Show less" : "Show more"}
-              </button>
-            )}
-          </div>
-          {actionUrl && (
-            <div className="mt-1 flex shrink-0 items-center pb-1 text-text-dimmed group-hover/card:text-text-bright transition-colors">
-              <ChevronRightIcon className="size-4" />
-            </div>
-          )}
-        </div>
-
-        {image && (
-          <img src={sanitizeImageUrl(image)} alt="" className="mt-1.5 rounded" />
-        )}
-      </div>
-    </Wrapper>
-  );
-}
-
-/** Sanitize image URL to prevent XSS via javascript: or data: URIs. */
-function sanitizeImageUrl(url: string): string {
-  try {
-    const parsed = new URL(url);
-    if (parsed.protocol === "https:" || parsed.protocol === "http:") {
-      return parsed.href;
-    }
-    return "";
-  } catch {
-    return "";
-  }
-}
-
-function getMarkdownComponents(onLinkClick: () => void) {
-  return {
-    p: ({ children }: { children?: React.ReactNode }) => (
-      <p className="my-0.5 text-xs leading-relaxed text-text-dimmed">{children}</p>
-    ),
-    a: ({ href, children }: { href?: string; children?: React.ReactNode }) => (
-      <a
-        href={href}
-        target="_blank"
-        rel="noopener noreferrer"
-        className="text-indigo-400 underline hover:text-indigo-300 transition-colors"
-        onClick={(e) => {
-          e.stopPropagation();
-          onLinkClick();
-        }}
-      >
-        {children}
-      </a>
-    ),
-    strong: ({ children }: { children?: React.ReactNode }) => (
-      <strong className="font-semibold text-text-bright">{children}</strong>
-    ),
-    em: ({ children }: { children?: React.ReactNode }) => <em>{children}</em>,
-    code: ({ children }: { children?: React.ReactNode }) => (
-      <code className="rounded bg-charcoal-700 px-1 py-0.5 text-[11px]">{children}</code>
-    ),
-  };
-}
diff --git a/apps/webapp/app/components/navigation/OrganizationSettingsSideMenu.tsx b/apps/webapp/app/components/navigation/OrganizationSettingsSideMenu.tsx
index c8cd131d962..3c17ff482ba 100644
--- a/apps/webapp/app/components/navigation/OrganizationSettingsSideMenu.tsx
+++ b/apps/webapp/app/components/navigation/OrganizationSettingsSideMenu.tsx
@@ -4,6 +4,7 @@ import {
   Cog8ToothIcon,
   CreditCardIcon,
   LockClosedIcon,
+  ShieldCheckIcon,
   UserGroupIcon,
 } from "@heroicons/react/20/solid";
 import { ArrowLeftIcon } from "@heroicons/react/24/solid";
@@ -14,6 +15,7 @@ import { useFeatures } from "~/hooks/useFeatures";
 import { type MatchedOrganization } from "~/hooks/useOrganizations";
 import { cn } from "~/utils/cn";
 import {
+  organizationRolesPath,
   organizationSettingsPath,
   organizationSlackIntegrationPath,
   organizationTeamPath,
@@ -45,9 +47,11 @@ export type BuildInfo = {
 export function OrganizationSettingsSideMenu({
   organization,
   buildInfo,
+  isUsingPlugin,
 }: {
   organization: MatchedOrganization;
   buildInfo: BuildInfo;
+  isUsingPlugin: boolean;
 }) {
   const { isManagedCloud } = useFeatures();
   const featureFlags = useFeatureFlags();
@@ -128,6 +132,16 @@ export function OrganizationSettingsSideMenu({
             to={organizationTeamPath(organization)}
             data-action="team"
           />
+          {isUsingPlugin && (
+            <SideMenuItem
+              name="Roles"
+              icon={ShieldCheckIcon}
+              activeIconColor="text-sky-500"
+              inactiveIconColor="text-sky-500"
+              to={organizationRolesPath(organization)}
+              data-action="roles"
+            />
+          )}
           <SideMenuItem
             name="Settings"
             icon={Cog8ToothIcon}
diff --git a/apps/webapp/app/components/navigation/SideMenu.tsx b/apps/webapp/app/components/navigation/SideMenu.tsx
index dbc4c213f08..b8cf5c8e72e 100644
--- a/apps/webapp/app/components/navigation/SideMenu.tsx
+++ b/apps/webapp/app/components/navigation/SideMenu.tsx
@@ -2,6 +2,7 @@ import {
   AdjustmentsHorizontalIcon,
   ArrowPathRoundedSquareIcon,
   ArrowRightOnRectangleIcon,
+  ArrowsRightLeftIcon,
   ArrowTopRightOnSquareIcon,
   BeakerIcon,
   BellAlertIcon,
@@ -10,6 +11,7 @@ import {
   ClockIcon,
   Cog8ToothIcon,
   CogIcon,
+  CpuChipIcon,
   CubeIcon,
   ExclamationTriangleIcon,
   FolderIcon,
@@ -69,7 +71,9 @@ import {
   organizationTeamPath,
   queryPath,
   regionsPath,
+  v3AgentsPath,
   v3ApiKeysPath,
+  v3PlaygroundPath,
   v3BatchesPath,
   v3BillingPath,
   v3BuiltInDashboardPath,
@@ -88,6 +92,7 @@ import {
   v3QueuesPath,
   v3RunsPath,
   v3SchedulesPath,
+  v3SessionsPath,
   v3TestPath,
   v3UsagePath,
   v3WaitpointTokensPath,
@@ -467,6 +472,31 @@ export function SideMenu({
                 initialCollapsed={getSectionCollapsed(user.dashboardPreferences.sideMenu, "ai")}
                 onCollapseToggle={handleSectionToggle("ai")}
               >
+                <SideMenuItem
+                  name="Agents"
+                  icon={CpuChipIcon}
+                  activeIconColor="text-indigo-500"
+                  inactiveIconColor="text-indigo-500"
+                  to={v3AgentsPath(organization, project, environment)}
+                  isCollapsed={isCollapsed}
+                />
+                <SideMenuItem
+                  name="Sessions"
+                  icon={ArrowsRightLeftIcon}
+                  activeIconColor="text-teal-500"
+                  inactiveIconColor="text-teal-500"
+                  to={v3SessionsPath(organization, project, environment)}
+                  data-action="sessions"
+                  isCollapsed={isCollapsed}
+                />
+                <SideMenuItem
+                  name="Playground"
+                  icon={BeakerIcon}
+                  activeIconColor="text-indigo-400"
+                  inactiveIconColor="text-indigo-400"
+                  to={v3PlaygroundPath(organization, project, environment)}
+                  isCollapsed={isCollapsed}
+                />
                 <SideMenuItem
                   name="Prompts"
                   icon={AIPromptsIcon}
@@ -489,7 +519,7 @@ export function SideMenu({
                   />
                 )}
                 <SideMenuItem
-                  name="AI Metrics"
+                  name="AI metrics"
                   icon={AIMetricsIcon}
                   trailingIconClassName="size-5"
                   activeIconColor="text-aiMetrics"
@@ -524,17 +554,15 @@ export function SideMenu({
                     isCollapsed={isCollapsed}
                   />
                 )}
-                {(user.admin || user.isImpersonating) && (
-                  <SideMenuItem
-                    name="Errors"
-                    icon={IconBugFilled}
-                    activeIconColor="text-errors"
-                    inactiveIconColor="text-errors"
-                    to={v3ErrorsPath(organization, project, environment)}
-                    data-action="errors"
-                    isCollapsed={isCollapsed}
-                  />
-                )}
+                <SideMenuItem
+                  name="Errors"
+                  icon={IconBugFilled}
+                  activeIconColor="text-errors"
+                  inactiveIconColor="text-errors"
+                  to={v3ErrorsPath(organization, project, environment)}
+                  data-action="errors"
+                  isCollapsed={isCollapsed}
+                />
                 <SideMenuItem
                   name="Query"
                   icon={TableCellsIcon}
diff --git a/apps/webapp/app/components/primitives/Buttons.tsx b/apps/webapp/app/components/primitives/Buttons.tsx
index 86e23801e72..0f9f4e9a4d7 100644
--- a/apps/webapp/app/components/primitives/Buttons.tsx
+++ b/apps/webapp/app/components/primitives/Buttons.tsx
@@ -305,7 +305,7 @@ export function ButtonContent(props: ButtonContentPropsType) {
       <TooltipProvider>
         <Tooltip>
           <TooltipTrigger asChild>{buttonContent}</TooltipTrigger>
-          <TooltipContent className="flex items-center gap-3 py-1.5 pl-2.5 pr-3 text-xs text-text-bright">
+          <TooltipContent className="flex items-center gap-1.5 py-1.5 pl-2.5 pr-2 text-xs text-text-bright">
             {tooltip} {shortcut && renderShortcutKey()}
           </TooltipContent>
         </Tooltip>
@@ -318,12 +318,12 @@ export function ButtonContent(props: ButtonContentPropsType) {
 
 type ButtonPropsType = Pick<
   JSX.IntrinsicElements["button"],
-  "type" | "disabled" | "onClick" | "name" | "value" | "form" | "autoFocus"
+  "type" | "disabled" | "onClick" | "name" | "value" | "form" | "autoFocus" | "aria-label"
 > &
   React.ComponentProps<typeof ButtonContent>;
 
 export const Button = forwardRef<HTMLButtonElement, ButtonPropsType>(
-  ({ type, disabled, autoFocus, onClick, ...props }, ref) => {
+  ({ type, disabled, autoFocus, onClick, "aria-label": ariaLabel, ...props }, ref) => {
     const innerRef = useRef<HTMLButtonElement>(null);
     useImperativeHandle(ref, () => innerRef.current as HTMLButtonElement);
 
@@ -352,8 +352,13 @@ export const Button = forwardRef<HTMLButtonElement, ButtonPropsType>(
         ref={innerRef}
         form={props.form}
         autoFocus={autoFocus}
+        aria-label={ariaLabel}
       >
-        <ButtonContent {...props} tooltip={undefined} />
+        <ButtonContent
+          {...props}
+          tooltip={undefined}
+          hideShortcutKey={props.tooltip ? true : props.hideShortcutKey}
+        />
       </button>
     );
 
@@ -362,13 +367,13 @@ export const Button = forwardRef<HTMLButtonElement, ButtonPropsType>(
         <TooltipProvider>
           <Tooltip>
             <TooltipTrigger asChild>
-              <span className={isDisabled ? "cursor-default" : undefined}>
+              <span className={cn("flex", isDisabled && "cursor-default")}>
                 {buttonElement}
               </span>
             </TooltipTrigger>
-            <TooltipContent className="flex items-center gap-3 py-1.5 pl-2.5 pr-3 text-xs text-text-bright">
+            <TooltipContent className="flex items-center gap-1.5 py-1.5 pl-2.5 pr-2 text-xs text-text-bright">
               {props.tooltip} {props.shortcut && !props.hideShortcutKey && (
-                <ShortcutKey shortcut={props.shortcut} variant="medium" className="ml-1" />
+                <ShortcutKey shortcut={props.shortcut} variant="medium" />
               )}
             </TooltipContent>
           </Tooltip>
diff --git a/apps/webapp/app/components/primitives/Input.tsx b/apps/webapp/app/components/primitives/Input.tsx
index 3364e48bed2..15a7592c32f 100644
--- a/apps/webapp/app/components/primitives/Input.tsx
+++ b/apps/webapp/app/components/primitives/Input.tsx
@@ -67,6 +67,7 @@ const variants = {
 export type InputProps = React.InputHTMLAttributes<HTMLInputElement> & {
   variant?: keyof typeof variants;
   icon?: RenderIcon;
+  iconClassName?: string;
   accessory?: React.ReactNode;
   fullWidth?: boolean;
   containerClassName?: string;
@@ -81,6 +82,7 @@ const Input = React.forwardRef<HTMLInputElement, InputProps>(
       fullWidth = true,
       variant = "medium",
       icon,
+      iconClassName,
       containerClassName,
       ...props
     },
@@ -91,7 +93,7 @@ const Input = React.forwardRef<HTMLInputElement, InputProps>(
 
     const variantContainerClassName = variants[variant].container;
     const inputClassName = variants[variant].input;
-    const iconClassName = variants[variant].iconSize;
+    const variantIconClassName = variants[variant].iconSize;
 
     return (
       <div
@@ -106,7 +108,10 @@ const Input = React.forwardRef<HTMLInputElement, InputProps>(
       >
         {icon && (
           <div className="pointer-events-none flex items-center">
-            <Icon icon={icon} className={cn(iconClassName, "text-text-dimmed")} />
+            <Icon
+              icon={icon}
+              className={cn(variantIconClassName, "text-text-dimmed", iconClassName)}
+            />
           </div>
         )}
         <input
diff --git a/apps/webapp/app/components/primitives/PulsingDot.tsx b/apps/webapp/app/components/primitives/PulsingDot.tsx
new file mode 100644
index 00000000000..97c2a109306
--- /dev/null
+++ b/apps/webapp/app/components/primitives/PulsingDot.tsx
@@ -0,0 +1,23 @@
+import { cn } from "~/utils/cn";
+
+export function PulsingDot({
+  className,
+  ringClassName,
+  dotClassName,
+}: {
+  className?: string;
+  ringClassName?: string;
+  dotClassName?: string;
+}) {
+  return (
+    <span className={cn("relative flex size-2", className)}>
+      <span
+        className={cn(
+          "absolute h-full w-full animate-ping rounded-full border border-blue-500 opacity-100 duration-1000",
+          ringClassName
+        )}
+      />
+      <span className={cn("size-2 rounded-full bg-blue-500", dotClassName)} />
+    </span>
+  );
+}
diff --git a/apps/webapp/app/components/primitives/Resizable.tsx b/apps/webapp/app/components/primitives/Resizable.tsx
index 2efaae4258e..b2964c8e958 100644
--- a/apps/webapp/app/components/primitives/Resizable.tsx
+++ b/apps/webapp/app/components/primitives/Resizable.tsx
@@ -1,7 +1,7 @@
 "use client";
 
 import React, { useRef } from "react";
-import { PanelGroup, Panel, PanelResizer } from "react-window-splitter";
+import { PanelGroup, Panel, PanelResizer } from "@window-splitter/react";
 import { cn } from "~/utils/cn";
 
 const ResizablePanelGroup = ({ className, ...props }: React.ComponentProps<typeof PanelGroup>) => (
@@ -69,10 +69,14 @@ const ResizableHandle = ({
   </PanelResizer>
 );
 
-const RESIZABLE_PANEL_ANIMATION = {
-  easing: "ease-in-out" as const,
-  duration: 200,
-};
+// react-window-splitter drives the collapse animation through @react-spring/rafz,
+// which has timing/interaction issues with Firefox that produce visual glitches
+// (alternating frames, panels stuck at min, panelHasSpace invariant violations).
+// Disable the animation on Firefox; it works correctly in Chromium and Safari.
+const RESIZABLE_PANEL_ANIMATION =
+  typeof navigator !== "undefined" && /firefox/i.test(navigator.userAgent)
+    ? undefined
+    : ({ easing: "ease-in-out", duration: 300 } as const);
 
 const COLLAPSIBLE_HANDLE_CLASSNAME = "transition-opacity duration-200";
 
diff --git a/apps/webapp/app/components/primitives/SearchInput.tsx b/apps/webapp/app/components/primitives/SearchInput.tsx
index 639a4d1a737..3c31cf788b7 100644
--- a/apps/webapp/app/components/primitives/SearchInput.tsx
+++ b/apps/webapp/app/components/primitives/SearchInput.tsx
@@ -1,13 +1,16 @@
 import { MagnifyingGlassIcon, XMarkIcon } from "@heroicons/react/20/solid";
 import { motion } from "framer-motion";
-import { useCallback, useEffect, useRef, useState } from "react";
+import { useEffect, useRef, useState } from "react";
 import { Input } from "~/components/primitives/Input";
 import { ShortcutKey } from "~/components/primitives/ShortcutKey";
+import { SimpleTooltip } from "~/components/primitives/Tooltip";
 import { useSearchParams } from "~/hooks/useSearchParam";
 import { cn } from "~/utils/cn";
 
 export type SearchInputProps = {
   placeholder?: string;
+  /** The URL search param name to read/write. Defaults to "search". */
+  paramName?: string;
   /** Additional URL params to reset when searching or clearing (e.g. pagination). Defaults to ["cursor", "direction"]. */
   resetParams?: string[];
   autoFocus?: boolean;
@@ -15,6 +18,7 @@ export type SearchInputProps = {
 
 export function SearchInput({
   placeholder = "Search logs…",
+  paramName = "search",
   resetParams = ["cursor", "direction"],
   autoFocus,
 }: SearchInputProps) {
@@ -22,36 +26,31 @@ export function SearchInput({
 
   const { value, replace, del } = useSearchParams();
 
-  const initialSearch = value("search") ?? "";
+  const initialSearch = value(paramName) ?? "";
 
   const [text, setText] = useState(initialSearch);
   const [isFocused, setIsFocused] = useState(false);
 
   useEffect(() => {
-    const urlSearch = value("search") ?? "";
+    const urlSearch = value(paramName) ?? "";
     if (urlSearch !== text && !isFocused) {
       setText(urlSearch);
     }
-  }, [value, text, isFocused]);
+  }, [value, text, isFocused, paramName]);
 
-  const handleSubmit = useCallback(() => {
+  const handleSubmit = () => {
     const resetValues = Object.fromEntries(resetParams.map((p) => [p, undefined]));
     if (text.trim()) {
-      replace({ search: text.trim(), ...resetValues });
+      replace({ [paramName]: text.trim(), ...resetValues });
     } else {
-      del(["search", ...resetParams]);
+      del([paramName, ...resetParams]);
     }
-  }, [text, replace, del, resetParams]);
+  };
 
-  const handleClear = useCallback(
-    (e: React.MouseEvent<HTMLButtonElement>) => {
-      e.preventDefault();
-      e.stopPropagation();
-      setText("");
-      del(["search", ...resetParams]);
-    },
-    [del, resetParams]
-  );
+  const handleClear = () => {
+    setText("");
+    del([paramName, ...resetParams]);
+  };
 
   return (
     <div className="flex items-center gap-1">
@@ -81,24 +80,42 @@ export function SearchInput({
               handleSubmit();
             }
             if (e.key === "Escape") {
-              e.currentTarget.blur();
+              if (text.length > 0) {
+                e.stopPropagation();
+                handleClear();
+              } else {
+                e.currentTarget.blur();
+              }
             }
           }}
           onFocus={() => setIsFocused(true)}
           onBlur={() => setIsFocused(false)}
-          icon={<MagnifyingGlassIcon className="size-4" />}
+          icon={<MagnifyingGlassIcon className="size-4 text-text-bright" />}
           accessory={
             text.length > 0 ? (
               <div className="-mr-1 flex items-center gap-1.5">
                 <ShortcutKey shortcut={{ key: "enter" }} variant="medium" className="border-none" />
-                <button
-                  type="button"
-                  onClick={handleClear}
-                  className="flex size-4.5 items-center justify-center rounded-[2px] border border-text-dimmed/40 text-text-dimmed transition hover:bg-charcoal-600 hover:text-text-bright"
-                  title="Clear search"
-                >
-                  <XMarkIcon className="size-3" />
-                </button>
+                <SimpleTooltip
+                  asChild
+                  button={
+                    <button
+                      type="button"
+                      onMouseDown={(e) => e.preventDefault()}
+                      onClick={() => handleClear()}
+                      className="flex size-4.5 items-center justify-center rounded-[2px] border border-text-dimmed/40 text-text-dimmed transition hover:bg-charcoal-600 hover:text-text-bright"
+                    >
+                      <XMarkIcon className="size-3" />
+                    </button>
+                  }
+                  content={
+                    <div className="flex items-center gap-1">
+                      <span className="text-text-dimmed">Clear field</span>
+                      <ShortcutKey shortcut={{ key: "esc" }} variant="small" />
+                    </div>
+                  }
+                  className="px-2 py-1.5 text-xs"
+                  disableHoverableContent
+                />
               </div>
             ) : undefined
           }
diff --git a/apps/webapp/app/components/primitives/Select.tsx b/apps/webapp/app/components/primitives/Select.tsx
index d3e4c866891..23c587621c4 100644
--- a/apps/webapp/app/components/primitives/Select.tsx
+++ b/apps/webapp/app/components/primitives/Select.tsx
@@ -104,6 +104,7 @@ export interface SelectProps<TValue extends string | string[], TItem>
   open?: boolean;
   setOpen?: (open: boolean) => void;
   shortcut?: ShortcutDefinition;
+  tooltipTitle?: string;
   allowItemShortcuts?: boolean;
   clearSearchOnSelection?: boolean;
   dropdownIcon?: boolean | React.ReactNode;
@@ -127,6 +128,7 @@ export function Select<TValue extends string | string[], TItem>({
   open,
   setOpen,
   shortcut,
+  tooltipTitle,
   allowItemShortcuts = true,
   disabled,
   clearSearchOnSelection = true,
@@ -206,6 +208,7 @@ export function Select<TValue extends string | string[], TItem>({
         text={text}
         placeholder={placeholder}
         shortcut={shortcut}
+        tooltipTitle={tooltipTitle}
         disabled={disabled}
         dropdownIcon={dropdownIcon}
         {...props}
@@ -354,7 +357,7 @@ export function SelectTrigger({
       </Ariakit.TooltipAnchor>
       {showTooltip && (
         <Ariakit.Tooltip
-          disabled={shortcut === undefined}
+          disabled={!tooltipTitle && !shortcut}
           className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright px-2 py-1.5 text-xs"
         >
           <div className="flex items-center gap-2">
@@ -460,7 +463,15 @@ export function SelectItem({
   ...props
 }: SelectItemProps) {
   const combobox = Ariakit.useComboboxContext();
-  const render = combobox ? <Ariakit.ComboboxItem render={props.render} /> : undefined;
+  // In a Combobox context we wrap the caller's render in ComboboxItem
+  // so combobox keyboard nav still works. Outside a Combobox we pass
+  // the render through verbatim — without this, callers like
+  // SelectLinkItem (which uses render to swap in a <Link>) get their
+  // render prop silently dropped, which is why those rows looked
+  // clickable but didn't navigate.
+  const render = combobox
+    ? <Ariakit.ComboboxItem render={props.render} />
+    : props.render;
   const ref = React.useRef<HTMLDivElement>(null);
   const select = Ariakit.useSelectContext();
   const selectValue = select?.useState("value");
diff --git a/apps/webapp/app/components/primitives/Table.tsx b/apps/webapp/app/components/primitives/Table.tsx
index 1a30bc82b8a..bd3a27868aa 100644
--- a/apps/webapp/app/components/primitives/Table.tsx
+++ b/apps/webapp/app/components/primitives/Table.tsx
@@ -65,6 +65,7 @@ type TableProps = {
   children: ReactNode;
   fullWidth?: boolean;
   showTopBorder?: boolean;
+  stickyHeader?: boolean;
 };
 
 // Add TableContext
@@ -79,6 +80,7 @@ export const Table = forwardRef<HTMLTableElement, TableProps & { variant?: Table
       fullWidth,
       variant = "dimmed",
       showTopBorder = true,
+      stickyHeader = false,
     },
     ref
   ) => {
@@ -86,7 +88,8 @@ export const Table = forwardRef<HTMLTableElement, TableProps & { variant?: Table
       <TableContext.Provider value={{ variant }}>
         <div
           className={cn(
-            "overflow-x-auto whitespace-nowrap scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600",
+            "whitespace-nowrap scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600",
+            stickyHeader ? "overflow-visible" : "overflow-x-auto",
             showTopBorder && "border-t",
             containerClassName,
             fullWidth && "w-full"
@@ -127,12 +130,13 @@ export const TableHeader = forwardRef<HTMLTableSectionElement, TableHeaderProps>
 type TableBodyProps = {
   className?: string;
   children?: ReactNode;
+  style?: React.CSSProperties;
 };
 
 export const TableBody = forwardRef<HTMLTableSectionElement, TableBodyProps>(
-  ({ className, children }, ref) => {
+  ({ className, children, style }, ref) => {
     return (
-      <tbody ref={ref} className={cn("relative overflow-y-auto", className)}>
+      <tbody ref={ref} className={cn("relative overflow-y-auto", className)} style={style}>
         {children}
       </tbody>
     );
diff --git a/apps/webapp/app/components/primitives/Tabs.tsx b/apps/webapp/app/components/primitives/Tabs.tsx
index cbc5cf42752..0fb8a020a7b 100644
--- a/apps/webapp/app/components/primitives/Tabs.tsx
+++ b/apps/webapp/app/components/primitives/Tabs.tsx
@@ -11,6 +11,7 @@ export type TabsProps = {
   tabs: {
     label: string;
     to: string;
+    end?: boolean;
   }[];
   className?: string;
   layoutId: string;
@@ -21,7 +22,13 @@ export function Tabs({ tabs, className, layoutId, variant = "underline" }: TabsP
   return (
     <TabContainer className={className} variant={variant}>
       {tabs.map((tab, index) => (
-        <TabLink key={index} to={tab.to} layoutId={layoutId} variant={variant}>
+        <TabLink
+          key={index}
+          to={tab.to}
+          layoutId={layoutId}
+          variant={variant}
+          end={tab.end ?? true}
+        >
           {tab.label}
         </TabLink>
       ))}
@@ -62,18 +69,20 @@ export function TabLink({
   children,
   layoutId,
   variant = "underline",
+  end = true,
 }: {
   to: string;
   children: ReactNode;
   layoutId: string;
   variant?: Variants;
+  end?: boolean;
 }) {
   if (variant === "segmented") {
     return (
       <NavLink
         to={to}
         className="group relative flex h-full grow items-center justify-center focus-custom"
-        end
+        end={end}
       >
         {({ isActive, isPending }) => {
           const active = isActive || isPending;
@@ -110,7 +119,7 @@ export function TabLink({
       <NavLink
         to={to}
         className="group flex flex-col items-center border-r border-charcoal-700 px-2 pt-1 focus-custom first:pl-0 last:border-none"
-        end
+        end={end}
       >
         {({ isActive, isPending }) => {
           const active = isActive || isPending;
@@ -131,7 +140,7 @@ export function TabLink({
 
   // underline variant (default)
   return (
-    <NavLink to={to} className="group flex flex-col items-center pt-1 focus-custom" end>
+    <NavLink to={to} className="group flex flex-col items-center pt-1 focus-custom" end={end}>
       {({ isActive, isPending }) => {
         return (
           <>
diff --git a/apps/webapp/app/components/primitives/Tooltip.tsx b/apps/webapp/app/components/primitives/Tooltip.tsx
index c03492abcfd..92f95babce0 100644
--- a/apps/webapp/app/components/primitives/Tooltip.tsx
+++ b/apps/webapp/app/components/primitives/Tooltip.tsx
@@ -66,6 +66,7 @@ function SimpleTooltip({
   sideOffset,
   open,
   onOpenChange,
+  delayDuration,
 }: {
   button: React.ReactNode;
   content: React.ReactNode;
@@ -80,12 +81,13 @@ function SimpleTooltip({
   sideOffset?: number;
   open?: boolean;
   onOpenChange?: (open: boolean) => void;
+  delayDuration?: number;
 }) {
   return (
     <TooltipProvider disableHoverableContent={disableHoverableContent}>
-      <Tooltip open={open} onOpenChange={onOpenChange}>
+      <Tooltip open={open} onOpenChange={onOpenChange} delayDuration={delayDuration}>
         <TooltipTrigger
-          type="button"
+          type={asChild ? undefined : "button"}
           tabIndex={-1}
           className={cn(!asChild && "h-fit", buttonClassName)}
           style={buttonStyle}
diff --git a/apps/webapp/app/components/primitives/TreeView/TreeView.tsx b/apps/webapp/app/components/primitives/TreeView/TreeView.tsx
index 5f720c24fe9..39a236aef6f 100644
--- a/apps/webapp/app/components/primitives/TreeView/TreeView.tsx
+++ b/apps/webapp/app/components/primitives/TreeView/TreeView.tsx
@@ -1,6 +1,14 @@
 import { VirtualItem, Virtualizer, useVirtualizer } from "@tanstack/react-virtual";
 import { motion } from "framer-motion";
-import { MutableRefObject, RefObject, useCallback, useEffect, useReducer, useRef } from "react";
+import {
+  MutableRefObject,
+  RefObject,
+  useCallback,
+  useEffect,
+  useMemo,
+  useReducer,
+  useRef,
+} from "react";
 import { cn } from "~/utils/cn";
 import { NodeState, NodesState, reducer } from "./reducer";
 import { concreteStateFromInput, selectedIdFromState } from "./utils";
@@ -47,6 +55,16 @@ export function TreeView<TData>({
 
   const virtualItems = virtualizer.getVirtualItems();
 
+  // id -> node lookup so each virtual row resolves in O(1) instead of
+  // scanning the whole tree per row.
+  const nodesById = useMemo(() => {
+    const map = new Map<string, FlatTreeItem<TData>>();
+    for (const node of tree) {
+      map.set(node.id, node);
+    }
+    return map;
+  }, [tree]);
+
   const scrollCallback = useCallback(
     (event: Event) => {
       if (!onScroll) return;
@@ -99,7 +117,7 @@ export function TreeView<TData>({
           }}
         >
           {virtualItems.map((virtualItem) => {
-            const node = tree.find((node) => node.id === virtualItem.key);
+            const node = nodesById.get(virtualItem.key as string);
             if (!node) return null;
             const state = nodes[node.id];
             if (!state) return null;
@@ -197,6 +215,16 @@ export function useTree<TData, TFilterValue>({
     concreteStateFromInput({ tree, selectedId, collapsedIds, filter })
   );
 
+  // id -> index lookup so getNodeProps resolves in O(1) instead of scanning
+  // the whole tree per rendered row.
+  const treeIndexById = useMemo(() => {
+    const map = new Map<string, number>();
+    tree.forEach((node, index) => {
+      map.set(node.id, index);
+    });
+    return map;
+  }, [tree]);
+
   //sync external selectedId prop into internal state
   useEffect(() => {
     const internalSelectedId = selectedIdFromState(state.nodes);
@@ -497,7 +525,7 @@ export function useTree<TData, TFilterValue>({
     (id: string) => {
       const node = state.nodes[id];
       if (!node) return {};
-      const treeItemIndex = tree.findIndex((node) => node.id === id);
+      const treeItemIndex = treeIndexById.get(id) ?? -1;
       const treeItem = tree[treeItemIndex];
       return {
         "aria-expanded": node.expanded,
@@ -506,7 +534,7 @@ export function useTree<TData, TFilterValue>({
         tabIndex: node.selected ? -1 : undefined,
       };
     },
-    [state]
+    [state, treeIndexById]
   );
 
   return {
diff --git a/apps/webapp/app/components/query/QueryEditor.tsx b/apps/webapp/app/components/query/QueryEditor.tsx
index bb9ed036267..e7098b94c59 100644
--- a/apps/webapp/app/components/query/QueryEditor.tsx
+++ b/apps/webapp/app/components/query/QueryEditor.tsx
@@ -37,6 +37,7 @@ import {
   type QueryWidgetData,
 } from "~/components/metrics/QueryWidget";
 import { SaveToDashboardDialog } from "~/components/metrics/SaveToDashboardDialog";
+import { ScopeFilter } from "~/components/metrics/ScopeFilter";
 import { Button, LinkButton } from "~/components/primitives/Buttons";
 import { Callout } from "~/components/primitives/Callout";
 import {
@@ -89,12 +90,6 @@ function toISOString(value: Date | string): string {
   return value.toISOString();
 }
 
-const scopeOptions = [
-  { value: "environment", label: "Environment" },
-  { value: "project", label: "Project" },
-  { value: "organization", label: "Organization" },
-] as const;
-
 // Type for the query action response
 type QueryActionResponse = {
   error: string | null;
@@ -277,7 +272,7 @@ const QueryEditorForm = forwardRef<
         <input type="hidden" name="from" value={from ?? ""} />
         <input type="hidden" name="to" value={to ?? ""} />
         <QueryHistoryPopover history={history} onQuerySelected={handleHistorySelected} />
-        <div className="flex items-center gap-1">
+        <div className="flex items-center gap-1.5">
           {isAdmin && (
             <Button
               type="submit"
@@ -289,24 +284,11 @@ const QueryEditorForm = forwardRef<
               Explain
             </Button>
           )}
-          <Select
+          <ScopeFilter
             value={scope}
-            setValue={(value) => setScope(value as QueryScope)}
-            variant="secondary/small"
-            dropdownIcon={true}
-            items={[...scopeOptions]}
-            text={(value) => {
-              return <ScopeItem scope={value as QueryScope} />;
-            }}
-          >
-            {(items) =>
-              items.map((item) => (
-                <SelectItem key={item.value} value={item.value}>
-                  <ScopeItem scope={item.value as QueryScope} />
-                </SelectItem>
-              ))
-            }
-          </Select>
+            onValueChange={setScope}
+            shortcut={{ key: "e" }}
+          />
           {queryHasTriggeredAt ? (
             <SimpleTooltip
               asChild
@@ -335,6 +317,7 @@ const QueryEditorForm = forwardRef<
               period={period}
               from={from}
               to={to}
+              shortcut={{ key: "d" }}
               applyShortcut={{ key: "enter", enabledOnInputElements: true }}
               onValueChange={(values) => {
                 flushSync(() => {
@@ -1133,27 +1116,6 @@ function ExportResultsButton({
   );
 }
 
-function ScopeItem({ scope }: { scope: QueryScope }) {
-  const organization = useOrganization();
-  const project = useProject();
-  const environment = useEnvironment();
-
-  switch (scope) {
-    case "organization":
-      return <span className="text-text-bright">{`Org: ${organization.title}`}</span>;
-    case "project":
-      return <span className="text-text-bright">{`Project: ${project.name}`}</span>;
-    case "environment":
-      return (
-        <span className="text-text-bright">
-          Env: <EnvironmentLabel environment={environment} />
-        </span>
-      );
-    default:
-      return <span className="text-text-bright">{scope}</span>;
-  }
-}
-
 function QueryResultsCallouts({
   hiddenColumns,
   periodClipped,
diff --git a/apps/webapp/app/components/runs/v3/AIFilterInput.tsx b/apps/webapp/app/components/runs/v3/AIFilterInput.tsx
index ef8384894da..f2a01d27c6c 100644
--- a/apps/webapp/app/components/runs/v3/AIFilterInput.tsx
+++ b/apps/webapp/app/components/runs/v3/AIFilterInput.tsx
@@ -1,3 +1,4 @@
+import { XMarkIcon } from "@heroicons/react/20/solid";
 import { useFetcher, useNavigate } from "@remix-run/react";
 import { AnimatePresence, motion } from "framer-motion";
 import { useEffect, useRef, useState } from "react";
@@ -6,6 +7,7 @@ import { Input } from "~/components/primitives/Input";
 import { Popover, PopoverContent, PopoverTrigger } from "~/components/primitives/Popover";
 import { ShortcutKey } from "~/components/primitives/ShortcutKey";
 import { Spinner } from "~/components/primitives/Spinner";
+import { SimpleTooltip } from "~/components/primitives/Tooltip";
 import { useEnvironment } from "~/hooks/useEnvironment";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
@@ -107,6 +109,11 @@ export function AIFilterInput() {
                     form.requestSubmit();
                   }
                 }
+                if (e.key === "Escape") {
+                  e.stopPropagation();
+                  setText("");
+                  e.currentTarget.blur();
+                }
               }}
               onFocus={() => setIsFocused(true)}
               onBlur={() => {
@@ -125,11 +132,34 @@ export function AIFilterInput() {
                     className="size-4 opacity-80"
                   />
                 ) : text.length > 0 ? (
-                  <ShortcutKey
-                    shortcut={{ key: "enter" }}
-                    variant="small"
-                    className={cn("transition-opacity", text.length === 0 && "opacity-0")}
-                  />
+                  <div className="-mr-1 flex items-center gap-1.5">
+                    <ShortcutKey
+                      shortcut={{ key: "enter" }}
+                      variant="medium"
+                      className="border-none"
+                    />
+                    <SimpleTooltip
+                      asChild
+                      button={
+                        <button
+                          type="button"
+                          onMouseDown={(e) => e.preventDefault()}
+                          onClick={() => setText("")}
+                          className="flex size-4.5 items-center justify-center rounded-[2px] border border-text-dimmed/40 text-text-dimmed transition hover:bg-charcoal-600 hover:text-text-bright"
+                        >
+                          <XMarkIcon className="size-3" />
+                        </button>
+                      }
+                      content={
+                        <div className="flex items-center gap-1">
+                          <span className="text-text-dimmed">Clear field</span>
+                          <ShortcutKey shortcut={{ key: "esc" }} variant="small" />
+                        </div>
+                      }
+                      className="px-2 py-1.5 text-xs"
+                      disableHoverableContent
+                    />
+                  </div>
                 ) : undefined
               }
             />
diff --git a/apps/webapp/app/components/runs/v3/BatchFilters.tsx b/apps/webapp/app/components/runs/v3/BatchFilters.tsx
index e0d417ddec4..2c2f15b4584 100644
--- a/apps/webapp/app/components/runs/v3/BatchFilters.tsx
+++ b/apps/webapp/app/components/runs/v3/BatchFilters.tsx
@@ -8,25 +8,18 @@ import {
 } from "@heroicons/react/20/solid";
 import { Form } from "@remix-run/react";
 import type { BatchTaskRunStatus, RuntimeEnvironment } from "@trigger.dev/database";
-import { ListFilterIcon } from "lucide-react";
-import type { ReactNode } from "react";
-import { useCallback, useMemo, useState } from "react";
+import { type ReactNode, useCallback, useRef, useState } from "react";
 import { z } from "zod";
 import { AppliedFilter } from "~/components/primitives/AppliedFilter";
-import { FormError } from "~/components/primitives/FormError";
-import { Input } from "~/components/primitives/Input";
-import { Label } from "~/components/primitives/Label";
 import { Paragraph } from "~/components/primitives/Paragraph";
 import {
-  ComboBox,
-  SelectButtonItem,
   SelectItem,
   SelectList,
   SelectPopover,
   SelectProvider,
-  SelectTrigger,
   shortcutFromIndex,
 } from "~/components/primitives/Select";
+import { ShortcutKey } from "~/components/primitives/ShortcutKey";
 import {
   Tooltip,
   TooltipContent,
@@ -35,6 +28,7 @@ import {
 } from "~/components/primitives/Tooltip";
 import { useOptimisticLocation } from "~/hooks/useOptimisticLocation";
 import { useSearchParams } from "~/hooks/useSearchParam";
+import { useShortcutKeys } from "~/hooks/useShortcutKeys";
 import { Button } from "../../primitives/Buttons";
 import {
   allBatchStatuses,
@@ -42,7 +36,13 @@ import {
   batchStatusTitle,
   descriptionForBatchStatus,
 } from "./BatchStatus";
-import { TimeFilter, appliedSummary, FilterMenuProvider } from "./SharedFilters";
+import {
+  TimeFilter,
+  appliedSummary,
+  FilterMenuProvider,
+  IdFilterDropdown,
+  type IdFilterDropdownProps,
+} from "./SharedFilters";
 import { StatusIcon } from "~/assets/icons/StatusIcon";
 
 export const BatchStatus = z.enum(allBatchStatuses);
@@ -69,133 +69,33 @@ type BatchFiltersProps = {
 export function BatchFilters(props: BatchFiltersProps) {
   const location = useOptimisticLocation();
   const searchParams = new URLSearchParams(location.search);
-  const hasFilters = searchParams.has("statuses") || searchParams.has("id");
+  const hasFilters =
+    searchParams.has("statuses") ||
+    searchParams.has("id") ||
+    searchParams.has("period") ||
+    searchParams.has("from") ||
+    searchParams.has("to");
 
   return (
-    <div className="flex flex-row flex-wrap items-center gap-1">
-      <FilterMenu {...props} />
-      <TimeFilter />
-      <AppliedFilters />
+    <div className="flex flex-row flex-wrap items-center gap-1.5">
+      <PermanentStatusFilter />
+      <PermanentBatchIdFilter />
+      <TimeFilter shortcut={{ key: "d" }} />
       {hasFilters && (
-        <Form className="h-6">
-          <Button variant="secondary/small" LeadingIcon={XMarkIcon} tooltip="Clear all filters" />
+        <Form className="-ml-1 h-6">
+          <Button
+            variant="minimal/small"
+            LeadingIcon={XMarkIcon}
+            tooltip="Clear all filters"
+            className="group-hover/button:bg-transparent"
+            leadingIconClassName="group-hover/button:text-text-bright"
+          />
         </Form>
       )}
     </div>
   );
 }
 
-const filterTypes = [
-  {
-    name: "statuses",
-    title: "Status",
-    icon: (
-      <div className="flex size-4 items-center justify-center">
-        <div className="size-3 rounded-full border-2 border-text-dimmed" />
-      </div>
-    ),
-  },
-  { name: "batch", title: "Batch ID", icon: <Squares2X2Icon className="size-4" /> },
-] as const;
-
-type FilterType = (typeof filterTypes)[number]["name"];
-
-const shortcut = { key: "f" };
-
-function FilterMenu(props: BatchFiltersProps) {
-  const [filterType, setFilterType] = useState<FilterType | undefined>();
-
-  const filterTrigger = (
-    <SelectTrigger
-      icon={
-        <div className="flex size-4 items-center justify-center">
-          <ListFilterIcon className="size-3.5" />
-        </div>
-      }
-      variant={"secondary/small"}
-      shortcut={shortcut}
-      tooltipTitle={"Filter batches"}
-    >
-      Filter
-    </SelectTrigger>
-  );
-
-  return (
-    <FilterMenuProvider onClose={() => setFilterType(undefined)}>
-      {(search, setSearch) => (
-        <Menu
-          searchValue={search}
-          clearSearchValue={() => setSearch("")}
-          trigger={filterTrigger}
-          filterType={filterType}
-          setFilterType={setFilterType}
-          {...props}
-        />
-      )}
-    </FilterMenuProvider>
-  );
-}
-
-function AppliedFilters() {
-  return (
-    <>
-      <AppliedStatusFilter />
-      <AppliedBatchIdFilter />
-    </>
-  );
-}
-
-type MenuProps = {
-  searchValue: string;
-  clearSearchValue: () => void;
-  trigger: React.ReactNode;
-  filterType: FilterType | undefined;
-  setFilterType: (filterType: FilterType | undefined) => void;
-} & BatchFiltersProps;
-
-function Menu(props: MenuProps) {
-  switch (props.filterType) {
-    case undefined:
-      return <MainMenu {...props} />;
-    case "statuses":
-      return <StatusDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
-    case "batch":
-      return <BatchIdDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
-  }
-}
-
-function MainMenu({ searchValue, trigger, clearSearchValue, setFilterType }: MenuProps) {
-  const filtered = useMemo(() => {
-    return filterTypes.filter((item) => {
-      return item.title.toLowerCase().includes(searchValue.toLowerCase());
-    });
-  }, [searchValue]);
-
-  return (
-    <SelectProvider virtualFocus={true}>
-      {trigger}
-      <SelectPopover>
-        <ComboBox placeholder={"Filter by..."} shortcut={shortcut} value={searchValue} />
-        <SelectList>
-          {filtered.map((type, index) => (
-            <SelectButtonItem
-              key={type.name}
-              onClick={() => {
-                clearSearchValue();
-                setFilterType(type.name);
-              }}
-              icon={type.icon}
-              shortcut={shortcutFromIndex(index, { shortcutsEnabled: true })}
-            >
-              {type.title}
-            </SelectButtonItem>
-          ))}
-        </SelectList>
-      </SelectPopover>
-    </SelectProvider>
-  );
-}
-
 const statuses = allBatchStatuses.map((status) => ({
   title: batchStatusTitle(status),
   value: status,
@@ -219,10 +119,6 @@ function StatusDropdown({
     replace({ statuses: values, cursor: undefined, direction: undefined });
   };
 
-  const filtered = useMemo(() => {
-    return statuses.filter((item) => item.title.toLowerCase().includes(searchValue.toLowerCase()));
-  }, [searchValue]);
-
   return (
     <SelectProvider value={values("statuses")} setValue={handleChange} virtualFocus={true}>
       {trigger}
@@ -237,9 +133,8 @@ function StatusDropdown({
           return true;
         }}
       >
-        <ComboBox placeholder={"Filter by status..."} value={searchValue} />
         <SelectList>
-          {filtered.map((item, index) => (
+          {statuses.map((item, index) => (
             <SelectItem
               key={item.value}
               value={item.value}
@@ -265,30 +160,68 @@ function StatusDropdown({
   );
 }
 
-function AppliedStatusFilter() {
+const statusShortcut = { key: "s" };
+
+function PermanentStatusFilter() {
   const { values, del } = useSearchParams();
   const statuses = values("statuses");
-
-  if (statuses.length === 0) {
-    return null;
-  }
+  const hasStatuses = statuses.length > 0;
+  const triggerRef = useRef<HTMLButtonElement>(null);
+
+  useShortcutKeys({
+    shortcut: statusShortcut,
+    action: (e) => {
+      e.preventDefault();
+      e.stopPropagation();
+      triggerRef.current?.click();
+    },
+  });
 
   return (
     <FilterMenuProvider>
       {(search, setSearch) => (
         <StatusDropdown
           trigger={
-            <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
-              <AppliedFilter
-                label="Status"
-                icon={<StatusIcon className="size-3.5" />}
-                value={appliedSummary(
-                  statuses.map((v) => batchStatusTitle(v as BatchTaskRunStatus))
+            <Ariakit.TooltipProvider timeout={200}>
+              <Ariakit.TooltipAnchor
+                render={
+                  <Ariakit.Select
+                    ref={triggerRef}
+                    render={<div className="group cursor-pointer focus-custom" />}
+                  />
+                }
+              >
+                {hasStatuses ? (
+                  <AppliedFilter
+                    label="Status"
+                    icon={<StatusIcon className="size-3.5" />}
+                    value={appliedSummary(
+                      statuses.map((v) => batchStatusTitle(v as BatchTaskRunStatus))
+                    )}
+                    onRemove={() => del(["statuses", "cursor", "direction"])}
+                    variant="secondary/small"
+                    className="pl-1"
+                  />
+                ) : (
+                  <div className="flex h-6 items-center gap-1 rounded border border-charcoal-600 bg-secondary pl-1 pr-2 text-xs text-text-bright transition group-hover:border-charcoal-550 group-hover:bg-charcoal-600">
+                    <div className="grid size-4 place-items-center">
+                      <div className="size-[75%] rounded-full border-2 border-text-bright" />
+                    </div>
+                    <span>Status</span>
+                  </div>
                 )}
-                onRemove={() => del(["statuses", "cursor", "direction"])}
-                variant="secondary/small"
-              />
-            </Ariakit.Select>
+              </Ariakit.TooltipAnchor>
+              <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright px-2 py-1.5 text-xs">
+                <div className="flex items-center gap-2">
+                  <span>Filter by status</span>
+                  <ShortcutKey
+                    className="size-4 flex-none"
+                    shortcut={statusShortcut}
+                    variant="small"
+                  />
+                </div>
+              </Ariakit.Tooltip>
+            </Ariakit.TooltipProvider>
           }
           searchValue={search}
           clearSearchValue={() => setSearch("")}
@@ -298,117 +231,83 @@ function AppliedStatusFilter() {
   );
 }
 
-function BatchIdDropdown({
-  trigger,
-  clearSearchValue,
-  searchValue,
-  onClose,
-}: {
-  trigger: ReactNode;
-  clearSearchValue: () => void;
-  searchValue: string;
-  onClose?: () => void;
-}) {
-  const [open, setOpen] = useState<boolean | undefined>();
-  const { value, replace } = useSearchParams();
-  const batchIdValue = value("id");
-
-  const [batchId, setBatchId] = useState(batchIdValue);
-
-  const apply = useCallback(() => {
-    clearSearchValue();
-    replace({
-      cursor: undefined,
-      direction: undefined,
-      id: batchId === "" ? undefined : batchId?.toString(),
-    });
-
-    setOpen(false);
-  }, [batchId, replace]);
-
-  let error: string | undefined = undefined;
-  if (batchId) {
-    if (!batchId.startsWith("batch_")) {
-      error = "Batch IDs start with 'batch_'";
-    } else if (batchId.length !== 27 && batchId.length !== 31) {
-      error = "Batch IDs are 27/32 characters long";
-    }
-  }
+function validateBatchId(value: string): string | undefined {
+  if (!value.startsWith("batch_")) return "Batch IDs start with 'batch_'";
+  if (value.length !== 27 && value.length !== 31) return "Batch IDs are 27 or 31 characters long";
+}
 
+function BatchIdDropdown(
+  props: Omit<IdFilterDropdownProps, "label" | "placeholder" | "paramKey" | "validate">
+) {
   return (
-    <SelectProvider virtualFocus={true} open={open} setOpen={setOpen}>
-      {trigger}
-      <SelectPopover
-        hideOnEnter={false}
-        hideOnEscape={() => {
-          if (onClose) {
-            onClose();
-            return false;
-          }
-
-          return true;
-        }}
-        className="max-w-[min(32ch,var(--popover-available-width))]"
-      >
-        <div className="flex flex-col gap-4 p-3">
-          <div className="flex flex-col gap-1">
-            <Label>Batch ID</Label>
-            <Input
-              placeholder="batch_"
-              value={batchId ?? ""}
-              onChange={(e) => setBatchId(e.target.value)}
-              variant="small"
-              className="w-[29ch] font-mono"
-              spellCheck={false}
-            />
-            {error ? <FormError>{error}</FormError> : null}
-          </div>
-          <div className="flex justify-between gap-1 border-t border-grid-dimmed pt-3">
-            <Button variant="tertiary/small" onClick={() => setOpen(false)}>
-              Cancel
-            </Button>
-            <Button
-              disabled={error !== undefined || !batchId}
-              variant="secondary/small"
-              shortcut={{
-                modifiers: ["mod"],
-                key: "Enter",
-                enabledOnInputElements: true,
-              }}
-              onClick={() => apply()}
-            >
-              Apply
-            </Button>
-          </div>
-        </div>
-      </SelectPopover>
-    </SelectProvider>
+    <IdFilterDropdown
+      {...props}
+      label="Batch ID"
+      placeholder="batch_"
+      paramKey="id"
+      validate={validateBatchId}
+    />
   );
 }
 
-function AppliedBatchIdFilter() {
-  const { value, del } = useSearchParams();
-
-  if (value("id") === undefined) {
-    return null;
-  }
+const batchIdShortcut = { key: "b" };
 
+function PermanentBatchIdFilter() {
+  const { value, del } = useSearchParams();
   const batchId = value("id");
+  const hasBatchId = batchId !== undefined;
+  const triggerRef = useRef<HTMLButtonElement>(null);
+
+  useShortcutKeys({
+    shortcut: batchIdShortcut,
+    action: (e) => {
+      e.preventDefault();
+      e.stopPropagation();
+      triggerRef.current?.click();
+    },
+  });
 
   return (
     <FilterMenuProvider>
       {(search, setSearch) => (
         <BatchIdDropdown
           trigger={
-            <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
-              <AppliedFilter
-                label="Batch ID"
-                icon={<Squares2X2Icon className="size-3.5" />}
-                value={batchId}
-                onRemove={() => del(["id", "cursor", "direction"])}
-                variant="secondary/small"
-              />
-            </Ariakit.Select>
+            <Ariakit.TooltipProvider timeout={200}>
+              <Ariakit.TooltipAnchor
+                render={
+                  <Ariakit.Select
+                    ref={triggerRef}
+                    render={<div className="group cursor-pointer focus-custom" />}
+                  />
+                }
+              >
+                {hasBatchId ? (
+                  <AppliedFilter
+                    label="Batch ID"
+                    icon={<Squares2X2Icon className="size-3.5" />}
+                    value={batchId}
+                    onRemove={() => del(["id", "cursor", "direction"])}
+                    variant="secondary/small"
+                    className="pl-1"
+                  />
+                ) : (
+                  <div className="flex h-6 items-center gap-1.5 rounded border border-charcoal-600 bg-secondary pl-1 pr-2 text-xs text-text-bright transition group-hover:border-charcoal-550 group-hover:bg-charcoal-600">
+                    <Squares2X2Icon className="size-3.5" />
+                    <span>Batch ID</span>
+                  </div>
+                )}
+              </Ariakit.TooltipAnchor>
+              <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright px-2 py-1.5 text-xs">
+                <div className="flex items-center gap-2">
+                  <span>Filter by batch ID</span>
+                  <ShortcutKey
+                    className="size-4 flex-none"
+                    shortcut={batchIdShortcut}
+                    variant="small"
+                  />
+                </div>
+              </Ariakit.Tooltip>
+            </Ariakit.TooltipProvider>
           }
           searchValue={search}
           clearSearchValue={() => setSearch("")}
diff --git a/apps/webapp/app/components/runs/v3/CancelRunDialog.tsx b/apps/webapp/app/components/runs/v3/CancelRunDialog.tsx
index facff746c5e..566bc787daa 100644
--- a/apps/webapp/app/components/runs/v3/CancelRunDialog.tsx
+++ b/apps/webapp/app/components/runs/v3/CancelRunDialog.tsx
@@ -10,9 +10,18 @@ import { SpinnerWhite } from "~/components/primitives/Spinner";
 type CancelRunDialogProps = {
   runFriendlyId: string;
   redirectPath: string;
+  // Fired on submit so the parent can close the Radix Dialog without
+  // wrapping the submit button in `DialogClose` — that wrapper races
+  // submit (close fires first, unmounts the form, and the cancel POST
+  // never lands). Optional so existing call sites still type-check.
+  onCancelSubmitted?: () => void;
 };
 
-export function CancelRunDialog({ runFriendlyId, redirectPath }: CancelRunDialogProps) {
+export function CancelRunDialog({
+  runFriendlyId,
+  redirectPath,
+  onCancelSubmitted,
+}: CancelRunDialogProps) {
   const navigation = useNavigation();
 
   const formAction = `/resources/taskruns/${runFriendlyId}/cancel`;
@@ -27,7 +36,11 @@ export function CancelRunDialog({ runFriendlyId, redirectPath }: CancelRunDialog
         </Paragraph>
         <FormButtons
           confirmButton={
-            <Form action={`/resources/taskruns/${runFriendlyId}/cancel`} method="post">
+            <Form
+              action={`/resources/taskruns/${runFriendlyId}/cancel`}
+              method="post"
+              onSubmit={() => onCancelSubmitted?.()}
+            >
               <Button
                 type="submit"
                 name="redirectUrl"
diff --git a/apps/webapp/app/components/runs/v3/PromptSpanDetails.tsx b/apps/webapp/app/components/runs/v3/PromptSpanDetails.tsx
index 9645087b859..a78a0e183ed 100644
--- a/apps/webapp/app/components/runs/v3/PromptSpanDetails.tsx
+++ b/apps/webapp/app/components/runs/v3/PromptSpanDetails.tsx
@@ -1,5 +1,6 @@
-import { lazy, Suspense, useState } from "react";
+import { Suspense, useState } from "react";
 import { CodeBlock } from "~/components/code/CodeBlock";
+import { StreamdownRenderer } from "~/components/code/StreamdownRenderer";
 import { Header3 } from "~/components/primitives/Headers";
 import { TextLink } from "~/components/primitives/TextLink";
 import { tryPrettyJson } from "./ai/aiHelpers";
@@ -12,16 +13,6 @@ import { TabButton, TabContainer } from "~/components/primitives/Tabs";
 import type { PromptSpanData } from "~/presenters/v3/SpanPresenter.server";
 import { SpanHorizontalTimeline } from "~/components/runs/v3/SpanHorizontalTimeline";
 
-const StreamdownRenderer = lazy(() =>
-  import("streamdown").then((mod) => ({
-    default: ({ children }: { children: string }) => (
-      <mod.ShikiThemeContext.Provider value={["one-dark-pro", "one-dark-pro"]}>
-        <mod.Streamdown isAnimating={false}>{children}</mod.Streamdown>
-      </mod.ShikiThemeContext.Provider>
-    ),
-  }))
-);
-
 type PromptTab = "overview" | "input" | "template";
 
 export function PromptSpanDetails({
diff --git a/apps/webapp/app/components/runs/v3/RegionLabel.tsx b/apps/webapp/app/components/runs/v3/RegionLabel.tsx
new file mode 100644
index 00000000000..015e8fe9152
--- /dev/null
+++ b/apps/webapp/app/components/runs/v3/RegionLabel.tsx
@@ -0,0 +1,22 @@
+import { FlagIcon } from "~/assets/icons/RegionIcons";
+import { cn } from "~/utils/cn";
+
+type RegionLabelProps = {
+  region: {
+    name: string;
+    location?: string | null;
+  };
+  className?: string;
+  iconClassName?: string;
+};
+
+export function RegionLabel({ region, className, iconClassName }: RegionLabelProps) {
+  return (
+    <span className={cn("flex items-center gap-1", className)}>
+      {region.location ? (
+        <FlagIcon region={region.location} className={cn("size-5", iconClassName)} />
+      ) : null}
+      {region.name}
+    </span>
+  );
+}
diff --git a/apps/webapp/app/components/runs/v3/RunFilters.tsx b/apps/webapp/app/components/runs/v3/RunFilters.tsx
index dc3657b42a9..097b388caaa 100644
--- a/apps/webapp/app/components/runs/v3/RunFilters.tsx
+++ b/apps/webapp/app/components/runs/v3/RunFilters.tsx
@@ -2,7 +2,10 @@ import * as Ariakit from "@ariakit/react";
 import {
   CalendarIcon,
   ClockIcon,
+  CpuChipIcon,
   FingerPrintIcon,
+  GlobeAltIcon,
+  PlusIcon,
   RectangleStackIcon,
   Squares2X2Icon,
   TagIcon,
@@ -12,9 +15,8 @@ import { Form, useFetcher } from "@remix-run/react";
 import { IconBugFilled, IconRotateClockwise2, IconToggleLeft } from "@tabler/icons-react";
 import { MachinePresetName } from "@trigger.dev/core/v3";
 import type { BulkActionType, TaskRunStatus, TaskTriggerSource } from "@trigger.dev/database";
-import { ListFilterIcon } from "lucide-react";
 import { matchSorter } from "match-sorter";
-import { type ReactNode, useCallback, useEffect, useMemo, useState } from "react";
+import { type ReactNode, useCallback, useEffect, useMemo, useRef, useState } from "react";
 import { z } from "zod";
 import { ListCheckedIcon } from "~/assets/icons/ListCheckedIcon";
 import { MachineDefaultIcon } from "~/assets/icons/MachineIcon";
@@ -28,14 +30,13 @@ import {
 import { AppliedFilter } from "~/components/primitives/AppliedFilter";
 import { Badge } from "~/components/primitives/Badge";
 import { DateTime } from "~/components/primitives/DateTime";
-import { FormError } from "~/components/primitives/FormError";
-import { Input } from "~/components/primitives/Input";
-import { Label } from "~/components/primitives/Label";
 import { MiddleTruncate } from "~/components/primitives/MiddleTruncate";
 import { Paragraph } from "~/components/primitives/Paragraph";
 import {
   ComboBox,
   SelectButtonItem,
+  SelectGroup,
+  SelectGroupLabel,
   SelectItem,
   SelectList,
   SelectPopover,
@@ -57,13 +58,24 @@ import { useOptimisticLocation } from "~/hooks/useOptimisticLocation";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
 import { useSearchParams } from "~/hooks/useSearchParam";
+import { useShortcutKeys } from "~/hooks/useShortcutKeys";
+import { ShortcutKey } from "~/components/primitives/ShortcutKey";
+import { type loader as tagsLoader } from "~/routes/resources.environments.$envId.runs.tags";
 import { type loader as queuesLoader } from "~/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.queues";
+import { useRegions } from "~/hooks/useRegions";
+import { RegionLabel } from "./RegionLabel";
 import { type loader as versionsLoader } from "~/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.versions";
-import { type loader as tagsLoader } from "~/routes/resources.environments.$envId.runs.tags";
 import { Button } from "../../primitives/Buttons";
-import { BulkActionTypeCombo } from "./BulkAction";
-import { appliedSummary, FilterMenuProvider, TimeFilter, timeFilters } from "./SharedFilters";
 import { AIFilterInput } from "./AIFilterInput";
+import { BulkActionTypeCombo } from "./BulkAction";
+import {
+  IdFilterDropdown,
+  type IdFilterDropdownProps,
+  appliedSummary,
+  FilterMenuProvider,
+  TimeFilter,
+  timeFilters,
+} from "./SharedFilters";
 import {
   allTaskRunStatuses,
   descriptionForTaskRunStatus,
@@ -178,10 +190,16 @@ export const TaskRunListSearchFilters = z.object({
       "Schedule ID to filter by - shows runs from a specific schedule. They start with sched_"
     ),
   queues: StringOrStringArray.describe("Queue names to filter by (these are user-defined names)"),
+  regions: StringOrStringArray.describe(
+    "Region master-queue identifiers to filter by (the worker instance group masterQueue values)"
+  ),
   machines: MachinePresetOrMachinePresetArray.describe(
     `Machine presets to filter by (${machines.join(", ")})`
   ),
   errorId: z.string().optional().describe("Error ID to filter runs by (e.g. error_abc123)"),
+  sources: StringOrStringArray.describe(
+    "Task trigger sources to filter by (STANDARD, SCHEDULED, AGENT)"
+  ),
 });
 
 export type TaskRunListSearchFilters = z.infer<typeof TaskRunListSearchFilters>;
@@ -217,12 +235,16 @@ export function filterTitle(filterKey: string) {
       return "Schedule ID";
     case "queues":
       return "Queues";
+    case "regions":
+      return "Region";
     case "machines":
       return "Machine";
     case "versions":
       return "Version";
     case "errorId":
       return "Error ID";
+    case "sources":
+      return "Source";
     default:
       return filterKey;
   }
@@ -257,12 +279,16 @@ export function filterIcon(filterKey: string): ReactNode | undefined {
       return <ClockIcon className="size-4" />;
     case "queues":
       return <RectangleStackIcon className="size-4" />;
+    case "regions":
+      return <GlobeAltIcon className="size-4" />;
     case "machines":
       return <MachineDefaultIcon className="size-4" />;
     case "versions":
       return <IconRotateClockwise2 className="size-4" />;
     case "errorId":
       return <IconBugFilled className="size-4" />;
+    case "sources":
+      return <CpuChipIcon className="size-4" />;
     default:
       return undefined;
   }
@@ -301,6 +327,10 @@ export function getRunFiltersFromSearchParams(
       searchParams.getAll("queues").filter((v) => v.length > 0).length > 0
         ? searchParams.getAll("queues")
         : undefined,
+    regions:
+      searchParams.getAll("regions").filter((v) => v.length > 0).length > 0
+        ? searchParams.getAll("regions")
+        : undefined,
     machines:
       searchParams.getAll("machines").filter((v) => v.length > 0).length > 0
         ? searchParams.getAll("machines")
@@ -310,6 +340,10 @@ export function getRunFiltersFromSearchParams(
         ? searchParams.getAll("versions")
         : undefined,
     errorId: searchParams.get("errorId") ?? undefined,
+    sources:
+      searchParams.getAll("sources").filter((v) => v.length > 0).length > 0
+        ? searchParams.getAll("sources")
+        : undefined,
   };
 
   const parsed = TaskRunListSearchFilters.safeParse(params);
@@ -322,7 +356,7 @@ export function getRunFiltersFromSearchParams(
 }
 
 type RunFiltersProps = {
-  possibleTasks: { slug: string; triggerSource: TaskTriggerSource }[];
+  possibleTasks: { slug: string; triggerSource: TaskTriggerSource; isInLatestDeployment: boolean }[];
   bulkActions: {
     id: string;
     type: BulkActionType;
@@ -349,23 +383,30 @@ export function RunsFilters(props: RunFiltersProps) {
     searchParams.has("runId") ||
     searchParams.has("scheduleId") ||
     searchParams.has("queues") ||
+    searchParams.has("regions") ||
     searchParams.has("machines") ||
     searchParams.has("versions") ||
-    searchParams.has("errorId");
+    searchParams.has("errorId") ||
+    searchParams.has("sources");
 
   return (
-    <div className="flex flex-row flex-wrap items-center gap-1">
-      <FilterMenu {...props} />
+    <div className="flex flex-row flex-wrap items-center gap-1.5">
       {!props.hideSearch && <AIFilterInput />}
+      <PermanentStatusFilter />
+      <PermanentTasksFilter possibleTasks={props.possibleTasks} />
+      <TimeFilter defaultPeriod={props.defaultPeriod} shortcut={{ key: "d" }} />
       <RootOnlyToggle defaultValue={props.rootOnlyDefault} />
-      <TimeFilter defaultPeriod={props.defaultPeriod} />
       <AppliedFilters {...props} />
+      <FilterMenu {...props} />
       {hasFilters && (
-        <Form className="h-6">
-          {searchParams.has("rootOnly") && (
-            <input type="hidden" name="rootOnly" value={searchParams.get("rootOnly") as string} />
-          )}
-          <Button variant="secondary/small" LeadingIcon={XMarkIcon} tooltip="Clear all filters" />
+        <Form className="-ml-1 h-6">
+          <Button
+            variant="minimal/small"
+            LeadingIcon={XMarkIcon}
+            tooltip="Clear all filters"
+            className="group-hover/button:bg-transparent"
+            leadingIconClassName="group-hover/button:text-text-bright"
+          />
         </Form>
       )}
     </div>
@@ -373,21 +414,17 @@ export function RunsFilters(props: RunFiltersProps) {
 }
 
 const filterTypes = [
-  {
-    name: "statuses",
-    title: "Status",
-    icon: <StatusIcon className="size-4 border-text-bright" />,
-  },
-  { name: "tasks", title: "Tasks", icon: <TaskIcon className="size-4" /> },
   { name: "tags", title: "Tags", icon: <TagIcon className="size-4" /> },
   { name: "versions", title: "Versions", icon: <IconRotateClockwise2 className="size-4" /> },
   { name: "queues", title: "Queues", icon: <RectangleStackIcon className="size-4" /> },
+  { name: "regions", title: "Region", icon: <GlobeAltIcon className="size-4" /> },
   { name: "machines", title: "Machines", icon: <MachineDefaultIcon className="size-4" /> },
   { name: "run", title: "Run ID", icon: <FingerPrintIcon className="size-4" /> },
   { name: "batch", title: "Batch ID", icon: <Squares2X2Icon className="size-4" /> },
   { name: "schedule", title: "Schedule ID", icon: <ClockIcon className="size-4" /> },
   { name: "bulk", title: "Bulk action", icon: <ListCheckedIcon className="size-4" /> },
   { name: "error", title: "Error ID", icon: <IconBugFilled className="size-4" /> },
+  { name: "source", title: "Source", icon: <CpuChipIcon className="size-4" /> },
 ] as const;
 
 type FilterType = (typeof filterTypes)[number]["name"];
@@ -401,15 +438,15 @@ function FilterMenu(props: RunFiltersProps) {
     <SelectTrigger
       icon={
         <div className="flex size-4 items-center justify-center">
-          <ListFilterIcon className="size-3.5" />
+          <PlusIcon className="size-3.5" />
         </div>
       }
       variant={"secondary/small"}
       shortcut={shortcut}
-      tooltipTitle={"Filter runs"}
-      className="pr-0.5"
+      tooltipTitle={"More filters"}
+      className="pl-1 pr-2"
     >
-      <></>
+      More filters
     </SelectTrigger>
   );
 
@@ -429,20 +466,20 @@ function FilterMenu(props: RunFiltersProps) {
   );
 }
 
-function AppliedFilters({ possibleTasks, bulkActions }: RunFiltersProps) {
+function AppliedFilters({ bulkActions }: RunFiltersProps) {
   return (
     <>
-      <AppliedStatusFilter />
-      <AppliedTaskFilter possibleTasks={possibleTasks} />
       <AppliedTagsFilter />
       <AppliedVersionsFilter />
       <AppliedQueuesFilter />
+      <AppliedRegionsFilter />
       <AppliedMachinesFilter />
       <AppliedRunIdFilter />
       <AppliedBatchIdFilter />
       <AppliedScheduleIdFilter />
       <AppliedBulkActionsFilter bulkActions={bulkActions} />
       <AppliedErrorIdFilter />
+      <AppliedSourceFilter />
     </>
   );
 }
@@ -459,16 +496,14 @@ function Menu(props: MenuProps) {
   switch (props.filterType) {
     case undefined:
       return <MainMenu {...props} />;
-    case "statuses":
-      return <StatusDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
-    case "tasks":
-      return <TasksDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
     case "bulk":
       return <BulkActionsDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
     case "tags":
       return <TagsDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
     case "queues":
       return <QueuesDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
+    case "regions":
+      return <RegionsDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
     case "machines":
       return <MachinesDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
     case "run":
@@ -481,15 +516,20 @@ function Menu(props: MenuProps) {
       return <VersionsDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
     case "error":
       return <ErrorIdDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
+    case "source":
+      return <SourceDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
   }
 }
 
 function MainMenu({ searchValue, trigger, clearSearchValue, setFilterType }: MenuProps) {
+  const environment = useEnvironment();
+  const showRegion = environment.type !== "DEVELOPMENT";
   const filtered = useMemo(() => {
     return filterTypes.filter((item) => {
+      if (item.name === "regions" && !showRegion) return false;
       return item.title.toLowerCase().includes(searchValue.toLowerCase());
     });
-  }, [searchValue]);
+  }, [searchValue, showRegion]);
 
   return (
     <SelectProvider virtualFocus={true}>
@@ -507,7 +547,7 @@ function MainMenu({ searchValue, trigger, clearSearchValue, setFilterType }: Men
               icon={type.icon}
               shortcut={shortcutFromIndex(index, { shortcutsEnabled: true })}
             >
-              {type.title}
+              <span className="text-text-bright">{type.title}</span>
             </SelectButtonItem>
           ))}
         </SelectList>
@@ -585,28 +625,67 @@ function StatusDropdown({
   );
 }
 
-function AppliedStatusFilter() {
+const statusShortcut = { key: "s" };
+
+function PermanentStatusFilter() {
   const { values, del } = useSearchParams();
   const statuses = values("statuses");
-
-  if (statuses.length === 0 || statuses.every((v) => v === "")) {
-    return null;
-  }
+  const hasStatuses = statuses.length > 0 && !statuses.every((v) => v === "");
+  const triggerRef = useRef<HTMLButtonElement>(null);
+
+  useShortcutKeys({
+    shortcut: statusShortcut,
+    action: (e) => {
+      e.preventDefault();
+      e.stopPropagation();
+      triggerRef.current?.click();
+    },
+  });
 
   return (
     <FilterMenuProvider>
       {(search, setSearch) => (
         <StatusDropdown
           trigger={
-            <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
-              <AppliedFilter
-                label="Status"
-                icon={filterIcon("statuses")}
-                value={appliedSummary(statuses.map((v) => runStatusTitle(v as TaskRunStatus)))}
-                onRemove={() => del(["statuses", "cursor", "direction"])}
-                variant="secondary/small"
-              />
-            </Ariakit.Select>
+            <Ariakit.TooltipProvider timeout={200}>
+              <Ariakit.TooltipAnchor
+                render={
+                  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                  <Ariakit.Select
+                    ref={triggerRef as any}
+                    render={<div className="group cursor-pointer focus-custom" />}
+                  />
+                }
+              >
+                {hasStatuses ? (
+                  <AppliedFilter
+                    label="Status"
+                    icon={filterIcon("statuses")}
+                    value={appliedSummary(statuses.map((v) => runStatusTitle(v as TaskRunStatus)))}
+                    onRemove={() => del(["statuses", "cursor", "direction"])}
+                    variant="secondary/small"
+                    className="pl-1"
+                  />
+                ) : (
+                  <div className="flex h-6 items-center gap-1 rounded border border-charcoal-600 bg-secondary pl-1 pr-2 text-xs text-text-bright transition group-hover:border-charcoal-550 group-hover:bg-charcoal-600">
+                    <div className="grid size-4 place-items-center">
+                      <div className="size-[75%] rounded-full border-2 border-text-bright" />
+                    </div>
+                    <span>Status</span>
+                  </div>
+                )}
+              </Ariakit.TooltipAnchor>
+              <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright px-2 py-1.5 text-xs">
+                <div className="flex items-center gap-2">
+                  <span>Filter by status</span>
+                  <ShortcutKey
+                    className="size-4 flex-none"
+                    shortcut={statusShortcut}
+                    variant="small"
+                  />
+                </div>
+              </Ariakit.Tooltip>
+            </Ariakit.TooltipProvider>
           }
           searchValue={search}
           clearSearchValue={() => setSearch("")}
@@ -627,13 +706,27 @@ function TasksDropdown({
   clearSearchValue: () => void;
   searchValue: string;
   onClose?: () => void;
-  possibleTasks: { slug: string; triggerSource: TaskTriggerSource }[];
+  possibleTasks: { slug: string; triggerSource: TaskTriggerSource; isInLatestDeployment: boolean }[];
 }) {
   const { values, replace } = useSearchParams();
 
-  const handleChange = (values: string[]) => {
+  const handleChange = (newValues: string[]) => {
     clearSearchValue();
-    replace({ tasks: values, cursor: undefined, direction: undefined });
+    const previousTasks = values("tasks");
+    const wasEmpty = previousTasks.length === 0 || previousTasks.every((v) => v === "");
+    const isEmpty = newValues.length === 0 || newValues.every((v) => v === "");
+    // empty -> tasks: temporarily force rootOnly off so child runs of the selected
+    // task are visible. tasks -> empty: drop rootOnly so the toggle reverts to the
+    // user's saved session preference. Neither writes to the cookie (see loader).
+    const transitioningToTasks = wasEmpty && !isEmpty;
+    const transitioningToNoTasks = !wasEmpty && isEmpty;
+    replace({
+      tasks: newValues,
+      cursor: undefined,
+      direction: undefined,
+      ...(transitioningToTasks ? { rootOnly: "false" } : {}),
+      ...(transitioningToNoTasks ? { rootOnly: undefined } : {}),
+    });
   };
 
   const filtered = useMemo(() => {
@@ -658,49 +751,114 @@ function TasksDropdown({
       >
         <ComboBox placeholder={"Filter by task..."} value={searchValue} />
         <SelectList>
-          {filtered.map((item, index) => (
-            <SelectItem
-              key={`${item.triggerSource}-${item.slug}`}
-              value={item.slug}
-              icon={
-                <TaskTriggerSourceIcon source={item.triggerSource} className="size-4 flex-none" />
-              }
-            >
-              <MiddleTruncate text={item.slug} />
-            </SelectItem>
-          ))}
+          {filtered
+            .filter((item) => item.isInLatestDeployment)
+            .map((item) => (
+              <SelectItem
+                key={`${item.triggerSource}-${item.slug}`}
+                value={item.slug}
+                icon={
+                  <TaskTriggerSourceIcon source={item.triggerSource} className="size-4 flex-none" />
+                }
+                className="text-text-bright"
+              >
+                <MiddleTruncate text={item.slug} />
+              </SelectItem>
+            ))}
+          {filtered.some((item) => !item.isInLatestDeployment) && (
+            <SelectGroup>
+              <SelectGroupLabel>Archived</SelectGroupLabel>
+              {filtered
+                .filter((item) => !item.isInLatestDeployment)
+                .map((item) => (
+                  <SelectItem
+                    key={`${item.triggerSource}-${item.slug}`}
+                    value={item.slug}
+                    icon={
+                      <span className="opacity-50">
+                        <TaskTriggerSourceIcon
+                          source={item.triggerSource}
+                          className="size-4 flex-none"
+                        />
+                      </span>
+                    }
+                    className="text-text-bright"
+                  >
+                    <MiddleTruncate text={item.slug} />
+                  </SelectItem>
+                ))}
+            </SelectGroup>
+          )}
         </SelectList>
       </SelectPopover>
     </SelectProvider>
   );
 }
 
-function AppliedTaskFilter({ possibleTasks }: Pick<RunFiltersProps, "possibleTasks">) {
-  const { values, del } = useSearchParams();
+const tasksShortcut = { key: "t" };
 
-  if (values("tasks").length === 0 || values("tasks").every((v) => v === "")) {
-    return null;
-  }
+function PermanentTasksFilter({ possibleTasks }: Pick<RunFiltersProps, "possibleTasks">) {
+  const { values, del } = useSearchParams();
+  const tasks = values("tasks");
+  const hasTasks = tasks.length > 0 && !tasks.every((v) => v === "");
+  const triggerRef = useRef<HTMLButtonElement>(null);
+
+  useShortcutKeys({
+    shortcut: tasksShortcut,
+    action: (e) => {
+      e.preventDefault();
+      e.stopPropagation();
+      triggerRef.current?.click();
+    },
+  });
 
   return (
     <FilterMenuProvider>
       {(search, setSearch) => (
         <TasksDropdown
           trigger={
-            <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
-              <AppliedFilter
-                label="Task"
-                icon={filterIcon("tasks")}
-                value={appliedSummary(
-                  values("tasks").map((v) => {
-                    const task = possibleTasks.find((task) => task.slug === v);
-                    return task ? task.slug : v;
-                  })
+            <Ariakit.TooltipProvider timeout={200}>
+              <Ariakit.TooltipAnchor
+                render={
+                  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                  <Ariakit.Select
+                    ref={triggerRef as any}
+                    render={<div className="group cursor-pointer focus-custom" />}
+                  />
+                }
+              >
+                {hasTasks ? (
+                  <AppliedFilter
+                    label="Task"
+                    icon={filterIcon("tasks")}
+                    value={appliedSummary(
+                      tasks.map((v) => {
+                        const task = possibleTasks.find((task) => task.slug === v);
+                        return task ? task.slug : v;
+                      })
+                    )}
+                    onRemove={() => del(["tasks", "cursor", "direction", "rootOnly"])}
+                    variant="secondary/small"
+                    className="pl-1"
+                  />
+                ) : (
+                  <div className="flex h-6 items-center gap-1.5 rounded border border-charcoal-600 bg-secondary pl-1 pr-2 text-xs text-text-bright transition group-hover:border-charcoal-550 group-hover:bg-charcoal-600">
+                    {filterIcon("tasks")}
+                    <span>Tasks</span>
+                  </div>
                 )}
-                onRemove={() => del(["tasks", "cursor", "direction"])}
-                variant="secondary/small"
-              />
-            </Ariakit.Select>
+              </Ariakit.TooltipAnchor>
+              <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright px-2 py-1.5 text-xs">
+                <div className="flex items-center gap-2">
+                  <span>Filter by task</span>
+                  <ShortcutKey
+                    className="size-4 flex-none"
+                    shortcut={tasksShortcut}
+                    variant="small"
+                  />
+                </div>
+              </Ariakit.Tooltip>
+            </Ariakit.TooltipProvider>
           }
           searchValue={search}
           clearSearchValue={() => setSearch("")}
@@ -895,15 +1053,17 @@ function TagsDropdown({
           return true;
         }}
       >
-        <ComboBox
-          value={searchValue}
-          render={(props) => (
-            <div className="flex items-center justify-stretch">
-              <input {...props} placeholder={"Filter by tags..."} />
-              {fetcher.state === "loading" && <Spinner color="muted" />}
-            </div>
-          )}
-        />
+        {(filtered.length > 0 || fetcher.state === "loading" || searchValue.length > 0) && (
+          <ComboBox
+            value={searchValue}
+            render={(props) => (
+              <div className="flex items-center justify-stretch">
+                <input {...props} placeholder={"Filter by tags..."} />
+                {fetcher.state === "loading" && <Spinner color="muted" />}
+              </div>
+            )}
+          />
+        )}
         <SelectList>
           {filtered.length > 0
             ? filtered.map((tag, index) => (
@@ -1075,6 +1235,7 @@ function QueuesDropdown({
                       <RectangleStackIcon className="size-4 shrink-0 text-purple-500" />
                     )
                   }
+                  className="text-text-bright"
                 >
                   {queue.name}
                 </SelectItem>
@@ -1121,6 +1282,138 @@ function AppliedQueuesFilter() {
   );
 }
 
+function RegionsDropdown({
+  trigger,
+  clearSearchValue,
+  searchValue,
+  onClose,
+}: {
+  trigger: ReactNode;
+  clearSearchValue: () => void;
+  searchValue: string;
+  onClose?: () => void;
+}) {
+  const { values, replace } = useSearchParams();
+  const regions = useRegions();
+
+  const handleChange = (values: string[]) => {
+    clearSearchValue();
+    replace({
+      regions: values.length > 0 ? values : undefined,
+      cursor: undefined,
+      direction: undefined,
+    });
+  };
+
+  const selected = values("regions").filter((v) => v !== "");
+
+  const filtered = useMemo(() => {
+    type RegionItem = { masterQueue: string; name: string; location?: string };
+    const items: RegionItem[] = [];
+
+    for (const masterQueue of selected) {
+      const known = regions.find((r) => r.masterQueue === masterQueue);
+      if (!known) {
+        items.push({ masterQueue, name: masterQueue });
+      }
+    }
+
+    for (const region of regions) {
+      if (!items.some((i) => i.masterQueue === region.masterQueue)) {
+        items.push({
+          masterQueue: region.masterQueue,
+          name: region.name,
+          location: region.location,
+        });
+      }
+    }
+
+    return matchSorter(items, searchValue, { keys: ["name", "masterQueue"] });
+  }, [searchValue, regions, selected.join(",")]);
+
+  return (
+    <SelectProvider value={selected} setValue={handleChange} virtualFocus={true}>
+      {trigger}
+      <SelectPopover
+        className="min-w-0 max-w-[min(320px,var(--popover-available-width))]"
+        hideOnEscape={() => {
+          if (onClose) {
+            onClose();
+            return false;
+          }
+          return true;
+        }}
+      >
+        <ComboBox
+          value={searchValue}
+          render={(props) => (
+            <div className="flex items-center justify-stretch">
+              <input {...props} placeholder={"Filter by region..."} />
+            </div>
+          )}
+        />
+        <SelectList>
+          {filtered.length > 0
+            ? filtered.map((region) => (
+                <SelectItem
+                  key={region.masterQueue}
+                  value={region.masterQueue}
+                  className="text-text-bright"
+                >
+                  <RegionLabel region={region} iconClassName="size-4" />
+                </SelectItem>
+              ))
+            : null}
+          {filtered.length === 0 && <SelectItem disabled>No regions found</SelectItem>}
+        </SelectList>
+      </SelectPopover>
+    </SelectProvider>
+  );
+}
+
+function AppliedRegionsFilter() {
+  const { values, del } = useSearchParams();
+  const environment = useEnvironment();
+  const knownRegions = useRegions();
+
+  const regions = values("regions");
+
+  if (environment.type === "DEVELOPMENT") {
+    return null;
+  }
+
+  if (regions.length === 0 || regions.every((v) => v === "")) {
+    return null;
+  }
+
+  const labels = regions.map((mq) => {
+    const match = knownRegions.find((r) => r.masterQueue === mq);
+    return match?.name ?? mq;
+  });
+
+  return (
+    <FilterMenuProvider>
+      {(search, setSearch) => (
+        <RegionsDropdown
+          trigger={
+            <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
+              <AppliedFilter
+                label="Region"
+                icon={filterIcon("regions")}
+                value={appliedSummary(labels)}
+                onRemove={() => del(["regions", "cursor", "direction"])}
+                variant="secondary/small"
+              />
+            </Ariakit.Select>
+          }
+          searchValue={search}
+          clearSearchValue={() => setSearch("")}
+        />
+      )}
+    </FilterMenuProvider>
+  );
+}
+
 function MachinesDropdown({
   trigger,
   clearSearchValue,
@@ -1160,15 +1453,15 @@ function MachinesDropdown({
           return true;
         }}
       >
-        <ComboBox placeholder={"Filter by machine..."} value={searchValue} />
         <SelectList>
           {filtered.map((item, index) => (
             <SelectItem
               key={item}
               value={item}
               shortcut={shortcutFromIndex(index, { shortcutsEnabled: true })}
+              className="text-text-bright"
             >
-              <MachineLabelCombo preset={item} />
+              <MachineLabelCombo preset={item} labelClassName="text-text-bright" />
             </SelectItem>
           ))}
         </SelectList>
@@ -1316,7 +1609,12 @@ export function VersionsDropdown({
         <SelectList>
           {filtered.length > 0
             ? filtered.map((version) => (
-                <SelectItem key={version.version} value={version.version}>
+                <SelectItem
+                  key={version.version}
+                  value={version.version}
+                  icon={<IconRotateClockwise2 className="size-4 flex-none text-text-dimmed" />}
+                  className="text-text-bright"
+                >
                   <span className="flex items-center gap-2">
                     <span className="grow truncate">{version.version}</span>
                     {version.isCurrent ? <Badge variant="extra-small">Current</Badge> : null}
@@ -1365,118 +1663,67 @@ function AppliedVersionsFilter() {
   );
 }
 
+const rootOnlyShortcut = { key: "o" };
+
 function RootOnlyToggle({ defaultValue }: { defaultValue: boolean }) {
-  const { value, values, replace } = useSearchParams();
+  const { value, replace } = useSearchParams();
   const searchValue = value("rootOnly");
   const rootOnly = searchValue !== undefined ? searchValue === "true" : defaultValue;
 
   const batchId = value("batchId");
   const runId = value("runId");
   const scheduleId = value("scheduleId");
-  const tasks = values("tasks");
 
-  const disabled = !!batchId || !!runId || !!scheduleId || tasks.length > 0;
+  const disabled = !!batchId || !!runId || !!scheduleId;
 
   return (
-    <Switch
-      disabled={disabled}
-      variant="secondary/small"
-      label="Root only"
-      checked={disabled ? false : rootOnly}
-      onCheckedChange={(checked) => {
-        replace({
-          rootOnly: checked ? "true" : "false",
-        });
-      }}
-    />
+    <Ariakit.TooltipProvider timeout={200}>
+      <Ariakit.TooltipAnchor render={<div />}>
+        <Switch
+          disabled={disabled}
+          variant="secondary/small"
+          label="Root only"
+          checked={disabled ? false : rootOnly}
+          shortcut={rootOnlyShortcut}
+          onCheckedChange={(checked) => {
+            replace({
+              rootOnly: checked ? "true" : "false",
+              cursor: undefined,
+              direction: undefined,
+            });
+          }}
+        />
+      </Ariakit.TooltipAnchor>
+      <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright px-2 py-1.5 text-xs">
+        <div className="flex items-center gap-2">
+          <span>Toggle root only</span>
+          <ShortcutKey className="size-4 flex-none" shortcut={rootOnlyShortcut} variant="small" />
+        </div>
+      </Ariakit.Tooltip>
+    </Ariakit.TooltipProvider>
   );
 }
 
-function RunIdDropdown({
-  trigger,
-  clearSearchValue,
-  searchValue,
-  onClose,
-}: {
-  trigger: ReactNode;
-  clearSearchValue: () => void;
-  searchValue: string;
-  onClose?: () => void;
-}) {
-  const [open, setOpen] = useState<boolean | undefined>();
-  const { value, replace } = useSearchParams();
-  const runIdValue = value("runId");
-
-  const [runId, setRunId] = useState(runIdValue);
-
-  const apply = useCallback(() => {
-    clearSearchValue();
-    replace({
-      cursor: undefined,
-      direction: undefined,
-      runId: runId === "" ? undefined : runId?.toString(),
-    });
-
-    setOpen(false);
-  }, [runId, replace]);
-
-  let error: string | undefined = undefined;
-  if (runId) {
-    if (!runId.startsWith("run_")) {
-      error = "Run IDs start with 'run_'";
-    } else if (runId.length !== 25 && runId.length !== 29) {
-      error = "Run IDs are 25/30 characters long";
-    }
-  }
+function validateRunId(value: string): string | undefined {
+  if (!value.startsWith("run_")) return "Run IDs start with 'run_'";
+  if (value.length !== 25 && value.length !== 29) return "Run IDs are 25 or 29 characters long";
+}
 
+function RunIdDropdown(
+  props: Omit<
+    IdFilterDropdownProps,
+    "label" | "placeholder" | "paramKey" | "validate" | "inputWidth"
+  >
+) {
   return (
-    <SelectProvider virtualFocus={true} open={open} setOpen={setOpen}>
-      {trigger}
-      <SelectPopover
-        hideOnEnter={false}
-        hideOnEscape={() => {
-          if (onClose) {
-            onClose();
-            return false;
-          }
-
-          return true;
-        }}
-        className="max-w-[min(32ch,var(--popover-available-width))]"
-      >
-        <div className="flex flex-col gap-4 p-3">
-          <div className="flex flex-col gap-1">
-            <Label>Run ID</Label>
-            <Input
-              placeholder="run_"
-              value={runId ?? ""}
-              onChange={(e) => setRunId(e.target.value)}
-              variant="small"
-              className="w-[27ch] font-mono"
-              spellCheck={false}
-            />
-            {error ? <FormError>{error}</FormError> : null}
-          </div>
-          <div className="flex justify-between gap-1 border-t border-grid-dimmed pt-3">
-            <Button variant="tertiary/small" onClick={() => setOpen(false)}>
-              Cancel
-            </Button>
-            <Button
-              disabled={error !== undefined || !runId}
-              variant="secondary/small"
-              shortcut={{
-                modifiers: ["mod"],
-                key: "Enter",
-                enabledOnInputElements: true,
-              }}
-              onClick={() => apply()}
-            >
-              Apply
-            </Button>
-          </div>
-        </div>
-      </SelectPopover>
-    </SelectProvider>
+    <IdFilterDropdown
+      {...props}
+      label="Run ID"
+      placeholder="run_"
+      paramKey="runId"
+      validate={validateRunId}
+      inputWidth="w-[27ch]"
+    />
   );
 }
 
@@ -1512,91 +1759,22 @@ function AppliedRunIdFilter() {
   );
 }
 
-function BatchIdDropdown({
-  trigger,
-  clearSearchValue,
-  searchValue,
-  onClose,
-}: {
-  trigger: ReactNode;
-  clearSearchValue: () => void;
-  searchValue: string;
-  onClose?: () => void;
-}) {
-  const [open, setOpen] = useState<boolean | undefined>();
-  const { value, replace } = useSearchParams();
-  const batchIdValue = value("batchId");
-
-  const [batchId, setBatchId] = useState(batchIdValue);
-
-  const apply = useCallback(() => {
-    clearSearchValue();
-    replace({
-      cursor: undefined,
-      direction: undefined,
-      batchId: batchId === "" ? undefined : batchId?.toString(),
-    });
-
-    setOpen(false);
-  }, [batchId, replace]);
-
-  let error: string | undefined = undefined;
-  if (batchId) {
-    if (!batchId.startsWith("batch_")) {
-      error = "Batch IDs start with 'batch_'";
-    } else if (batchId.length !== 27 && batchId.length !== 31) {
-      error = "Batch IDs are 27 or 31 characters long";
-    }
-  }
+function validateBatchId(value: string): string | undefined {
+  if (!value.startsWith("batch_")) return "Batch IDs start with 'batch_'";
+  if (value.length !== 27 && value.length !== 31) return "Batch IDs are 27 or 31 characters long";
+}
 
+function BatchIdDropdown(
+  props: Omit<IdFilterDropdownProps, "label" | "placeholder" | "paramKey" | "validate">
+) {
   return (
-    <SelectProvider virtualFocus={true} open={open} setOpen={setOpen}>
-      {trigger}
-      <SelectPopover
-        hideOnEnter={false}
-        hideOnEscape={() => {
-          if (onClose) {
-            onClose();
-            return false;
-          }
-
-          return true;
-        }}
-        className="max-w-[min(32ch,var(--popover-available-width))]"
-      >
-        <div className="flex flex-col gap-4 p-3">
-          <div className="flex flex-col gap-1">
-            <Label>Batch ID</Label>
-            <Input
-              placeholder="batch_"
-              value={batchId ?? ""}
-              onChange={(e) => setBatchId(e.target.value)}
-              variant="small"
-              className="w-[29ch] font-mono"
-              spellCheck={false}
-            />
-            {error ? <FormError>{error}</FormError> : null}
-          </div>
-          <div className="flex justify-between gap-1 border-t border-grid-dimmed pt-3">
-            <Button variant="tertiary/small" onClick={() => setOpen(false)}>
-              Cancel
-            </Button>
-            <Button
-              disabled={error !== undefined || !batchId}
-              variant="secondary/small"
-              shortcut={{
-                modifiers: ["mod"],
-                key: "Enter",
-                enabledOnInputElements: true,
-              }}
-              onClick={() => apply()}
-            >
-              Apply
-            </Button>
-          </div>
-        </div>
-      </SelectPopover>
-    </SelectProvider>
+    <IdFilterDropdown
+      {...props}
+      label="Batch ID"
+      placeholder="batch_"
+      paramKey="batchId"
+      validate={validateBatchId}
+    />
   );
 }
 
@@ -1632,91 +1810,22 @@ function AppliedBatchIdFilter() {
   );
 }
 
-function ScheduleIdDropdown({
-  trigger,
-  clearSearchValue,
-  searchValue,
-  onClose,
-}: {
-  trigger: ReactNode;
-  clearSearchValue: () => void;
-  searchValue: string;
-  onClose?: () => void;
-}) {
-  const [open, setOpen] = useState<boolean | undefined>();
-  const { value, replace } = useSearchParams();
-  const scheduleIdValue = value("scheduleId");
-
-  const [scheduleId, setScheduleId] = useState(scheduleIdValue);
-
-  const apply = useCallback(() => {
-    clearSearchValue();
-    replace({
-      cursor: undefined,
-      direction: undefined,
-      scheduleId: scheduleId === "" ? undefined : scheduleId?.toString(),
-    });
-
-    setOpen(false);
-  }, [scheduleId, replace]);
-
-  let error: string | undefined = undefined;
-  if (scheduleId) {
-    if (!scheduleId.startsWith("sched")) {
-      error = "Schedule IDs start with 'sched_'";
-    } else if (scheduleId.length !== 27) {
-      error = "Schedule IDs are 27 characters long";
-    }
-  }
+function validateScheduleId(value: string): string | undefined {
+  if (!value.startsWith("sched_")) return "Schedule IDs start with 'sched_'";
+  if (value.length !== 27) return "Schedule IDs are 27 characters long";
+}
 
+function ScheduleIdDropdown(
+  props: Omit<IdFilterDropdownProps, "label" | "placeholder" | "paramKey" | "validate">
+) {
   return (
-    <SelectProvider virtualFocus={true} open={open} setOpen={setOpen}>
-      {trigger}
-      <SelectPopover
-        hideOnEnter={false}
-        hideOnEscape={() => {
-          if (onClose) {
-            onClose();
-            return false;
-          }
-
-          return true;
-        }}
-        className="max-w-[min(32ch,var(--popover-available-width))]"
-      >
-        <div className="flex flex-col gap-4 p-3">
-          <div className="flex flex-col gap-1">
-            <Label>Schedule ID</Label>
-            <Input
-              placeholder="sched_"
-              value={scheduleId ?? ""}
-              onChange={(e) => setScheduleId(e.target.value)}
-              variant="small"
-              className="w-[29ch] font-mono"
-              spellCheck={false}
-            />
-            {error ? <FormError>{error}</FormError> : null}
-          </div>
-          <div className="flex justify-between gap-1 border-t border-grid-dimmed pt-3">
-            <Button variant="tertiary/small" onClick={() => setOpen(false)}>
-              Cancel
-            </Button>
-            <Button
-              disabled={error !== undefined || !scheduleId}
-              variant="secondary/small"
-              shortcut={{
-                modifiers: ["mod"],
-                key: "Enter",
-                enabledOnInputElements: true,
-              }}
-              onClick={() => apply()}
-            >
-              Apply
-            </Button>
-          </div>
-        </div>
-      </SelectPopover>
-    </SelectProvider>
+    <IdFilterDropdown
+      {...props}
+      label="Schedule ID"
+      placeholder="sched_"
+      paramKey="scheduleId"
+      validate={validateScheduleId}
+    />
   );
 }
 
@@ -1752,7 +1861,63 @@ function AppliedScheduleIdFilter() {
   );
 }
 
-function ErrorIdDropdown({
+function validateErrorId(value: string): string | undefined {
+  if (!value.startsWith("error_")) return "Error IDs start with 'error_'";
+}
+
+function ErrorIdDropdown(
+  props: Omit<IdFilterDropdownProps, "label" | "placeholder" | "paramKey" | "validate">
+) {
+  return (
+    <IdFilterDropdown
+      {...props}
+      label="Error ID"
+      placeholder="error_"
+      paramKey="errorId"
+      validate={validateErrorId}
+    />
+  );
+}
+
+function AppliedErrorIdFilter() {
+  const { value, del } = useSearchParams();
+
+  if (value("errorId") === undefined) {
+    return null;
+  }
+
+  const errorId = value("errorId");
+
+  return (
+    <FilterMenuProvider>
+      {(search, setSearch) => (
+        <ErrorIdDropdown
+          trigger={
+            <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
+              <AppliedFilter
+                label="Error ID"
+                icon={filterIcon("errorId")}
+                value={errorId}
+                onRemove={() => del(["errorId", "cursor", "direction"])}
+                variant="secondary/small"
+              />
+            </Ariakit.Select>
+          }
+          searchValue={search}
+          clearSearchValue={() => setSearch("")}
+        />
+      )}
+    </FilterMenuProvider>
+  );
+}
+
+const sourceOptions: { value: TaskTriggerSource; title: string }[] = [
+  { value: "STANDARD", title: "Standard" },
+  { value: "SCHEDULED", title: "Scheduled" },
+  { value: "AGENT", title: "Agent" },
+];
+
+function SourceDropdown({
   trigger,
   clearSearchValue,
   searchValue,
@@ -1763,101 +1928,75 @@ function ErrorIdDropdown({
   searchValue: string;
   onClose?: () => void;
 }) {
-  const [open, setOpen] = useState<boolean | undefined>();
-  const { value, replace } = useSearchParams();
-  const errorIdValue = value("errorId");
-
-  const [errorId, setErrorId] = useState(errorIdValue);
+  const { values, replace } = useSearchParams();
 
-  const apply = useCallback(() => {
+  const handleChange = (values: string[]) => {
     clearSearchValue();
-    replace({
-      cursor: undefined,
-      direction: undefined,
-      errorId: errorId === "" ? undefined : errorId?.toString(),
-    });
-
-    setOpen(false);
-  }, [errorId, replace]);
+    replace({ sources: values, cursor: undefined, direction: undefined });
+  };
 
-  let error: string | undefined = undefined;
-  if (errorId) {
-    if (!errorId.startsWith("error_")) {
-      error = "Error IDs start with 'error_'";
-    }
-  }
+  const filtered = useMemo(() => {
+    return sourceOptions.filter((item) =>
+      item.title.toLowerCase().includes(searchValue.toLowerCase())
+    );
+  }, [searchValue]);
 
   return (
-    <SelectProvider virtualFocus={true} open={open} setOpen={setOpen}>
+    <SelectProvider value={values("sources")} setValue={handleChange} virtualFocus={true}>
       {trigger}
       <SelectPopover
-        hideOnEnter={false}
+        className="min-w-0 max-w-[min(240px,var(--popover-available-width))]"
         hideOnEscape={() => {
           if (onClose) {
             onClose();
             return false;
           }
-
           return true;
         }}
-        className="max-w-[min(32ch,var(--popover-available-width))]"
       >
-        <div className="flex flex-col gap-4 p-3">
-          <div className="flex flex-col gap-1">
-            <Label>Error ID</Label>
-            <Input
-              placeholder="error_"
-              value={errorId ?? ""}
-              onChange={(e) => setErrorId(e.target.value)}
-              variant="small"
-              className="w-[29ch] font-mono"
-              spellCheck={false}
-            />
-            {error ? <FormError>{error}</FormError> : null}
-          </div>
-          <div className="flex justify-between gap-1 border-t border-grid-dimmed pt-3">
-            <Button variant="tertiary/small" onClick={() => setOpen(false)}>
-              Cancel
-            </Button>
-            <Button
-              disabled={error !== undefined || !errorId}
-              variant="secondary/small"
-              shortcut={{
-                modifiers: ["mod"],
-                key: "Enter",
-                enabledOnInputElements: true,
-              }}
-              onClick={() => apply()}
+        <ComboBox placeholder={"Filter by source..."} value={searchValue} />
+        <SelectList>
+          {filtered.map((item, index) => (
+            <SelectItem
+              key={item.value}
+              value={item.value}
+              icon={
+                <TaskTriggerSourceIcon source={item.value} className="size-4 flex-none" />
+              }
+              shortcut={shortcutFromIndex(index, { shortcutsEnabled: true })}
             >
-              Apply
-            </Button>
-          </div>
-        </div>
+              {item.title}
+            </SelectItem>
+          ))}
+        </SelectList>
       </SelectPopover>
     </SelectProvider>
   );
 }
 
-function AppliedErrorIdFilter() {
-  const { value, del } = useSearchParams();
+function AppliedSourceFilter() {
+  const { values, del } = useSearchParams();
+  const sources = values("sources");
 
-  if (value("errorId") === undefined) {
+  if (sources.length === 0 || sources.every((v) => v === "")) {
     return null;
   }
 
-  const errorId = value("errorId");
-
   return (
     <FilterMenuProvider>
       {(search, setSearch) => (
-        <ErrorIdDropdown
+        <SourceDropdown
           trigger={
             <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
               <AppliedFilter
-                label="Error ID"
-                icon={filterIcon("errorId")}
-                value={errorId}
-                onRemove={() => del(["errorId", "cursor", "direction"])}
+                label="Source"
+                icon={<CpuChipIcon className="size-4" />}
+                value={appliedSummary(
+                  sources.map(
+                    (v) => sourceOptions.find((o) => o.value === v)?.title ?? v
+                  )
+                )}
+                onRemove={() => del(["sources", "cursor", "direction"])}
                 variant="secondary/small"
               />
             </Ariakit.Select>
diff --git a/apps/webapp/app/components/runs/v3/RunStatusCellTooltip.tsx b/apps/webapp/app/components/runs/v3/RunStatusCellTooltip.tsx
new file mode 100644
index 00000000000..fad6b15bcf7
--- /dev/null
+++ b/apps/webapp/app/components/runs/v3/RunStatusCellTooltip.tsx
@@ -0,0 +1,249 @@
+import { useFetcher } from "@remix-run/react";
+import { AnimatePresence, motion } from "framer-motion";
+import { useCallback, useEffect, useMemo, useRef, useState } from "react";
+import { SimpleTooltip } from "~/components/primitives/Tooltip";
+import type { NextRunListItem } from "~/presenters/v3/NextRunListPresenter.server";
+import type { loader as childStatusesLoader } from "~/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.children-statuses";
+import { isFinalRunStatus } from "~/v3/taskStatus";
+import {
+  allTaskRunStatuses,
+  descriptionForTaskRunStatus,
+  TaskRunStatusCombo,
+} from "./TaskRunStatus";
+
+const TOOLTIP_OPEN_DELAY_MS = 400;
+const TOOLTIP_POLL_INTERVAL_MS = 3000;
+
+type ChildStatusEntry = { status: NextRunListItem["status"]; count: number };
+
+// Compare status/count pairs so unchanged polling responses don't
+// re-render or re-animate the tooltip.
+function childStatusesKey(statuses: ChildStatusEntry[]) {
+  return [...statuses]
+    .sort((a, b) => a.status.localeCompare(b.status))
+    .map((entry) => `${entry.status}:${entry.count}`)
+    .join("|");
+}
+
+function areChildStatusesEqual(previous: ChildStatusEntry[] | undefined, next: ChildStatusEntry[]) {
+  if (previous === undefined) return false;
+  return childStatusesKey(previous) === childStatusesKey(next);
+}
+
+function hasActiveChildStatuses(statuses: ChildStatusEntry[] | undefined) {
+  if (statuses === undefined) return false;
+
+  return statuses.some((entry) => entry.count > 0 && !isFinalRunStatus(entry.status));
+}
+
+function shouldPollWhileTooltipOpen(
+  statuses: ChildStatusEntry[] | undefined,
+  rootHasFinished: boolean
+) {
+  if (statuses === undefined) return true;
+  // Empty child statuses while the root is still running can mean
+  // children have not been created yet, so keep polling.
+  if (statuses.length === 0) return !rootHasFinished;
+
+  // All current children may be final while the root is still running — more
+  // dependents can still be created.
+  return hasActiveChildStatuses(statuses) || !rootHasFinished;
+}
+
+function ChildStatusBreakdown({
+  orderedChildStatuses,
+}: {
+  orderedChildStatuses: { status: NextRunListItem["status"]; count: number }[];
+}) {
+  return (
+    <div className="flex min-w-[10rem] flex-col gap-1 p-1">
+      <p className="mb-1 text-xs text-text-dimmed">Child run statuses</p>
+      <AnimatePresence initial={false} mode="popLayout">
+        {orderedChildStatuses.map((entry) => (
+          <motion.div
+            key={entry.status}
+            layout
+            initial={{ opacity: 0, y: -4 }}
+            animate={{ opacity: 1, y: 0 }}
+            exit={{ opacity: 0, y: 4 }}
+            transition={{ duration: 0.2, ease: "easeOut" }}
+            className="flex items-center justify-between gap-2"
+          >
+            <TaskRunStatusCombo status={entry.status} />
+            <motion.span
+              key={entry.count}
+              layout
+              initial={{ opacity: 0.6, scale: 0.95 }}
+              animate={{ opacity: 1, scale: 1 }}
+              transition={{ duration: 0.15, ease: "easeOut" }}
+              className="text-xs tabular-nums text-text-bright"
+            >
+              {entry.count}
+            </motion.span>
+          </motion.div>
+        ))}
+      </AnimatePresence>
+    </div>
+  );
+}
+
+function useChildRunStatusesTooltip({
+  friendlyId,
+  hasFinished,
+  childrenStatusesBasePath,
+}: {
+  friendlyId: string;
+  hasFinished: boolean;
+  childrenStatusesBasePath: string;
+}) {
+  const fetcher = useFetcher<typeof childStatusesLoader>({
+    key: `child-statuses-${friendlyId}`,
+  });
+  const fetcherStateRef = useRef(fetcher.state);
+  fetcherStateRef.current = fetcher.state;
+
+  const [childStatuses, setChildStatuses] = useState<ChildStatusEntry[] | undefined>();
+  const isOpenRef = useRef(false);
+  const pollIntervalRef = useRef<ReturnType<typeof setInterval>>();
+  const prevHasFinishedRef = useRef(hasFinished);
+
+  const childrenStatusesUrl = useMemo(
+    () => `${childrenStatusesBasePath}/children-statuses?runIds=${encodeURIComponent(friendlyId)}`,
+    [childrenStatusesBasePath, friendlyId]
+  );
+
+  const loadChildStatuses = useCallback(() => {
+    if (fetcherStateRef.current !== "idle") return;
+    fetcher.load(childrenStatusesUrl);
+  }, [childrenStatusesUrl, fetcher]);
+
+  // Keep the latest loader callback available to the polling interval
+  // without recreating the interval on every render.
+  const loadChildStatusesRef = useRef(loadChildStatuses);
+  loadChildStatusesRef.current = loadChildStatuses;
+
+  const stopPolling = useCallback(() => {
+    if (pollIntervalRef.current) {
+      clearInterval(pollIntervalRef.current);
+      pollIntervalRef.current = undefined;
+    }
+  }, []);
+
+  const startPolling = useCallback(() => {
+    if (pollIntervalRef.current) return;
+
+    pollIntervalRef.current = setInterval(() => {
+      if (document.visibilityState !== "visible") return;
+      loadChildStatusesRef.current();
+    }, TOOLTIP_POLL_INTERVAL_MS);
+  }, []);
+
+  useEffect(() => {
+    if (!fetcher.data?.runs) return;
+
+    const entry = fetcher.data.runs.find((run) => run.friendlyId === friendlyId);
+    if (!entry) return;
+
+    setChildStatuses((previous) =>
+      areChildStatusesEqual(previous, entry.statuses) ? previous : entry.statuses
+    );
+
+    if (isOpenRef.current && !shouldPollWhileTooltipOpen(entry.statuses, hasFinished)) {
+      stopPolling();
+    }
+  }, [fetcher.data, friendlyId, hasFinished, stopPolling]);
+
+  const onOpenChange = useCallback(
+    (open: boolean) => {
+      isOpenRef.current = open;
+      if (open) {
+        loadChildStatuses();
+        startPolling();
+      } else {
+        stopPolling();
+      }
+    },
+    [loadChildStatuses, startPolling, stopPolling]
+  );
+
+  useEffect(() => {
+    prevHasFinishedRef.current = hasFinished;
+    stopPolling();
+    setChildStatuses(undefined);
+    if (isOpenRef.current) {
+      loadChildStatuses();
+      startPolling();
+    }
+    // Only reset when the hovered run changes, not when hasFinished toggles.
+    // eslint-disable-next-line react-hooks/exhaustive-deps -- friendlyId
+  }, [friendlyId]);
+
+  useEffect(() => {
+    if (!isOpenRef.current) return;
+    if (prevHasFinishedRef.current === hasFinished) return;
+
+    prevHasFinishedRef.current = hasFinished;
+    loadChildStatuses();
+  }, [hasFinished, loadChildStatuses]);
+
+  useEffect(() => () => stopPolling(), [stopPolling]);
+
+  return {
+    childStatuses,
+    onOpenChange,
+  };
+}
+
+export function RunStatusCellTooltip({
+  friendlyId,
+  status,
+  hasFinished,
+  childrenStatusesBasePath,
+}: {
+  friendlyId: string;
+  status: NextRunListItem["status"];
+  hasFinished: boolean;
+  childrenStatusesBasePath: string;
+}) {
+  const { childStatuses, onOpenChange } = useChildRunStatusesTooltip({
+    friendlyId,
+    hasFinished,
+    childrenStatusesBasePath,
+  });
+
+  const orderedChildStatuses = useMemo(() => {
+    const childStatusesMap = new Map(
+      (childStatuses ?? []).map((entry) => [entry.status, entry.count])
+    );
+
+    return allTaskRunStatuses
+      .map((s) => ({
+        status: s,
+        count: childStatusesMap.get(s) ?? 0,
+      }))
+      .filter((entry) => entry.count > 0);
+  }, [childStatuses]);
+
+  const hasChildStatuses = orderedChildStatuses.length > 0;
+
+  return (
+    <SimpleTooltip
+      asChild
+      delayDuration={TOOLTIP_OPEN_DELAY_MS}
+      onOpenChange={onOpenChange}
+      content={
+        hasChildStatuses ? (
+          <ChildStatusBreakdown orderedChildStatuses={orderedChildStatuses} />
+        ) : (
+          descriptionForTaskRunStatus(status)
+        )
+      }
+      disableHoverableContent
+      button={
+        <span className="inline-flex min-w-full items-center">
+          <TaskRunStatusCombo status={status} />
+        </span>
+      }
+    />
+  );
+}
diff --git a/apps/webapp/app/components/runs/v3/ScheduleFilters.tsx b/apps/webapp/app/components/runs/v3/ScheduleFilters.tsx
index 3a30e0cb37e..e0fb819c8d1 100644
--- a/apps/webapp/app/components/runs/v3/ScheduleFilters.tsx
+++ b/apps/webapp/app/components/runs/v3/ScheduleFilters.tsx
@@ -1,21 +1,22 @@
-import { MagnifyingGlassIcon, XMarkIcon } from "@heroicons/react/20/solid";
+import * as Ariakit from "@ariakit/react";
+import { ClockIcon, XMarkIcon } from "@heroicons/react/20/solid";
 import { useNavigate } from "@remix-run/react";
-import { useCallback } from "react";
+import { useCallback, useRef } from "react";
 import { z } from "zod";
-import { Input } from "~/components/primitives/Input";
-import { useOptimisticLocation } from "~/hooks/useOptimisticLocation";
-import { useThrottle } from "~/hooks/useThrottle";
-import { Button } from "../../primitives/Buttons";
-import { Paragraph } from "../../primitives/Paragraph";
+import { AppliedFilter } from "~/components/primitives/AppliedFilter";
+import { SearchInput } from "~/components/primitives/SearchInput";
 import {
-  Select,
-  SelectContent,
-  SelectGroup,
   SelectItem,
-  SelectTrigger,
-  SelectValue,
-} from "../../primitives/SimpleSelect";
-import { ScheduleTypeCombo } from "./ScheduleType";
+  SelectList,
+  SelectPopover,
+  SelectProvider,
+} from "~/components/primitives/Select";
+import { ShortcutKey } from "~/components/primitives/ShortcutKey";
+import { useOptimisticLocation } from "~/hooks/useOptimisticLocation";
+import { useShortcutKeys } from "~/hooks/useShortcutKeys";
+import { Button } from "../../primitives/Buttons";
+import { ScheduleTypeIcon, scheduleTypeName } from "./ScheduleType";
+import { FilterMenuProvider } from "./SharedFilters";
 
 export const ScheduleListFilters = z.object({
   page: z.coerce.number().default(1),
@@ -29,120 +30,232 @@ export const ScheduleListFilters = z.object({
 
 export type ScheduleListFilters = z.infer<typeof ScheduleListFilters>;
 
-const All = "ALL";
-
 type ScheduleFiltersProps = {
   possibleTasks: string[];
 };
 
 export function ScheduleFilters({ possibleTasks }: ScheduleFiltersProps) {
-  const navigate = useNavigate();
   const location = useOptimisticLocation();
   const searchParams = new URLSearchParams(location.search);
-  const { tasks, page, search, type } = ScheduleListFilters.parse(
-    Object.fromEntries(searchParams.entries())
+  const hasFilters =
+    searchParams.has("tasks") || searchParams.has("search") || searchParams.has("type");
+
+  return (
+    <div className="flex flex-row flex-wrap items-center gap-1.5">
+      <ScheduleSearchInput />
+      <PermanentTaskFilter possibleTasks={possibleTasks} />
+      <PermanentTypeFilter />
+      {hasFilters && <ClearFiltersButton />}
+    </div>
   );
+}
 
-  const hasFilters = searchParams.has("tasks") || searchParams.has("search");
+function ScheduleSearchInput() {
+  return <SearchInput placeholder="Search schedules…" resetParams={["page"]} />;
+}
 
-  const handleFilterChange = useCallback((filterType: string, value: string | undefined) => {
-    if (value) {
-      searchParams.set(filterType, value);
-    } else {
-      searchParams.delete(filterType);
-    }
-    searchParams.delete("page");
-    navigate(`${location.pathname}?${searchParams.toString()}`);
-  }, []);
+const typeShortcut = { key: "y" };
 
-  const handleTaskChange = useCallback((value: string | typeof All) => {
-    handleFilterChange("tasks", value === "ALL" ? undefined : value);
-  }, []);
+function PermanentTypeFilter() {
+  const navigate = useNavigate();
+  const location = useOptimisticLocation();
+  const searchParams = new URLSearchParams(location.search);
+  const currentType = searchParams.get("type") ?? undefined;
+  const triggerRef = useRef<HTMLButtonElement>(null);
 
-  const handleTypeChange = useCallback((value: string | typeof All) => {
-    handleFilterChange("type", value === "ALL" ? undefined : value);
-  }, []);
+  useShortcutKeys({
+    shortcut: typeShortcut,
+    action: (e) => {
+      e.preventDefault();
+      e.stopPropagation();
+      triggerRef.current?.click();
+    },
+  });
 
-  const handleSearchChange = useThrottle((value: string) => {
-    handleFilterChange("search", value.length === 0 ? undefined : value);
-  }, 300);
+  const handleChange = useCallback(
+    (value: string | string[]) => {
+      const selected = Array.isArray(value) ? value[0] : value;
+      const params = new URLSearchParams(location.search);
+      if (!selected || selected === "ALL") {
+        params.delete("type");
+      } else {
+        params.set("type", selected);
+      }
+      params.delete("page");
+      navigate(`${location.pathname}?${params.toString()}`);
+    },
+    [location, navigate]
+  );
 
-  const clearFilters = useCallback(() => {
-    searchParams.delete("page");
-    searchParams.delete("enabled");
-    searchParams.delete("tasks");
-    searchParams.delete("search");
-    navigate(`${location.pathname}?${searchParams.toString()}`);
-  }, []);
+  const typeLabel = currentType
+    ? scheduleTypeName(currentType.toUpperCase() as "IMPERATIVE" | "DECLARATIVE")
+    : "All types";
 
   return (
-    <div className="flex w-full">
-      <Input
-        name="search"
-        placeholder="Search schedule id, external id, deduplication id or CRON pattern"
-        icon={MagnifyingGlassIcon}
-        variant="tertiary"
-        className="grow"
-        defaultValue={search}
-        onChange={(e) => handleSearchChange(e.target.value)}
-      />
-      <SelectGroup className="ml-2">
-        <Select name="type" value={type ?? "ALL"} onValueChange={handleTypeChange}>
-          <SelectTrigger size="minimal" width="full">
-            <SelectValue placeholder={"Select type"} className="ml-2 whitespace-nowrap p-0" />
-          </SelectTrigger>
-          <SelectContent>
-            <SelectItem value={"ALL"}>
-              <Paragraph
-                variant="extra-small"
-                className="whitespace-nowrap pl-0.5 transition group-hover:text-text-bright"
-              >
+    <FilterMenuProvider>
+      {() => (
+        <SelectProvider value={currentType ?? "ALL"} setValue={handleChange} virtualFocus={true}>
+          <Ariakit.TooltipProvider timeout={200}>
+            <Ariakit.TooltipAnchor
+              render={
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                <Ariakit.Select
+                  ref={triggerRef as any}
+                  render={<div className="group cursor-pointer focus-custom" />}
+                />
+              }
+            >
+              <AppliedFilter
+                label="Type"
+                value={typeLabel}
+                removable={!!currentType}
+                onRemove={() => handleChange("ALL")}
+                variant="secondary/small"
+              />
+            </Ariakit.TooltipAnchor>
+            <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright px-2 py-1.5 text-xs">
+              <div className="flex items-center gap-2">
+                <span>Filter by type</span>
+                <ShortcutKey className="size-4 flex-none" shortcut={typeShortcut} variant="small" />
+              </div>
+            </Ariakit.Tooltip>
+          </Ariakit.TooltipProvider>
+          <SelectPopover className="min-w-0 max-w-[min(240px,var(--popover-available-width))]">
+            <SelectList>
+              <SelectItem value="ALL" className="text-text-bright">
                 All types
-              </Paragraph>
-            </SelectItem>
-            <SelectItem value={"declarative"}>
-              <ScheduleTypeCombo type="DECLARATIVE" className="text-xs text-text-dimmed" />
-            </SelectItem>
-            <SelectItem value={"imperative"}>
-              <ScheduleTypeCombo type="IMPERATIVE" className="text-xs text-text-dimmed" />
-            </SelectItem>
-          </SelectContent>
-        </Select>
-      </SelectGroup>
-
-      <SelectGroup>
-        <Select name="tasks" value={tasks?.at(0) ?? "ALL"} onValueChange={handleTaskChange}>
-          <SelectTrigger size="minimal" width="full">
-            <SelectValue placeholder="Select task" className="ml-2 p-0" />
-          </SelectTrigger>
-          <SelectContent>
-            <SelectItem value={"ALL"}>
-              <Paragraph
-                variant="extra-small"
-                className="whitespace-nowrap pl-0.5 transition group-hover:text-text-bright"
-              >
+              </SelectItem>
+              <SelectItem value="declarative">
+                <div className="flex items-center gap-1">
+                  <ScheduleTypeIcon type="DECLARATIVE" className="text-text-dimmed" />
+                  <span className="text-text-bright">{scheduleTypeName("DECLARATIVE")}</span>
+                </div>
+              </SelectItem>
+              <SelectItem value="imperative">
+                <div className="flex items-center gap-1">
+                  <ScheduleTypeIcon type="IMPERATIVE" className="text-text-dimmed" />
+                  <span className="text-text-bright">{scheduleTypeName("IMPERATIVE")}</span>
+                </div>
+              </SelectItem>
+            </SelectList>
+          </SelectPopover>
+        </SelectProvider>
+      )}
+    </FilterMenuProvider>
+  );
+}
+
+const taskShortcut = { key: "t" };
+
+function PermanentTaskFilter({ possibleTasks }: { possibleTasks: string[] }) {
+  const navigate = useNavigate();
+  const location = useOptimisticLocation();
+  const searchParams = new URLSearchParams(location.search);
+  const currentTask = searchParams.get("tasks") ?? undefined;
+  const triggerRef = useRef<HTMLButtonElement>(null);
+
+  useShortcutKeys({
+    shortcut: taskShortcut,
+    action: (e) => {
+      e.preventDefault();
+      e.stopPropagation();
+      triggerRef.current?.click();
+    },
+  });
+
+  const handleChange = useCallback(
+    (value: string | string[]) => {
+      const selected = Array.isArray(value) ? value[0] : value;
+      const params = new URLSearchParams(location.search);
+      if (!selected || selected === "ALL") {
+        params.delete("tasks");
+      } else {
+        params.set("tasks", selected);
+      }
+      params.delete("page");
+      navigate(`${location.pathname}?${params.toString()}`);
+    },
+    [location, navigate]
+  );
+
+  const taskLabel = currentTask ?? "All tasks";
+
+  return (
+    <FilterMenuProvider>
+      {() => (
+        <SelectProvider value={currentTask ?? "ALL"} setValue={handleChange} virtualFocus={true}>
+          <Ariakit.TooltipProvider timeout={200}>
+            <Ariakit.TooltipAnchor
+              render={
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                <Ariakit.Select
+                  ref={triggerRef as any}
+                  render={<div className="group cursor-pointer focus-custom" />}
+                />
+              }
+            >
+              <AppliedFilter
+                label="Task"
+                icon={<ClockIcon className="size-4" />}
+                value={taskLabel}
+                removable={!!currentTask}
+                onRemove={() => handleChange("ALL")}
+                variant="secondary/small"
+              />
+            </Ariakit.TooltipAnchor>
+            <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright px-2 py-1.5 text-xs">
+              <div className="flex items-center gap-2">
+                <span>Filter by task</span>
+                <ShortcutKey className="size-4 flex-none" shortcut={taskShortcut} variant="small" />
+              </div>
+            </Ariakit.Tooltip>
+          </Ariakit.TooltipProvider>
+          <SelectPopover className="min-w-0 max-w-[min(360px,var(--popover-available-width))]">
+            <SelectList>
+              <SelectItem value="ALL" className="text-text-bright">
                 All tasks
-              </Paragraph>
-            </SelectItem>
-            {possibleTasks.map((task) => (
-              <SelectItem key={task} value={task}>
-                <Paragraph
-                  variant="extra-small"
-                  className="whitespace-nowrap pl-0.5 transition group-hover:text-text-bright"
+              </SelectItem>
+              {possibleTasks.map((task) => (
+                <SelectItem
+                  key={task}
+                  value={task}
+                  icon={<ClockIcon className="size-4 text-schedules" />}
+                  className="text-text-bright"
                 >
                   {task}
-                </Paragraph>
-              </SelectItem>
-            ))}
-          </SelectContent>
-        </Select>
-      </SelectGroup>
-
-      {hasFilters && (
-        <Button variant="minimal/small" onClick={() => clearFilters()} LeadingIcon={XMarkIcon}>
-          Clear all
-        </Button>
+                </SelectItem>
+              ))}
+            </SelectList>
+          </SelectPopover>
+        </SelectProvider>
       )}
+    </FilterMenuProvider>
+  );
+}
+
+function ClearFiltersButton() {
+  const navigate = useNavigate();
+  const location = useOptimisticLocation();
+
+  const clearFilters = useCallback(() => {
+    const params = new URLSearchParams(location.search);
+    params.delete("page");
+    params.delete("tasks");
+    params.delete("search");
+    params.delete("type");
+    navigate(`${location.pathname}?${params.toString()}`);
+  }, [location, navigate]);
+
+  return (
+    <div className="-ml-1 h-6">
+      <Button
+        variant="minimal/small"
+        onClick={clearFilters}
+        LeadingIcon={XMarkIcon}
+        tooltip="Clear all filters"
+        className="group-hover/button:bg-transparent"
+        leadingIconClassName="group-hover/button:text-text-bright"
+      />
     </div>
   );
 }
diff --git a/apps/webapp/app/components/runs/v3/SharedFilters.tsx b/apps/webapp/app/components/runs/v3/SharedFilters.tsx
index 3e24f601f2a..0bdd7c4ac5f 100644
--- a/apps/webapp/app/components/runs/v3/SharedFilters.tsx
+++ b/apps/webapp/app/components/runs/v3/SharedFilters.tsx
@@ -1,5 +1,4 @@
 import * as Ariakit from "@ariakit/react";
-import type { RuntimeEnvironment } from "@trigger.dev/database";
 import {
   endOfDay,
   endOfMonth,
@@ -11,20 +10,23 @@ import {
   subWeeks,
 } from "date-fns";
 import parse from "parse-duration";
-import { startTransition, useCallback, useEffect, useRef, useState, type ReactNode } from "react";
+import { type ReactNode, startTransition, useCallback, useEffect, useRef, useState } from "react";
 import simplur from "simplur";
 import { AppliedFilter } from "~/components/primitives/AppliedFilter";
 import { Callout } from "~/components/primitives/Callout";
 import { DateTime } from "~/components/primitives/DateTime";
 import { DateTimePicker } from "~/components/primitives/DateTimePicker";
+import { FormError } from "~/components/primitives/FormError";
+import { Header3 } from "~/components/primitives/Headers";
+import { Input } from "~/components/primitives/Input";
 import { Label } from "~/components/primitives/Label";
 import { Paragraph } from "~/components/primitives/Paragraph";
 import { RadioButtonCircle } from "~/components/primitives/RadioButton";
 import { ComboboxProvider, SelectPopover, SelectProvider } from "~/components/primitives/Select";
+import { ShortcutKey } from "~/components/primitives/ShortcutKey";
 import { useOptionalOrganization } from "~/hooks/useOrganizations";
 import { useSearchParams } from "~/hooks/useSearchParam";
 import { type ShortcutDefinition, useShortcutKeys } from "~/hooks/useShortcutKeys";
-import { ShortcutKey } from "~/components/primitives/ShortcutKey";
 import { cn } from "~/utils/cn";
 import { organizationBillingPath } from "~/utils/pathBuilder";
 import { Button, LinkButton } from "../../primitives/Buttons";
@@ -422,11 +424,7 @@ export function TimeFilter({
                 <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright px-2 py-1.5 text-xs">
                   <div className="flex items-center gap-2">
                     <span>Filter by time period</span>
-                    <ShortcutKey
-                      className="size-4 flex-none"
-                      shortcut={shortcut}
-                      variant="small"
-                    />
+                    <ShortcutKey className="size-4 flex-none" shortcut={shortcut} variant="small" />
                   </div>
                 </Ariakit.Tooltip>
               )}
@@ -1005,3 +1003,102 @@ function QuickDateButton({
     </Button>
   );
 }
+
+export type IdFilterDropdownProps = {
+  trigger: ReactNode;
+  clearSearchValue: () => void;
+  searchValue: string;
+  onClose?: () => void;
+  label: string;
+  placeholder: string;
+  paramKey: string;
+  validate?: (value: string) => string | undefined;
+  inputWidth?: string;
+};
+
+export function IdFilterDropdown({
+  trigger,
+  clearSearchValue,
+  onClose,
+  label,
+  placeholder,
+  paramKey,
+  validate,
+  inputWidth = "w-[29ch]",
+}: IdFilterDropdownProps) {
+  const [open, setOpen] = useState<boolean | undefined>();
+  const { value, replace } = useSearchParams();
+  const currentValue = value(paramKey);
+
+  const [inputValue, setInputValue] = useState(currentValue);
+  const [prevOpen, setPrevOpen] = useState(open);
+  if (open !== prevOpen) {
+    setPrevOpen(open);
+    if (open) setInputValue(currentValue);
+  }
+
+  const apply = () => {
+    clearSearchValue();
+    replace({
+      cursor: undefined,
+      direction: undefined,
+      [paramKey]: inputValue === "" ? undefined : inputValue?.toString(),
+    });
+
+    setOpen(false);
+  };
+
+  const error = inputValue ? validate?.(inputValue) : undefined;
+
+  return (
+    <SelectProvider virtualFocus={true} open={open} setOpen={setOpen}>
+      {trigger}
+      <SelectPopover
+        hideOnEnter={false}
+        hideOnEscape={() => {
+          if (onClose) {
+            onClose();
+            return false;
+          }
+
+          return true;
+        }}
+        className="max-w-[min(32ch,var(--popover-available-width))]"
+      >
+        <div className="flex flex-col gap-3 p-3 pt-2">
+          <div className="flex flex-col gap-1">
+            <Paragraph variant="extra-small/bright" className="mb-0.5">
+              {label}
+            </Paragraph>
+            <Input
+              placeholder={placeholder}
+              value={inputValue ?? ""}
+              onChange={(e) => setInputValue(e.target.value)}
+              variant="small"
+              className={cn(inputWidth, "font-mono")}
+              spellCheck={false}
+            />
+            {error ? <FormError>{error}</FormError> : null}
+          </div>
+          <div className="flex justify-between gap-1">
+            <Button variant="secondary/small" onClick={() => setOpen(false)}>
+              Cancel
+            </Button>
+            <Button
+              disabled={error !== undefined || !inputValue}
+              variant="secondary/small"
+              shortcut={{
+                modifiers: ["mod"],
+                key: "Enter",
+                enabledOnInputElements: true,
+              }}
+              onClick={() => apply()}
+            >
+              Apply
+            </Button>
+          </div>
+        </div>
+      </SelectPopover>
+    </SelectProvider>
+  );
+}
diff --git a/apps/webapp/app/components/runs/v3/SpanTitle.tsx b/apps/webapp/app/components/runs/v3/SpanTitle.tsx
index 4c25fc7b9ae..0b9273cd481 100644
--- a/apps/webapp/app/components/runs/v3/SpanTitle.tsx
+++ b/apps/webapp/app/components/runs/v3/SpanTitle.tsx
@@ -55,20 +55,24 @@ function SpanAccessory({
     case "pills": {
       return (
         <span className="flex items-center gap-1">
-          {accessory.items.map((item, index) => (
-            <SpanPill key={index} text={item.text} icon={item.icon} />
-          ))}
+          {accessory.items
+            .filter((item) => typeof item.text === "string")
+            .map((item, index) => (
+              <SpanPill key={index} text={item.text} icon={item.icon} />
+            ))}
         </span>
       );
     }
     default: {
       return (
         <span className={cn("flex gap-1")}>
-          {accessory.items.map((item, index) => (
-            <span key={index} className={cn("inline-flex items-center gap-1")}>
-              {item.text}
-            </span>
-          ))}
+          {accessory.items
+            .filter((item) => typeof item.text === "string")
+            .map((item, index) => (
+              <span key={index} className={cn("inline-flex items-center gap-1")}>
+                {item.text}
+              </span>
+            ))}
         </span>
       );
     }
@@ -104,16 +108,18 @@ export function SpanCodePathAccessory({
         className
       )}
     >
-      {accessory.items.map((item, index) => (
-        <Fragment key={index}>
-          <span className={cn("truncate", "text-text-dimmed")}>{item.text}</span>
-          {index < accessory.items.length - 1 && (
-            <span className="text-text-dimmed">
-              <ChevronRightIcon className="size-4" />
-            </span>
-          )}
-        </Fragment>
-      ))}
+      {accessory.items
+        .filter((item) => typeof item.text === "string")
+        .map((item, index, filtered) => (
+          <Fragment key={index}>
+            <span className={cn("truncate", "text-text-dimmed")}>{item.text}</span>
+            {index < filtered.length - 1 && (
+              <span className="text-text-dimmed">
+                <ChevronRightIcon className="size-4" />
+              </span>
+            )}
+          </Fragment>
+        ))}
     </code>
   );
 }
diff --git a/apps/webapp/app/components/runs/v3/TaskRunsTable.tsx b/apps/webapp/app/components/runs/v3/TaskRunsTable.tsx
index fbede0e7cec..9c670864900 100644
--- a/apps/webapp/app/components/runs/v3/TaskRunsTable.tsx
+++ b/apps/webapp/app/components/runs/v3/TaskRunsTable.tsx
@@ -23,6 +23,7 @@ import { useSelectedItems } from "~/components/primitives/SelectedItemsProvider"
 import { SimpleTooltip } from "~/components/primitives/Tooltip";
 import { TruncatedCopyableValue } from "~/components/primitives/TruncatedCopyableValue";
 import { useEnvironment } from "~/hooks/useEnvironment";
+import { useRegions } from "~/hooks/useRegions";
 import { useFeatures } from "~/hooks/useFeatures";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
@@ -31,7 +32,7 @@ import {
   type NextRunListItem,
 } from "~/presenters/v3/NextRunListPresenter.server";
 import { formatCurrencyAccurate } from "~/utils/numberFormatter";
-import { docsPath, v3RunSpanPath, v3TestPath,v3TestTaskPath } from "~/utils/pathBuilder";
+import { docsPath, v3RunSpanPath, v3TestPath, v3TestTaskPath } from "~/utils/pathBuilder";
 import { DateTime } from "../../primitives/DateTime";
 import { Paragraph } from "../../primitives/Paragraph";
 import { Spinner } from "../../primitives/Spinner";
@@ -47,6 +48,7 @@ import {
   type TableVariant,
 } from "../../primitives/Table";
 import { CancelRunDialog } from "./CancelRunDialog";
+import { RegionLabel } from "./RegionLabel";
 import { LiveTimer } from "./LiveTimer";
 import { ReplayRunDialog } from "./ReplayRunDialog";
 import { RunTag } from "./RunTag";
@@ -55,8 +57,11 @@ import {
   filterableTaskRunStatuses,
   TaskRunStatusCombo,
 } from "./TaskRunStatus";
+import { RunStatusCellTooltip } from "./RunStatusCellTooltip";
+import { TaskTriggerSourceIcon } from "./TaskTriggerSource";
 import { useOptimisticLocation } from "~/hooks/useOptimisticLocation";
 import { useSearchParams } from "~/hooks/useSearchParam";
+import type { TaskTriggerSource } from "@trigger.dev/database";
 
 type RunsTableProps = {
   total: number;
@@ -70,6 +75,7 @@ type RunsTableProps = {
   variant?: TableVariant;
   disableAdjacentRows?: boolean;
   additionalTableState?: Record<string, string>;
+  childrenStatusesBasePath?: string;
 };
 
 export function TaskRunsTable({
@@ -83,9 +89,13 @@ export function TaskRunsTable({
   allowSelection = false,
   variant = "dimmed",
   additionalTableState,
+  childrenStatusesBasePath,
 }: RunsTableProps) {
+  const regions = useRegions();
+  const regionByMasterQueue = new Map(regions.map((r) => [r.masterQueue, r] as const));
   const organization = useOrganization();
   const project = useProject();
+  const environment = useEnvironment();
   const checkboxes = useRef<(HTMLInputElement | null)[]>([]);
   const { has, hasAll, select, deselect, toggle } = useSelectedItems(allowSelection);
   const { isManagedCloud } = useFeatures();
@@ -102,9 +112,10 @@ export function TaskRunsTable({
   }
   const search = params.toString();
   /** TableState has to be encoded as a separate URI component, so it's merged under one, 'tableState' param */
-  const tableStateParam = disableAdjacentRows ? '' : encodeURIComponent(search);
+  const tableStateParam = disableAdjacentRows ? "" : encodeURIComponent(search);
 
   const showCompute = isManagedCloud;
+  const showRegion = environment.type !== "DEVELOPMENT";
 
   const navigateCheckboxes = useCallback(
     (event: React.KeyboardEvent<HTMLInputElement>, index: number) => {
@@ -162,6 +173,7 @@ export function TaskRunsTable({
           <TableHeaderCell>Task</TableHeaderCell>
           <TableHeaderCell>Version</TableHeaderCell>
           <TableHeaderCell
+            disableTooltipHoverableContent
             tooltip={
               <div className="flex flex-col divide-y divide-grid-dimmed">
                 {filterableTaskRunStatuses.map((status) => (
@@ -185,6 +197,7 @@ export function TaskRunsTable({
           <TableHeaderCell>Started</TableHeaderCell>
           <TableHeaderCell
             colSpan={3}
+            disableTooltipHoverableContent
             tooltip={
               <div className="flex max-w-xs flex-col gap-4 p-1">
                 <div>
@@ -229,6 +242,7 @@ export function TaskRunsTable({
             Machine
           </TableHeaderCell>
           <TableHeaderCell>Queue</TableHeaderCell>
+          {showRegion && <TableHeaderCell>Region</TableHeaderCell>}
           <TableHeaderCell>Test</TableHeaderCell>
           <TableHeaderCell>Created at</TableHeaderCell>
           <TableHeaderCell
@@ -308,20 +322,27 @@ export function TaskRunsTable({
       </TableHeader>
       <TableBody>
         {total === 0 && !hasFilters ? (
-          <TableBlankRow colSpan={15}>
+          <TableBlankRow colSpan={showRegion ? 16 : 15}>
             {!isLoading && <NoRuns title="No runs found" />}
           </TableBlankRow>
         ) : runs.length === 0 ? (
-          <BlankState isLoading={isLoading} filters={filters} />
+          <BlankState isLoading={isLoading} filters={filters} showRegion={showRegion} />
         ) : (
           runs.map((run, index) => {
             const searchParams = new URLSearchParams();
             if (tableStateParam) {
               searchParams.set("tableState", tableStateParam);
             }
-            const path = v3RunSpanPath(organization, project, run.environment, run, {
-              spanId: run.spanId,
-            }, searchParams);
+            const path = v3RunSpanPath(
+              organization,
+              project,
+              run.environment,
+              run,
+              {
+                spanId: run.spanId,
+              },
+              searchParams
+            );
             return (
               <TableRow key={run.id}>
                 {allowSelection && (
@@ -343,17 +364,30 @@ export function TaskRunsTable({
                 </TableCell>
                 <TableCell to={path}>
                   <span className="flex items-center gap-x-1">
+                    <TaskTriggerSourceIcon
+                      source={run.taskKind as TaskTriggerSource}
+                      className="size-3.5 flex-none"
+                    />
                     {run.taskIdentifier}
                     {run.rootTaskRunId === null ? <Badge variant="extra-small">Root</Badge> : null}
                   </span>
                 </TableCell>
                 <TableCell to={path}>{run.version ?? "–"}</TableCell>
                 <TableCell to={path}>
-                  <SimpleTooltip
-                    content={descriptionForTaskRunStatus(run.status)}
-                    disableHoverableContent
-                    button={<TaskRunStatusCombo status={run.status} />}
-                  />
+                  {run.rootTaskRunId === null && childrenStatusesBasePath ? (
+                    <RunStatusCellTooltip
+                      friendlyId={run.friendlyId}
+                      status={run.status}
+                      hasFinished={run.hasFinished}
+                      childrenStatusesBasePath={childrenStatusesBasePath}
+                    />
+                  ) : (
+                    <SimpleTooltip
+                      content={descriptionForTaskRunStatus(run.status)}
+                      disableHoverableContent
+                      button={<TaskRunStatusCombo status={run.status} />}
+                    />
+                  )}
                 </TableCell>
                 <TableCell to={path}>
                   {run.startedAt ? <DateTime date={run.startedAt} /> : "–"}
@@ -426,8 +460,26 @@ export function TaskRunsTable({
                     <span>{run.queue.name}</span>
                   </span>
                 </TableCell>
+                {showRegion && (
+                  <TableCell to={path}>
+                    {run.region ? (
+                      <RegionLabel
+                        region={
+                          regionByMasterQueue.get(run.region) ?? { name: run.region }
+                        }
+                        iconClassName="size-4"
+                      />
+                    ) : (
+                      "–"
+                    )}
+                  </TableCell>
+                )}
                 <TableCell to={path}>
-                  {run.isTest ? <CheckIcon className="size-4 text-charcoal-400" /> : "–"}
+                  {run.isTest ? (
+                    <CheckIcon className="size-4 text-charcoal-400 group-hover/table-row:text-text-bright" />
+                  ) : (
+                    "–"
+                  )}
                 </TableCell>
                 <TableCell to={path}>
                   {run.createdAt ? <DateTime date={run.createdAt} /> : "–"}
@@ -448,8 +500,8 @@ export function TaskRunsTable({
         )}
         {isLoading && (
           <TableBlankRow
-            colSpan={15}
-            className="absolute left-0 top-0 flex h-full w-full items-center justify-center gap-2 bg-charcoal-900/90"
+            colSpan={showRegion ? 16 : 15}
+            className="absolute left-0 top-0 flex h-full w-full items-center justify-center gap-2 bg-background-dimmed"
           >
             <Spinner /> <span className="text-text-dimmed">Loading…</span>
           </TableBlankRow>
@@ -584,15 +636,22 @@ function NoRuns({ title }: { title: string }) {
   );
 }
 
-function BlankState({ isLoading, filters }: Pick<RunsTableProps, "isLoading" | "filters">) {
+function BlankState({
+  isLoading,
+  filters,
+  showRegion,
+}: Pick<RunsTableProps, "isLoading" | "filters"> & { showRegion: boolean }) {
   const organization = useOrganization();
   const project = useProject();
   const environment = useEnvironment();
-  if (isLoading) return <TableBlankRow colSpan={15}></TableBlankRow>;
+  const colSpan = showRegion ? 16 : 15;
+  if (isLoading) return <TableBlankRow colSpan={colSpan}></TableBlankRow>;
 
   const { tasks, from, to, ...otherFilters } = filters;
   const singleTaskFromFilters = filters.tasks.length === 1 ? filters.tasks[0] : null;
-  const testPath = singleTaskFromFilters ? v3TestTaskPath(organization, project, environment, {taskIdentifier: singleTaskFromFilters}) : v3TestPath(organization, project, environment);
+  const testPath = singleTaskFromFilters
+    ? v3TestTaskPath(organization, project, environment, { taskIdentifier: singleTaskFromFilters })
+    : v3TestPath(organization, project, environment);
 
   if (
     filters.tasks.length === 1 &&
@@ -601,7 +660,7 @@ function BlankState({ isLoading, filters }: Pick<RunsTableProps, "isLoading" | "
     Object.values(otherFilters).every((filterArray) => filterArray.length === 0)
   ) {
     return (
-      <TableBlankRow colSpan={15}>
+      <TableBlankRow colSpan={colSpan}>
         <Paragraph className="w-auto" variant="base/bright" spacing>
           There are no runs for {filters.tasks[0]}
         </Paragraph>
@@ -629,7 +688,7 @@ function BlankState({ isLoading, filters }: Pick<RunsTableProps, "isLoading" | "
   }
 
   return (
-    <TableBlankRow colSpan={15}>
+    <TableBlankRow colSpan={colSpan}>
       <div className="flex flex-col items-center justify-center gap-6">
         <Paragraph className="w-auto" variant="base/bright">
           No runs match your filters. Try refreshing, modifying your filters or run a test.
@@ -645,11 +704,7 @@ function BlankState({ isLoading, filters }: Pick<RunsTableProps, "isLoading" | "
             Refresh
           </Button>
           <Paragraph>or</Paragraph>
-          <LinkButton
-            LeadingIcon={BeakerIcon}
-            variant="tertiary/medium"
-            to={testPath}
-          >
+          <LinkButton LeadingIcon={BeakerIcon} variant="tertiary/medium" to={testPath}>
             Run a test
           </LinkButton>
         </div>
diff --git a/apps/webapp/app/components/runs/v3/TaskTriggerSource.tsx b/apps/webapp/app/components/runs/v3/TaskTriggerSource.tsx
index 8d81e2f36c3..cb06c8e2a92 100644
--- a/apps/webapp/app/components/runs/v3/TaskTriggerSource.tsx
+++ b/apps/webapp/app/components/runs/v3/TaskTriggerSource.tsx
@@ -1,4 +1,4 @@
-import { ClockIcon } from "@heroicons/react/20/solid";
+import { ClockIcon, CpuChipIcon } from "@heroicons/react/20/solid";
 import type { TaskTriggerSource } from "@trigger.dev/database";
 import { TaskIconSmall } from "~/assets/icons/TaskIcon";
 import { cn } from "~/utils/cn";
@@ -12,13 +12,20 @@ export function TaskTriggerSourceIcon({
 }) {
   switch (source) {
     case "STANDARD": {
-      return <TaskIconSmall className="size-[1.125rem] min-w-[1.125rem] text-tasks" />;
+      return (
+        <TaskIconSmall className={cn("size-[1.125rem] min-w-[1.125rem] text-tasks", className)} />
+      );
     }
     case "SCHEDULED": {
       return (
         <ClockIcon className={cn("size-[1.125rem] min-w-[1.125rem] text-schedules", className)} />
       );
     }
+    case "AGENT": {
+      return (
+        <CpuChipIcon className={cn("size-[1.125rem] min-w-[1.125rem] text-indigo-500", className)} />
+      );
+    }
   }
 }
 
@@ -30,5 +37,8 @@ export function taskTriggerSourceDescription(source: TaskTriggerSource) {
     case "SCHEDULED": {
       return "Scheduled task";
     }
+    case "AGENT": {
+      return "Agent";
+    }
   }
 }
diff --git a/apps/webapp/app/components/runs/v3/WaitpointTokenFilters.tsx b/apps/webapp/app/components/runs/v3/WaitpointTokenFilters.tsx
index ae416394147..3868a496d79 100644
--- a/apps/webapp/app/components/runs/v3/WaitpointTokenFilters.tsx
+++ b/apps/webapp/app/components/runs/v3/WaitpointTokenFilters.tsx
@@ -1,28 +1,24 @@
 import * as Ariakit from "@ariakit/react";
-import { CalendarIcon, FingerPrintIcon, TagIcon, TrashIcon } from "@heroicons/react/20/solid";
+import { FingerPrintIcon, TagIcon, XMarkIcon } from "@heroicons/react/20/solid";
 import { Form, useFetcher } from "@remix-run/react";
 import { WaitpointTokenStatus, waitpointTokenStatuses } from "@trigger.dev/core/v3";
-import { ListChecks, ListFilterIcon } from "lucide-react";
+import { ListChecks } from "lucide-react";
 import { matchSorter } from "match-sorter";
-import { type ReactNode, useCallback, useEffect, useMemo, useState } from "react";
+import { type ReactNode, useCallback, useEffect, useMemo, useRef, useState } from "react";
 import { z } from "zod";
 import { StatusIcon } from "~/assets/icons/StatusIcon";
 import { AppliedFilter } from "~/components/primitives/AppliedFilter";
 import { Button } from "~/components/primitives/Buttons";
-import { FormError } from "~/components/primitives/FormError";
-import { Input } from "~/components/primitives/Input";
-import { Label } from "~/components/primitives/Label";
 import { Paragraph } from "~/components/primitives/Paragraph";
 import {
   ComboBox,
-  SelectButtonItem,
   SelectItem,
   SelectList,
   SelectPopover,
   SelectProvider,
-  SelectTrigger,
   shortcutFromIndex,
 } from "~/components/primitives/Select";
+import { ShortcutKey } from "~/components/primitives/ShortcutKey";
 import { Spinner } from "~/components/primitives/Spinner";
 import {
   Tooltip,
@@ -35,8 +31,15 @@ import { useOptimisticLocation } from "~/hooks/useOptimisticLocation";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
 import { useSearchParams } from "~/hooks/useSearchParam";
+import { useShortcutKeys } from "~/hooks/useShortcutKeys";
 import { type loader as tagsLoader } from "~/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.waitpoints.tags";
-import { TimeFilter, appliedSummary, FilterMenuProvider } from "./SharedFilters";
+import {
+  IdFilterDropdown,
+  type IdFilterDropdownProps,
+  appliedSummary,
+  FilterMenuProvider,
+  TimeFilter,
+} from "./SharedFilters";
 import { WaitpointStatusCombo, waitpointStatusTitle } from "./WaitpointStatus";
 
 export const WaitpointSearchParamsSchema = z.object({
@@ -66,136 +69,33 @@ export function WaitpointTokenFilters(props: WaitpointTokenFiltersProps) {
     searchParams.has("statuses") ||
     searchParams.has("tags") ||
     searchParams.has("id") ||
-    searchParams.has("idempotencyKey");
+    searchParams.has("idempotencyKey") ||
+    searchParams.has("period") ||
+    searchParams.has("from") ||
+    searchParams.has("to");
 
   return (
-    <div className="flex flex-row flex-wrap items-center gap-1">
-      <FilterMenu />
-      <TimeFilter />
-      <AppliedFilters />
+    <div className="flex flex-row flex-wrap items-center gap-1.5">
+      <PermanentStatusFilter />
+      <PermanentTagsFilter />
+      <PermanentWaitpointIdFilter />
+      <PermanentIdempotencyKeyFilter />
+      <TimeFilter shortcut={{ key: "d" }} />
       {hasFilters && (
-        <Form className="h-6">
-          <Button variant="minimal/small" LeadingIcon={TrashIcon} tooltip="Clear all filters" />
+        <Form className="-ml-1 h-6">
+          <Button
+            variant="minimal/small"
+            LeadingIcon={XMarkIcon}
+            tooltip="Clear all filters"
+            className="group-hover/button:bg-transparent"
+            leadingIconClassName="group-hover/button:text-text-bright"
+          />
         </Form>
       )}
     </div>
   );
 }
 
-const filterTypes = [
-  {
-    name: "statuses",
-    title: "Status",
-    icon: <StatusIcon className="size-4" />,
-  },
-  { name: "tags", title: "Tags", icon: <TagIcon className="size-4" /> },
-  { name: "id", title: "Waitpoint ID", icon: <FingerPrintIcon className="size-4" /> },
-  { name: "idempotencyKey", title: "Idempotency key", icon: <ListChecks className="size-4" /> },
-] as const;
-
-type FilterType = (typeof filterTypes)[number]["name"];
-
-const shortcut = { key: "f" };
-
-function FilterMenu() {
-  const [filterType, setFilterType] = useState<FilterType | undefined>();
-
-  const filterTrigger = (
-    <SelectTrigger
-      icon={
-        <div className="flex size-4 items-center justify-center">
-          <ListFilterIcon className="size-3.5" />
-        </div>
-      }
-      variant={"secondary/small"}
-      shortcut={shortcut}
-      tooltipTitle={"Filter runs"}
-    >
-      Filter
-    </SelectTrigger>
-  );
-
-  return (
-    <FilterMenuProvider onClose={() => setFilterType(undefined)}>
-      {(search, setSearch) => (
-        <Menu
-          searchValue={search}
-          clearSearchValue={() => setSearch("")}
-          trigger={filterTrigger}
-          filterType={filterType}
-          setFilterType={setFilterType}
-        />
-      )}
-    </FilterMenuProvider>
-  );
-}
-
-function AppliedFilters() {
-  return (
-    <>
-      <AppliedStatusFilter />
-      <AppliedTagsFilter />
-      <AppliedWaitpointIdFilter />
-      <AppliedIdempotencyKeyFilter />
-    </>
-  );
-}
-
-type MenuProps = {
-  searchValue: string;
-  clearSearchValue: () => void;
-  trigger: React.ReactNode;
-  filterType: FilterType | undefined;
-  setFilterType: (filterType: FilterType | undefined) => void;
-};
-
-function Menu(props: MenuProps) {
-  switch (props.filterType) {
-    case undefined:
-      return <MainMenu {...props} />;
-    case "statuses":
-      return <StatusDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
-    case "tags":
-      return <TagsDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
-    case "id":
-      return <WaitpointIdDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
-    case "idempotencyKey":
-      return <IdempotencyKeyDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
-  }
-}
-
-function MainMenu({ searchValue, trigger, clearSearchValue, setFilterType }: MenuProps) {
-  const filtered = useMemo(() => {
-    return filterTypes.filter((item) => {
-      return item.title.toLowerCase().includes(searchValue.toLowerCase());
-    });
-  }, [searchValue]);
-
-  return (
-    <SelectProvider virtualFocus={true}>
-      {trigger}
-      <SelectPopover>
-        <ComboBox placeholder={"Filter by..."} shortcut={shortcut} value={searchValue} />
-        <SelectList>
-          {filtered.map((type, index) => (
-            <SelectButtonItem
-              key={type.name}
-              onClick={() => {
-                clearSearchValue();
-                setFilterType(type.name);
-              }}
-              icon={type.icon}
-              shortcut={shortcutFromIndex(index, { shortcutsEnabled: true })}
-            >
-              {type.title}
-            </SelectButtonItem>
-          ))}
-        </SelectList>
-      </SelectPopover>
-    </SelectProvider>
-  );
-}
-
 const statuses = waitpointTokenStatuses.map((status) => ({
   title: waitpointStatusTitle(status),
   value: status,
@@ -237,7 +137,6 @@ function StatusDropdown({
           return true;
         }}
       >
-        <ComboBox placeholder={"Filter by status..."} value={searchValue} />
         <SelectList>
           {filtered.map((item, index) => {
             return (
@@ -249,7 +148,7 @@ function StatusDropdown({
                 <TooltipProvider>
                   <Tooltip>
                     <TooltipTrigger className="group flex w-full flex-col py-0">
-                      <WaitpointStatusCombo status={item.value} />
+                      <WaitpointStatusCombo status={item.value} iconClassName="animate-none" />
                     </TooltipTrigger>
                     <TooltipContent side="right" sideOffset={50}>
                       <Paragraph variant="extra-small">
@@ -267,30 +166,68 @@ function StatusDropdown({
   );
 }
 
-function AppliedStatusFilter() {
-  const { values, del } = useSearchParams();
-  const statuses = values("statuses");
+const statusShortcut = { key: "s" };
 
-  if (statuses.length === 0) {
-    return null;
-  }
+function PermanentStatusFilter() {
+  const { values, del } = useSearchParams();
+  const selectedStatuses = values("statuses");
+  const hasStatuses = selectedStatuses.length > 0 && !selectedStatuses.every((v) => v === "");
+  const triggerRef = useRef<HTMLButtonElement>(null);
+
+  useShortcutKeys({
+    shortcut: statusShortcut,
+    action: (e) => {
+      e.preventDefault();
+      e.stopPropagation();
+      triggerRef.current?.click();
+    },
+  });
 
   return (
     <FilterMenuProvider>
       {(search, setSearch) => (
         <StatusDropdown
           trigger={
-            <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
-              <AppliedFilter
-                label="Status"
-                icon={<StatusIcon className="size-3.5" />}
-                value={appliedSummary(
-                  statuses.map((v) => waitpointStatusTitle(v as WaitpointTokenStatus))
+            <Ariakit.TooltipProvider timeout={200} hideTimeout={0}>
+              <Ariakit.TooltipAnchor
+                render={
+                  <Ariakit.Select
+                    ref={triggerRef as any}
+                    render={<div className="group cursor-pointer focus-custom" />}
+                  />
+                }
+              >
+                {hasStatuses ? (
+                  <AppliedFilter
+                    label="Status"
+                    icon={<StatusIcon className="size-3.5" />}
+                    value={appliedSummary(
+                      selectedStatuses.map((v) => waitpointStatusTitle(v as WaitpointTokenStatus))
+                    )}
+                    onRemove={() => del(["statuses", "cursor", "direction"])}
+                    variant="secondary/small"
+                    className="pl-1"
+                  />
+                ) : (
+                  <div className="flex h-6 items-center gap-1 rounded border border-charcoal-600 bg-secondary pl-1 pr-2 text-xs text-text-bright transition group-hover:border-charcoal-550 group-hover:bg-charcoal-600">
+                    <div className="grid size-4 place-items-center">
+                      <div className="size-[75%] rounded-full border-2 border-text-bright" />
+                    </div>
+                    <span>Status</span>
+                  </div>
                 )}
-                onRemove={() => del(["statuses", "cursor", "direction"])}
-                variant="secondary/small"
-              />
-            </Ariakit.Select>
+              </Ariakit.TooltipAnchor>
+              <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright px-2 py-1.5 text-xs">
+                <div className="flex items-center gap-2">
+                  <span>Filter by status</span>
+                  <ShortcutKey
+                    className="size-4 flex-none"
+                    shortcut={statusShortcut}
+                    variant="small"
+                  />
+                </div>
+              </Ariakit.Tooltip>
+            </Ariakit.TooltipProvider>
           }
           searchValue={search}
           clearSearchValue={() => setSearch("")}
@@ -366,19 +303,21 @@ function TagsDropdown({
           return true;
         }}
       >
-        <ComboBox
-          value={searchValue}
-          render={(props) => (
-            <div className="flex items-center justify-stretch">
-              <input {...props} placeholder={"Filter by tags..."} />
-              {fetcher.state === "loading" && <Spinner color="muted" />}
-            </div>
-          )}
-        />
+        {!(filtered.length === 0 && fetcher.state !== "loading" && searchValue === "") && (
+          <ComboBox
+            value={searchValue}
+            render={(props) => (
+              <div className="flex items-center justify-stretch">
+                <input {...props} placeholder={"Filter by tags..."} />
+                {fetcher.state === "loading" && <Spinner color="muted" />}
+              </div>
+            )}
+          />
+        )}
         <SelectList>
           {filtered.length > 0
-            ? filtered.map((tag, index) => (
-                <SelectItem key={tag} value={tag}>
+            ? filtered.map((tag) => (
+                <SelectItem key={tag} value={tag} className="text-text-bright">
                   {tag}
                 </SelectItem>
               ))
@@ -392,29 +331,64 @@ function TagsDropdown({
   );
 }
 
-function AppliedTagsFilter() {
-  const { values, del } = useSearchParams();
+const tagsShortcut = { key: "g" };
 
+function PermanentTagsFilter() {
+  const { values, del } = useSearchParams();
   const tags = values("tags");
-
-  if (tags.length === 0) {
-    return null;
-  }
+  const hasTags = tags.length > 0 && !tags.every((v) => v === "");
+  const triggerRef = useRef<HTMLButtonElement>(null);
+
+  useShortcutKeys({
+    shortcut: tagsShortcut,
+    action: (e) => {
+      e.preventDefault();
+      e.stopPropagation();
+      triggerRef.current?.click();
+    },
+  });
 
   return (
     <FilterMenuProvider>
       {(search, setSearch) => (
         <TagsDropdown
           trigger={
-            <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
-              <AppliedFilter
-                label="Tags"
-                icon={<TagIcon className="size-3.5" />}
-                value={appliedSummary(values("tags"))}
-                onRemove={() => del(["tags", "cursor", "direction"])}
-                variant="secondary/small"
-              />
-            </Ariakit.Select>
+            <Ariakit.TooltipProvider timeout={200} hideTimeout={0}>
+              <Ariakit.TooltipAnchor
+                render={
+                  <Ariakit.Select
+                    ref={triggerRef as any}
+                    render={<div className="group cursor-pointer focus-custom" />}
+                  />
+                }
+              >
+                {hasTags ? (
+                  <AppliedFilter
+                    label="Tags"
+                    icon={<TagIcon className="size-3.5" />}
+                    value={appliedSummary(tags)}
+                    onRemove={() => del(["tags", "cursor", "direction"])}
+                    variant="secondary/small"
+                    className="pl-1"
+                  />
+                ) : (
+                  <div className="flex h-6 items-center gap-1.5 rounded border border-charcoal-600 bg-secondary pl-1 pr-2 text-xs text-text-bright transition group-hover:border-charcoal-550 group-hover:bg-charcoal-600">
+                    <TagIcon className="size-4" />
+                    <span>Tags</span>
+                  </div>
+                )}
+              </Ariakit.TooltipAnchor>
+              <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright px-2 py-1.5 text-xs">
+                <div className="flex items-center gap-2">
+                  <span>Filter by tags</span>
+                  <ShortcutKey
+                    className="size-4 flex-none"
+                    shortcut={tagsShortcut}
+                    variant="small"
+                  />
+                </div>
+              </Ariakit.Tooltip>
+            </Ariakit.TooltipProvider>
           }
           searchValue={search}
           clearSearchValue={() => setSearch("")}
@@ -424,117 +398,82 @@ function AppliedTagsFilter() {
   );
 }
 
-function WaitpointIdDropdown({
-  trigger,
-  clearSearchValue,
-  searchValue,
-  onClose,
-}: {
-  trigger: ReactNode;
-  clearSearchValue: () => void;
-  searchValue: string;
-  onClose?: () => void;
-}) {
-  const [open, setOpen] = useState<boolean | undefined>();
-  const { value, replace } = useSearchParams();
-  const idValue = value("id");
-
-  const [id, setId] = useState(idValue);
-
-  const apply = useCallback(() => {
-    clearSearchValue();
-    replace({
-      cursor: undefined,
-      direction: undefined,
-      id: id === "" ? undefined : id?.toString(),
-    });
-
-    setOpen(false);
-  }, [id, replace]);
-
-  let error: string | undefined = undefined;
-  if (id) {
-    if (!id.startsWith("waitpoint_")) {
-      error = "Waitpoint IDs start with 'waitpoint_'";
-    } else if (id.length !== 35) {
-      error = "Waitpoint IDs are 35 characters long";
-    }
-  }
-
+function WaitpointIdDropdown(
+  props: Omit<IdFilterDropdownProps, "label" | "placeholder" | "paramKey" | "validate">
+) {
   return (
-    <SelectProvider virtualFocus={true} open={open} setOpen={setOpen}>
-      {trigger}
-      <SelectPopover
-        hideOnEnter={false}
-        hideOnEscape={() => {
-          if (onClose) {
-            onClose();
-            return false;
-          }
-
-          return true;
-        }}
-        className="max-w-[min(32ch,var(--popover-available-width))]"
-      >
-        <div className="flex flex-col gap-4 p-3">
-          <div className="flex flex-col gap-1">
-            <Label>Waitpoint ID</Label>
-            <Input
-              placeholder="run_"
-              value={id ?? ""}
-              onChange={(e) => setId(e.target.value)}
-              variant="small"
-              className="w-[27ch] font-mono"
-              spellCheck={false}
-            />
-            {error ? <FormError>{error}</FormError> : null}
-          </div>
-          <div className="flex justify-between gap-1 border-t border-grid-dimmed pt-3">
-            <Button variant="tertiary/small" onClick={() => setOpen(false)}>
-              Cancel
-            </Button>
-            <Button
-              disabled={error !== undefined || !id}
-              variant="secondary/small"
-              shortcut={{
-                modifiers: ["mod"],
-                key: "Enter",
-                enabledOnInputElements: true,
-              }}
-              onClick={() => apply()}
-            >
-              Apply
-            </Button>
-          </div>
-        </div>
-      </SelectPopover>
-    </SelectProvider>
+    <IdFilterDropdown
+      {...props}
+      label="Waitpoint ID"
+      placeholder="waitpoint_"
+      paramKey="id"
+      validate={(v) => {
+        if (!v.startsWith("waitpoint_")) return "Waitpoint IDs start with 'waitpoint_'";
+        if (v.length !== 35) return "Waitpoint IDs are 35 characters long";
+        return undefined;
+      }}
+    />
   );
 }
 
-function AppliedWaitpointIdFilter() {
-  const { value, del } = useSearchParams();
-
-  if (value("id") === undefined) {
-    return null;
-  }
+const waitpointIdShortcut = { key: "w" };
 
+function PermanentWaitpointIdFilter() {
+  const { value, del } = useSearchParams();
   const id = value("id");
+  const hasId = id !== undefined;
+  const triggerRef = useRef<HTMLButtonElement>(null);
+
+  useShortcutKeys({
+    shortcut: waitpointIdShortcut,
+    action: (e) => {
+      e.preventDefault();
+      e.stopPropagation();
+      triggerRef.current?.click();
+    },
+  });
 
   return (
     <FilterMenuProvider>
       {(search, setSearch) => (
         <WaitpointIdDropdown
           trigger={
-            <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
-              <AppliedFilter
-                label="ID"
-                icon={<FingerPrintIcon className="size-3.5" />}
-                value={id}
-                onRemove={() => del(["id", "cursor", "direction"])}
-                variant="secondary/small"
-              />
-            </Ariakit.Select>
+            <Ariakit.TooltipProvider timeout={200} hideTimeout={0}>
+              <Ariakit.TooltipAnchor
+                render={
+                  <Ariakit.Select
+                    ref={triggerRef as any}
+                    render={<div className="group cursor-pointer focus-custom" />}
+                  />
+                }
+              >
+                {hasId ? (
+                  <AppliedFilter
+                    label="ID"
+                    icon={<FingerPrintIcon className="size-3.5" />}
+                    value={id}
+                    onRemove={() => del(["id", "cursor", "direction"])}
+                    variant="secondary/small"
+                    className="pl-1"
+                  />
+                ) : (
+                  <div className="flex h-6 items-center gap-1.5 rounded border border-charcoal-600 bg-secondary pl-1 pr-2 text-xs text-text-bright transition group-hover:border-charcoal-550 group-hover:bg-charcoal-600">
+                    <FingerPrintIcon className="size-4" />
+                    <span>Waitpoint ID</span>
+                  </div>
+                )}
+              </Ariakit.TooltipAnchor>
+              <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright px-2 py-1.5 text-xs">
+                <div className="flex items-center gap-2">
+                  <span>Filter by waitpoint ID</span>
+                  <ShortcutKey
+                    className="size-4 flex-none"
+                    shortcut={waitpointIdShortcut}
+                    variant="small"
+                  />
+                </div>
+              </Ariakit.Tooltip>
+            </Ariakit.TooltipProvider>
           }
           searchValue={search}
           clearSearchValue={() => setSearch("")}
@@ -544,115 +483,81 @@ function AppliedWaitpointIdFilter() {
   );
 }
 
-function IdempotencyKeyDropdown({
-  trigger,
-  clearSearchValue,
-  searchValue,
-  onClose,
-}: {
-  trigger: ReactNode;
-  clearSearchValue: () => void;
-  searchValue: string;
-  onClose?: () => void;
-}) {
-  const [open, setOpen] = useState<boolean | undefined>();
-  const { value, replace } = useSearchParams();
-  const idValue = value("idempotencyKey");
-
-  const [idempotencyKey, setIdempotencyKey] = useState(idValue);
-
-  const apply = useCallback(() => {
-    clearSearchValue();
-    replace({
-      cursor: undefined,
-      direction: undefined,
-      idempotencyKey: idempotencyKey === "" ? undefined : idempotencyKey?.toString(),
-    });
-
-    setOpen(false);
-  }, [idempotencyKey, replace]);
-
-  let error: string | undefined = undefined;
-  if (idempotencyKey) {
-    if (idempotencyKey.length === 0) {
-      error = "Idempotency keys need to be at least 1 character in length";
-    }
-  }
-
+function IdempotencyKeyDropdown(
+  props: Omit<IdFilterDropdownProps, "label" | "placeholder" | "paramKey" | "validate">
+) {
   return (
-    <SelectProvider virtualFocus={true} open={open} setOpen={setOpen}>
-      {trigger}
-      <SelectPopover
-        hideOnEnter={false}
-        hideOnEscape={() => {
-          if (onClose) {
-            onClose();
-            return false;
-          }
-
-          return true;
-        }}
-        className="max-w-[min(32ch,var(--popover-available-width))]"
-      >
-        <div className="flex flex-col gap-4 p-3">
-          <div className="flex flex-col gap-1">
-            <Label>Idempotency key</Label>
-            <Input
-              placeholder=""
-              value={idempotencyKey ?? ""}
-              onChange={(e) => setIdempotencyKey(e.target.value)}
-              variant="small"
-              className="w-[27ch] font-mono"
-              spellCheck={false}
-            />
-            {error ? <FormError>{error}</FormError> : null}
-          </div>
-          <div className="flex justify-between gap-1 border-t border-grid-dimmed pt-3">
-            <Button variant="tertiary/small" onClick={() => setOpen(false)}>
-              Cancel
-            </Button>
-            <Button
-              disabled={error !== undefined || !idempotencyKey}
-              variant="secondary/small"
-              shortcut={{
-                modifiers: ["mod"],
-                key: "Enter",
-                enabledOnInputElements: true,
-              }}
-              onClick={() => apply()}
-            >
-              Apply
-            </Button>
-          </div>
-        </div>
-      </SelectPopover>
-    </SelectProvider>
+    <IdFilterDropdown
+      {...props}
+      label="Idempotency key"
+      placeholder=""
+      paramKey="idempotencyKey"
+      validate={(v) => {
+        if (v.length === 0) return "Idempotency keys need to be at least 1 character in length";
+        return undefined;
+      }}
+    />
   );
 }
 
-function AppliedIdempotencyKeyFilter() {
-  const { value, del } = useSearchParams();
-
-  if (value("idempotencyKey") === undefined) {
-    return null;
-  }
+const idempotencyKeyShortcut = { key: "i" };
 
+function PermanentIdempotencyKeyFilter() {
+  const { value, del } = useSearchParams();
   const idempotencyKey = value("idempotencyKey");
+  const hasKey = idempotencyKey !== undefined;
+  const triggerRef = useRef<HTMLButtonElement>(null);
+
+  useShortcutKeys({
+    shortcut: idempotencyKeyShortcut,
+    action: (e) => {
+      e.preventDefault();
+      e.stopPropagation();
+      triggerRef.current?.click();
+    },
+  });
 
   return (
     <FilterMenuProvider>
       {(search, setSearch) => (
         <IdempotencyKeyDropdown
           trigger={
-            <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
-              <AppliedFilter
-                label="Idempotency key"
-                icon={<ListChecks className="size-3.5" />}
-                value={idempotencyKey}
-                onRemove={() => del(["idempotencyKey", "cursor", "direction"])}
-                variant="secondary/small"
-              />
-            </Ariakit.Select>
+            <Ariakit.TooltipProvider timeout={200} hideTimeout={0}>
+              <Ariakit.TooltipAnchor
+                render={
+                  <Ariakit.Select
+                    ref={triggerRef as any}
+                    render={<div className="group cursor-pointer focus-custom" />}
+                  />
+                }
+              >
+                {hasKey ? (
+                  <AppliedFilter
+                    label="Idempotency key"
+                    icon={<ListChecks className="size-3.5" />}
+                    value={idempotencyKey}
+                    onRemove={() => del(["idempotencyKey", "cursor", "direction"])}
+                    variant="secondary/small"
+                    className="pl-1"
+                  />
+                ) : (
+                  <div className="flex h-6 items-center gap-1.5 rounded border border-charcoal-600 bg-secondary pl-1 pr-2 text-xs text-text-bright transition group-hover:border-charcoal-550 group-hover:bg-charcoal-600">
+                    <ListChecks className="size-4" />
+                    <span>Idempotency key</span>
+                  </div>
+                )}
+              </Ariakit.TooltipAnchor>
+              <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright px-2 py-1.5 text-xs">
+                <div className="flex items-center gap-2">
+                  <span>Filter by idempotency key</span>
+                  <ShortcutKey
+                    className="size-4 flex-none"
+                    shortcut={idempotencyKeyShortcut}
+                    variant="small"
+                  />
+                </div>
+              </Ariakit.Tooltip>
+            </Ariakit.TooltipProvider>
           }
           searchValue={search}
           clearSearchValue={() => setSearch("")}
diff --git a/apps/webapp/app/components/runs/v3/agent/AgentMessageView.tsx b/apps/webapp/app/components/runs/v3/agent/AgentMessageView.tsx
new file mode 100644
index 00000000000..fbd7faf2298
--- /dev/null
+++ b/apps/webapp/app/components/runs/v3/agent/AgentMessageView.tsx
@@ -0,0 +1,306 @@
+import type { UIMessage } from "@ai-sdk/react";
+import { memo } from "react";
+import {
+  AssistantResponse,
+  ChatBubble,
+  ToolUseRow,
+} from "~/components/runs/v3/ai/AIChatMessages";
+import { Popover, PopoverContent, PopoverTrigger } from "~/components/primitives/Popover";
+
+// ---------------------------------------------------------------------------
+// AgentMessageView — renders an AI SDK UIMessage[] conversation.
+//
+// Extracted from the playground route so it can be reused on the run details
+// page when the user picks the Agent view.
+//
+// UIMessage part types (AI SDK):
+//   text            — markdown text content
+//   reasoning       — model reasoning/thinking
+//   tool-{name}     — tool call with input/output/state
+//   source-url      — citation link
+//   source-document — citation document reference
+//   file            — file attachment (image, etc.)
+//   step-start      — visual separator between steps
+//   data-{name}     — custom data parts (rendered as a small popover)
+// ---------------------------------------------------------------------------
+
+export function AgentMessageView({ messages }: { messages: UIMessage[] }) {
+  return (
+    <div className="mx-auto flex w-full min-w-0 max-w-[800px] flex-col gap-2">
+      {messages.map((msg) => (
+        <MessageBubble key={msg.id} message={msg} />
+      ))}
+    </div>
+  );
+}
+
+// Memoized so stable messages (anything older than the one currently
+// streaming) don't re-render on every chunk. This matters a lot during
+// `resumeStream()` history replay, where each re-render would otherwise
+// re-run Prism highlighting on every tool-call CodeBlock in the list.
+//
+// Default shallow prop comparison is fine: AI SDK's useChat keeps stable
+// references for messages that haven't changed, so only the last message
+// (the one receiving new chunks) re-renders.
+export const MessageBubble = memo(function MessageBubble({
+  message,
+}: {
+  message: UIMessage;
+}) {
+  if (message.role === "user") {
+    const text =
+      message.parts
+        ?.filter((p) => p.type === "text")
+        .map((p) => (p as { type: "text"; text: string }).text)
+        .join("") ?? "";
+
+    return (
+      <div className="flex min-w-0 justify-end">
+        <div className="max-w-[80%] rounded-lg bg-indigo-600 px-4 py-2.5 text-sm text-white">
+          <div className="whitespace-pre-wrap [overflow-wrap:anywhere]">{text}</div>
+        </div>
+      </div>
+    );
+  }
+
+  if (message.role === "assistant") {
+    const hasContent = message.parts && message.parts.length > 0;
+    if (!hasContent) return null;
+
+    return (
+      <div className="space-y-2">
+        {message.parts?.map((part, i) => renderPart(part, i))}
+      </div>
+    );
+  }
+
+  return null;
+});
+
+// URLs in `source-url`/`file` parts come from streamed agent/tool data, so an
+// unsafe scheme like `javascript:` would become a clickable XSS payload once it
+// reaches an href/src. Allow only http(s)/blob (and data: for inline images),
+// and return null for anything else so the caller can skip the link/image.
+export function toSafeUrl(value: unknown, allowDataImage = false): string | null {
+  if (typeof value !== "string") return null;
+  let parsed: URL;
+  try {
+    parsed = new URL(value);
+  } catch {
+    return null;
+  }
+  if (parsed.protocol === "http:" || parsed.protocol === "https:" || parsed.protocol === "blob:") {
+    return value;
+  }
+  if (allowDataImage && parsed.protocol === "data:" && /^data:image\//i.test(value)) {
+    return value;
+  }
+  return null;
+}
+
+export function renderPart(part: UIMessage["parts"][number], i: number) {
+  const p = part as any;
+  const type = part.type as string;
+
+  // Text — markdown rendered via AssistantResponse
+  if (type === "text") {
+    return p.text ? <AssistantResponse key={i} text={p.text} headerLabel="" /> : null;
+  }
+
+  // Reasoning — amber-bordered italic block
+  if (type === "reasoning") {
+    return (
+      <div key={i} className="border-l-2 border-amber-500/40 pl-2">
+        <ChatBubble>
+          <div className="whitespace-pre-wrap text-xs italic text-amber-200/70">
+            {p.text ?? ""}
+          </div>
+        </ChatBubble>
+      </div>
+    );
+  }
+
+  // Tool call — type: "tool-{name}" with toolCallId, input, output, state
+  if (type.startsWith("tool-")) {
+    const toolName = type.slice(5);
+
+    // Sub-agent tool: output is a UIMessage with parts
+    const isSubAgent =
+      p.output != null && typeof p.output === "object" && Array.isArray(p.output.parts);
+
+    // For sub-agent tools, show the last text part as the "output" tab
+    // (mirrors what toModelOutput typically sends to the parent LLM)
+    // instead of dumping the full UIMessage JSON.
+    let resultOutput: string | undefined;
+    if (isSubAgent) {
+      const lastText = (p.output.parts as any[])
+        .filter((part: any) => part.type === "text" && part.text)
+        .pop();
+      resultOutput = lastText?.text ?? undefined;
+    } else if (p.output != null) {
+      resultOutput =
+        typeof p.output === "string" ? p.output : JSON.stringify(p.output, null, 2);
+    }
+
+    // Status label for the tool row. AI SDK 7 HITL adds the
+    // approval-requested / approval-responded states between input-available
+    // and output-available, so surface those alongside the existing states.
+    let resultSummary: string | undefined;
+    if (p.state === "input-streaming" || p.state === "input-available") {
+      resultSummary = "calling...";
+    } else if (p.state === "approval-requested") {
+      resultSummary = "awaiting approval";
+    } else if (p.state === "approval-responded" || p.state === "output-denied") {
+      resultSummary = p.approval?.approved
+        ? "approved"
+        : `denied${p.approval?.reason ? `: ${p.approval.reason}` : ""}`;
+    } else if (p.state === "output-error") {
+      resultSummary = `error: ${p.errorText ?? "unknown"}`;
+    }
+
+    return (
+      <ToolUseRow
+        key={i}
+        tool={{
+          toolCallId: p.toolCallId ?? `tool-${i}`,
+          toolName,
+          inputJson: JSON.stringify(p.input ?? {}, null, 2),
+          resultOutput,
+          resultSummary,
+          subAgent: isSubAgent
+            ? {
+                parts: p.output.parts,
+                isStreaming: p.state === "output-available" && p.preliminary === true,
+              }
+            : undefined,
+        }}
+      />
+    );
+  }
+
+  // Source URL — clickable citation link
+  if (type === "source-url") {
+    const safeUrl = toSafeUrl(p.url);
+    const label = p.title || p.url;
+    // Unsafe scheme: render the citation text without a clickable link.
+    if (!safeUrl) {
+      return label ? (
+        <div key={i} className="text-xs text-text-dimmed">
+          {label}
+        </div>
+      ) : null;
+    }
+    return (
+      <div key={i} className="text-xs">
+        <a
+          href={safeUrl}
+          target="_blank"
+          rel="noopener noreferrer"
+          className="text-indigo-400 underline hover:text-indigo-300"
+        >
+          {label}
+        </a>
+      </div>
+    );
+  }
+
+  // Source document — citation label
+  if (type === "source-document") {
+    return (
+      <div key={i} className="text-xs text-text-dimmed">
+        {p.title}
+        {p.mediaType ? ` (${p.mediaType})` : ""}
+      </div>
+    );
+  }
+
+  // File — render as image if image type, otherwise as download link
+  if (type === "file") {
+    const isImage = typeof p.mediaType === "string" && p.mediaType.startsWith("image/");
+    if (isImage) {
+      const safeSrc = toSafeUrl(p.url, true); // allow data: URIs for inline images
+      // Unsafe scheme: fall back to the filename, matching the non-image branch.
+      if (!safeSrc) {
+        return p.filename ? (
+          <div key={i} className="text-xs text-text-dimmed">
+            {p.filename}
+          </div>
+        ) : null;
+      }
+      return (
+        <img
+          key={i}
+          src={safeSrc}
+          alt={p.filename ?? "file"}
+          className="max-h-64 rounded border border-charcoal-650"
+        />
+      );
+    }
+    const safeUrl = toSafeUrl(p.url);
+    // Unsafe scheme: show the filename without a clickable download link.
+    if (!safeUrl) {
+      return p.filename ? (
+        <div key={i} className="text-xs text-text-dimmed">
+          {p.filename}
+        </div>
+      ) : null;
+    }
+    return (
+      <div key={i} className="text-xs">
+        <a
+          href={safeUrl}
+          target="_blank"
+          rel="noopener noreferrer"
+          className="text-indigo-400 underline hover:text-indigo-300"
+        >
+          {p.filename ?? "Download file"}
+        </a>
+      </div>
+    );
+  }
+
+  // Step start — subtle dashed separator with centered label
+  if (type === "step-start") {
+    return (
+      <div key={i} className="flex items-center gap-2 py-0.5">
+        <div className="flex-1 border-t border-dashed border-charcoal-650" />
+        <span className="text-[10px] text-charcoal-500">step</span>
+        <div className="flex-1 border-t border-dashed border-charcoal-650" />
+      </div>
+    );
+  }
+
+  // Data parts — type: "data-{name}", show as labeled JSON popover
+  if (type.startsWith("data-")) {
+    const dataName = type.slice(5);
+    return <DataPartPopover key={i} name={dataName} data={p.data} />;
+  }
+
+  return null;
+}
+
+function DataPartPopover({ name, data }: { name: string; data: unknown }) {
+  const formatted = JSON.stringify(data, null, 2);
+
+  return (
+    <Popover>
+      <PopoverTrigger asChild>
+        <button
+          type="button"
+          className="inline-flex items-center gap-1 rounded border border-charcoal-650 bg-charcoal-800 px-1.5 py-0.5 font-mono text-[10px] text-text-dimmed transition-colors hover:border-charcoal-500 hover:text-text-bright"
+        >
+          <span className="text-purple-400">{name}</span>
+          <span className="text-charcoal-500">{"{}"}</span>
+        </button>
+      </PopoverTrigger>
+      <PopoverContent className="w-auto max-w-md p-0" align="start" sideOffset={4}>
+        <div className="flex items-center justify-between border-b border-charcoal-650 px-2.5 py-1.5">
+          <span className="text-[10px] font-medium text-text-dimmed">data-{name}</span>
+        </div>
+        <div className="max-h-60 overflow-auto scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600">
+          <pre className="p-2.5 text-[11px] leading-relaxed text-text-bright">{formatted}</pre>
+        </div>
+      </PopoverContent>
+    </Popover>
+  );
+}
diff --git a/apps/webapp/app/components/runs/v3/agent/AgentView.tsx b/apps/webapp/app/components/runs/v3/agent/AgentView.tsx
new file mode 100644
index 00000000000..49b34db14c3
--- /dev/null
+++ b/apps/webapp/app/components/runs/v3/agent/AgentView.tsx
@@ -0,0 +1,932 @@
+import type { UIMessage } from "@ai-sdk/react";
+import { ChatSnapshotV1Schema, SSEStreamSubscription } from "@trigger.dev/core/v3";
+import { useEffect, useMemo, useRef, useState } from "react";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import { Spinner } from "~/components/primitives/Spinner";
+import { AgentMessageView } from "~/components/runs/v3/agent/AgentMessageView";
+import { useAutoScrollToBottom } from "~/hooks/useAutoScrollToBottom";
+import { useEnvironment } from "~/hooks/useEnvironment";
+import { useOrganization } from "~/hooks/useOrganizations";
+import { useProject } from "~/hooks/useProject";
+
+export type AgentViewAuth = {
+  publicAccessToken: string;
+  apiOrigin: string;
+  /**
+   * Session identifier the AgentView uses to address the backing
+   * {@link Session} when subscribing to `.in` / `.out`. Accepts either
+   * a `session_*` friendlyId or the transport-supplied externalId
+   * (typically the browser's `chatId`) — the dashboard resource route
+   * resolves either form via `resolveSessionByIdOrExternalId`.
+   */
+  sessionId: string;
+  /**
+   * User messages extracted from the run's task payload at load time.
+   * Empty array for runs started with `trigger: "preload"` — in that
+   * case the first user message arrives over the session's `.in`
+   * channel and is merged in by the AgentView subscription.
+   */
+  initialMessages: UIMessage[];
+  /**
+   * Presigned GET URL for the session's chat-snapshot S3 blob (written
+   * by the agent after each turn-complete; see `ChatSnapshotV1`).
+   * Optional — sessions that registered a `hydrateMessages` hook skip
+   * snapshot writes and the URL fetch will 404. In that case the
+   * dashboard falls back to seq=0 SSE (which, post-trim, shows only the
+   * most recent turn). Generated server-side by `SessionPresenter`.
+   */
+  snapshotPresignedUrl?: string;
+};
+
+/**
+ * Max state-update interval while assistant chunks are streaming. Matches
+ * the `experimental_throttle: 100` we previously passed to `useChat`.
+ * Chunks mutate a staging ref synchronously; a throttled flush copies the
+ * ref into React state at most ~10x/sec so tool-call Prism highlighting
+ * etc. doesn't re-run on every single text-delta.
+ */
+const STATE_FLUSH_THROTTLE_MS = 100;
+
+/**
+ * Sentinel timestamp for messages that came from the run's initial task
+ * payload — they predate any stream activity, so 0 guarantees they sort
+ * first regardless of stream race order.
+ */
+const INITIAL_PAYLOAD_TIMESTAMP = 0;
+
+/**
+ * Renders a Session's chat conversation as it unfolds.
+ *
+ * Subscribes to both channels of the {@link Session}:
+ * - **`.out`** delivers assistant `UIMessageChunk`s (text deltas, tool
+ *   calls, reasoning, etc.) produced by the agent's
+ *   `chatStream.writer(...)` calls — objects, already parsed by the S2
+ *   SSE reader.
+ * - **`.in`** delivers {@link ChatInputChunk}s sent by
+ *   {@link TriggerChatTransport} (or any other session writer). Each
+ *   chunk is a tagged union (`{kind: "message", payload}` for user
+ *   turns, `{kind: "stop"}` for stop signals) — the AgentView only
+ *   cares about `kind: "message"` and pulls `.payload.messages`.
+ *
+ * Both streams are read directly via `SSEStreamSubscription` through the
+ * dashboard's session-authed resource routes — not through `useChat` or
+ * `TriggerChatTransport`. This gives us per-chunk server-side timestamps
+ * (S2 sequence numbers) from both streams, which we use to produce a
+ * chronologically correct merged message list that works for replays,
+ * multi-message turns, cross-run session resumes, and steering messages.
+ *
+ * Intended to be mounted inside a scrollable container — the component
+ * does not own its own scrollbar.
+ */
+export function AgentView({ agentView }: { agentView: AgentViewAuth }) {
+  const organization = useOrganization();
+  const project = useProject();
+  const environment = useEnvironment();
+
+  const messages = useAgentSessionMessages({
+    sessionId: agentView.sessionId,
+    apiOrigin: agentView.apiOrigin,
+    orgSlug: organization.slug,
+    projectSlug: project.slug,
+    envSlug: environment.slug,
+    initialMessages: agentView.initialMessages,
+    snapshotPresignedUrl: agentView.snapshotPresignedUrl,
+  });
+
+  // Sticky-bottom auto-scroll: walks up to find the inspector's scroll
+  // container, then scrolls to bottom whenever `messages` changes — but
+  // only if the user was at (or near) the bottom at the time. Scrolling
+  // away pauses auto-scroll; scrolling back resumes it.
+  const rootRef = useAutoScrollToBottom([messages]);
+
+  return (
+    <div ref={rootRef} className="py-3">
+      {messages.length === 0 ? (
+        <div className="flex h-full min-h-[12rem] items-center justify-center">
+          <div className="flex flex-col items-center gap-3">
+            <Spinner className="size-5" color="muted" />
+            <Paragraph variant="small" className="text-text-dimmed">
+              Loading conversation…
+            </Paragraph>
+          </div>
+        </div>
+      ) : (
+        <AgentMessageView messages={messages} />
+      )}
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// useAgentSessionMessages — reads both realtime streams for a session and
+// maintains a chronologically ordered, merged message list.
+// ---------------------------------------------------------------------------
+
+/**
+ * Shape of each chunk on the session's `.in` channel. Mirrors the
+ * `ChatInputChunk` tagged union produced by {@link TriggerChatTransport}:
+ * - `kind: "message"` carries a `ChatTaskWirePayload` in `.payload`
+ *   (user-submitted messages or regenerate calls); we dedupe by id.
+ * - `kind: "stop"` is a stop signal — no messages, nothing to render
+ *   here, so it's filtered.
+ *
+ * Wire payloads are slim-wire (one new UIMessage per record, on
+ * `payload.message`). The legacy `payload.messages` array shape is kept
+ * here as a fallback so any historical records on a long-lived session
+ * still render.
+ *
+ * The server wraps records in `{data, id}` and writes `data` as a JSON
+ * string; SSE v2 delivers the parsed string back. {@link parseChunkPayload}
+ * re-parses to recover the object.
+ */
+type InputStreamChunk = {
+  kind?: "message" | "stop";
+  payload?: {
+    message?: { id?: string; role?: string; parts?: unknown[] };
+    messages?: Array<{ id?: string; role?: string; parts?: unknown[] }>;
+    trigger?: string;
+  };
+  message?: string;
+};
+
+/**
+ * Minimal typing for the chunks we care about on the chat output stream.
+ * Covers the AI SDK `UIMessageChunk` variants that `renderPart` actually
+ * knows how to display, plus the Trigger.dev control chunks that we filter.
+ */
+type OutputChunk = { type: string; [key: string]: unknown };
+
+/**
+ * Per-message orchestration state for the output stream accumulator. Mirrors
+ * the active-part tracking that AI SDK's `processUIMessageStream` keeps in
+ * its `state` object: a registry of streaming text/reasoning parts so deltas
+ * can be matched to the right part by id, plus a way to clear them at step
+ * boundaries (`finish-step`) so the next step's `text-start`/`reasoning-start`
+ * with the same id starts a fresh part instead of appending to the previous
+ * step's part.
+ */
+/**
+ * Per-message orchestration state — index-based active-part tracking.
+ *
+ * Each map points from a part id (text or reasoning) to **the index of the
+ * currently-streaming part with that id in `message.parts`**. We need
+ * indexes (not just a `Set` of "active ids") because part ids are *only
+ * unique within a step*: the SDK happily reuses `text-start id="0"` after
+ * a `finish-step` boundary. Without index tracking, a `text-delta` for the
+ * reused id would have to find the right part by id alone — and a search
+ * would match BOTH the previous step's frozen part and the current step's
+ * fresh one, which produces a duplication where the previous text gets
+ * the new content appended to it AND a fresh part with the same content
+ * also appears.
+ *
+ * Mirrors AI SDK's `processUIMessageStream`'s `state.activeTextParts` /
+ * `state.activeReasoningParts` (which hold direct references in the
+ * mutating canonical impl). We use indexes here because we do immutable
+ * updates and need indices that survive `parts.map()` rewrites — adding
+ * new parts and updating existing ones never reorders, so an index is
+ * stable for the lifetime of the part.
+ */
+type MessageOrchestrationState = {
+  activeTextPartIndexes: Map<string, number>;
+  activeReasoningPartIndexes: Map<string, number>;
+};
+
+/**
+ * `SSEStreamSubscription`'s v2 batch path delivers `parsedBody.data` as-is
+ * — but session channels diverge by direction:
+ *
+ * - `.in`: {@link TriggerChatTransport.serializeInputChunk} writes the
+ *   `ChatInputChunk` as a JSON **string**, so `data` is a string that
+ *   needs a second `JSON.parse` to recover the tagged union.
+ * - `.out`: the agent's `chatStream.writer(...)` writes
+ *   {@link UIMessageChunk} **objects** directly; `data` arrives
+ *   already-parsed.
+ *
+ * This helper accepts both shapes defensively: a string is parsed; an
+ * object is returned as-is. Returns `null` for unparseable payloads.
+ */
+function parseChunkPayload(raw: unknown): Record<string, unknown> | null {
+  if (raw == null) return null;
+  if (typeof raw === "string") {
+    try {
+      const parsed = JSON.parse(raw);
+      return parsed && typeof parsed === "object" ? (parsed as Record<string, unknown>) : null;
+    } catch {
+      return null;
+    }
+  }
+  if (typeof raw === "object") return raw as Record<string, unknown>;
+  return null;
+}
+
+function createOrchestrationState(): MessageOrchestrationState {
+  return {
+    activeTextPartIndexes: new Map(),
+    activeReasoningPartIndexes: new Map(),
+  };
+}
+
+function useAgentSessionMessages({
+  sessionId,
+  apiOrigin,
+  orgSlug,
+  projectSlug,
+  envSlug,
+  initialMessages,
+  snapshotPresignedUrl,
+}: {
+  sessionId: string;
+  apiOrigin: string;
+  orgSlug: string;
+  projectSlug: string;
+  envSlug: string;
+  initialMessages: UIMessage[];
+  snapshotPresignedUrl?: string;
+}): UIMessage[] {
+  // Seed with the user messages from the run's task payload.
+  const seedMessages = useMemo(
+    () => initialMessages.filter((m) => m.role === "user"),
+    [initialMessages]
+  );
+
+  // `pendingRef` is the authoritative, eagerly-updated message state:
+  // chunks mutate this synchronously as they arrive. A throttled flush
+  // copies it into React state so UI updates are capped at ~10x/sec.
+  const pendingRef = useRef<Map<string, UIMessage>>(
+    new Map(seedMessages.map((m) => [m.id, m]))
+  );
+  const timestampsRef = useRef<Map<string, number>>(
+    new Map(seedMessages.map((m) => [m.id, INITIAL_PAYLOAD_TIMESTAMP]))
+  );
+  // Side-table of orchestration state, keyed by assistant message id. Lives
+  // outside the UIMessage so React doesn't see it as a renderable prop.
+  const orchestrationRef = useRef<Map<string, MessageOrchestrationState>>(new Map());
+
+  // Buffered HITL resolutions keyed by toolCallId. `addToolApprovalResponse` /
+  // `addToolOutput` send a slim assistant message on the `.in` channel carrying
+  // just the resolved tool part; the agent never echoes these on `.out`. We
+  // stash them here and overlay onto the matching tool part once it exists, so
+  // a denial/approval lands regardless of which stream arrives first.
+  const pendingResolutionsRef = useRef<Map<string, Record<string, unknown>>>(new Map());
+
+  // React state snapshot of pendingRef. Only updated via the throttled
+  // `scheduleFlush`. The Map *reference* changes on every flush so React
+  // detects the state update and the downstream `useMemo` recomputes.
+  const [messagesById, setMessagesById] = useState<Map<string, UIMessage>>(
+    () => new Map(pendingRef.current)
+  );
+
+  // Throttled flush scheduler — leading edge within a single throttle
+  // window: the first chunk after a quiet period flushes immediately, then
+  // subsequent chunks coalesce until the next window opens.
+  const lastFlushAtRef = useRef<number>(0);
+  const pendingTimerRef = useRef<ReturnType<typeof setTimeout> | null>(null);
+  const scheduleFlush = useRef<() => void>(() => {});
+  scheduleFlush.current = () => {
+    if (pendingTimerRef.current !== null) return; // already scheduled
+    const now = Date.now();
+    const sinceLast = now - lastFlushAtRef.current;
+    const delay = Math.max(0, STATE_FLUSH_THROTTLE_MS - sinceLast);
+    pendingTimerRef.current = setTimeout(() => {
+      pendingTimerRef.current = null;
+      lastFlushAtRef.current = Date.now();
+      setMessagesById(new Map(pendingRef.current));
+    }, delay);
+  };
+
+  useEffect(() => {
+    const abort = new AbortController();
+
+    // Overlay a buffered HITL resolution (approval/output delivered on `.in`)
+    // onto the matching tool part. Returns true if a part changed. Safe to call
+    // repeatedly — after each `.out` tool chunk and whenever a `.in` resolution
+    // arrives — so the resolution lands regardless of cross-stream ordering.
+    // Never downgrades a part that already reached a terminal output state (so
+    // an approved-then-executed tool keeps its `output-available` + output).
+    const applyToolResolution = (toolCallId: string): boolean => {
+      const res = pendingResolutionsRef.current.get(toolCallId);
+      if (!res) return false;
+      for (const [mid, msg] of pendingRef.current) {
+        const parts = (msg.parts ?? []) as Array<Record<string, unknown>>;
+        const idx = parts.findIndex((p) => (p as { toolCallId?: string }).toolCallId === toolCallId);
+        if (idx < 0) continue;
+        const cur = parts[idx]!;
+        const terminal =
+          cur.state === "output-available" ||
+          cur.state === "output-error" ||
+          cur.state === "output-denied";
+        const nextState = res.state != null && !terminal ? res.state : cur.state;
+        const sameApproval = JSON.stringify(cur.approval) === JSON.stringify(res.approval);
+        if (
+          nextState === cur.state &&
+          sameApproval &&
+          res.output === undefined &&
+          res.errorText === undefined
+        ) {
+          return false; // already applied
+        }
+        const next = parts.slice();
+        next[idx] = {
+          ...cur,
+          ...(res.approval != null ? { approval: res.approval } : {}),
+          ...(res.output !== undefined ? { output: res.output } : {}),
+          ...(res.errorText !== undefined ? { errorText: res.errorText } : {}),
+          state: nextState,
+        };
+        pendingRef.current.set(mid, { ...msg, parts: next } as UIMessage);
+        return true;
+      }
+      return false;
+    };
+
+    const encodedSession = encodeURIComponent(sessionId);
+    // Always use the page's own origin to avoid CORS preflight failures
+    // when the configured `apiOrigin` (e.g. `localhost`) differs from the
+    // origin the dashboard was loaded from (e.g. `127.0.0.1`). The dashboard
+    // resource route is same-origin by construction.
+    const origin = typeof window !== "undefined" ? window.location.origin : apiOrigin;
+    const sessionBase =
+      `${origin}/resources/orgs/${orgSlug}/projects/${projectSlug}/env/${envSlug}` +
+      `/sessions/${encodedSession}/realtime/v1`;
+
+    const outputUrl = `${sessionBase}/out`;
+    const inputUrl = `${sessionBase}/in`;
+
+    /**
+     * Try to seed `pendingRef` from the agent's S3 snapshot blob and return
+     * the snapshot's `lastOutEventId` so the `.out` SSE subscription resumes
+     * just past the snapshot. Returns undefined for sessions that don't
+     * have a snapshot (e.g. `hydrateMessages` customers, or sessions that
+     * have never completed a turn).
+     */
+    const loadSnapshot = async (): Promise<string | undefined> => {
+      if (!snapshotPresignedUrl) return undefined;
+      try {
+        const resp = await fetch(snapshotPresignedUrl, { signal: abort.signal });
+        if (!resp.ok) return undefined;
+        const json = (await resp.json()) as unknown;
+        const parsed = ChatSnapshotV1Schema.safeParse(json);
+        if (!parsed.success) return undefined;
+        const snapshot = parsed.data;
+        // Preserve the snapshot's array order in the final render by
+        // giving each message a unique, monotonically increasing
+        // timestamp from `(savedAt - count + index)`. Real chunk
+        // timestamps from the SSE path use S2 arrival ms (positive
+        // numbers in the present), so anything below `savedAt` sorts
+        // before live chunks while preserving snapshot order among
+        // themselves.
+        const count = snapshot.messages.length;
+        snapshot.messages.forEach((raw, i) => {
+          const message = raw as UIMessage;
+          if (!message?.id) return;
+          // The snapshot's seed wins over the task-payload seed for any
+          // overlapping ids (the snapshot represents the agent's
+          // canonical accumulator, post-turn).
+          pendingRef.current.set(message.id, message);
+          if (!timestampsRef.current.has(message.id)) {
+            timestampsRef.current.set(message.id, snapshot.savedAt - count + i);
+          }
+        });
+        scheduleFlush.current();
+        return snapshot.lastOutEventId;
+      } catch {
+        // 404 / network / parse / abort — fall back to seq=0 SSE
+        return undefined;
+      }
+    };
+
+    const outputSubOptions = (lastEventId: string | undefined) =>
+      ({
+        signal: abort.signal,
+        timeoutInSeconds: 120,
+        ...(lastEventId !== undefined ? { lastEventId } : {}),
+      }) as const;
+
+    const commonSubOptions = {
+      signal: abort.signal,
+      timeoutInSeconds: 120,
+    } as const;
+
+    // ---- Output stream: assistant messages ---------------------------------
+    //
+    // The output stream delivers data records (UIMessageChunks) interleaved
+    // with Trigger control records (`turn-complete`, `upgrade-required`) and
+    // S2 command records (`trim`). Control + command records ride on
+    // `record.headers` with empty bodies; the SSE parser strips S2 command
+    // records entirely, and control records arrive with `value.chunk ===
+    // undefined`, which `parseChunkPayload` drops below.
+    //
+    // We fold everything else into an assistant `UIMessage` via our own
+    // `applyOutputChunk` accumulator — the AI SDK's `readUIMessageStream`
+    // helper is only available in `ai@6`, and the webapp is pinned to
+    // `ai@4`, so we re-implement just the chunk types that `renderPart`
+    // actually displays.
+    //
+    // We capture the **server timestamp of each assistant message's first
+    // `start` chunk** so later sort-by-timestamp merges with the input
+    // stream correctly.
+    const runOutput = async () => {
+      try {
+        // Seed messages from the snapshot first (if available), then
+        // resume the SSE from the snapshot's last event id so we don't
+        // re-stream chunks already represented in the snapshot. If no
+        // snapshot exists (no URL, 404, parse failure), the SSE opens
+        // at seq=0 — which, post-trim, contains roughly one turn of
+        // records (acceptable fallback for `hydrateMessages` sessions
+        // and fresh sessions).
+        const snapshotLastEventId = await loadSnapshot();
+        if (abort.signal.aborted) return;
+
+        const sub = new SSEStreamSubscription(outputUrl, outputSubOptions(snapshotLastEventId));
+        const raw = await sub.subscribe();
+        const reader = raw.getReader();
+
+        let currentMessageId: string | null = null;
+
+        try {
+          while (!abort.signal.aborted) {
+            const { done, value } = await reader.read();
+            if (done) return;
+
+            const chunk = parseChunkPayload(value.chunk) as OutputChunk | null;
+            if (!chunk || typeof chunk.type !== "string") continue;
+            // Legacy belt-and-suspenders: prior versions of the SDK
+            // emitted `trigger:turn-complete` / `trigger:upgrade-required`
+            // as data records (`type` field). Current versions use
+            // header-form control records, which `parseChunkPayload`
+            // drops above. Keep this filter to handle any in-flight
+            // sessions whose `.out` was populated by the older SDK.
+            if (chunk.type.startsWith("trigger:")) continue;
+
+            if (chunk.type === "start") {
+              const messageId =
+                typeof chunk.messageId === "string" && chunk.messageId.length > 0
+                  ? chunk.messageId
+                  : `asst-${crypto.randomUUID()}`;
+              currentMessageId = messageId;
+
+              if (!timestampsRef.current.has(messageId)) {
+                timestampsRef.current.set(messageId, value.timestamp);
+              }
+
+              const existing = pendingRef.current.get(messageId);
+              if (existing) {
+                // Same message id seen again — merge metadata only, keep
+                // existing parts (canonical `processUIMessageStream` does
+                // the same on a repeated `start`).
+                if (chunk.messageMetadata != null) {
+                  pendingRef.current.set(messageId, {
+                    ...existing,
+                    metadata: {
+                      ...((existing as { metadata?: Record<string, unknown> }).metadata ?? {}),
+                      ...(chunk.messageMetadata as Record<string, unknown>),
+                    },
+                  } as UIMessage);
+                  scheduleFlush.current();
+                }
+              } else {
+                const message: UIMessage = {
+                  id: messageId,
+                  role: "assistant",
+                  parts: [],
+                  ...(chunk.messageMetadata != null
+                    ? { metadata: chunk.messageMetadata as UIMessage["metadata"] }
+                    : {}),
+                } as UIMessage;
+                pendingRef.current.set(messageId, message);
+                orchestrationRef.current.set(messageId, createOrchestrationState());
+                scheduleFlush.current();
+              }
+              continue;
+            }
+
+            if (currentMessageId === null) continue;
+            const existing = pendingRef.current.get(currentMessageId);
+            if (!existing) continue;
+            let orchestration = orchestrationRef.current.get(currentMessageId);
+            if (!orchestration) {
+              // Defensive: a chunk arrived for a message we never saw a
+              // `start` for. Lazily create orchestration state so we can
+              // still display the parts.
+              orchestration = createOrchestrationState();
+              orchestrationRef.current.set(currentMessageId, orchestration);
+            }
+
+            const updated = applyOutputChunk(existing, chunk, orchestration);
+            if (updated !== existing) {
+              pendingRef.current.set(currentMessageId, updated);
+              scheduleFlush.current();
+            }
+
+            // A `.out` chunk just established/updated a tool part — (re)apply any
+            // buffered `.in` resolution for it. Covers the `.in`-before-`.out`
+            // order and corrects a `.out` chunk that downgraded the state (e.g.
+            // a replayed `tool-approval-request` arriving after the denial).
+            const outToolCallId = (chunk as { toolCallId?: string }).toolCallId;
+            if (typeof outToolCallId === "string" && applyToolResolution(outToolCallId)) {
+              scheduleFlush.current();
+            }
+          }
+        } finally {
+          try {
+            reader.releaseLock();
+          } catch {
+            // Lock may already be released.
+          }
+        }
+      } catch (err) {
+        if (abort.signal.aborted) return;
+        // eslint-disable-next-line no-console
+        console.debug("[AgentView] output stream subscription failed", err);
+      }
+    };
+
+    // ---- Input channel: user messages (`ChatInputChunk`) -------------------
+    //
+    // The transport appends a `{kind: "message", payload}` ChatInputChunk
+    // for every user turn (and `{kind: "stop"}` for stop signals). We pull
+    // user messages out of `payload.messages` for `kind: "message"` chunks
+    // and ignore the rest.
+    const runInput = async () => {
+      try {
+        const sub = new SSEStreamSubscription(inputUrl, commonSubOptions);
+        const raw = await sub.subscribe();
+        const reader = raw.getReader();
+        try {
+          while (!abort.signal.aborted) {
+            const { done, value } = await reader.read();
+            if (done) return;
+
+            const chunk = parseChunkPayload(value.chunk) as InputStreamChunk | null;
+            if (!chunk || chunk.kind !== "message") continue;
+            const payload = chunk.payload;
+            if (!payload) continue;
+
+            // Slim-wire is one UIMessage on `payload.message`; legacy
+            // payloads carried an array on `payload.messages`. Accept
+            // either so historical records on a long-lived session still
+            // render.
+            const candidates = Array.isArray(payload.messages)
+              ? payload.messages
+              : payload.message
+                ? [payload.message]
+                : [];
+
+            let changed = false;
+
+            // New user turns — merge in (dedupe by id).
+            for (const m of candidates) {
+              if (m == null || (m as { role?: string }).role !== "user" || typeof m.id !== "string") {
+                continue;
+              }
+              if (pendingRef.current.has(m.id)) continue;
+              pendingRef.current.set(m.id, m as UIMessage);
+              timestampsRef.current.set(m.id, value.timestamp);
+              changed = true;
+            }
+
+            // HITL resolutions ride on `.in` as a slim *assistant* message
+            // carrying just the resolved tool part (state + approval/output).
+            // Buffer each by toolCallId and overlay onto the matching tool part
+            // (which usually arrived on `.out` as `tool-approval-request`).
+            for (const m of candidates) {
+              if (m == null || (m as { role?: string }).role !== "assistant") continue;
+              const parts = (m as { parts?: unknown[] }).parts;
+              if (!Array.isArray(parts)) continue;
+              for (const sp of parts) {
+                const part = sp as Record<string, unknown>;
+                if (typeof part.type !== "string" || !part.type.startsWith("tool-")) continue;
+                const tcId = (part as { toolCallId?: string }).toolCallId;
+                if (typeof tcId !== "string") continue;
+                pendingResolutionsRef.current.set(tcId, part);
+                if (applyToolResolution(tcId)) changed = true;
+              }
+            }
+
+            if (changed) scheduleFlush.current();
+          }
+        } finally {
+          try {
+            reader.releaseLock();
+          } catch {
+            // Lock may already be released.
+          }
+        }
+      } catch (err) {
+        if (abort.signal.aborted) return;
+        // eslint-disable-next-line no-console
+        console.debug("[AgentView] input stream subscription failed", err);
+      }
+    };
+
+    void runOutput();
+    void runInput();
+
+    return () => {
+      abort.abort();
+      if (pendingTimerRef.current !== null) {
+        clearTimeout(pendingTimerRef.current);
+        pendingTimerRef.current = null;
+      }
+    };
+  }, [sessionId, apiOrigin, orgSlug, projectSlug, envSlug, snapshotPresignedUrl]);
+
+  return useMemo(() => {
+    const timestamps = timestampsRef.current;
+    const arr = Array.from(messagesById.values());
+    arr.sort((a, b) => {
+      const ta = timestamps.get(a.id) ?? 0;
+      const tb = timestamps.get(b.id) ?? 0;
+      if (ta !== tb) return ta - tb;
+      // Tie-breaker for messages sharing a stream ID bucket (rare): fall
+      // back to message id string order so the output is deterministic.
+      return a.id < b.id ? -1 : a.id > b.id ? 1 : 0;
+    });
+    return arr;
+  }, [messagesById]);
+}
+
+// ---------------------------------------------------------------------------
+// applyOutputChunk — minimal UIMessageChunk → UIMessage accumulator.
+// ---------------------------------------------------------------------------
+//
+// A pared-down re-implementation of AI SDK's `processUIMessageStream` (in
+// `ai@6`'s `index.mjs`). The webapp is pinned to `ai@4`, which doesn't ship
+// the v5+ chunk-stream helpers, so we vendor the bits we actually use.
+//
+// Scope vs. canonical:
+// - We render only the chunk shapes that `AgentMessageView`/`renderPart`
+//   actually display: text, reasoning, tool-* (input-{start,delta,available}
+//   + output-{available,error}), source-url, source-document, file,
+//   step-start/finish-step, data-*, plus metadata/finish lifecycle.
+// - Unknown chunk types fall through as no-ops — defensive on purpose for a
+//   read-only viewer.
+// - We **do not parse partial JSON for streaming tool inputs.** Canonical
+//   uses `parsePartialJson` (which depends on a 300-line `fixJson` state
+//   machine to repair incomplete JSON) so users see the input growing
+//   character-by-character. We skip it: tool inputs stay `undefined`
+//   throughout streaming and snap to the final value when
+//   `tool-input-available` lands. Acceptable for a viewer; can be added
+//   later by vendoring `fixJson` if the UX warrants it.
+//
+// `orchestration` carries per-message active-part trackers that mirror
+// canonical's `state.activeTextParts` / `state.activeReasoningParts`. They
+// let `text-delta` find the right text part by id and let `finish-step`
+// clear them so a new step can re-use the same id without colliding.
+//
+// Returns the same object reference when nothing changes so the caller can
+// skip unnecessary state flushes + React re-renders.
+
+type AnyPart = { [key: string]: unknown; type: string };
+
+function applyOutputChunk(
+  msg: UIMessage,
+  chunk: OutputChunk,
+  orchestration: MessageOrchestrationState
+): UIMessage {
+  const type = chunk.type;
+
+  // Text parts ---------------------------------------------------------------
+  //
+  // Track each streaming text part by its index in `msg.parts`. Part ids
+  // are only unique *within a step* — the SDK happily reuses `text-start
+  // id="0"` after a `finish-step` boundary — so a delta arriving for a
+  // reused id needs to land on the *current* part, not every prior part
+  // that ever shared that id. The index map gives us O(1) "which slot is
+  // currently streaming this id" without any id-based search.
+  if (type === "text-start") {
+    const id = chunk.id as string;
+    const newIndex = (msg.parts ?? []).length; // index AFTER push
+    orchestration.activeTextPartIndexes.set(id, newIndex);
+    return withNewPart(msg, {
+      type: "text",
+      id,
+      text: "",
+      state: "streaming",
+    });
+  }
+  if (type === "text-delta") {
+    const id = chunk.id as string;
+    const index = orchestration.activeTextPartIndexes.get(id);
+    if (index === undefined) return msg; // delta with no start — drop.
+    return updatePartAt(msg, index, (p) => ({
+      ...p,
+      text: ((p as { text?: string }).text ?? "") + String(chunk.delta ?? ""),
+    }));
+  }
+  if (type === "text-end") {
+    const id = chunk.id as string;
+    const index = orchestration.activeTextPartIndexes.get(id);
+    if (index === undefined) return msg;
+    orchestration.activeTextPartIndexes.delete(id);
+    return updatePartAt(msg, index, (p) => ({ ...p, state: "done" }));
+  }
+
+  // Reasoning parts ----------------------------------------------------------
+  if (type === "reasoning-start") {
+    const id = chunk.id as string;
+    const newIndex = (msg.parts ?? []).length;
+    orchestration.activeReasoningPartIndexes.set(id, newIndex);
+    return withNewPart(msg, {
+      type: "reasoning",
+      id,
+      text: "",
+      state: "streaming",
+    });
+  }
+  if (type === "reasoning-delta") {
+    const id = chunk.id as string;
+    const index = orchestration.activeReasoningPartIndexes.get(id);
+    if (index === undefined) return msg;
+    return updatePartAt(msg, index, (p) => ({
+      ...p,
+      text: ((p as { text?: string }).text ?? "") + String(chunk.delta ?? ""),
+    }));
+  }
+  if (type === "reasoning-end") {
+    const id = chunk.id as string;
+    const index = orchestration.activeReasoningPartIndexes.get(id);
+    if (index === undefined) return msg;
+    orchestration.activeReasoningPartIndexes.delete(id);
+    return updatePartAt(msg, index, (p) => ({ ...p, state: "done" }));
+  }
+
+  // Tool call parts ----------------------------------------------------------
+  if (type === "tool-input-start") {
+    const toolName = String(chunk.toolName ?? "");
+    return withNewPart(msg, {
+      type: `tool-${toolName}`,
+      toolCallId: chunk.toolCallId,
+      toolName,
+      state: "input-streaming",
+      input: undefined,
+    });
+  }
+  if (type === "tool-input-delta") {
+    // We don't parse partial JSON, so streaming tool input deltas are a
+    // no-op. The full input snaps in when `tool-input-available` arrives.
+    return msg;
+  }
+  if (type === "tool-input-available") {
+    const toolName = String(chunk.toolName ?? "");
+    const existingIdx = indexOfPart(
+      msg,
+      (p) => (p as { toolCallId?: string }).toolCallId === chunk.toolCallId
+    );
+    if (existingIdx >= 0) {
+      return updatePartAt(msg, existingIdx, (p) => ({
+        ...p,
+        state: "input-available",
+        input: chunk.input,
+      }));
+    }
+    // Tool input arrived without a preceding tool-input-start (some
+    // providers do this for fast tools) — synthesize a new part.
+    return withNewPart(msg, {
+      type: `tool-${toolName}`,
+      toolCallId: chunk.toolCallId,
+      toolName,
+      state: "input-available",
+      input: chunk.input,
+    });
+  }
+  if (type === "tool-output-available") {
+    return updatePart(msg, (p) =>
+      (p as { toolCallId?: string }).toolCallId === chunk.toolCallId
+        ? {
+            ...p,
+            state: "output-available",
+            output: chunk.output,
+            ...(chunk.preliminary === true ? { preliminary: true } : {}),
+          }
+        : null
+    );
+  }
+  if (type === "tool-output-error") {
+    return updatePart(msg, (p) =>
+      (p as { toolCallId?: string }).toolCallId === chunk.toolCallId
+        ? { ...p, state: "output-error", errorText: chunk.errorText }
+        : null
+    );
+  }
+
+  // HITL approval (AI SDK 7) -------------------------------------------------
+  //
+  // v7 added human-in-the-loop tool approval. A `needsApproval` tool emits a
+  // `tool-approval-request` after its input is available; the tool then waits
+  // for a `tool-approval-response` (approve/deny) before executing. Mirror AI
+  // SDK 7's `processUIMessageStream`: the request marks the matching part
+  // `approval-requested` and records `approval.id`; the response (matched by
+  // that id) marks it `approval-responded` with the verdict. An approved tool
+  // then proceeds to `tool-output-available` as usual.
+  if (type === "tool-approval-request") {
+    return updatePart(msg, (p) =>
+      (p as { toolCallId?: string }).toolCallId === chunk.toolCallId
+        ? {
+            ...p,
+            state: "approval-requested",
+            approval: {
+              id: chunk.approvalId,
+              ...(chunk.isAutomatic === true ? { isAutomatic: true } : {}),
+            },
+          }
+        : null
+    );
+  }
+  if (type === "tool-approval-response") {
+    return updatePart(msg, (p) => {
+      const approval = (p as { approval?: { id?: string; isAutomatic?: boolean } }).approval;
+      if (!approval || approval.id !== chunk.approvalId) return null;
+      return {
+        ...p,
+        state: "approval-responded",
+        approval: {
+          ...approval,
+          id: chunk.approvalId,
+          approved: chunk.approved,
+          ...(chunk.reason != null ? { reason: chunk.reason } : {}),
+        },
+      };
+    });
+  }
+
+  // Source / file / step / data parts — pass through as a whole -------------
+  if (type === "source-url" || type === "source-document" || type === "file") {
+    return withNewPart(msg, chunk as unknown as AnyPart);
+  }
+  if (type === "start-step") {
+    return withNewPart(msg, { type: "step-start" });
+  }
+  if (type === "finish-step") {
+    // Step boundary — canonical clears the active part trackers so a new
+    // step can re-use the same text/reasoning part IDs cleanly. The
+    // message itself doesn't structurally change; the previous step's
+    // parts stay frozen at their indexes in `msg.parts`.
+    orchestration.activeTextPartIndexes.clear();
+    orchestration.activeReasoningPartIndexes.clear();
+    return msg;
+  }
+  if (type.startsWith("data-")) {
+    return withNewPart(msg, chunk as unknown as AnyPart);
+  }
+
+  // Metadata / lifecycle -----------------------------------------------------
+  if (type === "finish" || type === "message-metadata") {
+    if (chunk.messageMetadata == null) return msg;
+    return {
+      ...msg,
+      metadata: {
+        ...((msg as { metadata?: Record<string, unknown> }).metadata ?? {}),
+        ...(chunk.messageMetadata as Record<string, unknown>),
+      },
+    } as UIMessage;
+  }
+
+  // Abort / error / unknown — no structural change. (`start` is handled at
+  // the orchestration level in the output reader, not here.)
+  return msg;
+}
+
+// --- Small immutable helpers for UIMessage.parts mutation -------------------
+
+function withNewPart(msg: UIMessage, part: AnyPart): UIMessage {
+  return {
+    ...msg,
+    parts: [...((msg.parts ?? []) as AnyPart[]), part],
+  } as UIMessage;
+}
+
+function updatePart(
+  msg: UIMessage,
+  updater: (part: AnyPart) => AnyPart | null
+): UIMessage {
+  const parts = (msg.parts ?? []) as AnyPart[];
+  let changed = false;
+  const next = parts.map((p) => {
+    const updated = updater(p);
+    if (updated === null) return p;
+    changed = true;
+    return updated;
+  });
+  return changed ? ({ ...msg, parts: next } as UIMessage) : msg;
+}
+
+function indexOfPart(msg: UIMessage, predicate: (part: AnyPart) => boolean): number {
+  const parts = (msg.parts ?? []) as AnyPart[];
+  for (let i = 0; i < parts.length; i++) {
+    if (predicate(parts[i]!)) return i;
+  }
+  return -1;
+}
+
+function updatePartAt(
+  msg: UIMessage,
+  index: number,
+  updater: (part: AnyPart) => AnyPart
+): UIMessage {
+  const parts = (msg.parts ?? []) as AnyPart[];
+  if (index < 0 || index >= parts.length) return msg;
+  const next = parts.slice();
+  next[index] = updater(parts[index]!);
+  return { ...msg, parts: next } as UIMessage;
+}
diff --git a/apps/webapp/app/components/runs/v3/ai/AIChatMessages.tsx b/apps/webapp/app/components/runs/v3/ai/AIChatMessages.tsx
index 297234b8d05..72539cd7910 100644
--- a/apps/webapp/app/components/runs/v3/ai/AIChatMessages.tsx
+++ b/apps/webapp/app/components/runs/v3/ai/AIChatMessages.tsx
@@ -5,24 +5,14 @@ import {
   ClipboardDocumentIcon,
   CodeBracketSquareIcon,
 } from "@heroicons/react/20/solid";
-import { lazy, Suspense, useState } from "react";
+import { Suspense, useEffect, useState } from "react";
 import { CodeBlock } from "~/components/code/CodeBlock";
+import { StreamdownRenderer } from "~/components/code/StreamdownRenderer";
 import { Button, LinkButton } from "~/components/primitives/Buttons";
 import { Header3 } from "~/components/primitives/Headers";
 import tablerSpritePath from "~/components/primitives/tabler-sprite.svg";
 import type { DisplayItem, ToolUse } from "./types";
 
-// Lazy load streamdown to avoid SSR issues
-const StreamdownRenderer = lazy(() =>
-  import("streamdown").then((mod) => ({
-    default: ({ children }: { children: string }) => (
-      <mod.ShikiThemeContext.Provider value={["one-dark-pro", "one-dark-pro"]}>
-        <mod.Streamdown isAnimating={false}>{children}</mod.Streamdown>
-      </mod.ShikiThemeContext.Provider>
-    ),
-  }))
-);
-
 export type PromptLink = {
   slug: string;
   version?: string;
@@ -221,7 +211,7 @@ export function AssistantResponse({
       />
       {mode === "rendered" ? (
         <ChatBubble>
-          <div className="font-sans text-sm font-normal text-text-dimmed streamdown-container">
+          <div className="streamdown-container min-w-0 font-sans text-sm font-normal text-text-dimmed [overflow-wrap:anywhere]">
             <Suspense fallback={<span className="whitespace-pre-wrap">{text}</span>}>
               <StreamdownRenderer>{text}</StreamdownRenderer>
             </Suspense>
@@ -257,30 +247,59 @@ function ToolUseSection({ tools }: { tools: ToolUse[] }) {
   );
 }
 
-type ToolTab = "input" | "output" | "details";
+type ToolTab = "input" | "output" | "details" | "agent";
 
-function ToolUseRow({ tool }: { tool: ToolUse }) {
+export function ToolUseRow({ tool }: { tool: ToolUse }) {
   const hasInput = tool.inputJson !== "{}";
   const hasResult = !!tool.resultOutput;
   const hasDetails = !!tool.description || !!tool.parametersJson;
+  const hasSubAgent = !!tool.subAgent;
 
   const availableTabs: ToolTab[] = [
+    ...(hasSubAgent ? (["agent"] as const) : []),
     ...(hasInput ? (["input"] as const) : []),
     ...(hasResult ? (["output"] as const) : []),
     ...(hasDetails ? (["details"] as const) : []),
   ];
 
-  const defaultTab: ToolTab | null = hasInput ? "input" : null;
-  const [activeTab, setActiveTab] = useState<ToolTab | null>(defaultTab);
+  const [activeTab, setActiveTab] = useState<ToolTab | null>(
+    hasSubAgent ? "agent" : hasInput ? "input" : null
+  );
+
+  // Auto-select input tab when input arrives after initial render (e.g. streaming tool calls)
+  useEffect(() => {
+    if (!hasSubAgent && hasInput && activeTab === null) {
+      setActiveTab("input");
+    }
+  }, [hasInput, hasSubAgent]);
 
   function handleTabClick(tab: ToolTab) {
     setActiveTab(activeTab === tab ? null : tab);
   }
 
   return (
-    <div className="rounded-sm border border-grid-bright bg-charcoal-800/40">
+    <div
+      className={`rounded-sm border bg-charcoal-800/40 ${
+        hasSubAgent ? "border-indigo-500/30" : "border-grid-bright"
+      }`}
+    >
       <div className="flex items-center gap-2 px-2.5 py-1.5">
-        <code className="font-mono text-xs text-text-bright">{tool.toolName}</code>
+        {hasSubAgent && (
+          <svg className="size-3.5 text-indigo-400" viewBox="0 0 24 24" fill="none" stroke="currentColor" strokeWidth={1.5}>
+            <path strokeLinecap="round" strokeLinejoin="round" d="M8.25 3v1.5M4.5 8.25H3m18 0h-1.5M4.5 12H3m18 0h-1.5m-15 3.75H3m18 0h-1.5M8.25 19.5V21M12 3v1.5m0 15V21m3.75-18v1.5m0 15V21m-9-1.5h10.5a2.25 2.25 0 0 0 2.25-2.25V6.75a2.25 2.25 0 0 0-2.25-2.25H6.75A2.25 2.25 0 0 0 4.5 6.75v10.5a2.25 2.25 0 0 0 2.25 2.25Zm.75-12h9v9h-9v-9Z" />
+          </svg>
+        )}
+        <code
+          className={`font-mono text-xs ${hasSubAgent ? "text-indigo-300" : "text-text-bright"}`}
+        >
+          {tool.toolName}
+        </code>
+        {hasSubAgent && tool.subAgent?.isStreaming && (
+          <span className="flex items-center gap-1 text-[10px] text-indigo-400">
+            <span className="inline-block size-1.5 animate-pulse rounded-full bg-indigo-400" />
+            streaming
+          </span>
+        )}
         {tool.resultSummary && (
           <span className="ml-auto text-[10px] text-text-dimmed">{tool.resultSummary}</span>
         )}
@@ -288,7 +307,11 @@ function ToolUseRow({ tool }: { tool: ToolUse }) {
 
       {availableTabs.length > 0 && (
         <>
-          <div className="flex gap-0 border-t border-grid-bright">
+          <div
+            className={`flex gap-0 border-t ${
+              hasSubAgent ? "border-indigo-500/20" : "border-grid-bright"
+            }`}
+          >
             {availableTabs.map((tab) => (
               <button
                 key={tab}
@@ -304,6 +327,10 @@ function ToolUseRow({ tool }: { tool: ToolUse }) {
             ))}
           </div>
 
+          {activeTab === "agent" && hasSubAgent && (
+            <SubAgentContent parts={tool.subAgent!.parts} />
+          )}
+
           {activeTab === "input" && hasInput && (
             <div className="border-t border-grid-dimmed">
               <CodeBlock
@@ -317,12 +344,24 @@ function ToolUseRow({ tool }: { tool: ToolUse }) {
 
           {activeTab === "output" && hasResult && (
             <div className="border-t border-grid-dimmed">
-              <CodeBlock
-                code={tool.resultOutput!}
-                maxLines={16}
-                showLineNumbers={false}
-                showCopyButton
-              />
+              {isJsonString(tool.resultOutput!) ? (
+                <CodeBlock
+                  code={tool.resultOutput!}
+                  maxLines={16}
+                  showLineNumbers={false}
+                  showCopyButton
+                />
+              ) : (
+                <div className="p-2.5 font-sans text-sm font-normal text-text-dimmed streamdown-container">
+                  <Suspense
+                    fallback={
+                      <span className="whitespace-pre-wrap">{tool.resultOutput}</span>
+                    }
+                  >
+                    <StreamdownRenderer>{tool.resultOutput!}</StreamdownRenderer>
+                  </Suspense>
+                </div>
+              )}
             </div>
           )}
 
@@ -351,3 +390,85 @@ function ToolUseRow({ tool }: { tool: ToolUse }) {
     </div>
   );
 }
+
+function SubAgentContent({ parts }: { parts: any[] }) {
+  // Extract sub-agent run ID from injected metadata part
+  const runPart = parts.find(
+    (p: any) => p.type === "data-subagent-run" && p.data?.runId
+  );
+  const subAgentRunId = runPart?.data?.runId as string | undefined;
+
+  return (
+    <div className="space-y-2 border-t border-indigo-500/20 p-2.5">
+      {subAgentRunId && (
+        <div className="flex justify-end">
+          <LinkButton
+            to={`/runs/${subAgentRunId}`}
+            variant="tertiary/small"
+            target="_blank"
+          >
+            View sub-agent run
+          </LinkButton>
+        </div>
+      )}
+      {parts.map((part: any, j: number) => {
+        const partType = part.type as string;
+
+        // Skip the injected metadata part — already rendered above
+        if (partType === "data-subagent-run") return null;
+
+        if (partType === "text" && part.text) {
+          return <AssistantResponse key={j} text={part.text} headerLabel="" />;
+        }
+
+        if (partType === "step-start") {
+          return (
+            <div key={j} className="flex items-center gap-2 py-0.5">
+              <div className="flex-1 border-t border-dashed border-charcoal-650" />
+              <span className="text-[10px] text-charcoal-500">step</span>
+              <div className="flex-1 border-t border-dashed border-charcoal-650" />
+            </div>
+          );
+        }
+
+        if (partType.startsWith("tool-")) {
+          const subToolName = partType.slice(5);
+          return (
+            <ToolUseRow
+              key={j}
+              tool={{
+                toolCallId: part.toolCallId ?? `sub-tool-${j}`,
+                toolName: subToolName,
+                inputJson: JSON.stringify(part.input ?? {}, null, 2),
+                resultOutput:
+                  part.output != null
+                    ? typeof part.output === "string"
+                      ? part.output
+                      : JSON.stringify(part.output, null, 2)
+                    : undefined,
+                resultSummary:
+                  part.state === "input-streaming" || part.state === "input-available"
+                    ? "calling..."
+                    : part.state === "output-error"
+                    ? `error: ${part.errorText ?? "unknown"}`
+                    : undefined,
+              }}
+            />
+          );
+        }
+
+        if (partType === "reasoning" && part.text) {
+          return (
+            <div key={j} className="border-l-2 border-amber-500/40 pl-2">
+              <div className="whitespace-pre-wrap text-xs italic text-amber-200/70">
+                {part.text}
+              </div>
+            </div>
+          );
+        }
+
+        return null;
+      })}
+    </div>
+  );
+}
diff --git a/apps/webapp/app/components/runs/v3/ai/AISpanDetails.tsx b/apps/webapp/app/components/runs/v3/ai/AISpanDetails.tsx
index 5e8bb65688f..c243a1e4d9b 100644
--- a/apps/webapp/app/components/runs/v3/ai/AISpanDetails.tsx
+++ b/apps/webapp/app/components/runs/v3/ai/AISpanDetails.tsx
@@ -1,6 +1,7 @@
 import { CheckIcon, ClipboardDocumentIcon } from "@heroicons/react/20/solid";
-import { lazy, Suspense, useState } from "react";
+import { Suspense, useState } from "react";
 import { Button } from "~/components/primitives/Buttons";
+import { StreamdownRenderer } from "~/components/code/StreamdownRenderer";
 import { Header3 } from "~/components/primitives/Headers";
 import { Paragraph } from "~/components/primitives/Paragraph";
 import { TabButton, TabContainer } from "~/components/primitives/Tabs";
@@ -20,16 +21,6 @@ import type { AISpanData, DisplayItem } from "./types";
 import type { PromptSpanData } from "~/presenters/v3/SpanPresenter.server";
 import { SpanHorizontalTimeline } from "~/components/runs/v3/SpanHorizontalTimeline";
 
-const StreamdownRenderer = lazy(() =>
-  import("streamdown").then((mod) => ({
-    default: ({ children }: { children: string }) => (
-      <mod.ShikiThemeContext.Provider value={["one-dark-pro", "one-dark-pro"]}>
-        <mod.Streamdown isAnimating={false}>{children}</mod.Streamdown>
-      </mod.ShikiThemeContext.Provider>
-    ),
-  }))
-);
-
 type AITab = "overview" | "messages" | "tools" | "prompt";
 
 export function AISpanDetails({
diff --git a/apps/webapp/app/components/runs/v3/ai/extractAISpanData.ts b/apps/webapp/app/components/runs/v3/ai/extractAISpanData.ts
index 73c5418e488..853f75c493f 100644
--- a/apps/webapp/app/components/runs/v3/ai/extractAISpanData.ts
+++ b/apps/webapp/app/components/runs/v3/ai/extractAISpanData.ts
@@ -26,6 +26,10 @@ export function extractAISpanData(
   const gRequest = rec(g.request);
   const gUsage = rec(g.usage);
   const gOperation = rec(g.operation);
+  const gProvider = rec(g.provider);
+  const gInput = rec(g.input);
+  const gOutput = rec(g.output);
+  const gTool = rec(g.tool);
   const aiModel = rec(ai.model);
   const aiResponse = rec(ai.response);
   const aiPrompt = rec(ai.prompt);
@@ -49,7 +53,17 @@ export function extractAISpanData(
       ? Math.round((outputTokens / (durationMs / 1000)) * 10) / 10
       : undefined);
 
-  const toolDefs = parseToolDefinitions(aiPrompt.tools);
+  // AI SDK 7 moves span emission into `@ai-sdk/otel`, which emits OTel GenAI
+  // semantic-convention attributes (gen_ai.input/output.messages, gen_ai.provider.name,
+  // gen_ai.tool.definitions, gen_ai.response.finish_reasons). AI SDK 6 emits the older
+  // `ai.*` keys (ai.prompt.messages, ai.response.text/toolCalls/finishReason). Customers
+  // run either major, so detect the shape and read both.
+  const isV7 =
+    typeof gInput.messages === "string" ||
+    typeof gOutput.messages === "string" ||
+    typeof gProvider.name === "string";
+
+  const toolDefs = parseToolDefinitions(isV7 ? gTool.definitions : aiPrompt.tools);
   const providerMeta = parseProviderMetadata(aiResponse.providerMetadata);
   const aiTelemetry = rec(ai.telemetry);
   const telemetryMetaRaw = rec(aiTelemetry.metadata);
@@ -63,15 +77,15 @@ export function extractAISpanData(
 
   return {
     model,
-    provider: str(g.system) ?? "unknown",
+    provider: str(gProvider.name) ?? str(g.system) ?? str(aiModel.provider) ?? "unknown",
     operationName: str(gOperation.name) ?? str(ai.operationId) ?? "",
     responseId: str(gResponse.id) || undefined,
-    finishReason: str(aiResponse.finishReason),
+    finishReason: isV7 ? firstFinishReason(gResponse.finish_reasons) : str(aiResponse.finishReason),
     serviceTier: providerMeta?.serviceTier,
     resolvedProvider: providerMeta?.resolvedProvider,
     toolChoice: parseToolChoice(aiPrompt.toolChoice),
     toolCount: toolDefs?.length,
-    messageCount: countMessages(aiPrompt.messages),
+    messageCount: isV7 ? countGenAiMessages(gInput.messages) : countMessages(aiPrompt.messages),
     telemetryMetadata: telemetryMeta,
     promptSlug: promptSlug || undefined,
     promptVersion: promptVersion || undefined,
@@ -81,9 +95,14 @@ export function extractAISpanData(
     inputTokens,
     outputTokens,
     totalTokens,
-    cachedTokens: num(aiUsage.cachedInputTokens) ?? num(gUsage.cache_read_input_tokens),
+    cachedTokens:
+      num(aiUsage.cachedInputTokens) ??
+      num(gUsage.cache_read_input_tokens) ??
+      num(rec(gUsage.cache_read).input_tokens),
     cacheCreationTokens:
-      num(aiUsage.cacheCreationInputTokens) ?? num(gUsage.cache_creation_input_tokens),
+      num(aiUsage.cacheCreationInputTokens) ??
+      num(gUsage.cache_creation_input_tokens) ??
+      num(rec(gUsage.cache_creation).input_tokens),
     reasoningTokens: num(aiUsage.reasoningTokens) ?? num(gUsage.reasoning_tokens),
     tokensPerSecond,
     msToFirstChunk: num(aiResponse.msToFirstChunk),
@@ -91,10 +110,14 @@ export function extractAISpanData(
     inputCost: num(triggerLlm.input_cost),
     outputCost: num(triggerLlm.output_cost),
     totalCost: num(triggerLlm.total_cost),
-    responseText: str(aiResponse.text) || undefined,
+    responseText: isV7
+      ? extractGenAiAssistantText(gOutput.messages) || undefined
+      : str(aiResponse.text) || undefined,
     responseObject: str(aiResponse.object) || undefined,
     toolDefinitions: toolDefs,
-    items: buildDisplayItems(aiPrompt.messages, aiResponse.toolCalls, toolDefs),
+    items: isV7
+      ? buildGenAiDisplayItems(g.system_instructions, gInput.messages, gOutput.messages, toolDefs)
+      : buildDisplayItems(aiPrompt.messages, aiResponse.toolCalls, toolDefs),
   };
 }
 
@@ -450,3 +473,213 @@ function countMessages(raw: unknown): number | undefined {
   }
 }
 
+// ---------------------------------------------------------------------------
+// AI SDK 7 — @ai-sdk/otel GenAI semantic-convention shape
+// ---------------------------------------------------------------------------
+//
+// v7 moved span emission out of `ai` core into `@ai-sdk/otel`, which emits OTel
+// GenAI semantic-convention attributes instead of the v6 `ai.*` keys:
+//   gen_ai.input.messages        JSON string: [{ role, parts: [...] }]
+//   gen_ai.output.messages       JSON string: [{ role:"assistant", parts, finish_reason }]
+//   gen_ai.system_instructions   system prompt (plain string, or [{ type:"text", content }])
+// Message parts (per @ai-sdk/otel's convertMessagePartToSemConv):
+//   { type:"text" | "reasoning", content }
+//   { type:"tool_call", id, name, arguments }
+//   { type:"tool_call_response", id, response }   // response already unwrapped from the AI SDK envelope
+// Media / approval / custom parts are not surfaced in the display yet.
+
+type GenAiMessage = { role: string; parts: Record<string, unknown>[]; finishReason?: string };
+
+function parseGenAiMessages(raw: unknown): GenAiMessage[] | undefined {
+  if (typeof raw !== "string") return undefined;
+  try {
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed)) return undefined;
+    return parsed.map((m) => {
+      const o = rec(m);
+      return {
+        role: str(o.role) ?? "user",
+        parts: Array.isArray(o.parts) ? o.parts.map(rec) : [],
+        finishReason: str(o.finish_reason),
+      };
+    });
+  } catch {
+    return undefined;
+  }
+}
+
+/** `gen_ai.response.finish_reasons` arrives as a JSON array string (e.g. `["stop"]`); take the first. */
+function firstFinishReason(raw: unknown): string | undefined {
+  if (typeof raw !== "string") return undefined;
+  try {
+    const parsed = JSON.parse(raw);
+    if (Array.isArray(parsed)) {
+      const first = parsed.find((r) => typeof r === "string");
+      return typeof first === "string" ? first : undefined;
+    }
+    if (typeof parsed === "string") return parsed || undefined;
+  } catch {
+    return raw || undefined;
+  }
+  return undefined;
+}
+
+function countGenAiMessages(raw: unknown): number | undefined {
+  const msgs = parseGenAiMessages(raw);
+  return msgs && msgs.length > 0 ? msgs.length : undefined;
+}
+
+/** Concatenated text of all `text` parts across the assistant output messages. */
+function extractGenAiAssistantText(outputRaw: unknown): string {
+  const msgs = parseGenAiMessages(outputRaw);
+  if (!msgs) return "";
+  const texts: string[] = [];
+  for (const m of msgs) {
+    if (m.role !== "assistant") continue;
+    for (const p of m.parts) {
+      if (p.type === "text" && typeof p.content === "string") texts.push(p.content);
+    }
+  }
+  return texts.join("\n");
+}
+
+/** Plain text of a message's `text` parts (reasoning parts aren't surfaced yet). */
+function genAiMessageText(parts: Record<string, unknown>[]): string {
+  const texts: string[] = [];
+  for (const p of parts) {
+    if (p.type === "text" && typeof p.content === "string") texts.push(p.content);
+  }
+  return texts.join("\n");
+}
+
+/** Parse `gen_ai.system_instructions` (plain string, or a JSON array of `{ type:"text", content }`). */
+function parseSystemInstructions(raw: unknown): string | undefined {
+  if (typeof raw !== "string") return undefined;
+  const trimmed = raw.trim();
+  if (trimmed.startsWith("[")) {
+    try {
+      const parsed = JSON.parse(trimmed);
+      if (Array.isArray(parsed)) {
+        const text = parsed
+          .map((p) => str(rec(p).content))
+          .filter((t): t is string => Boolean(t))
+          .join("\n");
+        return text || undefined;
+      }
+    } catch {
+      // fall through to raw
+    }
+  }
+  return raw || undefined;
+}
+
+/**
+ * Build display items from the v7 GenAI message attributes: the system prompt,
+ * the input message history, and the assistant's output for this span. Assistant
+ * tool_call parts are paired with tool_call_response parts from following tool messages.
+ */
+function buildGenAiDisplayItems(
+  systemInstructionsRaw: unknown,
+  inputMessagesRaw: unknown,
+  outputMessagesRaw: unknown,
+  toolDefs?: ToolDefinition[]
+): DisplayItem[] | undefined {
+  const items: DisplayItem[] = [];
+
+  const systemText = parseSystemInstructions(systemInstructionsRaw);
+  if (systemText) items.push({ type: "system", text: systemText });
+
+  const messages = [
+    ...(parseGenAiMessages(inputMessagesRaw) ?? []),
+    ...(parseGenAiMessages(outputMessagesRaw) ?? []),
+  ];
+  appendGenAiMessages(items, messages);
+
+  if (toolDefs && toolDefs.length > 0) {
+    const defsByName = new Map(toolDefs.map((d) => [d.name, d]));
+    for (const item of items) {
+      if (item.type === "tool-use") {
+        for (const tool of item.tools) {
+          const def = defsByName.get(tool.toolName);
+          if (def) {
+            tool.description = def.description;
+            tool.parametersJson = def.parametersJson;
+          }
+        }
+      }
+    }
+  }
+
+  return items.length > 0 ? items : undefined;
+}
+
+function appendGenAiMessages(items: DisplayItem[], messages: GenAiMessage[]): void {
+  let i = 0;
+  while (i < messages.length) {
+    const msg = messages[i];
+
+    if (msg.role === "system") {
+      const text = genAiMessageText(msg.parts);
+      if (text) items.push({ type: "system", text });
+      i++;
+      continue;
+    }
+
+    if (msg.role === "user") {
+      const text = genAiMessageText(msg.parts);
+      if (text) items.push({ type: "user", text });
+      i++;
+      continue;
+    }
+
+    if (msg.role === "assistant") {
+      const text = genAiMessageText(msg.parts);
+      if (text) items.push({ type: "assistant", text });
+
+      const toolCalls = msg.parts.filter((p) => p.type === "tool_call");
+      if (toolCalls.length > 0) {
+        // Collect tool_call_response parts from the tool messages that follow.
+        const responsesById = new Map<string, unknown>();
+        let j = i + 1;
+        while (j < messages.length && messages[j].role === "tool") {
+          for (const p of messages[j].parts) {
+            if (p.type === "tool_call_response") {
+              const id = str(p.id);
+              if (id) responsesById.set(id, p.response);
+            }
+          }
+          j++;
+        }
+
+        const tools: ToolUse[] = toolCalls.map((tc) => {
+          const id = str(tc.id) ?? "";
+          let resultSummary: string | undefined;
+          let resultOutput: string | undefined;
+          if (id && responsesById.has(id)) {
+            const summarized = summarizeToolOutput(responsesById.get(id));
+            resultSummary = summarized.summary;
+            resultOutput = summarized.formattedOutput;
+          }
+          return {
+            toolCallId: id,
+            toolName: str(tc.name) ?? "",
+            inputJson: JSON.stringify(tc.arguments ?? {}, null, 2),
+            resultSummary,
+            resultOutput,
+          };
+        });
+
+        items.push({ type: "tool-use", tools });
+        i = j;
+        continue;
+      }
+
+      i++;
+      continue;
+    }
+
+    // tool-role messages are consumed via the assistant pairing above; skip stragglers.
+    i++;
+  }
+}
+
diff --git a/apps/webapp/app/components/runs/v3/ai/types.ts b/apps/webapp/app/components/runs/v3/ai/types.ts
index bb0fd7e74b1..c59c87865d2 100644
--- a/apps/webapp/app/components/runs/v3/ai/types.ts
+++ b/apps/webapp/app/components/runs/v3/ai/types.ts
@@ -22,6 +22,11 @@ export type ToolUse = {
   resultSummary?: string;
   /** Full formatted result for display in a code block */
   resultOutput?: string;
+  /** Sub-agent output — when the tool result is a UIMessage with parts */
+  subAgent?: {
+    parts: any[];
+    isStreaming: boolean;
+  };
 };
 
 // ---------------------------------------------------------------------------
diff --git a/apps/webapp/app/components/sessions/v1/CloseSessionDialog.tsx b/apps/webapp/app/components/sessions/v1/CloseSessionDialog.tsx
new file mode 100644
index 00000000000..7feba8e6db5
--- /dev/null
+++ b/apps/webapp/app/components/sessions/v1/CloseSessionDialog.tsx
@@ -0,0 +1,72 @@
+import { XCircleIcon } from "@heroicons/react/24/solid";
+import { DialogClose } from "@radix-ui/react-dialog";
+import { Form, useNavigation } from "@remix-run/react";
+import { Button } from "~/components/primitives/Buttons";
+import { DialogContent, DialogHeader } from "~/components/primitives/Dialog";
+import { FormButtons } from "~/components/primitives/FormButtons";
+import { Input } from "~/components/primitives/Input";
+import { Label } from "~/components/primitives/Label";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import { SpinnerWhite } from "~/components/primitives/Spinner";
+
+type CloseSessionDialogProps = {
+  sessionParam: string;
+  environmentId: string;
+  redirectPath: string;
+};
+
+export function CloseSessionDialog({
+  sessionParam,
+  environmentId,
+  redirectPath,
+}: CloseSessionDialogProps) {
+  const navigation = useNavigation();
+
+  const formAction = `/resources/sessions/${encodeURIComponent(sessionParam)}/close`;
+  const isLoading = navigation.formAction === formAction;
+
+  return (
+    <DialogContent key="close-session">
+      <DialogHeader>Close this session?</DialogHeader>
+      <div className="flex flex-col gap-3 pt-3">
+        <Paragraph>
+          Closing a session is permanent. The session will no longer accept new input or trigger
+          new runs. Any in-flight run continues until it finishes on its own.
+        </Paragraph>
+        <Form action={formAction} method="post" className="flex flex-col gap-3">
+          <input type="hidden" name="redirectUrl" value={redirectPath} />
+          <input type="hidden" name="environmentId" value={environmentId} />
+          <div className="flex flex-col gap-1">
+            <Label htmlFor="close-session-reason">Reason (optional)</Label>
+            <Input
+              id="close-session-reason"
+              name="reason"
+              placeholder="e.g. user signed out, ticket resolved"
+              variant="medium"
+              spellCheck={false}
+              autoFocus
+            />
+          </div>
+          <FormButtons
+            confirmButton={
+              <Button
+                type="submit"
+                variant="danger/medium"
+                LeadingIcon={isLoading ? SpinnerWhite : XCircleIcon}
+                disabled={isLoading}
+                shortcut={{ modifiers: ["mod"], key: "enter" }}
+              >
+                {isLoading ? "Closing..." : "Close session"}
+              </Button>
+            }
+            cancelButton={
+              <DialogClose asChild>
+                <Button variant={"tertiary/medium"}>Cancel</Button>
+              </DialogClose>
+            }
+          />
+        </Form>
+      </div>
+    </DialogContent>
+  );
+}
diff --git a/apps/webapp/app/components/sessions/v1/SessionFilters.tsx b/apps/webapp/app/components/sessions/v1/SessionFilters.tsx
new file mode 100644
index 00000000000..9c13b7b4b3f
--- /dev/null
+++ b/apps/webapp/app/components/sessions/v1/SessionFilters.tsx
@@ -0,0 +1,764 @@
+import * as Ariakit from "@ariakit/react";
+import {
+  CpuChipIcon,
+  FingerPrintIcon,
+  TagIcon,
+  XMarkIcon,
+} from "@heroicons/react/20/solid";
+import { Form } from "@remix-run/react";
+import { ListFilterIcon } from "lucide-react";
+import { type ReactNode, useCallback, useMemo, useState } from "react";
+import { z } from "zod";
+import { StatusIcon } from "~/assets/icons/StatusIcon";
+import { TaskIcon } from "~/assets/icons/TaskIcon";
+import { AppliedFilter } from "~/components/primitives/AppliedFilter";
+import { Input } from "~/components/primitives/Input";
+import { Label } from "~/components/primitives/Label";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import {
+  ComboBox,
+  SelectButtonItem,
+  SelectItem,
+  SelectList,
+  SelectPopover,
+  SelectProvider,
+  SelectTrigger,
+  shortcutFromIndex,
+} from "~/components/primitives/Select";
+import {
+  Tooltip,
+  TooltipContent,
+  TooltipProvider,
+  TooltipTrigger,
+} from "~/components/primitives/Tooltip";
+import { useOptimisticLocation } from "~/hooks/useOptimisticLocation";
+import { useSearchParams } from "~/hooks/useSearchParam";
+import { Button } from "../../primitives/Buttons";
+import {
+  appliedSummary,
+  FilterMenuProvider,
+  TimeFilter,
+} from "../../runs/v3/SharedFilters";
+import {
+  allSessionStatuses,
+  descriptionForSessionStatus,
+  SessionStatusCombo,
+  sessionStatusTitle,
+} from "./SessionStatus";
+
+const StringOrStringArray = z.preprocess(
+  (value) => (typeof value === "string" ? [value] : value),
+  z.array(z.string()).optional()
+);
+
+export const SessionStatus = z.enum(allSessionStatuses);
+
+export const SessionListSearchFilters = z.object({
+  cursor: z.string().optional(),
+  direction: z.enum(["forward", "backward"]).optional(),
+  statuses: z.preprocess(
+    (value) => (typeof value === "string" ? [value] : value),
+    SessionStatus.array().optional()
+  ),
+  types: StringOrStringArray,
+  taskIdentifiers: StringOrStringArray,
+  externalId: z.string().optional(),
+  tags: StringOrStringArray,
+  period: z.preprocess((value) => (value === "all" ? undefined : value), z.string().optional()),
+  from: z.coerce.number().optional(),
+  to: z.coerce.number().optional(),
+});
+
+export type SessionListSearchFilters = z.infer<typeof SessionListSearchFilters>;
+export type SessionListSearchFilterKey = keyof SessionListSearchFilters;
+
+export function getSessionFiltersFromSearchParams(
+  searchParams: URLSearchParams
+): SessionListSearchFilters {
+  function listOrUndefined(key: string) {
+    const values = searchParams.getAll(key).filter((v) => v.length > 0);
+    return values.length > 0 ? values : undefined;
+  }
+
+  const params = {
+    cursor: searchParams.get("cursor") ?? undefined,
+    direction: searchParams.get("direction") ?? undefined,
+    statuses: listOrUndefined("statuses"),
+    types: listOrUndefined("types"),
+    taskIdentifiers: listOrUndefined("taskIdentifiers"),
+    externalId: searchParams.get("externalId") ?? undefined,
+    tags: listOrUndefined("tags"),
+    period: searchParams.get("period") ?? undefined,
+    from: searchParams.get("from") ?? undefined,
+    to: searchParams.get("to") ?? undefined,
+  };
+
+  const parsed = SessionListSearchFilters.safeParse(params);
+  if (!parsed.success) {
+    return {};
+  }
+  return parsed.data;
+}
+
+type SessionFiltersProps = {
+  hasFilters: boolean;
+  possibleTypes?: string[];
+};
+
+export function SessionFilters(props: SessionFiltersProps) {
+  const location = useOptimisticLocation();
+  const searchParams = new URLSearchParams(location.search);
+  const hasFilters =
+    searchParams.has("statuses") ||
+    searchParams.has("types") ||
+    searchParams.has("taskIdentifiers") ||
+    searchParams.has("externalId") ||
+    searchParams.has("tags");
+
+  return (
+    <div className="flex flex-row flex-wrap items-center gap-1">
+      <FilterMenu {...props} />
+      <TimeFilter />
+      <AppliedFilters />
+      {hasFilters && (
+        <Form className="h-6">
+          <Button variant="secondary/small" LeadingIcon={XMarkIcon} tooltip="Clear all filters" />
+        </Form>
+      )}
+    </div>
+  );
+}
+
+const filterTypes = [
+  {
+    name: "statuses",
+    title: "Status",
+    icon: <StatusIcon className="size-4 border-text-bright" />,
+  },
+  { name: "types", title: "Type", icon: <CpuChipIcon className="size-4" /> },
+  {
+    name: "taskIdentifiers",
+    title: "Task",
+    icon: <TaskIcon className="size-4" />,
+  },
+  {
+    name: "externalId",
+    title: "External ID",
+    icon: <FingerPrintIcon className="size-4" />,
+  },
+  { name: "tags", title: "Tags", icon: <TagIcon className="size-4" /> },
+] as const;
+
+type FilterType = (typeof filterTypes)[number]["name"];
+
+const shortcut = { key: "f" };
+
+function FilterMenu(props: SessionFiltersProps) {
+  const [filterType, setFilterType] = useState<FilterType | undefined>();
+
+  const filterTrigger = (
+    <SelectTrigger
+      icon={
+        <div className="flex size-4 items-center justify-center">
+          <ListFilterIcon className="size-3.5" />
+        </div>
+      }
+      variant={"secondary/small"}
+      shortcut={shortcut}
+      tooltipTitle={"Filter sessions"}
+    >
+      Filter
+    </SelectTrigger>
+  );
+
+  return (
+    <FilterMenuProvider onClose={() => setFilterType(undefined)}>
+      {(search, setSearch) => (
+        <Menu
+          searchValue={search}
+          clearSearchValue={() => setSearch("")}
+          trigger={filterTrigger}
+          filterType={filterType}
+          setFilterType={setFilterType}
+          {...props}
+        />
+      )}
+    </FilterMenuProvider>
+  );
+}
+
+function AppliedFilters() {
+  return (
+    <>
+      <AppliedStatusFilter />
+      <AppliedTypeFilter />
+      <AppliedTaskIdentifierFilter />
+      <AppliedExternalIdFilter />
+      <AppliedTagsFilter />
+    </>
+  );
+}
+
+type MenuProps = {
+  searchValue: string;
+  clearSearchValue: () => void;
+  trigger: React.ReactNode;
+  filterType: FilterType | undefined;
+  setFilterType: (filterType: FilterType | undefined) => void;
+} & SessionFiltersProps;
+
+function Menu(props: MenuProps) {
+  switch (props.filterType) {
+    case undefined:
+      return <MainMenu {...props} />;
+    case "statuses":
+      return <StatusDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
+    case "types":
+      return <TypeDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
+    case "taskIdentifiers":
+      return (
+        <TaskIdentifierDropdown onClose={() => props.setFilterType(undefined)} {...props} />
+      );
+    case "externalId":
+      return <ExternalIdDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
+    case "tags":
+      return <TagsDropdown onClose={() => props.setFilterType(undefined)} {...props} />;
+  }
+}
+
+function MainMenu({ searchValue, trigger, clearSearchValue, setFilterType }: MenuProps) {
+  const filtered = useMemo(() => {
+    return filterTypes.filter((item) =>
+      item.title.toLowerCase().includes(searchValue.toLowerCase())
+    );
+  }, [searchValue]);
+
+  return (
+    <SelectProvider virtualFocus={true}>
+      {trigger}
+      <SelectPopover>
+        <ComboBox placeholder={"Filter by..."} shortcut={shortcut} value={searchValue} />
+        <SelectList>
+          {filtered.map((type, index) => (
+            <SelectButtonItem
+              key={type.name}
+              onClick={() => {
+                clearSearchValue();
+                setFilterType(type.name);
+              }}
+              icon={type.icon}
+              shortcut={shortcutFromIndex(index, { shortcutsEnabled: true })}
+            >
+              {type.title}
+            </SelectButtonItem>
+          ))}
+        </SelectList>
+      </SelectPopover>
+    </SelectProvider>
+  );
+}
+
+const statusItems = allSessionStatuses.map((status) => ({
+  title: sessionStatusTitle(status),
+  value: status,
+}));
+
+function StatusDropdown({
+  trigger,
+  clearSearchValue,
+  searchValue,
+  onClose,
+}: {
+  trigger: ReactNode;
+  clearSearchValue: () => void;
+  searchValue: string;
+  onClose?: () => void;
+}) {
+  const { values, replace } = useSearchParams();
+
+  const handleChange = (next: string[]) => {
+    clearSearchValue();
+    replace({ statuses: next, cursor: undefined, direction: undefined });
+  };
+
+  const filtered = useMemo(() => {
+    return statusItems.filter((item) =>
+      item.title.toLowerCase().includes(searchValue.toLowerCase())
+    );
+  }, [searchValue]);
+
+  return (
+    <SelectProvider value={values("statuses")} setValue={handleChange} virtualFocus={true}>
+      {trigger}
+      <SelectPopover
+        className="min-w-0 max-w-[min(240px,var(--popover-available-width))]"
+        hideOnEscape={() => {
+          if (onClose) {
+            onClose();
+            return false;
+          }
+          return true;
+        }}
+      >
+        <ComboBox placeholder={"Filter by status..."} value={searchValue} />
+        <SelectList>
+          {filtered.map((item, index) => (
+            <SelectItem
+              key={item.value}
+              value={item.value}
+              shortcut={shortcutFromIndex(index, { shortcutsEnabled: true })}
+            >
+              <TooltipProvider>
+                <Tooltip>
+                  <TooltipTrigger className="group flex w-full flex-col py-0">
+                    <SessionStatusCombo status={item.value} iconClassName="animate-none" />
+                  </TooltipTrigger>
+                  <TooltipContent side="right" sideOffset={9}>
+                    <Paragraph variant="extra-small">
+                      {descriptionForSessionStatus(item.value)}
+                    </Paragraph>
+                  </TooltipContent>
+                </Tooltip>
+              </TooltipProvider>
+            </SelectItem>
+          ))}
+        </SelectList>
+      </SelectPopover>
+    </SelectProvider>
+  );
+}
+
+function AppliedStatusFilter() {
+  const { values, del } = useSearchParams();
+  const statuses = values("statuses");
+
+  if (statuses.length === 0) return null;
+
+  return (
+    <FilterMenuProvider>
+      {(search, setSearch) => (
+        <StatusDropdown
+          trigger={
+            <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
+              <AppliedFilter
+                label="Status"
+                icon={<StatusIcon className="size-3.5" />}
+                value={appliedSummary(
+                  statuses.map((v) => sessionStatusTitle(v as (typeof allSessionStatuses)[number]))
+                )}
+                onRemove={() => del(["statuses", "cursor", "direction"])}
+                variant="secondary/small"
+              />
+            </Ariakit.Select>
+          }
+          searchValue={search}
+          clearSearchValue={() => setSearch("")}
+        />
+      )}
+    </FilterMenuProvider>
+  );
+}
+
+function TypeDropdown({
+  trigger,
+  searchValue,
+  clearSearchValue,
+  possibleTypes,
+  onClose,
+}: {
+  trigger: ReactNode;
+  searchValue: string;
+  clearSearchValue: () => void;
+  possibleTypes?: string[];
+  onClose?: () => void;
+}) {
+  const { values, replace } = useSearchParams();
+
+  const handleChange = (next: string[]) => {
+    clearSearchValue();
+    replace({ types: next, cursor: undefined, direction: undefined });
+  };
+
+  const items = useMemo(() => {
+    const all = possibleTypes && possibleTypes.length > 0 ? possibleTypes : ["chat"];
+    const seen = new Set(all);
+    for (const v of values("types")) {
+      if (!seen.has(v)) {
+        all.push(v);
+        seen.add(v);
+      }
+    }
+    return all.filter((t) => t.toLowerCase().includes(searchValue.toLowerCase()));
+  }, [possibleTypes, searchValue, values]);
+
+  return (
+    <SelectProvider value={values("types")} setValue={handleChange} virtualFocus={true}>
+      {trigger}
+      <SelectPopover
+        className="min-w-0 max-w-[min(240px,var(--popover-available-width))]"
+        hideOnEscape={() => {
+          if (onClose) {
+            onClose();
+            return false;
+          }
+          return true;
+        }}
+      >
+        <ComboBox placeholder={"Filter by type..."} value={searchValue} />
+        <SelectList>
+          {items.map((value, index) => (
+            <SelectItem
+              key={value}
+              value={value}
+              shortcut={shortcutFromIndex(index, { shortcutsEnabled: true })}
+            >
+              <span className="font-mono text-xs">{value}</span>
+            </SelectItem>
+          ))}
+        </SelectList>
+      </SelectPopover>
+    </SelectProvider>
+  );
+}
+
+function AppliedTypeFilter() {
+  const { values, del } = useSearchParams();
+  const types = values("types");
+  if (types.length === 0) return null;
+
+  return (
+    <FilterMenuProvider>
+      {(search, setSearch) => (
+        <TypeDropdown
+          trigger={
+            <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
+              <AppliedFilter
+                label="Type"
+                icon={<CpuChipIcon className="size-3.5" />}
+                value={appliedSummary(types)}
+                onRemove={() => del(["types", "cursor", "direction"])}
+                variant="secondary/small"
+              />
+            </Ariakit.Select>
+          }
+          searchValue={search}
+          clearSearchValue={() => setSearch("")}
+        />
+      )}
+    </FilterMenuProvider>
+  );
+}
+
+function TaskIdentifierDropdown({
+  trigger,
+  searchValue,
+  clearSearchValue,
+  onClose,
+}: {
+  trigger: ReactNode;
+  searchValue: string;
+  clearSearchValue: () => void;
+  onClose?: () => void;
+}) {
+  const [open, setOpen] = useState<boolean | undefined>();
+  const { value, replace } = useSearchParams();
+  const current = value("taskIdentifiers");
+  const [draft, setDraft] = useState(current ?? "");
+
+  const apply = useCallback(() => {
+    clearSearchValue();
+    replace({
+      taskIdentifiers: draft.trim() === "" ? undefined : [draft.trim()],
+      cursor: undefined,
+      direction: undefined,
+    });
+    setOpen(false);
+  }, [clearSearchValue, draft, replace]);
+
+  return (
+    <SelectProvider virtualFocus={true} open={open} setOpen={setOpen}>
+      {trigger}
+      <SelectPopover
+        hideOnEnter={false}
+        hideOnEscape={() => {
+          if (onClose) {
+            onClose();
+            return false;
+          }
+          return true;
+        }}
+        className="max-w-[min(32ch,var(--popover-available-width))]"
+      >
+        <div className="flex flex-col gap-4 p-3">
+          <div className="flex flex-col gap-1">
+            <Label>Task identifier</Label>
+            <Input
+              placeholder="my-task"
+              value={draft}
+              onChange={(e) => setDraft(e.target.value)}
+              variant="small"
+              className="w-[29ch] font-mono"
+              spellCheck={false}
+            />
+          </div>
+          <div className="flex justify-between gap-1 border-t border-grid-dimmed pt-3">
+            <Button variant="tertiary/small" onClick={() => setOpen(false)}>
+              Cancel
+            </Button>
+            <Button
+              variant="secondary/small"
+              shortcut={{
+                modifiers: ["mod"],
+                key: "Enter",
+                enabledOnInputElements: true,
+              }}
+              onClick={apply}
+            >
+              Apply
+            </Button>
+          </div>
+        </div>
+      </SelectPopover>
+    </SelectProvider>
+  );
+}
+
+function AppliedTaskIdentifierFilter() {
+  const { values, del } = useSearchParams();
+  const taskIdentifiers = values("taskIdentifiers");
+  if (taskIdentifiers.length === 0) return null;
+
+  return (
+    <FilterMenuProvider>
+      {(search, setSearch) => (
+        <TaskIdentifierDropdown
+          trigger={
+            <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
+              <AppliedFilter
+                label="Task"
+                icon={<TaskIcon className="size-3.5" />}
+                value={appliedSummary(taskIdentifiers)}
+                onRemove={() => del(["taskIdentifiers", "cursor", "direction"])}
+                variant="secondary/small"
+              />
+            </Ariakit.Select>
+          }
+          searchValue={search}
+          clearSearchValue={() => setSearch("")}
+        />
+      )}
+    </FilterMenuProvider>
+  );
+}
+
+function ExternalIdDropdown({
+  trigger,
+  searchValue,
+  clearSearchValue,
+  onClose,
+}: {
+  trigger: ReactNode;
+  searchValue: string;
+  clearSearchValue: () => void;
+  onClose?: () => void;
+}) {
+  const [open, setOpen] = useState<boolean | undefined>();
+  const { value, replace } = useSearchParams();
+  const current = value("externalId");
+  const [draft, setDraft] = useState(current ?? "");
+
+  const apply = useCallback(() => {
+    clearSearchValue();
+    replace({
+      externalId: draft.trim() === "" ? undefined : draft.trim(),
+      cursor: undefined,
+      direction: undefined,
+    });
+    setOpen(false);
+  }, [clearSearchValue, draft, replace]);
+
+  return (
+    <SelectProvider virtualFocus={true} open={open} setOpen={setOpen}>
+      {trigger}
+      <SelectPopover
+        hideOnEnter={false}
+        hideOnEscape={() => {
+          if (onClose) {
+            onClose();
+            return false;
+          }
+          return true;
+        }}
+        className="max-w-[min(36ch,var(--popover-available-width))]"
+      >
+        <div className="flex flex-col gap-4 p-3">
+          <div className="flex flex-col gap-1">
+            <Label>External ID</Label>
+            <Input
+              placeholder="user-supplied id"
+              value={draft}
+              onChange={(e) => setDraft(e.target.value)}
+              variant="small"
+              className="w-[33ch] font-mono"
+              spellCheck={false}
+            />
+          </div>
+          <div className="flex justify-between gap-1 border-t border-grid-dimmed pt-3">
+            <Button variant="tertiary/small" onClick={() => setOpen(false)}>
+              Cancel
+            </Button>
+            <Button
+              variant="secondary/small"
+              shortcut={{
+                modifiers: ["mod"],
+                key: "Enter",
+                enabledOnInputElements: true,
+              }}
+              onClick={apply}
+            >
+              Apply
+            </Button>
+          </div>
+        </div>
+      </SelectPopover>
+    </SelectProvider>
+  );
+}
+
+function AppliedExternalIdFilter() {
+  const { value, del } = useSearchParams();
+  const externalId = value("externalId");
+  if (!externalId) return null;
+
+  return (
+    <FilterMenuProvider>
+      {(search, setSearch) => (
+        <ExternalIdDropdown
+          trigger={
+            <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
+              <AppliedFilter
+                label="External ID"
+                icon={<FingerPrintIcon className="size-3.5" />}
+                value={externalId}
+                onRemove={() => del(["externalId", "cursor", "direction"])}
+                variant="secondary/small"
+              />
+            </Ariakit.Select>
+          }
+          searchValue={search}
+          clearSearchValue={() => setSearch("")}
+        />
+      )}
+    </FilterMenuProvider>
+  );
+}
+
+function TagsDropdown({
+  trigger,
+  searchValue,
+  clearSearchValue,
+  onClose,
+}: {
+  trigger: ReactNode;
+  searchValue: string;
+  clearSearchValue: () => void;
+  onClose?: () => void;
+}) {
+  const [open, setOpen] = useState<boolean | undefined>();
+  const { values, replace } = useSearchParams();
+  const current = values("tags");
+  const [draft, setDraft] = useState(current.join(", "));
+
+  const apply = useCallback(() => {
+    clearSearchValue();
+    const next = draft
+      .split(/[,\n]/)
+      .map((t) => t.trim())
+      .filter((t) => t.length > 0);
+    replace({
+      tags: next.length === 0 ? undefined : next,
+      cursor: undefined,
+      direction: undefined,
+    });
+    setOpen(false);
+  }, [clearSearchValue, draft, replace]);
+
+  return (
+    <SelectProvider virtualFocus={true} open={open} setOpen={setOpen}>
+      {trigger}
+      <SelectPopover
+        hideOnEnter={false}
+        hideOnEscape={() => {
+          if (onClose) {
+            onClose();
+            return false;
+          }
+          return true;
+        }}
+        className="max-w-[min(40ch,var(--popover-available-width))]"
+      >
+        <div className="flex flex-col gap-4 p-3">
+          <div className="flex flex-col gap-1">
+            <Label>Tags</Label>
+            <Input
+              placeholder="tag1, tag2"
+              value={draft}
+              onChange={(e) => setDraft(e.target.value)}
+              variant="small"
+              className="w-[37ch] font-mono"
+              spellCheck={false}
+            />
+            <Paragraph variant="extra-small/dimmed">
+              Comma-separated. Matches sessions with any of these tags.
+            </Paragraph>
+          </div>
+          <div className="flex justify-between gap-1 border-t border-grid-dimmed pt-3">
+            <Button variant="tertiary/small" onClick={() => setOpen(false)}>
+              Cancel
+            </Button>
+            <Button
+              variant="secondary/small"
+              shortcut={{
+                modifiers: ["mod"],
+                key: "Enter",
+                enabledOnInputElements: true,
+              }}
+              onClick={apply}
+            >
+              Apply
+            </Button>
+          </div>
+        </div>
+      </SelectPopover>
+    </SelectProvider>
+  );
+}
+
+function AppliedTagsFilter() {
+  const { values, del } = useSearchParams();
+  const tags = values("tags");
+  if (tags.length === 0) return null;
+
+  return (
+    <FilterMenuProvider>
+      {(search, setSearch) => (
+        <TagsDropdown
+          trigger={
+            <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
+              <AppliedFilter
+                label="Tags"
+                icon={<TagIcon className="size-3.5" />}
+                value={appliedSummary(tags)}
+                onRemove={() => del(["tags", "cursor", "direction"])}
+                variant="secondary/small"
+              />
+            </Ariakit.Select>
+          }
+          searchValue={search}
+          clearSearchValue={() => setSearch("")}
+        />
+      )}
+    </FilterMenuProvider>
+  );
+}
+
diff --git a/apps/webapp/app/components/sessions/v1/SessionStatus.tsx b/apps/webapp/app/components/sessions/v1/SessionStatus.tsx
new file mode 100644
index 00000000000..a4e17affd83
--- /dev/null
+++ b/apps/webapp/app/components/sessions/v1/SessionStatus.tsx
@@ -0,0 +1,89 @@
+import { CheckCircleIcon, ClockIcon } from "@heroicons/react/20/solid";
+import assertNever from "assert-never";
+import { type SessionStatus } from "~/services/sessionsRepository/sessionsRepository.server";
+import { cn } from "~/utils/cn";
+
+export const allSessionStatuses = ["ACTIVE", "CLOSED", "EXPIRED"] as const satisfies Readonly<
+  Array<SessionStatus>
+>;
+
+const descriptions: Record<SessionStatus, string> = {
+  ACTIVE: "The session is open and can receive input or schedule new runs.",
+  CLOSED: "The session was closed; no further input or runs can be triggered against it.",
+  EXPIRED: "The session passed its expiry time without being closed explicitly.",
+};
+
+export function descriptionForSessionStatus(status: SessionStatus): string {
+  return descriptions[status];
+}
+
+export function sessionStatusTitle(status: SessionStatus): string {
+  switch (status) {
+    case "ACTIVE":
+      return "Active";
+    case "CLOSED":
+      return "Closed";
+    case "EXPIRED":
+      return "Expired";
+    default:
+      assertNever(status);
+  }
+}
+
+export function sessionStatusColor(status: SessionStatus): string {
+  switch (status) {
+    case "ACTIVE":
+      return "text-pending";
+    case "CLOSED":
+      return "text-success";
+    case "EXPIRED":
+      return "text-text-dimmed";
+    default:
+      assertNever(status);
+  }
+}
+
+export function SessionStatusIcon({
+  status,
+  className,
+}: {
+  status: SessionStatus;
+  className: string;
+}) {
+  switch (status) {
+    case "ACTIVE":
+      return (
+        <span className={cn("inline-flex items-center justify-center", className)}>
+          <span className="size-2 rounded-full bg-pending" />
+        </span>
+      );
+    case "CLOSED":
+      return <CheckCircleIcon className={cn(sessionStatusColor(status), className)} />;
+    case "EXPIRED":
+      return <ClockIcon className={cn(sessionStatusColor(status), className)} />;
+    default:
+      assertNever(status);
+  }
+}
+
+export function SessionStatusLabel({ status }: { status: SessionStatus }) {
+  return <span className={sessionStatusColor(status)}>{sessionStatusTitle(status)}</span>;
+}
+
+export function SessionStatusCombo({
+  status,
+  className,
+  iconClassName,
+}: {
+  status: SessionStatus;
+  className?: string;
+  iconClassName?: string;
+}) {
+  return (
+    <span className={cn("flex items-center gap-1", className)}>
+      <SessionStatusIcon status={status} className={cn("h-4 w-4", iconClassName)} />
+      <SessionStatusLabel status={status} />
+    </span>
+  );
+}
+
diff --git a/apps/webapp/app/components/sessions/v1/SessionsTable.tsx b/apps/webapp/app/components/sessions/v1/SessionsTable.tsx
new file mode 100644
index 00000000000..fb83f2d03eb
--- /dev/null
+++ b/apps/webapp/app/components/sessions/v1/SessionsTable.tsx
@@ -0,0 +1,224 @@
+import { ArrowRightIcon } from "@heroicons/react/20/solid";
+import { useLocation, useNavigation } from "@remix-run/react";
+import { formatDuration } from "@trigger.dev/core/v3/utils/durations";
+import { ListBulletIcon } from "~/assets/icons/ListBulletIcon";
+import { MiddleTruncate } from "~/components/primitives/MiddleTruncate";
+import { DateTime } from "~/components/primitives/DateTime";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import { PopoverMenuItem } from "~/components/primitives/Popover";
+import { Spinner } from "~/components/primitives/Spinner";
+import {
+  Table,
+  TableBlankRow,
+  TableBody,
+  TableCell,
+  TableCellMenu,
+  TableHeader,
+  TableHeaderCell,
+  TableRow,
+} from "~/components/primitives/Table";
+import { SimpleTooltip } from "~/components/primitives/Tooltip";
+import { LiveTimer } from "~/components/runs/v3/LiveTimer";
+import { RunTag } from "~/components/runs/v3/RunTag";
+import { useEnvironment } from "~/hooks/useEnvironment";
+import { useOrganization } from "~/hooks/useOrganizations";
+import { useProject } from "~/hooks/useProject";
+import {
+  type SessionListItem,
+  type SessionList,
+} from "~/presenters/v3/SessionListPresenter.server";
+import { v3RunPath, v3RunsPath, v3SessionPath } from "~/utils/pathBuilder";
+import {
+  descriptionForSessionStatus,
+  SessionStatusCombo,
+  allSessionStatuses,
+} from "./SessionStatus";
+
+type SessionsTableProps = Pick<SessionList, "sessions" | "filters" | "hasFilters">;
+
+export function SessionsTable({ sessions, hasFilters }: SessionsTableProps) {
+  const navigation = useNavigation();
+  const location = useLocation();
+  const isLoading =
+    navigation.state !== "idle" && navigation.location?.pathname === location.pathname;
+
+  const organization = useOrganization();
+  const project = useProject();
+  const environment = useEnvironment();
+
+  return (
+    <Table className="max-h-full overflow-y-auto">
+      <TableHeader>
+        <TableRow>
+          <TableHeaderCell>ID</TableHeaderCell>
+          <TableHeaderCell
+            tooltip={
+              <div className="flex flex-col divide-y divide-grid-dimmed">
+                {allSessionStatuses.map((status) => (
+                  <div
+                    key={status}
+                    className="grid grid-cols-[6rem_1fr] gap-x-2 py-2 first:pt-1 last:pb-1"
+                  >
+                    <div className="mb-0.5 flex items-center gap-1.5 whitespace-nowrap">
+                      <SessionStatusCombo status={status} iconClassName="animate-none" />
+                    </div>
+                    <Paragraph variant="extra-small" className="!text-wrap text-text-dimmed">
+                      {descriptionForSessionStatus(status)}
+                    </Paragraph>
+                  </div>
+                ))}
+              </div>
+            }
+          >
+            Status
+          </TableHeaderCell>
+          <TableHeaderCell>Type</TableHeaderCell>
+          <TableHeaderCell>Task</TableHeaderCell>
+          <TableHeaderCell>Tags</TableHeaderCell>
+          <TableHeaderCell>Created</TableHeaderCell>
+          <TableHeaderCell>Duration</TableHeaderCell>
+          <TableHeaderCell>
+            <span className="sr-only">Actions</span>
+          </TableHeaderCell>
+        </TableRow>
+      </TableHeader>
+      <TableBody>
+        {sessions.length === 0 ? (
+          <TableBlankRow colSpan={8}>
+            <div className="flex items-center justify-center">
+              <Paragraph className="w-auto">
+                {hasFilters
+                  ? "No sessions match these filters"
+                  : "No sessions in this environment yet"}
+              </Paragraph>
+            </div>
+          </TableBlankRow>
+        ) : (
+          sessions.map((session) => {
+            const runPath = session.currentRunFriendlyId
+              ? v3RunPath(organization, project, environment, {
+                  friendlyId: session.currentRunFriendlyId,
+                })
+              : undefined;
+
+            const displayId = session.externalId ?? session.friendlyId;
+            const sessionPath = v3SessionPath(organization, project, environment, {
+              friendlyId: session.friendlyId,
+            });
+            const allRunsPath = v3RunsPath(organization, project, environment, {
+              tags: [`chat:${displayId}`],
+            });
+
+            return (
+              <TableRow key={session.id}>
+                <TableCell to={sessionPath} isTabbableCell>
+                  <div className="w-[28ch]">
+                    <MiddleTruncate text={displayId} className="font-mono text-xs" />
+                  </div>
+                </TableCell>
+                <TableCell to={sessionPath}>
+                  <SimpleTooltip
+                    content={descriptionForSessionStatus(session.status)}
+                    disableHoverableContent
+                    button={<SessionStatusCombo status={session.status} />}
+                  />
+                </TableCell>
+                <TableCell to={sessionPath}>
+                  <span className="font-mono text-xs">{session.type}</span>
+                </TableCell>
+                <TableCell to={sessionPath}>
+                  <div className="w-[24ch]">
+                    <MiddleTruncate
+                      text={session.taskIdentifier}
+                      className="font-mono text-xs"
+                    />
+                  </div>
+                </TableCell>
+                <TableCell to={sessionPath}>
+                  {session.tags.length > 0 ? (
+                    <div className="flex flex-wrap gap-1">
+                      {session.tags.map((tag) => (
+                        <RunTag key={tag} tag={tag} />
+                      ))}
+                    </div>
+                  ) : (
+                    <span className="text-text-dimmed">–</span>
+                  )}
+                </TableCell>
+                <TableCell to={sessionPath}>
+                  <DateTime date={session.createdAt} />
+                </TableCell>
+                <TableCell
+                  to={sessionPath}
+                  className="w-[1%]"
+                  actionClassName="pr-0 tabular-nums"
+                >
+                  <SessionDuration session={session} />
+                </TableCell>
+                <SessionActionsCell runPath={runPath} allRunsPath={allRunsPath} />
+              </TableRow>
+            );
+          })
+        )}
+        {isLoading && (
+          <TableBlankRow
+            colSpan={8}
+            className="absolute left-0 top-0 flex h-full w-full items-center justify-center gap-2 bg-charcoal-900/90"
+          >
+            <Spinner /> <span className="text-text-dimmed">Loading…</span>
+          </TableBlankRow>
+        )}
+      </TableBody>
+    </Table>
+  );
+}
+
+function SessionDuration({ session }: { session: SessionListItem }) {
+  // Active sessions tick live; closed/expired sessions freeze at the
+  // moment they ended (closedAt for explicit closes, expiresAt when the
+  // TTL ran out without a close call).
+  const endedAt =
+    session.status === "CLOSED"
+      ? session.closedAt
+      : session.status === "EXPIRED"
+        ? session.expiresAt
+        : undefined;
+
+  if (endedAt) {
+    return <>{formatDuration(new Date(session.createdAt), new Date(endedAt), { style: "short" })}</>;
+  }
+
+  return <LiveTimer startTime={new Date(session.createdAt)} />;
+}
+
+function SessionActionsCell({
+  runPath,
+  allRunsPath,
+}: {
+  runPath?: string;
+  allRunsPath: string;
+}) {
+  return (
+    <TableCellMenu
+      isSticky
+      popoverContent={
+        <>
+          {runPath && (
+            <PopoverMenuItem
+              to={runPath}
+              icon={ArrowRightIcon}
+              leadingIconClassName="text-runs"
+              title="View current run"
+            />
+          )}
+          <PopoverMenuItem
+            to={allRunsPath}
+            icon={ListBulletIcon}
+            leadingIconClassName="text-runs"
+            title="View all runs"
+          />
+        </>
+      }
+    />
+  );
+}
diff --git a/apps/webapp/app/db.server.ts b/apps/webapp/app/db.server.ts
index 4668b58fb02..96f6307f576 100644
--- a/apps/webapp/app/db.server.ts
+++ b/apps/webapp/app/db.server.ts
@@ -13,8 +13,8 @@ import { env } from "./env.server";
 import { logger } from "./services/logger.server";
 import { isValidDatabaseUrl } from "./utils/db";
 import { singleton } from "./utils/singleton";
-import { startActiveSpan } from "./v3/tracer.server";
-import { Span } from "@opentelemetry/api";
+import { DATASOURCE_CONTEXT_KEY, startActiveSpan } from "./v3/tracer.server";
+import { context, Span, trace } from "@opentelemetry/api";
 import { queryPerformanceMonitor } from "./utils/queryPerformanceMonitor.server";
 
 export type {
@@ -98,12 +98,30 @@ export async function $transaction<R>(
 
 export { Prisma };
 
-export const prisma = singleton("prisma", getClient);
+function tagDatasource<T extends PrismaClient>(
+  datasource: "writer" | "replica",
+  client: T
+): T {
+  return client.$extends({
+    name: "datasource-tagger",
+    query: {
+      $allOperations: ({ query, args }) => {
+        trace.getActiveSpan()?.setAttribute("db.datasource", datasource);
+        return context.with(
+          context.active().setValue(DATASOURCE_CONTEXT_KEY, datasource),
+          async () => await query(args)
+        );
+      },
+    },
+  }) as unknown as T;
+}
 
-export const $replica: PrismaReplicaClient = singleton(
-  "replica",
-  () => getReplicaClient() ?? prisma
-);
+export const prisma = singleton("prisma", () => tagDatasource("writer", getClient()));
+
+export const $replica: PrismaReplicaClient = singleton("replica", () => {
+  const replica = getReplicaClient();
+  return replica ? tagDatasource("replica", replica) : prisma;
+});
 
 function getClient() {
   const { DATABASE_URL } = process.env;
diff --git a/apps/webapp/app/entry.client.tsx b/apps/webapp/app/entry.client.tsx
index 46c2919b832..e0d0f0ac076 100644
--- a/apps/webapp/app/entry.client.tsx
+++ b/apps/webapp/app/entry.client.tsx
@@ -1,8 +1,11 @@
 import { RemixBrowser } from "@remix-run/react";
 import { hydrateRoot } from "react-dom/client";
+import { clientBeforeFirstRender } from "./clientBeforeFirstRender";
 import { LocaleContextProvider } from "./components/primitives/LocaleProvider";
 import { OperatingSystemContextProvider } from "./components/primitives/OperatingSystemProvider";
 
+clientBeforeFirstRender();
+
 hydrateRoot(
   document,
   <OperatingSystemContextProvider
diff --git a/apps/webapp/app/entry.server.tsx b/apps/webapp/app/entry.server.tsx
index 4ee4f252a32..1282127cb20 100644
--- a/apps/webapp/app/entry.server.tsx
+++ b/apps/webapp/app/entry.server.tsx
@@ -1,11 +1,15 @@
 import { createReadableStreamFromReadable, type EntryContext } from "@remix-run/node"; // or cloudflare/deno
 import { RemixServer } from "@remix-run/react";
+import * as Sentry from "@sentry/remix";
 import { wrapHandleErrorWithSentry } from "@sentry/remix";
+import { addTenantContextToEvent } from "~/utils/sentryTenantContext.server";
 import { parseAcceptLanguage } from "intl-parse-accept-language";
 import isbot from "isbot";
 import { renderToPipeableStream } from "react-dom/server";
 import { PassThrough } from "stream";
 import * as Worker from "~/services/worker.server";
+import { initMollifierDrainerWorker } from "~/v3/mollifierDrainerWorker.server";
+import { initMollifierStaleSweepWorker } from "~/v3/mollifierStaleSweepWorker.server";
 import { bootstrap } from "./bootstrap";
 import { LocaleContextProvider } from "./components/primitives/LocaleProvider";
 import {
@@ -23,6 +27,22 @@ import {
   registerRunEngineEventBusHandlers,
   setupBatchQueueCallbacks,
 } from "./v3/runEngineHandlers.server";
+import { registerRunChangeNotifierHandlers } from "./services/realtime/runChangeNotifierHandlers.server";
+// Touch the sessions replication singleton at entry so it boots deterministically
+// on webapp startup. The singleton's initializer wires start (gated on
+// `clickhouseFactory.isReady()`) and SIGTERM/SIGINT shutdown — mirrors
+// runsReplicationInstance.
+//
+// IMPORTANT: do NOT replace this with `void sessionsReplicationInstance;`.
+// `apps/webapp/package.json` declares `"sideEffects": false`, so esbuild
+// treats `void <identifier>;` as a pure expression statement and tree-shakes
+// the entire import — the singleton's initializer never fires and the
+// sessions→ClickHouse logical replication slot stops being consumed. Assigning
+// to globalThis is an unambiguous side effect the bundler must preserve. See
+// TRI-9864 for the incident write-up.
+import { sessionsReplicationInstance } from "./services/sessionsReplicationInstance.server";
+(globalThis as Record<string, unknown>).__sessionsReplicationInstance =
+  sessionsReplicationInstance;
 
 const ABORT_DELAY = 30000;
 
@@ -83,6 +103,10 @@ function handleBotRequest(
 ) {
   return new Promise((resolve, reject) => {
     let shellRendered = false;
+    // Timer handle is cleared in every terminal callback so the abort closure
+    // (which captures the full React render tree + remixContext) doesn't pin
+    // memory for 30s per successful request. See react-router PR #14200.
+    let abortTimer: NodeJS.Timeout | undefined;
     const { pipe, abort } = renderToPipeableStream(
       <OperatingSystemContextProvider platform={platform}>
         <LocaleContextProvider locales={locales}>
@@ -105,8 +129,10 @@ function handleBotRequest(
           );
 
           pipe(body);
+          clearTimeout(abortTimer);
         },
         onShellError(error: unknown) {
+          clearTimeout(abortTimer);
           reject(error);
         },
         onError(error: unknown) {
@@ -121,7 +147,7 @@ function handleBotRequest(
       }
     );
 
-    setTimeout(abort, ABORT_DELAY);
+    abortTimer = setTimeout(abort, ABORT_DELAY);
   });
 }
 
@@ -135,6 +161,10 @@ function handleBrowserRequest(
 ) {
   return new Promise((resolve, reject) => {
     let shellRendered = false;
+    // Timer handle is cleared in every terminal callback so the abort closure
+    // (which captures the full React render tree + remixContext) doesn't pin
+    // memory for 30s per successful request. See react-router PR #14200.
+    let abortTimer: NodeJS.Timeout | undefined;
     const { pipe, abort } = renderToPipeableStream(
       <OperatingSystemContextProvider platform={platform}>
         <LocaleContextProvider locales={locales}>
@@ -157,8 +187,10 @@ function handleBrowserRequest(
           );
 
           pipe(body);
+          clearTimeout(abortTimer);
         },
         onShellError(error: unknown) {
+          clearTimeout(abortTimer);
           reject(error);
         },
         onError(error: unknown) {
@@ -173,7 +205,7 @@ function handleBrowserRequest(
       }
     );
 
-    setTimeout(abort, ABORT_DELAY);
+    abortTimer = setTimeout(abort, ABORT_DELAY);
   });
 }
 
@@ -197,6 +229,9 @@ Worker.init().catch((error) => {
   logError(error);
 });
 
+initMollifierDrainerWorker();
+initMollifierStaleSweepWorker();
+
 bootstrap().catch((error) => {
   logError(error);
 });
@@ -235,10 +270,28 @@ process.on("uncaughtException", (error, origin) => {
 
 singleton("RunEngineEventBusHandlers", registerRunEngineEventBusHandlers);
 singleton("SetupBatchQueueCallbacks", setupBatchQueueCallbacks);
+// Attach the realtime run-changed publish delegations to the engine event bus.
+// No-ops (registers nothing) unless REALTIME_BACKEND_NATIVE_ENABLED=1.
+singleton("RunChangeNotifierHandlers", registerRunChangeNotifierHandlers);
+
+// Wrapped in singleton() so Remix's dev-mode CJS reloads don't append
+// duplicate copies of the processor — Sentry's processor list lives in
+// node_modules and persists across module reloads. Idempotent at runtime
+// (the processor is a pure read+stamp), but the pattern matches the rest
+// of this file.
+singleton("SentryTenantContextProcessor", () => {
+  if (env.SENTRY_DSN) {
+    Sentry.addEventProcessor(addTenantContextToEvent);
+  }
+  // Return a truthy value — `singleton()` uses `??=` so a `void`
+  // callback would re-execute (and re-register) on every dev reload.
+  return true;
+});
 
 export { apiRateLimiter } from "./services/apiRateLimit.server";
 export { engineRateLimiter } from "./services/engineRateLimit.server";
 export { runWithHttpContext } from "./services/httpAsyncStorage.server";
+export { tenantContextMiddleware } from "./services/tenantContextResolver.server";
 export { socketIo } from "./v3/handleSocketIo.server";
 export { wss } from "./v3/handleWebsockets.server";
 
diff --git a/apps/webapp/app/env.server.ts b/apps/webapp/app/env.server.ts
index 8d72b2e51b2..d9c97711940 100644
--- a/apps/webapp/app/env.server.ts
+++ b/apps/webapp/app/env.server.ts
@@ -1,7 +1,50 @@
 import { z } from "zod";
+import { MachinePresetName } from "@trigger.dev/core/v3";
 import { BoolEnv } from "./utils/boolEnv";
 import { isValidDatabaseUrl } from "./utils/db";
 import { isValidRegex } from "./utils/regex";
+import { isValidDuration } from "./services/realtime/duration.server";
+
+// `z.string()` constrained to a `parseDuration`-parseable string (e.g.
+// `7d`, `1h`). Validated at boot so a typo'd duration fails fast.
+function durationString() {
+  return z
+    .string()
+    .refine(isValidDuration, "must be a duration like 7d, 30d, 365d, 1h, 1y");
+}
+
+// Parses a CSV of machine preset names (e.g. "small-1x,small-2x") into a
+// non-empty array of MachinePresetName. Used by COMPUTE_TEMPLATE_MACHINE_PRESETS
+// and its _REQUIRED variant. Adds zod issues for empty input or unknown names.
+const parseMachinePresetCsv = (
+  raw: string,
+  ctx: z.RefinementCtx
+): MachinePresetName[] => {
+  const names = raw
+    .split(",")
+    .map((s) => s.trim())
+    .filter(Boolean);
+  if (names.length === 0) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: "must list at least one machine preset",
+    });
+    return z.NEVER;
+  }
+  const out: MachinePresetName[] = [];
+  for (const name of names) {
+    const parsed = MachinePresetName.safeParse(name);
+    if (!parsed.success) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: `unknown machine preset: "${name}"`,
+      });
+      return z.NEVER;
+    }
+    out.push(parsed.data);
+  }
+  return out;
+};
 
 const GithubAppEnvSchema = z.preprocess(
   (val) => {
@@ -91,6 +134,7 @@ const EnvironmentSchema = z
     ELECTRIC_ORIGIN_SHARDS: z.string().optional(),
     APP_ENV: z.string().default(process.env.NODE_ENV),
     SERVICE_NAME: z.string().default("trigger.dev webapp"),
+    SENTRY_DSN: z.string().optional(),
     POSTHOG_PROJECT_KEY: z.string().default("phc_LFH7kJiGhdIlnO22hTAKgHpaKhpM8gkzWAFvHmf5vfS"),
     TRIGGER_TELEMETRY_DISABLED: z.string().optional(),
     AUTH_GITHUB_CLIENT_ID: z.string().optional(),
@@ -108,6 +152,9 @@ const EnvironmentSchema = z
     SMTP_PASSWORD: z.string().optional(),
 
     PLAIN_API_KEY: z.string().optional(),
+    PLAIN_CUSTOMER_CARDS_SECRET: z.string().optional(),
+    PLAIN_CUSTOMER_CARDS_KEY: z.string().optional(),
+    PLAIN_CUSTOMER_CARDS_HEADERS: z.string().optional(),
     WORKER_SCHEMA: z.string().default("graphile_worker"),
     WORKER_CONCURRENCY: z.coerce.number().int().default(10),
     WORKER_POLL_INTERVAL: z.coerce.number().int().default(1000),
@@ -189,6 +236,30 @@ const EnvironmentSchema = z
     CACHE_REDIS_TLS_DISABLED: z.string().default(process.env.REDIS_TLS_DISABLED ?? "false"),
     CACHE_REDIS_CLUSTER_MODE_ENABLED: z.string().default("0"),
 
+    TASK_META_CACHE_REDIS_HOST: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.REDIS_HOST),
+    TASK_META_CACHE_REDIS_PORT: z.coerce
+      .number()
+      .optional()
+      .transform(
+        (v) => v ?? (process.env.REDIS_PORT ? parseInt(process.env.REDIS_PORT) : undefined)
+      ),
+    TASK_META_CACHE_REDIS_USERNAME: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.REDIS_USERNAME),
+    TASK_META_CACHE_REDIS_PASSWORD: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.REDIS_PASSWORD),
+    TASK_META_CACHE_REDIS_TLS_DISABLED: z
+      .string()
+      .default(process.env.REDIS_TLS_DISABLED ?? "false"),
+    TASK_META_CACHE_CURRENT_ENV_TTL_SECONDS: z.coerce.number().default(86400),
+    TASK_META_CACHE_BY_WORKER_TTL_SECONDS: z.coerce.number().default(2592000),
+
     REALTIME_STREAMS_REDIS_HOST: z
       .string()
       .optional()
@@ -229,6 +300,67 @@ const EnvironmentSchema = z
       .int()
       .default(24 * 60 * 60 * 1000), // 1 day in milliseconds
 
+    // Master switch for the native realtime backend; off = Electric serves everything, publishes no-op.
+    REALTIME_BACKEND_NATIVE_ENABLED: z.string().default("0"),
+    // Live long-poll backstop hold (ms); matches Electric's ~20s cadence.
+    REALTIME_BACKEND_NATIVE_LIVE_POLL_TIMEOUT_MS: z.coerce.number().int().default(20_000),
+    // Jitter ratio on the live-poll hold (0.15 = ±15%) to avoid synchronized refetch herds.
+    REALTIME_BACKEND_NATIVE_LIVE_POLL_JITTER_RATIO: z.coerce.number().default(0.15),
+    // Hard cap on the tag-list snapshot size.
+    REALTIME_BACKEND_NATIVE_MAX_LIST_RESULTS: z.coerce.number().int().default(1_000),
+    // TTL/size of the coalescing cache for the multi-run resolve+hydrate (same-filter feeds share one query).
+    REALTIME_BACKEND_NATIVE_RUNSET_CACHE_TTL_MS: z.coerce.number().int().default(1_000),
+    REALTIME_BACKEND_NATIVE_RUNSET_CACHE_MAX_ENTRIES: z.coerce.number().int().default(5_000),
+    // Size/TTL of the per-handle working-set cache used to diff multi-run live polls.
+    REALTIME_BACKEND_NATIVE_WORKING_SET_MAX_ENTRIES: z.coerce.number().int().default(10_000),
+    REALTIME_BACKEND_NATIVE_WORKING_SET_TTL_MS: z.coerce.number().int().default(300_000),
+    // Bucket (ms) the tag-list createdAt floor is quantized to so same-tag feeds share a cache entry; 0 disables.
+    REALTIME_BACKEND_NATIVE_RUNSET_CREATED_AT_BUCKET_MS: z.coerce.number().int().default(60_000),
+    // Leading-edge throttle (ms) on per-env wake delivery; 0 wakes on every change.
+    REALTIME_BACKEND_NATIVE_ENV_WAKE_COALESCE_WINDOW_MS: z.coerce.number().int().default(250),
+    // "1" shares per-connection replay cursors fleet-wide via Redis, so a load-balancer hop reads the connection's true inter-poll gap instead of cold-resolving.
+    REALTIME_BACKEND_NATIVE_SHARED_REPLAY_CURSORS: z.string().default("1"),
+    // "1" holds a multi-run live poll open on a non-matching wake instead of replying up-to-date.
+    REALTIME_BACKEND_NATIVE_HOLD_ON_EMPTY: z.string().default("1"),
+    // Max concurrent fresh ClickHouse resolves per instance (reconnect-stampede gate); 0 disables.
+    REALTIME_BACKEND_NATIVE_RESOLVE_ADMISSION_LIMIT: z.coerce.number().int().default(16),
+    // Replay window (ms) for buffered change records delivered to newly-armed feeds; 0 disables.
+    REALTIME_BACKEND_NATIVE_REPLAY_WINDOW_MS: z.coerce.number().int().default(2_000),
+    // Cap on buffered recent records per env (latest record per run).
+    REALTIME_BACKEND_NATIVE_REPLAY_MAX_RUNS: z.coerce.number().int().default(512),
+    // Keep an env subscribed + buffering this long (ms) after its last feed closes; 0 disables.
+    REALTIME_BACKEND_NATIVE_UNSUBSCRIBE_LINGER_MS: z.coerce.number().int().default(5_000),
+    // Fallback per-env concurrent-connection limit when the org has none configured.
+    REALTIME_BACKEND_NATIVE_DEFAULT_CONCURRENCY_LIMIT: z.coerce.number().int().default(100_000),
+    // TTL/size of the single-run read-through cache that collapses duplicate refetch bursts.
+    REALTIME_BACKEND_NATIVE_RUN_CACHE_TTL_MS: z.coerce.number().int().default(250),
+    REALTIME_BACKEND_NATIVE_RUN_CACHE_MAX_ENTRIES: z.coerce.number().int().default(5_000),
+    // TTL/size of the per-org realtimeBackend flag cache used to pick the serving backend.
+    REALTIME_BACKEND_FLAG_CACHE_TTL_MS: z.coerce.number().int().default(30_000),
+    REALTIME_BACKEND_FLAG_CACHE_MAX_ENTRIES: z.coerce.number().int().default(50_000),
+    // "1" enables the read-your-writes gate: wake hydrates wait out the measured replica lag
+    // (anchored to the change record's updatedAtMs) and stale reads are retried.
+    REALTIME_BACKEND_NATIVE_REPLICA_LAG_GATE_ENABLED: z.string().default("1"),
+    // Reader-side lag probe cadence while the router is active; probing pauses when idle.
+    REALTIME_BACKEND_NATIVE_REPLICA_LAG_SAMPLE_INTERVAL_MS: z.coerce.number().int().default(250),
+    REALTIME_BACKEND_NATIVE_REPLICA_LAG_IDLE_AFTER_MS: z.coerce.number().int().default(30_000),
+    // The lag estimate is the max sample inside this window (spikes widen it immediately).
+    REALTIME_BACKEND_NATIVE_REPLICA_LAG_WINDOW_MS: z.coerce.number().int().default(5_000),
+    // Estimate before the first sample lands (and the floor when probing is unavailable).
+    REALTIME_BACKEND_NATIVE_REPLICA_LAG_DEFAULT_MS: z.coerce.number().int().default(30),
+    // Safety margin (clock skew + scheduling) added on top of the lag estimate.
+    REALTIME_BACKEND_NATIVE_REPLICA_LAG_MARGIN_MS: z.coerce.number().int().default(10),
+    // Hard cap on any single gate delay — a sick replica degrades freshness, never liveness.
+    REALTIME_BACKEND_NATIVE_REPLICA_LAG_MAX_DELAY_MS: z.coerce.number().int().default(1_000),
+    // Re-hydrate attempts for rows the tripwire still finds stale after the delay.
+    REALTIME_BACKEND_NATIVE_STALE_HYDRATE_RETRIES: z.coerce.number().int().default(3),
+    // How long a tripwire-observed staleness floors the lag estimate (vanilla-PG replicas
+    // can't measure mid-apply lag, so observations carry the estimate between races).
+    REALTIME_BACKEND_NATIVE_REPLICA_LAG_OBSERVED_FLOOR_TTL_MS: z.coerce
+      .number()
+      .int()
+      .default(60_000),
+
     PUBSUB_REDIS_HOST: z
       .string()
       .optional()
@@ -261,6 +393,36 @@ const EnvironmentSchema = z
     PUBSUB_REDIS_TLS_DISABLED: z.string().default(process.env.REDIS_TLS_DISABLED ?? "false"),
     PUBSUB_REDIS_CLUSTER_MODE_ENABLED: z.string().default("0"),
 
+    // Dedicated pub/sub Redis for the native realtime backend; falls back to PUBSUB_REDIS_* then REDIS_*.
+    REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_HOST: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.PUBSUB_REDIS_HOST ?? process.env.REDIS_HOST),
+    REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_PORT: z.coerce
+      .number()
+      .optional()
+      .transform((v) => {
+        if (v !== undefined) return v;
+        const raw = process.env.PUBSUB_REDIS_PORT ?? process.env.REDIS_PORT;
+        return raw ? parseInt(raw) : undefined;
+      }),
+    REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_USERNAME: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.PUBSUB_REDIS_USERNAME ?? process.env.REDIS_USERNAME),
+    REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_PASSWORD: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.PUBSUB_REDIS_PASSWORD ?? process.env.REDIS_PASSWORD),
+    REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_TLS_DISABLED: z
+      .string()
+      .default(process.env.PUBSUB_REDIS_TLS_DISABLED ?? process.env.REDIS_TLS_DISABLED ?? "false"),
+    REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_CLUSTER_MODE_ENABLED: z
+      .string()
+      .default(process.env.PUBSUB_REDIS_CLUSTER_MODE_ENABLED ?? "0"),
+    // Use sharded pub/sub (SSUBSCRIBE/SPUBLISH) in cluster mode; "0" forces classic pub/sub.
+    REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_SHARDED_ENABLED: z.string().default("1"),
+
     DEFAULT_ENV_EXECUTION_CONCURRENCY_LIMIT: z.coerce.number().int().default(100),
     DEFAULT_ENV_EXECUTION_CONCURRENCY_BURST_FACTOR: z.coerce.number().default(1.0),
     DEFAULT_ORG_EXECUTION_CONCURRENCY_LIMIT: z.coerce.number().int().default(300),
@@ -300,6 +462,7 @@ const EnvironmentSchema = z
     DEPLOY_REGISTRY_ECR_TAGS: z.string().optional(), // csv, for example: "key1=value1,key2=value2"
     DEPLOY_REGISTRY_ECR_ASSUME_ROLE_ARN: z.string().optional(),
     DEPLOY_REGISTRY_ECR_ASSUME_ROLE_EXTERNAL_ID: z.string().optional(),
+    DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY: z.string().optional(), // raw IAM policy JSON applied to every repo created by the webapp
 
     // Deployment registry (v4) - falls back to v3 registry if not specified
     V4_DEPLOY_REGISTRY_HOST: z
@@ -332,11 +495,34 @@ const EnvironmentSchema = z
       .string()
       .optional()
       .transform((v) => v ?? process.env.DEPLOY_REGISTRY_ECR_ASSUME_ROLE_EXTERNAL_ID),
+    V4_DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY),
 
     // Compute gateway (template creation during deploy finalize)
     COMPUTE_GATEWAY_URL: z.string().optional(),
     COMPUTE_GATEWAY_AUTH_TOKEN: z.string().optional(),
     COMPUTE_TEMPLATE_SHADOW_ROLLOUT_PCT: z.string().optional(),
+    // Comma-separated machine preset names to build boot snapshots for on
+    // deploy (e.g. "small-1x,small-2x,medium-1x"). Default: "small-1x".
+    COMPUTE_TEMPLATE_MACHINE_PRESETS: z
+      .string()
+      .default("small-1x")
+      .transform(parseMachinePresetCsv),
+    // Subset of COMPUTE_TEMPLATE_MACHINE_PRESETS that must succeed for a
+    // required-mode deploy to be considered successful. Failures of presets
+    // outside this list are logged but don't fail the deploy. Defaults to the
+    // full COMPUTE_TEMPLATE_MACHINE_PRESETS list when unset (everything required).
+    COMPUTE_TEMPLATE_MACHINE_PRESETS_REQUIRED: z
+      .string()
+      .optional()
+      .transform((v, ctx) =>
+        parseMachinePresetCsv(
+          v ?? process.env.COMPUTE_TEMPLATE_MACHINE_PRESETS ?? "small-1x",
+          ctx
+        )
+      ),
 
     DEPLOY_IMAGE_PLATFORM: z.string().default("linux/amd64"),
     DEPLOY_TIMEOUT_MS: z.coerce
@@ -348,6 +534,12 @@ const EnvironmentSchema = z
       .int()
       .default(60 * 1000 * 15), // 15 minutes
 
+    // When enabled, reject deploys made by v3 CLI versions (i.e. payloads that
+    // omit the `type` field). v4 CLI versions always send `type` ("MANAGED" or "V1"),
+    // so they are unaffected. Defaults to off so detection can run in
+    // log-only mode before enforcement.
+    DEPRECATE_V3_CLI_DEPLOYS_ENABLED: z.string().default("0"),
+
     OBJECT_STORE_BASE_URL: z.string().optional(),
     OBJECT_STORE_BUCKET: z.string().optional(),
     OBJECT_STORE_ACCESS_KEY_ID: z.string().optional(),
@@ -359,7 +551,10 @@ const EnvironmentSchema = z
     // If specified, you must configure the corresponding provider using OBJECT_STORE_{PROTOCOL}_* env vars.
     // Example: OBJECT_STORE_DEFAULT_PROTOCOL=s3 requires OBJECT_STORE_S3_BASE_URL, OBJECT_STORE_S3_ACCESS_KEY_ID, etc.
     // Enables zero-downtime migration between providers (old data keeps working, new data uses new provider).
-    OBJECT_STORE_DEFAULT_PROTOCOL: z.string().regex(/^[a-z0-9]+$/).optional(),
+    OBJECT_STORE_DEFAULT_PROTOCOL: z
+      .string()
+      .regex(/^[a-z0-9]+$/)
+      .optional(),
 
     ARTIFACTS_OBJECT_STORE_BUCKET: z.string().optional(),
     ARTIFACTS_OBJECT_STORE_BASE_URL: z.string().optional(),
@@ -432,6 +627,7 @@ const EnvironmentSchema = z
     INTERNAL_OTEL_TRACE_SAMPLING_RATE: z.string().default("20"),
     INTERNAL_OTEL_TRACE_INSTRUMENT_PRISMA_ENABLED: z.string().default("0"),
     INTERNAL_OTEL_TRACE_DISABLED: z.string().default("0"),
+    DISABLE_HTTP_INSTRUMENTATION: BoolEnv.default(false),
 
     INTERNAL_OTEL_LOG_EXPORTER_URL: z.string().optional(),
     INTERNAL_OTEL_METRIC_EXPORTER_URL: z.string().optional(),
@@ -552,6 +748,9 @@ const EnvironmentSchema = z
     MAXIMUM_LIVE_RELOADING_EVENTS: z.coerce.number().int().default(1000),
     MAXIMUM_TRACE_SUMMARY_VIEW_COUNT: z.coerce.number().int().default(25_000),
     MAXIMUM_TRACE_DETAILED_SUMMARY_VIEW_COUNT: z.coerce.number().int().default(10_000),
+    // Emergency circuit breaker: when set, clamps the trace summary and detailed
+    // summary span limits on both event store paths to this value. Unset = disabled.
+    TRACE_VIEW_EMERGENCY_SPAN_CAP: z.coerce.number().int().positive().optional(),
     TASK_PAYLOAD_OFFLOAD_THRESHOLD: z.coerce.number().int().default(524_288), // 512KB
     BATCH_PAYLOAD_OFFLOAD_THRESHOLD: z.coerce.number().int().optional(), // Defaults to TASK_PAYLOAD_OFFLOAD_THRESHOLD if not set
     TASK_PAYLOAD_MAXIMUM_SIZE: z.coerce.number().int().default(3_145_728), // 3MB
@@ -659,6 +858,21 @@ const EnvironmentSchema = z
       .int()
       .default(60_000 * 60), // 1 hour
 
+    /**
+     * Bucket size in milliseconds used to quantize the newly computed `delayUntil`
+     * in the debounce system. Quantization collapses concurrent triggers on the
+     * same hot debounce key onto the same target time so the unlocked fast-path
+     * skip is effective. Set to 0 to disable. Default: 1000ms (1s).
+     */
+    RUN_ENGINE_DEBOUNCE_QUANTIZE_NEW_DELAY_UNTIL_MS: z.coerce.number().int().min(0).default(1000),
+
+    /**
+     * Whether the unlocked fast-path skip is enabled in the debounce system.
+     * Acts as a kill switch in case the fast-path needs to be disabled in
+     * production without a redeploy. Default: "1" (enabled).
+     */
+    RUN_ENGINE_DEBOUNCE_FAST_PATH_SKIP_ENABLED: z.string().default("1"),
+
     RUN_ENGINE_WORKER_REDIS_HOST: z
       .string()
       .optional()
@@ -829,6 +1043,10 @@ const EnvironmentSchema = z
       .enum(["log", "error", "warn", "info", "debug"])
       .default("info"),
     RUN_ENGINE_TREAT_PRODUCTION_EXECUTION_STALLS_AS_OOM: z.string().default("0"),
+    RUN_ENGINE_READ_REPLICA_SNAPSHOTS_SINCE_ENABLED: z.string().default("0"),
+    RUN_ENGINE_SNAPSHOTS_SINCE_REPLICA_RETRY_MIN_MS: z.coerce.number().int().default(50),
+    RUN_ENGINE_SNAPSHOTS_SINCE_REPLICA_RETRY_MAX_MS: z.coerce.number().int().default(200),
+    RUN_ENGINE_DEBOUNCE_USE_REPLICA_FOR_FAST_PATH_READ: z.string().default("0"),
 
     /** How long should the presence ttl last */
     DEV_PRESENCE_SSE_TIMEOUT: z.coerce.number().int().default(30_000),
@@ -894,6 +1112,7 @@ const EnvironmentSchema = z
 
     LEGACY_RUN_ENGINE_WAITING_FOR_DEPLOY_BATCH_SIZE: z.coerce.number().int().default(100),
     LEGACY_RUN_ENGINE_WAITING_FOR_DEPLOY_BATCH_STAGGER_MS: z.coerce.number().int().default(1_000),
+    LEGACY_RUN_ENGINE_WAITING_FOR_DEPLOY_DISABLED: z.string().default("0"),
 
     COMMON_WORKER_ENABLED: z.string().default(process.env.WORKER_ENABLED ?? "true"),
     COMMON_WORKER_CONCURRENCY_WORKERS: z.coerce.number().int().default(2),
@@ -936,6 +1155,167 @@ const EnvironmentSchema = z
     COMMON_WORKER_REDIS_TLS_DISABLED: z.string().default(process.env.REDIS_TLS_DISABLED ?? "false"),
     COMMON_WORKER_REDIS_CLUSTER_MODE_ENABLED: z.string().default("0"),
 
+    // Global default for the scheduled worker-queue split. When "1", runs in a
+    // scheduled lineage (rootTriggerSource === "schedule") are routed to a
+    // dedicated `<region>:scheduled` worker queue so a separate consumer fleet
+    // can dequeue them independently of standard/agent runs. The per-org
+    // `workerQueueScheduledSplitEnabled` feature flag overrides this default in
+    // BOTH directions (an org set to false stays on the single queue even when
+    // this is "1"; an org set to true splits even when this is "0"). Never
+    // applies to DEVELOPMENT environments.
+    TRIGGER_WORKER_QUEUE_SCHEDULED_SPLIT_ENABLED: z.string().default("0"),
+
+    TRIGGER_MOLLIFIER_ENABLED: z.string().default("0"),
+    // Separate switch for the drainer (consumer side) so it can be split
+    // off onto a dedicated worker service. Unset → inherits
+    // TRIGGER_MOLLIFIER_ENABLED, so single-container self-hosters don't have to
+    // flip two switches. Multi-replica drainers are correct — `popAndMarkDraining`
+    // is an atomic RPOP + status flip in one Lua call, so only one replica
+    // can win any given entry — but inefficient: polling load (SMEMBERS +
+    // per-env scans) multiplies by N, and `TRIGGER_MOLLIFIER_DRAIN_CONCURRENCY`
+    // is per-process so engine load also multiplies. Splitting the drainer
+    // onto a dedicated worker keeps that traffic off the request-serving
+    // replicas. `TRIGGER_MOLLIFIER_ENABLED` is still the master kill switch;
+    // setting this to "1" while `TRIGGER_MOLLIFIER_ENABLED` is "0" is a
+    // no-op because the gate-side singleton refuses to construct a buffer
+    // when the system is off.
+    TRIGGER_MOLLIFIER_DRAINER_ENABLED: z.string().default(process.env.TRIGGER_MOLLIFIER_ENABLED ?? "0"),
+    TRIGGER_MOLLIFIER_SHADOW_MODE: z.string().default("0"),
+    TRIGGER_MOLLIFIER_REDIS_HOST: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.REDIS_HOST),
+    TRIGGER_MOLLIFIER_REDIS_PORT: z.coerce
+      .number()
+      .optional()
+      .transform(
+        (v) => v ?? (process.env.REDIS_PORT ? parseInt(process.env.REDIS_PORT) : undefined),
+      ),
+    TRIGGER_MOLLIFIER_REDIS_USERNAME: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.REDIS_USERNAME),
+    TRIGGER_MOLLIFIER_REDIS_PASSWORD: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.REDIS_PASSWORD),
+    TRIGGER_MOLLIFIER_REDIS_TLS_DISABLED: z.string().default(process.env.REDIS_TLS_DISABLED ?? "false"),
+    TRIGGER_MOLLIFIER_TRIP_WINDOW_MS: z.coerce.number().int().positive().default(200),
+    TRIGGER_MOLLIFIER_TRIP_THRESHOLD: z.coerce.number().int().positive().default(100),
+    TRIGGER_MOLLIFIER_HOLD_MS: z.coerce.number().int().positive().default(500),
+    TRIGGER_MOLLIFIER_DRAIN_CONCURRENCY: z.coerce.number().int().positive().default(50),
+    TRIGGER_MOLLIFIER_DRAIN_MAX_ATTEMPTS: z.coerce.number().int().positive().default(3),
+    TRIGGER_MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS: z.coerce.number().int().positive().default(30_000),
+    TRIGGER_MOLLIFIER_DRAIN_MAX_ORGS_PER_TICK: z.coerce.number().int().positive().default(500),
+    // Per-env per-tick pop cap. The drainer rotates one env per org per
+    // tick; this bounds how many entries it pops from that env before
+    // dispatching them through the shared `DRAIN_CONCURRENCY`-bounded
+    // limiter. Default matches `DRAIN_CONCURRENCY` so a single-env burst
+    // uses the full handler-parallelism budget — for 20k buffered on one
+    // env this is the difference between ~17m (one-pop-per-tick × ~50ms)
+    // and ~20s (400 ticks × concurrent engine.trigger). Org/env fairness
+    // is preserved because the per-tick env selection is unchanged; only
+    // the in-env pop count grows.
+    TRIGGER_MOLLIFIER_DRAIN_BATCH_SIZE: z.coerce.number().int().positive().default(50),
+    // Periodic sweep that scans buffer queue LISTs for entries whose
+    // dwell exceeds the stale threshold. Independent of the drainer —
+    // its job is exactly to make a stuck/offline drainer visible to
+    // ops. Defaults: explicitly opt-in (a separate kill switch from
+    // the mollifier itself), run every 5 minutes, alert on anything
+    // that's been dwelling for 5+ minutes (matches the sweep interval
+    // — "anything still here when we check" is the simplest threshold
+    // that converges).
+    //
+    // The sweep was previously defaulting to inherit
+    // `TRIGGER_MOLLIFIER_ENABLED`, which meant any deployment already
+    // running with the mollifier on would auto-start the sweep worker
+    // on upgrade — turning on new background load with no explicit
+    // rollout step. Hard-defaulting to "0" preserves the intent of
+    // exposing the sweep as a separate switch.
+    TRIGGER_MOLLIFIER_STALE_SWEEP_ENABLED: z.string().default("0"),
+    TRIGGER_MOLLIFIER_STALE_SWEEP_INTERVAL_MS: z.coerce
+      .number()
+      .int()
+      .positive()
+      .default(5 * 60_000),
+    TRIGGER_MOLLIFIER_STALE_SWEEP_THRESHOLD_MS: z.coerce
+      .number()
+      .int()
+      .positive()
+      .default(5 * 60_000),
+    // Bounds for one stale-sweep pass (see mollifierStaleSweep.server.ts).
+    // Max entries scanned per env and max orgs visited per tick — together
+    // they cap the Redis traffic / wall-time of a single sweep pass.
+    TRIGGER_MOLLIFIER_STALE_SWEEP_MAX_ENTRIES_PER_ENV: z.coerce
+      .number()
+      .int()
+      .positive()
+      .default(1000),
+    TRIGGER_MOLLIFIER_STALE_SWEEP_MAX_ORGS_PER_PASS: z.coerce
+      .number()
+      .int()
+      .positive()
+      .default(100),
+
+    // --- Mollifier buffer internals (wired into MollifierBuffer in
+    // mollifierBuffer.server.ts). ---
+    // Grace TTL applied to the entry hash on drainer ack so direct reads
+    // (retrieve, trace) have a safety net while PG replica lag settles.
+    TRIGGER_MOLLIFIER_ACK_GRACE_TTL_SECONDS: z.coerce.number().int().positive().default(30),
+    // ioredis per-request retry limit on the buffer's Redis client.
+    TRIGGER_MOLLIFIER_REDIS_MAX_RETRIES_PER_REQUEST: z.coerce
+      .number()
+      .int()
+      .positive()
+      .default(20),
+    // ioredis reconnect backoff envelope for the buffer client: the base
+    // grows by `STEP_MS` per attempt, capped at `MAX_MS`, then equal-jittered.
+    TRIGGER_MOLLIFIER_REDIS_RECONNECT_STEP_MS: z.coerce.number().int().positive().default(50),
+    TRIGGER_MOLLIFIER_REDIS_RECONNECT_MAX_MS: z.coerce.number().int().positive().default(1000),
+
+    // --- Mollifier drainer loop internals (wired into MollifierDrainer in
+    // mollifierDrainer.server.ts). ---
+    // Tick gap when a tick drained nothing; under backlog ticks run back-to-back.
+    TRIGGER_MOLLIFIER_DRAIN_POLL_INTERVAL_MS: z.coerce.number().int().positive().default(100),
+    // Cap on the drainer's exponential backoff after consecutive runOnce errors.
+    TRIGGER_MOLLIFIER_DRAIN_MAX_BACKOFF_MS: z.coerce.number().int().positive().default(5_000),
+    // Floor for the drainer's backoff base (so a tiny poll interval doesn't
+    // collapse the backoff to near-zero during a sustained outage).
+    TRIGGER_MOLLIFIER_DRAIN_BACKOFF_FLOOR_MS: z.coerce.number().int().positive().default(100),
+    // Required margin between the drainer's shutdown deadline and
+    // GRACEFUL_SHUTDOWN_TIMEOUT; boot fails loud if the timeout leaves less.
+    TRIGGER_MOLLIFIER_DRAIN_SHUTDOWN_MARGIN_MS: z.coerce.number().int().positive().default(1_000),
+
+    // How often the draining-tracker ZSET cardinality is polled into the gauge.
+    TRIGGER_MOLLIFIER_DRAINING_GAUGE_INTERVAL_MS: z.coerce
+      .number()
+      .int()
+      .positive()
+      .default(15_000),
+
+    // --- Pre-gate idempotency claim (idempotencyClaim.server.ts). ---
+    // TTL on the claim key (and the upper clamp on the customer-derived
+    // claim TTL), how long a waiter blocks before timing out, and the
+    // waiter poll interval.
+    TRIGGER_MOLLIFIER_CLAIM_TTL_SECONDS: z.coerce.number().int().positive().default(30),
+    TRIGGER_MOLLIFIER_CLAIM_WAIT_MS: z.coerce.number().int().positive().default(5_000),
+    TRIGGER_MOLLIFIER_CLAIM_POLL_MS: z.coerce.number().int().positive().default(25),
+
+    // --- Buffered-run mutate-with-fallback wait loop (mutateWithFallback.server.ts). ---
+    // Ceiling on the wait-for-materialisation loop, initial poll gap, the
+    // backoff ceiling, and the exponential growth factor (a float).
+    TRIGGER_MOLLIFIER_MUTATE_SAFETY_NET_MS: z.coerce.number().int().positive().default(2_000),
+    TRIGGER_MOLLIFIER_MUTATE_POLL_STEP_MS: z.coerce.number().int().positive().default(20),
+    TRIGGER_MOLLIFIER_MUTATE_MAX_POLL_STEP_MS: z.coerce.number().int().positive().default(250),
+    TRIGGER_MOLLIFIER_MUTATE_BACKOFF_FACTOR: z.coerce.number().gt(1).default(1.7),
+
+    // --- Buffered-run metadata CAS retry loop (applyMetadataMutation.server.ts). ---
+    // Retry budget for concurrent metadata writers, and the jittered
+    // conflict-backoff envelope: random in [0, base + attempt * step) ms.
+    TRIGGER_MOLLIFIER_METADATA_MAX_RETRIES: z.coerce.number().int().positive().default(12),
+    TRIGGER_MOLLIFIER_METADATA_BACKOFF_BASE_MS: z.coerce.number().int().positive().default(5),
+    TRIGGER_MOLLIFIER_METADATA_BACKOFF_STEP_MS: z.coerce.number().int().positive().default(5),
+
     BATCH_TRIGGER_PROCESS_JOB_VISIBILITY_TIMEOUT_MS: z.coerce
       .number()
       .int()
@@ -1213,6 +1593,38 @@ const EnvironmentSchema = z
     RUN_REPLICATION_DISABLE_PAYLOAD_INSERT: z.string().default("0"),
     RUN_REPLICATION_DISABLE_ERROR_FINGERPRINTING: z.string().default("0"),
 
+    // Session replication (Postgres → ClickHouse sessions_v1). Shares Redis
+    // with the runs replicator for leader locking but has its own slot and
+    // publication so the two consume independently.
+    SESSION_REPLICATION_CLICKHOUSE_URL: z.string().optional(),
+    SESSION_REPLICATION_ENABLED: z.string().default("0"),
+    SESSION_REPLICATION_SLOT_NAME: z.string().default("sessions_to_clickhouse_v1"),
+    SESSION_REPLICATION_PUBLICATION_NAME: z
+      .string()
+      .default("sessions_to_clickhouse_v1_publication"),
+    SESSION_REPLICATION_MAX_FLUSH_CONCURRENCY: z.coerce.number().int().default(1),
+    SESSION_REPLICATION_FLUSH_INTERVAL_MS: z.coerce.number().int().default(1000),
+    SESSION_REPLICATION_FLUSH_BATCH_SIZE: z.coerce.number().int().default(100),
+    SESSION_REPLICATION_LEADER_LOCK_TIMEOUT_MS: z.coerce.number().int().default(30_000),
+    SESSION_REPLICATION_LEADER_LOCK_EXTEND_INTERVAL_MS: z.coerce.number().int().default(10_000),
+    SESSION_REPLICATION_LEADER_LOCK_ADDITIONAL_TIME_MS: z.coerce.number().int().default(10_000),
+    SESSION_REPLICATION_LEADER_LOCK_RETRY_INTERVAL_MS: z.coerce.number().int().default(500),
+    SESSION_REPLICATION_ACK_INTERVAL_SECONDS: z.coerce.number().int().default(10),
+    SESSION_REPLICATION_LOG_LEVEL: z
+      .enum(["log", "error", "warn", "info", "debug"])
+      .default("info"),
+    SESSION_REPLICATION_CLICKHOUSE_LOG_LEVEL: z
+      .enum(["log", "error", "warn", "info", "debug"])
+      .default("info"),
+    SESSION_REPLICATION_WAIT_FOR_ASYNC_INSERT: z.string().default("0"),
+    SESSION_REPLICATION_KEEP_ALIVE_ENABLED: z.string().default("0"),
+    SESSION_REPLICATION_KEEP_ALIVE_IDLE_SOCKET_TTL_MS: z.coerce.number().int().optional(),
+    SESSION_REPLICATION_MAX_OPEN_CONNECTIONS: z.coerce.number().int().default(10),
+    SESSION_REPLICATION_INSERT_STRATEGY: z.enum(["insert", "insert_async"]).default("insert"),
+    SESSION_REPLICATION_INSERT_MAX_RETRIES: z.coerce.number().int().default(3),
+    SESSION_REPLICATION_INSERT_BASE_DELAY_MS: z.coerce.number().int().default(100),
+    SESSION_REPLICATION_INSERT_MAX_DELAY_MS: z.coerce.number().int().default(2000),
+
     // Clickhouse
     CLICKHOUSE_URL: z.string(),
     CLICKHOUSE_KEEP_ALIVE_ENABLED: z.string().default("1"),
@@ -1277,6 +1689,33 @@ const EnvironmentSchema = z
     EVENTS_CLICKHOUSE_MAX_OPEN_CONNECTIONS: z.coerce.number().int().default(10),
     EVENTS_CLICKHOUSE_LOG_LEVEL: z.enum(["log", "error", "warn", "info", "debug"]).default("info"),
     EVENTS_CLICKHOUSE_COMPRESSION_REQUEST: z.string().default("1"),
+    // ClickHouse client used by @internal/run-engine's PendingVersionSystem.
+    // Kept on its own URL + pool so this low-QPS path can't contend with
+    // the main analytics client (CLICKHOUSE_URL). Falls back to the main
+    // URL when unset so unconfigured environments still work.
+    RUN_ENGINE_CLICKHOUSE_URL: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.CLICKHOUSE_URL),
+    RUN_ENGINE_CLICKHOUSE_KEEP_ALIVE_ENABLED: z.string().default("1"),
+    RUN_ENGINE_CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS: z.coerce.number().int().optional(),
+    RUN_ENGINE_CLICKHOUSE_MAX_OPEN_CONNECTIONS: z.coerce.number().int().default(5),
+    RUN_ENGINE_CLICKHOUSE_LOG_LEVEL: z
+      .enum(["log", "error", "warn", "info", "debug"])
+      .default("info"),
+    RUN_ENGINE_CLICKHOUSE_COMPRESSION_REQUEST: z.string().default("1"),
+    // Dedicated ClickHouse pool for the native backend's tag/batch id resolution; falls back to CLICKHOUSE_URL.
+    REALTIME_BACKEND_NATIVE_CLICKHOUSE_URL: z
+      .string()
+      .optional()
+      .transform((v) => v ?? process.env.CLICKHOUSE_URL),
+    REALTIME_BACKEND_NATIVE_CLICKHOUSE_KEEP_ALIVE_ENABLED: z.string().default("1"),
+    REALTIME_BACKEND_NATIVE_CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS: z.coerce.number().int().optional(),
+    REALTIME_BACKEND_NATIVE_CLICKHOUSE_MAX_OPEN_CONNECTIONS: z.coerce.number().int().default(10),
+    REALTIME_BACKEND_NATIVE_CLICKHOUSE_LOG_LEVEL: z
+      .enum(["log", "error", "warn", "info", "debug"])
+      .default("info"),
+    REALTIME_BACKEND_NATIVE_CLICKHOUSE_COMPRESSION_REQUEST: z.string().default("1"),
     EVENTS_CLICKHOUSE_BATCH_SIZE: z.coerce.number().int().default(1000),
     EVENTS_CLICKHOUSE_FLUSH_INTERVAL_MS: z.coerce.number().int().default(1000),
     METRICS_CLICKHOUSE_BATCH_SIZE: z.coerce.number().int().default(10000),
@@ -1298,9 +1737,26 @@ const EnvironmentSchema = z
     EVENTS_CLICKHOUSE_MAX_TRACE_DETAILED_SUMMARY_VIEW_COUNT: z.coerce.number().int().default(5_000),
     EVENTS_CLICKHOUSE_MAX_LIVE_RELOADING_SETTING: z.coerce.number().int().default(2000),
 
+    // Organization data stores registry
+    ORGANIZATION_DATA_STORES_RELOAD_INTERVAL_MS: z.coerce
+      .number()
+      .int()
+      .default(60 * 1000), // 1 minute
+
     // LLM cost tracking
     LLM_COST_TRACKING_ENABLED: BoolEnv.default(true),
-    LLM_PRICING_RELOAD_INTERVAL_MS: z.coerce.number().int().default(5 * 60 * 1000), // 5 minutes
+    LLM_PRICING_RELOAD_INTERVAL_MS: z.coerce
+      .number()
+      .int()
+      .default(5 * 60 * 1000), // 5 minutes
+    LLM_PRICING_RELOAD_CHANNEL: z.string().default("llm-registry:reload"),
+    LLM_PRICING_RELOAD_DEBOUNCE_MS: z.coerce.number().int().default(1000),
+    // Whether to subscribe this process to the LLM_PRICING_RELOAD_CHANNEL.
+    // Default off — only OTel-ingesting services need real-time pricing
+    // freshness; dashboard/worker processes are fine on the existing
+    // 5-minute periodic reload. In multi-service deployments, set this to
+    // true on the span-ingesting services.
+    LLM_PRICING_RELOAD_PUBSUB_ENABLED: BoolEnv.default(false),
     LLM_PRICING_SEED_ON_STARTUP: BoolEnv.default(false),
     LLM_PRICING_READY_TIMEOUT_MS: z.coerce.number().int().default(500),
     LLM_METRICS_BATCH_SIZE: z.coerce.number().int().default(5000),
@@ -1392,15 +1848,40 @@ const EnvironmentSchema = z
     REALTIME_STREAMS_S2_FLUSH_INTERVAL_MS: z.coerce.number().int().default(100),
     REALTIME_STREAMS_S2_MAX_RETRIES: z.coerce.number().int().default(10),
     REALTIME_STREAMS_S2_WAIT_SECONDS: z.coerce.number().int().default(60),
+    // When "true", provision a dedicated S2 basin per org and stamp
+    // `streamBasinName` on new rows. Off keeps everything on the single
+    // basin defined by `REALTIME_STREAMS_S2_BASIN`.
+    REALTIME_STREAMS_PER_ORG_BASINS_ENABLED: z.enum(["true", "false"]).default("false"),
+    // Per-org basin name = `{prefix}-{env}-org-{orgId}`.
+    REALTIME_STREAMS_BASIN_NAME_PREFIX: z.string().default("triggerdotdev"),
+    REALTIME_STREAMS_BASIN_NAME_ENV: z.string().default("dev"),
+    REALTIME_STREAMS_BASIN_DEFAULT_RETENTION: durationString().default("30d"),
+    REALTIME_STREAMS_BASIN_STORAGE_CLASS: z.enum(["express", "standard"]).default("express"),
+    REALTIME_STREAMS_BASIN_DELETE_ON_EMPTY_MIN_AGE: durationString().default("1h"),
     REALTIME_STREAMS_DEFAULT_VERSION: z.enum(["v1", "v2"]).default("v1"),
     WAIT_UNTIL_TIMEOUT_MS: z.coerce.number().int().default(600_000),
 
     // Private connections
     PRIVATE_CONNECTIONS_ENABLED: z.string().optional(),
     PRIVATE_CONNECTIONS_AWS_ACCOUNT_IDS: z.string().optional(),
+
+    // Force RBAC to not use the plugin
+    RBAC_FORCE_FALLBACK: BoolEnv.default(false),
   })
   .and(GithubAppEnvSchema)
-  .and(S2EnvSchema);
+  .and(S2EnvSchema)
+  .superRefine((env, ctx) => {
+    const presets = new Set(env.COMPUTE_TEMPLATE_MACHINE_PRESETS);
+    for (const required of env.COMPUTE_TEMPLATE_MACHINE_PRESETS_REQUIRED) {
+      if (!presets.has(required)) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          path: ["COMPUTE_TEMPLATE_MACHINE_PRESETS_REQUIRED"],
+          message: `"${required}" is not in COMPUTE_TEMPLATE_MACHINE_PRESETS`,
+        });
+      }
+    }
+  });
 
 export type Environment = z.infer<typeof EnvironmentSchema>;
 export const env = EnvironmentSchema.parse(process.env);
diff --git a/apps/webapp/app/eventLoopMonitor.server.ts b/apps/webapp/app/eventLoopMonitor.server.ts
index 0a1b33690bb..2c536e7bb35 100644
--- a/apps/webapp/app/eventLoopMonitor.server.ts
+++ b/apps/webapp/app/eventLoopMonitor.server.ts
@@ -124,7 +124,7 @@ function startEventLoopUtilizationMonitoring() {
     const utilization = Number.isFinite(diff.utilization) ? diff.utilization : 0;
 
     if (Math.random() < env.EVENT_LOOP_MONITOR_UTILIZATION_SAMPLE_RATE) {
-      logger.info("nodejs.event_loop.utilization", { utilization });
+      logger.debug("nodejs.event_loop.utilization", { utilization });
     }
 
     lastEventLoopUtilization = currentEventLoopUtilization;
diff --git a/apps/webapp/app/hooks/useAutoScrollToBottom.ts b/apps/webapp/app/hooks/useAutoScrollToBottom.ts
new file mode 100644
index 00000000000..b8e59687ed6
--- /dev/null
+++ b/apps/webapp/app/hooks/useAutoScrollToBottom.ts
@@ -0,0 +1,104 @@
+import { useEffect, useLayoutEffect, useRef } from "react";
+
+const AT_BOTTOM_TOLERANCE_PX = 16;
+
+/**
+ * Chat-style sticky-bottom auto-scroll behavior.
+ *
+ * Behavior:
+ * - On mount, finds the closest scrollable ancestor of the returned ref
+ *   (the inspector content panel, the playground messages panel, etc.).
+ * - Tracks whether the user is currently "at the bottom" of that scroll
+ *   container via a passive scroll listener. Default is `true` so the very
+ *   first render of an existing conversation lands at the bottom, and the
+ *   "content fits without scrolling" case stays in auto-scroll mode.
+ * - Whenever the dependency array changes (typically the messages array),
+ *   if the user was at the bottom, programmatically scrolls to the new
+ *   bottom. Uses `useLayoutEffect` so the scroll happens before paint and
+ *   there's no one-frame flicker showing new content above the viewport.
+ * - Scrolling away from the bottom flips the ref to `false` → auto-scroll
+ *   pauses. Scrolling back into the bottom band (within
+ *   `AT_BOTTOM_TOLERANCE_PX`) flips it back to `true` → auto-scroll
+ *   resumes.
+ *
+ * The programmatic scroll fires its own scroll event, which immediately
+ * re-runs the stickiness check and confirms we're still at the bottom
+ * (distance ≈ 0 ≤ tolerance), so the ref stays `true`. No special
+ * "ignore programmatic scroll" flag needed.
+ *
+ * @param deps  Pass the rendered list (or any dependency that should
+ *              trigger a re-scroll). Typically `[messages]`.
+ * @returns     A ref to attach to the component's root element. The hook
+ *              walks up from this element's parent to locate the scroll
+ *              container, so the root must be mounted *inside* the
+ *              scrollable region.
+ *
+ * @example
+ * ```tsx
+ * function ChatPanel({ messages }) {
+ *   const rootRef = useAutoScrollToBottom([messages]);
+ *   return (
+ *     <div className="overflow-y-auto h-full">
+ *       <div ref={rootRef}>
+ *         {messages.map((m) => <Message key={m.id} message={m} />)}
+ *       </div>
+ *     </div>
+ *   );
+ * }
+ * ```
+ */
+export function useAutoScrollToBottom(deps: ReadonlyArray<unknown>) {
+  const rootRef = useRef<HTMLDivElement | null>(null);
+  const containerRef = useRef<HTMLElement | null>(null);
+  // Default true so initial mount + replay land at the bottom, and the
+  // no-overflow case stays sticky once content starts to grow.
+  const stickToBottomRef = useRef(true);
+
+  // Locate the scroll container on mount and attach a passive scroll
+  // listener that updates `stickToBottomRef`.
+  useEffect(() => {
+    const findScrollContainer = (start: HTMLElement | null): HTMLElement | null => {
+      let current: HTMLElement | null = start;
+      while (current) {
+        const style = getComputedStyle(current);
+        const overflowY = style.overflowY;
+        if (overflowY === "auto" || overflowY === "scroll") return current;
+        current = current.parentElement;
+      }
+      return null;
+    };
+
+    const container = findScrollContainer(rootRef.current?.parentElement ?? null);
+    if (!container) return;
+    containerRef.current = container;
+
+    const updateStickiness = () => {
+      const distanceFromBottom =
+        container.scrollHeight - container.scrollTop - container.clientHeight;
+      stickToBottomRef.current = distanceFromBottom <= AT_BOTTOM_TOLERANCE_PX;
+    };
+
+    // Seed from current position so the first messages-effect uses an
+    // accurate value rather than the default `true` if the user happened
+    // to mount the view already scrolled.
+    updateStickiness();
+
+    container.addEventListener("scroll", updateStickiness, { passive: true });
+    return () => {
+      container.removeEventListener("scroll", updateStickiness);
+      containerRef.current = null;
+    };
+  }, []);
+
+  // After each commit that changes the deps (typically the messages
+  // array), if we were at the bottom, scroll to the new bottom.
+  useLayoutEffect(() => {
+    if (!stickToBottomRef.current) return;
+    const container = containerRef.current;
+    if (!container) return;
+    container.scrollTop = container.scrollHeight;
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, deps);
+
+  return rootRef;
+}
diff --git a/apps/webapp/app/hooks/useFuzzyFilter.ts b/apps/webapp/app/hooks/useFuzzyFilter.ts
index 3f0797179f2..ff4504ce8c2 100644
--- a/apps/webapp/app/hooks/useFuzzyFilter.ts
+++ b/apps/webapp/app/hooks/useFuzzyFilter.ts
@@ -10,8 +10,9 @@ import { matchSorter } from "match-sorter";
  * @param params.items - Array of objects to filter
  * @param params.keys - Array of object keys to perform the fuzzy search on (supports dot-notation for nested properties)
  * @returns An object containing:
- *   - filterText: The current filter text
- *   - setFilterText: Function to update the filter text
+ *   - filterText: The current filter text (the controlled value if provided, otherwise the internal state)
+ *   - setFilterText: Updates the internal filter text. No-op when `filterText` is provided
+ *     (controlled mode) — the parent owns the value in that case.
  *   - filteredItems: The filtered array of items based on the current filter text
  *
  * @example
@@ -26,11 +27,15 @@ import { matchSorter } from "match-sorter";
 export function useFuzzyFilter<T extends Object>({
   items,
   keys,
+  filterText: controlledFilterText,
 }: {
   items: T[];
   keys: (Extract<keyof T, string> | (string & {}))[];
+  /** Optional controlled filter text. If provided, internal state is ignored. */
+  filterText?: string;
 }) {
-  const [filterText, setFilterText] = useState("");
+  const [internalFilterText, setInternalFilterText] = useState("");
+  const filterText = controlledFilterText ?? internalFilterText;
 
   const filteredItems = useMemo<T[]>(() => {
     const filterTerms = filterText
@@ -43,7 +48,6 @@ export function useFuzzyFilter<T extends Object>({
       return items;
     }
 
-    // sort by the score of the first term
     return filterTerms.reduceRight(
       (results, term) =>
         matchSorter(results, term, {
@@ -55,7 +59,7 @@ export function useFuzzyFilter<T extends Object>({
 
   return {
     filterText,
-    setFilterText,
+    setFilterText: setInternalFilterText,
     filteredItems,
   };
 }
diff --git a/apps/webapp/app/hooks/useInterval.ts b/apps/webapp/app/hooks/useInterval.ts
index 4d5413e977e..b59884d455a 100644
--- a/apps/webapp/app/hooks/useInterval.ts
+++ b/apps/webapp/app/hooks/useInterval.ts
@@ -6,6 +6,8 @@ type UseIntervalOptions = {
   onLoad?: boolean;
   onFocus?: boolean;
   disabled?: boolean;
+  /** Skip interval ticks while the document tab is hidden */
+  pauseWhenHidden?: boolean;
   callback: () => void;
 };
 
@@ -14,6 +16,7 @@ export function useInterval({
   onLoad = true,
   onFocus = true,
   disabled = false,
+  pauseWhenHidden = false,
   callback,
 }: UseIntervalOptions) {
   // Always keep the latest callback in a ref so the effects below
@@ -28,11 +31,14 @@ export function useInterval({
     if (!interval || interval <= 0 || disabled) return;
 
     const intervalId = setInterval(() => {
+      if (pauseWhenHidden && document.visibilityState !== "visible") {
+        return;
+      }
       latestCallback.current();
     }, interval);
 
     return () => clearInterval(intervalId);
-  }, [interval, disabled]);
+  }, [interval, disabled, pauseWhenHidden]);
 
   // On focus
   useEffect(() => {
diff --git a/apps/webapp/app/hooks/useRegions.tsx b/apps/webapp/app/hooks/useRegions.tsx
new file mode 100644
index 00000000000..fe696440473
--- /dev/null
+++ b/apps/webapp/app/hooks/useRegions.tsx
@@ -0,0 +1,16 @@
+import { type UIMatch } from "@remix-run/react";
+import { type UseDataFunctionReturn } from "remix-typedjson";
+import type { loader as orgLoader } from "~/routes/_app.orgs.$organizationSlug/route";
+import { organizationMatchId } from "./useOrganizations";
+import { useTypedMatchesData } from "./useTypedMatchData";
+
+export type MatchedRegion = UseDataFunctionReturn<typeof orgLoader>["regions"][number];
+
+export function useRegions(matches?: UIMatch[]): MatchedRegion[] {
+  const routeMatch = useTypedMatchesData<typeof orgLoader>({
+    id: organizationMatchId,
+    matches,
+  });
+
+  return routeMatch?.regions ?? [];
+}
diff --git a/apps/webapp/app/models/admin.server.ts b/apps/webapp/app/models/admin.server.ts
index bd3adc8cbf2..8620ea6a244 100644
--- a/apps/webapp/app/models/admin.server.ts
+++ b/apps/webapp/app/models/admin.server.ts
@@ -210,8 +210,13 @@ export async function adminGetOrganizations(userId: string, { page, search }: Se
   };
 }
 
-export async function redirectWithImpersonation(request: Request, userId: string, path: string) {
-  const user = await requireUser(request);
+export async function redirectWithImpersonation(
+  request: Request,
+  userId: string,
+  path: string,
+  currentUser?: { id: string; admin: boolean }
+) {
+  const user = currentUser ?? (await requireUser(request));
   if (!user.admin) {
     throw new Error("Unauthorized");
   }
diff --git a/apps/webapp/app/models/api-key.server.ts b/apps/webapp/app/models/api-key.server.ts
index 86609cc01d7..b5f2bd0f7d9 100644
--- a/apps/webapp/app/models/api-key.server.ts
+++ b/apps/webapp/app/models/api-key.server.ts
@@ -8,6 +8,8 @@ const apiKeyId = customAlphabet(
   12
 );
 
+const REVOKED_API_KEY_GRACE_PERIOD_MS = 24 * 60 * 60 * 1000;
+
 type RegenerateAPIKeyInput = {
   userId: string;
   environmentId: string;
@@ -63,14 +65,26 @@ export async function regenerateApiKey({ userId, environmentId }: RegenerateAPIK
   const newApiKey = createApiKeyForEnv(environment.type);
   const newPkApiKey = createPkApiKeyForEnv(environment.type);
 
-  const updatedEnviroment = await prisma.runtimeEnvironment.update({
-    data: {
-      apiKey: newApiKey,
-      pkApiKey: newPkApiKey,
-    },
-    where: {
-      id: environmentId,
-    },
+  const revokedApiKeyExpiresAt = new Date(Date.now() + REVOKED_API_KEY_GRACE_PERIOD_MS);
+
+  const updatedEnviroment = await prisma.$transaction(async (tx) => {
+    await tx.revokedApiKey.create({
+      data: {
+        apiKey: environment.apiKey,
+        runtimeEnvironmentId: environment.id,
+        expiresAt: revokedApiKeyExpiresAt,
+      },
+    });
+
+    return tx.runtimeEnvironment.update({
+      data: {
+        apiKey: newApiKey,
+        pkApiKey: newPkApiKey,
+      },
+      where: {
+        id: environmentId,
+      },
+    });
   });
 
   return updatedEnviroment;
diff --git a/apps/webapp/app/models/member.server.ts b/apps/webapp/app/models/member.server.ts
index 04c1df1b41f..b88fc7e11c0 100644
--- a/apps/webapp/app/models/member.server.ts
+++ b/apps/webapp/app/models/member.server.ts
@@ -1,6 +1,8 @@
 import { type Prisma, prisma } from "~/db.server";
 import { createEnvironment } from "./organization.server";
 import { customAlphabet } from "nanoid";
+import { logger } from "~/services/logger.server";
+import { rbac } from "~/services/rbac.server";
 
 const tokenValueLength = 40;
 const tokenGenerator = customAlphabet("123456789abcdefghijkmnopqrstuvwxyz", tokenValueLength);
@@ -86,10 +88,19 @@ export async function inviteMembers({
   slug,
   emails,
   userId,
+  rbacRoleId,
 }: {
   slug: string;
   emails: string[];
   userId: string;
+  /**
+   * Optional RBAC role to attach to the invite. When set, accepted
+   * invites trigger `rbac.setUserRole(rbacRoleId)` after the OrgMember
+   * is created.
+   *
+   * `OrgMemberInvite.role` is still set if the plugin isn't installed.
+   */
+  rbacRoleId?: string | null;
 }) {
   const org = await prisma.organization.findFirst({
     where: { slug, members: { some: { userId } } },
@@ -107,6 +118,7 @@ export async function inviteMembers({
         organizationId: org.id,
         inviterId: userId,
         role: "MEMBER",
+        rbacRoleId: rbacRoleId ?? null,
       } satisfies Prisma.OrgMemberInviteCreateManyInput)
   );
 
@@ -163,7 +175,7 @@ export async function acceptInvite({
   user: { id: string; email: string };
   inviteId: string;
 }) {
-  return await prisma.$transaction(async (tx) => {
+  const result = await prisma.$transaction(async (tx) => {
     // 1. Delete the invite and get the invite details
     const invite = await tx.orgMemberInvite.delete({
       where: {
@@ -207,8 +219,32 @@ export async function acceptInvite({
       },
     });
 
-    return { remainingInvites, organization: invite.organization };
+    return {
+      remainingInvites,
+      organization: invite.organization,
+      inviteRole: invite.role,
+      rbacRoleId: invite.rbacRoleId,
+    };
   });
+
+  // If the invite carried an explicit RBAC role. Errors are logged, not fatal.
+  if (result.rbacRoleId) {
+    const roleResult = await rbac.setUserRole({
+      userId: user.id,
+      organizationId: result.organization.id,
+      roleId: result.rbacRoleId,
+    });
+    if (!roleResult.ok) {
+      logger.error("acceptInvite: skipped RBAC role assignment", {
+        organizationId: result.organization.id,
+        userId: user.id,
+        rbacRoleId: result.rbacRoleId,
+        reason: roleResult.error,
+      });
+    }
+  }
+
+  return { remainingInvites: result.remainingInvites, organization: result.organization };
 }
 
 export async function declineInvite({
diff --git a/apps/webapp/app/models/project.server.ts b/apps/webapp/app/models/project.server.ts
index 0dc634b5ab7..d084bec8add 100644
--- a/apps/webapp/app/models/project.server.ts
+++ b/apps/webapp/app/models/project.server.ts
@@ -4,7 +4,7 @@ import { $replica, prisma } from "~/db.server";
 import type { Prisma, Project } from "@trigger.dev/database";
 import { type Organization, createEnvironment } from "./organization.server";
 import { env } from "~/env.server";
-import { projectCreated } from "~/services/platform.v3.server";
+import { projectCreated } from "~/services/projectCreated.server";
 export type { Project } from "@trigger.dev/database";
 
 const externalRefGenerator = customAlphabet("abcdefghijklmnopqrstuvwxyz", 20);
diff --git a/apps/webapp/app/models/runtimeEnvironment.server.ts b/apps/webapp/app/models/runtimeEnvironment.server.ts
index f65112b71fc..be05adaa8a7 100644
--- a/apps/webapp/app/models/runtimeEnvironment.server.ts
+++ b/apps/webapp/app/models/runtimeEnvironment.server.ts
@@ -3,35 +3,138 @@ import type { Prisma, PrismaClientOrTransaction, RuntimeEnvironment } from "@tri
 import { $replica, prisma } from "~/db.server";
 import { logger } from "~/services/logger.server";
 import { getUsername } from "~/utils/username";
-import { sanitizeBranchName } from "~/v3/gitBranch";
+import { sanitizeBranchName } from "@trigger.dev/core/v3/utils/gitBranch";
 
 export type { RuntimeEnvironment };
 
+// Prisma include shape that maps cleanly to the slim AuthenticatedEnvironment.
+// Use this everywhere we fetch an env that flows to handlers — keeps the
+// returned shape consistent (and the Decimal coercion in toAuthenticated()
+// strips Prisma's Decimal class from the public surface).
+export const authIncludeBase = {
+  project: true,
+  organization: true,
+  orgMember: {
+    select: {
+      userId: true,
+      user: { select: { id: true, displayName: true, name: true } },
+    },
+  },
+} satisfies Prisma.RuntimeEnvironmentInclude;
+
+export const authIncludeWithParent = {
+  ...authIncludeBase,
+  parentEnvironment: { select: { id: true, apiKey: true } },
+} satisfies Prisma.RuntimeEnvironmentInclude;
+
+type PrismaEnvWithAuth = Prisma.RuntimeEnvironmentGetPayload<{ include: typeof authIncludeBase }>;
+type PrismaEnvWithAuthAndParent = Prisma.RuntimeEnvironmentGetPayload<{
+  include: typeof authIncludeWithParent;
+}>;
+
+// Coerce a Prisma RuntimeEnvironment payload to the slim
+// AuthenticatedEnvironment shape. Drops the columns handlers don't read
+// and converts `concurrencyLimitBurstFactor` from Prisma's Decimal to a
+// plain number (lossless at this scale). The optional union accepts both
+// query shapes — with parentEnvironment loaded, or without it.
+export function toAuthenticated(
+  env: PrismaEnvWithAuth | PrismaEnvWithAuthAndParent,
+): AuthenticatedEnvironment {
+  return {
+    id: env.id,
+    slug: env.slug,
+    type: env.type,
+    apiKey: env.apiKey,
+    organizationId: env.organizationId,
+    projectId: env.projectId,
+    orgMemberId: env.orgMemberId,
+    parentEnvironmentId: env.parentEnvironmentId,
+    branchName: env.branchName,
+    archivedAt: env.archivedAt,
+    paused: env.paused,
+    shortcode: env.shortcode,
+    maximumConcurrencyLimit: env.maximumConcurrencyLimit,
+    // Coerce Prisma's Decimal to a plain number — the slim type accepts
+    // both, but downstream consumers shouldn't have to narrow before
+    // doing arithmetic. Lossless at this scale (Decimal(4,2)).
+    concurrencyLimitBurstFactor: env.concurrencyLimitBurstFactor.toNumber(),
+    builtInEnvironmentVariableOverrides: env.builtInEnvironmentVariableOverrides,
+    createdAt: env.createdAt,
+    updatedAt: env.updatedAt,
+    project: {
+      id: env.project.id,
+      slug: env.project.slug,
+      name: env.project.name,
+      externalRef: env.project.externalRef,
+      engine: env.project.engine,
+      deletedAt: env.project.deletedAt,
+      defaultWorkerGroupId: env.project.defaultWorkerGroupId,
+      organizationId: env.project.organizationId,
+      builderProjectId: env.project.builderProjectId,
+    },
+    organization: {
+      id: env.organization.id,
+      slug: env.organization.slug,
+      title: env.organization.title,
+      streamBasinName: env.organization.streamBasinName,
+      maximumConcurrencyLimit: env.organization.maximumConcurrencyLimit,
+      runsEnabled: env.organization.runsEnabled,
+      maximumDevQueueSize: env.organization.maximumDevQueueSize,
+      maximumDeployedQueueSize: env.organization.maximumDeployedQueueSize,
+      featureFlags: env.organization.featureFlags,
+      apiRateLimiterConfig: env.organization.apiRateLimiterConfig,
+      batchRateLimitConfig: env.organization.batchRateLimitConfig,
+      batchQueueConcurrencyConfig: env.organization.batchQueueConcurrencyConfig,
+    },
+    orgMember: env.orgMember,
+    parentEnvironment: "parentEnvironment" in env ? env.parentEnvironment : null,
+  };
+}
+
 export async function findEnvironmentByApiKey(
   apiKey: string,
   branchName: string | undefined
 ): Promise<AuthenticatedEnvironment | null> {
-  const environment = await $replica.runtimeEnvironment.findFirst({
+  const include = {
+    ...authIncludeBase,
+    childEnvironments: branchName
+      ? {
+          where: {
+            branchName: sanitizeBranchName(branchName),
+            archivedAt: null,
+          },
+        }
+      : undefined,
+  } satisfies Prisma.RuntimeEnvironmentInclude;
+
+  let environment = await $replica.runtimeEnvironment.findFirst({
     where: {
       apiKey,
     },
-    include: {
-      project: true,
-      organization: true,
-      orgMember: true,
-      childEnvironments: branchName
-        ? {
-            where: {
-              branchName: sanitizeBranchName(branchName),
-              archivedAt: null,
-            },
-          }
-        : undefined,
-    },
+    include,
   });
 
+  // Fall back to keys that were revoked within the grace window
+  if (!environment) {
+    const revokedApiKey = await $replica.revokedApiKey.findFirst({
+      where: {
+        apiKey,
+        expiresAt: { gt: new Date() },
+      },
+      include: {
+        runtimeEnvironment: { include },
+      },
+    });
+
+    environment = revokedApiKey?.runtimeEnvironment ?? null;
+  }
+
+  if (!environment) {
+    return null;
+  }
+
   //don't return deleted projects
-  if (environment?.project.deletedAt !== null) {
+  if (environment.project.deletedAt !== null) {
     return null;
   }
 
@@ -43,26 +146,36 @@ export async function findEnvironmentByApiKey(
       return null;
     }
 
-    const childEnvironment = environment?.childEnvironments.at(0);
+    const childEnvironment = environment.childEnvironments.at(0);
 
     if (childEnvironment) {
-      return {
+      return toAuthenticated({
         ...childEnvironment,
         apiKey: environment.apiKey,
         orgMember: environment.orgMember,
         organization: environment.organization,
         project: environment.project,
-      };
+      });
     }
 
     //A branch was specified but no child environment was found
     return null;
   }
 
-  return environment;
+  return toAuthenticated(environment);
 }
 
-/** @deprecated We don't use public api keys anymore */
+/**
+ * @deprecated We don't use public API keys (`pk_*` tokens) anymore — public
+ * access goes through public JWTs (see `isPublicJWT` / `validatePublicJwtKey`).
+ *
+ * Still exported because a handful of pre-RBAC routes that haven't been
+ * migrated to the apiBuilder still wire this lookup into their
+ * `authenticateApiKey` / `authenticateApiKeyWithFailure` flow. The new RBAC
+ * fallback (`internal-packages/rbac/src/fallback.ts`) intentionally does NOT
+ * call this — any pk_*-authenticated request that hits an apiBuilder route
+ * returns 401. That's a deliberate cutover, not an oversight.
+ */
 export async function findEnvironmentByPublicApiKey(
   apiKey: string,
   branchName: string | undefined
@@ -71,46 +184,29 @@ export async function findEnvironmentByPublicApiKey(
     where: {
       pkApiKey: apiKey,
     },
-    include: {
-      project: true,
-      organization: true,
-      orgMember: true,
-    },
+    include: authIncludeBase,
   });
 
-  //don't return deleted projects
-  if (environment?.project.deletedAt !== null) {
+  if (!environment || environment.project.deletedAt !== null) {
     return null;
   }
 
-  return environment;
+  return toAuthenticated(environment);
 }
 
-export async function findEnvironmentById(
-  id: string
-): Promise<(AuthenticatedEnvironment & { parentEnvironment: { apiKey: string } | null }) | null> {
+export async function findEnvironmentById(id: string): Promise<AuthenticatedEnvironment | null> {
   const environment = await $replica.runtimeEnvironment.findFirst({
     where: {
       id,
     },
-    include: {
-      project: true,
-      organization: true,
-      orgMember: true,
-      parentEnvironment: {
-        select: {
-          apiKey: true,
-        },
-      },
-    },
+    include: authIncludeWithParent,
   });
 
-  //don't return deleted projects
-  if (environment?.project.deletedAt !== null) {
+  if (!environment || environment.project.deletedAt !== null) {
     return null;
   }
 
-  return environment;
+  return toAuthenticated(environment);
 }
 
 export async function findEnvironmentBySlug(
@@ -118,7 +214,7 @@ export async function findEnvironmentBySlug(
   envSlug: string,
   userId: string
 ): Promise<AuthenticatedEnvironment | null> {
-  return $replica.runtimeEnvironment.findFirst({
+  const environment = await $replica.runtimeEnvironment.findFirst({
     where: {
       projectId: projectId,
       slug: envSlug,
@@ -136,41 +232,47 @@ export async function findEnvironmentBySlug(
         },
       ],
     },
-    include: {
-      project: true,
-      organization: true,
-      orgMember: true,
-    },
+    include: authIncludeBase,
   });
+  return environment ? toAuthenticated(environment) : null;
 }
 
+// The authenticated environment plus the run scalars the realtime publish needs.
+// Both come from one taskRun read — see findEnvironmentFromRun.
+export type EnvironmentFromRun = {
+  environment: AuthenticatedEnvironment;
+  runTags: string[];
+  batchId: string | null;
+};
+
 export async function findEnvironmentFromRun(
   runId: string,
   tx?: PrismaClientOrTransaction
-): Promise<AuthenticatedEnvironment | null> {
+): Promise<EnvironmentFromRun | null> {
+  // The include (no select) already pulls every taskRun scalar, so runTags/batchId
+  // ride along for free — no extra query for the realtime publish to send a full record.
   const taskRun = await (tx ?? $replica).taskRun.findFirst({
     where: {
       id: runId,
     },
     include: {
-      runtimeEnvironment: {
-        include: {
-          project: true,
-          organization: true,
-          orgMember: true,
-        },
-      },
+      runtimeEnvironment: { include: authIncludeBase },
     },
   });
-
-  if (!taskRun) {
+  if (!taskRun?.runtimeEnvironment) {
     return null;
   }
-
-  return taskRun?.runtimeEnvironment;
+  return {
+    environment: toAuthenticated(taskRun.runtimeEnvironment),
+    runTags: taskRun.runTags,
+    batchId: taskRun.batchId,
+  };
 }
 
-export async function createNewSession(environment: RuntimeEnvironment, ipAddress: string) {
+export async function createNewSession(
+  environment: Pick<RuntimeEnvironment, "id">,
+  ipAddress: string
+) {
   const session = await prisma.runtimeEnvironmentSession.create({
     data: {
       environmentId: environment.id,
diff --git a/apps/webapp/app/models/task.server.ts b/apps/webapp/app/models/task.server.ts
index b696bac6039..aab3b3bcfc1 100644
--- a/apps/webapp/app/models/task.server.ts
+++ b/apps/webapp/app/models/task.server.ts
@@ -1,6 +1,9 @@
 import type { TaskTriggerSource } from "@trigger.dev/database";
 import { PrismaClientOrTransaction, sqlDatabaseSchema } from "~/db.server";
 
+export { getTaskIdentifiers } from "~/services/taskIdentifierRegistry.server";
+export type { TaskIdentifierEntry } from "~/services/taskIdentifierCache.server";
+
 /**
  *
  * @param prisma An efficient query to get all task identifiers for a project.
diff --git a/apps/webapp/app/models/user.server.ts b/apps/webapp/app/models/user.server.ts
index 68550f6e98c..c48221c4b61 100644
--- a/apps/webapp/app/models/user.server.ts
+++ b/apps/webapp/app/models/user.server.ts
@@ -233,7 +233,7 @@ export async function findOrCreateGoogleUser({
     // Check if email user and auth user are the same
     if (existingEmailUser.id !== existingUser.id) {
       // Different users: email is taken by one user, Google auth belongs to another
-      logger.error(
+      logger.warn(
         `Google auth conflict: Google ID ${authenticationProfile.id} belongs to user ${existingUser.id} but email ${email} is taken by user ${existingEmailUser.id}`,
         {
           email,
diff --git a/apps/webapp/app/models/vercelIntegration.server.ts b/apps/webapp/app/models/vercelIntegration.server.ts
index 82bedc6430f..5acaea50afe 100644
--- a/apps/webapp/app/models/vercelIntegration.server.ts
+++ b/apps/webapp/app/models/vercelIntegration.server.ts
@@ -197,6 +197,26 @@ export type VercelEnvironmentVariableValue = {
   isSecret: boolean;
 };
 
+/** Minimal shape of a shared (team-level) env var record from `GET /v1/env`. */
+const RawSharedEnvVarSchema = z
+  .object({
+    id: z.string().optional(),
+    key: z.string().optional(),
+    type: z.string().optional(),
+    target: z.union([z.array(z.string()), z.string()]).optional(),
+    value: z.string().optional(),
+    applyToAllCustomEnvironments: z.boolean().optional(),
+  })
+  .passthrough();
+
+type RawSharedEnvVar = z.infer<typeof RawSharedEnvVarSchema>;
+
+/** Page shape of `GET /v1/env` (shared env vars), validated at the boundary. */
+const SharedEnvPageSchema = z.object({
+  data: z.array(RawSharedEnvVarSchema).default([]),
+  pagination: z.object({ next: z.number().nullish() }).nullish(),
+});
+
 /** Narrowed Vercel project type – only id and name. */
 export type VercelProject = Pick<ResponseBodyProjects, "id" | "name">;
 
@@ -298,6 +318,17 @@ export class VercelIntegrationRepository {
   static getVercelClient(
     integration: OrganizationIntegration & { tokenReference: SecretReference }
   ): ResultAsync<Vercel, VercelApiError> {
+    return this.getVercelClientAndToken(integration).map(({ client }) => client);
+  }
+
+  /**
+   * Resolve both the Vercel SDK client and the raw bearer token. The raw token
+   * is needed to paginate shared env vars via `fetch`, since the SDK's
+   * `listSharedEnvVariable` exposes no `until` cursor param.
+   */
+  static getVercelClientAndToken(
+    integration: OrganizationIntegration & { tokenReference: SecretReference }
+  ): ResultAsync<{ client: Vercel; accessToken: string }, VercelApiError> {
     return ResultAsync.fromPromise(
       (async () => {
         const secretStore = getSecretStore(integration.tokenReference.provider);
@@ -308,7 +339,7 @@ export class VercelIntegrationRepository {
         if (!secret) {
           throw new Error("Failed to get Vercel access token");
         }
-        return new Vercel({ bearerToken: secret.accessToken });
+        return { client: new Vercel({ bearerToken: secret.accessToken }), accessToken: secret.accessToken };
       })(),
       (error) => toVercelApiError(error)
     );
@@ -558,8 +589,68 @@ export class VercelIntegrationRepository {
     };
   }
 
+  /**
+   * Fetch ALL shared (team-level) env var records, following pagination.
+   *
+   * Unlike the project env endpoint, the shared endpoint (`/v1/env`) DOES
+   * paginate (≈25/page) and the SDK's `listSharedEnvVariable` exposes no cursor
+   * param — so we walk pages via a raw fetch using `pagination.next` (a
+   * millisecond-timestamp cursor) until it is null. Shared vars are an edge
+   * case, so we load every page up front and return the full set.
+   */
+  static #fetchAllSharedEnvsRaw(params: {
+    accessToken: string;
+    teamId: string;
+    projectId?: string;
+  }): ResultAsync<RawSharedEnvVar[], VercelApiError> {
+    const { accessToken, teamId, projectId } = params;
+    return ResultAsync.fromPromise(
+      (async () => {
+        const all: RawSharedEnvVar[] = [];
+        let until: number | undefined = undefined;
+        const MAX_PAGES = 200; // safety cap (1000-var ceiling / ~25 per page)
+
+        for (let page = 0; page < MAX_PAGES; page++) {
+          const url = new URL("https://api.vercel.com/v1/env");
+          url.searchParams.set("teamId", teamId);
+          if (projectId) url.searchParams.set("projectId", projectId);
+          if (until !== undefined) url.searchParams.set("until", String(until));
+
+          const response = await fetch(url.toString(), {
+            method: "GET",
+            headers: { Authorization: `Bearer ${accessToken}` },
+          });
+
+          if (!response.ok) {
+            const body = await response.text().catch(() => "");
+            const error = new Error(
+              `Failed to fetch Vercel shared environment variables: ${response.status} ${response.statusText} — ${body}`
+            ) as Error & { status?: number };
+            error.status = response.status;
+            throw error;
+          }
+
+          const json = SharedEnvPageSchema.parse(await response.json());
+          all.push(...json.data);
+
+          // `next` is a millisecond-timestamp cursor; treat 0/null/undefined as "done".
+          const next = json.pagination?.next;
+          if (!next) break;
+          until = next;
+
+          if (page === MAX_PAGES - 1) {
+            logger.warn("Vercel shared env var pagination hit max page cap", { teamId, projectId });
+          }
+        }
+
+        return all;
+      })(),
+      (error) => toVercelApiError(error)
+    );
+  }
+
   static getVercelSharedEnvironmentVariables(
-    client: Vercel,
+    accessToken: string,
     teamId: string,
     projectId?: string // Optional: filter by project
   ): ResultAsync<Array<{
@@ -569,19 +660,9 @@ export class VercelIntegrationRepository {
       isSecret: boolean;
       target: string[];
     }>, VercelApiError> {
-    return wrapVercelCallWithRecovery(
-      client.environment.listSharedEnvVariable({
-        teamId,
-        ...(projectId && { projectId }),
-      }),
-      VercelSchemas.listSharedEnvVariable,
-      "Failed to fetch Vercel shared environment variables",
-      { teamId, projectId },
-      toVercelApiError
-    ).map((response) => {
-      const envVars = response.data || [];
+    return this.#fetchAllSharedEnvsRaw({ accessToken, teamId, projectId }).map((envVars) => {
       return envVars
-        .filter((env): env is typeof env & { id: string; key: string } =>
+        .filter((env): env is RawSharedEnvVar & { id: string; key: string } =>
           typeof env.id === "string" && typeof env.key === "string"
         )
         .map((env) => {
@@ -599,6 +680,7 @@ export class VercelIntegrationRepository {
 
   static getVercelSharedEnvironmentVariableValues(
     client: Vercel,
+    accessToken: string,
     teamId: string,
     projectId?: string // Optional: filter by project
   ): ResultAsync<
@@ -612,17 +694,7 @@ export class VercelIntegrationRepository {
     }>,
     VercelApiError
   > {
-    return wrapVercelCallWithRecovery(
-      client.environment.listSharedEnvVariable({
-        teamId,
-        ...(projectId && { projectId }),
-      }),
-      VercelSchemas.listSharedEnvVariable,
-      "Failed to fetch Vercel shared environment variable values",
-      { teamId, projectId },
-      toVercelApiError
-    ).andThen((listResponse) => {
-      const envVars = listResponse.data || [];
+    return this.#fetchAllSharedEnvsRaw({ accessToken, teamId, projectId }).andThen((envVars) => {
       if (envVars.length === 0) {
         return okAsync([]);
       }
@@ -641,8 +713,8 @@ export class VercelIntegrationRepository {
 
               if (isSecret) return null;
 
-              const listValue = (env as any).value as string | undefined;
-              const applyToAllCustomEnvs = (env as any).applyToAllCustomEnvironments as boolean | undefined;
+              const listValue = env.value;
+              const applyToAllCustomEnvs = env.applyToAllCustomEnvironments;
 
               if (listValue) {
                 return {
@@ -960,7 +1032,7 @@ export class VercelIntegrationRepository {
               key: "TRIGGER_SECRET_KEY",
               value: runtimeEnv.apiKey,
               target: vercelTarget,
-              type: "encrypted",
+              type: "sensitive",
               environmentType: runtimeEnv.type,
             });
           }
@@ -1061,7 +1133,7 @@ export class VercelIntegrationRepository {
           key: "TRIGGER_SECRET_KEY",
           value: params.apiKey,
           target: vercelTarget,
-          type: "encrypted",
+          type: "sensitive",
         });
 
         logger.info("Synced regenerated API key to Vercel", {
@@ -1115,28 +1187,26 @@ export class VercelIntegrationRepository {
             return (env as any).customEnvironmentIds?.includes(customEnvironmentId);
           });
 
+          // Always delete-then-create rather than editProjectEnv, because Vercel rejects
+          // in-place type changes (e.g. encrypted -> sensitive).
           if (existingEnv && existingEnv.id) {
-            await client.projects.editProjectEnv({
-              idOrName: vercelProjectId,
-              id: existingEnv.id,
-              ...(teamId && { teamId }),
-              requestBody: {
-                value,
-                type,
-              },
-            });
-          } else {
-            await client.projects.createProjectEnv({
+            await client.projects.batchRemoveProjectEnv({
               idOrName: vercelProjectId,
               ...(teamId && { teamId }),
-              requestBody: {
-                key,
-                value,
-                type,
-                customEnvironmentIds: [customEnvironmentId],
-              } as any,
+              requestBody: { ids: [existingEnv.id] },
             });
           }
+
+          await client.projects.createProjectEnv({
+            idOrName: vercelProjectId,
+            ...(teamId && { teamId }),
+            requestBody: {
+              key,
+              value,
+              type,
+              customEnvironmentIds: [customEnvironmentId],
+            } as any,
+          });
         })(),
         (error) => toVercelApiError(error)
       )
@@ -1203,7 +1273,7 @@ export class VercelIntegrationRepository {
       syncEnvVarsMappingKeys: Object.keys(params.syncEnvVarsMapping),
     });
 
-    return this.getVercelClient(params.orgIntegration).andThen((client) =>
+    return this.getVercelClientAndToken(params.orgIntegration).andThen(({ client, accessToken }) =>
       ResultAsync.fromPromise(
         (async () => {
           const errors: string[] = [];
@@ -1269,6 +1339,7 @@ export class VercelIntegrationRepository {
           if (params.teamId) {
             const sharedResult = await this.getVercelSharedEnvironmentVariableValues(
               client,
+              accessToken,
               params.teamId,
               params.vercelProjectId
             );
@@ -1709,29 +1780,27 @@ export class VercelIntegrationRepository {
       return target.length === envTargets.length && target.every((t) => envTargets.includes(t));
     });
 
+    // Always delete-then-create rather than editProjectEnv, because Vercel rejects
+    // in-place type changes (e.g. encrypted -> sensitive). Same approach used by
+    // syncApiKeysToVercel via removeAllVercelEnvVarsByKey.
     if (existingEnv && existingEnv.id) {
-      await client.projects.editProjectEnv({
+      await client.projects.batchRemoveProjectEnv({
         idOrName: vercelProjectId,
-        id: existingEnv.id,
         ...(teamId && { teamId }),
-        requestBody: {
-          value,
-          target: target as any,
-          type,
-        },
-      });
-    } else {
-      await client.projects.createProjectEnv({
-        idOrName: vercelProjectId,
-        ...(teamId && { teamId }),
-        requestBody: {
-          key,
-          value,
-          target: target as any,
-          type,
-        },
+        requestBody: { ids: [existingEnv.id] },
       });
     }
+
+    await client.projects.createProjectEnv({
+      idOrName: vercelProjectId,
+      ...(teamId && { teamId }),
+      requestBody: {
+        key,
+        value,
+        target: target as any,
+        type,
+      },
+    });
   }
 
   static getAutoAssignCustomDomains(
diff --git a/apps/webapp/app/presenters/RunFilters.server.ts b/apps/webapp/app/presenters/RunFilters.server.ts
index ff9f53429eb..4254dc83e61 100644
--- a/apps/webapp/app/presenters/RunFilters.server.ts
+++ b/apps/webapp/app/presenters/RunFilters.server.ts
@@ -34,8 +34,10 @@ export async function getRunFiltersFromRequest(request: Request): Promise<Filter
     batchId,
     scheduleId,
     queues,
+    regions,
     machines,
     errorId,
+    sources,
   } = TaskRunListSearchFilters.parse(s);
 
   return {
@@ -54,7 +56,9 @@ export async function getRunFiltersFromRequest(request: Request): Promise<Filter
     direction: direction,
     cursor: cursor,
     queues,
+    regions,
     machines,
     errorId,
+    sources,
   };
 }
diff --git a/apps/webapp/app/presenters/SessionFilters.server.ts b/apps/webapp/app/presenters/SessionFilters.server.ts
new file mode 100644
index 00000000000..81e12af67e3
--- /dev/null
+++ b/apps/webapp/app/presenters/SessionFilters.server.ts
@@ -0,0 +1,18 @@
+import {
+  getSessionFiltersFromSearchParams,
+  SessionListSearchFilters,
+} from "~/components/sessions/v1/SessionFilters";
+import { type SessionStatus } from "~/services/sessionsRepository/sessionsRepository.server";
+
+export type SessionFiltersFromRequest = SessionListSearchFilters & {
+  statuses?: SessionStatus[];
+};
+
+export function getSessionFiltersFromRequest(request: Request): SessionFiltersFromRequest {
+  const url = new URL(request.url);
+  const s = getSessionFiltersFromSearchParams(url.searchParams);
+  return {
+    ...s,
+    statuses: s.statuses as SessionStatus[] | undefined,
+  };
+}
diff --git a/apps/webapp/app/presenters/TeamPresenter.server.ts b/apps/webapp/app/presenters/TeamPresenter.server.ts
index 8b84a65a67c..f2e5da61a87 100644
--- a/apps/webapp/app/presenters/TeamPresenter.server.ts
+++ b/apps/webapp/app/presenters/TeamPresenter.server.ts
@@ -1,4 +1,5 @@
 import { getTeamMembersAndInvites } from "~/models/member.server";
+import { rbac } from "~/services/rbac.server";
 import { getCurrentPlan, getLimit, getPlans } from "~/services/platform.v3.server";
 import { BasePresenter } from "./v3/basePresenter.server";
 
@@ -13,11 +14,30 @@ export class TeamPresenter extends BasePresenter {
       return;
     }
 
-    const [baseLimit, currentPlan, plans] = await Promise.all([
-      getLimit(organizationId, "teamMembers", 100_000_000),
-      getCurrentPlan(organizationId),
-      getPlans(),
-    ]);
+    const [baseLimit, currentPlan, plans, roles, assignableRoleIds, memberRoleMap] =
+      await Promise.all([
+        getLimit(organizationId, "teamMembers", 100_000_000),
+        getCurrentPlan(organizationId),
+        getPlans(),
+        // RBAC role catalogue (system roles + any org-defined custom
+        // roles). The default fallback returns []; an installed plugin
+        // may return the seeded system roles plus any custom roles.
+        rbac.allRoles(organizationId),
+        // Plan-gated subset — the Teams page disables dropdown options not
+        // in this set. Server-side enforcement is independent (setUserRole
+        // rejects a plan-gated assignment regardless of UI state).
+        rbac.getAssignableRoleIds(organizationId),
+        // Per-member current role in a single round-trip.
+        rbac.getUserRoles(
+          result.members.map((m) => m.user.id),
+          organizationId
+        ),
+      ]);
+
+    const memberRoles = result.members.map((m) => ({
+      userId: m.user.id,
+      role: memberRoleMap.get(m.user.id) ?? null,
+    }));
 
     const canPurchaseSeats =
       currentPlan?.v3Subscription?.plan?.limits.teamMembers.canExceed === true;
@@ -38,6 +58,9 @@ export class TeamPresenter extends BasePresenter {
       seatPricing,
       maxSeatQuota,
       planSeatLimit,
+      roles,
+      assignableRoleIds,
+      memberRoles,
     };
   }
 }
diff --git a/apps/webapp/app/presenters/v3/AgentListPresenter.server.ts b/apps/webapp/app/presenters/v3/AgentListPresenter.server.ts
new file mode 100644
index 00000000000..fe813ca08b4
--- /dev/null
+++ b/apps/webapp/app/presenters/v3/AgentListPresenter.server.ts
@@ -0,0 +1,294 @@
+import {
+  type PrismaClientOrTransaction,
+  type RuntimeEnvironmentType,
+  type TaskTriggerSource,
+} from "@trigger.dev/database";
+import { type ClickHouse } from "@internal/clickhouse";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
+import { singleton } from "~/utils/singleton";
+import { findCurrentWorkerFromEnvironment } from "~/v3/models/workerDeployment.server";
+
+export type AgentListItem = {
+  slug: string;
+  filePath: string;
+  createdAt: Date;
+  triggerSource: TaskTriggerSource;
+  config: unknown;
+};
+
+export type AgentActiveState = {
+  running: number;
+  suspended: number;
+};
+
+export class AgentListPresenter {
+  constructor(private readonly _replica: PrismaClientOrTransaction) {}
+
+  public async call({
+    organizationId,
+    projectId,
+    environmentId,
+    environmentType,
+  }: {
+    organizationId: string;
+    projectId: string;
+    environmentId: string;
+    environmentType: RuntimeEnvironmentType;
+  }) {
+    const clickhouse = await clickhouseFactory.getClickhouseForOrganization(
+      organizationId,
+      "standard"
+    );
+
+    const currentWorker = await findCurrentWorkerFromEnvironment(
+      {
+        id: environmentId,
+        type: environmentType,
+      },
+      this._replica
+    );
+
+    if (!currentWorker) {
+      return {
+        agents: [],
+        activeStates: Promise.resolve({} as Record<string, AgentActiveState>),
+        conversationSparklines: Promise.resolve({} as Record<string, number[]>),
+        costSparklines: Promise.resolve({} as Record<string, number[]>),
+        tokenSparklines: Promise.resolve({} as Record<string, number[]>),
+      };
+    }
+
+    const agents = await this._replica.backgroundWorkerTask.findMany({
+      where: {
+        workerId: currentWorker.id,
+        triggerSource: "AGENT",
+      },
+      select: {
+        id: true,
+        slug: true,
+        filePath: true,
+        triggerSource: true,
+        config: true,
+        createdAt: true,
+      },
+      orderBy: {
+        slug: "asc",
+      },
+    });
+
+    const slugs = agents.map((a) => a.slug);
+
+    if (slugs.length === 0) {
+      return {
+        agents,
+        activeStates: Promise.resolve({} as Record<string, AgentActiveState>),
+        conversationSparklines: Promise.resolve({} as Record<string, number[]>),
+        costSparklines: Promise.resolve({} as Record<string, number[]>),
+        tokenSparklines: Promise.resolve({} as Record<string, number[]>),
+      };
+    }
+
+    // All queries are deferred for streaming
+    const activeStates = this.#getActiveStates(clickhouse, environmentId, slugs);
+    const conversationSparklines = this.#getConversationSparklines(clickhouse, environmentId, slugs);
+    const costSparklines = this.#getCostSparklines(clickhouse, environmentId, slugs);
+    const tokenSparklines = this.#getTokenSparklines(clickhouse, environmentId, slugs);
+
+    return { agents, activeStates, conversationSparklines, costSparklines, tokenSparklines };
+  }
+
+  /** Count runs currently executing vs suspended per agent */
+  async #getActiveStates(
+    clickhouse: ClickHouse,
+    environmentId: string,
+    slugs: string[]
+  ): Promise<Record<string, AgentActiveState>> {
+    const queryFn = clickhouse.reader.query({
+      name: "agentActiveStates",
+      query: `SELECT
+          task_identifier,
+          countIf(status = 'EXECUTING') AS running,
+          countIf(status IN ('WAITING_TO_RESUME', 'QUEUED_EXECUTING')) AS suspended
+        FROM trigger_dev.task_runs_v2
+        WHERE environment_id = {environmentId: String}
+          AND task_identifier IN {slugs: Array(String)}
+          AND task_kind = 'AGENT'
+          AND status IN ('EXECUTING', 'WAITING_TO_RESUME', 'QUEUED_EXECUTING')
+        GROUP BY task_identifier`,
+      params: z.object({
+        environmentId: z.string(),
+        slugs: z.array(z.string()),
+      }),
+      schema: z.object({
+        task_identifier: z.string(),
+        running: z.coerce.number(),
+        suspended: z.coerce.number(),
+      }),
+    });
+
+    const [error, rows] = await queryFn({ environmentId, slugs });
+    if (error) {
+      console.error("Agent active states query failed:", error);
+      return {};
+    }
+
+    const result: Record<string, AgentActiveState> = {};
+    for (const row of rows) {
+      result[row.task_identifier] = { running: row.running, suspended: row.suspended };
+    }
+    return result;
+  }
+
+  /** 24h hourly sparkline of conversation (run) count per agent */
+  async #getConversationSparklines(
+    clickhouse: ClickHouse,
+    environmentId: string,
+    slugs: string[]
+  ): Promise<Record<string, number[]>> {
+    const queryFn = clickhouse.reader.query({
+      name: "agentConversationSparklines",
+      query: `SELECT
+          task_identifier,
+          toStartOfHour(created_at) AS bucket,
+          count() AS val
+        FROM trigger_dev.task_runs_v2
+        WHERE environment_id = {environmentId: String}
+          AND task_identifier IN {slugs: Array(String)}
+          AND task_kind = 'AGENT'
+          AND created_at >= now() - INTERVAL 24 HOUR
+        GROUP BY task_identifier, bucket
+        ORDER BY task_identifier, bucket`,
+      params: z.object({
+        environmentId: z.string(),
+        slugs: z.array(z.string()),
+      }),
+      schema: z.object({
+        task_identifier: z.string(),
+        bucket: z.string(),
+        val: z.coerce.number(),
+      }),
+    });
+
+    return this.#buildSparklineMap(await queryFn({ environmentId, slugs }), slugs);
+  }
+
+  /** 24h hourly sparkline of LLM cost per agent */
+  async #getCostSparklines(
+    clickhouse: ClickHouse,
+    environmentId: string,
+    slugs: string[]
+  ): Promise<Record<string, number[]>> {
+    const queryFn = clickhouse.reader.query({
+      name: "agentCostSparklines",
+      query: `SELECT
+          task_identifier,
+          toStartOfHour(start_time) AS bucket,
+          sum(total_cost) AS val
+        FROM trigger_dev.llm_metrics_v1
+        WHERE environment_id = {environmentId: String}
+          AND task_identifier IN {slugs: Array(String)}
+          AND start_time >= now() - INTERVAL 24 HOUR
+        GROUP BY task_identifier, bucket
+        ORDER BY task_identifier, bucket`,
+      params: z.object({
+        environmentId: z.string(),
+        slugs: z.array(z.string()),
+      }),
+      schema: z.object({
+        task_identifier: z.string(),
+        bucket: z.string(),
+        val: z.coerce.number(),
+      }),
+    });
+
+    return this.#buildSparklineMap(await queryFn({ environmentId, slugs }), slugs);
+  }
+
+  /** 24h hourly sparkline of total tokens per agent */
+  async #getTokenSparklines(
+    clickhouse: ClickHouse,
+    environmentId: string,
+    slugs: string[]
+  ): Promise<Record<string, number[]>> {
+    const queryFn = clickhouse.reader.query({
+      name: "agentTokenSparklines",
+      query: `SELECT
+          task_identifier,
+          toStartOfHour(start_time) AS bucket,
+          sum(total_tokens) AS val
+        FROM trigger_dev.llm_metrics_v1
+        WHERE environment_id = {environmentId: String}
+          AND task_identifier IN {slugs: Array(String)}
+          AND start_time >= now() - INTERVAL 24 HOUR
+        GROUP BY task_identifier, bucket
+        ORDER BY task_identifier, bucket`,
+      params: z.object({
+        environmentId: z.string(),
+        slugs: z.array(z.string()),
+      }),
+      schema: z.object({
+        task_identifier: z.string(),
+        bucket: z.string(),
+        val: z.coerce.number(),
+      }),
+    });
+
+    return this.#buildSparklineMap(await queryFn({ environmentId, slugs }), slugs);
+  }
+
+  /** Convert ClickHouse query result to sparkline map with zero-filled 24 hourly buckets */
+  #buildSparklineMap(
+    queryResult: [Error, null] | [null, { task_identifier: string; bucket: string; val: number }[]],
+    slugs: string[]
+  ): Record<string, number[]> {
+    const [error, rows] = queryResult;
+    if (error) {
+      console.error("Agent sparkline query failed:", error);
+      return {};
+    }
+    return this.#buildSparklineFromRows(rows, slugs);
+  }
+
+  #buildSparklineFromRows(
+    rows: { task_identifier: string; bucket: string; val: number }[],
+    slugs: string[]
+  ): Record<string, number[]> {
+    const now = new Date();
+    const startHour = new Date(
+      Date.UTC(
+        now.getUTCFullYear(),
+        now.getUTCMonth(),
+        now.getUTCDate(),
+        now.getUTCHours() - 23,
+        0,
+        0,
+        0
+      )
+    );
+
+    const bucketKeys: string[] = [];
+    for (let i = 0; i < 24; i++) {
+      const h = new Date(startHour.getTime() + i * 3600_000);
+      bucketKeys.push(h.toISOString().slice(0, 13).replace("T", " ") + ":00:00");
+    }
+
+    const rowMap = new Map<string, number>();
+    for (const row of rows) {
+      rowMap.set(`${row.task_identifier}|${row.bucket}`, row.val);
+    }
+
+    const result: Record<string, number[]> = {};
+    for (const slug of slugs) {
+      result[slug] = bucketKeys.map((key) => rowMap.get(`${slug}|${key}`) ?? 0);
+    }
+    return result;
+  }
+}
+
+export const agentListPresenter = singleton("agentListPresenter", setupAgentListPresenter);
+
+function setupAgentListPresenter() {
+  return new AgentListPresenter($replica);
+}
diff --git a/apps/webapp/app/presenters/v3/ApiRetrieveRunPresenter.server.ts b/apps/webapp/app/presenters/v3/ApiRetrieveRunPresenter.server.ts
index ebac8e089f5..00290b36203 100644
--- a/apps/webapp/app/presenters/v3/ApiRetrieveRunPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/ApiRetrieveRunPresenter.server.ts
@@ -9,12 +9,18 @@ import {
   logger,
 } from "@trigger.dev/core/v3";
 import { parsePacketAsJson } from "@trigger.dev/core/v3/utils/ioSerialization";
+import { BatchId } from "@trigger.dev/core/v3/isomorphic";
 import { getUserProvidedIdempotencyKey } from "@trigger.dev/core/v3/serverOnly";
 import { Prisma, TaskRunAttemptStatus, TaskRunStatus } from "@trigger.dev/database";
 import assertNever from "assert-never";
 import { API_VERSIONS, CURRENT_API_VERSION, RunStatusUnspecifiedApiVersion } from "~/api/versions";
 import { $replica, prisma } from "~/db.server";
+import { baseWorkerQueue } from "~/runEngine/concerns/workerQueueSplit.server";
 import { AuthenticatedEnvironment } from "~/services/apiAuth.server";
+import {
+  findRunByIdWithMollifierFallback,
+  type SyntheticRun,
+} from "~/v3/mollifier/readFallback.server";
 import { generatePresignedUrl } from "~/v3/objectStore.server";
 import { tracer } from "~/v3/tracer.server";
 import { startSpanWithEnv } from "~/v3/tracing.server";
@@ -42,6 +48,7 @@ const commonRunSelect = {
   isTest: true,
   depth: true,
   scheduleId: true,
+  workerQueue: true,
   lockedToVersion: {
     select: {
       version: true,
@@ -63,13 +70,46 @@ type CommonRelatedRun = Prisma.Result<
   "findFirstOrThrow"
 >;
 
-type FoundRun = NonNullable<Awaited<ReturnType<typeof ApiRetrieveRunPresenter.findRun>>>;
+// Full shape returned by findRun() — the commonRunSelect fields plus the
+// extras the route handler reads. Declared explicitly (not inferred via
+// ReturnType<typeof findRun>) so findRun can return a synthesised buffered
+// run without the type becoming self-referential.
+// Exported so the buffer-synthesis helper below can be unit-tested
+// against a stable shape without re-deriving it (FoundRun's exact field
+// list is what the buffered run must match for `call()` not to surprise).
+export type FoundRun = CommonRelatedRun & {
+  traceId: string;
+  payload: string;
+  payloadType: string;
+  output: string | null;
+  outputType: string;
+  error: Prisma.JsonValue;
+  attempts: { id: string }[];
+  attemptNumber: number | null;
+  engine: "V1" | "V2";
+  taskEventStore: string;
+  parentTaskRun: CommonRelatedRun | null;
+  rootTaskRun: CommonRelatedRun | null;
+  childRuns: CommonRelatedRun[];
+  // True when this run was synthesised from the mollifier buffer rather
+  // than read from Postgres. Callers that would otherwise query backing
+  // stores keyed on PG identifiers (e.g. ClickHouse event lookups by
+  // traceId) can short-circuit to an empty response — buffered runs
+  // haven't executed and have no events to fetch. Devin's analysis on
+  // PR #3755 (events endpoint) flagged the pre-fix code as making a
+  // wasted ClickHouse round-trip when this is set; gate on this flag
+  // instead.
+  isBuffered: boolean;
+};
 
 export class ApiRetrieveRunPresenter {
   constructor(private readonly apiVersion: API_VERSIONS) {}
 
-  public static async findRun(friendlyId: string, env: AuthenticatedEnvironment) {
-    return $replica.taskRun.findFirst({
+  public static async findRun(
+    friendlyId: string,
+    env: AuthenticatedEnvironment,
+  ): Promise<FoundRun | null> {
+    const pgRow = await $replica.taskRun.findFirst({
       where: {
         friendlyId,
         runtimeEnvironmentId: env.id,
@@ -101,6 +141,23 @@ export class ApiRetrieveRunPresenter {
         },
       },
     });
+
+    if (pgRow) return { ...pgRow, isBuffered: false };
+
+    // Postgres miss → fall back to the mollifier buffer. When the gate
+    // diverted a trigger, the run lives in Redis until the drainer replays
+    // it through engine.trigger. Synthesise the FoundRun shape so call()
+    // returns a `QUEUED` (or `FAILED`) response with empty output, no
+    // attempts, no relations.
+    const buffered = await findRunByIdWithMollifierFallback({
+      runId: friendlyId,
+      environmentId: env.id,
+      organizationId: env.organizationId,
+    });
+
+    if (!buffered) return null;
+
+    return synthesiseFoundRunFromBuffer(buffered);
   }
 
   public async call(taskRun: FoundRun, env: AuthenticatedEnvironment) {
@@ -463,6 +520,7 @@ async function createCommonRunStructure(run: CommonRelatedRun, apiVersion: API_V
     triggerFunction: resolveTriggerFunction(run),
     batchId: run.batch?.friendlyId,
     metadata,
+    region: run.workerQueue ? baseWorkerQueue(run.workerQueue) : undefined,
   };
 }
 
@@ -473,3 +531,162 @@ function resolveTriggerFunction(run: CommonRelatedRun): TriggerFunction {
     return run.resumeParentOnCompletion ? "triggerAndWait" : "trigger";
   }
 }
+
+// Build a FoundRun-shaped object from a buffered (mollified) run. The run
+// is in the Redis buffer; engine.trigger hasn't created the Postgres row
+// yet, so every field that comes from execution state (output, attempts,
+// completedAt, cost, relations) takes a default. The presenter's call()
+// handles QUEUED-state runs without surprise.
+function bufferedStatusToTaskRunStatus(status: SyntheticRun["status"]): TaskRunStatus {
+  switch (status) {
+    case "FAILED":
+      return "SYSTEM_FAILURE";
+    case "CANCELED":
+      return "CANCELED";
+    default:
+      return "PENDING";
+  }
+}
+
+// The PG path stores `TaskRun.payload` as `String?`, so in production
+// the buffered snapshot's `payload` is always a string. We defensively
+// coerce other types instead of silently dropping them: an object gets
+// JSON-stringified (matches how the trigger path would serialise it),
+// anything truly unrenderable falls back to an empty string. The log
+// line surfaces format drift to ops without crashing the read path.
+function synthesisePayload(buffered: SyntheticRun): string {
+  const payload = buffered.payload;
+  if (typeof payload === "string") return payload;
+  if (payload === undefined || payload === null) return "";
+  try {
+    const serialised = JSON.stringify(payload);
+    logger.warn("ApiRetrieveRunPresenter: buffered snapshot.payload non-string coerced", {
+      runFriendlyId: buffered.friendlyId,
+      payloadType: typeof payload,
+    });
+    return typeof serialised === "string" ? serialised : "";
+  } catch {
+    logger.error("ApiRetrieveRunPresenter: buffered snapshot.payload unserialisable", {
+      runFriendlyId: buffered.friendlyId,
+      payloadType: typeof payload,
+    });
+    return "";
+  }
+}
+
+// Mirror synthesisePayload for metadata. The PG path stores
+// `TaskRun.metadata` as `String?`, and the snapshot writes it from
+// `metadataPacket.data` (also a string), so in production it is always a
+// string or absent. We coerce defensively — an object gets JSON-stringified
+// (matching how the trigger path serialises it) rather than silently
+// dropped to null, and the log line surfaces format drift to ops.
+function synthesiseMetadata(buffered: SyntheticRun): string | null {
+  const metadata = buffered.metadata;
+  if (typeof metadata === "string") return metadata;
+  if (metadata === undefined || metadata === null) return null;
+  try {
+    const serialised = JSON.stringify(metadata);
+    logger.warn("ApiRetrieveRunPresenter: buffered snapshot.metadata non-string coerced", {
+      runFriendlyId: buffered.friendlyId,
+      metadataType: typeof metadata,
+    });
+    return typeof serialised === "string" ? serialised : null;
+  } catch {
+    logger.error("ApiRetrieveRunPresenter: buffered snapshot.metadata unserialisable", {
+      runFriendlyId: buffered.friendlyId,
+      metadataType: typeof metadata,
+    });
+    return null;
+  }
+}
+
+// Exported for unit testing. Used by `findRun()` above when the
+// Postgres lookup misses and the buffer carries the run — keep the shape
+// in lockstep with `FoundRun`'s field list so `call()` treats a synthesised
+// buffered run identically to a freshly-triggered PG row.
+export function synthesiseFoundRunFromBuffer(buffered: SyntheticRun): FoundRun {
+  const status: TaskRunStatus = bufferedStatusToTaskRunStatus(buffered.status);
+
+  const errorJson: Prisma.JsonValue = buffered.error
+    ? {
+        type: "STRING_ERROR",
+        raw: `${buffered.error.code}: ${buffered.error.message}`,
+      }
+    : null;
+
+  const metadata: string | null = synthesiseMetadata(buffered);
+
+  return {
+    // `id` is the internal cuid (Prisma TaskRun.id column), `friendlyId`
+    // is the user-facing `run_xxx` token. Downstream logging keyed off
+    // `taskRun.id` correlates with other systems via the cuid — using
+    // the friendlyId here breaks log correlation. `SyntheticRun` carries
+    // the cuid alongside the friendlyId for exactly this reason
+    // (RunId.fromFriendlyId in readFallback.server.ts).
+    id: buffered.id,
+    friendlyId: buffered.friendlyId,
+    status,
+    taskIdentifier: buffered.taskIdentifier ?? "",
+    createdAt: buffered.createdAt,
+    startedAt: null,
+    updatedAt: buffered.cancelledAt ?? buffered.createdAt,
+    // PG-resident SYSTEM_FAILURE rows always have `completedAt` set by
+    // the engine; the buffer-synth path must match so SDK consumers
+    // that poll on `isCompleted` and then read `finishedAt` see a real
+    // timestamp instead of `undefined`. CANCELED already had this via
+    // `buffered.cancelledAt`; fall back to `buffered.createdAt` for
+    // FAILED (the buffer entry has no separate "failedAt" — the
+    // best-available approximation of when the terminal state landed
+    // is the entry's creation time).
+    completedAt:
+      buffered.cancelledAt ?? (status === "SYSTEM_FAILURE" ? buffered.createdAt : null),
+    expiredAt: null,
+    delayUntil: buffered.delayUntil ?? null,
+    metadata,
+    metadataType: buffered.metadataType ?? "application/json",
+    ttl: buffered.ttl ?? null,
+    costInCents: 0,
+    baseCostInCents: 0,
+    usageDurationMs: 0,
+    idempotencyKey: buffered.idempotencyKey ?? null,
+    idempotencyKeyOptions: buffered.idempotencyKeyOptions ?? null,
+    isTest: buffered.isTest,
+    depth: buffered.depth,
+    // Scheduled triggers go through the same TriggerTaskService path as
+    // API triggers and aren't bypassed by the mollifier gate, so a
+    // scheduled run can land in the buffer with its scheduleId set on the
+    // snapshot. Forward it so resolveSchedule() can hydrate the `schedule`
+    // field in the API response instead of silently dropping it until the
+    // drainer materialises.
+    scheduleId: buffered.scheduleId ?? null,
+    lockedToVersion: buffered.lockedToVersion ? { version: buffered.lockedToVersion } : null,
+    resumeParentOnCompletion: buffered.resumeParentOnCompletion,
+    // Reconstruct the batch from the snapshot's internal id so a buffered
+    // run reports the same `batchId` / triggerFunction as it will once
+    // materialised, and so batch-scoped JWTs authorise against it (the
+    // route authorization callbacks read `run.batch?.friendlyId`).
+    batch: buffered.batchId
+      ? { id: buffered.batchId, friendlyId: BatchId.toFriendlyId(buffered.batchId) }
+      : null,
+    runTags: buffered.tags,
+    traceId: buffered.traceId ?? "",
+    payload: synthesisePayload(buffered),
+    payloadType: buffered.payloadType ?? "application/json",
+    output: null,
+    outputType: "application/json",
+    error: errorJson,
+    attempts: [],
+    attemptNumber: null,
+    engine: "V2",
+    taskEventStore: "taskEvent",
+    // Empty string when absent (matches syntheticSpanRun.server.ts and lets
+    // `createCommonRunStructure`'s `run.workerQueue || undefined` coerce the
+    // API response's `region` to undefined instead of advertising a
+    // misleading "main" region for a not-yet-assigned buffered run).
+    workerQueue: buffered.workerQueue ?? "",
+    parentTaskRun: null,
+    rootTaskRun: null,
+    childRuns: [],
+    isBuffered: true,
+  };
+}
diff --git a/apps/webapp/app/presenters/v3/ApiRunListPresenter.server.ts b/apps/webapp/app/presenters/v3/ApiRunListPresenter.server.ts
index 254ec18d1c0..0e7077b3dfc 100644
--- a/apps/webapp/app/presenters/v3/ApiRunListPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/ApiRunListPresenter.server.ts
@@ -9,7 +9,7 @@ import { type Project, type RuntimeEnvironment, type TaskRunStatus } from "@trig
 import assertNever from "assert-never";
 import { z } from "zod";
 import { API_VERSIONS, RunStatusUnspecifiedApiVersion } from "~/api/versions";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { logger } from "~/services/logger.server";
 import { CoercedDate } from "~/utils/zod";
 import { ServiceValidationError } from "~/v3/services/baseService.server";
@@ -116,6 +116,12 @@ export const ApiRunListSearchParams = z.object({
     .transform((value) => {
       return value ? value.split(",") : undefined;
     }),
+  "filter[region]": z
+    .string()
+    .optional()
+    .transform((value) => {
+      return value ? value.split(",") : undefined;
+    }),
   "filter[machine]": z
     .string()
     .optional()
@@ -149,10 +155,10 @@ type ApiRunListSearchParams = z.infer<typeof ApiRunListSearchParams>;
 
 export class ApiRunListPresenter extends BasePresenter {
   public async call(
-    project: Project,
+    project: Pick<Project, "id">,
     searchParams: ApiRunListSearchParams,
     apiVersion: API_VERSIONS,
-    environment?: RuntimeEnvironment
+    environment?: Pick<RuntimeEnvironment, "id" | "organizationId">
   ) {
     return this.trace("call", async (span) => {
       const options: RunListOptions = {
@@ -255,11 +261,16 @@ export class ApiRunListPresenter extends BasePresenter {
         options.queues = searchParams["filter[queue]"];
       }
 
+      if (searchParams["filter[region]"]) {
+        options.regions = searchParams["filter[region]"];
+      }
+
       if (searchParams["filter[machine]"]) {
         options.machines = searchParams["filter[machine]"];
       }
 
-      const presenter = new NextRunListPresenter(this._replica, clickhouseClient);
+      const clickhouse = await clickhouseFactory.getClickhouseForOrganization(organizationId, "standard");
+      const presenter = new NextRunListPresenter(this._replica, clickhouse);
 
       logger.debug("Calling RunListPresenter", { options });
 
@@ -304,6 +315,11 @@ export class ApiRunListPresenter extends BasePresenter {
             durationMs: run.usageDurationMs,
             depth: run.depth,
             metadata,
+            // ClickHouse defaults `task_kind` to "" for pre-migration rows.
+            // Match `NextRunListPresenter`'s "STANDARD" fallback so API
+            // consumers and the dashboard see the same value.
+            taskKind: run.taskKind || "STANDARD",
+            region: run.region ?? undefined,
             ...ApiRetrieveRunPresenter.apiBooleanHelpersFromRunStatus(
               ApiRetrieveRunPresenter.apiStatusFromRunStatus(run.status, apiVersion)
             ),
diff --git a/apps/webapp/app/presenters/v3/BuiltInDashboards.server.ts b/apps/webapp/app/presenters/v3/BuiltInDashboards.server.ts
index 2ec34614533..a6374c60be2 100644
--- a/apps/webapp/app/presenters/v3/BuiltInDashboards.server.ts
+++ b/apps/webapp/app/presenters/v3/BuiltInDashboards.server.ts
@@ -216,7 +216,7 @@ const overviewDashboard: BuiltInDashboard = {
 
 const llmDashboard: BuiltInDashboard = {
   key: "llm",
-  title: "AI Metrics",
+  title: "AI metrics",
   filters: ["tasks", "models", "prompts", "operations", "providers"],
   layout: {
     version: "1",
diff --git a/apps/webapp/app/presenters/v3/CreateBulkActionPresenter.server.ts b/apps/webapp/app/presenters/v3/CreateBulkActionPresenter.server.ts
index acf511f0f5e..c3c62cd5d95 100644
--- a/apps/webapp/app/presenters/v3/CreateBulkActionPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/CreateBulkActionPresenter.server.ts
@@ -1,6 +1,6 @@
 import { type PrismaClient } from "@trigger.dev/database";
 import { CreateBulkActionSearchParams } from "~/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.bulkaction";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { RunsRepository } from "~/services/runsRepository/runsRepository.server";
 import { getRunFiltersFromRequest } from "../RunFilters.server";
 import { BasePresenter } from "./basePresenter.server";
@@ -24,8 +24,9 @@ export class CreateBulkActionPresenter extends BasePresenter {
       Object.fromEntries(new URL(request.url).searchParams)
     );
 
+    const clickhouse = await clickhouseFactory.getClickhouseForOrganization(organizationId, "standard");
     const runsRepository = new RunsRepository({
-      clickhouse: clickhouseClient,
+      clickhouse,
       prisma: this._replica as PrismaClient,
     });
 
diff --git a/apps/webapp/app/presenters/v3/DevPresence.server.ts b/apps/webapp/app/presenters/v3/DevPresence.server.ts
index fa606cf9f1b..d751b6d7114 100644
--- a/apps/webapp/app/presenters/v3/DevPresence.server.ts
+++ b/apps/webapp/app/presenters/v3/DevPresence.server.ts
@@ -1,4 +1,5 @@
 import Redis, { type RedisOptions } from "ioredis";
+import { defaultReconnectOnError } from "@internal/redis";
 import { env } from "~/env.server";
 
 const PRESENCE_KEY_PREFIX = "dev-presence:connection:";
@@ -7,7 +8,7 @@ export class DevPresence {
   private redis: Redis;
 
   constructor(options: RedisOptions) {
-    this.redis = new Redis(options);
+    this.redis = new Redis({ reconnectOnError: defaultReconnectOnError, ...options });
   }
 
   async isConnected(environmentId: string) {
diff --git a/apps/webapp/app/presenters/v3/EnvironmentQueuePresenter.server.ts b/apps/webapp/app/presenters/v3/EnvironmentQueuePresenter.server.ts
index 10201094376..5bcdee6b0a9 100644
--- a/apps/webapp/app/presenters/v3/EnvironmentQueuePresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/EnvironmentQueuePresenter.server.ts
@@ -47,7 +47,10 @@ export class EnvironmentQueuePresenter extends BasePresenter {
       running,
       queued,
       concurrencyLimit: environment.maximumConcurrencyLimit,
-      burstFactor: environment.concurrencyLimitBurstFactor.toNumber(),
+      burstFactor:
+        typeof environment.concurrencyLimitBurstFactor === "number"
+          ? environment.concurrencyLimitBurstFactor
+          : environment.concurrencyLimitBurstFactor.toNumber(),
       runsEnabled: environment.type === "DEVELOPMENT" || organization.runsEnabled,
       queueSizeLimit,
     };
diff --git a/apps/webapp/app/presenters/v3/EnvironmentVariablesPresenter.server.ts b/apps/webapp/app/presenters/v3/EnvironmentVariablesPresenter.server.ts
index aff55263fec..720bfda8db7 100644
--- a/apps/webapp/app/presenters/v3/EnvironmentVariablesPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/EnvironmentVariablesPresenter.server.ts
@@ -1,7 +1,6 @@
-import { PrismaClient, prisma } from "~/db.server";
+import { $replica, PrismaClient, PrismaReplicaClient, prisma } from "~/db.server";
 import { Project } from "~/models/project.server";
 import { User } from "~/models/user.server";
-import { filterOrphanedEnvironments, sortEnvironments } from "~/utils/environmentSort";
 import { EnvironmentVariablesRepository } from "~/v3/environmentVariables/environmentVariablesRepository.server";
 import type { EnvironmentVariableUpdater } from "~/v3/environmentVariables/repository";
 import {
@@ -9,19 +8,22 @@ import {
   EnvSlug,
 } from "~/v3/vercel/vercelProjectIntegrationSchema";
 import { VercelIntegrationService } from "~/services/vercelIntegration.server";
+import { loadEnvironmentVariablesEnvironments } from "./environmentVariablesEnvironments.server";
 
 type Result = Awaited<ReturnType<EnvironmentVariablesPresenter["call"]>>;
 export type EnvironmentVariableWithSetValues = Result["environmentVariables"][number];
 
 export class EnvironmentVariablesPresenter {
   #prismaClient: PrismaClient;
+  #replicaClient: PrismaReplicaClient;
 
-  constructor(prismaClient: PrismaClient = prisma) {
+  constructor(prismaClient: PrismaClient = prisma, replicaClient: PrismaReplicaClient = $replica) {
     this.#prismaClient = prismaClient;
+    this.#replicaClient = replicaClient;
   }
 
   public async call({ userId, projectSlug }: { userId: User["id"]; projectSlug: Project["slug"] }) {
-    const project = await this.#prismaClient.project.findFirst({
+    const project = await this.#replicaClient.project.findFirst({
       select: {
         id: true,
       },
@@ -41,7 +43,18 @@ export class EnvironmentVariablesPresenter {
       throw new Error("Project not found");
     }
 
-    const environmentVariables = await this.#prismaClient.environmentVariable.findMany({
+    const { environments: sortedEnvironments, hasStaging } =
+      await loadEnvironmentVariablesEnvironments(
+        this.#replicaClient,
+        { userId, projectId: project.id },
+        { skipProjectAccessCheck: true }
+      );
+
+    // Only load values for the environments we display. Projects can accumulate
+    // values in archived branch environments, which would otherwise all be loaded here.
+    const environmentIds = sortedEnvironments.map((env) => env.id);
+
+    const environmentVariables = await this.#replicaClient.environmentVariable.findMany({
       select: {
         id: true,
         key: true,
@@ -59,20 +72,16 @@ export class EnvironmentVariablesPresenter {
             },
             isSecret: true,
           },
-        },
-      },
-      where: {
-        project: {
-          slug: projectSlug,
-          organization: {
-            members: {
-              some: {
-                userId,
-              },
+          where: {
+            environmentId: {
+              in: environmentIds,
             },
           },
         },
       },
+      where: {
+        projectId: project.id,
+      },
     });
 
     const userIds = new Set(
@@ -93,7 +102,7 @@ export class EnvironmentVariablesPresenter {
 
     const users =
       userIds.size > 0
-        ? await this.#prismaClient.user.findMany({
+        ? await this.#replicaClient.user.findMany({
             where: {
               id: {
                 in: Array.from(userIds),
@@ -111,32 +120,22 @@ export class EnvironmentVariablesPresenter {
     const usersRecord: Record<string, { id: string; name: string | null; displayName: string | null; avatarUrl: string | null }> =
       Object.fromEntries(users.map((u) => [u.id, u]));
 
-    const environments = await this.#prismaClient.runtimeEnvironment.findMany({
-      select: {
-        id: true,
-        type: true,
-        isBranchableEnvironment: true,
-        branchName: true,
-        orgMember: {
-          select: {
-            userId: true,
-          },
-        },
-      },
-      where: {
-        project: {
-          slug: projectSlug,
-        },
-        archivedAt: null,
-      },
-    });
+    const repository = new EnvironmentVariablesRepository(this.#prismaClient, this.#replicaClient);
 
-    const sortedEnvironments = sortEnvironments(filterOrphanedEnvironments(environments)).filter(
-      (e) => e.orgMember?.userId === userId || e.orgMember === null
-    );
+    const nonSecretItems: Array<{ environmentId: string; key: string }> = [];
+    for (const environmentVariable of environmentVariables) {
+      for (const env of sortedEnvironments) {
+        const valueRecord = environmentVariable.values.find((v) => v.environmentId === env.id);
+        if (valueRecord && !valueRecord.isSecret) {
+          nonSecretItems.push({ environmentId: env.id, key: environmentVariable.key });
+        }
+      }
+    }
 
-    const repository = new EnvironmentVariablesRepository(this.#prismaClient);
-    const variables = await repository.getProject(project.id);
+    const variableValuesByEnvAndKey = await repository.getVariableValuesForKeys(
+      project.id,
+      nonSecretItems
+    );
 
     // Get Vercel integration data if it exists
     const vercelService = new VercelIntegrationService(this.#prismaClient);
@@ -153,14 +152,19 @@ export class EnvironmentVariablesPresenter {
     return {
       environmentVariables: environmentVariables
         .flatMap((environmentVariable) => {
-          const variable = variables.find((v) => v.key === environmentVariable.key);
-
           return sortedEnvironments.flatMap((env) => {
-            const val = variable?.values.find((v) => v.environment.id === env.id);
             const valueRecord = environmentVariable.values.find((v) => v.environmentId === env.id);
             const isSecret = valueRecord?.isSecret ?? false;
 
-            if (!val || !valueRecord) {
+            if (!valueRecord) {
+              return [];
+            }
+
+            const val = isSecret
+              ? undefined
+              : variableValuesByEnvAndKey.get(`${env.id}:${environmentVariable.key}`);
+
+            if (!isSecret && val === undefined) {
               return [];
             }
 
@@ -185,7 +189,7 @@ export class EnvironmentVariablesPresenter {
                 id: environmentVariable.id,
                 key: environmentVariable.key,
                 environment: { type: env.type, id: env.id, branchName: env.branchName },
-                value: isSecret ? "" : val.value,
+                value: isSecret ? "" : val!,
                 isSecret,
                 version: valueRecord.version,
                 lastUpdatedBy,
@@ -196,13 +200,8 @@ export class EnvironmentVariablesPresenter {
           });
         })
         .sort((a, b) => a.key.localeCompare(b.key)),
-      environments: sortedEnvironments.map((environment) => ({
-        id: environment.id,
-        type: environment.type,
-        isBranchableEnvironment: environment.isBranchableEnvironment,
-        branchName: environment.branchName,
-      })),
-      hasStaging: environments.some((environment) => environment.type === "STAGING"),
+      environments: sortedEnvironments,
+      hasStaging,
       // Vercel integration data
       vercelIntegration: vercelIntegration
         ? {
diff --git a/apps/webapp/app/presenters/v3/ErrorGroupPresenter.server.ts b/apps/webapp/app/presenters/v3/ErrorGroupPresenter.server.ts
index 5e9df362e4c..d2f6bbfcbe3 100644
--- a/apps/webapp/app/presenters/v3/ErrorGroupPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/ErrorGroupPresenter.server.ts
@@ -242,10 +242,15 @@ export class ErrorGroupPresenter extends BasePresenter {
 
     const sortedVersions = sortVersionsDescending([...versionSet]);
 
+    // Build the data for the graph
+    // For each time bucket, if a value exists for a version set the value (don't add zeros)
     const data = buckets.map((epoch) => {
       const point: Record<string, number | Date> = { date: new Date(epoch * 1000) };
       for (const version of sortedVersions) {
-        point[version] = byBucketVersion.get(`${epoch}:${version}`) ?? 0;
+        const versionValue = byBucketVersion.get(`${epoch}:${version}`);
+        if (versionValue) {
+          point[version] = versionValue;
+        }
       }
       return point;
     });
diff --git a/apps/webapp/app/presenters/v3/ErrorsListPresenter.server.ts b/apps/webapp/app/presenters/v3/ErrorsListPresenter.server.ts
index 13da4ff91f8..ea6e522dbd5 100644
--- a/apps/webapp/app/presenters/v3/ErrorsListPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/ErrorsListPresenter.server.ts
@@ -13,7 +13,7 @@ import { type ErrorGroupStatus, type PrismaClientOrTransaction } from "@trigger.
 import { type Direction } from "~/components/ListPagination";
 import { timeFilterFromTo } from "~/components/runs/v3/SharedFilters";
 import { findDisplayableEnvironment } from "~/models/runtimeEnvironment.server";
-import { getAllTaskIdentifiers } from "~/models/task.server";
+import { getTaskIdentifiers } from "~/models/task.server";
 import { ServiceValidationError } from "~/v3/services/baseService.server";
 import { BasePresenter } from "~/presenters/v3/basePresenter.server";
 
@@ -170,7 +170,7 @@ export class ErrorsListPresenter extends BasePresenter {
       (search !== undefined && search !== "") ||
       (statuses !== undefined && statuses.length > 0);
 
-    const possibleTasksAsync = getAllTaskIdentifiers(this.replica, environmentId);
+    const possibleTasksAsync = getTaskIdentifiers(environmentId);
 
     // Pre-filter by status: since status lives in Postgres (ErrorGroupState) and the error
     // list comes from ClickHouse, we resolve inclusion/exclusion sets upfront so that
diff --git a/apps/webapp/app/presenters/v3/LimitsPresenter.server.ts b/apps/webapp/app/presenters/v3/LimitsPresenter.server.ts
index cca3522dc4e..192fbc87f4f 100644
--- a/apps/webapp/app/presenters/v3/LimitsPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/LimitsPresenter.server.ts
@@ -375,7 +375,7 @@ export class LimitsPresenter extends BasePresenter {
           name: "Support level",
           description: "Type of support available for your plan",
           enabled: true,
-          value: supportLevel === "slack" ? "Slack" : "Community",
+          value: supportLevel === "slack" ? "Priority" : "Community",
         },
         includedUsage: {
           name: "Included compute",
diff --git a/apps/webapp/app/presenters/v3/LogsListPresenter.server.ts b/apps/webapp/app/presenters/v3/LogsListPresenter.server.ts
index 8a3bf692b5b..517c586e4e7 100644
--- a/apps/webapp/app/presenters/v3/LogsListPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/LogsListPresenter.server.ts
@@ -7,7 +7,7 @@ import parseDuration from "parse-duration";
 import { type Direction } from "~/components/ListPagination";
 import { timeFilterFromTo, timeFilters } from "~/components/runs/v3/SharedFilters";
 import { findDisplayableEnvironment } from "~/models/runtimeEnvironment.server";
-import { getAllTaskIdentifiers } from "~/models/task.server";
+import { getTaskIdentifiers } from "~/models/task.server";
 import { ServiceValidationError } from "~/v3/services/baseService.server";
 import { kindToLevel, type LogLevel, LogLevelSchema } from "~/utils/logUtils";
 import { BasePresenter } from "~/presenters/v3/basePresenter.server";
@@ -176,7 +176,7 @@ export class LogsListPresenter extends BasePresenter {
       (search !== undefined && search !== "") ||
       !time.isDefault;
 
-    const possibleTasksAsync = getAllTaskIdentifiers(this.replica, environmentId);
+    const possibleTasksAsync = getTaskIdentifiers(environmentId);
 
     const bulkActionsAsync = this.replica.bulkActionGroup.findMany({
       select: {
@@ -386,12 +386,7 @@ export class LogsListPresenter extends BasePresenter {
         next: nextCursor,
         previous: undefined, // For now, only support forward pagination
       },
-      possibleTasks: possibleTasks
-        .map((task) => ({
-          slug: task.slug,
-          triggerSource: task.triggerSource,
-        }))
-        .sort((a, b) => a.slug.localeCompare(b.slug)),
+      possibleTasks,
       bulkActions: bulkActions.map((bulkAction) => ({
         id: bulkAction.friendlyId,
         type: bulkAction.type,
diff --git a/apps/webapp/app/presenters/v3/NextRunListPresenter.server.ts b/apps/webapp/app/presenters/v3/NextRunListPresenter.server.ts
index f22c7ccf340..8d1b8c13883 100644
--- a/apps/webapp/app/presenters/v3/NextRunListPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/NextRunListPresenter.server.ts
@@ -1,5 +1,6 @@
 import { type ClickHouse } from "@internal/clickhouse";
 import { MachinePresetName } from "@trigger.dev/core/v3";
+import { RunAnnotations } from "@trigger.dev/core/v3/schemas";
 import {
   type PrismaClient,
   type PrismaClientOrTransaction,
@@ -8,8 +9,9 @@ import {
 import { type Direction } from "~/components/ListPagination";
 import { timeFilters } from "~/components/runs/v3/SharedFilters";
 import { findDisplayableEnvironment } from "~/models/runtimeEnvironment.server";
-import { getAllTaskIdentifiers } from "~/models/task.server";
+import { getTaskIdentifiers } from "~/models/task.server";
 import { RunsRepository } from "~/services/runsRepository/runsRepository.server";
+import { baseWorkerQueue } from "~/runEngine/concerns/workerQueueSplit.server";
 import { machinePresetFromRun } from "~/v3/machinePresets.server";
 import { ServiceValidationError } from "~/v3/services/baseService.server";
 import { isCancellableRunStatus, isFinalRunStatus, isPendingRunStatus } from "~/v3/taskStatus";
@@ -32,8 +34,10 @@ export type RunListOptions = {
   batchId?: string;
   runId?: string[];
   queues?: string[];
+  regions?: string[];
   machines?: MachinePresetName[];
   errorId?: string;
+  sources?: string[];
   //pagination
   direction?: Direction;
   cursor?: string;
@@ -70,8 +74,10 @@ export class NextRunListPresenter {
       batchId,
       runId,
       queues,
+      regions,
       machines,
       errorId,
+      sources,
       from,
       to,
       direction = "forward",
@@ -89,6 +95,7 @@ export class NextRunListPresenter {
     const hasStatusFilters = statuses && statuses.length > 0;
 
     const hasFilters =
+      (sources !== undefined && sources.length > 0) ||
       (tasks !== undefined && tasks.length > 0) ||
       (versions !== undefined && versions.length > 0) ||
       hasStatusFilters ||
@@ -98,6 +105,7 @@ export class NextRunListPresenter {
       batchId !== undefined ||
       (runId !== undefined && runId.length > 0) ||
       (queues !== undefined && queues.length > 0) ||
+      (regions !== undefined && regions.length > 0) ||
       (machines !== undefined && machines.length > 0) ||
       (errorId !== undefined && errorId !== "") ||
       typeof isTest === "boolean" ||
@@ -105,7 +113,7 @@ export class NextRunListPresenter {
       !time.isDefault;
 
     //get all possible tasks
-    const possibleTasksAsync = getAllTaskIdentifiers(this.replica, environmentId);
+    const possibleTasksAsync = getTaskIdentifiers(environmentId);
 
     //get possible bulk actions
     const bulkActionsAsync = this.replica.bulkActionGroup.findMany({
@@ -184,8 +192,10 @@ export class NextRunListPresenter {
       runId,
       bulkId,
       queues,
+      regions,
       machines,
       errorId,
+      taskKinds: sources,
       page: {
         size: pageSize,
         cursor,
@@ -250,17 +260,15 @@ export class NextRunListPresenter {
             name: run.queue.replace("task/", ""),
             type: run.queue.startsWith("task/") ? "task" : "custom",
           },
+          region: run.workerQueue ? baseWorkerQueue(run.workerQueue) : undefined,
+          taskKind: RunAnnotations.safeParse(run.annotations).data?.taskKind ?? "STANDARD",
         };
       }),
       pagination: {
         next: pagination.nextCursor ?? undefined,
         previous: pagination.previousCursor ?? undefined,
       },
-      possibleTasks: possibleTasks
-        .map((task) => ({ slug: task.slug, triggerSource: task.triggerSource }))
-        .sort((a, b) => {
-          return a.slug.localeCompare(b.slug);
-        }),
+      possibleTasks,
       bulkActions: bulkActions.map((bulkAction) => ({
         id: bulkAction.friendlyId,
         type: bulkAction.type,
diff --git a/apps/webapp/app/presenters/v3/PlaygroundPresenter.server.ts b/apps/webapp/app/presenters/v3/PlaygroundPresenter.server.ts
new file mode 100644
index 00000000000..656bc425cdf
--- /dev/null
+++ b/apps/webapp/app/presenters/v3/PlaygroundPresenter.server.ts
@@ -0,0 +1,147 @@
+import type { RuntimeEnvironmentType, TaskRunStatus, TaskTriggerSource } from "@trigger.dev/database";
+import { $replica } from "~/db.server";
+import { findCurrentWorkerFromEnvironment } from "~/v3/models/workerDeployment.server";
+import { isFinalRunStatus } from "~/v3/taskStatus";
+
+export type PlaygroundAgent = {
+  slug: string;
+  filePath: string;
+  triggerSource: TaskTriggerSource;
+  config: unknown;
+  payloadSchema: unknown;
+};
+
+export type PlaygroundConversation = {
+  id: string;
+  chatId: string;
+  title: string;
+  agentSlug: string;
+  runFriendlyId: string | null;
+  runStatus: TaskRunStatus | null;
+  clientData: unknown;
+  messages: unknown;
+  lastEventId: string | null;
+  isActive: boolean;
+  createdAt: Date;
+  updatedAt: Date;
+};
+
+export class PlaygroundPresenter {
+  async listAgents({
+    environmentId,
+    environmentType,
+  }: {
+    environmentId: string;
+    environmentType: RuntimeEnvironmentType;
+  }): Promise<PlaygroundAgent[]> {
+    const currentWorker = await findCurrentWorkerFromEnvironment(
+      { id: environmentId, type: environmentType },
+      $replica
+    );
+
+    if (!currentWorker) return [];
+
+    return $replica.backgroundWorkerTask.findMany({
+      where: {
+        workerId: currentWorker.id,
+        triggerSource: "AGENT",
+      },
+      select: {
+        slug: true,
+        filePath: true,
+        triggerSource: true,
+        config: true,
+        payloadSchema: true,
+      },
+      orderBy: { slug: "asc" },
+    });
+  }
+
+  async getAgent({
+    environmentId,
+    environmentType,
+    agentSlug,
+  }: {
+    environmentId: string;
+    environmentType: RuntimeEnvironmentType;
+    agentSlug: string;
+  }): Promise<PlaygroundAgent | null> {
+    const currentWorker = await findCurrentWorkerFromEnvironment(
+      { id: environmentId, type: environmentType },
+      $replica
+    );
+
+    if (!currentWorker) return null;
+
+    return $replica.backgroundWorkerTask.findFirst({
+      where: {
+        workerId: currentWorker.id,
+        triggerSource: "AGENT",
+        slug: agentSlug,
+      },
+      select: {
+        slug: true,
+        filePath: true,
+        triggerSource: true,
+        config: true,
+        payloadSchema: true,
+      },
+    });
+  }
+
+  async getRecentConversations({
+    environmentId,
+    agentSlug,
+    userId,
+    limit = 10,
+  }: {
+    environmentId: string;
+    agentSlug: string;
+    userId: string;
+    limit?: number;
+  }): Promise<PlaygroundConversation[]> {
+    const conversations = await $replica.playgroundConversation.findMany({
+      where: {
+        runtimeEnvironmentId: environmentId,
+        agentSlug,
+        userId,
+      },
+      select: {
+        id: true,
+        chatId: true,
+        title: true,
+        agentSlug: true,
+        clientData: true,
+        messages: true,
+        lastEventId: true,
+        createdAt: true,
+        updatedAt: true,
+        run: {
+          select: {
+            friendlyId: true,
+            status: true,
+          },
+        },
+      },
+      orderBy: { updatedAt: "desc" },
+      take: limit,
+    });
+
+    return conversations.map((c) => ({
+      id: c.id,
+      chatId: c.chatId,
+      title: c.title,
+      agentSlug: c.agentSlug,
+      runFriendlyId: c.run?.friendlyId ?? null,
+      runStatus: c.run?.status ?? null,
+      clientData: c.clientData,
+      messages: c.messages,
+      lastEventId: c.lastEventId,
+      isActive: c.run?.status ? !isFinalRunStatus(c.run.status) : false,
+      createdAt: c.createdAt,
+      updatedAt: c.updatedAt,
+    }));
+  }
+}
+
+export const playgroundPresenter = new PlaygroundPresenter();
diff --git a/apps/webapp/app/presenters/v3/RegionsPresenter.server.ts b/apps/webapp/app/presenters/v3/RegionsPresenter.server.ts
index 55bd30e33be..2dd5a448cb4 100644
--- a/apps/webapp/app/presenters/v3/RegionsPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/RegionsPresenter.server.ts
@@ -1,3 +1,4 @@
+import { type WorkloadType } from "@trigger.dev/database";
 import { type Project } from "~/models/project.server";
 import { type User } from "~/models/user.server";
 import { FEATURE_FLAG } from "~/v3/featureFlags";
@@ -9,12 +10,14 @@ import { getCurrentPlan } from "~/services/platform.v3.server";
 export type Region = {
   id: string;
   name: string;
+  masterQueue: string;
   description?: string;
   cloudProvider?: string;
   location?: string;
   staticIPs?: string | null;
   isDefault: boolean;
   isHidden: boolean;
+  workloadType: WorkloadType;
 };
 
 export class RegionsPresenter extends BasePresenter {
@@ -71,11 +74,13 @@ export class RegionsPresenter extends BasePresenter {
       select: {
         id: true,
         name: true,
+        masterQueue: true,
         description: true,
         cloudProvider: true,
         location: true,
         staticIPs: true,
         hidden: true,
+        workloadType: true,
       },
       where: isAdmin
         ? undefined
@@ -93,12 +98,14 @@ export class RegionsPresenter extends BasePresenter {
     const regions: Region[] = visibleRegions.map((region) => ({
       id: region.id,
       name: region.name,
+      masterQueue: region.masterQueue,
       description: region.description ?? undefined,
       cloudProvider: region.cloudProvider ?? undefined,
       location: region.location ?? undefined,
       staticIPs: region.staticIPs ?? undefined,
       isDefault: region.id === defaultWorkerInstanceGroupId,
       isHidden: region.hidden,
+      workloadType: region.workloadType,
     }));
 
     if (project.defaultWorkerGroupId) {
@@ -106,11 +113,13 @@ export class RegionsPresenter extends BasePresenter {
         select: {
           id: true,
           name: true,
+          masterQueue: true,
           description: true,
           cloudProvider: true,
           location: true,
           staticIPs: true,
           hidden: true,
+          workloadType: true,
         },
         where: { id: project.defaultWorkerGroupId },
       });
@@ -125,12 +134,14 @@ export class RegionsPresenter extends BasePresenter {
         regions.push({
           id: defaultWorkerGroup.id,
           name: defaultWorkerGroup.name,
+          masterQueue: defaultWorkerGroup.masterQueue,
           description: defaultWorkerGroup.description ?? undefined,
           cloudProvider: defaultWorkerGroup.cloudProvider ?? undefined,
           location: defaultWorkerGroup.location ?? undefined,
           staticIPs: defaultWorkerGroup.staticIPs ?? undefined,
           isDefault: true,
           isHidden: defaultWorkerGroup.hidden,
+          workloadType: defaultWorkerGroup.workloadType,
         });
       }
     }
diff --git a/apps/webapp/app/presenters/v3/RunPresenter.server.ts b/apps/webapp/app/presenters/v3/RunPresenter.server.ts
index 5e8dab2d0b6..365206ee75d 100644
--- a/apps/webapp/app/presenters/v3/RunPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/RunPresenter.server.ts
@@ -3,11 +3,11 @@ import { createTreeFromFlatItems, flattenTree } from "~/components/primitives/Tr
 import { prisma, type PrismaClient } from "~/db.server";
 import { createTimelineSpanEventsFromSpanEvents } from "~/utils/timelineSpanEvents";
 import { getUsername } from "~/utils/username";
-import { resolveEventRepositoryForStore } from "~/v3/eventRepository/index.server";
 import { SpanSummary } from "~/v3/eventRepository/eventRepository.types";
 import { getTaskEventStoreTableForRun } from "~/v3/taskEventStore.server";
 import { isFinalRunStatus } from "~/v3/taskStatus";
 import { env } from "~/env.server";
+import { getEventRepositoryForStore } from "~/v3/eventRepository/index.server";
 
 type Result = Awaited<ReturnType<RunPresenter["call"]>>;
 export type Run = Result["run"];
@@ -20,6 +20,20 @@ export class RunEnvironmentMismatchError extends Error {
   }
 }
 
+// Thrown by `call()` when the run isn't in PG. The route loader catches
+// this and falls back to the mollifier buffer via `tryMollifiedRunFallback`.
+// Using a typed error (rather than Prisma's `findFirstOrThrow` exception)
+// keeps the buffered case off the PrismaClient error path — that path
+// emits a `PrismaClient error` log every time it fires, which on the
+// run-detail page polls becomes per-tick log spam and Sentry noise for
+// any run that legitimately lives in the buffer.
+export class RunNotInPgError extends Error {
+  constructor(public readonly runFriendlyId: string) {
+    super(`Run ${runFriendlyId} not in PG`);
+    this.name = "RunNotInPgError";
+  }
+}
+
 export class RunPresenter {
   #prismaClient: PrismaClient;
 
@@ -42,7 +56,13 @@ export class RunPresenter {
     showDeletedLogs: boolean;
     showDebug: boolean;
   }) {
-    const run = await this.#prismaClient.taskRun.findFirstOrThrow({
+    // `findFirst` + explicit null check (not `findFirstOrThrow`) because
+    // a missing PG row is the *expected* path for buffered runs — the
+    // route catches `RunNotInPgError` and falls back to the synthesised
+    // buffer view. `findFirstOrThrow` would log a `PrismaClient error`
+    // every tick of the page poll, masking real DB issues with synthetic
+    // not-found noise.
+    const run = await this.#prismaClient.taskRun.findFirst({
       select: {
         id: true,
         createdAt: true,
@@ -106,6 +126,10 @@ export class RunPresenter {
       },
     });
 
+    if (!run) {
+      throw new RunNotInPgError(runFriendlyId);
+    }
+
     if (environmentSlug !== run.runtimeEnvironment.slug) {
       throw new RunEnvironmentMismatchError(
         `Run ${runFriendlyId} is not in environment ${environmentSlug}`
@@ -145,10 +169,13 @@ export class RunPresenter {
       };
     }
 
-    const eventRepository = resolveEventRepositoryForStore(run.taskEventStore);
+    const repository = await getEventRepositoryForStore(
+      run.taskEventStore,
+      run.runtimeEnvironment.organizationId
+    );
 
     // get the events
-    let traceSummary = await eventRepository.getTraceSummary(
+    let traceSummary = await repository.getTraceSummary(
       getTaskEventStoreTableForRun(run),
       run.runtimeEnvironment.id,
       run.traceId,
@@ -228,12 +255,16 @@ export class RunPresenter {
             linkedRunIdBySpanId[n.id] = n.runId;
           }
 
+          // Raw span events are only needed server-side (to derive timelineEvents);
+          // keep them out of the serialized loader payload.
+          const { events: spanEvents, ...data } = n.data;
+
           return {
             ...n,
             data: {
-              ...n.data,
+              ...data,
               timelineEvents: createTimelineSpanEventsFromSpanEvents(
-                n.data.events,
+                spanEvents,
                 user?.admin ?? false,
                 treeRootStartTimeMs
               ),
@@ -272,7 +303,7 @@ export class RunPresenter {
         overridesBySpanId: traceSummary.overridesBySpanId,
         linkedRunIdBySpanId,
       },
-      maximumLiveReloadingSetting: eventRepository.maximumLiveReloadingSetting,
+      maximumLiveReloadingSetting: repository.maximumLiveReloadingSetting,
     };
   }
 }
diff --git a/apps/webapp/app/presenters/v3/RunStreamPresenter.server.ts b/apps/webapp/app/presenters/v3/RunStreamPresenter.server.ts
index 1dd4edc6233..e0e88e4dd02 100644
--- a/apps/webapp/app/presenters/v3/RunStreamPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/RunStreamPresenter.server.ts
@@ -1,8 +1,11 @@
 import { type PrismaClient, prisma } from "~/db.server";
 import { logger } from "~/services/logger.server";
+import { requireUserId } from "~/services/session.server";
 import { singleton } from "~/utils/singleton";
-import { createSSELoader, SendFunction } from "~/utils/sse";
+import { ABORT_REASON_SEND_ERROR, createSSELoader, SendFunction } from "~/utils/sse";
 import { throttle } from "~/utils/throttle";
+import { getMollifierBuffer } from "~/v3/mollifier/mollifierBuffer.server";
+import { deserialiseMollifierSnapshot } from "~/v3/mollifier/mollifierSnapshot.server";
 import { tracePubSub } from "~/v3/services/tracePubSub.server";
 
 const PING_INTERVAL = 5_000;
@@ -28,26 +31,79 @@ export class RunStreamPresenter {
           throw new Response("Missing runParam", { status: 400 });
         }
 
+        const userId = await requireUserId(context.request);
+
+        // Scope the lookup to organizations the requesting user is a member
+        // of, matching RunPresenter's run lookup. Unauthorized and missing
+        // runs are indistinguishable (both 404).
         const run = await prismaClient.taskRun.findFirst({
           where: {
             friendlyId: runFriendlyId,
+            project: {
+              organization: {
+                members: {
+                  some: {
+                    userId,
+                  },
+                },
+              },
+            },
           },
           select: {
             traceId: true,
           },
         });
 
-        if (!run) {
+        // Fall back to the mollifier buffer when the run isn't in PG yet.
+        // The buffered run has no execution events to stream, but we still
+        // attach a trace-pubsub subscription using the snapshot's traceId
+        // so that the moment the drainer materialises the row and execution
+        // begins, those events flow to this open SSE connection. Closing
+        // with 404 would force the dashboard to keep retrying.
+        let traceId: string | null = run?.traceId ?? null;
+        if (!traceId) {
+          const buffer = getMollifierBuffer();
+          if (buffer) {
+            try {
+              const entry = await buffer.getEntry(runFriendlyId);
+              // Same membership scoping as the PG lookup above — the buffer
+              // entry carries the owning org's id.
+              const isMember = entry
+                ? (await prismaClient.orgMember.findFirst({
+                    where: { organizationId: entry.orgId, userId },
+                    select: { id: true },
+                  })) !== null
+                : false;
+              if (entry && isMember) {
+                // Go through the webapp wrapper so this read-side module
+                // shares a single deserialisation path with readFallback —
+                // see the contract comment in syntheticRedirectInfo.server.ts.
+                const snapshot = deserialiseMollifierSnapshot(entry.payload);
+                if (typeof snapshot.traceId === "string") {
+                  traceId = snapshot.traceId;
+                }
+              }
+            } catch (err) {
+              logger.warn("RunStreamPresenter buffer fallback failed", {
+                runFriendlyId,
+                err: err instanceof Error ? err.message : String(err),
+              });
+            }
+          }
+        }
+
+        if (!traceId) {
           throw new Response("Not found", { status: 404 });
         }
+        const resolvedRun = { traceId };
 
         logger.info("RunStreamPresenter.start", {
           runFriendlyId,
-          traceId: run.traceId,
+          traceId: resolvedRun.traceId,
         });
 
         // Subscribe to trace updates
-        const { unsubscribe, eventEmitter } = await tracePubSub.subscribeToTrace(run.traceId);
+        const { unsubscribe, eventEmitter } = await tracePubSub.subscribeToTrace(resolvedRun.traceId);
 
         // Only send max every 1 second
         const throttledSend = throttle(
@@ -66,8 +122,10 @@ export class RunStreamPresenter {
                   });
                 }
               }
-              // Abort the stream on send error
-              context.controller.abort("Send error");
+              // Abort the stream on send error. Uses a stackless string sentinel
+              // from sse.ts — a no-arg abort() would create a DOMException with a
+              // stack trace, which is unnecessary retention on the signal.reason.
+              context.controller.abort(ABORT_REASON_SEND_ERROR);
             }
           },
           1000
@@ -103,7 +161,7 @@ export class RunStreamPresenter {
           cleanup: () => {
             logger.info("RunStreamPresenter.cleanup", {
               runFriendlyId,
-              traceId: run.traceId,
+              traceId: resolvedRun.traceId,
             });
 
             // Remove message listener
@@ -117,13 +175,13 @@ export class RunStreamPresenter {
               .then(() => {
                 logger.info("RunStreamPresenter.cleanup.unsubscribe succeeded", {
                   runFriendlyId,
-                  traceId: run.traceId,
+                  traceId: resolvedRun.traceId,
                 });
               })
               .catch((error) => {
                 logger.error("RunStreamPresenter.cleanup.unsubscribe failed", {
                   runFriendlyId,
-                  traceId: run.traceId,
+                  traceId: resolvedRun.traceId,
                   error: {
                     name: error.name,
                     message: error.message,
diff --git a/apps/webapp/app/presenters/v3/RunTagListPresenter.server.ts b/apps/webapp/app/presenters/v3/RunTagListPresenter.server.ts
index e9de368eceb..c4b524ec329 100644
--- a/apps/webapp/app/presenters/v3/RunTagListPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/RunTagListPresenter.server.ts
@@ -1,6 +1,6 @@
 import { RunsRepository } from "~/services/runsRepository/runsRepository.server";
 import { BasePresenter } from "./basePresenter.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { type PrismaClient } from "@trigger.dev/database";
 import { timeFilters } from "~/components/runs/v3/SharedFilters";
 
@@ -37,8 +37,9 @@ export class RunTagListPresenter extends BasePresenter {
   }: TagListOptions) {
     const hasFilters = Boolean(name?.trim());
 
+    const clickhouse = await clickhouseFactory.getClickhouseForOrganization(organizationId, "standard");
     const runsRepository = new RunsRepository({
-      clickhouse: clickhouseClient,
+      clickhouse,
       prisma: this._replica as PrismaClient,
     });
 
diff --git a/apps/webapp/app/presenters/v3/ScheduleListPresenter.server.ts b/apps/webapp/app/presenters/v3/ScheduleListPresenter.server.ts
index 053414dcfc7..19812b0a548 100644
--- a/apps/webapp/app/presenters/v3/ScheduleListPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/ScheduleListPresenter.server.ts
@@ -1,11 +1,15 @@
 import { type RuntimeEnvironmentType, type ScheduleType } from "@trigger.dev/database";
 import { type ScheduleListFilters } from "~/components/runs/v3/ScheduleFilters";
 import { displayableEnvironment } from "~/models/runtimeEnvironment.server";
+import { getTaskIdentifiers } from "~/models/task.server";
 import { getLimit } from "~/services/platform.v3.server";
 import { findCurrentWorkerFromEnvironment } from "~/v3/models/workerDeployment.server";
 import { ServiceValidationError } from "~/v3/services/baseService.server";
 import { CheckScheduleService } from "~/v3/services/checkSchedule.server";
-import { calculateNextScheduledTimestampFromNow } from "~/v3/utils/calculateNextSchedule.server";
+import {
+  calculateNextScheduledTimestampFromNow,
+  previousScheduledTimestamp,
+} from "~/v3/utils/calculateNextSchedule.server";
 import { BasePresenter } from "./basePresenter.server";
 
 type ScheduleListOptions = {
@@ -123,14 +127,10 @@ export class ScheduleListPresenter extends BasePresenter {
     }
 
     //get all possible scheduled tasks
-    const possibleTasks = await this._replica.backgroundWorkerTask.findMany({
-      where: {
-        workerId: latestWorker.id,
-        projectId: project.id,
-        runtimeEnvironmentId: environmentId,
-        triggerSource: "SCHEDULED",
-      },
-    });
+    const allIdentifiers = await getTaskIdentifiers(environmentId);
+    const possibleTasks = allIdentifiers
+      .filter((t) => t.triggerSource === "SCHEDULED" && t.isInLatestDeployment)
+      .map((t) => ({ slug: t.slug }));
 
     //do this here to protect against SQL injection
     search = search && search !== "" ? `%${search}%` : undefined;
@@ -196,8 +196,8 @@ export class ScheduleListPresenter extends BasePresenter {
           },
         },
         active: true,
-        lastRunTriggeredAt: true,
         createdAt: true,
+        updatedAt: true,
       },
       where: {
         projectId: project.id,
@@ -247,6 +247,29 @@ export class ScheduleListPresenter extends BasePresenter {
     });
 
     const schedules: ScheduleListItem[] = rawSchedules.map((schedule) => {
+      // Approximate "last run" from the cron's previous slot. Skip inactive
+      // schedules — the cron's previous slot reflects what *would* have
+      // fired, but a deactivated schedule didn't actually fire there. Skip
+      // when the cron's previous slot predates `updatedAt`: any config
+      // change (cron edited, timezone changed, deactivate/reactivate)
+      // bumps updatedAt, and a slot from before the most recent change
+      // didn't fire under the current configuration. cron-parser throws
+      // on malformed expressions, so degrade to undefined per-row rather
+      // than failing the whole list. UI is best-effort; the runs page is
+      // the source of truth.
+      let lastRun: Date | undefined;
+      if (schedule.active) {
+        try {
+          const cronPrev = previousScheduledTimestamp(
+            schedule.generatorExpression,
+            schedule.timezone
+          );
+          lastRun = cronPrev.getTime() > schedule.updatedAt.getTime() ? cronPrev : undefined;
+        } catch {
+          lastRun = undefined;
+        }
+      }
+
       return {
         id: schedule.id,
         type: schedule.type,
@@ -259,7 +282,7 @@ export class ScheduleListPresenter extends BasePresenter {
         timezone: schedule.timezone,
         active: schedule.active,
         externalId: schedule.externalId,
-        lastRun: schedule.lastRunTriggeredAt ?? undefined,
+        lastRun,
         nextRun: calculateNextScheduledTimestampFromNow(
           schedule.generatorExpression,
           schedule.timezone
@@ -285,7 +308,7 @@ export class ScheduleListPresenter extends BasePresenter {
       totalPages: Math.ceil(totalCount / pageSize),
       totalCount: totalCount,
       schedules,
-      possibleTasks: possibleTasks.map((task) => task.slug).sort((a, b) => a.localeCompare(b)),
+      possibleTasks: possibleTasks.map((task) => task.slug),
       hasFilters,
       limits: {
         used: schedulesCount,
diff --git a/apps/webapp/app/presenters/v3/SessionListPresenter.server.ts b/apps/webapp/app/presenters/v3/SessionListPresenter.server.ts
new file mode 100644
index 00000000000..df68569c85d
--- /dev/null
+++ b/apps/webapp/app/presenters/v3/SessionListPresenter.server.ts
@@ -0,0 +1,227 @@
+import { type Span } from "@opentelemetry/api";
+import { type ClickHouse } from "@internal/clickhouse";
+import { type PrismaClient, type PrismaClientOrTransaction } from "@trigger.dev/database";
+import { type Direction } from "~/components/ListPagination";
+import { timeFilters } from "~/components/runs/v3/SharedFilters";
+import { findDisplayableEnvironment } from "~/models/runtimeEnvironment.server";
+import {
+  type SessionStatus,
+  SessionsRepository,
+} from "~/services/sessionsRepository/sessionsRepository.server";
+import { ServiceValidationError } from "~/v3/services/baseService.server";
+import { startActiveSpan } from "~/v3/tracer.server";
+
+export type SessionListOptions = {
+  userId?: string;
+  projectId: string;
+  // filters
+  types?: string[];
+  taskIdentifiers?: string[];
+  externalId?: string;
+  tags?: string[];
+  statuses?: SessionStatus[];
+  period?: string;
+  from?: number;
+  to?: number;
+  // pagination
+  direction?: Direction;
+  cursor?: string;
+  pageSize?: number;
+};
+
+const DEFAULT_PAGE_SIZE = 25;
+
+export type SessionList = Awaited<ReturnType<SessionListPresenter["call"]>>;
+export type SessionListItem = SessionList["sessions"][0];
+export type SessionListAppliedFilters = SessionList["filters"];
+
+export class SessionListPresenter {
+  constructor(
+    private readonly replica: PrismaClientOrTransaction,
+    private readonly clickhouse: ClickHouse
+  ) {}
+
+  public async call(
+    organizationId: string,
+    environmentId: string,
+    options: SessionListOptions
+  ) {
+    return startActiveSpan(
+      "SessionListPresenter.call",
+      (span) => this.#call(organizationId, environmentId, options, span),
+      {
+        attributes: {
+          organizationId,
+          environmentId,
+          projectId: options.projectId,
+        },
+      }
+    );
+  }
+
+  async #call(
+    organizationId: string,
+    environmentId: string,
+    {
+      userId,
+      projectId,
+      types,
+      taskIdentifiers,
+      externalId,
+      tags,
+      statuses,
+      period,
+      from,
+      to,
+      direction = "forward",
+      cursor,
+      pageSize = DEFAULT_PAGE_SIZE,
+    }: SessionListOptions,
+    rootSpan: Span
+  ) {
+    const time = timeFilters({ period, from, to });
+
+    const hasFilters =
+      (types !== undefined && types.length > 0) ||
+      (taskIdentifiers !== undefined && taskIdentifiers.length > 0) ||
+      (externalId !== undefined && externalId !== "") ||
+      (tags !== undefined && tags.length > 0) ||
+      (statuses !== undefined && statuses.length > 0) ||
+      !time.isDefault;
+
+    rootSpan.setAttribute("filters.hasFilters", hasFilters);
+    rootSpan.setAttribute("page.size", pageSize);
+    if (cursor) rootSpan.setAttribute("page.cursor", cursor);
+
+    const displayableEnvironment = await startActiveSpan(
+      "SessionListPresenter.findDisplayableEnvironment",
+      () => findDisplayableEnvironment(environmentId, userId)
+    );
+    if (!displayableEnvironment) {
+      throw new ServiceValidationError("No environment found");
+    }
+
+    const sessionsRepository = new SessionsRepository({
+      clickhouse: this.clickhouse,
+      prisma: this.replica as PrismaClient,
+    });
+
+    function clampToNow(date: Date): Date {
+      const now = new Date();
+      return date > now ? now : date;
+    }
+
+    const { sessions, pagination } = await sessionsRepository.listSessions({
+      organizationId,
+      projectId,
+      environmentId,
+      types,
+      taskIdentifiers,
+      externalId,
+      tags,
+      statuses,
+      period,
+      from: time.from ? time.from.getTime() : undefined,
+      to: time.to ? clampToNow(time.to).getTime() : undefined,
+      page: {
+        size: pageSize,
+        cursor,
+        direction,
+      },
+    });
+
+    rootSpan.setAttribute("page.count", sessions.length);
+
+    let hasAnySessions = sessions.length > 0;
+    if (!hasAnySessions) {
+      const firstSession = await startActiveSpan(
+        "SessionListPresenter.hasAnySessions",
+        () =>
+          this.replica.session.findFirst({
+            where: { runtimeEnvironmentId: environmentId },
+            select: { id: true },
+          })
+      );
+      if (firstSession) {
+        hasAnySessions = true;
+      }
+    }
+
+    // Resolve current-run friendlyIds in one query so each row can link to
+    // its live run. Status is intentionally not joined yet — that lives in
+    // ClickHouse and would mean a second query per page; the link itself
+    // is the value most viewers want first.
+    const currentRunIds = sessions
+      .map((s) => s.currentRunId)
+      .filter((id): id is string => Boolean(id));
+
+    const currentRuns = await startActiveSpan(
+      "SessionListPresenter.findCurrentRuns",
+      async (span) => {
+        span.setAttribute("currentRunIds.count", currentRunIds.length);
+        // Scope by projectId + runtimeEnvironmentId — Session.currentRunId
+        // is a plain string column without an FK, so a stale or corrupted
+        // pointer could surface another tenant's run. The list query above
+        // is already env-scoped; the run lookup needs the same fence.
+        return currentRunIds.length > 0
+          ? this.replica.taskRun.findMany({
+              where: {
+                id: { in: currentRunIds },
+                projectId,
+                runtimeEnvironmentId: environmentId,
+              },
+              select: { id: true, friendlyId: true },
+            })
+          : [];
+      }
+    );
+    const runById = new Map(currentRuns.map((r) => [r.id, r] as const));
+
+    const now = Date.now();
+
+    return {
+      sessions: sessions.map((session) => {
+        const status: SessionStatus =
+          session.closedAt != null
+            ? "CLOSED"
+            : session.expiresAt != null && session.expiresAt.getTime() < now
+              ? "EXPIRED"
+              : "ACTIVE";
+
+        const currentRun = session.currentRunId ? runById.get(session.currentRunId) : undefined;
+
+        return {
+          id: session.id,
+          friendlyId: session.friendlyId,
+          externalId: session.externalId,
+          type: session.type,
+          taskIdentifier: session.taskIdentifier,
+          tags: session.tags ? [...session.tags].sort((a, b) => a.localeCompare(b)) : [],
+          status,
+          closedAt: session.closedAt ? session.closedAt.toISOString() : undefined,
+          closedReason: session.closedReason ?? undefined,
+          expiresAt: session.expiresAt ? session.expiresAt.toISOString() : undefined,
+          createdAt: session.createdAt.toISOString(),
+          updatedAt: session.updatedAt.toISOString(),
+          environment: displayableEnvironment,
+          currentRunFriendlyId: currentRun?.friendlyId,
+        };
+      }),
+      pagination: {
+        next: pagination.nextCursor ?? undefined,
+        previous: pagination.previousCursor ?? undefined,
+      },
+      filters: {
+        types: types ?? [],
+        taskIdentifiers: taskIdentifiers ?? [],
+        externalId,
+        tags: tags ?? [],
+        statuses: statuses ?? [],
+        from: time.from,
+        to: time.to,
+      },
+      hasFilters,
+      hasAnySessions,
+    };
+  }
+}
diff --git a/apps/webapp/app/presenters/v3/SessionPresenter.server.ts b/apps/webapp/app/presenters/v3/SessionPresenter.server.ts
new file mode 100644
index 00000000000..c63f9e39a2a
--- /dev/null
+++ b/apps/webapp/app/presenters/v3/SessionPresenter.server.ts
@@ -0,0 +1,206 @@
+import { type Span } from "@opentelemetry/api";
+import { type PrismaClientOrTransaction } from "@trigger.dev/database";
+import { env } from "~/env.server";
+import { findDisplayableEnvironment } from "~/models/runtimeEnvironment.server";
+import { chatSnapshotStorageKey } from "~/services/realtime/chatSnapshot.server";
+import { resolveSessionByIdOrExternalId } from "~/services/realtime/sessions.server";
+import { logger } from "~/services/logger.server";
+import { generatePresignedUrl } from "~/v3/objectStore.server";
+import { ServiceValidationError } from "~/v3/services/baseService.server";
+import { startActiveSpan } from "~/v3/tracer.server";
+
+export type SessionDetail = NonNullable<Awaited<ReturnType<SessionPresenter["call"]>>>;
+
+export class SessionPresenter {
+  constructor(private readonly replica: PrismaClientOrTransaction) {}
+
+  public async call(args: {
+    userId: string;
+    environmentId: string;
+    sessionParam: string;
+    projectExternalRef: string;
+    environmentSlug: string;
+  }) {
+    return startActiveSpan(
+      "SessionPresenter.call",
+      (span) => this.#call(args, span),
+      {
+        attributes: {
+          environmentId: args.environmentId,
+          sessionParam: args.sessionParam,
+        },
+      }
+    );
+  }
+
+  async #call(
+    {
+      userId,
+      environmentId,
+      sessionParam,
+      projectExternalRef,
+      environmentSlug,
+    }: {
+      userId: string;
+      environmentId: string;
+      sessionParam: string;
+      projectExternalRef: string;
+      environmentSlug: string;
+    },
+    rootSpan: Span
+  ) {
+    const session = await startActiveSpan(
+      "SessionPresenter.resolveSession",
+      () => resolveSessionByIdOrExternalId(this.replica, environmentId, sessionParam)
+    );
+    if (!session) {
+      rootSpan.setAttribute("session.found", false);
+      return null;
+    }
+    rootSpan.setAttribute("session.found", true);
+    rootSpan.setAttribute("session.id", session.id);
+
+    const displayableEnvironment = await startActiveSpan(
+      "SessionPresenter.findDisplayableEnvironment",
+      () => findDisplayableEnvironment(environmentId, userId)
+    );
+    if (!displayableEnvironment) {
+      throw new ServiceValidationError("No environment found");
+    }
+
+    // Run history is append-only; latest first matches the runs list.
+    // 50 covers the vast majority of sessions; longer histories link out
+    // to the runs page via tag filter.
+    const sessionRuns = await startActiveSpan(
+      "SessionPresenter.findSessionRuns",
+      async (span) => {
+        const rows = await this.replica.sessionRun.findMany({
+          where: { sessionId: session.id },
+          orderBy: { triggeredAt: "desc" },
+          take: 50,
+          select: {
+            id: true,
+            runId: true,
+            reason: true,
+            triggeredAt: true,
+          },
+        });
+        span.setAttribute("sessionRuns.count", rows.length);
+        return rows;
+      }
+    );
+
+    const runIds = sessionRuns.map((r) => r.runId);
+    const runs = await startActiveSpan(
+      "SessionPresenter.findRuns",
+      async (span) => {
+        span.setAttribute("runIds.count", runIds.length);
+        return runIds.length > 0
+          ? this.replica.taskRun.findMany({
+              where: { id: { in: runIds } },
+              select: { id: true, friendlyId: true, status: true },
+            })
+          : [];
+      }
+    );
+    const runsById = new Map(runs.map((r) => [r.id, r] as const));
+
+    const currentRun = session.currentRunId
+      ? runsById.get(session.currentRunId) ??
+        (await startActiveSpan(
+          "SessionPresenter.findCurrentRunFallback",
+          () =>
+            this.replica.taskRun.findFirst({
+              where: { id: session.currentRunId! },
+              select: { id: true, friendlyId: true, status: true },
+            })
+        ))
+      : null;
+
+    // The dashboard SSE route is cookie-authed, so `publicAccessToken` is
+    // unused — kept here to match the existing `AgentViewAuth` shape.
+    const addressingKey = session.externalId ?? session.friendlyId;
+
+    // Presign a GET URL for the agent's S3 snapshot blob. The browser
+    // fetches it directly, parses + validates, and seeds the
+    // TriggerChatTransport with the full history + lastEventId before
+    // opening the SSE. Presign succeeds regardless of whether the blob
+    // exists; the frontend handles 404 gracefully.
+    //
+    // Snapshots are only written when no `hydrateMessages` hook is
+    // registered — sessions that use `hydrateMessages` will 404 here
+    // and the dashboard falls back to seq=0 SSE (which, post-trim,
+    // shows only the most recent turn — accepted, those customers
+    // have their own DB-backed dashboards).
+    // Resolve the snapshot key via the SAME helper the SDK write + boot read
+    // use (`chatSnapshotStorageKey`), so the dashboard GET hits the exact
+    // object (and object store) the snapshot was written to. Recomputing a
+    // bare key here was the bug: an unqualified key reads the base store while
+    // the write applied OBJECT_STORE_DEFAULT_PROTOCOL, so they could diverge.
+    let snapshotPresignedUrl: string | undefined;
+    try {
+      const signed = await startActiveSpan(
+        "SessionPresenter.presignSnapshot",
+        async () =>
+          generatePresignedUrl(
+            projectExternalRef,
+            environmentSlug,
+            chatSnapshotStorageKey(session),
+            "GET"
+          )
+      );
+      if (signed.success) {
+        snapshotPresignedUrl = signed.url;
+      } else {
+        logger.warn("SessionPresenter: snapshot presign failed", {
+          sessionId: session.id,
+          error: signed.error,
+        });
+      }
+    } catch (error) {
+      logger.warn("SessionPresenter: snapshot presign threw", {
+        sessionId: session.id,
+        error: error instanceof Error ? error.message : String(error),
+      });
+    }
+
+    return {
+      id: session.id,
+      friendlyId: session.friendlyId,
+      externalId: session.externalId,
+      type: session.type,
+      taskIdentifier: session.taskIdentifier,
+      tags: session.tags ? [...session.tags].sort((a, b) => a.localeCompare(b)) : [],
+      metadata: session.metadata,
+      triggerConfig: session.triggerConfig,
+      streamBasinName: session.streamBasinName,
+      closedAt: session.closedAt ? session.closedAt.toISOString() : undefined,
+      closedReason: session.closedReason ?? undefined,
+      expiresAt: session.expiresAt ? session.expiresAt.toISOString() : undefined,
+      createdAt: session.createdAt.toISOString(),
+      updatedAt: session.updatedAt.toISOString(),
+      environment: displayableEnvironment,
+      currentRun: currentRun
+        ? { friendlyId: currentRun.friendlyId, status: currentRun.status }
+        : null,
+      runs: sessionRuns.map((r) => {
+        const run = runsById.get(r.runId);
+        return {
+          id: r.id,
+          reason: r.reason,
+          triggeredAt: r.triggeredAt.toISOString(),
+          run: run
+            ? { friendlyId: run.friendlyId, status: run.status }
+            : null,
+        };
+      }),
+      agentView: {
+        publicAccessToken: "",
+        apiOrigin: env.API_ORIGIN || env.LOGIN_ORIGIN,
+        sessionId: addressingKey,
+        initialMessages: [],
+        snapshotPresignedUrl,
+      },
+    };
+  }
+}
diff --git a/apps/webapp/app/presenters/v3/SpanPresenter.server.ts b/apps/webapp/app/presenters/v3/SpanPresenter.server.ts
index 0ea9b37ab7f..bd0ac5c540a 100644
--- a/apps/webapp/app/presenters/v3/SpanPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/SpanPresenter.server.ts
@@ -1,18 +1,21 @@
 import {
   type MachinePreset,
   prettyPrintPacket,
+  RunAnnotations,
   SemanticInternalAttributes,
   type TaskRunContext,
   TaskRunError,
   TriggerTraceContext,
   type V3TaskRunContext,
 } from "@trigger.dev/core/v3";
+
 import { AttemptId, getMaxDuration, parseTraceparent } from "@trigger.dev/core/v3/isomorphic";
 import {
   extractIdempotencyKeyScope,
   getUserProvidedIdempotencyKey,
 } from "@trigger.dev/core/v3/serverOnly";
 import { RUNNING_STATUSES } from "~/components/runs/v3/TaskRunStatus";
+import { baseWorkerQueue } from "~/runEngine/concerns/workerQueueSplit.server";
 import { logger } from "~/services/logger.server";
 import { rehydrateAttribute } from "~/v3/eventRepository/eventRepository.server";
 import { machinePresetFromRun } from "~/v3/machinePresets.server";
@@ -21,7 +24,6 @@ import { isFailedRunStatus, isFinalRunStatus } from "~/v3/taskStatus";
 import { BasePresenter } from "./basePresenter.server";
 import { WaitpointPresenter } from "./WaitpointPresenter.server";
 import { engine } from "~/v3/runEngine.server";
-import { resolveEventRepositoryForStore } from "~/v3/eventRepository/index.server";
 import { IEventRepository, SpanDetail } from "~/v3/eventRepository/eventRepository.types";
 import { safeJsonParse } from "~/utils/json";
 import {
@@ -30,6 +32,9 @@ import {
   extractAIToolCallData,
   extractAIEmbedData,
 } from "~/components/runs/v3/ai";
+import { getEventRepositoryForStore } from "~/v3/eventRepository/index.server";
+import { findRunByIdWithMollifierFallback } from "~/v3/mollifier/readFallback.server";
+import { buildSyntheticSpanRun } from "~/v3/mollifier/syntheticSpanRun.server";
 
 export type PromptSpanData = {
   slug: string;
@@ -42,9 +47,7 @@ export type PromptSpanData = {
   config?: string;
 };
 
-function extractPromptSpanData(
-  properties: Record<string, unknown>
-): PromptSpanData | undefined {
+function extractPromptSpanData(properties: Record<string, unknown>): PromptSpanData | undefined {
   // Properties come as an unflattened nested object from ClickHouse,
   // e.g. { prompt: { slug: "...", version: 3, ... } }
   const prompt = properties.prompt;
@@ -72,9 +75,21 @@ function extractPromptSpanData(
   };
 }
 
+// SpanRun is grounded in the PG-path `getRun` method rather than
+// inferred from `call`'s return type. The buffered branch of `call`
+// routes through `buildSyntheticSpanRun`, and that helper is annotated
+// `Promise<SpanRun>` — if SpanRun were derived from `call` it would
+// close a loop TS no longer tolerates ("Type alias 'Result' circularly
+// references itself"). `getRun` is the canonical source for the shape
+// (the synthetic helper just rebuilds the same shape from a buffer
+// snapshot), and it doesn't recurse, so grounding here breaks the
+// cycle while keeping Span available off `call` (Span's path through
+// `#getSpan` has no synthetic indirection).
+export type SpanRun = NonNullable<
+  Awaited<ReturnType<InstanceType<typeof SpanPresenter>["getRun"]>>
+>;
 type Result = Awaited<ReturnType<SpanPresenter["call"]>>;
 export type Span = NonNullable<NonNullable<Result>["span"]>;
-export type SpanRun = NonNullable<NonNullable<Result>["run"]>;
 type FindRunResult = NonNullable<
   Awaited<ReturnType<InstanceType<typeof SpanPresenter>["findRun"]>>
 >;
@@ -84,12 +99,18 @@ export class SpanPresenter extends BasePresenter {
   public async call({
     userId,
     projectSlug,
+    envSlug,
     spanId,
     runFriendlyId,
     linkedRunId,
   }: {
     userId: string;
     projectSlug: string;
+    // Optional for backwards compatibility, required for the mollifier
+    // buffer fallback when the parent run isn't yet in PG — we need to
+    // resolve the env id to satisfy `findRunByIdWithMollifierFallback`'s
+    // auth check.
+    envSlug?: string;
     spanId: string;
     runFriendlyId: string;
     linkedRunId?: string;
@@ -127,19 +148,47 @@ export class SpanPresenter extends BasePresenter {
     });
 
     if (!parentRun) {
-      return;
+      // PG miss → fall back to the mollifier buffer. Without this the
+      // right-side span detail panel on the run-detail page never
+      // resolves for buffered runs: `call()` returns undefined, the
+      // resource route redirects with an "Event not found" toast, the
+      // run-detail page reloads, the toast fires again — a perpetual
+      // spin until the drainer materialises the row. Synthesise a
+      // SpanRun straight from the buffer snapshot, reusing
+      // `buildSyntheticSpanRun` (the same helper the run-detail
+      // loader's header fallback already uses).
+      if (!envSlug) return;
+      const envRow = await this._replica.runtimeEnvironment.findFirst({
+        where: { project: { id: project.id }, slug: envSlug },
+        select: { id: true, slug: true, type: true, organizationId: true },
+      });
+      if (!envRow) return;
+      const buffered = await findRunByIdWithMollifierFallback({
+        runId: runFriendlyId,
+        environmentId: envRow.id,
+        organizationId: envRow.organizationId,
+      });
+      if (!buffered) return;
+      const synth = await buildSyntheticSpanRun({
+        run: buffered,
+        environment: { id: envRow.id, slug: envRow.slug, type: envRow.type },
+      });
+      return { type: "run" as const, run: synth };
     }
 
     const { traceId } = parentRun;
 
-    const eventRepository = resolveEventRepositoryForStore(parentRun.taskEventStore);
+    const repository = await getEventRepositoryForStore(
+      parentRun.taskEventStore,
+      project.organizationId
+    );
 
     const eventStore = getTaskEventStoreTableForRun(parentRun);
 
     const run = await this.getRun({
       eventStore,
       traceId,
-      eventRepository,
+      eventRepository: repository,
       spanId,
       linkedRunId,
       createdAt: parentRun.createdAt,
@@ -161,7 +210,7 @@ export class SpanPresenter extends BasePresenter {
       projectId: parentRun.projectId,
       createdAt: parentRun.createdAt,
       completedAt: parentRun.completedAt,
-      eventRepository,
+      eventRepository: repository,
     });
 
     if (!span) {
@@ -242,6 +291,9 @@ export class SpanPresenter extends BasePresenter {
 
     const externalTraceId = this.#getExternalTraceId(run.traceContext);
 
+    const taskKind = RunAnnotations.safeParse(run.annotations).data?.taskKind;
+    const isAgentRun = taskKind === "AGENT";
+
     let region: { name: string; location: string | null } | null = null;
 
     if (run.runtimeEnvironment.type !== "DEVELOPMENT" && run.engine !== "V1") {
@@ -251,13 +303,55 @@ export class SpanPresenter extends BasePresenter {
           location: true,
         },
         where: {
-          masterQueue: run.workerQueue,
+          masterQueue: baseWorkerQueue(run.workerQueue),
         },
       });
 
       region = workerGroup ?? null;
     }
 
+    // Only AGENT-tagged runs (chat.agent and friends) can be session-bound,
+    // so skip the SessionRun lookup for the much larger set of standard runs.
+    // Lookup is by the unique `runId` index, but the cheapest query is the
+    // one we don't run.
+    const sessionRun = isAgentRun
+      ? await this._replica.sessionRun.findFirst({
+          where: { runId: run.id },
+          select: {
+            reason: true,
+            triggeredAt: true,
+            session: {
+              select: {
+                friendlyId: true,
+                externalId: true,
+                type: true,
+                taskIdentifier: true,
+                closedAt: true,
+                expiresAt: true,
+              },
+            },
+          },
+        })
+      : null;
+
+    const session = sessionRun
+      ? {
+          friendlyId: sessionRun.session.friendlyId,
+          externalId: sessionRun.session.externalId,
+          type: sessionRun.session.type,
+          taskIdentifier: sessionRun.session.taskIdentifier,
+          status:
+            sessionRun.session.closedAt != null
+              ? ("CLOSED" as const)
+              : sessionRun.session.expiresAt != null &&
+                sessionRun.session.expiresAt.getTime() < Date.now()
+              ? ("EXPIRED" as const)
+              : ("ACTIVE" as const),
+          reason: sessionRun.reason,
+          triggeredAt: sessionRun.triggeredAt,
+        }
+      : undefined;
+
     return {
       id: run.id,
       friendlyId: run.friendlyId,
@@ -299,6 +393,7 @@ export class SpanPresenter extends BasePresenter {
       isFinished,
       isRunning: RUNNING_STATUSES.includes(run.status),
       isError: isFailedRunStatus(run.status),
+      isAgentRun,
       payload,
       payloadType: run.payloadType,
       output,
@@ -317,12 +412,14 @@ export class SpanPresenter extends BasePresenter {
       metadata,
       maxDurationInSeconds: getMaxDuration(run.maxDurationInSeconds),
       batch: run.batch ? { friendlyId: run.batch.friendlyId } : undefined,
+      session,
       engine: run.engine,
       region,
       workerQueue: run.workerQueue,
       traceId: run.traceId,
       spanId: run.spanId,
       isCached: !!linkedRunId,
+      isBuffered: false,
       machinePreset: machine?.name,
       taskEventStore: run.taskEventStore,
       externalTraceId,
@@ -457,6 +554,7 @@ export class SpanPresenter extends BasePresenter {
         payloadType: true,
         metadata: true,
         metadataType: true,
+        annotations: true,
         maxAttempts: true,
         project: {
           include: {
@@ -592,10 +690,7 @@ export class SpanPresenter extends BasePresenter {
       triggeredRuns,
       aiData:
         span.properties && typeof span.properties === "object"
-          ? extractAISpanData(
-              span.properties as Record<string, unknown>,
-              span.duration / 1_000_000
-            )
+          ? extractAISpanData(span.properties as Record<string, unknown>, span.duration / 1_000_000)
           : undefined,
     };
 
@@ -739,10 +834,7 @@ export class SpanPresenter extends BasePresenter {
           "ai.streamObject",
         ];
 
-        if (
-          typeof span.message === "string" &&
-          AI_SUMMARY_MESSAGES.includes(span.message)
-        ) {
+        if (typeof span.message === "string" && AI_SUMMARY_MESSAGES.includes(span.message)) {
           const aiSummaryData = extractAISummarySpanData(
             span.properties as Record<string, unknown>,
             span.duration / 1_000_000
@@ -899,6 +991,7 @@ export class SpanPresenter extends BasePresenter {
         createdAt: run.createdAt,
         tags: run.runTags,
         isTest: run.isTest,
+        isReplay: !!run.replayedFromTaskRunFriendlyId,
         idempotencyKey: getUserProvidedIdempotencyKey(run) ?? undefined,
         startedAt: run.startedAt ?? run.createdAt,
         durationMs: run.usageDurationMs,
diff --git a/apps/webapp/app/presenters/v3/TaskListPresenter.server.ts b/apps/webapp/app/presenters/v3/TaskListPresenter.server.ts
index f1635f23375..5d1d4c45d45 100644
--- a/apps/webapp/app/presenters/v3/TaskListPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/TaskListPresenter.server.ts
@@ -4,7 +4,7 @@ import {
   type TaskTriggerSource,
 } from "@trigger.dev/database";
 import { $replica } from "~/db.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import {
   type AverageDurations,
   ClickHouseEnvironmentMetricsRepository,
@@ -25,10 +25,7 @@ export type TaskListItem = {
 export type TaskActivity = DailyTaskActivity[string];
 
 export class TaskListPresenter {
-  constructor(
-    private readonly environmentMetricsRepository: EnvironmentMetricsRepository,
-    private readonly _replica: PrismaClientOrTransaction
-  ) {}
+  constructor(private readonly _replica: PrismaClientOrTransaction) {}
 
   public async call({
     organizationId,
@@ -61,6 +58,7 @@ export class TaskListPresenter {
     const tasks = await this._replica.backgroundWorkerTask.findMany({
       where: {
         workerId: currentWorker.id,
+        triggerSource: { not: "AGENT" },
       },
       select: {
         id: true,
@@ -76,9 +74,15 @@ export class TaskListPresenter {
 
     const slugs = tasks.map((t) => t.slug);
 
+    // Create org-specific environment metrics repository
+    const clickhouse = await clickhouseFactory.getClickhouseForOrganization(organizationId, "standard");
+    const environmentMetricsRepository = new ClickHouseEnvironmentMetricsRepository({
+      clickhouse,
+    });
+
     // IMPORTANT: Don't await these, we want to return the promises
     // so we can defer the loading of the data
-    const activity = this.environmentMetricsRepository.getDailyTaskActivity({
+    const activity = environmentMetricsRepository.getDailyTaskActivity({
       organizationId,
       projectId,
       environmentId,
@@ -86,7 +90,7 @@ export class TaskListPresenter {
       tasks: slugs,
     });
 
-    const runningStats = this.environmentMetricsRepository.getCurrentRunningStats({
+    const runningStats = environmentMetricsRepository.getCurrentRunningStats({
       organizationId,
       projectId,
       environmentId,
@@ -94,7 +98,7 @@ export class TaskListPresenter {
       tasks: slugs,
     });
 
-    const durations = this.environmentMetricsRepository.getAverageDurations({
+    const durations = environmentMetricsRepository.getAverageDurations({
       organizationId,
       projectId,
       environmentId,
@@ -109,9 +113,5 @@ export class TaskListPresenter {
 export const taskListPresenter = singleton("taskListPresenter", setupTaskListPresenter);
 
 function setupTaskListPresenter() {
-  const environmentMetricsRepository = new ClickHouseEnvironmentMetricsRepository({
-    clickhouse: clickhouseClient,
-  });
-
-  return new TaskListPresenter(environmentMetricsRepository, $replica);
+  return new TaskListPresenter($replica);
 }
diff --git a/apps/webapp/app/presenters/v3/TasksStreamPresenter.server.ts b/apps/webapp/app/presenters/v3/TasksStreamPresenter.server.ts
index d690b3d083f..17a5bda620a 100644
--- a/apps/webapp/app/presenters/v3/TasksStreamPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/TasksStreamPresenter.server.ts
@@ -1,6 +1,7 @@
 import { type TaskRunAttempt } from "@trigger.dev/database";
 import { eventStream } from "remix-utils/sse/server";
 import { type PrismaClient, prisma } from "~/db.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
 import { logger } from "~/services/logger.server";
 import { projectPubSub } from "~/v3/services/projectPubSub.server";
 
@@ -63,7 +64,9 @@ export class TasksStreamPresenter {
 
     const subscriber = await projectPubSub.subscribe(`project:${project.id}:*`);
 
-    return eventStream(request.signal, (send, close) => {
+    const signal = getRequestAbortSignal();
+
+    return eventStream(signal, (send, close) => {
       const safeSend = (args: { event?: string; data: string }) => {
         try {
           send(args);
@@ -95,7 +98,7 @@ export class TasksStreamPresenter {
       });
 
       pinger = setInterval(() => {
-        if (request.signal.aborted) {
+        if (signal.aborted) {
           return close();
         }
 
diff --git a/apps/webapp/app/presenters/v3/TestPresenter.server.ts b/apps/webapp/app/presenters/v3/TestPresenter.server.ts
index af5bb93a7e7..b817bbf155e 100644
--- a/apps/webapp/app/presenters/v3/TestPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/TestPresenter.server.ts
@@ -19,15 +19,13 @@ export class TestPresenter extends BasePresenter {
     const tasks = await this.#getTasks(environmentId, isDev);
 
     return {
-      tasks: tasks.map((task) => {
-        return {
-          id: task.id,
-          taskIdentifier: task.slug,
-          filePath: task.filePath,
-          friendlyId: task.friendlyId,
-          triggerSource: task.triggerSource,
-        };
-      }),
+      tasks: tasks.map((task) => ({
+        id: task.id,
+        taskIdentifier: task.slug,
+        filePath: task.filePath,
+        friendlyId: task.friendlyId,
+        triggerSource: task.triggerSource,
+      })),
     };
   }
 
@@ -54,10 +52,13 @@ export class TestPresenter extends BasePresenter {
         SELECT bwt.id, version, slug, "filePath", bwt."friendlyId", bwt."triggerSource"
         FROM latest_workers
         JOIN ${sqlDatabaseSchema}."BackgroundWorkerTask" bwt ON bwt."workerId" = latest_workers.id
+        WHERE bwt."triggerSource" != 'AGENT'
         ORDER BY slug ASC;`;
     } else {
       const currentDeployment = await findCurrentWorkerDeployment({ environmentId: envId });
-      return currentDeployment?.worker?.tasks ?? [];
+      return (currentDeployment?.worker?.tasks ?? []).filter(
+        (t) => t.triggerSource !== "AGENT"
+      );
     }
   }
 }
diff --git a/apps/webapp/app/presenters/v3/TestTaskPresenter.server.ts b/apps/webapp/app/presenters/v3/TestTaskPresenter.server.ts
index 09abb22639e..a9381ab60d2 100644
--- a/apps/webapp/app/presenters/v3/TestTaskPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/TestTaskPresenter.server.ts
@@ -203,7 +203,7 @@ export class TestTaskPresenter {
       prisma: this.replica as PrismaClient,
     });
 
-    const runIds = await runsRepository.listRunIds({
+    const { runIds } = await runsRepository.listRunIds({
       organizationId: environment.organizationId,
       environmentId: environment.id,
       projectId: environment.projectId,
@@ -373,6 +373,10 @@ export class TestTaskPresenter {
           ),
         };
       }
+      case "AGENT": {
+        // AGENT tasks are filtered out by TestPresenter and shouldn't reach here
+        return { foundTask: false };
+      }
       default: {
         return task.triggerSource satisfies never;
       }
diff --git a/apps/webapp/app/presenters/v3/UsagePresenter.server.ts b/apps/webapp/app/presenters/v3/UsagePresenter.server.ts
index 2fac95617a6..f04e53496a2 100644
--- a/apps/webapp/app/presenters/v3/UsagePresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/UsagePresenter.server.ts
@@ -4,7 +4,7 @@ import { getUsage, getUsageSeries } from "~/services/platform.v3.server";
 import { createTimeSeriesData } from "~/utils/graphs";
 import { BasePresenter } from "./basePresenter.server";
 import { DataPoint, linear } from "regression";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 
 type Options = {
   organizationId: string;
@@ -124,7 +124,8 @@ async function getTaskUsageByOrganization(
   endOfMonth: Date,
   replica: PrismaClientOrTransaction
 ) {
-  const [queryError, tasks] = await clickhouseClient.taskRuns.getTaskUsageByOrganization({
+  const clickhouse = await clickhouseFactory.getClickhouseForOrganization(organizationId, "standard");
+  const [queryError, tasks] = await clickhouse.taskRuns.getTaskUsageByOrganization({
     startTime: startOfMonth.getTime(),
     endTime: endOfMonth.getTime(),
     organizationId,
diff --git a/apps/webapp/app/presenters/v3/VercelSettingsPresenter.server.ts b/apps/webapp/app/presenters/v3/VercelSettingsPresenter.server.ts
index 4a57e3ec0ef..ea2462816e5 100644
--- a/apps/webapp/app/presenters/v3/VercelSettingsPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/VercelSettingsPresenter.server.ts
@@ -42,6 +42,13 @@ export type VercelSettingsResult = {
   autoAssignCustomDomains?: boolean | null;
   /** URL to manage Vercel integration access (project sharing) on vercel.com */
   vercelManageAccessUrl?: string;
+  /** The currently pinned TRIGGER_VERSION on Vercel production, if set. Used to surface
+   * the pin in the UI and prompt the user to clear it when atomic deployments are disabled. */
+  currentTriggerVersion?: string | null;
+  /** True when the Vercel lookup for TRIGGER_VERSION failed (network/auth/etc). Distinct
+   * from "no pin set" — the UI uses this to warn the user and still prompt them on disable
+   * so they can manually verify that production isn't pinned. */
+  currentTriggerVersionFetchFailed?: boolean;
 };
 
 export type VercelAvailableProject = {
@@ -248,13 +255,17 @@ export class VercelSettingsPresenter extends BasePresenter {
           customEnvironments: VercelCustomEnvironment[];
           autoAssignCustomDomains: boolean | null;
           vercelManageAccessUrl?: string;
+          currentTriggerVersion: string | null;
+          currentTriggerVersionFetchFailed: boolean;
         }> => {
           if (!orgIntegration) {
-            return { customEnvironments: [], autoAssignCustomDomains: null };
+            return { customEnvironments: [], autoAssignCustomDomains: null, currentTriggerVersion: null, currentTriggerVersionFetchFailed: false };
           }
           const clientResult = await VercelIntegrationRepository.getVercelClient(orgIntegration);
           if (clientResult.isErr()) {
-            return { customEnvironments: [], autoAssignCustomDomains: null };
+            // We couldn't even build a Vercel client — treat as fetch failure so the UI
+            // still prompts the user when they disable atomic deployments.
+            return { customEnvironments: [], autoAssignCustomDomains: null, currentTriggerVersion: null, currentTriggerVersionFetchFailed: true };
           }
           const client = clientResult.value;
           const teamId = await VercelIntegrationRepository.getTeamIdFromIntegration(orgIntegration);
@@ -275,10 +286,10 @@ export class VercelSettingsPresenter extends BasePresenter {
           }
 
           if (!connectedProject) {
-            return { customEnvironments: [], autoAssignCustomDomains: null, vercelManageAccessUrl };
+            return { customEnvironments: [], autoAssignCustomDomains: null, vercelManageAccessUrl, currentTriggerVersion: null, currentTriggerVersionFetchFailed: false };
           }
 
-          const [customEnvsResult, autoAssignResult] = await Promise.all([
+          const [customEnvsResult, autoAssignResult, triggerVersionResult] = await Promise.all([
             VercelIntegrationRepository.getVercelCustomEnvironments(
               client,
               connectedProject.vercelProjectId,
@@ -289,18 +300,44 @@ export class VercelSettingsPresenter extends BasePresenter {
               connectedProject.vercelProjectId,
               teamId
             ),
+            VercelIntegrationRepository.getVercelEnvironmentVariableValues(
+              client,
+              connectedProject.vercelProjectId,
+              teamId,
+              "production",
+              (key) => key === "TRIGGER_VERSION"
+            ),
           ]);
+
+          let currentTriggerVersion: string | null = null;
+          let currentTriggerVersionFetchFailed = false;
+          if (triggerVersionResult.isOk()) {
+            const match = triggerVersionResult.value.find(
+              (envVar) => envVar.key === "TRIGGER_VERSION" && envVar.target.includes("production")
+            );
+            currentTriggerVersion = match?.value ?? null;
+          } else {
+            currentTriggerVersionFetchFailed = true;
+            logger.warn("Failed to fetch current TRIGGER_VERSION from Vercel — surfacing as unknown", {
+              projectId,
+              vercelProjectId: connectedProject.vercelProjectId,
+              error: triggerVersionResult.error.message,
+            });
+          }
+
           return {
             customEnvironments: customEnvsResult.isOk() ? customEnvsResult.value : [],
             autoAssignCustomDomains: autoAssignResult.isOk() ? autoAssignResult.value : null,
             vercelManageAccessUrl,
+            currentTriggerVersion,
+            currentTriggerVersionFetchFailed,
           };
         };
 
         return fromPromise(
           fetchVercelData(),
           (error) => ({ type: "other" as const, cause: error })
-        ).map(({ customEnvironments, autoAssignCustomDomains, vercelManageAccessUrl }) => ({
+        ).map(({ customEnvironments, autoAssignCustomDomains, vercelManageAccessUrl, currentTriggerVersion, currentTriggerVersionFetchFailed }) => ({
           enabled: true,
           hasOrgIntegration,
           authInvalid: false,
@@ -311,6 +348,8 @@ export class VercelSettingsPresenter extends BasePresenter {
           customEnvironments,
           autoAssignCustomDomains,
           vercelManageAccessUrl,
+          currentTriggerVersion,
+          currentTriggerVersionFetchFailed,
         } as VercelSettingsResult));
       }).mapErr((error) => {
         // Log the error and return a safe fallback
@@ -419,7 +458,7 @@ export class VercelSettingsPresenter extends BasePresenter {
           };
         }
 
-        const clientResult = await VercelIntegrationRepository.getVercelClient(orgIntegration);
+        const clientResult = await VercelIntegrationRepository.getVercelClientAndToken(orgIntegration);
         if (clientResult.isErr()) {
           return {
             customEnvironments: [],
@@ -434,7 +473,7 @@ export class VercelSettingsPresenter extends BasePresenter {
             isOnboardingComplete: false,
           };
         }
-        const client = clientResult.value;
+        const { client, accessToken } = clientResult.value;
         const teamId = await VercelIntegrationRepository.getTeamIdFromIntegration(orgIntegration);
 
         const projectIntegration = await (this._replica as PrismaClient).organizationProjectIntegration.findFirst({
@@ -492,7 +531,7 @@ export class VercelSettingsPresenter extends BasePresenter {
         // Only fetch shared env vars if teamId is available
           teamId
             ? VercelIntegrationRepository.getVercelSharedEnvironmentVariables(
-                client,
+                accessToken,
                 teamId,
                 projectIntegration.externalEntityId
               )
diff --git a/apps/webapp/app/presenters/v3/ViewSchedulePresenter.server.ts b/apps/webapp/app/presenters/v3/ViewSchedulePresenter.server.ts
index f0e955fd04d..dbb1123c488 100644
--- a/apps/webapp/app/presenters/v3/ViewSchedulePresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/ViewSchedulePresenter.server.ts
@@ -1,7 +1,7 @@
 import { ScheduleObject } from "@trigger.dev/core/v3";
 import { PrismaClient, prisma } from "~/db.server";
 import { displayableEnvironment } from "~/models/runtimeEnvironment.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { nextScheduledTimestamps } from "~/v3/utils/calculateNextSchedule.server";
 import { NextRunListPresenter } from "./NextRunListPresenter.server";
 import { scheduleWhereClause } from "~/models/schedules.server";
@@ -75,7 +75,8 @@ export class ViewSchedulePresenter {
       ? nextScheduledTimestamps(schedule.generatorExpression, schedule.timezone, new Date(), 5)
       : [];
 
-    const runPresenter = new NextRunListPresenter(this.#prismaClient, clickhouseClient);
+    const clickhouse = await clickhouseFactory.getClickhouseForOrganization(schedule.project.organizationId, "standard");
+    const runPresenter = new NextRunListPresenter(this.#prismaClient, clickhouse);
     const { runs } = await runPresenter.call(schedule.project.organizationId, environmentId, {
       projectId: schedule.project.id,
       scheduleId: schedule.id,
diff --git a/apps/webapp/app/presenters/v3/WaitpointPresenter.server.ts b/apps/webapp/app/presenters/v3/WaitpointPresenter.server.ts
index 9abcdf32215..7877c2cc0c8 100644
--- a/apps/webapp/app/presenters/v3/WaitpointPresenter.server.ts
+++ b/apps/webapp/app/presenters/v3/WaitpointPresenter.server.ts
@@ -1,5 +1,5 @@
 import { isWaitpointOutputTimeout, prettyPrintPacket } from "@trigger.dev/core/v3";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { generateHttpCallbackUrl } from "~/services/httpCallback.server";
 import { logger } from "~/services/logger.server";
 import { BasePresenter } from "./basePresenter.server";
@@ -79,7 +79,8 @@ export class WaitpointPresenter extends BasePresenter {
     const connectedRuns: NextRunListItem[] = [];
 
     if (connectedRunIds.length > 0) {
-      const runPresenter = new NextRunListPresenter(this._prisma, clickhouseClient);
+      const clickhouse = await clickhouseFactory.getClickhouseForOrganization(waitpoint.environment.organizationId, "standard");
+      const runPresenter = new NextRunListPresenter(this._prisma, clickhouse);
       const { runs } = await runPresenter.call(
         waitpoint.environment.organizationId,
         environmentId,
diff --git a/apps/webapp/app/presenters/v3/environmentVariablesEnvironments.server.ts b/apps/webapp/app/presenters/v3/environmentVariablesEnvironments.server.ts
new file mode 100644
index 00000000000..9473127df05
--- /dev/null
+++ b/apps/webapp/app/presenters/v3/environmentVariablesEnvironments.server.ts
@@ -0,0 +1,75 @@
+import type { RuntimeEnvironmentType } from "@trigger.dev/database";
+import { type PrismaReplicaClient } from "~/db.server";
+import { filterOrphanedEnvironments, sortEnvironments } from "~/utils/environmentSort";
+
+export type EnvironmentVariablesEnvironment = {
+  id: string;
+  type: RuntimeEnvironmentType;
+  isBranchableEnvironment: boolean;
+  branchName: string | null;
+};
+
+export type EnvironmentVariablesEnvironmentsResult = {
+  environments: EnvironmentVariablesEnvironment[];
+  hasStaging: boolean;
+};
+
+export async function loadEnvironmentVariablesEnvironments(
+  prismaClient: PrismaReplicaClient,
+  { userId, projectId }: { userId: string; projectId: string },
+  options?: { skipProjectAccessCheck?: boolean }
+): Promise<EnvironmentVariablesEnvironmentsResult> {
+  if (!options?.skipProjectAccessCheck) {
+    const project = await prismaClient.project.findFirst({
+      select: {
+        id: true,
+      },
+      where: {
+        id: projectId,
+        organization: {
+          members: {
+            some: {
+              userId,
+            },
+          },
+        },
+      },
+    });
+
+    if (!project) {
+      throw new Error("Project not found");
+    }
+  }
+
+  const environments = await prismaClient.runtimeEnvironment.findMany({
+    select: {
+      id: true,
+      type: true,
+      isBranchableEnvironment: true,
+      branchName: true,
+      orgMember: {
+        select: {
+          userId: true,
+        },
+      },
+    },
+    where: {
+      projectId,
+      archivedAt: null,
+    },
+  });
+
+  const sortedEnvironments = sortEnvironments(filterOrphanedEnvironments(environments)).filter(
+    (environment) => environment.orgMember?.userId === userId || environment.orgMember === null
+  );
+
+  return {
+    environments: sortedEnvironments.map((environment) => ({
+      id: environment.id,
+      type: environment.type,
+      isBranchableEnvironment: environment.isBranchableEnvironment,
+      branchName: environment.branchName,
+    })),
+    hasStaging: environments.some((environment) => environment.type === "STAGING"),
+  };
+}
diff --git a/apps/webapp/app/presenters/v3/mapRunToLiveFields.server.ts b/apps/webapp/app/presenters/v3/mapRunToLiveFields.server.ts
new file mode 100644
index 00000000000..abbf1db7fd3
--- /dev/null
+++ b/apps/webapp/app/presenters/v3/mapRunToLiveFields.server.ts
@@ -0,0 +1,21 @@
+import { isCancellableRunStatus, isFinalRunStatus, isPendingRunStatus } from "~/v3/taskStatus";
+import type { ListedRun } from "~/services/runsRepository/runsRepository.server";
+
+export function mapRunToLiveFields(run: ListedRun) {
+  const hasFinished = isFinalRunStatus(run.status);
+  const startedAt = run.startedAt ?? run.lockedAt;
+
+  return {
+    friendlyId: run.friendlyId,
+    status: run.status,
+    updatedAt: run.updatedAt.toISOString(),
+    startedAt: startedAt?.toISOString(),
+    finishedAt: hasFinished ? run.completedAt?.toISOString() ?? run.updatedAt.toISOString() : undefined,
+    hasFinished,
+    isCancellable: isCancellableRunStatus(run.status),
+    isPending: isPendingRunStatus(run.status),
+    usageDurationMs: Number(run.usageDurationMs),
+    costInCents: run.costInCents,
+    baseCostInCents: run.baseCostInCents,
+  };
+}
diff --git a/apps/webapp/app/redis.server.ts b/apps/webapp/app/redis.server.ts
index 55d490821e3..01efa0d3e68 100644
--- a/apps/webapp/app/redis.server.ts
+++ b/apps/webapp/app/redis.server.ts
@@ -1,4 +1,5 @@
 import { Cluster, Redis, type ClusterNode, type ClusterOptions } from "ioredis";
+import { defaultReconnectOnError } from "@internal/redis";
 import { logger } from "./services/logger.server";
 
 export type RedisWithClusterOptions = {
@@ -42,6 +43,7 @@ export function createRedisClient(
         username: options.username,
         password: options.password,
         enableAutoPipelining: true,
+        reconnectOnError: defaultReconnectOnError,
         ...(options.tlsDisabled
           ? {
               checkServerIdentity: () => {
@@ -69,6 +71,7 @@ export function createRedisClient(
       password: options.password,
       enableAutoPipelining: true,
       keyPrefix: options.keyPrefix,
+      reconnectOnError: defaultReconnectOnError,
       ...(options.tlsDisabled ? {} : { tls: {} }),
     });
   }
diff --git a/apps/webapp/app/root.tsx b/apps/webapp/app/root.tsx
index c6027b1a6d3..db2d3db22b8 100644
--- a/apps/webapp/app/root.tsx
+++ b/apps/webapp/app/root.tsx
@@ -58,9 +58,14 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
     websiteId: env.KAPA_AI_WEBSITE_ID,
   };
 
+  const user = await getUser(request);
+
+  const headers = new Headers();
+  headers.append("Set-Cookie", await commitSession(session));
+
   return typedjson(
     {
-      user: await getUser(request),
+      user,
       toastMessage,
       posthogProjectKey,
       features,
@@ -70,7 +75,7 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
       kapa,
       timezone,
     },
-    { headers: { "Set-Cookie": await commitSession(session) } }
+    { headers }
   );
 };
 
diff --git a/apps/webapp/app/routes/@.runs.$runParam.ts b/apps/webapp/app/routes/@.runs.$runParam.ts
index a52600628d8..a709191271e 100644
--- a/apps/webapp/app/routes/@.runs.$runParam.ts
+++ b/apps/webapp/app/routes/@.runs.$runParam.ts
@@ -3,7 +3,8 @@ import { z } from "zod";
 import { prisma } from "~/db.server";
 import { redirectWithErrorMessage } from "~/models/message.server";
 import { requireUser } from "~/services/session.server";
-import { impersonate, rootPath, v3RunPath } from "~/utils/pathBuilder";
+import { impersonate, rootPath, v3RunPath, v3RunSpanPath } from "~/utils/pathBuilder";
+import { findBufferedRunRedirectInfo } from "~/v3/mollifier/syntheticRedirectInfo.server";
 
 const ParamsSchema = z.object({
   runParam: z.string(),
@@ -32,6 +33,7 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
       friendlyId: runParam,
     },
     select: {
+      spanId: true,
       runtimeEnvironment: {
         select: {
           slug: true,
@@ -51,16 +53,45 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
   });
 
   if (!run) {
+    // Admin impersonation route — bypass org membership so admins can
+    // open any buffered run by friendlyId, mirroring the existing PG
+    // behaviour above (no membership filter on the find).
+    const buffered = await findBufferedRunRedirectInfo({
+      runFriendlyId: runParam,
+      userId: user.id,
+      skipOrgMembershipCheck: true,
+    });
+    if (buffered) {
+      // Preselect the root span so the run-detail trace tree opens with
+      // the buffered run's span highlighted, matching the sibling
+      // redirect routes (runs.$runParam.ts, projects.v3.$projectRef…).
+      const path = buffered.spanId
+        ? v3RunSpanPath(
+            { slug: buffered.organizationSlug },
+            { slug: buffered.projectSlug },
+            { slug: buffered.environmentSlug },
+            { friendlyId: runParam },
+            { spanId: buffered.spanId }
+          )
+        : v3RunPath(
+            { slug: buffered.organizationSlug },
+            { slug: buffered.projectSlug },
+            { slug: buffered.environmentSlug },
+            { friendlyId: runParam }
+          );
+      return redirect(impersonate(path));
+    }
     return redirectWithErrorMessage(rootPath(), request, "Run doesn't exist", {
       ephemeral: false,
     });
   }
 
-  const path = v3RunPath(
+  const path = v3RunSpanPath(
     { slug: run.project.organization.slug },
     { slug: run.project.slug },
     { slug: run.runtimeEnvironment.slug },
-    { friendlyId: runParam }
+    { friendlyId: runParam },
+    { spanId: run.spanId }
   );
 
   return redirect(impersonate(path));
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.invite/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.invite/route.tsx
index 44990abaa6e..f77c19ffbdd 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.invite/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.invite/route.tsx
@@ -25,13 +25,15 @@ import { Input } from "~/components/primitives/Input";
 import { InputGroup } from "~/components/primitives/InputGroup";
 import { Label } from "~/components/primitives/Label";
 import { Paragraph } from "~/components/primitives/Paragraph";
+import { Select, SelectItem } from "~/components/primitives/Select";
 import { $replica } from "~/db.server";
 import { env } from "~/env.server";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { inviteMembers } from "~/models/member.server";
 import { redirectWithSuccessMessage } from "~/models/message.server";
 import { TeamPresenter } from "~/presenters/TeamPresenter.server";
-import { scheduleEmail } from "~/services/email.server";
+import { scheduleEmail } from "~/services/scheduleEmail.server";
+import { rbac } from "~/services/rbac.server";
 import { requireUserId } from "~/services/session.server";
 import { acceptInvitePath, organizationTeamPath, v3BillingPath } from "~/utils/pathBuilder";
 import { PurchaseSeatsModal } from "../_app.orgs.$organizationSlug.settings.team/route";
@@ -63,9 +65,77 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     throw new Response("Not Found", { status: 404 });
   }
 
-  return typedjson(result);
+  // Inviter's own role drives the "below their level" filter on the
+  // dropdown. Plus assignable role IDs already encode the org's plan
+  // tier — the intersection is what we offer.
+  const [inviterRole, assignableRoleIds, systemRoles] = await Promise.all([
+    rbac.getUserRole({ userId, organizationId: organization.id }),
+    rbac.getAssignableRoleIds(organization.id),
+    rbac.systemRoles(organization.id),
+  ]);
+
+  // Build the dropdown's offerable set server-side: roles that are
+  // (a) assignable on the current plan AND (b) at or below the
+  // inviter's own level. The client just renders these — it doesn't
+  // need to know about the system-role catalogue or the ladder.
+  const assignableSet = new Set(assignableRoleIds);
+  const offerableRoleIds = systemRoles
+    ? result.roles
+        .filter(
+          (r) =>
+            assignableSet.has(r.id) &&
+            isAtOrBelow(systemRoles, inviterRole?.id ?? null, r.id)
+        )
+        .map((r) => r.id)
+    : [];
+
+  return typedjson({ ...result, offerableRoleIds });
 };
 
+// Sentinel for "no RBAC role attached to invite" — the runtime
+// fallback will derive a role from the legacy OrgMember.role write at
+// accept time. Used when the org has no RBAC plugin installed (the
+// dropdown is hidden) or as a defensive default.
+const NO_RBAC_ROLE = "__no_rbac_role__";
+
+// An inviter can only assign a role at or below their own. The
+// plugin's systemRoles array is in canonical order (highest authority
+// first), so array index drives the ladder — earlier index = higher
+// rank. Plan-tier filtering happens separately via assignableRoleIds;
+// the ladder is the absolute hierarchy. Custom roles aren't in the
+// table and are refused (TRI-8747's follow-up will handle them).
+type LadderRole = { id: string };
+
+function buildRoleLevel(roles: ReadonlyArray<LadderRole>): Record<string, number> {
+  const level: Record<string, number> = {};
+  roles.forEach((r, i) => {
+    // Top of the array = highest level. Subtract from length so larger
+    // numbers always mean "more authority" — no off-by-one when a role
+    // is added or removed.
+    level[r.id] = roles.length - i;
+  });
+  return level;
+}
+
+function isAtOrBelow(
+  roles: ReadonlyArray<LadderRole>,
+  inviterRoleId: string | null,
+  invitedRoleId: string
+): boolean {
+  // No RBAC role on inviter (e.g. the runtime fallback couldn't derive
+  // one) → fall back to the legacy OrgMember.role check the calling
+  // code already enforces. Allow the invite to proceed; the action
+  // would have already failed earlier if the inviter wasn't allowed
+  // to invite at all.
+  if (!inviterRoleId) return true;
+  const level = buildRoleLevel(roles);
+  const inviter = level[inviterRoleId];
+  const invited = level[invitedRoleId];
+  // Custom roles aren't in the level table — refuse.
+  if (inviter === undefined || invited === undefined) return false;
+  return invited <= inviter;
+}
+
 const schema = z.object({
   emails: z.preprocess((i) => {
     if (typeof i === "string") return [i];
@@ -80,6 +150,7 @@ const schema = z.object({
 
     return [""];
   }, z.string().email().array().nonempty("At least one email is required")),
+  rbacRoleId: z.string().optional(),
 });
 
 export const action: ActionFunction = async ({ request, params }) => {
@@ -94,11 +165,62 @@ export const action: ActionFunction = async ({ request, params }) => {
     return json(submission);
   }
 
+  // Resolve the RBAC role choice. NO_RBAC_ROLE / undefined / unknown
+  // role → don't pass one through; the runtime fallback handles it.
+  // Validation: the chosen role must be in the org's assignable set
+  // (plan-tier) and at or below the inviter's own level.
+  let resolvedRbacRoleId: string | null = null;
+  const submittedRbacRoleId = submission.value.rbacRoleId;
+  if (
+    submittedRbacRoleId &&
+    submittedRbacRoleId !== NO_RBAC_ROLE
+  ) {
+    const org = await $replica.organization.findFirst({
+      where: { slug: organizationSlug },
+      select: { id: true },
+    });
+    if (!org) {
+      return json({ errors: { body: "Organization not found" } }, { status: 404 });
+    }
+    const [inviterRole, assignableRoleIds, systemRoles] = await Promise.all([
+      rbac.getUserRole({ userId, organizationId: org.id }),
+      rbac.getAssignableRoleIds(org.id),
+      rbac.systemRoles(org.id),
+    ]);
+    if (!systemRoles) {
+      // No plugin installed but the form somehow submitted a role id —
+      // ignore it (fall through to legacy behaviour rather than 400).
+      resolvedRbacRoleId = null;
+    } else {
+      const assignable = new Set(assignableRoleIds);
+      if (!assignable.has(submittedRbacRoleId)) {
+        return json(
+          { errors: { body: "You can't invite someone with this role on your current plan" } },
+          { status: 400 }
+        );
+      }
+      if (
+        !isAtOrBelow(
+          systemRoles,
+          inviterRole?.id ?? null,
+          submittedRbacRoleId
+        )
+      ) {
+        return json(
+          { errors: { body: "You can only invite members at or below your own role" } },
+          { status: 403 }
+        );
+      }
+      resolvedRbacRoleId = submittedRbacRoleId;
+    }
+  }
+
   try {
     const invites = await inviteMembers({
       slug: organizationSlug,
       emails: submission.value.emails,
       userId,
+      rbacRoleId: resolvedRbacRoleId,
     });
 
     for (const invite of invites) {
@@ -128,12 +250,35 @@ export const action: ActionFunction = async ({ request, params }) => {
 };
 
 export default function Page() {
-  const { limits, canPurchaseSeats, seatPricing, extraSeats, maxSeatQuota, planSeatLimit } =
-    useTypedLoaderData<typeof loader>();
+  const {
+    limits,
+    canPurchaseSeats,
+    seatPricing,
+    extraSeats,
+    maxSeatQuota,
+    planSeatLimit,
+    roles,
+    offerableRoleIds,
+  } = useTypedLoaderData<typeof loader>();
   const [total, setTotal] = useState(limits.used);
   const organization = useOrganization();
   const lastSubmission = useActionData();
 
+  // The loader filtered the catalogue to roles this inviter can
+  // actually assign (plan tier × strict-below-my-level). With no plugin
+  // installed, offerableRoleIds is [] and the picker hides entirely.
+  const offerableSet = new Set(offerableRoleIds);
+  const offerable = roles.filter((r) => offerableSet.has(r.id));
+  const showRolePicker = offerable.length > 0;
+
+  // Default to the lowest-tier offered role (the loader returns roles
+  // in its allRoles order, which the plugin emits Owner→Member; the
+  // last entry is the most restrictive).
+  const defaultRoleId = showRolePicker
+    ? offerable[offerable.length - 1].id
+    : NO_RBAC_ROLE;
+  const [selectedRoleId, setSelectedRoleId] = useState(defaultRoleId);
+
   const [form, { emails }] = useForm({
     id: "invite-members",
     // TODO: type this
@@ -232,6 +377,36 @@ export default function Page() {
                 </Fragment>
               ))}
             </InputGroup>
+            {showRolePicker ? (
+              <InputGroup>
+                <Label htmlFor="rbacRoleId">Role</Label>
+                <input type="hidden" name="rbacRoleId" value={selectedRoleId} />
+                <Select<string, (typeof offerable)[number]>
+                  defaultValue={defaultRoleId}
+                  items={offerable}
+                  variant="tertiary/medium"
+                  dropdownIcon
+                  text={(v) =>
+                    offerable.find((r) => r.id === v)?.name ?? "Pick a role"
+                  }
+                  setValue={(next) => {
+                    if (typeof next === "string") setSelectedRoleId(next);
+                  }}
+                >
+                  {(items) =>
+                    items.map((role) => (
+                      <SelectItem key={role.id} value={role.id}>
+                        {role.name}
+                      </SelectItem>
+                    ))
+                  }
+                </Select>
+                <Paragraph variant="extra-small" className="text-text-dimmed">
+                  Invitees join with this role. They can be promoted later
+                  from the Team page.
+                </Paragraph>
+              </InputGroup>
+            ) : null}
             <FormButtons
               confirmButton={
                 <Button type="submit" variant={"primary/small"} disabled={total > limits.limit}>
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam._index/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam._index/route.tsx
index 2cf8b844a9e..f8e28fc6888 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam._index/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam._index/route.tsx
@@ -5,8 +5,6 @@ import {
   ChevronUpIcon,
   ExclamationTriangleIcon,
   LightBulbIcon,
-  MagnifyingGlassIcon,
-  XMarkIcon,
   UserPlusIcon,
   VideoCameraIcon,
 } from "@heroicons/react/20/solid";
@@ -17,7 +15,7 @@ import { DiscordIcon } from "@trigger.dev/companyicons";
 import { formatDurationMilliseconds } from "@trigger.dev/core/v3";
 import type { TaskRunStatus } from "@trigger.dev/database";
 import { Fragment, Suspense, useCallback, useEffect, useRef, useState } from "react";
-import type { PanelHandle } from "react-window-splitter";
+import type { PanelHandle } from "@window-splitter/react";
 import { Bar, BarChart, ResponsiveContainer, Tooltip, type TooltipProps } from "recharts";
 import { TypedAwait, typeddefer, useTypedLoaderData } from "remix-typedjson";
 import { ExitIcon } from "~/assets/icons/ExitIcon";
@@ -38,7 +36,6 @@ import { Callout } from "~/components/primitives/Callout";
 import { formatDateTime } from "~/components/primitives/DateTime";
 import { Dialog, DialogContent, DialogHeader, DialogTitle } from "~/components/primitives/Dialog";
 import { Header2, Header3 } from "~/components/primitives/Headers";
-import { Input } from "~/components/primitives/Input";
 import { NavBar, PageAccessories, PageTitle } from "~/components/primitives/PageHeader";
 import { Paragraph } from "~/components/primitives/Paragraph";
 import { PopoverMenuItem } from "~/components/primitives/Popover";
@@ -50,6 +47,7 @@ import {
   ResizablePanelGroup,
   collapsibleHandleClassName,
 } from "~/components/primitives/Resizable";
+import { SearchInput } from "~/components/primitives/SearchInput";
 import { Spinner } from "~/components/primitives/Spinner";
 import { StepNumber } from "~/components/primitives/StepNumber";
 import {
@@ -75,6 +73,7 @@ import { useEventSource } from "~/hooks/useEventSource";
 import { useFuzzyFilter } from "~/hooks/useFuzzyFilter";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
+import { useSearchParams } from "~/hooks/useSearchParam";
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
 import {
@@ -88,7 +87,6 @@ import {
   uiPreferencesStorage,
 } from "~/services/preferences/uiPreferences.server";
 import { requireUserId } from "~/services/session.server";
-import { motion } from "framer-motion";
 import { cn } from "~/utils/cn";
 import {
   docsPath,
@@ -176,9 +174,11 @@ export default function Page() {
   const environment = useEnvironment();
   const { tasks, activity, runningStats, durations, usefulLinksPreference } =
     useTypedLoaderData<typeof loader>();
-  const { filterText, setFilterText, filteredItems } = useFuzzyFilter<TaskListItem>({
+  const { value } = useSearchParams();
+  const { filteredItems } = useFuzzyFilter<TaskListItem>({
     items: tasks,
     keys: ["slug", "filePath", "triggerSource"],
+    filterText: value("search") ?? "",
   });
 
   const hasTasks = tasks.length > 0;
@@ -244,16 +244,12 @@ export default function Page() {
                   {tasks.length === 0 ? <UserHasNoTasks /> : null}
                   <div className="max-h-full overflow-hidden">
                     <div className="flex items-center justify-between gap-1 p-2">
-                      <AnimatedSearchField
-                        value={filterText}
-                        onChange={setFilterText}
-                        placeholder="Search tasks…"
-                        autoFocus
-                      />
-                        {!showUsefulLinks && (
+                      <SearchInput placeholder="Search tasks…" autoFocus />
+                      {!showUsefulLinks && (
                         <Button
                           variant="secondary/small"
                           TrailingIcon={LightBulbIcon}
+                          trailingIconClassName="text-text-dimmed"
                           onClick={() => toggleUsefulLinks(true)}
                           className="px-2.5"
                         />
@@ -443,9 +439,7 @@ export default function Page() {
             collapseAnimation={RESIZABLE_PANEL_ANIMATION}
           >
             <div className="h-full" style={{ minWidth: 400 }}>
-              {hasTasks && (
-                <HelpfulInfoHasTasks onClose={() => toggleUsefulLinks(false)} />
-              )}
+              {hasTasks && <HelpfulInfoHasTasks onClose={() => toggleUsefulLinks(false)} />}
             </div>
           </ResizablePanel>
         </ResizablePanelGroup>
@@ -868,53 +862,3 @@ function FailedToLoadStats() {
   );
 }
 
-function AnimatedSearchField({
-  value,
-  onChange,
-  placeholder,
-  autoFocus,
-}: {
-  value: string;
-  onChange: (value: string) => void;
-  placeholder?: string;
-  autoFocus?: boolean;
-}) {
-  const [isFocused, setIsFocused] = useState(false);
-
-  return (
-    <motion.div
-      initial={{ width: "auto" }}
-      animate={{ width: isFocused && value.length > 0 ? "24rem" : "auto" }}
-      transition={{ type: "spring", stiffness: 300, damping: 30 }}
-      className="relative h-6 min-w-52"
-    >
-      <Input
-        type="text"
-        variant="secondary-small"
-        placeholder={placeholder}
-        value={value}
-        onChange={(e) => onChange(e.target.value)}
-        fullWidth
-        autoFocus={autoFocus}
-        className={cn(isFocused && "placeholder:text-text-dimmed/70")}
-        onFocus={() => setIsFocused(true)}
-        onBlur={() => setIsFocused(false)}
-        onKeyDown={(e) => {
-          if (e.key === "Escape") e.currentTarget.blur();
-        }}
-        icon={<MagnifyingGlassIcon className="size-4" />}
-        accessory={
-          value.length > 0 ? (
-            <button
-              type="button"
-              onClick={() => onChange("")}
-              className="flex size-4.5 items-center justify-center rounded-[2px] border border-text-dimmed/40 text-text-dimmed transition hover:bg-charcoal-600 hover:text-text-bright"
-            >
-              <XMarkIcon className="size-3" />
-            </button>
-          ) : undefined
-        }
-      />
-    </motion.div>
-  );
-}
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.agents/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.agents/route.tsx
new file mode 100644
index 00000000000..deedafd9879
--- /dev/null
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.agents/route.tsx
@@ -0,0 +1,360 @@
+import { BeakerIcon, CpuChipIcon, MagnifyingGlassIcon } from "@heroicons/react/20/solid";
+import { type MetaFunction } from "@remix-run/node";
+import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { Suspense } from "react";
+import { TypedAwait, typeddefer, useTypedLoaderData } from "remix-typedjson";
+import { RunsIcon } from "~/assets/icons/RunsIcon";
+import { MainCenteredContainer, PageBody, PageContainer } from "~/components/layout/AppLayout";
+import { Badge } from "~/components/primitives/Badge";
+import { Header2 } from "~/components/primitives/Headers";
+import { Input } from "~/components/primitives/Input";
+import { LinkButton } from "~/components/primitives/Buttons";
+import { NavBar, PageTitle } from "~/components/primitives/PageHeader";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import { Spinner } from "~/components/primitives/Spinner";
+import {
+  Table,
+  TableBlankRow,
+  TableBody,
+  TableCell,
+  TableCellMenu,
+  TableHeader,
+  TableHeaderCell,
+  TableRow,
+} from "~/components/primitives/Table";
+import { SimpleTooltip } from "~/components/primitives/Tooltip";
+import { PopoverMenuItem } from "~/components/primitives/Popover";
+import { TaskFileName } from "~/components/runs/v3/TaskPath";
+import { useFuzzyFilter } from "~/hooks/useFuzzyFilter";
+import { useEnvironment } from "~/hooks/useEnvironment";
+import { useOrganization } from "~/hooks/useOrganizations";
+import { useProject } from "~/hooks/useProject";
+import { findProjectBySlug } from "~/models/project.server";
+import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
+import {
+  type AgentListItem,
+  type AgentActiveState,
+  agentListPresenter,
+} from "~/presenters/v3/AgentListPresenter.server";
+import { requireUserId } from "~/services/session.server";
+import { EnvironmentParamSchema, v3RunsPath, v3PlaygroundAgentPath } from "~/utils/pathBuilder";
+import { cn } from "~/utils/cn";
+
+export const meta: MetaFunction = () => {
+  return [{ title: "Agents | Trigger.dev" }];
+};
+
+export const loader = async ({ request, params }: LoaderFunctionArgs) => {
+  const userId = await requireUserId(request);
+  const { organizationSlug, projectParam, envParam } = EnvironmentParamSchema.parse(params);
+
+  const project = await findProjectBySlug(organizationSlug, projectParam, userId);
+  if (!project) {
+    throw new Response(undefined, { status: 404, statusText: "Project not found" });
+  }
+
+  const environment = await findEnvironmentBySlug(project.id, envParam, userId);
+  if (!environment) {
+    throw new Response(undefined, { status: 404, statusText: "Environment not found" });
+  }
+
+  const result = await agentListPresenter.call({
+    organizationId: project.organizationId,
+    projectId: project.id,
+    environmentId: environment.id,
+    environmentType: environment.type,
+  });
+
+  return typeddefer(result);
+};
+
+export default function AgentsPage() {
+  const { agents, activeStates, conversationSparklines, costSparklines, tokenSparklines } =
+    useTypedLoaderData<typeof loader>();
+  const organization = useOrganization();
+  const project = useProject();
+  const environment = useEnvironment();
+
+  const { filterText, setFilterText, filteredItems } = useFuzzyFilter({
+    items: agents,
+    keys: ["slug", "filePath"],
+  });
+
+  if (agents.length === 0) {
+    return (
+      <PageContainer>
+        <NavBar>
+          <PageTitle title="Agents" />
+        </NavBar>
+        <PageBody>
+          <MainCenteredContainer>
+            <div className="flex flex-col items-center gap-4 py-20">
+              <CpuChipIcon className="size-12 text-indigo-500" />
+              <Header2>No agents deployed</Header2>
+              <Paragraph variant="small" className="max-w-md text-center">
+                Create a chat agent using <code>chat.agent()</code> from{" "}
+                <code>@trigger.dev/sdk/ai</code> and deploy it to see it here.
+              </Paragraph>
+            </div>
+          </MainCenteredContainer>
+        </PageBody>
+      </PageContainer>
+    );
+  }
+
+  return (
+    <PageContainer>
+      <NavBar>
+        <PageTitle title="Agents" />
+      </NavBar>
+      <PageBody scrollable={false}>
+        <div className="grid h-full grid-rows-1">
+          <div className="flex min-w-0 max-w-full flex-col">
+            <div className="max-h-full overflow-hidden">
+              <div className="flex items-center gap-1 p-2">
+                <Input
+                  placeholder="Search agents"
+                  variant="tertiary"
+                  icon={MagnifyingGlassIcon}
+                  fullWidth={true}
+                  value={filterText}
+                  onChange={(e) => setFilterText(e.target.value)}
+                  autoFocus
+                />
+              </div>
+              <Table containerClassName="max-h-full pb-[2.5rem]">
+                <TableHeader>
+                  <TableRow>
+                    <TableHeaderCell>ID</TableHeaderCell>
+                    <TableHeaderCell>Type</TableHeaderCell>
+                    <TableHeaderCell>File</TableHeaderCell>
+                    <TableHeaderCell>Active</TableHeaderCell>
+                    <TableHeaderCell>Conversations (24h)</TableHeaderCell>
+                    <TableHeaderCell>Cost (24h)</TableHeaderCell>
+                    <TableHeaderCell>Tokens (24h)</TableHeaderCell>
+                    <TableHeaderCell hiddenLabel>Go to page</TableHeaderCell>
+                  </TableRow>
+                </TableHeader>
+                <TableBody>
+                  {filteredItems.length > 0 ? (
+                    filteredItems.map((agent) => {
+                      const path = v3RunsPath(organization, project, environment, {
+                        tasks: [agent.slug],
+                      });
+                      const agentType =
+                        (agent.config as { type?: string } | null)?.type ?? "unknown";
+
+                      return (
+                        <TableRow key={agent.slug} className="group">
+                          <TableCell to={path} isTabbableCell>
+                            <div className="flex items-center gap-2">
+                              <SimpleTooltip
+                                button={
+                                  <CpuChipIcon className="size-[1.125rem] min-w-[1.125rem] text-indigo-500" />
+                                }
+                                content="Agent"
+                              />
+                              <span>{agent.slug}</span>
+                            </div>
+                          </TableCell>
+                          <TableCell to={path}>
+                            <Badge variant="extra-small">{formatAgentType(agentType)}</Badge>
+                          </TableCell>
+                          <TableCell to={path}>
+                            <TaskFileName fileName={agent.filePath} variant="extra-extra-small" />
+                          </TableCell>
+                          <TableCell to={path}>
+                            <Suspense fallback={<Spinner color="muted" />}>
+                              <TypedAwait resolve={activeStates} errorElement={<>–</>}>
+                                {(data) => {
+                                  const state = data[agent.slug];
+                                  if (!state || (state.running === 0 && state.suspended === 0)) {
+                                    return (
+                                      <span className="text-text-dimmed">–</span>
+                                    );
+                                  }
+                                  return (
+                                    <span className="flex items-center gap-1.5 text-xs">
+                                      {state.running > 0 && (
+                                        <span className="flex items-center gap-0.5">
+                                          <span className="size-1.5 rounded-full bg-success" />
+                                          <span>{state.running}</span>
+                                        </span>
+                                      )}
+                                      {state.running > 0 && state.suspended > 0 && (
+                                        <span className="text-text-dimmed">·</span>
+                                      )}
+                                      {state.suspended > 0 && (
+                                        <span className="flex items-center gap-0.5">
+                                          <span className="size-1.5 rounded-full bg-blue-500" />
+                                          <span>{state.suspended}</span>
+                                        </span>
+                                      )}
+                                    </span>
+                                  );
+                                }}
+                              </TypedAwait>
+                            </Suspense>
+                          </TableCell>
+                          <TableCell to={path} actionClassName="py-1.5">
+                            <Suspense fallback={<SparklinePlaceholder />}>
+                              <TypedAwait resolve={conversationSparklines} errorElement={<>–</>}>
+                                {(data) => (
+                                  <SparklineWithTotal
+                                    data={data[agent.slug]}
+                                    formatTotal={formatCount}
+                                  />
+                                )}
+                              </TypedAwait>
+                            </Suspense>
+                          </TableCell>
+                          <TableCell to={path} actionClassName="py-1.5">
+                            <Suspense fallback={<SparklinePlaceholder />}>
+                              <TypedAwait resolve={costSparklines} errorElement={<>–</>}>
+                                {(data) => (
+                                  <SparklineWithTotal
+                                    data={data[agent.slug]}
+                                    formatTotal={formatCost}
+                                    color="text-amber-400"
+                                    barColor="#F59E0B"
+                                  />
+                                )}
+                              </TypedAwait>
+                            </Suspense>
+                          </TableCell>
+                          <TableCell to={path} actionClassName="py-1.5">
+                            <Suspense fallback={<SparklinePlaceholder />}>
+                              <TypedAwait resolve={tokenSparklines} errorElement={<>–</>}>
+                                {(data) => (
+                                  <SparklineWithTotal
+                                    data={data[agent.slug]}
+                                    formatTotal={formatTokens}
+                                    color="text-purple-400"
+                                    barColor="#A855F7"
+                                  />
+                                )}
+                              </TypedAwait>
+                            </Suspense>
+                          </TableCell>
+                          <TableCellMenu
+                            isSticky
+                            popoverContent={
+                              <>
+                                <PopoverMenuItem
+                                  icon={RunsIcon}
+                                  to={path}
+                                  title="View runs"
+                                  leadingIconClassName="text-runs"
+                                />
+                                <PopoverMenuItem
+                                  icon={BeakerIcon}
+                                  to={v3PlaygroundAgentPath(organization, project, environment, agent.slug)}
+                                  title="Playground"
+                                  leadingIconClassName="text-indigo-400"
+                                />
+                              </>
+                            }
+                            hiddenButtons={
+                              <LinkButton
+                                variant="minimal/small"
+                                LeadingIcon={BeakerIcon}
+                                leadingIconClassName="text-text-bright"
+                                to={v3PlaygroundAgentPath(organization, project, environment, agent.slug)}
+                              >
+                                Playground
+                              </LinkButton>
+                            }
+                          />
+                        </TableRow>
+                      );
+                    })
+                  ) : (
+                    <TableBlankRow colSpan={8}>
+                      <Paragraph variant="small" className="flex items-center justify-center">
+                        No agents match your filters
+                      </Paragraph>
+                    </TableBlankRow>
+                  )}
+                </TableBody>
+              </Table>
+            </div>
+          </div>
+        </div>
+      </PageBody>
+    </PageContainer>
+  );
+}
+
+function formatAgentType(type: string): string {
+  switch (type) {
+    case "ai-sdk-chat":
+      return "AI SDK Chat";
+    default:
+      return type;
+  }
+}
+
+function formatCount(total: number): string {
+  if (total === 0) return "0";
+  if (total >= 1000) return `${(total / 1000).toFixed(1)}k`;
+  return total.toString();
+}
+
+function formatCost(total: number): string {
+  if (total === 0) return "$0";
+  if (total < 0.01) return `$${total.toFixed(4)}`;
+  if (total < 1) return `$${total.toFixed(2)}`;
+  return `$${total.toFixed(2)}`;
+}
+
+function formatTokens(total: number): string {
+  if (total === 0) return "0";
+  if (total >= 1_000_000) return `${(total / 1_000_000).toFixed(1)}M`;
+  if (total >= 1000) return `${(total / 1000).toFixed(1)}k`;
+  return total.toString();
+}
+
+function SparklinePlaceholder() {
+  return <div className="h-6 w-24" />;
+}
+
+function SparklineWithTotal({
+  data,
+  formatTotal,
+  color = "text-text-bright",
+  barColor = "#3B82F6",
+}: {
+  data?: number[];
+  formatTotal: (total: number) => string;
+  color?: string;
+  barColor?: string;
+}) {
+  if (!data || data.every((v) => v === 0)) {
+    return <span className="text-text-dimmed">–</span>;
+  }
+
+  const total = data.reduce((sum, v) => sum + v, 0);
+  const max = Math.max(...data);
+
+  return (
+    <div className="flex items-center gap-2">
+      <div className="flex h-5 items-end gap-px">
+        {data.map((value, i) => {
+          const height = max > 0 ? Math.max((value / max) * 100, value > 0 ? 8 : 0) : 0;
+          return (
+            <div
+              key={i}
+              className="w-[3px] rounded-t-[1px]"
+              style={{
+                height: `${height}%`,
+                backgroundColor: value > 0 ? barColor : "transparent",
+                opacity: value > 0 ? 0.8 : 0,
+              }}
+            />
+          );
+        })}
+      </div>
+      <span className={cn("text-xs tabular-nums", color)}>{formatTotal(total)}</span>
+    </div>
+  );
+}
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.batches/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.batches/route.tsx
index eaa040c4081..47318edd355 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.batches/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.batches/route.tsx
@@ -30,6 +30,7 @@ import {
   TableHeader,
   TableHeaderCell,
   TableRow,
+  CopyableTableCell,
 } from "~/components/primitives/Table";
 import { SimpleTooltip } from "~/components/primitives/Tooltip";
 import { BatchFilters, BatchListFilters } from "~/components/runs/v3/BatchFilters";
@@ -53,6 +54,7 @@ import {
   v3BatchPath,
   v3BatchRunsPath,
 } from "~/utils/pathBuilder";
+import { throwNotFound } from "~/utils/httpErrors";
 
 export const meta: MetaFunction = () => {
   return [
@@ -73,7 +75,7 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
 
   const environment = await findEnvironmentBySlug(project.id, envParam, userId);
   if (!environment) {
-    throw new Error("Environment not found");
+    throwNotFound("Environment not found");
   }
 
   const url = new URL(request.url);
@@ -234,9 +236,9 @@ function BatchesTable({ batches, hasFilters, filters }: BatchList) {
 
             return (
               <TableRow key={batch.id} className={isSelected ? "bg-grid-dimmed" : undefined}>
-                <TableCell to={inspectorPath} isTabbableCell>
+                <CopyableTableCell value={batch.friendlyId} to={inspectorPath} isTabbableCell>
                   {batch.friendlyId}
-                </TableCell>
+                </CopyableTableCell>
 
                 <TableCell to={inspectorPath}>
                   {batch.batchVersion === "v1" ? (
@@ -286,7 +288,7 @@ function BatchesTable({ batches, hasFilters, filters }: BatchList) {
         {isLoading && (
           <TableBlankRow
             colSpan={8}
-            className="absolute left-0 top-0 flex h-full w-full items-center justify-center gap-2 bg-charcoal-900/90"
+            className="absolute left-0 top-0 flex h-full w-full items-center justify-center gap-2 bg-background-dimmed/90"
           >
             <Spinner /> <span className="text-text-dimmed">Loading…</span>
           </TableBlankRow>
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.branches/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.branches/route.tsx
index c7d54d1842e..39db1d96f3a 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.branches/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.branches/route.tsx
@@ -132,10 +132,7 @@ const PurchaseSchema = z.discriminatedUnion("action", [
   }),
   z.object({
     action: z.literal("quota-increase"),
-    amount: z.coerce
-      .number()
-      .int("Must be a whole number")
-      .min(1, "Amount must be greater than 0"),
+    amount: z.coerce.number().int("Must be a whole number").min(1, "Amount must be greater than 0"),
   }),
 ]);
 
@@ -329,23 +326,16 @@ export default function Page() {
             </MainCenteredContainer>
           ) : (
             <>
-              <div className="flex items-center justify-between gap-x-2 p-2">
+              <div className="flex items-center justify-between gap-x-1.5 p-2">
                 <BranchFilters />
-                <div className="flex items-center justify-end gap-x-2">
-                  <PaginationControls
-                    currentPage={currentPage}
-                    totalPages={totalPages}
-                    showPageNumbers={false}
-                  />
-                </div>
+                <PaginationControls
+                  currentPage={currentPage}
+                  totalPages={totalPages}
+                  showPageNumbers={false}
+                />
               </div>
 
-              <div
-                className={cn(
-                  "grid max-h-full min-h-full overflow-x-auto",
-                  totalPages > 1 ? "grid-rows-[1fr_auto]" : "grid-rows-[1fr]"
-                )}
-              >
+              <div className="grid max-h-full min-h-full grid-rows-[1fr] overflow-x-auto">
                 <Table>
                   <TableHeader>
                     <TableRow>
@@ -438,14 +428,6 @@ export default function Page() {
                     )}
                   </TableBody>
                 </Table>
-                <div
-                  className={cn(
-                    "flex min-h-full",
-                    totalPages > 1 && "justify-end border-t border-grid-dimmed px-2 py-3"
-                  )}
-                >
-                  <PaginationControls currentPage={currentPage} totalPages={totalPages} />
-                </div>
               </div>
 
               <div className="flex w-full items-start justify-between">
@@ -545,12 +527,12 @@ export function BranchFilters() {
 
   return (
     <div className="flex w-full items-center justify-between gap-2">
-      <SearchInput placeholder="Search branch name" resetParams={["page"]} />
+      <SearchInput placeholder="Search branch name…" resetParams={["page"]} />
       <Switch
         checked={showArchived ?? false}
         onCheckedChange={handleArchivedChange}
         label="Show archived"
-        variant="small"
+        variant="secondary/small"
       />
     </div>
   );
@@ -673,7 +655,13 @@ function PurchaseBranchesModal({
   const [open, setOpen] = useState(false);
   useEffect(() => {
     const data = fetcher.data;
-    if (fetcher.state === "idle" && data !== null && typeof data === "object" && "ok" in data && data.ok) {
+    if (
+      fetcher.state === "idle" &&
+      data !== null &&
+      typeof data === "object" &&
+      "ok" in data &&
+      data.ok
+    ) {
       setOpen(false);
     }
   }, [fetcher.state, fetcher.data]);
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.dashboards.$dashboardKey/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.dashboards.$dashboardKey/route.tsx
index 57b6b71db6f..3f922351bfb 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.dashboards.$dashboardKey/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.dashboards.$dashboardKey/route.tsx
@@ -1,6 +1,8 @@
+import { XMarkIcon } from "@heroicons/react/20/solid";
 import { type LoaderFunctionArgs } from "@remix-run/node";
+import { Form } from "@remix-run/react";
 import type { TaskTriggerSource } from "@trigger.dev/database";
-import { useCallback, useEffect, useMemo, useRef, useState } from "react";
+import { type ReactNode, useCallback, useEffect, useMemo, useRef, useState } from "react";
 import ReactGridLayout from "react-grid-layout";
 import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import { z } from "zod";
@@ -15,16 +17,16 @@ import { QueuesFilter } from "~/components/metrics/QueuesFilter";
 import { ScopeFilter } from "~/components/metrics/ScopeFilter";
 import { TitleWidget } from "~/components/metrics/TitleWidget";
 import { CreateDashboardPageButton } from "~/components/navigation/DashboardDialogs";
-import { NavBar, PageAccessories, PageTitle } from "~/components/primitives/PageHeader";
+import { Button } from "~/components/primitives/Buttons";
+import { NavBar, PageTitle } from "~/components/primitives/PageHeader";
 import { TimeFilter } from "~/components/runs/v3/SharedFilters";
-import { $replica } from "~/db.server";
 import { useEnvironment } from "~/hooks/useEnvironment";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
 import { useSearchParams } from "~/hooks/useSearchParam";
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
-import { getAllTaskIdentifiers } from "~/models/task.server";
+import { getTaskIdentifiers } from "~/models/task.server";
 import {
   type BuiltInDashboardFilter,
   type LayoutItem,
@@ -32,7 +34,7 @@ import {
   MetricDashboardPresenter,
 } from "~/presenters/v3/MetricDashboardPresenter.server";
 import { PromptPresenter } from "~/presenters/v3/PromptPresenter.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { requireUser } from "~/services/session.server";
 import { cn } from "~/utils/cn";
 import { EnvironmentParamSchema } from "~/utils/pathBuilder";
@@ -70,15 +72,17 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
       organizationId: project.organizationId,
       key: dashboardKey,
     }),
-    getAllTaskIdentifiers($replica, environment.id),
+    getTaskIdentifiers(environment.id),
   ]);
 
   const filters = dashboard.filters ?? ["tasks", "queues"];
 
+  const clickhouse = await clickhouseFactory.getClickhouseForOrganization(project.organizationId, "standard");
+
   // Load distinct models from ClickHouse if the dashboard has a models filter
   let possibleModels: { model: string; system: string }[] = [];
   if (filters.includes("models")) {
-    const queryFn = clickhouseClient.reader.query({
+    const queryFn = clickhouse.reader.query({
       name: "getDistinctModels",
       query: `SELECT response_model, any(gen_ai_system) AS gen_ai_system FROM trigger_dev.llm_metrics_v1 WHERE organization_id = {organizationId: String} AND project_id = {projectId: String} AND environment_id = {environmentId: String} AND response_model != '' GROUP BY response_model ORDER BY response_model`,
       params: z.object({
@@ -98,7 +102,7 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     }
   }
 
-  const promptPresenter = new PromptPresenter(clickhouseClient);
+  const promptPresenter = new PromptPresenter(clickhouse);
   const [possiblePrompts, possibleOperations, possibleProviders] = await Promise.all([
     filters.includes("prompts")
       ? promptPresenter.getDistinctPromptSlugs(project.organizationId, project.id, environment.id)
@@ -114,9 +118,7 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   return typedjson({
     ...dashboard,
     filters,
-    possibleTasks: possibleTasks
-      .map((task) => ({ slug: task.slug, triggerSource: task.triggerSource }))
-      .sort((a, b) => a.slug.localeCompare(b.slug)),
+    possibleTasks,
     possibleModels,
     possiblePrompts,
     possibleOperations,
@@ -146,13 +148,6 @@ export default function Page() {
     <PageContainer>
       <NavBar>
         <PageTitle title={title} />
-        <PageAccessories>
-          <CreateDashboardPageButton
-            organization={organization}
-            project={project}
-            environment={environment}
-          />
-        </PageAccessories>
       </NavBar>
       <PageBody scrollable={false}>
         <div className="h-full">
@@ -168,6 +163,14 @@ export default function Page() {
             possiblePrompts={possiblePrompts}
             possibleOperations={possibleOperations}
             possibleProviders={possibleProviders}
+            filterAccessories={
+              <CreateDashboardPageButton
+                organization={organization}
+                project={project}
+                environment={environment}
+                shortcut={{ key: "n" }}
+              />
+            }
           />
         </div>
       </PageBody>
@@ -191,6 +194,7 @@ export function MetricDashboard({
   onRenameWidget,
   onDeleteWidget,
   onDuplicateWidget,
+  filterAccessories,
 }: {
   /** The layout items (positions/sizes) - fully controlled from parent */
   layout: LayoutItem[];
@@ -201,7 +205,7 @@ export function MetricDashboard({
   /** Which filters to show. Defaults to ["tasks", "queues"]. */
   filters?: BuiltInDashboardFilter[];
   /** Possible tasks for filtering */
-  possibleTasks?: { slug: string; triggerSource: TaskTriggerSource }[];
+  possibleTasks?: { slug: string; triggerSource: TaskTriggerSource; isInLatestDeployment: boolean }[];
   /** Possible models for filtering */
   possibleModels?: ModelOption[];
   /** Possible prompt slugs for filtering */
@@ -215,6 +219,7 @@ export function MetricDashboard({
   onRenameWidget?: (widgetId: string, newTitle: string) => void;
   onDeleteWidget?: (widgetId: string) => void;
   onDuplicateWidget?: (widgetId: string, widget: WidgetData) => void;
+  filterAccessories?: ReactNode;
 }) {
   const { value, values } = useSearchParams();
   const { width, containerRef, mounted } = useContainerWidth();
@@ -242,6 +247,13 @@ export function MetricDashboard({
   const providers = values("providers").filter((v) => v !== "");
 
   const activeFilters = filterConfig ?? ["tasks", "queues"];
+  const hasAppliedFilters =
+    tasks.length > 0 ||
+    queues.length > 0 ||
+    models.length > 0 ||
+    prompts.length > 0 ||
+    operations.length > 0 ||
+    providers.length > 0;
 
   const handleLayoutChange = useCallback(
     (newLayout: readonly LayoutItem[]) => {
@@ -266,31 +278,48 @@ export function MetricDashboard({
 
   return (
     <div className="grid max-h-full grid-rows-[auto_1fr] overflow-hidden">
-      <div className="flex items-center gap-1 border-b border-b-grid-bright py-2 pl-2 pr-3">
-        <ScopeFilter />
-        {activeFilters.includes("tasks") && (
-          <LogsTaskFilter possibleTasks={possibleTasks ?? []} />
-        )}
-        {activeFilters.includes("queues") && <QueuesFilter />}
-        {activeFilters.includes("models") && (
-          <ModelsFilter possibleModels={possibleModels ?? []} />
-        )}
-        {activeFilters.includes("prompts") && (
-          <PromptsFilter possiblePrompts={possiblePrompts ?? []} />
-        )}
-        {activeFilters.includes("operations") && (
-          <OperationsFilter possibleOperations={possibleOperations ?? []} />
-        )}
-        {activeFilters.includes("providers") && (
-          <ProvidersFilter possibleProviders={possibleProviders ?? []} />
+      <div className="flex items-center justify-between gap-x-2 border-b border-b-grid-bright py-2 pl-2 pr-3">
+        <div className="flex flex-wrap items-center gap-x-1.5 gap-y-1">
+          <ScopeFilter shortcut={{ key: "s" }} />
+          {activeFilters.includes("tasks") && (
+            <LogsTaskFilter possibleTasks={possibleTasks ?? []} />
+          )}
+          {activeFilters.includes("queues") && <QueuesFilter />}
+          {activeFilters.includes("models") && (
+            <ModelsFilter possibleModels={possibleModels ?? []} />
+          )}
+          {activeFilters.includes("prompts") && (
+            <PromptsFilter possiblePrompts={possiblePrompts ?? []} />
+          )}
+          {activeFilters.includes("operations") && (
+            <OperationsFilter possibleOperations={possibleOperations ?? []} />
+          )}
+          {activeFilters.includes("providers") && (
+            <ProvidersFilter possibleProviders={possibleProviders ?? []} />
+          )}
+          <TimeFilter
+            defaultPeriod={defaultPeriod}
+            labelName="Period"
+            hideLabel
+            maxPeriodDays={maxPeriodDays}
+            valueClassName="text-text-bright"
+            shortcut={{ key: "d" }}
+          />
+          {hasAppliedFilters && (
+            <Form className="-ml-1 h-6">
+              <Button
+                variant="minimal/small"
+                LeadingIcon={XMarkIcon}
+                tooltip="Clear all filters"
+                className="group-hover/button:bg-transparent"
+                leadingIconClassName="group-hover/button:text-text-bright"
+              />
+            </Form>
+          )}
+        </div>
+        {filterAccessories && (
+          <div className="flex shrink-0 items-center">{filterAccessories}</div>
         )}
-        <TimeFilter
-          defaultPeriod={defaultPeriod}
-          labelName="Period"
-          hideLabel
-          maxPeriodDays={maxPeriodDays}
-          valueClassName="text-text-bright"
-        />
       </div>
       <div
         ref={containerRef}
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.dashboards.custom.$dashboardId/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.dashboards.custom.$dashboardId/route.tsx
index 051ea7a8a28..3236f432e53 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.dashboards.custom.$dashboardId/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.dashboards.custom.$dashboardId/route.tsx
@@ -35,7 +35,7 @@ import { Sheet, SheetContent } from "~/components/primitives/SheetV3";
 import { useToast } from "~/components/primitives/Toast";
 import { SimpleTooltip } from "~/components/primitives/Tooltip";
 import { QueryEditor, type QueryEditorSaveData } from "~/components/query/QueryEditor";
-import { $replica, prisma } from "~/db.server";
+import { prisma } from "~/db.server";
 import { env } from "~/env.server";
 import { useDashboardEditor } from "~/hooks/useDashboardEditor";
 import { useEnvironment } from "~/hooks/useEnvironment";
@@ -44,7 +44,7 @@ import { useProject } from "~/hooks/useProject";
 import { redirectWithSuccessMessage } from "~/models/message.server";
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
-import { getAllTaskIdentifiers } from "~/models/task.server";
+import { getTaskIdentifiers } from "~/models/task.server";
 import { MetricDashboardPresenter } from "~/presenters/v3/MetricDashboardPresenter.server";
 import { QueryPresenter } from "~/presenters/v3/QueryPresenter.server";
 import { requireUser, requireUserId } from "~/services/session.server";
@@ -93,7 +93,7 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     queryPresenter.call({
       organizationId: project.organizationId,
     }),
-    getAllTaskIdentifiers($replica, environment.id),
+    getTaskIdentifiers(environment.id),
   ]);
 
   // Admins and impersonating users can use EXPLAIN
@@ -109,9 +109,7 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     queryHistory: history,
     isAdmin,
     maxRows: env.QUERY_CLICKHOUSE_MAX_RETURNED_ROWS,
-    possibleTasks: possibleTasks
-      .map((task) => ({ slug: task.slug, triggerSource: task.triggerSource }))
-      .sort((a, b) => a.slug.localeCompare(b.slug)),
+    possibleTasks,
     widgetCount,
   });
 };
@@ -207,19 +205,22 @@ export default function Page() {
 
   const toast = useToast();
 
-  const handleSyncError = useCallback((error: Error, action: string) => {
-    const actionMessages: Record<string, string> = {
-      add: "Failed to add widget",
-      update: "Failed to update widget",
-      delete: "Failed to delete widget",
-      duplicate: "Failed to duplicate widget",
-      layout: "Failed to save layout",
-    };
+  const handleSyncError = useCallback(
+    (error: Error, action: string) => {
+      const actionMessages: Record<string, string> = {
+        add: "Failed to add widget",
+        update: "Failed to update widget",
+        delete: "Failed to delete widget",
+        duplicate: "Failed to duplicate widget",
+        layout: "Failed to save layout",
+      };
 
-    const message = actionMessages[action] || "Failed to save changes";
+      const message = actionMessages[action] || "Failed to save changes";
 
-    toast.error(`${message}. Your changes may not be saved.`, { title: "Sync Error" });
-  }, [toast]);
+      toast.error(`${message}. Your changes may not be saved.`, { title: "Sync Error" });
+    },
+    [toast]
+  );
 
   // Add title dialog state
   const [showAddTitleDialog, setShowAddTitleDialog] = useState(false);
@@ -351,88 +352,99 @@ export default function Page() {
       })()
     : null;
 
+  const dashboardMenu = (
+    <Popover>
+      <PopoverVerticalEllipseTrigger variant="secondary" />
+      <PopoverContent className="w-fit min-w-[10rem] p-1" align="end">
+        <div className="flex flex-col gap-1">
+          <RenameDashboardDialog title={title} />
+          <DeleteDashboardDialog title={title} />
+        </div>
+      </PopoverContent>
+    </Popover>
+  );
+
+  const filterAccessories = (
+    <div className="flex items-center gap-x-1.5">
+      {widgetIsAtLimit ? (
+        <>
+          <Dialog>
+            <DialogTrigger asChild>
+              <Button variant="primary/small" LeadingIcon={PlusIcon} shortcut={{ key: "c" }}>
+                Add chart
+              </Button>
+            </DialogTrigger>
+            <DialogContent>
+              <DialogHeader>You've exceeded your widget limit</DialogHeader>
+              <DialogDescription>
+                You've used {widgetLimits.used}/{widgetLimits.limit} widgets on this dashboard.
+              </DialogDescription>
+              <DialogFooter>
+                {widgetCanUpgrade ? (
+                  <LinkButton variant="primary/small" to={v3BillingPath(organization)}>
+                    Upgrade
+                  </LinkButton>
+                ) : (
+                  <Feedback
+                    button={<Button variant="primary/small">Request more</Button>}
+                    defaultValue="help"
+                  />
+                )}
+              </DialogFooter>
+            </DialogContent>
+          </Dialog>
+          <Button
+            variant="secondary/small"
+            LeadingIcon={Type}
+            className="pl-1.5"
+            iconSpacing="gap-x-1"
+            tooltip="Add section title"
+            shortcut={{ key: "h" }}
+            onClick={() => {
+              setNewTitleValue("");
+              setShowAddTitleDialog(true);
+            }}
+          >
+            Add title
+          </Button>
+        </>
+      ) : (
+        <>
+          <Button
+            variant="primary/small"
+            LeadingIcon={IconChartHistogram}
+            className="pl-1.5"
+            iconSpacing="gap-x-1.5"
+            shortcut={{ key: "c" }}
+            onClick={actions.openAddEditor}
+          >
+            Add chart
+          </Button>
+          <Button
+            variant="secondary/small"
+            LeadingIcon={Type}
+            className="pl-1.5"
+            iconSpacing="gap-x-1"
+            tooltip="Add section title"
+            shortcut={{ key: "h" }}
+            onClick={() => {
+              setNewTitleValue("");
+              setShowAddTitleDialog(true);
+            }}
+          >
+            Add title
+          </Button>
+        </>
+      )}
+      {dashboardMenu}
+    </div>
+  );
+
   return (
     <PageContainer>
       <NavBar>
         <PageTitle title={title} />
-        <PageAccessories>
-          {totalWidgetCount > 0 &&
-            (widgetIsAtLimit ? (
-              <>
-                <Dialog>
-                  <DialogTrigger asChild>
-                    <Button variant="primary/small" LeadingIcon={PlusIcon}>
-                      Add chart
-                    </Button>
-                  </DialogTrigger>
-                  <DialogContent>
-                    <DialogHeader>You've exceeded your widget limit</DialogHeader>
-                    <DialogDescription>
-                      You've used {widgetLimits.used}/{widgetLimits.limit} widgets on this
-                      dashboard.
-                    </DialogDescription>
-                    <DialogFooter>
-                      {widgetCanUpgrade ? (
-                        <LinkButton variant="primary/small" to={v3BillingPath(organization)}>
-                          Upgrade
-                        </LinkButton>
-                      ) : (
-                        <Feedback
-                          button={<Button variant="primary/small">Request more</Button>}
-                          defaultValue="help"
-                        />
-                      )}
-                    </DialogFooter>
-                  </DialogContent>
-                </Dialog>
-                <Button
-                  variant="secondary/small"
-                  LeadingIcon={Type}
-                  className="pl-1.5"
-                  iconSpacing="gap-x-1"
-                  onClick={() => {
-                    setNewTitleValue("");
-                    setShowAddTitleDialog(true);
-                  }}
-                >
-                  Add title
-                </Button>
-              </>
-            ) : (
-              <>
-                <Button
-                  variant="primary/small"
-                  LeadingIcon={IconChartHistogram}
-                  className="pl-1.5"
-                  iconSpacing="gap-x-1.5"
-                  onClick={actions.openAddEditor}
-                >
-                  Add chart
-                </Button>
-                <Button
-                  variant="secondary/small"
-                  LeadingIcon={Type}
-                  className="pl-1.5"
-                  iconSpacing="gap-x-1"
-                  onClick={() => {
-                    setNewTitleValue("");
-                    setShowAddTitleDialog(true);
-                  }}
-                >
-                  Add title
-                </Button>
-              </>
-            ))}
-          <Popover>
-            <PopoverVerticalEllipseTrigger variant="secondary" />
-            <PopoverContent className="w-fit min-w-[10rem] p-1" align="end">
-              <div className="flex flex-col gap-1">
-                <RenameDashboardDialog title={title} />
-                <DeleteDashboardDialog title={title} />
-              </div>
-            </PopoverContent>
-          </Popover>
-        </PageAccessories>
+        <PageAccessories>{totalWidgetCount === 0 && dashboardMenu}</PageAccessories>
       </NavBar>
       <PageBody scrollable={false}>
         <div className="flex h-full flex-col">
@@ -473,6 +485,7 @@ export default function Page() {
                 onRenameWidget={actions.renameWidget}
                 onDeleteWidget={actions.deleteWidget}
                 onDuplicateWidget={actions.duplicateWidget}
+                filterAccessories={filterAccessories}
               />
             )}
           </div>
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables.new/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables.new/route.tsx
index 86bd5bbc95d..4c318323b58 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables.new/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables.new/route.tsx
@@ -9,10 +9,11 @@ import {
 import { parse } from "@conform-to/zod";
 import { LockClosedIcon, LockOpenIcon, PlusIcon, XMarkIcon } from "@heroicons/react/20/solid";
 import { Form, useActionData, useNavigate, useNavigation } from "@remix-run/react";
-import { type ActionFunctionArgs, type LoaderFunctionArgs, json } from "@remix-run/server-runtime";
+import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
 import dotenv from "dotenv";
-import { type RefObject, useCallback, useEffect, useRef, useState } from "react";
-import { redirect, typedjson, useTypedLoaderData } from "remix-typedjson";
+import { type RefObject, useCallback, useRef, useState } from "react";
+import { redirect } from "remix-typedjson";
+import invariant from "tiny-invariant";
 import { z } from "zod";
 import { EnvironmentLabel } from "~/components/environments/EnvironmentLabel";
 import { Button, LinkButton } from "~/components/primitives/Buttons";
@@ -39,13 +40,15 @@ import { useEnvironment } from "~/hooks/useEnvironment";
 import { useList } from "~/hooks/useList";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
-import { EnvironmentVariablesPresenter } from "~/presenters/v3/EnvironmentVariablesPresenter.server";
-import { logger } from "~/services/logger.server";
+import { useTypedMatchesData } from "~/hooks/useTypedMatchData";
 import { requireUserId } from "~/services/session.server";
 import { cn } from "~/utils/cn";
+import {
+  environmentVariablesRouteId,
+  type loader as environmentVariablesLoader,
+} from "~/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables/route";
 import {
   EnvironmentParamSchema,
-  ProjectParamSchema,
   v3BillingPath,
   v3EnvironmentVariablesPath,
 } from "~/utils/pathBuilder";
@@ -53,29 +56,6 @@ import { EnvironmentVariablesRepository } from "~/v3/environmentVariables/enviro
 import { EnvironmentVariableKey } from "~/v3/environmentVariables/repository";
 import { Select, SelectItem } from "~/components/primitives/Select";
 
-export const loader = async ({ request, params }: LoaderFunctionArgs) => {
-  const userId = await requireUserId(request);
-  const { projectParam } = ProjectParamSchema.parse(params);
-
-  try {
-    const presenter = new EnvironmentVariablesPresenter();
-    const { environments, hasStaging } = await presenter.call({
-      userId,
-      projectSlug: projectParam,
-    });
-
-    return typedjson({
-      environments,
-      hasStaging,
-    });
-  } catch (error) {
-    throw new Response(undefined, {
-      status: 400,
-      statusText: "Something went wrong, if this problem persists please contact support.",
-    });
-  }
-};
-
 const Variable = z.object({
   key: EnvironmentVariableKey,
   value: z.string().nonempty("Value is required"),
@@ -185,8 +165,15 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
 };
 
 export default function Page() {
-  const [isOpen, setIsOpen] = useState(false);
-  const { environments, hasStaging } = useTypedLoaderData<typeof loader>();
+  const [isOpen, setIsOpen] = useState(true);
+  const parentData = useTypedMatchesData<typeof environmentVariablesLoader>({
+    id: environmentVariablesRouteId,
+  });
+  invariant(
+    parentData,
+    "Environment variables page loader data must be defined when rendering the create dialog"
+  );
+  const { environments, hasStaging } = parentData;
   const lastSubmission = useActionData();
   const navigation = useNavigation();
   const navigate = useNavigate();
@@ -259,10 +246,6 @@ export default function Page() {
 
   const [revealAll, setRevealAll] = useState(true);
 
-  useEffect(() => {
-    setIsOpen(true);
-  }, []);
-
   return (
     <Dialog
       open={isOpen}
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables/route.tsx
index f7f91f33274..389551fc75f 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables/route.tsx
@@ -4,18 +4,29 @@ import {
   BookOpenIcon,
   InformationCircleIcon,
   LockClosedIcon,
-  MagnifyingGlassIcon,
   PencilSquareIcon,
   PlusIcon,
   TrashIcon,
 } from "@heroicons/react/20/solid";
-import { Form, type MetaFunction, Outlet, useActionData, useFetcher, useNavigation, useRevalidator } from "@remix-run/react";
 import {
-  type ActionFunctionArgs,
-  type LoaderFunctionArgs,
-  json,
-} from "@remix-run/server-runtime";
-import { useEffect, useMemo, useState } from "react";
+  Form,
+  type MetaFunction,
+  Outlet,
+  useActionData,
+  useFetcher,
+  useNavigation,
+  useRevalidator,
+} from "@remix-run/react";
+import { type ActionFunctionArgs, type LoaderFunctionArgs, json } from "@remix-run/server-runtime";
+import { useVirtualizer } from "@tanstack/react-virtual";
+import {
+  useEffect,
+  useLayoutEffect,
+  useMemo,
+  useRef,
+  useState,
+  type RefObject,
+} from "react";
 import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import { z } from "zod";
 import { EnvironmentCombo } from "~/components/environments/EnvironmentLabel";
@@ -30,9 +41,9 @@ import { Fieldset } from "~/components/primitives/Fieldset";
 import { FormButtons } from "~/components/primitives/FormButtons";
 import { FormError } from "~/components/primitives/FormError";
 import { Header2 } from "~/components/primitives/Headers";
-import { InfoPanel } from "~/components/primitives/InfoPanel";
 import { Input } from "~/components/primitives/Input";
 import { InputGroup } from "~/components/primitives/InputGroup";
+import { SearchInput } from "~/components/primitives/SearchInput";
 import { Label } from "~/components/primitives/Label";
 import { NavBar, PageAccessories, PageTitle } from "~/components/primitives/PageHeader";
 import { Paragraph } from "~/components/primitives/Paragraph";
@@ -50,6 +61,7 @@ import { SimpleTooltip } from "~/components/primitives/Tooltip";
 import { prisma } from "~/db.server";
 import { useEnvironment } from "~/hooks/useEnvironment";
 import { useFuzzyFilter } from "~/hooks/useFuzzyFilter";
+import { useSearchParams } from "~/hooks/useSearchParam";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
 import { redirectWithSuccessMessage } from "~/models/message.server";
@@ -57,6 +69,7 @@ import {
   type EnvironmentVariableWithSetValues,
   EnvironmentVariablesPresenter,
 } from "~/presenters/v3/EnvironmentVariablesPresenter.server";
+import { type EnvironmentVariablesEnvironment } from "~/presenters/v3/environmentVariablesEnvironments.server";
 import { requireUserId } from "~/services/session.server";
 import { cn } from "~/utils/cn";
 import {
@@ -76,7 +89,11 @@ import { UserAvatar } from "~/components/UserProfilePhoto";
 import { VercelIntegrationService } from "~/services/vercelIntegration.server";
 import { fromPromise } from "neverthrow";
 import { logger } from "~/services/logger.server";
-import { shouldSyncEnvVar, isPullEnvVarsEnabledForEnvironment, type TriggerEnvironmentType } from "~/v3/vercel/vercelProjectIntegrationSchema";
+import {
+  shouldSyncEnvVar,
+  isPullEnvVarsEnabledForEnvironment,
+  type TriggerEnvironmentType,
+} from "~/v3/vercel/vercelProjectIntegrationSchema";
 
 export const meta: MetaFunction = () => {
   return [
@@ -86,16 +103,31 @@ export const meta: MetaFunction = () => {
   ];
 };
 
+type PageVercelIntegration = NonNullable<
+  Awaited<ReturnType<EnvironmentVariablesPresenter["call"]>>["vercelIntegration"]
+>;
+
+export type EnvironmentVariablesPageLoaderData = {
+  environmentVariables: EnvironmentVariableWithSetValues[];
+  environments: EnvironmentVariablesEnvironment[];
+  hasStaging: boolean;
+  vercelIntegration: PageVercelIntegration | null;
+};
+
+export const environmentVariablesRouteId =
+  "routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables";
+
 export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   const userId = await requireUserId(request);
   const { projectParam } = ProjectParamSchema.parse(params);
 
   try {
     const presenter = new EnvironmentVariablesPresenter();
-    const { environmentVariables, environments, hasStaging, vercelIntegration } = await presenter.call({
-      userId,
-      projectSlug: projectParam,
-    });
+    const { environmentVariables, environments, hasStaging, vercelIntegration } =
+      await presenter.call({
+        userId,
+        projectSlug: projectParam,
+      });
 
     return typedjson({
       environmentVariables,
@@ -123,7 +155,9 @@ const schema = z.discriminatedUnion("action", [
     action: z.literal("update-vercel-sync"),
     key: z.string(),
     environmentType: z.enum(["PRODUCTION", "STAGING", "PREVIEW", "DEVELOPMENT"]),
-    syncEnabled: z.union([z.literal("true"), z.literal("false")]).transform((val) => val === "true"),
+    syncEnabled: z
+      .union([z.literal("true"), z.literal("false")])
+      .transform((val) => val === "true"),
   }),
 ]);
 
@@ -247,21 +281,45 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
   }
 };
 
+const SSR_ROW_WINDOW = 50;
+const ROW_ESTIMATE_HEIGHT = 44;
+const VIRTUAL_OVERSCAN = 10;
+
+type GroupedEnvironmentVariable = EnvironmentVariableWithSetValues & {
+  isFirstTime: boolean;
+  isLastTime: boolean;
+  occurences: number;
+};
+
 export default function Page() {
+  const loaderData = useTypedLoaderData<EnvironmentVariablesPageLoaderData>();
+
+  return <EnvironmentVariablesListPage loaderData={loaderData} />;
+}
+
+function EnvironmentVariablesListPage({
+  loaderData,
+}: {
+  loaderData: EnvironmentVariablesPageLoaderData;
+}) {
   const [revealAll, setRevealAll] = useState(false);
-  const { environmentVariables, environments, vercelIntegration } = useTypedLoaderData<typeof loader>();
+  const { environmentVariables, vercelIntegration } = loaderData;
   const organization = useOrganization();
   const project = useProject();
   const environment = useEnvironment();
-  const { filterText, setFilterText, filteredItems } =
-    useFuzzyFilter<EnvironmentVariableWithSetValues>({
-      items: environmentVariables,
-      keys: ["key", "value", "environment.type", "environment.branchName"],
-    });
+  const { value } = useSearchParams();
+  const urlSearch = value("search") ?? "";
+  const { filteredItems } = useFuzzyFilter<EnvironmentVariableWithSetValues>({
+    items: environmentVariables,
+    keys: ["key", "value", "environment.type", "environment.branchName"],
+    filterText: urlSearch,
+  });
+
+  const tableScrollRef = useRef<HTMLDivElement>(null);
 
   // Add isFirst and isLast to each environment variable
   // They're set based on if they're the first or last time that `key` has been seen in the list
-  const groupedEnvironmentVariables = useMemo(() => {
+  const groupedEnvironmentVariables = useMemo((): GroupedEnvironmentVariable[] => {
     // Create a map to track occurrences of each key
     const keyOccurrences = new Map<string, number>();
 
@@ -296,6 +354,22 @@ export default function Page() {
     });
   }, [filteredItems]);
 
+  const shouldVirtualize = groupedEnvironmentVariables.length > SSR_ROW_WINDOW;
+  const [isVirtualized, setIsVirtualized] = useState(false);
+
+  useLayoutEffect(() => {
+    setIsVirtualized(shouldVirtualize);
+  }, [shouldVirtualize]);
+
+  const staticRows = useMemo(() => {
+    if (shouldVirtualize) {
+      return groupedEnvironmentVariables.slice(0, SSR_ROW_WINDOW);
+    }
+    return groupedEnvironmentVariables;
+  }, [groupedEnvironmentVariables, shouldVirtualize]);
+
+  const vercelColumnCount = vercelIntegration?.enabled ? 6 : 5;
+
   return (
     <PageContainer>
       <NavBar>
@@ -311,21 +385,13 @@ export default function Page() {
         </PageAccessories>
       </NavBar>
       <PageBody scrollable={false}>
-        <div className={cn("flex h-full flex-col")}>
+        <div className={cn("flex h-full min-h-0 flex-col")}>
           {environmentVariables.length > 0 && (
             <div className="flex items-center justify-between gap-2 px-2 py-2">
-              <Input
-                placeholder="Search variables"
-                variant="tertiary"
-                icon={MagnifyingGlassIcon}
-                fullWidth={true}
-                value={filterText}
-                onChange={(e) => setFilterText(e.target.value)}
-                autoFocus
-              />
-              <div className="flex items-center justify-end gap-2">
+              <SearchInput placeholder="Search variables…" autoFocus />
+              <div className="flex items-center justify-end gap-1.5">
                 <Switch
-                  variant="small"
+                  variant="secondary/small"
                   label="Reveal values"
                   checked={revealAll}
                   onCheckedChange={(e) => setRevealAll(e.valueOf())}
@@ -341,193 +407,285 @@ export default function Page() {
               </div>
             </div>
           )}
-          <Table containerClassName={cn(filteredItems.length === 0 && "border-t-0")}>
-            <TableHeader>
-              <TableRow>
-                <TableHeaderCell className={vercelIntegration?.enabled ? "w-[22%]" : "w-[25%]"}>
-                  Key
-                </TableHeaderCell>
-                <TableHeaderCell className={vercelIntegration?.enabled ? "w-[32%]" : "w-[37%]"}>
-                  Value
-                </TableHeaderCell>
-                <TableHeaderCell className={vercelIntegration?.enabled ? "w-[13%]" : "w-[15%]"}>
-                  Environment
-                </TableHeaderCell>
-                {vercelIntegration?.enabled && (
-                  <TableHeaderCell className="w-[8%]">
+          <div
+            ref={tableScrollRef}
+            className="min-h-0 flex-1 overflow-auto scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600"
+          >
+            <Table
+              containerClassName={cn(
+                filteredItems.length === 0 && "border-t-0",
+                "overflow-visible"
+              )}
+            >
+              <TableHeader>
+                <TableRow>
+                  <TableHeaderCell className={vercelIntegration?.enabled ? "w-[22%]" : "w-[25%]"}>
+                    Key
+                  </TableHeaderCell>
+                  <TableHeaderCell className={vercelIntegration?.enabled ? "w-[32%]" : "w-[37%]"}>
+                    Value
+                  </TableHeaderCell>
+                  <TableHeaderCell className={vercelIntegration?.enabled ? "w-[13%]" : "w-[15%]"}>
                     <SimpleTooltip
                       button={
                         <span className="flex items-center gap-1">
-                          Sync
+                          Environment
                           <InformationCircleIcon className="size-4 text-text-dimmed" />
                         </span>
                       }
-                      content="When enabled, this variable will be pulled from Vercel during builds. Requires 'Pull env vars before build' to be enabled in settings."
+                      content="Dev environment variables specified here will be overridden by ones in your .env file when running locally."
+                      className="max-w-60"
                     />
                   </TableHeaderCell>
-                )}
-                <TableHeaderCell className={vercelIntegration?.enabled ? "w-[24%]" : "w-[22%]"}>
-                  Updated
-                </TableHeaderCell>
-                <TableHeaderCell hiddenLabel className="w-0">
-                  Actions
-                </TableHeaderCell>
-              </TableRow>
-            </TableHeader>
-            <TableBody>
-              {groupedEnvironmentVariables.length > 0 ? (
-                groupedEnvironmentVariables.map((variable) => {
-                  const cellClassName = "py-2";
-                  let borderedCellClassName = "";
-
-                  if (variable.occurences > 1) {
-                    borderedCellClassName =
-                      "relative after:absolute after:bottom-0 after:left-0 after:right-0 after:h-px after:bg-grid-bright group-hover/table-row:after:bg-grid-bright group-hover/table-row:before:bg-grid-bright";
-                    if (variable.isLastTime) {
-                      borderedCellClassName = "";
-                    } else if (variable.isFirstTime) {
-                    }
-                  } else {
-                  }
-
-                  return (
-                    <TableRow
-                      key={`${variable.id}-${variable.environment.id}`}
-                      className={
-                        variable.isLastTime ? "after:bg-charcoal-600" : "after:bg-transparent"
-                      }
-                    >
-                      <TableCell className={cellClassName}>
-                        {variable.isFirstTime ? (
-                          <CopyableText value={variable.key} className="font-mono" />
-                        ) : null}
-                      </TableCell>
-                      <TableCell
-                        className={cn(cellClassName, borderedCellClassName, "after:left-3")}
-                      >
-                        {variable.isSecret ? (
-                          <SimpleTooltip
-                            button={
-                              <div className="flex items-center gap-x-1">
-                                <LockClosedIcon className="size-3 text-text-dimmed" />
-                                <span className="text-xs text-text-dimmed">Secret</span>
-                              </div>
-                            }
-                            content="This variable is secret and cannot be revealed."
-                          />
-                        ) : (
-                          <ClipboardField
-                            secure={!revealAll}
-                            value={variable.value}
-                            variant={"secondary/small"}
-                            fullWidth={true}
-                          />
-                        )}
-                      </TableCell>
-
-                      <TableCell className={cn(cellClassName, borderedCellClassName)}>
-                        <EnvironmentCombo environment={variable.environment} className="text-sm" />
-                      </TableCell>
-                      {vercelIntegration?.enabled && (
-                        <TableCell className={cn(cellClassName, borderedCellClassName)}>
-                          {variable.environment.type !== "DEVELOPMENT" && (
-                            <VercelSyncCheckbox
-                              envVarKey={variable.key}
-                              environmentType={variable.environment.type as TriggerEnvironmentType}
-                              syncEnabled={shouldSyncEnvVar(
-                                vercelIntegration.syncEnvVarsMapping,
-                                variable.key,
-                                variable.environment.type as TriggerEnvironmentType
-                              )}
-                              pullEnvVarsEnabledForEnv={isPullEnvVarsEnabledForEnvironment(
-                                vercelIntegration.pullEnvVarsBeforeBuild,
-                                variable.environment.type as TriggerEnvironmentType
-                              )}
-                            />
-                          )}
-                        </TableCell>
-                      )}
-                      <TableCell className={cn(cellClassName, borderedCellClassName)}>
-                        <div className="flex items-center gap-3">
-                          {variable.updatedByUser ? (
-                            <div className="flex items-center gap-2">
-                              <UserAvatar
-                                avatarUrl={variable.updatedByUser.avatarUrl}
-                                name={variable.updatedByUser.name}
-                                className="size-5"
-                              />
-                              <span className="text-sm">{variable.updatedByUser.name}</span>
-                            </div>
-                          ) : (variable.lastUpdatedBy?.type === "integration" && variable.lastUpdatedBy?.integration === 'vercel' ) ? (
-                            <div className="flex items-center gap-2">
-                              <VercelLogo className="size-4 text-text-dimmed group-hover/table-row:text-text-bright transition-colors" />
-                              <span className="text-sm text-text-dimmed group-hover/table-row:text-text-bright capitalize transition-colors">
-                                {variable.lastUpdatedBy.integration}
-                              </span>
-                            </div>
-                          ) : null}
-                          {variable.updatedAt ? (
-                            <span className="text-sm text-text-dimmed">
-                              <DateTime date={variable.updatedAt} includeSeconds={false} />
-                            </span>
-                          ) : null}
-                        </div>
-                      </TableCell>
-                      <TableCellMenu
-                        isSticky
-                        className="w-0 [&:has(.group-hover/table-row:block)]:w-auto"
-                        hiddenButtons={
-                          <>
-                            <EditEnvironmentVariablePanel
-                              variable={variable}
-                              revealAll={revealAll}
-                            />
-                            <DeleteEnvironmentVariableButton variable={variable} />
-                          </>
+                  {vercelIntegration?.enabled && (
+                    <TableHeaderCell className="w-[8%]">
+                      <SimpleTooltip
+                        button={
+                          <span className="flex items-center gap-1">
+                            Sync
+                            <InformationCircleIcon className="size-4 text-text-dimmed" />
+                          </span>
                         }
+                        content="When enabled, this variable will be pulled from Vercel during builds. Requires 'Pull env vars before build' to be enabled in settings."
                       />
-                    </TableRow>
-                  );
-                })
-              ) : (
-                <TableRow>
-                  <TableCell colSpan={vercelIntegration?.enabled ? 6 : 5}>
-                    {environmentVariables.length === 0 ? (
-                      <div className="flex flex-col items-center justify-center gap-y-4 py-8">
-                        <Header2>You haven't set any environment variables yet.</Header2>
-                        <LinkButton
-                          to={v3NewEnvironmentVariablesPath(organization, project, environment)}
-                          variant="primary/medium"
-                          LeadingIcon={PlusIcon}
-                          shortcut={{ key: "n" }}
-                        >
-                          Add new
-                        </LinkButton>
-                      </div>
-                    ) : (
-                      <div className="flex flex-col items-center justify-center gap-y-4 py-8">
-                        <Paragraph>No variables match your search.</Paragraph>
-                      </div>
-                    )}
-                  </TableCell>
+                    </TableHeaderCell>
+                  )}
+                  <TableHeaderCell className={vercelIntegration?.enabled ? "w-[24%]" : "w-[22%]"}>
+                    Updated
+                  </TableHeaderCell>
+                  <TableHeaderCell hiddenLabel className="w-0">
+                    Actions
+                  </TableHeaderCell>
                 </TableRow>
+              </TableHeader>
+              {groupedEnvironmentVariables.length > 0 ? (
+                isVirtualized && shouldVirtualize ? (
+                  <EnvironmentVariablesVirtualTableBody
+                    groupedEnvironmentVariables={groupedEnvironmentVariables}
+                    scrollRef={tableScrollRef}
+                    revealAll={revealAll}
+                    vercelIntegration={vercelIntegration}
+                    columnCount={vercelColumnCount}
+                  />
+                ) : (
+                  <TableBody>
+                    {staticRows.map((variable) => (
+                      <EnvironmentVariableTableRow
+                        key={`${variable.id}-${variable.environment.id}`}
+                        variable={variable}
+                        revealAll={revealAll}
+                        vercelIntegration={vercelIntegration}
+                      />
+                    ))}
+                  </TableBody>
+                )
+              ) : (
+                <TableBody>
+                  <TableRow>
+                    <TableCell colSpan={vercelColumnCount}>
+                      {environmentVariables.length === 0 ? (
+                        <div className="flex flex-col items-center justify-center gap-y-4 py-8">
+                          <Header2>You haven't set any environment variables yet.</Header2>
+                          <LinkButton
+                            to={v3NewEnvironmentVariablesPath(organization, project, environment)}
+                            variant="primary/medium"
+                            LeadingIcon={PlusIcon}
+                            shortcut={{ key: "n" }}
+                          >
+                            Add new
+                          </LinkButton>
+                        </div>
+                      ) : (
+                        <div className="flex flex-col items-center justify-center gap-y-4 py-8">
+                          <Paragraph>No variables match your search.</Paragraph>
+                        </div>
+                      )}
+                    </TableCell>
+                  </TableRow>
+                </TableBody>
               )}
-            </TableBody>
-          </Table>
-
-          <div className="-mt-px w-full border-t border-grid-dimmed">
-            <InfoPanel icon={InformationCircleIcon} variant="minimal" panelClassName="max-w-fit">
-              Dev environment variables specified here will be overridden by ones in your .env file
-              when running locally.
-            </InfoPanel>
+            </Table>
           </div>
         </div>
-        <Outlet />
       </PageBody>
+      <Outlet />
     </PageContainer>
   );
 }
 
+function getBorderedCellClassName(variable: GroupedEnvironmentVariable) {
+  if (variable.occurences <= 1) {
+    return "";
+  }
+
+  if (variable.isLastTime) {
+    return "";
+  }
+
+  return "relative after:absolute after:bottom-0 after:left-0 after:right-0 after:h-px after:bg-grid-bright group-hover/table-row:after:bg-grid-bright group-hover/table-row:before:bg-grid-bright";
+}
+
+function EnvironmentVariableTableRow({
+  variable,
+  revealAll,
+  vercelIntegration,
+}: {
+  variable: GroupedEnvironmentVariable;
+  revealAll: boolean;
+  vercelIntegration: PageVercelIntegration | null;
+}) {
+  const cellClassName = "py-2";
+  const borderedCellClassName = getBorderedCellClassName(variable);
+
+  return (
+    <TableRow
+      className={variable.isLastTime ? "after:bg-charcoal-600" : "after:bg-transparent"}
+    >
+      <TableCell className={cellClassName}>
+        {variable.isFirstTime ? (
+          <CopyableText value={variable.key} className="font-mono" />
+        ) : null}
+      </TableCell>
+      <TableCell className={cn(cellClassName, borderedCellClassName, "after:left-3")}>
+        {variable.isSecret ? (
+          <SimpleTooltip
+            button={
+              <div className="flex items-center gap-x-1">
+                <LockClosedIcon className="size-3 text-text-dimmed" />
+                <span className="text-xs text-text-dimmed">Secret</span>
+              </div>
+            }
+            content="This variable is secret and cannot be revealed."
+          />
+        ) : (
+          <ClipboardField
+            secure={!revealAll}
+            value={variable.value}
+            variant={"secondary/small"}
+            fullWidth={true}
+          />
+        )}
+      </TableCell>
+
+      <TableCell className={cn(cellClassName, borderedCellClassName)}>
+        <EnvironmentCombo environment={variable.environment} className="text-sm" />
+      </TableCell>
+      {vercelIntegration?.enabled && (
+        <TableCell className={cn(cellClassName, borderedCellClassName)}>
+          {variable.environment.type !== "DEVELOPMENT" && (
+            <VercelSyncCheckbox
+              envVarKey={variable.key}
+              environmentType={variable.environment.type as TriggerEnvironmentType}
+              syncEnabled={shouldSyncEnvVar(
+                vercelIntegration.syncEnvVarsMapping,
+                variable.key,
+                variable.environment.type as TriggerEnvironmentType
+              )}
+              pullEnvVarsEnabledForEnv={isPullEnvVarsEnabledForEnvironment(
+                vercelIntegration.pullEnvVarsBeforeBuild,
+                variable.environment.type as TriggerEnvironmentType
+              )}
+            />
+          )}
+        </TableCell>
+      )}
+      <TableCell className={cn(cellClassName, borderedCellClassName)}>
+        <div className="flex items-center gap-3">
+          {variable.updatedAt ? (
+            <span className="shrink-0 text-sm tabular-nums text-text-dimmed">
+              <DateTime date={variable.updatedAt} includeSeconds={false} />
+            </span>
+          ) : null}
+          {variable.updatedByUser ? (
+            <div className="flex min-w-0 items-center gap-2">
+              <UserAvatar
+                avatarUrl={variable.updatedByUser.avatarUrl}
+                name={variable.updatedByUser.name}
+                className="size-5 shrink-0"
+              />
+              <span className="truncate text-sm">{variable.updatedByUser.name}</span>
+            </div>
+          ) : variable.lastUpdatedBy?.type === "integration" &&
+            variable.lastUpdatedBy?.integration === "vercel" ? (
+            <div className="flex min-w-0 items-center gap-2">
+              <VercelLogo className="size-4 shrink-0 text-text-dimmed transition-colors group-hover/table-row:text-text-bright" />
+              <span className="truncate text-sm capitalize text-text-dimmed transition-colors group-hover/table-row:text-text-bright">
+                {variable.lastUpdatedBy.integration}
+              </span>
+            </div>
+          ) : null}
+        </div>
+      </TableCell>
+      <TableCellMenu
+        isSticky
+        className="[&:has(.group-hover/table-row:block)]:w-auto w-0"
+        hiddenButtons={
+          <>
+            <EditEnvironmentVariablePanel variable={variable} revealAll={revealAll} />
+            <DeleteEnvironmentVariableButton variable={variable} />
+          </>
+        }
+      />
+    </TableRow>
+  );
+}
+
+function EnvironmentVariablesVirtualTableBody({
+  groupedEnvironmentVariables,
+  scrollRef,
+  revealAll,
+  vercelIntegration,
+  columnCount,
+}: {
+  groupedEnvironmentVariables: GroupedEnvironmentVariable[];
+  scrollRef: RefObject<HTMLDivElement | null>;
+  revealAll: boolean;
+  vercelIntegration: PageVercelIntegration | null;
+  columnCount: number;
+}) {
+  const rowVirtualizer = useVirtualizer({
+    count: groupedEnvironmentVariables.length,
+    getScrollElement: () => scrollRef.current,
+    estimateSize: () => ROW_ESTIMATE_HEIGHT,
+    overscan: VIRTUAL_OVERSCAN,
+  });
+
+  const virtualItems = rowVirtualizer.getVirtualItems();
+  const topSpacerHeight = virtualItems[0]?.start ?? 0;
+  const bottomSpacerHeight =
+    rowVirtualizer.getTotalSize() - (virtualItems.at(-1)?.end ?? 0);
+
+  return (
+    <TableBody>
+      {topSpacerHeight > 0 && (
+        <tr aria-hidden style={{ height: topSpacerHeight }}>
+          <td colSpan={columnCount} />
+        </tr>
+      )}
+      {virtualItems.map((virtualRow) => {
+        const variable = groupedEnvironmentVariables[virtualRow.index];
+        if (!variable) {
+          return null;
+        }
+
+        return (
+          <EnvironmentVariableTableRow
+            key={`${variable.id}-${variable.environment.id}`}
+            variable={variable}
+            revealAll={revealAll}
+            vercelIntegration={vercelIntegration}
+          />
+        );
+      })}
+      {bottomSpacerHeight > 0 && (
+        <tr aria-hidden style={{ height: bottomSpacerHeight }}>
+          <td colSpan={columnCount} />
+        </tr>
+      )}
+    </TableBody>
+  );
+}
+
 function EditEnvironmentVariablePanel({
   variable,
   revealAll,
@@ -561,9 +719,12 @@ function EditEnvironmentVariablePanel({
   return (
     <Dialog open={isOpen} onOpenChange={setIsOpen}>
       <DialogTrigger asChild>
-        <Button variant="small-menu-item" LeadingIcon={PencilSquareIcon} fullWidth textAlignLeft>
-          
-        </Button>
+        <Button
+          variant="small-menu-item"
+          LeadingIcon={PencilSquareIcon}
+          fullWidth
+          textAlignLeft
+        ></Button>
       </DialogTrigger>
       <DialogContent>
         <DialogHeader>Edit environment variable</DialogHeader>
@@ -715,14 +876,7 @@ function VercelSyncCheckbox({
   if (!pullEnvVarsEnabledForEnv) {
     return (
       <SimpleTooltip
-        button={
-          <Switch
-            variant="small"
-            checked={false}
-            disabled
-            onCheckedChange={() => {}}
-          />
-        }
+        button={<Switch variant="small" checked={false} disabled onCheckedChange={() => {}} />}
         content="Enable 'Pull env vars before build' for this environment in Vercel settings."
       />
     );
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.errors.$fingerprint/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.errors.$fingerprint/route.tsx
index f42c73b5ea3..f65de7bc8c1 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.errors.$fingerprint/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.errors.$fingerprint/route.tsx
@@ -1,52 +1,16 @@
-import { type LoaderFunctionArgs, type ActionFunctionArgs, json } from "@remix-run/server-runtime";
-import { type MetaFunction, useFetcher, useRevalidator } from "@remix-run/react";
-import { BellAlertIcon } from "@heroicons/react/20/solid";
-import { IconAlarmSnooze as IconAlarmSnoozeBase, IconCircleDotted } from "@tabler/icons-react";
 import { parse } from "@conform-to/zod";
-import { z } from "zod";
-import { ErrorStatusBadge } from "~/components/errors/ErrorStatusBadge";
-import { ServiceValidationError } from "~/v3/services/baseService.server";
-import { TypedAwait, typeddefer, useTypedLoaderData } from "remix-typedjson";
-import { requireUser, requireUserId } from "~/services/session.server";
-import {
-  EnvironmentParamSchema,
-  v3CreateBulkActionPath,
-  v3ErrorsPath,
-  v3RunsPath,
-} from "~/utils/pathBuilder";
-import { findProjectBySlug } from "~/models/project.server";
-import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
-import {
-  ErrorGroupPresenter,
-  type ErrorGroupActivity,
-  type ErrorGroupActivityVersions,
-  type ErrorGroupOccurrences,
-  type ErrorGroupSummary,
-  type ErrorGroupState,
-} from "~/presenters/v3/ErrorGroupPresenter.server";
-import { type NextRunList } from "~/presenters/v3/NextRunListPresenter.server";
-import { $replica } from "~/db.server";
-import { logsClickhouseClient, clickhouseClient } from "~/services/clickhouseInstance.server";
-import { NavBar, PageTitle } from "~/components/primitives/PageHeader";
-import { PageBody } from "~/components/layout/AppLayout";
+import { BellAlertIcon } from "@heroicons/react/20/solid";
+import { type MetaFunction, useFetcher, useRevalidator } from "@remix-run/react";
+import { type ActionFunctionArgs, json, type LoaderFunctionArgs } from "@remix-run/server-runtime";
 import {
-  ResizableHandle,
-  ResizablePanel,
-  ResizablePanelGroup,
-} from "~/components/primitives/Resizable";
+  IconAlarmSnooze as IconAlarmSnoozeBase,
+  IconBugFilled,
+  IconCircleDotted,
+} from "@tabler/icons-react";
+import { ErrorId } from "@trigger.dev/core/v3/isomorphic";
+import { isPast } from "date-fns";
 import { AnimatePresence, motion } from "framer-motion";
 import { Suspense, useEffect, useMemo, useRef, useState } from "react";
-import { Spinner } from "~/components/primitives/Spinner";
-import { Paragraph } from "~/components/primitives/Paragraph";
-import { Callout } from "~/components/primitives/Callout";
-import { Header2, Header3 } from "~/components/primitives/Headers";
-
-import { formatDistanceToNow, isPast } from "date-fns";
-
-import * as Property from "~/components/primitives/PropertyTable";
-import { TaskRunsTable } from "~/components/runs/v3/TaskRunsTable";
-import { DateTime, RelativeDateTime } from "~/components/primitives/DateTime";
-import { ErrorId } from "@trigger.dev/core/v3/isomorphic";
 import {
   Bar,
   BarChart,
@@ -57,31 +21,68 @@ import {
   XAxis,
   YAxis,
 } from "recharts";
-import TooltipPortal from "~/components/primitives/TooltipPortal";
-import { TimeFilter, timeFilterFromTo } from "~/components/runs/v3/SharedFilters";
-import { useOptimisticLocation } from "~/hooks/useOptimisticLocation";
-import { DirectionSchema, ListPagination } from "~/components/ListPagination";
-import { Button, LinkButton } from "~/components/primitives/Buttons";
+import { TypedAwait, typeddefer, useTypedLoaderData } from "remix-typedjson";
+import { z } from "zod";
 import { ListCheckedIcon } from "~/assets/icons/ListCheckedIcon";
-import { useOrganization } from "~/hooks/useOrganizations";
-import { useProject } from "~/hooks/useProject";
-import { useEnvironment } from "~/hooks/useEnvironment";
 import { RunsIcon } from "~/assets/icons/RunsIcon";
-import type { TaskRunListSearchFilters } from "~/components/runs/v3/RunFilters";
-import { useSearchParams } from "~/hooks/useSearchParam";
-import { CopyableText } from "~/components/primitives/CopyableText";
-import { cn } from "~/utils/cn";
-import { LogsVersionFilter } from "~/components/logs/LogsVersionFilter";
 import { CodeBlock } from "~/components/code/CodeBlock";
-
-import { Popover, PopoverArrowTrigger, PopoverContent } from "~/components/primitives/Popover";
-import { ErrorGroupActions } from "~/v3/services/errorGroupActions.server";
+import { ErrorStatusBadge } from "~/components/errors/ErrorStatusBadge";
 import {
-  ErrorStatusMenuItems,
   CustomIgnoreDialog,
+  ErrorStatusMenuItems,
   statusActionToastMessage,
 } from "~/components/errors/ErrorStatusMenu";
+import { PageBody } from "~/components/layout/AppLayout";
+import { DirectionSchema, ListPagination } from "~/components/ListPagination";
+import { LogsVersionFilter } from "~/components/logs/LogsVersionFilter";
+import { LinkButton } from "~/components/primitives/Buttons";
+import { Callout } from "~/components/primitives/Callout";
+import { CopyableText } from "~/components/primitives/CopyableText";
+import { DateTime, RelativeDateTime } from "~/components/primitives/DateTime";
+import { Header2, Header3 } from "~/components/primitives/Headers";
+import { NavBar, PageAccessories, PageTitle } from "~/components/primitives/PageHeader";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import { Popover, PopoverArrowTrigger, PopoverContent } from "~/components/primitives/Popover";
+import * as Property from "~/components/primitives/PropertyTable";
+import {
+  ResizableHandle,
+  ResizablePanel,
+  ResizablePanelGroup,
+} from "~/components/primitives/Resizable";
+import { Spinner } from "~/components/primitives/Spinner";
 import { useToast } from "~/components/primitives/Toast";
+import TooltipPortal from "~/components/primitives/TooltipPortal";
+import type { TaskRunListSearchFilters } from "~/components/runs/v3/RunFilters";
+import { TimeFilter, timeFilterFromTo } from "~/components/runs/v3/SharedFilters";
+import { TaskRunsTable } from "~/components/runs/v3/TaskRunsTable";
+import { $replica } from "~/db.server";
+import { useEnvironment } from "~/hooks/useEnvironment";
+import { useOptimisticLocation } from "~/hooks/useOptimisticLocation";
+import { useOrganization } from "~/hooks/useOrganizations";
+import { useProject } from "~/hooks/useProject";
+import { useSearchParams } from "~/hooks/useSearchParam";
+import { findProjectBySlug } from "~/models/project.server";
+import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
+import {
+  type ErrorGroupActivity,
+  type ErrorGroupActivityVersions,
+  type ErrorGroupOccurrences,
+  ErrorGroupPresenter,
+  type ErrorGroupState,
+  type ErrorGroupSummary,
+} from "~/presenters/v3/ErrorGroupPresenter.server";
+import { type NextRunList } from "~/presenters/v3/NextRunListPresenter.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
+import { requireUser, requireUserId } from "~/services/session.server";
+import { cn } from "~/utils/cn";
+import {
+  EnvironmentParamSchema,
+  v3CreateBulkActionPath,
+  v3ErrorsPath,
+  v3RunsPath,
+} from "~/utils/pathBuilder";
+import { ServiceValidationError } from "~/v3/services/baseService.server";
+import { ErrorGroupActions } from "~/v3/services/errorGroupActions.server";
 
 export const meta: MetaFunction<typeof loader> = ({ data }) => {
   return [
@@ -163,6 +164,11 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
       let occurrenceCountAtIgnoreTime: number | undefined;
 
       if (submission.value.totalOccurrences) {
+        const clickhouseClient = await clickhouseFactory.getClickhouseForOrganization(
+          environment.organizationId,
+          "query"
+        );
+
         const qb = clickhouseClient.errors.listQueryBuilder();
         qb.where("organization_id = {organizationId: String}", {
           organizationId: project.organizationId,
@@ -236,6 +242,11 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   const directionRaw = url.searchParams.get("direction") ?? undefined;
   const direction = directionRaw ? DirectionSchema.parse(directionRaw) : undefined;
 
+  const [logsClickhouseClient, clickhouseClient] = await Promise.all([
+    clickhouseFactory.getClickhouseForOrganization(environment.organizationId, "logs"),
+    clickhouseFactory.getClickhouseForOrganization(environment.organizationId, "standard"),
+  ]);
+
   const presenter = new ErrorGroupPresenter($replica, logsClickhouseClient, clickhouseClient);
 
   const detailPromise = presenter
@@ -324,13 +335,23 @@ export default function Page() {
           }}
           title={<span className="font-mono text-xs">{ErrorId.toFriendlyId(fingerprint)}</span>}
         />
+        <PageAccessories>
+          <LinkButton
+            to={alertsHref}
+            variant="secondary/small"
+            LeadingIcon={BellAlertIcon}
+            leadingIconClassName="text-alerts"
+          >
+            Configure alerts…
+          </LinkButton>
+        </PageAccessories>
       </NavBar>
 
       <PageBody scrollable={false}>
         <Suspense
           fallback={
-            <div className="my-2 flex items-center justify-center">
-              <div className="mx-auto flex items-center gap-2">
+            <div className="flex h-full items-center justify-center">
+              <div className="flex items-center gap-2">
                 <Spinner />
                 <Paragraph variant="small">Loading error details…</Paragraph>
               </div>
@@ -366,7 +387,6 @@ export default function Page() {
                   projectParam={projectParam}
                   envParam={envParam}
                   fingerprint={fingerprint}
-                  alertsHref={alertsHref}
                 />
               );
             }}
@@ -385,7 +405,6 @@ function ErrorGroupDetail({
   projectParam,
   envParam,
   fingerprint,
-  alertsHref,
 }: {
   errorGroup: ErrorGroupSummary | undefined;
   runList: NextRunList | undefined;
@@ -394,7 +413,6 @@ function ErrorGroupDetail({
   projectParam: string;
   envParam: string;
   fingerprint: string;
-  alertsHref: string;
 }) {
   const { value, values } = useSearchParams();
   const organization = useOrganization();
@@ -499,9 +517,12 @@ function ErrorGroupDetail({
                 additionalTableState={{ errorId: ErrorId.toFriendlyId(fingerprint) }}
               />
             ) : (
-              <Paragraph variant="small" className="p-4 text-text-dimmed">
-                No runs found for this error.
-              </Paragraph>
+              <div className="flex flex-1 flex-col items-center justify-center gap-3">
+                <IconBugFilled className="size-16 text-charcoal-650" />
+                <Paragraph className="max-w-32 text-center text-text-dimmed">
+                  No runs found for this error.
+                </Paragraph>
+              </div>
             )}
           </div>
         </div>
@@ -510,11 +531,7 @@ function ErrorGroupDetail({
       {/* Right-hand detail sidebar */}
       <ResizableHandle id="error-detail-handle" />
       <ResizablePanel id="error-detail" min="280px" default="380px" max="500px" isStaticAtRest>
-        <ErrorDetailSidebar
-          errorGroup={errorGroup}
-          fingerprint={fingerprint}
-          alertsHref={alertsHref}
-        />
+        <ErrorDetailSidebar errorGroup={errorGroup} fingerprint={fingerprint} />
       </ResizablePanel>
     </ResizablePanelGroup>
   );
@@ -523,24 +540,14 @@ function ErrorGroupDetail({
 function ErrorDetailSidebar({
   errorGroup,
   fingerprint,
-  alertsHref,
 }: {
   errorGroup: ErrorGroupSummary;
   fingerprint: string;
-  alertsHref: string;
 }) {
   return (
     <div className="grid h-full grid-rows-[auto_1fr] overflow-hidden bg-background-bright">
-      <div className="flex items-center justify-between border-b border-grid-dimmed py-2 pl-3 pr-2">
+      <div className="border-b border-grid-dimmed px-3 py-2">
         <Header2 className="truncate">Details</Header2>
-        <LinkButton
-          to={alertsHref}
-          variant="secondary/small"
-          LeadingIcon={BellAlertIcon}
-          leadingIconClassName="text-alerts"
-        >
-          Configure alerts
-        </LinkButton>
       </div>
       <div className="overflow-y-auto px-3 py-3 scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600">
         <div className="flex flex-col gap-4">
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.errors._index/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.errors._index/route.tsx
index e92b5b34644..385f0cd8b19 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.errors._index/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.errors._index/route.tsx
@@ -55,6 +55,7 @@ import {
   statusActionToastMessage,
 } from "~/components/errors/ErrorStatusMenu";
 import { useToast } from "~/components/primitives/Toast";
+import { SimpleTooltip } from "~/components/primitives/Tooltip";
 import TooltipPortal from "~/components/primitives/TooltipPortal";
 import { appliedSummary, FilterMenuProvider, TimeFilter } from "~/components/runs/v3/SharedFilters";
 import { $replica } from "~/db.server";
@@ -70,7 +71,7 @@ import {
   type ErrorOccurrences,
   type ErrorsList as ErrorsListData,
 } from "~/presenters/v3/ErrorsListPresenter.server";
-import { logsClickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { getCurrentPlan } from "~/services/platform.v3.server";
 import { requireUser } from "~/services/session.server";
 import { formatNumberCompact } from "~/utils/numberFormatter";
@@ -123,6 +124,10 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   const plan = await getCurrentPlan(project.organizationId);
   const retentionLimitDays = plan?.v3Subscription?.plan?.limits.logRetentionDays.number ?? 30;
 
+  const logsClickhouseClient = await clickhouseFactory.getClickhouseForOrganization(
+    project.organizationId,
+    "logs"
+  );
   const presenter = new ErrorsListPresenter($replica, logsClickhouseClient);
 
   const listPromise = presenter
@@ -289,6 +294,8 @@ const errorStatusOptions = [
 
 const statusIcon = <IconBugFilled className="size-4" />;
 const statusShortcut = { key: "s" };
+const timeShortcut = { key: "d" };
+const alertsShortcut = { key: "c" };
 
 function StatusFilter() {
   const { values, del } = useSearchParams();
@@ -305,8 +312,9 @@ function StatusFilter() {
                 variant="secondary/small"
                 shortcut={statusShortcut}
                 tooltipTitle="Filter by status"
+                className="pl-1.5"
               >
-                <span className="ml-0.5">Status</span>
+                <span className="ml-1">Status</span>
               </SelectTrigger>
             }
             searchValue={search}
@@ -415,9 +423,10 @@ function FiltersBar({
 
   return (
     <div className="flex items-start justify-between gap-x-2 border-b border-grid-bright p-2">
-      <div className="flex flex-row flex-wrap items-center gap-2">
+      <div className="flex flex-row flex-wrap items-center gap-1.5">
         {list ? (
           <>
+            <SearchInput placeholder="Search errors…" />
             <StatusFilter />
             <LogsTaskFilter possibleTasks={list.filters.possibleTasks} />
             <LogsVersionFilter />
@@ -425,45 +434,55 @@ function FiltersBar({
               defaultPeriod={defaultPeriod}
               maxPeriodDays={retentionLimitDays}
               labelName="Occurred"
+              shortcut={timeShortcut}
             />
-            <SearchInput placeholder="Search errors…" />
             {hasFilters && (
-              <Form className="h-6">
+              <Form className="-ml-1 h-6">
                 <Button
-                  variant="secondary/small"
+                  variant="minimal/small"
                   LeadingIcon={XMarkIcon}
                   tooltip="Clear all filters"
+                  className="group-hover/button:bg-transparent"
+                  leadingIconClassName="group-hover/button:text-text-bright"
                 />
               </Form>
             )}
           </>
         ) : (
           <>
+            <SearchInput placeholder="Search errors…" />
             <StatusFilter />
             <LogsTaskFilter possibleTasks={[]} />
             <LogsVersionFilter />
-            <TimeFilter defaultPeriod={defaultPeriod} maxPeriodDays={retentionLimitDays} />
-            <SearchInput placeholder="Search errors…" />
+            <TimeFilter
+              defaultPeriod={defaultPeriod}
+              maxPeriodDays={retentionLimitDays}
+              shortcut={timeShortcut}
+            />
             {hasFilters && (
-              <Form className="h-6">
+              <Form className="-ml-1 h-6">
                 <Button
-                  variant="secondary/small"
+                  variant="minimal/small"
                   LeadingIcon={XMarkIcon}
                   tooltip="Clear all filters"
+                  className="group-hover/button:bg-transparent"
+                  leadingIconClassName="group-hover/button:text-text-bright"
                 />
               </Form>
             )}
           </>
         )}
       </div>
-      <div className="flex shrink-0 items-center gap-2">
+      <div className="flex shrink-0 items-center gap-1.5">
         <LinkButton
           to={alertsHref}
           variant="secondary/small"
           LeadingIcon={BellAlertIcon}
           leadingIconClassName="text-alerts"
+          shortcut={alertsShortcut}
+          tooltip="Configure alerts"
         >
-          Configure alerts
+          Configure alerts…
         </LinkButton>
         {list && <ListPagination list={list} />}
       </div>
@@ -706,9 +725,15 @@ function ErrorActivityGraph({ activity }: { activity: ErrorOccurrenceActivity })
           </BarChart>
         </ResponsiveContainer>
       </div>
-      <span className="-mt-1 text-xxs tabular-nums text-text-dimmed">
-        {formatNumberCompact(maxCount)}
-      </span>
+      <SimpleTooltip
+        asChild
+        button={
+          <span className="-mt-1 text-xxs tabular-nums text-text-dimmed">
+            {formatNumberCompact(maxCount)}
+          </span>
+        }
+        content="Peak occurrences in a single time bucket"
+      />
     </div>
   );
 }
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.logs/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.logs/route.tsx
index af3cc30a246..c913623ebab 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.logs/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.logs/route.tsx
@@ -16,7 +16,7 @@ import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
 import { LogsListPresenter, LogEntry } from "~/presenters/v3/LogsListPresenter.server";
 import type { LogLevel } from "~/utils/logUtils";
 import { $replica, prisma } from "~/db.server";
-import { logsClickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { NavBar, PageTitle } from "~/components/primitives/PageHeader";
 import { PageBody, PageContainer } from "~/components/layout/AppLayout";
 import { Suspense, useCallback, useEffect, useMemo, useRef, useState, useTransition } from "react";
@@ -137,7 +137,8 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   const plan = await getCurrentPlan(project.organizationId);
   const retentionLimitDays = plan?.v3Subscription?.plan?.limits.logRetentionDays.number ?? 30;
 
-  const presenter = new LogsListPresenter($replica, logsClickhouseClient);
+  const logsClickhouse = await clickhouseFactory.getClickhouseForOrganization(project.organizationId, "logs");
+  const presenter = new LogsListPresenter($replica, logsClickhouse);
 
   const listPromise = presenter
     .call(project.organizationId, environment.id, {
@@ -260,20 +261,22 @@ function FiltersBar({
 
   return (
     <div className="flex items-start justify-between gap-x-2 border-b border-grid-bright p-2">
-      <div className="flex flex-row flex-wrap items-center gap-1">
+      <div className="flex flex-row flex-wrap items-center gap-1.5">
         {list ? (
           <>
+            <SearchInput />
             <LogsTaskFilter possibleTasks={list.possibleTasks} />
             <LogsRunIdFilter />
             <TimeFilter defaultPeriod={defaultPeriod} maxPeriodDays={retentionLimitDays} />
             <LogsLevelFilter />
-            <SearchInput />
             {hasFilters && (
-              <Form className="h-6">
+              <Form className="-ml-1 h-6">
                 <Button
-                  variant="secondary/small"
+                  variant="minimal/small"
                   LeadingIcon={XMarkIcon}
                   tooltip="Clear all filters"
+                  className="group-hover/button:bg-transparent"
+                  leadingIconClassName="group-hover/button:text-text-bright"
                 />
               </Form>
             )}
@@ -286,11 +289,13 @@ function FiltersBar({
             <LogsLevelFilter />
             <SearchInput />
             {hasFilters && (
-              <Form className="h-6">
+              <Form className="-ml-1 h-6">
                 <Button
-                  variant="secondary/small"
+                  variant="minimal/small"
                   LeadingIcon={XMarkIcon}
                   tooltip="Clear all filters"
+                  className="group-hover/button:bg-transparent"
+                  leadingIconClassName="group-hover/button:text-text-bright"
                 />
               </Form>
             )}
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.models.$modelId/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.models.$modelId/route.tsx
index 7a25f996d4d..f4248aa64b6 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.models.$modelId/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.models.$modelId/route.tsx
@@ -28,7 +28,7 @@ import type { QueryWidgetConfig } from "~/components/metrics/QueryWidget";
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
 import { ModelRegistryPresenter } from "~/presenters/v3/ModelRegistryPresenter.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { requireUserId } from "~/services/session.server";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
@@ -68,7 +68,8 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     throw new Response("Environment not found", { status: 404 });
   }
 
-  const presenter = new ModelRegistryPresenter(clickhouseClient);
+  const clickhouse = await clickhouseFactory.getClickhouseForOrganization(project.organizationId, "standard");
+  const presenter = new ModelRegistryPresenter(clickhouse);
   const model = await presenter.getModelDetail(modelId);
 
   if (!model) {
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.models._index/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.models._index/route.tsx
index 7bf257f987b..9140b37dc95 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.models._index/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.models._index/route.tsx
@@ -8,7 +8,7 @@ import * as Ariakit from "@ariakit/react";
 import { Form, type MetaFunction, useFetcher } from "@remix-run/react";
 import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { AnimatePresence, motion } from "framer-motion";
-import { useEffect, useMemo, useState } from "react";
+import { useEffect, useMemo, useRef, useState } from "react";
 import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import {
   AnthropicIcon,
@@ -44,6 +44,7 @@ import {
   useFrozenValue,
 } from "~/components/primitives/Resizable";
 import { SearchInput } from "~/components/primitives/SearchInput";
+import { ShortcutKey } from "~/components/primitives/ShortcutKey";
 import { Switch } from "~/components/primitives/Switch";
 import {
   SelectProvider,
@@ -62,6 +63,7 @@ import {
 import { TabButton, TabContainer } from "~/components/primitives/Tabs";
 import { appliedSummary } from "~/components/runs/v3/SharedFilters";
 import { useSearchParams } from "~/hooks/useSearchParam";
+import { useShortcutKeys } from "~/hooks/useShortcutKeys";
 import { useOptimisticLocation } from "~/hooks/useOptimisticLocation";
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
@@ -71,7 +73,7 @@ import {
   type PopularModel,
   ModelRegistryPresenter,
 } from "~/presenters/v3/ModelRegistryPresenter.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { requireUserId } from "~/services/session.server";
 import { useEnvironment } from "~/hooks/useEnvironment";
 import { useOrganization } from "~/hooks/useOrganizations";
@@ -90,6 +92,7 @@ import { MetricWidget } from "~/routes/resources.metric";
 import type { QueryWidgetConfig } from "~/components/metrics/QueryWidget";
 
 import { type loader as compareLoader } from "~/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.models.compare/route";
+import { IconColumns3 } from "@tabler/icons-react";
 
 export const meta: MetaFunction = () => {
   return [{ title: "Models | Trigger.dev" }];
@@ -109,7 +112,8 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     throw new Response("Environment not found", { status: 404 });
   }
 
-  const presenter = new ModelRegistryPresenter(clickhouseClient);
+  const clickhouse = await clickhouseFactory.getClickhouseForOrganization(project.organizationId, "standard");
+  const presenter = new ModelRegistryPresenter(clickhouse);
   const catalog = await presenter.getModelCatalog();
 
   const now = new Date();
@@ -147,32 +151,59 @@ const providerIcons: Record<string, (props: { className?: string }) => JSX.Eleme
 
 function providerIcon(slug: string) {
   const Icon = providerIcons[slug] ?? CubeIcon;
-  return <Icon className="size-4" />;
+  return <Icon className="size-4 text-text-dimmed" />;
 }
 
 // --- Filter Components ---
 
+const providerShortcut = { key: "p" };
+
 function ProviderFilter({ providers }: { providers: string[] }) {
   const { values, replace, del } = useSearchParams();
   const selected = values("providers");
   const hasFilter = selected.length > 0;
+  const triggerRef = useRef<HTMLButtonElement>(null);
+
+  useShortcutKeys({
+    shortcut: providerShortcut,
+    action: (e) => {
+      e.preventDefault();
+      e.stopPropagation();
+      triggerRef.current?.click();
+    },
+  });
 
   return (
     <SelectProvider value={selected} setValue={(v) => replace({ providers: v })}>
-      <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
-        <AppliedFilter
-          icon={<CubeIcon className="size-4" />}
-          label={hasFilter ? "Provider" : undefined}
-          value={hasFilter ? appliedSummary(selected.map(formatProviderName))! : "Provider"}
-          valueClassName={hasFilter ? undefined : "text-text-bright"}
-          removable={hasFilter}
-          onRemove={() => del("providers")}
-        />
-      </Ariakit.Select>
+      <Ariakit.TooltipProvider timeout={200} hideTimeout={0}>
+        <Ariakit.TooltipAnchor
+          render={
+            <Ariakit.Select
+              ref={triggerRef as any}
+              render={<div className="group cursor-pointer focus-custom" />}
+            />
+          }
+        >
+          <AppliedFilter
+            icon={<CubeIcon className="size-4" />}
+            label={hasFilter ? "Provider" : undefined}
+            value={hasFilter ? appliedSummary(selected.map(formatProviderName))! : "Provider"}
+            valueClassName={hasFilter ? undefined : "text-text-bright"}
+            removable={hasFilter}
+            onRemove={() => del("providers")}
+          />
+        </Ariakit.TooltipAnchor>
+        <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright py-1.5 pl-2.5 pr-3 text-xs text-text-dimmed">
+          <div className="flex items-center gap-3">
+            <span>Filter by provider</span>
+            <ShortcutKey className="size-4 flex-none" shortcut={providerShortcut} variant="small" />
+          </div>
+        </Ariakit.Tooltip>
+      </Ariakit.TooltipProvider>
       <SelectPopover>
         <SelectList>
           {providers.map((p) => (
-            <SelectItem key={p} value={p} icon={providerIcon(p)}>
+            <SelectItem key={p} value={p} icon={providerIcon(p)} className="text-text-bright">
               {formatProviderName(p)}
             </SelectItem>
           ))}
@@ -182,27 +213,54 @@ function ProviderFilter({ providers }: { providers: string[] }) {
   );
 }
 
+const featuresShortcut = { key: "f" };
+
 function FeaturesFilter({ features }: { features: string[] }) {
   const { values, replace, del } = useSearchParams();
   const selected = values("features");
   const hasFilter = selected.length > 0;
+  const triggerRef = useRef<HTMLButtonElement>(null);
+
+  useShortcutKeys({
+    shortcut: featuresShortcut,
+    action: (e) => {
+      e.preventDefault();
+      e.stopPropagation();
+      triggerRef.current?.click();
+    },
+  });
 
   return (
     <SelectProvider value={selected} setValue={(v) => replace({ features: v })}>
-      <Ariakit.Select render={<div className="group cursor-pointer focus-custom" />}>
-        <AppliedFilter
-          icon={<AdjustmentsHorizontalIcon className="size-4" />}
-          label={hasFilter ? "Features" : undefined}
-          value={hasFilter ? appliedSummary(selected.map(formatFeature))! : "Features"}
-          valueClassName={hasFilter ? undefined : "text-text-bright"}
-          removable={hasFilter}
-          onRemove={() => del("features")}
-        />
-      </Ariakit.Select>
+      <Ariakit.TooltipProvider timeout={200} hideTimeout={0}>
+        <Ariakit.TooltipAnchor
+          render={
+            <Ariakit.Select
+              ref={triggerRef as any}
+              render={<div className="group cursor-pointer focus-custom" />}
+            />
+          }
+        >
+          <AppliedFilter
+            icon={<AdjustmentsHorizontalIcon className="size-4" />}
+            label={hasFilter ? "Features" : undefined}
+            value={hasFilter ? appliedSummary(selected.map(formatFeature))! : "Features"}
+            valueClassName={hasFilter ? undefined : "text-text-bright"}
+            removable={hasFilter}
+            onRemove={() => del("features")}
+          />
+        </Ariakit.TooltipAnchor>
+        <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright py-1.5 pl-2.5 pr-3 text-xs text-text-dimmed">
+          <div className="flex items-center gap-3">
+            <span>Filter by features</span>
+            <ShortcutKey className="size-4 flex-none" shortcut={featuresShortcut} variant="small" />
+          </div>
+        </Ariakit.Tooltip>
+      </Ariakit.TooltipProvider>
       <SelectPopover>
         <SelectList>
           {features.map((f) => (
-            <SelectItem key={f} value={f}>
+            <SelectItem key={f} value={f} className="text-text-bright">
               {formatFeature(f)}
             </SelectItem>
           ))}
@@ -235,26 +293,59 @@ function FiltersBar({
     searchParams.has("providers") || searchParams.has("features") || searchParams.has("search");
 
   const compareDisabled = compareSet.size < 2;
+  const compareShortcut = { key: "c" };
+  const detailsShortcut = { key: "d" };
+
+  useShortcutKeys({
+    shortcut: compareShortcut,
+    action: (e) => {
+      e.preventDefault();
+      e.stopPropagation();
+      onCompare();
+    },
+    disabled: compareDisabled,
+  });
 
   return (
     <div className="flex items-start justify-between gap-x-2 border-b border-grid-bright p-2">
-      <div className="flex flex-row flex-wrap items-center gap-2">
+      <div className="flex flex-row flex-wrap items-center gap-1.5">
+        <SearchInput placeholder="Search models…" />
         <ProviderFilter providers={allProviders} />
         <FeaturesFilter features={allFeatures} />
-        <SearchInput placeholder="Search models…" />
         {hasFilters && (
           <Form className="-ml-1 h-6">
-            <Button variant="minimal/small" LeadingIcon={XMarkIcon} tooltip="Clear all filters" />
+            <Button
+              variant="minimal/small"
+              LeadingIcon={XMarkIcon}
+              tooltip="Clear all filters"
+              className="group-hover/button:bg-transparent"
+              leadingIconClassName="group-hover/button:text-text-bright"
+            />
           </Form>
         )}
       </div>
-      <div className="flex shrink-0 items-center gap-2">
+      <div className="flex shrink-0 flex-wrap items-center gap-1.5">
         <Button
           variant="secondary/small"
           disabled={compareDisabled}
-          className="px-1.5"
-          tooltip={compareDisabled ? "Choose 2–4 models to compare" : "Compare selected models"}
+          className="pl-1 pr-1.5"
+          tooltip={
+            compareDisabled ? (
+              <span className="text-text-dimmed">Choose 2–4 models to compare</span>
+            ) : (
+              <span className="flex items-center gap-3 text-text-dimmed">
+                Compare selected models
+                <ShortcutKey
+                  className="size-4 flex-none"
+                  shortcut={compareShortcut}
+                  variant="small"
+                />
+              </span>
+            )
+          }
           onClick={compareDisabled ? undefined : onCompare}
+          LeadingIcon={IconColumns3}
+          leadingIconClassName="-mr-2"
         >
           <span className="flex items-center overflow-hidden">
             <span className={!compareDisabled ? "text-text-bright" : undefined}>Compare</span>
@@ -274,12 +365,27 @@ function FiltersBar({
             </AnimatePresence>
           </span>
         </Button>
-        <Switch
-          variant="secondary/small"
-          label="All details"
-          checked={showAllDetails}
-          onCheckedChange={onToggleAllDetails}
-        />
+        <Ariakit.TooltipProvider timeout={200} hideTimeout={0}>
+          <Ariakit.TooltipAnchor render={<div />}>
+            <Switch
+              variant="secondary/small"
+              label="All details"
+              checked={showAllDetails}
+              onCheckedChange={onToggleAllDetails}
+              shortcut={detailsShortcut}
+            />
+          </Ariakit.TooltipAnchor>
+          <Ariakit.Tooltip className="z-40 cursor-default rounded border border-charcoal-700 bg-background-bright py-1.5 pl-2.5 pr-3 text-xs text-text-dimmed">
+            <div className="flex items-center gap-3">
+              <span>Toggle all details</span>
+              <ShortcutKey
+                className="size-4 flex-none"
+                shortcut={detailsShortcut}
+                variant="small"
+              />
+            </div>
+          </Ariakit.Tooltip>
+        </Ariakit.TooltipProvider>
       </div>
     </div>
   );
@@ -585,13 +691,13 @@ function CompareDialog({
 
   return (
     <Dialog open={open} onOpenChange={onOpenChange}>
-      <DialogContent className="!w-fit !px-0 !pb-0 sm:!max-w-[90vw]">
-        <DialogHeader className="px-4">
+      <DialogContent className="!w-fit gap-[0.4375rem] !px-0 !pb-0 !pt-0 sm:!max-w-[90vw]">
+        <DialogHeader className="h-11 justify-center px-4">
           <DialogTitle>Compare models</DialogTitle>
         </DialogHeader>
         {rows.length > 0 ? (
           <div className="-mt-[0.375rem] max-h-[70vh] overflow-auto scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600 [&_tbody_tr:last-child]:after:hidden">
-            <Table>
+            <Table stickyHeader showTopBorder={false}>
               <TableHeader>
                 <TableRow>
                   <TableHeaderCell>Metric</TableHeaderCell>
@@ -1116,7 +1222,7 @@ export default function ModelsPage() {
       <PageBody scrollable={false}>
         <ResizablePanelGroup orientation="horizontal" className="max-h-full">
           <ResizablePanel id="models-main" min="100px">
-            <div className="grid h-full max-h-full grid-rows-[2.5rem_1fr] overflow-hidden">
+            <div className="grid h-full max-h-full grid-rows-[auto_1fr] overflow-hidden">
               <FiltersBar
                 allProviders={allProviders}
                 allFeatures={allFeatures}
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.models.compare/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.models.compare/route.tsx
index 661fb294268..1f8748f08cf 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.models.compare/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.models.compare/route.tsx
@@ -20,7 +20,7 @@ import {
   type ModelComparisonItem,
   ModelRegistryPresenter,
 } from "~/presenters/v3/ModelRegistryPresenter.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { requireUserId } from "~/services/session.server";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
@@ -55,7 +55,8 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     return typedjson({ comparison: [] as ModelComparisonItem[], models: responseModels });
   }
 
-  const presenter = new ModelRegistryPresenter(clickhouseClient);
+  const clickhouse = await clickhouseFactory.getClickhouseForOrganization(project.organizationId, "standard");
+  const presenter = new ModelRegistryPresenter(clickhouse);
   const now = new Date();
   const sevenDaysAgo = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1000);
 
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground.$agentParam/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground.$agentParam/route.tsx
new file mode 100644
index 00000000000..7c37089bf63
--- /dev/null
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground.$agentParam/route.tsx
@@ -0,0 +1,1238 @@
+import {
+  ArrowUpIcon,
+  BoltIcon,
+  CpuChipIcon,
+  StopIcon,
+  ArrowPathIcon,
+  TrashIcon,
+} from "@heroicons/react/20/solid";
+import { type MetaFunction } from "@remix-run/node";
+import { Link, useFetcher, useNavigate, useRouteLoaderData } from "@remix-run/react";
+import { typedjson, useTypedLoaderData } from "remix-typedjson";
+import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { useCallback, useEffect, useRef, useState } from "react";
+import { useChat } from "@ai-sdk/react";
+import { TriggerChatTransport } from "@trigger.dev/sdk/chat";
+import { MainCenteredContainer } from "~/components/layout/AppLayout";
+import { Badge } from "~/components/primitives/Badge";
+import { Button, LinkButton } from "~/components/primitives/Buttons";
+import { CopyButton } from "~/components/primitives/CopyButton";
+import { DurationPicker } from "~/components/primitives/DurationPicker";
+import { Header3 } from "~/components/primitives/Headers";
+import { Hint } from "~/components/primitives/Hint";
+import { Input } from "~/components/primitives/Input";
+import { InputGroup } from "~/components/primitives/InputGroup";
+import { Label } from "~/components/primitives/Label";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import { Spinner } from "~/components/primitives/Spinner";
+import { Popover, PopoverContent, PopoverTrigger } from "~/components/primitives/Popover";
+import { ClockRotateLeftIcon } from "~/assets/icons/ClockRotateLeftIcon";
+import type { PlaygroundConversation } from "~/presenters/v3/PlaygroundPresenter.server";
+import { DateTime } from "~/components/primitives/DateTime";
+import { cn } from "~/utils/cn";
+import { JSONEditor } from "~/components/code/JSONEditor";
+import { ToolUseRow, AssistantResponse, ChatBubble } from "~/components/runs/v3/ai/AIChatMessages";
+import { MessageBubble } from "~/components/runs/v3/agent/AgentMessageView";
+import { useAutoScrollToBottom } from "~/hooks/useAutoScrollToBottom";
+import {
+  ResizableHandle,
+  ResizablePanel,
+  ResizablePanelGroup,
+} from "~/components/primitives/Resizable";
+import {
+  ClientTabs,
+  ClientTabsContent,
+  ClientTabsList,
+  ClientTabsTrigger,
+} from "~/components/primitives/ClientTabs";
+import { useEnvironment } from "~/hooks/useEnvironment";
+import { useOrganization } from "~/hooks/useOrganizations";
+import { useProject } from "~/hooks/useProject";
+import { findProjectBySlug } from "~/models/project.server";
+import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
+import { playgroundPresenter } from "~/presenters/v3/PlaygroundPresenter.server";
+import { requireUserId } from "~/services/session.server";
+import { RunTagInput } from "~/components/runs/v3/RunTagInput";
+import { Select, SelectItem } from "~/components/primitives/Select";
+import { EnvironmentParamSchema, v3PlaygroundAgentPath } from "~/utils/pathBuilder";
+import { env as serverEnv } from "~/env.server";
+import { generateJWT as internal_generateJWT, MachinePresetName } from "@trigger.dev/core/v3";
+import { extractJwtSigningSecretKey } from "~/services/realtime/jwtAuth.server";
+import { SchemaTabContent } from "~/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.tasks.$taskParam/SchemaTabContent";
+import { AIPayloadTabContent } from "~/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.tasks.$taskParam/AIPayloadTabContent";
+import type { UIMessage } from "@ai-sdk/react";
+
+export const meta: MetaFunction = () => {
+  return [{ title: "Playground | Trigger.dev" }];
+};
+
+export const loader = async ({ request, params }: LoaderFunctionArgs) => {
+  const userId = await requireUserId(request);
+  const { organizationSlug, projectParam, envParam } = EnvironmentParamSchema.parse(params);
+  const agentSlug = params.agentParam;
+
+  if (!agentSlug) {
+    throw new Response(undefined, { status: 404, statusText: "Agent not specified" });
+  }
+
+  const project = await findProjectBySlug(organizationSlug, projectParam, userId);
+  if (!project) {
+    throw new Response(undefined, { status: 404, statusText: "Project not found" });
+  }
+
+  const environment = await findEnvironmentBySlug(project.id, envParam, userId);
+  if (!environment) {
+    throw new Response(undefined, { status: 404, statusText: "Environment not found" });
+  }
+
+  const agent = await playgroundPresenter.getAgent({
+    environmentId: environment.id,
+    environmentType: environment.type,
+    agentSlug,
+  });
+
+  if (!agent) {
+    throw new Response(undefined, { status: 404, statusText: "Agent not found" });
+  }
+
+  const agentConfig = agent.config as { type?: string } | null;
+  const apiOrigin = serverEnv.API_ORIGIN || serverEnv.LOGIN_ORIGIN || "http://localhost:3030";
+
+  const recentConversations = await playgroundPresenter.getRecentConversations({
+    environmentId: environment.id,
+    agentSlug,
+    userId,
+  });
+
+  // Check for ?conversation= param to resume an existing conversation
+  const url = new URL(request.url);
+  const conversationId = url.searchParams.get("conversation");
+
+  let activeConversation: {
+    chatId: string;
+    runFriendlyId: string | null;
+    publicAccessToken: string | null;
+    clientData: unknown;
+    messages: unknown;
+    lastEventId: string | null;
+  } | null = null;
+
+  if (conversationId) {
+    const conv = recentConversations.find((c) => c.id === conversationId);
+    if (conv) {
+      let jwt: string | null = null;
+      if (conv.isActive && conv.runFriendlyId) {
+        jwt = await internal_generateJWT({
+          secretKey: extractJwtSigningSecretKey(environment),
+          payload: {
+            sub: environment.id,
+            pub: true,
+            scopes: [`read:runs:${conv.runFriendlyId}`, `write:inputStreams:${conv.runFriendlyId}`],
+          },
+          expirationTime: "1h",
+        });
+      }
+
+      activeConversation = {
+        chatId: conv.chatId,
+        runFriendlyId: conv.runFriendlyId,
+        publicAccessToken: jwt,
+        clientData: conv.clientData,
+        messages: conv.messages,
+        lastEventId: conv.lastEventId,
+      };
+    }
+  }
+
+  return typedjson({
+    agent: {
+      slug: agent.slug,
+      filePath: agent.filePath,
+      type: agentConfig?.type ?? "unknown",
+      clientDataSchema: agent.payloadSchema ?? null,
+    },
+    apiOrigin,
+    recentConversations,
+    activeConversation,
+  });
+};
+
+export default function PlaygroundAgentPage() {
+  const { agent, activeConversation } = useTypedLoaderData<typeof loader>();
+  // Key on agent slug + conversation chatId so React remounts all stateful
+  // children when switching agents or navigating between conversations.
+  // Without the agent slug, switching agents keeps key="new" and React
+  // reuses the component — useState initializers don't re-run.
+  const conversationKey = `${agent.slug}:${activeConversation?.chatId ?? "new"}`;
+  return <PlaygroundChat key={conversationKey} />;
+}
+
+const PARENT_ROUTE_ID =
+  "routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground";
+
+function PlaygroundChat() {
+  const { agent, apiOrigin, recentConversations, activeConversation } =
+    useTypedLoaderData<typeof loader>();
+  const parentData = useRouteLoaderData(PARENT_ROUTE_ID) as
+    | {
+        agents: Array<{ slug: string }>;
+        versions: string[];
+        regions: Array<{
+          id: string;
+          name: string;
+          description?: string;
+          isDefault: boolean;
+        }>;
+        isDev: boolean;
+      }
+    | undefined;
+  const agents = parentData?.agents ?? [];
+  const versions = parentData?.versions ?? [];
+  const regions = parentData?.regions ?? [];
+  const isDev = parentData?.isDev ?? false;
+  const defaultRegion = regions.find((r) => r.isDefault);
+  const navigate = useNavigate();
+  const organization = useOrganization();
+  const project = useProject();
+  const environment = useEnvironment();
+
+  const [conversationId, setConversationId] = useState<string | null>(() =>
+    activeConversation
+      ? recentConversations.find((c) => c.chatId === activeConversation.chatId)?.id ?? null
+      : null
+  );
+  const [chatId, setChatId] = useState(() => activeConversation?.chatId ?? crypto.randomUUID());
+  const [clientDataJson, setClientDataJson] = useState(() =>
+    activeConversation?.clientData ? JSON.stringify(activeConversation.clientData, null, 2) : "{}"
+  );
+  const clientDataJsonRef = useRef(clientDataJson);
+  clientDataJsonRef.current = clientDataJson;
+  const [machine, setMachine] = useState<string | undefined>(undefined);
+  const [tags, setTags] = useState<string[]>([]);
+  const [maxAttempts, setMaxAttempts] = useState<number | undefined>(undefined);
+  const [maxDuration, setMaxDuration] = useState<number | undefined>(undefined);
+  const [version, setVersion] = useState<string | undefined>(undefined);
+  const [region, setRegion] = useState<string | undefined>(() =>
+    isDev ? undefined : defaultRegion?.name
+  );
+
+  const actionPath = `/resources/orgs/${organization.slug}/projects/${project.slug}/env/${environment.slug}/playground/action`;
+
+  // Server-side `start` via Remix action — atomically creates the
+  // backing Session for `chatId` and triggers the first run, returns
+  // the session-scoped PAT. Idempotent: called on initial use AND on
+  // 401, so the same code path serves both first-run and PAT renewal.
+  const startSession = useCallback(
+    async (): Promise<string> => {
+      const formData = new FormData();
+      formData.set("intent", "start");
+      formData.set("agentSlug", agent.slug);
+      formData.set("chatId", chatId);
+      formData.set("clientData", clientDataJsonRef.current);
+      if (tags.length > 0) formData.set("tags", tags.join(","));
+      if (machine) formData.set("machine", machine);
+      if (maxAttempts) formData.set("maxAttempts", String(maxAttempts));
+      if (maxDuration) formData.set("maxDuration", String(maxDuration));
+      if (version) formData.set("version", version);
+      if (region) formData.set("region", region);
+
+      const response = await fetch(actionPath, { method: "POST", body: formData });
+      const data = (await response.json()) as {
+        runId?: string;
+        publicAccessToken?: string;
+        conversationId?: string;
+        error?: string;
+      };
+
+      if (!response.ok || !data.publicAccessToken) {
+        throw new Error(data.error ?? "Failed to start chat session");
+      }
+
+      if (data.conversationId) {
+        setConversationId(data.conversationId);
+      }
+
+      return data.publicAccessToken;
+    },
+    [actionPath, agent.slug, chatId, tags, machine, maxAttempts, maxDuration, version, region]
+  );
+
+  // Resource route prefix — all realtime traffic goes through session-authed routes
+  const playgroundBaseURL = `${apiOrigin}/resources/orgs/${organization.slug}/projects/${project.slug}/env/${environment.slug}/playground`;
+
+  // The transport is constructed once (guarded ref below); reading
+  // `startSession` directly there would freeze its closure to the
+  // first render's sidebar values, so subsequent edits to tags /
+  // machine / maxAttempts / maxDuration / version / region would be
+  // silently ignored on the first send. Mirror the `clientDataJsonRef`
+  // pattern so the transport always calls the latest `startSession`.
+  const startSessionRef = useRef(startSession);
+  startSessionRef.current = startSession;
+
+  // Create TriggerChatTransport directly (not via useTriggerChatTransport hook
+  // to avoid React version mismatch between SDK and webapp)
+  const transportRef = useRef<TriggerChatTransport | null>(null);
+  if (transportRef.current === null) {
+    transportRef.current = new TriggerChatTransport({
+      task: agent.slug,
+      // The Remix action is idempotent on `(env, externalId)` and
+      // returns a fresh session PAT every time, so it serves both
+      // first-run create and PAT renewal. `startSession` runs on
+      // `transport.preload(chatId)` and lazily on the first
+      // `sendMessage`; `accessToken` runs on a 401/403 from any
+      // session-PAT-authed request. Wiring the same call to both
+      // keeps the Preload button working without a separate refresh
+      // route.
+      startSession: async () => ({ publicAccessToken: await startSessionRef.current() }),
+      accessToken: () => startSessionRef.current(),
+      baseURL: playgroundBaseURL,
+      // Use safeParseJson so a mid-edit invalid JSON state in the editor
+      // doesn't throw and crash the component during transport construction.
+      clientData: safeParseJson(clientDataJson),
+      ...(activeConversation?.publicAccessToken
+        ? {
+            sessions: {
+              [activeConversation.chatId]: {
+                publicAccessToken: activeConversation.publicAccessToken,
+                lastEventId: activeConversation.lastEventId ?? undefined,
+              },
+            },
+          }
+        : {}),
+    });
+  }
+  const transport = transportRef.current;
+
+  // Keep the transport's `defaultMetadata` in sync with the JSON editor.
+  // Without this the transport uses the value captured at construction for
+  // every per-turn metadata merge, even after the user edits the JSON.
+  // `startSession` reads from `clientDataJsonRef.current` directly so session
+  // creation is unaffected — this only fixes the per-turn metadata path.
+  useEffect(() => {
+    // JSONEditor fires onChange on every keystroke — intermediate values
+    // like `{"key":` are syntactically invalid. `safeParseJson` returns
+    // `{}` on parse failure so the next valid keystroke lands the update
+    // without crashing the component mid-edit.
+    transport.setClientData(safeParseJson(clientDataJson));
+  }, [clientDataJson, transport]);
+
+  // Initial messages from persisted conversation (for resume)
+  const initialMessages = activeConversation?.messages
+    ? (activeConversation.messages as UIMessage[])
+    : [];
+
+  // Track the initial message count so we only save after genuinely new turns
+  // (not during resume replay which re-fires onFinish for replayed turns)
+  const initialMessageCountRef = useRef(initialMessages?.length ?? 0);
+
+  // Save messages after each turn completes
+  const saveMessages = useCallback(
+    (allMessages: UIMessage[]) => {
+      // Skip saves during resume replay — only save when we have more messages than we started with
+      if (allMessages.length <= initialMessageCountRef.current) return;
+
+      const currentSession = transport.getSession(chatId);
+      const lastEventId = currentSession?.lastEventId;
+
+      const formData = new FormData();
+      formData.set("intent", "save");
+      formData.set("agentSlug", agent.slug);
+      formData.set("chatId", chatId);
+      formData.set("messages", JSON.stringify(allMessages));
+      if (lastEventId) formData.set("lastEventId", lastEventId);
+
+      // Fire and forget
+      fetch(actionPath, { method: "POST", body: formData }).catch(() => {});
+
+      // Update the baseline so subsequent saves work correctly
+      initialMessageCountRef.current = allMessages.length;
+    },
+    [chatId, agent.slug, actionPath, transport]
+  );
+
+  // useChat from AI SDK — handles message accumulation, streaming, stop
+  const { messages, sendMessage, stop, status, error } = useChat({
+    id: chatId,
+    messages: initialMessages,
+    transport,
+    onFinish: ({ messages: allMessages }) => {
+      saveMessages(allMessages);
+    },
+  });
+
+  const isStreaming = status === "streaming";
+  const isSubmitted = status === "submitted";
+
+  // Sticky-bottom auto-scroll for the messages list. The hook walks up to
+  // the surrounding `overflow-y-auto` panel and follows the conversation
+  // as new chunks stream in — pauses if you scroll up to read history,
+  // resumes when you scroll back into the bottom band. Same behavior as
+  // the run-inspector Agent tab.
+  const messagesRootRef = useAutoScrollToBottom([messages, isSubmitted]);
+
+  // Pending messages — steering during streaming
+  const pending = usePlaygroundPendingMessages({
+    transport,
+    chatId,
+    status,
+    messages,
+    sendMessage,
+    metadata: safeParseJson(clientDataJson),
+  });
+
+  const [input, setInput] = useState("");
+  const [preloading, setPreloading] = useState(false);
+  const [preloaded, setPreloaded] = useState(false);
+  const inputRef = useRef<HTMLTextAreaElement>(null);
+
+  const session = transport.getSession(chatId);
+
+  const handlePreload = useCallback(async () => {
+    setPreloading(true);
+    try {
+      await transport.preload(chatId);
+      setPreloaded(true);
+      inputRef.current?.focus();
+    } finally {
+      setPreloading(false);
+    }
+  }, [transport, chatId]);
+
+  const handleNewConversation = useCallback(() => {
+    // Navigate without ?conversation= so the loader returns activeConversation=null
+    // and the key changes to "new", causing a full remount with fresh state.
+    navigate(window.location.pathname);
+  }, [navigate]);
+
+  const handleDeleteConversation = useCallback(async () => {
+    if (!conversationId) return;
+
+    const formData = new FormData();
+    formData.set("intent", "delete");
+    formData.set("agentSlug", agent.slug);
+    formData.set("deleteConversationId", conversationId);
+
+    await fetch(actionPath, { method: "POST", body: formData });
+    handleNewConversation();
+  }, [conversationId, agent.slug, actionPath, handleNewConversation]);
+
+  const handleSend = useCallback(() => {
+    const trimmed = input.trim();
+    if (!trimmed) return;
+
+    setInput("");
+    // steer() handles both cases: sends via input stream during streaming,
+    // or sends as a normal message when ready
+    pending.steer(trimmed);
+  }, [input, pending]);
+
+  const handleKeyDown = useCallback(
+    (e: React.KeyboardEvent) => {
+      if (e.key === "Enter" && !e.shiftKey) {
+        e.preventDefault();
+        handleSend();
+      }
+    },
+    [handleSend]
+  );
+
+  return (
+    <ResizablePanelGroup orientation="horizontal" className="h-full">
+      <ResizablePanel id="playground-chat" min="300px">
+        <div className="flex h-full flex-col">
+          {/* Header */}
+          <div className="flex items-center justify-between border-b border-grid-bright px-4 py-2">
+            <div className="flex items-center gap-2">
+              <Select
+                value={agent.slug}
+                setValue={(slug) => {
+                  if (slug && typeof slug === "string" && slug !== agent.slug) {
+                    navigate(v3PlaygroundAgentPath(organization, project, environment, slug));
+                  }
+                }}
+                icon={<CpuChipIcon className="size-4 text-indigo-500" />}
+                text={(val) => val || undefined}
+                variant="tertiary/small"
+                items={agents}
+                filter={(item, search) =>
+                  item.slug.toLowerCase().includes(search.toLowerCase())
+                }
+              >
+                {(matches) =>
+                  matches.map((a) => (
+                    <SelectItem key={a.slug} value={a.slug}>
+                      <div className="flex items-center gap-2">
+                        <CpuChipIcon className="size-3.5 text-indigo-500" />
+                        <span>{a.slug}</span>
+                      </div>
+                    </SelectItem>
+                  ))
+                }
+              </Select>
+              <Badge variant="extra-small">{formatAgentType(agent.type)}</Badge>
+            </div>
+            <div className="flex items-center gap-2">
+              {activeConversation?.runFriendlyId && (
+                <LinkButton
+                  to={`/runs/${activeConversation.runFriendlyId}`}
+                  variant="tertiary/small"
+                >
+                  View run
+                </LinkButton>
+              )}
+              {messages.length > 0 && (
+                <CopyButton
+                  value={JSON.stringify(messages, null, 2)}
+                  variant="button"
+                  size="extra-small"
+                  showTooltip={false}
+                >
+                  Copy raw
+                </CopyButton>
+              )}
+              <RecentConversationsPopover
+                conversations={recentConversations}
+                actionPath={actionPath}
+              />
+              {conversationId && (
+                <Button
+                  variant="tertiary/small"
+                  LeadingIcon={TrashIcon}
+                  onClick={handleDeleteConversation}
+                />
+              )}
+              <Button
+                variant="tertiary/small"
+                LeadingIcon={ArrowPathIcon}
+                onClick={handleNewConversation}
+              >
+                New conversation
+              </Button>
+            </div>
+          </div>
+
+          {/* Messages */}
+          <div className="flex-1 overflow-y-auto p-4 scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600">
+            {/* Always-mounted scroll-target wrapper so useAutoScrollToBottom
+                can find its container from `rootRef.current.parentElement`
+                on mount, even before any messages exist. */}
+            <div ref={messagesRootRef}>
+              {messages.length === 0 ? (
+                <MainCenteredContainer>
+                  <div className="flex flex-col items-center gap-3 py-16">
+                    {preloaded ? (
+                      <>
+                        <BoltIcon className="size-10 text-success/50" />
+                        <Header3 className="text-text-dimmed">Preloaded</Header3>
+                        <Paragraph variant="small" className="max-w-sm text-center text-text-dimmed">
+                          Agent is warmed up and waiting. Type a message below to start.
+                        </Paragraph>
+                      </>
+                    ) : (
+                      <>
+                        <CpuChipIcon className="size-10 text-indigo-500/50" />
+                        <Header3 className="text-text-dimmed">Start a conversation</Header3>
+                        <Paragraph variant="small" className="max-w-sm text-center text-text-dimmed">
+                          Type a message below to start testing{" "}
+                          <code className="text-text-bright">{agent.slug}</code>
+                        </Paragraph>
+                        {!session && (
+                          <Button
+                            variant="tertiary/small"
+                            LeadingIcon={preloading ? Spinner : BoltIcon}
+                            onClick={handlePreload}
+                            disabled={preloading}
+                          >
+                            {preloading ? "Preloading..." : "Preload"}
+                          </Button>
+                        )}
+                      </>
+                    )}
+                  </div>
+                </MainCenteredContainer>
+              ) : (
+                <div className="mx-auto w-full max-w-4xl space-y-4">
+                  {messages.map((msg) => (
+                    <MessageBubble key={msg.id} message={msg} />
+                  ))}
+                  {isSubmitted && (
+                    <div className="flex justify-start">
+                      <div className="flex items-center gap-2 rounded-lg bg-charcoal-750 px-4 py-2.5">
+                        <Spinner className="size-3" />
+                        <span className="text-sm text-text-dimmed">Thinking...</span>
+                      </div>
+                    </div>
+                  )}
+                </div>
+              )}
+            </div>
+          </div>
+
+          {/* Error */}
+          {error && (
+            <div className="mx-4 mb-2 flex items-start gap-2 rounded border border-error/30 bg-error/10 px-3 py-2">
+              <span className="flex-1 text-xs text-error">{error.message}</span>
+            </div>
+          )}
+
+          {/* Input */}
+          <div className="border-t border-grid-bright p-4">
+            <div className="mx-auto flex max-w-3xl items-end gap-2">
+              <textarea
+                ref={inputRef}
+                value={input}
+                onChange={(e) => setInput(e.target.value)}
+                onKeyDown={handleKeyDown}
+                placeholder={isStreaming ? "Send a steering message..." : "Type a message..."}
+                rows={1}
+                className="flex-1 resize-none rounded-lg border border-charcoal-650 bg-charcoal-850 px-3 py-2.5 text-sm text-text-bright placeholder-text-dimmed focus:border-indigo-500 focus:outline-none"
+                style={{ minHeight: "40px", maxHeight: "120px" }}
+              />
+              <div className="flex items-end gap-1.5">
+                {isStreaming && (
+                  <Button variant="danger/small" LeadingIcon={StopIcon} onClick={stop}>
+                    Stop
+                  </Button>
+                )}
+                <Button
+                  variant={isStreaming ? "tertiary/small" : "primary/small"}
+                  LeadingIcon={ArrowUpIcon}
+                  onClick={handleSend}
+                  disabled={!input.trim()}
+                >
+                  {isStreaming ? "Steer" : "Send"}
+                </Button>
+              </div>
+            </div>
+            {/* Pending messages overlay */}
+            {pending.pending.length > 0 && (
+              <div className="mx-auto mt-1.5 max-w-3xl space-y-1">
+                {pending.pending.map((msg) => (
+                  <div key={msg.id} className="flex items-center gap-2 text-[10px]">
+                    <span
+                      className={cn(
+                        "rounded px-1.5 py-0.5",
+                        msg.mode === "steering"
+                          ? "bg-amber-500/10 text-amber-400"
+                          : "bg-charcoal-700 text-text-dimmed"
+                      )}
+                    >
+                      {msg.mode === "steering" ? "Steering" : "Queued"}
+                    </span>
+                    <span className="truncate text-text-dimmed">{msg.text}</span>
+                    {msg.injected && <span className="text-success">Injected</span>}
+                  </div>
+                ))}
+              </div>
+            )}
+            <div className="mx-auto mt-1.5 max-w-3xl">
+              <span className="text-[10px] text-text-dimmed">
+                {isStreaming
+                  ? "Send a steering message to guide the agent between tool calls"
+                  : "Press Enter to send, Shift+Enter for new line"}
+              </span>
+            </div>
+          </div>
+        </div>
+      </ResizablePanel>
+      <ResizableHandle id="playground-sidebar-handle" />
+      <ResizablePanel id="playground-sidebar" default="420px" min="360px" max="720px">
+        <PlaygroundSidebar
+          clientDataJson={clientDataJson}
+          onClientDataChange={setClientDataJson}
+          getCurrentClientData={() => clientDataJsonRef.current}
+          clientDataSchema={agent.clientDataSchema}
+          agentSlug={agent.slug}
+          machine={machine}
+          onMachineChange={setMachine}
+          tags={tags}
+          onTagsChange={setTags}
+          maxAttempts={maxAttempts}
+          onMaxAttemptsChange={setMaxAttempts}
+          maxDuration={maxDuration}
+          onMaxDurationChange={setMaxDuration}
+          version={version}
+          onVersionChange={setVersion}
+          versions={versions}
+          region={region}
+          onRegionChange={setRegion}
+          regions={regions}
+          isDev={isDev}
+          session={session}
+          runFriendlyId={activeConversation?.runFriendlyId ?? undefined}
+          messageCount={messages.length}
+          isStreaming={isStreaming}
+          status={status}
+        />
+      </ResizablePanel>
+    </ResizablePanelGroup>
+  );
+}
+
+function formatAgentType(type: string): string {
+  switch (type) {
+    case "ai-sdk-chat":
+      return "AI SDK Chat";
+    default:
+      return type;
+  }
+}
+
+// Message rendering — `MessageBubble` is imported from
+// `~/components/runs/v3/agent/AgentMessageView`. The same module is used by
+// the run details Agent view so both surfaces stay in sync.
+
+// ---------------------------------------------------------------------------
+// Sidebar
+// ---------------------------------------------------------------------------
+
+const machinePresets = Object.values(MachinePresetName.enum);
+
+function PlaygroundSidebar({
+  clientDataJson,
+  onClientDataChange,
+  getCurrentClientData,
+  clientDataSchema,
+  agentSlug,
+  machine,
+  onMachineChange,
+  tags,
+  onTagsChange,
+  maxAttempts,
+  onMaxAttemptsChange,
+  maxDuration,
+  onMaxDurationChange,
+  version,
+  onVersionChange,
+  versions,
+  region,
+  onRegionChange,
+  regions,
+  isDev,
+  session,
+  runFriendlyId,
+  messageCount,
+  isStreaming,
+  status,
+}: {
+  clientDataJson: string;
+  onClientDataChange: (val: string) => void;
+  getCurrentClientData: () => string;
+  clientDataSchema: unknown;
+  agentSlug: string;
+  machine: string | undefined;
+  onMachineChange: (val: string | undefined) => void;
+  tags: string[];
+  onTagsChange: (val: string[]) => void;
+  maxAttempts: number | undefined;
+  onMaxAttemptsChange: (val: number | undefined) => void;
+  maxDuration: number | undefined;
+  onMaxDurationChange: (val: number | undefined) => void;
+  version: string | undefined;
+  onVersionChange: (val: string | undefined) => void;
+  versions: string[];
+  region: string | undefined;
+  onRegionChange: (val: string | undefined) => void;
+  regions: Array<{ id: string; name: string; description?: string; isDefault: boolean }>;
+  isDev: boolean;
+  session:
+    | {
+        publicAccessToken: string;
+        lastEventId?: string;
+        isStreaming?: boolean;
+      }
+    | undefined;
+  /**
+   * Friendly id of the latest run for this conversation (drawn from the
+   * playground's own `playgroundConversation` table, which mirrors the
+   * Session's `currentRunId`). Optional because a conversation may
+   * exist briefly before the first run lands.
+   */
+  runFriendlyId: string | undefined;
+  messageCount: number;
+  isStreaming: boolean;
+  status: string;
+}) {
+  const regionItems = regions.map((r) => ({
+    value: r.name,
+    label: r.description ? `${r.name} — ${r.description}` : r.name,
+  }));
+  return (
+    <div className="flex h-full flex-col border-l border-grid-bright">
+      <ClientTabs
+        defaultValue="clientData"
+        className="flex h-full min-h-0 flex-col overflow-hidden pt-1"
+      >
+        <div className="h-fit overflow-x-auto scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600">
+          <ClientTabsList variant="underline" className="mx-3 shrink-0">
+            <ClientTabsTrigger
+              value="clientData"
+              variant="underline"
+              layoutId="playground-sidebar-tabs"
+              className="shrink-0"
+            >
+              Client Data
+            </ClientTabsTrigger>
+            <ClientTabsTrigger
+              value="options"
+              variant="underline"
+              layoutId="playground-sidebar-tabs"
+              className="shrink-0"
+            >
+              Options
+            </ClientTabsTrigger>
+            <ClientTabsTrigger
+              value="session"
+              variant="underline"
+              layoutId="playground-sidebar-tabs"
+              className="shrink-0"
+            >
+              Session
+            </ClientTabsTrigger>
+          </ClientTabsList>
+        </div>
+
+        {/* Client Data tab */}
+        <ClientTabsContent
+          value="clientData"
+          className="min-h-0 flex-1 overflow-y-auto scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600"
+        >
+          <div className="min-w-64 space-y-4 p-3">
+            <div>
+              <p className="mb-2 text-xs text-text-dimmed">
+                Custom metadata sent with each conversation turn.
+              </p>
+              <div className="overflow-hidden rounded border border-charcoal-650">
+                <JSONEditor
+                  defaultValue={clientDataJson}
+                  readOnly={false}
+                  onChange={onClientDataChange}
+                  minHeight="120px"
+                  maxHeight="300px"
+                  showClearButton={true}
+                  showCopyButton={true}
+                />
+              </div>
+            </div>
+
+            <AIPayloadTabContent
+              onPayloadGenerated={onClientDataChange}
+              payloadSchema={clientDataSchema ?? undefined}
+              taskIdentifier={agentSlug}
+              getCurrentPayload={getCurrentClientData}
+              generateButtonLabel="Generate client data"
+              placeholder="e.g. generate client data for a free-tier user"
+              isAgent={true}
+              examplePromptsOverride={[
+                "Generate valid client data",
+                "Generate client data with all fields",
+                "Generate client data with edge cases",
+              ]}
+            />
+
+            {clientDataSchema != null && (
+              <SchemaTabContent
+                schema={clientDataSchema}
+                title="Schema"
+                description="JSON Schema for the agent's client data."
+                showDocsLink={false}
+              />
+            )}
+          </div>
+        </ClientTabsContent>
+
+        {/* Options tab */}
+        <ClientTabsContent
+          value="options"
+          className="min-h-0 flex-1 overflow-y-auto scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600"
+        >
+          <div className="space-y-4 p-3">
+            <InputGroup fullWidth>
+              <Label variant="small" required={false}>
+                Machine
+              </Label>
+              <Select
+                value={machine ?? ""}
+                setValue={(val) =>
+                  onMachineChange(val && typeof val === "string" ? val : undefined)
+                }
+                placeholder="Default"
+                variant="tertiary/small"
+                items={machinePresets}
+                filter={(item, search) => item.toLowerCase().includes(search.toLowerCase())}
+              >
+                {(matches) =>
+                  matches.map((preset) => (
+                    <SelectItem key={preset} value={preset}>
+                      {preset}
+                    </SelectItem>
+                  ))
+                }
+              </Select>
+              <Hint>Overrides the machine preset.</Hint>
+            </InputGroup>
+
+            <InputGroup fullWidth>
+              <Label variant="small" required={false}>
+                Tags
+              </Label>
+              <RunTagInput
+                tags={tags}
+                onTagsChange={onTagsChange}
+                variant="small"
+                maxTags={3}
+                placeholder="Add tag..."
+              />
+              <Hint>Add tags to easily filter runs. 3 max (2 added automatically).</Hint>
+            </InputGroup>
+
+            <InputGroup fullWidth>
+              <Label variant="small" required={false}>
+                Max attempts
+              </Label>
+              <Input
+                type="number"
+                variant="small"
+                min={1}
+                placeholder="Default"
+                value={maxAttempts ?? ""}
+                onChange={(e) => {
+                  const val = e.target.value;
+                  onMaxAttemptsChange(val ? parseInt(val, 10) : undefined);
+                }}
+              />
+              <Hint>Retries failed runs up to the specified number of attempts.</Hint>
+            </InputGroup>
+
+            <InputGroup fullWidth>
+              <Label variant="small" required={false}>
+                Max duration
+              </Label>
+              <DurationPicker
+                value={maxDuration}
+                onChange={onMaxDurationChange}
+                variant="small"
+              />
+              <Hint>Overrides the maximum compute time limit for the run.</Hint>
+            </InputGroup>
+
+            {versions.length > 0 && (
+              <InputGroup fullWidth>
+                <Label variant="small" required={false}>
+                  Version
+                </Label>
+                <Select
+                  value={version ?? ""}
+                  setValue={(val) =>
+                    onVersionChange(val && typeof val === "string" ? val : undefined)
+                  }
+                  placeholder="Latest"
+                  variant="tertiary/small"
+                  disabled={isDev}
+                  items={versions}
+                  filter={(item, search) => item.toLowerCase().includes(search.toLowerCase())}
+                >
+                  {(matches) =>
+                    matches.map((v, i) => (
+                      <SelectItem key={v} value={v}>
+                        {i === 0 ? `${v} (latest)` : v}
+                      </SelectItem>
+                    ))
+                  }
+                </Select>
+                <Hint>
+                  {isDev
+                    ? "Version is determined by the running dev server."
+                    : "Lock the run to a specific deployed version."}
+                </Hint>
+              </InputGroup>
+            )}
+
+            {regionItems.length > 1 && (
+              <InputGroup fullWidth>
+                <Label variant="small" required={false}>
+                  Region
+                </Label>
+                <Select
+                  value={region ?? ""}
+                  setValue={(val) =>
+                    onRegionChange(val && typeof val === "string" ? val : undefined)
+                  }
+                  text={(val) => val || undefined}
+                  placeholder={isDev ? "–" : "Default"}
+                  variant="tertiary/small"
+                  disabled={isDev}
+                  items={regionItems}
+                  filter={(item, search) =>
+                    item.label.toLowerCase().includes(search.toLowerCase())
+                  }
+                >
+                  {(matches) =>
+                    matches.map((r) => (
+                      <SelectItem key={r.value} value={r.value}>
+                        {r.label}
+                      </SelectItem>
+                    ))
+                  }
+                </Select>
+                <Hint>
+                  {isDev
+                    ? "Region is not applicable in development."
+                    : "Run the agent in a specific region."}
+                </Hint>
+              </InputGroup>
+            )}
+          </div>
+        </ClientTabsContent>
+
+        {/* Session tab */}
+        <ClientTabsContent
+          value="session"
+          className="min-h-0 flex-1 overflow-y-auto scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600"
+        >
+          <div className="min-w-64 space-y-3 p-3">
+            {session ? (
+              <>
+                {runFriendlyId && (
+                  <SessionField label="Run ID" value={runFriendlyId} />
+                )}
+                <SessionField label="Messages" value={String(messageCount)} />
+                <div>
+                  <label className="mb-0.5 block text-[10px] font-medium uppercase tracking-wider text-text-dimmed">
+                    Status
+                  </label>
+                  <span className="flex items-center gap-1.5 text-xs">
+                    <span
+                      className={cn(
+                        "size-1.5 rounded-full",
+                        isStreaming ? "animate-pulse bg-success" : "bg-blue-500"
+                      )}
+                    />
+                    <span className="capitalize text-text-bright">{status}</span>
+                  </span>
+                </div>
+              </>
+            ) : (
+              <p className="text-xs text-text-dimmed">
+                No active session. Send a message to start a conversation.
+              </p>
+            )}
+          </div>
+        </ClientTabsContent>
+      </ClientTabs>
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Pending messages hook (reimplemented to avoid React version mismatch)
+// ---------------------------------------------------------------------------
+
+const PENDING_MESSAGE_INJECTED_TYPE = "data-pending-message-injected";
+
+type PendingMessageEntry = {
+  id: string;
+  text: string;
+  mode: "steering" | "queued";
+  injected: boolean;
+};
+
+function usePlaygroundPendingMessages({
+  transport,
+  chatId,
+  status,
+  messages,
+  sendMessage,
+  metadata,
+}: {
+  transport: TriggerChatTransport;
+  chatId: string;
+  status: string;
+  messages: UIMessage[];
+  sendMessage: (msg: { text: string }, opts?: { metadata?: Record<string, unknown> }) => void;
+  metadata?: Record<string, unknown>;
+}) {
+  type InternalMsg = {
+    id: string;
+    role: "user";
+    parts: { type: "text"; text: string }[];
+    _mode: "steering" | "queued";
+  };
+  const [pendingMsgs, setPendingMsgs] = useState<InternalMsg[]>([]);
+  const injectedIdsRef = useRef<Set<string>>(new Set());
+  const prevStatusRef = useRef(status);
+
+  // Watch for injection confirmation chunks
+  useEffect(() => {
+    if (status !== "streaming") return;
+    let newlyInjected = false;
+    for (const msg of messages) {
+      if (msg.role !== "assistant") continue;
+      for (const part of msg.parts ?? []) {
+        if ((part as any).type === PENDING_MESSAGE_INJECTED_TYPE) {
+          const messageIds = (part as any).data?.messageIds as string[] | undefined;
+          if (Array.isArray(messageIds)) {
+            for (const id of messageIds) {
+              if (!injectedIdsRef.current.has(id)) {
+                injectedIdsRef.current.add(id);
+                newlyInjected = true;
+              }
+            }
+          }
+        }
+      }
+    }
+    if (newlyInjected) {
+      setPendingMsgs((prev) => prev.filter((m) => !injectedIdsRef.current.has(m.id)));
+    }
+  }, [status, messages]);
+
+  // Handle turn completion — auto-send non-injected messages as next turn
+  useEffect(() => {
+    const turnCompleted = prevStatusRef.current === "streaming" && status === "ready";
+    prevStatusRef.current = status;
+    if (!turnCompleted) return;
+
+    const toSend = pendingMsgs.filter((m) => !injectedIdsRef.current.has(m.id));
+    setPendingMsgs([]);
+    injectedIdsRef.current.clear();
+
+    if (toSend.length > 0) {
+      const text = toSend.map((m) => m.parts[0]?.text ?? "").join("\n");
+      sendMessage({ text }, metadata ? { metadata } : undefined);
+    }
+  }, [status, pendingMsgs, sendMessage, metadata, messages]);
+
+  const steer = useCallback(
+    (text: string) => {
+      if (status === "streaming") {
+        const msg: InternalMsg = {
+          id: crypto.randomUUID(),
+          role: "user",
+          parts: [{ type: "text", text }],
+          _mode: "steering",
+        };
+        transport.sendPendingMessage(chatId, msg as any, metadata);
+        setPendingMsgs((prev) => [...prev, msg]);
+      } else {
+        sendMessage({ text }, metadata ? { metadata } : undefined);
+      }
+    },
+    [status, transport, chatId, sendMessage, metadata]
+  );
+
+  const pending: PendingMessageEntry[] = pendingMsgs.map((m) => ({
+    id: m.id,
+    text: m.parts[0]?.text ?? "",
+    mode: m._mode,
+    injected: injectedIdsRef.current.has(m.id),
+  }));
+
+  return { pending, steer };
+}
+
+function RecentConversationsPopover({
+  conversations,
+  actionPath,
+}: {
+  conversations: PlaygroundConversation[];
+  actionPath: string;
+}) {
+  const fetcher = useFetcher();
+  const [isOpen, setIsOpen] = useState(false);
+
+  const deletingId =
+    fetcher.state !== "idle" ? (fetcher.formData?.get("deleteConversationId") as string) : null;
+
+  const handleDelete = useCallback(
+    (e: React.MouseEvent, conv: PlaygroundConversation) => {
+      e.preventDefault();
+      e.stopPropagation();
+
+      fetcher.submit(
+        {
+          intent: "delete",
+          agentSlug: conv.agentSlug,
+          deleteConversationId: conv.id,
+        },
+        { method: "POST", action: actionPath }
+      );
+      setIsOpen(false);
+    },
+    [actionPath, fetcher]
+  );
+
+  return (
+    <Popover open={isOpen} onOpenChange={setIsOpen}>
+      <PopoverTrigger asChild>
+        <Button
+          type="button"
+          variant="tertiary/small"
+          LeadingIcon={ClockRotateLeftIcon}
+          disabled={conversations.length === 0}
+        >
+          Recent
+        </Button>
+      </PopoverTrigger>
+      <PopoverContent className="min-w-[320px] p-0" align="end" sideOffset={6}>
+        <div className="max-h-80 overflow-y-auto scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600">
+          <div className="p-1">
+            {conversations.map((conv) => (
+              <div
+                key={conv.id}
+                className={cn(
+                  "group flex items-center gap-1 rounded-sm px-2 py-2 transition-colors hover:bg-charcoal-900",
+                  deletingId === conv.id && "pointer-events-none opacity-50"
+                )}
+              >
+                <Link
+                  to={`?conversation=${conv.id}`}
+                  onClick={() => setIsOpen(false)}
+                  className="flex min-w-0 flex-1 flex-col items-start gap-0.5 outline-none focus-custom"
+                >
+                  <Paragraph variant="small/bright" className="line-clamp-1 text-left">
+                    {conv.title}
+                  </Paragraph>
+                  <div className="text-xs text-text-dimmed">
+                    <DateTime date={conv.updatedAt} showTooltip={false} />
+                  </div>
+                </Link>
+                <button
+                  type="button"
+                  onClick={(e) => handleDelete(e, conv)}
+                  className="shrink-0 rounded p-1 text-text-dimmed opacity-0 transition-opacity group-hover:opacity-100 hover:text-error"
+                >
+                  <TrashIcon className="size-3.5" />
+                </button>
+              </div>
+            ))}
+            {conversations.length === 0 && (
+              <div className="px-2 py-3 text-center text-xs text-text-dimmed">
+                No recent conversations
+              </div>
+            )}
+          </div>
+        </div>
+      </PopoverContent>
+    </Popover>
+  );
+}
+
+function safeParseJson(json: string): Record<string, unknown> {
+  try {
+    return JSON.parse(json || "{}") as Record<string, unknown>;
+  } catch {
+    return {};
+  }
+}
+
+function SessionField({ label, value }: { label: string; value: string }) {
+  return (
+    <div>
+      <label className="mb-0.5 block text-[10px] font-medium uppercase tracking-wider text-text-dimmed">
+        {label}
+      </label>
+      <code className="block truncate text-xs text-text-bright">{value}</code>
+    </div>
+  );
+}
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground/route.tsx
new file mode 100644
index 00000000000..08856f65aca
--- /dev/null
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground/route.tsx
@@ -0,0 +1,189 @@
+import { BookOpenIcon, CpuChipIcon } from "@heroicons/react/20/solid";
+import { json, type MetaFunction } from "@remix-run/node";
+import { Outlet, useNavigate, useParams, useLoaderData } from "@remix-run/react";
+import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { CodeBlock } from "~/components/code/CodeBlock";
+import { InlineCode } from "~/components/code/InlineCode";
+import { MainCenteredContainer, PageBody, PageContainer } from "~/components/layout/AppLayout";
+import { LinkButton } from "~/components/primitives/Buttons";
+import { Header2 } from "~/components/primitives/Headers";
+import { InfoPanel } from "~/components/primitives/InfoPanel";
+import { NavBar, PageTitle } from "~/components/primitives/PageHeader";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import {
+  Select,
+  SelectItem,
+} from "~/components/primitives/Select";
+import { $replica } from "~/db.server";
+import { useEnvironment } from "~/hooks/useEnvironment";
+import { useOrganization } from "~/hooks/useOrganizations";
+import { useProject } from "~/hooks/useProject";
+import { findProjectBySlug } from "~/models/project.server";
+import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
+import { playgroundPresenter } from "~/presenters/v3/PlaygroundPresenter.server";
+import { RegionsPresenter } from "~/presenters/v3/RegionsPresenter.server";
+import { requireUser } from "~/services/session.server";
+import { docsPath, EnvironmentParamSchema, v3PlaygroundAgentPath } from "~/utils/pathBuilder";
+
+export const meta: MetaFunction = () => {
+  return [{ title: "Playground | Trigger.dev" }];
+};
+
+export const loader = async ({ request, params }: LoaderFunctionArgs) => {
+  const user = await requireUser(request);
+  const { organizationSlug, projectParam, envParam } = EnvironmentParamSchema.parse(params);
+
+  const project = await findProjectBySlug(organizationSlug, projectParam, user.id);
+  if (!project) {
+    throw new Response(undefined, { status: 404, statusText: "Project not found" });
+  }
+
+  const environment = await findEnvironmentBySlug(project.id, envParam, user.id);
+  if (!environment) {
+    throw new Response(undefined, { status: 404, statusText: "Environment not found" });
+  }
+
+  const [agents, backgroundWorkers, regionsResult] = await Promise.all([
+    playgroundPresenter.listAgents({
+      environmentId: environment.id,
+      environmentType: environment.type,
+    }),
+    $replica.backgroundWorker.findMany({
+      where: { runtimeEnvironmentId: environment.id },
+      select: { version: true },
+      orderBy: { createdAt: "desc" },
+      take: 20,
+    }),
+    new RegionsPresenter().call({
+      userId: user.id,
+      projectSlug: projectParam,
+      isAdmin: user.admin || user.isImpersonating,
+    }),
+  ]);
+
+  return json({
+    agents,
+    versions: backgroundWorkers.map((w) => w.version),
+    regions: regionsResult.regions,
+    isDev: environment.type === "DEVELOPMENT",
+  });
+};
+
+export default function PlaygroundPage() {
+  const { agents } = useLoaderData<typeof loader>();
+  const organization = useOrganization();
+  const project = useProject();
+  const environment = useEnvironment();
+  const navigate = useNavigate();
+  const params = useParams();
+  const selectedAgent = params.agentParam ?? "";
+
+  if (agents.length === 0) {
+    return (
+      <PageContainer>
+        <NavBar>
+          <PageTitle title="Playground" />
+        </NavBar>
+        <PageBody>
+          <MainCenteredContainer className="max-w-2xl">
+            <InfoPanel
+              title="Create your first agent"
+              icon={CpuChipIcon}
+              iconClassName="text-indigo-500"
+              panelClassName="max-w-2xl"
+              accessory={
+                <LinkButton
+                  to={docsPath("ai-chat/overview")}
+                  variant="docs/small"
+                  LeadingIcon={BookOpenIcon}
+                >
+                  Agent docs
+                </LinkButton>
+              }
+            >
+              <Paragraph spacing variant="small">
+                The Playground lets you test your AI agents with an interactive chat interface,
+                realtime streaming, and conversation history.
+              </Paragraph>
+              <Paragraph spacing variant="small">
+                Define a chat agent using{" "}
+                <InlineCode variant="small">chat.agent()</InlineCode>:
+              </Paragraph>
+              <CodeBlock
+                code={`import { chat } from "@trigger.dev/sdk/ai";
+import { streamText } from "ai";
+import { openai } from "@ai-sdk/openai";
+
+export const myAgent = chat.agent({
+  id: "my-agent",
+  run: async ({ messages, signal }) => {
+    return streamText({
+      model: openai("gpt-4o"),
+      messages,
+      abortSignal: signal,
+    });
+  },
+});`}
+                showLineNumbers={false}
+                showOpenInModal={false}
+              />
+              <Paragraph variant="small" className="mt-2">
+                Deploy your project and your agents will appear here ready to test.
+              </Paragraph>
+            </InfoPanel>
+          </MainCenteredContainer>
+        </PageBody>
+      </PageContainer>
+    );
+  }
+
+  return (
+    <PageContainer>
+      <NavBar>
+        <PageTitle title="Playground" />
+      </NavBar>
+      <PageBody scrollable={false}>
+        {selectedAgent ? (
+          <Outlet />
+        ) : (
+          <MainCenteredContainer>
+            <div className="flex flex-col items-center gap-4 py-20">
+              <CpuChipIcon className="size-10 text-indigo-500/50" />
+              <Header2 className="text-text-dimmed">Select an agent</Header2>
+              <Paragraph variant="small" className="mb-2 max-w-md text-center text-text-dimmed">
+                Choose an agent to start a conversation.
+              </Paragraph>
+              <Select
+                value={selectedAgent}
+                setValue={(slug) => {
+                  if (slug && typeof slug === "string") {
+                    navigate(v3PlaygroundAgentPath(organization, project, environment, slug));
+                  }
+                }}
+                icon={<CpuChipIcon className="size-4 text-indigo-500" />}
+                text={(val) => val || undefined}
+                placeholder="Select an agent..."
+                variant="tertiary/small"
+                items={agents}
+                filter={(item, search) =>
+                  item.slug.toLowerCase().includes(search.toLowerCase())
+                }
+              >
+                {(matches) =>
+                  matches.map((agent) => (
+                    <SelectItem key={agent.slug} value={agent.slug}>
+                      <div className="flex items-center gap-2">
+                        <CpuChipIcon className="size-3.5 text-indigo-500" />
+                        <span>{agent.slug}</span>
+                      </div>
+                    </SelectItem>
+                  ))
+                }
+              </Select>
+            </div>
+          </MainCenteredContainer>
+        )}
+      </PageBody>
+    </PageContainer>
+  );
+}
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.prompts.$promptSlug/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.prompts.$promptSlug/route.tsx
index 5a953c0199b..7201b94a16e 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.prompts.$promptSlug/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.prompts.$promptSlug/route.tsx
@@ -70,7 +70,7 @@ import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
 import { type GenerationRow, PromptPresenter } from "~/presenters/v3/PromptPresenter.server";
 import { SpanView } from "~/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.spans.$spanParam/route";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { getResizableSnapshot } from "~/services/resizablePanel.server";
 import { requireUserId } from "~/services/session.server";
 import { PromptService } from "~/v3/services/promptService.server";
@@ -242,7 +242,8 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   const startTime = fromTime ? new Date(fromTime) : new Date(Date.now() - periodMs);
   const endTime = toTime ? new Date(toTime) : new Date();
 
-  const presenter = new PromptPresenter(clickhouseClient);
+  const clickhouse = await clickhouseFactory.getClickhouseForOrganization(project.organizationId, "standard");
+  const presenter = new PromptPresenter(clickhouse);
   let generations: Awaited<ReturnType<typeof presenter.listGenerations>>["generations"] = [];
   let generationsPagination: { next?: string } = {};
   try {
@@ -273,7 +274,7 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
 
   // Load distinct filter values and resizable snapshots in parallel
   const distinctQuery = (col: string, name: string) =>
-    clickhouseClient.reader.query({
+    clickhouse.reader.query({
       name,
       query: `SELECT DISTINCT ${col} AS val FROM trigger_dev.llm_metrics_v1 WHERE environment_id = {environmentId: String} AND prompt_slug = {promptSlug: String} AND ${col} != '' ORDER BY val`,
       params: z.object({ environmentId: z.string(), promptSlug: z.string() }),
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.prompts._index/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.prompts._index/route.tsx
index 02c7cc444b7..5d3f36a06f1 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.prompts._index/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.prompts._index/route.tsx
@@ -22,7 +22,7 @@ import { useProject } from "~/hooks/useProject";
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
 import { PromptPresenter } from "~/presenters/v3/PromptPresenter.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { requireUserId } from "~/services/session.server";
 import { docsPath, EnvironmentParamSchema, v3PromptsPath } from "~/utils/pathBuilder";
 import { LinkButton } from "~/components/primitives/Buttons";
@@ -46,7 +46,8 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     throw new Response("Environment not found", { status: 404 });
   }
 
-  const presenter = new PromptPresenter(clickhouseClient);
+  const clickhouse = await clickhouseFactory.getClickhouseForOrganization(project.organizationId, "standard");
+  const presenter = new PromptPresenter(clickhouse);
   const prompts = await presenter.listPrompts(project.id, environment.id);
 
   const sparklines = await presenter.getUsageSparklines(
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query/QueryHistoryPopover.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query/QueryHistoryPopover.tsx
index 65c10f3f9d4..de7e7a79e03 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query/QueryHistoryPopover.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query/QueryHistoryPopover.tsx
@@ -5,7 +5,6 @@ import { Popover, PopoverTrigger } from "~/components/primitives/Popover";
 import * as PopoverPrimitive from "@radix-ui/react-popover";
 import type { QueryHistoryItem } from "~/presenters/v3/QueryPresenter.server";
 import { timeFilterRenderValues } from "~/components/runs/v3/SharedFilters";
-import { ChevronUpDownIcon } from "@heroicons/react/20/solid";
 import { cn } from "~/utils/cn";
 
 const SQL_KEYWORDS = [
@@ -97,8 +96,9 @@ export function QueryHistoryPopover({
           variant="secondary/small"
           LeadingIcon={ClockRotateLeftIcon}
           leadingIconClassName="-mr-1.5"
-          TrailingIcon={ChevronUpDownIcon}
           disabled={history.length === 0}
+          tooltip="Query history"
+          shortcut={{ key: "h" }}
         >
           History
         </Button>
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.queues/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.queues/route.tsx
index b33fc1e809b..debab4683ce 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.queues/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.queues/route.tsx
@@ -3,7 +3,6 @@ import {
   ArrowUpCircleIcon,
   BookOpenIcon,
   ChatBubbleLeftEllipsisIcon,
-  MagnifyingGlassIcon,
   PauseIcon,
   PlayIcon,
   RectangleStackIcon,
@@ -32,6 +31,7 @@ import { Dialog, DialogContent, DialogHeader, DialogTrigger } from "~/components
 import { FormButtons } from "~/components/primitives/FormButtons";
 import { Header3 } from "~/components/primitives/Headers";
 import { Input } from "~/components/primitives/Input";
+import { SearchInput } from "~/components/primitives/SearchInput";
 import { NavBar, PageAccessories, PageTitle } from "~/components/primitives/PageHeader";
 import { PaginationControls } from "~/components/primitives/Pagination";
 import { Paragraph } from "~/components/primitives/Paragraph";
@@ -59,7 +59,6 @@ import { useAutoRevalidate } from "~/hooks/useAutoRevalidate";
 import { useEnvironment } from "~/hooks/useEnvironment";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
-import { useThrottle } from "~/hooks/useThrottle";
 import { redirectWithErrorMessage, redirectWithSuccessMessage } from "~/models/message.server";
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
@@ -176,9 +175,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
   const action = formData.get("action");
 
   const url = new URL(request.url);
-  const { page } = SearchParamsSchema.parse(Object.fromEntries(url.searchParams));
-
-  const redirectPath = `/orgs/${organizationSlug}/projects/${projectParam}/env/${envParam}/queues?page=${page}`;
+  const redirectPath = `/orgs/${organizationSlug}/projects/${projectParam}/env/${envParam}/queues${url.search}`;
 
   if (environment.archivedAt) {
     return redirectWithErrorMessage(redirectPath, request, "This branch is archived");
@@ -438,13 +435,8 @@ export default function Page() {
           </div>
 
           {success ? (
-            <div
-              className={cn(
-                "grid max-h-full min-h-full grid-rows-[auto_1fr] overflow-x-auto",
-                pagination.totalPages > 1 && "grid-rows-[auto_1fr_auto]"
-              )}
-            >
-              <div className="flex items-center gap-2 border-t border-grid-dimmed px-1.5 py-1.5">
+            <div className="grid max-h-full min-h-full grid-rows-[auto_1fr] overflow-x-auto">
+              <div className="flex items-center justify-between gap-2 border-t border-grid-dimmed px-1.5 py-1.5">
                 <QueueFilters />
                 <PaginationControls
                   currentPage={pagination.currentPage}
@@ -682,27 +674,6 @@ export default function Page() {
                 </TableBody>
               </Table>
 
-              {pagination.totalPages > 1 && (
-                <div
-                  className={cn(
-                    "grid h-fit max-h-full min-h-full overflow-x-auto",
-                    pagination.totalPages > 1 ? "grid-rows-[1fr_auto]" : "grid-rows-[1fr]"
-                  )}
-                >
-                  <div
-                    className={cn(
-                      "flex min-h-full",
-                      pagination.totalPages > 1 &&
-                        "justify-end border-t border-grid-dimmed px-2 py-3"
-                    )}
-                  >
-                    <PaginationControls
-                      currentPage={pagination.currentPage}
-                      totalPages={pagination.totalPages}
-                    />
-                  </div>
-                </div>
-              )}
             </div>
           ) : (
             <div className="grid place-items-center py-6 text-text-dimmed">
@@ -1076,39 +1047,7 @@ export function isEnvironmentPauseResumeFormSubmission(
 }
 
 export function QueueFilters() {
-  const [searchParams, setSearchParams] = useSearchParams();
-
-  const handleSearchChange = useThrottle((value: string) => {
-    if (value) {
-      setSearchParams((prev) => {
-        prev.set("query", value);
-        prev.delete("page");
-        return prev;
-      });
-    } else {
-      setSearchParams((prev) => {
-        prev.delete("query");
-        prev.delete("page");
-        return prev;
-      });
-    }
-  }, 300);
-
-  const search = searchParams.get("query") ?? "";
-
-  return (
-    <div className="flex grow">
-      <Input
-        name="search"
-        placeholder="Search queue name"
-        icon={MagnifyingGlassIcon}
-        variant="tertiary"
-        className="grow"
-        defaultValue={search}
-        onChange={(e) => handleSearchChange(e.target.value)}
-      />
-    </div>
-  );
+  return <SearchInput placeholder="Search queues…" paramName="query" resetParams={["page"]} />;
 }
 
 function BurstFactorTooltip({
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.regions/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.regions/route.tsx
index 26daa24df34..2d754309a3d 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.regions/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.regions/route.tsx
@@ -204,7 +204,12 @@ export default function Page() {
                         return (
                           <TableRow key={region.id}>
                             <TableCell isTabbableCell>
-                              <CopyableText value={region.name} />
+                              <span className="flex items-center gap-2">
+                                <CopyableText value={region.name} />
+                                {region.workloadType === "MICROVM" && (
+                                  <Badge variant="small">MicroVM</Badge>
+                                )}
+                              </span>
                             </TableCell>
                             <TableCell>
                               {region.cloudProvider ? (
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam/route.tsx
index f35376a4275..fbe4b9046c6 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam/route.tsx
@@ -88,11 +88,19 @@ import { useReplaceSearchParams } from "~/hooks/useReplaceSearchParams";
 import { useSearchParams } from "~/hooks/useSearchParam";
 import { type Shortcut, useShortcutKeys } from "~/hooks/useShortcutKeys";
 import { useHasAdminAccess } from "~/hooks/useUser";
+import { env } from "~/env.server";
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
 import { NextRunListPresenter } from "~/presenters/v3/NextRunListPresenter.server";
-import { RunEnvironmentMismatchError, RunPresenter } from "~/presenters/v3/RunPresenter.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import {
+  RunEnvironmentMismatchError,
+  RunNotInPgError,
+  RunPresenter,
+} from "~/presenters/v3/RunPresenter.server";
+import { findRunByIdWithMollifierFallback } from "~/v3/mollifier/readFallback.server";
+import { buildSyntheticRunHeader } from "~/v3/mollifier/syntheticRunHeader.server";
+import { buildSyntheticTraceForBufferedRun } from "~/v3/mollifier/syntheticTrace.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { getImpersonationId } from "~/services/impersonation.server";
 import { logger } from "~/services/logger.server";
 import { getResizableSnapshot } from "~/services/resizablePanel.server";
@@ -115,7 +123,7 @@ import { SpanView } from "../resources.orgs.$organizationSlug.projects.$projectP
 
 const resizableSettings = {
   parent: {
-    autosaveId: "panel-run-parent-v2",
+    autosaveId: "panel-run-parent-v3",
     handleId: "parent-handle",
     main: {
       id: "run",
@@ -124,7 +132,7 @@ const resizableSettings = {
     inspector: {
       id: "inspector",
       default: "500px" as const,
-      min: "50px" as const,
+      min: "250px" as const,
     },
   },
   tree: {
@@ -182,7 +190,8 @@ async function getRunsListFromTableState({
       return null;
     }
 
-    const runsListPresenter = new NextRunListPresenter($replica, clickhouseClient);
+    const clickhouse = await clickhouseFactory.getClickhouseForOrganization(project.organizationId, "standard");
+    const runsListPresenter = new NextRunListPresenter($replica, clickhouse);
     const currentPageResult = await runsListPresenter.call(project.organizationId, environment.id, {
       userId,
       projectId: project.id,
@@ -276,9 +285,78 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
       );
     }
 
+    // Only fall back to the mollifier buffer on a genuine PG miss. Any
+    // other error (DB timeout during trace queries, event-repository
+    // failure, etc.) means the run WAS in PG but a downstream lookup
+    // failed — falling back to the buffer here would either return a
+    // stale synth entry if one happens to exist in the brief drainer-
+    // materialisation race window, or quietly mask the real failure.
+    // `RunNotInPgError` is the typed signal RunPresenter throws for the
+    // route loader's specific case (`RunPresenter.server.ts:130`).
+    if (!(error instanceof RunNotInPgError)) {
+      throw error;
+    }
+
+    // PG miss → try the mollifier buffer. When the gate diverts a trigger
+    // the run sits in Redis until the drainer materialises it; without
+    // this fallback the run-detail page 404s for the brief buffered window
+    // even though the API has accepted the trigger and returned an id.
+    const buffered = await tryMollifiedRunFallback({
+      runFriendlyId: runParam,
+      organizationSlug,
+      projectSlug: projectParam,
+      envSlug: envParam,
+      userId,
+    });
+
+    if (buffered) {
+      // Preselect the root span on the initial page load when the URL
+      // doesn't already carry `?span=`. The sibling redirect routes
+      // (runs.$runParam.ts, @.runs.$runParam.ts,
+      // projects.v3.$projectRef.runs.$runParam.ts) all do this, but
+      // direct navigation to the canonical project-scoped URL never
+      // hit those redirects — leaving the right detail panel collapsed.
+      // Skip on `_data` requests (Remix data fetches): they're
+      // client-driven follow-ups and the client URL is what matters,
+      // not the loader's view of it.
+      if (
+        !url.searchParams.has("span") &&
+        !url.searchParams.has("_data") &&
+        buffered.run.spanId
+      ) {
+        url.searchParams.set("span", buffered.run.spanId);
+        throw redirect(url.pathname + "?" + url.searchParams.toString());
+      }
+
+      const parent = await getResizableSnapshot(request, resizableSettings.parent.autosaveId);
+      const tree = await getResizableSnapshot(request, resizableSettings.tree.autosaveId);
+
+      return json({
+        run: buffered.run,
+        trace: buffered.trace,
+        maximumLiveReloadingSetting: env.MAXIMUM_LIVE_RELOADING_EVENTS,
+        resizable: { parent, tree },
+        runsList: null,
+      });
+    }
+
     throw error;
   }
 
+  // Preselect the root span on the initial page load when the URL
+  // doesn't already carry `?span=`. See the comment on the equivalent
+  // block in the buffered fallback above — the sibling redirect routes
+  // do this, but direct navigation to the canonical project-scoped URL
+  // never hits them, leaving the right detail panel collapsed.
+  if (
+    !url.searchParams.has("span") &&
+    !url.searchParams.has("_data") &&
+    result.run.spanId
+  ) {
+    url.searchParams.set("span", result.run.spanId);
+    throw redirect(url.pathname + "?" + url.searchParams.toString());
+  }
+
   //resizable settings
   const parent = await getResizableSnapshot(request, resizableSettings.parent.autosaveId);
   const tree = await getResizableSnapshot(request, resizableSettings.tree.autosaveId);
@@ -304,6 +382,39 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   });
 };
 
+async function tryMollifiedRunFallback(args: {
+  runFriendlyId: string;
+  organizationSlug: string;
+  projectSlug: string;
+  envSlug: string;
+  userId: string;
+}) {
+  const project = await findProjectBySlug(args.organizationSlug, args.projectSlug, args.userId);
+  if (!project) return null;
+  const environment = await findEnvironmentBySlug(project.id, args.envSlug, args.userId);
+  if (!environment) return null;
+
+  const buffered = await findRunByIdWithMollifierFallback({
+    runId: args.runFriendlyId,
+    environmentId: environment.id,
+    organizationId: project.organizationId,
+  });
+  if (!buffered) return null;
+
+  return {
+    run: buildSyntheticRunHeader({
+      run: buffered,
+      environment: {
+        id: environment.id,
+        organizationId: project.organizationId,
+        type: environment.type,
+        slug: environment.slug,
+      },
+    }),
+    trace: buildSyntheticTraceForBufferedRun(buffered),
+  };
+}
+
 type LoaderData = SerializeFrom<typeof loader>;
 
 export default function Page() {
@@ -406,23 +517,17 @@ export default function Page() {
             />
           </Dialog>
           {run.isFinished ? null : (
-            <Dialog key={`cancel-${run.friendlyId}`}>
-              <DialogTrigger asChild>
-                <Button variant="danger/small" LeadingIcon={StopCircleIcon} shortcut={{ key: "C" }}>
-                  Cancel run…
-                </Button>
-              </DialogTrigger>
-              <CancelRunDialog
-                runFriendlyId={run.friendlyId}
-                redirectPath={v3RunSpanPath(
-                  organization,
-                  project,
-                  environment,
-                  { friendlyId: run.friendlyId },
-                  { spanId: run.spanId }
-                )}
-              />
-            </Dialog>
+            <ControlledCancelRunDialog
+              key={`cancel-${run.friendlyId}`}
+              runFriendlyId={run.friendlyId}
+              redirectPath={v3RunSpanPath(
+                organization,
+                project,
+                environment,
+                { friendlyId: run.friendlyId },
+                { spanId: run.spanId }
+              )}
+            />
           )}
         </PageAccessories>
       </NavBar>
@@ -586,6 +691,35 @@ function TraceView({
   );
 }
 
+// Controlled wrapper around the cancel dialog. Owns the Radix open state
+// so the dialog closes itself once the cancel action transitions through
+// submission. We can't `<DialogClose asChild>`-wrap the submit button
+// because Radix's onClick handler swallows the button's name=value pair
+// that the form action depends on for `redirectUrl`.
+function ControlledCancelRunDialog({
+  runFriendlyId,
+  redirectPath,
+}: {
+  runFriendlyId: string;
+  redirectPath: string;
+}) {
+  const [open, setOpen] = useState(false);
+  return (
+    <Dialog open={open} onOpenChange={setOpen}>
+      <DialogTrigger asChild>
+        <Button variant="danger/small" LeadingIcon={StopCircleIcon} shortcut={{ key: "C" }}>
+          Cancel run…
+        </Button>
+      </DialogTrigger>
+      <CancelRunDialog
+        runFriendlyId={runFriendlyId}
+        redirectPath={redirectPath}
+        onCancelSubmitted={() => setOpen(false)}
+      />
+    </Dialog>
+  );
+}
+
 function NoLogsView({ run, resizable }: Pick<LoaderData, "run" | "resizable">) {
   const plan = useCurrentPlan();
   const organization = useOrganization();
@@ -615,6 +749,11 @@ function NoLogsView({ run, resizable }: Pick<LoaderData, "run" | "resizable">) {
         >
           <div className="grid h-full place-items-center">
             {daysSinceCompleted === undefined ? (
+              // NoLogsView only renders when the loader returns no trace.
+              // Buffered runs always carry a synthetic trace (see
+              // buildSyntheticTraceForBufferedRun) so they never reach
+              // this branch — the message here is the pre-mollifier
+              // copy for runs with no completedAt and no logs.
               <InfoPanel variant="info" icon={InformationCircleIcon} title="We delete old logs">
                 <Paragraph variant="small">
                   We tidy up older logs to keep things running smoothly.
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs._index/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs._index/route.tsx
index ca7e8b7b0c1..25cccaede8e 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs._index/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs._index/route.tsx
@@ -1,7 +1,7 @@
 import { BeakerIcon, BookOpenIcon } from "@heroicons/react/24/solid";
-import { type MetaFunction, useNavigation } from "@remix-run/react";
+import { type MetaFunction, useLocation, useNavigation, useRevalidator } from "@remix-run/react";
 import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
-import { Suspense } from "react";
+import { Suspense, useState } from "react";
 import {
   TypedAwait,
   typeddefer,
@@ -14,11 +14,12 @@ import { DevDisconnectedBanner, useDevPresence } from "~/components/DevPresence"
 import { StepContentContainer } from "~/components/StepContentContainer";
 import { MainCenteredContainer, PageBody } from "~/components/layout/AppLayout";
 import { Badge } from "~/components/primitives/Badge";
-import { LinkButton } from "~/components/primitives/Buttons";
+import { Button, LinkButton } from "~/components/primitives/Buttons";
 import { Header1 } from "~/components/primitives/Headers";
 import { InfoPanel } from "~/components/primitives/InfoPanel";
 import { NavBar, PageAccessories, PageTitle } from "~/components/primitives/PageHeader";
 import { Paragraph } from "~/components/primitives/Paragraph";
+import { PulsingDot } from "~/components/primitives/PulsingDot";
 import {
   RESIZABLE_PANEL_ANIMATION,
   ResizableHandle,
@@ -40,11 +41,12 @@ import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
 import { useSearchParams } from "~/hooks/useSearchParam";
 import { useShortcutKeys } from "~/hooks/useShortcutKeys";
+import { redirectWithErrorMessage } from "~/models/message.server";
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
 import { getRunFiltersFromRequest } from "~/presenters/RunFilters.server";
 import { NextRunListPresenter } from "~/presenters/v3/NextRunListPresenter.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import {
   setRootOnlyFilterPreference,
   uiPreferencesStorage,
@@ -54,14 +56,18 @@ import { cn } from "~/utils/cn";
 import {
   docsPath,
   EnvironmentParamSchema,
-  v3CreateBulkActionPath,
   v3ProjectPath,
   v3TestPath,
   v3TestTaskPath,
 } from "~/utils/pathBuilder";
+import { throwNotFound } from "~/utils/httpErrors";
 import { ListPagination } from "../../components/ListPagination";
 import { CreateBulkActionInspector } from "../resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.bulkaction";
 import { Callout } from "~/components/primitives/Callout";
+import { isRunsListLoading, RUNS_BULK_INSPECTOR_OPEN_VALUE, shouldRevalidateRunsList } from "./shouldRevalidateRunsList";
+import { useRunsLiveReload } from "./useRunsLiveReload";
+
+export { shouldRevalidateRunsList as shouldRevalidate };
 
 export const meta: MetaFunction = () => {
   return [
@@ -77,25 +83,39 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
 
   const project = await findProjectBySlug(organizationSlug, projectParam, userId);
   if (!project) {
-    throw new Error("Project not found");
+    return redirectWithErrorMessage("/", request, "Project not found");
   }
 
   const environment = await findEnvironmentBySlug(project.id, envParam, userId);
   if (!environment) {
-    throw new Error("Environment not found");
+    throwNotFound("Environment not found");
   }
 
   const filters = await getRunFiltersFromRequest(request);
 
-  const presenter = new NextRunListPresenter($replica, clickhouseClient);
+  const clickhouse = await clickhouseFactory.getClickhouseForOrganization(
+    project.organizationId,
+    "standard"
+  );
+  const presenter = new NextRunListPresenter($replica, clickhouse);
   const list = presenter.call(project.organizationId, environment.id, {
     userId,
     projectId: project.id,
     ...filters,
   });
 
-  const session = await setRootOnlyFilterPreference(filters.rootOnly, request);
-  const cookieValue = await uiPreferencesStorage.commitSession(session);
+  // Only persist rootOnly when no tasks are filtered. While a task filter is active,
+  // the toggle's URL value can be a temporary auto-flip (or a user override scoped to
+  // the current task filter), and we don't want either bleeding into the saved
+  // session preference. Clearing the task filter restores the saved preference.
+  const shouldPersistRootOnly = !filters.tasks || filters.tasks.length === 0;
+  const headers = shouldPersistRootOnly
+    ? {
+        "Set-Cookie": await uiPreferencesStorage.commitSession(
+          await setRootOnlyFilterPreference(filters.rootOnly, request)
+        ),
+      }
+    : undefined;
 
   return typeddefer(
     {
@@ -103,11 +123,7 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
       rootOnlyDefault: filters.rootOnly,
       filters,
     },
-    {
-      headers: {
-        "Set-Cookie": cookieValue,
-      },
-    }
+    headers ? { headers } : undefined
   );
 };
 
@@ -194,19 +210,44 @@ function RunsList({
   rootOnlyDefault: boolean;
   filters: TaskRunListSearchFilters;
 }) {
+  const revalidator = useRevalidator();
+  const location = useLocation();
   const navigation = useNavigation();
-  const isLoading = navigation.state !== "idle";
+  const isLoading = isRunsListLoading(navigation, location.search);
   const organization = useOrganization();
   const project = useProject();
   const environment = useEnvironment();
   const { has, replace } = useSearchParams();
+  const { visibleRuns, showNewRunsBanner, newRunsCount, dismissNewRuns, childrenStatusesBasePath } =
+    useRunsLiveReload({
+      runs: list.runs,
+      hasAnyRuns: list.hasAnyRuns,
+      isLoading,
+      organizationSlug: organization.slug,
+      projectSlug: project.slug,
+      environmentSlug: environment.slug,
+    });
+
+  const onClickShowNewRuns = () => {
+    const isPaginated = has("cursor") || has("direction");
+    dismissNewRuns();
+    if (isPaginated) {
+      replace({
+        cursor: undefined,
+        direction: undefined,
+      });
+      return;
+    }
+
+    revalidator.revalidate();
+  };
 
   // Shortcut keys for bulk actions
   useShortcutKeys({
     shortcut: { key: "r" },
     action: (e) => {
       replace({
-        bulkInspector: "true",
+        bulkInspector: RUNS_BULK_INSPECTOR_OPEN_VALUE,
         action: "replay",
         mode: selectedItems.size > 0 ? "selected" : undefined,
       });
@@ -216,7 +257,7 @@ function RunsList({
     shortcut: { key: "c" },
     action: (e) => {
       replace({
-        bulkInspector: "true",
+        bulkInspector: RUNS_BULK_INSPECTOR_OPEN_VALUE,
         action: "cancel",
         mode: selectedItems.size > 0 ? "selected" : undefined,
       });
@@ -224,6 +265,13 @@ function RunsList({
   });
 
   const isShowingBulkActionInspector = has("bulkInspector") && list.hasAnyRuns;
+  const [isBulkInspectorPanelCollapsed, setIsBulkInspectorPanelCollapsed] = useState(
+    !isShowingBulkActionInspector
+  );
+  // Keep content mounted until onCollapseChange reports the panel is fully collapsed.
+  const showBulkInspectorContent =
+    isShowingBulkActionInspector || !isBulkInspectorPanelCollapsed;
+
   return (
     <ResizablePanelGroup orientation="horizontal" className="max-h-full">
       <ResizablePanel id="runs-main" min={"100px"}>
@@ -256,48 +304,67 @@ function RunsList({
                     rootOnlyDefault={rootOnlyDefault}
                   />
                   <div className="flex items-center justify-end gap-x-2">
-                    {!isShowingBulkActionInspector && (
-                      <LinkButton
-                        variant="secondary/small"
-                        to={v3CreateBulkActionPath(
-                          organization,
-                          project,
-                          environment,
-                          filters,
-                          selectedItems.size > 0 ? "selected" : undefined
-                        )}
-                        LeadingIcon={ListCheckedIcon}
-                        className={selectedItems.size > 0 ? "pr-1" : undefined}
-                        tooltip={
-                          <div className="-mr-1 flex items-center gap-3 text-xs text-text-dimmed">
-                            <div className="flex items-center gap-0.5">
-                              <span>Replay</span>
-                              <ShortcutKey shortcut={{ key: "r" }} variant={"small"} />
-                            </div>
-                            <div className="flex items-center gap-0.5">
-                              <span>Cancel</span>
-                              <ShortcutKey shortcut={{ key: "c" }} variant={"small"} />
-                            </div>
-                          </div>
-                        }
-                      >
-                        <span className="flex items-center gap-x-1 whitespace-nowrap text-text-bright">
-                          <span>Bulk action</span>
-                          {selectedItems.size > 0 && (
-                            <Badge variant="rounded">{selectedItems.size}</Badge>
-                          )}
-                        </span>
-                      </LinkButton>
+                    {showNewRunsBanner && (
+                      <span className="flex duration-150 animate-in fade-in-0">
+                        <Button
+                          variant="secondary/small"
+                          className="text-text-bright"
+                          onClick={onClickShowNewRuns}
+                          LeadingIcon={<PulsingDot className="h-2 w-2" />}
+                          tooltip="Refresh to see new runs"
+                          aria-label="New runs created. Refresh to see new runs."
+                        >
+                          {newRunsCount >= 100
+                            ? "99+ new runs"
+                            : `${newRunsCount} new ${newRunsCount === 1 ? "run" : "runs"}`}
+                        </Button>
+                      </span>
                     )}
+                    {/* Stay mounted while the inspector is open to avoid toolbar layout shift. */}
+                    <Button
+                      variant="secondary/small"
+                      disabled={isShowingBulkActionInspector}
+                      onClick={() =>
+                        replace({
+                          bulkInspector: RUNS_BULK_INSPECTOR_OPEN_VALUE,
+                          mode: selectedItems.size > 0 ? "selected" : undefined,
+                        })
+                      }
+                      LeadingIcon={ListCheckedIcon}
+                      className={cn(
+                        selectedItems.size > 0 ? "pr-1" : undefined,
+                        isShowingBulkActionInspector && "pointer-events-none invisible"
+                      )}
+                      tooltip={
+                        <div className="-mr-1 flex items-center gap-3 text-xs text-text-dimmed">
+                          <div className="flex items-center gap-0.5">
+                            <span>Replay</span>
+                            <ShortcutKey shortcut={{ key: "r" }} variant={"small"} />
+                          </div>
+                          <div className="flex items-center gap-0.5">
+                            <span>Cancel</span>
+                            <ShortcutKey shortcut={{ key: "c" }} variant={"small"} />
+                          </div>
+                        </div>
+                      }
+                    >
+                      <span className="flex items-center gap-x-1 whitespace-nowrap text-text-bright">
+                        <span>Bulk action</span>
+                        {selectedItems.size > 0 && (
+                          <Badge variant="rounded">{selectedItems.size}</Badge>
+                        )}
+                      </span>
+                    </Button>
                     <ListPagination list={list} />
                   </div>
                 </div>
 
                 <TaskRunsTable
-                  total={list.runs.length}
+                  total={visibleRuns.length}
                   hasFilters={list.hasFilters}
                   filters={list.filters}
-                  runs={list.runs}
+                  runs={visibleRuns}
+                  childrenStatusesBasePath={childrenStatusesBasePath}
                   isLoading={isLoading}
                   allowSelection
                   rootOnlyDefault={rootOnlyDefault}
@@ -319,12 +386,12 @@ function RunsList({
         className="overflow-hidden"
         collapsible
         collapsed={!isShowingBulkActionInspector}
-        onCollapseChange={() => {}}
+        onCollapseChange={setIsBulkInspectorPanelCollapsed}
         collapsedSize="0px"
         collapseAnimation={RESIZABLE_PANEL_ANIMATION}
       >
         <div className="h-full" style={{ minWidth: 400 }}>
-          {isShowingBulkActionInspector && (
+          {showBulkInspectorContent && (
             <CreateBulkActionInspector
               filters={filters}
               selectedItems={selectedItems}
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs._index/shouldRevalidateRunsList.ts b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs._index/shouldRevalidateRunsList.ts
new file mode 100644
index 00000000000..69e0ce6b637
--- /dev/null
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs._index/shouldRevalidateRunsList.ts
@@ -0,0 +1,75 @@
+import type { Navigation, ShouldRevalidateFunction } from "@remix-run/react";
+
+/** Search params that only control the bulk-action inspector UI, not list data. */
+export const RUNS_BULK_INSPECTOR_UI_SEARCH_PARAMS = ["bulkInspector", "action", "mode"] as const;
+
+/** URL value set on `bulkInspector` when the inspector panel is open (presence flag). */
+export const RUNS_BULK_INSPECTOR_OPEN_VALUE = "show";
+
+/** Returns a copy with bulk-inspector UI params removed. */
+export function stripBulkInspectorUiParams(params: URLSearchParams): URLSearchParams {
+  const stripped = new URLSearchParams(params);
+  for (const key of RUNS_BULK_INSPECTOR_UI_SEARCH_PARAMS) {
+    stripped.delete(key);
+  }
+  return stripped;
+}
+
+/** Canonical string for list-data params (UI keys stripped, entries sorted by key). */
+export function canonicalRunsListDataSearchParams(params: URLSearchParams): string {
+  const stripped = stripBulkInspectorUiParams(params);
+  stripped.sort();
+  return stripped.toString();
+}
+
+export function searchParamsEqualIgnoringBulkInspectorUiState(
+  current: URLSearchParams,
+  next: URLSearchParams
+) {
+  return (
+    canonicalRunsListDataSearchParams(current) === canonicalRunsListDataSearchParams(next)
+  );
+}
+
+/** True when navigation should show the runs table loading state (excludes bulk-inspector UI toggles). */
+export function isRunsListLoading(navigation: Navigation, currentSearch: string): boolean {
+  if (navigation.state === "idle" || !navigation.location) {
+    return false;
+  }
+
+  const currentParams = new URLSearchParams(currentSearch);
+  const nextParams = new URLSearchParams(navigation.location.search);
+
+  if (searchParamsEqualIgnoringBulkInspectorUiState(currentParams, nextParams)) {
+    return false;
+  }
+
+  return true;
+}
+
+/**
+ * Skip runs list loader revalidation when only bulk-inspector UI params change.
+ * Explicit revalidate() (unchanged URL) and filter/pagination changes still revalidate.
+ */
+export const shouldRevalidateRunsList: ShouldRevalidateFunction = ({
+  currentUrl,
+  nextUrl,
+  defaultShouldRevalidate,
+}) => {
+  if (currentUrl.pathname !== nextUrl.pathname) {
+    return defaultShouldRevalidate;
+  }
+
+  const currentParams = new URLSearchParams(currentUrl.search);
+  const nextParams = new URLSearchParams(nextUrl.search);
+
+  if (currentParams.toString() === nextParams.toString()) {
+    return defaultShouldRevalidate;
+  }
+
+  if (searchParamsEqualIgnoringBulkInspectorUiState(currentParams, nextParams)) {
+    return false;
+  }
+
+  return defaultShouldRevalidate;
+};
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs._index/useRunsLiveReload.ts b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs._index/useRunsLiveReload.ts
new file mode 100644
index 00000000000..3ba1c972479
--- /dev/null
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs._index/useRunsLiveReload.ts
@@ -0,0 +1,266 @@
+import { useLocation } from "@remix-run/react";
+import { useCallback, useEffect, useMemo, useRef, useState } from "react";
+import { useTypedFetcher } from "remix-typedjson";
+import { useInterval } from "~/hooks/useInterval";
+import type { NextRunListItem } from "~/presenters/v3/NextRunListPresenter.server";
+import type { loader as liveRunsLoader } from "../resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.live";
+import { stripBulkInspectorUiParams } from "./shouldRevalidateRunsList";
+
+const RUNS_PAGINATION_SEARCH_PARAMS = ["cursor", "direction"] as const;
+const RUNS_POLL_INTERVAL_MS = 3000;
+/** Check for new runs every N poll ticks (~6s at 3s interval). */
+const NEW_RUNS_EVERY_N_POLL_TICKS = 2;
+
+type ListedRun = NextRunListItem;
+type LiveRunFields = Awaited<ReturnType<typeof liveRunsLoader>>["runs"][number];
+type LivePollFetcherData = Awaited<ReturnType<typeof liveRunsLoader>> | undefined;
+
+function hasNewRunsCountFields(
+  data: LivePollFetcherData
+): data is NonNullable<LivePollFetcherData> & { count: number; since: number } {
+  return data !== undefined && "count" in data && "since" in data;
+}
+
+function maxCreatedAtMs(runs: ListedRun[]): number | undefined {
+  if (runs.length === 0) return undefined;
+
+  return runs.reduce<number>((maxTimestamp, run) => {
+    const runTimestamp = new Date(run.createdAt).getTime();
+    return Math.max(maxTimestamp, runTimestamp);
+  }, 0);
+}
+
+function filterParamsWithoutPagination(search: string) {
+  const params = stripBulkInspectorUiParams(new URLSearchParams(search));
+  for (const key of RUNS_PAGINATION_SEARCH_PARAMS) {
+    params.delete(key);
+  }
+  return params;
+}
+
+function getRunsSearchKeyWithoutPagination(search: string) {
+  return filterParamsWithoutPagination(search).toString();
+}
+
+function isNewRunsCheckTick(tick: number) {
+  return tick === 1 || tick % NEW_RUNS_EVERY_N_POLL_TICKS === 0;
+}
+
+function appendNewRunsSearchParams(
+  searchParams: URLSearchParams,
+  { locationSearch, since }: { locationSearch: string; since: number }
+) {
+  const filterParams = filterParamsWithoutPagination(locationSearch);
+  for (const [key, value] of filterParams) {
+    searchParams.append(key, value);
+  }
+  searchParams.set("includeNewRuns", "true");
+  searchParams.set("since", String(since));
+}
+
+function patchVisibleRunsWithLiveUpdates(currentRuns: ListedRun[], liveRuns: LiveRunFields[]) {
+  const updatesById = new Map(liveRuns.map((run) => [run.friendlyId, run]));
+
+  return currentRuns.map((run) => {
+    const update = updatesById.get(run.friendlyId);
+    if (!update) return run;
+
+    return {
+      ...run,
+      status: update.status,
+      updatedAt: update.updatedAt,
+      startedAt: update.startedAt,
+      finishedAt: update.finishedAt,
+      hasFinished: update.hasFinished,
+      isCancellable: update.isCancellable,
+      isPending: update.isPending,
+      usageDurationMs: update.usageDurationMs,
+      costInCents: update.costInCents,
+      baseCostInCents: update.baseCostInCents,
+    };
+  });
+}
+
+function useNewRunsDetection({
+  runs,
+  hasAnyRuns,
+  isLoading,
+}: {
+  runs: ListedRun[];
+  hasAnyRuns: boolean;
+  isLoading: boolean;
+}) {
+  const pollTickRef = useRef(0);
+  const [knownNewestRunMs, setKnownNewestRunMs] = useState(() => maxCreatedAtMs(runs) ?? Date.now());
+  const [newRunsCount, setNewRunsCount] = useState(0);
+
+  const shouldPollForNewRuns = hasAnyRuns && !isLoading && newRunsCount < 100;
+
+  // Re-baseline the cutoff and clear banner/throttle state. The parent calls
+  // this from its single "list context changed" reset path.
+  const resetNewRunsTracking = useCallback(() => {
+    setKnownNewestRunMs(maxCreatedAtMs(runs) ?? Date.now());
+    setNewRunsCount(0);
+    pollTickRef.current = 0;
+  }, [runs]);
+
+  const dismissNewRuns = useCallback(() => {
+    setNewRunsCount(0);
+    setKnownNewestRunMs(Date.now());
+    pollTickRef.current = 0;
+  }, []);
+
+  const checkNewRunsOnTick = useCallback(() => {
+    pollTickRef.current += 1;
+    return shouldPollForNewRuns && isNewRunsCheckTick(pollTickRef.current);
+  }, [shouldPollForNewRuns]);
+
+  const showNewRunsBanner = newRunsCount > 0;
+
+  return {
+    knownNewestRunMs,
+    newRunsCount,
+    setNewRunsCount,
+    shouldPollForNewRuns,
+    showNewRunsBanner,
+    dismissNewRuns,
+    checkNewRunsOnTick,
+    resetNewRunsTracking,
+  };
+}
+
+export function useRunsLiveReload({
+  runs,
+  hasAnyRuns,
+  isLoading,
+  organizationSlug,
+  projectSlug,
+  environmentSlug,
+}: {
+  runs: ListedRun[];
+  hasAnyRuns: boolean;
+  isLoading: boolean;
+  organizationSlug: string;
+  projectSlug: string;
+  environmentSlug: string;
+}) {
+  const location = useLocation();
+  const runsPollFetcher = useTypedFetcher<typeof liveRunsLoader>();
+  const runsPollFetcherStateRef = useRef(runsPollFetcher.state);
+  runsPollFetcherStateRef.current = runsPollFetcher.state;
+
+  const [visibleRuns, setVisibleRuns] = useState(runs);
+
+  const searchKeyWithoutPagination = useMemo(
+    () => getRunsSearchKeyWithoutPagination(location.search),
+    [location.search]
+  );
+
+  const {
+    knownNewestRunMs,
+    newRunsCount,
+    setNewRunsCount,
+    shouldPollForNewRuns,
+    showNewRunsBanner,
+    dismissNewRuns,
+    checkNewRunsOnTick,
+    resetNewRunsTracking,
+  } = useNewRunsDetection({
+    runs,
+    hasAnyRuns,
+    isLoading,
+  });
+
+  // Single reset path: new loader data or changed filters re-baseline both the
+  // visible rows and new-run tracking.
+  useEffect(() => {
+    setVisibleRuns(runs);
+    resetNewRunsTracking();
+  }, [runs, searchKeyWithoutPagination, resetNewRunsTracking]);
+
+  // Patch visible rows from the live response. Keyed to the response alone so a
+  // loader refresh never re-applies a stale poll payload over fresh rows.
+  useEffect(() => {
+    const data = runsPollFetcher.data;
+    if (!data?.runs.length) return;
+
+    setVisibleRuns((currentRuns) => patchVisibleRunsWithLiveUpdates(currentRuns, data.runs));
+  }, [runsPollFetcher.data]);
+
+  // Update new-runs count from the poll response. Re-evaluates when the cutoff
+  // changes, even if the response object itself is unchanged.
+  useEffect(() => {
+    const data = runsPollFetcher.data;
+    if (!hasNewRunsCountFields(data)) return;
+
+    if (data.since === knownNewestRunMs) {
+      setNewRunsCount(data.count);
+    }
+  }, [runsPollFetcher.data, knownNewestRunMs, setNewRunsCount]);
+
+  const activeRunIdsParam = useMemo(
+    () =>
+      visibleRuns
+        .filter((run) => !run.hasFinished)
+        .map((run) => run.friendlyId)
+        .join(","),
+    [visibleRuns]
+  );
+  const hasActiveRuns = activeRunIdsParam.length > 0;
+
+  const runsResourcesBasePath = useMemo(
+    () =>
+      `/resources/orgs/${organizationSlug}/projects/${projectSlug}/env/${environmentSlug}/runs`,
+    [organizationSlug, projectSlug, environmentSlug]
+  );
+
+  const loadRunsPoll = useCallback(
+    (checkForNewRuns: boolean) => {
+      if (runsPollFetcherStateRef.current !== "idle") return;
+
+      if (!hasActiveRuns && !checkForNewRuns) return;
+
+      const searchParams = new URLSearchParams();
+      if (hasActiveRuns) {
+        searchParams.set("runIds", activeRunIdsParam);
+      }
+
+      if (checkForNewRuns) {
+        appendNewRunsSearchParams(searchParams, {
+          locationSearch: location.search,
+          since: knownNewestRunMs,
+        });
+      }
+
+      runsPollFetcher.load(`${runsResourcesBasePath}/live?${searchParams.toString()}`);
+    },
+    [
+      activeRunIdsParam,
+      hasActiveRuns,
+      location.search,
+      knownNewestRunMs,
+      runsPollFetcher,
+      runsResourcesBasePath,
+    ]
+  );
+
+  const shouldPoll = !isLoading && (hasActiveRuns || shouldPollForNewRuns);
+
+  useInterval({
+    interval: RUNS_POLL_INTERVAL_MS,
+    onLoad: true,
+    pauseWhenHidden: true,
+    disabled: !shouldPoll,
+    callback: () => {
+      loadRunsPoll(checkNewRunsOnTick());
+    },
+  });
+
+  return {
+    visibleRuns,
+    showNewRunsBanner,
+    newRunsCount,
+    dismissNewRuns,
+    childrenStatusesBasePath: runsResourcesBasePath,
+  };
+}
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.schedules.$scheduleParam/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.schedules.$scheduleParam/route.tsx
index f4e663b1b7d..a837274222b 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.schedules.$scheduleParam/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.schedules.$scheduleParam/route.tsx
@@ -55,6 +55,7 @@ import {
   v3SchedulePath,
   v3SchedulesPath,
 } from "~/utils/pathBuilder";
+import { throwNotFound } from "~/utils/httpErrors";
 import { DeleteTaskScheduleService } from "~/v3/services/deleteTaskSchedule.server";
 import { SetActiveOnTaskScheduleService } from "~/v3/services/setActiveOnTaskSchedule.server";
 
@@ -84,7 +85,7 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   });
 
   if (!result) {
-    throw new Error("Schedule not found");
+    throwNotFound("Schedule not found");
   }
 
   return typedjson({ schedule: result.schedule });
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.schedules/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.schedules/route.tsx
index 769aa10cd75..b3181eefa36 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.schedules/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.schedules/route.tsx
@@ -151,50 +151,6 @@ export default function Page() {
           >
             Schedules docs
           </LinkButton>
-
-          {limits.used >= limits.limit ? (
-            <Dialog>
-              <DialogTrigger asChild>
-                <Button
-                  LeadingIcon={PlusIcon}
-                  leadingIconClassName="text-background-dimmed"
-                  variant="primary/small"
-                  shortcut={{ key: "n" }}
-                  disabled={possibleTasks.length === 0 || isShowingNewPane}
-                >
-                  New schedule
-                </Button>
-              </DialogTrigger>
-              <DialogContent>
-                <DialogHeader>You've exceeded your limit</DialogHeader>
-                <DialogDescription>
-                  You've used {limits.used}/{limits.limit} of your schedules.
-                </DialogDescription>
-                <DialogFooter>
-                  {canUpgrade ? (
-                    <LinkButton variant="primary/small" to={v3BillingPath(organization)}>
-                      Upgrade
-                    </LinkButton>
-                  ) : (
-                    <Feedback
-                      button={<Button variant="primary/small">Request more</Button>}
-                      defaultValue="help"
-                    />
-                  )}
-                </DialogFooter>
-              </DialogContent>
-            </Dialog>
-          ) : (
-            <LinkButton
-              LeadingIcon={PlusIcon}
-              to={`${v3NewSchedulePath(organization, project, environment)}${location.search}`}
-              variant="primary/small"
-              shortcut={{ key: "n" }}
-              disabled={possibleTasks.length === 0 || isShowingNewPane}
-            >
-              New schedule
-            </LinkButton>
-          )}
         </PageAccessories>
       </NavBar>
       <PageBody scrollable={false}>
@@ -219,6 +175,54 @@ export default function Page() {
                         totalPages={totalPages}
                         showPageNumbers={false}
                       />
+                      {limits.used >= limits.limit ? (
+                        <Dialog>
+                          <DialogTrigger asChild>
+                            <Button
+                              LeadingIcon={PlusIcon}
+                              leadingIconClassName="text-background-dimmed"
+                              variant="primary/small"
+                              shortcut={{ key: "n" }}
+                              disabled={possibleTasks.length === 0 || isShowingNewPane}
+                            >
+                              New schedule
+                            </Button>
+                          </DialogTrigger>
+                          <DialogContent>
+                            <DialogHeader>You've exceeded your limit</DialogHeader>
+                            <DialogDescription>
+                              You've used {limits.used}/{limits.limit} of your schedules.
+                            </DialogDescription>
+                            <DialogFooter>
+                              {canUpgrade ? (
+                                <LinkButton
+                                  variant="primary/small"
+                                  to={v3BillingPath(organization)}
+                                >
+                                  Upgrade
+                                </LinkButton>
+                              ) : (
+                                <Feedback
+                                  button={
+                                    <Button variant="primary/small">Request more</Button>
+                                  }
+                                  defaultValue="help"
+                                />
+                              )}
+                            </DialogFooter>
+                          </DialogContent>
+                        </Dialog>
+                      ) : (
+                        <LinkButton
+                          LeadingIcon={PlusIcon}
+                          to={`${v3NewSchedulePath(organization, project, environment)}${location.search}`}
+                          variant="primary/small"
+                          shortcut={{ key: "n" }}
+                          disabled={possibleTasks.length === 0 || isShowingNewPane}
+                        >
+                          New schedule
+                        </LinkButton>
+                      )}
                     </div>
                   </div>
 
@@ -416,58 +420,59 @@ function SchedulesTable({
             }`;
             const isSelected = scheduleParam === schedule.friendlyId;
             const cellClass = schedule.active ? "" : "opacity-50";
+            const selectedActionClass = isSelected ? "text-text-bright" : undefined;
             return (
               <TableRow key={schedule.id} className={isSelected ? "bg-grid-dimmed" : undefined}>
-                <TableCell to={path} isTabbableCell className={cellClass}>
+                <TableCell to={path} isTabbableCell className={cellClass} actionClassName={selectedActionClass}>
                   {schedule.friendlyId}
                 </TableCell>
-                <TableCell to={path} className={cellClass}>
+                <TableCell to={path} className={cellClass} actionClassName={selectedActionClass}>
                   {schedule.taskIdentifier}
                 </TableCell>
-                <TableCell to={path} className={cellClass}>
+                <TableCell to={path} className={cellClass} actionClassName={selectedActionClass}>
                   <ScheduleTypeCombo type={schedule.type} />
                 </TableCell>
-                <TableCell to={path} className={cellClass}>
+                <TableCell to={path} className={cellClass} actionClassName={selectedActionClass}>
                   {schedule.type === "IMPERATIVE"
                     ? schedule.externalId
                       ? schedule.externalId
                       : "–"
                     : "N/A"}
                 </TableCell>
-                <TableCell to={path} className={cellClass}>
+                <TableCell to={path} className={cellClass} actionClassName={selectedActionClass}>
                   {schedule.cron}
                 </TableCell>
-                <TableCell to={path} className={cellClass}>
+                <TableCell to={path} className={cellClass} actionClassName={selectedActionClass}>
                   {schedule.cronDescription}
                 </TableCell>
-                <TableCell to={path} className={cellClass}>
+                <TableCell to={path} className={cellClass} actionClassName={selectedActionClass}>
                   {schedule.timezone}
                 </TableCell>
-                <TableCell to={path} className={cellClass}>
+                <TableCell to={path} className={cellClass} actionClassName={selectedActionClass}>
                   <DateTime date={schedule.nextRun} timeZone={schedule.timezone} />
                 </TableCell>
-                <TableCell to={path} className={cellClass}>
+                <TableCell to={path} className={cellClass} actionClassName={selectedActionClass}>
                   {schedule.lastRun ? (
                     <DateTime date={schedule.lastRun} timeZone={schedule.timezone} />
                   ) : (
                     "–"
                   )}
                 </TableCell>
-                <TableCell to={path} className={cellClass}>
+                <TableCell to={path} className={cellClass} actionClassName={selectedActionClass}>
                   {schedule.type === "IMPERATIVE"
                     ? schedule.userProvidedDeduplicationKey
                       ? schedule.deduplicationKey
                       : "–"
                     : "N/A"}
                 </TableCell>
-                <TableCell to={path} className={cellClass}>
+                <TableCell to={path} className={cellClass} actionClassName={selectedActionClass}>
                   <div className="flex items-center gap-3">
                     {schedule.environments.map((env) => (
                       <EnvironmentCombo key={env.id} environment={env} className="text-xs" />
                     ))}
                   </div>
                 </TableCell>
-                <TableCell to={path}>
+                <TableCell to={path} actionClassName={selectedActionClass}>
                   {schedule.type === "IMPERATIVE" ? (
                     <EnabledStatus enabled={schedule.active} />
                   ) : (
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.sessions.$sessionParam/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.sessions.$sessionParam/route.tsx
new file mode 100644
index 00000000000..688477281d6
--- /dev/null
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.sessions.$sessionParam/route.tsx
@@ -0,0 +1,542 @@
+import { ArrowsRightLeftIcon, BookOpenIcon, XCircleIcon } from "@heroicons/react/24/solid";
+import { type MetaFunction } from "@remix-run/react";
+import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { typedjson, useTypedLoaderData } from "remix-typedjson";
+import { z } from "zod";
+import { CodeBlock } from "~/components/code/CodeBlock";
+import { PageBody } from "~/components/layout/AppLayout";
+import { Button, LinkButton } from "~/components/primitives/Buttons";
+import { Dialog, DialogTrigger } from "~/components/primitives/Dialog";
+import { CopyableText } from "~/components/primitives/CopyableText";
+import { DateTime } from "~/components/primitives/DateTime";
+import { Header2 } from "~/components/primitives/Headers";
+import { NavBar, PageAccessories, PageTitle } from "~/components/primitives/PageHeader";
+import SegmentedControl from "~/components/primitives/SegmentedControl";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import * as Property from "~/components/primitives/PropertyTable";
+import {
+  ResizableHandle,
+  ResizablePanel,
+  ResizablePanelGroup,
+} from "~/components/primitives/Resizable";
+import { TabButton, TabContainer } from "~/components/primitives/Tabs";
+import { TextLink } from "~/components/primitives/TextLink";
+import { SimpleTooltip } from "~/components/primitives/Tooltip";
+import { AgentView } from "~/components/runs/v3/agent/AgentView";
+import { RealtimeStreamViewer } from "~/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.streams.$streamKey/route";
+import { RunTag } from "~/components/runs/v3/RunTag";
+import {
+  descriptionForTaskRunStatus,
+  TaskRunStatusCombo,
+} from "~/components/runs/v3/TaskRunStatus";
+import { CloseSessionDialog } from "~/components/sessions/v1/CloseSessionDialog";
+import { SessionStatusCombo } from "~/components/sessions/v1/SessionStatus";
+import { $replica } from "~/db.server";
+import { useEnvironment } from "~/hooks/useEnvironment";
+import { useOrganization } from "~/hooks/useOrganizations";
+import { useProject } from "~/hooks/useProject";
+import { useSearchParams } from "~/hooks/useSearchParam";
+import { useHasAdminAccess } from "~/hooks/useUser";
+import { redirectWithErrorMessage } from "~/models/message.server";
+import { findProjectBySlug } from "~/models/project.server";
+import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
+import { SessionPresenter } from "~/presenters/v3/SessionPresenter.server";
+import { type SessionStatus } from "~/services/sessionsRepository/sessionsRepository.server";
+import { requireUserId } from "~/services/session.server";
+import { cn } from "~/utils/cn";
+import {
+  docsPath,
+  EnvironmentParamSchema,
+  v3RunPath,
+  v3RunsPath,
+  v3SessionsPath,
+} from "~/utils/pathBuilder";
+import { throwNotFound } from "~/utils/httpErrors";
+
+const ParamsSchema = EnvironmentParamSchema.extend({
+  sessionParam: z.string(),
+});
+
+export const meta: MetaFunction = () => {
+  return [{ title: `Session | Trigger.dev` }];
+};
+
+export const loader = async ({ request, params }: LoaderFunctionArgs) => {
+  const userId = await requireUserId(request);
+  const { projectParam, organizationSlug, envParam, sessionParam } = ParamsSchema.parse(params);
+
+  const project = await findProjectBySlug(organizationSlug, projectParam, userId);
+  if (!project) {
+    return redirectWithErrorMessage("/", request, "Project not found");
+  }
+
+  const environment = await findEnvironmentBySlug(project.id, envParam, userId);
+  if (!environment) {
+    throwNotFound("Environment not found");
+  }
+
+  const presenter = new SessionPresenter($replica);
+  const session = await presenter.call({
+    userId,
+    environmentId: environment.id,
+    sessionParam,
+    projectExternalRef: project.externalRef,
+    environmentSlug: environment.slug,
+  });
+
+  if (!session) {
+    throw new Response("Session not found", { status: 404 });
+  }
+
+  return typedjson({ session });
+};
+
+export default function Page() {
+  const { session } = useTypedLoaderData<typeof loader>();
+  const organization = useOrganization();
+  const project = useProject();
+  const environment = useEnvironment();
+
+  const status: SessionStatus =
+    session.closedAt != null
+      ? "CLOSED"
+      : session.expiresAt != null && new Date(session.expiresAt).getTime() < Date.now()
+        ? "EXPIRED"
+        : "ACTIVE";
+
+  const displayId = session.externalId ?? session.friendlyId;
+  const sessionsPath = v3SessionsPath(organization, project, environment);
+
+  return (
+    <>
+      <NavBar>
+        <PageTitle
+          backButton={{ to: sessionsPath, text: "Sessions" }}
+          title={
+            <CopyableText
+              value={displayId}
+              variant="text-below"
+              className="-ml-[0.4375rem] h-6 px-1.5 font-mono text-xs hover:text-text-bright"
+            />
+          }
+        />
+        <PageAccessories>
+          <LinkButton
+            variant={"docs/small"}
+            LeadingIcon={BookOpenIcon}
+            to={docsPath("/ai-chat/overview")}
+          >
+            Sessions docs
+          </LinkButton>
+          {status === "ACTIVE" && (
+            <Dialog key={`close-${session.friendlyId}`}>
+              <DialogTrigger asChild>
+                <Button variant="danger/small" LeadingIcon={XCircleIcon}>
+                  Close session…
+                </Button>
+              </DialogTrigger>
+              <CloseSessionDialog
+                sessionParam={session.friendlyId}
+                environmentId={environment.id}
+                redirectPath={`${sessionsPath}/${session.friendlyId}`}
+              />
+            </Dialog>
+          )}
+        </PageAccessories>
+      </NavBar>
+      <PageBody scrollable={false}>
+        <ResizablePanelGroup orientation="horizontal" className="max-h-full">
+          <ResizablePanel id="session-conversation" min={"300px"}>
+            <ConversationPane session={session} />
+          </ResizablePanel>
+          <ResizableHandle id="session-handle" />
+          <ResizablePanel
+            id="session-inspector"
+            min="380px"
+            default="420px"
+            className="overflow-hidden"
+          >
+            <InspectorPane session={session} status={status} />
+          </ResizablePanel>
+        </ResizablePanelGroup>
+      </PageBody>
+    </>
+  );
+}
+
+type LoadedSession = ReturnType<typeof useTypedLoaderData<typeof loader>>["session"];
+
+function ConversationPane({ session }: { session: LoadedSession }) {
+  const organization = useOrganization();
+  const project = useProject();
+  const environment = useEnvironment();
+  const { value, replace } = useSearchParams();
+  const isRaw = value("raw") === "1";
+  const stream: "out" | "in" = value("stream") === "in" ? "in" : "out";
+
+  const sessionId = session.agentView.sessionId;
+  const encodedSession = encodeURIComponent(sessionId);
+  const sessionResourceBase = `/resources/orgs/${organization.slug}/projects/${project.slug}/env/${environment.slug}/sessions/${encodedSession}/realtime/v1`;
+
+  return (
+    <div className="grid h-full max-h-full grid-rows-[2.5rem_1fr] overflow-hidden bg-background-bright">
+      <div className="flex items-center justify-between gap-2 overflow-x-hidden border-b border-grid-bright px-3">
+        <div className="flex items-center gap-2 overflow-x-hidden">
+          <ArrowsRightLeftIcon className="size-4 text-teal-500" />
+          <Header2 className={cn("overflow-x-hidden text-text-bright")}>
+            <span className="truncate">Conversation</span>
+          </Header2>
+        </div>
+        <SegmentedControl
+          name="conversation-view"
+          value={isRaw ? "raw" : "rendered"}
+          variant="secondary/small"
+          options={[
+            { label: "Rendered", value: "rendered" },
+            { label: "Raw", value: "raw" },
+          ]}
+          onChange={(v) => replace({ raw: v === "raw" ? "1" : undefined })}
+        />
+      </div>
+      {isRaw ? (
+        <div className="overflow-hidden">
+          <RealtimeStreamViewer
+            key={stream}
+            resourcePath={`${sessionResourceBase}/${stream}`}
+            displayName={`.${stream}`}
+            headerLeft={
+              <TabContainer>
+                <TabButton
+                  isActive={stream === "out"}
+                  layoutId="conversation-stream"
+                  onClick={() => replace({ stream: undefined })}
+                >
+                  Output
+                </TabButton>
+                <TabButton
+                  isActive={stream === "in"}
+                  layoutId="conversation-stream"
+                  onClick={() => replace({ stream: "in" })}
+                >
+                  Input
+                </TabButton>
+              </TabContainer>
+            }
+          />
+        </div>
+      ) : (
+        <div className="min-w-0 overflow-x-hidden overflow-y-auto px-3 scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600">
+          <AgentView agentView={session.agentView} />
+        </div>
+      )}
+    </div>
+  );
+}
+
+function InspectorPane({
+  session,
+  status,
+}: {
+  session: LoadedSession;
+  status: SessionStatus;
+}) {
+  const { value, replace } = useSearchParams();
+  const tab = value("tab") ?? "overview";
+  const organization = useOrganization();
+  const project = useProject();
+  const environment = useEnvironment();
+
+  const displayId = session.externalId ?? session.friendlyId;
+  const allRunsPath = v3RunsPath(organization, project, environment, {
+    tags: [`chat:${displayId}`],
+  });
+
+  return (
+    <div className="grid h-full max-h-full grid-rows-[2.5rem_2rem_1fr] overflow-hidden bg-background-bright">
+      <div className="flex items-center justify-between gap-2 overflow-x-hidden px-3">
+        <div className="flex items-center gap-2 overflow-x-hidden">
+          <SessionStatusCombo status={status} />
+          <span className="truncate font-mono text-xs text-text-dimmed">
+            {session.friendlyId}
+          </span>
+        </div>
+      </div>
+      <div className="h-fit overflow-x-auto px-3 scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600">
+        <TabContainer>
+          <TabButton
+            isActive={tab === "overview"}
+            layoutId="session-inspector"
+            onClick={() => replace({ tab: "overview" })}
+            shortcut={{ key: "o" }}
+          >
+            Overview
+          </TabButton>
+          <TabButton
+            isActive={tab === "runs"}
+            layoutId="session-inspector"
+            onClick={() => replace({ tab: "runs" })}
+            shortcut={{ key: "r" }}
+          >
+            Runs
+          </TabButton>
+          <TabButton
+            isActive={tab === "metadata"}
+            layoutId="session-inspector"
+            onClick={() => replace({ tab: "metadata" })}
+            shortcut={{ key: "m" }}
+          >
+            Metadata
+          </TabButton>
+        </TabContainer>
+      </div>
+      <div className="overflow-y-auto px-3 py-3 scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600">
+        {tab === "overview" ? (
+          <OverviewTab session={session} status={status} />
+        ) : tab === "runs" ? (
+          <RunsTab session={session} allRunsPath={allRunsPath} />
+        ) : (
+          <MetadataTab session={session} />
+        )}
+      </div>
+    </div>
+  );
+}
+
+function OverviewTab({
+  session,
+  status,
+}: {
+  session: LoadedSession;
+  status: SessionStatus;
+}) {
+  const organization = useOrganization();
+  const project = useProject();
+  const environment = useEnvironment();
+  const isAdmin = useHasAdminAccess();
+
+  return (
+    <div className="flex flex-col gap-4">
+      <Property.Table>
+        <Property.Item>
+          <Property.Label>Status</Property.Label>
+          <Property.Value>
+            <SessionStatusCombo status={status} />
+          </Property.Value>
+        </Property.Item>
+        <Property.Item>
+          <Property.Label>Friendly ID</Property.Label>
+          <Property.Value>
+            <CopyableText value={session.friendlyId} className="font-mono text-xs" />
+          </Property.Value>
+        </Property.Item>
+        {session.externalId ? (
+          <Property.Item>
+            <Property.Label>External ID</Property.Label>
+            <Property.Value>
+              <CopyableText value={session.externalId} className="font-mono text-xs" />
+            </Property.Value>
+          </Property.Item>
+        ) : null}
+        <Property.Item>
+          <Property.Label>Type</Property.Label>
+          <Property.Value>
+            <span className="font-mono text-xs">{session.type}</span>
+          </Property.Value>
+        </Property.Item>
+        <Property.Item>
+          <Property.Label>Task</Property.Label>
+          <Property.Value>
+            <span className="font-mono text-xs">{session.taskIdentifier}</span>
+          </Property.Value>
+        </Property.Item>
+        {session.currentRun ? (
+          <Property.Item>
+            <Property.Label>Current run</Property.Label>
+            <Property.Value>
+              <TextLink
+                to={v3RunPath(organization, project, environment, {
+                  friendlyId: session.currentRun.friendlyId,
+                })}
+              >
+                <span className="flex items-center gap-2">
+                  <span className="font-mono text-xs">{session.currentRun.friendlyId}</span>
+                  <SimpleTooltip
+                    button={<TaskRunStatusCombo status={session.currentRun.status} />}
+                    content={descriptionForTaskRunStatus(session.currentRun.status)}
+                    disableHoverableContent
+                  />
+                </span>
+              </TextLink>
+            </Property.Value>
+          </Property.Item>
+        ) : null}
+        <Property.Item>
+          <Property.Label>Tags</Property.Label>
+          <Property.Value>
+            {session.tags.length > 0 ? (
+              <div className="flex flex-wrap gap-1">
+                {session.tags.map((tag) => (
+                  <RunTag key={tag} tag={tag} />
+                ))}
+              </div>
+            ) : (
+              <span className="text-text-dimmed">–</span>
+            )}
+          </Property.Value>
+        </Property.Item>
+        <Property.Item>
+          <Property.Label>Created</Property.Label>
+          <Property.Value>
+            <DateTime date={session.createdAt} />
+          </Property.Value>
+        </Property.Item>
+        <Property.Item>
+          <Property.Label>Updated</Property.Label>
+          <Property.Value>
+            <DateTime date={session.updatedAt} />
+          </Property.Value>
+        </Property.Item>
+        {session.expiresAt ? (
+          <Property.Item>
+            <Property.Label>
+              {new Date(session.expiresAt).getTime() < Date.now() ? "Expired" : "Expires"}
+            </Property.Label>
+            <Property.Value>
+              <DateTime date={session.expiresAt} />
+            </Property.Value>
+          </Property.Item>
+        ) : null}
+        {session.closedAt ? (
+          <Property.Item>
+            <Property.Label>Closed</Property.Label>
+            <Property.Value>
+              <DateTime date={session.closedAt} />
+            </Property.Value>
+          </Property.Item>
+        ) : null}
+        {session.closedReason ? (
+          <Property.Item>
+            <Property.Label>Close reason</Property.Label>
+            <Property.Value>
+              <span className="text-xs">{session.closedReason}</span>
+            </Property.Value>
+          </Property.Item>
+        ) : null}
+      </Property.Table>
+      <CodeBlock
+        code={JSON.stringify(session.triggerConfig, null, 2)}
+        language="json"
+        rowTitle="Trigger config"
+        maxLines={20}
+        showLineNumbers={false}
+        showTextWrapping
+      />
+      {isAdmin && (
+        <div className="border-t border-yellow-500/50 pt-2">
+          <Paragraph spacing variant="small" className="text-yellow-500">
+            Admin only
+          </Paragraph>
+          <Property.Table>
+            <Property.Item>
+              <Property.Label>Session ID</Property.Label>
+              <Property.Value>
+                <span className="font-mono text-xs">{session.id}</span>
+              </Property.Value>
+            </Property.Item>
+            <Property.Item>
+              <Property.Label>Stream basin</Property.Label>
+              <Property.Value>
+                <span className="font-mono text-xs">
+                  {session.streamBasinName ?? "(global)"}
+                </span>
+              </Property.Value>
+            </Property.Item>
+          </Property.Table>
+        </div>
+      )}
+    </div>
+  );
+}
+
+function MetadataTab({ session }: { session: LoadedSession }) {
+  if (session.metadata == null) {
+    return (
+      <Paragraph variant="small/dimmed">No metadata.</Paragraph>
+    );
+  }
+  const json = JSON.stringify(session.metadata, null, 2);
+  return (
+    <CodeBlock code={json} language="json" showLineNumbers={false} showTextWrapping />
+  );
+}
+
+function RunsTab({
+  session,
+  allRunsPath,
+}: {
+  session: LoadedSession;
+  allRunsPath: string;
+}) {
+  const organization = useOrganization();
+  const project = useProject();
+  const environment = useEnvironment();
+
+  if (session.runs.length === 0) {
+    return <Paragraph variant="small/dimmed">No runs yet.</Paragraph>;
+  }
+
+  return (
+    <div className="flex flex-col gap-3">
+      <Property.Table>
+        {session.runs.map((entry) => {
+          const runPath = entry.run
+            ? v3RunPath(organization, project, environment, {
+                friendlyId: entry.run.friendlyId,
+              })
+            : undefined;
+          return (
+            <Property.Item key={entry.id}>
+              <Property.Label>
+                <div className="flex flex-col gap-0.5">
+                  <span className="capitalize">{entry.reason}</span>
+                  <span className="text-xs text-text-dimmed">
+                    <DateTime date={entry.triggeredAt} />
+                  </span>
+                </div>
+              </Property.Label>
+              <Property.Value>
+                {entry.run && runPath ? (
+                  <SimpleTooltip
+                    button={
+                      <TextLink
+                        to={runPath}
+                        className="group flex flex-wrap items-center gap-x-2 gap-y-0"
+                      >
+                        <CopyableText
+                          value={entry.run.friendlyId}
+                          copyValue={entry.run.friendlyId}
+                          asChild
+                        />
+                        <TaskRunStatusCombo status={entry.run.status} />
+                      </TextLink>
+                    }
+                    content={`Jump to run`}
+                    disableHoverableContent
+                  />
+                ) : (
+                  <span className="text-text-dimmed">–</span>
+                )}
+              </Property.Value>
+            </Property.Item>
+          );
+        })}
+      </Property.Table>
+      <div className="flex justify-end">
+        <LinkButton variant="tertiary/small" to={allRunsPath}>
+          View all runs
+        </LinkButton>
+      </div>
+    </div>
+  );
+}
+
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.sessions._index/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.sessions._index/route.tsx
new file mode 100644
index 00000000000..510cb880468
--- /dev/null
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.sessions._index/route.tsx
@@ -0,0 +1,112 @@
+import { BookOpenIcon } from "@heroicons/react/24/solid";
+import { type MetaFunction } from "@remix-run/react";
+import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { typedjson, useTypedLoaderData } from "remix-typedjson";
+import { ListPagination } from "~/components/ListPagination";
+import { AdminDebugTooltip } from "~/components/admin/debugTooltip";
+import { MainCenteredContainer, PageBody } from "~/components/layout/AppLayout";
+import { LinkButton } from "~/components/primitives/Buttons";
+import { NavBar, PageAccessories, PageTitle } from "~/components/primitives/PageHeader";
+import { SessionFilters } from "~/components/sessions/v1/SessionFilters";
+import { SessionsTable } from "~/components/sessions/v1/SessionsTable";
+import { SessionsNone } from "~/components/BlankStatePanels";
+import { $replica } from "~/db.server";
+import { redirectWithErrorMessage } from "~/models/message.server";
+import { findProjectBySlug } from "~/models/project.server";
+import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
+import { getSessionFiltersFromRequest } from "~/presenters/SessionFilters.server";
+import { SessionListPresenter } from "~/presenters/v3/SessionListPresenter.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
+import { requireUserId } from "~/services/session.server";
+import { docsPath, EnvironmentParamSchema } from "~/utils/pathBuilder";
+import { throwNotFound } from "~/utils/httpErrors";
+
+export const meta: MetaFunction = () => {
+  return [
+    {
+      title: `Sessions | Trigger.dev`,
+    },
+  ];
+};
+
+export const loader = async ({ request, params }: LoaderFunctionArgs) => {
+  const userId = await requireUserId(request);
+  const { projectParam, organizationSlug, envParam } = EnvironmentParamSchema.parse(params);
+
+  const project = await findProjectBySlug(organizationSlug, projectParam, userId);
+  if (!project) {
+    return redirectWithErrorMessage("/", request, "Project not found");
+  }
+
+  const environment = await findEnvironmentBySlug(project.id, envParam, userId);
+  if (!environment) {
+    throwNotFound("Environment not found");
+  }
+
+  const filters = getSessionFiltersFromRequest(request);
+
+  const clickhouse = await clickhouseFactory.getClickhouseForOrganization(
+    project.organizationId,
+    "standard"
+  );
+  const presenter = new SessionListPresenter($replica, clickhouse);
+  const list = await presenter.call(project.organizationId, environment.id, {
+    userId,
+    projectId: project.id,
+    statuses: filters.statuses,
+    types: filters.types,
+    taskIdentifiers: filters.taskIdentifiers,
+    externalId: filters.externalId,
+    tags: filters.tags,
+    period: filters.period,
+    from: filters.from,
+    to: filters.to,
+    cursor: filters.cursor,
+    direction: filters.direction,
+  });
+
+  return typedjson(list);
+};
+
+export default function Page() {
+  const list = useTypedLoaderData<typeof loader>();
+
+  return (
+    <>
+      <NavBar>
+        <PageTitle title="Sessions" />
+        <PageAccessories>
+          <AdminDebugTooltip />
+          <LinkButton
+            variant={"docs/small"}
+            LeadingIcon={BookOpenIcon}
+            to={docsPath("/ai-chat/overview")}
+          >
+            Sessions docs
+          </LinkButton>
+        </PageAccessories>
+      </NavBar>
+      <PageBody scrollable={false}>
+        {!list.hasAnySessions ? (
+          <MainCenteredContainer className="max-w-md">
+            <SessionsNone />
+          </MainCenteredContainer>
+        ) : (
+          <div className="grid h-full max-h-full grid-rows-[auto_1fr] overflow-hidden">
+            <div className="flex items-start justify-between gap-x-2 p-2">
+              <SessionFilters hasFilters={list.hasFilters} />
+              <div className="flex items-center justify-end gap-x-2">
+                <ListPagination list={{ pagination: list.pagination }} />
+              </div>
+            </div>
+            <SessionsTable
+              sessions={list.sessions}
+              filters={list.filters}
+              hasFilters={list.hasFilters}
+            />
+          </div>
+        )}
+      </PageBody>
+    </>
+  );
+}
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.sessions/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.sessions/route.tsx
new file mode 100644
index 00000000000..f6723ddebaa
--- /dev/null
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.sessions/route.tsx
@@ -0,0 +1,10 @@
+import { Outlet } from "@remix-run/react";
+import { PageContainer } from "~/components/layout/AppLayout";
+
+export default function Page() {
+  return (
+    <PageContainer>
+      <Outlet />
+    </PageContainer>
+  );
+}
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.tasks.$taskParam/AIPayloadTabContent.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.tasks.$taskParam/AIPayloadTabContent.tsx
index 3d9302356cc..6fc50a41280 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.tasks.$taskParam/AIPayloadTabContent.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.tasks.$taskParam/AIPayloadTabContent.tsx
@@ -1,8 +1,9 @@
 import { CheckIcon, XMarkIcon } from "@heroicons/react/20/solid";
 import { AnimatePresence, motion } from "framer-motion";
-import { Suspense, lazy, useCallback, useEffect, useRef, useState } from "react";
+import { Suspense, useCallback, useEffect, useRef, useState } from "react";
 import { SparkleListIcon } from "~/assets/icons/SparkleListIcon";
 import { Button } from "~/components/primitives/Buttons";
+import { StreamdownRenderer } from "~/components/code/StreamdownRenderer";
 import { Header3 } from "~/components/primitives/Headers";
 import { Paragraph } from "~/components/primitives/Paragraph";
 import { Spinner } from "~/components/primitives/Spinner";
@@ -11,16 +12,6 @@ import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
 import { cn } from "~/utils/cn";
 
-const StreamdownRenderer = lazy(() =>
-  import("streamdown").then((mod) => ({
-    default: ({ children, isAnimating }: { children: string; isAnimating: boolean }) => (
-      <mod.ShikiThemeContext.Provider value={["one-dark-pro", "one-dark-pro"]}>
-        <mod.Streamdown isAnimating={isAnimating}>{children}</mod.Streamdown>
-      </mod.ShikiThemeContext.Provider>
-    ),
-  }))
-);
-
 type StreamEventType =
   | { type: "thinking"; content: string }
   | { type: "result"; success: true; payload: string }
@@ -31,11 +22,19 @@ export function AIPayloadTabContent({
   payloadSchema,
   taskIdentifier,
   getCurrentPayload,
+  generateButtonLabel = "Generate payload",
+  placeholder,
+  examplePromptsOverride,
+  isAgent = false,
 }: {
   onPayloadGenerated: (payload: string) => void;
   payloadSchema?: unknown;
   taskIdentifier: string;
   getCurrentPayload?: () => string;
+  generateButtonLabel?: string;
+  placeholder?: string;
+  examplePromptsOverride?: string[];
+  isAgent?: boolean;
 }) {
   const [prompt, setPrompt] = useState("");
   const [isLoading, setIsLoading] = useState(false);
@@ -73,6 +72,7 @@ export function AIPayloadTabContent({
         const formData = new FormData();
         formData.append("prompt", queryPrompt);
         formData.append("taskIdentifier", taskIdentifier);
+        formData.append("isAgent", isAgent ? "true" : "false");
         if (payloadSchema) {
           formData.append("payloadSchema", JSON.stringify(payloadSchema));
         }
@@ -144,7 +144,7 @@ export function AIPayloadTabContent({
         setIsLoading(false);
       }
     },
-    [resourcePath, taskIdentifier, payloadSchema, getCurrentPayload]
+    [resourcePath, taskIdentifier, payloadSchema, getCurrentPayload, isAgent]
   );
 
   const processStreamEvent = useCallback(
@@ -191,7 +191,7 @@ export function AIPayloadTabContent({
     }
   }, [error]);
 
-  const examplePrompts = payloadSchema
+  const examplePrompts = examplePromptsOverride ?? (payloadSchema
     ? [
         "Generate a valid payload",
         "Generate a payload with edge cases",
@@ -201,7 +201,7 @@ export function AIPayloadTabContent({
         "Generate a simple JSON payload",
         "Generate a payload with nested objects",
         "Generate a payload with an array of items",
-      ];
+      ]);
 
   return (
     <div className="space-y-2">
@@ -215,9 +215,9 @@ export function AIPayloadTabContent({
               ref={textareaRef}
               name="prompt"
               placeholder={
-                payloadSchema
+                placeholder ?? (payloadSchema
                   ? "e.g. generate a payload for a new user signup"
-                  : "e.g. generate a JSON payload with name, email, and age fields"
+                  : "e.g. generate a JSON payload with name, email, and age fields")
               }
               value={prompt}
               onChange={(e) => setPrompt(e.target.value)}
@@ -251,7 +251,7 @@ export function AIPayloadTabContent({
                   className={cn(!prompt.trim() && "opacity-50")}
                   onClick={() => handleSubmit()}
                 >
-                  Generate payload
+                  {generateButtonLabel}
                 </Button>
               )}
             </div>
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.tasks.$taskParam/SchemaTabContent.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.tasks.$taskParam/SchemaTabContent.tsx
index b7a43a75028..a5e6a39076c 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.tasks.$taskParam/SchemaTabContent.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.tasks.$taskParam/SchemaTabContent.tsx
@@ -9,18 +9,34 @@ import { docsPath } from "~/utils/pathBuilder";
 export function SchemaTabContent({
   schema,
   inferredSchema,
+  title = "Payload schema",
+  description,
+  showDocsLink = true,
 }: {
   schema?: unknown;
   inferredSchema?: unknown;
+  title?: string;
+  description?: string;
+  showDocsLink?: boolean;
 }) {
   if (schema) {
     return (
       <div className="space-y-2">
-        <Header3 className="text-text-bright">Payload schema</Header3>
-        <Paragraph variant="extra-small" className="text-text-dimmed">
-          JSON Schema defined by this task via{" "}
-          <TextLink to={docsPath("tasks/schemaTask")}>schemaTask</TextLink>.
-        </Paragraph>
+        <Header3 className="text-text-bright">{title}</Header3>
+        {showDocsLink ? (
+          <Paragraph variant="extra-small" className="text-text-dimmed">
+            {description ?? (
+              <>
+                JSON Schema defined by this task via{" "}
+                <TextLink to={docsPath("tasks/schemaTask")}>schemaTask</TextLink>.
+              </>
+            )}
+          </Paragraph>
+        ) : description ? (
+          <Paragraph variant="extra-small" className="text-text-dimmed">
+            {description}
+          </Paragraph>
+        ) : null}
         <CodeBlock
           code={JSON.stringify(schema, null, 2)}
           language="json"
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.tasks.$taskParam/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.tasks.$taskParam/route.tsx
index ee69419e1b7..a611ffbcf89 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.tasks.$taskParam/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.tasks.$taskParam/route.tsx
@@ -74,7 +74,7 @@ import { Dialog, DialogContent, DialogHeader, DialogTrigger } from "~/components
 import { DialogClose, DialogDescription } from "@radix-ui/react-dialog";
 import { FormButtons } from "~/components/primitives/FormButtons";
 import { $replica } from "~/db.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { RegionsPresenter, type Region } from "~/presenters/v3/RegionsPresenter.server";
 import { TestSidebarTabs } from "./TestSidebarTabs";
 import { AIPayloadTabContent } from "./AIPayloadTabContent";
@@ -102,8 +102,13 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     });
   }
 
-  const presenter = new TestTaskPresenter($replica, clickhouseClient);
   try {
+    const clickhouse = await clickhouseFactory.getClickhouseForOrganization(
+      project.organizationId,
+      "standard"
+    );
+    const presenter = new TestTaskPresenter($replica, clickhouse);
+
     const [result, regionsResult] = await Promise.all([
       presenter.call({
         userId: user.id,
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test/route.tsx
index 9bd9443e95a..ea802850c35 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test/route.tsx
@@ -138,8 +138,9 @@ function TaskSelector({
       <div className="p-2">
         <Input
           placeholder="Search tasks"
-          variant="small"
+          variant="secondary-small"
           icon={MagnifyingGlassIcon}
+          iconClassName="text-text-bright"
           fullWidth={true}
           value={filterText}
           autoFocus
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.waitpoints.tokens/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.waitpoints.tokens/route.tsx
index 782f3b132ff..54102b86b54 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.waitpoints.tokens/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.waitpoints.tokens/route.tsx
@@ -234,11 +234,6 @@ export default function Page() {
                     </TableBody>
                   </Table>
 
-                  {(pagination.next || pagination.previous) && (
-                    <div className="flex justify-end border-t border-grid-dimmed px-2 py-3">
-                      <ListPagination list={{ pagination }} />
-                    </div>
-                  )}
                 </div>
               </div>
             </ResizablePanel>
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam/route.tsx
index df9ee24be90..98b8c442218 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam/route.tsx
@@ -5,6 +5,7 @@ import { redirectWithErrorMessage } from "~/models/message.server";
 import { updateCurrentProjectEnvironmentId } from "~/services/dashboardPreferences.server";
 import { logger } from "~/services/logger.server";
 import { requireUser } from "~/services/session.server";
+import { tenantContext } from "~/services/tenantContext.server";
 import { EnvironmentParamSchema, v3ProjectPath } from "~/utils/pathBuilder";
 
 export const loader = async ({ request, params }: LoaderFunctionArgs) => {
@@ -26,6 +27,8 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     },
     select: {
       id: true,
+      externalRef: true,
+      organization: { select: { id: true } },
       environments: {
         select: {
           id: true,
@@ -52,6 +55,7 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   }
 
   let environmentId: string | undefined = undefined;
+  let environmentType: "DEVELOPMENT" | "PREVIEW" | "STAGING" | "PRODUCTION" | undefined;
 
   if (environments.length > 1) {
     const bestEnvironment = environments.find((env) => env.orgMember?.userId === user.id);
@@ -63,10 +67,21 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     }
 
     environmentId = bestEnvironment.id;
+    environmentType = bestEnvironment.type;
   } else {
     environmentId = environments[0].id;
+    environmentType = environments[0].type;
   }
 
+  // userId is enriched higher up in `_app/route.tsx`; only stamp tenant fields here.
+  tenantContext.enrich({
+    orgId: project.organization.id,
+    projectId: project.id,
+    projectRef: project.externalRef,
+    envId: environmentId,
+    envType: environmentType,
+  });
+
   await updateCurrentProjectEnvironmentId({ user: user, projectId: project.id, environmentId });
 
   return project;
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.private-connections._index/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.private-connections._index/route.tsx
index 7c82333ccc0..a62929a0619 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.private-connections._index/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.private-connections._index/route.tsx
@@ -18,6 +18,7 @@ import { logger } from "~/services/logger.server";
 import { getPrivateLinks } from "~/services/platform.v3.server";
 import { requireUserId } from "~/services/session.server";
 import {
+  docsPath,
   OrganizationParamsSchema,
   organizationPath,
   v3PrivateConnectionsPath,
@@ -29,6 +30,7 @@ import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
 import { deletePrivateLink } from "~/services/platform.v3.server";
 import { redirectWithErrorMessage, redirectWithSuccessMessage } from "~/models/message.server";
 import {
+  BookOpenIcon,
   ClipboardDocumentIcon,
   PlusIcon,
   TrashIcon,
@@ -182,6 +184,13 @@ export default function Page() {
       <NavBar>
         <PageTitle title="Private Connections" />
         <PageAccessories>
+          <LinkButton
+            variant="docs/small"
+            LeadingIcon={BookOpenIcon}
+            to={docsPath("private-networking/overview")}
+          >
+            Private connection docs
+          </LinkButton>
           {hasPrivateNetworking && canAdd && (
             <LinkButton variant="primary/small" LeadingIcon={PlusIcon} to="new">
               Add Connection
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.private-connections.new/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.private-connections.new/route.tsx
index 649419b9c65..142d2796172 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.private-connections.new/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.private-connections.new/route.tsx
@@ -12,6 +12,7 @@ import {
   PageContainer,
 } from "~/components/layout/AppLayout";
 import { Button, LinkButton } from "~/components/primitives/Buttons";
+import { ClipboardField } from "~/components/primitives/ClipboardField";
 import { Fieldset } from "~/components/primitives/Fieldset";
 import { FormButtons } from "~/components/primitives/FormButtons";
 import { FormError } from "~/components/primitives/FormError";
@@ -19,7 +20,7 @@ import { Header2, Header3 } from "~/components/primitives/Headers";
 import { Input } from "~/components/primitives/Input";
 import { InputGroup } from "~/components/primitives/InputGroup";
 import { Label } from "~/components/primitives/Label";
-import { NavBar, PageTitle } from "~/components/primitives/PageHeader";
+import { NavBar, PageAccessories, PageTitle } from "~/components/primitives/PageHeader";
 import { Paragraph } from "~/components/primitives/Paragraph";
 import { Select, SelectItem } from "~/components/primitives/Select";
 import { prisma } from "~/db.server";
@@ -36,11 +37,14 @@ import {
 } from "~/services/platform.v3.server";
 import { requireUserId } from "~/services/session.server";
 import {
+  docsPath,
   OrganizationParamsSchema,
   organizationPath,
   v3PrivateConnectionsPath,
 } from "~/utils/pathBuilder";
 import {
+  ArrowTopRightOnSquareIcon,
+  BookOpenIcon,
   CommandLineIcon,
   DocumentTextIcon,
   PencilSquareIcon,
@@ -266,7 +270,10 @@ resource "aws_lb_listener" "port_${p.port}" {
 resource "aws_vpc_endpoint_service" "trigger_privatelink" {
   acceptance_required        = false
   network_load_balancer_arns = [aws_lb.trigger_privatelink.arn]
-  supported_regions          = ["us-east-1", "eu-central-1"]
+
+  # Trigger.dev runs in us-east-1 and eu-central-1. Listing both makes this
+  # service consumable from either region so any of your tasks can connect.
+  supported_regions = ["us-east-1", "eu-central-1"]
 
   allowed_principals = [
 ${awsAccountIds.map((id) => `    "arn:aws:iam::${id}:root",`).join("\n")}
@@ -418,7 +425,7 @@ ${validPorts.length > 0 ? validPorts.map((p) => `   - Port ${p.port} (${p.protoc
 3. A VPC Endpoint Service:
    - Acceptance required: no
    - Attach the NLB created above
-   - Supported regions: us-east-1, eu-central-1
+   - Supported regions: us-east-1, eu-central-1 (these are the AWS regions Trigger.dev runs in, so the service must be consumable from both)
    - Allowed principals:
 ${awsAccountIds.map((id) => `     - arn:aws:iam::${id}:root`).join("\n") || "     - <Trigger.dev AWS account ARN>"}
 
@@ -531,7 +538,7 @@ export default function Page() {
   const { availableRegions, activeRegions, awsAccountIds } = useTypedLoaderData<typeof loader>();
   const { organizationSlug } = useParams();
   const lastSubmission = useActionData();
-  const [setupMethod, setSetupMethod] = useState<SetupMethod | null>(null);
+  const [setupMethod, setSetupMethod] = useState<SetupMethod | null>("manual");
 
   const defaultRegion = "us-east-1";
 
@@ -547,6 +554,15 @@ export default function Page() {
     <PageContainer>
       <NavBar>
         <PageTitle title="Add Private Connection" backButton={{ to: v3PrivateConnectionsPath({ slug: organizationSlug! }), text: "Private Connections" }} />
+        <PageAccessories>
+          <LinkButton
+            variant="docs/small"
+            LeadingIcon={BookOpenIcon}
+            to={docsPath("private-networking/overview")}
+          >
+            Private connection docs
+          </LinkButton>
+        </PageAccessories>
       </NavBar>
       <PageBody scrollable={true}>
         <MainHorizontallyCenteredContainer className="max-w-3xl">
@@ -651,7 +667,7 @@ export default function Page() {
               </div>
             )}
 
-            {/* Docs iframe */}
+            {/* Docs link */}
             {setupMethod === "docs" && (
               <div className="mb-6 rounded-lg border border-grid-dimmed p-4">
                 <Header3 spacing>Setup Guide</Header3>
@@ -659,37 +675,47 @@ export default function Page() {
                   <>
                     <Paragraph variant="small" className="mb-3">
                       When adding allowed principals to your VPC Endpoint Service, use the following
-                      AWS account ID(s):
+                      AWS account ARN(s):
                     </Paragraph>
-                    <div className="mb-4 rounded-md border border-charcoal-700 bg-charcoal-900 p-3">
+                    <div className="mb-4 space-y-2">
                       {awsAccountIds.map((id) => (
-                        <code key={id} className="text-sm text-emerald-400">
-                          {id}
-                        </code>
+                        <ClipboardField
+                          key={id}
+                          value={`arn:aws:iam::${id}:root`}
+                          variant="primary/medium"
+                        />
                       ))}
                     </div>
                   </>
                 )}
-                <iframe
-                  src="https://trigger.dev/docs/network/private-link-setup-guide"
-                  title="Private Link Setup Guide"
-                  className="h-[600px] w-full rounded-md border border-charcoal-700"
-                />
+                <Paragraph variant="small" className="mb-3">
+                  Follow the step-by-step guide in our docs to create a VPC Endpoint Service in the
+                  AWS Console, then come back here to add the connection.
+                </Paragraph>
+                <LinkButton
+                  to={docsPath("private-networking/aws-console-setup")}
+                  variant="primary/medium"
+                  TrailingIcon={ArrowTopRightOnSquareIcon}
+                >
+                  Open setup guide
+                </LinkButton>
               </div>
             )}
 
-            {/* AWS account IDs reference */}
-            {setupMethod === "manual" && (
+            {/* AWS account ARNs reference */}
+            {setupMethod === "manual" && awsAccountIds.length > 0 && (
               <div className="mb-6 rounded-lg border border-grid-dimmed p-4">
-                <Paragraph variant="small" className="mb-2">
-                  Add the following AWS account ID(s) to your VPC Endpoint Service's allowed
+                <Paragraph variant="small" className="mb-3">
+                  Add the following AWS account ARN(s) to your VPC Endpoint Service's allowed
                   principals:
                 </Paragraph>
-                <div className="rounded-md border border-charcoal-700 bg-charcoal-900 p-3">
+                <div className="space-y-2">
                   {awsAccountIds.map((id) => (
-                    <code key={id} className="text-sm text-emerald-400">
-                      {id}
-                    </code>
+                    <ClipboardField
+                      key={id}
+                      value={`arn:aws:iam::${id}:root`}
+                      variant="primary/medium"
+                    />
                   ))}
                 </div>
               </div>
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.roles/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.roles/route.tsx
new file mode 100644
index 00000000000..79f2356250a
--- /dev/null
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.roles/route.tsx
@@ -0,0 +1,396 @@
+import { CheckIcon, XMarkIcon } from "@heroicons/react/20/solid";
+import { type MetaFunction } from "@remix-run/react";
+import { useState } from "react";
+import { type UseDataFunctionReturn, typedjson, useTypedLoaderData } from "remix-typedjson";
+import { z } from "zod";
+import { PageBody, PageContainer } from "~/components/layout/AppLayout";
+import { Badge } from "~/components/primitives/Badge";
+import { Button } from "~/components/primitives/Buttons";
+import { Dialog, DialogContent, DialogHeader, DialogTrigger } from "~/components/primitives/Dialog";
+import { Header3 } from "~/components/primitives/Headers";
+import { NavBar, PageTitle } from "~/components/primitives/PageHeader";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import {
+  Table,
+  TableBlankRow,
+  TableBody,
+  TableCell,
+  TableHeader,
+  TableHeaderCell,
+  TableRow,
+} from "~/components/primitives/Table";
+import { cn } from "~/utils/cn";
+import { $replica } from "~/db.server";
+import { useOrganization } from "~/hooks/useOrganizations";
+import { rbac } from "~/services/rbac.server";
+import { dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
+import { useCurrentPlan } from "../_app.orgs.$organizationSlug/route";
+import { TextLink } from "~/components/primitives/TextLink";
+
+export const meta: MetaFunction = () => {
+  return [
+    {
+      title: `Roles | Trigger.dev`,
+    },
+  ];
+};
+
+const Params = z.object({
+  organizationSlug: z.string(),
+});
+
+async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
+  const org = await $replica.organization.findFirst({
+    where: { slug },
+    select: { id: true },
+  });
+  return org?.id ?? null;
+}
+
+export const loader = dashboardLoader(
+  {
+    params: Params,
+    context: async (params) => {
+      const orgId = await resolveOrgIdFromSlug(params.organizationSlug);
+      return orgId ? { organizationId: orgId } : {};
+    },
+    authorization: { action: "read", resource: { type: "members" } },
+  },
+  async ({ context }) => {
+    const orgId = context.organizationId;
+    if (!orgId) {
+      throw new Response("Not Found", { status: 404 });
+    }
+
+    const [roles, assignableRoleIds, allPermissions, systemRoles, isUsingPlugin] =
+      await Promise.all([
+        rbac.allRoles(orgId),
+        rbac.getAssignableRoleIds(orgId),
+        rbac.allPermissions(orgId),
+        rbac.systemRoles(orgId),
+        // OSS self-host: no enterprise plugin → no role infrastructure to
+        // show. Render a "roles aren't available" layout in that case
+        // rather than the plan-upsell empty state (which assumes a cloud
+        // plan and would be misleading).
+        rbac.isUsingPlugin(),
+      ]);
+
+    return typedjson({
+      roles,
+      assignableRoleIds,
+      allPermissions,
+      systemRoles,
+      isUsingPlugin,
+    });
+  }
+);
+
+type LoaderData = UseDataFunctionReturn<typeof loader>;
+type LoaderRole = LoaderData["roles"][number];
+type LoaderPermission = LoaderData["allPermissions"][number];
+type RolePermission = LoaderRole["permissions"][number];
+
+// Permissions are bucketed by `permission.group` from the plugin.
+// Section order = first-seen order in `allPermissions()`. Permissions
+// without a group fall into "Other" at the bottom.
+const FALLBACK_GROUP = "Other";
+
+export default function Page() {
+  const { roles, assignableRoleIds, allPermissions, systemRoles, isUsingPlugin } =
+    useTypedLoaderData<typeof loader>();
+  const organization = useOrganization();
+  const plan = useCurrentPlan();
+  const planCode = plan?.v3Subscription?.plan?.code;
+  const isEnterprise = planCode === "enterprise";
+
+  // Map role-id → role for fast cell lookup. Each role's permissions are
+  // already the expanded `effectivePermissions` output (system roles
+  // populated server-side; custom roles too) so cells just filter that
+  // list by permission name.
+  const rolesById = new Map<string, LoaderRole>(roles.map((r) => [r.id, r]));
+  const assignable = new Set(assignableRoleIds);
+
+  // Column ordering follows the plugin's canonical systemRoles order
+  // (highest authority first), then any custom roles in the order
+  // rbac.allRoles returned them. systemRoles is null when no plugin is
+  // installed; fall through to whatever order rbac.allRoles returns.
+  // Each entry's `available` flag reflects plan-tier eligibility — we
+  // render unavailable system roles too, but PlanBadge tags them so
+  // customers see the comparison and know what an upgrade unlocks.
+  const systemRoleOrder = systemRoles ?? [];
+  const systemRoleIdSet = new Set(systemRoleOrder.map((r) => r.id));
+  const systemColumns = systemRoleOrder.flatMap((meta) => {
+    const role = rolesById.get(meta.id);
+    return role ? [{ role, fallbackName: meta.name }] : [];
+  });
+  const customColumns = roles
+    .filter((r) => !systemRoleIdSet.has(r.id))
+    .map((role) => ({ role, fallbackName: role.name }));
+  const columns = [...systemColumns, ...customColumns];
+
+  const grouped = groupPermissions(allPermissions);
+
+  return (
+    <PageContainer>
+      <NavBar>
+        <PageTitle title="Roles" />
+        {/* Suppress the Enterprise-upsell button on OSS — there's no
+            plan to upgrade to in a self-hosted deployment, and the
+            dialog copy ("Available on the Enterprise plan") doesn't
+            apply. The not-supported empty state below makes the
+            absence of role infrastructure clear instead. */}
+        {isUsingPlugin && !isEnterprise ? <CreateRoleUpsell /> : null}
+      </NavBar>
+      <PageBody scrollable={false}>
+        <div className="grid max-h-full min-h-full grid-rows-[auto_1fr]">
+          <div className="border-b border-grid-bright px-4 py-6">
+            <Paragraph variant="small">
+              Roles control what each team member can do in <strong>{organization.title}</strong>.
+              Compare what each role grants below; assign a role to a team member from the{" "}
+              <TextLink to={`/orgs/${organization.slug}/settings/team`}>Team page</TextLink>.
+            </Paragraph>
+          </div>
+          <div className="overflow-y-auto scrollbar-thin scrollbar-track-transparent scrollbar-thumb-charcoal-600">
+            {columns.length === 0 ? (
+              <EmptyState isUsingPlugin={isUsingPlugin} />
+            ) : (
+              <Table containerClassName="border-t-0">
+                <TableHeader>
+                  <TableRow>
+                    <TableHeaderCell>Permission</TableHeaderCell>
+                    {columns.map(({ role }) => (
+                      <TableHeaderCell key={role.id}>
+                        <div className="flex items-center gap-1">
+                          <span>{role.name}</span>
+                          <PlanBadge
+                            roleId={role.id}
+                            assignable={assignable}
+                            systemRoleIdSet={systemRoleIdSet}
+                          />
+                        </div>
+                      </TableHeaderCell>
+                    ))}
+                    <TableHeaderCell>Description</TableHeaderCell>
+                  </TableRow>
+                </TableHeader>
+                <TableBody>
+                  {grouped.length === 0 ? (
+                    <TableBlankRow colSpan={columns.length + 2}>
+                      <Paragraph variant="small" className="text-text-dimmed">
+                        No permissions to display.
+                      </Paragraph>
+                    </TableBlankRow>
+                  ) : (
+                    grouped.flatMap(({ group, permissions }) => [
+                      <TableRow key={`${group}-header`}>
+                        <TableCell colSpan={columns.length + 2} className="bg-charcoal-800">
+                          <Header3 className="text-xs uppercase tracking-wide text-text-dimmed">
+                            {group}
+                          </Header3>
+                        </TableCell>
+                      </TableRow>,
+                      ...permissions.map((permission) => (
+                        <TableRow key={permission.name}>
+                          <TableCell>
+                            <code className="text-xs">{permission.name}</code>
+                          </TableCell>
+                          {columns.map(({ role }) => (
+                            <TableCell key={role.id}>
+                              <RoleCell
+                                permissionName={permission.name}
+                                rolePermissions={role.permissions}
+                              />
+                            </TableCell>
+                          ))}
+                          <TableCell>
+                            <Paragraph variant="small">
+                              {permission.description || (
+                                <span className="text-text-dimmed">—</span>
+                              )}
+                            </Paragraph>
+                          </TableCell>
+                        </TableRow>
+                      )),
+                    ])
+                  )}
+                </TableBody>
+              </Table>
+            )}
+          </div>
+        </div>
+      </PageBody>
+    </PageContainer>
+  );
+}
+
+function EmptyState({ isUsingPlugin }: { isUsingPlugin: boolean }) {
+  // Two distinct empty states:
+  //
+  // 1. Plugin loaded, but rbac.allRoles returned nothing the org can
+  //    use under its plan tier. The plan-upsell copy is correct —
+  //    upgrade unlocks the role infrastructure.
+  // 2. No plugin loaded (OSS self-host). There's no "plan" to upgrade
+  //    to. RBAC simply isn't part of this deployment; we use a
+  //    permissive ability for every authenticated user and rely on
+  //    org-membership for access control. Surface that honestly
+  //    instead of dangling a fake upgrade carrot.
+  if (!isUsingPlugin) {
+    return (
+      <div className="flex flex-col items-center gap-2 p-8 text-center">
+        <Header3>Roles aren't available in this self-hosted deployment.</Header3>
+        <Paragraph variant="small" className="text-text-dimmed">
+          All members have full access. Role-Based Access Controls are available in Trigger.dev
+          Cloud or with an enterprise self-hosted license.
+        </Paragraph>
+      </div>
+    );
+  }
+  return (
+    <div className="flex flex-col items-center gap-2 p-8 text-center">
+      <Header3>No roles available on this plan.</Header3>
+      <Paragraph variant="small" className="text-text-dimmed">
+        Upgrade to Pro to unlock RBAC.
+      </Paragraph>
+    </div>
+  );
+}
+
+function PlanBadge({
+  roleId,
+  assignable,
+  systemRoleIdSet,
+}: {
+  roleId: string;
+  assignable: ReadonlySet<string>;
+  systemRoleIdSet: ReadonlySet<string>;
+}) {
+  // Roles the org's plan doesn't permit get a small upgrade-tier hint
+  // in the column header. The cell rendering is identical regardless
+  // — the comparison value is still useful even on Free/Hobby.
+  if (assignable.has(roleId)) return null;
+  // System roles render as "Pro" (the gating tier where they unlock —
+  // Free/Hobby see Owner+Admin only, Pro adds the rest). Custom roles
+  // render as "Enterprise" — only Enterprise plans can create or assign
+  // them.
+  if (systemRoleIdSet.has(roleId)) {
+    return <Badge variant="extra-small">Pro</Badge>;
+  }
+  return <Badge variant="extra-small">Enterprise</Badge>;
+}
+
+// Render a single (role × permission) cell. Filters the role's
+// effectivePermissions list to entries matching this permission name
+// and emits an icon + optional condition badge based on the rules.
+function RoleCell({
+  permissionName,
+  rolePermissions,
+}: {
+  permissionName: string;
+  rolePermissions: RolePermission[];
+}) {
+  const matching = rolePermissions.filter((p) => p.name === permissionName);
+
+  if (matching.length === 0) {
+    // No rule matches — the role denies this permission by omission.
+    return (
+      <span className="text-text-dimmed" aria-label="Not granted">
+        <XMarkIcon className="size-4" />
+      </span>
+    );
+  }
+
+  const allowed = matching.filter((p) => !p.inverted);
+  const denied = matching.filter((p) => p.inverted);
+
+  // Only inverted rules apply — the role explicitly denies this
+  // permission. Render as ✗ in error colour.
+  if (allowed.length === 0) {
+    return (
+      <span className="text-error" aria-label="Denied">
+        <XMarkIcon className="size-4" />
+      </span>
+    );
+  }
+
+  // At least one allow rule applies. If there's a conditional cannot
+  // rule, replace the ✓ with just the condition label so the user sees
+  // the restriction without a misleading tick. Plain unconditional
+  // allow keeps the ✓.
+  const conditionalDeny = denied.find((p) => p.conditions);
+  if (conditionalDeny?.conditions) {
+    return (
+      <span className="text-xs text-text-dimmed">{conditionLabel(conditionalDeny.conditions)}</span>
+    );
+  }
+  return (
+    <span className="text-success" aria-label="Allowed">
+      <CheckIcon className="size-4" />
+    </span>
+  );
+}
+
+// Render a CASL conditions object into a tier badge label. Only
+// `envType` is recognised today (the catalogue's only allowed condition);
+// extending this requires adding a new branch when ALLOWED_CONDITIONS
+// grows.
+function conditionLabel(conditions: Record<string, unknown>): string {
+  if (typeof conditions.envType === "string") {
+    if (conditions.envType === "PRODUCTION") return "Non-prod only";
+    return `Non-${conditions.envType.toLowerCase()} only`;
+  }
+  return JSON.stringify(conditions);
+}
+
+function groupPermissions(
+  permissions: LoaderPermission[]
+): { group: string; permissions: LoaderPermission[] }[] {
+  // Insertion-ordered map: groups appear in the order their first
+  // permission was seen. Plugins that want a specific section order
+  // just emit permissions in that order from `allPermissions()`.
+  const buckets = new Map<string, LoaderPermission[]>();
+  for (const permission of permissions) {
+    const group = permission.group ?? FALLBACK_GROUP;
+    const list = buckets.get(group) ?? [];
+    list.push(permission);
+    buckets.set(group, list);
+  }
+  return Array.from(buckets, ([group, permissions]) => ({ group, permissions }));
+}
+
+function CreateRoleUpsell() {
+  const [open, setOpen] = useState(false);
+  return (
+    <Dialog open={open} onOpenChange={setOpen}>
+      <DialogTrigger asChild>
+        <Button variant="primary/small">Create role</Button>
+      </DialogTrigger>
+      <DialogContent>
+        <DialogHeader>Custom roles are an Enterprise feature</DialogHeader>
+        <div className="flex flex-col gap-3 pt-2">
+          <Paragraph>
+            Define your own roles with bespoke permission sets — perfect for "Member, but no
+            production deploys" or a vendor/contractor role. Available on the Enterprise plan.
+          </Paragraph>
+          <Paragraph variant="small" className="text-text-dimmed">
+            Get in touch and we'll walk you through the Enterprise plan and how custom roles fit
+            your team.
+          </Paragraph>
+        </div>
+        <div className="mt-6 flex justify-end gap-2">
+          <Button variant="secondary/medium" onClick={() => setOpen(false)}>
+            Maybe later
+          </Button>
+          <Button
+            variant="primary/medium"
+            onClick={() => {
+              window.open("https://trigger.dev/contact", "_blank");
+              setOpen(false);
+            }}
+          >
+            Contact us
+          </Button>
+        </div>
+      </DialogContent>
+    </Dialog>
+  );
+}
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.team/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.team/route.tsx
index dc71bc5585f..c95ca471f85 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.team/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.team/route.tsx
@@ -9,7 +9,7 @@ import {
   useFetcher,
   useNavigation,
 } from "@remix-run/react";
-import { type ActionFunctionArgs, type LoaderFunctionArgs, json } from "@remix-run/server-runtime";
+import { json } from "@remix-run/server-runtime";
 import { tryCatch } from "@trigger.dev/core/utils";
 import { useEffect, useRef, useState } from "react";
 import { type UseDataFunctionReturn, typedjson, useTypedLoaderData } from "remix-typedjson";
@@ -41,24 +41,27 @@ import { Label } from "~/components/primitives/Label";
 import { NavBar, PageAccessories, PageTitle } from "~/components/primitives/PageHeader";
 import { Paragraph } from "~/components/primitives/Paragraph";
 import * as Property from "~/components/primitives/PropertyTable";
+import { Select, SelectItem, SelectLinkItem } from "~/components/primitives/Select";
 import { SpinnerWhite } from "~/components/primitives/Spinner";
 import { SimpleTooltip } from "~/components/primitives/Tooltip";
-import { cn } from "~/utils/cn";
 import { $replica } from "~/db.server";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useUser } from "~/hooks/useUser";
 import { removeTeamMember } from "~/models/member.server";
 import { redirectWithSuccessMessage } from "~/models/message.server";
 import { TeamPresenter } from "~/presenters/TeamPresenter.server";
-import { requireUserId } from "~/services/session.server";
+import { rbac } from "~/services/rbac.server";
+import { dashboardAction, dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
+import { cn } from "~/utils/cn";
+import { formatCurrency, formatNumber } from "~/utils/numberFormatter";
 import {
   inviteTeamMemberPath,
+  organizationRolesPath,
   organizationTeamPath,
   resendInvitePath,
   revokeInvitePath,
   v3BillingPath,
 } from "~/utils/pathBuilder";
-import { formatCurrency, formatNumber } from "~/utils/numberFormatter";
 import { SetSeatsAddOnService } from "~/v3/services/setSeatsAddOn.server";
 import { useCurrentPlan } from "../_app.orgs.$organizationSlug/route";
 
@@ -74,31 +77,51 @@ const Params = z.object({
   organizationSlug: z.string(),
 });
 
-export const loader = async ({ request, params }: LoaderFunctionArgs) => {
-  const userId = await requireUserId(request);
-  const { organizationSlug } = Params.parse(params);
-
-  const organization = await $replica.organization.findFirst({
-    where: { slug: organizationSlug },
+// Resolve slug → orgId in the dashboardLoader's context callback so the
+// rbac.authenticateSession call gets a real organizationId. The result
+// is cached for the duration of the request and reused by the handler
+// below (we re-find by slug there to get a typed value — the context
+// only sees the loosely typed return type).
+async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
+  const org = await $replica.organization.findFirst({
+    where: { slug },
     select: { id: true },
   });
+  return org?.id ?? null;
+}
 
-  if (!organization) {
-    throw new Response("Not Found", { status: 404 });
-  }
+export const loader = dashboardLoader(
+  {
+    params: Params,
+    context: async (params) => {
+      const orgId = await resolveOrgIdFromSlug(params.organizationSlug);
+      return orgId ? { organizationId: orgId } : {};
+    },
+    authorization: { action: "read", resource: { type: "members" } },
+  },
+  async ({ user, ability, context }) => {
+    const orgId = context.organizationId;
+    if (!orgId) {
+      throw new Response("Not Found", { status: 404 });
+    }
 
-  const presenter = new TeamPresenter();
-  const result = await presenter.call({
-    userId,
-    organizationId: organization.id,
-  });
+    const presenter = new TeamPresenter();
+    const result = await presenter.call({
+      userId: user.id,
+      organizationId: orgId,
+    });
 
-  if (!result) {
-    throw new Response("Not Found", { status: 404 });
-  }
+    if (!result) {
+      throw new Response("Not Found", { status: 404 });
+    }
 
-  return typedjson(result);
-};
+    // Pre-compute manage authority server-side so the UI gating matches
+    // the action gating (the action enforces it independently).
+    const canManageMembers = ability.can("manage", { type: "members" });
+
+    return typedjson({ ...result, canManageMembers });
+  }
+);
 
 const schema = z.object({
   memberId: z.string(),
@@ -111,89 +134,157 @@ const PurchaseSchema = z.discriminatedUnion("action", [
   }),
   z.object({
     action: z.literal("quota-increase"),
-    amount: z.coerce
-      .number()
-      .int("Must be a whole number")
-      .min(1, "Amount must be greater than 0"),
+    amount: z.coerce.number().int("Must be a whole number").min(1, "Amount must be greater than 0"),
   }),
 ]);
 
-export const action = async ({ request, params }: ActionFunctionArgs) => {
-  const userId = await requireUserId(request);
-  const { organizationSlug } = params;
-  invariant(organizationSlug, "organizationSlug not found");
+const SetRoleSchema = z.object({
+  userId: z.string(),
+  roleId: z.string(),
+});
 
-  const formData = await request.formData();
-  const formType = formData.get("_formType");
+export const action = dashboardAction(
+  {
+    params: Params,
+    context: async (params) => {
+      const orgId = await resolveOrgIdFromSlug(params.organizationSlug);
+      return orgId ? { organizationId: orgId } : {};
+    },
+    // No top-level authorization — different intents have different
+    // requirements. Each branch inside checks the right ability:
+    //   set-role        → manage:members
+    //   purchase-seats  → manage:billing
+    //   remove-member   → manage:members (skipped for self-leave)
+    // Don't rely on the model-layer (removeTeamMember /
+    // SetSeatsAddOnService) for enforcement — those are defense in
+    // depth; the route layer is where the ability gate belongs.
+  },
+  async ({ user, ability, request, params, context }) => {
+    const userId = user.id;
+    const { organizationSlug } = params;
+    invariant(organizationSlug, "organizationSlug not found");
 
-  if (formType === "purchase-seats") {
-    const org = await $replica.organization.findFirst({
-      where: { slug: organizationSlug },
-      select: { id: true },
-    });
+    const formData = await request.formData();
+    const formType = formData.get("_formType");
 
-    if (!org) {
-      return json({ ok: false, error: "Organization not found" } as const);
+    if (formType === "set-role") {
+      if (!ability.can("manage", { type: "members" })) {
+        return json({ ok: false, error: "Unauthorized" } as const, { status: 403 });
+      }
+      const orgId = context.organizationId;
+      if (!orgId) {
+        return json({ ok: false, error: "Organization not found" } as const, { status: 404 });
+      }
+      const submission = parse(formData, { schema: SetRoleSchema });
+      if (!submission.value || submission.intent !== "submit") {
+        return json(submission);
+      }
+      const result = await rbac.setUserRole({
+        userId: submission.value.userId,
+        organizationId: orgId,
+        roleId: submission.value.roleId,
+      });
+      if (!result.ok) {
+        return json({ ok: false, error: result.error } as const, { status: 400 });
+      }
+      return json({ ok: true } as const);
     }
 
-    const submission = parse(formData, { schema: PurchaseSchema });
+    if (formType === "purchase-seats") {
+      // Adjusting seat count is a billing operation. Pre-RBAC the team
+      // page's loader gated the entire route on Owner/Admin, so reaching
+      // this action implied authority. Post-RBAC the loader requires
+      // `read:members` (broader audience), so gate the seat purchase
+      // explicitly here against the right ability rather than relying
+      // on the SetSeatsAddOnService for enforcement at the model layer.
+      if (!ability.can("manage", { type: "billing" })) {
+        return json({ ok: false, error: "Unauthorized" } as const, { status: 403 });
+      }
+      // Reuse the orgId the dashboardBuilder already resolved in the
+      // context callback (single slug → orgId lookup per request,
+      // regardless of whether the OSS fallback or cloud plugin
+      // services the auth — the plugin takes `organizationId` as
+      // input and doesn't re-resolve from a slug).
+      const orgId = context.organizationId;
+      if (!orgId) {
+        return json({ ok: false, error: "Organization not found" } as const);
+      }
 
-    if (!submission.value || submission.intent !== "submit") {
-      return json(submission);
-    }
+      const submission = parse(formData, { schema: PurchaseSchema });
 
-    const service = new SetSeatsAddOnService();
-    const [error, result] = await tryCatch(
-      service.call({
-        userId,
-        organizationId: org.id,
-        action: submission.value.action,
-        amount: submission.value.amount,
-      })
-    );
+      if (!submission.value || submission.intent !== "submit") {
+        return json(submission);
+      }
 
-    if (error) {
-      submission.error.amount = [error instanceof Error ? error.message : "Unknown error"];
-      return json(submission);
+      const service = new SetSeatsAddOnService();
+      const [error, result] = await tryCatch(
+        service.call({
+          userId,
+          organizationId: orgId,
+          action: submission.value.action,
+          amount: submission.value.amount,
+        })
+      );
+
+      if (error) {
+        submission.error.amount = [error instanceof Error ? error.message : "Unknown error"];
+        return json(submission);
+      }
+
+      if (!result.success) {
+        submission.error.amount = [result.error];
+        return json(submission);
+      }
+
+      return json({ ok: true } as const);
     }
 
-    if (!result.success) {
-      submission.error.amount = [result.error];
+    const submission = parse(formData, { schema });
+
+    if (!submission.value || submission.intent !== "submit") {
       return json(submission);
     }
 
-    return json({ ok: true } as const);
-  }
-
-  const submission = parse(formData, { schema });
+    // Default intent: remove a member or leave the org. Self-leave (the
+    // actor removing their own membership) is always allowed. Removing
+    // another member requires `manage:members` — pre-RBAC the
+    // `removeTeamMember` model fn only verified the actor was a member
+    // of the target org, so any org member could remove any other
+    // member by id; this gate fixes that latent permissions hole.
+    const targetMember = await $replica.orgMember.findFirst({
+      where: { id: submission.value.memberId },
+      select: { userId: true },
+    });
+    const isSelfLeave = targetMember?.userId === userId;
+    if (!isSelfLeave && !ability.can("manage", { type: "members" })) {
+      return json({ ok: false, error: "Unauthorized" } as const, { status: 403 });
+    }
 
-  if (!submission.value || submission.intent !== "submit") {
-    return json(submission);
-  }
+    try {
+      const deletedMember = await removeTeamMember({
+        userId,
+        memberId: submission.value.memberId,
+        slug: organizationSlug,
+      });
 
-  try {
-    const deletedMember = await removeTeamMember({
-      userId,
-      memberId: submission.value.memberId,
-      slug: organizationSlug,
-    });
+      if (deletedMember.userId === userId) {
+        return redirectWithSuccessMessage("/", request, `You left the organization`);
+      }
 
-    if (deletedMember.userId === userId) {
-      return redirectWithSuccessMessage("/", request, `You left the organization`);
+      return redirectWithSuccessMessage(
+        organizationTeamPath(deletedMember.organization),
+        request,
+        `Removed ${deletedMember.user.name ?? "member"} from team`
+      );
+    } catch (error: any) {
+      return json({ errors: { body: error.message } }, { status: 400 });
     }
-
-    return redirectWithSuccessMessage(
-      organizationTeamPath(deletedMember.organization),
-      request,
-      `Removed ${deletedMember.user.name ?? "member"} from team`
-    );
-  } catch (error: any) {
-    return json({ errors: { body: error.message } }, { status: 400 });
   }
-};
+);
 
 type Member = UseDataFunctionReturn<typeof loader>["members"][number];
 type Invite = UseDataFunctionReturn<typeof loader>["invites"][number];
+type Role = UseDataFunctionReturn<typeof loader>["roles"][number];
 
 export default function Page() {
   const {
@@ -205,7 +296,16 @@ export default function Page() {
     seatPricing,
     maxSeatQuota,
     planSeatLimit,
+    roles,
+    assignableRoleIds,
+    memberRoles,
+    canManageMembers,
   } = useTypedLoaderData<typeof loader>();
+  // Build a userId → roleId map so the dropdown's defaultValue matches
+  // each member's current assignment without re-querying.
+  const memberRoleByUserId = new Map<string, string>(
+    memberRoles.flatMap((m) => (m.role ? [[m.userId, m.role.id]] : []))
+  );
   const user = useUser();
   const organization = useOrganization();
 
@@ -242,10 +342,31 @@ export default function Page() {
               ))}
             </Property.Table>
           </AdminDebugTooltip>
-          {requiresUpgrade ? (
+          {!canManageMembers ? (
+            // Gate the invite affordance on manage:members. The action
+            // route enforces this independently — hiding it here just
+            // avoids dead UI for non-managers.
+            <SimpleTooltip
+              button={
+                <ButtonContent
+                  variant="primary/small"
+                  LeadingIcon={UserPlusIcon}
+                  className="cursor-not-allowed opacity-50"
+                >
+                  Invite a team member
+                </ButtonContent>
+              }
+              content="You don't have permission to invite team members"
+              disableHoverableContent
+            />
+          ) : requiresUpgrade ? (
             <SimpleTooltip
               button={
-                <ButtonContent variant="primary/small" LeadingIcon={UserPlusIcon} className="cursor-not-allowed opacity-50">
+                <ButtonContent
+                  variant="primary/small"
+                  LeadingIcon={UserPlusIcon}
+                  className="cursor-not-allowed opacity-50"
+                >
                   Invite a team member
                 </ButtonContent>
               }
@@ -291,34 +412,57 @@ export default function Page() {
                   </ul>
                 </>
               )}
-              <Header2>Active team members</Header2>
-              <ul className="divide-ui-border mb-8 mt-3 flex w-full flex-col divide-y border-y border-grid-bright">
+              <div className="mt-4 flex items-baseline justify-between">
+                <Header2>Active team members</Header2>
+                {roles.length > 0 ? (
+                  <a
+                    className="text-xs text-text-link hover:underline"
+                    href={organizationRolesPath(organization)}
+                  >
+                    View all role permissions →
+                  </a>
+                ) : null}
+              </div>
+              <div className="mb-8 mt-3 grid w-full grid-cols-[1fr_auto_auto] items-center gap-x-2 border-y border-grid-bright">
                 {members.map((member) => (
-                  <li key={member.user.id} className="flex items-center gap-x-4 py-4">
-                    <UserAvatar
-                      avatarUrl={member.user.avatarUrl}
-                      name={member.user.name}
-                      className="size-10"
-                    />
-                    <div className="flex flex-col gap-0.5">
-                      <Header3>
-                        {member.user.name}{" "}
-                        {member.user.id === user.id && (
-                          <span className="text-text-dimmed">(You)</span>
-                        )}
-                      </Header3>
-                      <Paragraph variant="small">{member.user.email}</Paragraph>
+                  <div
+                    key={member.user.id}
+                    className="col-span-3 grid grid-cols-subgrid items-center gap-x-2 border-b border-grid-bright py-2 last:border-b-0"
+                  >
+                    <div className="flex items-center gap-x-2">
+                      <UserAvatar
+                        avatarUrl={member.user.avatarUrl}
+                        name={member.user.name}
+                        className="size-10"
+                      />
+                      <div className="flex flex-col gap-0.5">
+                        <Header3>
+                          {member.user.name}{" "}
+                          {member.user.id === user.id && (
+                            <span className="text-text-dimmed">(You)</span>
+                          )}
+                        </Header3>
+                        <Paragraph variant="small">{member.user.email}</Paragraph>
+                      </div>
                     </div>
-                    <div className="flex grow items-center justify-end gap-4">
+                    <RolePicker
+                      memberUserId={member.user.id}
+                      currentRoleId={memberRoleByUserId.get(member.user.id) ?? null}
+                      roles={roles}
+                      assignableRoleIds={assignableRoleIds}
+                      canManageMembers={canManageMembers}
+                    />
+                    <div className="justify-self-end">
                       <LeaveRemoveButton
                         userId={user.id}
                         member={member}
                         memberCount={members.length}
+                        canManageMembers={canManageMembers}
                       />
                     </div>
-                  </li>
+                  </div>
                 ))}
-              </ul>
+              </div>
             </div>
           </div>
 
@@ -387,10 +531,12 @@ function LeaveRemoveButton({
   userId,
   member,
   memberCount,
+  canManageMembers,
 }: {
   userId: string;
   member: Member;
   memberCount: number;
+  canManageMembers: boolean;
 }) {
   const organization = useOrganization();
 
@@ -409,7 +555,8 @@ function LeaveRemoveButton({
       );
     }
 
-    //you leave the team
+    //you leave the team — leaving is always permitted regardless of
+    //manage:members; non-managers can still leave on their own.
     return (
       <LeaveTeamModal
         member={member}
@@ -421,7 +568,20 @@ function LeaveRemoveButton({
     );
   }
 
-  //you remove another member
+  //you remove another member — requires manage:members
+  if (!canManageMembers) {
+    return (
+      <SimpleTooltip
+        button={
+          <ButtonContent variant="secondary/small" className="cursor-not-allowed opacity-50">
+            Remove from team
+          </ButtonContent>
+        }
+        disableHoverableContent
+        content="You don't have permission to remove team members"
+      />
+    );
+  }
   return (
     <LeaveTeamModal
       member={member}
@@ -433,6 +593,100 @@ function LeaveRemoveButton({
   );
 }
 
+// Inline role picker — submits a `_formType=set-role` form via fetcher
+// so the change persists without a full page reload. Disabled options
+// (and the picker itself) reflect plan gating + manage:members; the
+// server's setUserRole enforces both checks again as the source of
+// truth, so this is a UI-affordance layer only.
+function RolePicker({
+  memberUserId,
+  currentRoleId,
+  roles,
+  assignableRoleIds,
+  canManageMembers,
+}: {
+  memberUserId: string;
+  currentRoleId: string | null;
+  roles: Role[];
+  assignableRoleIds: string[];
+  canManageMembers: boolean;
+}) {
+  const organization = useOrganization();
+  const fetcher = useFetcher<{ ok: boolean; error?: string } | { ok: true }>();
+  const assignable = new Set(assignableRoleIds);
+  // With no RBAC plugin installed, the loader returns no roles —
+  // render nothing rather than an empty dropdown.
+  if (roles.length === 0) return null;
+
+  const isSubmitting = fetcher.state === "submitting";
+  const error =
+    fetcher.data && "error" in fetcher.data && fetcher.data.error ? fetcher.data.error : null;
+
+  const picker = (
+    <Select
+      // Controlled — keeps the dropdown in sync with the persisted
+      // role even after a failed set-role fetcher submit (the server
+      // kept the old role; without `value` the UI would show the
+      // attempted change).
+      value={currentRoleId ?? ""}
+      items={roles}
+      variant="tertiary/small"
+      disabled={!canManageMembers || isSubmitting}
+      dropdownIcon
+      text={(v) => roles.find((r) => r.id === v)?.name ?? "No role"}
+      setValue={(next) => {
+        if (typeof next !== "string" || next === (currentRoleId ?? "")) return;
+        // Upgrade-link rows have a value too (Ariakit needs one to
+        // make the row interactive — without it the Link inside
+        // doesn't even register the click), but they shouldn't
+        // submit the role-change form. The Link navigates the user
+        // to the plan-selection page; we just bail here.
+        if (!assignable.has(next)) return;
+        fetcher.submit(
+          { _formType: "set-role", userId: memberUserId, roleId: next },
+          { method: "post" }
+        );
+      }}
+    >
+      {(items) =>
+        items.map((role) => {
+          const isAssignable = assignable.has(role.id);
+          return isAssignable ? (
+            <SelectItem key={role.id} value={role.id}>
+              {role.name}
+            </SelectItem>
+          ) : (
+            <SelectLinkItem key={role.id} value={role.id} to={v3BillingPath(organization)}>
+              {role.name} (upgrade)
+            </SelectLinkItem>
+          );
+        })
+      }
+    </Select>
+  );
+
+  return (
+    <div className="flex flex-col items-end gap-1">
+      {canManageMembers ? (
+        picker
+      ) : (
+        // Disabled <Select> swallows hover events on its own, so wrap it
+        // in a div the tooltip can attach to.
+        <SimpleTooltip
+          button={<div className="cursor-not-allowed">{picker}</div>}
+          content="You don't have permission to change roles"
+          disableHoverableContent
+        />
+      )}
+      {error ? (
+        <span className="text-xs text-error" role="alert">
+          {error}
+        </span>
+      ) : null}
+    </div>
+  );
+}
+
 function LeaveTeamModal({
   member,
   buttonText,
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.usage/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.usage/route.tsx
index 0957c06d044..a430a2b5023 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.usage/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.usage/route.tsx
@@ -311,19 +311,21 @@ function UsageChart({ data }: { data: UsageSeriesData }) {
   );
 
   return (
-    <Chart.Root
-      config={chartConfig}
-      data={data}
-      dataKey="date"
-      showLegend={false}
-      enableZoom={false}
-      minHeight="160px"
-    >
-      <Chart.Bar
-        xAxisProps={{ tickFormatter: xAxisTickFormatter }}
-        yAxisProps={{ tickFormatter: yAxisTickFormatter, allowDecimals: true }}
-        tooltipLabelFormatter={tooltipLabelFormatter}
-      />
-    </Chart.Root>
+    <div className="h-80">
+      <Chart.Root
+        config={chartConfig}
+        data={data}
+        dataKey="date"
+        showLegend={false}
+        enableZoom={false}
+        fillContainer
+      >
+        <Chart.Bar
+          xAxisProps={{ tickFormatter: xAxisTickFormatter }}
+          yAxisProps={{ tickFormatter: yAxisTickFormatter, allowDecimals: true }}
+          tooltipLabelFormatter={tooltipLabelFormatter}
+        />
+      </Chart.Root>
+    </div>
   );
 }
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings/route.tsx
index 97fa2025781..a24a857d6f6 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings/route.tsx
@@ -8,6 +8,7 @@ import {
   OrganizationSettingsSideMenu,
 } from "~/components/navigation/OrganizationSettingsSideMenu";
 import { useOrganization } from "~/hooks/useOrganizations";
+import { rbac } from "~/services/rbac.server";
 
 export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   return typedjson({
@@ -18,17 +19,22 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
       gitRefName: process.env.BUILD_GIT_REF_NAME,
       buildTimestampSeconds: process.env.BUILD_TIMESTAMP_SECONDS,
     } satisfies BuildInfo,
+    isUsingPlugin: await rbac.isUsingPlugin(),
   });
 };
 
 export default function Page() {
-  const { buildInfo } = useTypedLoaderData<typeof loader>();
+  const { buildInfo, isUsingPlugin } = useTypedLoaderData<typeof loader>();
   const organization = useOrganization();
 
   return (
     <AppContainer>
       <div className="grid grid-cols-[14rem_1fr] overflow-hidden">
-        <OrganizationSettingsSideMenu organization={organization} buildInfo={buildInfo} />
+        <OrganizationSettingsSideMenu
+          organization={organization}
+          buildInfo={buildInfo}
+          isUsingPlugin={isUsingPlugin}
+        />
         <MainBody>
           <Outlet />
         </MainBody>
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug/route.tsx
index 6fea018af54..1ad36854dcf 100644
--- a/apps/webapp/app/routes/_app.orgs.$organizationSlug/route.tsx
+++ b/apps/webapp/app/routes/_app.orgs.$organizationSlug/route.tsx
@@ -7,6 +7,7 @@ import { prisma } from "~/db.server";
 import { useOptionalOrganization } from "~/hooks/useOrganizations";
 import { useTypedMatchesData } from "~/hooks/useTypedMatchData";
 import { OrganizationsPresenter } from "~/presenters/OrganizationsPresenter.server";
+import { RegionsPresenter, type Region } from "~/presenters/v3/RegionsPresenter.server";
 import { getImpersonationId } from "~/services/impersonation.server";
 import { getCachedUsage, getCurrentPlan } from "~/services/platform.v3.server";
 import { requireUser } from "~/services/session.server";
@@ -88,7 +89,10 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   firstDayOfNextMonth.setUTCDate(1);
   firstDayOfNextMonth.setUTCHours(0, 0, 0, 0);
 
-  const [plan, usage, customDashboards] = await Promise.all([
+  const shouldLoadRegions =
+    !!projectParam && !!environment && environment.type !== "DEVELOPMENT";
+
+  const [plan, usage, customDashboards, regions] = await Promise.all([
     getCurrentPlan(organization.id),
     getCachedUsage(organization.id, { from: firstDayOfMonth, to: firstDayOfNextMonth }),
     prisma.metricsDashboard.findMany({
@@ -100,6 +104,12 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
       },
       orderBy: { createdAt: "desc" },
     }),
+    shouldLoadRegions
+      ? new RegionsPresenter()
+          .call({ userId: user.id, projectSlug: projectParam! })
+          .then(({ regions }) => regions)
+          .catch(() => [] as Region[])
+      : Promise.resolve([] as Region[]),
   ]);
 
   let hasExceededFreeTier = false;
@@ -147,6 +157,7 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     organization,
     project,
     environment,
+    regions,
     isImpersonating: !!impersonationId,
     currentPlan: { ...plan, v3Usage: { ...usage, hasExceededFreeTier, usagePercentage } },
     customDashboards: customDashboardsWithWidgetCount,
diff --git a/apps/webapp/app/routes/_app/route.tsx b/apps/webapp/app/routes/_app/route.tsx
index 23e1b3834c6..db12ae90b60 100644
--- a/apps/webapp/app/routes/_app/route.tsx
+++ b/apps/webapp/app/routes/_app/route.tsx
@@ -5,10 +5,12 @@ import { RouteErrorDisplay } from "~/components/ErrorDisplay";
 import { AppContainer, MainCenteredContainer } from "~/components/layout/AppLayout";
 import { clearRedirectTo, commitSession } from "~/services/redirectTo.server";
 import { requireUser } from "~/services/session.server";
+import { tenantContext } from "~/services/tenantContext.server";
 import { confirmBasicDetailsPath } from "~/utils/pathBuilder";
 
 export const loader = async ({ request }: LoaderFunctionArgs) => {
   const user = await requireUser(request);
+  tenantContext.enrich({ userId: user.id });
 
   //you have to confirm basic details before you can do anything
   if (!user.confirmedBasicDetails) {
diff --git a/apps/webapp/app/routes/account.security/route.tsx b/apps/webapp/app/routes/account.security/route.tsx
index 18cf8b54ab7..68dc8d1fcf4 100644
--- a/apps/webapp/app/routes/account.security/route.tsx
+++ b/apps/webapp/app/routes/account.security/route.tsx
@@ -1,4 +1,6 @@
 import { type MetaFunction } from "@remix-run/react";
+import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import {
   MainHorizontallyCenteredContainer,
   PageBody,
@@ -6,10 +8,14 @@ import {
 } from "~/components/layout/AppLayout";
 import { Header2 } from "~/components/primitives/Headers";
 import { NavBar, PageTitle } from "~/components/primitives/PageHeader";
-import { MfaSetup } from "../resources.account.mfa.setup/route";
-import { LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { $replica } from "~/db.server";
 import { requireUser } from "~/services/session.server";
-import { typedjson, useTypedLoaderData } from "remix-typedjson";
+import {
+  getAllowedSessionOptions,
+  getEffectiveSessionDuration,
+} from "~/services/sessionDuration.server";
+import { MfaSetup } from "../resources.account.mfa.setup/route";
+import { SessionDurationSetting } from "../resources.account.session-duration/SessionDurationSetting";
 
 export const meta: MetaFunction = () => {
   return [
@@ -22,13 +28,20 @@ export const meta: MetaFunction = () => {
 export async function loader({ request }: LoaderFunctionArgs) {
   const user = await requireUser(request);
 
+  const { durationSeconds, orgCapSeconds } = await getEffectiveSessionDuration(user.id, $replica);
+  const sessionDurationOptions = getAllowedSessionOptions(orgCapSeconds, durationSeconds);
+
   return typedjson({
     user,
+    sessionDuration: durationSeconds,
+    sessionDurationOptions,
+    orgCapSeconds,
   });
 }
 
 export default function Page() {
-  const { user } = useTypedLoaderData<typeof loader>();
+  const { user, sessionDuration, sessionDurationOptions, orgCapSeconds } =
+    useTypedLoaderData<typeof loader>();
 
   return (
     <PageContainer>
@@ -37,11 +50,20 @@ export default function Page() {
       </NavBar>
 
       <PageBody>
-        <MainHorizontallyCenteredContainer className="grid place-items-center overflow-visible">
-          <div className="mb-3 w-full border-b border-grid-dimmed pb-3">
+        <MainHorizontallyCenteredContainer className="max-w-[37.5rem] overflow-visible">
+          <div className="w-full border-b border-grid-dimmed pb-3">
             <Header2>Security</Header2>
           </div>
-          <MfaSetup isEnabled={!!user.mfaEnabledAt} />
+          <div className="w-full border-b border-grid-dimmed py-4">
+            <MfaSetup isEnabled={!!user.mfaEnabledAt} />
+          </div>
+          <div className="w-full border-b border-grid-dimmed py-4">
+            <SessionDurationSetting
+              currentValue={sessionDuration}
+              options={sessionDurationOptions}
+              orgCapSeconds={orgCapSeconds}
+            />
+          </div>
         </MainHorizontallyCenteredContainer>
       </PageBody>
     </PageContainer>
diff --git a/apps/webapp/app/routes/account.tokens/route.tsx b/apps/webapp/app/routes/account.tokens/route.tsx
index 4ad62d7edc8..d38841cb8b7 100644
--- a/apps/webapp/app/routes/account.tokens/route.tsx
+++ b/apps/webapp/app/routes/account.tokens/route.tsx
@@ -5,6 +5,7 @@ import { ShieldExclamationIcon } from "@heroicons/react/24/solid";
 import { DialogClose } from "@radix-ui/react-dialog";
 import { Form, type MetaFunction, useActionData, useFetcher } from "@remix-run/react";
 import { type ActionFunction, type LoaderFunctionArgs, json } from "@remix-run/server-runtime";
+import { useState } from "react";
 import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import { z } from "zod";
 import { PageBody, PageContainer } from "~/components/layout/AppLayout";
@@ -22,6 +23,7 @@ import { InputGroup } from "~/components/primitives/InputGroup";
 import { Label } from "~/components/primitives/Label";
 import { NavBar, PageAccessories, PageTitle } from "~/components/primitives/PageHeader";
 import { Paragraph } from "~/components/primitives/Paragraph";
+import { Select, SelectItem } from "~/components/primitives/Select";
 import {
   Table,
   TableBlankRow,
@@ -34,6 +36,8 @@ import {
 } from "~/components/primitives/Table";
 import { SimpleTooltip } from "~/components/primitives/Tooltip";
 import { redirectWithSuccessMessage } from "~/models/message.server";
+import { prisma } from "~/db.server";
+import { rbac } from "~/services/rbac.server";
 import {
   type CreatedPersonalAccessToken,
   type ObfuscatedPersonalAccessToken,
@@ -52,14 +56,82 @@ export const meta: MetaFunction = () => {
   ];
 };
 
+// PATs aren't org-scoped, but the RBAC plugin's allRoles is org-keyed
+// (a plugin may also expose org-defined custom roles alongside the
+// global system roles). The picker shows the assignable system role
+// catalogue for the user's primary org — joining `allRoles` (for the
+// full Role with permissions) against `systemRoles` (for the per-org
+// `available` flag, which gates roles by plan tier). This is a UI-only
+// convenience — the chosen role becomes a global TokenRole that
+// applies wherever the PAT is used. Custom (org-defined) roles are
+// out of scope for v1: their org-binding semantics for a multi-org
+// user's PAT need a separate design pass.
+async function loadSystemRolesForUser(userId: string) {
+  const orgMember = await prisma.orgMember.findFirst({
+    where: { userId },
+    select: { organizationId: true },
+    orderBy: { createdAt: "asc" },
+  });
+  if (!orgMember) {
+    return {
+      roles: [],
+      userRoleId: null as string | null,
+      orgId: null as string | null,
+    };
+  }
+
+  const [allRoles, systemRoles, userRole] = await Promise.all([
+    rbac.allRoles(orgMember.organizationId),
+    rbac.systemRoles(orgMember.organizationId),
+    rbac.getUserRole({ userId, organizationId: orgMember.organizationId }),
+  ]);
+
+  // Restrict the picker to system roles the plan permits assigning —
+  // anything else would be a noisy create-time failure (or, with a
+  // permissive fallback, a token bound to a role this org isn't
+  // allowed to issue).
+  const availableIds = new Set(
+    (systemRoles ?? []).filter((r) => r.available).map((r) => r.id)
+  );
+  const roles = allRoles.filter((r) => r.isSystem && availableIds.has(r.id));
+
+  return {
+    roles,
+    userRoleId: userRole?.id ?? null,
+    orgId: orgMember.organizationId,
+  };
+}
+
 export const loader = async ({ request }: LoaderFunctionArgs) => {
   const userId = await requireUserId(request);
 
   try {
-    const personalAccessTokens = await getValidPersonalAccessTokens(userId);
+    const [personalAccessTokens, { roles, userRoleId, orgId }] = await Promise.all([
+      getValidPersonalAccessTokens(userId),
+      loadSystemRolesForUser(userId),
+    ]);
+
+    // Default the role picker to the user's own role in their primary
+    // org so a freshly-created PAT isn't more privileged than the
+    // person creating it. Falls back to the most-restrictive role
+    // available on the org's plan if they don't have one. When the
+    // user isn't a member of any org or no RBAC plugin is installed,
+    // the picker is hidden anyway, so defaultRoleId is just a
+    // placeholder.
+    // Clamp to roles the picker actually renders (`roles` already
+    // joins systemRoles ∩ assignableRoleIds). If userRoleId points at
+    // a custom or plan-blocked role, the hidden form value would
+    // otherwise post a roleId the action's revalidation rejects with
+    // 400. Fall through to the most-restrictive assignable role.
+    const assignableIds = new Set(roles.map((r) => r.id));
+    const lowestAssignable = roles.at(-1)?.id ?? "";
+    const defaultRoleId =
+      userRoleId && assignableIds.has(userRoleId) ? userRoleId : lowestAssignable;
 
     return typedjson({
       personalAccessTokens,
+      roles,
+      defaultRoleId,
     });
   } catch (error) {
     if (error instanceof Response) {
@@ -81,6 +153,10 @@ const CreateTokenSchema = z.discriminatedUnion("action", [
       .string({ required_error: "You must enter a name" })
       .min(2, "Your name must be at least 2 characters long")
       .max(50),
+    // Optional — when no RBAC plugin is installed the UI hides the
+    // dropdown and submits no roleId; the action passes that through
+    // and createPersonalAccessToken just doesn't write a TokenRole.
+    roleId: z.string().optional(),
   }),
   z.object({
     action: z.literal("revoke"),
@@ -100,9 +176,27 @@ export const action: ActionFunction = async ({ request }) => {
   switch (submission.value.action) {
     case "create": {
       try {
+        // Revalidate the submitted roleId against the plan-allowed set
+        // — the loader filters the picker, but a hand-crafted POST can
+        // still submit any string. Empty / undefined is fine: that
+        // means "no role" and createPersonalAccessToken just doesn't
+        // write a TokenRole.
+        const submittedRoleId = submission.value.roleId;
+        if (submittedRoleId) {
+          const { roles } = await loadSystemRolesForUser(userId);
+          const allowed = new Set(roles.map((r) => r.id));
+          if (!allowed.has(submittedRoleId)) {
+            return json(
+              { errors: { body: "Selected role isn't available on this plan" } },
+              { status: 400 }
+            );
+          }
+        }
+
         const tokenResult = await createPersonalAccessToken({
           name: submission.value.tokenName,
           userId,
+          roleId: submittedRoleId,
         });
 
         return json({ ...submission, payload: { token: tokenResult } });
@@ -131,7 +225,7 @@ export const action: ActionFunction = async ({ request }) => {
 };
 
 export default function Page() {
-  const { personalAccessTokens } = useTypedLoaderData<typeof loader>();
+  const { personalAccessTokens, roles, defaultRoleId } = useTypedLoaderData<typeof loader>();
 
   return (
     <PageContainer>
@@ -151,7 +245,7 @@ export default function Page() {
             </DialogTrigger>
             <DialogContent className="max-w-md">
               <DialogHeader>Create a Personal Access Token</DialogHeader>
-              <CreatePersonalAccessToken />
+              <CreatePersonalAccessToken roles={roles} defaultRoleId={defaultRoleId} />
             </DialogContent>
           </Dialog>
         </PageAccessories>
@@ -211,7 +305,15 @@ export default function Page() {
   );
 }
 
-function CreatePersonalAccessToken() {
+type SystemRole = { id: string; name: string; description: string };
+
+function CreatePersonalAccessToken({
+  roles,
+  defaultRoleId,
+}: {
+  roles: SystemRole[];
+  defaultRoleId: string;
+}) {
   const fetcher = useFetcher<typeof action>();
   const lastSubmission = fetcher.data as any;
 
@@ -228,6 +330,14 @@ function CreatePersonalAccessToken() {
     ? (lastSubmission?.payload?.token as CreatedPersonalAccessToken)
     : undefined;
 
+  // With no RBAC plugin installed, rbac.allRoles returns []; hide the
+  // dropdown entirely rather than showing an empty Select.
+  // createPersonalAccessToken's roleId is optional, so omitting it
+  // produces a working PAT with no explicit role attached (matches
+  // pre-RBAC behaviour).
+  const showRolePicker = roles.length > 0;
+  const [selectedRoleId, setSelectedRoleId] = useState(defaultRoleId);
+
   return (
     <div className="max-w-full overflow-x-hidden">
       {token ? (
@@ -248,6 +358,7 @@ function CreatePersonalAccessToken() {
       ) : (
         <fetcher.Form method="post" {...form.props}>
           <input type="hidden" name="action" value="create" />
+          {showRolePicker && <input type="hidden" name="roleId" value={selectedRoleId} />}
           <Fieldset className="mt-3">
             <InputGroup>
               <Label htmlFor={tokenName.id}>Name</Label>
@@ -265,6 +376,37 @@ function CreatePersonalAccessToken() {
               <FormError id={tokenName.errorId}>{tokenName.error}</FormError>
             </InputGroup>
 
+            {showRolePicker && (
+              <InputGroup>
+                <Label>Maximum role</Label>
+                <Select<string, SystemRole>
+                  value={selectedRoleId}
+                  setValue={(v) => setSelectedRoleId(v)}
+                  items={roles}
+                  variant="tertiary/small"
+                  dropdownIcon
+                  text={(v) => roles.find((r) => r.id === v)?.name ?? "Select a role"}
+                >
+                  {(items) =>
+                    items.map((role) => (
+                      <SelectItem key={role.id} value={role.id}>
+                        <span className="flex flex-col">
+                          <span>{role.name}</span>
+                          {role.description ? (
+                            <span className="text-xs text-text-dimmed">{role.description}</span>
+                          ) : null}
+                        </span>
+                      </SelectItem>
+                    ))
+                  }
+                </Select>
+                <Hint>
+                  The token can act with up to this role. Your current role in each org is the
+                  actual ceiling — the token never grants more than you have.
+                </Hint>
+              </InputGroup>
+            )}
+
             <FormButtons
               confirmButton={
                 <Button type="submit" variant={"primary/small"}>
diff --git a/apps/webapp/app/routes/admin._index.tsx b/apps/webapp/app/routes/admin._index.tsx
index aafb8180026..3005934d226 100644
--- a/apps/webapp/app/routes/admin._index.tsx
+++ b/apps/webapp/app/routes/admin._index.tsx
@@ -1,12 +1,9 @@
 import { MagnifyingGlassIcon } from "@heroicons/react/20/solid";
 import { Form } from "@remix-run/react";
-import type { ActionFunctionArgs, LoaderFunctionArgs } from "@remix-run/server-runtime";
-import { redirect } from "@remix-run/server-runtime";
 import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import { z } from "zod";
 import { Button, LinkButton } from "~/components/primitives/Buttons";
 import { CopyableText } from "~/components/primitives/CopyableText";
-import { Header1 } from "~/components/primitives/Headers";
 import { Input } from "~/components/primitives/Input";
 import { PaginationControls } from "~/components/primitives/Pagination";
 import { Paragraph } from "~/components/primitives/Paragraph";
@@ -19,10 +16,8 @@ import {
   TableHeaderCell,
   TableRow,
 } from "~/components/primitives/Table";
-import { useUser } from "~/hooks/useUser";
 import { adminGetUsers, redirectWithImpersonation } from "~/models/admin.server";
-import { commitImpersonationSession, setImpersonationId } from "~/services/impersonation.server";
-import { requireUserId } from "~/services/session.server";
+import { dashboardAction, dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import { createSearchParams } from "~/utils/searchParams";
 
 export const SearchParams = z.object({
@@ -32,33 +27,36 @@ export const SearchParams = z.object({
 
 export type SearchParams = z.infer<typeof SearchParams>;
 
-export const loader = async ({ request, params }: LoaderFunctionArgs) => {
-  const userId = await requireUserId(request);
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true } },
+  async ({ user, request }) => {
+    const searchParams = createSearchParams(request.url, SearchParams);
+    if (!searchParams.success) {
+      throw new Error(searchParams.error);
+    }
+    const result = await adminGetUsers(user.id, searchParams.params.getAll());
 
-  const searchParams = createSearchParams(request.url, SearchParams);
-  if (!searchParams.success) {
-    throw new Error(searchParams.error);
+    return typedjson(result);
   }
-  const result = await adminGetUsers(userId, searchParams.params.getAll());
-
-  return typedjson(result);
-};
+);
 
 const FormSchema = z.object({ id: z.string() });
 
-export async function action({ request }: ActionFunctionArgs) {
-  if (request.method.toLowerCase() !== "post") {
-    return new Response("Method not allowed", { status: 405 });
-  }
+export const action = dashboardAction(
+  { authorization: { requireSuper: true } },
+  async ({ request }) => {
+    if (request.method.toLowerCase() !== "post") {
+      return new Response("Method not allowed", { status: 405 });
+    }
 
-  const payload = Object.fromEntries(await request.formData());
-  const { id } = FormSchema.parse(payload);
+    const payload = Object.fromEntries(await request.formData());
+    const { id } = FormSchema.parse(payload);
 
-  return redirectWithImpersonation(request, id, "/");
-}
+    return redirectWithImpersonation(request, id, "/");
+  }
+);
 
 export default function AdminDashboardRoute() {
-  const user = useUser();
   const { users, filters, page, pageCount } = useTypedLoaderData<typeof loader>();
 
   return (
@@ -136,7 +134,7 @@ export default function AdminDashboardRoute() {
                     </TableCell>
                     <TableCell>{user.admin ? "✅" : ""}</TableCell>
                     <TableCell isSticky={true}>
-                      <Form method="post" reloadDocument>
+                      <Form method="post" action="/admin/impersonate" reloadDocument>
                         <input type="hidden" name="id" value={user.id} />
                         <Button
                           type="submit"
diff --git a/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.burst-factor.ts b/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.burst-factor.ts
new file mode 100644
index 00000000000..fa197fc1694
--- /dev/null
+++ b/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.burst-factor.ts
@@ -0,0 +1,30 @@
+import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { prisma } from "~/db.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
+import { updateEnvConcurrencyLimits } from "~/v3/runQueue.server";
+
+const ParamsSchema = z.object({
+  environmentId: z.string(),
+});
+
+const RequestBodySchema = z.object({
+  burstFactor: z.number().positive(),
+});
+
+export async function action({ request, params }: ActionFunctionArgs) {
+  await requireAdminApiRequest(request);
+
+  const { environmentId } = ParamsSchema.parse(params);
+  const body = RequestBodySchema.parse(await request.json());
+
+  const environment = await prisma.runtimeEnvironment.update({
+    where: { id: environmentId },
+    data: { concurrencyLimitBurstFactor: body.burstFactor },
+    include: { organization: true, project: true },
+  });
+
+  await updateEnvConcurrencyLimits(environment);
+
+  return json({ success: true });
+}
diff --git a/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.engine.repair-queues.ts b/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.engine.repair-queues.ts
index 30d60197f99..a3fd61546e0 100644
--- a/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.engine.repair-queues.ts
+++ b/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.engine.repair-queues.ts
@@ -2,7 +2,7 @@ import { ActionFunctionArgs, json } from "@remix-run/server-runtime";
 import pMap from "p-map";
 import { z } from "zod";
 import { $replica, prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { determineEngineVersion } from "~/v3/engineVersion.server";
 import { engine } from "~/v3/runEngine.server";
 
@@ -16,26 +16,7 @@ const BodySchema = z.object({
 });
 
 export async function action({ request, params }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   const parsedParams = ParamsSchema.parse(params);
 
diff --git a/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.engine.report.ts b/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.engine.report.ts
index 3ea95768991..e37553ea230 100644
--- a/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.engine.report.ts
+++ b/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.engine.report.ts
@@ -1,7 +1,7 @@
 import { json, LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { $replica, prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { determineEngineVersion } from "~/v3/engineVersion.server";
 import { engine } from "~/v3/runEngine.server";
 
@@ -16,26 +16,7 @@ const SearchParamsSchema = z.object({
 });
 
 export async function loader({ request, params }: LoaderFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   const parsedParams = ParamsSchema.parse(params);
 
diff --git a/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.schedules.recover.ts b/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.schedules.recover.ts
index a9ada56085c..33c1581a940 100644
--- a/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.schedules.recover.ts
+++ b/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.schedules.recover.ts
@@ -1,7 +1,7 @@
 import { ActionFunctionArgs, json, LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { scheduleEngine } from "~/v3/scheduleEngine.server";
 
 const ParamsSchema = z.object({
@@ -9,26 +9,7 @@ const ParamsSchema = z.object({
 });
 
 export async function action({ request, params }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   const parsedParams = ParamsSchema.parse(params);
 
diff --git a/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.ts b/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.ts
index f448c5b5aca..34ea14f9da5 100644
--- a/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.ts
+++ b/apps/webapp/app/routes/admin.api.v1.environments.$environmentId.ts
@@ -1,7 +1,7 @@
 import { ActionFunctionArgs, json, LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { engine } from "~/v3/runEngine.server";
 import { updateEnvConcurrencyLimits } from "~/v3/runQueue.server";
 
@@ -15,26 +15,7 @@ const RequestBodySchema = z.object({
 });
 
 export async function action({ request, params }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   const parsedParams = ParamsSchema.parse(params);
 
@@ -71,26 +52,7 @@ const SearchParamsSchema = z.object({
 });
 
 export async function loader({ request, params }: LoaderFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to get this endpoint" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   const parsedParams = ParamsSchema.parse(params);
 
diff --git a/apps/webapp/app/routes/admin.api.v1.feature-flags.ts b/apps/webapp/app/routes/admin.api.v1.feature-flags.ts
index b10c983b14d..92debd43a62 100644
--- a/apps/webapp/app/routes/admin.api.v1.feature-flags.ts
+++ b/apps/webapp/app/routes/admin.api.v1.feature-flags.ts
@@ -1,30 +1,11 @@
 import { ActionFunctionArgs, json } from "@remix-run/server-runtime";
 import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { makeSetMultipleFlags } from "~/v3/featureFlags.server";
 import { validatePartialFeatureFlags } from "~/v3/featureFlags";
 
 export async function action({ request }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findFirst({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   try {
     // Parse the request body
diff --git a/apps/webapp/app/routes/admin.api.v1.gc.ts b/apps/webapp/app/routes/admin.api.v1.gc.ts
index ea63a264acc..fbb5f4c9000 100644
--- a/apps/webapp/app/routes/admin.api.v1.gc.ts
+++ b/apps/webapp/app/routes/admin.api.v1.gc.ts
@@ -2,8 +2,7 @@ import { type DataFunctionArgs } from "@remix-run/node";
 import { PerformanceObserver } from "node:perf_hooks";
 import { runInNewContext } from "node:vm";
 import v8 from "v8";
-import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 
 async function waitTillGcFinishes() {
   let resolver: (value: PerformanceEntry) => void;
@@ -36,21 +35,7 @@ async function waitTillGcFinishes() {
 }
 
 export async function loader({ request }: DataFunctionArgs) {
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    throw new Response("You must be an admin to perform this action", { status: 403 });
-  }
-
-  const user = await prisma.user.findFirst({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user?.admin) {
-    throw new Response("You must be an admin to perform this action", { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   const entry = await waitTillGcFinishes();
 
diff --git a/apps/webapp/app/routes/admin.api.v1.llm-models.$modelId.ts b/apps/webapp/app/routes/admin.api.v1.llm-models.$modelId.ts
index 2556dc8267f..7e5f559a4be 100644
--- a/apps/webapp/app/routes/admin.api.v1.llm-models.$modelId.ts
+++ b/apps/webapp/app/routes/admin.api.v1.llm-models.$modelId.ts
@@ -1,24 +1,10 @@
 import { type ActionFunctionArgs, type LoaderFunctionArgs, json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
-
-async function requireAdmin(request: Request) {
-  const authResult = await authenticateApiRequestWithPersonalAccessToken(request);
-  if (!authResult) {
-    throw json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({ where: { id: authResult.userId } });
-  if (!user?.admin) {
-    throw json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
-
-  return user;
-}
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 
 export async function loader({ request, params }: LoaderFunctionArgs) {
-  await requireAdmin(request);
+  await requireAdminApiRequest(request);
 
   const model = await prisma.llmModel.findUnique({
     where: { id: params.modelId },
@@ -47,6 +33,7 @@ const UpdateModelSchema = z.object({
   maxOutputTokens: z.number().int().nullable().optional(),
   capabilities: z.array(z.string()).optional(),
   isHidden: z.boolean().optional(),
+  pricingUnit: z.string().nullable().optional(),
   pricingTiers: z
     .array(
       z.object({
@@ -69,7 +56,7 @@ const UpdateModelSchema = z.object({
 });
 
 export async function action({ request, params }: ActionFunctionArgs) {
-  await requireAdmin(request);
+  await requireAdminApiRequest(request);
 
   const modelId = params.modelId!;
 
@@ -100,7 +87,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
     return json({ error: "Invalid request body", details: parsed.error.issues }, { status: 400 });
   }
 
-  const { modelName, matchPattern, startDate, pricingTiers, provider, description, contextWindow, maxOutputTokens, capabilities, isHidden } = parsed.data;
+  const { modelName, matchPattern, startDate, pricingTiers, provider, description, contextWindow, maxOutputTokens, capabilities, isHidden, pricingUnit } = parsed.data;
 
   // Validate regex if provided — strip (?i) POSIX flag since our registry handles it
   if (matchPattern) {
@@ -126,6 +113,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
         ...(maxOutputTokens !== undefined && { maxOutputTokens }),
         ...(capabilities !== undefined && { capabilities }),
         ...(isHidden !== undefined && { isHidden }),
+        ...(pricingUnit !== undefined && { pricingUnit }),
       },
     });
 
diff --git a/apps/webapp/app/routes/admin.api.v1.llm-models.missing.ts b/apps/webapp/app/routes/admin.api.v1.llm-models.missing.ts
index 5ca7077e1cc..9e1e7dcb432 100644
--- a/apps/webapp/app/routes/admin.api.v1.llm-models.missing.ts
+++ b/apps/webapp/app/routes/admin.api.v1.llm-models.missing.ts
@@ -1,24 +1,9 @@
 import { type LoaderFunctionArgs, json } from "@remix-run/server-runtime";
-import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { getMissingLlmModels } from "~/services/admin/missingLlmModels.server";
 
-async function requireAdmin(request: Request) {
-  const authResult = await authenticateApiRequestWithPersonalAccessToken(request);
-  if (!authResult) {
-    throw json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({ where: { id: authResult.userId } });
-  if (!user?.admin) {
-    throw json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
-
-  return user;
-}
-
 export async function loader({ request }: LoaderFunctionArgs) {
-  await requireAdmin(request);
+  await requireAdminApiRequest(request);
 
   const url = new URL(request.url);
   const lookbackHours = parseInt(url.searchParams.get("lookbackHours") ?? "24", 10);
diff --git a/apps/webapp/app/routes/admin.api.v1.llm-models.reload.ts b/apps/webapp/app/routes/admin.api.v1.llm-models.reload.ts
index 747722b352a..26eee6d8434 100644
--- a/apps/webapp/app/routes/admin.api.v1.llm-models.reload.ts
+++ b/apps/webapp/app/routes/admin.api.v1.llm-models.reload.ts
@@ -1,18 +1,9 @@
 import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
-import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { llmPricingRegistry } from "~/v3/llmPricingRegistry.server";
 
 export async function action({ request }: ActionFunctionArgs) {
-  const authResult = await authenticateApiRequestWithPersonalAccessToken(request);
-  if (!authResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({ where: { id: authResult.userId } });
-  if (!user?.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   if (!llmPricingRegistry) {
     return json({ error: "LLM cost tracking is disabled" }, { status: 400 });
diff --git a/apps/webapp/app/routes/admin.api.v1.llm-models.seed.ts b/apps/webapp/app/routes/admin.api.v1.llm-models.seed.ts
index 32e780d9fb9..ef85d458733 100644
--- a/apps/webapp/app/routes/admin.api.v1.llm-models.seed.ts
+++ b/apps/webapp/app/routes/admin.api.v1.llm-models.seed.ts
@@ -1,19 +1,11 @@
 import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
 import { seedLlmPricing, syncLlmCatalog } from "@internal/llm-model-catalog";
 import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { llmPricingRegistry } from "~/v3/llmPricingRegistry.server";
 
 export async function action({ request }: ActionFunctionArgs) {
-  const authResult = await authenticateApiRequestWithPersonalAccessToken(request);
-  if (!authResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({ where: { id: authResult.userId } });
-  if (!user?.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   const url = new URL(request.url);
   const action = url.searchParams.get("action") ?? "seed";
diff --git a/apps/webapp/app/routes/admin.api.v1.llm-models.ts b/apps/webapp/app/routes/admin.api.v1.llm-models.ts
index 4e3cc39f47a..6753f37dcff 100644
--- a/apps/webapp/app/routes/admin.api.v1.llm-models.ts
+++ b/apps/webapp/app/routes/admin.api.v1.llm-models.ts
@@ -1,25 +1,11 @@
 import { type ActionFunctionArgs, type LoaderFunctionArgs, json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { generateFriendlyId } from "~/v3/friendlyIdentifiers";
 
-async function requireAdmin(request: Request) {
-  const authResult = await authenticateApiRequestWithPersonalAccessToken(request);
-  if (!authResult) {
-    throw json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({ where: { id: authResult.userId } });
-  if (!user?.admin) {
-    throw json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
-
-  return user;
-}
-
 export async function loader({ request }: LoaderFunctionArgs) {
-  await requireAdmin(request);
+  await requireAdminApiRequest(request);
 
   const url = new URL(request.url);
   const page = parseInt(url.searchParams.get("page") ?? "1");
@@ -55,6 +41,7 @@ const CreateModelSchema = z.object({
   maxOutputTokens: z.number().int().optional(),
   capabilities: z.array(z.string()).optional(),
   isHidden: z.boolean().optional(),
+  pricingUnit: z.string().optional(),
   pricingTiers: z.array(
     z.object({
       name: z.string().min(1),
@@ -75,7 +62,7 @@ const CreateModelSchema = z.object({
 });
 
 export async function action({ request }: ActionFunctionArgs) {
-  await requireAdmin(request);
+  await requireAdminApiRequest(request);
 
   if (request.method !== "POST") {
     return json({ error: "Method not allowed" }, { status: 405 });
@@ -94,7 +81,7 @@ export async function action({ request }: ActionFunctionArgs) {
     return json({ error: "Invalid request body", details: parsed.error.issues }, { status: 400 });
   }
 
-  const { modelName, matchPattern, startDate, source, pricingTiers, provider, description, contextWindow, maxOutputTokens, capabilities, isHidden } = parsed.data;
+  const { modelName, matchPattern, startDate, source, pricingTiers, provider, description, contextWindow, maxOutputTokens, capabilities, isHidden, pricingUnit } = parsed.data;
 
   // Validate regex pattern — strip (?i) POSIX flag since our registry handles it
   try {
@@ -119,6 +106,7 @@ export async function action({ request }: ActionFunctionArgs) {
         maxOutputTokens: maxOutputTokens ?? null,
         capabilities: capabilities ?? [],
         isHidden: isHidden ?? false,
+        pricingUnit: pricingUnit ?? null,
       },
     });
 
diff --git a/apps/webapp/app/routes/admin.api.v1.migrate-legacy-master-queues.ts b/apps/webapp/app/routes/admin.api.v1.migrate-legacy-master-queues.ts
index b960287c92a..ad3575fa390 100644
--- a/apps/webapp/app/routes/admin.api.v1.migrate-legacy-master-queues.ts
+++ b/apps/webapp/app/routes/admin.api.v1.migrate-legacy-master-queues.ts
@@ -1,29 +1,9 @@
 import { ActionFunctionArgs, json } from "@remix-run/server-runtime";
-import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { engine } from "~/v3/runEngine.server";
 
 export async function action({ request }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   try {
     await engine.migrateLegacyMasterQueues();
diff --git a/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.concurrency.ts b/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.concurrency.ts
index d6eee08f37f..f5346a69075 100644
--- a/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.concurrency.ts
+++ b/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.concurrency.ts
@@ -1,7 +1,7 @@
 import { ActionFunctionArgs, json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { marqs } from "~/v3/marqs/index.server";
 import { updateEnvConcurrencyLimits } from "~/v3/runQueue.server";
 
@@ -17,26 +17,7 @@ const RequestBodySchema = z.object({
 });
 
 export async function action({ request, params }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   const { organizationId } = ParamsSchema.parse(params);
 
diff --git a/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.environments.staging.ts b/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.environments.staging.ts
index 6a8628f7526..f3c215bfd44 100644
--- a/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.environments.staging.ts
+++ b/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.environments.staging.ts
@@ -8,7 +8,7 @@ import {
 import { z } from "zod";
 import { prisma } from "~/db.server";
 import { createEnvironment } from "~/models/organization.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { updateEnvConcurrencyLimits } from "~/v3/runQueue.server";
 
 const ParamsSchema = z.object({
@@ -19,26 +19,7 @@ const ParamsSchema = z.object({
  * It will create a staging environment for all the projects where there isn't one already
  */
 export async function action({ request, params }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   const { organizationId } = ParamsSchema.parse(params);
 
diff --git a/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.feature-flags.ts b/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.feature-flags.ts
index bb0671355bd..513616470a0 100644
--- a/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.feature-flags.ts
+++ b/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.feature-flags.ts
@@ -1,43 +1,15 @@
 import { ActionFunctionArgs, LoaderFunctionArgs, json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { validatePartialFeatureFlags } from "~/v3/featureFlags";
 
 const ParamsSchema = z.object({
   organizationId: z.string(),
 });
 
-async function authenticateAdmin(request: Request) {
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return { error: json({ error: "Invalid or Missing API key" }, { status: 401 }) };
-  }
-
-  const user = await prisma.user.findFirst({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return { error: json({ error: "Invalid or Missing API key" }, { status: 401 }) };
-  }
-
-  if (!user.admin) {
-    return { error: json({ error: "You must be an admin to perform this action" }, { status: 403 }) };
-  }
-
-  return { user };
-}
-
 export async function loader({ request, params }: LoaderFunctionArgs) {
-  const authResult = await authenticateAdmin(request);
-
-  if ("error" in authResult) {
-    return authResult.error;
-  }
+  await requireAdminApiRequest(request);
 
   const { organizationId } = ParamsSchema.parse(params);
 
@@ -70,11 +42,7 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
 }
 
 export async function action({ request, params }: ActionFunctionArgs) {
-  const authResult = await authenticateAdmin(request);
-
-  if ("error" in authResult) {
-    return authResult.error;
-  }
+  await requireAdminApiRequest(request);
 
   const { organizationId } = ParamsSchema.parse(params);
 
diff --git a/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.runs.enable.ts b/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.runs.enable.ts
index 6b1cf2d9939..d60754f0461 100644
--- a/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.runs.enable.ts
+++ b/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.runs.enable.ts
@@ -8,7 +8,7 @@ import {
 import { z } from "zod";
 import { prisma } from "~/db.server";
 import { createEnvironment } from "~/models/organization.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { updateEnvConcurrencyLimits } from "~/v3/runQueue.server";
 import { PauseEnvironmentService } from "~/v3/services/pauseEnvironment.server";
 
@@ -24,26 +24,7 @@ const BodySchema = z.object({
  * It will enabled/disable runs
  */
 export async function action({ request, params }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   const { organizationId } = ParamsSchema.parse(params);
   const body = BodySchema.safeParse(await request.json());
diff --git a/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.session-duration.ts b/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.session-duration.ts
new file mode 100644
index 00000000000..9d842aff446
--- /dev/null
+++ b/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.session-duration.ts
@@ -0,0 +1,79 @@
+import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { prisma } from "~/db.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
+import {
+  ALLOWED_SESSION_DURATION_VALUES,
+  isAllowedSessionDuration,
+} from "~/services/sessionDuration.server";
+
+const ParamsSchema = z.object({
+  organizationId: z.string(),
+});
+
+const RequestBodySchema = z.object({
+  /**
+   * Maximum session lifetime (seconds) for members of this organization, or
+   * null to remove the cap. When set, this caps each member's
+   * `User.sessionDuration` and is enforced on the user's next request.
+   *
+   * Must be one of the values in `SESSION_DURATION_OPTIONS` so the cap always
+   * maps to a labeled dropdown option for users — otherwise users see fallback
+   * labels like "7200 seconds" in the UI. To allow a new value, add it to
+   * `SESSION_DURATION_OPTIONS`.
+   */
+  maxSessionDuration: z
+    .number()
+    .int()
+    .positive()
+    .nullable()
+    .refine((v) => v === null || isAllowedSessionDuration(v), {
+      message: `maxSessionDuration must be one of: ${[...ALLOWED_SESSION_DURATION_VALUES]
+        .sort((a, b) => a - b)
+        .join(", ")}`,
+    }),
+});
+
+export async function action({ request, params }: ActionFunctionArgs) {
+  await requireAdminApiRequest(request);
+
+  const { organizationId } = ParamsSchema.parse(params);
+  let rawBody: unknown;
+  try {
+    rawBody = await request.json();
+  } catch {
+    return json(
+      { success: false, errors: { formErrors: ["Invalid JSON body"], fieldErrors: {} } },
+      { status: 400 }
+    );
+  }
+  const parseResult = RequestBodySchema.safeParse(rawBody);
+  if (!parseResult.success) {
+    return json({ success: false, errors: parseResult.error.flatten() }, { status: 400 });
+  }
+  const body = parseResult.data;
+
+  const organization = await prisma.organization.update({
+    where: { id: organizationId },
+    data: { maxSessionDuration: body.maxSessionDuration },
+    select: { id: true, slug: true, maxSessionDuration: true },
+  });
+
+  // Propagate the new cap to currently-logged-in members by shortening their
+  // `nextSessionEnd`. We only ever shorten (`LEAST`): raising or removing the
+  // cap leaves existing sessions alone — the larger window applies on next
+  // login. If a member is in another org with a tighter cap that other cap
+  // remains in effect via their existing `nextSessionEnd` (LEAST keeps it).
+  if (body.maxSessionDuration !== null) {
+    await prisma.$executeRaw`
+      UPDATE "User"
+      SET "nextSessionEnd" = LEAST(
+        COALESCE("nextSessionEnd", 'infinity'::timestamp),
+        NOW() + (LEAST("sessionDuration", ${body.maxSessionDuration}) * INTERVAL '1 second')
+      )
+      WHERE "id" IN (SELECT "userId" FROM "OrgMember" WHERE "organizationId" = ${organizationId})
+    `;
+  }
+
+  return json({ success: true, organization });
+}
diff --git a/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.stream-basin.ts b/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.stream-basin.ts
new file mode 100644
index 00000000000..67fd457c6b3
--- /dev/null
+++ b/apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.stream-basin.ts
@@ -0,0 +1,47 @@
+import { ActionFunctionArgs, json } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
+import { isValidDuration } from "~/services/realtime/duration.server";
+import {
+  deprovisionBasinForOrg,
+  ensureBasinForOrg,
+} from "~/services/realtime/streamBasinProvisioner.server";
+
+const ParamsSchema = z.object({ organizationId: z.string() });
+
+const BodySchema = z.discriminatedUnion("action", [
+  z.object({
+    action: z.literal("ensure"),
+    retention: z
+      .string()
+      .refine(isValidDuration, "retention must be a duration like 7d, 30d, 365d, 1h, 1y"),
+  }),
+  z.object({ action: z.literal("deprovision") }),
+]);
+
+export async function action({ request, params }: ActionFunctionArgs) {
+  await requireAdminApiRequest(request);
+
+  const { organizationId } = ParamsSchema.parse(params);
+
+  let parsed: z.infer<typeof BodySchema>;
+  try {
+    const text = await request.text();
+    const raw = text.length > 0 ? JSON.parse(text) : {};
+    const result = BodySchema.safeParse(raw);
+    if (!result.success) {
+      return json({ ok: false, error: result.error.flatten() }, { status: 400 });
+    }
+    parsed = result.data;
+  } catch {
+    return json({ ok: false, error: "Invalid JSON body" }, { status: 400 });
+  }
+
+  if (parsed.action === "ensure") {
+    const result = await ensureBasinForOrg(organizationId, parsed.retention);
+    return json({ ok: true, ...result });
+  }
+
+  const result = await deprovisionBasinForOrg(organizationId);
+  return json({ ok: true, ...result });
+}
diff --git a/apps/webapp/app/routes/admin.api.v1.platform-notifications.ts b/apps/webapp/app/routes/admin.api.v1.platform-notifications.ts
index 093104bcb05..c0b59631864 100644
--- a/apps/webapp/app/routes/admin.api.v1.platform-notifications.ts
+++ b/apps/webapp/app/routes/admin.api.v1.platform-notifications.ts
@@ -1,7 +1,7 @@
 import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
 import { err, ok, type Result } from "neverthrow";
-import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { logger } from "~/services/logger.server";
+import { authenticateAdminRequest } from "~/services/personalAccessToken.server";
 import {
   createPlatformNotification,
   type CreatePlatformNotificationInput,
@@ -11,24 +11,10 @@ type AdminUser = { id: string; admin: boolean };
 type AuthError = { status: number; message: string };
 
 async function authenticateAdmin(request: Request): Promise<Result<AdminUser, AuthError>> {
-  const authResult = await authenticateApiRequestWithPersonalAccessToken(request);
-  if (!authResult) {
-    return err({ status: 401, message: "Invalid or Missing API key" });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: { id: authResult.userId },
-    select: { id: true, admin: true },
-  });
-
-  if (!user?.admin) {
-    return err({
-      status: user ? 403 : 401,
-      message: user ? "You must be an admin to perform this action" : "Invalid or Missing API key",
-    });
-  }
-
-  return ok(user);
+  const result = await authenticateAdminRequest(request);
+  return result.ok
+    ? ok({ id: result.user.id, admin: result.user.admin })
+    : err({ status: result.status, message: result.message });
 }
 
 export async function action({ request }: ActionFunctionArgs) {
@@ -57,7 +43,8 @@ export async function action({ request }: ActionFunctionArgs) {
       return json({ error: "Validation failed", details: error.issues }, { status: 400 });
     }
 
-    return json({ error: error.message }, { status: 500 });
+    logger.error("Failed to create platform notification", { error });
+    return json({ error: "Something went wrong, please try again." }, { status: 500 });
   }
 
   return json(result.value, { status: 201 });
diff --git a/apps/webapp/app/routes/admin.api.v1.revoked-api-keys.$revokedApiKeyId.ts b/apps/webapp/app/routes/admin.api.v1.revoked-api-keys.$revokedApiKeyId.ts
new file mode 100644
index 00000000000..847828d981f
--- /dev/null
+++ b/apps/webapp/app/routes/admin.api.v1.revoked-api-keys.$revokedApiKeyId.ts
@@ -0,0 +1,48 @@
+import { ActionFunctionArgs, json } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { prisma } from "~/db.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
+
+const ParamsSchema = z.object({
+  revokedApiKeyId: z.string(),
+});
+
+const RequestBodySchema = z.object({
+  expiresAt: z.coerce.date(),
+});
+
+export async function action({ request, params }: ActionFunctionArgs) {
+  await requireAdminApiRequest(request);
+
+  const { revokedApiKeyId } = ParamsSchema.parse(params);
+
+  const rawBody = await request.json();
+  const parsedBody = RequestBodySchema.safeParse(rawBody);
+
+  if (!parsedBody.success) {
+    return json({ error: "Invalid request body", issues: parsedBody.error.issues }, { status: 400 });
+  }
+
+  const existing = await prisma.revokedApiKey.findFirst({
+    where: { id: revokedApiKeyId },
+    select: { id: true },
+  });
+
+  if (!existing) {
+    return json({ error: "Revoked API key not found" }, { status: 404 });
+  }
+
+  const updated = await prisma.revokedApiKey.update({
+    where: { id: revokedApiKeyId },
+    data: { expiresAt: parsedBody.data.expiresAt },
+  });
+
+  return json({
+    success: true,
+    revokedApiKey: {
+      id: updated.id,
+      runtimeEnvironmentId: updated.runtimeEnvironmentId,
+      expiresAt: updated.expiresAt.toISOString(),
+    },
+  });
+}
diff --git a/apps/webapp/app/routes/admin.api.v1.runs-replication.$batchId.backfill.ts b/apps/webapp/app/routes/admin.api.v1.runs-replication.$batchId.backfill.ts
index 105fcaa408f..18427795315 100644
--- a/apps/webapp/app/routes/admin.api.v1.runs-replication.$batchId.backfill.ts
+++ b/apps/webapp/app/routes/admin.api.v1.runs-replication.$batchId.backfill.ts
@@ -1,7 +1,6 @@
 import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
 import { z } from "zod";
-import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { adminWorker } from "~/v3/services/adminWorker.server";
 
 const Body = z.object({
@@ -19,26 +18,7 @@ const DEFAULT_BATCH_SIZE = 500;
 const DEFAULT_DELAY_INTERVAL_MS = 1000;
 
 export async function action({ request, params }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   const { batchId } = Params.parse(params);
 
diff --git a/apps/webapp/app/routes/admin.api.v1.runs-replication.$batchId.cancel.ts b/apps/webapp/app/routes/admin.api.v1.runs-replication.$batchId.cancel.ts
index 8dfcf9fb85b..b80bfba6b54 100644
--- a/apps/webapp/app/routes/admin.api.v1.runs-replication.$batchId.cancel.ts
+++ b/apps/webapp/app/routes/admin.api.v1.runs-replication.$batchId.cancel.ts
@@ -1,7 +1,6 @@
 import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
 import { z } from "zod";
-import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { adminWorker } from "~/v3/services/adminWorker.server";
 
 const Params = z.object({
@@ -9,26 +8,7 @@ const Params = z.object({
 });
 
 export async function action({ request, params }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   const { batchId } = Params.parse(params);
 
diff --git a/apps/webapp/app/routes/admin.api.v1.runs-replication.backfill.ts b/apps/webapp/app/routes/admin.api.v1.runs-replication.backfill.ts
index 0897c30c21d..c4d17ba875d 100644
--- a/apps/webapp/app/routes/admin.api.v1.runs-replication.backfill.ts
+++ b/apps/webapp/app/routes/admin.api.v1.runs-replication.backfill.ts
@@ -3,7 +3,7 @@ import { type TaskRun } from "@trigger.dev/database";
 import { z } from "zod";
 import { prisma } from "~/db.server";
 import { logger } from "~/services/logger.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { runsReplicationInstance } from "~/services/runsReplicationInstance.server";
 import { FINAL_RUN_STATUSES } from "~/v3/taskStatus";
 
@@ -14,26 +14,7 @@ const Body = z.object({
 const MAX_BATCH_SIZE = 50;
 
 export async function action({ request }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   try {
     const body = await request.json();
diff --git a/apps/webapp/app/routes/admin.api.v1.runs-replication.create.ts b/apps/webapp/app/routes/admin.api.v1.runs-replication.create.ts
index 483c2d219a1..0026c66bfda 100644
--- a/apps/webapp/app/routes/admin.api.v1.runs-replication.create.ts
+++ b/apps/webapp/app/routes/admin.api.v1.runs-replication.create.ts
@@ -1,9 +1,8 @@
 import { ActionFunctionArgs, json } from "@remix-run/server-runtime";
-import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { z } from "zod";
-import { ClickHouse } from "@internal/clickhouse";
 import { env } from "~/env.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { RunsReplicationService } from "~/services/runsReplicationService.server";
 import {
   getRunsReplicationGlobal,
@@ -29,26 +28,7 @@ const CreateRunReplicationServiceParams = z.object({
 type CreateRunReplicationServiceParams = z.infer<typeof CreateRunReplicationServiceParams>;
 
 export async function action({ request }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   try {
     const globalService = getRunsReplicationGlobal();
@@ -62,6 +42,8 @@ export async function action({ request }: ActionFunctionArgs) {
 
     const params = CreateRunReplicationServiceParams.parse(await request.json());
 
+    await clickhouseFactory.isReady();
+
     const service = createRunReplicationService(params);
 
     setRunsReplicationGlobal(service);
@@ -77,24 +59,23 @@ export async function action({ request }: ActionFunctionArgs) {
 }
 
 function createRunReplicationService(params: CreateRunReplicationServiceParams) {
-  const clickhouse = new ClickHouse({
-    url: env.RUN_REPLICATION_CLICKHOUSE_URL,
-    name: params.name,
-    keepAlive: {
-      enabled: params.keepAliveEnabled,
-      idleSocketTtl: params.keepAliveIdleSocketTtl,
-    },
-    logLevel: "debug",
-    compression: {
-      request: true,
-    },
-    maxOpenConnections: params.maxOpenConnections,
-  });
+  const {
+    name,
+    maxFlushConcurrency,
+    flushIntervalMs,
+    flushBatchSize,
+    leaderLockTimeoutMs,
+    leaderLockExtendIntervalMs,
+    leaderLockAcquireAdditionalTimeMs,
+    leaderLockRetryIntervalMs,
+    ackIntervalSeconds,
+    waitForAsyncInsert,
+  } = params;
 
   const service = new RunsReplicationService({
-    clickhouse: clickhouse,
+    clickhouseFactory,
     pgConnectionUrl: env.DATABASE_URL,
-    serviceName: params.name,
+    serviceName: name,
     slotName: env.RUN_REPLICATION_SLOT_NAME,
     publicationName: env.RUN_REPLICATION_PUBLICATION_NAME,
     redisOptions: {
@@ -106,16 +87,16 @@ function createRunReplicationService(params: CreateRunReplicationServiceParams)
       enableAutoPipelining: true,
       ...(env.RUN_REPLICATION_REDIS_TLS_DISABLED === "true" ? {} : { tls: {} }),
     },
-    maxFlushConcurrency: params.maxFlushConcurrency,
-    flushIntervalMs: params.flushIntervalMs,
-    flushBatchSize: params.flushBatchSize,
-    leaderLockTimeoutMs: params.leaderLockTimeoutMs,
-    leaderLockExtendIntervalMs: params.leaderLockExtendIntervalMs,
-    leaderLockAcquireAdditionalTimeMs: params.leaderLockAcquireAdditionalTimeMs,
-    leaderLockRetryIntervalMs: params.leaderLockRetryIntervalMs,
-    ackIntervalSeconds: params.ackIntervalSeconds,
+    maxFlushConcurrency,
+    flushIntervalMs,
+    flushBatchSize,
+    leaderLockTimeoutMs,
+    leaderLockExtendIntervalMs,
+    leaderLockAcquireAdditionalTimeMs,
+    leaderLockRetryIntervalMs,
+    ackIntervalSeconds,
     logLevel: "debug",
-    waitForAsyncInsert: params.waitForAsyncInsert,
+    waitForAsyncInsert,
   });
 
   return service;
diff --git a/apps/webapp/app/routes/admin.api.v1.runs-replication.start.ts b/apps/webapp/app/routes/admin.api.v1.runs-replication.start.ts
index a700c4d4f11..d67ca3a1ae3 100644
--- a/apps/webapp/app/routes/admin.api.v1.runs-replication.start.ts
+++ b/apps/webapp/app/routes/admin.api.v1.runs-replication.start.ts
@@ -1,34 +1,17 @@
 import { ActionFunctionArgs, json } from "@remix-run/server-runtime";
-import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { getRunsReplicationGlobal } from "~/services/runsReplicationGlobal.server";
 import { runsReplicationInstance } from "~/services/runsReplicationInstance.server";
 
 export async function action({ request }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   try {
     const globalService = getRunsReplicationGlobal();
 
+    await clickhouseFactory.isReady();
+
     if (globalService) {
       await globalService.start();
     } else {
diff --git a/apps/webapp/app/routes/admin.api.v1.runs-replication.stop.ts b/apps/webapp/app/routes/admin.api.v1.runs-replication.stop.ts
index 1dc53833d86..410a9aeaaba 100644
--- a/apps/webapp/app/routes/admin.api.v1.runs-replication.stop.ts
+++ b/apps/webapp/app/routes/admin.api.v1.runs-replication.stop.ts
@@ -1,30 +1,10 @@
 import { ActionFunctionArgs, json } from "@remix-run/server-runtime";
-import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { getRunsReplicationGlobal } from "~/services/runsReplicationGlobal.server";
 import { runsReplicationInstance } from "~/services/runsReplicationInstance.server";
 
 export async function action({ request }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   try {
     const globalService = getRunsReplicationGlobal();
diff --git a/apps/webapp/app/routes/admin.api.v1.runs-replication.teardown.ts b/apps/webapp/app/routes/admin.api.v1.runs-replication.teardown.ts
index f4a1223dfcf..8bcf760e72f 100644
--- a/apps/webapp/app/routes/admin.api.v1.runs-replication.teardown.ts
+++ b/apps/webapp/app/routes/admin.api.v1.runs-replication.teardown.ts
@@ -1,6 +1,5 @@
 import { ActionFunctionArgs, json } from "@remix-run/server-runtime";
-import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import {
   getRunsReplicationGlobal,
   unregisterRunsReplicationGlobal,
@@ -8,26 +7,7 @@ import {
 import { runsReplicationInstance } from "~/services/runsReplicationInstance.server";
 
 export async function action({ request }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const user = await prisma.user.findUnique({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   try {
     const globalService = getRunsReplicationGlobal();
diff --git a/apps/webapp/app/routes/admin.api.v1.snapshot.ts b/apps/webapp/app/routes/admin.api.v1.snapshot.ts
index 3b345978f5e..daba88f2a42 100644
--- a/apps/webapp/app/routes/admin.api.v1.snapshot.ts
+++ b/apps/webapp/app/routes/admin.api.v1.snapshot.ts
@@ -4,8 +4,7 @@ import os from "os";
 import path from "path";
 import { PassThrough } from "stream";
 import v8 from "v8";
-import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 
 // Format date as yyyy-MM-dd HH_mm_ss_SSS
 function formatDate(date: Date) {
@@ -25,21 +24,7 @@ function formatDate(date: Date) {
 }
 
 export async function loader({ request }: DataFunctionArgs) {
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    throw new Response("You must be an admin to perform this action", { status: 403 });
-  }
-
-  const user = await prisma.user.findFirst({
-    where: {
-      id: authenticationResult.userId,
-    },
-  });
-
-  if (!user?.admin) {
-    throw new Response("You must be an admin to perform this action", { status: 403 });
-  }
+  await requireAdminApiRequest(request);
 
   const tempDir = os.tmpdir();
   const filepath = path.join(
diff --git a/apps/webapp/app/routes/admin.api.v1.workers.ts b/apps/webapp/app/routes/admin.api.v1.workers.ts
index b215d8ce223..caa36e5217b 100644
--- a/apps/webapp/app/routes/admin.api.v1.workers.ts
+++ b/apps/webapp/app/routes/admin.api.v1.workers.ts
@@ -1,9 +1,13 @@
-import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
+import {
+  type ActionFunctionArgs,
+  type LoaderFunctionArgs,
+  json,
+} from "@remix-run/server-runtime";
 import { tryCatch } from "@trigger.dev/core";
-import { type Project } from "@trigger.dev/database";
+import { type Project, WorkerInstanceGroupType, WorkloadType } from "@trigger.dev/database";
 import { z } from "zod";
 import { prisma } from "~/db.server";
-import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
+import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { WorkerGroupService } from "~/v3/services/worker/workerGroupService.server";
 
 const RequestBodySchema = z.object({
@@ -12,34 +16,44 @@ const RequestBodySchema = z.object({
   projectId: z.string().optional(),
   makeDefaultForProject: z.boolean().default(false),
   removeDefaultFromProject: z.boolean().default(false),
+  type: z.nativeEnum(WorkerInstanceGroupType).optional(),
+  hidden: z.boolean().optional(),
+  workloadType: z.nativeEnum(WorkloadType).optional(),
+  cloudProvider: z.string().optional(),
+  location: z.string().optional(),
+  staticIPs: z.string().optional(),
+  enableFastPath: z.boolean().optional(),
 });
 
-export async function action({ request }: ActionFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+export async function loader({ request }: LoaderFunctionArgs) {
+  await requireAdminApiRequest(request);
 
-  const user = await prisma.user.findFirst({
-    where: {
-      id: authenticationResult.userId,
-    },
+  const workerGroups = await prisma.workerInstanceGroup.findMany({
+    orderBy: { createdAt: "asc" },
   });
 
-  if (!user) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+  return json({ workerGroups });
+}
 
-  if (!user.admin) {
-    return json({ error: "You must be an admin to perform this action" }, { status: 403 });
-  }
+export async function action({ request }: ActionFunctionArgs) {
+  await requireAdminApiRequest(request);
 
   try {
     const rawBody = await request.json();
-    const { name, description, projectId, makeDefaultForProject, removeDefaultFromProject } =
-      RequestBodySchema.parse(rawBody ?? {});
+    const {
+      name,
+      description,
+      projectId,
+      makeDefaultForProject,
+      removeDefaultFromProject,
+      type,
+      hidden,
+      workloadType,
+      cloudProvider,
+      location,
+      staticIPs,
+      enableFastPath,
+    } = RequestBodySchema.parse(rawBody ?? {});
 
     if (removeDefaultFromProject) {
       if (!projectId) {
@@ -74,7 +88,17 @@ export async function action({ request }: ActionFunctionArgs) {
     });
 
     if (!existingWorkerGroup) {
-      const { workerGroup, token } = await createWorkerGroup(name, description);
+      const { workerGroup, token } = await createWorkerGroup({
+        name,
+        description,
+        type,
+        hidden,
+        workloadType,
+        cloudProvider,
+        location,
+        staticIPs,
+        enableFastPath,
+      });
 
       if (!makeDefaultForProject) {
         return json({
@@ -150,9 +174,11 @@ export async function action({ request }: ActionFunctionArgs) {
   }
 }
 
-async function createWorkerGroup(name: string | undefined, description: string | undefined) {
+async function createWorkerGroup(
+  options: Parameters<WorkerGroupService["createWorkerGroup"]>[0]
+) {
   const service = new WorkerGroupService();
-  return await service.createWorkerGroup({ name, description });
+  return await service.createWorkerGroup(options);
 }
 
 async function removeDefaultWorkerGroupFromProject(projectId: string) {
diff --git a/apps/webapp/app/routes/admin.back-office._index.tsx b/apps/webapp/app/routes/admin.back-office._index.tsx
new file mode 100644
index 00000000000..e2226aebb4a
--- /dev/null
+++ b/apps/webapp/app/routes/admin.back-office._index.tsx
@@ -0,0 +1,27 @@
+import { typedjson } from "remix-typedjson";
+import { LinkButton } from "~/components/primitives/Buttons";
+import { Header2 } from "~/components/primitives/Headers";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import { dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
+
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true } },
+  async () => {
+    return typedjson({});
+  }
+);
+
+export default function BackOfficeIndex() {
+  return (
+    <div className="flex flex-col items-start gap-3 py-6">
+      <Header2>Back office</Header2>
+      <Paragraph variant="base" className="max-w-prose">
+        Back-office actions are applied to a single organization. Pick an org from the
+        Organizations tab to open its detail page.
+      </Paragraph>
+      <LinkButton to="/admin/orgs" variant="primary/medium">
+        Pick an organization
+      </LinkButton>
+    </div>
+  );
+}
diff --git a/apps/webapp/app/routes/admin.back-office.orgs.$orgId.tsx b/apps/webapp/app/routes/admin.back-office.orgs.$orgId.tsx
new file mode 100644
index 00000000000..627c8bd5297
--- /dev/null
+++ b/apps/webapp/app/routes/admin.back-office.orgs.$orgId.tsx
@@ -0,0 +1,209 @@
+import { useNavigation, useSearchParams } from "@remix-run/react";
+import { useEffect } from "react";
+import { z } from "zod";
+import {
+  redirect,
+  typedjson,
+  useTypedActionData,
+  useTypedLoaderData,
+} from "remix-typedjson";
+import {
+  API_RATE_LIMIT_INTENT,
+  API_RATE_LIMIT_SAVED_VALUE,
+  ApiRateLimitSection,
+} from "~/components/admin/backOffice/ApiRateLimitSection";
+import {
+  handleApiRateLimitAction,
+  resolveEffectiveApiRateLimit,
+} from "~/components/admin/backOffice/ApiRateLimitSection.server";
+import {
+  BATCH_RATE_LIMIT_INTENT,
+  BATCH_RATE_LIMIT_SAVED_VALUE,
+  BatchRateLimitSection,
+} from "~/components/admin/backOffice/BatchRateLimitSection";
+import {
+  handleBatchRateLimitAction,
+  resolveEffectiveBatchRateLimit,
+} from "~/components/admin/backOffice/BatchRateLimitSection.server";
+import {
+  MAX_PROJECTS_INTENT,
+  MAX_PROJECTS_SAVED_VALUE,
+  MaxProjectsSection,
+} from "~/components/admin/backOffice/MaxProjectsSection";
+import { handleMaxProjectsAction } from "~/components/admin/backOffice/MaxProjectsSection.server";
+import { LinkButton } from "~/components/primitives/Buttons";
+import { CopyableText } from "~/components/primitives/CopyableText";
+import { Header1 } from "~/components/primitives/Headers";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import { prisma } from "~/db.server";
+import { dashboardAction, dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
+
+const SAVED_QUERY_KEY = "saved";
+
+const ParamsSchema = z.object({
+  orgId: z.string(),
+});
+
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true }, params: ParamsSchema },
+  async ({ params }) => {
+    const orgId = params.orgId;
+
+    const org = await prisma.organization.findFirst({
+      where: { id: orgId },
+      select: {
+        id: true,
+        slug: true,
+        title: true,
+        createdAt: true,
+        apiRateLimiterConfig: true,
+        batchRateLimitConfig: true,
+        maximumProjectCount: true,
+      },
+    });
+
+    if (!org) {
+      throw new Response(null, { status: 404 });
+    }
+
+    const apiEffective = resolveEffectiveApiRateLimit(org.apiRateLimiterConfig);
+    const batchEffective = resolveEffectiveBatchRateLimit(org.batchRateLimitConfig);
+
+    return typedjson({ org, apiEffective, batchEffective });
+  }
+);
+
+export const action = dashboardAction(
+  { authorization: { requireSuper: true }, params: ParamsSchema },
+  async ({ user, params, request }) => {
+    const orgId = params.orgId;
+
+    const formData = await request.formData();
+    const intent = formData.get("intent");
+
+  if (intent === MAX_PROJECTS_INTENT) {
+    const result = await handleMaxProjectsAction(formData, orgId, user.id);
+    if (!result.ok) {
+      return typedjson(
+        { section: MAX_PROJECTS_SAVED_VALUE, errors: result.errors },
+        { status: 400 }
+      );
+    }
+    return redirect(
+      `/admin/back-office/orgs/${orgId}?${SAVED_QUERY_KEY}=${MAX_PROJECTS_SAVED_VALUE}`
+    );
+  }
+
+  if (intent === API_RATE_LIMIT_INTENT) {
+    const result = await handleApiRateLimitAction(formData, orgId, user.id);
+    if (!result.ok) {
+      return typedjson(
+        { section: API_RATE_LIMIT_SAVED_VALUE, errors: result.errors },
+        { status: 400 }
+      );
+    }
+    return redirect(
+      `/admin/back-office/orgs/${orgId}?${SAVED_QUERY_KEY}=${API_RATE_LIMIT_SAVED_VALUE}`
+    );
+  }
+
+  if (intent === BATCH_RATE_LIMIT_INTENT) {
+    const result = await handleBatchRateLimitAction(formData, orgId, user.id);
+    if (!result.ok) {
+      return typedjson(
+        { section: BATCH_RATE_LIMIT_SAVED_VALUE, errors: result.errors },
+        { status: 400 }
+      );
+    }
+    return redirect(
+      `/admin/back-office/orgs/${orgId}?${SAVED_QUERY_KEY}=${BATCH_RATE_LIMIT_SAVED_VALUE}`
+    );
+  }
+
+    return typedjson(
+      { section: null, errors: { intent: ["Unknown intent."] } },
+      { status: 400 }
+    );
+  }
+);
+
+export default function BackOfficeOrgPage() {
+  const { org, apiEffective, batchEffective } =
+    useTypedLoaderData<typeof loader>();
+  const actionData = useTypedActionData<typeof action>();
+  const navigation = useNavigation();
+  const submittingIntent = navigation.formData?.get("intent");
+  const isSubmittingApi =
+    navigation.state !== "idle" && submittingIntent === API_RATE_LIMIT_INTENT;
+  const isSubmittingBatch =
+    navigation.state !== "idle" && submittingIntent === BATCH_RATE_LIMIT_INTENT;
+  const isSubmittingMaxProjects =
+    navigation.state !== "idle" && submittingIntent === MAX_PROJECTS_INTENT;
+
+  const errorSection =
+    actionData && "section" in actionData ? actionData.section : null;
+  const errors =
+    actionData && "errors" in actionData
+      ? (actionData.errors as Record<string, string[] | undefined>)
+      : null;
+
+  const [searchParams, setSearchParams] = useSearchParams();
+  const savedSectionRaw = searchParams.get(SAVED_QUERY_KEY);
+  // If the action just returned errors for the same section, hide the
+  // "Saved." banner so it doesn't render alongside field errors. Suppressing
+  // here propagates to every read site (auto-dismiss + JSX comparisons).
+  const savedSection =
+    errors && errorSection === savedSectionRaw ? null : savedSectionRaw;
+
+  // Auto-dismiss the "saved" banner after a few seconds.
+  useEffect(() => {
+    if (!savedSection) return;
+    const t = setTimeout(() => {
+      setSearchParams(
+        (prev) => {
+          prev.delete(SAVED_QUERY_KEY);
+          return prev;
+        },
+        { replace: true, preventScrollReset: true }
+      );
+    }, 3000);
+    return () => clearTimeout(t);
+  }, [savedSection, setSearchParams]);
+
+  return (
+    <div className="flex flex-col gap-6 py-4">
+      <div className="flex items-center justify-between">
+        <div className="flex flex-col gap-1">
+          <Header1>{org.title}</Header1>
+          <Paragraph variant="small" className="text-text-dimmed">
+            <CopyableText value={org.slug} /> · <CopyableText value={org.id} />
+          </Paragraph>
+        </div>
+        <LinkButton to="/admin/orgs" variant="tertiary/small">
+          Back to organizations
+        </LinkButton>
+      </div>
+
+      <ApiRateLimitSection
+        effective={apiEffective}
+        errors={errorSection === API_RATE_LIMIT_SAVED_VALUE ? errors : null}
+        savedJustNow={savedSection === API_RATE_LIMIT_SAVED_VALUE}
+        isSubmitting={isSubmittingApi}
+      />
+
+      <BatchRateLimitSection
+        effective={batchEffective}
+        errors={errorSection === BATCH_RATE_LIMIT_SAVED_VALUE ? errors : null}
+        savedJustNow={savedSection === BATCH_RATE_LIMIT_SAVED_VALUE}
+        isSubmitting={isSubmittingBatch}
+      />
+
+      <MaxProjectsSection
+        maximumProjectCount={org.maximumProjectCount}
+        errors={errorSection === MAX_PROJECTS_SAVED_VALUE ? errors : null}
+        savedJustNow={savedSection === MAX_PROJECTS_SAVED_VALUE}
+        isSubmitting={isSubmittingMaxProjects}
+      />
+    </div>
+  );
+}
diff --git a/apps/webapp/app/routes/admin.back-office.tsx b/apps/webapp/app/routes/admin.back-office.tsx
new file mode 100644
index 00000000000..3ec9e99b2ca
--- /dev/null
+++ b/apps/webapp/app/routes/admin.back-office.tsx
@@ -0,0 +1,21 @@
+import { Outlet } from "@remix-run/react";
+import { typedjson } from "remix-typedjson";
+import { dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
+
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true } },
+  async () => {
+    return typedjson({});
+  }
+);
+
+export default function BackOfficeLayout() {
+  return (
+    <main
+      aria-labelledby="primary-heading"
+      className="flex h-full min-w-0 flex-1 flex-col overflow-y-auto px-4 pb-4 lg:order-last"
+    >
+      <Outlet />
+    </main>
+  );
+}
diff --git a/apps/webapp/app/routes/admin.concurrency.tsx b/apps/webapp/app/routes/admin.concurrency.tsx
index a24f7debb9d..630bc100b0b 100644
--- a/apps/webapp/app/routes/admin.concurrency.tsx
+++ b/apps/webapp/app/routes/admin.concurrency.tsx
@@ -1,23 +1,19 @@
 import { InformationCircleIcon } from "@heroicons/react/20/solid";
-import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
-import { redirect, typedjson, useTypedLoaderData } from "remix-typedjson";
+import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import { Header1 } from "~/components/primitives/Headers";
 import { InfoPanel } from "~/components/primitives/InfoPanel";
 import { Paragraph } from "~/components/primitives/Paragraph";
-import { requireUser } from "~/services/session.server";
+import { dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import { concurrencyTracker } from "~/v3/services/taskRunConcurrencyTracker.server";
 
-export const loader = async ({ request, params }: LoaderFunctionArgs) => {
-  const user = await requireUser(request);
-  if (!user.admin) {
-    return redirect("/");
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true } },
+  async () => {
+    const deployedConcurrency = await concurrencyTracker.globalConcurrentRunCount(true);
+    const devConcurrency = await concurrencyTracker.globalConcurrentRunCount(false);
+    return typedjson({ deployedConcurrency, devConcurrency });
   }
-
-  const deployedConcurrency = await concurrencyTracker.globalConcurrentRunCount(true);
-  const devConcurrency = await concurrencyTracker.globalConcurrentRunCount(false);
-
-  return typedjson({ deployedConcurrency, devConcurrency });
-};
+);
 
 export default function AdminDashboardRoute() {
   const { deployedConcurrency, devConcurrency } = useTypedLoaderData<typeof loader>();
diff --git a/apps/webapp/app/routes/admin.data-stores.tsx b/apps/webapp/app/routes/admin.data-stores.tsx
new file mode 100644
index 00000000000..8dafeb9b2fe
--- /dev/null
+++ b/apps/webapp/app/routes/admin.data-stores.tsx
@@ -0,0 +1,481 @@
+import { useState } from "react";
+import { useFetcher } from "@remix-run/react";
+import type { ActionFunctionArgs, LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { redirect } from "@remix-run/server-runtime";
+import { typedjson, useTypedLoaderData } from "remix-typedjson";
+import { z } from "zod";
+import { Button } from "~/components/primitives/Buttons";
+import {
+  Dialog,
+  DialogContent,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "~/components/primitives/Dialog";
+import { Input } from "~/components/primitives/Input";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import { Popover, PopoverContent, PopoverTrigger } from "~/components/primitives/Popover";
+import {
+  Table,
+  TableBlankRow,
+  TableBody,
+  TableCell,
+  TableHeader,
+  TableHeaderCell,
+  TableRow,
+} from "~/components/primitives/Table";
+import { prisma } from "~/db.server";
+import { requireUser } from "~/services/session.server";
+import { ClickhouseConnectionSchema } from "~/services/clickhouse/clickhouseSecretSchemas.server";
+import { organizationDataStoresRegistry } from "~/services/dataStores/organizationDataStoresRegistryInstance.server";
+import { tryCatch } from "@trigger.dev/core/utils";
+
+// ---------------------------------------------------------------------------
+// Loader
+// ---------------------------------------------------------------------------
+
+export const loader = async ({ request }: LoaderFunctionArgs) => {
+  const user = await requireUser(request);
+  if (!user.admin) throw redirect("/");
+
+  const dataStores = await prisma.organizationDataStore.findMany({
+    orderBy: { createdAt: "desc" },
+  });
+
+  return typedjson({ dataStores });
+};
+
+// ---------------------------------------------------------------------------
+// Action
+// ---------------------------------------------------------------------------
+
+const AddSchema = z.object({
+  _action: z.literal("add"),
+  key: z.string().min(1),
+  organizationIds: z.string().min(1),
+  connectionUrl: z.string().url(),
+});
+
+const UpdateSchema = z.object({
+  _action: z.literal("update"),
+  key: z.string().min(1),
+  organizationIds: z.string().min(1),
+  connectionUrl: z.string().url().optional(),
+});
+
+const DeleteSchema = z.object({
+  _action: z.literal("delete"),
+  key: z.string().min(1),
+});
+
+const FormSchema = z.discriminatedUnion("_action", [AddSchema, UpdateSchema, DeleteSchema]);
+
+export async function action({ request }: ActionFunctionArgs) {
+  const user = await requireUser(request);
+  if (!user.admin) throw redirect("/");
+
+  const formData = await request.formData();
+
+  const result = FormSchema.safeParse(Object.fromEntries(formData));
+
+  if (!result.success) {
+    return typedjson(
+      { error: result.error.issues.map((i) => i.message).join(", ") },
+      { status: 400 }
+    );
+  }
+
+  switch (result.data._action) {
+    case "add": {
+      const { key, organizationIds: rawOrgIds, connectionUrl } = result.data;
+      const organizationIds = rawOrgIds
+        .split(",")
+        .map((s) => s.trim())
+        .filter(Boolean);
+
+      const parsedConfig = ClickhouseConnectionSchema.safeParse({ url: connectionUrl });
+      if (!parsedConfig.success) {
+        return typedjson(
+          { error: parsedConfig.error.issues.map((i) => i.message).join(", ") },
+          { status: 400 }
+        );
+      }
+
+      const [error, _] = await tryCatch(
+        organizationDataStoresRegistry.addDataStore({
+          key,
+          kind: "CLICKHOUSE",
+          organizationIds,
+          config: parsedConfig.data,
+        })
+      );
+
+      if (error) {
+        return typedjson({ error: error.message }, { status: 400 });
+      }
+
+      return typedjson({ success: true });
+    }
+    case "update": {
+      const { key, organizationIds: rawOrgIds, connectionUrl } = result.data;
+      const organizationIds = rawOrgIds
+        .split(",")
+        .map((s) => s.trim())
+        .filter(Boolean);
+
+      let config: ReturnType<typeof ClickhouseConnectionSchema.parse> | undefined;
+      if (connectionUrl) {
+        const parsedConfig = ClickhouseConnectionSchema.safeParse({ url: connectionUrl });
+        if (!parsedConfig.success) {
+          return typedjson(
+            { error: parsedConfig.error.issues.map((i) => i.message).join(", ") },
+            { status: 400 }
+          );
+        }
+        config = parsedConfig.data;
+      }
+
+      const [error, _] = await tryCatch(
+        organizationDataStoresRegistry.updateDataStore({
+          key,
+          kind: "CLICKHOUSE",
+          organizationIds,
+          config,
+        })
+      );
+
+      if (error) {
+        return typedjson({ error: error.message }, { status: 400 });
+      }
+
+      return typedjson({ success: true });
+    }
+    case "delete": {
+      const { key } = result.data;
+
+      const [error, _] = await tryCatch(
+        organizationDataStoresRegistry.deleteDataStore({
+          key,
+          kind: "CLICKHOUSE",
+        })
+      );
+
+      if (error) {
+        return typedjson({ error: error.message }, { status: 400 });
+      }
+
+      return typedjson({ success: true });
+    }
+    default: {
+      return typedjson({ error: "Unknown action" }, { status: 400 });
+    }
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Component
+// ---------------------------------------------------------------------------
+
+export default function AdminDataStoresRoute() {
+  const { dataStores } = useTypedLoaderData<typeof loader>();
+  const [addOpen, setAddOpen] = useState(false);
+
+  return (
+    <main className="flex h-full min-w-0 flex-1 flex-col overflow-y-auto px-4 pb-4">
+      <div className="space-y-4">
+        <div className="flex items-center justify-between">
+          <Paragraph variant="small" className="text-text-dimmed">
+            {dataStores.length} data store{dataStores.length !== 1 ? "s" : ""}
+          </Paragraph>
+          <Button variant="primary/small" onClick={() => setAddOpen(true)}>
+            Add data store
+          </Button>
+        </div>
+
+        <Table>
+          <TableHeader>
+            <TableRow>
+              <TableHeaderCell>Key</TableHeaderCell>
+              <TableHeaderCell>Kind</TableHeaderCell>
+              <TableHeaderCell>Organizations</TableHeaderCell>
+              <TableHeaderCell>Created</TableHeaderCell>
+              <TableHeaderCell>Updated</TableHeaderCell>
+              <TableHeaderCell>
+                <span className="sr-only">Actions</span>
+              </TableHeaderCell>
+            </TableRow>
+          </TableHeader>
+          <TableBody>
+            {dataStores.length === 0 ? (
+              <TableBlankRow colSpan={6}>
+                <Paragraph>No data stores configured</Paragraph>
+              </TableBlankRow>
+            ) : (
+              dataStores.map((ds) => (
+                <TableRow key={ds.id}>
+                  <TableCell>
+                    <span className="font-mono text-xs text-text-bright">{ds.key}</span>
+                  </TableCell>
+                  <TableCell>
+                    <span className="inline-flex rounded-sm bg-indigo-500/20 px-1.5 py-0.5 text-[11px] font-medium text-indigo-400">
+                      {ds.kind}
+                    </span>
+                  </TableCell>
+                  <TableCell>
+                    <span className="text-xs text-text-dimmed">
+                      {ds.organizationIds.length} org{ds.organizationIds.length !== 1 ? "s" : ""}
+                    </span>
+                    {ds.organizationIds.length > 0 && (
+                      <span
+                        className="ml-1 text-xs text-text-dimmed"
+                        title={ds.organizationIds.join(", ")}
+                      >
+                        ({ds.organizationIds.slice(0, 2).join(", ")}
+                        {ds.organizationIds.length > 2
+                          ? ` +${ds.organizationIds.length - 2} more`
+                          : ""}
+                        )
+                      </span>
+                    )}
+                  </TableCell>
+                  <TableCell>
+                    <span className="text-xs text-text-dimmed">
+                      {new Date(ds.createdAt).toLocaleString()}
+                    </span>
+                  </TableCell>
+                  <TableCell>
+                    <span className="text-xs text-text-dimmed">
+                      {new Date(ds.updatedAt).toLocaleString()}
+                    </span>
+                  </TableCell>
+                  <TableCell isSticky>
+                    <div className="flex items-center gap-1">
+                      <EditButton name={ds.key} organizationIds={ds.organizationIds} />
+                      <DeleteButton name={ds.key} />
+                    </div>
+                  </TableCell>
+                </TableRow>
+              ))
+            )}
+          </TableBody>
+        </Table>
+      </div>
+
+      <AddDataStoreDialog open={addOpen} onOpenChange={setAddOpen} />
+    </main>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Delete button with popover confirmation
+// ---------------------------------------------------------------------------
+
+function DeleteButton({ name }: { name: string }) {
+  const [open, setOpen] = useState(false);
+  const fetcher = useFetcher<{ success?: boolean; error?: string }>();
+  const isDeleting = fetcher.state !== "idle";
+
+  return (
+    <Popover open={open} onOpenChange={setOpen}>
+      <PopoverTrigger asChild>
+        <Button variant="danger/small" disabled={isDeleting}>
+          {isDeleting ? "Deleting…" : "Delete"}
+        </Button>
+      </PopoverTrigger>
+      <PopoverContent align="end" className="w-72 space-y-3">
+        <Paragraph variant="small" className="text-text-bright">
+          Delete <span className="font-mono font-medium">{name}</span>?
+        </Paragraph>
+        <Paragraph variant="extra-small" className="text-text-dimmed">
+          This will remove the data store and its secret. Organizations using it will fall back to
+          the default ClickHouse instance.
+        </Paragraph>
+        <div className="flex items-center justify-end gap-2">
+          <Button variant="tertiary/small" onClick={() => setOpen(false)}>
+            Cancel
+          </Button>
+          <fetcher.Form method="post" onSubmit={() => setOpen(false)}>
+            <input type="hidden" name="_action" value="delete" />
+            <input type="hidden" name="key" value={name} />
+            <Button type="submit" variant="danger/small">
+              Confirm delete
+            </Button>
+          </fetcher.Form>
+        </div>
+      </PopoverContent>
+    </Popover>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Edit button with dialog
+// ---------------------------------------------------------------------------
+
+function EditButton({ name, organizationIds }: { name: string; organizationIds: string[] }) {
+  const [open, setOpen] = useState(false);
+  const fetcher = useFetcher<{ success?: boolean; error?: string }>();
+  const isSubmitting = fetcher.state !== "idle";
+
+  if (fetcher.data?.success && open) {
+    setOpen(false);
+  }
+
+  return (
+    <>
+      <Button variant="secondary/small" onClick={() => setOpen(true)}>
+        Edit
+      </Button>
+      <Dialog open={open} onOpenChange={setOpen}>
+        <DialogContent className="sm:max-w-lg">
+          <DialogHeader>
+            <DialogTitle>Edit data store</DialogTitle>
+          </DialogHeader>
+
+          <fetcher.Form method="post" className="space-y-4 pt-2">
+            <input type="hidden" name="_action" value="update" />
+            <input type="hidden" name="key" value={name} />
+
+            <div className="space-y-1.5">
+              <label className="text-xs font-medium text-text-dimmed">Key</label>
+              <Input name="_key_display" value={name} readOnly variant="medium" className="font-mono opacity-60" />
+            </div>
+
+            <div className="space-y-1.5">
+              <label className="text-xs font-medium text-text-dimmed">
+                Organization IDs <span className="text-rose-400">*</span>
+              </label>
+              <Input
+                name="organizationIds"
+                defaultValue={organizationIds.join(", ")}
+                placeholder="clxxxxx, clyyyyy, clzzzzz"
+                variant="medium"
+                required
+              />
+              <p className="text-[11px] text-text-dimmed">Comma-separated organization IDs.</p>
+            </div>
+
+            {fetcher.data?.error && <p className="text-xs text-rose-400">{fetcher.data.error}</p>}
+
+            <DialogFooter>
+              <Button variant="tertiary/small" type="button" onClick={() => setOpen(false)} disabled={isSubmitting}>
+                Cancel
+              </Button>
+              <Button type="submit" variant="primary/small" disabled={isSubmitting}>
+                {isSubmitting ? "Saving…" : "Save"}
+              </Button>
+            </DialogFooter>
+          </fetcher.Form>
+        </DialogContent>
+      </Dialog>
+    </>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Add data store dialog
+// ---------------------------------------------------------------------------
+
+function AddDataStoreDialog({
+  open,
+  onOpenChange,
+}: {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+}) {
+  const fetcher = useFetcher<{ success?: boolean; error?: string }>();
+  const isSubmitting = fetcher.state !== "idle";
+
+  // Close dialog on success
+  if (fetcher.data?.success && open) {
+    onOpenChange(false);
+  }
+
+  return (
+    <Dialog open={open} onOpenChange={onOpenChange}>
+      <DialogContent className="sm:max-w-lg">
+        <DialogHeader>
+          <DialogTitle>Add data store</DialogTitle>
+        </DialogHeader>
+
+        <fetcher.Form method="post" className="space-y-4 pt-2">
+          <input type="hidden" name="_action" value="add" />
+
+          <div className="space-y-1.5">
+            <label className="text-xs font-medium text-text-dimmed">
+              Key <span className="text-rose-400">*</span>
+            </label>
+            <Input
+              name="key"
+              placeholder="e.g. hipaa-clickhouse-us-east"
+              variant="medium"
+              required
+              className="font-mono"
+            />
+            <p className="text-[11px] text-text-dimmed">
+              Unique identifier for this data store. Used as the secret key prefix.
+            </p>
+          </div>
+
+          <div className="space-y-1.5">
+            <label className="text-xs font-medium text-text-dimmed">
+              Kind <span className="text-rose-400">*</span>
+            </label>
+            <Input
+              name="kind"
+              value="CLICKHOUSE"
+              readOnly
+              variant="medium"
+              className="opacity-60"
+            />
+          </div>
+
+          <div className="space-y-1.5">
+            <label className="text-xs font-medium text-text-dimmed">
+              Organization IDs <span className="text-rose-400">*</span>
+            </label>
+            <Input
+              name="organizationIds"
+              placeholder="clxxxxx, clyyyyy, clzzzzz"
+              variant="medium"
+              required
+            />
+            <p className="text-[11px] text-text-dimmed">Comma-separated organization IDs.</p>
+          </div>
+
+          <div className="space-y-1.5">
+            <label className="text-xs font-medium text-text-dimmed">
+              ClickHouse connection URL <span className="text-rose-400">*</span>
+            </label>
+            <Input
+              name="connectionUrl"
+              type="password"
+              placeholder="https://user:password@host:8443"
+              variant="medium"
+              required
+              className="font-mono"
+            />
+            <p className="text-[11px] text-text-dimmed">
+              Stored encrypted in SecretStore. Never logged or displayed again.
+            </p>
+          </div>
+
+          {fetcher.data?.error && <p className="text-xs text-rose-400">{fetcher.data.error}</p>}
+
+          <DialogFooter>
+            <Button
+              variant="tertiary/small"
+              type="button"
+              onClick={() => onOpenChange(false)}
+              disabled={isSubmitting}
+            >
+              Cancel
+            </Button>
+            <Button type="submit" variant="primary/small" disabled={isSubmitting}>
+              {isSubmitting ? "Adding…" : "Add data store"}
+            </Button>
+          </DialogFooter>
+        </fetcher.Form>
+      </DialogContent>
+    </Dialog>
+  );
+}
diff --git a/apps/webapp/app/routes/admin.feature-flags.tsx b/apps/webapp/app/routes/admin.feature-flags.tsx
index 8e91bdb0731..02faa7add91 100644
--- a/apps/webapp/app/routes/admin.feature-flags.tsx
+++ b/apps/webapp/app/routes/admin.feature-flags.tsx
@@ -1,14 +1,16 @@
 import { useFetcher } from "@remix-run/react";
-import type { ActionFunctionArgs, LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { useEffect, useState } from "react";
 import stableStringify from "json-stable-stringify";
 import { json } from "@remix-run/server-runtime";
-import { redirect, typedjson, useTypedLoaderData } from "remix-typedjson";
+import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import { z } from "zod";
 import { LockClosedIcon } from "@heroicons/react/20/solid";
 import { prisma } from "~/db.server";
 import { env } from "~/env.server";
-import { requireUser } from "~/services/session.server";
+import {
+  dashboardAction,
+  dashboardLoader,
+} from "~/services/routeBuilders/dashboardBuilder";
 import {
   FEATURE_FLAG,
   GLOBAL_LOCKED_FLAGS,
@@ -38,53 +40,48 @@ import {
   type WorkerGroup,
 } from "~/components/admin/FlagControls";
 
-export const loader = async ({ request }: LoaderFunctionArgs) => {
-  const user = await requireUser(request);
-  if (!user.admin) {
-    return redirect("/");
-  }
-
-  const [globalFlags, workerGroups] = await Promise.all([
-    getGlobalFlags(),
-    prisma.workerInstanceGroup.findMany({
-      select: { id: true, name: true },
-      orderBy: { name: "asc" },
-    }),
-  ]);
-  const controlTypes = getAllFlagControlTypes();
-
-  // Resolve env-based defaults for locked flags
-  const resolvedDefaults: Record<string, string> = {
-    [FEATURE_FLAG.taskEventRepository]: env.EVENT_REPOSITORY_DEFAULT_STORE,
-  };
-
-  // Look up worker group name if the flag is set
-  const workerGroupId = (globalFlags as Record<string, unknown>)?.[
-    FEATURE_FLAG.defaultWorkerInstanceGroupId
-  ];
-  const workerGroupName =
-    typeof workerGroupId === "string"
-      ? workerGroups.find((wg) => wg.id === workerGroupId)?.name
-      : undefined;
-
-  const { isManagedCloud } = featuresForRequest(request);
-
-  return typedjson({
-    globalFlags,
-    controlTypes,
-    resolvedDefaults,
-    workerGroupName,
-    workerGroups,
-    isManagedCloud,
-  });
-};
-
-export const action = async ({ request }: ActionFunctionArgs) => {
-  const user = await requireUser(request);
-  if (!user.admin) {
-    throw new Response("Unauthorized", { status: 403 });
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true } },
+  async ({ request }) => {
+    const [globalFlags, workerGroups] = await Promise.all([
+      getGlobalFlags(),
+      prisma.workerInstanceGroup.findMany({
+        select: { id: true, name: true },
+        orderBy: { name: "asc" },
+      }),
+    ]);
+    const controlTypes = getAllFlagControlTypes();
+
+    // Resolve env-based defaults for locked flags
+    const resolvedDefaults: Record<string, string> = {
+      [FEATURE_FLAG.taskEventRepository]: env.EVENT_REPOSITORY_DEFAULT_STORE,
+    };
+
+    // Look up worker group name if the flag is set
+    const workerGroupId = (globalFlags as Record<string, unknown>)?.[
+      FEATURE_FLAG.defaultWorkerInstanceGroupId
+    ];
+    const workerGroupName =
+      typeof workerGroupId === "string"
+        ? workerGroups.find((wg) => wg.id === workerGroupId)?.name
+        : undefined;
+
+    const { isManagedCloud } = featuresForRequest(request);
+
+    return typedjson({
+      globalFlags,
+      controlTypes,
+      resolvedDefaults,
+      workerGroupName,
+      workerGroups,
+      isManagedCloud,
+    });
   }
+);
 
+export const action = dashboardAction(
+  { authorization: { requireSuper: true } },
+  async ({ request }) => {
   let body: unknown;
   try {
     body = await request.json();
@@ -156,7 +153,8 @@ export const action = async ({ request }: ActionFunctionArgs) => {
   ]);
 
   return json({ success: true });
-};
+  }
+);
 
 export default function AdminFeatureFlagsRoute() {
   const {
@@ -235,10 +233,12 @@ export default function AdminFeatureFlagsRoute() {
   return (
     <main className="flex h-full min-w-0 flex-1 flex-col overflow-y-auto px-4 pb-4 lg:order-last">
       <div className="max-w-2xl space-y-4">
-        <p className="text-sm text-text-dimmed">
-          Global defaults for all organizations. Org-level overrides take precedence. When not set,
+        <Callout variant="warning">
+          These are global feature flags that affect every organization on this instance. Changing
+          values here is a dangerous operation and should rarely be done - prefer org-level
+          overrides where possible. Org-level overrides take precedence; when a flag isn't set,
           each consumer uses its own default.
-        </p>
+        </Callout>
 
         <div className={isManagedCloud ? "cursor-not-allowed" : undefined}>
           <CheckboxWithLabel
diff --git a/apps/webapp/app/routes/admin.impersonate.tsx b/apps/webapp/app/routes/admin.impersonate.tsx
new file mode 100644
index 00000000000..e7a1847c449
--- /dev/null
+++ b/apps/webapp/app/routes/admin.impersonate.tsx
@@ -0,0 +1,57 @@
+import { redirect, type ActionFunctionArgs, type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { redirectWithImpersonation } from "~/models/admin.server";
+import { requireUser } from "~/services/session.server";
+import { validateAndConsumeImpersonationToken } from "~/services/impersonation.server";
+import { logger } from "~/services/logger.server";
+
+const FormSchema = z.object({ id: z.string() });
+
+async function handleImpersonationRequest(request: Request, userId: string): Promise<Response> {
+  const user = await requireUser(request);
+  if (!user.admin) {
+    return redirect("/");
+  }
+  return redirectWithImpersonation(request, userId, "/", user);
+}
+
+export const loader = async ({ request }: LoaderFunctionArgs) => {
+  const url = new URL(request.url);
+  const impersonateUserId = url.searchParams.get("impersonate");
+  const impersonationToken = url.searchParams.get("impersonationToken");
+
+  if (!impersonateUserId) {
+    return redirect("/admin");
+  }
+
+  if (!impersonationToken) {
+    logger.warn("Impersonation request missing token");
+    return redirect("/");
+  }
+
+  // Check admin BEFORE consuming the one-time token
+  const user = await requireUser(request);
+  if (!user.admin) {
+    return redirect("/");
+  }
+
+  const validatedUserId = await validateAndConsumeImpersonationToken(impersonationToken);
+
+  if (!validatedUserId || validatedUserId !== impersonateUserId) {
+    logger.warn("Invalid or expired impersonation token");
+    return redirect("/");
+  }
+
+  return redirectWithImpersonation(request, impersonateUserId, "/", user);
+};
+
+export async function action({ request }: ActionFunctionArgs) {
+  if (request.method.toLowerCase() !== "post") {
+    return new Response("Method not allowed", { status: 405 });
+  }
+
+  const payload = Object.fromEntries(await request.formData());
+  const { id } = FormSchema.parse(payload);
+
+  return handleImpersonationRequest(request, id);
+}
diff --git a/apps/webapp/app/routes/admin.llm-models.$modelId.tsx b/apps/webapp/app/routes/admin.llm-models.$modelId.tsx
index 7b51067dd0c..f048853c4d4 100644
--- a/apps/webapp/app/routes/admin.llm-models.$modelId.tsx
+++ b/apps/webapp/app/routes/admin.llm-models.$modelId.tsx
@@ -1,5 +1,4 @@
 import { Form, useActionData, useNavigate } from "@remix-run/react";
-import type { ActionFunctionArgs, LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { redirect } from "@remix-run/server-runtime";
 import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import { z } from "zod";
@@ -8,34 +7,37 @@ import { Button, LinkButton } from "~/components/primitives/Buttons";
 import { Input } from "~/components/primitives/Input";
 import { Paragraph } from "~/components/primitives/Paragraph";
 import { prisma } from "~/db.server";
-import { requireUserId } from "~/services/session.server";
+import { dashboardAction, dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import { llmPricingRegistry } from "~/v3/llmPricingRegistry.server";
 
-export const loader = async ({ request, params }: LoaderFunctionArgs) => {
-  const userId = await requireUserId(request);
-  const user = await prisma.user.findUnique({ where: { id: userId } });
-  if (!user?.admin) throw redirect("/");
-
-  const model = await prisma.llmModel.findUnique({
-    where: { friendlyId: params.modelId },
-    include: {
-      pricingTiers: { include: { prices: true }, orderBy: { priority: "asc" } },
-    },
-  });
-
-  if (!model) throw new Response("Model not found", { status: 404 });
-
-  // Convert Prisma Decimal to plain numbers for serialization
-  const serialized = {
-    ...model,
-    pricingTiers: model.pricingTiers.map((t) => ({
-      ...t,
-      prices: t.prices.map((p) => ({ ...p, price: Number(p.price) })),
-    })),
-  };
-
-  return typedjson({ model: serialized });
-};
+const ParamsSchema = z.object({
+  modelId: z.string(),
+});
+
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true }, params: ParamsSchema },
+  async ({ params }) => {
+    const model = await prisma.llmModel.findUnique({
+      where: { friendlyId: params.modelId },
+      include: {
+        pricingTiers: { include: { prices: true }, orderBy: { priority: "asc" } },
+      },
+    });
+
+    if (!model) throw new Response("Model not found", { status: 404 });
+
+    // Convert Prisma Decimal to plain numbers for serialization
+    const serialized = {
+      ...model,
+      pricingTiers: model.pricingTiers.map((t) => ({
+        ...t,
+        prices: t.prices.map((p) => ({ ...p, price: Number(p.price) })),
+      })),
+    };
+
+    return typedjson({ model: serialized });
+  }
+);
 
 const SaveSchema = z.object({
   modelName: z.string().min(1),
@@ -47,102 +49,103 @@ const SaveSchema = z.object({
   maxOutputTokens: z.string().optional(),
   capabilities: z.string().optional(),
   isHidden: z.string().optional(),
+  pricingUnit: z.string().optional(),
 });
 
-export async function action({ request, params }: ActionFunctionArgs) {
-  const userId = await requireUserId(request);
-  const user = await prisma.user.findUnique({ where: { id: userId } });
-  if (!user?.admin) throw redirect("/");
-
-  const friendlyId = params.modelId!;
-  const existing = await prisma.llmModel.findUnique({ where: { friendlyId } });
-  if (!existing) throw new Response("Model not found", { status: 404 });
-  const modelId = existing.id;
-
-  const formData = await request.formData();
-  const _action = formData.get("_action");
-
-  if (_action === "delete") {
-    await prisma.llmModel.delete({ where: { id: modelId } });
-    await llmPricingRegistry?.reload();
-    return redirect("/admin/llm-models");
-  }
-
-  if (_action === "save") {
-    const raw = Object.fromEntries(formData);
-    const parsed = SaveSchema.safeParse(raw);
-
-    if (!parsed.success) {
-      return typedjson({ error: "Invalid form data", details: parsed.error.issues }, { status: 400 });
-    }
-
-    const { modelName, matchPattern, pricingTiersJson } = parsed.data;
-
-    // Validate regex — strip (?i) POSIX flag since our registry handles it
-    try {
-      const testPattern = matchPattern.startsWith("(?i)") ? matchPattern.slice(4) : matchPattern;
-      new RegExp(testPattern);
-    } catch {
-      return typedjson({ error: "Invalid regex in matchPattern" }, { status: 400 });
-    }
-
-    // Parse tiers
-    let pricingTiers: Array<{
-      name: string;
-      isDefault: boolean;
-      priority: number;
-      conditions: Array<{ usageDetailPattern: string; operator: string; value: number }>;
-      prices: Record<string, number>;
-    }>;
-    try {
-      pricingTiers = JSON.parse(pricingTiersJson) as typeof pricingTiers;
-    } catch {
-      return typedjson({ error: "Invalid pricing tiers JSON" }, { status: 400 });
+export const action = dashboardAction(
+  { authorization: { requireSuper: true }, params: ParamsSchema },
+  async ({ params, request }) => {
+    const friendlyId = params.modelId;
+    const existing = await prisma.llmModel.findUnique({ where: { friendlyId } });
+    if (!existing) throw new Response("Model not found", { status: 404 });
+    const modelId = existing.id;
+
+    const formData = await request.formData();
+    const _action = formData.get("_action");
+
+    if (_action === "delete") {
+      await prisma.llmModel.delete({ where: { id: modelId } });
+      await llmPricingRegistry?.reload();
+      return redirect("/admin/llm-models");
     }
 
-    // Update model
-    const { provider, description, contextWindow, maxOutputTokens, capabilities, isHidden } = parsed.data;
-    await prisma.llmModel.update({
-      where: { id: modelId },
-      data: {
-        modelName,
-        matchPattern,
-        provider: provider || null,
-        description: description || null,
-        contextWindow: contextWindow ? parseInt(contextWindow) || null : null,
-        maxOutputTokens: maxOutputTokens ? parseInt(maxOutputTokens) || null : null,
-        capabilities: capabilities ? capabilities.split(",").map((s) => s.trim()).filter(Boolean) : [],
-        isHidden: isHidden === "on",
-      },
-    });
-
-    // Replace tiers
-    await prisma.llmPricingTier.deleteMany({ where: { modelId } });
-    for (const tier of pricingTiers) {
-      await prisma.llmPricingTier.create({
+    if (_action === "save") {
+      const raw = Object.fromEntries(formData);
+      const parsed = SaveSchema.safeParse(raw);
+
+      if (!parsed.success) {
+        return typedjson({ error: "Invalid form data", details: parsed.error.issues }, { status: 400 });
+      }
+
+      const { modelName, matchPattern, pricingTiersJson } = parsed.data;
+
+      // Validate regex — strip (?i) POSIX flag since our registry handles it
+      try {
+        const testPattern = matchPattern.startsWith("(?i)") ? matchPattern.slice(4) : matchPattern;
+        new RegExp(testPattern);
+      } catch {
+        return typedjson({ error: "Invalid regex in matchPattern" }, { status: 400 });
+      }
+
+      // Parse tiers
+      let pricingTiers: Array<{
+        name: string;
+        isDefault: boolean;
+        priority: number;
+        conditions: Array<{ usageDetailPattern: string; operator: string; value: number }>;
+        prices: Record<string, number>;
+      }>;
+      try {
+        pricingTiers = JSON.parse(pricingTiersJson) as typeof pricingTiers;
+      } catch {
+        return typedjson({ error: "Invalid pricing tiers JSON" }, { status: 400 });
+      }
+
+      // Update model
+      const { provider, description, contextWindow, maxOutputTokens, capabilities, isHidden, pricingUnit } = parsed.data;
+      await prisma.llmModel.update({
+        where: { id: modelId },
         data: {
-          modelId,
-          name: tier.name,
-          isDefault: tier.isDefault,
-          priority: tier.priority,
-          conditions: tier.conditions,
-          prices: {
-            create: Object.entries(tier.prices).map(([usageType, price]) => ({
-              modelId,
-              usageType,
-              price,
-            })),
-          },
+          modelName,
+          matchPattern,
+          provider: provider || null,
+          description: description || null,
+          contextWindow: contextWindow ? parseInt(contextWindow) || null : null,
+          maxOutputTokens: maxOutputTokens ? parseInt(maxOutputTokens) || null : null,
+          capabilities: capabilities ? capabilities.split(",").map((s) => s.trim()).filter(Boolean) : [],
+          isHidden: isHidden === "on",
+          pricingUnit: pricingUnit || null,
         },
       });
+
+      // Replace tiers
+      await prisma.llmPricingTier.deleteMany({ where: { modelId } });
+      for (const tier of pricingTiers) {
+        await prisma.llmPricingTier.create({
+          data: {
+            modelId,
+            name: tier.name,
+            isDefault: tier.isDefault,
+            priority: tier.priority,
+            conditions: tier.conditions,
+            prices: {
+              create: Object.entries(tier.prices).map(([usageType, price]) => ({
+                modelId,
+                usageType,
+                price,
+              })),
+            },
+          },
+        });
+      }
+
+      await llmPricingRegistry?.reload();
+      return typedjson({ success: true });
     }
 
-    await llmPricingRegistry?.reload();
-    return typedjson({ success: true });
+    return typedjson({ error: "Unknown action" }, { status: 400 });
   }
-
-  return typedjson({ error: "Unknown action" }, { status: 400 });
-}
+);
 
 export default function AdminLlmModelDetailRoute() {
   const { model } = useTypedLoaderData<typeof loader>();
@@ -157,6 +160,7 @@ export default function AdminLlmModelDetailRoute() {
   const [maxOutputTokens, setMaxOutputTokens] = useState(model.maxOutputTokens?.toString() ?? "");
   const [capabilities, setCapabilities] = useState(model.capabilities?.join(", ") ?? "");
   const [isHidden, setIsHidden] = useState(model.isHidden ?? false);
+  const [pricingUnit, setPricingUnit] = useState(model.pricingUnit ?? "");
   const [testInput, setTestInput] = useState("");
   const [tiers, setTiers] = useState(() =>
     model.pricingTiers.map((t) => ({
@@ -324,6 +328,23 @@ export default function AdminLlmModelDetailRoute() {
                 </div>
               </div>
 
+              <div className="space-y-1">
+                <label className="text-xs font-medium text-text-dimmed">Pricing Unit</label>
+                <select
+                  name="pricingUnit"
+                  value={pricingUnit}
+                  onChange={(e) => setPricingUnit(e.target.value)}
+                  className="w-full rounded border border-grid-dimmed bg-charcoal-750 px-2 py-1.5 text-sm text-text-bright"
+                >
+                  <option value="">(unset)</option>
+                  {PRICING_UNITS.map((u) => (
+                    <option key={u} value={u}>
+                      {u}
+                    </option>
+                  ))}
+                </select>
+              </div>
+
               <label className="flex items-center gap-2 text-xs text-text-dimmed">
                 <input
                   type="checkbox"
@@ -424,6 +445,8 @@ type TierData = {
   prices: Record<string, number>;
 };
 
+const PRICING_UNITS = ["tokens", "characters", "images", "minutes", "requests", "free", "not_findable"];
+
 const COMMON_USAGE_TYPES = [
   "input",
   "output",
diff --git a/apps/webapp/app/routes/admin.llm-models._index.tsx b/apps/webapp/app/routes/admin.llm-models._index.tsx
index ea2eff72541..585cbb4637b 100644
--- a/apps/webapp/app/routes/admin.llm-models._index.tsx
+++ b/apps/webapp/app/routes/admin.llm-models._index.tsx
@@ -1,7 +1,5 @@
 import { MagnifyingGlassIcon } from "@heroicons/react/20/solid";
 import { Form, useFetcher, Link } from "@remix-run/react";
-import type { ActionFunctionArgs, LoaderFunctionArgs } from "@remix-run/server-runtime";
-import { redirect } from "@remix-run/server-runtime";
 import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import { z } from "zod";
 import { Button, LinkButton } from "~/components/primitives/Buttons";
@@ -18,7 +16,7 @@ import {
   TableRow,
 } from "~/components/primitives/Table";
 import { prisma } from "~/db.server";
-import { requireUserId } from "~/services/session.server";
+import { dashboardAction, dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import { createSearchParams } from "~/utils/searchParams";
 import { seedLlmPricing, syncLlmCatalog } from "@internal/llm-model-catalog";
 import { llmPricingRegistry } from "~/v3/llmPricingRegistry.server";
@@ -30,121 +28,119 @@ const SearchParams = z.object({
   search: z.string().optional(),
 });
 
-export const loader = async ({ request }: LoaderFunctionArgs) => {
-  const userId = await requireUserId(request);
-  const user = await prisma.user.findUnique({ where: { id: userId } });
-  if (!user?.admin) throw redirect("/");
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true } },
+  async ({ request }) => {
+    const searchParams = createSearchParams(request.url, SearchParams);
+    if (!searchParams.success) throw new Error(searchParams.error);
+    const { page: rawPage, search } = searchParams.params.getAll();
+    const page = rawPage ?? 1;
+
+    const where = {
+      projectId: null as string | null,
+      ...(search ? { modelName: { contains: search, mode: "insensitive" as const } } : {}),
+    };
+
+    const [rawModels, total] = await Promise.all([
+      prisma.llmModel.findMany({
+        where,
+        include: {
+          pricingTiers: { include: { prices: true }, orderBy: { priority: "asc" } },
+        },
+        orderBy: { modelName: "asc" },
+        skip: (page - 1) * PAGE_SIZE,
+        take: PAGE_SIZE,
+      }),
+      prisma.llmModel.count({ where }),
+    ]);
+
+    // Convert Prisma Decimal to plain numbers for serialization
+    const models = rawModels.map((m) => ({
+      ...m,
+      pricingTiers: m.pricingTiers.map((t) => ({
+        ...t,
+        prices: t.prices.map((p) => ({ ...p, price: Number(p.price) })),
+      })),
+    }));
 
-  const searchParams = createSearchParams(request.url, SearchParams);
-  if (!searchParams.success) throw new Error(searchParams.error);
-  const { page: rawPage, search } = searchParams.params.getAll();
-  const page = rawPage ?? 1;
-
-  const where = {
-    projectId: null as string | null,
-    ...(search ? { modelName: { contains: search, mode: "insensitive" as const } } : {}),
-  };
-
-  const [rawModels, total] = await Promise.all([
-    prisma.llmModel.findMany({
-      where,
-      include: {
-        pricingTiers: { include: { prices: true }, orderBy: { priority: "asc" } },
-      },
-      orderBy: { modelName: "asc" },
-      skip: (page - 1) * PAGE_SIZE,
-      take: PAGE_SIZE,
-    }),
-    prisma.llmModel.count({ where }),
-  ]);
-
-  // Convert Prisma Decimal to plain numbers for serialization
-  const models = rawModels.map((m) => ({
-    ...m,
-    pricingTiers: m.pricingTiers.map((t) => ({
-      ...t,
-      prices: t.prices.map((p) => ({ ...p, price: Number(p.price) })),
-    })),
-  }));
-
-  return typedjson({
-    models,
-    total,
-    page,
-    pageCount: Math.ceil(total / PAGE_SIZE),
-    filters: { search },
-  });
-};
-
-export async function action({ request }: ActionFunctionArgs) {
-  const userId = await requireUserId(request);
-  const user = await prisma.user.findUnique({ where: { id: userId } });
-  if (!user?.admin) throw redirect("/");
-
-  const formData = await request.formData();
-  const _action = formData.get("_action");
-
-  if (_action === "seed") {
-    console.log("[admin] seed action started");
-    const result = await seedLlmPricing(prisma);
-    console.log(`[admin] seed complete: ${result.modelsCreated} created, ${result.modelsSkipped} skipped, ${result.modelsUpdated} updated`);
-    await llmPricingRegistry?.reload();
-    console.log("[admin] registry reloaded after seed");
     return typedjson({
-      success: true,
-      message: `Seeded: ${result.modelsCreated} created, ${result.modelsSkipped} skipped, ${result.modelsUpdated} updated`,
+      models,
+      total,
+      page,
+      pageCount: Math.ceil(total / PAGE_SIZE),
+      filters: { search },
     });
   }
+);
+
+export const action = dashboardAction(
+  { authorization: { requireSuper: true } },
+  async ({ request }) => {
+    const formData = await request.formData();
+    const _action = formData.get("_action");
+
+    if (_action === "seed") {
+      console.log("[admin] seed action started");
+      const result = await seedLlmPricing(prisma);
+      console.log(`[admin] seed complete: ${result.modelsCreated} created, ${result.modelsSkipped} skipped, ${result.modelsUpdated} updated`);
+      await llmPricingRegistry?.reload();
+      console.log("[admin] registry reloaded after seed");
+      return typedjson({
+        success: true,
+        message: `Seeded: ${result.modelsCreated} created, ${result.modelsSkipped} skipped, ${result.modelsUpdated} updated`,
+      });
+    }
 
-  if (_action === "sync") {
-    console.log("[admin] sync catalog action started");
-    const result = await syncLlmCatalog(prisma);
-    console.log(`[admin] sync complete: ${result.modelsUpdated} updated, ${result.modelsSkipped} skipped`);
-    await llmPricingRegistry?.reload();
-    console.log("[admin] registry reloaded after sync");
-    return typedjson({
-      success: true,
-      message: `Synced: ${result.modelsUpdated} updated, ${result.modelsSkipped} skipped`,
-    });
-  }
-
-  if (_action === "reload") {
-    console.log("[admin] reload action started");
-    await llmPricingRegistry?.reload();
-    console.log("[admin] registry reloaded");
-    return typedjson({ success: true, message: "Registry reloaded" });
-  }
-
-  if (_action === "test") {
-    const modelString = formData.get("modelString");
-    if (typeof modelString !== "string" || !modelString) {
-      return typedjson({ testResult: null });
+    if (_action === "sync") {
+      console.log("[admin] sync catalog action started");
+      const result = await syncLlmCatalog(prisma);
+      console.log(`[admin] sync complete: ${result.modelsUpdated} updated, ${result.modelsSkipped} skipped`);
+      await llmPricingRegistry?.reload();
+      console.log("[admin] registry reloaded after sync");
+      return typedjson({
+        success: true,
+        message: `Synced: ${result.modelsUpdated} updated, ${result.modelsSkipped} skipped`,
+      });
     }
 
-    // Use the registry's match() which handles prefix stripping automatically
-    const matched = llmPricingRegistry?.match(modelString) ?? null;
+    if (_action === "reload") {
+      console.log("[admin] reload action started");
+      await llmPricingRegistry?.reload();
+      console.log("[admin] registry reloaded");
+      return typedjson({ success: true, message: "Registry reloaded" });
+    }
 
-    return typedjson({
-      testResult: {
-        modelString,
-        match: matched
-          ? { friendlyId: matched.friendlyId, modelName: matched.modelName }
-          : null,
-      },
-    });
-  }
+    if (_action === "test") {
+      const modelString = formData.get("modelString");
+      if (typeof modelString !== "string" || !modelString) {
+        return typedjson({ testResult: null });
+      }
+
+      // Use the registry's match() which handles prefix stripping automatically
+      const matched = llmPricingRegistry?.match(modelString) ?? null;
+
+      return typedjson({
+        testResult: {
+          modelString,
+          match: matched
+            ? { friendlyId: matched.friendlyId, modelName: matched.modelName }
+            : null,
+        },
+      });
+    }
 
-  if (_action === "delete") {
-    const modelId = formData.get("modelId");
-    if (typeof modelId === "string") {
-      await prisma.llmModel.delete({ where: { id: modelId } });
-      await llmPricingRegistry?.reload();
+    if (_action === "delete") {
+      const modelId = formData.get("modelId");
+      if (typeof modelId === "string") {
+        await prisma.llmModel.delete({ where: { id: modelId } });
+        await llmPricingRegistry?.reload();
+      }
+      return typedjson({ success: true });
     }
-    return typedjson({ success: true });
-  }
 
-  return typedjson({ error: "Unknown action" }, { status: 400 });
-}
+    return typedjson({ error: "Unknown action" }, { status: 400 });
+  }
+);
 
 export default function AdminLlmModelsRoute() {
   const { models, filters, page, pageCount, total } =
diff --git a/apps/webapp/app/routes/admin.llm-models.missing.$model.tsx b/apps/webapp/app/routes/admin.llm-models.missing.$model.tsx
index 78cb1c4fc91..3c63ce09fc4 100644
--- a/apps/webapp/app/routes/admin.llm-models.missing.$model.tsx
+++ b/apps/webapp/app/routes/admin.llm-models.missing.$model.tsx
@@ -1,39 +1,40 @@
 import { useState } from "react";
-import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
-import { redirect } from "@remix-run/server-runtime";
 import { typedjson, useTypedLoaderData } from "remix-typedjson";
+import { z } from "zod";
 import { Button, LinkButton } from "~/components/primitives/Buttons";
 import { Paragraph } from "~/components/primitives/Paragraph";
-import { prisma } from "~/db.server";
-import { requireUserId } from "~/services/session.server";
+import { dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import {
   getMissingModelSamples,
   type MissingModelSample,
 } from "~/services/admin/missingLlmModels.server";
 
-export const loader = async ({ request, params }: LoaderFunctionArgs) => {
-  const userId = await requireUserId(request);
-  const user = await prisma.user.findUnique({ where: { id: userId } });
-  if (!user?.admin) throw redirect("/");
+const ParamsSchema = z.object({
+  model: z.string(),
+});
 
-  // Model name is URL-encoded in the URL param
-  const modelName = decodeURIComponent(params.model ?? "");
-  if (!modelName) throw new Response("Missing model param", { status: 400 });
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true }, params: ParamsSchema },
+  async ({ params, request }) => {
+    // Model name is URL-encoded in the URL param
+    const modelName = decodeURIComponent(params.model);
+    if (!modelName) throw new Response("Missing model param", { status: 400 });
 
-  const url = new URL(request.url);
-  const lookbackHours = parseInt(url.searchParams.get("lookbackHours") ?? "24", 10);
+    const url = new URL(request.url);
+    const lookbackHours = parseInt(url.searchParams.get("lookbackHours") ?? "24", 10);
 
-  let samples: MissingModelSample[] = [];
-  let error: string | undefined;
+    let samples: MissingModelSample[] = [];
+    let error: string | undefined;
 
-  try {
-    samples = await getMissingModelSamples({ model: modelName, lookbackHours, limit: 10 });
-  } catch (e) {
-    error = e instanceof Error ? e.message : "Failed to query ClickHouse";
-  }
+    try {
+      samples = await getMissingModelSamples({ model: modelName, lookbackHours, limit: 10 });
+    } catch (e) {
+      error = e instanceof Error ? e.message : "Failed to query ClickHouse";
+    }
 
-  return typedjson({ modelName, samples, lookbackHours, error });
-};
+    return typedjson({ modelName, samples, lookbackHours, error });
+  }
+);
 
 export default function AdminMissingModelDetailRoute() {
   const { modelName, samples, lookbackHours, error } = useTypedLoaderData<typeof loader>();
diff --git a/apps/webapp/app/routes/admin.llm-models.missing._index.tsx b/apps/webapp/app/routes/admin.llm-models.missing._index.tsx
index fd933cd22e9..7cacb727f9c 100644
--- a/apps/webapp/app/routes/admin.llm-models.missing._index.tsx
+++ b/apps/webapp/app/routes/admin.llm-models.missing._index.tsx
@@ -1,6 +1,4 @@
 import { useSearchParams } from "@remix-run/react";
-import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
-import { redirect } from "@remix-run/server-runtime";
 import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import { z } from "zod";
 import { LinkButton } from "~/components/primitives/Buttons";
@@ -14,8 +12,7 @@ import {
   TableHeaderCell,
   TableRow,
 } from "~/components/primitives/Table";
-import { prisma } from "~/db.server";
-import { requireUserId } from "~/services/session.server";
+import { dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import { getMissingLlmModels } from "~/services/admin/missingLlmModels.server";
 
 const LOOKBACK_OPTIONS = [
@@ -30,25 +27,24 @@ const SearchParams = z.object({
   lookbackHours: z.coerce.number().optional(),
 });
 
-export const loader = async ({ request }: LoaderFunctionArgs) => {
-  const userId = await requireUserId(request);
-  const user = await prisma.user.findUnique({ where: { id: userId } });
-  if (!user?.admin) throw redirect("/");
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true } },
+  async ({ request }) => {
+    const url = new URL(request.url);
+    const lookbackHours = parseInt(url.searchParams.get("lookbackHours") ?? "24", 10);
 
-  const url = new URL(request.url);
-  const lookbackHours = parseInt(url.searchParams.get("lookbackHours") ?? "24", 10);
+    let models: Awaited<ReturnType<typeof getMissingLlmModels>> = [];
+    let error: string | undefined;
 
-  let models: Awaited<ReturnType<typeof getMissingLlmModels>> = [];
-  let error: string | undefined;
+    try {
+      models = await getMissingLlmModels({ lookbackHours });
+    } catch (e) {
+      error = e instanceof Error ? e.message : "Failed to query ClickHouse";
+    }
 
-  try {
-    models = await getMissingLlmModels({ lookbackHours });
-  } catch (e) {
-    error = e instanceof Error ? e.message : "Failed to query ClickHouse";
+    return typedjson({ models, lookbackHours, error });
   }
-
-  return typedjson({ models, lookbackHours, error });
-};
+);
 
 export default function AdminLlmModelsMissingRoute() {
   const { models, lookbackHours, error } = useTypedLoaderData<typeof loader>();
diff --git a/apps/webapp/app/routes/admin.llm-models.new.tsx b/apps/webapp/app/routes/admin.llm-models.new.tsx
index 7f18bf5826a..a66601a0c85 100644
--- a/apps/webapp/app/routes/admin.llm-models.new.tsx
+++ b/apps/webapp/app/routes/admin.llm-models.new.tsx
@@ -1,5 +1,4 @@
 import { Form, useActionData, useSearchParams } from "@remix-run/react";
-import type { ActionFunctionArgs, LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { redirect } from "@remix-run/server-runtime";
 import { typedjson } from "remix-typedjson";
 import { z } from "zod";
@@ -7,16 +6,16 @@ import { useState } from "react";
 import { Button, LinkButton } from "~/components/primitives/Buttons";
 import { Input } from "~/components/primitives/Input";
 import { prisma } from "~/db.server";
-import { requireUserId } from "~/services/session.server";
+import { dashboardAction, dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import { generateFriendlyId } from "~/v3/friendlyIdentifiers";
 import { llmPricingRegistry } from "~/v3/llmPricingRegistry.server";
 
-export const loader = async ({ request }: LoaderFunctionArgs) => {
-  const userId = await requireUserId(request);
-  const user = await prisma.user.findUnique({ where: { id: userId } });
-  if (!user?.admin) throw redirect("/");
-  return typedjson({});
-};
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true } },
+  async () => {
+    return typedjson({});
+  }
+);
 
 const CreateSchema = z.object({
   modelName: z.string().min(1),
@@ -28,85 +27,86 @@ const CreateSchema = z.object({
   maxOutputTokens: z.string().optional(),
   capabilities: z.string().optional(),
   isHidden: z.string().optional(),
+  pricingUnit: z.string().optional(),
 });
 
-export async function action({ request }: ActionFunctionArgs) {
-  const userId = await requireUserId(request);
-  const user = await prisma.user.findUnique({ where: { id: userId } });
-  if (!user?.admin) throw redirect("/");
+export const action = dashboardAction(
+  { authorization: { requireSuper: true } },
+  async ({ request }) => {
+    const formData = await request.formData();
+    const raw = Object.fromEntries(formData);
+    console.log("[admin] create model form data:", JSON.stringify(raw).slice(0, 500));
+    const parsed = CreateSchema.safeParse(raw);
+
+    if (!parsed.success) {
+      console.log("[admin] create model validation error:", JSON.stringify(parsed.error.issues));
+      return typedjson({ error: "Invalid form data", details: parsed.error.issues }, { status: 400 });
+    }
 
-  const formData = await request.formData();
-  const raw = Object.fromEntries(formData);
-  console.log("[admin] create model form data:", JSON.stringify(raw).slice(0, 500));
-  const parsed = CreateSchema.safeParse(raw);
+    const { modelName, matchPattern, pricingTiersJson } = parsed.data;
 
-  if (!parsed.success) {
-    console.log("[admin] create model validation error:", JSON.stringify(parsed.error.issues));
-    return typedjson({ error: "Invalid form data", details: parsed.error.issues }, { status: 400 });
-  }
-
-  const { modelName, matchPattern, pricingTiersJson } = parsed.data;
+    // Validate regex — strip (?i) POSIX flag since our registry handles it
+    try {
+      const testPattern = matchPattern.startsWith("(?i)") ? matchPattern.slice(4) : matchPattern;
+      new RegExp(testPattern);
+    } catch {
+      return typedjson({ error: "Invalid regex in matchPattern" }, { status: 400 });
+    }
 
-  // Validate regex — strip (?i) POSIX flag since our registry handles it
-  try {
-    const testPattern = matchPattern.startsWith("(?i)") ? matchPattern.slice(4) : matchPattern;
-    new RegExp(testPattern);
-  } catch {
-    return typedjson({ error: "Invalid regex in matchPattern" }, { status: 400 });
-  }
+    let pricingTiers: Array<{
+      name: string;
+      isDefault: boolean;
+      priority: number;
+      conditions: Array<{ usageDetailPattern: string; operator: string; value: number }>;
+      prices: Record<string, number>;
+    }>;
+    try {
+      pricingTiers = JSON.parse(pricingTiersJson) as typeof pricingTiers;
+    } catch {
+      return typedjson({ error: "Invalid pricing tiers JSON" }, { status: 400 });
+    }
 
-  let pricingTiers: Array<{
-    name: string;
-    isDefault: boolean;
-    priority: number;
-    conditions: Array<{ usageDetailPattern: string; operator: string; value: number }>;
-    prices: Record<string, number>;
-  }>;
-  try {
-    pricingTiers = JSON.parse(pricingTiersJson) as typeof pricingTiers;
-  } catch {
-    return typedjson({ error: "Invalid pricing tiers JSON" }, { status: 400 });
-  }
+    const { provider, description, contextWindow, maxOutputTokens, capabilities, isHidden, pricingUnit } = parsed.data;
 
-  const { provider, description, contextWindow, maxOutputTokens, capabilities, isHidden } = parsed.data;
-
-  const model = await prisma.llmModel.create({
-    data: {
-      friendlyId: generateFriendlyId("llm_model"),
-      modelName,
-      matchPattern,
-      source: "admin",
-      provider: provider || null,
-      description: description || null,
-      contextWindow: contextWindow ? parseInt(contextWindow) || null : null,
-      maxOutputTokens: maxOutputTokens ? parseInt(maxOutputTokens) || null : null,
-      capabilities: capabilities ? capabilities.split(",").map((s) => s.trim()).filter(Boolean) : [],
-      isHidden: isHidden === "on",
-    },
-  });
-
-  for (const tier of pricingTiers) {
-    await prisma.llmPricingTier.create({
+    const model = await prisma.llmModel.create({
       data: {
-        modelId: model.id,
-        name: tier.name,
-        isDefault: tier.isDefault,
-        priority: tier.priority,
-        conditions: tier.conditions,
-        prices: {
-          create: Object.entries(tier.prices).map(([usageType, price]) => ({
-            modelId: model.id,
-            usageType,
-            price,
-          })),
-        },
+        friendlyId: generateFriendlyId("llm_model"),
+        modelName,
+        matchPattern,
+        source: "admin",
+        provider: provider || null,
+        description: description || null,
+        contextWindow: contextWindow ? parseInt(contextWindow) || null : null,
+        maxOutputTokens: maxOutputTokens ? parseInt(maxOutputTokens) || null : null,
+        capabilities: capabilities ? capabilities.split(",").map((s) => s.trim()).filter(Boolean) : [],
+        isHidden: isHidden === "on",
+        pricingUnit: pricingUnit || null,
       },
     });
-  }
 
-  await llmPricingRegistry?.reload();
-  return redirect(`/admin/llm-models/${model.friendlyId}`);
-}
+    for (const tier of pricingTiers) {
+      await prisma.llmPricingTier.create({
+        data: {
+          modelId: model.id,
+          name: tier.name,
+          isDefault: tier.isDefault,
+          priority: tier.priority,
+          conditions: tier.conditions,
+          prices: {
+            create: Object.entries(tier.prices).map(([usageType, price]) => ({
+              modelId: model.id,
+              usageType,
+              price,
+            })),
+          },
+        },
+      });
+    }
+
+    await llmPricingRegistry?.reload();
+    return redirect(`/admin/llm-models/${model.friendlyId}`);
+  }
+);
 
 export default function AdminLlmModelNewRoute() {
   const actionData = useActionData<{ error?: string; details?: unknown[] }>();
@@ -120,6 +120,7 @@ export default function AdminLlmModelNewRoute() {
   const [maxOutputTokens, setMaxOutputTokens] = useState("");
   const [capabilities, setCapabilities] = useState("");
   const [isHidden, setIsHidden] = useState(false);
+  const [pricingUnit, setPricingUnit] = useState("tokens");
   const [testInput, setTestInput] = useState("");
   const [tiers, setTiers] = useState<TierData[]>([
     { name: "Standard", isDefault: true, priority: 0, conditions: [], prices: { input: 0, output: 0 } },
@@ -281,6 +282,23 @@ export default function AdminLlmModelNewRoute() {
                 </div>
               </div>
 
+              <div className="space-y-1">
+                <label className="text-xs font-medium text-text-dimmed">Pricing Unit</label>
+                <select
+                  name="pricingUnit"
+                  value={pricingUnit}
+                  onChange={(e) => setPricingUnit(e.target.value)}
+                  className="w-full rounded border border-grid-dimmed bg-charcoal-750 px-2 py-1.5 text-sm text-text-bright"
+                >
+                  <option value="">(unset)</option>
+                  {PRICING_UNITS.map((u) => (
+                    <option key={u} value={u}>
+                      {u}
+                    </option>
+                  ))}
+                </select>
+              </div>
+
               <label className="flex items-center gap-2 text-xs text-text-dimmed">
                 <input
                   type="checkbox"
@@ -368,6 +386,8 @@ type TierData = {
   prices: Record<string, number>;
 };
 
+const PRICING_UNITS = ["tokens", "characters", "images", "minutes", "requests", "free", "not_findable"];
+
 const COMMON_USAGE_TYPES = [
   "input",
   "output",
diff --git a/apps/webapp/app/routes/admin.notifications.tsx b/apps/webapp/app/routes/admin.notifications.tsx
index 179ab23c3ee..60b74d104cd 100644
--- a/apps/webapp/app/routes/admin.notifications.tsx
+++ b/apps/webapp/app/routes/admin.notifications.tsx
@@ -1,9 +1,6 @@
-import { ChevronRightIcon, TrashIcon, XMarkIcon } from "@heroicons/react/20/solid";
+import { TrashIcon } from "@heroicons/react/20/solid";
 import { useFetcher, useSearchParams } from "@remix-run/react";
-import type { ActionFunctionArgs, LoaderFunctionArgs } from "@remix-run/server-runtime";
-import { redirect } from "@remix-run/server-runtime";
-import { useEffect, useRef, useState, useLayoutEffect } from "react";
-import ReactMarkdown from "react-markdown";
+import { useEffect, useState } from "react";
 import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import { z } from "zod";
 import {
@@ -20,13 +17,19 @@ import { Button } from "~/components/primitives/Buttons";
 import {
   Dialog,
   DialogContent,
+  DialogFooter,
   DialogHeader,
   DialogTitle,
 } from "~/components/primitives/Dialog";
-import { Header3 } from "~/components/primitives/Headers";
+import { Checkbox, CheckboxWithLabel } from "~/components/primitives/Checkbox";
+import { Hint } from "~/components/primitives/Hint";
 import { Input } from "~/components/primitives/Input";
+import { Label } from "~/components/primitives/Label";
+import { NotificationCard } from "~/components/navigation/NotificationCard";
 import { PaginationControls } from "~/components/primitives/Pagination";
 import { Paragraph } from "~/components/primitives/Paragraph";
+import { Select, SelectItem } from "~/components/primitives/Select";
+import { TextArea } from "~/components/primitives/TextArea";
 import {
   Table,
   TableBlankRow,
@@ -36,8 +39,8 @@ import {
   TableHeaderCell,
   TableRow,
 } from "~/components/primitives/Table";
-import { prisma } from "~/db.server";
-import { requireUserId } from "~/services/session.server";
+import { dashboardAction, dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
+import { logger } from "~/services/logger.server";
 import {
   archivePlatformNotification,
   createPlatformNotification,
@@ -47,63 +50,69 @@ import {
   updatePlatformNotification,
 } from "~/services/platformNotifications.server";
 import { createSearchParams } from "~/utils/searchParams";
-import { cn } from "~/utils/cn";
 
 const PAGE_SIZE = 20;
 
 const WEBAPP_TYPES = ["card", "changelog"] as const;
 const CLI_TYPES = ["info", "warn", "error", "success"] as const;
 
+/** Sentinel for the discovery "match behavior" select meaning "none / not configured". */
+const DISCOVERY_MATCH_NONE = "";
+const DISCOVERY_MATCH_LABEL = "— none —";
+
 const SearchParams = z.object({
   page: z.coerce.number().optional(),
   hideInactive: z.coerce.boolean().optional(),
 });
 
-export const loader = async ({ request }: LoaderFunctionArgs) => {
-  const userId = await requireUserId(request);
-  const user = await prisma.user.findUnique({ where: { id: userId } });
-  if (!user?.admin) throw redirect("/");
-
-  const searchParams = createSearchParams(request.url, SearchParams);
-  if (!searchParams.success) throw new Error(searchParams.error);
-  const { page: rawPage, hideInactive } = searchParams.params.getAll();
-  const page = rawPage ?? 1;
-
-  const data = await getAdminNotificationsList({ page, pageSize: PAGE_SIZE, hideInactive: hideInactive ?? false });
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true } },
+  async ({ user, request }) => {
+    const searchParams = createSearchParams(request.url, SearchParams);
+    if (!searchParams.success) throw new Error(searchParams.error);
+    const { page: rawPage, hideInactive } = searchParams.params.getAll();
+    const page = rawPage ?? 1;
+
+    const data = await getAdminNotificationsList({
+      page,
+      pageSize: PAGE_SIZE,
+      hideInactive: hideInactive ?? false,
+    });
 
-  return typedjson({ ...data, userId });
-};
+    return typedjson({ ...data, userId: user.id });
+  }
+);
 
-export async function action({ request }: ActionFunctionArgs) {
-  const userId = await requireUserId(request);
-  const user = await prisma.user.findUnique({ where: { id: userId } });
-  if (!user?.admin) throw redirect("/");
+export const action = dashboardAction(
+  { authorization: { requireSuper: true } },
+  async ({ user, request }) => {
+    const userId = user.id;
+    const formData = await request.formData();
+    const _action = formData.get("_action");
 
-  const formData = await request.formData();
-  const _action = formData.get("_action");
+    if (_action === "create" || _action === "create-preview") {
+      return handleCreateAction(formData, userId, _action === "create-preview");
+    }
 
-  if (_action === "create" || _action === "create-preview") {
-    return handleCreateAction(formData, userId, _action === "create-preview");
-  }
+    if (_action === "archive") {
+      return handleArchiveAction(formData);
+    }
 
-  if (_action === "archive") {
-    return handleArchiveAction(formData);
-  }
+    if (_action === "delete") {
+      return handleDeleteAction(formData);
+    }
 
-  if (_action === "delete") {
-    return handleDeleteAction(formData);
-  }
+    if (_action === "publish-now") {
+      return handlePublishNowAction(formData);
+    }
 
-  if (_action === "publish-now") {
-    return handlePublishNowAction(formData);
-  }
+    if (_action === "edit") {
+      return handleEditAction(formData);
+    }
 
-  if (_action === "edit") {
-    return handleEditAction(formData);
+    return typedjson({ error: "Unknown action" }, { status: 400 });
   }
-
-  return typedjson({ error: "Unknown action" }, { status: 400 });
-}
+);
 
 function parseNotificationFormData(formData: FormData) {
   const surface = formData.get("surface") as string;
@@ -133,12 +142,12 @@ function parseNotificationFormData(formData: FormData) {
     : undefined;
 
   const discoveryFilePatterns = (formData.get("discoveryFilePatterns") as string) || "";
-  const discoveryContentPattern =
-    (formData.get("discoveryContentPattern") as string) || undefined;
-  const discoveryMatchBehavior = (formData.get("discoveryMatchBehavior") as string) || "";
+  const discoveryContentPattern = (formData.get("discoveryContentPattern") as string) || undefined;
+  const discoveryMatchBehavior =
+    (formData.get("discoveryMatchBehavior") as string) || DISCOVERY_MATCH_NONE;
 
   const discovery =
-    discoveryFilePatterns && discoveryMatchBehavior
+    discoveryFilePatterns && discoveryMatchBehavior !== DISCOVERY_MATCH_NONE
       ? {
           filePatterns: discoveryFilePatterns
             .split(",")
@@ -190,7 +199,14 @@ function buildPayloadInput(fields: ReturnType<typeof parseNotificationFormData>)
 async function handleCreateAction(formData: FormData, userId: string, isPreview: boolean) {
   const fields = parseNotificationFormData(formData);
 
-  if (!fields.adminLabel || !fields.title || !fields.description || !fields.endsAt || !fields.surface || !fields.payloadType) {
+  if (
+    !fields.adminLabel ||
+    !fields.title ||
+    !fields.description ||
+    !fields.endsAt ||
+    !fields.surface ||
+    !fields.payloadType
+  ) {
     return typedjson({ error: "Missing required fields" }, { status: 400 });
   }
 
@@ -203,14 +219,18 @@ async function handleCreateAction(formData: FormData, userId: string, isPreview:
       ? { userId }
       : {
           ...(fields.scope === "USER" && fields.scopeUserId ? { userId: fields.scopeUserId } : {}),
-          ...(fields.scope === "ORGANIZATION" && fields.scopeOrganizationId ? { organizationId: fields.scopeOrganizationId } : {}),
-          ...(fields.scope === "PROJECT" && fields.scopeProjectId ? { projectId: fields.scopeProjectId } : {}),
+          ...(fields.scope === "ORGANIZATION" && fields.scopeOrganizationId
+            ? { organizationId: fields.scopeOrganizationId }
+            : {}),
+          ...(fields.scope === "PROJECT" && fields.scopeProjectId
+            ? { projectId: fields.scopeProjectId }
+            : {}),
         }),
     startsAt: isPreview
       ? new Date().toISOString()
       : fields.startsAt
-        ? new Date(fields.startsAt + "Z").toISOString()
-        : new Date().toISOString(),
+      ? new Date(fields.startsAt + "Z").toISOString()
+      : new Date().toISOString(),
     endsAt: isPreview
       ? new Date(Date.now() + 60 * 60 * 1000).toISOString()
       : new Date(fields.endsAt + "Z").toISOString(),
@@ -234,7 +254,8 @@ async function handleCreateAction(formData: FormData, userId: string, isPreview:
         { status: 400 }
       );
     }
-    return typedjson({ error: err.message }, { status: 500 });
+    logger.error("Failed to create platform notification", { error: err });
+    return typedjson({ error: "Something went wrong, please try again." }, { status: 500 });
   }
 
   if (isPreview) {
@@ -249,8 +270,16 @@ async function handleArchiveAction(formData: FormData) {
     return typedjson({ error: "Missing notificationId" }, { status: 400 });
   }
 
-  await archivePlatformNotification(notificationId);
-  return typedjson({ success: true });
+  try {
+    await archivePlatformNotification(notificationId);
+    return typedjson({ success: true });
+  } catch (error) {
+    logger.error("Failed to archive platform notification", { error, notificationId });
+    return typedjson(
+      { error: "Failed to archive notification, please try again." },
+      { status: 500 }
+    );
+  }
 }
 
 async function handleDeleteAction(formData: FormData) {
@@ -259,8 +288,16 @@ async function handleDeleteAction(formData: FormData) {
     return typedjson({ error: "Missing notificationId" }, { status: 400 });
   }
 
-  await deletePlatformNotification(notificationId);
-  return typedjson({ success: true });
+  try {
+    await deletePlatformNotification(notificationId);
+    return typedjson({ success: true });
+  } catch (error) {
+    logger.error("Failed to delete platform notification", { error, notificationId });
+    return typedjson(
+      { error: "Failed to delete notification, please try again." },
+      { status: 500 }
+    );
+  }
 }
 
 async function handlePublishNowAction(formData: FormData) {
@@ -269,15 +306,32 @@ async function handlePublishNowAction(formData: FormData) {
     return typedjson({ error: "Missing notificationId" }, { status: 400 });
   }
 
-  await publishNowPlatformNotification(notificationId);
-  return typedjson({ success: true });
+  try {
+    await publishNowPlatformNotification(notificationId);
+    return typedjson({ success: true });
+  } catch (error) {
+    logger.error("Failed to publish platform notification", { error, notificationId });
+    return typedjson(
+      { error: "Failed to publish notification, please try again." },
+      { status: 500 }
+    );
+  }
 }
 
 async function handleEditAction(formData: FormData) {
   const notificationId = formData.get("notificationId") as string;
   const fields = parseNotificationFormData(formData);
 
-  if (!notificationId || !fields.adminLabel || !fields.title || !fields.description || !fields.endsAt || !fields.surface || !fields.payloadType || !fields.startsAt) {
+  if (
+    !notificationId ||
+    !fields.adminLabel ||
+    !fields.title ||
+    !fields.description ||
+    !fields.endsAt ||
+    !fields.surface ||
+    !fields.payloadType ||
+    !fields.startsAt
+  ) {
     return typedjson({ error: "Missing required fields" }, { status: 400 });
   }
 
@@ -288,8 +342,12 @@ async function handleEditAction(formData: FormData) {
     surface: fields.surface as "CLI" | "WEBAPP",
     scope: fields.scope as "USER" | "PROJECT" | "ORGANIZATION" | "GLOBAL",
     ...(fields.scope === "USER" && fields.scopeUserId ? { userId: fields.scopeUserId } : {}),
-    ...(fields.scope === "ORGANIZATION" && fields.scopeOrganizationId ? { organizationId: fields.scopeOrganizationId } : {}),
-    ...(fields.scope === "PROJECT" && fields.scopeProjectId ? { projectId: fields.scopeProjectId } : {}),
+    ...(fields.scope === "ORGANIZATION" && fields.scopeOrganizationId
+      ? { organizationId: fields.scopeOrganizationId }
+      : {}),
+    ...(fields.scope === "PROJECT" && fields.scopeProjectId
+      ? { projectId: fields.scopeProjectId }
+      : {}),
     startsAt: new Date(fields.startsAt + "Z").toISOString(),
     endsAt: new Date(fields.endsAt + "Z").toISOString(),
     priority: fields.priority,
@@ -310,7 +368,8 @@ async function handleEditAction(formData: FormData) {
         { status: 400 }
       );
     }
-    return typedjson({ error: err.message }, { status: 500 });
+    logger.error("Failed to update platform notification", { error: err });
+    return typedjson({ error: "Something went wrong, please try again." }, { status: 500 });
   }
 
   return typedjson({ success: true, id: result.value.id });
@@ -319,8 +378,12 @@ async function handleEditAction(formData: FormData) {
 export default function AdminNotificationsRoute() {
   const { notifications, total, page, pageCount } = useTypedLoaderData<typeof loader>();
   const [showCreate, setShowCreate] = useState(false);
-  const [detailNotification, setDetailNotification] = useState<(typeof notifications)[number] | null>(null);
-  const [editNotification, setEditNotification] = useState<(typeof notifications)[number] | null>(null);
+  const [detailNotification, setDetailNotification] = useState<
+    (typeof notifications)[number] | null
+  >(null);
+  const [editNotification, setEditNotification] = useState<(typeof notifications)[number] | null>(
+    null
+  );
 
   const [urlSearchParams, setUrlSearchParams] = useSearchParams();
   const hideInactive = urlSearchParams.get("hideInactive") === "true";
@@ -343,23 +406,21 @@ export default function AdminNotificationsRoute() {
       <div className="space-y-4">
         <div className="flex items-center justify-end">
           <Button variant="primary/small" onClick={() => setShowCreate(true)}>
-            Create Notification
+            Create notification
           </Button>
         </div>
 
         <Dialog
           open={showCreate}
-          onOpenChange={(open) => { if (!open) setShowCreate(false); }}
+          onOpenChange={(open) => {
+            if (!open) setShowCreate(false);
+          }}
         >
-          <DialogContent className="max-w-2xl max-h-[90vh] overflow-y-auto">
+          <DialogContent className="max-h-[90vh] max-w-3xl overflow-y-auto">
             <DialogHeader>
-              <DialogTitle>Create Notification</DialogTitle>
+              <DialogTitle>Create notification</DialogTitle>
             </DialogHeader>
-            <NotificationForm
-              key="create"
-              mode="create"
-              onClose={() => setShowCreate(false)}
-            />
+            <NotificationForm key="create" mode="create" onClose={() => setShowCreate(false)} />
           </DialogContent>
         </Dialog>
 
@@ -368,12 +429,7 @@ export default function AdminNotificationsRoute() {
             {total} notifications (page {page} of {pageCount || 1})
           </Paragraph>
           <label className="flex items-center gap-2 text-xs text-text-dimmed">
-            <input
-              type="checkbox"
-              checked={hideInactive}
-              onChange={toggleHideInactive}
-              className="rounded border-grid-dimmed bg-charcoal-900"
-            />
+            <Checkbox checked={hideInactive} onChange={toggleHideInactive} />
             Hide inactive
           </label>
         </div>
@@ -409,7 +465,7 @@ export default function AdminNotificationsRoute() {
                       <button
                         type="button"
                         onClick={() => setDetailNotification(n)}
-                        className="text-sm font-medium text-text-bright hover:text-indigo-400 transition-colors text-left"
+                        className="text-left text-sm font-medium text-text-bright transition-colors hover:text-indigo-400"
                       >
                         {n.title}
                       </button>
@@ -430,33 +486,28 @@ export default function AdminNotificationsRoute() {
                       <span className="text-xs text-text-dimmed">{formatDate(n.endsAt)}</span>
                     </TableCell>
                     <TableCell>
-                      <span className="text-xs font-mono">{n.stats.seen}</span>
+                      <span className="font-mono text-xs">{n.stats.seen}</span>
                     </TableCell>
                     <TableCell>
-                      <span className="text-xs font-mono">{n.stats.clicked}</span>
+                      <span className="font-mono text-xs">{n.stats.clicked}</span>
                     </TableCell>
                     <TableCell>
-                      <span className="text-xs font-mono">{n.stats.dismissed}</span>
+                      <span className="font-mono text-xs">{n.stats.dismissed}</span>
                     </TableCell>
                     <TableCell>
                       <StatusBadge status={status} />
                     </TableCell>
                     <TableCell>
-                      <div className="flex items-center justify-end gap-1 opacity-0 group-hover/row:opacity-100 transition-opacity">
-                        {status === "pending" && (
-                          <PublishNowButton notificationId={n.id} />
-                        )}
-                        {(status === "pending" || status === "releasing" || status === "active") && (
-                          <Button
-                            variant="tertiary/small"
-                            onClick={() => setEditNotification(n)}
-                          >
+                      <div className="flex items-center justify-end gap-1 opacity-0 transition-opacity group-hover/row:opacity-100">
+                        {status === "pending" && <PublishNowButton notificationId={n.id} />}
+                        {(status === "pending" ||
+                          status === "releasing" ||
+                          status === "active") && (
+                          <Button variant="tertiary/small" onClick={() => setEditNotification(n)}>
                             Edit
                           </Button>
                         )}
-                        {status !== "archived" && (
-                          <ArchiveButton notificationId={n.id} />
-                        )}
+                        {status !== "archived" && <ArchiveButton notificationId={n.id} />}
                         <DeleteConfirmationButton notificationId={n.id} />
                       </div>
                     </TableCell>
@@ -476,7 +527,7 @@ export default function AdminNotificationsRoute() {
           if (!open) setDetailNotification(null);
         }}
       >
-        <DialogContent className="max-w-lg">
+        <DialogContent className="max-w-2xl">
           {detailNotification && (
             <>
               <DialogHeader>
@@ -494,11 +545,11 @@ export default function AdminNotificationsRoute() {
           if (!open) setEditNotification(null);
         }}
       >
-        <DialogContent className="max-w-2xl max-h-[90vh] overflow-y-auto">
+        <DialogContent className="max-h-[90vh] max-w-2xl overflow-y-auto">
           {editNotification && (
             <>
               <DialogHeader>
-                <DialogTitle>Edit Notification</DialogTitle>
+                <DialogTitle>Edit notification</DialogTitle>
               </DialogHeader>
               <NotificationForm
                 key={editNotification.id}
@@ -534,7 +585,7 @@ function PublishNowButton({ notificationId }: { notificationId: string }) {
   return (
     <Alert open={open} onOpenChange={setOpen}>
       <AlertTrigger asChild>
-        <Button variant="secondary/small">Publish Now</Button>
+        <Button variant="secondary/small">Publish now</Button>
       </AlertTrigger>
       <AlertContent>
         <AlertHeader>
@@ -575,8 +626,8 @@ function DeleteConfirmationButton({ notificationId }: { notificationId: string }
         <AlertHeader>
           <AlertTitle>Delete notification</AlertTitle>
           <AlertDescription>
-            This will permanently delete this notification and all its interaction data. This
-            action cannot be undone.
+            This will permanently delete this notification and all its interaction data. This action
+            cannot be undone.
           </AlertDescription>
         </AlertHeader>
         <AlertFooter>
@@ -633,13 +684,18 @@ function NotificationForm({
   onClose: () => void;
 }) {
   const fetcher = useFetcher<{ success?: boolean; error?: string; previewId?: string }>();
-  const [surface, setSurface] = useState<"CLI" | "WEBAPP">((n?.surface as "CLI" | "WEBAPP") ?? "WEBAPP");
+  const [surface, setSurface] = useState<"CLI" | "WEBAPP">(
+    (n?.surface as "CLI" | "WEBAPP") ?? "WEBAPP"
+  );
   const [payloadType, setPayloadType] = useState<string>(n?.payloadType ?? "card");
   const [scope, setScope] = useState<string>(n?.scope ?? "GLOBAL");
   const [title, setTitle] = useState(n?.payloadTitle ?? "");
   const [description, setDescription] = useState(n?.payloadDescription ?? "");
   const [actionUrl, setActionUrl] = useState(n?.payloadActionUrl ?? "");
   const [image, setImage] = useState(n?.payloadImage ?? "");
+  const [discoveryMatchBehavior, setDiscoveryMatchBehavior] = useState<string>(
+    n?.payloadDiscovery?.matchBehavior ?? DISCOVERY_MATCH_NONE
+  );
 
   const typeOptions = surface === "WEBAPP" ? WEBAPP_TYPES : CLI_TYPES;
 
@@ -668,50 +724,67 @@ function NotificationForm({
         </>
       )}
 
-      <div className="flex gap-3">
-        <div className="flex-1">
-          <label className="text-xs font-medium text-text-dimmed">Admin Label</label>
-          <Input
-            name="adminLabel"
-            variant="medium"
-            fullWidth
-            defaultValue={n?.title ?? ""}
-            placeholder="Internal name for this notification"
-            className="mt-1"
-          />
-        </div>
+      <input type="hidden" name="surface" value={surface} />
+      <input type="hidden" name="payloadType" value={payloadType} />
+      <input type="hidden" name="scope" value={scope} />
 
+      <div>
+        <Label variant="small">
+          Admin name <span className="text-red-400">*</span>
+        </Label>
+        <Input
+          name="adminLabel"
+          variant="medium"
+          fullWidth
+          defaultValue={n?.title ?? ""}
+          placeholder="Internal name for this notification"
+          className="mt-1"
+        />
+      </div>
+
+      <div className="flex gap-3">
         <div className="w-28">
-          <label className="text-xs font-medium text-text-dimmed">Surface</label>
-          <select
-            name="surface"
+          <Label variant="small">Show in</Label>
+          <Select<"CLI" | "WEBAPP", "CLI" | "WEBAPP">
             value={surface}
-            onChange={(e) => handleSurfaceChange(e.target.value as "CLI" | "WEBAPP")}
-            className="mt-1 block w-full rounded-sm border border-grid-dimmed bg-charcoal-900 px-2 py-1.5 text-sm text-text-bright"
+            setValue={(v) => handleSurfaceChange(v as "CLI" | "WEBAPP")}
+            variant="tertiary/medium"
+            items={["WEBAPP", "CLI"]}
+            text={(v) => v}
+            className="mt-1 w-full"
           >
-            <option value="WEBAPP">WEBAPP</option>
-            <option value="CLI">CLI</option>
-          </select>
+            {(items) =>
+              items.map((item) => (
+                <SelectItem key={item} value={item}>
+                  {item}
+                </SelectItem>
+              ))
+            }
+          </Select>
         </div>
 
         <div className="w-28">
-          <label className="text-xs font-medium text-text-dimmed">Type</label>
-          <select
-            name="payloadType"
+          <Label variant="small">Display as</Label>
+          <Select<string, string>
             value={payloadType}
-            onChange={(e) => setPayloadType(e.target.value)}
-            className="mt-1 block w-full rounded-sm border border-grid-dimmed bg-charcoal-900 px-2 py-1.5 text-sm text-text-bright"
+            setValue={setPayloadType}
+            variant="tertiary/medium"
+            items={[...typeOptions]}
+            text={(v) => v}
+            className="mt-1 w-full"
           >
-            {typeOptions.map((t) => (
-              <option key={t} value={t}>
-                {t}
-              </option>
-            ))}
-          </select>
+            {(items) =>
+              items.map((item) => (
+                <SelectItem key={item} value={item}>
+                  {item}
+                </SelectItem>
+              ))
+            }
+          </Select>
         </div>
 
-        <div className="w-16">
-          <label className="text-xs font-medium text-text-dimmed">Priority</label>
+        <div className="w-20">
+          <Label variant="small">Priority</Label>
           <Input
             name="priority"
             variant="medium"
@@ -721,53 +794,75 @@ function NotificationForm({
             className="mt-1"
           />
         </div>
-      </div>
 
-      <div className="flex gap-3">
-        <div className="w-36">
-          <label className="text-xs font-medium text-text-dimmed">Scope</label>
-          <select
-            name="scope"
+        <div className="flex-1">
+          <Label variant="small">Scope</Label>
+          <Select<string, string>
             value={scope}
-            onChange={(e) => setScope(e.target.value)}
-            className="mt-1 block w-full rounded-sm border border-grid-dimmed bg-charcoal-900 px-2 py-1.5 text-sm text-text-bright"
+            setValue={setScope}
+            variant="tertiary/medium"
+            items={["GLOBAL", "USER", "ORGANIZATION", "PROJECT"]}
+            text={(v) => v}
+            className="mt-1 w-full"
           >
-            <option value="GLOBAL">GLOBAL</option>
-            <option value="USER">USER</option>
-            <option value="ORGANIZATION">ORGANIZATION</option>
-            <option value="PROJECT">PROJECT</option>
-          </select>
+            {(items) =>
+              items.map((item) => (
+                <SelectItem key={item} value={item}>
+                  {item}
+                </SelectItem>
+              ))
+            }
+          </Select>
         </div>
+      </div>
 
-        {scope === "USER" && (
-          <div className="flex-1">
-            <label className="text-xs font-medium text-text-dimmed">User ID</label>
-            <Input name="scopeUserId" variant="medium" fullWidth defaultValue={n?.userId ?? ""} placeholder="User ID" className="mt-1" />
-          </div>
-        )}
+      {scope === "USER" && (
+        <div>
+          <Label variant="small">User ID</Label>
+          <Input
+            name="scopeUserId"
+            variant="medium"
+            fullWidth
+            defaultValue={n?.userId ?? ""}
+            placeholder="User ID"
+            className="mt-1"
+          />
+        </div>
+      )}
 
-        {scope === "ORGANIZATION" && (
-          <div className="flex-1">
-            <label className="text-xs font-medium text-text-dimmed">Organization ID</label>
-            <Input name="scopeOrganizationId" variant="medium" fullWidth defaultValue={n?.organizationId ?? ""} placeholder="Organization ID" className="mt-1" />
-          </div>
-        )}
+      {scope === "ORGANIZATION" && (
+        <div>
+          <Label variant="small">Organization ID</Label>
+          <Input
+            name="scopeOrganizationId"
+            variant="medium"
+            fullWidth
+            defaultValue={n?.organizationId ?? ""}
+            placeholder="Organization ID"
+            className="mt-1"
+          />
+        </div>
+      )}
 
-        {scope === "PROJECT" && (
-          <div className="flex-1">
-            <label className="text-xs font-medium text-text-dimmed">Project ID</label>
-            <Input name="scopeProjectId" variant="medium" fullWidth defaultValue={n?.projectId ?? ""} placeholder="Project ID" className="mt-1" />
-          </div>
-        )}
-      </div>
+      {scope === "PROJECT" && (
+        <div>
+          <Label variant="small">Project ID</Label>
+          <Input
+            name="scopeProjectId"
+            variant="medium"
+            fullWidth
+            defaultValue={n?.projectId ?? ""}
+            placeholder="Project ID"
+            className="mt-1"
+          />
+        </div>
+      )}
 
       {/* CLI live preview */}
       {surface === "CLI" && (title || description) && (
         <div>
-          <p className="text-[10px] font-medium text-text-dimmed/60 uppercase tracking-wider mb-1">
-            CLI Preview
-          </p>
-          <div className="rounded border border-grid-dimmed bg-charcoal-900 p-3 font-mono text-xs leading-relaxed">
+          <Label variant="small">CLI preview</Label>
+          <div className="mt-1 rounded border border-grid-dimmed bg-charcoal-900 p-3 font-mono text-xs leading-relaxed">
             {title && (
               <p className="font-bold text-text-bright">
                 <CliColorMarkup text={title} fallbackClass="text-text-bright" />
@@ -778,109 +873,112 @@ function NotificationForm({
                 <CliColorMarkup text={description} fallbackClass="text-text-dimmed" />
               </p>
             )}
-            {actionUrl && (
-              <p className="text-text-dimmed underline">{actionUrl}</p>
-            )}
+            {actionUrl && <p className="text-text-dimmed underline">{actionUrl}</p>}
           </div>
         </div>
       )}
 
-      <div>
-        <label className="text-xs font-medium text-text-dimmed">Title</label>
-        <Input
-          name="title"
-          variant="medium"
-          fullWidth
-          placeholder="Notification title"
-          value={title}
-          onChange={(e) => setTitle(e.target.value)}
-          className="mt-1"
-        />
-      </div>
+      <hr className="-mx-4 border-grid-bright" />
 
-      <div>
-        <label className="text-xs font-medium text-text-dimmed">
-          Description{surface === "WEBAPP" ? " (markdown)" : ""}
-        </label>
-        {surface === "WEBAPP" ? (
-          <div className="mt-1 flex gap-3">
-            <textarea
+      {surface === "WEBAPP" ? (
+        <div className="flex gap-3">
+          <div className="min-w-0 flex-1 space-y-3">
+            <div>
+              <Label variant="small">
+                Title <span className="text-red-400">*</span>
+              </Label>
+              <TextArea
+                name="title"
+                value={title}
+                onChange={(e) => setTitle(e.target.value)}
+                rows={2}
+                placeholder="Notification title"
+                className="mt-1"
+              />
+            </div>
+            <div>
+              <Label variant="small">
+                Description (markdown) <span className="text-red-400">*</span>
+              </Label>
+              <TextArea
+                name="description"
+                value={description}
+                onChange={(e) => setDescription(e.target.value)}
+                rows={6}
+                placeholder="Supports **bold**, *italic*, `code`, [links](url)..."
+                className="mt-1 font-mono"
+              />
+            </div>
+          </div>
+          <div className="w-56 shrink-0">
+            <Label variant="small">Preview</Label>
+            <div className="mt-1">
+              <NotificationCard
+                title={title || "Notification title"}
+                description={description || "Description preview will appear here..."}
+                actionUrl={actionUrl || undefined}
+                image={image || undefined}
+              />
+            </div>
+          </div>
+        </div>
+      ) : (
+        <>
+          <div>
+            <Label variant="small">
+              Title <span className="text-red-400">*</span>
+            </Label>
+            <TextArea
+              name="title"
+              value={title}
+              onChange={(e) => setTitle(e.target.value)}
+              rows={2}
+              placeholder="Notification title"
+              className="mt-1 font-mono"
+            />
+          </div>
+          <div>
+            <Label variant="small">
+              Description <span className="text-red-400">*</span>
+            </Label>
+            <TextArea
               name="description"
               value={description}
               onChange={(e) => setDescription(e.target.value)}
               rows={6}
-              placeholder="Supports **bold**, *italic*, `code`, [links](url)..."
-              className="block min-w-0 flex-1 rounded-sm border border-grid-dimmed bg-charcoal-900 px-2 py-1.5 text-sm text-text-bright placeholder:text-text-dimmed/50 font-mono resize-y"
+              placeholder="Plain text description..."
+              className="mt-1 font-mono"
             />
-            <div className="shrink-0">
-              <div className="text-[10px] font-medium text-text-dimmed/60 uppercase tracking-wider mb-1">
-                Preview
-              </div>
-              <div className="w-56">
-                <NotificationPreviewCard
-                  title={title || "Notification title"}
-                  description={description || "Description preview will appear here..."}
-                  actionUrl={actionUrl || undefined}
-                  image={image || undefined}
-                />
-              </div>
-            </div>
           </div>
-        ) : (
-          <textarea
-            name="description"
-            value={description}
-            onChange={(e) => setDescription(e.target.value)}
-            rows={6}
-            placeholder="Plain text description..."
-            className="mt-1 block w-full rounded-sm border border-grid-dimmed bg-charcoal-900 px-2 py-1.5 text-sm text-text-bright placeholder:text-text-dimmed/50 font-mono resize-y"
+        </>
+      )}
+
+      <div>
+        <Label variant="small">Action URL</Label>
+        <Input
+          name="actionUrl"
+          variant="medium"
+          fullWidth
+          placeholder="https://..."
+          value={actionUrl}
+          onChange={(e) => setActionUrl(e.target.value)}
+          className="mt-1"
+        />
+        {surface === "WEBAPP" && (
+          <CheckboxWithLabel
+            name="dismissOnAction"
+            value="true"
+            defaultChecked={n?.payloadDismissOnAction ?? false}
+            variant="simple/small"
+            label="Dismiss on action click"
+            className="mt-2"
           />
         )}
       </div>
 
-      {surface === "WEBAPP" ? (
-        <div className="flex items-end gap-3">
-          <div className="flex-1">
-            <label className="text-xs font-medium text-text-dimmed">Action URL (optional)</label>
-            <Input
-              name="actionUrl"
-              variant="medium"
-              fullWidth
-              placeholder="https://..."
-              value={actionUrl}
-              onChange={(e) => setActionUrl(e.target.value)}
-              className="mt-1"
-            />
-          </div>
-          <label className="flex items-center gap-2 pb-1.5 text-xs text-text-dimmed whitespace-nowrap">
-            <input
-              type="checkbox"
-              name="dismissOnAction"
-              value="true"
-              defaultChecked={n?.payloadDismissOnAction ?? false}
-              className="rounded border-grid-dimmed bg-charcoal-900"
-            />
-            Dismiss on action click
-          </label>
-        </div>
-      ) : (
-        <div>
-          <label className="text-xs font-medium text-text-dimmed">Action URL (optional)</label>
-          <Input
-            name="actionUrl"
-            variant="medium"
-            fullWidth
-            placeholder="https://..."
-            value={actionUrl}
-            onChange={(e) => setActionUrl(e.target.value)}
-            className="mt-1"
-          />
-        </div>
-      )}
-
       {surface === "WEBAPP" && (
         <div>
-          <label className="text-xs font-medium text-text-dimmed">Image URL (optional)</label>
+          <Label variant="small">Image URL</Label>
           <Input
             name="image"
             variant="medium"
@@ -895,21 +993,28 @@ function NotificationForm({
 
       <div className="grid grid-cols-2 gap-3">
         <div>
-          <label className="text-xs font-medium text-text-dimmed">Starts At (UTC)</label>
+          <Label variant="small">
+            Starts at (UTC) {isEdit && <span className="text-red-400">*</span>}
+          </Label>
           <input
             name="startsAt"
             type="datetime-local"
-            defaultValue={n?.startsAt ? toDatetimeLocalUTC(new Date(n.startsAt)) : defaultStartsAt()}
-            className="mt-1 block w-full rounded-sm border border-grid-dimmed bg-charcoal-900 px-2 py-1.5 text-sm text-text-bright"
+            defaultValue={
+              n?.startsAt ? toDatetimeLocalUTC(new Date(n.startsAt)) : defaultStartsAt()
+            }
+            className="mt-1 block h-8 w-full rounded border border-charcoal-800 bg-charcoal-750 px-2 text-sm text-text-bright transition hover:border-charcoal-600 hover:bg-charcoal-650"
+            required={isEdit}
           />
         </div>
         <div>
-          <label className="text-xs font-medium text-text-dimmed">Ends At (UTC)</label>
+          <Label variant="small">
+            Ends at (UTC) <span className="text-red-400">*</span>
+          </Label>
           <input
             name="endsAt"
             type="datetime-local"
             defaultValue={n?.endsAt ? toDatetimeLocalUTC(new Date(n.endsAt)) : defaultEndsAt()}
-            className="mt-1 block w-full rounded-sm border border-grid-dimmed bg-charcoal-900 px-2 py-1.5 text-sm text-text-bright"
+            className="mt-1 block h-8 w-full rounded border border-charcoal-800 bg-charcoal-750 px-2 text-sm text-text-bright transition hover:border-charcoal-600 hover:bg-charcoal-650"
             required
           />
         </div>
@@ -917,9 +1022,11 @@ function NotificationForm({
 
       {surface === "CLI" && (
         <>
+          <input type="hidden" name="discoveryMatchBehavior" value={discoveryMatchBehavior} />
+
           <div className="grid grid-cols-3 gap-3 rounded border border-grid-dimmed bg-charcoal-900 p-3">
             <div>
-              <label className="text-xs font-medium text-text-dimmed">Max Show Count</label>
+              <Label variant="small">Max show count</Label>
               <Input
                 name="cliMaxShowCount"
                 variant="medium"
@@ -931,21 +1038,21 @@ function NotificationForm({
               />
             </div>
             <div>
-              <label className="text-xs font-medium text-text-dimmed">
-                Max Days After First Seen
-              </label>
+              <Label variant="small">Max days after first seen</Label>
               <Input
                 name="cliMaxDaysAfterFirstSeen"
                 variant="medium"
                 fullWidth
                 type="number"
-                defaultValue={n?.cliMaxDaysAfterFirstSeen != null ? String(n.cliMaxDaysAfterFirstSeen) : ""}
+                defaultValue={
+                  n?.cliMaxDaysAfterFirstSeen != null ? String(n.cliMaxDaysAfterFirstSeen) : ""
+                }
                 placeholder="e.g. 7"
                 className="mt-1"
               />
             </div>
             <div>
-              <label className="text-xs font-medium text-text-dimmed">Show Every (Nth)</label>
+              <Label variant="small">Show every (nth)</Label>
               <Input
                 name="cliShowEvery"
                 variant="medium"
@@ -958,13 +1065,13 @@ function NotificationForm({
             </div>
           </div>
 
-          <div className="rounded border border-grid-dimmed bg-charcoal-900 p-3 space-y-3">
-            <div className="text-xs font-medium text-text-dimmed">
+          <div className="space-y-3 rounded border border-grid-dimmed bg-charcoal-900 p-3">
+            <Paragraph variant="small" className="text-text-dimmed">
               Discovery (optional) — only show notification if file pattern matches
-            </div>
+            </Paragraph>
             <div className="grid grid-cols-3 gap-3">
               <div>
-                <label className="text-xs font-medium text-text-dimmed">File Patterns</label>
+                <Label variant="small">File patterns</Label>
                 <Input
                   name="discoveryFilePatterns"
                   variant="medium"
@@ -973,10 +1080,10 @@ function NotificationForm({
                   placeholder="trigger.config.ts, trigger.config.js"
                   className="mt-1"
                 />
-                <span className="text-[10px] text-text-dimmed/60">Comma-separated</span>
+                <Hint>Comma-separated</Hint>
               </div>
               <div>
-                <label className="text-xs font-medium text-text-dimmed">Content Pattern</label>
+                <Label variant="small">Content pattern</Label>
                 <Input
                   name="discoveryContentPattern"
                   variant="medium"
@@ -985,75 +1092,83 @@ function NotificationForm({
                   placeholder="e.g. syncVercelEnvVars"
                   className="mt-1"
                 />
-                <span className="text-[10px] text-text-dimmed/60">Regex (optional)</span>
+                <Hint>Regex (optional)</Hint>
               </div>
               <div>
-                <label className="text-xs font-medium text-text-dimmed">Match Behavior</label>
-                <select
-                  name="discoveryMatchBehavior"
-                  defaultValue={n?.payloadDiscovery?.matchBehavior ?? ""}
-                  className="mt-1 block w-full rounded-sm border border-grid-dimmed bg-charcoal-900 px-2 py-1.5 text-sm text-text-bright"
+                <Label variant="small">Match behavior</Label>
+                <Select<string, string>
+                  value={discoveryMatchBehavior}
+                  setValue={setDiscoveryMatchBehavior}
+                  variant="tertiary/medium"
+                  items={[DISCOVERY_MATCH_NONE, "show-if-found", "show-if-not-found"]}
+                  placeholder={DISCOVERY_MATCH_LABEL}
+                  text={(v) => (v === DISCOVERY_MATCH_NONE ? DISCOVERY_MATCH_LABEL : v)}
+                  className="mt-1 w-full"
                 >
-                  <option value="">— none —</option>
-                  <option value="show-if-found">show-if-found</option>
-                  <option value="show-if-not-found">show-if-not-found</option>
-                </select>
+                  {(items) =>
+                    items.map((item) => (
+                      <SelectItem
+                        key={item === DISCOVERY_MATCH_NONE ? "none" : item}
+                        value={item}
+                      >
+                        {item === DISCOVERY_MATCH_NONE ? DISCOVERY_MATCH_LABEL : item}
+                      </SelectItem>
+                    ))
+                  }
+                </Select>
               </div>
             </div>
           </div>
         </>
       )}
 
-      <div className="flex items-center gap-2">
-        {isEdit ? (
-          <Button
-            type="submit"
-            variant="primary/small"
-            disabled={fetcher.state !== "idle"}
-          >
-            {fetcher.state !== "idle" ? "Saving..." : "Save Changes"}
+      <DialogFooter className="items-center">
+        <div className="flex items-center gap-3">
+          <Button type="button" variant="tertiary/medium" onClick={onClose}>
+            Cancel
           </Button>
-        ) : (
-          <>
-            <Button
-              type="submit"
-              name="_action"
-              value="create"
-              variant="primary/small"
-              disabled={fetcher.state !== "idle"}
-            >
-              {fetcher.state !== "idle" ? "Creating..." : "Create"}
-            </Button>
-            <Button
-              type="submit"
-              name="_action"
-              value="create-preview"
-              variant="tertiary/small"
-              disabled={fetcher.state !== "idle"}
-            >
-              Send Preview to Me
+          {fetcher.data?.error && (
+            <span className="text-xs text-red-400">{fetcher.data.error}</span>
+          )}
+          {!isEdit && fetcher.data?.success && !fetcher.data.previewId && (
+            <span className="text-xs text-green-400">Created successfully</span>
+          )}
+          {!isEdit && fetcher.data?.previewId && (
+            <span className="text-xs text-green-400">
+              Preview sent (ID: {fetcher.data.previewId})
+            </span>
+          )}
+        </div>
+
+        <div className="flex items-center gap-2">
+          {isEdit ? (
+            <Button type="submit" variant="primary/medium" disabled={fetcher.state !== "idle"}>
+              {fetcher.state !== "idle" ? "Saving..." : "Save changes"}
             </Button>
-          </>
-        )}
-        <Button
-          type="button"
-          variant="tertiary/small"
-          onClick={onClose}
-        >
-          Cancel
-        </Button>
-        {fetcher.data?.error && (
-          <span className="text-xs text-red-400">{fetcher.data.error}</span>
-        )}
-        {!isEdit && fetcher.data?.success && !fetcher.data.previewId && (
-          <span className="text-xs text-green-400">Created successfully</span>
-        )}
-        {!isEdit && fetcher.data?.previewId && (
-          <span className="text-xs text-green-400">
-            Preview sent (ID: {fetcher.data.previewId})
-          </span>
-        )}
-      </div>
+          ) : (
+            <>
+              <Button
+                type="submit"
+                name="_action"
+                value="create-preview"
+                variant="tertiary/medium"
+                disabled={fetcher.state !== "idle"}
+              >
+                Send preview to me
+              </Button>
+              <Button
+                type="submit"
+                name="_action"
+                value="create"
+                variant="primary/medium"
+                disabled={fetcher.state !== "idle"}
+              >
+                {fetcher.state !== "idle" ? "Creating..." : "Create"}
+              </Button>
+            </>
+          )}
+        </div>
+      </DialogFooter>
     </fetcher.Form>
   );
 }
@@ -1089,7 +1204,7 @@ function NotificationDetailContent({
         <div>
           <p className="mb-1 text-xs font-medium text-text-dimmed">Preview</p>
           {n.surface === "WEBAPP" ? (
-            <NotificationPreviewCard
+            <NotificationCard
               title={n.payloadTitle}
               description={n.payloadDescription}
               actionUrl={n.payloadActionUrl ?? undefined}
@@ -1126,22 +1241,26 @@ function NotificationDetailContent({
       </div>
 
       {/* CLI settings */}
-      {n.surface === "CLI" && (n.cliMaxShowCount || n.cliMaxDaysAfterFirstSeen || n.cliShowEvery) && (
-        <div>
-          <p className="mb-1 text-xs font-medium text-text-dimmed">CLI Settings</p>
-          <div className="grid grid-cols-2 gap-x-4 gap-y-2 text-xs">
-            {n.cliMaxShowCount != null && (
-              <DetailRow label="Max show count" value={String(n.cliMaxShowCount)} />
-            )}
-            {n.cliMaxDaysAfterFirstSeen != null && (
-              <DetailRow label="Max days after first seen" value={String(n.cliMaxDaysAfterFirstSeen)} />
-            )}
-            {n.cliShowEvery != null && (
-              <DetailRow label="Show every N-th" value={String(n.cliShowEvery)} />
-            )}
+      {n.surface === "CLI" &&
+        (n.cliMaxShowCount || n.cliMaxDaysAfterFirstSeen || n.cliShowEvery) && (
+          <div>
+            <p className="mb-1 text-xs font-medium text-text-dimmed">CLI Settings</p>
+            <div className="grid grid-cols-2 gap-x-4 gap-y-2 text-xs">
+              {n.cliMaxShowCount != null && (
+                <DetailRow label="Max show count" value={String(n.cliMaxShowCount)} />
+              )}
+              {n.cliMaxDaysAfterFirstSeen != null && (
+                <DetailRow
+                  label="Max days after first seen"
+                  value={String(n.cliMaxDaysAfterFirstSeen)}
+                />
+              )}
+              {n.cliShowEvery != null && (
+                <DetailRow label="Show every N-th" value={String(n.cliShowEvery)} />
+              )}
+            </div>
           </div>
-        </div>
-      )}
+        )}
 
       {/* Stats */}
       <div>
@@ -1160,7 +1279,7 @@ function DetailRow({ label, value }: { label: string; value: string }) {
   return (
     <>
       <span className="text-text-dimmed">{label}</span>
-      <span className="text-text-bright break-all">{value}</span>
+      <span className="break-all text-text-bright">{value}</span>
     </>
   );
 }
@@ -1168,115 +1287,12 @@ function DetailRow({ label, value }: { label: string; value: string }) {
 function StatCard({ label, value }: { label: string; value: number }) {
   return (
     <div className="rounded border border-grid-dimmed bg-charcoal-900 p-2 text-center">
-      <p className="text-lg font-mono font-medium text-text-bright">{value}</p>
+      <p className="font-mono text-lg font-medium text-text-bright">{value}</p>
       <p className="text-xs text-text-dimmed">{label}</p>
     </div>
   );
 }
 
-// Mirrors NotificationCard from NotificationPanel.tsx — static preview, no interactions
-function NotificationPreviewCard({
-  title,
-  description,
-  actionUrl,
-  image,
-}: {
-  title: string;
-  description: string;
-  actionUrl?: string;
-  image?: string;
-}) {
-  const [isExpanded, setIsExpanded] = useState(false);
-  const [isOverflowing, setIsOverflowing] = useState(false);
-  const descriptionRef = useRef<HTMLDivElement>(null);
-
-  useLayoutEffect(() => {
-    const el = descriptionRef.current;
-    if (el) {
-      setIsOverflowing(el.scrollHeight > el.clientHeight);
-    }
-  }, [description]);
-
-  const Wrapper = actionUrl ? "a" : "div";
-  const wrapperProps = actionUrl
-    ? { href: actionUrl, target: "_blank" as const, rel: "noopener noreferrer" as const }
-    : {};
-
-  return (
-    <Wrapper
-      {...wrapperProps}
-      className="group/card group relative block overflow-hidden rounded border transition-colors border-grid-bright bg-charcoal-750/50 no-underline"
-    >
-      <div className="relative flex items-start gap-1 px-2 pt-1.5">
-        <Header3 className="flex-1 !text-xs">{title}</Header3>
-        <button
-          type="button"
-          className="shrink-0 rounded p-0.5 text-text-dimmed transition-colors hover:bg-charcoal-700 hover:text-text-bright"
-          tabIndex={-1}
-        >
-          <XMarkIcon className="size-3.5" />
-        </button>
-      </div>
-
-      <div className="relative px-2 pb-2">
-        <div className="flex gap-1">
-          <div className="min-w-0 flex-1">
-            <div ref={descriptionRef} className={cn(!isExpanded && "line-clamp-3")}>
-              <ReactMarkdown components={markdownComponents}>{description}</ReactMarkdown>
-            </div>
-            {(isOverflowing || isExpanded) && (
-              <button
-                type="button"
-                onClick={(e) => {
-                  e.preventDefault();
-                  e.stopPropagation();
-                  setIsExpanded((v) => !v);
-                }}
-                className="mt-0.5 text-xs text-indigo-400 hover:text-indigo-300"
-              >
-                {isExpanded ? "Show less" : "Show more"}
-              </button>
-            )}
-          </div>
-          {actionUrl && (
-            <div className="mt-1 flex shrink-0 items-center pb-1 text-text-dimmed group-hover/card:text-text-bright transition-colors">
-              <ChevronRightIcon className="size-4" />
-            </div>
-          )}
-        </div>
-
-        {image && (
-          <img src={sanitizeImageUrl(image)} alt="" className="mt-1.5 rounded px-2 pb-2" />
-        )}
-      </div>
-    </Wrapper>
-  );
-}
-
-const markdownComponents = {
-  p: ({ children }: { children?: React.ReactNode }) => (
-    <p className="my-0.5 text-xs leading-relaxed text-text-dimmed">{children}</p>
-  ),
-  a: ({ href, children }: { href?: string; children?: React.ReactNode }) => (
-    <a
-      href={href}
-      target="_blank"
-      rel="noopener noreferrer"
-      className="text-indigo-400 underline hover:text-indigo-300 transition-colors"
-      onClick={(e) => e.stopPropagation()}
-    >
-      {children}
-    </a>
-  ),
-  strong: ({ children }: { children?: React.ReactNode }) => (
-    <strong className="font-semibold text-text-bright">{children}</strong>
-  ),
-  em: ({ children }: { children?: React.ReactNode }) => <em>{children}</em>,
-  code: ({ children }: { children?: React.ReactNode }) => (
-    <code className="rounded bg-charcoal-700 px-1 py-0.5 text-[11px]">{children}</code>
-  ),
-};
-
 const CLI_COLOR_MAP: Record<string, string> = {
   red: "text-red-500",
   green: "text-green-500",
@@ -1322,7 +1338,11 @@ function CliColorMarkup({ text, fallbackClass }: { text: string; fallbackClass?:
       if (endIdx !== -1) {
         // Push text before the tag
         if (braceIdx > pos) {
-          parts.push(<span key={key++} className={fallbackClass}>{text.slice(pos, braceIdx)}</span>);
+          parts.push(
+            <span key={key++} className={fallbackClass}>
+              {text.slice(pos, braceIdx)}
+            </span>
+          );
         }
         // Push styled content
         parts.push(
@@ -1380,7 +1400,9 @@ function formatDate(date: string | Date): string {
 
 function toDatetimeLocalUTC(date: Date): string {
   const pad = (n: number) => String(n).padStart(2, "0");
-  return `${date.getUTCFullYear()}-${pad(date.getUTCMonth() + 1)}-${pad(date.getUTCDate())}T${pad(date.getUTCHours())}:${pad(date.getUTCMinutes())}`;
+  return `${date.getUTCFullYear()}-${pad(date.getUTCMonth() + 1)}-${pad(date.getUTCDate())}T${pad(
+    date.getUTCHours()
+  )}:${pad(date.getUTCMinutes())}`;
 }
 
 function defaultStartsAt(): string {
@@ -1391,19 +1413,6 @@ function defaultEndsAt(): string {
   return toDatetimeLocalUTC(new Date(Date.now() + 30 * 24 * 60 * 60 * 1000));
 }
 
-/** Sanitize image URL to prevent XSS via javascript: or data: URIs. */
-function sanitizeImageUrl(url: string): string {
-  try {
-    const parsed = new URL(url);
-    if (parsed.protocol === "https:" || parsed.protocol === "http:") {
-      return parsed.href;
-    }
-    return "";
-  } catch {
-    return "";
-  }
-}
-
 type NotificationStatus = "active" | "pending" | "releasing" | "expired" | "archived";
 
 const FIVE_MINUTES_MS = 5 * 60 * 1000;
@@ -1434,7 +1443,9 @@ function StatusBadge({ status }: { status: NotificationStatus }) {
   };
 
   return (
-    <span className={`inline-flex rounded-sm px-1.5 py-0.5 text-[11px] font-medium ${styles[status]}`}>
+    <span
+      className={`inline-flex rounded-sm px-1.5 py-0.5 text-[11px] font-medium ${styles[status]}`}
+    >
       {status}
     </span>
   );
diff --git a/apps/webapp/app/routes/admin.orgs.tsx b/apps/webapp/app/routes/admin.orgs.tsx
index 6f496362947..8441d4d19da 100644
--- a/apps/webapp/app/routes/admin.orgs.tsx
+++ b/apps/webapp/app/routes/admin.orgs.tsx
@@ -1,7 +1,6 @@
 import { MagnifyingGlassIcon } from "@heroicons/react/20/solid";
 import { Form } from "@remix-run/react";
-import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
-import { redirect, typedjson, useTypedLoaderData } from "remix-typedjson";
+import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import { useState } from "react";
 import { z } from "zod";
 import { FeatureFlagsDialog } from "~/components/admin/FeatureFlagsDialog";
@@ -20,7 +19,7 @@ import {
   TableRow,
 } from "~/components/primitives/Table";
 import { adminGetOrganizations } from "~/models/admin.server";
-import { requireUser, requireUserId } from "~/services/session.server";
+import { dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import { createSearchParams } from "~/utils/searchParams";
 
 export const SearchParams = z.object({
@@ -30,20 +29,18 @@ export const SearchParams = z.object({
 
 export type SearchParams = z.infer<typeof SearchParams>;
 
-export const loader = async ({ request, params }: LoaderFunctionArgs) => {
-  const user = await requireUser(request);
-  if (!user.admin) {
-    return redirect("/");
-  }
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true } },
+  async ({ user, request }) => {
+    const searchParams = createSearchParams(request.url, SearchParams);
+    if (!searchParams.success) {
+      throw new Error(searchParams.error);
+    }
+    const result = await adminGetOrganizations(user.id, searchParams.params.getAll());
 
-  const searchParams = createSearchParams(request.url, SearchParams);
-  if (!searchParams.success) {
-    throw new Error(searchParams.error);
+    return typedjson(result);
   }
-  const result = await adminGetOrganizations(user.id, searchParams.params.getAll());
-
-  return typedjson(result);
-};
+);
 
 export default function AdminDashboardRoute() {
   const { organizations, filters, page, pageCount } = useTypedLoaderData<typeof loader>();
@@ -85,15 +82,14 @@ export default function AdminDashboardRoute() {
               <TableHeaderCell>Slug</TableHeaderCell>
               <TableHeaderCell>Members</TableHeaderCell>
               <TableHeaderCell>id</TableHeaderCell>
-              <TableHeaderCell>v2?</TableHeaderCell>
-              <TableHeaderCell>v3?</TableHeaderCell>
               <TableHeaderCell>Deleted?</TableHeaderCell>
+              <TableHeaderCell>Back office</TableHeaderCell>
               <TableHeaderCell>Actions</TableHeaderCell>
             </TableRow>
           </TableHeader>
           <TableBody>
             {organizations.length === 0 ? (
-              <TableBlankRow colSpan={9}>
+              <TableBlankRow colSpan={7}>
                 <Paragraph>No orgs found for search</Paragraph>
               </TableBlankRow>
             ) : (
@@ -120,9 +116,15 @@ export default function AdminDashboardRoute() {
                     <TableCell>
                       <CopyableText value={org.id} />
                     </TableCell>
-                    <TableCell>{org.v2Enabled ? "✅" : ""}</TableCell>
-                    <TableCell>{org.v3Enabled ? "✅" : ""}</TableCell>
                     <TableCell>{org.deletedAt ? "☠️" : ""}</TableCell>
+                    <TableCell>
+                      <LinkButton
+                        to={`/admin/back-office/orgs/${org.id}`}
+                        variant="tertiary/small"
+                      >
+                        Open
+                      </LinkButton>
+                    </TableCell>
                     <TableCell isSticky={true}>
                       <div className="flex items-center gap-2">
                         <Button
diff --git a/apps/webapp/app/routes/admin.tsx b/apps/webapp/app/routes/admin.tsx
index 4cd2deca533..bf01e5f187a 100644
--- a/apps/webapp/app/routes/admin.tsx
+++ b/apps/webapp/app/routes/admin.tsx
@@ -1,20 +1,19 @@
-import { Outlet } from "@remix-run/react";
-import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
-import { redirect, typedjson } from "remix-typedjson";
+import { Outlet, useSearchParams } from "@remix-run/react";
+import { typedjson } from "remix-typedjson";
 import { LinkButton } from "~/components/primitives/Buttons";
 import { Tabs } from "~/components/primitives/Tabs";
-import { requireUser } from "~/services/session.server";
+import { dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 
-export async function loader({ request }: LoaderFunctionArgs) {
-  const user = await requireUser(request);
-  if (!user.admin) {
-    return redirect("/");
-  }
-
-  return typedjson({ user });
-}
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true } },
+  async ({ user }) => typedjson({ user })
+);
 
 export default function Page() {
+  const [searchParams] = useSearchParams();
+  const search = searchParams.get("search");
+  const searchSuffix = search ? `?search=${encodeURIComponent(search)}` : "";
+
   return (
     <div className="h-full w-full">
       <div className="flex items-center justify-between p-4">
@@ -22,11 +21,11 @@ export default function Page() {
           tabs={[
             {
               label: "Users",
-              to: "/admin",
+              to: `/admin${searchSuffix}`,
             },
             {
               label: "Organizations",
-              to: "/admin/orgs",
+              to: `/admin/orgs${searchSuffix}`,
             },
             {
               label: "Concurrency",
@@ -37,13 +36,22 @@ export default function Page() {
               to: "/admin/llm-models",
             },
             {
-              label: "Feature Flags",
+              label: "Global Feature Flags",
               to: "/admin/feature-flags",
             },
             {
               label: "Notifications",
               to: "/admin/notifications",
             },
+            {
+              label: "Back office",
+              to: "/admin/back-office",
+              end: false,
+            },
+            {
+              label: "Data Stores",
+              to: "/admin/data-stores",
+            },
           ]}
           layoutId={"admin"}
         />
diff --git a/apps/webapp/app/routes/api.v1.artifacts.ts b/apps/webapp/app/routes/api.v1.artifacts.ts
index 82ae3f53756..c74c66a222d 100644
--- a/apps/webapp/app/routes/api.v1.artifacts.ts
+++ b/apps/webapp/app/routes/api.v1.artifacts.ts
@@ -13,79 +13,85 @@ export async function action({ request }: ActionFunctionArgs) {
     return json({ error: "Method Not Allowed" }, { status: 405 });
   }
 
-  const authenticationResult = await authenticateRequest(request, {
-    apiKey: true,
-    organizationAccessToken: false,
-    personalAccessToken: false,
-  });
+  try {
+    const authenticationResult = await authenticateRequest(request, {
+      apiKey: true,
+      organizationAccessToken: false,
+      personalAccessToken: false,
+    });
 
-  if (!authenticationResult || !authenticationResult.result.ok) {
-    logger.info("Invalid or missing api key", { url: request.url });
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult || !authenticationResult.result.ok) {
+      logger.info("Invalid or missing api key", { url: request.url });
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const [, rawBody] = await tryCatch(request.json());
-  const body = CreateArtifactRequestBody.safeParse(rawBody ?? {});
+    const [, rawBody] = await tryCatch(request.json());
+    const body = CreateArtifactRequestBody.safeParse(rawBody ?? {});
 
-  if (!body.success) {
-    return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
-  }
+    if (!body.success) {
+      return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
+    }
 
-  const { environment: authenticatedEnv } = authenticationResult.result;
+    const { environment: authenticatedEnv } = authenticationResult.result;
 
-  const service = new ArtifactsService();
-  return await service
-    .createArtifact(body.data.type, authenticatedEnv, body.data.contentLength)
-    .match(
-      (result) => {
-        return json(
-          {
-            artifactKey: result.artifactKey,
-            uploadUrl: result.uploadUrl,
-            uploadFields: result.uploadFields,
-            expiresAt: result.expiresAt.toISOString(),
-          } satisfies CreateArtifactResponseBody,
-          { status: 201 }
-        );
-      },
-      (error) => {
-        switch (error.type) {
-          case "artifact_size_exceeds_limit": {
-            logger.warn("Artifact size exceeds limit", { error });
-            const sizeMB = parseFloat((error.contentLength / (1024 * 1024)).toFixed(1));
-            const limitMB = parseFloat((error.sizeLimit / (1024 * 1024)).toFixed(1));
+    const service = new ArtifactsService();
+    return await service
+      .createArtifact(body.data.type, authenticatedEnv, body.data.contentLength)
+      .match(
+        (result) => {
+          return json(
+            {
+              artifactKey: result.artifactKey,
+              uploadUrl: result.uploadUrl,
+              uploadFields: result.uploadFields,
+              expiresAt: result.expiresAt.toISOString(),
+            } satisfies CreateArtifactResponseBody,
+            { status: 201 }
+          );
+        },
+        (error) => {
+          switch (error.type) {
+            case "artifact_size_exceeds_limit": {
+              logger.warn("Artifact size exceeds limit", { error });
+              const sizeMB = parseFloat((error.contentLength / (1024 * 1024)).toFixed(1));
+              const limitMB = parseFloat((error.sizeLimit / (1024 * 1024)).toFixed(1));
 
-            let errorMessage;
+              let errorMessage;
 
-            switch (body.data.type) {
-              case "deployment_context":
-                errorMessage = `Artifact size (${sizeMB} MB) exceeds the allowed limit of ${limitMB} MB. Make sure you are in the correct directory of your Trigger.dev project. Reach out to us if you are seeing this error consistently.`;
-                break;
-              default:
-                body.data.type satisfies never;
-                errorMessage = `Artifact size (${sizeMB} MB) exceeds the allowed limit of ${limitMB} MB`;
+              switch (body.data.type) {
+                case "deployment_context":
+                  errorMessage = `Artifact size (${sizeMB} MB) exceeds the allowed limit of ${limitMB} MB. Make sure you are in the correct directory of your Trigger.dev project. Reach out to us if you are seeing this error consistently.`;
+                  break;
+                default:
+                  body.data.type satisfies never;
+                  errorMessage = `Artifact size (${sizeMB} MB) exceeds the allowed limit of ${limitMB} MB`;
+              }
+              return json(
+                {
+                  error: errorMessage,
+                },
+                { status: 400 }
+              );
+            }
+            case "failed_to_create_presigned_post": {
+              logger.error("Failed to create presigned POST", { error });
+              return json({ error: "Failed to generate artifact upload URL" }, { status: 500 });
+            }
+            case "artifacts_bucket_not_configured": {
+              logger.error("Artifacts bucket not configured", { error });
+              return json({ error: "Internal server error" }, { status: 500 });
+            }
+            default: {
+              error satisfies never;
+              logger.error("Failed creating artifact", { error });
+              return json({ error: "Internal server error" }, { status: 500 });
             }
-            return json(
-              {
-                error: errorMessage,
-              },
-              { status: 400 }
-            );
-          }
-          case "failed_to_create_presigned_post": {
-            logger.error("Failed to create presigned POST", { error });
-            return json({ error: "Failed to generate artifact upload URL" }, { status: 500 });
-          }
-          case "artifacts_bucket_not_configured": {
-            logger.error("Artifacts bucket not configured", { error });
-            return json({ error: "Internal server error" }, { status: 500 });
-          }
-          default: {
-            error satisfies never;
-            logger.error("Failed creating artifact", { error });
-            return json({ error: "Internal server error" }, { status: 500 });
           }
         }
-      }
-    );
+      );
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to create artifact", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
diff --git a/apps/webapp/app/routes/api.v1.auth.jwt.claims.ts b/apps/webapp/app/routes/api.v1.auth.jwt.claims.ts
index 0091078dbb5..b62874d5608 100644
--- a/apps/webapp/app/routes/api.v1.auth.jwt.claims.ts
+++ b/apps/webapp/app/routes/api.v1.auth.jwt.claims.ts
@@ -1,19 +1,26 @@
 import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { json } from "@remix-run/server-runtime";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 
 export async function action({ request }: LoaderFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
+  try {
+    // Next authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const claims = {
-    sub: authenticationResult.environment.id,
-    pub: true,
-  };
+    const claims = {
+      sub: authenticationResult.environment.id,
+      pub: true,
+    };
 
-  return json(claims);
+    return json(claims);
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to read auth jwt claims", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
diff --git a/apps/webapp/app/routes/api.v1.auth.jwt.ts b/apps/webapp/app/routes/api.v1.auth.jwt.ts
index e495c9b3688..c38cdeb14ac 100644
--- a/apps/webapp/app/routes/api.v1.auth.jwt.ts
+++ b/apps/webapp/app/routes/api.v1.auth.jwt.ts
@@ -1,6 +1,7 @@
 import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { json } from "@remix-run/server-runtime";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 import { z } from "zod";
 import { generateJWT as internal_generateJWT } from "@trigger.dev/core/v3";
 
@@ -14,33 +15,42 @@ const RequestBodySchema = z.object({
 });
 
 export async function action({ request }: LoaderFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const parsedBody = RequestBodySchema.safeParse(await request.json());
-
-  if (!parsedBody.success) {
-    return json(
-      { error: "Invalid request body", issues: parsedBody.error.issues },
-      { status: 400 }
-    );
+  try {
+    // Next authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
+
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
+
+    const parsedBody = RequestBodySchema.safeParse(await request.json());
+
+    if (!parsedBody.success) {
+      return json(
+        { error: "Invalid request body", issues: parsedBody.error.issues },
+        { status: 400 }
+      );
+    }
+
+    const claims = {
+      sub: authenticationResult.environment.id,
+      pub: true,
+      ...parsedBody.data.claims,
+    };
+
+    // Sign with the environment's current canonical key, not the raw header key,
+    // so JWTs minted with a revoked (grace-window) key still validate — validation
+    // in jwtAuth.server.ts uses environment.apiKey.
+    const jwt = await internal_generateJWT({
+      secretKey: authenticationResult.environment.apiKey,
+      payload: claims,
+      expirationTime: parsedBody.data.expirationTime ?? "1h",
+    });
+
+    return json({ token: jwt });
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to mint auth jwt", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
-
-  const claims = {
-    sub: authenticationResult.environment.id,
-    pub: true,
-    ...parsedBody.data.claims,
-  };
-
-  const jwt = await internal_generateJWT({
-    secretKey: authenticationResult.apiKey,
-    payload: claims,
-    expirationTime: parsedBody.data.expirationTime ?? "1h",
-  });
-
-  return json({ token: jwt });
 }
diff --git a/apps/webapp/app/routes/api.v1.authorization-code.ts b/apps/webapp/app/routes/api.v1.authorization-code.ts
index b924b67500a..2e5c1aadf25 100644
--- a/apps/webapp/app/routes/api.v1.authorization-code.ts
+++ b/apps/webapp/app/routes/api.v1.authorization-code.ts
@@ -32,7 +32,7 @@ export async function action({ request }: ActionFunctionArgs) {
         error: error.message,
       });
 
-      return json({ error: error.message }, { status: 400 });
+      return json({ error: "Failed to create authorization code" }, { status: 400 });
     }
 
     return json({ error: "Something went wrong" }, { status: 500 });
diff --git a/apps/webapp/app/routes/api.v1.batches.$batchId.ts b/apps/webapp/app/routes/api.v1.batches.$batchId.ts
index d852385b4b6..5c0c65baf57 100644
--- a/apps/webapp/app/routes/api.v1.batches.$batchId.ts
+++ b/apps/webapp/app/routes/api.v1.batches.$batchId.ts
@@ -1,7 +1,7 @@
 import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { $replica } from "~/db.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import { anyResource, createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
 
 const ParamsSchema = z.object({
   batchId: z.string(),
@@ -25,8 +25,19 @@ export const loader = createLoaderApiRoute(
     },
     authorization: {
       action: "read",
-      resource: (batch) => ({ batch: batch.friendlyId }),
-      superScopes: ["read:runs", "read:all", "admin"],
+      // Pre-RBAC, this route's `superScopes` included `read:runs`, so a
+      // JWT minted with `read:runs` could read batches. The new strict
+      // scope-type match means `read:runs` no longer trivially matches
+      // `{type: "batch"}`. Include `{type: "runs"}` (alongside the
+      // batch-id-scoped element) to preserve that semantic for any
+      // SDK-issued tokens in the wild — a `read:runs` JWT still passes
+      // batch retrieval. Per-id `read:batch:<id>` and type-level
+      // `read:batch` still grant via the first element.
+      resource: (batch) =>
+        anyResource([
+          { type: "batch", id: batch.friendlyId },
+          { type: "runs" },
+        ]),
     },
   },
   async ({ resource: batch }) => {
diff --git a/apps/webapp/app/routes/api.v1.batches.$batchParam.results.ts b/apps/webapp/app/routes/api.v1.batches.$batchParam.results.ts
index 7eb2fd4207b..edb19736691 100644
--- a/apps/webapp/app/routes/api.v1.batches.$batchParam.results.ts
+++ b/apps/webapp/app/routes/api.v1.batches.$batchParam.results.ts
@@ -4,6 +4,7 @@ import { z } from "zod";
 import { ApiBatchResultsPresenter } from "~/presenters/v3/ApiBatchResultsPresenter.server";
 import { ApiRunResultPresenter } from "~/presenters/v3/ApiRunResultPresenter.server";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 
 const ParamsSchema = z.object({
   /* This is the batch friendly ID */
@@ -11,35 +12,38 @@ const ParamsSchema = z.object({
 });
 
 export async function loader({ request, params }: LoaderFunctionArgs) {
-  // Authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
+  try {
+    // Authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API Key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API Key" }, { status: 401 });
+    }
 
-  const parsed = ParamsSchema.safeParse(params);
+    const parsed = ParamsSchema.safeParse(params);
 
-  if (!parsed.success) {
-    return json({ error: "Invalid or missing run ID" }, { status: 400 });
-  }
+    if (!parsed.success) {
+      return json({ error: "Invalid or missing run ID" }, { status: 400 });
+    }
 
-  const { batchParam } = parsed.data;
+    const { batchParam } = parsed.data;
 
-  try {
-    const presenter = new ApiBatchResultsPresenter();
-    const result = await presenter.call(batchParam, authenticationResult.environment);
+    try {
+      const presenter = new ApiBatchResultsPresenter();
+      const result = await presenter.call(batchParam, authenticationResult.environment);
 
-    if (!result) {
-      return json({ error: "Batch not found" }, { status: 404 });
-    }
+      if (!result) {
+        return json({ error: "Batch not found" }, { status: 404 });
+      }
 
-    return json(result);
-  } catch (error) {
-    if (error instanceof Error) {
-      return json({ error: error.message }, { status: 500 });
-    } else {
-      return json({ error: JSON.stringify(error) }, { status: 500 });
+      return json(result);
+    } catch (error) {
+      logger.error("Failed to load batch results", { error });
+      return json({ error: "Something went wrong, please try again." }, { status: 500 });
     }
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to load batch results (outer)", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v1.deployments.$deploymentId.background-workers.ts b/apps/webapp/app/routes/api.v1.deployments.$deploymentId.background-workers.ts
index edaa1b257e5..26503c14f9d 100644
--- a/apps/webapp/app/routes/api.v1.deployments.$deploymentId.background-workers.ts
+++ b/apps/webapp/app/routes/api.v1.deployments.$deploymentId.background-workers.ts
@@ -23,51 +23,63 @@ export async function action({ request, params }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
-
-  if (!authenticationResult) {
-    logger.info("Invalid or missing api key", { url: request.url });
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+  try {
+    // Next authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
 
-  const authenticatedEnv = authenticationResult.environment;
+    if (!authenticationResult) {
+      logger.info("Invalid or missing api key", { url: request.url });
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const { deploymentId } = parsedParams.data;
+    const authenticatedEnv = authenticationResult.environment;
 
-  const rawBody = await request.json();
-  const body = CreateBackgroundWorkerRequestBody.safeParse(rawBody);
+    const { deploymentId } = parsedParams.data;
 
-  if (!body.success) {
-    return json({ error: "Invalid body", issues: body.error.issues }, { status: 400 });
-  }
+    const rawBody = await request.json();
+    const body = CreateBackgroundWorkerRequestBody.safeParse(rawBody);
 
-  const service = new CreateDeploymentBackgroundWorkerServiceV4();
+    if (!body.success) {
+      return json({ error: "Invalid body", issues: body.error.issues }, { status: 400 });
+    }
 
-  try {
-    const backgroundWorker = await service.call(authenticatedEnv, deploymentId, body.data);
+    const service = new CreateDeploymentBackgroundWorkerServiceV4();
+
+    try {
+      const backgroundWorker = await service.call(authenticatedEnv, deploymentId, body.data);
+
+      if (!backgroundWorker) {
+        return json({ error: "Failed to create background worker" }, { status: 500 });
+      }
+
+      return json(
+        {
+          id: backgroundWorker.friendlyId,
+          version: backgroundWorker.version,
+          contentHash: backgroundWorker.contentHash,
+        },
+        { status: 200 }
+      );
+    } catch (e) {
+      // Customer-facing validation failures (invalid task config, customer cron
+      // expression, etc.). The handler returns 4xx with the message; system
+      // handles it gracefully, no alert needed.
+      if (e instanceof ServiceValidationError) {
+        logger.warn("Failed to create background worker", { error: e.message });
+        return json({ error: e.message }, { status: e.status ?? 400 });
+      }
+      if (e instanceof CreateDeclarativeScheduleError) {
+        logger.warn("Failed to create background worker", { error: e.message });
+        return json({ error: e.message }, { status: 400 });
+      }
+
+      logger.error("Failed to create background worker", { error: e });
 
-    if (!backgroundWorker) {
       return json({ error: "Failed to create background worker" }, { status: 500 });
     }
-
-    return json(
-      {
-        id: backgroundWorker.friendlyId,
-        version: backgroundWorker.version,
-        contentHash: backgroundWorker.contentHash,
-      },
-      { status: 200 }
-    );
-  } catch (e) {
-    logger.error("Failed to create background worker", { error: e });
-
-    if (e instanceof ServiceValidationError) {
-      return json({ error: e.message }, { status: e.status ?? 400 });
-    } else if (e instanceof CreateDeclarativeScheduleError) {
-      return json({ error: e.message }, { status: 400 });
-    }
-
-    return json({ error: "Failed to create background worker" }, { status: 500 });
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to create deployment background worker", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v1.deployments.$deploymentId.cancel.ts b/apps/webapp/app/routes/api.v1.deployments.$deploymentId.cancel.ts
index dd209d4494b..56b93fe17e3 100644
--- a/apps/webapp/app/routes/api.v1.deployments.$deploymentId.cancel.ts
+++ b/apps/webapp/app/routes/api.v1.deployments.$deploymentId.cancel.ts
@@ -20,53 +20,59 @@ export async function action({ request, params }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  const authenticationResult = await authenticateRequest(request, {
-    apiKey: true,
-    organizationAccessToken: false,
-    personalAccessToken: false,
-  });
+  try {
+    const authenticationResult = await authenticateRequest(request, {
+      apiKey: true,
+      organizationAccessToken: false,
+      personalAccessToken: false,
+    });
 
-  if (!authenticationResult || !authenticationResult.result.ok) {
-    logger.info("Invalid or missing api key", { url: request.url });
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult || !authenticationResult.result.ok) {
+      logger.info("Invalid or missing api key", { url: request.url });
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const { environment: authenticatedEnv } = authenticationResult.result;
-  const { deploymentId } = parsedParams.data;
+    const { environment: authenticatedEnv } = authenticationResult.result;
+    const { deploymentId } = parsedParams.data;
 
-  const [, rawBody] = await tryCatch(request.json());
-  const body = CancelDeploymentRequestBody.safeParse(rawBody ?? {});
+    const [, rawBody] = await tryCatch(request.json());
+    const body = CancelDeploymentRequestBody.safeParse(rawBody ?? {});
 
-  if (!body.success) {
-    return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
-  }
+    if (!body.success) {
+      return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
+    }
 
-  const deploymentService = new DeploymentService();
+    const deploymentService = new DeploymentService();
 
-  return await deploymentService
-    .cancelDeployment(authenticatedEnv, deploymentId, {
-      canceledReason: body.data.reason,
-    })
-    .match(
-      () => {
-        return new Response(null, { status: 204 });
-      },
-      (error) => {
-        switch (error.type) {
-          case "deployment_not_found":
-            return json({ error: "Deployment not found" }, { status: 404 });
-          case "failed_to_delete_deployment_timeout":
-            return new Response(null, { status: 204 }); // not a critical error, ignore
-          case "deployment_cannot_be_cancelled":
-            return json(
-              { error: "Deployment is already in a final state and cannot be canceled" },
-              { status: 409 }
-            );
-          case "other":
-          default:
-            error.type satisfies "other";
-            return json({ error: "Internal server error" }, { status: 500 });
+    return await deploymentService
+      .cancelDeployment(authenticatedEnv, deploymentId, {
+        canceledReason: body.data.reason,
+      })
+      .match(
+        () => {
+          return new Response(null, { status: 204 });
+        },
+        (error) => {
+          switch (error.type) {
+            case "deployment_not_found":
+              return json({ error: "Deployment not found" }, { status: 404 });
+            case "failed_to_delete_deployment_timeout":
+              return new Response(null, { status: 204 }); // not a critical error, ignore
+            case "deployment_cannot_be_cancelled":
+              return json(
+                { error: "Deployment is already in a final state and cannot be canceled" },
+                { status: 409 }
+              );
+            case "other":
+            default:
+              error.type satisfies "other";
+              return json({ error: "Internal server error" }, { status: 500 });
+          }
         }
-      }
-    );
+      );
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to cancel deployment", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
diff --git a/apps/webapp/app/routes/api.v1.deployments.$deploymentId.fail.ts b/apps/webapp/app/routes/api.v1.deployments.$deploymentId.fail.ts
index 5edea5636e7..43eb45c5364 100644
--- a/apps/webapp/app/routes/api.v1.deployments.$deploymentId.fail.ts
+++ b/apps/webapp/app/routes/api.v1.deployments.$deploymentId.fail.ts
@@ -21,32 +21,41 @@ export async function action({ request, params }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
-
-  if (!authenticationResult) {
-    logger.info("Invalid or missing api key", { url: request.url });
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const authenticatedEnv = authenticationResult.environment;
-
-  const { deploymentId } = parsedParams.data;
-
-  const rawBody = await request.json();
-  const body = FailDeploymentRequestBody.safeParse(rawBody);
-
-  if (!body.success) {
-    return json({ error: "Invalid body", issues: body.error.issues }, { status: 400 });
+  try {
+    // Next authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
+
+    if (!authenticationResult) {
+      logger.info("Invalid or missing api key", { url: request.url });
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
+
+    const authenticatedEnv = authenticationResult.environment;
+
+    const { deploymentId } = parsedParams.data;
+
+    const rawBody = await request.json();
+    const body = FailDeploymentRequestBody.safeParse(rawBody);
+
+    if (!body.success) {
+      return json({ error: "Invalid body", issues: body.error.issues }, { status: 400 });
+    }
+
+    const service = new FailDeploymentService();
+    await service.call(authenticatedEnv, deploymentId, body.data);
+
+    return json(
+      {
+        id: deploymentId,
+      },
+      { status: 200 }
+    );
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    if (error instanceof SyntaxError) {
+      return json({ error: "Invalid JSON body" }, { status: 400 });
+    }
+    logger.error("Failed to fail deployment", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
-
-  const service = new FailDeploymentService();
-  await service.call(authenticatedEnv, deploymentId, body.data);
-
-  return json(
-    {
-      id: deploymentId,
-    },
-    { status: 200 }
-  );
 }
diff --git a/apps/webapp/app/routes/api.v1.deployments.$deploymentId.finalize.ts b/apps/webapp/app/routes/api.v1.deployments.$deploymentId.finalize.ts
index 9bd12e4bd3f..c1ce30bbe79 100644
--- a/apps/webapp/app/routes/api.v1.deployments.$deploymentId.finalize.ts
+++ b/apps/webapp/app/routes/api.v1.deployments.$deploymentId.finalize.ts
@@ -22,44 +22,47 @@ export async function action({ request, params }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
+  try {
+    // Next authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
 
-  if (!authenticationResult) {
-    logger.info("Invalid or missing api key", { url: request.url });
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      logger.info("Invalid or missing api key", { url: request.url });
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const authenticatedEnv = authenticationResult.environment;
+    const authenticatedEnv = authenticationResult.environment;
 
-  const { deploymentId } = parsedParams.data;
+    const { deploymentId } = parsedParams.data;
 
-  const rawBody = await request.json();
-  const body = FinalizeDeploymentRequestBody.safeParse(rawBody);
+    const rawBody = await request.json();
+    const body = FinalizeDeploymentRequestBody.safeParse(rawBody);
 
-  if (!body.success) {
-    return json({ error: "Invalid body", issues: body.error.issues }, { status: 400 });
-  }
+    if (!body.success) {
+      return json({ error: "Invalid body", issues: body.error.issues }, { status: 400 });
+    }
 
-  try {
-    const service = new FinalizeDeploymentService();
-    await service.call(authenticatedEnv, deploymentId, body.data);
+    try {
+      const service = new FinalizeDeploymentService();
+      await service.call(authenticatedEnv, deploymentId, body.data);
 
-    return json(
-      {
-        id: deploymentId,
-      },
-      { status: 200 }
-    );
-  } catch (error) {
-    if (error instanceof ServiceValidationError) {
-      return json({ error: error.message }, { status: 400 });
-    } else if (error instanceof Error) {
-      logger.error("Error finalizing deployment", { error: error.message });
-      return json({ error: `Internal server error: ${error.message}` }, { status: 500 });
-    } else {
-      logger.error("Error finalizing deployment", { error: String(error) });
+      return json(
+        {
+          id: deploymentId,
+        },
+        { status: 200 }
+      );
+    } catch (error) {
+      if (error instanceof ServiceValidationError) {
+        return json({ error: error.message }, { status: 400 });
+      }
+
+      logger.error("Error finalizing deployment", { error });
       return json({ error: "Internal server error" }, { status: 500 });
     }
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to finalize deployment", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v1.deployments.$deploymentId.generate-registry-credentials.ts b/apps/webapp/app/routes/api.v1.deployments.$deploymentId.generate-registry-credentials.ts
index 161f37f930b..89aaad4301e 100644
--- a/apps/webapp/app/routes/api.v1.deployments.$deploymentId.generate-registry-credentials.ts
+++ b/apps/webapp/app/routes/api.v1.deployments.$deploymentId.generate-registry-credentials.ts
@@ -24,77 +24,83 @@ export async function action({ request, params }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  const authenticationResult = await authenticateRequest(request, {
-    apiKey: true,
-    organizationAccessToken: false,
-    personalAccessToken: false,
-  });
+  try {
+    const authenticationResult = await authenticateRequest(request, {
+      apiKey: true,
+      organizationAccessToken: false,
+      personalAccessToken: false,
+    });
 
-  if (!authenticationResult || !authenticationResult.result.ok) {
-    logger.info("Invalid or missing api key", { url: request.url });
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult || !authenticationResult.result.ok) {
+      logger.info("Invalid or missing api key", { url: request.url });
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const { environment: authenticatedEnv } = authenticationResult.result;
-  const { deploymentId } = parsedParams.data;
+    const { environment: authenticatedEnv } = authenticationResult.result;
+    const { deploymentId } = parsedParams.data;
 
-  const [, rawBody] = await tryCatch(request.json());
-  const body = ProgressDeploymentRequestBody.safeParse(rawBody ?? {});
+    const [, rawBody] = await tryCatch(request.json());
+    const body = ProgressDeploymentRequestBody.safeParse(rawBody ?? {});
 
-  if (!body.success) {
-    return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
-  }
+    if (!body.success) {
+      return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
+    }
 
-  const deploymentService = new DeploymentService();
+    const deploymentService = new DeploymentService();
 
-  return await deploymentService.generateRegistryCredentials(authenticatedEnv, deploymentId).match(
-    (result) => {
-      return json(
-        {
-          username: result.username,
-          password: result.password,
-          expiresAt: result.expiresAt.toISOString(),
-          repositoryUri: result.repositoryUri,
-        } satisfies GenerateRegistryCredentialsResponseBody,
-        { status: 200 }
-      );
-    },
-    (error) => {
-      switch (error.type) {
-        case "deployment_not_found":
-          return json({ error: "Deployment not found" }, { status: 404 });
-        case "deployment_has_no_image_reference":
-          logger.error(
-            "Failed to generate registry credentials: deployment_has_no_image_reference",
-            { deploymentId }
-          );
-          return json({ error: "Deployment has no image reference" }, { status: 409 });
-        case "deployment_is_already_final":
-          return json(
-            { error: "Failed to generate registry credentials: deployment_is_already_final" },
-            { status: 409 }
-          );
-        case "missing_registry_credentials":
-          logger.error("Failed to generate registry credentials: missing_registry_credentials", {
-            deploymentId,
-          });
-          return json({ error: "Missing registry credentials" }, { status: 409 });
-        case "registry_not_supported":
-          logger.error("Failed to generate registry credentials: registry_not_supported", {
-            deploymentId,
-          });
-          return json({ error: "Registry not supported" }, { status: 409 });
-        case "registry_region_not_supported":
-          logger.error("Failed to generate registry credentials: registry_region_not_supported", {
-            deploymentId,
-          });
-          return json({ error: "Registry region not supported" }, { status: 409 });
-        case "other":
-        default:
-          error.type satisfies "other";
-          logger.error("Failed to generate registry credentials", { error: error.cause });
-          return json({ error: "Internal server error" }, { status: 500 });
+    return await deploymentService.generateRegistryCredentials(authenticatedEnv, deploymentId).match(
+      (result) => {
+        return json(
+          {
+            username: result.username,
+            password: result.password,
+            expiresAt: result.expiresAt.toISOString(),
+            repositoryUri: result.repositoryUri,
+          } satisfies GenerateRegistryCredentialsResponseBody,
+          { status: 200 }
+        );
+      },
+      (error) => {
+        switch (error.type) {
+          case "deployment_not_found":
+            return json({ error: "Deployment not found" }, { status: 404 });
+          case "deployment_has_no_image_reference":
+            logger.error(
+              "Failed to generate registry credentials: deployment_has_no_image_reference",
+              { deploymentId }
+            );
+            return json({ error: "Deployment has no image reference" }, { status: 409 });
+          case "deployment_is_already_final":
+            return json(
+              { error: "Failed to generate registry credentials: deployment_is_already_final" },
+              { status: 409 }
+            );
+          case "missing_registry_credentials":
+            logger.error("Failed to generate registry credentials: missing_registry_credentials", {
+              deploymentId,
+            });
+            return json({ error: "Missing registry credentials" }, { status: 409 });
+          case "registry_not_supported":
+            logger.error("Failed to generate registry credentials: registry_not_supported", {
+              deploymentId,
+            });
+            return json({ error: "Registry not supported" }, { status: 409 });
+          case "registry_region_not_supported":
+            logger.error("Failed to generate registry credentials: registry_region_not_supported", {
+              deploymentId,
+            });
+            return json({ error: "Registry region not supported" }, { status: 409 });
+          case "other":
+          default:
+            error.type satisfies "other";
+            logger.error("Failed to generate registry credentials", { error: error.cause });
+            return json({ error: "Internal server error" }, { status: 500 });
+        }
       }
-    }
-  );
+    );
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to generate registry credentials", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
diff --git a/apps/webapp/app/routes/api.v1.deployments.$deploymentId.progress.ts b/apps/webapp/app/routes/api.v1.deployments.$deploymentId.progress.ts
index 2c78c59f552..671f42606a2 100644
--- a/apps/webapp/app/routes/api.v1.deployments.$deploymentId.progress.ts
+++ b/apps/webapp/app/routes/api.v1.deployments.$deploymentId.progress.ts
@@ -20,62 +20,68 @@ export async function action({ request, params }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  const authenticationResult = await authenticateRequest(request, {
-    apiKey: true,
-    organizationAccessToken: false,
-    personalAccessToken: false,
-  });
+  try {
+    const authenticationResult = await authenticateRequest(request, {
+      apiKey: true,
+      organizationAccessToken: false,
+      personalAccessToken: false,
+    });
 
-  if (!authenticationResult || !authenticationResult.result.ok) {
-    logger.info("Invalid or missing api key", { url: request.url });
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult || !authenticationResult.result.ok) {
+      logger.info("Invalid or missing api key", { url: request.url });
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const { environment: authenticatedEnv } = authenticationResult.result;
-  const { deploymentId } = parsedParams.data;
+    const { environment: authenticatedEnv } = authenticationResult.result;
+    const { deploymentId } = parsedParams.data;
 
-  const [, rawBody] = await tryCatch(request.json());
-  const body = ProgressDeploymentRequestBody.safeParse(rawBody ?? {});
+    const [, rawBody] = await tryCatch(request.json());
+    const body = ProgressDeploymentRequestBody.safeParse(rawBody ?? {});
 
-  if (!body.success) {
-    return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
-  }
+    if (!body.success) {
+      return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
+    }
 
-  const deploymentService = new DeploymentService();
+    const deploymentService = new DeploymentService();
 
-  return await deploymentService
-    .progressDeployment(authenticatedEnv, deploymentId, {
-      contentHash: body.data.contentHash,
-      git: body.data.gitMeta,
-      runtime: body.data.runtime,
-      buildServerMetadata: body.data.buildServerMetadata,
-    })
-    .match(
-      () => {
-        return new Response(null, { status: 204 });
-      },
-      (error) => {
-        switch (error.type) {
-          case "failed_to_extend_deployment_timeout": {
-            logger.warn("Failed to extend deployment timeout", { error: error.cause });
-            return new Response(null, { status: 204 }); // ignore these errors for now
+    return await deploymentService
+      .progressDeployment(authenticatedEnv, deploymentId, {
+        contentHash: body.data.contentHash,
+        git: body.data.gitMeta,
+        runtime: body.data.runtime,
+        buildServerMetadata: body.data.buildServerMetadata,
+      })
+      .match(
+        () => {
+          return new Response(null, { status: 204 });
+        },
+        (error) => {
+          switch (error.type) {
+            case "failed_to_extend_deployment_timeout": {
+              logger.warn("Failed to extend deployment timeout", { error: error.cause });
+              return new Response(null, { status: 204 }); // ignore these errors for now
+            }
+            case "deployment_not_found":
+              return json({ error: "Deployment not found" }, { status: 404 });
+            case "deployment_cannot_be_progressed":
+              return json(
+                { error: "Deployment is not in a progressable state (PENDING or INSTALLING)" },
+                { status: 409 }
+              );
+            case "failed_to_create_remote_build": {
+              logger.error("Failed to create remote Depot build", { error: error.cause });
+              return json({ error: "Failed to create remote build" }, { status: 500 });
+            }
+            case "other":
+            default:
+              error.type satisfies "other";
+              return json({ error: "Internal server error" }, { status: 500 });
           }
-          case "deployment_not_found":
-            return json({ error: "Deployment not found" }, { status: 404 });
-          case "deployment_cannot_be_progressed":
-            return json(
-              { error: "Deployment is not in a progressable state (PENDING or INSTALLING)" },
-              { status: 409 }
-            );
-          case "failed_to_create_remote_build": {
-            logger.error("Failed to create remote Depot build", { error: error.cause });
-            return json({ error: "Failed to create remote build" }, { status: 500 });
-          }
-          case "other":
-          default:
-            error.type satisfies "other";
-            return json({ error: "Internal server error" }, { status: 500 });
         }
-      }
-    );
+      );
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to progress deployment", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
diff --git a/apps/webapp/app/routes/api.v1.deployments.$deploymentId.ts b/apps/webapp/app/routes/api.v1.deployments.$deploymentId.ts
index d0593e564fd..dd16fabf24c 100644
--- a/apps/webapp/app/routes/api.v1.deployments.$deploymentId.ts
+++ b/apps/webapp/app/routes/api.v1.deployments.$deploymentId.ts
@@ -16,70 +16,76 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
+  try {
+    // Next authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
 
-  if (!authenticationResult) {
-    logger.info("Invalid or missing api key", { url: request.url });
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      logger.info("Invalid or missing api key", { url: request.url });
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const authenticatedEnv = authenticationResult.environment;
+    const authenticatedEnv = authenticationResult.environment;
 
-  const { deploymentId } = parsedParams.data;
+    const { deploymentId } = parsedParams.data;
 
-  const deployment = await prisma.workerDeployment.findFirst({
-    where: {
-      friendlyId: deploymentId,
-      environmentId: authenticatedEnv.id,
-    },
-    include: {
-      worker: {
-        include: {
-          tasks: true,
+    const deployment = await prisma.workerDeployment.findFirst({
+      where: {
+        friendlyId: deploymentId,
+        environmentId: authenticatedEnv.id,
+      },
+      include: {
+        worker: {
+          include: {
+            tasks: true,
+          },
         },
+        integrationDeployments: true,
       },
-      integrationDeployments: true,
-    },
-  });
+    });
 
-  if (!deployment) {
-    return json({ error: "Deployment not found" }, { status: 404 });
-  }
+    if (!deployment) {
+      return json({ error: "Deployment not found" }, { status: 404 });
+    }
 
-  return json({
-    id: deployment.friendlyId,
-    status: deployment.status,
-    contentHash: deployment.contentHash,
-    shortCode: deployment.shortCode,
-    version: deployment.version,
-    imageReference: deployment.imageReference,
-    imagePlatform: deployment.imagePlatform,
-    commitSHA: deployment.commitSHA,
-    externalBuildData:
-      deployment.externalBuildData as GetDeploymentResponseBody["externalBuildData"],
-    errorData: deployment.errorData as GetDeploymentResponseBody["errorData"],
-    worker: deployment.worker
-      ? {
-          id: deployment.worker.friendlyId,
-          version: deployment.worker.version,
-          tasks: deployment.worker.tasks.map((task) => ({
-            id: task.friendlyId,
-            slug: task.slug,
-            filePath: task.filePath,
-            exportName: task.exportName ?? "@deprecated",
-          })),
-        }
-      : undefined,
-    integrationDeployments:
-      deployment.integrationDeployments.length > 0
-        ? deployment.integrationDeployments.map((id) => ({
-            id: id.id,
-            integrationName: id.integrationName,
-            integrationDeploymentId: id.integrationDeploymentId,
-            commitSHA: id.commitSHA,
-            createdAt: id.createdAt,
-          }))
+    return json({
+      id: deployment.friendlyId,
+      status: deployment.status,
+      contentHash: deployment.contentHash,
+      shortCode: deployment.shortCode,
+      version: deployment.version,
+      imageReference: deployment.imageReference,
+      imagePlatform: deployment.imagePlatform,
+      commitSHA: deployment.commitSHA,
+      externalBuildData:
+        deployment.externalBuildData as GetDeploymentResponseBody["externalBuildData"],
+      errorData: deployment.errorData as GetDeploymentResponseBody["errorData"],
+      worker: deployment.worker
+        ? {
+            id: deployment.worker.friendlyId,
+            version: deployment.worker.version,
+            tasks: deployment.worker.tasks.map((task) => ({
+              id: task.friendlyId,
+              slug: task.slug,
+              filePath: task.filePath,
+              exportName: task.exportName ?? "@deprecated",
+            })),
+          }
         : undefined,
-  } satisfies GetDeploymentResponseBody);
+      integrationDeployments:
+        deployment.integrationDeployments.length > 0
+          ? deployment.integrationDeployments.map((id) => ({
+              id: id.id,
+              integrationName: id.integrationName,
+              integrationDeploymentId: id.integrationDeploymentId,
+              commitSHA: id.commitSHA,
+              createdAt: id.createdAt,
+            }))
+          : undefined,
+    } satisfies GetDeploymentResponseBody);
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to load deployment", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
diff --git a/apps/webapp/app/routes/api.v1.deployments.$deploymentVersion.promote.ts b/apps/webapp/app/routes/api.v1.deployments.$deploymentVersion.promote.ts
index 893b260dc82..9f3b4cad185 100644
--- a/apps/webapp/app/routes/api.v1.deployments.$deploymentVersion.promote.ts
+++ b/apps/webapp/app/routes/api.v1.deployments.$deploymentVersion.promote.ts
@@ -22,49 +22,55 @@ export async function action({ request, params }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
+  try {
+    // Next authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
 
-  if (!authenticationResult) {
-    logger.info("Invalid or missing api key", { url: request.url });
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      logger.info("Invalid or missing api key", { url: request.url });
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const authenticatedEnv = authenticationResult.environment;
+    const authenticatedEnv = authenticationResult.environment;
 
-  const url = new URL(request.url);
-  const allowRollbacks = url.searchParams.get("allowRollbacks") === "true";
+    const url = new URL(request.url);
+    const allowRollbacks = url.searchParams.get("allowRollbacks") === "true";
 
-  const { deploymentVersion } = parsedParams.data;
+    const { deploymentVersion } = parsedParams.data;
 
-  const deployment = await prisma.workerDeployment.findFirst({
-    where: {
-      version: deploymentVersion,
-      environmentId: authenticatedEnv.id,
-    },
-  });
+    const deployment = await prisma.workerDeployment.findFirst({
+      where: {
+        version: deploymentVersion,
+        environmentId: authenticatedEnv.id,
+      },
+    });
 
-  if (!deployment) {
-    return json({ error: "Deployment not found" }, { status: 404 });
-  }
+    if (!deployment) {
+      return json({ error: "Deployment not found" }, { status: 404 });
+    }
 
-  try {
-    const service = new ChangeCurrentDeploymentService();
-    await service.call(deployment, "promote", allowRollbacks);
+    try {
+      const service = new ChangeCurrentDeploymentService();
+      await service.call(deployment, "promote", allowRollbacks);
 
-    return json(
-      {
-        id: deployment.friendlyId,
-        version: deployment.version,
-        shortCode: deployment.shortCode,
-      },
-      { status: 200 }
-    );
-  } catch (error) {
-    if (error instanceof ServiceValidationError) {
-      return json({ error: error.message }, { status: 400 });
-    } else {
-      return json({ error: "Failed to promote deployment" }, { status: 500 });
+      return json(
+        {
+          id: deployment.friendlyId,
+          version: deployment.version,
+          shortCode: deployment.shortCode,
+        },
+        { status: 200 }
+      );
+    } catch (error) {
+      if (error instanceof ServiceValidationError) {
+        return json({ error: error.message }, { status: 400 });
+      } else {
+        return json({ error: "Failed to promote deployment" }, { status: 500 });
+      }
     }
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to promote deployment", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v1.deployments.current.ts b/apps/webapp/app/routes/api.v1.deployments.current.ts
new file mode 100644
index 00000000000..48170414ec2
--- /dev/null
+++ b/apps/webapp/app/routes/api.v1.deployments.current.ts
@@ -0,0 +1,54 @@
+import { json } from "@remix-run/server-runtime";
+import { $replica } from "~/db.server";
+import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+
+export const loader = createLoaderApiRoute(
+  {
+    allowJWT: true,
+    corsStrategy: "none",
+    authorization: {
+      action: "read",
+      resource: () => ({ type: "deployments", id: "current" }),
+    },
+    findResource: async (_params, auth) => {
+      const promotion = await $replica.workerDeploymentPromotion.findFirst({
+        where: {
+          environmentId: auth.environment.id,
+          label: "current",
+        },
+        select: {
+          deployment: {
+            select: {
+              friendlyId: true,
+              createdAt: true,
+              shortCode: true,
+              version: true,
+              runtime: true,
+              runtimeVersion: true,
+              status: true,
+              deployedAt: true,
+              git: true,
+              errorData: true,
+            },
+          },
+        },
+      });
+
+      return promotion?.deployment ?? undefined;
+    },
+  },
+  async ({ resource: deployment }) => {
+    return json({
+      id: deployment.friendlyId,
+      createdAt: deployment.createdAt,
+      shortCode: deployment.shortCode,
+      version: deployment.version,
+      runtime: deployment.runtime,
+      runtimeVersion: deployment.runtimeVersion,
+      status: deployment.status,
+      deployedAt: deployment.deployedAt ?? undefined,
+      git: deployment.git ?? undefined,
+      error: deployment.errorData ?? undefined,
+    });
+  }
+);
diff --git a/apps/webapp/app/routes/api.v1.deployments.latest.ts b/apps/webapp/app/routes/api.v1.deployments.latest.ts
index 6f31f58fcc2..b8dcb667856 100644
--- a/apps/webapp/app/routes/api.v1.deployments.latest.ts
+++ b/apps/webapp/app/routes/api.v1.deployments.latest.ts
@@ -5,37 +5,43 @@ import { authenticateApiRequest } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
 
 export async function loader({ request }: LoaderFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
+  try {
+    // Next authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
 
-  if (!authenticationResult) {
-    logger.info("Invalid or missing api key", { url: request.url });
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      logger.info("Invalid or missing api key", { url: request.url });
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const authenticatedEnv = authenticationResult.environment;
+    const authenticatedEnv = authenticationResult.environment;
 
-  const deployment = await prisma.workerDeployment.findFirst({
-    where: {
-      type: WorkerInstanceGroupType.UNMANAGED,
-      environmentId: authenticatedEnv.id,
-    },
-    orderBy: {
-      createdAt: "desc",
-    },
-  });
+    const deployment = await prisma.workerDeployment.findFirst({
+      where: {
+        type: WorkerInstanceGroupType.UNMANAGED,
+        environmentId: authenticatedEnv.id,
+      },
+      orderBy: {
+        createdAt: "desc",
+      },
+    });
 
-  if (!deployment) {
-    return json({ error: "Deployment not found" }, { status: 404 });
-  }
+    if (!deployment) {
+      return json({ error: "Deployment not found" }, { status: 404 });
+    }
 
-  return json({
-    id: deployment.friendlyId,
-    status: deployment.status,
-    contentHash: deployment.contentHash,
-    shortCode: deployment.shortCode,
-    version: deployment.version,
-    imageReference: deployment.imageReference,
-    errorData: deployment.errorData,
-  });
+    return json({
+      id: deployment.friendlyId,
+      status: deployment.status,
+      contentHash: deployment.contentHash,
+      shortCode: deployment.shortCode,
+      version: deployment.version,
+      imageReference: deployment.imageReference,
+      errorData: deployment.errorData,
+    });
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to load latest deployment", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
diff --git a/apps/webapp/app/routes/api.v1.deployments.ts b/apps/webapp/app/routes/api.v1.deployments.ts
index 0190ba123d5..39988e1d13d 100644
--- a/apps/webapp/app/routes/api.v1.deployments.ts
+++ b/apps/webapp/app/routes/api.v1.deployments.ts
@@ -55,13 +55,10 @@ export async function action({ request, params }: ActionFunctionArgs) {
   } catch (error) {
     if (error instanceof ServiceValidationError) {
       return json({ error: error.message }, { status: 400 });
-    } else if (error instanceof Error) {
-      logger.error("Error initializing deployment", { error: error.message });
-      return json({ error: `Internal server error: ${error.message}` }, { status: 500 });
-    } else {
-      logger.error("Error initializing deployment", { error: String(error) });
-      return json({ error: "Internal server error" }, { status: 500 });
     }
+
+    logger.error("Error initializing deployment", { error });
+    return json({ error: "Internal server error" }, { status: 500 });
   }
 }
 
@@ -72,8 +69,7 @@ export const loader = createLoaderApiRoute(
     corsStrategy: "none",
     authorization: {
       action: "read",
-      resource: () => ({ deployments: "list" }),
-      superScopes: ["read:deployments", "read:all", "admin"],
+      resource: () => ({ type: "deployments", id: "list" }),
     },
     findResource: async () => 1, // This is a dummy function, we don't need to find a resource
   },
diff --git a/apps/webapp/app/routes/api.v1.idempotencyKeys.$key.reset.ts b/apps/webapp/app/routes/api.v1.idempotencyKeys.$key.reset.ts
index 557a67409de..f9c5ac0b68c 100644
--- a/apps/webapp/app/routes/api.v1.idempotencyKeys.$key.reset.ts
+++ b/apps/webapp/app/routes/api.v1.idempotencyKeys.$key.reset.ts
@@ -21,8 +21,7 @@ export const { action } = createActionApiRoute(
     corsStrategy: "all",
     authorization: {
       action: "write",
-      resource: () => ({}),
-      superScopes: ["write:runs", "admin"],
+      resource: () => ({ type: "runs" }),
     },
   },
   async ({ params, body, authentication }) => {
diff --git a/apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts b/apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
index dc1791dabc5..47eb82c6930 100644
--- a/apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
+++ b/apps/webapp/app/routes/api.v1.orgs.$orgParam.projects.ts
@@ -20,17 +20,72 @@ const ParamsSchema = z.object({
 export async function loader({ request, params }: LoaderFunctionArgs) {
   logger.info("get projects", { url: request.url });
 
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
+  try {
+    const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
+
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
+    }
+
+    const { orgParam } = ParamsSchema.parse(params);
+
+    const projects = await prisma.project.findMany({
+      where: {
+        organization: {
+          ...orgParamWhereClause(orgParam),
+          deletedAt: null,
+          members: {
+            some: {
+              userId: authenticationResult.userId,
+            },
+          },
+        },
+        version: "V3",
+        deletedAt: null,
+      },
+      include: {
+        organization: true,
+      },
+    });
+
+    if (!projects) {
+      return json({ error: "Projects not found" }, { status: 404 });
+    }
+
+    const result: GetProjectsResponseBody = projects.map((project) => ({
+      id: project.id,
+      externalRef: project.externalRef,
+      name: project.name,
+      slug: project.slug,
+      createdAt: project.createdAt,
+      organization: {
+        id: project.organization.id,
+        title: project.organization.title,
+        slug: project.organization.slug,
+        createdAt: project.organization.createdAt,
+      },
+    }));
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
+    return json(result);
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to list org projects", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
+}
 
-  const { orgParam } = ParamsSchema.parse(params);
+export async function action({ request, params }: ActionFunctionArgs) {
+  try {
+    const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
 
-  const projects = await prisma.project.findMany({
-    where: {
-      organization: {
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
+    }
+
+    const { orgParam } = ParamsSchema.parse(params);
+
+    const organization = await prisma.organization.findFirst({
+      where: {
         ...orgParamWhereClause(orgParam),
         deletedAt: null,
         members: {
@@ -39,95 +94,53 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
           },
         },
       },
-      version: "V3",
-      deletedAt: null,
-    },
-    include: {
-      organization: true,
-    },
-  });
-
-  if (!projects) {
-    return json({ error: "Projects not found" }, { status: 404 });
-  }
-
-  const result: GetProjectsResponseBody = projects.map((project) => ({
-    id: project.id,
-    externalRef: project.externalRef,
-    name: project.name,
-    slug: project.slug,
-    createdAt: project.createdAt,
-    organization: {
-      id: project.organization.id,
-      title: project.organization.title,
-      slug: project.organization.slug,
-      createdAt: project.organization.createdAt,
-    },
-  }));
-
-  return json(result);
-}
-
-export async function action({ request, params }: ActionFunctionArgs) {
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
-  }
-
-  const { orgParam } = ParamsSchema.parse(params);
-
-  const organization = await prisma.organization.findFirst({
-    where: {
-      ...orgParamWhereClause(orgParam),
-      deletedAt: null,
-      members: {
-        some: {
-          userId: authenticationResult.userId,
-        },
+    });
+
+    if (!organization) {
+      return json({ error: "Organization not found" }, { status: 404 });
+    }
+
+    const body = await request.json();
+    const parsedBody = CreateProjectRequestBody.safeParse(body);
+
+    if (!parsedBody.success) {
+      return json({ error: "Invalid request body" }, { status: 400 });
+    }
+
+    const [error, project] = await tryCatch(
+      createProject({
+        organizationSlug: organization.slug,
+        name: parsedBody.data.name,
+        userId: authenticationResult.userId,
+        version: "v3",
+      })
+    );
+
+    if (error) {
+      logger.error("Failed to create project", { error });
+      return json({ error: "Failed to create project" }, { status: 400 });
+    }
+
+    const result: GetProjectResponseBody = {
+      id: project.id,
+      externalRef: project.externalRef,
+      name: project.name,
+      slug: project.slug,
+      createdAt: project.createdAt,
+      organization: {
+        id: project.organization.id,
+        title: project.organization.title,
+        slug: project.organization.slug,
+        createdAt: project.organization.createdAt,
       },
-    },
-  });
-
-  if (!organization) {
-    return json({ error: "Organization not found" }, { status: 404 });
-  }
-
-  const body = await request.json();
-  const parsedBody = CreateProjectRequestBody.safeParse(body);
-
-  if (!parsedBody.success) {
-    return json({ error: "Invalid request body" }, { status: 400 });
-  }
+    };
 
-  const [error, project] = await tryCatch(
-    createProject({
-      organizationSlug: organization.slug,
-      name: parsedBody.data.name,
-      userId: authenticationResult.userId,
-      version: "v3",
-    })
-  );
-
-  if (error) {
-    return json({ error: error.message }, { status: 400 });
+    return json(result);
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to create org project", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
-
-  const result: GetProjectResponseBody = {
-    id: project.id,
-    externalRef: project.externalRef,
-    name: project.name,
-    slug: project.slug,
-    createdAt: project.createdAt,
-    organization: {
-      id: project.organization.id,
-      title: project.organization.title,
-      slug: project.organization.slug,
-      createdAt: project.organization.createdAt,
-    },
-  };
-
-  return json(result);
 }
 
 function orgParamWhereClause(orgParam: string) {
diff --git a/apps/webapp/app/routes/api.v1.orgs.$organizationSlug.projects.$projectParam.vercel.projects.ts b/apps/webapp/app/routes/api.v1.orgs.$organizationSlug.projects.$projectParam.vercel.projects.ts
index aaf54685888..6fc85d69cc3 100644
--- a/apps/webapp/app/routes/api.v1.orgs.$organizationSlug.projects.$projectParam.vercel.projects.ts
+++ b/apps/webapp/app/routes/api.v1.orgs.$organizationSlug.projects.$projectParam.vercel.projects.ts
@@ -29,119 +29,125 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
     return apiCors(request, json({}));
   }
 
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-  if (!authenticationResult) {
-    return apiCors(
-      request,
-      json({ error: "Invalid or Missing Access Token" }, { status: 401 })
-    );
-  }
-
-  const parsedParams = ParamsSchema.safeParse(params);
-  if (!parsedParams.success) {
-    return apiCors(
-      request,
-      json({ error: "Invalid parameters" }, { status: 400 })
-    );
-  }
-
-  const { organizationSlug, projectParam } = parsedParams.data;
-
-  const result = await fromPromise(
-    (async () => {
-      // Find the project, verifying org membership
-      const project = await prisma.project.findFirst({
-        where: {
-          slug: projectParam,
-          organization: {
-            slug: organizationSlug,
-            members: {
-              some: {
-                userId: authenticationResult.userId,
+  try {
+    const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
+
+    if (!authenticationResult) {
+      return apiCors(
+        request,
+        json({ error: "Invalid or Missing Access Token" }, { status: 401 })
+      );
+    }
+
+    const parsedParams = ParamsSchema.safeParse(params);
+    if (!parsedParams.success) {
+      return apiCors(
+        request,
+        json({ error: "Invalid parameters" }, { status: 400 })
+      );
+    }
+
+    const { organizationSlug, projectParam } = parsedParams.data;
+
+    const result = await fromPromise(
+      (async () => {
+        // Find the project, verifying org membership
+        const project = await prisma.project.findFirst({
+          where: {
+            slug: projectParam,
+            organization: {
+              slug: organizationSlug,
+              members: {
+                some: {
+                  userId: authenticationResult.userId,
+                },
               },
             },
+            deletedAt: null,
           },
-          deletedAt: null,
-        },
-        select: {
-          id: true,
-          name: true,
-          slug: true,
-          organizationId: true,
-        },
-      });
-
-      if (!project) {
-        return { type: "not_found" as const };
-      }
-
-      // Get Vercel integration for the project
-      const vercelService = new VercelIntegrationService();
-      const integration = await vercelService.getVercelProjectIntegration(project.id);
+          select: {
+            id: true,
+            name: true,
+            slug: true,
+            organizationId: true,
+          },
+        });
 
-      return { type: "success" as const, project, integration };
-    })(),
-    (error) => error
-  );
+        if (!project) {
+          return { type: "not_found" as const };
+        }
 
-  if (result.isErr()) {
-    logger.error("Failed to fetch Vercel projects", {
-      error: result.error,
-      organizationSlug,
-      projectParam,
-    });
+        // Get Vercel integration for the project
+        const vercelService = new VercelIntegrationService();
+        const integration = await vercelService.getVercelProjectIntegration(project.id);
 
-    return apiCors(
-      request,
-      json({ error: "Internal server error" }, { status: 500 })
+        return { type: "success" as const, project, integration };
+      })(),
+      (error) => error
     );
-  }
 
-  if (result.value.type === "not_found") {
-    return apiCors(
-      request,
-      json({ error: "Project not found" }, { status: 404 })
-    );
-  }
+    if (result.isErr()) {
+      logger.error("Failed to fetch Vercel projects", {
+        error: result.error,
+        organizationSlug,
+        projectParam,
+      });
 
-  const { project, integration } = result.value;
+      return apiCors(
+        request,
+        json({ error: "Internal server error" }, { status: 500 })
+      );
+    }
+
+    if (result.value.type === "not_found") {
+      return apiCors(
+        request,
+        json({ error: "Project not found" }, { status: 404 })
+      );
+    }
+
+    const { project, integration } = result.value;
+
+    if (!integration) {
+      return apiCors(
+        request,
+        json({
+          connected: false,
+          vercelProject: null,
+          config: null,
+          syncEnvVarsMapping: null,
+        })
+      );
+    }
+
+    const { parsedIntegrationData } = integration;
 
-  if (!integration) {
     return apiCors(
       request,
       json({
-        connected: false,
-        vercelProject: null,
-        config: null,
-        syncEnvVarsMapping: null,
+        connected: true,
+        vercelProject: {
+          id: parsedIntegrationData.vercelProjectId,
+          name: parsedIntegrationData.vercelProjectName,
+          teamId: parsedIntegrationData.vercelTeamId,
+        },
+        config: {
+          atomicBuilds: parsedIntegrationData.config.atomicBuilds,
+          pullEnvVarsBeforeBuild: parsedIntegrationData.config.pullEnvVarsBeforeBuild,
+          vercelStagingEnvironment: parsedIntegrationData.config.vercelStagingEnvironment,
+        },
+        syncEnvVarsMapping: parsedIntegrationData.syncEnvVarsMapping,
+        triggerProject: {
+          id: project.id,
+          name: project.name,
+          slug: project.slug,
+        },
       })
     );
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to fetch Vercel projects", { error });
+    return apiCors(request, json({ error: "Internal Server Error" }, { status: 500 }));
   }
-
-  const { parsedIntegrationData } = integration;
-
-  return apiCors(
-    request,
-    json({
-      connected: true,
-      vercelProject: {
-        id: parsedIntegrationData.vercelProjectId,
-        name: parsedIntegrationData.vercelProjectName,
-        teamId: parsedIntegrationData.vercelTeamId,
-      },
-      config: {
-        atomicBuilds: parsedIntegrationData.config.atomicBuilds,
-        pullEnvVarsBeforeBuild: parsedIntegrationData.config.pullEnvVarsBeforeBuild,
-        vercelStagingEnvironment: parsedIntegrationData.config.vercelStagingEnvironment,
-      },
-      syncEnvVarsMapping: parsedIntegrationData.syncEnvVarsMapping,
-      triggerProject: {
-        id: project.id,
-        name: project.name,
-        slug: project.slug,
-      },
-    })
-  );
 }
 
diff --git a/apps/webapp/app/routes/api.v1.orgs.ts b/apps/webapp/app/routes/api.v1.orgs.ts
index 626162f234b..31ef3783f3e 100644
--- a/apps/webapp/app/routes/api.v1.orgs.ts
+++ b/apps/webapp/app/routes/api.v1.orgs.ts
@@ -2,36 +2,43 @@ import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { json } from "@remix-run/server-runtime";
 import { GetOrgsResponseBody } from "@trigger.dev/core/v3";
 import { prisma } from "~/db.server";
+import { logger } from "~/services/logger.server";
 import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
 
 export async function loader({ request }: LoaderFunctionArgs) {
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
+  try {
+    const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
+    }
 
-  const orgs = await prisma.organization.findMany({
-    where: {
-      deletedAt: null,
-      members: {
-        some: {
-          userId: authenticationResult.userId,
+    const orgs = await prisma.organization.findMany({
+      where: {
+        deletedAt: null,
+        members: {
+          some: {
+            userId: authenticationResult.userId,
+          },
         },
       },
-    },
-  });
+    });
 
-  if (!orgs) {
-    return json({ error: "Orgs not found" }, { status: 404 });
-  }
+    if (!orgs) {
+      return json({ error: "Orgs not found" }, { status: 404 });
+    }
 
-  const result: GetOrgsResponseBody = orgs.map((org) => ({
-    id: org.id,
-    title: org.title,
-    slug: org.slug,
-    createdAt: org.createdAt,
-  }));
+    const result: GetOrgsResponseBody = orgs.map((org) => ({
+      id: org.id,
+      title: org.title,
+      slug: org.slug,
+      createdAt: org.createdAt,
+    }));
 
-  return json(result);
+    return json(result);
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to list orgs", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
diff --git a/apps/webapp/app/routes/api.v1.packets.$.ts b/apps/webapp/app/routes/api.v1.packets.$.ts
index 031f2854bbb..ff2cc7607a7 100644
--- a/apps/webapp/app/routes/api.v1.packets.$.ts
+++ b/apps/webapp/app/routes/api.v1.packets.$.ts
@@ -3,7 +3,7 @@ import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
 import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
-import { generatePresignedUrl } from "~/v3/objectStore.server";
+import { generatePresignedUrl, jsonPacketPresignFailure } from "~/v3/objectStore.server";
 
 const ParamsSchema = z.object({
   "*": z.string(),
@@ -34,7 +34,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
   );
 
   if (!signed.success) {
-    return json({ error: `Failed to generate presigned URL: ${signed.error}` }, { status: 500 });
+    return jsonPacketPresignFailure(signed);
   }
 
   // Caller can now use this URL to upload to that object.
@@ -59,7 +59,7 @@ export const loader = createLoaderApiRoute(
     );
 
     if (!signed.success) {
-      return json({ error: `Failed to generate presigned URL: ${signed.error}` }, { status: 500 });
+      return jsonPacketPresignFailure(signed);
     }
 
     // Caller can now use this URL to fetch that object.
diff --git a/apps/webapp/app/routes/api.v1.plain.customer-cards.ts b/apps/webapp/app/routes/api.v1.plain.customer-cards.ts
new file mode 100644
index 00000000000..fe7845c5409
--- /dev/null
+++ b/apps/webapp/app/routes/api.v1.plain.customer-cards.ts
@@ -0,0 +1,444 @@
+import { json, type ActionFunctionArgs } from "@remix-run/server-runtime";
+import { timingSafeEqual } from "crypto";
+import { uiComponent } from "@team-plain/typescript-sdk";
+import { z } from "zod";
+import { prisma } from "~/db.server";
+import { env } from "~/env.server";
+import { logger } from "~/services/logger.server";
+import { generateImpersonationToken } from "~/services/impersonation.server";
+
+// Schema for the request body from Plain
+const PlainCustomerCardRequestSchema = z.object({
+  cardKeys: z.array(z.string()),
+  customer: z
+    .object({
+      id: z.string(),
+      email: z.string().optional(),
+      externalId: z.string().optional(),
+    })
+    .refine(
+      (data) => data.email || data.externalId,
+      {
+        message: "Either customer.email or customer.externalId must be provided",
+        path: ["customer"],
+      }
+    ),
+  thread: z
+    .object({
+      id: z.string(),
+    })
+    .optional(),
+});
+
+function sanitizeHeaders(request: Request, skipHeaders?: string[]): Partial<Record<string, string>> {
+  const authHeaderName = (env.PLAIN_CUSTOMER_CARDS_HEADERS || "Authorization").toLowerCase();
+  const defaultSkipHeaders = skipHeaders || [authHeaderName, "cookie"];
+  const sanitizedHeaders: Partial<Record<string, string>> = {};
+
+  for (const [key, value] of request.headers.entries()) {
+    if (!defaultSkipHeaders.includes(key.toLowerCase())) {
+      sanitizedHeaders[key] = value;
+    }
+  }
+
+  return sanitizedHeaders;
+}
+
+// Authenticate the request from Plain
+function authenticatePlainRequest(request: Request): boolean {
+  const authHeaderName = env.PLAIN_CUSTOMER_CARDS_HEADERS || "Authorization";
+  const authHeader = request.headers.get(authHeaderName);
+  const expectedSecret = env.PLAIN_CUSTOMER_CARDS_SECRET;
+  if (!expectedSecret) {
+    logger.warn("PLAIN_CUSTOMER_CARDS_SECRET not configured");
+    return false;
+  }
+
+  if (!authHeader) {
+    return false;
+  }
+
+  // Support both "Bearer <token>" and plain token formats
+  const token = authHeader.startsWith("Bearer ") ? authHeader.slice(7) : authHeader;
+
+  // Use constant-time comparison to prevent timing attacks
+  const encoder = new TextEncoder();
+  const tokenBuffer = encoder.encode(token);
+  const secretBuffer = encoder.encode(expectedSecret);
+  if (tokenBuffer.byteLength !== secretBuffer.byteLength) {
+    return false;
+  }
+  return timingSafeEqual(tokenBuffer, secretBuffer);
+}
+
+export async function action({ request }: ActionFunctionArgs) {
+  // Only accept POST requests
+  if (request.method !== "POST") {
+    return json({ error: "Method not allowed" }, { status: 405 });
+  }
+
+  // Authenticate the request
+  if (!authenticatePlainRequest(request)) {
+    logger.warn("Unauthorized Plain customer card request", {
+      headers: sanitizeHeaders(request),
+    });
+    return json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  // Parse JSON with separate error handling for malformed JSON
+  let body: unknown;
+  try {
+    body = await request.json();
+  } catch (error) {
+    // Handle JSON parsing errors as client errors (400) instead of server errors (500)
+    if (error instanceof SyntaxError || error instanceof TypeError) {
+      logger.warn("Malformed JSON in Plain customer card request", {
+        error: error.message,
+      });
+      return json({ error: "Invalid JSON in request body" }, { status: 400 });
+    }
+    // Re-throw unexpected errors to be caught by outer catch
+    throw error;
+  }
+
+  // Validate the request body schema
+  const parsed = PlainCustomerCardRequestSchema.safeParse(body);
+
+  if (!parsed.success) {
+    logger.warn("Invalid Plain customer card request", {
+      errors: parsed.error.errors,
+    });
+    return json({ error: "Invalid request body" }, { status: 400 });
+  }
+
+  try {
+
+    const { customer, cardKeys } = parsed.data;
+
+    const userInclude = {
+      orgMemberships: {
+        where: {
+          organization: { deletedAt: null },
+        },
+        include: {
+          organization: {
+            include: {
+              projects: {
+                where: { deletedAt: null },
+                take: 10,
+                orderBy: { createdAt: "desc" as const },
+              },
+            },
+          },
+        },
+      },
+    };
+
+    const where = customer.externalId
+      ? { id: customer.externalId }
+      : customer.email
+      ? { email: customer.email }
+      : null;
+
+    const user = where ? await prisma.user.findFirst({ where, include: userInclude }) : null;
+
+    // If user not found, return empty cards
+    if (!user) {
+      logger.info("User not found for Plain customer card request", {
+        customerId: customer.id,
+        externalId: customer.externalId,
+        hasEmail: !!customer.email,
+      });
+      return json({ cards: [] });
+    }
+
+    // Build cards based on requested cardKeys
+    const cards = [];
+
+    const accountDetailsKey = env.PLAIN_CUSTOMER_CARDS_KEY || "account-details";
+    for (const cardKey of cardKeys) {
+      switch (cardKey) {
+        case accountDetailsKey: {
+          // Generate a signed one-time token for impersonation
+          const impersonationToken = await generateImpersonationToken(user.id);
+          // Build the impersonate URL with token for CSRF protection
+          const impersonateUrl = `${env.APP_ORIGIN}/admin/impersonate?impersonate=${user.id}&impersonationToken=${encodeURIComponent(impersonationToken)}`;
+
+          cards.push({
+            key: accountDetailsKey,
+            timeToLiveSeconds: 15, 
+            components: [
+              uiComponent.container({
+                content: [
+                  uiComponent.text({
+                    text: "Account Details",
+                    size: "L",
+                    color: "NORMAL",
+                  }),
+                  uiComponent.spacer({ size: "M" }),
+                  uiComponent.row({
+                    mainContent: [
+                      uiComponent.text({
+                        text: "User ID",
+                        size: "S",
+                        color: "MUTED",
+                      }),
+                    ],
+                    asideContent: [
+                      uiComponent.copyButton({
+                        value: user.id,
+                        tooltip: "Copy",
+                      }),
+                    ],
+                  }),
+                  uiComponent.spacer({ size: "S" }),
+                  uiComponent.row({
+                    mainContent: [
+                      uiComponent.text({
+                        text: "Email",
+                        size: "S",
+                        color: "MUTED",
+                      }),
+                    ],
+                    asideContent: [
+                      uiComponent.text({
+                        text: user.email,
+                        size: "S",
+                        color: "NORMAL",
+                      }),
+                    ],
+                  }),
+                  uiComponent.spacer({ size: "S" }),
+                  uiComponent.row({
+                    mainContent: [
+                      uiComponent.text({
+                        text: "Name",
+                        size: "S",
+                        color: "MUTED",
+                      }),
+                    ],
+                    asideContent: [
+                      uiComponent.text({
+                        text: user.name || user.displayName || "N/A",
+                        size: "S",
+                        color: "NORMAL",
+                      }),
+                    ],
+                  }),
+                  uiComponent.spacer({ size: "S" }),
+                  uiComponent.row({
+                    mainContent: [
+                      uiComponent.text({
+                        text: "Member Since",
+                        size: "S",
+                        color: "MUTED",
+                      }),
+                    ],
+                    asideContent: [
+                      uiComponent.text({
+                        text: new Date(user.createdAt).toLocaleDateString(),
+                        size: "S",
+                        color: "NORMAL",
+                      }),
+                    ],
+                  }),
+                  uiComponent.spacer({ size: "M" }),
+                  uiComponent.divider({ spacingSize: "M" }),
+                  uiComponent.spacer({ size: "M" }),
+                  uiComponent.linkButton({
+                    label: "Impersonate User",
+                    url: impersonateUrl,
+                  }),
+                ],
+              }),
+            ],
+          });
+          break;
+        }
+
+        case "organizations": {
+          if (user.orgMemberships.length === 0) {
+            cards.push({
+              key: "organizations",
+              timeToLiveSeconds: 300,
+              components: [
+                uiComponent.container({
+                  content: [
+                    uiComponent.text({
+                      text: "Organizations",
+                      size: "L",
+                      color: "NORMAL",
+                    }),
+                    uiComponent.spacer({ size: "M" }),
+                    uiComponent.text({
+                      text: "No organizations found",
+                      size: "S",
+                      color: "MUTED",
+                    }),
+                  ],
+                }),
+              ],
+            });
+            break;
+          }
+
+          const orgComponents = user.orgMemberships.flatMap(
+            (
+              membership: (typeof user.orgMemberships)[0],
+              index: number
+            ) => {
+              const org = membership.organization;
+              const projectCount = org.projects.length;
+
+              return [
+                ...(index > 0 ? [uiComponent.divider({ spacingSize: "M" })] : []),
+                uiComponent.text({
+                  text: org.title,
+                  size: "M",
+                  color: "NORMAL",
+                }),
+                uiComponent.spacer({ size: "XS" }),
+                uiComponent.row({
+                  mainContent: [
+                    uiComponent.badge({
+                      label: membership.role,
+                      color: membership.role === "ADMIN" ? "BLUE" : "GREY",
+                    }),
+                  ],
+                  asideContent: [
+                    uiComponent.text({
+                      text: `${projectCount} recent project${projectCount !== 1 ? "s" : ""}`,
+                      size: "S",
+                      color: "MUTED",
+                    }),
+                  ],
+                }),
+                uiComponent.spacer({ size: "XS" }),
+                uiComponent.linkButton({
+                  label: "View in Dashboard",
+                  url: `${env.APP_ORIGIN}/@/orgs/${org.slug}`,
+                }),
+              ];
+            }
+          );
+
+          cards.push({
+            key: "organizations",
+            timeToLiveSeconds: 300,
+            components: [
+              uiComponent.container({
+                content: [
+                  uiComponent.text({
+                    text: "Organizations",
+                    size: "L",
+                    color: "NORMAL",
+                  }),
+                  uiComponent.spacer({ size: "M" }),
+                  ...orgComponents,
+                ],
+              }),
+            ],
+          });
+          break;
+        }
+
+        case "projects": {
+          const allProjects = user.orgMemberships.flatMap((membership) =>
+            membership.organization.projects.map((project) => ({
+              ...project,
+              orgSlug: membership.organization.slug,
+            }))
+          );
+
+          if (allProjects.length === 0) {
+            cards.push({
+              key: "projects",
+              timeToLiveSeconds: 300,
+              components: [
+                uiComponent.container({
+                  content: [
+                    uiComponent.text({
+                      text: "Projects",
+                      size: "L",
+                      color: "NORMAL",
+                    }),
+                    uiComponent.spacer({ size: "M" }),
+                    uiComponent.text({
+                      text: "No projects found",
+                      size: "S",
+                      color: "MUTED",
+                    }),
+                  ],
+                }),
+              ],
+            });
+            break;
+          }
+
+          const projectComponents = allProjects.slice(0, 10).flatMap(
+            (
+              project: typeof allProjects[0] & { orgSlug: string },
+              index: number
+            ) => {
+              return [
+                ...(index > 0 ? [uiComponent.divider({ spacingSize: "M" })] : []),
+                uiComponent.text({
+                  text: project.name,
+                  size: "M",
+                  color: "NORMAL",
+                }),
+                uiComponent.spacer({ size: "XS" }),
+                uiComponent.row({
+                  mainContent: [
+                    uiComponent.badge({
+                      label: project.version,
+                      color: project.version === "V3" ? "GREEN" : "GREY",
+                    }),
+                  ],
+                  asideContent: [
+                    uiComponent.linkButton({
+                      label: "View",
+                      url: `${env.APP_ORIGIN}/@/orgs/${project.orgSlug}/projects/${project.slug}`,
+                    }),
+                  ],
+                }),
+              ];
+            }
+          );
+
+          cards.push({
+            key: "projects",
+            timeToLiveSeconds: 300,
+            components: [
+              uiComponent.container({
+                content: [
+                  uiComponent.text({
+                    text: "Projects",
+                    size: "L",
+                    color: "NORMAL",
+                  }),
+                  uiComponent.spacer({ size: "M" }),
+                  ...projectComponents,
+                ],
+              }),
+            ],
+          });
+          break;
+        }
+
+        default:
+          // Unknown card key - skip it
+          logger.info("Unknown card key requested", { cardKey });
+          break;
+      }
+    }
+
+    return json({ cards });
+  } catch (error) {
+    logger.error("Error processing Plain customer card request", {
+      error: error instanceof Error ? error.message : String(error),
+      stack: error instanceof Error ? error.stack : undefined,
+    });
+    return json({ error: "Internal server error" }, { status: 500 });
+  }
+}
diff --git a/apps/webapp/app/routes/api.v1.projects.$projectRef.$env.jwt.ts b/apps/webapp/app/routes/api.v1.projects.$projectRef.$env.jwt.ts
index e4b48ece05e..b9cb61e1f20 100644
--- a/apps/webapp/app/routes/api.v1.projects.$projectRef.$env.jwt.ts
+++ b/apps/webapp/app/routes/api.v1.projects.$projectRef.$env.jwt.ts
@@ -5,6 +5,7 @@ import {
   authenticatedEnvironmentForAuthentication,
   authenticateRequest,
 } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 
 const ParamsSchema = z.object({
   projectRef: z.string(),
@@ -21,52 +22,58 @@ const RequestBodySchema = z.object({
 });
 
 export async function action({ request, params }: ActionFunctionArgs) {
-  const authenticationResult = await authenticateRequest(request, {
-    personalAccessToken: true,
-    organizationAccessToken: true,
-    apiKey: false,
-  });
+  try {
+    const authenticationResult = await authenticateRequest(request, {
+      personalAccessToken: true,
+      organizationAccessToken: true,
+      apiKey: false,
+    });
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
+    }
 
-  const parsedParams = ParamsSchema.safeParse(params);
+    const parsedParams = ParamsSchema.safeParse(params);
 
-  if (!parsedParams.success) {
-    return json({ error: "Invalid Params" }, { status: 400 });
-  }
+    if (!parsedParams.success) {
+      return json({ error: "Invalid Params" }, { status: 400 });
+    }
 
-  const { projectRef, env } = parsedParams.data;
-  const triggerBranch = request.headers.get("x-trigger-branch") ?? undefined;
+    const { projectRef, env } = parsedParams.data;
+    const triggerBranch = request.headers.get("x-trigger-branch") ?? undefined;
 
-  const runtimeEnv = await authenticatedEnvironmentForAuthentication(
-    authenticationResult,
-    projectRef,
-    env,
-    triggerBranch
-  );
+    const runtimeEnv = await authenticatedEnvironmentForAuthentication(
+      authenticationResult,
+      projectRef,
+      env,
+      triggerBranch
+    );
 
-  const parsedBody = RequestBodySchema.safeParse(await request.json());
+    const parsedBody = RequestBodySchema.safeParse(await request.json());
 
-  if (!parsedBody.success) {
-    return json(
-      { error: "Invalid request body", issues: parsedBody.error.issues },
-      { status: 400 }
-    );
-  }
+    if (!parsedBody.success) {
+      return json(
+        { error: "Invalid request body", issues: parsedBody.error.issues },
+        { status: 400 }
+      );
+    }
 
-  const claims = {
-    sub: runtimeEnv.id,
-    pub: true,
-    ...parsedBody.data.claims,
-  };
+    const claims = {
+      sub: runtimeEnv.id,
+      pub: true,
+      ...parsedBody.data.claims,
+    };
 
-  const jwt = await internal_generateJWT({
-    secretKey: runtimeEnv.apiKey,
-    payload: claims,
-    expirationTime: parsedBody.data.expirationTime ?? "1h",
-  });
+    const jwt = await internal_generateJWT({
+      secretKey: runtimeEnv.apiKey,
+      payload: claims,
+      expirationTime: parsedBody.data.expirationTime ?? "1h",
+    });
 
-  return json({ token: jwt });
+    return json({ token: jwt });
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to generate env JWT", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
diff --git a/apps/webapp/app/routes/api.v1.projects.$projectRef.$env.ts b/apps/webapp/app/routes/api.v1.projects.$projectRef.$env.ts
index e0349aab558..218cc580dd3 100644
--- a/apps/webapp/app/routes/api.v1.projects.$projectRef.$env.ts
+++ b/apps/webapp/app/routes/api.v1.projects.$projectRef.$env.ts
@@ -7,6 +7,7 @@ import {
   authenticateRequest,
   branchNameFromRequest,
 } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 
 const ParamsSchema = z.object({
   projectRef: z.string(),
@@ -24,25 +25,31 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
 
   const { projectRef, env } = parsedParams.data;
 
-  const authenticationResult = await authenticateRequest(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
+  try {
+    const authenticationResult = await authenticateRequest(request);
+
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
+
+    const environment = await authenticatedEnvironmentForAuthentication(
+      authenticationResult,
+      projectRef,
+      env,
+      branchNameFromRequest(request)
+    );
+
+    const result: GetProjectEnvResponse = {
+      apiKey: environment.apiKey,
+      name: environment.project.name,
+      apiUrl: processEnv.API_ORIGIN ?? processEnv.APP_ORIGIN,
+      projectId: environment.project.id,
+    };
+
+    return json(result);
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to load project env", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
-
-  const environment = await authenticatedEnvironmentForAuthentication(
-    authenticationResult,
-    projectRef,
-    env,
-    branchNameFromRequest(request)
-  );
-
-  const result: GetProjectEnvResponse = {
-    apiKey: environment.apiKey,
-    name: environment.project.name,
-    apiUrl: processEnv.API_ORIGIN ?? processEnv.APP_ORIGIN,
-    projectId: environment.project.id,
-  };
-
-  return json(result);
 }
diff --git a/apps/webapp/app/routes/api.v1.projects.$projectRef.$env.workers.$tagName.ts b/apps/webapp/app/routes/api.v1.projects.$projectRef.$env.workers.$tagName.ts
index ddb398b4c21..07774339dc8 100644
--- a/apps/webapp/app/routes/api.v1.projects.$projectRef.$env.workers.$tagName.ts
+++ b/apps/webapp/app/routes/api.v1.projects.$projectRef.$env.workers.$tagName.ts
@@ -9,6 +9,7 @@ import {
   authenticatedEnvironmentForAuthentication,
   authenticateRequest,
 } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 
 const ParamsSchema = z.object({
   projectRef: z.string(),
@@ -23,34 +24,37 @@ const HeadersSchema = z.object({
 type ParamsSchema = z.infer<typeof ParamsSchema>;
 
 export async function loader({ request, params }: LoaderFunctionArgs) {
-  const authenticationResult = await authenticateRequest(request, {
-    personalAccessToken: true,
-    organizationAccessToken: true,
-    apiKey: false,
-  });
+  try {
+    const authenticationResult = await authenticateRequest(request, {
+      personalAccessToken: true,
+      organizationAccessToken: true,
+      apiKey: false,
+    });
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
+    }
 
-  const parsedParams = ParamsSchema.safeParse(params);
+    const parsedParams = ParamsSchema.safeParse(params);
 
-  if (!parsedParams.success) {
-    return json({ error: "Invalid Params" }, { status: 400 });
-  }
-  const { projectRef, env } = parsedParams.data;
+    if (!parsedParams.success) {
+      return json({ error: "Invalid Params" }, { status: 400 });
+    }
+    const { projectRef, env } = parsedParams.data;
 
-  const parsedHeaders = HeadersSchema.safeParse(Object.fromEntries(request.headers));
-  const triggerBranch = parsedHeaders.success ? parsedHeaders.data["x-trigger-branch"] : undefined;
+    const parsedHeaders = HeadersSchema.safeParse(Object.fromEntries(request.headers));
+    const triggerBranch = parsedHeaders.success
+      ? parsedHeaders.data["x-trigger-branch"]
+      : undefined;
 
-  const runtimeEnv = await authenticatedEnvironmentForAuthentication(
-    authenticationResult,
-    projectRef,
-    env,
-    triggerBranch
-  );
+    const runtimeEnv = await authenticatedEnvironmentForAuthentication(
+      authenticationResult,
+      projectRef,
+      env,
+      triggerBranch
+    );
 
-  const currentWorker = await findCurrentWorkerFromEnvironment(
+    const currentWorker = await findCurrentWorkerFromEnvironment(
     {
       id: runtimeEnv.id,
       type: runtimeEnv.type,
@@ -109,5 +113,10 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
     urls,
   };
 
-  return json(response);
+    return json(response);
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to load worker by tag", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
diff --git a/apps/webapp/app/routes/api.v1.projects.$projectRef.alertChannels.ts b/apps/webapp/app/routes/api.v1.projects.$projectRef.alertChannels.ts
index ebc5b176478..73597075615 100644
--- a/apps/webapp/app/routes/api.v1.projects.$projectRef.alertChannels.ts
+++ b/apps/webapp/app/routes/api.v1.projects.$projectRef.alertChannels.ts
@@ -5,6 +5,7 @@ import {
   ApiAlertChannelPresenter,
   ApiCreateAlertChannel,
 } from "~/presenters/v3/ApiAlertChannelPresenter.server";
+import { logger } from "~/services/logger.server";
 import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server";
 import { CreateAlertChannelService } from "~/v3/services/alerts/createAlertChannel.server";
 import { ServiceValidationError } from "~/v3/services/baseService.server";
@@ -14,83 +15,87 @@ const ParamsSchema = z.object({
 });
 
 export async function action({ request, params }: ActionFunctionArgs) {
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
+  try {
+    const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
+    }
 
-  const parsedParams = ParamsSchema.safeParse(params);
+    const parsedParams = ParamsSchema.safeParse(params);
 
-  if (!parsedParams.success) {
-    return json({ error: "Invalid Params" }, { status: 400 });
-  }
-
-  const { projectRef } = parsedParams.data;
+    if (!parsedParams.success) {
+      return json({ error: "Invalid Params" }, { status: 400 });
+    }
 
-  const rawBody = await request.json();
+    const { projectRef } = parsedParams.data;
 
-  const body = ApiCreateAlertChannel.safeParse(rawBody);
+    const rawBody = await request.json();
 
-  if (!body.success) {
-    return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
-  }
+    const body = ApiCreateAlertChannel.safeParse(rawBody);
 
-  const service = new CreateAlertChannelService();
+    if (!body.success) {
+      return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
+    }
 
-  try {
-    if (body.data.channel === "email") {
-      if (!body.data.channelData.email) {
-        return json({ error: "Email is required" }, { status: 422 });
+    const service = new CreateAlertChannelService();
+
+    try {
+      if (body.data.channel === "email") {
+        if (!body.data.channelData.email) {
+          return json({ error: "Email is required" }, { status: 422 });
+        }
+
+        const alertChannel = await service.call(projectRef, authenticationResult.userId, {
+          name: body.data.name,
+          alertTypes: body.data.alertTypes.map((type) =>
+            ApiAlertChannelPresenter.alertTypeFromApi(type)
+          ),
+          channel: {
+            type: "EMAIL",
+            email: body.data.channelData.email,
+          },
+          deduplicationKey: body.data.deduplicationKey,
+          environmentTypes: body.data.environmentTypes,
+        });
+
+        return json(await ApiAlertChannelPresenter.alertChannelToApi(alertChannel));
       }
 
-      const alertChannel = await service.call(projectRef, authenticationResult.userId, {
-        name: body.data.name,
-        alertTypes: body.data.alertTypes.map((type) =>
-          ApiAlertChannelPresenter.alertTypeFromApi(type)
-        ),
-        channel: {
-          type: "EMAIL",
-          email: body.data.channelData.email,
-        },
-        deduplicationKey: body.data.deduplicationKey,
-        environmentTypes: body.data.environmentTypes,
-      });
-
-      return json(await ApiAlertChannelPresenter.alertChannelToApi(alertChannel));
-    }
+      if (body.data.channel === "webhook") {
+        if (!body.data.channelData.url) {
+          return json({ error: "webhook url is required" }, { status: 422 });
+        }
+
+        const alertChannel = await service.call(projectRef, authenticationResult.userId, {
+          name: body.data.name,
+          alertTypes: body.data.alertTypes.map((type) =>
+            ApiAlertChannelPresenter.alertTypeFromApi(type)
+          ),
+          channel: {
+            type: "WEBHOOK",
+            url: body.data.channelData.url,
+            secret: body.data.channelData.secret,
+          },
+          deduplicationKey: body.data.deduplicationKey,
+          environmentTypes: body.data.environmentTypes,
+        });
+
+        return json(await ApiAlertChannelPresenter.alertChannelToApi(alertChannel));
+      }
 
-    if (body.data.channel === "webhook") {
-      if (!body.data.channelData.url) {
-        return json({ error: "webhook url is required" }, { status: 422 });
+      return json({ error: "Invalid channel type" }, { status: 422 });
+    } catch (error) {
+      if (error instanceof ServiceValidationError) {
+        return json({ error: error.message }, { status: 422 });
       }
 
-      const alertChannel = await service.call(projectRef, authenticationResult.userId, {
-        name: body.data.name,
-        alertTypes: body.data.alertTypes.map((type) =>
-          ApiAlertChannelPresenter.alertTypeFromApi(type)
-        ),
-        channel: {
-          type: "WEBHOOK",
-          url: body.data.channelData.url,
-          secret: body.data.channelData.secret,
-        },
-        deduplicationKey: body.data.deduplicationKey,
-        environmentTypes: body.data.environmentTypes,
-      });
-
-      return json(await ApiAlertChannelPresenter.alertChannelToApi(alertChannel));
+      logger.error("Failed to create alert channel", { error });
+      return json({ error: "Something went wrong, please try again." }, { status: 500 });
     }
-
-    return json({ error: "Invalid channel type" }, { status: 422 });
   } catch (error) {
-    if (error instanceof ServiceValidationError) {
-      return json({ error: error.message }, { status: 422 });
-    }
-
-    return json(
-      { error: error instanceof Error ? error.message : "Internal Server Error" },
-      { status: 500 }
-    );
+    if (error instanceof Response) throw error;
+    logger.error("Failed to create alert channel (outer)", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v1.projects.$projectRef.background-workers.$envSlug.$version.ts b/apps/webapp/app/routes/api.v1.projects.$projectRef.background-workers.$envSlug.$version.ts
index 6b044c9e833..e09bc510d91 100644
--- a/apps/webapp/app/routes/api.v1.projects.$projectRef.background-workers.$envSlug.$version.ts
+++ b/apps/webapp/app/routes/api.v1.projects.$projectRef.background-workers.$envSlug.$version.ts
@@ -6,6 +6,7 @@ import {
   authenticatedEnvironmentForAuthentication,
   branchNameFromRequest,
 } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 import zlib from "node:zlib";
 
 const ParamsSchema = z.object({
@@ -21,44 +22,45 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  const authenticationResult = await authenticateRequest(request);
+  try {
+    const authenticationResult = await authenticateRequest(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const environment = await authenticatedEnvironmentForAuthentication(
-    authenticationResult,
-    parsedParams.data.projectRef,
-    parsedParams.data.envSlug,
-    branchNameFromRequest(request)
-  );
+    const environment = await authenticatedEnvironmentForAuthentication(
+      authenticationResult,
+      parsedParams.data.projectRef,
+      parsedParams.data.envSlug,
+      branchNameFromRequest(request)
+    );
 
-  // Find the background worker and tasks and files
-  const backgroundWorker = await prisma.backgroundWorker.findFirst({
-    where: {
-      runtimeEnvironmentId: environment.id,
-      version: parsedParams.data.version,
-    },
-    include: {
-      tasks: true,
-      files: {
-        include: {
-          tasks: {
-            select: {
-              slug: true,
+    // Find the background worker and tasks and files
+    const backgroundWorker = await prisma.backgroundWorker.findFirst({
+      where: {
+        runtimeEnvironmentId: environment.id,
+        version: parsedParams.data.version,
+      },
+      include: {
+        tasks: true,
+        files: {
+          include: {
+            tasks: {
+              select: {
+                slug: true,
+              },
             },
           },
         },
       },
-    },
-  });
+    });
 
-  if (!backgroundWorker) {
-    return json({ error: "Background worker not found" }, { status: 404 });
-  }
+    if (!backgroundWorker) {
+      return json({ error: "Background worker not found" }, { status: 404 });
+    }
 
-  return json({
+    return json({
     id: backgroundWorker.friendlyId,
     version: backgroundWorker.version,
     cliVersion: backgroundWorker.cliVersion,
@@ -74,14 +76,19 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
       retryConfig: task.retryConfig,
       queueConfig: task.queueConfig,
     })),
-    files: backgroundWorker.files.map((file) => ({
-      id: file.friendlyId,
-      filePath: file.filePath,
-      contentHash: file.contentHash,
-      contents: decompressContent(file.contents),
-      tasks: Array.from(new Set(file.tasks.map((task) => task.slug))),
-    })),
-  });
+      files: backgroundWorker.files.map((file) => ({
+        id: file.friendlyId,
+        filePath: file.filePath,
+        contentHash: file.contentHash,
+        contents: decompressContent(file.contents),
+        tasks: Array.from(new Set(file.tasks.map((task) => task.slug))),
+      })),
+    });
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to load background worker", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
 
 function decompressContent(compressedBuffer: Uint8Array): string {
diff --git a/apps/webapp/app/routes/api.v1.projects.$projectRef.background-workers.ts b/apps/webapp/app/routes/api.v1.projects.$projectRef.background-workers.ts
index 872ca6f2f53..12e5eb24dde 100644
--- a/apps/webapp/app/routes/api.v1.projects.$projectRef.background-workers.ts
+++ b/apps/webapp/app/routes/api.v1.projects.$projectRef.background-workers.ts
@@ -25,47 +25,59 @@ export async function action({ request, params }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
+  try {
+    // Next authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
 
-  if (!authenticationResult) {
-    logger.info("Invalid or missing api key", { url: request.url });
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      logger.info("Invalid or missing api key", { url: request.url });
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const authenticatedEnv = authenticationResult.environment;
+    const authenticatedEnv = authenticationResult.environment;
 
-  const { projectRef } = parsedParams.data;
+    const { projectRef } = parsedParams.data;
 
-  const rawBody = await request.json();
-  const body = CreateBackgroundWorkerRequestBody.safeParse(rawBody);
+    const rawBody = await request.json();
+    const body = CreateBackgroundWorkerRequestBody.safeParse(rawBody);
 
-  if (!body.success) {
-    return json({ error: "Invalid body", issues: body.error.issues }, { status: 400 });
-  }
+    if (!body.success) {
+      return json({ error: "Invalid body", issues: body.error.issues }, { status: 400 });
+    }
 
-  const service = new CreateBackgroundWorkerService();
+    const service = new CreateBackgroundWorkerService();
 
-  try {
-    const backgroundWorker = await service.call(projectRef, authenticatedEnv, body.data);
+    try {
+      const backgroundWorker = await service.call(projectRef, authenticatedEnv, body.data);
 
-    return json(
-      {
-        id: backgroundWorker.friendlyId,
-        version: backgroundWorker.version,
-        contentHash: backgroundWorker.contentHash,
-      },
-      { status: 200 }
-    );
-  } catch (e) {
-    logger.error("Failed to create background worker", { error: JSON.stringify(e) });
+      return json(
+        {
+          id: backgroundWorker.friendlyId,
+          version: backgroundWorker.version,
+          contentHash: backgroundWorker.contentHash,
+        },
+        { status: 200 }
+      );
+    } catch (e) {
+      // Customer-facing validation failures (invalid task config, customer cron
+      // expression, etc.). The handler returns 4xx with the message; system
+      // handles it gracefully, no alert needed.
+      if (e instanceof ServiceValidationError) {
+        logger.warn("Failed to create background worker", { error: e.message });
+        return json({ error: e.message }, { status: 400 });
+      }
+      if (e instanceof CreateDeclarativeScheduleError) {
+        logger.warn("Failed to create background worker", { error: e.message });
+        return json({ error: e.message }, { status: 400 });
+      }
 
-    if (e instanceof ServiceValidationError) {
-      return json({ error: e.message }, { status: 400 });
-    } else if (e instanceof CreateDeclarativeScheduleError) {
-      return json({ error: e.message }, { status: 400 });
-    }
+      logger.error("Failed to create background worker", { error: e });
 
-    return json({ error: "Failed to create background worker" }, { status: 500 });
+      return json({ error: "Failed to create background worker" }, { status: 500 });
+    }
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to create project background worker", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v1.projects.$projectRef.dev-status.ts b/apps/webapp/app/routes/api.v1.projects.$projectRef.dev-status.ts
index f5f632a8223..7d536042fe6 100644
--- a/apps/webapp/app/routes/api.v1.projects.$projectRef.dev-status.ts
+++ b/apps/webapp/app/routes/api.v1.projects.$projectRef.dev-status.ts
@@ -5,37 +5,44 @@ import {
   authenticatedEnvironmentForAuthentication,
   authenticateRequest,
 } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 
 const ParamsSchema = z.object({
   projectRef: z.string(),
 });
 
 export async function loader({ request, params }: LoaderFunctionArgs) {
-  const authenticationResult = await authenticateRequest(request, {
-    personalAccessToken: true,
-    organizationAccessToken: true,
-    apiKey: false,
-  });
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
+  try {
+    const authenticationResult = await authenticateRequest(request, {
+      personalAccessToken: true,
+      organizationAccessToken: true,
+      apiKey: false,
+    });
+
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
+    }
+
+    const parsedParams = ParamsSchema.safeParse(params);
+
+    if (!parsedParams.success) {
+      return json({ error: "Invalid Params" }, { status: 400 });
+    }
+
+    const { projectRef } = parsedParams.data;
+
+    const runtimeEnv = await authenticatedEnvironmentForAuthentication(
+      authenticationResult,
+      projectRef,
+      "dev"
+    );
+
+    const isConnected = await devPresence.isConnected(runtimeEnv.id);
+
+    return json({ isConnected });
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to load dev status", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
-
-  const parsedParams = ParamsSchema.safeParse(params);
-
-  if (!parsedParams.success) {
-    return json({ error: "Invalid Params" }, { status: 400 });
-  }
-
-  const { projectRef } = parsedParams.data;
-
-  const runtimeEnv = await authenticatedEnvironmentForAuthentication(
-    authenticationResult,
-    projectRef,
-    "dev"
-  );
-
-  const isConnected = await devPresence.isConnected(runtimeEnv.id);
-
-  return json({ isConnected });
 }
diff --git a/apps/webapp/app/routes/api.v1.projects.$projectRef.environments.ts b/apps/webapp/app/routes/api.v1.projects.$projectRef.environments.ts
new file mode 100644
index 00000000000..32ba74d0a79
--- /dev/null
+++ b/apps/webapp/app/routes/api.v1.projects.$projectRef.environments.ts
@@ -0,0 +1,71 @@
+import { json } from "@remix-run/server-runtime";
+import { type GetProjectEnvironmentsResponseBody } from "@trigger.dev/core/v3";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { findProjectByRef } from "~/models/project.server";
+import { createLoaderPATApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import { sortEnvironments } from "~/utils/environmentSort";
+
+const ParamsSchema = z.object({
+  projectRef: z.string(),
+});
+
+export const loader = createLoaderPATApiRoute(
+  {
+    params: ParamsSchema,
+    corsStrategy: "all",
+    // Resolve projectRef → org so the PAT plugin can ground its role-floor
+    // calculation. Membership is enforced by the plugin (`authenticatePat`
+    // rejects users who aren't members of the target org) and again by
+    // `findProjectByRef` below.
+    context: async (params) => {
+      const project = await $replica.project.findFirst({
+        where: { externalRef: params.projectRef },
+        select: { organizationId: true },
+      });
+      return project ? { organizationId: project.organizationId } : {};
+    },
+    authorization: { action: "read", resource: () => ({ type: "environments" }) },
+  },
+  async ({ params, authentication }) => {
+    const project = await findProjectByRef(params.projectRef, authentication.userId);
+
+    if (!project) {
+      return json({ error: "Project not found" }, { status: 404 });
+    }
+
+    const environments = await $replica.runtimeEnvironment.findMany({
+      where: {
+        projectId: project.id,
+        // Only base/parent environments. Branch children (preview branches)
+        // are excluded — syncs target the parent and branches override elsewhere.
+        parentEnvironmentId: null,
+        archivedAt: null,
+        OR: [
+          { type: { in: ["STAGING", "PRODUCTION", "PREVIEW"] } },
+          // dev is per-user: only return the caller's own dev environment
+          { type: "DEVELOPMENT", orgMember: { userId: authentication.userId } },
+        ],
+      },
+      select: {
+        id: true,
+        slug: true,
+        type: true,
+        isBranchableEnvironment: true,
+        branchName: true,
+        paused: true,
+      },
+    });
+
+    const result: GetProjectEnvironmentsResponseBody = sortEnvironments(environments).map((env) => ({
+      id: env.id,
+      slug: env.slug,
+      type: env.type,
+      isBranchableEnvironment: env.isBranchableEnvironment,
+      branchName: env.branchName,
+      paused: env.paused,
+    }));
+
+    return json(result);
+  }
+);
diff --git a/apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.$name.ts b/apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.$name.ts
index e3081b090e3..00e155622ce 100644
--- a/apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.$name.ts
+++ b/apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.$name.ts
@@ -7,6 +7,7 @@ import {
   authenticatedEnvironmentForAuthentication,
   branchNameFromRequest,
 } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 import { EnvironmentVariablesRepository } from "~/v3/environmentVariables/environmentVariablesRepository.server";
 
 const ParamsSchema = z.object({
@@ -22,73 +23,82 @@ export async function action({ params, request }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  const authenticationResult = await authenticateRequest(request);
+  try {
+    const authenticationResult = await authenticateRequest(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
-
-  const environment = await authenticatedEnvironmentForAuthentication(
-    authenticationResult,
-    parsedParams.data.projectRef,
-    parsedParams.data.slug,
-    branchNameFromRequest(request)
-  );
-
-  // Find the environment variable
-  const variable = await prisma.environmentVariable.findFirst({
-    where: {
-      key: parsedParams.data.name,
-      projectId: environment.project.id,
-    },
-  });
-
-  if (!variable) {
-    return json({ error: "Environment variable not found" }, { status: 404 });
-  }
-
-  const repository = new EnvironmentVariablesRepository();
-
-  switch (request.method.toUpperCase()) {
-    case "DELETE": {
-      const result = await repository.deleteValue(environment.project.id, {
-        id: variable.id,
-        environmentId: environment.id,
-      });
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-      if (result.success) {
-        return json({ success: true });
-      } else {
-        return json({ error: result.error }, { status: 400 });
-      }
+    const environment = await authenticatedEnvironmentForAuthentication(
+      authenticationResult,
+      parsedParams.data.projectRef,
+      parsedParams.data.slug,
+      branchNameFromRequest(request)
+    );
+
+    // Find the environment variable
+    const variable = await prisma.environmentVariable.findFirst({
+      where: {
+        key: parsedParams.data.name,
+        projectId: environment.project.id,
+      },
+    });
+
+    if (!variable) {
+      return json({ error: "Environment variable not found" }, { status: 404 });
     }
-    case "PUT":
-    case "POST": {
-      const jsonBody = await request.json();
 
-      const body = UpdateEnvironmentVariableRequestBody.safeParse(jsonBody);
+    const repository = new EnvironmentVariablesRepository();
 
-      if (!body.success) {
-        return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
-      }
+    switch (request.method.toUpperCase()) {
+      case "DELETE": {
+        const result = await repository.deleteValue(environment.project.id, {
+          id: variable.id,
+          environmentId: environment.id,
+        });
 
-      const result = await repository.edit(environment.project.id, {
-        values: [
-          {
-            value: body.data.value,
-            environmentId: environment.id,
-          },
-        ],
-        id: variable.id,
-        keepEmptyValues: true,
-      });
-
-      if (result.success) {
-        return json({ success: true });
-      } else {
-        return json({ error: result.error }, { status: 400 });
+        if (result.success) {
+          return json({ success: true });
+        } else {
+          return json({ error: result.error }, { status: 400 });
+        }
+      }
+      case "PUT":
+      case "POST": {
+        const jsonBody = await request.json();
+
+        const body = UpdateEnvironmentVariableRequestBody.safeParse(jsonBody);
+
+        if (!body.success) {
+          return json(
+            { error: "Invalid request body", issues: body.error.issues },
+            { status: 400 }
+          );
+        }
+
+        const result = await repository.edit(environment.project.id, {
+          values: [
+            {
+              value: body.data.value,
+              environmentId: environment.id,
+            },
+          ],
+          id: variable.id,
+          keepEmptyValues: true,
+        });
+
+        if (result.success) {
+          return json({ success: true });
+        } else {
+          return json({ error: result.error }, { status: 400 });
+        }
       }
     }
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to update environment variable", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
 }
 
@@ -99,48 +109,54 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
-  const authenticationResult = await authenticateRequest(request);
+  try {
+    const authenticationResult = await authenticateRequest(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const environment = await authenticatedEnvironmentForAuthentication(
-    authenticationResult,
-    parsedParams.data.projectRef,
-    parsedParams.data.slug,
-    branchNameFromRequest(request)
-  );
-
-  // Find the environment variable
-  const variable = await prisma.environmentVariable.findFirst({
-    where: {
-      key: parsedParams.data.name,
-      projectId: environment.project.id,
-    },
-  });
-
-  if (!variable) {
-    return json({ error: "Environment variable not found" }, { status: 404 });
-  }
+    const environment = await authenticatedEnvironmentForAuthentication(
+      authenticationResult,
+      parsedParams.data.projectRef,
+      parsedParams.data.slug,
+      branchNameFromRequest(request)
+    );
+
+    // Find the environment variable
+    const variable = await prisma.environmentVariable.findFirst({
+      where: {
+        key: parsedParams.data.name,
+        projectId: environment.project.id,
+      },
+    });
+
+    if (!variable) {
+      return json({ error: "Environment variable not found" }, { status: 404 });
+    }
 
-  const repository = new EnvironmentVariablesRepository();
+    const repository = new EnvironmentVariablesRepository();
 
-  const variables = await repository.getEnvironmentWithRedactedSecrets(
-    environment.project.id,
-    environment.id,
-    environment.parentEnvironmentId ?? undefined
-  );
+    const variables = await repository.getEnvironmentWithRedactedSecrets(
+      environment.project.id,
+      environment.id,
+      environment.parentEnvironmentId ?? undefined
+    );
 
-  const environmentVariable = variables.find((v) => v.key === parsedParams.data.name);
+    const environmentVariable = variables.find((v) => v.key === parsedParams.data.name);
 
-  if (!environmentVariable) {
-    return json({ error: "Environment variable not found" }, { status: 404 });
-  }
+    if (!environmentVariable) {
+      return json({ error: "Environment variable not found" }, { status: 404 });
+    }
 
-  return json({
-    name: environmentVariable.key,
-    value: environmentVariable.value,
-    isSecret: environmentVariable.isSecret,
-  });
+    return json({
+      name: environmentVariable.key,
+      value: environmentVariable.value,
+      isSecret: environmentVariable.isSecret,
+    });
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to get environment variable", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
diff --git a/apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.import.ts b/apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.import.ts
index 53bc4429c1d..313ecdc8538 100644
--- a/apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.import.ts
+++ b/apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.import.ts
@@ -40,6 +40,7 @@ export async function action({ params, request }: ActionFunctionArgs) {
 
   const result = await repository.create(environment.project.id, {
     override: typeof body.override === "boolean" ? body.override : false,
+    isSecret: body.isSecret,
     environmentIds: [environment.id],
     // Pass parent environment ID so new variables can inherit isSecret from parent
     parentEnvironmentId: environment.parentEnvironmentId ?? undefined,
@@ -54,6 +55,7 @@ export async function action({ params, request }: ActionFunctionArgs) {
   if (environment.parentEnvironmentId && body.parentVariables) {
     const parentResult = await repository.create(environment.project.id, {
       override: typeof body.override === "boolean" ? body.override : false,
+      isSecret: body.isSecret,
       environmentIds: [environment.parentEnvironmentId],
       variables: Object.entries(body.parentVariables).map(([key, value]) => ({
         key,
diff --git a/apps/webapp/app/routes/api.v1.projects.$projectRef.runs.ts b/apps/webapp/app/routes/api.v1.projects.$projectRef.runs.ts
index 295bcb5caee..5e952aa7ce0 100644
--- a/apps/webapp/app/routes/api.v1.projects.$projectRef.runs.ts
+++ b/apps/webapp/app/routes/api.v1.projects.$projectRef.runs.ts
@@ -1,5 +1,6 @@
 import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
+import { $replica } from "~/db.server";
 import { findProjectByRef } from "~/models/project.server";
 import {
   ApiRunListPresenter,
@@ -16,6 +17,20 @@ export const loader = createLoaderPATApiRoute(
     params: ParamsSchema,
     searchParams: ApiRunListSearchParams,
     corsStrategy: "all",
+    // Resolve projectRef → org so the PAT plugin can ground its
+    // role-floor calculation. We deliberately don't filter by user
+    // membership here — that's the plugin's job (`authenticatePat`
+    // checks OrgMember in the target org and rejects if the user
+    // isn't a member). Keeps the contract clean: context is "what
+    // org does this URL target?" and auth is "is this user allowed?"
+    context: async (params) => {
+      const project = await $replica.project.findFirst({
+        where: { externalRef: params.projectRef },
+        select: { organizationId: true },
+      });
+      return project ? { organizationId: project.organizationId } : {};
+    },
+    authorization: { action: "read", resource: () => ({ type: "runs" }) },
   },
   async ({ searchParams, params, authentication, apiVersion }) => {
     const project = await findProjectByRef(params.projectRef, authentication.userId);
diff --git a/apps/webapp/app/routes/api.v1.projects.ts b/apps/webapp/app/routes/api.v1.projects.ts
index 3a12417dce0..372a8108f41 100644
--- a/apps/webapp/app/routes/api.v1.projects.ts
+++ b/apps/webapp/app/routes/api.v1.projects.ts
@@ -8,47 +8,53 @@ import { authenticateApiRequestWithPersonalAccessToken } from "~/services/person
 export async function loader({ request }: LoaderFunctionArgs) {
   logger.info("get projects", { url: request.url });
 
-  const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
+  try {
+    const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing Access Token" }, { status: 401 });
+    }
 
-  const projects = await prisma.project.findMany({
-    where: {
-      organization: {
-        deletedAt: null,
-        members: {
-          some: {
-            userId: authenticationResult.userId,
+    const projects = await prisma.project.findMany({
+      where: {
+        organization: {
+          deletedAt: null,
+          members: {
+            some: {
+              userId: authenticationResult.userId,
+            },
           },
         },
+        version: "V3",
+        deletedAt: null,
+      },
+      include: {
+        organization: true,
       },
-      version: "V3",
-      deletedAt: null,
-    },
-    include: {
-      organization: true,
-    },
-  });
+    });
 
-  if (!projects) {
-    return json({ error: "Projects not found" }, { status: 404 });
-  }
+    if (!projects) {
+      return json({ error: "Projects not found" }, { status: 404 });
+    }
 
-  const result: GetProjectsResponseBody = projects.map((project) => ({
-    id: project.id,
-    externalRef: project.externalRef,
-    name: project.name,
-    slug: project.slug,
-    createdAt: project.createdAt,
-    organization: {
-      id: project.organization.id,
-      title: project.organization.title,
-      slug: project.organization.slug,
-      createdAt: project.organization.createdAt,
-    },
-  }));
+    const result: GetProjectsResponseBody = projects.map((project) => ({
+      id: project.id,
+      externalRef: project.externalRef,
+      name: project.name,
+      slug: project.slug,
+      createdAt: project.createdAt,
+      organization: {
+        id: project.organization.id,
+        title: project.organization.title,
+        slug: project.organization.slug,
+        createdAt: project.organization.createdAt,
+      },
+    }));
 
-  return json(result);
+    return json(result);
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to list projects", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
diff --git a/apps/webapp/app/routes/api.v1.prompts.$slug.override.reactivate.ts b/apps/webapp/app/routes/api.v1.prompts.$slug.override.reactivate.ts
index 1203682793a..99601b5d668 100644
--- a/apps/webapp/app/routes/api.v1.prompts.$slug.override.reactivate.ts
+++ b/apps/webapp/app/routes/api.v1.prompts.$slug.override.reactivate.ts
@@ -22,8 +22,7 @@ const { action } = createActionApiRoute(
     corsStrategy: "all",
     authorization: {
       action: "update",
-      resource: (params) => ({ prompts: params.slug }),
-      superScopes: ["admin"],
+      resource: (params) => ({ type: "prompts", id: params.slug }),
     },
   },
   async ({ body, params, authentication }) => {
diff --git a/apps/webapp/app/routes/api.v1.prompts.$slug.override.ts b/apps/webapp/app/routes/api.v1.prompts.$slug.override.ts
index 3ddf7b78416..2a00ceac15c 100644
--- a/apps/webapp/app/routes/api.v1.prompts.$slug.override.ts
+++ b/apps/webapp/app/routes/api.v1.prompts.$slug.override.ts
@@ -40,8 +40,7 @@ const { action, loader } = createMultiMethodApiRoute({
   corsStrategy: "all",
   authorization: {
     action: "update",
-    resource: (params) => ({ prompts: params.slug }),
-    superScopes: ["admin"],
+    resource: (params) => ({ type: "prompts", id: params.slug }),
   },
   methods: {
     POST: {
diff --git a/apps/webapp/app/routes/api.v1.prompts.$slug.promote.ts b/apps/webapp/app/routes/api.v1.prompts.$slug.promote.ts
index 6040fdb46e6..795e4a6c68f 100644
--- a/apps/webapp/app/routes/api.v1.prompts.$slug.promote.ts
+++ b/apps/webapp/app/routes/api.v1.prompts.$slug.promote.ts
@@ -22,8 +22,7 @@ const { action } = createActionApiRoute(
     corsStrategy: "all",
     authorization: {
       action: "update",
-      resource: (params) => ({ prompts: params.slug }),
-      superScopes: ["admin"],
+      resource: (params) => ({ type: "prompts", id: params.slug }),
     },
   },
   async ({ body, params, authentication }) => {
diff --git a/apps/webapp/app/routes/api.v1.prompts.$slug.ts b/apps/webapp/app/routes/api.v1.prompts.$slug.ts
index 32ea1525c14..3d8de30c25c 100644
--- a/apps/webapp/app/routes/api.v1.prompts.$slug.ts
+++ b/apps/webapp/app/routes/api.v1.prompts.$slug.ts
@@ -2,7 +2,7 @@ import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { prisma } from "~/db.server";
 import { PromptPresenter } from "~/presenters/v3/PromptPresenter.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import {
   createActionApiRoute,
   createLoaderApiRoute,
@@ -33,12 +33,18 @@ export const loader = createLoaderApiRoute(
             slug: params.slug,
           },
         },
+        include: {
+          project: {
+            select: {
+              organizationId: true,
+            },
+          },
+        },
       });
     },
     authorization: {
       action: "read",
-      resource: (_resource, params) => ({ prompts: params.slug }),
-      superScopes: ["read:prompts", "admin"],
+      resource: (_resource, params) => ({ type: "prompts", id: params.slug }),
     },
   },
   async ({ searchParams, resource: prompt }) => {
@@ -46,7 +52,8 @@ export const loader = createLoaderApiRoute(
       return json({ error: "Prompt not found" }, { status: 404 });
     }
 
-    const presenter = new PromptPresenter(clickhouseClient);
+    const clickhouse = await clickhouseFactory.getClickhouseForOrganization(prompt.project.organizationId, "standard");
+    const presenter = new PromptPresenter(clickhouse);
     const version = await presenter.resolveVersion(prompt.id, {
       version: searchParams.version,
       label: searchParams.label,
@@ -98,8 +105,7 @@ const { action } = createActionApiRoute(
     corsStrategy: "all",
     authorization: {
       action: "read",
-      resource: (params) => ({ prompts: params.slug }),
-      superScopes: ["read:prompts", "admin"],
+      resource: (params) => ({ type: "prompts", id: params.slug }),
     },
   },
   async ({ body, params, authentication }) => {
@@ -117,7 +123,8 @@ const { action } = createActionApiRoute(
       return json({ error: "Prompt not found" }, { status: 404 });
     }
 
-    const presenter = new PromptPresenter(clickhouseClient);
+    const clickhouse = await clickhouseFactory.getClickhouseForOrganization(authentication.environment.organizationId, "standard");
+    const presenter = new PromptPresenter(clickhouse);
     const version = await presenter.resolveVersion(prompt.id, {
       version: body.version,
       label: body.label,
diff --git a/apps/webapp/app/routes/api.v1.prompts.$slug.versions.ts b/apps/webapp/app/routes/api.v1.prompts.$slug.versions.ts
index c40b3e62dbf..6ef8a014f9c 100644
--- a/apps/webapp/app/routes/api.v1.prompts.$slug.versions.ts
+++ b/apps/webapp/app/routes/api.v1.prompts.$slug.versions.ts
@@ -2,7 +2,7 @@ import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { prisma } from "~/db.server";
 import { PromptPresenter } from "~/presenters/v3/PromptPresenter.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
 
 const ParamsSchema = z.object({
@@ -23,12 +23,18 @@ export const loader = createLoaderApiRoute(
             slug: params.slug,
           },
         },
+        include: {
+          project: {
+            select: {
+              organizationId: true,
+            },
+          },
+        },
       });
     },
     authorization: {
       action: "read",
-      resource: (_resource, params) => ({ prompts: params.slug }),
-      superScopes: ["read:prompts", "admin"],
+      resource: (_resource, params) => ({ type: "prompts", id: params.slug }),
     },
   },
   async ({ resource: prompt }) => {
@@ -36,7 +42,8 @@ export const loader = createLoaderApiRoute(
       return json({ error: "Prompt not found" }, { status: 404 });
     }
 
-    const presenter = new PromptPresenter(clickhouseClient);
+    const clickhouse = await clickhouseFactory.getClickhouseForOrganization(prompt.project.organizationId, "standard");
+    const presenter = new PromptPresenter(clickhouse);
     const versions = await presenter.listVersions(prompt.id);
 
     return json({
diff --git a/apps/webapp/app/routes/api.v1.prompts._index.ts b/apps/webapp/app/routes/api.v1.prompts._index.ts
index ccbc0ec38d0..8ba10c660de 100644
--- a/apps/webapp/app/routes/api.v1.prompts._index.ts
+++ b/apps/webapp/app/routes/api.v1.prompts._index.ts
@@ -1,6 +1,6 @@
 import { json } from "@remix-run/server-runtime";
 import { PromptPresenter } from "~/presenters/v3/PromptPresenter.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
 
 export const loader = createLoaderApiRoute(
@@ -10,12 +10,12 @@ export const loader = createLoaderApiRoute(
     findResource: async () => 1,
     authorization: {
       action: "read",
-      resource: () => ({ prompts: "all" }),
-      superScopes: ["read:prompts", "admin"],
+      resource: () => ({ type: "prompts", id: "all" }),
     },
   },
   async ({ authentication }) => {
-    const presenter = new PromptPresenter(clickhouseClient);
+    const clickhouse = await clickhouseFactory.getClickhouseForOrganization(authentication.environment.organizationId, "standard");
+    const presenter = new PromptPresenter(clickhouse);
     const prompts = await presenter.listPrompts(
       authentication.environment.projectId,
       authentication.environment.id
diff --git a/apps/webapp/app/routes/api.v1.query.dashboards._index.ts b/apps/webapp/app/routes/api.v1.query.dashboards._index.ts
index fdc4dbc3852..2bc9e3b3016 100644
--- a/apps/webapp/app/routes/api.v1.query.dashboards._index.ts
+++ b/apps/webapp/app/routes/api.v1.query.dashboards._index.ts
@@ -37,8 +37,7 @@ export const loader = createLoaderApiRoute(
     findResource: async () => 1,
     authorization: {
       action: "read",
-      resource: () => ({ query: "dashboards" }),
-      superScopes: ["read:query", "read:all", "admin"],
+      resource: () => ({ type: "query", id: "dashboards" }),
     },
   },
   async () => {
diff --git a/apps/webapp/app/routes/api.v1.query.schema.ts b/apps/webapp/app/routes/api.v1.query.schema.ts
index aa4762af6f8..3e95d16818d 100644
--- a/apps/webapp/app/routes/api.v1.query.schema.ts
+++ b/apps/webapp/app/routes/api.v1.query.schema.ts
@@ -47,8 +47,7 @@ export const loader = createLoaderApiRoute(
     findResource: async () => 1,
     authorization: {
       action: "read",
-      resource: () => ({ query: "schema" }),
-      superScopes: ["read:query", "read:all", "admin"],
+      resource: () => ({ type: "query", id: "schema" }),
     },
   },
   async () => {
diff --git a/apps/webapp/app/routes/api.v1.query.ts b/apps/webapp/app/routes/api.v1.query.ts
index 22500011671..3fb6b04ec78 100644
--- a/apps/webapp/app/routes/api.v1.query.ts
+++ b/apps/webapp/app/routes/api.v1.query.ts
@@ -1,7 +1,10 @@
 import { json } from "@remix-run/server-runtime";
 import { QueryError } from "@internal/clickhouse";
 import { z } from "zod";
-import { createActionApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  createActionApiRoute,
+  everyResource,
+} from "~/services/routeBuilders/apiBuilder.server";
 import { executeQuery, type QueryScope } from "~/services/queryService.server";
 import { logger } from "~/services/logger.server";
 import { rowsToCSV } from "~/utils/dataExport";
@@ -34,11 +37,16 @@ const { action, loader } = createActionApiRoute(
     findResource: async () => 1,
     authorization: {
       action: "read",
+      // A multi-table query reads from every detected table. Wrap with
+      // everyResource so a JWT scoped to one table can't pass auth for
+      // a query that also reads tables it isn't scoped to (would be the
+      // same OR-loophole the batch trigger route had pre-fix).
       resource: (_, __, ___, body) => {
         const tables = detectTables(body.query);
-        return { query: tables.length > 0 ? tables : "all" };
+        return tables.length > 0
+          ? everyResource(tables.map((id) => ({ type: "query", id })))
+          : { type: "query", id: "all" };
       },
-      superScopes: ["read:query", "read:all", "admin"],
     },
   },
   async ({ body, authentication }) => {
@@ -61,10 +69,16 @@ const { action, loader } = createActionApiRoute(
     });
 
     if (!queryResult.success) {
-      const message =
-        queryResult.error instanceof QueryError
-          ? queryResult.error.message
-          : "An unexpected error occurred while executing the query.";
+      // QueryError surfaces customer SQL problems (invalid syntax,
+      // unsupported construct). Returned to the caller as 400; system
+      // handles it gracefully, no alert needed.
+      if (queryResult.error instanceof QueryError) {
+        logger.warn("Query API error", {
+          error: queryResult.error.message,
+          query,
+        });
+        return json({ error: queryResult.error.message }, { status: 400 });
+      }
 
       logger.error("Query API error", {
         error: queryResult.error,
@@ -72,8 +86,8 @@ const { action, loader } = createActionApiRoute(
       });
 
       return json(
-        { error: message },
-        { status: queryResult.error instanceof QueryError ? 400 : 500 }
+        { error: "An unexpected error occurred while executing the query." },
+        { status: 500 }
       );
     }
 
diff --git a/apps/webapp/app/routes/api.v1.queues.ts b/apps/webapp/app/routes/api.v1.queues.ts
index 551b3c2f34f..18c0f688370 100644
--- a/apps/webapp/app/routes/api.v1.queues.ts
+++ b/apps/webapp/app/routes/api.v1.queues.ts
@@ -2,6 +2,7 @@ import { json } from "@remix-run/server-runtime";
 import { type QueueItem } from "@trigger.dev/core/v3";
 import { z } from "zod";
 import { QueueListPresenter } from "~/presenters/v3/QueueListPresenter.server";
+import { logger } from "~/services/logger.server";
 import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
 import { ServiceValidationError } from "~/v3/services/baseService.server";
 
@@ -35,10 +36,8 @@ export const loader = createLoaderApiRoute(
         return json({ error: error.message }, { status: 422 });
       }
 
-      return json(
-        { error: error instanceof Error ? error.message : "Internal Server Error" },
-        { status: 500 }
-      );
+      logger.error("Failed to list queues", { error });
+      return json({ error: "Something went wrong, please try again." }, { status: 500 });
     }
   }
 );
diff --git a/apps/webapp/app/routes/api.v1.runs.$runFriendlyId.input-streams.wait.ts b/apps/webapp/app/routes/api.v1.runs.$runFriendlyId.input-streams.wait.ts
index 8e41e9fe4c8..0924bf3fc91 100644
--- a/apps/webapp/app/routes/api.v1.runs.$runFriendlyId.input-streams.wait.ts
+++ b/apps/webapp/app/routes/api.v1.runs.$runFriendlyId.input-streams.wait.ts
@@ -11,6 +11,7 @@ import {
   deleteInputStreamWaitpoint,
   setInputStreamWaitpoint,
 } from "~/services/inputStreamWaitpointCache.server";
+import { logger } from "~/services/logger.server";
 import { getRealtimeStreamInstance } from "~/services/realtime/v1StreamsGlobal.server";
 import { createActionApiRoute } from "~/services/routeBuilders/apiBuilder.server";
 import { parseDelay } from "~/utils/delays";
@@ -40,6 +41,7 @@ const { action, loader } = createActionApiRoute(
           id: true,
           friendlyId: true,
           realtimeStreamsVersion: true,
+          streamBasinName: true,
         },
       });
 
@@ -98,7 +100,8 @@ const { action, loader } = createActionApiRoute(
         try {
           const realtimeStream = getRealtimeStreamInstance(
             authentication.environment,
-            run.realtimeStreamsVersion
+            run.realtimeStreamsVersion,
+            { run }
           );
 
           const records = await realtimeStream.readRecords(
@@ -136,10 +139,9 @@ const { action, loader } = createActionApiRoute(
     } catch (error) {
       if (error instanceof ServiceValidationError) {
         return json({ error: error.message }, { status: 422 });
-      } else if (error instanceof Error) {
-        return json({ error: error.message }, { status: 500 });
       }
 
+      logger.error("Failed to create input-stream waitpoint", { error });
       return json({ error: "Something went wrong" }, { status: 500 });
     }
   }
diff --git a/apps/webapp/app/routes/api.v1.runs.$runFriendlyId.session-streams.wait.ts b/apps/webapp/app/routes/api.v1.runs.$runFriendlyId.session-streams.wait.ts
new file mode 100644
index 00000000000..39c30894416
--- /dev/null
+++ b/apps/webapp/app/routes/api.v1.runs.$runFriendlyId.session-streams.wait.ts
@@ -0,0 +1,193 @@
+import { json } from "@remix-run/server-runtime";
+import {
+  CreateSessionStreamWaitpointRequestBody,
+  type CreateSessionStreamWaitpointResponseBody,
+} from "@trigger.dev/core/v3";
+import { WaitpointId } from "@trigger.dev/core/v3/isomorphic";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { createWaitpointTag, MAX_TAGS_PER_WAITPOINT } from "~/models/waitpointTag.server";
+import {
+  canonicalSessionAddressingKey,
+  isSessionFriendlyIdForm,
+  resolveSessionByIdOrExternalId,
+} from "~/services/realtime/sessions.server";
+import { S2RealtimeStreams } from "~/services/realtime/s2realtimeStreams.server";
+import { getRealtimeStreamInstance } from "~/services/realtime/v1StreamsGlobal.server";
+import {
+  addSessionStreamWaitpoint,
+  removeSessionStreamWaitpoint,
+} from "~/services/sessionStreamWaitpointCache.server";
+import { createActionApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import { logger } from "~/services/logger.server";
+import { parseDelay } from "~/utils/delays";
+import { resolveIdempotencyKeyTTL } from "~/utils/idempotencyKeys.server";
+import { engine } from "~/v3/runEngine.server";
+import { ServiceValidationError } from "~/v3/services/baseService.server";
+
+const ParamsSchema = z.object({
+  runFriendlyId: z.string(),
+});
+
+const { action, loader } = createActionApiRoute(
+  {
+    params: ParamsSchema,
+    body: CreateSessionStreamWaitpointRequestBody,
+    maxContentLength: 1024 * 10, // 10KB
+    method: "POST",
+  },
+  async ({ authentication, body, params }) => {
+    try {
+      const run = await $replica.taskRun.findFirst({
+        where: {
+          friendlyId: params.runFriendlyId,
+          runtimeEnvironmentId: authentication.environment.id,
+        },
+        select: {
+          id: true,
+          friendlyId: true,
+          realtimeStreamsVersion: true,
+        },
+      });
+
+      if (!run) {
+        return json({ error: "Run not found" }, { status: 404 });
+      }
+
+      // Row-optional addressing — see the .out / .in.append handlers.
+      // The waitpoint cache + S2 stream key derive from the row's
+      // canonical identity (externalId if set, else friendlyId), so
+      // the agent's wait registration and the append-side drain
+      // converge regardless of which URL form each side used.
+      const maybeSession = await resolveSessionByIdOrExternalId(
+        $replica,
+        authentication.environment.id,
+        body.session
+      );
+
+      if (!maybeSession && isSessionFriendlyIdForm(body.session)) {
+        return json({ error: "Session not found" }, { status: 404 });
+      }
+
+      const addressingKey = canonicalSessionAddressingKey(maybeSession, body.session);
+
+      const idempotencyKeyExpiresAt = body.idempotencyKeyTTL
+        ? resolveIdempotencyKeyTTL(body.idempotencyKeyTTL)
+        : undefined;
+
+      const timeout = await parseDelay(body.timeout);
+
+      const bodyTags = typeof body.tags === "string" ? [body.tags] : body.tags;
+
+      if (bodyTags && bodyTags.length > MAX_TAGS_PER_WAITPOINT) {
+        throw new ServiceValidationError(
+          `Waitpoints can only have ${MAX_TAGS_PER_WAITPOINT} tags, you're trying to set ${bodyTags.length}.`
+        );
+      }
+
+      if (bodyTags && bodyTags.length > 0) {
+        for (const tag of bodyTags) {
+          await createWaitpointTag({
+            tag,
+            environmentId: authentication.environment.id,
+            projectId: authentication.environment.projectId,
+          });
+        }
+      }
+
+      // Step 1: Create the waitpoint.
+      const result = await engine.createManualWaitpoint({
+        environmentId: authentication.environment.id,
+        projectId: authentication.environment.projectId,
+        idempotencyKey: body.idempotencyKey,
+        idempotencyKeyExpiresAt,
+        timeout,
+        tags: bodyTags,
+      });
+
+      // Step 2: Register the waitpoint on the session channel so the next
+      // append fires it. Keyed by (environmentId, addressingKey, io) — the
+      // canonical string for the row, scoped to the environment because
+      // externalIds are only unique per environment. The append handler
+      // drains by the same key, so writers and readers converge regardless
+      // of which URL form the agent vs. the appending caller used.
+      const ttlMs = timeout ? timeout.getTime() - Date.now() : undefined;
+      await addSessionStreamWaitpoint(
+        authentication.environment.id,
+        addressingKey,
+        body.io,
+        result.waitpoint.id,
+        ttlMs && ttlMs > 0 ? ttlMs : undefined
+      );
+
+      // Step 3: Race-check. If a record landed on the channel before this
+      // .wait() call, complete the waitpoint synchronously with that data
+      // and remove the pending registration.
+      if (!result.isCached) {
+        try {
+          // Match the writer's basin resolution exactly: session if the
+          // row exists, otherwise the org so we look at the same basin a
+          // fresh row would be stamped with. Mirrors the PUT/GET sister
+          // routes in `realtime.v1.sessions.$session.$io.ts`.
+          const realtimeStream = getRealtimeStreamInstance(authentication.environment, "v2", {
+            session: maybeSession,
+            organization: maybeSession ? null : authentication.environment.organization,
+          });
+
+          if (realtimeStream instanceof S2RealtimeStreams) {
+            const records = await realtimeStream.readSessionStreamRecords(
+              addressingKey,
+              body.io,
+              body.lastSeqNum
+            );
+
+            if (records.length > 0) {
+              const record = records[0]!;
+
+              await engine.completeWaitpoint({
+                id: result.waitpoint.id,
+                output: {
+                  value: record.data,
+                  type: "application/json",
+                  isError: false,
+                },
+              });
+
+              await removeSessionStreamWaitpoint(
+                authentication.environment.id,
+                addressingKey,
+                body.io,
+                result.waitpoint.id
+              );
+            }
+          }
+        } catch (error) {
+          // Non-fatal: pending registration stays in Redis; the next append
+          // will complete the waitpoint via the append handler path. Log so
+          // a broken race-check doesn't silently degrade to timeout-only.
+          logger.warn("session-stream wait race-check failed", {
+            addressingKey,
+            io: body.io,
+            waitpointId: WaitpointId.toFriendlyId(result.waitpoint.id),
+            error,
+          });
+        }
+      }
+
+      return json<CreateSessionStreamWaitpointResponseBody>({
+        waitpointId: WaitpointId.toFriendlyId(result.waitpoint.id),
+        isCached: result.isCached,
+      });
+    } catch (error) {
+      if (error instanceof ServiceValidationError) {
+        return json({ error: error.message }, { status: 422 });
+      }
+      // Don't forward raw internal error messages (could leak Prisma/engine
+      // details). Log server-side and return a generic 500.
+      logger.error("Failed to create session-stream waitpoint", { error });
+      return json({ error: "Something went wrong" }, { status: 500 });
+    }
+  }
+);
+
+export { action, loader };
diff --git a/apps/webapp/app/routes/api.v1.runs.$runId.events.ts b/apps/webapp/app/routes/api.v1.runs.$runId.events.ts
index ac96c9ddb81..42468f67604 100644
--- a/apps/webapp/app/routes/api.v1.runs.$runId.events.ts
+++ b/apps/webapp/app/routes/api.v1.runs.$runId.events.ts
@@ -1,9 +1,12 @@
 import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { getTaskEventStoreTableForRun } from "~/v3/taskEventStore.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  anyResource,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
 import { ApiRetrieveRunPresenter } from "~/presenters/v3/ApiRetrieveRunPresenter.server";
-import { resolveEventRepositoryForStore } from "~/v3/eventRepository/index.server";
+import { getEventRepositoryForStore } from "~/v3/eventRepository/index.server";
 
 const ParamsSchema = z.object({
   runId: z.string(), // This is the run friendly ID
@@ -21,17 +24,34 @@ export const loader = createLoaderApiRoute(
     shouldRetryNotFound: true,
     authorization: {
       action: "read",
-      resource: (run) => ({
-        runs: run.friendlyId,
-        tags: run.runTags,
-        batch: run.batch?.friendlyId,
-        tasks: run.taskIdentifier,
-      }),
-      superScopes: ["read:runs", "read:all", "admin"],
+      resource: (run) => {
+        const resources = [
+          { type: "runs", id: run.friendlyId },
+          { type: "tasks", id: run.taskIdentifier },
+          ...run.runTags.map((tag) => ({ type: "tags", id: tag })),
+        ];
+        if (run.batch?.friendlyId) {
+          resources.push({ type: "batch", id: run.batch.friendlyId });
+        }
+        return anyResource(resources);
+      },
     },
   },
   async ({ resource: run, authentication }) => {
-    const eventRepository = resolveEventRepositoryForStore(run.taskEventStore);
+    // Short-circuit for mollifier-buffered runs. The drainer hasn't
+    // materialised execution events yet (the gate intercepts before
+    // any trace event is written), so a ClickHouse round-trip is
+    // guaranteed to come back empty. `findRun` now sets `isBuffered`
+    // explicitly on its return value — gate on that rather than
+    // probing surrogate fields like `traceId === ""`.
+    if (run.isBuffered) {
+      return json({ events: [] }, { status: 200 });
+    }
+
+    const eventRepository = await getEventRepositoryForStore(
+      run.taskEventStore,
+      authentication.environment.organization.id
+    );
 
     const runEvents = await eventRepository.getRunEvents(
       getTaskEventStoreTableForRun(run),
diff --git a/apps/webapp/app/routes/api.v1.runs.$runId.metadata.ts b/apps/webapp/app/routes/api.v1.runs.$runId.metadata.ts
index f27a9c13f98..3f22929aca9 100644
--- a/apps/webapp/app/routes/api.v1.runs.$runId.metadata.ts
+++ b/apps/webapp/app/routes/api.v1.runs.$runId.metadata.ts
@@ -1,15 +1,178 @@
+import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { json } from "@remix-run/server-runtime";
 import { tryCatch } from "@trigger.dev/core/utils";
+import type { RunMetadataChangeOperation } from "@trigger.dev/core/v3/schemas";
 import { UpdateMetadataRequestBody } from "@trigger.dev/core/v3";
 import { z } from "zod";
+import { $replica } from "~/db.server";
+// Aliased to avoid shadowing the local `env: AuthenticatedEnvironment`
+// parameter the route handler and `routeOperationsToRun` use.
+import { env as appEnv } from "~/env.server";
+import type { AuthenticatedEnvironment } from "~/services/apiAuth.server";
+import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 import { updateMetadataService } from "~/services/metadata/updateMetadataInstance.server";
+import { publishChangeRecord } from "~/services/realtime/runChangeNotifierInstance.server";
 import { createActionApiRoute } from "~/services/routeBuilders/apiBuilder.server";
 import { ServiceValidationError } from "~/v3/services/common.server";
+import { applyMetadataMutationToBufferedRun } from "~/v3/mollifier/applyMetadataMutation.server";
+import { findRunByIdWithMollifierFallback } from "~/v3/mollifier/readFallback.server";
 
 const ParamsSchema = z.object({
   runId: z.string(),
 });
 
+// GET handler added to fix the pre-existing route bug where this URL
+// returned a Remix "no loader" 400 — only PUT (update) was exported, so
+// GET had no handler. Returns `{ metadata, metadataType }` from either
+// the Postgres row or the mollifier buffer snapshot.
+export async function loader({ request, params }: LoaderFunctionArgs) {
+  const authenticationResult = await authenticateApiRequest(request);
+  if (!authenticationResult) {
+    return json({ error: "Invalid or Missing API Key" }, { status: 401 });
+  }
+
+  const parsed = ParamsSchema.safeParse(params);
+  if (!parsed.success) {
+    return json({ error: "Invalid or missing run ID" }, { status: 400 });
+  }
+
+  const env = authenticationResult.environment;
+
+  const pgRun = await $replica.taskRun.findFirst({
+    where: { friendlyId: parsed.data.runId, runtimeEnvironmentId: env.id },
+    select: { metadata: true, metadataType: true },
+  });
+  if (pgRun) {
+    return json({ metadata: pgRun.metadata, metadataType: pgRun.metadataType }, { status: 200 });
+  }
+
+  const buffered = await findRunByIdWithMollifierFallback({
+    runId: parsed.data.runId,
+    environmentId: env.id,
+    organizationId: env.organizationId,
+  });
+  if (buffered) {
+    return json(
+      {
+        metadata: buffered.metadata ?? null,
+        metadataType: buffered.metadataType ?? "application/json",
+      },
+      { status: 200 }
+    );
+  }
+
+  return json({ error: "Run not found" }, { status: 404 });
+}
+
+// Route parent/root operations to the existing PG service by directly
+// invoking it against the parent/root runId. The service ingests via
+// its batching worker, which targets PG by id. If the parent/root is
+// itself buffered we recurse through our buffered-mutation helper.
+// `_ingestion_only` flag: a synthetic body that has the operations
+// promoted to top-level `operations` so the service applies them to
+// `targetRunId` directly.
+// Exported so the silent-failure logging behaviour can be unit-tested.
+// The route handler itself isn't an attractive test target (createActionApiRoute
+// wraps it in auth + body parsing + error-handler middleware), but the
+// fan-out helper carries the load-bearing logic — including the ops-
+// visibility branch this change adds.
+export async function routeOperationsToRun(
+  targetRunId: string | undefined,
+  operations: RunMetadataChangeOperation[] | undefined,
+  env: AuthenticatedEnvironment
+): Promise<void> {
+  if (!targetRunId || !operations || operations.length === 0) return;
+
+  // Try PG first via the existing service (this is how parent/root
+  // operations have always landed; preserve that). Accepts the full
+  // AuthenticatedEnvironment so we don't have to recover the unsafe
+  // `as unknown` cast that the previous narrowed `{ id, organizationId }`
+  // signature forced on us.
+  //
+  // Two non-success outcomes from `call`:
+  //   * throws — PG threw (e.g. "Cannot update metadata for a completed
+  //     run", or a transient PG outage).
+  //   * resolves with undefined — PG row didn't exist (the target may be
+  //     buffered, not yet materialised).
+  // Either way we want to try the buffer fallback below; treating the
+  // undefined-return as success would make the fallback unreachable.
+  const [error, result] = await tryCatch(
+    updateMetadataService.call(targetRunId, { operations }, env)
+  );
+  if (!error && result !== undefined) {
+    // The parent/root run changed too — wake its live feeds (only when something was
+    // actually written here; buffered writes publish from the flusher).
+    if (result.updatedAtMs !== undefined) {
+      publishChangeRecord({
+        runId: result.runId,
+        envId: env.id,
+        tags: result.runTags,
+        batchId: result.batchId,
+        updatedAtMs: result.updatedAtMs,
+      });
+    }
+    return;
+  }
+
+  if (error) {
+    // PG threw — auxiliary op, stay best-effort and don't surface this
+    // to the caller (the caller's primary mutation already landed). But
+    // warn so a genuine PG outage on these ops isn't invisible.
+    logger.warn("metadata route: parent/root PG op failed", {
+      targetRunId,
+      error: error instanceof Error ? error.message : String(error),
+    });
+  }
+
+  // Buffer fallback only makes sense for friendlyId-keyed entries. The
+  // PG-side parent/root IDs are internal cuids; the buffer keys entries
+  // by friendlyId, so passing the internal id would silently no-op.
+  // Skip explicitly — a buffered child's parent is always materialised
+  // in PG already (a buffered run hasn't executed, so it can't have
+  // triggered the child), so the buffered-parent branch isn't actually
+  // reachable. Treating the no-op as intentional rather than incidental.
+  if (!targetRunId.startsWith("run_")) return;
+
+  // Best-effort buffer fallback. Wrap so a transient Redis throw on
+  // this auxiliary op can't 500 the request after the primary mutation
+  // already succeeded.
+  const [bufferError, bufferOutcome] = await tryCatch(
+    applyMetadataMutationToBufferedRun({
+      runId: targetRunId,
+      environmentId: env.id,
+      organizationId: env.organizationId,
+      maximumSize: appEnv.TASK_RUN_METADATA_MAXIMUM_SIZE,
+      maxRetries: appEnv.TRIGGER_MOLLIFIER_METADATA_MAX_RETRIES,
+      backoffBaseMs: appEnv.TRIGGER_MOLLIFIER_METADATA_BACKOFF_BASE_MS,
+      backoffStepMs: appEnv.TRIGGER_MOLLIFIER_METADATA_BACKOFF_STEP_MS,
+      body: { operations },
+    })
+  );
+  if (bufferError) {
+    logger.warn("metadata route: buffer fallback for parent/root op failed", {
+      targetRunId,
+      error: bufferError instanceof Error ? bufferError.message : String(bufferError),
+    });
+    return;
+  }
+  // `applyMetadataMutationToBufferedRun` reports non-throw failures via
+  // its returned outcome kind: `not_found`, `busy`, `version_exhausted`,
+  // `metadata_too_large`. Without inspecting `.kind`, the parent/root
+  // operation can silently disappear — no PG row landed it (handled
+  // above) and the buffer rejected it for one of these reasons but the
+  // helper returned cleanly. Surface a warn log per non-success branch
+  // so ops can trace why a parent/root op went missing. The customer's
+  // primary mutation has already succeeded by this point; this remains
+  // best-effort, so we still don't bubble these to the response.
+  if (bufferOutcome && bufferOutcome.kind !== "applied") {
+    logger.warn("metadata route: parent/root buffer op did not apply", {
+      targetRunId,
+      kind: bufferOutcome.kind,
+    });
+  }
+}
+
 const { action } = createActionApiRoute(
   {
     params: ParamsSchema,
@@ -18,23 +181,120 @@ const { action } = createActionApiRoute(
     method: "PUT",
   },
   async ({ authentication, body, params }) => {
-    const [error, result] = await tryCatch(
-      updateMetadataService.call(params.runId, body, authentication.environment)
-    );
+    const env = authentication.environment;
+    const runId = params.runId;
 
-    if (error) {
-      if (error instanceof ServiceValidationError) {
-        return json({ error: error.message }, { status: error.status ?? 422 });
+    // PG-canonical path. If the run is in PG, the existing service
+    // owns the full request shape including parent/root operations,
+    // metadataVersion CAS, batching, validation — none of which the
+    // buffer side needs to reimplement.
+    const [pgError, pgResult] = await tryCatch(
+      updateMetadataService.call(runId, body, env)
+    );
+    if (pgError) {
+      if (pgError instanceof ServiceValidationError) {
+        return json({ error: pgError.message }, { status: pgError.status ?? 422 });
       }
-
       return json({ error: "Internal Server Error" }, { status: 500 });
     }
+    if (pgResult) {
+      // Reflect metadata.set() on a live feed before the next lifecycle event. Publish the
+      // internal id (the router keys single-run feeds by it, not the friendly id from the
+      // URL) with the committed updatedAt as the read-your-writes watermark. No write
+      // (no-op body, or ops buffered for the flusher) means nothing to announce here.
+      if (pgResult.updatedAtMs !== undefined) {
+        publishChangeRecord({
+          runId: pgResult.runId,
+          envId: env.id,
+          tags: pgResult.runTags,
+          batchId: pgResult.batchId,
+          updatedAtMs: pgResult.updatedAtMs,
+        });
+      }
+      return json({ metadata: pgResult.metadata }, { status: 200 });
+    }
 
-    if (!result) {
+    // PG miss. Target run is either buffered or genuinely absent.
+    const bufferOutcome = await applyMetadataMutationToBufferedRun({
+      runId,
+      environmentId: env.id,
+      organizationId: env.organizationId,
+      maximumSize: appEnv.TASK_RUN_METADATA_MAXIMUM_SIZE,
+      maxRetries: appEnv.TRIGGER_MOLLIFIER_METADATA_MAX_RETRIES,
+      backoffBaseMs: appEnv.TRIGGER_MOLLIFIER_METADATA_BACKOFF_BASE_MS,
+      backoffStepMs: appEnv.TRIGGER_MOLLIFIER_METADATA_BACKOFF_STEP_MS,
+      body: { metadata: body.metadata, operations: body.operations },
+    });
+
+    if (bufferOutcome.kind === "not_found") {
       return json({ error: "Task Run not found" }, { status: 404 });
     }
+    if (bufferOutcome.kind === "metadata_too_large") {
+      // Mirror PG's `MetadataTooLargeError` (413).
+      return json(
+        {
+          error: `Metadata exceeds maximum size of ${bufferOutcome.maximumSize} bytes`,
+        },
+        { status: 413 }
+      );
+    }
+    if (bufferOutcome.kind === "busy") {
+      // Entry is materialising. Best path is to retry the PG call —
+      // the row may be visible now. We don't waste a roundtrip in
+      // the happy path, but a 503 here would be customer-visible
+      // breakage for legitimately-burst workloads. Hand back 503 with
+      // a retry hint; SDK retry policy converges.
+      return json({ error: "Run materialising, retry shortly" }, { status: 503 });
+    }
+    if (bufferOutcome.kind === "version_exhausted") {
+      // Pathological contention — many concurrent metadata writers on
+      // the same buffered runId. Surface as 503 rather than silently
+      // dropping the request.
+      return json({ error: "Metadata write contention; retry shortly" }, { status: 503 });
+    }
+
+    // Buffered metadata mutation succeeded. Fan parent/root operations
+    // out to their respective runs (parent/root are typically PG-
+    // materialised by the time the child is buffered, so the existing
+    // service handles them; if they're also buffered, the helper
+    // recurses through the buffered mutation path).
+    //
+    // Use the parent/root friendlyIds the buffered mutation captured
+    // during its internal read — NOT a second `findRunByIdWithMollifierFallback`
+    // call here. The drainer's terminal-failure path DELetes the entry
+    // hash atomically, so if it fires between the primary mutation
+    // landing and our route's second read, `bufferedEntry` would come
+    // back null and the route would silently drop `parentOperations` /
+    // `rootOperations` after the customer's primary mutation already
+    // landed on the snapshot. Capturing the ids in the helper's first
+    // CAS read closes that race.
+    //
+    // Self-fallback to `runId` matches PG semantics: the PG service
+    // routes to `taskRun.parentTaskRun?.id ?? taskRun.id` and
+    // `taskRun.rootTaskRun?.id ?? taskRun.id`, so a top-level run's
+    // parent/root ops land on itself rather than being silently
+    // dropped.
+    await Promise.all([
+      routeOperationsToRun(
+        bufferOutcome.parentTaskRunFriendlyId ?? runId,
+        body.parentOperations,
+        env,
+      ),
+      routeOperationsToRun(
+        bufferOutcome.rootTaskRunFriendlyId ?? runId,
+        body.rootOperations,
+        env,
+      ),
+    ]);
 
-    return json(result, { status: 200 });
+    // Wire-shape parity with the PG branch. `UpdateMetadataService.call`
+    // returns `{ metadata: <object> }` (see `updateMetadata.server.ts:356-358`),
+    // sourced from `applyResults.newMetadata` / `parsePacket(metadataPacket)`
+    // — both parsed `Record<string, unknown>`. `bufferOutcome.newMetadata`
+    // is typed identically (`applyMetadataMutation.server.ts:27`). SDK
+    // consumers see the same response shape regardless of which branch
+    // serves the request.
+    return json({ metadata: bufferOutcome.newMetadata }, { status: 200 });
   }
 );
 
diff --git a/apps/webapp/app/routes/api.v1.runs.$runId.spans.$spanId.ts b/apps/webapp/app/routes/api.v1.runs.$runId.spans.$spanId.ts
index 7c093efd960..a5250e5b850 100644
--- a/apps/webapp/app/routes/api.v1.runs.$runId.spans.$spanId.ts
+++ b/apps/webapp/app/routes/api.v1.runs.$runId.spans.$spanId.ts
@@ -3,42 +3,101 @@ import { BatchId } from "@trigger.dev/core/v3/isomorphic";
 import { z } from "zod";
 import { $replica } from "~/db.server";
 import { extractAISpanData } from "~/components/runs/v3/ai";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
-import { resolveEventRepositoryForStore } from "~/v3/eventRepository/index.server";
+import {
+  anyResource,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
+import { getEventRepositoryForStore } from "~/v3/eventRepository/index.server";
 import { getTaskEventStoreTableForRun } from "~/v3/taskEventStore.server";
+import { findRunByIdWithMollifierFallback } from "~/v3/mollifier/readFallback.server";
+import { buildSyntheticSpanDetailBody } from "~/v3/mollifier/syntheticApiResponses.server";
 
 const ParamsSchema = z.object({
   runId: z.string(),
   spanId: z.string(),
 });
 
+// Resolve the run from either Postgres or the mollifier buffer.
+// Buffered runs only have one valid spanId (the queued span recorded at
+// gate time and reused as the run's root spanId when the drainer
+// materialises). Any other spanId returns a deterministic 404; the queued
+// span returns a minimal synthesised shape so the customer's SDK sees the
+// same 200 contract they'd get for a freshly-triggered run.
+type ResolvedRun =
+  | { source: "pg"; run: Awaited<ReturnType<typeof findPgRun>> & {} }
+  | { source: "buffer"; run: NonNullable<Awaited<ReturnType<typeof findRunByIdWithMollifierFallback>>> };
+
+async function findPgRun(runId: string, environmentId: string) {
+  return $replica.taskRun.findFirst({
+    where: { friendlyId: runId, runtimeEnvironmentId: environmentId },
+  });
+}
+
 export const loader = createLoaderApiRoute(
   {
     params: ParamsSchema,
     allowJWT: true,
     corsStrategy: "all",
-    findResource: (params, auth) => {
-      return $replica.taskRun.findFirst({
-        where: {
-          friendlyId: params.runId,
-          runtimeEnvironmentId: auth.environment.id,
-        },
+    findResource: async (params, auth): Promise<ResolvedRun | null> => {
+      const pgRun = await findPgRun(params.runId, auth.environment.id);
+      if (pgRun) return { source: "pg", run: pgRun };
+
+      const buffered = await findRunByIdWithMollifierFallback({
+        runId: params.runId,
+        environmentId: auth.environment.id,
+        organizationId: auth.environment.organizationId,
       });
+      if (buffered) return { source: "buffer", run: buffered };
+
+      return null;
     },
     shouldRetryNotFound: true,
     authorization: {
       action: "read",
-      resource: (run) => ({
-        runs: run.friendlyId,
-        tags: run.runTags,
-        batch: run.batchId ? BatchId.toFriendlyId(run.batchId) : undefined,
-        tasks: run.taskIdentifier,
-      }),
-      superScopes: ["read:runs", "read:all", "admin"],
+      resource: (resolved) => {
+        if (resolved.source === "pg") {
+          const run = resolved.run;
+          const resources = [
+            { type: "runs", id: run.friendlyId },
+            { type: "tasks", id: run.taskIdentifier },
+            ...run.runTags.map((tag) => ({ type: "tags", id: tag })),
+          ];
+          if (run.batchId) {
+            resources.push({ type: "batch", id: BatchId.toFriendlyId(run.batchId) });
+          }
+          return anyResource(resources);
+        }
+        const run = resolved.run;
+        const resources = [
+          { type: "runs", id: run.friendlyId },
+          ...(run.taskIdentifier ? [{ type: "tasks", id: run.taskIdentifier }] : []),
+          ...run.tags.map((tag) => ({ type: "tags", id: tag })),
+        ];
+        if (run.batchId) {
+          resources.push({ type: "batch", id: BatchId.toFriendlyId(run.batchId) });
+        }
+        return anyResource(resources);
+      },
     },
   },
-  async ({ params, resource: run, authentication }) => {
-    const eventRepository = resolveEventRepositoryForStore(run.taskEventStore);
+  async ({ params, resource: resolved, authentication }) => {
+    if (resolved.source === "buffer") {
+      // Buffered runs have exactly one valid spanId — the queued span the
+      // mollifier gate recorded at trigger time, which becomes the run's
+      // root spanId once the drainer materialises. Any other spanId is a
+      // deterministic 404. The matching spanId returns a minimal shape
+      // representing "span exists, no execution data yet."
+      if (resolved.run.spanId !== params.spanId) {
+        return json({ error: "Span not found" }, { status: 404 });
+      }
+      return json(buildSyntheticSpanDetailBody(resolved.run), { status: 200 });
+    }
+
+    const run = resolved.run;
+    const eventRepository = await getEventRepositoryForStore(
+      run.taskEventStore,
+      authentication.environment.organization.id
+    );
     const eventStore = getTaskEventStoreTableForRun(run);
 
     const span = await eventRepository.getSpan(
diff --git a/apps/webapp/app/routes/api.v1.runs.$runId.tags.ts b/apps/webapp/app/routes/api.v1.runs.$runId.tags.ts
index 2a48ded529e..f984562eb3d 100644
--- a/apps/webapp/app/routes/api.v1.runs.$runId.tags.ts
+++ b/apps/webapp/app/routes/api.v1.runs.$runId.tags.ts
@@ -1,21 +1,40 @@
 import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
 import { AddTagsRequestBody } from "@trigger.dev/core/v3";
+import type { BufferEntry } from "@trigger.dev/redis-worker";
 import { z } from "zod";
 import { prisma } from "~/db.server";
 import { MAX_TAGS_PER_RUN } from "~/models/taskRunTag.server";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
+import { logger } from "~/services/logger.server";
+import { publishChangeRecord } from "~/services/realtime/runChangeNotifierInstance.server";
+import { mutateWithFallback } from "~/v3/mollifier/mutateWithFallback.server";
+
+// Pull the existing tags out of a buffer entry's serialised payload so
+// the buffer-path response can dedup against them, matching the
+// PG-path's `newTags.length` count rather than the pre-dedup input
+// count. Returns null on any parse failure / shape mismatch so the
+// caller can fall back gracefully.
+function parseSnapshotTags(entry: BufferEntry | null): string[] | null {
+  if (!entry) return null;
+  try {
+    const snapshot = JSON.parse(entry.payload) as { tags?: unknown };
+    if (!Array.isArray(snapshot.tags)) return null;
+    return snapshot.tags.filter((t): t is string => typeof t === "string");
+  } catch {
+    return null;
+  }
+}
 
 const ParamsSchema = z.object({
   runId: z.string(),
 });
 
 export async function action({ request, params }: ActionFunctionArgs) {
-  // Ensure this is a POST request
   if (request.method.toUpperCase() !== "POST") {
     return { status: 405, body: "Method Not Allowed" };
   }
 
-  // Authenticate the request
   const authenticationResult = await authenticateApiRequest(request);
   if (!authenticationResult) {
     return json({ error: "Invalid or Missing API Key" }, { status: 401 });
@@ -31,63 +50,101 @@ export async function action({ request, params }: ActionFunctionArgs) {
 
   try {
     const anyBody = await request.json();
-
     const body = AddTagsRequestBody.safeParse(anyBody);
     if (!body.success) {
       return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
     }
-
-    const run = await prisma.taskRun.findFirst({
-      where: {
-        friendlyId: parsedParams.data.runId,
-        runtimeEnvironmentId: authenticationResult.environment.id,
-      },
-      select: {
-        runTags: true,
-      },
-    });
-
-    const existingTags = run?.runTags ?? [];
-
-    //remove duplicate tags from the new tags
     const bodyTags = typeof body.data.tags === "string" ? [body.data.tags] : body.data.tags;
-    const newTags = bodyTags.filter((tag) => {
-      if (tag.trim().length === 0) return false;
-      return !existingTags.includes(tag);
-    });
+    const nonEmptyTags = bodyTags.filter((t) => t.trim().length > 0);
 
-    if (existingTags.length + newTags.length > MAX_TAGS_PER_RUN) {
-      return json(
-        {
-          error: `Runs can only have ${MAX_TAGS_PER_RUN} tags, you're trying to set ${
-            existingTags.length + newTags.length
-          }. These tags have not been set: ${newTags.map((t) => `'${t}'`).join(", ")}.`,
-        },
-        { status: 422 }
-      );
-    }
-
-    if (newTags.length === 0) {
+    if (nonEmptyTags.length === 0) {
       return json({ message: "No new tags to add" }, { status: 200 });
     }
 
-    await prisma.taskRun.update({
-      where: {
-        friendlyId: parsedParams.data.runId,
-        runtimeEnvironmentId: authenticationResult.environment.id,
+    const env = authenticationResult.environment;
+    const outcome = await mutateWithFallback<Response>({
+      runId: parsedParams.data.runId,
+      environmentId: env.id,
+      organizationId: env.organizationId,
+      bufferPatch: { type: "append_tags", tags: nonEmptyTags, maxTags: MAX_TAGS_PER_RUN },
+      pgMutation: async (taskRun) => {
+        const existing = taskRun.runTags ?? [];
+        const newTags = nonEmptyTags.filter((t) => !existing.includes(t));
+
+        if (existing.length + newTags.length > MAX_TAGS_PER_RUN) {
+          return json(
+            {
+              error: `Runs can only have ${MAX_TAGS_PER_RUN} tags, you're trying to set ${
+                existing.length + newTags.length
+              }. These tags have not been set: ${newTags.map((t) => `'${t}'`).join(", ")}.`,
+            },
+            { status: 422 }
+          );
+        }
+        if (newTags.length === 0) {
+          return json({ message: "No new tags to add" }, { status: 200 });
+        }
+        const updated = await prisma.taskRun.update({
+          where: {
+            id: taskRun.id,
+            runtimeEnvironmentId: env.id,
+          },
+          data: { runTags: { push: newTags } },
+          select: { updatedAt: true },
+        });
+        // Publish a run-changed record with the NEW tag set so tag feeds reindex
+        // (no-op unless enabled). updatedAt is the read-your-writes watermark.
+        publishChangeRecord({
+          runId: taskRun.id,
+          envId: env.id,
+          tags: existing.concat(newTags),
+          batchId: taskRun.batchId,
+          updatedAtMs: updated.updatedAt.getTime(),
+        });
+        return json({ message: `Successfully set ${newTags.length} new tags.` }, { status: 200 });
       },
-      data: {
-        runTags: {
-          push: newTags,
-        },
+      // Buffer-applied patch path. The mutateSnapshot Lua deduplicates
+      // against existing snapshot tags atomically and enforces
+      // MAX_TAGS_PER_RUN via the `maxTags` we pass in `bufferPatch` —
+      // matching the PG-path cap above so a buffered run can't exceed the
+      // limit the trigger validator applies at creation.
+      //
+      // Dedup the success-count off the pre-mutation entry (already
+      // fetched by mutateWithFallback's env-auth pre-check, so no extra
+      // Redis read) so the message reports the same `newTags.length` the
+      // PG path reports — not the pre-dedup request count, which would
+      // give an inconsistent number across the buffered/materialised
+      // boundary for the same input.
+      synthesisedResponse: ({ bufferEntry }) => {
+        const existing = parseSnapshotTags(bufferEntry);
+        const newTagsCount = existing
+          ? nonEmptyTags.filter((t) => !existing.includes(t)).length
+          : nonEmptyTags.length;
+        return json(
+          { message: `Successfully set ${newTagsCount} new tags.` },
+          { status: 200 }
+        );
       },
+      // Buffer rejected the append because it would exceed the cap. We
+      // don't know the exact deduped overflow count here (the Lua does),
+      // so report the limit rather than a precise "trying to set N".
+      rejectedResponse: () =>
+        json(
+          { error: `Runs can only have ${MAX_TAGS_PER_RUN} tags.` },
+          { status: 422 }
+        ),
+      abortSignal: getRequestAbortSignal(),
     });
 
-    return json({ message: `Successfully set ${newTags.length} new tags.` }, { status: 200 });
+    if (outcome.kind === "not_found") {
+      return json({ error: "Run not found" }, { status: 404 });
+    }
+    if (outcome.kind === "timed_out") {
+      return json({ error: "Run materialisation timed out" }, { status: 503 });
+    }
+    return outcome.response;
   } catch (error) {
-    return json(
-      { error: error instanceof Error ? error.message : "Internal Server Error" },
-      { status: 500 }
-    );
+    logger.error("Failed to add run tags", { error });
+    return json({ error: "Something went wrong, please try again." }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v1.runs.$runId.trace.ts b/apps/webapp/app/routes/api.v1.runs.$runId.trace.ts
index cc35836bfe6..04ae398194f 100644
--- a/apps/webapp/app/routes/api.v1.runs.$runId.trace.ts
+++ b/apps/webapp/app/routes/api.v1.runs.$runId.trace.ts
@@ -2,41 +2,97 @@ import { json } from "@remix-run/server-runtime";
 import { BatchId } from "@trigger.dev/core/v3/isomorphic";
 import { z } from "zod";
 import { $replica } from "~/db.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
-import { resolveEventRepositoryForStore } from "~/v3/eventRepository/index.server";
+import {
+  anyResource,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
+import { getEventRepositoryForStore } from "~/v3/eventRepository/index.server";
 import { getTaskEventStoreTableForRun } from "~/v3/taskEventStore.server";
+import { findRunByIdWithMollifierFallback } from "~/v3/mollifier/readFallback.server";
+import { buildSyntheticTraceBody } from "~/v3/mollifier/syntheticApiResponses.server";
 
 const ParamsSchema = z.object({
   runId: z.string(), // This is the run friendly ID
 });
 
+// Discriminator on the resolved resource — `pg` is the real Prisma TaskRun
+// row, `buffer` is a synthesised shape from the mollifier buffer for runs
+// whose drainer hasn't yet materialised them. The handler renders an empty
+// trace for buffered runs so the customer sees the same 200 shape they'd
+// get for a freshly-triggered PG run with no spans yet (matches the
+// pass-through control case in scripts/mollifier-api-parity.sh).
+type ResolvedRun =
+  | { source: "pg"; run: Awaited<ReturnType<typeof findPgRun>> & {} }
+  | { source: "buffer"; run: NonNullable<Awaited<ReturnType<typeof findRunByIdWithMollifierFallback>>> };
+
+async function findPgRun(runId: string, environmentId: string) {
+  return $replica.taskRun.findFirst({
+    where: { friendlyId: runId, runtimeEnvironmentId: environmentId },
+  });
+}
+
 export const loader = createLoaderApiRoute(
   {
     params: ParamsSchema,
     allowJWT: true,
     corsStrategy: "all",
-    findResource: (params, auth) => {
-      return $replica.taskRun.findFirst({
-        where: {
-          friendlyId: params.runId,
-          runtimeEnvironmentId: auth.environment.id,
-        },
+    findResource: async (params, auth): Promise<ResolvedRun | null> => {
+      const pgRun = await findPgRun(params.runId, auth.environment.id);
+      if (pgRun) return { source: "pg", run: pgRun };
+
+      const buffered = await findRunByIdWithMollifierFallback({
+        runId: params.runId,
+        environmentId: auth.environment.id,
+        organizationId: auth.environment.organizationId,
       });
+      if (buffered) return { source: "buffer", run: buffered };
+
+      return null;
     },
     shouldRetryNotFound: true,
     authorization: {
       action: "read",
-      resource: (run) => ({
-        runs: run.friendlyId,
-        tags: run.runTags,
-        batch: run.batchId ? BatchId.toFriendlyId(run.batchId) : undefined,
-        tasks: run.taskIdentifier,
-      }),
-      superScopes: ["read:runs", "read:all", "admin"],
+      resource: (resolved) => {
+        if (resolved.source === "pg") {
+          const run = resolved.run;
+          const resources = [
+            { type: "runs", id: run.friendlyId },
+            { type: "tasks", id: run.taskIdentifier },
+            ...run.runTags.map((tag) => ({ type: "tags", id: tag })),
+          ];
+          if (run.batchId) {
+            resources.push({ type: "batch", id: BatchId.toFriendlyId(run.batchId) });
+          }
+          return anyResource(resources);
+        }
+        const run = resolved.run;
+        const resources = [
+          { type: "runs", id: run.friendlyId },
+          ...(run.taskIdentifier ? [{ type: "tasks", id: run.taskIdentifier }] : []),
+          ...run.tags.map((tag) => ({ type: "tags", id: tag })),
+        ];
+        if (run.batchId) {
+          resources.push({ type: "batch", id: BatchId.toFriendlyId(run.batchId) });
+        }
+        return anyResource(resources);
+      },
     },
   },
-  async ({ resource: run, authentication }) => {
-    const eventRepository = resolveEventRepositoryForStore(run.taskEventStore);
+  async ({ resource: resolved, authentication }) => {
+    if (resolved.source === "buffer") {
+      // Buffered runs have no events ingested yet — the drainer hasn't
+      // materialised the PG row and the worker hasn't started executing.
+      // The helper synthesises a single root span that satisfies the SDK's
+      // RetrieveRunTraceResponseBody schema (rootSpan is non-nullable) and
+      // reflects the buffered terminal state.
+      return json(buildSyntheticTraceBody(resolved.run), { status: 200 });
+    }
+
+    const run = resolved.run;
+    const eventRepository = await getEventRepositoryForStore(
+      run.taskEventStore,
+      authentication.environment.organization.id
+    );
 
     const traceSummary = await eventRepository.getTraceDetailedSummary(
       getTaskEventStoreTableForRun(run),
diff --git a/apps/webapp/app/routes/api.v1.runs.$runParam.attempts.ts b/apps/webapp/app/routes/api.v1.runs.$runParam.attempts.ts
index 33894f8493c..790e52bee4e 100644
--- a/apps/webapp/app/routes/api.v1.runs.$runParam.attempts.ts
+++ b/apps/webapp/app/routes/api.v1.runs.$runParam.attempts.ts
@@ -2,6 +2,7 @@ import type { ActionFunctionArgs } from "@remix-run/server-runtime";
 import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 import { ServiceValidationError } from "~/v3/services/baseService.server";
 import { CreateTaskRunAttemptService } from "~/v3/services/createTaskRunAttempt.server";
 
@@ -40,9 +41,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
       return json({ error: error.message }, { status: error.status ?? 422 });
     }
 
-    return json(
-      { error: error instanceof Error ? error.message : "Internal Server Error" },
-      { status: 500 }
-    );
+    logger.error("Failed to create run attempt", { error });
+    return json({ error: "Something went wrong, please try again." }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v1.runs.$runParam.replay.ts b/apps/webapp/app/routes/api.v1.runs.$runParam.replay.ts
index 72ad202467d..4bb5922997f 100644
--- a/apps/webapp/app/routes/api.v1.runs.$runParam.replay.ts
+++ b/apps/webapp/app/routes/api.v1.runs.$runParam.replay.ts
@@ -1,10 +1,12 @@
 import type { ActionFunctionArgs } from "@remix-run/server-runtime";
 import { json } from "@remix-run/server-runtime";
+import type { TaskRun } from "@trigger.dev/database";
 import { z } from "zod";
 import { prisma } from "~/db.server";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
 import { ReplayTaskRunService } from "~/v3/services/replayTaskRun.server";
+import { findRunByIdWithMollifierFallback } from "~/v3/mollifier/readFallback.server";
 import { sanitizeTriggerSource } from "~/utils/triggerSource";
 
 const ParamsSchema = z.object({
@@ -12,6 +14,39 @@ const ParamsSchema = z.object({
   runParam: z.string(),
 });
 
+// Subset of TaskRun fields that ReplayTaskRunService.call actually
+// reads from `existingTaskRun`. Validate the buffered fallback against
+// this before casting to TaskRun so a buffer-format drift surfaces as a
+// 404/422 here rather than as a silent NaN/undefined deep inside
+// replay. The full TaskRun type has many more fields the service never
+// touches; we only assert the ones it reads.
+const BufferedReplayInputSchema = z.object({
+  id: z.string(),
+  friendlyId: z.string(),
+  runtimeEnvironmentId: z.string(),
+  taskIdentifier: z.string(),
+  payload: z.string(),
+  payloadType: z.string(),
+  queue: z.string(),
+  isTest: z.boolean(),
+  traceId: z.string(),
+  spanId: z.string(),
+  engine: z.string(),
+  runTags: z.array(z.string()),
+  // Nullable / optional fields the service tolerates via `??` fallbacks.
+  concurrencyKey: z.string().nullable().optional(),
+  workerQueue: z.string().nullable().optional(),
+  machinePreset: z.string().nullable().optional(),
+  realtimeStreamsVersion: z.string().nullable().optional(),
+  // ReplayTaskRunService.getExistingMetadata reads these to preserve
+  // the original run's metadata on replay. Without them in the schema
+  // they'd be stripped by Zod's default key-passthrough behaviour, and
+  // a buffered-source replay would silently lose metadata that a
+  // PG-source replay carries over.
+  seedMetadata: z.string().nullable().optional(),
+  seedMetadataType: z.string().nullable().optional(),
+});
+
 export async function action({ request, params }: ActionFunctionArgs) {
   // Ensure this is a POST request
   if (request.method.toUpperCase() !== "POST") {
@@ -32,12 +67,57 @@ export async function action({ request, params }: ActionFunctionArgs) {
   const { runParam } = parsed.data;
 
   try {
-    const taskRun = await prisma.taskRun.findUnique({
+    const env = authenticationResult.environment;
+    // PG-first. Replay works on any status per audit — no
+    // filter beyond friendlyId is the existing semantic; findFirst with
+    // env scoping tightens it minimally without changing behaviour for
+    // a correctly-authed caller.
+    let taskRun: TaskRun | null = await prisma.taskRun.findFirst({
       where: {
         friendlyId: runParam,
+        runtimeEnvironmentId: env.id,
       },
     });
 
+    if (!taskRun) {
+      // Buffered fallback. SyntheticRun carries every field
+      // ReplayTaskRunService reads from a TaskRun. Validate the subset of
+      // fields the service consumes (BufferedReplayInputSchema above)
+      // before casting; a schema mismatch surfaces as a 404 here rather
+      // than as a silent undefined deep inside the service.
+      const buffered = await findRunByIdWithMollifierFallback({
+        runId: runParam,
+        environmentId: env.id,
+        organizationId: env.organizationId,
+      });
+      if (buffered) {
+        const parsed = BufferedReplayInputSchema.safeParse(buffered);
+        if (parsed.success) {
+          // Manual sync point: `BufferedReplayInputSchema` covers only
+          // the subset of `TaskRun` fields `ReplayTaskRunService.call`
+          // currently reads from `existingTaskRun`. The cast is `as
+          // unknown as TaskRun` because the full `TaskRun` type carries
+          // ~40 fields the service never touches; mirroring all of them
+          // on a synthetic snapshot would be misleading. If a future
+          // change to `ReplayTaskRunService` reads an additional
+          // `existingTaskRun` field, **add it to the schema above** —
+          // otherwise the buffered path will silently feed the service
+          // `undefined` for that field while the PG-source replay
+          // works. The `safeParse` + warn-log + 404 below is the
+          // run-time fail-safe; this comment is the design fail-safe.
+          taskRun = parsed.data as unknown as TaskRun;
+        } else {
+          logger.warn("replay: buffered fallback failed schema validation", {
+            runParam,
+            issues: parsed.error.issues.map((issue) => ({
+              path: issue.path.join("."),
+              code: issue.code,
+            })),
+          });
+        }
+      }
+    }
+
     if (!taskRun) {
       return json({ error: "Run not found" }, { status: 404 });
     }
diff --git a/apps/webapp/app/routes/api.v1.runs.$runParam.reschedule.ts b/apps/webapp/app/routes/api.v1.runs.$runParam.reschedule.ts
index f4e08831f4f..cbdd9807d8b 100644
--- a/apps/webapp/app/routes/api.v1.runs.$runParam.reschedule.ts
+++ b/apps/webapp/app/routes/api.v1.runs.$runParam.reschedule.ts
@@ -3,91 +3,163 @@ import { json } from "@remix-run/server-runtime";
 import { RescheduleRunRequestBody } from "@trigger.dev/core/v3/schemas";
 import { z } from "zod";
 import { getApiVersion } from "~/api/versions";
-import { prisma } from "~/db.server";
 import { ApiRetrieveRunPresenter } from "~/presenters/v3/ApiRetrieveRunPresenter.server";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
+import { logger } from "~/services/logger.server";
 import { ServiceValidationError } from "~/v3/services/baseService.server";
 import { RescheduleTaskRunService } from "~/v3/services/rescheduleTaskRun.server";
+import { mutateWithFallback } from "~/v3/mollifier/mutateWithFallback.server";
+import { getMollifierBuffer } from "~/v3/mollifier/mollifierBuffer.server";
+import { parseDelay } from "~/utils/delays";
 
 const ParamsSchema = z.object({
   runParam: z.string(),
 });
 
 export async function action({ request, params }: ActionFunctionArgs) {
-  // Ensure this is a POST request
   if (request.method.toUpperCase() !== "POST") {
     return { status: 405, body: "Method Not Allowed" };
   }
 
-  // Authenticate the request
   const authenticationResult = await authenticateApiRequest(request);
-
   if (!authenticationResult) {
     return json({ error: "Invalid or missing API Key" }, { status: 401 });
   }
 
   const parsed = ParamsSchema.safeParse(params);
-
   if (!parsed.success) {
     return json({ error: "Invalid or missing run ID" }, { status: 400 });
   }
 
-  const { runParam } = parsed.data;
-
-  const taskRun = await prisma.taskRun.findUnique({
-    where: {
-      friendlyId: runParam,
-      runtimeEnvironmentId: authenticationResult.environment.id,
-    },
-  });
-
-  if (!taskRun) {
-    return json({ error: "Run not found" }, { status: 404 });
-  }
-
   const anyBody = await request.json();
-
   const body = RescheduleRunRequestBody.safeParse(anyBody);
-
   if (!body.success) {
     return json({ error: "Invalid request body" }, { status: 400 });
   }
 
-  const service = new RescheduleTaskRunService();
+  const env = authenticationResult.environment;
+  // Pre-resolve the absolute Date the buffer snapshot should encode.
+  // RescheduleTaskRunService expects this to be present on the body for
+  // its PG-side flow; for the buffer-side patch we encode the same
+  // wall-clock value so the drainer's engine.trigger sees the intended
+  // delayUntil after materialisation.
+  //
+  // Wire-compat: pre-PR the validation lived inside
+  // `RescheduleTaskRunService.call` (rescheduleTaskRun.server.ts:14-18),
+  // which throws `ServiceValidationError("Invalid delay: …")`. The
+  // route's catch block below converts that to status **400** (not
+  // 422 — `ServiceValidationError` defaults to 422 but this route's
+  // catch block has always returned 400). Mirror that 400 + message
+  // shape here so SDK consumers keying retry/classification logic on
+  // 400 see no behavioural drift now that the parse is hoisted to the
+  // route layer.
+  const delayUntil = await parseDelay(body.data.delay);
+  if (!delayUntil) {
+    return json({ error: `Invalid delay: ${body.data.delay}` }, { status: 400 });
+  }
 
   try {
-    const updatedRun = await service.call(taskRun, body.data);
-
-    if (!updatedRun) {
-      return json({ error: "An unknown error occurred" }, { status: 500 });
+    // PG-side `RescheduleTaskRunService.call` enforces
+    // `taskRun.status !== "DELAYED"` and 422s otherwise — without an
+    // equivalent guard the buffer path would happily inject a
+    // `delayUntil` into the snapshot of a non-delayed buffered run, and
+    // the drainer would materialise it with an unintended delay. The
+    // SyntheticRun type doesn't carry a "DELAYED" enum value because
+    // it's not a terminal status the trace API needs to express; the
+    // buffered analogue is `delayUntil` set in the snapshot. Gate on
+    // that.
+    //
+    // Only apply the guard when the buffer entry is NOT yet
+    // materialised. Post-materialise the entry sticks around for a
+    // 30s grace TTL with `materialised: true`, but the PG row is now
+    // canonical — its DELAYED state may differ from what the snapshot
+    // recorded at trigger time (e.g. a prior reschedule via the PG
+    // path, or a delay set by the engine through another mechanism).
+    // Reading from the stale snapshot would 422 a legitimately-DELAYED
+    // PG row. When `materialised` we let `mutateWithFallback` route to
+    // PG, which runs its own canonical DELAYED check.
+    const buffer = getMollifierBuffer();
+    const entry = buffer ? await buffer.getEntry(parsed.data.runParam) : null;
+    const isLiveBuffered =
+      entry !== null &&
+      entry.materialised !== true &&
+      entry.envId === env.id &&
+      entry.orgId === env.organizationId;
+    if (isLiveBuffered) {
+      const snapshot = JSON.parse(entry.payload) as Record<string, unknown>;
+      const snapshotDelayUntil =
+        typeof snapshot.delayUntil === "string" ? snapshot.delayUntil : undefined;
+      if (!snapshotDelayUntil) {
+        return json(
+          { error: "Cannot reschedule a run that is not delayed" },
+          { status: 422 },
+        );
+      }
     }
 
-    const run = await ApiRetrieveRunPresenter.findRun(
-      updatedRun.friendlyId,
-      authenticationResult.environment
-    );
-
-    if (!run) {
+    const outcome = await mutateWithFallback<Response>({
+      runId: parsed.data.runParam,
+      environmentId: env.id,
+      organizationId: env.organizationId,
+      bufferPatch: {
+        type: "set_delay",
+        delayUntil: delayUntil.toISOString(),
+      },
+      pgMutation: async (taskRun) => {
+        const service = new RescheduleTaskRunService();
+        const updatedRun = await service.call(taskRun, body.data);
+        if (!updatedRun) {
+          return json({ error: "An unknown error occurred" }, { status: 500 });
+        }
+
+        const run = await ApiRetrieveRunPresenter.findRun(updatedRun.friendlyId, env);
+        if (!run) {
+          return json({ error: "Run not found" }, { status: 404 });
+        }
+        const apiVersion = getApiVersion(request);
+        const presenter = new ApiRetrieveRunPresenter(apiVersion);
+        const result = await presenter.call(run, env);
+        if (!result) {
+          return json({ error: "Run not found" }, { status: 404 });
+        }
+        return json(result);
+      },
+      // Buffered snapshot has been patched. Run it through the same
+      // ApiRetrieveRunPresenter the PG branch uses (it falls back to
+      // the buffer for the SyntheticRun lookup) so the response shape
+      // matches `RetrieveRunResponse` — that's what the SDK's
+      // `rescheduleRun` zod-validates against. Returning a stripped
+      // `{ id, delayUntil }` object fails the SDK schema on every
+      // existing SDK version.
+      synthesisedResponse: async () => {
+        const run = await ApiRetrieveRunPresenter.findRun(parsed.data.runParam, env);
+        if (!run) {
+          return json({ error: "Run not found" }, { status: 404 });
+        }
+        const apiVersion = getApiVersion(request);
+        const presenter = new ApiRetrieveRunPresenter(apiVersion);
+        const result = await presenter.call(run, env);
+        if (!result) {
+          return json({ error: "Run not found" }, { status: 404 });
+        }
+        return json(result);
+      },
+      abortSignal: getRequestAbortSignal(),
+    });
+
+    if (outcome.kind === "not_found") {
       return json({ error: "Run not found" }, { status: 404 });
     }
-
-    const apiVersion = getApiVersion(request);
-
-    const presenter = new ApiRetrieveRunPresenter(apiVersion);
-    const result = await presenter.call(run, authenticationResult.environment);
-
-    if (!result) {
-      return json({ error: "Run not found" }, { status: 404 });
+    if (outcome.kind === "timed_out") {
+      return json({ error: "Run materialisation timed out" }, { status: 503 });
     }
-
-    return json(result);
+    return outcome.response;
   } catch (error) {
     if (error instanceof ServiceValidationError) {
       return json({ error: error.message }, { status: 400 });
-    } else if (error instanceof Error) {
-      return json({ error: error.message }, { status: 500 });
-    } else {
-      return json({ error: "An unknown error occurred" }, { status: 500 });
     }
+    logger.error("Failed to reschedule run", { error });
+    return json({ error: "Something went wrong, please try again." }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v1.runs.$runParam.result.ts b/apps/webapp/app/routes/api.v1.runs.$runParam.result.ts
index 16343a91434..4cbf27d3275 100644
--- a/apps/webapp/app/routes/api.v1.runs.$runParam.result.ts
+++ b/apps/webapp/app/routes/api.v1.runs.$runParam.result.ts
@@ -3,6 +3,7 @@ import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { ApiRunResultPresenter } from "~/presenters/v3/ApiRunResultPresenter.server";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 
 const ParamsSchema = z.object({
   /* This is the run friendly ID */
@@ -35,10 +36,7 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
 
     return json(result);
   } catch (error) {
-    if (error instanceof Error) {
-      return json({ error: error.message }, { status: 500 });
-    } else {
-      return json({ error: JSON.stringify(error) }, { status: 500 });
-    }
+    logger.error("Failed to load run result", { error });
+    return json({ error: "Something went wrong, please try again." }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v1.runs.ts b/apps/webapp/app/routes/api.v1.runs.ts
index b5191ee2591..4cbd689f627 100644
--- a/apps/webapp/app/routes/api.v1.runs.ts
+++ b/apps/webapp/app/routes/api.v1.runs.ts
@@ -4,7 +4,10 @@ import {
   ApiRunListSearchParams,
 } from "~/presenters/v3/ApiRunListPresenter.server";
 import { logger } from "~/services/logger.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  anyResource,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
 
 export const loader = createLoaderApiRoute(
   {
@@ -13,8 +16,24 @@ export const loader = createLoaderApiRoute(
     corsStrategy: "all",
     authorization: {
       action: "read",
-      resource: (_, __, searchParams) => ({ tasks: searchParams["filter[taskIdentifier]"] }),
-      superScopes: ["read:runs", "read:all", "admin"],
+      resource: (_, __, searchParams) => {
+        const taskFilter = searchParams["filter[taskIdentifier]"] ?? [];
+        // Pre-RBAC, the resource was `{ tasks: searchParams["filter[taskIdentifier]"] }`
+        // and the legacy `checkAuthorization` iterated `Object.keys` — so a
+        // JWT with type-level `read:tasks` (no id) granted access to the
+        // unfiltered runs list. The new ability model only matches against
+        // resources we list, so the type-level `{ type: "tasks" }` element
+        // (alongside `{ type: "runs" }` and the per-id task elements)
+        // preserves that semantic — `read:tasks` JWTs in the wild still
+        // list unfiltered runs without needing a separate `read:runs`
+        // scope. Per-id `read:tasks:foo` still grants only when the
+        // filter includes `foo`.
+        return anyResource([
+          { type: "runs" },
+          { type: "tasks" },
+          ...taskFilter.map((id) => ({ type: "tasks", id })),
+        ]);
+      },
     },
     findResource: async () => 1, // This is a dummy function, we don't need to find a resource
   },
diff --git a/apps/webapp/app/routes/api.v1.schedules.$scheduleId.activate.ts b/apps/webapp/app/routes/api.v1.schedules.$scheduleId.activate.ts
index 7eb281c0520..9cc8b7173c7 100644
--- a/apps/webapp/app/routes/api.v1.schedules.$scheduleId.activate.ts
+++ b/apps/webapp/app/routes/api.v1.schedules.$scheduleId.activate.ts
@@ -5,6 +5,7 @@ import { prisma } from "~/db.server";
 import { scheduleUniqWhereClause, scheduleWhereClause } from "~/models/schedules.server";
 import { ViewSchedulePresenter } from "~/presenters/v3/ViewSchedulePresenter.server";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 
 const ParamsSchema = z.object({
   scheduleId: z.string(),
@@ -68,9 +69,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
 
     return json(presenter.toJSONResponse(result), { status: 200 });
   } catch (error) {
-    return json(
-      { error: error instanceof Error ? error.message : "Internal Server Error" },
-      { status: 500 }
-    );
+    logger.error("Failed to activate schedule", { error });
+    return json({ error: "Something went wrong, please try again." }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v1.schedules.$scheduleId.deactivate.ts b/apps/webapp/app/routes/api.v1.schedules.$scheduleId.deactivate.ts
index e9b2997116f..eb985bea728 100644
--- a/apps/webapp/app/routes/api.v1.schedules.$scheduleId.deactivate.ts
+++ b/apps/webapp/app/routes/api.v1.schedules.$scheduleId.deactivate.ts
@@ -5,6 +5,7 @@ import { prisma } from "~/db.server";
 import { scheduleUniqWhereClause, scheduleWhereClause } from "~/models/schedules.server";
 import { ViewSchedulePresenter } from "~/presenters/v3/ViewSchedulePresenter.server";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 
 const ParamsSchema = z.object({
   scheduleId: z.string(),
@@ -68,9 +69,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
 
     return json(presenter.toJSONResponse(result), { status: 200 });
   } catch (error) {
-    return json(
-      { error: error instanceof Error ? error.message : "Internal Server Error" },
-      { status: 500 }
-    );
+    logger.error("Failed to deactivate schedule", { error });
+    return json({ error: "Something went wrong, please try again." }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v1.schedules.$scheduleId.ts b/apps/webapp/app/routes/api.v1.schedules.$scheduleId.ts
index b9fc8e2caff..e76f65e6e8a 100644
--- a/apps/webapp/app/routes/api.v1.schedules.$scheduleId.ts
+++ b/apps/webapp/app/routes/api.v1.schedules.$scheduleId.ts
@@ -6,6 +6,7 @@ import { Prisma, prisma } from "~/db.server";
 import { scheduleUniqWhereClause } from "~/models/schedules.server";
 import { ViewSchedulePresenter } from "~/presenters/v3/ViewSchedulePresenter.server";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 import { UpsertSchedule } from "~/v3/schedules";
 import { ServiceValidationError } from "~/v3/services/baseService.server";
 import { UpsertTaskScheduleService } from "~/v3/services/upsertTaskSchedule.server";
@@ -57,10 +58,8 @@ export async function action({ request, params }: ActionFunctionArgs) {
             { status: error.code === "P2025" ? 404 : 422 }
           );
         } else {
-          return json(
-            { error: error instanceof Error ? error.message : "Internal Server Error" },
-            { status: 500 }
-          );
+          logger.error("Failed to delete schedule", { error });
+          return json({ error: "Something went wrong, please try again." }, { status: 500 });
         }
       }
     }
@@ -110,10 +109,8 @@ export async function action({ request, params }: ActionFunctionArgs) {
           return json({ error: error.message }, { status: 422 });
         }
 
-        return json(
-          { error: error instanceof Error ? error.message : "Internal Server Error" },
-          { status: 500 }
-        );
+        logger.error("Failed to upsert schedule", { error });
+        return json({ error: "Something went wrong, please try again." }, { status: 500 });
       }
     }
   }
diff --git a/apps/webapp/app/routes/api.v1.schedules.ts b/apps/webapp/app/routes/api.v1.schedules.ts
index beb232c9757..56250eaac55 100644
--- a/apps/webapp/app/routes/api.v1.schedules.ts
+++ b/apps/webapp/app/routes/api.v1.schedules.ts
@@ -4,6 +4,7 @@ import { CreateScheduleOptions, ScheduleObject } from "@trigger.dev/core/v3";
 import { z } from "zod";
 import { ScheduleListPresenter } from "~/presenters/v3/ScheduleListPresenter.server";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 import { UpsertSchedule } from "~/v3/schedules";
 import { ServiceValidationError } from "~/v3/services/baseService.server";
 import { UpsertTaskScheduleService } from "~/v3/services/upsertTaskSchedule.server";
@@ -71,10 +72,8 @@ export async function action({ request }: ActionFunctionArgs) {
       return json({ error: error.message }, { status: 422 });
     }
 
-    return json(
-      { error: error instanceof Error ? error.message : "Internal Server Error" },
-      { status: 500 }
-    );
+    logger.error("Failed to create schedule", { error });
+    return json({ error: "Something went wrong, please try again." }, { status: 500 });
   }
 }
 
diff --git a/apps/webapp/app/routes/api.v1.sessions.$session.close.ts b/apps/webapp/app/routes/api.v1.sessions.$session.close.ts
new file mode 100644
index 00000000000..15c2e8dc6bd
--- /dev/null
+++ b/apps/webapp/app/routes/api.v1.sessions.$session.close.ts
@@ -0,0 +1,78 @@
+import { json } from "@remix-run/server-runtime";
+import {
+  CloseSessionRequestBody,
+  type RetrieveSessionResponseBody,
+} from "@trigger.dev/core/v3";
+import { z } from "zod";
+import { $replica, prisma } from "~/db.server";
+import {
+  resolveSessionByIdOrExternalId,
+  serializeSessionWithFriendlyRunId,
+} from "~/services/realtime/sessions.server";
+import { createActionApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+
+const ParamsSchema = z.object({
+  session: z.string(),
+});
+
+const { action, loader } = createActionApiRoute(
+  {
+    params: ParamsSchema,
+    body: CloseSessionRequestBody,
+    maxContentLength: 1024,
+    method: "POST",
+    allowJWT: true,
+    corsStrategy: "all",
+    authorization: {
+      action: "admin",
+      resource: (params) => ({ type: "sessions", id: params.session }),
+    },
+  },
+  async ({ authentication, params, body }) => {
+    const existing = await resolveSessionByIdOrExternalId(
+      $replica,
+      authentication.environment.id,
+      params.session
+    );
+
+    if (!existing) {
+      return json({ error: "Session not found" }, { status: 404 });
+    }
+
+    // Idempotent: if already closed, return the current row without clobbering
+    // the original closedAt / closedReason.
+    if (existing.closedAt) {
+      return json<RetrieveSessionResponseBody>(
+        await serializeSessionWithFriendlyRunId(existing)
+      );
+    }
+
+    // `closedAt: null` on the where clause makes the update conditional at
+    // the DB level. Two concurrent closes race through the earlier read,
+    // but only one can win this update — the loser hits `count === 0` and
+    // falls back to reading the winning row. Closedness is write-once.
+    const { count } = await prisma.session.updateMany({
+      where: { id: existing.id, closedAt: null },
+      data: {
+        closedAt: new Date(),
+        closedReason: body.reason ?? null,
+      },
+    });
+
+    if (count === 0) {
+      const final = await prisma.session.findFirst({ where: { id: existing.id } });
+      if (!final) return json({ error: "Session not found" }, { status: 404 });
+      return json<RetrieveSessionResponseBody>(
+        await serializeSessionWithFriendlyRunId(final)
+      );
+    }
+
+    const updated = await prisma.session.findFirst({ where: { id: existing.id } });
+    if (!updated) return json({ error: "Session not found" }, { status: 404 });
+    return json<RetrieveSessionResponseBody>(
+      await serializeSessionWithFriendlyRunId(updated)
+    );
+  }
+);
+
+export { action, loader };
diff --git a/apps/webapp/app/routes/api.v1.sessions.$session.end-and-continue.ts b/apps/webapp/app/routes/api.v1.sessions.$session.end-and-continue.ts
new file mode 100644
index 00000000000..7c5718aeae3
--- /dev/null
+++ b/apps/webapp/app/routes/api.v1.sessions.$session.end-and-continue.ts
@@ -0,0 +1,141 @@
+import { json } from "@remix-run/server-runtime";
+import {
+  EndAndContinueSessionRequestBody,
+  type EndAndContinueSessionResponseBody,
+} from "@trigger.dev/core/v3";
+import { z } from "zod";
+import { $replica, prisma } from "~/db.server";
+import { logger } from "~/services/logger.server";
+import { swapSessionRun } from "~/services/realtime/sessionRunManager.server";
+import { resolveSessionByIdOrExternalId } from "~/services/realtime/sessions.server";
+import {
+  anyResource,
+  createActionApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
+
+const ParamsSchema = z.object({
+  session: z.string(),
+});
+
+// POST /api/v1/sessions/:session/end-and-continue
+//
+// Generic "the running run is exiting; please trigger a fresh one for
+// this session and swap `currentRunId` to it" endpoint. The agent calls
+// this from `chat.requestUpgrade` and other planned-handoff paths. The
+// transport's `.out` SSE keeps streaming across the swap because S2 is
+// keyed on the session, not the run — v1's last chunks land, v2's new
+// chunks land on the same stream.
+//
+// Auth: `write:sessions:{ext}` — the running agent's internal API key
+// (PRIVATE) bypasses authorization; a browser holding the session PAT
+// can also reach this endpoint, which is fine: if you have the session
+// PAT, you own the chat.
+const { action, loader } = createActionApiRoute(
+  {
+    params: ParamsSchema,
+    body: EndAndContinueSessionRequestBody,
+    method: "POST",
+    maxContentLength: 1024,
+    allowJWT: true,
+    corsStrategy: "all",
+    // Resolved before authorization so the auth scope can expand to both
+    // addressing forms (friendlyId + externalId). Handler reads the row
+    // from `resource` instead of re-fetching.
+    findResource: async (params, auth) =>
+      resolveSessionByIdOrExternalId($replica, auth.environment.id, params.session),
+    authorization: {
+      action: "write",
+      // Multi-key: the session is addressable by URL param, friendlyId,
+      // and externalId — a JWT scoped to any of them grants access.
+      // Type-level `write:sessions` (no id) also matches; `write:all` /
+      // `admin` bypass via the JWT ability's wildcard branches.
+      resource: (params, _, __, ___, session) => {
+        const ids = new Set<string>([params.session]);
+        if (session) {
+          ids.add(session.friendlyId);
+          if (session.externalId) ids.add(session.externalId);
+        }
+        return anyResource([...ids].map((id) => ({ type: "sessions", id })));
+      },
+    },
+  },
+  async ({ authentication, params, body, resource: session }) => {
+    if (!session) {
+      // Unreachable — `findResource` 404s before this runs. Type narrow.
+      return json({ error: "Session not found" }, { status: 404 });
+    }
+
+    if (session.closedAt) {
+      return json(
+        { error: "Cannot end-and-continue a closed session" },
+        { status: 400 }
+      );
+    }
+
+    if (session.expiresAt && session.expiresAt.getTime() < Date.now()) {
+      return json(
+        { error: "Cannot end-and-continue an expired session" },
+        { status: 400 }
+      );
+    }
+
+    // The wire `callingRunId` is a friendlyId (that's what the agent
+    // SDK exposes via `ctx.run.id`). Internally `Session.currentRunId`
+    // stores the TaskRun.id cuid, so resolve before handing to the
+    // optimistic-claim service.
+    const callingRun = await $replica.taskRun.findFirst({
+      where: {
+        friendlyId: body.callingRunId,
+        runtimeEnvironmentId: authentication.environment.id,
+      },
+      select: { id: true },
+    });
+    if (!callingRun) {
+      return json({ error: "callingRunId not found in this environment" }, { status: 404 });
+    }
+
+    try {
+      // Body's `reason` is free-form for forward-compat (audit metadata
+      // only); narrow into the closed `EnsureRunReason` set, defaulting
+      // to `"manual"` for unknown labels.
+      const reason: "initial" | "continuation" | "upgrade" | "manual" =
+        body.reason === "upgrade" ||
+        body.reason === "continuation" ||
+        body.reason === "initial" ||
+        body.reason === "manual"
+          ? body.reason
+          : "manual";
+
+      const result = await swapSessionRun({
+        session,
+        callingRunId: callingRun.id,
+        environment: authentication.environment,
+        reason,
+      });
+
+      // Read-after-write: the swap just triggered (or claimed) the
+      // run on the writer, so read it from `prisma` rather than
+      // `$replica`. A replica miss here would silently fall back to
+      // returning the internal cuid, which the public API contract
+      // says is a friendlyId.
+      const run = await prisma.taskRun.findFirst({
+        where: { id: result.runId },
+        select: { friendlyId: true },
+      });
+
+      const responseBody: EndAndContinueSessionResponseBody = {
+        runId: run?.friendlyId ?? result.runId,
+        swapped: result.swapped,
+      };
+      return json<EndAndContinueSessionResponseBody>(responseBody);
+    } catch (error) {
+      logger.error("Failed end-and-continue", {
+        sessionId: session.id,
+        error,
+      });
+      return json({ error: "Failed to swap session run" }, { status: 500 });
+    }
+  }
+);
+
+export { action, loader };
diff --git a/apps/webapp/app/routes/api.v1.sessions.$session.ts b/apps/webapp/app/routes/api.v1.sessions.$session.ts
new file mode 100644
index 00000000000..58208de35e3
--- /dev/null
+++ b/apps/webapp/app/routes/api.v1.sessions.$session.ts
@@ -0,0 +1,135 @@
+import { json } from "@remix-run/server-runtime";
+import {
+  type RetrieveSessionResponseBody,
+  UpdateSessionRequestBody,
+} from "@trigger.dev/core/v3";
+import { Prisma } from "@trigger.dev/database";
+import { z } from "zod";
+import { $replica, prisma } from "~/db.server";
+import {
+  resolveSessionByIdOrExternalId,
+  serializeSessionWithFriendlyRunId,
+} from "~/services/realtime/sessions.server";
+import {
+  anyResource,
+  createActionApiRoute,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
+
+const ParamsSchema = z.object({
+  session: z.string(),
+});
+
+export const loader = createLoaderApiRoute(
+  {
+    params: ParamsSchema,
+    allowJWT: true,
+    corsStrategy: "all",
+    findResource: async (params, auth) => {
+      return resolveSessionByIdOrExternalId($replica, auth.environment.id, params.session);
+    },
+    authorization: {
+      action: "read",
+      // Multi-key: a session is addressable by both friendlyId and (when
+      // set) externalId. A JWT scoped to either id grants access; type-
+      // level `read:sessions` (no id) matches both elements; `read:all`
+      // / `admin` bypass via the JWT ability's wildcard branches.
+      resource: (session) =>
+        session.externalId
+          ? anyResource([
+              { type: "sessions", id: session.friendlyId },
+              { type: "sessions", id: session.externalId },
+            ])
+          : { type: "sessions", id: session.friendlyId },
+    },
+  },
+  async ({ resource: session }) => {
+    return json<RetrieveSessionResponseBody>(
+      await serializeSessionWithFriendlyRunId(session)
+    );
+  }
+);
+
+const { action } = createActionApiRoute(
+  {
+    params: ParamsSchema,
+    body: UpdateSessionRequestBody,
+    maxContentLength: 1024 * 32,
+    method: "PATCH",
+    allowJWT: true,
+    corsStrategy: "all",
+    authorization: {
+      action: "admin",
+      resource: (params) => ({ type: "sessions", id: params.session }),
+    },
+  },
+  async ({ authentication, params, body }) => {
+    const existing = await resolveSessionByIdOrExternalId(
+      $replica,
+      authentication.environment.id,
+      params.session
+    );
+
+    if (!existing) {
+      return json({ error: "Session not found" }, { status: 404 });
+    }
+
+    // The externalId is the canonical addressing key once set: the S2
+    // stream names, the waitpoint cache key, and the minted session PAT
+    // scope all derive from it. Re-keying a session would orphan its
+    // streams (the chat goes silent) and invalidate the PAT's scope, so
+    // reject any change. Same-value PATCHes stay idempotent.
+    if (
+      body.externalId !== undefined &&
+      body.externalId !== existing.externalId
+    ) {
+      return json(
+        {
+          error:
+            "externalId cannot be changed after creation; close this session and create a new one with the desired externalId",
+        },
+        { status: 422 }
+      );
+    }
+
+    try {
+      const updated = await prisma.session.update({
+        where: { id: existing.id },
+        data: {
+          ...(body.tags !== undefined ? { tags: body.tags } : {}),
+          ...(body.metadata !== undefined
+            ? {
+                metadata:
+                  body.metadata === null
+                    ? Prisma.JsonNull
+                    : (body.metadata as Prisma.InputJsonValue),
+              }
+            : {}),
+          ...(body.externalId !== undefined ? { externalId: body.externalId } : {}),
+        },
+      });
+
+      return json<RetrieveSessionResponseBody>(
+        await serializeSessionWithFriendlyRunId(updated)
+      );
+    } catch (error) {
+      // A duplicate externalId in the same environment violates the
+      // `(runtimeEnvironmentId, externalId)` unique constraint. Surface that
+      // as a 409 rather than a generic 500.
+      if (
+        error instanceof Prisma.PrismaClientKnownRequestError &&
+        error.code === "P2002" &&
+        Array.isArray((error.meta as { target?: string[] })?.target) &&
+        ((error.meta as { target?: string[] }).target ?? []).includes("externalId")
+      ) {
+        return json(
+          { error: "A session with this externalId already exists in this environment" },
+          { status: 409 }
+        );
+      }
+      throw error;
+    }
+  }
+);
+
+export { action };
diff --git a/apps/webapp/app/routes/api.v1.sessions.$sessionId.snapshot-url.ts b/apps/webapp/app/routes/api.v1.sessions.$sessionId.snapshot-url.ts
new file mode 100644
index 00000000000..80140f05d20
--- /dev/null
+++ b/apps/webapp/app/routes/api.v1.sessions.$sessionId.snapshot-url.ts
@@ -0,0 +1,93 @@
+import { json } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { chatSnapshotStorageKey } from "~/services/realtime/chatSnapshot.server";
+import { resolveSessionByIdOrExternalId } from "~/services/realtime/sessions.server";
+import {
+  anyResource,
+  createActionApiRoute,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
+import { generatePresignedUrl } from "~/v3/objectStore.server";
+
+const ParamsSchema = z.object({
+  sessionId: z.string(),
+});
+
+const routeConfig = {
+  params: ParamsSchema,
+  allowJWT: true,
+  corsStrategy: "all" as const,
+  findResource: async (params: z.infer<typeof ParamsSchema>, auth: { environment: { id: string } }) =>
+    resolveSessionByIdOrExternalId($replica, auth.environment.id, params.sessionId),
+};
+
+// Authorize against the union of the URL form, friendlyId, and externalId —
+// same shape as the sibling session routes. Without an authorization block
+// the route builder skips scope checks entirely, so any session-scoped JWT
+// in the environment could presign URLs for any other session's snapshot.
+function sessionResource(
+  paramId: string,
+  session: { friendlyId: string; externalId: string | null } | null | undefined
+) {
+  const ids = new Set<string>([paramId]);
+  if (session) {
+    ids.add(session.friendlyId);
+    if (session.externalId) ids.add(session.externalId);
+  }
+  return anyResource([...ids].map((id) => ({ type: "sessions" as const, id })));
+}
+
+export const { action } = createActionApiRoute(
+  {
+    ...routeConfig,
+    method: "PUT",
+    authorization: {
+      action: "write",
+      resource: (params, _, __, ___, session) => sessionResource(params.sessionId, session),
+    },
+  },
+  async ({ authentication, resource: session }) => {
+    if (!session) {
+      return json({ error: "Session not found" }, { status: 404 });
+    }
+
+    const signed = await generatePresignedUrl(
+      authentication.environment.project.externalRef,
+      authentication.environment.slug,
+      chatSnapshotStorageKey(session),
+      "PUT"
+    );
+    if (!signed.success) {
+      return json({ error: `Failed to generate presigned URL: ${signed.error}` }, { status: 500 });
+    }
+
+    return json({ presignedUrl: signed.url });
+  }
+);
+
+export const loader = createLoaderApiRoute(
+  {
+    ...routeConfig,
+    authorization: {
+      action: "read",
+      resource: (session, params) => sessionResource(params.sessionId, session),
+    },
+  },
+  async ({ authentication, resource: session }) => {
+  if (!session) {
+    return json({ error: "Session not found" }, { status: 404 });
+  }
+
+  const signed = await generatePresignedUrl(
+    authentication.environment.project.externalRef,
+    authentication.environment.slug,
+    chatSnapshotStorageKey(session),
+    "GET"
+  );
+  if (!signed.success) {
+    return json({ error: `Failed to generate presigned URL: ${signed.error}` }, { status: 500 });
+  }
+
+  return json({ presignedUrl: signed.url });
+});
diff --git a/apps/webapp/app/routes/api.v1.sessions.ts b/apps/webapp/app/routes/api.v1.sessions.ts
new file mode 100644
index 00000000000..44f8c7ef69f
--- /dev/null
+++ b/apps/webapp/app/routes/api.v1.sessions.ts
@@ -0,0 +1,312 @@
+import { json } from "@remix-run/server-runtime";
+import {
+  CreateSessionRequestBody,
+  type CreatedSessionResponseBody,
+  ListSessionsQueryParams,
+  type ListSessionsResponseBody,
+  type SessionItem,
+  type SessionStatus,
+} from "@trigger.dev/core/v3";
+import { SessionId } from "@trigger.dev/core/v3/isomorphic";
+import type { Prisma, Session } from "@trigger.dev/database";
+import { $replica, prisma, type PrismaClient } from "~/db.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
+import { logger } from "~/services/logger.server";
+import { mintSessionToken } from "~/services/realtime/mintSessionToken.server";
+import {
+  ensureRunForSession,
+  type SessionTriggerConfig,
+} from "~/services/realtime/sessionRunManager.server";
+import { chatSnapshotStoragePathForSession } from "~/services/realtime/chatSnapshot.server";
+import {
+  serializeSession,
+  serializeSessionsWithFriendlyRunIds,
+} from "~/services/realtime/sessions.server";
+import { SessionsRepository } from "~/services/sessionsRepository/sessionsRepository.server";
+import {
+  anyResource,
+  createActionApiRoute,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
+import { ServiceValidationError } from "~/v3/services/common.server";
+
+function asArray<T>(value: T | T[] | undefined): T[] | undefined {
+  if (value === undefined) return undefined;
+  return Array.isArray(value) ? value : [value];
+}
+
+export const loader = createLoaderApiRoute(
+  {
+    searchParams: ListSessionsQueryParams,
+    allowJWT: true,
+    corsStrategy: "all",
+    authorization: {
+      action: "read",
+      // Multi-key resource preserves the pre-RBAC superScope semantics:
+      //   - Per-task scoping via `read:tasks:<id>` matches a task element
+      //   - Type-level `read:sessions` (the old superScope) matches the
+      //     sessions element (collection-level — no id)
+      //   - `read:all` / `admin` bypass via the JWT ability's wildcard branches
+      // The taskIdentifier filter accepts a string or an array; expand to
+      // one resource per task id so any per-task-scoped JWT among them
+      // grants access (the array gets OR semantics).
+      resource: (_, __, searchParams) => {
+        const taskFilter = asArray(searchParams["filter[taskIdentifier]"]) ?? [];
+        return anyResource([
+          ...taskFilter.map((id) => ({ type: "tasks" as const, id })),
+          { type: "sessions" as const },
+        ]);
+      },
+    },
+    findResource: async () => 1,
+  },
+  async ({ searchParams, authentication }) => {
+    const clickhouse = await clickhouseFactory.getClickhouseForOrganization(
+      authentication.environment.organizationId,
+      "standard"
+    );
+    const repository = new SessionsRepository({
+      clickhouse,
+      prisma: $replica as PrismaClient,
+    });
+
+    // `page[after]` is the forward cursor, `page[before]` is the backward
+    // cursor. The repository internally keys off `{cursor, direction}`.
+    const cursor = searchParams["page[after]"] ?? searchParams["page[before]"];
+    const direction = searchParams["page[before]"] ? "backward" : "forward";
+
+    const { sessions: rows, pagination } = await repository.listSessions({
+      organizationId: authentication.environment.organizationId,
+      projectId: authentication.environment.projectId,
+      environmentId: authentication.environment.id,
+      types: asArray(searchParams["filter[type]"]),
+      tags: asArray(searchParams["filter[tags]"]),
+      taskIdentifiers: asArray(searchParams["filter[taskIdentifier]"]),
+      externalId: searchParams["filter[externalId]"],
+      statuses: asArray(searchParams["filter[status]"]) as SessionStatus[] | undefined,
+      period: searchParams["filter[createdAt][period]"],
+      from: searchParams["filter[createdAt][from]"],
+      to: searchParams["filter[createdAt][to]"],
+      page: {
+        size: searchParams["page[size]"],
+        cursor,
+        direction,
+      },
+    });
+
+    // Batched friendlyId translation: `currentRunId` on the wire is the
+    // public `run_*` form, matching the single-session routes. One `IN`
+    // lookup per page.
+    const data = await serializeSessionsWithFriendlyRunIds(
+      rows.map(
+        (row) =>
+          ({
+            ...row,
+            // Columns the list query doesn't select — filled so the
+            // serializer can operate on a narrowed payload without type errors.
+            projectId: authentication.environment.projectId,
+            environmentType: authentication.environment.type,
+            organizationId: authentication.environment.organizationId,
+          }) as Session
+      ),
+      {
+        projectId: authentication.environment.projectId,
+        runtimeEnvironmentId: authentication.environment.id,
+      }
+    );
+
+    return json<ListSessionsResponseBody>({
+      data,
+      pagination: {
+        ...(pagination.nextCursor ? { next: pagination.nextCursor } : {}),
+        ...(pagination.previousCursor ? { previous: pagination.previousCursor } : {}),
+      },
+    });
+  }
+);
+
+const { action } = createActionApiRoute(
+  {
+    body: CreateSessionRequestBody,
+    method: "POST",
+    maxContentLength: 1024 * 32, // 32KB — metadata is the only thing that grows
+    // Customer's server (typically wrapping
+    // `chat.createStartSessionAction`) owns session creation so any
+    // authorization decision (per-user/plan/quota) sits server-side
+    // alongside whatever DB write the customer pairs with the create.
+    // The session-scoped PAT returned in the response body is what the
+    // browser uses thereafter against `.in/append`, `.out` SSE,
+    // `end-and-continue`, etc.
+    //
+    // JWT is allowed when the caller holds an explicit `write:sessions` /
+    // `admin` super-scope plus a `tasks:<taskIdentifier>` scope — gates
+    // server-side surfaces like the cli-v3 MCP from creating sessions on
+    // behalf of the developer without weakening the browser model.
+    allowJWT: true,
+    authorization: {
+      // Per-task scoping via `body.taskIdentifier` (action-route resource
+      // callbacks receive the parsed body as the 4th arg — see
+      // `apiBuilder.server.ts:710`). A JWT scoped only to `write:tasks:foo`
+      // can only create sessions whose `taskIdentifier` is `"foo"`.
+      //
+      // Multi-key resource: pre-RBAC this route had a `superScopes:
+      // ["write:sessions", "admin"]` whitelist; post-RBAC the equivalent
+      // is the `{ type: "sessions" }` element below — a `write:sessions`
+      // JWT (no id) matches it directly, deliberately bypassing the
+      // per-task check exactly as before. `admin` / `write:all` bypass
+      // via the JWT ability's wildcard branches.
+      action: "write",
+      resource: (_params, _searchParams, _headers, body) =>
+        anyResource([
+          { type: "tasks", id: body.taskIdentifier },
+          { type: "sessions" },
+        ]),
+    },
+    corsStrategy: "all",
+  },
+  async ({ authentication, body }) => {
+    try {
+      const { id, friendlyId } = SessionId.generate();
+
+      // Idempotent on (env, externalId): two concurrent POSTs converge
+      // to the same row. We refresh `triggerConfig` on the cached path
+      // so newly-deployed schema changes (e.g. an updated
+      // `clientDataSchema` on the agent) propagate to subsequent runs
+      // — the next `ensureRunForSession` reads back the latest config.
+      let session: Session;
+      let isCached = false;
+
+      const triggerConfigJson = body.triggerConfig as unknown as Prisma.InputJsonValue;
+
+      if (body.externalId) {
+        session = await prisma.session.upsert({
+          where: {
+            runtimeEnvironmentId_externalId: {
+              runtimeEnvironmentId: authentication.environment.id,
+              externalId: body.externalId,
+            },
+          },
+          create: {
+            id,
+            friendlyId,
+            externalId: body.externalId,
+            type: body.type,
+            taskIdentifier: body.taskIdentifier,
+            triggerConfig: triggerConfigJson,
+            tags: body.tags ?? [],
+            metadata: body.metadata as Prisma.InputJsonValue | undefined,
+            expiresAt: body.expiresAt ?? null,
+            projectId: authentication.environment.projectId,
+            runtimeEnvironmentId: authentication.environment.id,
+            environmentType: authentication.environment.type,
+            organizationId: authentication.environment.organizationId,
+            streamBasinName: authentication.environment.organization.streamBasinName,
+            chatSnapshotStoragePath: chatSnapshotStoragePathForSession(friendlyId),
+          },
+          update: { triggerConfig: triggerConfigJson },
+        });
+        isCached = session.id !== id;
+      } else {
+        session = await prisma.session.create({
+          data: {
+            id,
+            friendlyId,
+            type: body.type,
+            taskIdentifier: body.taskIdentifier,
+            triggerConfig: triggerConfigJson,
+            tags: body.tags ?? [],
+            metadata: body.metadata as Prisma.InputJsonValue | undefined,
+            expiresAt: body.expiresAt ?? null,
+            projectId: authentication.environment.projectId,
+            runtimeEnvironmentId: authentication.environment.id,
+            environmentType: authentication.environment.type,
+            organizationId: authentication.environment.organizationId,
+            streamBasinName: authentication.environment.organization.streamBasinName,
+            chatSnapshotStoragePath: chatSnapshotStoragePathForSession(friendlyId),
+          },
+        });
+      }
+
+      // Reject create on a closed session. The upsert path will return
+      // an already-closed row when the caller reuses an externalId, and
+      // without this guard `ensureRunForSession` would trigger a fresh
+      // run that can't receive `.in` input (the append handler 409s on
+      // closed sessions). Force the caller to use a different externalId
+      // — `close` is one-way.
+      if (session.closedAt) {
+        return json(
+          { error: "Session is closed; use a different externalId to create a new session" },
+          { status: 409 }
+        );
+      }
+
+      // Same guard as the append / end-and-continue handlers: an expired
+      // row must not spawn a run, because every subsequent `.in/append`
+      // would 400 on the expiry check — a run boots but the chat can
+      // never receive input.
+      if (session.expiresAt && session.expiresAt.getTime() < Date.now()) {
+        return json(
+          { error: "Session is expired; use a different externalId to create a new session" },
+          { status: 409 }
+        );
+      }
+
+      // Session is task-bound — every session has a live run by
+      // construction. `ensureRunForSession` is idempotent: on the
+      // cached path it sees `currentRunId` is alive and returns it
+      // without re-triggering.
+      const ensureResult = await ensureRunForSession({
+        session,
+        environment: authentication.environment,
+        reason: isCached ? "continuation" : "initial",
+      });
+
+      // Read-after-write: the run was just triggered in this request,
+      // so go to the writer rather than $replica. Replica lag here
+      // would null this out and turn a successful create into a 500.
+      const run = await prisma.taskRun.findFirst({
+        where: { id: ensureResult.runId },
+        select: { friendlyId: true },
+      });
+      if (!run) {
+        throw new Error(`Triggered run ${ensureResult.runId} not found`);
+      }
+
+      // Mint a session-scoped PAT keyed on the addressing string the
+      // transport will use everywhere (`.in/append`, `.out` SSE,
+      // `end-and-continue`). For sessions with an externalId, that's
+      // the externalId; otherwise the friendlyId. Mirrors the
+      // canonical addressing key used server-side.
+      const addressingKey = session.externalId ?? session.friendlyId;
+      const publicAccessToken = await mintSessionToken(
+        authentication.environment,
+        addressingKey
+      );
+
+      const sessionItem: SessionItem = {
+        ...serializeSession(session),
+        triggerConfig: session.triggerConfig as unknown as SessionTriggerConfig,
+        currentRunId: run.friendlyId,
+      };
+
+      const responseBody: CreatedSessionResponseBody = {
+        ...sessionItem,
+        runId: run.friendlyId,
+        publicAccessToken,
+        isCached,
+      };
+
+      return json<CreatedSessionResponseBody>(responseBody, {
+        status: isCached ? 200 : 201,
+      });
+    } catch (error) {
+      if (error instanceof ServiceValidationError) {
+        return json({ error: error.message }, { status: 422 });
+      }
+      logger.error("Failed to create session", { error });
+      return json({ error: "Something went wrong" }, { status: 500 });
+    }
+  }
+);
+
+export { action };
diff --git a/apps/webapp/app/routes/api.v1.tasks.$taskId.trigger.ts b/apps/webapp/app/routes/api.v1.tasks.$taskId.trigger.ts
index 5811fc67709..1f8a42af08c 100644
--- a/apps/webapp/app/routes/api.v1.tasks.$taskId.trigger.ts
+++ b/apps/webapp/app/routes/api.v1.tasks.$taskId.trigger.ts
@@ -28,7 +28,10 @@ const ParamsSchema = z.object({
 });
 
 export const HeadersSchema = z.object({
-  "idempotency-key": z.string().nullish(),
+  "idempotency-key": z
+    .string()
+    .max(2048, "idempotency-key must be 2048 characters or less")
+    .nullish(),
   "idempotency-key-ttl": z.string().nullish(),
   "trigger-version": z.string().nullish(),
   "x-trigger-span-parent-as-link": z.coerce.number().nullish(),
@@ -51,8 +54,7 @@ const { action, loader } = createActionApiRoute(
     maxContentLength: env.TASK_PAYLOAD_MAXIMUM_SIZE,
     authorization: {
       action: "trigger",
-      resource: (params) => ({ tasks: params.taskId }),
-      superScopes: ["write:tasks", "admin"],
+      resource: (params) => ({ type: "tasks", id: params.taskId }),
     },
     corsStrategy: "all",
   },
@@ -132,7 +134,20 @@ const { action, loader } = createActionApiRoute(
         return json({ error: "Task not found" }, { status: 404 });
       }
 
-      await saveRequestIdempotency(requestIdempotencyKey, "trigger", result.run.id);
+      // Skip request-idempotency caching when the gate diverted to the
+      // mollifier buffer. `result.run.id` is a synthesised cuid with no
+      // corresponding PG row, so a lost-response SDK retry that reaches
+      // `handleRequestIdempotency` would lookup that id, miss in PG, and
+      // fall through to a fresh trigger — producing a duplicate buffer
+      // entry for triggers without a task-level idempotency key (the
+      // task-level path still dedupes via the buffer's SETNX in
+      // `findBufferedRunWithIdempotency`). Accepting the retry-as-fresh-
+      // trigger semantics here is bounded by the drainer's eventual
+      // materialisation: once the run lands in PG, normal request-
+      // idempotency from that point forward works as usual.
+      if (!result.isMollified) {
+        await saveRequestIdempotency(requestIdempotencyKey, "trigger", result.run.id);
+      }
 
       const $responseHeaders = await responseHeaders(result.run, authentication);
 
@@ -153,10 +168,9 @@ const { action, loader } = createActionApiRoute(
         return json({ error: error.message }, { status: error.status ?? 422 });
       } else if (error instanceof OutOfEntitlementError) {
         return json({ error: error.message }, { status: 422 });
-      } else if (error instanceof Error) {
-        return json({ error: error.message }, { status: 500 });
       }
 
+      logger.error("Trigger task failed", { error });
       return json({ error: "Something went wrong" }, { status: 500 });
     }
   }
diff --git a/apps/webapp/app/routes/api.v1.tasks.batch.ts b/apps/webapp/app/routes/api.v1.tasks.batch.ts
index e6ada1a739c..16b3ef16062 100644
--- a/apps/webapp/app/routes/api.v1.tasks.batch.ts
+++ b/apps/webapp/app/routes/api.v1.tasks.batch.ts
@@ -7,7 +7,10 @@ import {
 import { env } from "~/env.server";
 import { AuthenticatedEnvironment, getOneTimeUseToken } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
-import { createActionApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  createActionApiRoute,
+  everyResource,
+} from "~/services/routeBuilders/apiBuilder.server";
 import { resolveIdempotencyKeyTTL } from "~/utils/idempotencyKeys.server";
 import { ServiceValidationError } from "~/v3/services/baseService.server";
 import {
@@ -30,10 +33,17 @@ const { action, loader } = createActionApiRoute(
     maxContentLength: env.BATCH_TASK_PAYLOAD_MAXIMUM_SIZE,
     authorization: {
       action: "batchTrigger",
-      resource: (_, __, ___, body) => ({
-        tasks: Array.from(new Set(body.items.map((i) => i.task))),
-      }),
-      superScopes: ["write:tasks", "admin"],
+      // Each item in the batch is a distinct task — every one must be
+      // authorized, not just any one of them. `everyResource` flips
+      // the auth check to AND semantics so a JWT scoped to taskA can't
+      // submit a batch that also includes taskB / taskC.
+      resource: (_, __, ___, body) =>
+        everyResource(
+          Array.from(new Set(body.items.map((i) => i.task))).map((id) => ({
+            type: "tasks",
+            id,
+          }))
+        ),
     },
     corsStrategy: "all",
   },
@@ -127,6 +137,18 @@ const { action, loader } = createActionApiRoute(
 
       return json(batch, { status: 202, headers: $responseHeaders });
     } catch (error) {
+      // Customer-facing validation/quota failures (invalid batch shape,
+      // entitlements exhausted). The handler returns 422 with the message;
+      // system handles it gracefully, no alert needed.
+      if (error instanceof ServiceValidationError) {
+        logger.warn("Batch trigger error", { error: error.message });
+        return json({ error: error.message }, { status: 422 });
+      }
+      if (error instanceof OutOfEntitlementError) {
+        logger.warn("Batch trigger error", { error: error.message });
+        return json({ error: error.message }, { status: 422 });
+      }
+
       logger.error("Batch trigger error", {
         error: {
           message: (error as Error).message,
@@ -134,11 +156,7 @@ const { action, loader } = createActionApiRoute(
         },
       });
 
-      if (error instanceof ServiceValidationError) {
-        return json({ error: error.message }, { status: 422 });
-      } else if (error instanceof OutOfEntitlementError) {
-        return json({ error: error.message }, { status: 422 });
-      } else if (error instanceof Error) {
+      if (error instanceof Error) {
         return json(
           { error: "Something went wrong" },
           { status: 500, headers: { "x-should-retry": "false" } }
diff --git a/apps/webapp/app/routes/api.v1.waitpoints.tokens.$waitpointFriendlyId.callback.$hash.ts b/apps/webapp/app/routes/api.v1.waitpoints.tokens.$waitpointFriendlyId.callback.$hash.ts
index e8a7f046edb..d86feff7b91 100644
--- a/apps/webapp/app/routes/api.v1.waitpoints.tokens.$waitpointFriendlyId.callback.$hash.ts
+++ b/apps/webapp/app/routes/api.v1.waitpoints.tokens.$waitpointFriendlyId.callback.$hash.ts
@@ -45,6 +45,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
             orgMember: true,
             parentEnvironment: {
               select: {
+                id: true,
                 apiKey: true,
               },
             },
diff --git a/apps/webapp/app/routes/api.v1.waitpoints.tokens.$waitpointFriendlyId.complete.ts b/apps/webapp/app/routes/api.v1.waitpoints.tokens.$waitpointFriendlyId.complete.ts
index 916bfd19864..4a3e5f960c6 100644
--- a/apps/webapp/app/routes/api.v1.waitpoints.tokens.$waitpointFriendlyId.complete.ts
+++ b/apps/webapp/app/routes/api.v1.waitpoints.tokens.$waitpointFriendlyId.complete.ts
@@ -23,8 +23,7 @@ const { action, loader } = createActionApiRoute(
     allowJWT: true,
     authorization: {
       action: "write",
-      resource: (params) => ({ waitpoints: params.waitpointFriendlyId }),
-      superScopes: ["write:waitpoints", "admin"],
+      resource: (params) => ({ type: "waitpoints", id: params.waitpointFriendlyId }),
     },
     corsStrategy: "all",
   },
@@ -72,7 +71,16 @@ const { action, loader } = createActionApiRoute(
         { status: 200 }
       );
     } catch (error) {
-      logger.error("Failed to complete waitpoint token", { error });
+      // Re-throw Response objects (intentional HTTP responses like the 404 above) so the
+      // client gets the correct status code instead of a 500, and we don't log them as errors.
+      if (error instanceof Response) throw error;
+
+      logger.error("Failed to complete waitpoint token", {
+        error:
+          error instanceof Error
+            ? { name: error.name, message: error.message, stack: error.stack }
+            : error,
+      });
       throw json({ error: "Failed to complete waitpoint token" }, { status: 500 });
     }
   }
diff --git a/apps/webapp/app/routes/api.v1.waitpoints.tokens.ts b/apps/webapp/app/routes/api.v1.waitpoints.tokens.ts
index 4542236d488..b7ef988b728 100644
--- a/apps/webapp/app/routes/api.v1.waitpoints.tokens.ts
+++ b/apps/webapp/app/routes/api.v1.waitpoints.tokens.ts
@@ -10,6 +10,7 @@ import {
   ApiWaitpointListSearchParams,
 } from "~/presenters/v3/ApiWaitpointListPresenter.server";
 import { type AuthenticatedEnvironment } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 import { generateHttpCallbackUrl } from "~/services/httpCallback.server";
 import {
   createActionApiRoute,
@@ -92,10 +93,9 @@ const { action } = createActionApiRoute(
     } catch (error) {
       if (error instanceof ServiceValidationError) {
         return json({ error: error.message }, { status: 422 });
-      } else if (error instanceof Error) {
-        return json({ error: error.message }, { status: 500 });
       }
 
+      logger.error("Failed to create waitpoint token", { error });
       return json({ error: "Something went wrong" }, { status: 500 });
     }
   }
diff --git a/apps/webapp/app/routes/api.v1.whoami.ts b/apps/webapp/app/routes/api.v1.whoami.ts
index 0ebb70b4491..f0dea9a7a57 100644
--- a/apps/webapp/app/routes/api.v1.whoami.ts
+++ b/apps/webapp/app/routes/api.v1.whoami.ts
@@ -2,32 +2,39 @@ import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { json } from "@remix-run/server-runtime";
 import { prisma } from "~/db.server";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 
 export async function loader({ request }: LoaderFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
+  try {
+    // Next authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const environmentWithUser = await prisma.runtimeEnvironment.findUnique({
-    select: {
-      orgMember: {
-        select: {
-          userId: true,
+    const environmentWithUser = await prisma.runtimeEnvironment.findUnique({
+      select: {
+        orgMember: {
+          select: {
+            userId: true,
+          },
         },
       },
-    },
-    where: {
-      id: authenticationResult.environment.id,
-    },
-  });
+      where: {
+        id: authenticationResult.environment.id,
+      },
+    });
 
-  const result = {
-    ...authenticationResult.environment,
-    userId: environmentWithUser?.orgMember?.userId,
-  };
+    const result = {
+      ...authenticationResult.environment,
+      userId: environmentWithUser?.orgMember?.userId,
+    };
 
-  return json(result);
+    return json(result);
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to load whoami", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }
diff --git a/apps/webapp/app/routes/api.v2.batches.$batchId.ts b/apps/webapp/app/routes/api.v2.batches.$batchId.ts
index c89dbbaf312..a4a3027cfb7 100644
--- a/apps/webapp/app/routes/api.v2.batches.$batchId.ts
+++ b/apps/webapp/app/routes/api.v2.batches.$batchId.ts
@@ -1,7 +1,7 @@
 import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { $replica } from "~/db.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import { anyResource, createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
 
 const ParamsSchema = z.object({
   batchId: z.string(),
@@ -25,8 +25,13 @@ export const loader = createLoaderApiRoute(
     },
     authorization: {
       action: "read",
-      resource: (batch) => ({ batch: batch.friendlyId }),
-      superScopes: ["read:runs", "read:all", "admin"],
+      // See sibling note in api.v1.batches.$batchId.ts — `{type: "runs"}`
+      // preserves pre-RBAC `read:runs` superScope access for batch reads.
+      resource: (batch) =>
+        anyResource([
+          { type: "batch", id: batch.friendlyId },
+          { type: "runs" },
+        ]),
     },
   },
   async ({ resource: batch }) => {
diff --git a/apps/webapp/app/routes/api.v2.deployments.$deploymentId.finalize.ts b/apps/webapp/app/routes/api.v2.deployments.$deploymentId.finalize.ts
index 768212ee8dd..380f2c2e600 100644
--- a/apps/webapp/app/routes/api.v2.deployments.$deploymentId.finalize.ts
+++ b/apps/webapp/app/routes/api.v2.deployments.$deploymentId.finalize.ts
@@ -54,12 +54,9 @@ export async function action({ request, params }: ActionFunctionArgs) {
   } catch (error) {
     if (error instanceof ServiceValidationError) {
       return json({ error: error.message }, { status: 400 });
-    } else if (error instanceof Error) {
-      logger.error("Error finalizing deployment", { error: error.message });
-      return json({ error: `Internal server error: ${error.message}` }, { status: 500 });
-    } else {
-      logger.error("Error finalizing deployment", { error: String(error) });
-      return json({ error: "Internal server error" }, { status: 500 });
     }
+
+    logger.error("Error finalizing deployment", { error });
+    return json({ error: "Internal server error" }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v2.packets.$.ts b/apps/webapp/app/routes/api.v2.packets.$.ts
index 8810dc6005a..04ec14c3301 100644
--- a/apps/webapp/app/routes/api.v2.packets.$.ts
+++ b/apps/webapp/app/routes/api.v2.packets.$.ts
@@ -2,7 +2,7 @@ import type { ActionFunctionArgs } from "@remix-run/server-runtime";
 import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
-import { generatePresignedUrl } from "~/v3/objectStore.server";
+import { generatePresignedUrl, jsonPacketPresignFailure } from "~/v3/objectStore.server";
 
 const ParamsSchema = z.object({
   "*": z.string(),
@@ -34,7 +34,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
   );
 
   if (!signed.success) {
-    return json({ error: `Failed to generate presigned URL: ${signed.error}` }, { status: 500 });
+    return jsonPacketPresignFailure(signed);
   }
 
   if (signed.storagePath === undefined) {
diff --git a/apps/webapp/app/routes/api.v2.runs.$runParam.cancel.ts b/apps/webapp/app/routes/api.v2.runs.$runParam.cancel.ts
index a05af273d8d..cb660049c9c 100644
--- a/apps/webapp/app/routes/api.v2.runs.$runParam.cancel.ts
+++ b/apps/webapp/app/routes/api.v2.runs.$runParam.cancel.ts
@@ -1,8 +1,14 @@
 import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
-import { $replica } from "~/db.server";
+import { env as appEnv } from "~/env.server";
 import { createActionApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
 import { CancelTaskRunService } from "~/v3/services/cancelTaskRun.server";
+import { mutateWithFallback } from "~/v3/mollifier/mutateWithFallback.server";
+import {
+  resolveRunForMutation,
+  type ResolvedRunForMutation,
+} from "~/v3/mollifier/resolveRunForMutation.server";
 
 const ParamsSchema = z.object({
   runParam: z.string(),
@@ -15,32 +21,61 @@ const { action } = createActionApiRoute(
     corsStrategy: "none",
     authorization: {
       action: "write",
-      resource: (params) => ({ runs: params.runParam }),
-      superScopes: ["write:runs", "admin"],
-    },
-    findResource: async (params, auth) => {
-      return $replica.taskRun.findFirst({
-        where: {
-          friendlyId: params.runParam,
-          runtimeEnvironmentId: auth.environment.id,
-        },
-      });
+      resource: (params) => ({ type: "runs", id: params.runParam }),
     },
+    // PG-or-buffer resolver. Returning null here would 404 BEFORE the
+    // action runs (`apiBuilder.server.ts:321`), so buffered cancels need
+    // a buffer check at this layer too. Logic lives in a helper so the
+    // three paths (PG hit, buffer hit, both miss) are unit-tested
+    // independently of the route builder. The action's mutateWithFallback
+    // call repeats the lookup atomically — slightly redundant but keeps
+    // wait-and-bounce semantics intact.
+    findResource: async (params, auth): Promise<ResolvedRunForMutation | null> =>
+      resolveRunForMutation({
+        runParam: params.runParam,
+        environmentId: auth.environment.id,
+        organizationId: auth.environment.organizationId,
+      }),
   },
-  async ({ resource }) => {
-    if (!resource) {
-      return json({ error: "Run not found" }, { status: 404 });
-    }
+  async ({ params, authentication }) => {
+    const runId = params.runParam;
+    const env = authentication.environment;
+    const cancelledAt = new Date();
+    const cancelReason = "Canceled by user";
 
-    const service = new CancelTaskRunService();
+    const outcome = await mutateWithFallback({
+      runId,
+      environmentId: env.id,
+      organizationId: env.organizationId,
+      bufferPatch: {
+        type: "mark_cancelled",
+        cancelledAt: cancelledAt.toISOString(),
+        cancelReason,
+      },
+      pgMutation: async (taskRun) => {
+        const service = new CancelTaskRunService();
+        try {
+          await service.call(taskRun);
+        } catch {
+          return json({ error: "Internal Server Error" }, { status: 500 });
+        }
+        return json({ id: taskRun.friendlyId }, { status: 200 });
+      },
+      synthesisedResponse: () => json({ id: runId }, { status: 200 }),
+      abortSignal: getRequestAbortSignal(),
+      safetyNetMs: appEnv.TRIGGER_MOLLIFIER_MUTATE_SAFETY_NET_MS,
+      pollStepMs: appEnv.TRIGGER_MOLLIFIER_MUTATE_POLL_STEP_MS,
+      maxPollStepMs: appEnv.TRIGGER_MOLLIFIER_MUTATE_MAX_POLL_STEP_MS,
+      backoffFactor: appEnv.TRIGGER_MOLLIFIER_MUTATE_BACKOFF_FACTOR,
+    });
 
-    try {
-      await service.call(resource);
-    } catch (error) {
-      return json({ error: "Internal Server Error" }, { status: 500 });
+    if (outcome.kind === "not_found") {
+      return json({ error: "Run not found" }, { status: 404 });
     }
-
-    return json({ id: resource.friendlyId }, { status: 200 });
+    if (outcome.kind === "timed_out") {
+      return json({ error: "Run materialisation timed out" }, { status: 503 });
+    }
+    return outcome.response;
   }
 );
 
diff --git a/apps/webapp/app/routes/api.v2.tasks.batch.ts b/apps/webapp/app/routes/api.v2.tasks.batch.ts
index 8db98b4d343..8b2be6e3ca5 100644
--- a/apps/webapp/app/routes/api.v2.tasks.batch.ts
+++ b/apps/webapp/app/routes/api.v2.tasks.batch.ts
@@ -9,7 +9,10 @@ import { env } from "~/env.server";
 import { RunEngineBatchTriggerService } from "~/runEngine/services/batchTrigger.server";
 import { AuthenticatedEnvironment, getOneTimeUseToken } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
-import { createActionApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  createActionApiRoute,
+  everyResource,
+} from "~/services/routeBuilders/apiBuilder.server";
 import {
   handleRequestIdempotency,
   saveRequestIdempotency,
@@ -32,10 +35,17 @@ const { action, loader } = createActionApiRoute(
     maxContentLength: env.BATCH_TASK_PAYLOAD_MAXIMUM_SIZE,
     authorization: {
       action: "batchTrigger",
-      resource: (_, __, ___, body) => ({
-        tasks: Array.from(new Set(body.items.map((i) => i.task))),
-      }),
-      superScopes: ["write:tasks", "admin"],
+      // Each item in the batch is a distinct task — every one must be
+      // authorized, not just any one of them. `everyResource` flips
+      // the auth check to AND semantics so a JWT scoped to taskA can't
+      // submit a batch that also includes taskB / taskC.
+      resource: (_, __, ___, body) =>
+        everyResource(
+          Array.from(new Set(body.items.map((i) => i.task))).map((id) => ({
+            type: "tasks",
+            id,
+          }))
+        ),
     },
     corsStrategy: "all",
   },
@@ -144,6 +154,18 @@ const { action, loader } = createActionApiRoute(
         headers: $responseHeaders,
       });
     } catch (error) {
+      // Customer-facing validation/quota failures (invalid batch shape,
+      // entitlements exhausted). The handler returns 422 with the message;
+      // system handles it gracefully, no alert needed.
+      if (error instanceof ServiceValidationError) {
+        logger.warn("Batch trigger error", { error: error.message });
+        return json({ error: error.message }, { status: 422 });
+      }
+      if (error instanceof OutOfEntitlementError) {
+        logger.warn("Batch trigger error", { error: error.message });
+        return json({ error: error.message }, { status: 422 });
+      }
+
       logger.error("Batch trigger error", {
         error: {
           message: (error as Error).message,
@@ -151,11 +173,7 @@ const { action, loader } = createActionApiRoute(
         },
       });
 
-      if (error instanceof ServiceValidationError) {
-        return json({ error: error.message }, { status: 422 });
-      } else if (error instanceof OutOfEntitlementError) {
-        return json({ error: error.message }, { status: 422 });
-      } else if (error instanceof Error) {
+      if (error instanceof Error) {
         return json(
           { error: error.message },
           { status: 500, headers: { "x-should-retry": "false" } }
diff --git a/apps/webapp/app/routes/api.v3.batches.$batchId.items.ts b/apps/webapp/app/routes/api.v3.batches.$batchId.items.ts
index 2d732d1555a..49e0d9053cc 100644
--- a/apps/webapp/app/routes/api.v3.batches.$batchId.items.ts
+++ b/apps/webapp/app/routes/api.v3.batches.$batchId.items.ts
@@ -88,6 +88,22 @@ export async function action({ request, params }: ActionFunctionArgs) {
 
     return json(result, { status: 200 });
   } catch (error) {
+    // Customer-facing validation failures (invalid item shape, invalid JSON
+    // in the streamed body). The handler returns 4xx with the message;
+    // system handles it gracefully, no alert needed.
+    if (error instanceof ServiceValidationError) {
+      logger.warn("Stream batch items error", { batchId, error: error.message });
+      return json({ error: error.message }, { status: 422 });
+    }
+
+    if (error instanceof Error && error.message.includes("Invalid JSON")) {
+      logger.warn("Stream batch items error: invalid JSON", {
+        batchId,
+        error: error.message,
+      });
+      return json({ error: error.message }, { status: 400 });
+    }
+
     logger.error("Stream batch items error", {
       batchId,
       error: {
@@ -96,17 +112,6 @@ export async function action({ request, params }: ActionFunctionArgs) {
       },
     });
 
-    if (error instanceof ServiceValidationError) {
-      return json({ error: error.message }, { status: 422 });
-    } else if (error instanceof Error) {
-      // Check for stream parsing errors (e.g. invalid JSON)
-      if (error.message.includes("Invalid JSON")) {
-        return json({ error: error.message }, { status: 400 });
-      }
-
-      return json({ error: error.message }, { status: 500 });
-    }
-
     return json({ error: "Something went wrong" }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v3.batches.ts b/apps/webapp/app/routes/api.v3.batches.ts
index 5067eaef06e..f4227106765 100644
--- a/apps/webapp/app/routes/api.v3.batches.ts
+++ b/apps/webapp/app/routes/api.v3.batches.ts
@@ -35,12 +35,9 @@ const { action, loader } = createActionApiRoute(
     maxContentLength: 131_072, // 128KB is plenty for the batch metadata
     authorization: {
       action: "batchTrigger",
-      resource: () => ({
-        // No specific tasks to authorize at batch creation time
-        // Tasks are validated when items are streamed
-        tasks: [],
-      }),
-      superScopes: ["write:tasks", "admin"],
+      // No specific tasks to authorize at batch creation time — tasks are
+      // validated when items are streamed. Collection-level check.
+      resource: () => ({ type: "tasks" }),
     },
     corsStrategy: "all",
   },
@@ -172,6 +169,18 @@ const { action, loader } = createActionApiRoute(
         );
       }
 
+      // Customer-facing validation/quota failures (invalid batch shape,
+      // entitlements exhausted). The handler returns 422 with the message;
+      // system handles it gracefully, no alert needed.
+      if (error instanceof ServiceValidationError) {
+        logger.warn("Create batch error", { error: error.message });
+        return json({ error: error.message }, { status: error.status ?? 422 });
+      }
+      if (error instanceof OutOfEntitlementError) {
+        logger.warn("Create batch error", { error: error.message });
+        return json({ error: error.message }, { status: 422 });
+      }
+
       logger.error("Create batch error", {
         error: {
           message: (error as Error).message,
@@ -179,11 +188,7 @@ const { action, loader } = createActionApiRoute(
         },
       });
 
-      if (error instanceof ServiceValidationError) {
-        return json({ error: error.message }, { status: 422 });
-      } else if (error instanceof OutOfEntitlementError) {
-        return json({ error: error.message }, { status: 422 });
-      } else if (error instanceof Error) {
+      if (error instanceof Error) {
         return json(
           { error: error.message },
           { status: 500, headers: { "x-should-retry": "false" } }
diff --git a/apps/webapp/app/routes/api.v3.deployments.$deploymentId.finalize.ts b/apps/webapp/app/routes/api.v3.deployments.$deploymentId.finalize.ts
index d6594c2520d..f08b3ed0525 100644
--- a/apps/webapp/app/routes/api.v3.deployments.$deploymentId.finalize.ts
+++ b/apps/webapp/app/routes/api.v3.deployments.$deploymentId.finalize.ts
@@ -75,11 +75,8 @@ export async function action({ request, params }: ActionFunctionArgs) {
 
         if (error instanceof ServiceValidationError) {
           errorMessage = { error: error.message };
-        } else if (error instanceof Error) {
-          logger.error("Error finalizing deployment", { error: error.message });
-          errorMessage = { error: `Internal server error: ${error.message}` };
         } else {
-          logger.error("Error finalizing deployment", { error: String(error) });
+          logger.error("Error finalizing deployment", { error });
           errorMessage = { error: "Internal server error" };
         }
 
@@ -93,12 +90,9 @@ export async function action({ request, params }: ActionFunctionArgs) {
   } catch (error) {
     if (error instanceof ServiceValidationError) {
       return json({ error: error.message }, { status: 400 });
-    } else if (error instanceof Error) {
-      logger.error("Error finalizing deployment", { error: error.message });
-      return json({ error: `Internal server error: ${error.message}` }, { status: 500 });
-    } else {
-      logger.error("Error finalizing deployment", { error: String(error) });
-      return json({ error: "Internal server error" }, { status: 500 });
     }
+
+    logger.error("Error finalizing deployment", { error });
+    return json({ error: "Internal server error" }, { status: 500 });
   }
 }
diff --git a/apps/webapp/app/routes/api.v3.runs.$runId.ts b/apps/webapp/app/routes/api.v3.runs.$runId.ts
index de40a9a9120..00ea7102580 100644
--- a/apps/webapp/app/routes/api.v3.runs.$runId.ts
+++ b/apps/webapp/app/routes/api.v3.runs.$runId.ts
@@ -1,7 +1,10 @@
 import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { ApiRetrieveRunPresenter } from "~/presenters/v3/ApiRetrieveRunPresenter.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  anyResource,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
 
 const ParamsSchema = z.object({
   runId: z.string(),
@@ -18,13 +21,17 @@ export const loader = createLoaderApiRoute(
     shouldRetryNotFound: true,
     authorization: {
       action: "read",
-      resource: (run) => ({
-        runs: run.friendlyId,
-        tags: run.runTags,
-        batch: run.batch?.friendlyId,
-        tasks: run.taskIdentifier,
-      }),
-      superScopes: ["read:runs", "read:all", "admin"],
+      resource: (run) => {
+        const resources = [
+          { type: "runs", id: run.friendlyId },
+          { type: "tasks", id: run.taskIdentifier },
+          ...run.runTags.map((tag) => ({ type: "tags", id: tag })),
+        ];
+        if (run.batch?.friendlyId) {
+          resources.push({ type: "batch", id: run.batch.friendlyId });
+        }
+        return anyResource(resources);
+      },
     },
   },
   async ({ authentication, resource, apiVersion }) => {
diff --git a/apps/webapp/app/routes/auth.github.callback.tsx b/apps/webapp/app/routes/auth.github.callback.tsx
index 2313b348f4a..44277dbf941 100644
--- a/apps/webapp/app/routes/auth.github.callback.tsx
+++ b/apps/webapp/app/routes/auth.github.callback.tsx
@@ -1,10 +1,11 @@
 import type { LoaderFunction } from "@remix-run/node";
 import { redirect } from "@remix-run/node";
 import { prisma } from "~/db.server";
-import { getSession, redirectWithErrorMessage } from "~/models/message.server";
+import { redirectWithErrorMessage } from "~/models/message.server";
 import { authenticator } from "~/services/auth.server";
 import { setLastAuthMethodHeader } from "~/services/lastAuthMethod.server";
-import { commitSession } from "~/services/sessionStorage.server";
+import { commitSession, getUserSession } from "~/services/sessionStorage.server";
+import { commitAuthenticatedSession } from "~/services/sessionDuration.server";
 import { trackAndClearReferralSource } from "~/services/referralSource.server";
 import { redirectCookie } from "./auth.github";
 import { sanitizeRedirectPath } from "~/utils";
@@ -18,7 +19,7 @@ export let loader: LoaderFunction = async ({ request }) => {
     failureRedirect: "/login", // If auth fails, the failureRedirect will be thrown as a Response
   });
 
-  const session = await getSession(request.headers.get("cookie"));
+  const session = await getUserSession(request);
 
   const userRecord = await prisma.user.findFirst({
     where: {
@@ -52,7 +53,7 @@ export let loader: LoaderFunction = async ({ request }) => {
   session.set(authenticator.sessionKey, auth);
 
   const headers = new Headers();
-  headers.append("Set-Cookie", await commitSession(session));
+  headers.append("Set-Cookie", await commitAuthenticatedSession(session, auth.userId));
   headers.append("Set-Cookie", await setLastAuthMethodHeader("github"));
 
   await trackAndClearReferralSource(request, auth.userId, headers);
diff --git a/apps/webapp/app/routes/auth.google.callback.tsx b/apps/webapp/app/routes/auth.google.callback.tsx
index 65dabd605ce..e065a9de58e 100644
--- a/apps/webapp/app/routes/auth.google.callback.tsx
+++ b/apps/webapp/app/routes/auth.google.callback.tsx
@@ -1,10 +1,11 @@
 import type { LoaderFunction } from "@remix-run/node";
 import { redirect } from "@remix-run/node";
 import { prisma } from "~/db.server";
-import { getSession, redirectWithErrorMessage } from "~/models/message.server";
+import { redirectWithErrorMessage } from "~/models/message.server";
 import { authenticator } from "~/services/auth.server";
 import { setLastAuthMethodHeader } from "~/services/lastAuthMethod.server";
-import { commitSession } from "~/services/sessionStorage.server";
+import { commitSession, getUserSession } from "~/services/sessionStorage.server";
+import { commitAuthenticatedSession } from "~/services/sessionDuration.server";
 import { trackAndClearReferralSource } from "~/services/referralSource.server";
 import { redirectCookie } from "./auth.google";
 import { sanitizeRedirectPath } from "~/utils";
@@ -18,7 +19,7 @@ export let loader: LoaderFunction = async ({ request }) => {
     failureRedirect: "/login", // If auth fails, the failureRedirect will be thrown as a Response
   });
 
-  const session = await getSession(request.headers.get("cookie"));
+  const session = await getUserSession(request);
 
   const userRecord = await prisma.user.findFirst({
     where: {
@@ -52,7 +53,7 @@ export let loader: LoaderFunction = async ({ request }) => {
   session.set(authenticator.sessionKey, auth);
 
   const headers = new Headers();
-  headers.append("Set-Cookie", await commitSession(session));
+  headers.append("Set-Cookie", await commitAuthenticatedSession(session, auth.userId));
   headers.append("Set-Cookie", await setLastAuthMethodHeader("google"));
 
   await trackAndClearReferralSource(request, auth.userId, headers);
diff --git a/apps/webapp/app/routes/engine.v1.dev.runs.$runFriendlyId.snapshots.$snapshotFriendlyId.attempts.start.ts b/apps/webapp/app/routes/engine.v1.dev.runs.$runFriendlyId.snapshots.$snapshotFriendlyId.attempts.start.ts
index 0c88cc45f61..a3f35013b78 100644
--- a/apps/webapp/app/routes/engine.v1.dev.runs.$runFriendlyId.snapshots.$snapshotFriendlyId.attempts.start.ts
+++ b/apps/webapp/app/routes/engine.v1.dev.runs.$runFriendlyId.snapshots.$snapshotFriendlyId.attempts.start.ts
@@ -5,7 +5,7 @@ import {
   WorkerApiRunAttemptStartRequestBody,
   WorkerApiRunAttemptStartResponseBody,
 } from "@trigger.dev/core/v3/workers";
-import { RuntimeEnvironment } from "@trigger.dev/database";
+import type { AuthenticatedEnvironment } from "@trigger.dev/core/v3/auth/environment";
 import { defaultMachine } from "~/services/platform.v3.server";
 import { z } from "zod";
 import { prisma } from "~/db.server";
@@ -76,7 +76,7 @@ const { action } = createActionApiRoute(
 );
 
 async function getEnvVars(
-  environment: RuntimeEnvironment,
+  environment: AuthenticatedEnvironment,
   runId: string,
   machinePreset: MachinePreset,
   taskEventStore?: string
diff --git a/apps/webapp/app/routes/engine.v1.worker-actions.dequeue.ts b/apps/webapp/app/routes/engine.v1.worker-actions.dequeue.ts
index 2b41cd23c2e..f1a96335779 100644
--- a/apps/webapp/app/routes/engine.v1.worker-actions.dequeue.ts
+++ b/apps/webapp/app/routes/engine.v1.worker-actions.dequeue.ts
@@ -7,12 +7,13 @@ import { createActionWorkerApiRoute } from "~/services/routeBuilders/apiBuilder.
 
 export const action = createActionWorkerApiRoute(
   {
-    body: WorkerApiDequeueRequestBody, // Even though we don't use it, we need to keep it for backwards compatibility
+    body: WorkerApiDequeueRequestBody,
   },
   async ({
     authenticatedWorker,
     runnerId,
+    body,
   }): Promise<TypedResponse<WorkerApiDequeueResponseBody>> => {
-    return json(await authenticatedWorker.dequeue({ runnerId }));
+    return json(await authenticatedWorker.dequeue({ runnerId, queueClass: body.queueClass }));
   }
 );
diff --git a/apps/webapp/app/routes/healthcheck.tsx b/apps/webapp/app/routes/healthcheck.tsx
index 19b5c962f1c..4ad3992e3c1 100644
--- a/apps/webapp/app/routes/healthcheck.tsx
+++ b/apps/webapp/app/routes/healthcheck.tsx
@@ -1,14 +1,24 @@
 import { prisma } from "~/db.server";
 import type { LoaderFunction } from "@remix-run/node";
 import { env } from "~/env.server";
+import { rbac } from "~/services/rbac.server";
 
 export const loader: LoaderFunction = async ({ request }) => {
   try {
+    // Resolve the lazy plugin controller so plugin-load failures surface
+    // during readiness probes. With REQUIRE_PLUGINS=1, a failed plugin
+    // load throws here and the rollout's readiness probe fails. The
+    // fallback path doesn't touch the DB, so this runs even when
+    // HEALTHCHECK_DATABASE_DISABLED=1 — REQUIRE_PLUGINS protection must
+    // not be silently bypassed by the DB-disabled flag.
+    await rbac.isUsingPlugin();
+
     if (env.HEALTHCHECK_DATABASE_DISABLED === "1") {
       return new Response("OK");
     }
 
     await prisma.$queryRaw`SELECT 1`;
+
     return new Response("OK");
   } catch (error: unknown) {
     console.log("healthcheck ❌", { error });
diff --git a/apps/webapp/app/routes/invite-resend.tsx b/apps/webapp/app/routes/invite-resend.tsx
index dc66e898517..5dc285b944f 100644
--- a/apps/webapp/app/routes/invite-resend.tsx
+++ b/apps/webapp/app/routes/invite-resend.tsx
@@ -4,7 +4,7 @@ import { env } from "process";
 import { z } from "zod";
 import { resendInvite } from "~/models/member.server";
 import { redirectWithSuccessMessage } from "~/models/message.server";
-import { scheduleEmail } from "~/services/email.server";
+import { scheduleEmail } from "~/services/scheduleEmail.server";
 import { requireUserId } from "~/services/session.server";
 import { acceptInvitePath, organizationTeamPath } from "~/utils/pathBuilder";
 
diff --git a/apps/webapp/app/routes/login.magic/route.tsx b/apps/webapp/app/routes/login.magic/route.tsx
index 8c4323be54e..06523b3d8c5 100644
--- a/apps/webapp/app/routes/login.magic/route.tsx
+++ b/apps/webapp/app/routes/login.magic/route.tsx
@@ -23,6 +23,7 @@ import { TextLink } from "~/components/primitives/TextLink";
 import { authenticator } from "~/services/auth.server";
 import { commitSession, getUserSession } from "~/services/sessionStorage.server";
 import { setRedirectTo, commitSession as commitRedirectSession } from "~/services/redirectTo.server";
+import { sanitizeRedirectPath } from "~/utils";
 import {
   checkMagicLinkEmailRateLimit,
   checkMagicLinkEmailDailyRateLimit,
@@ -60,11 +61,14 @@ export async function loader({ request }: LoaderFunctionArgs) {
   const session = await getUserSession(request);
   const error = session.get("auth:error");
 
-  // Get redirectTo from URL params and store in session if present
+  // Get redirectTo from URL params and store in session if present.
+  // Sanitize to drop non-page paths (fetcher routes, callbacks) which would
+  // render blank if the user was sent there post-login.
   const url = new URL(request.url);
-  const redirectTo = url.searchParams.get("redirectTo");
+  const sanitized = sanitizeRedirectPath(url.searchParams.get("redirectTo"));
+  const redirectTo = sanitized === "/" ? null : sanitized;
   const headers = new Headers();
-  
+
   if (redirectTo) {
     const redirectSession = await setRedirectTo(request, redirectTo);
     headers.append("Set-Cookie", await commitRedirectSession(redirectSession));
@@ -97,17 +101,32 @@ export async function action({ request }: ActionFunctionArgs) {
 
   const payload = Object.fromEntries(await clonedRequest.formData());
 
-  const data = z
+  const result = z
     .discriminatedUnion("action", [
       z.object({
         action: z.literal("send"),
-        email: z.string().trim().toLowerCase(),
+        email: z.string().trim().toLowerCase().email(),
       }),
       z.object({
         action: z.literal("reset"),
       }),
     ])
-    .parse(payload);
+    .safeParse(payload);
+
+  if (!result.success) {
+    const session = await getUserSession(request);
+    session.set("auth:error", {
+      message: "Please enter a valid email address.",
+    });
+
+    return redirect("/login/magic", {
+      headers: {
+        "Set-Cookie": await commitSession(session),
+      },
+    });
+  }
+
+  const data = result.data;
 
   switch (data.action) {
     case "send": {
diff --git a/apps/webapp/app/routes/login.mfa/route.tsx b/apps/webapp/app/routes/login.mfa/route.tsx
index 1a71cd7227a..67006c37482 100644
--- a/apps/webapp/app/routes/login.mfa/route.tsx
+++ b/apps/webapp/app/routes/login.mfa/route.tsx
@@ -21,6 +21,7 @@ import { Paragraph } from "~/components/primitives/Paragraph";
 import { Spinner } from "~/components/primitives/Spinner";
 import { authenticator } from "~/services/auth.server";
 import { commitSession, getUserSession } from "~/services/sessionStorage.server";
+import { commitAuthenticatedSession } from "~/services/sessionDuration.server";
 import { getSession as getMessageSession } from "~/models/message.server";
 import { MultiFactorAuthenticationService } from "~/services/mfa/multiFactorAuthentication.server";
 import { redirectWithErrorMessage, redirectBackWithErrorMessage } from "~/models/message.server";
@@ -162,7 +163,7 @@ async function completeLogin(request: Request, session: Session, userId: string)
   session.unset("pending-mfa-redirect-to");
 
   const headers = new Headers();
-  headers.append("Set-Cookie", await commitSession(session));
+  headers.append("Set-Cookie", await commitAuthenticatedSession(session, userId));
 
   await trackAndClearReferralSource(request, userId, headers);
 
diff --git a/apps/webapp/app/routes/magic.tsx b/apps/webapp/app/routes/magic.tsx
index 682f0ef46e5..d4606e1b7de 100644
--- a/apps/webapp/app/routes/magic.tsx
+++ b/apps/webapp/app/routes/magic.tsx
@@ -6,10 +6,15 @@ import { authenticator } from "~/services/auth.server";
 import { setLastAuthMethodHeader } from "~/services/lastAuthMethod.server";
 import { getRedirectTo } from "~/services/redirectTo.server";
 import { commitSession, getSession } from "~/services/sessionStorage.server";
+import { commitAuthenticatedSession } from "~/services/sessionDuration.server";
 import { trackAndClearReferralSource } from "~/services/referralSource.server";
+import { sanitizeRedirectPath } from "~/utils";
 
 export async function loader({ request }: LoaderFunctionArgs) {
-  const redirectTo = await getRedirectTo(request);
+  // Defense-in-depth: sanitize the cookie value to drop non-page paths in case
+  // a stale cookie from before sanitization shipped is still in the browser.
+  const sanitized = sanitizeRedirectPath(await getRedirectTo(request));
+  const redirectTo = sanitized === "/" ? undefined : sanitized;
 
   const auth = await authenticator.authenticate("email-link", request, {
     failureRedirect: "/login/magic", // If auth fails, the failureRedirect will be thrown as a Response
@@ -51,7 +56,7 @@ export async function loader({ request }: LoaderFunctionArgs) {
   session.set(authenticator.sessionKey, auth);
 
   const headers = new Headers();
-  headers.append("Set-Cookie", await commitSession(session));
+  headers.append("Set-Cookie", await commitAuthenticatedSession(session, auth.userId));
   headers.append("Set-Cookie", await setLastAuthMethodHeader("email"));
 
   await trackAndClearReferralSource(request, auth.userId, headers);
diff --git a/apps/webapp/app/routes/otel.v1.logs.ts b/apps/webapp/app/routes/otel.v1.logs.ts
index a05ddd24cf2..1dc7c07c16c 100644
--- a/apps/webapp/app/routes/otel.v1.logs.ts
+++ b/apps/webapp/app/routes/otel.v1.logs.ts
@@ -4,12 +4,13 @@ import { otlpExporter } from "~/v3/otlpExporter.server";
 
 export async function action({ request }: ActionFunctionArgs) {
   try {
+    const exporter = await otlpExporter;
     const contentType = request.headers.get("content-type")?.toLowerCase() ?? "";
 
     if (contentType.startsWith("application/json")) {
       const body = await request.json();
 
-      const exportResponse = await otlpExporter.exportLogs(body as ExportLogsServiceRequest);
+      const exportResponse = await exporter.exportLogs(body as ExportLogsServiceRequest);
 
       return json(exportResponse, { status: 200 });
     } else if (contentType.startsWith("application/x-protobuf")) {
@@ -17,7 +18,7 @@ export async function action({ request }: ActionFunctionArgs) {
 
       const exportRequest = ExportLogsServiceRequest.decode(new Uint8Array(buffer));
 
-      const exportResponse = await otlpExporter.exportLogs(exportRequest);
+      const exportResponse = await exporter.exportLogs(exportRequest);
 
       return new Response(ExportLogsServiceResponse.encode(exportResponse).finish(), {
         status: 200,
diff --git a/apps/webapp/app/routes/otel.v1.metrics.ts b/apps/webapp/app/routes/otel.v1.metrics.ts
index 5529f9310ec..803dc3da260 100644
--- a/apps/webapp/app/routes/otel.v1.metrics.ts
+++ b/apps/webapp/app/routes/otel.v1.metrics.ts
@@ -10,19 +10,21 @@ export async function action({ request }: ActionFunctionArgs) {
     const contentType = request.headers.get("content-type")?.toLowerCase() ?? "";
 
     if (contentType.startsWith("application/json")) {
+      const exporter = await otlpExporter;
       const body = await request.json();
 
-      const exportResponse = await otlpExporter.exportMetrics(
+      const exportResponse = await exporter.exportMetrics(
         body as ExportMetricsServiceRequest
       );
 
       return json(exportResponse, { status: 200 });
     } else if (contentType.startsWith("application/x-protobuf")) {
+      const exporter = await otlpExporter;
       const buffer = await request.arrayBuffer();
 
       const exportRequest = ExportMetricsServiceRequest.decode(new Uint8Array(buffer));
 
-      const exportResponse = await otlpExporter.exportMetrics(exportRequest);
+      const exportResponse = await exporter.exportMetrics(exportRequest);
 
       return new Response(ExportMetricsServiceResponse.encode(exportResponse).finish(), {
         status: 200,
diff --git a/apps/webapp/app/routes/otel.v1.traces.ts b/apps/webapp/app/routes/otel.v1.traces.ts
index 609b72c0465..8e974c7b1dd 100644
--- a/apps/webapp/app/routes/otel.v1.traces.ts
+++ b/apps/webapp/app/routes/otel.v1.traces.ts
@@ -4,12 +4,13 @@ import { otlpExporter } from "~/v3/otlpExporter.server";
 
 export async function action({ request }: ActionFunctionArgs) {
   try {
+    const exporter = await otlpExporter;
     const contentType = request.headers.get("content-type")?.toLowerCase() ?? "";
 
     if (contentType.startsWith("application/json")) {
       const body = await request.json();
 
-      const exportResponse = await otlpExporter.exportTraces(body as ExportTraceServiceRequest);
+      const exportResponse = await exporter.exportTraces(body as ExportTraceServiceRequest);
 
       return json(exportResponse, { status: 200 });
     } else if (contentType.startsWith("application/x-protobuf")) {
@@ -17,7 +18,7 @@ export async function action({ request }: ActionFunctionArgs) {
 
       const exportRequest = ExportTraceServiceRequest.decode(new Uint8Array(buffer));
 
-      const exportResponse = await otlpExporter.exportTraces(exportRequest);
+      const exportResponse = await exporter.exportTraces(exportRequest);
 
       return new Response(ExportTraceServiceResponse.encode(exportResponse).finish(), {
         status: 200,
diff --git a/apps/webapp/app/routes/realtime.v1.batches.$batchId.ts b/apps/webapp/app/routes/realtime.v1.batches.$batchId.ts
index 17a759e6ca0..add50434d48 100644
--- a/apps/webapp/app/routes/realtime.v1.batches.$batchId.ts
+++ b/apps/webapp/app/routes/realtime.v1.batches.$batchId.ts
@@ -1,7 +1,8 @@
 import { z } from "zod";
 import { $replica } from "~/db.server";
-import { realtimeClient } from "~/services/realtimeClientGlobal.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
+import { resolveRealtimeStreamClient } from "~/services/realtime/resolveRealtimeStreamClient.server";
+import { anyResource, createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
 
 const ParamsSchema = z.object({
   batchId: z.string(),
@@ -22,18 +23,27 @@ export const loader = createLoaderApiRoute(
     },
     authorization: {
       action: "read",
-      resource: (batch) => ({ batch: batch.friendlyId }),
-      superScopes: ["read:runs", "read:all", "admin"],
+      // See sibling note in api.v1.batches.$batchId.ts — `{type: "runs"}`
+      // preserves pre-RBAC `read:runs` superScope access for batch reads.
+      resource: (batch) =>
+        anyResource([
+          { type: "batch", id: batch.friendlyId },
+          { type: "runs" },
+        ]),
     },
   },
   async ({ authentication, request, resource: batchRun, apiVersion }) => {
-    return realtimeClient.streamBatch(
+    // Pick the Electric proxy or the native backend per org (defaults to Electric); both implement streamBatch.
+    const client = await resolveRealtimeStreamClient(authentication.environment);
+
+    return client.streamBatch(
       request.url,
       authentication.environment,
       batchRun.id,
       apiVersion,
       authentication.realtime,
-      request.headers.get("x-trigger-electric-version") ?? undefined
+      request.headers.get("x-trigger-electric-version") ?? undefined,
+      getRequestAbortSignal()
     );
   }
 );
diff --git a/apps/webapp/app/routes/realtime.v1.runs.$runId.ts b/apps/webapp/app/routes/realtime.v1.runs.$runId.ts
index 35a34b01b4c..46118c1d894 100644
--- a/apps/webapp/app/routes/realtime.v1.runs.$runId.ts
+++ b/apps/webapp/app/routes/realtime.v1.runs.$runId.ts
@@ -1,8 +1,12 @@
 import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { $replica } from "~/db.server";
-import { realtimeClient } from "~/services/realtimeClientGlobal.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
+import { resolveRealtimeStreamClient } from "~/services/realtime/resolveRealtimeStreamClient.server";
+import {
+  anyResource,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
 
 const ParamsSchema = z.object({
   runId: z.string(),
@@ -30,23 +34,32 @@ export const loader = createLoaderApiRoute(
     },
     authorization: {
       action: "read",
-      resource: (run) => ({
-        runs: run.friendlyId,
-        tags: run.runTags,
-        batch: run.batch?.friendlyId,
-        tasks: run.taskIdentifier,
-      }),
-      superScopes: ["read:runs", "read:all", "admin"],
+      resource: (run) => {
+        const resources = [
+          { type: "runs", id: run.friendlyId },
+          { type: "tasks", id: run.taskIdentifier },
+          ...run.runTags.map((tag) => ({ type: "tags", id: tag })),
+        ];
+        if (run.batch?.friendlyId) {
+          resources.push({ type: "batch", id: run.batch.friendlyId });
+        }
+        return anyResource(resources);
+      },
     },
   },
   async ({ authentication, request, resource: run, apiVersion }) => {
-    return realtimeClient.streamRun(
+    // Pick the Electric proxy or the native backend per org (defaults to Electric); both implement streamRun.
+    const client = await resolveRealtimeStreamClient(authentication.environment);
+
+    return client.streamRun(
       request.url,
       authentication.environment,
       run.id,
       apiVersion,
       authentication.realtime,
-      request.headers.get("x-trigger-electric-version") ?? undefined
+      request.headers.get("x-trigger-electric-version") ?? undefined,
+      // Propagate abort on client disconnect so the upstream Electric long-poll is cancelled too, else undici buffers grow RSS until the poll timeout.
+      getRequestAbortSignal()
     );
   }
 );
diff --git a/apps/webapp/app/routes/realtime.v1.runs.ts b/apps/webapp/app/routes/realtime.v1.runs.ts
index 1819265ee7f..2e3617800fe 100644
--- a/apps/webapp/app/routes/realtime.v1.runs.ts
+++ b/apps/webapp/app/routes/realtime.v1.runs.ts
@@ -1,6 +1,10 @@
 import { z } from "zod";
-import { realtimeClient } from "~/services/realtimeClientGlobal.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
+import { resolveRealtimeStreamClient } from "~/services/realtime/resolveRealtimeStreamClient.server";
+import {
+  anyResource,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
 
 const SearchParamsSchema = z.object({
   tags: z
@@ -20,18 +24,27 @@ export const loader = createLoaderApiRoute(
     findResource: async () => 1, // This is a dummy value, it's not used
     authorization: {
       action: "read",
-      resource: (_, __, searchParams) => searchParams,
-      superScopes: ["read:runs", "read:all", "admin"],
+      resource: (_, __, searchParams) =>
+        // `{ type: "tags" }` preserves pre-RBAC type-level `read:tags` access to the unfiltered stream; per-id `read:tags:<tag>` still grants only when the filter includes that tag.
+        anyResource([
+          { type: "runs" },
+          { type: "tags" },
+          ...(searchParams.tags ?? []).map((tag) => ({ type: "tags", id: tag })),
+        ]),
     },
   },
   async ({ searchParams, authentication, request, apiVersion }) => {
-    return realtimeClient.streamRuns(
+    // Pick the Electric proxy or the native backend per org (defaults to Electric); both implement streamRuns.
+    const client = await resolveRealtimeStreamClient(authentication.environment);
+
+    return client.streamRuns(
       request.url,
       authentication.environment,
       searchParams,
       apiVersion,
       authentication.realtime,
-      request.headers.get("x-trigger-electric-version") ?? undefined
+      request.headers.get("x-trigger-electric-version") ?? undefined,
+      getRequestAbortSignal()
     );
   }
 );
diff --git a/apps/webapp/app/routes/realtime.v1.sessions.$session.$io.append.ts b/apps/webapp/app/routes/realtime.v1.sessions.$session.$io.append.ts
new file mode 100644
index 00000000000..e5fc0d5c344
--- /dev/null
+++ b/apps/webapp/app/routes/realtime.v1.sessions.$session.$io.append.ts
@@ -0,0 +1,244 @@
+import { json } from "@remix-run/server-runtime";
+import { tryCatch } from "@trigger.dev/core/utils";
+import { nanoid } from "nanoid";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { logger } from "~/services/logger.server";
+import { S2RealtimeStreams } from "~/services/realtime/s2realtimeStreams.server";
+import { ensureRunForSession } from "~/services/realtime/sessionRunManager.server";
+import {
+  canonicalSessionAddressingKey,
+  resolveSessionByIdOrExternalId,
+} from "~/services/realtime/sessions.server";
+import { getRealtimeStreamInstance } from "~/services/realtime/v1StreamsGlobal.server";
+import {
+  claimSessionStreamPart,
+  drainSessionStreamWaitpoints,
+  releaseSessionStreamPart,
+} from "~/services/sessionStreamWaitpointCache.server";
+import {
+  anyResource,
+  createActionApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
+import { engine } from "~/v3/runEngine.server";
+import { ServiceValidationError } from "~/v3/services/common.server";
+
+const ParamsSchema = z.object({
+  session: z.string(),
+  io: z.enum(["out", "in"]),
+});
+
+// POST: server-side append of a single record to a session channel. Mirrors
+// the existing /realtime/v1/streams/:runId/:target/:streamId/append route,
+// scoped to a Session primitive.
+//
+// The HTTP body cap here is just a DoS pre-guard — set generously at
+// 1 MiB so we don't buffer arbitrarily large inputs before we can
+// compute the wrapped size. The actual S2 per-record limit (verified
+// empirically against cloud S2) is enforced precisely inside
+// `S2RealtimeStreams.#appendPartByName` — it throws
+// `S2RecordTooLargeError` (a `ServiceValidationError` with status
+// 413) when the metered record size would exceed S2's 1 MiB ceiling
+// after JSON wrapping. That lets legitimate bodies up to ~1023 KiB
+// raw through (ASCII or low-escape content) while still rejecting
+// pathological all-quote content that would double on wrap.
+const MAX_APPEND_BODY_BYTES = 1024 * 1024;
+
+const { action, loader } = createActionApiRoute(
+  {
+    params: ParamsSchema,
+    method: "POST",
+    maxContentLength: MAX_APPEND_BODY_BYTES,
+    allowJWT: true,
+    corsStrategy: "all",
+    // Sessions are task-bound (created by `POST /api/v1/sessions` which
+    // also triggers the first run). The row exists before any caller
+    // can reach `.in/append` — no row, no append. Resolved here so the
+    // authorization scope can expand to both addressing forms (friendlyId
+    // + externalId) and the handler can skip its own lookup.
+    findResource: async (params, auth) =>
+      resolveSessionByIdOrExternalId($replica, auth.environment.id, params.session),
+    authorization: {
+      action: "write",
+      // Authorize against the union of the URL form, friendlyId, and
+      // externalId so a JWT scoped to any form authorizes any URL.
+      // Type-level `write:sessions` (no id) also matches; `write:all` /
+      // `admin` bypass via the JWT ability's wildcard branches.
+      resource: (params, _, __, ___, session) => {
+        const ids = new Set<string>([params.session]);
+        if (session) {
+          ids.add(session.friendlyId);
+          if (session.externalId) ids.add(session.externalId);
+        }
+        return anyResource([...ids].map((id) => ({ type: "sessions", id })));
+      },
+    },
+  },
+  async ({ request, params, authentication, resource: session }) => {
+    if (!session) {
+      // Unreachable — `findResource` short-circuits to 404 before this
+      // handler runs. Type-narrow the rest of the body.
+      return new Response("Session not found", { status: 404 });
+    }
+
+    if (session.closedAt) {
+      return json(
+        { ok: false, error: "Cannot append to a closed session" },
+        { status: 400 }
+      );
+    }
+
+    if (session.expiresAt && session.expiresAt.getTime() < Date.now()) {
+      return json(
+        { ok: false, error: "Cannot append to an expired session" },
+        { status: 400 }
+      );
+    }
+
+    // `.out` is the agent→client channel. Only PRIVATE (secret key) auth —
+    // i.e. the agent run itself — may write to it. Session-scoped JWTs carry
+    // `write:sessions:<key>` for `.in`; without this gate they could forge
+    // assistant chunks and complete `.out` waitpoints on their own session.
+    if (params.io === "out" && authentication.type !== "PRIVATE") {
+      return json(
+        { ok: false, error: "Appending to the out channel requires secret key authentication" },
+        { status: 403 }
+      );
+    }
+
+    const realtimeStream = getRealtimeStreamInstance(authentication.environment, "v2", {
+      session,
+    });
+
+    if (!(realtimeStream instanceof S2RealtimeStreams)) {
+      return json(
+        { ok: false, error: "Session channels require the S2 realtime backend" },
+        { status: 501 }
+      );
+    }
+
+    // Probe + ensure a live run before appending. The append itself is
+    // run-independent (S2 stream is durable, keyed on the session) but
+    // the message is useless if no run is alive to consume it. The
+    // probe is a single Prisma read; ensureRunForSession is no-op when
+    // currentRunId is alive, so the steady-state cost is one extra
+    // read in the hot path.
+    //
+    // Best-effort: if ensureRunForSession throws (e.g. the trigger
+    // call fails transiently), still append to S2 — the record is
+    // durable and the next append will retry the ensure step. Don't
+    // surface the error to the caller; the SSE tail just won't deliver
+    // it until a run boots.
+    const [ensureError] = await tryCatch(
+      ensureRunForSession({
+        session,
+        environment: authentication.environment,
+        reason: "continuation",
+      })
+    );
+    if (ensureError) {
+      logger.error("Failed to ensureRunForSession on .in/append", {
+        sessionId: session.id,
+        externalId: session.externalId,
+        error: ensureError,
+      });
+    }
+
+    const addressingKey = canonicalSessionAddressingKey(session, params.session);
+
+    const part = await request.text();
+    const clientPartId = request.headers.get("X-Part-Id");
+    const partId = clientPartId ?? nanoid(7);
+
+    // Idempotency on client-supplied part ids: atomically claim the id before
+    // appending. A concurrent or retried POST that loses the claim skips the
+    // append (no duplicate record) but still falls through to the drain below,
+    // so a retry whose first attempt died before waking the waitpoint can still
+    // recover it. The claim is released on append failure so a genuine retry
+    // can re-claim and proceed.
+    const wonClaim = clientPartId
+      ? await claimSessionStreamPart(
+          authentication.environment.id,
+          addressingKey,
+          params.io,
+          clientPartId
+        )
+      : true;
+
+    if (wonClaim) {
+      const [appendError] = await tryCatch(
+        realtimeStream.appendPartToSessionStream(part, partId, addressingKey, params.io)
+      );
+
+      if (appendError) {
+        if (clientPartId) {
+          await releaseSessionStreamPart(
+            authentication.environment.id,
+            addressingKey,
+            params.io,
+            clientPartId
+          );
+        }
+        if (appendError instanceof ServiceValidationError) {
+          return json(
+            { ok: false, error: appendError.message },
+            { status: appendError.status ?? 422 }
+          );
+        }
+        logger.error("Failed to append to session stream", {
+          sessionId: session.id,
+          io: params.io,
+          error: appendError,
+        });
+        return json(
+          { ok: false, error: "Something went wrong, please try again." },
+          { status: 500 }
+        );
+      }
+    }
+
+    // Fire any run-scoped waitpoints registered against this channel. Best
+    // effort — a failure here must not fail the append (the record is
+    // durable in S2; the SSE tail will still deliver it). Waitpoints are
+    // keyed on the canonical addressing key the agent registered with via
+    // `sessions.open(...).in.wait()`, so writers and readers converge
+    // regardless of which URL form they used.
+    const [drainError, waitpointIds] = await tryCatch(
+      drainSessionStreamWaitpoints(authentication.environment.id, addressingKey, params.io)
+    );
+    if (drainError) {
+      logger.error("Failed to drain session stream waitpoints", {
+        addressingKey,
+        io: params.io,
+        error: drainError,
+      });
+    } else if (waitpointIds && waitpointIds.length > 0) {
+      await Promise.all(
+        waitpointIds.map(async (waitpointId) => {
+          const [completeError] = await tryCatch(
+            engine.completeWaitpoint({
+              id: waitpointId,
+              output: {
+                value: part,
+                type: "application/json",
+                isError: false,
+              },
+            })
+          );
+          if (completeError) {
+            logger.error("Failed to complete session stream waitpoint", {
+              addressingKey,
+              io: params.io,
+              waitpointId,
+              error: completeError,
+            });
+          }
+        })
+      );
+    }
+
+    return json({ ok: true }, { status: 200 });
+  }
+);
+
+export { action, loader };
diff --git a/apps/webapp/app/routes/realtime.v1.sessions.$session.$io.records.ts b/apps/webapp/app/routes/realtime.v1.sessions.$session.$io.records.ts
new file mode 100644
index 00000000000..92d87fca760
--- /dev/null
+++ b/apps/webapp/app/routes/realtime.v1.sessions.$session.$io.records.ts
@@ -0,0 +1,98 @@
+import { json } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { S2RealtimeStreams } from "~/services/realtime/s2realtimeStreams.server";
+import {
+  canonicalSessionAddressingKey,
+  isSessionFriendlyIdForm,
+  resolveSessionByIdOrExternalId,
+} from "~/services/realtime/sessions.server";
+import { getRealtimeStreamInstance } from "~/services/realtime/v1StreamsGlobal.server";
+import { anyResource, createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+
+const ParamsSchema = z.object({
+  session: z.string(),
+  io: z.enum(["out", "in"]),
+});
+
+const SearchSchema = z.object({
+  // S2 sequence number — same cursor format as the SSE Last-Event-ID
+  // (the SSE `id:` field on session-channel events is the seq_num,
+  // stringified). Records returned have `seqNum > afterEventId`.
+  afterEventId: z.string().regex(/^\d+$/).optional(),
+});
+
+// GET: non-SSE, `wait=0` drain of a session channel. Returns a JSON body
+// `{ records: StreamRecord[] }` with whatever records exist after
+// `afterEventId` (or from the head if absent) and closes immediately.
+//
+// Used by the SDK's `replaySessionOutTail` at run boot — the SSE long-poll
+// path costs ~1s per fresh chat (the timeout duration) regardless of stream
+// content, which is unacceptable on the first-message TTFC budget. This
+// route gives the agent a cheap "what's there right now" peek instead.
+//
+// Same row-optional addressing as the SSE GET route in `…$io.ts`: we
+// resolve via `resolveSessionByIdOrExternalId` and only 404 for opaque
+// `session_*` friendlyIds (which must reference a real row). External-id
+// form falls through with `row: null` so the boot path doesn't 404 on a
+// fresh chat that hasn't written its first chunk yet.
+export const loader = createLoaderApiRoute(
+  {
+    params: ParamsSchema,
+    searchParams: SearchSchema,
+    allowJWT: true,
+    corsStrategy: "all",
+    findResource: async (params, auth) => {
+      const row = await resolveSessionByIdOrExternalId(
+        $replica,
+        auth.environment.id,
+        params.session
+      );
+      if (!row && isSessionFriendlyIdForm(params.session)) {
+        return undefined;
+      }
+      return {
+        row,
+        addressingKey: canonicalSessionAddressingKey(row, params.session),
+      };
+    },
+    authorization: {
+      action: "read",
+      // Multi-key: the channel is addressable by the URL key, the row's
+      // friendlyId, and (if set) externalId. Type-level `read:sessions`
+      // matches any of them; `read:all` / `admin` bypass via the JWT
+      // ability's wildcard branches.
+      resource: ({ row, addressingKey }) => {
+        const ids = new Set<string>([addressingKey]);
+        if (row) {
+          ids.add(row.friendlyId);
+          if (row.externalId) ids.add(row.externalId);
+        }
+        return anyResource([...ids].map((id) => ({ type: "sessions", id })));
+      },
+    },
+  },
+  async ({ params, authentication, resource, searchParams }) => {
+    const realtimeStream = getRealtimeStreamInstance(authentication.environment, "v2", {
+      session: resource.row,
+      organization: resource.row ? null : authentication.environment.organization,
+    });
+
+    if (!(realtimeStream instanceof S2RealtimeStreams)) {
+      return new Response("Session channels require the S2 realtime backend", {
+        status: 501,
+      });
+    }
+
+    const afterSeqNum =
+      searchParams.afterEventId !== undefined ? Number(searchParams.afterEventId) : undefined;
+
+    const records = await realtimeStream.readSessionStreamRecords(
+      resource.addressingKey,
+      params.io,
+      afterSeqNum
+    );
+
+    return json({ records });
+  }
+);
diff --git a/apps/webapp/app/routes/realtime.v1.sessions.$session.$io.ts b/apps/webapp/app/routes/realtime.v1.sessions.$session.$io.ts
new file mode 100644
index 00000000000..562b19fad99
--- /dev/null
+++ b/apps/webapp/app/routes/realtime.v1.sessions.$session.$io.ts
@@ -0,0 +1,194 @@
+import { json } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
+import { S2RealtimeStreams } from "~/services/realtime/s2realtimeStreams.server";
+import {
+  canonicalSessionAddressingKey,
+  isSessionFriendlyIdForm,
+  resolveSessionByIdOrExternalId,
+} from "~/services/realtime/sessions.server";
+import { getRealtimeStreamInstance } from "~/services/realtime/v1StreamsGlobal.server";
+import {
+  anyResource,
+  createActionApiRoute,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
+
+const ParamsSchema = z.object({
+  session: z.string(),
+  io: z.enum(["out", "in"]),
+});
+
+// PUT: initialize the S2 channel for this (session, io) pair — returns S2
+// credentials in response headers so the caller can write/read directly
+// against S2. GET is handled by the loader below.
+const { action } = createActionApiRoute(
+  {
+    params: ParamsSchema,
+    method: "PUT",
+    allowJWT: true,
+    corsStrategy: "all",
+    authorization: {
+      action: "write",
+      resource: (params) => ({ type: "sessions", id: params.session }),
+    },
+  },
+  async ({ params, authentication }) => {
+    // Row-optional addressing. The agent calls PUT initialize as part
+    // of `session.out.writer()`, by which time it has already created
+    // the row at bind, so a missing row here is an unusual case
+    // (manual init from outside chat.agent). Require a real row only
+    // for opaque friendlyIds, and treat closedAt as a soft reject only
+    // when a row exists. The S2 stream key is built from the row's
+    // canonical key (externalId if set, else friendlyId) so writers
+    // and readers converge regardless of URL form.
+    const maybeSession = await resolveSessionByIdOrExternalId(
+      $replica,
+      authentication.environment.id,
+      params.session
+    );
+
+    if (!maybeSession && isSessionFriendlyIdForm(params.session)) {
+      return new Response("Session not found", { status: 404 });
+    }
+
+    if (maybeSession?.closedAt) {
+      return new Response("Cannot initialize a channel on a closed session", {
+        status: 400,
+      });
+    }
+
+    // No-row form: resolve via the org so the stream initialised here
+    // matches what later appends/subscribes will land on once the row
+    // is created.
+    const realtimeStream = getRealtimeStreamInstance(authentication.environment, "v2", {
+      session: maybeSession,
+      organization: maybeSession ? null : authentication.environment.organization,
+    });
+
+    if (!(realtimeStream instanceof S2RealtimeStreams)) {
+      return new Response("Session channels require the S2 realtime backend", {
+        status: 501,
+      });
+    }
+
+    const addressingKey = canonicalSessionAddressingKey(maybeSession, params.session);
+
+    const { responseHeaders } = await realtimeStream.initializeSessionStream(
+      addressingKey,
+      params.io
+    );
+
+    return json({ version: "v2" }, { status: 202, headers: responseHeaders });
+  }
+);
+
+// GET: SSE subscribe to a session channel. HEAD returns the last chunk index
+// for resume semantics, mirroring the existing run-stream route.
+//
+// Subscribes are row-optional: the chat.agent transport opens the SSE on
+// `chatId` (externalId) before the agent has booted and upserted the
+// Session row. The S2 stream is keyed on the row's *canonical* identity
+// (externalId if set, else friendlyId) so two callers addressing the
+// same row via different URL forms converge on the same stream. We
+// short-circuit to 404 only for opaque `session_*` friendlyIds (those
+// must come from a real mint).
+const loader = createLoaderApiRoute(
+  {
+    params: ParamsSchema,
+    allowJWT: true,
+    corsStrategy: "all",
+    findResource: async (params, auth) => {
+      const row = await resolveSessionByIdOrExternalId(
+        $replica,
+        auth.environment.id,
+        params.session
+      );
+      if (!row && isSessionFriendlyIdForm(params.session)) {
+        return undefined; // 404 — opaque friendlyId must reference a real row
+      }
+      // Non-null wrapper so missing row doesn't 404 for externalId form.
+      return {
+        row,
+        addressingKey: canonicalSessionAddressingKey(row, params.session),
+      };
+    },
+    authorization: {
+      action: "read",
+      // Multi-key: the channel is addressable by the URL key, the row's
+      // friendlyId, and (if set) externalId. Type-level `read:sessions`
+      // matches any of them; `read:all` / `admin` bypass via the JWT
+      // ability's wildcard branches.
+      resource: ({ row, addressingKey }) => {
+        const ids = new Set<string>([addressingKey]);
+        if (row) {
+          ids.add(row.friendlyId);
+          if (row.externalId) ids.add(row.externalId);
+        }
+        return anyResource([...ids].map((id) => ({ type: "sessions", id })));
+      },
+    },
+  },
+  async ({ params, request, authentication, resource }) => {
+    // Same no-row fallback as PUT above.
+    const realtimeStream = getRealtimeStreamInstance(authentication.environment, "v2", {
+      session: resource.row,
+      organization: resource.row ? null : authentication.environment.organization,
+    });
+
+    if (!(realtimeStream instanceof S2RealtimeStreams)) {
+      return new Response("Session channels require the S2 realtime backend", {
+        status: 501,
+      });
+    }
+
+    if (request.method === "HEAD") {
+      // No last-chunk-index on the S2 backend (clients resume via Last-Event-ID
+      // on the SSE stream directly). Return 200 with a zero index for
+      // compatibility with the run-stream shape.
+      return new Response(null, {
+        status: 200,
+        headers: { "X-Last-Chunk-Index": "0" },
+      });
+    }
+
+    const lastEventId = request.headers.get("Last-Event-ID") ?? undefined;
+
+    const timeoutInSecondsRaw = request.headers.get("Timeout-Seconds");
+    let timeoutInSeconds: number | undefined;
+    if (timeoutInSecondsRaw) {
+      // `Number()` rejects `"10abc"` as NaN; `parseInt` would silently accept
+      // the trailing garbage and bypass the bounds checks below.
+      const parsed = Number(timeoutInSecondsRaw);
+      if (!Number.isFinite(parsed) || !Number.isInteger(parsed)) {
+        return new Response("Invalid timeout seconds", { status: 400 });
+      }
+      if (parsed < 1) {
+        return new Response("Timeout seconds must be greater than 0", { status: 400 });
+      }
+      if (parsed > 600) {
+        return new Response("Timeout seconds must be less than 600", { status: 400 });
+      }
+      timeoutInSeconds = parsed;
+    }
+
+    // Opt-in: only consider the settled-peek shortcut when the client
+    // asks for it via `X-Peek-Settled: 1`. Reconnect-on-reload paths
+    // (`TriggerChatTransport.reconnectToStream`) set this; the active
+    // send-a-message path (`sendMessages → subscribeToSessionStream`)
+    // does not — otherwise the peek races with the newly-triggered
+    // turn's first chunk and the SSE closes before records land.
+    const peekSettled = request.headers.get("X-Peek-Settled") === "1";
+
+    return realtimeStream.streamResponseFromSessionStream(
+      request,
+      resource.addressingKey,
+      params.io,
+      getRequestAbortSignal(),
+      { lastEventId, timeoutInSeconds, peekSettled }
+    );
+  }
+);
+
+export { action, loader };
diff --git a/apps/webapp/app/routes/realtime.v1.streams.$runId.$streamId.ts b/apps/webapp/app/routes/realtime.v1.streams.$runId.$streamId.ts
index 822c10a8101..d6470794a73 100644
--- a/apps/webapp/app/routes/realtime.v1.streams.$runId.$streamId.ts
+++ b/apps/webapp/app/routes/realtime.v1.streams.$runId.$streamId.ts
@@ -1,8 +1,12 @@
 import { type ActionFunctionArgs } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { $replica } from "~/db.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
 import { getRealtimeStreamInstance } from "~/services/realtime/v1StreamsGlobal.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  anyResource,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
 import { AuthenticatedEnvironment } from "~/services/apiAuth.server";
 
 const ParamsSchema = z.object({
@@ -28,6 +32,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
     select: {
       id: true,
       friendlyId: true,
+      streamBasinName: true,
       runtimeEnvironment: {
         include: {
           project: true,
@@ -63,7 +68,9 @@ export async function action({ request, params }: ActionFunctionArgs) {
   }
 
   // The runtimeEnvironment from the run is already in the correct shape for AuthenticatedEnvironment
-  const realtimeStream = getRealtimeStreamInstance(run.runtimeEnvironment, streamVersion);
+  const realtimeStream = getRealtimeStreamInstance(run.runtimeEnvironment, streamVersion, {
+    run,
+  });
 
   return realtimeStream.ingestData(
     request.body,
@@ -80,12 +87,18 @@ export const loader = createLoaderApiRoute(
     allowJWT: true,
     corsStrategy: "all",
     findResource: async (params, auth) => {
-      return $replica.taskRun.findFirst({
+      const run = await $replica.taskRun.findFirst({
         where: {
           friendlyId: params.runId,
           runtimeEnvironmentId: auth.environment.id,
         },
-        include: {
+        select: {
+          id: true,
+          friendlyId: true,
+          taskIdentifier: true,
+          runTags: true,
+          realtimeStreamsVersion: true,
+          streamBasinName: true,
           batch: {
             select: {
               friendlyId: true,
@@ -93,16 +106,21 @@ export const loader = createLoaderApiRoute(
           },
         },
       });
+      return run;
     },
     authorization: {
       action: "read",
-      resource: (run) => ({
-        runs: run.friendlyId,
-        tags: run.runTags,
-        batch: run.batch?.friendlyId,
-        tasks: run.taskIdentifier,
-      }),
-      superScopes: ["read:runs", "read:all", "admin"],
+      resource: (run) => {
+        const resources = [
+          { type: "runs", id: run.friendlyId },
+          { type: "tasks", id: run.taskIdentifier },
+          ...run.runTags.map((tag) => ({ type: "tags", id: tag })),
+        ];
+        if (run.batch?.friendlyId) {
+          resources.push({ type: "batch", id: run.batch.friendlyId });
+        }
+        return anyResource(resources);
+      },
     },
   },
   async ({ params, request, resource: run, authentication }) => {
@@ -126,10 +144,11 @@ export const loader = createLoaderApiRoute(
 
     const realtimeStream = getRealtimeStreamInstance(
       authentication.environment,
-      run.realtimeStreamsVersion
+      run.realtimeStreamsVersion,
+      { run }
     );
 
-    return realtimeStream.streamResponse(request, run.friendlyId, params.streamId, request.signal, {
+    return realtimeStream.streamResponse(request, run.friendlyId, params.streamId, getRequestAbortSignal(), {
       lastEventId,
       timeoutInSeconds,
     });
diff --git a/apps/webapp/app/routes/realtime.v1.streams.$runId.$target.$streamId.append.ts b/apps/webapp/app/routes/realtime.v1.streams.$runId.$target.$streamId.append.ts
index facb6dd664f..ec5800c1f9f 100644
--- a/apps/webapp/app/routes/realtime.v1.streams.$runId.$target.$streamId.append.ts
+++ b/apps/webapp/app/routes/realtime.v1.streams.$runId.$target.$streamId.append.ts
@@ -13,9 +13,17 @@ const ParamsSchema = z.object({
   streamId: z.string(),
 });
 
+// S2 enforces a 1 MiB per-record limit (metered as
+// `8 + 2*H + Σ(header name+value) + body`). Cap the raw HTTP body at
+// 512 KiB so the JSON wrapper, string escaping, and any future per-record
+// header additions all stay well under S2's ceiling.
+// See https://s2.dev/docs/limits.
+const MAX_APPEND_BODY_BYTES = 1024 * 512;
+
 const { action } = createActionApiRoute(
   {
     params: ParamsSchema,
+    maxContentLength: MAX_APPEND_BODY_BYTES,
   },
   async ({ request, params, authentication }) => {
     const run = await $replica.taskRun.findFirst({
@@ -64,6 +72,7 @@ const { action } = createActionApiRoute(
         realtimeStreamsVersion: true,
         completedAt: true,
         id: true,
+        streamBasinName: true,
       },
     });
 
@@ -94,7 +103,8 @@ const { action } = createActionApiRoute(
 
     const realtimeStream = getRealtimeStreamInstance(
       authentication.environment,
-      targetRun.realtimeStreamsVersion
+      targetRun.realtimeStreamsVersion,
+      { run: targetRun }
     );
 
     const partId = request.headers.get("X-Part-Id") ?? nanoid(7);
diff --git a/apps/webapp/app/routes/realtime.v1.streams.$runId.$target.$streamId.ts b/apps/webapp/app/routes/realtime.v1.streams.$runId.$target.$streamId.ts
index 2a8d07053d9..dd3d3bf31dd 100644
--- a/apps/webapp/app/routes/realtime.v1.streams.$runId.$target.$streamId.ts
+++ b/apps/webapp/app/routes/realtime.v1.streams.$runId.$target.$streamId.ts
@@ -26,14 +26,17 @@ const { action } = createActionApiRoute(
       select: {
         id: true,
         friendlyId: true,
+        streamBasinName: true,
         parentTaskRun: {
           select: {
             friendlyId: true,
+            streamBasinName: true,
           },
         },
         rootTaskRun: {
           select: {
             friendlyId: true,
+            streamBasinName: true,
           },
         },
       },
@@ -43,51 +46,65 @@ const { action } = createActionApiRoute(
       return new Response("Run not found", { status: 404 });
     }
 
-    const targetId =
+    const targetRun =
       params.target === "self"
-        ? run.friendlyId
+        ? run
         : params.target === "parent"
-        ? run.parentTaskRun?.friendlyId
-        : run.rootTaskRun?.friendlyId;
+        ? run.parentTaskRun
+        : run.rootTaskRun;
 
-    if (!targetId) {
+    if (!targetRun?.friendlyId) {
       return new Response("Target not found", { status: 404 });
     }
 
+    const targetId = targetRun.friendlyId;
+    const basinContext = { run: { streamBasinName: targetRun.streamBasinName ?? null } };
+
     if (request.method === "PUT") {
       // This is the "create" endpoint
-      const updatedRun = await prisma.taskRun.update({
+      const target = await prisma.taskRun.findFirst({
         where: {
           friendlyId: targetId,
           runtimeEnvironmentId: authentication.environment.id,
         },
-        data: {
-          realtimeStreams: {
-            push: params.streamId,
-          },
-        },
         select: {
+          id: true,
+          realtimeStreams: true,
           realtimeStreamsVersion: true,
           completedAt: true,
         },
       });
 
-      if (updatedRun.completedAt) {
+      if (!target) {
+        return new Response("Run not found", { status: 404 });
+      }
+
+      if (target.completedAt) {
         return new Response("Cannot initialize a realtime stream on a completed run", {
           status: 400,
         });
       }
 
+      if (!target.realtimeStreams.includes(params.streamId)) {
+        await prisma.taskRun.update({
+          where: { id: target.id },
+          data: {
+            realtimeStreams: { push: params.streamId },
+          },
+        });
+      }
+
       const realtimeStream = getRealtimeStreamInstance(
         authentication.environment,
-        updatedRun.realtimeStreamsVersion
+        target.realtimeStreamsVersion,
+        basinContext
       );
 
       const { responseHeaders } = await realtimeStream.initializeStream(targetId, params.streamId);
 
       return json(
         {
-          version: updatedRun.realtimeStreamsVersion,
+          version: target.realtimeStreamsVersion,
         },
         { status: 202, headers: responseHeaders }
       );
@@ -112,7 +129,11 @@ const { action } = createActionApiRoute(
         resumeFromChunkNumber = parsed;
       }
 
-      const realtimeStream = getRealtimeStreamInstance(authentication.environment, streamVersion);
+      const realtimeStream = getRealtimeStreamInstance(
+        authentication.environment,
+        streamVersion,
+        basinContext
+      );
 
       return realtimeStream.ingestData(
         request.body,
@@ -139,14 +160,17 @@ const loader = createLoaderApiRoute(
         select: {
           id: true,
           friendlyId: true,
+          streamBasinName: true,
           parentTaskRun: {
             select: {
               friendlyId: true,
+              streamBasinName: true,
             },
           },
           rootTaskRun: {
             select: {
               friendlyId: true,
+              streamBasinName: true,
             },
           },
         },
@@ -158,17 +182,19 @@ const loader = createLoaderApiRoute(
       return new Response("Run not found", { status: 404 });
     }
 
-    const targetId =
+    const targetRun =
       params.target === "self"
-        ? run.friendlyId
+        ? run
         : params.target === "parent"
-        ? run.parentTaskRun?.friendlyId
-        : run.rootTaskRun?.friendlyId;
+        ? run.parentTaskRun
+        : run.rootTaskRun;
 
-    if (!targetId) {
+    if (!targetRun?.friendlyId) {
       return new Response("Target not found", { status: 404 });
     }
 
+    const targetId = targetRun.friendlyId;
+
     // Handle HEAD request to get last chunk index
     if (request.method !== "HEAD") {
       return new Response("Only HEAD requests are allowed for this endpoint", { status: 405 });
@@ -178,7 +204,11 @@ const loader = createLoaderApiRoute(
     const clientId = request.headers.get("X-Client-Id") || "default";
     const streamVersion = request.headers.get("X-Stream-Version") || "v1";
 
-    const realtimeStream = getRealtimeStreamInstance(authentication.environment, streamVersion);
+    const realtimeStream = getRealtimeStreamInstance(
+      authentication.environment,
+      streamVersion,
+      { run: { streamBasinName: targetRun.streamBasinName ?? null } }
+    );
 
     const lastChunkIndex = await realtimeStream.getLastChunkIndex(
       targetId,
diff --git a/apps/webapp/app/routes/realtime.v1.streams.$runId.input.$streamId.ts b/apps/webapp/app/routes/realtime.v1.streams.$runId.input.$streamId.ts
index 98c348a023a..a404e6a76ae 100644
--- a/apps/webapp/app/routes/realtime.v1.streams.$runId.input.$streamId.ts
+++ b/apps/webapp/app/routes/realtime.v1.streams.$runId.input.$streamId.ts
@@ -1,16 +1,20 @@
 import { json } from "@remix-run/server-runtime";
+import { tryCatch } from "@trigger.dev/core/utils";
 import { z } from "zod";
 import { $replica } from "~/db.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
 import {
   getInputStreamWaitpoint,
   deleteInputStreamWaitpoint,
 } from "~/services/inputStreamWaitpointCache.server";
 import {
+  anyResource,
   createActionApiRoute,
   createLoaderApiRoute,
 } from "~/services/routeBuilders/apiBuilder.server";
 import { getRealtimeStreamInstance } from "~/services/realtime/v1StreamsGlobal.server";
 import { engine } from "~/v3/runEngine.server";
+import { ServiceValidationError } from "~/v3/services/common.server";
 
 const ParamsSchema = z.object({
   runId: z.string(),
@@ -30,8 +34,7 @@ const { action } = createActionApiRoute(
     corsStrategy: "all",
     authorization: {
       action: "write",
-      resource: (params) => ({ inputStreams: params.runId }),
-      superScopes: ["write:inputStreams", "write:all", "admin"],
+      resource: (params) => ({ type: "inputStreams", id: params.runId }),
     },
   },
   async ({ request, params, authentication }) => {
@@ -45,6 +48,7 @@ const { action } = createActionApiRoute(
         friendlyId: true,
         completedAt: true,
         realtimeStreamsVersion: true,
+        streamBasinName: true,
       },
     });
 
@@ -67,20 +71,37 @@ const { action } = createActionApiRoute(
 
     const realtimeStream = getRealtimeStreamInstance(
       authentication.environment,
-      run.realtimeStreamsVersion
+      run.realtimeStreamsVersion,
+      { run }
     );
 
     // Build the input stream record (raw user data, no wrapper)
     const recordId = `inp_${crypto.randomUUID().replace(/-/g, "").slice(0, 12)}`;
     const record = JSON.stringify(body.data.data);
 
-    // Append the record to the per-stream S2 stream (auto-creates on first write)
-    await realtimeStream.appendPart(
-      record,
-      recordId,
-      run.friendlyId,
-      `$trigger.input:${params.streamId}`
+    // Append the record to the per-stream S2 stream (auto-creates on
+    // first write). `appendPart` can throw `S2RecordTooLargeError` (a
+    // `ServiceValidationError` with status 413) when the wrapped
+    // record exceeds S2's per-record ceiling — surface that as 413
+    // rather than letting it propagate to the apiBuilder catch-all
+    // as a generic 500.
+    const [appendError] = await tryCatch(
+      realtimeStream.appendPart(
+        record,
+        recordId,
+        run.friendlyId,
+        `$trigger.input:${params.streamId}`
+      )
     );
+    if (appendError) {
+      if (appendError instanceof ServiceValidationError) {
+        return json(
+          { ok: false, error: appendError.message },
+          { status: appendError.status ?? 422 }
+        );
+      }
+      throw appendError;
+    }
 
     // Check Redis cache for a linked .wait() waitpoint (fast, no DB hit if none)
     // Get first, complete, then delete — so the mapping survives if completeWaitpoint throws
@@ -124,13 +145,17 @@ const loader = createLoaderApiRoute(
     },
     authorization: {
       action: "read",
-      resource: (run) => ({
-        runs: run.friendlyId,
-        tags: run.runTags,
-        batch: run.batch?.friendlyId,
-        tasks: run.taskIdentifier,
-      }),
-      superScopes: ["read:runs", "read:all", "admin"],
+      resource: (run) => {
+        const resources = [
+          { type: "runs", id: run.friendlyId },
+          { type: "tasks", id: run.taskIdentifier },
+          ...run.runTags.map((tag) => ({ type: "tags", id: tag })),
+        ];
+        if (run.batch?.friendlyId) {
+          resources.push({ type: "batch", id: run.batch.friendlyId });
+        }
+        return anyResource(resources);
+      },
     },
   },
   async ({ params, request, resource: run, authentication }) => {
@@ -154,7 +179,8 @@ const loader = createLoaderApiRoute(
 
     const realtimeStream = getRealtimeStreamInstance(
       authentication.environment,
-      run.realtimeStreamsVersion
+      run.realtimeStreamsVersion,
+      { run }
     );
 
     // Read from the internal S2 stream name (prefixed to avoid user stream collisions)
@@ -162,7 +188,7 @@ const loader = createLoaderApiRoute(
       request,
       run.friendlyId,
       `$trigger.input:${params.streamId}`,
-      request.signal,
+      getRequestAbortSignal(),
       {
         lastEventId,
         timeoutInSeconds,
diff --git a/apps/webapp/app/routes/resources.account.mfa.setup/MfaToggle.tsx b/apps/webapp/app/routes/resources.account.mfa.setup/MfaToggle.tsx
index 8fecc0a6493..c63c2eb8f84 100644
--- a/apps/webapp/app/routes/resources.account.mfa.setup/MfaToggle.tsx
+++ b/apps/webapp/app/routes/resources.account.mfa.setup/MfaToggle.tsx
@@ -12,24 +12,24 @@ interface MfaToggleProps {
 export function MfaToggle({ isEnabled, onToggle }: MfaToggleProps) {
   return (
     <Form method="post" className="w-full">
-      <InputGroup className="mb-4">
-        <Label>Multi-factor authentication</Label>
-        <Paragraph variant="small">
-          Enable an extra layer of security by requiring a one-time code from your authenticator
-          app (TOTP) each time you log in.
-        </Paragraph>
-      </InputGroup>
-      <div className="flex items-center justify-between">
-        <Switch
-          id="mfa"
-          variant="medium"
-          label={isEnabled ? "Enabled" : "Enable"}
-          labelPosition="right"
-          className="-ml-2 w-fit pr-3"
-          checked={isEnabled}
-          onCheckedChange={onToggle}
-        />
+      <div className="flex w-full items-center justify-between gap-4">
+        <InputGroup className="flex-1">
+          <Label htmlFor="mfa">Multi-factor authentication</Label>
+          <Paragraph variant="small">
+            Require a one-time code from your authenticator app (TOTP).
+          </Paragraph>
+        </InputGroup>
+        <div className="flex flex-none items-center">
+          <Switch
+            id="mfa"
+            variant="medium"
+            labelPosition="right"
+            className="w-fit pr-3"
+            checked={isEnabled}
+            onCheckedChange={onToggle}
+          />
+        </div>
       </div>
     </Form>
   );
-}
\ No newline at end of file
+}
diff --git a/apps/webapp/app/routes/resources.account.mfa.setup/route.tsx b/apps/webapp/app/routes/resources.account.mfa.setup/route.tsx
index 33800cb842f..04f5c8f74e0 100644
--- a/apps/webapp/app/routes/resources.account.mfa.setup/route.tsx
+++ b/apps/webapp/app/routes/resources.account.mfa.setup/route.tsx
@@ -1,7 +1,11 @@
-import { ActionFunctionArgs } from "@remix-run/server-runtime";
+import { type ActionFunctionArgs } from "@remix-run/server-runtime";
 import { typedjson } from "remix-typedjson";
 import { z } from "zod";
-import { redirectWithSuccessMessage, redirectWithErrorMessage, typedJsonWithSuccessMessage } from "~/models/message.server";
+import {
+  redirectWithSuccessMessage,
+  redirectWithErrorMessage,
+  typedJsonWithSuccessMessage,
+} from "~/models/message.server";
 import { MultiFactorAuthenticationService } from "~/services/mfa/multiFactorAuthentication.server";
 import { requireUserId } from "~/services/session.server";
 import { ServiceValidationError } from "~/v3/services/baseService.server";
@@ -132,14 +136,15 @@ export async function action({ request }: ActionFunctionArgs) {
     if (error instanceof ServiceValidationError) {
       return redirectWithErrorMessage("/account/security", request, error.message);
     }
-    
+
     // Re-throw unexpected errors
     throw error;
   }
 }
 
 export function MfaSetup({ isEnabled }: { isEnabled: boolean }) {
-  const { state, actions, isQrDialogOpen, isRecoveryDialogOpen, isDisableDialogOpen } = useMfaSetup(isEnabled);
+  const { state, actions, isQrDialogOpen, isRecoveryDialogOpen, isDisableDialogOpen } =
+    useMfaSetup(isEnabled);
 
   const handleToggle = (enabled: boolean) => {
     if (enabled && !state.isEnabled) {
@@ -151,10 +156,7 @@ export function MfaSetup({ isEnabled }: { isEnabled: boolean }) {
 
   return (
     <>
-      <MfaToggle
-        isEnabled={state.isEnabled}
-        onToggle={handleToggle}
-      />
+      <MfaToggle isEnabled={state.isEnabled} onToggle={handleToggle} />
 
       <MfaSetupDialog
         isOpen={isQrDialogOpen}
diff --git a/apps/webapp/app/routes/resources.account.session-duration/SessionDurationSetting.tsx b/apps/webapp/app/routes/resources.account.session-duration/SessionDurationSetting.tsx
new file mode 100644
index 00000000000..299b7877df2
--- /dev/null
+++ b/apps/webapp/app/routes/resources.account.session-duration/SessionDurationSetting.tsx
@@ -0,0 +1,71 @@
+import { useSubmit } from "@remix-run/react";
+import { InputGroup } from "~/components/primitives/InputGroup";
+import { Label } from "~/components/primitives/Label";
+import { Paragraph } from "~/components/primitives/Paragraph";
+import { Select, SelectItem } from "~/components/primitives/Select";
+import type { SessionDurationOption } from "~/services/sessionDuration.server";
+
+interface SessionDurationSettingProps {
+  currentValue: number;
+  options: SessionDurationOption[];
+  orgCapSeconds: number | null;
+}
+
+export function SessionDurationSetting({
+  currentValue,
+  options,
+  orgCapSeconds,
+}: SessionDurationSettingProps) {
+  const submit = useSubmit();
+
+  const orgCapOption =
+    orgCapSeconds === null ? null : options.find((o) => o.value === orgCapSeconds);
+
+  return (
+    <div className="w-full">
+      <div className="flex w-full items-center justify-between gap-4">
+        <InputGroup className="flex-1">
+          <Label>Automatic logout</Label>
+          <Paragraph variant="small">
+            Automatically log out after a period of time.
+            {orgCapSeconds !== null ? (
+              <>
+                {" "}
+                Your organization caps this at {orgCapOption?.label ?? `${orgCapSeconds} seconds`}.
+              </>
+            ) : null}
+          </Paragraph>
+        </InputGroup>
+        <div className="flex flex-none items-center">
+          <Select
+            name="sessionDuration"
+            variant="secondary/small"
+            defaultValue={String(currentValue)}
+            setValue={(value) => {
+              const next = Array.isArray(value) ? value[0] : value;
+              if (typeof next !== "string" || next === String(currentValue)) return;
+              submit(
+                { sessionDuration: next },
+                { method: "post", action: "/resources/account/session-duration" }
+              );
+            }}
+            text={(value: string) =>
+              options.find((o) => String(o.value) === value)?.label ?? "Select a duration"
+            }
+            dropdownIcon
+          >
+            {options.map((option) => (
+              <SelectItem
+                key={option.value}
+                value={String(option.value)}
+                className="text-text-bright"
+              >
+                {option.label}
+              </SelectItem>
+            ))}
+          </Select>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/apps/webapp/app/routes/resources.account.session-duration/route.tsx b/apps/webapp/app/routes/resources.account.session-duration/route.tsx
new file mode 100644
index 00000000000..8aad7c68433
--- /dev/null
+++ b/apps/webapp/app/routes/resources.account.session-duration/route.tsx
@@ -0,0 +1,78 @@
+import { redirect, type ActionFunctionArgs } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { prisma } from "~/db.server";
+import {
+  commitSession as commitMessageSession,
+  getSession as getMessageSession,
+  setErrorMessage,
+  setSuccessMessage,
+} from "~/models/message.server";
+import { requireUserId } from "~/services/session.server";
+import {
+  commitAuthenticatedSession,
+  getAllowedSessionOptions,
+  getEffectiveSessionDuration,
+  isAllowedSessionDuration,
+} from "~/services/sessionDuration.server";
+import { getUserSession } from "~/services/sessionStorage.server";
+
+const FormSchema = z.object({
+  sessionDuration: z.coerce.number().int().positive(),
+});
+
+const REDIRECT_PATH = "/account/security";
+
+async function redirectWithError(request: Request, message: string) {
+  const messageSession = await getMessageSession(request.headers.get("cookie"));
+  setErrorMessage(messageSession, message);
+  return redirect(REDIRECT_PATH, {
+    headers: { "Set-Cookie": await commitMessageSession(messageSession) },
+  });
+}
+
+export async function action({ request }: ActionFunctionArgs) {
+  const userId = await requireUserId(request);
+
+  const formData = await request.formData();
+  const parsed = FormSchema.safeParse(Object.fromEntries(formData));
+
+  if (!parsed.success) {
+    return redirectWithError(request, "Invalid session duration value.");
+  }
+
+  const { sessionDuration } = parsed.data;
+
+  if (!isAllowedSessionDuration(sessionDuration)) {
+    return redirectWithError(request, "Invalid session duration value.");
+  }
+
+  const { orgCapSeconds, durationSeconds } = await getEffectiveSessionDuration(userId);
+  const allowed = getAllowedSessionOptions(orgCapSeconds, durationSeconds);
+  if (!allowed.some((o) => o.value === sessionDuration)) {
+    return redirectWithError(
+      request,
+      "Your organization's policy does not allow that session duration."
+    );
+  }
+
+  await prisma.user.update({
+    where: { id: userId },
+    data: { sessionDuration },
+  });
+
+  // Re-issue the cookie with the new maxAge and reset issuedAt so the user
+  // gets a fresh window matching their new selection right away. This also
+  // restamps `User.nextSessionEnd` against the new effective duration.
+  const authSession = await getUserSession(request);
+  const authCookie = await commitAuthenticatedSession(authSession, userId);
+
+  const messageSession = await getMessageSession(request.headers.get("cookie"));
+  setSuccessMessage(messageSession, "Session duration updated.");
+  const messageCookie = await commitMessageSession(messageSession);
+
+  const headers = new Headers();
+  headers.append("Set-Cookie", authCookie);
+  headers.append("Set-Cookie", messageCookie);
+
+  return redirect(REDIRECT_PATH, { headers });
+}
diff --git a/apps/webapp/app/routes/resources.feedback.ts b/apps/webapp/app/routes/resources.feedback.ts
index a6271c9d5ad..bc6e3c30847 100644
--- a/apps/webapp/app/routes/resources.feedback.ts
+++ b/apps/webapp/app/routes/resources.feedback.ts
@@ -8,19 +8,55 @@ import { sendToPlain } from "~/utils/plain.server";
 
 let client: PlainClient | undefined;
 
-export const feedbackTypeLabel = {
-  bug: "Bug report",
-  feature: "Feature request",
-  help: "Help me out",
-  enterprise: "Enterprise enquiry",
-  feedback: "General feedback",
-  concurrency: "Increase my concurrency",
-  region: "Suggest a new region",
-};
+export const feedbackTypes = {
+  bug: {
+    label: "Bug report",
+    labelTypeId: "lt_01HB920BTPFS36KH1JT9C36YVY",
+    threadTitle: "Contact form: Bug report",
+  },
+  feature: {
+    label: "Feature request",
+    labelTypeId: "lt_01HB920BV8CJGYXVE15WWN6P07",
+    threadTitle: "Contact form: Feature request",
+  },
+  help: {
+    label: "Help me out",
+    labelTypeId: "lt_01KTVCAPZY5ZJ0SS4ACMXWYYT3",
+    threadTitle: "Contact form: Help me out",
+  },
+  enterprise: {
+    label: "Enterprise enquiry",
+    labelTypeId: "lt_01K7PF5EV2877EH4SZYB667FW4",
+    threadTitle: "Contact form: Enterprise enquiry",
+  },
+  feedback: {
+    label: "General feedback",
+    labelTypeId: "lt_01HB920BSRZ3RA1ETHBVEB5ST2",
+    threadTitle: "Contact form: General feedback",
+  },
+  concurrency: {
+    label: "Increase my concurrency",
+    labelTypeId: "lt_01KTVCCY2PDE5V6WV2PQ8N85K2",
+    threadTitle: "Contact form: Increase my concurrency",
+  },
+  region: {
+    label: "Suggest a new region",
+    labelTypeId: "lt_01KTVCDPYYBW6KS9H5V8MTQ0GG",
+    threadTitle: "Contact form: Suggest a new region",
+  },
+  hipaa: {
+    label: "HIPAA BAA request",
+    labelTypeId: "lt_01KS54WBRYKE6DY369KPK2SS4W",
+    threadTitle: "Contact form: HIPAA BAA request",
+  },
+} as const satisfies Record<
+  string,
+  { label: string; labelTypeId?: string; threadTitle: string }
+>;
 
-export type FeedbackType = keyof typeof feedbackTypeLabel;
+export type FeedbackType = keyof typeof feedbackTypes;
 
-const feedbackTypeLiterals = Object.keys(feedbackTypeLabel).map((key) => z.literal(key));
+const feedbackTypeLiterals = Object.keys(feedbackTypes).map((key) => z.literal(key));
 
 const feedbackType = z.union(
   [feedbackTypeLiterals[0], feedbackTypeLiterals[1], ...feedbackTypeLiterals.slice(2)],
@@ -46,16 +82,17 @@ export async function action({ request }: ActionFunctionArgs) {
     return json(submission);
   }
 
-  const title = feedbackTypeLabel[submission.value.feedbackType as FeedbackType];
+  const inquiry = feedbackTypes[submission.value.feedbackType as FeedbackType];
   try {
     await sendToPlain({
       userId: user.id,
       email: user.email,
       name: user.name ?? user.displayName ?? user.email,
-      title,
+      title: inquiry.threadTitle,
+      labelTypeIds: inquiry.labelTypeId ? [inquiry.labelTypeId] : undefined,
       components: [
         uiComponent.text({
-          text: `New ${title} reported by ${user.name} (${user.email})`,
+          text: `New ${inquiry.label} reported by ${user.name} (${user.email})`,
         }),
         uiComponent.divider({ spacingSize: "M" }),
         uiComponent.text({
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.github.tsx b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.github.tsx
index 15062a718bc..fe1b32f8925 100644
--- a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.github.tsx
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.github.tsx
@@ -865,8 +865,14 @@ export function GitHubSettingsPanel({
   const fetcher = useTypedFetcher<typeof loader>();
   const location = useLocation();
 
-  // Use provided redirectUrl or fall back to current path (without search params)
-  const effectiveRedirectUrl = location.pathname;
+  // Preserve current search params (e.g. origin=marketplace, next=...) but strip
+  // openGithubRepoModal so the modal doesn't re-open in a loop after the action redirect.
+  const effectiveRedirectUrl = (() => {
+    const params = new URLSearchParams(location.search);
+    params.delete("openGithubRepoModal");
+    const search = params.toString();
+    return search ? `${location.pathname}?${search}` : location.pathname;
+  })();
   useEffect(() => {
     fetcher.load(gitHubResourcePath(organizationSlug, projectSlug, environmentSlug));
   }, [organizationSlug, projectSlug, environmentSlug]);
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.logs.$logId.tsx b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.logs.$logId.tsx
index f862ced6b05..f4d34907042 100644
--- a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.logs.$logId.tsx
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.logs.$logId.tsx
@@ -1,7 +1,7 @@
 import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { typedjson } from "remix-typedjson";
 import { z } from "zod";
-import { logsClickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { requireUserId } from "~/services/session.server";
 import { LogDetailPresenter } from "~/presenters/v3/LogDetailPresenter.server";
 import { findProjectBySlug } from "~/models/project.server";
@@ -43,7 +43,8 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
 
   const [traceId, spanId, , startTime] = parts;
 
-  const presenter = new LogDetailPresenter($replica, logsClickhouseClient);
+  const logsClickhouse = await clickhouseFactory.getClickhouseForOrganization(project.organizationId, "logs");
+  const presenter = new LogDetailPresenter($replica, logsClickhouse);
 
   let result;
   try {
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.logs.ts b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.logs.ts
index 66ddebe4e2a..38b7dd390f8 100644
--- a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.logs.ts
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.logs.ts
@@ -6,7 +6,7 @@ import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
 import { LogsListPresenter, type LogLevel, LogsListOptionsSchema } from "~/presenters/v3/LogsListPresenter.server";
 import { $replica } from "~/db.server";
-import { logsClickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { getCurrentPlan } from "~/services/platform.v3.server";
 
 // Valid log levels for filtering
@@ -69,7 +69,8 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     retentionLimitDays,
   }) as any; // Validated by LogsListOptionsSchema at runtime
 
-  const presenter = new LogsListPresenter($replica, logsClickhouseClient);
+  const logsClickhouse = await clickhouseFactory.getClickhouseForOrganization(project.organizationId, "logs");
+  const presenter = new LogsListPresenter($replica, logsClickhouse);
   const result = await presenter.call(project.organizationId, environment.id, options);
 
   return json({
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground.action.tsx b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground.action.tsx
new file mode 100644
index 00000000000..0fab90e1457
--- /dev/null
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground.action.tsx
@@ -0,0 +1,307 @@
+import { json } from "@remix-run/server-runtime";
+import { type ActionFunctionArgs } from "@remix-run/server-runtime";
+import { z } from "zod";
+import type { Prisma } from "@trigger.dev/database";
+import { SessionId } from "@trigger.dev/core/v3/isomorphic";
+import { prisma } from "~/db.server";
+import { findProjectBySlug } from "~/models/project.server";
+import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
+import { requireUserId } from "~/services/session.server";
+import { EnvironmentParamSchema } from "~/utils/pathBuilder";
+import { mintSessionToken } from "~/services/realtime/mintSessionToken.server";
+import { ensureRunForSession } from "~/services/realtime/sessionRunManager.server";
+
+const PlaygroundAction = z.object({
+  intent: z.enum(["create", "start", "save", "delete"]),
+  agentSlug: z.string(),
+  // For create
+  conversationId: z.string().optional(),
+  // For start (replaces "trigger" — atomically creates the Session and
+  // triggers its first run, returns a session-scoped PAT)
+  chatId: z.string().optional(),
+  payload: z.string().optional(),
+  clientData: z.string().optional(),
+  tags: z.string().optional(),
+  machine: z.string().optional(),
+  maxAttempts: z.string().optional(),
+  maxDuration: z.string().optional(),
+  version: z.string().optional(),
+  region: z.string().optional(),
+  // For save
+  messages: z.string().optional(),
+  lastEventId: z.string().optional(),
+  // For delete
+  deleteConversationId: z.string().optional(),
+});
+
+export const action = async ({ request, params }: ActionFunctionArgs) => {
+  const userId = await requireUserId(request);
+  const { organizationSlug, projectParam, envParam } = EnvironmentParamSchema.parse(params);
+
+  const project = await findProjectBySlug(organizationSlug, projectParam, userId);
+  if (!project) {
+    return json({ error: "Project not found" }, { status: 404 });
+  }
+
+  const environment = await findEnvironmentBySlug(project.id, envParam, userId);
+  if (!environment) {
+    return json({ error: "Environment not found" }, { status: 404 });
+  }
+
+  const formData = await request.formData();
+  const parsed = PlaygroundAction.safeParse(Object.fromEntries(formData));
+  if (!parsed.success) {
+    return json({ error: "Invalid request", details: parsed.error.issues }, { status: 400 });
+  }
+
+  const { intent } = parsed.data;
+
+  switch (intent) {
+    case "create": {
+      const { agentSlug } = parsed.data;
+      const chatId = crypto.randomUUID();
+
+      const conversation = await prisma.playgroundConversation.create({
+        data: {
+          chatId,
+          agentSlug,
+          projectId: project.id,
+          runtimeEnvironmentId: environment.id,
+          userId,
+        },
+      });
+
+      return json({
+        conversationId: conversation.id,
+        chatId,
+      });
+    }
+
+    case "start": {
+      const {
+        agentSlug,
+        chatId,
+        payload: payloadStr,
+        clientData,
+        tags: tagsStr,
+        machine,
+        maxAttempts,
+        maxDuration,
+        version,
+        region,
+      } = parsed.data;
+
+      if (!chatId) {
+        return json({ error: "chatId is required" }, { status: 400 });
+      }
+
+      // Parse the optional initial payload — used as the basePayload
+      // for the first run trigger. After session create, the agent
+      // reads subsequent messages from `.in/append` so the payload
+      // here is just the bootstrap.
+      let payload: Record<string, any> = {};
+      try {
+        payload = payloadStr ? (JSON.parse(payloadStr) as Record<string, any>) : {};
+      } catch {
+        return json({ error: "Invalid payload JSON" }, { status: 400 });
+      }
+
+      let parsedClientData: unknown;
+      try {
+        parsedClientData = clientData ? JSON.parse(clientData) : undefined;
+      } catch {
+        /* invalid JSON — fall through with undefined */
+      }
+
+      const tags = [
+        `chat:${chatId}`,
+        "playground:true",
+        ...(tagsStr ? tagsStr.split(",").map((t) => t.trim()).filter(Boolean) : []),
+      ].slice(0, 5);
+
+      const triggerConfig = {
+        basePayload: {
+          // The first run boots before the user's first message lands on
+          // `.in/append`, so it sees `messages: []` and `trigger: "preload"`.
+          // Mirrors the defaults in `chat.createStartSessionAction` —
+          // chat.agent's runtime reads `payload.messages.length` so the
+          // field must be an array, not undefined.
+          messages: [],
+          trigger: "preload",
+          ...payload,
+          chatId,
+          ...(parsedClientData ? { metadata: parsedClientData } : {}),
+        },
+        ...(machine ? { machine } : {}),
+        tags,
+        ...(maxAttempts ? { maxAttempts: parseInt(maxAttempts, 10) } : {}),
+        ...(maxDuration ? { maxDuration: parseInt(maxDuration, 10) } : {}),
+        ...(version ? { lockToVersion: version } : {}),
+        ...(region ? { region } : {}),
+      };
+
+      // Atomic: upsert the Session, then trigger the first run via
+      // the optimistic-claim path. The transport's `accessToken`
+      // callback hits this endpoint on initial start AND on 401 — the
+      // upsert + ensureRunForSession combo is idempotent so repeat
+      // calls converge to the same session and (if alive) reuse the
+      // existing run.
+      const { id: sessionId, friendlyId } = SessionId.generate();
+      const session = await prisma.session.upsert({
+        where: {
+          runtimeEnvironmentId_externalId: {
+            runtimeEnvironmentId: environment.id,
+            externalId: chatId,
+          },
+        },
+        create: {
+          id: sessionId,
+          friendlyId,
+          externalId: chatId,
+          type: "chat.agent",
+          taskIdentifier: agentSlug,
+          triggerConfig: triggerConfig as unknown as Prisma.InputJsonValue,
+          tags: ["playground"],
+          projectId: project.id,
+          runtimeEnvironmentId: environment.id,
+          environmentType: environment.type,
+          organizationId: project.organizationId,
+          // Stamp the org's S2 basin so realtime reads on this
+          // session's `.in/.out` channels resolve without joining
+          // Organization. Null until per-org basins are provisioned.
+          streamBasinName: environment.organization.streamBasinName,
+        },
+        update: {
+          // Refresh trigger config in case agent version / params changed
+          triggerConfig: triggerConfig as unknown as Prisma.InputJsonValue,
+        },
+      });
+
+      const ensureResult = await ensureRunForSession({
+        session,
+        environment,
+        reason: "initial",
+      });
+
+      const run = await prisma.taskRun.findFirst({
+        where: { id: ensureResult.runId },
+        select: { friendlyId: true },
+      });
+      if (!run) {
+        return json({ error: "Triggered run not found" }, { status: 500 });
+      }
+
+      // Title: prefer the user message text on first start, else a
+      // generic placeholder. The conversation row is the playground's
+      // own surface — separate from the Session row that drives the
+      // trigger.
+      const firstMessage = payload?.messages?.[0];
+      const firstText =
+        firstMessage?.parts?.find((p: any) => p.type === "text")?.text ?? "New conversation";
+      const title = firstText.length > 60 ? firstText.slice(0, 60) + "..." : firstText;
+
+      const conversation = await prisma.playgroundConversation.upsert({
+        where: {
+          chatId_runtimeEnvironmentId: {
+            chatId,
+            runtimeEnvironmentId: environment.id,
+          },
+        },
+        create: {
+          chatId,
+          title,
+          agentSlug,
+          runId: ensureResult.runId,
+          clientData: parsedClientData as any,
+          projectId: project.id,
+          runtimeEnvironmentId: environment.id,
+          userId,
+        },
+        update: {
+          runId: ensureResult.runId,
+          clientData: parsedClientData as any,
+          title,
+        },
+      });
+
+      const publicAccessToken = await mintSessionToken(environment, chatId);
+
+      return json({
+        runId: run.friendlyId,
+        publicAccessToken,
+        conversationId: conversation.id,
+      });
+    }
+
+    case "save": {
+      const { chatId, messages: messagesStr, lastEventId } = parsed.data;
+      if (!chatId) {
+        return json({ error: "chatId is required" }, { status: 400 });
+      }
+
+      let messagesData: unknown;
+      try {
+        messagesData = messagesStr ? JSON.parse(messagesStr) : undefined;
+      } catch {
+        return json({ error: "Invalid messages JSON" }, { status: 400 });
+      }
+
+      // Extract title from the first user message if the conversation still has the default title.
+      // This handles the case where a preloaded conversation gets its first real message
+      // via the input stream (bypassing the trigger action that normally sets the title).
+      let titleUpdate: { title: string } | undefined;
+      if (messagesData && Array.isArray(messagesData)) {
+        const existing = await prisma.playgroundConversation.findFirst({
+          where: { chatId, runtimeEnvironmentId: environment.id, userId },
+          select: { title: true },
+        });
+
+        if (existing?.title === "New conversation") {
+          const firstUserMsg = messagesData.find(
+            (m: any) => m.role === "user"
+          ) as Record<string, any> | undefined;
+          const firstText =
+            firstUserMsg?.parts?.find((p: any) => p.type === "text")?.text ??
+            firstUserMsg?.content;
+          if (firstText && typeof firstText === "string") {
+            titleUpdate = {
+              title: firstText.length > 60 ? firstText.slice(0, 60) + "..." : firstText,
+            };
+          }
+        }
+      }
+
+      await prisma.playgroundConversation.updateMany({
+        where: {
+          chatId,
+          runtimeEnvironmentId: environment.id,
+          userId,
+        },
+        data: {
+          ...(messagesData ? { messages: messagesData as any } : {}),
+          ...(lastEventId ? { lastEventId } : {}),
+          ...titleUpdate,
+        },
+      });
+
+      return json({ ok: true });
+    }
+
+    case "delete": {
+      const { deleteConversationId } = parsed.data;
+      if (!deleteConversationId) {
+        return json({ error: "deleteConversationId is required" }, { status: 400 });
+      }
+
+      await prisma.playgroundConversation.deleteMany({
+        where: {
+          id: deleteConversationId,
+          runtimeEnvironmentId: environment.id,
+          userId,
+        },
+      });
+
+      return json({ ok: true });
+    }
+  }
+};
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground.realtime.v1.sessions.$session.$io.append.ts b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground.realtime.v1.sessions.$session.$io.append.ts
new file mode 100644
index 00000000000..038e053a8b0
--- /dev/null
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground.realtime.v1.sessions.$session.$io.append.ts
@@ -0,0 +1,165 @@
+import { json, type ActionFunctionArgs } from "@remix-run/server-runtime";
+import { tryCatch } from "@trigger.dev/core/utils";
+import { nanoid } from "nanoid";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { findProjectBySlug } from "~/models/project.server";
+import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
+import { logger } from "~/services/logger.server";
+import { S2RealtimeStreams } from "~/services/realtime/s2realtimeStreams.server";
+import { ensureRunForSession } from "~/services/realtime/sessionRunManager.server";
+import {
+  canonicalSessionAddressingKey,
+  resolveSessionByIdOrExternalId,
+} from "~/services/realtime/sessions.server";
+import { getRealtimeStreamInstance } from "~/services/realtime/v1StreamsGlobal.server";
+import { drainSessionStreamWaitpoints } from "~/services/sessionStreamWaitpointCache.server";
+import { requireUserId } from "~/services/session.server";
+import { EnvironmentParamSchema } from "~/utils/pathBuilder";
+import { engine } from "~/v3/runEngine.server";
+import { ServiceValidationError } from "~/v3/services/common.server";
+
+const ParamsSchema = z.object({
+  session: z.string(),
+  io: z.enum(["out", "in"]),
+});
+
+// HTTP body cap. Mirrors the public /realtime/v1/sessions/:s/:io/append
+// route — DoS pre-guard only. The actual S2 per-record limit is
+// enforced precisely by `S2RealtimeStreams.#appendPartByName`
+// (throws `S2RecordTooLargeError` with status 413 when the metered
+// record size would exceed S2's 1 MiB ceiling after JSON wrapping).
+const MAX_APPEND_BODY_BYTES = 1024 * 1024;
+
+// POST: Append a single record to a Session channel from the dashboard
+// playground. Mirrors the public `POST /realtime/v1/sessions/:session/:io/append`
+// but authenticates via the dashboard session cookie instead of a
+// session-scoped JWT.
+export async function action({ request, params }: ActionFunctionArgs) {
+  const userId = await requireUserId(request);
+  const { organizationSlug, projectParam, envParam } = EnvironmentParamSchema.parse(params);
+  const { session: sessionParam, io } = ParamsSchema.parse(params);
+
+  const project = await findProjectBySlug(organizationSlug, projectParam, userId);
+  if (!project) {
+    return json({ ok: false, error: "Project not found" }, { status: 404 });
+  }
+
+  const environment = await findEnvironmentBySlug(project.id, envParam, userId);
+  if (!environment) {
+    return json({ ok: false, error: "Environment not found" }, { status: 404 });
+  }
+
+  const contentLength = request.headers.get("content-length");
+  const contentLengthNum = contentLength ? parseInt(contentLength, 10) : NaN;
+  if (Number.isNaN(contentLengthNum) || contentLengthNum > MAX_APPEND_BODY_BYTES) {
+    return json({ ok: false, error: "Request body too large" }, { status: 413 });
+  }
+
+  const session = await resolveSessionByIdOrExternalId(
+    $replica,
+    environment.id,
+    sessionParam
+  );
+  if (!session) {
+    return json({ ok: false, error: "Session not found" }, { status: 404 });
+  }
+
+  if (session.closedAt) {
+    return json(
+      { ok: false, error: "Cannot append to a closed session" },
+      { status: 400 }
+    );
+  }
+
+  if (session.expiresAt && session.expiresAt.getTime() < Date.now()) {
+    return json(
+      { ok: false, error: "Cannot append to an expired session" },
+      { status: 400 }
+    );
+  }
+
+  const realtimeStream = getRealtimeStreamInstance(environment, "v2", { session });
+
+  if (!(realtimeStream instanceof S2RealtimeStreams)) {
+    return json(
+      { ok: false, error: "Session channels require the S2 realtime backend" },
+      { status: 501 }
+    );
+  }
+
+  // Probe + ensure a live run before appending (mirrors public route).
+  // Best-effort: failure here doesn't block the append — the record is
+  // durable; the next append retries the ensure.
+  const [ensureError] = await tryCatch(
+    ensureRunForSession({
+      session,
+      environment,
+      reason: "continuation",
+    })
+  );
+  if (ensureError) {
+    logger.error("Failed to ensureRunForSession on playground .in/append", {
+      sessionId: session.id,
+      externalId: session.externalId,
+      error: ensureError,
+    });
+  }
+
+  const addressingKey = canonicalSessionAddressingKey(session, sessionParam);
+
+  const part = await request.text();
+  const partId = request.headers.get("X-Part-Id") ?? nanoid(7);
+
+  const [appendError] = await tryCatch(
+    realtimeStream.appendPartToSessionStream(part, partId, addressingKey, io)
+  );
+
+  if (appendError) {
+    if (appendError instanceof ServiceValidationError) {
+      return json(
+        { ok: false, error: appendError.message },
+        { status: appendError.status ?? 422 }
+      );
+    }
+    return json({ ok: false, error: appendError.message }, { status: 500 });
+  }
+
+  // Drain any waitpoints registered for this channel — same as the
+  // public append. Best-effort; failure doesn't fail the append.
+  const [drainError, waitpointIds] = await tryCatch(
+    drainSessionStreamWaitpoints(environment.id, addressingKey, io)
+  );
+  if (drainError) {
+    logger.error("Failed to drain session stream waitpoints (playground)", {
+      addressingKey,
+      io,
+      error: drainError,
+    });
+  } else if (waitpointIds && waitpointIds.length > 0) {
+    await Promise.all(
+      waitpointIds.map(async (waitpointId) => {
+        const [completeError] = await tryCatch(
+          engine.completeWaitpoint({
+            id: waitpointId,
+            output: {
+              value: part,
+              type: "application/json",
+              isError: false,
+            },
+          })
+        );
+        if (completeError) {
+          logger.error("Failed to complete session stream waitpoint (playground)", {
+            addressingKey,
+            io,
+            waitpointId,
+            error: completeError,
+          });
+        }
+      })
+    );
+  }
+
+  return json({ ok: true }, { status: 200 });
+}
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground.realtime.v1.sessions.$session.$io.ts b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground.realtime.v1.sessions.$session.$io.ts
new file mode 100644
index 00000000000..e54bfe35755
--- /dev/null
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.playground.realtime.v1.sessions.$session.$io.ts
@@ -0,0 +1,91 @@
+import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { findProjectBySlug } from "~/models/project.server";
+import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
+import { S2RealtimeStreams } from "~/services/realtime/s2realtimeStreams.server";
+import {
+  canonicalSessionAddressingKey,
+  resolveSessionByIdOrExternalId,
+} from "~/services/realtime/sessions.server";
+import { getRealtimeStreamInstance } from "~/services/realtime/v1StreamsGlobal.server";
+import { requireUserId } from "~/services/session.server";
+import { EnvironmentParamSchema } from "~/utils/pathBuilder";
+
+const ParamsSchema = z.object({
+  session: z.string(),
+  io: z.enum(["out", "in"]),
+});
+
+// HEAD/GET: SSE subscribe to a Session channel from the dashboard
+// playground. Mirrors the public `GET /realtime/v1/sessions/:session/:io`
+// route but authenticates via the dashboard session cookie instead of a
+// session-scoped JWT — the playground transport never holds a PAT.
+//
+// `:session` accepts either the `session_*` friendlyId or the externalId
+// the playground assigned (`chatId`). Resolution is environment-scoped
+// so users can't subscribe to sessions from other envs.
+export async function loader({ request, params }: LoaderFunctionArgs) {
+  const userId = await requireUserId(request);
+  const { organizationSlug, projectParam, envParam } = EnvironmentParamSchema.parse(params);
+  const { session: sessionParam, io } = ParamsSchema.parse(params);
+
+  const project = await findProjectBySlug(organizationSlug, projectParam, userId);
+  if (!project) {
+    return new Response("Project not found", { status: 404 });
+  }
+
+  const environment = await findEnvironmentBySlug(project.id, envParam, userId);
+  if (!environment) {
+    return new Response("Environment not found", { status: 404 });
+  }
+
+  const session = await resolveSessionByIdOrExternalId(
+    $replica,
+    environment.id,
+    sessionParam
+  );
+
+  if (!session) {
+    return new Response("Session not found", { status: 404 });
+  }
+
+  const realtimeStream = getRealtimeStreamInstance(environment, "v2", { session });
+
+  if (!(realtimeStream instanceof S2RealtimeStreams)) {
+    return new Response("Session channels require the S2 realtime backend", {
+      status: 501,
+    });
+  }
+
+  if (request.method === "HEAD") {
+    // No last-chunk-index on the S2 backend (clients resume via
+    // Last-Event-ID on the SSE stream directly). Return 200 with a
+    // zero index for compatibility with the run-stream shape.
+    return new Response(null, {
+      status: 200,
+      headers: { "X-Last-Chunk-Index": "0" },
+    });
+  }
+
+  const lastEventId = request.headers.get("Last-Event-ID") || undefined;
+  const timeoutInSecondsRaw = request.headers.get("Timeout-Seconds");
+  let timeoutInSeconds: number | undefined;
+  if (timeoutInSecondsRaw !== null) {
+    timeoutInSeconds = Number(timeoutInSecondsRaw);
+    if (!Number.isInteger(timeoutInSeconds) || timeoutInSeconds < 1 || timeoutInSeconds > 600) {
+      return new Response("Invalid timeout", { status: 400 });
+    }
+  }
+
+  const addressingKey = canonicalSessionAddressingKey(session, sessionParam);
+
+  return realtimeStream.streamResponseFromSessionStream(
+    request,
+    addressingKey,
+    io,
+    getRequestAbortSignal(),
+    { lastEventId, timeoutInSeconds }
+  );
+}
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.prompts.$promptSlug.generations.ts b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.prompts.$promptSlug.generations.ts
index 77a55ec3f0b..e468438cdc1 100644
--- a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.prompts.$promptSlug.generations.ts
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.prompts.$promptSlug.generations.ts
@@ -6,7 +6,7 @@ import { EnvironmentParamSchema } from "~/utils/pathBuilder";
 import { parsePeriodToMs } from "~/utils/periods";
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import {
   PromptPresenter,
   type GenerationRow,
@@ -59,7 +59,8 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   const operations = url.searchParams.getAll("operations").filter(Boolean);
   const providers = url.searchParams.getAll("providers").filter(Boolean);
 
-  const presenter = new PromptPresenter(clickhouseClient);
+  const clickhouse = await clickhouseFactory.getClickhouseForOrganization(project.organizationId, "standard");
+  const presenter = new PromptPresenter(clickhouse);
   const result = await presenter.listGenerations({
     environmentId: environment.id,
     promptSlug,
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query.ai-generate.tsx b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query.ai-generate.tsx
index 91ff6218944..c1626b966d2 100644
--- a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query.ai-generate.tsx
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query.ai-generate.tsx
@@ -116,19 +116,19 @@ export async function action({ request, params }: ActionFunctionArgs) {
         for await (const part of result.fullStream) {
           switch (part.type) {
             case "text-delta": {
-              sendEvent({ type: "thinking", content: part.textDelta });
+              sendEvent({ type: "thinking", content: part.text });
               break;
             }
             case "tool-call": {
               sendEvent({
                 type: "tool_call",
                 tool: part.toolName,
-                args: part.args,
+                args: part.input,
               });
 
               // If it's a setTimeFilter call, emit the time_filter event immediately
               if (part.toolName === "setTimeFilter") {
-                const args = part.args as { period?: string; from?: string; to?: string };
+                const args = part.input as { period?: string; from?: string; to?: string };
                 sendEvent({
                   type: "time_filter",
                   filter: {
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.realtime.v1.sessions.$sessionId.$io.ts b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.realtime.v1.sessions.$sessionId.$io.ts
new file mode 100644
index 00000000000..66135347253
--- /dev/null
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.realtime.v1.sessions.$sessionId.$io.ts
@@ -0,0 +1,118 @@
+import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { findProjectBySlug } from "~/models/project.server";
+import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
+import { S2RealtimeStreams } from "~/services/realtime/s2realtimeStreams.server";
+import {
+  canonicalSessionAddressingKey,
+  resolveSessionByIdOrExternalId,
+} from "~/services/realtime/sessions.server";
+import { getRealtimeStreamInstance } from "~/services/realtime/v1StreamsGlobal.server";
+import { requireUserId } from "~/services/session.server";
+import { EnvironmentParamSchema } from "~/utils/pathBuilder";
+
+const ParamsSchema = z.object({
+  runParam: z.string(),
+  sessionId: z.string(),
+  io: z.enum(["out", "in"]),
+});
+
+// GET: SSE stream subscription for a backing Session's `.out` / `.in`
+// channel. Dashboard-auth counterpart to the public API's
+// `/realtime/v1/sessions/:sessionId/:io` endpoint. Used by the Agent tab
+// in the span inspector to observe assistant chunks (`.out`) and
+// user-side ChatInputChunk payloads (`.in`) for a chat.agent run.
+//
+// The `:sessionId` segment accepts either the `session_*` friendlyId or
+// the externalId the transport registered for the chat (typically the
+// browser's `chatId`). Runs pre-dating the Sessions migration that have
+// `chatId` but no `sessionId` in the payload take the externalId path.
+//
+// Authenticated by the dashboard session — the user must have access to
+// the project, environment, and run. The run binds this resource
+// hierarchy; the session identity is verified against the environment.
+export async function loader({ request, params }: LoaderFunctionArgs) {
+  const userId = await requireUserId(request);
+  const { organizationSlug, projectParam, envParam } = EnvironmentParamSchema.parse(params);
+  const { runParam, sessionId, io } = ParamsSchema.parse(params);
+
+  const project = await findProjectBySlug(organizationSlug, projectParam, userId);
+  if (!project) {
+    return new Response("Project not found", { status: 404 });
+  }
+
+  const environment = await findEnvironmentBySlug(project.id, envParam, userId);
+  if (!environment) {
+    return new Response("Environment not found", { status: 404 });
+  }
+
+  // Verify the run lives in this environment — keeps callers from
+  // subscribing to arbitrary sessions via `/runs/$runParam/...`.
+  const run = await $replica.taskRun.findFirst({
+    where: {
+      friendlyId: runParam,
+      runtimeEnvironmentId: environment.id,
+    },
+    select: { id: true, friendlyId: true },
+  });
+
+  if (!run) {
+    return new Response("Run not found", { status: 404 });
+  }
+
+  const session = await resolveSessionByIdOrExternalId(
+    $replica,
+    environment.id,
+    sessionId
+  );
+
+  if (!session) {
+    return new Response("Session not found", { status: 404 });
+  }
+
+  // Enforce run ↔ session linkage. Without this, knowledge of a runId in
+  // this environment is enough to subscribe to any session in the same
+  // environment — defeats the point of scoping subscriptions through the
+  // run route. SessionRun.runId is indexed (@unique), so this is cheap.
+  const linkedSessionRun = await $replica.sessionRun.findFirst({
+    where: { runId: run.id, sessionId: session.id },
+    select: { id: true },
+  });
+
+  if (!linkedSessionRun) {
+    return new Response("Session not found for run", { status: 404 });
+  }
+
+  const realtimeStream = getRealtimeStreamInstance(environment, "v2", { session });
+
+  if (!(realtimeStream instanceof S2RealtimeStreams)) {
+    return new Response("Session channels require the S2 realtime backend", {
+      status: 501,
+    });
+  }
+
+  const lastEventId = request.headers.get("Last-Event-ID") || undefined;
+  const timeoutInSecondsRaw = request.headers.get("Timeout-Seconds");
+  let timeoutInSeconds: number | undefined;
+  if (timeoutInSecondsRaw !== null) {
+    timeoutInSeconds = Number(timeoutInSecondsRaw);
+    if (!Number.isInteger(timeoutInSeconds) || timeoutInSeconds < 1 || timeoutInSeconds > 600) {
+      return new Response("Invalid timeout", { status: 400 });
+    }
+  }
+
+  // The agent writes via the canonical addressing key (externalId if
+  // set, else friendlyId). Subscribe with the same key so the read
+  // hits the same S2 stream the agent is writing into.
+  const addressingKey = canonicalSessionAddressingKey(session, sessionId);
+
+  return realtimeStream.streamResponseFromSessionStream(
+    request,
+    addressingKey,
+    io,
+    getRequestAbortSignal(),
+    { lastEventId, timeoutInSeconds }
+  );
+}
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.realtime.v1.streams.$runId.$streamId.ts b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.realtime.v1.streams.$runId.$streamId.ts
new file mode 100644
index 00000000000..8d0af728df8
--- /dev/null
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.realtime.v1.streams.$runId.$streamId.ts
@@ -0,0 +1,91 @@
+import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
+import { getRealtimeStreamInstance } from "~/services/realtime/v1StreamsGlobal.server";
+import { findProjectBySlug } from "~/models/project.server";
+import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
+import { requireUserId } from "~/services/session.server";
+import { EnvironmentParamSchema } from "~/utils/pathBuilder";
+
+const ParamsSchema = z.object({
+  runParam: z.string(),
+  runId: z.string(),
+  streamId: z.string(),
+});
+
+// GET: SSE stream subscription for a run's realtime output stream.
+//
+// The run-scoped equivalent of the playground stream route. Used by the
+// Agent tab in the span inspector to subscribe to the run's chat output
+// stream (streamed via `pipeChat` on the task side) through the dashboard
+// instead of hitting the public API directly.
+//
+// Authenticated by the dashboard session — the user must have access to
+// the project and environment.
+export async function loader({ request, params }: LoaderFunctionArgs) {
+  const userId = await requireUserId(request);
+  const { organizationSlug, projectParam, envParam } = EnvironmentParamSchema.parse(params);
+  const { runParam, runId, streamId } = ParamsSchema.parse(params);
+
+  // Defensive: callers should pass the same friendly ID for both the route
+  // `:runParam` segment and the stream `:runId` segment.
+  if (runParam !== runId) {
+    return new Response("Run ID mismatch", { status: 400 });
+  }
+
+  const project = await findProjectBySlug(organizationSlug, projectParam, userId);
+  if (!project) {
+    return new Response("Project not found", { status: 404 });
+  }
+
+  const environment = await findEnvironmentBySlug(project.id, envParam, userId);
+  if (!environment) {
+    return new Response("Environment not found", { status: 404 });
+  }
+
+  const run = await $replica.taskRun.findFirst({
+    where: {
+      friendlyId: runId,
+      runtimeEnvironmentId: environment.id,
+    },
+    select: {
+      id: true,
+      friendlyId: true,
+      realtimeStreamsVersion: true,
+      streamBasinName: true,
+    },
+  });
+
+  if (!run) {
+    return new Response("Run not found", { status: 404 });
+  }
+
+  const lastEventId = request.headers.get("Last-Event-ID") || undefined;
+  const timeoutInSecondsRaw = request.headers.get("Timeout-Seconds");
+  let timeoutInSeconds: number | undefined;
+  if (timeoutInSecondsRaw !== null) {
+    timeoutInSeconds = Number(timeoutInSecondsRaw);
+    if (!Number.isInteger(timeoutInSeconds) || timeoutInSeconds < 1 || timeoutInSeconds > 600) {
+      return new Response("Invalid timeout", { status: 400 });
+    }
+  }
+
+  const realtimeStream = getRealtimeStreamInstance(environment, run.realtimeStreamsVersion, {
+    run,
+  });
+
+  // `request.signal` is severed by Remix's Request.clone() + Node undici GC bug
+  // (see apps/webapp/CLAUDE.md). Use the Express res.on('close')-backed signal so
+  // the upstream stream fetch actually aborts when the user closes the tab.
+  return realtimeStream.streamResponse(
+    request,
+    run.friendlyId,
+    streamId,
+    getRequestAbortSignal(),
+    {
+      lastEventId,
+      timeoutInSeconds,
+    }
+  );
+}
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.realtime.v1.streams.$runId.input.$streamId.ts b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.realtime.v1.streams.$runId.input.$streamId.ts
new file mode 100644
index 00000000000..c9480299cc0
--- /dev/null
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.realtime.v1.streams.$runId.input.$streamId.ts
@@ -0,0 +1,92 @@
+import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
+import { getRealtimeStreamInstance } from "~/services/realtime/v1StreamsGlobal.server";
+import { findProjectBySlug } from "~/models/project.server";
+import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
+import { requireUserId } from "~/services/session.server";
+import { EnvironmentParamSchema } from "~/utils/pathBuilder";
+
+const ParamsSchema = z.object({
+  runParam: z.string(),
+  runId: z.string(),
+  streamId: z.string(),
+});
+
+// GET: SSE stream subscription for a run's realtime INPUT stream.
+//
+// Dashboard-auth counterpart to the public API's
+// `/realtime/v1/streams/:runId/input/:streamId` endpoint. Used by the Agent
+// tab in the span inspector to observe user messages sent to an agent run
+// over the `chat-messages` input stream.
+//
+// The underlying S2 stream name is `$trigger.input:${streamId}` (mirrors the
+// naming used on the write side in `sendInputStream`). The realtime stream
+// instance handles the actual SSE proxy; this route just enforces session
+// auth and resolves the run.
+export async function loader({ request, params }: LoaderFunctionArgs) {
+  const userId = await requireUserId(request);
+  const { organizationSlug, projectParam, envParam } = EnvironmentParamSchema.parse(params);
+  const { runParam, runId, streamId } = ParamsSchema.parse(params);
+
+  // Defensive: callers should pass the same friendly ID for both the route
+  // `:runParam` segment and the stream `:runId` segment.
+  if (runParam !== runId) {
+    return new Response("Run ID mismatch", { status: 400 });
+  }
+
+  const project = await findProjectBySlug(organizationSlug, projectParam, userId);
+  if (!project) {
+    return new Response("Project not found", { status: 404 });
+  }
+
+  const environment = await findEnvironmentBySlug(project.id, envParam, userId);
+  if (!environment) {
+    return new Response("Environment not found", { status: 404 });
+  }
+
+  const run = await $replica.taskRun.findFirst({
+    where: {
+      friendlyId: runId,
+      runtimeEnvironmentId: environment.id,
+    },
+    select: {
+      id: true,
+      friendlyId: true,
+      realtimeStreamsVersion: true,
+      streamBasinName: true,
+    },
+  });
+
+  if (!run) {
+    return new Response("Run not found", { status: 404 });
+  }
+
+  const lastEventId = request.headers.get("Last-Event-ID") || undefined;
+  const timeoutInSecondsRaw = request.headers.get("Timeout-Seconds");
+  let timeoutInSeconds: number | undefined;
+  if (timeoutInSecondsRaw !== null) {
+    timeoutInSeconds = Number(timeoutInSecondsRaw);
+    if (!Number.isInteger(timeoutInSeconds) || timeoutInSeconds < 1 || timeoutInSeconds > 600) {
+      return new Response("Invalid timeout", { status: 400 });
+    }
+  }
+
+  const realtimeStream = getRealtimeStreamInstance(environment, run.realtimeStreamsVersion, {
+    run,
+  });
+
+  // `request.signal` is severed by Remix's Request.clone() + Node undici GC bug
+  // (see apps/webapp/CLAUDE.md). Use the Express res.on('close')-backed signal.
+  return realtimeStream.streamResponse(
+    request,
+    run.friendlyId,
+    `$trigger.input:${streamId}`,
+    getRequestAbortSignal(),
+    {
+      lastEventId,
+      timeoutInSeconds,
+    }
+  );
+}
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.spans.$spanParam/route.tsx b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.spans.$spanParam/route.tsx
index e0bec66ffb2..6602d91ea20 100644
--- a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.spans.$spanParam/route.tsx
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.spans.$spanParam/route.tsx
@@ -1,9 +1,9 @@
 import {
   ArrowPathIcon,
-  ArrowRightIcon,
   BookOpenIcon,
   CheckIcon,
   ChevronUpIcon,
+  ClipboardDocumentIcon,
   ClockIcon,
   CloudArrowDownIcon,
   EnvelopeIcon,
@@ -22,7 +22,7 @@ import { assertNever } from "assert-never";
 import { useEffect, useState } from "react";
 import { typedjson, useTypedFetcher } from "remix-typedjson";
 import { ExitIcon } from "~/assets/icons/ExitIcon";
-import { FlagIcon } from "~/assets/icons/RegionIcons";
+import { RegionLabel } from "~/components/runs/v3/RegionLabel";
 import { AdminDebugRun } from "~/components/admin/debugRun";
 import { CodeBlock } from "~/components/code/CodeBlock";
 import { EnvironmentCombo } from "~/components/environments/EnvironmentLabel";
@@ -42,6 +42,8 @@ import {
   PopoverMenuItem,
   PopoverTrigger,
 } from "~/components/primitives/Popover";
+import { ToastUI } from "~/components/primitives/Toast";
+import { toast } from "sonner";
 import * as Property from "~/components/primitives/PropertyTable";
 import { Spinner } from "~/components/primitives/Spinner";
 import {
@@ -53,6 +55,7 @@ import {
   TableRow,
 } from "~/components/primitives/Table";
 import { TabButton, TabContainer } from "~/components/primitives/Tabs";
+import { SessionStatusCombo } from "~/components/sessions/v1/SessionStatus";
 import { TextLink } from "~/components/primitives/TextLink";
 import { InfoIconTooltip, SimpleTooltip } from "~/components/primitives/Tooltip";
 import { RunTimeline, RunTimelineEvent, SpanTimeline } from "~/components/run/RunTimeline";
@@ -78,7 +81,6 @@ import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
 import { useSearchParams } from "~/hooks/useSearchParam";
 import { useHasAdminAccess } from "~/hooks/useUser";
-import { useCanViewLogsPage } from "~/hooks/useCanViewLogsPage";
 import { redirectWithErrorMessage } from "~/models/message.server";
 import { type Span, SpanPresenter, type SpanRun } from "~/presenters/v3/SpanPresenter.server";
 import { logger } from "~/services/logger.server";
@@ -88,8 +90,8 @@ import { formatCurrencyAccurate } from "~/utils/numberFormatter";
 import {
   docsPath,
   v3BatchPath,
+  v3SessionPath,
   v3DeploymentVersionPath,
-  v3LogsPath,
   v3RunDownloadLogsPath,
   v3RunIdempotencyKeyResetPath,
   v3RunPath,
@@ -118,13 +120,33 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   try {
     const result = await presenter.call({
       projectSlug: projectParam,
+      envSlug: envParam,
       spanId: spanParam,
       runFriendlyId: runParam,
       userId,
       linkedRunId,
     });
 
-    return typedjson(result);
+    if (!result) {
+      return redirectWithErrorMessage(
+        v3RunPath(
+          { slug: organizationSlug },
+          { slug: projectParam },
+          { slug: envParam },
+          { friendlyId: runParam }
+        ),
+        request,
+        `Event not found.`
+      );
+    }
+
+    // Reconstruct the discriminated union explicitly. Spreading
+    // `{ ...result }` collapses the union and loses the
+    // `type === "run" | "span"` discriminant downstream in `SpanView`.
+    if (result.type === "run") {
+      return typedjson({ type: "run" as const, run: result.run });
+    }
+    return typedjson({ type: "span" as const, span: result.span });
   } catch (error) {
     logger.error("Error loading span", {
       projectParam,
@@ -364,7 +386,6 @@ function RunBody({
   const { value, replace } = useSearchParams();
   const tab = value("tab");
   const resetFetcher = useTypedFetcher<typeof resetIdempotencyKeyAction>();
-  const canViewLogsPage = useCanViewLogsPage();
 
   return (
     <div className="grid h-full max-h-full grid-rows-[2.5rem_2rem_1fr_minmax(3.25rem,auto)] overflow-hidden bg-background-bright">
@@ -618,6 +639,32 @@ function RunBody({
                     </Property.Value>
                   </Property.Item>
                 )}
+                {run.session && (
+                  <Property.Item>
+                    <Property.Label>Session</Property.Label>
+                    <Property.Value>
+                      <SimpleTooltip
+                        button={
+                          <TextLink
+                            to={v3SessionPath(organization, project, environment, {
+                              friendlyId: run.session.friendlyId,
+                            })}
+                            className="group flex flex-wrap items-center gap-x-2 gap-y-0"
+                          >
+                            <CopyableText
+                              value={run.session.externalId ?? run.session.friendlyId}
+                              copyValue={run.session.externalId ?? run.session.friendlyId}
+                              asChild
+                            />
+                            <SessionStatusCombo status={run.session.status} />
+                          </TextLink>
+                        }
+                        content={`Jump to session (${run.session.reason})`}
+                        disableHoverableContent
+                      />
+                    </Property.Value>
+                  </Property.Item>
+                )}
                 <Property.Item>
                   <Property.Label>
                     <div className="flex items-center justify-between">
@@ -925,12 +972,7 @@ function RunBody({
                   <Property.Item>
                     <Property.Label>Region</Property.Label>
                     <Property.Value>
-                      <span className="flex items-center gap-1">
-                        {run.region.location ? (
-                          <FlagIcon region={run.region.location} className="size-5" />
-                        ) : null}
-                        {run.region.name}
-                      </span>
+                      <RegionLabel region={run.region} />
                     </Property.Value>
                   </Property.Item>
                 )}
@@ -979,6 +1021,10 @@ function RunBody({
                     <Paragraph spacing variant="small" className="text-yellow-500">
                       Admin only
                     </Paragraph>
+                    <Property.Item>
+                      <Property.Label>Buffered</Property.Label>
+                      <Property.Value>{run.isBuffered ? "Yes" : "No"}</Property.Value>
+                    </Property.Item>
                     <Property.Item>
                       <Property.Label>Worker queue</Property.Label>
                       <Property.Value>{run.workerQueue}</Property.Value>
@@ -1054,61 +1100,25 @@ function RunBody({
               {run.isCached ? "Jump to original run" : "Focus on run"}
             </LinkButton>
           )}
-          <AdminDebugRun friendlyId={run.friendlyId} />
+          {!run.isBuffered && <AdminDebugRun friendlyId={run.friendlyId} />}
         </div>
         <div className="flex items-center">
           {run.logsDeletedAt === null ? (
-            canViewLogsPage ? (
-              <div className="flex">
-                <LinkButton
-                  to={`${v3LogsPath(organization, project, environment)}?runId=${runParam}&from=${
-                    new Date(run.createdAt).getTime() - 60000
-                  }`}
+            <Popover>
+              <PopoverTrigger asChild>
+                <Button
                   variant="secondary/medium"
-                  className="rounded-r-none border-r-0"
+                  LeadingIcon={CloudArrowDownIcon}
+                  leadingIconClassName="text-indigo-400"
+                  TrailingIcon={ChevronUpIcon}
                 >
-                  View logs
-                </LinkButton>
-                <Popover>
-                  <PopoverTrigger asChild>
-                    <Button
-                      variant="secondary/medium"
-                      className="rounded-l-none border-l-charcoal-700 px-1.5"
-                    >
-                      <ChevronUpIcon className="size-4 transition group-hover/button:text-text-bright" />
-                    </Button>
-                  </PopoverTrigger>
-                  <PopoverContent className="min-w-[140px] p-1" align="end">
-                    <PopoverMenuItem
-                      to={`${v3LogsPath(
-                        organization,
-                        project,
-                        environment
-                      )}?runId=${runParam}&from=${new Date(run.createdAt).getTime() - 60000}`}
-                      title="View logs"
-                      icon={ArrowRightIcon}
-                      leadingIconClassName="text-blue-500"
-                    />
-                    <PopoverMenuItem
-                      to={v3RunDownloadLogsPath({ friendlyId: runParam })}
-                      title="Download logs"
-                      icon={CloudArrowDownIcon}
-                      leadingIconClassName="text-indigo-500"
-                      openInNewTab
-                    />
-                  </PopoverContent>
-                </Popover>
-              </div>
-            ) : (
-              <LinkButton
-                to={v3RunDownloadLogsPath({ friendlyId: runParam })}
-                LeadingIcon={CloudArrowDownIcon}
-                leadingIconClassName="text-indigo-400"
-                variant="secondary/medium"
-              >
-                Download logs
-              </LinkButton>
-            )
+                  Export trace
+                </Button>
+              </PopoverTrigger>
+              <PopoverContent className="min-w-[180px] p-1" align="end">
+                <TraceExportMenuItems runParam={runParam} />
+              </PopoverContent>
+            </Popover>
           ) : null}
         </div>
       </div>
@@ -1116,6 +1126,72 @@ function RunBody({
   );
 }
 
+// Trace export menu items: copy the trace as Markdown (for pasting into an AI
+// assistant) plus a download per format. The export route streams `?format=`
+// server-side.
+function TraceExportMenuItems({ runParam }: { runParam: string }) {
+  const downloadPath = v3RunDownloadLogsPath({ friendlyId: runParam });
+
+  const copyForAI = async () => {
+    try {
+      // Hand the clipboard a ClipboardItem backed by a promise so access is
+      // reserved synchronously during the click. The fetch can then take as long
+      // as a large trace needs without the browser revoking the transient user
+      // activation, which a fetch-then-writeText sequence trips (notably Safari
+      // and Firefox).
+      const text = fetch(`${downloadPath}?format=markdown`, { credentials: "include" }).then(
+        async (response) => {
+          if (!response.ok) {
+            throw new Error(`Request failed with ${response.status}`);
+          }
+          return new Blob([await response.text()], { type: "text/plain" });
+        }
+      );
+
+      await navigator.clipboard.write([new ClipboardItem({ "text/plain": text })]);
+      toast.custom((t) => (
+        <ToastUI variant="success" message="Copied trace as Markdown" t={t as string} />
+      ));
+    } catch {
+      toast.custom((t) => (
+        <ToastUI variant="error" message="Couldn't copy the trace" t={t as string} />
+      ));
+    }
+  };
+
+  return (
+    <>
+      <PopoverMenuItem
+        title="Copy for AI"
+        icon={ClipboardDocumentIcon}
+        leadingIconClassName="text-emerald-500"
+        onClick={copyForAI}
+      />
+      <PopoverMenuItem
+        to={`${downloadPath}?format=markdown`}
+        title="Download · Markdown"
+        icon={CloudArrowDownIcon}
+        leadingIconClassName="text-indigo-500"
+        openInNewTab
+      />
+      <PopoverMenuItem
+        to={`${downloadPath}?format=log`}
+        title="Download · Log"
+        icon={CloudArrowDownIcon}
+        leadingIconClassName="text-indigo-500"
+        openInNewTab
+      />
+      <PopoverMenuItem
+        to={`${downloadPath}?format=jsonl`}
+        title="Download · JSON Lines"
+        icon={CloudArrowDownIcon}
+        leadingIconClassName="text-indigo-500"
+        openInNewTab
+      />
+    </>
+  );
+}
+
 function RunError({ error }: { error: TaskRunError }) {
   const enhancedError = taskRunErrorEnhancer(error);
 
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.streams.$streamKey/route.tsx b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.streams.$streamKey/route.tsx
index b5763bb4e9c..4a9581831c9 100644
--- a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.streams.$streamKey/route.tsx
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.$runParam.streams.$streamKey/route.tsx
@@ -21,6 +21,7 @@ import { $replica } from "~/db.server";
 import { useEnvironment } from "~/hooks/useEnvironment";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
 import { getRealtimeStreamInstance } from "~/services/realtime/v1StreamsGlobal.server";
 import { requireUserId } from "~/services/session.server";
 import { cn } from "~/utils/cn";
@@ -86,10 +87,11 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
 
   const realtimeStream = getRealtimeStreamInstance(
     run.runtimeEnvironment,
-    run.realtimeStreamsVersion
+    run.realtimeStreamsVersion,
+    { run }
   );
 
-  return realtimeStream.streamResponse(request, run.friendlyId, streamKey, request.signal, {
+  return realtimeStream.streamResponse(request, run.friendlyId, streamKey, getRequestAbortSignal(), {
     lastEventId,
   });
 };
@@ -99,17 +101,32 @@ export function RealtimeStreamViewer({
   streamKey,
   metadata,
   displayName,
+  resourcePath: resourcePathOverride,
+  headerLabel,
+  headerLeft,
 }: {
-  runId: string;
-  streamKey: string;
-  metadata: Record<string, unknown> | undefined;
+  runId?: string;
+  streamKey?: string;
+  metadata?: Record<string, unknown> | undefined;
   displayName?: string;
+  /** Pre-built resource path. When provided, `runId`/`streamKey` are unused. */
+  resourcePath?: string;
+  /** Override the "Stream:" / "Input stream:" prefix in the header. */
+  headerLabel?: string;
+  /**
+   * Replaces the default "Stream: <name>" content next to the connection
+   * icon. Use to inline tabs or other navigation in place of a static
+   * label.
+   */
+  headerLeft?: React.ReactNode;
 }) {
   const organization = useOrganization();
   const project = useProject();
   const environment = useEnvironment();
 
-  const resourcePath = `/resources/orgs/${organization.slug}/projects/${project.slug}/env/${environment.slug}/runs/${runId}/streams/${streamKey}`;
+  const resourcePath =
+    resourcePathOverride ??
+    `/resources/orgs/${organization.slug}/projects/${project.slug}/env/${environment.slug}/runs/${runId}/streams/${streamKey}`;
 
   const startIndex = typeof metadata?.startIndex === "number" ? metadata.startIndex : undefined;
   const { chunks, error, isConnected } = useRealtimeStream(resourcePath, startIndex);
@@ -227,7 +244,7 @@ export function RealtimeStreamViewer({
       {/* Header */}
       <div className="border-b border-grid-bright bg-background-bright @container">
         <div className="flex flex-wrap items-center justify-between gap-2 px-3 py-2.5 @[300px]:flex-nowrap">
-          <div className="flex min-w-0 items-center gap-1.5">
+          <div className="flex min-w-0 items-center gap-3">
             <TooltipProvider>
               <Tooltip>
                 <TooltipTrigger>
@@ -242,13 +259,17 @@ export function RealtimeStreamViewer({
                 </TooltipContent>
               </Tooltip>
             </TooltipProvider>
-            <Paragraph
-              variant="small/bright"
-              className="mb-0 flex min-w-0 items-center gap-1 truncate whitespace-nowrap"
-            >
-              <span>{displayName ? "Input stream:" : "Stream:"}</span>
-              <span className="truncate font-mono text-text-dimmed">{displayName ?? streamKey}</span>
-            </Paragraph>
+            {headerLeft ?? (
+              <Paragraph
+                variant="small/bright"
+                className="mb-0 flex min-w-0 items-center gap-1 truncate whitespace-nowrap"
+              >
+                <span>{headerLabel ?? (displayName ? "Input stream:" : "Stream:")}</span>
+                <span className="truncate font-mono text-text-dimmed">
+                  {displayName ?? streamKey ?? ""}
+                </span>
+              </Paragraph>
+            )}
           </div>
           <div className="flex w-full flex-wrap items-center justify-between gap-3 @[300px]:w-auto @[300px]:flex-nowrap">
             <Paragraph variant="small" className="mb-0 whitespace-nowrap">
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.ai-filter.tsx b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.ai-filter.tsx
index 9ae306c98a6..ff289d241be 100644
--- a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.ai-filter.tsx
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.ai-filter.tsx
@@ -2,11 +2,10 @@ import { openai } from "@ai-sdk/openai";
 import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
 import { tryCatch } from "@trigger.dev/core";
 import { z } from "zod";
-import { $replica } from "~/db.server";
 import { env } from "~/env.server";
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
-import { getAllTaskIdentifiers } from "~/models/task.server";
+import { getTaskIdentifiers } from "~/models/task.server";
 import { QueueListPresenter } from "~/presenters/v3/QueueListPresenter.server";
 import { RunTagListPresenter } from "~/presenters/v3/RunTagListPresenter.server";
 import { VersionListPresenter } from "~/presenters/v3/VersionListPresenter.server";
@@ -126,7 +125,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
 
   const queryTasks: QueryTasks = {
     query: async () => {
-      const tasks = await getAllTaskIdentifiers($replica, environment.id);
+      const tasks = await getTaskIdentifiers(environment.id);
       return {
         tasks,
       };
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.bulkaction.tsx b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.bulkaction.tsx
index be9a2763752..ab216bcab7e 100644
--- a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.bulkaction.tsx
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.bulkaction.tsx
@@ -23,7 +23,7 @@ import {
   AccordionItem,
   AccordionTrigger,
 } from "~/components/primitives/Accordion";
-import { Button, LinkButton } from "~/components/primitives/Buttons";
+import { Button } from "~/components/primitives/Buttons";
 import { CheckboxWithLabel } from "~/components/primitives/Checkbox";
 import {
   Dialog,
@@ -51,10 +51,11 @@ import { redirectWithErrorMessage, redirectWithSuccessMessage } from "~/models/m
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
 import { CreateBulkActionPresenter } from "~/presenters/v3/CreateBulkActionPresenter.server";
+import { RUNS_BULK_INSPECTOR_UI_SEARCH_PARAMS } from "~/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs._index/shouldRevalidateRunsList";
 import { logger } from "~/services/logger.server";
 import { requireUserId } from "~/services/session.server";
 import { cn } from "~/utils/cn";
-import { EnvironmentParamSchema, v3BulkActionPath, v3RunsPath } from "~/utils/pathBuilder";
+import { EnvironmentParamSchema, v3BulkActionPath } from "~/utils/pathBuilder";
 import { BulkActionService } from "~/v3/services/bulk/BulkActionV2.server";
 
 export async function loader({ request, params }: LoaderFunctionArgs) {
@@ -187,7 +188,7 @@ export function CreateBulkActionInspector({
   const project = useProject();
   const environment = useEnvironment();
   const fetcher = useTypedFetcher<typeof loader>();
-  const { value, replace } = useSearchParams();
+  const { value, replace, del } = useSearchParams();
   const [action, setAction] = useState<BulkActionAction>(
     bulkActionActionFromString(value("action"))
   );
@@ -208,9 +209,6 @@ export function CreateBulkActionInspector({
 
   const data = fetcher.data != null ? fetcher.data : undefined;
 
-  const closedSearchParams = new URLSearchParams(location.search);
-  closedSearchParams.delete("bulkInspector");
-
   const impactedCountElement =
     mode === "selected" ? selectedItems.size : <EstimatedCount count={data?.count} />;
 
@@ -225,13 +223,10 @@ export function CreateBulkActionInspector({
       <div className="grid h-full max-h-full grid-rows-[2.5rem_1fr_3.25rem] overflow-hidden bg-background-bright">
         <div className="mx-3 flex items-center justify-between gap-2 border-b border-grid-dimmed">
           <Header2 className="whitespace-nowrap">Create a bulk action</Header2>
-          <LinkButton
-            to={`${v3RunsPath(
-              organization,
-              project,
-              environment
-            )}?${closedSearchParams.toString()}`}
+          <Button
+            type="button"
             variant="minimal/small"
+            onClick={() => del([...RUNS_BULK_INSPECTOR_UI_SEARCH_PARAMS])}
             TrailingIcon={ExitIcon}
             shortcut={{ key: "esc" }}
             shortcutPosition="before-trailing-icon"
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.children-statuses.ts b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.children-statuses.ts
new file mode 100644
index 00000000000..896dd25dd79
--- /dev/null
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.children-statuses.ts
@@ -0,0 +1,110 @@
+import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { type TaskRunStatus } from "@trigger.dev/database";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
+import { loadProjectEnvironmentFromRequest } from "~/services/loadProjectEnvironmentFromRequest.server";
+import { RunsRepository } from "~/services/runsRepository/runsRepository.server";
+import { runIdsQueryParam } from "~/utils/searchParams";
+
+const SearchParamsSchema = z.object({
+  runIds: runIdsQueryParam,
+});
+
+const ROOT_CREATED_AT_SAFETY_MARGIN_MS = 5 * 60 * 1000;
+
+type RootRun = { id: string; friendlyId: string; createdAt: Date };
+type ChildStatusEntry = { status: TaskRunStatus; count: number };
+type GroupedChildStatus = {
+  rootRunId: string;
+  status: TaskRunStatus;
+  count: number;
+};
+
+function mapGroupedStatusesToFriendlyIds(
+  grouped: GroupedChildStatus[],
+  roots: RootRun[]
+): Map<string, ChildStatusEntry[]> {
+  const rootFriendlyIdById = new Map(roots.map((run) => [run.id, run.friendlyId]));
+  const statusesByFriendlyId = new Map<string, ChildStatusEntry[]>();
+
+  for (const item of grouped) {
+    const friendlyId = rootFriendlyIdById.get(item.rootRunId);
+    if (!friendlyId) continue;
+
+    const existing = statusesByFriendlyId.get(friendlyId) ?? [];
+    existing.push({
+      status: item.status,
+      count: item.count,
+    });
+    statusesByFriendlyId.set(friendlyId, existing);
+  }
+
+  return statusesByFriendlyId;
+}
+
+function childrenStatusesResponseForRunIds(
+  runIds: string[],
+  statusesByFriendlyId: Map<string, ChildStatusEntry[]>
+) {
+  return {
+    runs: runIds.map((friendlyId) => ({
+      friendlyId,
+      statuses: (statusesByFriendlyId.get(friendlyId) ?? []).filter((entry) => entry.count > 0),
+    })),
+  };
+}
+
+export async function loader({ request, params }: LoaderFunctionArgs) {
+  const url = new URL(request.url);
+  const { runIds } = SearchParamsSchema.parse(Object.fromEntries(url.searchParams));
+
+  if (runIds.length === 0) {
+    return { runs: [] };
+  }
+
+  const { project, environment } = await loadProjectEnvironmentFromRequest(request, params);
+
+  const clickhouse = await clickhouseFactory.getClickhouseForOrganization(
+    project.organizationId,
+    "standard"
+  );
+  const runsRepository = new RunsRepository({ clickhouse, prisma: $replica });
+
+  const { runs: roots } = await runsRepository.listRuns({
+    organizationId: project.organizationId,
+    projectId: project.id,
+    environmentId: environment.id,
+    runId: runIds,
+    page: { size: 100 },
+  });
+
+  if (roots.length === 0) {
+    return { runs: [] };
+  }
+
+  const earliestRootCreatedAtMs = Math.min(...roots.map((run) => run.createdAt.getTime()));
+  const sinceMs = Math.max(0, earliestRootCreatedAtMs - ROOT_CREATED_AT_SAFETY_MARGIN_MS);
+
+  const [queryError, groupedRows] = await clickhouse.taskRuns.getChildRunStatusCounts({
+    organizationId: project.organizationId,
+    projectId: project.id,
+    environmentId: environment.id,
+    rootRunIds: roots.map((run) => run.id),
+    since: sinceMs,
+  });
+
+  if (queryError) {
+    throw queryError;
+  }
+
+  const grouped: GroupedChildStatus[] = groupedRows.map((row) => ({
+    rootRunId: row.root_run_id,
+    status: row.status as TaskRunStatus,
+    count: row.count,
+  }));
+
+  const statusesByFriendlyId = mapGroupedStatusesToFriendlyIds(grouped, roots);
+
+  return childrenStatusesResponseForRunIds(runIds, statusesByFriendlyId);
+}
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.live.ts b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.live.ts
new file mode 100644
index 00000000000..616aa728872
--- /dev/null
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.live.ts
@@ -0,0 +1,93 @@
+import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { mapRunToLiveFields } from "~/presenters/v3/mapRunToLiveFields.server";
+import { getRunFiltersFromRequest } from "~/presenters/RunFilters.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
+import { loadProjectEnvironmentFromRequest } from "~/services/loadProjectEnvironmentFromRequest.server";
+import { RunsRepository } from "~/services/runsRepository/runsRepository.server";
+import { runIdsQueryParam } from "~/utils/searchParams";
+
+const SearchParamsSchema = z.object({
+  runIds: runIdsQueryParam,
+  includeNewRuns: z
+    .string()
+    .optional()
+    .transform((value) => value === "true"),
+  since: z.coerce.number().optional(),
+});
+
+export async function loader({ request, params }: LoaderFunctionArgs) {
+  const url = new URL(request.url);
+  const { runIds, includeNewRuns, since } = SearchParamsSchema.parse(
+    Object.fromEntries(url.searchParams)
+  );
+
+  const newRunsSince =
+    includeNewRuns && since !== undefined ? since : undefined;
+
+  if (runIds.length === 0 && newRunsSince === undefined) {
+    return { runs: [] };
+  }
+
+  const { project, environment } = await loadProjectEnvironmentFromRequest(request, params);
+
+  const clickhouse = await clickhouseFactory.getClickhouseForOrganization(
+    project.organizationId,
+    "standard"
+  );
+  const runsRepository = new RunsRepository({ clickhouse, prisma: $replica });
+
+  const [runs, newRunsResult] = await Promise.all([
+    runIds.length > 0
+      ? runsRepository
+          .listRuns({
+            organizationId: project.organizationId,
+            projectId: project.id,
+            environmentId: environment.id,
+            runId: runIds,
+            page: { size: 100 },
+          })
+          .then(({ runs: listedRuns }) => listedRuns.map(mapRunToLiveFields))
+      : Promise.resolve([]),
+    newRunsSince !== undefined
+      ? (async () => {
+          const filters = await getRunFiltersFromRequest(request);
+
+          if (filters.to !== undefined && filters.to <= newRunsSince) {
+            return { count: 0, since: newRunsSince };
+          }
+
+          const { runIds: newRunIds } = await runsRepository.listRunIds({
+            organizationId: project.organizationId,
+            projectId: project.id,
+            environmentId: environment.id,
+            tasks: filters.tasks,
+            versions: filters.versions,
+            statuses: filters.statuses,
+            tags: filters.tags,
+            scheduleId: filters.scheduleId,
+            period: filters.period,
+            from: Math.max(filters.from ?? 0, newRunsSince + 1),
+            to: filters.to,
+            rootOnly: filters.rootOnly,
+            batchId: filters.batchId,
+            runId: filters.runId,
+            bulkId: filters.bulkId,
+            queues: filters.queues,
+            machines: filters.machines,
+            errorId: filters.errorId,
+            page: { size: 100 },
+          });
+
+          return { count: newRunIds.length, since: newRunsSince };
+        })()
+      : Promise.resolve(undefined),
+  ]);
+
+  if (newRunsResult) {
+    return { runs, ...newRunsResult };
+  }
+
+  return { runs };
+}
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.schedules.new/route.tsx b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.schedules.new/route.tsx
index 1e44dbdc00b..90a81a5c2c3 100644
--- a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.schedules.new/route.tsx
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.schedules.new/route.tsx
@@ -403,7 +403,7 @@ export function UpsertScheduleForm({
         <div className="flex items-center gap-4">
           <LinkButton
             to={`${v3SchedulesPath(organization, project, environment)}${location.search}`}
-            variant="tertiary/medium"
+            variant="secondary/medium"
           >
             Cancel
           </LinkButton>
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.sessions.$sessionParam.realtime.v1.$io.ts b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.sessions.$sessionParam.realtime.v1.$io.ts
new file mode 100644
index 00000000000..4bc6bb0f61b
--- /dev/null
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.sessions.$sessionParam.realtime.v1.$io.ts
@@ -0,0 +1,83 @@
+import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { $replica } from "~/db.server";
+import { findProjectBySlug } from "~/models/project.server";
+import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
+import { S2RealtimeStreams } from "~/services/realtime/s2realtimeStreams.server";
+import {
+  canonicalSessionAddressingKey,
+  resolveSessionByIdOrExternalId,
+} from "~/services/realtime/sessions.server";
+import { getRealtimeStreamInstance } from "~/services/realtime/v1StreamsGlobal.server";
+import { requireUserId } from "~/services/session.server";
+import { EnvironmentParamSchema } from "~/utils/pathBuilder";
+
+const ParamsSchema = z.object({
+  sessionParam: z.string(),
+  io: z.enum(["out", "in"]),
+});
+
+// GET: SSE stream subscription for a Session's `.out` / `.in` channel.
+// Dashboard-auth counterpart to the public API's
+// `/realtime/v1/sessions/:sessionId/:io`. Used by the Sessions detail
+// view (and the run page's Agent tab) to observe assistant chunks
+// (`.out`) and user-side ChatInputChunk payloads (`.in`).
+//
+// The `:sessionParam` segment accepts either the `session_*` friendlyId
+// or the externalId the transport registered for the chat (typically the
+// browser's `chatId`).
+//
+// Authenticated by the dashboard session — the user must have access to
+// the project and environment. The session must live in that environment.
+export async function loader({ request, params }: LoaderFunctionArgs) {
+  const userId = await requireUserId(request);
+  const { organizationSlug, projectParam, envParam } = EnvironmentParamSchema.parse(params);
+  const { sessionParam, io } = ParamsSchema.parse(params);
+
+  const project = await findProjectBySlug(organizationSlug, projectParam, userId);
+  if (!project) {
+    return new Response("Project not found", { status: 404 });
+  }
+
+  const environment = await findEnvironmentBySlug(project.id, envParam, userId);
+  if (!environment) {
+    return new Response("Environment not found", { status: 404 });
+  }
+
+  const session = await resolveSessionByIdOrExternalId($replica, environment.id, sessionParam);
+  if (!session) {
+    return new Response("Session not found", { status: 404 });
+  }
+
+  const realtimeStream = getRealtimeStreamInstance(environment, "v2", { session });
+
+  if (!(realtimeStream instanceof S2RealtimeStreams)) {
+    return new Response("Session channels require the S2 realtime backend", {
+      status: 501,
+    });
+  }
+
+  const lastEventId = request.headers.get("Last-Event-ID") || undefined;
+  const timeoutInSecondsRaw = request.headers.get("Timeout-Seconds");
+  let timeoutInSeconds: number | undefined;
+  if (timeoutInSecondsRaw !== null) {
+    timeoutInSeconds = Number(timeoutInSecondsRaw);
+    if (!Number.isInteger(timeoutInSeconds) || timeoutInSeconds < 1 || timeoutInSeconds > 600) {
+      return new Response("Invalid timeout", { status: 400 });
+    }
+  }
+
+  // The agent writes via the canonical addressing key (externalId if
+  // set, else friendlyId). Subscribe with the same key so the read
+  // hits the same S2 stream the agent is writing into.
+  const addressingKey = canonicalSessionAddressingKey(session, sessionParam);
+
+  return realtimeStream.streamResponseFromSessionStream(
+    request,
+    addressingKey,
+    io,
+    getRequestAbortSignal(),
+    { lastEventId, timeoutInSeconds }
+  );
+}
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.ai-generate-payload.tsx b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.ai-generate-payload.tsx
index 2cfbe6a10b8..d03b1985cb4 100644
--- a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.ai-generate-payload.tsx
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.test.ai-generate-payload.tsx
@@ -1,10 +1,11 @@
 import { openai } from "@ai-sdk/openai";
-import { streamText, tool } from "ai";
+import { streamText, stepCountIs, tool } from "ai";
 import { type ActionFunctionArgs } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { env } from "~/env.server";
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
 import { requireUserId } from "~/services/session.server";
 import { EnvironmentParamSchema } from "~/utils/pathBuilder";
 import { inflate } from "node:zlib";
@@ -20,6 +21,7 @@ const RequestSchema = z.object({
   taskIdentifier: z.string().max(256),
   payloadSchema: z.string().max(50_000).optional(),
   currentPayload: z.string().max(50_000).optional(),
+  isAgent: z.enum(["true", "false"]).optional(),
 });
 
 export async function action({ request, params }: ActionFunctionArgs) {
@@ -63,16 +65,20 @@ export async function action({ request, params }: ActionFunctionArgs) {
     );
   }
 
-  const { prompt, taskIdentifier, payloadSchema, currentPayload } = submission.data;
+  const { prompt, taskIdentifier, payloadSchema, currentPayload, isAgent } = submission.data;
+  const agentMode = isAgent === "true";
 
   logger.info("[AI payload] Generating payload", {
     taskIdentifier,
     hasPayloadSchema: !!payloadSchema,
     hasCurrentPayload: !!currentPayload,
     promptLength: prompt.length,
+    agentMode,
   });
 
-  const systemPrompt = buildSystemPrompt(taskIdentifier, payloadSchema, currentPayload);
+  const systemPrompt = agentMode
+    ? buildAgentClientDataPrompt(taskIdentifier, payloadSchema, currentPayload)
+    : buildSystemPrompt(taskIdentifier, payloadSchema, currentPayload);
 
   const stream = new ReadableStream({
     async start(controller) {
@@ -92,26 +98,26 @@ export async function action({ request, params }: ActionFunctionArgs) {
         const result = streamText({
           model: openai(env.AI_RUN_FILTER_MODEL ?? "gpt-5-mini"),
           temperature: 1,
-          abortSignal: request.signal,
+          abortSignal: getRequestAbortSignal(),
           system: systemPrompt,
           prompt,
           tools: {
             getTaskSourceCode: tool({
               description:
                 "Look up the source code of the task to understand what payload shape it expects. Use this when there is no JSON Schema available and you need to infer the payload structure from the task implementation.",
-              parameters: z.object({}),
+              inputSchema: z.object({}),
               execute: async () => {
                 return getTaskSourceCode(environment.id, environment.type, taskIdentifier);
               },
             }),
           },
-          maxSteps: 3,
+          stopWhen: stepCountIs(3),
         });
 
         for await (const part of result.fullStream) {
           switch (part.type) {
             case "text-delta": {
-              sendEvent({ type: "thinking", content: part.textDelta });
+              sendEvent({ type: "thinking", content: part.text });
               break;
             }
             case "tool-call": {
@@ -233,6 +239,60 @@ async function getTaskFromDeployment(environmentId: string, taskIdentifier: stri
   return { fileId: task.fileId };
 }
 
+function buildAgentClientDataPrompt(
+  taskIdentifier: string,
+  payloadSchema?: string,
+  currentPayload?: string
+): string {
+  let prompt = `You are a JSON generator for client data (metadata) of a Trigger.dev chat agent with id "${taskIdentifier}".
+
+IMPORTANT: You are generating ONLY the client data object — this is the metadata sent alongside each chat message. It is NOT the full task payload. Do NOT generate fields like "chatId", "messages", "trigger", or "idleTimeoutInSeconds" — those are internal transport fields managed by the framework.
+
+The client data typically contains user context like user IDs, preferences, configuration, or session info. Return ONLY valid JSON wrapped in a \`\`\`json code block.
+
+Requirements:
+- Generate realistic, meaningful example data
+- All string values should be plausible (real-looking IDs, names, etc.)
+- The JSON must be valid and parseable
+- Keep it simple — client data is usually a flat or shallow object`;
+
+  if (payloadSchema) {
+    prompt += `
+
+The agent has the following JSON Schema for its client data:
+\`\`\`json
+${payloadSchema}
+\`\`\`
+
+Generate client data that strictly conforms to this schema.`;
+  } else {
+    prompt += `
+
+No JSON Schema is available for this agent's client data. Use the getTaskSourceCode tool to look up the agent's source code file.
+
+IMPORTANT instructions for reading the source code:
+- The file may contain multiple task/agent definitions. Find the one with id "${taskIdentifier}".
+- Look for \`withClientData({ schema: ... })\` or \`clientDataSchema\` to find the expected client data shape.
+- If using \`chat.agent()\` or \`chat.customAgent()\`, the client data is accessed via \`clientData\` in hooks and \`payload.metadata\` in raw tasks.
+- Look for how \`clientData\` or \`payload.metadata\` is accessed/destructured to infer the shape.
+- Do NOT generate the full ChatTaskWirePayload (messages, chatId, trigger, etc.) — ONLY the metadata/clientData portion.
+- If no client data schema or usage is found, generate a simple \`{ "userId": "user_..." }\` object.`;
+  }
+
+  if (currentPayload) {
+    prompt += `
+
+The current client data in the editor is:
+\`\`\`json
+${currentPayload}
+\`\`\`
+
+Use this as context but generate new client data based on the user's prompt.`;
+  }
+
+  return prompt;
+}
+
 function buildSystemPrompt(
   taskIdentifier: string,
   payloadSchema?: string,
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.vercel.tsx b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.vercel.tsx
index d6131083bdf..fdc6dfd8242 100644
--- a/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.vercel.tsx
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.vercel.tsx
@@ -61,7 +61,7 @@ import {
   getAvailableEnvSlugsForBuildSettings,
 } from "~/v3/vercel/vercelProjectIntegrationSchema";
 import { Result, fromPromise } from "neverthrow";
-import { useEffect, useState } from "react";
+import { useEffect, useRef, useState } from "react";
 
 export type ConnectedVercelProject = {
   id: string;
@@ -92,6 +92,12 @@ function parseVercelStagingEnvironment(
   );
 }
 
+// Sentinel values for the clearTriggerVersion hidden input. Used by the schema transform,
+// the input's defaultValue, and the modal's submit helper — keep all three reading the same
+// constants so they cannot drift.
+const CLEAR_TRIGGER_VERSION_YES = "true";
+const CLEAR_TRIGGER_VERSION_NO = "false";
+
 const UpdateVercelConfigFormSchema = z.object({
   action: z.literal("update-config"),
   atomicBuilds: envSlugArrayField,
@@ -99,6 +105,10 @@ const UpdateVercelConfigFormSchema = z.object({
   discoverEnvVars: envSlugArrayField,
   vercelStagingEnvironment: z.string().nullable().optional(),
   autoPromote: z.string().optional().transform((val) => val !== "false"),
+  clearTriggerVersion: z
+    .string()
+    .optional()
+    .transform((val) => val === CLEAR_TRIGGER_VERSION_YES),
 });
 
 const DisconnectVercelFormSchema = z.object({
@@ -243,6 +253,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
         discoverEnvVars,
         vercelStagingEnvironment,
         autoPromote,
+        clearTriggerVersion,
       } = submission.value;
 
       const parsedStagingEnv = parseVercelStagingEnvironment(vercelStagingEnvironment);
@@ -271,6 +282,21 @@ export async function action({ request, params }: ActionFunctionArgs) {
           );
         }
 
+        // When atomic deployments are being disabled and the user confirmed clearing the pin,
+        // remove TRIGGER_VERSION from Vercel production so future deploys don't stay pinned.
+        // If the Vercel API call fails we still consider the settings save itself successful,
+        // but tell the user so they can clear the env var manually from the Vercel dashboard.
+        if (clearTriggerVersion && !atomicBuilds?.includes("prod")) {
+          const cleared = await vercelService.clearTriggerVersionFromVercelProduction(project.id);
+          if (!cleared) {
+            return redirectWithErrorMessage(
+              settingsPath,
+              request,
+              "Vercel settings saved, but failed to clear TRIGGER_VERSION on Vercel — please remove it manually from your Vercel project settings."
+            );
+          }
+        }
+
         return redirectWithSuccessMessage(settingsPath, request, "Vercel settings updated successfully");
       }
 
@@ -573,6 +599,8 @@ function ConnectedVercelProjectForm({
   hasPreviewEnvironment,
   customEnvironments,
   autoAssignCustomDomains,
+  currentTriggerVersion,
+  currentTriggerVersionFetchFailed,
   organizationSlug,
   projectSlug,
   environmentSlug,
@@ -582,6 +610,8 @@ function ConnectedVercelProjectForm({
   hasPreviewEnvironment: boolean;
   customEnvironments: Array<{ id: string; slug: string }>;
   autoAssignCustomDomains: boolean | null;
+  currentTriggerVersion: string | null;
+  currentTriggerVersionFetchFailed: boolean;
   organizationSlug: string;
   projectSlug: string;
   environmentSlug: string;
@@ -645,6 +675,34 @@ function ConnectedVercelProjectForm({
     },
   });
 
+  const saveButtonRef = useRef<HTMLButtonElement>(null);
+  const clearTriggerVersionInputRef = useRef<HTMLInputElement>(null);
+  const [showClearDialog, setShowClearDialog] = useState(false);
+
+  // Modal trigger uses the page-load state of atomicBuilds, not whatever changed in-session,
+  // because clearing TRIGGER_VERSION only makes sense when atomic was actually on at load time.
+  // If the Vercel lookup failed we still prompt — we don't know whether a pin exists, so the
+  // user needs to make the call explicitly rather than silently leaving prod pinned.
+  const wasAtomicEnabledAtLoad = originalAtomicBuilds.includes("prod");
+  const isAtomicNowDisabled = !configValues.atomicBuilds.includes("prod");
+  const shouldPromptClearOnSave =
+    wasAtomicEnabledAtLoad &&
+    isAtomicNowDisabled &&
+    (Boolean(currentTriggerVersion) || currentTriggerVersionFetchFailed);
+
+  const submitWithClearChoice = (clear: boolean) => {
+    if (clearTriggerVersionInputRef.current) {
+      clearTriggerVersionInputRef.current.value = clear
+        ? CLEAR_TRIGGER_VERSION_YES
+        : CLEAR_TRIGGER_VERSION_NO;
+    }
+    setShowClearDialog(false);
+    // Conform owns the form's React ref via {...configForm.props}, so look it up by id
+    // (set via useForm({ id: "update-vercel-config" })) rather than fighting for the ref.
+    const form = document.getElementById("update-vercel-config") as HTMLFormElement | null;
+    form?.requestSubmit(saveButtonRef.current ?? undefined);
+  };
+
   const isConfigLoading =
     navigation.formData?.get("action") === "update-config" &&
     (navigation.state === "submitting" || navigation.state === "loading");
@@ -742,6 +800,13 @@ function ConnectedVercelProjectForm({
           name="autoPromote"
           value={String(configValues.autoPromote)}
         />
+        {/* Flipped to CLEAR_TRIGGER_VERSION_YES by the clear-pinned-version modal on submit. */}
+        <input
+          type="hidden"
+          name="clearTriggerVersion"
+          defaultValue={CLEAR_TRIGGER_VERSION_NO}
+          ref={clearTriggerVersionInputRef}
+        />
 
         <Fieldset>
           <InputGroup fullWidth>
@@ -819,6 +884,9 @@ function ConnectedVercelProjectForm({
                 onAutoPromoteChange={(value) =>
                   setConfigValues((prev) => ({ ...prev, autoPromote: value }))
                 }
+                currentTriggerVersion={currentTriggerVersion}
+                currentTriggerVersionFetchFailed={currentTriggerVersionFetchFailed}
+                hideSectionToggles
               />
 
               {/* Warning: autoAssignCustomDomains must be disabled for atomic deployments */}
@@ -861,12 +929,19 @@ function ConnectedVercelProjectForm({
           <FormButtons
             confirmButton={
               <Button
+                ref={saveButtonRef}
                 type="submit"
                 name="action"
                 value="update-config"
                 variant="secondary/small"
                 disabled={isConfigLoading || !hasConfigChanges}
                 LeadingIcon={isConfigLoading ? SpinnerWhite : undefined}
+                onClick={(event) => {
+                  if (shouldPromptClearOnSave) {
+                    event.preventDefault();
+                    setShowClearDialog(true);
+                  }
+                }}
               >
                 Save
               </Button>
@@ -874,6 +949,58 @@ function ConnectedVercelProjectForm({
           />
         </Fieldset>
       </Form>
+
+      <Dialog open={showClearDialog} onOpenChange={setShowClearDialog}>
+        <DialogContent className="max-w-md">
+          <DialogHeader>Clear TRIGGER_VERSION from Vercel?</DialogHeader>
+          <div className="flex flex-col gap-3 pt-3">
+            {currentTriggerVersion ? (
+              <Paragraph className="mb-1">
+                Atomic deployments are being turned off. The{" "}
+                <span className="font-mono text-text-bright">TRIGGER_VERSION</span> env var on
+                your Vercel production environment is currently set to{" "}
+                <span className="font-mono text-text-bright">{currentTriggerVersion}</span>.
+              </Paragraph>
+            ) : (
+              <Paragraph className="mb-1">
+                Atomic deployments are being turned off. We couldn't reach Vercel to confirm
+                whether{" "}
+                <span className="font-mono text-text-bright">TRIGGER_VERSION</span> is currently
+                set on your Vercel production environment, so please verify in the Vercel
+                dashboard.
+              </Paragraph>
+            )}
+            <Paragraph className="mb-1">
+              If you leave it, your Vercel project will stay pinned to this version. Since atomic
+              deployments will be off, Trigger.dev will no longer update this variable, and future
+              Vercel deploys will continue using this pinned version. We recommend clearing it.
+            </Paragraph>
+            <FormButtons
+              confirmButton={
+                <div className="flex gap-2">
+                  <Button
+                    variant="secondary/medium"
+                    onClick={() => submitWithClearChoice(false)}
+                  >
+                    Keep pinned
+                  </Button>
+                  <Button
+                    variant="primary/medium"
+                    onClick={() => submitWithClearChoice(true)}
+                  >
+                    Clear and disable
+                  </Button>
+                </div>
+              }
+              cancelButton={
+                <DialogClose asChild>
+                  <Button variant="tertiary/medium">Cancel</Button>
+                </DialogClose>
+              }
+            />
+          </div>
+        </DialogContent>
+      </Dialog>
     </>
   );
 }
@@ -904,12 +1031,6 @@ function VercelSettingsPanel({
     }
   }, [organizationSlug, projectSlug, environmentSlug, data?.authInvalid, hasError, data, hasFetched]);
 
-  useEffect(() => {
-    if (hasFetched && fetcher.state === "idle" && fetcher.data === undefined && !hasError) {
-      setHasError(true);
-    }
-  }, [fetcher.state, fetcher.data, hasError, hasFetched]);
-
   if (hasError) {
     return (
       <div className="rounded-sm border border-rose-500/40 bg-rose-500/10 p-4">
@@ -953,6 +1074,8 @@ function VercelSettingsPanel({
           hasPreviewEnvironment={data.hasPreviewEnvironment}
           customEnvironments={data.customEnvironments}
           autoAssignCustomDomains={data.autoAssignCustomDomains ?? null}
+          currentTriggerVersion={data.currentTriggerVersion ?? null}
+          currentTriggerVersionFetchFailed={data.currentTriggerVersionFetchFailed ?? false}
           organizationSlug={organizationSlug}
           projectSlug={projectSlug}
           environmentSlug={environmentSlug}
diff --git a/apps/webapp/app/routes/resources.orgs.$organizationSlug.select-plan.tsx b/apps/webapp/app/routes/resources.orgs.$organizationSlug.select-plan.tsx
index 131dc6b3e47..2ba2c761d70 100644
--- a/apps/webapp/app/routes/resources.orgs.$organizationSlug.select-plan.tsx
+++ b/apps/webapp/app/routes/resources.orgs.$organizationSlug.select-plan.tsx
@@ -1,5 +1,4 @@
 import {
-  ArrowUpRightIcon,
   CheckIcon,
   ExclamationTriangleIcon,
   ShieldCheckIcon,
@@ -37,6 +36,7 @@ import { Header2 } from "~/components/primitives/Headers";
 import { Paragraph } from "~/components/primitives/Paragraph";
 import { Spinner } from "~/components/primitives/Spinner";
 import { TextArea } from "~/components/primitives/TextArea";
+import { TextLink } from "~/components/primitives/TextLink";
 import { SimpleTooltip } from "~/components/primitives/Tooltip";
 import { prisma } from "~/db.server";
 import { redirectWithErrorMessage } from "~/models/message.server";
@@ -237,6 +237,11 @@ const pricingDefinitions = {
     title: "Query period",
     content: "The maximum number of days a query can look back when analyzing your task data.",
   },
+  hipaaBaa: {
+    title: "HIPAA BAA",
+    content:
+      "A signed Business Associate Agreement (BAA) is required to run tasks that process Protected Health Information (PHI) on Trigger.dev Cloud.",
+  },
 };
 
 type PricingPlansProps = {
@@ -317,9 +322,6 @@ export function TierFree({
     <TierContainer>
       <div className="relative">
         <PricingHeader title={plan.title} cost={0} />
-        <TierLimit href="https://trigger.dev/pricing#computePricing">
-          ${plan.limits.includedUsage / 100} free monthly usage
-        </TierLimit>
         {showGithubVerificationBadge && status === "approved" && (
           <SimpleTooltip
             buttonClassName="absolute right-1 top-1"
@@ -351,7 +353,6 @@ export function TierFree({
       </div>
       {status === "rejected" ? (
         <div>
-          <hr className="my-6 border-grid-bright" />
           <div className="flex flex-col gap-2 rounded-sm border border-warning p-4">
             <ExclamationTriangleIcon className="size-6 text-warning" />
             <Paragraph variant="small/bright">
@@ -533,6 +534,16 @@ export function TierFree({
             </Form>
           )}
           <ul className="flex flex-col gap-2.5">
+            <FeatureItem checked>
+              <DefinitionTip
+                title="Free credits"
+                content={`You get $${
+                  plan.limits.includedUsage / 100
+                } of compute each month for free. Requires a verified GitHub account.`}
+              >
+                ${plan.limits.includedUsage / 100} / month free credits
+              </DefinitionTip>
+            </FeatureItem>
             <ConcurrentRuns limits={plan.limits} />
             <FeatureItem checked>
               Unlimited{" "}
@@ -584,9 +595,6 @@ export function TierHobby({
   return (
     <TierContainer isHighlighted={isHighlighted}>
       <PricingHeader title={plan.title} isHighlighted={isHighlighted} cost={plan.tierPrice} />
-      <TierLimit href="https://trigger.dev/pricing#computePricing">
-        ${plan.limits.includedUsage / 100} usage included
-      </TierLimit>
       <Form action={formAction} method="post" id="subscribe-hobby" className="py-6">
         <input type="hidden" name="type" value="paid" />
         <input type="hidden" name="planCode" value={plan.code} />
@@ -652,6 +660,24 @@ export function TierHobby({
         )}
       </Form>
       <ul className="flex flex-col gap-2.5">
+        <FeatureItem checked>
+          <DefinitionTip
+            disableHoverableContent={false}
+            title="Credits included"
+            content={
+              <Paragraph variant="small/dimmed" spacing>
+                This plan includes ${plan.limits.includedUsage / 100} of compute each month. After
+                that's used, tasks keep running and you're billed per our{" "}
+                <TextLink target="_blank" to="https://trigger.dev/pricing#computePricing">
+                  compute usage rates
+                </TextLink>
+                .
+              </Paragraph>
+            }
+          >
+            ${plan.limits.includedUsage / 100} / month credits included
+          </DefinitionTip>
+        </FeatureItem>
         <ConcurrentRuns limits={plan.limits} />
         <FeatureItem checked>
           Unlimited{" "}
@@ -672,6 +698,16 @@ export function TierHobby({
         <SupportLevel limits={plan.limits} />
         <Alerts limits={plan.limits} />
         <RealtimeConcurrency limits={plan.limits} />
+        <HIPAAAddOn>
+          <Feedback
+            defaultValue="hipaa"
+            button={
+              <span className="cursor-pointer underline decoration-charcoal-500 underline-offset-4 transition hover:decoration-text-bright">
+                Request a BAA
+              </span>
+            }
+          />
+        </HIPAAAddOn>
       </ul>
     </TierContainer>
   );
@@ -701,9 +737,6 @@ export function TierPro({
   return (
     <TierContainer>
       <PricingHeader title={plan.title} cost={plan.tierPrice} />
-      <TierLimit href="https://trigger.dev/pricing#computePricing">
-        ${plan.limits.includedUsage / 100} usage included
-      </TierLimit>
       <Form action={formAction} method="post" id="subscribe-pro">
         <div className="py-6">
           <input type="hidden" name="type" value="paid" />
@@ -773,6 +806,24 @@ export function TierPro({
         </div>
       </Form>
       <ul className="flex flex-col gap-2.5">
+        <FeatureItem checked>
+          <DefinitionTip
+            disableHoverableContent={false}
+            title="Credits included"
+            content={
+              <Paragraph variant="small/dimmed" spacing>
+                This plan includes ${plan.limits.includedUsage / 100} of compute each month. After
+                that's used, tasks keep running and you're billed per our{" "}
+                <TextLink target="_blank" to="https://trigger.dev/pricing#computePricing">
+                  compute usage rates
+                </TextLink>
+                .
+              </Paragraph>
+            }
+          >
+            ${plan.limits.includedUsage / 100} / month credits included
+          </DefinitionTip>
+        </FeatureItem>
         <ConcurrentRuns limits={plan.limits}>
           {`Then ${formatCurrency(concurrencyAddOnPricing.centsPerStep / 100, true)}/month per ${
             concurrencyAddOnPricing.stepSize
@@ -801,6 +852,16 @@ export function TierPro({
         <RealtimeConcurrency limits={plan.limits}>
           {pricingDefinitions.additionalRealtimeConnections.content}
         </RealtimeConcurrency>
+        <HIPAAAddOn>
+          <Feedback
+            defaultValue="hipaa"
+            button={
+              <span className="cursor-pointer underline decoration-charcoal-500 underline-offset-4 transition hover:decoration-text-bright">
+                Request a BAA
+              </span>
+            }
+          />
+        </HIPAAAddOn>
       </ul>
     </TierContainer>
   );
@@ -809,41 +870,12 @@ export function TierPro({
 export function TierEnterprise() {
   return (
     <TierContainer>
-      <div className="flex w-full flex-col items-center justify-between gap-4 lg:flex-row">
-        <div className="flex w-full flex-wrap items-center justify-between gap-2 lg:flex-nowrap">
-          <div className="-mt-1 mb-2 flex w-full flex-col gap-2 lg:mb-0 lg:gap-0.5">
-            <h2 className="text-xl font-medium text-text-dimmed">Enterprise</h2>
-            <hr className="my-2 block border-grid-dimmed lg:hidden" />
-            <p className="whitespace-nowrap font-sans text-lg font-normal text-text-bright lg:text-sm">
-              Tailor a custom plan
-            </p>
-          </div>
-          <ul className="flex w-full flex-col gap-y-3 lg:gap-y-1">
-            <FeatureItem checked checkedColor="bright">
-              All Pro plan features +
-            </FeatureItem>
-            <FeatureItem checked checkedColor="bright">
-              Custom log retention
-            </FeatureItem>
-          </ul>
-          <ul className="flex w-full flex-col gap-y-3 lg:gap-y-1">
-            <FeatureItem checked checkedColor="bright">
-              Priority support
-            </FeatureItem>
-            <FeatureItem checked checkedColor="bright">
-              Role-based access control
-            </FeatureItem>
-          </ul>
-          <ul className="flex w-full flex-col gap-y-3 lg:gap-y-1">
-            <FeatureItem checked checkedColor="bright">
-              SOC 2 report
-            </FeatureItem>
-            <FeatureItem checked checkedColor="bright">
-              SSO
-            </FeatureItem>
-          </ul>
+      <div className="mb-4 flex w-full flex-col items-start justify-between gap-4 lg:flex-row lg:items-center">
+        <div className="flex flex-col gap-0.5">
+          <h2 className="text-xl font-medium text-text-dimmed">Enterprise</h2>
+          <p className="font-sans text-lg font-normal text-text-bright">Tailor a custom plan</p>
         </div>
-        <div className="w-full lg:max-w-[16rem]">
+        <div className="w-full lg:w-auto lg:max-w-[16rem]">
           <Feedback
             defaultValue="enterprise"
             button={
@@ -854,6 +886,44 @@ export function TierEnterprise() {
           />
         </div>
       </div>
+      <div className="flex w-full flex-wrap items-start justify-between gap-2 lg:flex-nowrap">
+        <ul className="flex w-full flex-col gap-y-3 lg:gap-y-1">
+          <FeatureItem checked checkedColor="bright">
+            All Pro plan features +
+          </FeatureItem>
+          <FeatureItem checked checkedColor="bright">
+            Custom log retention
+          </FeatureItem>
+        </ul>
+        <ul className="flex w-full flex-col gap-y-3 lg:gap-y-1">
+          <FeatureItem checked checkedColor="bright">
+            Priority support
+          </FeatureItem>
+          <FeatureItem checked checkedColor="bright">
+            Role-based access control
+          </FeatureItem>
+        </ul>
+        <ul className="flex w-full flex-col gap-y-3 lg:gap-y-1">
+          <FeatureItem checked checkedColor="bright">
+            SOC 2 report
+          </FeatureItem>
+          <FeatureItem checked checkedColor="bright">
+            SSO
+          </FeatureItem>
+        </ul>
+        <ul className="flex w-full flex-col gap-y-3 lg:gap-y-1">
+          <HIPAAAddOn checkedColor="bright">
+            <Feedback
+              defaultValue="hipaa"
+              button={
+                <span className="cursor-pointer underline decoration-charcoal-500 underline-offset-4 transition hover:decoration-text-bright">
+                  Request a BAA
+                </span>
+              }
+            />
+          </HIPAAAddOn>
+        </ul>
+      </div>
     </TierContainer>
   );
 }
@@ -921,36 +991,6 @@ function PricingHeader({
   );
 }
 
-function TierLimit({ children, href }: { children: React.ReactNode; href?: string }) {
-  return (
-    <>
-      <hr className="my-6 border-grid-bright" />
-      {href ? (
-        <SimpleTooltip
-          buttonClassName="text-left w-fit"
-          disableHoverableContent
-          button={
-            <a
-              href={href}
-              className="text-left font-sans text-lg font-normal text-text-bright underline decoration-charcoal-500 underline-offset-4 transition hover:decoration-text-bright"
-            >
-              {children}
-            </a>
-          }
-          content={
-            <div className="flex items-center gap-1">
-              <Paragraph variant="small">View compute pricing information</Paragraph>
-              <ArrowUpRightIcon className="size-4 text-text-dimmed" />
-            </div>
-          }
-        />
-      ) : (
-        <div className="font-sans text-lg font-normal text-text-bright">{children}</div>
-      )}
-    </>
-  );
-}
-
 function FeatureItem({
   checked,
   checkedColor = "primary",
@@ -1100,7 +1140,7 @@ function LogRetention({ limits }: { limits: Limits }) {
 function SupportLevel({ limits }: { limits: Limits }) {
   return (
     <FeatureItem checked>
-      {limits.support === "community" ? "Community support" : "Dedicated Slack support"}
+      {limits.support === "community" ? "Community support" : "Priority support"}
     </FeatureItem>
   );
 }
@@ -1206,6 +1246,31 @@ function QueryPeriod({ limits }: { limits: Limits }) {
   );
 }
 
+function HIPAAAddOn({
+  children,
+  checkedColor = "primary",
+}: {
+  children?: React.ReactNode;
+  checkedColor?: "primary" | "bright";
+}) {
+  return (
+    <FeatureItem checked checkedColor={checkedColor}>
+      <div className="flex flex-col gap-y-0.5">
+        <div>
+          <DefinitionTip
+            title={pricingDefinitions.hipaaBaa.title}
+            content={pricingDefinitions.hipaaBaa.content}
+          >
+            HIPAA BAA
+          </DefinitionTip>{" "}
+          add-on
+        </div>
+        {children && <span className="text-xs text-text-dimmed">{children}</span>}
+      </div>
+    </FeatureItem>
+  );
+}
+
 function Branches({ limits, children }: { limits: Limits; children?: React.ReactNode }) {
   return (
     <FeatureItem checked={limits.branches.number > 0}>
diff --git a/apps/webapp/app/routes/resources.platform-changelogs.tsx b/apps/webapp/app/routes/resources.platform-changelogs.tsx
index 8eeabd6b047..ed62de3c1df 100644
--- a/apps/webapp/app/routes/resources.platform-changelogs.tsx
+++ b/apps/webapp/app/routes/resources.platform-changelogs.tsx
@@ -2,6 +2,7 @@ import { json } from "@remix-run/node";
 import type { LoaderFunctionArgs } from "@remix-run/node";
 import { useFetcher, type ShouldRevalidateFunction } from "@remix-run/react";
 import { useEffect, useRef } from "react";
+import { logger } from "~/services/logger.server";
 import { requireUserId } from "~/services/session.server";
 import { getRecentChangelogs, verifyOrgMembership } from "~/services/platformNotifications.server";
 
@@ -12,20 +13,29 @@ export type PlatformChangelogsLoaderData = {
 };
 
 export async function loader({ request }: LoaderFunctionArgs) {
-  const userId = await requireUserId(request);
-  const url = new URL(request.url);
-  const rawOrganizationId = url.searchParams.get("organizationId") ?? undefined;
-  const rawProjectId = url.searchParams.get("projectId") ?? undefined;
+  try {
+    const userId = await requireUserId(request);
+    const url = new URL(request.url);
+    const rawOrganizationId = url.searchParams.get("organizationId") ?? undefined;
+    const rawProjectId = url.searchParams.get("projectId") ?? undefined;
 
-  const { organizationId, projectId } = await verifyOrgMembership({
-    userId,
-    organizationId: rawOrganizationId,
-    projectId: rawProjectId,
-  });
+    const { organizationId, projectId } = await verifyOrgMembership({
+      userId,
+      organizationId: rawOrganizationId,
+      projectId: rawProjectId,
+    });
 
-  const changelogs = await getRecentChangelogs({ userId, organizationId, projectId });
+    const changelogs = await getRecentChangelogs({ userId, organizationId, projectId });
 
-  return json<PlatformChangelogsLoaderData>({ changelogs });
+    return json<PlatformChangelogsLoaderData>({ changelogs });
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to load platform changelogs", { error });
+    // Polling widget — degrade silently so a transient DB blip doesn't paint
+    // the dashboard with errors every 60s. Empty payload keeps the consumer's
+    // fetcher.data shape stable; the fault is recorded server-side.
+    return json<PlatformChangelogsLoaderData>({ changelogs: [] });
+  }
 }
 
 const POLL_INTERVAL_MS = 60_000;
diff --git a/apps/webapp/app/routes/resources.runs.$runParam.logs.download.ts b/apps/webapp/app/routes/resources.runs.$runParam.logs.download.ts
index f3f21fc15b6..7cda5ac7824 100644
--- a/apps/webapp/app/routes/resources.runs.$runParam.logs.download.ts
+++ b/apps/webapp/app/routes/resources.runs.$runParam.logs.download.ts
@@ -1,19 +1,31 @@
 import { LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { prisma } from "~/db.server";
+import { env } from "~/env.server";
 import { requireUser } from "~/services/session.server";
-import { v3RunParamsSchema } from "~/utils/pathBuilder";
-import type { RunPreparedEvent } from "~/v3/eventRepository/eventRepository.types";
+import { v3RunParamsSchema, v3RunPath } from "~/utils/pathBuilder";
 import { createGzip } from "zlib";
 import { Readable } from "stream";
-import { formatDurationMilliseconds } from "@trigger.dev/core/v3/utils/durations";
 import { getTaskEventStoreTableForRun } from "~/v3/taskEventStore.server";
-import { TaskEventKind } from "@trigger.dev/database";
-import { resolveEventRepositoryForStore } from "~/v3/eventRepository/index.server";
+import { getEventRepositoryForStore } from "~/v3/eventRepository/index.server";
+import {
+  getTraceExportFormat,
+  streamTraceExport,
+  type TraceExportContext,
+} from "~/v3/eventRepository/traceExport.server";
+import { getMollifierBuffer } from "~/v3/mollifier/mollifierBuffer.server";
 
 export async function loader({ params, request }: LoaderFunctionArgs) {
   const user = await requireUser(request);
   const parsedParams = v3RunParamsSchema.pick({ runParam: true }).parse(params);
 
+  const url = new URL(request.url);
+  // ?format=log|jsonl|markdown (default log). ?showDebug=true includes internal
+  // engine debug events; these stay admin-only (matching the admin-gated Debug
+  // toggle in the trace view) and are off by default.
+  const format = getTraceExportFormat(url.searchParams.get("format"));
+  const showDebug = url.searchParams.get("showDebug") === "true" && user.admin;
+  const filename = `${parsedParams.runParam}.${format.extension}`;
+
   const run = await prisma.taskRun.findFirst({
     where: {
       friendlyId: parsedParams.runParam,
@@ -27,101 +39,93 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
         },
       },
     },
+    select: {
+      friendlyId: true,
+      traceId: true,
+      organizationId: true,
+      runtimeEnvironmentId: true,
+      createdAt: true,
+      completedAt: true,
+      taskEventStore: true,
+      taskIdentifier: true,
+      project: { select: { slug: true, organization: { select: { slug: true } } } },
+      runtimeEnvironment: { select: { slug: true } },
+    },
   });
 
-  if (!run) {
+  if (!run || !run.organizationId) {
+    // Buffered run? It hasn't executed, so there's no trace to stream — but a
+    // 404 is wrong: the run does exist, the customer's "Download trace" button
+    // on the run-detail page generates this exact URL, and a 404 reads as "your
+    // run vanished" rather than "no trace yet". Verify the entry exists in the
+    // buffer (with the user as a member of the entry's org), and if so stream a
+    // single informational line instead of a 0-byte mystery.
+    const buffer = getMollifierBuffer();
+    if (buffer) {
+      const entry = await buffer.getEntry(parsedParams.runParam);
+      if (entry) {
+        const member = await prisma.orgMember.findFirst({
+          where: { userId: user.id, organizationId: entry.orgId },
+          select: { id: true },
+        });
+        if (member) {
+          return streamGzipText(
+            `Run ${parsedParams.runParam} is queued and has not started executing yet — no trace to download.\n`,
+            filename
+          );
+        }
+      }
+    }
     return new Response("Not found", { status: 404 });
   }
 
-  const eventRepository = resolveEventRepositoryForStore(run.taskEventStore);
+  const eventRepository = await getEventRepositoryForStore(
+    run.taskEventStore,
+    run.organizationId
+  );
 
-  const runEvents = await eventRepository.getRunEvents(
+  // Stream the trace straight from the store to the gzip response, one event at
+  // a time, never materialising the full set or building a tree. This keeps the
+  // download bounded in memory and non-blocking regardless of how large the
+  // trace is. The chosen format renders each event as it streams through.
+  const events = eventRepository.streamTraceEvents(
     getTaskEventStoreTableForRun(run),
     run.runtimeEnvironmentId,
     run.traceId,
-    run.friendlyId,
     run.createdAt,
-    run.completedAt ?? undefined
+    run.completedAt ?? undefined,
+    { includeDebugLogs: showDebug }
   );
 
-  // Create a Readable stream from the runEvents array
-  const readable = new Readable({
-    read() {
-      runEvents.forEach((event) => {
-        try {
-          if (!user.admin && event.kind === TaskEventKind.LOG) {
-            // Only return debug logs for admins
-            return;
-          }
-          this.push(formatRunEvent(event) + "\n");
-        } catch {}
-      });
-      this.push(null); // End of stream
-    },
-  });
-
-  // Create a gzip transform stream
-  const gzip = createGzip();
+  const context: TraceExportContext = {
+    runFriendlyId: run.friendlyId,
+    traceId: run.traceId,
+    taskIdentifier: run.taskIdentifier,
+    runUrl: `${env.APP_ORIGIN}${v3RunPath(
+      run.project.organization,
+      run.project,
+      run.runtimeEnvironment,
+      { friendlyId: run.friendlyId }
+    )}`,
+  };
+
+  return streamGzipText(streamTraceExport(events, format, context), filename);
+}
 
-  // Pipe the readable stream into the gzip stream
-  const compressedStream = readable.pipe(gzip);
+function streamGzipText(source: string | AsyncIterable<string>, filename: string): Response {
+  // `Readable.from` handles both a single string and an async generator. For
+  // the generator case it pulls lazily under backpressure, so a large trace is
+  // never fully materialised in memory — gzip drains it as fast as the client
+  // reads, and the generator pauses in between.
+  const readable = typeof source === "string" ? Readable.from([source]) : Readable.from(source);
+  const compressedStream = readable.pipe(createGzip());
 
-  // Return the response with the compressed stream
   return new Response(compressedStream as any, {
     status: 200,
     headers: {
       "Content-Type": "application/octet-stream",
-      "Content-Disposition": `attachment; filename="${parsedParams.runParam}.log"`,
+      "Content-Disposition": `attachment; filename="${filename}"`,
       "Content-Encoding": "gzip",
     },
   });
 }
-
-function formatRunEvent(event: RunPreparedEvent): string {
-  const entries = [];
-  const parts: string[] = [];
-
-  parts.push(getDateFromNanoseconds(event.startTime).toISOString());
-
-  if (event.taskSlug) {
-    parts.push(event.taskSlug);
-  }
-
-  parts.push(event.level);
-  parts.push(event.message);
-
-  if (event.level === "TRACE") {
-    parts.push(`(${formatDurationMilliseconds(event.duration / 1_000_000)})`);
-  }
-
-  entries.push(parts.join(" "));
-
-  if (event.events) {
-    for (const subEvent of event.events) {
-      if (subEvent.name === "exception") {
-        const subEventParts: string[] = [];
-
-        subEventParts.push(subEvent.time as unknown as string);
-
-        if (event.taskSlug) {
-          subEventParts.push(event.taskSlug);
-        }
-
-        subEventParts.push(subEvent.name);
-        subEventParts.push((subEvent.properties as any).exception.message);
-
-        if ((subEvent.properties as any).exception.stack) {
-          subEventParts.push((subEvent.properties as any).exception.stack);
-        }
-
-        entries.push(subEventParts.join(" "));
-      }
-    }
-  }
-
-  return entries.join("\n");
-}
-
-function getDateFromNanoseconds(nanoseconds: bigint) {
-  return new Date(Number(nanoseconds) / 1_000_000);
-}
diff --git a/apps/webapp/app/routes/resources.sessions.$sessionParam.close.ts b/apps/webapp/app/routes/resources.sessions.$sessionParam.close.ts
new file mode 100644
index 00000000000..27ffec56716
--- /dev/null
+++ b/apps/webapp/app/routes/resources.sessions.$sessionParam.close.ts
@@ -0,0 +1,98 @@
+import { parse } from "@conform-to/zod";
+import { type ActionFunction, json } from "@remix-run/node";
+import { z } from "zod";
+import { $replica, prisma } from "~/db.server";
+import { redirectWithErrorMessage, redirectWithSuccessMessage } from "~/models/message.server";
+import { resolveSessionByIdOrExternalId } from "~/services/realtime/sessions.server";
+import { logger } from "~/services/logger.server";
+import { requireUserId } from "~/services/session.server";
+
+export const closeSessionSchema = z.object({
+  redirectUrl: z.string(),
+  environmentId: z.string(),
+  reason: z.string().optional(),
+});
+
+const ParamSchema = z.object({
+  sessionParam: z.string(),
+});
+
+export const action: ActionFunction = async ({ request, params }) => {
+  const userId = await requireUserId(request);
+  const { sessionParam } = ParamSchema.parse(params);
+
+  const formData = await request.formData();
+  const submission = parse(formData, { schema: closeSessionSchema });
+
+  if (!submission.value) {
+    return json(submission);
+  }
+
+  const { redirectUrl, environmentId, reason } = submission.value;
+  const trimmedReason = reason?.trim();
+  const closedReason =
+    trimmedReason && trimmedReason.length > 0 ? trimmedReason : "closed-from-dashboard";
+
+  try {
+    // Confirm the user belongs to the org that owns this environment, then
+    // resolve the session by friendlyId or externalId scoped to that env.
+    const environment = await $replica.runtimeEnvironment.findFirst({
+      where: {
+        id: environmentId,
+        organization: { members: { some: { userId } } },
+      },
+      select: { id: true },
+    });
+
+    if (!environment) {
+      submission.error = { environmentId: ["Environment not found"] };
+      return json(submission);
+    }
+
+    const session = await resolveSessionByIdOrExternalId(
+      $replica,
+      environment.id,
+      sessionParam
+    );
+
+    if (!session) {
+      submission.error = { sessionParam: ["Session not found"] };
+      return json(submission);
+    }
+
+    if (session.closedAt) {
+      // Already closed — no-op, but redirect with a friendly message so the
+      // UI doesn't look like it did nothing.
+      return redirectWithSuccessMessage(redirectUrl, request, `Session already closed`);
+    }
+
+    // Conditional update mirrors the public API: two concurrent closes race
+    // through the read but only one wins this update.
+    await prisma.session.updateMany({
+      where: { id: session.id, closedAt: null },
+      data: {
+        closedAt: new Date(),
+        closedReason,
+      },
+    });
+
+    return redirectWithSuccessMessage(redirectUrl, request, `Closed session`);
+  } catch (error) {
+    if (error instanceof Error) {
+      logger.error("Failed to close session", {
+        error: { name: error.name, message: error.message, stack: error.stack },
+      });
+      return redirectWithErrorMessage(
+        redirectUrl,
+        request,
+        `Failed to close session, ${error.message}`
+      );
+    }
+    logger.error("Failed to close session", { error });
+    return redirectWithErrorMessage(
+      redirectUrl,
+      request,
+      `Failed to close session, ${JSON.stringify(error)}`
+    );
+  }
+};
diff --git a/apps/webapp/app/routes/resources.taskruns.$runParam.cancel.ts b/apps/webapp/app/routes/resources.taskruns.$runParam.cancel.ts
index 240d7d3d8ed..fa6ee29f3db 100644
--- a/apps/webapp/app/routes/resources.taskruns.$runParam.cancel.ts
+++ b/apps/webapp/app/routes/resources.taskruns.$runParam.cancel.ts
@@ -6,6 +6,7 @@ import { redirectWithErrorMessage, redirectWithSuccessMessage } from "~/models/m
 import { logger } from "~/services/logger.server";
 import { requireUserId } from "~/services/session.server";
 import { CancelTaskRunService } from "~/v3/services/cancelTaskRun.server";
+import { getMollifierBuffer } from "~/v3/mollifier/mollifierBuffer.server";
 
 export const cancelSchema = z.object({
   redirectUrl: z.string(),
@@ -42,15 +43,56 @@ export const action: ActionFunction = async ({ request, params }) => {
       },
     });
 
-    if (!taskRun) {
+    if (taskRun) {
+      const cancelRunService = new CancelTaskRunService();
+      await cancelRunService.call(taskRun);
+      return redirectWithSuccessMessage(submission.value.redirectUrl, request, `Canceled run`);
+    }
+
+    // PG miss — try the mollifier buffer. The customer can hit cancel
+    // on a buffered run from the dashboard during the burst window.
+    // Snapshot a `mark_cancelled` patch; the drainer's
+    // bifurcation routes the run to `engine.createCancelledRun` on
+    // next pop.
+    const buffer = getMollifierBuffer();
+    const entry = buffer ? await buffer.getEntry(runParam) : null;
+    if (!entry) {
       submission.error = { runParam: ["Run not found"] };
       return json(submission);
     }
 
-    const cancelRunService = new CancelTaskRunService();
-    await cancelRunService.call(taskRun);
+    // Dashboard auth: verify the requesting user is a member of the
+    // buffered run's org. The API path scopes by env id from the
+    // authenticated request; the dashboard route uses org-membership
+    // because the URL doesn't carry an envId.
+    const member = await prisma.orgMember.findFirst({
+      where: { userId, organizationId: entry.orgId },
+      select: { id: true },
+    });
+    if (!member) {
+      submission.error = { runParam: ["Run not found"] };
+      return json(submission);
+    }
 
-    return redirectWithSuccessMessage(submission.value.redirectUrl, request, `Canceled run`);
+    const result = await buffer!.mutateSnapshot(runParam, {
+      type: "mark_cancelled",
+      cancelledAt: new Date().toISOString(),
+      cancelReason: "Canceled by user",
+    });
+    if (result === "applied_to_snapshot") {
+      return redirectWithSuccessMessage(submission.value.redirectUrl, request, `Canceled run`);
+    }
+    // "not_found" or "busy" — both indicate the drainer raced us between
+    // the getEntry check above and mutateSnapshot. On "not_found" the
+    // entry was just popped and the PG row is in flight; on "busy" the
+    // drainer is mid-materialisation. Either way the customer should
+    // retry — by then the PG row exists and the regular cancel path at
+    // the top of this action takes over.
+    return redirectWithErrorMessage(
+      submission.value.redirectUrl,
+      request,
+      "Run is materialising — retry in a moment"
+    );
   } catch (error) {
     if (error instanceof Error) {
       logger.error("Failed to cancel run", {
diff --git a/apps/webapp/app/routes/resources.taskruns.$runParam.replay.ts b/apps/webapp/app/routes/resources.taskruns.$runParam.replay.ts
index 8a22822d06b..631bd5ece52 100644
--- a/apps/webapp/app/routes/resources.taskruns.$runParam.replay.ts
+++ b/apps/webapp/app/routes/resources.taskruns.$runParam.replay.ts
@@ -11,7 +11,14 @@ import { requireUser } from "~/services/session.server";
 import { sortEnvironments } from "~/utils/environmentSort";
 import { v3RunSpanPath } from "~/utils/pathBuilder";
 import { ReplayTaskRunService } from "~/v3/services/replayTaskRun.server";
+import { getMollifierBuffer } from "~/v3/mollifier/mollifierBuffer.server";
+import { findRunByIdWithMollifierFallback } from "~/v3/mollifier/readFallback.server";
+import {
+  buildSyntheticReplayTaskRun,
+  type SyntheticReplayTaskRun,
+} from "~/v3/mollifier/syntheticReplayTaskRun.server";
 import parseDuration from "parse-duration";
+import { baseWorkerQueue } from "~/runEngine/concerns/workerQueueSplit.server";
 import { findCurrentWorkerDeployment } from "~/v3/models/workerDeployment.server";
 import { queueTypeFromType } from "~/presenters/v3/QueueRetrievePresenter.server";
 import { ReplayRunData } from "~/v3/replayTask";
@@ -33,7 +40,7 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
     Object.fromEntries(new URL(request.url).searchParams)
   );
 
-  const run = await $replica.taskRun.findFirst({
+  let run = await $replica.taskRun.findFirst({
     select: {
       payload: true,
       payloadType: true,
@@ -88,6 +95,83 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
     where: { friendlyId: runParam, project: { organization: { members: { some: { userId } } } } },
   });
 
+  let synthetic:
+    | (Awaited<ReturnType<typeof findRunByIdWithMollifierFallback>> & { __synth: true })
+    | undefined;
+  if (!run) {
+    // Buffered fallback: read the snapshot and look up the env list via
+    // the snapshot's organizationId. Without this the Replay dialog
+    // 404s for runs queued in the mollifier buffer, which dumps the
+    // user back to the task list.
+    const buffer = getMollifierBuffer();
+    const entry = buffer ? await buffer.getEntry(runParam) : null;
+    if (!entry) throw new Response("Not Found", { status: 404 });
+    const member = await prisma.orgMember.findFirst({
+      where: { userId, organizationId: entry.orgId },
+      select: { id: true },
+    });
+    if (!member) throw new Response("Not Found", { status: 404 });
+    const buffered = await findRunByIdWithMollifierFallback({
+      runId: runParam,
+      environmentId: entry.envId,
+      organizationId: entry.orgId,
+    });
+    if (!buffered) throw new Response("Not Found", { status: 404 });
+    synthetic = Object.assign(buffered, { __synth: true as const });
+    // Scope the project lookup to the buffer entry's org as well as the
+    // env id. The prior `orgMember.findFirst` above confirms the user
+    // belongs to `entry.orgId`; pinning `organizationId` here means a
+    // malformed entry whose envId resolves to a different org can't leak
+    // that project's data through this loader. Mirrors the PG path's
+    // `project.organization.members.some.userId` scoping (lines 42-95)
+    // — the env filter and select shape are kept identical so the Replay
+    // dialog renders the same dropdown either way.
+    const orgProject = await $replica.project.findFirst({
+      where: {
+        organizationId: entry.orgId,
+        environments: { some: { id: entry.envId } },
+      },
+      select: {
+        slug: true,
+        environments: {
+          select: {
+            id: true,
+            type: true,
+            slug: true,
+            branchName: true,
+            orgMember: { select: { user: true } },
+          },
+          where: {
+            archivedAt: null,
+            OR: [
+              { type: { in: ["PREVIEW", "STAGING", "PRODUCTION"] } },
+              { type: "DEVELOPMENT", orgMember: { userId } },
+            ],
+          },
+        },
+      },
+    });
+    if (!orgProject) throw new Response("Not Found", { status: 404 });
+    run = {
+      payload: buffered.payload,
+      payloadType: buffered.payloadType ?? "application/json",
+      seedMetadata: buffered.seedMetadata ?? null,
+      seedMetadataType: buffered.seedMetadataType ?? null,
+      runtimeEnvironmentId: entry.envId,
+      concurrencyKey: buffered.concurrencyKey ?? null,
+      maxAttempts: buffered.maxAttempts ?? null,
+      maxDurationInSeconds: buffered.maxDurationInSeconds ?? null,
+      machinePreset: buffered.machinePreset ?? null,
+      workerQueue: buffered.workerQueue ?? null,
+      ttl: buffered.ttl ?? null,
+      idempotencyKey: buffered.idempotencyKey ?? null,
+      runTags: buffered.runTags,
+      queue: buffered.queue ?? "task/",
+      taskIdentifier: buffered.taskIdentifier ?? "",
+      project: orgProject,
+    } as unknown as typeof run;
+  }
+
   if (!run) {
     throw new Response("Not Found", { status: 404 });
   }
@@ -126,7 +210,7 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
     maxAttempts: run.maxAttempts,
     maxDurationSeconds: run.maxDurationInSeconds,
     machinePreset: run.machinePreset,
-    region: environment.type === "DEVELOPMENT" ? undefined : run.workerQueue,
+    region: environment.type === "DEVELOPMENT" ? undefined : baseWorkerQueue(run.workerQueue),
     regions: regionsResult.regions,
     ttlSeconds: run.ttl ? parseDuration(run.ttl, "s") ?? undefined : undefined,
     idempotencyKey: run.idempotencyKey,
@@ -164,6 +248,15 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
 }
 
 export const action: ActionFunction = async ({ request, params }) => {
+  // Dashboard auth: identical pattern to resources.taskruns.$runParam.cancel.ts.
+  // The loader above this action already gates with `requireUser`, but
+  // Remix's action runs independently — without this call any request
+  // with a valid runParam could submit a replay. The PG findFirst below
+  // also adds the org-membership filter so a PAT can't replay another
+  // org's run, and the buffered fallback verifies org membership via
+  // orgMember.findFirst against the snapshot's orgId.
+  const user = await requireUser(request);
+  const userId = user.id;
   const { runParam } = ParamSchema.parse(params);
 
   const formData = await request.formData();
@@ -174,9 +267,18 @@ export const action: ActionFunction = async ({ request, params }) => {
   }
 
   try {
-    const taskRun = await prisma.taskRun.findFirst({
+    const pgRun = await prisma.taskRun.findFirst({
       where: {
         friendlyId: runParam,
+        project: {
+          organization: {
+            members: {
+              some: {
+                userId,
+              },
+            },
+          },
+        },
       },
       include: {
         runtimeEnvironment: {
@@ -192,6 +294,50 @@ export const action: ActionFunction = async ({ request, params }) => {
       },
     });
 
+    // Mollifier read-fallback: if the original isn't in PG yet,
+    // synthesise a TaskRun from the buffered snapshot. The B4-extended
+    // SyntheticRun carries every field ReplayTaskRunService reads. We
+    // also need projectSlug + orgSlug + envSlug for the redirect path,
+    // so look those up via the snapshot's runtimeEnvironmentId.
+    let taskRun: SyntheticReplayTaskRun | null = pgRun ?? null;
+    if (!taskRun) {
+      const buffer = getMollifierBuffer();
+      const entry = buffer ? await buffer.getEntry(runParam) : null;
+      if (entry) {
+        // Same org-membership gate as the PG path above. Without this
+        // any authenticated user who knows a runId could replay the
+        // buffered run across orgs.
+        const member = await prisma.orgMember.findFirst({
+          where: { userId, organizationId: entry.orgId },
+          select: { id: true },
+        });
+        if (!member) {
+          return redirectWithErrorMessage(
+            submission.value.failedRedirect,
+            request,
+            "Run not found"
+          );
+        }
+        const synthetic = await findRunByIdWithMollifierFallback({
+          runId: runParam,
+          environmentId: entry.envId,
+          organizationId: entry.orgId,
+        });
+        if (synthetic) {
+          const envRow = await prisma.runtimeEnvironment.findFirst({
+            where: { id: entry.envId },
+            select: {
+              slug: true,
+              project: { select: { slug: true, organization: { select: { slug: true } } } },
+            },
+          });
+          if (envRow) {
+            taskRun = buildSyntheticReplayTaskRun({ synthetic, envRow });
+          }
+        }
+      }
+    }
+
     if (!taskRun) {
       return redirectWithErrorMessage(submission.value.failedRedirect, request, "Run not found");
     }
diff --git a/apps/webapp/app/routes/runs.$runParam.ts b/apps/webapp/app/routes/runs.$runParam.ts
index 4a8d7a12d32..b472d7ae8f4 100644
--- a/apps/webapp/app/routes/runs.$runParam.ts
+++ b/apps/webapp/app/routes/runs.$runParam.ts
@@ -28,6 +28,7 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
       },
     },
     select: {
+      spanId: true,
       runtimeEnvironment: {
         select: {
           slug: true,
@@ -57,11 +58,20 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
     );
   }
 
+  // Preserve existing search params from the request, add span if not already set
+  const url = new URL(request.url);
+  const searchParams = url.searchParams;
+
+  if (!searchParams.has("span") && run.spanId) {
+    searchParams.set("span", run.spanId);
+  }
+
   const path = v3RunPath(
     { slug: run.project.organization.slug },
     { slug: run.project.slug },
     { slug: run.runtimeEnvironment.slug },
-    { friendlyId: runParam }
+    { friendlyId: runParam },
+    searchParams
   );
 
   return redirect(path);
diff --git a/apps/webapp/app/routes/storybook.streamdown/route.tsx b/apps/webapp/app/routes/storybook.streamdown/route.tsx
new file mode 100644
index 00000000000..8f2c0d3e89c
--- /dev/null
+++ b/apps/webapp/app/routes/storybook.streamdown/route.tsx
@@ -0,0 +1,117 @@
+import { Suspense } from "react";
+import { StreamdownRenderer } from "~/components/code/StreamdownRenderer";
+import { Header2 } from "~/components/primitives/Headers";
+
+const sampleMarkdown = `# Streamdown Rendering
+
+This is a paragraph with **bold**, *italic*, and \`inline code\` formatting.
+
+## Code Block (TypeScript)
+
+\`\`\`typescript
+import { task } from "@trigger.dev/sdk";
+
+export const myTask = task({
+  id: "my-task",
+  run: async (payload: { message: string }) => {
+    const result = await processMessage(payload.message);
+    this.logger.info("Task completed", { result });
+    return { success: true, count: 42 };
+  },
+});
+\`\`\`
+
+## Code Block (JSON)
+
+\`\`\`json
+{
+  "id": "run_1234",
+  "status": "completed",
+  "output": {
+    "success": true,
+    "count": 42
+  }
+}
+\`\`\`
+
+## Lists
+
+- First item
+- Second item with \`code\`
+- Third item
+
+1. Ordered first
+2. Ordered second
+3. Ordered third
+
+## Table
+
+| Feature | Status | Notes |
+|---------|--------|-------|
+| Syntax highlighting | Done | Custom Shiki theme |
+| Markdown rendering | Done | Streamdown v2 |
+| Lazy loading | Done | SSR safe |
+
+## Blockquote
+
+> This is a blockquote with some **bold** text and a [link](https://trigger.dev).
+
+---
+
+That's all the elements.
+`;
+
+const codeOnlyMarkdown = `Here's a function that demonstrates the color palette:
+
+\`\`\`typescript
+const API_URL = "https://api.trigger.dev";
+const MAX_RETRIES = 3;
+
+interface TaskConfig {
+  id: string;
+  retry: { maxAttempts: number };
+}
+
+export async function executeTask(config: TaskConfig): Promise<boolean> {
+  // Validate the configuration
+  if (!config.id || config.retry.maxAttempts < 1) {
+    throw new Error("Invalid task config");
+  }
+
+  for (let i = 0; i < MAX_RETRIES; i++) {
+    const response = await fetch(\`\${API_URL}/tasks/\${config.id}\`);
+    const data = response.json();
+
+    if (response.ok) {
+      return true;
+    }
+  }
+
+  return false;
+}
+\`\`\`
+`;
+
+export default function Story() {
+  return (
+    <div className="flex flex-col items-start gap-y-8 p-8">
+      <div className="max-w-3xl">
+        <Header2 className="mb-4">Full Markdown</Header2>
+        <div className="streamdown-container rounded-lg border border-charcoal-700 bg-charcoal-900 p-6 text-sm text-text-bright/90">
+          <Suspense fallback={<p className="text-text-dimmed">Loading streamdown...</p>}>
+            <StreamdownRenderer>{sampleMarkdown}</StreamdownRenderer>
+          </Suspense>
+        </div>
+      </div>
+
+      <div className="max-w-3xl">
+        <Header2 className="mb-4">Code Highlighting Theme</Header2>
+        <div className="streamdown-container rounded-lg border border-charcoal-700 bg-charcoal-900 p-6 text-sm text-text-bright/90">
+          <Suspense fallback={<p className="text-text-dimmed">Loading streamdown...</p>}>
+            <StreamdownRenderer>{codeOnlyMarkdown}</StreamdownRenderer>
+          </Suspense>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/apps/webapp/app/routes/storybook/route.tsx b/apps/webapp/app/routes/storybook/route.tsx
index 3efa990548c..423bee7514c 100644
--- a/apps/webapp/app/routes/storybook/route.tsx
+++ b/apps/webapp/app/routes/storybook/route.tsx
@@ -104,6 +104,10 @@ const stories: Story[] = [
     name: "Spinners",
     slug: "spinner",
   },
+  {
+    name: "Streamdown",
+    slug: "streamdown",
+  },
   {
     name: "Switch",
     slug: "switch",
diff --git a/apps/webapp/app/routes/vercel.install.tsx b/apps/webapp/app/routes/vercel.install.tsx
index 86fa6fe1bc8..6a1ca4d7a64 100644
--- a/apps/webapp/app/routes/vercel.install.tsx
+++ b/apps/webapp/app/routes/vercel.install.tsx
@@ -4,7 +4,6 @@ import { z } from "zod";
 import { $replica } from "~/db.server";
 import { requireUser } from "~/services/session.server";
 import { logger } from "~/services/logger.server";
-import { loopsClient } from "~/services/loops.server";
 import { OrgIntegrationRepository } from "~/models/orgIntegration.server";
 import { generateVercelOAuthState } from "~/v3/vercel/vercelOAuthState.server";
 import { findProjectBySlug } from "~/models/project.server";
@@ -66,15 +65,6 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
     projectSlug: project_slug,
   });
 
-  // Send Loops.so event (fire-and-forget, don't block the redirect)
-  loopsClient
-    ?.vercelIntegrationStarted({
-      userId: user.id,
-      email: user.email,
-      name: user.name,
-    })
-    .catch(() => {});
-
   // Generate Vercel install URL
   const vercelInstallUrl = OrgIntegrationRepository.vercelInstallUrl(stateToken);
 
diff --git a/apps/webapp/app/runEngine/concerns/batchLimits.server.ts b/apps/webapp/app/runEngine/concerns/batchLimits.server.ts
index f40088039eb..8cd7bf72c6a 100644
--- a/apps/webapp/app/runEngine/concerns/batchLimits.server.ts
+++ b/apps/webapp/app/runEngine/concerns/batchLimits.server.ts
@@ -32,7 +32,16 @@ function createBatchLimitsRedisClient() {
   return redisClient;
 }
 
-function createOrganizationRateLimiter(organization: Organization): RateLimiter {
+// Just the org fields this module reads. Compatible with both the full
+// Prisma `Organization` payload and the slim `AuthenticatedEnvironment`
+// `["organization"]` shape (when passed `batchRateLimitConfig` /
+// `batchQueueConcurrencyConfig` as `unknown`).
+type OrganizationForBatchLimits = {
+  batchRateLimitConfig?: unknown;
+  batchQueueConcurrencyConfig?: unknown;
+};
+
+function createOrganizationRateLimiter(organization: OrganizationForBatchLimits): RateLimiter {
   const limiterConfig = resolveBatchRateLimitConfig(organization.batchRateLimitConfig);
 
   const limiter = createLimiterFromConfig(limiterConfig);
@@ -72,7 +81,7 @@ function resolveBatchRateLimitConfig(batchRateLimitConfig?: unknown): RateLimite
  * Internally looks up the plan type, but doesn't expose it to callers.
  */
 export async function getBatchLimits(
-  organization: Organization
+  organization: OrganizationForBatchLimits
 ): Promise<{ rateLimiter: RateLimiter; config: BatchLimitsConfig }> {
   const rateLimiter = createOrganizationRateLimiter(organization);
   const config = resolveBatchLimitsConfig(organization.batchQueueConcurrencyConfig);
diff --git a/apps/webapp/app/runEngine/concerns/idempotencyKeys.server.ts b/apps/webapp/app/runEngine/concerns/idempotencyKeys.server.ts
index a6fe5babe2c..493c5c1ce4b 100644
--- a/apps/webapp/app/runEngine/concerns/idempotencyKeys.server.ts
+++ b/apps/webapp/app/runEngine/concerns/idempotencyKeys.server.ts
@@ -1,14 +1,52 @@
 import { RunId } from "@trigger.dev/core/v3/isomorphic";
 import type { PrismaClientOrTransaction, TaskRun } from "@trigger.dev/database";
+import { env } from "~/env.server";
 import { logger } from "~/services/logger.server";
 import { resolveIdempotencyKeyTTL } from "~/utils/idempotencyKeys.server";
+import { ServiceValidationError } from "~/v3/services/common.server";
 import type { RunEngine } from "~/v3/runEngine.server";
 import { shouldIdempotencyKeyBeCleared } from "~/v3/taskStatus";
+import { getMollifierBuffer } from "~/v3/mollifier/mollifierBuffer.server";
+import { findRunByIdWithMollifierFallback } from "~/v3/mollifier/readFallback.server";
+import { claimOrAwait } from "~/v3/mollifier/idempotencyClaim.server";
+import { makeResolveMollifierFlag } from "~/v3/mollifier/mollifierGate.server";
 import type { TraceEventConcern, TriggerTaskRequest } from "../types";
 
+// In-memory per-org mollifier-enabled check, shared with `evaluateGate`
+// (same `Organization.featureFlags` JSON, no DB read). Used to gate the
+// pre-gate claim's Redis round-trip so non-mollifier orgs don't pay it
+// during staged rollout — see the comment above the claim block in
+// handleTriggerRequest.
+const resolveOrgMollifierFlag = makeResolveMollifierFlag();
+
+// Claim ownership context returned to the caller when the
+// IdempotencyKeyConcern won a pre-gate claim. Caller MUST publish the
+// winning runId on pipeline success (`publishClaim`) or release the
+// claim on failure (`releaseClaim`).
+export type ClaimedIdempotency = {
+  envId: string;
+  taskIdentifier: string;
+  idempotencyKey: string;
+  // Ownership token from `claimOrAwait`. The caller's trigger pipeline
+  // MUST thread this into publishClaim/releaseClaim so the buffer's
+  // compare-and-act protects the slot against a stale predecessor.
+  token: string;
+};
+
 export type IdempotencyKeyConcernResult =
   | { isCached: true; run: TaskRun }
-  | { isCached: false; idempotencyKey?: string; idempotencyKeyExpiresAt?: Date };
+  | {
+      isCached: false;
+      idempotencyKey?: string;
+      idempotencyKeyExpiresAt?: Date;
+      // Set when this trigger holds a pre-gate claim. The caller's
+      // trigger pipeline MUST resolve the claim by either publishing
+      // the runId on success or releasing on failure. Undefined when
+      // the request has no idempotency key, when the buffer is
+      // unavailable, or when the request is a triggerAndWait (claim
+      // path skipped per plan doc).
+      claim?: ClaimedIdempotency;
+    };
 
 export class IdempotencyKeyConcern {
   constructor(
@@ -17,6 +55,86 @@ export class IdempotencyKeyConcern {
     private readonly traceEventConcern: TraceEventConcern
   ) {}
 
+  // Buffer-side idempotency dedup. Resolves an idempotency key against the
+  // mollifier buffer when PG missed. Returns a SyntheticRun cast to
+  // TaskRun so the route handler (which only reads run.id / run.friendlyId)
+  // can echo the buffered run's friendlyId as a cached hit. Returns null
+  // for any failure or miss — buffer outages must not 500 the trigger
+  // hot path; we fail open to "no cache hit" and let the request through.
+  private async findBufferedRunWithIdempotency(
+    environmentId: string,
+    organizationId: string,
+    taskIdentifier: string,
+    idempotencyKey: string,
+  ): Promise<TaskRun | null> {
+    const buffer = getMollifierBuffer();
+    if (!buffer) return null;
+
+    let bufferedRunId: string | null;
+    try {
+      bufferedRunId = await buffer.lookupIdempotency({
+        envId: environmentId,
+        taskIdentifier,
+        idempotencyKey,
+      });
+    } catch (err) {
+      logger.error("IdempotencyKeyConcern: buffer lookupIdempotency failed", {
+        environmentId,
+        taskIdentifier,
+        err: err instanceof Error ? err.message : String(err),
+      });
+      return null;
+    }
+    if (!bufferedRunId) return null;
+
+    const synthetic = await findRunByIdWithMollifierFallback({
+      runId: bufferedRunId,
+      environmentId,
+      organizationId,
+    });
+    if (!synthetic) return null;
+    // PG-resident path enforces idempotency-key expiry below
+    // (`existingRun.idempotencyKeyExpiresAt < new Date()` clears the key
+    // and lets a new run go through). The buffer path needs the same
+    // check — without it a customer who passes `idempotencyKeyTTL: "2s"`
+    // gets the cached buffered runId returned indefinitely, because the
+    // buffer entry persists for its own (hours-long) TTL independent of
+    // the customer's key TTL.
+    //
+    // Returning null isn't enough on its own: the trigger pipeline then
+    // proceeds to `mollifyTrigger`, whose `buffer.accept` Lua dedupes by
+    // `(envId, taskIdentifier, idempotencyKey)` via SETNX on the same
+    // `mollifier:idempotency:*` key and would echo the stale runId as
+    // `duplicate_idempotency`. Clear the buffer-side idempotency
+    // binding (both the lookup and any in-flight claim) so the next
+    // accept goes through as a fresh trigger. Mirrors what
+    // `ResetIdempotencyKeyService` does for the explicit
+    // reset-via-API path.
+    if (
+      synthetic.idempotencyKeyExpiresAt &&
+      synthetic.idempotencyKeyExpiresAt < new Date()
+    ) {
+      const buffer = getMollifierBuffer();
+      if (buffer) {
+        try {
+          await buffer.resetIdempotency({
+            envId: environmentId,
+            taskIdentifier,
+            idempotencyKey,
+          });
+        } catch (err) {
+          logger.warn("IdempotencyKeyConcern: failed to reset expired buffer idempotency", {
+            envId: environmentId,
+            taskIdentifier,
+            err: err instanceof Error ? err.message : String(err),
+          });
+        }
+      }
+      return null;
+    }
+    return synthetic as unknown as TaskRun;
+  }
+
   async handleTriggerRequest(
     request: TriggerTaskRequest,
     parentStore: string | undefined
@@ -44,6 +162,25 @@ export class IdempotencyKeyConcern {
         })
       : undefined;
 
+    // Buffer fallback per the mollifier-idempotency design. PG missed —
+    // the same key may belong to a buffered run that hasn't materialised
+    // yet. Skipped when `resumeParentOnCompletion` is set: blocking a
+    // parent on a buffered child via waitpoint requires a PG row that
+    // doesn't exist yet. The follow-up accept's SETNX in mollifyTrigger
+    // still dedupes the trigger itself; the waitpoint just doesn't fire
+    // for this rare race window.
+    if (!existingRun && idempotencyKey && !request.body.options?.resumeParentOnCompletion) {
+      const buffered = await this.findBufferedRunWithIdempotency(
+        request.environment.id,
+        request.environment.organizationId,
+        request.taskId,
+        idempotencyKey,
+      );
+      if (buffered) {
+        return { isCached: true, run: buffered };
+      }
+    }
+
     if (existingRun) {
       // The idempotency key has expired
       if (existingRun.idempotencyKeyExpiresAt && existingRun.idempotencyKeyExpiresAt < new Date()) {
@@ -133,6 +270,135 @@ export class IdempotencyKeyConcern {
       return { isCached: true, run: existingRun };
     }
 
+    // Pre-gate claim — closes the PG+buffer race during gate transition.
+    // All same-key triggers serialise here before evaluateGate decides
+    // PG-pass-through vs mollify. Skipped for triggerAndWait
+    // (resumeParentOnCompletion) — that path bypasses the gate entirely
+    // and its existing PG-side dedup is sufficient.
+    //
+    // Also gated on the same per-org mollifier flag the gate uses: when
+    // `TRIGGER_MOLLIFIER_ENABLED=1` globally for staged rollout, the buffer
+    // singleton is constructed and `claimOrAwait` would otherwise issue a
+    // Redis SETNX for EVERY idempotency-keyed trigger — including orgs
+    // that haven't opted in. Those orgs never enter the mollify branch
+    // (the gate always returns pass_through for them), so there's no
+    // buffer activity to serialise against; PG's unique constraint
+    // already deduplicates concurrent same-key races. Resolving the org
+    // flag is a pure in-memory read of `Organization.featureFlags` — no
+    // DB query, same predicate the gate uses — keeping the claim's Redis
+    // RTT off the hot path for non-opted-in orgs during incremental
+    // rollout.
+    // Match the gate's bypass list (`mollifierGate.server.ts:158-175`).
+    // debounce + oneTimeUseToken triggers always return pass_through from
+    // the gate, so claiming a Redis SETNX here is wasted RTT on the
+    // trigger hot path. Excluding them keeps the claim aligned with the
+    // gate — if the gate would never mollify the request, there's no
+    // buffer to serialise against.
+    const claimEligible =
+      !request.body.options?.resumeParentOnCompletion &&
+      !request.body.options?.debounce &&
+      !request.options?.oneTimeUseToken &&
+      (await resolveOrgMollifierFlag({
+        envId: request.environment.id,
+        orgId: request.environment.organizationId,
+        taskId: request.taskId,
+        orgFeatureFlags:
+          ((request.environment.organization?.featureFlags as
+            | Record<string, unknown>
+            | null
+            | undefined) ?? null),
+      }));
+    if (claimEligible) {
+      const ttlSeconds = Math.max(
+        1,
+        Math.min(
+          env.TRIGGER_MOLLIFIER_CLAIM_TTL_SECONDS,
+          Math.ceil((idempotencyKeyExpiresAt.getTime() - Date.now()) / 1000),
+        ),
+      );
+      const outcome = await claimOrAwait({
+        envId: request.environment.id,
+        taskIdentifier: request.taskId,
+        idempotencyKey,
+        ttlSeconds,
+        safetyNetMs: env.TRIGGER_MOLLIFIER_CLAIM_WAIT_MS,
+        pollStepMs: env.TRIGGER_MOLLIFIER_CLAIM_POLL_MS,
+      });
+      if (outcome.kind === "resolved") {
+        // Another concurrent trigger committed first. Re-resolve via the
+        // existing checks: writer-side PG findFirst first (defeats
+        // replica lag), then buffer fallback for the buffered case.
+        const writerRun = await this.prisma.taskRun.findFirst({
+          where: {
+            runtimeEnvironmentId: request.environment.id,
+            idempotencyKey,
+            taskIdentifier: request.taskId,
+          },
+          include: { associatedWaitpoint: true },
+        });
+        if (writerRun) {
+          return { isCached: true, run: writerRun };
+        }
+        const buffered = await this.findBufferedRunWithIdempotency(
+          request.environment.id,
+          request.environment.organizationId,
+          request.taskId,
+          idempotencyKey,
+        );
+        if (buffered) {
+          return { isCached: true, run: buffered };
+        }
+        // Claim resolved to a runId nothing can find — the run was
+        // genuinely lost (claimant errored after publish, drain failed,
+        // or both the PG row and buffer entry TTL'd out). This is
+        // terminal, not transient: `lookupIdempotency` self-heals a
+        // dangling pointer, and `ack` keeps the entry hash as a
+        // read-fallback past the PG write, so re-polling cannot conjure
+        // a run that is gone. Falling through to a fresh trigger is the
+        // correct recovery.
+        //
+        // Why falling through claimless is safe (no duplicate runs):
+        // concurrent triggers that also fall through here converge on a
+        // single run via the same dedup backstops the claim layer relies
+        // on — the PG unique constraint on the idempotency key
+        // (RunDuplicateIdempotencyKeyError → retry resolves to the
+        // winner) for the pass-through path, and `accept`'s idempotency
+        // SETNX (`duplicate_idempotency`) for the mollify path. Once the
+        // first fall-through commits a run, later callers find it via the
+        // writer-PG / buffer lookups above despite the stale `resolved:`
+        // slot, which the slot's TTL clears within ~30s. The residual
+        // cost is a few redundant (deduped) trigger attempts in that
+        // window, not duplicate runs.
+        logger.warn("idempotency claim resolved but runId not findable", {
+          envId: request.environment.id,
+          taskIdentifier: request.taskId,
+          claimedRunId: outcome.runId,
+        });
+      }
+      if (outcome.kind === "timed_out") {
+        throw new ServiceValidationError(
+          "Idempotency claim resolution timed out",
+          503,
+        );
+      }
+      if (outcome.kind === "claimed") {
+        // Caller MUST publish/release. Signalled via the result's
+        // `claim` field, including the ownership token so the buffer
+        // can compare-and-act on the slot we now own.
+        return {
+          isCached: false,
+          idempotencyKey,
+          idempotencyKeyExpiresAt,
+          claim: {
+            envId: request.environment.id,
+            taskIdentifier: request.taskId,
+            idempotencyKey,
+            token: outcome.token,
+          },
+        };
+      }
+    }
+
     return { isCached: false, idempotencyKey, idempotencyKeyExpiresAt };
   }
 }
diff --git a/apps/webapp/app/runEngine/concerns/queues.server.ts b/apps/webapp/app/runEngine/concerns/queues.server.ts
index eb00bf1c586..dce74d7d1a9 100644
--- a/apps/webapp/app/runEngine/concerns/queues.server.ts
+++ b/apps/webapp/app/runEngine/concerns/queues.server.ts
@@ -15,8 +15,11 @@ import type { RunEngine } from "~/v3/runEngine.server";
 import { env } from "~/env.server";
 import { tryCatch } from "@trigger.dev/core/v3";
 import { ServiceValidationError } from "~/v3/services/common.server";
+import { isInfrastructureError } from "~/utils/prismaErrors";
 import { createCache, createLRUMemoryStore, DefaultStatefulContext, Namespace } from "@internal/cache";
 import { singleton } from "~/utils/singleton";
+import type { TaskMetadataCache, TaskMetadataEntry } from "~/services/taskMetadataCache.server";
+import { taskMetadataCacheInstance } from "~/services/taskMetadataCacheInstance.server";
 
 // LRU cache for environment queue sizes to reduce Redis calls
 const queueSizeCache = singleton("queueSizeCache", () => {
@@ -62,10 +65,18 @@ function extractQueueName(queue: { name?: unknown } | undefined): string | undef
 }
 
 export class DefaultQueueManager implements QueueManager {
+  private readonly replicaPrisma: PrismaClientOrTransaction;
+  private readonly taskMetaCache: TaskMetadataCache;
+
   constructor(
     private readonly prisma: PrismaClientOrTransaction,
-    private readonly engine: RunEngine
-  ) { }
+    private readonly engine: RunEngine,
+    replicaPrisma?: PrismaClientOrTransaction,
+    taskMetaCache: TaskMetadataCache = taskMetadataCacheInstance
+  ) {
+    this.replicaPrisma = replicaPrisma ?? prisma;
+    this.taskMetaCache = taskMetaCache;
+  }
 
   async resolveQueueProperties(
     request: TriggerTaskRequest,
@@ -74,6 +85,7 @@ export class DefaultQueueManager implements QueueManager {
     let queueName: string;
     let lockedQueueId: string | undefined;
     let taskTtl: string | null | undefined;
+    let taskKind: string | undefined;
 
     // Determine queue name based on lockToVersion and provided options
     if (lockedBackgroundWorker) {
@@ -81,7 +93,10 @@ export class DefaultQueueManager implements QueueManager {
       const specifiedQueueName = extractQueueName(request.body.options?.queue);
 
       if (specifiedQueueName) {
-        // A specific queue name is provided, validate it exists for the locked worker
+        // A specific queue name is provided, validate it exists for the locked worker.
+        // Pre-existing query — not cached because TaskQueue rows can be added or
+        // removed independently of BackgroundWorkerTask, and a stale "queue exists"
+        // claim would silently route to the wrong queue.
         const specifiedQueue = await this.prisma.taskQueue.findFirst({
           where: {
             name: specifiedQueueName,
@@ -101,42 +116,45 @@ export class DefaultQueueManager implements QueueManager {
         queueName = specifiedQueue.name;
         lockedQueueId = specifiedQueue.id;
 
-        // Only fetch task for TTL if caller didn't provide a per-trigger TTL
-        if (request.body.options?.ttl === undefined) {
-          const lockedTask = await this.prisma.backgroundWorkerTask.findFirst({
-            where: {
-              workerId: lockedBackgroundWorker.id,
-              runtimeEnvironmentId: request.environment.id,
-              slug: request.taskId,
-            },
-            select: { ttl: true },
-          });
+        // Pull `triggerSource` (for `taskKind` annotation) and `ttl` from cache.
+        // On cache hit this is 0 PG queries; on miss the helper falls back to
+        // a BackgroundWorkerTask lookup and back-fills the cache.
+        //
+        // If the task slug isn't on this locked worker version, we tolerate
+        // the missing row and fall through with `taskKind = undefined`
+        // (coalesced to "STANDARD" downstream) and `taskTtl = undefined`.
+        // This matches main's pre-PR behavior — the no-override branch below
+        // still throws because there's no queue to route to in that case,
+        // but here the caller already named the queue.
+        const lockedMeta = await this.resolveLockedTaskMetadata(
+          lockedBackgroundWorker.id,
+          request.environment.id,
+          request.taskId
+        );
 
-          taskTtl = lockedTask?.ttl;
+        if (request.body.options?.ttl === undefined) {
+          taskTtl = lockedMeta?.ttl ?? undefined;
         }
+        taskKind = lockedMeta?.triggerSource;
       } else {
-        // No queue override - fetch task with queue to get both default queue and TTL
-        const lockedTask = await this.prisma.backgroundWorkerTask.findFirst({
-          where: {
-            workerId: lockedBackgroundWorker.id,
-            runtimeEnvironmentId: request.environment.id,
-            slug: request.taskId,
-          },
-          include: {
-            queue: true,
-          },
-        });
+        // No queue override - resolve default queue + TTL + triggerSource via cache,
+        // falling back to a single BackgroundWorkerTask lookup on miss.
+        const lockedMeta = await this.resolveLockedTaskMetadata(
+          lockedBackgroundWorker.id,
+          request.environment.id,
+          request.taskId
+        );
 
-        if (!lockedTask) {
+        if (!lockedMeta) {
           throw new ServiceValidationError(
             `Task '${request.taskId}' not found on locked version '${lockedBackgroundWorker.version ?? "<unknown>"
             }'.`
           );
         }
 
-        taskTtl = lockedTask.ttl;
+        taskTtl = lockedMeta.ttl;
 
-        if (!lockedTask.queue) {
+        if (!lockedMeta.queueName) {
           // This case should ideally be prevented by earlier checks or schema constraints,
           // but handle it defensively.
           logger.error("Task found on locked version, but has no associated queue record", {
@@ -151,8 +169,9 @@ export class DefaultQueueManager implements QueueManager {
         }
 
         // Use the task's default queue name
-        queueName = lockedTask.queue.name;
-        lockedQueueId = lockedTask.queue.id;
+        queueName = lockedMeta.queueName;
+        lockedQueueId = lockedMeta.queueId ?? undefined;
+        taskKind = lockedMeta.triggerSource;
       }
     } else {
       // Task is not locked to a specific version, use regular logic
@@ -167,6 +186,7 @@ export class DefaultQueueManager implements QueueManager {
       const taskInfo = await this.getTaskQueueInfo(request);
       queueName = taskInfo.queueName;
       taskTtl = taskInfo.taskTtl;
+      taskKind = taskInfo.taskKind;
     }
 
     // Sanitize the final determined queue name once
@@ -183,12 +203,13 @@ export class DefaultQueueManager implements QueueManager {
       queueName,
       lockedQueueId,
       taskTtl,
+      taskKind,
     };
   }
 
   private async getTaskQueueInfo(
     request: TriggerTaskRequest
-  ): Promise<{ queueName: string; taskTtl?: string | null }> {
+  ): Promise<{ queueName: string; taskTtl?: string | null; taskKind?: string | undefined }> {
     const { taskId, environment, body } = request;
     const { queue } = body.options ?? {};
 
@@ -197,69 +218,130 @@ export class DefaultQueueManager implements QueueManager {
 
     const defaultQueueName = `task/${taskId}`;
 
-    // When caller provides both a queue override and a per-trigger TTL,
-    // we don't need any DB queries - the per-trigger TTL takes precedence
-    if (overriddenQueueName && body.options?.ttl !== undefined) {
-      return { queueName: overriddenQueueName, taskTtl: undefined };
-    }
+    // Resolve the current worker's task metadata via cache (HGET on warm path,
+    // BackgroundWorkerTask findFirst + cache back-fill on miss). When this hits,
+    // both the queue-override + TTL caller and the default-queue caller satisfy
+    // their full result without any database query.
+    const meta = await this.resolveCurrentTaskMetadata(environment, taskId);
 
-    // Find the current worker for the environment
-    const worker = await findCurrentWorkerFromEnvironment(environment, this.prisma);
+    if (overriddenQueueName) {
+      // Caller already named the queue. We only need triggerSource (for taskKind)
+      // and ttl (for the call site to coalesce against body.options.ttl).
+      return {
+        queueName: overriddenQueueName,
+        taskTtl: meta?.ttl ?? undefined,
+        taskKind: meta?.triggerSource,
+      };
+    }
 
-    if (!worker) {
-      logger.debug("Failed to get queue name: No worker found", {
+    if (!meta) {
+      logger.debug("Failed to get queue name: No worker or task found", {
         taskId,
         environmentId: environment.id,
       });
-
-      return { queueName: overriddenQueueName ?? defaultQueueName, taskTtl: undefined };
+      return { queueName: defaultQueueName, taskTtl: undefined };
     }
 
-    // When queue is overridden, we only need TTL from the task (no queue join needed)
-    if (overriddenQueueName) {
-      const task = await this.prisma.backgroundWorkerTask.findFirst({
-        where: {
-          workerId: worker.id,
-          runtimeEnvironmentId: environment.id,
-          slug: taskId,
-        },
-        select: { ttl: true },
+    if (!meta.queueName) {
+      logger.debug("Failed to get queue name: No queue found", {
+        taskId,
+        environmentId: environment.id,
       });
-
-      return { queueName: overriddenQueueName, taskTtl: task?.ttl };
+      return { queueName: defaultQueueName, taskTtl: meta.ttl, taskKind: meta.triggerSource };
     }
 
-    const task = await this.prisma.backgroundWorkerTask.findFirst({
-      where: {
-        workerId: worker.id,
-        runtimeEnvironmentId: environment.id,
-        slug: taskId,
-      },
-      include: {
-        queue: true,
+    return { queueName: meta.queueName, taskTtl: meta.ttl, taskKind: meta.triggerSource };
+  }
+
+  /**
+   * Resolve task metadata for a locked-version trigger. Reads from the
+   * `task-meta:by-worker:{workerId}` Redis hash; falls back to a single
+   * BackgroundWorkerTask findFirst on miss and back-fills the cache.
+   *
+   * Returns null when no BackgroundWorkerTask row exists.
+   */
+  private async resolveLockedTaskMetadata(
+    workerId: string,
+    environmentId: string,
+    slug: string
+  ): Promise<TaskMetadataEntry | null> {
+    const cached = await this.taskMetaCache.getByWorker(workerId, slug);
+    if (cached) return cached;
+
+    const row = await this.replicaPrisma.backgroundWorkerTask.findFirst({
+      where: { workerId, runtimeEnvironmentId: environmentId, slug },
+      select: {
+        ttl: true,
+        triggerSource: true,
+        queue: { select: { id: true, name: true } },
       },
     });
 
-    if (!task) {
-      console.log("Failed to get queue name: No task found", {
-        taskId,
-        environmentId: environment.id,
-      });
+    if (!row) return null;
 
-      return { queueName: defaultQueueName, taskTtl: undefined };
-    }
+    const entry: TaskMetadataEntry = {
+      slug,
+      ttl: row.ttl,
+      triggerSource: row.triggerSource,
+      queueId: row.queue?.id ?? null,
+      queueName: row.queue?.name ?? "",
+    };
 
-    if (!task.queue) {
-      console.log("Failed to get queue name: No queue found", {
-        taskId,
-        environmentId: environment.id,
-        queueConfig: task.queueConfig,
-      });
+    // Fire-and-forget back-fill — `setByWorker` upserts the single field and
+    // refreshes the hash TTL. Errors are logged inside the cache and swallowed.
+    void this.taskMetaCache.setByWorker(workerId, entry);
 
-      return { queueName: defaultQueueName, taskTtl: task.ttl };
-    }
+    return entry;
+  }
+
+  /**
+   * Resolve task metadata for a non-locked trigger. Reads from the
+   * `task-meta:env:{envId}` Redis hash; falls back to
+   * findCurrentWorkerFromEnvironment + a single BackgroundWorkerTask findFirst
+   * on miss and back-fills both keyspaces.
+   *
+   * Returns null when no current worker or task can be resolved.
+   */
+  private async resolveCurrentTaskMetadata(
+    environment: AuthenticatedEnvironment,
+    slug: string
+  ): Promise<TaskMetadataEntry | null> {
+    const cached = await this.taskMetaCache.getCurrent(environment.id, slug);
+    if (cached) return cached;
+
+    // Cold cache: discover the current worker for the env. Replica is fine —
+    // the adjacent BackgroundWorkerTask lookup below uses `replicaPrisma` too
+    // (replica lag for "just deployed" is bounded the same way for both
+    // queries; reading from the writer here would only widen the window).
+    const worker = await findCurrentWorkerFromEnvironment(environment, this.replicaPrisma);
+    if (!worker) return null;
+
+    const row = await this.replicaPrisma.backgroundWorkerTask.findFirst({
+      where: { workerId: worker.id, runtimeEnvironmentId: environment.id, slug },
+      select: {
+        ttl: true,
+        triggerSource: true,
+        queue: { select: { id: true, name: true } },
+      },
+    });
 
-    return { queueName: task.queue.name ?? defaultQueueName, taskTtl: task.ttl };
+    if (!row) return null;
+
+    const entry: TaskMetadataEntry = {
+      slug,
+      ttl: row.ttl,
+      triggerSource: row.triggerSource,
+      queueId: row.queue?.id ?? null,
+      queueName: row.queue?.name ?? "",
+    };
+
+    // Fire-and-forget back-fill — atomically upserts the slug into both
+    // keyspaces so a subsequent locked-or-not trigger hits the cache. The
+    // env-keyspace TTL is preserved (promotion owns it); the by-worker TTL
+    // is refreshed (sliding window keeps active workers warm).
+    void this.taskMetaCache.setByCurrentWorker(environment.id, worker.id, entry);
+
+    return entry;
   }
 
   async validateQueueLimits(
@@ -313,6 +395,17 @@ export class DefaultQueueManager implements QueueManager {
     );
 
     if (error) {
+      // getDefaultWorkerGroupForProject queries the writer DB. A Prisma
+      // infrastructure error (e.g. P1001 "Can't reach database server", whose
+      // message carries the DB hostname) must NOT be promoted into a
+      // client-facing ServiceValidationError: that leaks internal infra detail
+      // to the API client (the SDK echoes it into the run view) and
+      // mis-classifies a transient outage as a non-retryable 422. Let it
+      // propagate to the route's generic 500 handler (scrubbed + retryable);
+      // only wrap genuine domain failures.
+      if (isInfrastructureError(error)) {
+        throw error;
+      }
       throw new ServiceValidationError(error.message);
     }
 
diff --git a/apps/webapp/app/runEngine/concerns/traceEvents.server.ts b/apps/webapp/app/runEngine/concerns/traceEvents.server.ts
index cb2eaa30a58..8c9029e2d60 100644
--- a/apps/webapp/app/runEngine/concerns/traceEvents.server.ts
+++ b/apps/webapp/app/runEngine/concerns/traceEvents.server.ts
@@ -10,6 +10,7 @@ export class DefaultTraceEventsConcern implements TraceEventConcern {
     parentStore: string | undefined
   ): Promise<{ repository: IEventRepository; store: string }> {
     return await getEventRepository(
+      request.environment.organization.id,
       request.environment.organization.featureFlags as Record<string, unknown>,
       parentStore
     );
@@ -162,18 +163,15 @@ export class DefaultTraceEventsConcern implements TraceEventConcern {
       },
       async (event, traceContext, traceparent) => {
         // Log a message about the debounced trigger
-        await repository.recordEvent(
-          `Debounced: using existing run with key "${debounceKey}"`,
-          {
-            taskSlug: request.taskId,
-            environment: request.environment,
-            attributes: {
-              runId: existingRun.friendlyId,
-            },
-            context: request.options?.traceContext,
-            parentId: event.spanId,
-          }
-        );
+        await repository.recordEvent(`Debounced: using existing run with key "${debounceKey}"`, {
+          taskSlug: request.taskId,
+          environment: request.environment,
+          attributes: {
+            runId: existingRun.friendlyId,
+          },
+          context: request.options?.traceContext,
+          parentId: event.spanId,
+        });
 
         return await callback(
           {
diff --git a/apps/webapp/app/runEngine/concerns/waitpointCompletionPacket.server.ts b/apps/webapp/app/runEngine/concerns/waitpointCompletionPacket.server.ts
index 5e029221344..e59ede59f18 100644
--- a/apps/webapp/app/runEngine/concerns/waitpointCompletionPacket.server.ts
+++ b/apps/webapp/app/runEngine/concerns/waitpointCompletionPacket.server.ts
@@ -2,6 +2,7 @@ import { type IOPacket, packetRequiresOffloading, tryCatch } from "@trigger.dev/
 import type { AuthenticatedEnvironment } from "~/services/apiAuth.server";
 import { env } from "~/env.server";
 import { uploadPacketToObjectStore } from "~/v3/objectStore.server";
+import { logger } from "~/services/logger.server";
 import { ServiceValidationError } from "~/v3/services/common.server";
 
 function packetExtensionForDataType(dataType: string): string {
@@ -53,6 +54,11 @@ export async function processWaitpointCompletionPacket(
   );
 
   if (uploadError) {
+    logger.error("Failed to upload large waitpoint to object store", {
+      error: uploadError,
+      filename,
+      environmentId: environment.id,
+    });
     throw new ServiceValidationError("Failed to upload large waitpoint to object store", 500);
   }
 
diff --git a/apps/webapp/app/runEngine/concerns/workerQueueSplit.server.ts b/apps/webapp/app/runEngine/concerns/workerQueueSplit.server.ts
new file mode 100644
index 00000000000..af0d4a819a1
--- /dev/null
+++ b/apps/webapp/app/runEngine/concerns/workerQueueSplit.server.ts
@@ -0,0 +1,111 @@
+import type { WorkerQueueClass } from "@trigger.dev/core/v3/workers";
+import { FEATURE_FLAG, FeatureFlagCatalog } from "~/v3/featureFlags";
+
+/**
+ * Suffix appended to a region's worker queue name to route scheduled-lineage
+ * runs onto their own Redis list (e.g. `us-nyc-3` -> `us-nyc-3:scheduled`). A
+ * dedicated consumer fleet dequeues the suffixed list so the top-of-hour
+ * scheduled-cron herd can't starve standard/agent run startup. The worker queue
+ * name is opaque everywhere downstream (it's only ever `:`-joined into a Redis
+ * key and persisted on the run), so encoding the class in the suffix needs no
+ * Lua, envelope, or resolver changes.
+ */
+export const SCHEDULED_WORKER_QUEUE_SUFFIX = ":scheduled";
+
+/**
+ * Recover the base region a worker queue belongs to by stripping any split
+ * suffix (e.g. `us-nyc-3:scheduled` -> `us-nyc-3`). Region/masterQueue names are
+ * either `<name>` or `<projectId>-<name>` and never contain a colon, so the
+ * region is everything before the first `:`. Use this wherever a worker queue is
+ * read as a region — for display, filtering, or as a region override — so
+ * scheduled-split runs group under their real region instead of a phantom one.
+ * Idempotent; returns the input unchanged when there's no suffix. A nullish
+ * worker queue (e.g. from a synthetic run snapshot) passes straight through.
+ */
+export function baseWorkerQueue(workerQueue: string): string;
+export function baseWorkerQueue(workerQueue: string | null | undefined): string | null | undefined;
+export function baseWorkerQueue(workerQueue: string | null | undefined): string | null | undefined {
+  if (workerQueue == null) {
+    return workerQueue;
+  }
+
+  const colon = workerQueue.indexOf(":");
+  return colon === -1 ? workerQueue : workerQueue.slice(0, colon);
+}
+
+/** `TriggerSource` value used for runs originating from a schedule. */
+const SCHEDULE_TRIGGER_SOURCE = "schedule";
+
+/**
+ * Resolve whether the scheduled worker-queue split is enabled for a run, reading
+ * only the in-memory org feature-flags JSON (already loaded on the authenticated
+ * environment) — never a DB query, so it is safe on the trigger hot path.
+ *
+ * Precedence: a per-org override wins in BOTH directions; the global default is
+ * used only when the org has not set the flag.
+ */
+export function resolveScheduledQueueSplitEnabled({
+  orgFeatureFlags,
+  globalDefault,
+}: {
+  orgFeatureFlags: Record<string, unknown> | null | undefined;
+  globalDefault: boolean;
+}): boolean {
+  const override = orgFeatureFlags?.[FEATURE_FLAG.workerQueueScheduledSplitEnabled];
+
+  if (override !== undefined) {
+    const parsed =
+      FeatureFlagCatalog[FEATURE_FLAG.workerQueueScheduledSplitEnabled].safeParse(override);
+
+    if (parsed.success) {
+      return parsed.data;
+    }
+  }
+
+  return globalDefault;
+}
+
+/**
+ * Pick the worker queue a run should be enqueued onto. Runs in a scheduled
+ * lineage (`rootTriggerSource === "schedule"`, which propagates from a scheduled
+ * root down to every descendant) route to the suffixed list when the split is
+ * enabled; everything else is unchanged. Idempotent — never double-suffixes.
+ */
+export function workerQueueForRun({
+  workerQueue,
+  rootTriggerSource,
+  splitEnabled,
+}: {
+  workerQueue: string;
+  rootTriggerSource: string | undefined;
+  splitEnabled: boolean;
+}): string {
+  if (
+    !splitEnabled ||
+    rootTriggerSource !== SCHEDULE_TRIGGER_SOURCE ||
+    workerQueue.endsWith(SCHEDULED_WORKER_QUEUE_SUFFIX)
+  ) {
+    return workerQueue;
+  }
+
+  return `${workerQueue}${SCHEDULED_WORKER_QUEUE_SUFFIX}`;
+}
+
+/**
+ * Consumer-side counterpart to {@link workerQueueForRun}: given a worker's base
+ * (region) queue and the requested queue class, return the worker queue to
+ * dequeue from. `"scheduled"` targets the suffixed list; anything else is the
+ * base queue. The server always derives this from the authenticated worker's
+ * own `masterQueue`, so a token can only ever reach its own region's queues.
+ * Idempotent — never double-suffixes.
+ */
+export function workerQueueForClass(
+  masterQueue: string,
+  queueClass: WorkerQueueClass | undefined
+): string {
+  if (queueClass === "scheduled" && !masterQueue.endsWith(SCHEDULED_WORKER_QUEUE_SUFFIX)) {
+    return `${masterQueue}${SCHEDULED_WORKER_QUEUE_SUFFIX}`;
+  }
+
+  return masterQueue;
+}
diff --git a/apps/webapp/app/runEngine/services/batchTrigger.server.ts b/apps/webapp/app/runEngine/services/batchTrigger.server.ts
index 4e504163fec..3df2dfb00f9 100644
--- a/apps/webapp/app/runEngine/services/batchTrigger.server.ts
+++ b/apps/webapp/app/runEngine/services/batchTrigger.server.ts
@@ -531,6 +531,7 @@ export class RunEngineBatchTriggerService extends WithRunEngine {
     const triggerFailedTaskService = new TriggerFailedTaskService({
       prisma: this._prisma,
       engine: this._engine,
+      replicaPrisma: this._replica,
     });
 
     for (const item of itemsToProcess) {
diff --git a/apps/webapp/app/runEngine/services/createBatch.server.ts b/apps/webapp/app/runEngine/services/createBatch.server.ts
index 309a7700f1a..0653e1ef1c2 100644
--- a/apps/webapp/app/runEngine/services/createBatch.server.ts
+++ b/apps/webapp/app/runEngine/services/createBatch.server.ts
@@ -40,7 +40,7 @@ export class CreateBatchService extends WithRunEngine {
   constructor(protected readonly _prisma: PrismaClientOrTransaction = prisma) {
     super({ prisma: _prisma });
 
-    this.queueConcern = new DefaultQueueManager(this._prisma, this._engine);
+    this.queueConcern = new DefaultQueueManager(this._prisma, this._engine, this._replica);
     this.validator = new DefaultTriggerTaskValidator();
   }
 
diff --git a/apps/webapp/app/runEngine/services/streamBatchItems.server.ts b/apps/webapp/app/runEngine/services/streamBatchItems.server.ts
index 859dfe2e6b9..81f244655d2 100644
--- a/apps/webapp/app/runEngine/services/streamBatchItems.server.ts
+++ b/apps/webapp/app/runEngine/services/streamBatchItems.server.ts
@@ -4,12 +4,55 @@ import {
 } from "@trigger.dev/core/v3";
 import { BatchId } from "@trigger.dev/core/v3/isomorphic";
 import type { BatchItem, RunEngine } from "@internal/run-engine";
+import type { BatchTaskRunStatus } from "@trigger.dev/database";
 import { prisma, type PrismaClientOrTransaction } from "~/db.server";
 import type { AuthenticatedEnvironment } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
 import { ServiceValidationError, WithRunEngine } from "../../v3/services/baseService.server";
 import { BatchPayloadProcessor } from "../concerns/batchPayloads.server";
 
+/**
+ * Phase 2 retry idempotency check (TRI-9944).
+ *
+ * Returns true when the batch is in a state that means the Phase 2 stream's
+ * job has already been done — every item has a TaskRun record (real or
+ * pre-failed) for the customer to monitor. A retry, or the original call
+ * racing against a fast-completing BatchQueue, should return sealed:true
+ * in these states so the SDK stops retrying.
+ *
+ * Three "work is done" shapes:
+ *  - status moved out of PENDING into PROCESSING/COMPLETED/PARTIAL_FAILED
+ *    (PROCESSING via our seal, COMPLETED via tryCompleteBatch, PARTIAL_FAILED
+ *    via the V2 batchCompletionCallback).
+ *  - status stuck at PENDING but `sealed=true`: another concurrent
+ *    streamBatchItems call sealed the batch and then the callback's
+ *    happy-path branch reset status to PENDING ("all runs created").
+ *  - status stuck at PENDING with `sealed=false` but `processingCompletedAt`
+ *    set: the cleanup-race. BatchQueue rushed through all items, callback
+ *    fired (setting processingCompletedAt), cleanup deleted the Redis
+ *    metadata — all before our service got the chance to seal. The work
+ *    is done; the discriminator is processingCompletedAt which is set
+ *    exclusively by the V2 completion callback.
+ *
+ * ABORTED is excluded — it means ZERO TaskRun records were created (every
+ * per-item attempt failed AND the pre-failed-TaskRun fallback also failed,
+ * or queue-overload on every item). The customer has nothing to monitor
+ * at the run level, so the trigger call must throw to give their retry/
+ * error handling a chance to create a fresh batch.
+ */
+export function isIdempotentRetrySuccess(
+  status: BatchTaskRunStatus | null | undefined,
+  sealed: boolean | null | undefined,
+  processingCompletedAt: Date | null | undefined
+): boolean {
+  return (
+    status === "PROCESSING" ||
+    status === "COMPLETED" ||
+    status === "PARTIAL_FAILED" ||
+    (status === "PENDING" && (sealed === true || processingCompletedAt != null))
+  );
+}
+
 export type StreamBatchItemsServiceOptions = {
   maxItemBytes: number;
 };
@@ -93,6 +136,7 @@ export class StreamBatchItemsService extends WithRunEngine {
             runCount: true,
             sealed: true,
             batchVersion: true,
+            processingCompletedAt: true,
           },
         });
 
@@ -100,13 +144,27 @@ export class StreamBatchItemsService extends WithRunEngine {
           throw new ServiceValidationError(`Batch ${batchFriendlyId} not found`);
         }
 
-        if (batch.sealed) {
-          throw new ServiceValidationError(
-            `Batch ${batchFriendlyId} is already sealed and cannot accept more items`
-          );
+        if (isIdempotentRetrySuccess(batch.status, batch.sealed, batch.processingCompletedAt)) {
+          logger.info("Batch already sealed/completed - treating Phase 2 retry as success", {
+            batchId: batchFriendlyId,
+            batchSealed: batch.sealed,
+            batchStatus: batch.status,
+            processingCompletedAt: batch.processingCompletedAt,
+          });
+
+          return {
+            id: batchFriendlyId,
+            itemsAccepted: 0,
+            itemsDeduplicated: 0,
+            sealed: true,
+            runCount: batch.runCount,
+          };
         }
 
         if (batch.status !== "PENDING") {
+          // ABORTED or any other unexpected non-PENDING state — surface as an error.
+          // For ABORTED specifically, throwing is required so the customer's
+          // batchTrigger() retries (a new batch) can recreate the runs.
           throw new ServiceValidationError(
             `Batch ${batchFriendlyId} is not in PENDING status (current: ${batch.status})`
           );
@@ -212,22 +270,32 @@ export class StreamBatchItemsService extends WithRunEngine {
         // Validate we received the expected number of items
         if (enqueuedCount !== batch.runCount) {
           // The batch queue consumers may have already processed all items and
-          // cleaned up the Redis keys before we got here (especially likely when
-          // items include pre-failed runs that complete instantly). Check if the
-          // batch was already sealed/completed in Postgres.
-          const currentBatch = await this._prisma.batchTaskRun.findUnique({
+          // cleaned up the Redis keys before we got here. This happens when all
+          // runs complete fast enough that cleanup() deletes the enqueuedItemsKey
+          // before we read it — typically when the last item executes in the
+          // milliseconds between the loop ending and getBatchEnqueuedCount() being called.
+          // Check both sealed (sealed by this endpoint on a concurrent request) and
+          // COMPLETED (sealed by the BatchQueue completion path before we got here).
+          const currentBatch = await this._prisma.batchTaskRun.findFirst({
             where: { id: batchId },
-            select: { sealed: true, status: true },
+            select: { sealed: true, status: true, processingCompletedAt: true },
           });
 
-          if (currentBatch?.sealed) {
+          if (
+            isIdempotentRetrySuccess(
+              currentBatch?.status,
+              currentBatch?.sealed,
+              currentBatch?.processingCompletedAt
+            )
+          ) {
             logger.info("Batch already sealed before count check (fast completion)", {
               batchId: batchFriendlyId,
               itemsAccepted,
               itemsDeduplicated,
               enqueuedCount,
               expectedCount: batch.runCount,
-              batchStatus: currentBatch.status,
+              batchStatus: currentBatch?.status,
+              processingCompletedAt: currentBatch?.processingCompletedAt,
             });
 
             return {
@@ -239,6 +307,15 @@ export class StreamBatchItemsService extends WithRunEngine {
             };
           }
 
+          if (currentBatch?.status === "ABORTED") {
+            // Zero TaskRuns exist — the count-mismatch sealed:false semantics
+            // ("retry with missing items") would mislead the SDK. Throw so the
+            // customer's batchTrigger() retry creates a fresh batch.
+            throw new ServiceValidationError(
+              `Batch ${batchFriendlyId} is not in PENDING status (current: ABORTED)`
+            );
+          }
+
           logger.warn("Batch item count mismatch", {
             batchId: batchFriendlyId,
             expected: batch.runCount,
@@ -279,24 +356,43 @@ export class StreamBatchItemsService extends WithRunEngine {
 
         // Check if we won the race to seal the batch
         if (sealResult.count === 0) {
-          // Another request sealed the batch first - re-query to check current state
-          const currentBatch = await this._prisma.batchTaskRun.findUnique({
+          // The conditional update failed because the batch was no longer in
+          // PENDING status. Re-query to determine which path got there first:
+          //   - A concurrent streaming request already sealed and moved it to
+          //     PROCESSING.
+          //   - The BatchQueue completion path finished all runs and set it to
+          //     COMPLETED (without setting sealed=true — that's this endpoint's
+          //     job). This window exists between completionCallback (which calls
+          //     tryCompleteBatch) and cleanup() in BatchQueue — see
+          //     batch-queue/index.ts.
+          // Either way the goal — a durable batch that the SDK stops retrying —
+          // has been achieved, so we return sealed: true.
+          const currentBatch = await this._prisma.batchTaskRun.findFirst({
             where: { id: batchId },
             select: {
               id: true,
               friendlyId: true,
               status: true,
               sealed: true,
+              processingCompletedAt: true,
             },
           });
 
-          if (currentBatch?.sealed && currentBatch.status === "PROCESSING") {
-            // The batch was sealed by another request - this is fine, the goal was achieved
-            logger.info("Batch already sealed by concurrent request", {
+          if (
+            isIdempotentRetrySuccess(
+              currentBatch?.status,
+              currentBatch?.sealed,
+              currentBatch?.processingCompletedAt
+            )
+          ) {
+            logger.info("Batch already sealed/completed by concurrent path", {
               batchId: batchFriendlyId,
               itemsAccepted,
               itemsDeduplicated,
               envId: environment.id,
+              batchStatus: currentBatch?.status,
+              batchSealed: currentBatch?.sealed,
+              processingCompletedAt: currentBatch?.processingCompletedAt,
             });
 
             span.setAttribute("itemsAccepted", itemsAccepted);
diff --git a/apps/webapp/app/runEngine/services/triggerFailedTask.server.ts b/apps/webapp/app/runEngine/services/triggerFailedTask.server.ts
index cdcfa63ff0b..a8a7cbf0f3b 100644
--- a/apps/webapp/app/runEngine/services/triggerFailedTask.server.ts
+++ b/apps/webapp/app/runEngine/services/triggerFailedTask.server.ts
@@ -6,6 +6,7 @@ import type { PrismaClientOrTransaction } from "@trigger.dev/database";
 import type { AuthenticatedEnvironment } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
 import { getEventRepository } from "~/v3/eventRepository/index.server";
+import { PerformTaskRunAlertsService } from "~/v3/services/alerts/performTaskRunAlerts.server";
 import { DefaultQueueManager } from "../concerns/queues.server";
 import type { TriggerTaskRequest } from "../types";
 
@@ -51,10 +52,16 @@ export type TriggerFailedTaskRequest = {
  */
 export class TriggerFailedTaskService {
   private readonly prisma: PrismaClientOrTransaction;
+  private readonly replicaPrisma: PrismaClientOrTransaction;
   private readonly engine: RunEngine;
 
-  constructor(opts: { prisma: PrismaClientOrTransaction; engine: RunEngine }) {
+  constructor(opts: {
+    prisma: PrismaClientOrTransaction;
+    engine: RunEngine;
+    replicaPrisma?: PrismaClientOrTransaction;
+  }) {
     this.prisma = opts.prisma;
+    this.replicaPrisma = opts.replicaPrisma ?? opts.prisma;
     this.engine = opts.engine;
   }
 
@@ -68,6 +75,7 @@ export class TriggerFailedTaskService {
 
     try {
       const { repository, store } = await getEventRepository(
+        request.environment.organization.id,
         request.environment.organization.featureFlags as Record<string, unknown>,
         undefined
       );
@@ -75,11 +83,11 @@ export class TriggerFailedTaskService {
       // Resolve parent run for rootTaskRunId and depth (same as triggerTask.server.ts)
       const parentRun = request.parentRunId
         ? await this.prisma.taskRun.findFirst({
-          where: {
-            id: RunId.fromFriendlyId(request.parentRunId),
-            runtimeEnvironmentId: request.environment.id,
-          },
-        })
+            where: {
+              id: RunId.fromFriendlyId(request.parentRunId),
+              runtimeEnvironmentId: request.environment.id,
+            },
+          })
         : undefined;
 
       const depth = parentRun ? parentRun.depth + 1 : 0;
@@ -91,7 +99,7 @@ export class TriggerFailedTaskService {
       let queueName: string | undefined;
       let lockedQueueId: string | undefined;
       try {
-        const queueConcern = new DefaultQueueManager(this.prisma, this.engine);
+        const queueConcern = new DefaultQueueManager(this.prisma, this.engine, this.replicaPrisma);
         const bodyOptions = request.options as TriggerTaskRequest["body"]["options"];
         const triggerRequest: TriggerTaskRequest = {
           taskId: request.taskId,
@@ -110,18 +118,18 @@ export class TriggerFailedTaskService {
         // resolveQueueProperties requires the worker to be passed when lockToVersion is present.
         const lockedToBackgroundWorker = bodyOptions?.lockToVersion
           ? await this.prisma.backgroundWorker.findFirst({
-            where: {
-              projectId: request.environment.projectId,
-              runtimeEnvironmentId: request.environment.id,
-              version: bodyOptions.lockToVersion,
-            },
-            select: {
-              id: true,
-              version: true,
-              sdkVersion: true,
-              cliVersion: true,
-            },
-          })
+              where: {
+                projectId: request.environment.projectId,
+                runtimeEnvironmentId: request.environment.id,
+                version: bodyOptions.lockToVersion,
+              },
+              select: {
+                id: true,
+                version: true,
+                sdkVersion: true,
+                cliVersion: true,
+              },
+            })
           : undefined;
 
         const resolved = await queueConcern.resolveQueueProperties(
@@ -169,6 +177,14 @@ export class TriggerFailedTaskService {
           event.setAttribute("runId", failedRunFriendlyId);
           event.failWithError(taskRunError);
 
+          // `emitRunFailedEvent: false` because this call site owns the
+          // trace-event lifecycle via the outer `traceEvent({
+          // incomplete: false, isError: true })`. Letting the engine
+          // emit `runFailed` here would race the
+          // `completeFailedRunEvent` listener against the outer trace
+          // event's own completion write for the same (traceId, spanId).
+          // We re-trigger the alerts side directly after the trace
+          // event closes, below.
           return await this.engine.createFailedTaskRun({
             friendlyId: failedRunFriendlyId,
             environment: {
@@ -193,12 +209,30 @@ export class TriggerFailedTaskService {
             spanId: event.spanId,
             traceContext: traceContext as Record<string, unknown>,
             taskEventStore: store,
+            emitRunFailedEvent: false,
             ...(queueName !== undefined && { queue: queueName }),
             ...(lockedQueueId !== undefined && { lockedQueueId }),
           });
         }
       );
 
+      // Alerts side of `runFailed` — the engine emit was suppressed
+      // above so the trace-event completion isn't double-written; we
+      // still need the alert pipeline to fire so customers' ERROR
+      // channels see the failure. Best-effort: a failed enqueue logs
+      // but doesn't block returning the friendlyId, mirroring the
+      // engine handler's behaviour at runEngineHandlers.server.ts:81.
+      try {
+        await PerformTaskRunAlertsService.enqueue(failedRun.id);
+      } catch (alertsError) {
+        logger.warn("TriggerFailedTaskService: alert enqueue failed", {
+          taskId: request.taskId,
+          friendlyId: failedRun.friendlyId,
+          error:
+            alertsError instanceof Error ? alertsError.message : String(alertsError),
+        });
+      }
+
       return failedRun.friendlyId;
     } catch (createError) {
       const createErrorMsg =
@@ -257,7 +291,7 @@ export class TriggerFailedTaskService {
         }
       }
 
-      await this.engine.createFailedTaskRun({
+      const failedRun = await this.engine.createFailedTaskRun({
         friendlyId: failedRunFriendlyId,
         environment: {
           id: opts.environmentId,
@@ -267,9 +301,7 @@ export class TriggerFailedTaskService {
         },
         taskIdentifier: opts.taskId,
         payload:
-          typeof opts.payload === "string"
-            ? opts.payload
-            : JSON.stringify(opts.payload ?? ""),
+          typeof opts.payload === "string" ? opts.payload : JSON.stringify(opts.payload ?? ""),
         payloadType: opts.payloadType ?? "application/json",
         error: {
           type: "INTERNAL_ERROR" as const,
@@ -281,8 +313,32 @@ export class TriggerFailedTaskService {
         depth,
         resumeParentOnCompletion: opts.resumeParentOnCompletion,
         batch: opts.batch,
+        // Suppress the engine's `runFailed` bus emit — the listener
+        // (`runEngineHandlers.server.ts` `runFailed`) calls
+        // `completeFailedRunEvent`, which writes a ClickHouse trace event
+        // row keyed on (traceId, spanId). This caller has no trace
+        // context (the method name is literally `callWithoutTraceEvents`)
+        // so the emit would write a row with empty traceId/spanId —
+        // orphan event in the store. We still want alert coverage,
+        // though, so enqueue directly below.
+        emitRunFailedEvent: false,
       });
 
+      // Alerts side of `runFailed` — the engine emit was suppressed
+      // above so we don't create an orphan trace event; enqueue the
+      // alert directly so customers' ERROR channels still see the
+      // failure. Best-effort, mirroring the `call()` path.
+      try {
+        await PerformTaskRunAlertsService.enqueue(failedRun.id);
+      } catch (alertsError) {
+        logger.warn("TriggerFailedTaskService.callWithoutTraceEvents: alert enqueue failed", {
+          taskId: opts.taskId,
+          friendlyId: failedRun.friendlyId,
+          error:
+            alertsError instanceof Error ? alertsError.message : String(alertsError),
+        });
+      }
+
       return failedRunFriendlyId;
     } catch (createError) {
       logger.error("TriggerFailedTaskService: failed to create pre-failed TaskRun (no trace)", {
diff --git a/apps/webapp/app/runEngine/services/triggerTask.server.ts b/apps/webapp/app/runEngine/services/triggerTask.server.ts
index 610484e67ca..77057990db9 100644
--- a/apps/webapp/app/runEngine/services/triggerTask.server.ts
+++ b/apps/webapp/app/runEngine/services/triggerTask.server.ts
@@ -30,7 +30,18 @@ import type {
   TriggerTaskServiceResult,
 } from "../../v3/services/triggerTask.server";
 import { clampMaxDuration } from "../../v3/utils/maxDuration";
-import { IdempotencyKeyConcern } from "../concerns/idempotencyKeys.server";
+import {
+  IdempotencyKeyConcern,
+  type ClaimedIdempotency,
+} from "../concerns/idempotencyKeys.server";
+import {
+  resolveScheduledQueueSplitEnabled,
+  workerQueueForRun,
+} from "../concerns/workerQueueSplit.server";
+import {
+  publishClaim as publishMollifierClaim,
+  releaseClaim as releaseMollifierClaim,
+} from "~/v3/mollifier/idempotencyClaim.server";
 import type {
   PayloadProcessor,
   QueueManager,
@@ -40,6 +51,18 @@ import type {
   TriggerTaskRequest,
   TriggerTaskValidator,
 } from "../types";
+import { env } from "~/env.server";
+import {
+  evaluateGate as defaultEvaluateGate,
+  type GateOutcome,
+  type MollifierEvaluateGate,
+} from "~/v3/mollifier/mollifierGate.server";
+import {
+  getMollifierBuffer as defaultGetMollifierBuffer,
+  type MollifierGetBuffer,
+} from "~/v3/mollifier/mollifierBuffer.server";
+import { mollifyTrigger } from "~/v3/mollifier/mollifierMollify.server";
+import { type MollifierBuffer } from "@trigger.dev/redis-worker";
 import { QueueSizeLimitExceededError, ServiceValidationError } from "~/v3/services/common.server";
 
 class NoopTriggerRacepointSystem implements TriggerRacepointSystem {
@@ -59,6 +82,14 @@ export class RunEngineTriggerTaskService {
   private readonly traceEventConcern: TraceEventConcern;
   private readonly triggerRacepointSystem: TriggerRacepointSystem;
   private readonly metadataMaximumSize: number;
+  // Mollifier hooks are DI'd so tests can drive the call-site's mollify branch
+  // deterministically (stub the gate to return mollify, inject a real or fake
+  // buffer, force the global-enabled predicate to true so the call site
+  // doesn't short-circuit on an unset env). In production all three default
+  // to the live module-level singletons + env read.
+  private readonly evaluateGate: MollifierEvaluateGate;
+  private readonly getMollifierBuffer: MollifierGetBuffer;
+  private readonly isMollifierGloballyEnabled: () => boolean;
 
   constructor(opts: {
     prisma: PrismaClientOrTransaction;
@@ -71,6 +102,9 @@ export class RunEngineTriggerTaskService {
     tracer: Tracer;
     metadataMaximumSize: number;
     triggerRacepointSystem?: TriggerRacepointSystem;
+    evaluateGate?: MollifierEvaluateGate;
+    getMollifierBuffer?: MollifierGetBuffer;
+    isMollifierGloballyEnabled?: () => boolean;
   }) {
     this.prisma = opts.prisma;
     this.engine = opts.engine;
@@ -82,6 +116,10 @@ export class RunEngineTriggerTaskService {
     this.traceEventConcern = opts.traceEventConcern;
     this.metadataMaximumSize = opts.metadataMaximumSize;
     this.triggerRacepointSystem = opts.triggerRacepointSystem ?? new NoopTriggerRacepointSystem();
+    this.evaluateGate = opts.evaluateGate ?? defaultEvaluateGate;
+    this.getMollifierBuffer = opts.getMollifierBuffer ?? defaultGetMollifierBuffer;
+    this.isMollifierGloballyEnabled =
+      opts.isMollifierGloballyEnabled ?? (() => env.TRIGGER_MOLLIFIER_ENABLED === "1");
   }
 
   public async call({
@@ -97,385 +135,682 @@ export class RunEngineTriggerTaskService {
     options?: TriggerTaskServiceOptions;
     attempt?: number;
   }): Promise<TriggerTaskServiceResult | undefined> {
-    return await startSpan(this.tracer, "RunEngineTriggerTaskService.call()", async (span) => {
-      span.setAttribute("taskId", taskId);
-      span.setAttribute("attempt", attempt);
-
-      const runFriendlyId = options?.runFriendlyId ?? RunId.generate().friendlyId;
-      const triggerRequest = {
-        taskId,
-        friendlyId: runFriendlyId,
-        environment,
-        body,
-        options,
-      } satisfies TriggerTaskRequest;
-
-      // Validate max attempts
-      const maxAttemptsValidation = this.validator.validateMaxAttempts({
-        taskId,
-        attempt,
-      });
-
-      if (!maxAttemptsValidation.ok) {
-        throw maxAttemptsValidation.error;
-      }
+    // Pre-gate idempotency-claim ownership. Set inside the span when
+    // `IdempotencyKeyConcern.handleTriggerRequest` returns `claim:
+    // {...}`. The try/catch below resolves it once the span finishes.
+    let idempotencyClaim: ClaimedIdempotency | undefined;
+    try {
+      const result = await startSpan(
+        this.tracer,
+        "RunEngineTriggerTaskService.call()",
+        async (span) => {
+          span.setAttribute("taskId", taskId);
+          span.setAttribute("attempt", attempt);
+
+          const runFriendlyId = options?.runFriendlyId ?? RunId.generate().friendlyId;
+          const triggerRequest = {
+            taskId,
+            friendlyId: runFriendlyId,
+            environment,
+            body,
+            options,
+          } satisfies TriggerTaskRequest;
 
-      // Validate tags
-      const tagValidation = this.validator.validateTags({
-        tags: body.options?.tags,
-      });
+          // Validate max attempts
+          const maxAttemptsValidation = this.validator.validateMaxAttempts({
+            taskId,
+            attempt,
+          });
 
-      if (!tagValidation.ok) {
-        throw tagValidation.error;
-      }
+          if (!maxAttemptsValidation.ok) {
+            throw maxAttemptsValidation.error;
+          }
 
-      // Validate entitlement (unless skipChecks is enabled)
-      let planType: string | undefined;
+          // Validate tags
+          const tagValidation = this.validator.validateTags({
+            tags: body.options?.tags,
+          });
 
-      if (!options.skipChecks) {
-        const entitlementValidation = await this.validator.validateEntitlement({
-          environment,
-        });
+          if (!tagValidation.ok) {
+            throw tagValidation.error;
+          }
 
-        if (!entitlementValidation.ok) {
-          throw entitlementValidation.error;
-        }
+          // Validate entitlement (unless skipChecks is enabled)
+          let planType: string | undefined;
 
-        // Extract plan type from entitlement response
-        planType = entitlementValidation.plan?.type;
-      } else {
-        // When skipChecks is enabled, planType should be passed via options
-        planType = options.planType;
+          if (!options.skipChecks) {
+            const entitlementValidation = await this.validator.validateEntitlement({
+              environment,
+            });
 
-        if (!planType) {
-          logger.warn("Plan type not set but skipChecks is enabled", {
-            taskId,
-            environment: {
-              id: environment.id,
-              type: environment.type,
-              projectId: environment.projectId,
-              organizationId: environment.organizationId,
-            },
-          });
-        }
-      }
+            if (!entitlementValidation.ok) {
+              throw entitlementValidation.error;
+            }
 
-      // Parse delay from either explicit delay option or debounce.delay
-      const delaySource = body.options?.delay ?? body.options?.debounce?.delay;
-      const [parseDelayError, delayUntil] = await tryCatch(parseDelay(delaySource));
+            // Extract plan type from entitlement response
+            planType = entitlementValidation.plan?.type;
+          } else {
+            // When skipChecks is enabled, planType should be passed via options
+            planType = options.planType;
+
+            if (!planType) {
+              logger.warn("Plan type not set but skipChecks is enabled", {
+                taskId,
+                environment: {
+                  id: environment.id,
+                  type: environment.type,
+                  projectId: environment.projectId,
+                  organizationId: environment.organizationId,
+                },
+              });
+            }
+          }
 
-      if (parseDelayError) {
-        throw new ServiceValidationError(`Invalid delay ${delaySource}`);
-      }
+          // Parse delay from either explicit delay option or debounce.delay
+          const delaySource = body.options?.delay ?? body.options?.debounce?.delay;
+          const [parseDelayError, delayUntil] = await tryCatch(parseDelay(delaySource));
 
-      // Validate debounce options
-      if (body.options?.debounce) {
-        if (!delayUntil) {
-          throw new ServiceValidationError(
-            `Debounce requires a valid delay duration. Provided: ${body.options.debounce.delay}`
-          );
-        }
-
-        // Always validate debounce.delay separately since it's used for rescheduling
-        // This catches the case where options.delay is valid but debounce.delay is invalid
-        const [debounceDelayError, debounceDelayUntil] = await tryCatch(
-          parseDelay(body.options.debounce.delay)
-        );
-
-        if (debounceDelayError || !debounceDelayUntil) {
-          throw new ServiceValidationError(
-            `Invalid debounce delay: ${body.options.debounce.delay}. ` +
-              `Supported formats: {number}s, {number}m, {number}h, {number}d, {number}w`
-          );
-        }
-      }
+          if (parseDelayError) {
+            throw new ServiceValidationError(`Invalid delay ${delaySource}`);
+          }
 
-      // Get parent run if specified
-      const parentRun = body.options?.parentRunId
-        ? await this.prisma.taskRun.findFirst({
-            where: {
-              id: RunId.fromFriendlyId(body.options.parentRunId),
-              runtimeEnvironmentId: environment.id,
-            },
-          })
-        : undefined;
-
-      // Validate parent run
-      const parentRunValidation = this.validator.validateParentRun({
-        taskId,
-        parentRun: parentRun ?? undefined,
-        resumeParentOnCompletion: body.options?.resumeParentOnCompletion,
-      });
-
-      if (!parentRunValidation.ok) {
-        throw parentRunValidation.error;
-      }
+          // Validate debounce options
+          if (body.options?.debounce) {
+            if (!delayUntil) {
+              throw new ServiceValidationError(
+                `Debounce requires a valid delay duration. Provided: ${body.options.debounce.delay}`
+              );
+            }
 
-      const idempotencyKeyConcernResult = await this.idempotencyKeyConcern.handleTriggerRequest(
-        triggerRequest,
-        parentRun?.taskEventStore
-      );
+            // Always validate debounce.delay separately since it's used for rescheduling
+            // This catches the case where options.delay is valid but debounce.delay is invalid
+            const [debounceDelayError, debounceDelayUntil] = await tryCatch(
+              parseDelay(body.options.debounce.delay)
+            );
 
-      if (idempotencyKeyConcernResult.isCached) {
-        return idempotencyKeyConcernResult;
-      }
+            if (debounceDelayError || !debounceDelayUntil) {
+              throw new ServiceValidationError(
+                `Invalid debounce delay: ${body.options.debounce.delay}. ` +
+                `Supported formats: {number}s, {number}m, {number}h, {number}d, {number}w`
+              );
+            }
+          }
 
-      const { idempotencyKey, idempotencyKeyExpiresAt } = idempotencyKeyConcernResult;
+          // Get parent run if specified
+          const parentRun = body.options?.parentRunId
+            ? await this.prisma.taskRun.findFirst({
+              where: {
+                id: RunId.fromFriendlyId(body.options.parentRunId),
+                runtimeEnvironmentId: environment.id,
+              },
+            })
+            : undefined;
 
-      if (idempotencyKey) {
-        await this.triggerRacepointSystem.waitForRacepoint({
-          racepoint: "idempotencyKey",
-          id: idempotencyKey,
-        });
-      }
+          // Validate parent run
+          const parentRunValidation = this.validator.validateParentRun({
+            taskId,
+            parentRun: parentRun ?? undefined,
+            resumeParentOnCompletion: body.options?.resumeParentOnCompletion,
+          });
 
-      const lockedToBackgroundWorker = body.options?.lockToVersion
-        ? await this.prisma.backgroundWorker.findFirst({
-            where: {
-              projectId: environment.projectId,
-              runtimeEnvironmentId: environment.id,
-              version: body.options?.lockToVersion,
-            },
-            select: {
-              id: true,
-              version: true,
-              sdkVersion: true,
-              cliVersion: true,
-            },
-          })
-        : undefined;
-
-      const { queueName, lockedQueueId, taskTtl } =
-        await this.queueConcern.resolveQueueProperties(
-          triggerRequest,
-          lockedToBackgroundWorker ?? undefined
-        );
-
-      // Resolve TTL with precedence: per-trigger > task-level > dev default
-      let ttl: string | undefined;
-
-      if (body.options?.ttl !== undefined) {
-        ttl =
-          typeof body.options.ttl === "number"
-            ? stringifyDuration(body.options.ttl)
-            : body.options.ttl;
-      } else {
-        ttl = taskTtl ?? (environment.type === "DEVELOPMENT" ? "10m" : undefined);
-      }
+          if (!parentRunValidation.ok) {
+            throw parentRunValidation.error;
+          }
 
-      if (!options.skipChecks) {
-        const queueSizeGuard = await this.queueConcern.validateQueueLimits(
-          environment,
-          queueName
-        );
-
-        if (!queueSizeGuard.ok) {
-          throw new QueueSizeLimitExceededError(
-            `Cannot trigger ${taskId} as the queue size limit for this environment has been reached. The maximum size is ${queueSizeGuard.maximumSize}`,
-            queueSizeGuard.maximumSize ?? 0,
-            undefined,
-            "warn"
+          const idempotencyKeyConcernResult = await this.idempotencyKeyConcern.handleTriggerRequest(
+            triggerRequest,
+            parentRun?.taskEventStore
           );
-        }
-      }
 
-      const metadataPacket = body.options?.metadata
-        ? handleMetadataPacket(
-            body.options?.metadata,
-            body.options?.metadataType ?? "application/json",
-            this.metadataMaximumSize
-          )
-        : undefined;
-
-      const tags = (
-        body.options?.tags
-          ? typeof body.options.tags === "string"
-            ? [body.options.tags]
-            : body.options.tags
-          : []
-      ).filter((tag) => tag.trim().length > 0);
-
-      const depth = parentRun ? parentRun.depth + 1 : 0;
-
-      const workerQueueResult = await this.queueConcern.getWorkerQueue(
-        environment,
-        body.options?.region
-      );
-      const workerQueue = workerQueueResult?.masterQueue;
-      const enableFastPath = workerQueueResult?.enableFastPath ?? false;
-
-      // Build annotations for this run
-      const triggerSource = options.triggerSource ?? "api";
-      const triggerAction = options.triggerAction ?? "trigger";
-      const parentAnnotations = RunAnnotations.safeParse(parentRun?.annotations).data;
-      const annotations = {
-        triggerSource,
-        triggerAction,
-        rootTriggerSource: parentAnnotations?.rootTriggerSource ?? triggerSource,
-        rootScheduleId: parentAnnotations?.rootScheduleId || options.scheduleId || undefined,
-      };
-
-      try {
-        return await this.traceEventConcern.traceRun(
-          triggerRequest,
-          parentRun?.taskEventStore,
-          async (event, store) => {
-            event.setAttribute("queueName", queueName);
-            span.setAttribute("queueName", queueName);
-            event.setAttribute("runId", runFriendlyId);
-            span.setAttribute("runId", runFriendlyId);
-
-            const payloadPacket = await this.payloadProcessor.process(triggerRequest);
-
-            const taskRun = await this.engine.trigger(
-              {
-                friendlyId: runFriendlyId,
-                environment: environment,
-                idempotencyKey,
-                idempotencyKeyExpiresAt: idempotencyKey ? idempotencyKeyExpiresAt : undefined,
-                idempotencyKeyOptions: body.options?.idempotencyKeyOptions,
-                taskIdentifier: taskId,
-                payload: payloadPacket.data ?? "",
-                payloadType: payloadPacket.dataType,
-                context: body.context,
-                traceContext: this.#propagateExternalTraceContext(
-                  event.traceContext,
-                  parentRun?.traceContext,
-                  event.traceparent?.spanId
-                ),
-                traceId: event.traceId,
-                spanId: event.spanId,
-                parentSpanId:
-                  options.parentAsLinkType === "replay" ? undefined : event.traceparent?.spanId,
-                replayedFromTaskRunFriendlyId: options.replayedFromTaskRunFriendlyId,
-                lockedToVersionId: lockedToBackgroundWorker?.id,
-                taskVersion: lockedToBackgroundWorker?.version,
-                sdkVersion: lockedToBackgroundWorker?.sdkVersion,
-                cliVersion: lockedToBackgroundWorker?.cliVersion,
-                concurrencyKey: body.options?.concurrencyKey,
-                queue: queueName,
-                lockedQueueId,
-                workerQueue,
-                enableFastPath,
-                isTest: body.options?.test ?? false,
-                delayUntil,
-                queuedAt: delayUntil ? undefined : new Date(),
-                maxAttempts: body.options?.maxAttempts,
-                taskEventStore: store,
-                ttl,
-                tags,
-                oneTimeUseToken: options.oneTimeUseToken,
-                parentTaskRunId: parentRun?.id,
-                rootTaskRunId: parentRun?.rootTaskRunId ?? parentRun?.id,
-                batch: options?.batchId
-                  ? {
-                      id: options.batchId,
-                      index: options.batchIndex ?? 0,
-                    }
-                  : undefined,
-                resumeParentOnCompletion: body.options?.resumeParentOnCompletion,
-                depth,
-                metadata: metadataPacket?.data,
-                metadataType: metadataPacket?.dataType,
-                seedMetadata: metadataPacket?.data,
-                seedMetadataType: metadataPacket?.dataType,
-                maxDurationInSeconds: body.options?.maxDuration
-                  ? clampMaxDuration(body.options.maxDuration)
-                  : undefined,
-                machine: body.options?.machine,
-                priorityMs: body.options?.priority ? body.options.priority * 1_000 : undefined,
-                queueTimestamp:
-                  options.queueTimestamp ??
-                  (parentRun && body.options?.resumeParentOnCompletion
-                    ? parentRun.queueTimestamp ?? undefined
-                    : undefined),
-                scheduleId: options.scheduleId,
-                scheduleInstanceId: options.scheduleInstanceId,
-                createdAt: options.overrideCreatedAt,
-                bulkActionId: body.options?.bulkActionId,
-                planType,
-                realtimeStreamsVersion: options.realtimeStreamsVersion,
-                debounce: body.options?.debounce,
-                annotations,
-                // When debouncing with triggerAndWait, create a span for the debounced trigger
-                onDebounced:
-                  body.options?.debounce && body.options?.resumeParentOnCompletion
-                    ? async ({ existingRun, waitpoint, debounceKey }) => {
-                        return await this.traceEventConcern.traceDebouncedRun(
-                          triggerRequest,
-                          parentRun?.taskEventStore,
-                          {
-                            existingRun,
-                            debounceKey,
-                            incomplete: waitpoint.status === "PENDING",
-                            isError: waitpoint.outputIsError,
-                          },
-                          async (spanEvent) => {
-                            const spanId =
-                              options?.parentAsLinkType === "replay"
-                                ? spanEvent.spanId
-                                : spanEvent.traceparent?.spanId
-                                ? `${spanEvent.traceparent.spanId}:${spanEvent.spanId}`
-                                : spanEvent.spanId;
-                            return spanId;
-                          }
-                        );
-                      }
-                    : undefined,
+          if (idempotencyKeyConcernResult.isCached) {
+            return idempotencyKeyConcernResult;
+          }
+
+          const { idempotencyKey, idempotencyKeyExpiresAt, claim: claimResult } =
+            idempotencyKeyConcernResult;
+
+          // If we own an idempotency claim, the trigger pipeline below MUST
+          // resolve it — publish on success so waiters see our runId,
+          // release on error so the next claimant can retry. Stored in an
+          // outer scope so the try/catch at the bottom of `callV2` can act
+          // on whichever return path or throw the pipeline takes.
+          idempotencyClaim = claimResult;
+
+          if (idempotencyKey) {
+            await this.triggerRacepointSystem.waitForRacepoint({
+              racepoint: "idempotencyKey",
+              id: idempotencyKey,
+            });
+          }
+
+          const lockedToBackgroundWorker = body.options?.lockToVersion
+            ? await this.prisma.backgroundWorker.findFirst({
+              where: {
+                projectId: environment.projectId,
+                runtimeEnvironmentId: environment.id,
+                version: body.options?.lockToVersion,
+              },
+              select: {
+                id: true,
+                version: true,
+                sdkVersion: true,
+                cliVersion: true,
               },
-              this.prisma
+            })
+            : undefined;
+
+          const { queueName, lockedQueueId, taskTtl, taskKind } =
+            await this.queueConcern.resolveQueueProperties(
+              triggerRequest,
+              lockedToBackgroundWorker ?? undefined
             );
 
-            // If the returned run has a different friendlyId, it was debounced.
-            // For triggerAndWait: stop the outer span since a replacement debounced span was created via onDebounced.
-            // For regular trigger: let the span complete normally - no replacement span needed since the
-            // original run already has its span from when it was first created.
-            if (
-              taskRun.friendlyId !== runFriendlyId &&
-              body.options?.debounce &&
-              body.options?.resumeParentOnCompletion
-            ) {
-              event.stop();
-            }
+          // Resolve TTL with precedence: per-trigger > task-level > dev default
+          let ttl: string | undefined;
 
-            const error = taskRun.error ? TaskRunError.parse(taskRun.error) : undefined;
+          if (body.options?.ttl !== undefined) {
+            ttl =
+              typeof body.options.ttl === "number"
+                ? stringifyDuration(body.options.ttl)
+                : body.options.ttl;
+          } else {
+            ttl = taskTtl ?? (environment.type === "DEVELOPMENT" ? "10m" : undefined);
+          }
+
+          if (!options.skipChecks) {
+            const queueSizeGuard = await this.queueConcern.validateQueueLimits(
+              environment,
+              queueName
+            );
 
-            if (error) {
-              event.failWithError(error);
+            if (!queueSizeGuard.ok) {
+              throw new QueueSizeLimitExceededError(
+                `Cannot trigger ${taskId} as the queue size limit for this environment has been reached. The maximum size is ${queueSizeGuard.maximumSize}`,
+                queueSizeGuard.maximumSize ?? 0,
+                undefined,
+                "warn"
+              );
             }
+          }
 
-            const result = { run: taskRun, error, isCached: false };
+          const metadataPacket = body.options?.metadata
+            ? handleMetadataPacket(
+              body.options?.metadata,
+              body.options?.metadataType ?? "application/json",
+              this.metadataMaximumSize
+            )
+            : undefined;
+
+          const tags = (
+            body.options?.tags
+              ? typeof body.options.tags === "string"
+                ? [body.options.tags]
+                : body.options.tags
+              : []
+          ).filter((tag) => tag.trim().length > 0);
+
+          const depth = parentRun ? parentRun.depth + 1 : 0;
+
+          const workerQueueResult = await this.queueConcern.getWorkerQueue(
+            environment,
+            body.options?.region
+          );
+          const baseWorkerQueue = workerQueueResult?.masterQueue;
+          const enableFastPath = workerQueueResult?.enableFastPath ?? false;
+
+          // Build annotations for this run
+          const triggerSource = options.triggerSource ?? "api";
+          const triggerAction = options.triggerAction ?? "trigger";
+          const parentAnnotations = RunAnnotations.safeParse(parentRun?.annotations).data;
+          const annotations = {
+            triggerSource,
+            triggerAction,
+            rootTriggerSource: parentAnnotations?.rootTriggerSource ?? triggerSource,
+            rootScheduleId: parentAnnotations?.rootScheduleId || options.scheduleId || undefined,
+            taskKind: taskKind ?? "STANDARD",
+          };
+
+          // Route runs in a scheduled lineage (the scheduled run itself and every
+          // descendant, via the propagated rootTriggerSource) to a dedicated
+          // `<region>:scheduled` worker queue so a separate consumer fleet can
+          // dequeue them independently of standard/agent runs. Gated per-org with
+          // a global default, never applied to dev. Reads only the in-memory org
+          // flags already on the environment — no DB query on the hot path.
+          const scheduledQueueSplitEnabled =
+            environment.type !== "DEVELOPMENT" &&
+            resolveScheduledQueueSplitEnabled({
+              orgFeatureFlags: environment.organization.featureFlags as Record<
+                string,
+                unknown
+              > | null,
+              globalDefault: env.TRIGGER_WORKER_QUEUE_SCHEDULED_SPLIT_ENABLED === "1",
+            });
+          const workerQueue =
+            baseWorkerQueue !== undefined
+              ? workerQueueForRun({
+                  workerQueue: baseWorkerQueue,
+                  rootTriggerSource: annotations.rootTriggerSource,
+                  splitEnabled: scheduledQueueSplitEnabled,
+                })
+              : baseWorkerQueue;
+
+          try {
+            return await this.traceEventConcern.traceRun(
+              triggerRequest,
+              parentRun?.taskEventStore,
+              async (event, store) => {
+                event.setAttribute("queueName", queueName);
+                span.setAttribute("queueName", queueName);
+                event.setAttribute("runId", runFriendlyId);
+                span.setAttribute("runId", runFriendlyId);
+
+                // Short-circuit when mollifier is globally off (the default
+                // for every deployment that hasn't opted in). Avoids the
+                // GateInputs allocation, the deps spread inside `evaluateGate`,
+                // and the `mollifier.decisions{outcome=pass_through}` OTel
+                // increment on every trigger — `triggerTask` is the
+                // highest-throughput code path in the system. The check goes
+                // through a DI'd predicate so unit tests that inject a custom
+                // `evaluateGate` can also override the gate-on check (the
+                // default reads `env.TRIGGER_MOLLIFIER_ENABLED`, which is "0"
+                // in CI where no .env file is present).
+                //
+                // Batch items bypass the mollifier gate entirely.
+                //
+                // The mollify path returns a stripped run-shape `{ id,
+                // friendlyId, spanId }` with no PG row written. Batch
+                // tracking relies on `BatchTaskRunItem`, a join row whose
+                // `taskRunId` column has a NOT NULL FK to `TaskRun.id` —
+                // creating that join at trigger-time (in
+                // `batchTriggerV3.server.ts:871`) fails with FK violation
+                // for any mollified item, and skipping it at trigger-time
+                // would silently drop the batch↔run link forever because
+                // the drainer's materialise path doesn't (yet) create
+                // `BatchTaskRunItem`. Either side alone is wrong:
+                //   - skip at trigger-time only → batch progress
+                //     under-reports forever, `batchTriggerAndWait` parent
+                //     stays parked
+                //   - mollify at trigger-time only → FK violation, 500
+                //
+                // The proper end state is a drainer-side
+                // `BatchTaskRunItem` create-on-materialise (the snapshot
+                // already carries `batch: { id, index }` so the drainer
+                // has the info). That belongs in the drainer / replay PR,
+                // not here. Until that lands, batch triggers pass-through
+                // — they lose the burst-protection benefit, but the path
+                // works end-to-end.
+                const skipMollifierForBatch = !!options.batchId;
+                const mollifierOutcome: GateOutcome | null =
+                  this.isMollifierGloballyEnabled() && !skipMollifierForBatch
+                    ? await this.evaluateGate({
+                        envId: environment.id,
+                        orgId: environment.organizationId,
+                        taskId,
+                        orgFeatureFlags:
+                          (environment.organization.featureFlags as Record<string, unknown> | null) ??
+                          null,
+                        options: {
+                          debounce: body.options?.debounce,
+                          oneTimeUseToken: options.oneTimeUseToken,
+                          parentTaskRunId: body.options?.parentRunId,
+                          resumeParentOnCompletion: body.options?.resumeParentOnCompletion,
+                        },
+                      })
+                    : null;
+
+                // When the gate says mollify, write the engine.trigger input
+                // snapshot into the Redis buffer and return a synthesised
+                // TriggerTaskServiceResult. The customer never waits on
+                // Postgres; the drainer materialises the run later by replaying
+                // engine.trigger against the snapshot. The run span has already
+                // been opened by traceRun above (PARTIAL event in ClickHouse),
+                // so its traceId/spanId live in the snapshot and the drainer's
+                // `mollifier.drained` span parents on the same trace — buffered
+                // runs become visible in the dashboard's trace view immediately,
+                // not only after the drainer fires.
+                if (mollifierOutcome?.action === "mollify") {
+                  const mollifierBuffer = this.getMollifierBuffer();
+                  if (mollifierBuffer && !body.options?.debounce) {
+                    event.setAttribute("mollifier.reason", mollifierOutcome.decision.reason);
+                    event.setAttribute("mollifier.count", String(mollifierOutcome.decision.count));
+                    event.setAttribute(
+                      "mollifier.threshold",
+                      String(mollifierOutcome.decision.threshold)
+                    );
+                    event.setAttribute("taskRunId", runFriendlyId);
+
+                    const payloadPacket = await this.payloadProcessor.process(triggerRequest);
+
+                    const engineTriggerInput = this.#buildEngineTriggerInput({
+                      runFriendlyId,
+                      environment,
+                      idempotencyKey,
+                      idempotencyKeyExpiresAt,
+                      body,
+                      options,
+                      queueName,
+                      lockedQueueId,
+                      workerQueue,
+                      enableFastPath,
+                      lockedToBackgroundWorker: lockedToBackgroundWorker ?? undefined,
+                      delayUntil,
+                      ttl,
+                      metadataPacket,
+                      tags,
+                      depth,
+                      parentRun: parentRun ?? undefined,
+                      annotations,
+                      planType,
+                      taskId,
+                      payloadPacket,
+                      traceContext: this.#propagateExternalTraceContext(
+                        event.traceContext,
+                        parentRun?.traceContext,
+                        event.traceparent?.spanId
+                      ),
+                      traceId: event.traceId,
+                      spanId: event.spanId,
+                      parentSpanId:
+                        options.parentAsLinkType === "replay"
+                          ? undefined
+                          : event.traceparent?.spanId,
+                      taskEventStore: store,
+                    });
+
+                    const result = await mollifyTrigger({
+                      runFriendlyId,
+                      environmentId: environment.id,
+                      organizationId: environment.organizationId,
+                      engineTriggerInput,
+                      decision: mollifierOutcome.decision,
+                      buffer: mollifierBuffer,
+                      // Idempotency-key triple wires the buffer's SETNX into
+                      // the trigger-time dedup symmetric with PG.
+                      idempotencyKey,
+                      taskIdentifier: taskId,
+                    });
+
+                    logger.debug("mollifier.buffered", {
+                      runId: runFriendlyId,
+                      envId: environment.id,
+                      orgId: environment.organizationId,
+                      taskId,
+                      reason: mollifierOutcome.decision.reason,
+                    });
+
+                    // Synthetic result is structurally narrower than the full
+                    // TaskRun; the route handler only reads
+                    // `result.run.friendlyId`. traceRun flushes the PARTIAL
+                    // run-span event to ClickHouse on callback return.
+                    // `isMollified` flags the route to skip the request-
+                    // idempotency cache write — see the field's contract on
+                    // `TriggerTaskServiceResult`.
+                    return {
+                      ...(result as unknown as TriggerTaskServiceResult),
+                      isMollified: true,
+                    };
+                  }
+                  if (!mollifierBuffer) {
+                    logger.warn(
+                      "mollifier gate said mollify but buffer is null — falling through to pass-through"
+                    );
+                  }
+                }
+
+                const payloadPacket = await this.payloadProcessor.process(triggerRequest);
+
+                const baseEngineInput = this.#buildEngineTriggerInput({
+                  runFriendlyId,
+                  environment,
+                  idempotencyKey,
+                  idempotencyKeyExpiresAt,
+                  body,
+                  options,
+                  queueName,
+                  lockedQueueId,
+                  workerQueue,
+                  enableFastPath,
+                  lockedToBackgroundWorker: lockedToBackgroundWorker ?? undefined,
+                  delayUntil,
+                  ttl,
+                  metadataPacket,
+                  tags,
+                  depth,
+                  parentRun: parentRun ?? undefined,
+                  annotations,
+                  planType,
+                  taskId,
+                  payloadPacket,
+                  traceContext: this.#propagateExternalTraceContext(
+                    event.traceContext,
+                    parentRun?.traceContext,
+                    event.traceparent?.spanId
+                  ),
+                  traceId: event.traceId,
+                  spanId: event.spanId,
+                  parentSpanId:
+                    options.parentAsLinkType === "replay" ? undefined : event.traceparent?.spanId,
+                  taskEventStore: store,
+                });
+
+                const taskRun = await this.engine.trigger(
+                  {
+                    ...baseEngineInput,
+                    // onDebounced is a closure over webapp state (triggerRequest +
+                    // traceEventConcern) and can't be serialised into the mollifier
+                    // snapshot. The pass-through path attaches it here; the drainer
+                    // path replays without it. The debounce and triggerAndWait gate
+                    // bypasses ensure neither reaches the mollify branch.
+                    onDebounced:
+                      body.options?.debounce && body.options?.resumeParentOnCompletion
+                        ? async ({ existingRun, waitpoint, debounceKey }) => {
+                          return await this.traceEventConcern.traceDebouncedRun(
+                            triggerRequest,
+                            parentRun?.taskEventStore,
+                            {
+                              existingRun,
+                              debounceKey,
+                              incomplete: waitpoint.status === "PENDING",
+                              isError: waitpoint.outputIsError,
+                            },
+                            async (spanEvent) => {
+                              const spanId =
+                                options?.parentAsLinkType === "replay"
+                                  ? spanEvent.spanId
+                                  : spanEvent.traceparent?.spanId
+                                    ? `${spanEvent.traceparent.spanId}:${spanEvent.spanId}`
+                                    : spanEvent.spanId;
+                              return spanId;
+                            }
+                          );
+                        }
+                        : undefined,
+                  },
+                  this.prisma
+                );
+
+                // If the returned run has a different friendlyId, it was debounced.
+                // For triggerAndWait: stop the outer span since a replacement debounced span was created via onDebounced.
+                // For regular trigger: let the span complete normally - no replacement span needed since the
+                // original run already has its span from when it was first created.
+                if (
+                  taskRun.friendlyId !== runFriendlyId &&
+                  body.options?.debounce &&
+                  body.options?.resumeParentOnCompletion
+                ) {
+                  event.stop();
+                }
+
+                const error = taskRun.error ? TaskRunError.parse(taskRun.error) : undefined;
+
+                if (error) {
+                  event.failWithError(error);
+                }
+
+                const result = { run: taskRun, error, isCached: false };
+
+                if (result?.error) {
+                  throw new ServiceValidationError(
+                    taskRunErrorToString(taskRunErrorEnhancer(result.error))
+                  );
+                }
+
+                return result;
+              }
+            );
+          } catch (error) {
+            if (error instanceof RunDuplicateIdempotencyKeyError) {
+              //retry calling this function, because this time it will return the idempotent run
+              return await this.call({
+                taskId,
+                environment,
+                body,
+                options: { ...options, runFriendlyId },
+                attempt: attempt + 1,
+              });
+            }
 
-            if (result?.error) {
+            if (error instanceof RunOneTimeUseTokenError) {
               throw new ServiceValidationError(
-                taskRunErrorToString(taskRunErrorEnhancer(result.error))
+                `Cannot trigger ${taskId} with a one-time use token as it has already been used.`
               );
             }
 
-            return result;
+            throw error;
           }
-        );
-      } catch (error) {
-        if (error instanceof RunDuplicateIdempotencyKeyError) {
-          //retry calling this function, because this time it will return the idempotent run
-          return await this.call({
-            taskId,
-            environment,
-            body,
-            options: { ...options, runFriendlyId },
-            attempt: attempt + 1,
-          });
-        }
-
-        if (error instanceof RunOneTimeUseTokenError) {
-          throw new ServiceValidationError(
-            `Cannot trigger ${taskId} with a one-time use token as it has already been used.`
-          );
-        }
-
-        throw error;
+        },
+      );
+      // Pipeline returned successfully — publish the claim if we held
+      // one. Waiters polling for our key resolve to this runId.
+      if (idempotencyClaim && result?.run?.friendlyId) {
+        await publishMollifierClaim({
+          envId: idempotencyClaim.envId,
+          taskIdentifier: idempotencyClaim.taskIdentifier,
+          idempotencyKey: idempotencyClaim.idempotencyKey,
+          token: idempotencyClaim.token,
+          runId: result.run.friendlyId,
+          ttlSeconds: env.TRIGGER_MOLLIFIER_CLAIM_TTL_SECONDS,
+        });
       }
-    });
+      return result;
+    } catch (err) {
+      // Pipeline threw — release the claim so the next claimant can
+      // retry. Re-throw so the caller sees the original error.
+      if (idempotencyClaim) {
+        await releaseMollifierClaim(idempotencyClaim);
+      }
+      throw err;
+    }
+  }
+
+  // Build the engine.trigger() input object from the values gathered during
+  // this.call(). Extracted so the mollify path can construct the
+  // same input shape without re-entering the trace-run span. The pass-through
+  // path spreads this result and attaches `onDebounced` inline; the mollify
+  // path serialises it into the buffer for drainer replay.
+  #buildEngineTriggerInput(args: {
+    runFriendlyId: string;
+    environment: AuthenticatedEnvironment;
+    idempotencyKey?: string;
+    idempotencyKeyExpiresAt?: Date;
+    body: TriggerTaskRequest["body"];
+    options: TriggerTaskServiceOptions;
+    queueName: string;
+    lockedQueueId?: string;
+    workerQueue?: string;
+    enableFastPath: boolean;
+    lockedToBackgroundWorker?: { id: string; version: string; sdkVersion: string; cliVersion: string };
+    delayUntil?: Date;
+    ttl?: string;
+    metadataPacket?: { data?: string; dataType: string };
+    tags: string[];
+    depth: number;
+    parentRun?: { id: string; rootTaskRunId?: string | null; queueTimestamp?: Date | null; taskEventStore?: string };
+    annotations: {
+      triggerSource: string;
+      triggerAction: string;
+      rootTriggerSource: string;
+      rootScheduleId?: string | undefined;
+    };
+    planType?: string;
+    taskId: string;
+    payloadPacket: { data?: string; dataType: string };
+    traceContext: TriggerTraceContext;
+    traceId: string;
+    spanId: string;
+    parentSpanId: string | undefined;
+    taskEventStore: string;
+  }) {
+    return {
+      friendlyId: args.runFriendlyId,
+      environment: args.environment,
+      idempotencyKey: args.idempotencyKey,
+      idempotencyKeyExpiresAt: args.idempotencyKey ? args.idempotencyKeyExpiresAt : undefined,
+      idempotencyKeyOptions: args.body.options?.idempotencyKeyOptions,
+      taskIdentifier: args.taskId,
+      payload: args.payloadPacket.data ?? "",
+      payloadType: args.payloadPacket.dataType,
+      context: args.body.context,
+      traceContext: args.traceContext,
+      traceId: args.traceId,
+      spanId: args.spanId,
+      parentSpanId: args.parentSpanId,
+      replayedFromTaskRunFriendlyId: args.options.replayedFromTaskRunFriendlyId,
+      lockedToVersionId: args.lockedToBackgroundWorker?.id,
+      taskVersion: args.lockedToBackgroundWorker?.version,
+      sdkVersion: args.lockedToBackgroundWorker?.sdkVersion,
+      cliVersion: args.lockedToBackgroundWorker?.cliVersion,
+      // Schema-level coercion now lands `body.options.concurrencyKey` as
+      // `string` on the API path, but the BatchQueue worker rebuilds
+      // body.options from Redis-stored items (Record<string, unknown>),
+      // which can still carry the pre-fix shape from in-flight batches.
+      concurrencyKey:
+        typeof args.body.options?.concurrencyKey === "number"
+          ? String(args.body.options.concurrencyKey)
+          : args.body.options?.concurrencyKey,
+      queue: args.queueName,
+      lockedQueueId: args.lockedQueueId,
+      workerQueue: args.workerQueue,
+      enableFastPath: args.enableFastPath,
+      isTest: args.body.options?.test ?? false,
+      delayUntil: args.delayUntil,
+      queuedAt: args.delayUntil ? undefined : new Date(),
+      maxAttempts: args.body.options?.maxAttempts,
+      taskEventStore: args.taskEventStore,
+      ttl: args.ttl,
+      tags: args.tags,
+      oneTimeUseToken: args.options.oneTimeUseToken,
+      parentTaskRunId: args.parentRun?.id,
+      rootTaskRunId: args.parentRun?.rootTaskRunId ?? args.parentRun?.id,
+      batch: args.options?.batchId
+        ? { id: args.options.batchId, index: args.options.batchIndex ?? 0 }
+        : undefined,
+      resumeParentOnCompletion: args.body.options?.resumeParentOnCompletion,
+      depth: args.depth,
+      metadata: args.metadataPacket?.data,
+      metadataType: args.metadataPacket?.dataType,
+      seedMetadata: args.metadataPacket?.data,
+      seedMetadataType: args.metadataPacket?.dataType,
+      maxDurationInSeconds: args.body.options?.maxDuration
+        ? clampMaxDuration(args.body.options.maxDuration)
+        : undefined,
+      machine: args.body.options?.machine,
+      priorityMs: args.body.options?.priority ? args.body.options.priority * 1_000 : undefined,
+      queueTimestamp:
+        args.options.queueTimestamp ??
+        (args.parentRun && args.body.options?.resumeParentOnCompletion
+          ? args.parentRun.queueTimestamp ?? undefined
+          : undefined),
+      scheduleId: args.options.scheduleId,
+      scheduleInstanceId: args.options.scheduleInstanceId,
+      createdAt: args.options.overrideCreatedAt,
+      bulkActionId: args.body.options?.bulkActionId,
+      planType: args.planType,
+      realtimeStreamsVersion: args.options.realtimeStreamsVersion,
+      streamBasinName: args.environment.organization.streamBasinName,
+      debounce: args.body.options?.debounce,
+      annotations: args.annotations,
+    };
   }
 
   #propagateExternalTraceContext(
diff --git a/apps/webapp/app/runEngine/types.ts b/apps/webapp/app/runEngine/types.ts
index d5e61d01889..c0c5de1d2fd 100644
--- a/apps/webapp/app/runEngine/types.ts
+++ b/apps/webapp/app/runEngine/types.ts
@@ -37,18 +37,19 @@ export type TriggerTaskResult = {
 
 export type QueueValidationResult =
   | {
-      ok: true;
-    }
+    ok: true;
+  }
   | {
-      ok: false;
-      maximumSize: number;
-      queueSize: number;
-    };
+    ok: false;
+    maximumSize: number;
+    queueSize: number;
+  };
 
 export type QueueProperties = {
   queueName: string;
   lockedQueueId?: string;
   taskTtl?: string | null;
+  taskKind?: string;
 };
 
 export type LockedBackgroundWorker = Pick<
@@ -98,22 +99,22 @@ export interface ParentRunValidationParams {
 
 export type ValidationResult =
   | {
-      ok: true;
-    }
+    ok: true;
+  }
   | {
-      ok: false;
-      error: Error;
-    };
+    ok: false;
+    error: Error;
+  };
 
 export type EntitlementValidationResult =
   | {
-      ok: true;
-      plan?: ReportUsagePlan;
-    }
+    ok: true;
+    plan?: ReportUsagePlan;
+  }
   | {
-      ok: false;
-      error: Error;
-    };
+    ok: false;
+    error: Error;
+  };
 
 export interface TriggerTaskValidator {
   validateTags(params: TagValidationParams): ValidationResult;
diff --git a/apps/webapp/app/services/admin/missingLlmModels.server.ts b/apps/webapp/app/services/admin/missingLlmModels.server.ts
index 7ce6bc2ab7e..07e6160ee03 100644
--- a/apps/webapp/app/services/admin/missingLlmModels.server.ts
+++ b/apps/webapp/app/services/admin/missingLlmModels.server.ts
@@ -1,4 +1,4 @@
-import { adminClickhouseClient } from "~/services/clickhouseInstance.server";
+import { getAdminClickhouse } from "~/services/clickhouse/clickhouseFactory.server";
 import { llmPricingRegistry } from "~/v3/llmPricingRegistry.server";
 
 export type MissingLlmModel = {
@@ -13,8 +13,10 @@ export async function getMissingLlmModels(opts: {
   const lookbackHours = opts.lookbackHours ?? 24;
   const since = new Date(Date.now() - lookbackHours * 60 * 60 * 1000);
 
+  const adminClickhouse = getAdminClickhouse();
+
   // queryBuilderFast returns a factory function — call it to get the builder
-  const createBuilder = adminClickhouseClient.reader.queryBuilderFast<{
+  const createBuilder = adminClickhouse.reader.queryBuilderFast<{
     model: string;
     system: string;
     cnt: string;
@@ -93,7 +95,9 @@ export async function getMissingModelSamples(opts: {
   const limit = opts.limit ?? 10;
   const since = new Date(Date.now() - lookbackHours * 60 * 60 * 1000);
 
-  const createBuilder = adminClickhouseClient.reader.queryBuilderFast<MissingModelSample>({
+  const adminClickhouse = getAdminClickhouse();
+
+  const createBuilder = adminClickhouse.reader.queryBuilderFast<MissingModelSample>({
     name: "missingModelSamples",
     table: "trigger_dev.task_events_v2",
     columns: [
diff --git a/apps/webapp/app/services/apiAuth.server.ts b/apps/webapp/app/services/apiAuth.server.ts
index 611953efc4f..915311c07c1 100644
--- a/apps/webapp/app/services/apiAuth.server.ts
+++ b/apps/webapp/app/services/apiAuth.server.ts
@@ -1,5 +1,4 @@
 import { json } from "@remix-run/server-runtime";
-import { type Prettify } from "@trigger.dev/core";
 import { SignJWT, errors, jwtVerify } from "jose";
 import { z } from "zod";
 
@@ -7,8 +6,11 @@ import { $replica } from "~/db.server";
 import { env } from "~/env.server";
 import { findProjectByRef } from "~/models/project.server";
 import {
+  authIncludeBase,
+  authIncludeWithParent,
   findEnvironmentByApiKey,
   findEnvironmentByPublicApiKey,
+  toAuthenticated,
 } from "~/models/runtimeEnvironment.server";
 import { type RuntimeEnvironmentForEnvRepo } from "~/v3/environmentVariables/environmentVariablesRepository.server";
 import { logger } from "./logger.server";
@@ -23,7 +25,7 @@ import {
   isOrganizationAccessToken,
 } from "./organizationAccessToken.server";
 import { isPublicJWT, validatePublicJwtKey } from "./realtime/jwtAuth.server";
-import { sanitizeBranchName } from "~/v3/gitBranch";
+import { sanitizeBranchName } from "@trigger.dev/core/v3/utils/gitBranch";
 
 const ClaimsSchema = z.object({
   scopes: z.array(z.string()).optional(),
@@ -36,12 +38,10 @@ const ClaimsSchema = z.object({
     .optional(),
 });
 
-type Optional<T, K extends keyof T> = Prettify<Omit<T, K> & Partial<Pick<T, K>>>;
-
-export type AuthenticatedEnvironment = Optional<
-  NonNullable<Awaited<ReturnType<typeof findEnvironmentByApiKey>>>,
-  "orgMember"
->;
+// Re-export the slim shape defined in @trigger.dev/core. Single source of
+// truth across the auth boundary (RBAC plugin contract → webapp handlers).
+export type { AuthenticatedEnvironment } from "@trigger.dev/core/v3/auth/environment";
+import type { AuthenticatedEnvironment } from "@trigger.dev/core/v3/auth/environment";
 
 export type ApiAuthenticationResult =
   | ApiAuthenticationResultSuccess
@@ -52,7 +52,6 @@ export type ApiAuthenticationResultSuccess = {
   apiKey: string;
   type: "PUBLIC" | "PRIVATE" | "PUBLIC_JWT";
   environment: AuthenticatedEnvironment;
-  scopes?: string[];
   oneTimeUse?: boolean;
   realtime?: {
     skipColumns?: string[];
@@ -163,7 +162,6 @@ export async function authenticateApiKey(
         ok: true,
         ...result,
         environment: validationResults.environment,
-        scopes: parsedClaims.success ? parsedClaims.data.scopes : [],
         oneTimeUse: parsedClaims.success ? parsedClaims.data.otu : false,
         realtime: parsedClaims.success ? parsedClaims.data.realtime : undefined,
       };
@@ -246,7 +244,6 @@ async function authenticateApiKeyWithFailure(
         ok: true,
         ...result,
         environment: validationResults.environment,
-        scopes: parsedClaims.success ? parsedClaims.data.scopes : [],
         oneTimeUse: parsedClaims.success ? parsedClaims.data.otu : false,
         realtime: parsedClaims.success ? parsedClaims.data.realtime : undefined,
       };
@@ -510,17 +507,14 @@ export async function authenticatedEnvironmentForAuthentication(
                 }
               : {}),
           },
-          include: {
-            project: true,
-            organization: true,
-          },
+          include: authIncludeBase,
         });
 
         if (!environment) {
           throw json({ error: "Environment not found" }, { status: 404 });
         }
 
-        return environment;
+        return toAuthenticated(environment);
       }
 
       const environment = await $replica.runtimeEnvironment.findFirst({
@@ -530,11 +524,7 @@ export async function authenticatedEnvironmentForAuthentication(
           branchName: sanitizedBranch,
           archivedAt: null,
         },
-        include: {
-          project: true,
-          organization: true,
-          parentEnvironment: true,
-        },
+        include: authIncludeWithParent,
       });
 
       if (!environment) {
@@ -545,12 +535,13 @@ export async function authenticatedEnvironmentForAuthentication(
         throw json({ error: "Branch not associated with a preview environment" }, { status: 400 });
       }
 
-      return {
+      // PREVIEW envs reuse the parent's apiKey for downstream auth flows
+      // (signed JWTs, internal-fetch helpers). Override before mapping so
+      // the slim shape carries the parent's key.
+      return toAuthenticated({
         ...environment,
         apiKey: environment.parentEnvironment.apiKey,
-        organization: environment.organization,
-        project: environment.project,
-      };
+      });
     }
     case "organizationAccessToken": {
       const organization = await $replica.organization.findUnique({
@@ -582,17 +573,14 @@ export async function authenticatedEnvironmentForAuthentication(
             projectId: project.id,
             slug: slug,
           },
-          include: {
-            project: true,
-            organization: true,
-          },
+          include: authIncludeBase,
         });
 
         if (!environment) {
           throw json({ error: "Environment not found" }, { status: 404 });
         }
 
-        return environment;
+        return toAuthenticated(environment);
       }
 
       const environment = await $replica.runtimeEnvironment.findFirst({
@@ -602,11 +590,7 @@ export async function authenticatedEnvironmentForAuthentication(
           branchName: sanitizedBranch,
           archivedAt: null,
         },
-        include: {
-          project: true,
-          organization: true,
-          parentEnvironment: true,
-        },
+        include: authIncludeWithParent,
       });
 
       if (!environment) {
@@ -617,12 +601,10 @@ export async function authenticatedEnvironmentForAuthentication(
         throw json({ error: "Branch not associated with a preview environment" }, { status: 400 });
       }
 
-      return {
+      return toAuthenticated({
         ...environment,
         apiKey: environment.parentEnvironment.apiKey,
-        organization: environment.organization,
-        project: environment.project,
-      };
+      });
     }
     default: {
       auth satisfies never;
diff --git a/apps/webapp/app/services/apiRateLimit.server.ts b/apps/webapp/app/services/apiRateLimit.server.ts
index dee0a889d1b..4621146bd66 100644
--- a/apps/webapp/app/services/apiRateLimit.server.ts
+++ b/apps/webapp/app/services/apiRateLimit.server.ts
@@ -51,6 +51,7 @@ export const apiRateLimiter = authorizationRateLimitMiddleware({
     "/api/v1/authorization-code",
     "/api/v1/token",
     "/api/v1/usage/ingest",
+    "/api/v1/plain/customer-cards",
     /^\/api\/v1\/tasks\/[^\/]+\/callback\/[^\/]+$/, // /api/v1/tasks/$id/callback/$secret
     /^\/api\/v1\/runs\/[^\/]+\/tasks\/[^\/]+\/callback\/[^\/]+$/, // /api/v1/runs/$runId/tasks/$id/callback/$secret
     /^\/api\/v1\/http-endpoints\/[^\/]+\/env\/[^\/]+\/[^\/]+$/, // /api/v1/http-endpoints/$httpEndpointId/env/$envType/$shortcode
@@ -62,6 +63,14 @@ export const apiRateLimiter = authorizationRateLimitMiddleware({
     /^\/api\/v1\/runs\/[^\/]+\/attempts$/, // /api/v1/runs/$runFriendlyId/attempts
     /^\/api\/v1\/waitpoints\/tokens\/[^\/]+\/callback\/[^\/]+$/, // /api/v1/waitpoints/tokens/$waitpointFriendlyId/callback/$hash
     /^\/api\/v\d+\/deployments/, // /api/v{1,2,3,n}/deployments/*
+    // Internal SDK plumbing — packets are presigned-URL handshakes for
+    // payload uploads (v2 PUT) and downloads (v1 GET), authenticated via
+    // run-scoped JWT, called once per task/turn boundary by the runtime.
+    // Same shape as `/api/v1/runs/$runFriendlyId/attempts` above; not a
+    // customer-facing surface so customer rate limits shouldn't apply.
+    /^\/api\/v1\/packets\//,
+    /^\/api\/v2\/packets\//,
+    /^\/api\/v1\/sessions\/[^\/]+\/snapshot-url$/,
   ],
   log: {
     rejections: env.API_RATE_LIMIT_REJECTION_LOGS_ENABLED === "1",
diff --git a/apps/webapp/app/services/authorization.server.ts b/apps/webapp/app/services/authorization.server.ts
deleted file mode 100644
index 0406c02438e..00000000000
--- a/apps/webapp/app/services/authorization.server.ts
+++ /dev/null
@@ -1,113 +0,0 @@
-export type AuthorizationAction = "read" | "write" | string; // Add more actions as needed
-
-const ResourceTypes = ["tasks", "tags", "runs", "batch", "waitpoints", "deployments", "inputStreams", "query", "prompts"] as const;
-
-export type AuthorizationResources = {
-  [key in (typeof ResourceTypes)[number]]?: string | string[];
-};
-
-export type AuthorizationEntity = {
-  type: "PUBLIC" | "PRIVATE" | "PUBLIC_JWT";
-  scopes?: string[];
-};
-
-/**
- * Checks if the given entity is authorized to perform a specific action on a resource.
- *
- * @param entity - The entity requesting authorization.
- * @param action - The action the entity wants to perform.
- * @param resource - The resource on which the action is to be performed.
- * @param superScopes - An array of super scopes that can bypass the normal authorization checks.
- *
- * @example
- *
- * ```typescript
- * import { checkAuthorization } from "./authorization.server";
- *
- * const entity = {
- *  type: "PUBLIC",
- *  scope: ["read:runs:run_1234", "read:tasks"]
- * };
- *
- * checkAuthorization(entity, "read", { runs: "run_1234" }); // Returns true
- * checkAuthorization(entity, "read", { runs: "run_5678" }); // Returns false
- * checkAuthorization(entity, "read", { tasks: "task_1234" }); // Returns true
- * checkAuthorization(entity, "read", { tasks: ["task_5678"] }); // Returns true
- * ```
- */
-export type AuthorizationResult = { authorized: true } | { authorized: false; reason: string };
-
-/**
- * Checks if the given entity is authorized to perform a specific action on a resource.
- */
-export function checkAuthorization(
-  entity: AuthorizationEntity,
-  action: AuthorizationAction,
-  resource: AuthorizationResources,
-  superScopes?: string[]
-): AuthorizationResult {
-  // "PRIVATE" is a secret key and has access to everything
-  if (entity.type === "PRIVATE") {
-    return { authorized: true };
-  }
-
-  // "PUBLIC" is a deprecated key and has no access
-  if (entity.type === "PUBLIC") {
-    return { authorized: false, reason: "PUBLIC type is deprecated and has no access" };
-  }
-
-  // If the entity has no permissions, deny access
-  if (!entity.scopes || entity.scopes.length === 0) {
-    return {
-      authorized: false,
-      reason:
-        "Public Access Token has no permissions. See https://trigger.dev/docs/frontend/overview#authentication for more information.",
-    };
-  }
-
-  // If the resource object is empty, deny access
-  if (Object.keys(resource).length === 0) {
-    return { authorized: false, reason: "Resource object is empty" };
-  }
-
-  // Check for any of the super scopes
-  if (superScopes && superScopes.length > 0) {
-    if (superScopes.some((permission) => entity.scopes?.includes(permission))) {
-      return { authorized: true };
-    }
-  }
-
-  const filteredResource = Object.keys(resource).reduce((acc, key) => {
-    if (ResourceTypes.includes(key)) {
-      acc[key as keyof AuthorizationResources] = resource[key as keyof AuthorizationResources];
-    }
-    return acc;
-  }, {} as AuthorizationResources);
-
-  // Check each resource type
-  for (const [resourceType, resourceValue] of Object.entries(filteredResource)) {
-    const resourceValues = Array.isArray(resourceValue) ? resourceValue : [resourceValue];
-
-    for (const value of resourceValues) {
-      // Check for specific resource permission
-      const specificPermission = `${action}:${resourceType}:${value}`;
-      // Check for general resource type permission
-      const generalPermission = `${action}:${resourceType}`;
-
-      // If any permission matches, return authorized
-      if (entity.scopes.includes(specificPermission) || entity.scopes.includes(generalPermission)) {
-        return { authorized: true };
-      }
-    }
-  }
-
-  // No matching permissions found
-  return {
-    authorized: false,
-    reason: `Public Access Token is missing required permissions. Token has the following permissions: ${entity.scopes
-      .map((s) => `'${s}'`)
-      .join(
-        ", "
-      )}. See https://trigger.dev/docs/frontend/overview#authentication for more information.`,
-  };
-}
diff --git a/apps/webapp/app/services/autoIncrementCounter.server.ts b/apps/webapp/app/services/autoIncrementCounter.server.ts
index 205e6ef9c1c..b11a3f4e11d 100644
--- a/apps/webapp/app/services/autoIncrementCounter.server.ts
+++ b/apps/webapp/app/services/autoIncrementCounter.server.ts
@@ -1,4 +1,5 @@
 import Redis, { RedisOptions } from "ioredis";
+import { defaultReconnectOnError } from "@internal/redis";
 import { Prisma, PrismaClientOrTransaction, PrismaTransactionOptions, prisma } from "~/db.server";
 import { env } from "~/env.server";
 import { singleton } from "~/utils/singleton";
@@ -11,7 +12,7 @@ export class AutoIncrementCounter {
   private _redis: Redis;
 
   constructor(private options: AutoIncrementCounterOptions) {
-    this._redis = new Redis(options.redis);
+    this._redis = new Redis({ reconnectOnError: defaultReconnectOnError, ...options.redis });
   }
 
   async incrementInTransaction<T>(
diff --git a/apps/webapp/app/services/clickhouse/clickhouseFactory.server.ts b/apps/webapp/app/services/clickhouse/clickhouseFactory.server.ts
new file mode 100644
index 00000000000..7c20dd3a2a5
--- /dev/null
+++ b/apps/webapp/app/services/clickhouse/clickhouseFactory.server.ts
@@ -0,0 +1,590 @@
+import { ClickHouse } from "@internal/clickhouse";
+import { createHash } from "crypto";
+import { ClickhouseEventRepository } from "~/v3/eventRepository/clickhouseEventRepository.server";
+import { env } from "~/env.server";
+import { clampToEmergencySpanCap } from "~/v3/eventRepository/emergencySpanCap.server";
+import { singleton } from "~/utils/singleton";
+import type { OrganizationDataStoresRegistry } from "~/services/dataStores/organizationDataStoresRegistry.server";
+import { type IEventRepository } from "~/v3/eventRepository/eventRepository.types";
+
+// ---------------------------------------------------------------------------
+// Default clients (singleton per process)
+// ---------------------------------------------------------------------------
+
+const defaultClickhouseClient = singleton("clickhouseClient", initializeClickhouseClient);
+
+function initializeClickhouseClient() {
+  const url = new URL(env.CLICKHOUSE_URL);
+  url.searchParams.delete("secure");
+
+  console.log(`🗃️  Clickhouse service enabled to host ${url.host}`);
+
+  return new ClickHouse({
+    url: url.toString(),
+    name: "clickhouse-instance",
+    keepAlive: {
+      enabled: env.CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
+      idleSocketTtl: env.CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+    },
+    logLevel: env.CLICKHOUSE_LOG_LEVEL,
+    compression: { request: true },
+    maxOpenConnections: env.CLICKHOUSE_MAX_OPEN_CONNECTIONS,
+  });
+}
+
+const defaultLogsClickhouseClient = singleton(
+  "logsClickhouseClient",
+  initializeLogsClickhouseClient
+);
+
+function getLogsListClickhouseSettings() {
+  return {
+    max_memory_usage: env.CLICKHOUSE_LOGS_LIST_MAX_MEMORY_USAGE.toString(),
+    max_bytes_before_external_sort:
+      env.CLICKHOUSE_LOGS_LIST_MAX_BYTES_BEFORE_EXTERNAL_SORT.toString(),
+    max_threads: env.CLICKHOUSE_LOGS_LIST_MAX_THREADS,
+    ...(env.CLICKHOUSE_LOGS_LIST_MAX_ROWS_TO_READ && {
+      max_rows_to_read: env.CLICKHOUSE_LOGS_LIST_MAX_ROWS_TO_READ.toString(),
+    }),
+    ...(env.CLICKHOUSE_LOGS_LIST_MAX_EXECUTION_TIME && {
+      max_execution_time: env.CLICKHOUSE_LOGS_LIST_MAX_EXECUTION_TIME,
+    }),
+  };
+}
+
+function initializeLogsClickhouseClient() {
+  if (!env.LOGS_CLICKHOUSE_URL) {
+    throw new Error("LOGS_CLICKHOUSE_URL is not set");
+  }
+
+  const url = new URL(env.LOGS_CLICKHOUSE_URL);
+  url.searchParams.delete("secure");
+
+  return new ClickHouse({
+    url: url.toString(),
+    name: "logs-clickhouse",
+    keepAlive: {
+      enabled: env.CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
+      idleSocketTtl: env.CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+    },
+    logLevel: env.CLICKHOUSE_LOG_LEVEL,
+    compression: { request: true },
+    maxOpenConnections: env.CLICKHOUSE_MAX_OPEN_CONNECTIONS,
+    clickhouseSettings: getLogsListClickhouseSettings(),
+  });
+}
+
+const defaultAdminClickhouseClient = singleton(
+  "adminClickhouseClient",
+  initializeAdminClickhouseClient
+);
+
+function initializeAdminClickhouseClient() {
+  if (!env.ADMIN_CLICKHOUSE_URL) {
+    throw new Error("ADMIN_CLICKHOUSE_URL is not set");
+  }
+
+  const url = new URL(env.ADMIN_CLICKHOUSE_URL);
+  url.searchParams.delete("secure");
+
+  return new ClickHouse({
+    url: url.toString(),
+    name: "admin-clickhouse",
+    keepAlive: {
+      enabled: env.CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
+      idleSocketTtl: env.CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+    },
+    logLevel: env.CLICKHOUSE_LOG_LEVEL,
+    compression: { request: true },
+    maxOpenConnections: env.CLICKHOUSE_MAX_OPEN_CONNECTIONS,
+  });
+}
+
+const defaultQueryClickhouseClient = singleton(
+  "queryClickhouseClient",
+  initializeQueryClickhouseClient
+);
+
+function initializeQueryClickhouseClient() {
+  if (!env.QUERY_CLICKHOUSE_URL) {
+    throw new Error("QUERY_CLICKHOUSE_URL is not set");
+  }
+
+  const url = new URL(env.QUERY_CLICKHOUSE_URL);
+  url.searchParams.delete("secure");
+
+  return new ClickHouse({
+    url: url.toString(),
+    name: "query-clickhouse",
+    keepAlive: {
+      enabled: env.CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
+      idleSocketTtl: env.CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+    },
+    logLevel: env.CLICKHOUSE_LOG_LEVEL,
+    compression: { request: true },
+    maxOpenConnections: env.CLICKHOUSE_MAX_OPEN_CONNECTIONS,
+  });
+}
+
+/** TaskRun replication to ClickHouse (`RUN_REPLICATION_CLICKHOUSE_URL`); not exported. */
+const defaultRunsReplicationClickhouseClient = singleton(
+  "runsReplicationClickhouseClient",
+  initializeRunsReplicationClickhouseClient
+);
+
+function initializeRunsReplicationClickhouseClient(): ClickHouse {
+  if (!env.RUN_REPLICATION_CLICKHOUSE_URL) {
+    // Runs replication worker gates on this URL; factory may still resolve "replication" for tests.
+    return defaultClickhouseClient;
+  }
+
+  const url = new URL(env.RUN_REPLICATION_CLICKHOUSE_URL);
+  url.searchParams.delete("secure");
+
+  return new ClickHouse({
+    url: url.toString(),
+    name: "runs-replication",
+    keepAlive: {
+      enabled: env.RUN_REPLICATION_KEEP_ALIVE_ENABLED === "1",
+      idleSocketTtl: env.RUN_REPLICATION_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+    },
+    logLevel: env.RUN_REPLICATION_CLICKHOUSE_LOG_LEVEL,
+    compression: { request: true },
+    maxOpenConnections: env.RUN_REPLICATION_MAX_OPEN_CONNECTIONS,
+  });
+}
+
+/** Session replication to ClickHouse (`SESSION_REPLICATION_CLICKHOUSE_URL`); not exported. */
+const defaultSessionsReplicationClickhouseClient = singleton(
+  "sessionsReplicationClickhouseClient",
+  initializeSessionsReplicationClickhouseClient
+);
+
+function initializeSessionsReplicationClickhouseClient(): ClickHouse {
+  if (!env.SESSION_REPLICATION_CLICKHOUSE_URL) {
+    // Sessions replication worker gates on this URL; factory may still resolve "sessions_replication" for tests.
+    return defaultClickhouseClient;
+  }
+
+  const url = new URL(env.SESSION_REPLICATION_CLICKHOUSE_URL);
+  url.searchParams.delete("secure");
+
+  return new ClickHouse({
+    url: url.toString(),
+    name: "sessions-replication",
+    keepAlive: {
+      enabled: env.SESSION_REPLICATION_KEEP_ALIVE_ENABLED === "1",
+      idleSocketTtl: env.SESSION_REPLICATION_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+    },
+    logLevel: env.SESSION_REPLICATION_CLICKHOUSE_LOG_LEVEL,
+    compression: { request: true },
+    maxOpenConnections: env.SESSION_REPLICATION_MAX_OPEN_CONNECTIONS,
+  });
+}
+
+/** Run-engine PendingVersionSystem lookup (`RUN_ENGINE_CLICKHOUSE_URL`);
+ *  falls back to the default client if unset. */
+const defaultRunEngineClickhouseClient = singleton(
+  "runEngineClickhouseClient",
+  initializeRunEngineClickhouseClient
+);
+
+function initializeRunEngineClickhouseClient(): ClickHouse {
+  if (!env.RUN_ENGINE_CLICKHOUSE_URL) {
+    return defaultClickhouseClient;
+  }
+
+  const url = new URL(env.RUN_ENGINE_CLICKHOUSE_URL);
+  url.searchParams.delete("secure");
+
+  return new ClickHouse({
+    url: url.toString(),
+    name: "run-engine-clickhouse",
+    keepAlive: {
+      enabled: env.RUN_ENGINE_CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
+      idleSocketTtl: env.RUN_ENGINE_CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+    },
+    logLevel: env.RUN_ENGINE_CLICKHOUSE_LOG_LEVEL,
+    compression: {
+      request: env.RUN_ENGINE_CLICKHOUSE_COMPRESSION_REQUEST === "1",
+    },
+    maxOpenConnections: env.RUN_ENGINE_CLICKHOUSE_MAX_OPEN_CONNECTIONS,
+  });
+}
+
+/** Realtime runs feed tag/batch id resolution (`REALTIME_BACKEND_NATIVE_CLICKHOUSE_URL`);
+ *  falls back to the default client if unset. */
+const defaultRealtimeClickhouseClient = singleton(
+  "realtimeClickhouseClient",
+  initializeRealtimeClickhouseClient
+);
+
+function initializeRealtimeClickhouseClient(): ClickHouse {
+  if (!env.REALTIME_BACKEND_NATIVE_CLICKHOUSE_URL) {
+    return defaultClickhouseClient;
+  }
+
+  const url = new URL(env.REALTIME_BACKEND_NATIVE_CLICKHOUSE_URL);
+  url.searchParams.delete("secure");
+
+  return new ClickHouse({
+    url: url.toString(),
+    name: "realtime-runs-clickhouse",
+    keepAlive: {
+      enabled: env.REALTIME_BACKEND_NATIVE_CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
+      idleSocketTtl: env.REALTIME_BACKEND_NATIVE_CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+    },
+    logLevel: env.REALTIME_BACKEND_NATIVE_CLICKHOUSE_LOG_LEVEL,
+    compression: {
+      request: env.REALTIME_BACKEND_NATIVE_CLICKHOUSE_COMPRESSION_REQUEST === "1",
+    },
+    maxOpenConnections: env.REALTIME_BACKEND_NATIVE_CLICKHOUSE_MAX_OPEN_CONNECTIONS,
+  });
+}
+
+/** Task events (`EVENTS_CLICKHOUSE_URL`); not exported — accessed via factory. */
+const defaultEventsClickhouseClient = singleton(
+  "eventsClickhouseClient",
+  initializeEventsClickhouseClient
+);
+
+function initializeEventsClickhouseClient(): ClickHouse {
+  if (!env.EVENTS_CLICKHOUSE_URL) {
+    throw new Error("EVENTS_CLICKHOUSE_URL is not set");
+  }
+
+  const url = new URL(env.EVENTS_CLICKHOUSE_URL);
+  url.searchParams.delete("secure");
+
+  return new ClickHouse({
+    url: url.toString(),
+    name: "task-events",
+    keepAlive: {
+      enabled: env.EVENTS_CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
+      idleSocketTtl: env.EVENTS_CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+    },
+    logLevel: env.EVENTS_CLICKHOUSE_LOG_LEVEL,
+    compression: {
+      request: env.EVENTS_CLICKHOUSE_COMPRESSION_REQUEST === "1",
+    },
+    maxOpenConnections: env.EVENTS_CLICKHOUSE_MAX_OPEN_CONNECTIONS,
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function hashHostname(url: string): string {
+  const parsed = new URL(url);
+  return createHash("sha256").update(parsed.hostname).digest("hex");
+}
+
+export type ClientType =
+  | "standard"
+  | "events"
+  | "replication"
+  | "sessions_replication"
+  | "logs"
+  | "query"
+  | "admin"
+  | "engine"
+  | "realtime";
+
+function buildOrgClickhouseClient(url: string, clientType: ClientType): ClickHouse {
+  const parsed = new URL(url);
+  parsed.searchParams.delete("secure");
+  const name = `org-clickhouse-${clientType}`;
+
+  switch (clientType) {
+    case "events":
+      return new ClickHouse({
+        url: parsed.toString(),
+        name,
+        keepAlive: {
+          enabled: env.EVENTS_CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
+          idleSocketTtl: env.EVENTS_CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+        },
+        logLevel: env.EVENTS_CLICKHOUSE_LOG_LEVEL,
+        compression: {
+          request: env.EVENTS_CLICKHOUSE_COMPRESSION_REQUEST === "1",
+        },
+        maxOpenConnections: env.EVENTS_CLICKHOUSE_MAX_OPEN_CONNECTIONS,
+      });
+    case "replication":
+      return new ClickHouse({
+        url: parsed.toString(),
+        name,
+        keepAlive: {
+          enabled: env.RUN_REPLICATION_KEEP_ALIVE_ENABLED === "1",
+          idleSocketTtl: env.RUN_REPLICATION_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+        },
+        logLevel: env.RUN_REPLICATION_CLICKHOUSE_LOG_LEVEL,
+        compression: { request: true },
+        maxOpenConnections: env.RUN_REPLICATION_MAX_OPEN_CONNECTIONS,
+      });
+    case "sessions_replication":
+      return new ClickHouse({
+        url: parsed.toString(),
+        name,
+        keepAlive: {
+          enabled: env.SESSION_REPLICATION_KEEP_ALIVE_ENABLED === "1",
+          idleSocketTtl: env.SESSION_REPLICATION_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+        },
+        logLevel: env.SESSION_REPLICATION_CLICKHOUSE_LOG_LEVEL,
+        compression: { request: true },
+        maxOpenConnections: env.SESSION_REPLICATION_MAX_OPEN_CONNECTIONS,
+      });
+    case "logs":
+      return new ClickHouse({
+        url: parsed.toString(),
+        name,
+        keepAlive: {
+          enabled: env.CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
+          idleSocketTtl: env.CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+        },
+        logLevel: env.CLICKHOUSE_LOG_LEVEL,
+        compression: { request: true },
+        maxOpenConnections: env.CLICKHOUSE_MAX_OPEN_CONNECTIONS,
+        clickhouseSettings: getLogsListClickhouseSettings(),
+      });
+    case "engine":
+      return new ClickHouse({
+        url: parsed.toString(),
+        name,
+        keepAlive: {
+          enabled: env.RUN_ENGINE_CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
+          idleSocketTtl: env.RUN_ENGINE_CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+        },
+        logLevel: env.RUN_ENGINE_CLICKHOUSE_LOG_LEVEL,
+        compression: {
+          request: env.RUN_ENGINE_CLICKHOUSE_COMPRESSION_REQUEST === "1",
+        },
+        maxOpenConnections: env.RUN_ENGINE_CLICKHOUSE_MAX_OPEN_CONNECTIONS,
+      });
+    case "realtime":
+      return new ClickHouse({
+        url: parsed.toString(),
+        name,
+        keepAlive: {
+          enabled: env.REALTIME_BACKEND_NATIVE_CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
+          idleSocketTtl: env.REALTIME_BACKEND_NATIVE_CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+        },
+        logLevel: env.REALTIME_BACKEND_NATIVE_CLICKHOUSE_LOG_LEVEL,
+        compression: {
+          request: env.REALTIME_BACKEND_NATIVE_CLICKHOUSE_COMPRESSION_REQUEST === "1",
+        },
+        maxOpenConnections: env.REALTIME_BACKEND_NATIVE_CLICKHOUSE_MAX_OPEN_CONNECTIONS,
+      });
+    case "standard":
+    case "query":
+    case "admin":
+      return new ClickHouse({
+        url: parsed.toString(),
+        name,
+        keepAlive: {
+          enabled: env.CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
+          idleSocketTtl: env.CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
+        },
+        logLevel: env.CLICKHOUSE_LOG_LEVEL,
+        compression: { request: true },
+        maxOpenConnections: env.CLICKHOUSE_MAX_OPEN_CONNECTIONS,
+      });
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Factory class (injectable for testing)
+// ---------------------------------------------------------------------------
+
+export class ClickhouseFactory {
+  /** ClickHouse clients keyed by hostname hash + clientType. */
+  private readonly _clientCache = new Map<string, ClickHouse>();
+  /** Event repositories keyed by hostname hash (stateful, must be reused). */
+  private readonly _eventRepositoryCache = new Map<string, ClickhouseEventRepository>();
+
+  constructor(private readonly _registry: OrganizationDataStoresRegistry) {}
+
+  async isReady(): Promise<boolean> {
+    if (!this._registry.isLoaded) {
+      await this._registry.isReady;
+    }
+    return true;
+  }
+
+  async getClickhouseForOrganization(
+    organizationId: string,
+    clientType: ClientType
+  ): Promise<ClickHouse> {
+    if (!this._registry.isLoaded) {
+      await this._registry.isReady;
+    }
+
+    return this.getClickhouseForOrganizationSync(organizationId, clientType);
+  }
+
+  getClickhouseForOrganizationSync(organizationId: string, clientType: ClientType): ClickHouse {
+    const dataStore = this._registry.get(organizationId, "CLICKHOUSE");
+
+    if (!dataStore) {
+      switch (clientType) {
+        case "standard":
+          return defaultClickhouseClient;
+        case "events":
+          return defaultEventsClickhouseClient;
+        case "replication":
+          return defaultRunsReplicationClickhouseClient;
+        case "sessions_replication":
+          return defaultSessionsReplicationClickhouseClient;
+        case "logs":
+          return defaultLogsClickhouseClient;
+        case "query":
+          return defaultQueryClickhouseClient;
+        case "admin":
+          return defaultAdminClickhouseClient;
+        case "engine":
+          return defaultRunEngineClickhouseClient;
+        case "realtime":
+          return defaultRealtimeClickhouseClient;
+      }
+    }
+
+    const hostnameHash = hashHostname(dataStore.url);
+    const cacheKey = `${hostnameHash}:${clientType}`;
+    let client = this._clientCache.get(cacheKey);
+
+    if (!client) {
+      client = buildOrgClickhouseClient(dataStore.url, clientType);
+      this._clientCache.set(cacheKey, client);
+    }
+
+    return client;
+  }
+
+  async getEventRepositoryForOrganization(
+    store: string,
+    organizationId: string
+  ): Promise<{ key: string; repository: IEventRepository }> {
+    if (!this._registry.isLoaded) {
+      await this._registry.isReady;
+    }
+
+    return this.getEventRepositoryForOrganizationSync(store, organizationId);
+  }
+
+  getEventRepositoryForOrganizationSync(
+    store: string,
+    organizationId: string
+  ): { key: string; repository: IEventRepository } {
+    const dataStore = this._registry.get(organizationId, "CLICKHOUSE");
+
+    if (!dataStore) {
+      const defaultKey = `default:events:${store}`;
+      let defaultRepo = this._eventRepositoryCache.get(defaultKey);
+      if (!defaultRepo) {
+        const eventsClickhouse = getEventsClickhouseClient();
+        defaultRepo = buildEventRepository(store, eventsClickhouse);
+        this._eventRepositoryCache.set(defaultKey, defaultRepo);
+      }
+      return { key: defaultKey, repository: defaultRepo };
+    }
+
+    const hostnameHash = hashHostname(dataStore.url);
+    const cacheKey = `${hostnameHash}:events:${store}`;
+    let repository = this._eventRepositoryCache.get(cacheKey);
+
+    if (!repository) {
+      const client = this.getClickhouseForOrganizationSync(organizationId, "events");
+      repository = buildEventRepository(store, client);
+      this._eventRepositoryCache.set(cacheKey, repository);
+    }
+
+    return { key: cacheKey, repository: repository };
+  }
+}
+
+/**
+ * Get admin ClickHouse client for cross-organization queries.
+ * Only use for admin tools and analytics that need to query across all orgs.
+ */
+export function getAdminClickhouse(): ClickHouse {
+  return defaultAdminClickhouseClient;
+}
+
+export function getDefaultClickhouseClient(): ClickHouse {
+  return defaultClickhouseClient;
+}
+
+export function getDefaultLogsClickhouseClient(): ClickHouse {
+  return defaultLogsClickhouseClient;
+}
+
+// ---------------------------------------------------------------------------
+// Private helpers
+// ---------------------------------------------------------------------------
+
+function getEventsClickhouseClient(): ClickHouse {
+  return defaultEventsClickhouseClient;
+}
+
+function buildEventRepository(store: string, clickhouse: ClickHouse): ClickhouseEventRepository {
+  switch (store) {
+    case "clickhouse": {
+      return new ClickhouseEventRepository({
+        clickhouse,
+        batchSize: env.EVENTS_CLICKHOUSE_BATCH_SIZE,
+        flushInterval: env.EVENTS_CLICKHOUSE_FLUSH_INTERVAL_MS,
+        maximumTraceSummaryViewCount: clampToEmergencySpanCap(
+          env.EVENTS_CLICKHOUSE_MAX_TRACE_SUMMARY_VIEW_COUNT
+        ),
+        maximumTraceDetailedSummaryViewCount: clampToEmergencySpanCap(
+          env.EVENTS_CLICKHOUSE_MAX_TRACE_DETAILED_SUMMARY_VIEW_COUNT
+        ),
+        maximumLiveReloadingSetting: env.EVENTS_CLICKHOUSE_MAX_LIVE_RELOADING_SETTING,
+        insertStrategy: env.EVENTS_CLICKHOUSE_INSERT_STRATEGY,
+        waitForAsyncInsert: env.EVENTS_CLICKHOUSE_WAIT_FOR_ASYNC_INSERT === "1",
+        asyncInsertMaxDataSize: env.EVENTS_CLICKHOUSE_ASYNC_INSERT_MAX_DATA_SIZE,
+        asyncInsertBusyTimeoutMs: env.EVENTS_CLICKHOUSE_ASYNC_INSERT_BUSY_TIMEOUT_MS,
+        startTimeMaxAgeMs: env.EVENTS_CLICKHOUSE_START_TIME_MAX_AGE_MS,
+        llmMetricsBatchSize: env.LLM_METRICS_BATCH_SIZE,
+        llmMetricsFlushInterval: env.LLM_METRICS_FLUSH_INTERVAL_MS,
+        llmMetricsMaxBatchSize: env.LLM_METRICS_MAX_BATCH_SIZE,
+        llmMetricsMaxConcurrency: env.LLM_METRICS_MAX_CONCURRENCY,
+        otlpMetricsBatchSize: env.METRICS_CLICKHOUSE_BATCH_SIZE,
+        otlpMetricsFlushInterval: env.METRICS_CLICKHOUSE_FLUSH_INTERVAL_MS,
+        otlpMetricsMaxConcurrency: env.METRICS_CLICKHOUSE_MAX_CONCURRENCY,
+        version: "v1",
+      });
+    }
+    case "clickhouse_v2": {
+      return new ClickhouseEventRepository({
+        clickhouse: clickhouse,
+        batchSize: env.EVENTS_CLICKHOUSE_BATCH_SIZE,
+        flushInterval: env.EVENTS_CLICKHOUSE_FLUSH_INTERVAL_MS,
+        maximumTraceSummaryViewCount: clampToEmergencySpanCap(
+          env.EVENTS_CLICKHOUSE_MAX_TRACE_SUMMARY_VIEW_COUNT
+        ),
+        maximumTraceDetailedSummaryViewCount: clampToEmergencySpanCap(
+          env.EVENTS_CLICKHOUSE_MAX_TRACE_DETAILED_SUMMARY_VIEW_COUNT
+        ),
+        maximumLiveReloadingSetting: env.EVENTS_CLICKHOUSE_MAX_LIVE_RELOADING_SETTING,
+        insertStrategy: env.EVENTS_CLICKHOUSE_INSERT_STRATEGY,
+        waitForAsyncInsert: env.EVENTS_CLICKHOUSE_WAIT_FOR_ASYNC_INSERT === "1",
+        asyncInsertMaxDataSize: env.EVENTS_CLICKHOUSE_ASYNC_INSERT_MAX_DATA_SIZE,
+        asyncInsertBusyTimeoutMs: env.EVENTS_CLICKHOUSE_ASYNC_INSERT_BUSY_TIMEOUT_MS,
+        startTimeMaxAgeMs: env.EVENTS_CLICKHOUSE_START_TIME_MAX_AGE_MS,
+        llmMetricsBatchSize: env.LLM_METRICS_BATCH_SIZE,
+        llmMetricsFlushInterval: env.LLM_METRICS_FLUSH_INTERVAL_MS,
+        llmMetricsMaxBatchSize: env.LLM_METRICS_MAX_BATCH_SIZE,
+        llmMetricsMaxConcurrency: env.LLM_METRICS_MAX_CONCURRENCY,
+        otlpMetricsBatchSize: env.METRICS_CLICKHOUSE_BATCH_SIZE,
+        otlpMetricsFlushInterval: env.METRICS_CLICKHOUSE_FLUSH_INTERVAL_MS,
+        otlpMetricsMaxConcurrency: env.METRICS_CLICKHOUSE_MAX_CONCURRENCY,
+        version: "v2",
+      });
+    }
+    default: {
+      throw new Error(`Unknown ClickHouse event repository store: ${store}`);
+    }
+  }
+}
diff --git a/apps/webapp/app/services/clickhouse/clickhouseFactoryInstance.server.ts b/apps/webapp/app/services/clickhouse/clickhouseFactoryInstance.server.ts
new file mode 100644
index 00000000000..6795df5f644
--- /dev/null
+++ b/apps/webapp/app/services/clickhouse/clickhouseFactoryInstance.server.ts
@@ -0,0 +1,13 @@
+import { organizationDataStoresRegistry } from "~/services/dataStores/organizationDataStoresRegistryInstance.server";
+import { singleton } from "~/utils/singleton";
+import { ClickhouseFactory } from "./clickhouseFactory.server";
+
+/**
+ * Production singleton wired to the global organization data-stores registry.
+ * Import this only from app/runtime code — not from tests that construct a
+ * {@link ClickhouseFactory} with a stub registry (see `clickhouseFactory.server.ts`).
+ */
+export const clickhouseFactory = singleton(
+  "clickhouseFactory",
+  () => new ClickhouseFactory(organizationDataStoresRegistry)
+);
diff --git a/apps/webapp/app/services/clickhouse/clickhouseSecretSchemas.server.ts b/apps/webapp/app/services/clickhouse/clickhouseSecretSchemas.server.ts
new file mode 100644
index 00000000000..016eb717c18
--- /dev/null
+++ b/apps/webapp/app/services/clickhouse/clickhouseSecretSchemas.server.ts
@@ -0,0 +1,11 @@
+import { z } from "zod";
+
+export const ClickhouseConnectionSchema = z.object({
+  url: z.string().url(),
+});
+
+export type ClickhouseConnection = z.infer<typeof ClickhouseConnectionSchema>;
+
+export function getClickhouseSecretKey(orgId: string, clientType: string): string {
+  return `org:${orgId}:clickhouse:${clientType}`;
+}
diff --git a/apps/webapp/app/services/clickhouseInstance.server.ts b/apps/webapp/app/services/clickhouseInstance.server.ts
deleted file mode 100644
index 9c4941671f3..00000000000
--- a/apps/webapp/app/services/clickhouseInstance.server.ts
+++ /dev/null
@@ -1,130 +0,0 @@
-import { ClickHouse } from "@internal/clickhouse";
-import { env } from "~/env.server";
-import { singleton } from "~/utils/singleton";
-
-export const clickhouseClient = singleton("clickhouseClient", initializeClickhouseClient);
-
-function initializeClickhouseClient() {
-  const url = new URL(env.CLICKHOUSE_URL);
-
-  // Remove secure param
-  url.searchParams.delete("secure");
-
-  console.log(`🗃️  Clickhouse service enabled to host ${url.host}`);
-
-  const clickhouse = new ClickHouse({
-    url: url.toString(),
-    name: "clickhouse-instance",
-    keepAlive: {
-      enabled: env.CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
-      idleSocketTtl: env.CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
-    },
-    logLevel: env.CLICKHOUSE_LOG_LEVEL,
-    compression: {
-      request: true,
-    },
-    maxOpenConnections: env.CLICKHOUSE_MAX_OPEN_CONNECTIONS,
-  });
-
-  return clickhouse;
-}
-
-export const logsClickhouseClient = singleton(
-  "logsClickhouseClient",
-  initializeLogsClickhouseClient
-);
-
-function initializeLogsClickhouseClient() {
-  if (!env.LOGS_CLICKHOUSE_URL) {
-    throw new Error("LOGS_CLICKHOUSE_URL is not set");
-  }
-
-  const url = new URL(env.LOGS_CLICKHOUSE_URL);
-
-  // Remove secure param
-  url.searchParams.delete("secure");
-
-  return new ClickHouse({
-    url: url.toString(),
-    name: "logs-clickhouse",
-    keepAlive: {
-      enabled: env.CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
-      idleSocketTtl: env.CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
-    },
-    logLevel: env.CLICKHOUSE_LOG_LEVEL,
-    compression: {
-      request: true,
-    },
-    maxOpenConnections: env.CLICKHOUSE_MAX_OPEN_CONNECTIONS,
-    clickhouseSettings: {
-      max_memory_usage: env.CLICKHOUSE_LOGS_LIST_MAX_MEMORY_USAGE.toString(),
-      max_bytes_before_external_sort:
-        env.CLICKHOUSE_LOGS_LIST_MAX_BYTES_BEFORE_EXTERNAL_SORT.toString(),
-      max_threads: env.CLICKHOUSE_LOGS_LIST_MAX_THREADS,
-      ...(env.CLICKHOUSE_LOGS_LIST_MAX_ROWS_TO_READ && {
-        max_rows_to_read: env.CLICKHOUSE_LOGS_LIST_MAX_ROWS_TO_READ.toString(),
-      }),
-      ...(env.CLICKHOUSE_LOGS_LIST_MAX_EXECUTION_TIME && {
-        max_execution_time: env.CLICKHOUSE_LOGS_LIST_MAX_EXECUTION_TIME,
-      }),
-    },
-  });
-}
-
-export const adminClickhouseClient = singleton(
-  "adminClickhouseClient",
-  initializeAdminClickhouseClient
-);
-
-function initializeAdminClickhouseClient() {
-  if (!env.ADMIN_CLICKHOUSE_URL) {
-    throw new Error("ADMIN_CLICKHOUSE_URL is not set");
-  }
-
-  const url = new URL(env.ADMIN_CLICKHOUSE_URL);
-  url.searchParams.delete("secure");
-
-  return new ClickHouse({
-    url: url.toString(),
-    name: "admin-clickhouse",
-    keepAlive: {
-      enabled: env.CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
-      idleSocketTtl: env.CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
-    },
-    logLevel: env.CLICKHOUSE_LOG_LEVEL,
-    compression: {
-      request: true,
-    },
-    maxOpenConnections: env.CLICKHOUSE_MAX_OPEN_CONNECTIONS,
-  });
-}
-
-export const queryClickhouseClient = singleton(
-  "queryClickhouseClient",
-  initializeQueryClickhouseClient
-);
-
-function initializeQueryClickhouseClient() {
-  if (!env.QUERY_CLICKHOUSE_URL) {
-    throw new Error("QUERY_CLICKHOUSE_URL is not set");
-  }
-
-  const url = new URL(env.QUERY_CLICKHOUSE_URL);
-
-  // Remove secure param
-  url.searchParams.delete("secure");
-
-  return new ClickHouse({
-    url: url.toString(),
-    name: "query-clickhouse",
-    keepAlive: {
-      enabled: env.CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
-      idleSocketTtl: env.CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
-    },
-    logLevel: env.CLICKHOUSE_LOG_LEVEL,
-    compression: {
-      request: true,
-    },
-    maxOpenConnections: env.CLICKHOUSE_MAX_OPEN_CONNECTIONS,
-  });
-}
diff --git a/apps/webapp/app/services/dataStores/organizationDataStoreConfigSchemas.server.ts b/apps/webapp/app/services/dataStores/organizationDataStoreConfigSchemas.server.ts
new file mode 100644
index 00000000000..a4a2491a2d6
--- /dev/null
+++ b/apps/webapp/app/services/dataStores/organizationDataStoreConfigSchemas.server.ts
@@ -0,0 +1,39 @@
+import { z } from "zod";
+
+// ---------------------------------------------------------------------------
+// ClickHouse config (kind = CLICKHOUSE)
+// ---------------------------------------------------------------------------
+
+/** V1: single secret-store key that supplies the ClickHouse connection URL. */
+export const ClickhouseDataStoreConfigV1 = z.object({
+  version: z.literal(1),
+  data: z.object({
+    /** Key into the SecretStore that resolves to a ClickhouseConnection ({url}). */
+    secretKey: z.string(),
+  }),
+});
+
+export type ClickhouseDataStoreConfigV1 = z.infer<typeof ClickhouseDataStoreConfigV1>;
+
+/** Discriminated union over version — extend by adding new literals here. */
+export const ClickhouseDataStoreConfig = z.discriminatedUnion("version", [
+  ClickhouseDataStoreConfigV1,
+]);
+
+export type ClickhouseDataStoreConfig = z.infer<typeof ClickhouseDataStoreConfig>;
+
+// ---------------------------------------------------------------------------
+// Top-level per-kind union
+// ---------------------------------------------------------------------------
+
+/**
+ * Secrets are resolved to URLs at registry load time so the factory never
+ * needs to touch the secret store on the hot path.
+ */
+export type ParsedClickhouseDataStore = {
+  kind: "CLICKHOUSE";
+  url: string;
+};
+
+/** Union of all parsed data store types. Extend as new DataStoreKind values are added. */
+export type ParsedDataStore = ParsedClickhouseDataStore;
diff --git a/apps/webapp/app/services/dataStores/organizationDataStoresRegistry.server.ts b/apps/webapp/app/services/dataStores/organizationDataStoresRegistry.server.ts
new file mode 100644
index 00000000000..07a4f1d3592
--- /dev/null
+++ b/apps/webapp/app/services/dataStores/organizationDataStoresRegistry.server.ts
@@ -0,0 +1,202 @@
+import type { DataStoreKind, PrismaClient, PrismaReplicaClient } from "@trigger.dev/database";
+import {
+  ClickhouseDataStoreConfig,
+  type ParsedDataStore,
+} from "./organizationDataStoreConfigSchemas.server";
+import { getSecretStore } from "../secrets/secretStore.server";
+import { ClickhouseConnectionSchema } from "../clickhouse/clickhouseSecretSchemas.server";
+
+export class OrganizationDataStoresRegistry {
+  /**
+   * Writer client — used by every method that mutates state
+   * (`addDataStore` / `updateDataStore` / `deleteDataStore` and their backing
+   * SecretStore writes). Must be the primary connection; replica-targeted
+   * writes are rejected by Postgres with code 25006 (read-only transaction).
+   */
+  private _writer: PrismaClient;
+  /**
+   * Read client used by the polling `loadFromDatabase()` (and its
+   * `SecretStore.getSecret` lookups). Can be a replica — these are
+   * cache-fillers, not on hot user-facing paths.
+   */
+  private _replica: PrismaClient | PrismaReplicaClient;
+  /** Keyed by `${organizationId}:${kind}` */
+  private _lookup: Map<string, ParsedDataStore> = new Map();
+  private _loaded = false;
+  private _readyResolve!: () => void;
+
+  /**
+   * Resolves once the initial `loadFromDatabase()` completes successfully.
+   * At process startup the singleton loads the registry with unbounded retries
+   * (exponential backoff, capped delay) until Postgres is reachable; until then
+   * this promise stays pending and callers that await readiness will block.
+   */
+  readonly isReady: Promise<void>;
+
+  constructor(writer: PrismaClient, replica: PrismaClient | PrismaReplicaClient) {
+    this._writer = writer;
+    this._replica = replica;
+    this.isReady = new Promise<void>((resolve) => {
+      this._readyResolve = resolve;
+    });
+  }
+
+  get isLoaded(): boolean {
+    return this._loaded;
+  }
+
+  async loadFromDatabase(): Promise<void> {
+    // Sort by `key` (unique, immutable) to ensure a deterministic winner when the
+    // same `${orgId}:${kind}` appears in multiple rows. The registry must never
+    // throw on overlap — failing the load would break every customer, not just the
+    // misconfigured orgs — so we keep the first entry and log an error instead.
+    const rows = await this._replica.organizationDataStore.findMany({
+      orderBy: { key: "asc" },
+    });
+    const secretStore = getSecretStore("DATABASE", { prismaClient: this._replica });
+
+    const lookup = new Map<string, ParsedDataStore>();
+    /** Tracks which row's `key` already owns each `${orgId}:${kind}` so we can log conflicts. */
+    const winnerByLookupKey = new Map<string, string>();
+
+    for (const row of rows) {
+      let parsed: ParsedDataStore | null = null;
+
+      switch (row.kind) {
+        case "CLICKHOUSE": {
+          const result = ClickhouseDataStoreConfig.safeParse(row.config);
+          if (!result.success) {
+            console.warn(
+              `[OrganizationDataStoresRegistry] Invalid config for OrganizationDataStore "${row.key}" (kind=CLICKHOUSE): ${result.error.message}`
+            );
+            continue;
+          }
+
+          const connection = await secretStore.getSecret(
+            ClickhouseConnectionSchema,
+            result.data.data.secretKey
+          );
+
+          if (!connection) {
+            console.warn(
+              `[OrganizationDataStoresRegistry] Secret "${result.data.data.secretKey}" not found for OrganizationDataStore "${row.key}" — skipping`
+            );
+            continue;
+          }
+
+          parsed = { kind: "CLICKHOUSE", url: connection.url };
+          break;
+        }
+        default: {
+          console.warn(
+            `[OrganizationDataStoresRegistry] Unknown kind "${row.kind}" for OrganizationDataStore "${row.key}" — skipping`
+          );
+          continue;
+        }
+      }
+
+      for (const orgId of row.organizationIds) {
+        const lookupKey = `${orgId}:${row.kind}`;
+        const existingWinner = winnerByLookupKey.get(lookupKey);
+        if (existingWinner) {
+          console.error(
+            `[OrganizationDataStoresRegistry] Overlapping OrganizationDataStore assignment for orgId="${orgId}" kind=${row.kind}: already routed to "${existingWinner}", ignoring "${row.key}". Pick one store per (org, kind) to resolve.`
+          );
+          continue;
+        }
+        winnerByLookupKey.set(lookupKey, row.key);
+        lookup.set(lookupKey, parsed);
+      }
+    }
+
+    this._lookup = lookup;
+
+    if (!this._loaded) {
+      this._loaded = true;
+      this._readyResolve();
+    }
+  }
+
+  async reload(): Promise<void> {
+    await this.loadFromDatabase();
+  }
+
+  #secretKey(key: string, kind: DataStoreKind) {
+    return `data-store:${key}:${kind.toLocaleLowerCase()}`;
+  }
+
+  async addDataStore({
+    key,
+    kind,
+    organizationIds,
+    config,
+  }: {
+    key: string;
+    kind: DataStoreKind;
+    organizationIds: string[];
+    config: any;
+  }) {
+    const secretKey = this.#secretKey(key, kind);
+
+    const secretStore = getSecretStore("DATABASE", { prismaClient: this._writer });
+    await secretStore.setSecret(secretKey, config);
+
+    return this._writer.organizationDataStore.create({
+      data: {
+        key,
+        organizationIds,
+        kind,
+        config: { version: 1, data: { secretKey } },
+      },
+    });
+
+  }
+
+  async updateDataStore({
+    key,
+    kind,
+    organizationIds,
+    config,
+  }: {
+    key: string;
+    kind: DataStoreKind;
+    organizationIds: string[];
+    config?: any;
+  }) {
+    const secretKey = this.#secretKey(key, kind);
+
+    if (config) {
+      const secretStore = getSecretStore("DATABASE", { prismaClient: this._writer });
+      await secretStore.setSecret(secretKey, config);
+    }
+
+    return this._writer.organizationDataStore.update({
+      where: {
+        key,
+      },
+      data: {
+        organizationIds,
+        kind: "CLICKHOUSE",
+      },
+    });
+  }
+
+  async deleteDataStore({ key, kind }: { key: string; kind: DataStoreKind }) {
+    const secretKey = this.#secretKey(key, kind);
+    const secretStore = getSecretStore("DATABASE", { prismaClient: this._writer });
+    await secretStore.deleteSecret(secretKey).catch(() => {
+      // Secret may not exist — proceed with deletion
+    });
+
+    await this._writer.organizationDataStore.delete({ where: { key } });
+  }
+
+  /**
+   * Returns the parsed data store config for the given organization and kind,
+   * or `null` if no override is configured (caller should use the default).
+   */
+  get(organizationId: string, kind: DataStoreKind): ParsedDataStore | null {
+    if (!this._loaded) return null;
+    return this._lookup.get(`${organizationId}:${kind}`) ?? null;
+  }
+}
diff --git a/apps/webapp/app/services/dataStores/organizationDataStoresRegistryInstance.server.ts b/apps/webapp/app/services/dataStores/organizationDataStoresRegistryInstance.server.ts
new file mode 100644
index 00000000000..239683965ea
--- /dev/null
+++ b/apps/webapp/app/services/dataStores/organizationDataStoresRegistryInstance.server.ts
@@ -0,0 +1,42 @@
+import pRetry from "p-retry";
+import { $replica, prisma } from "~/db.server";
+import { env } from "~/env.server";
+import { logger } from "~/services/logger.server";
+import { signalsEmitter } from "~/services/signals.server";
+import { singleton } from "~/utils/singleton";
+import { OrganizationDataStoresRegistry } from "./organizationDataStoresRegistry.server";
+
+export const organizationDataStoresRegistry = singleton("organizationDataStoresRegistry", () => {
+  const registry = new OrganizationDataStoresRegistry(prisma, $replica);
+
+  // Runs as soon as this singleton is created (first import of this module). The
+  // registry’s `isReady` promise resolves when this eventually succeeds.
+  const startupLoadPromise = pRetry(() => registry.loadFromDatabase(), {
+    forever: true,
+    retries: 10,
+    minTimeout: 1_000,
+    maxTimeout: 60_000,
+    factor: 2,
+    onFailedAttempt: (error) => {
+      logger.warn("[OrganizationDataStoresRegistry] Startup load failed, retrying", {
+        attemptNumber: error.attemptNumber,
+        retriesLeft: error.retriesLeft,
+        error: error.message,
+      });
+    },
+  });
+  startupLoadPromise.catch((err) => {
+    console.error("[OrganizationDataStoresRegistry] Unexpected startup load failure", err);
+  });
+
+  const interval = setInterval(() => {
+    registry.reload().catch((err) => {
+      console.error("[OrganizationDataStoresRegistry] Failed to reload", err);
+    });
+  }, env.ORGANIZATION_DATA_STORES_RELOAD_INTERVAL_MS);
+
+  signalsEmitter.on("SIGTERM", () => clearInterval(interval));
+  signalsEmitter.on("SIGINT", () => clearInterval(interval));
+
+  return registry;
+});
diff --git a/apps/webapp/app/services/email.server.ts b/apps/webapp/app/services/email.server.ts
index 290addcdc97..17fba0c52e1 100644
--- a/apps/webapp/app/services/email.server.ts
+++ b/apps/webapp/app/services/email.server.ts
@@ -4,7 +4,6 @@ import type { SendEmailOptions } from "remix-auth-email-link";
 import { redirect } from "remix-typedjson";
 import { env } from "~/env.server";
 import type { AuthUser } from "./authUser";
-import { commonWorker } from "~/v3/commonWorker.server";
 import { logger } from "./logger.server";
 import { singleton } from "~/utils/singleton";
 import { assertEmailAllowed } from "~/utils/email";
@@ -92,15 +91,6 @@ export async function sendPlainTextEmail(options: SendPlainTextOptions) {
   return client.sendPlainText(options);
 }
 
-export async function scheduleEmail(data: DeliverEmail, delay?: { seconds: number }) {
-  const availableAt = delay ? new Date(Date.now() + delay.seconds * 1000) : undefined;
-  await commonWorker.enqueue({
-    job: "scheduleEmail",
-    payload: data,
-    availableAt,
-  });
-}
-
 export async function sendEmail(data: DeliverEmail) {
   return client.send(data);
 }
diff --git a/apps/webapp/app/services/httpAsyncStorage.server.ts b/apps/webapp/app/services/httpAsyncStorage.server.ts
index 7b709e4bf19..24b5c23f871 100644
--- a/apps/webapp/app/services/httpAsyncStorage.server.ts
+++ b/apps/webapp/app/services/httpAsyncStorage.server.ts
@@ -5,6 +5,7 @@ export type HttpLocalStorage = {
   path: string;
   host: string;
   method: string;
+  abortController: AbortController;
 };
 
 const httpLocalStorage = new AsyncLocalStorage<HttpLocalStorage>();
@@ -18,3 +19,15 @@ export function runWithHttpContext<T>(context: HttpLocalStorage, fn: () => T): T
 export function getHttpContext(): HttpLocalStorage | undefined {
   return httpLocalStorage.getStore();
 }
+
+// Fallback signal that is never aborted, safe for tests and non-Express contexts.
+const neverAbortedSignal = new AbortController().signal;
+
+/**
+ * Returns an AbortSignal wired to the Express response's "close" event.
+ * This bypasses the broken request.signal chain in @remix-run/express
+ * (caused by Node.js undici GC bug nodejs/node#55428).
+ */
+export function getRequestAbortSignal(): AbortSignal {
+  return httpLocalStorage.getStore()?.abortController.signal ?? neverAbortedSignal;
+}
diff --git a/apps/webapp/app/services/impersonation.server.ts b/apps/webapp/app/services/impersonation.server.ts
index 78c771528b6..288fd635ae6 100644
--- a/apps/webapp/app/services/impersonation.server.ts
+++ b/apps/webapp/app/services/impersonation.server.ts
@@ -1,5 +1,10 @@
 import { createCookieSessionStorage, type Session } from "@remix-run/node";
+import { SignJWT, jwtVerify, errors } from "jose";
+import { randomUUID } from "node:crypto";
+import { singleton } from "~/utils/singleton";
+import { createRedisClient, type RedisClient } from "~/redis.server";
 import { env } from "~/env.server";
+import { logger } from "~/services/logger.server";
 
 export const impersonationSessionStorage = createCookieSessionStorage({
   cookie: {
@@ -42,3 +47,107 @@ export async function clearImpersonationId(request: Request) {
 
   return session;
 }
+
+// Impersonation token utilities for CSRF protection
+const IMPERSONATION_TOKEN_EXPIRY_SECONDS = 5 * 60; // 5 minutes
+
+function getImpersonationTokenSecret(): Uint8Array {
+  return new TextEncoder().encode(env.SESSION_SECRET);
+}
+
+function getImpersonationTokenRedisClient(): RedisClient {
+  return singleton(
+    "impersonationTokenRedis",
+    () =>
+      createRedisClient("impersonation:token", {
+        host: env.CACHE_REDIS_HOST,
+        port: env.CACHE_REDIS_PORT,
+        username: env.CACHE_REDIS_USERNAME,
+        password: env.CACHE_REDIS_PASSWORD,
+        tlsDisabled: env.CACHE_REDIS_TLS_DISABLED === "true",
+        clusterMode: env.CACHE_REDIS_CLUSTER_MODE_ENABLED === "1",
+        keyPrefix: "impersonation:token:",
+      })
+  );
+}
+
+/**
+ * Generate a signed one-time impersonation token for a user
+ */
+export async function generateImpersonationToken(userId: string): Promise<string> {
+  const secret = getImpersonationTokenSecret();
+  const now = Math.floor(Date.now() / 1000);
+
+  const token = await new SignJWT({ userId })
+    .setProtectedHeader({ alg: "HS256" })
+    .setIssuedAt(now)
+    .setExpirationTime(now + IMPERSONATION_TOKEN_EXPIRY_SECONDS)
+    .setIssuer("https://trigger.dev")
+    .setAudience("https://trigger.dev/admin")
+    .setJti(randomUUID())
+    .sign(secret);
+
+  return token;
+}
+
+/**
+ * Validate and consume an impersonation token (prevents replay attacks)
+ */
+export async function validateAndConsumeImpersonationToken(
+  token: string
+): Promise<string | undefined> {
+  try {
+    const secret = getImpersonationTokenSecret();
+
+    // Verify the token signature and expiration
+    const { payload } = await jwtVerify(token, secret, {
+      issuer: "https://trigger.dev",
+      audience: "https://trigger.dev/admin",
+    });
+
+    const userId = payload.userId as string | undefined;
+    if (!userId || typeof userId !== "string") {
+      return undefined;
+    }
+
+    // Atomically mark the token as used to prevent replay attacks.
+    // Use the jti (a short UUID) as the Redis key rather than the full JWT string.
+    // If Redis is unavailable, fall back to JWT expiry as the only protection.
+    if (env.CACHE_REDIS_HOST) {
+      // Defensively reject tokens without a jti (e.g. issued before this change)
+      if (!payload.jti) {
+        logger.warn("Impersonation token missing jti claim, rejecting for safety");
+        return undefined;
+      }
+
+      try {
+        const redis = getImpersonationTokenRedisClient();
+        const result = await redis.set(
+          payload.jti,
+          "1",
+          "EX",
+          IMPERSONATION_TOKEN_EXPIRY_SECONDS,
+          "NX"
+        );
+        if (result !== "OK") {
+          // Token was already used
+          return undefined;
+        }
+      } catch (redisError) {
+        logger.warn("Redis unavailable for impersonation token tracking, relying on JWT expiry only", {
+          error: redisError instanceof Error ? redisError.message : String(redisError),
+        });
+      }
+    }
+
+    return userId;
+  } catch (error) {
+    if (error instanceof errors.JWTExpired || error instanceof errors.JWTInvalid) {
+      return undefined;
+    }
+    logger.error("Error validating impersonation token", {
+      error: error instanceof Error ? error.message : String(error),
+    });
+    return undefined;
+  }
+}
diff --git a/apps/webapp/app/services/inputStreamWaitpointCache.server.ts b/apps/webapp/app/services/inputStreamWaitpointCache.server.ts
index ab360c837a8..5bfd632633a 100644
--- a/apps/webapp/app/services/inputStreamWaitpointCache.server.ts
+++ b/apps/webapp/app/services/inputStreamWaitpointCache.server.ts
@@ -1,4 +1,5 @@
 import { Redis } from "ioredis";
+import { defaultReconnectOnError } from "@internal/redis";
 import { env } from "~/env.server";
 import { singleton } from "~/utils/singleton";
 import { logger } from "./logger.server";
@@ -24,6 +25,7 @@ function initializeRedis(): Redis | undefined {
     password: env.CACHE_REDIS_PASSWORD,
     keyPrefix: "tr:",
     enableAutoPipelining: true,
+    reconnectOnError: defaultReconnectOnError,
     ...(env.CACHE_REDIS_TLS_DISABLED === "true" ? {} : { tls: {} }),
   });
 }
diff --git a/apps/webapp/app/services/loadProjectEnvironmentFromRequest.server.ts b/apps/webapp/app/services/loadProjectEnvironmentFromRequest.server.ts
new file mode 100644
index 00000000000..76c39caba67
--- /dev/null
+++ b/apps/webapp/app/services/loadProjectEnvironmentFromRequest.server.ts
@@ -0,0 +1,25 @@
+import { type Params } from "@remix-run/react";
+import { findProjectBySlug } from "~/models/project.server";
+import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
+import { requireUserId } from "~/services/session.server";
+import { EnvironmentParamSchema } from "~/utils/pathBuilder";
+
+export async function loadProjectEnvironmentFromRequest(
+  request: Request,
+  params: Params<string>
+) {
+  const userId = await requireUserId(request);
+  const { organizationSlug, projectParam, envParam } = EnvironmentParamSchema.parse(params);
+
+  const project = await findProjectBySlug(organizationSlug, projectParam, userId);
+  if (!project) {
+    throw new Response(undefined, { status: 404, statusText: "Project not found" });
+  }
+
+  const environment = await findEnvironmentBySlug(project.id, envParam, userId);
+  if (!environment) {
+    throw new Response(undefined, { status: 404, statusText: "Environment not found" });
+  }
+
+  return { userId, project, environment };
+}
diff --git a/apps/webapp/app/services/loops.server.ts b/apps/webapp/app/services/loops.server.ts
index 78c7faad81b..6509d894701 100644
--- a/apps/webapp/app/services/loops.server.ts
+++ b/apps/webapp/app/services/loops.server.ts
@@ -22,24 +22,6 @@ class LoopsClient {
     });
   }
 
-  async vercelIntegrationStarted({
-    userId,
-    email,
-    name,
-  }: {
-    userId: string;
-    email: string;
-    name: string | null;
-  }) {
-    logger.info(`Loops send "vercel-integration" event`, { userId, email, name });
-    return this.#sendEvent({
-      email,
-      userId,
-      firstName: name?.split(" ").at(0),
-      eventName: "vercel-integration",
-    });
-  }
-
   async #sendEvent({
     email,
     userId,
diff --git a/apps/webapp/app/services/metadata/updateMetadata.server.ts b/apps/webapp/app/services/metadata/updateMetadata.server.ts
index cfb946a1024..7b87034a301 100644
--- a/apps/webapp/app/services/metadata/updateMetadata.server.ts
+++ b/apps/webapp/app/services/metadata/updateMetadata.server.ts
@@ -30,6 +30,16 @@ export type UpdateMetadataServiceOptions = {
   maximumSize?: number;
   logger?: Logger;
   logLevel?: LogLevel;
+  /** Called after the batched flusher writes a run's buffered operations, with everything
+   * a realtime change record needs — buffered (parent/root) updates otherwise never wake
+   * live feeds. */
+  onRunFlushed?: (run: {
+    runId: string;
+    environmentId: string;
+    tags: string[];
+    batchId: string | null;
+    updatedAtMs: number;
+  }) => void;
   // Testing hooks
   onBeforeUpdate?: (runId: string) => Promise<void>;
   onAfterRead?: (runId: string, metadataVersion: number) => Promise<void>;
@@ -172,12 +182,20 @@ export class UpdateMetadataService {
     operations: BufferedRunMetadataChangeOperation[]
   ) => {
     return Effect.gen(this, function* (_) {
-      // Fetch current run
+      // Fetch current run (+ the realtime membership keys, so a flush can publish)
       const run = yield* _(
         Effect.tryPromise(() =>
           this._prisma.taskRun.findFirst({
             where: { id: runId },
-            select: { id: true, metadata: true, metadataType: true, metadataVersion: true },
+            select: {
+              id: true,
+              metadata: true,
+              metadataType: true,
+              metadataVersion: true,
+              runtimeEnvironmentId: true,
+              runTags: true,
+              batchId: true,
+            },
           })
         )
       );
@@ -237,6 +255,9 @@ export class UpdateMetadataService {
         yield* _(Effect.tryPromise(() => this.options.onBeforeUpdate!(runId)));
       }
 
+      // Stamp updatedAt explicitly so the realtime publish can carry the exact committed
+      // value without a follow-up read (updateMany can't RETURNING).
+      const writeTime = new Date();
       const result = yield* _(
         Effect.tryPromise(() =>
           this._prisma.taskRun.updateMany({
@@ -247,6 +268,7 @@ export class UpdateMetadataService {
             data: {
               metadata: newMetadataPacket.data,
               metadataVersion: { increment: 1 },
+              updatedAt: writeTime,
             },
           })
         )
@@ -262,6 +284,16 @@ export class UpdateMetadataService {
         return yield* _(Effect.fail(new Error("Optimistic lock failed")));
       }
 
+      yield* Effect.sync(() => {
+        this.options.onRunFlushed?.({
+          runId,
+          environmentId: run.runtimeEnvironmentId,
+          tags: run.runTags,
+          batchId: run.batchId,
+          updatedAtMs: writeTime.getTime(),
+        });
+      });
+
       return result;
     });
   };
@@ -308,6 +340,8 @@ export class UpdateMetadataService {
           },
       select: {
         id: true,
+        batchId: true,
+        runTags: true,
         completedAt: true,
         status: true,
         metadata: true,
@@ -344,7 +378,7 @@ export class UpdateMetadataService {
       this.#ingestRunOperations(taskRun.rootTaskRun?.id ?? taskRun.id, body.rootOperations);
     }
 
-    const newMetadata = await this.#updateRunMetadata({
+    const result = await this.#updateRunMetadata({
       runId: taskRun.id,
       body,
       existingMetadata: {
@@ -354,7 +388,14 @@ export class UpdateMetadataService {
     });
 
     return {
-      metadata: newMetadata,
+      metadata: result?.metadata,
+      // Internal id + membership keys, so callers can publish full realtime records the router routes by index.
+      runId: taskRun.id,
+      batchId: taskRun.batchId,
+      runTags: taskRun.runTags,
+      // The committed row's updatedAt — the realtime watermark. Undefined when nothing was
+      // written here (no-op, or buffered for the flusher, which publishes itself).
+      updatedAtMs: result?.updatedAtMs,
     };
   }
 
@@ -366,7 +407,7 @@ export class UpdateMetadataService {
     runId: string;
     body: UpdateMetadataRequestBody;
     existingMetadata: IOPacket;
-  }) {
+  }): Promise<{ metadata: Record<string, unknown> | undefined; updatedAtMs?: number }> {
     if (Array.isArray(body.operations)) {
       return this.#updateRunMetadataWithOperations(runId, body.operations);
     } else {
@@ -374,7 +415,10 @@ export class UpdateMetadataService {
     }
   }
 
-  async #updateRunMetadataWithOperations(runId: string, operations: RunMetadataChangeOperation[]) {
+  async #updateRunMetadataWithOperations(
+    runId: string,
+    operations: RunMetadataChangeOperation[]
+  ): Promise<{ metadata: Record<string, unknown> | undefined; updatedAtMs?: number }> {
     const MAX_RETRIES = 3;
     let attempts = 0;
 
@@ -402,9 +446,9 @@ export class UpdateMetadataService {
       // Apply operations to the current metadata
       const applyResults = applyMetadataOperations(currentMetadata, operations);
 
-      // If no operations were applied, return the current metadata
+      // If no operations were applied, return the current metadata (nothing written)
       if (applyResults.unappliedOperations.length === operations.length) {
-        return currentMetadata;
+        return { metadata: currentMetadata };
       }
 
       const newMetadataPacket = handleMetadataPacket(
@@ -422,7 +466,9 @@ export class UpdateMetadataService {
         await this.options.onBeforeUpdate(runId);
       }
 
-      // Update with optimistic locking
+      // Update with optimistic locking; updatedAt stamped explicitly so the caller can
+      // publish the exact committed watermark without a follow-up read.
+      const writeTime = new Date();
       const result = await this._prisma.taskRun.updateMany({
         where: {
           id: runId,
@@ -434,6 +480,7 @@ export class UpdateMetadataService {
           metadataVersion: {
             increment: 1,
           },
+          updatedAt: writeTime,
         },
       });
 
@@ -448,9 +495,10 @@ export class UpdateMetadataService {
         }
 
         // If this was our last attempt, buffer the operations and return optimistically
+        // (no watermark — the flusher writes later and publishes itself).
         if (attempts === MAX_RETRIES) {
           this.#ingestRunOperations(runId, operations);
-          return applyResults.newMetadata;
+          return { metadata: applyResults.newMetadata };
         }
 
         // Otherwise sleep and try again
@@ -468,8 +516,10 @@ export class UpdateMetadataService {
       }
 
       // Success! Return the new metadata
-      return applyResults.newMetadata;
+      return { metadata: applyResults.newMetadata, updatedAtMs: writeTime.getTime() };
     }
+
+    return { metadata: undefined };
   }
 
   // Checks to see if a run is updatable
@@ -487,7 +537,7 @@ export class UpdateMetadataService {
     runId: string,
     body: UpdateMetadataRequestBody,
     existingMetadata: IOPacket
-  ) {
+  ): Promise<{ metadata: Record<string, unknown> | undefined; updatedAtMs?: number }> {
     const metadataPacket = handleMetadataPacket(
       body.metadata,
       "application/json",
@@ -495,9 +545,11 @@ export class UpdateMetadataService {
     );
 
     if (!metadataPacket) {
-      return {};
+      return { metadata: {} };
     }
 
+    let updatedAtMs: number | undefined;
+
     if (
       metadataPacket.data !== "{}" ||
       (existingMetadata.data && metadataPacket.data !== existingMetadata.data)
@@ -509,7 +561,9 @@ export class UpdateMetadataService {
         });
       }
 
-      // Update the metadata without version check
+      // Update the metadata without version check; updatedAt stamped explicitly so the
+      // caller can publish the exact committed watermark.
+      const writeTime = new Date();
       await this._prisma.taskRun.update({
         where: {
           id: runId,
@@ -520,12 +574,14 @@ export class UpdateMetadataService {
           metadataVersion: {
             increment: 1,
           },
+          updatedAt: writeTime,
         },
       });
+      updatedAtMs = writeTime.getTime();
     }
 
     const newMetadata = await parsePacket(metadataPacket);
-    return newMetadata;
+    return { metadata: newMetadata, updatedAtMs };
   }
 
   #ingestRunOperations(runId: string, operations: RunMetadataChangeOperation[]) {
diff --git a/apps/webapp/app/services/metadata/updateMetadataInstance.server.ts b/apps/webapp/app/services/metadata/updateMetadataInstance.server.ts
index fe7c3b63f5f..9f1818e5ed3 100644
--- a/apps/webapp/app/services/metadata/updateMetadataInstance.server.ts
+++ b/apps/webapp/app/services/metadata/updateMetadataInstance.server.ts
@@ -2,6 +2,7 @@ import { singleton } from "~/utils/singleton";
 import { env } from "~/env.server";
 import { UpdateMetadataService } from "./updateMetadata.server";
 import { prisma } from "~/db.server";
+import { publishChangeRecord } from "~/services/realtime/runChangeNotifierInstance.server";
 
 export const updateMetadataService = singleton(
   "update-metadata-service",
@@ -13,5 +14,16 @@ export const updateMetadataService = singleton(
       flushLoggingEnabled: env.BATCH_METADATA_OPERATIONS_FLUSH_LOGGING_ENABLED === "1",
       maximumSize: env.TASK_RUN_METADATA_MAXIMUM_SIZE,
       logLevel: env.BATCH_METADATA_OPERATIONS_FLUSH_LOGGING_ENABLED === "1" ? "debug" : "info",
+      // Buffered (parent/root) operations land via the flusher, not the caller's request —
+      // publish here so those changes wake live feeds too (no-op when the backend is off).
+      onRunFlushed: (run) => {
+        publishChangeRecord({
+          runId: run.runId,
+          envId: run.environmentId,
+          tags: run.tags,
+          batchId: run.batchId,
+          updatedAtMs: run.updatedAtMs,
+        });
+      },
     })
 );
diff --git a/apps/webapp/app/services/mfa/multiFactorAuthentication.server.ts b/apps/webapp/app/services/mfa/multiFactorAuthentication.server.ts
index 3aa28bc01db..3774a84ef32 100644
--- a/apps/webapp/app/services/mfa/multiFactorAuthentication.server.ts
+++ b/apps/webapp/app/services/mfa/multiFactorAuthentication.server.ts
@@ -7,7 +7,7 @@ import { createHash } from "@better-auth/utils/hash";
 import { createOTP } from "@better-auth/utils/otp";
 import { base32 } from "@better-auth/utils/base32";
 import { z } from "zod";
-import { scheduleEmail } from "../email.server";
+import { scheduleEmail } from "../scheduleEmail.server";
 
 const generateRandomString = createRandomStringGenerator("A-Z", "0-9");
 
diff --git a/apps/webapp/app/services/organizationAccessToken.server.ts b/apps/webapp/app/services/organizationAccessToken.server.ts
index ba11374c24d..77519ef8d1f 100644
--- a/apps/webapp/app/services/organizationAccessToken.server.ts
+++ b/apps/webapp/app/services/organizationAccessToken.server.ts
@@ -8,6 +8,12 @@ const tokenValueLength = 40;
 //lowercase only, removed 0 and l to avoid confusion
 const tokenGenerator = customAlphabet("123456789abcdefghijkmnopqrstuvwxyz", tokenValueLength);
 
+// Skip the lastAccessedAt write if the existing value is already within this
+// window. Eliminates per-auth UPDATE churn on a small narrow hot table; the
+// settings UI reads this field at human granularity so a few-minute
+// staleness is fine.
+export const OAT_LAST_ACCESSED_THROTTLE_MS = 5 * 60 * 1000;
+
 type CreateOrganizationAccessTokenOptions = {
   name: string;
   organizationId: string;
@@ -105,9 +111,19 @@ export async function authenticateOrganizationAccessToken(
     return;
   }
 
-  await prisma.organizationAccessToken.update({
+  // Conditional updateMany — only writes if the existing lastAccessedAt is
+  // null or older than the throttle window. The WHERE runs inside the UPDATE
+  // so concurrent auths don't race into a double-write. `revokedAt: null`
+  // matches the findFirst guard above so a token revoked between the read
+  // and write doesn't get a stale lastAccessedAt update.
+  await prisma.organizationAccessToken.updateMany({
     where: {
       id: organizationAccessToken.id,
+      revokedAt: null,
+      OR: [
+        { lastAccessedAt: null },
+        { lastAccessedAt: { lt: new Date(Date.now() - OAT_LAST_ACCESSED_THROTTLE_MS) } },
+      ],
     },
     data: {
       lastAccessedAt: new Date(),
diff --git a/apps/webapp/app/services/personalAccessToken.server.ts b/apps/webapp/app/services/personalAccessToken.server.ts
index ebe8bc31ff5..ad3e7be8f16 100644
--- a/apps/webapp/app/services/personalAccessToken.server.ts
+++ b/apps/webapp/app/services/personalAccessToken.server.ts
@@ -1,8 +1,9 @@
-import { type PersonalAccessToken } from "@trigger.dev/database";
+import { type PersonalAccessToken, type User } from "@trigger.dev/database";
 import { customAlphabet, nanoid } from "nanoid";
 import { z } from "zod";
 import { prisma } from "~/db.server";
 import { logger } from "./logger.server";
+import { rbac } from "./rbac.server";
 import { decryptToken, encryptToken, hashToken } from "~/utils/tokens.server";
 import { env } from "~/env.server";
 
@@ -10,9 +11,21 @@ const tokenValueLength = 40;
 //lowercase only, removed 0 and l to avoid confusion
 const tokenGenerator = customAlphabet("123456789abcdefghijkmnopqrstuvwxyz", tokenValueLength);
 
+// Skip the lastAccessedAt write if the existing value is already within this
+// window. Eliminates per-auth UPDATE churn on a small narrow hot table; the
+// /account/tokens UI reads this field at human granularity so a few-minute
+// staleness is fine.
+export const PAT_LAST_ACCESSED_THROTTLE_MS = 5 * 60 * 1000;
+
 type CreatePersonalAccessTokenOptions = {
   name: string;
   userId: string;
+  // Optional: when provided, persist a TokenRole row alongside the PAT
+  // so PAT-authenticated requests pick up that role's permissions
+  // (TRI-8749). The dashboard tokens page passes a chosen system role;
+  // the CLI auth-code path doesn't pass one (legacy behaviour
+  // preserved — those PATs run with no explicit role).
+  roleId?: string;
 };
 
 /** Returns obfuscated access tokens that aren't revoked */
@@ -99,6 +112,43 @@ export type PersonalAccessTokenAuthenticationResult = {
   userId: string;
 };
 
+/**
+ * Smart-skip the `lastAccessedAt` write when the cached value is already
+ * within the throttle window. Saves one DB roundtrip per "fresh" auth.
+ *
+ * Two layers of throttling: JS-side (`Date.now() - lastAccessedAt.getTime()`)
+ * elides the SQL entirely when the caller already has a recent timestamp;
+ * SQL-side `WHERE` clause inside the `updateMany` guards against concurrent
+ * auths racing to a double-write when the JS check decides to fire.
+ *
+ * Called from both the legacy PAT flow (`authenticatePersonalAccessToken`)
+ * and the apiBuilder's RBAC-routed PAT flow (which gets `lastAccessedAt`
+ * from `rbac.authenticatePat`'s result). Keeps the throttle policy in one
+ * place rather than expecting every plugin implementer to re-implement it.
+ */
+export async function updateLastAccessedAtIfStale(
+  tokenId: string,
+  lastAccessedAt: Date | null
+): Promise<void> {
+  if (
+    lastAccessedAt &&
+    Date.now() - lastAccessedAt.getTime() <= PAT_LAST_ACCESSED_THROTTLE_MS
+  ) {
+    return; // fresh — no roundtrip
+  }
+  await prisma.personalAccessToken.updateMany({
+    where: {
+      id: tokenId,
+      revokedAt: null,
+      OR: [
+        { lastAccessedAt: null },
+        { lastAccessedAt: { lt: new Date(Date.now() - PAT_LAST_ACCESSED_THROTTLE_MS) } },
+      ],
+    },
+    data: { lastAccessedAt: new Date() },
+  });
+}
+
 const EncryptedSecretValueSchema = z.object({
   nonce: z.string(),
   ciphertext: z.string(),
@@ -118,6 +168,59 @@ export async function authenticateApiRequestWithPersonalAccessToken(
   return authenticatePersonalAccessToken(token);
 }
 
+export type AdminAuthenticationResult =
+  | { ok: true; user: User }
+  | { ok: false; status: 401 | 403; message: string };
+
+/**
+ * Authenticates a request via personal access token and checks the user is
+ * an admin. Returns a discriminated result so callers can shape the failure
+ * (throw a Response, wrap in neverthrow, return JSON, etc.) to fit their
+ * context. See `requireAdminApiRequest` for the Remix loader/action wrapper.
+ */
+export async function authenticateAdminRequest(
+  request: Request
+): Promise<AdminAuthenticationResult> {
+  const authResult = await authenticateApiRequestWithPersonalAccessToken(request);
+
+  if (!authResult) {
+    return { ok: false, status: 401, message: "Invalid or Missing API key" };
+  }
+
+  const user = await prisma.user.findFirst({
+    where: { id: authResult.userId },
+  });
+
+  if (!user) {
+    return { ok: false, status: 401, message: "Invalid or Missing API key" };
+  }
+
+  if (!user.admin) {
+    return { ok: false, status: 403, message: "You must be an admin to perform this action" };
+  }
+
+  return { ok: true, user };
+}
+
+/**
+ * Remix loader/action wrapper around `authenticateAdminRequest` that throws
+ * a Response on failure so routes can `await` without handling the error
+ * branch. Uses `new Response` directly to avoid coupling this module to
+ * `@remix-run/server-runtime`.
+ */
+export async function requireAdminApiRequest(request: Request): Promise<User> {
+  const result = await authenticateAdminRequest(request);
+
+  if (!result.ok) {
+    throw new Response(JSON.stringify({ error: result.message }), {
+      status: result.status,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+
+  return result.user;
+}
+
 function getPersonalAccessTokenFromRequest(request: Request) {
   const rawAuthorization = request.headers.get("Authorization");
 
@@ -152,14 +255,7 @@ export async function authenticatePersonalAccessToken(
     return;
   }
 
-  await prisma.personalAccessToken.update({
-    where: {
-      id: personalAccessToken.id,
-    },
-    data: {
-      lastAccessedAt: new Date(),
-    },
-  });
+  await updateLastAccessedAtIfStale(personalAccessToken.id, personalAccessToken.lastAccessedAt);
 
   const decryptedToken = decryptPersonalAccessToken(personalAccessToken);
 
@@ -269,6 +365,7 @@ export async function createPersonalAccessTokenFromAuthorizationCode(
 export async function createPersonalAccessToken({
   name,
   userId,
+  roleId,
 }: CreatePersonalAccessTokenOptions) {
   const token = createToken();
   const encryptedToken = encryptToken(token, env.ENCRYPTION_KEY);
@@ -283,6 +380,45 @@ export async function createPersonalAccessToken({
     },
   });
 
+  // Persist the role choice via the RBAC plugin's setTokenRole. The
+  // plugin may store this in a separate datastore from Prisma (e.g.
+  // Drizzle on a different schema), so co-transactional inserts are
+  // awkward — we use a compensating-delete pattern instead: if
+  // setTokenRole fails, roll back the PAT row by deleting it. The auth
+  // path treats "no role" as permissive (matches the default fallback)
+  // so a brief orphan window between the two writes is harmless. The
+  // compensating delete narrows that window from "until manual cleanup"
+  // to "until the request returns".
+  //
+  // Skip the call entirely when no RBAC plugin is loaded — the OSS
+  // fallback has no TokenRole table to write to. Gating on
+  // `rbac.isUsingPlugin()` (rather than parsing the fallback's error
+  // string) keeps the OSS-vs-cloud branch explicit and decoupled from
+  // any specific error message.
+  if (roleId && (await rbac.isUsingPlugin())) {
+    const roleResult = await rbac.setTokenRole({
+      tokenId: personalAccessToken.id,
+      roleId,
+    });
+    if (!roleResult.ok) {
+      await prisma.personalAccessToken
+        .delete({ where: { id: personalAccessToken.id } })
+        .catch((err) => {
+          logger.error("Failed to compensating-delete PAT after TokenRole insert failed", {
+            patId: personalAccessToken.id,
+            roleResultError: roleResult.error,
+            deleteError: err instanceof Error ? err.message : String(err),
+          });
+        });
+      throw new Error(`Failed to assign role to access token: ${roleResult.error}`);
+    }
+  } else if (roleId) {
+    logger.debug("createPersonalAccessToken: no RBAC plugin, skipping role assignment", {
+      patId: personalAccessToken.id,
+      userId,
+    });
+  }
+
   return {
     id: personalAccessToken.id,
     name,
diff --git a/apps/webapp/app/services/platform.v3.server.ts b/apps/webapp/app/services/platform.v3.server.ts
index 3a981396003..bd189b4fb5a 100644
--- a/apps/webapp/app/services/platform.v3.server.ts
+++ b/apps/webapp/app/services/platform.v3.server.ts
@@ -1,5 +1,5 @@
 import { MachinePresetName, tryCatch } from "@trigger.dev/core/v3";
-import type { Organization, Project, RuntimeEnvironmentType } from "@trigger.dev/database";
+import type { RuntimeEnvironmentType } from "@trigger.dev/database";
 import {
   BillingClient,
   defaultMachine as defaultMachineFromPlatform,
@@ -25,12 +25,12 @@ import { redirect } from "remix-typedjson";
 import { z } from "zod";
 import { env } from "~/env.server";
 import { redirectWithErrorMessage, redirectWithSuccessMessage } from "~/models/message.server";
-import { createEnvironment } from "~/models/organization.server";
 import { logger } from "~/services/logger.server";
 import { newProjectPath, organizationBillingPath } from "~/utils/pathBuilder";
 import { singleton } from "~/utils/singleton";
 import { RedisCacheStore } from "./unkey/redisCacheStore.server";
 import { $replica } from "~/db.server";
+import { metrics } from "@opentelemetry/api";
 
 function initializeClient() {
   if (isCloud() && process.env.BILLING_API_URL && process.env.BILLING_API_KEY) {
@@ -44,6 +44,34 @@ function initializeClient() {
 
 const client = singleton("billingClient", initializeClient);
 
+/**
+ * `true` when the billing client was instantiated — i.e. we're running
+ * in a cloud-style install with `BILLING_API_URL` + `BILLING_API_KEY`
+ * configured. OSS / self-hosted installs return `false` here, which
+ * lets callers distinguish "no billing wired up, fall back to
+ * defaults" from "billing wired up but the call failed, retry."
+ */
+export function isBillingConfigured(): boolean {
+  return client !== undefined;
+}
+// Failures from @trigger.dev/platform billing client calls are tracked via
+// this metric (with low-cardinality {function, kind} labels) rather than
+// logged. Every task invocation hits these paths, so per-call logs were too
+// noisy; dashboard the counter for visibility instead.
+const platformClientMeter = metrics.getMeter("trigger.dev/platform-client");
+const platformClientFailuresCounter = platformClientMeter.createCounter(
+  "platform_client.failures_total",
+  {
+    description:
+      "Failures returned or thrown by @trigger.dev/platform billing client calls",
+  }
+);
+
+function recordPlatformFailure(fn: string, kind: "caught" | "no_success") {
+  platformClientFailuresCounter.add(1, { function: fn, kind });
+}
+
+
 function initializePlatformCache() {
   const ctx = new DefaultStatefulContext();
   const memory = createLRUMemoryStore(1000);
@@ -71,6 +99,11 @@ function initializePlatformCache() {
       fresh: 60_000 * 5, // 5 minutes
       stale: 60_000 * 10, // 10 minutes
     }),
+    entitlement: new Namespace<ReportUsageResult>(ctx, {
+      stores: [memory, redisCacheStore],
+      fresh: 60_000, // serve without revalidation for 60s
+      stale: 120_000, // total TTL — fresh 0-60s, stale-revalidate 60-120s
+    }),
   });
 
   return cache;
@@ -201,7 +234,7 @@ export async function getCurrentPlan(orgId: string) {
     firstDayOfNextMonth.setUTCHours(0, 0, 0, 0);
 
     if (!result.success) {
-      logger.error("Error getting current plan - no success", { orgId, error: result.error });
+      recordPlatformFailure("getCurrentPlan", "no_success");
       return undefined;
     }
 
@@ -217,7 +250,7 @@ export async function getCurrentPlan(orgId: string) {
 
     return { ...result, usage };
   } catch (e) {
-    logger.error("Error getting current plan - caught error", { orgId, error: e });
+    recordPlatformFailure("getCurrentPlan", "caught");
     return undefined;
   }
 }
@@ -228,13 +261,13 @@ export async function getLimits(orgId: string) {
   try {
     const result = await client.currentPlan(orgId);
     if (!result.success) {
-      logger.error("Error getting limits - no success", { orgId, error: result.error });
+      recordPlatformFailure("getLimits", "no_success");
       return undefined;
     }
 
     return result.v3Subscription?.plan?.limits;
   } catch (e) {
-    logger.error("Error getting limits - caught error", { orgId, error: e });
+    recordPlatformFailure("getLimits", "caught");
     return undefined;
   }
 }
@@ -310,7 +343,7 @@ export async function customerPortalUrl(orgId: string, orgSlug: string) {
       returnUrl: `${env.APP_ORIGIN}${organizationBillingPath({ slug: orgSlug })}`,
     });
   } catch (e) {
-    logger.error("Error getting customer portal Url", { orgId, error: e });
+    recordPlatformFailure("customerPortalUrl", "caught");
     return undefined;
   }
 }
@@ -321,12 +354,12 @@ export async function getPlans() {
   try {
     const result = await client.plans();
     if (!result.success) {
-      logger.error("Error getting plans - no success", { error: result.error });
+      recordPlatformFailure("getPlans", "no_success");
       return undefined;
     }
     return result;
   } catch (e) {
-    logger.error("Error getting plans - caught error", { error: e });
+    recordPlatformFailure("getPlans", "caught");
     return undefined;
   }
 }
@@ -368,6 +401,7 @@ export async function setPlan(
       if (result.accepted) {
         // Invalidate billing cache since plan changed
         opts?.invalidateBillingCache?.(organization.id);
+        platformCache.entitlement.remove(organization.id).catch(() => {});
         return redirect(newProjectPath(organization, "You're on the Free plan."));
       } else {
         return redirectWithErrorMessage(
@@ -384,11 +418,13 @@ export async function setPlan(
     case "updated_subscription": {
       // Invalidate billing cache since subscription changed
       opts?.invalidateBillingCache?.(organization.id);
+      platformCache.entitlement.remove(organization.id).catch(() => {});
       return redirectWithSuccessMessage(callerPath, request, "Subscription updated successfully.");
     }
     case "canceled_subscription": {
       // Invalidate billing cache since subscription was canceled
       opts?.invalidateBillingCache?.(organization.id);
+      platformCache.entitlement.remove(organization.id).catch(() => {});
       return redirectWithSuccessMessage(callerPath, request, "Subscription canceled.");
     }
   }
@@ -400,12 +436,12 @@ export async function setConcurrencyAddOn(organizationId: string, amount: number
   try {
     const result = await client.setAddOn(organizationId, { type: "concurrency", amount });
     if (!result.success) {
-      logger.error("Error setting concurrency add on - no success", { error: result.error });
+      recordPlatformFailure("setConcurrencyAddOn", "no_success");
       return undefined;
     }
     return result;
   } catch (e) {
-    logger.error("Error setting concurrency add on - caught error", { error: e });
+    recordPlatformFailure("setConcurrencyAddOn", "caught");
     return undefined;
   }
 }
@@ -416,12 +452,12 @@ export async function setSeatsAddOn(organizationId: string, amount: number) {
   try {
     const result = await client.setAddOn(organizationId, { type: "seats", amount });
     if (!result.success) {
-      logger.error("Error setting seats add on - no success", { error: result.error });
+      recordPlatformFailure("setSeatsAddOn", "no_success");
       return undefined;
     }
     return result;
   } catch (e) {
-    logger.error("Error setting seats add on - caught error", { error: e });
+    recordPlatformFailure("setSeatsAddOn", "caught");
     return undefined;
   }
 }
@@ -432,12 +468,12 @@ export async function setBranchesAddOn(organizationId: string, amount: number) {
   try {
     const result = await client.setAddOn(organizationId, { type: "branches", amount });
     if (!result.success) {
-      logger.error("Error setting branches add on - no success", { error: result.error });
+      recordPlatformFailure("setBranchesAddOn", "no_success");
       return undefined;
     }
     return result;
   } catch (e) {
-    logger.error("Error setting branches add on - caught error", { error: e });
+    recordPlatformFailure("setBranchesAddOn", "caught");
     return undefined;
   }
 }
@@ -448,12 +484,12 @@ export async function getUsage(organizationId: string, { from, to }: { from: Dat
   try {
     const result = await client.usage(organizationId, { from, to });
     if (!result.success) {
-      logger.error("Error getting usage - no success", { error: result.error });
+      recordPlatformFailure("getUsage", "no_success");
       return undefined;
     }
     return result;
   } catch (e) {
-    logger.error("Error getting usage - caught error", { error: e });
+    recordPlatformFailure("getUsage", "caught");
     return undefined;
   }
 }
@@ -482,12 +518,12 @@ export async function getUsageSeries(organizationId: string, params: UsageSeries
   try {
     const result = await client.usageSeries(organizationId, params);
     if (!result.success) {
-      logger.error("Error getting usage series - no success", { error: result.error });
+      recordPlatformFailure("getUsageSeries", "no_success");
       return undefined;
     }
     return result;
   } catch (e) {
-    logger.error("Error getting usage series - caught error", { error: e });
+    recordPlatformFailure("getUsageSeries", "caught");
     return undefined;
   }
 }
@@ -506,12 +542,12 @@ export async function reportInvocationUsage(
       additionalData,
     });
     if (!result.success) {
-      logger.error("Error reporting invocation - no success", { error: result.error });
+      recordPlatformFailure("reportInvocationUsage", "no_success");
       return undefined;
     }
     return result;
   } catch (e) {
-    logger.error("Error reporting invocation - caught error", { error: e });
+    recordPlatformFailure("reportInvocationUsage", "caught");
     return undefined;
   }
 }
@@ -531,48 +567,34 @@ export async function getEntitlement(
 ): Promise<ReportUsageResult | undefined> {
   if (!client) return undefined;
 
-  try {
-    const result = await client.getEntitlement(organizationId);
-    if (!result.success) {
-      logger.error("Error getting entitlement - no success", { error: result.error });
-      return {
-        hasAccess: true as const,
-      };
+  // Errors must be caught inside the loader — @unkey/cache passes the loader
+  // promise to waitUntil() with no .catch(), so an unhandled rejection during
+  // background SWR revalidation would crash the process. Returning undefined
+  // on error tells SWR not to commit a fail-open value to the cache, which
+  // prevents transient billing errors from overwriting a legitimate
+  // hasAccess: false entry. The fail-open default is applied *outside* the
+  // SWR call so it never becomes a cached access decision.
+  const result = await platformCache.entitlement.swr(organizationId, async () => {
+    try {
+      const response = await client.getEntitlement(organizationId);
+      if (!response.success) {
+        recordPlatformFailure("getEntitlement", "no_success");
+        return undefined;
+      }
+      return response;
+    } catch (e) {
+      recordPlatformFailure("getEntitlement", "caught");
+      return undefined;
     }
-    return result;
-  } catch (e) {
-    logger.error("Error getting entitlement - caught error", { error: e });
+  });
+
+  if (result.err || result.val === undefined) {
     return {
       hasAccess: true as const,
     };
   }
-}
 
-export async function projectCreated(
-  organization: Pick<Organization, "id" | "maximumConcurrencyLimit">,
-  project: Project
-) {
-  if (!isCloud()) {
-    await createEnvironment({ organization, project, type: "STAGING" });
-    await createEnvironment({
-      organization,
-      project,
-      type: "PREVIEW",
-      isBranchableEnvironment: true,
-    });
-  } else {
-    //staging is only available on certain plans
-    const plan = await getCurrentPlan(organization.id);
-    if (plan?.v3Subscription.plan?.limits.hasStagingEnvironment) {
-      await createEnvironment({ organization, project, type: "STAGING" });
-      await createEnvironment({
-        organization,
-        project,
-        type: "PREVIEW",
-        isBranchableEnvironment: true,
-      });
-    }
-  }
+  return result.val;
 }
 
 export async function getBillingAlerts(
@@ -581,7 +603,7 @@ export async function getBillingAlerts(
   if (!client) return undefined;
   const result = await client.getBillingAlerts(organizationId);
   if (!result.success) {
-    logger.error("Error getting billing alert", { error: result.error, organizationId });
+    recordPlatformFailure("getBillingAlert", "no_success");
     throw new Error("Error getting billing alert");
   }
   return result;
@@ -594,7 +616,7 @@ export async function setBillingAlert(
   if (!client) return undefined;
   const result = await client.updateBillingAlerts(organizationId, alert);
   if (!result.success) {
-    logger.error("Error setting billing alert", { error: result.error, organizationId });
+    recordPlatformFailure("setBillingAlert", "no_success");
     throw new Error("Error setting billing alert");
   }
   return result;
@@ -607,11 +629,7 @@ export async function generateRegistryCredentials(
   if (!client) return undefined;
   const result = await client.generateRegistryCredentials(projectId, region);
   if (!result.success) {
-    logger.error("Error generating registry credentials", {
-      error: result.error,
-      projectId,
-      region,
-    });
+    recordPlatformFailure("generateRegistryCredentials", "no_success");
     throw new Error("Failed to generate registry credentials");
   }
 
@@ -630,13 +648,7 @@ export async function enqueueBuild(
   if (!client) return undefined;
   const result = await client.enqueueBuild(projectId, { deploymentId, artifactKey, options });
   if (!result.success) {
-    logger.error("Error enqueuing build", {
-      error: result.error,
-      projectId,
-      deploymentId,
-      artifactKey,
-      options,
-    });
+    recordPlatformFailure("enqueueBuild", "no_success");
     throw new Error("Failed to enqueue build");
   }
 
@@ -651,12 +663,12 @@ export async function getPrivateLinks(
   const [error, result] = await tryCatch(client.getPrivateLinks(organizationId));
 
   if (error) {
-    logger.error("Error getting private links", { organizationId, error });
+    recordPlatformFailure("getPrivateLinks", "caught");
     return undefined;
   }
 
   if (!result.success) {
-    logger.error("Error getting private links - no success", { organizationId, error: result.error });
+    recordPlatformFailure("getPrivateLinks", "no_success");
     return undefined;
   }
 
@@ -672,12 +684,12 @@ export async function createPrivateLink(
   const [error, result] = await tryCatch(client.createPrivateLink(organizationId, body));
 
   if (error) {
-    logger.error("Error creating private link", { organizationId, error });
+    recordPlatformFailure("createPrivateLink", "caught");
     throw error;
   }
 
   if (!result.success) {
-    logger.error("Error creating private link - no success", { organizationId, error: result.error });
+    recordPlatformFailure("createPrivateLink", "no_success");
     throw new Error(result.error ?? "Failed to create private link");
   }
 
@@ -693,12 +705,12 @@ export async function deletePrivateLink(
   const [error, result] = await tryCatch(client.deletePrivateLink(organizationId, connectionId));
 
   if (error) {
-    logger.error("Error deleting private link", { organizationId, connectionId, error });
+    recordPlatformFailure("deletePrivateLink", "caught");
     throw error;
   }
 
   if (!result.success) {
-    logger.error("Error deleting private link - no success", { organizationId, connectionId, error: result.error });
+    recordPlatformFailure("deletePrivateLink", "no_success");
     throw new Error(result.error ?? "Failed to delete private link");
   }
 }
@@ -711,12 +723,12 @@ export async function getPrivateLinkRegions(
   const [error, result] = await tryCatch(client.getPrivateLinkRegions(organizationId));
 
   if (error) {
-    logger.error("Error getting private link regions", { organizationId, error });
+    recordPlatformFailure("getPrivateLinkRegions", "caught");
     return undefined;
   }
 
   if (!result.success) {
-    logger.error("Error getting private link regions - no success", { organizationId, error: result.error });
+    recordPlatformFailure("getPrivateLinkRegions", "no_success");
     return undefined;
   }
 
@@ -749,7 +761,7 @@ export async function triggerInitialDeployment(
   }
 }
 
-function isCloud(): boolean {
+export function isCloud(): boolean {
   const acceptableHosts = [
     "https://cloud.trigger.dev",
     "https://test-cloud.trigger.dev",
diff --git a/apps/webapp/app/services/platformNotificationCounter.server.ts b/apps/webapp/app/services/platformNotificationCounter.server.ts
index dc2970045da..3bd4fa49afb 100644
--- a/apps/webapp/app/services/platformNotificationCounter.server.ts
+++ b/apps/webapp/app/services/platformNotificationCounter.server.ts
@@ -1,4 +1,5 @@
 import { Redis } from "ioredis";
+import { defaultReconnectOnError } from "@internal/redis";
 import { env } from "~/env.server";
 import { singleton } from "~/utils/singleton";
 import { logger } from "./logger.server";
@@ -18,6 +19,7 @@ function initializeRedis(): Redis | undefined {
     password: env.CACHE_REDIS_PASSWORD,
     keyPrefix: "tr:",
     enableAutoPipelining: true,
+    reconnectOnError: defaultReconnectOnError,
     ...(env.CACHE_REDIS_TLS_DISABLED === "true" ? {} : { tls: {} }),
   });
 }
diff --git a/apps/webapp/app/services/projectCreated.server.ts b/apps/webapp/app/services/projectCreated.server.ts
new file mode 100644
index 00000000000..f845af52033
--- /dev/null
+++ b/apps/webapp/app/services/projectCreated.server.ts
@@ -0,0 +1,35 @@
+import type { Organization, Project } from "@trigger.dev/database";
+import { createEnvironment } from "~/models/organization.server";
+import { getCurrentPlan, isCloud } from "~/services/platform.v3.server";
+
+// Extracted from platform.v3.server.ts to break a circular import:
+// platform.v3.server ↔ models/organization.server (via createEnvironment).
+// The cycle caused the bundled __esm wrappers to re-enter and short-circuit
+// the platform.v3.server init, leaving `defaultMachine` and `machines`
+// undefined in `singleton("machinePresets", ...)` — the boot crash at
+// `allMachines()` traced to TRI-8731.
+export async function projectCreated(
+  organization: Pick<Organization, "id" | "maximumConcurrencyLimit">,
+  project: Project
+) {
+  if (!isCloud()) {
+    await createEnvironment({ organization, project, type: "STAGING" });
+    await createEnvironment({
+      organization,
+      project,
+      type: "PREVIEW",
+      isBranchableEnvironment: true,
+    });
+  } else {
+    const plan = await getCurrentPlan(organization.id);
+    if (plan?.v3Subscription?.plan?.limits?.hasStagingEnvironment) {
+      await createEnvironment({ organization, project, type: "STAGING" });
+      await createEnvironment({
+        organization,
+        project,
+        type: "PREVIEW",
+        isBranchableEnvironment: true,
+      });
+    }
+  }
+}
diff --git a/apps/webapp/app/services/queryService.server.ts b/apps/webapp/app/services/queryService.server.ts
index 1f3bdbba18a..4a576c2bf34 100644
--- a/apps/webapp/app/services/queryService.server.ts
+++ b/apps/webapp/app/services/queryService.server.ts
@@ -11,7 +11,7 @@ import type { TableSchema, WhereClauseCondition } from "@internal/tsql";
 import { z } from "zod";
 import { prisma } from "~/db.server";
 import { env } from "~/env.server";
-import { queryClickhouseClient } from "./clickhouseInstance.server";
+import { clickhouseFactory } from "./clickhouse/clickhouseFactoryInstance.server";
 import {
   queryConcurrencyLimiter,
   DEFAULT_ORG_CONCURRENCY_LIMIT,
@@ -275,7 +275,8 @@ export async function executeQuery<TOut extends z.ZodSchema>(
       environment: Object.fromEntries(environments.map((e) => [e.id, e.slug])),
     };
 
-    const result = await executeTSQL(queryClickhouseClient.reader, {
+    const queryClickhouse = await clickhouseFactory.getClickhouseForOrganization(organizationId, "query");
+    const result = await executeTSQL(queryClickhouse.reader, {
       ...baseOptions,
       schema: z.record(z.any()),
       tableSchema: querySchemas,
diff --git a/apps/webapp/app/services/rbac.server.ts b/apps/webapp/app/services/rbac.server.ts
new file mode 100644
index 00000000000..49b6f88ecf4
--- /dev/null
+++ b/apps/webapp/app/services/rbac.server.ts
@@ -0,0 +1,29 @@
+import { $replica, prisma } from "~/db.server";
+import type { PrismaClient } from "@trigger.dev/database";
+import plugin from "@trigger.dev/rbac";
+import { env } from "~/env.server";
+
+// plugin.create() is synchronous — returns a lazy controller that resolves
+// any installed RBAC plugin on first call. Top-level await is not used
+// because CJS output format does not support it.
+//
+// Auth-path reads run on every request — pass the replica explicitly so
+// they don't pile up on the primary. Writes (role mutations) still go
+// through the primary. Same separation findEnvironmentByApiKey used
+// before this PR moved bearer auth into the RBAC plugin.
+//
+// Session-cookie userId resolution lives at the call site (see
+// dashboardBuilder.server.ts), not here. Statically importing
+// `~/services/session.server` from this module dragged the entire
+// remix-auth pipeline (auth.server → emailAuth/gitHubAuth/googleAuth,
+// each validating their secret at module load) into anything that
+// transitively imported `rbac` — including PAT auth callers that have
+// no session-cookie path at all. Passing userId through the
+// `authenticateSession` context decouples the plugin host from the
+// host's session implementation.
+export const rbac = plugin.create(
+  // $replica is structurally a PrismaClient minus `$transaction` — the
+  // RBAC fallback only uses `findFirst` on it, so the cast is safe.
+  { primary: prisma, replica: $replica as PrismaClient },
+  { forceFallback: env.RBAC_FORCE_FALLBACK }
+);
diff --git a/apps/webapp/app/services/realtime/boundedTtlCache.ts b/apps/webapp/app/services/realtime/boundedTtlCache.ts
new file mode 100644
index 00000000000..ac422880ded
--- /dev/null
+++ b/apps/webapp/app/services/realtime/boundedTtlCache.ts
@@ -0,0 +1,50 @@
+/**
+ * Tiny in-process bounded TTL cache shared by the realtime feeds: entries expire after `ttlMs` (evicted on read),
+ * and at-capacity writes sweep expired entries then drop the oldest. A stored `undefined` is indistinguishable from a miss (use `null` for absence).
+ */
+export class BoundedTtlCache<V> {
+  readonly #entries = new Map<string, { value: V; expiresAt: number }>();
+
+  constructor(
+    private readonly ttlMs: number,
+    private readonly maxEntries: number
+  ) {}
+
+  get(key: string): V | undefined {
+    const entry = this.#entries.get(key);
+    if (!entry) {
+      return undefined;
+    }
+    if (entry.expiresAt > Date.now()) {
+      return entry.value;
+    }
+    // Evict on read so expired entries don't linger until the next at-capacity
+    // sweep — important for read-heavy / low-churn caches (per-handle working sets).
+    this.#entries.delete(key);
+    return undefined;
+  }
+
+  set(key: string, value: V): void {
+    // Only run capacity eviction when inserting a NEW key — updating an existing key
+    // doesn't grow the map, so it must never drop an unrelated live entry.
+    if (!this.#entries.has(key) && this.#entries.size >= this.maxEntries) {
+      const now = Date.now();
+      for (const [key, entry] of this.#entries) {
+        if (entry.expiresAt <= now) {
+          this.#entries.delete(key);
+        }
+      }
+      if (this.#entries.size >= this.maxEntries) {
+        const oldest = this.#entries.keys().next().value;
+        if (oldest !== undefined) {
+          this.#entries.delete(oldest);
+        }
+      }
+    }
+    this.#entries.set(key, { value, expiresAt: Date.now() + this.ttlMs });
+  }
+
+  get size(): number {
+    return this.#entries.size;
+  }
+}
diff --git a/apps/webapp/app/services/realtime/chatSnapshot.server.ts b/apps/webapp/app/services/realtime/chatSnapshot.server.ts
new file mode 100644
index 00000000000..8d0ef537fec
--- /dev/null
+++ b/apps/webapp/app/services/realtime/chatSnapshot.server.ts
@@ -0,0 +1,34 @@
+import { env } from "~/env.server";
+
+/**
+ * Canonical storage URI for a session's chat.agent snapshot. Stamped on
+ * `Session.chatSnapshotStoragePath` at row creation so PUT/GET presigns
+ * resolve to the same store even if `OBJECT_STORE_DEFAULT_PROTOCOL`
+ * changes later.
+ */
+export function chatSnapshotStoragePathForSession(friendlyId: string): string {
+  const path = `sessions/${friendlyId}/snapshot.json`;
+  const protocol = env.OBJECT_STORE_DEFAULT_PROTOCOL;
+  return protocol ? `${protocol}://${path}` : path;
+}
+
+/**
+ * Resolve the storage key/URI a session's chat snapshot is written to and read
+ * from. Single source of truth shared by every reader/writer so they all hit
+ * the same object store:
+ * - the SDK write + boot read (via the `snapshot-url` presign route), and
+ * - the dashboard `SessionPresenter` (Agent/Session view).
+ *
+ * Prefers `chatSnapshotStoragePath` stamped at row creation (already
+ * protocol-qualified, e.g. `s3://sessions/{id}/snapshot.json`), falling back to
+ * recomputing it for sessions created before the column existed. Using a bare,
+ * unqualified key here is the bug this guards against: the object store applies
+ * `OBJECT_STORE_DEFAULT_PROTOCOL` to unprefixed keys on PUT but not on GET, so a
+ * bare key can write to one store and read from another.
+ */
+export function chatSnapshotStorageKey(session: {
+  friendlyId: string;
+  chatSnapshotStoragePath: string | null;
+}): string {
+  return session.chatSnapshotStoragePath ?? chatSnapshotStoragePathForSession(session.friendlyId);
+}
diff --git a/apps/webapp/app/services/realtime/clickHouseRunListResolver.server.ts b/apps/webapp/app/services/realtime/clickHouseRunListResolver.server.ts
new file mode 100644
index 00000000000..317b1c15454
--- /dev/null
+++ b/apps/webapp/app/services/realtime/clickHouseRunListResolver.server.ts
@@ -0,0 +1,39 @@
+import { type ClickHouse } from "@internal/clickhouse";
+import { type PrismaClientOrTransaction } from "~/db.server";
+import { RunsRepository } from "~/services/runsRepository/runsRepository.server";
+import { type RunListFilter, type RunListResolver } from "./runReader.server";
+
+export type ClickHouseRunListResolverOptions = {
+  /** Resolves the per-organization ClickHouse client (multi-tenant routing). */
+  getClickhouse: (organizationId: string) => Promise<ClickHouse>;
+  prisma: PrismaClientOrTransaction;
+};
+
+/**
+ * Resolves the realtime tag/list filter into matching run ids via ClickHouse `listRunIds` (filter-only;
+ * rows hydrated from Postgres by id afterward). Tag matching is contains-ALL, byte-matching Electric's
+ * `runTags @> ARRAY[...]` shape.
+ */
+export class ClickHouseRunListResolver implements RunListResolver {
+  constructor(private readonly options: ClickHouseRunListResolverOptions) {}
+
+  async resolveMatchingRunIds(filter: RunListFilter): Promise<string[]> {
+    const clickhouse = await this.options.getClickhouse(filter.organizationId);
+    const repository = new RunsRepository({ clickhouse, prisma: this.options.prisma });
+
+    const { runIds } = await repository.listRunIds({
+      organizationId: filter.organizationId,
+      projectId: filter.projectId,
+      environmentId: filter.environmentId,
+      tags: filter.tags && filter.tags.length > 0 ? filter.tags : undefined,
+      // Contains-ALL, matching the Electric shape's `runTags @> ARRAY[...]` semantics.
+      tagsMatch: "all",
+      batchId: filter.batchId,
+      from: filter.createdAtAfter?.getTime(),
+      page: { size: filter.limit },
+    });
+
+    // listRunIds is keyset-paginated; runIds is already capped to page.size (= limit).
+    return runIds;
+  }
+}
diff --git a/apps/webapp/app/services/realtime/duration.server.ts b/apps/webapp/app/services/realtime/duration.server.ts
new file mode 100644
index 00000000000..c6aab9eb9df
--- /dev/null
+++ b/apps/webapp/app/services/realtime/duration.server.ts
@@ -0,0 +1,49 @@
+/**
+ * Duration string parsing for stream-basin retention / delete-on-empty
+ * configuration. Used by `streamBasinProvisioner` (to convert to S2's
+ * integer-seconds wire format) and by `env.server.ts` (to validate
+ * duration-shaped env vars at boot rather than at first use).
+ *
+ * Accepts the short forms (`7d`, `30d`, `365d`, `1h`, `90m`, `45s`,
+ * `2w`, `1y`) and the human forms (`7days`, `1week`, `1year`).
+ */
+
+const PATTERN =
+  /^(\d+)\s*(s|sec|secs|seconds?|m|min|mins|minutes?|h|hour|hours?|d|day|days?|w|week|weeks?|y|year|years?)$/;
+
+export function isValidDuration(input: string): boolean {
+  return PATTERN.test(input.trim().toLowerCase());
+}
+
+/**
+ * Parse a duration string into seconds. Throws on garbage so a
+ * misconfigured env var fails loudly. Use {@link isValidDuration}
+ * for non-throwing validation (e.g. inside a Zod `.refine()`).
+ */
+export function parseDuration(input: string): number {
+  const trimmed = input.trim().toLowerCase();
+  const match = trimmed.match(PATTERN);
+  if (!match) {
+    throw new Error(`Invalid duration string: ${input}`);
+  }
+  const value = parseInt(match[1]!, 10);
+  const unit = match[2]!;
+  const multiplier =
+    /^s/.test(unit)
+      ? 1
+      : /^m(?:in|ins|inute|inutes)?$/.test(unit)
+        ? 60
+        : /^h/.test(unit)
+          ? 3600
+          : /^d/.test(unit)
+            ? 86400
+            : /^w/.test(unit)
+              ? 604800
+              : /^y/.test(unit)
+                ? 31_536_000
+                : NaN;
+  if (!Number.isFinite(multiplier)) {
+    throw new Error(`Invalid duration unit: ${unit}`);
+  }
+  return value * multiplier;
+}
diff --git a/apps/webapp/app/services/realtime/electricStreamProtocol.server.ts b/apps/webapp/app/services/realtime/electricStreamProtocol.server.ts
new file mode 100644
index 00000000000..efe711a7273
--- /dev/null
+++ b/apps/webapp/app/services/realtime/electricStreamProtocol.server.ts
@@ -0,0 +1,279 @@
+/**
+ * Pure (no DB/Redis/env) Electric HTTP shape-stream wire serializer, byte-faithful to what the
+ * deployed `@electric-sql/client` (1.0.14 + 0.4.0) and the SDK's `SubscribeRunRawShape` expect.
+ * Each column value is wire-encoded as a string (or null) decoded via the `electric-schema` header;
+ * `up-to-date` is the only control message that makes the client emit, and re-sending a full row is idempotent.
+ */
+
+export type ElectricColumnType =
+  | "text"
+  | "timestamp"
+  | "int4"
+  | "int8"
+  | "float8"
+  | "bool"
+  | "jsonb";
+
+type ElectricColumn = {
+  name: string;
+  type: ElectricColumnType;
+  /** Array dimensionality. 1 => `type[]` (Postgres `{a,b}` literal). */
+  dims?: number;
+  /** Array columns only: true when the column has no SQL default, so an empty value emits `null` (not `{}`). Prisma erases this distinction, so we re-derive it here. */
+  emptyArrayAsNull?: boolean;
+};
+
+/** Columns the realtime run feed exposes; keep in sync with `DEFAULT_ELECTRIC_COLUMNS`. `type`/`dims` drive the schema header and value encoding. */
+export const RUN_ELECTRIC_COLUMNS: ReadonlyArray<ElectricColumn> = [
+  { name: "id", type: "text" },
+  { name: "taskIdentifier", type: "text" },
+  { name: "createdAt", type: "timestamp" },
+  { name: "updatedAt", type: "timestamp" },
+  { name: "startedAt", type: "timestamp" },
+  { name: "delayUntil", type: "timestamp" },
+  { name: "queuedAt", type: "timestamp" },
+  { name: "expiredAt", type: "timestamp" },
+  { name: "completedAt", type: "timestamp" },
+  { name: "friendlyId", type: "text" },
+  { name: "number", type: "int4" },
+  { name: "isTest", type: "bool" },
+  { name: "status", type: "text" },
+  { name: "usageDurationMs", type: "int4" },
+  { name: "costInCents", type: "float8" },
+  { name: "baseCostInCents", type: "float8" },
+  { name: "ttl", type: "text" },
+  { name: "payload", type: "text" },
+  { name: "payloadType", type: "text" },
+  { name: "metadata", type: "text" },
+  { name: "metadataType", type: "text" },
+  { name: "output", type: "text" },
+  { name: "outputType", type: "text" },
+  { name: "runTags", type: "text", dims: 1, emptyArrayAsNull: true },
+  { name: "error", type: "jsonb" },
+  { name: "realtimeStreams", type: "text", dims: 1 },
+];
+
+/** Columns that can never be skipped via `skipColumns` (mirrors realtimeClient). */
+export const RESERVED_COLUMNS = ["id", "taskIdentifier", "friendlyId", "status", "createdAt"];
+
+/** A single run hydrated for the realtime feed; structurally compatible with the `RunHydrator` Prisma `TaskRun` projection. */
+export type RealtimeRunRow = {
+  id: string;
+  taskIdentifier: string;
+  createdAt: Date;
+  updatedAt: Date;
+  startedAt: Date | null;
+  delayUntil: Date | null;
+  queuedAt: Date | null;
+  expiredAt: Date | null;
+  completedAt: Date | null;
+  friendlyId: string;
+  number: number;
+  isTest: boolean;
+  status: string;
+  usageDurationMs: number;
+  costInCents: number;
+  baseCostInCents: number;
+  ttl: string | null;
+  payload: string;
+  payloadType: string;
+  metadata: string | null;
+  metadataType: string;
+  output: string | null;
+  outputType: string;
+  runTags: string[];
+  error: unknown;
+  realtimeStreams: string[];
+};
+
+type Operation = "insert" | "update" | "delete";
+
+type ChangeMessage = {
+  key: string;
+  value: Record<string, string | null>;
+  headers: { operation: Operation };
+};
+
+type ControlMessage = {
+  headers: { control: "up-to-date" | "must-refetch" };
+};
+
+type ShapeMessage = ChangeMessage | ControlMessage;
+
+const UP_TO_DATE: ControlMessage = { headers: { control: "up-to-date" } };
+
+function effectiveSkipColumns(skipColumns: string[]): Set<string> {
+  return new Set(skipColumns.filter((c) => c !== "" && !RESERVED_COLUMNS.includes(c)));
+}
+
+function quoteArrayElement(value: string): string {
+  return `"${value.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
+}
+
+function pgArrayLiteral(values: unknown[]): string {
+  if (values.length === 0) {
+    return "{}";
+  }
+  return `{${values.map((v) => quoteArrayElement(String(v))).join(",")}}`;
+}
+
+function serializeValue(value: unknown, column: ElectricColumn): string | null {
+  if (value === null || value === undefined) {
+    return null;
+  }
+
+  if (column.dims && column.dims > 0) {
+    if (!Array.isArray(value)) {
+      return null;
+    }
+    // A no-default array column stores NULL when empty, so Electric emits `null`
+    // (not `{}`); match that here since Prisma handed us `[]` for the NULL value.
+    if (value.length === 0 && column.emptyArrayAsNull) {
+      return null;
+    }
+    return pgArrayLiteral(value);
+  }
+
+  switch (column.type) {
+    case "bool":
+      // Postgres text representation; the client's parseBool accepts "t"/"f".
+      return value ? "t" : "f";
+    case "timestamp":
+      // The SDK's RawShapeDate appends "Z" before parsing, so we emit the ISO
+      // string WITHOUT the trailing "Z".
+      return value instanceof Date ? value.toISOString().slice(0, -1) : String(value);
+    case "jsonb":
+      return JSON.stringify(value);
+    case "int4":
+    case "int8":
+    case "float8":
+    case "text":
+    default:
+      return String(value);
+  }
+}
+
+/** The merge key the client uses to reassemble a row across insert/update cycles. */
+export function runShapeKey(runId: string): string {
+  return `"public"."TaskRun"/"${runId}"`;
+}
+
+/** Encode a single run row into the wire `value` object (column -> string|null). */
+export function serializeRunRow(
+  row: RealtimeRunRow,
+  skipColumns: string[] = []
+): Record<string, string | null> {
+  const skip = effectiveSkipColumns(skipColumns);
+  const value: Record<string, string | null> = {};
+
+  for (const column of RUN_ELECTRIC_COLUMNS) {
+    if (skip.has(column.name)) {
+      continue;
+    }
+    value[column.name] = serializeValue((row as Record<string, unknown>)[column.name], column);
+  }
+
+  return value;
+}
+
+/** The `electric-schema` response header value for the (optionally trimmed) column set. */
+export function buildElectricSchemaHeader(skipColumns: string[] = []): string {
+  const skip = effectiveSkipColumns(skipColumns);
+  const schema: Record<string, { type: string; dims?: number }> = {};
+
+  for (const column of RUN_ELECTRIC_COLUMNS) {
+    if (skip.has(column.name)) {
+      continue;
+    }
+    schema[column.name] = column.dims ? { type: column.type, dims: column.dims } : { type: column.type };
+  }
+
+  return JSON.stringify(schema);
+}
+
+/** Initial snapshot body: an `insert` for the row (if present) then `up-to-date`; an absent row emits a bare `up-to-date` (empty shape). */
+export function buildSnapshotBody(row: RealtimeRunRow | null, skipColumns: string[] = []): string {
+  const messages: ShapeMessage[] = [];
+  if (row) {
+    messages.push({
+      key: runShapeKey(row.id),
+      value: serializeRunRow(row, skipColumns),
+      headers: { operation: "insert" },
+    });
+  }
+  messages.push(UP_TO_DATE);
+  return JSON.stringify(messages);
+}
+
+/** Live body when the row advanced: a full-row `update` followed by `up-to-date`. */
+export function buildUpdateBody(row: RealtimeRunRow, skipColumns: string[] = []): string {
+  const messages: ShapeMessage[] = [
+    {
+      key: runShapeKey(row.id),
+      value: serializeRunRow(row, skipColumns),
+      headers: { operation: "update" },
+    },
+    UP_TO_DATE,
+  ];
+  return JSON.stringify(messages);
+}
+
+/** Live body when nothing advanced: a bare `up-to-date` (no row emission). */
+export function buildUpToDateBody(): string {
+  return JSON.stringify([UP_TO_DATE]);
+}
+
+export type RowChange = { row: RealtimeRunRow; operation: "insert" | "update" };
+
+/** Multi-row body for the tag-list feed: one change message per row then `up-to-date` (empty `changes` emits a bare `up-to-date`). */
+export function buildRowsBody(changes: RowChange[], skipColumns: string[] = []): string {
+  const messages: ShapeMessage[] = changes.map((change) => ({
+    key: runShapeKey(change.row.id),
+    value: serializeRunRow(change.row, skipColumns),
+    headers: { operation: change.operation },
+  }));
+  messages.push(UP_TO_DATE);
+  return JSON.stringify(messages);
+}
+
+/** A row change whose wire `value` was already serialized (once, shared across feeds by
+ * the EnvChangeRouter); the per-feed `operation` is applied here. */
+export type SerializedRowChange = {
+  runId: string;
+  value: Record<string, string | null>;
+  operation: "insert" | "update";
+};
+
+/** Like `buildRowsBody`, but from values serialized once per (runId, columnSet) upstream,
+ * so a run matching many feeds is serialized once and reused across their bodies. */
+export function buildRowsBodyFromSerialized(changes: SerializedRowChange[]): string {
+  const messages: ShapeMessage[] = changes.map((change) => ({
+    key: runShapeKey(change.runId),
+    value: change.value,
+    headers: { operation: change.operation },
+  }));
+  messages.push(UP_TO_DATE);
+  return JSON.stringify(messages);
+}
+
+export const INITIAL_OFFSET = "-1";
+
+/** Opaque `<updatedAtMs>_<seq>` offset token (client `${number}_${number}` type); the first segment lets a live request detect whether the row advanced. */
+export function encodeOffset(updatedAtMs: number, seq: number): string {
+  return `${Math.trunc(updatedAtMs)}_${Math.trunc(seq)}`;
+}
+
+/** Extract the `updatedAt` epoch-ms a client last saw from its echoed offset. */
+export function parseOffsetUpdatedAtMs(offset: string | null | undefined): number {
+  if (!offset) {
+    return 0;
+  }
+  const [first] = offset.split("_");
+  const value = Number(first);
+  return Number.isFinite(value) && value > 0 ? value : 0;
+}
+
+/** Mirror of realtimeClient's DEQUEUED->EXECUTING rewrite for non-current API versions. */
+export function rewriteBodyForLegacyApiVersion(body: string): string {
+  return body.replace(/"status":"DEQUEUED"/g, '"status":"EXECUTING"');
+}
diff --git a/apps/webapp/app/services/realtime/envChangeRouter.server.ts b/apps/webapp/app/services/realtime/envChangeRouter.server.ts
new file mode 100644
index 00000000000..6c5969e02c6
--- /dev/null
+++ b/apps/webapp/app/services/realtime/envChangeRouter.server.ts
@@ -0,0 +1,694 @@
+import { type ChangeRecord } from "./runChangeNotifier.server";
+import { type RealtimeRunRow, serializeRunRow } from "./electricStreamProtocol.server";
+import { logger } from "~/services/logger.server";
+
+/**
+ * EnvChangeRouter — per-instance routing layer that fans one env's change stream out to the feeds it
+ * matches. Owns one subscription per env (over the RunChangeNotifier) plus an inverted index of held
+ * feeds, then per batch: routes via the index, batch-hydrates matched runs once per column set,
+ * serializes each row's wire value once, and resolves each matched feed's pending wait. Stateless across reconnects.
+ */
+
+export type WakeReason = "notify" | "timeout" | "abort";
+
+/** A feed's membership predicate over the env stream. */
+export type FeedFilter =
+  | { kind: "run"; runId: string }
+  | { kind: "tag"; tags: string[]; createdAtFloorMs?: number }
+  | { kind: "batch"; batchId: string };
+
+/** A matched run handed to a feed: the hydrated row (for the feed's working-set diff) and
+ * its wire `value` serialized once for this feed's column set (shared across feeds). */
+export type MatchedRow = { row: RealtimeRunRow; value: Record<string, string | null> };
+
+export type WaitResult = { reason: WakeReason; rows: MatchedRow[] };
+
+/** Minimal deps so the router is unit-testable without Redis/Postgres. */
+export interface EnvChangeSource {
+  subscribeToEnv(environmentId: string, onBatch: (records: ChangeRecord[]) => void): () => void;
+}
+export interface RowHydrator {
+  hydrateByIds(
+    environmentId: string,
+    ids: string[],
+    skipColumns: string[]
+  ): Promise<RealtimeRunRow[]>;
+}
+
+export type EnvChangeRouterOptions = {
+  source: EnvChangeSource;
+  hydrator: RowHydrator;
+  /** Observability: a hydrate-by-id batch ran (count = runs hydrated this tick). */
+  onHydrate?: (runCount: number) => void;
+  /** How far back (ms) a newly-armed feed replays buffered records. 0 disables replay. */
+  replayWindowMs?: number;
+  /** Cap on buffered recent records per env (latest record per run). */
+  replayMaxRunsPerEnv?: number;
+  /** How long (ms) to keep an env subscribed + buffering after its last feed closes. 0 disables. */
+  unsubscribeLingerMs?: number;
+  /** Observability: a replay scan found candidates and delivered rows (or none survived). */
+  onReplay?: (result: "delivered" | "empty") => void;
+  /** Observability: a buffered record was evicted. `cap` evictions mean the env churns more
+   * runs inside the window than the buffer holds (the replay guarantee is degrading). */
+  onReplayEviction?: (reason: "cap" | "window") => void;
+  /** Read-your-writes gate over the replica: delays wake-path hydrates until the replica
+   * should have applied the change (record.updatedAtMs + lag + margin), and re-hydrates
+   * rows the tripwire still finds stale. Omit to hydrate immediately (legacy behavior). */
+  replicaLag?: ReplicaLagGate;
+};
+
+export type ReplicaLagGate = {
+  /** Current replica-lag estimate (ms). */
+  getLagMs(): number;
+  /** Feedback: a hydrate provably read at least this far behind the primary. */
+  noteObservedLagMs(lagMs: number): void;
+  /** Safety margin added on top of the estimate (clock skew + scheduling). */
+  marginMs: number;
+  /** Hard cap on any single gate delay — a sick replica degrades freshness, never liveness. */
+  maxDelayMs: number;
+  /** Re-hydrate attempts for rows that still read stale after the delay. */
+  staleRetries: number;
+  /** Observability: stale rows recovered by a retry, or delivered stale after exhausting them. */
+  onStaleHydrate?: (outcome: "recovered" | "gave_up", runCount: number) => void;
+};
+
+const DEFAULT_REPLAY_WINDOW_MS = 2_000;
+const DEFAULT_REPLAY_MAX_RUNS_PER_ENV = 512;
+const DEFAULT_UNSUBSCRIBE_LINGER_MS = 5_000;
+
+/** Handle a feed holds for the duration of one long-poll. */
+export type FeedRegistration = {
+  /** Wait for the next batch matching this feed (or timeout/abort), with the matched runs
+   * hydrated + serialized for this feed's columns. One wait active at a time. */
+  waitForMatch(signal: AbortSignal | undefined, timeoutMs: number): Promise<WaitResult>;
+  /** Deregister from the index; unsubscribes the env when the last feed leaves. */
+  close(): void;
+  /** False when this instance's env subscription is younger than the replay window, so a
+   * change in the caller's inter-poll gap may have been missed (hop/cold start) — the
+   * caller should resolve once instead of holding blind. */
+  gapCovered: boolean;
+};
+
+type Feed = {
+  filter: FeedFilter;
+  skipColumns: string[];
+  columnSig: string;
+  /** The currently-waiting poll's resolver (null between polls). */
+  resolve: ((result: WaitResult) => void) | null;
+  /** Buffered records at or before this timestamp have been replayed (or predate this feed). */
+  replayCursorMs: number;
+};
+
+type EnvState = {
+  unsubscribe: () => void;
+  feeds: Set<Feed>;
+  byRunId: Map<string, Set<Feed>>;
+  byTag: Map<string, Set<Feed>>;
+  byBatchId: Map<string, Set<Feed>>;
+  /** All tag feeds, for routing partial records (no tags) as hydrate-to-classify candidates. */
+  tagFeeds: Set<Feed>;
+  /** Tag feeds with no tag filter — they match every record but are unreachable via byTag. */
+  unfilteredTagFeeds: Set<Feed>;
+  /** When this env's channel subscription started (for the gap-coverage check). */
+  subscribedAtMs: number;
+  /** Latest record per run, insertion-ordered, for replaying inter-poll gaps to newly-armed feeds. */
+  recent: Map<string, { record: ChangeRecord; receivedAtMs: number }>;
+  /** Pending teardown while the env lingers with zero feeds. */
+  lingerTimer?: ReturnType<typeof setTimeout>;
+};
+
+function sleepMs(ms: number): Promise<void> {
+  return new Promise((resolve) => {
+    const timer = setTimeout(resolve, ms);
+    timer.unref?.();
+  });
+}
+
+function addToIndex(index: Map<string, Set<Feed>>, key: string, feed: Feed) {
+  let set = index.get(key);
+  if (!set) {
+    set = new Set();
+    index.set(key, set);
+  }
+  set.add(feed);
+}
+
+function removeFromIndex(index: Map<string, Set<Feed>>, key: string, feed: Feed) {
+  const set = index.get(key);
+  if (set) {
+    set.delete(feed);
+    if (set.size === 0) {
+      index.delete(key);
+    }
+  }
+}
+
+export class EnvChangeRouter {
+  readonly #envs = new Map<string, EnvState>();
+
+  constructor(private readonly options: EnvChangeRouterOptions) {}
+
+  register(
+    environmentId: string,
+    filter: FeedFilter,
+    skipColumns: string[],
+    opts?: {
+      /** When the caller last received data for this connection. Bounds the replay to the
+       * true inter-poll gap; older than the window can't be proven covered. */
+      replaySinceMs?: number;
+    }
+  ): FeedRegistration {
+    const env = this.#ensureEnv(environmentId);
+    const replayWindowMs = this.options.replayWindowMs ?? DEFAULT_REPLAY_WINDOW_MS;
+    const now = Date.now();
+    const windowFloorMs = now - replayWindowMs;
+    const sinceMs = opts?.replaySinceMs ?? windowFloorMs;
+    const feed: Feed = {
+      filter,
+      skipColumns,
+      columnSig: skipColumns.length > 0 ? [...skipColumns].sort().join(",") : "",
+      resolve: null,
+      // First arm replays the caller's inter-poll gap; later arms only what arrived since.
+      // The buffer only spans the window, so never rewind past it.
+      replayCursorMs: Math.max(sinceMs, windowFloorMs),
+    };
+
+    env.feeds.add(feed);
+    this.#indexFeed(env, feed);
+
+    const waitForMatch = (signal: AbortSignal | undefined, timeoutMs: number) =>
+      new Promise<WaitResult>((resolve) => {
+        if (signal?.aborted) {
+          resolve({ reason: "abort", rows: [] });
+          return;
+        }
+        let settled = false;
+        let timer: ReturnType<typeof setTimeout> | undefined;
+        let onAbort: (() => void) | undefined;
+        const settle = (result: WaitResult) => {
+          if (settled) return;
+          settled = true;
+          feed.resolve = null;
+          if (timer) clearTimeout(timer);
+          if (signal && onAbort) signal.removeEventListener("abort", onAbort);
+          resolve(result);
+        };
+        feed.resolve = settle;
+        timer = setTimeout(() => settle({ reason: "timeout", rows: [] }), timeoutMs);
+        timer.unref?.();
+        if (signal) {
+          onAbort = () => settle({ reason: "abort", rows: [] });
+          signal.addEventListener("abort", onAbort, { once: true });
+        }
+        // Deliver any buffered records this feed hasn't seen (catches changes that
+        // landed while the caller was between polls).
+        if (replayWindowMs > 0 && env.recent.size > 0) {
+          this.#replayRecent(environmentId, env, feed).catch((error) => {
+            logger.error("[envChangeRouter] failed to replay buffered records", {
+              environmentId,
+              error,
+            });
+          });
+        }
+      });
+
+    const close = () => {
+      if (!env.feeds.has(feed)) {
+        return;
+      }
+      env.feeds.delete(feed);
+      this.#deindexFeed(env, feed);
+      // Resolve any in-flight wait so the poll doesn't hang.
+      feed.resolve?.({ reason: "abort", rows: [] });
+      feed.resolve = null;
+      if (env.feeds.size === 0) {
+        this.#scheduleEnvTeardown(environmentId, env);
+      }
+    };
+
+    return {
+      waitForMatch,
+      close,
+      // Covered when this instance was already subscribed (and buffering) at the gap's
+      // start, and the gap fits inside the buffer's window.
+      gapCovered:
+        replayWindowMs <= 0 || (env.subscribedAtMs <= sinceMs && sinceMs >= windowFloorMs),
+    };
+  }
+
+  /** Distinct environments currently routed (for metrics). */
+  get activeEnvCount(): number {
+    return this.#envs.size;
+  }
+
+  /** Currently-held feeds by kind (for metrics) — the system's capacity unit. */
+  get heldFeedCounts(): { run: number; tag: number; batch: number } {
+    const counts = { run: 0, tag: 0, batch: 0 };
+    for (const env of this.#envs.values()) {
+      for (const feed of env.feeds) {
+        counts[feed.filter.kind]++;
+      }
+    }
+    return counts;
+  }
+
+  #ensureEnv(environmentId: string): EnvState {
+    const existing = this.#envs.get(environmentId);
+    if (existing) {
+      // A pending teardown is cancelled by new interest; the buffer survives the gap.
+      if (existing.lingerTimer) {
+        clearTimeout(existing.lingerTimer);
+        existing.lingerTimer = undefined;
+      }
+      return existing;
+    }
+    const env: EnvState = {
+      unsubscribe: () => {},
+      feeds: new Set(),
+      byRunId: new Map(),
+      byTag: new Map(),
+      byBatchId: new Map(),
+      tagFeeds: new Set(),
+      unfilteredTagFeeds: new Set(),
+      subscribedAtMs: Date.now(),
+      recent: new Map(),
+    };
+    this.#envs.set(environmentId, env);
+    env.unsubscribe = this.options.source.subscribeToEnv(environmentId, (records) => {
+      this.#bufferRecent(env, records);
+      // Fire-and-forget; catch hydrate failures here (unhandled rejection exits the process) — waiters time out into the backstop.
+      this.#onBatch(environmentId, env, records).catch((error) => {
+        logger.error("[envChangeRouter] failed to route a change batch", {
+          environmentId,
+          error,
+        });
+      });
+    });
+    return env;
+  }
+
+  /** Keep the env subscribed + buffering for a linger after its last feed closes, so a
+   * client's next poll (or another instance hop landing back here) can replay the gap. */
+  #scheduleEnvTeardown(environmentId: string, env: EnvState) {
+    const lingerMs = this.options.unsubscribeLingerMs ?? DEFAULT_UNSUBSCRIBE_LINGER_MS;
+    if (lingerMs <= 0) {
+      this.#envs.delete(environmentId);
+      env.unsubscribe();
+      return;
+    }
+    if (env.lingerTimer) {
+      clearTimeout(env.lingerTimer);
+    }
+    env.lingerTimer = setTimeout(() => {
+      if (env.feeds.size === 0) {
+        this.#envs.delete(environmentId);
+        env.unsubscribe();
+      }
+    }, lingerMs);
+    env.lingerTimer.unref?.();
+  }
+
+  /** Upsert the latest record per run (insertion-ordered) and prune to the window + cap. */
+  #bufferRecent(env: EnvState, records: ChangeRecord[]) {
+    const windowMs = this.options.replayWindowMs ?? DEFAULT_REPLAY_WINDOW_MS;
+    if (windowMs <= 0) {
+      return;
+    }
+    const maxRuns = this.options.replayMaxRunsPerEnv ?? DEFAULT_REPLAY_MAX_RUNS_PER_ENV;
+    const now = Date.now();
+    for (const record of records) {
+      env.recent.delete(record.runId);
+      env.recent.set(record.runId, { record, receivedAtMs: now });
+    }
+    const cutoff = now - windowMs;
+    for (const [runId, entry] of env.recent) {
+      if (entry.receivedAtMs >= cutoff && env.recent.size <= maxRuns) {
+        break;
+      }
+      this.options.onReplayEviction?.(entry.receivedAtMs < cutoff ? "window" : "cap");
+      env.recent.delete(runId);
+    }
+  }
+
+  /** Whether a buffered record matches a feed's predicate (mirrors #onBatch's routing). */
+  #recordMatchesFeed(record: ChangeRecord, feed: Feed): boolean {
+    switch (feed.filter.kind) {
+      case "run":
+        return record.runId === feed.filter.runId;
+      case "batch":
+        return record.batchId != null && record.batchId === feed.filter.batchId;
+      case "tag": {
+        const tags = feed.filter.tags;
+        // Unfiltered feed matches everything; partial record (no tags) = hydrate-to-classify.
+        if (tags.length === 0 || record.tags === undefined) {
+          return true;
+        }
+        return record.tags.some((tag) => tags.includes(tag));
+      }
+    }
+  }
+
+  /** How long to wait before hydrating so the replica has applied every change in the
+   * batch: each record is safe at updatedAtMs + lag + margin (records without a watermark
+   * anchor at now, degrading to a plain lag-sized delay). Capped — see ReplicaLagGate. */
+  #gateDelayMs(records: ChangeRecord[]): number {
+    const gate = this.options.replicaLag;
+    if (!gate || records.length === 0) {
+      return 0;
+    }
+    const now = Date.now();
+    const lagMs = gate.getLagMs();
+    let safeAtMs = 0;
+    for (const record of records) {
+      const anchorMs = record.updatedAtMs ?? now;
+      safeAtMs = Math.max(safeAtMs, anchorMs + lagMs + gate.marginMs);
+    }
+    return Math.max(0, Math.min(safeAtMs - now, gate.maxDelayMs));
+  }
+
+  /** Deliver buffered records newer than the feed's cursor through the normal
+   * hydrate -> serialize -> settle pipeline. Already-seen rows diff to nothing downstream. */
+  async #replayRecent(environmentId: string, env: EnvState, feed: Feed) {
+    const cursor = feed.replayCursorMs;
+    feed.replayCursorMs = Date.now();
+
+    const runIds: string[] = [];
+    const candidateRecords: ChangeRecord[] = [];
+    for (const [runId, entry] of env.recent) {
+      if (entry.receivedAtMs > cursor && this.#recordMatchesFeed(entry.record, feed)) {
+        runIds.push(runId);
+        candidateRecords.push(entry.record);
+      }
+    }
+    if (runIds.length === 0 || !feed.resolve) {
+      return;
+    }
+
+    // Replayed records are usually past the lag window already (delay computes to 0); a
+    // just-buffered one gets the same read-your-writes gate as the live path. No tripwire
+    // here — a stale replay diffs to a re-emission on the next wake or backstop.
+    const replayDelayMs = this.#gateDelayMs(candidateRecords);
+    if (replayDelayMs > 0) {
+      await sleepMs(replayDelayMs);
+      if (!feed.resolve) {
+        return;
+      }
+    }
+
+    const hydrated = await this.options.hydrator.hydrateByIds(
+      environmentId,
+      runIds,
+      feed.skipColumns
+    );
+    this.options.onHydrate?.(hydrated.length);
+
+    const rows: MatchedRow[] = [];
+    for (const row of hydrated) {
+      if (feed.filter.kind === "tag" && !this.#tagRowMatches(row, feed.filter)) {
+        continue;
+      }
+      rows.push({ row, value: serializeRunRow(row, feed.skipColumns) });
+    }
+
+    if (rows.length > 0 && feed.resolve) {
+      this.options.onReplay?.("delivered");
+      feed.resolve({ reason: "notify", rows });
+    } else {
+      this.options.onReplay?.("empty");
+    }
+  }
+
+  #indexFeed(env: EnvState, feed: Feed) {
+    switch (feed.filter.kind) {
+      case "run":
+        addToIndex(env.byRunId, feed.filter.runId, feed);
+        break;
+      case "batch":
+        addToIndex(env.byBatchId, feed.filter.batchId, feed);
+        break;
+      case "tag":
+        env.tagFeeds.add(feed);
+        if (feed.filter.tags.length === 0) {
+          env.unfilteredTagFeeds.add(feed);
+        }
+        for (const tag of feed.filter.tags) {
+          addToIndex(env.byTag, tag, feed);
+        }
+        break;
+    }
+  }
+
+  #deindexFeed(env: EnvState, feed: Feed) {
+    switch (feed.filter.kind) {
+      case "run":
+        removeFromIndex(env.byRunId, feed.filter.runId, feed);
+        break;
+      case "batch":
+        removeFromIndex(env.byBatchId, feed.filter.batchId, feed);
+        break;
+      case "tag":
+        env.tagFeeds.delete(feed);
+        env.unfilteredTagFeeds.delete(feed);
+        for (const tag of feed.filter.tags) {
+          removeFromIndex(env.byTag, tag, feed);
+        }
+        break;
+    }
+  }
+
+  async #onBatch(environmentId: string, env: EnvState, records: ChangeRecord[], attempt = 0) {
+    // 0. Read-your-writes gate: wait out the replica's apply lag before hydrating, so the
+    //    rows we read contain the changes the records announce. Retry attempts were
+    //    scheduled with their own delay, so only the first pass gates here.
+    if (attempt === 0) {
+      const delayMs = this.#gateDelayMs(records);
+      if (delayMs > 0) {
+        await sleepMs(delayMs);
+      }
+    }
+
+    // 1. Route each record to the held feeds it matches; collect matched runIds per feed.
+    const matchedRunIdsByFeed = new Map<Feed, Set<string>>();
+    const addMatch = (feed: Feed, runId: string) => {
+      if (!feed.resolve) {
+        // Feed isn't currently waiting (between polls). Drop — its backstop catches gaps.
+        return;
+      }
+      let set = matchedRunIdsByFeed.get(feed);
+      if (!set) {
+        set = new Set();
+        matchedRunIdsByFeed.set(feed, set);
+      }
+      set.add(runId);
+    };
+
+    for (const record of records) {
+      // run feeds: exact runId match.
+      const runFeeds = env.byRunId.get(record.runId);
+      if (runFeeds) {
+        for (const feed of runFeeds) addMatch(feed, record.runId);
+      }
+
+      // batch feeds: exact batchId match (only when the record carries one).
+      if (record.batchId) {
+        const batchFeeds = env.byBatchId.get(record.batchId);
+        if (batchFeeds) {
+          for (const feed of batchFeeds) addMatch(feed, record.runId);
+        }
+      }
+
+      // tag feeds.
+      if (record.tags !== undefined) {
+        // Full record: prune via the tag index; only feeds whose filter intersects match.
+        const seen = new Set<Feed>();
+        for (const tag of record.tags) {
+          const tagFeeds = env.byTag.get(tag);
+          if (!tagFeeds) continue;
+          for (const feed of tagFeeds) {
+            if (seen.has(feed)) continue;
+            seen.add(feed);
+            addMatch(feed, record.runId);
+          }
+        }
+        // Unfiltered tag feeds match every record but live outside the index.
+        for (const feed of env.unfilteredTagFeeds) addMatch(feed, record.runId);
+      } else {
+        // Partial record (no membership data): route to every tag feed as a candidate to
+        // hydrate-and-classify (rare; the publish side emits full records in practice).
+        for (const feed of env.tagFeeds) addMatch(feed, record.runId);
+      }
+    }
+
+    if (matchedRunIdsByFeed.size === 0) {
+      return;
+    }
+
+    // 2. Batch-hydrate ONCE per column set, then 3. serialize ONCE per (runId, column set).
+    const runIdsByColumnSig = new Map<string, { skipColumns: string[]; runIds: Set<string> }>();
+    for (const [feed, runIds] of matchedRunIdsByFeed) {
+      let group = runIdsByColumnSig.get(feed.columnSig);
+      if (!group) {
+        group = { skipColumns: feed.skipColumns, runIds: new Set() };
+        runIdsByColumnSig.set(feed.columnSig, group);
+      }
+      for (const id of runIds) group.runIds.add(id);
+    }
+
+    const hydratedByColumnSig = new Map<string, Map<string, MatchedRow>>();
+    await Promise.all(
+      [...runIdsByColumnSig.entries()].map(async ([columnSig, group]) => {
+        const ids = [...group.runIds];
+        const rows = await this.options.hydrator.hydrateByIds(
+          environmentId,
+          ids,
+          group.skipColumns
+        );
+        this.options.onHydrate?.(rows.length);
+        const map = new Map<string, MatchedRow>();
+        for (const row of rows) {
+          map.set(row.id, { row, value: serializeRunRow(row, group.skipColumns) });
+        }
+        hydratedByColumnSig.set(columnSig, map);
+      })
+    );
+
+    // 3.5 Stale tripwire: a watermarked record whose hydrated row is older (or missing —
+    //     the insert race) read a replica that hadn't applied the change. Withhold those
+    //     rows and re-hydrate shortly. Exhausting the retry budget delivers what we have
+    //     (liveness over freshness) — but a stale emission advances the feed's cursor, so
+    //     it ALSO schedules echo passes past the gate: re-hydrates flowing through normal
+    //     emission, where the working-set diff drops unchanged rows and emits the fresh
+    //     version once the replica catches up. The backstop stays the terminal net.
+    //     Each detection feeds the lag estimator.
+    const gate = this.options.replicaLag;
+    const isEchoPass = gate !== undefined && attempt > gate.staleRetries;
+    const staleRunIds = gate
+      ? this.#detectStaleRuns(records, runIdsByColumnSig, hydratedByColumnSig)
+      : new Set<string>();
+    if (attempt > 0 && !isEchoPass) {
+      const recovered = new Set(records.map((r) => r.runId)).size - staleRunIds.size;
+      if (recovered > 0) {
+        gate?.onStaleHydrate?.("recovered", recovered);
+      }
+    }
+    if (staleRunIds.size > 0 && gate) {
+      const staleRecords = records.filter((record) => staleRunIds.has(record.runId));
+      // Re-buffer the withheld records so a feed that re-arms between now and the next
+      // pass replays them instead of waiting for its backstop.
+      this.#bufferRecent(env, staleRecords);
+      if (attempt >= gate.staleRetries) {
+        // Budget exhausted: deliver the stale rows below (liveness) — but a stale emission
+        // advances the feed's cursor, so keep echoing re-hydrates through normal emission
+        // (the working-set diff drops unchanged rows, emits the fresh version when the
+        // replica catches up). Echoes stop once the change ages past the horizon; deeper
+        // outages are the backstop's job.
+        if (attempt === gate.staleRetries) {
+          gate.onStaleHydrate?.("gave_up", staleRunIds.size);
+        }
+        staleRunIds.clear();
+      }
+      const echoHorizonMs = gate.maxDelayMs * 10;
+      const newestWatermarkMs = Math.max(
+        ...staleRecords.map((record) => record.updatedAtMs ?? 0)
+      );
+      const withinEchoHorizon = Date.now() - newestWatermarkMs < echoHorizonMs;
+      if (attempt < gate.staleRetries || withinEchoHorizon) {
+        const retryDelayMs = Math.max(
+          25,
+          Math.min(gate.getLagMs() + gate.marginMs, gate.maxDelayMs)
+        );
+        const timer = setTimeout(() => {
+          this.#onBatch(environmentId, env, staleRecords, attempt + 1).catch((error) => {
+            logger.error("[envChangeRouter] failed to re-hydrate stale rows", {
+              environmentId,
+              error,
+            });
+          });
+        }, retryDelayMs);
+        timer.unref?.();
+      }
+    }
+
+    // 4. Assemble each feed's matched rows (post-filtering tag feeds against the
+    //    authoritative hydrated row) and resolve its pending wait.
+    for (const [feed, runIds] of matchedRunIdsByFeed) {
+      if (!feed.resolve) {
+        continue; // stopped waiting while we hydrated; its next poll/backstop covers it
+      }
+      const hydrated = hydratedByColumnSig.get(feed.columnSig);
+      if (!hydrated) continue;
+
+      const rows: MatchedRow[] = [];
+      for (const runId of runIds) {
+        if (staleRunIds.has(runId)) {
+          continue; // withheld; the scheduled re-hydrate delivers the fresh version
+        }
+        const matched = hydrated.get(runId);
+        if (!matched) continue; // run not found / left the table
+        if (feed.filter.kind === "tag" && !this.#tagRowMatches(matched.row, feed.filter)) {
+          continue; // re-confirm tags + createdAt floor against the authoritative row
+        }
+        rows.push(matched);
+      }
+
+      if (rows.length > 0) {
+        feed.resolve({ reason: "notify", rows });
+      }
+      // No surviving rows (e.g. a partial-record candidate that didn't actually match):
+      // leave the feed waiting; nothing relevant changed for it.
+    }
+  }
+
+  /** Runs whose hydrated row is provably behind its record's watermark (stale content),
+   * or absent entirely despite a watermark (the insert hasn't applied). Records without
+   * `updatedAtMs` can't be judged and always pass. */
+  #detectStaleRuns(
+    records: ChangeRecord[],
+    runIdsByColumnSig: Map<string, { skipColumns: string[]; runIds: Set<string> }>,
+    hydratedByColumnSig: Map<string, Map<string, MatchedRow>>
+  ): Set<string> {
+    const gate = this.options.replicaLag;
+    const stale = new Set<string>();
+    if (!gate) {
+      return stale;
+    }
+    const expectedByRunId = new Map<string, number>();
+    for (const record of records) {
+      if (record.updatedAtMs !== undefined) {
+        const existing = expectedByRunId.get(record.runId);
+        if (existing === undefined || record.updatedAtMs > existing) {
+          expectedByRunId.set(record.runId, record.updatedAtMs);
+        }
+      }
+    }
+    if (expectedByRunId.size === 0) {
+      return stale;
+    }
+    const now = Date.now();
+    for (const [columnSig, group] of runIdsByColumnSig) {
+      const hydrated = hydratedByColumnSig.get(columnSig);
+      for (const runId of group.runIds) {
+        const expected = expectedByRunId.get(runId);
+        if (expected === undefined || stale.has(runId)) {
+          continue;
+        }
+        const matched = hydrated?.get(runId);
+        if (!matched || matched.row.updatedAt.getTime() < expected) {
+          stale.add(runId);
+          gate.noteObservedLagMs(now - expected);
+        }
+      }
+    }
+    return stale;
+  }
+
+  /** Authoritative re-check for tag feeds: the hydrated row carries ALL the filter's tags
+   * (Electric's `runTags @> ARRAY[...]` semantics) and its createdAt is within the window. */
+  #tagRowMatches(row: RealtimeRunRow, filter: Extract<FeedFilter, { kind: "tag" }>): boolean {
+    if (filter.createdAtFloorMs !== undefined && row.createdAt.getTime() < filter.createdAtFloorMs) {
+      return false;
+    }
+    const rowTags = row.runTags ?? [];
+    return filter.tags.every((tag) => rowTags.includes(tag));
+  }
+}
diff --git a/apps/webapp/app/services/realtime/jwtAuth.server.ts b/apps/webapp/app/services/realtime/jwtAuth.server.ts
index 1bac76b8f3a..66b7ccf2258 100644
--- a/apps/webapp/app/services/realtime/jwtAuth.server.ts
+++ b/apps/webapp/app/services/realtime/jwtAuth.server.ts
@@ -1,5 +1,6 @@
 import { json } from "@remix-run/server-runtime";
-import { validateJWT } from "@trigger.dev/core/v3/jwt";
+import { validateJWT, type ValidationResult } from "@trigger.dev/core/v3/jwt";
+import { $replica } from "~/db.server";
 import { findEnvironmentById } from "~/models/runtimeEnvironment.server";
 import { AuthenticatedEnvironment } from "../apiAuth.server";
 import { logger } from "../logger.server";
@@ -34,11 +35,23 @@ export async function validatePublicJwtKey(token: string): Promise<ValidatePubli
     return { ok: false, error: "Invalid Public Access Token, environment not found." };
   }
 
-  const result = await validateJWT(
+  let result = await validateJWT(
     token,
     environment.parentEnvironment?.apiKey ?? environment.apiKey
   );
 
+  // PATs are signed with the env's apiKey at mint time. If the env's apiKey
+  // has since been rotated, signature verification fails against the current
+  // key — fall back to any RevokedApiKey rows still in their grace window.
+  // Only run this query on the failure path so the success path is unchanged.
+  if (!result.ok) {
+    result = await validateAgainstRevokedApiKeys(
+      token,
+      environment.parentEnvironment?.id ?? environment.id,
+      result
+    );
+  }
+
   if (!result.ok) {
     switch (result.code) {
       case "ERR_JWT_EXPIRED": {
@@ -71,6 +84,29 @@ export async function validatePublicJwtKey(token: string): Promise<ValidatePubli
   };
 }
 
+async function validateAgainstRevokedApiKeys(
+  token: string,
+  signingEnvironmentId: string,
+  primaryResult: ValidationResult
+): Promise<ValidationResult> {
+  const revokedApiKeys = await $replica.revokedApiKey.findMany({
+    where: {
+      runtimeEnvironmentId: signingEnvironmentId,
+      expiresAt: { gt: new Date() },
+    },
+    select: { apiKey: true },
+  });
+
+  for (const { apiKey } of revokedApiKeys) {
+    const fallbackResult = await validateJWT(token, apiKey);
+    if (fallbackResult.ok) {
+      return fallbackResult;
+    }
+  }
+
+  return primaryResult;
+}
+
 export function isPublicJWT(token: string): boolean {
   // Split the token
   const parts = token.split(".");
@@ -90,9 +126,7 @@ export function isPublicJWT(token: string): boolean {
   }
 }
 
-export function extractJwtSigningSecretKey(
-  environment: AuthenticatedEnvironment & { parentEnvironment?: { apiKey: string } }
-) {
+export function extractJwtSigningSecretKey(environment: AuthenticatedEnvironment) {
   return environment.parentEnvironment?.apiKey ?? environment.apiKey;
 }
 
diff --git a/apps/webapp/app/services/realtime/mintRunToken.server.ts b/apps/webapp/app/services/realtime/mintRunToken.server.ts
new file mode 100644
index 00000000000..2cdc4316e66
--- /dev/null
+++ b/apps/webapp/app/services/realtime/mintRunToken.server.ts
@@ -0,0 +1,41 @@
+import { generateJWT as internal_generateJWT } from "@trigger.dev/core/v3";
+import { extractJwtSigningSecretKey } from "./jwtAuth.server";
+
+type Environment = Parameters<typeof extractJwtSigningSecretKey>[0];
+
+export type MintRunTokenOptions = {
+  /** Include the input-stream write scope (needed for steering messages from the playground). */
+  includeInputStreamWrite?: boolean;
+  /** Token expiration. Defaults to "1h". */
+  expirationTime?: string;
+};
+
+/**
+ * Mint a run-scoped public access token (JWT) for browser subscription to a
+ * run's realtime streams.
+ *
+ * Used by:
+ * - The playground action to give a freshly triggered chat session a token.
+ * - The run details page to let the agent view subscribe to the chat stream
+ *   of an existing run (read-only).
+ */
+export async function mintRunToken(
+  environment: Environment,
+  runFriendlyId: string,
+  options: MintRunTokenOptions = {}
+): Promise<string> {
+  const scopes = [`read:runs:${runFriendlyId}`];
+  if (options.includeInputStreamWrite) {
+    scopes.push(`write:inputStreams:${runFriendlyId}`);
+  }
+
+  return internal_generateJWT({
+    secretKey: extractJwtSigningSecretKey(environment),
+    payload: {
+      sub: environment.id,
+      pub: true,
+      scopes,
+    },
+    expirationTime: options.expirationTime ?? "1h",
+  });
+}
diff --git a/apps/webapp/app/services/realtime/mintSessionToken.server.ts b/apps/webapp/app/services/realtime/mintSessionToken.server.ts
new file mode 100644
index 00000000000..d69b36b7710
--- /dev/null
+++ b/apps/webapp/app/services/realtime/mintSessionToken.server.ts
@@ -0,0 +1,40 @@
+import { generateJWT as internal_generateJWT } from "@trigger.dev/core/v3";
+import { extractJwtSigningSecretKey } from "./jwtAuth.server";
+
+type Environment = Parameters<typeof extractJwtSigningSecretKey>[0];
+
+export type MintSessionTokenOptions = {
+  /** Token expiration. Defaults to "1h". */
+  expirationTime?: string;
+};
+
+/**
+ * Mint a session-scoped public access token (JWT) covering both `.in`
+ * append and `.out` subscribe for a session's realtime channels.
+ *
+ * Returned by `POST /api/v1/sessions` so the browser holds a single
+ * long-lived token that survives across runs (sessions outlive any
+ * single run). Includes both read and write scopes since the transport
+ * needs both: read for SSE subscribe on `.out`, write for `.in` appends
+ * (`stop`, follow-up messages, action chunks).
+ */
+export async function mintSessionToken(
+  environment: Environment,
+  sessionAddressingKey: string,
+  options: MintSessionTokenOptions = {}
+): Promise<string> {
+  const scopes = [
+    `read:sessions:${sessionAddressingKey}`,
+    `write:sessions:${sessionAddressingKey}`,
+  ];
+
+  return internal_generateJWT({
+    secretKey: extractJwtSigningSecretKey(environment),
+    payload: {
+      sub: environment.id,
+      pub: true,
+      scopes,
+    },
+    expirationTime: options.expirationTime ?? "1h",
+  });
+}
diff --git a/apps/webapp/app/services/realtime/nativeRealtimeClient.server.ts b/apps/webapp/app/services/realtime/nativeRealtimeClient.server.ts
new file mode 100644
index 00000000000..00e50ed9fcc
--- /dev/null
+++ b/apps/webapp/app/services/realtime/nativeRealtimeClient.server.ts
@@ -0,0 +1,1046 @@
+import { json } from "@remix-run/server-runtime";
+import { safeParseNaturalLanguageDurationAgo } from "@trigger.dev/core/v3/isomorphic";
+import { randomUUID } from "node:crypto";
+import { API_VERSIONS, CURRENT_API_VERSION } from "~/api/versions";
+import {
+  type CachedLimitProvider,
+  type RealtimeEnvironment,
+  type RealtimeRequestOptions,
+  type RealtimeRunsParams,
+} from "../realtimeClient.server";
+import { logger } from "../logger.server";
+import {
+  buildElectricSchemaHeader,
+  buildRowsBody,
+  buildRowsBodyFromSerialized,
+  buildSnapshotBody,
+  buildUpdateBody,
+  buildUpToDateBody,
+  encodeOffset,
+  INITIAL_OFFSET,
+  parseOffsetUpdatedAtMs,
+  type RealtimeRunRow,
+  rewriteBodyForLegacyApiVersion,
+  RESERVED_COLUMNS,
+  type RowChange,
+  type SerializedRowChange,
+} from "./electricStreamProtocol.server";
+import { BoundedTtlCache } from "./boundedTtlCache";
+import {
+  type EnvChangeRouter,
+  type FeedFilter,
+  type MatchedRow,
+} from "./envChangeRouter.server";
+import { type RunHydrator, type RunListResolver } from "./runReader.server";
+import { type RealtimeConcurrencyLimiter } from "./realtimeConcurrencyLimiter.server";
+import { InMemoryReplayCursorStore, type ReplayCursorStore } from "./replayCursorStore.server";
+
+/** Widened with projectId so the tag-list feed can resolve ids via ClickHouse (needs org + project + env). */
+export type RealtimeListEnvironment = RealtimeEnvironment & { projectId: string };
+
+/** The realtime feeds the run routes depend on (single-run, tag-list, batch); both backends satisfy it. */
+export interface RealtimeStreamClient {
+  streamRun(
+    url: URL | string,
+    environment: RealtimeEnvironment,
+    runId: string,
+    apiVersion: API_VERSIONS,
+    requestOptions?: RealtimeRequestOptions,
+    clientVersion?: string,
+    signal?: AbortSignal
+  ): Promise<Response>;
+  streamRuns(
+    url: URL | string,
+    environment: RealtimeListEnvironment,
+    params: RealtimeRunsParams,
+    apiVersion: API_VERSIONS,
+    requestOptions?: RealtimeRequestOptions,
+    clientVersion?: string,
+    signal?: AbortSignal
+  ): Promise<Response>;
+  streamBatch(
+    url: URL | string,
+    environment: RealtimeListEnvironment,
+    batchId: string,
+    apiVersion: API_VERSIONS,
+    requestOptions?: RealtimeRequestOptions,
+    clientVersion?: string,
+    signal?: AbortSignal
+  ): Promise<Response>;
+}
+
+export type WakeupReason = "notify" | "timeout" | "abort";
+
+/** How a live poll resolved: `fast-hydrate` (router woke us, hydrate-by-id), `full-resolve`
+ * (backstop), or `cold-resolve` (fresh env subscription probed once instead of holding blind). */
+export type LivePollPath = "fast-hydrate" | "full-resolve" | "cold-resolve";
+
+export type NativeRealtimeClientOptions = {
+  runReader: RunHydrator;
+  /** Resolves the tag/list filter into the matching id-set (filter-only). */
+  runListResolver: RunListResolver;
+  /** Per-instance routing layer over the single env change channel. */
+  router: EnvChangeRouter;
+  limiter: RealtimeConcurrencyLimiter;
+  cachedLimitProvider: CachedLimitProvider;
+  /** Fallback per-env concurrent-connection limit when the org has none cached. */
+  defaultConcurrencyLimit?: number;
+  /** Backstop wait before refetching on a live request (ms). Defaults to 20000. */
+  livePollTimeoutMs?: number;
+  /** Jitter ratio applied to the live-poll timeout (0.15 = ±15%). */
+  livePollJitterRatio?: number;
+  /** Ceiling for the tag-list createdAt lookback window (ms). */
+  maximumCreatedAtFilterAgeMs: number;
+  /** Hard cap on tag-list snapshot size. Defaults to 1000. */
+  maxListResults?: number;
+  /** TTL (ms) for the multi-run resolve+hydrate coalescing cache (initial + backstop). */
+  runSetResolveCacheTtlMs?: number;
+  /** Max entries in the resolve+hydrate cache. Defaults to 5000. */
+  runSetResolveCacheMaxEntries?: number;
+  /** Max entries in the per-handle working-set cache. Defaults to 10000. */
+  listCacheMaxEntries?: number;
+  /** TTL (ms) for working-set cache entries. Defaults to 300000. */
+  workingSetCacheTtlMs?: number;
+  /** Epoch-aligned bucket (ms) the tag-list createdAt floor is floored to, so same-tag feeds share a cache entry. Defaults to 60000; 0 disables. */
+  runSetCreatedAtBucketMs?: number;
+  /** When true (default), a multi-run live poll holds until a real delta or the backstop rather than returning an empty up-to-date. */
+  holdOnEmpty?: boolean;
+  /** Max concurrent fresh ClickHouse resolves (cache misses) per instance, bounding a distinct-filter stampede. Defaults to 16; 0 disables. */
+  resolveAdmissionLimit?: number;
+  /** Per-connection replay-cursor store. Inject a fleet-shared (Redis) store so an instance
+   * hop reads the connection's true inter-poll gap instead of cold-probing; defaults to a
+   * per-instance in-memory cache. */
+  replayCursorStore?: ReplayCursorStore;
+  /** Observability hook: why a live request woke (notify vs timeout vs abort). */
+  onWakeup?: (reason: WakeupReason) => void;
+  /** Observability hook: how a live poll resolved (fast path vs full resolve). */
+  onLivePollPath?: (path: LivePollPath) => void;
+  /** Observability hook: whether a multi-run resolve hit the cache, coalesced onto an in-flight resolve, or missed. */
+  onRunSetResolve?: (result: "hit" | "miss" | "coalesced") => void;
+  /** Observability hook: latency (ms) of the ClickHouse resolve / Postgres hydrate. */
+  onRunSetQuery?: (stage: "resolve" | "hydrate", ms: number) => void;
+  /** Observability hook: a fresh resolve waited `ms` for an admission permit (only when the gate engaged). */
+  onResolveAdmissionWait?: (ms: number) => void;
+  /** Observability hook: a live emission left the server — lag is now minus the newest
+   * emitted row's updatedAt (the end-to-end delivery SLI), rowCount the delta size. */
+  onEmit?: (path: LivePollPath, lagMs: number, rowCount: number) => void;
+  /** Observability hook: a backstop resolve found missed changes (delivered) or nothing
+   * (empty). Sustained `delivered` means the notify/replay path is leaking. */
+  onBackstopResult?: (result: "delivered" | "empty") => void;
+  /** Observability hook: a poll was rejected by the per-env concurrency limiter (429). */
+  onConcurrencyRejected?: () => void;
+};
+
+const DEFAULT_CONCURRENCY_LIMIT = 100_000;
+// Matches Electric's ~20s live long-poll hold (jittered ±15% per request).
+const DEFAULT_LIVE_POLL_TIMEOUT_MS = 20_000;
+const DEFAULT_LIVE_POLL_JITTER_RATIO = 0.15;
+const DEFAULT_MAX_LIST_RESULTS = 1_000;
+const LIST_CACHE_TTL_MS = 5 * 60_000;
+const LIST_CACHE_MAX_ENTRIES = 10_000;
+const DEFAULT_RUNSET_CACHE_TTL_MS = 1_000;
+const DEFAULT_RUNSET_CACHE_MAX_ENTRIES = 5_000;
+const DEFAULT_RUNSET_CREATED_AT_BUCKET_MS = 60_000;
+const DEFAULT_RESOLVE_ADMISSION_LIMIT = 16;
+
+/** Fair FIFO semaphore bounding concurrent fresh ClickHouse resolves. Sits behind the single-flight + TTL cache, so only genuine cache-miss resolves take a permit. */
+class ResolveAdmissionGate {
+  #available: number;
+  #inUse = 0;
+  readonly #waiters: Array<() => void> = [];
+
+  constructor(limit: number) {
+    this.#available = limit;
+  }
+
+  /** Permits currently held (for a metrics gauge); never exceeds the limit. */
+  get inUse(): number {
+    return this.#inUse;
+  }
+
+  async acquire(): Promise<void> {
+    if (this.#available > 0) {
+      this.#available--;
+      this.#inUse++;
+      return;
+    }
+    await new Promise<void>((resolve) => this.#waiters.push(resolve));
+    this.#inUse++;
+  }
+
+  release(): void {
+    this.#inUse--;
+    const next = this.#waiters.shift();
+    if (next) {
+      next(); // hand the freed permit straight to the next waiter (FIFO, no count churn)
+    } else {
+      this.#available++;
+    }
+  }
+}
+
+/** A multi-run feed's filter: tag-list sets `tags` (+ pinned `createdAtAfter`); the batch feed sets `batchId`. */
+type RunSetFilter = {
+  tags?: string[];
+  batchId?: string;
+  createdAtAfter?: Date;
+};
+
+/** Per-handle working set: runId -> last-emitted updatedAt (ms), so live polls emit only rows that advanced. */
+type WorkingSet = Map<string, number>;
+
+type ResponseHeaderInput = {
+  offset: string;
+  handle: string;
+  cursor?: string;
+  schema?: string;
+};
+
+/**
+ * Native-backend implementation of the realtime run feeds. All three feeds are predicates over ONE
+ * per-environment change stream (the EnvChangeRouter), which decides membership, hydrates the matched
+ * runs, and serializes their wire values once; this client owns the snapshot, the per-handle working-set
+ * diff, the ClickHouse backstop, and the wire response (opaque `offset`/`handle`/`cursor` tokens).
+ */
+export class NativeRealtimeClient implements RealtimeStreamClient {
+  #seq = 0;
+  readonly #workingSetCache: BoundedTtlCache<WorkingSet>;
+  /** Coalescing cache for the multi-run resolve+hydrate, keyed by (env, filter, columns), so identical filters share one resolve. */
+  readonly #runSetCache: BoundedTtlCache<RealtimeRunRow[]>;
+  readonly #runSetInflight = new Map<string, Promise<RealtimeRunRow[]>>();
+  /** Bounds concurrent fresh CH resolves (undefined => unbounded). */
+  readonly #admissionGate?: ResolveAdmissionGate;
+  /** Per-connection: when this connection's last response was sent, so the router's
+   * replay covers exactly the inter-poll gap instead of rewinding a full window.
+   * Fleet-shared when a store is injected (hops stop looking like unknown gaps). */
+  readonly #replayCursors: ReplayCursorStore;
+
+  constructor(private readonly options: NativeRealtimeClientOptions) {
+    this.#workingSetCache = new BoundedTtlCache(
+      options.workingSetCacheTtlMs ?? LIST_CACHE_TTL_MS,
+      options.listCacheMaxEntries ?? LIST_CACHE_MAX_ENTRIES
+    );
+    this.#replayCursors =
+      options.replayCursorStore ??
+      new InMemoryReplayCursorStore(
+        options.workingSetCacheTtlMs ?? LIST_CACHE_TTL_MS,
+        options.listCacheMaxEntries ?? LIST_CACHE_MAX_ENTRIES
+      );
+    this.#runSetCache = new BoundedTtlCache(
+      options.runSetResolveCacheTtlMs ?? DEFAULT_RUNSET_CACHE_TTL_MS,
+      options.runSetResolveCacheMaxEntries ?? DEFAULT_RUNSET_CACHE_MAX_ENTRIES
+    );
+    const admissionLimit = options.resolveAdmissionLimit ?? DEFAULT_RESOLVE_ADMISSION_LIMIT;
+    if (admissionLimit > 0) {
+      this.#admissionGate = new ResolveAdmissionGate(admissionLimit);
+    }
+  }
+
+  /** Current size of the per-handle working-set cache (for a metrics gauge). */
+  get workingSetCacheSize(): number {
+    return this.#workingSetCache.size;
+  }
+
+  /** Fresh CH resolves currently holding an admission permit (for a metrics gauge). */
+  get resolveAdmissionInUse(): number {
+    return this.#admissionGate?.inUse ?? 0;
+  }
+
+  async streamRun(
+    url: URL | string,
+    environment: RealtimeEnvironment,
+    runId: string,
+    apiVersion: API_VERSIONS,
+    requestOptions?: RealtimeRequestOptions,
+    clientVersion?: string,
+    signal?: AbortSignal
+  ): Promise<Response> {
+    const { offset, handle, isLive, skipColumns } = this.#parseStreamRequest(url, requestOptions);
+
+    // Initial snapshot — no prior offset/handle.
+    if (offset === INITIAL_OFFSET || !handle) {
+      const row = await this.options.runReader.getRunById(environment.id, runId);
+      return this.#snapshotResponse(runId, row, skipColumns, apiVersion, clientVersion);
+    }
+
+    if (isLive) {
+      return this.#liveResponse({
+        environment,
+        runId,
+        offset,
+        handle,
+        skipColumns,
+        apiVersion,
+        clientVersion,
+        signal,
+      });
+    }
+
+    // Non-live catch-up with a handle: re-emit the current snapshot (idempotent).
+    const row = await this.options.runReader.getRunById(environment.id, runId);
+    return this.#snapshotResponse(runId, row, skipColumns, apiVersion, clientVersion, handle);
+  }
+
+  async streamRuns(
+    url: URL | string,
+    environment: RealtimeListEnvironment,
+    params: RealtimeRunsParams,
+    apiVersion: API_VERSIONS,
+    requestOptions?: RealtimeRequestOptions,
+    clientVersion?: string,
+    signal?: AbortSignal
+  ): Promise<Response> {
+    const { offset, handle, isLive, skipColumns } = this.#parseStreamRequest(url, requestOptions);
+    const tags = params.tags ?? [];
+
+    // Initial snapshot — pin the createdAt window in a fresh handle.
+    if (offset === INITIAL_OFFSET || !handle) {
+      const createdAtFilterMs = this.#computeCreatedAtFilter(params.createdAt).getTime();
+      return this.#runSetSnapshotResponse(
+        environment,
+        { tags, createdAtAfter: new Date(createdAtFilterMs) },
+        this.#mintListHandle(createdAtFilterMs),
+        skipColumns,
+        apiVersion,
+        clientVersion
+      );
+    }
+
+    // Recover the pinned window from the handle so the lower bound never drifts.
+    // Re-clamp the recovered value to the max-age floor so a stale or crafted handle
+    // can't widen the lookback past the configured ceiling.
+    const recoveredMs = this.#filterMsFromHandle(handle);
+    const filter: RunSetFilter = {
+      tags,
+      createdAtAfter: new Date(
+        recoveredMs !== undefined
+          ? this.#clampCreatedAtFloor(recoveredMs)
+          : this.#computeCreatedAtFilter(params.createdAt).getTime()
+      ),
+    };
+
+    if (isLive) {
+      return this.#runSetLiveResponse(
+        environment,
+        filter,
+        handle,
+        offset,
+        skipColumns,
+        apiVersion,
+        clientVersion,
+        signal
+      );
+    }
+
+    // Non-live catch-up under the same handle.
+    return this.#runSetSnapshotResponse(
+      environment,
+      filter,
+      handle,
+      skipColumns,
+      apiVersion,
+      clientVersion
+    );
+  }
+
+  async streamBatch(
+    url: URL | string,
+    environment: RealtimeListEnvironment,
+    batchId: string,
+    apiVersion: API_VERSIONS,
+    requestOptions?: RealtimeRequestOptions,
+    clientVersion?: string,
+    signal?: AbortSignal
+  ): Promise<Response> {
+    const { offset, handle, isLive, skipColumns } = this.#parseStreamRequest(url, requestOptions);
+
+    const filter: RunSetFilter = { batchId };
+
+    if (offset !== INITIAL_OFFSET && handle && isLive) {
+      return this.#runSetLiveResponse(
+        environment,
+        filter,
+        handle,
+        offset,
+        skipColumns,
+        apiVersion,
+        clientVersion,
+        signal
+      );
+    }
+
+    // Initial snapshot + non-live catch-up. The handle must be per-connection, never
+    // derived from the batchId: working sets are keyed by handle, and a shared handle
+    // lets one subscriber's emit permanently suppress the same row for another.
+    return this.#runSetSnapshotResponse(
+      environment,
+      filter,
+      handle ?? this.#mintBatchHandle(batchId),
+      skipColumns,
+      apiVersion,
+      clientVersion
+    );
+  }
+
+  #snapshotResponse(
+    runId: string,
+    row: Awaited<ReturnType<RunHydrator["getRunById"]>>,
+    skipColumns: string[],
+    apiVersion: API_VERSIONS,
+    clientVersion?: string,
+    existingHandle?: string
+  ): Response {
+    const body = buildSnapshotBody(row, skipColumns);
+    const offset = row ? encodeOffset(row.updatedAt.getTime(), this.#nextSeq()) : encodeOffset(0, 0);
+    return this.#buildResponse(body, apiVersion, clientVersion, {
+      offset,
+      handle: existingHandle ?? this.#mintHandle(runId),
+      schema: buildElectricSchemaHeader(skipColumns),
+    });
+  }
+
+  /** Live poll for a single-run feed: emit a full-row `update` only when the row advanced past the client's offset, else a bare `up-to-date`. */
+  async #liveResponse(params: {
+    environment: RealtimeEnvironment;
+    runId: string;
+    offset: string;
+    handle: string;
+    skipColumns: string[];
+    apiVersion: API_VERSIONS;
+    clientVersion?: string;
+    signal?: AbortSignal;
+  }): Promise<Response> {
+    const { environment, runId, offset, handle, skipColumns, apiVersion, clientVersion, signal } =
+      params;
+
+    return this.#withConcurrencySlot(environment, async () => {
+      const lastSeenMs = parseOffsetUpdatedAtMs(offset);
+      const registration = this.options.router.register(
+        environment.id,
+        { kind: "run", runId },
+        skipColumns
+      );
+      const deadline = Date.now() + this.#jitteredTimeout();
+
+      try {
+        // Cold start (fresh env subscription, e.g. an instance hop): a change in the
+        // caller's inter-poll gap may have been missed — check the row once, then hold.
+        if (!registration.gapCovered) {
+          this.options.onLivePollPath?.("cold-resolve");
+          const probed = await this.options.runReader.getRunById(environment.id, runId);
+          if (probed && probed.updatedAt.getTime() > lastSeenMs) {
+            const seq = this.#nextSeq();
+            this.options.onEmit?.("cold-resolve", Date.now() - probed.updatedAt.getTime(), 1);
+            return this.#buildResponse(
+              buildUpdateBody(probed, skipColumns),
+              apiVersion,
+              clientVersion,
+              {
+                offset: encodeOffset(probed.updatedAt.getTime(), seq),
+                handle,
+                cursor: String(seq),
+              }
+            );
+          }
+        }
+
+        while (true) {
+          const remaining = deadline - Date.now();
+          const { reason, rows } =
+            remaining > 0
+              ? await registration.waitForMatch(signal, remaining)
+              : { reason: "timeout" as const, rows: [] as MatchedRow[] };
+          this.options.onWakeup?.(reason);
+
+          if (reason === "abort") {
+            return this.#buildResponse(buildUpToDateBody(), apiVersion, clientVersion, {
+              offset,
+              handle,
+              cursor: String(this.#nextSeq()),
+            });
+          }
+
+          if (reason === "notify" && rows.length > 0) {
+            // The router hydrated + serialized this run; emit it (only on advance).
+            this.options.onLivePollPath?.("fast-hydrate");
+            const matched = rows[0];
+            const updatedAtMs = matched.row.updatedAt.getTime();
+            if (updatedAtMs > lastSeenMs) {
+              const seq = this.#nextSeq();
+              this.options.onEmit?.("fast-hydrate", Date.now() - updatedAtMs, 1);
+              return this.#buildResponse(
+                buildRowsBodyFromSerialized([
+                  { runId: matched.row.id, value: matched.value, operation: "update" },
+                ]),
+                apiVersion,
+                clientVersion,
+                { offset: encodeOffset(updatedAtMs, seq), handle, cursor: String(seq) }
+              );
+            }
+            // Already seen (e.g. a replayed record): keep holding rather than returning an
+            // empty up-to-date the client would immediately re-issue.
+            continue;
+          }
+
+          // Backstop timeout: re-check the run directly (no ClickHouse for the single-run feed).
+          this.options.onLivePollPath?.("full-resolve");
+          const row = await this.options.runReader.getRunById(environment.id, runId);
+          const seq = this.#nextSeq();
+          if (row && row.updatedAt.getTime() > lastSeenMs) {
+            this.options.onBackstopResult?.("delivered");
+            this.options.onEmit?.("full-resolve", Date.now() - row.updatedAt.getTime(), 1);
+            return this.#buildResponse(
+              buildUpdateBody(row, skipColumns),
+              apiVersion,
+              clientVersion,
+              {
+                offset: encodeOffset(row.updatedAt.getTime(), seq),
+                handle,
+                cursor: String(seq),
+              }
+            );
+          }
+          this.options.onBackstopResult?.("empty");
+          return this.#buildResponse(buildUpToDateBody(), apiVersion, clientVersion, {
+            offset,
+            handle,
+            cursor: String(seq),
+          });
+        }
+      } finally {
+        registration.close();
+      }
+    });
+  }
+
+  /** Initial (and non-live catch-up) snapshot for a multi-run feed: resolve the
+   * id-set, hydrate, emit every row as an `insert`, and seed the working set. */
+  async #runSetSnapshotResponse(
+    environment: RealtimeListEnvironment,
+    filter: RunSetFilter,
+    handle: string,
+    skipColumns: string[],
+    apiVersion: API_VERSIONS,
+    clientVersion?: string
+  ): Promise<Response> {
+    const rows = await this.#resolveAndHydrate(environment, filter, skipColumns);
+
+    const changes: RowChange[] = rows.map((row) => ({ row, operation: "insert" as const }));
+
+    // updatedAt comes from the authoritative Postgres hydrate, not ClickHouse.
+    const seen: WorkingSet = new Map();
+    let maxUpdatedAt = 0;
+    for (const row of rows) {
+      const updatedAtMs = row.updatedAt.getTime();
+      seen.set(row.id, updatedAtMs);
+      maxUpdatedAt = Math.max(maxUpdatedAt, updatedAtMs);
+    }
+    this.#workingSetCache.set(this.#workingSetKey(environment.id, handle), seen);
+    this.#replayCursors.set(this.#workingSetKey(environment.id, handle), Date.now());
+
+    return this.#buildResponse(buildRowsBody(changes, skipColumns), apiVersion, clientVersion, {
+      offset: encodeOffset(maxUpdatedAt, this.#nextSeq()),
+      handle,
+      schema: buildElectricSchemaHeader(skipColumns),
+    });
+  }
+
+  /** Live poll for a multi-run feed: fast path diffs router-notified rows against the working set; the timeout backstop does a full ClickHouse resolve. */
+  async #runSetLiveResponse(
+    environment: RealtimeListEnvironment,
+    filter: RunSetFilter,
+    handle: string,
+    offset: string,
+    skipColumns: string[],
+    apiVersion: API_VERSIONS,
+    clientVersion: string | undefined,
+    signal: AbortSignal | undefined
+  ): Promise<Response> {
+    return this.#withConcurrencySlot(environment, async () => {
+      const offsetFloorMs = parseOffsetUpdatedAtMs(offset);
+      // Total time to hold this long-poll, jittered to avoid synchronized refetch herds.
+      const deadline = Date.now() + this.#jitteredTimeout();
+      const holdOnEmpty = this.options.holdOnEmpty ?? true;
+
+      // Working set we diff against: seeded from the cache (or the offset floor on a
+      // miss) and advanced on each refetch within this held request.
+      const workingSetKey = this.#workingSetKey(environment.id, handle);
+      let prevSeen = this.#workingSetCache.get(workingSetKey);
+
+      const markPollEnd = () => this.#replayCursors.set(workingSetKey, Date.now());
+      const emitFromSerialized = (changes: SerializedRowChange[], maxUpdatedAt: number): Response => {
+        const seq = this.#nextSeq();
+        markPollEnd();
+        return this.#buildResponse(buildRowsBodyFromSerialized(changes), apiVersion, clientVersion, {
+          offset: encodeOffset(maxUpdatedAt, seq),
+          handle,
+          cursor: String(seq),
+        });
+      };
+      const emitFromRows = (changes: RowChange[], maxUpdatedAt: number): Response => {
+        const seq = this.#nextSeq();
+        markPollEnd();
+        return this.#buildResponse(buildRowsBody(changes, skipColumns), apiVersion, clientVersion, {
+          offset: encodeOffset(maxUpdatedAt, seq),
+          handle,
+          cursor: String(seq),
+        });
+      };
+      const emitUpToDate = (maxUpdatedAt: number): Response => {
+        const seq = this.#nextSeq();
+        markPollEnd();
+        return this.#buildResponse(buildUpToDateBody(), apiVersion, clientVersion, {
+          offset: encodeOffset(maxUpdatedAt, seq),
+          handle,
+          cursor: String(seq),
+        });
+      };
+
+      // When this connection last received data, so replay covers exactly its gap. A store
+      // error degrades to undefined (cold probe), never a failed poll.
+      const replaySinceMs = await this.#replayCursors.get(workingSetKey);
+      const registration = this.options.router.register(
+        environment.id,
+        this.#feedFilter(filter),
+        skipColumns,
+        { replaySinceMs }
+      );
+
+      // Cold start (fresh env subscription, e.g. an instance hop): resolve once up front
+      // instead of holding blind — a change in the caller's inter-poll gap may have been missed.
+      let coldProbe = !registration.gapCovered;
+
+      try {
+        while (true) {
+          if (coldProbe) {
+            coldProbe = false;
+            this.options.onLivePollPath?.("cold-resolve");
+            const resolved = await this.#resolveAndHydrate(environment, filter, skipColumns);
+            const { changes, maxUpdatedAt, touched } = this.#diffRows(
+              resolved,
+              prevSeen,
+              offsetFloorMs
+            );
+            this.#workingSetCache.set(workingSetKey, touched);
+            prevSeen = touched;
+            if (changes.length > 0) {
+              this.options.onEmit?.("cold-resolve", Date.now() - maxUpdatedAt, changes.length);
+              return emitFromRows(changes, maxUpdatedAt);
+            }
+            continue; // nothing was missed — hold as usual
+          }
+
+          const remaining = deadline - Date.now();
+          const { reason, rows } =
+            remaining > 0
+              ? await registration.waitForMatch(signal, remaining)
+              : { reason: "timeout" as const, rows: [] as MatchedRow[] };
+          this.options.onWakeup?.(reason);
+
+          if (reason === "abort") {
+            return emitUpToDate(offsetFloorMs);
+          }
+
+          // FAST PATH: the router already confirmed membership + the createdAt window and
+          // hydrated/serialized the matched runs. Just diff against the working set.
+          if (reason === "notify") {
+            this.options.onLivePollPath?.("fast-hydrate");
+            const { changes, maxUpdatedAt, touched } = this.#diffMatched(
+              rows,
+              prevSeen,
+              offsetFloorMs
+            );
+            // Merge (not replace): the router only surfaced the changed subset, so keep the
+            // rest of the working set intact. The backstop full-resolve rebuilds it.
+            const merged = this.#mergeWorkingSet(prevSeen, touched);
+            this.#workingSetCache.set(workingSetKey, merged);
+            prevSeen = merged;
+
+            if (changes.length > 0) {
+              this.options.onEmit?.("fast-hydrate", Date.now() - maxUpdatedAt, changes.length);
+              return emitFromSerialized(changes, maxUpdatedAt);
+            }
+            // Matched but no row advanced (already seen). Keep holding.
+            if (holdOnEmpty) {
+              continue;
+            }
+            return emitUpToDate(maxUpdatedAt);
+          }
+
+          // BACKSTOP: full ClickHouse resolve + hydrate. Replaces the working set so runs
+          // that left the filter stop being tracked (the client keeps showing them).
+          this.options.onLivePollPath?.("full-resolve");
+          const resolved = await this.#resolveAndHydrate(environment, filter, skipColumns);
+          const { changes, maxUpdatedAt, touched } = this.#diffRows(
+            resolved,
+            prevSeen,
+            offsetFloorMs
+          );
+          this.#workingSetCache.set(workingSetKey, touched);
+          prevSeen = touched;
+
+          if (changes.length > 0) {
+            this.options.onBackstopResult?.("delivered");
+            this.options.onEmit?.("full-resolve", Date.now() - maxUpdatedAt, changes.length);
+            return emitFromRows(changes, maxUpdatedAt);
+          }
+          // Empty backstop diff: timeout returns up-to-date; (holdOnEmpty never reaches
+          // here on a notify — those are handled in the fast path above).
+          this.options.onBackstopResult?.("empty");
+          return emitUpToDate(maxUpdatedAt);
+        }
+      } finally {
+        registration.close();
+      }
+    });
+  }
+
+  /** Translate a multi-run filter into the router's membership predicate. */
+  #feedFilter(filter: RunSetFilter): FeedFilter {
+    if (filter.batchId !== undefined) {
+      return { kind: "batch", batchId: filter.batchId };
+    }
+    return {
+      kind: "tag",
+      tags: filter.tags ?? [],
+      createdAtFloorMs: filter.createdAtAfter?.getTime(),
+    };
+  }
+
+  /** Diff router-matched rows (already serialized) against the prior working set, pairing
+   * each row's shared `value` with this feed's operation. */
+  #diffMatched(
+    matched: MatchedRow[],
+    prevSeen: WorkingSet | undefined,
+    offsetFloorMs: number
+  ): { changes: SerializedRowChange[]; maxUpdatedAt: number; touched: WorkingSet } {
+    const changes: SerializedRowChange[] = [];
+    const touched: WorkingSet = new Map();
+    let maxUpdatedAt = offsetFloorMs;
+    for (const { row, value } of matched) {
+      const updatedAtMs = row.updatedAt.getTime();
+      touched.set(row.id, updatedAtMs);
+      maxUpdatedAt = Math.max(maxUpdatedAt, updatedAtMs);
+
+      if (prevSeen) {
+        const prior = prevSeen.get(row.id);
+        if (prior === undefined) {
+          changes.push({ runId: row.id, value, operation: "insert" });
+        } else if (updatedAtMs > prior) {
+          changes.push({ runId: row.id, value, operation: "update" });
+        }
+      } else if (updatedAtMs > offsetFloorMs) {
+        changes.push({ runId: row.id, value, operation: "update" });
+      }
+    }
+    return { changes, maxUpdatedAt, touched };
+  }
+
+  /** Diff hydrated rows against the prior working set on Postgres `updatedAt`: not-in-set is `insert`, advanced is `update`. */
+  #diffRows(
+    rows: RealtimeRunRow[],
+    prevSeen: WorkingSet | undefined,
+    offsetFloorMs: number
+  ): { changes: RowChange[]; maxUpdatedAt: number; touched: WorkingSet } {
+    const changes: RowChange[] = [];
+    const touched: WorkingSet = new Map();
+    let maxUpdatedAt = offsetFloorMs;
+    for (const row of rows) {
+      const updatedAtMs = row.updatedAt.getTime();
+      touched.set(row.id, updatedAtMs);
+      maxUpdatedAt = Math.max(maxUpdatedAt, updatedAtMs);
+
+      if (prevSeen) {
+        const prior = prevSeen.get(row.id);
+        if (prior === undefined) {
+          changes.push({ row, operation: "insert" });
+        } else if (updatedAtMs > prior) {
+          changes.push({ row, operation: "update" });
+        }
+      } else if (updatedAtMs > offsetFloorMs) {
+        changes.push({ row, operation: "update" });
+      }
+    }
+    return { changes, maxUpdatedAt, touched };
+  }
+
+  /** Merge fast-path touched rows into the prior working set. The fast path only saw the
+   * changed subset, so we keep the rest (the backstop full-resolve does the exact rebuild). */
+  #mergeWorkingSet(prevSeen: WorkingSet | undefined, touched: WorkingSet): WorkingSet {
+    const merged: WorkingSet = new Map(prevSeen ?? undefined);
+    for (const [id, updatedAtMs] of touched) {
+      merged.set(id, updatedAtMs);
+    }
+    return merged;
+  }
+
+  /** Resolve the filter's id-set (ClickHouse) and hydrate (Postgres), coalesced + short-TTL cached so identical filters share one resolve+hydrate. */
+  async #resolveAndHydrate(
+    environment: RealtimeListEnvironment,
+    filter: RunSetFilter,
+    skipColumns: string[]
+  ): Promise<RealtimeRunRow[]> {
+    const key = this.#runSetCacheKey(environment.id, filter, skipColumns);
+
+    const cached = this.#runSetCache.get(key);
+    if (cached) {
+      this.options.onRunSetResolve?.("hit");
+      return cached;
+    }
+
+    const existing = this.#runSetInflight.get(key);
+    if (existing) {
+      this.options.onRunSetResolve?.("coalesced");
+      return existing;
+    }
+
+    this.options.onRunSetResolve?.("miss");
+    // Registered in #runSetInflight synchronously below, so same-filter callers that arrive
+    // while this is still waiting for an admission permit coalesce onto it (one permit, not N).
+    const promise = this.#admitAndResolveUncached(environment, filter, skipColumns)
+      .then((rows) => {
+        this.#runSetCache.set(key, rows);
+        return rows;
+      })
+      .finally(() => {
+        this.#runSetInflight.delete(key);
+      });
+
+    this.#runSetInflight.set(key, promise);
+    return promise;
+  }
+
+  /** Acquire an admission permit (if the gate is enabled) before the fresh CH+PG resolve, so
+   * a distinct-filter stampede is throttled to the configured concurrency. */
+  async #admitAndResolveUncached(
+    environment: RealtimeListEnvironment,
+    filter: RunSetFilter,
+    skipColumns: string[]
+  ): Promise<RealtimeRunRow[]> {
+    if (!this.#admissionGate) {
+      return this.#resolveAndHydrateUncached(environment, filter, skipColumns);
+    }
+    const waitStart = Date.now();
+    await this.#admissionGate.acquire();
+    const waited = Date.now() - waitStart;
+    if (waited > 0) {
+      this.options.onResolveAdmissionWait?.(waited);
+    }
+    try {
+      return await this.#resolveAndHydrateUncached(environment, filter, skipColumns);
+    } finally {
+      this.#admissionGate.release();
+    }
+  }
+
+  async #resolveAndHydrateUncached(
+    environment: RealtimeListEnvironment,
+    filter: RunSetFilter,
+    skipColumns: string[]
+  ): Promise<RealtimeRunRow[]> {
+    const resolveStart = Date.now();
+    const ids = await this.#resolveIds(environment, filter);
+    this.options.onRunSetQuery?.("resolve", Date.now() - resolveStart);
+
+    const hydrateStart = Date.now();
+    const rows = await this.options.runReader.hydrateByIds(environment.id, ids, skipColumns);
+    this.options.onRunSetQuery?.("hydrate", Date.now() - hydrateStart);
+
+    return rows;
+  }
+
+  /** Stable cache key for the resolve+hydrate cache. Same key => same id-set and the
+   * same projected columns, so cached rows always match the requesting feed. */
+  #runSetCacheKey(environmentId: string, filter: RunSetFilter, skipColumns: string[]): string {
+    // JSON-encode the arrays (not a join) so a tag containing the separator can't collide with a different filter.
+    const tags = filter.tags && filter.tags.length > 0 ? JSON.stringify([...filter.tags].sort()) : "";
+    const cols = skipColumns.length > 0 ? JSON.stringify([...skipColumns].sort()) : "";
+    const maxListResults = this.options.maxListResults ?? DEFAULT_MAX_LIST_RESULTS;
+    return `${environmentId}|${tags}|${filter.batchId ?? ""}|${
+      filter.createdAtAfter?.getTime() ?? ""
+    }|${maxListResults}|${cols}`;
+  }
+
+  async #resolveIds(environment: RealtimeListEnvironment, filter: RunSetFilter): Promise<string[]> {
+    const maxListResults = this.options.maxListResults ?? DEFAULT_MAX_LIST_RESULTS;
+    const ids = await this.options.runListResolver.resolveMatchingRunIds({
+      organizationId: environment.organizationId,
+      projectId: environment.projectId,
+      environmentId: environment.id,
+      tags: filter.tags,
+      batchId: filter.batchId,
+      createdAtAfter: filter.createdAtAfter,
+      limit: maxListResults,
+    });
+
+    if (ids.length >= maxListResults) {
+      logger.warn("[nativeRealtimeClient] run-set feed hit the result cap", {
+        environmentId: environment.id,
+        filter,
+        cap: maxListResults,
+      });
+    }
+
+    return ids;
+  }
+
+  #computeCreatedAtFilter(createdAt: string | undefined): Date {
+    // Clamp to the maximum lookback window, mirroring realtimeClient.
+    const floor = new Date(Date.now() - this.options.maximumCreatedAtFilterAgeMs);
+    const parsed = safeParseNaturalLanguageDurationAgo(createdAt ?? "24h");
+    const resolved = !parsed || parsed < floor ? floor : parsed;
+    // Bucket the lower bound so same-tag feeds share a cache key; floored, so the window only ever widens by < bucket.
+    return new Date(this.#bucketCreatedAtMs(resolved.getTime()));
+  }
+
+  #bucketCreatedAtMs(ms: number): number {
+    const bucket = this.options.runSetCreatedAtBucketMs ?? DEFAULT_RUNSET_CREATED_AT_BUCKET_MS;
+    return bucket > 0 ? Math.floor(ms / bucket) * bucket : ms;
+  }
+
+  /** Clamp a handle-recovered createdAt lower bound up to the max-age floor (so a
+   * stale or crafted handle can't widen the window past the ceiling), then re-bucket. */
+  #clampCreatedAtFloor(ms: number): number {
+    const floorMs = Date.now() - this.options.maximumCreatedAtFilterAgeMs;
+    return this.#bucketCreatedAtMs(Math.max(ms, floorMs));
+  }
+
+  #mintListHandle(createdAtFilterMs: number): string {
+    // Pins the createdAt threshold in the opaque handle so live polls reuse the
+    // same lower bound even on a working-set cache miss.
+    return `runs_${Math.trunc(createdAtFilterMs)}_${this.#mintUniqueSuffix()}`;
+  }
+
+  #mintBatchHandle(batchId: string): string {
+    return `batch_${batchId}_${this.#mintUniqueSuffix()}`;
+  }
+
+  #mintUniqueSuffix(): string {
+    // The seq alone isn't unique across instances/restarts; behind a non-sticky ALB a
+    // collision would land two connections on one working-set cache entry.
+    return `${this.#nextSeq()}_${randomUUID().slice(0, 8)}`;
+  }
+
+  #workingSetKey(environmentId: string, handle: string): string {
+    // The handle is client-echoed; env-prefix the key so a foreign handle can never
+    // read or overwrite another tenant's working set.
+    return `${environmentId}:${handle}`;
+  }
+
+  #filterMsFromHandle(handle: string): number | undefined {
+    const parts = handle.split("_");
+    if (parts[0] !== "runs") {
+      return undefined;
+    }
+    const ms = Number(parts[1]);
+    return Number.isFinite(ms) && ms > 0 ? ms : undefined;
+  }
+
+  #parseStreamRequest(
+    url: URL | string,
+    requestOptions?: RealtimeRequestOptions
+  ): { offset: string; handle: string | null; isLive: boolean; skipColumns: string[] } {
+    const $url = new URL(url.toString());
+    return {
+      offset: $url.searchParams.get("offset") ?? INITIAL_OFFSET,
+      handle: $url.searchParams.get("handle") ?? $url.searchParams.get("shape_id"),
+      isLive: $url.searchParams.get("live") === "true",
+      skipColumns: this.#resolveSkipColumns($url, requestOptions),
+    };
+  }
+
+  /** Runs `work` inside a per-env concurrency slot (429 if over the org limit, 500 if the limit can't be read), always releasing it after. */
+  async #withConcurrencySlot(
+    environment: RealtimeEnvironment,
+    work: () => Promise<Response>
+  ): Promise<Response> {
+    const requestId = randomUUID();
+    const concurrencyLimit = await this.options.cachedLimitProvider.getCachedLimit(
+      environment.organizationId,
+      this.options.defaultConcurrencyLimit ?? DEFAULT_CONCURRENCY_LIMIT
+    );
+
+    if (concurrencyLimit == null) {
+      logger.error("[nativeRealtimeClient] Failed to get concurrency limit", {
+        organizationId: environment.organizationId,
+      });
+      return json({ error: "Failed to get concurrency limit" }, { status: 500 });
+    }
+
+    const canProceed = await this.options.limiter.incrementAndCheck(
+      environment.id,
+      requestId,
+      concurrencyLimit
+    );
+
+    if (!canProceed) {
+      this.options.onConcurrencyRejected?.();
+      return json({ error: "Too many concurrent requests" }, { status: 429 });
+    }
+
+    try {
+      return await work();
+    } finally {
+      await this.options.limiter.decrement(environment.id, requestId);
+    }
+  }
+
+  #jitteredTimeout(): number {
+    const base = this.options.livePollTimeoutMs ?? DEFAULT_LIVE_POLL_TIMEOUT_MS;
+    // Jittered to avoid synchronized refetch herds.
+    const ratio = this.options.livePollJitterRatio ?? DEFAULT_LIVE_POLL_JITTER_RATIO;
+    return Math.round(base * (1 - ratio + Math.random() * 2 * ratio));
+  }
+
+  #buildResponse(
+    body: string,
+    apiVersion: API_VERSIONS,
+    clientVersion: string | undefined,
+    headers: ResponseHeaderInput
+  ): Response {
+    const finalBody =
+      apiVersion === CURRENT_API_VERSION ? body : rewriteBodyForLegacyApiVersion(body);
+
+    const responseHeaders = new Headers();
+    responseHeaders.set("content-type", "application/json");
+    responseHeaders.set("cache-control", "no-store");
+
+    // Expose the electric-* headers cross-origin or the deployed react-hooks fail with MissingHeadersError (bearer requests are non-credentialed, so wildcard is safe).
+    responseHeaders.set("access-control-allow-origin", "*");
+    responseHeaders.set("access-control-expose-headers", "*");
+
+    // Modern clients send `x-trigger-electric-version` and read `electric-offset`/`electric-handle`; legacy clients omit it and read the shape-id/chunk-last-offset names.
+    if (clientVersion) {
+      responseHeaders.set("electric-offset", headers.offset);
+      responseHeaders.set("electric-handle", headers.handle);
+    } else {
+      responseHeaders.set("electric-chunk-last-offset", headers.offset);
+      responseHeaders.set("electric-shape-id", headers.handle);
+    }
+
+    if (headers.cursor !== undefined) {
+      responseHeaders.set("electric-cursor", headers.cursor);
+    }
+    if (headers.schema !== undefined) {
+      responseHeaders.set("electric-schema", headers.schema);
+    }
+
+    return new Response(finalBody, { status: 200, headers: responseHeaders });
+  }
+
+  #mintHandle(runId: string): string {
+    // Stable per-run handle: the single-run shape never changes columns, so the
+    // client never needs a must-refetch from a handle change.
+    return `run-${runId}`;
+  }
+
+  #nextSeq(): number {
+    this.#seq = (this.#seq + 1) % Number.MAX_SAFE_INTEGER;
+    return this.#seq;
+  }
+
+  #resolveSkipColumns(url: URL, requestOptions?: RealtimeRequestOptions): string[] {
+    const raw = requestOptions?.skipColumns ?? url.searchParams.get("skipColumns")?.split(",") ?? [];
+    return raw.map((c) => c.trim()).filter((c) => c !== "" && !RESERVED_COLUMNS.includes(c));
+  }
+}
diff --git a/apps/webapp/app/services/realtime/nativeRealtimeClientInstance.server.ts b/apps/webapp/app/services/realtime/nativeRealtimeClientInstance.server.ts
new file mode 100644
index 00000000000..012c28c08fc
--- /dev/null
+++ b/apps/webapp/app/services/realtime/nativeRealtimeClientInstance.server.ts
@@ -0,0 +1,270 @@
+import { getMeter } from "@internal/tracing";
+import { $replica } from "~/db.server";
+import { env } from "~/env.server";
+import { singleton } from "~/utils/singleton";
+import { getCachedLimit } from "../platform.v3.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
+import { ClickHouseRunListResolver } from "./clickHouseRunListResolver.server";
+import { EnvChangeRouter, type EnvChangeSource } from "./envChangeRouter.server";
+import { NativeRealtimeClient } from "./nativeRealtimeClient.server";
+import { RealtimeConcurrencyLimiter } from "./realtimeConcurrencyLimiter.server";
+import { getRunChangeNotifier } from "./runChangeNotifierInstance.server";
+import { RedisReplayCursorStore } from "./replayCursorStore.server";
+import { createPostgresReplicaLagSource, ReplicaLagEstimator } from "./replicaLagEstimator.server";
+import { RunHydrator } from "./runReader.server";
+
+// Process-singleton wiring for the native realtime client; only constructed when a
+// request actually routes to it, so a disabled webapp never instantiates it.
+function initializeNativeRealtimeClient(): NativeRealtimeClient {
+  const meter = getMeter("realtime-native");
+
+  const wakeups = meter.createCounter("realtime_native.wakeups", {
+    description:
+      "Live realtime wakeups by reason. A rising 'timeout' share suggests a write site is missing its publishChangeRecord delegate.",
+  });
+
+  const runSetResolves = meter.createCounter("realtime_native.runset_resolves", {
+    description:
+      "Multi-run (tag-list/batch) resolve+hydrate outcomes. 'hit'/'coalesced' vs 'miss' shows how effectively concurrent same-filter feeds share a single ClickHouse + Postgres query.",
+  });
+
+  const runSetQueryMs = meter.createHistogram("realtime_native.runset_query_ms", {
+    description: "Latency of the multi-run resolve (ClickHouse) and hydrate (Postgres) stages.",
+    unit: "ms",
+  });
+
+  const livePollPaths = meter.createCounter("realtime_native.live_polls", {
+    description:
+      "How live polls resolved. 'fast-hydrate' = router wake with rows hydrated by id (no ClickHouse); 'full-resolve' = backstop; 'cold-resolve' = fresh env subscription probed once.",
+  });
+
+  const routerHydrates = meter.createCounter("realtime_native.router_hydrated_runs", {
+    description:
+      "Runs hydrated by the EnvChangeRouter's batch-hydrate (one query per column set per wake, shared across all feeds matching the same run).",
+  });
+
+  const resolveAdmissionWaits = meter.createCounter("realtime_native.resolve_admission_waits", {
+    description:
+      "Fresh ClickHouse resolves that had to queue for an admission permit. A rising count means a distinct-filter reconnect stampede is being throttled (the gate is doing its job).",
+  });
+
+  const replays = meter.createCounter("realtime_native.replays", {
+    description:
+      "Buffered change records replayed to a newly-armed feed (inter-poll gap recovery). 'delivered' = rows reached the feed; 'empty' = candidates hydrated but none survived the filter/diff.",
+  });
+
+  const replayEvictions = meter.createCounter("realtime_native.replay_evictions", {
+    description:
+      "Replay-buffer evictions. 'window' expiry is normal; 'cap' means an env churns more runs inside the window than the buffer holds (replay guarantee degrading — retune the knobs).",
+  });
+
+  const deliveryLagMs = meter.createHistogram("realtime_native.delivery_lag_ms", {
+    description:
+      "Live emissions: now minus the newest emitted row's updatedAt (PG clock vs app clock, so approximate). The end-to-end delivery SLI — a p99 near the backstop hold means wakes are being missed.",
+    unit: "ms",
+  });
+
+  const emittedRows = meter.createHistogram("realtime_native.emitted_rows", {
+    description:
+      "Rows per live emission. Deltas should be small; a fat tail means working-set/offset-floor fallbacks are re-emitting full sets.",
+    unit: "rows",
+  });
+
+  const backstops = meter.createCounter("realtime_native.backstops", {
+    description:
+      "Backstop full resolves by outcome. 'empty' is normal idle behavior; sustained 'delivered' means the notify/replay path missed changes — alert on it.",
+  });
+
+  const concurrencyRejections = meter.createCounter("realtime_native.concurrency_rejections", {
+    description: "Polls rejected (429) by the per-env concurrency limiter.",
+  });
+
+  const replayCursorOps = meter.createCounter("realtime_native.replay_cursor_ops", {
+    description:
+      "Shared replay-cursor store operations by outcome. Errors degrade hops to cold resolves (watch live_polls{path='cold-resolve'} rise with them), never failed polls.",
+  });
+
+  const staleHydrates = meter.createCounter("realtime_native.stale_hydrates", {
+    description:
+      "Wake hydrates the read-your-writes tripwire caught reading behind the publish. 'recovered' = a retry delivered the fresh row; sustained 'gave_up' means replica lag is outrunning the retry budget.",
+  });
+
+  const limiter = new RealtimeConcurrencyLimiter({
+    keyPrefix: "tr:realtime:native:concurrency",
+    redis: {
+      port: env.RATE_LIMIT_REDIS_PORT,
+      host: env.RATE_LIMIT_REDIS_HOST,
+      username: env.RATE_LIMIT_REDIS_USERNAME,
+      password: env.RATE_LIMIT_REDIS_PASSWORD,
+      tlsDisabled: env.RATE_LIMIT_REDIS_TLS_DISABLED === "true",
+      clusterMode: env.RATE_LIMIT_REDIS_CLUSTER_MODE_ENABLED === "1",
+    },
+  });
+
+  // Fleet-shared replay cursors (one timestamp per connection) on the same Redis as the
+  // change channel, so a load-balancer hop reads the connection's true inter-poll gap.
+  const replayCursorStore =
+    env.REALTIME_BACKEND_NATIVE_SHARED_REPLAY_CURSORS === "1"
+      ? new RedisReplayCursorStore({
+          redis: {
+            host: env.REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_HOST,
+            port: env.REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_PORT,
+            username: env.REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_USERNAME,
+            password: env.REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_PASSWORD,
+            tlsDisabled: env.REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_TLS_DISABLED === "true",
+            clusterMode: env.REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_CLUSTER_MODE_ENABLED === "1",
+          },
+          ttlMs: env.REALTIME_BACKEND_NATIVE_WORKING_SET_TTL_MS,
+          onResult: (op, ok) => replayCursorOps.add(1, { op, result: ok ? "ok" : "error" }),
+        })
+      : undefined;
+
+  // One RunHydrator shared by the router and the client, so its single-flight + short-TTL cache covers both.
+  const runReader = new RunHydrator({
+    replica: $replica,
+    cacheTtlMs: env.REALTIME_BACKEND_NATIVE_RUN_CACHE_TTL_MS,
+    maxCacheEntries: env.REALTIME_BACKEND_NATIVE_RUN_CACHE_MAX_ENTRIES,
+  });
+
+  // Read-your-writes gate: the estimator samples replica lag (reader-side only, paused
+  // when idle) and the router delays wake hydrates by it, anchored to each record's
+  // updatedAtMs — so a publish racing the replica's apply is waited out, not read stale.
+  const lagEstimator =
+    env.REALTIME_BACKEND_NATIVE_REPLICA_LAG_GATE_ENABLED === "1"
+      ? new ReplicaLagEstimator({
+          source: createPostgresReplicaLagSource($replica),
+          sampleIntervalMs: env.REALTIME_BACKEND_NATIVE_REPLICA_LAG_SAMPLE_INTERVAL_MS,
+          idleAfterMs: env.REALTIME_BACKEND_NATIVE_REPLICA_LAG_IDLE_AFTER_MS,
+          windowMs: env.REALTIME_BACKEND_NATIVE_REPLICA_LAG_WINDOW_MS,
+          defaultLagMs: env.REALTIME_BACKEND_NATIVE_REPLICA_LAG_DEFAULT_MS,
+          observedFloorTtlMs: env.REALTIME_BACKEND_NATIVE_REPLICA_LAG_OBSERVED_FLOOR_TTL_MS,
+        })
+      : undefined;
+
+  // The notifier wrapped so router activity keeps the lag sampler warm.
+  const notifier = getRunChangeNotifier();
+  const source: EnvChangeSource = lagEstimator
+    ? {
+        subscribeToEnv(environmentId, onBatch) {
+          lagEstimator.touch();
+          return notifier.subscribeToEnv(environmentId, (records) => {
+            lagEstimator.touch();
+            onBatch(records);
+          });
+        },
+      }
+    : notifier;
+
+  const router = new EnvChangeRouter({
+    source,
+    hydrator: runReader,
+    onHydrate: (runCount) => routerHydrates.add(runCount),
+    replayWindowMs: env.REALTIME_BACKEND_NATIVE_REPLAY_WINDOW_MS,
+    replayMaxRunsPerEnv: env.REALTIME_BACKEND_NATIVE_REPLAY_MAX_RUNS,
+    unsubscribeLingerMs: env.REALTIME_BACKEND_NATIVE_UNSUBSCRIBE_LINGER_MS,
+    onReplay: (result) => replays.add(1, { result }),
+    onReplayEviction: (reason) => replayEvictions.add(1, { reason }),
+    replicaLag: lagEstimator
+      ? {
+          getLagMs: () => lagEstimator.getLagMs(),
+          noteObservedLagMs: (lagMs) => lagEstimator.noteObservedLagMs(lagMs),
+          marginMs: env.REALTIME_BACKEND_NATIVE_REPLICA_LAG_MARGIN_MS,
+          maxDelayMs: env.REALTIME_BACKEND_NATIVE_REPLICA_LAG_MAX_DELAY_MS,
+          staleRetries: env.REALTIME_BACKEND_NATIVE_STALE_HYDRATE_RETRIES,
+          onStaleHydrate: (outcome, runCount) => staleHydrates.add(runCount, { outcome }),
+        }
+      : undefined,
+  });
+
+  const client = new NativeRealtimeClient({
+    runReader,
+    runListResolver: new ClickHouseRunListResolver({
+      getClickhouse: (organizationId) =>
+        clickhouseFactory.getClickhouseForOrganization(organizationId, "realtime"),
+      prisma: $replica,
+    }),
+    router,
+    limiter,
+    cachedLimitProvider: {
+      async getCachedLimit(organizationId, defaultValue) {
+        const result = await getCachedLimit(
+          organizationId,
+          "realtimeConcurrentConnections",
+          defaultValue
+        );
+        return result.val;
+      },
+    },
+    defaultConcurrencyLimit: env.REALTIME_BACKEND_NATIVE_DEFAULT_CONCURRENCY_LIMIT,
+    livePollTimeoutMs: env.REALTIME_BACKEND_NATIVE_LIVE_POLL_TIMEOUT_MS,
+    livePollJitterRatio: env.REALTIME_BACKEND_NATIVE_LIVE_POLL_JITTER_RATIO,
+    maximumCreatedAtFilterAgeMs: env.REALTIME_MAXIMUM_CREATED_AT_FILTER_AGE_IN_MS,
+    maxListResults: env.REALTIME_BACKEND_NATIVE_MAX_LIST_RESULTS,
+    runSetResolveCacheTtlMs: env.REALTIME_BACKEND_NATIVE_RUNSET_CACHE_TTL_MS,
+    runSetResolveCacheMaxEntries: env.REALTIME_BACKEND_NATIVE_RUNSET_CACHE_MAX_ENTRIES,
+    listCacheMaxEntries: env.REALTIME_BACKEND_NATIVE_WORKING_SET_MAX_ENTRIES,
+    workingSetCacheTtlMs: env.REALTIME_BACKEND_NATIVE_WORKING_SET_TTL_MS,
+    runSetCreatedAtBucketMs: env.REALTIME_BACKEND_NATIVE_RUNSET_CREATED_AT_BUCKET_MS,
+    holdOnEmpty: env.REALTIME_BACKEND_NATIVE_HOLD_ON_EMPTY === "1",
+    resolveAdmissionLimit: env.REALTIME_BACKEND_NATIVE_RESOLVE_ADMISSION_LIMIT,
+    replayCursorStore,
+    onWakeup: (reason) => wakeups.add(1, { reason }),
+    onLivePollPath: (path) => livePollPaths.add(1, { path }),
+    onRunSetResolve: (result) => runSetResolves.add(1, { result }),
+    onRunSetQuery: (stage, ms) => runSetQueryMs.record(ms, { stage }),
+    onResolveAdmissionWait: () => resolveAdmissionWaits.add(1),
+    onEmit: (path, lagMs, rowCount) => {
+      deliveryLagMs.record(Math.max(lagMs, 0), { path });
+      emittedRows.record(rowCount);
+    },
+    onBackstopResult: (result) => backstops.add(1, { result }),
+    onConcurrencyRejected: () => concurrencyRejections.add(1),
+  });
+
+  meter
+    .createObservableGauge("realtime_native.working_set_size", {
+      description:
+        "Entries in the per-handle working-set cache (one per active multi-run feed session).",
+    })
+    .addCallback((result) => result.observe(client.workingSetCacheSize));
+
+  meter
+    .createObservableGauge("realtime_native.resolve_admission_in_use", {
+      description:
+        "Fresh ClickHouse resolves currently holding an admission permit (live concurrency against the gate's limit).",
+    })
+    .addCallback((result) => result.observe(client.resolveAdmissionInUse));
+
+  meter
+    .createObservableGauge("realtime_native.held_feeds", {
+      description: "Long-polls currently held, by feed kind — the system's capacity unit.",
+    })
+    .addCallback((result) => {
+      const counts = router.heldFeedCounts;
+      result.observe(counts.run, { kind: "run" });
+      result.observe(counts.tag, { kind: "tag" });
+      result.observe(counts.batch, { kind: "batch" });
+    });
+
+  meter
+    .createObservableGauge("realtime_native.active_envs", {
+      description:
+        "Environments currently routed on this instance (held feeds + lingering subscriptions).",
+    })
+    .addCallback((result) => result.observe(router.activeEnvCount));
+
+  if (lagEstimator) {
+    meter
+      .createObservableGauge("realtime_native.replica_lag_estimate_ms", {
+        description:
+          "The read-your-writes gate's current replica-lag estimate (max sample in the window). Wake hydrates are delayed by roughly this much past each change's commit.",
+      })
+      .addCallback((result) => result.observe(lagEstimator.getLagMs()));
+  }
+
+  return client;
+}
+
+export function getNativeRealtimeClient(): NativeRealtimeClient {
+  return singleton("nativeRealtimeClient", initializeNativeRealtimeClient);
+}
diff --git a/apps/webapp/app/services/realtime/realtimeConcurrencyLimiter.server.ts b/apps/webapp/app/services/realtime/realtimeConcurrencyLimiter.server.ts
new file mode 100644
index 00000000000..1b6fdb3b0b4
--- /dev/null
+++ b/apps/webapp/app/services/realtime/realtimeConcurrencyLimiter.server.ts
@@ -0,0 +1,107 @@
+import { Callback, Result } from "ioredis";
+import { createRedisClient, RedisClient, RedisWithClusterOptions } from "~/redis.server";
+import { logger } from "../logger.server";
+
+export type RealtimeConcurrencyLimiterOptions = {
+  redis: RedisWithClusterOptions;
+  keyPrefix: string;
+  /** How long a tracked request lives before it's swept as stale (seconds). */
+  expiryTimeInSeconds?: number;
+  connectionName?: string;
+};
+
+/**
+ * Per-environment concurrent-connection limiter for realtime long-polls; a standalone copy of the limiter in
+ * `realtimeClient.server.ts` (identical Lua + key shape, different key prefix) so the native backend tracks independently.
+ */
+export class RealtimeConcurrencyLimiter {
+  private redis: RedisClient;
+  private expiryTimeInSeconds: number;
+
+  constructor(private options: RealtimeConcurrencyLimiterOptions) {
+    this.redis = createRedisClient(
+      options.connectionName ?? "trigger:realtime:native:concurrency",
+      options.redis
+    );
+    this.expiryTimeInSeconds = options.expiryTimeInSeconds ?? 60 * 5;
+    this.#registerCommands();
+  }
+
+  async incrementAndCheck(environmentId: string, requestId: string, limit: number): Promise<boolean> {
+    const key = this.#getKey(environmentId);
+    const now = Date.now();
+
+    const result = await this.redis.incrementAndCheckRealtimeNativeConcurrency(
+      key,
+      now.toString(),
+      requestId,
+      this.expiryTimeInSeconds.toString(),
+      (now - this.expiryTimeInSeconds * 1000).toString(),
+      limit.toString()
+    );
+
+    return result === 1;
+  }
+
+  async decrement(environmentId: string, requestId: string): Promise<void> {
+    const key = this.#getKey(environmentId);
+    await this.redis.zrem(key, requestId);
+  }
+
+  #getKey(environmentId: string): string {
+    return `${this.options.keyPrefix}:${environmentId}`;
+  }
+
+  #registerCommands() {
+    this.redis.defineCommand("incrementAndCheckRealtimeNativeConcurrency", {
+      numberOfKeys: 1,
+      lua: /* lua */ `
+        local concurrencyKey = KEYS[1]
+
+        local timestamp = tonumber(ARGV[1])
+        local requestId = ARGV[2]
+        local expiryTime = tonumber(ARGV[3])
+        local cutoffTime = tonumber(ARGV[4])
+        local limit = tonumber(ARGV[5])
+
+        -- Remove expired entries
+        redis.call('ZREMRANGEBYSCORE', concurrencyKey, '-inf', cutoffTime)
+
+        -- Add the new request to the sorted set
+        redis.call('ZADD', concurrencyKey, timestamp, requestId)
+
+        -- Set the expiry time on the key
+        redis.call('EXPIRE', concurrencyKey, expiryTime)
+
+        -- Get the total number of concurrent requests
+        local totalRequests = redis.call('ZCARD', concurrencyKey)
+
+        -- Check if the limit has been exceeded
+        if totalRequests > limit then
+            redis.call('ZREM', concurrencyKey, requestId)
+            return 0
+        end
+
+        return 1
+      `,
+    });
+
+    this.redis.on("error", (error) => {
+      logger.error("[realtimeConcurrencyLimiter] redis error", { error });
+    });
+  }
+}
+
+declare module "ioredis" {
+  interface RedisCommander<Context> {
+    incrementAndCheckRealtimeNativeConcurrency(
+      key: string,
+      timestamp: string,
+      requestId: string,
+      expiryTime: string,
+      cutoffTime: string,
+      limit: string,
+      callback?: Callback<number>
+    ): Result<number, Context>;
+  }
+}
diff --git a/apps/webapp/app/services/realtime/redisRealtimeStreams.server.ts b/apps/webapp/app/services/realtime/redisRealtimeStreams.server.ts
index e742f770a99..b5a3c896701 100644
--- a/apps/webapp/app/services/realtime/redisRealtimeStreams.server.ts
+++ b/apps/webapp/app/services/realtime/redisRealtimeStreams.server.ts
@@ -1,5 +1,6 @@
 import { Logger, LogLevel } from "@trigger.dev/core/logger";
 import Redis, { RedisOptions } from "ioredis";
+import { defaultReconnectOnError } from "@internal/redis";
 import { env } from "~/env.server";
 import { StreamIngestor, StreamResponder, StreamResponseOptions } from "./types";
 
@@ -7,7 +8,7 @@ export type RealtimeStreamsOptions = {
   redis: RedisOptions | undefined;
   logger?: Logger;
   logLevel?: LogLevel;
-  inactivityTimeoutMs?: number; // Close stream after this many ms of no new data (default: 60000)
+  inactivityTimeoutMs?: number; // Close stream after this many ms of no new data (default: 15000)
 };
 
 // Legacy constant for backward compatibility (no longer written, but still recognized when reading)
@@ -23,10 +24,24 @@ type StreamChunk =
 export class RedisRealtimeStreams implements StreamIngestor, StreamResponder {
   private logger: Logger;
   private inactivityTimeoutMs: number;
+  // Shared connection for short-lived non-blocking operations (XADD, XREVRANGE, EXPIRE).
+  // Lazily created on first use so we don't open a connection if only streamResponse is called.
+  private _sharedRedis: Redis | undefined;
 
   constructor(private options: RealtimeStreamsOptions) {
     this.logger = options.logger ?? new Logger("RedisRealtimeStreams", options.logLevel ?? "info");
-    this.inactivityTimeoutMs = options.inactivityTimeoutMs ?? 60000; // Default: 60 seconds
+    this.inactivityTimeoutMs = options.inactivityTimeoutMs ?? 15000; // Default: 15 seconds
+  }
+
+  private get sharedRedis(): Redis {
+    if (!this._sharedRedis) {
+      this._sharedRedis = new Redis({
+        reconnectOnError: defaultReconnectOnError,
+        ...this.options.redis,
+        connectionName: "realtime:shared",
+      });
+    }
+    return this._sharedRedis;
   }
 
   async initializeStream(
@@ -43,7 +58,11 @@ export class RedisRealtimeStreams implements StreamIngestor, StreamResponder {
     signal: AbortSignal,
     options?: StreamResponseOptions
   ): Promise<Response> {
-    const redis = new Redis(this.options.redis ?? {});
+    const redis = new Redis({
+      reconnectOnError: defaultReconnectOnError,
+      ...this.options.redis,
+      connectionName: "realtime:streamResponse",
+    });
     const streamKey = `stream:${runId}:${streamId}`;
     let isCleanedUp = false;
 
@@ -269,7 +288,10 @@ export class RedisRealtimeStreams implements StreamIngestor, StreamResponder {
     async function cleanup() {
       if (isCleanedUp) return;
       isCleanedUp = true;
-      await redis.quit().catch(console.error);
+      // disconnect() tears down the TCP socket immediately, which causes any
+      // pending XREAD BLOCK to reject right away instead of waiting for the
+      // block timeout to elapse.  quit() would queue behind the blocking command.
+      redis.disconnect();
     }
 
     signal.addEventListener("abort", cleanup, { once: true });
@@ -290,22 +312,12 @@ export class RedisRealtimeStreams implements StreamIngestor, StreamResponder {
     clientId: string,
     resumeFromChunk?: number
   ): Promise<Response> {
-    const redis = new Redis(this.options.redis ?? {});
+    const redis = this.sharedRedis;
     const streamKey = `stream:${runId}:${streamId}`;
     const startChunk = resumeFromChunk ?? 0;
     // Start counting from the resume point, not from 0
     let currentChunkIndex = startChunk;
 
-    const self = this;
-
-    async function cleanup() {
-      try {
-        await redis.quit();
-      } catch (error) {
-        self.logger.error("[RedisRealtimeStreams][ingestData] Error in cleanup:", { error });
-      }
-    }
-
     try {
       const textStream = stream.pipeThrough(new TextDecoderStream());
       const reader = textStream.getReader();
@@ -361,13 +373,11 @@ export class RedisRealtimeStreams implements StreamIngestor, StreamResponder {
       this.logger.error("[RealtimeStreams][ingestData] Error in ingestData:", { error });
 
       return new Response(null, { status: 500 });
-    } finally {
-      await cleanup();
     }
   }
 
   async appendPart(part: string, partId: string, runId: string, streamId: string): Promise<void> {
-    const redis = new Redis(this.options.redis ?? {});
+    const redis = this.sharedRedis;
     const streamKey = `stream:${runId}:${streamId}`;
 
     await redis.xadd(
@@ -386,12 +396,10 @@ export class RedisRealtimeStreams implements StreamIngestor, StreamResponder {
 
     // Set TTL for cleanup when stream is done
     await redis.expire(streamKey, env.REALTIME_STREAM_TTL);
-
-    await redis.quit();
   }
 
   async getLastChunkIndex(runId: string, streamId: string, clientId: string): Promise<number> {
-    const redis = new Redis(this.options.redis ?? {});
+    const redis = this.sharedRedis;
     const streamKey = `stream:${runId}:${streamId}`;
 
     try {
@@ -460,10 +468,6 @@ export class RedisRealtimeStreams implements StreamIngestor, StreamResponder {
       });
       // Return -1 to indicate we don't know what the server has
       return -1;
-    } finally {
-      await redis.quit().catch((err) => {
-        this.logger.error("[RedisRealtimeStreams][getLastChunkIndex] Error in cleanup:", { err });
-      });
     }
   }
 
diff --git a/apps/webapp/app/services/realtime/replayCursorStore.server.ts b/apps/webapp/app/services/realtime/replayCursorStore.server.ts
new file mode 100644
index 00000000000..597957704af
--- /dev/null
+++ b/apps/webapp/app/services/realtime/replayCursorStore.server.ts
@@ -0,0 +1,145 @@
+import { createRedisClient, type RedisClient, type RedisWithClusterOptions } from "~/redis.server";
+import { logger } from "../logger.server";
+import { BoundedTtlCache } from "./boundedTtlCache";
+
+/**
+ * Per-connection replay cursors ("when did this connection last receive data"), keyed by the
+ * env-prefixed working-set key. Sharing them fleet-wide makes an instance hop look like a normal
+ * inter-poll gap instead of an unknown one, so hops stop triggering cold resolves and full-window
+ * replays. Values are single timestamps, so the shared store stays cheap.
+ */
+export interface ReplayCursorStore {
+  /** The connection's last-response timestamp; undefined on miss OR error (the caller
+   * degrades to a cold probe / full-window replay, never blocks the poll). */
+  get(key: string): Promise<number | undefined>;
+  /** Fire-and-forget stamp; must never throw. */
+  set(key: string, ms: number): void;
+}
+
+/** Per-instance fallback with the same shape (used when the shared store is disabled, and in tests). */
+export class InMemoryReplayCursorStore implements ReplayCursorStore {
+  readonly #cache: BoundedTtlCache<number>;
+
+  constructor(ttlMs: number, maxEntries: number) {
+    this.#cache = new BoundedTtlCache<number>(ttlMs, maxEntries);
+  }
+
+  async get(key: string): Promise<number | undefined> {
+    return this.#cache.get(key);
+  }
+
+  set(key: string, ms: number): void {
+    this.#cache.set(key, ms);
+  }
+}
+
+export type RedisReplayCursorStoreOptions = {
+  redis: RedisWithClusterOptions;
+  /** Entry TTL (ms); matches the working-set TTL so both views of a connection age out together. */
+  ttlMs: number;
+  /** Read deadline (ms): a slow or down Redis degrades the poll to a cold probe instead of stalling it. */
+  getTimeoutMs?: number;
+  keyPrefix?: string;
+  connectionName?: string;
+  /** Observability hook: a store op settled (errors are the degradation signal, not failures). */
+  onResult?: (op: "get" | "set", ok: boolean) => void;
+};
+
+const DEFAULT_KEY_PREFIX = "realtime:replay-cursor:";
+const DEFAULT_GET_TIMEOUT_MS = 250;
+const TIMED_OUT = Symbol("replay-cursor-get-timeout");
+
+export class RedisReplayCursorStore implements ReplayCursorStore {
+  #client: RedisClient | undefined;
+
+  constructor(private readonly options: RedisReplayCursorStoreOptions) {}
+
+  async get(key: string): Promise<number | undefined> {
+    try {
+      const raw = await this.#getWithDeadline(this.#key(key));
+      if (raw === TIMED_OUT) {
+        this.options.onResult?.("get", false);
+        logger.warn("[replayCursorStore] replay-cursor read timed out", { key });
+        return undefined;
+      }
+      this.options.onResult?.("get", true);
+      if (raw === null) {
+        return undefined;
+      }
+      const ms = Number(raw);
+      return Number.isFinite(ms) && ms > 0 ? ms : undefined;
+    } catch (error) {
+      this.options.onResult?.("get", false);
+      logger.error("[replayCursorStore] failed to read a replay cursor", { error, key });
+      return undefined;
+    }
+  }
+
+  /** GET raced against the read deadline (ioredis queues commands while disconnected, which
+   * would otherwise stall every poll start through an outage). */
+  #getWithDeadline(key: string): Promise<string | null | typeof TIMED_OUT> {
+    return new Promise((resolve, reject) => {
+      const timer = setTimeout(
+        () => resolve(TIMED_OUT),
+        this.options.getTimeoutMs ?? DEFAULT_GET_TIMEOUT_MS
+      );
+      timer.unref?.();
+      this.#ensureClient()
+        .get(key)
+        .then(
+          (value) => {
+            clearTimeout(timer);
+            resolve(value);
+          },
+          (error) => {
+            clearTimeout(timer);
+            reject(error);
+          }
+        );
+    });
+  }
+
+  set(key: string, ms: number): void {
+    try {
+      this.#ensureClient()
+        .set(this.#key(key), String(ms), "PX", this.options.ttlMs)
+        .then(
+          () => this.options.onResult?.("set", true),
+          (error) => {
+            this.options.onResult?.("set", false);
+            logger.error("[replayCursorStore] failed to write a replay cursor", { error, key });
+          }
+        );
+    } catch (error) {
+      this.options.onResult?.("set", false);
+      logger.error("[replayCursorStore] failed to write a replay cursor", { error, key });
+    }
+  }
+
+  async quit(): Promise<void> {
+    const client = this.#client;
+    this.#client = undefined;
+    if (!client) return;
+    try {
+      // Bounded graceful QUIT; cursor writes are best-effort, so force-close beyond it.
+      await Promise.race([client.quit(), new Promise((resolve) => setTimeout(resolve, 500))]);
+    } catch {
+      // force-close below
+    }
+    client.disconnect();
+  }
+
+  #key(key: string): string {
+    return `${this.options.keyPrefix ?? DEFAULT_KEY_PREFIX}${key}`;
+  }
+
+  #ensureClient(): RedisClient {
+    if (!this.#client) {
+      this.#client = createRedisClient(
+        this.options.connectionName ?? "trigger:realtime:replay-cursors",
+        this.options.redis
+      );
+    }
+    return this.#client;
+  }
+}
diff --git a/apps/webapp/app/services/realtime/replicaLagEstimator.server.ts b/apps/webapp/app/services/realtime/replicaLagEstimator.server.ts
new file mode 100644
index 00000000000..17aa7e2b893
--- /dev/null
+++ b/apps/webapp/app/services/realtime/replicaLagEstimator.server.ts
@@ -0,0 +1,257 @@
+import { logger } from "~/services/logger.server";
+
+/**
+ * ReplicaLagEstimator — tracks how far the read replica trails the primary so the
+ * EnvChangeRouter can delay wake-path hydrates just long enough to read their own writes.
+ * Two inputs: a ReplicaLagSource (active, reader-side only — never queries the primary)
+ * sampled on an interval while the router is busy, and passive observations fed back by
+ * the router's stale-hydrate tripwire. The estimate is the max over a short window —
+ * floored by recent observations — so spikes widen the delay immediately and decay back
+ * out as fresh samples land.
+ */
+
+type RawQueryable = {
+  $queryRawUnsafe<T = unknown>(query: string): Promise<T>;
+};
+
+/** A dialect-specific reader-side lag measure. `sampleLagMs()` returns the current lag in
+ * ms, or undefined when lag is genuinely unmeasurable right now (NOT an error — errors
+ * throw, and the composing source uses them to rule the dialect out). */
+export interface ReplicaLagSource {
+  readonly name: string;
+  sampleLagMs(): Promise<number | undefined>;
+}
+
+/** Aurora: replicas share the storage layer and reject every standard WAL function;
+ * `aurora_replica_status()` is the only live lag source. Max across readers, since the
+ * `$replica` pool balances over all of them. No reader rows = `$replica` is the writer =
+ * no lag. Throws on non-Aurora (the function doesn't exist). */
+export class AuroraReplicaLagSource implements ReplicaLagSource {
+  readonly name = "aurora";
+
+  constructor(private readonly db: RawQueryable) {}
+
+  async sampleLagMs(): Promise<number | undefined> {
+    const rows = await this.db.$queryRawUnsafe<{ lag: number | null }[]>(
+      `SELECT max(replica_lag_in_msec)::float8 AS lag FROM aurora_replica_status() WHERE session_id <> 'MASTER_SESSION_ID' AND replica_lag_in_msec IS NOT NULL`
+    );
+    const lag = rows[0]?.lag;
+    return typeof lag === "number" && Number.isFinite(lag) ? Math.max(0, lag) : 0;
+  }
+}
+
+/** Vanilla PG streaming replication. A primary (not in recovery — no replica configured,
+ * `$replica` is the writer) has no lag by definition; a caught-up replica (receive LSN ==
+ * replay LSN) reports 0. Mid-apply there is NO honest reader-side timestamp measure —
+ * `now() - pg_last_xact_replay_timestamp()` reads as the full inter-write gap on
+ * low-traffic systems, which (measured locally) pins the estimate at the delay cap — so
+ * mid-apply reports undefined and the tripwire's observed-staleness floor carries the
+ * estimate instead. */
+export class VanillaPgReplicaLagSource implements ReplicaLagSource {
+  readonly name = "vanilla-pg";
+
+  constructor(private readonly db: RawQueryable) {}
+
+  async sampleLagMs(): Promise<number | undefined> {
+    const rows = await this.db.$queryRawUnsafe<{ caught_up: boolean | null }[]>(
+      `SELECT CASE
+         WHEN NOT pg_is_in_recovery() THEN true
+         WHEN pg_last_wal_receive_lsn() IS NOT DISTINCT FROM pg_last_wal_replay_lsn() THEN true
+         ELSE false
+       END AS caught_up`
+    );
+    return rows[0]?.caught_up ? 0 : undefined;
+  }
+}
+
+/** Composes dialect sources: the first whose sample succeeds is selected and used from
+ * then on; a database where none work degrades to never-measuring (the estimator then
+ * runs on its default + tripwire observations). Selection is by thrown-vs-returned —
+ * sources throw on unsupported dialects and return undefined for "can't measure now". */
+export class FirstSupportedReplicaLagSource implements ReplicaLagSource {
+  /** undefined = not probed yet; null = no candidate works here. */
+  #selected: ReplicaLagSource | null | undefined;
+
+  constructor(private readonly candidates: ReplicaLagSource[]) {}
+
+  get name(): string {
+    return this.#selected ? this.#selected.name : "undetected";
+  }
+
+  async sampleLagMs(): Promise<number | undefined> {
+    if (this.#selected === null) {
+      return undefined;
+    }
+    if (this.#selected) {
+      // Transient errors don't unselect the dialect; the sample is just skipped.
+      try {
+        return await this.#selected.sampleLagMs();
+      } catch {
+        return undefined;
+      }
+    }
+    for (const candidate of this.candidates) {
+      try {
+        const lag = await candidate.sampleLagMs();
+        this.#selected = candidate;
+        logger.info("[replicaLagEstimator] selected lag source", { source: candidate.name });
+        return lag;
+      } catch {
+        // unsupported dialect; try the next
+      }
+    }
+    this.#selected = null;
+    logger.warn(
+      "[replicaLagEstimator] no usable lag source; relying on default + tripwire observations"
+    );
+    return undefined;
+  }
+}
+
+/** The standard composition for a Prisma replica client. */
+export function createPostgresReplicaLagSource(replica: RawQueryable): ReplicaLagSource {
+  return new FirstSupportedReplicaLagSource([
+    new AuroraReplicaLagSource(replica),
+    new VanillaPgReplicaLagSource(replica),
+  ]);
+}
+
+export type ReplicaLagEstimatorOptions = {
+  source: ReplicaLagSource;
+  /** Sample cadence while active. */
+  sampleIntervalMs?: number;
+  /** Stop sampling this long after the last touch(); the next touch resumes. */
+  idleAfterMs?: number;
+  /** The estimate is the max sample inside this window. */
+  windowMs?: number;
+  /** Estimate before any sample lands (and the floor when sampling is unavailable). */
+  defaultLagMs?: number;
+  /** Ceiling on accepted samples — shields the estimate from a wild observation. */
+  maxLagMs?: number;
+  /** How long a tripwire observation floors the estimate. Sources that can't measure
+   * mid-apply lag (vanilla PG) return nothing, so without this floor the estimate decays
+   * to the caught-up zeros within windowMs and every ~window one wake pays a stale retry
+   * to re-learn. */
+  observedFloorTtlMs?: number;
+  /** Observability: a sample (active or passive) was accepted. */
+  onSample?: (lagMs: number, source: "probe" | "observed") => void;
+};
+
+const DEFAULT_SAMPLE_INTERVAL_MS = 250;
+const DEFAULT_IDLE_AFTER_MS = 30_000;
+const DEFAULT_WINDOW_MS = 5_000;
+const DEFAULT_DEFAULT_LAG_MS = 30;
+const DEFAULT_MAX_LAG_MS = 60_000;
+const DEFAULT_OBSERVED_FLOOR_TTL_MS = 60_000;
+
+export class ReplicaLagEstimator {
+  readonly #sampleIntervalMs: number;
+  readonly #idleAfterMs: number;
+  readonly #windowMs: number;
+  readonly #defaultLagMs: number;
+  readonly #maxLagMs: number;
+  readonly #observedFloorTtlMs: number;
+  #samples: { atMs: number; lagMs: number }[] = [];
+  #lastKnownLagMs: number | undefined;
+  #observedFloorLagMs = 0;
+  #observedFloorAtMs = 0;
+  #lastTouchMs = 0;
+  #timer: ReturnType<typeof setInterval> | undefined;
+  #sampling = false;
+
+  constructor(private readonly options: ReplicaLagEstimatorOptions) {
+    this.#sampleIntervalMs = options.sampleIntervalMs ?? DEFAULT_SAMPLE_INTERVAL_MS;
+    this.#idleAfterMs = options.idleAfterMs ?? DEFAULT_IDLE_AFTER_MS;
+    this.#windowMs = options.windowMs ?? DEFAULT_WINDOW_MS;
+    this.#defaultLagMs = options.defaultLagMs ?? DEFAULT_DEFAULT_LAG_MS;
+    this.#maxLagMs = options.maxLagMs ?? DEFAULT_MAX_LAG_MS;
+    this.#observedFloorTtlMs = options.observedFloorTtlMs ?? DEFAULT_OBSERVED_FLOOR_TTL_MS;
+  }
+
+  /** Mark router activity; starts (or keeps) the sampler running. */
+  touch() {
+    this.#lastTouchMs = Date.now();
+    if (!this.#timer) {
+      this.#timer = setInterval(() => this.#tick(), this.#sampleIntervalMs);
+      this.#timer.unref?.();
+      // Sample immediately so the first wake after idle doesn't run on a stale estimate.
+      this.#tick();
+    }
+  }
+
+  /** Current lag estimate (ms): the max recent sample (else last known, else the default),
+   * floored by the latest tripwire observation while it's fresh. Never throws. */
+  getLagMs(): number {
+    const now = Date.now();
+    const cutoff = now - this.#windowMs;
+    let max: number | undefined;
+    for (const sample of this.#samples) {
+      if (sample.atMs >= cutoff && (max === undefined || sample.lagMs > max)) {
+        max = sample.lagMs;
+      }
+    }
+    const base = max ?? this.#lastKnownLagMs ?? this.#defaultLagMs;
+    const floor =
+      now - this.#observedFloorAtMs < this.#observedFloorTtlMs ? this.#observedFloorLagMs : 0;
+    return Math.max(base, floor);
+  }
+
+  /** Feedback from the stale-hydrate tripwire: a read provably ran at least this far
+   * behind the primary. Widens the estimate immediately AND floors it for a while —
+   * sources that can't measure mid-apply lag would otherwise decay it straight back. */
+  noteObservedLagMs(lagMs: number) {
+    const clamped = Math.min(Math.max(0, lagMs), this.#maxLagMs);
+    const floorExpired = Date.now() - this.#observedFloorAtMs >= this.#observedFloorTtlMs;
+    if (clamped >= this.#observedFloorLagMs || floorExpired) {
+      this.#observedFloorLagMs = clamped;
+      this.#observedFloorAtMs = Date.now();
+    }
+    this.#accept(lagMs, "observed");
+  }
+
+  stop() {
+    if (this.#timer) {
+      clearInterval(this.#timer);
+      this.#timer = undefined;
+    }
+  }
+
+  #accept(lagMs: number, source: "probe" | "observed") {
+    if (!Number.isFinite(lagMs)) {
+      return;
+    }
+    const clamped = Math.min(Math.max(0, lagMs), this.#maxLagMs);
+    const now = Date.now();
+    this.#samples.push({ atMs: now, lagMs: clamped });
+    this.#lastKnownLagMs = clamped;
+    const cutoff = now - this.#windowMs;
+    while (this.#samples.length > 0 && this.#samples[0].atMs < cutoff) {
+      this.#samples.shift();
+    }
+    this.options.onSample?.(clamped, source);
+  }
+
+  #tick() {
+    if (Date.now() - this.#lastTouchMs > this.#idleAfterMs) {
+      this.stop();
+      return;
+    }
+    if (this.#sampling) {
+      return; // a slow sample shouldn't stack
+    }
+    this.#sampling = true;
+    this.options.source
+      .sampleLagMs()
+      .then((lagMs) => {
+        if (lagMs !== undefined) {
+          this.#accept(lagMs, "probe");
+        }
+      })
+      .catch(() => {
+        // sampling errors never propagate; the estimate just ages
+      })
+      .finally(() => {
+        this.#sampling = false;
+      });
+  }
+}
diff --git a/apps/webapp/app/services/realtime/resolveRealtimeStreamClient.server.ts b/apps/webapp/app/services/realtime/resolveRealtimeStreamClient.server.ts
new file mode 100644
index 00000000000..69ca81cf2cc
--- /dev/null
+++ b/apps/webapp/app/services/realtime/resolveRealtimeStreamClient.server.ts
@@ -0,0 +1,93 @@
+import { $replica } from "~/db.server";
+import { env } from "~/env.server";
+import { singleton } from "~/utils/singleton";
+import { FEATURE_FLAG } from "~/v3/featureFlags";
+import { makeFlag } from "~/v3/featureFlags.server";
+import { logger } from "../logger.server";
+import { type RealtimeEnvironment } from "../realtimeClient.server";
+import { realtimeClient } from "../realtimeClientGlobal.server";
+import { BoundedTtlCache } from "./boundedTtlCache";
+import { type RealtimeStreamClient } from "./nativeRealtimeClient.server";
+import { getNativeRealtimeClient } from "./nativeRealtimeClientInstance.server";
+import { getShadowRealtimeClient } from "./shadowRealtimeClientInstance.server";
+
+type RealtimeBackend = "electric" | "native" | "shadow";
+
+// Two gates, both defaulting to the Electric path: the env master switch, then the
+// per-org `realtimeBackend` feature flag (cached so long-polls don't hit the DB per request).
+const nativeBackendEnabled = env.REALTIME_BACKEND_NATIVE_ENABLED === "1";
+
+const flag = singleton("realtimeBackendFlag", () => makeFlag($replica));
+const backendCache = singleton(
+  "realtimeBackendCache",
+  () =>
+    new BoundedTtlCache<RealtimeBackend>(
+      env.REALTIME_BACKEND_FLAG_CACHE_TTL_MS,
+      env.REALTIME_BACKEND_FLAG_CACHE_MAX_ENTRIES
+    )
+);
+
+export async function resolveRealtimeStreamClient(
+  environment: RealtimeEnvironment & { organization?: { featureFlags?: unknown } }
+): Promise<RealtimeStreamClient> {
+  if (!nativeBackendEnabled) {
+    return realtimeClient;
+  }
+
+  // The authenticated environment already carries the org's feature flags; pass them
+  // through so a cache miss doesn't need an extra organization read.
+  const orgFeatureFlags = environment.organization
+    ? environment.organization.featureFlags ?? {}
+    : undefined;
+
+  switch (await getRealtimeBackend(environment.organizationId, orgFeatureFlags)) {
+    case "native":
+      return getNativeRealtimeClient();
+    case "shadow":
+      // The client is still served Electric; the native path is diffed in the background.
+      return getShadowRealtimeClient();
+    case "electric":
+    default:
+      return realtimeClient;
+  }
+}
+
+async function getRealtimeBackend(
+  organizationId: string,
+  orgFeatureFlags: unknown | undefined
+): Promise<RealtimeBackend> {
+  const cached = backendCache.get(organizationId);
+  if (cached !== undefined) {
+    return cached;
+  }
+
+  let backend: RealtimeBackend = "electric";
+
+  try {
+    const overrides =
+      orgFeatureFlags !== undefined
+        ? orgFeatureFlags
+        : (
+            await $replica.organization.findFirst({
+              where: { id: organizationId },
+              select: { featureFlags: true },
+            })
+          )?.featureFlags;
+
+    backend = await flag({
+      key: FEATURE_FLAG.realtimeBackend,
+      defaultValue: "electric",
+      overrides: (overrides as Record<string, unknown>) ?? {},
+    });
+  } catch (error) {
+    // Never let a flag lookup failure break the realtime feed.
+    logger.error("[resolveRealtimeStreamClient] failed to resolve realtimeBackend flag", {
+      organizationId,
+      error,
+    });
+    backend = "electric";
+  }
+
+  backendCache.set(organizationId, backend);
+  return backend;
+}
diff --git a/apps/webapp/app/services/realtime/runChangeNotifier.server.ts b/apps/webapp/app/services/realtime/runChangeNotifier.server.ts
new file mode 100644
index 00000000000..f295c02d3f8
--- /dev/null
+++ b/apps/webapp/app/services/realtime/runChangeNotifier.server.ts
@@ -0,0 +1,325 @@
+import { createRedisClient, RedisClient, RedisWithClusterOptions } from "~/redis.server";
+import { logger } from "../logger.server";
+
+export const CHANGE_RECORD_VERSION = 1;
+
+/**
+ * A self-describing run-change fact published once to the run's environment channel; row state is
+ * never on the wire. `tags` present (even `[]`) marks a "full" record a feed can classify locally;
+ * `tags` absent marks a "partial" record (envId+runId only) a tag feed must hydrate to classify.
+ */
+export type ChangeRecord = {
+  v: number;
+  runId: string;
+  envId: string;
+  tags?: string[];
+  batchId?: string | null;
+  createdAtMs?: number;
+  updatedAtMs?: number;
+  status?: string;
+};
+
+/** What a publish site provides; the notifier stamps the version. */
+export type ChangeRecordInput = Omit<ChangeRecord, "v">;
+
+export function encodeChangeRecord(record: ChangeRecord): string {
+  return JSON.stringify(record);
+}
+
+/** Decode a wire message into a ChangeRecord; a bare/malformed frame degrades to a partial record rather than throwing. */
+export function decodeChangeRecord(message: string): ChangeRecord {
+  if (message.length === 0 || message[0] !== "{") {
+    return { v: 0, runId: message, envId: "" };
+  }
+  try {
+    const parsed = JSON.parse(message) as Partial<ChangeRecord>;
+    if (parsed && typeof parsed.runId === "string") {
+      return {
+        v: parsed.v ?? 0,
+        runId: parsed.runId,
+        envId: parsed.envId ?? "",
+        tags: parsed.tags,
+        batchId: parsed.batchId,
+        createdAtMs: parsed.createdAtMs,
+        updatedAtMs: parsed.updatedAtMs,
+        status: parsed.status,
+      };
+    }
+  } catch {
+    // fall through to the bare-runId fallback
+  }
+  return { v: 0, runId: message, envId: "" };
+}
+
+export type RunChangeNotifierOptions = {
+  redis: RedisWithClusterOptions;
+  /** Channel name prefix; the envId is appended inside a hash-tag for slot locality. */
+  channelPrefix?: string;
+  connectionName?: string;
+  /** Leading-edge throttle (ms) for the per-env channel, bounding the wake rate per env. Defaults to 100ms; 0 disables. */
+  envWakeCoalesceWindowMs?: number;
+  /** Use Redis sharded pub/sub (SSUBSCRIBE/SPUBLISH); cluster-only and requires `clusterOptions.shardedSubscribers`. Defaults to false (classic). */
+  shardedPubSub?: boolean;
+  /** Observability hook: a publish settled (ok) or failed (the leading degradation signal). */
+  onPublishResult?: (ok: boolean) => void;
+  /** Observability hook: a raw channel message arrived (pre-coalesce). */
+  onMessageReceived?: () => void;
+  /** Observability hook: a coalesced batch was delivered to listeners (records per batch). */
+  onBatchDelivered?: (recordCount: number) => void;
+};
+
+const DEFAULT_CHANNEL_PREFIX = "realtime:";
+const DEFAULT_ENV_WAKE_COALESCE_WINDOW_MS = 100;
+
+/**
+ * RunChangeNotifier — carries "run X changed" facts from write sites to the realtime feeds over ONE
+ * per-environment channel (`<prefix>env:{<envId>}`, hash-tagged so an env stays on one cluster slot).
+ * Uses one shared multiplexed subscriber per process (refcounted), created lazily, and a fire-and-forget
+ * `publish` that never throws — a dropped publish only costs latency because the consumer has a backstop.
+ */
+export class RunChangeNotifier {
+  #publisher: RedisClient | undefined;
+  #subscriber: RedisClient | undefined;
+  readonly #listeners = new Map<string, Set<(records: ChangeRecord[]) => void>>();
+  /** Per-channel accumulator of records since the last delivery, deduped by runId (latest per run wins), so a coalesced wake carries every run that moved. */
+  readonly #pending = new Map<string, Map<string, ChangeRecord>>();
+  readonly #channelPrefix: string;
+  readonly #connectionName: string;
+  readonly #coalesceWindowMs: number;
+  /** When true, use sharded pub/sub (SSUBSCRIBE/SPUBLISH/smessage) — see options. */
+  readonly #sharded: boolean;
+  /** Active coalescing windows per channel. */
+  readonly #coalesceTimers = new Map<string, ReturnType<typeof setTimeout>>();
+  /** Channels that received a message while their window was open (need a trailing wake). */
+  readonly #coalesceDirty = new Set<string>();
+
+  constructor(private readonly options: RunChangeNotifierOptions) {
+    this.#channelPrefix = options.channelPrefix ?? DEFAULT_CHANNEL_PREFIX;
+    this.#connectionName = options.connectionName ?? "trigger:realtime:run-change-notifier";
+    this.#coalesceWindowMs = options.envWakeCoalesceWindowMs ?? DEFAULT_ENV_WAKE_COALESCE_WINDOW_MS;
+    this.#sharded = options.shardedPubSub ?? false;
+  }
+
+  /** Fire-and-forget publish of a run-changed fact to the run's environment channel; never throws. */
+  publish(input: ChangeRecordInput): void {
+    const record: ChangeRecord = { v: CHANGE_RECORD_VERSION, ...input };
+    this.#publishToChannel(this.#channelForEnv(record.envId), encodeChangeRecord(record));
+  }
+
+  /** Fire-and-forget publish of many run-changed facts. Never throws. */
+  publishMany(inputs: ChangeRecordInput[]): void {
+    for (const input of inputs) {
+      this.publish(input);
+    }
+  }
+
+  #publishToChannel(channel: string, payload: string): void {
+    try {
+      const publisher = this.#ensurePublisher();
+      // Sharded pub/sub (SPUBLISH) routes to the channel's slot owner; classic PUBLISH
+      // broadcasts cluster-wide. The channel is hash-tagged by envId.
+      const result = this.#sharded
+        ? publisher.spublish(channel, payload)
+        : publisher.publish(channel, payload);
+      if (typeof (result as Promise<number>)?.then === "function") {
+        (result as Promise<number>).then(
+          () => this.options.onPublishResult?.(true),
+          (error) => {
+            this.options.onPublishResult?.(false);
+            logger.error("[runChangeNotifier] Failed to publish run-changed notification", {
+              error,
+              channel,
+            });
+          }
+        );
+      } else {
+        this.options.onPublishResult?.(true);
+      }
+    } catch (error) {
+      this.options.onPublishResult?.(false);
+      logger.error("[runChangeNotifier] Failed to publish run-changed notification", {
+        error,
+        channel,
+      });
+    }
+  }
+
+  /** Subscribe to an env's run-change stream; refcounted over the shared subscriber (first listener SUBSCRIBEs, last UNSUBSCRIBEs). */
+  subscribeToEnv(environmentId: string, onBatch: (records: ChangeRecord[]) => void): () => void {
+    const channel = this.#channelForEnv(environmentId);
+    const subscriber = this.#ensureSubscriber();
+
+    let listeners = this.#listeners.get(channel);
+    if (!listeners) {
+      listeners = new Set();
+      this.#listeners.set(channel, listeners);
+      this.#subscribeChannel(subscriber, channel).catch((error) => {
+        logger.error("[runChangeNotifier] Failed to subscribe to run-change channel", {
+          error,
+          channel,
+        });
+      });
+    }
+    listeners.add(onBatch);
+
+    let unsubscribed = false;
+    return () => {
+      if (unsubscribed) {
+        return;
+      }
+      unsubscribed = true;
+
+      const current = this.#listeners.get(channel);
+      if (!current) {
+        return;
+      }
+      current.delete(onBatch);
+      if (current.size === 0) {
+        // Drop the channel from the map only after Redis confirms UNSUBSCRIBE and no new listener re-subscribed in the meantime.
+        this.#unsubscribeChannel(subscriber, channel)
+          .then(() => {
+            const latest = this.#listeners.get(channel);
+            if (!latest) {
+              return;
+            }
+            if (latest.size === 0) {
+              this.#listeners.delete(channel);
+            } else {
+              // A listener arrived during the in-flight UNSUBSCRIBE; re-subscribe so it keeps receiving (the backstop covers the gap).
+              this.#subscribeChannel(subscriber, channel).catch((error) => {
+                logger.error("[runChangeNotifier] Failed to re-subscribe to run-change channel", {
+                  error,
+                  channel,
+                });
+              });
+            }
+          })
+          .catch((error) => {
+            // UNSUBSCRIBE failed (likely still subscribed in Redis): keep the empty map entry so a future subscriber reuses it.
+            logger.error("[runChangeNotifier] Failed to unsubscribe from run-change channel", {
+              error,
+              channel,
+            });
+          });
+      }
+    };
+  }
+
+  /** Number of distinct env channels currently subscribed (for metrics). */
+  get activeSubscriptionCount(): number {
+    return this.#listeners.size;
+  }
+
+  async quit(): Promise<void> {
+    for (const timer of this.#coalesceTimers.values()) {
+      clearTimeout(timer);
+    }
+    this.#coalesceTimers.clear();
+    this.#coalesceDirty.clear();
+    this.#pending.clear();
+    await Promise.allSettled([this.#subscriber?.quit(), this.#publisher?.quit()]);
+    this.#subscriber = undefined;
+    this.#publisher = undefined;
+    this.#listeners.clear();
+  }
+
+  #ensurePublisher(): RedisClient {
+    if (!this.#publisher) {
+      this.#publisher = createRedisClient(`${this.#connectionName}:pub`, this.options.redis);
+    }
+    return this.#publisher;
+  }
+
+  #ensureSubscriber(): RedisClient {
+    if (!this.#subscriber) {
+      const subscriber = createRedisClient(`${this.#connectionName}:sub`, this.options.redis);
+      const onMessage = (channel: string, message: string) => this.#onMessage(channel, message);
+      // Classic pub/sub delivers "message"; sharded pub/sub delivers "smessage". Register
+      // both so the delivery path is identical regardless of mode.
+      subscriber.on("message", onMessage);
+      subscriber.on("smessage", onMessage);
+      this.#subscriber = subscriber;
+    }
+    return this.#subscriber;
+  }
+
+  /** SUBSCRIBE (classic) vs SSUBSCRIBE (sharded, cluster-only). */
+  #subscribeChannel(subscriber: RedisClient, channel: string): Promise<unknown> {
+    return this.#sharded ? subscriber.ssubscribe(channel) : subscriber.subscribe(channel);
+  }
+
+  /** UNSUBSCRIBE (classic) vs SUNSUBSCRIBE (sharded, cluster-only). */
+  #unsubscribeChannel(subscriber: RedisClient, channel: string): Promise<unknown> {
+    return this.#sharded ? subscriber.sunsubscribe(channel) : subscriber.unsubscribe(channel);
+  }
+
+  #onMessage(channel: string, message: string) {
+    this.options.onMessageReceived?.();
+    // Accumulate the decoded record (deduped by runId) before delivering, so a coalesced
+    // wake carries every run that moved during the window.
+    this.#addPending(channel, decodeChangeRecord(message));
+
+    if (this.#coalesceWindowMs > 0) {
+      this.#deliverCoalesced(channel);
+      return;
+    }
+    this.#deliver(channel);
+  }
+
+  /** Accumulate a record into the channel's pending batch, deduped by runId (a later
+   * record for the same run replaces the earlier one, keeping the freshest keys). */
+  #addPending(channel: string, record: ChangeRecord) {
+    let batch = this.#pending.get(channel);
+    if (!batch) {
+      batch = new Map();
+      this.#pending.set(channel, batch);
+    }
+    batch.set(record.runId, record);
+  }
+
+  #deliver(channel: string) {
+    // Drain the accumulated batch (and clear it) so listeners woken now get every run that
+    // changed since the last delivery, and a later message starts a fresh batch.
+    const batchMap = this.#pending.get(channel);
+    const batch = batchMap ? [...batchMap.values()] : [];
+    this.#pending.delete(channel);
+
+    const listeners = this.#listeners.get(channel);
+    if (!listeners || batch.length === 0) {
+      return;
+    }
+    this.options.onBatchDelivered?.(batch.length);
+    for (const onBatch of [...listeners]) {
+      onBatch(batch);
+    }
+  }
+
+  /** Leading-edge throttle capping the wake rate to ~1/window: deliver the first wake immediately, then one trailing wake per window while activity continues. Lossless. */
+  #deliverCoalesced(channel: string) {
+    if (this.#coalesceTimers.has(channel)) {
+      this.#coalesceDirty.add(channel);
+      return;
+    }
+    this.#deliver(channel);
+    this.#openCoalesceWindow(channel);
+  }
+
+  #openCoalesceWindow(channel: string) {
+    const timer = setTimeout(() => {
+      this.#coalesceTimers.delete(channel);
+      if (this.#coalesceDirty.delete(channel)) {
+        this.#deliver(channel);
+        this.#openCoalesceWindow(channel);
+      }
+    }, this.#coalesceWindowMs);
+    // Don't let a pending coalescing window hold the process open at shutdown.
+    timer.unref?.();
+    this.#coalesceTimers.set(channel, timer);
+  }
+
+  // Hash-tagged (`...{<envId>}`) so all of an env's traffic maps to one cluster slot (one
+  // shard) under sharded pub/sub.
+  #channelForEnv(environmentId: string): string {
+    return `${this.#channelPrefix}env:{${environmentId}}`;
+  }
+}
diff --git a/apps/webapp/app/services/realtime/runChangeNotifierHandlers.server.ts b/apps/webapp/app/services/realtime/runChangeNotifierHandlers.server.ts
new file mode 100644
index 00000000000..b7d90122db0
--- /dev/null
+++ b/apps/webapp/app/services/realtime/runChangeNotifierHandlers.server.ts
@@ -0,0 +1,87 @@
+import { env } from "~/env.server";
+import { engine } from "~/v3/runEngine.server";
+import { logger } from "../logger.server";
+import { publishChangeRecord } from "./runChangeNotifierInstance.server";
+
+/**
+ * Builds and publishes a self-describing `ChangeRecord` for the lifecycle events whose engine-bus payload
+ * already carries env + tags + batchId. Terminal transitions, runAttemptFailed, and runMetadataUpdated publish
+ * from `runEngineHandlers.server.ts` instead. Coverage isn't exhaustive — a dropped transition only adds latency
+ * because the consumer has a periodic backstop full-resolve. The env master switch is `REALTIME_BACKEND_NATIVE_ENABLED`.
+ */
+export function registerRunChangeNotifierHandlers() {
+  // Return truthy in every path so singleton() caches this factory and never re-runs it (re-running would attach duplicate engine-bus listeners on dev reload).
+  if (env.REALTIME_BACKEND_NATIVE_ENABLED !== "1") {
+    return true;
+  }
+
+  // Run created: the first signal for a brand-new run (born QUEUED with no status transition), so it surfaces before ClickHouse ingests it.
+  engine.eventBus.on("runCreated", ({ run, environment }) => {
+    publishChangeRecord({
+      runId: run.id,
+      envId: environment.id,
+      tags: run.runTags,
+      batchId: run.batchId,
+    });
+  });
+
+  // Status transitions (checkpoint suspend/resume, pending version, dequeue).
+  engine.eventBus.on("runStatusChanged", ({ run, environment }) => {
+    publishChangeRecord({
+      runId: run.id,
+      envId: environment.id,
+      tags: run.runTags,
+      batchId: run.batchId,
+    });
+  });
+
+  // Dequeue/lock (sets startedAt) and attempt start (DEQUEUED -> EXECUTING) — the
+  // most-watched "my run started" transitions.
+  engine.eventBus.on("runLocked", ({ run, environment }) => {
+    publishChangeRecord({
+      runId: run.id,
+      envId: environment.id,
+      tags: run.runTags,
+      batchId: run.batchId,
+    });
+  });
+  engine.eventBus.on("runAttemptStarted", ({ run, environment }) => {
+    publishChangeRecord({
+      runId: run.id,
+      envId: environment.id,
+      tags: run.runTags,
+      batchId: run.batchId,
+    });
+  });
+
+  engine.eventBus.on("runRetryScheduled", ({ run, environment }) => {
+    publishChangeRecord({
+      runId: run.id,
+      envId: environment.id,
+      tags: run.runTags,
+      batchId: run.batchId,
+    });
+  });
+
+  // Delay lifecycle (delayUntil / queued-after-delay changes).
+  engine.eventBus.on("runDelayRescheduled", ({ run, environment }) => {
+    publishChangeRecord({
+      runId: run.id,
+      envId: environment.id,
+      tags: run.runTags,
+      batchId: run.batchId,
+    });
+  });
+  engine.eventBus.on("runEnqueuedAfterDelay", ({ run, environment }) => {
+    publishChangeRecord({
+      runId: run.id,
+      envId: environment.id,
+      tags: run.runTags,
+      batchId: run.batchId,
+    });
+  });
+
+  logger.info("[runChangeNotifier] realtime change-record builder registered");
+
+  return true;
+}
diff --git a/apps/webapp/app/services/realtime/runChangeNotifierInstance.server.ts b/apps/webapp/app/services/realtime/runChangeNotifierInstance.server.ts
new file mode 100644
index 00000000000..b656052c339
--- /dev/null
+++ b/apps/webapp/app/services/realtime/runChangeNotifierInstance.server.ts
@@ -0,0 +1,85 @@
+import { getMeter } from "@internal/tracing";
+import { env } from "~/env.server";
+import { singleton } from "~/utils/singleton";
+import { RunChangeNotifier, type ChangeRecordInput } from "./runChangeNotifier.server";
+
+/**
+ * Process-singleton wiring for the RunChangeNotifier plus the gated convenience functions write sites
+ * delegate to. The notifier is constructed lazily, so `REALTIME_BACKEND_NATIVE_ENABLED=0` (default) opens no Redis connections.
+ */
+const nativeBackendEnabled = env.REALTIME_BACKEND_NATIVE_ENABLED === "1";
+
+function initializeRunChangeNotifier(): RunChangeNotifier {
+  const clusterMode = env.REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_CLUSTER_MODE_ENABLED === "1";
+  // Sharded pub/sub only works against a cluster; classic pub/sub there would
+  // broadcast every message to every node, so this is what actually shards load.
+  const shardedPubSub = clusterMode && env.REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_SHARDED_ENABLED === "1";
+
+  const meter = getMeter("realtime-notifier");
+
+  const publishes = meter.createCounter("realtime_notifier.publishes", {
+    description:
+      "Change-record publishes by outcome. Failures are the leading indicator that feeds are degrading to their backstops (pub/sub Redis trouble).",
+  });
+
+  const received = meter.createCounter("realtime_notifier.messages_received", {
+    description: "Raw channel messages received by this instance's subscriber, pre-coalesce.",
+  });
+
+  const delivered = meter.createCounter("realtime_notifier.batches_delivered", {
+    description:
+      "Coalesced batches delivered to listeners. received/batches = the coalesce ratio (how hard a busy env is being collapsed).",
+  });
+
+  const notifier = new RunChangeNotifier({
+    redis: {
+      host: env.REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_HOST,
+      port: env.REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_PORT,
+      username: env.REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_USERNAME,
+      password: env.REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_PASSWORD,
+      tlsDisabled: env.REALTIME_BACKEND_NATIVE_PUBSUB_REDIS_TLS_DISABLED === "true",
+      clusterMode,
+      // One subscriber connection per shard so SSUBSCRIBE routes to the slot owner.
+      ...(shardedPubSub ? { clusterOptions: { shardedSubscribers: true } } : {}),
+    },
+    envWakeCoalesceWindowMs: env.REALTIME_BACKEND_NATIVE_ENV_WAKE_COALESCE_WINDOW_MS,
+    shardedPubSub,
+    onPublishResult: (ok) => publishes.add(1, { result: ok ? "ok" : "error" }),
+    onMessageReceived: () => received.add(1),
+    onBatchDelivered: () => delivered.add(1),
+  });
+
+  meter
+    .createObservableGauge("realtime_notifier.active_subscriptions", {
+      description: "Distinct env channels currently subscribed for realtime change notifications.",
+    })
+    .addCallback((result) => result.observe(notifier.activeSubscriptionCount));
+
+  return notifier;
+}
+
+/** Lazily construct (and memoize) the notifier singleton. */
+export function getRunChangeNotifier(): RunChangeNotifier {
+  return singleton("runChangeNotifier", initializeRunChangeNotifier);
+}
+
+/** Whether the notifier subsystem is enabled for this process. */
+export function isRunChangeNotifierEnabled(): boolean {
+  return nativeBackendEnabled;
+}
+
+/** Fire-and-forget publish of a run-changed record. No-op (and no notifier construction)
+ * when disabled, so publish sites can call it unconditionally. */
+export function publishChangeRecord(input: ChangeRecordInput): void {
+  if (!nativeBackendEnabled) {
+    return;
+  }
+  getRunChangeNotifier().publish(input);
+}
+
+export function publishManyChangeRecords(inputs: ChangeRecordInput[]): void {
+  if (!nativeBackendEnabled) {
+    return;
+  }
+  getRunChangeNotifier().publishMany(inputs);
+}
diff --git a/apps/webapp/app/services/realtime/runReader.server.ts b/apps/webapp/app/services/realtime/runReader.server.ts
new file mode 100644
index 00000000000..e8509d73de4
--- /dev/null
+++ b/apps/webapp/app/services/realtime/runReader.server.ts
@@ -0,0 +1,163 @@
+import { type Prisma, type PrismaClient } from "@trigger.dev/database";
+import { BoundedTtlCache } from "./boundedTtlCache";
+import { RESERVED_COLUMNS, type RealtimeRunRow } from "./electricStreamProtocol.server";
+
+/**
+ * RunReader — the pluggable read half of the native-backend realtime feed: ClickHouse is filter-only
+ * (resolves ids), Postgres always hydrates row columns. Owns the `RunHydrator` (by-id) and the
+ * `RunListResolver` interface (the tag/list filter -> id-set seam, implemented over ClickHouse).
+ */
+
+/** The TaskRun columns the realtime feed projects (mirrors DEFAULT_ELECTRIC_COLUMNS). */
+export const RUN_HYDRATOR_SELECT = {
+  id: true,
+  taskIdentifier: true,
+  createdAt: true,
+  updatedAt: true,
+  startedAt: true,
+  delayUntil: true,
+  queuedAt: true,
+  expiredAt: true,
+  completedAt: true,
+  friendlyId: true,
+  number: true,
+  isTest: true,
+  status: true,
+  usageDurationMs: true,
+  costInCents: true,
+  baseCostInCents: true,
+  ttl: true,
+  payload: true,
+  payloadType: true,
+  metadata: true,
+  metadataType: true,
+  output: true,
+  outputType: true,
+  runTags: true,
+  error: true,
+  realtimeStreams: true,
+} satisfies Prisma.TaskRunSelect;
+
+/** Columns hydrated regardless of `skipColumns`: `id` keys the row, `updatedAt` drives the offset and working-set diff. */
+const ALWAYS_HYDRATED_COLUMNS = new Set<string>(["id", "updatedAt", ...RESERVED_COLUMNS]);
+
+/** Project `RUN_HYDRATOR_SELECT` down to the columns the client didn't skip (plus
+ * the always-needed ones). An empty skip set returns the full select unchanged. */
+export function buildHydratorSelect(skipColumns: string[] = []): Prisma.TaskRunSelect {
+  if (skipColumns.length === 0) {
+    return RUN_HYDRATOR_SELECT;
+  }
+  const skip = new Set(skipColumns);
+  const select: Record<string, boolean> = {};
+  for (const column of Object.keys(RUN_HYDRATOR_SELECT)) {
+    if (ALWAYS_HYDRATED_COLUMNS.has(column) || !skip.has(column)) {
+      select[column] = true;
+    }
+  }
+  return select as Prisma.TaskRunSelect;
+}
+
+export type RunListFilter = {
+  organizationId: string;
+  projectId: string;
+  environmentId: string;
+  /** Contains-ANY tag match (OR). Omit/empty for non-tag feeds. */
+  tags?: string[];
+  /** Restrict to a single batch (internal batch id) — the batch feed. */
+  batchId?: string;
+  /** Lower bound on createdAt (the tag-list feed pins this; batch omits it). */
+  createdAtAfter?: Date;
+  /** Hard cap on the result set so a broad filter can't unbound the snapshot. */
+  limit: number;
+};
+
+/** Resolves a tag/list filter into the matching run id-set, filter-only (rows hydrated from Postgres by id afterward). ClickHouse impl in `clickHouseRunListResolver.server.ts`. */
+export interface RunListResolver {
+  resolveMatchingRunIds(filter: RunListFilter): Promise<string[]>;
+}
+
+export type RunHydratorOptions = {
+  /** A read-replica Prisma client (`$replica`). Always Postgres. */
+  replica: Pick<PrismaClient, "taskRun">;
+  /** Read-through cache TTL (ms) collapsing duplicate refetches for the same run. Set 0 to disable. Defaults to 250ms. */
+  cacheTtlMs?: number;
+  /** Hard cap on cache entries before expired entries are swept. */
+  maxCacheEntries?: number;
+};
+
+const DEFAULT_CACHE_TTL_MS = 250;
+const DEFAULT_MAX_CACHE_ENTRIES = 5_000;
+
+/** Hydrates runs by id from the read replica, projected to the realtime columns; concurrent same-run refetches are single-flighted + short-TTL cached. */
+export class RunHydrator {
+  readonly #inflight = new Map<string, Promise<RealtimeRunRow | null>>();
+  readonly #cache: BoundedTtlCache<RealtimeRunRow | null>;
+  readonly #cacheTtlMs: number;
+
+  constructor(private readonly options: RunHydratorOptions) {
+    this.#cacheTtlMs = options.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS;
+    this.#cache = new BoundedTtlCache(
+      this.#cacheTtlMs,
+      options.maxCacheEntries ?? DEFAULT_MAX_CACHE_ENTRIES
+    );
+  }
+
+  async getRunById(environmentId: string, runId: string): Promise<RealtimeRunRow | null> {
+    const key = `${environmentId}:${runId}`;
+
+    if (this.#cacheTtlMs > 0) {
+      // A cached null is a valid "run not found" hit; only undefined is a miss.
+      const cached = this.#cache.get(key);
+      if (cached !== undefined) {
+        return cached;
+      }
+    }
+
+    const existing = this.#inflight.get(key);
+    if (existing) {
+      return existing;
+    }
+
+    const promise = this.#fetch(environmentId, runId).finally(() => this.#inflight.delete(key));
+    this.#inflight.set(key, promise);
+
+    const row = await promise;
+
+    if (this.#cacheTtlMs > 0) {
+      this.#cache.set(key, row);
+    }
+
+    return row;
+  }
+
+  /** Hydrate many runs by id in one query (order not guaranteed); `skipColumns` projects the SELECT so dropped columns aren't shipped. */
+  async hydrateByIds(
+    environmentId: string,
+    ids: string[],
+    skipColumns: string[] = []
+  ): Promise<RealtimeRunRow[]> {
+    if (ids.length === 0) {
+      return [];
+    }
+    const rows = await this.options.replica.taskRun.findMany({
+      where: {
+        runtimeEnvironmentId: environmentId,
+        id: { in: ids },
+      },
+      select: buildHydratorSelect(skipColumns),
+    });
+    return rows as unknown as RealtimeRunRow[];
+  }
+
+  async #fetch(environmentId: string, runId: string): Promise<RealtimeRunRow | null> {
+    const run = await this.options.replica.taskRun.findFirst({
+      where: {
+        id: runId,
+        runtimeEnvironmentId: environmentId,
+      },
+      select: RUN_HYDRATOR_SELECT,
+    });
+
+    return (run ?? null) as RealtimeRunRow | null;
+  }
+}
diff --git a/apps/webapp/app/services/realtime/s2realtimeStreams.server.ts b/apps/webapp/app/services/realtime/s2realtimeStreams.server.ts
index 4a7acb60606..b91f47c6b3c 100644
--- a/apps/webapp/app/services/realtime/s2realtimeStreams.server.ts
+++ b/apps/webapp/app/services/realtime/s2realtimeStreams.server.ts
@@ -2,7 +2,38 @@
 import type { UnkeyCache } from "@internal/cache";
 import { StreamIngestor, StreamRecord, StreamResponder, StreamResponseOptions } from "./types";
 import { Logger, LogLevel } from "@trigger.dev/core/logger";
+import { headerValue } from "@trigger.dev/core/v3";
 import { randomUUID } from "node:crypto";
+import { ServiceValidationError } from "~/v3/services/common.server";
+
+// S2's per-record metered-size limit. Verified empirically against
+// cloud S2: append succeeds at metered=1048576 and 422s at 1048577
+// with `"record must have metered size less than 1 MiB"` (the "less
+// than" wording is slightly off — the boundary is inclusive).
+//
+// Metered size formula:
+//   metered = 8 (record overhead) + 2*H + Σ(header name + value) + body
+// where `body` is the unescaped record body length in UTF-8 bytes and
+// `H` is the number of S2 record headers.
+//
+// We attach no record headers (H=0), so the budget reduces to:
+//   8 + body ≤ 1048576  →  body ≤ 1048568
+export const S2_MAX_METERED_BYTES = 1024 * 1024; // 1 MiB
+export const S2_RECORD_BASE_OVERHEAD_BYTES = 8;
+
+/**
+ * Thrown when a record's metered size would exceed S2's hard per-record
+ * limit. Caught by the route handler and surfaced as 413.
+ */
+export class S2RecordTooLargeError extends ServiceValidationError {
+  constructor(public readonly meteredBytes: number) {
+    super(
+      `Record metered size ${meteredBytes} bytes exceeds the S2 per-record limit of ${S2_MAX_METERED_BYTES} bytes. Reduce tool-output size or split into smaller parts.`,
+      413
+    );
+    this.name = "S2RecordTooLargeError";
+  }
+}
 
 export type S2RealtimeStreamsOptions = {
   // S2
@@ -32,6 +63,16 @@ export type S2RealtimeStreamsOptions = {
   }>;
 };
 
+// Ops the issued S2 access token is scoped to. `trim` is a distinct op
+// from `append` even though trim records are appended like any other —
+// without it, `AppendRecord.trim()` 403s with "Operation not permitted".
+// `chat.agent`'s per-turn trim chain depends on it.
+//
+// The fingerprint folds the ops list into the cache key, so any future
+// scope change auto-invalidates pre-deploy cached tokens.
+const S2_TOKEN_OPS = ["append", "create-stream", "trim"] as const;
+const S2_TOKEN_OPS_FINGERPRINT = [...S2_TOKEN_OPS].sort().join(",");
+
 type S2IssueAccessTokenResponse = { access_token: string };
 type S2AppendInput = { records: { body: string }[] };
 type S2AppendAck = {
@@ -88,9 +129,42 @@ export class S2RealtimeStreams implements StreamResponder, StreamIngestor {
     return `${this.streamPrefix}/runs/${runId}/${streamId}`;
   }
 
+  /**
+   * Build an S2 stream name for a `Session`-primitive channel, addressed by
+   * the session's `friendlyId` and the I/O direction. Used by the session
+   * realtime routes to route traffic to `sessions/{friendlyId}/{out|in}`.
+   */
+  public toSessionStreamName(friendlyId: string, io: "out" | "in"): string {
+    return `${this.streamPrefix}/sessions/${friendlyId}/${io}`;
+  }
+
   async initializeStream(
     runId: string,
     streamId: string
+  ): Promise<{ responseHeaders?: Record<string, string> }> {
+    return this.#initializeStreamByName(
+      this.toStreamName(runId, streamId),
+      `/runs/${runId}/${streamId}`
+    );
+  }
+
+  /**
+   * Initialize an S2 stream by `(sessionFriendlyId, io)` — mirrors
+   * {@link initializeStream} but addresses the new `sessions/*` key format.
+   */
+  async initializeSessionStream(
+    friendlyId: string,
+    io: "out" | "in"
+  ): Promise<{ responseHeaders?: Record<string, string> }> {
+    return this.#initializeStreamByName(
+      this.toSessionStreamName(friendlyId, io),
+      `/sessions/${friendlyId}/${io}`
+    );
+  }
+
+  async #initializeStreamByName(
+    prefixedName: string,
+    relativeName: string
   ): Promise<{ responseHeaders?: Record<string, string> }> {
     const accessToken = this.skipAccessTokens
       ? this.token
@@ -99,9 +173,7 @@ export class S2RealtimeStreams implements StreamResponder, StreamIngestor {
     return {
       responseHeaders: {
         "X-S2-Access-Token": accessToken,
-        "X-S2-Stream-Name": this.skipAccessTokens
-          ? this.toStreamName(runId, streamId)
-          : `/runs/${runId}/${streamId}`,
+        "X-S2-Stream-Name": this.skipAccessTokens ? prefixedName : relativeName,
         "X-S2-Basin": this.basin,
         "X-S2-Flush-Interval-Ms": this.flushIntervalMs.toString(),
         "X-S2-Max-Retries": this.maxRetries.toString(),
@@ -121,12 +193,32 @@ export class S2RealtimeStreams implements StreamResponder, StreamIngestor {
   }
 
   async appendPart(part: string, partId: string, runId: string, streamId: string): Promise<void> {
-    const s2Stream = this.toStreamName(runId, streamId);
+    return this.#appendPartByName(part, partId, this.toStreamName(runId, streamId));
+  }
 
+  /**
+   * Append a single record to a `Session`-primitive channel.
+   */
+  async appendPartToSessionStream(
+    part: string,
+    partId: string,
+    friendlyId: string,
+    io: "out" | "in"
+  ): Promise<void> {
+    return this.#appendPartByName(part, partId, this.toSessionStreamName(friendlyId, io));
+  }
+
+  async #appendPartByName(part: string, partId: string, s2Stream: string): Promise<void> {
     this.logger.debug(`S2 appending to stream`, { part, stream: s2Stream });
 
+    const recordBody = JSON.stringify({ data: part, id: partId });
+    const meteredBytes = Buffer.byteLength(recordBody, "utf8") + S2_RECORD_BASE_OVERHEAD_BYTES;
+    if (meteredBytes > S2_MAX_METERED_BYTES) {
+      throw new S2RecordTooLargeError(meteredBytes);
+    }
+
     const result = await this.s2Append(s2Stream, {
-      records: [{ body: JSON.stringify({ data: part, id: partId }) }],
+      records: [{ body: recordBody }],
     });
 
     this.logger.debug(`S2 append result`, { result });
@@ -141,7 +233,22 @@ export class S2RealtimeStreams implements StreamResponder, StreamIngestor {
     streamId: string,
     afterSeqNum?: number
   ): Promise<StreamRecord[]> {
-    const s2Stream = this.toStreamName(runId, streamId);
+    return this.#readRecordsByName(this.toStreamName(runId, streamId), afterSeqNum);
+  }
+
+  /**
+   * Read records from a `Session`-primitive channel starting after the
+   * given sequence number. Used by the `.wait()` race-check path.
+   */
+  async readSessionStreamRecords(
+    friendlyId: string,
+    io: "out" | "in",
+    afterSeqNum?: number
+  ): Promise<StreamRecord[]> {
+    return this.#readRecordsByName(this.toSessionStreamName(friendlyId, io), afterSeqNum);
+  }
+
+  async #readRecordsByName(s2Stream: string, afterSeqNum?: number): Promise<StreamRecord[]> {
     const startSeq = afterSeqNum != null ? afterSeqNum + 1 : 0;
 
     const qs = new URLSearchParams();
@@ -198,15 +305,37 @@ export class S2RealtimeStreams implements StreamResponder, StreamIngestor {
       if (eventType === "batch" && data) {
         try {
           const parsed = JSON.parse(data) as {
-            records: Array<{ body: string; seq_num: number; timestamp: number }>;
+            records: Array<{
+              body: string;
+              seq_num: number;
+              timestamp: number;
+              headers?: Array<[string, string]>;
+            }>;
           };
 
           for (const record of parsed.records) {
-            const parsedBody = JSON.parse(record.body) as { data: string; id: string };
+            // S2 command records (trim/fence) have a single header with
+            // empty name. Skip — callers want only data + Trigger control
+            // records.
+            if (record.headers?.[0]?.[0] === "") {
+              continue;
+            }
+
+            // Data records carry a JSON envelope; Trigger control records
+            // have an empty body and route via headers. Tolerate non-JSON
+            // bodies so a control record (or a malformed data record)
+            // doesn't take the whole batch down with it.
+            let parsedBody: { data: string; id: string } | undefined;
+            try {
+              parsedBody = JSON.parse(record.body) as { data: string; id: string };
+            } catch {
+              parsedBody = undefined;
+            }
             records.push({
-              data: parsedBody.data,
-              id: parsedBody.id,
+              data: parsedBody?.data ?? "",
+              id: parsedBody?.id ?? "",
               seqNum: record.seq_num,
+              headers: record.headers,
             });
           }
         } catch {
@@ -227,7 +356,162 @@ export class S2RealtimeStreams implements StreamResponder, StreamIngestor {
     signal: AbortSignal,
     options?: StreamResponseOptions
   ): Promise<Response> {
-    const s2Stream = this.toStreamName(runId, streamId);
+    return this.#streamResponseByName(this.toStreamName(runId, streamId), signal, options);
+  }
+
+  /**
+   * Serve SSE from a `Session`-primitive channel addressed by
+   * `(friendlyId, io)`.
+   *
+   * For `io=out`, peek the tail of the stream. If the most recent
+   * non-command record is a `turn-complete` control record (i.e. the
+   * agent has finished a turn and is either idle-waiting on `.in` or
+   * has exited), no more chunks will arrive without further user
+   * action. We switch the downstream S2 read to `wait=0` (drain
+   * whatever's left, close fast) and set `X-Session-Settled: true` so
+   * the client knows this SSE close is terminal instead of the normal
+   * 60s long-poll cycle.
+   *
+   * The actual tail is now usually an S2 `trim` command record (the
+   * agent appends one after every turn-complete to keep `.out`
+   * bounded). The peek reads two records and walks past the trim to
+   * find the turn-complete underneath.
+   *
+   * Mid-turn tail (streaming UIMessageChunk) falls through to the
+   * long-poll path; a crashed-mid-turn stream is indistinguishable
+   * here and behaves like today (client sees wait=60 close, retries).
+   */
+  async streamResponseFromSessionStream(
+    request: Request,
+    friendlyId: string,
+    io: "out" | "in",
+    signal: AbortSignal,
+    options?: StreamResponseOptions
+  ): Promise<Response> {
+    const s2Stream = this.toSessionStreamName(friendlyId, io);
+
+    let waitSeconds = options?.timeoutInSeconds ?? this.s2WaitSeconds;
+    let settled = false;
+
+    // Only peek + settle when the client opts in via `options.peekSettled`.
+    // Reconnect-on-reload paths (`TriggerChatTransport.reconnectToStream`)
+    // set it; active send-a-message paths don't — otherwise the peek
+    // races the newly-triggered turn's first chunk and the SSE closes
+    // before records land.
+    if (io === "out" && options?.peekSettled) {
+      settled = await this.#peekIsSettled(s2Stream);
+      if (settled) {
+        waitSeconds = 0;
+      }
+    }
+
+    const s2Response = await this.#streamResponseByName(s2Stream, signal, {
+      ...options,
+      timeoutInSeconds: waitSeconds,
+    });
+
+    if (!settled) return s2Response;
+
+    const headers = new Headers(s2Response.headers);
+    headers.set("X-Session-Settled", "true");
+    return new Response(s2Response.body, {
+      status: s2Response.status,
+      statusText: s2Response.statusText,
+      headers,
+    });
+  }
+
+  /**
+   * Peek the tail of `.out` and return whether the stream is "settled" —
+   * i.e. the most recent non-command record is a `turn-complete` control
+   * record. The agent appends an S2 `trim` command record immediately
+   * after every turn-complete to keep the stream bounded, so we read two
+   * tail records and walk past any trim command to find the
+   * turn-complete underneath.
+   */
+  async #peekIsSettled(s2Stream: string): Promise<boolean> {
+    const qs = new URLSearchParams();
+    // `tail_offset=2` rewinds two seq positions; `count=2` caps it to
+    // those two records. At steady state these are `[turn-complete, trim]`.
+    // `wait=0` returns immediately with no long-poll.
+    qs.set("tail_offset", "2");
+    qs.set("count", "2");
+    qs.set("wait", "0");
+
+    let res: Response;
+    try {
+      res = await fetch(
+        `${this.baseUrl}/streams/${encodeURIComponent(s2Stream)}/records?${qs}`,
+        {
+          method: "GET",
+          headers: {
+            Authorization: `Bearer ${this.token}`,
+            Accept: "application/json",
+            "S2-Format": "raw",
+            "S2-Basin": this.basin,
+          },
+        }
+      );
+    } catch (err) {
+      this.logger.warn("S2 peek last record: fetch failed", { err, stream: s2Stream });
+      return false;
+    }
+
+    if (!res.ok) {
+      // 404: stream has never been written to. 416: range not
+      // satisfiable (empty stream). Both mean "nothing to peek."
+      if (res.status === 404 || res.status === 416) return false;
+      const text = await res.text().catch(() => "");
+      this.logger.warn("S2 peek last record failed", {
+        status: res.status,
+        statusText: res.statusText,
+        text,
+        stream: s2Stream,
+      });
+      return false;
+    }
+
+    let records: Array<{
+      body: string;
+      seq_num: number;
+      timestamp: number;
+      headers?: Array<[string, string]>;
+    }>;
+    try {
+      const json = (await res.json()) as {
+        records?: Array<{
+          body: string;
+          seq_num: number;
+          timestamp: number;
+          headers?: Array<[string, string]>;
+        }>;
+      };
+      records = json.records ?? [];
+    } catch (err) {
+      this.logger.warn("S2 peek last record: parse failed", { err, stream: s2Stream });
+      return false;
+    }
+
+    // Walk from most-recent backward, skipping S2 command records
+    // (`headers[0][0] === ""`). The first non-command record is the
+    // real tail — settled iff its `trigger-control` header is
+    // `turn-complete`.
+    for (let i = records.length - 1; i >= 0; i--) {
+      const record = records[i]!;
+      if (record.headers?.[0]?.[0] === "") {
+        continue;
+      }
+      const controlValue = headerValue(record.headers, "trigger-control");
+      return controlValue === "turn-complete";
+    }
+    return false;
+  }
+
+  async #streamResponseByName(
+    s2Stream: string,
+    signal: AbortSignal,
+    options?: StreamResponseOptions
+  ): Promise<Response> {
     const startSeq = this.parseLastEventId(options?.lastEventId);
 
     this.logger.info(`S2 streaming records from stream`, { stream: s2Stream, startSeq });
@@ -246,8 +530,16 @@ export class S2RealtimeStreams implements StreamResponder, StreamIngestor {
 
   // ---------- Internals: S2 REST ----------
   private async s2Append(stream: string, body: S2AppendInput): Promise<S2AppendAck> {
-    // POST /v1/streams/{stream}/records (JSON)
-    const res = await fetch(`${this.baseUrl}/streams/${encodeURIComponent(stream)}/records`, {
+    // POST /v1/streams/{stream}/records (JSON).
+    //
+    // Retries transient failures (network errors and 5xx) up to 3 times with
+    // exponential backoff. Undici's "fetch failed" errors observed locally
+    // are pre-connection (DNS/TCP) so the request never reaches S2, making
+    // retry safe — the alternative is a 500 surfacing to the SDK transport,
+    // which then retries the whole `/in/append` round-trip and pollutes
+    // logs. 4xx are not retried (genuine client errors).
+    const url = `${this.baseUrl}/streams/${encodeURIComponent(stream)}/records`;
+    const init: RequestInit = {
       method: "POST",
       headers: {
         Authorization: `Bearer ${this.token}`,
@@ -256,12 +548,60 @@ export class S2RealtimeStreams implements StreamResponder, StreamIngestor {
         "S2-Basin": this.basin,
       },
       body: JSON.stringify(body),
-    });
-    if (!res.ok) {
-      const text = await res.text().catch(() => "");
-      throw new Error(`S2 append failed: ${res.status} ${res.statusText} ${text}`);
+    };
+
+    const maxAttempts = 3;
+    const backoffsMs = [100, 250, 600];
+    let lastError: unknown;
+
+    for (let attempt = 0; attempt < maxAttempts; attempt++) {
+      // The `try` only wraps `fetch` — once we have a Response we handle status
+      // outside the catch, so a 4xx throw can't be swallowed and retried.
+      let res: Response | undefined;
+      try {
+        res = await fetch(url, init);
+      } catch (err) {
+        lastError = err;
+      }
+
+      if (res) {
+        if (res.ok) {
+          return (await res.json()) as S2AppendAck;
+        }
+        const text = await res.text().catch(() => "");
+        const httpError = new Error(
+          `S2 append failed: ${res.status} ${res.statusText} ${text}`
+        );
+        if (res.status >= 400 && res.status < 500) {
+          // 4xx — caller-side problem (auth, malformed body, closed stream).
+          // Retrying won't help.
+          throw httpError;
+        }
+        // 5xx — retryable.
+        lastError = httpError;
+      }
+
+      const isLastAttempt = attempt === maxAttempts - 1;
+      const diagnostics = describeFetchError(lastError);
+      if (isLastAttempt) {
+        this.logger.error("S2 append failed after retries", {
+          stream,
+          attempts: maxAttempts,
+          ...diagnostics,
+        });
+        break;
+      }
+
+      this.logger.warn("S2 append transient failure, retrying", {
+        stream,
+        attempt: attempt + 1,
+        nextDelayMs: backoffsMs[attempt],
+        ...diagnostics,
+      });
+      await new Promise((resolve) => setTimeout(resolve, backoffsMs[attempt]));
     }
-    return (await res.json()) as S2AppendAck;
+
+    throw lastError instanceof Error ? lastError : new Error(String(lastError));
   }
 
   private async getS2AccessToken(id: string): Promise<string> {
@@ -269,7 +609,12 @@ export class S2RealtimeStreams implements StreamResponder, StreamIngestor {
       return this.s2IssueAccessToken(id);
     }
 
-    const result = await this.cache.accessToken.swr(this.streamPrefix, async () => {
+    // Cache key includes basin so per-org basins never collide on
+    // cached tokens, and the ops fingerprint so a scope change in code
+    // (e.g. adding `trim` in #3644) auto-invalidates pre-deploy entries
+    // instead of returning stale tokens for up to 24h.
+    const cacheKey = `${this.basin}:${this.streamPrefix}:${S2_TOKEN_OPS_FINGERPRINT}`;
+    const result = await this.cache.accessToken.swr(cacheKey, async () => {
       return this.s2IssueAccessToken(id);
     });
 
@@ -294,7 +639,7 @@ export class S2RealtimeStreams implements StreamResponder, StreamIngestor {
           basins: {
             exact: this.basin,
           },
-          ops: ["append", "create-stream"],
+          ops: [...S2_TOKEN_OPS],
           streams: {
             prefix: this.streamPrefix,
           },
@@ -362,3 +707,40 @@ export class S2RealtimeStreams implements StreamResponder, StreamIngestor {
     return Number.isFinite(n) && n >= 0 ? n + 1 : undefined;
   }
 }
+
+// Pulls the underlying network error out of undici's generic "fetch failed".
+// undici sets `error.cause` to either a SystemError-shaped object with `code`
+// (e.g. `ECONNRESET`, `UND_ERR_SOCKET`, `ETIMEDOUT`), `errno`, and `syscall`,
+// or — for happy-eyeballs / multi-address connect attempts — an
+// `AggregateError` whose `errors[]` each carry their own code. Surfacing
+// those tells us whether failures are pre-connection (DNS / TCP), mid-stream
+// socket resets, or genuine S2 server errors.
+function describeFetchError(err: unknown): Record<string, unknown> {
+  if (!(err instanceof Error)) {
+    return { error: String(err) };
+  }
+  const out: Record<string, unknown> = {
+    error: err.message,
+    name: err.name,
+  };
+  const cause = (err as { cause?: unknown }).cause;
+  if (cause && typeof cause === "object") {
+    const c = cause as Record<string, unknown>;
+    if (typeof c.code === "string") out.causeCode = c.code;
+    if (typeof c.errno === "number" || typeof c.errno === "string") out.causeErrno = c.errno;
+    if (typeof c.syscall === "string") out.causeSyscall = c.syscall;
+    if (typeof c.message === "string") out.causeMessage = c.message;
+    if (Array.isArray(c.errors)) {
+      out.causeErrors = c.errors
+        .filter((e: unknown): e is Error => e instanceof Error)
+        .map((e) => ({
+          message: e.message,
+          code: (e as { code?: unknown }).code,
+          syscall: (e as { syscall?: unknown }).syscall,
+          address: (e as { address?: unknown }).address,
+          port: (e as { port?: unknown }).port,
+        }));
+    }
+  }
+  return out;
+}
diff --git a/apps/webapp/app/services/realtime/sessionRunManager.server.ts b/apps/webapp/app/services/realtime/sessionRunManager.server.ts
new file mode 100644
index 00000000000..95fc87e2018
--- /dev/null
+++ b/apps/webapp/app/services/realtime/sessionRunManager.server.ts
@@ -0,0 +1,535 @@
+import type { Session, TaskRunStatus } from "@trigger.dev/database";
+import { SessionTriggerConfig as SessionTriggerConfigZod } from "@trigger.dev/core/v3";
+import { z } from "zod";
+import { prisma, $replica } from "~/db.server";
+import type { AuthenticatedEnvironment } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
+import { CancelTaskRunService } from "~/v3/services/cancelTaskRun.server";
+import { TriggerTaskService } from "~/v3/services/triggerTask.server";
+import { isFinalRunStatus } from "~/v3/taskStatus";
+
+/**
+ * Schema for `Session.triggerConfig` (stored as JSONB). The wire-format
+ * source of truth lives in `@trigger.dev/core/v3` as `SessionTriggerConfig`;
+ * we re-export it here for the trigger machinery to validate on read.
+ *
+ * `basePayload` carries the customer's wire payload (for chat.agent:
+ * `{ chatId, ...clientData, idleTimeoutInSeconds? }`). Runtime fields
+ * specific to a particular trigger (e.g. `trigger: "trigger" | "preload"`,
+ * an `isContinuation` flag) come in via the `payloadOverrides` argument
+ * to `ensureRunForSession` and shallow-merge on top of `basePayload`.
+ */
+export const SessionTriggerConfigSchema = SessionTriggerConfigZod;
+
+export type SessionTriggerConfig = z.infer<typeof SessionTriggerConfigSchema>;
+
+export type EnsureRunReason = "initial" | "continuation" | "upgrade" | "manual";
+
+/**
+ * Hard cap on how many times `ensureRunForSession` will recurse on the
+ * pathological "we lost the claim race AND the winner's run was already
+ * terminal" path. In practice progress through the run engine bounds
+ * this, but a misconfigured task that crashes before it can be dequeued
+ * could otherwise loop without limit. After this many attempts we
+ * surface `SessionRunManagerError` so the caller can 5xx instead of
+ * blowing the stack.
+ */
+const ENSURE_RUN_FOR_SESSION_MAX_ATTEMPTS = 3;
+
+type EnsureRunForSessionParams = {
+  /**
+   * Session row to operate on. Caller is responsible for the env match —
+   * we don't re-check `runtimeEnvironmentId` against `environment.id`.
+   *
+   * `friendlyId` is used to pre-populate `payload.sessionId` on the new
+   * run so the agent's `chat.agent` boot path can attach to `session.in/.out`
+   * without a control-plane round-trip. `currentRunId` is also forwarded
+   * as `payload.previousRunId` (with `continuation: true`) when the prior
+   * run is dead, so the agent's boot gate triggers snapshot.read + replay
+   * instead of treating the run as a fresh chat.
+   */
+  session: Pick<
+    Session,
+    | "id"
+    | "friendlyId"
+    | "taskIdentifier"
+    | "triggerConfig"
+    | "currentRunId"
+    | "currentRunVersion"
+  >;
+  environment: AuthenticatedEnvironment;
+  reason: EnsureRunReason;
+  /**
+   * Shallow-merged on top of `triggerConfig.basePayload`. Runtime fields
+   * only — caller-controlled data that varies per trigger (`trigger:
+   * "preload"` vs `"trigger"`, etc).
+   */
+  payloadOverrides?: Record<string, unknown>;
+  /**
+   * @internal Recursion-guard counter for the lost-claim-race retry path.
+   * Public callers should leave this unset; the function recurses with
+   * an incremented value on the pathological "winner's run was already
+   * terminal" branch and throws once it exceeds
+   * {@link ENSURE_RUN_FOR_SESSION_MAX_ATTEMPTS}.
+   */
+  _attempt?: number;
+};
+
+export type EnsureRunResult = {
+  runId: string;
+  /** True if this call triggered a fresh run; false if it reused an alive existing one. */
+  triggered: boolean;
+};
+
+/**
+ * Idempotently make sure the session has a live run.
+ *
+ * Algorithm:
+ *   1. If `currentRunId` is set, probe its status. Alive → return as-is.
+ *   2. Trigger a new run upfront (cheap to cancel if we lose the race).
+ *   3. Atomic claim via `updateMany` keyed on `currentRunVersion`.
+ *      - Won: return new runId, record SessionRun audit row.
+ *      - Lost: cancel our triggered run, re-read session, reuse winner's
+ *        run if alive. If pathological (winner's run already terminal),
+ *        recurse.
+ *
+ * No DB lock is held across the trigger call. Wasted-trigger window is
+ * the rare multi-tab race on a dead run; cancel cost is negligible and
+ * the run-engine handles it gracefully.
+ */
+export async function ensureRunForSession(
+  params: EnsureRunForSessionParams
+): Promise<EnsureRunResult> {
+  const { session, environment, reason, payloadOverrides, _attempt = 1 } = params;
+
+  if (_attempt > ENSURE_RUN_FOR_SESSION_MAX_ATTEMPTS) {
+    throw new SessionRunManagerError(
+      `ensureRunForSession exceeded ${ENSURE_RUN_FOR_SESSION_MAX_ATTEMPTS} attempts for session ${session.id} — every triggered run reached a terminal state before claim could resolve`
+    );
+  }
+
+  // 1. Probe currentRunId.
+  let priorDeadRunFriendlyId: string | undefined;
+  if (session.currentRunId) {
+    const probe = await getRunStatusAndFriendlyId(session.currentRunId);
+    if (probe && !isFinalRunStatus(probe.status)) {
+      return { runId: session.currentRunId, triggered: false };
+    }
+    // Either the row vanished (probe null) or its status is final. Either
+    // way the prior run isn't going to consume new appends — but the
+    // session may still hold conversation state on `session.out` and an
+    // S3 snapshot keyed on `session.friendlyId`. Forward the prior run's
+    // public-form id (friendlyId — same shape as `ctx.run.id`) to the
+    // agent as `previousRunId` so its boot gate flips
+    // `couldHavePriorState` and replays the persisted state instead of
+    // treating this as a fresh chat. See `chat.agent`'s boot orchestration
+    // in `packages/trigger-sdk/src/v3/ai.ts`.
+    if (probe?.friendlyId) {
+      priorDeadRunFriendlyId = probe.friendlyId;
+    } else {
+      // Replica miss on a row we just observed via `currentRunId`. Retry
+      // on the writer so the customer's `runs.retrieve(previousRunId)`
+      // gets the public `run_*` form rather than the internal cuid.
+      const writerProbe = await prisma.taskRun.findFirst({
+        where: { id: session.currentRunId },
+        select: { friendlyId: true },
+      });
+      priorDeadRunFriendlyId = writerProbe?.friendlyId ?? session.currentRunId;
+    }
+  }
+
+  // 2. Validate config + trigger upfront. Continuation overrides
+  // (`continuation`, `previousRunId`) are derived from session state above
+  // and merged AFTER caller-supplied overrides — caller can't accidentally
+  // unset them on a session that has had a prior run, but can still
+  // override `trigger`/`metadata` etc. `sessionId` is always set so the
+  // agent doesn't need a control-plane round-trip to look up the session
+  // friendlyId from `payload.chatId`.
+  // Continuation overrides strip the basePayload's first-run-only fields
+  // so a continuation run doesn't inherit a stale boot payload. The Session
+  // row's `triggerConfig.basePayload` is captured at create-time and used
+  // verbatim for every Run we trigger; if the customer included `message`
+  // / `messages` / `trigger: "submit-message"` to make the FIRST run boot
+  // straight into a first turn (via `chat.createStartSessionAction`), those
+  // values stick around and get replayed on every continuation. With
+  // `continuation: true` and `message`/`messages` cleared, the SDK boot
+  // path enters its continuation-wait branch and waits for the next
+  // session.in record before running a turn.
+  const continuationOverrides: Record<string, unknown> = {
+    sessionId: session.friendlyId,
+    ...(priorDeadRunFriendlyId !== undefined
+      ? {
+          continuation: true,
+          previousRunId: priorDeadRunFriendlyId,
+          // Clear sticky boot-payload fields so the new run waits for the
+          // next session.in record instead of re-processing whatever was
+          // in the original `createStartSessionAction({ basePayload })`.
+          message: undefined,
+          messages: undefined,
+          trigger: undefined,
+        }
+      : {}),
+  };
+  const mergedPayloadOverrides: Record<string, unknown> = {
+    ...(payloadOverrides ?? {}),
+    ...continuationOverrides,
+  };
+
+  const config = SessionTriggerConfigSchema.parse(session.triggerConfig);
+  const triggered = await triggerSessionRun({
+    session,
+    config,
+    environment,
+    payloadOverrides: mergedPayloadOverrides,
+  });
+
+  // 3. Try to claim the slot atomically.
+  const claim = await prisma.session.updateMany({
+    where: {
+      id: session.id,
+      currentRunVersion: session.currentRunVersion,
+    },
+    data: {
+      currentRunId: triggered.id,
+      currentRunVersion: { increment: 1 },
+    },
+  });
+
+  if (claim.count === 1) {
+    // Won. Audit the SessionRun. Best-effort — failure here doesn't
+    // invalidate the live run, just leaves a missing audit row.
+    prisma.sessionRun
+      .create({
+        data: { sessionId: session.id, runId: triggered.id, reason },
+      })
+      .catch((error) => {
+        logger.warn("Failed to record SessionRun audit row", {
+          sessionId: session.id,
+          runId: triggered.id,
+          reason,
+          error,
+        });
+      });
+
+    return { runId: triggered.id, triggered: true };
+  }
+
+  // 4. Lost the race. Cancel our triggered run; reuse the winner's.
+  cancelLostRaceRun(triggered.id, environment).catch((error) => {
+    logger.warn("Failed to cancel lost-race session run", {
+      sessionId: session.id,
+      runId: triggered.id,
+      error,
+    });
+  });
+
+  // Read-after-write: the winner just wrote `currentRunId` /
+  // `currentRunVersion` on the writer. Reading from `$replica` could
+  // return pre-race state and cause us to recurse with the same stale
+  // version, losing the next claim, until we exhaust max attempts.
+  const fresh = await prisma.session.findFirst({
+    where: { id: session.id },
+    select: {
+      id: true,
+      friendlyId: true,
+      taskIdentifier: true,
+      triggerConfig: true,
+      currentRunId: true,
+      currentRunVersion: true,
+    },
+  });
+
+  if (!fresh) {
+    // Session vanished mid-flight. Surface as an error — caller decides
+    // whether to 404 or retry.
+    throw new SessionRunManagerError(`Session ${session.id} not found after lost claim race`);
+  }
+
+  if (fresh.currentRunId) {
+    // Same read-after-write reason as the `fresh` reload above: the winner
+    // just wrote `currentRunId` on the writer, so probe the writer too —
+    // the replica may not have the run row yet, and a missed probe forces
+    // another trigger+recurse until `ENSURE_RUN_FOR_SESSION_MAX_ATTEMPTS`.
+    const probe = await prisma.taskRun.findFirst({
+      where: { id: fresh.currentRunId },
+      select: { status: true, friendlyId: true },
+    });
+    if (probe && !isFinalRunStatus(probe.status)) {
+      return { runId: fresh.currentRunId, triggered: false };
+    }
+  }
+
+  // Pathological: winner's run already terminal. Recurse with the fresh
+  // version. Bounded by `ENSURE_RUN_FOR_SESSION_MAX_ATTEMPTS` so a task
+  // that always crashes before being dequeued surfaces as an error
+  // instead of a stack overflow.
+  return ensureRunForSession({
+    session: fresh,
+    environment,
+    reason,
+    payloadOverrides,
+    _attempt: _attempt + 1,
+  });
+}
+
+/**
+ * Trigger a single run for a session. Builds `TriggerTaskRequestBody`
+ * by shallow-merging `payloadOverrides` over `config.basePayload` and
+ * threading `config`'s machine/queue/tags through the trigger options.
+ */
+async function triggerSessionRun(params: {
+  session: Pick<Session, "id" | "taskIdentifier">;
+  config: SessionTriggerConfig;
+  environment: AuthenticatedEnvironment;
+  payloadOverrides?: Record<string, unknown>;
+}): Promise<{ id: string; friendlyId: string }> {
+  const { session, config, environment, payloadOverrides } = params;
+
+  const payload = {
+    ...config.basePayload,
+    ...(config.idleTimeoutInSeconds !== undefined
+      ? { idleTimeoutInSeconds: config.idleTimeoutInSeconds }
+      : {}),
+    ...(payloadOverrides ?? {}),
+  };
+
+  const body = {
+    payload,
+    context: {},
+    options: {
+      ...(config.machine ? { machine: config.machine as never } : {}),
+      ...(config.queue ? { queue: { name: config.queue } } : {}),
+      ...(config.tags ? { tags: config.tags } : {}),
+      ...(config.maxAttempts !== undefined ? { maxAttempts: config.maxAttempts } : {}),
+      ...(config.maxDuration !== undefined ? { maxDuration: config.maxDuration } : {}),
+      ...(config.lockToVersion ? { lockToVersion: config.lockToVersion } : {}),
+      ...(config.region ? { region: config.region } : {}),
+    },
+  };
+
+  const service = new TriggerTaskService();
+  const result = await service.call(session.taskIdentifier, environment, body, {
+    triggerSource: "session",
+    triggerAction: "trigger",
+  });
+
+  if (!result) {
+    throw new SessionRunManagerError(
+      `TriggerTaskService returned no result for taskIdentifier=${session.taskIdentifier}`
+    );
+  }
+
+  return { id: result.run.id, friendlyId: result.run.friendlyId };
+}
+
+type SwapSessionRunParams = {
+  /**
+   * Session row to swap. `friendlyId` is forwarded as `payload.sessionId`
+   * on the new run so the agent attaches to `session.in/.out` without a
+   * control-plane round-trip (same convention as
+   * {@link EnsureRunForSessionParams}).
+   */
+  session: Pick<
+    Session,
+    | "id"
+    | "friendlyId"
+    | "taskIdentifier"
+    | "triggerConfig"
+    | "currentRunId"
+    | "currentRunVersion"
+  >;
+  /**
+   * The run requesting the swap. Optimistic claim requires
+   * `Session.currentRunId === callingRunId` so the swap can't clobber
+   * a run triggered out-of-band (e.g. a parallel `.in/append` probe
+   * that already replaced the dead run).
+   *
+   * Also forwarded as `payload.previousRunId` on the new run alongside
+   * `continuation: true` — every swap is a continuation by construction
+   * (`chat.requestUpgrade` / `chat.endRun` deliberately hand off prior
+   * conversation state to a new run), so the agent's boot gate flips
+   * `couldHavePriorState` and replays the snapshot + session.out tail.
+   */
+  callingRunId: string;
+  environment: AuthenticatedEnvironment;
+  reason: EnsureRunReason;
+  payloadOverrides?: Record<string, unknown>;
+};
+
+export type SwapSessionRunResult = {
+  /** runId of the newly-triggered run that has taken over the session. */
+  runId: string;
+  /**
+   * False when the swap was preempted (currentRunId is no longer the
+   * calling run). The caller should treat this as "someone else
+   * already moved on" — exit cleanly without expecting to drive the
+   * next run.
+   */
+  swapped: boolean;
+};
+
+/**
+ * Force-swap the session to a freshly-triggered run, regardless of
+ * whether the current run is alive. Called by `end-and-continue` when
+ * the running agent wants a clean handoff (typically version upgrade).
+ *
+ * Differs from `ensureRunForSession`: never reuses the current run.
+ * The optimistic claim is keyed on `currentRunId === callingRunId`, so
+ * a parallel append-time probe that already swapped to a different
+ * run wins the race and `swapped: false` is surfaced.
+ */
+export async function swapSessionRun(
+  params: SwapSessionRunParams
+): Promise<SwapSessionRunResult> {
+  const { session, callingRunId, environment, reason, payloadOverrides } = params;
+
+  // `callingRunId` is the internal cuid (`Session.currentRunId` stores
+  // cuid; the route handler resolves the wire's friendlyId before passing
+  // it here). The agent's `previousRunId` is customer-visible and must
+  // match the public `run_*` form exposed via `ctx.run.id` — resolve
+  // before forwarding.
+  const callingRunFriendlyId = await resolveRunFriendlyId(callingRunId);
+
+  // Continuation overrides — unconditionally set on swap. Unlike
+  // `ensureRunForSession`, there's no dead-run-detection branch here:
+  // every swap is a deliberate handoff from `callingRunId` (which owned
+  // prior conversation state) to a fresh run. Merged AFTER caller-supplied
+  // overrides so a caller can't accidentally unset them.
+  //
+  // Sticky boot-payload fields (`message` / `messages` / `trigger`) are
+  // cleared here for the same reason as in `ensureRunForSession`: the
+  // Session's basePayload is captured at create-time and replays on every
+  // continuation if not stripped. See the comment in `ensureRunForSession`.
+  const mergedPayloadOverrides: Record<string, unknown> = {
+    ...(payloadOverrides ?? {}),
+    sessionId: session.friendlyId,
+    continuation: true,
+    previousRunId: callingRunFriendlyId,
+    message: undefined,
+    messages: undefined,
+    trigger: undefined,
+  };
+
+  const config = SessionTriggerConfigSchema.parse(session.triggerConfig);
+  const triggered = await triggerSessionRun({
+    session,
+    config,
+    environment,
+    payloadOverrides: mergedPayloadOverrides,
+  });
+
+  const claim = await prisma.session.updateMany({
+    where: {
+      id: session.id,
+      currentRunId: callingRunId,
+      currentRunVersion: session.currentRunVersion,
+    },
+    data: {
+      currentRunId: triggered.id,
+      currentRunVersion: { increment: 1 },
+    },
+  });
+
+  if (claim.count === 1) {
+    prisma.sessionRun
+      .create({
+        data: { sessionId: session.id, runId: triggered.id, reason },
+      })
+      .catch((error) => {
+        logger.warn("Failed to record SessionRun audit row", {
+          sessionId: session.id,
+          runId: triggered.id,
+          reason,
+          error,
+        });
+      });
+    return { runId: triggered.id, swapped: true };
+  }
+
+  // Lost the race — someone else already swapped to a new run. Cancel
+  // ours, surface the existing winner.
+  cancelLostRaceRun(triggered.id, environment).catch((error) => {
+    logger.warn("Failed to cancel preempted swap run", {
+      sessionId: session.id,
+      runId: triggered.id,
+      error,
+    });
+  });
+
+  // Read-after-write: the winner's swap was just committed on the
+  // writer. A replica read could return the pre-swap `currentRunId`
+  // (often `callingRunId` itself), which would tell the caller it is
+  // still the canonical run when in fact a different run has taken
+  // over.
+  const fresh = await prisma.session.findFirst({
+    where: { id: session.id },
+    select: { currentRunId: true },
+  });
+
+  // Mirror `ensureRunForSession`'s "session vanished" branch: if we
+  // can't find the row (or it has no current run) on the writer right
+  // after losing the race, surface as an error rather than handing back
+  // `callingRunId` with `swapped: false` — that would tell the caller
+  // it's still the canonical run when in fact we don't know who is.
+  if (!fresh?.currentRunId) {
+    throw new SessionRunManagerError(
+      `Session ${session.id} has no currentRunId after preempted swap`
+    );
+  }
+
+  return {
+    runId: fresh.currentRunId,
+    swapped: false,
+  };
+}
+
+async function getRunStatusAndFriendlyId(
+  runId: string
+): Promise<{ status: TaskRunStatus; friendlyId: string } | null> {
+  // Use the read replica — this is a hot-path probe and stale-by-ms is
+  // fine. The append handler re-checks if it ends up reusing the runId.
+  // `friendlyId` is fetched alongside `status` so the dead-run-detection
+  // branch in `ensureRunForSession` can forward the public-form id as
+  // `payload.previousRunId` without a second read. `Session.currentRunId`
+  // stores the internal cuid; the agent's wire / customer hooks expose
+  // the friendlyId via `ctx.run.id`, so consistency matters.
+  const row = await $replica.taskRun.findFirst({
+    where: { id: runId },
+    select: { status: true, friendlyId: true },
+  });
+  return row ?? null;
+}
+
+/**
+ * Resolve a TaskRun cuid to its friendlyId. Used by `swapSessionRun` to
+ * forward the calling run's public-form id as `payload.previousRunId` on
+ * the new run. Falls back to the cuid on lookup miss so the swap doesn't
+ * fail just because the read replica hasn't caught up — the agent only
+ * uses `previousRunId` for customer-visible bookkeeping (e.g.
+ * `runs.retrieve(previousRunId)`), so a stale-but-non-null value is
+ * acceptable degraded behavior.
+ */
+async function resolveRunFriendlyId(runId: string): Promise<string> {
+  const row = await $replica.taskRun.findFirst({
+    where: { id: runId },
+    select: { friendlyId: true },
+  });
+  return row?.friendlyId ?? runId;
+}
+
+async function cancelLostRaceRun(
+  runId: string,
+  environment: AuthenticatedEnvironment
+): Promise<void> {
+  const service = new CancelTaskRunService();
+  // Read-after-write: the run was just triggered on the writer, so go
+  // through `prisma`. A `$replica` miss here would silently no-op the
+  // cancel and leak an orphan run that no session is going to claim.
+  const run = await prisma.taskRun.findFirst({ where: { id: runId } });
+  if (!run) return;
+  await service.call(run, { reason: "Lost session-run claim race" });
+}
+
+export class SessionRunManagerError extends Error {
+  readonly name = "SessionRunManagerError";
+}
diff --git a/apps/webapp/app/services/realtime/sessions.server.ts b/apps/webapp/app/services/realtime/sessions.server.ts
new file mode 100644
index 00000000000..226ec443d4c
--- /dev/null
+++ b/apps/webapp/app/services/realtime/sessions.server.ts
@@ -0,0 +1,162 @@
+import type { PrismaClient, Session } from "@trigger.dev/database";
+import type { SessionItem } from "@trigger.dev/core/v3";
+import { $replica } from "~/db.server";
+
+/**
+ * Prefix that {@link SessionId.generate} attaches to every Session friendlyId.
+ * Used to distinguish friendlyId lookups (`session_abc...`) from externalId
+ * lookups on the public `GET /api/v1/sessions/:session` route.
+ */
+const SESSION_FRIENDLY_ID_PREFIX = "session_";
+
+/**
+ * Resolve a session from a URL path parameter that may contain either a
+ * friendlyId (`session_abc...`) or a user-supplied externalId.
+ *
+ * Disambiguated by prefix: values starting with `session_` are treated as
+ * friendlyIds, anything else is looked up against `externalId` scoped to
+ * the caller's environment.
+ */
+export async function resolveSessionByIdOrExternalId(
+  prisma: Pick<PrismaClient, "session">,
+  runtimeEnvironmentId: string,
+  idOrExternalId: string
+): Promise<Session | null> {
+  if (isSessionFriendlyIdForm(idOrExternalId)) {
+    return prisma.session.findFirst({
+      where: { friendlyId: idOrExternalId, runtimeEnvironmentId },
+    });
+  }
+
+  // `findFirst` rather than `findUnique` per the repo rule — `findUnique`'s
+  // implicit DataLoader has open correctness bugs in Prisma 6.x that bite
+  // hot-path lookups exactly like this one.
+  return prisma.session.findFirst({
+    where: { runtimeEnvironmentId, externalId: idOrExternalId },
+  });
+}
+
+/** True for `session_*` friendlyId form, false for everything else. */
+export function isSessionFriendlyIdForm(value: string): boolean {
+  return value.startsWith(SESSION_FRIENDLY_ID_PREFIX);
+}
+
+/**
+ * Canonicalise the addressing key used for everything stream-level: the
+ * S2 stream path and the run-engine waitpoint cache key. `chat.agent`
+ * and the rest of the operational surface always pass `externalId`, but
+ * a public-API caller may legitimately address by `friendlyId` — and a
+ * session created without an `externalId` only has a friendlyId at all.
+ *
+ * Rule:
+ *   - If we have a Session row, the canonical key is `externalId` if
+ *     set, else `friendlyId`. This way two callers addressing the same
+ *     row via different forms always converge to the same S2 stream.
+ *   - If we have no row (yet — chat.agent's transport may subscribe
+ *     before the agent's bind-time upsert lands), the canonical key is
+ *     whatever the URL had. Operationally that's always an externalId.
+ *     Friendlyid-form callers without a matching row are rejected by
+ *     the route handler before this is reached.
+ */
+export function canonicalSessionAddressingKey(
+  row: Session | null,
+  paramSession: string
+): string {
+  if (row) {
+    return row.externalId ?? row.friendlyId;
+  }
+  return paramSession;
+}
+
+/**
+ * Convert a Prisma `Session` row to the public {@link SessionItem} wire format.
+ * Strips internal columns (project/environment/organization ids) and narrows
+ * the `metadata` JSON to a record.
+ *
+ * Note: `currentRunId` is left as-is — Prisma stores the internal run id
+ * (cuid), but `SessionItem.currentRunId` is the *friendly* form. Routes
+ * that emit `SessionItem`s must translate: single-row endpoints via
+ * {@link serializeSessionWithFriendlyRunId}, list endpoints via the
+ * batched {@link serializeSessionsWithFriendlyRunIds}. Never put this
+ * raw form on the wire directly.
+ */
+export function serializeSession(session: Session): SessionItem {
+  return {
+    id: session.friendlyId,
+    externalId: session.externalId,
+    type: session.type,
+    taskIdentifier: session.taskIdentifier,
+    triggerConfig: session.triggerConfig as SessionItem["triggerConfig"],
+    currentRunId: session.currentRunId,
+    tags: session.tags,
+    metadata: (session.metadata ?? null) as SessionItem["metadata"],
+    closedAt: session.closedAt,
+    closedReason: session.closedReason,
+    expiresAt: session.expiresAt,
+    createdAt: session.createdAt,
+    updatedAt: session.updatedAt,
+  };
+}
+
+/**
+ * Same as {@link serializeSession} but resolves `currentRunId` from the
+ * internal cuid to the public `run_*` friendlyId via a TaskRun lookup.
+ * Single-row endpoints (`POST/GET/PATCH/close /api/v1/sessions/:s`) use
+ * this so the wire-side `currentRunId` is consistent with the rest of
+ * the public API (which only accepts friendlyIds for run lookups).
+ *
+ * Skips the lookup when `currentRunId` is null. The read goes through
+ * `$replica` — a TaskRun's `friendlyId` is immutable so replica lag is
+ * harmless, and serializing on the writer would just add hot-path load.
+ */
+export async function serializeSessionWithFriendlyRunId(
+  session: Session
+): Promise<SessionItem> {
+  const base = serializeSession(session);
+  if (!session.currentRunId) return base;
+
+  const run = await $replica.taskRun.findFirst({
+    where: { id: session.currentRunId },
+    select: { friendlyId: true },
+  });
+
+  return {
+    ...base,
+    currentRunId: run?.friendlyId ?? null,
+  };
+}
+
+/**
+ * Batched form of {@link serializeSessionWithFriendlyRunId} for list
+ * endpoints: one `IN` lookup per page instead of N+1. `currentRunId` on
+ * the wire is always the public `run_*` friendlyId — the raw
+ * {@link serializeSession} form leaks the internal cuid, which customers
+ * can't use with `runs.retrieve(...)`.
+ */
+export async function serializeSessionsWithFriendlyRunIds(
+  sessions: Session[],
+  scope: { projectId: string; runtimeEnvironmentId: string }
+): Promise<SessionItem[]> {
+  const runIds = [...new Set(sessions.map((s) => s.currentRunId).filter((id): id is string => !!id))];
+
+  // `currentRunId` is a plain string pointer (no FK), so scope the lookup to
+  // the caller's tenant — a stale value must not resolve a run in another env.
+  const runs = runIds.length
+    ? await $replica.taskRun.findMany({
+        where: {
+          id: { in: runIds },
+          projectId: scope.projectId,
+          runtimeEnvironmentId: scope.runtimeEnvironmentId,
+        },
+        select: { id: true, friendlyId: true },
+      })
+    : [];
+  const friendlyIdByRunId = new Map(runs.map((run) => [run.id, run.friendlyId]));
+
+  return sessions.map((session) => ({
+    ...serializeSession(session),
+    currentRunId: session.currentRunId
+      ? friendlyIdByRunId.get(session.currentRunId) ?? null
+      : null,
+  }));
+}
diff --git a/apps/webapp/app/services/realtime/shadowCompare.server.ts b/apps/webapp/app/services/realtime/shadowCompare.server.ts
new file mode 100644
index 00000000000..27831dd68a2
--- /dev/null
+++ b/apps/webapp/app/services/realtime/shadowCompare.server.ts
@@ -0,0 +1,283 @@
+import {
+  type ElectricColumnType,
+  RUN_ELECTRIC_COLUMNS,
+  serializeRunRow,
+} from "./electricStreamProtocol.server";
+import { type RunHydrator, type RunListFilter, type RunListResolver } from "./runReader.server";
+
+/**
+ * Dual-run shadow-compare: the client is always served the Electric response while this re-derives what
+ * the native backend would emit and diffs the two, to prove parity on real traffic before cutover. Checks
+ * serialization (semantic per-column compare, gated on same updatedAt so a changed row is "skew", not a
+ * divergence) and membership (emitted id-set, only on tag/batch initial snapshots). Pure but for the injected deps.
+ */
+
+export type ShadowFeed = "run" | "runs" | "batch";
+
+type WireValue = Record<string, string | null>;
+
+type ShapeMessage = {
+  key?: string;
+  value?: WireValue;
+  headers: { operation?: string; control?: string };
+};
+
+const COLUMN_BY_NAME = new Map(RUN_ELECTRIC_COLUMNS.map((column) => [column.name, column]));
+
+export type ColumnDiff = {
+  runId: string;
+  column: string;
+  electric: string | null;
+  native: string | null;
+};
+
+export type ShadowCompareOutcome = {
+  feed: ShadowFeed;
+  /** Runs whose every emitted column matched (same-version). */
+  serializationMatched: number;
+  /** Runs with at least one semantic column divergence (same-version). */
+  serializationDiverged: number;
+  /** Runs that changed between Electric's emit and our refetch (not a divergence). */
+  serializationSkew: number;
+  /** Per-column divergences (capped) for logging. */
+  diffs: ColumnDiff[];
+  /** Set membership (tag/batch initial snapshot only). undefined when not checked. */
+  membershipMatch?: boolean;
+  missingInNative?: string[];
+  extraInNative?: string[];
+};
+
+export type ShadowCompareInput = {
+  feed: ShadowFeed;
+  /** The served Electric response body (a JSON array of messages, or "" / "[]"). */
+  electricBody: string;
+  environment: { id: string };
+  skipColumns: string[];
+  /** True when this was an initial snapshot request (offset=-1); enables membership compare. */
+  isInitialSnapshot: boolean;
+  /** When set (tag/batch initial snapshot), compare the resolved id-set. */
+  membershipFilter?: RunListFilter;
+};
+
+const MAX_DIFFS = 20;
+
+export class RealtimeShadowComparator {
+  constructor(
+    private readonly options: { runReader: RunHydrator; runListResolver: RunListResolver }
+  ) {}
+
+  async compare(input: ShadowCompareInput): Promise<ShadowCompareOutcome> {
+    const messages = parseBody(input.electricBody);
+    const changes = messages.filter(
+      (m): m is ShapeMessage & { value: WireValue } =>
+        typeof m.headers?.operation === "string" && !!m.value && m.headers.operation !== "delete"
+    );
+
+    const outcome: ShadowCompareOutcome = {
+      feed: input.feed,
+      serializationMatched: 0,
+      serializationDiverged: 0,
+      serializationSkew: 0,
+      diffs: [],
+    };
+
+    // Bulk-hydrate every emitted run in one query rather than a per-message round
+    // trip, so shadow mode doesn't inflate the very replica load it's measuring.
+    const emittedIds = changes
+      .map((m) => m.value.id)
+      .filter((id): id is string => typeof id === "string");
+    const hydrated = await this.options.runReader.hydrateByIds(input.environment.id, emittedIds);
+    const rowsById = new Map(hydrated.map((row) => [row.id, row]));
+
+    for (const message of changes) {
+      const runId = message.value.id ?? undefined;
+      if (!runId) {
+        continue;
+      }
+
+      const row = rowsById.get(runId);
+      if (!row) {
+        // Run no longer readable (deleted / replica miss). Not a serialization divergence.
+        outcome.serializationSkew++;
+        continue;
+      }
+
+      const nativeValue = serializeRunRow(row, input.skipColumns);
+
+      // Only compare rows at the same version; otherwise the row advanced between
+      // Electric's emit and our refetch (timing skew, not a divergence).
+      if (!sameInstant(message.value.updatedAt, nativeValue.updatedAt)) {
+        outcome.serializationSkew++;
+        continue;
+      }
+
+      let rowDiverged = false;
+      for (const [column, electricRaw] of Object.entries(message.value)) {
+        const meta = COLUMN_BY_NAME.get(column);
+        if (!meta) {
+          continue;
+        }
+        const nativeRaw = nativeValue[column] ?? null;
+        if (!valuesEqual(electricRaw, nativeRaw, meta.type, meta.dims, column)) {
+          rowDiverged = true;
+          if (outcome.diffs.length < MAX_DIFFS) {
+            outcome.diffs.push({ runId, column, electric: electricRaw, native: nativeRaw });
+          }
+        }
+      }
+
+      if (rowDiverged) {
+        outcome.serializationDiverged++;
+      } else {
+        outcome.serializationMatched++;
+      }
+    }
+
+    if (input.isInitialSnapshot && input.membershipFilter) {
+      const electricIds = new Set(
+        changes.map((m) => m.value.id).filter((id): id is string => typeof id === "string")
+      );
+      const nativeIds = new Set(
+        await this.options.runListResolver.resolveMatchingRunIds(input.membershipFilter)
+      );
+
+      outcome.missingInNative = [...electricIds].filter((id) => !nativeIds.has(id));
+      outcome.extraInNative = [...nativeIds].filter((id) => !electricIds.has(id));
+      outcome.membershipMatch =
+        outcome.missingInNative.length === 0 && outcome.extraInNative.length === 0;
+    }
+
+    return outcome;
+  }
+}
+
+function parseBody(body: string): ShapeMessage[] {
+  const text = body.trim();
+  if (!text) {
+    return [];
+  }
+  try {
+    const parsed = JSON.parse(text);
+    return Array.isArray(parsed) ? (parsed as ShapeMessage[]) : [];
+  } catch {
+    return [];
+  }
+}
+
+/** Status carries a known legacy rewrite (DEQUEUED -> EXECUTING) applied equally to
+ * both paths for non-current API versions; treat them as equivalent. */
+function normalizeStatus(value: string): string {
+  return value === "DEQUEUED" ? "EXECUTING" : value;
+}
+
+function sameInstant(a: string | null | undefined, b: string | null | undefined): boolean {
+  if (a == null || b == null) {
+    return a == null && b == null;
+  }
+  // Mirror the SDK's RawShapeDate (`new Date(val + "Z")`).
+  return new Date(`${a}Z`).getTime() === new Date(`${b}Z`).getTime();
+}
+
+function valuesEqual(
+  electricRaw: string | null,
+  nativeRaw: string | null,
+  type: ElectricColumnType,
+  dims: number | undefined,
+  column: string
+): boolean {
+  if (electricRaw == null || nativeRaw == null) {
+    return electricRaw == null && nativeRaw == null;
+  }
+
+  if (dims && dims > 0) {
+    return arraysEqual(parsePgTextArray(electricRaw), parsePgTextArray(nativeRaw));
+  }
+
+  switch (type) {
+    case "timestamp":
+      return new Date(`${electricRaw}Z`).getTime() === new Date(`${nativeRaw}Z`).getTime();
+    case "bool":
+      return parseBool(electricRaw) === parseBool(nativeRaw);
+    case "int4":
+    case "int8":
+    case "float8":
+      return Number(electricRaw) === Number(nativeRaw);
+    case "jsonb":
+      return jsonEqual(electricRaw, nativeRaw);
+    case "text":
+    default:
+      if (column === "status") {
+        return normalizeStatus(electricRaw) === normalizeStatus(nativeRaw);
+      }
+      return electricRaw === nativeRaw;
+  }
+}
+
+function parseBool(value: string): boolean {
+  return value === "t" || value === "true";
+}
+
+function jsonEqual(a: string, b: string): boolean {
+  try {
+    return deepEqual(JSON.parse(a), JSON.parse(b));
+  } catch {
+    return a === b;
+  }
+}
+
+function deepEqual(a: unknown, b: unknown): boolean {
+  if (a === b) return true;
+  if (typeof a !== typeof b || a === null || b === null) return false;
+  if (Array.isArray(a) && Array.isArray(b)) {
+    return a.length === b.length && a.every((v, i) => deepEqual(v, b[i]));
+  }
+  if (typeof a === "object" && typeof b === "object") {
+    const ak = Object.keys(a as object).sort();
+    const bk = Object.keys(b as object).sort();
+    return (
+      ak.length === bk.length &&
+      ak.every((k, i) => k === bk[i]) &&
+      ak.every((k) => deepEqual((a as any)[k], (b as any)[k]))
+    );
+  }
+  return false;
+}
+
+function arraysEqual(a: string[], b: string[]): boolean {
+  return a.length === b.length && a.every((v, i) => v === b[i]);
+}
+
+/** Parse a Postgres text-array literal (`{"a","b"}` / `{}`). Mirrors the client's pgArrayParser. */
+function parsePgTextArray(literal: string): string[] {
+  if (literal === "{}" || literal === "") {
+    return [];
+  }
+  const inner = literal.startsWith("{") && literal.endsWith("}") ? literal.slice(1, -1) : literal;
+  const result: string[] = [];
+  let i = 0;
+  while (i < inner.length) {
+    if (inner[i] === '"') {
+      i++;
+      let s = "";
+      while (i < inner.length && inner[i] !== '"') {
+        if (inner[i] === "\\") {
+          i++;
+        }
+        s += inner[i];
+        i++;
+      }
+      result.push(s);
+      i++;
+      if (inner[i] === ",") i++;
+    } else {
+      let s = "";
+      while (i < inner.length && inner[i] !== ",") {
+        s += inner[i];
+        i++;
+      }
+      result.push(s);
+      if (inner[i] === ",") i++;
+    }
+  }
+  return result;
+}
diff --git a/apps/webapp/app/services/realtime/shadowRealtimeClient.server.ts b/apps/webapp/app/services/realtime/shadowRealtimeClient.server.ts
new file mode 100644
index 00000000000..90bc1d90070
--- /dev/null
+++ b/apps/webapp/app/services/realtime/shadowRealtimeClient.server.ts
@@ -0,0 +1,188 @@
+import { API_VERSIONS } from "~/api/versions";
+import { logger } from "../logger.server";
+import {
+  type RealtimeEnvironment,
+  type RealtimeRequestOptions,
+  type RealtimeRunsParams,
+} from "../realtimeClient.server";
+import { RESERVED_COLUMNS } from "./electricStreamProtocol.server";
+import {
+  type RealtimeListEnvironment,
+  type RealtimeStreamClient,
+} from "./nativeRealtimeClient.server";
+import { type RunListFilter } from "./runReader.server";
+import {
+  type RealtimeShadowComparator,
+  type ShadowCompareOutcome,
+  type ShadowFeed,
+} from "./shadowCompare.server";
+
+export type ShadowRealtimeClientOptions = {
+  /** The path actually served to the client (Electric). */
+  electric: RealtimeStreamClient;
+  comparator: RealtimeShadowComparator;
+  /** createdAt window (ms) used to resolve tag-list membership for the compare. */
+  maximumCreatedAtFilterAgeMs: number;
+  /** Cap for the membership resolve. */
+  maxListResults: number;
+  /** Metrics sink for compare outcomes. */
+  onOutcome?: (outcome: ShadowCompareOutcome) => void;
+};
+
+/** Transparent wrapper that serves the Electric response unchanged and, in the background (fire-and-forget), diffs what the native backend would emit. */
+export class ShadowRealtimeClient implements RealtimeStreamClient {
+  constructor(private readonly options: ShadowRealtimeClientOptions) {}
+
+  async streamRun(
+    url: URL | string,
+    environment: RealtimeEnvironment,
+    runId: string,
+    apiVersion: API_VERSIONS,
+    requestOptions?: RealtimeRequestOptions,
+    clientVersion?: string,
+    signal?: AbortSignal
+  ): Promise<Response> {
+    const response = await this.options.electric.streamRun(
+      url,
+      environment,
+      runId,
+      apiVersion,
+      requestOptions,
+      clientVersion,
+      signal
+    );
+    this.#shadow("run", response, url, environment, requestOptions);
+    return response;
+  }
+
+  async streamRuns(
+    url: URL | string,
+    environment: RealtimeListEnvironment,
+    params: RealtimeRunsParams,
+    apiVersion: API_VERSIONS,
+    requestOptions?: RealtimeRequestOptions,
+    clientVersion?: string,
+    signal?: AbortSignal
+  ): Promise<Response> {
+    const response = await this.options.electric.streamRuns(
+      url,
+      environment,
+      params,
+      apiVersion,
+      requestOptions,
+      clientVersion,
+      signal
+    );
+    this.#shadow("runs", response, url, environment, requestOptions, { tags: params.tags ?? [] });
+    return response;
+  }
+
+  async streamBatch(
+    url: URL | string,
+    environment: RealtimeListEnvironment,
+    batchId: string,
+    apiVersion: API_VERSIONS,
+    requestOptions?: RealtimeRequestOptions,
+    clientVersion?: string,
+    signal?: AbortSignal
+  ): Promise<Response> {
+    const response = await this.options.electric.streamBatch(
+      url,
+      environment,
+      batchId,
+      apiVersion,
+      requestOptions,
+      clientVersion,
+      signal
+    );
+    this.#shadow("batch", response, url, environment, requestOptions, { batchId });
+    return response;
+  }
+
+  /** Fire-and-forget; never blocks the served response, never throws into the request. */
+  #shadow(
+    feed: ShadowFeed,
+    electricResponse: Response,
+    url: URL | string,
+    environment: RealtimeEnvironment & { projectId?: string },
+    requestOptions?: RealtimeRequestOptions,
+    membership?: { tags?: string[]; batchId?: string }
+  ): void {
+    // Clone synchronously before the client consumes the body.
+    let bodyClone: Response;
+    try {
+      if (electricResponse.status !== 200) {
+        return;
+      }
+      bodyClone = electricResponse.clone();
+    } catch {
+      return;
+    }
+
+    void this.#runShadow(feed, bodyClone, url, environment, requestOptions, membership).catch(
+      (error) => logger.debug("[shadowRealtime] compare failed", { feed, error })
+    );
+  }
+
+  async #runShadow(
+    feed: ShadowFeed,
+    bodyClone: Response,
+    url: URL | string,
+    environment: RealtimeEnvironment & { projectId?: string },
+    requestOptions: RealtimeRequestOptions | undefined,
+    membership: { tags?: string[]; batchId?: string } | undefined
+  ): Promise<void> {
+    const $url = new URL(url.toString());
+    const offset = $url.searchParams.get("offset") ?? "-1";
+    const handle = $url.searchParams.get("handle") ?? $url.searchParams.get("shape_id");
+    const isInitialSnapshot = offset === "-1" || !handle;
+    const skipColumns = resolveSkipColumns($url, requestOptions);
+    const electricBody = await bodyClone.text();
+
+    let membershipFilter: RunListFilter | undefined;
+    if (isInitialSnapshot && membership && environment.projectId) {
+      membershipFilter = {
+        organizationId: environment.organizationId,
+        projectId: environment.projectId,
+        environmentId: environment.id,
+        tags: membership.tags,
+        batchId: membership.batchId,
+        createdAtAfter: membership.batchId
+          ? undefined
+          : new Date(Date.now() - this.options.maximumCreatedAtFilterAgeMs),
+        limit: this.options.maxListResults,
+      };
+    }
+
+    const outcome = await this.options.comparator.compare({
+      feed,
+      electricBody,
+      environment: { id: environment.id },
+      skipColumns,
+      isInitialSnapshot,
+      membershipFilter,
+    });
+
+    this.options.onOutcome?.(outcome);
+
+    if (outcome.serializationDiverged > 0 || outcome.membershipMatch === false) {
+      logger.warn("[shadowRealtime] divergence detected", {
+        feed,
+        serializationDiverged: outcome.serializationDiverged,
+        serializationMatched: outcome.serializationMatched,
+        serializationSkew: outcome.serializationSkew,
+        membershipMatch: outcome.membershipMatch,
+        missingInNative: outcome.missingInNative?.slice(0, 20),
+        extraInNative: outcome.extraInNative?.slice(0, 20),
+        // Log only which run/column diverged, never the raw cell values — they can
+        // include run payload/output/metadata and must not leak into logs.
+        diffs: outcome.diffs.map(({ runId, column }) => ({ runId, column })),
+      });
+    }
+  }
+}
+
+function resolveSkipColumns(url: URL, requestOptions?: RealtimeRequestOptions): string[] {
+  const raw = requestOptions?.skipColumns ?? url.searchParams.get("skipColumns")?.split(",") ?? [];
+  return raw.map((c) => c.trim()).filter((c) => c !== "" && !RESERVED_COLUMNS.includes(c));
+}
diff --git a/apps/webapp/app/services/realtime/shadowRealtimeClientInstance.server.ts b/apps/webapp/app/services/realtime/shadowRealtimeClientInstance.server.ts
new file mode 100644
index 00000000000..8dbb5007c20
--- /dev/null
+++ b/apps/webapp/app/services/realtime/shadowRealtimeClientInstance.server.ts
@@ -0,0 +1,64 @@
+import { getMeter } from "@internal/tracing";
+import { $replica } from "~/db.server";
+import { env } from "~/env.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
+import { singleton } from "~/utils/singleton";
+import { realtimeClient } from "../realtimeClientGlobal.server";
+import { ClickHouseRunListResolver } from "./clickHouseRunListResolver.server";
+import { RunHydrator } from "./runReader.server";
+import { RealtimeShadowComparator } from "./shadowCompare.server";
+import { ShadowRealtimeClient } from "./shadowRealtimeClient.server";
+
+/**
+ * Process-singleton wiring for the shadow-compare client. Only constructed
+ * when an org's `realtimeBackend` flag is set to "shadow".
+ */
+function initializeShadowRealtimeClient(): ShadowRealtimeClient {
+  const compares = getMeter("realtime-shadow").createCounter("realtime_shadow.compares", {
+    description:
+      "Dual-run shadow-compare outcomes (Electric vs native). kind=serialization|membership, result=match|diverge|skew.",
+  });
+
+  const comparator = new RealtimeShadowComparator({
+    runReader: new RunHydrator({ replica: $replica }),
+    runListResolver: new ClickHouseRunListResolver({
+      getClickhouse: (organizationId) =>
+        clickhouseFactory.getClickhouseForOrganization(organizationId, "realtime"),
+      prisma: $replica,
+    }),
+  });
+
+  return new ShadowRealtimeClient({
+    electric: realtimeClient,
+    comparator,
+    maximumCreatedAtFilterAgeMs: env.REALTIME_MAXIMUM_CREATED_AT_FILTER_AGE_IN_MS,
+    maxListResults: env.REALTIME_BACKEND_NATIVE_MAX_LIST_RESULTS,
+    onOutcome: (outcome) => {
+      const { feed } = outcome;
+      if (outcome.serializationMatched) {
+        compares.add(outcome.serializationMatched, { feed, kind: "serialization", result: "match" });
+      }
+      if (outcome.serializationDiverged) {
+        compares.add(outcome.serializationDiverged, {
+          feed,
+          kind: "serialization",
+          result: "diverge",
+        });
+      }
+      if (outcome.serializationSkew) {
+        compares.add(outcome.serializationSkew, { feed, kind: "serialization", result: "skew" });
+      }
+      if (outcome.membershipMatch !== undefined) {
+        compares.add(1, {
+          feed,
+          kind: "membership",
+          result: outcome.membershipMatch ? "match" : "diverge",
+        });
+      }
+    },
+  });
+}
+
+export function getShadowRealtimeClient(): ShadowRealtimeClient {
+  return singleton("shadowRealtimeClient", initializeShadowRealtimeClient);
+}
diff --git a/apps/webapp/app/services/realtime/streamBasinProvisioner.server.ts b/apps/webapp/app/services/realtime/streamBasinProvisioner.server.ts
new file mode 100644
index 00000000000..e29aeb168fb
--- /dev/null
+++ b/apps/webapp/app/services/realtime/streamBasinProvisioner.server.ts
@@ -0,0 +1,248 @@
+/**
+ * Per-org S2 basin provisioning. Gated by
+ * `REALTIME_STREAMS_PER_ORG_BASINS_ENABLED`: when off, all orgs share
+ * `REALTIME_STREAMS_S2_BASIN` and this module no-ops.
+ *
+ * Pure retention-string in / S2-call out. Plan vocabulary lives in the
+ * cloud billing app, which calls into the admin sync route to drive
+ * provisioning + reconfiguration.
+ */
+import type { PrismaClientOrTransaction } from "~/db.server";
+import { prisma } from "~/db.server";
+import { env } from "~/env.server";
+import { logger } from "~/services/logger.server";
+import { parseDuration } from "./duration.server";
+
+export function isPerOrgBasinsEnabled(): boolean {
+  return env.REALTIME_STREAMS_PER_ORG_BASINS_ENABLED === "true";
+}
+
+export function defaultRetention(): string {
+  return env.REALTIME_STREAMS_BASIN_DEFAULT_RETENTION;
+}
+
+// Org id is a cuid — fixed-length and stable, so the basin name is
+// collision-free without truncation. Slugs are user-editable and would
+// drift.
+export function basinNameForOrg(org: { id: string }): string {
+  const prefix = env.REALTIME_STREAMS_BASIN_NAME_PREFIX;
+  const envName = env.REALTIME_STREAMS_BASIN_NAME_ENV;
+  return `${prefix}-${envName}-org-${org.id}`;
+}
+
+type ProvisionInput = {
+  id: string;
+  retention?: string;
+  streamBasinName: string | null | undefined;
+};
+
+type ProvisionResult =
+  | { kind: "skipped"; reason: "feature-disabled" | "already-provisioned"; basin: string | null }
+  | { kind: "provisioned"; basin: string; retention: string };
+
+// Idempotent. Treats S2 409 as success (race with another caller, or
+// previous run that crashed after S2 ack but before the column write).
+export async function provisionBasinForOrg(
+  org: ProvisionInput,
+  prismaClient: PrismaClientOrTransaction = prisma
+): Promise<ProvisionResult> {
+  if (!isPerOrgBasinsEnabled()) {
+    return { kind: "skipped", reason: "feature-disabled", basin: null };
+  }
+
+  if (org.streamBasinName) {
+    return { kind: "skipped", reason: "already-provisioned", basin: org.streamBasinName };
+  }
+
+  const accessToken = env.REALTIME_STREAMS_S2_ACCESS_TOKEN;
+  if (!accessToken) {
+    throw new Error(
+      "REALTIME_STREAMS_S2_ACCESS_TOKEN must be set when REALTIME_STREAMS_PER_ORG_BASINS_ENABLED=true"
+    );
+  }
+
+  const basin = basinNameForOrg(org);
+  const retention = org.retention ?? defaultRetention();
+
+  await s2CreateBasin(basin, {
+    accessToken,
+    retentionPolicy: retention,
+    storageClass: env.REALTIME_STREAMS_BASIN_STORAGE_CLASS,
+    deleteOnEmptyMinAge: env.REALTIME_STREAMS_BASIN_DELETE_ON_EMPTY_MIN_AGE,
+  });
+
+  await prismaClient.organization.update({
+    where: { id: org.id },
+    data: { streamBasinName: basin },
+  });
+
+  logger.info("[streamBasinProvisioner] provisioned basin for org", {
+    orgId: org.id,
+    basin,
+    retention,
+  });
+
+  return { kind: "provisioned", basin, retention };
+}
+
+export async function reconfigureBasinForOrg(
+  orgId: string,
+  retention: string
+): Promise<void> {
+  if (!isPerOrgBasinsEnabled()) return;
+
+  const accessToken = env.REALTIME_STREAMS_S2_ACCESS_TOKEN;
+  if (!accessToken) {
+    throw new Error(
+      "REALTIME_STREAMS_S2_ACCESS_TOKEN must be set when REALTIME_STREAMS_PER_ORG_BASINS_ENABLED=true"
+    );
+  }
+
+  const org = await prisma.organization.findFirst({
+    where: { id: orgId },
+    select: { id: true, streamBasinName: true },
+  });
+  if (!org?.streamBasinName) return;
+
+  await s2ReconfigureBasin(org.streamBasinName, { accessToken, retentionPolicy: retention });
+
+  logger.info("[streamBasinProvisioner] reconfigured basin retention", {
+    orgId,
+    basin: org.streamBasinName,
+    retention,
+  });
+}
+
+type EnsureResult =
+  | { kind: "skipped"; reason: "feature-disabled" | "org-not-found" }
+  | { kind: "provisioned"; basin: string; retention: string }
+  | { kind: "reconfigured"; basin: string; retention: string };
+
+// Idempotent: provisions if the org has no basin, PATCHes retention if
+// it does. The single entrypoint the cloud billing app drives — both
+// for the live plan-change path and the bulk backfill.
+export async function ensureBasinForOrg(
+  orgId: string,
+  retention: string
+): Promise<EnsureResult> {
+  if (!isPerOrgBasinsEnabled()) {
+    return { kind: "skipped", reason: "feature-disabled" };
+  }
+
+  const org = await prisma.organization.findFirst({
+    where: { id: orgId },
+    select: { id: true, streamBasinName: true },
+  });
+  if (!org) return { kind: "skipped", reason: "org-not-found" };
+
+  if (!org.streamBasinName) {
+    const result = await provisionBasinForOrg(
+      { id: org.id, streamBasinName: null, retention }
+    );
+    if (result.kind === "provisioned") {
+      return { kind: "provisioned", basin: result.basin, retention: result.retention };
+    }
+    return { kind: "skipped", reason: "feature-disabled" };
+  }
+
+  await reconfigureBasinForOrg(org.id, retention);
+  return { kind: "reconfigured", basin: org.streamBasinName, retention };
+}
+
+// Inverse of ensureBasinForOrg: nulls the column so future runs/sessions
+// land in the shared global basin. The S2 basin lingers; existing streams
+// age out on their original retention.
+export async function deprovisionBasinForOrg(
+  orgId: string
+): Promise<{ kind: "deprovisioned" } | { kind: "skipped"; reason: "no-basin" }> {
+  const org = await prisma.organization.findFirst({
+    where: { id: orgId },
+    select: { id: true, streamBasinName: true },
+  });
+  if (!org?.streamBasinName) return { kind: "skipped", reason: "no-basin" };
+
+  await prisma.organization.update({
+    where: { id: org.id },
+    data: { streamBasinName: null },
+  });
+
+  logger.info("[streamBasinProvisioner] deprovisioned basin for org", {
+    orgId,
+    previousBasin: org.streamBasinName,
+  });
+
+  return { kind: "deprovisioned" };
+}
+
+// S2 REST: POST /v1/basins to create, PATCH /v1/basins/{name} to
+// reconfigure. Wire shape takes integer seconds; we accept human strings
+// like "7d" / "1y" as env-var ergonomics and parse them here.
+
+type CreateBasinOptions = {
+  accessToken: string;
+  retentionPolicy: string;
+  storageClass: "express" | "standard";
+  deleteOnEmptyMinAge: string;
+};
+
+async function s2CreateBasin(name: string, opts: CreateBasinOptions): Promise<void> {
+  const url = `https://aws.s2.dev/v1/basins`;
+  const body = {
+    basin: name,
+    config: {
+      create_stream_on_append: true,
+      create_stream_on_read: true,
+      default_stream_config: {
+        storage_class: opts.storageClass,
+        retention_policy: { age: parseDuration(opts.retentionPolicy) },
+        delete_on_empty: { min_age_secs: parseDuration(opts.deleteOnEmptyMinAge) },
+      },
+    },
+  };
+
+  const res = await fetch(url, {
+    signal: AbortSignal.timeout(10_000),
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${opts.accessToken}`,
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify(body),
+  });
+
+  // 409 = basin already exists; treat as success (idempotent).
+  if (res.ok || res.status === 409) return;
+
+  const text = await res.text().catch(() => "");
+  throw new Error(`S2 createBasin failed: ${res.status} ${res.statusText} ${text}`);
+}
+
+type ReconfigureBasinOptions = {
+  accessToken: string;
+  retentionPolicy: string;
+};
+
+async function s2ReconfigureBasin(name: string, opts: ReconfigureBasinOptions): Promise<void> {
+  const url = `https://aws.s2.dev/v1/basins/${encodeURIComponent(name)}`;
+  const body = {
+    default_stream_config: {
+      retention_policy: { age: parseDuration(opts.retentionPolicy) },
+    },
+  };
+
+  const res = await fetch(url, {
+    signal: AbortSignal.timeout(10_000),
+    method: "PATCH",
+    headers: {
+      Authorization: `Bearer ${opts.accessToken}`,
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify(body),
+  });
+
+  if (res.ok) return;
+
+  const text = await res.text().catch(() => "");
+  throw new Error(`S2 reconfigureBasin failed: ${res.status} ${res.statusText} ${text}`);
+}
+
diff --git a/apps/webapp/app/services/realtime/types.ts b/apps/webapp/app/services/realtime/types.ts
index 64433a716f4..f09507997a2 100644
--- a/apps/webapp/app/services/realtime/types.ts
+++ b/apps/webapp/app/services/realtime/types.ts
@@ -2,6 +2,13 @@ export type StreamRecord = {
   data: string;
   id: string;
   seqNum: number;
+  /**
+   * S2 record headers, when the underlying backend is the v2 (S2) shape.
+   * Undefined or empty for run-scoped Redis streams. First-header empty-name
+   * is an S2 command record (trim/fence); the parser strips those before
+   * surfacing the record, so callers never see them.
+   */
+  headers?: Array<[string, string]>;
 };
 
 // Interface for stream ingestion
@@ -33,6 +40,19 @@ export interface StreamIngestor {
 export type StreamResponseOptions = {
   timeoutInSeconds?: number;
   lastEventId?: string;
+  /**
+   * Session-stream-only. When `true`, the responder MAY peek the tail
+   * of `.out` and short-circuit to `wait=0` + `X-Session-Settled: true`
+   * if the last record is a terminal marker (a `trigger-control`
+   * `turn-complete` control record, ignoring any trailing S2 trim
+   * command record). Used by `TriggerChatTransport.reconnectToStream`
+   * on page reload.
+   *
+   * When absent/false, the responder keeps the unconditional long-poll
+   * behavior — required on the active send-a-message path where the
+   * peek would race the newly-triggered turn's first chunk.
+   */
+  peekSettled?: boolean;
 };
 
 // Interface for stream response
diff --git a/apps/webapp/app/services/realtime/v1StreamsGlobal.server.ts b/apps/webapp/app/services/realtime/v1StreamsGlobal.server.ts
index b1bf15b9fed..868294abfde 100644
--- a/apps/webapp/app/services/realtime/v1StreamsGlobal.server.ts
+++ b/apps/webapp/app/services/realtime/v1StreamsGlobal.server.ts
@@ -29,41 +29,69 @@ function initializeRedisRealtimeStreams() {
 
 export const v1RealtimeStreams = singleton("realtimeStreams", initializeRedisRealtimeStreams);
 
+/**
+ * Resolve a stream's basin. Precedence: run → session → org → global env.
+ * Pre-migration rows have `streamBasinName: null` and fall through to
+ * the global basin (where their streams actually live), so only pass
+ * `organization` when no run/session row exists at all — otherwise a
+ * null column would short-circuit to the org's *current* basin.
+ */
+export type StreamBasinContext = {
+  run?: { streamBasinName: string | null } | null;
+  session?: { streamBasinName: string | null } | null;
+  organization?: { streamBasinName: string | null } | null;
+};
+
+export function resolveStreamBasin(ctx: StreamBasinContext): string | undefined {
+  return (
+    ctx.run?.streamBasinName ??
+    ctx.session?.streamBasinName ??
+    ctx.organization?.streamBasinName ??
+    env.REALTIME_STREAMS_S2_BASIN ??
+    undefined
+  );
+}
+
 export function getRealtimeStreamInstance(
   environment: AuthenticatedEnvironment,
-  streamVersion: string
+  streamVersion: string,
+  basinContext?: StreamBasinContext
 ): StreamIngestor & StreamResponder {
   if (streamVersion === "v1") {
     return v1RealtimeStreams;
-  } else {
-    if (
-      env.REALTIME_STREAMS_S2_BASIN &&
-      (env.REALTIME_STREAMS_S2_ACCESS_TOKEN ||
-        env.REALTIME_STREAMS_S2_SKIP_ACCESS_TOKENS === "true")
-    ) {
-      return new S2RealtimeStreams({
-        basin: env.REALTIME_STREAMS_S2_BASIN,
-        accessToken: env.REALTIME_STREAMS_S2_ACCESS_TOKEN ?? "",
-        endpoint: env.REALTIME_STREAMS_S2_ENDPOINT,
-        skipAccessTokens: env.REALTIME_STREAMS_S2_SKIP_ACCESS_TOKENS === "true",
-        streamPrefix: [
-          "org",
-          environment.organization.id,
-          "env",
-          environment.slug,
-          environment.id,
-        ].join("/"),
-        logLevel: env.REALTIME_STREAMS_S2_LOG_LEVEL,
-        flushIntervalMs: env.REALTIME_STREAMS_S2_FLUSH_INTERVAL_MS,
-        maxRetries: env.REALTIME_STREAMS_S2_MAX_RETRIES,
-        s2WaitSeconds: env.REALTIME_STREAMS_S2_WAIT_SECONDS,
-        accessTokenExpirationInMs: env.REALTIME_STREAMS_S2_ACCESS_TOKEN_EXPIRATION_IN_MS,
-        cache: s2RealtimeStreamsCache,
-      });
-    }
+  }
 
-    throw new Error("Realtime streams v2 is required for this run but S2 configuration is missing");
+  const resolvedBasin = resolveStreamBasin(basinContext ?? {});
+  if (
+    resolvedBasin &&
+    (env.REALTIME_STREAMS_S2_ACCESS_TOKEN || env.REALTIME_STREAMS_S2_SKIP_ACCESS_TOKENS === "true")
+  ) {
+    return new S2RealtimeStreams({
+      basin: resolvedBasin,
+      accessToken: env.REALTIME_STREAMS_S2_ACCESS_TOKEN ?? "",
+      endpoint: env.REALTIME_STREAMS_S2_ENDPOINT,
+      skipAccessTokens: env.REALTIME_STREAMS_S2_SKIP_ACCESS_TOKENS === "true",
+      streamPrefix: streamPrefixFor(environment, resolvedBasin),
+      logLevel: env.REALTIME_STREAMS_S2_LOG_LEVEL,
+      flushIntervalMs: env.REALTIME_STREAMS_S2_FLUSH_INTERVAL_MS,
+      maxRetries: env.REALTIME_STREAMS_S2_MAX_RETRIES,
+      s2WaitSeconds: env.REALTIME_STREAMS_S2_WAIT_SECONDS,
+      accessTokenExpirationInMs: env.REALTIME_STREAMS_S2_ACCESS_TOKEN_EXPIRATION_IN_MS,
+      cache: s2RealtimeStreamsCache,
+    });
   }
+
+  throw new Error("Realtime streams v2 is required for this run but S2 configuration is missing");
+}
+
+// Shared basin needs `org/{orgId}` to namespace; per-org basin already
+// isolates so the segment drops.
+function streamPrefixFor(environment: AuthenticatedEnvironment, basin: string): string {
+  const isPerOrgBasin = basin !== env.REALTIME_STREAMS_S2_BASIN;
+  const segments = isPerOrgBasin
+    ? ["env", environment.slug, environment.id]
+    : ["org", environment.organization.id, "env", environment.slug, environment.id];
+  return segments.join("/");
 }
 
 export function determineRealtimeStreamsVersion(streamVersion?: string): "v1" | "v2" {
diff --git a/apps/webapp/app/services/realtimeClient.server.ts b/apps/webapp/app/services/realtimeClient.server.ts
index d962a57426e..12b93f1996d 100644
--- a/apps/webapp/app/services/realtimeClient.server.ts
+++ b/apps/webapp/app/services/realtimeClient.server.ts
@@ -115,7 +115,8 @@ export class RealtimeClient {
     runId: string,
     apiVersion: API_VERSIONS,
     requestOptions?: RealtimeRequestOptions,
-    clientVersion?: string
+    clientVersion?: string,
+    signal?: AbortSignal
   ) {
     return this.#streamRunsWhere(
       url,
@@ -123,7 +124,8 @@ export class RealtimeClient {
       `id='${runId}'`,
       apiVersion,
       requestOptions,
-      clientVersion
+      clientVersion,
+      signal
     );
   }
 
@@ -133,7 +135,8 @@ export class RealtimeClient {
     batchId: string,
     apiVersion: API_VERSIONS,
     requestOptions?: RealtimeRequestOptions,
-    clientVersion?: string
+    clientVersion?: string,
+    signal?: AbortSignal
   ) {
     const whereClauses: string[] = [
       `"runtimeEnvironmentId"='${environment.id}'`,
@@ -148,7 +151,8 @@ export class RealtimeClient {
       whereClause,
       apiVersion,
       requestOptions,
-      clientVersion
+      clientVersion,
+      signal
     );
   }
 
@@ -158,7 +162,8 @@ export class RealtimeClient {
     params: RealtimeRunsParams,
     apiVersion: API_VERSIONS,
     requestOptions?: RealtimeRequestOptions,
-    clientVersion?: string
+    clientVersion?: string,
+    signal?: AbortSignal
   ) {
     const whereClauses: string[] = [`"runtimeEnvironmentId"='${environment.id}'`];
 
@@ -180,7 +185,8 @@ export class RealtimeClient {
       whereClause,
       apiVersion,
       requestOptions,
-      clientVersion
+      clientVersion,
+      signal
     );
 
     if (createdAtFilter) {
@@ -274,7 +280,8 @@ export class RealtimeClient {
     whereClause: string,
     apiVersion: API_VERSIONS,
     requestOptions?: RealtimeRequestOptions,
-    clientVersion?: string
+    clientVersion?: string,
+    signal?: AbortSignal
   ) {
     const electricUrl = this.#constructRunsElectricUrl(
       url,
@@ -288,7 +295,7 @@ export class RealtimeClient {
       electricUrl,
       environment,
       apiVersion,
-      undefined,
+      signal,
       clientVersion
     );
   }
diff --git a/apps/webapp/app/services/routeBuilders/apiBuilder.server.ts b/apps/webapp/app/services/routeBuilders/apiBuilder.server.ts
index e1f248927ae..0c661a7e684 100644
--- a/apps/webapp/app/services/routeBuilders/apiBuilder.server.ts
+++ b/apps/webapp/app/services/routeBuilders/apiBuilder.server.ts
@@ -1,20 +1,14 @@
 import { z } from "zod";
-import {
-  ApiAuthenticationResultSuccess,
-  authenticateApiRequestWithFailure,
-} from "../apiAuth.server";
+import { ApiAuthenticationResultSuccess } from "../apiAuth.server";
 import { ActionFunctionArgs, json, LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { fromZodError } from "zod-validation-error";
 import { apiCors } from "~/utils/apiCors";
-import {
-  AuthorizationAction,
-  AuthorizationResources,
-  checkAuthorization,
-} from "../authorization.server";
 import { logger } from "../logger.server";
+import { rbac } from "../rbac.server";
+import type { RbacAbility, RbacResource } from "@trigger.dev/rbac";
 import {
-  authenticateApiRequestWithPersonalAccessToken,
   PersonalAccessTokenAuthenticationResult,
+  updateLastAccessedAtIfStale,
 } from "../personalAccessToken.server";
 import { safeJsonParse } from "~/utils/json";
 import {
@@ -25,9 +19,155 @@ import { API_VERSIONS, getApiVersion } from "~/api/versions";
 import { WORKER_HEADERS } from "@trigger.dev/core/v3/runEngineWorker";
 import { ServiceValidationError } from "~/v3/services/common.server";
 import { EngineServiceValidationError } from "@internal/run-engine";
+import {
+  tenantContext,
+  tenantContextFromAuthEnvironment,
+} from "~/services/tenantContext.server";
+
+// Client aborts and service-level validation errors aren't bugs — they're
+// expected at API boundaries. Log them at `warn` so they stay in stdout
+// without flowing to Sentry via Logger.onError.
+function logBoundaryError(
+  message: "Error in loader" | "Error in action",
+  error: unknown,
+  url: string
+) {
+  const formatted =
+    error instanceof Error
+      ? { name: error.name, message: error.message, stack: error.stack }
+      : String(error);
+  const isExpected =
+    error instanceof Error &&
+    (error.name === "AbortError" ||
+      error instanceof ServiceValidationError ||
+      error instanceof EngineServiceValidationError);
+  if (isExpected) {
+    logger.warn(message, { error: formatted, url });
+  } else {
+    logger.error(message, { error: formatted, url });
+  }
+}
+
+// Bridges the RBAC plugin (source of truth for auth + abilities) to the legacy
+// ApiAuthenticationResultSuccess shape route handlers still expect. All three
+// apiBuilder call sites funnel through this helper — no handler-level changes
+// needed.
+async function authenticateRequestForApiBuilder(
+  request: Request,
+  { allowJWT }: { allowJWT: boolean }
+): Promise<
+  | { ok: false; status: 401 | 403; error: string }
+  | { ok: true; authentication: ApiAuthenticationResultSuccess; ability: RbacAbility }
+> {
+  const result = await rbac.authenticateBearer(request, { allowJWT });
+  if (!result.ok) {
+    // Plugin auth distinguishes 401 (who are you?) from 403 (you're not
+    // allowed) — e.g. a suspended account or IP block returns 403.
+    // Forwarding the status preserves that semantic for client retry logic.
+    return { ok: false, status: result.status, error: result.error };
+  }
+
+  // Plugins return the full AuthenticatedEnvironment shape directly — no
+  // follow-up DB lookup. The fallback fetches via Prisma, the cloud plugin
+  // via Drizzle; both produce the same slim contract type.
+  const authentication: ApiAuthenticationResultSuccess = {
+    ok: true,
+    apiKey: result.environment.apiKey,
+    type: result.subject.type === "publicJWT" ? "PUBLIC_JWT" : "PRIVATE",
+    environment: result.environment,
+    realtime: result.jwt?.realtime,
+    oneTimeUse: result.jwt?.oneTimeUse,
+  };
+
+  return { ok: true, authentication, ability: result.ability };
+}
 
 type AnyZodSchema = z.ZodFirstPartySchemaTypes | z.ZodDiscriminatedUnion<any, any>;
 
+// A multi-resource auth check has two possible directions, and route authors
+// have to pick one explicitly:
+//
+//  - `anyResource(...)` — succeed if *any* element passes. Used when a single
+//    record carries multiple identifiers (a run is addressable by friendlyId /
+//    batch / tags / task) so a JWT scoped to *any* of them grants access.
+//
+//  - `everyResource(...)` — succeed only if *every* element passes. Used for
+//    batch operations where each element is a *distinct* resource and a JWT
+//    scoped to one element must not authorize the others.
+//
+// Bare `RbacResource[]` is intentionally *not* part of `AuthResource` — the
+// type system forces every multi-resource site to disambiguate. The original
+// pre-RBAC apiBuilder had a separate `superScopes: [...]` whitelist for
+// "broader-than-this-resource" access; post-RBAC that's expressed via the JWT
+// ability's wildcard branches (`*:all` and `admin*` — see
+// `internal-packages/rbac/src/ability.ts`) plus a collection-level shape
+// `{ type: "<subject>" }` (no id) in the `anyResource` array so a
+// `<action>:<subject>` JWT matches it. No code knob needed.
+//
+// Markers are Symbols so they can't collide with arbitrary RbacResource fields.
+const ANY_RESOURCE_MARKER = Symbol.for("@trigger.dev/rbac.anyResource");
+const EVERY_RESOURCE_MARKER = Symbol.for("@trigger.dev/rbac.everyResource");
+
+type AnyResourceAuth = {
+  readonly [ANY_RESOURCE_MARKER]: true;
+  readonly resources: readonly RbacResource[];
+};
+
+type EveryResourceAuth = {
+  readonly [EVERY_RESOURCE_MARKER]: true;
+  readonly resources: readonly RbacResource[];
+};
+
+export function anyResource(resources: RbacResource[]): AnyResourceAuth {
+  return { [ANY_RESOURCE_MARKER]: true, resources };
+}
+
+export function everyResource(resources: RbacResource[]): EveryResourceAuth {
+  return { [EVERY_RESOURCE_MARKER]: true, resources };
+}
+
+function isAnyResource(value: unknown): value is AnyResourceAuth {
+  return (
+    typeof value === "object" &&
+    value !== null &&
+    (value as Record<symbol, unknown>)[ANY_RESOURCE_MARKER] === true
+  );
+}
+
+function isEveryResource(value: unknown): value is EveryResourceAuth {
+  return (
+    typeof value === "object" &&
+    value !== null &&
+    (value as Record<symbol, unknown>)[EVERY_RESOURCE_MARKER] === true
+  );
+}
+
+type AuthResource = RbacResource | AnyResourceAuth | EveryResourceAuth;
+
+function checkAuth(
+  ability: RbacAbility,
+  action: string,
+  resource: AuthResource
+): boolean {
+  if (isEveryResource(resource)) {
+    // Empty array via [].every() is vacuously true — would let any token
+    // pass auth. Routes building everyResource() from request bodies
+    // (e.g. batch trigger items) should never produce zero elements
+    // because body validation rejects empty arrays first, but defending
+    // here anyway since the auth layer should never grant on no input.
+    if (resource.resources.length === 0) return false;
+    return resource.resources.every((r) => ability.can(action, r));
+  }
+  if (isAnyResource(resource)) {
+    // Symmetric guard: anyResource([]) is benign for most abilities
+    // (.some() is false on empty), but the permissive ability would
+    // still grant. Treat empty as "no resource declared" → deny.
+    if (resource.resources.length === 0) return false;
+    return ability.can(action, [...resource.resources]);
+  }
+  return ability.can(action, resource);
+}
+
 type ApiKeyRouteBuilderOptions<
   TParamsSchema extends AnyZodSchema | undefined = undefined,
   TSearchParamsSchema extends AnyZodSchema | undefined = undefined,
@@ -52,7 +192,7 @@ type ApiKeyRouteBuilderOptions<
   ) => Promise<TResource | undefined>;
   shouldRetryNotFound?: boolean;
   authorization?: {
-    action: AuthorizationAction;
+    action: string;
     resource: (
       resource: NonNullable<TResource>,
       params: TParamsSchema extends z.ZodFirstPartySchemaTypes | z.ZodDiscriminatedUnion<any, any>
@@ -66,8 +206,7 @@ type ApiKeyRouteBuilderOptions<
       headers: THeadersSchema extends z.ZodFirstPartySchemaTypes | z.ZodDiscriminatedUnion<any, any>
         ? z.infer<THeadersSchema>
         : undefined
-    ) => AuthorizationResources;
-    superScopes?: string[];
+    ) => AuthResource;
   };
 };
 
@@ -120,23 +259,15 @@ export function createLoaderApiRoute<
     }
 
     try {
-      const authenticationResult = await authenticateApiRequestWithFailure(request, { allowJWT });
-
-      if (!authenticationResult) {
-        return await wrapResponse(
-          request,
-          json({ error: "Invalid or Missing API key" }, { status: 401 }),
-          corsStrategy !== "none"
-        );
-      }
-
-      if (!authenticationResult.ok) {
+      const authResult = await authenticateRequestForApiBuilder(request, { allowJWT });
+      if (!authResult.ok) {
         return await wrapResponse(
           request,
-          json({ error: authenticationResult.error }, { status: 401 }),
+          json({ error: authResult.error }, { status: authResult.status }),
           corsStrategy !== "none"
         );
       }
+      const { authentication: authenticationResult, ability } = authResult;
 
       let parsedParams: any = undefined;
       if (paramsSchema) {
@@ -203,7 +334,7 @@ export function createLoaderApiRoute<
       }
 
       if (authorization) {
-        const { action, resource: authResource, superScopes } = authorization;
+        const { action, resource: authResource } = authorization;
         const $authResource = authResource(
           resource,
           parsedParams,
@@ -211,26 +342,12 @@ export function createLoaderApiRoute<
           parsedHeaders
         );
 
-        logger.debug("Checking authorization", {
-          action,
-          resource: $authResource,
-          superScopes,
-          scopes: authenticationResult.scopes,
-        });
-
-        const authorizationResult = checkAuthorization(
-          authenticationResult,
-          action,
-          $authResource,
-          superScopes
-        );
-
-        if (!authorizationResult.authorized) {
+        if (!checkAuth(ability, action, $authResource)) {
           return await wrapResponse(
             request,
             json(
               {
-                error: `Unauthorized: ${authorizationResult.reason}`,
+                error: "Unauthorized",
                 code: "unauthorized",
                 param: "access_token",
                 type: "authorization",
@@ -244,15 +361,19 @@ export function createLoaderApiRoute<
 
       const apiVersion = getApiVersion(request);
 
-      const result = await handler({
-        params: parsedParams,
-        searchParams: parsedSearchParams,
-        headers: parsedHeaders,
-        authentication: authenticationResult,
-        request,
-        resource,
-        apiVersion,
-      });
+      const result = await tenantContext.run(
+        tenantContextFromAuthEnvironment(authenticationResult.environment),
+        () =>
+          handler({
+            params: parsedParams,
+            searchParams: parsedSearchParams,
+            headers: parsedHeaders,
+            authentication: authenticationResult,
+            request,
+            resource,
+            apiVersion,
+          })
+      );
       return await wrapResponse(request, result, corsStrategy !== "none");
     } catch (error) {
       try {
@@ -260,17 +381,7 @@ export function createLoaderApiRoute<
           return await wrapResponse(request, error, corsStrategy !== "none");
         }
 
-        logger.error("Error in loader", {
-          error:
-            error instanceof Error
-              ? {
-                  name: error.name,
-                  message: error.message,
-                  stack: error.stack,
-                }
-              : String(error),
-          url: request.url,
-        });
+        logBoundaryError("Error in loader", error, request.url);
 
         return await wrapResponse(
           request,
@@ -295,6 +406,37 @@ type PATRouteBuilderOptions<
   searchParams?: TSearchParamsSchema;
   headers?: THeadersSchema;
   corsStrategy?: "all" | "none";
+  // Resolves the target org/project for the request. Fed to
+  // `rbac.authenticatePat` so the plugin can compute the user's role
+  // floor (their authority in that org) for the cap intersection.
+  // When omitted, the PAT runs in identity-only mode — no role floor,
+  // no per-route ability gating beyond what authorization (if any)
+  // declares against a permissive baseline. Routes added before TRI-9087
+  // run in this mode by default.
+  context?: (
+    params: TParamsSchema extends z.ZodFirstPartySchemaTypes | z.ZodDiscriminatedUnion<any, any>
+      ? z.infer<TParamsSchema>
+      : undefined,
+    request: Request
+  ) =>
+    | { organizationId?: string; projectId?: string }
+    | Promise<{ organizationId?: string; projectId?: string }>;
+  authorization?: {
+    action: string;
+    resource: (
+      params: TParamsSchema extends z.ZodFirstPartySchemaTypes | z.ZodDiscriminatedUnion<any, any>
+        ? z.infer<TParamsSchema>
+        : undefined,
+      searchParams: TSearchParamsSchema extends
+        | z.ZodFirstPartySchemaTypes
+        | z.ZodDiscriminatedUnion<any, any>
+        ? z.infer<TSearchParamsSchema>
+        : undefined,
+      headers: THeadersSchema extends z.ZodFirstPartySchemaTypes | z.ZodDiscriminatedUnion<any, any>
+        ? z.infer<THeadersSchema>
+        : undefined
+    ) => AuthResource;
+  };
 };
 
 type PATHandlerFunction<
@@ -314,6 +456,7 @@ type PATHandlerFunction<
     ? z.infer<THeadersSchema>
     : undefined;
   authentication: PersonalAccessTokenAuthenticationResult;
+  ability: RbacAbility;
   request: Request;
   apiVersion: API_VERSIONS;
 }) => Promise<Response>;
@@ -332,6 +475,8 @@ export function createLoaderPATApiRoute<
       searchParams: searchParamsSchema,
       headers: headersSchema,
       corsStrategy = "none",
+      context: contextFn,
+      authorization,
     } = options;
 
     if (corsStrategy !== "none" && request.method.toUpperCase() === "OPTIONS") {
@@ -339,16 +484,6 @@ export function createLoaderPATApiRoute<
     }
 
     try {
-      const authenticationResult = await authenticateApiRequestWithPersonalAccessToken(request);
-
-      if (!authenticationResult) {
-        return await wrapResponse(
-          request,
-          json({ error: "Invalid or Missing API key" }, { status: 401 }),
-          corsStrategy !== "none"
-        );
-      }
-
       let parsedParams: any = undefined;
       if (paramsSchema) {
         const parsed = paramsSchema.safeParse(params);
@@ -401,11 +536,75 @@ export function createLoaderPATApiRoute<
 
       const apiVersion = getApiVersion(request);
 
+      // Single PAT auth roundtrip. `rbac.authenticatePat` validates the
+      // token AND computes the cap-and-floor ability in one DB query
+      // (the OSS fallback does the validation only and returns a
+      // permissive ability; the cloud plugin returns the joined
+      // cap/floor result). We previously called
+      // `authenticateApiRequestWithPersonalAccessToken` here first as
+      // belt-and-braces, but that meant two PAT lookups per request
+      // for routes with `context`/`authorization` declared. Routes
+      // without those still get a working `authentication` object —
+      // we pass an empty ctx and the fallback validates fine.
+      //
+      // `lastAccessedAt` is plumbed through the plugin result so the
+      // host can decide whether to fire the update (smart-skip in
+      // `updateLastAccessedAtIfStale` — no DB roundtrip when the
+      // cached timestamp is fresher than the throttle window).
+      const ctx = contextFn ? await contextFn(parsedParams, request) : {};
+      const patAuth = await rbac.authenticatePat(request, ctx);
+      if (!patAuth.ok) {
+        return await wrapResponse(
+          request,
+          json({ error: patAuth.error }, { status: patAuth.status }),
+          corsStrategy !== "none"
+        );
+      }
+
+      const authenticationResult: PersonalAccessTokenAuthenticationResult = {
+        userId: patAuth.userId,
+      };
+      const ability: RbacAbility = patAuth.ability;
+
+      // Fire the `lastAccessedAt` write conditionally. Two-layer throttle:
+      // JS skips the SQL when the value is fresh (most requests); the
+      // SQL `WHERE` clause inside the helper is race-safe for concurrent
+      // auths that both decide to fire. Don't `await` it from the
+      // critical path? — it's a one-row update on a small hot table and
+      // we want to surface failures, so it's awaited (same shape as the
+      // legacy `authenticatePersonalAccessToken`).
+      await updateLastAccessedAtIfStale(patAuth.tokenId, patAuth.lastAccessedAt);
+
+      if (authorization) {
+        const $resource = authorization.resource(parsedParams, parsedSearchParams, parsedHeaders);
+        if (!checkAuth(ability, authorization.action, $resource)) {
+          return await wrapResponse(
+            request,
+            json(
+              {
+                error: "Unauthorized",
+                code: "unauthorized",
+                param: "access_token",
+                type: "authorization",
+              },
+              { status: 403 }
+            ),
+            corsStrategy !== "none"
+          );
+        }
+      }
+
+      // PAT auth carries `userId` but no environment — enrich the scope
+      // the Express middleware established with the authenticated user so
+      // Sentry events from this handler get user-level attribution.
+      tenantContext.enrich({ userId: authenticationResult.userId });
+
       const result = await handler({
         params: parsedParams,
         searchParams: parsedSearchParams,
         headers: parsedHeaders,
         authentication: authenticationResult,
+        ability,
         request,
         apiVersion,
       });
@@ -454,7 +653,7 @@ type ApiKeyActionRouteBuilderOptions<
       : undefined
   ) => Promise<TResource | undefined>;
   authorization?: {
-    action: AuthorizationAction;
+    action: string;
     resource: (
       params: TParamsSchema extends z.ZodFirstPartySchemaTypes | z.ZodDiscriminatedUnion<any, any>
         ? z.infer<TParamsSchema>
@@ -469,9 +668,14 @@ type ApiKeyActionRouteBuilderOptions<
         : undefined,
       body: TBodySchema extends z.ZodFirstPartySchemaTypes | z.ZodDiscriminatedUnion<any, any>
         ? z.infer<TBodySchema>
-        : undefined
-    ) => AuthorizationResources;
-    superScopes?: string[];
+        : undefined,
+      // The resolved resource from `findResource`. `undefined` when the route
+      // doesn't declare `findResource`. Routes that need to expand the auth
+      // scope to alternate identifiers of the same row (e.g. friendlyId +
+      // externalId for sessions) read it here so a JWT minted for either form
+      // authorizes both URL forms.
+      resource: TResource | undefined
+    ) => AuthResource;
   };
   maxContentLength?: number;
   body?: TBodySchema;
@@ -559,29 +763,25 @@ export function createActionApiRoute<
     }
 
     try {
-      const authenticationResult = await authenticateApiRequestWithFailure(request, { allowJWT });
-
-      if (!authenticationResult) {
+      const authResult = await authenticateRequestForApiBuilder(request, { allowJWT });
+      if (!authResult.ok) {
         return await wrapResponse(
           request,
-          json({ error: "Invalid or Missing API key" }, { status: 401 }),
-          corsStrategy !== "none"
-        );
-      }
-
-      if (!authenticationResult.ok) {
-        return await wrapResponse(
-          request,
-          json({ error: authenticationResult.error }, { status: 401 }),
+          json({ error: authResult.error }, { status: authResult.status }),
           corsStrategy !== "none"
         );
       }
+      const { authentication: authenticationResult, ability } = authResult;
 
       if (maxContentLength) {
         const contentLength = request.headers.get("content-length");
 
         if (!contentLength || parseInt(contentLength) > maxContentLength) {
-          return json({ error: "Request body too large" }, { status: 413 });
+          return await wrapResponse(
+            request,
+            json({ error: "Request body too large" }, { status: 413 }),
+            corsStrategy !== "none"
+          );
         }
       }
 
@@ -667,30 +867,40 @@ export function createActionApiRoute<
         parsedBody = body.data;
       }
 
+      // Resolve the resource before authorization so the auth scope check
+      // can expand to alternate identifiers of the same row (e.g. a Session
+      // is addressable by both `friendlyId` and `externalId` and a JWT minted
+      // for either form should authorize both URL forms). Mirrors the
+      // ordering in `createLoaderApiRoute`.
+      const resource = options.findResource
+        ? await options.findResource(parsedParams, authenticationResult, parsedSearchParams)
+        : undefined;
+
+      // Run authorization first — but with the resolved resource available
+      // as the 5th arg so the auth scope check can expand to alternate
+      // identifiers of the same row (e.g. a Session is addressable by both
+      // `friendlyId` and `externalId`). Resource-null is checked AFTER auth
+      // so:
+      //   - underscoped JWT + missing resource → 403 (no info leak)
+      //   - underscoped JWT + existing resource → 403 (existing behavior)
+      //   - PRIVATE key + missing resource → auth passes → 404 (correct)
+      //   - PRIVATE key + existing resource → auth passes → handler runs
       if (authorization) {
-        const { action, resource, superScopes } = authorization;
-        const $resource = resource(parsedParams, parsedSearchParams, parsedHeaders, parsedBody);
-
-        logger.debug("Checking authorization", {
-          action,
-          resource: $resource,
-          superScopes,
-          scopes: authenticationResult.scopes,
-        });
-
-        const authorizationResult = checkAuthorization(
-          authenticationResult,
-          action,
-          $resource,
-          superScopes
+        const { action, resource: authResource } = authorization;
+        const $resource = authResource(
+          parsedParams,
+          parsedSearchParams,
+          parsedHeaders,
+          parsedBody,
+          resource
         );
 
-        if (!authorizationResult.authorized) {
+        if (!checkAuth(ability, action, $resource)) {
           return await wrapResponse(
             request,
             json(
               {
-                error: `Unauthorized: ${authorizationResult.reason}`,
+                error: "Unauthorized",
                 code: "unauthorized",
                 param: "access_token",
                 type: "authorization",
@@ -702,10 +912,6 @@ export function createActionApiRoute<
         }
       }
 
-      const resource = options.findResource
-        ? await options.findResource(parsedParams, authenticationResult, parsedSearchParams)
-        : undefined;
-
       if (options.findResource && !resource) {
         return await wrapResponse(
           request,
@@ -714,15 +920,19 @@ export function createActionApiRoute<
         );
       }
 
-      const result = await handler({
-        params: parsedParams,
-        searchParams: parsedSearchParams,
-        headers: parsedHeaders,
-        body: parsedBody,
-        authentication: authenticationResult,
-        request,
-        resource,
-      });
+      const result = await tenantContext.run(
+        tenantContextFromAuthEnvironment(authenticationResult.environment),
+        () =>
+          handler({
+            params: parsedParams,
+            searchParams: parsedSearchParams,
+            headers: parsedHeaders,
+            body: parsedBody,
+            authentication: authenticationResult,
+            request,
+            resource,
+          })
+      );
       return await wrapResponse(request, result, corsStrategy !== "none");
     } catch (error) {
       try {
@@ -730,17 +940,7 @@ export function createActionApiRoute<
           return await wrapResponse(request, error, corsStrategy !== "none");
         }
 
-        logger.error("Error in action", {
-          error:
-            error instanceof Error
-              ? {
-                  name: error.name,
-                  message: error.message,
-                  stack: error.stack,
-                }
-              : String(error),
-          url: request.url,
-        });
+        logBoundaryError("Error in action", error, request.url);
 
         return await wrapResponse(
           request,
@@ -795,9 +995,8 @@ type MultiMethodApiRouteOptions<
   allowJWT?: boolean;
   corsStrategy?: "all" | "none";
   authorization?: {
-    action: AuthorizationAction;
-    resource: (params: InferZod<TParamsSchema>) => AuthorizationResources;
-    superScopes?: string[];
+    action: string;
+    resource: (params: InferZod<TParamsSchema>) => AuthResource;
   };
   maxContentLength?: number;
   methods: Partial<
@@ -842,33 +1041,22 @@ export function createMultiMethodApiRoute<
     if (!methodConfig) {
       return await wrapResponse(
         request,
-        json(
-          { error: "Method not allowed" },
-          { status: 405, headers: { Allow: allowedMethods } }
-        ),
+        json({ error: "Method not allowed" }, { status: 405, headers: { Allow: allowedMethods } }),
         corsStrategy !== "none"
       );
     }
 
     try {
       // Authenticate
-      const authenticationResult = await authenticateApiRequestWithFailure(request, { allowJWT });
-
-      if (!authenticationResult) {
+      const authResult = await authenticateRequestForApiBuilder(request, { allowJWT });
+      if (!authResult.ok) {
         return await wrapResponse(
           request,
-          json({ error: "Invalid or Missing API key" }, { status: 401 }),
-          corsStrategy !== "none"
-        );
-      }
-
-      if (!authenticationResult.ok) {
-        return await wrapResponse(
-          request,
-          json({ error: authenticationResult.error }, { status: 401 }),
+          json({ error: authResult.error }, { status: authResult.status }),
           corsStrategy !== "none"
         );
       }
+      const { authentication: authenticationResult, ability } = authResult;
 
       if (maxContentLength) {
         const contentLength = request.headers.get("content-length");
@@ -936,29 +1124,15 @@ export function createMultiMethodApiRoute<
 
       // Authorize
       if (authorization) {
-        const { action, resource, superScopes } = authorization;
+        const { action, resource } = authorization;
         const $resource = resource(parsedParams);
 
-        logger.debug("Checking authorization", {
-          action,
-          resource: $resource,
-          superScopes,
-          scopes: authenticationResult.scopes,
-        });
-
-        const authorizationResult = checkAuthorization(
-          authenticationResult,
-          action,
-          $resource,
-          superScopes
-        );
-
-        if (!authorizationResult.authorized) {
+        if (!checkAuth(ability, action, $resource)) {
           return await wrapResponse(
             request,
             json(
               {
-                error: `Unauthorized: ${authorizationResult.reason}`,
+                error: "Unauthorized",
                 code: "unauthorized",
                 param: "access_token",
                 type: "authorization",
@@ -1003,14 +1177,18 @@ export function createMultiMethodApiRoute<
       }
 
       // Dispatch to method handler
-      const result = await methodConfig.handler({
-        params: parsedParams,
-        searchParams: parsedSearchParams,
-        headers: parsedHeaders,
-        body: parsedBody,
-        authentication: authenticationResult,
-        request,
-      });
+      const result = await tenantContext.run(
+        tenantContextFromAuthEnvironment(authenticationResult.environment),
+        () =>
+          methodConfig.handler({
+            params: parsedParams,
+            searchParams: parsedSearchParams,
+            headers: parsedHeaders,
+            body: parsedBody,
+            authentication: authenticationResult,
+            request,
+          })
+      );
       return await wrapResponse(request, result, corsStrategy !== "none");
     } catch (error) {
       try {
@@ -1018,13 +1196,7 @@ export function createMultiMethodApiRoute<
           return await wrapResponse(request, error, corsStrategy !== "none");
         }
 
-        logger.error("Error in action", {
-          error:
-            error instanceof Error
-              ? { name: error.name, message: error.message, stack: error.stack }
-              : String(error),
-          url: request.url,
-        });
+        logBoundaryError("Error in action", error, request.url);
 
         return await wrapResponse(
           request,
@@ -1162,17 +1334,7 @@ export function createLoaderWorkerApiRoute<
         return error;
       }
 
-      logger.error("Error in loader", {
-        error:
-          error instanceof Error
-            ? {
-                name: error.name,
-                message: error.message,
-                stack: error.stack,
-              }
-            : String(error),
-        url: request.url,
-      });
+      logBoundaryError("Error in loader", error, request.url);
 
       return json({ error: "Internal Server Error" }, { status: 500 });
     }
@@ -1337,17 +1499,7 @@ export function createActionWorkerApiRoute<
         return json({ error: error.message }, { status: error.status ?? 422 });
       }
 
-      logger.error("Error in action", {
-        error:
-          error instanceof Error
-            ? {
-                name: error.name,
-                message: error.message,
-                stack: error.stack,
-              }
-            : String(error),
-        url: request.url,
-      });
+      logBoundaryError("Error in action", error, request.url);
 
       return json({ error: "Internal Server Error" }, { status: 500 });
     }
diff --git a/apps/webapp/app/services/routeBuilders/dashboardBuilder.server.ts b/apps/webapp/app/services/routeBuilders/dashboardBuilder.server.ts
new file mode 100644
index 00000000000..656761d852d
--- /dev/null
+++ b/apps/webapp/app/services/routeBuilders/dashboardBuilder.server.ts
@@ -0,0 +1,117 @@
+// Server-only impl backing dashboardBuilder.ts. Imports rbac.server and
+// runs the actual auth/authorization. The wrappers in dashboardBuilder.ts
+// dynamic-import this module from inside the loader/action body, so it
+// never reaches the client bundle.
+
+import { json, redirect } from "@remix-run/server-runtime";
+import type { RbacAbility } from "@trigger.dev/rbac";
+import { rbac } from "~/services/rbac.server";
+import { getUserId } from "~/services/session.server";
+import type {
+  AuthorizationOption,
+  DashboardLoaderOptions,
+  SessionUser,
+} from "./dashboardBuilder";
+import { fromZodError } from "zod-validation-error";
+import type { z } from "zod";
+
+type AnyZodSchema = z.ZodFirstPartySchemaTypes | z.ZodDiscriminatedUnion<any, any>;
+
+function loginRedirectFor(request: Request, override?: string): Response {
+  if (override) return redirect(override);
+  const url = new URL(request.url);
+  const redirectTo = encodeURIComponent(`${url.pathname}${url.search}`);
+  return redirect(`/login?redirectTo=${redirectTo}`);
+}
+
+function isAuthorized(ability: RbacAbility, authorization: AuthorizationOption): boolean {
+  if ("requireSuper" in authorization) {
+    return ability.canSuper();
+  }
+  return ability.can(authorization.action, authorization.resource);
+}
+
+type AuthScope = { organizationId?: string; projectId?: string };
+
+export async function authenticateAndAuthorize<
+  TParams,
+  TSearchParams,
+  TContext extends AuthScope
+>(
+  request: Request,
+  rawParams: unknown,
+  options: DashboardLoaderOptions<TParams, TSearchParams, TContext>
+): Promise<
+  | { ok: false; response: Response }
+  | {
+      ok: true;
+      user: SessionUser;
+      ability: RbacAbility;
+      params: unknown;
+      searchParams: unknown;
+      context: TContext;
+    }
+> {
+  let parsedParams: any = undefined;
+  if (options.params) {
+    const parsed = (options.params as unknown as AnyZodSchema).safeParse(rawParams);
+    if (!parsed.success) {
+      return {
+        ok: false,
+        response: json(
+          { error: "Params Error", details: fromZodError(parsed.error).details },
+          { status: 400 }
+        ),
+      };
+    }
+    parsedParams = parsed.data;
+  }
+
+  let parsedSearchParams: any = undefined;
+  if (options.searchParams) {
+    const fromUrl = Object.fromEntries(new URL(request.url).searchParams);
+    const parsed = (options.searchParams as unknown as AnyZodSchema).safeParse(fromUrl);
+    if (!parsed.success) {
+      return {
+        ok: false,
+        response: json(
+          { error: "Query Error", details: fromZodError(parsed.error).details },
+          { status: 400 }
+        ),
+      };
+    }
+    parsedSearchParams = parsed.data;
+  }
+
+  const ctx = (options.context
+    ? await options.context(parsedParams, request)
+    : ({} as TContext)) as TContext;
+  // Resolve userId from the session cookie *here* (the dashboard
+  // request boundary) and feed it into the rbac plugin context. The
+  // plugin no longer takes a `helpers.getSessionUserId` callback —
+  // statically importing session.server from rbac.server dragged the
+  // entire remix-auth strategy chain (each strategy validates its
+  // secret at module load) into anything that pulled `rbac` in,
+  // including PAT-only callers.
+  const userId = (await getUserId(request)) ?? null;
+  const auth = await rbac.authenticateSession(request, { ...ctx, userId });
+  if (!auth.ok) {
+    if (auth.reason === "unauthenticated") {
+      return { ok: false, response: loginRedirectFor(request, options.loginRedirect) };
+    }
+    return { ok: false, response: redirect(options.unauthorizedRedirect ?? "/") };
+  }
+
+  if (options.authorization && !isAuthorized(auth.ability, options.authorization)) {
+    return { ok: false, response: redirect(options.unauthorizedRedirect ?? "/") };
+  }
+
+  return {
+    ok: true,
+    user: auth.user,
+    ability: auth.ability,
+    params: parsedParams,
+    searchParams: parsedSearchParams,
+    context: ctx,
+  };
+}
diff --git a/apps/webapp/app/services/routeBuilders/dashboardBuilder.ts b/apps/webapp/app/services/routeBuilders/dashboardBuilder.ts
new file mode 100644
index 00000000000..673f4f78deb
--- /dev/null
+++ b/apps/webapp/app/services/routeBuilders/dashboardBuilder.ts
@@ -0,0 +1,141 @@
+// Client-safe shim for the dashboard route builder. The actual server
+// implementation lives in dashboardBuilder.server.ts; the wrappers here
+// just return closures that lazily import that impl on first invocation.
+//
+// Why split: routes use `export const loader = dashboardLoader(...)` at
+// module top-level. Remix's dev build preserves the top-level call when
+// resolving the loader export, so the import target needs to exist on
+// the client even though the closure body never executes there. A
+// `.server.ts` file is excluded from the client bundle, which would
+// resolve `dashboardLoader` to undefined and crash with
+// "dashboardLoader is not a function" on first navigation. Keeping this
+// file non-`.server` puts the wrappers in the client bundle as
+// effectively no-op closures (they're never called there), and the
+// closure body's dynamic import only resolves at server runtime.
+
+import type { ActionFunctionArgs, LoaderFunctionArgs } from "@remix-run/server-runtime";
+import type { RbacAbility, RbacResource } from "@trigger.dev/rbac";
+import type { z } from "zod";
+
+type AnyZodSchema = z.ZodFirstPartySchemaTypes | z.ZodDiscriminatedUnion<any, any>;
+
+type InferZod<T> = T extends z.ZodFirstPartySchemaTypes | z.ZodDiscriminatedUnion<any, any>
+  ? z.infer<T>
+  : undefined;
+
+export type SessionUser = {
+  id: string;
+  email: string;
+  name: string | null;
+  displayName: string | null;
+  avatarUrl: string | null;
+  admin: boolean;
+  confirmedBasicDetails: boolean;
+  isImpersonating: boolean;
+};
+
+// `requireSuper: true` enforces ability.canSuper(). Otherwise an explicit
+// action + resource pair is checked via ability.can(...).
+export type AuthorizationOption =
+  | { requireSuper: true }
+  | {
+      action: string;
+      resource: RbacResource | RbacResource[];
+    };
+
+// Plugin-side scope: whatever the route's `context` returns must include
+// these (or just be `{}` when the route doesn't scope by org/project).
+// rbac.authenticateSession reads them off the value to filter UserRole.
+type AuthScope = { organizationId?: string; projectId?: string };
+
+export type DashboardLoaderOptions<TParams, TSearchParams, TContext extends AuthScope> = {
+  params?: TParams;
+  searchParams?: TSearchParams;
+  // Resolves any per-request data the handler + auth check both need
+  // (typically org/project lookups from URL params). The returned object
+  // is fed to `rbac.authenticateSession` as the auth scope AND passed
+  // through to the handler in `args.context`, so the route does each
+  // lookup once.
+  context?: (
+    params: InferZod<TParams>,
+    request: Request
+  ) => TContext | Promise<TContext>;
+  authorization?: AuthorizationOption;
+  // Where to send unauthenticated requests. Defaults to /login with a
+  // redirectTo back to the original path.
+  loginRedirect?: string;
+  // Where to send users who pass auth but fail the ability check. Defaults
+  // to "/" (the home page).
+  unauthorizedRedirect?: string;
+};
+
+export type DashboardLoaderHandlerArgs<TParams, TSearchParams, TContext> = {
+  params: InferZod<TParams>;
+  searchParams: InferZod<TSearchParams>;
+  user: SessionUser;
+  ability: RbacAbility;
+  context: TContext;
+  request: Request;
+};
+
+export function dashboardLoader<
+  TParams extends AnyZodSchema | undefined = undefined,
+  TSearchParams extends AnyZodSchema | undefined = undefined,
+  TContext extends AuthScope = AuthScope,
+  TReturn extends Response = Response
+>(
+  options: DashboardLoaderOptions<TParams, TSearchParams, TContext>,
+  handler: (
+    args: DashboardLoaderHandlerArgs<TParams, TSearchParams, TContext>
+  ) => Promise<TReturn>
+) {
+  return async function loader({ request, params }: LoaderFunctionArgs): Promise<TReturn> {
+    // Server-only — see comment at top. Node caches the module after the
+    // first call, so the dynamic import is effectively free past warmup.
+    const { authenticateAndAuthorize } = await import("./dashboardBuilder.server");
+    const result = await authenticateAndAuthorize(request, params, options);
+    if (!result.ok) throw result.response;
+
+    return handler({
+      params: result.params as InferZod<TParams>,
+      searchParams: result.searchParams as InferZod<TSearchParams>,
+      user: result.user,
+      ability: result.ability,
+      context: result.context as TContext,
+      request,
+    });
+  };
+}
+
+export type DashboardActionOptions<TParams, TSearchParams, TContext extends AuthScope> =
+  DashboardLoaderOptions<TParams, TSearchParams, TContext>;
+
+export type DashboardActionHandlerArgs<TParams, TSearchParams, TContext> =
+  DashboardLoaderHandlerArgs<TParams, TSearchParams, TContext>;
+
+export function dashboardAction<
+  TParams extends AnyZodSchema | undefined = undefined,
+  TSearchParams extends AnyZodSchema | undefined = undefined,
+  TContext extends AuthScope = AuthScope,
+  TReturn extends Response = Response
+>(
+  options: DashboardActionOptions<TParams, TSearchParams, TContext>,
+  handler: (
+    args: DashboardActionHandlerArgs<TParams, TSearchParams, TContext>
+  ) => Promise<TReturn>
+) {
+  return async function action({ request, params }: ActionFunctionArgs): Promise<TReturn> {
+    const { authenticateAndAuthorize } = await import("./dashboardBuilder.server");
+    const result = await authenticateAndAuthorize(request, params, options);
+    if (!result.ok) throw result.response;
+
+    return handler({
+      params: result.params as InferZod<TParams>,
+      searchParams: result.searchParams as InferZod<TSearchParams>,
+      user: result.user,
+      ability: result.ability,
+      context: result.context as TContext,
+      request,
+    });
+  };
+}
diff --git a/apps/webapp/app/services/runsReplicationInstance.server.ts b/apps/webapp/app/services/runsReplicationInstance.server.ts
index 0a8ab5e1bde..d5071e2d2b8 100644
--- a/apps/webapp/app/services/runsReplicationInstance.server.ts
+++ b/apps/webapp/app/services/runsReplicationInstance.server.ts
@@ -1,6 +1,6 @@
-import { ClickHouse } from "@internal/clickhouse";
 import invariant from "tiny-invariant";
 import { env } from "~/env.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { singleton } from "~/utils/singleton";
 import { meter, provider } from "~/v3/tracer.server";
 import { RunsReplicationService } from "./runsReplicationService.server";
@@ -22,22 +22,8 @@ function initializeRunsReplicationInstance() {
 
   console.log("🗃️  Runs replication service enabled");
 
-  const clickhouse = new ClickHouse({
-    url: env.RUN_REPLICATION_CLICKHOUSE_URL,
-    name: "runs-replication",
-    keepAlive: {
-      enabled: env.RUN_REPLICATION_KEEP_ALIVE_ENABLED === "1",
-      idleSocketTtl: env.RUN_REPLICATION_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
-    },
-    logLevel: env.RUN_REPLICATION_CLICKHOUSE_LOG_LEVEL,
-    compression: {
-      request: true,
-    },
-    maxOpenConnections: env.RUN_REPLICATION_MAX_OPEN_CONNECTIONS,
-  });
-
   const service = new RunsReplicationService({
-    clickhouse: clickhouse,
+    clickhouseFactory,
     pgConnectionUrl: DATABASE_URL,
     serviceName: "runs-replication",
     slotName: env.RUN_REPLICATION_SLOT_NAME,
@@ -72,8 +58,9 @@ function initializeRunsReplicationInstance() {
   });
 
   if (env.RUN_REPLICATION_ENABLED === "1") {
-    service
-      .start()
+    clickhouseFactory
+      .isReady()
+      .then(() => service.start())
       .then(() => {
         console.log("🗃️ Runs replication service started");
       })
diff --git a/apps/webapp/app/services/runsReplicationService.server.ts b/apps/webapp/app/services/runsReplicationService.server.ts
index 7930c05481f..d6055c21b17 100644
--- a/apps/webapp/app/services/runsReplicationService.server.ts
+++ b/apps/webapp/app/services/runsReplicationService.server.ts
@@ -1,5 +1,11 @@
-import type { ClickHouse, TaskRunInsertArray, PayloadInsertArray } from "@internal/clickhouse";
-import { getTaskRunField, getPayloadField } from "@internal/clickhouse";
+import type { ClickhouseFactory } from "~/services/clickhouse/clickhouseFactory.server";
+import {
+  type ClickHouse,
+  type PayloadInsertArray,
+  type TaskRunInsertArray,
+  getPayloadField,
+  getTaskRunField,
+} from "@internal/clickhouse";
 import { type RedisOptions } from "@internal/redis";
 import {
   LogicalReplicationClient,
@@ -21,7 +27,10 @@ import {
 import { Logger, type LogLevel } from "@trigger.dev/core/logger";
 import { tryCatch } from "@trigger.dev/core/utils";
 import { parsePacketAsJson } from "@trigger.dev/core/v3/utils/ioSerialization";
-import { unsafeExtractIdempotencyKeyScope, unsafeExtractIdempotencyKeyUser } from "@trigger.dev/core/v3/serverOnly";
+import {
+  unsafeExtractIdempotencyKeyScope,
+  unsafeExtractIdempotencyKeyUser,
+} from "@trigger.dev/core/v3/serverOnly";
 import { RunAnnotations } from "@trigger.dev/core/v3";
 import { type TaskRun } from "@trigger.dev/database";
 import { nanoid } from "nanoid";
@@ -29,6 +38,12 @@ import EventEmitter from "node:events";
 import pLimit from "p-limit";
 import { detectBadJsonStrings } from "~/utils/detectBadJsonStrings";
 import { calculateErrorFingerprint } from "~/utils/errorFingerprinting";
+import { baseWorkerQueue } from "~/runEngine/concerns/workerQueueSplit.server";
+import {
+  isClickHouseJsonParseError,
+  parseRowNumberFromError,
+  sanitizeRows,
+} from "~/v3/eventRepository/sanitizeRowsOnParseError.server";
 
 interface TransactionEvent<T = any> {
   tag: "insert" | "update" | "delete";
@@ -46,7 +61,7 @@ interface Transaction<T = any> {
 }
 
 export type RunsReplicationServiceOptions = {
-  clickhouse: ClickHouse;
+  clickhouseFactory: ClickhouseFactory;
   pgConnectionUrl: string;
   serviceName: string;
   slotName: string;
@@ -120,6 +135,15 @@ export class RunsReplicationService {
   private _disablePayloadInsert: boolean;
   private _disableErrorFingerprinting: boolean;
 
+  /**
+   * Counts batches that hit a ClickHouse `Cannot parse JSON object` failure
+   * that survived one sanitize-retry. These batches are dropped on the floor
+   * (returning success-ish to the caller so the retry layer doesn't spin on
+   * the same deterministic failure), and we track the drop count for
+   * observability. Counter only — does not gate behaviour.
+   */
+  private _permanentlyDroppedBatches = 0;
+
   // Metrics
   private _replicationLagHistogram: Histogram;
   private _batchesFlushedCounter: Counter;
@@ -274,6 +298,11 @@ export class RunsReplicationService {
     this._insertMaxDelayMs = options.insertMaxDelayMs ?? 2000;
   }
 
+  /** Exposed for tests and metrics — total batches lost to unrecoverable parse errors. */
+  get permanentlyDroppedBatches() {
+    return this._permanentlyDroppedBatches;
+  }
+
   public async shutdown() {
     if (this._isShuttingDown) return;
 
@@ -560,16 +589,50 @@ export class RunsReplicationService {
     const flushStartTime = performance.now();
 
     await startSpan(this._tracer, "flushBatch", async (span) => {
-      const preparedInserts = await startSpan(this._tracer, "prepare_inserts", async (span) => {
+      const preparedInserts = await startSpan(this._tracer, "prepare_inserts", async () => {
         return await Promise.all(batch.map(this.#prepareRunInserts.bind(this)));
       });
 
-      const taskRunInserts = preparedInserts
-        .map(({ taskRunInsert }) => taskRunInsert)
-        .filter((x): x is TaskRunInsertArray => Boolean(x))
-        // batch inserts in clickhouse are more performant if the items
-        // are pre-sorted by the primary key
-        .sort((a, b) => {
+      const routeCache = new Map<string, ClickHouse>();
+      const groups = new Map<
+        ClickHouse,
+        { taskRunInserts: TaskRunInsertArray[]; payloadInserts: PayloadInsertArray[] }
+      >();
+
+      for (let i = 0; i < batch.length; i++) {
+        const batchedRun = batch[i]!;
+        const prep = preparedInserts[i]!;
+        const { run } = batchedRun;
+
+        if (!run.organizationId || !run.environmentType) {
+          continue;
+        }
+
+        let client = routeCache.get(run.organizationId);
+        if (!client) {
+          client = this.options.clickhouseFactory.getClickhouseForOrganizationSync(
+            run.organizationId,
+            "replication"
+          );
+          routeCache.set(run.organizationId, client);
+        }
+
+        let group = groups.get(client);
+        if (!group) {
+          group = { taskRunInserts: [], payloadInserts: [] };
+          groups.set(client, group);
+        }
+
+        if (prep.taskRunInsert) {
+          group.taskRunInserts.push(prep.taskRunInsert);
+        }
+        if (prep.payloadInsert) {
+          group.payloadInserts.push(prep.payloadInsert);
+        }
+      }
+
+      const sortTaskRunInserts = (rows: TaskRunInsertArray[]) =>
+        rows.sort((a, b) => {
           const aOrgId = getTaskRunField(a, "organization_id");
           const bOrgId = getTaskRunField(b, "organization_id");
           if (aOrgId !== bOrgId) {
@@ -596,41 +659,65 @@ export class RunsReplicationService {
           return aRunId < bRunId ? -1 : 1;
         });
 
-      const payloadInserts = preparedInserts
-        .map(({ payloadInsert }) => payloadInsert)
-        .filter((x): x is PayloadInsertArray => Boolean(x))
-        // batch inserts in clickhouse are more performant if the items
-        // are pre-sorted by the primary key
-        .sort((a, b) => {
+      const sortPayloadInserts = (rows: PayloadInsertArray[]) =>
+        rows.sort((a, b) => {
           const aRunId = getPayloadField(a, "run_id");
           const bRunId = getPayloadField(b, "run_id");
           if (aRunId === bRunId) return 0;
           return aRunId < bRunId ? -1 : 1;
         });
 
-      span.setAttribute("task_run_inserts", taskRunInserts.length);
-      span.setAttribute("payload_inserts", payloadInserts.length);
+      const combinedTaskRunInserts: TaskRunInsertArray[] = [];
+      const combinedPayloadInserts: PayloadInsertArray[] = [];
+      let taskRunError: Error | null = null;
+      let payloadError: Error | null = null;
+
+      for (const [clickhouse, group] of groups) {
+        sortTaskRunInserts(group.taskRunInserts);
+        sortPayloadInserts(group.payloadInserts);
+        combinedTaskRunInserts.push(...group.taskRunInserts);
+        combinedPayloadInserts.push(...group.payloadInserts);
+
+        const [trErr, trOutcome] = await this.#insertWithRetry(
+          (attempt) => this.#insertTaskRunInserts(clickhouse, group.taskRunInserts, attempt),
+          "task run inserts",
+          flushId
+        );
+        if (trErr && !taskRunError) {
+          taskRunError = trErr;
+        }
+
+        const [plErr, plOutcome] = await this.#insertWithRetry(
+          (attempt) => this.#insertPayloadInserts(clickhouse, group.payloadInserts, attempt),
+          "payload inserts",
+          flushId
+        );
+        if (plErr && !payloadError) {
+          payloadError = plErr;
+        }
+
+        // Only count rows that actually landed in ClickHouse. `kind: "dropped"`
+        // means the recovery wrapper bailed (sanitizer no-op or sanitize-retry
+        // still failed) — those rows never made it, so they must not show up
+        // as successful inserts in the per-batch counter.
+        if (!trErr && trOutcome?.kind !== "dropped") {
+          this._taskRunsInsertedCounter.add(group.taskRunInserts.length);
+        }
+        if (!plErr && plOutcome?.kind !== "dropped") {
+          this._payloadsInsertedCounter.add(group.payloadInserts.length);
+        }
+      }
+
+      span.setAttribute("task_run_inserts", combinedTaskRunInserts.length);
+      span.setAttribute("payload_inserts", combinedPayloadInserts.length);
 
       this.logger.debug("Flushing inserts", {
         flushId,
-        taskRunInserts: taskRunInserts.length,
-        payloadInserts: payloadInserts.length,
+        taskRunInserts: combinedTaskRunInserts.length,
+        payloadInserts: combinedPayloadInserts.length,
+        clickhouseGroups: groups.size,
       });
 
-      // Insert task runs and payloads with retry logic for connection errors
-      const [taskRunError, taskRunResult] = await this.#insertWithRetry(
-        (attempt) => this.#insertTaskRunInserts(taskRunInserts, attempt),
-        "task run inserts",
-        flushId
-      );
-
-      const [payloadError, payloadResult] = await this.#insertWithRetry(
-        (attempt) => this.#insertPayloadInserts(payloadInserts, attempt),
-        "payload inserts",
-        flushId
-      );
-
-      // Log any errors that occurred
       if (taskRunError) {
         this.logger.error("Error inserting task run inserts", {
           error: taskRunError,
@@ -649,27 +736,22 @@ export class RunsReplicationService {
 
       this.logger.debug("Flushed inserts", {
         flushId,
-        taskRunInserts: taskRunInserts.length,
-        payloadInserts: payloadInserts.length,
+        taskRunInserts: combinedTaskRunInserts.length,
+        payloadInserts: combinedPayloadInserts.length,
       });
 
-      this.events.emit("batchFlushed", { flushId, taskRunInserts, payloadInserts });
+      this.events.emit("batchFlushed", {
+        flushId,
+        taskRunInserts: combinedTaskRunInserts,
+        payloadInserts: combinedPayloadInserts,
+      });
 
-      // Record metrics
       const flushDurationMs = performance.now() - flushStartTime;
       const hasErrors = taskRunError !== null || payloadError !== null;
 
       this._batchSizeHistogram.record(batch.length);
       this._flushDurationHistogram.record(flushDurationMs);
       this._batchesFlushedCounter.add(1, { success: !hasErrors });
-
-      if (!taskRunError) {
-        this._taskRunsInsertedCounter.add(taskRunInserts.length);
-      }
-
-      if (!payloadError) {
-        this._payloadsInsertedCounter.add(payloadInserts.length);
-      }
     });
   }
 
@@ -770,50 +852,172 @@ export class RunsReplicationService {
     };
   }
 
-  async #insertTaskRunInserts(taskRunInserts: TaskRunInsertArray[], attempt: number) {
+  async #insertTaskRunInserts(
+    clickhouse: ClickHouse,
+    taskRunInserts: TaskRunInsertArray[],
+    attempt: number
+  ) {
+    if (taskRunInserts.length === 0) {
+      return;
+    }
     return await startSpan(this._tracer, "insertTaskRunsInserts", async (span) => {
-      const [insertError, insertResult] =
-        await this.options.clickhouse.taskRuns.insertCompactArrays(taskRunInserts, {
-          params: {
-            clickhouse_settings: this.#getClickhouseInsertSettings(),
-          },
-        });
-
-      if (insertError) {
-        this.logger.error("Error inserting task run inserts attempt", {
-          error: insertError,
-          attempt,
-        });
-
-        recordSpanError(span, insertError);
-        throw insertError;
-      }
-
-      return insertResult;
+      const doInsert = async () => {
+        const [insertError, insertResult] = await clickhouse.taskRuns.insertCompactArrays(
+          taskRunInserts,
+          { params: { clickhouse_settings: this.#getClickhouseInsertSettings() } }
+        );
+        if (insertError) {
+          this.logger.error("Error inserting task run inserts attempt", {
+            error: insertError,
+            attempt,
+          });
+          recordSpanError(span, insertError);
+          throw insertError;
+        }
+        return insertResult;
+      };
+
+      return await this.#insertWithJsonParseRecovery(
+        taskRunInserts,
+        doInsert,
+        "task_runs_v2",
+        attempt
+      );
     });
   }
 
-  async #insertPayloadInserts(payloadInserts: PayloadInsertArray[], attempt: number) {
+  async #insertPayloadInserts(
+    clickhouse: ClickHouse,
+    payloadInserts: PayloadInsertArray[],
+    attempt: number
+  ) {
+    if (payloadInserts.length === 0) {
+      return;
+    }
     return await startSpan(this._tracer, "insertPayloadInserts", async (span) => {
-      const [insertError, insertResult] =
-        await this.options.clickhouse.taskRuns.insertPayloadsCompactArrays(payloadInserts, {
-          params: {
-            clickhouse_settings: this.#getClickhouseInsertSettings(),
-          },
-        });
-
-      if (insertError) {
-        this.logger.error("Error inserting payload inserts attempt", {
-          error: insertError,
-          attempt,
-        });
+      const doInsert = async () => {
+        const [insertError, insertResult] = await clickhouse.taskRuns.insertPayloadsCompactArrays(
+          payloadInserts,
+          { params: { clickhouse_settings: this.#getClickhouseInsertSettings() } }
+        );
+        if (insertError) {
+          this.logger.error("Error inserting payload inserts attempt", {
+            error: insertError,
+            attempt,
+          });
+          recordSpanError(span, insertError);
+          throw insertError;
+        }
+        return insertResult;
+      };
+
+      return await this.#insertWithJsonParseRecovery(
+        payloadInserts,
+        doInsert,
+        "raw_task_runs_payload_v1",
+        attempt
+      );
+    });
+  }
 
-        recordSpanError(span, insertError);
-        throw insertError;
+  /**
+   * Wraps a ClickHouse insert with reactive UTF-16 sanitization for
+   * `Cannot parse JSON object` rejections. Mirrors the pattern from
+   * `ClickhouseEventRepository.#insertWithJsonParseRecovery` introduced
+   * in #3659 — same root cause (lone UTF-16 surrogates in user-provided
+   * JSON), same recovery shape:
+   *
+   *   1. Try the insert. Healthy batches pay zero scan cost.
+   *   2. On parse error, walk the whole batch via `sanitizeRows` and
+   *      replace any lone-surrogate string with `"[invalid-utf16]"`.
+   *   3. Retry once. If the sanitizer found nothing or the retry also
+   *      fails with the same error class, drop the batch loudly and
+   *      return — do NOT rethrow, otherwise the surrounding
+   *      `#insertWithRetry` layer would spin three more times on the
+   *      same deterministic failure.
+   *   4. Non-parse errors propagate unchanged so the existing
+   *      transient-retry path still handles them.
+   *
+   * The whole-batch scan (rather than slicing on the `at row N` hint) is
+   * deliberate: `at row N` semantics under `input_format_parallel_parsing`
+   * aren't stable enough to safely skip rows. The cost is bounded because
+   * `detectBadJsonStrings` exits in O(1) for clean strings.
+   */
+  async #insertWithJsonParseRecovery<T extends object>(
+    rows: T[],
+    doInsert: () => Promise<unknown>,
+    contextLabel: string,
+    attempt: number
+  ): Promise<
+    | { kind: "inserted"; insertResult: unknown }
+    | { kind: "sanitized"; insertResult: unknown }
+    | { kind: "dropped" }
+  > {
+    try {
+      return { kind: "inserted", insertResult: await doInsert() };
+    } catch (firstError) {
+      if (!isClickHouseJsonParseError(firstError)) throw firstError;
+
+      const firstMessage =
+        typeof firstError === "object" && firstError !== null && "message" in firstError
+          ? String((firstError as { message?: unknown }).message ?? "")
+          : String(firstError);
+
+      const rowHint = parseRowNumberFromError(firstMessage);
+      const { rowsTouched, fieldsSanitized } = sanitizeRows(rows);
+
+      if (fieldsSanitized === 0) {
+        this._permanentlyDroppedBatches += 1;
+        this.logger.error(
+          "Dropped batch — ClickHouse JSON parse error but sanitizer found nothing to fix",
+          {
+            contextLabel,
+            attempt,
+            batchSize: rows.length,
+            clickhouseRowHint: rowHint,
+            permanentlyDroppedBatches: this._permanentlyDroppedBatches,
+            sampleRow: JSON.stringify(rows[0] ?? null).slice(0, 1024),
+            clickhouseError: firstMessage.split("\n")[0],
+          }
+        );
+        return { kind: "dropped" };
       }
 
-      return insertResult;
-    });
+      this.logger.warn("Sanitizing batch after ClickHouse JSON parse error", {
+        contextLabel,
+        attempt,
+        batchSize: rows.length,
+        clickhouseRowHint: rowHint,
+        rowsTouched,
+        fieldsSanitized,
+        clickhouseError: firstMessage.split("\n")[0],
+      });
+
+      try {
+        return { kind: "sanitized", insertResult: await doInsert() };
+      } catch (retryError) {
+        if (!isClickHouseJsonParseError(retryError)) throw retryError;
+
+        this._permanentlyDroppedBatches += 1;
+        const retryMessage =
+          typeof retryError === "object" && retryError !== null && "message" in retryError
+            ? String((retryError as { message?: unknown }).message ?? "")
+            : String(retryError);
+        this.logger.error(
+          "Dropped batch after sanitize-retry still hit ClickHouse JSON parse error",
+          {
+            contextLabel,
+            attempt,
+            batchSize: rows.length,
+            permanentlyDroppedBatches: this._permanentlyDroppedBatches,
+            sampleRow: JSON.stringify(rows[0] ?? null).slice(0, 1024),
+            firstError: firstMessage.split("\n")[0],
+            retryError: retryMessage.split("\n")[0],
+          }
+        );
+        return { kind: "dropped" };
+      }
+    }
   }
 
   async #prepareRunInserts(
@@ -860,12 +1064,13 @@ export class RunsReplicationService {
     const errorData = { data: run.error };
 
     // Calculate error fingerprint for failed runs
-    const errorFingerprint = (
+    const errorFingerprint =
       !this._disableErrorFingerprinting &&
-      ['SYSTEM_FAILURE', 'CRASHED', 'INTERRUPTED', 'COMPLETED_WITH_ERRORS', 'TIMED_OUT'].includes(run.status)
-    )
-      ? calculateErrorFingerprint(run.error)
-      : '';
+      ["SYSTEM_FAILURE", "CRASHED", "INTERRUPTED", "COMPLETED_WITH_ERRORS", "TIMED_OUT"].includes(
+        run.status
+      )
+        ? calculateErrorFingerprint(run.error)
+        : "";
 
     const annotations = this.#parseAnnotations(run.annotations);
 
@@ -917,10 +1122,11 @@ export class RunsReplicationService {
       event === "delete" ? 1 : 0, // _is_deleted
       run.concurrencyKey ?? "", // concurrency_key
       run.bulkActionGroupIds ?? [], // bulk_action_group_ids
-      run.masterQueue ?? "", // worker_queue
+      baseWorkerQueue(run.masterQueue ?? ""), // worker_queue (region; strip any split suffix like `:scheduled`)
       run.maxDurationInSeconds ?? null, // max_duration_in_seconds
       annotations?.triggerSource ?? "", // trigger_source
       annotations?.rootTriggerSource ?? "", // root_trigger_source
+      annotations?.taskKind ?? "", // task_kind
       run.isWarmStart ?? null, // is_warm_start
     ];
   }
@@ -978,7 +1184,6 @@ export class RunsReplicationService {
 
     return { data: parsedData };
   }
-
 }
 
 export type ConcurrentFlushSchedulerConfig<T> = {
diff --git a/apps/webapp/app/services/runsRepository/clickhouseRunsRepository.server.ts b/apps/webapp/app/services/runsRepository/clickhouseRunsRepository.server.ts
index 1368279e63d..304777b39e0 100644
--- a/apps/webapp/app/services/runsRepository/clickhouseRunsRepository.server.ts
+++ b/apps/webapp/app/services/runsRepository/clickhouseRunsRepository.server.ts
@@ -4,12 +4,16 @@ import {
   type FilterRunsOptions,
   type IRunsRepository,
   type ListRunsOptions,
+  type RunIdsPage,
   type RunListInputOptions,
   type RunsRepositoryOptions,
   type TagListOptions,
   convertRunListInputOptionsToFilterRunsOptions,
 } from "./runsRepository.server";
 import parseDuration from "parse-duration";
+import { decodeRunsCursor, encodeRunsCursor } from "./runsCursor.server";
+
+type RunCursorRow = { runId: string; createdAt: number };
 
 export class ClickHouseRunsRepository implements IRunsRepository {
   constructor(private readonly options: RunsRepositoryOptions) {}
@@ -18,25 +22,52 @@ export class ClickHouseRunsRepository implements IRunsRepository {
     return "clickhouse";
   }
 
-  async listRunIds(options: ListRunsOptions) {
+  /**
+   * Runs the keyset-paginated query and returns `{ runId, createdAt }` rows
+   * (one extra beyond `page.size` to signal "has more"). The ordering is always
+   * the composite `(created_at, run_id)`; the cursor predicate must match it.
+   *
+   * Composite cursors carry both components, so we cut on the
+   * `(created_at, run_id)` tuple — sound regardless of how run_id order relates
+   * to created_at order. Legacy bare-run_id cursors fall back to the old
+   * `run_id`-only predicate (knowingly unsound) for backwards compatibility
+   * with in-flight cursors.
+   */
+  private async listRunRows(options: ListRunsOptions): Promise<RunCursorRow[]> {
     const queryBuilder = this.options.clickhouse.taskRuns.queryBuilder();
     applyRunFiltersToQueryBuilder(
       queryBuilder,
       await convertRunListInputOptionsToFilterRunsOptions(options, this.options.prisma)
     );
 
+    const forward = options.page.direction === "forward" || !options.page.direction;
+
     if (options.page.cursor) {
-      if (options.page.direction === "forward" || !options.page.direction) {
-        queryBuilder
-          .where("run_id < {runId: String}", { runId: options.page.cursor })
-          .orderBy("created_at DESC, run_id DESC")
-          .limit(options.page.size + 1);
+      const decoded = decodeRunsCursor(options.page.cursor);
+
+      if (forward) {
+        if (decoded.kind === "composite") {
+          queryBuilder.where(
+            "(created_at, run_id) < (fromUnixTimestamp64Milli({cursorCreatedAt: Int64}), {runId: String})",
+            { cursorCreatedAt: decoded.createdAt, runId: decoded.runId }
+          );
+        } else {
+          queryBuilder.where("run_id < {runId: String}", { runId: decoded.runId });
+        }
+        queryBuilder.orderBy("created_at DESC, run_id DESC");
       } else {
-        queryBuilder
-          .where("run_id > {runId: String}", { runId: options.page.cursor })
-          .orderBy("created_at ASC, run_id ASC")
-          .limit(options.page.size + 1);
+        if (decoded.kind === "composite") {
+          queryBuilder.where(
+            "(created_at, run_id) > (fromUnixTimestamp64Milli({cursorCreatedAt: Int64}), {runId: String})",
+            { cursorCreatedAt: decoded.createdAt, runId: decoded.runId }
+          );
+        } else {
+          queryBuilder.where("run_id > {runId: String}", { runId: decoded.runId });
+        }
+        queryBuilder.orderBy("created_at ASC, run_id ASC");
       }
+
+      queryBuilder.limit(options.page.size + 1);
     } else {
       // Initial page - no cursor provided
       queryBuilder.orderBy("created_at DESC, run_id DESC").limit(options.page.size + 1);
@@ -48,75 +79,96 @@ export class ClickHouseRunsRepository implements IRunsRepository {
       throw queryError;
     }
 
-    const runIds = result.map((row) => row.run_id);
-    return runIds;
+    return result.map((row) => ({ runId: row.run_id, createdAt: row.created_at_ms }));
   }
 
-  async listFriendlyRunIds(options: ListRunsOptions) {
-    // First get internal IDs from ClickHouse
-    const internalIds = await this.listRunIds(options);
+  /**
+   * A keyset-paginated page of run ids ordered by `(created_at, run_id)`, plus
+   * the cursors to page forward/backward. Cursors are composite tokens that
+   * match the ordering, so pagination can't duplicate or skip runs even when
+   * run_id order diverges from created_at order. This is the single source of
+   * cursor construction — `listRuns` and bulk actions both build on it.
+   */
+  async listRunIds(options: ListRunsOptions): Promise<RunIdsPage> {
+    const rows = await this.listRunRows(options);
 
-    if (internalIds.length === 0) {
-      return [];
-    }
+    // listRunRows fetches one extra row beyond page.size to detect "has more".
+    const hasMore = rows.length > options.page.size;
 
-    // Then get friendly IDs from Prisma
-    const runs = await this.options.prisma.taskRun.findMany({
-      where: {
-        id: {
-          in: internalIds,
-        },
-      },
-      select: {
-        friendlyId: true,
-      },
-    });
-
-    return runs.map((run) => run.friendlyId);
-  }
-
-  async listRuns(options: ListRunsOptions) {
-    const runIds = await this.listRunIds(options);
-
-    // If there are more runs than the page size, we need to fetch the next page
-    const hasMore = runIds.length > options.page.size;
+    const cursorFor = (row: RunCursorRow | undefined): string | null =>
+      row ? encodeRunsCursor(row.createdAt, row.runId) : null;
 
     let nextCursor: string | null = null;
     let previousCursor: string | null = null;
 
-    //get cursors for next and previous pages
     const direction = options.page.direction ?? "forward";
     switch (direction) {
       case "forward": {
-        previousCursor = options.page.cursor ? runIds.at(0) ?? null : null;
+        previousCursor = options.page.cursor ? cursorFor(rows.at(0)) : null;
         if (hasMore) {
-          // The next cursor should be the last run ID from this page
-          nextCursor = runIds[options.page.size - 1];
+          // The next cursor is the last run on this page.
+          nextCursor = cursorFor(rows[options.page.size - 1]);
         }
         break;
       }
       case "backward": {
-        const reversedRunIds = [...runIds].reverse();
+        const reversedRows = [...rows].reverse();
         if (hasMore) {
-          previousCursor = reversedRunIds.at(1) ?? null;
-          nextCursor = reversedRunIds.at(options.page.size) ?? null;
+          previousCursor = cursorFor(reversedRows.at(1));
+          nextCursor = cursorFor(reversedRows.at(options.page.size));
         } else {
-          nextCursor = reversedRunIds.at(options.page.size - 1) ?? null;
+          // No newer rows, so there's no previous (newer) page. The next
+          // (older) cursor is the oldest row on this page = rows[0] (rows are
+          // ASC here). Index by the actual row count, not page.size — on a
+          // partial page (fewer than page.size rows) page.size-1 overshoots
+          // and would null the cursor, stranding forward navigation.
+          nextCursor = cursorFor(rows.at(0));
         }
-
         break;
       }
     }
 
-    const runIdsToReturn =
-      options.page.direction === "backward" && hasMore
-        ? runIds.slice(1, options.page.size + 1)
-        : runIds.slice(0, options.page.size);
+    // The page is always the first `page.size` rows of the result. listRunRows
+    // fetches one extra row only to detect `hasMore`; that extra row is the
+    // farthest from the cursor in BOTH directions (forward orders DESC, backward
+    // orders ASC), so it's always the trailing element to drop — never the
+    // leading one. (Slicing `[1, size+1]` for backward dropped the row closest
+    // to the cursor and kept the has-more sentinel, straddling two pages.)
+    const runIds = rows.slice(0, options.page.size).map((row) => row.runId);
+
+    return { runIds, pagination: { nextCursor, previousCursor } };
+  }
+
+  async listFriendlyRunIds(options: ListRunsOptions) {
+    // First get internal IDs from ClickHouse
+    const { runIds } = await this.listRunIds(options);
+
+    if (runIds.length === 0) {
+      return [];
+    }
+
+    // Then get friendly IDs from Prisma
+    const runs = await this.options.prisma.taskRun.findMany({
+      where: {
+        id: {
+          in: runIds,
+        },
+      },
+      select: {
+        friendlyId: true,
+      },
+    });
+
+    return runs.map((run) => run.friendlyId);
+  }
+
+  async listRuns(options: ListRunsOptions) {
+    const { runIds, pagination } = await this.listRunIds(options);
 
     let runs = await this.options.prisma.taskRun.findMany({
       where: {
         id: {
-          in: runIdsToReturn,
+          in: runIds,
         },
       },
       orderBy: {
@@ -151,6 +203,8 @@ export class ClickHouseRunsRepository implements IRunsRepository {
         metadataType: true,
         machinePreset: true,
         queue: true,
+        workerQueue: true,
+        annotations: true,
       },
     });
 
@@ -161,10 +215,7 @@ export class ClickHouseRunsRepository implements IRunsRepository {
 
     return {
       runs,
-      pagination: {
-        nextCursor,
-        previousCursor,
-      },
+      pagination,
     };
   }
 
@@ -270,7 +321,9 @@ function applyRunFiltersToQueryBuilder<T>(
   }
 
   if (options.tags && options.tags.length > 0) {
-    queryBuilder.where("hasAny(tags, {tags: Array(String)})", { tags: options.tags });
+    // Both hasAny and hasAll are served by the tags bloom_filter skip index.
+    const tagsFn = options.tagsMatch === "all" ? "hasAll" : "hasAny";
+    queryBuilder.where(`${tagsFn}(tags, {tags: Array(String)})`, { tags: options.tags });
   }
 
   if (options.scheduleId) {
@@ -323,6 +376,10 @@ function applyRunFiltersToQueryBuilder<T>(
     queryBuilder.where("queue IN {queues: Array(String)}", { queues: options.queues });
   }
 
+  if (options.regions && options.regions.length > 0) {
+    queryBuilder.where("worker_queue IN {regions: Array(String)}", { regions: options.regions });
+  }
+
   if (options.machines && options.machines.length > 0) {
     queryBuilder.where("machine_preset IN {machines: Array(String)}", {
       machines: options.machines,
@@ -334,4 +391,22 @@ function applyRunFiltersToQueryBuilder<T>(
       errorFingerprint: ErrorId.toId(options.errorId),
     });
   }
+
+  if (options.taskKinds && options.taskKinds.length > 0) {
+    const includesStandard = options.taskKinds.includes("STANDARD");
+    // Include empty string when filtering for STANDARD (default value for pre-existing runs)
+    const effectiveKinds = includesStandard
+      ? [...options.taskKinds, ""]
+      : options.taskKinds;
+
+    if (effectiveKinds.length === 1) {
+      queryBuilder.where("task_kind = {taskKind: String}", {
+        taskKind: effectiveKinds[0]!,
+      });
+    } else {
+      queryBuilder.where("task_kind IN {taskKinds: Array(String)}", {
+        taskKinds: effectiveKinds,
+      });
+    }
+  }
 }
diff --git a/apps/webapp/app/services/runsRepository/runsCursor.server.ts b/apps/webapp/app/services/runsRepository/runsCursor.server.ts
new file mode 100644
index 00000000000..f16d30a0c05
--- /dev/null
+++ b/apps/webapp/app/services/runsRepository/runsCursor.server.ts
@@ -0,0 +1,47 @@
+/**
+ * Cursor encoding for keyset pagination over `(created_at, run_id)`.
+ *
+ * The list query orders by the composite key `(created_at, run_id)`, so a sound
+ * cursor must carry BOTH components — cutting on `run_id` alone re-includes and
+ * skips rows whenever `run_id` order diverges from `created_at` order.
+ *
+ * A cursor is an opaque URL-safe base64 token wrapping `{ c: createdAtMs, r:
+ * runId }`. Cursors are server-issued (the SDK just echoes
+ * `pagination.next`/`previous` back), so this format needs no client update.
+ *
+ * Legacy cursors were the bare internal run_id (a cuid). They are detected by
+ * decode failure: a cuid base64-decodes to non-JSON bytes, so it falls through
+ * to `{ kind: "legacy" }` and the old (knowingly unsound) `run_id`-only
+ * predicate. In-flight legacy cursors keep working and drain naturally.
+ */
+
+import { z } from "zod";
+
+export type DecodedRunsCursor =
+  | { kind: "composite"; createdAt: number; runId: string }
+  | { kind: "legacy"; runId: string };
+
+// `c` = created_at (ms since epoch), `r` = run_id. Short keys keep the token small.
+const CompositeCursor = z.object({
+  c: z.number().int(),
+  r: z.string().min(1),
+});
+
+export function encodeRunsCursor(createdAtMs: number, runId: string): string {
+  return Buffer.from(JSON.stringify({ c: createdAtMs, r: runId })).toString("base64url");
+}
+
+export function decodeRunsCursor(cursor: string): DecodedRunsCursor {
+  try {
+    const parsed = CompositeCursor.safeParse(
+      JSON.parse(Buffer.from(cursor, "base64url").toString("utf8"))
+    );
+    if (parsed.success) {
+      return { kind: "composite", createdAt: parsed.data.c, runId: parsed.data.r };
+    }
+  } catch {
+    // JSON.parse threw — not a composite cursor.
+  }
+
+  return { kind: "legacy", runId: cursor };
+}
diff --git a/apps/webapp/app/services/runsRepository/runsRepository.server.ts b/apps/webapp/app/services/runsRepository/runsRepository.server.ts
index 4f097f61ce2..74963bc3ff2 100644
--- a/apps/webapp/app/services/runsRepository/runsRepository.server.ts
+++ b/apps/webapp/app/services/runsRepository/runsRepository.server.ts
@@ -30,6 +30,8 @@ const RunListInputOptionsSchema = z.object({
   versions: z.array(z.string()).optional(),
   statuses: z.array(RunStatus).optional(),
   tags: z.array(z.string()).optional(),
+  // "any" (default) = run has at least one of `tags`; "all" = run has every tag.
+  tagsMatch: z.enum(["any", "all"]).optional(),
   scheduleId: z.string().optional(),
   period: z.string().optional(),
   from: z.number().optional(),
@@ -40,8 +42,10 @@ const RunListInputOptionsSchema = z.object({
   runId: z.array(z.string()).optional(),
   bulkId: z.string().optional(),
   queues: z.array(z.string()).optional(),
+  regions: z.array(z.string()).optional(),
   machines: MachinePresetName.array().optional(),
   errorId: z.string().optional(),
+  taskKinds: z.array(z.string()).optional(),
 });
 
 export type RunListInputOptions = z.infer<typeof RunListInputOptionsSchema>;
@@ -53,6 +57,7 @@ export type RunListInputFilters = Omit<
 export type ParsedRunFilters = RunListInputFilters & {
   cursor?: string;
   direction?: "forward" | "backward";
+  sources?: string[];
 };
 
 export type FilterRunsOptions = Omit<RunListInputOptions, "period"> & {
@@ -102,6 +107,8 @@ export type ListedRun = Prisma.TaskRunGetPayload<{
     metadataType: true;
     machinePreset: true;
     queue: true;
+    workerQueue: true;
+    annotations: true;
   };
 }>;
 
@@ -122,9 +129,25 @@ export type TagList = {
   tags: string[];
 };
 
+export type CursorPagination = {
+  nextCursor: string | null;
+  previousCursor: string | null;
+};
+
+export type RunIdsPage = {
+  runIds: string[];
+  pagination: CursorPagination;
+};
+
 export interface IRunsRepository {
   name: string;
-  listRunIds(options: ListRunsOptions): Promise<string[]>;
+  /**
+   * A keyset-paginated page of run ids plus the cursors to navigate
+   * forward/backward. The cursors are opaque composite `(created_at, run_id)`
+   * tokens, so pagination can't duplicate or skip runs. This is the single
+   * cursor-aware list primitive — `listRuns` and bulk actions build on it.
+   */
+  listRunIds(options: ListRunsOptions): Promise<RunIdsPage>;
   /** Returns friendly IDs (e.g., run_xxx) instead of internal UUIDs. Used for ClickHouse task_events queries. */
   listFriendlyRunIds(options: ListRunsOptions): Promise<string[]>;
   listRuns(options: ListRunsOptions): Promise<{
@@ -149,7 +172,7 @@ export class RunsRepository implements IRunsRepository {
     return "runsRepository";
   }
 
-  async listRunIds(options: ListRunsOptions): Promise<string[]> {
+  async listRunIds(options: ListRunsOptions): Promise<RunIdsPage> {
     return startActiveSpan(
       "runsRepository.listRunIds",
       async () => this.clickHouseRunsRepository.listRunIds(options),
@@ -295,8 +318,9 @@ export async function convertRunListInputOptionsToFilterRunsOptions(
     convertedOptions.runId = options.runId.map((r) => RunId.toFriendlyId(r));
   }
 
-  // Show all runs if we are filtering by batchId or runId
-  if (options.batchId || options.runId?.length || options.scheduleId || options.tasks?.length) {
+  // batchId/runId/scheduleId target specific runs, so rootOnly is meaningless and forced off.
+  // tasks is intentionally excluded so rootOnly can narrow a task filter to root runs only.
+  if (options.batchId || options.runId?.length || options.scheduleId) {
     convertedOptions.rootOnly = false;
   }
 
diff --git a/apps/webapp/app/services/scheduleEmail.server.ts b/apps/webapp/app/services/scheduleEmail.server.ts
new file mode 100644
index 00000000000..0da19c86cb3
--- /dev/null
+++ b/apps/webapp/app/services/scheduleEmail.server.ts
@@ -0,0 +1,16 @@
+import type { DeliverEmail } from "emails";
+import { commonWorker } from "~/v3/commonWorker.server";
+
+// Lives outside email.server.ts so that the SMTP/Resend client module
+// stays a leaf dependency. Pulling commonWorker from email.server poisoned
+// every consumer of the auth chain (auth → emailAuth → email) with the
+// V1+V2 worker tree, which transitively loads marqs and trips Redis-env
+// guards in any vitest file whose import graph reaches it.
+export async function scheduleEmail(data: DeliverEmail, delay?: { seconds: number }) {
+  const availableAt = delay ? new Date(Date.now() + delay.seconds * 1000) : undefined;
+  await commonWorker.enqueue({
+    job: "scheduleEmail",
+    payload: data,
+    availableAt,
+  });
+}
diff --git a/apps/webapp/app/services/secrets/secretStore.server.ts b/apps/webapp/app/services/secrets/secretStore.server.ts
index 855463fcd13..58af8e86f76 100644
--- a/apps/webapp/app/services/secrets/secretStore.server.ts
+++ b/apps/webapp/app/services/secrets/secretStore.server.ts
@@ -18,6 +18,7 @@ type ProviderInitializationOptions = {
 export interface SecretStoreProvider {
   getSecret<T>(schema: z.Schema<T>, key: string): Promise<T | undefined>;
   getSecrets<T>(schema: z.Schema<T>, keyPrefix: string): Promise<{ key: string; value: T }[]>;
+  getSecretsByKeys<T>(schema: z.Schema<T>, keys: string[]): Promise<{ key: string; value: T }[]>;
   setSecret<T extends object>(key: string, value: T): Promise<void>;
   deleteSecret(key: string): Promise<void>;
 }
@@ -48,6 +49,10 @@ export class SecretStore {
     return this.provider.getSecrets(schema, keyPrefix);
   }
 
+  getSecretsByKeys<T>(schema: z.Schema<T>, keys: string[]): Promise<{ key: string; value: T }[]> {
+    return this.provider.getSecretsByKeys(schema, keys);
+  }
+
   deleteSecret(key: string): Promise<void> {
     return this.provider.deleteSecret(key);
   }
@@ -83,29 +88,7 @@ class PrismaSecretStore implements SecretStoreProvider {
       return undefined;
     }
 
-    if (secret.version === "1") {
-      return schema.parse(secret.value);
-    }
-
-    const encryptedData = EncryptedSecretValueSchema.safeParse(secret.value);
-
-    if (!encryptedData.success) {
-      throw new Error(`Unable to parse encrypted secret ${key}: ${encryptedData.error.message}`);
-    }
-
-    const decrypted = await this.#decrypt(
-      encryptedData.data.nonce,
-      encryptedData.data.ciphertext,
-      encryptedData.data.tag
-    );
-
-    const parsedDecrypted = safeJsonParse(decrypted);
-
-    if (!parsedDecrypted) {
-      return;
-    }
-
-    return schema.parse(parsedDecrypted);
+    return this.#parseStoredSecret(schema, secret);
   }
 
   async getSecrets<T>(
@@ -120,37 +103,74 @@ class PrismaSecretStore implements SecretStoreProvider {
       },
     });
 
+    return this.#parseStoredSecrets(schema, secrets);
+  }
+
+  async getSecretsByKeys<T>(
+    schema: z.Schema<T>,
+    keys: string[]
+  ): Promise<{ key: string; value: T }[]> {
+    if (keys.length === 0) {
+      return [];
+    }
+
+    const secrets = await this.#prismaClient.secretStore.findMany({
+      where: {
+        key: {
+          in: keys,
+        },
+      },
+    });
+
+    return this.#parseStoredSecrets(schema, secrets);
+  }
+
+  async #parseStoredSecrets<T>(
+    schema: z.Schema<T>,
+    secrets: Array<{ key: string; value: unknown; version: string }>
+  ): Promise<{ key: string; value: T }[]> {
     const results = [] as { key: string; value: T }[];
 
     for (const secret of secrets) {
-      if (secret.version === "1") {
-        results.push({ key: secret.key, value: schema.parse(secret.value) });
+      const value = await this.#parseStoredSecret(schema, secret);
+      if (value !== undefined) {
+        results.push({ key: secret.key, value });
       }
+    }
 
-      const encryptedData = EncryptedSecretValueSchema.safeParse(secret.value);
+    return results;
+  }
 
-      if (!encryptedData.success) {
-        throw new Error(
-          `Unable to parse encrypted secret ${secret.key}: ${encryptedData.error.message}`
-        );
-      }
+  async #parseStoredSecret<T>(
+    schema: z.Schema<T>,
+    secret: { key: string; value: unknown; version: string }
+  ): Promise<T | undefined> {
+    if (secret.version === "1") {
+      return schema.parse(secret.value);
+    }
 
-      const decrypted = await this.#decrypt(
-        encryptedData.data.nonce,
-        encryptedData.data.ciphertext,
-        encryptedData.data.tag
+    const encryptedData = EncryptedSecretValueSchema.safeParse(secret.value);
+
+    if (!encryptedData.success) {
+      throw new Error(
+        `Unable to parse encrypted secret ${secret.key}: ${encryptedData.error.message}`
       );
+    }
 
-      const parsedDecrypted = safeJsonParse(decrypted);
-      if (!parsedDecrypted) {
-        logger.error(`Secret isn't JSON ${secret.key}`);
-        continue;
-      }
+    const decrypted = await this.#decrypt(
+      encryptedData.data.nonce,
+      encryptedData.data.ciphertext,
+      encryptedData.data.tag
+    );
+
+    const parsedDecrypted = safeJsonParse(decrypted);
 
-      results.push({ key: secret.key, value: schema.parse(parsedDecrypted) });
+    if (!parsedDecrypted) {
+      logger.error(`Secret isn't JSON ${secret.key}`);
+      return undefined;
     }
 
-    return results;
+    return schema.parse(parsedDecrypted);
   }
 
   async setSecret<T extends object>(key: string, value: T): Promise<void> {
diff --git a/apps/webapp/app/services/session.server.ts b/apps/webapp/app/services/session.server.ts
index ea6831265c7..3c55e8efa83 100644
--- a/apps/webapp/app/services/session.server.ts
+++ b/apps/webapp/app/services/session.server.ts
@@ -1,45 +1,118 @@
 import { redirect } from "@remix-run/node";
 import { getUserById } from "~/models/user.server";
+import { sanitizeRedirectPath } from "~/utils";
+import { extractClientIp } from "~/utils/extractClientIp.server";
 import { authenticator } from "./auth.server";
 import { getImpersonationId } from "./impersonation.server";
+import { logger } from "./logger.server";
+
+/**
+ * Logs the user out when their session has lived past `User.nextSessionEnd`.
+ *
+ * The deadline is written at login (and any time the effective duration is
+ * recomputed — see `commitAuthenticatedSession`) and shortened in bulk when
+ * an admin lowers an org cap (see the admin `session-duration` route).
+ * Non-impersonation `requireUserId`/`getUserId` paths do NOT enforce —
+ * enforcement happens at the next page navigation (root.tsx calls `getUser`),
+ * which matches HIPAA auto-logoff semantics: terminate at the navigation
+ * boundary, not on every polling fetch. Impersonation paths DO enforce in
+ * `getUserId` (against the admin's deadline) so a `requireUserId`-only route
+ * can't keep operating as the impersonation target after the admin's session
+ * has expired or their admin role was revoked.
+ *
+ * `nextSessionEnd === null` means "no enforced deadline" — applies to legacy
+ * sessions from before this feature shipped. The default `User.sessionDuration`
+ * is 1 year (matching the cookie's `Max-Age`), so a null deadline is
+ * functionally identical to "natural cookie expiry" for users with default
+ * settings. Every path that produces a sub-default effective duration —
+ * fresh login, user setting change, admin cap change — also writes
+ * `nextSessionEnd`, so there is no realistic state where an unenforced null
+ * masks a tighter cap.
+ */
+function maybeAutoLogout(
+  request: Request,
+  user: { id: string; nextSessionEnd: Date | null },
+  impersonatedUserId: string | null = null
+): void {
+  if (user.nextSessionEnd === null) return;
+  if (Date.now() <= user.nextSessionEnd.getTime()) return;
+  // Don't redirect to /logout when we're already on /logout — root.tsx's
+  // loader runs for every route (including /logout itself), so without this
+  // guard an expired session would redirect to /logout in a loop and the
+  // route's own loader (which destroys the session cookie) would never run.
+  if (new URL(request.url).pathname === "/logout") return;
+
+  // HIPAA audit trail: structured log lands in CloudWatch via stdout. Use
+  // the stable `event` field to filter/aggregate auto-logout events.
+  // `sourceIp` uses ALB's appended (last) X-Forwarded-For element, not the
+  // first one, since the leading element is client-supplied and spoofable.
+  logger.info("Auto-logout: session exceeded effective duration", {
+    event: "session.auto_logout",
+    userId: user.id,
+    impersonatedUserId,
+    nextSessionEnd: user.nextSessionEnd.toISOString(),
+    requestPath: new URL(request.url).pathname,
+    sourceIp: extractClientIp(request.headers.get("x-forwarded-for")),
+  });
+  throw redirect("/logout");
+}
 
 export async function getUserId(request: Request): Promise<string | undefined> {
   const impersonatedUserId = await getImpersonationId(request);
 
   if (impersonatedUserId) {
-    // Verify the real user (from the session cookie) is still an admin
+    // Impersonating: verify the real user (the admin) is still an admin and
+    // enforce against their deadline (the cap belongs to the cookie, not the
+    // target). If admin status was revoked, fall through to operate as the
+    // admin themselves — otherwise a `requireUserId`-only route would keep
+    // letting them act as the impersonation target after losing the role.
     const authUser = await authenticator.isAuthenticated(request);
-    if (authUser?.userId) {
-      const realUser = await getUserById(authUser.userId);
-      if (realUser?.admin) {
-        return impersonatedUserId;
-      }
+    if (!authUser?.userId) return undefined;
+    const realUser = await getUserById(authUser.userId);
+    if (!realUser) return authUser.userId;
+    if (realUser.admin) {
+      maybeAutoLogout(request, realUser, impersonatedUserId);
+      return impersonatedUserId;
     }
-    // Admin revoked or session invalid — fall through to return the real user's ID
-    return authUser?.userId;
+    maybeAutoLogout(request, realUser);
+    return authUser.userId;
   }
 
-  let authUser = await authenticator.isAuthenticated(request);
+  // Non-impersonation fast path: zero DB queries. Auto-logout enforcement
+  // for this path happens in `getUser`, where we already pay for the User
+  // row fetch. `requireUserId` callers stay cookie-only.
+  const authUser = await authenticator.isAuthenticated(request);
   return authUser?.userId;
 }
 
 export async function getUser(request: Request) {
   const userId = await getUserId(request);
   if (userId === undefined) return null;
-
   const user = await getUserById(userId);
-  if (user) return user;
-
-  throw await logout(request);
+  if (!user) {
+    // Same loop-guard as in maybeAutoLogout: if /logout's loader is what
+    // matched, let it destroy the cookie itself rather than redirecting in
+    // circles via root.tsx.
+    if (new URL(request.url).pathname === "/logout") return null;
+    throw await logout(request);
+  }
+  // Auto-logout for the non-impersonation path. The impersonation path was
+  // already enforced inside `getUserId` against the admin's deadline, so
+  // skip re-checking against the (impersonation target's) row here.
+  const impersonationId = await getImpersonationId(request);
+  if (!impersonationId) maybeAutoLogout(request, user);
+  return user;
 }
 
 export async function requireUserId(request: Request, redirectTo?: string) {
   const userId = await getUserId(request);
   if (!userId) {
     const url = new URL(request.url);
-    const searchParams = new URLSearchParams([
-      ["redirectTo", redirectTo ?? `${url.pathname}${url.search}`],
-    ]);
+    // Only propagate the originating URL when it's a real user-navigable page.
+    // Fetcher endpoints (e.g. /resources/*) and auth callbacks would render
+    // blank or loop if used as a post-login destination.
+    const finalRedirectTo = sanitizeRedirectPath(redirectTo ?? `${url.pathname}${url.search}`);
+    const searchParams = new URLSearchParams([["redirectTo", finalRedirectTo]]);
     throw redirect(`/login?${searchParams}`);
   }
   return userId;
@@ -48,28 +121,29 @@ export async function requireUserId(request: Request, redirectTo?: string) {
 export type UserFromSession = Awaited<ReturnType<typeof requireUser>>;
 
 export async function requireUser(request: Request) {
-  const userId = await requireUserId(request);
-
-  const impersonationId = await getImpersonationId(request);
-  const user = await getUserById(userId);
-  if (user) {
-    return {
-      id: user.id,
-      email: user.email,
-      name: user.name,
-      displayName: user.displayName,
-      avatarUrl: user.avatarUrl,
-      admin: user.admin,
-      createdAt: user.createdAt,
-      updatedAt: user.updatedAt,
-      dashboardPreferences: user.dashboardPreferences,
-      confirmedBasicDetails: user.confirmedBasicDetails,
-      mfaEnabledAt: user.mfaEnabledAt,
-      isImpersonating: !!impersonationId && impersonationId === userId,
-    };
+  const user = await getUser(request);
+  if (!user) {
+    const url = new URL(request.url);
+    const finalRedirectTo = sanitizeRedirectPath(`${url.pathname}${url.search}`);
+    const searchParams = new URLSearchParams([["redirectTo", finalRedirectTo]]);
+    throw redirect(`/login?${searchParams}`);
   }
 
-  throw await logout(request);
+  const impersonationId = await getImpersonationId(request);
+  return {
+    id: user.id,
+    email: user.email,
+    name: user.name,
+    displayName: user.displayName,
+    avatarUrl: user.avatarUrl,
+    admin: user.admin,
+    createdAt: user.createdAt,
+    updatedAt: user.updatedAt,
+    dashboardPreferences: user.dashboardPreferences,
+    confirmedBasicDetails: user.confirmedBasicDetails,
+    mfaEnabledAt: user.mfaEnabledAt,
+    isImpersonating: !!impersonationId && impersonationId === user.id,
+  };
 }
 
 export async function logout(request: Request) {
diff --git a/apps/webapp/app/services/sessionDuration.server.ts b/apps/webapp/app/services/sessionDuration.server.ts
new file mode 100644
index 00000000000..2fb8b838fd6
--- /dev/null
+++ b/apps/webapp/app/services/sessionDuration.server.ts
@@ -0,0 +1,170 @@
+import type { Session } from "@remix-run/node";
+import type { PrismaClientOrTransaction } from "@trigger.dev/database";
+import { prisma } from "~/db.server";
+import { commitSession, DEFAULT_SESSION_DURATION_SECONDS } from "./sessionStorage.server";
+
+export { DEFAULT_SESSION_DURATION_SECONDS };
+
+// Months and years use standard Gregorian-calendar conversions (365.2425 days/yr,
+// 30.436875 days/month) so values produced by external "X months in seconds"
+// calculators map cleanly to a labeled option.
+const GREGORIAN_HALF_YEAR_SECONDS = 15_778_476;
+
+export type SessionDurationOption = {
+  value: number;
+  label: string;
+};
+
+export const SESSION_DURATION_OPTIONS: SessionDurationOption[] = [
+  { value: 60 * 5, label: "5 minutes" },
+  { value: 60 * 30, label: "30 minutes" },
+  { value: 60 * 60, label: "1 hour" },
+  { value: 60 * 60 * 24, label: "1 day" },
+  { value: 60 * 60 * 24 * 30, label: "30 days" },
+  { value: GREGORIAN_HALF_YEAR_SECONDS, label: "6 months" },
+  { value: DEFAULT_SESSION_DURATION_SECONDS, label: "1 year" },
+];
+
+export const ALLOWED_SESSION_DURATION_VALUES: ReadonlySet<number> = new Set(
+  SESSION_DURATION_OPTIONS.map((o) => o.value)
+);
+
+export function isAllowedSessionDuration(value: number): boolean {
+  return ALLOWED_SESSION_DURATION_VALUES.has(value);
+}
+
+export type OrganizationSessionCap = {
+  /** The org cap in seconds. */
+  orgCapSeconds: number;
+  /** The id of the org whose cap is currently the most restrictive. */
+  cappingOrgId: string;
+};
+
+/**
+ * Returns the most restrictive max session duration across the user's orgs
+ * along with the id of the org that owns it, ignoring orgs where the cap is
+ * null. Returns null when no org has set a cap.
+ */
+export async function getOrganizationSessionCap(
+  userId: string,
+  client: PrismaClientOrTransaction = prisma
+): Promise<OrganizationSessionCap | null> {
+  const tightest = await client.organization.findFirst({
+    where: {
+      members: { some: { userId } },
+      maxSessionDuration: { not: null },
+      deletedAt: null,
+    },
+    orderBy: { maxSessionDuration: "asc" },
+    select: { id: true, maxSessionDuration: true },
+  });
+  if (!tightest || tightest.maxSessionDuration === null) return null;
+  return { orgCapSeconds: tightest.maxSessionDuration, cappingOrgId: tightest.id };
+}
+
+export type EffectiveSessionDuration = {
+  /** Effective session duration in seconds = min(user.sessionDuration, orgCap?). */
+  durationSeconds: number;
+  /** The org cap in seconds, or null if no org caps the user. */
+  orgCapSeconds: number | null;
+  /** The id of the org whose cap is currently in effect, or null. */
+  cappingOrgId: string | null;
+  /** The raw user setting in seconds. */
+  userSettingSeconds: number;
+};
+
+/**
+ * Computes the effective session duration for a user by combining their
+ * configured `User.sessionDuration` with the most restrictive cap across
+ * their organizations.
+ */
+export async function getEffectiveSessionDuration(
+  userId: string,
+  client: PrismaClientOrTransaction = prisma
+): Promise<EffectiveSessionDuration> {
+  const [user, orgCap] = await Promise.all([
+    client.user.findFirst({
+      where: { id: userId },
+      select: { sessionDuration: true },
+    }),
+    getOrganizationSessionCap(userId, client),
+  ]);
+
+  const userSettingSeconds = user?.sessionDuration ?? DEFAULT_SESSION_DURATION_SECONDS;
+  const durationSeconds =
+    orgCap === null ? userSettingSeconds : Math.min(userSettingSeconds, orgCap.orgCapSeconds);
+
+  return {
+    durationSeconds,
+    orgCapSeconds: orgCap?.orgCapSeconds ?? null,
+    cappingOrgId: orgCap?.cappingOrgId ?? null,
+    userSettingSeconds,
+  };
+}
+
+/**
+ * Returns the dropdown options the user is allowed to pick. Options strictly
+ * greater than the org cap are removed.
+ *
+ * `currentValueSeconds` should be the *effective* (clamped) duration — i.e.
+ * `EffectiveSessionDuration.durationSeconds`, which is guaranteed to be ≤
+ * `orgCapSeconds`. Passing the clamped value makes the dropdown's selected
+ * option reflect what's actually in effect rather than the user's stored
+ * preference, which is the right UX when a stricter org cap supersedes a
+ * larger user setting (the raw user preference stays in the DB and is
+ * restored automatically if the cap is later removed).
+ *
+ * The tag-along branch below — appending `currentValueSeconds` to the option
+ * list when it isn't already present — is now defensive only. It exists so
+ * that any caller passing an out-of-range value (e.g. tests, or future
+ * callers wanting to surface the raw user preference) still gets a renderable
+ * form, rather than a dropdown whose `defaultValue` matches no option.
+ */
+export function getAllowedSessionOptions(
+  orgCapSeconds: number | null,
+  currentValueSeconds: number
+): SessionDurationOption[] {
+  const allowed = SESSION_DURATION_OPTIONS.filter((opt) => {
+    if (orgCapSeconds === null) return true;
+    return opt.value <= orgCapSeconds;
+  });
+
+  if (!allowed.some((o) => o.value === currentValueSeconds)) {
+    const currentLabel =
+      SESSION_DURATION_OPTIONS.find((o) => o.value === currentValueSeconds)?.label ??
+      `${currentValueSeconds} seconds`;
+    allowed.push({ value: currentValueSeconds, label: currentLabel });
+    allowed.sort((a, b) => a.value - b.value);
+  }
+
+  return allowed;
+}
+
+/**
+ * Commits the session for an authenticated user and stamps the user's
+ * effective expiry into `User.nextSessionEnd`. Use this at every
+ * login/MFA-completion point so the session window starts fresh, plus any
+ * time the user re-affirms their session duration. The single DB write here
+ * is the canonical "compute effective duration" step — request-time checks
+ * just read `nextSessionEnd` from the row that `requireUser`/`getUser`
+ * already fetches.
+ *
+ * The auth cookie's `Max-Age` is intentionally long
+ * (`DEFAULT_SESSION_DURATION_SECONDS`, 1 year) so the cookie always reaches
+ * the server. Actual session expiry is enforced server-side by reading
+ * `User.nextSessionEnd`. If we let the cookie expire client-side, the user
+ * is silently logged out.
+ */
+export async function commitAuthenticatedSession(
+  session: Session,
+  userId: string,
+  now: number = Date.now(),
+  client: PrismaClientOrTransaction = prisma
+): Promise<string> {
+  const { durationSeconds } = await getEffectiveSessionDuration(userId, client);
+  await client.user.update({
+    where: { id: userId },
+    data: { nextSessionEnd: new Date(now + durationSeconds * 1000) },
+  });
+  return commitSession(session, { maxAge: DEFAULT_SESSION_DURATION_SECONDS });
+}
diff --git a/apps/webapp/app/services/sessionStorage.server.ts b/apps/webapp/app/services/sessionStorage.server.ts
index 3bb9a51fa7e..c54561d647b 100644
--- a/apps/webapp/app/services/sessionStorage.server.ts
+++ b/apps/webapp/app/services/sessionStorage.server.ts
@@ -1,15 +1,22 @@
 import { createCookieSessionStorage } from "@remix-run/node";
 import { env } from "~/env.server";
 
+// Canonical "1 year in seconds", using Gregorian calendar conversion
+// (365.2425 * 86400) so it matches the labeled "1 year" dropdown option in
+// SESSION_DURATION_OPTIONS exactly. This is the cookie's hard upper-bound
+// lifetime; the actual per-session value is enforced server-side via
+// `sessionIssuedAt` against the user's effective duration.
+export const DEFAULT_SESSION_DURATION_SECONDS = 31_556_952;
+
 export const sessionStorage = createCookieSessionStorage({
   cookie: {
-    name: "__session", // use any name you want here
-    sameSite: "lax", // this helps with CSRF
-    path: "/", // remember to add this so the cookie will work in all routes
-    httpOnly: true, // for security reasons, make this cookie http only
+    name: "__session",
+    sameSite: "lax",
+    path: "/",
+    httpOnly: true,
     secrets: [env.SESSION_SECRET],
-    secure: env.NODE_ENV === "production", // enable this in prod only
-    maxAge: 60 * 60 * 24 * 365, // 7 days
+    secure: env.NODE_ENV === "production",
+    maxAge: DEFAULT_SESSION_DURATION_SECONDS,
   },
 });
 
diff --git a/apps/webapp/app/services/sessionStreamWaitpointCache.server.ts b/apps/webapp/app/services/sessionStreamWaitpointCache.server.ts
new file mode 100644
index 00000000000..31121678282
--- /dev/null
+++ b/apps/webapp/app/services/sessionStreamWaitpointCache.server.ts
@@ -0,0 +1,258 @@
+import { Redis } from "ioredis";
+import { defaultReconnectOnError } from "@internal/redis";
+import { env } from "~/env.server";
+import { singleton } from "~/utils/singleton";
+import { logger } from "./logger.server";
+
+// "ssw" — session-stream-waitpoint. Parallel to the input-stream variant
+// (`isw:{runFriendlyId}:{streamId}`). Keyed on `{environmentId, addressingKey, io}`
+// so a send() lands on the channel regardless of which run is waiting, and
+// multiple concurrent waiters (e.g. two agents on one chat) all wake.
+// The environmentId prefix is load-bearing: the addressing key is the
+// user-supplied externalId (unique only per environment), and this Redis
+// is shared — without it, two environments using the same externalId
+// would drain each other's waitpoints.
+const KEY_PREFIX = "ssw:";
+const DEFAULT_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+
+function buildKey(environmentId: string, addressingKey: string, io: "out" | "in"): string {
+  return `${KEY_PREFIX}${environmentId}:${addressingKey}:${io}`;
+}
+
+// Pre-env-scoping key format, drained for one release so waitpoints from the
+// previous deploy still wake. Removable once this has been live > turn timeout.
+function buildLegacyKey(addressingKey: string, io: "out" | "in"): string {
+  return `${KEY_PREFIX}${addressingKey}:${io}`;
+}
+
+function initializeRedis(): Redis | undefined {
+  const host = env.CACHE_REDIS_HOST;
+  if (!host) {
+    return undefined;
+  }
+
+  return new Redis({
+    connectionName: "sessionStreamWaitpointCache",
+    host,
+    port: env.CACHE_REDIS_PORT,
+    username: env.CACHE_REDIS_USERNAME,
+    password: env.CACHE_REDIS_PASSWORD,
+    keyPrefix: "tr:",
+    enableAutoPipelining: true,
+    reconnectOnError: defaultReconnectOnError,
+    ...(env.CACHE_REDIS_TLS_DISABLED === "true" ? {} : { tls: {} }),
+  });
+}
+
+const redis = singleton("sessionStreamWaitpointCache", initializeRedis);
+
+// Atomic SADD + PEXPIRE that only ever extends the key's TTL.
+//
+// Two concerns rolled into one script:
+// 1. SADD + PEXPIRE as separate commands can leave the key with no TTL
+//    if the second call fails (or the process crashes in between).
+// 2. Each waitpoint registers with its own `ttlMs` (derived from the
+//    waitpoint's timeout). Calling PEXPIRE unconditionally would let a
+//    short-TTL registration shrink the key's TTL below a longer-TTL
+//    sibling — evicting the sibling early and degrading the append-path
+//    fast drain to engine-timeout-only.
+//
+// The script: SADD the member, then set PEXPIRE only if the new TTL is
+// greater than the current PTTL (or the key has no TTL yet). Engine-
+// level timeouts still fire per-waitpoint; this keeps the Redis key
+// alive for the longest-lived member.
+const ADD_WAITPOINT_SCRIPT = `
+  redis.call("SADD", KEYS[1], ARGV[1])
+  local newTtl = tonumber(ARGV[2])
+  local currentTtl = redis.call("PTTL", KEYS[1])
+  if currentTtl < 0 or newTtl > currentTtl then
+    redis.call("PEXPIRE", KEYS[1], newTtl)
+  end
+  return 1
+`;
+
+/**
+ * Register a waitpoint as pending on the given session channel. Called
+ * from the `.wait()` create-waitpoint route. Multiple waiters on the same
+ * channel are allowed (stored as a Redis set).
+ */
+export async function addSessionStreamWaitpoint(
+  environmentId: string,
+  addressingKey: string,
+  io: "out" | "in",
+  waitpointId: string,
+  ttlMs?: number
+): Promise<void> {
+  if (!redis) return;
+
+  try {
+    const key = buildKey(environmentId, addressingKey, io);
+    await redis.eval(
+      ADD_WAITPOINT_SCRIPT,
+      1,
+      key,
+      waitpointId,
+      String(ttlMs ?? DEFAULT_TTL_MS)
+    );
+  } catch (error) {
+    logger.error("Failed to set session stream waitpoint cache", {
+      environmentId,
+      addressingKey,
+      io,
+      error,
+    });
+  }
+}
+
+/**
+ * Atomically read + clear all waitpoints registered on the given session
+ * channel. Called from the append handler so the next append sees an
+ * empty set even if two appends race.
+ */
+export async function drainSessionStreamWaitpoints(
+  environmentId: string,
+  addressingKey: string,
+  io: "out" | "in"
+): Promise<string[]> {
+  if (!redis) return [];
+
+  try {
+    const key = buildKey(environmentId, addressingKey, io);
+    const legacyKey = buildLegacyKey(addressingKey, io);
+    const pipeline = redis.multi();
+    pipeline.smembers(key);
+    pipeline.del(key);
+    pipeline.smembers(legacyKey);
+    pipeline.del(legacyKey);
+    const results = await pipeline.exec();
+    if (!results) return [];
+    // Union members from the env-scoped key and the legacy key (dual-read).
+    const ids = new Set<string>();
+    for (const idx of [0, 2]) {
+      const entry = results[idx];
+      if (!entry) continue;
+      const [err, members] = entry;
+      if (err || !Array.isArray(members)) continue;
+      for (const m of members as string[]) ids.add(m);
+    }
+    return [...ids];
+  } catch (error) {
+    logger.error("Failed to drain session stream waitpoint cache", {
+      environmentId,
+      addressingKey,
+      io,
+      error,
+    });
+    return [];
+  }
+}
+
+/**
+ * Remove a single waitpoint from the pending set. Called after a race
+ * where `.wait()` completed the waitpoint from pre-arrived data.
+ */
+// "ssa" — session-stream-append. Idempotency claim for the append route:
+// when a caller supplies an `X-Part-Id`, the first request atomically claims
+// the key (SET NX) before appending; a concurrent or retried POST with the
+// same id fails the claim and skips the append, so it never produces a
+// duplicate record (or double-fires the waitpoint drain). The claim is
+// released if the append fails, so a retry of a genuinely failed append
+// still goes through. 5-minute window — covers retry storms, not a
+// permanent idempotency store.
+const APPEND_DEDUPE_PREFIX = "ssa:";
+const APPEND_DEDUPE_TTL_SECONDS = 5 * 60;
+
+function buildAppendDedupeKey(
+  environmentId: string,
+  addressingKey: string,
+  io: "out" | "in",
+  partId: string
+): string {
+  // Encode the free-form segments — `addressingKey` (externalId) and `partId`
+  // (X-Part-Id) are user-supplied and may contain `:`, which would otherwise
+  // let different tuples collide and falsely suppress an append.
+  return `${APPEND_DEDUPE_PREFIX}${encodeURIComponent(environmentId)}:${encodeURIComponent(
+    addressingKey
+  )}:${io}:${encodeURIComponent(partId)}`;
+}
+
+/**
+ * Atomically claim a part id before appending. Returns true if this caller
+ * won the claim (first to see this id) and should perform the append, false
+ * if the id was already claimed (a concurrent or retried POST) and the append
+ * should be skipped. Fails open (returns true) when Redis is unavailable —
+ * appends degrade to at-least-once, never to dropped.
+ */
+export async function claimSessionStreamPart(
+  environmentId: string,
+  addressingKey: string,
+  io: "out" | "in",
+  partId: string
+): Promise<boolean> {
+  if (!redis) return true;
+
+  try {
+    // SET NX is the atomic claim: "OK" when set (we won), null when the key
+    // already exists (someone else owns this id).
+    const result = await redis.set(
+      buildAppendDedupeKey(environmentId, addressingKey, io, partId),
+      "1",
+      "EX",
+      APPEND_DEDUPE_TTL_SECONDS,
+      "NX"
+    );
+    return result === "OK";
+  } catch (error) {
+    logger.error("Failed to claim session stream append part", {
+      environmentId,
+      addressingKey,
+      io,
+      partId,
+      error,
+    });
+    return true;
+  }
+}
+
+/** Release a claim so a retry can proceed — called when the append itself failed. */
+export async function releaseSessionStreamPart(
+  environmentId: string,
+  addressingKey: string,
+  io: "out" | "in",
+  partId: string
+): Promise<void> {
+  if (!redis) return;
+
+  try {
+    await redis.del(buildAppendDedupeKey(environmentId, addressingKey, io, partId));
+  } catch (error) {
+    logger.error("Failed to release session stream append part", {
+      environmentId,
+      addressingKey,
+      io,
+      partId,
+      error,
+    });
+  }
+}
+
+export async function removeSessionStreamWaitpoint(
+  environmentId: string,
+  addressingKey: string,
+  io: "out" | "in",
+  waitpointId: string
+): Promise<void> {
+  if (!redis) return;
+
+  try {
+    const key = buildKey(environmentId, addressingKey, io);
+    await redis.srem(key, waitpointId);
+  } catch (error) {
+    logger.error("Failed to remove session stream waitpoint cache entry", {
+      environmentId,
+      addressingKey,
+      io,
+      error,
+    });
+  }
+}
diff --git a/apps/webapp/app/services/sessionsReplicationInstance.server.ts b/apps/webapp/app/services/sessionsReplicationInstance.server.ts
new file mode 100644
index 00000000000..8cbc8303a6f
--- /dev/null
+++ b/apps/webapp/app/services/sessionsReplicationInstance.server.ts
@@ -0,0 +1,88 @@
+import invariant from "tiny-invariant";
+import { env } from "~/env.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
+import { singleton } from "~/utils/singleton";
+import { meter, provider } from "~/v3/tracer.server";
+import { SessionsReplicationService } from "./sessionsReplicationService.server";
+import { signalsEmitter } from "./signals.server";
+
+export const sessionsReplicationInstance = singleton(
+  "sessionsReplicationInstance",
+  initializeSessionsReplicationInstance
+);
+
+function initializeSessionsReplicationInstance() {
+  const { DATABASE_URL } = process.env;
+  invariant(typeof DATABASE_URL === "string", "DATABASE_URL env var not set");
+
+  if (!env.SESSION_REPLICATION_CLICKHOUSE_URL) {
+    console.log("🗃️  Sessions replication service not enabled");
+    return;
+  }
+
+  console.log("🗃️  Sessions replication service enabled");
+
+  const service = new SessionsReplicationService({
+    clickhouseFactory,
+    pgConnectionUrl: DATABASE_URL,
+    serviceName: "sessions-replication",
+    slotName: env.SESSION_REPLICATION_SLOT_NAME,
+    publicationName: env.SESSION_REPLICATION_PUBLICATION_NAME,
+    redisOptions: {
+      keyPrefix: "sessions-replication:",
+      port: env.RUN_REPLICATION_REDIS_PORT ?? undefined,
+      host: env.RUN_REPLICATION_REDIS_HOST ?? undefined,
+      username: env.RUN_REPLICATION_REDIS_USERNAME ?? undefined,
+      password: env.RUN_REPLICATION_REDIS_PASSWORD ?? undefined,
+      enableAutoPipelining: true,
+      ...(env.RUN_REPLICATION_REDIS_TLS_DISABLED === "true" ? {} : { tls: {} }),
+    },
+    maxFlushConcurrency: env.SESSION_REPLICATION_MAX_FLUSH_CONCURRENCY,
+    flushIntervalMs: env.SESSION_REPLICATION_FLUSH_INTERVAL_MS,
+    flushBatchSize: env.SESSION_REPLICATION_FLUSH_BATCH_SIZE,
+    leaderLockTimeoutMs: env.SESSION_REPLICATION_LEADER_LOCK_TIMEOUT_MS,
+    leaderLockExtendIntervalMs: env.SESSION_REPLICATION_LEADER_LOCK_EXTEND_INTERVAL_MS,
+    leaderLockAcquireAdditionalTimeMs: env.SESSION_REPLICATION_LEADER_LOCK_ADDITIONAL_TIME_MS,
+    leaderLockRetryIntervalMs: env.SESSION_REPLICATION_LEADER_LOCK_RETRY_INTERVAL_MS,
+    ackIntervalSeconds: env.SESSION_REPLICATION_ACK_INTERVAL_SECONDS,
+    logLevel: env.SESSION_REPLICATION_LOG_LEVEL,
+    waitForAsyncInsert: env.SESSION_REPLICATION_WAIT_FOR_ASYNC_INSERT === "1",
+    tracer: provider.getTracer("sessions-replication-service"),
+    meter,
+    insertMaxRetries: env.SESSION_REPLICATION_INSERT_MAX_RETRIES,
+    insertBaseDelayMs: env.SESSION_REPLICATION_INSERT_BASE_DELAY_MS,
+    insertMaxDelayMs: env.SESSION_REPLICATION_INSERT_MAX_DELAY_MS,
+    insertStrategy: env.SESSION_REPLICATION_INSERT_STRATEGY,
+  });
+
+  if (env.SESSION_REPLICATION_ENABLED === "1") {
+    // Gate start() on the org data-stores registry being loaded. Starting earlier would
+    // race the registry load — sync factory lookups would return `null` and route org-scoped
+    // sessions to the default ClickHouse, writing them to the wrong cluster.
+    clickhouseFactory
+      .isReady()
+      .then(() => service.start())
+      .then(() => {
+        console.log("🗃️ Sessions replication service started");
+      })
+      .catch((error) => {
+        console.error("🗃️ Sessions replication service failed to start", {
+          error,
+        });
+      });
+
+    // SIGTERM/SIGINT fire during process teardown; wrap the async shutdown so an
+    // unhandled rejection doesn't bubble past process exit.
+    const shutdownSessionsReplication = () => {
+      service.shutdown().catch((error) => {
+        console.error("🗃️ Sessions replication service shutdown error", {
+          error,
+        });
+      });
+    };
+    signalsEmitter.on("SIGTERM", shutdownSessionsReplication);
+    signalsEmitter.on("SIGINT", shutdownSessionsReplication);
+  }
+
+  return service;
+}
diff --git a/apps/webapp/app/services/sessionsReplicationService.server.ts b/apps/webapp/app/services/sessionsReplicationService.server.ts
new file mode 100644
index 00000000000..12b66e29dfb
--- /dev/null
+++ b/apps/webapp/app/services/sessionsReplicationService.server.ts
@@ -0,0 +1,813 @@
+import type { ClickHouse, SessionInsertArray } from "@internal/clickhouse";
+import { getSessionField } from "@internal/clickhouse";
+import { type RedisOptions } from "@internal/redis";
+import {
+  LogicalReplicationClient,
+  type MessageDelete,
+  type MessageInsert,
+  type MessageUpdate,
+  type PgoutputMessage,
+} from "@internal/replication";
+import {
+  getMeter,
+  recordSpanError,
+  startSpan,
+  trace,
+  type Counter,
+  type Histogram,
+  type Meter,
+  type Tracer,
+} from "@internal/tracing";
+import { Logger, type LogLevel } from "@trigger.dev/core/logger";
+import { tryCatch } from "@trigger.dev/core/utils";
+import { type Session } from "@trigger.dev/database";
+import EventEmitter from "node:events";
+import type { ClickhouseFactory } from "~/services/clickhouse/clickhouseFactory.server";
+import { ConcurrentFlushScheduler } from "./runsReplicationService.server";
+
+interface TransactionEvent<T = any> {
+  tag: "insert" | "update" | "delete";
+  data: T;
+  raw: MessageInsert | MessageUpdate | MessageDelete;
+}
+
+interface Transaction<T = any> {
+  beginStartTimestamp: number;
+  commitLsn: string | null;
+  commitEndLsn: string | null;
+  xid: number;
+  events: TransactionEvent<T>[];
+  replicationLagMs: number;
+}
+
+export type SessionsReplicationServiceOptions = {
+  clickhouseFactory: ClickhouseFactory;
+  pgConnectionUrl: string;
+  serviceName: string;
+  slotName: string;
+  publicationName: string;
+  redisOptions: RedisOptions;
+  maxFlushConcurrency?: number;
+  flushIntervalMs?: number;
+  flushBatchSize?: number;
+  leaderLockTimeoutMs?: number;
+  leaderLockExtendIntervalMs?: number;
+  leaderLockAcquireAdditionalTimeMs?: number;
+  leaderLockRetryIntervalMs?: number;
+  ackIntervalSeconds?: number;
+  acknowledgeTimeoutMs?: number;
+  logger?: Logger;
+  logLevel?: LogLevel;
+  tracer?: Tracer;
+  meter?: Meter;
+  waitForAsyncInsert?: boolean;
+  insertStrategy?: "insert" | "insert_async";
+  // Retry configuration for insert operations
+  insertMaxRetries?: number;
+  insertBaseDelayMs?: number;
+  insertMaxDelayMs?: number;
+};
+
+type SessionInsert = {
+  _version: bigint;
+  session: Session;
+  event: "insert" | "update" | "delete";
+};
+
+export type SessionsReplicationServiceEvents = {
+  message: [{ lsn: string; message: PgoutputMessage; service: SessionsReplicationService }];
+  batchFlushed: [{ flushId: string; sessionInserts: SessionInsertArray[] }];
+};
+
+export class SessionsReplicationService {
+  private _isSubscribed = false;
+  private _currentTransaction:
+    | (Omit<Transaction<Session>, "commitEndLsn" | "replicationLagMs"> & {
+        commitEndLsn?: string | null;
+        replicationLagMs?: number;
+      })
+    | null = null;
+
+  private _replicationClient: LogicalReplicationClient;
+  private _concurrentFlushScheduler: ConcurrentFlushScheduler<SessionInsert>;
+  private logger: Logger;
+  private _isShuttingDown = false;
+  private _isShutDownComplete = false;
+  private _tracer: Tracer;
+  private _meter: Meter;
+  private _currentParseDurationMs: number | null = null;
+  private _lastAcknowledgedAt: number | null = null;
+  private _acknowledgeTimeoutMs: number;
+  private _latestCommitEndLsn: string | null = null;
+  private _lastAcknowledgedLsn: string | null = null;
+  private _acknowledgeInterval: NodeJS.Timeout | null = null;
+  // Retry configuration
+  private _insertMaxRetries: number;
+  private _insertBaseDelayMs: number;
+  private _insertMaxDelayMs: number;
+  private _insertStrategy: "insert" | "insert_async";
+
+  // Metrics
+  private _replicationLagHistogram: Histogram;
+  private _batchesFlushedCounter: Counter;
+  private _batchSizeHistogram: Histogram;
+  private _sessionsInsertedCounter: Counter;
+  private _insertRetriesCounter: Counter;
+  private _eventsProcessedCounter: Counter;
+  private _flushDurationHistogram: Histogram;
+
+  public readonly events: EventEmitter<SessionsReplicationServiceEvents>;
+
+  constructor(private readonly options: SessionsReplicationServiceOptions) {
+    this.logger =
+      options.logger ?? new Logger("SessionsReplicationService", options.logLevel ?? "info");
+    this.events = new EventEmitter();
+    this._tracer = options.tracer ?? trace.getTracer("sessions-replication-service");
+    this._meter = options.meter ?? getMeter("sessions-replication");
+
+    // Initialize metrics
+    this._replicationLagHistogram = this._meter.createHistogram(
+      "sessions_replication.replication_lag_ms",
+      {
+        description: "Replication lag from Postgres commit to processing",
+        unit: "ms",
+      }
+    );
+
+    this._batchesFlushedCounter = this._meter.createCounter(
+      "sessions_replication.batches_flushed",
+      {
+        description: "Total batches flushed to ClickHouse",
+      }
+    );
+
+    this._batchSizeHistogram = this._meter.createHistogram("sessions_replication.batch_size", {
+      description: "Number of items per batch flush",
+      unit: "items",
+    });
+
+    this._sessionsInsertedCounter = this._meter.createCounter(
+      "sessions_replication.sessions_inserted",
+      {
+        description: "Session inserts to ClickHouse",
+        unit: "inserts",
+      }
+    );
+
+    this._insertRetriesCounter = this._meter.createCounter("sessions_replication.insert_retries", {
+      description: "Insert retry attempts",
+    });
+
+    this._eventsProcessedCounter = this._meter.createCounter(
+      "sessions_replication.events_processed",
+      {
+        description: "Replication events processed (inserts, updates, deletes)",
+      }
+    );
+
+    this._flushDurationHistogram = this._meter.createHistogram(
+      "sessions_replication.flush_duration_ms",
+      {
+        description: "Duration of batch flush operations",
+        unit: "ms",
+      }
+    );
+
+    this._acknowledgeTimeoutMs = options.acknowledgeTimeoutMs ?? 1_000;
+
+    this._insertStrategy = options.insertStrategy ?? "insert";
+
+    this._replicationClient = new LogicalReplicationClient({
+      pgConfig: {
+        connectionString: options.pgConnectionUrl,
+      },
+      name: options.serviceName,
+      slotName: options.slotName,
+      publicationName: options.publicationName,
+      table: "Session",
+      redisOptions: options.redisOptions,
+      autoAcknowledge: false,
+      publicationActions: ["insert", "update", "delete"],
+      logger: options.logger ?? new Logger("LogicalReplicationClient", options.logLevel ?? "info"),
+      leaderLockTimeoutMs: options.leaderLockTimeoutMs ?? 30_000,
+      leaderLockExtendIntervalMs: options.leaderLockExtendIntervalMs ?? 10_000,
+      ackIntervalSeconds: options.ackIntervalSeconds ?? 10,
+      leaderLockAcquireAdditionalTimeMs: options.leaderLockAcquireAdditionalTimeMs ?? 10_000,
+      leaderLockRetryIntervalMs: options.leaderLockRetryIntervalMs ?? 500,
+      tracer: options.tracer,
+    });
+
+    this._concurrentFlushScheduler = new ConcurrentFlushScheduler<SessionInsert>({
+      batchSize: options.flushBatchSize ?? 50,
+      flushInterval: options.flushIntervalMs ?? 100,
+      maxConcurrency: options.maxFlushConcurrency ?? 100,
+      callback: this.#flushBatch.bind(this),
+      // Key-based deduplication to reduce duplicates sent to ClickHouse
+      getKey: (item) => {
+        if (!item?.session?.id) {
+          this.logger.warn("Skipping replication event with null session", { event: item });
+          return null;
+        }
+        return `${item.event}_${item.session.id}`;
+      },
+      // Keep the session with the higher version (latest)
+      // and take the last occurrence for that version.
+      // Items originating from the same DB transaction have the same version.
+      shouldReplace: (existing, incoming) => incoming._version >= existing._version,
+      logger: new Logger("ConcurrentFlushScheduler", options.logLevel ?? "info"),
+      tracer: options.tracer,
+    });
+
+    this._replicationClient.events.on("data", async ({ lsn, log, parseDuration }) => {
+      this.#handleData(lsn, log, parseDuration);
+    });
+
+    this._replicationClient.events.on("heartbeat", async ({ lsn, shouldRespond }) => {
+      if (this._isShuttingDown) return;
+      if (this._isShutDownComplete) return;
+
+      if (shouldRespond) {
+        this._lastAcknowledgedLsn = lsn;
+        await this._replicationClient.acknowledge(lsn);
+      }
+    });
+
+    this._replicationClient.events.on("error", (error) => {
+      this.logger.error("Replication client error", {
+        error,
+      });
+    });
+
+    this._replicationClient.events.on("start", () => {
+      this.logger.info("Replication client started");
+    });
+
+    this._replicationClient.events.on("acknowledge", ({ lsn }) => {
+      this.logger.debug("Acknowledged", { lsn });
+    });
+
+    this._replicationClient.events.on("leaderElection", (isLeader) => {
+      this.logger.info("Leader election", { isLeader });
+    });
+
+    // Initialize retry configuration
+    this._insertMaxRetries = options.insertMaxRetries ?? 3;
+    this._insertBaseDelayMs = options.insertBaseDelayMs ?? 100;
+    this._insertMaxDelayMs = options.insertMaxDelayMs ?? 2000;
+  }
+
+  public async shutdown() {
+    if (this._isShuttingDown) return;
+
+    this._isShuttingDown = true;
+
+    this.logger.info("Initiating shutdown of sessions replication service");
+
+    if (!this._currentTransaction) {
+      this.logger.info("No transaction to commit, shutting down immediately");
+      await this._replicationClient.stop();
+      this._isSubscribed = false;
+      this._isShutDownComplete = true;
+      return;
+    }
+
+    this._concurrentFlushScheduler.shutdown();
+  }
+
+  async start() {
+    if (this._isSubscribed) {
+      this.logger.debug("Replication client already started, skipping start");
+      return;
+    }
+
+    this.logger.info("Starting replication client", {
+      lastLsn: this._latestCommitEndLsn,
+    });
+
+    await this._replicationClient.subscribe(this._latestCommitEndLsn ?? undefined);
+
+    this._acknowledgeInterval = setInterval(this.#acknowledgeLatestTransaction.bind(this), 1000);
+    this._concurrentFlushScheduler.start();
+    this._isSubscribed = true;
+  }
+
+  async stop() {
+    this.logger.info("Stopping replication client");
+
+    await this._replicationClient.stop();
+
+    if (this._acknowledgeInterval) {
+      clearInterval(this._acknowledgeInterval);
+      this._acknowledgeInterval = null;
+    }
+
+    this._isSubscribed = false;
+  }
+
+  async teardown() {
+    this.logger.info("Teardown replication client");
+
+    await this._replicationClient.teardown();
+
+    if (this._acknowledgeInterval) {
+      clearInterval(this._acknowledgeInterval);
+      this._acknowledgeInterval = null;
+    }
+
+    this._isSubscribed = false;
+  }
+
+  #handleData(lsn: string, message: PgoutputMessage, parseDuration: bigint) {
+    this.logger.debug("Handling data", {
+      lsn,
+      tag: message.tag,
+      parseDuration,
+    });
+
+    this.events.emit("message", { lsn, message, service: this });
+
+    switch (message.tag) {
+      case "begin": {
+        if (this._isShuttingDown || this._isShutDownComplete) {
+          return;
+        }
+
+        this._currentTransaction = {
+          beginStartTimestamp: Date.now(),
+          commitLsn: message.commitLsn,
+          xid: message.xid,
+          events: [],
+        };
+
+        this._currentParseDurationMs = Number(parseDuration) / 1_000_000;
+
+        break;
+      }
+      case "insert": {
+        if (!this._currentTransaction) {
+          return;
+        }
+
+        if (this._currentParseDurationMs) {
+          this._currentParseDurationMs =
+            this._currentParseDurationMs + Number(parseDuration) / 1_000_000;
+        }
+
+        this._currentTransaction.events.push({
+          tag: message.tag,
+          data: message.new as Session,
+          raw: message,
+        });
+        break;
+      }
+      case "update": {
+        if (!this._currentTransaction) {
+          return;
+        }
+
+        if (this._currentParseDurationMs) {
+          this._currentParseDurationMs =
+            this._currentParseDurationMs + Number(parseDuration) / 1_000_000;
+        }
+
+        this._currentTransaction.events.push({
+          tag: message.tag,
+          data: message.new as Session,
+          raw: message,
+        });
+        break;
+      }
+      case "delete": {
+        if (!this._currentTransaction) {
+          return;
+        }
+
+        if (this._currentParseDurationMs) {
+          this._currentParseDurationMs =
+            this._currentParseDurationMs + Number(parseDuration) / 1_000_000;
+        }
+
+        this._currentTransaction.events.push({
+          tag: message.tag,
+          data: message.old as Session,
+          raw: message,
+        });
+
+        break;
+      }
+      case "commit": {
+        if (!this._currentTransaction) {
+          return;
+        }
+
+        if (this._currentParseDurationMs) {
+          this._currentParseDurationMs =
+            this._currentParseDurationMs + Number(parseDuration) / 1_000_000;
+        }
+
+        const replicationLagMs = Date.now() - Number(message.commitTime / 1000n);
+        this._currentTransaction.commitEndLsn = message.commitEndLsn;
+        this._currentTransaction.replicationLagMs = replicationLagMs;
+        const transaction = this._currentTransaction as Transaction<Session>;
+        this._currentTransaction = null;
+
+        if (transaction.commitEndLsn) {
+          this._latestCommitEndLsn = transaction.commitEndLsn;
+        }
+
+        this.#handleTransaction(transaction);
+        break;
+      }
+      default: {
+        this.logger.debug("Unknown message tag", {
+          pgMessage: message,
+        });
+      }
+    }
+  }
+
+  #handleTransaction(transaction: Transaction<Session>) {
+    if (this._isShutDownComplete) return;
+
+    if (this._isShuttingDown) {
+      this._replicationClient.stop().finally(() => {
+        this._isSubscribed = false;
+        this._isShutDownComplete = true;
+      });
+    }
+
+    // If there are no events, do nothing
+    if (transaction.events.length === 0) {
+      return;
+    }
+
+    if (!transaction.commitEndLsn) {
+      this.logger.error("Transaction has no commit end lsn", {
+        transaction,
+      });
+
+      return;
+    }
+
+    const lsnToUInt64Start = process.hrtime.bigint();
+
+    // If there are events, we need to handle them
+    const _version = lsnToUInt64(transaction.commitEndLsn);
+
+    const lsnToUInt64DurationMs = Number(process.hrtime.bigint() - lsnToUInt64Start) / 1_000_000;
+
+    this._concurrentFlushScheduler.addToBatch(
+      transaction.events.map((event) => ({
+        _version,
+        session: event.data,
+        event: event.tag,
+      }))
+    );
+
+    // Record metrics
+    this._replicationLagHistogram.record(transaction.replicationLagMs);
+
+    // Count events by type
+    for (const event of transaction.events) {
+      this._eventsProcessedCounter.add(1, { event_type: event.tag });
+    }
+
+    this.logger.debug("handle_transaction", {
+      transaction: {
+        xid: transaction.xid,
+        commitLsn: transaction.commitLsn,
+        commitEndLsn: transaction.commitEndLsn,
+        events: transaction.events.length,
+        parseDurationMs: this._currentParseDurationMs,
+        lsnToUInt64DurationMs,
+        version: _version.toString(),
+      },
+    });
+  }
+
+  async #acknowledgeLatestTransaction() {
+    if (!this._latestCommitEndLsn) {
+      return;
+    }
+
+    if (this._lastAcknowledgedLsn === this._latestCommitEndLsn) {
+      return;
+    }
+
+    const now = Date.now();
+
+    if (this._lastAcknowledgedAt) {
+      const timeSinceLastAcknowledged = now - this._lastAcknowledgedAt;
+      // If we've already acknowledged within the last second, don't acknowledge again
+      if (timeSinceLastAcknowledged < this._acknowledgeTimeoutMs) {
+        return;
+      }
+    }
+
+    this._lastAcknowledgedAt = now;
+    this._lastAcknowledgedLsn = this._latestCommitEndLsn;
+
+    this.logger.debug("acknowledge_latest_transaction", {
+      commitEndLsn: this._latestCommitEndLsn,
+      lastAcknowledgedAt: this._lastAcknowledgedAt,
+    });
+
+    const [ackError] = await tryCatch(
+      this._replicationClient.acknowledge(this._latestCommitEndLsn)
+    );
+
+    if (ackError) {
+      this.logger.error("Error acknowledging transaction", { ackError });
+    }
+
+    if (this._isShutDownComplete && this._acknowledgeInterval) {
+      clearInterval(this._acknowledgeInterval);
+    }
+  }
+
+  async #flushBatch(flushId: string, batch: Array<SessionInsert>) {
+    if (batch.length === 0) {
+      return;
+    }
+
+    this.logger.debug("Flushing batch", {
+      flushId,
+      batchSize: batch.length,
+    });
+
+    const flushStartTime = performance.now();
+
+    await startSpan(this._tracer, "flushBatch", async (span) => {
+      const routeCache = new Map<string, ClickHouse>();
+      const groups = new Map<ClickHouse, { sessionInserts: SessionInsertArray[] }>();
+
+      for (const item of batch) {
+        if (!item.session.organizationId) {
+          continue;
+        }
+
+        let client = routeCache.get(item.session.organizationId);
+        if (!client) {
+          client = this.options.clickhouseFactory.getClickhouseForOrganizationSync(
+            item.session.organizationId,
+            "sessions_replication"
+          );
+          routeCache.set(item.session.organizationId, client);
+        }
+
+        let group = groups.get(client);
+        if (!group) {
+          group = { sessionInserts: [] };
+          groups.set(client, group);
+        }
+
+        group.sessionInserts.push(
+          toSessionInsertArray(item.session, item._version, item.event === "delete")
+        );
+      }
+
+      // batch inserts in clickhouse are more performant if the items
+      // are pre-sorted by the primary key
+      const sortSessionInserts = (rows: SessionInsertArray[]) =>
+        rows.sort((a, b) => {
+          const aOrgId = getSessionField(a, "organization_id");
+          const bOrgId = getSessionField(b, "organization_id");
+          if (aOrgId !== bOrgId) {
+            return aOrgId < bOrgId ? -1 : 1;
+          }
+          const aProjId = getSessionField(a, "project_id");
+          const bProjId = getSessionField(b, "project_id");
+          if (aProjId !== bProjId) {
+            return aProjId < bProjId ? -1 : 1;
+          }
+          const aEnvId = getSessionField(a, "environment_id");
+          const bEnvId = getSessionField(b, "environment_id");
+          if (aEnvId !== bEnvId) {
+            return aEnvId < bEnvId ? -1 : 1;
+          }
+          const aCreatedAt = getSessionField(a, "created_at");
+          const bCreatedAt = getSessionField(b, "created_at");
+          if (aCreatedAt !== bCreatedAt) {
+            return aCreatedAt - bCreatedAt;
+          }
+          const aSessionId = getSessionField(a, "session_id");
+          const bSessionId = getSessionField(b, "session_id");
+          if (aSessionId === bSessionId) return 0;
+          return aSessionId < bSessionId ? -1 : 1;
+        });
+
+      const combinedSessionInserts: SessionInsertArray[] = [];
+      let sessionError: Error | null = null;
+
+      // Sequential per-group flush — matches runsReplicationService for the same reason
+      // (parallel writes have hit Linux net.ipv4.tcp_wmem buffer pressure at high throughput).
+      for (const [clickhouse, group] of groups) {
+        sortSessionInserts(group.sessionInserts);
+        combinedSessionInserts.push(...group.sessionInserts);
+
+        const [insErr] = await this.#insertWithRetry(
+          (attempt) => this.#insertSessionInserts(clickhouse, group.sessionInserts, attempt),
+          "session inserts",
+          flushId
+        );
+        if (insErr && !sessionError) {
+          sessionError = insErr;
+        }
+
+        if (!insErr) {
+          this._sessionsInsertedCounter.add(group.sessionInserts.length);
+        }
+      }
+
+      span.setAttribute("session_inserts", combinedSessionInserts.length);
+
+      this.logger.debug("Flushing inserts", {
+        flushId,
+        sessionInserts: combinedSessionInserts.length,
+        clickhouseGroups: groups.size,
+      });
+
+      if (sessionError) {
+        this.logger.error("Error inserting session inserts", {
+          error: sessionError,
+          flushId,
+        });
+        recordSpanError(span, sessionError);
+      }
+
+      this.logger.debug("Flushed inserts", {
+        flushId,
+        sessionInserts: combinedSessionInserts.length,
+      });
+
+      this.events.emit("batchFlushed", { flushId, sessionInserts: combinedSessionInserts });
+
+      const flushDurationMs = performance.now() - flushStartTime;
+      const hasErrors = sessionError !== null;
+
+      this._batchSizeHistogram.record(batch.length);
+      this._flushDurationHistogram.record(flushDurationMs);
+      this._batchesFlushedCounter.add(1, { success: !hasErrors });
+    });
+  }
+
+  // New method to handle inserts with retry logic for connection errors
+  async #insertWithRetry<T>(
+    insertFn: (attempt: number) => Promise<T>,
+    operationName: string,
+    flushId: string
+  ): Promise<[Error | null, T | null]> {
+    let lastError: Error | null = null;
+
+    for (let attempt = 1; attempt <= this._insertMaxRetries; attempt++) {
+      try {
+        const result = await insertFn(attempt);
+        return [null, result];
+      } catch (error) {
+        lastError = error instanceof Error ? error : new Error(String(error));
+
+        // Check if this is a retryable error
+        if (this.#isRetryableError(lastError)) {
+          const delay = this.#calculateRetryDelay(attempt);
+
+          this.logger.warn(`Retrying SessionsReplication insert due to error`, {
+            operationName,
+            flushId,
+            attempt,
+            maxRetries: this._insertMaxRetries,
+            error: lastError.message,
+            delay,
+          });
+
+          // Record retry metric
+          this._insertRetriesCounter.add(1, { operation: "sessions" });
+
+          await new Promise((resolve) => setTimeout(resolve, delay));
+          continue;
+        }
+        break;
+      }
+    }
+
+    return [lastError, null];
+  }
+
+  // Retry all errors except known permanent ones
+  #isRetryableError(error: Error): boolean {
+    const errorMessage = error.message.toLowerCase();
+
+    // Permanent errors that should NOT be retried
+    const permanentErrorPatterns = [
+      "authentication failed",
+      "permission denied",
+      "invalid credentials",
+      "table not found",
+      "database not found",
+      "column not found",
+      "schema mismatch",
+      "invalid query",
+      "syntax error",
+      "type error",
+      "constraint violation",
+      "duplicate key",
+      "foreign key violation",
+    ];
+
+    // If it's a known permanent error, don't retry
+    if (permanentErrorPatterns.some((pattern) => errorMessage.includes(pattern))) {
+      return false;
+    }
+
+    // Retry everything else
+    return true;
+  }
+
+  #calculateRetryDelay(attempt: number): number {
+    // Exponential backoff: baseDelay, baseDelay*2, baseDelay*4, etc.
+    const delay = Math.min(
+      this._insertBaseDelayMs * Math.pow(2, attempt - 1),
+      this._insertMaxDelayMs
+    );
+
+    // Add some jitter to prevent thundering herd
+    const jitter = Math.random() * 100;
+    return delay + jitter;
+  }
+
+  #getClickhouseInsertSettings() {
+    if (this._insertStrategy === "insert") {
+      return {};
+    }
+
+    return {
+      async_insert: 1 as const,
+      async_insert_max_data_size: "1000000",
+      async_insert_busy_timeout_ms: 1000,
+      wait_for_async_insert: this.options.waitForAsyncInsert ? (1 as const) : (0 as const),
+    };
+  }
+
+  async #insertSessionInserts(
+    clickhouse: ClickHouse,
+    sessionInserts: SessionInsertArray[],
+    attempt: number
+  ) {
+    if (sessionInserts.length === 0) {
+      return;
+    }
+    return await startSpan(this._tracer, "insertSessionInserts", async (span) => {
+      const [insertError, insertResult] = await clickhouse.sessions.insertCompactArrays(
+        sessionInserts,
+        {
+          params: {
+            clickhouse_settings: this.#getClickhouseInsertSettings(),
+          },
+        }
+      );
+
+      if (insertError) {
+        this.logger.error("Error inserting session inserts attempt", {
+          error: insertError,
+          attempt,
+        });
+
+        recordSpanError(span, insertError);
+        throw insertError;
+      }
+
+      return insertResult;
+    });
+  }
+}
+
+function toSessionInsertArray(
+  session: Session,
+  version: bigint,
+  isDeleted: boolean
+): SessionInsertArray {
+  return [
+    session.runtimeEnvironmentId,
+    session.organizationId,
+    session.projectId,
+    session.id,
+    session.environmentType,
+    session.friendlyId,
+    session.externalId ?? "",
+    session.type,
+    session.taskIdentifier ?? "",
+    session.tags ?? [],
+    { data: session.metadata ?? null },
+    session.closedAt ? session.closedAt.getTime() : null,
+    session.closedReason ?? "",
+    session.expiresAt ? session.expiresAt.getTime() : null,
+    session.createdAt.getTime(),
+    session.updatedAt.getTime(),
+    version.toString(),
+    isDeleted ? 1 : 0,
+  ];
+}
+
+function lsnToUInt64(lsn: string): bigint {
+  const [seg, off] = lsn.split("/");
+  return (BigInt("0x" + seg) << 32n) | BigInt("0x" + off);
+}
diff --git a/apps/webapp/app/services/sessionsRepository/clickhouseSessionsRepository.server.ts b/apps/webapp/app/services/sessionsRepository/clickhouseSessionsRepository.server.ts
new file mode 100644
index 00000000000..aebf61628fa
--- /dev/null
+++ b/apps/webapp/app/services/sessionsRepository/clickhouseSessionsRepository.server.ts
@@ -0,0 +1,255 @@
+import { type ClickhouseQueryBuilder } from "@internal/clickhouse";
+import parseDuration from "parse-duration";
+import {
+  convertSessionListInputOptionsToFilterOptions,
+  type FilterSessionsOptions,
+  type ISessionsRepository,
+  type ListSessionsOptions,
+  type SessionListInputOptions,
+  type SessionTagListOptions,
+  type SessionsRepositoryOptions,
+} from "./sessionsRepository.server";
+
+export class ClickHouseSessionsRepository implements ISessionsRepository {
+  constructor(private readonly options: SessionsRepositoryOptions) {}
+
+  get name() {
+    return "clickhouse";
+  }
+
+  async listSessionIds(options: ListSessionsOptions): Promise<string[]> {
+    const queryBuilder = this.options.clickhouse.sessions.queryBuilder();
+    applySessionFiltersToQueryBuilder(
+      queryBuilder,
+      convertSessionListInputOptionsToFilterOptions(options)
+    );
+
+    if (options.page.cursor) {
+      if (options.page.direction === "forward" || !options.page.direction) {
+        queryBuilder
+          .where("session_id < {sessionId: String}", { sessionId: options.page.cursor })
+          .orderBy("created_at DESC, session_id DESC")
+          .limit(options.page.size + 1);
+      } else {
+        queryBuilder
+          .where("session_id > {sessionId: String}", { sessionId: options.page.cursor })
+          .orderBy("created_at ASC, session_id ASC")
+          .limit(options.page.size + 1);
+      }
+    } else {
+      queryBuilder.orderBy("created_at DESC, session_id DESC").limit(options.page.size + 1);
+    }
+
+    const [queryError, result] = await queryBuilder.execute();
+    if (queryError) throw queryError;
+
+    return result.map((row) => row.session_id);
+  }
+
+  async listSessions(options: ListSessionsOptions) {
+    const sessionIds = await this.listSessionIds(options);
+    const hasMore = sessionIds.length > options.page.size;
+
+    let nextCursor: string | null = null;
+    let previousCursor: string | null = null;
+
+    const direction = options.page.direction ?? "forward";
+    switch (direction) {
+      case "forward": {
+        previousCursor = options.page.cursor ? sessionIds.at(0) ?? null : null;
+        if (hasMore) {
+          nextCursor = sessionIds[options.page.size - 1];
+        }
+        break;
+      }
+      case "backward": {
+        const reversed = [...sessionIds].reverse();
+        if (hasMore) {
+          previousCursor = reversed.at(1) ?? null;
+          nextCursor = reversed.at(options.page.size) ?? null;
+        } else {
+          nextCursor = reversed.at(options.page.size - 1) ?? null;
+        }
+        break;
+      }
+    }
+
+    // Both directions slice the first `size` IDs: the `size+1`th item is
+    // the sentinel proving another page exists (hasMore), not part of the
+    // page content. Backward queries sort ASC (items closest to the cursor
+    // first), so `[0..size)` is still the legitimate window and the last
+    // element is the sentinel — identical to the forward case.
+    const idsToReturn = sessionIds.slice(0, options.page.size);
+
+    let sessions = await this.options.prisma.session.findMany({
+      where: {
+        id: { in: idsToReturn },
+        runtimeEnvironmentId: options.environmentId,
+      },
+      orderBy: { createdAt: "desc" },
+      select: {
+        id: true,
+        friendlyId: true,
+        externalId: true,
+        type: true,
+        taskIdentifier: true,
+        tags: true,
+        metadata: true,
+        closedAt: true,
+        closedReason: true,
+        expiresAt: true,
+        createdAt: true,
+        updatedAt: true,
+        runtimeEnvironmentId: true,
+        currentRunId: true,
+      },
+    });
+
+    // ClickHouse is slightly delayed; narrow by derived status in-memory to
+    // catch recent Postgres writes that haven't replicated yet.
+    if (options.statuses && options.statuses.length > 0) {
+      const wanted = new Set(options.statuses);
+      const now = Date.now();
+      sessions = sessions.filter((s) => {
+        const status =
+          s.closedAt != null
+            ? "CLOSED"
+            : s.expiresAt != null && s.expiresAt.getTime() < now
+              ? "EXPIRED"
+              : "ACTIVE";
+        return wanted.has(status);
+      });
+    }
+
+    return {
+      sessions,
+      pagination: { nextCursor, previousCursor },
+    };
+  }
+
+  async countSessions(options: SessionListInputOptions): Promise<number> {
+    const queryBuilder = this.options.clickhouse.sessions.countQueryBuilder();
+    applySessionFiltersToQueryBuilder(
+      queryBuilder,
+      convertSessionListInputOptionsToFilterOptions(options)
+    );
+
+    const [queryError, result] = await queryBuilder.execute();
+    if (queryError) throw queryError;
+
+    if (result.length === 0) {
+      throw new Error("No count rows returned");
+    }
+    return result[0].count;
+  }
+
+  async listTags(options: SessionTagListOptions) {
+    const queryBuilder = this.options.clickhouse.sessions
+      .tagQueryBuilder()
+      .where("organization_id = {organizationId: String}", {
+        organizationId: options.organizationId,
+      })
+      .where("project_id = {projectId: String}", { projectId: options.projectId })
+      .where("environment_id = {environmentId: String}", {
+        environmentId: options.environmentId,
+      });
+
+    const periodMs = options.period ? parseDuration(options.period) ?? undefined : undefined;
+    if (periodMs) {
+      queryBuilder.where("created_at >= fromUnixTimestamp64Milli({period: Int64})", {
+        period: new Date(Date.now() - periodMs).getTime(),
+      });
+    }
+
+    if (options.from) {
+      queryBuilder.where("created_at >= fromUnixTimestamp64Milli({from: Int64})", {
+        from: options.from,
+      });
+    }
+
+    if (options.to) {
+      queryBuilder.where("created_at <= fromUnixTimestamp64Milli({to: Int64})", {
+        to: options.to,
+      });
+    }
+
+    if (options.query && options.query.trim().length > 0) {
+      queryBuilder.where("positionCaseInsensitiveUTF8(tag, {query: String}) > 0", {
+        query: options.query,
+      });
+    }
+
+    queryBuilder.orderBy("tag ASC").limit(options.limit);
+
+    const [queryError, result] = await queryBuilder.execute();
+    if (queryError) throw queryError;
+
+    return { tags: result.map((row) => row.tag) };
+  }
+}
+
+function applySessionFiltersToQueryBuilder<T>(
+  queryBuilder: ClickhouseQueryBuilder<T>,
+  options: FilterSessionsOptions
+) {
+  queryBuilder
+    .where("organization_id = {organizationId: String}", {
+      organizationId: options.organizationId,
+    })
+    .where("project_id = {projectId: String}", { projectId: options.projectId })
+    .where("environment_id = {environmentId: String}", { environmentId: options.environmentId });
+
+  if (options.types && options.types.length > 0) {
+    queryBuilder.where("type IN {types: Array(String)}", { types: options.types });
+  }
+
+  if (options.tags && options.tags.length > 0) {
+    queryBuilder.where("hasAny(tags, {tags: Array(String)})", { tags: options.tags });
+  }
+
+  if (options.taskIdentifiers && options.taskIdentifiers.length > 0) {
+    queryBuilder.where("task_identifier IN {taskIdentifiers: Array(String)}", {
+      taskIdentifiers: options.taskIdentifiers,
+    });
+  }
+
+  if (options.externalId) {
+    queryBuilder.where("external_id = {externalId: String}", { externalId: options.externalId });
+  }
+
+  if (options.statuses && options.statuses.length > 0) {
+    const conditions: string[] = [];
+    if (options.statuses.includes("ACTIVE")) {
+      conditions.push(
+        "(closed_at IS NULL AND (expires_at IS NULL OR expires_at > now64(3)))"
+      );
+    }
+    if (options.statuses.includes("CLOSED")) {
+      conditions.push("closed_at IS NOT NULL");
+    }
+    if (options.statuses.includes("EXPIRED")) {
+      conditions.push("(closed_at IS NULL AND expires_at IS NOT NULL AND expires_at <= now64(3))");
+    }
+    if (conditions.length > 0) {
+      queryBuilder.where(`(${conditions.join(" OR ")})`);
+    }
+  }
+
+  if (options.period) {
+    queryBuilder.where("created_at >= fromUnixTimestamp64Milli({period: Int64})", {
+      period: new Date(Date.now() - options.period).getTime(),
+    });
+  }
+
+  if (options.from) {
+    queryBuilder.where("created_at >= fromUnixTimestamp64Milli({from: Int64})", {
+      from: options.from,
+    });
+  }
+
+  if (options.to) {
+    queryBuilder.where("created_at <= fromUnixTimestamp64Milli({to: Int64})", {
+      to: options.to,
+    });
+  }
+}
diff --git a/apps/webapp/app/services/sessionsRepository/sessionsRepository.server.ts b/apps/webapp/app/services/sessionsRepository/sessionsRepository.server.ts
new file mode 100644
index 00000000000..245f1df2295
--- /dev/null
+++ b/apps/webapp/app/services/sessionsRepository/sessionsRepository.server.ts
@@ -0,0 +1,199 @@
+import { type ClickHouse } from "@internal/clickhouse";
+import { type Tracer } from "@internal/tracing";
+import { type Logger, type LogLevel } from "@trigger.dev/core/logger";
+import { type Prisma } from "@trigger.dev/database";
+import parseDuration from "parse-duration";
+import { z } from "zod";
+import { type PrismaClientOrTransaction } from "~/db.server";
+import { startActiveSpan } from "~/v3/tracer.server";
+import { ClickHouseSessionsRepository } from "./clickhouseSessionsRepository.server";
+
+export type SessionsRepositoryOptions = {
+  clickhouse: ClickHouse;
+  prisma: PrismaClientOrTransaction;
+  logger?: Logger;
+  logLevel?: LogLevel;
+  tracer?: Tracer;
+};
+
+/**
+ * Derived status values — `Session` rows don't have a stored status column.
+ * `ACTIVE` is the base state; `CLOSED` means `closedAt` is set; `EXPIRED`
+ * means `expiresAt` has passed.
+ */
+export const SessionStatus = z.enum(["ACTIVE", "CLOSED", "EXPIRED"]);
+export type SessionStatus = z.infer<typeof SessionStatus>;
+
+const SessionListInputOptionsSchema = z.object({
+  organizationId: z.string(),
+  projectId: z.string(),
+  environmentId: z.string(),
+  // filters
+  types: z.array(z.string()).optional(),
+  tags: z.array(z.string()).optional(),
+  taskIdentifiers: z.array(z.string()).optional(),
+  externalId: z.string().optional(),
+  statuses: z.array(SessionStatus).optional(),
+  period: z.string().optional(),
+  from: z.number().optional(),
+  to: z.number().optional(),
+});
+
+export type SessionListInputOptions = z.infer<typeof SessionListInputOptionsSchema>;
+export type SessionListInputFilters = Omit<
+  SessionListInputOptions,
+  "organizationId" | "projectId" | "environmentId"
+>;
+
+export type FilterSessionsOptions = Omit<SessionListInputOptions, "period"> & {
+  /** period converted to milliseconds duration */
+  period: number | undefined;
+};
+
+type Pagination = {
+  page: {
+    size: number;
+    cursor?: string;
+    direction?: "forward" | "backward";
+  };
+};
+
+export type ListSessionsOptions = SessionListInputOptions & Pagination;
+
+type OffsetPagination = {
+  offset: number;
+  limit: number;
+};
+
+export type SessionTagListOptions = {
+  organizationId: string;
+  projectId: string;
+  environmentId: string;
+  period?: string;
+  from?: number;
+  to?: number;
+  /** Case-insensitive substring match on the tag name */
+  query?: string;
+} & OffsetPagination;
+
+export type SessionTagList = {
+  tags: string[];
+};
+
+export type ListedSession = Prisma.SessionGetPayload<{
+  select: {
+    id: true;
+    friendlyId: true;
+    externalId: true;
+    type: true;
+    taskIdentifier: true;
+    tags: true;
+    metadata: true;
+    closedAt: true;
+    closedReason: true;
+    expiresAt: true;
+    createdAt: true;
+    updatedAt: true;
+    runtimeEnvironmentId: true;
+    currentRunId: true;
+  };
+}>;
+
+export type ISessionsRepository = {
+  name: string;
+  listSessionIds(options: ListSessionsOptions): Promise<string[]>;
+  listSessions(options: ListSessionsOptions): Promise<{
+    sessions: ListedSession[];
+    pagination: {
+      nextCursor: string | null;
+      previousCursor: string | null;
+    };
+  }>;
+  countSessions(options: SessionListInputOptions): Promise<number>;
+  listTags(options: SessionTagListOptions): Promise<SessionTagList>;
+};
+
+export class SessionsRepository implements ISessionsRepository {
+  private readonly clickHouseSessionsRepository: ClickHouseSessionsRepository;
+
+  constructor(private readonly options: SessionsRepositoryOptions) {
+    this.clickHouseSessionsRepository = new ClickHouseSessionsRepository(options);
+  }
+
+  get name() {
+    return "sessionsRepository";
+  }
+
+  async listSessionIds(options: ListSessionsOptions): Promise<string[]> {
+    return startActiveSpan(
+      "sessionsRepository.listSessionIds",
+      async () => this.clickHouseSessionsRepository.listSessionIds(options),
+      {
+        attributes: {
+          "repository.name": "clickhouse",
+          organizationId: options.organizationId,
+          projectId: options.projectId,
+          environmentId: options.environmentId,
+        },
+      }
+    );
+  }
+
+  async listSessions(options: ListSessionsOptions) {
+    return startActiveSpan(
+      "sessionsRepository.listSessions",
+      async () => this.clickHouseSessionsRepository.listSessions(options),
+      {
+        attributes: {
+          "repository.name": "clickhouse",
+          organizationId: options.organizationId,
+          projectId: options.projectId,
+          environmentId: options.environmentId,
+        },
+      }
+    );
+  }
+
+  async countSessions(options: SessionListInputOptions) {
+    return startActiveSpan(
+      "sessionsRepository.countSessions",
+      async () => this.clickHouseSessionsRepository.countSessions(options),
+      {
+        attributes: {
+          "repository.name": "clickhouse",
+          organizationId: options.organizationId,
+          projectId: options.projectId,
+          environmentId: options.environmentId,
+        },
+      }
+    );
+  }
+
+  async listTags(options: SessionTagListOptions) {
+    return startActiveSpan(
+      "sessionsRepository.listTags",
+      async () => this.clickHouseSessionsRepository.listTags(options),
+      {
+        attributes: {
+          "repository.name": "clickhouse",
+          organizationId: options.organizationId,
+          projectId: options.projectId,
+          environmentId: options.environmentId,
+        },
+      }
+    );
+  }
+}
+
+export function parseSessionListInputOptions(data: unknown): SessionListInputOptions {
+  return SessionListInputOptionsSchema.parse(data);
+}
+
+export function convertSessionListInputOptionsToFilterOptions(
+  options: SessionListInputOptions
+): FilterSessionsOptions {
+  return {
+    ...options,
+    period: options.period ? parseDuration(options.period) ?? undefined : undefined,
+  };
+}
diff --git a/apps/webapp/app/services/taskIdentifierCache.server.ts b/apps/webapp/app/services/taskIdentifierCache.server.ts
new file mode 100644
index 00000000000..04929c583cc
--- /dev/null
+++ b/apps/webapp/app/services/taskIdentifierCache.server.ts
@@ -0,0 +1,117 @@
+import { Redis } from "ioredis";
+import { defaultReconnectOnError } from "@internal/redis";
+import type { TaskTriggerSource } from "@trigger.dev/database";
+import { env } from "~/env.server";
+import { singleton } from "~/utils/singleton";
+import { logger } from "./logger.server";
+
+const KEY_PREFIX = "tids:";
+
+type CachedTaskIdentifier = {
+  s: string;
+  ts: TaskTriggerSource;
+  live: boolean;
+};
+
+export type TaskIdentifierEntry = {
+  slug: string;
+  triggerSource: TaskTriggerSource;
+  isInLatestDeployment: boolean;
+};
+
+function buildKey(environmentId: string): string {
+  return `${KEY_PREFIX}${environmentId}`;
+}
+
+function encode(entry: TaskIdentifierEntry): string {
+  return JSON.stringify({
+    s: entry.slug,
+    ts: entry.triggerSource,
+    live: entry.isInLatestDeployment,
+  } satisfies CachedTaskIdentifier);
+}
+
+function decode(raw: string): TaskIdentifierEntry {
+  const parsed = JSON.parse(raw) as CachedTaskIdentifier;
+  return {
+    slug: parsed.s,
+    triggerSource: parsed.ts,
+    isInLatestDeployment: parsed.live,
+  };
+}
+
+function initializeRedis(): Redis | undefined {
+  const host = env.CACHE_REDIS_HOST;
+  if (!host) {
+    return undefined;
+  }
+
+  return new Redis({
+    connectionName: "taskIdentifierCache",
+    host,
+    port: env.CACHE_REDIS_PORT,
+    username: env.CACHE_REDIS_USERNAME,
+    password: env.CACHE_REDIS_PASSWORD,
+    keyPrefix: "tr:",
+    enableAutoPipelining: true,
+    reconnectOnError: defaultReconnectOnError,
+    ...(env.CACHE_REDIS_TLS_DISABLED === "true" ? {} : { tls: {} }),
+  });
+}
+
+const redis = singleton("taskIdentifierCache", initializeRedis);
+
+export async function populateTaskIdentifierCache(
+  environmentId: string,
+  identifiers: TaskIdentifierEntry[]
+): Promise<void> {
+  if (!redis) return;
+
+  try {
+    const key = buildKey(environmentId);
+    const pipeline = redis.pipeline();
+    pipeline.del(key);
+    if (identifiers.length > 0) {
+      pipeline.sadd(key, ...identifiers.map(encode));
+    }
+    await pipeline.exec();
+  } catch (error) {
+    logger.error("Failed to populate task identifier cache", {
+      environmentId,
+      error,
+    });
+  }
+}
+
+export async function invalidateTaskIdentifierCache(environmentId: string): Promise<void> {
+  if (!redis) return;
+
+  try {
+    const key = buildKey(environmentId);
+    await redis.del(key);
+  } catch (error) {
+    logger.error("Failed to invalidate task identifier cache", {
+      environmentId,
+      error,
+    });
+  }
+}
+
+export async function getTaskIdentifiersFromCache(
+  environmentId: string
+): Promise<TaskIdentifierEntry[] | null> {
+  if (!redis) return null;
+
+  try {
+    const key = buildKey(environmentId);
+    const members = await redis.smembers(key);
+    if (members.length === 0) return null;
+    return members.map(decode);
+  } catch (error) {
+    logger.error("Failed to get task identifiers from cache", {
+      environmentId,
+      error,
+    });
+    return null;
+  }
+}
diff --git a/apps/webapp/app/services/taskIdentifierRegistry.server.ts b/apps/webapp/app/services/taskIdentifierRegistry.server.ts
new file mode 100644
index 00000000000..83d531d53e9
--- /dev/null
+++ b/apps/webapp/app/services/taskIdentifierRegistry.server.ts
@@ -0,0 +1,156 @@
+import { type PrismaClient, type PrismaClientOrTransaction, TaskTriggerSource } from "@trigger.dev/database";
+import { $replica, prisma } from "~/db.server";
+import { getAllTaskIdentifiers } from "~/models/task.server";
+import { logger } from "./logger.server";
+import {
+  getTaskIdentifiersFromCache,
+  populateTaskIdentifierCache,
+  type TaskIdentifierEntry,
+} from "./taskIdentifierCache.server";
+
+function toTriggerSource(source: string | undefined): TaskTriggerSource {
+  if (source === "SCHEDULED" || source === "schedule") return "SCHEDULED";
+  return "STANDARD";
+}
+
+export async function syncTaskIdentifiers(
+  environmentId: string,
+  projectId: string,
+  workerId: string,
+  tasks: { id: string; triggerSource?: string }[],
+  db: PrismaClient = prisma
+): Promise<void> {
+  const slugs = tasks.map((t) => t.id);
+  const now = new Date();
+
+  // Group slugs by resolved triggerSource for bulk updates
+  const slugsBySource = new Map<TaskTriggerSource, string[]>();
+  for (const task of tasks) {
+    const source = toTriggerSource(task.triggerSource);
+    const existing = slugsBySource.get(source);
+    if (existing) {
+      existing.push(task.id);
+    } else {
+      slugsBySource.set(source, [task.id]);
+    }
+  }
+
+  // Batch: insert new rows, update existing rows per source group, archive removed tasks
+  await db.$transaction([
+    // Insert any new task identifiers (skips rows that already exist)
+    db.taskIdentifier.createMany({
+      data: tasks.map((task) => ({
+        runtimeEnvironmentId: environmentId,
+        projectId,
+        slug: task.id,
+        currentTriggerSource: toTriggerSource(task.triggerSource),
+        currentWorkerId: workerId,
+      })),
+      skipDuplicates: true,
+    }),
+    // Update existing rows — one updateMany per distinct triggerSource value
+    ...Array.from(slugsBySource.entries()).map(([source, taskSlugs]) =>
+      db.taskIdentifier.updateMany({
+        where: {
+          runtimeEnvironmentId: environmentId,
+          slug: { in: taskSlugs },
+        },
+        data: {
+          currentTriggerSource: source,
+          currentWorkerId: workerId,
+          lastSeenAt: now,
+          isInLatestDeployment: true,
+        },
+      })
+    ),
+    // Archive tasks no longer in this deploy
+    db.taskIdentifier.updateMany({
+      where: {
+        runtimeEnvironmentId: environmentId,
+        slug: { notIn: slugs },
+        isInLatestDeployment: true,
+      },
+      data: { isInLatestDeployment: false },
+    }),
+  ]);
+
+  const allIdentifiers = await db.taskIdentifier.findMany({
+    where: { runtimeEnvironmentId: environmentId },
+    select: {
+      slug: true,
+      currentTriggerSource: true,
+      isInLatestDeployment: true,
+    },
+  });
+
+  populateTaskIdentifierCache(
+    environmentId,
+    allIdentifiers.map((t) => ({
+      slug: t.slug,
+      triggerSource: t.currentTriggerSource,
+      isInLatestDeployment: t.isInLatestDeployment,
+    }))
+  ).catch((error) => {
+    logger.error("Failed to populate task identifier cache after sync", { environmentId, error });
+  });
+}
+
+function sortEntries(entries: TaskIdentifierEntry[]): TaskIdentifierEntry[] {
+  return entries.sort((a, b) => {
+    if (a.isInLatestDeployment !== b.isInLatestDeployment)
+      return a.isInLatestDeployment ? -1 : 1;
+    return a.slug.localeCompare(b.slug);
+  });
+}
+
+export async function getTaskIdentifiers(
+  environmentId: string,
+  db: PrismaClientOrTransaction = $replica
+): Promise<TaskIdentifierEntry[]> {
+  const cached = await getTaskIdentifiersFromCache(environmentId);
+  if (cached) return sortEntries(cached);
+
+  const dbRows = await db.taskIdentifier.findMany({
+    where: { runtimeEnvironmentId: environmentId },
+    select: {
+      slug: true,
+      currentTriggerSource: true,
+      isInLatestDeployment: true,
+    },
+  });
+
+  if (dbRows.length > 0) {
+    const entries: TaskIdentifierEntry[] = dbRows.map((t) => ({
+      slug: t.slug,
+      triggerSource: t.currentTriggerSource,
+      isInLatestDeployment: t.isInLatestDeployment,
+    }));
+
+    populateTaskIdentifierCache(environmentId, entries).catch((error) => {
+      logger.error("Failed to populate task identifier cache after DB read", {
+        environmentId,
+        error,
+      });
+    });
+
+    return sortEntries(entries);
+  }
+
+  const legacyRows = await getAllTaskIdentifiers(db, environmentId);
+  const entries: TaskIdentifierEntry[] = legacyRows.map((t) => ({
+    slug: t.slug,
+    triggerSource: t.triggerSource,
+    isInLatestDeployment: true,
+  }));
+
+  if (entries.length > 0) {
+    populateTaskIdentifierCache(environmentId, entries).catch((error) => {
+      logger.error("Failed to populate task identifier cache after legacy fallback", {
+        environmentId,
+        error,
+      });
+    });
+  }
+
+  return sortEntries(entries);
+}
diff --git a/apps/webapp/app/services/taskMetadataCache.server.ts b/apps/webapp/app/services/taskMetadataCache.server.ts
new file mode 100644
index 00000000000..6130295a73f
--- /dev/null
+++ b/apps/webapp/app/services/taskMetadataCache.server.ts
@@ -0,0 +1,427 @@
+import type { Redis, Result, Callback } from "ioredis";
+import type { TaskTriggerSource } from "@trigger.dev/database";
+import { logger } from "./logger.server";
+
+export type TaskMetadataEntry = {
+  slug: string;
+  ttl: string | null;
+  triggerSource: TaskTriggerSource;
+  queueId: string | null;
+  queueName: string;
+};
+
+export interface TaskMetadataCache {
+  /** Read a slug's metadata from the env keyspace (current pointer). */
+  getCurrent(envId: string, slug: string): Promise<TaskMetadataEntry | null>;
+  /** Read a slug's metadata from the by-worker keyspace (locked-version lookups). */
+  getByWorker(workerId: string, slug: string): Promise<TaskMetadataEntry | null>;
+  /**
+   * Atomically replace both `task-meta:env:{envId}` and
+   * `task-meta:by-worker:{workerId}` with the given entries. Used at deploy
+   * promotion sites where the worker just became current for the env.
+   */
+  populateByCurrentWorker(
+    envId: string,
+    workerId: string,
+    entries: TaskMetadataEntry[]
+  ): Promise<void>;
+  /**
+   * Replace `task-meta:by-worker:{workerId}` only. Used at deploy build sites
+   * (V4) where the worker is created but not yet promoted.
+   */
+  populateByWorker(workerId: string, entries: TaskMetadataEntry[]): Promise<void>;
+  /**
+   * Atomically upsert one slug in both keyspaces. Used by the non-locked
+   * read-path back-fill. The env-keyspace TTL is only set when no TTL is
+   * present (preserves the promotion boundary); the by-worker TTL is
+   * refreshed on every call (sliding expiry).
+   */
+  setByCurrentWorker(envId: string, workerId: string, entry: TaskMetadataEntry): Promise<void>;
+  /**
+   * Upsert one slug in `task-meta:by-worker:{workerId}` only. Used by the
+   * locked-version read-path back-fill; refreshes the by-worker TTL.
+   */
+  setByWorker(workerId: string, entry: TaskMetadataEntry): Promise<void>;
+}
+
+export type RedisTaskMetadataCacheOptions = {
+  redis: Redis;
+  /** Safety TTL on `task-meta:env:{envId}`. Default 24h. Use 0 for no expiry. */
+  currentEnvTtlSeconds?: number;
+  /** Idle TTL on `task-meta:by-worker:{workerId}`. Default 30d. Use 0 for no expiry. */
+  byWorkerTtlSeconds?: number;
+};
+
+type EncodedEntry = {
+  t: string | null;
+  k: TaskTriggerSource;
+  q: string | null;
+  n: string;
+};
+
+function encode(entry: TaskMetadataEntry): string {
+  const payload: EncodedEntry = {
+    t: entry.ttl,
+    k: entry.triggerSource,
+    q: entry.queueId,
+    n: entry.queueName,
+  };
+  return JSON.stringify(payload);
+}
+
+function decode(slug: string, raw: string): TaskMetadataEntry | null {
+  try {
+    const parsed = JSON.parse(raw) as EncodedEntry;
+    return {
+      slug,
+      ttl: parsed.t,
+      triggerSource: parsed.k,
+      queueId: parsed.q,
+      queueName: parsed.n,
+    };
+  } catch (error) {
+    logger.error("Failed to decode task metadata cache entry", { slug, error });
+    return null;
+  }
+}
+
+function currentEnvKey(envId: string): string {
+  return `task-meta:env:${envId}`;
+}
+
+function byWorkerKey(workerId: string): string {
+  return `task-meta:by-worker:${workerId}`;
+}
+
+/**
+ * Atomically replace a single HASH's contents and reset its TTL.
+ *
+ * KEYS[1] = hash key
+ * ARGV[1] = ttl seconds (0 = no TTL)
+ * ARGV[2..N] = alternating field, value pairs
+ */
+const REPLACE_HASH_LUA = `
+redis.call("DEL", KEYS[1])
+if #ARGV > 1 then
+  local fv = {}
+  for i = 2, #ARGV do
+    fv[#fv + 1] = ARGV[i]
+  end
+  redis.call("HSET", KEYS[1], unpack(fv))
+end
+local ttl = tonumber(ARGV[1])
+if ttl and ttl > 0 then
+  redis.call("EXPIRE", KEYS[1], ttl)
+end
+return 1
+`;
+
+/**
+ * Reserved field name on env hashes that records the worker currently
+ * "owning" the env keyspace. The back-fill Lua script reads this and skips
+ * its env-side write if the owner has flipped — closing the race where a
+ * concurrent promotion atomically replaces the env hash between a resolver's
+ * PG read and its back-fill write. Customer task slugs are kebab/camelCase
+ * and never start with `__`, so collisions are not a concern; an accidental
+ * `getCurrent(envId, "__owner_worker_id")` would JSON.parse-fail and fall
+ * back to PG, not corrupt anything.
+ */
+const OWNER_FIELD = "__owner_worker_id";
+
+/**
+ * Atomically replace BOTH keyspaces in one Redis transaction. Used at deploy
+ * promotion — the worker just became current for the env, so the env keyspace
+ * and the worker keyspace get the same field set, and the env hash is
+ * stamped with the new owner workerId.
+ *
+ * KEYS[1] = env hash key
+ * KEYS[2] = by-worker hash key
+ * ARGV[1] = env ttl seconds (0 = no TTL)
+ * ARGV[2] = by-worker ttl seconds (0 = no TTL)
+ * ARGV[3] = workerId (env-hash owner marker)
+ * ARGV[4..N] = alternating field, value pairs (same for both hashes)
+ */
+const REPLACE_TWO_HASHES_LUA = `
+redis.call("DEL", KEYS[1])
+redis.call("DEL", KEYS[2])
+if #ARGV > 3 then
+  local fv = {}
+  for i = 4, #ARGV do
+    fv[#fv + 1] = ARGV[i]
+  end
+  redis.call("HSET", KEYS[1], unpack(fv))
+  redis.call("HSET", KEYS[2], unpack(fv))
+end
+redis.call("HSET", KEYS[1], "${OWNER_FIELD}", ARGV[3])
+local envTtl = tonumber(ARGV[1])
+if envTtl and envTtl > 0 then
+  redis.call("EXPIRE", KEYS[1], envTtl)
+end
+local workerTtl = tonumber(ARGV[2])
+if workerTtl and workerTtl > 0 then
+  redis.call("EXPIRE", KEYS[2], workerTtl)
+end
+return 1
+`;
+
+/**
+ * Set a single field and refresh the HASH TTL. Used by the locked-version
+ * back-fill path — sliding expiry keeps active workers warm.
+ *
+ * KEYS[1] = hash key
+ * ARGV[1] = ttl seconds (0 = no TTL refresh)
+ * ARGV[2] = field
+ * ARGV[3] = value
+ */
+const SET_FIELD_REFRESH_TTL_LUA = `
+redis.call("HSET", KEYS[1], ARGV[2], ARGV[3])
+local ttl = tonumber(ARGV[1])
+if ttl and ttl > 0 then
+  redis.call("EXPIRE", KEYS[1], ttl)
+end
+return 1
+`;
+
+/**
+ * Atomically upsert one field in BOTH keyspaces. Used by the non-locked
+ * back-fill path.
+ *
+ * The by-worker hash always gets written (the key contains the workerId, so
+ * stale data lands in a dead worker's keyspace and is never read by anyone
+ * not pinned to that version).
+ *
+ * The env hash is CAS-guarded by `${OWNER_FIELD}`: if a concurrent promotion
+ * has replaced the hash between this resolver's PG read and this write, the
+ * stored owner won't match the workerId the back-filler resolved to, so the
+ * env write is skipped — preventing the back-fill from overwriting a freshly
+ * promoted slug with stale data from the previous worker.
+ *
+ * KEYS[1] = env hash key
+ * KEYS[2] = by-worker hash key
+ * ARGV[1] = env ttl seconds (0 = no TTL)
+ * ARGV[2] = by-worker ttl seconds (0 = no TTL)
+ * ARGV[3] = writer's expected env-hash owner workerId
+ * ARGV[4] = field
+ * ARGV[5] = value
+ */
+const SET_TWO_FIELDS_LUA = `
+redis.call("HSET", KEYS[2], ARGV[4], ARGV[5])
+local workerTtl = tonumber(ARGV[2])
+if workerTtl and workerTtl > 0 then
+  redis.call("EXPIRE", KEYS[2], workerTtl)
+end
+
+local owner = redis.call("HGET", KEYS[1], "${OWNER_FIELD}")
+if owner == false or owner == ARGV[3] then
+  redis.call("HSET", KEYS[1], ARGV[4], ARGV[5])
+  if owner == false then
+    redis.call("HSET", KEYS[1], "${OWNER_FIELD}", ARGV[3])
+  end
+  local envTtl = tonumber(ARGV[1])
+  if envTtl and envTtl > 0 and redis.call("TTL", KEYS[1]) == -1 then
+    redis.call("EXPIRE", KEYS[1], envTtl)
+  end
+end
+return 1
+`;
+
+declare module "ioredis" {
+  interface RedisCommander<Context> {
+    taskMetaReplaceHash(
+      key: string,
+      ttlSeconds: string,
+      ...fieldValues: string[]
+    ): Result<number, Context>;
+    taskMetaReplaceTwoHashes(
+      envKey: string,
+      workerKey: string,
+      envTtlSeconds: string,
+      workerTtlSeconds: string,
+      workerId: string,
+      ...fieldValues: string[]
+    ): Result<number, Context>;
+    taskMetaSetFieldRefreshTtl(
+      key: string,
+      ttlSeconds: string,
+      field: string,
+      value: string,
+      callback?: Callback<number>
+    ): Result<number, Context>;
+    taskMetaSetTwoFields(
+      envKey: string,
+      workerKey: string,
+      envTtlSeconds: string,
+      workerTtlSeconds: string,
+      workerId: string,
+      field: string,
+      value: string,
+      callback?: Callback<number>
+    ): Result<number, Context>;
+  }
+}
+
+export class RedisTaskMetadataCache implements TaskMetadataCache {
+  private readonly redis: Redis;
+  private readonly currentEnvTtlSeconds: number;
+  private readonly byWorkerTtlSeconds: number;
+
+  constructor(options: RedisTaskMetadataCacheOptions) {
+    this.redis = options.redis;
+    this.currentEnvTtlSeconds = options.currentEnvTtlSeconds ?? 86400;
+    this.byWorkerTtlSeconds = options.byWorkerTtlSeconds ?? 30 * 24 * 60 * 60;
+
+    this.redis.defineCommand("taskMetaReplaceHash", {
+      numberOfKeys: 1,
+      lua: REPLACE_HASH_LUA,
+    });
+    this.redis.defineCommand("taskMetaReplaceTwoHashes", {
+      numberOfKeys: 2,
+      lua: REPLACE_TWO_HASHES_LUA,
+    });
+    this.redis.defineCommand("taskMetaSetFieldRefreshTtl", {
+      numberOfKeys: 1,
+      lua: SET_FIELD_REFRESH_TTL_LUA,
+    });
+    this.redis.defineCommand("taskMetaSetTwoFields", {
+      numberOfKeys: 2,
+      lua: SET_TWO_FIELDS_LUA,
+    });
+  }
+
+  async getCurrent(envId: string, slug: string): Promise<TaskMetadataEntry | null> {
+    return this.#get(currentEnvKey(envId), slug);
+  }
+
+  async getByWorker(workerId: string, slug: string): Promise<TaskMetadataEntry | null> {
+    return this.#get(byWorkerKey(workerId), slug);
+  }
+
+  async populateByCurrentWorker(
+    envId: string,
+    workerId: string,
+    entries: TaskMetadataEntry[]
+  ): Promise<void> {
+    try {
+      // Always invoke the script — empty `entries` is valid and causes both
+      // keyspaces to be cleared (DEL + no HSET), which is the right behavior
+      // when promoting a worker with no tasks.
+      const fieldValues: string[] = [];
+      for (const entry of entries) {
+        fieldValues.push(entry.slug, encode(entry));
+      }
+      await this.redis.taskMetaReplaceTwoHashes(
+        currentEnvKey(envId),
+        byWorkerKey(workerId),
+        String(this.currentEnvTtlSeconds),
+        String(this.byWorkerTtlSeconds),
+        workerId,
+        ...fieldValues
+      );
+    } catch (error) {
+      logger.error("Failed to populate task metadata cache (current worker)", {
+        envId,
+        workerId,
+        error,
+      });
+    }
+  }
+
+  async populateByWorker(workerId: string, entries: TaskMetadataEntry[]): Promise<void> {
+    try {
+      // Always invoke the script — empty `entries` clears the keyspace.
+      const fieldValues: string[] = [];
+      for (const entry of entries) {
+        fieldValues.push(entry.slug, encode(entry));
+      }
+      await this.redis.taskMetaReplaceHash(
+        byWorkerKey(workerId),
+        String(this.byWorkerTtlSeconds),
+        ...fieldValues
+      );
+    } catch (error) {
+      logger.error("Failed to populate task metadata cache (by worker)", {
+        workerId,
+        error,
+      });
+    }
+  }
+
+  async setByCurrentWorker(
+    envId: string,
+    workerId: string,
+    entry: TaskMetadataEntry
+  ): Promise<void> {
+    try {
+      await this.redis.taskMetaSetTwoFields(
+        currentEnvKey(envId),
+        byWorkerKey(workerId),
+        String(this.currentEnvTtlSeconds),
+        String(this.byWorkerTtlSeconds),
+        workerId,
+        entry.slug,
+        encode(entry)
+      );
+    } catch (error) {
+      logger.error("Failed to set task metadata cache field (current worker)", {
+        envId,
+        workerId,
+        slug: entry.slug,
+        error,
+      });
+    }
+  }
+
+  async setByWorker(workerId: string, entry: TaskMetadataEntry): Promise<void> {
+    try {
+      await this.redis.taskMetaSetFieldRefreshTtl(
+        byWorkerKey(workerId),
+        String(this.byWorkerTtlSeconds),
+        entry.slug,
+        encode(entry)
+      );
+    } catch (error) {
+      logger.error("Failed to set task metadata cache field (by worker)", {
+        workerId,
+        slug: entry.slug,
+        error,
+      });
+    }
+  }
+
+  async #get(key: string, slug: string): Promise<TaskMetadataEntry | null> {
+    try {
+      const raw = await this.redis.hget(key, slug);
+      if (!raw) return null;
+      return decode(slug, raw);
+    } catch (error) {
+      logger.error("Failed to read task metadata from cache", { key, slug, error });
+      return null;
+    }
+  }
+}
+
+export class NoopTaskMetadataCache implements TaskMetadataCache {
+  async getCurrent(): Promise<TaskMetadataEntry | null> {
+    return null;
+  }
+
+  async getByWorker(): Promise<TaskMetadataEntry | null> {
+    return null;
+  }
+
+  async populateByCurrentWorker(): Promise<void> {
+    // intentionally empty
+  }
+
+  async populateByWorker(): Promise<void> {
+    // intentionally empty
+  }
+
+  async setByCurrentWorker(): Promise<void> {
+    // intentionally empty
+  }
+
+  async setByWorker(): Promise<void> {
+    // intentionally empty
+  }
+}
diff --git a/apps/webapp/app/services/taskMetadataCacheInstance.server.ts b/apps/webapp/app/services/taskMetadataCacheInstance.server.ts
new file mode 100644
index 00000000000..b673cf122ed
--- /dev/null
+++ b/apps/webapp/app/services/taskMetadataCacheInstance.server.ts
@@ -0,0 +1,38 @@
+import { Redis } from "ioredis";
+import { defaultReconnectOnError } from "@internal/redis";
+import { env } from "~/env.server";
+import { singleton } from "~/utils/singleton";
+import {
+  NoopTaskMetadataCache,
+  RedisTaskMetadataCache,
+  type TaskMetadataCache,
+} from "./taskMetadataCache.server";
+
+export const taskMetadataCacheInstance: TaskMetadataCache = singleton(
+  "taskMetadataCacheInstance",
+  initializeTaskMetadataCache
+);
+
+function initializeTaskMetadataCache(): TaskMetadataCache {
+  if (!env.TASK_META_CACHE_REDIS_HOST) {
+    return new NoopTaskMetadataCache();
+  }
+
+  const redis = new Redis({
+    connectionName: "taskMetadataCache",
+    host: env.TASK_META_CACHE_REDIS_HOST,
+    port: env.TASK_META_CACHE_REDIS_PORT,
+    username: env.TASK_META_CACHE_REDIS_USERNAME,
+    password: env.TASK_META_CACHE_REDIS_PASSWORD,
+    keyPrefix: "tr:",
+    enableAutoPipelining: true,
+    reconnectOnError: defaultReconnectOnError,
+    ...(env.TASK_META_CACHE_REDIS_TLS_DISABLED === "true" ? {} : { tls: {} }),
+  });
+
+  return new RedisTaskMetadataCache({
+    redis,
+    currentEnvTtlSeconds: env.TASK_META_CACHE_CURRENT_ENV_TTL_SECONDS,
+    byWorkerTtlSeconds: env.TASK_META_CACHE_BY_WORKER_TTL_SECONDS,
+  });
+}
diff --git a/apps/webapp/app/services/tenantContext.server.ts b/apps/webapp/app/services/tenantContext.server.ts
new file mode 100644
index 00000000000..0cadaa9f4c2
--- /dev/null
+++ b/apps/webapp/app/services/tenantContext.server.ts
@@ -0,0 +1,50 @@
+import { AsyncLocalStorage } from "node:async_hooks";
+import type { AuthenticatedEnvironment } from "./apiAuth.server";
+
+// All fields are optional. The middleware establishes an empty scope per
+// request; entry points fill what they know:
+//   - URL-matching paths get the slug trio from the Express middleware (zero IO).
+//   - The `_app` layout adds `userId` for any authenticated request.
+//   - The env layout adds tenant IDs / env type after its own existing DB query.
+//   - API routes get the full set up-front from `authenticationResult.environment`.
+export type TenantContext = {
+  userId?: string;
+  orgSlug?: string;
+  projectSlug?: string;
+  envSlug?: string;
+  orgId?: string;
+  projectId?: string;
+  projectRef?: string;
+  envId?: string;
+  envType?: "DEVELOPMENT" | "PREVIEW" | "STAGING" | "PRODUCTION";
+  impersonating?: boolean;
+};
+
+const storage = new AsyncLocalStorage<TenantContext>();
+
+export const tenantContext = {
+  run<T>(ctx: TenantContext, fn: () => T): T {
+    return storage.run(ctx, fn);
+  },
+  get(): TenantContext | undefined {
+    return storage.getStore();
+  },
+  enrich(patch: Partial<TenantContext>): void {
+    const current = storage.getStore();
+    if (current) Object.assign(current, patch);
+  },
+};
+
+export function tenantContextFromAuthEnvironment(env: AuthenticatedEnvironment): TenantContext {
+  return {
+    userId: env.orgMember?.userId,
+    orgSlug: env.organization.slug,
+    projectSlug: env.project.slug,
+    envSlug: env.slug,
+    orgId: env.organization.id,
+    projectId: env.project.id,
+    projectRef: env.project.externalRef,
+    envId: env.id,
+    envType: env.type,
+  };
+}
diff --git a/apps/webapp/app/services/tenantContextResolver.server.ts b/apps/webapp/app/services/tenantContextResolver.server.ts
new file mode 100644
index 00000000000..764670df95f
--- /dev/null
+++ b/apps/webapp/app/services/tenantContextResolver.server.ts
@@ -0,0 +1,42 @@
+import type { NextFunction, Request, Response } from "express";
+import { tenantContext, type TenantContext } from "./tenantContext.server";
+
+const URL_PATTERN = /^\/orgs\/([^/]+)(?:\/projects\/([^/]+)(?:\/env\/([^/]+))?)?/;
+
+export type ParsedTenantPath = {
+  orgSlug: string;
+  projectSlug?: string;
+  envSlug?: string;
+};
+
+// Pulls whatever tenant slugs are present in the URL. `/orgs/:o` returns the
+// org alone; `/orgs/:o/projects/:p` adds the project; `/orgs/:o/projects/:p/env/:e`
+// returns all three. Non-tenant paths (`/`, `/login`, `/admin/*`) return undefined.
+export function parseTenantPath(pathname: string): ParsedTenantPath | undefined {
+  const match = pathname.match(URL_PATTERN);
+  if (!match) return undefined;
+  const [, orgSlug, projectSlug, envSlug] = match;
+  if (!orgSlug) return undefined;
+  return {
+    orgSlug,
+    ...(projectSlug ? { projectSlug } : {}),
+    ...(envSlug ? { envSlug } : {}),
+  };
+}
+
+export function resolveTenantContextFromPath(pathname: string): TenantContext {
+  return parseTenantPath(pathname) ?? {};
+}
+
+export type PathResolver = (pathname: string) => TenantContext;
+
+export function createTenantContextMiddleware(resolver: PathResolver) {
+  // Always establish an ALS scope, even when the path carries no tenant
+  // slugs. Authenticated loaders (e.g. the `_app` layout) then enrich the
+  // same scope with `userId`, so non-tenant pages still get user attribution.
+  return function tenantContextMiddleware(req: Request, res: Response, next: NextFunction) {
+    tenantContext.run(resolver(req.path), () => next());
+  };
+}
+
+export const tenantContextMiddleware = createTenantContextMiddleware(resolveTenantContextFromPath);
diff --git a/apps/webapp/app/services/upsertBranch.server.ts b/apps/webapp/app/services/upsertBranch.server.ts
index 3b4e18a58ea..e13f5d244c8 100644
--- a/apps/webapp/app/services/upsertBranch.server.ts
+++ b/apps/webapp/app/services/upsertBranch.server.ts
@@ -3,7 +3,7 @@ import slug from "slug";
 import { prisma } from "~/db.server";
 import { createApiKeyForEnv, createPkApiKeyForEnv } from "~/models/api-key.server";
 import { type CreateBranchOptions } from "~/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.branches/route";
-import { isValidGitBranchName, sanitizeBranchName } from "~/v3/gitBranch";
+import { isValidGitBranchName, sanitizeBranchName } from "@trigger.dev/core/v3/utils/gitBranch";
 import { logger } from "./logger.server";
 import { getCurrentPlan, getLimit } from "./platform.v3.server";
 
diff --git a/apps/webapp/app/services/vercelIntegration.server.ts b/apps/webapp/app/services/vercelIntegration.server.ts
index cf9e634afbb..286e9974054 100644
--- a/apps/webapp/app/services/vercelIntegration.server.ts
+++ b/apps/webapp/app/services/vercelIntegration.server.ts
@@ -409,7 +409,7 @@ export class VercelIntegrationService {
         key: "TRIGGER_SECRET_KEY",
         value: stagingEnv.apiKey,
         customEnvironmentId: newCustomEnvironmentId,
-        type: "encrypted",
+        type: "sensitive",
       });
 
       if (upsertResult.isErr()) {
@@ -714,6 +714,102 @@ export class VercelIntegrationService {
     });
   }
 
+  /**
+   * Returns true when TRIGGER_VERSION is no longer pinned on Vercel production after the call
+   * (either we cleared it or it wasn't set to begin with). Returns false when we failed to
+   * verify or perform the delete — callers should surface that to the user so they can clear
+   * it manually.
+   */
+  async clearTriggerVersionFromVercelProduction(projectId: string): Promise<boolean> {
+    const orgIntegration =
+      await VercelIntegrationRepository.findVercelOrgIntegrationForProject(projectId);
+    if (!orgIntegration) {
+      return false;
+    }
+
+    const clientResult = await VercelIntegrationRepository.getVercelClient(orgIntegration);
+    if (clientResult.isErr()) {
+      logger.error("Failed to get Vercel client for TRIGGER_VERSION clear", {
+        projectId,
+        error: clientResult.error.message,
+      });
+      return false;
+    }
+    const client = clientResult.value;
+    const teamId = await VercelIntegrationRepository.getTeamIdFromIntegration(orgIntegration);
+
+    const projectIntegration = await this.#prismaClient.organizationProjectIntegration.findFirst({
+      where: {
+        projectId,
+        organizationIntegrationId: orgIntegration.id,
+        deletedAt: null,
+      },
+      select: {
+        externalEntityId: true,
+      },
+    });
+
+    if (!projectIntegration) {
+      return false;
+    }
+
+    const vercelProjectId = projectIntegration.externalEntityId;
+
+    const envVarsResult = await VercelIntegrationRepository.getVercelEnvironmentVariables(
+      client,
+      vercelProjectId,
+      teamId
+    );
+
+    if (envVarsResult.isErr()) {
+      logger.warn("Failed to fetch Vercel env vars for TRIGGER_VERSION clear", {
+        projectId,
+        vercelProjectId,
+        error: envVarsResult.error.message,
+      });
+      return false;
+    }
+
+    const existingTriggerVersion = envVarsResult.value.find(
+      (env) => env.key === "TRIGGER_VERSION" && env.target.includes("production")
+    );
+
+    if (!existingTriggerVersion) {
+      logger.info("TRIGGER_VERSION not present on Vercel production — nothing to clear", {
+        projectId,
+        vercelProjectId,
+      });
+      return true;
+    }
+
+    const removeResult = await ResultAsync.fromPromise(
+      client.projects.batchRemoveProjectEnv({
+        idOrName: vercelProjectId,
+        ...(teamId && { teamId }),
+        requestBody: { ids: [existingTriggerVersion.id] },
+      }),
+      (error) => error
+    );
+
+    if (removeResult.isErr()) {
+      logger.error("Failed to clear TRIGGER_VERSION from Vercel production", {
+        projectId,
+        vercelProjectId,
+        error:
+          removeResult.error instanceof Error
+            ? removeResult.error.message
+            : String(removeResult.error),
+      });
+      return false;
+    }
+
+    logger.info("Cleared TRIGGER_VERSION from Vercel production", {
+      projectId,
+      vercelProjectId,
+    });
+    return true;
+  }
+
   async disconnectVercelProject(projectId: string): Promise<boolean> {
     const existing = await this.getVercelProjectIntegration(projectId);
     if (!existing) {
diff --git a/apps/webapp/app/services/worker.server.ts b/apps/webapp/app/services/worker.server.ts
index 902d752ed0a..7de2c7cb2e7 100644
--- a/apps/webapp/app/services/worker.server.ts
+++ b/apps/webapp/app/services/worker.server.ts
@@ -1,3 +1,24 @@
+/**
+ * ⚠️ LEGACY — Graphile-worker / ZodWorker setup. Do not touch.
+ *
+ * This file wires the original background-job system the webapp was
+ * built on (`@internal/zod-worker` → graphile-worker → Postgres). It is
+ * now in deprecation mode: every task in `workerCatalog` below is
+ * annotated with `@deprecated, moved to <new home>` and the live jobs
+ * for new features all run on `@trigger.dev/redis-worker` instead.
+ *
+ * Where to put new things:
+ *   - Background jobs / queues → use redis-worker, alongside
+ *     `~/v3/commonWorker.server.ts`, `~/v3/alertsWorker.server.ts`, or
+ *     `~/v3/batchTriggerWorker.server.ts`.
+ *   - Run lifecycle → `@internal/run-engine` via `~/v3/runEngine.server`.
+ *   - Custom polling loops with their own Redis connection → keep them
+ *     in their own lifecycle module (e.g. `~/v3/mollifierDrainerWorker.server.ts`)
+ *     and wire the bootstrap from `entry.server.tsx`. Don't reach into
+ *     `init()` below.
+ *
+ * Edit only when removing legacy paths.
+ */
 import { ZodWorker } from "@internal/zod-worker";
 import { DeliverEmailSchema } from "emails";
 import { z } from "zod";
diff --git a/apps/webapp/app/tailwind.css b/apps/webapp/app/tailwind.css
index 8ec29b91568..04ac2508784 100644
--- a/apps/webapp/app/tailwind.css
+++ b/apps/webapp/app/tailwind.css
@@ -151,11 +151,18 @@
 
 /* Streamdown markdown styling */
 .streamdown-container {
-  /* Streamdown uses shadcn/ui CSS variables - define them for our theme */
-  --muted: 220 13% 20%;
-  --muted-foreground: 215 14% 60%;
-  --foreground: 210 20% 90%;
-  --border: 217 19% 27%;
+  /* Streamdown uses shadcn/ui CSS variables - define them for our theme.
+     These map Tailwind utility classes like bg-background, bg-primary, etc.
+     that streamdown uses internally for its link safety modal, code blocks,
+     and other interactive elements. */
+  --background: 230 16% 9%; /* charcoal-900 #121317 */
+  --foreground: 215 19% 87%; /* charcoal-200 #D7D9DD */
+  --muted: 220 8% 17%; /* charcoal-775 #1C1E21 */
+  --muted-foreground: 220 8% 57%; /* charcoal-400 #878C99 */
+  --border: 216 7% 27%; /* charcoal-650 #2C3034 */
+  --primary: 95 100% 66%; /* apple-500 #A8FF53 */
+  --primary-foreground: 230 16% 9%; /* charcoal-900 */
+  --sidebar: 228 10% 11%; /* charcoal-850 #15171A */;
 
   /* Code block styling */
   & [data-code-block-container] {
diff --git a/apps/webapp/app/utils.ts b/apps/webapp/app/utils.ts
index adb18292811..7551bef1b6f 100644
--- a/apps/webapp/app/utils.ts
+++ b/apps/webapp/app/utils.ts
@@ -3,10 +3,24 @@ import { useMatches } from "@remix-run/react";
 
 const DEFAULT_REDIRECT = "/";
 
+// Pathnames that are NOT user-navigable destinations: fetcher endpoints,
+// OAuth/auth callbacks, JSON APIs, the magic-link redemption route, and the
+// auth flow routes themselves (which would create a redirect loop). Note
+// `/admin/api/` covers admin JSON endpoints while leaving `/admin`,
+// `/admin/back-office/*`, `/admin/orgs`, etc. navigable.
+const NON_NAVIGABLE_PREFIXES = ["/resources/", "/auth/", "/admin/api/", "/api/", "/engine/"];
+const NON_NAVIGABLE_EXACT = new Set(["/magic", "/logout", "/login", "/login/magic", "/login/mfa"]);
+
+function isNavigablePath(pathname: string): boolean {
+  if (NON_NAVIGABLE_EXACT.has(pathname)) return false;
+  return !NON_NAVIGABLE_PREFIXES.some((prefix) => pathname.startsWith(prefix));
+}
+
 /**
  * This should be used any time the redirect path is user-provided
  * (Like the query string on our login/signup pages). This avoids
- * open-redirect vulnerabilities.
+ * open-redirect vulnerabilities and prevents redirecting users to
+ * non-page routes (e.g. fetcher endpoints) that would render blank.
  * @param {string} path The redirect destination
  * @param {string} defaultRedirect The redirect to use if the to is unsafe.
  */
@@ -28,16 +42,21 @@ export function sanitizeRedirectPath(
     return defaultRedirect;
   } catch {}
 
+  let parsed: URL;
   try {
     // ensure it's a valid relative path
-    const url = new URL(path, "https://example.com");
-    if (url.hostname !== "example.com") {
+    parsed = new URL(path, "https://example.com");
+    if (parsed.hostname !== "example.com") {
       return defaultRedirect;
     }
   } catch {
     return defaultRedirect;
   }
 
+  if (!isNavigablePath(parsed.pathname)) {
+    return defaultRedirect;
+  }
+
   return path;
 }
 
diff --git a/apps/webapp/app/utils/detectBadJsonStrings.ts b/apps/webapp/app/utils/detectBadJsonStrings.ts
index 4a000b54293..99ffec4b9b0 100644
--- a/apps/webapp/app/utils/detectBadJsonStrings.ts
+++ b/apps/webapp/app/utils/detectBadJsonStrings.ts
@@ -1,3 +1,17 @@
+/**
+ * Detects unpaired UTF-16 surrogate escape sequences in JSON-encoded text.
+ *
+ * Returns true if the input contains a `\uD8XX`/`\uD9XX`/`\uDAXX`/`\uDBXX`
+ * high-surrogate escape not immediately followed by a `\uDC..`–`\uDF..` low
+ * surrogate, or a `\uDC..`–`\uDF..` low surrogate not immediately preceded by
+ * a high surrogate. Strict JSON parsers (e.g. ClickHouse `JSONEachRow`)
+ * reject input containing such sequences.
+ *
+ * Surrogate hex ranges (case-insensitive — inputs from `JSON.stringify` are
+ * lowercase):
+ *   - High surrogate (U+D800–U+DBFF):  `\uD[8-B][0-9A-F][0-9A-F]`
+ *   - Low surrogate  (U+DC00–U+DFFF):  `\uD[C-F][0-9A-F][0-9A-F]`
+ */
 export function detectBadJsonStrings(jsonString: string): boolean {
   // Fast path: skip everything if no \u
   let idx = jsonString.indexOf("\\u");
@@ -13,7 +27,7 @@ export function detectBadJsonStrings(jsonString: string): boolean {
     if (jsonString[idx + 1] === "u" && jsonString[idx + 2] === "d") {
       const third = jsonString[idx + 3];
 
-      // High surrogate check
+      // High surrogate check — third nibble is 8, 9, a, or b (U+D800–U+DBFF)
       if (
         /[89ab]/.test(third) &&
         /[0-9a-f]/.test(jsonString[idx + 4]) &&
@@ -28,7 +42,7 @@ export function detectBadJsonStrings(jsonString: string): boolean {
           jsonString[idx + 6] !== "\\" ||
           jsonString[idx + 7] !== "u" ||
           jsonString[idx + 8] !== "d" ||
-          !/[cd]/.test(jsonString[idx + 9]) ||
+          !/[c-f]/.test(jsonString[idx + 9]) ||
           !/[0-9a-f]/.test(jsonString[idx + 10]) ||
           !/[0-9a-f]/.test(jsonString[idx + 11])
         ) {
@@ -36,9 +50,9 @@ export function detectBadJsonStrings(jsonString: string): boolean {
         }
       }
 
-      // Low surrogate check
+      // Low surrogate check — third nibble is c, d, e, or f (U+DC00–U+DFFF)
       if (
-        (third === "c" || third === "d") &&
+        /[c-f]/.test(third) &&
         /[0-9a-f]/.test(jsonString[idx + 4]) &&
         /[0-9a-f]/.test(jsonString[idx + 5])
       ) {
diff --git a/apps/webapp/app/utils/httpErrors.ts b/apps/webapp/app/utils/httpErrors.ts
index 5131730e3bb..2e41aa67eff 100644
--- a/apps/webapp/app/utils/httpErrors.ts
+++ b/apps/webapp/app/utils/httpErrors.ts
@@ -1,3 +1,7 @@
+export function throwNotFound(statusText: string): never {
+  throw new Response(undefined, { status: 404, statusText });
+}
+
 export function friendlyErrorDisplay(statusCode: number, statusText?: string) {
   switch (statusCode) {
     case 400:
diff --git a/apps/webapp/app/utils/longPollingFetch.ts b/apps/webapp/app/utils/longPollingFetch.ts
index ec7e309180d..cb5f97693b7 100644
--- a/apps/webapp/app/utils/longPollingFetch.ts
+++ b/apps/webapp/app/utils/longPollingFetch.ts
@@ -11,8 +11,10 @@ export async function longPollingFetch(
   options?: RequestInit,
   rewriteResponseHeaders?: Record<string, string>
 ) {
+  let upstream: Response | undefined;
   try {
-    let response = await fetch(url, options);
+    upstream = await fetch(url, options);
+    let response = upstream;
 
     if (response.headers.get("content-encoding")) {
       const headers = new Headers(response.headers);
@@ -46,16 +48,24 @@ export async function longPollingFetch(
 
     return response;
   } catch (error) {
+    // Release upstream undici socket + buffers explicitly. Without this the
+    // ReadableStream stays open and undici keeps buffering chunks into memory
+    // until the upstream times out (see H1 isolation test — ~44 KB retained
+    // per unconsumed-body fetch in RSS).
+    try { await upstream?.body?.cancel(); } catch {}
+
+    // AbortError is the expected path when downstream disconnects with a
+    // propagated signal — treat as a clean client-close, not a server error.
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new Response(null, { status: 499 });
+    }
     if (error instanceof TypeError) {
-      // Network error or other fetch-related errors
       logger.error("Network error:", { error: error.message });
       throw new Response("Network error occurred", { status: 503 });
     } else if (error instanceof Error) {
-      // HTTP errors or other known errors
       logger.error("Fetch error:", { error: error.message });
       throw new Response(error.message, { status: 500 });
     } else {
-      // Unknown errors
       logger.error("Unknown error occurred during fetch");
       throw new Response("An unknown error occurred", { status: 500 });
     }
diff --git a/apps/webapp/app/utils/pathBuilder.ts b/apps/webapp/app/utils/pathBuilder.ts
index 7a151053f5a..76254797669 100644
--- a/apps/webapp/app/utils/pathBuilder.ts
+++ b/apps/webapp/app/utils/pathBuilder.ts
@@ -3,6 +3,7 @@ import { z } from "zod";
 import { type TaskRunListSearchFilters } from "~/components/runs/v3/RunFilters";
 import type { Organization } from "~/models/organization.server";
 import type { Project } from "~/models/project.server";
+import { RUNS_BULK_INSPECTOR_OPEN_VALUE } from "~/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs._index/shouldRevalidateRunsList";
 import { objectToSearchParams } from "./searchParams";
 import { type WaitpointSearchParams } from "~/components/runs/v3/WaitpointTokenFilters";
 export type OrgForPath = Pick<Organization, "slug">;
@@ -114,6 +115,10 @@ export function organizationTeamPath(organization: OrgForPath) {
   return `${organizationPath(organization)}/settings/team`;
 }
 
+export function organizationRolesPath(organization: OrgForPath) {
+  return `${organizationPath(organization)}/settings/roles`;
+}
+
 export function inviteTeamMemberPath(organization: OrgForPath) {
   return `${organizationPath(organization)}/invite`;
 }
@@ -314,6 +319,31 @@ export function v3TestTaskPath(
   )}`;
 }
 
+export function v3PlaygroundPath(
+  organization: OrgForPath,
+  project: ProjectForPath,
+  environment: EnvironmentForPath
+) {
+  return `${v3EnvironmentPath(organization, project, environment)}/playground`;
+}
+
+export function v3PlaygroundAgentPath(
+  organization: OrgForPath,
+  project: ProjectForPath,
+  environment: EnvironmentForPath,
+  agentSlug: string
+) {
+  return `${v3PlaygroundPath(organization, project, environment)}/${encodeURIComponent(agentSlug)}`;
+}
+
+export function v3AgentsPath(
+  organization: OrgForPath,
+  project: ProjectForPath,
+  environment: EnvironmentForPath
+) {
+  return `${v3EnvironmentPath(organization, project, environment)}/agents`;
+}
+
 export function v3RunsPath(
   organization: OrgForPath,
   project: ProjectForPath,
@@ -334,7 +364,7 @@ export function v3CreateBulkActionPath(
   action?: "replay" | "cancel"
 ) {
   const searchParams = objectToSearchParams(filters) ?? new URLSearchParams();
-  searchParams.set("bulkInspector", "show");
+  searchParams.set("bulkInspector", RUNS_BULK_INSPECTOR_OPEN_VALUE);
   if (mode) {
     searchParams.set("mode", mode);
   }
@@ -482,6 +512,23 @@ export function v3BatchesPath(
   return `${v3EnvironmentPath(organization, project, environment)}/batches`;
 }
 
+export function v3SessionsPath(
+  organization: OrgForPath,
+  project: ProjectForPath,
+  environment: EnvironmentForPath
+) {
+  return `${v3EnvironmentPath(organization, project, environment)}/sessions`;
+}
+
+export function v3SessionPath(
+  organization: OrgForPath,
+  project: ProjectForPath,
+  environment: EnvironmentForPath,
+  session: { friendlyId: string }
+) {
+  return `${v3SessionsPath(organization, project, environment)}/${session.friendlyId}`;
+}
+
 export function v3BatchPath(
   organization: OrgForPath,
   project: ProjectForPath,
diff --git a/apps/webapp/app/utils/plain.server.ts b/apps/webapp/app/utils/plain.server.ts
index 4e8ce630731..ee205374e17 100644
--- a/apps/webapp/app/utils/plain.server.ts
+++ b/apps/webapp/app/utils/plain.server.ts
@@ -7,9 +7,17 @@ type Input = {
   name: string;
   title: string;
   components: ReturnType<typeof uiComponent.text>[];
+  labelTypeIds?: string[];
 };
 
-export async function sendToPlain({ userId, email, name, title, components }: Input) {
+export async function sendToPlain({
+  userId,
+  email,
+  name,
+  title,
+  components,
+  labelTypeIds,
+}: Input) {
   if (!env.PLAIN_API_KEY) {
     return;
   }
@@ -51,6 +59,7 @@ export async function sendToPlain({ userId, email, name, title, components }: In
     },
     title: title,
     components: components,
+    labelTypeIds,
   });
 
   if (createThreadRes.error) {
diff --git a/apps/webapp/app/utils/prismaErrors.ts b/apps/webapp/app/utils/prismaErrors.ts
new file mode 100644
index 00000000000..b8262ed3d1f
--- /dev/null
+++ b/apps/webapp/app/utils/prismaErrors.ts
@@ -0,0 +1,39 @@
+import { Prisma } from "@trigger.dev/database";
+
+// Prisma connectivity / infrastructure error codes — engine- and
+// connection-level failures, not query- or validation-level ones. When the
+// database is unreachable, Prisma 6.x throws a PrismaClientKnownRequestError
+// carrying one of these codes (e.g. P1001 "Can't reach database server").
+const INFRASTRUCTURE_PRISMA_CODES = new Set([
+  "P1001", // Can't reach database server
+  "P1002", // Database server reached but timed out
+  "P1008", // Operations timed out
+  "P1017", // Server has closed the connection
+]);
+
+/**
+ * True when `error` is a Prisma infrastructure/connectivity failure (DB
+ * unreachable, timed out, connection dropped) rather than a query- or
+ * validation-level error.
+ *
+ * These errors carry internal infrastructure detail (e.g. the database
+ * hostname) in their `.message`, so they must never be surfaced to API
+ * clients — callers should let them propagate to the generic 5xx handler
+ * (which both scrubs the message and is retryable by the SDK) instead of
+ * folding `.message` into a client-facing error.
+ */
+export function isInfrastructureError(error: unknown): boolean {
+  if (
+    error instanceof Prisma.PrismaClientInitializationError ||
+    error instanceof Prisma.PrismaClientRustPanicError ||
+    error instanceof Prisma.PrismaClientUnknownRequestError
+  ) {
+    return true;
+  }
+
+  if (error instanceof Prisma.PrismaClientKnownRequestError) {
+    return INFRASTRUCTURE_PRISMA_CODES.has(error.code);
+  }
+
+  return false;
+}
diff --git a/apps/webapp/app/utils/queryPerformanceMonitor.server.ts b/apps/webapp/app/utils/queryPerformanceMonitor.server.ts
index 69a11f22b3f..2398a49da10 100644
--- a/apps/webapp/app/utils/queryPerformanceMonitor.server.ts
+++ b/apps/webapp/app/utils/queryPerformanceMonitor.server.ts
@@ -32,15 +32,16 @@ export class QueryPerformanceMonitor {
 
     const { duration, query, params, target, timestamp } = log;
 
-    // Only log very slow queries as errors
+    // Slow queries are an observability signal (DB load, missing indexes,
+    // etc.), not an application error. Logged at warn so it lands in stdout
+    // without flowing to Sentry — track via metrics/dashboards instead.
     if (duration > this.config.verySlowQueryThreshold) {
-      // Truncate long queries for readability
       const truncatedQuery =
         query.length > this.config.maxQueryLogLength
           ? query.substring(0, this.config.maxQueryLogLength) + "..."
           : query;
 
-      logger.error("Prisma: very slow database query", {
+      logger.warn("Prisma: very slow database query", {
         clientType,
         durationMs: duration,
         query: truncatedQuery,
diff --git a/apps/webapp/app/utils/searchParams.ts b/apps/webapp/app/utils/searchParams.ts
index 4e3b0682b06..79220c7801e 100644
--- a/apps/webapp/app/utils/searchParams.ts
+++ b/apps/webapp/app/utils/searchParams.ts
@@ -1,6 +1,23 @@
-import { ZodType } from "zod";
+import { z, ZodType } from "zod";
 import { fromZodError } from "zod-validation-error";
 
+/**
+ * Parses a comma-separated `runIds` query param into a trimmed, de-duplicated
+ * list of run friendly IDs, capped at 100. Shared by the runs `/live` and
+ * `/children-statuses` resource routes.
+ */
+export const runIdsQueryParam = z
+  .string()
+  .optional()
+  .transform((value) => {
+    const ids =
+      value
+        ?.split(",")
+        .map((id) => id.trim())
+        .filter(Boolean) ?? [];
+    return [...new Set(ids)].slice(0, 100);
+  });
+
 export function objectToSearchParams(
   obj:
     | undefined
diff --git a/apps/webapp/app/utils/sentryTenantContext.server.ts b/apps/webapp/app/utils/sentryTenantContext.server.ts
new file mode 100644
index 00000000000..303c3b32739
--- /dev/null
+++ b/apps/webapp/app/utils/sentryTenantContext.server.ts
@@ -0,0 +1,26 @@
+import type { Event, EventHint } from "@sentry/remix";
+import { tenantContext } from "../services/tenantContext.server";
+
+export function addTenantContextToEvent(event: Event, _hint: EventHint): Event {
+  const ctx = tenantContext.get();
+  if (!ctx) return event;
+  return {
+    ...event,
+    // Only stamp user.id when we have a real user — keeps "Users Impacted"
+    // counting distinct humans rather than mixing in tenants. Events without
+    // a known user (e.g. unauthenticated paths) skip user attribution.
+    ...(ctx.userId ? { user: { ...event.user, id: ctx.userId } } : {}),
+    tags: {
+      ...event.tags,
+      ...(ctx.orgSlug ? { org_slug: ctx.orgSlug } : {}),
+      ...(ctx.projectSlug ? { project_slug: ctx.projectSlug } : {}),
+      ...(ctx.envSlug ? { env_slug: ctx.envSlug } : {}),
+      ...(ctx.orgId ? { org_id: ctx.orgId } : {}),
+      ...(ctx.projectId ? { project_id: ctx.projectId } : {}),
+      ...(ctx.projectRef ? { project_ref: ctx.projectRef } : {}),
+      ...(ctx.envId ? { environment_id: ctx.envId } : {}),
+      ...(ctx.envType ? { env_type: ctx.envType } : {}),
+      ...(ctx.impersonating ? { impersonating: "true" } : {}),
+    },
+  };
+}
diff --git a/apps/webapp/app/utils/sentryTraceContext.server.ts b/apps/webapp/app/utils/sentryTraceContext.server.ts
new file mode 100644
index 00000000000..bad678c34d8
--- /dev/null
+++ b/apps/webapp/app/utils/sentryTraceContext.server.ts
@@ -0,0 +1,52 @@
+import { type Span, TraceFlags, trace } from "@opentelemetry/api";
+import type { Event, EventHint } from "@sentry/remix";
+
+export type GetActiveSpan = () => Span | undefined;
+
+const defaultGetActiveSpan: GetActiveSpan = () => trace.getActiveSpan();
+
+export function getActiveTraceIds(
+  getActiveSpan: GetActiveSpan = defaultGetActiveSpan
+): { traceId: string; spanId: string; sampled: boolean } | undefined {
+  try {
+    const span = getActiveSpan();
+    if (!span) return undefined;
+    const ctx = span.spanContext();
+    return {
+      traceId: ctx.traceId,
+      spanId: ctx.spanId,
+      sampled: (ctx.traceFlags & TraceFlags.SAMPLED) !== 0,
+    };
+  } catch {
+    return undefined;
+  }
+}
+
+export function addOtelTraceContextToEvent(
+  event: Event,
+  _hint: EventHint,
+  getActiveSpan: GetActiveSpan = defaultGetActiveSpan
+): Event {
+  const ids = getActiveTraceIds(getActiveSpan);
+  if (!ids) return event;
+  // We intentionally overwrite Sentry's own trace_id/span_id on contexts.trace.
+  // With skipOpenTelemetrySetup: true, Sentry generates an internal trace_id
+  // unrelated to OTel; replacing it with the active OTel ids is the whole
+  // point of this processor — it makes Sentry issues navigable to the
+  // corresponding OTel trace in any backend.
+  return {
+    ...event,
+    contexts: {
+      ...event.contexts,
+      trace: {
+        ...event.contexts?.trace,
+        trace_id: ids.traceId,
+        span_id: ids.spanId,
+      },
+    },
+    tags: {
+      ...event.tags,
+      otel_sampled: ids.sampled ? "true" : "false",
+    },
+  };
+}
diff --git a/apps/webapp/app/utils/sse.server.ts b/apps/webapp/app/utils/sse.server.ts
index 56e7b191af7..c8ecce4a859 100644
--- a/apps/webapp/app/utils/sse.server.ts
+++ b/apps/webapp/app/utils/sse.server.ts
@@ -1,5 +1,6 @@
 import { eventStream } from "remix-utils/sse/server";
 import { env } from "~/env.server";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
 import { logger } from "~/services/logger.server";
 
 type SseProps = {
@@ -22,6 +23,8 @@ export function sse({ request, pingInterval = 1000, updateInterval = 348, run }:
     return new Response("SSE disabled", { status: 200 });
   }
 
+  const signal = getRequestAbortSignal();
+
   let pinger: NodeJS.Timeout | undefined = undefined;
   let updater: NodeJS.Timeout | undefined = undefined;
   let timeout: NodeJS.Timeout | undefined = undefined;
@@ -32,7 +35,7 @@ export function sse({ request, pingInterval = 1000, updateInterval = 348, run }:
     clearTimeout(timeout);
   };
 
-  return eventStream(request.signal, (send, close) => {
+  return eventStream(signal, (send, close) => {
     const safeSend = (args: { event?: string; data: string }) => {
       try {
         send(args);
@@ -60,7 +63,7 @@ export function sse({ request, pingInterval = 1000, updateInterval = 348, run }:
     };
 
     pinger = setInterval(() => {
-      if (request.signal.aborted) {
+      if (signal.aborted) {
         return abort();
       }
 
@@ -68,7 +71,7 @@ export function sse({ request, pingInterval = 1000, updateInterval = 348, run }:
     }, pingInterval);
 
     updater = setInterval(() => {
-      if (request.signal.aborted) {
+      if (signal.aborted) {
         return abort();
       }
 
diff --git a/apps/webapp/app/utils/sse.ts b/apps/webapp/app/utils/sse.ts
index 8f396c092e9..53f9aa010cd 100644
--- a/apps/webapp/app/utils/sse.ts
+++ b/apps/webapp/app/utils/sse.ts
@@ -2,6 +2,7 @@ import { type LoaderFunctionArgs } from "@remix-run/node";
 import { type Params } from "@remix-run/router";
 import { eventStream } from "remix-utils/sse/server";
 import { setInterval } from "timers/promises";
+import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
 
 export type SendFunction = Parameters<Parameters<typeof eventStream>[1]>[0];
 
@@ -37,6 +38,20 @@ type SSEOptions = {
 // This is used to track the open connections, for debugging
 const connections: Set<string> = new Set();
 
+// Stackless sentinel reasons passed to AbortController#abort. Calling .abort()
+// with no argument produces a DOMException that captures a ~500-byte stack
+// trace; a string reason is stored verbatim with no stack. The choice of
+// reason type does not cause the retention we saw in prod (that was the
+// AbortSignal.any composite — see comment near the timeoutTimer below for the
+// Node issue refs), but naming the sentinels keeps call sites readable and
+// lets future signal.reason consumers branch on the cause.
+export const ABORT_REASON_REQUEST = "request_aborted";
+export const ABORT_REASON_TIMEOUT = "timeout";
+export const ABORT_REASON_SEND_ERROR = "send_error";
+export const ABORT_REASON_INIT_STOP = "init_requested_stop";
+export const ABORT_REASON_ITERATOR_STOP = "iterator_requested_stop";
+export const ABORT_REASON_ITERATOR_ERROR = "iterator_error";
+
 export function createSSELoader(options: SSEOptions) {
   const { timeout, interval = 500, debug = false, handler } = options;
 
@@ -44,7 +59,6 @@ export function createSSELoader(options: SSEOptions) {
     const id = request.headers.get("x-request-id") || Math.random().toString(36).slice(2, 8);
 
     const internalController = new AbortController();
-    const timeoutSignal = AbortSignal.timeout(timeout);
 
     const log = (message: string) => {
       if (debug)
@@ -59,16 +73,20 @@ export function createSSELoader(options: SSEOptions) {
           if (!internalController.signal.aborted) {
             originalSend(event);
           }
-          // If controller is aborted, silently ignore the send attempt
         } catch (error) {
           if (error instanceof Error) {
             if (error.message?.includes("Controller is already closed")) {
-              // Silently handle controller closed errors
               return;
             }
             log(`Error sending event: ${error.message}`);
           }
-          throw error; // Re-throw other errors
+          // Abort before rethrowing so timer + request-abort listener are cleaned
+          // up immediately. Otherwise a send-failure in initStream leaves them
+          // alive until `timeout` fires.
+          if (!internalController.signal.aborted) {
+            internalController.abort(ABORT_REASON_SEND_ERROR);
+          }
+          throw error;
         }
       };
     };
@@ -89,51 +107,59 @@ export function createSSELoader(options: SSEOptions) {
       throw new Response("Internal Server Error", { status: 500 });
     });
 
-    const combinedSignal = AbortSignal.any([
-      request.signal,
-      timeoutSignal,
-      internalController.signal,
-    ]);
+    const requestAbortSignal = getRequestAbortSignal();
 
     log("Start");
 
-    request.signal.addEventListener(
-      "abort",
-      () => {
-        log(`request signal aborted`);
-        internalController.abort("Request aborted");
-      },
-      { once: true, signal: internalController.signal }
-    );
+    // Single-signal abort chain: everything rolls up into internalController.
+    // Timeout is a plain setTimeout cleared on abort rather than an
+    // AbortSignal.timeout() combined via AbortSignal.any() — AbortSignal.any
+    // keeps its source signals in an internal Set<WeakRef> managed by a
+    // FinalizationRegistry, and under sustained request traffic those entries
+    // accumulate faster than they get cleaned up, pinning every source signal
+    // (and its listeners, and anything those listeners close over) until the
+    // parent signal is GC'd or aborts. Reproduced locally in isolation; shape
+    // matches the ChainSafe Lodestar production case described in
+    // nodejs/node#54614. See also nodejs/node#55351 (mechanism confirmed by
+    // @jasnell, narrow fix in 22.12.0 via #55354) and nodejs/node#57584
+    // (circular-dep variant, still open).
+    const timeoutTimer = setTimeout(() => {
+      if (!internalController.signal.aborted) internalController.abort(ABORT_REASON_TIMEOUT);
+    }, timeout);
+
+    const onRequestAbort = () => {
+      log("request signal aborted");
+      if (!internalController.signal.aborted) internalController.abort(ABORT_REASON_REQUEST);
+    };
 
-    combinedSignal.addEventListener(
+    internalController.signal.addEventListener(
       "abort",
       () => {
-        log(`combinedSignal aborted: ${combinedSignal.reason}`);
+        clearTimeout(timeoutTimer);
+        requestAbortSignal.removeEventListener("abort", onRequestAbort);
       },
-      { once: true, signal: internalController.signal }
+      { once: true }
     );
 
-    timeoutSignal.addEventListener(
-      "abort",
-      () => {
-        if (internalController.signal.aborted) return;
-        log(`timeoutSignal aborted: ${timeoutSignal.reason}`);
-        internalController.abort("Timeout");
-      },
-      { once: true, signal: internalController.signal }
-    );
+    // The request could have been aborted during `await handler(context)` above.
+    // AbortSignal listeners added after the signal is already aborted never fire,
+    // so invoke cleanup synchronously in that case instead of waiting for `timeout`.
+    if (requestAbortSignal.aborted) {
+      onRequestAbort();
+    } else {
+      requestAbortSignal.addEventListener("abort", onRequestAbort, { once: true });
+    }
 
     if (handlers.beforeStream) {
       const shouldContinue = await handlers.beforeStream();
       if (shouldContinue === false) {
         log("beforeStream returned false, so we'll exit before creating the stream");
-        internalController.abort("Init requested stop");
+        internalController.abort(ABORT_REASON_INIT_STOP);
         return;
       }
     }
 
-    return eventStream(combinedSignal, function setup(send) {
+    return eventStream(internalController.signal, function setup(send) {
       connections.add(id);
       const safeSend = createSafeSend(send);
 
@@ -144,14 +170,14 @@ export function createSSELoader(options: SSEOptions) {
             const shouldContinue = await handlers.initStream({ send: safeSend });
             if (shouldContinue === false) {
               log("initStream returned false, so we'll stop the stream");
-              internalController.abort("Init requested stop");
+              internalController.abort(ABORT_REASON_INIT_STOP);
               return;
             }
           }
 
           log("Starting interval");
           for await (const _ of setInterval(interval, null, {
-            signal: combinedSignal,
+            signal: internalController.signal,
           })) {
             log("PING");
 
@@ -162,13 +188,16 @@ export function createSSELoader(options: SSEOptions) {
                 const shouldContinue = await handlers.iterator({ date, send: safeSend });
                 if (shouldContinue === false) {
                   log("iterator return false, so we'll stop the stream");
-                  internalController.abort("Iterator requested stop");
+                  internalController.abort(ABORT_REASON_ITERATOR_STOP);
                   break;
                 }
               } catch (error) {
                 log("iterator threw an error, aborting stream");
                 // Immediately abort to trigger cleanup
-                internalController.abort(error instanceof Error ? error.message : "Iterator error");
+                if (error instanceof Error && error.name !== "AbortError") {
+                  log(`iterator error: ${error.message}`);
+                }
+                internalController.abort(ABORT_REASON_ITERATOR_ERROR);
                 // No need to re-throw as we're handling it by aborting
                 return; // Exit the run function immediately
               }
diff --git a/apps/webapp/app/utils/timelineSpanEvents.ts b/apps/webapp/app/utils/timelineSpanEvents.ts
index 9e09ba0a795..596f0399a6f 100644
--- a/apps/webapp/app/utils/timelineSpanEvents.ts
+++ b/apps/webapp/app/utils/timelineSpanEvents.ts
@@ -117,7 +117,6 @@ export function createTimelineSpanEventsFromSpanEvents(
       offset,
       timestamp,
       duration,
-      properties: spanEvent.properties,
       helpText: getHelpTextForEvent(name),
       markerVariant,
       lineVariant: "light" as const,
diff --git a/apps/webapp/app/v3/dynamicFlushScheduler.server.ts b/apps/webapp/app/v3/dynamicFlushScheduler.server.ts
index 9f2cffec9e6..afa3e133222 100644
--- a/apps/webapp/app/v3/dynamicFlushScheduler.server.ts
+++ b/apps/webapp/app/v3/dynamicFlushScheduler.server.ts
@@ -310,7 +310,7 @@ export class DynamicFlushScheduler<T> {
     if (newConcurrency !== currentConcurrency) {
       this.limiter = pLimit(newConcurrency);
 
-      this.logger.info("Adjusted flush concurrency", {
+      this.logger.debug("Adjusted flush concurrency", {
         previousConcurrency: currentConcurrency,
         newConcurrency,
         queuePressure,
diff --git a/apps/webapp/app/v3/environmentVariables/environmentVariablesRepository.server.ts b/apps/webapp/app/v3/environmentVariables/environmentVariablesRepository.server.ts
index c6c72d79567..68f9aa0f3b3 100644
--- a/apps/webapp/app/v3/environmentVariables/environmentVariablesRepository.server.ts
+++ b/apps/webapp/app/v3/environmentVariables/environmentVariablesRepository.server.ts
@@ -1,7 +1,8 @@
 import { Prisma, type PrismaClient, type RuntimeEnvironmentType } from "@trigger.dev/database";
+import type { AuthenticatedEnvironment } from "@trigger.dev/core/v3/auth/environment";
 import { z } from "zod";
 import { environmentFullTitle } from "~/components/environments/EnvironmentLabel";
-import { $transaction, prisma } from "~/db.server";
+import { $replica, $transaction, prisma, type PrismaReplicaClient } from "~/db.server";
 import { env } from "~/env.server";
 import { getSecretStore } from "~/services/secrets/secretStore.server";
 import { generateFriendlyId } from "../friendlyIdentifiers";
@@ -46,7 +47,10 @@ function parseSecretKey(key: string) {
 const SecretValue = z.object({ secret: z.string() });
 
 export class EnvironmentVariablesRepository implements Repository {
-  constructor(private prismaClient: PrismaClient = prisma) {}
+  constructor(
+    private prismaClient: PrismaClient = prisma,
+    private replicaClient: PrismaReplicaClient = $replica
+  ) {}
 
   async create(projectId: string, options: CreateEnvironmentVariables): Promise<CreateResult> {
     const project = await this.prismaClient.project.findFirst({
@@ -573,6 +577,42 @@ export class EnvironmentVariablesRepository implements Repository {
     return results;
   }
 
+  async getVariableValuesForKeys(
+    projectId: string,
+    items: Array<{ environmentId: string; key: string }>
+  ): Promise<Map<string, string>> {
+    if (items.length === 0) {
+      return new Map();
+    }
+
+    const uniqueItems = new Map<string, { environmentId: string; key: string }>();
+    for (const item of items) {
+      uniqueItems.set(`${item.environmentId}:${item.key}`, item);
+    }
+
+    const secretStore = getSecretStore("DATABASE", {
+      prismaClient: this.replicaClient,
+    });
+
+    const storeKeys = Array.from(uniqueItems.values()).map((item) =>
+      secretKey(projectId, item.environmentId, item.key)
+    );
+
+    const secrets = await secretStore.getSecretsByKeys(SecretValue, storeKeys);
+    const secretsByStoreKey = new Map(secrets.map((secret) => [secret.key, secret.value.secret]));
+
+    const values = new Map<string, string>();
+    for (const item of uniqueItems.values()) {
+      const storeKey = secretKey(projectId, item.environmentId, item.key);
+      const value = secretsByStoreKey.get(storeKey);
+      if (value !== undefined) {
+        values.set(`${item.environmentId}:${item.key}`, value);
+      }
+    }
+
+    return values;
+  }
+
   async getEnvironmentWithRedactedSecrets(
     projectId: string,
     environmentId: string,
@@ -581,7 +621,7 @@ export class EnvironmentVariablesRepository implements Repository {
     const variables = await this.getEnvironment(projectId, environmentId, parentEnvironmentId);
 
     // Get the keys of all secret variables
-    const secretValues = await this.prismaClient.environmentVariableValue.findMany({
+    const secretValues = await this.replicaClient.environmentVariableValue.findMany({
       where: {
         environmentId: parentEnvironmentId
           ? { in: [environmentId, parentEnvironmentId] }
@@ -876,8 +916,21 @@ export const RuntimeEnvironmentForEnvRepoPayload = {
   },
 } as const;
 
-export type RuntimeEnvironmentForEnvRepo = Prisma.RuntimeEnvironmentGetPayload<
-  typeof RuntimeEnvironmentForEnvRepoPayload
+// Derived from the slim AuthenticatedEnvironment so a full AE satisfies
+// this type — the legacy Prisma payload had `builtInEnvironmentVariableOverrides`
+// as Prisma's JsonValue, which is a subtype of `unknown` in the slim
+// shape, causing assignability errors in the JWT/queue paths that pass
+// AE values straight through. Using Pick<AE, ...> aligns them.
+export type RuntimeEnvironmentForEnvRepo = Pick<
+  AuthenticatedEnvironment,
+  | "id"
+  | "slug"
+  | "type"
+  | "projectId"
+  | "apiKey"
+  | "organizationId"
+  | "branchName"
+  | "builtInEnvironmentVariableOverrides"
 >;
 
 export const environmentVariablesRepository = new EnvironmentVariablesRepository();
@@ -1333,10 +1386,13 @@ function resolveBuiltInEnvironmentVariableOverrides(
   if (
     !Array.isArray(overrides) &&
     typeof overrides === "object" &&
-    key in overrides &&
-    typeof overrides[key] === "string"
+    overrides !== null &&
+    key in overrides
   ) {
-    return overrides[key];
+    const value = (overrides as Record<string, unknown>)[key];
+    if (typeof value === "string") {
+      return value;
+    }
   }
 
   return defaultValue;
diff --git a/apps/webapp/app/v3/environmentVariables/repository.ts b/apps/webapp/app/v3/environmentVariables/repository.ts
index ea027bc2ca8..84dee8beaf3 100644
--- a/apps/webapp/app/v3/environmentVariables/repository.ts
+++ b/apps/webapp/app/v3/environmentVariables/repository.ts
@@ -106,6 +106,14 @@ export interface Repository {
   edit(projectId: string, options: EditEnvironmentVariable): Promise<Result>;
   editValue(projectId: string, options: EditEnvironmentVariableValue): Promise<Result>;
   getProject(projectId: string): Promise<ProjectEnvironmentVariable[]>;
+  /**
+   * Fetch and decrypt only the given env var values (for dashboard display of non-secret rows).
+   * Map keys are `${environmentId}:${variableKey}`.
+   */
+  getVariableValuesForKeys(
+    projectId: string,
+    items: Array<{ environmentId: string; key: string }>
+  ): Promise<Map<string, string>>;
   /**
    * Get the environment variables for a given environment, it does NOT return values for secret variables
    */
diff --git a/apps/webapp/app/v3/eventRepository/clickhouseEventRepository.server.ts b/apps/webapp/app/v3/eventRepository/clickhouseEventRepository.server.ts
index 27b96ed7d37..1e091944e6a 100644
--- a/apps/webapp/app/v3/eventRepository/clickhouseEventRepository.server.ts
+++ b/apps/webapp/app/v3/eventRepository/clickhouseEventRepository.server.ts
@@ -1,6 +1,7 @@
 import type {
   ClickHouse,
   LlmMetricsV1Input,
+  MetricsV1Input,
   TaskEventDetailedSummaryV1Result,
   TaskEventDetailsV1Result,
   TaskEventSummaryV1Result,
@@ -45,6 +46,11 @@ import {
   removePrivateProperties,
   isEmptyObject,
 } from "./common.server";
+import {
+  isClickHouseJsonParseError,
+  parseRowNumberFromError,
+  sanitizeRows,
+} from "./sanitizeRowsOnParseError.server";
 import type {
   CompleteableTaskRun,
   CreateEventInput,
@@ -56,6 +62,7 @@ import type {
   SpanOverride,
   SpanSummary,
   SpanSummaryCommon,
+  StreamedTraceEvent,
   TraceAttributes,
   TraceDetailedSummary,
   TraceEventOptions,
@@ -91,6 +98,10 @@ export type ClickhouseEventRepositoryConfig = {
   llmMetricsFlushInterval?: number;
   llmMetricsMaxBatchSize?: number;
   llmMetricsMaxConcurrency?: number;
+  /** OTLP / task metrics_v1 flush scheduler config */
+  otlpMetricsBatchSize?: number;
+  otlpMetricsFlushInterval?: number;
+  otlpMetricsMaxConcurrency?: number;
 };
 
 /**
@@ -102,8 +113,16 @@ export class ClickhouseEventRepository implements IEventRepository {
   private _config: ClickhouseEventRepositoryConfig;
   private readonly _flushScheduler: DynamicFlushScheduler<TaskEventV1Input | TaskEventV2Input>;
   private readonly _llmMetricsFlushScheduler: DynamicFlushScheduler<LlmMetricsV1Input>;
+  private readonly _otlpMetricsFlushScheduler: DynamicFlushScheduler<MetricsV1Input>;
   private _tracer: Tracer;
   private _version: "v1" | "v2";
+  /**
+   * Counts batches that hit a ClickHouse JSON parse failure that survived
+   * one sanitize-retry. These batches are dropped on the floor (the scheduler
+   * is told the flush "succeeded" so its queue counter doesn't leak), and we
+   * track the drop count for observability.
+   */
+  private _permanentlyDroppedBatches = 0;
 
   constructor(config: ClickhouseEventRepositoryConfig) {
     this._clickhouse = config.clickhouse;
@@ -137,6 +156,15 @@ export class ClickhouseEventRepository implements IEventRepository {
       memoryPressureThreshold: config.llmMetricsMaxBatchSize ?? 10000,
       loadSheddingEnabled: false,
     });
+
+    this._otlpMetricsFlushScheduler = new DynamicFlushScheduler({
+      batchSize: config.otlpMetricsBatchSize ?? 10000,
+      flushInterval: config.otlpMetricsFlushInterval ?? 1000,
+      callback: this.#flushOtelMetricsBatch.bind(this),
+      minConcurrency: 1,
+      maxConcurrency: config.otlpMetricsMaxConcurrency ?? 3,
+      loadSheddingEnabled: false,
+    });
   }
 
   get version() {
@@ -147,6 +175,11 @@ export class ClickhouseEventRepository implements IEventRepository {
     return this._config.maximumLiveReloadingSetting ?? 1000;
   }
 
+  /** Exposed for tests and metrics — total batches lost to unrecoverable parse errors. */
+  get permanentlyDroppedBatches() {
+    return this._permanentlyDroppedBatches;
+  }
+
   /**
    * Clamps a start time (in nanoseconds) to now if it's too far in the past.
    * Returns the clamped value as a bigint.
@@ -215,19 +248,32 @@ export class ClickhouseEventRepository implements IEventRepository {
           ? this._clickhouse.taskEventsV2.insert
           : this._clickhouse.taskEvents.insert;
 
-      const [insertError, insertResult] = await insertFn(events, {
-        params: {
-          clickhouse_settings: this.#getClickhouseInsertSettings(),
-        },
-      });
+      const doInsert = async () => {
+        const [insertError, insertResult] = await insertFn(events, {
+          params: {
+            clickhouse_settings: this.#getClickhouseInsertSettings(),
+          },
+        });
+        if (insertError) throw insertError;
+        return insertResult;
+      };
 
-      if (insertError) {
-        throw insertError;
+      const outcome = await this.#insertWithJsonParseRecovery(
+        flushId,
+        events,
+        doInsert,
+        `task_events_${this._version}`
+      );
+
+      if (outcome.kind === "dropped") {
+        // Loud log already emitted; nothing landed in ClickHouse — don't publish to Redis.
+        return;
       }
 
-      logger.info("ClickhouseEventRepository.flushBatch Inserted batch into clickhouse", {
+      logger.debug("ClickhouseEventRepository.flushBatch Inserted batch into clickhouse", {
         events: events.length,
-        insertResult,
+        insertResult: outcome.insertResult,
+        sanitized: outcome.kind === "sanitized",
         version: this._version,
       });
 
@@ -236,19 +282,149 @@ export class ClickhouseEventRepository implements IEventRepository {
   }
 
   async #flushLlmMetricsBatch(flushId: string, rows: LlmMetricsV1Input[]) {
+    const doInsert = async () => {
+      const [insertError, insertResult] = await this._clickhouse.llmMetrics.insert(rows, {
+        params: {
+          clickhouse_settings: this.#getClickhouseInsertSettings(),
+        },
+      });
+      if (insertError) throw insertError;
+      return insertResult;
+    };
 
-    const [insertError] = await this._clickhouse.llmMetrics.insert(rows, {
-      params: {
-        clickhouse_settings: this.#getClickhouseInsertSettings(),
-      },
-    });
+    const outcome = await this.#insertWithJsonParseRecovery(
+      flushId,
+      rows,
+      doInsert,
+      "llm_metrics_v1"
+    );
 
-    if (insertError) {
-      throw insertError;
+    if (outcome.kind === "dropped") {
+      return;
     }
 
-    logger.info("ClickhouseEventRepository.flushLlmMetricsBatch Inserted LLM metrics batch", {
+    logger.debug("ClickhouseEventRepository.flushLlmMetricsBatch Inserted LLM metrics batch", {
       rows: rows.length,
+      sanitized: outcome.kind === "sanitized",
+    });
+  }
+
+  /**
+   * Wraps a ClickHouse insert callable with reactive UTF-16 sanitization.
+   *
+   * On a `Cannot parse JSON object` failure:
+   *   1. Sanitize the batch from `max(0, parsedRowN - 1)` onwards (rows
+   *      before the failing one parsed fine — known good).
+   *   2. Retry the insert once with the sanitized batch.
+   *   3. If the retry still fails with the same error class, log loudly,
+   *      increment `permanentlyDroppedBatches`, and return without
+   *      throwing — the scheduler's transient-retry path would just repeat
+   *      the same deterministic failure.
+   *
+   * Non-parse errors propagate unchanged so the scheduler's existing
+   * backoff/retry behaviour still handles transient network or CH issues.
+   */
+  async #insertWithJsonParseRecovery<T extends object>(
+    flushId: string,
+    rows: T[],
+    doInsert: () => Promise<unknown>,
+    contextLabel: string
+  ): Promise<
+    | { kind: "inserted"; insertResult: unknown }
+    | { kind: "sanitized"; insertResult: unknown }
+    | { kind: "dropped" }
+  > {
+    try {
+      return { kind: "inserted", insertResult: await doInsert() };
+    } catch (firstError) {
+      if (!isClickHouseJsonParseError(firstError)) throw firstError;
+
+      const firstMessage =
+        typeof firstError === "object" && firstError !== null && "message" in firstError
+          ? String((firstError as { message?: unknown }).message ?? "")
+          : String(firstError);
+
+      // Sanitize the whole batch. ClickHouse's `at row N` index is logged
+      // for observability but not used to slice — its semantics under
+      // parallel parsing are not stable enough to safely skip rows.
+      const rowHint = parseRowNumberFromError(firstMessage);
+      const { rowsTouched, fieldsSanitized } = sanitizeRows(rows);
+
+      // Sanitizer found nothing to fix → retrying the exact same batch is
+      // guaranteed to hit the same deterministic parse failure. Skip the
+      // wasted ClickHouse round-trip and drop loudly. Throwing instead would
+      // hand the failure back to the scheduler's 3× transient-retry loop —
+      // exactly the retry storm this wrapper is designed to avoid.
+      if (fieldsSanitized === 0) {
+        this._permanentlyDroppedBatches += 1;
+        logger.error(
+          "Dropped batch — ClickHouse JSON parse error but sanitizer found nothing to fix",
+          {
+            flushId,
+            contextLabel,
+            batchSize: rows.length,
+            clickhouseRowHint: rowHint,
+            permanentlyDroppedBatches: this._permanentlyDroppedBatches,
+            sampleRow: JSON.stringify(rows[0] ?? null).slice(0, 1024),
+            clickhouseError: firstMessage.split("\n")[0],
+          }
+        );
+        return { kind: "dropped" };
+      }
+
+      logger.warn("Sanitizing batch after ClickHouse JSON parse error", {
+        flushId,
+        contextLabel,
+        batchSize: rows.length,
+        clickhouseRowHint: rowHint,
+        rowsTouched,
+        fieldsSanitized,
+        clickhouseError: firstMessage.split("\n")[0],
+      });
+
+      try {
+        return { kind: "sanitized", insertResult: await doInsert() };
+      } catch (retryError) {
+        if (!isClickHouseJsonParseError(retryError)) throw retryError;
+
+        this._permanentlyDroppedBatches += 1;
+        const retryMessage =
+          typeof retryError === "object" && retryError !== null && "message" in retryError
+            ? String((retryError as { message?: unknown }).message ?? "")
+            : String(retryError);
+        logger.error("Dropped batch after sanitize-retry still hit ClickHouse JSON parse error", {
+          flushId,
+          contextLabel,
+          batchSize: rows.length,
+          permanentlyDroppedBatches: this._permanentlyDroppedBatches,
+          sampleRow: JSON.stringify(rows[0] ?? null).slice(0, 1024),
+          firstError: firstMessage.split("\n")[0],
+          retryError: retryMessage.split("\n")[0],
+        });
+
+        return { kind: "dropped" };
+      }
+    }
+  }
+
+  async #flushOtelMetricsBatch(flushId: string, rows: MetricsV1Input[]) {
+    await startSpan(this._tracer, "flushOtelMetricsBatch", async (span) => {
+      span.setAttribute("flush_id", flushId);
+      span.setAttribute("row_count", rows.length);
+
+      const [insertError] = await this._clickhouse.metrics.insert(rows, {
+        params: {
+          clickhouse_settings: this.#getClickhouseInsertSettings(),
+        },
+      });
+
+      if (insertError) {
+        throw insertError;
+      }
+
+      logger.debug("ClickhouseEventRepository.flushOtelMetricsBatch Inserted OTLP metrics batch", {
+        rows: rows.length,
+      });
     });
   }
 
@@ -310,7 +486,7 @@ export class ClickhouseEventRepository implements IEventRepository {
     await tracePubSub.publish(events.map((e) => e.trace_id));
   }
 
-  async insertMany(events: CreateEventInput[]): Promise<void> {
+  insertMany(events: CreateEventInput[]): void {
     this.addToBatch(events.flatMap((event) => this.createEventToTaskEventV1Input(event)));
 
     // Dual-write LLM metrics records for spans with cost enrichment
@@ -327,6 +503,11 @@ export class ClickhouseEventRepository implements IEventRepository {
     this.insertMany(events);
   }
 
+  insertManyMetrics(rows: MetricsV1Input[]): void {
+    if (rows.length === 0) return;
+    this._otlpMetricsFlushScheduler.addToBatch(rows);
+  }
+
   private createEventToTaskEventV1Input(event: CreateEventInput): TaskEventV1Input[] {
     return [
       {
@@ -1808,6 +1989,80 @@ export class ClickhouseEventRepository implements IEventRepository {
     };
   }
 
+  async *streamTraceEvents(
+    storeTable: TaskEventStoreTable,
+    environmentId: string,
+    traceId: string,
+    startCreatedAt: Date,
+    endCreatedAt?: Date,
+    options?: { includeDebugLogs?: boolean }
+  ): AsyncIterable<StreamedTraceEvent> {
+    const startCreatedAtWithBuffer = new Date(startCreatedAt.getTime() - 1000);
+
+    const queryBuilder =
+      this._version === "v2"
+        ? this._clickhouse.taskEventsV2.traceEventsForExportQueryBuilder()
+        : this._clickhouse.taskEvents.traceEventsForExportQueryBuilder();
+
+    queryBuilder.where("environment_id = {environmentId: String}", { environmentId });
+    queryBuilder.where("trace_id = {traceId: String}", { traceId });
+    queryBuilder.where("start_time >= {startCreatedAt: String}", {
+      startCreatedAt: convertDateToNanoseconds(startCreatedAtWithBuffer).toString(),
+    });
+
+    if (endCreatedAt) {
+      queryBuilder.where("start_time <= {endCreatedAt: String}", {
+        endCreatedAt: convertDateToNanoseconds(endCreatedAt).toString(),
+      });
+    }
+
+    if (this._version === "v2") {
+      queryBuilder.where("inserted_at >= {insertedAtStart: DateTime64(3)}", {
+        insertedAtStart: convertDateToClickhouseDateTime(startCreatedAtWithBuffer),
+      });
+    }
+
+    // Admin-only debug events stay hidden unless explicitly requested.
+    if (options?.includeDebugLogs !== true) {
+      queryBuilder.where("kind != {debugKind: String}", { debugKind: "DEBUG_EVENT" });
+    }
+
+    // Each span is written twice: a PARTIAL start-marker (empty attributes) and
+    // the completed row. Keep only the completed row so the export has one line
+    // per span (the tree path merges these; streaming can't, so we filter).
+    queryBuilder.where("status != {partialStatus: String}", { partialStatus: "PARTIAL" });
+
+    // Internal trigger.dev span events (start timeline) are uninformative noise
+    // in the export; the tree path filters them too. Real span events such as
+    // exceptions are kept.
+    queryBuilder.where(
+      "(kind != {spanEventKind: String} OR NOT startsWith(message, {internalPrefix: String}))",
+      { spanEventKind: "SPAN_EVENT", internalPrefix: "trigger.dev/" }
+    );
+
+    // ANCESTOR_OVERRIDE rows duplicate a descendant's error onto an ancestor span
+    // to colour the tree; they carry no event of their own. The tree path drops
+    // them, so the export does too (otherwise the same error shows up twice).
+    queryBuilder.where("kind != {ancestorKind: String}", { ancestorKind: "ANCESTOR_OVERRIDE" });
+
+    queryBuilder.orderBy("start_time ASC");
+    // Deliberately no LIMIT: streaming never materialises the result set, so the
+    // detailed-summary memory cap doesn't apply to the export.
+
+    for await (const row of queryBuilder.executeStream()) {
+      yield {
+        spanId: row.span_id,
+        parentSpanId: row.parent_span_id,
+        startTime: convertClickhouseDateTime64ToJsDate(row.start_time),
+        durationNs: typeof row.duration === "number" ? row.duration : Number(row.duration),
+        level: clickhouseKindToLevel(row.kind),
+        message: row.message,
+        isError: row.status === "ERROR",
+        propertiesText: row.attributes_text ?? "",
+      };
+    }
+  }
+
   #mergeRecordsIntoSpanDetailedSummary(
     spanId: string,
     records: TaskEventDetailedSummaryV1Result[],
@@ -2088,6 +2343,16 @@ export function convertClickhouseDateTime64ToNanosecondsEpoch(date: string): big
  *
  * Optimized with fast path for common format (avoids regex for 99% of cases).
  */
+// Map a ClickHouse task-event `kind` to a human display level for the streaming
+// export (e.g. LOG_INFO -> INFO, SPAN -> TRACE, SPAN_EVENT -> EVENT).
+function clickhouseKindToLevel(kind: string): string {
+  if (kind.startsWith("LOG_")) return kind.slice(4);
+  if (kind === "SPAN") return "TRACE";
+  if (kind === "SPAN_EVENT") return "EVENT";
+  if (kind === "DEBUG_EVENT") return "DEBUG";
+  return kind;
+}
+
 export function convertClickhouseDateTime64ToJsDate(date: string): Date {
   // Fast path for common format: "2025-09-23 12:32:46.130262875" or "2025-09-23 12:32:46"
   // This avoids the expensive regex for the common case
diff --git a/apps/webapp/app/v3/eventRepository/clickhouseEventRepositoryInstance.server.ts b/apps/webapp/app/v3/eventRepository/clickhouseEventRepositoryInstance.server.ts
deleted file mode 100644
index d4e28c5841a..00000000000
--- a/apps/webapp/app/v3/eventRepository/clickhouseEventRepositoryInstance.server.ts
+++ /dev/null
@@ -1,112 +0,0 @@
-import { ClickHouse } from "@internal/clickhouse";
-import { env } from "~/env.server";
-import { singleton } from "~/utils/singleton";
-import { ClickhouseEventRepository } from "./clickhouseEventRepository.server";
-
-export const clickhouseEventRepository = singleton(
-  "clickhouseEventRepository",
-  initializeClickhouseRepository
-);
-
-export const clickhouseEventRepositoryV2 = singleton(
-  "clickhouseEventRepositoryV2",
-  initializeClickhouseRepositoryV2
-);
-
-function getClickhouseClient() {
-  if (!env.EVENTS_CLICKHOUSE_URL) {
-    throw new Error("EVENTS_CLICKHOUSE_URL is not set");
-  }
-
-  const url = new URL(env.EVENTS_CLICKHOUSE_URL);
-  url.searchParams.delete("secure");
-
-  return new ClickHouse({
-    url: url.toString(),
-    name: "task-events",
-    keepAlive: {
-      enabled: env.EVENTS_CLICKHOUSE_KEEP_ALIVE_ENABLED === "1",
-      idleSocketTtl: env.EVENTS_CLICKHOUSE_KEEP_ALIVE_IDLE_SOCKET_TTL_MS,
-    },
-    logLevel: env.EVENTS_CLICKHOUSE_LOG_LEVEL,
-    compression: {
-      request: env.EVENTS_CLICKHOUSE_COMPRESSION_REQUEST === "1",
-    },
-    maxOpenConnections: env.EVENTS_CLICKHOUSE_MAX_OPEN_CONNECTIONS,
-  });
-}
-
-function initializeClickhouseRepository() {
-  if (!env.EVENTS_CLICKHOUSE_URL) {
-    throw new Error("EVENTS_CLICKHOUSE_URL is not set");
-  }
-
-  const url = new URL(env.EVENTS_CLICKHOUSE_URL);
-  url.searchParams.delete("secure");
-
-  const safeUrl = new URL(url.toString());
-  safeUrl.password = "redacted";
-
-  console.log("🗃️  Initializing Clickhouse event repository (v1)", { url: safeUrl.toString() });
-
-  const clickhouse = getClickhouseClient();
-
-  const repository = new ClickhouseEventRepository({
-    clickhouse: clickhouse,
-    batchSize: env.EVENTS_CLICKHOUSE_BATCH_SIZE,
-    flushInterval: env.EVENTS_CLICKHOUSE_FLUSH_INTERVAL_MS,
-    maximumTraceSummaryViewCount: env.EVENTS_CLICKHOUSE_MAX_TRACE_SUMMARY_VIEW_COUNT,
-    maximumTraceDetailedSummaryViewCount:
-      env.EVENTS_CLICKHOUSE_MAX_TRACE_DETAILED_SUMMARY_VIEW_COUNT,
-    maximumLiveReloadingSetting: env.EVENTS_CLICKHOUSE_MAX_LIVE_RELOADING_SETTING,
-    insertStrategy: env.EVENTS_CLICKHOUSE_INSERT_STRATEGY,
-    waitForAsyncInsert: env.EVENTS_CLICKHOUSE_WAIT_FOR_ASYNC_INSERT === "1",
-    asyncInsertMaxDataSize: env.EVENTS_CLICKHOUSE_ASYNC_INSERT_MAX_DATA_SIZE,
-    asyncInsertBusyTimeoutMs: env.EVENTS_CLICKHOUSE_ASYNC_INSERT_BUSY_TIMEOUT_MS,
-    startTimeMaxAgeMs: env.EVENTS_CLICKHOUSE_START_TIME_MAX_AGE_MS,
-    llmMetricsBatchSize: env.LLM_METRICS_BATCH_SIZE,
-    llmMetricsFlushInterval: env.LLM_METRICS_FLUSH_INTERVAL_MS,
-    llmMetricsMaxBatchSize: env.LLM_METRICS_MAX_BATCH_SIZE,
-    llmMetricsMaxConcurrency: env.LLM_METRICS_MAX_CONCURRENCY,
-    version: "v1",
-  });
-
-  return repository;
-}
-
-function initializeClickhouseRepositoryV2() {
-  if (!env.EVENTS_CLICKHOUSE_URL) {
-    throw new Error("EVENTS_CLICKHOUSE_URL is not set");
-  }
-
-  const url = new URL(env.EVENTS_CLICKHOUSE_URL);
-  url.searchParams.delete("secure");
-
-  const safeUrl = new URL(url.toString());
-  safeUrl.password = "redacted";
-
-  console.log("🗃️  Initializing Clickhouse event repository (v2)", { url: safeUrl.toString() });
-
-  const clickhouse = getClickhouseClient();
-
-  const repository = new ClickhouseEventRepository({
-    clickhouse: clickhouse,
-    batchSize: env.EVENTS_CLICKHOUSE_BATCH_SIZE,
-    flushInterval: env.EVENTS_CLICKHOUSE_FLUSH_INTERVAL_MS,
-    maximumTraceSummaryViewCount: env.EVENTS_CLICKHOUSE_MAX_TRACE_SUMMARY_VIEW_COUNT,
-    maximumTraceDetailedSummaryViewCount:
-      env.EVENTS_CLICKHOUSE_MAX_TRACE_DETAILED_SUMMARY_VIEW_COUNT,
-    maximumLiveReloadingSetting: env.EVENTS_CLICKHOUSE_MAX_LIVE_RELOADING_SETTING,
-    insertStrategy: env.EVENTS_CLICKHOUSE_INSERT_STRATEGY,
-    waitForAsyncInsert: env.EVENTS_CLICKHOUSE_WAIT_FOR_ASYNC_INSERT === "1",
-    asyncInsertMaxDataSize: env.EVENTS_CLICKHOUSE_ASYNC_INSERT_MAX_DATA_SIZE,
-    asyncInsertBusyTimeoutMs: env.EVENTS_CLICKHOUSE_ASYNC_INSERT_BUSY_TIMEOUT_MS,
-    llmMetricsBatchSize: env.LLM_METRICS_BATCH_SIZE,
-    llmMetricsFlushInterval: env.LLM_METRICS_FLUSH_INTERVAL_MS,
-    llmMetricsMaxBatchSize: env.LLM_METRICS_MAX_BATCH_SIZE,
-    llmMetricsMaxConcurrency: env.LLM_METRICS_MAX_CONCURRENCY,
-    version: "v2",
-  });
-
-  return repository;
-}
diff --git a/apps/webapp/app/v3/eventRepository/emergencySpanCap.server.ts b/apps/webapp/app/v3/eventRepository/emergencySpanCap.server.ts
new file mode 100644
index 00000000000..6203e615816
--- /dev/null
+++ b/apps/webapp/app/v3/eventRepository/emergencySpanCap.server.ts
@@ -0,0 +1,8 @@
+import { env } from "~/env.server";
+
+// Emergency circuit breaker for trace views: when TRACE_VIEW_EMERGENCY_SPAN_CAP
+// is set, clamp a trace summary span limit to it. Unset = no clamping.
+export function clampToEmergencySpanCap(limit: number): number {
+  const cap = env.TRACE_VIEW_EMERGENCY_SPAN_CAP;
+  return cap === undefined ? limit : Math.min(limit, cap);
+}
diff --git a/apps/webapp/app/v3/eventRepository/eventRepository.server.ts b/apps/webapp/app/v3/eventRepository/eventRepository.server.ts
index de2a19e395e..268c955fd25 100644
--- a/apps/webapp/app/v3/eventRepository/eventRepository.server.ts
+++ b/apps/webapp/app/v3/eventRepository/eventRepository.server.ts
@@ -18,6 +18,7 @@ import {
   unflattenAttributes,
 } from "@trigger.dev/core/v3";
 import { serializeTraceparent } from "@trigger.dev/core/v3/isomorphic";
+import type { MetricsV1Input } from "@internal/clickhouse";
 import { Prisma, TaskEvent, TaskEventKind } from "@trigger.dev/database";
 import { nanoid } from "nanoid";
 import { Gauge } from "prom-client";
@@ -59,6 +60,7 @@ import type {
   SpanDetail,
   SpanDetailedSummary,
   SpanSummary,
+  StreamedTraceEvent,
   TraceAttributes,
   TraceDetailedSummary,
   TraceEventOptions,
@@ -151,7 +153,7 @@ export class EventRepository implements IEventRepository {
     await this.#flushBatch(nanoid(), [this.#createableEventToPrismaEvent(event)]);
   }
 
-  async insertMany(events: CreateEventInput[]) {
+  insertMany(events: CreateEventInput[]) {
     this._flushScheduler.addToBatch(events.map(this.#createableEventToPrismaEvent));
   }
 
@@ -159,6 +161,8 @@ export class EventRepository implements IEventRepository {
     await this.#flushBatchWithReturn(nanoid(), events.map(this.#createableEventToPrismaEvent));
   }
 
+  insertManyMetrics(_rows: MetricsV1Input[]): void {}
+
   async completeSuccessfulRunEvent({ run, endTime }: { run: CompleteableTaskRun; endTime?: Date }) {
     const startTime = convertDateToNanoseconds(run.createdAt);
 
@@ -680,6 +684,38 @@ export class EventRepository implements IEventRepository {
     });
   }
 
+  public async *streamTraceEvents(
+    storeTable: TaskEventStoreTable,
+    environmentId: string,
+    traceId: string,
+    startCreatedAt: Date,
+    endCreatedAt?: Date,
+    options?: { includeDebugLogs?: boolean }
+  ): AsyncIterable<StreamedTraceEvent> {
+    for await (const event of this.taskEventStore.streamDetailedTraceEvents(
+      storeTable,
+      traceId,
+      startCreatedAt,
+      endCreatedAt,
+      { includeDebugLogs: options?.includeDebugLogs }
+    )) {
+      const properties = event.properties
+        ? removePrivateProperties(event.properties as Attributes) ?? {}
+        : {};
+
+      yield {
+        spanId: event.spanId,
+        parentSpanId: event.parentId ?? "",
+        startTime: getDateFromNanoseconds(event.startTime),
+        durationNs: Number(event.duration),
+        level: event.level,
+        message: event.message,
+        isError: event.isError,
+        propertiesText: JSON.stringify(properties),
+      };
+    }
+  }
+
   public async getRunEvents(
     storeTable: TaskEventStoreTable,
     environmentId: string,
diff --git a/apps/webapp/app/v3/eventRepository/eventRepository.types.ts b/apps/webapp/app/v3/eventRepository/eventRepository.types.ts
index 0b45e536490..591c7927a58 100644
--- a/apps/webapp/app/v3/eventRepository/eventRepository.types.ts
+++ b/apps/webapp/app/v3/eventRepository/eventRepository.types.ts
@@ -14,6 +14,7 @@ import type {
   TaskEventStatus,
   TaskRun,
 } from "@trigger.dev/database";
+import type { MetricsV1Input } from "@internal/clickhouse";
 import type { DetailedTraceEvent, TaskEventStoreTable } from "../taskEventStore.server";
 export type { ExceptionEventProperties };
 
@@ -329,6 +330,24 @@ export type SpanDetailedSummary = {
   children: Array<SpanDetailedSummary>;
 };
 
+// A single trace event for the streaming export path (the "Download trace"
+// feature). Deliberately flat and self-contained: it carries its own parent ref
+// so hierarchy is reconstructable downstream without ever building a tree. Used
+// by `streamTraceEvents`, which yields these one at a time so an arbitrarily
+// large trace is never fully resident in memory.
+export type StreamedTraceEvent = {
+  spanId: string;
+  parentSpanId: string;
+  startTime: Date;
+  durationNs: number;
+  level: string;
+  message: string;
+  isError: boolean;
+  // Span attributes/properties as a raw JSON string, emitted verbatim (the
+  // ClickHouse store already materialises it as text — no per-row parse).
+  propertiesText: string;
+};
+
 export type TraceDetailedSummary = {
   traceId: string;
   rootSpan: SpanDetailedSummary;
@@ -345,8 +364,9 @@ export type TraceDetailedSummary = {
 export interface IEventRepository {
   maximumLiveReloadingSetting: number;
   // Event insertion methods
-  insertMany(events: CreateEventInput[]): Promise<void>;
+  insertMany(events: CreateEventInput[]): void;
   insertManyImmediate(events: CreateEventInput[]): Promise<void>;
+  insertManyMetrics(rows: MetricsV1Input[]): void;
 
   // Run event completion methods
   completeSuccessfulRunEvent(params: { run: CompleteableTaskRun; endTime?: Date }): Promise<void>;
@@ -405,6 +425,18 @@ export interface IEventRepository {
     options?: { includeDebugLogs?: boolean }
   ): Promise<TraceDetailedSummary | undefined>;
 
+  // Streams a trace's events in start_time order, one at a time, without ever
+  // materialising the full result set or a tree. Powers the streaming trace
+  // export so arbitrarily large traces download with bounded memory.
+  streamTraceEvents(
+    storeTable: TaskEventStoreTable,
+    environmentId: string,
+    traceId: string,
+    startCreatedAt: Date,
+    endCreatedAt?: Date,
+    options?: { includeDebugLogs?: boolean }
+  ): AsyncIterable<StreamedTraceEvent>;
+
   getRunEvents(
     storeTable: TaskEventStoreTable,
     environmentId: string,
diff --git a/apps/webapp/app/v3/eventRepository/index.server.ts b/apps/webapp/app/v3/eventRepository/index.server.ts
index 70ea6440321..4be392535c3 100644
--- a/apps/webapp/app/v3/eventRepository/index.server.ts
+++ b/apps/webapp/app/v3/eventRepository/index.server.ts
@@ -1,29 +1,12 @@
 import { env } from "~/env.server";
 import { eventRepository } from "./eventRepository.server";
-import {
-  clickhouseEventRepository,
-  clickhouseEventRepositoryV2,
-} from "./clickhouseEventRepositoryInstance.server";
-import { IEventRepository, TraceEventOptions } from "./eventRepository.types";
+import { type IEventRepository, type TraceEventOptions } from "./eventRepository.types";
 import { prisma } from "~/db.server";
 import { logger } from "~/services/logger.server";
 import { FEATURE_FLAG } from "../featureFlags";
 import { flag } from "../featureFlags.server";
 import { getTaskEventStore } from "../taskEventStore.server";
-
-export function resolveEventRepositoryForStore(store: string | undefined): IEventRepository {
-  const taskEventStore = store ?? env.EVENT_REPOSITORY_DEFAULT_STORE;
-
-  if (taskEventStore === "clickhouse_v2") {
-    return clickhouseEventRepositoryV2;
-  }
-
-  if (taskEventStore === "clickhouse") {
-    return clickhouseEventRepository;
-  }
-
-  return eventRepository;
-}
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 
 export const EVENT_STORE_TYPES = {
   POSTGRES: "postgres",
@@ -33,6 +16,50 @@ export const EVENT_STORE_TYPES = {
 
 export type EventStoreType = (typeof EVENT_STORE_TYPES)[keyof typeof EVENT_STORE_TYPES];
 
+/**
+ * Resolve the event repository for a run's persisted `taskEventStore` value and org.
+ * Postgres-backed runs use the Prisma `eventRepository`; ClickHouse-backed runs use
+ * `clickhouseFactory.getEventRepositoryForOrganizationSync`.
+ *
+ * Intentionally NOT exported. Sync resolution can race the org data-stores
+ * registry load and silently route writes to the default ClickHouse instead of
+ * the org's configured override. Hot paths that genuinely cannot afford to await
+ * (OTEL exporter, replication services) call `clickhouseFactory.getEvent…Sync`
+ * directly and gate startup on `clickhouseFactory.isReady()`. Everything else
+ * should use {@link getEventRepositoryForStore}, the async variant below.
+ */
+function resolveEventRepositoryForStore(
+  store: string,
+  organizationId: string
+): IEventRepository {
+  if (store === EVENT_STORE_TYPES.CLICKHOUSE || store === EVENT_STORE_TYPES.CLICKHOUSE_V2) {
+    return clickhouseFactory.getEventRepositoryForOrganizationSync(store, organizationId)
+      .repository;
+  }
+  return eventRepository;
+}
+
+/**
+ * Async variant of {@link resolveEventRepositoryForStore}. Awaits the factory's
+ * registry readiness before returning the ClickHouse event repository; for
+ * non-ClickHouse stores (e.g. the "taskEvent" DB default for Postgres-backed
+ * runs) it returns the Prisma event repository without ever touching the
+ * factory — so the factory never needs to know about Postgres.
+ */
+export async function getEventRepositoryForStore(
+  store: string,
+  organizationId: string
+): Promise<IEventRepository> {
+  if (store !== EVENT_STORE_TYPES.CLICKHOUSE && store !== EVENT_STORE_TYPES.CLICKHOUSE_V2) {
+    return eventRepository;
+  }
+  const { repository } = await clickhouseFactory.getEventRepositoryForOrganization(
+    store,
+    organizationId
+  );
+  return repository;
+}
+
 export async function getConfiguredEventRepository(
   organizationId: string
 ): Promise<{ repository: IEventRepository; store: EventStoreType }> {
@@ -59,62 +86,79 @@ export async function getConfiguredEventRepository(
   );
 
   if (taskEventStore === EVENT_STORE_TYPES.CLICKHOUSE_V2) {
-    return { repository: clickhouseEventRepositoryV2, store: EVENT_STORE_TYPES.CLICKHOUSE_V2 };
+    const { repository: resolvedRepository } =
+      await clickhouseFactory.getEventRepositoryForOrganization(taskEventStore, organizationId);
+    return { repository: resolvedRepository, store: EVENT_STORE_TYPES.CLICKHOUSE_V2 };
   }
 
   if (taskEventStore === EVENT_STORE_TYPES.CLICKHOUSE) {
-    return { repository: clickhouseEventRepository, store: EVENT_STORE_TYPES.CLICKHOUSE };
+    const { repository: resolvedRepository } =
+      await clickhouseFactory.getEventRepositoryForOrganization(taskEventStore, organizationId);
+    return { repository: resolvedRepository, store: EVENT_STORE_TYPES.CLICKHOUSE };
   }
 
   return { repository: eventRepository, store: EVENT_STORE_TYPES.POSTGRES };
 }
 
 export async function getEventRepository(
+  organizationId: string,
   featureFlags: Record<string, unknown> | undefined,
   parentStore: string | undefined
 ): Promise<{ repository: IEventRepository; store: string }> {
-  if (typeof parentStore === "string") {
-    if (parentStore === "clickhouse_v2") {
-      return { repository: clickhouseEventRepositoryV2, store: "clickhouse_v2" };
-    }
-    if (parentStore === "clickhouse") {
-      return { repository: clickhouseEventRepository, store: "clickhouse" };
-    } else {
-      return { repository: eventRepository, store: getTaskEventStore() };
-    }
+  const taskEventStore = parentStore ?? (await resolveTaskEventRepositoryFlag(featureFlags));
+
+  // Non-ClickHouse stores (e.g. the "taskEvent" DB default for Postgres-backed
+  // runs, or the legacy "postgres" value) resolve to the Prisma event repo.
+  if (
+    taskEventStore !== EVENT_STORE_TYPES.CLICKHOUSE &&
+    taskEventStore !== EVENT_STORE_TYPES.CLICKHOUSE_V2
+  ) {
+    return { repository: eventRepository, store: getTaskEventStore() };
   }
 
-  const taskEventRepository = await resolveTaskEventRepositoryFlag(featureFlags);
-
-  if (taskEventRepository === "clickhouse_v2") {
-    return { repository: clickhouseEventRepositoryV2, store: "clickhouse_v2" };
-  }
+  const { repository: resolvedRepository } =
+    await clickhouseFactory.getEventRepositoryForOrganization(taskEventStore, organizationId);
 
-  if (taskEventRepository === "clickhouse") {
-    return { repository: clickhouseEventRepository, store: "clickhouse" };
+  switch (taskEventStore) {
+    case EVENT_STORE_TYPES.CLICKHOUSE_V2: {
+      return { repository: resolvedRepository, store: EVENT_STORE_TYPES.CLICKHOUSE_V2 };
+    }
+    case EVENT_STORE_TYPES.CLICKHOUSE: {
+      return { repository: resolvedRepository, store: EVENT_STORE_TYPES.CLICKHOUSE };
+    }
+    default: {
+      return { repository: eventRepository, store: getTaskEventStore() };
+    }
   }
-
-  return { repository: eventRepository, store: getTaskEventStore() };
 }
 
 export async function getV3EventRepository(
+  organizationId: string,
   parentStore: string | undefined
 ): Promise<{ repository: IEventRepository; store: string }> {
   if (typeof parentStore === "string") {
-    if (parentStore === "clickhouse_v2") {
-      return { repository: clickhouseEventRepositoryV2, store: "clickhouse_v2" };
-    }
-    if (parentStore === "clickhouse") {
-      return { repository: clickhouseEventRepository, store: "clickhouse" };
-    } else {
-      return { repository: eventRepository, store: getTaskEventStore() };
+    // Support legacy Postgres store for self-hosters and runs persisted with a
+    // non-ClickHouse store — fall back to the Prisma-based event repository.
+    if (
+      parentStore !== EVENT_STORE_TYPES.CLICKHOUSE &&
+      parentStore !== EVENT_STORE_TYPES.CLICKHOUSE_V2
+    ) {
+      return { repository: eventRepository, store: parentStore };
     }
+
+    const { repository: resolvedRepository } =
+      await clickhouseFactory.getEventRepositoryForOrganization(parentStore, organizationId);
+    return { repository: resolvedRepository, store: parentStore };
   }
 
   if (env.EVENT_REPOSITORY_DEFAULT_STORE === "clickhouse_v2") {
-    return { repository: clickhouseEventRepositoryV2, store: "clickhouse_v2" };
+    const { repository: resolvedRepository } =
+      await clickhouseFactory.getEventRepositoryForOrganization("clickhouse_v2", organizationId);
+    return { repository: resolvedRepository, store: "clickhouse_v2" };
   } else if (env.EVENT_REPOSITORY_DEFAULT_STORE === "clickhouse") {
-    return { repository: clickhouseEventRepository, store: "clickhouse" };
+    const { repository: resolvedRepository } =
+      await clickhouseFactory.getEventRepositoryForOrganization("clickhouse", organizationId);
+    return { repository: resolvedRepository, store: "clickhouse" };
   } else {
     return { repository: eventRepository, store: getTaskEventStore() };
   }
@@ -203,7 +247,10 @@ async function recordRunEvent(
       };
     }
 
-    const $eventRepository = resolveEventRepositoryForStore(foundRun.taskEventStore);
+    const $eventRepository = await getEventRepositoryForStore(
+      foundRun.taskEventStore,
+      foundRun.runtimeEnvironment.organizationId
+    );
 
     const { attributes, startTime, ...optionsRest } = options;
 
diff --git a/apps/webapp/app/v3/eventRepository/sanitizeRowsOnParseError.server.ts b/apps/webapp/app/v3/eventRepository/sanitizeRowsOnParseError.server.ts
new file mode 100644
index 00000000000..0374442200a
--- /dev/null
+++ b/apps/webapp/app/v3/eventRepository/sanitizeRowsOnParseError.server.ts
@@ -0,0 +1,164 @@
+import { detectBadJsonStrings } from "~/utils/detectBadJsonStrings";
+
+/**
+ * Replacement string we substitute for any attribute value that contains
+ * a lone UTF-16 surrogate. JSON-safe, distinctly recognisable in logs and
+ * the dashboard so operators can spot affected rows.
+ */
+export const INVALID_UTF16_SENTINEL = "[invalid-utf16]";
+
+/**
+ * ClickHouse's `JSON(max_dynamic_paths)` column fits each bare-integer
+ * JSON token into Int64 (signed) or UInt64 (unsigned). Bare integers
+ * outside `[-2^63, 2^64 - 1]` are rejected with `INCORRECT_DATA` (no
+ * silent fallback to Float64). `JSON.stringify` emits any integer-valued
+ * Number with `|value| < 1e21` as a bare integer (no exponent), so any
+ * JS Number above ~9.2e18 that *happens* to be integer-valued lands on
+ * the wire as a token CH cannot accept.
+ *
+ * The fix: replace such Numbers with their string form. CH's dynamic
+ * JSON column accepts a `String` subtype on the same path, so the row
+ * inserts cleanly on retry. The numeric value was already
+ * precision-lossy upstream (JS Number can't represent integers above
+ * 2^53 faithfully), so type-flipping to string is information-preserving
+ * relative to what arrived.
+ *
+ * Float-valued numbers (including very large ones like `1e25`) serialise
+ * with an exponent and are accepted by CH at any magnitude, so they're
+ * left alone.
+ */
+const UINT64_MAX = 18446744073709551615n;
+const INT64_MIN = -9223372036854775808n;
+
+function isUnsafeJsonInteger(value: number): boolean {
+  if (!Number.isFinite(value)) return false;
+  if (!Number.isInteger(value)) return false;
+  // JSON.stringify emits integer-valued Numbers as bare integer tokens
+  // (no exponent) only while `|value| < 1e21`; at or above that
+  // threshold `Number.prototype.toString` switches to exponential form,
+  // which CH accepts as Float64 at any magnitude. So the dangerous band
+  // is strictly between the Int64/UInt64 boundary and 1e21.
+  if (Math.abs(value) >= 1e21) return false;
+  // Compare via BigInt for exactness. The Number literal 18446744073709551615
+  // is rounded to 2**64 in float64 (the float spacing near 2^64 is 2048), so a
+  // direct `value > 18446744073709551615` would miss a Number whose float64
+  // value is exactly 2**64 — `JSON.stringify` of that emits
+  // "18446744073709552000", which exceeds UInt64.MAX and ClickHouse rejects.
+  // `BigInt(value)` is safe here because we already gated on Number.isInteger.
+  const asBigInt = BigInt(value);
+  return asBigInt > UINT64_MAX || asBigInt < INT64_MIN;
+}
+
+export type SanitizeResult = {
+  /** How many rows had at least one string field replaced. */
+  rowsTouched: number;
+  /** Total count of string fields replaced across all sanitized rows. */
+  fieldsSanitized: number;
+};
+
+/**
+ * Recognises ClickHouse's "Cannot parse JSON object" rejection — the
+ * deterministic-failure class our sanitizer is designed for. Bubbles up
+ * from `@clickhouse/client` as an `InsertError` whose `.message` retains
+ * the original ClickHouse error text.
+ */
+export function isClickHouseJsonParseError(err: unknown): boolean {
+  if (!err) return false;
+  const message =
+    typeof err === "object" && err !== null && "message" in err
+      ? String((err as { message?: unknown }).message ?? "")
+      : String(err);
+  return message.includes("Cannot parse JSON object");
+}
+
+/**
+ * Extracts the row index ClickHouse reported as the first to fail
+ * (`(at row N)`). Returns `null` if the message doesn't include one —
+ * caller should treat that as "sanitize from row 0".
+ */
+export function parseRowNumberFromError(errorMessage: string): number | null {
+  const match = errorMessage.match(/at row (\d+)/);
+  return match ? Number.parseInt(match[1], 10) : null;
+}
+
+/**
+ * Walks `value` recursively and replaces any string leaf that contains a
+ * lone UTF-16 surrogate with `INVALID_UTF16_SENTINEL`. Mutates objects
+ * and arrays in place; primitives are returned unchanged.
+ *
+ * Caller passes anything: a row object, a single field, an unknown JSON
+ * payload. The walker doesn't depend on the row's schema — it sanitizes
+ * every string in the structure, which is exactly what ClickHouse cares
+ * about when parsing the row's JSON form.
+ */
+export function sanitizeUnknownInPlace(value: unknown): { value: unknown; fixed: number } {
+  if (typeof value === "string") {
+    // `detectBadJsonStrings` works on JSON-escaped text — feed it the
+    // serialized form so any lone UTF-16 surrogate in the JS string is
+    // emitted as a `\uXXXX` escape it can spot. Valid surrogate pairs
+    // (e.g. emoji) are emitted as raw characters by JSON.stringify and
+    // exit at the function's fast path.
+    if (detectBadJsonStrings(JSON.stringify(value))) {
+      return { value: INVALID_UTF16_SENTINEL, fixed: 1 };
+    }
+    return { value, fixed: 0 };
+  }
+
+  if (typeof value === "number" && isUnsafeJsonInteger(value)) {
+    return { value: String(value), fixed: 1 };
+  }
+
+  if (Array.isArray(value)) {
+    let fixed = 0;
+    for (let i = 0; i < value.length; i++) {
+      const result = sanitizeUnknownInPlace(value[i]);
+      value[i] = result.value;
+      fixed += result.fixed;
+    }
+    return { value, fixed };
+  }
+
+  if (value !== null && typeof value === "object") {
+    let fixed = 0;
+    const obj = value as Record<string, unknown>;
+    for (const k of Object.keys(obj)) {
+      const result = sanitizeUnknownInPlace(obj[k]);
+      obj[k] = result.value;
+      fixed += result.fixed;
+    }
+    return { value, fixed };
+  }
+
+  return { value, fixed: 0 };
+}
+
+/**
+ * Sanitizes every row in `rows`, mutating each in place so callers can
+ * hand the same array to the retry insert.
+ *
+ * Rationale for scanning the whole batch (instead of starting from the
+ * row index ClickHouse reports): `at row N` semantics under
+ * `input_format_parallel_parsing` aren't well-defined — N can be
+ * chunk-relative rather than batch-global, and 0-vs-1 indexing differs
+ * between formats. Whole-batch scanning is robust to those quirks and
+ * also catches multiple bad rows in one pass (so a single retry covers
+ * the entire failure even if more than one row is poisoned).
+ *
+ * The cost is bounded: this only runs on the rare ClickHouse-rejection
+ * path, and `detectBadJsonStrings` exits in O(1) for clean strings
+ * (the fast `indexOf("\\u")` check), so healthy attributes are effectively
+ * free even when included in the walk.
+ */
+export function sanitizeRows<T extends object>(rows: T[]): SanitizeResult {
+  const result: SanitizeResult = { rowsTouched: 0, fieldsSanitized: 0 };
+
+  for (let i = 0; i < rows.length; i++) {
+    const { fixed } = sanitizeUnknownInPlace(rows[i]);
+    if (fixed > 0) {
+      result.rowsTouched++;
+      result.fieldsSanitized += fixed;
+    }
+  }
+
+  return result;
+}
diff --git a/apps/webapp/app/v3/eventRepository/traceExport.server.ts b/apps/webapp/app/v3/eventRepository/traceExport.server.ts
new file mode 100644
index 00000000000..d1e9f5b6f0c
--- /dev/null
+++ b/apps/webapp/app/v3/eventRepository/traceExport.server.ts
@@ -0,0 +1,205 @@
+import { formatDurationNanoseconds } from "@trigger.dev/core/v3/utils/durations";
+import type { StreamedTraceEvent } from "./eventRepository.types";
+
+// Lines are batched into ~64KB chunks before being yielded to the gzip stream:
+// per-line chunks make `Readable.from` ~10x slower, while chunks this size keep
+// the pipe fed yet stay small enough to release the event loop frequently.
+const DEFAULT_FLUSH_BYTES = 64 * 1024;
+
+export type TraceExportContext = {
+  runFriendlyId: string;
+  traceId: string;
+  taskIdentifier?: string;
+  /** Absolute dashboard URL for the run (used by formats that link out). */
+  runUrl?: string;
+};
+
+/**
+ * A trace export format. `formatEvent` renders one {@link StreamedTraceEvent} to
+ * a string; `header`/`footer` bookend the stream. Formats are intentionally
+ * stateless across events so the export stays O(1) memory — see
+ * {@link streamTraceExport}.
+ */
+export type TraceExportFormat = {
+  name: TraceExportFormatName;
+  extension: string;
+  header?: (ctx: TraceExportContext) => string;
+  formatEvent: (event: StreamedTraceEvent, ctx: TraceExportContext) => string;
+  footer?: (ctx: TraceExportContext) => string;
+};
+
+export type TraceExportFormatName = "log" | "jsonl" | "markdown";
+
+/**
+ * Streams a trace export by piping events through a {@link TraceExportFormat}.
+ * Batches output into ~`flushBytes` chunks and releases the event loop between
+ * flushes; holds nothing across events but the buffer, so an arbitrarily large
+ * trace exports in bounded memory regardless of format.
+ */
+export async function* streamTraceExport(
+  events: AsyncIterable<StreamedTraceEvent>,
+  format: TraceExportFormat,
+  ctx: TraceExportContext,
+  options: { flushBytes?: number } = {}
+): AsyncGenerator<string> {
+  const flushBytes = options.flushBytes ?? DEFAULT_FLUSH_BYTES;
+
+  let buffer = format.header ? format.header(ctx) : "";
+
+  for await (const event of events) {
+    buffer += format.formatEvent(event, ctx);
+    if (buffer.length >= flushBytes) {
+      yield buffer;
+      buffer = "";
+      await new Promise<void>((resolve) => setImmediate(resolve));
+    }
+  }
+
+  if (format.footer) {
+    buffer += format.footer(ctx);
+  }
+
+  if (buffer.length > 0) {
+    yield buffer;
+  }
+}
+
+function hasProperties(propertiesText: string): boolean {
+  const trimmed = propertiesText.trim();
+  return trimmed.length > 0 && trimmed !== "{}";
+}
+
+// For error events, pull the error message out of the properties so formats can
+// surface it inline instead of burying it in the JSON blob. Only parses when the
+// event is actually an error (rare), so the common path stays parse-free. Handles
+// both trigger.dev's `error.*` shape and OTel's `exception.*` shape; the full
+// object (incl. stacktrace) still rides along in the properties.
+function errorMessage(event: StreamedTraceEvent): string | undefined {
+  if (!event.isError || !hasProperties(event.propertiesText)) return undefined;
+  try {
+    const props = JSON.parse(event.propertiesText) as {
+      error?: { message?: unknown };
+      exception?: { message?: unknown };
+    };
+    const message = props.error?.message ?? props.exception?.message;
+    return typeof message === "string" && message.length > 0
+      ? message.replace(/\s+/g, " ").trim()
+      : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+function lineage(event: StreamedTraceEvent): string {
+  return event.parentSpanId ? `${event.spanId} ← ${event.parentSpanId}` : event.spanId;
+}
+
+// ---------------------------------------------------------------------------
+// log — flat, chronological, grep-friendly. One line per event (+ a props line).
+// ---------------------------------------------------------------------------
+const logFormat: TraceExportFormat = {
+  name: "log",
+  extension: "txt",
+  formatEvent(event) {
+    const time = event.startTime.toISOString();
+    const level = event.level.padEnd(5);
+    const errMsg = errorMessage(event);
+    const status = event.isError ? (errMsg ? ` [ERROR: ${errMsg}]` : " [ERROR]") : "";
+    const duration = event.durationNs > 0 ? ` (${formatDurationNanoseconds(event.durationNs)})` : "";
+
+    let out = `${time} ${level} [${lineage(event)}] ${event.message}${status}${duration}\n`;
+    if (hasProperties(event.propertiesText)) {
+      out += `    props: ${event.propertiesText.trim()}\n`;
+    }
+    return out;
+  },
+};
+
+// ---------------------------------------------------------------------------
+// jsonl — one JSON object per line, properties inlined as a nested object.
+// ---------------------------------------------------------------------------
+const jsonlFormat: TraceExportFormat = {
+  name: "jsonl",
+  extension: "jsonl",
+  formatEvent(event) {
+    let properties: unknown = undefined;
+    if (hasProperties(event.propertiesText)) {
+      try {
+        properties = JSON.parse(event.propertiesText);
+      } catch {
+        properties = event.propertiesText;
+      }
+    }
+
+    return (
+      JSON.stringify({
+        time: event.startTime.toISOString(),
+        level: event.level,
+        spanId: event.spanId,
+        parentSpanId: event.parentSpanId || undefined,
+        message: event.message,
+        durationNs: event.durationNs,
+        isError: event.isError || undefined,
+        errorMessage: errorMessage(event),
+        properties,
+      }) + "\n"
+    );
+  },
+};
+
+// ---------------------------------------------------------------------------
+// markdown — AI-friendly: YAML frontmatter (ids, task, dashboard URL) + a
+// scannable table, one row per event. Properties stay (inline code) so the
+// export isn't lossy; a column-friendly cell escaper keeps the table intact.
+// ---------------------------------------------------------------------------
+function mdCell(value: string): string {
+  // Pipes and newlines would break the table row; escape/flatten them. (GFM
+  // treats `\|` inside a table cell — including code spans — as a literal pipe.)
+  return value.replace(/\\/g, "\\\\").replace(/\|/g, "\\|").replace(/\r?\n/g, " ");
+}
+
+const markdownFormat: TraceExportFormat = {
+  name: "markdown",
+  extension: "md",
+  header(ctx) {
+    const lines = ["---", `run: ${ctx.runFriendlyId}`, `trace: ${ctx.traceId}`];
+    if (ctx.taskIdentifier) lines.push(`task: ${ctx.taskIdentifier}`);
+    if (ctx.runUrl) lines.push(`url: ${ctx.runUrl}`);
+    lines.push("---", "", `# Trace for ${ctx.runFriendlyId}`, "");
+    if (ctx.runUrl) {
+      lines.push(`[View in dashboard](${ctx.runUrl})`, "");
+    }
+    lines.push(
+      "| time | level | event | duration | span ← parent | properties |",
+      "| --- | --- | --- | --- | --- | --- |"
+    );
+    return lines.join("\n") + "\n";
+  },
+  formatEvent(event) {
+    const time = event.startTime.toISOString();
+    const level = event.isError ? `${event.level} ❌` : event.level;
+    const duration = event.durationNs > 0 ? formatDurationNanoseconds(event.durationNs) : "—";
+    const lineage = event.parentSpanId ? `${event.spanId} ← ${event.parentSpanId}` : event.spanId;
+    const errMsg = errorMessage(event);
+    const eventCell = errMsg ? `${event.message} — ${errMsg}` : event.message;
+    const properties = hasProperties(event.propertiesText)
+      ? "`" + mdCell(event.propertiesText.trim()) + "`"
+      : "—";
+
+    return `| ${time} | ${level} | ${mdCell(eventCell)} | ${duration} | \`${lineage}\` | ${properties} |\n`;
+  },
+};
+
+const FORMATS: Record<TraceExportFormatName, TraceExportFormat> = {
+  log: logFormat,
+  jsonl: jsonlFormat,
+  markdown: markdownFormat,
+};
+
+/** Resolve a `?format=` value to a format, defaulting to `log`. */
+export function getTraceExportFormat(name: string | null | undefined): TraceExportFormat {
+  if (name && Object.prototype.hasOwnProperty.call(FORMATS, name)) {
+    return FORMATS[name as TraceExportFormatName];
+  }
+  return logFormat;
+}
diff --git a/apps/webapp/app/v3/featureFlags.ts b/apps/webapp/app/v3/featureFlags.ts
index b40a83c3a35..3066f2dda01 100644
--- a/apps/webapp/app/v3/featureFlags.ts
+++ b/apps/webapp/app/v3/featureFlags.ts
@@ -8,6 +8,9 @@ export const FEATURE_FLAG = {
   hasAiAccess: "hasAiAccess",
   hasComputeAccess: "hasComputeAccess",
   hasPrivateConnections: "hasPrivateConnections",
+  mollifierEnabled: "mollifierEnabled",
+  workerQueueScheduledSplitEnabled: "workerQueueScheduledSplitEnabled",
+  realtimeBackend: "realtimeBackend",
 } as const;
 
 export const FeatureFlagCatalog = {
@@ -18,6 +21,12 @@ export const FeatureFlagCatalog = {
   [FEATURE_FLAG.hasAiAccess]: z.coerce.boolean(),
   [FEATURE_FLAG.hasComputeAccess]: z.coerce.boolean(),
   [FEATURE_FLAG.hasPrivateConnections]: z.coerce.boolean(),
+  [FEATURE_FLAG.mollifierEnabled]: z.coerce.boolean(),
+  [FEATURE_FLAG.workerQueueScheduledSplitEnabled]: z.coerce.boolean(),
+  // Which backend serves the realtime run feed. Controllable
+  // globally and per-org (org wins). Defaults to "electric" when unset.
+  // "shadow" serves Electric but diffs the native path in the background.
+  [FEATURE_FLAG.realtimeBackend]: z.enum(["electric", "native", "shadow"]),
 };
 
 export type FeatureFlagKey = keyof typeof FeatureFlagCatalog;
diff --git a/apps/webapp/app/v3/getDeploymentImageRef.server.ts b/apps/webapp/app/v3/getDeploymentImageRef.server.ts
index 70e6023891b..d6531b8384b 100644
--- a/apps/webapp/app/v3/getDeploymentImageRef.server.ts
+++ b/apps/webapp/app/v3/getDeploymentImageRef.server.ts
@@ -8,6 +8,7 @@ import {
   GetAuthorizationTokenCommand,
   PutLifecyclePolicyCommand,
   PutImageTagMutabilityCommand,
+  SetRepositoryPolicyCommand,
 } from "@aws-sdk/client-ecr";
 import { STSClient, AssumeRoleCommand } from "@aws-sdk/client-sts";
 import { tryCatch } from "@trigger.dev/core";
@@ -138,6 +139,7 @@ export async function getDeploymentImageRef({
         roleArn: registry.ecrAssumeRoleArn,
         externalId: registry.ecrAssumeRoleExternalId,
       },
+      defaultRepositoryPolicy: registry.ecrDefaultRepositoryPolicy,
     })
   );
 
@@ -219,12 +221,14 @@ async function createEcrRepository({
   accountId,
   registryTags,
   assumeRole,
+  defaultRepositoryPolicy,
 }: {
   repositoryName: string;
   region: string;
   accountId?: string;
   registryTags?: string;
   assumeRole?: AssumeRoleConfig;
+  defaultRepositoryPolicy?: string;
 }): Promise<Repository> {
   const ecr = await createEcrClient({ region, assumeRole });
 
@@ -262,9 +266,50 @@ async function createEcrRepository({
     })
   );
 
+  // Apply an operator-provided IAM policy to the new repository. Useful for
+  // self-hosters whose ECR account is separate from the account running the
+  // EKS workers — without this the workers get 403 Forbidden when pulling the
+  // task image (default ECR policy only grants access to the registry owner).
+  // The existing-repo branch of `ensureEcrRepositoryExists` reconciles this
+  // same policy on every call, so a partial-create that fails here is
+  // self-healing on the next deploy.
+  if (defaultRepositoryPolicy) {
+    await applyEcrRepositoryPolicy({
+      repositoryName: result.repository.repositoryName!,
+      region,
+      accountId: result.repository.registryId ?? accountId,
+      assumeRole,
+      defaultRepositoryPolicy,
+    });
+  }
+
   return result.repository;
 }
 
+async function applyEcrRepositoryPolicy({
+  repositoryName,
+  region,
+  accountId,
+  assumeRole,
+  defaultRepositoryPolicy,
+}: {
+  repositoryName: string;
+  region: string;
+  accountId?: string;
+  assumeRole?: AssumeRoleConfig;
+  defaultRepositoryPolicy: string;
+}): Promise<void> {
+  const ecr = await createEcrClient({ region, assumeRole });
+
+  await ecr.send(
+    new SetRepositoryPolicyCommand({
+      repositoryName,
+      registryId: accountId,
+      policyText: defaultRepositoryPolicy,
+    })
+  );
+}
+
 async function updateEcrRepositoryCacheSettings({
   repositoryName,
   region,
@@ -386,11 +431,13 @@ async function ensureEcrRepositoryExists({
   registryHost,
   registryTags,
   assumeRole,
+  defaultRepositoryPolicy,
 }: {
   repositoryName: string;
   registryHost: string;
   registryTags?: string;
   assumeRole?: AssumeRoleConfig;
+  defaultRepositoryPolicy?: string;
 }): Promise<{ repo: Repository; repoCreated: boolean }> {
   const { region, accountId } = parseEcrRegistryDomain(registryHost);
 
@@ -421,6 +468,31 @@ async function ensureEcrRepositoryExists({
       }
     }
 
+    // Reconcile the default repository policy on every call. Idempotent, and
+    // covers two recovery cases: (1) a previous create succeeded but the
+    // SetRepositoryPolicy call failed mid-flight, leaving the repo without a
+    // policy; (2) the operator updated DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY
+    // and existing repos need to pick up the new value.
+    if (defaultRepositoryPolicy) {
+      const [policyError] = await tryCatch(
+        applyEcrRepositoryPolicy({
+          repositoryName,
+          region,
+          accountId,
+          assumeRole,
+          defaultRepositoryPolicy,
+        })
+      );
+
+      if (policyError) {
+        logger.error("Failed to reconcile ECR repository policy on existing repo", {
+          repositoryName,
+          region,
+          policyError,
+        });
+      }
+    }
+
     return {
       repo: existingRepo,
       repoCreated: false,
@@ -428,7 +500,14 @@ async function ensureEcrRepositoryExists({
   }
 
   const [createRepoError, newRepo] = await tryCatch(
-    createEcrRepository({ repositoryName, region, accountId, registryTags, assumeRole })
+    createEcrRepository({
+      repositoryName,
+      region,
+      accountId,
+      registryTags,
+      assumeRole,
+      defaultRepositoryPolicy,
+    })
   );
 
   if (createRepoError) {
diff --git a/apps/webapp/app/v3/gitBranch.ts b/apps/webapp/app/v3/gitBranch.ts
deleted file mode 100644
index 06c76f06241..00000000000
--- a/apps/webapp/app/v3/gitBranch.ts
+++ /dev/null
@@ -1,44 +0,0 @@
-export function isValidGitBranchName(branch: string): boolean {
-  // Must not be empty
-  if (!branch) return false;
-
-  // Disallowed characters: space, ~, ^, :, ?, *, [, \
-  if (/[ \~\^:\?\*\[\\]/.test(branch)) return false;
-
-  // Disallow ASCII control characters (0-31) and DEL (127)
-  for (let i = 0; i < branch.length; i++) {
-    const code = branch.charCodeAt(i);
-    if ((code >= 0 && code <= 31) || code === 127) return false;
-  }
-
-  // Cannot start or end with a slash
-  if (branch.startsWith("/") || branch.endsWith("/")) return false;
-
-  // Cannot have consecutive slashes
-  if (branch.includes("//")) return false;
-
-  // Cannot contain '..'
-  if (branch.includes("..")) return false;
-
-  // Cannot contain '@{'
-  if (branch.includes("@{")) return false;
-
-  // Cannot end with '.lock'
-  if (branch.endsWith(".lock")) return false;
-
-  return true;
-}
-
-export function sanitizeBranchName(ref: string | undefined): string | null {
-  if (!ref) return null;
-  if (ref.startsWith("refs/heads/")) return ref.substring("refs/heads/".length);
-  if (ref.startsWith("refs/remotes/")) return ref.substring("refs/remotes/".length);
-  if (ref.startsWith("refs/tags/")) return ref.substring("refs/tags/".length);
-  if (ref.startsWith("refs/pull/")) return ref.substring("refs/pull/".length);
-  if (ref.startsWith("refs/merge/")) return ref.substring("refs/merge/".length);
-  if (ref.startsWith("refs/release/")) return ref.substring("refs/release/".length);
-  //unknown ref format, so reject
-  if (ref.startsWith("refs/")) return null;
-
-  return ref;
-}
diff --git a/apps/webapp/app/v3/handleSocketIo.server.ts b/apps/webapp/app/v3/handleSocketIo.server.ts
index fbc50428407..aec9ded6f49 100644
--- a/apps/webapp/app/v3/handleSocketIo.server.ts
+++ b/apps/webapp/app/v3/handleSocketIo.server.ts
@@ -15,6 +15,7 @@ import type {
   WorkerServerToClientEvents,
 } from "@trigger.dev/core/v3/workers";
 import { ZodNamespace } from "@trigger.dev/core/v3/zodNamespace";
+import { defaultReconnectOnError } from "@internal/redis";
 import { Redis } from "ioredis";
 import { Namespace, Server, Socket } from "socket.io";
 import { env } from "~/env.server";
@@ -93,6 +94,7 @@ function initializeSocketIOServerInstance() {
       username: env.REDIS_USERNAME,
       password: env.REDIS_PASSWORD,
       enableAutoPipelining: true,
+      reconnectOnError: defaultReconnectOnError,
       ...(env.REDIS_TLS_DISABLED === "true" ? {} : { tls: {} }),
     });
     const subClient = pubClient.duplicate();
@@ -489,7 +491,10 @@ function createWorkerNamespace({
 
       next();
     } catch (error) {
-      logger.error("Worker authentication failed", {
+      // System handles auth failure by disconnecting the socket — not an
+      // error. Most volume is V1 /dev-worker reconnect churn from outdated
+      // CLIs anyway.
+      logger.warn("Worker authentication failed", {
         namespace,
         error: error instanceof Error ? error.message : error,
       });
diff --git a/apps/webapp/app/v3/llmPricingRegistry.server.ts b/apps/webapp/app/v3/llmPricingRegistry.server.ts
index 2212c41779d..eb186e15213 100644
--- a/apps/webapp/app/v3/llmPricingRegistry.server.ts
+++ b/apps/webapp/app/v3/llmPricingRegistry.server.ts
@@ -1,7 +1,9 @@
 import { ModelPricingRegistry, seedLlmPricing } from "@internal/llm-model-catalog";
 import { prisma, $replica } from "~/db.server";
 import { env } from "~/env.server";
+import { logger } from "~/services/logger.server";
 import { signalsEmitter } from "~/services/signals.server";
+import { createRedisClient } from "~/redis.server";
 import { singleton } from "~/utils/singleton";
 import { setLlmPricingRegistry } from "./utils/enrichCreatableEvents.server";
 
@@ -27,7 +29,7 @@ export const llmPricingRegistry = singleton("llmPricingRegistry", () => {
     console.error("Failed to initialize LLM pricing registry", err);
   });
 
-  // Periodic reload
+  // Periodic reload (backstop for the pub/sub path below)
   const reloadInterval = env.LLM_PRICING_RELOAD_INTERVAL_MS;
   const interval = setInterval(() => {
     registry.reload().catch((err) => {
@@ -35,12 +37,69 @@ export const llmPricingRegistry = singleton("llmPricingRegistry", () => {
     });
   }, reloadInterval);
 
-  signalsEmitter.on("SIGTERM", () => {
-    clearInterval(interval);
-  });
-  signalsEmitter.on("SIGINT", () => {
-    clearInterval(interval);
-  });
+  // Pub/sub reload is opt-in per process (default off). Without it, the
+  // registry stays accurate via the existing 5-minute interval. Enable on
+  // the OTel-ingesting services where pricing freshness directly affects
+  // span cost enrichment; dashboard and worker services don't need it and
+  // shouldn't pile onto each publish with a full-table reload.
+  if (env.LLM_PRICING_RELOAD_PUBSUB_ENABLED) {
+    const subscriber = createRedisClient("llm-pricing:subscriber", {
+      keyPrefix: "llm-pricing:subscriber:",
+      host: env.COMMON_WORKER_REDIS_HOST,
+      port: env.COMMON_WORKER_REDIS_PORT,
+      username: env.COMMON_WORKER_REDIS_USERNAME,
+      password: env.COMMON_WORKER_REDIS_PASSWORD,
+      tlsDisabled: env.COMMON_WORKER_REDIS_TLS_DISABLED === "true",
+      clusterMode: env.COMMON_WORKER_REDIS_CLUSTER_MODE_ENABLED === "1",
+    });
+
+    subscriber.subscribe(env.LLM_PRICING_RELOAD_CHANNEL).catch((err) => {
+      logger.warn("Failed to subscribe to LLM pricing reload channel", {
+        channel: env.LLM_PRICING_RELOAD_CHANNEL,
+        error: err instanceof Error ? err.message : String(err),
+      });
+    });
+
+    // Coalesce reload calls so a burst of publishes only triggers one
+    // reload. The first publish schedules a reload at
+    // T+LLM_PRICING_RELOAD_DEBOUNCE_MS; subsequent publishes during that
+    // window are no-ops because the trailing reload picks up everything
+    // when it queries the DB. Bounds reload rate to at most 1 per debounce
+    // window regardless of publisher chattiness.
+    const debounceMs = env.LLM_PRICING_RELOAD_DEBOUNCE_MS;
+    let pendingReloadTimer: NodeJS.Timeout | null = null;
+
+    function scheduleReload() {
+      if (pendingReloadTimer) return;
+      pendingReloadTimer = setTimeout(() => {
+        pendingReloadTimer = null;
+        registry.reload().catch((err) => {
+          logger.warn("Failed to reload LLM pricing registry from pub/sub", {
+            error: err instanceof Error ? err.message : String(err),
+          });
+        });
+      }, debounceMs);
+    }
+
+    subscriber.on("message", (channel) => {
+      if (channel !== env.LLM_PRICING_RELOAD_CHANNEL) return;
+      scheduleReload();
+    });
+
+    signalsEmitter.on("SIGTERM", () => {
+      clearInterval(interval);
+      if (pendingReloadTimer) clearTimeout(pendingReloadTimer);
+      void subscriber.quit().catch(() => {});
+    });
+    signalsEmitter.on("SIGINT", () => {
+      clearInterval(interval);
+      if (pendingReloadTimer) clearTimeout(pendingReloadTimer);
+      void subscriber.quit().catch(() => {});
+    });
+  } else {
+    signalsEmitter.on("SIGTERM", () => clearInterval(interval));
+    signalsEmitter.on("SIGINT", () => clearInterval(interval));
+  }
 
   return registry;
 });
diff --git a/apps/webapp/app/v3/marqs/devQueueConsumer.server.ts b/apps/webapp/app/v3/marqs/devQueueConsumer.server.ts
index 2bd80d465b4..3143e40f0de 100644
--- a/apps/webapp/app/v3/marqs/devQueueConsumer.server.ts
+++ b/apps/webapp/app/v3/marqs/devQueueConsumer.server.ts
@@ -519,6 +519,7 @@ export class DevQueueConsumer {
         runId: lockedTaskRun.friendlyId,
         messageId: lockedTaskRun.id,
         isTest: lockedTaskRun.isTest,
+        isReplay: !!lockedTaskRun.replayedFromTaskRunFriendlyId,
         metrics: [
           {
             name: "start",
diff --git a/apps/webapp/app/v3/marqs/sharedQueueConsumer.server.ts b/apps/webapp/app/v3/marqs/sharedQueueConsumer.server.ts
index 0d6327f0640..518b64666d4 100644
--- a/apps/webapp/app/v3/marqs/sharedQueueConsumer.server.ts
+++ b/apps/webapp/app/v3/marqs/sharedQueueConsumer.server.ts
@@ -600,7 +600,7 @@ export class SharedQueueConsumer {
       (!retryingFromCheckpoint &&
         !EXECUTABLE_RUN_STATUSES.withoutCheckpoint.includes(existingTaskRun.status))
     ) {
-      logger.error("Task run has invalid status for execution. Going to ack", {
+      logger.warn("Task run has invalid status for execution. Going to ack", {
         queueMessage: message.data,
         messageId: message.messageId,
         taskRun: existingTaskRun.id,
@@ -1640,6 +1640,7 @@ export const AttemptForExecutionGetPayload = {
         createdAt: true,
         startedAt: true,
         isTest: true,
+        replayedFromTaskRunFriendlyId: true,
         metadata: true,
         metadataType: true,
         idempotencyKey: true,
@@ -1726,6 +1727,7 @@ class SharedQueueTasks {
         startedAt: taskRun.startedAt ?? taskRun.createdAt,
         tags: taskRun.runTags ?? [],
         isTest: taskRun.isTest,
+        isReplay: !!taskRun.replayedFromTaskRunFriendlyId,
         idempotencyKey: taskRun.idempotencyKey ?? undefined,
         durationMs: taskRun.usageDurationMs,
         costInCents: taskRun.costInCents,
@@ -2045,6 +2047,7 @@ class SharedQueueTasks {
         traceContext: true,
         friendlyId: true,
         isTest: true,
+        replayedFromTaskRunFriendlyId: true,
         lockedBy: {
           select: {
             machineConfig: true,
@@ -2090,6 +2093,7 @@ class SharedQueueTasks {
       runId: run.friendlyId,
       messageId: run.id,
       isTest: run.isTest,
+      isReplay: !!run.replayedFromTaskRunFriendlyId,
       attemptCount,
       metrics: [],
     } satisfies TaskRunExecutionLazyAttemptPayload;
diff --git a/apps/webapp/app/v3/mollifier/applyMetadataMutation.server.ts b/apps/webapp/app/v3/mollifier/applyMetadataMutation.server.ts
new file mode 100644
index 00000000000..bef87afa376
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/applyMetadataMutation.server.ts
@@ -0,0 +1,209 @@
+import { applyMetadataOperations } from "@trigger.dev/core/v3";
+import type { FlushedRunMetadata } from "@trigger.dev/core/v3/schemas";
+import { RunId } from "@trigger.dev/core/v3/isomorphic";
+import type { MollifierBuffer } from "@trigger.dev/redis-worker";
+import { logger } from "~/services/logger.server";
+import { getMollifierBuffer } from "./mollifierBuffer.server";
+
+// On `applied` we surface the parent/root friendlyIds captured during
+// the snapshot read. Callers that fan parent/root metadata operations
+// out to their respective runs can use these without a second
+// `findRunByIdWithMollifierFallback` round trip — and, more importantly,
+// without racing the drainer's terminal-failure path (which atomically
+// DELetes the entry hash). Without these on the outcome the second
+// read can come back null mid-route, silently dropping the caller's
+// parentOperations / rootOperations after the primary mutation already
+// landed on the snapshot.
+//
+// FriendlyIds (not internal cuids) because the consuming
+// `routeOperationsToRun` helper gates on the `run_…` prefix to decide
+// whether to attempt the buffer fallback; cuids would skip that path.
+// The snapshot's `parentTaskRunId` / `rootTaskRunId` are engine-side
+// cuids, so we convert via `RunId.toFriendlyId` here — identical to
+// what `readFallback.server.ts` does when assembling its SyntheticRun.
+export type ApplyMetadataMutationOutcome =
+  | {
+      kind: "applied";
+      newMetadata: Record<string, unknown>;
+      parentTaskRunFriendlyId: string | undefined;
+      rootTaskRunFriendlyId: string | undefined;
+    }
+  | { kind: "not_found" }
+  | { kind: "busy" }
+  | { kind: "version_exhausted" }
+  // Mirrors the PG-side `MetadataTooLargeError` (status 413). Carries
+  // the limit + observed size so the route can produce a useful body.
+  | { kind: "metadata_too_large"; maximumSize: number; observedSize: number };
+
+// Apply a metadata PUT (body.metadata replace AND/OR body.operations
+// deltas) to a buffered run's snapshot. Mirrors the PG-side
+// `UpdateMetadataService.#updateRunMetadataWithOperations` retry loop:
+// read snapshot → apply operations in JS → CAS-write back with the
+// observed `metadataVersion`. Retries on conflict; bounded by
+// `maxRetries`. The Lua CAS is the atomicity primitive — concurrent
+// callers never lose an increment / append / set.
+export async function applyMetadataMutationToBufferedRun(input: {
+  runId: string;
+  // Env+org scoping closes a cross-environment write gap on the buffer
+  // path: the route's PG path is already env-scoped via Prisma filters,
+  // and this helper now enforces the same isolation before any buffer
+  // write so a caller authed in env A can't mutate a buffered run that
+  // belongs to env B.
+  environmentId: string;
+  organizationId: string;
+  // Byte-size cap on the resulting metadata payload, mirroring the
+  // PG-side `UpdateMetadataService.maximumSize` (sourced from
+  // `env.TASK_RUN_METADATA_MAXIMUM_SIZE`). Required so the buffer path
+  // doesn't silently allow writes the PG path would have rejected.
+  maximumSize: number;
+  body: Pick<FlushedRunMetadata, "metadata" | "operations">;
+  buffer?: MollifierBuffer | null;
+  maxRetries?: number;
+  // Jittered conflict-backoff envelope: random in [0, base + attempt * step) ms.
+  backoffBaseMs?: number;
+  backoffStepMs?: number;
+}): Promise<ApplyMetadataMutationOutcome> {
+  const buffer = input.buffer ?? getMollifierBuffer();
+  if (!buffer) return { kind: "not_found" };
+
+  // Default retry budget tuned for buffered-window concurrency. The
+  // PG-side `UpdateMetadataService` uses 3, which is fine when the only
+  // writer is the executing task itself. For a buffered run the writers
+  // are external API callers, and N parallel writers exhaust 3 retries
+  // quickly under contention. Bumping to 12 covers ~50-way concurrency
+  // with sub-percent failure probability; the cost is bounded (each
+  // retry is one Redis Lua call ~1ms).
+  const maxRetries = input.maxRetries ?? 12;
+  const backoffBaseMs = input.backoffBaseMs ?? 5;
+  const backoffStepMs = input.backoffStepMs ?? 5;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    const entry = await buffer.getEntry(input.runId);
+    if (!entry) return { kind: "not_found" };
+    // Env+org check: an entry from a different env is treated as a
+    // miss (not 403) so existence in other envs doesn't leak.
+    if (
+      entry.envId !== input.environmentId ||
+      entry.orgId !== input.organizationId
+    ) {
+      return { kind: "not_found" };
+    }
+    if (entry.status !== "QUEUED" || entry.materialised) {
+      return { kind: "busy" };
+    }
+
+    const snapshot = JSON.parse(entry.payload) as Record<string, unknown>;
+    const currentMetadataType =
+      typeof snapshot.metadataType === "string" ? snapshot.metadataType : "application/json";
+
+    // Capture parent/root ids during this read so the caller can fan
+    // parent/root operations out without a second buffer.getEntry. If
+    // the drainer's terminal-failure path runs between our CAS-write
+    // below and the route's follow-up, the entry hash would be DELd
+    // and a second read would return null — silently dropping the
+    // caller's `body.parentOperations` / `body.rootOperations`. The ids
+    // themselves are immutable for a run, so capturing them on any
+    // loop iteration is fine.
+    const snapshotParentTaskRunInternalId =
+      typeof snapshot.parentTaskRunId === "string" ? snapshot.parentTaskRunId : undefined;
+    const snapshotParentTaskRunFriendlyId = snapshotParentTaskRunInternalId
+      ? RunId.toFriendlyId(snapshotParentTaskRunInternalId)
+      : undefined;
+    const snapshotRootTaskRunInternalId =
+      typeof snapshot.rootTaskRunId === "string" ? snapshot.rootTaskRunId : undefined;
+    const snapshotRootTaskRunFriendlyId = snapshotRootTaskRunInternalId
+      ? RunId.toFriendlyId(snapshotRootTaskRunInternalId)
+      : undefined;
+
+    // Match PG semantics: `body.operations` and `body.metadata` are
+    // mutually exclusive on a single request. The PG service
+    // (`UpdateMetadataService.#updateRunMetadata`) branches on
+    // `Array.isArray(body.operations)` — if operations are present it
+    // applies them on top of the EXISTING metadata and ignores
+    // `body.metadata` entirely; otherwise `body.metadata` is the new
+    // full value. Doing both here would make a request like
+    // `{ metadata: {b:2}, operations: [set c=3] }` produce
+    // `{b:2,c:3}` on the buffer vs `{a:1,c:3}` on PG, which silently
+    // changes semantics across the buffered/materialised boundary.
+    const parseSnapshotMetadata = (): Record<string, unknown> => {
+      if (typeof snapshot.metadata !== "string") return {};
+      try {
+        return JSON.parse(snapshot.metadata) as Record<string, unknown>;
+      } catch {
+        return {};
+      }
+    };
+
+    let metadataObject: Record<string, unknown>;
+    // Use `Array.isArray` (the PG service's predicate) instead of a
+    // truthy length check. For `{ metadata, operations: [] }` PG sees
+    // Array.isArray([])=true and no-ops on existing metadata; a
+    // `.length` check would treat the empty array as falsy and fall
+    // through to the `body.metadata` branch, replacing metadata —
+    // exactly the cross-boundary drift the comment above warns
+    // against.
+    if (Array.isArray(input.body.operations)) {
+      // Operations take precedence: apply on top of existing snapshot
+      // metadata; ignore `body.metadata` to match PG behaviour.
+      metadataObject = applyMetadataOperations(
+        parseSnapshotMetadata(),
+        input.body.operations,
+      ).newMetadata;
+    } else if (input.body.metadata !== undefined) {
+      // No operations — full replace.
+      metadataObject = input.body.metadata as Record<string, unknown>;
+    } else {
+      // Neither — write back existing snapshot metadata (no-op shape).
+      metadataObject = parseSnapshotMetadata();
+    }
+
+    const newMetadataStr = JSON.stringify(metadataObject);
+
+    // Size cap — match PG (`handleMetadataPacket` throws
+    // `MetadataTooLargeError` (413) when the JSON-encoded packet
+    // exceeds the configured cap). Reject in-loop, before CAS, so a
+    // single oversize write doesn't churn the retry budget.
+    const observedSize = Buffer.byteLength(newMetadataStr, "utf8");
+    if (observedSize > input.maximumSize) {
+      return {
+        kind: "metadata_too_large",
+        maximumSize: input.maximumSize,
+        observedSize,
+      };
+    }
+
+    const cas = await buffer.casSetMetadata({
+      runId: input.runId,
+      expectedVersion: entry.metadataVersion,
+      newMetadata: newMetadataStr,
+      newMetadataType: currentMetadataType,
+    });
+
+    if (cas.kind === "applied") {
+      return {
+        kind: "applied",
+        newMetadata: metadataObject,
+        parentTaskRunFriendlyId: snapshotParentTaskRunFriendlyId,
+        rootTaskRunFriendlyId: snapshotRootTaskRunFriendlyId,
+      };
+    }
+    if (cas.kind === "not_found") return { kind: "not_found" };
+    if (cas.kind === "busy") return { kind: "busy" };
+    // version_conflict — another caller wrote between our read + CAS.
+    // Small jittered backoff so a thundering herd of N retriers doesn't
+    // all re-read + re-CAS at exactly the same moment.
+    logger.debug("applyMetadataMutationToBufferedRun: version_conflict, retrying", {
+      runId: input.runId,
+      attempt,
+      observedVersion: entry.metadataVersion,
+      currentVersion: cas.currentVersion,
+    });
+    const backoffMs = Math.floor(Math.random() * (backoffBaseMs + attempt * backoffStepMs));
+    await new Promise((resolve) => setTimeout(resolve, backoffMs));
+  }
+
+  logger.warn("applyMetadataMutationToBufferedRun: retries exhausted", {
+    runId: input.runId,
+    maxRetries,
+  });
+  return { kind: "version_exhausted" };
+}
diff --git a/apps/webapp/app/v3/mollifier/bufferedTriggerPayload.server.ts b/apps/webapp/app/v3/mollifier/bufferedTriggerPayload.server.ts
new file mode 100644
index 00000000000..287b5bf9bcb
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/bufferedTriggerPayload.server.ts
@@ -0,0 +1,107 @@
+import type { TriggerTaskRequestBody } from "@trigger.dev/core/v3";
+import type { TriggerTaskServiceOptions } from "~/v3/services/triggerTask.server";
+
+// Canonical payload shape written to the mollifier buffer when the gate
+// decides to mollify a trigger. At this stage the call site ALSO calls
+// engine.trigger directly (dual-write), so this is currently an
+// audit/preview record. A later change makes the buffer the primary write
+// path: the drainer's handler reads this payload and replays it through
+// engine.trigger to create the run in Postgres, and read-fallback
+// endpoints synthesise a Run view from it while it is still QUEUED.
+//
+// CONTRACT: this shape must contain everything the drainer-replay needs to
+// reconstruct an equivalent engine.trigger call. Today it is emitted to
+// logs; later it is serialised into Redis and rebuilt on the drain side.
+// Keep it serialisable — no functions, no class instances.
+export type BufferedTriggerPayload = {
+  runFriendlyId: string;
+
+  // Routing identifiers — let the drainer re-fetch full AuthenticatedEnvironment
+  // at replay time rather than embedding it in the payload.
+  envId: string;
+  envType: string;
+  envSlug: string;
+  orgId: string;
+  orgSlug: string;
+  projectId: string;
+  projectRef: string;
+
+  // Task identifier — looked up against the locked BackgroundWorkerTask
+  // at replay time to recover task-defaults.
+  taskId: string;
+
+  // Customer-supplied trigger body (payload, options, context).
+  body: TriggerTaskRequestBody;
+
+  // Resolved values from upstream concerns. The drainer should NOT re-resolve
+  // these — that would create a second idempotency-key check, etc.
+  idempotencyKey: string | null;
+  idempotencyKeyExpiresAt: string | null;
+  tags: string[];
+
+  // Parent/root linkage for nested triggers.
+  parentRunFriendlyId: string | null;
+
+  // Trace context — propagates the original triggering span across the
+  // buffer→drain boundary so the run's lifecycle stays under one trace.
+  traceContext: Record<string, unknown>;
+
+  // Annotations + service options that influence routing/replay.
+  triggerSource: string;
+  triggerAction: string;
+  serviceOptions: TriggerTaskServiceOptions;
+
+  // Wall-clock instants relevant to the run.
+  createdAt: string;
+};
+
+// Assemble the canonical payload from the inputs available at the point
+// `evaluateGate` returns "mollify" in `RunEngineTriggerTaskService.call`.
+// All fields must be derivable from data already in scope at that call site;
+// nothing should require an extra DB lookup.
+export function buildBufferedTriggerPayload(input: {
+  runFriendlyId: string;
+  taskId: string;
+  envId: string;
+  envType: string;
+  envSlug: string;
+  orgId: string;
+  orgSlug: string;
+  projectId: string;
+  projectRef: string;
+  body: TriggerTaskRequestBody;
+  idempotencyKey: string | null;
+  idempotencyKeyExpiresAt: Date | null;
+  tags: string[];
+  parentRunFriendlyId: string | null;
+  traceContext: Record<string, unknown>;
+  triggerSource: string;
+  triggerAction: string;
+  serviceOptions: TriggerTaskServiceOptions;
+  createdAt: Date;
+}): BufferedTriggerPayload {
+  return {
+    runFriendlyId: input.runFriendlyId,
+    envId: input.envId,
+    envType: input.envType,
+    envSlug: input.envSlug,
+    orgId: input.orgId,
+    orgSlug: input.orgSlug,
+    projectId: input.projectId,
+    projectRef: input.projectRef,
+    taskId: input.taskId,
+    body: input.body,
+    idempotencyKey: input.idempotencyKey,
+    idempotencyKeyExpiresAt:
+      input.idempotencyKey && input.idempotencyKeyExpiresAt
+        ? input.idempotencyKeyExpiresAt.toISOString()
+        : null,
+    tags: input.tags,
+    parentRunFriendlyId: input.parentRunFriendlyId,
+    traceContext: input.traceContext,
+    triggerSource: input.triggerSource,
+    triggerAction: input.triggerAction,
+    serviceOptions: input.serviceOptions,
+    createdAt: input.createdAt.toISOString(),
+  };
+}
diff --git a/apps/webapp/app/v3/mollifier/idempotencyClaim.server.ts b/apps/webapp/app/v3/mollifier/idempotencyClaim.server.ts
new file mode 100644
index 00000000000..47c9733c927
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/idempotencyClaim.server.ts
@@ -0,0 +1,218 @@
+import { randomUUID } from "node:crypto";
+import type {
+  IdempotencyClaimResult,
+  IdempotencyLookupInput,
+  MollifierBuffer,
+} from "@trigger.dev/redis-worker";
+import { logger } from "~/services/logger.server";
+import { getMollifierBuffer } from "./mollifierBuffer.server";
+
+// Tunables. The TTL on the claim key is bounded by typical trigger-pipeline
+// dwell; long enough that a slow PG insert doesn't expire mid-flight,
+// short enough that a crashed claimant unblocks waiters quickly.
+export const DEFAULT_CLAIM_TTL_SECONDS = 30;
+// safetyNetMs caps how long a waiter blocks before returning timed_out.
+// Matches the mutateWithFallback safety net so SDK retry policies don't
+// have to special-case this path.
+export const DEFAULT_CLAIM_WAIT_MS = 5_000;
+export const DEFAULT_CLAIM_POLL_MS = 25;
+
+export type ClaimOrAwaitOutcome =
+  // We own the claim. `token` MUST be passed to publishClaim/releaseClaim
+  // so the buffer can compare-and-act against our ownership marker — a
+  // late release from a previous claimant whose TTL expired cannot
+  // erase our slot.
+  | { kind: "claimed"; token: string }
+  | { kind: "resolved"; runId: string } // someone else's runId; caller returns isCached:true
+  | { kind: "timed_out" };
+
+export type ClaimOrAwaitInput = IdempotencyLookupInput & {
+  ttlSeconds?: number;
+  safetyNetMs?: number;
+  pollStepMs?: number;
+  abortSignal?: AbortSignal;
+  // Test injection.
+  buffer?: MollifierBuffer | null;
+  now?: () => number;
+  sleep?: (ms: number) => Promise<void>;
+  // Test override for the ownership-token generator. Defaults to
+  // `crypto.randomUUID()`. Tests pass a deterministic value so they
+  // can assert publish/release pass-through.
+  generateToken?: () => string;
+};
+
+// Pre-gate Redis claim. All same-key triggers serialise through here
+// before the trigger pipeline runs. Returning `resolved` short-circuits
+// the trigger entirely — the caller responds with the cached runId.
+// Returning `claimed` means we own the claim and MUST publish the
+// winning runId on success (`publishClaim`) or release the claim on
+// failure (`releaseClaim`).
+//
+// Failure modes:
+// - Redis down at claim time: returns `claimed` (fail open, no
+//   coordination). Customer is no worse than today's race; the
+//   PG unique constraint is the eventual arbiter.
+// - Claimant crashes mid-pipeline: claim TTL expires, waiters
+//   eventually time out, SDK retries.
+// - PG/buffer publish failure: waiters time out and SDK retries; next
+//   attempt sees the eventual PG/buffer state via existing
+//   IdempotencyKeyConcern PG-first lookup.
+export async function claimOrAwait(input: ClaimOrAwaitInput): Promise<ClaimOrAwaitOutcome> {
+  const buffer = input.buffer === undefined ? getMollifierBuffer() : input.buffer;
+  if (!buffer) {
+    // Mollifier disabled / buffer construction failed. Fall open —
+    // caller proceeds with the trigger pipeline (PG unique constraint
+    // backstop). The token is never read in this case (publish/release
+    // are buffer-null no-ops downstream), so we skip the default
+    // `randomUUID()` to keep the mollifier-OFF hot path allocation-free
+    // for idempotency-keyed triggers — `triggerTask` is the
+    // highest-throughput code path in the system. A test-injected
+    // generator is still honoured for deterministic assertions.
+    return { kind: "claimed", token: input.generateToken ? input.generateToken() : "" };
+  }
+  const generateToken = input.generateToken ?? randomUUID;
+  // Generate the ownership token up front so the retry loop reuses it
+  // — we're the same logical claimant across attempts; only the slot
+  // owner changes between releases.
+  const token = generateToken();
+  const ttlSeconds = input.ttlSeconds ?? DEFAULT_CLAIM_TTL_SECONDS;
+  const safetyNetMs = input.safetyNetMs ?? DEFAULT_CLAIM_WAIT_MS;
+  const pollStepMs = input.pollStepMs ?? DEFAULT_CLAIM_POLL_MS;
+  const now = input.now ?? Date.now;
+  const sleep = input.sleep ?? defaultSleep;
+
+  const lookupInput: IdempotencyLookupInput = {
+    envId: input.envId,
+    taskIdentifier: input.taskIdentifier,
+    idempotencyKey: input.idempotencyKey,
+  };
+
+  // Initial claim attempt. Most production-path calls resolve here on
+  // the first call (either we win, or the key is already resolved from
+  // a prior burst).
+  let result: IdempotencyClaimResult;
+  try {
+    result = await buffer.claimIdempotency({ ...lookupInput, token, ttlSeconds });
+  } catch (err) {
+    logger.warn("idempotency claim failed (fail-open)", {
+      envId: input.envId,
+      taskIdentifier: input.taskIdentifier,
+      err: err instanceof Error ? err.message : String(err),
+    });
+    return { kind: "claimed", token };
+  }
+
+  if (result.kind === "claimed") return { kind: "claimed", token };
+  if (result.kind === "resolved") return result;
+
+  // result.kind === "pending" — wait/poll loop. May see the value flip
+  // to "resolved" (winner published), the key vanish (winner released
+  // on error → retry claim), or stay "pending" until the safety net.
+  const deadline = now() + safetyNetMs;
+  while (now() < deadline) {
+    if (input.abortSignal?.aborted) return { kind: "timed_out" };
+    await sleep(pollStepMs);
+
+    let current: IdempotencyClaimResult | null;
+    try {
+      current = await buffer.readClaim(lookupInput);
+    } catch (err) {
+      // Transient read failure — keep polling until deadline.
+      logger.warn("idempotency claim read failed mid-poll", {
+        err: err instanceof Error ? err.message : String(err),
+      });
+      continue;
+    }
+
+    if (current === null) {
+      // Claimant released on error. Re-attempt the claim — one of the
+      // waiters will win, the rest see "pending" again. Reuse our token:
+      // we're still the same logical claimant, just contending for a
+      // freshly empty slot.
+      try {
+        const retry = await buffer.claimIdempotency({ ...lookupInput, token, ttlSeconds });
+        if (retry.kind === "claimed") return { kind: "claimed", token };
+        if (retry.kind === "resolved") return retry;
+        // "pending" again → keep polling.
+      } catch (err) {
+        logger.warn("idempotency claim retry failed", {
+          err: err instanceof Error ? err.message : String(err),
+        });
+        return { kind: "claimed", token };
+      }
+      continue;
+    }
+    if (current.kind === "resolved") return current;
+    // current.kind === "pending" → keep polling.
+  }
+  return { kind: "timed_out" };
+}
+
+// Publish the winning runId so waiters resolve. Best-effort: failure
+// here means waiters will time out and the SDK will retry, which will
+// then find the row via the existing IdempotencyKeyConcern PG-first
+// check.
+export async function publishClaim(input: {
+  envId: string;
+  taskIdentifier: string;
+  idempotencyKey: string;
+  // Ownership token from the `claimed` outcome. Buffer compare-and-sets
+  // on this so a publish from a stale claimant (TTL expired, another
+  // claimant moved in) is a no-op rather than overwriting their claim.
+  token: string;
+  runId: string;
+  ttlSeconds?: number;
+  buffer?: MollifierBuffer | null;
+}): Promise<void> {
+  const buffer = input.buffer === undefined ? getMollifierBuffer() : input.buffer;
+  if (!buffer) return;
+  const ttlSeconds = input.ttlSeconds ?? DEFAULT_CLAIM_TTL_SECONDS;
+  try {
+    await buffer.publishClaim({
+      envId: input.envId,
+      taskIdentifier: input.taskIdentifier,
+      idempotencyKey: input.idempotencyKey,
+      token: input.token,
+      runId: input.runId,
+      ttlSeconds,
+    });
+  } catch (err) {
+    logger.warn("idempotency claim publish failed", {
+      envId: input.envId,
+      taskIdentifier: input.taskIdentifier,
+      err: err instanceof Error ? err.message : String(err),
+    });
+  }
+}
+
+// Release on pipeline failure. Best-effort. If the DEL fails, the claim
+// TTL is the safety net — waiters time out, SDK retries.
+export async function releaseClaim(input: {
+  envId: string;
+  taskIdentifier: string;
+  idempotencyKey: string;
+  // Ownership token from the `claimed` outcome. Buffer compare-and-
+  // deletes on this so a release from a stale claimant whose TTL
+  // expired can't wipe a new owner's claim.
+  token: string;
+  buffer?: MollifierBuffer | null;
+}): Promise<void> {
+  const buffer = input.buffer === undefined ? getMollifierBuffer() : input.buffer;
+  if (!buffer) return;
+  try {
+    await buffer.releaseClaim({
+      envId: input.envId,
+      taskIdentifier: input.taskIdentifier,
+      idempotencyKey: input.idempotencyKey,
+      token: input.token,
+    });
+  } catch (err) {
+    logger.warn("idempotency claim release failed", {
+      err: err instanceof Error ? err.message : String(err),
+    });
+  }
+}
+
+function defaultSleep(ms: number): Promise<void> {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
diff --git a/apps/webapp/app/v3/mollifier/mollifierBuffer.server.ts b/apps/webapp/app/v3/mollifier/mollifierBuffer.server.ts
new file mode 100644
index 00000000000..2f7af70d0f2
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/mollifierBuffer.server.ts
@@ -0,0 +1,35 @@
+import { MollifierBuffer } from "@trigger.dev/redis-worker";
+import { env } from "~/env.server";
+import { logger } from "~/services/logger.server";
+import { singleton } from "~/utils/singleton";
+
+// DI seam type for consumers (e.g. triggerTask.server.ts) that need a
+// nullable buffer accessor at construction time.
+export type MollifierGetBuffer = () => MollifierBuffer | null;
+
+function initializeMollifierBuffer(): MollifierBuffer {
+  logger.debug("Initializing mollifier buffer", {
+    host: env.TRIGGER_MOLLIFIER_REDIS_HOST,
+  });
+
+  return new MollifierBuffer({
+    redisOptions: {
+      keyPrefix: "",
+      host: env.TRIGGER_MOLLIFIER_REDIS_HOST,
+      port: env.TRIGGER_MOLLIFIER_REDIS_PORT,
+      username: env.TRIGGER_MOLLIFIER_REDIS_USERNAME,
+      password: env.TRIGGER_MOLLIFIER_REDIS_PASSWORD,
+      enableAutoPipelining: true,
+      ...(env.TRIGGER_MOLLIFIER_REDIS_TLS_DISABLED === "true" ? {} : { tls: {} }),
+    },
+    ackGraceTtlSeconds: env.TRIGGER_MOLLIFIER_ACK_GRACE_TTL_SECONDS,
+    maxRetriesPerRequest: env.TRIGGER_MOLLIFIER_REDIS_MAX_RETRIES_PER_REQUEST,
+    reconnectStepMs: env.TRIGGER_MOLLIFIER_REDIS_RECONNECT_STEP_MS,
+    reconnectMaxMs: env.TRIGGER_MOLLIFIER_REDIS_RECONNECT_MAX_MS,
+  });
+}
+
+export function getMollifierBuffer(): MollifierBuffer | null {
+  if (env.TRIGGER_MOLLIFIER_ENABLED !== "1") return null;
+  return singleton("mollifierBuffer", initializeMollifierBuffer);
+}
diff --git a/apps/webapp/app/v3/mollifier/mollifierDrainer.server.ts b/apps/webapp/app/v3/mollifier/mollifierDrainer.server.ts
new file mode 100644
index 00000000000..c520847ce3c
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/mollifierDrainer.server.ts
@@ -0,0 +1,105 @@
+import { MollifierDrainer } from "@trigger.dev/redis-worker";
+import { prisma } from "~/db.server";
+import { env } from "~/env.server";
+import { engine as runEngine } from "~/v3/runEngine.server";
+import { logger } from "~/services/logger.server";
+import { singleton } from "~/utils/singleton";
+import { getMollifierBuffer } from "./mollifierBuffer.server";
+import {
+  createDrainerHandler,
+  createDrainerTerminalFailureHandler,
+  isRetryablePgError,
+} from "./mollifierDrainerHandler.server";
+import type { MollifierSnapshot } from "./mollifierSnapshot.server";
+
+// Distinct error class for the deterministic "fail loud at boot" throws
+// below. The bootstrap in `mollifierDrainerWorker.server.ts` catches
+// transient/init errors and logs them so an unrelated Redis blip doesn't
+// crash the webapp, but it RETHROWS this class — a misconfigured
+// shutdown timeout or missing buffer is a deploy-time mistake that
+// should fail health checks and roll back, not silently disable a
+// half-rolled-out feature.
+//
+// The `name` getter is set explicitly so cross-realm `instanceof` checks
+// (e.g. when Remix dev hot-reloads the module and the consumer keeps a
+// reference to the old class) can fall back to `error.name === ...` and
+// still recognise the marker.
+export class MollifierConfigurationError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = "MollifierConfigurationError";
+  }
+}
+
+function initializeMollifierDrainer(): MollifierDrainer<MollifierSnapshot> {
+  const buffer = getMollifierBuffer();
+  if (!buffer) {
+    // Unreachable in normal config: getMollifierDrainer() gates on the
+    // same env flag as getMollifierBuffer(). If we hit this, fail loud
+    // — the operator has set TRIGGER_MOLLIFIER_ENABLED=1 on a worker pod but
+    // the buffer can't initialise (e.g. TRIGGER_MOLLIFIER_REDIS_HOST resolves
+    // to nothing). Crashing surfaces the misconfig immediately rather
+    // than silently leaving entries un-drained.
+    throw new MollifierConfigurationError(
+      "MollifierDrainer initialised without a buffer — env vars inconsistent",
+    );
+  }
+
+  // Validate BEFORE start() so a misconfigured shutdown timeout fails
+  // loud at module-load time and the singleton is never cached. If start()
+  // ran first and the throw propagated out, the loop would already be
+  // polling with no SIGTERM handler registered by the caller — exactly
+  // the failure mode the validation is supposed to prevent.
+  //
+  // The SIGTERM handler in mollifierDrainerWorker.server.ts is sync fire-and-forget:
+  // `drainer.stop({ timeoutMs })` returns a promise that keeps the event
+  // loop alive, but in cluster mode the primary runs its own
+  // GRACEFUL_SHUTDOWN_TIMEOUT and will call `process.exit(0)`
+  // independently. If the drainer's deadline exceeds the primary's, the
+  // drainer is cut off mid-wait — "log a warning on timeout" turns into
+  // "hard exit with no log". 1s margin gives the primary room to finish
+  // its own teardown after the drainer settles.
+  const shutdownMarginMs = env.TRIGGER_MOLLIFIER_DRAIN_SHUTDOWN_MARGIN_MS;
+  if (
+    env.TRIGGER_MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS >=
+    env.GRACEFUL_SHUTDOWN_TIMEOUT - shutdownMarginMs
+  ) {
+    throw new MollifierConfigurationError(
+      `TRIGGER_MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS (${env.TRIGGER_MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS}) must be at least ${shutdownMarginMs}ms below GRACEFUL_SHUTDOWN_TIMEOUT (${env.GRACEFUL_SHUTDOWN_TIMEOUT}); otherwise the primary's hard exit shadows the drainer's deadline.`,
+    );
+  }
+
+  logger.debug("Initializing mollifier drainer", {
+    concurrency: env.TRIGGER_MOLLIFIER_DRAIN_CONCURRENCY,
+    maxAttempts: env.TRIGGER_MOLLIFIER_DRAIN_MAX_ATTEMPTS,
+    drainBatchSize: env.TRIGGER_MOLLIFIER_DRAIN_BATCH_SIZE,
+  });
+
+  const drainer = new MollifierDrainer<MollifierSnapshot>({
+    buffer,
+    handler: createDrainerHandler({ engine: runEngine, prisma }),
+    onTerminalFailure: createDrainerTerminalFailureHandler({ engine: runEngine, prisma }),
+    concurrency: env.TRIGGER_MOLLIFIER_DRAIN_CONCURRENCY,
+    maxAttempts: env.TRIGGER_MOLLIFIER_DRAIN_MAX_ATTEMPTS,
+    maxOrgsPerTick: env.TRIGGER_MOLLIFIER_DRAIN_MAX_ORGS_PER_TICK,
+    drainBatchSize: env.TRIGGER_MOLLIFIER_DRAIN_BATCH_SIZE,
+    pollIntervalMs: env.TRIGGER_MOLLIFIER_DRAIN_POLL_INTERVAL_MS,
+    maxBackoffMs: env.TRIGGER_MOLLIFIER_DRAIN_MAX_BACKOFF_MS,
+    backoffFloorMs: env.TRIGGER_MOLLIFIER_DRAIN_BACKOFF_FLOOR_MS,
+    isRetryable: isRetryablePgError,
+  });
+
+  return drainer;
+}
+
+// Returns a configured-but-stopped drainer. Callers MUST register their
+// SIGTERM / SIGINT shutdown handlers before invoking `drainer.start()` —
+// see `apps/webapp/app/v3/mollifierDrainerWorker.server.ts`. Starting
+// inside the singleton factory would put the polling loop ahead of
+// handler registration, leaving a narrow window where a SIGTERM landing
+// between `start()` and `process.once("SIGTERM", ...)` would skip the
+// graceful stop. The split is intentional.
+export function getMollifierDrainer(): MollifierDrainer<MollifierSnapshot> | null {
+  if (env.TRIGGER_MOLLIFIER_ENABLED !== "1") return null;
+  return singleton("mollifierDrainer", initializeMollifierDrainer);
+}
diff --git a/apps/webapp/app/v3/mollifier/mollifierDrainerHandler.server.ts b/apps/webapp/app/v3/mollifier/mollifierDrainerHandler.server.ts
new file mode 100644
index 00000000000..6e829baa575
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/mollifierDrainerHandler.server.ts
@@ -0,0 +1,403 @@
+import { context, trace, TraceFlags } from "@opentelemetry/api";
+import type { RunEngine } from "@internal/run-engine";
+import type { PrismaClientOrTransaction } from "@trigger.dev/database";
+import { RunId } from "@trigger.dev/core/v3/isomorphic";
+import type {
+  MollifierDrainerHandler,
+  MollifierDrainerTerminalFailureHandler,
+} from "@trigger.dev/redis-worker";
+import { logger } from "~/services/logger.server";
+import { recordRunDebugLog } from "~/v3/eventRepository/index.server";
+import { PerformTaskRunAlertsService } from "~/v3/services/alerts/performTaskRunAlerts.server";
+import { startSpan } from "~/v3/tracing.server";
+import type { MollifierSnapshot } from "./mollifierSnapshot.server";
+
+const tracer = trace.getTracer("mollifier-drainer");
+
+export function isRetryablePgError(err: unknown): boolean {
+  if (!(err instanceof Error)) return false;
+  const msg = err.message ?? "";
+  // Prisma surfaces P1001 ("Can't reach database server") via two
+  // different error classes — `PrismaClientKnownRequestError` exposes
+  // it as `err.code`, `PrismaClientInitializationError` exposes it as
+  // `err.errorCode`. Check both so reconnection-time errors retry
+  // regardless of which class fires.
+  const code = (err as { code?: string }).code;
+  const errorCode = (err as { errorCode?: string }).errorCode;
+  if (code === "P2024") return true;
+  if (code === "P1001" || errorCode === "P1001") return true;
+  if (msg.includes("Can't reach database server")) return true;
+  if (msg.includes("Connection lost")) return true;
+  if (msg.includes("ECONNRESET")) return true;
+  return false;
+}
+
+export function createDrainerHandler(deps: {
+  engine: RunEngine;
+  prisma: PrismaClientOrTransaction;
+}): MollifierDrainerHandler<MollifierSnapshot> {
+  return async (input) => {
+    const dwellMs = Date.now() - input.createdAt.getTime();
+
+    // Re-attach to the trace started by the caller's mollifier.queued span
+    // (its traceId + spanId were captured into the snapshot at buffer time).
+    // Without this the drainer would emit mollifier.drained in a brand-new
+    // trace and the engine.trigger instrumentation would inherit an empty
+    // active context — leaving the run-detail page with only the root span.
+    const snapshotTraceId =
+      typeof input.payload.traceId === "string" ? input.payload.traceId : undefined;
+    const snapshotSpanId =
+      typeof input.payload.spanId === "string" ? input.payload.spanId : undefined;
+
+    const parentContext =
+      snapshotTraceId && snapshotSpanId
+        ? trace.setSpanContext(context.active(), {
+            traceId: snapshotTraceId,
+            spanId: snapshotSpanId,
+            traceFlags: TraceFlags.SAMPLED,
+            isRemote: true,
+          })
+        : context.active();
+
+    // Cancel-wins-over-trigger. If a cancel API call landed on this
+    // entry while it was QUEUED, the snapshot carries `cancelledAt` +
+    // `cancelReason`. Skip the normal materialise path and write a
+    // CANCELED PG row directly. The `runCancelled` bus emit is
+    // suppressed here because a buffered-only run never had a primary
+    // trace event written for it — the runCancelled handler's
+    // `cancelRunEvent` lookup would fail and log noise per cancel.
+    const cancelledAtStr =
+      typeof input.payload.cancelledAt === "string" ? input.payload.cancelledAt : undefined;
+    if (cancelledAtStr) {
+      const cancelReason =
+        typeof input.payload.cancelReason === "string"
+          ? input.payload.cancelReason
+          : "Canceled by user";
+      await context.with(parentContext, async () => {
+        await startSpan(tracer, "mollifier.drained.cancelled", async (span) => {
+          span.setAttribute("mollifier.drained", true);
+          span.setAttribute("mollifier.dwell_ms", dwellMs);
+          span.setAttribute("mollifier.attempts", input.attempts);
+          span.setAttribute("mollifier.run_friendly_id", input.runId);
+          span.setAttribute("mollifier.cancel_bifurcation", true);
+          span.setAttribute("taskRunId", input.runId);
+          try {
+            await deps.engine.createCancelledRun(
+              {
+                snapshot: input.payload as any,
+                cancelledAt: new Date(cancelledAtStr),
+                cancelReason,
+                emitRunCancelledEvent: false,
+              },
+              deps.prisma,
+            );
+          } catch (err) {
+            // createCancelledRun throws a conflict when the normal trigger
+            // replay path won the race and already materialised a live
+            // (non-CANCELED) row for this friendlyId. Its contract leaves
+            // the resolution to us: honour the cancel by actually
+            // cancelling the now-live run. Letting the conflict propagate
+            // would instead reach the drainer's terminal-failure path
+            // (isRetryablePgError() is false for it), buffer.fail() the
+            // entry, and silently lose the cancellation while the run
+            // keeps executing.
+            const isConflict =
+              err instanceof Error && err.message.startsWith("createCancelledRun conflict");
+            if (!isConflict) {
+              // Mirror the SYSTEM_FAILURE fallback the non-cancelled
+              // trigger path uses below. Without this branch, a
+              // non-retryable createCancelledRun failure rethrows, the
+              // drainer's onTerminalFailure handler skips because it
+              // gates on `cause === "max-attempts-exhausted"` (and the
+              // outer drainer classifies non-retryable failures with
+              // `cause: "non-retryable"`), and buffer.fail() deletes
+              // the entry — leaving NO PG row. The cancellation
+              // disappears silently from the customer's dashboard.
+              // Writing a SYSTEM_FAILURE row gives the run a terminal,
+              // visible state.
+              if (isRetryablePgError(err)) {
+                throw err;
+              }
+              span.setAttribute("mollifier.cancel_terminal_failure_reason",
+                err instanceof Error ? err.message : String(err));
+              try {
+                const wrote = await writeMollifierTerminalFailureRow(deps, {
+                  friendlyId: input.runId,
+                  snapshot: input.payload as Record<string, unknown>,
+                  reason: err instanceof Error ? err.message : String(err),
+                });
+                if (wrote) return;
+              } catch (writeErr) {
+                if (isRetryablePgError(writeErr)) {
+                  span.setAttribute("mollifier.cancel_terminal_write_retryable", true);
+                  throw writeErr;
+                }
+                span.setAttribute(
+                  "mollifier.cancel_terminal_write_error",
+                  writeErr instanceof Error ? writeErr.message : String(writeErr)
+                );
+              }
+              throw err;
+            }
+            span.setAttribute("mollifier.cancel_conflict", true);
+            const friendlyId =
+              typeof input.payload.friendlyId === "string"
+                ? input.payload.friendlyId
+                : input.runId;
+            await deps.engine.cancelRun({
+              runId: RunId.fromFriendlyId(friendlyId),
+              completedAt: new Date(cancelledAtStr),
+              reason: cancelReason,
+            });
+          }
+        });
+      });
+      return;
+    }
+
+    await context.with(parentContext, async () => {
+      await startSpan(tracer, "mollifier.drained", async (span) => {
+        span.setAttribute("mollifier.drained", true);
+        span.setAttribute("mollifier.dwell_ms", dwellMs);
+        span.setAttribute("mollifier.attempts", input.attempts);
+        span.setAttribute("mollifier.run_friendly_id", input.runId);
+        span.setAttribute("taskRunId", input.runId);
+
+        let triggerSucceeded = false;
+        try {
+          await deps.engine.trigger(input.payload as any, deps.prisma);
+          triggerSucceeded = true;
+        } catch (err) {
+          // The retryable-PG class re-throws so the drainer's outer
+          // worker loop can `buffer.requeue` (handled in
+          // `MollifierDrainer.drainOne`). For non-retryable failures we
+          // write a terminal SYSTEM_FAILURE row to PG via the engine's
+          // existing `createFailedTaskRun` (used by batch-trigger for
+          // the same purpose) so the customer sees the run in their
+          // dashboard / SDK instead of silently losing it when the
+          // buffer entry TTLs out. If THAT insert also fails (PG truly
+          // unreachable), rethrow so the drainer's outer catch falls
+          // through to its existing `buffer.fail` terminal-marker path.
+          if (isRetryablePgError(err)) {
+            throw err;
+          }
+          const reason = err instanceof Error ? err.message : String(err);
+          span.setAttribute("mollifier.terminal_failure_reason", reason);
+          try {
+            const wrote = await writeMollifierTerminalFailureRow(deps, {
+              friendlyId: input.runId,
+              snapshot: input.payload as Record<string, unknown>,
+              reason,
+            });
+            if (!wrote) {
+              // Snapshot too malformed to even construct a TaskRun row.
+              // Drainer's outer catch will buffer.fail this entry.
+              throw err;
+            }
+          } catch (writeErr) {
+            // The terminal SYSTEM_FAILURE write itself failed. If it
+            // failed because PG is transiently unreachable, rethrow the
+            // *write* error so the drainer requeues — buffer.fail()ing on
+            // the original non-retryable error would lose the run with no
+            // PG row ever landing. Once PG recovers the requeued entry
+            // writes its failure row and the customer sees it.
+            if (isRetryablePgError(writeErr)) {
+              span.setAttribute("mollifier.terminal_write_retryable", true);
+              throw writeErr;
+            }
+            // PG reachable but the write was rejected for another reason
+            // (genuinely bad snapshot). Rethrow the original trigger error
+            // so the drainer falls back to buffer.fail.
+            span.setAttribute(
+              "mollifier.terminal_write_error",
+              writeErr instanceof Error ? writeErr.message : String(writeErr)
+            );
+            throw err;
+          }
+        }
+
+        // Admin-only audit trail emitted once engine.trigger has
+        // landed a PG row. `recordRunDebugLog` flips this to the
+        // admin-gated debug kind (TaskEventKind.LOG in the PG store /
+        // DEBUG_EVENT in the ClickHouse store) which the trace view +
+        // logs download already strip for non-admins
+        // (`eventRepository.server.ts:108`,
+        // `resources.runs.$runParam.logs.download.ts:118`).
+        //
+        // Placement: emit as a zero-duration marker AT materialisation
+        // time, not as a back-dated bar spanning the buffered window.
+        // `engine.trigger` rewrites the run's root span at
+        // materialisation (it adopts the synth root via traceId/spanId
+        // carryover but updates start_time to "now"), so the trace
+        // renderer treats materialisation time as t=0. A back-dated
+        // event with startTime = bufferedAt would land before that t=0
+        // and get clipped from the tree. Same pattern as the
+        // `[engine] QUEUED` markers. The window itself is preserved
+        // in metadata so admins can read it off the span detail pane.
+        //
+        // Best-effort: `recordRunDebugLog` has its own try/catch and
+        // returns a result, so it never throws into the materialisation
+        // path. Failures are logged but not surfaced because the
+        // customer-visible run has already landed.
+        if (triggerSucceeded) {
+          const debugResult = await recordRunDebugLog(
+            RunId.fromFriendlyId(input.runId),
+            `Mollifier buffered ${dwellMs}ms before materialising`,
+            {
+              attributes: {
+                runId: input.runId,
+                metadata: {
+                  "mollifier.bufferedAt": input.createdAt.toISOString(),
+                  "mollifier.materialisedAt": new Date().toISOString(),
+                  "mollifier.dwellMs": dwellMs,
+                  "mollifier.attempts": input.attempts,
+                },
+              },
+              parentId: snapshotSpanId,
+            }
+          );
+          if (!debugResult.success && debugResult.code !== "RUN_NOT_FOUND") {
+            logger.warn("mollifier drainer: failed to record admin debug log", {
+              runId: input.runId,
+              code: debugResult.code,
+            });
+          }
+        }
+      });
+    });
+  };
+}
+
+// Shared SYSTEM_FAILURE construction used by both terminal paths:
+//   - non-retryable failure inside the handler (above)
+//   - retryable failure after maxAttempts inside the drainer's
+//     `processEntry` (via `createDrainerTerminalFailureHandler`)
+//
+// Suppresses `runFailed` and enqueues the alert manually — the engine's
+// `runFailed` handler calls `completeFailedRunEvent`, which looks up
+// the run's primary span. Buffered-only runs never had a primary trace
+// event written (the mollifier gate intercepts BEFORE
+// `repository.traceEvent` runs), so the lookup always fails and the
+// handler logs a systematic `[runFailed] Failed to complete failed
+// run event` error per terminal failure. `TriggerFailedTaskService`
+// handles the identical situation the same way (see triggerFailedTask
+// .server.ts:212 and 324) — pass `emitRunFailedEvent: false` to the
+// engine and call `PerformTaskRunAlertsService.enqueue(...)` directly
+// so customers' ERROR channels still fire. Alert enqueue is
+// best-effort; an alert-side failure is logged but does not bubble up
+// (the SYSTEM_FAILURE row landing is the load-bearing customer-visible
+// outcome).
+//
+// Returns the new `TaskRun` on success or `null` when the snapshot was
+// so malformed it couldn't even produce an environment — caller decides
+// whether to escalate that to `buffer.fail` directly. Throws on any
+// other failure so the drainer's retryable/non-retryable disposition
+// logic can own the decision.
+async function writeMollifierTerminalFailureRow(
+  deps: { engine: RunEngine; prisma: PrismaClientOrTransaction },
+  args: { friendlyId: string; snapshot: Record<string, unknown>; reason: string },
+) {
+  const { snapshot } = args;
+  const env = snapshot.environment as
+    | {
+        id: string;
+        type: any;
+        project: { id: string };
+        organization: { id: string };
+      }
+    | undefined;
+  if (!env) return null;
+  // Extract batch association from the snapshot if present. Without this
+  // a SYSTEM_FAILURE row for a buffered batch child won't be linked to
+  // its batch, and the batch parent's completion tracking can hang
+  // indefinitely waiting on a child that landed but isn't visible to
+  // the batch.
+  const rawBatch = snapshot.batch;
+  const batch =
+    rawBatch &&
+    typeof rawBatch === "object" &&
+    "id" in rawBatch &&
+    typeof (rawBatch as { id: unknown }).id === "string" &&
+    "index" in rawBatch &&
+    typeof (rawBatch as { index: unknown }).index === "number"
+      ? (rawBatch as { id: string; index: number })
+      : undefined;
+  const failedRun = await deps.engine.createFailedTaskRun({
+    friendlyId: args.friendlyId,
+    environment: env,
+    taskIdentifier: String(snapshot.taskIdentifier ?? ""),
+    payload: typeof snapshot.payload === "string" ? snapshot.payload : undefined,
+    payloadType: typeof snapshot.payloadType === "string" ? snapshot.payloadType : undefined,
+    error: {
+      type: "STRING_ERROR",
+      raw: `Mollifier drainer terminal failure: ${args.reason}`,
+    },
+    parentTaskRunId:
+      typeof snapshot.parentTaskRunId === "string" ? snapshot.parentTaskRunId : undefined,
+    rootTaskRunId:
+      typeof snapshot.rootTaskRunId === "string" ? snapshot.rootTaskRunId : undefined,
+    depth: typeof snapshot.depth === "number" ? snapshot.depth : 0,
+    resumeParentOnCompletion: snapshot.resumeParentOnCompletion === true,
+    batch,
+    traceId: typeof snapshot.traceId === "string" ? snapshot.traceId : undefined,
+    spanId: typeof snapshot.spanId === "string" ? snapshot.spanId : undefined,
+    taskEventStore:
+      typeof snapshot.taskEventStore === "string" ? snapshot.taskEventStore : undefined,
+    queue: typeof snapshot.queue === "string" ? snapshot.queue : undefined,
+    lockedQueueId:
+      typeof snapshot.lockedQueueId === "string" ? snapshot.lockedQueueId : undefined,
+    emitRunFailedEvent: false,
+  });
+  // Alerts side of `runFailed` — the engine emit was suppressed above
+  // so we don't create an orphan trace event; enqueue the alert
+  // directly so customers' ERROR channels still see the failure.
+  // Best-effort, mirroring TriggerFailedTaskService.
+  try {
+    await PerformTaskRunAlertsService.enqueue(failedRun.id);
+  } catch (alertsError) {
+    logger.warn("writeMollifierTerminalFailureRow: alert enqueue failed", {
+      friendlyId: args.friendlyId,
+      error: alertsError instanceof Error ? alertsError.message : String(alertsError),
+    });
+  }
+  return failedRun;
+}
+
+// Drainer-side terminal-failure callback. Fires from
+// `MollifierDrainer.processEntry` BEFORE `buffer.fail()` on any path
+// where the in-handler write didn't already land — currently the
+// `cause: "max-attempts-exhausted"` case for retryable PG errors. Writes
+// the same SYSTEM_FAILURE row the non-retryable handler path writes
+// inline (via the shared `writeMollifierTerminalFailureRow` helper) so
+// the customer-visible behaviour is identical regardless of how the
+// failure was classified.
+//
+// Re-throws retryable PG errors so the drainer requeues — buffer.fail()ing
+// here would still lose the run if PG is genuinely unreachable. Throwing
+// anything else falls through to buffer.fail to avoid an infinite loop on
+// a genuinely bad snapshot (the drainer logs it).
+export function createDrainerTerminalFailureHandler(deps: {
+  engine: RunEngine;
+  prisma: PrismaClientOrTransaction;
+}): MollifierDrainerTerminalFailureHandler<MollifierSnapshot> {
+  return async (input) => {
+    // The handler's own non-retryable terminal path has already written
+    // the SYSTEM_FAILURE row before it throws non-retryable. Only the
+    // retryable-exhausted path reaches us with no row written yet — gate
+    // on `cause` to avoid double-writing for non-retryable failures.
+    if (input.cause !== "max-attempts-exhausted") return;
+    await startSpan(tracer, "mollifier.drained.terminal_failure", async (span) => {
+      span.setAttribute("mollifier.drained", false);
+      span.setAttribute("mollifier.attempts", input.attempts);
+      span.setAttribute("mollifier.run_friendly_id", input.runId);
+      span.setAttribute("mollifier.terminal_failure_cause", input.cause);
+      span.setAttribute("mollifier.terminal_failure_reason", input.error.message);
+      span.setAttribute("taskRunId", input.runId);
+      await writeMollifierTerminalFailureRow(deps, {
+        friendlyId: input.runId,
+        snapshot: input.payload as Record<string, unknown>,
+        reason: input.error.message,
+      });
+    });
+  };
+}
diff --git a/apps/webapp/app/v3/mollifier/mollifierDrainingGauge.server.ts b/apps/webapp/app/v3/mollifier/mollifierDrainingGauge.server.ts
new file mode 100644
index 00000000000..eda8f45ebf1
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/mollifierDrainingGauge.server.ts
@@ -0,0 +1,63 @@
+import { logger } from "~/services/logger.server";
+import { getMollifierBuffer } from "./mollifierBuffer.server";
+import { reportDrainingCount } from "./mollifierTelemetry.server";
+
+// How often we ZCARD the draining-tracker set. Each poll is a single
+// O(1) Redis call, so cadence is bounded by "how fresh do we want the
+// gauge?" rather than cost. 15s gives a tight-enough window to spot a
+// brief OOM-induced spike without burning RTTs, and lines up well with
+// typical Prometheus scrape intervals.
+const POLL_INTERVAL_MS = 15_000;
+
+let intervalHandle: ReturnType<typeof setInterval> | null = null;
+
+// Polls `mollifier:draining` cardinality on an interval and feeds the
+// gauge in `mollifierTelemetry.server.ts`. Started from the drainer
+// worker bootstrap (alongside `drainer.start()`) so it runs on the same
+// pods that actually pop/ack entries — observability is colocated with
+// the lifecycle.
+//
+// Idempotent: a second call is a no-op (Remix dev hot-reload re-runs
+// the bootstrap; the existing interval keeps ticking).
+export function startMollifierDrainingGauge(opts: {
+  intervalMs?: number;
+  getBuffer?: typeof getMollifierBuffer;
+} = {}): void {
+  if (intervalHandle !== null) return;
+
+  const intervalMs = opts.intervalMs ?? POLL_INTERVAL_MS;
+  const getBuffer = opts.getBuffer ?? getMollifierBuffer;
+
+  // Fire one poll immediately so the gauge populates before the first
+  // scrape rather than reading 0 for a full interval after boot.
+  const tick = async () => {
+    const buffer = getBuffer();
+    if (!buffer) return;
+    try {
+      const count = await buffer.getDrainingCount();
+      reportDrainingCount(count);
+    } catch (err) {
+      // Transient Redis blip — don't tank the loop, just leave the
+      // gauge at its last-known value. A sustained Redis outage will
+      // surface via the drainer's own alerts long before this gauge
+      // staleness becomes a primary signal.
+      logger.warn("Mollifier draining gauge poll failed; keeping previous value", { err });
+    }
+  };
+
+  void tick();
+  // unref so the interval doesn't keep the process alive past
+  // graceful shutdown — the gauge is best-effort, not a flush boundary.
+  intervalHandle = setInterval(() => {
+    void tick();
+  }, intervalMs);
+  intervalHandle.unref?.();
+}
+
+// Test seam. Production code never calls this; lifecycle is implicitly
+// process-end.
+export function stopMollifierDrainingGauge(): void {
+  if (intervalHandle === null) return;
+  clearInterval(intervalHandle);
+  intervalHandle = null;
+}
diff --git a/apps/webapp/app/v3/mollifier/mollifierGate.server.ts b/apps/webapp/app/v3/mollifier/mollifierGate.server.ts
new file mode 100644
index 00000000000..461faa8d3b0
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/mollifierGate.server.ts
@@ -0,0 +1,250 @@
+import { env } from "~/env.server";
+import { logger } from "~/services/logger.server";
+import { FEATURE_FLAG, FeatureFlagCatalog } from "~/v3/featureFlags";
+import { getMollifierBuffer } from "./mollifierBuffer.server";
+import { createRealTripEvaluator } from "./mollifierTripEvaluator.server";
+import {
+  recordDecision,
+  type DecisionOutcome,
+  type DecisionReason,
+  type RecordDecisionOptions,
+} from "./mollifierTelemetry.server";
+
+// `count` is the fleet-wide fixed-window counter for the env (INCR with a
+// PEXPIRE armed on the first tick of each window — see
+// `mollifierEvaluateTrip` in `packages/redis-worker/src/mollifier/buffer.ts`).
+// All webapp replicas pointing at the same Redis share the key
+// `mollifier:rate:${envId}`, so the threshold is the fleet-wide ceiling
+// rather than a per-instance one. At a window boundary an env can briefly
+// admit up to ~2x threshold across the fleet before tripping (fixed-window
+// not sliding-window). The tripped marker is refreshed on every overage
+// call, so a sustained burst holds the divert state until the rate falls
+// below threshold within a window.
+export type TripDecision =
+  | { divert: false }
+  | {
+      divert: true;
+      reason: "per_env_rate";
+      count: number;
+      threshold: number;
+      windowMs: number;
+      holdMs: number;
+    };
+
+export type GateOutcome =
+  | { action: "pass_through" }
+  | { action: "mollify"; decision: Extract<TripDecision, { divert: true }> }
+  | { action: "shadow_log"; decision: Extract<TripDecision, { divert: true }> };
+
+export type GateInputs = {
+  envId: string;
+  orgId: string;
+  taskId: string;
+  // Org-scoped flag overrides — taken from `Organization.featureFlags` on the
+  // AuthenticatedEnvironment at the call site. The repo-wide `flag()` helper
+  // queries the global `FeatureFlag` table; passing per-org overrides lets the
+  // mollifier opt in a single org without touching the global row, matching
+  // the pattern used by `canAccessAi`, `canAccessPrivateConnections`, and the
+  // compute-template beta gate.
+  orgFeatureFlags: Record<string, unknown> | null;
+  // Trigger options that drive the debounce / OTU / triggerAndWait
+  // bypasses. The mollify path can't
+  // serialise stateful callbacks (debounce), can't safely break OTU's
+  // synchronous-rejection contract, and shouldn't intercept single
+  // triggerAndWait (batchTriggerAndWait still funnels through per item).
+  options?: {
+    debounce?: unknown;
+    oneTimeUseToken?: string;
+    parentTaskRunId?: string;
+    resumeParentOnCompletion?: boolean;
+  };
+};
+
+export type TripEvaluator = (inputs: GateInputs) => Promise<TripDecision>;
+
+// DI seam type for consumers (e.g. triggerTask.server.ts) that inject the
+// gate at construction time. Deliberately narrower than `evaluateGate`'s
+// real signature — no `deps` param — because consumers only call it with
+// inputs and rely on the module-level defaults.
+export type MollifierEvaluateGate = (inputs: GateInputs) => Promise<GateOutcome>;
+
+export type GateDependencies = {
+  isMollifierEnabled: () => boolean;
+  isShadowModeOn: () => boolean;
+  resolveOrgFlag: (inputs: GateInputs) => Promise<boolean>;
+  evaluator: TripEvaluator;
+  logShadow: (
+    inputs: GateInputs,
+    decision: Extract<TripDecision, { divert: true }>,
+  ) => void;
+  logMollified: (
+    inputs: GateInputs,
+    decision: Extract<TripDecision, { divert: true }>,
+  ) => void;
+  recordDecision: (outcome: DecisionOutcome, opts: RecordDecisionOptions) => void;
+};
+
+// `options` is a thunk so env reads happen per-evaluation, not at module load.
+// Don't "simplify" to a plain object — dynamic config relies on the
+// gate observing whichever env values are live at trigger time.
+const defaultEvaluator = createRealTripEvaluator({
+  getBuffer: () => getMollifierBuffer(),
+  options: () => ({
+    windowMs: env.TRIGGER_MOLLIFIER_TRIP_WINDOW_MS,
+    threshold: env.TRIGGER_MOLLIFIER_TRIP_THRESHOLD,
+    holdMs: env.TRIGGER_MOLLIFIER_HOLD_MS,
+  }),
+});
+
+function logDivertDecision(
+  message: "mollifier.would_mollify" | "mollifier.mollified",
+  inputs: GateInputs,
+  decision: Extract<TripDecision, { divert: true }>,
+): void {
+  logger.debug(message, {
+    envId: inputs.envId,
+    orgId: inputs.orgId,
+    taskId: inputs.taskId,
+    reason: decision.reason,
+    count: decision.count,
+    threshold: decision.threshold,
+    windowMs: decision.windowMs,
+    holdMs: decision.holdMs,
+  });
+}
+
+// Resolve the per-org mollifier flag purely from the in-memory
+// `Organization.featureFlags` JSON. No DB query — `triggerTask` is the
+// trigger hot path and the webapp CLAUDE.md forbids adding Prisma calls
+// there. The fleet-wide kill switch lives in `TRIGGER_MOLLIFIER_ENABLED`; rollout
+// is per-org via the JSON, matching the pattern used by `canAccessAi`,
+// `hasComputeAccess`, etc. There is no global `FeatureFlag` table read
+// in this path by design.
+export function makeResolveMollifierFlag(): (inputs: GateInputs) => Promise<boolean> {
+  return (inputs) => {
+    const override = inputs.orgFeatureFlags?.[FEATURE_FLAG.mollifierEnabled];
+    if (override !== undefined) {
+      const parsed = FeatureFlagCatalog[FEATURE_FLAG.mollifierEnabled].safeParse(override);
+      if (parsed.success) {
+        return Promise.resolve(parsed.data);
+      }
+    }
+    return Promise.resolve(false);
+  };
+}
+
+const resolveMollifierFlag = makeResolveMollifierFlag();
+
+export const defaultGateDependencies: GateDependencies = {
+  isMollifierEnabled: () => env.TRIGGER_MOLLIFIER_ENABLED === "1",
+  isShadowModeOn: () => env.TRIGGER_MOLLIFIER_SHADOW_MODE === "1",
+  resolveOrgFlag: resolveMollifierFlag,
+  evaluator: defaultEvaluator,
+  logShadow: (inputs, decision) =>
+    logDivertDecision("mollifier.would_mollify", inputs, decision),
+  logMollified: (inputs, decision) =>
+    logDivertDecision("mollifier.mollified", inputs, decision),
+  recordDecision,
+};
+
+export async function evaluateGate(
+  inputs: GateInputs,
+  deps: Partial<GateDependencies> = {},
+): Promise<GateOutcome> {
+  const d = { ...defaultGateDependencies, ...deps };
+
+  // Resolve the per-org flag up front so every decision below — including
+  // the bypasses — can be labelled enrolled vs not on the
+  // `mollifier.decisions` counter. Fail open: a transient error must not
+  // block triggers. The resolver is purely in-memory (reads
+  // `Organization.featureFlags`); it adds no DB round-trip to the hot path.
+  let orgFlagEnabled: boolean;
+  try {
+    orgFlagEnabled = await d.resolveOrgFlag(inputs);
+  } catch (error) {
+    logger.warn("mollifier.resolve_org_flag_failed", {
+      envId: inputs.envId,
+      orgId: inputs.orgId,
+      taskId: inputs.taskId,
+      error: error instanceof Error ? error.message : String(error),
+    });
+    orgFlagEnabled = false;
+  }
+  // Passed to every `recordDecision`. `org` only becomes a label for the
+  // (operationally capped) enrolled cohort — the guard is in
+  // `decisionLabels`, so passing orgId unconditionally here is safe.
+  const labels: RecordDecisionOptions = { enrolled: orgFlagEnabled, orgId: inputs.orgId };
+
+  // Debounce bypass. onDebounced is a closure over webapp state and
+  // can't be snapshotted into the buffer for drainer replay. Skip before the
+  // trip evaluator so debounce traffic is never counted against the rate.
+  if (inputs.options?.debounce) {
+    d.recordDecision("pass_through", labels);
+    return { action: "pass_through" };
+  }
+  // OneTimeUseToken bypass. OTU is a security feature on the PUBLIC_JWT
+  // auth path; its synchronous-rejection contract is materially worse to
+  // break than the idempotency-key contract.
+  if (inputs.options?.oneTimeUseToken) {
+    d.recordDecision("pass_through", labels);
+    return { action: "pass_through" };
+  }
+  // Single triggerAndWait bypass. batchTriggerAndWait still funnels
+  // through TriggerTaskService.call per item so the dominant burst pattern
+  // remains covered.
+  if (inputs.options?.parentTaskRunId && inputs.options?.resumeParentOnCompletion) {
+    d.recordDecision("pass_through", labels);
+    return { action: "pass_through" };
+  }
+
+  if (!d.isMollifierEnabled()) {
+    d.recordDecision("pass_through", labels);
+    return { action: "pass_through" };
+  }
+
+  const shadowOn = d.isShadowModeOn();
+
+  if (!orgFlagEnabled && !shadowOn) {
+    d.recordDecision("pass_through", labels);
+    return { action: "pass_through" };
+  }
+
+  // Fail open on evaluator errors too. The default `createRealTripEvaluator`
+  // catches its own errors and returns `{ divert: false }`, but injected or
+  // future evaluators may not — keep the contract symmetric with the org
+  // flag resolution above so the trigger hot path can never be broken by a
+  // gate-internal failure.
+  //
+  // Note: the evaluator INCRs the per-env Redis counter (`mollifier:rate:${envId}`)
+  // in *both* shadow-only and flag-on modes — shadow mode is observation-only at
+  // the user-visible level (no diversion), but not Redis-passive. It has to write
+  // because the threshold is computed from a counter, and a counter that doesn't
+  // increment isn't a counter. There's no cross-org bleed: `RuntimeEnvironment`
+  // is 1:1 with `Organization`, so the per-env counter is effectively per-org.
+  let decision: TripDecision;
+  try {
+    decision = await d.evaluator(inputs);
+  } catch (error) {
+    logger.warn("mollifier.evaluator_failed", {
+      envId: inputs.envId,
+      orgId: inputs.orgId,
+      taskId: inputs.taskId,
+      error: error instanceof Error ? error.message : String(error),
+    });
+    decision = { divert: false };
+  }
+  if (!decision.divert) {
+    d.recordDecision("pass_through", labels);
+    return { action: "pass_through" };
+  }
+
+  if (orgFlagEnabled) {
+    d.logMollified(inputs, decision);
+    d.recordDecision("mollify", { ...labels, reason: decision.reason });
+    return { action: "mollify", decision };
+  }
+
+  d.logShadow(inputs, decision);
+  d.recordDecision("shadow_log", { ...labels, reason: decision.reason });
+  return { action: "shadow_log", decision };
+}
diff --git a/apps/webapp/app/v3/mollifier/mollifierMollify.server.ts b/apps/webapp/app/v3/mollifier/mollifierMollify.server.ts
new file mode 100644
index 00000000000..a8b0b151115
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/mollifierMollify.server.ts
@@ -0,0 +1,98 @@
+import { RunId } from "@trigger.dev/core/v3/isomorphic";
+import type { MollifierBuffer } from "@trigger.dev/redis-worker";
+import { serialiseMollifierSnapshot, type MollifierSnapshot } from "./mollifierSnapshot.server";
+import type { TripDecision } from "./mollifierGate.server";
+
+export type MollifyNotice = {
+  code: "mollifier.queued";
+  message: string;
+  docs: string;
+};
+
+export type MollifySyntheticResult = {
+  // `id` is the canonical TaskRun primary key derived from `friendlyId`
+  // via `RunId.fromFriendlyId`. Downstream consumers in the trigger
+  // route — notably `saveRequestIdempotency` — index the request-
+  // idempotency cache by this id; without it the cache stores
+  // `undefined` and Prisma's `findFirst({ where: { id: undefined } })`
+  // on retry strips the predicate and returns an arbitrary TaskRun
+  // (potential cross-tenant leak). Always populated.
+  //
+  // `spanId` is the root-span id allocated at gate-accept time and
+  // stored in the snapshot. Callers like the dashboard's Test action
+  // use it to build a `v3RunSpanPath` URL that auto-opens the right
+  // details panel — without it, the buffered run lands on the
+  // run-detail page with no span selected (parity gap with PG runs).
+  run: { id: string; friendlyId: string; spanId: string };
+  error: undefined;
+  // The race-loser path: if accept's SETNX hit an existing
+  // buffered run with the same (env, task, idempotencyKey), the
+  // response echoes the winner's runId with isCached=true. The
+  // mollifier-queued notice is only attached for the happy accept.
+  isCached: boolean;
+  notice?: MollifyNotice;
+};
+
+const NOTICE: MollifyNotice = {
+  code: "mollifier.queued",
+  message:
+    "Trigger accepted into burst buffer. Consider batchTrigger for fan-outs of 100+.",
+  docs: "https://trigger.dev/docs/management/tasks/batch-trigger",
+};
+
+export async function mollifyTrigger(args: {
+  runFriendlyId: string;
+  environmentId: string;
+  organizationId: string;
+  engineTriggerInput: MollifierSnapshot;
+  decision: Extract<TripDecision, { divert: true }>;
+  buffer: MollifierBuffer;
+  // Optional idempotency context. When both are passed, accept SETNXes
+  // the lookup so the buffered window participates in trigger-time
+  // dedup symmetrically with PG.
+  idempotencyKey?: string;
+  taskIdentifier?: string;
+}): Promise<MollifySyntheticResult> {
+  const result = await args.buffer.accept({
+    runId: args.runFriendlyId,
+    envId: args.environmentId,
+    orgId: args.organizationId,
+    payload: serialiseMollifierSnapshot(args.engineTriggerInput),
+    idempotencyKey: args.idempotencyKey,
+    taskIdentifier: args.taskIdentifier,
+  });
+
+  if (result.kind === "duplicate_idempotency") {
+    // Race loser. Echo the winner's runId so the SDK's response shape
+    // matches PG-side idempotency cache hits. The winner's spanId isn't
+    // readily available without a second buffer fetch; an empty string
+    // causes `v3RunSpanPath` to omit the `?span=` param, which matches
+    // current behaviour for cached PG responses.
+    return {
+      run: {
+        id: RunId.fromFriendlyId(result.existingRunId),
+        friendlyId: result.existingRunId,
+        spanId: "",
+      },
+      error: undefined,
+      isCached: true,
+    };
+  }
+
+  // Both "accepted" and "duplicate_run_id" produce the same customer-
+  // visible response: a buffered-trigger acknowledgement. The duplicate
+  // runId case is unreachable in practice (runIds are server-generated
+  // and unique) but is silently idempotent at the buffer layer either way.
+  const rawSpanId = args.engineTriggerInput.spanId;
+  const spanId = typeof rawSpanId === "string" ? rawSpanId : "";
+  return {
+    run: {
+      id: RunId.fromFriendlyId(args.runFriendlyId),
+      friendlyId: args.runFriendlyId,
+      spanId,
+    },
+    error: undefined,
+    isCached: false,
+    notice: NOTICE,
+  };
+}
diff --git a/apps/webapp/app/v3/mollifier/mollifierSnapshot.server.ts b/apps/webapp/app/v3/mollifier/mollifierSnapshot.server.ts
new file mode 100644
index 00000000000..a0732a3542e
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/mollifierSnapshot.server.ts
@@ -0,0 +1,16 @@
+import { serialiseSnapshot, deserialiseSnapshot } from "@trigger.dev/redis-worker";
+
+// MollifierSnapshot is the JSON-serialisable shape of the input that would be
+// passed to engine.trigger(). The drainer deserialises and replays it.
+// Kept as Record<string, unknown> at this layer — the engine.trigger call site
+// casts it to the engine's typed input. This keeps the mollifier subdirectory
+// from depending on @internal/run-engine internals.
+export type MollifierSnapshot = Record<string, unknown>;
+
+export function serialiseMollifierSnapshot(input: MollifierSnapshot): string {
+  return serialiseSnapshot(input);
+}
+
+export function deserialiseMollifierSnapshot(serialised: string): MollifierSnapshot {
+  return deserialiseSnapshot<MollifierSnapshot>(serialised);
+}
diff --git a/apps/webapp/app/v3/mollifier/mollifierStaleSweep.server.ts b/apps/webapp/app/v3/mollifier/mollifierStaleSweep.server.ts
new file mode 100644
index 00000000000..d135824032c
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/mollifierStaleSweep.server.ts
@@ -0,0 +1,256 @@
+import type { MollifierBuffer } from "@trigger.dev/redis-worker";
+import { logger as defaultLogger } from "~/services/logger.server";
+import { getMollifierBuffer } from "./mollifierBuffer.server";
+import { MollifierStaleSweepState, type StaleSweepStateStore } from "./mollifierStaleSweepState.server";
+import {
+  recordStaleEntry as defaultRecordStaleEntry,
+  reportStaleEntrySnapshot as defaultReportStaleEntrySnapshot,
+} from "./mollifierTelemetry.server";
+
+// One pass of the sweep scans a bounded slice of orgs from the buffer's
+// queue LIST, identified by a durable cursor in Redis. Per-env entry
+// scan is also bounded so a single pathological env can't extend the
+// pass.
+const DEFAULT_MAX_ENTRIES_PER_ENV = 1000;
+// Max orgs visited per tick. Together with `maxEntriesPerEnv` this
+// caps Redis traffic per pass. One "cycle" (visiting every org once)
+// takes `ceil(N_orgs / cap)` ticks, after which the cursor wraps and a
+// fresh org list is taken.
+const DEFAULT_MAX_ORGS_PER_PASS = 100;
+
+export type StaleSweepConfig = {
+  // Entries whose dwell exceeds this threshold are flagged stale. Set
+  // it well below `entryTtlSeconds * 1000` so ops have lead time before
+  // TTL-induced silent loss; the default (half of entryTtlSeconds)
+  // matches the cadence in the plan doc.
+  staleThresholdMs: number;
+  maxEntriesPerEnv?: number;
+  // Hard cap on orgs visited per tick. Bounds the per-pass Redis traffic
+  // and wall-time. Default 100 — at typical fleet sizes one or two
+  // ticks cover everyone; under incident-scale fan-out a full cycle
+  // takes a handful of ticks (~minutes) which is still well below the
+  // staleness signal latency that ops cares about.
+  maxOrgsPerPass?: number;
+};
+
+export type StaleSweepDeps = {
+  getBuffer?: () => MollifierBuffer | null;
+  // Durable cursor + per-env counts hash. Required: the sweep is
+  // useless without persistent state across ticks. The webapp wires up
+  // a real `MollifierStaleSweepState`; tests pass one constructed
+  // against the test container.
+  state: StaleSweepStateStore;
+  // No `envId` arg — `envId` is a high-cardinality metric attribute and
+  // is intentionally not emitted as a metric label. The structured warn
+  // log below carries envId for forensic drill-down.
+  recordStaleEntry?: () => void;
+  reportStaleEntrySnapshot?: (snapshot: Map<string, number>) => void;
+  logger?: { warn: (message: string, fields: Record<string, unknown>) => void };
+  now?: () => number;
+};
+
+export type StaleSweepResult = {
+  orgsScanned: number;
+  envsScanned: number;
+  entriesScanned: number;
+  staleCount: number;
+};
+
+// Walks a bounded slice of `orgs → envs → entries`, emitting an OTel
+// counter tick and a structured warning log for each buffer entry whose
+// dwell exceeds the stale threshold. Read-only on the buffer's own
+// state; writes only to the sweep's three dedicated keys
+// (`mollifier:stale_sweep:*`). The sweep does NOT remove or salvage
+// buffer entries; that decision is deferred to a separate retention-
+// policy change. The signal here exists so ops sees the drainer falling
+// behind well before TTL-induced loss kicks in.
+//
+// Sharding contract:
+// - Cursor starts at 0. On cursor=0 the org list is refreshed by
+//   snapshotting `buffer.listOrgs()` into the durable LIST — that is
+//   the cycle's frozen view of orgs to visit.
+// - Each tick consumes up to `maxOrgsPerPass` orgs from the LIST,
+//   advances the cursor, and persists.
+// - When the cursor reaches the end of the LIST it wraps to 0; the next
+//   tick rebuilds the org list, capturing any orgs that joined the
+//   buffer mid-cycle.
+// - The per-env counts HASH carries over across ticks: an env visited
+//   on tick N and not revisited until tick N+M keeps its last-known
+//   stale count in the gauge for that window. This is the price of
+//   sharding — accepted because the alternative (re-scan everything
+//   every tick) does not bound work.
+export async function runStaleSweepOnce(
+  config: StaleSweepConfig,
+  deps: StaleSweepDeps,
+): Promise<StaleSweepResult> {
+  const getBuffer = deps.getBuffer ?? getMollifierBuffer;
+  const recordStale = deps.recordStaleEntry ?? defaultRecordStaleEntry;
+  const reportSnapshot =
+    deps.reportStaleEntrySnapshot ?? defaultReportStaleEntrySnapshot;
+  const log = deps.logger ?? defaultLogger;
+  const now = (deps.now ?? Date.now)();
+  const maxEntries = config.maxEntriesPerEnv ?? DEFAULT_MAX_ENTRIES_PER_ENV;
+  const maxOrgsPerPass = config.maxOrgsPerPass ?? DEFAULT_MAX_ORGS_PER_PASS;
+
+  const buffer = getBuffer();
+  if (!buffer) {
+    // Replace any previous snapshot with empty so a previously-paging
+    // env doesn't stay latched if mollifier is turned off mid-flight.
+    // Also clear the durable state so a re-enable starts from a clean
+    // slate instead of resuming on a stale cursor.
+    await deps.state.clearAll();
+    reportSnapshot(new Map());
+    return { orgsScanned: 0, envsScanned: 0, entriesScanned: 0, staleCount: 0 };
+  }
+
+  let cursor = await deps.state.readCursor();
+  if (cursor === 0) {
+    // Fresh cycle — capture the current set of orgs into the frozen
+    // LIST. Any orgs that join after this snapshot wait until the next
+    // cycle to be visited. Acceptable for an observational sweep; the
+    // staleness signal would only fire on entries that have been
+    // dwelling for `staleThresholdMs` anyway, so they're not new.
+    const orgs = await buffer.listOrgs();
+    await deps.state.rebuildOrgList(orgs);
+  }
+
+  const { orgs: slice, total } = await deps.state.readOrgListSlice(
+    cursor,
+    maxOrgsPerPass,
+  );
+
+  let envsScanned = 0;
+  let entriesScanned = 0;
+  let staleCount = 0;
+
+  for (const orgId of slice) {
+    const envs = await buffer.listEnvsForOrg(orgId);
+    for (const envId of envs) {
+      envsScanned += 1;
+      let envStale = 0;
+      const entries = await buffer.listEntriesForEnv(envId, maxEntries);
+      for (const entry of entries) {
+        entriesScanned += 1;
+        const dwellMs = now - entry.createdAt.getTime();
+        if (dwellMs > config.staleThresholdMs) {
+          recordStale();
+          log.warn("mollifier.stale_entry", {
+            runId: entry.runId,
+            envId,
+            orgId,
+            dwellMs,
+            staleThresholdMs: config.staleThresholdMs,
+          });
+          envStale += 1;
+        }
+      }
+      // Persist the per-env count to the durable hash. HSET when stale
+      // > 0, HDEL when it dropped back to zero — the hash is the source
+      // of truth for the gauge snapshot below.
+      await deps.state.setEnvStaleCount(envId, envStale);
+      // Track that this env was visited during the current cycle. The
+      // reconcile step at cycle wrap uses this to HDEL counts hash
+      // entries for envs that fully drained mid-cycle (they disappear
+      // from listEnvsForOrg, so the inner loop above never reaches them
+      // and never HDELs their hash field — without reconcile the gauge
+      // would stay elevated forever).
+      await deps.state.markEnvVisited(envId);
+      staleCount += envStale;
+    }
+  }
+
+  // Advance the cursor. If the slice consumed the end of the LIST, wrap
+  // to 0 so the next tick rebuilds the org list and starts a new cycle.
+  const advanced = cursor + slice.length;
+  const wrapped = advanced >= total;
+  const newCursor = wrapped ? 0 : advanced;
+  await deps.state.writeCursor(newCursor);
+
+  if (wrapped) {
+    // Cycle ended. HDEL any env still in the counts hash that didn't
+    // appear in any tick of the just-completed cycle — these are envs
+    // that fully drained from the buffer mid-cycle and would otherwise
+    // hold their stale gauge value forever. Also DELs the visited set
+    // so the next cycle starts clean.
+    await deps.state.reconcileVisited();
+  }
+
+  // Emit the snapshot from the durable hash, which carries values for
+  // envs visited in earlier ticks too. This is what makes the gauge
+  // stable across ticks (and across webapp restarts).
+  const snapshot = await deps.state.readAllEnvStaleCounts();
+  reportSnapshot(snapshot);
+
+  return { orgsScanned: slice.length, envsScanned, entriesScanned, staleCount };
+}
+
+export type StaleSweepIntervalHandle = {
+  stop: () => Promise<void>;
+};
+
+// Production wrapper: schedule `runStaleSweepOnce` on a fixed interval.
+// One pass at a time — if a sweep is still running when the timer fires
+// the next tick is skipped (a backed-up Redis would otherwise queue
+// overlapping sweeps that all log the same stale entries).
+export function startStaleSweepInterval(
+  config: StaleSweepConfig & { intervalMs: number },
+  deps: StaleSweepDeps,
+): StaleSweepIntervalHandle {
+  let stopped = false;
+  let inFlight = false;
+  // Tracks the current tick so `stop()` can await it before closing the
+  // state's Redis client. Without this, a tick that's already past the
+  // `stopped` guard at entry would continue making `state.*` calls
+  // against an ioredis client that `stop()` has already `quit()`ed,
+  // raising errors that the tick's own try/catch then logs as
+  // `mollifier.stale_sweep.failed` warnings — spurious noise on every
+  // graceful shutdown.
+  let currentTick: Promise<void> | null = null;
+
+  const tick = async () => {
+    if (stopped || inFlight) return;
+    inFlight = true;
+    const run = (async () => {
+      try {
+        await runStaleSweepOnce(config, deps);
+      } catch (err) {
+        const log = deps.logger ?? defaultLogger;
+        log.warn("mollifier.stale_sweep.failed", {
+          err: err instanceof Error ? err.message : String(err),
+        });
+      } finally {
+        inFlight = false;
+        currentTick = null;
+      }
+    })();
+    currentTick = run;
+    await run;
+  };
+
+  const timer = setInterval(() => {
+    void tick();
+  }, config.intervalMs);
+
+  return {
+    stop: async () => {
+      stopped = true;
+      clearInterval(timer);
+      // Drain any tick that started before `stopped` flipped. Its
+      // `state.*` calls must land before we close the Redis client.
+      if (currentTick) {
+        try {
+          await currentTick;
+        } catch {
+          // tick has its own catch — this await is just to ensure
+          // ordering, not to surface errors that have already been
+          // logged inside the tick.
+        }
+      }
+      // Close the state's underlying resource. The `close()` method is
+      // part of the `StaleSweepStateStore` contract — production's
+      // `MollifierStaleSweepState` shuts down its ioredis client; fake
+      // test states implement a no-op.
+      await deps.state.close();
+    },
+  };
+}
diff --git a/apps/webapp/app/v3/mollifier/mollifierStaleSweepState.server.ts b/apps/webapp/app/v3/mollifier/mollifierStaleSweepState.server.ts
new file mode 100644
index 00000000000..a6f3ff3e4a9
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/mollifierStaleSweepState.server.ts
@@ -0,0 +1,192 @@
+import { createRedisClient, type Redis, type RedisOptions } from "@internal/redis";
+import { Logger } from "@trigger.dev/core/logger";
+
+// Durable per-tick state for the sharded stale sweep. Four Redis keys,
+// all in the `mollifier:` namespace alongside the buffer's own state:
+//
+//   mollifier:stale_sweep:cursor    STRING  next position in org_list (0 = fresh cycle)
+//   mollifier:stale_sweep:org_list  LIST    org IDs frozen at the start of the cycle
+//   mollifier:stale_sweep:counts    HASH    envId -> last-known stale count
+//   mollifier:stale_sweep:visited   SET     envIds visited during the current cycle
+//
+// The state survives webapp restarts: a restarted process picks up the
+// cursor where the previous one left off and re-emits the last-known
+// gauge values immediately, rather than blinking to zero until the next
+// cycle visits each env.
+//
+// The `visited` set exists to GC the `counts` hash at cycle wrap: an env
+// that drains completely between sweep ticks disappears from
+// `buffer.listEnvsForOrg`, so the sweep's inner loop never revisits it
+// and never HDELs its counts entry. Without the visited-set GC the
+// counts hash retains the env's last-known stale count forever and the
+// gauge stays permanently elevated. At cursor wrap we diff the hash
+// against the cycle's visited set and HDEL the difference.
+//
+// Storage is owned by this class rather than added to MollifierBuffer
+// because the keys are sweep-internal — the buffer abstracts the
+// drainer/queue state, this abstracts sweep state. They share a
+// namespace prefix but no API surface.
+
+export interface StaleSweepStateStore {
+  readCursor(): Promise<number>;
+  writeCursor(value: number): Promise<void>;
+  /** Replaces the cycle's frozen org_list. Called at cursor=0. */
+  rebuildOrgList(orgs: string[]): Promise<void>;
+  /** Returns up to `count` org IDs starting at `start`, plus the LIST's total length. */
+  readOrgListSlice(start: number, count: number): Promise<{ orgs: string[]; total: number }>;
+  /** HSET when count > 0, HDEL when count === 0 (so the snapshot reflects current truth). */
+  setEnvStaleCount(envId: string, count: number): Promise<void>;
+  readAllEnvStaleCounts(): Promise<Map<string, number>>;
+  /** SADD `envId` to the current cycle's visited set. Called once per env scanned per tick. */
+  markEnvVisited(envId: string): Promise<void>;
+  /**
+   * HDEL every env in the counts hash that is NOT in the visited set, then
+   * DEL the visited set. Called when the cursor wraps (cycle ends) so
+   * envs that fully drained mid-cycle get cleaned out of the gauge.
+   */
+  reconcileVisited(): Promise<void>;
+  clearAll(): Promise<void>;
+  close(): Promise<void>;
+}
+
+const CURSOR_KEY = "mollifier:stale_sweep:cursor";
+const ORG_LIST_KEY = "mollifier:stale_sweep:org_list";
+const COUNTS_KEY = "mollifier:stale_sweep:counts";
+const VISITED_KEY = "mollifier:stale_sweep:visited";
+
+export class MollifierStaleSweepState implements StaleSweepStateStore {
+  private readonly redis: Redis;
+  private readonly logger: Logger;
+
+  constructor(options: {
+    redisOptions: RedisOptions;
+    logger?: Logger;
+    maxRetriesPerRequest?: number;
+  }) {
+    this.logger = options.logger ?? new Logger("MollifierStaleSweepState", "debug");
+    this.redis = createRedisClient(
+      { ...options.redisOptions, maxRetriesPerRequest: options.maxRetriesPerRequest ?? 20 },
+      {
+        onError: (error) => {
+          this.logger.error("MollifierStaleSweepState redis client error:", { error });
+        },
+      },
+    );
+  }
+
+  async readCursor(): Promise<number> {
+    const raw = await this.redis.get(CURSOR_KEY);
+    if (raw === null) return 0;
+    const n = Number.parseInt(raw, 10);
+    return Number.isFinite(n) && n >= 0 ? n : 0;
+  }
+
+  async writeCursor(value: number): Promise<void> {
+    await this.redis.set(CURSOR_KEY, String(value));
+  }
+
+  async rebuildOrgList(orgs: string[]): Promise<void> {
+    // DEL + RPUSH in a pipeline — close enough to atomic for an
+    // observational sweep (the inFlight guard at startStaleSweepInterval
+    // serialises sweep passes; nothing else writes these keys).
+    const pipeline = this.redis.pipeline();
+    pipeline.del(ORG_LIST_KEY);
+    if (orgs.length > 0) {
+      pipeline.rpush(ORG_LIST_KEY, ...orgs);
+    }
+    await pipeline.exec();
+  }
+
+  async readOrgListSlice(
+    start: number,
+    count: number,
+  ): Promise<{ orgs: string[]; total: number }> {
+    const pipeline = this.redis.pipeline();
+    pipeline.lrange(ORG_LIST_KEY, start, start + count - 1);
+    pipeline.llen(ORG_LIST_KEY);
+    const results = await pipeline.exec();
+    // `pipeline.exec()` returning null is the abort-on-broken-pipe path.
+    // Surface it as a thrown error — the previous `return { orgs: [], total: 0 }`
+    // looked indistinguishable from a genuinely empty org list to the
+    // caller (`runStaleSweepOnce`), which then wrote cursor=0, reconciled
+    // visited envs against the empty result, and cleared the stale-entry
+    // gauge. That hid real Redis problems and silenced the alerts the
+    // sweep exists to raise.
+    if (!results) {
+      throw new Error("MollifierStaleSweepState.readOrgListSlice: pipeline.exec returned null");
+    }
+    const [lrangeErr, lrangeRes] = results[0] as [Error | null, string[] | null];
+    const [llenErr, llenRes] = results[1] as [Error | null, number | null];
+    if (lrangeErr || llenErr) {
+      this.logger.error("MollifierStaleSweepState.readOrgListSlice failed", {
+        lrangeErr: lrangeErr?.message,
+        llenErr: llenErr?.message,
+      });
+      // Same reasoning as the null-result path above — propagate the
+      // failure so the sweep's interval wrapper records a failed cycle
+      // and the durable cursor / counts hash stay untouched.
+      throw lrangeErr ?? llenErr ?? new Error("MollifierStaleSweepState.readOrgListSlice failed");
+    }
+    return { orgs: lrangeRes ?? [], total: llenRes ?? 0 };
+  }
+
+  async setEnvStaleCount(envId: string, count: number): Promise<void> {
+    if (count > 0) {
+      await this.redis.hset(COUNTS_KEY, envId, String(count));
+    } else {
+      await this.redis.hdel(COUNTS_KEY, envId);
+    }
+  }
+
+  async readAllEnvStaleCounts(): Promise<Map<string, number>> {
+    const raw = await this.redis.hgetall(COUNTS_KEY);
+    const out = new Map<string, number>();
+    for (const [envId, value] of Object.entries(raw)) {
+      const n = Number.parseInt(value, 10);
+      if (Number.isFinite(n)) out.set(envId, n);
+    }
+    return out;
+  }
+
+  async markEnvVisited(envId: string): Promise<void> {
+    await this.redis.sadd(VISITED_KEY, envId);
+  }
+
+  async reconcileVisited(): Promise<void> {
+    // HKEYS + SMEMBERS in a pipeline, then HDEL the difference locally.
+    // For typical fleet sizes (counts and visited both bounded by the
+    // count of buffered envs) this is well within a single RTT plus one
+    // small HDEL.
+    const pipeline = this.redis.pipeline();
+    pipeline.hkeys(COUNTS_KEY);
+    pipeline.smembers(VISITED_KEY);
+    const results = await pipeline.exec();
+    if (!results) return;
+    const [hkeysErr, hkeysRes] = results[0] as [Error | null, string[] | null];
+    const [smembersErr, smembersRes] = results[1] as [Error | null, string[] | null];
+    if (hkeysErr || smembersErr) {
+      this.logger.error("MollifierStaleSweepState.reconcileVisited failed", {
+        hkeysErr: hkeysErr?.message,
+        smembersErr: smembersErr?.message,
+      });
+      return;
+    }
+    const hashEnvs = hkeysRes ?? [];
+    const visited = new Set(smembersRes ?? []);
+    const orphans = hashEnvs.filter((envId) => !visited.has(envId));
+    const cleanup = this.redis.pipeline();
+    if (orphans.length > 0) {
+      cleanup.hdel(COUNTS_KEY, ...orphans);
+    }
+    cleanup.del(VISITED_KEY);
+    await cleanup.exec();
+  }
+
+  async clearAll(): Promise<void> {
+    await this.redis.del(CURSOR_KEY, ORG_LIST_KEY, COUNTS_KEY, VISITED_KEY);
+  }
+
+  async close(): Promise<void> {
+    await this.redis.quit();
+  }
+}
diff --git a/apps/webapp/app/v3/mollifier/mollifierTelemetry.server.ts b/apps/webapp/app/v3/mollifier/mollifierTelemetry.server.ts
new file mode 100644
index 00000000000..4bd2c45eb54
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/mollifierTelemetry.server.ts
@@ -0,0 +1,162 @@
+import { getMeter } from "@internal/tracing";
+
+const meter = getMeter("mollifier");
+
+export const mollifierDecisionsCounter = meter.createCounter("mollifier.decisions", {
+  description: "Count of mollifier gate decisions by outcome",
+});
+
+export type DecisionOutcome = "pass_through" | "shadow_log" | "mollify";
+export type DecisionReason = "per_env_rate";
+
+export type RecordDecisionOptions = {
+  reason?: DecisionReason;
+  // Whether the org has the per-org mollifier flag enabled. Emitted as the
+  // bounded `enrolled` label so we can see how often enrolled orgs pass
+  // through instead of mollifying — the whole point of this instrumentation.
+  enrolled: boolean;
+  // Org id, attached as the `org` label ONLY when `enrolled` is true. The
+  // enrolled cohort is capped operationally (<= 10 orgs), so this stays
+  // low-cardinality. It must NEVER be attached for non-enrolled orgs — that
+  // would fan the metric out across every org id in production (unbounded;
+  // the same high-cardinality ban that keeps envId/orgId off the other
+  // mollifier metrics). The guard lives in `decisionLabels`, so callers can
+  // pass orgId unconditionally.
+  orgId?: string;
+};
+
+// Pure: builds the metric label set for a gate decision. Extracted from
+// `recordDecision` so the org-only-when-enrolled cardinality guard is
+// unit-testable without standing up an OTel meter.
+export function decisionLabels(
+  outcome: DecisionOutcome,
+  opts: RecordDecisionOptions,
+): Record<string, string> {
+  return {
+    outcome,
+    enrolled: opts.enrolled ? "true" : "false",
+    ...(opts.reason ? { reason: opts.reason } : {}),
+    ...(opts.enrolled && opts.orgId ? { org: opts.orgId } : {}),
+  };
+}
+
+export function recordDecision(outcome: DecisionOutcome, opts: RecordDecisionOptions): void {
+  mollifierDecisionsCounter.add(1, decisionLabels(outcome, opts));
+}
+
+// Counts subscriptions hitting `/realtime/v1/runs/<id>` for a run that
+// lives only in the mollifier buffer (no PG row yet). The route opens
+// the Electric stream anyway so the eventual drainer-INSERT propagates
+// to the client; this counter is the signal of how often customers
+// subscribe inside the buffered window.
+export const realtimeBufferedSubscriptionsCounter = meter.createCounter(
+  "mollifier.realtime_subscriptions.buffered",
+  {
+    description:
+      "Realtime subscriptions opened against a runId that exists only in the mollifier buffer",
+  },
+);
+
+// No `envId` attribute — `envId` is a banned high-cardinality metric
+// label per the repo's OTel rules. The structured warn log emitted
+// alongside the counter tick (in `mollifierStaleSweep.server.ts`)
+// carries the envId / orgId / runId for forensic drill-down; the
+// metric stays an aggregate.
+export function recordRealtimeBufferedSubscription(): void {
+  realtimeBufferedSubscriptionsCounter.add(1);
+}
+
+// Counts buffer entries that have been waiting in the queue ZSET longer
+// than the configured stale threshold. Useful for historical "stale
+// events over time" views, but not directly alertable on its own — a
+// single stuck entry observed by N sweep ticks adds N to the counter,
+// so `rate()` over an alerting window reflects (entries × ticks), not
+// "entries that are stale right now".
+export const staleEntriesCounter = meter.createCounter(
+  "mollifier.stale_entries",
+  {
+    description:
+      "Mollifier buffer entries whose dwell exceeds the stale threshold (per sweep pass)",
+  },
+);
+
+// No `envId` attribute — see comment above.
+export function recordStaleEntry(): void {
+  staleEntriesCounter.add(1);
+}
+
+// Alertable signal: the total count of stale entries observed by the
+// latest sweep. The sweep snapshots the full picture on each pass so
+// the gauge drops back to 0 when the drainer catches up instead of
+// staying latched. Recommended alert:
+//   mollifier_stale_entries_current > 0 for 5m
+export const staleEntriesGauge = meter.createObservableGauge(
+  "mollifier.stale_entries.current",
+  {
+    description:
+      "Buffer entries whose dwell exceeds the stale threshold, as observed by the latest sweep pass",
+  },
+);
+
+let latestStaleTotal = 0;
+
+export function reportStaleEntrySnapshot(snapshot: Map<string, number>): void {
+  // Sum across envs. Per-env breakdown is intentionally NOT emitted as
+  // a metric label (high-cardinality); the structured warn log lines
+  // from the sweep carry per-env detail for ops to drill down.
+  let total = 0;
+  for (const count of snapshot.values()) {
+    total += count;
+  }
+  latestStaleTotal = total;
+}
+
+meter.addBatchObservableCallback(
+  (result) => {
+    result.observe(staleEntriesGauge, latestStaleTotal);
+  },
+  [staleEntriesGauge],
+);
+
+// Observability gauge for entries currently in DRAINING state — popped
+// by the drainer but not yet acked/failed/requeued. Backed by the
+// `mollifier:draining` ZSET (see `MollifierBuffer.getDrainingCount`)
+// and polled by the loop in `mollifierDrainingGaugeLoop.server.ts`.
+//
+// Useful for:
+//   - "Is anything mid-drain right now?" panels
+//   - Post-crash forensics ("how many entries got stranded by that ECS OOM?")
+//   - Alerting: a sustained non-zero with no drainer progress is a stall
+//
+// No `envId` attribute — same high-cardinality constraint as the other
+// mollifier gauges. The per-entry hash carries env/org for drill-down.
+export const drainingCountGauge = meter.createObservableGauge(
+  "mollifier.draining.current",
+  {
+    description:
+      "Mollifier buffer entries currently in DRAINING state (popped but not yet acked/failed/requeued)",
+  },
+);
+
+let latestDrainingCount = 0;
+
+export function reportDrainingCount(count: number): void {
+  latestDrainingCount = count;
+}
+
+meter.addBatchObservableCallback(
+  (result) => {
+    result.observe(drainingCountGauge, latestDrainingCount);
+  },
+  [drainingCountGauge],
+);
+
+// Electric SQL's shape-stream protocol adds a `handle=` query param on
+// every reconnect after the initial GET. Gating the realtime-buffered
+// log/counter on its absence keeps the signal at one tick per
+// subscription instead of one tick per ~20s live-poll iteration —
+// without it the counter would over-count by the long-poll factor.
+export function isInitialBufferedSubscriptionRequest(url: string | URL): boolean {
+  const u = typeof url === "string" ? new URL(url) : url;
+  return !u.searchParams.has("handle");
+}
diff --git a/apps/webapp/app/v3/mollifier/mollifierTripEvaluator.server.ts b/apps/webapp/app/v3/mollifier/mollifierTripEvaluator.server.ts
new file mode 100644
index 00000000000..9032467d200
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/mollifierTripEvaluator.server.ts
@@ -0,0 +1,47 @@
+import type { MollifierBuffer } from "@trigger.dev/redis-worker";
+import { logger } from "~/services/logger.server";
+import type { GateInputs, TripDecision, TripEvaluator } from "./mollifierGate.server";
+
+export type TripEvaluatorOptions = {
+  windowMs: number;
+  threshold: number;
+  holdMs: number;
+};
+
+export type CreateRealTripEvaluatorDeps = {
+  getBuffer: () => MollifierBuffer | null;
+  options: () => TripEvaluatorOptions;
+};
+
+export function createRealTripEvaluator(deps: CreateRealTripEvaluatorDeps): TripEvaluator {
+  return async (inputs: GateInputs): Promise<TripDecision> => {
+    const buffer = deps.getBuffer();
+    if (!buffer) return { divert: false };
+
+    const opts = deps.options();
+
+    try {
+      const { tripped, count } = await buffer.evaluateTrip(inputs.envId, opts);
+      if (!tripped) return { divert: false };
+
+      return {
+        divert: true,
+        reason: "per_env_rate",
+        count,
+        threshold: opts.threshold,
+        windowMs: opts.windowMs,
+        holdMs: opts.holdMs,
+      };
+    } catch (err) {
+      // Deliberate: no error counter here. Shadow mode means a silent miss is
+      // harmless — fail-open is the safe direction. The error log + Sentry
+      // capture is sufficient operability while this runs in shadow mode. Revisit
+      // once buffer writes are the primary path and a missed evaluation has cost.
+      logger.error("mollifier trip evaluator: fail-open on error", {
+        envId: inputs.envId,
+        err: err instanceof Error ? err.message : String(err),
+      });
+      return { divert: false };
+    }
+  };
+}
diff --git a/apps/webapp/app/v3/mollifier/mutateWithFallback.server.ts b/apps/webapp/app/v3/mollifier/mutateWithFallback.server.ts
new file mode 100644
index 00000000000..e6deff5dbee
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/mutateWithFallback.server.ts
@@ -0,0 +1,248 @@
+import type {
+  BufferEntry,
+  MollifierBuffer,
+  MutateSnapshotResult,
+  SnapshotPatch,
+} from "@trigger.dev/redis-worker";
+import type { TaskRun } from "@trigger.dev/database";
+import { prisma, $replica } from "~/db.server";
+import { logger } from "~/services/logger.server";
+import { getMollifierBuffer } from "./mollifierBuffer.server";
+
+// Wait/retry knobs. Exported for tests.
+export const DEFAULT_SAFETY_NET_MS = 2_000;
+// Initial gap between buffer polls; grows by BACKOFF_FACTOR up to
+// DEFAULT_MAX_POLL_STEP_MS so a slow drain doesn't poll at a tight fixed
+// cadence for the whole safety-net budget.
+export const DEFAULT_POLL_STEP_MS = 20;
+export const DEFAULT_MAX_POLL_STEP_MS = 250;
+export const DEFAULT_BACKOFF_FACTOR = 1.7;
+
+export type MutateWithFallbackInput<TResponse> = {
+  runId: string;
+  environmentId: string;
+  organizationId: string;
+  bufferPatch: SnapshotPatch;
+  // Called when a PG row exists (either replica-hit or post-wait writer-hit).
+  // Receives the full TaskRun shape and returns the customer-visible body.
+  pgMutation: (pgRow: TaskRun) => Promise<TResponse>;
+  // Called when the patch landed cleanly on the buffer snapshot. The
+  // drainer will see the patched payload on its next pop. Receives the
+  // pre-mutation snapshot entry (the one fetched for the env auth
+  // check above) so the caller can compute response details that
+  // depend on the prior state — e.g. the tags route needs to dedup
+  // against the existing tags to report an accurate `newTags` count
+  // matching the PG path, without an extra Redis round-trip.
+  // `bufferEntry` is `null` in the rare race where the entry didn't
+  // exist at pre-check time but appeared before `mutateSnapshot`.
+  synthesisedResponse: (ctx: {
+    bufferEntry: BufferEntry | null;
+  }) => TResponse | Promise<TResponse>;
+  // Called when the buffer rejected the patch as invalid (e.g. an
+  // `append_tags` patch carrying `maxTags` would exceed the cap). Required
+  // only by callers that send a rejectable patch; the helper throws if the
+  // buffer reports a rejection and no builder was supplied. Receives the
+  // same `bufferEntry` context as `synthesisedResponse` so a rejection
+  // message can reference the prior state if useful.
+  rejectedResponse?: (ctx: {
+    bufferEntry: BufferEntry | null;
+  }) => TResponse | Promise<TResponse>;
+  abortSignal?: AbortSignal;
+  // Override defaults for tests.
+  safetyNetMs?: number;
+  pollStepMs?: number;
+  maxPollStepMs?: number;
+  backoffFactor?: number;
+  // Test injection.
+  getBuffer?: () => MollifierBuffer | null;
+  prismaWriter?: TaskRunReader;
+  prismaReplica?: TaskRunReader;
+  sleep?: (ms: number) => Promise<void>;
+  now?: () => number;
+  // Jitter source; defaults to Math.random. Inject `() => 0` for
+  // deterministic poll timing in tests.
+  random?: () => number;
+};
+
+export type MutateWithFallbackOutcome<TResponse> =
+  | { kind: "pg"; response: TResponse }
+  | { kind: "snapshot"; response: TResponse }
+  | { kind: "rejected"; response: TResponse }
+  | { kind: "not_found" }
+  | { kind: "timed_out" };
+
+// PG-first → buffer mutateSnapshot → wait-and-bounce. The
+// caller decides how to translate the outcome into an HTTP response —
+// this helper never throws Response objects so it remains route-agnostic
+// and unit-testable in isolation.
+export async function mutateWithFallback<TResponse>(
+  input: MutateWithFallbackInput<TResponse>,
+): Promise<MutateWithFallbackOutcome<TResponse>> {
+  const replica = input.prismaReplica ?? $replica;
+  const writer = input.prismaWriter ?? prisma;
+  const buffer = (input.getBuffer ?? getMollifierBuffer)();
+  const sleep = input.sleep ?? defaultSleep;
+  const now = input.now ?? Date.now;
+
+  // Path 1 — PG is already canonical.
+  const replicaRow = await findRunInPg(replica, input.runId, input.environmentId);
+  if (replicaRow) {
+    const response = await input.pgMutation(replicaRow);
+    return { kind: "pg", response };
+  }
+
+  if (!buffer) {
+    // No buffer configured (mollifier disabled or boot-time error). The
+    // pre-PR mutation routes read from the writer directly, so a freshly-
+    // created PG row was always visible regardless of replication lag.
+    // Now that the read moved to the replica (line 87) for the offload,
+    // a `!buffer` short-circuit would regress: a real PG row + replica
+    // lag would return 404. Mirror the writer-disambiguation block below
+    // (line 148, the buffer-says-not-found path) so degraded mode
+    // (mollifier disabled) still matches pre-PR mutation behaviour.
+    const writerRow = await findRunInPg(writer, input.runId, input.environmentId);
+    if (writerRow) {
+      const response = await input.pgMutation(writerRow);
+      return { kind: "pg", response };
+    }
+    return { kind: "not_found" };
+  }
+
+  // Env-scoped authorization for the buffer path. The replica/writer
+  // lookups above are already env-scoped via findRunInPg; this closes
+  // the same gap on the buffer side so a caller authed in env A can't
+  // mutate a buffered run that belongs to env B (or a different org)
+  // by guessing its friendlyId. Non-atomic w.r.t. the mutateSnapshot
+  // call below, but the TOCTOU is benign: runIds are globally unique,
+  // so a cross-env entry can't suddenly appear after a same-env check.
+  // A genuinely-missing entry (entry === null) falls through and is
+  // handled by the existing not_found / writer-recovery path below.
+  const entryForAuth = await buffer.getEntry(input.runId);
+  if (
+    entryForAuth &&
+    (entryForAuth.envId !== input.environmentId ||
+      entryForAuth.orgId !== input.organizationId)
+  ) {
+    // Hide existence on env mismatch: return not_found, same shape as
+    // a true miss, rather than 403 which would leak that the runId
+    // exists in some other env.
+    return { kind: "not_found" };
+  }
+
+  // Path 2 — buffer snapshot mutation.
+  const result: MutateSnapshotResult = await buffer.mutateSnapshot(
+    input.runId,
+    input.bufferPatch,
+  );
+
+  if (result === "applied_to_snapshot") {
+    return {
+      kind: "snapshot",
+      response: await input.synthesisedResponse({ bufferEntry: entryForAuth }),
+    };
+  }
+
+  if (result === "limit_exceeded") {
+    // The buffer refused the patch (e.g. tag cap). Nothing was written.
+    // Surface the caller's rejection body; a missing builder means the
+    // caller sent a rejectable patch without handling the rejection.
+    if (!input.rejectedResponse) {
+      throw new Error(
+        "mutateWithFallback: buffer returned 'limit_exceeded' but no rejectedResponse was provided",
+      );
+    }
+    return {
+      kind: "rejected",
+      response: await input.rejectedResponse({ bufferEntry: entryForAuth }),
+    };
+  }
+
+  if (result === "not_found") {
+    // Disambiguate a genuine 404 from a replica-lag miss: ask the writer
+    // directly. If the row just appeared post-drain we route through the
+    // PG mutation path.
+    const writerRow = await findRunInPg(writer, input.runId, input.environmentId);
+    if (writerRow) {
+      const response = await input.pgMutation(writerRow);
+      return { kind: "pg", response };
+    }
+    return { kind: "not_found" };
+  }
+
+  // result === "busy" — the entry is mid-handoff (DRAINING) or already
+  // materialised. We do NOT poll the primary for the row to appear: that
+  // piles read load onto the writer at exactly the moment mollifier exists
+  // to shed it. Instead we watch the buffer entry itself (cheap Redis
+  // reads). The drainer writes the PG row BEFORE it acks (sets
+  // `materialised`) or fails (deletes the entry), so the entry's own state
+  // is an authoritative, already-in-Redis signal for "is the row in PG
+  // yet?". Only once it resolves do we touch the primary — exactly once,
+  // for the real mutation.
+  const safetyNetMs = input.safetyNetMs ?? DEFAULT_SAFETY_NET_MS;
+  const maxPollStepMs = input.maxPollStepMs ?? DEFAULT_MAX_POLL_STEP_MS;
+  const backoffFactor = input.backoffFactor ?? DEFAULT_BACKOFF_FACTOR;
+  const random = input.random ?? Math.random;
+  const deadline = now() + safetyNetMs;
+  let step = input.pollStepMs ?? DEFAULT_POLL_STEP_MS;
+
+  while (now() < deadline) {
+    if (input.abortSignal?.aborted) {
+      return { kind: "timed_out" };
+    }
+
+    const entry = await buffer.getEntry(input.runId);
+    // Resolved when the entry is gone (`fail` deleted it after writing a
+    // terminal SYSTEM_FAILURE row) or materialised (`ack` after a
+    // successful trigger / cancel write). In both cases the PG row is now
+    // committed on the primary, so read it once and route through the
+    // canonical PG mutation path.
+    if (entry === null || entry.materialised === true) {
+      const row = await findRunInPg(writer, input.runId, input.environmentId);
+      if (row) {
+        const response = await input.pgMutation(row);
+        return { kind: "pg", response };
+      }
+      // Entry gone with no PG row: the drainer's terminal write itself
+      // failed (PG unreachable). Nothing to mutate.
+      return { kind: "not_found" };
+    }
+    // Still QUEUED (requeued after a retryable drain error) or DRAINING —
+    // the run hasn't reached PG. Back off with jitter so concurrent
+    // waiters on the same draining run don't requery in lockstep.
+    if (now() >= deadline) break;
+    const jittered = step + Math.floor(random() * step);
+    await sleep(jittered);
+    step = Math.min(Math.ceil(step * backoffFactor), maxPollStepMs);
+  }
+
+  logger.warn("mollifier mutate-with-fallback: drainer resolution timed out", {
+    runId: input.runId,
+    safetyNetMs,
+  });
+  return { kind: "timed_out" };
+}
+
+// Structural reader interface — accepts both the writer (`prisma`) and the
+// replica (`$replica`), which differ slightly in their generated Prisma
+// types but share the findFirst surface used here.
+type TaskRunReader = {
+  taskRun: {
+    findFirst(args: {
+      where: { friendlyId: string; runtimeEnvironmentId: string };
+    }): Promise<TaskRun | null>;
+  };
+};
+
+async function findRunInPg(
+  client: TaskRunReader,
+  friendlyId: string,
+  environmentId: string,
+): Promise<TaskRun | null> {
+  return client.taskRun.findFirst({
+    where: { friendlyId, runtimeEnvironmentId: environmentId },
+  });
+}
+
+function defaultSleep(ms: number): Promise<void> {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
diff --git a/apps/webapp/app/v3/mollifier/readFallback.server.ts b/apps/webapp/app/v3/mollifier/readFallback.server.ts
new file mode 100644
index 00000000000..21dd6c23957
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/readFallback.server.ts
@@ -0,0 +1,266 @@
+import type { MollifierBuffer } from "@trigger.dev/redis-worker";
+import { RunId } from "@trigger.dev/core/v3/isomorphic";
+import { IdempotencyKeyOptionsSchema } from "@trigger.dev/core/v3/schemas";
+import type { z } from "zod";
+import { logger } from "~/services/logger.server";
+import { deserialiseMollifierSnapshot } from "./mollifierSnapshot.server";
+import { getMollifierBuffer } from "./mollifierBuffer.server";
+
+export type ReadFallbackInput = {
+  runId: string;
+  environmentId: string;
+  organizationId: string;
+};
+
+export type SyntheticRun = {
+  // Snapshot-derived TaskRun primary key. Used by ReplayTaskRunService
+  // for logging and by callers passing this object where a TaskRun is
+  // expected (cast). Derived deterministically from `friendlyId`.
+  id: string;
+  friendlyId: string;
+  status: "QUEUED" | "FAILED" | "CANCELED";
+  // Set when the customer cancelled the run via the dashboard or API
+  // while it was buffered. The drainer's cancel bifurcation reads this
+  // on next pop and writes a CANCELED PG row directly (skipping
+  // materialisation). Reflected back into the UI by the synthesised
+  // SpanRun so the run-detail page shows the cancelled state even before
+  // the drainer materialises it.
+  cancelledAt: Date | undefined;
+  cancelReason: string | undefined;
+  // Reschedule patch (`set_delay`) writes `delayUntil` into the snapshot.
+  // Surfacing it on SyntheticRun lets the retrieve-run shape reflect the
+  // pending delay before the drainer materialises the PG row.
+  delayUntil: Date | undefined;
+  taskIdentifier: string | undefined;
+  createdAt: Date;
+
+  payload: unknown;
+  payloadType: string | undefined;
+  metadata: unknown;
+  metadataType: string | undefined;
+  // Seed-metadata mirrors what `triggerTask.server.ts` writes into the
+  // snapshot: the original metadataPacket data preserved separately from
+  // any later customer mutations. ReplayTaskRunService uses these to
+  // rebuild the replay's metadata.
+  seedMetadata: string | undefined;
+  seedMetadataType: string | undefined;
+
+  idempotencyKey: string | undefined;
+  // Surfaced for the cached-hit expiration check in IdempotencyKeyConcern.
+  // The PG-resident path enforces this (clears key, allows new run when
+  // expired). For buffered runs the snapshot carries the same field — we
+  // expose it here so the cached-hit branch can apply the same check
+  // rather than indefinitely returning the buffered run's id.
+  idempotencyKeyExpiresAt: Date | undefined;
+  // `{ key, scope }` object form, matching how the SDK serialises and PG
+  // stores it. Previously typed as `string[]` (legacy/incorrect — Prisma
+  // is `Json?` carrying the schema-shaped object). `getUserProvidedIdempotencyKey`
+  // and `extractIdempotencyKeyScope` both parse via the same Zod schema;
+  // they returned `undefined` for the array-shape, which silently
+  // demoted the response to surface the hash instead of the user-
+  // provided key for buffered runs — a contract divergence from
+  // PG-resident runs. See the regression test in `mollifierReadFallback.test.ts`.
+  idempotencyKeyOptions: z.infer<typeof IdempotencyKeyOptionsSchema> | undefined;
+  isTest: boolean;
+  depth: number;
+  ttl: string | undefined;
+  tags: string[];
+  // Mirror of `tags` under the PG field name. ReplayTaskRunService reads
+  // `existingTaskRun.runTags`; both names are kept here so a synthetic
+  // run can be passed wherever the PG-shape `runTags` is expected.
+  runTags: string[];
+  lockedToVersion: string | undefined;
+  resumeParentOnCompletion: boolean;
+  parentTaskRunId: string | undefined;
+
+  // Allocated at gate-accept time and embedded in the snapshot so the run's
+  // trace is continuous from QUEUED-in-buffer through executing post-drain.
+  traceId: string | undefined;
+  spanId: string | undefined;
+  parentSpanId: string | undefined;
+
+  // Replay-relevant fields populated from the engine-trigger snapshot.
+  // ReplayTaskRunService reads each of these from the existing TaskRun;
+  // when the original lives in the buffer we synthesise them here.
+  runtimeEnvironmentId: string | undefined;
+  engine: "V2";
+  workerQueue: string | undefined;
+  queue: string | undefined;
+  concurrencyKey: string | undefined;
+  machinePreset: string | undefined;
+  realtimeStreamsVersion: string | undefined;
+
+  // Additional snapshot-sourced fields used when synthesising a SpanRun
+  // for the dashboard's right-side details panel. All optional because
+  // older snapshots may not carry them.
+  maxAttempts: number | undefined;
+  maxDurationInSeconds: number | undefined;
+  replayedFromTaskRunFriendlyId: string | undefined;
+  annotations: unknown;
+  traceContext: unknown;
+  scheduleId: string | undefined;
+  batchId: string | undefined;
+  parentTaskRunFriendlyId: string | undefined;
+  rootTaskRunFriendlyId: string | undefined;
+
+  error?: { code: string; message: string };
+};
+
+export type ReadFallbackDeps = {
+  getBuffer?: () => MollifierBuffer | null;
+};
+
+function asString(value: unknown): string | undefined {
+  return typeof value === "string" ? value : undefined;
+}
+
+function asStringArray(value: unknown): string[] {
+  return Array.isArray(value) && value.every((v) => typeof v === "string") ? (value as string[]) : [];
+}
+
+function asDate(value: unknown): Date | undefined {
+  const raw = asString(value);
+  if (!raw) return undefined;
+  const parsed = new Date(raw);
+  return Number.isNaN(parsed.getTime()) ? undefined : parsed;
+}
+
+// Snapshot ids are written by engine.trigger as INTERNAL ids (cuids); the
+// SyntheticRun contract exposes friendlyIds. `RunId.toFriendlyId` is
+// already used for the synthetic run's own id (line 155); reuse it for
+// parent/root so consumers see the same shape as the PG path.
+function internalRunIdToFriendlyId(internalId: string | undefined): string | undefined {
+  if (!internalId) return undefined;
+  return RunId.toFriendlyId(internalId);
+}
+
+export async function findRunByIdWithMollifierFallback(
+  input: ReadFallbackInput,
+  deps: ReadFallbackDeps = {},
+): Promise<SyntheticRun | null> {
+  const buffer = (deps.getBuffer ?? getMollifierBuffer)();
+  if (!buffer) return null;
+
+  try {
+    const entry = await buffer.getEntry(input.runId);
+    if (!entry) return null;
+
+    if (entry.envId !== input.environmentId || entry.orgId !== input.organizationId) {
+      logger.warn("mollifier read-fallback auth mismatch", {
+        runId: input.runId,
+        callerEnvId: input.environmentId,
+        callerOrgId: input.organizationId,
+      });
+      return null;
+    }
+
+    const snapshot = deserialiseMollifierSnapshot(entry.payload);
+    // Parse via the canonical schema (`{ key: string, scope: "run" |
+    // "attempt" | "global" }`) rather than the legacy Array.isArray
+    // check. The SDK and Prisma both store this as an object; the array
+    // form never matches, so a buffered run's response previously fell
+    // back to the server-side hash in `getUserProvidedIdempotencyKey`
+    // instead of the customer-supplied key — diverging from how
+    // materialised runs render the same field.
+    const idempotencyKeyOptionsParsed = IdempotencyKeyOptionsSchema.safeParse(
+      snapshot.idempotencyKeyOptions,
+    );
+    const idempotencyKeyOptions = idempotencyKeyOptionsParsed.success
+      ? idempotencyKeyOptionsParsed.data
+      : undefined;
+
+    const tags = asStringArray(snapshot.tags);
+    const environment =
+      snapshot.environment && typeof snapshot.environment === "object"
+        ? (snapshot.environment as Record<string, unknown>)
+        : undefined;
+
+    const cancelledAt = asDate(snapshot.cancelledAt);
+    const cancelReason = asString(snapshot.cancelReason);
+    let status: SyntheticRun["status"] = "QUEUED";
+    if (cancelledAt) {
+      status = "CANCELED";
+    } else if (entry.status === "FAILED") {
+      status = "FAILED";
+    }
+    const delayUntil = asDate(snapshot.delayUntil);
+
+    return {
+      id: RunId.fromFriendlyId(entry.runId),
+      friendlyId: entry.runId,
+      status,
+      cancelledAt,
+      cancelReason,
+      delayUntil,
+      taskIdentifier: asString(snapshot.taskIdentifier),
+      createdAt: entry.createdAt,
+
+      payload: snapshot.payload,
+      payloadType: asString(snapshot.payloadType),
+      metadata: snapshot.metadata,
+      metadataType: asString(snapshot.metadataType),
+      seedMetadata: asString(snapshot.seedMetadata),
+      seedMetadataType: asString(snapshot.seedMetadataType),
+
+      idempotencyKey: asString(snapshot.idempotencyKey),
+      idempotencyKeyExpiresAt: asDate(snapshot.idempotencyKeyExpiresAt),
+      idempotencyKeyOptions,
+      isTest: snapshot.isTest === true,
+      depth: typeof snapshot.depth === "number" ? snapshot.depth : 0,
+      ttl: asString(snapshot.ttl),
+      tags,
+      runTags: tags,
+      lockedToVersion: asString(snapshot.taskVersion),
+      resumeParentOnCompletion: snapshot.resumeParentOnCompletion === true,
+      parentTaskRunId: asString(snapshot.parentTaskRunId),
+
+      traceId: asString(snapshot.traceId),
+      spanId: asString(snapshot.spanId),
+      parentSpanId: asString(snapshot.parentSpanId),
+
+      runtimeEnvironmentId:
+        asString(environment?.id) ?? entry.envId,
+      engine: "V2",
+      workerQueue: asString(snapshot.workerQueue),
+      queue: asString(snapshot.queue),
+      concurrencyKey: asString(snapshot.concurrencyKey),
+      machinePreset: asString(snapshot.machine),
+      realtimeStreamsVersion: asString(snapshot.realtimeStreamsVersion),
+
+      maxAttempts: typeof snapshot.maxAttempts === "number" ? snapshot.maxAttempts : undefined,
+      maxDurationInSeconds:
+        typeof snapshot.maxDurationInSeconds === "number"
+          ? snapshot.maxDurationInSeconds
+          : undefined,
+      replayedFromTaskRunFriendlyId: asString(snapshot.replayedFromTaskRunFriendlyId),
+      annotations: snapshot.annotations,
+      traceContext: snapshot.traceContext,
+      scheduleId: asString(snapshot.scheduleId),
+      // The engine.trigger input embeds the batch as `{ id, index }` (see
+      // triggerTask.server.ts #buildEngineTriggerInput), not as a flat
+      // `batchId`. The nested `id` is the batch's internal cuid — the same
+      // value PG stores in `TaskRun.batchId` — so callers reconstruct the
+      // friendly id via `BatchId.toFriendlyId` exactly as the PG path does.
+      batchId: asString((snapshot.batch as { id?: unknown } | undefined)?.id),
+      // The snapshot only carries the INTERNAL parent/root ids
+      // (`parentTaskRunId` / `rootTaskRunId` — what engine.trigger consumes),
+      // not the friendlyIds the SyntheticRun contract expects. Convert
+      // internal → friendly here so consumers don't have to special-case
+      // the buffered path.
+      parentTaskRunFriendlyId: internalRunIdToFriendlyId(
+        asString(snapshot.parentTaskRunId)
+      ),
+      rootTaskRunFriendlyId: internalRunIdToFriendlyId(
+        asString(snapshot.rootTaskRunId)
+      ),
+
+      error: entry.lastError,
+    };
+  } catch (err) {
+    logger.error("mollifier read-fallback errored — fail-open to null", {
+      runId: input.runId,
+      err: err instanceof Error ? err.message : String(err),
+    });
+    return null;
+  }
+}
diff --git a/apps/webapp/app/v3/mollifier/resolveRunForMutation.server.ts b/apps/webapp/app/v3/mollifier/resolveRunForMutation.server.ts
new file mode 100644
index 00000000000..b3db81368b9
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/resolveRunForMutation.server.ts
@@ -0,0 +1,82 @@
+import type { MollifierBuffer } from "@trigger.dev/redis-worker";
+import { $replica as defaultReplica, prisma as defaultWriter } from "~/db.server";
+import { getMollifierBuffer as defaultGetBuffer } from "./mollifierBuffer.server";
+
+// Discriminated-union resolver used by mutation routes' `findResource`.
+// The route builder treats a null return from `findResource` as a 404
+// BEFORE the action handler runs (`apiBuilder.server.ts:321`), so we
+// must check BOTH the PG canonical store and the mollifier buffer here
+// — otherwise a buffered run can't be cancelled / mutated even though
+// the underlying mutateWithFallback flow would handle it correctly.
+//
+// (Regression: before extracting this helper the cancel route had
+// `findResource: async () => null`, which made every cancel 404 before
+// the action ran. The helper makes the lookup unit-testable.)
+export type ResolvedRunForMutation =
+  | { source: "pg"; friendlyId: string }
+  | { source: "buffer"; friendlyId: string };
+
+type PrismaTaskRunFindFirst = {
+  taskRun: {
+    findFirst(args: {
+      where: { friendlyId: string; runtimeEnvironmentId: string };
+      select: { friendlyId: true };
+    }): Promise<{ friendlyId: string } | null>;
+  };
+};
+
+export type ResolveRunForMutationDeps = {
+  prismaReplica?: PrismaTaskRunFindFirst;
+  prismaWriter?: PrismaTaskRunFindFirst;
+  getBuffer?: () => MollifierBuffer | null;
+};
+
+export async function resolveRunForMutation(input: {
+  runParam: string;
+  environmentId: string;
+  organizationId: string;
+  deps?: ResolveRunForMutationDeps;
+}): Promise<ResolvedRunForMutation | null> {
+  const replica = input.deps?.prismaReplica ?? defaultReplica;
+  const writer = input.deps?.prismaWriter ?? defaultWriter;
+  const getBuffer = input.deps?.getBuffer ?? defaultGetBuffer;
+
+  const pgRun = await replica.taskRun.findFirst({
+    where: { friendlyId: input.runParam, runtimeEnvironmentId: input.environmentId },
+    select: { friendlyId: true },
+  });
+  if (pgRun) return { source: "pg", friendlyId: pgRun.friendlyId };
+
+  const buffer = getBuffer();
+
+  if (buffer) {
+    const entry = await buffer.getEntry(input.runParam);
+    if (
+      entry &&
+      entry.envId === input.environmentId &&
+      entry.orgId === input.organizationId
+    ) {
+      return { source: "buffer", friendlyId: input.runParam };
+    }
+  }
+
+  // Replica + buffer both missed. Before declaring "not found" (which the
+  // route builder converts to a hard 404 *before* the action handler runs,
+  // so the downstream `mutateWithFallback` writer-recovery never gets a
+  // chance to fire), do one final probe against the writer. This catches
+  // two cases:
+  //   1. Replica lag on a freshly-created PG row.
+  //   2. A buffered run that materialised in the window between the
+  //      replica read and our buffer check (the entry was ack'd and the
+  //      hash is mid-grace-TTL but our getEntry returned null due to
+  //      lookup-by-friendlyId timing).
+  // Without this, the resolver returns null in degraded states that the
+  // downstream mutateWithFallback flow would otherwise handle correctly.
+  const writerRun = await writer.taskRun.findFirst({
+    where: { friendlyId: input.runParam, runtimeEnvironmentId: input.environmentId },
+    select: { friendlyId: true },
+  });
+  if (writerRun) return { source: "pg", friendlyId: writerRun.friendlyId };
+
+  return null;
+}
diff --git a/apps/webapp/app/v3/mollifier/syntheticApiResponses.server.ts b/apps/webapp/app/v3/mollifier/syntheticApiResponses.server.ts
new file mode 100644
index 00000000000..02c63fe91f1
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/syntheticApiResponses.server.ts
@@ -0,0 +1,73 @@
+import type { SyntheticRun } from "./readFallback.server";
+
+// Buffered runs have no execution data — the drainer hasn't materialised
+// the PG row and the worker hasn't started. The SDK-facing read routes
+// still need to return a span/trace shape that satisfies their response
+// schemas; these helpers build that minimal shape from the buffered
+// SyntheticRun.
+//
+// CANCELED and FAILED are terminal states: a FAILED buffered run is
+// errored (drainer exhausted retries or the gate rejected it) and must
+// not signal "still in progress." The flags below mirror
+// syntheticTrace.server.ts so the SDK contract stays consistent across
+// the three read paths (spans, trace, dashboard trace presenter).
+
+function deriveTerminalFlags(status: SyntheticRun["status"]): {
+  isError: boolean;
+  isPartial: boolean;
+  isCancelled: boolean;
+} {
+  const isCancelled = status === "CANCELED";
+  const isFailed = status === "FAILED";
+  return {
+    isError: isFailed,
+    isPartial: !isCancelled && !isFailed,
+    isCancelled,
+  };
+}
+
+// Body for GET /api/v1/runs/:runId/spans/:spanId when the run is buffered
+// and `:spanId` has already been verified against `buffered.spanId` by the
+// route. Pure function so the route layer just authenticates, resolves
+// the run, validates the spanId, and forwards the buffered run here.
+export function buildSyntheticSpanDetailBody(buffered: SyntheticRun) {
+  const flags = deriveTerminalFlags(buffered.status);
+  return {
+    spanId: buffered.spanId,
+    parentId: buffered.parentSpanId ?? null,
+    runId: buffered.friendlyId,
+    message: buffered.taskIdentifier ?? "",
+    ...flags,
+    level: "TRACE" as const,
+    startTime: buffered.createdAt,
+    durationMs: 0,
+  };
+}
+
+// Body for GET /api/v1/runs/:runId/trace when the run is buffered.
+// Returns the `{ trace: { traceId, rootSpan } }` envelope expected by the
+// SDK's RetrieveRunTraceResponseBody schema.
+export function buildSyntheticTraceBody(buffered: SyntheticRun) {
+  const flags = deriveTerminalFlags(buffered.status);
+  return {
+    trace: {
+      traceId: buffered.traceId ?? "",
+      rootSpan: {
+        id: buffered.spanId ?? "",
+        runId: buffered.friendlyId,
+        data: {
+          message: buffered.taskIdentifier ?? "",
+          taskSlug: buffered.taskIdentifier ?? undefined,
+          events: [] as unknown[],
+          startTime: buffered.createdAt,
+          duration: 0,
+          ...flags,
+          level: "TRACE" as const,
+          queueName: buffered.queue ?? undefined,
+          machinePreset: buffered.machinePreset ?? undefined,
+        },
+        children: [] as unknown[],
+      },
+    },
+  };
+}
diff --git a/apps/webapp/app/v3/mollifier/syntheticRedirectInfo.server.ts b/apps/webapp/app/v3/mollifier/syntheticRedirectInfo.server.ts
new file mode 100644
index 00000000000..e316846d708
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/syntheticRedirectInfo.server.ts
@@ -0,0 +1,119 @@
+import type { MollifierBuffer } from "@trigger.dev/redis-worker";
+import type { PrismaClientOrTransaction } from "@trigger.dev/database";
+import { z } from "zod";
+import { prisma } from "~/db.server";
+import { logger } from "~/services/logger.server";
+import { getMollifierBuffer } from "./mollifierBuffer.server";
+// Use the webapp-side wrapper (not `deserialiseSnapshot` from
+// @trigger.dev/redis-worker directly) so this file shares a single
+// deserialisation path with readFallback.server.ts. The two are
+// behaviourally identical today (both wrap `JSON.parse`), but pinning
+// the shared helper keeps the two read-side modules from drifting if
+// snapshot encoding ever changes.
+import { deserialiseMollifierSnapshot } from "./mollifierSnapshot.server";
+
+// Validated subset of a mollifier snapshot — just the fields needed to
+// rebuild a canonical run-detail URL for a buffered run. Anything else
+// in the payload is ignored. `safeParse` against this schema replaces
+// the ad-hoc `as Record<string, unknown>` + `typeof === "string"` checks
+// that the redirect path used to do by hand; missing or wrong-typed
+// fields collapse into a single `parsed.success === false` branch.
+const BufferedSnapshotSchema = z.object({
+  spanId: z.string().optional(),
+  environment: z.object({
+    slug: z.string(),
+    project: z.object({ slug: z.string() }),
+    organization: z.object({ slug: z.string() }),
+  }),
+});
+
+export type BufferedRunRedirectInfo = {
+  organizationSlug: string;
+  projectSlug: string;
+  environmentSlug: string;
+  spanId: string | undefined;
+};
+
+export type FindBufferedRunRedirectInfoDeps = {
+  getBuffer?: () => MollifierBuffer | null;
+  prismaClient?: PrismaClientOrTransaction;
+};
+
+// Resolve the org/project/env slugs needed to build the canonical run-detail
+// URL for a buffered run. Used by the short-URL redirect routes
+// (`runs.$runParam`, `@.runs.$runParam`, `projects.v3.$projectRef.runs.$runParam`)
+// so a customer clicking the trigger-API-returned run link doesn't 404
+// during the buffered window.
+//
+// Authorisation: PG query confirms the requesting user belongs to the
+// organisation the buffer entry says owns the run. Without this check a
+// known runId would leak slugs.
+export async function findBufferedRunRedirectInfo(
+  args: {
+    runFriendlyId: string;
+    userId: string;
+    // Admin impersonation paths bypass org-membership; mirrors the existing
+    // PG-side admin route behaviour (`@.runs.$runParam` doesn't filter by
+    // org membership in the PG query either).
+    skipOrgMembershipCheck?: boolean;
+  },
+  deps: FindBufferedRunRedirectInfoDeps = {},
+): Promise<BufferedRunRedirectInfo | null> {
+  const buffer = (deps.getBuffer ?? getMollifierBuffer)();
+  const prismaClient = deps.prismaClient ?? prisma;
+  if (!buffer) return null;
+
+  let entry;
+  try {
+    entry = await buffer.getEntry(args.runFriendlyId);
+  } catch (err) {
+    logger.warn("buffered redirect: buffer.getEntry failed", {
+      runFriendlyId: args.runFriendlyId,
+      err: err instanceof Error ? err.message : String(err),
+    });
+    return null;
+  }
+  if (!entry) return null;
+
+  if (!args.skipOrgMembershipCheck) {
+    const member = await prismaClient.orgMember.findFirst({
+      where: { userId: args.userId, organizationId: entry.orgId },
+      select: { id: true },
+    });
+    if (!member) return null;
+  }
+
+  let raw: unknown;
+  try {
+    raw = deserialiseMollifierSnapshot(entry.payload);
+  } catch (err) {
+    logger.warn("buffered redirect: snapshot deserialise failed", {
+      runFriendlyId: args.runFriendlyId,
+      err: err instanceof Error ? err.message : String(err),
+    });
+    return null;
+  }
+
+  const parsed = BufferedSnapshotSchema.safeParse(raw);
+  if (!parsed.success) {
+    // Either the snapshot is from a different writer that doesn't carry
+    // environment slugs (in which case we genuinely can't build a URL)
+    // or a buffer-format drift snuck through. Log at debug; the caller
+    // 404s and the user sees the standard not-found page, not a 500.
+    logger.debug("buffered redirect: snapshot shape mismatch", {
+      runFriendlyId: args.runFriendlyId,
+      issues: parsed.error.issues.map((issue) => ({
+        path: issue.path.join("."),
+        code: issue.code,
+      })),
+    });
+    return null;
+  }
+
+  return {
+    organizationSlug: parsed.data.environment.organization.slug,
+    projectSlug: parsed.data.environment.project.slug,
+    environmentSlug: parsed.data.environment.slug,
+    spanId: parsed.data.spanId,
+  };
+}
diff --git a/apps/webapp/app/v3/mollifier/syntheticReplayTaskRun.server.ts b/apps/webapp/app/v3/mollifier/syntheticReplayTaskRun.server.ts
new file mode 100644
index 00000000000..01962cf7890
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/syntheticReplayTaskRun.server.ts
@@ -0,0 +1,51 @@
+import type { TaskRun } from "@trigger.dev/database";
+import type { SyntheticRun } from "./readFallback.server";
+
+export type SyntheticReplayTaskRun = TaskRun & {
+  project: { slug: string; organization: { slug: string } };
+  runtimeEnvironment: { slug: string };
+};
+
+// Adapt a buffered-run snapshot into the TaskRun-shaped input that
+// `ReplayTaskRunService.call` expects. ReplayTaskRunService builds the
+// new run's traceparent as `00-${existingTaskRun.traceId}-${existingTaskRun.spanId}-01`
+// without guarding for undefined, so a synthetic with missing traceId
+// or spanId (older snapshots — both fields are documented optional on
+// `SyntheticRun`) would produce `00-undefined-undefined-01`, an invalid
+// W3C traceparent that OTel silently drops, severing the replay's trace
+// link to the original run.
+//
+// Returns null when those fields are missing — the caller surfaces this
+// as "Run not found" so the customer retries once the drainer has
+// materialised the PG row, where traceId/spanId are guaranteed present.
+export function buildSyntheticReplayTaskRun(args: {
+  synthetic: SyntheticRun;
+  envRow: {
+    slug: string;
+    project: { slug: string; organization: { slug: string } };
+  };
+}): SyntheticReplayTaskRun | null {
+  const { synthetic, envRow } = args;
+  if (!synthetic.traceId || !synthetic.spanId) return null;
+  return {
+    // The double `as unknown as TaskRun` cast is load-bearing — a direct
+    // `synthetic as TaskRun` won't compile. `SyntheticRun` carries the
+    // subset of fields that `ReplayTaskRunService.call` actually reads
+    // (the contract is enumerated on the SyntheticRun type comment in
+    // readFallback.server.ts), but its shape is not structurally
+    // assignable to the full Prisma `TaskRun` row: optional vs required
+    // fields diverge, several PG columns (number, batchId variants,
+    // status enum widening) are deliberately absent or narrower on the
+    // synthetic. Routing it through `unknown` is the explicit "we know
+    // this is a subset, we've audited which fields are read" signal,
+    // and the traceId/spanId guard above prevents the only field
+    // ReplayTaskRunService consumes that would corrupt downstream
+    // behaviour (the OTel traceparent) when undefined.
+    ...(synthetic as unknown as TaskRun),
+    project: {
+      slug: envRow.project.slug,
+      organization: { slug: envRow.project.organization.slug },
+    },
+    runtimeEnvironment: { slug: envRow.slug },
+  };
+}
diff --git a/apps/webapp/app/v3/mollifier/syntheticRunHeader.server.ts b/apps/webapp/app/v3/mollifier/syntheticRunHeader.server.ts
new file mode 100644
index 00000000000..9b137f87fb3
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/syntheticRunHeader.server.ts
@@ -0,0 +1,75 @@
+import type { SyntheticRun } from "./readFallback.server";
+
+// Synthesise the run-detail page's `run` header shape (the NavBar +
+// status badge + Cancel-button gate) from a buffered run snapshot. The
+// shape matches `RunPresenter.getRun`'s `runData` — keep this in sync
+// when fields are added there.
+//
+// CANCELED and FAILED state is reflected back from
+// `SyntheticRun.cancelledAt` / `status` so terminal buffered runs show
+// the correct status in the NavBar + isFinished:true (which collapses
+// the Cancel button on the page header) before the drainer materialises
+// the PG row. This mirrors what `buildSyntheticSpanRun` does for the
+// right-side details panel — the SyntheticRun.cancelledAt contract
+// comment in readFallback.server.ts names this exact UI surface.
+//
+// FAILED status maps to `SYSTEM_FAILURE` to match the drainer's
+// non-retryable terminal path, which is what `buildSyntheticSpanRun`
+// uses too. Symmetric across the header + span-detail panel so an
+// admin doesn't see "Pending" + "FAILED" simultaneously on the same
+// run.
+export function buildSyntheticRunHeader(args: {
+  run: SyntheticRun;
+  environment: {
+    id: string;
+    organizationId: string;
+    type: "PRODUCTION" | "DEVELOPMENT" | "STAGING" | "PREVIEW";
+    slug: string;
+  };
+}) {
+  const { run, environment } = args;
+  const isCancelled = run.status === "CANCELED";
+  const isFailed = run.status === "FAILED";
+
+  return {
+    // `id` mirrors RunPresenter.getRun's runData (the PG path), which
+    // is the internal cuid — not the friendlyId. SyntheticRun.id is
+    // already the cuid (RunId.fromFriendlyId(entry.runId) in
+    // readFallback.server.ts) so the admin debug tooltip on the run
+    // detail page shows the same format for buffered + materialised
+    // runs.
+    id: run.id,
+    number: 1,
+    friendlyId: run.friendlyId,
+    traceId: run.traceId ?? "",
+    spanId: run.spanId ?? "",
+    status: isCancelled
+      ? ("CANCELED" as const)
+      : isFailed
+      ? ("SYSTEM_FAILURE" as const)
+      : ("PENDING" as const),
+    isFinished: isCancelled || isFailed,
+    startedAt: null,
+    // Symmetric with `buildSyntheticSpanRun` and the
+    // `ApiRetrieveRunPresenter` synth path. The run-detail route
+    // derives `isCompleted` from `completedAt !== null` and gates SSE
+    // live-reloading on it (`route.tsx:459`, `:551`); leaving
+    // `completedAt` null for FAILED would keep a terminal buffered run
+    // live-reloading forever. PG-resident SYSTEM_FAILURE rows always
+    // have completedAt set, so fall back to createdAt (the buffer
+    // entry has no separate failedAt — closest proxy for when the
+    // terminal state landed).
+    completedAt: run.cancelledAt ?? (isFailed ? run.createdAt : null),
+    logsDeletedAt: null,
+    rootTaskRun: null,
+    parentTaskRun: null,
+    environment: {
+      id: environment.id,
+      organizationId: environment.organizationId,
+      type: environment.type,
+      slug: environment.slug,
+      userId: undefined,
+      userName: undefined,
+    },
+  };
+}
diff --git a/apps/webapp/app/v3/mollifier/syntheticSpanRun.server.ts b/apps/webapp/app/v3/mollifier/syntheticSpanRun.server.ts
new file mode 100644
index 00000000000..ae274aac3d5
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/syntheticSpanRun.server.ts
@@ -0,0 +1,197 @@
+import { prettyPrintPacket, RunAnnotations } from "@trigger.dev/core/v3";
+import { getMaxDuration } from "@trigger.dev/core/v3/isomorphic";
+import {
+  extractIdempotencyKeyScope,
+  getUserProvidedIdempotencyKey,
+} from "@trigger.dev/core/v3/serverOnly";
+import { MachinePresetName } from "@trigger.dev/core/v3/schemas";
+import type { SpanRun } from "~/presenters/v3/SpanPresenter.server";
+import type { SyntheticRun } from "./readFallback.server";
+
+// `SyntheticRun.machinePreset` is sourced from the snapshot payload as
+// a plain string, but `SpanRun.machinePreset` is the narrowed enum.
+// Validate against the canonical enum so an unknown / stale preset
+// string collapses to undefined rather than fighting the type checker.
+function narrowMachinePreset(value: string | undefined): SpanRun["machinePreset"] {
+  if (value === undefined) return undefined;
+  const parsed = MachinePresetName.safeParse(value);
+  return parsed.success ? parsed.data : undefined;
+}
+
+// Synthesise a SpanRun-shaped object from a buffered run so the run-detail
+// page's right-side details panel renders identically to a PG-resident
+// run. The shape matches `SpanPresenter.getRun`'s return value;
+// buffered-irrelevant fields (output, attempts, schedule, session,
+// region, batch) are filled with sensible defaults, while terminal state
+// (CANCELED / FAILED) is reflected into `status`, `isFinished`, `isError`
+// and `error` so a finished buffered run does not render as PENDING.
+//
+// Pretty-printing for payload and metadata mirrors SpanPresenter so the
+// UI receives data in the same shape. Buffered runs cannot use the
+// `application/store` packet path (no R2 object yet) so we treat raw
+// snapshot fields as inline packets.
+export async function buildSyntheticSpanRun(args: {
+  run: SyntheticRun;
+  environment: { id: string; slug: string; type: "PRODUCTION" | "DEVELOPMENT" | "STAGING" | "PREVIEW" };
+}): Promise<SpanRun> {
+  const { run, environment } = args;
+
+  const payload =
+    typeof run.payload !== "undefined" && run.payload !== null
+      ? await prettyPrintPacket(run.payload, run.payloadType ?? undefined)
+      : undefined;
+
+  // Nullish check, not truthy — matches the payload branch above so an
+  // intentionally-empty packet (e.g. metadata: "") still gets handed to
+  // `prettyPrintPacket` and renders consistently. A truthy check would
+  // drop the empty-string case and the two paths would diverge.
+  const metadata =
+    typeof run.metadata !== "undefined" && run.metadata !== null
+      ? await prettyPrintPacket(run.metadata, run.metadataType, {
+          filteredKeys: ["$$streams", "$$streamsVersion", "$$streamsBaseUrl"],
+        })
+      : undefined;
+
+  const idempotencyShape = {
+    idempotencyKey: run.idempotencyKey ?? null,
+    idempotencyKeyExpiresAt: null,
+    idempotencyKeyOptions: run.idempotencyKeyOptions ?? null,
+  };
+
+  const idempotencyKey = getUserProvidedIdempotencyKey(idempotencyShape);
+  const idempotencyKeyScope = extractIdempotencyKeyScope(idempotencyShape);
+  const idempotencyKeyStatus: SpanRun["idempotencyKeyStatus"] = idempotencyKey
+    ? "active"
+    : idempotencyKeyScope
+    ? "inactive"
+    : undefined;
+
+  const taskKind = RunAnnotations.safeParse(run.annotations).data?.taskKind;
+  const isAgentRun = taskKind === "AGENT";
+
+  const queueName = run.queue ?? "task/";
+  const isCancelled = run.status === "CANCELED";
+  const isFailed = run.status === "FAILED";
+
+  // The run-detail panel derives terminal/error state from `status`,
+  // `isFinished` and `isError` (SpanPresenter.getRun -> isFinalRunStatus /
+  // isFailedRunStatus). Buffered FAILED runs surface as SYSTEM_FAILURE to
+  // match ApiRetrieveRunPresenter.bufferedStatusToTaskRunStatus; both
+  // CANCELED and SYSTEM_FAILURE are final run statuses, and SYSTEM_FAILURE
+  // is also a failed status.
+  const status: SpanRun["status"] = isCancelled
+    ? "CANCELED"
+    : isFailed
+    ? "SYSTEM_FAILURE"
+    : "PENDING";
+
+  // Mirror ApiRetrieveRunPresenter's STRING_ERROR synthesis so the panel
+  // shows why a buffered run failed instead of an empty error block.
+  const error: SpanRun["error"] =
+    isFailed && run.error
+      ? { type: "STRING_ERROR", raw: `${run.error.code}: ${run.error.message}` }
+      : undefined;
+
+  return {
+    id: run.id,
+    friendlyId: run.friendlyId,
+    status,
+    statusReason: isCancelled
+      ? run.cancelReason ?? undefined
+      : isFailed
+      ? run.error?.message ?? undefined
+      : undefined,
+    createdAt: run.createdAt,
+    startedAt: null,
+    executedAt: null,
+    updatedAt: run.cancelledAt ?? run.createdAt,
+    delayUntil: run.delayUntil ?? null,
+    expiredAt: null,
+    // Symmetric with `ApiRetrieveRunPresenter` — FAILED buffered runs
+    // must surface a non-null `completedAt` so the run-detail panel
+    // (and any caller checking `isFinished && completedAt`) doesn't
+    // render a finished run with no completion timestamp. PG-resident
+    // SYSTEM_FAILURE rows always have completedAt set; the buffer
+    // entry has no separate failedAt, so we fall back to createdAt
+    // as the best proxy for when the terminal state landed.
+    completedAt: run.cancelledAt ?? (isFailed ? run.createdAt : null),
+    logsDeletedAt: null,
+    ttl: run.ttl ?? null,
+    taskIdentifier: run.taskIdentifier ?? "",
+    version: undefined,
+    sdkVersion: undefined,
+    runtime: undefined,
+    runtimeVersion: undefined,
+    isTest: run.isTest,
+    replayedFromTaskRunFriendlyId: run.replayedFromTaskRunFriendlyId ?? null,
+    environmentId: environment.id,
+    idempotencyKey,
+    idempotencyKeyExpiresAt: null,
+    idempotencyKeyScope,
+    idempotencyKeyStatus,
+    debounce: null,
+    schedule: undefined,
+    queue: {
+      name: queueName,
+      isCustomQueue: !queueName.startsWith("task/"),
+      concurrencyKey: run.concurrencyKey ?? null,
+    },
+    tags: run.runTags,
+    baseCostInCents: 0,
+    costInCents: 0,
+    totalCostInCents: 0,
+    usageDurationMs: 0,
+    isFinished: isCancelled || isFailed,
+    isRunning: false,
+    isError: isFailed,
+    isAgentRun,
+    payload,
+    payloadType: run.payloadType ?? "application/json",
+    output: undefined,
+    outputType: "application/json",
+    error,
+    // The snapshot only carries the root/parent friendly IDs, not the
+    // spanId or taskIdentifier that SpanPresenter sources from the joined
+    // PG rows. Emitting them with empty-string stubs renders a blank task
+    // name and a misleading `?span=` jump target, so we omit the
+    // relationships until the drainer materialises the row (a transient
+    // window). Top-level buffered runs have no relationships regardless.
+    relationships: {
+      root: undefined,
+      parent: undefined,
+    },
+    context: JSON.stringify(
+      {
+        task: {
+          id: run.taskIdentifier ?? "",
+        },
+        run: {
+          id: run.friendlyId,
+          createdAt: run.createdAt,
+          isTest: run.isTest,
+        },
+        environment: {
+          id: environment.id,
+          slug: environment.slug,
+          type: environment.type,
+        },
+      },
+      null,
+      2,
+    ),
+    metadata,
+    maxDurationInSeconds: getMaxDuration(run.maxDurationInSeconds),
+    batch: undefined,
+    session: undefined,
+    engine: "V2",
+    region: null,
+    workerQueue: run.workerQueue ?? "",
+    traceId: run.traceId ?? "",
+    spanId: run.spanId ?? "",
+    isCached: false,
+    isBuffered: true,
+    machinePreset: narrowMachinePreset(run.machinePreset),
+    taskEventStore: "taskEvent",
+    externalTraceId: undefined,
+  };
+}
diff --git a/apps/webapp/app/v3/mollifier/syntheticTrace.server.ts b/apps/webapp/app/v3/mollifier/syntheticTrace.server.ts
new file mode 100644
index 00000000000..f0660d8ef1e
--- /dev/null
+++ b/apps/webapp/app/v3/mollifier/syntheticTrace.server.ts
@@ -0,0 +1,79 @@
+import { millisecondsToNanoseconds } from "@trigger.dev/core/v3";
+import { createTreeFromFlatItems, flattenTree } from "~/components/primitives/TreeView/TreeView";
+import { createTimelineSpanEventsFromSpanEvents } from "~/utils/timelineSpanEvents";
+import type { SpanSummary } from "~/v3/eventRepository/eventRepository.types";
+import type { SyntheticRun } from "./readFallback.server";
+
+// Build a single-span trace for a buffered run so the run-detail page
+// renders a meaningful timeline before the drainer materialises the
+// row. Mirrors the shape produced by `RunPresenter` when its trace
+// store lookup returns no spans, so the dashboard consumer treats the
+// buffered run identically to a freshly enqueued PG run that hasn't
+// emitted any events yet.
+export function buildSyntheticTraceForBufferedRun(run: SyntheticRun) {
+  const spanId = run.spanId ?? "";
+  const isCancelled = run.status === "CANCELED";
+  const isFailed = run.status === "FAILED";
+  const span: SpanSummary = {
+    id: spanId,
+    parentId: run.parentSpanId,
+    runId: run.friendlyId,
+    data: {
+      message: run.taskIdentifier ?? "Task",
+      style: { icon: "task", variant: "primary" },
+      events: [],
+      startTime: run.createdAt,
+      duration: 0,
+      isError: isFailed,
+      // CANCELED and FAILED are terminal; only a still-queued buffered run
+      // is partial. A partial failed span would otherwise render as
+      // "executing" forever in the timeline.
+      isPartial: !isCancelled && !isFailed,
+      isCancelled,
+      isDebug: false,
+      level: "TRACE",
+    },
+  };
+
+  const tree = createTreeFromFlatItems([span], spanId);
+  const treeRootStartTimeMs = tree?.data.startTime.getTime() ?? 0;
+  const totalDuration = Math.max(tree?.data.duration ?? 0, millisecondsToNanoseconds(1));
+
+  const events = tree
+    ? flattenTree(tree).map((n) => {
+        const offset = millisecondsToNanoseconds(
+          n.data.startTime.getTime() - treeRootStartTimeMs
+        );
+        // Mirror RunPresenter: raw span events stay server-side, only
+        // timelineEvents ship to the client.
+        const { events: spanEvents, ...data } = n.data;
+        return {
+          ...n,
+          data: {
+            ...data,
+            timelineEvents: createTimelineSpanEventsFromSpanEvents(spanEvents, false, treeRootStartTimeMs),
+            duration: n.data.isPartial ? null : n.data.duration,
+            offset,
+            isRoot: n.id === spanId,
+          },
+        };
+      })
+    : [];
+
+  return {
+    // Matches RunPresenter's derivation: failed root span -> "failed",
+    // otherwise a terminal (non-partial) span -> "completed", else
+    // "executing". CANCELED is terminal-but-not-error, so "completed".
+    rootSpanStatus: (isFailed ? "failed" : isCancelled ? "completed" : "executing") as
+      | "executing"
+      | "completed"
+      | "failed",
+    events,
+    duration: totalDuration,
+    rootStartedAt: tree?.data.startTime,
+    startedAt: null,
+    queuedDuration: undefined,
+    overridesBySpanId: undefined,
+    linkedRunIdBySpanId: {} as Record<string, string>,
+  };
+}
diff --git a/apps/webapp/app/v3/mollifierDrainerWorker.server.ts b/apps/webapp/app/v3/mollifierDrainerWorker.server.ts
new file mode 100644
index 00000000000..b79b9f08e5b
--- /dev/null
+++ b/apps/webapp/app/v3/mollifierDrainerWorker.server.ts
@@ -0,0 +1,132 @@
+import { env } from "~/env.server";
+import { logger } from "~/services/logger.server";
+import { signalsEmitter } from "~/services/signals.server";
+import {
+  getMollifierDrainer,
+  MollifierConfigurationError,
+} from "./mollifier/mollifierDrainer.server";
+import { startMollifierDrainingGauge } from "./mollifier/mollifierDrainingGauge.server";
+
+declare global {
+  // eslint-disable-next-line no-var
+  var __mollifierShutdownRegistered__: boolean | undefined;
+}
+
+/**
+ * Bootstraps the mollifier drainer.
+ *
+ * Two-step lifecycle:
+ *   1. Construct the drainer via the gated singleton in
+ *      `mollifierDrainer.server.ts`. That factory validates the
+ *      shutdown-timeout reconciliation against `GRACEFUL_SHUTDOWN_TIMEOUT`
+ *      and throws BEFORE returning if it's misconfigured; the returned
+ *      drainer is configured-but-stopped.
+ *   2. Register SIGTERM/SIGINT shutdown handlers, then call
+ *      `drainer.start()`. Doing this in the bootstrap (and not in the
+ *      factory) guarantees a signal landing during boot can never find
+ *      the polling loop running without a graceful-stop path.
+ *
+ * The drainer is intentionally NOT wired through `~/services/worker.server`
+ * — that file is the legacy ZodWorker / graphile-worker setup. The
+ * mollifier drainer is a custom polling loop over `MollifierBuffer`, not
+ * a graphile-worker job, so it gets its own lifecycle file alongside the
+ * redis-worker workers (`commonWorker`, `alertsWorker`,
+ * `batchTriggerWorker`).
+ *
+ * Gating order:
+ *   - `TRIGGER_MOLLIFIER_DRAINER_ENABLED !== "1"`  → early return. Unset defaults
+ *     to `TRIGGER_MOLLIFIER_ENABLED`, so single-container self-hosters still get
+ *     the drainer for free with one flag. In multi-replica deployments,
+ *     set this to "0" explicitly on every replica except the dedicated
+ *     drainer service so the polling loop doesn't race across replicas.
+ *   - `TRIGGER_MOLLIFIER_ENABLED !== "1"`  → `getMollifierDrainer()` returns null
+ *     and the bootstrap is a no-op. `TRIGGER_MOLLIFIER_ENABLED` remains the
+ *     master kill switch; the new flag only controls WHICH replicas
+ *     run the drainer when the system is on.
+ */
+export function initMollifierDrainerWorker(
+  opts: {
+    // Test seams. Production callers pass nothing; the defaults read the
+    // live env and resolve the live singleton. Tests inject overrides so
+    // the misconfig-rethrow / transient-swallow branches can be driven
+    // without manipulating module-level env state.
+    isEnabled?: () => boolean;
+    getDrainer?: typeof getMollifierDrainer;
+  } = {},
+): void {
+  const isEnabled = opts.isEnabled ?? (() => env.TRIGGER_MOLLIFIER_DRAINER_ENABLED === "1");
+  const getDrainer = opts.getDrainer ?? getMollifierDrainer;
+
+  if (!isEnabled()) {
+    return;
+  }
+
+  try {
+    const drainer = getDrainer();
+    if (drainer && !global.__mollifierShutdownRegistered__) {
+      // `__mollifierShutdownRegistered__` guards against double-register
+      // on dev hot-reloads (this bootstrap is called from
+      // entry.server.tsx, which Remix dev re-evaluates on every change).
+      // Same guard owns both the handler registration and the start()
+      // call so the two never get out of sync.
+      //
+      // Registers through `signalsEmitter` (the webapp-wide singleton in
+      // `~/services/signals.server`) rather than `process.once` directly:
+      //  - matches the codebase convention (runsReplicationInstance,
+      //    llmPricingRegistry, dynamicFlushScheduler etc. all listen on
+      //    the same emitter);
+      //  - `.on` (not `.once`) means a second SIGTERM still reaches us if
+      //    the orchestrator delivers more than one signal before SIGKILL;
+      //  - if SIGTERM lands in the gap between this listener attaching
+      //    and `drainer.start()` below, the first invocation no-ops
+      //    (stop() returns early because the drainer isn't running yet)
+      //    but the listener stays attached for a subsequent signal,
+      //    rather than being consumed by `once`.
+      const stopDrainer = () => {
+        drainer
+          .stop({ timeoutMs: env.TRIGGER_MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS })
+          .catch((error) => {
+            logger.error("Failed to stop mollifier drainer", { error });
+          });
+      };
+      signalsEmitter.on("SIGTERM", stopDrainer);
+      signalsEmitter.on("SIGINT", stopDrainer);
+      global.__mollifierShutdownRegistered__ = true;
+      drainer.start();
+      // Spin up the observability-only gauge poller for the
+      // `mollifier:draining` ZSET cardinality. Colocated with the
+      // drainer because that's the loop creating the DRAINING entries
+      // — same pod, same Redis client lifecycle. Idempotent + unref'd
+      // so it's safe under dev hot-reload and doesn't block shutdown.
+      startMollifierDrainingGauge({
+        intervalMs: env.TRIGGER_MOLLIFIER_DRAINING_GAUGE_INTERVAL_MS,
+      });
+    }
+  } catch (error) {
+    // Deterministic misconfig (shutdown-timeout vs GRACEFUL_SHUTDOWN_TIMEOUT,
+    // missing buffer client) is a deploy-time mistake the operator must
+    // see immediately — rethrow so the process crashes, health checks
+    // fail, and the orchestrator rolls the deploy back. The drainer is currently
+    // monitoring-only and the silent-fallback was tempting, but later phases
+    // make the drainer the source of truth for diverted triggers, where a
+    // silently-disabled drainer means data loss. Better to fail loud now
+    // than retrofit later.
+    //
+    // We accept both `instanceof` and `error.name === ...` so Remix dev
+    // hot-reload (where the consumer can hold a stale class reference)
+    // still recognises the marker.
+    if (
+      error instanceof MollifierConfigurationError ||
+      (error instanceof Error && error.name === "MollifierConfigurationError")
+    ) {
+      logger.error("Mollifier drainer misconfiguration — failing loud", {
+        error: error.message,
+      });
+      throw error;
+    }
+    // Anything else (transient Redis blip, unexpected runtime error) is
+    // logged but kept non-fatal — the rest of the webapp shouldn't go
+    // down because the buffer's Redis cluster is briefly unreachable.
+    logger.error("Failed to initialise mollifier drainer", { error });
+  }
+}
diff --git a/apps/webapp/app/v3/mollifierStaleSweepWorker.server.ts b/apps/webapp/app/v3/mollifierStaleSweepWorker.server.ts
new file mode 100644
index 00000000000..e147422bfe6
--- /dev/null
+++ b/apps/webapp/app/v3/mollifierStaleSweepWorker.server.ts
@@ -0,0 +1,76 @@
+import { env } from "~/env.server";
+import { logger } from "~/services/logger.server";
+import { signalsEmitter } from "~/services/signals.server";
+import {
+  startStaleSweepInterval,
+  type StaleSweepIntervalHandle,
+} from "./mollifier/mollifierStaleSweep.server";
+import { MollifierStaleSweepState } from "./mollifier/mollifierStaleSweepState.server";
+
+declare global {
+  // eslint-disable-next-line no-var
+  var __mollifierStaleSweepRegistered__: boolean | undefined;
+  // eslint-disable-next-line no-var
+  var __mollifierStaleSweepHandle__: StaleSweepIntervalHandle | undefined;
+}
+
+/**
+ * Bootstraps the mollifier stale-entry sweep.
+ *
+ * Independent of the drainer — its purpose is to alert when entries are
+ * piling up despite the drainer being supposedly healthy, so it runs
+ * any time the mollifier itself is enabled (gated separately from
+ * `TRIGGER_MOLLIFIER_DRAINER_ENABLED`). The sweep is read-only: it
+ * counts and logs stale entries but does not remove or salvage them.
+ *
+ * The Remix dev server re-evaluates `entry.server.tsx` on every change,
+ * so the registration guard + handle cache make the bootstrap
+ * idempotent across hot reloads.
+ */
+export function initMollifierStaleSweepWorker(): void {
+  if (env.TRIGGER_MOLLIFIER_STALE_SWEEP_ENABLED !== "1") return;
+  if (global.__mollifierStaleSweepRegistered__) return;
+
+  logger.debug("Initializing mollifier stale-entry sweep", {
+    intervalMs: env.TRIGGER_MOLLIFIER_STALE_SWEEP_INTERVAL_MS,
+    staleThresholdMs: env.TRIGGER_MOLLIFIER_STALE_SWEEP_THRESHOLD_MS,
+  });
+
+  // Construct the sweep's durable-state Redis client using the same
+  // mollifier-Redis credentials as the buffer. Keeping this client
+  // separate from the buffer's own client keeps state ownership clean:
+  // the buffer abstracts queue/entry state, this abstracts sweep state.
+  const state = new MollifierStaleSweepState({
+    redisOptions: {
+      keyPrefix: "",
+      host: env.TRIGGER_MOLLIFIER_REDIS_HOST,
+      port: env.TRIGGER_MOLLIFIER_REDIS_PORT,
+      username: env.TRIGGER_MOLLIFIER_REDIS_USERNAME,
+      password: env.TRIGGER_MOLLIFIER_REDIS_PASSWORD,
+      enableAutoPipelining: true,
+      ...(env.TRIGGER_MOLLIFIER_REDIS_TLS_DISABLED === "true" ? {} : { tls: {} }),
+    },
+    maxRetriesPerRequest: env.TRIGGER_MOLLIFIER_REDIS_MAX_RETRIES_PER_REQUEST,
+  });
+
+  const handle = startStaleSweepInterval(
+    {
+      intervalMs: env.TRIGGER_MOLLIFIER_STALE_SWEEP_INTERVAL_MS,
+      staleThresholdMs: env.TRIGGER_MOLLIFIER_STALE_SWEEP_THRESHOLD_MS,
+      maxEntriesPerEnv: env.TRIGGER_MOLLIFIER_STALE_SWEEP_MAX_ENTRIES_PER_ENV,
+      maxOrgsPerPass: env.TRIGGER_MOLLIFIER_STALE_SWEEP_MAX_ORGS_PER_PASS,
+    },
+    { state },
+  );
+
+  // `handle.stop` is now async (it closes the Redis client). The signals
+  // emitter swallows promise rejections from listeners, so wrap it in a
+  // void-returning shim to be explicit about discarding the promise.
+  const onShutdown = (): void => {
+    void handle.stop();
+  };
+  signalsEmitter.on("SIGTERM", onShutdown);
+  signalsEmitter.on("SIGINT", onShutdown);
+  global.__mollifierStaleSweepRegistered__ = true;
+  global.__mollifierStaleSweepHandle__ = handle;
+}
diff --git a/apps/webapp/app/v3/objectStore.server.ts b/apps/webapp/app/v3/objectStore.server.ts
index bd85fb905fa..16aa9d71ee4 100644
--- a/apps/webapp/app/v3/objectStore.server.ts
+++ b/apps/webapp/app/v3/objectStore.server.ts
@@ -1,9 +1,15 @@
+import { json } from "@remix-run/server-runtime";
 import { type IOPacket } from "@trigger.dev/core/v3";
 import { env } from "~/env.server";
 import { type AuthenticatedEnvironment } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
+import { ServiceValidationError } from "~/v3/services/common.server";
 import { singleton } from "~/utils/singleton";
-import { ObjectStoreClient, type ObjectStoreClientConfig } from "./objectStoreClient.server";
+import {
+  normalizeObjectStoreLogicalKeyPathname,
+  ObjectStoreClient,
+  type ObjectStoreClientConfig,
+} from "./objectStoreClient.server";
 
 /**
  * Parsed storage URI with optional protocol prefix
@@ -47,6 +53,115 @@ export function formatStorageUri(path: string, protocol?: string): string {
   return path;
 }
 
+export const INVALID_PACKET_STORAGE_PATH = "Invalid packet storage path";
+
+export type PacketPresignFailure = {
+  success: false;
+  error: string;
+  status?: number;
+};
+
+const PACKET_RELATIVE_PATH_BASE = "/__packet_base__";
+
+function throwInvalidPacketStoragePath(): never {
+  throw new ServiceValidationError(INVALID_PACKET_STORAGE_PATH, 400);
+}
+
+function assertRawPacketRelativePathSegments(path: string): void {
+  if (!path || path.includes("\\") || path.startsWith("/")) {
+    throwInvalidPacketStoragePath();
+  }
+
+  for (const segment of path.split("/")) {
+    if (segment === "" || segment === "." || segment === "..") {
+      throwInvalidPacketStoragePath();
+    }
+
+    if (segment.includes("%")) {
+      let decoded: string;
+      try {
+        decoded = decodeURIComponent(segment);
+      } catch {
+        throwInvalidPacketStoragePath();
+      }
+
+      if (decoded === "." || decoded === ".." || decoded.includes("/")) {
+        throwInvalidPacketStoragePath();
+      }
+    }
+  }
+}
+
+/**
+ * Normalize a packet-relative path using the same URL pathname resolution as object-store clients.
+ */
+export function normalizePacketRelativePath(path: string): string {
+  const url = new URL("https://trigger.invalid");
+  url.pathname = `${PACKET_RELATIVE_PATH_BASE}/${path.replace(/^\/+/, "")}`;
+
+  const prefix = `${PACKET_RELATIVE_PATH_BASE}/`;
+  if (!url.pathname.startsWith(prefix)) {
+    throwInvalidPacketStoragePath();
+  }
+
+  return url.pathname.slice(prefix.length);
+}
+
+/**
+ * Ensure a full logical object-store key resolves under the packet prefix after URL normalization.
+ */
+export function assertPacketObjectStoreKeyUnderPrefix(key: string, packetPrefix: string): void {
+  const normalizedKeyPath = normalizeObjectStoreLogicalKeyPathname(key);
+  const normalizedPrefixPath = normalizeObjectStoreLogicalKeyPathname(packetPrefix);
+
+  if (
+    normalizedKeyPath !== normalizedPrefixPath &&
+    !normalizedKeyPath.startsWith(`${normalizedPrefixPath}/`)
+  ) {
+    throwInvalidPacketStoragePath();
+  }
+}
+
+/**
+ * Validate a packet-relative path and return the canonical form used for object-store keys.
+ */
+export function resolveSafePacketRelativePath(path: string): string {
+  assertRawPacketRelativePathSegments(path);
+  const normalized = normalizePacketRelativePath(path);
+  assertRawPacketRelativePathSegments(normalized);
+  return normalized;
+}
+
+/**
+ * Reject path traversal and other unsafe packet-relative storage paths before
+ * building object-store keys or presigned URLs.
+ */
+export function assertSafePacketRelativePath(path: string): void {
+  resolveSafePacketRelativePath(path);
+}
+
+function buildPacketObjectStoreKey(
+  projectRef: string,
+  envSlug: string,
+  relativePath: string
+): string {
+  const safeRelativePath = resolveSafePacketRelativePath(relativePath);
+  const prefix = `packets/${projectRef}/${envSlug}`;
+  const key = `${prefix}/${safeRelativePath}`;
+  assertPacketObjectStoreKeyUnderPrefix(key, prefix);
+  return key;
+}
+
+/** JSON response for packet presign failures (400 client error vs 500 internal). */
+export function jsonPacketPresignFailure(failure: PacketPresignFailure) {
+  const status = failure.status ?? 500;
+  if (status === 400) {
+    return json({ error: failure.error }, { status: 400 });
+  }
+
+  return json({ error: `Failed to generate presigned URL: ${failure.error}` }, { status: 500 });
+}
+
 /**
  * Get object storage configuration for a given protocol.
  * Returns a config if baseUrl is set, even without explicit credentials —
@@ -134,14 +249,20 @@ export async function uploadPacketToObjectStore(
     throw new Error(`Object store is not configured for protocol: ${protocol || "default"}`);
   }
 
-  const key = `packets/${environment.project.externalRef}/${environment.slug}/${filename}`;
+  const { path } = parseStorageUri(filename);
+  const safePath = resolveSafePacketRelativePath(path);
+  const key = buildPacketObjectStoreKey(
+    environment.project.externalRef,
+    environment.slug,
+    safePath
+  );
 
   logger.debug("Uploading to object store", { key, protocol: protocol || "default" });
 
   await client.putObject(key, data, contentType);
 
-  // Return filename with protocol prefix if specified
-  return formatStorageUri(filename, protocol);
+  // Return canonical storage URI (path only in the key; protocol prefix applied here)
+  return formatStorageUri(safePath, protocol);
 }
 
 export async function downloadPacketFromObjectStore(
@@ -162,14 +283,18 @@ export async function downloadPacketFromObjectStore(
   }
 
   const { protocol, path } = parseStorageUri(packet.data);
+  const key = buildPacketObjectStoreKey(
+    environment.project.externalRef,
+    environment.slug,
+    path
+  );
+
   const client = getObjectStoreClient(protocol);
 
   if (!client) {
     throw new Error(`Object store is not configured for protocol: ${protocol || "default"}`);
   }
 
-  const key = `packets/${environment.project.externalRef}/${environment.slug}/${path}`;
-
   logger.debug("Downloading from object store", { key, protocol: protocol || "default" });
 
   const data = await client.getObject(key);
@@ -220,10 +345,7 @@ export async function generatePresignedRequest(
   method: "PUT" | "GET" = "PUT",
   options?: GeneratePacketPresignOptions
 ): Promise<
-  | {
-      success: false;
-      error: string;
-    }
+  | PacketPresignFailure
   | {
       success: true;
       request: Request;
@@ -237,6 +359,21 @@ export async function generatePresignedRequest(
     options?.forceNoPrefix
   );
 
+  let safePath: string;
+  try {
+    safePath = resolveSafePacketRelativePath(path);
+  } catch (error) {
+    if (error instanceof ServiceValidationError) {
+      return {
+        success: false,
+        error: error.message,
+        status: error.status ?? 400,
+      };
+    }
+
+    throw error;
+  }
+
   const config = getObjectStoreConfig(storeProtocol);
   if (!config?.baseUrl) {
     return {
@@ -253,7 +390,7 @@ export async function generatePresignedRequest(
     };
   }
 
-  const key = `packets/${projectRef}/${envSlug}/${path}`;
+  const key = buildPacketObjectStoreKey(projectRef, envSlug, safePath);
 
   try {
     const url = await client.presign(key, method, 300); // 5 minutes
@@ -266,7 +403,7 @@ export async function generatePresignedRequest(
       protocol: storeProtocol || "default",
     });
 
-    const storagePath = method === "PUT" ? formatStorageUri(path, storeProtocol) : undefined;
+    const storagePath = method === "PUT" ? formatStorageUri(safePath, storeProtocol) : undefined;
 
     return {
       success: true,
@@ -276,9 +413,7 @@ export async function generatePresignedRequest(
   } catch (error) {
     return {
       success: false,
-      error: `Failed to generate presigned URL: ${
-        error instanceof Error ? error.message : String(error)
-      }`,
+      error: error instanceof Error ? error.message : String(error),
     };
   }
 }
@@ -289,23 +424,14 @@ export async function generatePresignedUrl(
   filename: string,
   method: "PUT" | "GET" = "PUT",
   options?: GeneratePacketPresignOptions
-): Promise<
-  | {
-      success: false;
-      error: string;
-    }
-  | {
-      success: true;
-      url: string;
-      storagePath?: string;
-    }
-> {
+): Promise<PacketPresignFailure | { success: true; url: string; storagePath?: string }> {
   const signed = await generatePresignedRequest(projectRef, envSlug, filename, method, options);
 
   if (!signed.success) {
     return {
       success: false,
       error: signed.error,
+      status: signed.status,
     };
   }
 
diff --git a/apps/webapp/app/v3/objectStoreClient.server.ts b/apps/webapp/app/v3/objectStoreClient.server.ts
index d7a85924220..9999a40b79e 100644
--- a/apps/webapp/app/v3/objectStoreClient.server.ts
+++ b/apps/webapp/app/v3/objectStoreClient.server.ts
@@ -2,6 +2,16 @@ import { AwsClient } from "aws4fetch";
 import { GetObjectCommand, PutObjectCommand, S3Client } from "@aws-sdk/client-s3";
 import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
 
+/**
+ * Normalize a logical object-store key the same way Aws4FetchClient assigns URL pathnames.
+ * Decodes percent-escapes and resolves `.` / `..` segments before the request is signed.
+ */
+export function normalizeObjectStoreLogicalKeyPathname(logicalKey: string): string {
+  const url = new URL("https://trigger.invalid");
+  url.pathname = `/${logicalKey.replace(/^\/+/, "")}`;
+  return url.pathname;
+}
+
 interface IObjectStoreClient {
   putObject(key: string, body: ReadableStream | string, contentType: string): Promise<string>;
   getObject(key: string): Promise<string>;
@@ -32,7 +42,7 @@ class Aws4FetchClient implements IObjectStoreClient {
 
   private buildUrl(key: string): string {
     const url = new URL(this.config.baseUrl);
-    url.pathname = `/${key}`;
+    url.pathname = normalizeObjectStoreLogicalKeyPathname(key);
     return url.toString();
   }
 
@@ -59,7 +69,7 @@ class Aws4FetchClient implements IObjectStoreClient {
 
   async presign(key: string, method: "PUT" | "GET", expiresIn: number): Promise<string> {
     const url = new URL(this.config.baseUrl);
-    url.pathname = `/${key}`;
+    url.pathname = normalizeObjectStoreLogicalKeyPathname(key);
     url.searchParams.set("X-Amz-Expires", String(expiresIn));
 
     const signed = await this.awsClient.sign(new Request(url, { method }), {
@@ -100,7 +110,7 @@ class AwsSdkClient implements IObjectStoreClient {
 
   private logicalObjectUrl(logicalKey: string): string {
     const url = new URL(this.config.baseUrl);
-    url.pathname = `/${logicalKey}`;
+    url.pathname = normalizeObjectStoreLogicalKeyPathname(logicalKey);
     return url.href;
   }
 
diff --git a/apps/webapp/app/v3/otlpExporter.server.ts b/apps/webapp/app/v3/otlpExporter.server.ts
index 7505693e3ab..975e4aed4a7 100644
--- a/apps/webapp/app/v3/otlpExporter.server.ts
+++ b/apps/webapp/app/v3/otlpExporter.server.ts
@@ -20,15 +20,11 @@ import {
 } from "@trigger.dev/otlp-importer";
 import type { MetricsV1Input } from "@internal/clickhouse";
 import { logger } from "~/services/logger.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
-import { DynamicFlushScheduler } from "./dynamicFlushScheduler.server";
-import { ClickhouseEventRepository } from "./eventRepository/clickhouseEventRepository.server";
-import {
-  clickhouseEventRepository,
-  clickhouseEventRepositoryV2,
-} from "./eventRepository/clickhouseEventRepositoryInstance.server";
+import type { ClickhouseFactory } from "~/services/clickhouse/clickhouseFactory.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
+
 import { generateSpanId } from "./eventRepository/common.server";
-import { EventRepository, eventRepository } from "./eventRepository/eventRepository.server";
+import { eventRepository } from "./eventRepository/eventRepository.server";
 import type {
   CreatableEventKind,
   CreatableEventStatus,
@@ -39,21 +35,25 @@ import { startSpan } from "./tracing.server";
 import { enrichCreatableEvents } from "./utils/enrichCreatableEvents.server";
 import { waitForLlmPricingReady } from "./llmPricingRegistry.server";
 import { env } from "~/env.server";
-import { detectBadJsonStrings } from "~/utils/detectBadJsonStrings";
 import { singleton } from "~/utils/singleton";
 
+type OTLPExporterConfig = {
+  clickhouseFactory: ClickhouseFactory;
+  verbose: boolean;
+  spanAttributeValueLengthLimit: number;
+};
+
 class OTLPExporter {
   private _tracer: Tracer;
+  private readonly _clickhouseFactory: ClickhouseFactory;
+  private readonly _verbose: boolean;
+  private readonly _spanAttributeValueLengthLimit: number;
 
-  constructor(
-    private readonly _eventRepository: EventRepository,
-    private readonly _clickhouseEventRepository: ClickhouseEventRepository,
-    private readonly _clickhouseEventRepositoryV2: ClickhouseEventRepository,
-    private readonly _metricsFlushScheduler: DynamicFlushScheduler<MetricsV1Input>,
-    private readonly _verbose: boolean,
-    private readonly _spanAttributeValueLengthLimit: number
-  ) {
+  constructor(config: OTLPExporterConfig) {
     this._tracer = trace.getTracer("otlp-exporter");
+    this._clickhouseFactory = config.clickhouseFactory;
+    this._verbose = config.verbose;
+    this._spanAttributeValueLengthLimit = config.spanAttributeValueLengthLimit;
   }
 
   async exportTraces(request: ExportTraceServiceRequest): Promise<ExportTraceServiceResponse> {
@@ -74,23 +74,16 @@ class OTLPExporter {
     });
   }
 
-  async exportMetrics(
-    request: ExportMetricsServiceRequest
-  ): Promise<ExportMetricsServiceResponse> {
+  async exportMetrics(request: ExportMetricsServiceRequest): Promise<ExportMetricsServiceResponse> {
     return await startSpan(this._tracer, "exportMetrics", async (span) => {
-      const rows = this.#filterResourceMetrics(request.resourceMetrics).flatMap(
-        (resourceMetrics) => {
-          return convertMetricsToClickhouseRows(
-            resourceMetrics,
-            this._spanAttributeValueLengthLimit
-          );
-        }
+      const rows = this.#filterResourceMetrics(request.resourceMetrics).flatMap((resourceMetrics) =>
+        convertMetricsToClickhouseRows(resourceMetrics, this._spanAttributeValueLengthLimit)
       );
 
       span.setAttribute("metric_row_count", rows.length);
 
       if (rows.length > 0) {
-        this._metricsFlushScheduler.addToBatch(rows);
+        await this.#exportMetricRows(rows);
       }
 
       return ExportMetricsServiceResponse.create();
@@ -118,40 +111,81 @@ class OTLPExporter {
   async #exportEvents(
     eventsWithStores: { events: Array<CreateEventInput>; taskEventStore: string }[]
   ) {
-    const eventsGroupedByStore = eventsWithStores.reduce((acc, { events, taskEventStore }) => {
-      acc[taskEventStore] = acc[taskEventStore] || [];
-      acc[taskEventStore].push(...events);
-      return acc;
-    }, {} as Record<string, Array<CreateEventInput>>);
+    await waitForLlmPricingReady();
+
+    // Group by unique event repositories
+    const routeCache = new Map<string, { key: string; repository: IEventRepository }>();
+    const groups = new Map<string, { repository: IEventRepository; events: CreateEventInput[] }>();
+    for (const { events, taskEventStore } of eventsWithStores) {
+      for (const event of events) {
+        const routeKey = `${event.organizationId}\0${taskEventStore}`;
+        let resolved = routeCache.get(routeKey);
+        if (!resolved) {
+          // Non-ClickHouse stores (taskEvent / taskEventPartitioned) are Postgres-backed.
+          // The ClickHouse factory only handles clickhouse/clickhouse_v2 and throws otherwise.
+          if (taskEventStore !== "clickhouse" && taskEventStore !== "clickhouse_v2") {
+            // Non-ClickHouse stores (taskEvent / taskEventPartitioned) are Postgres-backed.
+            // The ClickHouse factory only handles clickhouse/clickhouse_v2 and throws otherwise.
+            resolved = { key: "postgres:default", repository: eventRepository };
+          } else {
+            resolved = this._clickhouseFactory.getEventRepositoryForOrganizationSync(
+              taskEventStore,
+              event.organizationId
+            );
+          }
+          routeCache.set(routeKey, resolved);
+        }
 
-    let eventCount = 0;
+        let group = groups.get(resolved.key);
+        if (!group) {
+          group = { repository: resolved.repository, events: [] };
+          groups.set(resolved.key, group);
+        }
+        group.events.push(event);
+      }
+    }
 
-    for (const [store, events] of Object.entries(eventsGroupedByStore)) {
-      const eventRepository = this.#getEventRepositoryForStore(store);
+    let eventCount = 0;
 
-      await waitForLlmPricingReady();
+    for (const [repoKey, { repository, events }] of groups) {
       const enrichedEvents = enrichCreatableEvents(events);
 
-      this.#logEventsVerbose(enrichedEvents, `exportEvents ${store}`);
+      this.#logEventsVerbose(enrichedEvents, `exportEvents ${repoKey}`);
 
       eventCount += enrichedEvents.length;
 
-      await eventRepository.insertMany(enrichedEvents);
+      repository.insertMany(enrichedEvents);
     }
 
     return eventCount;
   }
 
-  #getEventRepositoryForStore(store: string): IEventRepository {
-    if (store === "clickhouse") {
-      return this._clickhouseEventRepository;
-    }
+  async #exportMetricRows(rows: MetricsV1Input[]): Promise<void> {
+    const routeCache = new Map<string, { key: string; repository: IEventRepository }>();
+    const groups = new Map<string, { repository: IEventRepository; rows: MetricsV1Input[] }>();
+
+    for (const row of rows) {
+      const routeKey = row.organization_id;
+      let resolved = routeCache.get(routeKey);
+      if (!resolved) {
+        resolved = this._clickhouseFactory.getEventRepositoryForOrganizationSync(
+          "clickhouse_v2",
+          row.organization_id
+        );
+        routeCache.set(routeKey, resolved);
+      }
 
-    if (store === "clickhouse_v2") {
-      return this._clickhouseEventRepositoryV2;
+      let group = groups.get(resolved.key);
+      if (!group) {
+        group = { repository: resolved.repository, rows: [] };
+        groups.set(resolved.key, group);
+      }
+      group.rows.push(row);
     }
 
-    return this._eventRepository;
+    for (const [, { repository, rows: groupedRows }] of groups) {
+      repository.insertManyMetrics(groupedRows);
+    }
   }
 
   #logEventsVerbose(events: CreateEventInput[], prefix: string) {
@@ -393,7 +427,10 @@ function convertSpansToCreateableEvents(
           SemanticInternalAttributes.METADATA
         );
 
-        const runTags = extractArrayAttribute(span.attributes ?? [], SemanticInternalAttributes.RUN_TAGS);
+        const runTags = extractArrayAttribute(
+          span.attributes ?? [],
+          SemanticInternalAttributes.RUN_TAGS
+        );
 
         const properties =
           truncateAttributes(
@@ -464,7 +501,10 @@ function floorToTenSecondBucket(timeUnixNano: bigint | number): string {
   const flooredMs = Math.floor(epochMs / 10_000) * 10_000;
   const date = new Date(flooredMs);
   // Format as ClickHouse DateTime: YYYY-MM-DD HH:MM:SS
-  return date.toISOString().replace("T", " ").replace(/\.\d{3}Z$/, "");
+  return date
+    .toISOString()
+    .replace("T", " ")
+    .replace(/\.\d{3}Z$/, "");
 }
 
 function convertMetricsToClickhouseRows(
@@ -584,8 +624,7 @@ function resolveDataPointContext(
   attributes: Record<string, unknown>;
 } {
   const runId =
-    resourceCtx.runId ??
-    extractStringAttribute(dpAttributes, SemanticInternalAttributes.RUN_ID);
+    resourceCtx.runId ?? extractStringAttribute(dpAttributes, SemanticInternalAttributes.RUN_ID);
   const taskSlug =
     resourceCtx.taskSlug ??
     extractStringAttribute(dpAttributes, SemanticInternalAttributes.TASK_SLUG);
@@ -1172,26 +1211,13 @@ function hasUnpairedSurrogateAtEnd(str: string): boolean {
 
 export const otlpExporter = singleton("otlpExporter", initializeOTLPExporter);
 
-function initializeOTLPExporter() {
-  const metricsFlushScheduler = new DynamicFlushScheduler<MetricsV1Input>({
-    batchSize: env.METRICS_CLICKHOUSE_BATCH_SIZE,
-    flushInterval: env.METRICS_CLICKHOUSE_FLUSH_INTERVAL_MS,
-    callback: async (_flushId, batch) => {
-      await clickhouseClient.metrics.insert(batch);
-    },
-    minConcurrency: 1,
-    maxConcurrency: env.METRICS_CLICKHOUSE_MAX_CONCURRENCY,
-    loadSheddingEnabled: false,
-  });
-
-  return new OTLPExporter(
-    eventRepository,
-    clickhouseEventRepository,
-    clickhouseEventRepositoryV2,
-    metricsFlushScheduler,
-    process.env.OTLP_EXPORTER_VERBOSE === "1",
-    process.env.SERVER_OTEL_SPAN_ATTRIBUTE_VALUE_LENGTH_LIMIT
+async function initializeOTLPExporter() {
+  await clickhouseFactory.isReady();
+  return new OTLPExporter({
+    clickhouseFactory,
+    verbose: process.env.OTLP_EXPORTER_VERBOSE === "1",
+    spanAttributeValueLengthLimit: process.env.SERVER_OTEL_SPAN_ATTRIBUTE_VALUE_LENGTH_LIMIT
       ? parseInt(process.env.SERVER_OTEL_SPAN_ATTRIBUTE_VALUE_LENGTH_LIMIT, 10)
-      : 8192
-  );
-}
\ No newline at end of file
+      : 8192,
+  });
+}
diff --git a/apps/webapp/app/v3/querySchemas.ts b/apps/webapp/app/v3/querySchemas.ts
index 1d2c5467742..947e6e8e468 100644
--- a/apps/webapp/app/v3/querySchemas.ts
+++ b/apps/webapp/app/v3/querySchemas.ts
@@ -176,11 +176,19 @@ export const runsSchema: TableSchema = {
     idempotency_key: {
       name: "idempotency_key",
       clickhouseName: "idempotency_key_user",
-      ...column("String", { description: "Idempotency key (available from 4.3.3)", example: "user-123-action-456" }),
+      ...column("String", {
+        description: "Idempotency key (available from 4.3.3)",
+        example: "user-123-action-456",
+      }),
     },
     idempotency_key_scope: {
       name: "idempotency_key_scope",
-      ...column("String", { description: "The idempotency key scope determines whether a task should be considered unique within a parent run, a specific attempt, or globally. An empty value means there's no idempotency key set (available from 4.3.3).", example: "run", allowedValues: ["global", "run", "attempt"], }),
+      ...column("String", {
+        description:
+          "The idempotency key scope determines whether a task should be considered unique within a parent run, a specific attempt, or globally. An empty value means there's no idempotency key set (available from 4.3.3).",
+        example: "run",
+        allowedValues: ["global", "run", "attempt"],
+      }),
     },
     region: {
       name: "region",
@@ -404,6 +412,13 @@ export const runsSchema: TableSchema = {
       ...column("UInt8", { description: "Whether this is a test run (0 or 1)", example: "0" }),
       expression: "if(is_test > 0, true, false)",
     },
+    is_warm_start: {
+      name: "is_warm_start",
+      ...column("Nullable(UInt8)", {
+        description: "Whether this run used a warm start vs a cold start.",
+        example: "1",
+      }),
+    },
     concurrency_key: {
       name: "concurrency_key",
       ...column("String", {
diff --git a/apps/webapp/app/v3/registryConfig.server.ts b/apps/webapp/app/v3/registryConfig.server.ts
index 72e2abdaee8..eb7986edd06 100644
--- a/apps/webapp/app/v3/registryConfig.server.ts
+++ b/apps/webapp/app/v3/registryConfig.server.ts
@@ -8,6 +8,7 @@ export type RegistryConfig = {
   ecrTags?: string;
   ecrAssumeRoleArn?: string;
   ecrAssumeRoleExternalId?: string;
+  ecrDefaultRepositoryPolicy?: string;
 };
 
 export function getRegistryConfig(isV4Deployment: boolean): RegistryConfig {
@@ -20,6 +21,7 @@ export function getRegistryConfig(isV4Deployment: boolean): RegistryConfig {
       ecrTags: env.V4_DEPLOY_REGISTRY_ECR_TAGS,
       ecrAssumeRoleArn: env.V4_DEPLOY_REGISTRY_ECR_ASSUME_ROLE_ARN,
       ecrAssumeRoleExternalId: env.V4_DEPLOY_REGISTRY_ECR_ASSUME_ROLE_EXTERNAL_ID,
+      ecrDefaultRepositoryPolicy: env.V4_DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY,
     };
   }
 
@@ -31,5 +33,6 @@ export function getRegistryConfig(isV4Deployment: boolean): RegistryConfig {
     ecrTags: env.DEPLOY_REGISTRY_ECR_TAGS,
     ecrAssumeRoleArn: env.DEPLOY_REGISTRY_ECR_ASSUME_ROLE_ARN,
     ecrAssumeRoleExternalId: env.DEPLOY_REGISTRY_ECR_ASSUME_ROLE_EXTERNAL_ID,
+    ecrDefaultRepositoryPolicy: env.DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY,
   };
 }
diff --git a/apps/webapp/app/v3/remoteImageBuilder.server.ts b/apps/webapp/app/v3/remoteImageBuilder.server.ts
index a6f113022af..763ef2e95ff 100644
--- a/apps/webapp/app/v3/remoteImageBuilder.server.ts
+++ b/apps/webapp/app/v3/remoteImageBuilder.server.ts
@@ -1,13 +1,21 @@
 import { depot } from "@depot/sdk-node";
 import { type ExternalBuildData } from "@trigger.dev/core/v3";
-import { type Project } from "@trigger.dev/database";
 import { prisma } from "~/db.server";
 import { env } from "~/env.server";
 import pRetry from "p-retry";
 import { logger } from "~/services/logger.server";
 
+// Just the project columns this module reads — keeps the signature
+// compatible with both the full Prisma `Project` payload and the slim
+// `AuthenticatedEnvironment["project"]` shape.
+type ProjectForBuilder = {
+  id: string;
+  externalRef: string;
+  builderProjectId: string | null;
+};
+
 export async function createRemoteImageBuild(
-  project: Project
+  project: ProjectForBuilder
 ): Promise<ExternalBuildData | undefined> {
   if (!remoteBuildsEnabled()) {
     return;
@@ -42,7 +50,7 @@ export async function createRemoteImageBuild(
   };
 }
 
-async function createBuilderProjectIfNotExists(project: Project) {
+async function createBuilderProjectIfNotExists(project: ProjectForBuilder) {
   if (project.builderProjectId) {
     return project.builderProjectId;
   }
diff --git a/apps/webapp/app/v3/runEngine.server.ts b/apps/webapp/app/v3/runEngine.server.ts
index b55bc352a24..e2c8ad85e94 100644
--- a/apps/webapp/app/v3/runEngine.server.ts
+++ b/apps/webapp/app/v3/runEngine.server.ts
@@ -6,6 +6,7 @@ import { logger } from "~/services/logger.server";
 import { defaultMachine, getCurrentPlan } from "~/services/platform.v3.server";
 import { singleton } from "~/utils/singleton";
 import { allMachines } from "./machinePresets.server";
+import { runEnginePendingVersionLookup } from "./runEnginePendingVersionLookup.server";
 import { meter, tracer } from "./tracer.server";
 
 export const engine = singleton("RunEngine", createRunEngine);
@@ -19,6 +20,12 @@ function createRunEngine() {
     logLevel: env.RUN_ENGINE_WORKER_LOG_LEVEL,
     treatProductionExecutionStallsAsOOM:
       env.RUN_ENGINE_TREAT_PRODUCTION_EXECUTION_STALLS_AS_OOM === "1",
+    readReplicaSnapshotsSinceEnabled:
+      env.RUN_ENGINE_READ_REPLICA_SNAPSHOTS_SINCE_ENABLED === "1",
+    readReplicaSnapshotsSinceRetryDelay: {
+      minMs: env.RUN_ENGINE_SNAPSHOTS_SINCE_REPLICA_RETRY_MIN_MS,
+      maxMs: env.RUN_ENGINE_SNAPSHOTS_SINCE_REPLICA_RETRY_MAX_MS,
+    },
     worker: {
       disabled: env.RUN_ENGINE_WORKER_ENABLED === "0",
       workers: env.RUN_ENGINE_WORKER_COUNT,
@@ -129,6 +136,7 @@ function createRunEngine() {
       factor: env.RUN_ENGINE_SUSPENDED_HEARTBEAT_RETRIES_FACTOR,
     },
     retryWarmStartThresholdMs: env.RUN_ENGINE_RETRY_WARM_START_THRESHOLD_MS,
+    pendingVersionRunIdLookup: runEnginePendingVersionLookup,
     billing: {
       getCurrentPlan: async (orgId: string) => {
         const plan = await getCurrentPlan(orgId);
@@ -212,6 +220,9 @@ function createRunEngine() {
     // Debounce configuration
     debounce: {
       maxDebounceDurationMs: env.RUN_ENGINE_MAXIMUM_DEBOUNCE_DURATION_MS,
+      quantizeNewDelayUntilMs: env.RUN_ENGINE_DEBOUNCE_QUANTIZE_NEW_DELAY_UNTIL_MS,
+      fastPathSkipEnabled: env.RUN_ENGINE_DEBOUNCE_FAST_PATH_SKIP_ENABLED === "1",
+      useReplicaForFastPathRead: env.RUN_ENGINE_DEBOUNCE_USE_REPLICA_FOR_FAST_PATH_READ === "1",
     },
   });
 
diff --git a/apps/webapp/app/v3/runEngineHandlers.server.ts b/apps/webapp/app/v3/runEngineHandlers.server.ts
index e728160f00f..082974af388 100644
--- a/apps/webapp/app/v3/runEngineHandlers.server.ts
+++ b/apps/webapp/app/v3/runEngineHandlers.server.ts
@@ -17,17 +17,15 @@ import { QueueSizeLimitExceededError } from "~/v3/services/common.server";
 import { TriggerTaskService } from "~/v3/services/triggerTask.server";
 import { tracer } from "~/v3/tracer.server";
 import { createExceptionPropertiesFromError } from "./eventRepository/common.server";
-import {
-  recordRunDebugLog,
-  resolveEventRepositoryForStore,
-} from "./eventRepository/index.server";
+import { getEventRepositoryForStore, recordRunDebugLog } from "./eventRepository/index.server";
 import { roomFromFriendlyRunId, socketIo } from "./handleSocketIo.server";
 import { engine } from "./runEngine.server";
+import { publishChangeRecord } from "~/services/realtime/runChangeNotifierInstance.server";
 import { PerformTaskRunAlertsService } from "./services/alerts/performTaskRunAlerts.server";
 import { TaskRunErrorCodes } from "@trigger.dev/core/v3";
 
 export function registerRunEngineEventBusHandlers() {
-  engine.eventBus.on("runSucceeded", async ({ time, run }) => {
+  engine.eventBus.on("runSucceeded", async ({ time, run, organization, environment }) => {
     const [taskRunError, taskRun] = await tryCatch(
       $replica.taskRun.findFirstOrThrow({
         where: {
@@ -48,6 +46,11 @@ export function registerRunEngineEventBusHandlers() {
           isTest: true,
           organizationId: true,
           taskEventStore: true,
+          // Piggyback the realtime run-changed publish on this existing read so the
+          // per-env channel carries the membership keys (no separate query). No-op when
+          // the native backend is disabled.
+          runTags: true,
+          batchId: true,
         },
       })
     );
@@ -60,7 +63,18 @@ export function registerRunEngineEventBusHandlers() {
       return;
     }
 
-    const eventRepository = resolveEventRepositoryForStore(run.taskEventStore);
+    publishChangeRecord({
+      runId: taskRun.id,
+      envId: environment.id,
+      tags: taskRun.runTags,
+      batchId: taskRun.batchId,
+      updatedAtMs: run.updatedAt.getTime(),
+    });
+
+    const eventRepository = await getEventRepositoryForStore(
+      run.taskEventStore,
+      taskRun.organizationId ?? organization.id
+    );
 
     const [completeSuccessfulRunEventError] = await tryCatch(
       eventRepository.completeSuccessfulRunEvent({
@@ -91,7 +105,7 @@ export function registerRunEngineEventBusHandlers() {
   });
 
   // Handle events
-  engine.eventBus.on("runFailed", async ({ time, run }) => {
+  engine.eventBus.on("runFailed", async ({ time, run, organization, environment }) => {
     const sanitizedError = sanitizeError(run.error);
     const exception = createExceptionPropertiesFromError(sanitizedError);
 
@@ -115,6 +129,10 @@ export function registerRunEngineEventBusHandlers() {
           isTest: true,
           organizationId: true,
           taskEventStore: true,
+          // Piggyback the realtime run-changed publish on this existing read (no-op when
+          // the native backend is disabled).
+          runTags: true,
+          batchId: true,
         },
       })
     );
@@ -127,7 +145,18 @@ export function registerRunEngineEventBusHandlers() {
       return;
     }
 
-    const eventRepository = resolveEventRepositoryForStore(taskRun.taskEventStore);
+    publishChangeRecord({
+      runId: taskRun.id,
+      envId: environment.id,
+      tags: taskRun.runTags,
+      batchId: taskRun.batchId,
+      updatedAtMs: run.updatedAt.getTime(),
+    });
+
+    const eventRepository = await getEventRepositoryForStore(
+      run.taskEventStore,
+      taskRun.organizationId ?? organization.id
+    );
 
     const [completeFailedRunEventError] = await tryCatch(
       eventRepository.completeFailedRunEvent({
@@ -169,6 +198,10 @@ export function registerRunEngineEventBusHandlers() {
           isTest: true,
           organizationId: true,
           taskEventStore: true,
+          // Piggyback the realtime run-changed publish on this existing read (no-op when
+          // the native backend is disabled).
+          runTags: true,
+          batchId: true,
         },
       })
     );
@@ -181,7 +214,25 @@ export function registerRunEngineEventBusHandlers() {
       return;
     }
 
-    const eventRepository = resolveEventRepositoryForStore(taskRun.taskEventStore);
+    publishChangeRecord({
+      runId: taskRun.id,
+      envId: taskRun.runtimeEnvironmentId,
+      tags: taskRun.runTags,
+      batchId: taskRun.batchId,
+      updatedAtMs: run.updatedAt.getTime(),
+    });
+
+    if (!taskRun.organizationId) {
+      logger.error("[runAttemptFailed] Task run has no organization id", {
+        runId: run.id,
+      });
+      return;
+    }
+
+    const eventRepository = await getEventRepositoryForStore(
+      run.taskEventStore,
+      taskRun.organizationId
+    );
 
     const [createAttemptFailedRunEventError] = await tryCatch(
       eventRepository.createAttemptFailedRunEvent({
@@ -282,7 +333,17 @@ export function registerRunEngineEventBusHandlers() {
         return;
       }
 
-      const eventRepository = resolveEventRepositoryForStore(blockedRun.taskEventStore);
+      if (!blockedRun.organizationId) {
+        logger.error("[cachedRunCompleted] Blocked run has no organization id", {
+          blockedRunId,
+        });
+        return;
+      }
+
+      const eventRepository = await getEventRepositoryForStore(
+        blockedRun.taskEventStore,
+        blockedRun.organizationId
+      );
 
       const [completeCachedRunEventError] = await tryCatch(
         eventRepository.completeCachedRunEvent({
@@ -305,7 +366,7 @@ export function registerRunEngineEventBusHandlers() {
     }
   );
 
-  engine.eventBus.on("runExpired", async ({ time, run }) => {
+  engine.eventBus.on("runExpired", async ({ time, run, organization, environment }) => {
     if (!run.ttl) {
       return;
     }
@@ -330,6 +391,10 @@ export function registerRunEngineEventBusHandlers() {
           isTest: true,
           organizationId: true,
           taskEventStore: true,
+          // Piggyback the realtime run-changed publish on this existing read (no-op when
+          // the native backend is disabled).
+          runTags: true,
+          batchId: true,
         },
       })
     );
@@ -342,7 +407,18 @@ export function registerRunEngineEventBusHandlers() {
       return;
     }
 
-    const eventRepository = resolveEventRepositoryForStore(taskRun.taskEventStore);
+    publishChangeRecord({
+      runId: taskRun.id,
+      envId: environment.id,
+      tags: taskRun.runTags,
+      batchId: taskRun.batchId,
+      updatedAtMs: run.updatedAt.getTime(),
+    });
+
+    const eventRepository = await getEventRepositoryForStore(
+      taskRun.taskEventStore,
+      taskRun.organizationId ?? organization.id
+    );
 
     const [completeExpiredRunEventError] = await tryCatch(
       eventRepository.completeExpiredRunEvent({
@@ -360,7 +436,7 @@ export function registerRunEngineEventBusHandlers() {
     }
   });
 
-  engine.eventBus.on("runCancelled", async ({ time, run }) => {
+  engine.eventBus.on("runCancelled", async ({ time, run, organization, environment }) => {
     const [taskRunError, taskRun] = await tryCatch(
       $replica.taskRun.findFirstOrThrow({
         where: {
@@ -381,6 +457,10 @@ export function registerRunEngineEventBusHandlers() {
           isTest: true,
           organizationId: true,
           taskEventStore: true,
+          // Piggyback the realtime run-changed publish on this existing read (no-op when
+          // the native backend is disabled).
+          runTags: true,
+          batchId: true,
         },
       })
     );
@@ -393,7 +473,18 @@ export function registerRunEngineEventBusHandlers() {
       return;
     }
 
-    const eventRepository = resolveEventRepositoryForStore(taskRun.taskEventStore);
+    publishChangeRecord({
+      runId: taskRun.id,
+      envId: environment.id,
+      tags: taskRun.runTags,
+      batchId: taskRun.batchId,
+      updatedAtMs: run.updatedAt.getTime(),
+    });
+
+    const eventRepository = await getEventRepositoryForStore(
+      taskRun.taskEventStore,
+      taskRun.organizationId ?? organization.id
+    );
 
     const error = createJsonErrorObject(run.error);
 
@@ -413,46 +504,53 @@ export function registerRunEngineEventBusHandlers() {
     }
   });
 
-  engine.eventBus.on("runRetryScheduled", async ({ time, run, environment, retryAt }) => {
-    try {
-      if (retryAt && time && time >= retryAt) {
-        return;
-      }
+  engine.eventBus.on(
+    "runRetryScheduled",
+    async ({ time, run, environment, retryAt, organization }) => {
+      try {
+        if (retryAt && time && time >= retryAt) {
+          return;
+        }
 
-      let retryMessage = `Retry ${typeof run.attemptNumber === "number" ? `#${run.attemptNumber - 1}` : ""
+        let retryMessage = `Retry ${
+          typeof run.attemptNumber === "number" ? `#${run.attemptNumber - 1}` : ""
         } delay`;
 
-      if (run.nextMachineAfterOOM) {
-        retryMessage += ` after OOM`;
-      }
+        if (run.nextMachineAfterOOM) {
+          retryMessage += ` after OOM`;
+        }
 
-      const eventRepository = resolveEventRepositoryForStore(run.taskEventStore);
+        const eventRepository = await getEventRepositoryForStore(
+          run.taskEventStore ?? "taskEvent",
+          organization.id
+        );
 
-      await eventRepository.recordEvent(retryMessage, {
-        startTime: BigInt(time.getTime() * 1000000),
-        taskSlug: run.taskIdentifier,
-        environment,
-        attributes: {
-          properties: {
-            retryAt: retryAt.toISOString(),
-            nextMachine: run.nextMachineAfterOOM,
-          },
-          runId: run.friendlyId,
-          style: {
-            icon: "schedule-attempt",
+        await eventRepository.recordEvent(retryMessage, {
+          startTime: BigInt(time.getTime() * 1000000),
+          taskSlug: run.taskIdentifier,
+          environment,
+          attributes: {
+            properties: {
+              retryAt: retryAt.toISOString(),
+              nextMachine: run.nextMachineAfterOOM,
+            },
+            runId: run.friendlyId,
+            style: {
+              icon: "schedule-attempt",
+            },
           },
-        },
-        context: run.traceContext as Record<string, string | undefined>,
-        endTime: retryAt,
-      });
-    } catch (error) {
-      logger.error("[runRetryScheduled] Failed to record retry event", {
-        error: error instanceof Error ? error.message : error,
-        runId: run.id,
-        spanId: run.spanId,
-      });
+          context: run.traceContext as Record<string, string | undefined>,
+          endTime: retryAt,
+        });
+      } catch (error) {
+        logger.error("[runRetryScheduled] Failed to record retry event", {
+          error: error instanceof Error ? error.message : error,
+          runId: run.id,
+          spanId: run.spanId,
+        });
+      }
     }
-  });
+  );
 
   engine.eventBus.on("runAttemptStarted", async ({ time, run, organization }) => {
     try {
@@ -469,15 +567,29 @@ export function registerRunEngineEventBusHandlers() {
   });
 
   engine.eventBus.on("runMetadataUpdated", async ({ time, run }) => {
-    const env = await findEnvironmentFromRun(run.id);
+    const result = await findEnvironmentFromRun(run.id);
 
-    if (!env) {
+    if (!result) {
       logger.error("[runMetadataUpdated] Failed to find environment", { runId: run.id });
       return;
     }
 
+    const { environment, runTags, batchId } = result;
+
     try {
-      await updateMetadataService.call(run.id, run.metadata, env);
+      const updateResult = await updateMetadataService.call(run.id, run.metadata, environment);
+      // Realtime run-changed publish, after the write so the router's hydrate sees the new
+      // row. A full record (env + tags + batchId + the committed updatedAt watermark), so
+      // feeds route by index. Nothing written here (no-op or buffered) = nothing to announce.
+      if (updateResult?.updatedAtMs !== undefined) {
+        publishChangeRecord({
+          runId: run.id,
+          envId: environment.id,
+          tags: runTags,
+          batchId,
+          updatedAtMs: updateResult.updatedAtMs,
+        });
+      }
     } catch (e) {
       if (e instanceof MetadataTooLargeError) {
         logger.warn("[runMetadataUpdated] Failed to update metadata, too large", {
@@ -485,10 +597,10 @@ export function registerRunEngineEventBusHandlers() {
           error:
             e instanceof Error
               ? {
-                name: e.name,
-                message: e.message,
-                stack: e.stack,
-              }
+                  name: e.name,
+                  message: e.message,
+                  stack: e.stack,
+                }
               : e,
         });
       } else {
@@ -497,10 +609,10 @@ export function registerRunEngineEventBusHandlers() {
           error:
             e instanceof Error
               ? {
-                name: e.name,
-                message: e.message,
-                stack: e.stack,
-              }
+                  name: e.name,
+                  message: e.message,
+                  stack: e.stack,
+                }
               : e,
         });
       }
@@ -658,120 +770,200 @@ const QUEUE_SIZE_LIMIT_EXCEEDED_ERROR_CODE = "QUEUE_SIZE_LIMIT_EXCEEDED";
  */
 export function setupBatchQueueCallbacks() {
   // Item processing callback - creates a run for each batch item
-  engine.setBatchProcessItemCallback(async ({ batchId, friendlyId, itemIndex, item, meta, attempt, isFinalAttempt }) => {
-    return tracer.startActiveSpan(
-      "batch.processItem",
-      {
-        kind: SpanKind.INTERNAL,
-        attributes: {
-          "batch.id": friendlyId,
-          "batch.item_index": itemIndex,
-          "batch.task": item.task,
-          "batch.environment_id": meta.environmentId,
-          "batch.parent_run_id": meta.parentRunId ?? "",
-          "batch.attempt": attempt,
-          "batch.is_final_attempt": isFinalAttempt,
+  engine.setBatchProcessItemCallback(
+    async ({ batchId, friendlyId, itemIndex, item, meta, attempt, isFinalAttempt }) => {
+      return tracer.startActiveSpan(
+        "batch.processItem",
+        {
+          kind: SpanKind.INTERNAL,
+          attributes: {
+            "batch.id": friendlyId,
+            "batch.item_index": itemIndex,
+            "batch.task": item.task,
+            "batch.environment_id": meta.environmentId,
+            "batch.parent_run_id": meta.parentRunId ?? "",
+            "batch.attempt": attempt,
+            "batch.is_final_attempt": isFinalAttempt,
+          },
         },
-      },
-      async (span) => {
-        const triggerFailedTaskService = new TriggerFailedTaskService({
-          prisma,
-          engine,
-        });
+        async (span) => {
+          const triggerFailedTaskService = new TriggerFailedTaskService({
+            prisma,
+            engine,
+            replicaPrisma: $replica,
+          });
+
+          // Check for pre-marked error items (e.g. oversized payloads)
+          const itemError = item.options?.__error as string | undefined;
+          if (itemError) {
+            const errorCode = (item.options?.__errorCode as string) ?? "ITEM_ERROR";
+
+            let environment: AuthenticatedEnvironment | undefined;
+            try {
+              environment = (await findEnvironmentById(meta.environmentId)) ?? undefined;
+            } catch {
+              // Best-effort environment lookup
+            }
+
+            if (environment) {
+              const failedRunId = await triggerFailedTaskService.call({
+                taskId: item.task,
+                environment,
+                payload: item.payload ?? "{}",
+                payloadType: item.payloadType as string,
+                errorMessage: itemError,
+                errorCode: errorCode as TaskRunErrorCodes,
+                parentRunId: meta.parentRunId,
+                resumeParentOnCompletion: meta.resumeParentOnCompletion,
+                batch: { id: batchId, index: itemIndex },
+                traceContext: meta.traceContext as Record<string, unknown> | undefined,
+                spanParentAsLink: meta.spanParentAsLink,
+              });
+
+              if (failedRunId) {
+                span.setAttribute("batch.result.pre_failed", true);
+                span.setAttribute("batch.result.run_id", failedRunId);
+                span.end();
+                return { success: true as const, runId: failedRunId };
+              }
+            }
 
-        // Check for pre-marked error items (e.g. oversized payloads)
-        const itemError = item.options?.__error as string | undefined;
-        if (itemError) {
-          const errorCode = (item.options?.__errorCode as string) ?? "ITEM_ERROR";
+            // Fallback if TriggerFailedTaskService or environment lookup fails
+            span.end();
+            return { success: false as const, error: itemError, errorCode };
+          }
 
           let environment: AuthenticatedEnvironment | undefined;
           try {
             environment = (await findEnvironmentById(meta.environmentId)) ?? undefined;
-          } catch {
-            // Best-effort environment lookup
-          }
 
-          if (environment) {
-            const failedRunId = await triggerFailedTaskService.call({
-              taskId: item.task,
-              environment,
-              payload: item.payload ?? "{}",
-              payloadType: item.payloadType as string,
-              errorMessage: itemError,
-              errorCode: errorCode as TaskRunErrorCodes,
-              parentRunId: meta.parentRunId,
-              resumeParentOnCompletion: meta.resumeParentOnCompletion,
-              batch: { id: batchId, index: itemIndex },
-              traceContext: meta.traceContext as Record<string, unknown> | undefined,
-              spanParentAsLink: meta.spanParentAsLink,
-            });
-
-            if (failedRunId) {
-              span.setAttribute("batch.result.pre_failed", true);
-              span.setAttribute("batch.result.run_id", failedRunId);
+            if (!environment) {
+              span.setAttribute("batch.result.error", "Environment not found");
               span.end();
-              return { success: true as const, runId: failedRunId };
+
+              return {
+                success: false as const,
+                error: "Environment not found",
+                errorCode: "ENVIRONMENT_NOT_FOUND",
+              };
             }
-          }
 
-          // Fallback if TriggerFailedTaskService or environment lookup fails
-          span.end();
-          return { success: false as const, error: itemError, errorCode };
-        }
+            const triggerTaskService = new TriggerTaskService();
 
-        let environment: AuthenticatedEnvironment | undefined;
-        try {
-          environment = (await findEnvironmentById(meta.environmentId)) ?? undefined;
+            // Normalize payload - for application/store (R2 paths), this passes through as-is
+            const payload = normalizePayload(item.payload, item.payloadType);
 
-          if (!environment) {
-            span.setAttribute("batch.result.error", "Environment not found");
-            span.end();
+            const result = await triggerTaskService.call(
+              item.task,
+              environment,
+              {
+                payload,
+                options: {
+                  ...(item.options as Record<string, unknown>),
+                  payloadType: item.payloadType,
+                  parentRunId: meta.parentRunId,
+                  resumeParentOnCompletion: meta.resumeParentOnCompletion,
+                  parentBatch: batchId,
+                },
+              },
+              {
+                triggerVersion: meta.triggerVersion,
+                traceContext: meta.traceContext as Record<string, unknown> | undefined,
+                spanParentAsLink: meta.spanParentAsLink,
+                batchId,
+                batchIndex: itemIndex,
+                realtimeStreamsVersion: meta.realtimeStreamsVersion,
+                planType: meta.planType,
+                triggerSource: meta.parentRunId ? "sdk" : meta.triggerSource ?? "api",
+                triggerAction: "trigger",
+              },
+              "V2"
+            );
 
-            return {
-              success: false as const,
-              error: "Environment not found",
-              errorCode: "ENVIRONMENT_NOT_FOUND",
-            };
-          }
+            if (result) {
+              span.setAttribute("batch.result.run_id", result.run.friendlyId);
+              span.end();
+              return { success: true as const, runId: result.run.friendlyId };
+            } else {
+              logger.error("[BatchQueue] TriggerTaskService returned undefined", {
+                batchId,
+                friendlyId,
+                itemIndex,
+                task: item.task,
+                environmentId: meta.environmentId,
+                attempt,
+                isFinalAttempt,
+              });
 
-          const triggerTaskService = new TriggerTaskService();
+              span.setAttribute("batch.result.error", "TriggerTaskService returned undefined");
+
+              // Only create a pre-failed run on the final attempt; otherwise let the retry mechanism handle it
+              if (isFinalAttempt) {
+                const failedRunId = await triggerFailedTaskService.call({
+                  taskId: item.task,
+                  environment,
+                  payload: item.payload,
+                  payloadType: item.payloadType as string,
+                  errorMessage: "TriggerTaskService returned undefined",
+                  parentRunId: meta.parentRunId,
+                  resumeParentOnCompletion: meta.resumeParentOnCompletion,
+                  batch: { id: batchId, index: itemIndex },
+                  options: item.options as Record<string, unknown>,
+                  traceContext: meta.traceContext as Record<string, unknown> | undefined,
+                  spanParentAsLink: meta.spanParentAsLink,
+                  errorCode: TaskRunErrorCodes.BATCH_ITEM_COULD_NOT_TRIGGER,
+                });
+
+                span.end();
+
+                if (failedRunId) {
+                  return { success: true as const, runId: failedRunId };
+                }
+              } else {
+                span.end();
+              }
 
-          // Normalize payload - for application/store (R2 paths), this passes through as-is
-          const payload = normalizePayload(item.payload, item.payloadType);
+              return {
+                success: false as const,
+                error: "TriggerTaskService returned undefined",
+                errorCode: "TRIGGER_FAILED",
+              };
+            }
+          } catch (error) {
+            const errorMessage = error instanceof Error ? error.message : String(error);
+
+            // Queue-size-limit rejections are a customer-overload scenario (the
+            // env's queue is at its configured max). Retrying is pointless — the
+            // same item will fail again — and creating pre-failed TaskRuns for
+            // every item of every retried batch is exactly what chews through
+            // DB capacity when a noisy tenant fills their queue. Signal the
+            // BatchQueue to skip retries and skip pre-failed run creation, and
+            // let the completion callback collapse the per-item errors into a
+            // single summary row.
+            if (error instanceof QueueSizeLimitExceededError) {
+              logger.warn("[BatchQueue] Batch item rejected: queue size limit reached", {
+                batchId,
+                friendlyId,
+                itemIndex,
+                task: item.task,
+                environmentId: meta.environmentId,
+                maximumSize: error.maximumSize,
+              });
 
-          const result = await triggerTaskService.call(
-            item.task,
-            environment,
-            {
-              payload,
-              options: {
-                ...(item.options as Record<string, unknown>),
-                payloadType: item.payloadType,
-                parentRunId: meta.parentRunId,
-                resumeParentOnCompletion: meta.resumeParentOnCompletion,
-                parentBatch: batchId,
-              },
-            },
-            {
-              triggerVersion: meta.triggerVersion,
-              traceContext: meta.traceContext as Record<string, unknown> | undefined,
-              spanParentAsLink: meta.spanParentAsLink,
-              batchId,
-              batchIndex: itemIndex,
-              realtimeStreamsVersion: meta.realtimeStreamsVersion,
-              planType: meta.planType,
-              triggerSource: meta.parentRunId ? "sdk" : meta.triggerSource ?? "api",
-              triggerAction: "trigger",
-            },
-            "V2"
-          );
+              span.setAttribute("batch.result.error", errorMessage);
+              span.setAttribute("batch.result.errorCode", QUEUE_SIZE_LIMIT_EXCEEDED_ERROR_CODE);
+              span.setAttribute("batch.result.skipRetries", true);
+              span.end();
 
-          if (result) {
-            span.setAttribute("batch.result.run_id", result.run.friendlyId);
-            span.end();
-            return { success: true as const, runId: result.run.friendlyId };
-          } else {
-            logger.error("[BatchQueue] TriggerTaskService returned undefined", {
+              return {
+                success: false as const,
+                error: errorMessage,
+                errorCode: QUEUE_SIZE_LIMIT_EXCEEDED_ERROR_CODE,
+                skipRetries: true,
+              };
+            }
+
+            logger.error("[BatchQueue] Failed to trigger batch item", {
               batchId,
               friendlyId,
               itemIndex,
@@ -779,18 +971,20 @@ export function setupBatchQueueCallbacks() {
               environmentId: meta.environmentId,
               attempt,
               isFinalAttempt,
+              error,
             });
 
-            span.setAttribute("batch.result.error", "TriggerTaskService returned undefined");
+            span.setAttribute("batch.result.error", errorMessage);
+            span.recordException(error instanceof Error ? error : new Error(String(error)));
 
             // Only create a pre-failed run on the final attempt; otherwise let the retry mechanism handle it
-            if (isFinalAttempt) {
+            if (isFinalAttempt && environment) {
               const failedRunId = await triggerFailedTaskService.call({
                 taskId: item.task,
                 environment,
                 payload: item.payload,
                 payloadType: item.payloadType as string,
-                errorMessage: "TriggerTaskService returned undefined",
+                errorMessage,
                 parentRunId: meta.parentRunId,
                 resumeParentOnCompletion: meta.resumeParentOnCompletion,
                 batch: { id: batchId, index: itemIndex },
@@ -809,95 +1003,16 @@ export function setupBatchQueueCallbacks() {
               span.end();
             }
 
-            return {
-              success: false as const,
-              error: "TriggerTaskService returned undefined",
-              errorCode: "TRIGGER_FAILED",
-            };
-          }
-        } catch (error) {
-          const errorMessage = error instanceof Error ? error.message : String(error);
-
-          // Queue-size-limit rejections are a customer-overload scenario (the
-          // env's queue is at its configured max). Retrying is pointless — the
-          // same item will fail again — and creating pre-failed TaskRuns for
-          // every item of every retried batch is exactly what chews through
-          // DB capacity when a noisy tenant fills their queue. Signal the
-          // BatchQueue to skip retries and skip pre-failed run creation, and
-          // let the completion callback collapse the per-item errors into a
-          // single summary row.
-          if (error instanceof QueueSizeLimitExceededError) {
-            logger.warn("[BatchQueue] Batch item rejected: queue size limit reached", {
-              batchId,
-              friendlyId,
-              itemIndex,
-              task: item.task,
-              environmentId: meta.environmentId,
-              maximumSize: error.maximumSize,
-            });
-
-            span.setAttribute("batch.result.error", errorMessage);
-            span.setAttribute("batch.result.errorCode", QUEUE_SIZE_LIMIT_EXCEEDED_ERROR_CODE);
-            span.setAttribute("batch.result.skipRetries", true);
-            span.end();
-
             return {
               success: false as const,
               error: errorMessage,
-              errorCode: QUEUE_SIZE_LIMIT_EXCEEDED_ERROR_CODE,
-              skipRetries: true,
+              errorCode: "TRIGGER_ERROR",
             };
           }
-
-          logger.error("[BatchQueue] Failed to trigger batch item", {
-            batchId,
-            friendlyId,
-            itemIndex,
-            task: item.task,
-            environmentId: meta.environmentId,
-            attempt,
-            isFinalAttempt,
-            error,
-          });
-
-          span.setAttribute("batch.result.error", errorMessage);
-          span.recordException(error instanceof Error ? error : new Error(String(error)));
-
-          // Only create a pre-failed run on the final attempt; otherwise let the retry mechanism handle it
-          if (isFinalAttempt && environment) {
-            const failedRunId = await triggerFailedTaskService.call({
-              taskId: item.task,
-              environment,
-              payload: item.payload,
-              payloadType: item.payloadType as string,
-              errorMessage,
-              parentRunId: meta.parentRunId,
-              resumeParentOnCompletion: meta.resumeParentOnCompletion,
-              batch: { id: batchId, index: itemIndex },
-              options: item.options as Record<string, unknown>,
-              traceContext: meta.traceContext as Record<string, unknown> | undefined,
-              spanParentAsLink: meta.spanParentAsLink,
-              errorCode: TaskRunErrorCodes.BATCH_ITEM_COULD_NOT_TRIGGER,
-            });
-
-            span.end();
-
-            if (failedRunId) {
-              return { success: true as const, runId: failedRunId };
-            }
-          } else {
-            span.end();
-          }
-
-          return {
-            success: false as const,
-            error: errorMessage,
-            errorCode: "TRIGGER_ERROR",
-          };
         }
-      }
-    );
-  });
+      );
+    }
+  );
 
   // Batch completion callback - updates Postgres with results
   engine.setBatchCompletionCallback(async (result: CompleteBatchResult) => {
diff --git a/apps/webapp/app/v3/runEnginePendingVersionLookup.server.ts b/apps/webapp/app/v3/runEnginePendingVersionLookup.server.ts
new file mode 100644
index 00000000000..407504fab72
--- /dev/null
+++ b/apps/webapp/app/v3/runEnginePendingVersionLookup.server.ts
@@ -0,0 +1,24 @@
+import { type PendingVersionRunIdLookup } from "@internal/run-engine";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
+import { logger } from "~/services/logger.server";
+import { singleton } from "~/utils/singleton";
+import { ClickhousePendingVersionLookup } from "./services/clickhousePendingVersionLookup.server";
+
+/**
+ * Lookup used by `@internal/run-engine`'s `PendingVersionSystem` to find
+ * `PENDING_VERSION` TaskRun ids via ClickHouse, removing the need for
+ * Postgres index #13 (`TaskRun_status_runtimeEnvironmentId_createdAt_id_idx`).
+ *
+ * Resolves the ClickHouse client per call via {@link clickhouseFactory}
+ * using the `"engine"` client type, configured by `RUN_ENGINE_CLICKHOUSE_*`
+ * env vars and routed per-organization for customers with HIPAA / data
+ * sovereignty data stores.
+ */
+export const runEnginePendingVersionLookup = singleton(
+  "runEnginePendingVersionLookup",
+  initializeRunEnginePendingVersionLookup
+);
+
+function initializeRunEnginePendingVersionLookup(): PendingVersionRunIdLookup {
+  return new ClickhousePendingVersionLookup({ clickhouseFactory, logger });
+}
diff --git a/apps/webapp/app/v3/services/adminWorker.server.ts b/apps/webapp/app/v3/services/adminWorker.server.ts
index 97c94b954f0..cf3dbd57c6c 100644
--- a/apps/webapp/app/v3/services/adminWorker.server.ts
+++ b/apps/webapp/app/v3/services/adminWorker.server.ts
@@ -4,6 +4,18 @@ import { z } from "zod";
 import { env } from "~/env.server";
 import { logger } from "~/services/logger.server";
 import { runsReplicationInstance } from "~/services/runsReplicationInstance.server";
+// Reference-hold the sessions-replication singleton so module evaluation runs
+// its initializer (creates the ClickHouse client, subscribes to the logical
+// replication slot, wires signal handlers) when the webapp boots.
+//
+// IMPORTANT: do NOT replace with `void sessionsReplicationInstance;`. With
+// `"sideEffects": false` in apps/webapp/package.json, esbuild treats `void X;`
+// as a pure expression statement and eliminates the import — the singleton
+// initializer never fires. Assignment to globalThis is an observable side
+// effect the bundler must preserve. See TRI-9864.
+import { sessionsReplicationInstance } from "~/services/sessionsReplicationInstance.server";
+(globalThis as Record<string, unknown>).__sessionsReplicationInstance =
+  sessionsReplicationInstance;
 import { singleton } from "~/utils/singleton";
 import { tracer } from "../tracer.server";
 import { $replica } from "~/db.server";
diff --git a/apps/webapp/app/v3/services/aiQueryService.server.ts b/apps/webapp/app/v3/services/aiQueryService.server.ts
index 3e40fc810de..29007e5c157 100644
--- a/apps/webapp/app/v3/services/aiQueryService.server.ts
+++ b/apps/webapp/app/v3/services/aiQueryService.server.ts
@@ -5,7 +5,7 @@ import {
   type TableSchema,
   type ValidationIssue,
 } from "@internal/tsql";
-import { streamText, type LanguageModelV1, tool } from "ai";
+import { streamText, stepCountIs, type LanguageModel, tool } from "ai";
 import { z } from "zod";
 import type { AITimeFilter } from "~/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query/types";
 
@@ -55,7 +55,7 @@ export class AIQueryService {
 
   constructor(
     private readonly tableSchema: TableSchema[],
-    private readonly model: LanguageModelV1 = openai("gpt-4.1-mini")
+    private readonly model: LanguageModel = openai("gpt-4.1-mini")
   ) {}
 
   /**
@@ -66,7 +66,7 @@ export class AIQueryService {
     return tool({
       description:
         "Set the time filter for the query page UI instead of adding time conditions to the query. ALWAYS use this tool when the user wants to filter by time (e.g., 'last 7 days', 'past hour', 'yesterday'). The UI will apply this filter automatically using the table's time column (triggered_at for runs, bucket_start for metrics). Do NOT add triggered_at or bucket_start to the WHERE clause for time filtering - use this tool instead.",
-      parameters: z.object({
+      inputSchema: z.object({
         period: z
           .string()
           .optional()
@@ -125,7 +125,7 @@ export class AIQueryService {
         validateTSQLQuery: tool({
           description:
             "Validate a TSQL query for syntax errors and schema compliance. Always use this tool to verify your query before returning it to the user.",
-          parameters: z.object({
+          inputSchema: z.object({
             query: z.string().describe("The TSQL query to validate"),
           }),
           execute: async ({ query }) => {
@@ -135,7 +135,7 @@ export class AIQueryService {
         getTableSchema: tool({
           description:
             "Get detailed schema information about available tables and columns. Use this to understand what data is available and how to query it.",
-          parameters: z.object({
+          inputSchema: z.object({
             tableName: z
               .string()
               .optional()
@@ -147,7 +147,7 @@ export class AIQueryService {
         }),
         setTimeFilter: this.buildSetTimeFilterTool(),
       },
-      maxSteps: 5,
+      stopWhen: stepCountIs(5),
       experimental_telemetry: {
         isEnabled: true,
         metadata: {
@@ -191,7 +191,7 @@ export class AIQueryService {
         validateTSQLQuery: tool({
           description:
             "Validate a TSQL query for syntax errors and schema compliance. Always use this tool to verify your query before returning it to the user.",
-          parameters: z.object({
+          inputSchema: z.object({
             query: z.string().describe("The TSQL query to validate"),
           }),
           execute: async ({ query }) => {
@@ -201,7 +201,7 @@ export class AIQueryService {
         getTableSchema: tool({
           description:
             "Get detailed schema information about available tables and columns. Use this to understand what data is available and how to query it.",
-          parameters: z.object({
+          inputSchema: z.object({
             tableName: z
               .string()
               .optional()
@@ -213,7 +213,7 @@ export class AIQueryService {
         }),
         setTimeFilter: this.buildSetTimeFilterTool(),
       },
-      maxSteps: 5,
+      stopWhen: stepCountIs(5),
       experimental_telemetry: {
         isEnabled: true,
         metadata: {
diff --git a/apps/webapp/app/v3/services/aiQueryTitleService.server.ts b/apps/webapp/app/v3/services/aiQueryTitleService.server.ts
index 983f732453a..5bf216379e8 100644
--- a/apps/webapp/app/v3/services/aiQueryTitleService.server.ts
+++ b/apps/webapp/app/v3/services/aiQueryTitleService.server.ts
@@ -1,5 +1,5 @@
 import { openai } from "@ai-sdk/openai";
-import { generateText, type LanguageModelV1 } from "ai";
+import { generateText, type LanguageModel } from "ai";
 import { env } from "~/env.server";
 
 /**
@@ -13,7 +13,7 @@ export type AIQueryTitleResult =
  * Service for generating concise titles for SQL queries using AI
  */
 export class AIQueryTitleService {
-  constructor(private readonly model: LanguageModelV1 = openai("gpt-4o-mini")) {}
+  constructor(private readonly model: LanguageModel = openai("gpt-4o-mini")) {}
 
   /**
    * Generate a concise title for a SQL query
@@ -45,7 +45,7 @@ Examples:
 - "Average execution time by task"
 - "Recent runs with errors"`,
         prompt: `Generate a concise title for this SQL query:\n\n${query}`,
-        maxTokens: 50,
+        maxOutputTokens: 50,
         experimental_telemetry: {
           isEnabled: true,
           metadata: {
diff --git a/apps/webapp/app/v3/services/aiRunFilterService.server.ts b/apps/webapp/app/v3/services/aiRunFilterService.server.ts
index 4ce12b94557..96b74ab3314 100644
--- a/apps/webapp/app/v3/services/aiRunFilterService.server.ts
+++ b/apps/webapp/app/v3/services/aiRunFilterService.server.ts
@@ -1,6 +1,6 @@
 import { openai } from "@ai-sdk/openai";
 import { type TaskTriggerSource } from "@trigger.dev/database";
-import { generateText, LanguageModelV1, Output, tool } from "ai";
+import { generateText, stepCountIs, type LanguageModel, Output, tool } from "ai";
 import { z } from "zod";
 import { TaskRunListSearchFilters } from "~/components/runs/v3/RunFilters";
 import { logger } from "~/services/logger.server";
@@ -14,17 +14,25 @@ const AIFilters = TaskRunListSearchFilters.omit({
   to: z.string().optional().describe("The ISO datetime to filter to"),
 });
 
+// The response is wrapped in an object with a single `response` field because
+// OpenAI structured outputs (both the Chat and Responses APIs) require the root
+// JSON Schema to be `type: "object"`. A bare `z.discriminatedUnion` compiles to
+// a root-level `anyOf`, which OpenAI rejects ("schema must be of type object").
+// Nesting the union under a property keeps the discriminated-union ergonomics
+// while satisfying the root-object constraint.
 const AIFilterResponseSchema = z
-  .discriminatedUnion("success", [
-    z.object({
-      success: z.literal(true),
-      filters: AIFilters,
-    }),
-    z.object({
-      success: z.literal(false),
-      error: z.string().describe("A short human-readable error message"),
-    }),
-  ])
+  .object({
+    response: z.discriminatedUnion("success", [
+      z.object({
+        success: z.literal(true),
+        filters: AIFilters,
+      }),
+      z.object({
+        success: z.literal(false),
+        error: z.string().describe("A short human-readable error message"),
+      }),
+    ]),
+  })
   .describe("The response from the AI filter service");
 
 export interface QueryQueues {
@@ -80,7 +88,7 @@ export class AIRunFilterService {
       queryQueues: QueryQueues;
       queryTasks: QueryTasks;
     },
-    private readonly model: LanguageModelV1 = openai("gpt-4o-mini")
+    private readonly model: LanguageModel = openai("gpt-4o-mini")
   ) {}
 
   async call(text: string, environmentId: string): Promise<AIFilterResult> {
@@ -88,10 +96,20 @@ export class AIRunFilterService {
       const result = await generateText({
         model: this.model,
         experimental_output: Output.object({ schema: AIFilterResponseSchema }),
+        // Disable OpenAI strict JSON-schema mode. The filters schema has many
+        // optional fields, and strict mode requires every property to appear in
+        // `required` (it rejects bare optionals). Non-strict mode treats the
+        // schema as guidance; the `AIFilters.safeParse` below still validates
+        // the result, so correctness is preserved.
+        providerOptions: {
+          openai: {
+            strictJsonSchema: false,
+          },
+        },
         tools: {
           lookupTags: tool({
             description: "Look up available tags in the environment",
-            parameters: z.object({
+            inputSchema: z.object({
               query: z.string().optional().describe("Optional search query to filter tags"),
             }),
             execute: async ({ query }) => {
@@ -101,7 +119,7 @@ export class AIRunFilterService {
           lookupVersions: tool({
             description:
               "Look up available versions in the environment. If you specify `isCurrent` it will return a single version string if it finds one. Otherwise it will return an array of version strings.",
-            parameters: z.object({
+            inputSchema: z.object({
               isCurrent: z
                 .boolean()
                 .optional()
@@ -119,7 +137,7 @@ export class AIRunFilterService {
           }),
           lookupQueues: tool({
             description: "Look up available queues in the environment",
-            parameters: z.object({
+            inputSchema: z.object({
               query: z.string().optional().describe("Optional search query to filter queues"),
               type: z
                 .enum(["task", "custom"])
@@ -135,13 +153,13 @@ export class AIRunFilterService {
           lookupTasks: tool({
             description:
               "Look up available tasks in the environment. It will return each one. The `slug` is used for the filtering. You also get the triggerSource which is either `STANDARD` or `SCHEDULED`",
-            parameters: z.object({}),
+            inputSchema: z.object({}),
             execute: async () => {
               return await this.queryFns.queryTasks.query();
             },
           }),
         },
-        maxSteps: 5,
+        stopWhen: stepCountIs(5),
         system: `You are an AI assistant that converts natural language descriptions into structured filter parameters for a task run filtering system.
   
   Available filter options:
@@ -198,21 +216,24 @@ export class AIRunFilterService {
   
   The filters object should only contain the fields that are actually being filtered. Do not include fields with empty arrays or undefined values.
   
-  CRITICAL: The response must be a valid JSON object with exactly this structure:
+  CRITICAL: The response must be a valid JSON object with a single top-level "response" key wrapping this structure:
   {
-    "success": true,
-    "filters": {
-      // only include fields that have actual values
-    },
-    "explanation": "string explaining what filters were applied"
+    "response": {
+      "success": true,
+      "filters": {
+        // only include fields that have actual values
+      }
+    }
   }
-  
+
   or if you can't figure out the filters then return:
   {
-    "success": false,
-    "error": "<short human understandable suggestion>"
+    "response": {
+      "success": false,
+      "error": "<short human understandable suggestion>"
+    }
   }
-  
+
   Make the error no more than 8 words.
   `,
         prompt: text,
@@ -224,19 +245,21 @@ export class AIRunFilterService {
         },
       });
 
-      if (!result.experimental_output.success) {
+      const output = result.experimental_output.response;
+
+      if (!output.success) {
         return {
           success: false,
-          error: result.experimental_output.error,
+          error: output.error,
         };
       }
 
       // Validate the filters against the schema to catch any issues
-      const validationResult = AIFilters.safeParse(result.experimental_output.filters);
+      const validationResult = AIFilters.safeParse(output.filters);
       if (!validationResult.success) {
         logger.error("AI filter validation failed", {
           errors: validationResult.error.errors,
-          filters: result.experimental_output.filters,
+          filters: output.filters,
         });
 
         return {
@@ -245,14 +268,35 @@ export class AIRunFilterService {
         };
       }
 
+      // `from`/`to` are validated as strings, so a malformed value (e.g. the
+      // model returning a non-ISO date) would survive safeParse and then
+      // produce NaN here. NaN serializes to `null` over JSON, silently dropping
+      // the date constraint while still reporting success — so reject it.
+      const from = validationResult.data.from
+        ? new Date(validationResult.data.from).getTime()
+        : undefined;
+      const to = validationResult.data.to
+        ? new Date(validationResult.data.to).getTime()
+        : undefined;
+
+      if ((from !== undefined && Number.isNaN(from)) || (to !== undefined && Number.isNaN(to))) {
+        logger.error("AI filter returned an invalid datetime", {
+          from: validationResult.data.from,
+          to: validationResult.data.to,
+        });
+
+        return {
+          success: false,
+          error: "AI response contained an invalid date",
+        };
+      }
+
       return {
         success: true,
         filters: {
           ...validationResult.data,
-          from: validationResult.data.from
-            ? new Date(validationResult.data.from).getTime()
-            : undefined,
-          to: validationResult.data.to ? new Date(validationResult.data.to).getTime() : undefined,
+          from,
+          to,
         },
       };
     } catch (error) {
diff --git a/apps/webapp/app/v3/services/alerts/deliverAlert.server.ts b/apps/webapp/app/v3/services/alerts/deliverAlert.server.ts
index 5ab99bf8046..bc8f9a3a5f2 100644
--- a/apps/webapp/app/v3/services/alerts/deliverAlert.server.ts
+++ b/apps/webapp/app/v3/services/alerts/deliverAlert.server.ts
@@ -1182,15 +1182,19 @@ export class DeliverAlertService extends BaseService {
   }
 
   #formatTimestamp(date: Date): string {
-    return new Intl.DateTimeFormat("en-US", {
-      month: "short",
-      day: "numeric",
-      year: "numeric",
-      hour: "numeric",
-      minute: "2-digit",
-      second: "2-digit",
-      hour12: true,
-    }).format(date);
+    const unix = Math.floor(date.getTime() / 1000);
+    const fallback =
+      new Intl.DateTimeFormat("en-US", {
+        month: "short",
+        day: "numeric",
+        year: "numeric",
+        hour: "numeric",
+        minute: "2-digit",
+        second: "2-digit",
+        hour12: true,
+        timeZone: "UTC",
+      }).format(date) + " UTC";
+    return `<!date^${unix}^{date_short_pretty} {time_secs}|${fallback}>`;
   }
 
   #buildWebhookGitObject(git: GitMetaLinks | null) {
diff --git a/apps/webapp/app/v3/services/alerts/deliverErrorGroupAlert.server.ts b/apps/webapp/app/v3/services/alerts/deliverErrorGroupAlert.server.ts
index 422811cdee3..647a0b0cf39 100644
--- a/apps/webapp/app/v3/services/alerts/deliverErrorGroupAlert.server.ts
+++ b/apps/webapp/app/v3/services/alerts/deliverErrorGroupAlert.server.ts
@@ -383,15 +383,19 @@ export class DeliverErrorGroupAlertService {
   }
 
   #formatTimestamp(date: Date): string {
-    return new Intl.DateTimeFormat("en-US", {
-      month: "short",
-      day: "numeric",
-      year: "numeric",
-      hour: "numeric",
-      minute: "2-digit",
-      second: "2-digit",
-      hour12: true,
-    }).format(date);
+    const unix = Math.floor(date.getTime() / 1000);
+    const fallback =
+      new Intl.DateTimeFormat("en-US", {
+        month: "short",
+        day: "numeric",
+        year: "numeric",
+        hour: "numeric",
+        minute: "2-digit",
+        second: "2-digit",
+        hour12: true,
+        timeZone: "UTC",
+      }).format(date) + " UTC";
+    return `<!date^${unix}^{date_short_pretty} {time_secs}|${fallback}>`;
   }
 }
 
diff --git a/apps/webapp/app/v3/services/alerts/errorAlertEvaluator.server.ts b/apps/webapp/app/v3/services/alerts/errorAlertEvaluator.server.ts
index e935a8a6911..cd68258c015 100644
--- a/apps/webapp/app/v3/services/alerts/errorAlertEvaluator.server.ts
+++ b/apps/webapp/app/v3/services/alerts/errorAlertEvaluator.server.ts
@@ -7,7 +7,7 @@ import {
 } from "@trigger.dev/database";
 import { $replica, prisma } from "~/db.server";
 import { ErrorAlertConfig } from "~/models/projectAlert.server";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import { logger } from "~/services/logger.server";
 import { alertsWorker } from "~/v3/alertsWorker.server";
 
@@ -45,8 +45,7 @@ const DEFAULT_INTERVAL_MS = 300_000;
 export class ErrorAlertEvaluator {
   constructor(
     protected readonly _prisma: PrismaClientOrTransaction = prisma,
-    protected readonly _replica: PrismaClientOrTransaction = $replica,
-    protected readonly _clickhouse: ClickHouse = clickhouseClient
+    protected readonly _replica: PrismaClientOrTransaction = $replica
   ) {}
 
   async evaluate(projectId: string, scheduledAt: number): Promise<void> {
@@ -245,10 +244,7 @@ export class ErrorAlertEvaluator {
       }
     }
 
-    if (
-      state.ignoredUntilTotalOccurrences != null &&
-      state.ignoredAtOccurrenceCount != null
-    ) {
+    if (state.ignoredUntilTotalOccurrences != null && state.ignoredAtOccurrenceCount != null) {
       const occurrencesSinceIgnored =
         context.totalOccurrenceCount - Number(state.ignoredAtOccurrenceCount);
       if (occurrencesSinceIgnored >= state.ignoredUntilTotalOccurrences) {
@@ -335,7 +331,11 @@ export class ErrorAlertEvaluator {
     envIds: string[],
     scheduledAt: number
   ): Promise<ActiveErrorsSinceQueryResult[]> {
-    const qb = this._clickhouse.errors.activeErrorsSinceQueryBuilder();
+    const queryClickhouse = await clickhouseFactory.getClickhouseForOrganization(
+      organizationId,
+      "query"
+    );
+    const qb = queryClickhouse.errors.activeErrorsSinceQueryBuilder();
     qb.where("organization_id = {organizationId: String}", { organizationId });
     qb.where("project_id = {projectId: String}", { projectId });
     qb.where("environment_id IN {envIds: Array(String)}", { envIds });
@@ -389,7 +389,11 @@ export class ErrorAlertEvaluator {
       occurrences_since: number;
     }>
   > {
-    const qb = this._clickhouse.errors.occurrenceCountsSinceQueryBuilder();
+    const queryClickhouse = await clickhouseFactory.getClickhouseForOrganization(
+      organizationId,
+      "query"
+    );
+    const qb = queryClickhouse.errors.occurrenceCountsSinceQueryBuilder();
     qb.where("organization_id = {organizationId: String}", { organizationId });
     qb.where("project_id = {projectId: String}", { projectId });
     qb.where("environment_id IN {envIds: Array(String)}", { envIds });
diff --git a/apps/webapp/app/v3/services/bulk/BulkActionV2.server.ts b/apps/webapp/app/v3/services/bulk/BulkActionV2.server.ts
index 156b68bff59..babdb02ca6a 100644
--- a/apps/webapp/app/v3/services/bulk/BulkActionV2.server.ts
+++ b/apps/webapp/app/v3/services/bulk/BulkActionV2.server.ts
@@ -7,7 +7,7 @@ import {
 } from "@trigger.dev/database";
 import { getRunFiltersFromRequest } from "~/presenters/RunFilters.server";
 import { type CreateBulkActionPayload } from "~/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.bulkaction";
-import { clickhouseClient } from "~/services/clickhouseInstance.server";
+import { clickhouseFactory } from "~/services/clickhouse/clickhouseFactoryInstance.server";
 import {
   parseRunListInputOptions,
   type RunListInputFilters,
@@ -38,8 +38,9 @@ export class BulkActionService extends BaseService {
     const filters = await getFilters(payload, request);
 
     // Count the runs that will be affected by the bulk action
+    const clickhouse = await clickhouseFactory.getClickhouseForOrganization(organizationId, "standard");
     const runsRepository = new RunsRepository({
-      clickhouse: clickhouseClient,
+      clickhouse,
       prisma: this._replica as PrismaClient,
     });
     const count = await runsRepository.countRuns({
@@ -147,8 +148,9 @@ export class BulkActionService extends BaseService {
       ...rawParams,
     });
 
+    const clickhouse = await clickhouseFactory.getClickhouseForOrganization(group.project.organizationId, "standard");
     const runsRepository = new RunsRepository({
-      clickhouse: clickhouseClient,
+      clickhouse,
       prisma: this._replica as PrismaClient,
     });
 
@@ -157,8 +159,13 @@ export class BulkActionService extends BaseService {
       throw new Error(`Bulk action group has invalid query name: ${group.queryName}`);
     }
 
-    // 2. Get the runs to process in this batch
-    const runIds = await runsRepository.listRunIds({
+    // 2. Get the runs to process in this batch, plus the cursor for the next
+    // batch. The cursor is a composite (created_at, run_id) keyset cursor so the
+    // next batch can't re-include or skip runs.
+    const {
+      runIds: runIdsToProcess,
+      pagination: { nextCursor },
+    } = await runsRepository.listRunIds({
       ...filters,
       page: {
         size: env.BULK_ACTION_BATCH_SIZE,
@@ -170,8 +177,6 @@ export class BulkActionService extends BaseService {
     // 3. Process the runs
     let successCount = 0;
     let failureCount = 0;
-    // Slice because we fetch an extra for the cursor
-    const runIdsToProcess = runIds.slice(0, env.BULK_ACTION_BATCH_SIZE);
 
     switch (group.type) {
       case BulkActionType.CANCEL: {
@@ -272,7 +277,10 @@ export class BulkActionService extends BaseService {
       }
     }
 
-    const isFinished = runIdsToProcess.length === 0;
+    // A null nextCursor means there is no further page — this batch was the
+    // last (or there were no runs at all), so the action is complete. (An empty
+    // batch also yields a null cursor.)
+    const isFinished = nextCursor === null;
 
     logger.debug("Bulk action group processed batch", {
       bulkActionId,
@@ -290,7 +298,8 @@ export class BulkActionService extends BaseService {
     const updatedGroup = await this._prisma.bulkActionGroup.update({
       where: { id: bulkActionId },
       data: {
-        cursor: runIdsToProcess.at(runIdsToProcess.length - 1),
+        // Json column: leave unchanged when there's no next cursor (finished).
+        cursor: nextCursor ?? undefined,
         successCount: {
           increment: successCount,
         },
diff --git a/apps/webapp/app/v3/services/cancelTaskRunV1.server.ts b/apps/webapp/app/v3/services/cancelTaskRunV1.server.ts
index 4b4482a1dab..eb366834c01 100644
--- a/apps/webapp/app/v3/services/cancelTaskRunV1.server.ts
+++ b/apps/webapp/app/v3/services/cancelTaskRunV1.server.ts
@@ -10,7 +10,7 @@ import { CancelTaskAttemptDependenciesService } from "./cancelTaskAttemptDepende
 import { CancelableTaskRun } from "./cancelTaskRun.server";
 import { FinalizeTaskRunService } from "./finalizeTaskRun.server";
 import { tryCatch } from "@trigger.dev/core/utils";
-import { resolveEventRepositoryForStore } from "../eventRepository/index.server";
+import { getEventRepositoryForStore } from "../eventRepository/index.server";
 
 type ExtendedTaskRun = Prisma.TaskRunGetPayload<{
   include: {
@@ -101,7 +101,10 @@ export class CancelTaskRunServiceV1 extends BaseService {
       },
     });
 
-    const eventRepository = resolveEventRepositoryForStore(cancelledTaskRun.taskEventStore);
+    const eventRepository = await getEventRepositoryForStore(
+      cancelledTaskRun.taskEventStore,
+      cancelledTaskRun.runtimeEnvironment.organizationId
+    );
 
     const [cancelRunEventError] = await tryCatch(
       eventRepository.cancelRunEvent({
diff --git a/apps/webapp/app/v3/services/changeCurrentDeployment.server.ts b/apps/webapp/app/v3/services/changeCurrentDeployment.server.ts
index 00360df946c..693e893e854 100644
--- a/apps/webapp/app/v3/services/changeCurrentDeployment.server.ts
+++ b/apps/webapp/app/v3/services/changeCurrentDeployment.server.ts
@@ -1,12 +1,32 @@
-import { WorkerDeployment } from "@trigger.dev/database";
+import { BackgroundWorkerMetadata, tryCatch } from "@trigger.dev/core/v3";
+import { CURRENT_DEPLOYMENT_LABEL } from "@trigger.dev/core/v3/isomorphic";
+import { PrismaClientOrTransaction, WorkerDeployment } from "@trigger.dev/database";
+import { logger } from "~/services/logger.server";
+import { syncTaskIdentifiers } from "~/services/taskIdentifierRegistry.server";
+import {
+  type TaskMetadataCache,
+  type TaskMetadataEntry,
+} from "~/services/taskMetadataCache.server";
+import { taskMetadataCacheInstance } from "~/services/taskMetadataCacheInstance.server";
 import { BaseService, ServiceValidationError } from "./baseService.server";
+import { syncDeclarativeSchedules } from "./createBackgroundWorker.server";
 import { ExecuteTasksWaitingForDeployService } from "./executeTasksWaitingForDeploy";
 import { compareDeploymentVersions } from "../utils/deploymentVersions";
-import { CURRENT_DEPLOYMENT_LABEL } from "@trigger.dev/core/v3/isomorphic";
 
 export type ChangeCurrentDeploymentDirection = "promote" | "rollback";
 
 export class ChangeCurrentDeploymentService extends BaseService {
+  private readonly _taskMetaCache: TaskMetadataCache;
+
+  constructor(
+    prisma?: PrismaClientOrTransaction,
+    replica?: PrismaClientOrTransaction,
+    taskMetaCache: TaskMetadataCache = taskMetadataCacheInstance
+  ) {
+    super(prisma, replica);
+    this._taskMetaCache = taskMetaCache;
+  }
+
   public async call(
     deployment: WorkerDeployment,
     direction: ChangeCurrentDeploymentDirection,
@@ -50,10 +70,8 @@ export class ChangeCurrentDeploymentService extends BaseService {
         switch (direction) {
           case "promote": {
             if (
-              compareDeploymentVersions(
-                currentPromotion.deployment.version,
-                deployment.version
-              ) >= 0
+              compareDeploymentVersions(currentPromotion.deployment.version, deployment.version) >=
+              0
             ) {
               throw new ServiceValidationError(
                 "Cannot promote a deployment that is older than the current deployment."
@@ -63,10 +81,8 @@ export class ChangeCurrentDeploymentService extends BaseService {
           }
           case "rollback": {
             if (
-              compareDeploymentVersions(
-                currentPromotion.deployment.version,
-                deployment.version
-              ) <= 0
+              compareDeploymentVersions(currentPromotion.deployment.version, deployment.version) <=
+              0
             ) {
               throw new ServiceValidationError(
                 "Cannot rollback to a deployment that is newer than the current deployment."
@@ -96,6 +112,123 @@ export class ChangeCurrentDeploymentService extends BaseService {
       },
     });
 
-    await ExecuteTasksWaitingForDeployService.enqueue(deployment.workerId);
+    const [fetchTasksError, tasks] = await tryCatch(
+      this._prisma.backgroundWorkerTask.findMany({
+        where: { workerId: deployment.workerId! },
+        select: {
+          slug: true,
+          triggerSource: true,
+          ttl: true,
+          queue: { select: { id: true, name: true } },
+        },
+      })
+    );
+
+    if (fetchTasksError) {
+      logger.error("Error fetching worker tasks on deployment change", {
+        error: fetchTasksError,
+      });
+    }
+
+    if (tasks) {
+      // Side effect 1: refresh the `TaskIdentifier` table and the existing
+      // `tids:` Redis cache so the task-listing UI reflects the new deploy.
+      const [syncIdentifiersError] = await tryCatch(
+        syncTaskIdentifiers(
+          deployment.environmentId,
+          deployment.projectId,
+          deployment.workerId!,
+          tasks.map((t) => ({ id: t.slug, triggerSource: t.triggerSource }))
+        )
+      );
+
+      if (syncIdentifiersError) {
+        logger.error("Error syncing task identifiers on deployment change", {
+          error: syncIdentifiersError,
+        });
+      }
+
+      // Side effect 2: refresh the `task-meta:` cache that the queue resolver
+      // reads from. Independent of side effect 1 — if `syncTaskIdentifiers`
+      // throws, the queue resolver still gets a warm cache for the new worker.
+      const metadataEntries: TaskMetadataEntry[] = tasks.map((t) => ({
+        slug: t.slug,
+        ttl: t.ttl,
+        triggerSource: t.triggerSource,
+        queueId: t.queue?.id ?? null,
+        queueName: t.queue?.name ?? "",
+      }));
+
+      // Cache calls log+swallow internally.
+      await this._taskMetaCache.populateByCurrentWorker(
+        deployment.environmentId,
+        deployment.workerId!,
+        metadataEntries
+      );
+    }
+
+    const [scheduleSyncError] = await tryCatch(this.#syncSchedulesForDeployment(deployment));
+
+    if (scheduleSyncError) {
+      logger.error("Error syncing declarative schedules on deployment change", {
+        error: scheduleSyncError,
+      });
+    }
+
+    // Only V1 engine workers need the WAITING_FOR_DEPLOY drain — V2 runs sit
+    // in PENDING_VERSION and are handled out of band, so enqueuing here for V2
+    // just produces empty scans of the TaskRun status index.
+    const worker = await this._prisma.backgroundWorker.findFirst({
+      where: { id: deployment.workerId },
+      select: { engine: true },
+    });
+
+    if (worker?.engine === "V1") {
+      await ExecuteTasksWaitingForDeployService.enqueue(deployment.workerId);
+    }
+  }
+
+  async #syncSchedulesForDeployment(deployment: WorkerDeployment) {
+    const worker = await this._prisma.backgroundWorker.findFirst({
+      where: { id: deployment.workerId! },
+    });
+
+    if (!worker) {
+      logger.error("Worker not found for deployment schedule sync", {
+        deploymentId: deployment.id,
+        workerId: deployment.workerId,
+      });
+      return;
+    }
+
+    const parsed = BackgroundWorkerMetadata.safeParse(worker.metadata);
+
+    if (!parsed.success) {
+      logger.error("Failed to parse worker metadata for schedule sync", {
+        deploymentId: deployment.id,
+        workerId: deployment.workerId,
+        error: parsed.error,
+      });
+      return;
+    }
+
+    const environment = await this._prisma.runtimeEnvironment.findFirst({
+      where: { id: deployment.environmentId },
+      include: {
+        project: true,
+        organization: true,
+        orgMember: true,
+      },
+    });
+
+    if (!environment) {
+      logger.error("Environment not found for deployment schedule sync", {
+        deploymentId: deployment.id,
+        environmentId: deployment.environmentId,
+      });
+      return;
+    }
+
+    await syncDeclarativeSchedules(parsed.data.tasks, worker, environment, this._prisma);
   }
 }
diff --git a/apps/webapp/app/v3/services/clickhousePendingVersionLookup.server.ts b/apps/webapp/app/v3/services/clickhousePendingVersionLookup.server.ts
new file mode 100644
index 00000000000..2cdde550e9c
--- /dev/null
+++ b/apps/webapp/app/v3/services/clickhousePendingVersionLookup.server.ts
@@ -0,0 +1,97 @@
+import {
+  type PendingVersionRunIdLookup,
+  type PendingVersionRunIdLookupOptions,
+  type PendingVersionRunIdLookupResult,
+} from "@internal/run-engine";
+import { Logger } from "@trigger.dev/core/logger";
+import type { ClickhouseFactory } from "~/services/clickhouse/clickhouseFactory.server";
+
+export type ClickhousePendingVersionLookupOptions = {
+  clickhouseFactory: ClickhouseFactory;
+  logger: Logger;
+};
+
+/**
+ * ClickHouse-backed lookup for `PENDING_VERSION` TaskRun ids.
+ *
+ * Resolves the ClickHouse client per call via the
+ * {@link ClickhouseFactory}, which honors per-organization data-store
+ * routing (HIPAA / data-sovereignty customers get their own instance,
+ * everyone else lands on the shared `engine` client configured by
+ * `RUN_ENGINE_CLICKHOUSE_*` env vars).
+ *
+ * Best-effort by design: replication lag against `task_runs_v2` can
+ * produce stale candidates. The run-engine consumer re-validates every
+ * id against Postgres by primary key with a `status = 'PENDING_VERSION'`
+ * guard before any mutation, so stale ids are dropped at the source of
+ * truth. On ClickHouse error we log and return an empty result; the
+ * pending-version re-enqueue tail loop retries on the next event.
+ */
+export class ClickhousePendingVersionLookup implements PendingVersionRunIdLookup {
+  readonly name = "clickhouse";
+
+  constructor(private readonly opts: ClickhousePendingVersionLookupOptions) {}
+
+  async lookupPendingVersionRunIds(
+    options: PendingVersionRunIdLookupOptions
+  ): Promise<PendingVersionRunIdLookupResult> {
+    // Empty IN-lists would be a no-op; bail before issuing the query.
+    if (options.taskIdentifiers.length === 0 || options.queues.length === 0) {
+      return { runIds: [] };
+    }
+
+    let clickhouse;
+    try {
+      clickhouse = await this.opts.clickhouseFactory.getClickhouseForOrganization(
+        options.organizationId,
+        "engine"
+      );
+    } catch (error) {
+      // Factory resolution failures usually mean a real configuration
+      // problem (registry misload, missing data store, ClientType mismatch).
+      // These are not transient — log at error so ops sees them in dashboards
+      // and incident hooks. Query-level errors below stay at warn because
+      // those are expected to be transient.
+      this.opts.logger.error("ClickhousePendingVersionLookup factory resolution failed", {
+        error,
+        organizationId: options.organizationId,
+      });
+      return { runIds: [] };
+    }
+
+    const builder = clickhouse.taskRuns
+      .pendingVersionIdsQueryBuilder()
+      // `organization_id` MUST be the leading filter — it is the leading
+      // sort-key column on `task_runs_v2` and the only thing that prunes
+      // granules cheaply on a multi-tenant table.
+      .where("organization_id = {organizationId: String}", {
+        organizationId: options.organizationId,
+      })
+      .where("project_id = {projectId: String}", { projectId: options.projectId })
+      .where("environment_id = {environmentId: String}", {
+        environmentId: options.environmentId,
+      })
+      .where("status = 'PENDING_VERSION'")
+      .where("task_identifier IN {taskIdentifiers: Array(String)}", {
+        taskIdentifiers: options.taskIdentifiers,
+      })
+      .where("queue IN {queues: Array(String)}", { queues: options.queues })
+      .where("_is_deleted = 0")
+      .orderBy("created_at ASC")
+      .limit(options.limit);
+
+    const [queryError, rows] = await builder.execute();
+
+    if (queryError) {
+      this.opts.logger.warn("ClickhousePendingVersionLookup query failed", {
+        error: queryError,
+        organizationId: options.organizationId,
+        projectId: options.projectId,
+        environmentId: options.environmentId,
+      });
+      return { runIds: [] };
+    }
+
+    return { runIds: rows.map((row) => row.run_id) };
+  }
+}
diff --git a/apps/webapp/app/v3/services/completeAttempt.server.ts b/apps/webapp/app/v3/services/completeAttempt.server.ts
index 99169331a99..c4076648819 100644
--- a/apps/webapp/app/v3/services/completeAttempt.server.ts
+++ b/apps/webapp/app/v3/services/completeAttempt.server.ts
@@ -31,7 +31,7 @@ import { CancelAttemptService } from "./cancelAttempt.server";
 import { CreateCheckpointService } from "./createCheckpoint.server";
 import { FinalizeTaskRunService } from "./finalizeTaskRun.server";
 import { RetryAttemptService } from "./retryAttempt.server";
-import { resolveEventRepositoryForStore } from "../eventRepository/index.server";
+import { getEventRepositoryForStore } from "../eventRepository/index.server";
 
 type FoundAttempt = Awaited<ReturnType<typeof findAttempt>>;
 
@@ -163,7 +163,10 @@ export class CompleteAttemptService extends BaseService {
       env,
     });
 
-    const eventRepository = resolveEventRepositoryForStore(taskRunAttempt.taskRun.taskEventStore);
+    const eventRepository = await getEventRepositoryForStore(
+      taskRunAttempt.taskRun.taskEventStore,
+      taskRunAttempt.taskRun.organizationId ?? ""
+    );
 
     const [completeSuccessfulRunEventError] = await tryCatch(
       eventRepository.completeSuccessfulRunEvent({
@@ -316,7 +319,10 @@ export class CompleteAttemptService extends BaseService {
       exitRun(taskRunAttempt.taskRunId);
     }
 
-    const eventRepository = resolveEventRepositoryForStore(taskRunAttempt.taskRun.taskEventStore);
+    const eventRepository = await getEventRepositoryForStore(
+      taskRunAttempt.taskRun.taskEventStore,
+      taskRunAttempt.taskRun.organizationId ?? ""
+    );
 
     const [completeFailedRunEventError] = await tryCatch(
       eventRepository.completeFailedRunEvent({
@@ -538,7 +544,10 @@ export class CompleteAttemptService extends BaseService {
   }) {
     const retryAt = new Date(executionRetry.timestamp);
 
-    const eventRepository = resolveEventRepositoryForStore(taskRunAttempt.taskRun.taskEventStore);
+    const eventRepository = await getEventRepositoryForStore(
+      taskRunAttempt.taskRun.taskEventStore,
+      taskRunAttempt.taskRun.organizationId ?? ""
+    );
 
     // Retry the task run
     await eventRepository.recordEvent(
diff --git a/apps/webapp/app/v3/services/computeTemplateCreation.server.ts b/apps/webapp/app/v3/services/computeTemplateCreation.server.ts
index 37235aa1617..c972952b471 100644
--- a/apps/webapp/app/v3/services/computeTemplateCreation.server.ts
+++ b/apps/webapp/app/v3/services/computeTemplateCreation.server.ts
@@ -1,4 +1,6 @@
 import { ComputeClient, stripImageDigest } from "@internal/compute";
+import type { TemplateCreateResultEntry } from "@internal/compute";
+import { MachinePresetName } from "@trigger.dev/core/v3";
 import { machinePresetFromName } from "~/v3/machinePresets.server";
 import { env } from "~/env.server";
 import { logger } from "~/services/logger.server";
@@ -10,8 +12,16 @@ import { resolveComputeAccess } from "../regionAccess.server";
 
 type TemplateCreationMode = "required" | "shadow" | "skip";
 
+type ResolvedPreset = {
+  name: MachinePresetName;
+  cpu: number;
+  memory_gb: number;
+};
+
 export class ComputeTemplateCreationService {
   private client: ComputeClient | undefined;
+  private presets: ResolvedPreset[];
+  private requiredPresets: Set<MachinePresetName>;
 
   constructor() {
     if (env.COMPUTE_GATEWAY_URL) {
@@ -21,6 +31,12 @@ export class ComputeTemplateCreationService {
         timeoutMs: 5 * 60 * 1000, // 5 minutes
       });
     }
+
+    this.presets = env.COMPUTE_TEMPLATE_MACHINE_PRESETS.map((name) => {
+      const machine = machinePresetFromName(name);
+      return { name, cpu: machine.cpu, memory_gb: machine.memory };
+    });
+    this.requiredPresets = new Set(env.COMPUTE_TEMPLATE_MACHINE_PRESETS_REQUIRED);
   }
 
   /**
@@ -48,12 +64,12 @@ export class ComputeTemplateCreationService {
 
     if (mode === "shadow") {
       this.createTemplate(options.imageReference, { background: true })
-        .then((result) => {
-          if (!result.success) {
+        .then((outcome) => {
+          if (outcome.error) {
             logger.error("Shadow template creation failed", {
               id: options.deploymentFriendlyId,
               imageReference: options.imageReference,
-              error: result.error,
+              error: outcome.error,
             });
           }
         })
@@ -81,31 +97,39 @@ export class ComputeTemplateCreationService {
     logger.info("Creating compute template (required mode)", {
       id: options.deploymentFriendlyId,
       imageReference: options.imageReference,
+      presets: this.presets.map((p) => p.name),
+      requiredPresets: [...this.requiredPresets],
     });
 
-    const result = await this.createTemplate(options.imageReference);
+    const outcome = await this.createTemplate(options.imageReference);
+    const failureMessage = this.failureMessageForRequiredMode(
+      outcome,
+      options.deploymentFriendlyId,
+      options.imageReference
+    );
 
-    if (!result.success) {
+    if (failureMessage) {
       logger.error("Compute template creation failed", {
         id: options.deploymentFriendlyId,
         imageReference: options.imageReference,
-        error: result.error,
+        error: failureMessage,
       });
 
       const failService = new FailDeploymentService();
       await failService.call(options.authenticatedEnv, options.deploymentFriendlyId, {
         error: {
           name: "TemplateCreationFailed",
-          message: `Failed to create compute template: ${result.error}`,
+          message: `Failed to create compute template: ${failureMessage}`,
         },
       });
 
-      throw new ServiceValidationError(`Compute template creation failed: ${result.error}`);
+      throw new ServiceValidationError(`Compute template creation failed: ${failureMessage}`);
     }
 
     logger.info("Compute template created", {
       id: options.deploymentFriendlyId,
       imageReference: options.imageReference,
+      results: outcome.results.length,
     });
   }
 
@@ -154,29 +178,104 @@ export class ComputeTemplateCreationService {
   async createTemplate(
     imageReference: string,
     options?: { background?: boolean }
-  ): Promise<{ success: boolean; error?: string }> {
+  ): Promise<CreateTemplateOutcome> {
     if (!this.client) {
-      return { success: false, error: "Compute gateway not configured" };
+      return { error: "Compute gateway not configured", results: [] };
     }
 
     try {
-      // Templates are resource-agnostic - these values don't affect template content.
-      const machine = machinePresetFromName("small-1x");
+      const machineConfigs = this.presets.map((p) => ({
+        cpu: p.cpu,
+        memory_gb: p.memory_gb,
+      }));
 
-      await this.client.templates.create({
+      const response = await this.client.templates.create({
         image: stripImageDigest(imageReference),
-        cpu: machine.cpu,
-        memory_gb: machine.memory,
+        machine_configs: machineConfigs,
         background: options?.background,
       });
-      return { success: true };
+
+      // Background mode (202 Accepted): no body to inspect.
+      if (options?.background || !response) {
+        return { results: [] };
+      }
+
+      return {
+        error: response.error,
+        results: response.results,
+      };
     } catch (error) {
       const message = error instanceof Error ? error.message : "Unknown error";
       logger.error("Failed to create compute template", {
         imageReference,
         error: message,
       });
-      return { success: false, error: message };
+      return { error: message, results: [] };
+    }
+  }
+
+  // Returns a human-readable failure message if any required preset failed
+  // or the request itself failed. Optional preset failures are logged and
+  // do not contribute to the message. Returns undefined on success.
+  private failureMessageForRequiredMode(
+    outcome: CreateTemplateOutcome,
+    deploymentFriendlyId: string,
+    imageReference: string
+  ): string | undefined {
+    if (this.presets.length === 0) {
+      return undefined;
+    }
+
+    const failures: string[] = [];
+
+    this.presets.forEach((preset) => {
+      const isRequired = this.requiredPresets.has(preset.name);
+      // Match results to presets by (cpu, memory_gb) content with a small
+      // epsilon to tolerate float round-trip noise (memory_gb passes through
+      // gb -> mb -> gb conversion in the compute layer).
+      const result = outcome.results.find(
+        (r) =>
+          Math.abs(r.machine_config.cpu - preset.cpu) < 1e-9 &&
+          Math.abs(r.machine_config.memory_gb - preset.memory_gb) < 1e-9
+      );
+
+      if (!result) {
+        if (isRequired) {
+          failures.push(`${preset.name}: not built`);
+        } else {
+          logger.warn("Optional compute template preset not built", {
+            id: deploymentFriendlyId,
+            imageReference,
+            preset: preset.name,
+          });
+        }
+        return;
+      }
+
+      if (result.error) {
+        if (isRequired) {
+          failures.push(`${preset.name}: ${result.error}`);
+        } else {
+          logger.warn("Optional compute template preset failed", {
+            id: deploymentFriendlyId,
+            imageReference,
+            preset: preset.name,
+            error: result.error,
+          });
+        }
+      }
+    });
+
+    // Surface request-level errors only when no per-preset failure attributed.
+    if (outcome.error && failures.length === 0) {
+      failures.push(outcome.error);
     }
+
+    return failures.length > 0 ? failures.join("; ") : undefined;
   }
 }
+
+type CreateTemplateOutcome = {
+  error?: string;
+  results: TemplateCreateResultEntry[];
+};
diff --git a/apps/webapp/app/v3/services/crashTaskRun.server.ts b/apps/webapp/app/v3/services/crashTaskRun.server.ts
index 9ed7d8b7aaf..cd55b9ec0f9 100644
--- a/apps/webapp/app/v3/services/crashTaskRun.server.ts
+++ b/apps/webapp/app/v3/services/crashTaskRun.server.ts
@@ -7,7 +7,7 @@ import { FailedTaskRunRetryHelper } from "../failedTaskRun.server";
 import { CRASHABLE_ATTEMPT_STATUSES, isCrashableRunStatus } from "../taskStatus";
 import { BaseService } from "./baseService.server";
 import { FinalizeTaskRunService } from "./finalizeTaskRun.server";
-import { resolveEventRepositoryForStore } from "../eventRepository/index.server";
+import { getEventRepositoryForStore } from "../eventRepository/index.server";
 
 export type CrashTaskRunServiceOptions = {
   reason?: string;
@@ -120,7 +120,10 @@ export class CrashTaskRunService extends BaseService {
       },
     });
 
-    const eventRepository = resolveEventRepositoryForStore(crashedTaskRun.taskEventStore);
+    const eventRepository = await getEventRepositoryForStore(
+      crashedTaskRun.taskEventStore,
+      crashedTaskRun.runtimeEnvironment.organizationId
+    );
 
     const [createAttemptFailedEventError] = await tryCatch(
       eventRepository.completeFailedRunEvent({
diff --git a/apps/webapp/app/v3/services/createBackgroundWorker.server.ts b/apps/webapp/app/v3/services/createBackgroundWorker.server.ts
index 1b51ec04aee..3f658643e7f 100644
--- a/apps/webapp/app/v3/services/createBackgroundWorker.server.ts
+++ b/apps/webapp/app/v3/services/createBackgroundWorker.server.ts
@@ -13,6 +13,12 @@ import { $transaction, Prisma, PrismaClientOrTransaction } from "~/db.server";
 import { sanitizeQueueName } from "~/models/taskQueue.server";
 import { AuthenticatedEnvironment } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
+import { syncTaskIdentifiers } from "~/services/taskIdentifierRegistry.server";
+import {
+  type TaskMetadataCache,
+  type TaskMetadataEntry,
+} from "~/services/taskMetadataCache.server";
+import { taskMetadataCacheInstance } from "~/services/taskMetadataCacheInstance.server";
 import { generateFriendlyId } from "../friendlyIdentifiers";
 import {
   removeQueueConcurrencyLimits,
@@ -28,7 +34,22 @@ import { tryCatch } from "@trigger.dev/core/v3";
 import { engine } from "../runEngine.server";
 import { scheduleEngine } from "../scheduleEngine.server";
 
+import { stripBackgroundWorkerMetadataForStorage } from "./stripBackgroundWorkerMetadataForStorage.server";
+import { assertNoDuplicateTaskIds } from "./duplicateTaskIds.server";
+export { stripBackgroundWorkerMetadataForStorage };
+
 export class CreateBackgroundWorkerService extends BaseService {
+  private readonly _taskMetaCache: TaskMetadataCache;
+
+  constructor(
+    prisma?: PrismaClientOrTransaction,
+    replica?: PrismaClientOrTransaction,
+    taskMetaCache: TaskMetadataCache = taskMetadataCacheInstance
+  ) {
+    super(prisma, replica);
+    this._taskMetaCache = taskMetaCache;
+  }
+
   public async call(
     projectRef: string,
     environment: AuthenticatedEnvironment,
@@ -78,8 +99,7 @@ export class CreateBackgroundWorkerService extends BaseService {
           version: nextVersion,
           runtimeEnvironmentId: environment.id,
           projectId: project.id,
-          // body.metadata has an index signature that Prisma doesn't like (from the JSONSchema type) so we are safe to just cast it
-          metadata: body.metadata as Prisma.InputJsonValue,
+          metadata: stripBackgroundWorkerMetadataForStorage(body.metadata),
           contentHash: body.metadata.contentHash,
           cliVersion: body.metadata.cliPackageVersion,
           sdkVersion: body.metadata.packageVersion,
@@ -121,7 +141,7 @@ export class CreateBackgroundWorkerService extends BaseService {
         throw new ServiceValidationError("Error creating background worker files");
       }
 
-      const [resourcesError] = await tryCatch(
+      const [resourcesError, workerTaskEntries] = await tryCatch(
         createWorkerResources(
           body.metadata,
           backgroundWorker,
@@ -132,6 +152,15 @@ export class CreateBackgroundWorkerService extends BaseService {
       );
 
       if (resourcesError) {
+        if (resourcesError instanceof ServiceValidationError) {
+          // Customer-facing config error (e.g. duplicate task ids). Surface the
+          // real message to the client via the rethrow.
+          logger.warn("Error creating worker resources", {
+            error: resourcesError.message,
+          });
+          throw resourcesError;
+        }
+
         logger.error("Error creating worker resources", {
           error: resourcesError,
           backgroundWorker,
@@ -145,19 +174,67 @@ export class CreateBackgroundWorkerService extends BaseService {
       );
 
       if (schedulesError) {
+        if (schedulesError instanceof ServiceValidationError) {
+          // Customer schedule config (typically invalid cron). Surface to
+          // client via the rethrow; system returns gracefully.
+          logger.warn("Error syncing declarative schedules", {
+            error: schedulesError.message,
+            backgroundWorker,
+            environment,
+          });
+          throw schedulesError;
+        }
+
+        // Wrapping the underlying error into a ServiceValidationError below
+        // would otherwise hide it once the SDK-level filter drops SVEs; log at
+        // error so the underlying cause stays visible. Mirrors the
+        // waitpointCompletionPacket.server.ts pattern from dac9c83bd.
         logger.error("Error syncing declarative schedules", {
           error: schedulesError,
           backgroundWorker,
           environment,
         });
 
-        if (schedulesError instanceof ServiceValidationError) {
-          throw schedulesError;
-        }
-
         throw new ServiceValidationError("Error syncing declarative schedules");
       }
 
+      const [syncIdentifiersError] = await tryCatch(
+        syncTaskIdentifiers(
+          environment.id,
+          project.id,
+          backgroundWorker.id,
+          body.metadata.tasks.map((t) => ({ id: t.id, triggerSource: t.triggerSource }))
+        )
+      );
+
+      if (syncIdentifiersError) {
+        logger.error("Error syncing task identifiers", {
+          error: syncIdentifiersError,
+          backgroundWorker,
+          environment,
+        });
+      }
+
+      // Populate task metadata cache. DEV workers are always "current" because
+      // `findCurrentWorkerFromEnvironment` resolves DEV current as the latest
+      // worker by createdAt. Non-DEV (deploy-built) workers are not promoted
+      // here — promotion writes the `:env:` keyspace later in
+      // changeCurrentDeployment / createDeploymentBackgroundWorkerV3.
+      // Cache calls log+swallow internally, so a Redis blip can't break
+      // anything else here. Empty `workerTaskEntries` is intentional — the
+      // populate methods clear stale hashes for zero-task deploys.
+      if (workerTaskEntries) {
+        if (environment.type === "DEVELOPMENT") {
+          await this._taskMetaCache.populateByCurrentWorker(
+            environment.id,
+            backgroundWorker.id,
+            workerTaskEntries
+          );
+        } else {
+          await this._taskMetaCache.populateByWorker(backgroundWorker.id, workerTaskEntries);
+        }
+      }
+
       const [updateConcurrencyLimitsError] = await tryCatch(
         updateEnvConcurrencyLimits(environment)
       );
@@ -211,17 +288,33 @@ export async function createWorkerResources(
   environment: AuthenticatedEnvironment,
   prisma: PrismaClientOrTransaction,
   tasksToBackgroundFiles?: Map<string, string>
-) {
+): Promise<TaskMetadataEntry[]> {
+  // Defense-in-depth against two tasks sharing an id (across all task types,
+  // e.g. a schedule and a regular task). Note: the CLI's resource catalog keys
+  // tasks by id and overwrites collisions, so duplicates are normally already
+  // collapsed before reaching here — this guards against any client that sends
+  // an un-deduplicated task list.
+  assertNoDuplicateTaskIds(metadata.tasks);
+
   // Create the queues
   const queues = await createWorkerQueues(metadata, worker, environment, prisma);
 
   // Create the tasks
-  await createWorkerTasks(metadata, queues, worker, environment, prisma, tasksToBackgroundFiles);
+  const taskEntries = await createWorkerTasks(
+    metadata,
+    queues,
+    worker,
+    environment,
+    prisma,
+    tasksToBackgroundFiles
+  );
 
   // Register prompts
   if (metadata.prompts && metadata.prompts.length > 0) {
     await createWorkerPrompts(metadata.prompts, worker, environment, prisma);
   }
+
+  return taskEntries;
 }
 
 async function createWorkerTasks(
@@ -231,17 +324,22 @@ async function createWorkerTasks(
   environment: AuthenticatedEnvironment,
   prisma: PrismaClientOrTransaction,
   tasksToBackgroundFiles?: Map<string, string>
-) {
+): Promise<TaskMetadataEntry[]> {
   // Create tasks in chunks of 20
   const CHUNK_SIZE = 20;
+  const entries: TaskMetadataEntry[] = [];
   for (let i = 0; i < metadata.tasks.length; i += CHUNK_SIZE) {
     const chunk = metadata.tasks.slice(i, i + CHUNK_SIZE);
-    await Promise.all(
+    const chunkEntries = await Promise.all(
       chunk.map((task) =>
         createWorkerTask(task, queues, worker, environment, prisma, tasksToBackgroundFiles)
       )
     );
+    for (const entry of chunkEntries) {
+      if (entry) entries.push(entry);
+    }
   }
+  return entries;
 }
 
 async function createWorkerTask(
@@ -251,9 +349,14 @@ async function createWorkerTask(
   environment: AuthenticatedEnvironment,
   prisma: PrismaClientOrTransaction,
   tasksToBackgroundFiles?: Map<string, string>
-) {
+): Promise<TaskMetadataEntry | null> {
+  // Hoisted so the P2002 catch branch can return the same entry shape.
+  let queue: TaskQueue | undefined;
+  let resolvedTriggerSource: "SCHEDULED" | "AGENT" | "STANDARD" | undefined;
+  let resolvedTtl: string | null | undefined;
+
   try {
-    let queue = queues.find((queue) => queue.name === task.queue?.name);
+    queue = queues.find((queue) => queue.name === task.queue?.name);
 
     if (!queue) {
       // Create a TaskQueue
@@ -270,6 +373,16 @@ async function createWorkerTask(
       );
     }
 
+    resolvedTriggerSource =
+      task.triggerSource === "schedule"
+        ? ("SCHEDULED" as const)
+        : task.triggerSource === "agent"
+          ? ("AGENT" as const)
+          : ("STANDARD" as const);
+
+    resolvedTtl =
+      typeof task.ttl === "number" ? stringifyDuration(task.ttl) ?? null : task.ttl ?? null;
+
     await prisma.backgroundWorkerTask.create({
       data: {
         friendlyId: generateFriendlyId("task"),
@@ -283,23 +396,47 @@ async function createWorkerTask(
         retryConfig: task.retry,
         queueConfig: task.queue,
         machineConfig: task.machine,
-        triggerSource: task.triggerSource === "schedule" ? "SCHEDULED" : "STANDARD",
+        triggerSource: resolvedTriggerSource,
+        config: task.agentConfig ? (task.agentConfig as any) : undefined,
         fileId: tasksToBackgroundFiles?.get(task.id) ?? null,
         maxDurationInSeconds: task.maxDuration ? clampMaxDuration(task.maxDuration) : null,
-        ttl:
-          typeof task.ttl === "number" ? stringifyDuration(task.ttl) ?? null : task.ttl ?? null,
+        ttl: resolvedTtl,
         queueId: queue.id,
         payloadSchema: task.payloadSchema as any,
       },
     });
+
+    return {
+      slug: task.id,
+      ttl: resolvedTtl,
+      triggerSource: resolvedTriggerSource,
+      queueId: queue.id,
+      queueName: queue.name,
+    };
   } catch (error) {
     if (error instanceof Prisma.PrismaClientKnownRequestError) {
       // The error code for unique constraint violation in Prisma is P2002
       if (error.code === "P2002") {
-        logger.warn("Task already exists", {
+        // Retry landing after the first attempt's row was already written.
+        const existing = await prisma.backgroundWorkerTask.findFirst({
+          where: { workerId: worker.id, slug: task.id },
+          select: { id: true },
+        });
+
+        logger.warn("Attempted to recreate background worker task", {
           task,
           worker,
         });
+
+        if (existing && queue && resolvedTriggerSource && resolvedTtl !== undefined) {
+          return {
+            slug: task.id,
+            ttl: resolvedTtl,
+            triggerSource: resolvedTriggerSource,
+            queueId: queue.id,
+            queueName: queue.name,
+          };
+        }
       } else {
         logger.error("Prisma Error creating background worker task", {
           error: {
@@ -327,6 +464,7 @@ async function createWorkerTask(
         worker,
       });
     }
+    return null;
   }
 }
 
diff --git a/apps/webapp/app/v3/services/createDeploymentBackgroundWorkerV3.server.ts b/apps/webapp/app/v3/services/createDeploymentBackgroundWorkerV3.server.ts
index e093f2c2006..d8f13227d78 100644
--- a/apps/webapp/app/v3/services/createDeploymentBackgroundWorkerV3.server.ts
+++ b/apps/webapp/app/v3/services/createDeploymentBackgroundWorkerV3.server.ts
@@ -1,12 +1,19 @@
-import { CreateBackgroundWorkerRequestBody } from "@trigger.dev/core/v3";
-import type { BackgroundWorker, Prisma } from "@trigger.dev/database";
+import { CreateBackgroundWorkerRequestBody, tryCatch } from "@trigger.dev/core/v3";
+import type { BackgroundWorker, PrismaClientOrTransaction } from "@trigger.dev/database";
 import { AuthenticatedEnvironment } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
+import { syncTaskIdentifiers } from "~/services/taskIdentifierRegistry.server";
+import { type TaskMetadataCache } from "~/services/taskMetadataCache.server";
+import { taskMetadataCacheInstance } from "~/services/taskMetadataCacheInstance.server";
 import { socketIo } from "../handleSocketIo.server";
 import { updateEnvConcurrencyLimits } from "../runQueue.server";
 import { PerformDeploymentAlertsService } from "./alerts/performDeploymentAlerts.server";
 import { BaseService } from "./baseService.server";
-import { createWorkerResources, syncDeclarativeSchedules } from "./createBackgroundWorker.server";
+import {
+  createWorkerResources,
+  stripBackgroundWorkerMetadataForStorage,
+  syncDeclarativeSchedules,
+} from "./createBackgroundWorker.server";
 import { ExecuteTasksWaitingForDeployService } from "./executeTasksWaitingForDeploy";
 import { projectPubSub } from "./projectPubSub.server";
 import { TimeoutDeploymentService } from "./timeoutDeployment.server";
@@ -19,6 +26,17 @@ import { CURRENT_DEPLOYMENT_LABEL, BackgroundWorkerId } from "@trigger.dev/core/
  * @deprecated
  */
 export class CreateDeploymentBackgroundWorkerServiceV3 extends BaseService {
+  private readonly _taskMetaCache: TaskMetadataCache;
+
+  constructor(
+    prisma?: PrismaClientOrTransaction,
+    replica?: PrismaClientOrTransaction,
+    taskMetaCache: TaskMetadataCache = taskMetadataCacheInstance
+  ) {
+    super(prisma, replica);
+    this._taskMetaCache = taskMetaCache;
+  }
+
   public async call(
     projectRef: string,
     environment: AuthenticatedEnvironment,
@@ -48,8 +66,7 @@ export class CreateDeploymentBackgroundWorkerServiceV3 extends BaseService {
           version: deployment.version,
           runtimeEnvironmentId: environment.id,
           projectId: environment.projectId,
-          // body.metadata has an index signature that Prisma doesn't like (from the JSONSchema type) so we are safe to just cast it
-          metadata: body.metadata as Prisma.InputJsonValue,
+          metadata: stripBackgroundWorkerMetadataForStorage(body.metadata),
           contentHash: body.metadata.contentHash,
           cliVersion: body.metadata.cliPackageVersion,
           sdkVersion: body.metadata.packageVersion,
@@ -70,8 +87,14 @@ export class CreateDeploymentBackgroundWorkerServiceV3 extends BaseService {
         });
       }
 
+      let workerTaskEntries: Awaited<ReturnType<typeof createWorkerResources>> = [];
       try {
-        await createWorkerResources(body.metadata, backgroundWorker, environment, this._prisma);
+        workerTaskEntries = await createWorkerResources(
+          body.metadata,
+          backgroundWorker,
+          environment,
+          this._prisma
+        );
         await syncDeclarativeSchedules(
           body.metadata.tasks,
           backgroundWorker,
@@ -130,6 +153,29 @@ export class CreateDeploymentBackgroundWorkerServiceV3 extends BaseService {
         },
       });
 
+      const [syncIdError] = await tryCatch(
+        syncTaskIdentifiers(
+          environment.id,
+          environment.projectId,
+          backgroundWorker.id,
+          body.metadata.tasks.map((t) => ({ id: t.id, triggerSource: t.triggerSource }))
+        )
+      );
+
+      if (syncIdError) {
+        logger.error("Error syncing task identifiers", { error: syncIdError });
+      }
+
+      // V3 promotes the deployment immediately above, so this worker is now
+      // current for the env — write both keyspaces atomically. Cache calls
+      // log+swallow internally. Empty `workerTaskEntries` is intentional: the
+      // populate methods clear stale hashes for zero-task deploys.
+      await this._taskMetaCache.populateByCurrentWorker(
+        environment.id,
+        backgroundWorker.id,
+        workerTaskEntries
+      );
+
       try {
         //send a notification that a new worker has been created
         await projectPubSub.publish(
diff --git a/apps/webapp/app/v3/services/createDeploymentBackgroundWorkerV4.server.ts b/apps/webapp/app/v3/services/createDeploymentBackgroundWorkerV4.server.ts
index cc73a8569d9..d34db841cd6 100644
--- a/apps/webapp/app/v3/services/createDeploymentBackgroundWorkerV4.server.ts
+++ b/apps/webapp/app/v3/services/createDeploymentBackgroundWorkerV4.server.ts
@@ -1,17 +1,34 @@
 import { CreateBackgroundWorkerRequestBody, logger, tryCatch } from "@trigger.dev/core/v3";
-import { BackgroundWorkerId } from "@trigger.dev/core/v3/isomorphic";
-import type { BackgroundWorker, Prisma, WorkerDeployment } from "@trigger.dev/database";
+import type {
+  BackgroundWorker,
+  PrismaClientOrTransaction,
+  WorkerDeployment,
+} from "@trigger.dev/database";
 import { AuthenticatedEnvironment } from "~/services/apiAuth.server";
+import { type TaskMetadataCache } from "~/services/taskMetadataCache.server";
+import { taskMetadataCacheInstance } from "~/services/taskMetadataCacheInstance.server";
 import { BaseService, ServiceValidationError } from "./baseService.server";
 import {
   createBackgroundFiles,
   createWorkerResources,
   syncDeclarativeSchedules,
 } from "./createBackgroundWorker.server";
+import { findOrCreateBackgroundWorker } from "./createDeploymentBackgroundWorkerV4/findOrCreateBackgroundWorker.server";
 import { TimeoutDeploymentService } from "./timeoutDeployment.server";
 import { env } from "~/env.server";
 
 export class CreateDeploymentBackgroundWorkerServiceV4 extends BaseService {
+  private readonly _taskMetaCache: TaskMetadataCache;
+
+  constructor(
+    prisma?: PrismaClientOrTransaction,
+    replica?: PrismaClientOrTransaction,
+    taskMetaCache: TaskMetadataCache = taskMetadataCacheInstance
+  ) {
+    super(prisma, replica);
+    this._taskMetaCache = taskMetaCache;
+  }
+
   public async call(
     environment: AuthenticatedEnvironment,
     deploymentId: string,
@@ -36,6 +53,11 @@ export class CreateDeploymentBackgroundWorkerServiceV4 extends BaseService {
       });
 
       if (!deployment) {
+        logger.warn("createDeploymentBackgroundWorker: deployment not found", {
+          deploymentId,
+          environmentId: environment.id,
+          projectId: environment.projectId,
+        });
         return;
       }
 
@@ -55,27 +77,44 @@ export class CreateDeploymentBackgroundWorkerServiceV4 extends BaseService {
         }
       }
 
+      // Late-retry idempotency: if a worker was registered by a prior fully-
+      // successful attempt and the deployment already moved past BUILDING, return
+      // that worker so the CLI can finalize instead of seeing a 5xx.
+      if (deployment.workerId) {
+        const linkedWorker = await this._prisma.backgroundWorker.findFirst({
+          where: { id: deployment.workerId },
+        });
+        if (linkedWorker) {
+          return linkedWorker;
+        }
+      }
+
       if (deployment.status !== "BUILDING") {
+        logger.warn("createDeploymentBackgroundWorker: deployment not in BUILDING state", {
+          deploymentId,
+          deploymentStatus: deployment.status,
+          environmentId: environment.id,
+          projectId: environment.projectId,
+        });
         return;
       }
 
-      const backgroundWorker = await this._prisma.backgroundWorker.create({
-        data: {
-          ...BackgroundWorkerId.generate(),
-          version: deployment.version,
-          runtimeEnvironmentId: environment.id,
-          projectId: environment.projectId,
-          // body.metadata has an index signature that Prisma doesn't like (from the JSONSchema type) so we are safe to just cast it
-          metadata: body.metadata as Prisma.InputJsonValue,
-          contentHash: body.metadata.contentHash,
-          cliVersion: body.metadata.cliPackageVersion,
-          sdkVersion: body.metadata.packageVersion,
-          supportsLazyAttempts: body.supportsLazyAttempts,
-          engine: body.engine,
-          runtime: body.metadata.runtime,
-          runtimeVersion: body.metadata.runtimeVersion,
-        },
-      });
+      const [findOrCreateError, backgroundWorker] = await tryCatch(
+        findOrCreateBackgroundWorker(environment, deployment, body, this._prisma)
+      );
+
+      if (findOrCreateError) {
+        // Definitive failures (e.g. contentHash drift) surface as
+        // `ServiceValidationError` — fail the deployment so the operator sees it
+        // immediately instead of waiting 8 minutes for the timeout. Transient
+        // races throw a plain `Error` and propagate as 5xx without failing.
+        if (findOrCreateError instanceof ServiceValidationError) {
+          // `#failBackgroundWorkerDeployment` already throws its argument; the
+          // outer `throw` covers the non-SVE branch.
+          await this.#failBackgroundWorkerDeployment(deployment, findOrCreateError);
+        }
+        throw findOrCreateError;
+      }
 
       //upgrade the project to engine "V2" if it's not already
       if (environment.project.engine === "V1" && body.engine === "V2") {
@@ -110,7 +149,7 @@ export class CreateDeploymentBackgroundWorkerServiceV4 extends BaseService {
         throw serviceError;
       }
 
-      const [resourcesError] = await tryCatch(
+      const [resourcesError, workerTaskEntries] = await tryCatch(
         createWorkerResources(
           body.metadata,
           backgroundWorker,
@@ -121,6 +160,17 @@ export class CreateDeploymentBackgroundWorkerServiceV4 extends BaseService {
       );
 
       if (resourcesError) {
+        if (resourcesError instanceof ServiceValidationError) {
+          // Customer-facing config error (e.g. duplicate task ids). Surface the
+          // real message to the client via the rethrow.
+          logger.warn("Error creating background worker resources", {
+            error: resourcesError.message,
+          });
+
+          await this.#failBackgroundWorkerDeployment(deployment, resourcesError);
+          throw resourcesError;
+        }
+
         logger.error("Error creating background worker resources", {
           error: resourcesError,
         });
@@ -134,29 +184,52 @@ export class CreateDeploymentBackgroundWorkerServiceV4 extends BaseService {
         throw serviceError;
       }
 
+      // V4 build path: worker created but NOT yet promoted to current. Write
+      // only the `task-meta:by-worker:{workerId}` keyspace so locked-version
+      // triggers against this build hit the cache. Promotion (which writes the
+      // env keyspace) happens later via finalizeDeployment → changeCurrentDeployment.
+      // Cache calls log+swallow internally, so a Redis blip can't stall the
+      // deployment state machine. Empty entries clears stale hashes.
+      if (workerTaskEntries) {
+        await this._taskMetaCache.populateByWorker(backgroundWorker.id, workerTaskEntries);
+      }
+
       const [schedulesError] = await tryCatch(
         syncDeclarativeSchedules(body.metadata.tasks, backgroundWorker, environment, this._prisma)
       );
 
       if (schedulesError) {
+        if (schedulesError instanceof ServiceValidationError) {
+          // Customer schedule config (typically invalid cron). Surface to
+          // client via the rethrow; system returns gracefully.
+          logger.warn("Error syncing declarative schedules", {
+            error: schedulesError.message,
+          });
+
+          await this.#failBackgroundWorkerDeployment(deployment, schedulesError);
+          throw schedulesError;
+        }
+
+        // Wrapping the underlying error into a ServiceValidationError below
+        // would otherwise hide it once the SDK-level filter drops SVEs; log at
+        // error so the underlying cause stays visible. Mirrors the
+        // waitpointCompletionPacket.server.ts pattern from dac9c83bd.
         logger.error("Error syncing declarative schedules", {
           error: schedulesError,
         });
 
-        const serviceError =
-          schedulesError instanceof ServiceValidationError
-            ? schedulesError
-            : new ServiceValidationError("Error syncing declarative schedules");
+        const serviceError = new ServiceValidationError("Error syncing declarative schedules");
 
         await this.#failBackgroundWorkerDeployment(deployment, serviceError);
 
         throw serviceError;
       }
 
-      // Link the deployment with the background worker
-      await this._prisma.workerDeployment.update({
+      // Guarded BUILDING → DEPLOYING transition. `updateMany` for optimistic concurrency control
+      const { count: updatedCount } = await this._prisma.workerDeployment.updateMany({
         where: {
           id: deployment.id,
+          status: "BUILDING",
         },
         data: {
           status: "DEPLOYING",
@@ -168,6 +241,18 @@ export class CreateDeploymentBackgroundWorkerServiceV4 extends BaseService {
         },
       });
 
+      if (updatedCount === 0) {
+        logger.warn(
+          "createDeploymentBackgroundWorker: deployment no longer in BUILDING state, skipping DEPLOYING transition",
+          {
+            deploymentId,
+            environmentId: environment.id,
+            projectId: environment.projectId,
+          }
+        );
+        return backgroundWorker;
+      }
+
       await TimeoutDeploymentService.enqueue(
         deployment.id,
         "DEPLOYING",
@@ -180,9 +265,14 @@ export class CreateDeploymentBackgroundWorkerServiceV4 extends BaseService {
   }
 
   async #failBackgroundWorkerDeployment(deployment: WorkerDeployment, error: Error) {
-    await this._prisma.workerDeployment.update({
+    // Guarded BUILDING → FAILED transition, symmetric with the BUILDING → DEPLOYING
+    // transition in `call()`. With idempotent retries, two attempts can run side-by-side;
+    // without the predicate, one attempt's failure could downgrade the deployment after
+    // the other already flipped it to DEPLOYING, leaving it stuck in FAILED with a worker.
+    const { count: updatedCount } = await this._prisma.workerDeployment.updateMany({
       where: {
         id: deployment.id,
+        status: "BUILDING",
       },
       data: {
         status: "FAILED",
@@ -194,7 +284,20 @@ export class CreateDeploymentBackgroundWorkerServiceV4 extends BaseService {
       },
     });
 
-    await TimeoutDeploymentService.dequeue(deployment.id, this._prisma);
+    if (updatedCount === 0) {
+      logger.warn(
+        "failBackgroundWorkerDeployment: deployment moved out of BUILDING during call, skipping FAILED transition",
+        {
+          deploymentId: deployment.id,
+          originalError: error.message,
+        }
+      );
+    } else {
+      // Only dequeue the timeout if we actually flipped to FAILED — otherwise a
+      // sibling attempt may have just enqueued it as part of a successful
+      // BUILDING → DEPLOYING transition.
+      await TimeoutDeploymentService.dequeue(deployment.id, this._prisma);
+    }
 
     throw error;
   }
diff --git a/apps/webapp/app/v3/services/createDeploymentBackgroundWorkerV4/findOrCreateBackgroundWorker.server.ts b/apps/webapp/app/v3/services/createDeploymentBackgroundWorkerV4/findOrCreateBackgroundWorker.server.ts
new file mode 100644
index 00000000000..7a2dcb06c34
--- /dev/null
+++ b/apps/webapp/app/v3/services/createDeploymentBackgroundWorkerV4/findOrCreateBackgroundWorker.server.ts
@@ -0,0 +1,81 @@
+import type { CreateBackgroundWorkerRequestBody } from "@trigger.dev/core/v3";
+import { BackgroundWorkerId } from "@trigger.dev/core/v3/isomorphic";
+import {
+  isUniqueConstraintError,
+  type BackgroundWorker,
+  type PrismaClientOrTransaction,
+  type WorkerDeployment,
+} from "@trigger.dev/database";
+import type { AuthenticatedEnvironment } from "~/services/apiAuth.server";
+import { ServiceValidationError } from "../common.server";
+import { stripBackgroundWorkerMetadataForStorage } from "../stripBackgroundWorkerMetadataForStorage.server";
+
+/**
+ * Idempotent on `(project, environment, version)` for sequential calls, not concurrent calls.
+ *
+ * Failure shapes the caller distinguishes:
+ *   - `ServiceValidationError` (409): definitive — contentHash drift means a different build
+ *     is being pushed under the same deployment version, so the caller should fail the
+ *     deployment instead of waiting for a timeout.
+ *   - Plain `Error`: transient — two attempts raced the `create()` call and the loser caught
+ *     the unique-index violation. The caller should propagate this as 5xx so the CLI's
+ *     retry/backoff hits findFirst on the next attempt and returns the winner's row.
+ */
+export async function findOrCreateBackgroundWorker(
+  environment: AuthenticatedEnvironment,
+  deployment: WorkerDeployment,
+  body: CreateBackgroundWorkerRequestBody,
+  prisma: PrismaClientOrTransaction
+): Promise<BackgroundWorker> {
+  const existing = await prisma.backgroundWorker.findFirst({
+    where: {
+      projectId: environment.projectId,
+      runtimeEnvironmentId: environment.id,
+      version: deployment.version,
+    },
+  });
+
+  if (existing && existing.contentHash === body.metadata.contentHash) {
+    return existing;
+  }
+
+  if (existing) {
+    throw new ServiceValidationError(
+      "A background worker for this deployment version already exists with a different content hash",
+      409
+    );
+  }
+
+  try {
+    return await prisma.backgroundWorker.create({
+      data: {
+        ...BackgroundWorkerId.generate(),
+        version: deployment.version,
+        runtimeEnvironmentId: environment.id,
+        projectId: environment.projectId,
+        metadata: stripBackgroundWorkerMetadataForStorage(body.metadata),
+        contentHash: body.metadata.contentHash,
+        cliVersion: body.metadata.cliPackageVersion,
+        sdkVersion: body.metadata.packageVersion,
+        supportsLazyAttempts: body.supportsLazyAttempts,
+        engine: body.engine,
+        runtime: body.metadata.runtime,
+        runtimeVersion: body.metadata.runtimeVersion,
+      },
+    });
+  } catch (error) {
+    // Concurrent attempts raced past `findFirst` and both reached `create`. Surface
+    // a clear, non-Prisma error so the 5xx the caller returns isn't an opaque
+    // P2002 — the CLI's retry will then hit `findFirst` and find the winner's row.
+    // Intentionally NOT a ServiceValidationError so the caller doesn't fail-deploy
+    // on a transient race.
+    if (
+      isUniqueConstraintError(error, ["projectId", "runtimeEnvironmentId", "version"])
+    ) {
+      throw new Error(
+        "Concurrent background worker registration detected for this deployment version; please retry"
+      );
+    }
+    throw error;
+  }
+}
diff --git a/apps/webapp/app/v3/services/createTaskRunAttempt.server.ts b/apps/webapp/app/v3/services/createTaskRunAttempt.server.ts
index 7e0b40dd826..8be2b9557cc 100644
--- a/apps/webapp/app/v3/services/createTaskRunAttempt.server.ts
+++ b/apps/webapp/app/v3/services/createTaskRunAttempt.server.ts
@@ -210,6 +210,7 @@ export class CreateTaskRunAttemptService extends BaseService {
           createdAt: taskRun.createdAt,
           tags: taskRun.runTags ?? [],
           isTest: taskRun.isTest,
+          isReplay: !!taskRun.replayedFromTaskRunFriendlyId,
           idempotencyKey: taskRun.idempotencyKey ?? undefined,
           startedAt: taskRun.startedAt ?? taskRun.createdAt,
           durationMs: taskRun.usageDurationMs,
diff --git a/apps/webapp/app/v3/services/duplicateTaskIds.server.ts b/apps/webapp/app/v3/services/duplicateTaskIds.server.ts
new file mode 100644
index 00000000000..4ade92fd9fd
--- /dev/null
+++ b/apps/webapp/app/v3/services/duplicateTaskIds.server.ts
@@ -0,0 +1,56 @@
+import { ServiceValidationError } from "./common.server";
+
+type TaskIdResource = {
+  id: string;
+  filePath?: string;
+  exportName?: string;
+};
+
+/**
+ * Returns the set of task ids that are defined more than once. All task types
+ * (regular tasks, scheduled tasks, agents, etc.) share a single id namespace,
+ * so a schedule and a regular task that use the same id count as a duplicate.
+ */
+export function findDuplicateTaskIds(tasks: Array<TaskIdResource>): string[] {
+  const seen = new Set<string>();
+  const duplicates = new Set<string>();
+
+  for (const task of tasks) {
+    if (seen.has(task.id)) {
+      duplicates.add(task.id);
+    } else {
+      seen.add(task.id);
+    }
+  }
+
+  return Array.from(duplicates);
+}
+
+/**
+ * Throws a customer-facing {@link ServiceValidationError} (HTTP 400) if any
+ * task id is defined more than once, naming each offending id and the files it
+ * was found in.
+ */
+export function assertNoDuplicateTaskIds(tasks: Array<TaskIdResource>): void {
+  const duplicateTaskIds = findDuplicateTaskIds(tasks);
+
+  if (duplicateTaskIds.length === 0) {
+    return;
+  }
+
+  const details = duplicateTaskIds
+    .map((id) => {
+      const locations = tasks
+        .filter((task) => task.id === id)
+        .map((task) => task.filePath ?? "unknown file")
+        .join(", ");
+
+      return `"${id}" (defined in ${locations})`;
+    })
+    .join("; ");
+
+  throw new ServiceValidationError(
+    `Duplicate task ids detected: ${details}. Each task must have a unique id across all task types (including scheduled tasks). Please rename one of them.`,
+    400
+  );
+}
diff --git a/apps/webapp/app/v3/services/executeTasksWaitingForDeploy.ts b/apps/webapp/app/v3/services/executeTasksWaitingForDeploy.ts
index 7839b9e6e07..fb519b43151 100644
--- a/apps/webapp/app/v3/services/executeTasksWaitingForDeploy.ts
+++ b/apps/webapp/app/v3/services/executeTasksWaitingForDeploy.ts
@@ -7,6 +7,12 @@ import { BaseService } from "./baseService.server";
 
 export class ExecuteTasksWaitingForDeployService extends BaseService {
   public async call(backgroundWorkerId: string) {
+    // Kill-switch for the legacy V1 WAITING_FOR_DEPLOY drain. Set to "1" to
+    // neuter any jobs already enqueued (V2 has its own PENDING_VERSION path).
+    if (env.LEGACY_RUN_ENGINE_WAITING_FOR_DEPLOY_DISABLED === "1") {
+      return;
+    }
+
     const backgroundWorker = await this._prisma.backgroundWorker.findFirst({
       where: {
         id: backgroundWorkerId,
diff --git a/apps/webapp/app/v3/services/expireEnqueuedRun.server.ts b/apps/webapp/app/v3/services/expireEnqueuedRun.server.ts
index aa69f4c9f65..0409b6ed956 100644
--- a/apps/webapp/app/v3/services/expireEnqueuedRun.server.ts
+++ b/apps/webapp/app/v3/services/expireEnqueuedRun.server.ts
@@ -4,7 +4,7 @@ import { commonWorker } from "../commonWorker.server";
 import { BaseService } from "./baseService.server";
 import { FinalizeTaskRunService } from "./finalizeTaskRun.server";
 import { tryCatch } from "@trigger.dev/core/utils";
-import { resolveEventRepositoryForStore } from "../eventRepository/index.server";
+import { getEventRepositoryForStore } from "../eventRepository/index.server";
 
 export class ExpireEnqueuedRunService extends BaseService {
   public static async ack(runId: string, tx?: PrismaClientOrTransaction) {
@@ -78,7 +78,10 @@ export class ExpireEnqueuedRunService extends BaseService {
       },
     });
 
-    const eventRepository = resolveEventRepositoryForStore(run.taskEventStore);
+    const eventRepository = await getEventRepositoryForStore(
+      run.taskEventStore,
+      run.runtimeEnvironment.organization.id
+    );
 
     if (run.ttl) {
       const [completeExpiredRunEventError] = await tryCatch(
diff --git a/apps/webapp/app/v3/services/initializeDeployment.server.ts b/apps/webapp/app/v3/services/initializeDeployment.server.ts
index 987925aa709..2f51fe79c73 100644
--- a/apps/webapp/app/v3/services/initializeDeployment.server.ts
+++ b/apps/webapp/app/v3/services/initializeDeployment.server.ts
@@ -9,13 +9,13 @@ import { type AuthenticatedEnvironment } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
 import { generateFriendlyId } from "../friendlyIdentifiers";
 import { createRemoteImageBuild, remoteBuildsEnabled } from "../remoteImageBuilder.server";
-import { calculateNextBuildVersion } from "../utils/calculateNextBuildVersion";
 import { BaseService, ServiceValidationError } from "./baseService.server";
 import { TimeoutDeploymentService } from "./timeoutDeployment.server";
 import { getDeploymentImageRef } from "../getDeploymentImageRef.server";
 import { tryCatch } from "@trigger.dev/core";
 import { getRegistryConfig } from "../registryConfig.server";
 import { DeploymentService } from "./deployment.server";
+import { createDeploymentWithNextVersion } from "./initializeDeployment/createDeploymentWithNextVersion.server";
 import { errAsync } from "neverthrow";
 
 const nanoid = customAlphabet("1234567890abcdefghijklmnopqrstuvwxyz", 8);
@@ -59,6 +59,28 @@ export class InitializeDeploymentService extends BaseService {
         };
       }
 
+      // v4 CLI versions always send `payload.type` ("MANAGED" or "V1"). v3 CLI
+      // versions never do, so the absence of `type` is a reliable signal that
+      // the request came from a 3.x CLI. Detection always runs (so we can
+      // observe how many deploys are still using v3), enforcement is gated
+      // behind DEPRECATE_V3_CLI_DEPLOYS_ENABLED so it can be rolled out safely.
+      if (!payload.type) {
+        const enforced = env.DEPRECATE_V3_CLI_DEPLOYS_ENABLED === "1";
+
+        logger.warn("Detected deploy from deprecated v3 CLI", {
+          environmentId: environment.id,
+          projectId: environment.projectId,
+          organizationId: environment.project.organizationId,
+          enforced,
+        });
+
+        if (enforced) {
+          throw new ServiceValidationError(
+            "The trigger.dev CLI v3 is no longer supported for deployments. Please upgrade your project to v4: https://trigger.dev/docs/migrating-from-v3"
+          );
+        }
+      }
+
       if (payload.type === "UNMANAGED") {
         throw new ServiceValidationError("UNMANAGED deployments are not supported");
       }
@@ -75,18 +97,6 @@ export class InitializeDeploymentService extends BaseService {
         });
       }
 
-      const latestDeployment = await this._prisma.workerDeployment.findFirst({
-        where: {
-          environmentId: environment.id,
-        },
-        orderBy: {
-          createdAt: "desc",
-        },
-        take: 1,
-      });
-
-      const nextVersion = calculateNextBuildVersion(latestDeployment?.version);
-
       if (payload.selfHosted && remoteBuildsEnabled()) {
         throw new ServiceValidationError(
           "Self-hosted deployments are not supported on this instance"
@@ -124,30 +134,6 @@ export class InitializeDeploymentService extends BaseService {
 
       const deploymentShortCode = nanoid(8);
 
-      const [imageRefError, imageRefResult] = await tryCatch(
-        getDeploymentImageRef({
-          registry: registryConfig,
-          projectRef: environment.project.externalRef,
-          nextVersion,
-          environmentType: environment.type,
-          deploymentShortCode,
-        })
-      );
-
-      if (imageRefError) {
-        logger.error("Failed to get deployment image ref", {
-          environmentId: environment.id,
-          projectId: environment.projectId,
-          version: nextVersion,
-          triggeredById: triggeredBy?.id,
-          type: payload.type,
-          cause: imageRefError.message,
-        });
-        throw new ServiceValidationError("Failed to get deployment image ref");
-      }
-
-      const { imageRef, isEcr, repoCreated } = imageRefResult;
-
       // We keep using `BUILDING` as the initial status if not explicitly set
       // to avoid changing the behavior for deployments not created in the build server.
       // Native builds always start in the `PENDING` status.
@@ -186,20 +172,6 @@ export class InitializeDeploymentService extends BaseService {
           }
         : undefined;
 
-      logger.debug("Creating deployment", {
-        environmentId: environment.id,
-        projectId: environment.projectId,
-        version: nextVersion,
-        triggeredById: triggeredBy?.id,
-        type: payload.type,
-        imageRef,
-        isEcr,
-        repoCreated,
-        initialStatus,
-        artifactKey: payload.isNativeBuild ? payload.artifactKey : undefined,
-        isNativeBuild: payload.isNativeBuild,
-      });
-
       const buildServerMetadata: BuildServerMetadata | undefined =
         payload.isNativeBuild || payload.buildId
           ? {
@@ -216,28 +188,77 @@ export class InitializeDeploymentService extends BaseService {
             }
           : undefined;
 
-      const deployment = await this._prisma.workerDeployment.create({
-        data: {
-          friendlyId: generateFriendlyId("deployment"),
-          contentHash: payload.contentHash,
-          shortCode: deploymentShortCode,
-          version: nextVersion,
-          status: initialStatus,
-          environmentId: environment.id,
-          projectId: environment.projectId,
-          externalBuildData,
-          buildServerMetadata,
-          triggeredById: triggeredBy?.id,
-          type: payload.type,
-          imageReference: imageRef,
-          imagePlatform: env.DEPLOY_IMAGE_PLATFORM,
-          git: payload.gitMeta ?? undefined,
-          commitSHA: payload.gitMeta?.commitSha ?? undefined,
-          runtime: payload.runtime ?? undefined,
-          triggeredVia: payload.triggeredVia ?? undefined,
-          startedAt: initialStatus === "BUILDING" ? new Date() : undefined,
-        },
-      });
+      // Concurrent deploys to the same environment race on the
+      // `(environmentId, version)` unique constraint. The helper retries on
+      // P2002, recomputing the version (and re-running the image ref call so
+      // the persisted imageReference always matches the persisted version)
+      // each attempt.
+      const deployment = await createDeploymentWithNextVersion(
+        this._prisma,
+        environment.id,
+        async (nextVersion) => {
+          const [imageRefError, imageRefResult] = await tryCatch(
+            getDeploymentImageRef({
+              registry: registryConfig,
+              projectRef: environment.project.externalRef,
+              nextVersion,
+              environmentType: environment.type,
+              deploymentShortCode,
+            })
+          );
+
+          if (imageRefError) {
+            logger.error("Failed to get deployment image ref", {
+              environmentId: environment.id,
+              projectId: environment.projectId,
+              version: nextVersion,
+              triggeredById: triggeredBy?.id,
+              type: payload.type,
+              cause: imageRefError.message,
+            });
+            throw new ServiceValidationError("Failed to get deployment image ref");
+          }
+
+          const { imageRef, isEcr, repoCreated } = imageRefResult;
+
+          logger.debug("Creating deployment", {
+            environmentId: environment.id,
+            projectId: environment.projectId,
+            version: nextVersion,
+            triggeredById: triggeredBy?.id,
+            type: payload.type,
+            imageRef,
+            isEcr,
+            repoCreated,
+            initialStatus,
+            artifactKey: payload.isNativeBuild ? payload.artifactKey : undefined,
+            isNativeBuild: payload.isNativeBuild,
+          });
+
+          return {
+            // Regenerated per attempt: each attempt is a fresh `create` that
+            // must satisfy `WorkerDeployment.friendlyId @unique`, so reusing a
+            // friendlyId across retries would risk a spurious P2002 on
+            // friendlyId instead of the version collision we're retrying.
+            friendlyId: generateFriendlyId("deployment"),
+            contentHash: payload.contentHash,
+            shortCode: deploymentShortCode,
+            status: initialStatus,
+            projectId: environment.projectId,
+            externalBuildData,
+            buildServerMetadata,
+            triggeredById: triggeredBy?.id,
+            type: payload.type,
+            imageReference: imageRef,
+            imagePlatform: env.DEPLOY_IMAGE_PLATFORM,
+            git: payload.gitMeta ?? undefined,
+            commitSHA: payload.gitMeta?.commitSha ?? undefined,
+            runtime: payload.runtime ?? undefined,
+            triggeredVia: payload.triggeredVia ?? undefined,
+            startedAt: initialStatus === "BUILDING" ? new Date() : undefined,
+          };
+        }
+      );
 
       const timeoutMs =
         deployment.status === "PENDING" ? env.DEPLOY_QUEUE_TIMEOUT_MS : env.DEPLOY_TIMEOUT_MS;
@@ -287,7 +308,7 @@ export class InitializeDeploymentService extends BaseService {
 
       return {
         deployment,
-        imageRef,
+        imageRef: deployment.imageReference ?? "",
         eventStream,
       };
     });
diff --git a/apps/webapp/app/v3/services/initializeDeployment/createDeploymentWithNextVersion.server.ts b/apps/webapp/app/v3/services/initializeDeployment/createDeploymentWithNextVersion.server.ts
new file mode 100644
index 00000000000..0a7e54c2947
--- /dev/null
+++ b/apps/webapp/app/v3/services/initializeDeployment/createDeploymentWithNextVersion.server.ts
@@ -0,0 +1,99 @@
+import {
+  isUniqueConstraintError,
+  type Prisma,
+  type PrismaClientOrTransaction,
+  type WorkerDeployment,
+} from "@trigger.dev/database";
+import { setTimeout as sleep } from "node:timers/promises";
+import { logger } from "~/services/logger.server";
+import { calculateNextBuildVersion } from "../../utils/calculateNextBuildVersion";
+
+export type CreateDeploymentData = Omit<
+  Prisma.WorkerDeploymentUncheckedCreateInput,
+  "version" | "environmentId"
+>;
+
+export type CreateDeploymentWithNextVersionOptions = {
+  maxRetries?: number;
+  jitterMs?: { min: number; max: number };
+};
+
+const DEFAULT_MAX_RETRIES = 5;
+const DEFAULT_JITTER_MS = { min: 5, max: 50 };
+
+export class DeploymentVersionCollisionError extends Error {
+  readonly name = "DeploymentVersionCollisionError";
+  readonly environmentId: string;
+  readonly attempts: number;
+  readonly lastAttemptedVersion: string;
+
+  constructor(args: {
+    environmentId: string;
+    attempts: number;
+    lastAttemptedVersion: string;
+    cause: unknown;
+  }) {
+    super(
+      `Failed to allocate a unique worker deployment version for environment ${args.environmentId} after ${args.attempts} attempt(s); last tried "${args.lastAttemptedVersion}"`,
+      { cause: args.cause }
+    );
+    this.environmentId = args.environmentId;
+    this.attempts = args.attempts;
+    this.lastAttemptedVersion = args.lastAttemptedVersion;
+  }
+}
+
+export async function createDeploymentWithNextVersion(
+  prisma: PrismaClientOrTransaction,
+  environmentId: string,
+  buildData: (nextVersion: string) => CreateDeploymentData | Promise<CreateDeploymentData>,
+  options: CreateDeploymentWithNextVersionOptions = {}
+): Promise<WorkerDeployment> {
+  const maxRetries = options.maxRetries ?? DEFAULT_MAX_RETRIES;
+  const jitterMs = options.jitterMs ?? DEFAULT_JITTER_MS;
+
+  let lastError: unknown;
+  let lastVersion = "";
+
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    const latest = await prisma.workerDeployment.findFirst({
+      where: { environmentId },
+      orderBy: { createdAt: "desc" },
+      take: 1,
+    });
+
+    const version = calculateNextBuildVersion(latest?.version);
+    lastVersion = version;
+    const data = await buildData(version);
+
+    try {
+      return await prisma.workerDeployment.create({
+        data: { ...data, environmentId, version },
+      });
+    } catch (error) {
+      if (!isUniqueConstraintError(error, ["environmentId", "version"])) {
+        throw error;
+      }
+
+      lastError = error;
+      logger.warn("Worker deployment version collided, retrying", {
+        environmentId,
+        attempt: attempt + 1,
+        maxRetries,
+        attemptedVersion: version,
+      });
+
+      // Randomised backoff so N concurrent racers don't loop in lockstep into the
+      // same collision again.
+      const delay = jitterMs.min + Math.random() * (jitterMs.max - jitterMs.min);
+      await sleep(delay);
+    }
+  }
+
+  throw new DeploymentVersionCollisionError({
+    environmentId,
+    attempts: maxRetries + 1,
+    lastAttemptedVersion: lastVersion,
+    cause: lastError,
+  });
+}
diff --git a/apps/webapp/app/v3/services/replayTaskRun.server.ts b/apps/webapp/app/v3/services/replayTaskRun.server.ts
index 836611b3610..7975694b5e4 100644
--- a/apps/webapp/app/v3/services/replayTaskRun.server.ts
+++ b/apps/webapp/app/v3/services/replayTaskRun.server.ts
@@ -6,6 +6,7 @@ import {
 } from "@trigger.dev/core/v3";
 import { type TaskRun } from "@trigger.dev/database";
 import { findEnvironmentById } from "~/models/runtimeEnvironment.server";
+import { baseWorkerQueue } from "~/runEngine/concerns/workerQueueSplit.server";
 import { logger } from "~/services/logger.server";
 import { BaseService } from "./baseService.server";
 import { OutOfEntitlementError, TriggerTaskService } from "./triggerTask.server";
@@ -65,7 +66,9 @@ export class ReplayTaskRunService extends BaseService {
       existingTaskRun.engine === "V1" ||
       existingEnvironment.type === "DEVELOPMENT" ||
       authenticatedEnvironment.type === "DEVELOPMENT";
-    const region = ignoreRegion ? undefined : overrideOptions.region ?? existingTaskRun.workerQueue;
+    const region = ignoreRegion
+      ? undefined
+      : overrideOptions.region ?? baseWorkerQueue(existingTaskRun.workerQueue);
 
     try {
       const taskQueue = await this._prisma.taskQueue.findFirst({
diff --git a/apps/webapp/app/v3/services/resetIdempotencyKey.server.ts b/apps/webapp/app/v3/services/resetIdempotencyKey.server.ts
index 95684999303..8273d8c9d97 100644
--- a/apps/webapp/app/v3/services/resetIdempotencyKey.server.ts
+++ b/apps/webapp/app/v3/services/resetIdempotencyKey.server.ts
@@ -1,6 +1,7 @@
 import type { AuthenticatedEnvironment } from "~/services/apiAuth.server";
 import { BaseService, ServiceValidationError } from "./baseService.server";
 import { logger } from "~/services/logger.server";
+import { getMollifierBuffer } from "~/v3/mollifier/mollifierBuffer.server";
 
 export class ResetIdempotencyKeyService extends BaseService {
   public async call(
@@ -8,7 +9,7 @@ export class ResetIdempotencyKeyService extends BaseService {
     taskIdentifier: string,
     authenticatedEnv: AuthenticatedEnvironment
   ): Promise<{ id: string }> {
-    const { count } = await this._prisma.taskRun.updateMany({
+    const { count: pgCount } = await this._prisma.taskRun.updateMany({
       where: {
         idempotencyKey,
         taskIdentifier,
@@ -20,7 +21,77 @@ export class ResetIdempotencyKeyService extends BaseService {
       },
     });
 
-    if (count === 0) {
+    // Buffer-side reset: the key may belong to a buffered run that
+    // hasn't materialised yet. The PG updateMany above can't see it.
+    // resetIdempotency clears both the snapshot fields and the Redis
+    // lookup atomically. Returns null when nothing was bound there.
+    const buffer = getMollifierBuffer();
+    let bufferResetFailed = false;
+    const bufferResult = buffer
+      ? await buffer
+          .resetIdempotency({
+            envId: authenticatedEnv.id,
+            taskIdentifier,
+            idempotencyKey,
+          })
+          .catch((err) => {
+            // Don't drop a buffer outage on the floor. We log + flag so
+            // the 404 branch below can distinguish "no record anywhere"
+            // (legitimate not-found) from "PG cleared nothing AND we
+            // couldn't see the buffer" (partial outage — caller should
+            // retry, not be told "doesn't exist").
+            bufferResetFailed = true;
+            logger.error("ResetIdempotencyKeyService: buffer reset failed", {
+              idempotencyKey,
+              taskIdentifier,
+              err: err instanceof Error ? err.message : String(err),
+            });
+            return { clearedRunId: null };
+          })
+      : { clearedRunId: null };
+
+    const totalCount = pgCount + (bufferResult.clearedRunId ? 1 : 0);
+
+    if (pgCount === 0 && bufferResetFailed) {
+      // PG saw nothing AND the buffer is unreachable. We can't truthfully
+      // say "not found" — there may be a buffered run we can't observe.
+      // Surface as 503 so the caller retries instead of being misled.
+      throw new ServiceValidationError(
+        "Unable to verify buffered idempotency state right now; please retry",
+        503
+      );
+    }
+
+    if (totalCount === 0) {
+      // PG↔buffer handoff re-check. Between the initial `pg.updateMany`
+      // and the buffer reset above, a buffered run can materialise into
+      // PG: the drainer's `engine.trigger` writes the row with the
+      // original idempotencyKey, then `buffer.ack` clears the Redis
+      // idempotency lookup (per ack's contract on
+      // `packages/redis-worker/src/mollifier/buffer.ts`). Both surfaces
+      // now report "nothing", but the key still lives on the freshly-
+      // materialised PG row. One more conditional updateMany catches
+      // that row before we 404 the customer. Cost: a single indexed
+      // lookup against the writer when there's nothing to find;
+      // otherwise the exact write the customer asked for (i.e., not
+      // duplicative — without it the reset is silently lost).
+      const { count: handoffPgCount } = await this._prisma.taskRun.updateMany({
+        where: {
+          idempotencyKey,
+          taskIdentifier,
+          runtimeEnvironmentId: authenticatedEnv.id,
+        },
+        data: {
+          idempotencyKey: null,
+          idempotencyKeyExpiresAt: null,
+        },
+      });
+      if (handoffPgCount > 0) {
+        logger.info(
+          `Reset idempotency key via handoff re-check: ${idempotencyKey} for task: ${taskIdentifier} in env: ${authenticatedEnv.id}, affected ${handoffPgCount} run(s)`
+        );
+        return { id: idempotencyKey };
+      }
       throw new ServiceValidationError(
         `No runs found with idempotency key: ${idempotencyKey} and task: ${taskIdentifier}`,
         404
@@ -28,7 +99,7 @@ export class ResetIdempotencyKeyService extends BaseService {
     }
 
     logger.info(
-      `Reset idempotency key: ${idempotencyKey} for task: ${taskIdentifier} in env: ${authenticatedEnv.id}, affected ${count} run(s)`
+      `Reset idempotency key: ${idempotencyKey} for task: ${taskIdentifier} in env: ${authenticatedEnv.id}, affected ${totalCount} run(s) (pg=${pgCount}, buffered=${bufferResult.clearedRunId ? 1 : 0})`
     );
 
     return { id: idempotencyKey };
diff --git a/apps/webapp/app/v3/services/stripBackgroundWorkerMetadataForStorage.server.ts b/apps/webapp/app/v3/services/stripBackgroundWorkerMetadataForStorage.server.ts
new file mode 100644
index 00000000000..a740bd2c1d6
--- /dev/null
+++ b/apps/webapp/app/v3/services/stripBackgroundWorkerMetadataForStorage.server.ts
@@ -0,0 +1,28 @@
+import { BackgroundWorkerMetadata } from "@trigger.dev/core/v3";
+import { Prisma } from "@trigger.dev/database";
+
+/**
+ * Strip BackgroundWorkerMetadata down to the slice that's actually read after
+ * storage. Everything else is duplicated to dedicated columns/tables
+ * (BackgroundWorker.{contentHash,cliVersion,sdkVersion,runtime,runtimeVersion},
+ * BackgroundWorkerTask, BackgroundWorkerFile, TaskQueue, Prompt). Today the
+ * only post-write reader is changeCurrentDeployment.server.ts, which feeds
+ * tasks[].schedule into syncDeclarativeSchedules. packageVersion, contentHash,
+ * and tasks[].filePath are kept solely to satisfy BackgroundWorkerMetadata's
+ * required fields when the column is parsed back.
+ */
+export function stripBackgroundWorkerMetadataForStorage(
+  metadata: BackgroundWorkerMetadata
+): Prisma.InputJsonValue {
+  return {
+    packageVersion: metadata.packageVersion,
+    contentHash: metadata.contentHash,
+    tasks: metadata.tasks
+      .filter((t) => t.schedule)
+      .map((t) => ({
+        id: t.id,
+        filePath: t.filePath,
+        schedule: t.schedule,
+      })),
+  };
+}
diff --git a/apps/webapp/app/v3/services/timeoutDeployment.server.ts b/apps/webapp/app/v3/services/timeoutDeployment.server.ts
index efb2569a94e..79d1fd9e332 100644
--- a/apps/webapp/app/v3/services/timeoutDeployment.server.ts
+++ b/apps/webapp/app/v3/services/timeoutDeployment.server.ts
@@ -27,7 +27,10 @@ export class TimeoutDeploymentService extends BaseService {
     }
 
     if (deployment.status !== fromStatus) {
-      logger.error("Deployment is not in the correct state to be timed out", {
+      // Race: timeout job fired after the deployment moved out of the
+      // expected state (already deployed/failed). System handles it by
+      // returning early — not an error.
+      logger.warn("Deployment is not in the correct state to be timed out", {
         currentStatus: deployment.status,
         fromStatus,
       });
diff --git a/apps/webapp/app/v3/services/triggerTask.server.ts b/apps/webapp/app/v3/services/triggerTask.server.ts
index 000633fb73f..7bbaa0dd99b 100644
--- a/apps/webapp/app/v3/services/triggerTask.server.ts
+++ b/apps/webapp/app/v3/services/triggerTask.server.ts
@@ -46,6 +46,14 @@ export class OutOfEntitlementError extends Error {
 export type TriggerTaskServiceResult = {
   run: TaskRun;
   isCached: boolean;
+  // True when the mollifier gate diverted the trigger to the Redis
+  // buffer and `run` is a synthesised record (no PG row exists yet).
+  // The trigger route reads this to skip `saveRequestIdempotency` —
+  // caching the synth runId would mean a lost-response SDK retry hits
+  // a PG-miss in `handleRequestIdempotency` and falls through to a
+  // fresh trigger, producing a duplicate buffer entry for trigger
+  // calls that don't carry a task-level idempotency key.
+  isMollified?: boolean;
 };
 
 export const MAX_ATTEMPTS = 2;
@@ -99,7 +107,7 @@ export class TriggerTaskService extends WithRunEngine {
     const service = new RunEngineTriggerTaskService({
       prisma: this._prisma,
       engine: this._engine,
-      queueConcern: new DefaultQueueManager(this._prisma, this._engine),
+      queueConcern: new DefaultQueueManager(this._prisma, this._engine, this._replica),
       validator: new DefaultTriggerTaskValidator(),
       payloadProcessor: new DefaultPayloadProcessor(),
       idempotencyKeyConcern: new IdempotencyKeyConcern(
diff --git a/apps/webapp/app/v3/services/triggerTaskV1.server.ts b/apps/webapp/app/v3/services/triggerTaskV1.server.ts
index 6a927765bed..a2f0b9de21b 100644
--- a/apps/webapp/app/v3/services/triggerTaskV1.server.ts
+++ b/apps/webapp/app/v3/services/triggerTaskV1.server.ts
@@ -294,6 +294,7 @@ export class TriggerTaskServiceV1 extends BaseService {
         : undefined;
 
       const { repository, store } = await getV3EventRepository(
+        environment.organization.id,
         dependentAttempt?.taskRun.taskEventStore ??
           parentAttempt?.taskRun.taskEventStore ??
           dependentBatchRun?.dependentTaskAttempt?.taskRun.taskEventStore
diff --git a/apps/webapp/app/v3/services/worker/workerGroupService.server.ts b/apps/webapp/app/v3/services/worker/workerGroupService.server.ts
index 6a2c19cf243..fc280e81652 100644
--- a/apps/webapp/app/v3/services/worker/workerGroupService.server.ts
+++ b/apps/webapp/app/v3/services/worker/workerGroupService.server.ts
@@ -1,4 +1,4 @@
-import { WorkerInstanceGroup, WorkerInstanceGroupType } from "@trigger.dev/database";
+import { WorkerInstanceGroup, WorkerInstanceGroupType, WorkloadType } from "@trigger.dev/database";
 import { WithRunEngine } from "../baseService.server";
 import { WorkerGroupTokenService } from "./workerGroupTokenService.server";
 import { logger } from "~/services/logger.server";
@@ -14,11 +14,25 @@ export class WorkerGroupService extends WithRunEngine {
     organizationId,
     name,
     description,
+    type,
+    hidden,
+    workloadType,
+    cloudProvider,
+    location,
+    staticIPs,
+    enableFastPath,
   }: {
     projectId?: string;
     organizationId?: string;
     name?: string;
     description?: string;
+    type?: WorkerInstanceGroupType;
+    hidden?: boolean;
+    workloadType?: WorkloadType;
+    cloudProvider?: string;
+    location?: string;
+    staticIPs?: string;
+    enableFastPath?: boolean;
   }) {
     if (!name) {
       name = await this.generateWorkerName({ projectId });
@@ -30,15 +44,24 @@ export class WorkerGroupService extends WithRunEngine {
     });
     const token = await tokenService.createToken();
 
+    const resolvedType =
+      type ?? (projectId ? WorkerInstanceGroupType.UNMANAGED : WorkerInstanceGroupType.MANAGED);
+
     const workerGroup = await this._prisma.workerInstanceGroup.create({
       data: {
         projectId,
         organizationId,
-        type: projectId ? WorkerInstanceGroupType.UNMANAGED : WorkerInstanceGroupType.MANAGED,
+        type: resolvedType,
         masterQueue: this.generateMasterQueueName({ projectId, name }),
         tokenId: token.id,
         description,
         name,
+        hidden,
+        workloadType,
+        cloudProvider,
+        location,
+        staticIPs,
+        enableFastPath,
       },
     });
 
diff --git a/apps/webapp/app/v3/services/worker/workerGroupTokenService.server.ts b/apps/webapp/app/v3/services/worker/workerGroupTokenService.server.ts
index b29056c6244..cb4a90cc597 100644
--- a/apps/webapp/app/v3/services/worker/workerGroupTokenService.server.ts
+++ b/apps/webapp/app/v3/services/worker/workerGroupTokenService.server.ts
@@ -10,7 +10,7 @@ import {
   TaskRunExecutionResult,
 } from "@trigger.dev/core/v3";
 import { fromFriendlyId } from "@trigger.dev/core/v3/isomorphic";
-import { WORKER_HEADERS } from "@trigger.dev/core/v3/workers";
+import { WORKER_HEADERS, type WorkerQueueClass } from "@trigger.dev/core/v3/workers";
 import {
   Prisma,
   RuntimeEnvironment,
@@ -27,6 +27,7 @@ import { defaultMachine } from "~/services/platform.v3.server";
 import { singleton } from "~/utils/singleton";
 import { resolveVariablesForEnvironment } from "~/v3/environmentVariables/environmentVariablesRepository.server";
 import { machinePresetFromName } from "~/v3/machinePresets.server";
+import { workerQueueForClass } from "~/runEngine/concerns/workerQueueSplit.server";
 import { WithRunEngine, WithRunEngineOptions } from "../baseService.server";
 
 const authenticatedWorkerInstanceCache = singleton(
@@ -369,10 +370,18 @@ export class AuthenticatedWorkerInstance extends WithRunEngine {
     });
   }
 
-  async dequeue({ runnerId }: { runnerId?: string }): Promise<DequeuedMessage[]> {
+  async dequeue({
+    runnerId,
+    queueClass,
+  }: {
+    runnerId?: string;
+    queueClass?: WorkerQueueClass;
+  }): Promise<DequeuedMessage[]> {
+    // Derive the actual queue from this worker's own masterQueue + class, so a
+    // token can only ever reach its own region's queues (default or :scheduled).
     return await this._engine.dequeueFromWorkerQueue({
       consumerId: this.workerInstanceId,
-      workerQueue: this.masterQueue,
+      workerQueue: workerQueueForClass(this.masterQueue, queueClass),
       workerId: this.workerInstanceId,
       runnerId,
     });
diff --git a/apps/webapp/app/v3/taskEventStore.server.ts b/apps/webapp/app/v3/taskEventStore.server.ts
index 6a80aa99261..ed580b40d0e 100644
--- a/apps/webapp/app/v3/taskEventStore.server.ts
+++ b/apps/webapp/app/v3/taskEventStore.server.ts
@@ -2,6 +2,7 @@
 import { Prisma, TaskEvent } from "@trigger.dev/database";
 import type { PrismaClient, PrismaReplicaClient } from "~/db.server";
 import { env } from "~/env.server";
+import { clampToEmergencySpanCap } from "~/v3/eventRepository/emergencySpanCap.server";
 
 export type CommonTaskEvent = Omit<TaskEvent, "id">;
 export type TraceEvent = Pick<
@@ -192,7 +193,7 @@ export class TaskEventStore {
               : Prisma.empty
           }
         ORDER BY "startTime" ASC
-        LIMIT ${env.MAXIMUM_TRACE_SUMMARY_VIEW_COUNT}
+        LIMIT ${clampToEmergencySpanCap(env.MAXIMUM_TRACE_SUMMARY_VIEW_COUNT)}
       `;
     } else {
       return await this.readReplica.$queryRaw<TraceEvent[]>`
@@ -220,7 +221,7 @@ export class TaskEventStore {
               : Prisma.empty
           }
         ORDER BY "startTime" ASC
-        LIMIT ${env.MAXIMUM_TRACE_SUMMARY_VIEW_COUNT}
+        LIMIT ${clampToEmergencySpanCap(env.MAXIMUM_TRACE_SUMMARY_VIEW_COUNT)}
       `;
     }
   }
@@ -270,7 +271,7 @@ export class TaskEventStore {
               : Prisma.empty
           }
         ORDER BY "startTime" ASC
-        LIMIT ${env.MAXIMUM_TRACE_DETAILED_SUMMARY_VIEW_COUNT}
+        LIMIT ${clampToEmergencySpanCap(env.MAXIMUM_TRACE_DETAILED_SUMMARY_VIEW_COUNT)}
       `;
     } else {
       return await this.readReplica.$queryRaw<DetailedTraceEvent[]>`
@@ -299,8 +300,87 @@ export class TaskEventStore {
               : Prisma.empty
           }
         ORDER BY "startTime" ASC
-        LIMIT ${env.MAXIMUM_TRACE_DETAILED_SUMMARY_VIEW_COUNT}
+        LIMIT ${clampToEmergencySpanCap(env.MAXIMUM_TRACE_DETAILED_SUMMARY_VIEW_COUNT)}
       `;
     }
   }
+
+  // Streams a trace's detailed events in (startTime, spanId) order via keyset
+  // pagination. Holds at most one page at a time — no overall cap, no full
+  // materialisation — so an arbitrarily large trace can be exported with bounded
+  // memory. Powers the streaming "Download trace" export.
+  async *streamDetailedTraceEvents(
+    table: TaskEventStoreTable,
+    traceId: string,
+    startCreatedAt: Date,
+    endCreatedAt?: Date,
+    options?: { includeDebugLogs?: boolean; pageSize?: number }
+  ): AsyncGenerator<DetailedTraceEvent> {
+    const filterDebug =
+      options?.includeDebugLogs === false || options?.includeDebugLogs === undefined;
+    const pageSize = options?.pageSize ?? 5_000;
+    const debugFilter = filterDebug
+      ? Prisma.sql`AND \"kind\" <> CAST('LOG'::text AS "public"."TaskEventKind")`
+      : Prisma.empty;
+    // Spans are written as a partial start-marker plus a completed row; keep
+    // only the completed row so the export has one line per span (mirrors the
+    // tree path's merge, but without holding state).
+    const partialFilter = Prisma.sql`AND "isPartial" = false`;
+
+    const createdAtBufferInMillis = env.TASK_EVENT_PARTITIONED_WINDOW_IN_SECONDS * 1000;
+    const startCreatedAtWithBuffer = new Date(startCreatedAt.getTime() - createdAtBufferInMillis);
+    const $endCreatedAt = endCreatedAt ?? new Date();
+    const endCreatedAtWithBuffer = new Date($endCreatedAt.getTime() + createdAtBufferInMillis);
+
+    let afterStartTime: bigint | null = null;
+    let afterSpanId: string | null = null;
+
+    while (true) {
+      const keyset: Prisma.Sql =
+        afterStartTime === null
+          ? Prisma.empty
+          : Prisma.sql`AND ("startTime" > ${afterStartTime} OR ("startTime" = ${afterStartTime} AND "spanId" > ${afterSpanId}))`;
+
+      const rows: DetailedTraceEvent[] =
+        table === "taskEventPartitioned"
+          ? await this.readReplica.$queryRaw<DetailedTraceEvent[]>`
+              SELECT "spanId","parentId","runId",message,style,"startTime",duration,"isError","isPartial","isCancelled",level,events,"kind","taskSlug",properties,"attemptNumber"
+              FROM "TaskEventPartitioned"
+              WHERE "traceId" = ${traceId}
+                AND "createdAt" >= ${startCreatedAtWithBuffer.toISOString()}::timestamp
+                AND "createdAt" < ${endCreatedAtWithBuffer.toISOString()}::timestamp
+                ${debugFilter}
+                ${partialFilter}
+                ${keyset}
+              ORDER BY "startTime" ASC, "spanId" ASC
+              LIMIT ${pageSize}
+            `
+          : await this.readReplica.$queryRaw<DetailedTraceEvent[]>`
+              SELECT "spanId","parentId","runId",message,style,"startTime",duration,"isError","isPartial","isCancelled",level,events,"kind","taskSlug",properties,"attemptNumber"
+              FROM "TaskEvent"
+              WHERE "traceId" = ${traceId}
+                ${debugFilter}
+                ${partialFilter}
+                ${keyset}
+              ORDER BY "startTime" ASC, "spanId" ASC
+              LIMIT ${pageSize}
+            `;
+
+      if (rows.length === 0) {
+        break;
+      }
+
+      for (const row of rows) {
+        yield row;
+      }
+
+      if (rows.length < pageSize) {
+        break;
+      }
+
+      const last: DetailedTraceEvent = rows[rows.length - 1];
+      afterStartTime = typeof last.startTime === "bigint" ? last.startTime : BigInt(last.startTime);
+      afterSpanId = last.spanId;
+    }
+  }
 }
diff --git a/apps/webapp/app/v3/taskStatus.ts b/apps/webapp/app/v3/taskStatus.ts
index b5e1d915cf7..8606bcdafce 100644
--- a/apps/webapp/app/v3/taskStatus.ts
+++ b/apps/webapp/app/v3/taskStatus.ts
@@ -18,6 +18,7 @@ export const NON_FINAL_RUN_STATUSES = [
   "PENDING",
   "PENDING_VERSION",
   "WAITING_FOR_DEPLOY",
+  "DEQUEUED",
   "EXECUTING",
   "WAITING_TO_RESUME",
   "RETRYING_AFTER_FAILURE",
diff --git a/apps/webapp/app/v3/tracer.server.ts b/apps/webapp/app/v3/tracer.server.ts
index 71e14521e50..3b924ff8a19 100644
--- a/apps/webapp/app/v3/tracer.server.ts
+++ b/apps/webapp/app/v3/tracer.server.ts
@@ -1,6 +1,7 @@
 import {
   type Attributes,
   type Context,
+  createContextKey,
   DiagConsoleLogger,
   DiagLogLevel,
   type Link,
@@ -37,6 +38,7 @@ import { ATTR_SERVICE_NAME } from "@opentelemetry/semantic-conventions";
 import { PrismaInstrumentation } from "@prisma/instrumentation";
 import { HostMetrics } from "@opentelemetry/host-metrics";
 import { AwsInstrumentation as AwsSdkInstrumentation } from "@opentelemetry/instrumentation-aws-sdk";
+import v8 from "node:v8";
 import { awsEcsDetector, awsEc2Detector } from "@opentelemetry/resource-detector-aws";
 import {
   detectResources,
@@ -61,6 +63,24 @@ import { performance } from "node:perf_hooks";
 
 export const SEMINTATTRS_FORCE_RECORDING = "forceRecording";
 
+export const DATASOURCE_CONTEXT_KEY = createContextKey("trigger.db.datasource");
+
+class DatasourceAttributeSpanProcessor implements SpanProcessor {
+  onStart(span: Span, parentContext: Context): void {
+    const ds = parentContext.getValue(DATASOURCE_CONTEXT_KEY);
+    if (typeof ds === "string") {
+      span.setAttribute("db.datasource", ds);
+    }
+  }
+  onEnd(): void {}
+  shutdown(): Promise<void> {
+    return Promise.resolve();
+  }
+  forceFlush(): Promise<void> {
+    return Promise.resolve();
+  }
+}
+
 class CustomWebappSampler implements Sampler {
   constructor(private readonly _baseSampler: Sampler) {}
 
@@ -205,7 +225,7 @@ function setupTelemetry() {
 
   const samplingRate = 1.0 / Math.max(parseInt(env.INTERNAL_OTEL_TRACE_SAMPLING_RATE, 10), 1);
 
-  const spanProcessors: SpanProcessor[] = [];
+  const spanProcessors: SpanProcessor[] = [new DatasourceAttributeSpanProcessor()];
 
   if (env.INTERNAL_OTEL_TRACE_EXPORTER_URL) {
     const headers = parseInternalTraceHeaders() ?? {};
@@ -283,13 +303,15 @@ function setupTelemetry() {
   provider.register();
 
   let instrumentations: Instrumentation[] = [
-    new HttpInstrumentation(),
-    new ExpressInstrumentation(),
     new AwsSdkInstrumentation({
       suppressInternalInstrumentation: true,
     }),
   ];
 
+  if (!env.DISABLE_HTTP_INSTRUMENTATION) {
+    instrumentations.unshift(new HttpInstrumentation(), new ExpressInstrumentation());
+  }
+
   if (env.INTERNAL_OTEL_TRACE_INSTRUMENT_PRISMA_ENABLED === "1") {
     instrumentations.push(new PrismaInstrumentation());
   }
@@ -609,6 +631,39 @@ function configureNodejsMetrics({ meter }: { meter: Meter }) {
     unit: "1", // OpenTelemetry convention for ratios
   });
 
+  // V8 heap + process memory. `NODE_MAX_OLD_SPACE_SIZE` caps V8 old space
+  // (reflected in `heap.limit`), but doesn't cap external/arrayBuffers/native
+  // memory — which is why RSS can exceed the heap total. Tracking all of these
+  // per-worker lets us size `NODE_MAX_OLD_SPACE_SIZE` against observed heap
+  // peaks rather than RSS (which overstates heap by the external + native
+  // footprint). `host-metrics` already publishes `process.memory.usage`
+  // (RSS), but we duplicate it under `nodejs.memory.rss` so all the memory
+  // numbers land in the same scope and are queryable together.
+  const heapUsedGauge = meter.createObservableGauge("nodejs.memory.heap.used", {
+    description: "V8 heap actively in use after the last GC",
+    unit: "By",
+  });
+  const heapTotalGauge = meter.createObservableGauge("nodejs.memory.heap.total", {
+    description: "V8 heap reserved (young + old generations)",
+    unit: "By",
+  });
+  const heapLimitGauge = meter.createObservableGauge("nodejs.memory.heap.limit", {
+    description: "V8 heap size limit (configured via --max-old-space-size)",
+    unit: "By",
+  });
+  const externalMemoryGauge = meter.createObservableGauge("nodejs.memory.external", {
+    description: "Memory used by C++ objects bound to JS (Buffer, etc.)",
+    unit: "By",
+  });
+  const arrayBuffersGauge = meter.createObservableGauge("nodejs.memory.array_buffers", {
+    description: "Memory allocated for ArrayBuffers and SharedArrayBuffers",
+    unit: "By",
+  });
+  const rssGauge = meter.createObservableGauge("nodejs.memory.rss", {
+    description: "Resident set size — total physical memory held by the process",
+    unit: "By",
+  });
+
   // Get UV threadpool size (defaults to 4 if not set)
   const uvThreadpoolSize = parseInt(process.env.UV_THREADPOOL_SIZE || "4", 10);
 
@@ -662,10 +717,16 @@ function configureNodejsMetrics({ meter }: { meter: Meter }) {
       currentEventLoopUtilization,
       lastEventLoopUtilization
     );
+    // Rotate the baseline so the next collection reports per-interval
+    // utilization rather than the cumulative average from process start.
+    lastEventLoopUtilization = currentEventLoopUtilization;
 
     // diff.utilization is between 0 and 1 (fraction of time "active")
     const utilization = Number.isFinite(diff.utilization) ? diff.utilization : 0;
 
+    const mem = process.memoryUsage();
+    const heapStats = v8.getHeapStatistics();
+
     return {
       threadpoolSize: uvThreadpoolSize,
       handlesByType,
@@ -681,6 +742,14 @@ function configureNodejsMetrics({ meter }: { meter: Meter }) {
         p99: eventLoopLagP99?.values?.[0]?.value ?? 0,
         utilization,
       },
+      memory: {
+        heapUsed: mem.heapUsed,
+        heapTotal: mem.heapTotal,
+        heapLimit: heapStats.heap_size_limit,
+        external: mem.external,
+        arrayBuffers: mem.arrayBuffers,
+        rss: mem.rss,
+      },
     };
   }
 
@@ -693,6 +762,7 @@ function configureNodejsMetrics({ meter }: { meter: Meter }) {
         requestsByType,
         requestsTotal,
         eventLoop,
+        memory,
       } = await readNodeMetrics();
 
       // Observe UV threadpool size
@@ -718,6 +788,14 @@ function configureNodejsMetrics({ meter }: { meter: Meter }) {
       res.observe(eventLoopLagP90Gauge, eventLoop.p90);
       res.observe(eventLoopLagP99Gauge, eventLoop.p99);
       res.observe(eluGauge, eventLoop.utilization);
+
+      // Observe memory metrics (bytes)
+      res.observe(heapUsedGauge, memory.heapUsed);
+      res.observe(heapTotalGauge, memory.heapTotal);
+      res.observe(heapLimitGauge, memory.heapLimit);
+      res.observe(externalMemoryGauge, memory.external);
+      res.observe(arrayBuffersGauge, memory.arrayBuffers);
+      res.observe(rssGauge, memory.rss);
     },
     [
       uvThreadpoolSizeGauge,
@@ -732,6 +810,12 @@ function configureNodejsMetrics({ meter }: { meter: Meter }) {
       eventLoopLagP90Gauge,
       eventLoopLagP99Gauge,
       eluGauge,
+      heapUsedGauge,
+      heapTotalGauge,
+      heapLimitGauge,
+      externalMemoryGauge,
+      arrayBuffersGauge,
+      rssGauge,
     ]
   );
 }
diff --git a/apps/webapp/app/v3/utils/calculateNextSchedule.server.ts b/apps/webapp/app/v3/utils/calculateNextSchedule.server.ts
index 68adbd3a4b4..9be995e4aa1 100644
--- a/apps/webapp/app/v3/utils/calculateNextSchedule.server.ts
+++ b/apps/webapp/app/v3/utils/calculateNextSchedule.server.ts
@@ -22,6 +22,20 @@ function calculateNextStep(schedule: string, timezone: string | null, currentDat
     .toDate();
 }
 
+export function previousScheduledTimestamp(
+  schedule: string,
+  timezone: string | null,
+  fromTimestamp: Date = new Date()
+) {
+  return parseExpression(schedule, {
+    currentDate: fromTimestamp,
+    utc: timezone === null,
+    tz: timezone ?? undefined,
+  })
+    .prev()
+    .toDate();
+}
+
 export function nextScheduledTimestamps(
   cron: string,
   timezone: string | null,
diff --git a/apps/webapp/app/v3/utils/enrichCreatableEvents.server.ts b/apps/webapp/app/v3/utils/enrichCreatableEvents.server.ts
index 64382010496..94e1539bb44 100644
--- a/apps/webapp/app/v3/utils/enrichCreatableEvents.server.ts
+++ b/apps/webapp/app/v3/utils/enrichCreatableEvents.server.ts
@@ -157,12 +157,10 @@ function enrichLlmMetrics(event: CreateEventInput): void {
     }
   }
 
-  // Extract new performance/behavioral fields
-  const finishReason = typeof props["ai.response.finishReason"] === "string"
-    ? props["ai.response.finishReason"]
-    : typeof props["gen_ai.response.finish_reasons"] === "string"
-      ? props["gen_ai.response.finish_reasons"]
-      : "";
+  // Extract new performance/behavioral fields.
+  // v6 emits ai.response.finishReason (plain string); v7 (@ai-sdk/otel) emits
+  // gen_ai.response.finish_reasons as a JSON array string (e.g. `["stop"]`).
+  const finishReason = readFinishReason(props);
   const operationId = typeof props["ai.operationId"] === "string"
     ? props["ai.operationId"]
     : typeof props["gen_ai.operation.name"] === "string"
@@ -181,7 +179,12 @@ function enrichLlmMetrics(event: CreateEventInput): void {
 
   // Set _llmMetrics side-channel for dual-write to llm_metrics_v1
   const llmMetrics: LlmMetricsData = {
-    genAiSystem: typeof props["gen_ai.system"] === "string" ? props["gen_ai.system"] : "unknown",
+    genAiSystem:
+      typeof props["gen_ai.system"] === "string"
+        ? props["gen_ai.system"]
+        : typeof props["gen_ai.provider.name"] === "string"
+          ? props["gen_ai.provider.name"]
+          : "unknown",
     requestModel: typeof props["gen_ai.request.model"] === "string" ? props["gen_ai.request.model"] : responseModel,
     responseModel,
     baseResponseModel: modelCatalog[responseModel]?.baseModelName ?? responseModel,
@@ -224,8 +227,11 @@ function extractUsageDetails(props: Record<string, unknown>): Record<string, num
     "gen_ai.usage.total_tokens": "total",
     "gen_ai.usage.cache_read_input_tokens": "input_cached_tokens",
     "gen_ai.usage.input_tokens_cache_read": "input_cached_tokens",
+    // AI SDK 7 (@ai-sdk/otel) nests cache token counts: gen_ai.usage.cache_read.input_tokens
+    "gen_ai.usage.cache_read.input_tokens": "input_cached_tokens",
     "gen_ai.usage.cache_creation_input_tokens": "cache_creation_input_tokens",
     "gen_ai.usage.input_tokens_cache_write": "cache_creation_input_tokens",
+    "gen_ai.usage.cache_creation.input_tokens": "cache_creation_input_tokens",
     "gen_ai.usage.reasoning_tokens": "reasoning_tokens",
   };
 
@@ -242,6 +248,35 @@ function extractUsageDetails(props: Record<string, unknown>): Record<string, num
   return details;
 }
 
+/**
+ * Resolve the finish reason across AI SDK majors. v6 emits
+ * `ai.response.finishReason` as a plain string; v7 (@ai-sdk/otel) emits
+ * `gen_ai.response.finish_reasons` as a JSON array string (e.g. `["stop"]`).
+ */
+function readFinishReason(props: Record<string, unknown>): string {
+  const v6 = props["ai.response.finishReason"];
+  if (typeof v6 === "string" && v6) return v6;
+
+  const v7 = props["gen_ai.response.finish_reasons"];
+  if (typeof v7 === "string" && v7) {
+    const trimmed = v7.trim();
+    if (trimmed.startsWith("[")) {
+      try {
+        const parsed = JSON.parse(trimmed);
+        if (Array.isArray(parsed)) {
+          const first = parsed.find((r) => typeof r === "string");
+          if (typeof first === "string") return first;
+        }
+      } catch {
+        // fall through to the raw value
+      }
+    }
+    return v7;
+  }
+
+  return "";
+}
+
 function enrichStyle(event: CreateEventInput) {
   const baseStyle = event.style ?? {};
   const props = event.properties;
@@ -250,7 +285,7 @@ function enrichStyle(event: CreateEventInput) {
     return baseStyle;
   }
 
-  const system = props["gen_ai.system"];
+  const system = props["gen_ai.system"] ?? props["gen_ai.provider.name"];
   const modelId = props["gen_ai.request.model"] ?? props["ai.model.id"];
 
   const provider = resolveAiProvider(
diff --git a/apps/webapp/evalite.config.ts b/apps/webapp/evalite.config.ts
new file mode 100644
index 00000000000..52f5728b65b
--- /dev/null
+++ b/apps/webapp/evalite.config.ts
@@ -0,0 +1,12 @@
+import { defineConfig } from "evalite/config";
+import tsconfigPaths from "vite-tsconfig-paths";
+
+// evalite 1.0 runs its own Vite instance and does not pick up `vitest.config.ts`,
+// so the `~/*` -> `./app/*` path alias must be wired in explicitly here (mirrors
+// the plugin setup in vitest.config.ts).
+export default defineConfig({
+  viteConfig: {
+    // @ts-ignore - vite-tsconfig-paths plugin type vs evalite's bundled vite version
+    plugins: [tsconfigPaths({ projects: ["./tsconfig.json"] })],
+  },
+});
diff --git a/apps/webapp/evals/aiQuery.eval.ts b/apps/webapp/evals/aiQuery.eval.ts
index b65cf076ddc..801aea7fbf1 100644
--- a/apps/webapp/evals/aiQuery.eval.ts
+++ b/apps/webapp/evals/aiQuery.eval.ts
@@ -3,7 +3,7 @@ import { Levenshtein } from "autoevals";
 import { AIQueryService } from "~/v3/services/aiQueryService.server";
 import { runsSchema } from "~/v3/querySchemas";
 import dotenv from "dotenv";
-import { traceAISDKModel } from "evalite/ai-sdk";
+import { wrapAISDKModel } from "evalite/ai-sdk";
 import { openai } from "@ai-sdk/openai";
 
 dotenv.config({ path: "../../.env" });
@@ -365,7 +365,7 @@ LIMIT 100`,
     ];
   },
   task: async (input) => {
-    const service = new AIQueryService([runsSchema], traceAISDKModel(openai("gpt-4o-mini")));
+    const service = new AIQueryService([runsSchema], wrapAISDKModel(openai("gpt-4o-mini")));
 
     const result = await service.call(input);
     return JSON.stringify(result);
diff --git a/apps/webapp/evals/aiRunFilter.eval.ts b/apps/webapp/evals/aiRunFilter.eval.ts
index b80328789e2..28c49eceb13 100644
--- a/apps/webapp/evals/aiRunFilter.eval.ts
+++ b/apps/webapp/evals/aiRunFilter.eval.ts
@@ -8,7 +8,7 @@ import {
   type QueryVersions,
 } from "~/v3/services/aiRunFilterService.server";
 import dotenv from "dotenv";
-import { traceAISDKModel } from "evalite/ai-sdk";
+import { wrapAISDKModel } from "evalite/ai-sdk";
 import { openai } from "@ai-sdk/openai";
 
 dotenv.config({ path: "../../.env" });
@@ -272,7 +272,7 @@ evalite("AI Run Filter", {
         queryQueues,
         queryTasks,
       },
-      traceAISDKModel(openai("gpt-4o-mini"))
+      wrapAISDKModel(openai("gpt-4o-mini"))
     );
 
     const result = await service.call(input, "123456");
diff --git a/apps/webapp/package.json b/apps/webapp/package.json
index 451d2785097..efebaf48207 100644
--- a/apps/webapp/package.json
+++ b/apps/webapp/package.json
@@ -7,7 +7,7 @@
     "build": "run-s build:** && pnpm run upload:sourcemaps",
     "build:remix": "remix build --sourcemap",
     "build:server": "esbuild --platform=node --format=cjs ./server.ts --outdir=build --sourcemap",
-    "build:sentry": "esbuild --platform=node --format=cjs ./sentry.server.ts --outdir=build --sourcemap",
+    "build:sentry": "esbuild --platform=node --format=cjs --outbase=. ./sentry.server.ts ./app/utils/sentryTraceContext.server.ts --outdir=build --sourcemap",
     "dev": "cross-env PORT=3030 remix dev -c \"node ./build/server.js\"",
     "dev:worker": "cross-env NODE_PATH=../../node_modules/.pnpm/node_modules node ./build/server.js",
     "format": "prettier --write .",
@@ -27,7 +27,8 @@
     "/public/build"
   ],
   "dependencies": {
-    "@ai-sdk/openai": "^1.3.23",
+    "@ai-sdk/openai": "^3.0.0",
+    "@ai-sdk/react": "^3.0.0",
     "@ariakit/react": "^0.4.6",
     "@ariakit/react-core": "^0.4.6",
     "@aws-sdk/client-ecr": "^3.931.0",
@@ -55,7 +56,6 @@
     "@electric-sql/react": "^0.3.5",
     "@headlessui/react": "^1.7.8",
     "@heroicons/react": "^2.0.12",
-    "@jsonhero/schema-infer": "^0.1.5",
     "@internal/cache": "workspace:*",
     "@internal/compute": "workspace:*",
     "@internal/llm-model-catalog": "workspace:*",
@@ -66,27 +66,28 @@
     "@internal/tsql": "workspace:*",
     "@internal/zod-worker": "workspace:*",
     "@internationalized/date": "^3.5.1",
+    "@jsonhero/schema-infer": "^0.1.5",
     "@kapaai/react-sdk": "^0.1.3",
     "@lezer/highlight": "^1.1.6",
-    "@opentelemetry/api": "1.9.0",
-    "@opentelemetry/api-logs": "0.203.0",
-    "@opentelemetry/core": "2.0.1",
-    "@opentelemetry/exporter-logs-otlp-http": "0.203.0",
-    "@opentelemetry/exporter-metrics-otlp-proto": "0.203.0",
-    "@opentelemetry/exporter-trace-otlp-http": "0.203.0",
-    "@opentelemetry/host-metrics": "^0.37.0",
-    "@opentelemetry/instrumentation": "0.203.0",
-    "@opentelemetry/instrumentation-aws-sdk": "^0.57.0",
-    "@opentelemetry/instrumentation-express": "^0.52.0",
-    "@opentelemetry/instrumentation-http": "0.203.0",
-    "@opentelemetry/resource-detector-aws": "^2.3.0",
-    "@opentelemetry/resources": "2.0.1",
-    "@opentelemetry/sdk-logs": "0.203.0",
-    "@opentelemetry/sdk-metrics": "2.0.1",
-    "@opentelemetry/sdk-node": "0.203.0",
-    "@opentelemetry/sdk-trace-base": "2.0.1",
-    "@opentelemetry/sdk-trace-node": "2.0.1",
-    "@opentelemetry/semantic-conventions": "1.36.0",
+    "@opentelemetry/api": "1.9.1",
+    "@opentelemetry/api-logs": "0.218.0",
+    "@opentelemetry/core": "2.7.1",
+    "@opentelemetry/exporter-logs-otlp-http": "0.218.0",
+    "@opentelemetry/exporter-metrics-otlp-proto": "0.218.0",
+    "@opentelemetry/exporter-trace-otlp-http": "0.218.0",
+    "@opentelemetry/host-metrics": "^0.38.3",
+    "@opentelemetry/instrumentation": "0.218.0",
+    "@opentelemetry/instrumentation-aws-sdk": "^0.69.0",
+    "@opentelemetry/instrumentation-express": "^0.62.0",
+    "@opentelemetry/instrumentation-http": "0.218.0",
+    "@opentelemetry/resource-detector-aws": "^2.14.0",
+    "@opentelemetry/resources": "2.7.1",
+    "@opentelemetry/sdk-logs": "0.218.0",
+    "@opentelemetry/sdk-metrics": "2.7.1",
+    "@opentelemetry/sdk-node": "0.218.0",
+    "@opentelemetry/sdk-trace-base": "2.7.1",
+    "@opentelemetry/sdk-trace-node": "2.7.1",
+    "@opentelemetry/semantic-conventions": "1.41.1",
     "@popperjs/core": "^2.11.8",
     "@prisma/instrumentation": "^6.14.0",
     "@radix-ui/react-accordion": "^1.2.11",
@@ -104,17 +105,18 @@
     "@react-aria/datepicker": "^3.9.1",
     "@react-stately/datepicker": "^3.9.1",
     "@react-types/datepicker": "^3.7.1",
-    "@remix-run/express": "2.1.0",
-    "@remix-run/node": "2.1.0",
-    "@remix-run/react": "2.1.0",
-    "@remix-run/router": "^1.15.3",
-    "@remix-run/serve": "2.1.0",
-    "@remix-run/server-runtime": "2.1.0",
+    "@remix-run/express": "2.17.4",
+    "@remix-run/node": "2.17.4",
+    "@remix-run/react": "2.17.4",
+    "@remix-run/router": "^1.23.2",
+    "@remix-run/serve": "2.17.4",
+    "@remix-run/server-runtime": "2.17.4",
     "@remix-run/v1-meta": "^0.1.3",
-    "@s2-dev/streamstore": "^0.22.5",
+    "@s2-dev/streamstore": "^0.22.10",
     "@sentry/remix": "9.46.0",
-    "@slack/web-api": "7.9.1",
+    "@slack/web-api": "7.16.0",
     "@socket.io/redis-adapter": "^8.3.0",
+    "@streamdown/code": "^1.1.1",
     "@tabler/icons-react": "^3.36.1",
     "@tailwindcss/container-queries": "^0.1.1",
     "@tanstack/match-sorter-utils": "^8.19.4",
@@ -126,6 +128,7 @@
     "@trigger.dev/database": "workspace:*",
     "@trigger.dev/otlp-importer": "workspace:*",
     "@trigger.dev/platform": "1.0.27",
+    "@trigger.dev/rbac": "workspace:*",
     "@trigger.dev/redis-worker": "workspace:*",
     "@trigger.dev/sdk": "workspace:*",
     "@types/pg": "8.6.6",
@@ -135,7 +138,8 @@
     "@upstash/ratelimit": "^1.1.3",
     "@vercel/sdk": "^1.19.1",
     "@whatwg-node/fetch": "^0.9.14",
-    "ai": "^4.3.19",
+    "@window-splitter/react": "1.1.3",
+    "ai": "^6.0.116",
     "assert-never": "^1.2.1",
     "aws4fetch": "^1.0.18",
     "class-variance-authority": "^0.5.2",
@@ -147,9 +151,9 @@
     "cross-env": "^7.0.3",
     "cuid": "^2.1.8",
     "date-fns": "^4.1.0",
-    "dompurify": "^3.2.6",
+    "dompurify": "^3.4.1",
     "dotenv": "^16.4.5",
-    "effect": "^3.11.7",
+    "effect": "^3.21.2",
     "emails": "workspace:*",
     "eventsource": "^4.0.0",
     "evt": "^2.4.13",
@@ -159,7 +163,7 @@
     "humanize-duration": "^3.27.3",
     "input-otp": "^1.4.2",
     "intl-parse-accept-language": "^1.0.0",
-    "ioredis": "^5.3.2",
+    "ioredis": "~5.6.0",
     "isbot": "^3.6.5",
     "jose": "^5.4.0",
     "json-stable-stringify": "^1.3.0",
@@ -180,7 +184,7 @@
     "p-retry": "^4.6.1",
     "parse-duration": "^2.1.0",
     "posthog-js": "^1.93.3",
-    "posthog-node": "4.17.1",
+    "posthog-node": "5.35.6",
     "prism-react-renderer": "^2.3.1",
     "prismjs": "^1.30.0",
     "prom-client": "^15.1.0",
@@ -199,7 +203,6 @@
     "react-resizable-panels": "^2.0.9",
     "react-stately": "^3.29.1",
     "react-use": "17.5.1",
-    "react-window-splitter": "^0.4.1",
     "recharts": "^2.15.2",
     "regression": "^2.0.1",
     "remix-auth": "^3.6.0",
@@ -218,7 +221,7 @@
     "sonner": "^1.0.3",
     "sql-formatter": "^15.4.10",
     "sqs-consumer": "^7.4.0",
-    "streamdown": "^1.4.0",
+    "streamdown": "^2.5.0",
     "superjson": "^2.2.1",
     "tailwind-merge": "^1.12.0",
     "tailwind-scrollbar-hide": "^1.1.7",
@@ -227,7 +230,7 @@
     "tiny-invariant": "^1.2.0",
     "ulid": "^2.3.0",
     "ulidx": "^2.2.1",
-    "uuid": "^9.0.0",
+    "uuid": "^14.0.0",
     "ws": "^8.11.0",
     "zod": "3.25.76",
     "zod-error": "1.5.0",
@@ -237,9 +240,9 @@
     "@internal/clickhouse": "workspace:*",
     "@internal/replication": "workspace:*",
     "@internal/testcontainers": "workspace:*",
-    "@remix-run/dev": "2.1.0",
-    "@remix-run/eslint-config": "2.1.0",
-    "@remix-run/testing": "^2.1.0",
+    "@remix-run/dev": "2.17.4",
+    "@remix-run/eslint-config": "2.17.4",
+    "@remix-run/testing": "^2.17.4",
     "@sentry/cli": "2.50.2",
     "@swc/core": "^1.3.4",
     "@swc/helpers": "^0.4.11",
@@ -249,7 +252,6 @@
     "@types/bcryptjs": "^2.4.2",
     "@types/compression": "^1.7.2",
     "@types/cookie": "^0.6.0",
-    "@types/dompurify": "^3.2.0",
     "@types/eslint": "^8.4.6",
     "@types/express": "^4.17.13",
     "@types/humanize-duration": "^3.27.1",
@@ -270,7 +272,6 @@
     "@types/slug": "^5.0.3",
     "@types/supertest": "^6.0.2",
     "@types/tar": "^6.1.4",
-    "@types/uuid": "^9.0.0",
     "@types/ws": "^8.5.3",
     "@typescript-eslint/eslint-plugin": "^5.59.6",
     "@typescript-eslint/parser": "^5.59.6",
@@ -285,14 +286,14 @@
     "eslint-plugin-import": "^2.29.1",
     "eslint-plugin-react-hooks": "^4.6.2",
     "eslint-plugin-turbo": "^2.0.4",
-    "evalite": "^0.11.4",
+    "evalite": "1.0.0-beta.16",
     "npm-run-all": "^4.1.5",
     "postcss-import": "^16.0.1",
     "postcss-loader": "^8.1.1",
     "prettier": "^2.8.8",
     "prettier-plugin-tailwindcss": "^0.3.0",
     "prop-types": "^15.8.1",
-    "rimraf": "^3.0.2",
+    "rimraf": "^6.0.1",
     "style-loader": "^3.3.4",
     "supertest": "^7.0.0",
     "tailwind-scrollbar": "^3.0.1",
diff --git a/apps/webapp/remix.config.js b/apps/webapp/remix.config.js
index ae2f18cd72e..130c1591962 100644
--- a/apps/webapp/remix.config.js
+++ b/apps/webapp/remix.config.js
@@ -30,6 +30,8 @@ module.exports = {
     "redlock",
     "parse-duration",
     "uncrypto",
+    "std-env",
+    "uuid",
   ],
   browserNodeBuiltinsPolyfill: {
     modules: {
diff --git a/apps/webapp/scripts/test-sentry-filter.mts b/apps/webapp/scripts/test-sentry-filter.mts
new file mode 100644
index 00000000000..e08bc78c8e4
--- /dev/null
+++ b/apps/webapp/scripts/test-sentry-filter.mts
@@ -0,0 +1,27 @@
+import "dotenv/config";
+import "../sentry.server";
+import * as Sentry from "@sentry/remix";
+
+const tag = `filter-test-${Date.now()}`;
+
+const cases = [
+  { name: "ServiceValidationError", expect: "DROPPED" },
+  { name: "QueueSizeLimitExceededError", expect: "KEPT" },
+  { name: "MetadataTooLargeError", expect: "KEPT" },
+  { name: "Error", expect: "KEPT" },
+];
+
+for (const { name, expect } of cases) {
+  const err = new Error(`[FILTER TEST ${tag}] ${name} expect=${expect}`);
+  err.name = name;
+  Sentry.withScope((scope) => {
+    scope.setTag("filter_test", tag);
+    scope.setTag("expect", expect);
+    Sentry.captureException(err);
+  });
+}
+
+const ok = await Sentry.flush(10_000);
+console.log(`flushed=${ok} tag=${tag}`);
+console.log(`Sentry search: https://triggerdev.sentry.io/issues/?query=filter_test%3A${tag}`);
+process.exit(0);
diff --git a/apps/webapp/seed.mts b/apps/webapp/seed.mts
index 9eb30cd2503..655f679a0f0 100644
--- a/apps/webapp/seed.mts
+++ b/apps/webapp/seed.mts
@@ -53,7 +53,10 @@ async function seed() {
     console.log(`✅ Organization already exists: ${organization.title} (${organization.slug})`);
   }
 
-  // Define the reference projects with their specific project refs
+  // Reference projects with their specific project refs. These refs MUST stay in
+  // sync with the corresponding projects in the standalone references repo
+  // (github.com/triggerdotdev/references): hello-world hardcodes its ref in
+  // trigger.config.ts; d3-chat and realtime-streams read TRIGGER_PROJECT_REF.
   const referenceProjects = [
     {
       name: "hello-world",
@@ -82,9 +85,9 @@ async function seed() {
   console.log(`User: ${user.email}`);
   console.log(`Organization: ${organization.title} (${organization.slug})`);
   console.log(`Projects: ${referenceProjects.map((p) => p.name).join(", ")}`);
-  console.log("\n⚠️  Note: Update the .env files in d3-chat and realtime-streams with:");
-  console.log(`  - d3-chat: TRIGGER_PROJECT_REF=proj_cdmymsrobxmcgjqzhdkq`);
-  console.log(`  - realtime-streams: TRIGGER_PROJECT_REF=proj_klxlzjnzxmbgiwuuwhvb`);
+  console.log("\n⚠️  Note: in your triggerdotdev/references clone, set TRIGGER_PROJECT_REF in:");
+  console.log(`  - projects/d3-chat/.env: TRIGGER_PROJECT_REF=proj_cdmymsrobxmcgjqzhdkq`);
+  console.log(`  - projects/realtime-streams/.env: TRIGGER_PROJECT_REF=proj_klxlzjnzxmbgiwuuwhvb`);
 }
 
 async function createBatchLimitOrgs(user: User) {
diff --git a/apps/webapp/sentry.server.ts b/apps/webapp/sentry.server.ts
index a50efcfe85b..7f8f6deb621 100644
--- a/apps/webapp/sentry.server.ts
+++ b/apps/webapp/sentry.server.ts
@@ -1,4 +1,24 @@
 import * as Sentry from "@sentry/remix";
+import { addOtelTraceContextToEvent } from "./app/utils/sentryTraceContext.server";
+
+// Rules for collapsing high-volume errors into a single Sentry issue.
+// Without this, e.g. a DB outage produces hundreds of distinct issues —
+// one per stack trace — which buries other alerts. Add a new rule here
+// when you spot another error that fans out across call sites. Keep
+// predicates cheap (string compare, not regex over stack traces).
+const FINGERPRINT_RULES: Array<{
+  match: (err: { code?: unknown; errorCode?: unknown; name?: unknown }) => boolean;
+  fingerprint: string;
+  tags?: Record<string, string>;
+}> = [
+  {
+    // Prisma surfaces P1001 on `code` for KnownRequestError (mid-query connection drop)
+    // and `errorCode` for InitializationError (client failed to connect at startup).
+    match: (err) => err.code === "P1001" || err.errorCode === "P1001",
+    fingerprint: "prisma-p1001-db-unreachable",
+    tags: { db_unreachable: "true" },
+  },
+];
 
 if (process.env.SENTRY_DSN) {
   console.log("🔭 Initializing Sentry");
@@ -21,7 +41,28 @@ if (process.env.SENTRY_DSN) {
     serverName: process.env.SERVICE_NAME,
     environment: process.env.APP_ENV,
 
-    ignoreErrors: ["queryRoute() call aborted"],
+    // ServiceValidationError is thrown deliberately for user-facing
+    // validation failures (quota, parent run state, invalid input). Anchored
+    // regex matches the exception type exactly; subclasses
+    // (QueueSizeLimitExceededError, MetadataTooLargeError) override `.name`
+    // and stay visible.
+    ignoreErrors: ["queryRoute() call aborted", /^ServiceValidationError(?::|$)/],
     includeLocalVariables: false,
+
+    beforeSend(event, hint) {
+      const err = hint.originalException as
+        | { code?: unknown; errorCode?: unknown; name?: unknown }
+        | undefined;
+      if (!err) return event;
+
+      const rule = FINGERPRINT_RULES.find((r) => r.match(err));
+      if (!rule) return event;
+
+      event.fingerprint = [rule.fingerprint];
+      if (rule.tags) event.tags = { ...event.tags, ...rule.tags };
+      return event;
+    },
   });
+
+  Sentry.addEventProcessor(addOtelTraceContextToEvent);
 }
diff --git a/apps/webapp/server.ts b/apps/webapp/server.ts
index b2cc9387332..964c13c5625 100644
--- a/apps/webapp/server.ts
+++ b/apps/webapp/server.ts
@@ -19,6 +19,10 @@ const ENABLE_CLUSTER = process.env.ENABLE_CLUSTER === "1";
 const cpuCount = os.availableParallelism();
 const WORKERS =
   Number.parseInt(process.env.WEB_CONCURRENCY || process.env.CLUSTER_WORKERS || "", 10) || cpuCount;
+// Must be greater than the upstream load balancer's idle timeout to avoid the
+// LB pipelining a request onto a connection Node has already closed (→ 502).
+const HTTP_KEEPALIVE_TIMEOUT_MS =
+  Number.parseInt(process.env.HTTP_KEEPALIVE_TIMEOUT_MS || "", 10) || 65 * 1000;
 
 function forkWorkers() {
   for (let i = 0; i < WORKERS; i++) {
@@ -104,7 +108,16 @@ if (ENABLE_CLUSTER && cluster.isPrimary) {
   // more aggressive with this caching.
   app.use(express.static("public", { maxAge: "1h" }));
 
-  app.use(morgan("tiny"));
+  // On high-volume machine-ingest services (e.g. otel) the per-request access
+  // log dominates log volume. HTTP_ACCESS_LOG_DISABLED suppresses successful
+  // (2xx) access logs; non-2xx responses are always logged so errors stay visible.
+  const suppressSuccessfulAccessLogs = process.env.HTTP_ACCESS_LOG_DISABLED === "1";
+  app.use(
+    morgan("tiny", {
+      skip: (_req, res) =>
+        suppressSuccessfulAccessLogs && res.statusCode >= 200 && res.statusCode < 300,
+    })
+  );
 
   process.title = ENABLE_CLUSTER
     ? `node webapp-worker-${cluster.isWorker ? cluster.worker?.id : "solo"}`
@@ -122,6 +135,8 @@ if (ENABLE_CLUSTER && cluster.isPrimary) {
     const apiRateLimiter: RateLimitMiddleware = build.entry.module.apiRateLimiter;
     const engineRateLimiter: RateLimitMiddleware = build.entry.module.engineRateLimiter;
     const runWithHttpContext: RunWithHttpContextFunction = build.entry.module.runWithHttpContext;
+    const tenantContextMiddleware: import("express").RequestHandler =
+      build.entry.module.tenantContextMiddleware;
 
     app.use((req, res, next) => {
       // helpful headers:
@@ -145,9 +160,11 @@ if (ENABLE_CLUSTER && cluster.isPrimary) {
     app.use((req, res, next) => {
       // Generate a unique request ID for each request
       const requestId = nanoid();
+      const abortController = new AbortController();
+      res.on("close", () => abortController.abort());
 
       runWithHttpContext(
-        { requestId, path: req.url, host: req.hostname, method: req.method },
+        { requestId, path: req.url, host: req.hostname, method: req.method, abortController },
         next
       );
     });
@@ -169,6 +186,8 @@ if (ENABLE_CLUSTER && cluster.isPrimary) {
       app.use(apiRateLimiter);
       app.use(engineRateLimiter);
 
+      app.use(tenantContextMiddleware);
+
       app.all(
         "*",
         // @ts-ignore
@@ -178,10 +197,18 @@ if (ENABLE_CLUSTER && cluster.isPrimary) {
         })
       );
     } else {
-      // we need to do the health check here at /healthcheck
-      app.get("/healthcheck", (req, res) => {
-        res.status(200).send("OK");
-      });
+      // we need to do the health check here at /healthcheck — forward
+      // to the Remix handler so the loader's readiness checks (DB ping,
+      // REQUIRE_PLUGINS-gated plugin load) run in this mode too. A
+      // static 200 here would silently mask a failed plugin load.
+      app.get(
+        "/healthcheck",
+        // @ts-ignore
+        createRequestHandler({
+          build,
+          mode: MODE,
+        })
+      );
     }
 
     const server = app.listen(port, () => {
@@ -198,7 +225,7 @@ if (ENABLE_CLUSTER && cluster.isPrimary) {
       }
     });
 
-    server.keepAliveTimeout = 65 * 1000;
+    server.keepAliveTimeout = HTTP_KEEPALIVE_TIMEOUT_MS;
     // Mitigate against https://github.com/triggerdotdev/trigger.dev/security/dependabot/128
     // by not allowing 2000+ headers to be sent and causing a DoS
     // headers will instead be limited by the maxHeaderSize
diff --git a/apps/webapp/tailwind.config.js b/apps/webapp/tailwind.config.js
index d598ae83d20..f90a9fd71b1 100644
--- a/apps/webapp/tailwind.config.js
+++ b/apps/webapp/tailwind.config.js
@@ -184,7 +184,7 @@ const radius = "0.5rem";
 
 /** @type {import('tailwindcss').Config} */
 module.exports = {
-  content: ["./app/**/*.{ts,jsx,tsx}"],
+  content: ["./app/**/*.{ts,jsx,tsx}", "./node_modules/streamdown/dist/**/*.js"],
   theme: {
     container: {
       center: true,
@@ -264,6 +264,18 @@ module.exports = {
         aiPrompts,
         aiMetrics,
         errors,
+        // shadcn/ui color tokens used by streamdown's internal components
+        // (link safety modal, code block actions, etc.)
+        // Values are defined via CSS variables in .streamdown-container
+        background: "hsl(var(--background, 230 16% 9%) / <alpha-value>)",
+        foreground: "hsl(var(--foreground, 215 19% 87%) / <alpha-value>)",
+        muted: {
+          DEFAULT: "hsl(var(--muted, 220 8% 17%) / <alpha-value>)",
+          foreground: "hsl(var(--muted-foreground, 220 8% 57%) / <alpha-value>)",
+        },
+        border: "hsl(var(--border, 216 7% 27%) / <alpha-value>)",
+        sidebar: "hsl(var(--sidebar, 228 10% 11%) / <alpha-value>)",
+        "primary-foreground": "hsl(var(--primary-foreground, 230 16% 9%) / <alpha-value>)",
       },
       focusStyles: {
         outline: "1px solid",
diff --git a/apps/webapp/test/EnvironmentVariablesPresenter.test.ts b/apps/webapp/test/EnvironmentVariablesPresenter.test.ts
new file mode 100644
index 00000000000..b5172bd5948
--- /dev/null
+++ b/apps/webapp/test/EnvironmentVariablesPresenter.test.ts
@@ -0,0 +1,180 @@
+import { describe, expect, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({
+  prisma: {},
+  $replica: {},
+  $transaction: async (
+    prismaClient: {
+      $transaction: (fn: (tx: unknown) => Promise<unknown>) => Promise<unknown>;
+    },
+    nameOrFn: string | ((tx: unknown) => Promise<unknown>),
+    fnOrOptions?: ((tx: unknown) => Promise<unknown>) | unknown
+  ) => {
+    const fn =
+      typeof nameOrFn === "string"
+        ? (fnOrOptions as (tx: unknown) => Promise<unknown>)
+        : nameOrFn;
+
+    return prismaClient.$transaction(fn);
+  },
+}));
+
+import { postgresTest } from "@internal/testcontainers";
+import { EnvironmentVariablesPresenter } from "~/presenters/v3/EnvironmentVariablesPresenter.server";
+import { EnvironmentVariablesRepository } from "~/v3/environmentVariables/environmentVariablesRepository.server";
+import {
+  createEnvironmentVariable,
+  createRuntimeEnvironment,
+  createTestOrgProjectWithMember,
+} from "./fixtures/environmentVariablesFixtures";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+describe("EnvironmentVariablesPresenter", () => {
+  postgresTest("keeps secret values redacted while returning non-secret values", async ({ prisma }) => {
+    const { user, organization, project, projectSlug } = await createTestOrgProjectWithMember(prisma);
+    const production = await createRuntimeEnvironment(prisma, {
+      projectId: project.id,
+      organizationId: organization.id,
+      type: "PRODUCTION",
+    });
+
+    const repository = new EnvironmentVariablesRepository(prisma, prisma);
+
+    await createEnvironmentVariable(repository, project.id, {
+      environmentId: production.id,
+      key: "SECRET_VAR",
+      value: "super-secret",
+      isSecret: true,
+      userId: user.id,
+    });
+    await createEnvironmentVariable(repository, project.id, {
+      environmentId: production.id,
+      key: "PLAIN_VAR",
+      value: "plain-value",
+      isSecret: false,
+      userId: user.id,
+    });
+
+    const result = await new EnvironmentVariablesPresenter(prisma, prisma).call({
+      userId: user.id,
+      projectSlug,
+    });
+
+    const secretVariable = result.environmentVariables.find((variable) => variable.key === "SECRET_VAR");
+    const nonSecretVariable = result.environmentVariables.find((variable) => variable.key === "PLAIN_VAR");
+
+    expect(secretVariable).toBeDefined();
+    expect(nonSecretVariable).toBeDefined();
+    expect(secretVariable!.value).toBe("");
+    expect(nonSecretVariable!.value).toBe("plain-value");
+  });
+
+  postgresTest(
+    "returns values for active environments (including branch environments) and excludes archived branch environments",
+    async ({ prisma }) => {
+      const { user, organization, project, projectSlug } =
+        await createTestOrgProjectWithMember(prisma);
+
+      const prodEnvironment = await createRuntimeEnvironment(prisma, {
+        projectId: project.id,
+        organizationId: organization.id,
+        type: "PRODUCTION",
+      });
+
+      const parentPreviewEnvironment = await createRuntimeEnvironment(prisma, {
+        projectId: project.id,
+        organizationId: organization.id,
+        type: "PREVIEW",
+      });
+      await prisma.runtimeEnvironment.update({
+        where: { id: parentPreviewEnvironment.id },
+        data: { isBranchableEnvironment: true },
+      });
+
+      const activeBranchEnvironment = await createRuntimeEnvironment(prisma, {
+        projectId: project.id,
+        organizationId: organization.id,
+        type: "PREVIEW",
+      });
+      await prisma.runtimeEnvironment.update({
+        where: { id: activeBranchEnvironment.id },
+        data: {
+          parentEnvironmentId: parentPreviewEnvironment.id,
+          branchName: "feature/active",
+        },
+      });
+
+      const archivedBranchEnvironment = await createRuntimeEnvironment(prisma, {
+        projectId: project.id,
+        organizationId: organization.id,
+        type: "PREVIEW",
+      });
+      await prisma.runtimeEnvironment.update({
+        where: { id: archivedBranchEnvironment.id },
+        data: {
+          parentEnvironmentId: parentPreviewEnvironment.id,
+          branchName: "feature/archived",
+        },
+      });
+
+      const repository = new EnvironmentVariablesRepository(prisma, prisma);
+
+      await createEnvironmentVariable(repository, project.id, {
+        environmentId: prodEnvironment.id,
+        key: "MY_VAR",
+        value: "prod-value",
+        userId: user.id,
+      });
+      await createEnvironmentVariable(repository, project.id, {
+        environmentId: activeBranchEnvironment.id,
+        key: "MY_VAR",
+        value: "active-branch-value",
+        userId: user.id,
+      });
+      await createEnvironmentVariable(repository, project.id, {
+        environmentId: archivedBranchEnvironment.id,
+        key: "MY_VAR",
+        value: "archived-branch-value",
+        userId: user.id,
+      });
+
+      // Archive the branch after it accumulated values (archiving does not
+      // delete its EnvironmentVariableValue rows).
+      await prisma.runtimeEnvironment.update({
+        where: { id: archivedBranchEnvironment.id },
+        data: { archivedAt: new Date() },
+      });
+
+      const result = await new EnvironmentVariablesPresenter(prisma, prisma).call({
+        userId: user.id,
+        projectSlug,
+      });
+
+      const environmentIds = result.environments.map((environment) => environment.id);
+      expect(environmentIds).toContain(prodEnvironment.id);
+      expect(environmentIds).toContain(activeBranchEnvironment.id);
+      expect(environmentIds).not.toContain(archivedBranchEnvironment.id);
+
+      const myVarValues = result.environmentVariables.filter(
+        (variable) => variable.key === "MY_VAR"
+      );
+      expect(myVarValues).toHaveLength(2);
+
+      const prodValue = myVarValues.find(
+        (variable) => variable.environment.id === prodEnvironment.id
+      );
+      expect(prodValue?.value).toBe("prod-value");
+
+      const activeBranchValue = myVarValues.find(
+        (variable) => variable.environment.id === activeBranchEnvironment.id
+      );
+      expect(activeBranchValue?.value).toBe("active-branch-value");
+      expect(activeBranchValue?.environment.branchName).toBe("feature/active");
+
+      expect(
+        myVarValues.some((variable) => variable.environment.id === archivedBranchEnvironment.id)
+      ).toBe(false);
+    }
+  );
+});
diff --git a/apps/webapp/test/README.md b/apps/webapp/test/README.md
new file mode 100644
index 00000000000..d1c2a418b39
--- /dev/null
+++ b/apps/webapp/test/README.md
@@ -0,0 +1,65 @@
+# Webapp tests
+
+Three suites live in this directory.
+
+## Unit tests — `*.test.ts`
+
+Run with `pnpm test` from `apps/webapp`. Default vitest pickup. No
+container setup. Run on every PR via `unit-tests-webapp.yml`.
+
+## Smoke e2e — `*.e2e.test.ts`
+
+End-to-end auth baseline that proves the route auth plumbing is wired up.
+Each file spins up its own webapp + Postgres + Redis container in
+`beforeAll` (~30s startup). Vitest config: `vitest.e2e.config.ts`. Run on
+every PR via `e2e-webapp.yml`.
+
+```bash
+cd apps/webapp
+pnpm exec vitest --config vitest.e2e.config.ts
+```
+
+## Comprehensive auth e2e — `*.e2e.full.test.ts`
+
+The full RBAC auth matrix — every route family with explicit pass/fail
+scenarios. See TRI-8731 for the parent ticket and TRI-8732 onwards for
+each family's coverage spec.
+
+**Architecture**: one container reused across the whole suite via
+`vitest.e2e.full.config.ts`'s `globalSetup`. Test files share the server
+through `getTestServer()` from `helpers/sharedTestServer.ts`. Each test
+seeds its own resources so order doesn't matter.
+
+**Layout**:
+
+| File | Top-level describe | Family subtasks |
+|---|---|---|
+| `auth-api.e2e.full.test.ts` | `API` | TRI-8733 trigger, TRI-8734 run resource, TRI-8735 run mutations, TRI-8736 run lists, TRI-8737 batches, TRI-8738 prompts, TRI-8739 deployments + query, TRI-8740 waitpoints + input streams, TRI-8741 PAT |
+| `auth-dashboard.e2e.full.test.ts` | `Dashboard` | TRI-8742 admin pages |
+| `auth-cross-cutting.e2e.full.test.ts` | `Cross-cutting` | TRI-8743 deleted projects / revoked keys / expired JWTs / env mismatch / force-fallback toggle |
+
+**Adding a new family**: pick the relevant file, add a nested `describe`
+block. Inside, seed your own fixtures via the helpers and hit the shared
+server.
+
+```ts
+describe("Trigger task", () => {
+  const server = getTestServer();
+
+  it("missing Authorization → 401", async () => {
+    const res = await server.webapp.fetch("/api/v1/tasks/x/trigger", { method: "POST", body: "{}" });
+    expect(res.status).toBe(401);
+  });
+});
+```
+
+**CI**: `e2e-webapp-auth-full.yml`. Triggers on `workflow_dispatch`,
+nightly schedule, and PRs touching auth-relevant paths (route builders,
+rbac.server.ts, apiAuth.server.ts, apiroutes, the suite itself).
+
+**Run locally**:
+
+```bash
+cd apps/webapp
+pnpm exec vitest --config vitest.e2e.full.config.ts
+```
diff --git a/apps/webapp/test/api-auth.e2e.test.ts b/apps/webapp/test/api-auth.e2e.test.ts
new file mode 100644
index 00000000000..31e365d6d40
--- /dev/null
+++ b/apps/webapp/test/api-auth.e2e.test.ts
@@ -0,0 +1,427 @@
+/**
+ * E2E auth baseline tests.
+ *
+ * These tests capture current auth behavior before the apiBuilder migration to RBAC.
+ * Run them before and after the migration to verify behavior is identical.
+ *
+ * Requires a pre-built webapp: pnpm run build --filter webapp
+ */
+import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
+import type { TestServer } from "@internal/testcontainers/webapp";
+import { startTestServer } from "@internal/testcontainers/webapp";
+import { generateJWT } from "@trigger.dev/core/v3/jwt";
+import { seedTestEnvironment } from "./helpers/seedTestEnvironment";
+import { seedTestPAT, seedTestUser } from "./helpers/seedTestPAT";
+import { seedTestRun } from "./helpers/seedTestRun";
+import { seedTestWaitpoint } from "./helpers/seedTestWaitpoint";
+
+vi.setConfig({ testTimeout: 180_000 });
+
+// Shared across all tests in this file — one postgres container + one webapp instance.
+let server: TestServer;
+
+beforeAll(async () => {
+  server = await startTestServer();
+}, 180_000);
+
+afterAll(async () => {
+  await server?.stop();
+}, 120_000);
+
+async function generateTestJWT(
+  environment: { id: string; apiKey: string },
+  options: { scopes?: string[] } = {}
+): Promise<string> {
+  const scopes = options.scopes ?? ["read:runs"];
+  return generateJWT({
+    secretKey: environment.apiKey,
+    payload: { pub: true, sub: environment.id, scopes },
+    expirationTime: "15m",
+  });
+}
+
+describe("API bearer auth — baseline behavior", () => {
+  it("valid API key: auth passes (404 not 401)", async () => {
+    const { apiKey } = await seedTestEnvironment(server.prisma);
+    const res = await server.webapp.fetch("/api/v1/runs/run_doesnotexist/result", {
+      headers: { Authorization: `Bearer ${apiKey}` },
+    });
+    // Auth passed — resource just doesn't exist
+    expect(res.status).not.toBe(401);
+    expect(res.status).not.toBe(403);
+  });
+
+  it("missing Authorization header: 401", async () => {
+    const res = await server.webapp.fetch("/api/v1/runs/run_doesnotexist/result");
+    expect(res.status).toBe(401);
+  });
+
+  it("invalid API key: 401", async () => {
+    const res = await server.webapp.fetch("/api/v1/runs/run_doesnotexist/result", {
+      headers: { Authorization: "Bearer tr_dev_completely_invalid_key_xyz_not_real" },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  it("401 response has error field", async () => {
+    const res = await server.webapp.fetch("/api/v1/runs/run_doesnotexist/result");
+    const body = await res.json();
+    expect(body).toHaveProperty("error");
+  });
+});
+
+describe("JWT bearer auth — baseline behavior", () => {
+  it("valid JWT on JWT-enabled route: auth passes", async () => {
+    const { environment } = await seedTestEnvironment(server.prisma);
+    const jwt = await generateTestJWT(environment, { scopes: ["read:runs"] });
+
+    // /api/v1/runs has allowJWT: true with superScopes: ["read:runs", ...]
+    const res = await server.webapp.fetch("/api/v1/runs", {
+      headers: { Authorization: `Bearer ${jwt}` },
+    });
+
+    // Auth passed — 200 (empty list) or 400 (bad search params), not 401
+    expect(res.status).not.toBe(401);
+  });
+
+  it("valid JWT on non-JWT route: 401", async () => {
+    const { environment } = await seedTestEnvironment(server.prisma);
+    const jwt = await generateTestJWT(environment, { scopes: ["read:runs"] });
+
+    // /api/v1/runs/$runParam/result does NOT have allowJWT: true
+    const res = await server.webapp.fetch("/api/v1/runs/run_doesnotexist/result", {
+      headers: { Authorization: `Bearer ${jwt}` },
+    });
+
+    expect(res.status).toBe(401);
+  });
+
+  it("JWT with empty scopes on JWT-enabled route: 403", async () => {
+    const { environment } = await seedTestEnvironment(server.prisma);
+    const jwt = await generateTestJWT(environment, { scopes: [] });
+
+    const res = await server.webapp.fetch("/api/v1/runs", {
+      headers: { Authorization: `Bearer ${jwt}` },
+    });
+
+    // Empty scopes → no read:runs permission → 403
+    expect(res.status).toBe(403);
+  });
+
+  it("JWT signed with wrong key: 401", async () => {
+    const { environment } = await seedTestEnvironment(server.prisma);
+    const jwt = await generateJWT({
+      secretKey: "wrong-signing-key-that-does-not-match-environment-key",
+      payload: { pub: true, sub: environment.id, scopes: ["read:runs"] },
+    });
+
+    const res = await server.webapp.fetch("/api/v1/runs", {
+      headers: { Authorization: `Bearer ${jwt}` },
+    });
+
+    expect(res.status).toBe(401);
+  });
+});
+
+// Exercises the RBAC plugin loader end-to-end. The test server boots
+// with RBAC_FORCE_FALLBACK=1 (see internal-packages/testcontainers/src/webapp.ts),
+// which makes rbac.server.ts use the default fallback regardless of
+// whether a plugin is installed in node_modules. /admin/concurrency
+// uses rbac.authenticateSession internally; an unauthenticated request
+// must flow through LazyController → RoleBaseAccessFallback →
+// redirect("/login").
+describe("RBAC plugin — fallback wiring", () => {
+  it("unauthenticated dashboard route redirects to /login via the fallback", async () => {
+    const res = await server.webapp.fetch("/admin/concurrency", { redirect: "manual" });
+    expect(res.status).toBe(302);
+    const location = res.headers.get("location") ?? "";
+    expect(new URL(location, "http://placeholder").pathname).toBe("/login");
+  });
+});
+
+// Covers createActionApiRoute's bearer auth path. The target route is
+// POST /api/v1/idempotencyKeys/:key/reset — allowJWT: true, superScopes: ["write:runs", "admin"].
+// Tests assert HTTP-observable behavior so they remain valid after TRI-8719 swaps
+// authenticateApiRequestWithFailure for rbac.authenticateBearer.
+describe("API bearer auth — action requests", () => {
+  const targetPath = "/api/v1/idempotencyKeys/does-not-exist/reset";
+
+  it("valid API key: auth passes (body validation fails, not 401/403)", async () => {
+    const { apiKey } = await seedTestEnvironment(server.prisma);
+    const res = await server.webapp.fetch(targetPath, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${apiKey}`, "content-type": "application/json" },
+      body: JSON.stringify({}), // missing taskIdentifier → zod validation error
+    });
+    expect(res.status).not.toBe(401);
+    expect(res.status).not.toBe(403);
+  });
+
+  it("missing Authorization header: 401", async () => {
+    const res = await server.webapp.fetch(targetPath, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ taskIdentifier: "noop" }),
+    });
+    expect(res.status).toBe(401);
+  });
+
+  it("invalid API key: 401", async () => {
+    const res = await server.webapp.fetch(targetPath, {
+      method: "POST",
+      headers: {
+        Authorization: "Bearer tr_dev_completely_invalid_key_xyz_not_real",
+        "content-type": "application/json",
+      },
+      body: JSON.stringify({ taskIdentifier: "noop" }),
+    });
+    expect(res.status).toBe(401);
+  });
+
+});
+
+describe("JWT bearer auth — action requests", () => {
+  const targetPath = "/api/v1/idempotencyKeys/does-not-exist/reset";
+
+  it("JWT with matching scope: auth passes", async () => {
+    const { environment } = await seedTestEnvironment(server.prisma);
+    const jwt = await generateTestJWT(environment, { scopes: ["write:runs"] });
+    const res = await server.webapp.fetch(targetPath, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${jwt}`, "content-type": "application/json" },
+      body: JSON.stringify({}),
+    });
+    expect(res.status).not.toBe(401);
+    expect(res.status).not.toBe(403);
+  });
+
+  it("JWT with wrong scope (read-only) on write route: 403", async () => {
+    const { environment } = await seedTestEnvironment(server.prisma);
+    const jwt = await generateTestJWT(environment, { scopes: ["read:runs"] });
+    const res = await server.webapp.fetch(targetPath, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${jwt}`, "content-type": "application/json" },
+      body: JSON.stringify({ taskIdentifier: "noop" }),
+    });
+    expect(res.status).toBe(403);
+  });
+});
+
+// Covers createLoaderPATApiRoute via GET /api/v1/projects/:projectRef/runs.
+// authenticateApiRequestWithPersonalAccessToken rejects anything that isn't tr_pat_-prefixed
+// or doesn't match a non-revoked PersonalAccessToken row.
+describe("Personal access token auth", () => {
+  const pathFor = (ref: string) => `/api/v1/projects/${ref}/runs`;
+
+  it("missing Authorization header: 401", async () => {
+    const res = await server.webapp.fetch(pathFor("nonexistent"));
+    expect(res.status).toBe(401);
+  });
+
+  it("API key (tr_dev_*) on PAT-only route: 401", async () => {
+    const { apiKey } = await seedTestEnvironment(server.prisma);
+    const res = await server.webapp.fetch(pathFor("nonexistent"), {
+      headers: { Authorization: `Bearer ${apiKey}` },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  it("malformed PAT (wrong prefix): 401", async () => {
+    const res = await server.webapp.fetch(pathFor("nonexistent"), {
+      headers: { Authorization: "Bearer not_a_pat_at_all_random_string" },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  it("well-formed but unknown PAT: 401", async () => {
+    const res = await server.webapp.fetch(pathFor("nonexistent"), {
+      headers: {
+        Authorization: "Bearer tr_pat_0000000000000000000000000000000000000000",
+      },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  it("revoked PAT: 401", async () => {
+    const user = await seedTestUser(server.prisma);
+    const { token } = await seedTestPAT(server.prisma, user.id, { revoked: true });
+    const res = await server.webapp.fetch(pathFor("nonexistent"), {
+      headers: { Authorization: `Bearer ${token}` },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  it("valid PAT on nonexistent project: 404 (auth passes)", async () => {
+    const user = await seedTestUser(server.prisma);
+    const { token } = await seedTestPAT(server.prisma, user.id);
+    const res = await server.webapp.fetch(pathFor("nonexistent"), {
+      headers: { Authorization: `Bearer ${token}` },
+    });
+    expect(res.status).toBe(404);
+  });
+});
+
+// Verifies resource-scoped JWT behaviour end-to-end against a real seeded resource.
+// Target: POST /api/v1/waitpoints/tokens/:waitpointFriendlyId/complete — allowJWT: true,
+// authorization: { action: "write", resource: (params) => ({ waitpoints: params.waitpointFriendlyId }),
+// superScopes: ["write:waitpoints", "admin"] }.
+//
+// The Waitpoint is seeded with status COMPLETED so the handler short-circuits with
+// { success: true } once auth passes — no run-engine worker needed. "Auth passes" is
+// observable as a 200 response; "auth fails" is observable as a 403.
+describe("JWT bearer auth — resource-scoped scopes", () => {
+  const pathFor = (friendlyId: string) => `/api/v1/waitpoints/tokens/${friendlyId}/complete`;
+
+  async function seedEnvAndWaitpoint() {
+    const seed = await seedTestEnvironment(server.prisma);
+    const waitpoint = await seedTestWaitpoint(server.prisma, {
+      environmentId: seed.environment.id,
+      projectId: seed.project.id,
+    });
+    return { ...seed, waitpoint };
+  }
+
+  async function completeRequest(friendlyId: string, jwt: string) {
+    return server.webapp.fetch(pathFor(friendlyId), {
+      method: "POST",
+      headers: { Authorization: `Bearer ${jwt}`, "content-type": "application/json" },
+      body: JSON.stringify({}),
+    });
+  }
+
+  it("scope matches exact resource id: 200", async () => {
+    const { environment, waitpoint } = await seedEnvAndWaitpoint();
+    const jwt = await generateTestJWT(environment, {
+      scopes: [`write:waitpoints:${waitpoint.friendlyId}`],
+    });
+    const res = await completeRequest(waitpoint.friendlyId, jwt);
+    expect(res.status).toBe(200);
+  });
+
+  it("scope targets a different resource id: 403", async () => {
+    const { environment, waitpoint } = await seedEnvAndWaitpoint();
+    const jwt = await generateTestJWT(environment, {
+      scopes: ["write:waitpoints:waitpoint_someoneelse000000000000000"],
+    });
+    const res = await completeRequest(waitpoint.friendlyId, jwt);
+    expect(res.status).toBe(403);
+  });
+
+  it("type-level scope (no id) grants all resources of that type: 200", async () => {
+    const { environment, waitpoint } = await seedEnvAndWaitpoint();
+    const jwt = await generateTestJWT(environment, { scopes: ["write:waitpoints"] });
+    const res = await completeRequest(waitpoint.friendlyId, jwt);
+    expect(res.status).toBe(200);
+  });
+
+  it("scope action mismatch (read-only on write route) with matching resource id: 403", async () => {
+    const { environment, waitpoint } = await seedEnvAndWaitpoint();
+    const jwt = await generateTestJWT(environment, {
+      scopes: [`read:waitpoints:${waitpoint.friendlyId}`],
+    });
+    const res = await completeRequest(waitpoint.friendlyId, jwt);
+    expect(res.status).toBe(403);
+  });
+
+  it("scope targets a different resource type: 403", async () => {
+    const { environment, waitpoint } = await seedEnvAndWaitpoint();
+    const jwt = await generateTestJWT(environment, {
+      scopes: ["write:runs:run_abc000000000000000000000"],
+    });
+    const res = await completeRequest(waitpoint.friendlyId, jwt);
+    expect(res.status).toBe(403);
+  });
+
+  it("admin super-scope grants access (legacy behaviour): 200", async () => {
+    const { environment, waitpoint } = await seedEnvAndWaitpoint();
+    const jwt = await generateTestJWT(environment, { scopes: ["admin"] });
+    const res = await completeRequest(waitpoint.friendlyId, jwt);
+    expect(res.status).toBe(200);
+  });
+
+  it("unrelated type scope with no super-scope match: 403", async () => {
+    const { environment, waitpoint } = await seedEnvAndWaitpoint();
+    const jwt = await generateTestJWT(environment, { scopes: ["read:runs"] });
+    const res = await completeRequest(waitpoint.friendlyId, jwt);
+    expect(res.status).toBe(403);
+  });
+});
+
+// Pre-migration coverage for the three behavioural constraints captured in TRI-8719.
+// Each test locks in an observable current behaviour that the migration must preserve:
+// - custom actions (trigger/batchTrigger/update) satisfied by write:* scopes
+// - multi-key resource callbacks (runs/tags/batch/tasks) — any key match grants access
+// - empty resource callbacks relying on superScopes
+describe("JWT bearer auth — behaviours to preserve through TRI-8719", () => {
+  it("custom action: type-level write:tasks scope satisfies action=\"trigger\" (auth passes)", async () => {
+    const { environment } = await seedTestEnvironment(server.prisma);
+    // Current SDK + MCP JWTs for task-trigger use type-level scope, e.g. write:tasks.
+    // Legacy checkAuthorization passes via exact superScope match ["write:tasks", "admin"].
+    // After TRI-8719, the ACTION_ALIASES map must keep this working: trigger action is
+    // satisfied by a scope whose action is write.
+    const jwt = await generateTestJWT(environment, { scopes: ["write:tasks"] });
+    const res = await server.webapp.fetch("/api/v1/tasks/nonexistent-task/trigger", {
+      method: "POST",
+      headers: { Authorization: `Bearer ${jwt}`, "content-type": "application/json" },
+      body: JSON.stringify({}),
+    });
+    expect(res.status).not.toBe(401);
+    expect(res.status).not.toBe(403);
+  });
+
+  it("multi-key resource: read:tags:<tag> scope grants access to a run carrying that tag (auth passes)", async () => {
+    const { environment, project } = await seedTestEnvironment(server.prisma);
+    const { runFriendlyId } = await seedTestRun(server.prisma, {
+      environmentId: environment.id,
+      projectId: project.id,
+      runTags: ["my-resource-scoped-tag"],
+    });
+    const jwt = await generateTestJWT(environment, {
+      scopes: ["read:tags:my-resource-scoped-tag"],
+    });
+    const res = await server.webapp.fetch(`/api/v1/runs/${runFriendlyId}/trace`, {
+      headers: { Authorization: `Bearer ${jwt}` },
+    });
+    expect(res.status).not.toBe(401);
+    expect(res.status).not.toBe(403);
+  });
+
+  it("multi-key resource: read:batch:<friendlyId> scope grants access to a run in that batch (auth passes)", async () => {
+    const { environment, project } = await seedTestEnvironment(server.prisma);
+    const { runFriendlyId, batchFriendlyId } = await seedTestRun(server.prisma, {
+      environmentId: environment.id,
+      projectId: project.id,
+      withBatch: true,
+    });
+    const jwt = await generateTestJWT(environment, {
+      scopes: [`read:batch:${batchFriendlyId}`],
+    });
+    const res = await server.webapp.fetch(`/api/v1/runs/${runFriendlyId}/trace`, {
+      headers: { Authorization: `Bearer ${jwt}` },
+    });
+    expect(res.status).not.toBe(401);
+    expect(res.status).not.toBe(403);
+  });
+
+  // Empty-resource routes (api.v1.batches.ts, api.v1.idempotencyKeys.$key.reset.ts)
+  // currently DENY all JWTs because legacy checkAuthorization's empty-resource check
+  // fires before the superScope check. TRI-8719's plan to add explicit { type: "runs" }
+  // changes this to "JWTs with read:runs or write:runs now work on these routes" — an
+  // intentional improvement, not a preserved behaviour. See TRI-8719 description for
+  // the note; there's nothing to lock in with a test here.
+});
+
+// Edge cases where auth-path DB state should cause 401 even with a valid-looking token.
+describe("API bearer auth — environment/project edge cases", () => {
+  it("valid API key whose project is soft-deleted: 401", async () => {
+    const { apiKey, project } = await seedTestEnvironment(server.prisma);
+    await server.prisma.project.update({
+      where: { id: project.id },
+      data: { deletedAt: new Date() },
+    });
+    const res = await server.webapp.fetch("/api/v1/runs/run_doesnotexist/result", {
+      headers: { Authorization: `Bearer ${apiKey}` },
+    });
+    expect(res.status).toBe(401);
+  });
+});
diff --git a/apps/webapp/test/auth-api.e2e.full.test.ts b/apps/webapp/test/auth-api.e2e.full.test.ts
new file mode 100644
index 00000000000..e66cb1e8072
--- /dev/null
+++ b/apps/webapp/test/auth-api.e2e.full.test.ts
@@ -0,0 +1,2977 @@
+// Comprehensive API auth tests — uses the shared TestServer started by
+// vitest.e2e.full.config.ts's globalSetup. Family subtasks under TRI-8731
+// add nested describe blocks here:
+//
+//   describe("API", () => {
+//     describe("Trigger task", () => { ... })   // TRI-8733
+//     describe("Runs — resource routes", () => { ... }) // TRI-8734
+//     ...
+//   })
+//
+// See test/helpers/sharedTestServer.ts for `getTestServer()`.
+
+import { generateJWT } from "@trigger.dev/core/v3/jwt";
+import { describe, expect, it } from "vitest";
+import { getTestServer } from "./helpers/sharedTestServer";
+import { seedTestEnvironment } from "./helpers/seedTestEnvironment";
+import { seedTestPAT, seedTestUser } from "./helpers/seedTestPAT";
+import { seedTestRun } from "./helpers/seedTestRun";
+import { seedTestApiSession } from "./helpers/seedTestApiSession";
+import { seedTestUserProject } from "./helpers/seedTestUserProject";
+import { seedTestWaitpoint } from "./helpers/seedTestWaitpoint";
+
+describe("API", () => {
+  // Placeholder until family subtasks add their describes (TRI-8733+).
+  // Verifies the shared container is reachable from this worker.
+  it("shared webapp container responds to /healthcheck", async () => {
+    const server = getTestServer();
+    const res = await server.webapp.fetch("/healthcheck");
+    expect(res.ok).toBe(true);
+  });
+
+  // PAT-authenticated routes (TRI-8741). The smoke matrix in
+  // test/api-auth.e2e.test.ts covers basic 401 cases (missing auth,
+  // wrong-prefix, unknown PAT, revoked PAT, valid-PAT-on-nonexistent-
+  // project). This describe extends the matrix to the cases that
+  // require seeding the full user → org → project → env graph:
+  // valid-PAT-on-real-project, cross-org isolation, soft-deleted
+  // project, and the global-admin-flag-doesn't-grant-cross-org carve-
+  // out.
+  //
+  // Target route: GET /api/v1/projects/:projectRef/runs (the only
+  // createLoaderPATApiRoute consumer at time of writing — re-grep
+  // before extending if more PAT-only routes appear).
+  describe("PAT-authenticated routes — comprehensive", () => {
+    const pathFor = (ref: string) => `/api/v1/projects/${ref}/runs`;
+
+    it("JWT on PAT-only route: 401", async () => {
+      const server = getTestServer();
+      const { environment } = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: environment.apiKey,
+        payload: { pub: true, sub: environment.id, scopes: ["read:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(pathFor("nonexistent"), {
+        headers: { Authorization: `Bearer ${jwt}` },
+      });
+      // PAT route doesn't accept JWTs — auth rejects before resource lookup.
+      expect(res.status).toBe(401);
+    });
+
+    it("valid PAT, project exists in user's org: auth passes", async () => {
+      const server = getTestServer();
+      const { project, pat } = await seedTestUserProject(server.prisma);
+      const res = await server.webapp.fetch(pathFor(project.externalRef), {
+        headers: { Authorization: `Bearer ${pat.token}` },
+      });
+      // Auth + scoping pass. The route's run-list presenter hits
+      // ClickHouse which isn't reachable in tests — accept any status
+      // that isn't an auth failure.
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("valid PAT, project belongs to a different user's org: 404", async () => {
+      const server = getTestServer();
+      // Two completely isolated graphs. Both projects exist; the PAT
+      // belongs to userA, the project to userB's org. findProjectByRef
+      // scopes by `members: { some: { userId } }`, so userA's PAT
+      // sees userB's project as nonexistent → 404 (not 403).
+      const a = await seedTestUserProject(server.prisma);
+      const b = await seedTestUserProject(server.prisma);
+      const res = await server.webapp.fetch(pathFor(b.project.externalRef), {
+        headers: { Authorization: `Bearer ${a.pat.token}` },
+      });
+      // Lock in the 404 — the access check inside findProjectByRef
+      // returns null for cross-org and the route maps null to 404.
+      expect(res.status).toBe(404);
+    });
+
+    it("valid PAT, project soft-deleted (deletedAt != null): 200 (route does not filter)", async () => {
+      const server = getTestServer();
+      // findProjectByRef (apps/webapp/app/models/project.server.ts)
+      // does NOT filter on deletedAt — it scopes only by externalRef
+      // and the user's org membership. So a soft-deleted project is
+      // still findable here; the run-list presenter just returns
+      // data:[] (or whatever survived). The ticket lists this as a
+      // 404 case but that's not the route's actual contract; lock in
+      // observed behaviour and call out the gap so a future change
+      // (either tightening findProjectByRef or filtering at the route)
+      // is conscious.
+      const { project, pat } = await seedTestUserProject(server.prisma, {
+        projectDeleted: true,
+      });
+      const res = await server.webapp.fetch(pathFor(project.externalRef), {
+        headers: { Authorization: `Bearer ${pat.token}` },
+      });
+      // ClickHouse-dependent run-list — auth-passed assertion.
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("valid PAT for a global-admin user: still per-user (no cross-org access)", async () => {
+      const server = getTestServer();
+      // user.admin = true is the legacy super-admin flag. The PAT
+      // route's access check is per-user (members: { some: { userId } }),
+      // not admin-aware — so admin doesn't unlock cross-org visibility.
+      // Lock in that behaviour: an admin's PAT can't read another
+      // org's project either.
+      const admin = await seedTestUser(server.prisma, { admin: true });
+      const adminPat = await seedTestPAT(server.prisma, admin.id);
+      const otherOrg = await seedTestUserProject(server.prisma);
+
+      const res = await server.webapp.fetch(pathFor(otherOrg.project.externalRef), {
+        headers: { Authorization: `Bearer ${adminPat.token}` },
+      });
+      expect(res.status).toBe(404);
+    });
+
+    it("valid PAT, admin user accessing their OWN project: auth passes", async () => {
+      const server = getTestServer();
+      // Companion to the above — confirm admin=true users can still
+      // access their own org's projects (the admin flag isn't
+      // accidentally subtracting permission).
+      const { project, pat } = await seedTestUserProject(server.prisma, {
+        userAdmin: true,
+      });
+      const res = await server.webapp.fetch(pathFor(project.externalRef), {
+        headers: { Authorization: `Bearer ${pat.token}` },
+      });
+      // ClickHouse-dependent run-list — auth-passed assertion.
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+  });
+
+  // Resource-scoped writes (TRI-8740). Two routes:
+  //   - POST /api/v1/waitpoints/tokens/:friendlyId/complete
+  //     resource: { type: "waitpoints", id: friendlyId }
+  //   - POST /realtime/v1/streams/:runId/input/:streamId
+  //     resource: { type: "inputStreams", id: runId }
+  //
+  // The smoke matrix (api-auth.e2e.test.ts "JWT bearer auth — resource-
+  // scoped scopes") already covers waitpoints comprehensively for JWT
+  // resource-id matching, type-level scopes, action mismatches, admin
+  // super-scope, etc. This block fills the gaps:
+  //   - Private API key (not JWT) on the route.
+  //   - JWT with `write:all` super-scope.
+  //   - Cross-env (env A's JWT trying env B's resource).
+  // Plus the equivalent full matrix for input-streams which the smoke
+  // matrix doesn't touch.
+  describe("Resource-scoped writes — waitpoints (gap-fill)", () => {
+    const pathFor = (friendlyId: string) =>
+      `/api/v1/waitpoints/tokens/${friendlyId}/complete`;
+    const completeRequest = (path: string, headers: Record<string, string>) =>
+      getTestServer().webapp.fetch(path, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", ...headers },
+        body: JSON.stringify({}),
+      });
+
+    async function seedEnvAndWaitpoint() {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const waitpoint = await seedTestWaitpoint(server.prisma, {
+        environmentId: seed.environment.id,
+        projectId: seed.project.id,
+      });
+      return { ...seed, waitpoint };
+    }
+
+    it("private API key (tr_dev_*): auth passes (200)", async () => {
+      const { apiKey, waitpoint } = await seedEnvAndWaitpoint();
+      const res = await completeRequest(pathFor(waitpoint.friendlyId), {
+        Authorization: `Bearer ${apiKey}`,
+      });
+      // Waitpoint is COMPLETED, so the handler short-circuits with 200
+      // once auth passes. Auth-passed assertion: NOT 401 / 403.
+      expect(res.status).toBe(200);
+    });
+
+    it("JWT with write:all super-scope: auth passes (200)", async () => {
+      const { environment, waitpoint } = await seedEnvAndWaitpoint();
+      const jwt = await generateJWT({
+        secretKey: environment.apiKey,
+        payload: { pub: true, sub: environment.id, scopes: ["write:all"] },
+        expirationTime: "15m",
+      });
+      const res = await completeRequest(pathFor(waitpoint.friendlyId), {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).toBe(200);
+    });
+
+    it("cross-env: env A's JWT cannot complete env B's waitpoint: not 200", async () => {
+      const server = getTestServer();
+      const a = await seedTestEnvironment(server.prisma);
+      const b = await seedEnvAndWaitpoint();
+      const jwt = await generateJWT({
+        secretKey: a.apiKey,
+        payload: {
+          pub: true,
+          sub: a.environment.id,
+          scopes: [`write:waitpoints:${b.waitpoint.friendlyId}`],
+        },
+        expirationTime: "15m",
+      });
+      // The JWT is signed by env A and its sub claim says env A. The
+      // route resolves env from the sub claim and the waitpoint is
+      // env B's, so the lookup misses. The exact code depends on
+      // whether auth or the resource lookup fires first — both
+      // outcomes are correct, just NOT 200.
+      const res = await completeRequest(pathFor(b.waitpoint.friendlyId), {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).not.toBe(200);
+    });
+  });
+
+  describe("Resource-scoped writes — input streams (full matrix)", () => {
+    const pathFor = (runId: string, streamId: string) =>
+      `/realtime/v1/streams/${runId}/input/${streamId}`;
+    const postRequest = (path: string, headers: Record<string, string>) =>
+      getTestServer().webapp.fetch(path, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", ...headers },
+        body: JSON.stringify({ data: { hello: "world" } }),
+      });
+
+    async function seedEnvAndRun() {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const { runFriendlyId } = await seedTestRun(server.prisma, {
+        environmentId: seed.environment.id,
+        projectId: seed.project.id,
+      });
+      return { ...seed, runFriendlyId, streamId: "test-stream" };
+    }
+
+    it("missing auth: 401", async () => {
+      const server = getTestServer();
+      const res = await server.webapp.fetch(pathFor("run_doesnotexist", "stream-x"), {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ data: {} }),
+      });
+      expect(res.status).toBe(401);
+    });
+
+    it("private API key: auth passes (not 401/403)", async () => {
+      const { apiKey, runFriendlyId, streamId } = await seedEnvAndRun();
+      const res = await postRequest(pathFor(runFriendlyId, streamId), {
+        Authorization: `Bearer ${apiKey}`,
+      });
+      // Route may return any 2xx/4xx based on stream state — we only
+      // care that auth passed (NOT 401/403).
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with exact-id scope: auth passes", async () => {
+      const { environment, runFriendlyId, streamId } = await seedEnvAndRun();
+      const jwt = await generateJWT({
+        secretKey: environment.apiKey,
+        payload: {
+          pub: true,
+          sub: environment.id,
+          scopes: [`write:inputStreams:${runFriendlyId}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await postRequest(pathFor(runFriendlyId, streamId), {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with type-level scope: auth passes", async () => {
+      const { environment, runFriendlyId, streamId } = await seedEnvAndRun();
+      const jwt = await generateJWT({
+        secretKey: environment.apiKey,
+        payload: { pub: true, sub: environment.id, scopes: ["write:inputStreams"] },
+        expirationTime: "15m",
+      });
+      const res = await postRequest(pathFor(runFriendlyId, streamId), {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with wrong resource id: 403", async () => {
+      const { environment, runFriendlyId, streamId } = await seedEnvAndRun();
+      const jwt = await generateJWT({
+        secretKey: environment.apiKey,
+        payload: {
+          pub: true,
+          sub: environment.id,
+          scopes: ["write:inputStreams:run_someoneelse00000000000000"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await postRequest(pathFor(runFriendlyId, streamId), {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT with read action on write route: 403", async () => {
+      const { environment, runFriendlyId, streamId } = await seedEnvAndRun();
+      const jwt = await generateJWT({
+        secretKey: environment.apiKey,
+        payload: {
+          pub: true,
+          sub: environment.id,
+          scopes: [`read:inputStreams:${runFriendlyId}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await postRequest(pathFor(runFriendlyId, streamId), {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT with write:all super-scope: auth passes", async () => {
+      const { environment, runFriendlyId, streamId } = await seedEnvAndRun();
+      const jwt = await generateJWT({
+        secretKey: environment.apiKey,
+        payload: { pub: true, sub: environment.id, scopes: ["write:all"] },
+        expirationTime: "15m",
+      });
+      const res = await postRequest(pathFor(runFriendlyId, streamId), {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with admin super-scope: auth passes", async () => {
+      const { environment, runFriendlyId, streamId } = await seedEnvAndRun();
+      const jwt = await generateJWT({
+        secretKey: environment.apiKey,
+        payload: { pub: true, sub: environment.id, scopes: ["admin"] },
+        expirationTime: "15m",
+      });
+      const res = await postRequest(pathFor(runFriendlyId, streamId), {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("cross-env: env A's JWT cannot write to env B's run: not 200", async () => {
+      const server = getTestServer();
+      const a = await seedTestEnvironment(server.prisma);
+      const b = await seedEnvAndRun();
+      const jwt = await generateJWT({
+        secretKey: a.apiKey,
+        payload: {
+          pub: true,
+          sub: a.environment.id,
+          scopes: [`write:inputStreams:${b.runFriendlyId}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await postRequest(pathFor(b.runFriendlyId, b.streamId), {
+        Authorization: `Bearer ${jwt}`,
+      });
+      // Either auth fails outright or the run lookup misses (env A's
+      // view of the run doesn't include env B's data). Critical
+      // security property: NOT 200.
+      expect(res.status).not.toBe(200);
+    });
+  });
+
+  // Trigger task routes (TRI-8733). The single-task route uses
+  // action: "trigger" with a single resource { type: "tasks", id };
+  // batch v1/v2 use action: "batchTrigger" with a body-derived array
+  // [{type:"tasks", id}, ...] under AND semantics — every task in the
+  // batch must be authorized, not just any one (otherwise a JWT scoped
+  // to one task could submit a batch with arbitrary other tasks).
+  // v3 batches use a collection-level resource { type: "tasks" }
+  // (no id — items are validated per-row when streamed).
+  //
+  // ACTION_ALIASES (from packages/core/src/v3/jwt.ts) maps write→trigger
+  // and write→batchTrigger so write:tasks scopes also satisfy these
+  // routes. The smoke matrix already verifies write:tasks → trigger
+  // alias works; we re-test it here per-route so scope misconfig in
+  // one route doesn't slip past.
+  describe("Trigger task — single (api.v1.tasks.$taskId.trigger)", () => {
+    const TASK_ID = "test-task";
+    const path = `/api/v1/tasks/${TASK_ID}/trigger`;
+
+    async function seedAndRequest(
+      headers: Record<string, string>,
+      body: unknown = { payload: {} }
+    ) {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", ...headers },
+        body: JSON.stringify(body),
+      });
+      return { res, seed };
+    }
+
+    it("missing auth: 401", async () => {
+      const server = getTestServer();
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ payload: {} }),
+      });
+      expect(res.status).toBe(401);
+    });
+
+    it("private API key: auth passes (handler may 4xx — not 401/403)", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${seed.apiKey}`,
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({ payload: {} }),
+      });
+      // Auth passed; the handler may 404 because the task doesn't
+      // actually exist in the BackgroundWorker. Anything not 401/403
+      // is "auth passed" for this test.
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with write:tasks (type-level, ACTION_ALIASES write→trigger): auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["write:tasks"] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify({ payload: {} }),
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with trigger:tasks:<exact taskId>: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: [`trigger:tasks:${TASK_ID}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify({ payload: {} }),
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with trigger:tasks:<other>: 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: ["trigger:tasks:some-other-task"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify({ payload: {} }),
+      });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT with read:tasks: 403 (read NOT aliased to trigger)", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:tasks"] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify({ payload: {} }),
+      });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT with empty scopes: 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: [] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify({ payload: {} }),
+      });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT signed with wrong key: 401", async () => {
+      const server = getTestServer();
+      const a = await seedTestEnvironment(server.prisma);
+      const b = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: b.apiKey, // wrong key for env A's sub
+        payload: {
+          pub: true,
+          sub: a.environment.id,
+          scopes: [`trigger:tasks:${TASK_ID}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify({ payload: {} }),
+      });
+      expect(res.status).toBe(401);
+    });
+
+    it("JWT with admin super-scope: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["admin"] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify({ payload: {} }),
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+  });
+
+  describe("Trigger task — batch v1 (api.v1.tasks.batch)", () => {
+    const path = "/api/v1/tasks/batch";
+    const buildBody = (taskIds: string[]) => ({
+      items: taskIds.map((task) => ({ task, payload: {} })),
+    });
+
+    it("missing auth: 401", async () => {
+      const server = getTestServer();
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(buildBody(["taskA"])),
+      });
+      expect(res.status).toBe(401);
+    });
+
+    it("private API key: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${seed.apiKey}`,
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify(buildBody(["taskA"])),
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with write:tasks (type-level): auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["write:tasks"] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify(buildBody(["taskA", "taskB"])),
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with batchTrigger:tasks:taskA + body has [taskA, taskB]: 403 (every-task semantics)", async () => {
+      // Batch trigger uses AND semantics — every task in the body must
+      // be authorized, not just any one of them. A JWT scoped to only
+      // taskA cannot submit a batch that also includes taskB, otherwise
+      // the caller would be triggering tasks they have no scope for.
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: ["batchTrigger:tasks:taskA"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify(buildBody(["taskA", "taskB"])),
+      });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT with batchTrigger:tasks:taskA + body has [taskA] only: auth passes", async () => {
+      // Per-task scope grants per-task access — a batch containing
+      // only the authorized task is allowed.
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: ["batchTrigger:tasks:taskA"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify(buildBody(["taskA"])),
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with batchTrigger:tasks:<unrelated> + body has only taskA: 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: ["batchTrigger:tasks:not-in-body"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify(buildBody(["taskA"])),
+      });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT with read:tasks: 403 (action mismatch)", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:tasks"] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify(buildBody(["taskA"])),
+      });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT with admin: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["admin"] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify(buildBody(["taskA"])),
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+  });
+
+  // v2 batch shares the exact same authorization config as v1 — same
+  // body-derived array resource, same batchTrigger action. We don't
+  // duplicate the full matrix here; the v1 tests cover the wrapper
+  // behaviour. If v2's authorization config ever diverges from v1's,
+  // add a targeted test here. For now just sanity-check that the v2
+  // route's wiring is alive.
+  describe("Trigger task — batch v2 (api.v2.tasks.batch) sanity", () => {
+    const path = "/api/v2/tasks/batch";
+
+    it("missing auth: 401", async () => {
+      const server = getTestServer();
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ items: [{ task: "t", payload: {} }] }),
+      });
+      expect(res.status).toBe(401);
+    });
+
+    it("JWT with write:tasks: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["write:tasks"] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify({ items: [{ task: "t", payload: {} }] }),
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+  });
+
+  // v3 batches use a collection-level resource { type: "tasks" } with
+  // no id — items are validated per-row when streamed. So id-specific
+  // scopes (write:tasks:foo) shouldn't grant blanket access; only
+  // type-level write:tasks (or admin/write:all) should.
+  describe("Trigger task — batch v3 (api.v3.batches) collection-level", () => {
+    const path = "/api/v3/batches";
+    const buildBody = () => ({ runCount: 1 });
+
+    it("missing auth: 401", async () => {
+      const server = getTestServer();
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(buildBody()),
+      });
+      expect(res.status).toBe(401);
+    });
+
+    it("JWT with write:tasks (type-level): auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["write:tasks"] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify(buildBody()),
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with read:tasks: 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:tasks"] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify(buildBody()),
+      });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT with admin: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["admin"] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify(buildBody()),
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+  });
+
+  // Run lists (TRI-8736). Two routes share the same multi-key
+  // resource pattern — collection-level `{ type: "runs" }` always
+  // present, plus an array of secondary keys derived from search
+  // params:
+  //   - GET /api/v1/runs: filter[taskIdentifier]=A,B → +{ type: "tasks", id: A }, { type: "tasks", id: B }
+  //   - GET /realtime/v1/runs: ?tags=foo,bar       → +{ type: "tags", id: "foo" }, { type: "tags", id: "bar" }
+  //
+  // Multi-key any-match contract from TRI-8719: a JWT with a scope
+  // matching ANY element of the resource array grants access. So:
+  //   - read:runs                   → matches the collection key  → passes
+  //   - read:tasks:A (with A in filter) → matches an array element → passes
+  //   - read:tasks:Z (with A in filter) → no match                → 403
+  describe("Run list — api.v1.runs (multi-key tasks)", () => {
+    const path = "/api/v1/runs";
+
+    async function get(query: string, headers: Record<string, string>) {
+      return getTestServer().webapp.fetch(`${path}${query}`, { headers });
+    }
+
+    it("missing auth: 401", async () => {
+      const res = await getTestServer().webapp.fetch(path);
+      expect(res.status).toBe(401);
+    });
+
+    // Pass cases on api.v1.runs assert "auth passed" (not 401/403)
+    // rather than strict 200. The handler hits ClickHouse which isn't
+    // reachable from the test container — the endpoint can 500 in
+    // tests even when auth is fine. The auth layer is what we're
+    // verifying here.
+    it("private API key: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const res = await get("", { Authorization: `Bearer ${seed.apiKey}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with read:runs (collection-level): auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await get("", { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with read:all super-scope: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:all"] },
+        expirationTime: "15m",
+      });
+      const res = await get("", { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with admin: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["admin"] },
+        expirationTime: "15m",
+      });
+      const res = await get("", { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with empty scopes: 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: [] },
+        expirationTime: "15m",
+      });
+      const res = await get("", { Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT with write:runs (action mismatch — read route): 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["write:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await get("", { Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+
+    it("filter[taskIdentifier]=task_a,task_b + JWT read:tasks:task_a → passes (array match)", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: ["read:tasks:task_a"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await get(
+        "?filter%5BtaskIdentifier%5D=task_a%2Ctask_b",
+        { Authorization: `Bearer ${jwt}` }
+      );
+      // Resource array is [{type:"runs"}, {type:"tasks",id:"task_a"}, {type:"tasks",id:"task_b"}].
+      // The scope read:tasks:task_a matches the second element → access granted.
+      // Handler may 500 (ClickHouse unreachable in tests) but auth passed.
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("filter[taskIdentifier]=task_a + JWT read:tasks:task_z → 403 (no array match)", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: ["read:tasks:task_z"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await get(
+        "?filter%5BtaskIdentifier%5D=task_a",
+        { Authorization: `Bearer ${jwt}` }
+      );
+      // Resource is [{runs}, {tasks:task_a}]. JWT scope says
+      // read:tasks:task_z which doesn't match the runs collection
+      // (wrong type) or the task_a element (wrong id). 403.
+      expect(res.status).toBe(403);
+    });
+  });
+
+  describe("Run list — realtime.v1.runs (multi-key tags)", () => {
+    const path = "/realtime/v1/runs";
+
+    async function get(query: string, headers: Record<string, string>) {
+      return getTestServer().webapp.fetch(`${path}${query}`, { headers });
+    }
+
+    it("missing auth: 401", async () => {
+      const res = await getTestServer().webapp.fetch(path);
+      expect(res.status).toBe(401);
+    });
+
+    it("JWT with read:runs (collection-level): auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await get("", { Authorization: `Bearer ${jwt}` });
+      // Realtime endpoints stream — the route may return 200 (streaming
+      // OK) or other status codes depending on streams setup. We only
+      // care that auth passed: NOT 401/403.
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with read:tags:foo + ?tags=foo,bar → passes (array match)", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: ["read:tags:foo"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await get("?tags=foo,bar", { Authorization: `Bearer ${jwt}` });
+      // Resource array is [{type:"runs"}, {type:"tags",id:"foo"}, {type:"tags",id:"bar"}].
+      // Scope matches the foo element → access granted.
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with read:tags:baz + ?tags=foo → 403 (no array match)", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: ["read:tags:baz"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await get("?tags=foo", { Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT with admin: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["admin"] },
+        expirationTime: "15m",
+      });
+      const res = await get("", { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with write:runs (action mismatch): 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["write:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await get("", { Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+  });
+
+  // Run mutations (TRI-8735). Two routes:
+  //   - POST /api/v2/runs/:runParam/cancel
+  //       action: write, resource: { type: "runs", id: params.runParam }
+  //       — single id-keyed resource, supports id-specific scopes.
+  //   - POST /api/v1/idempotencyKeys/:key/reset
+  //       action: write, resource: { type: "runs" } (collection-level)
+  //       — id-specific scopes don't grant blanket access; only
+  //       type-level write:runs (or super-scopes) work.
+  //
+  // The legacy idempotencyKeys/:key/reset rejected ALL JWTs due to an
+  // empty-resource bug. Post TRI-8719 the empty-resource resolution
+  // lets write:runs JWTs through. Tests here lock in the new behaviour.
+  describe("Run mutations — cancel (api.v2.runs.$runParam.cancel)", () => {
+    const pathFor = (runId: string) => `/api/v2/runs/${runId}/cancel`;
+    const post = (path: string, headers: Record<string, string>) =>
+      getTestServer().webapp.fetch(path, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", ...headers },
+        body: JSON.stringify({}),
+      });
+
+    it("missing auth: 401", async () => {
+      const res = await post(pathFor("run_anything"), {});
+      expect(res.status).toBe(401);
+    });
+
+    it("invalid API key: 401", async () => {
+      const res = await post(pathFor("run_anything"), {
+        Authorization: "Bearer tr_dev_definitely_not_real_key",
+      });
+      expect(res.status).toBe(401);
+    });
+
+    it("private API key on real run: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const { runFriendlyId } = await seedTestRun(server.prisma, {
+        environmentId: seed.environment.id,
+        projectId: seed.project.id,
+      });
+      const res = await post(pathFor(runFriendlyId), {
+        Authorization: `Bearer ${seed.apiKey}`,
+      });
+      // Auth + findResource passed; handler may return any 2xx/4xx
+      // depending on run state. We only care: not 401/403.
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with write:runs (type-level): auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const { runFriendlyId } = await seedTestRun(server.prisma, {
+        environmentId: seed.environment.id,
+        projectId: seed.project.id,
+      });
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["write:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await post(pathFor(runFriendlyId), {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with write:runs:<exact runId>: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const { runFriendlyId } = await seedTestRun(server.prisma, {
+        environmentId: seed.environment.id,
+        projectId: seed.project.id,
+      });
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: [`write:runs:${runFriendlyId}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await post(pathFor(runFriendlyId), {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with write:runs:<other>: 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const { runFriendlyId } = await seedTestRun(server.prisma, {
+        environmentId: seed.environment.id,
+        projectId: seed.project.id,
+      });
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: ["write:runs:run_someoneelse00000000000"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await post(pathFor(runFriendlyId), {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT with read:runs (action mismatch): 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const { runFriendlyId } = await seedTestRun(server.prisma, {
+        environmentId: seed.environment.id,
+        projectId: seed.project.id,
+      });
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: [`read:runs:${runFriendlyId}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await post(pathFor(runFriendlyId), {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT with write:all super-scope: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const { runFriendlyId } = await seedTestRun(server.prisma, {
+        environmentId: seed.environment.id,
+        projectId: seed.project.id,
+      });
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["write:all"] },
+        expirationTime: "15m",
+      });
+      const res = await post(pathFor(runFriendlyId), {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with admin: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const { runFriendlyId } = await seedTestRun(server.prisma, {
+        environmentId: seed.environment.id,
+        projectId: seed.project.id,
+      });
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["admin"] },
+        expirationTime: "15m",
+      });
+      const res = await post(pathFor(runFriendlyId), {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+  });
+
+  describe("Run mutations — idempotencyKeys.reset (api.v1.idempotencyKeys.$key.reset)", () => {
+    // Collection-level resource { type: "runs" } — id-specific
+    // write:runs:<runId> scopes don't help here (no id to match).
+    // The legacy version of this route rejected ALL JWTs due to an
+    // empty-resource bug; the post-TRI-8719 path lets write:runs
+    // through. Tests below pin that down.
+    const path = "/api/v1/idempotencyKeys/some-key/reset";
+    const validBody = JSON.stringify({ taskIdentifier: "test-task" });
+
+    const post = (headers: Record<string, string>, body = validBody) =>
+      getTestServer().webapp.fetch(path, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", ...headers },
+        body,
+      });
+
+    it("missing auth: 401", async () => {
+      const res = await post({});
+      expect(res.status).toBe(401);
+    });
+
+    it("invalid API key: 401", async () => {
+      const res = await post({ Authorization: "Bearer tr_dev_invalid" });
+      expect(res.status).toBe(401);
+    });
+
+    it("private API key: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const res = await post({ Authorization: `Bearer ${seed.apiKey}` });
+      // Handler may 404/204 depending on whether the idempotency key
+      // exists. Auth-passed assertion only.
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with write:runs (type-level): auth passes — locks in TRI-8719 fix", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["write:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await post({ Authorization: `Bearer ${jwt}` });
+      // PRE-TRI-8719: this returned 403 (legacy empty-resource bug
+      // rejected all JWTs). POST-TRI-8719: write:runs grants access.
+      // Locking in the new behaviour.
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with read:runs (action mismatch): 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await post({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT with write:all: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["write:all"] },
+        expirationTime: "15m",
+      });
+      const res = await post({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT with admin: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["admin"] },
+        expirationTime: "15m",
+      });
+      const res = await post({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+  });
+
+  // Run resource routes (TRI-8734). Every read-side `$runId` route
+  // computes its authorization resource from the loaded TaskRun:
+  //   [
+  //     { type: "runs", id: run.friendlyId },
+  //     { type: "tasks", id: run.taskIdentifier },
+  //     ...run.runTags.map(tag => ({ type: "tags", id: tag })),
+  //     run.batch?.friendlyId && { type: "batch", id: run.batch.friendlyId },
+  //   ]
+  //
+  // A JWT scope matching ANY array element grants access. We test the
+  // full matrix against the canonical route (api.v3.runs.$runId), and
+  // a sanity check on one of the others to confirm the wiring isn't
+  // route-local. If a future route's resource shape diverges, add a
+  // targeted describe.
+  describe("Run resource — GET /api/v3/runs/:runId (multi-key array)", () => {
+    const pathFor = (runId: string) => `/api/v3/runs/${runId}`;
+
+    async function seedRunWithBatchAndTags() {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const seeded = await seedTestRun(server.prisma, {
+        environmentId: seed.environment.id,
+        projectId: seed.project.id,
+        runTags: ["alpha", "beta"],
+        withBatch: true,
+      });
+      return { ...seed, ...seeded };
+    }
+
+    const get = (path: string, headers: Record<string, string>) =>
+      getTestServer().webapp.fetch(path, { headers });
+
+    it("missing auth: 401", async () => {
+      const res = await get(pathFor("run_anything"), {});
+      expect(res.status).toBe(401);
+    });
+
+    it("invalid API key: 401", async () => {
+      const res = await get(pathFor("run_anything"), {
+        Authorization: "Bearer tr_dev_invalid",
+      });
+      expect(res.status).toBe(401);
+    });
+
+    it("private API key on real run: auth passes", async () => {
+      const { runFriendlyId, apiKey } = await seedRunWithBatchAndTags();
+      const res = await get(pathFor(runFriendlyId), {
+        Authorization: `Bearer ${apiKey}`,
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:runs (type-level): auth passes", async () => {
+      const { runFriendlyId, apiKey, environment } = await seedRunWithBatchAndTags();
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: { pub: true, sub: environment.id, scopes: ["read:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(runFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:runs:<exact friendlyId>: auth passes (id match)", async () => {
+      const { runFriendlyId, apiKey, environment } = await seedRunWithBatchAndTags();
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: {
+          pub: true,
+          sub: environment.id,
+          scopes: [`read:runs:${runFriendlyId}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(runFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:runs:<other>: 403", async () => {
+      const { runFriendlyId, apiKey, environment } = await seedRunWithBatchAndTags();
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: {
+          pub: true,
+          sub: environment.id,
+          scopes: ["read:runs:run_someoneelse00000000000"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(runFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT read:tags:<tag the run has>: auth passes (array element match)", async () => {
+      const { runFriendlyId, apiKey, environment } = await seedRunWithBatchAndTags();
+      // run was seeded with runTags=["alpha","beta"]; scope matches "alpha".
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: { pub: true, sub: environment.id, scopes: ["read:tags:alpha"] },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(runFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:tags:<tag the run does not have>: 403", async () => {
+      const { runFriendlyId, apiKey, environment } = await seedRunWithBatchAndTags();
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: { pub: true, sub: environment.id, scopes: ["read:tags:gamma"] },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(runFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT read:batch:<run's batchFriendlyId>: auth passes", async () => {
+      const { runFriendlyId, batchFriendlyId, apiKey, environment } =
+        await seedRunWithBatchAndTags();
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: {
+          pub: true,
+          sub: environment.id,
+          scopes: [`read:batch:${batchFriendlyId}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(runFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:batch:<other>: 403", async () => {
+      const { runFriendlyId, apiKey, environment } = await seedRunWithBatchAndTags();
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: {
+          pub: true,
+          sub: environment.id,
+          scopes: ["read:batch:batch_someoneelse00000000"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(runFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT read:tasks:<run's taskIdentifier>: auth passes", async () => {
+      const { runFriendlyId, apiKey, environment } = await seedRunWithBatchAndTags();
+      // seedTestRun uses taskIdentifier "test-task" by default.
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: { pub: true, sub: environment.id, scopes: ["read:tasks:test-task"] },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(runFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:all: auth passes", async () => {
+      const { runFriendlyId, apiKey, environment } = await seedRunWithBatchAndTags();
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: { pub: true, sub: environment.id, scopes: ["read:all"] },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(runFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT admin: auth passes", async () => {
+      const { runFriendlyId, apiKey, environment } = await seedRunWithBatchAndTags();
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: { pub: true, sub: environment.id, scopes: ["admin"] },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(runFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT write:runs:<friendlyId>: 403 (action mismatch — read route)", async () => {
+      const { runFriendlyId, apiKey, environment } = await seedRunWithBatchAndTags();
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: {
+          pub: true,
+          sub: environment.id,
+          scopes: [`write:runs:${runFriendlyId}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(runFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+
+    it("cross-env: env A's JWT cannot read env B's run: not 200", async () => {
+      const server = getTestServer();
+      const a = await seedTestEnvironment(server.prisma);
+      const b = await seedRunWithBatchAndTags();
+      const jwt = await generateJWT({
+        secretKey: a.apiKey,
+        payload: {
+          pub: true,
+          sub: a.environment.id,
+          scopes: [`read:runs:${b.runFriendlyId}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(b.runFriendlyId), { Authorization: `Bearer ${jwt}` });
+      // Either auth fails or the run lookup misses (env A's view of
+      // the run doesn't include env B's data). Critical: NOT 200.
+      expect(res.status).not.toBe(200);
+    });
+  });
+
+  // Sanity check: same multi-key pattern wired the same way on the
+  // events sub-route. If this drifts in the future the divergence
+  // gets a dedicated describe.
+  describe("Run resource — GET /api/v1/runs/:runId/events (sanity)", () => {
+    const pathFor = (runId: string) => `/api/v1/runs/${runId}/events`;
+
+    it("missing auth: 401", async () => {
+      const res = await getTestServer().webapp.fetch(pathFor("run_anything"));
+      expect(res.status).toBe(401);
+    });
+
+    it("JWT read:runs (type-level): auth passes on a real run", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const { runFriendlyId } = await seedTestRun(server.prisma, {
+        environmentId: seed.environment.id,
+        projectId: seed.project.id,
+      });
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await getTestServer().webapp.fetch(pathFor(runFriendlyId), {
+        headers: { Authorization: `Bearer ${jwt}` },
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+  });
+
+  // Batch resources (TRI-8737). Per-batch retrieve + realtime
+  // endpoints — single-id resource `{ type: "batch", id: batch.friendlyId }`.
+  // The list endpoint (`GET /api/v1/batches`) is currently absent
+  // from this branch (deleted in s3-switchover), so the list-
+  // section of the matrix is N/A here. If/when the list endpoint
+  // returns, add a list-side describe.
+  //
+  // Notable behaviour: the route's resource is `{ type: "batch" }`,
+  // NOT `{ type: "runs" }`. The legacy literal-match escape that
+  // let `read:runs` JWTs hit batch endpoints no longer applies.
+  // Tests pin this down (a `read:runs` scope on a `{ type: "batch" }`
+  // resource is a type mismatch → 403).
+  describe("Batch retrieve — GET /api/v1/batches/:batchId", () => {
+    const pathFor = (batchId: string) => `/api/v1/batches/${batchId}`;
+
+    async function seedRunWithBatch() {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const seeded = await seedTestRun(server.prisma, {
+        environmentId: seed.environment.id,
+        projectId: seed.project.id,
+        withBatch: true,
+      });
+      // batchFriendlyId is guaranteed when withBatch is set.
+      if (!seeded.batchFriendlyId) {
+        throw new Error("seedTestRun({ withBatch: true }) didn't return a batchFriendlyId");
+      }
+      return { ...seed, batchFriendlyId: seeded.batchFriendlyId };
+    }
+
+    const get = (path: string, headers: Record<string, string>) =>
+      getTestServer().webapp.fetch(path, { headers });
+
+    it("missing auth: 401", async () => {
+      const res = await get(pathFor("batch_anything"), {});
+      expect(res.status).toBe(401);
+    });
+
+    it("invalid API key: 401", async () => {
+      const res = await get(pathFor("batch_anything"), {
+        Authorization: "Bearer tr_dev_invalid",
+      });
+      expect(res.status).toBe(401);
+    });
+
+    it("private API key on real batch: auth passes", async () => {
+      const { batchFriendlyId, apiKey } = await seedRunWithBatch();
+      const res = await get(pathFor(batchFriendlyId), {
+        Authorization: `Bearer ${apiKey}`,
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:batch:<friendlyId> matching: auth passes", async () => {
+      const { batchFriendlyId, apiKey, environment } = await seedRunWithBatch();
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: {
+          pub: true,
+          sub: environment.id,
+          scopes: [`read:batch:${batchFriendlyId}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(batchFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:batch:<other>: 403", async () => {
+      const { batchFriendlyId, apiKey, environment } = await seedRunWithBatch();
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: {
+          pub: true,
+          sub: environment.id,
+          scopes: ["read:batch:batch_someoneelse00000000"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(batchFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT read:batch (type-level): auth passes", async () => {
+      const { batchFriendlyId, apiKey, environment } = await seedRunWithBatch();
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: { pub: true, sub: environment.id, scopes: ["read:batch"] },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(batchFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:runs: auth passes (backwards-compat for legacy SDKs)", async () => {
+      const { batchFriendlyId, apiKey, environment } = await seedRunWithBatch();
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: { pub: true, sub: environment.id, scopes: ["read:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(batchFriendlyId), { Authorization: `Bearer ${jwt}` });
+      // Pre-RBAC the batch-retrieve route's superScopes included
+      // `read:runs`, so JWTs minted with read:runs could read batches.
+      // The post-migration backwards-compat fix adds a `{type: "runs"}`
+      // element to the route's anyResource(...) list so those
+      // SDK-issued JWTs in the wild keep working — avoids a silent
+      // 401/403 regression for callers we never told to switch scopes.
+      // Per-id `read:batch:<id>` and type-level `read:batch` still
+      // grant via the route's first resource element.
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:all super-scope: auth passes", async () => {
+      const { batchFriendlyId, apiKey, environment } = await seedRunWithBatch();
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: { pub: true, sub: environment.id, scopes: ["read:all"] },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(batchFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT admin: auth passes", async () => {
+      const { batchFriendlyId, apiKey, environment } = await seedRunWithBatch();
+      const jwt = await generateJWT({
+        secretKey: apiKey,
+        payload: { pub: true, sub: environment.id, scopes: ["admin"] },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(batchFriendlyId), { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("cross-env: env A's JWT cannot read env B's batch: not 200", async () => {
+      const server = getTestServer();
+      const a = await seedTestEnvironment(server.prisma);
+      const b = await seedRunWithBatch();
+      const jwt = await generateJWT({
+        secretKey: a.apiKey,
+        payload: {
+          pub: true,
+          sub: a.environment.id,
+          scopes: [`read:batch:${b.batchFriendlyId}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await get(pathFor(b.batchFriendlyId), { Authorization: `Bearer ${jwt}` });
+      // Critical: env A's JWT can't see env B's batch (env-scoped
+      // findResource returns null). NOT 200.
+      expect(res.status).not.toBe(200);
+    });
+  });
+
+  // Sanity: api.v2 and realtime.v1 share the exact same authorization
+  // config as v1. Don't duplicate the full matrix; just verify the
+  // wiring is alive on each.
+  describe("Batch retrieve — GET /api/v2/batches/:batchId (sanity)", () => {
+    it("missing auth: 401", async () => {
+      const res = await getTestServer().webapp.fetch("/api/v2/batches/batch_anything");
+      expect(res.status).toBe(401);
+    });
+
+    it("JWT read:batch (type-level): auth passes on real batch", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const seeded = await seedTestRun(server.prisma, {
+        environmentId: seed.environment.id,
+        projectId: seed.project.id,
+        withBatch: true,
+      });
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:batch"] },
+        expirationTime: "15m",
+      });
+      const res = await getTestServer().webapp.fetch(
+        `/api/v2/batches/${seeded.batchFriendlyId}`,
+        { headers: { Authorization: `Bearer ${jwt}` } }
+      );
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+  });
+
+  // Prompts routes (TRI-8738). Resource shapes:
+  //   - List       resource: { type: "prompts", id: "all" }      action: read
+  //   - Retrieve   resource: { type: "prompts", id: params.slug } action: read
+  //   - Override   resource: { type: "prompts", id: params.slug } action: update
+  //                (multi-method: POST/PUT/PATCH/DELETE)
+  //   - Promote    resource: { type: "prompts", id: params.slug } action: update
+  //   - Reactivate resource: { type: "prompts", id: params.slug } action: update
+  //
+  // ACTION_ALIASES: update ← write, so write:prompts also satisfies
+  // the update-action routes.
+  //
+  // Auth happens before any DB lookup, so we test against
+  // non-existent slugs — handler will 404 but we assert "not 401/403"
+  // for pass cases.
+  describe("Prompts list — GET /api/v1/prompts (collection-level)", () => {
+    const path = "/api/v1/prompts";
+    const get = (headers: Record<string, string>) =>
+      getTestServer().webapp.fetch(path, { headers });
+
+    it("missing auth: 401", async () => {
+      const res = await getTestServer().webapp.fetch(path);
+      expect(res.status).toBe(401);
+    });
+
+    it("private API key: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const res = await get({ Authorization: `Bearer ${seed.apiKey}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:prompts (type-level): auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:prompts"] },
+        expirationTime: "15m",
+      });
+      const res = await get({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:runs: 403 (type mismatch)", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await get({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT admin: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["admin"] },
+        expirationTime: "15m",
+      });
+      const res = await get({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+  });
+
+  describe("Prompts retrieve — GET /api/v1/prompts/:slug (id-keyed read)", () => {
+    const SLUG = "test-prompt";
+    const path = `/api/v1/prompts/${SLUG}`;
+    const get = (headers: Record<string, string>) =>
+      getTestServer().webapp.fetch(path, { headers });
+
+    it("missing auth: 401", async () => {
+      const res = await getTestServer().webapp.fetch(path);
+      expect(res.status).toBe(401);
+    });
+
+    it("private API key: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const res = await get({ Authorization: `Bearer ${seed.apiKey}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:prompts (type-level): auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:prompts"] },
+        expirationTime: "15m",
+      });
+      const res = await get({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:prompts:<exact slug>: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: [`read:prompts:${SLUG}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await get({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:prompts:<other>: not 200 (no access)", async () => {
+      // Note: the prompts retrieve route has a findResource callback
+      // that runs BEFORE authorization. Since we don't seed a Prompt
+      // fixture, the route 404s before reaching the auth check —
+      // assert "not 200" to capture the no-access semantic without
+      // depending on whether the guard that fires first is auth (403)
+      // or findResource (404). Both block the user.
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: ["read:prompts:some-other-slug"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await get({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(200);
+    });
+
+    it("JWT read:runs: not 200 (type mismatch — no access)", async () => {
+      // Same caveat as above re: findResource ordering.
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await get({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(200);
+    });
+
+    it("JWT admin: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["admin"] },
+        expirationTime: "15m",
+      });
+      const res = await get({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+  });
+
+  describe("Prompts override — POST /api/v1/prompts/:slug/override (update action)", () => {
+    const SLUG = "test-prompt";
+    const path = `/api/v1/prompts/${SLUG}/override`;
+    const post = (headers: Record<string, string>) =>
+      getTestServer().webapp.fetch(path, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", ...headers },
+        body: JSON.stringify({ content: "test" }),
+      });
+
+    it("missing auth: 401", async () => {
+      const res = await post({});
+      expect(res.status).toBe(401);
+    });
+
+    it("JWT write:prompts:<slug> matching (ACTION_ALIASES write→update): passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: [`write:prompts:${SLUG}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await post({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT write:prompts (type-level): passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["write:prompts"] },
+        expirationTime: "15m",
+      });
+      const res = await post({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:prompts: 403 (action mismatch — read NOT aliased to update)", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: [`read:prompts:${SLUG}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await post({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT write:prompts:<other>: 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: ["write:prompts:some-other-slug"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await post({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT admin: passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["admin"] },
+        expirationTime: "15m",
+      });
+      const res = await post({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+  });
+
+  describe("Prompts promote/reactivate (sanity, update action)", () => {
+    it("promote: JWT write:prompts (type-level): auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["write:prompts"] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch("/api/v1/prompts/some-slug/promote", {
+        method: "POST",
+        headers: { "Content-Type": "application/json", Authorization: `Bearer ${jwt}` },
+        body: JSON.stringify({}),
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("reactivate: JWT read:prompts: 403 (action mismatch)", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:prompts"] },
+        expirationTime: "15m",
+      });
+      // Body must satisfy the route's schema ({ version: positive int })
+      // — otherwise body validation 400s before authorization runs.
+      const res = await server.webapp.fetch(
+        "/api/v1/prompts/some-slug/override/reactivate",
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json", Authorization: `Bearer ${jwt}` },
+          body: JSON.stringify({ version: 1 }),
+        }
+      );
+      expect(res.status).toBe(403);
+    });
+  });
+
+  // Deployments + query routes (TRI-8739). Read-only family with
+  // distinct resource types per route:
+  //   - GET /api/v1/deployments         { type: "deployments", id: "list" }
+  //   - GET /api/v1/query/schema        { type: "query", id: "schema" }
+  //   - GET /api/v1/query/dashboards    { type: "query", id: "dashboards" }
+  //   - POST /api/v1/query              body-derived: detectTables(query) →
+  //                                     [{ type: "query", id }] or
+  //                                     { type: "query", id: "all" } if none
+  describe("Deployments list — GET /api/v1/deployments", () => {
+    const path = "/api/v1/deployments";
+    const get = (headers: Record<string, string>) =>
+      getTestServer().webapp.fetch(path, { headers });
+
+    it("missing auth: 401", async () => {
+      const res = await getTestServer().webapp.fetch(path);
+      expect(res.status).toBe(401);
+    });
+
+    it("private API key: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const res = await get({ Authorization: `Bearer ${seed.apiKey}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:deployments: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:deployments"] },
+        expirationTime: "15m",
+      });
+      const res = await get({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:all: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:all"] },
+        expirationTime: "15m",
+      });
+      const res = await get({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT admin: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["admin"] },
+        expirationTime: "15m",
+      });
+      const res = await get({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:runs (type mismatch): 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await get({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT write:deployments (action mismatch — read route): 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["write:deployments"] },
+        expirationTime: "15m",
+      });
+      const res = await get({ Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+  });
+
+  describe("Query schema — GET /api/v1/query/schema (sanity)", () => {
+    const path = "/api/v1/query/schema";
+
+    it("missing auth: 401", async () => {
+      const res = await getTestServer().webapp.fetch(path);
+      expect(res.status).toBe(401);
+    });
+
+    it("JWT read:query (type-level): auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:query"] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        headers: { Authorization: `Bearer ${jwt}` },
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT read:deployments (type mismatch): 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:deployments"] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        headers: { Authorization: `Bearer ${jwt}` },
+      });
+      expect(res.status).toBe(403);
+    });
+  });
+
+  describe("Query dashboards — GET /api/v1/query/dashboards (sanity)", () => {
+    const path = "/api/v1/query/dashboards";
+
+    it("missing auth: 401", async () => {
+      const res = await getTestServer().webapp.fetch(path);
+      expect(res.status).toBe(401);
+    });
+
+    it("JWT read:query: auth passes", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:query"] },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        headers: { Authorization: `Bearer ${jwt}` },
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+  });
+
+  describe("Query ad-hoc — POST /api/v1/query (body-derived resource)", () => {
+    const path = "/api/v1/query";
+    const post = (body: object, headers: Record<string, string>) =>
+      getTestServer().webapp.fetch(path, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", ...headers },
+        body: JSON.stringify(body),
+      });
+
+    it("missing auth: 401", async () => {
+      const res = await post({ query: "SELECT * FROM runs" }, {});
+      expect(res.status).toBe(401);
+    });
+
+    it("body with table 'runs' + JWT read:query:runs: auth passes (any-match)", async () => {
+      // detectTables pulls 'runs' from FROM-clause. Resource becomes
+      // [{ type: "query", id: "runs" }]. Scope read:query:runs matches.
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:query:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await post({ query: "SELECT * FROM runs" }, {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("body with no detectable tables (defaults id='all') + JWT read:query: auth passes", async () => {
+      // A query with no FROM clause → detectTables returns [] →
+      // resource is { type: "query", id: "all" }. Type-level read:query
+      // matches.
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:query"] },
+        expirationTime: "15m",
+      });
+      const res = await post({ query: "SELECT 1" }, { Authorization: `Bearer ${jwt}` });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("multi-table body + JWT scoped to only one of them: 403 (every-table semantics)", async () => {
+      // detectTables matches `\bFROM\s+<name>\b` per query-schema, so
+      // a query with two FROM clauses (e.g. UNION) yields a multi-
+      // entry resource list. The route wraps it in everyResource so
+      // AND semantics apply: a JWT scoped to one detected table
+      // cannot submit a query that also reads the other.
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["read:query:runs"] },
+        expirationTime: "15m",
+      });
+      const res = await post(
+        {
+          query:
+            "SELECT count() FROM runs UNION ALL SELECT count() FROM metrics",
+        },
+        { Authorization: `Bearer ${jwt}` }
+      );
+      expect(res.status).toBe(403);
+    });
+
+    it("multi-table body + JWT scoped to all detected tables: auth passes", async () => {
+      // Companion to the every-table 403 above — when the JWT covers
+      // every detected table the AND-check passes.
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: ["read:query:runs", "read:query:metrics"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await post(
+        {
+          query:
+            "SELECT count() FROM runs UNION ALL SELECT count() FROM metrics",
+        },
+        { Authorization: `Bearer ${jwt}` }
+      );
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("body with table 'runs' + JWT read:query:other_table: 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: ["read:query:other_table"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await post({ query: "SELECT * FROM runs" }, {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT admin: auth passes regardless of body", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["admin"] },
+        expirationTime: "15m",
+      });
+      const res = await post({ query: "SELECT * FROM runs" }, {
+        Authorization: `Bearer ${jwt}`,
+      });
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+
+    it("JWT write:query (action mismatch): 403", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: { pub: true, sub: seed.environment.id, scopes: ["write:query"] },
+        expirationTime: "15m",
+      });
+      const res = await post({ query: "SELECT 1" }, { Authorization: `Bearer ${jwt}` });
+      expect(res.status).toBe(403);
+    });
+  });
+
+  describe("Batch retrieve — GET /realtime/v1/batches/:batchId (sanity)", () => {
+    it("missing auth: 401", async () => {
+      const res = await getTestServer().webapp.fetch("/realtime/v1/batches/batch_anything");
+      expect(res.status).toBe(401);
+    });
+
+    it("JWT read:batch:<friendlyId>: auth passes on real batch", async () => {
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const seeded = await seedTestRun(server.prisma, {
+        environmentId: seed.environment.id,
+        projectId: seed.project.id,
+        withBatch: true,
+      });
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: [`read:batch:${seeded.batchFriendlyId}`],
+        },
+        expirationTime: "15m",
+      });
+      const res = await getTestServer().webapp.fetch(
+        `/realtime/v1/batches/${seeded.batchFriendlyId}`,
+        { headers: { Authorization: `Bearer ${jwt}` } }
+      );
+      expect(res.status).not.toBe(401);
+      expect(res.status).not.toBe(403);
+    });
+  });
+
+  // Sessions — JWT scope matrix.
+  //
+  // The session routes were authored against the pre-RBAC apiBuilder
+  // and used the legacy `superScopes: [...]` field to whitelist broad
+  // access. After TRI-8719 superScopes is dead code; the equivalent
+  // bypass is expressed via:
+  //   - multi-key resource arrays (one element per addressable key,
+  //     plus a collection-level `{ type: "sessions" }` for type-only
+  //     scopes)
+  //   - the JWT ability's `*:all` and `admin*` wildcard branches
+  //
+  // These tests lock in that the migration's "no JWT regresses"
+  // promise holds for sessions. Each historical superScope becomes a
+  // positive test, and per-task narrowing gets negative coverage.
+  describe("Sessions — JWT scope matrix", () => {
+    // ---- List sessions: GET /api/v1/sessions
+    //
+    // Resource: [{ type: "tasks", id: <filter> } per filter id, { type: "sessions" }]
+    // Old superScopes: ["read:sessions", "read:all", "admin"]
+    describe("List sessions — GET /api/v1/sessions", () => {
+      const path = (taskFilter?: string) =>
+        taskFilter
+          ? `/api/v1/sessions?filter[taskIdentifier]=${taskFilter}`
+          : "/api/v1/sessions";
+
+      const fetchWithJwt = async (jwt: string, taskFilter?: string) =>
+        getTestServer().webapp.fetch(path(taskFilter), {
+          headers: { Authorization: `Bearer ${jwt}` },
+        });
+
+      const mintJwt = async (apiKey: string, envId: string, scopes: string[]) =>
+        generateJWT({
+          secretKey: apiKey,
+          payload: { pub: true, sub: envId, scopes },
+          expirationTime: "15m",
+        });
+
+      // The handler reads from ClickHouse via SessionsRepository, which
+      // isn't wired up in the e2e webapp container — so successful auth
+      // surfaces as 5xx after the handler errors. Assert "not 401, not
+      // 403" rather than 200 for the auth-passes paths.
+
+      it("read:tasks:foo on filter=foo: auth passes", async () => {
+        const seed = await seedTestEnvironment(getTestServer().prisma);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "read:tasks:foo",
+        ]);
+        const res = await fetchWithJwt(jwt, "foo");
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("read:tasks:bar on filter=foo: 403 (per-task narrowing)", async () => {
+        const seed = await seedTestEnvironment(getTestServer().prisma);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "read:tasks:bar",
+        ]);
+        const res = await fetchWithJwt(jwt, "foo");
+        expect(res.status).toBe(403);
+      });
+
+      it("read:sessions on filter=foo: auth passes (was a superScope)", async () => {
+        const seed = await seedTestEnvironment(getTestServer().prisma);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "read:sessions",
+        ]);
+        const res = await fetchWithJwt(jwt, "foo");
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("read:sessions on no-filter list: auth passes", async () => {
+        const seed = await seedTestEnvironment(getTestServer().prisma);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "read:sessions",
+        ]);
+        const res = await fetchWithJwt(jwt);
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("read:all: auth passes (was a superScope)", async () => {
+        const seed = await seedTestEnvironment(getTestServer().prisma);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, ["read:all"]);
+        const res = await fetchWithJwt(jwt, "foo");
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("admin: auth passes (was a superScope)", async () => {
+        const seed = await seedTestEnvironment(getTestServer().prisma);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, ["admin"]);
+        const res = await fetchWithJwt(jwt, "foo");
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("read:tasks (type-only) on no-filter list: 403 (filter is sessions, not tasks)", async () => {
+        // No filter → resource is `{ type: "sessions" }` only. read:tasks
+        // doesn't match the sessions type, so 403 — explicit narrowing.
+        const seed = await seedTestEnvironment(getTestServer().prisma);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "read:tasks",
+        ]);
+        const res = await fetchWithJwt(jwt);
+        expect(res.status).toBe(403);
+      });
+
+      it("write:tasks:foo (wrong action) on filter=foo: 403", async () => {
+        const seed = await seedTestEnvironment(getTestServer().prisma);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "write:tasks:foo",
+        ]);
+        const res = await fetchWithJwt(jwt, "foo");
+        expect(res.status).toBe(403);
+      });
+    });
+
+    // ---- Create session: POST /api/v1/sessions
+    //
+    // Resource: [{ type: "tasks", id: body.taskIdentifier }, { type: "sessions" }]
+    // Old superScopes: ["write:sessions", "admin"]
+    describe("Create session — POST /api/v1/sessions", () => {
+      const path = "/api/v1/sessions";
+
+      const post = async (jwt: string, taskIdentifier: string) =>
+        getTestServer().webapp.fetch(path, {
+          method: "POST",
+          headers: {
+            Authorization: `Bearer ${jwt}`,
+            "Content-Type": "application/json",
+          },
+          body: JSON.stringify({
+            type: "chat.agent",
+            taskIdentifier,
+            triggerConfig: { basePayload: {} },
+          }),
+        });
+
+      const mintJwt = async (apiKey: string, envId: string, scopes: string[]) =>
+        generateJWT({
+          secretKey: apiKey,
+          payload: { pub: true, sub: envId, scopes },
+          expirationTime: "15m",
+        });
+
+      it("write:tasks:foo matching body: auth passes", async () => {
+        const seed = await seedTestEnvironment(getTestServer().prisma);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "write:tasks:foo",
+        ]);
+        const res = await post(jwt, "foo");
+        // Body validation / handler can fail later (404 if task is
+        // missing, 400 for invalid body) — we only care that auth
+        // didn't reject.
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("write:tasks:bar mismatching body: 403", async () => {
+        const seed = await seedTestEnvironment(getTestServer().prisma);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "write:tasks:bar",
+        ]);
+        const res = await post(jwt, "foo");
+        expect(res.status).toBe(403);
+      });
+
+      it("write:sessions: auth passes (was a superScope)", async () => {
+        const seed = await seedTestEnvironment(getTestServer().prisma);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "write:sessions",
+        ]);
+        const res = await post(jwt, "foo");
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("write:all: auth passes", async () => {
+        const seed = await seedTestEnvironment(getTestServer().prisma);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, ["write:all"]);
+        const res = await post(jwt, "foo");
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("admin: auth passes", async () => {
+        const seed = await seedTestEnvironment(getTestServer().prisma);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, ["admin"]);
+        const res = await post(jwt, "foo");
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("read:tasks:foo (wrong action): 403", async () => {
+        const seed = await seedTestEnvironment(getTestServer().prisma);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "read:tasks:foo",
+        ]);
+        const res = await post(jwt, "foo");
+        expect(res.status).toBe(403);
+      });
+    });
+
+    // ---- Retrieve session: GET /api/v1/sessions/:session
+    //
+    // Resource: multi-key array of `{ type: "sessions", id }` entries
+    // for friendlyId and externalId (when set).
+    // Old superScopes: ["read:sessions", "read:all", "admin"]
+    describe("Retrieve session — GET /api/v1/sessions/:session", () => {
+      const get = async (sessionParam: string, jwt: string) =>
+        getTestServer().webapp.fetch(`/api/v1/sessions/${sessionParam}`, {
+          headers: { Authorization: `Bearer ${jwt}` },
+        });
+
+      const mintJwt = async (apiKey: string, envId: string, scopes: string[]) =>
+        generateJWT({
+          secretKey: apiKey,
+          payload: { pub: true, sub: envId, scopes },
+          expirationTime: "15m",
+        });
+
+      it("read:sessions:<friendlyId>: 200", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          `read:sessions:${session.friendlyId}`,
+        ]);
+        const res = await get(session.friendlyId, jwt);
+        expect(res.status).toBe(200);
+      });
+
+      it("read:sessions:<externalId> on externalId URL form: 200 (multi-key)", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          `read:sessions:${session.externalId}`,
+        ]);
+        const res = await get(session.externalId!, jwt);
+        expect(res.status).toBe(200);
+      });
+
+      it("read:sessions (type-only): 200", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "read:sessions",
+        ]);
+        const res = await get(session.friendlyId, jwt);
+        expect(res.status).toBe(200);
+      });
+
+      it("read:sessions:other (non-matching id): 403", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "read:sessions:not-this-session",
+        ]);
+        const res = await get(session.friendlyId, jwt);
+        expect(res.status).toBe(403);
+      });
+    });
+
+    // ---- Update session: PATCH /api/v1/sessions/:session
+    //
+    // action: "admin" — only admin-tier scopes (or wildcards) satisfy.
+    // Old superScopes: ["admin:sessions", "admin:all", "admin"]
+    describe("Update session — PATCH /api/v1/sessions/:session", () => {
+      const patch = async (sessionParam: string, jwt: string) =>
+        getTestServer().webapp.fetch(`/api/v1/sessions/${sessionParam}`, {
+          method: "PATCH",
+          headers: {
+            Authorization: `Bearer ${jwt}`,
+            "Content-Type": "application/json",
+          },
+          body: JSON.stringify({ tags: ["updated"] }),
+        });
+
+      const mintJwt = async (apiKey: string, envId: string, scopes: string[]) =>
+        generateJWT({
+          secretKey: apiKey,
+          payload: { pub: true, sub: envId, scopes },
+          expirationTime: "15m",
+        });
+
+      it("admin:sessions:<friendlyId>: 200", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          `admin:sessions:${session.friendlyId}`,
+        ]);
+        const res = await patch(session.friendlyId, jwt);
+        expect(res.status).toBe(200);
+      });
+
+      it("admin:sessions (type-only): 200", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "admin:sessions",
+        ]);
+        const res = await patch(session.friendlyId, jwt);
+        expect(res.status).toBe(200);
+      });
+
+      it("admin:all: 200", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, ["admin:all"]);
+        const res = await patch(session.friendlyId, jwt);
+        expect(res.status).toBe(200);
+      });
+
+      it("admin (bare): 200", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, ["admin"]);
+        const res = await patch(session.friendlyId, jwt);
+        expect(res.status).toBe(200);
+      });
+
+      it("write:sessions (wrong action — admin not aliased from write): 403", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "write:sessions",
+        ]);
+        const res = await patch(session.friendlyId, jwt);
+        expect(res.status).toBe(403);
+      });
+    });
+
+    // ---- Close session: POST /api/v1/sessions/:session/close
+    //
+    // action: "admin" — same matrix as PATCH.
+    describe("Close session — POST /api/v1/sessions/:session/close", () => {
+      const close = async (sessionParam: string, jwt: string) =>
+        getTestServer().webapp.fetch(
+          `/api/v1/sessions/${sessionParam}/close`,
+          {
+            method: "POST",
+            headers: {
+              Authorization: `Bearer ${jwt}`,
+              "Content-Type": "application/json",
+            },
+            body: JSON.stringify({ reason: "test" }),
+          }
+        );
+
+      const mintJwt = async (apiKey: string, envId: string, scopes: string[]) =>
+        generateJWT({
+          secretKey: apiKey,
+          payload: { pub: true, sub: envId, scopes },
+          expirationTime: "15m",
+        });
+
+      it("admin:sessions: auth passes", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "admin:sessions",
+        ]);
+        const res = await close(session.friendlyId, jwt);
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("admin: auth passes", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, ["admin"]);
+        const res = await close(session.friendlyId, jwt);
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("write:sessions: 403 (admin action)", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "write:sessions",
+        ]);
+        const res = await close(session.friendlyId, jwt);
+        expect(res.status).toBe(403);
+      });
+    });
+
+    // ---- End-and-continue: POST /api/v1/sessions/:session/end-and-continue
+    //
+    // action: "write" — multi-key sessions resource.
+    describe("End-and-continue — POST /api/v1/sessions/:session/end-and-continue", () => {
+      const endAndContinue = async (sessionParam: string, jwt: string) =>
+        getTestServer().webapp.fetch(
+          `/api/v1/sessions/${sessionParam}/end-and-continue`,
+          {
+            method: "POST",
+            headers: {
+              Authorization: `Bearer ${jwt}`,
+              "Content-Type": "application/json",
+            },
+            // Body shape doesn't matter for auth — handler runs after
+            // the auth check so any 4xx here means auth passed.
+            body: JSON.stringify({
+              reason: "test",
+              callingRunId: "run_does_not_exist",
+            }),
+          }
+        );
+
+      const mintJwt = async (apiKey: string, envId: string, scopes: string[]) =>
+        generateJWT({
+          secretKey: apiKey,
+          payload: { pub: true, sub: envId, scopes },
+          expirationTime: "15m",
+        });
+
+      it("write:sessions: auth passes (was a superScope)", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "write:sessions",
+        ]);
+        const res = await endAndContinue(session.friendlyId, jwt);
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("write:all: auth passes", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, ["write:all"]);
+        const res = await endAndContinue(session.friendlyId, jwt);
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("read:sessions (wrong action): 403", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "read:sessions",
+        ]);
+        const res = await endAndContinue(session.friendlyId, jwt);
+        expect(res.status).toBe(403);
+      });
+    });
+
+    // ---- Realtime IO: GET (subscribe) and PUT (initialize)
+    //
+    // Both go through createLoaderApiRoute / createActionApiRoute — same
+    // multi-key sessions resource. No deep matrix here; one positive
+    // test per old superScope per method is enough.
+    describe("Realtime IO — /realtime/v1/sessions/:session/:io", () => {
+      const ioPath = (sessionParam: string) =>
+        `/realtime/v1/sessions/${sessionParam}/in`;
+
+      const mintJwt = async (apiKey: string, envId: string, scopes: string[]) =>
+        generateJWT({
+          secretKey: apiKey,
+          payload: { pub: true, sub: envId, scopes },
+          expirationTime: "15m",
+        });
+
+      it("GET with read:sessions (was a superScope): auth passes", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "read:sessions",
+        ]);
+        const res = await server.webapp.fetch(ioPath(session.friendlyId), {
+          method: "HEAD",
+          headers: { Authorization: `Bearer ${jwt}` },
+        });
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("GET with read:all: auth passes", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, ["read:all"]);
+        const res = await server.webapp.fetch(ioPath(session.friendlyId), {
+          method: "HEAD",
+          headers: { Authorization: `Bearer ${jwt}` },
+        });
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("PUT with write:sessions (was a superScope): auth passes", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "write:sessions",
+        ]);
+        const res = await server.webapp.fetch(ioPath(session.friendlyId), {
+          method: "PUT",
+          headers: { Authorization: `Bearer ${jwt}` },
+        });
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+    });
+
+    // ---- Realtime append: POST /realtime/v1/sessions/:session/:io/append
+    //
+    // action: "write" — multi-key sessions resource.
+    describe("Realtime append — POST /realtime/v1/sessions/:session/:io/append", () => {
+      const appendPath = (sessionParam: string) =>
+        `/realtime/v1/sessions/${sessionParam}/in/append`;
+
+      const mintJwt = async (apiKey: string, envId: string, scopes: string[]) =>
+        generateJWT({
+          secretKey: apiKey,
+          payload: { pub: true, sub: envId, scopes },
+          expirationTime: "15m",
+        });
+
+      it("write:sessions (was a superScope): auth passes", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, [
+          "write:sessions",
+        ]);
+        const res = await server.webapp.fetch(appendPath(session.friendlyId), {
+          method: "POST",
+          headers: {
+            Authorization: `Bearer ${jwt}`,
+            "Content-Type": "application/octet-stream",
+          },
+          body: new Uint8Array([1, 2, 3]),
+        });
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+
+      it("write:all: auth passes", async () => {
+        const server = getTestServer();
+        const seed = await seedTestEnvironment(server.prisma);
+        const session = await seedTestApiSession(server.prisma, seed.environment);
+        const jwt = await mintJwt(seed.apiKey, seed.environment.id, ["write:all"]);
+        const res = await server.webapp.fetch(appendPath(session.friendlyId), {
+          method: "POST",
+          headers: {
+            Authorization: `Bearer ${jwt}`,
+            "Content-Type": "application/octet-stream",
+          },
+          body: new Uint8Array([1, 2, 3]),
+        });
+        expect(res.status).not.toBe(401);
+        expect(res.status).not.toBe(403);
+      });
+    });
+  });
+});
diff --git a/apps/webapp/test/auth-cross-cutting.e2e.full.test.ts b/apps/webapp/test/auth-cross-cutting.e2e.full.test.ts
new file mode 100644
index 00000000000..d5d462f6c32
--- /dev/null
+++ b/apps/webapp/test/auth-cross-cutting.e2e.full.test.ts
@@ -0,0 +1,216 @@
+// Cross-cutting auth-layer behaviours that aren't tied to a specific route
+// family — see TRI-8743. Soft-deleted projects, revoked keys, expired JWTs,
+// cross-env mismatch, force-fallback toggle.
+//
+// Strategy: pick one representative API-key route
+// (GET /api/v1/runs/run_doesnotexist/result) and one representative JWT
+// route (POST /api/v1/waitpoints/tokens/<id>/complete) and exercise the
+// edge cases against those. The route choice doesn't matter — the
+// auth layer is shared across every API route via apiBuilder.server.ts.
+// Smoke matrix (api-auth.e2e.test.ts) already covers the trivial
+// cases (missing/invalid key, basic JWT pass, soft-deleted project);
+// this file adds cases that need explicit fixture setup.
+
+import { generateJWT } from "@trigger.dev/core/v3/jwt";
+import { SignJWT } from "jose";
+import { describe, expect, it } from "vitest";
+import { getTestServer } from "./helpers/sharedTestServer";
+import { seedTestEnvironment } from "./helpers/seedTestEnvironment";
+
+describe("Cross-cutting", () => {
+  it("shared prisma client can read from the postgres container", async () => {
+    const server = getTestServer();
+    const count = await server.prisma.user.count();
+    expect(count).toBeGreaterThanOrEqual(0);
+  });
+
+  // The auth path falls back to RevokedApiKey when a key isn't found
+  // in RuntimeEnvironment — letting customers continue to use a key
+  // for a configurable grace window after rotation. See
+  // models/runtimeEnvironment.server.ts. The grace lookup matches by
+  // (apiKey AND expiresAt > now) and rehydrates the env via the FK.
+  describe("Revoked API key grace window", () => {
+    const route = "/api/v1/runs/run_doesnotexist/result";
+
+    it("revoked key within grace (expiresAt > now): auth passes", async () => {
+      const server = getTestServer();
+      const { environment } = await seedTestEnvironment(server.prisma);
+      // Mint a fresh "rotated" key that doesn't exist on any env, then
+      // record it as recently revoked with a future grace expiry.
+      const rotatedKey = `tr_dev_rotated_${Math.random().toString(36).slice(2)}`;
+      await server.prisma.revokedApiKey.create({
+        data: {
+          apiKey: rotatedKey,
+          runtimeEnvironmentId: environment.id,
+          expiresAt: new Date(Date.now() + 24 * 60 * 60 * 1000), // +1 day
+        },
+      });
+      const res = await server.webapp.fetch(route, {
+        headers: { Authorization: `Bearer ${rotatedKey}` },
+      });
+      // Auth passed — the route's resource lookup just doesn't find
+      // run_doesnotexist. The point is NOT 401.
+      expect(res.status).not.toBe(401);
+    });
+
+    it("revoked key past grace (expiresAt < now): 401", async () => {
+      const server = getTestServer();
+      const { environment } = await seedTestEnvironment(server.prisma);
+      const expiredKey = `tr_dev_expired_${Math.random().toString(36).slice(2)}`;
+      await server.prisma.revokedApiKey.create({
+        data: {
+          apiKey: expiredKey,
+          runtimeEnvironmentId: environment.id,
+          expiresAt: new Date(Date.now() - 60 * 1000), // -1 minute
+        },
+      });
+      const res = await server.webapp.fetch(route, {
+        headers: { Authorization: `Bearer ${expiredKey}` },
+      });
+      expect(res.status).toBe(401);
+    });
+  });
+
+  // JWT edge cases beyond what the smoke matrix covers (which only
+  // checks "wrong key" and "missing scope"). All target the same
+  // representative JWT route — the JWT validator is shared across
+  // routes via apiBuilder, so coverage here generalises.
+  describe("JWT edge cases", () => {
+    const route = "/api/v1/waitpoints/tokens/wp_does_not_exist/complete";
+
+    async function postWithJwt(jwt: string) {
+      const server = getTestServer();
+      return server.webapp.fetch(route, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${jwt}`,
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({}),
+      });
+    }
+
+    it("JWT with expirationTime in the past: 401", async () => {
+      const server = getTestServer();
+      const { environment } = await seedTestEnvironment(server.prisma);
+      // generateJWT only accepts string expirationTimes (relative, like
+      // "15m"). To create a definitively-expired token use jose
+      // directly with an absolute past timestamp.
+      const secret = new TextEncoder().encode(environment.apiKey);
+      const jwt = await new SignJWT({
+        pub: true,
+        sub: environment.id,
+        scopes: ["write:waitpoints"],
+      })
+        .setIssuer("https://id.trigger.dev")
+        .setAudience("https://api.trigger.dev")
+        .setProtectedHeader({ alg: "HS256" })
+        .setIssuedAt(0)
+        .setExpirationTime(1) // 1970-01-01 — definitively expired
+        .sign(secret);
+
+      const res = await postWithJwt(jwt);
+      expect(res.status).toBe(401);
+    });
+
+    it("JWT with pub: false: 401", async () => {
+      const server = getTestServer();
+      const { environment } = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: environment.apiKey,
+        payload: { pub: false, sub: environment.id, scopes: ["write:waitpoints"] },
+        expirationTime: "15m",
+      });
+      // pub: false means "this token isn't meant for client-side use"
+      // — the auth layer rejects it for the same-class JWT routes.
+      const res = await postWithJwt(jwt);
+      expect(res.status).toBe(401);
+    });
+
+    it("JWT with no sub claim: 401", async () => {
+      const server = getTestServer();
+      const { environment } = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: environment.apiKey,
+        payload: { pub: true, scopes: ["write:waitpoints"] },
+        expirationTime: "15m",
+      });
+      // No sub claim — auth can't resolve which env the token belongs
+      // to, so it must reject. (sub carries the env id.)
+      const res = await postWithJwt(jwt);
+      expect(res.status).toBe(401);
+    });
+
+    it("JWT signed with another env's apiKey (cross-env): 401", async () => {
+      const server = getTestServer();
+      // env A's id but signed with env B's apiKey — sub-vs-signature
+      // mismatch the auth layer must catch.
+      const a = await seedTestEnvironment(server.prisma);
+      const b = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: b.apiKey, // <-- WRONG key relative to the sub claim
+        payload: { pub: true, sub: a.environment.id, scopes: ["write:waitpoints"] },
+        expirationTime: "15m",
+      });
+      const res = await postWithJwt(jwt);
+      expect(res.status).toBe(401);
+    });
+
+    it("JWT malformed (three parts but invalid base64 in payload): 401", async () => {
+      // Three "."-separated parts so the JWT shape gate sees it as a
+      // candidate, but the payload segment is non-base64 garbage.
+      // Validator must surface this as 401, not 500.
+      const malformed = "eyJhbGciOiJIUzI1NiJ9.@@@notbase64@@@.signature";
+      const res = await postWithJwt(malformed);
+      expect(res.status).toBe(401);
+    });
+  });
+
+  // The auth layer resolves the JWT's env from the `sub` claim — NOT
+  // from the route path. So a JWT for env A hitting a route that
+  // fetches a resource from env B should never accidentally see env
+  // B's data. Test by minting a JWT for env A and asking for a
+  // resource that lives in env B — expect 404 (not 200).
+  describe("Cross-environment: JWT auth resolves env from sub, not URL", () => {
+    it("env A's JWT cannot read env B's resource: 404", async () => {
+      const server = getTestServer();
+      const a = await seedTestEnvironment(server.prisma);
+      const b = await seedTestEnvironment(server.prisma);
+
+      // Seed a real-ish run row in env B so the route would have
+      // something to find IF auth resolved the env from the URL.
+      const friendlyId = `run_${Math.random().toString(36).slice(2, 10)}`;
+      await server.prisma.taskRun.create({
+        data: {
+          friendlyId,
+          taskIdentifier: "test-task",
+          payload: "{}",
+          payloadType: "application/json",
+          traceId: `trace_${Math.random().toString(36).slice(2)}`,
+          spanId: `span_${Math.random().toString(36).slice(2)}`,
+          runtimeEnvironmentId: b.environment.id,
+          projectId: b.project.id,
+          organizationId: b.organization.id,
+          engine: "V2",
+          status: "COMPLETED_SUCCESSFULLY",
+          queue: "task/test-task",
+        },
+      });
+
+      const jwt = await generateJWT({
+        secretKey: a.apiKey,
+        payload: { pub: true, sub: a.environment.id, scopes: ["read:runs"] },
+        expirationTime: "15m",
+      });
+
+      const res = await server.webapp.fetch(`/api/v1/runs/${friendlyId}/result`, {
+        headers: { Authorization: `Bearer ${jwt}` },
+      });
+      // The route resolves runs scoped to the JWT's env (env A). The
+      // run lives in env B, so env A's view returns "not found" —
+      // critically, NOT 200.
+      expect(res.status).not.toBe(200);
+      expect([401, 404]).toContain(res.status);
+    });
+  });
+});
diff --git a/apps/webapp/test/auth-dashboard.e2e.full.test.ts b/apps/webapp/test/auth-dashboard.e2e.full.test.ts
new file mode 100644
index 00000000000..948b9c6c0cf
--- /dev/null
+++ b/apps/webapp/test/auth-dashboard.e2e.full.test.ts
@@ -0,0 +1,122 @@
+// Comprehensive dashboard session-auth tests — see TRI-8742.
+// Each test seeds a User + session cookie via seedTestUser / seedTestSession
+// (helpers/seedTestSession.ts) and hits the shared webapp container.
+
+import { describe, expect, it } from "vitest";
+import { getTestServer } from "./helpers/sharedTestServer";
+import { seedTestSession, seedTestUser } from "./helpers/seedTestSession";
+
+describe("Dashboard", () => {
+  it("shared webapp container redirects /admin/concurrency to /login when unauthenticated", async () => {
+    const server = getTestServer();
+    const res = await server.webapp.fetch("/admin/concurrency", { redirect: "manual" });
+    expect(res.status).toBe(302);
+  });
+
+  // Admin pages migrated to dashboardLoader({ authorization: { requireSuper: true } })
+  // in TRI-8717. The dashboardLoader resolves auth in three stages:
+  //   1. No session → redirect to /login?redirectTo=<path>.
+  //   2. Session, user.admin === false → redirect to / (no path leakage).
+  //   3. Session, user.admin === true → run the loader handler.
+  //
+  // Coverage strategy: pick three representative routes (the index, a
+  // tabbed sub-page, and the back-office tree) rather than all 14 —
+  // they all share the same dashboardLoader config so testing every
+  // file would just confirm the wrapper works, which the harness
+  // already proves. If the wrapper config drifts per-route in the
+  // future, add targeted tests for the divergent ones.
+  describe("Admin pages — requireSuper gate", () => {
+    const adminRoutes = [
+      "/admin",
+      "/admin/concurrency",
+      "/admin/back-office",
+    ];
+
+    for (const path of adminRoutes) {
+      describe(`GET ${path}`, () => {
+        it("no session: redirects to /login?redirectTo=<path>", async () => {
+          const server = getTestServer();
+          const res = await server.webapp.fetch(path, { redirect: "manual" });
+          expect(res.status).toBe(302);
+          const location = res.headers.get("location") ?? "";
+          expect(location).toContain("/login");
+          // Path leaks deliberately so a successful login bounces the
+          // user back to where they were headed.
+          expect(location).toContain(`redirectTo=${encodeURIComponent(path)}`);
+        });
+
+        it("session for non-admin user: redirects to / (no path leakage)", async () => {
+          const server = getTestServer();
+          const user = await seedTestUser(server.prisma, { admin: false });
+          const cookie = await seedTestSession({ userId: user.id });
+          const res = await server.webapp.fetch(path, {
+            redirect: "manual",
+            headers: { Cookie: cookie },
+          });
+          expect(res.status).toBe(302);
+          const location = res.headers.get("location") ?? "";
+          // unauthorizedRedirect default in dashboardBuilder is "/".
+          // A non-admin landing on /admin shouldn't get redirectTo
+          // back to /admin once they upgrade — they're not getting in
+          // by re-auth.
+          expect(new URL(location, "http://localhost").pathname).toBe("/");
+        });
+
+        it("session for admin user: 2xx", async () => {
+          const server = getTestServer();
+          const user = await seedTestUser(server.prisma, { admin: true });
+          const cookie = await seedTestSession({ userId: user.id });
+          const res = await server.webapp.fetch(path, {
+            redirect: "manual",
+            headers: { Cookie: cookie },
+          });
+          // Loader handler ran — could be 200 (HTML) or 204 (Remix
+          // _data fetch). Either way, NOT a redirect.
+          expect(res.status).toBeLessThan(300);
+        });
+      });
+    }
+  });
+
+  // Action handlers behind requireSuper used to return 403 Unauthorized
+  // pre-RBAC — now they redirect to / via dashboardAction's
+  // unauthorizedRedirect. The ticket flagged this as a behaviour
+  // change worth locking in (any XHR fetcher that branched on 403
+  // would have regressed silently). Use admin.feature-flags POST as
+  // the canary — it's the simplest action of the bunch.
+  describe("Admin action — requireSuper gate (admin.feature-flags POST)", () => {
+    const path = "/admin/feature-flags";
+
+    it("no session: redirects to /login (POST)", async () => {
+      const server = getTestServer();
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        body: JSON.stringify({}),
+        headers: { "Content-Type": "application/json" },
+        redirect: "manual",
+      });
+      expect(res.status).toBe(302);
+      const location = res.headers.get("location") ?? "";
+      expect(location).toContain("/login");
+    });
+
+    it("session for non-admin user: redirects to / (was 403 pre-RBAC)", async () => {
+      const server = getTestServer();
+      const user = await seedTestUser(server.prisma, { admin: false });
+      const cookie = await seedTestSession({ userId: user.id });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        body: JSON.stringify({}),
+        headers: { "Content-Type": "application/json", Cookie: cookie },
+        redirect: "manual",
+      });
+      // Behaviour change from the TRI-8717 migration: the legacy
+      // path returned 403 Unauthorized; dashboardAction returns a
+      // 302 to "/" instead. Any client code branching on 403 needs
+      // updating — locking this in so a silent regression is loud.
+      expect(res.status).toBe(302);
+      const location = res.headers.get("location") ?? "";
+      expect(new URL(location, "http://localhost").pathname).toBe("/");
+    });
+  });
+});
diff --git a/apps/webapp/test/authorization.test.ts b/apps/webapp/test/authorization.test.ts
deleted file mode 100644
index 1dc574966f5..00000000000
--- a/apps/webapp/test/authorization.test.ts
+++ /dev/null
@@ -1,423 +0,0 @@
-import { describe, it, expect } from "vitest";
-import { checkAuthorization, AuthorizationEntity } from "../app/services/authorization.server";
-
-describe("checkAuthorization", () => {
-  // Test entities
-  const privateEntity: AuthorizationEntity = { type: "PRIVATE" };
-  const publicEntity: AuthorizationEntity = { type: "PUBLIC" };
-  const publicJwtEntityWithPermissions: AuthorizationEntity = {
-    type: "PUBLIC_JWT",
-    scopes: ["read:runs:run_1234", "read:tasks", "read:tags:tag_5678"],
-  };
-  const publicJwtEntityNoPermissions: AuthorizationEntity = { type: "PUBLIC_JWT" };
-  const publicJwtEntityWithTaskWritePermissions: AuthorizationEntity = {
-    type: "PUBLIC_JWT",
-    scopes: ["write:tasks:task-1"],
-  };
-
-  describe("PRIVATE entity", () => {
-    it("should always return authorized regardless of action or resource", () => {
-      const result1 = checkAuthorization(privateEntity, "read", { runs: "run_1234" });
-      expect(result1.authorized).toBe(true);
-      expect(result1).not.toHaveProperty("reason");
-
-      const result2 = checkAuthorization(privateEntity, "read", { tasks: ["task_1", "task_2"] });
-      expect(result2.authorized).toBe(true);
-      expect(result2).not.toHaveProperty("reason");
-
-      const result3 = checkAuthorization(privateEntity, "read", { tags: "nonexistent_tag" });
-      expect(result3.authorized).toBe(true);
-      expect(result3).not.toHaveProperty("reason");
-    });
-  });
-
-  describe("PUBLIC entity", () => {
-    it("should always return unauthorized with reason regardless of action or resource", () => {
-      const result1 = checkAuthorization(publicEntity, "read", { runs: "run_1234" });
-      expect(result1.authorized).toBe(false);
-      if (!result1.authorized) {
-        expect(result1.reason).toBe("PUBLIC type is deprecated and has no access");
-      }
-
-      const result2 = checkAuthorization(publicEntity, "read", { tasks: ["task_1", "task_2"] });
-      expect(result2.authorized).toBe(false);
-      if (!result2.authorized) {
-        expect(result2.reason).toBe("PUBLIC type is deprecated and has no access");
-      }
-
-      const result3 = checkAuthorization(publicEntity, "read", { tags: "tag_5678" });
-      expect(result3.authorized).toBe(false);
-      if (!result3.authorized) {
-        expect(result3.reason).toBe("PUBLIC type is deprecated and has no access");
-      }
-    });
-  });
-
-  describe("PUBLIC_JWT entity with task write scope", () => {
-    it("should return authorized for specific resource scope", () => {
-      const result = checkAuthorization(publicJwtEntityWithTaskWritePermissions, "write", {
-        tasks: "task-1",
-      });
-      expect(result.authorized).toBe(true);
-      expect(result).not.toHaveProperty("reason");
-    });
-
-    it("should return unauthorized with reason for unauthorized specific resources", () => {
-      const result = checkAuthorization(publicJwtEntityWithTaskWritePermissions, "write", {
-        tasks: "task-2",
-      });
-      expect(result.authorized).toBe(false);
-      if (!result.authorized) {
-        expect(result.reason).toBe(
-          "Public Access Token is missing required permissions. Token has the following permissions: 'write:tasks:task-1'. See https://trigger.dev/docs/frontend/overview#authentication for more information."
-        );
-      }
-    });
-  });
-
-  describe("PUBLIC_JWT entity with scope", () => {
-    it("should return authorized for specific resource scope", () => {
-      const result = checkAuthorization(publicJwtEntityWithPermissions, "read", {
-        runs: "run_1234",
-      });
-      expect(result.authorized).toBe(true);
-      expect(result).not.toHaveProperty("reason");
-    });
-
-    it("should return unauthorized with reason for unauthorized specific resources", () => {
-      const result = checkAuthorization(publicJwtEntityWithPermissions, "read", {
-        runs: "run_5678",
-      });
-      expect(result.authorized).toBe(false);
-      if (!result.authorized) {
-        expect(result.reason).toBe(
-          "Public Access Token is missing required permissions. Token has the following permissions: 'read:runs:run_1234', 'read:tasks', 'read:tags:tag_5678'. See https://trigger.dev/docs/frontend/overview#authentication for more information."
-        );
-      }
-    });
-
-    it("should return authorized for general resource type scope", () => {
-      const result1 = checkAuthorization(publicJwtEntityWithPermissions, "read", {
-        tasks: "task_1234",
-      });
-      expect(result1.authorized).toBe(true);
-      expect(result1).not.toHaveProperty("reason");
-
-      const result2 = checkAuthorization(publicJwtEntityWithPermissions, "read", {
-        tasks: ["task_5678", "task_9012"],
-      });
-      expect(result2.authorized).toBe(true);
-      expect(result2).not.toHaveProperty("reason");
-    });
-
-    it("should return authorized if any resource in an array is authorized", () => {
-      const result = checkAuthorization(publicJwtEntityWithPermissions, "read", {
-        tags: ["tag_1234", "tag_5678"],
-      });
-      expect(result.authorized).toBe(true);
-      expect(result).not.toHaveProperty("reason");
-    });
-
-    it("should return authorized for nonexistent resource types", () => {
-      const result = checkAuthorization(publicJwtEntityWithPermissions, "read", {
-        // @ts-expect-error
-        nonexistent: "resource",
-      });
-      expect(result.authorized).toBe(false);
-      expect(result).toHaveProperty("reason");
-    });
-  });
-
-  describe("PUBLIC_JWT entity without scope", () => {
-    it("should always return unauthorized with reason regardless of action or resource", () => {
-      const result1 = checkAuthorization(publicJwtEntityNoPermissions, "read", {
-        runs: "run_1234",
-      });
-      expect(result1.authorized).toBe(false);
-      if (!result1.authorized) {
-        expect(result1.reason).toBe(
-          "Public Access Token has no permissions. See https://trigger.dev/docs/frontend/overview#authentication for more information."
-        );
-      }
-
-      const result2 = checkAuthorization(publicJwtEntityNoPermissions, "read", {
-        tasks: ["task_1", "task_2"],
-      });
-      expect(result2.authorized).toBe(false);
-      if (!result2.authorized) {
-        expect(result2.reason).toBe(
-          "Public Access Token has no permissions. See https://trigger.dev/docs/frontend/overview#authentication for more information."
-        );
-      }
-
-      const result3 = checkAuthorization(publicJwtEntityNoPermissions, "read", {
-        tags: "tag_5678",
-      });
-      expect(result3.authorized).toBe(false);
-      if (!result3.authorized) {
-        expect(result3.reason).toBe(
-          "Public Access Token has no permissions. See https://trigger.dev/docs/frontend/overview#authentication for more information."
-        );
-      }
-    });
-  });
-
-  describe("Edge cases", () => {
-    it("should handle empty resource objects", () => {
-      const result = checkAuthorization(publicJwtEntityWithPermissions, "read", {});
-      expect(result.authorized).toBe(false);
-      if (!result.authorized) {
-        expect(result.reason).toBe("Resource object is empty");
-      }
-    });
-
-    it("should handle undefined scope", () => {
-      const entityUndefinedPermissions: AuthorizationEntity = { type: "PUBLIC_JWT" };
-      const result = checkAuthorization(entityUndefinedPermissions, "read", { runs: "run_1234" });
-      expect(result.authorized).toBe(false);
-      if (!result.authorized) {
-        expect(result.reason).toBe(
-          "Public Access Token has no permissions. See https://trigger.dev/docs/frontend/overview#authentication for more information."
-        );
-      }
-    });
-
-    it("should handle empty scope array", () => {
-      const entityEmptyPermissions: AuthorizationEntity = { type: "PUBLIC_JWT", scopes: [] };
-      const result = checkAuthorization(entityEmptyPermissions, "read", { runs: "run_1234" });
-      expect(result.authorized).toBe(false);
-      if (!result.authorized) {
-        expect(result.reason).toBe(
-          "Public Access Token has no permissions. See https://trigger.dev/docs/frontend/overview#authentication for more information."
-        );
-      }
-    });
-
-    it("should return authorized if any resource is authorized", () => {
-      const result = checkAuthorization(publicJwtEntityWithPermissions, "read", {
-        runs: "run_1234", // This is authorized
-        tasks: "task_5678", // This is authorized (general permission)
-        tags: "tag_3456", // This is not authorized
-      });
-      expect(result.authorized).toBe(true);
-      expect(result).not.toHaveProperty("reason");
-    });
-
-    it("should return unauthorized only if no resources are authorized", () => {
-      const result = checkAuthorization(publicJwtEntityWithPermissions, "read", {
-        runs: "run_5678", // Not authorized
-        tags: "tag_3456", // Not authorized
-      });
-      expect(result.authorized).toBe(false);
-      if (!result.authorized) {
-        expect(result.reason).toContain("Public Access Token is missing required permissions");
-      }
-    });
-  });
-
-  describe("Super scope", () => {
-    const entityWithSuperPermissions: AuthorizationEntity = {
-      type: "PUBLIC_JWT",
-      scopes: ["read:all", "admin"],
-    };
-
-    const entityWithOneSuperPermission: AuthorizationEntity = {
-      type: "PUBLIC_JWT",
-      scopes: ["read:all"],
-    };
-
-    it("should grant access with any of the super scope", () => {
-      const result1 = checkAuthorization(
-        entityWithSuperPermissions,
-        "read",
-        { tasks: "task_1234" },
-        ["read:all", "admin"]
-      );
-      expect(result1.authorized).toBe(true);
-      expect(result1).not.toHaveProperty("reason");
-
-      const result2 = checkAuthorization(
-        entityWithSuperPermissions,
-        "read",
-        { tags: ["tag_1", "tag_2"] },
-        ["write:all", "admin"]
-      );
-      expect(result2.authorized).toBe(true);
-      expect(result2).not.toHaveProperty("reason");
-    });
-
-    it("should grant access with one matching super permission", () => {
-      const result = checkAuthorization(
-        entityWithOneSuperPermission,
-        "read",
-        { runs: "run_5678" },
-        ["read:all", "admin"]
-      );
-      expect(result.authorized).toBe(true);
-      expect(result).not.toHaveProperty("reason");
-    });
-
-    it("should not grant access when no super scope match", () => {
-      const result = checkAuthorization(
-        entityWithOneSuperPermission,
-        "read",
-        { tasks: "task_1234" },
-        ["write:all", "admin"]
-      );
-      expect(result.authorized).toBe(false);
-      if (!result.authorized) {
-        expect(result.reason).toBe(
-          "Public Access Token is missing required permissions. Token has the following permissions: 'read:all'. See https://trigger.dev/docs/frontend/overview#authentication for more information."
-        );
-      }
-    });
-
-    it("should grant access to multiple resources with super scope", () => {
-      const result = checkAuthorization(
-        entityWithSuperPermissions,
-        "read",
-        {
-          tasks: "task_1234",
-          tags: ["tag_1", "tag_2"],
-          runs: "run_5678",
-        },
-        ["read:all"]
-      );
-      expect(result.authorized).toBe(true);
-      expect(result).not.toHaveProperty("reason");
-    });
-
-    it("should fall back to specific scope when super scope are not provided", () => {
-      const entityWithSpecificPermissions: AuthorizationEntity = {
-        type: "PUBLIC_JWT",
-        scopes: ["read:tasks", "read:tags"],
-      };
-      const result1 = checkAuthorization(entityWithSpecificPermissions, "read", {
-        tasks: "task_1234",
-      });
-      expect(result1.authorized).toBe(true);
-      expect(result1).not.toHaveProperty("reason");
-
-      const result2 = checkAuthorization(entityWithSpecificPermissions, "read", {
-        runs: "run_5678",
-      });
-      expect(result2.authorized).toBe(false);
-      if (!result2.authorized) {
-        expect(result2.reason).toBe(
-          "Public Access Token is missing required permissions. Token has the following permissions: 'read:tasks', 'read:tags'. See https://trigger.dev/docs/frontend/overview#authentication for more information."
-        );
-      }
-    });
-  });
-
-  describe("Query resource type", () => {
-    it("should grant access with read:query super scope", () => {
-      const entity: AuthorizationEntity = {
-        type: "PUBLIC_JWT",
-        scopes: ["read:query"],
-      };
-      const result = checkAuthorization(
-        entity,
-        "read",
-        { query: "runs" },
-        ["read:query", "read:all", "admin"]
-      );
-      expect(result.authorized).toBe(true);
-    });
-
-    it("should grant access with table-specific query scope", () => {
-      const entity: AuthorizationEntity = {
-        type: "PUBLIC_JWT",
-        scopes: ["read:query:runs"],
-      };
-      const result = checkAuthorization(entity, "read", { query: "runs" });
-      expect(result.authorized).toBe(true);
-    });
-
-    it("should deny access to different table with table-specific scope", () => {
-      const entity: AuthorizationEntity = {
-        type: "PUBLIC_JWT",
-        scopes: ["read:query:runs"],
-      };
-      const result = checkAuthorization(entity, "read", { query: "llm_metrics" });
-      expect(result.authorized).toBe(false);
-    });
-
-    it("should grant access with general read:query scope to any table", () => {
-      const entity: AuthorizationEntity = {
-        type: "PUBLIC_JWT",
-        scopes: ["read:query"],
-      };
-
-      const runsResult = checkAuthorization(entity, "read", { query: "runs" });
-      expect(runsResult.authorized).toBe(true);
-
-      const metricsResult = checkAuthorization(entity, "read", { query: "metrics" });
-      expect(metricsResult.authorized).toBe(true);
-
-      const llmResult = checkAuthorization(entity, "read", { query: "llm_metrics" });
-      expect(llmResult.authorized).toBe(true);
-    });
-
-    it("should grant access to multiple tables when querying with super scope", () => {
-      const entity: AuthorizationEntity = {
-        type: "PUBLIC_JWT",
-        scopes: ["read:query"],
-      };
-      const result = checkAuthorization(
-        entity,
-        "read",
-        { query: ["runs", "llm_metrics"] },
-        ["read:query", "read:all", "admin"]
-      );
-      expect(result.authorized).toBe(true);
-    });
-
-    it("should grant access to schema with read:query scope", () => {
-      const entity: AuthorizationEntity = {
-        type: "PUBLIC_JWT",
-        scopes: ["read:query"],
-      };
-      const result = checkAuthorization(
-        entity,
-        "read",
-        { query: "schema" },
-        ["read:query", "read:all", "admin"]
-      );
-      expect(result.authorized).toBe(true);
-    });
-  });
-
-  describe("Without super scope", () => {
-    const entityWithoutSuperPermissions: AuthorizationEntity = {
-      type: "PUBLIC_JWT",
-      scopes: ["read:tasks"],
-    };
-
-    it("should still grant access based on specific scope", () => {
-      const result = checkAuthorization(
-        entityWithoutSuperPermissions,
-        "read",
-        { tasks: "task_1234" },
-        ["read:all", "admin"]
-      );
-      expect(result.authorized).toBe(true);
-      expect(result).not.toHaveProperty("reason");
-    });
-
-    it("should deny access to resources not in scope", () => {
-      const result = checkAuthorization(
-        entityWithoutSuperPermissions,
-        "read",
-        { runs: "run_5678" },
-        ["read:all", "admin"]
-      );
-      expect(result.authorized).toBe(false);
-      if (!result.authorized) {
-        expect(result.reason).toBe(
-          "Public Access Token is missing required permissions. Token has the following permissions: 'read:tasks'. See https://trigger.dev/docs/frontend/overview#authentication for more information."
-        );
-      }
-    });
-  });
-});
diff --git a/apps/webapp/test/bufferedTriggerPayload.test.ts b/apps/webapp/test/bufferedTriggerPayload.test.ts
new file mode 100644
index 00000000000..6280acd4c63
--- /dev/null
+++ b/apps/webapp/test/bufferedTriggerPayload.test.ts
@@ -0,0 +1,96 @@
+import { describe, expect, it } from "vitest";
+import { buildBufferedTriggerPayload } from "~/v3/mollifier/bufferedTriggerPayload.server";
+
+describe("buildBufferedTriggerPayload", () => {
+  const baseInput = {
+    runFriendlyId: "run_abc",
+    taskId: "my-task",
+    envId: "env_1",
+    envType: "DEVELOPMENT",
+    envSlug: "dev",
+    orgId: "org_1",
+    orgSlug: "acme",
+    projectId: "proj_db_id",
+    projectRef: "proj_xyz",
+    body: { payload: { hello: "world" }, options: { tags: ["t1"] } } as any,
+    idempotencyKey: null,
+    idempotencyKeyExpiresAt: null,
+    tags: ["t1"],
+    parentRunFriendlyId: null,
+    traceContext: { traceparent: "00-abc-def-01" },
+    triggerSource: "api" as const,
+    triggerAction: "trigger" as const,
+    serviceOptions: {} as any,
+    createdAt: new Date("2026-05-13T09:00:00.000Z"),
+  };
+
+  it("captures all routing identifiers without losing data", () => {
+    const payload = buildBufferedTriggerPayload(baseInput);
+
+    expect(payload.runFriendlyId).toBe("run_abc");
+    expect(payload.envId).toBe("env_1");
+    expect(payload.envType).toBe("DEVELOPMENT");
+    expect(payload.envSlug).toBe("dev");
+    expect(payload.orgId).toBe("org_1");
+    expect(payload.orgSlug).toBe("acme");
+    expect(payload.projectId).toBe("proj_db_id");
+    expect(payload.projectRef).toBe("proj_xyz");
+    expect(payload.taskId).toBe("my-task");
+  });
+
+  it("serialises idempotencyKeyExpiresAt to ISO string only when key is present", () => {
+    const withKey = buildBufferedTriggerPayload({
+      ...baseInput,
+      idempotencyKey: "ik_1",
+      idempotencyKeyExpiresAt: new Date("2026-05-13T10:00:00.000Z"),
+    });
+    expect(withKey.idempotencyKey).toBe("ik_1");
+    expect(withKey.idempotencyKeyExpiresAt).toBe("2026-05-13T10:00:00.000Z");
+
+    const noKey = buildBufferedTriggerPayload(baseInput);
+    expect(noKey.idempotencyKey).toBeNull();
+    expect(noKey.idempotencyKeyExpiresAt).toBeNull();
+
+    // Defensive: an expiresAt without an accompanying key is an impossible
+    // idempotency state — drop the expiresAt rather than serialise it.
+    const orphanExpiry = buildBufferedTriggerPayload({
+      ...baseInput,
+      idempotencyKey: null,
+      idempotencyKeyExpiresAt: new Date("2026-05-13T10:00:00.000Z"),
+    });
+    expect(orphanExpiry.idempotencyKey).toBeNull();
+    expect(orphanExpiry.idempotencyKeyExpiresAt).toBeNull();
+  });
+
+  it("preserves customer body byte-equivalent (drainer replay must match Postgres)", () => {
+    const body = {
+      payload: { quotes: 'a"b', newline: "x\ny", unicode: "🚀", nested: { n: 1 } },
+      options: { tags: ["a"], maxAttempts: 3, machine: "small-1x" },
+    } as any;
+    const payload = buildBufferedTriggerPayload({ ...baseInput, body });
+    expect(payload.body).toEqual(body);
+
+    // JSON round-trip is the storage path; verify no information loss.
+    const roundtripped = JSON.parse(JSON.stringify(payload.body));
+    expect(roundtripped).toEqual(body);
+  });
+
+  it("createdAt is serialised to ISO 8601", () => {
+    const payload = buildBufferedTriggerPayload(baseInput);
+    expect(payload.createdAt).toBe("2026-05-13T09:00:00.000Z");
+  });
+
+  it("preserves traceContext (OTel continuity across buffer→drain boundary)", () => {
+    const traceContext = { traceparent: "00-x-y-01", tracestate: "vendor=foo" };
+    const payload = buildBufferedTriggerPayload({ ...baseInput, traceContext });
+    expect(payload.traceContext).toEqual(traceContext);
+  });
+
+  it("nullable parentRunFriendlyId — present and absent", () => {
+    expect(buildBufferedTriggerPayload(baseInput).parentRunFriendlyId).toBeNull();
+    expect(
+      buildBufferedTriggerPayload({ ...baseInput, parentRunFriendlyId: "run_parent" })
+        .parentRunFriendlyId,
+    ).toBe("run_parent");
+  });
+});
diff --git a/apps/webapp/test/chat-snapshot-integration.test.ts b/apps/webapp/test/chat-snapshot-integration.test.ts
new file mode 100644
index 00000000000..c2a5dcce98d
--- /dev/null
+++ b/apps/webapp/test/chat-snapshot-integration.test.ts
@@ -0,0 +1,234 @@
+// Plan F.3: integration test that round-trips a `ChatSnapshotV1` blob
+// through the SDK's snapshot helpers + a real MinIO backing store. Mirrors
+// the testcontainer pattern from `objectStore.test.ts`.
+//
+// What this verifies end-to-end:
+//   - SDK's `writeChatSnapshot` calls `apiClient.createUploadPayloadUrl`
+//     to mint a presigned PUT, then PUTs JSON to it.
+//   - SDK's `readChatSnapshot` calls `apiClient.getPayloadUrl` to mint a
+//     presigned GET, then fetches and parses.
+//   - The webapp's `generatePresignedUrl` produces URLs MinIO accepts.
+//   - The blob round-trips with `version: 1` shape preserved.
+//   - 404 (no snapshot for a fresh session) returns `undefined`, not an
+//     error.
+//
+// This is the integration safety net behind the unit tests in
+// `packages/trigger-sdk/test/chat-snapshot.test.ts` — those tests mock
+// `fetch`; this one drives a real S3-compatible backend.
+
+import { postgresAndMinioTest } from "@internal/testcontainers";
+import { apiClientManager } from "@trigger.dev/core/v3";
+import {
+  __readChatSnapshotProductionPathForTests as readChatSnapshot,
+  __writeChatSnapshotProductionPathForTests as writeChatSnapshot,
+  type ChatSnapshotV1,
+} from "@trigger.dev/sdk/ai";
+import type { UIMessage } from "ai";
+import { afterEach, describe, expect, vi } from "vitest";
+import { env } from "~/env.server";
+import { chatSnapshotStoragePathForSession } from "~/services/realtime/chatSnapshot.server";
+import { generatePresignedUrl } from "~/v3/objectStore.server";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+// ── Helpers ────────────────────────────────────────────────────────────
+
+function makeSnapshot(opts: { messages?: UIMessage[]; lastOutEventId?: string } = {}): ChatSnapshotV1 {
+  return {
+    version: 1,
+    savedAt: 1_700_000_000_000,
+    messages: opts.messages ?? [
+      {
+        id: "u-1",
+        role: "user",
+        parts: [{ type: "text", text: "hello" }],
+      },
+      {
+        id: "a-1",
+        role: "assistant",
+        parts: [{ type: "text", text: "world" }],
+      },
+    ],
+    lastOutEventId: opts.lastOutEventId ?? "evt-42",
+  };
+}
+
+/**
+ * Stub `apiClientManager.clientOrThrow()` so the SDK helpers see a fake
+ * api client. Mirrors the snapshot-url route: derive the canonical
+ * `sessions/{id}/snapshot.json` key (with optional default-protocol
+ * prefix) and sign it via `generatePresignedUrl` against MinIO.
+ */
+function stubApiClient(opts: { projectRef: string; envSlug: string }) {
+  vi.spyOn(apiClientManager, "clientOrThrow").mockReturnValue({
+    async getChatSnapshotUrl(sessionId: string) {
+      const key = chatSnapshotStoragePathForSession(sessionId);
+      const result = await generatePresignedUrl(opts.projectRef, opts.envSlug, key, "GET");
+      if (!result.success) throw new Error(result.error);
+      return { presignedUrl: result.url };
+    },
+    async createChatSnapshotUploadUrl(sessionId: string) {
+      const key = chatSnapshotStoragePathForSession(sessionId);
+      const result = await generatePresignedUrl(opts.projectRef, opts.envSlug, key, "PUT");
+      if (!result.success) throw new Error(result.error);
+      return { presignedUrl: result.url };
+    },
+  } as never);
+}
+
+// Suppress noisy warnings from logger.warn during error-path tests.
+let warnSpy: ReturnType<typeof vi.spyOn>;
+
+afterEach(() => {
+  vi.restoreAllMocks();
+  warnSpy?.mockRestore();
+});
+
+// ── Tests ──────────────────────────────────────────────────────────────
+
+describe("chat snapshot integration (MinIO + SDK helpers)", () => {
+  postgresAndMinioTest("round-trips a snapshot through real MinIO", async ({ minioConfig }) => {
+    env.OBJECT_STORE_BASE_URL = minioConfig.baseUrl;
+    env.OBJECT_STORE_ACCESS_KEY_ID = minioConfig.accessKeyId;
+    env.OBJECT_STORE_SECRET_ACCESS_KEY = minioConfig.secretAccessKey;
+    env.OBJECT_STORE_REGION = minioConfig.region;
+    env.OBJECT_STORE_DEFAULT_PROTOCOL = undefined;
+
+    stubApiClient({ projectRef: "proj_snap_rt", envSlug: "dev" });
+
+    const sessionId = "sess_round_trip_1";
+    const snapshot = makeSnapshot();
+
+    // Write through the SDK helper — should land in MinIO at
+    // `packets/proj_snap_rt/dev/sessions/sess_round_trip_1/snapshot.json`.
+    await writeChatSnapshot(sessionId, snapshot);
+
+    // Read back through the SDK helper — should reconstruct the original.
+    const result = await readChatSnapshot(sessionId);
+
+    expect(result).toEqual(snapshot);
+  });
+
+  postgresAndMinioTest("returns undefined for a fresh session with no snapshot", async ({ minioConfig }) => {
+    env.OBJECT_STORE_BASE_URL = minioConfig.baseUrl;
+    env.OBJECT_STORE_ACCESS_KEY_ID = minioConfig.accessKeyId;
+    env.OBJECT_STORE_SECRET_ACCESS_KEY = minioConfig.secretAccessKey;
+    env.OBJECT_STORE_REGION = minioConfig.region;
+    env.OBJECT_STORE_DEFAULT_PROTOCOL = undefined;
+
+    stubApiClient({ projectRef: "proj_snap_404", envSlug: "dev" });
+
+    warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+    // Session never had a snapshot written — read returns undefined.
+    const result = await readChatSnapshot("sess_never_existed");
+    expect(result).toBeUndefined();
+  });
+
+  postgresAndMinioTest("overwrites a prior snapshot in place (single-writer)", async ({ minioConfig }) => {
+    // The runtime guarantees one attempt alive at a time, and
+    // `writeChatSnapshot` runs awaited after `onTurnComplete`. Verify
+    // that a second write to the same key replaces the first cleanly —
+    // the read-after-write reflects the latest blob.
+    env.OBJECT_STORE_BASE_URL = minioConfig.baseUrl;
+    env.OBJECT_STORE_ACCESS_KEY_ID = minioConfig.accessKeyId;
+    env.OBJECT_STORE_SECRET_ACCESS_KEY = minioConfig.secretAccessKey;
+    env.OBJECT_STORE_REGION = minioConfig.region;
+    env.OBJECT_STORE_DEFAULT_PROTOCOL = undefined;
+
+    stubApiClient({ projectRef: "proj_snap_overwrite", envSlug: "dev" });
+
+    const sessionId = "sess_overwrite";
+
+    const turn1 = makeSnapshot({
+      messages: [
+        { id: "u-1", role: "user", parts: [{ type: "text", text: "first" }] },
+      ],
+      lastOutEventId: "evt-turn1",
+    });
+    const turn2 = makeSnapshot({
+      messages: [
+        { id: "u-1", role: "user", parts: [{ type: "text", text: "first" }] },
+        { id: "a-1", role: "assistant", parts: [{ type: "text", text: "reply-1" }] },
+        { id: "u-2", role: "user", parts: [{ type: "text", text: "second" }] },
+        { id: "a-2", role: "assistant", parts: [{ type: "text", text: "reply-2" }] },
+      ],
+      lastOutEventId: "evt-turn2",
+    });
+
+    await writeChatSnapshot(sessionId, turn1);
+    await writeChatSnapshot(sessionId, turn2);
+
+    const result = await readChatSnapshot(sessionId);
+    expect(result).toEqual(turn2);
+    expect(result?.messages).toHaveLength(4);
+    expect(result?.lastOutEventId).toBe("evt-turn2");
+  });
+
+  postgresAndMinioTest("isolates snapshots by sessionId (no cross-talk)", async ({ minioConfig }) => {
+    env.OBJECT_STORE_BASE_URL = minioConfig.baseUrl;
+    env.OBJECT_STORE_ACCESS_KEY_ID = minioConfig.accessKeyId;
+    env.OBJECT_STORE_SECRET_ACCESS_KEY = minioConfig.secretAccessKey;
+    env.OBJECT_STORE_REGION = minioConfig.region;
+    env.OBJECT_STORE_DEFAULT_PROTOCOL = undefined;
+
+    stubApiClient({ projectRef: "proj_snap_iso", envSlug: "dev" });
+
+    const sessA = "sess_iso_A";
+    const sessB = "sess_iso_B";
+    const snapA = makeSnapshot({ lastOutEventId: "evt-A" });
+    const snapB = makeSnapshot({ lastOutEventId: "evt-B" });
+
+    await writeChatSnapshot(sessA, snapA);
+    await writeChatSnapshot(sessB, snapB);
+
+    const readA = await readChatSnapshot(sessA);
+    const readB = await readChatSnapshot(sessB);
+
+    expect(readA?.lastOutEventId).toBe("evt-A");
+    expect(readB?.lastOutEventId).toBe("evt-B");
+    // Distinct objects — modifying one shouldn't affect the other.
+    expect(readA?.lastOutEventId).not.toBe(readB?.lastOutEventId);
+  });
+
+  postgresAndMinioTest("handles snapshots with large message lists (~50 messages)", async ({ minioConfig }) => {
+    // Stress test: a 50-turn chat snapshot. Plan F.4 mentions the
+    // pre-change baseline grew past 512 KiB around turn 10-30 with tool
+    // use; the post-slim wire keeps wire payloads small but the snapshot
+    // itself can still get large. Verify the helpers handle a realistic
+    // payload size.
+    env.OBJECT_STORE_BASE_URL = minioConfig.baseUrl;
+    env.OBJECT_STORE_ACCESS_KEY_ID = minioConfig.accessKeyId;
+    env.OBJECT_STORE_SECRET_ACCESS_KEY = minioConfig.secretAccessKey;
+    env.OBJECT_STORE_REGION = minioConfig.region;
+    env.OBJECT_STORE_DEFAULT_PROTOCOL = undefined;
+
+    stubApiClient({ projectRef: "proj_snap_big", envSlug: "dev" });
+
+    const messages: UIMessage[] = [];
+    for (let i = 0; i < 50; i++) {
+      messages.push({
+        id: `u-${i}`,
+        role: "user",
+        parts: [{ type: "text", text: `user message ${i}: ${"x".repeat(200)}` }],
+      });
+      messages.push({
+        id: `a-${i}`,
+        role: "assistant",
+        parts: [{ type: "text", text: `assistant reply ${i}: ${"y".repeat(500)}` }],
+      });
+    }
+    const snapshot = makeSnapshot({ messages, lastOutEventId: "evt-50" });
+
+    await writeChatSnapshot("sess_big_chat", snapshot);
+    const result = await readChatSnapshot("sess_big_chat");
+
+    expect(result).toBeDefined();
+    expect(result!.messages).toHaveLength(100);
+    expect(result!.lastOutEventId).toBe("evt-50");
+    // Spot-check ordering integrity — the messages array round-tripped
+    // in the same order.
+    expect(result!.messages[0]!.id).toBe("u-0");
+    expect(result!.messages[99]!.id).toBe("a-49");
+  });
+});
diff --git a/apps/webapp/test/clickhouseFactory.test.ts b/apps/webapp/test/clickhouseFactory.test.ts
new file mode 100644
index 00000000000..7f19ea1f218
--- /dev/null
+++ b/apps/webapp/test/clickhouseFactory.test.ts
@@ -0,0 +1,130 @@
+import { describe, expect } from "vitest";
+
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+
+import { postgresTest } from "@internal/testcontainers";
+import { OrganizationDataStoresRegistry } from "~/services/dataStores/organizationDataStoresRegistry.server";
+import { ClickhouseConnectionSchema } from "~/services/clickhouse/clickhouseSecretSchemas.server";
+import { ClickhouseFactory } from "~/services/clickhouse/clickhouseFactory.server";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+const TEST_URL = "https://default:password@ch-org.example.com:8443";
+const TEST_URL_2 = "https://default:password@ch-other.example.com:8443";
+
+describe("ClickHouse Factory", () => {
+  postgresTest(
+    "returns default client when org has no data store",
+    async ({ prisma }) => {
+      const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+      await registry.loadFromDatabase();
+
+      const factory = new ClickhouseFactory(registry);
+      const client = await factory.getClickhouseForOrganization("org-no-store", "standard");
+      expect(client).toBeDefined();
+    }
+  );
+
+  postgresTest(
+    "returns org-specific client when a data store is configured",
+    async ({ prisma }) => {
+      const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+
+      await registry.addDataStore({
+        key: "factory-store",
+        kind: "CLICKHOUSE",
+        organizationIds: ["org-custom"],
+        config: ClickhouseConnectionSchema.parse({ url: TEST_URL }),
+      });
+
+      await registry.loadFromDatabase();
+
+      const factory = new ClickhouseFactory(registry);
+      const client = await factory.getClickhouseForOrganization("org-custom", "standard");
+      expect(client).toBeDefined();
+
+      // Default client is a different instance from the org-specific one
+      const defaultClient = await factory.getClickhouseForOrganization("org-no-store", "standard");
+      expect(client).not.toBe(defaultClient);
+    }
+  );
+
+  postgresTest(
+    "two orgs sharing the same data store get the same cached client",
+    async ({ prisma }) => {
+      const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+
+      await registry.addDataStore({
+        key: "shared-factory-store",
+        kind: "CLICKHOUSE",
+        organizationIds: ["org-shared-1", "org-shared-2"],
+        config: ClickhouseConnectionSchema.parse({ url: TEST_URL }),
+      });
+
+      await registry.loadFromDatabase();
+
+      const factory = new ClickhouseFactory(registry);
+      const client1 = await factory.getClickhouseForOrganization("org-shared-1", "standard");
+      const client2 = await factory.getClickhouseForOrganization("org-shared-2", "standard");
+
+      // Same hostname → same cached client instance
+      expect(client1).toBe(client2);
+    }
+  );
+
+  postgresTest(
+    "two data stores with different URLs produce different clients",
+    async ({ prisma }) => {
+      const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+
+      await registry.addDataStore({
+        key: "store-a",
+        kind: "CLICKHOUSE",
+        organizationIds: ["org-a"],
+        config: ClickhouseConnectionSchema.parse({ url: TEST_URL }),
+      });
+
+      await registry.addDataStore({
+        key: "store-b",
+        kind: "CLICKHOUSE",
+        organizationIds: ["org-b"],
+        config: ClickhouseConnectionSchema.parse({ url: TEST_URL_2 }),
+      });
+
+      await registry.loadFromDatabase();
+
+      const factory = new ClickhouseFactory(registry);
+      const clientA = await factory.getClickhouseForOrganization("org-a", "standard");
+      const clientB = await factory.getClickhouseForOrganization("org-b", "standard");
+
+      expect(clientA).not.toBe(clientB);
+    }
+  );
+
+  postgresTest(
+    "after reload with a deleted store, org falls back to default",
+    async ({ prisma }) => {
+      const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+
+      await registry.addDataStore({
+        key: "removable-store",
+        kind: "CLICKHOUSE",
+        organizationIds: ["org-removable"],
+        config: ClickhouseConnectionSchema.parse({ url: TEST_URL }),
+      });
+
+      await registry.loadFromDatabase();
+
+      const factory = new ClickhouseFactory(registry);
+      const before = await factory.getClickhouseForOrganization("org-removable", "standard");
+      const defaultClient = await factory.getClickhouseForOrganization("org-no-store", "standard");
+      expect(before).not.toBe(defaultClient);
+
+      await registry.deleteDataStore({ key: "removable-store", kind: "CLICKHOUSE" });
+      await registry.reload();
+
+      const after = await factory.getClickhouseForOrganization("org-removable", "standard");
+      expect(after).toBe(defaultClient);
+    }
+  );
+});
diff --git a/apps/webapp/test/components/runs/v3/agent/AgentMessageView.test.ts b/apps/webapp/test/components/runs/v3/agent/AgentMessageView.test.ts
new file mode 100644
index 00000000000..0d16f8fa715
--- /dev/null
+++ b/apps/webapp/test/components/runs/v3/agent/AgentMessageView.test.ts
@@ -0,0 +1,33 @@
+import { describe, expect, it } from "vitest";
+import { toSafeUrl } from "~/components/runs/v3/agent/AgentMessageView";
+
+describe("toSafeUrl", () => {
+  it("allows http(s) and blob URLs", () => {
+    expect(toSafeUrl("https://example.com/x")).toBe("https://example.com/x");
+    expect(toSafeUrl("http://example.com/x")).toBe("http://example.com/x");
+    expect(toSafeUrl("blob:https://example.com/uuid")).toBe("blob:https://example.com/uuid");
+  });
+
+  it("rejects javascript: and other dangerous schemes", () => {
+    expect(toSafeUrl("javascript:alert(1)")).toBeNull();
+    expect(toSafeUrl("JavaScript:alert(1)")).toBeNull();
+    expect(toSafeUrl("vbscript:msgbox(1)")).toBeNull();
+    expect(toSafeUrl("file:///etc/passwd")).toBeNull();
+  });
+
+  it("rejects data: URLs unless inline images are explicitly allowed", () => {
+    const dataImage = "data:image/png;base64,iVBORw0KGgo=";
+    expect(toSafeUrl(dataImage)).toBeNull();
+    expect(toSafeUrl(dataImage, true)).toBe(dataImage);
+    // Only image data is allowed, even in image context — never data:text/html.
+    expect(toSafeUrl("data:text/html,<script>alert(1)</script>", true)).toBeNull();
+  });
+
+  it("rejects relative URLs and non-string/malformed input", () => {
+    expect(toSafeUrl("/relative/path")).toBeNull();
+    expect(toSafeUrl("not a url")).toBeNull();
+    expect(toSafeUrl(undefined)).toBeNull();
+    expect(toSafeUrl(null)).toBeNull();
+    expect(toSafeUrl(42)).toBeNull();
+  });
+});
diff --git a/apps/webapp/test/createDeploymentWithNextVersion.test.ts b/apps/webapp/test/createDeploymentWithNextVersion.test.ts
new file mode 100644
index 00000000000..aa135b3a316
--- /dev/null
+++ b/apps/webapp/test/createDeploymentWithNextVersion.test.ts
@@ -0,0 +1,133 @@
+import { containerTest } from "@internal/testcontainers";
+import { PrismaClient } from "@trigger.dev/database";
+import { describe, expect, vi } from "vitest";
+import {
+  createDeploymentWithNextVersion,
+  DeploymentVersionCollisionError,
+} from "~/v3/services/initializeDeployment/createDeploymentWithNextVersion.server";
+
+vi.setConfig({ testTimeout: 30_000 });
+
+async function seedEnvironment(prisma: PrismaClient) {
+  const slug = `s${Math.random().toString(36).slice(2, 10)}`;
+  const organization = await prisma.organization.create({
+    data: { title: slug, slug },
+  });
+
+  const project = await prisma.project.create({
+    data: {
+      name: slug,
+      slug,
+      organizationId: organization.id,
+      externalRef: slug,
+    },
+  });
+
+  const environment = await prisma.runtimeEnvironment.create({
+    data: {
+      slug,
+      type: "PRODUCTION",
+      projectId: project.id,
+      organizationId: organization.id,
+      apiKey: slug,
+      pkApiKey: slug,
+      shortcode: slug,
+    },
+  });
+
+  return { organization, project, environment };
+}
+
+describe("createDeploymentWithNextVersion", () => {
+  containerTest(
+    "assigns unique sequential versions for concurrent calls in the same environment",
+    async ({ prisma }) => {
+      const { project, environment } = await seedEnvironment(prisma);
+
+      const concurrency = 5;
+
+      const results = await Promise.all(
+        Array.from({ length: concurrency }, (_, i) =>
+          createDeploymentWithNextVersion(prisma, environment.id, (nextVersion) => ({
+            projectId: project.id,
+            friendlyId: `deployment_${i}_${nextVersion}`,
+            shortCode: `short_${i}_${nextVersion}`,
+            contentHash: `hash_${i}`,
+          }))
+        )
+      );
+
+      // The property we care about: N concurrent racers all end up with
+      // distinct, persistable versions. The retry path is exercised whenever
+      // collisions happen (visible in the `Worker deployment version collided`
+      // warn logs), and the exhaustion branch is covered deterministically by
+      // the maxRetries: 0 test below.
+      const versions = results.map((d) => d.version).sort();
+      expect(new Set(versions).size).toBe(concurrency);
+    }
+  );
+
+  containerTest(
+    "propagates non-P2002 errors immediately without retrying",
+    async ({ prisma }) => {
+      const { environment } = await seedEnvironment(prisma);
+
+      let buildDataCalls = 0;
+      const buildData = () => {
+        buildDataCalls++;
+        throw new Error("builder boom");
+      };
+
+      await expect(
+        createDeploymentWithNextVersion(prisma, environment.id, buildData)
+      ).rejects.toThrow("builder boom");
+
+      expect(buildDataCalls).toBe(1);
+    }
+  );
+
+  containerTest(
+    "wraps exhausted retries in DeploymentVersionCollisionError with the P2002 as cause",
+    async ({ prisma }) => {
+      const { project, environment } = await seedEnvironment(prisma);
+
+      const concurrency = 4;
+      // maxRetries: 0 → no retry path. Concurrent racers all attempt the same
+      // version; one wins, the rest must surface the wrapped collision error
+      // (not a raw P2002) so Sentry can distinguish exhaustion from any other
+      // unique-constraint violation.
+      const settled = await Promise.allSettled(
+        Array.from({ length: concurrency }, (_, i) =>
+          createDeploymentWithNextVersion(
+            prisma,
+            environment.id,
+            (nextVersion) => ({
+              projectId: project.id,
+              friendlyId: `deployment_${i}_${nextVersion}`,
+              shortCode: `short_${i}_${nextVersion}`,
+              contentHash: `hash_${i}`,
+            }),
+            { maxRetries: 0 }
+          )
+        )
+      );
+
+      const fulfilled = settled.filter((s) => s.status === "fulfilled");
+      const rejected = settled.filter(
+        (s): s is PromiseRejectedResult => s.status === "rejected"
+      );
+
+      expect(fulfilled.length).toBeGreaterThanOrEqual(1);
+      expect(rejected.length).toBeGreaterThanOrEqual(1);
+
+      for (const r of rejected) {
+        expect(r.reason).toBeInstanceOf(DeploymentVersionCollisionError);
+        const err = r.reason as DeploymentVersionCollisionError;
+        expect(err.environmentId).toBe(environment.id);
+        expect(err.attempts).toBe(1);
+        expect(err.lastAttemptedVersion).toMatch(/^\d{8}\.\d+$/);
+        expect((err.cause as { code?: string }).code).toBe("P2002");
+      }
+    }
+  );
+});
diff --git a/apps/webapp/test/detectbadJsonStrings.test.ts b/apps/webapp/test/detectbadJsonStrings.test.ts
index 7d14bf4aee8..f3d10037c47 100644
--- a/apps/webapp/test/detectbadJsonStrings.test.ts
+++ b/apps/webapp/test/detectbadJsonStrings.test.ts
@@ -180,6 +180,72 @@ describe("detectBadJsonStrings", () => {
     // The difference should be reasonable (not more than 5x)
     expect(noUnicodeTime / withUnicodeTime).toBeLessThan(5);
   });
+
+  describe("full UTF-16 low-surrogate range coverage (U+DC00–U+DFFF)", () => {
+    // Regression guard: a previous version of this scanner used `[cd]` to
+    // match the low-surrogate nibble, missing the entire U+DE00–U+DFFF
+    // half of the range. Valid surrogate pairs with low surrogates in that
+    // upper half (which includes most common emoji) were falsely flagged,
+    // and lone surrogates in the upper half were falsely passed.
+
+    it("does NOT flag a valid pair with low surrogate in the c range (U+DC00–U+DCFF)", () => {
+      // 🐍 SNAKE = U+1F40D = 🐍
+      expect(detectBadJsonStrings(`{"s":"\\ud83d\\udc0d"}`)).toBe(false);
+    });
+
+    it("does NOT flag a valid pair with low surrogate in the d range (U+DD00–U+DDFF)", () => {
+      // U+1F540 = 🕀
+      expect(detectBadJsonStrings(`{"s":"\\ud83d\\udd40"}`)).toBe(false);
+    });
+
+    it("does NOT flag a valid pair with low surrogate in the e range (U+DE00–U+DEFF)", () => {
+      // 😀 GRINNING FACE = U+1F600 = 😀 — previously false-flagged
+      expect(detectBadJsonStrings(`{"s":"\\ud83d\\ude00"}`)).toBe(false);
+    });
+
+    it("does NOT flag a valid pair with low surrogate in the f range (U+DF00–U+DFFF)", () => {
+      // U+1F700 = 🜀 — previously false-flagged
+      expect(detectBadJsonStrings(`{"s":"\\ud83d\\udf00"}`)).toBe(false);
+    });
+
+    it("flags a lone low surrogate in the e range (\\uDE00)", () => {
+      // Previously this was NOT flagged because the forward scan only
+      // recognised low surrogates with third nibble === "c" || "d".
+      expect(detectBadJsonStrings(`{"s":"prefix \\ude00 suffix"}`)).toBe(true);
+    });
+
+    it("flags a lone low surrogate in the f range (\\uDFFF)", () => {
+      expect(detectBadJsonStrings(`{"s":"prefix \\udfff suffix"}`)).toBe(true);
+    });
+
+    it("flags a high surrogate followed by something that looks like a low surrogate but is in the e range with a missing prefix", () => {
+      // The previous high-surrogate-then-pair check used `[cd]` for the
+      // matching low surrogate nibble, so any high surrogate followed by
+      // \uDe.. would be falsely flagged as unpaired. Verify the fix works
+      // for the valid case AND still flags genuinely broken inputs.
+      expect(detectBadJsonStrings(`{"s":"\\ud800X"}`)).toBe(true); // truly broken
+      expect(detectBadJsonStrings(`{"s":"\\ud83d\\ude00"}`)).toBe(false); // valid, but used to flag
+    });
+  });
+
+  describe("integration with JSON.stringify", () => {
+    it("does NOT flag JSON.stringify of a valid emoji 😀", () => {
+      // V8 emits the raw character for valid surrogate pairs, so the
+      // fast-path returns false without exercising the regex.
+      expect(detectBadJsonStrings(JSON.stringify("😀"))).toBe(false);
+    });
+
+    it("flags JSON.stringify of a lone high surrogate", () => {
+      expect(detectBadJsonStrings(JSON.stringify("\uD800"))).toBe(true);
+    });
+
+    it("flags JSON.stringify of a lone low surrogate in each of c/d/e/f ranges", () => {
+      expect(detectBadJsonStrings(JSON.stringify("\uDC00"))).toBe(true);
+      expect(detectBadJsonStrings(JSON.stringify("\uDD00"))).toBe(true);
+      expect(detectBadJsonStrings(JSON.stringify("\uDE00"))).toBe(true);
+      expect(detectBadJsonStrings(JSON.stringify("\uDFFF"))).toBe(true);
+    });
+  });
 });
 
 function processPacket(data: string): { data?: string; dataType?: string } {
diff --git a/apps/webapp/test/duplicateTaskIds.test.ts b/apps/webapp/test/duplicateTaskIds.test.ts
new file mode 100644
index 00000000000..f0f95806c56
--- /dev/null
+++ b/apps/webapp/test/duplicateTaskIds.test.ts
@@ -0,0 +1,55 @@
+import { describe, it, expect } from "vitest";
+import { ServiceValidationError } from "~/v3/services/common.server";
+import { assertNoDuplicateTaskIds } from "~/v3/services/duplicateTaskIds.server";
+
+function task(partial: { id: string; filePath?: string; exportName?: string; triggerSource?: string }) {
+  return {
+    filePath: "src/trigger/example.ts",
+    exportName: "exampleTask",
+    ...partial,
+  } as any;
+}
+
+describe("assertNoDuplicateTaskIds", () => {
+  it("does not throw when all task ids are unique", () => {
+    const tasks = [task({ id: "a" }), task({ id: "b" }), task({ id: "c" })];
+
+    expect(() => assertNoDuplicateTaskIds(tasks)).not.toThrow();
+  });
+
+  it("throws a ServiceValidationError when a task id is duplicated", () => {
+    const tasks = [task({ id: "a" }), task({ id: "a" })];
+
+    expect(() => assertNoDuplicateTaskIds(tasks)).toThrow(ServiceValidationError);
+  });
+
+  it("reports a 400 and names the duplicate id and its files", () => {
+    const tasks = [
+      task({ id: "report", filePath: "src/trigger/report.ts" }),
+      task({ id: "report", filePath: "src/trigger/scheduled.ts" }),
+    ];
+
+    let error: unknown;
+    try {
+      assertNoDuplicateTaskIds(tasks);
+    } catch (e) {
+      error = e;
+    }
+
+    expect(error).toBeInstanceOf(ServiceValidationError);
+    const validationError = error as ServiceValidationError;
+    expect(validationError.status).toBe(400);
+    expect(validationError.message).toContain("report");
+    expect(validationError.message).toContain("src/trigger/report.ts");
+    expect(validationError.message).toContain("src/trigger/scheduled.ts");
+  });
+
+  it("detects duplicates across different task types (a schedule and a regular task sharing an id)", () => {
+    const tasks = [
+      task({ id: "report", triggerSource: undefined, filePath: "src/trigger/report.ts" }),
+      task({ id: "report", triggerSource: "schedule", filePath: "src/trigger/scheduled.ts" }),
+    ];
+
+    expect(() => assertNoDuplicateTaskIds(tasks)).toThrow(ServiceValidationError);
+  });
+});
diff --git a/apps/webapp/test/engine/streamBatchItems.test.ts b/apps/webapp/test/engine/streamBatchItems.test.ts
index 2dee8668762..072f24986b1 100644
--- a/apps/webapp/test/engine/streamBatchItems.test.ts
+++ b/apps/webapp/test/engine/streamBatchItems.test.ts
@@ -16,7 +16,9 @@ vi.mock("~/services/platform.v3.server", async (importOriginal) => {
 
 import { RunEngine } from "@internal/run-engine";
 import { setupAuthenticatedEnvironment } from "@internal/run-engine/tests";
-import { containerTest } from "@internal/testcontainers";
+// Per-test redis isolation: each test runs its own RunEngine whose background work outlives the test
+// body. NoClickhouse because this suite never touches ClickHouse - skips the worker-scoped boot+migrate.
+import { containerTestWithIsolatedRedisNoClickhouse as containerTest } from "@internal/testcontainers";
 import { trace } from "@opentelemetry/api";
 import { PrismaClient } from "@trigger.dev/database";
 import { BatchId } from "@trigger.dev/core/v3/isomorphic";
@@ -29,7 +31,9 @@ import {
 } from "../../app/runEngine/services/streamBatchItems.server";
 import { ServiceValidationError } from "../../app/v3/services/baseService.server";
 
-vi.setConfig({ testTimeout: 30_000 }); // 30 seconds timeout
+// 120s: a cold per-test container boot counts against the test's own timeout, and under CI Docker
+// contention 30s was too tight. Matches the run-engine convention for this footprint.
+vi.setConfig({ testTimeout: 120_000 });
 
 describe("StreamBatchItemsService", () => {
   /**
@@ -40,8 +44,9 @@ describe("StreamBatchItemsService", () => {
     environmentId: string,
     options: {
       runCount: number;
-      status?: "PENDING" | "PROCESSING" | "COMPLETED" | "ABORTED";
+      status?: "PENDING" | "PROCESSING" | "COMPLETED" | "PARTIAL_FAILED" | "ABORTED";
       sealed?: boolean;
+      processingCompletedAt?: Date | null;
     }
   ) {
     const { id, friendlyId } = BatchId.generate();
@@ -57,6 +62,7 @@ describe("StreamBatchItemsService", () => {
         runIds: [],
         batchVersion: "runengine:v2",
         sealed: options.sealed ?? false,
+        processingCompletedAt: options.processingCompletedAt ?? null,
       },
     });
 
@@ -174,7 +180,7 @@ describe("StreamBatchItemsService", () => {
   );
 
   containerTest(
-    "should handle race condition when batch already sealed by another request",
+    "should return sealed=true when batch is already sealed and PROCESSING (Phase 2 retry idempotency)",
     async ({ prisma, redisOptions }) => {
       const engine = new RunEngine({
         prisma,
@@ -211,14 +217,825 @@ describe("StreamBatchItemsService", () => {
 
       const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
 
-      // Create a batch that is already sealed and PROCESSING (simulating another request won the race)
+      // Simulate the SDK retrying Phase 2 after the original request succeeded:
+      // the original request already sealed the batch and moved it to PROCESSING.
       const batch = await createBatch(prisma, authenticatedEnvironment.id, {
         runCount: 2,
         status: "PROCESSING",
         sealed: true,
       });
 
-      // Initialize the batch in Redis with full count
+      const service = new StreamBatchItemsService({
+        prisma,
+        engine,
+      });
+
+      const result = await service.call(
+        authenticatedEnvironment,
+        batch.friendlyId,
+        itemsToAsyncIterable([]),
+        {
+          maxItemBytes: 1024 * 1024,
+        }
+      );
+
+      // The retry should be treated as success — the original request already
+      // enqueued every item, so the SDK should stop retrying.
+      expect(result.sealed).toBe(true);
+      expect(result.id).toBe(batch.friendlyId);
+      expect(result.itemsAccepted).toBe(0);
+      expect(result.itemsDeduplicated).toBe(0);
+      expect(result.runCount).toBe(2);
+
+      await engine.quit();
+    }
+  );
+
+  containerTest(
+    "should return sealed=true when batch is COMPLETED before Phase 2 retry arrives (TRI-9944)",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+          disabled: true,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0005,
+        },
+        batchQueue: {
+          redis: redisOptions,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      // The customer-reported scenario: single-item batch where the original
+      // Phase 2 request succeeded server-side, the run executed fast, the batch
+      // flipped to COMPLETED, then the lost-response SDK retry hits us.
+      // Note: tryCompleteBatch sets status=COMPLETED but does NOT set sealed=true.
+      const batch = await createBatch(prisma, authenticatedEnvironment.id, {
+        runCount: 1,
+        status: "COMPLETED",
+        sealed: false,
+      });
+
+      const service = new StreamBatchItemsService({
+        prisma,
+        engine,
+      });
+
+      const result = await service.call(
+        authenticatedEnvironment,
+        batch.friendlyId,
+        itemsToAsyncIterable([]),
+        {
+          maxItemBytes: 1024 * 1024,
+        }
+      );
+
+      expect(result.sealed).toBe(true);
+      expect(result.id).toBe(batch.friendlyId);
+      expect(result.itemsAccepted).toBe(0);
+      expect(result.itemsDeduplicated).toBe(0);
+
+      await engine.quit();
+    }
+  );
+
+  containerTest(
+    "should throw when batch is in ABORTED status",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+          disabled: true,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0005,
+        },
+        batchQueue: {
+          redis: redisOptions,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      const batch = await createBatch(prisma, authenticatedEnvironment.id, {
+        runCount: 2,
+        status: "ABORTED",
+        sealed: false,
+      });
+
+      const service = new StreamBatchItemsService({
+        prisma,
+        engine,
+      });
+
+      await expect(
+        service.call(authenticatedEnvironment, batch.friendlyId, itemsToAsyncIterable([]), {
+          maxItemBytes: 1024 * 1024,
+        })
+      ).rejects.toThrow(ServiceValidationError);
+
+      await engine.quit();
+    }
+  );
+
+  containerTest(
+    "should throw when batch is sealed but ABORTED (callback aborted post-seal must surface as error)",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+          disabled: true,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0005,
+        },
+        batchQueue: {
+          redis: redisOptions,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      // V2 batch completion callback sets status=ABORTED (failedRunCount > 0 &&
+      // successfulRunCount === 0) without touching sealed=true that the seal
+      // step previously set. The Phase 2 retry must NOT mask this terminal
+      // failure as success — every run failed.
+      const batch = await createBatch(prisma, authenticatedEnvironment.id, {
+        runCount: 2,
+        status: "ABORTED",
+        sealed: true,
+      });
+
+      const service = new StreamBatchItemsService({
+        prisma,
+        engine,
+      });
+
+      await expect(
+        service.call(authenticatedEnvironment, batch.friendlyId, itemsToAsyncIterable([]), {
+          maxItemBytes: 1024 * 1024,
+        })
+      ).rejects.toThrow(ServiceValidationError);
+
+      await engine.quit();
+    }
+  );
+
+  containerTest(
+    "should return sealed=true when batch is PARTIAL_FAILED (Phase 2 retry idempotency)",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+          disabled: true,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0005,
+        },
+        batchQueue: {
+          redis: redisOptions,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      // V2 completion callback sets PARTIAL_FAILED when some run-creation
+      // attempts failed but at least one succeeded. The Phase 2 stream itself
+      // did its job (items were enqueued and processed), so a retry should
+      // see this as terminal success — the per-item failures are visible on
+      // the individual run records.
+      const batch = await createBatch(prisma, authenticatedEnvironment.id, {
+        runCount: 2,
+        status: "PARTIAL_FAILED",
+        sealed: false,
+      });
+
+      const service = new StreamBatchItemsService({
+        prisma,
+        engine,
+      });
+
+      const result = await service.call(
+        authenticatedEnvironment,
+        batch.friendlyId,
+        itemsToAsyncIterable([]),
+        {
+          maxItemBytes: 1024 * 1024,
+        }
+      );
+
+      expect(result.sealed).toBe(true);
+      expect(result.id).toBe(batch.friendlyId);
+      expect(result.itemsAccepted).toBe(0);
+      expect(result.itemsDeduplicated).toBe(0);
+
+      await engine.quit();
+    }
+  );
+
+  containerTest(
+    "should return sealed=true when batch is PARTIAL_FAILED by callback before seal attempt",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+          disabled: true,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0005,
+        },
+        batchQueue: {
+          redis: redisOptions,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      const batch = await createBatch(prisma, authenticatedEnvironment.id, {
+        runCount: 2,
+        status: "PENDING",
+        sealed: false,
+      });
+
+      await engine.initializeBatch({
+        batchId: batch.id,
+        friendlyId: batch.friendlyId,
+        environmentId: authenticatedEnvironment.id,
+        environmentType: authenticatedEnvironment.type,
+        organizationId: authenticatedEnvironment.organizationId,
+        projectId: authenticatedEnvironment.projectId,
+        runCount: 2,
+        processingConcurrency: 10,
+      });
+
+      await engine.enqueueBatchItem(batch.id, authenticatedEnvironment.id, 0, {
+        task: "test-task",
+        payload: JSON.stringify({ data: "item1" }),
+        payloadType: "application/json",
+      });
+      await engine.enqueueBatchItem(batch.id, authenticatedEnvironment.id, 1, {
+        task: "test-task",
+        payload: JSON.stringify({ data: "item2" }),
+        payloadType: "application/json",
+      });
+
+      // Simulate the race where V2's batchCompletionCallback runs between
+      // getEnqueuedCount and the seal updateMany — some runs failed to create
+      // but at least one succeeded, so callback sets status=PARTIAL_FAILED
+      // without setting sealed=true.
+      const racingPrisma = {
+        ...prisma,
+        batchTaskRun: {
+          ...prisma.batchTaskRun,
+          findFirst: prisma.batchTaskRun.findFirst.bind(prisma.batchTaskRun),
+          updateMany: async () => {
+            await prisma.batchTaskRun.update({
+              where: { id: batch.id },
+              data: {
+                status: "PARTIAL_FAILED",
+              },
+            });
+            return { count: 0 };
+          },
+          findUnique: prisma.batchTaskRun.findUnique.bind(prisma.batchTaskRun),
+        },
+      } as unknown as PrismaClient;
+
+      const service = new StreamBatchItemsService({
+        prisma: racingPrisma,
+        engine,
+      });
+
+      const result = await service.call(
+        authenticatedEnvironment,
+        batch.friendlyId,
+        itemsToAsyncIterable([]),
+        {
+          maxItemBytes: 1024 * 1024,
+        }
+      );
+
+      expect(result.sealed).toBe(true);
+      expect(result.id).toBe(batch.friendlyId);
+
+      const updatedBatch = await prisma.batchTaskRun.findUnique({
+        where: { id: batch.id },
+      });
+
+      expect(updatedBatch?.status).toBe("PARTIAL_FAILED");
+      expect(updatedBatch?.sealed).toBe(false);
+
+      await engine.quit();
+    }
+  );
+
+  containerTest(
+    "should return sealed=true when concurrent request already sealed the batch during seal attempt",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+          disabled: true,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0005,
+        },
+        batchQueue: {
+          redis: redisOptions,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      // Create a batch in PENDING state
+      const batch = await createBatch(prisma, authenticatedEnvironment.id, {
+        runCount: 2,
+        status: "PENDING",
+        sealed: false,
+      });
+
+      // Initialize the batch in Redis
+      await engine.initializeBatch({
+        batchId: batch.id,
+        friendlyId: batch.friendlyId,
+        environmentId: authenticatedEnvironment.id,
+        environmentType: authenticatedEnvironment.type,
+        organizationId: authenticatedEnvironment.organizationId,
+        projectId: authenticatedEnvironment.projectId,
+        runCount: 2,
+        processingConcurrency: 10,
+      });
+
+      // Enqueue items
+      await engine.enqueueBatchItem(batch.id, authenticatedEnvironment.id, 0, {
+        task: "test-task",
+        payload: JSON.stringify({ data: "item1" }),
+        payloadType: "application/json",
+      });
+      await engine.enqueueBatchItem(batch.id, authenticatedEnvironment.id, 1, {
+        task: "test-task",
+        payload: JSON.stringify({ data: "item2" }),
+        payloadType: "application/json",
+      });
+
+      // Create a custom prisma client that simulates a race condition:
+      // When updateMany is called on batchTaskRun, it returns count: 0 (as if another request beat us)
+      // but the subsequent findUnique shows the batch is sealed and PROCESSING
+      const racingPrisma = {
+        ...prisma,
+        batchTaskRun: {
+          ...prisma.batchTaskRun,
+          findFirst: prisma.batchTaskRun.findFirst.bind(prisma.batchTaskRun),
+          updateMany: async () => {
+            // Simulate another request winning the race - seal the batch first
+            await prisma.batchTaskRun.update({
+              where: { id: batch.id },
+              data: {
+                sealed: true,
+                sealedAt: new Date(),
+                status: "PROCESSING",
+                processingStartedAt: new Date(),
+              },
+            });
+            // Return 0 as if the conditional update failed
+            return { count: 0 };
+          },
+          findUnique: prisma.batchTaskRun.findUnique.bind(prisma.batchTaskRun),
+        },
+      } as unknown as PrismaClient;
+
+      const service = new StreamBatchItemsService({
+        prisma: racingPrisma,
+        engine,
+      });
+
+      // Call the service - it should detect the race and return success since batch is sealed
+      const result = await service.call(
+        authenticatedEnvironment,
+        batch.friendlyId,
+        itemsToAsyncIterable([]),
+        {
+          maxItemBytes: 1024 * 1024,
+        }
+      );
+
+      // Should return sealed=true because the batch was sealed (by the "other" request)
+      expect(result.sealed).toBe(true);
+      expect(result.id).toBe(batch.friendlyId);
+
+      // Verify the batch is sealed in the database
+      const updatedBatch = await prisma.batchTaskRun.findUnique({
+        where: { id: batch.id },
+      });
+
+      expect(updatedBatch?.sealed).toBe(true);
+      expect(updatedBatch?.status).toBe("PROCESSING");
+
+      await engine.quit();
+    }
+  );
+
+  containerTest(
+    "should return sealed=true when batch is COMPLETED by BatchQueue before seal attempt",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+          disabled: true,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0005,
+        },
+        batchQueue: {
+          redis: redisOptions,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      // Create a batch in PENDING state
+      const batch = await createBatch(prisma, authenticatedEnvironment.id, {
+        runCount: 2,
+        status: "PENDING",
+        sealed: false,
+      });
+
+      // Initialize the batch in Redis
+      await engine.initializeBatch({
+        batchId: batch.id,
+        friendlyId: batch.friendlyId,
+        environmentId: authenticatedEnvironment.id,
+        environmentType: authenticatedEnvironment.type,
+        organizationId: authenticatedEnvironment.organizationId,
+        projectId: authenticatedEnvironment.projectId,
+        runCount: 2,
+        processingConcurrency: 10,
+      });
+
+      // Enqueue items - the enqueued count check passes but the seal updateMany
+      // will race with tryCompleteBatch moving status to COMPLETED.
+      await engine.enqueueBatchItem(batch.id, authenticatedEnvironment.id, 0, {
+        task: "test-task",
+        payload: JSON.stringify({ data: "item1" }),
+        payloadType: "application/json",
+      });
+      await engine.enqueueBatchItem(batch.id, authenticatedEnvironment.id, 1, {
+        task: "test-task",
+        payload: JSON.stringify({ data: "item2" }),
+        payloadType: "application/json",
+      });
+
+      // Simulate the race where BatchQueue's completionCallback runs
+      // tryCompleteBatch between getEnqueuedCount and the seal updateMany.
+      // tryCompleteBatch sets status=COMPLETED but NOT sealed=true.
+      const racingPrisma = {
+        ...prisma,
+        batchTaskRun: {
+          ...prisma.batchTaskRun,
+          findFirst: prisma.batchTaskRun.findFirst.bind(prisma.batchTaskRun),
+          updateMany: async () => {
+            await prisma.batchTaskRun.update({
+              where: { id: batch.id },
+              data: {
+                status: "COMPLETED",
+              },
+            });
+            // The conditional updateMany(where: status="PENDING") would now fail
+            return { count: 0 };
+          },
+          findUnique: prisma.batchTaskRun.findUnique.bind(prisma.batchTaskRun),
+        },
+      } as unknown as PrismaClient;
+
+      const service = new StreamBatchItemsService({
+        prisma: racingPrisma,
+        engine,
+      });
+
+      const result = await service.call(
+        authenticatedEnvironment,
+        batch.friendlyId,
+        itemsToAsyncIterable([]),
+        {
+          maxItemBytes: 1024 * 1024,
+        }
+      );
+
+      // The endpoint should accept the COMPLETED state as a success case so the
+      // SDK does not retry a batch whose child runs have already finished.
+      expect(result.sealed).toBe(true);
+      expect(result.id).toBe(batch.friendlyId);
+
+      const updatedBatch = await prisma.batchTaskRun.findUnique({
+        where: { id: batch.id },
+      });
+
+      expect(updatedBatch?.status).toBe("COMPLETED");
+      // sealed stays false because the BatchQueue completion path does not set
+      // it - that's fine, the batch is terminal.
+      expect(updatedBatch?.sealed).toBe(false);
+
+      await engine.quit();
+    }
+  );
+
+  containerTest(
+    "should throw error when race condition leaves batch in unexpected state",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+          disabled: true,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0005,
+        },
+        batchQueue: {
+          redis: redisOptions,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      // Create a batch in PENDING state
+      const batch = await createBatch(prisma, authenticatedEnvironment.id, {
+        runCount: 2,
+        status: "PENDING",
+        sealed: false,
+      });
+
+      // Initialize the batch in Redis
+      await engine.initializeBatch({
+        batchId: batch.id,
+        friendlyId: batch.friendlyId,
+        environmentId: authenticatedEnvironment.id,
+        environmentType: authenticatedEnvironment.type,
+        organizationId: authenticatedEnvironment.organizationId,
+        projectId: authenticatedEnvironment.projectId,
+        runCount: 2,
+        processingConcurrency: 10,
+      });
+
+      // Enqueue items
+      await engine.enqueueBatchItem(batch.id, authenticatedEnvironment.id, 0, {
+        task: "test-task",
+        payload: JSON.stringify({ data: "item1" }),
+        payloadType: "application/json",
+      });
+      await engine.enqueueBatchItem(batch.id, authenticatedEnvironment.id, 1, {
+        task: "test-task",
+        payload: JSON.stringify({ data: "item2" }),
+        payloadType: "application/json",
+      });
+
+      // Create a custom prisma client that simulates a race condition where
+      // the batch ends up in an unexpected state (ABORTED instead of PROCESSING)
+      const racingPrisma = {
+        ...prisma,
+        batchTaskRun: {
+          ...prisma.batchTaskRun,
+          findFirst: prisma.batchTaskRun.findFirst.bind(prisma.batchTaskRun),
+          updateMany: async () => {
+            // Simulate the batch being aborted by another process
+            await prisma.batchTaskRun.update({
+              where: { id: batch.id },
+              data: {
+                sealed: true,
+                status: "ABORTED",
+              },
+            });
+            // Return 0 as if the conditional update failed
+            return { count: 0 };
+          },
+          findUnique: prisma.batchTaskRun.findUnique.bind(prisma.batchTaskRun),
+        },
+      } as unknown as PrismaClient;
+
+      const service = new StreamBatchItemsService({
+        prisma: racingPrisma,
+        engine,
+      });
+
+      // Call the service - it should throw because the batch is in an unexpected state
+      await expect(
+        service.call(authenticatedEnvironment, batch.friendlyId, itemsToAsyncIterable([]), {
+          maxItemBytes: 1024 * 1024,
+        })
+      ).rejects.toThrow(/unexpected state/);
+
+      await engine.quit();
+    }
+  );
+
+  containerTest(
+    "should return sealed=false when item count does not match",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+          disabled: true,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0005,
+        },
+        batchQueue: {
+          redis: redisOptions,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      // Create a batch expecting 3 items
+      const batch = await createBatch(prisma, authenticatedEnvironment.id, {
+        runCount: 3,
+        status: "PENDING",
+        sealed: false,
+      });
+
+      // Initialize the batch in Redis
       await engine.initializeBatch({
         batchId: batch.id,
         friendlyId: batch.friendlyId,
@@ -226,11 +1043,11 @@ describe("StreamBatchItemsService", () => {
         environmentType: authenticatedEnvironment.type,
         organizationId: authenticatedEnvironment.organizationId,
         projectId: authenticatedEnvironment.projectId,
-        runCount: 2,
+        runCount: 3,
         processingConcurrency: 10,
       });
 
-      // Enqueue items directly
+      // Only enqueue 2 items (1 short of expected)
       await engine.enqueueBatchItem(batch.id, authenticatedEnvironment.id, 0, {
         task: "test-task",
         payload: JSON.stringify({ data: "item1" }),
@@ -247,19 +1064,34 @@ describe("StreamBatchItemsService", () => {
         engine,
       });
 
-      // This should fail because the batch is already sealed
-      await expect(
-        service.call(authenticatedEnvironment, batch.friendlyId, itemsToAsyncIterable([]), {
+      const result = await service.call(
+        authenticatedEnvironment,
+        batch.friendlyId,
+        itemsToAsyncIterable([]),
+        {
           maxItemBytes: 1024 * 1024,
-        })
-      ).rejects.toThrow(ServiceValidationError);
+        }
+      );
+
+      // Should return sealed=false because item count doesn't match
+      expect(result.sealed).toBe(false);
+      expect(result.enqueuedCount).toBe(2);
+      expect(result.expectedCount).toBe(3);
+
+      // Verify the batch is NOT sealed in the database
+      const updatedBatch = await prisma.batchTaskRun.findUnique({
+        where: { id: batch.id },
+      });
+
+      expect(updatedBatch?.sealed).toBe(false);
+      expect(updatedBatch?.status).toBe("PENDING");
 
       await engine.quit();
     }
   );
 
   containerTest(
-    "should return sealed=true when concurrent request already sealed the batch during seal attempt",
+    "should return sealed=true when seal-failed race produces sealed=true + PENDING (post-callback all-created)",
     async ({ prisma, redisOptions }) => {
       const engine = new RunEngine({
         prisma,
@@ -296,14 +1128,12 @@ describe("StreamBatchItemsService", () => {
 
       const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
 
-      // Create a batch in PENDING state
       const batch = await createBatch(prisma, authenticatedEnvironment.id, {
         runCount: 2,
         status: "PENDING",
         sealed: false,
       });
 
-      // Initialize the batch in Redis
       await engine.initializeBatch({
         batchId: batch.id,
         friendlyId: batch.friendlyId,
@@ -315,7 +1145,6 @@ describe("StreamBatchItemsService", () => {
         processingConcurrency: 10,
       });
 
-      // Enqueue items
       await engine.enqueueBatchItem(batch.id, authenticatedEnvironment.id, 0, {
         task: "test-task",
         payload: JSON.stringify({ data: "item1" }),
@@ -327,26 +1156,28 @@ describe("StreamBatchItemsService", () => {
         payloadType: "application/json",
       });
 
-      // Create a custom prisma client that simulates a race condition:
-      // When updateMany is called on batchTaskRun, it returns count: 0 (as if another request beat us)
-      // but the subsequent findUnique shows the batch is sealed and PROCESSING
+      // Simulate the race where a concurrent path seals the batch (sealed=true,
+      // PROCESSING), then the V2 batchCompletionCallback fires with all runs
+      // created successfully and resets status to PENDING (sealed stays true).
+      // Our seal updateMany then fails the conditional (sealed=false no longer
+      // matches), and the re-query sees sealed=true + PENDING — a perfectly
+      // valid post-callback state that the SDK retry should treat as success.
       const racingPrisma = {
         ...prisma,
         batchTaskRun: {
           ...prisma.batchTaskRun,
           findFirst: prisma.batchTaskRun.findFirst.bind(prisma.batchTaskRun),
           updateMany: async () => {
-            // Simulate another request winning the race - seal the batch first
             await prisma.batchTaskRun.update({
               where: { id: batch.id },
               data: {
                 sealed: true,
                 sealedAt: new Date(),
-                status: "PROCESSING",
-                processingStartedAt: new Date(),
+                // Intentionally leave status as PENDING — that's exactly what
+                // the V2 batchCompletionCallback does after all runs are
+                // created (status PROCESSING → PENDING).
               },
             });
-            // Return 0 as if the conditional update failed
             return { count: 0 };
           },
           findUnique: prisma.batchTaskRun.findUnique.bind(prisma.batchTaskRun),
@@ -358,7 +1189,6 @@ describe("StreamBatchItemsService", () => {
         engine,
       });
 
-      // Call the service - it should detect the race and return success since batch is sealed
       const result = await service.call(
         authenticatedEnvironment,
         batch.friendlyId,
@@ -368,24 +1198,22 @@ describe("StreamBatchItemsService", () => {
         }
       );
 
-      // Should return sealed=true because the batch was sealed (by the "other" request)
       expect(result.sealed).toBe(true);
       expect(result.id).toBe(batch.friendlyId);
 
-      // Verify the batch is sealed in the database
       const updatedBatch = await prisma.batchTaskRun.findUnique({
         where: { id: batch.id },
       });
 
       expect(updatedBatch?.sealed).toBe(true);
-      expect(updatedBatch?.status).toBe("PROCESSING");
+      expect(updatedBatch?.status).toBe("PENDING");
 
       await engine.quit();
     }
   );
 
   containerTest(
-    "should throw error when race condition leaves batch in unexpected state",
+    "should throw when count-mismatch race produces sealed=true + ABORTED (no TaskRuns created)",
     async ({ prisma, redisOptions }) => {
       const engine = new RunEngine({
         prisma,
@@ -422,14 +1250,12 @@ describe("StreamBatchItemsService", () => {
 
       const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
 
-      // Create a batch in PENDING state
       const batch = await createBatch(prisma, authenticatedEnvironment.id, {
-        runCount: 2,
+        runCount: 3,
         status: "PENDING",
         sealed: false,
       });
 
-      // Initialize the batch in Redis
       await engine.initializeBatch({
         batchId: batch.id,
         friendlyId: batch.friendlyId,
@@ -437,11 +1263,17 @@ describe("StreamBatchItemsService", () => {
         environmentType: authenticatedEnvironment.type,
         organizationId: authenticatedEnvironment.organizationId,
         projectId: authenticatedEnvironment.projectId,
-        runCount: 2,
+        runCount: 3,
         processingConcurrency: 10,
       });
 
-      // Enqueue items
+      // Only enqueue 2 items so the post-loop count check trips into the
+      // mismatch handler. The race we're simulating: between our pre-loop
+      // findFirst and the count-mismatch re-query, a concurrent path sealed
+      // the batch, runs were attempted, every run-creation failed AND the
+      // pre-failed-TaskRun fallback also failed → callback sets ABORTED.
+      // The customer has zero TaskRun records to monitor, so the retry must
+      // throw rather than silently succeed.
       await engine.enqueueBatchItem(batch.id, authenticatedEnvironment.id, 0, {
         task: "test-task",
         payload: JSON.stringify({ data: "item1" }),
@@ -453,25 +1285,31 @@ describe("StreamBatchItemsService", () => {
         payloadType: "application/json",
       });
 
-      // Create a custom prisma client that simulates a race condition where
-      // the batch ends up in an unexpected state (ABORTED instead of PROCESSING)
+      // Override findFirst to flip the batch to sealed=true + ABORTED on the
+      // re-query that happens INSIDE the count-mismatch branch. The first
+      // findFirst (pre-loop) must still see PENDING + sealed=false so we
+      // pass through and reach the count-mismatch branch.
+      let findFirstCallCount = 0;
       const racingPrisma = {
         ...prisma,
         batchTaskRun: {
           ...prisma.batchTaskRun,
-          findFirst: prisma.batchTaskRun.findFirst.bind(prisma.batchTaskRun),
-          updateMany: async () => {
-            // Simulate the batch being aborted by another process
-            await prisma.batchTaskRun.update({
-              where: { id: batch.id },
-              data: {
-                sealed: true,
-                status: "ABORTED",
-              },
-            });
-            // Return 0 as if the conditional update failed
-            return { count: 0 };
+          findFirst: async (args: Parameters<typeof prisma.batchTaskRun.findFirst>[0]) => {
+            findFirstCallCount++;
+            if (findFirstCallCount >= 2) {
+              await prisma.batchTaskRun.update({
+                where: { id: batch.id },
+                data: {
+                  sealed: true,
+                  sealedAt: new Date(),
+                  status: "ABORTED",
+                  completedAt: new Date(),
+                },
+              });
+            }
+            return prisma.batchTaskRun.findFirst.call(prisma.batchTaskRun, args);
           },
+          updateMany: prisma.batchTaskRun.updateMany.bind(prisma.batchTaskRun),
           findUnique: prisma.batchTaskRun.findUnique.bind(prisma.batchTaskRun),
         },
       } as unknown as PrismaClient;
@@ -481,19 +1319,18 @@ describe("StreamBatchItemsService", () => {
         engine,
       });
 
-      // Call the service - it should throw because the batch is in an unexpected state
       await expect(
         service.call(authenticatedEnvironment, batch.friendlyId, itemsToAsyncIterable([]), {
           maxItemBytes: 1024 * 1024,
         })
-      ).rejects.toThrow(/unexpected state/);
+      ).rejects.toThrow(ServiceValidationError);
 
       await engine.quit();
     }
   );
 
   containerTest(
-    "should return sealed=false when item count does not match",
+    "should return sealed=true when batch is sealed=false + PENDING + processingCompletedAt set (pre-loop post-callback)",
     async ({ prisma, redisOptions }) => {
       const engine = new RunEngine({
         prisma,
@@ -530,14 +1367,93 @@ describe("StreamBatchItemsService", () => {
 
       const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
 
-      // Create a batch expecting 3 items
+      // The V2 batchCompletionCallback set processingCompletedAt without
+      // touching sealed (sealed gets set by streamBatchItems, not the callback).
+      // Status stays PENDING because every run was created successfully (the
+      // callback's "all created, waiting for completion" branch). A Phase 2
+      // retry arriving in this state must treat it as success — every item
+      // has a TaskRun record for the customer to monitor.
       const batch = await createBatch(prisma, authenticatedEnvironment.id, {
-        runCount: 3,
+        runCount: 4,
+        status: "PENDING",
+        sealed: false,
+        processingCompletedAt: new Date(),
+      });
+
+      const service = new StreamBatchItemsService({
+        prisma,
+        engine,
+      });
+
+      const result = await service.call(
+        authenticatedEnvironment,
+        batch.friendlyId,
+        itemsToAsyncIterable([]),
+        {
+          maxItemBytes: 1024 * 1024,
+        }
+      );
+
+      expect(result.sealed).toBe(true);
+      expect(result.id).toBe(batch.friendlyId);
+      expect(result.itemsAccepted).toBe(0);
+      expect(result.itemsDeduplicated).toBe(0);
+
+      await engine.quit();
+    }
+  );
+
+  containerTest(
+    "should return sealed=true on count-mismatch when callback fired before our getEnqueuedCount (cleanup race — customer scenario)",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+          disabled: true,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0005,
+        },
+        batchQueue: {
+          redis: redisOptions,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      // The customer's exact case: 4-item batch, BatchQueue rushes through
+      // all items before our service finishes its loop, callback fires
+      // (setting processingCompletedAt; status stays PENDING because all
+      // runs created cleanly), cleanup deletes Redis state. Our service
+      // hits the count-mismatch branch because getBatchEnqueuedCount returns
+      // 0 (cleaned). The re-query sees sealed=false + PENDING but
+      // processingCompletedAt is set — the work is done.
+      const batch = await createBatch(prisma, authenticatedEnvironment.id, {
+        runCount: 4,
         status: "PENDING",
         sealed: false,
       });
 
-      // Initialize the batch in Redis
       await engine.initializeBatch({
         batchId: batch.id,
         friendlyId: batch.friendlyId,
@@ -545,24 +1461,45 @@ describe("StreamBatchItemsService", () => {
         environmentType: authenticatedEnvironment.type,
         organizationId: authenticatedEnvironment.organizationId,
         projectId: authenticatedEnvironment.projectId,
-        runCount: 3,
+        runCount: 4,
         processingConcurrency: 10,
       });
 
-      // Only enqueue 2 items (1 short of expected)
-      await engine.enqueueBatchItem(batch.id, authenticatedEnvironment.id, 0, {
-        task: "test-task",
-        payload: JSON.stringify({ data: "item1" }),
-        payloadType: "application/json",
-      });
-      await engine.enqueueBatchItem(batch.id, authenticatedEnvironment.id, 1, {
-        task: "test-task",
-        payload: JSON.stringify({ data: "item2" }),
-        payloadType: "application/json",
-      });
+      // Force the count-mismatch branch by leaving Redis at 0 items vs
+      // runCount=4. The pre-loop must see "initial" state (so it passes
+      // through to the loop), and the count-mismatch re-query must see
+      // "post-callback" state. Use a findFirst counter to flip the DB
+      // between those two reads, exactly matching the production timing
+      // where the callback fires while our loop is running.
+      let findFirstCallCount = 0;
+      const racingPrisma = {
+        ...prisma,
+        batchTaskRun: {
+          ...prisma.batchTaskRun,
+          findFirst: async (args: Parameters<typeof prisma.batchTaskRun.findFirst>[0]) => {
+            findFirstCallCount++;
+            if (findFirstCallCount === 2) {
+              // The post-loop count-mismatch re-query: BatchQueue completed
+              // all items and the callback fired in the window before this
+              // read. Status stays PENDING (all runs created OK) but
+              // processingCompletedAt is now set.
+              await prisma.batchTaskRun.update({
+                where: { id: batch.id },
+                data: {
+                  processingCompletedAt: new Date(),
+                  successfulRunCount: 4,
+                },
+              });
+            }
+            return prisma.batchTaskRun.findFirst.call(prisma.batchTaskRun, args);
+          },
+          updateMany: prisma.batchTaskRun.updateMany.bind(prisma.batchTaskRun),
+          findUnique: prisma.batchTaskRun.findUnique.bind(prisma.batchTaskRun),
+        },
+      } as unknown as PrismaClient;
 
       const service = new StreamBatchItemsService({
-        prisma,
+        prisma: racingPrisma,
         engine,
       });
 
@@ -575,18 +1512,13 @@ describe("StreamBatchItemsService", () => {
         }
       );
 
-      // Should return sealed=false because item count doesn't match
-      expect(result.sealed).toBe(false);
-      expect(result.enqueuedCount).toBe(2);
-      expect(result.expectedCount).toBe(3);
-
-      // Verify the batch is NOT sealed in the database
-      const updatedBatch = await prisma.batchTaskRun.findUnique({
-        where: { id: batch.id },
-      });
-
-      expect(updatedBatch?.sealed).toBe(false);
-      expect(updatedBatch?.status).toBe("PENDING");
+      // The retry must be treated as success — every item's TaskRun was
+      // created by the original Phase 2 call. Returning sealed:false here
+      // (the previous behavior) made the SDK retry the stream against a
+      // cleaned-up batch, which then 5xx'd, exhausted SDK retries, and
+      // surfaced as BatchTriggerError despite all runs succeeding.
+      expect(result.sealed).toBe(true);
+      expect(result.id).toBe(batch.friendlyId);
 
       await engine.quit();
     }
@@ -656,10 +1588,7 @@ describe("createNdjsonParserStream", () => {
     const parser = createNdjsonParserStream(1024);
     const results = await collectStream(stream.pipeThrough(parser));
 
-    expect(results).toEqual([
-      { payload: "line1\nline2\nline3" },
-      { payload: "no newlines" },
-    ]);
+    expect(results).toEqual([{ payload: "line1\nline2\nline3" }, { payload: "no newlines" }]);
   });
 
   it("should skip empty lines", async () => {
@@ -960,7 +1889,9 @@ describe("extractIndexAndTask", () => {
   });
 
   it("should not match nested keys", () => {
-    const bytes = encoder.encode('{"nested":{"index":999,"task":"inner"},"index":5,"task":"outer"}');
+    const bytes = encoder.encode(
+      '{"nested":{"index":999,"task":"inner"},"index":5,"task":"outer"}'
+    );
     const result = extractIndexAndTask(bytes);
     expect(result.index).toBe(5);
     expect(result.task).toBe("outer");
diff --git a/apps/webapp/test/engine/taskIdentifierRegistry.test.ts b/apps/webapp/test/engine/taskIdentifierRegistry.test.ts
new file mode 100644
index 00000000000..af33640463f
--- /dev/null
+++ b/apps/webapp/test/engine/taskIdentifierRegistry.test.ts
@@ -0,0 +1,271 @@
+import { describe, expect, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({
+  prisma: {},
+  $replica: {},
+}));
+
+vi.mock("~/services/taskIdentifierCache.server", () => ({
+  getTaskIdentifiersFromCache: vi.fn().mockResolvedValue(null),
+  populateTaskIdentifierCache: vi.fn().mockResolvedValue(undefined),
+}));
+
+vi.mock("~/services/logger.server", () => ({
+  logger: { error: vi.fn(), warn: vi.fn(), info: vi.fn() },
+}));
+
+vi.mock("~/models/task.server", () => ({
+  getAllTaskIdentifiers: vi.fn().mockResolvedValue([]),
+}));
+
+import { setupAuthenticatedEnvironment } from "@internal/run-engine/tests";
+import { postgresTest } from "@internal/testcontainers";
+import { generateFriendlyId } from "@trigger.dev/core/v3/isomorphic";
+import type { PrismaClient } from "@trigger.dev/database";
+import {
+  syncTaskIdentifiers,
+  getTaskIdentifiers,
+} from "../../app/services/taskIdentifierRegistry.server";
+import type { AuthenticatedEnvironment } from "@internal/run-engine/tests";
+
+vi.setConfig({ testTimeout: 30_000 });
+
+async function createWorker(prisma: PrismaClient, env: AuthenticatedEnvironment) {
+  return prisma.backgroundWorker.create({
+    data: {
+      friendlyId: generateFriendlyId("worker"),
+      contentHash: `hash-${Date.now()}-${Math.random()}`,
+      projectId: env.project.id,
+      runtimeEnvironmentId: env.id,
+      version: `${Date.now()}`,
+      metadata: {},
+      engine: "V2",
+    },
+  });
+}
+
+describe("TaskIdentifierRegistry", () => {
+  postgresTest("should create task identifiers on first sync", async ({ prisma }) => {
+    const env = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+    const worker = await createWorker(prisma, env);
+
+    await syncTaskIdentifiers(
+      env.id,
+      env.project.id,
+      worker.id,
+      [
+        { id: "task-a", triggerSource: "STANDARD" },
+        { id: "task-b", triggerSource: "SCHEDULED" },
+      ],
+      prisma
+    );
+
+    const rows = await prisma.taskIdentifier.findMany({
+      where: { runtimeEnvironmentId: env.id },
+      orderBy: { slug: "asc" },
+    });
+
+    expect(rows).toHaveLength(2);
+    expect(rows[0].slug).toBe("task-a");
+    expect(rows[0].currentTriggerSource).toBe("STANDARD");
+    expect(rows[0].isInLatestDeployment).toBe(true);
+    expect(rows[1].slug).toBe("task-b");
+    expect(rows[1].currentTriggerSource).toBe("SCHEDULED");
+    expect(rows[1].isInLatestDeployment).toBe(true);
+  });
+
+  postgresTest("should update triggerSource on re-deploy", async ({ prisma }) => {
+    const env = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+    const worker1 = await createWorker(prisma, env);
+
+    // First deploy: STANDARD
+    await syncTaskIdentifiers(
+      env.id,
+      env.project.id,
+      worker1.id,
+      [{ id: "my-task", triggerSource: "STANDARD" }],
+      prisma
+    );
+
+    const worker2 = await createWorker(prisma, env);
+
+    // Second deploy: change to SCHEDULED
+    await syncTaskIdentifiers(
+      env.id,
+      env.project.id,
+      worker2.id,
+      [{ id: "my-task", triggerSource: "SCHEDULED" }],
+      prisma
+    );
+
+    const rows = await prisma.taskIdentifier.findMany({
+      where: { runtimeEnvironmentId: env.id },
+    });
+
+    expect(rows).toHaveLength(1);
+    expect(rows[0].slug).toBe("my-task");
+    expect(rows[0].currentTriggerSource).toBe("SCHEDULED");
+    expect(rows[0].currentWorkerId).toBe(worker2.id);
+  });
+
+  postgresTest("should archive tasks removed in a deploy", async ({ prisma }) => {
+    const env = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+    const worker1 = await createWorker(prisma, env);
+
+    // Deploy with both tasks
+    await syncTaskIdentifiers(
+      env.id,
+      env.project.id,
+      worker1.id,
+      [
+        { id: "task-a", triggerSource: "STANDARD" },
+        { id: "task-b", triggerSource: "STANDARD" },
+      ],
+      prisma
+    );
+
+    const worker2 = await createWorker(prisma, env);
+
+    // Deploy with only task-a (task-b removed)
+    await syncTaskIdentifiers(
+      env.id,
+      env.project.id,
+      worker2.id,
+      [{ id: "task-a", triggerSource: "STANDARD" }],
+      prisma
+    );
+
+    const rows = await prisma.taskIdentifier.findMany({
+      where: { runtimeEnvironmentId: env.id },
+      orderBy: { slug: "asc" },
+    });
+
+    expect(rows).toHaveLength(2);
+    expect(rows[0].slug).toBe("task-a");
+    expect(rows[0].isInLatestDeployment).toBe(true);
+    expect(rows[1].slug).toBe("task-b");
+    expect(rows[1].isInLatestDeployment).toBe(false);
+  });
+
+  postgresTest("should resurrect archived tasks on re-deploy", async ({ prisma }) => {
+    const env = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+    const worker1 = await createWorker(prisma, env);
+
+    // Deploy with both
+    await syncTaskIdentifiers(
+      env.id,
+      env.project.id,
+      worker1.id,
+      [
+        { id: "task-a", triggerSource: "STANDARD" },
+        { id: "task-b", triggerSource: "STANDARD" },
+      ],
+      prisma
+    );
+
+    const worker2 = await createWorker(prisma, env);
+
+    // Deploy without task-b
+    await syncTaskIdentifiers(
+      env.id,
+      env.project.id,
+      worker2.id,
+      [{ id: "task-a", triggerSource: "STANDARD" }],
+      prisma
+    );
+
+    const worker3 = await createWorker(prisma, env);
+
+    // Deploy with task-b again
+    await syncTaskIdentifiers(
+      env.id,
+      env.project.id,
+      worker3.id,
+      [
+        { id: "task-a", triggerSource: "STANDARD" },
+        { id: "task-b", triggerSource: "STANDARD" },
+      ],
+      prisma
+    );
+
+    const rows = await prisma.taskIdentifier.findMany({
+      where: { runtimeEnvironmentId: env.id },
+      orderBy: { slug: "asc" },
+    });
+
+    expect(rows).toHaveLength(2);
+    expect(rows[0].isInLatestDeployment).toBe(true);
+    expect(rows[1].isInLatestDeployment).toBe(true);
+  });
+
+  postgresTest(
+    "should return identifiers sorted active-first from DB when cache misses",
+    async ({ prisma }) => {
+      const env = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const worker1 = await createWorker(prisma, env);
+
+      await syncTaskIdentifiers(
+        env.id,
+        env.project.id,
+        worker1.id,
+        [
+          { id: "active-task", triggerSource: "STANDARD" },
+          { id: "archived-task", triggerSource: "STANDARD" },
+        ],
+        prisma
+      );
+
+      const worker2 = await createWorker(prisma, env);
+
+      // Archive one task
+      await syncTaskIdentifiers(
+        env.id,
+        env.project.id,
+        worker2.id,
+        [{ id: "active-task", triggerSource: "STANDARD" }],
+        prisma
+      );
+
+      // Read with cache miss (mocked to return null)
+      const result = await getTaskIdentifiers(env.id, prisma);
+
+      expect(result).toHaveLength(2);
+      // Active first
+      expect(result[0].slug).toBe("active-task");
+      expect(result[0].isInLatestDeployment).toBe(true);
+      // Archived second
+      expect(result[1].slug).toBe("archived-task");
+      expect(result[1].isInLatestDeployment).toBe(false);
+    }
+  );
+
+  postgresTest("should handle multiple triggerSource groups in one deploy", async ({ prisma }) => {
+    const env = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+    const worker = await createWorker(prisma, env);
+
+    // Note: AGENT enum value is missing from migrations (no ALTER TYPE migration exists),
+    // so we test with STANDARD + SCHEDULED only. AGENT works in prod because the enum
+    // was added via prisma db push or manual ALTER.
+    await syncTaskIdentifiers(
+      env.id,
+      env.project.id,
+      worker.id,
+      [
+        { id: "standard-task", triggerSource: "STANDARD" },
+        { id: "scheduled-task", triggerSource: "SCHEDULED" },
+      ],
+      prisma
+    );
+
+    const rows = await prisma.taskIdentifier.findMany({
+      where: { runtimeEnvironmentId: env.id },
+      orderBy: { slug: "asc" },
+    });
+
+    expect(rows).toHaveLength(2);
+    expect(rows[0].slug).toBe("scheduled-task");
+    expect(rows[0].currentTriggerSource).toBe("SCHEDULED");
+    expect(rows[1].slug).toBe("standard-task");
+    expect(rows[1].currentTriggerSource).toBe("STANDARD");
+  });
+});
diff --git a/apps/webapp/test/engine/triggerTask.test.ts b/apps/webapp/test/engine/triggerTask.test.ts
index ddceb8754c1..c40416837dd 100644
--- a/apps/webapp/test/engine/triggerTask.test.ts
+++ b/apps/webapp/test/engine/triggerTask.test.ts
@@ -20,8 +20,10 @@ import { assertNonNullable, containerTest } from "@internal/testcontainers";
 import { trace } from "@opentelemetry/api";
 import { IOPacket } from "@trigger.dev/core/v3";
 import { TaskRun } from "@trigger.dev/database";
+import { Redis } from "ioredis";
 import { IdempotencyKeyConcern } from "~/runEngine/concerns/idempotencyKeys.server";
 import { DefaultQueueManager } from "~/runEngine/concerns/queues.server";
+import { RedisTaskMetadataCache } from "~/services/taskMetadataCache.server";
 import {
   EntitlementValidationParams,
   MaxAttemptsValidationParams,
@@ -66,17 +68,31 @@ class MockTriggerTaskValidator implements TriggerTaskValidator {
   }
 }
 
+// Mirror the production ClickhouseEventRepository.traceEvent shape so
+// callers that read `event.traceContext.traceparent` (e.g. the
+// mollifier branch seeding the snapshot) get the same W3C-formatted
+// value they'd get against a real event repository.
+const MOCK_TRACE_ID = "0123456789abcdef0123456789abcdef";
+const MOCK_SPAN_ID = "fedcba9876543210";
+const MOCK_TRACEPARENT = `00-${MOCK_TRACE_ID}-${MOCK_SPAN_ID}-01`;
+
 class MockTraceEventConcern implements TraceEventConcern {
+  // Records the start time of the most recent traceRun callback entry.
+  // Used by ordering assertions that verify traceRun fires before
+  // downstream side effects (e.g. mollifier buffer writes).
+  public traceRunEnteredAt: number | undefined;
+
   async traceRun<T>(
     request: TriggerTaskRequest,
     parentStore: string | undefined,
     callback: (span: TracedEventSpan, store: string) => Promise<T>
   ): Promise<T> {
+    this.traceRunEnteredAt = Date.now();
     return await callback(
       {
-        traceId: "test",
-        spanId: "test",
-        traceContext: {},
+        traceId: MOCK_TRACE_ID,
+        spanId: MOCK_SPAN_ID,
+        traceContext: { traceparent: MOCK_TRACEPARENT },
         traceparent: undefined,
         setAttribute: () => { },
         failWithError: () => { },
@@ -251,6 +267,194 @@ describe("RunEngineTriggerTaskService", () => {
     await engine.quit();
   });
 
+  containerTest(
+    "routes scheduled-lineage runs to a separate worker queue that dequeues independently",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+        },
+        queue: {
+          redis: redisOptions,
+          // Disable the background master-queue consumers so our manual
+          // processMasterQueueForEnvironment + dequeue calls are deterministic.
+          masterQueueConsumersDisabled: true,
+          processWorkerQueueDebounceMs: 50,
+        },
+        runLock: { redis: redisOptions },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0005,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      try {
+        const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+        // Turn the per-org split flag on in-memory — the resolver reads this
+        // object directly (no DB round-trip on the trigger hot path).
+        (authenticatedEnvironment.organization as { featureFlags?: unknown }).featureFlags = {
+          workerQueueScheduledSplitEnabled: true,
+        };
+
+        const taskIdentifier = "test-task";
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+        const triggerTaskService = new RunEngineTriggerTaskService({
+          engine,
+          prisma,
+          payloadProcessor: new MockPayloadProcessor(),
+          queueConcern: new DefaultQueueManager(prisma, engine),
+          idempotencyKeyConcern: new IdempotencyKeyConcern(
+            prisma,
+            engine,
+            new MockTraceEventConcern()
+          ),
+          validator: new MockTriggerTaskValidator(),
+          traceEventConcern: new MockTraceEventConcern(),
+          tracer: trace.getTracer("test", "0.0.0"),
+          metadataMaximumSize: 1024 * 1024 * 1,
+        });
+
+        // A standard run (default triggerSource) stays on the region queue.
+        const standardResult = await triggerTaskService.call({
+          taskId: taskIdentifier,
+          environment: authenticatedEnvironment,
+          body: { payload: { kind: "standard" } },
+        });
+        assertNonNullable(standardResult);
+
+        // A scheduled run routes to the `<region>:scheduled` queue. Descendants
+        // would too, via rootTriggerSource propagation.
+        const scheduledResult = await triggerTaskService.call({
+          taskId: taskIdentifier,
+          environment: authenticatedEnvironment,
+          body: { payload: { kind: "scheduled" } },
+          options: { triggerSource: "schedule" },
+        });
+        assertNonNullable(scheduledResult);
+
+        const standardRun = await prisma.taskRun.findUniqueOrThrow({
+          where: { id: standardResult.run.id },
+        });
+        const scheduledRun = await prisma.taskRun.findUniqueOrThrow({
+          where: { id: scheduledResult.run.id },
+        });
+
+        // Producer routing: the persisted worker queue carries the class.
+        const baseWorkerQueue = standardRun.workerQueue;
+        expect(scheduledRun.workerQueue).toBe(`${baseWorkerQueue}:scheduled`);
+
+        // Move both runs from the env queue onto their respective worker queues.
+        await engine.runQueue.processMasterQueueForEnvironment(authenticatedEnvironment.id, 10);
+        await setTimeout(500);
+
+        // Dequeue isolation: the scheduled queue yields only the scheduled run...
+        const dequeuedScheduled = await engine.dequeueFromWorkerQueue({
+          consumerId: "test-scheduled-consumer",
+          workerQueue: `${baseWorkerQueue}:scheduled`,
+        });
+        expect(dequeuedScheduled.length).toBe(1);
+        assertNonNullable(dequeuedScheduled[0]);
+        expect(dequeuedScheduled[0].run.id).toBe(scheduledResult.run.id);
+
+        // ...and the base queue yields only the standard run.
+        const dequeuedStandard = await engine.dequeueFromWorkerQueue({
+          consumerId: "test-standard-consumer",
+          workerQueue: baseWorkerQueue,
+        });
+        expect(dequeuedStandard.length).toBe(1);
+        assertNonNullable(dequeuedStandard[0]);
+        expect(dequeuedStandard[0].run.id).toBe(standardResult.run.id);
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
+
+  // The BatchQueue worker rebuilds body.options from Redis-stored items
+  // (Record<string, unknown>), so the Phase-2 schema coercion doesn't apply
+  // to in-flight items enqueued before the schema fix. The defensive
+  // `typeof === "number"` coercion at the engine.trigger call site is what
+  // prevents these from failing at prisma.taskRun.create with
+  // "Argument concurrencyKey: Expected String or Null, provided Int".
+  containerTest(
+    "coerces a numeric concurrencyKey to a string at the engine.trigger boundary",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+        },
+        queue: { redis: redisOptions },
+        runLock: { redis: redisOptions },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0005,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const taskIdentifier = "test-task";
+      await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+      const triggerTaskService = new RunEngineTriggerTaskService({
+        engine,
+        prisma,
+        payloadProcessor: new MockPayloadProcessor(),
+        queueConcern: new DefaultQueueManager(prisma, engine),
+        idempotencyKeyConcern: new IdempotencyKeyConcern(
+          prisma,
+          engine,
+          new MockTraceEventConcern()
+        ),
+        validator: new MockTriggerTaskValidator(),
+        traceEventConcern: new MockTraceEventConcern(),
+        tracer: trace.getTracer("test", "0.0.0"),
+        metadataMaximumSize: 1024 * 1024 * 1,
+      });
+
+      const result = await triggerTaskService.call({
+        taskId: taskIdentifier,
+        environment: authenticatedEnvironment,
+        // Cast through `any` to simulate the in-flight Redis batch-item shape
+        // (Record<string, unknown>) that bypasses the BatchItemNDJSON schema.
+        body: { payload: { userId: 51262 }, options: { concurrencyKey: 51262 as any } },
+      });
+
+      expect(result).toBeDefined();
+      const run = await prisma.taskRun.findUnique({ where: { id: result!.run.id } });
+      expect(run?.concurrencyKey).toBe("51262");
+
+      await engine.quit();
+    }
+  );
+
   containerTest("should handle idempotency keys correctly", async ({ prisma, redisOptions }) => {
     const engine = new RunEngine({
       prisma,
@@ -1172,4 +1376,728 @@ describe("RunEngineTriggerTaskService", () => {
       await engine.quit();
     }
   );
+
+  // ─── Mollifier integration ──────────────────────────────────────────────────
+  //
+  // These tests pin the call-site behaviour of the mollifier hooks inside
+  // RunEngineTriggerTaskService.call. They use the optional DI ports
+  // (`evaluateGate`, `getMollifierBuffer`) added on the service constructor —
+  // production wiring is unchanged (defaults to the live module-level imports).
+  // Each test's regression intent lives in its own setup comment.
+
+  class CapturingMollifierBuffer {
+    public accepted: Array<{ runId: string; envId: string; orgId: string; payload: string }> = [];
+    async accept(input: { runId: string; envId: string; orgId: string; payload: string }) {
+      this.accepted.push(input);
+      return true;
+    }
+    async pop() { return null; }
+    async ack() {}
+    async requeue() {}
+    async fail() { return false; }
+    async getEntry() { return null; }
+    async listEnvs(): Promise<string[]> { return []; }
+    async getEntryTtlSeconds(): Promise<number> { return -1; }
+    async evaluateTrip() { return { tripped: false, count: 0 }; }
+    async close() {}
+  }
+
+  containerTest(
+    "mollifier · validation throws before the gate is consulted; no buffer write",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: { redis: redisOptions, workers: 1, tasksPerWorker: 10, pollIntervalMs: 100 },
+        queue: { redis: redisOptions },
+        runLock: { redis: redisOptions },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: { "small-1x": { name: "small-1x" as const, cpu: 0.5, memory: 0.5, centsPerMs: 0.0001 } },
+          baseCostInCents: 0.0005,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const taskIdentifier = "test-task";
+      await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+      // Validator that fails on maxAttempts. Any validation throw must abort
+      // the call BEFORE the gate runs — otherwise the gate could leak a
+      // buffer write for an invalid request.
+      class FailingMaxAttemptsValidator extends MockTriggerTaskValidator {
+        validateMaxAttempts(): ValidationResult {
+          return { ok: false, error: new Error("synthetic max-attempts failure") };
+        }
+      }
+
+      const buffer = new CapturingMollifierBuffer();
+      const evaluateGateSpy = vi.fn(async () => ({ action: "mollify" as const, decision: {
+        divert: true as const, reason: "per_env_rate" as const, count: 99, threshold: 1, windowMs: 200, holdMs: 500,
+      } }));
+
+      const triggerTaskService = new RunEngineTriggerTaskService({
+        engine,
+        prisma,
+        payloadProcessor: new MockPayloadProcessor(),
+        queueConcern: new DefaultQueueManager(prisma, engine),
+        idempotencyKeyConcern: new IdempotencyKeyConcern(prisma, engine, new MockTraceEventConcern()),
+        validator: new FailingMaxAttemptsValidator(),
+        traceEventConcern: new MockTraceEventConcern(),
+        tracer: trace.getTracer("test", "0.0.0"),
+        metadataMaximumSize: 1024 * 1024,
+        evaluateGate: evaluateGateSpy,
+        getMollifierBuffer: () => buffer as never,
+        isMollifierGloballyEnabled: () => true,
+      });
+
+      await expect(
+        triggerTaskService.call({
+          taskId: taskIdentifier,
+          environment: authenticatedEnvironment,
+          body: { payload: { test: "x" } },
+        }),
+      ).rejects.toThrow(/synthetic max-attempts failure/);
+
+      // Critical: the gate must NEVER be consulted when validation fails.
+      // If this assertion fires, validation has been re-ordered after the
+      // mollifier gate — a regression that would let invalid triggers land
+      // in the buffer.
+      expect(evaluateGateSpy).not.toHaveBeenCalled();
+      expect(buffer.accepted).toHaveLength(0);
+
+      await engine.quit();
+    },
+  );
+
+  containerTest(
+    "mollifier · mollify action writes to buffer and returns synthetic result (no Postgres row)",
+    async ({ prisma, redisOptions }) => {
+      // When the gate decides mollify, the call site
+      // invokes `mollifyTrigger` which writes the engine.trigger snapshot
+      // to the buffer and returns a synthesised `MollifySyntheticResult`
+      // (run.friendlyId + notice + isCached:false). `engine.trigger` is
+      // NEVER invoked on this path — the run materialises in Postgres
+      // later, when the drainer replays the snapshot. The replay is
+      // covered by `mollifierDrainerHandler.test.ts`; this test pins the
+      // call-site integration: synthetic result + buffer write + no
+      // Postgres side effect.
+      const engine = new RunEngine({
+        prisma,
+        worker: { redis: redisOptions, workers: 1, tasksPerWorker: 10, pollIntervalMs: 100 },
+        queue: { redis: redisOptions },
+        runLock: { redis: redisOptions },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: { "small-1x": { name: "small-1x" as const, cpu: 0.5, memory: 0.5, centsPerMs: 0.0001 } },
+          baseCostInCents: 0.0005,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const taskIdentifier = "test-task";
+      await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+      // Buffer override records the time of the accept call so we can
+      // assert that traceRun fired strictly before the buffer was
+      // touched. If a future change re-introduces the "skip traceRun on
+      // mollify" shortcut, traceConcern.traceRunEnteredAt stays
+      // undefined and the ordering assertion fails.
+      class TimestampedBuffer extends CapturingMollifierBuffer {
+        public acceptedAt: number | undefined;
+        override async accept(input: {
+          runId: string;
+          envId: string;
+          orgId: string;
+          payload: string;
+        }) {
+          this.acceptedAt = Date.now();
+          return await super.accept(input);
+        }
+      }
+      const buffer = new TimestampedBuffer();
+      const trippedDecision = {
+        divert: true as const,
+        reason: "per_env_rate" as const,
+        count: 150,
+        threshold: 100,
+        windowMs: 200,
+        holdMs: 500,
+      };
+      const traceConcern = new MockTraceEventConcern();
+
+      const triggerTaskService = new RunEngineTriggerTaskService({
+        engine,
+        prisma,
+        payloadProcessor: new MockPayloadProcessor(),
+        queueConcern: new DefaultQueueManager(prisma, engine),
+        idempotencyKeyConcern: new IdempotencyKeyConcern(prisma, engine, new MockTraceEventConcern()),
+        validator: new MockTriggerTaskValidator(),
+        traceEventConcern: traceConcern,
+        tracer: trace.getTracer("test", "0.0.0"),
+        metadataMaximumSize: 1024 * 1024,
+        evaluateGate: async () => ({ action: "mollify", decision: trippedDecision }),
+        getMollifierBuffer: () => buffer as never,
+        isMollifierGloballyEnabled: () => true,
+      });
+
+      const result = await triggerTaskService.call({
+        taskId: taskIdentifier,
+        environment: authenticatedEnvironment,
+        body: { payload: { hello: "world" } },
+      });
+
+      // Pre-modifier span creation: traceRun must run BEFORE the buffer
+      // is touched. Customer-visible effect — the run span lands in
+      // ClickHouse from the moment the trigger returns, even when the
+      // drainer is offline, so buffered runs are visible in the trace
+      // view immediately rather than only after drain.
+      expect(traceConcern.traceRunEnteredAt).toBeDefined();
+      expect(buffer.acceptedAt).toBeDefined();
+      expect(traceConcern.traceRunEnteredAt!).toBeLessThanOrEqual(buffer.acceptedAt!);
+
+      // Synthetic result is returned with the `mollifier.queued` notice
+      // (the call-site casts the synthetic shape to `TriggerTaskServiceResult`;
+      // at runtime the `notice` and `isCached: false` fields are present
+      // and read by the api.v1.tasks.$taskId.trigger.ts route handler).
+      expect(result).toBeDefined();
+      expect(result?.run.friendlyId).toBeDefined();
+      const synthetic = result as unknown as {
+        run: { friendlyId: string };
+        isCached: false;
+        notice: { code: string; message: string; docs: string };
+      };
+      expect(synthetic.isCached).toBe(false);
+      expect(synthetic.notice.code).toBe("mollifier.queued");
+      expect(synthetic.notice.message).toBeTypeOf("string");
+      expect(synthetic.notice.docs).toBeTypeOf("string");
+
+      // The mollify branch must flag `isMollified: true` on the result so
+      // the trigger route can skip `saveRequestIdempotency`. Caching the
+      // synthetic runId in the request-idempotency table would mean a
+      // lost-response SDK retry (same `x-trigger-request-idempotency-key`
+      // header) hits a PG miss in `handleRequestIdempotency` and falls
+      // through to a fresh trigger — producing a duplicate buffer entry
+      // for trigger calls without a task-level idempotency key. The
+      // bounded behaviour (accept retry-as-fresh-trigger during the
+      // buffer window) is the deliberate choice; a stale-cache lookup
+      // returning null is not.
+      expect(result?.isMollified).toBe(true);
+
+      // buffer.accept ran — Redis has the canonical engine.trigger snapshot
+      // under the synthesised friendlyId. The drainer will read this and
+      // replay it through engine.trigger to materialise the run.
+      expect(buffer.accepted).toHaveLength(1);
+      expect(buffer.accepted[0]!.runId).toBe(result!.run.friendlyId);
+      expect(buffer.accepted[0]!.envId).toBe(authenticatedEnvironment.id);
+      expect(buffer.accepted[0]!.orgId).toBe(authenticatedEnvironment.organizationId);
+      // Payload is a JSON-serialised MollifierSnapshot (the engine.trigger
+      // input). Schema is internal to the engine, so we only assert that
+      // it parses and references the friendlyId — anything more specific
+      // would couple the mollifier-layer test to engine-layer fields.
+      const snapshot = JSON.parse(buffer.accepted[0]!.payload) as {
+        traceId?: string;
+        spanId?: string;
+        traceContext?: { traceparent?: string };
+      };
+
+      // Regression guard for the dashboard trace-tree bug: the mollifier
+      // snapshot MUST carry a W3C `traceparent` in `traceContext`,
+      // seeded from the same span traceRun opened. Without it, the
+      // drainer replays through engine.trigger with empty traceContext
+      // and every downstream `recordRunDebugLog`
+      // (QUEUED/EXECUTING/FINISHED/run:notify…) gets a fresh traceId +
+      // null parentId — the run-detail page can only show the root
+      // span. Both the mollify and pass-through paths now flow through
+      // `traceEventConcern.traceRun`; this assertion pins the
+      // seeding-from-the-run-span contract.
+      expect(snapshot.traceContext?.traceparent).toMatch(
+        /^00-[0-9a-f]{32}-[0-9a-f]{16}-[0-9a-f]{2}$/
+      );
+      expect(snapshot.traceContext!.traceparent).toContain(snapshot.traceId);
+      expect(snapshot.traceContext!.traceparent).toContain(snapshot.spanId);
+      // The snapshot inherits the *run span's* traceId/spanId (from the
+      // event handed in by traceRun), not a separately-generated OTel
+      // span. This is what lets the drainer's `mollifier.drained` span
+      // and downstream engine.trigger materialisation parent on the
+      // same ClickHouse trace the customer sees from the moment trigger
+      // returns.
+      expect(snapshot.traceId).toBe(MOCK_TRACE_ID);
+      expect(snapshot.spanId).toBe(MOCK_SPAN_ID);
+
+      // Postgres has NOT been written: engine.trigger was never called on
+      // the mollify path. The run materialises only when the drainer
+      // replays the snapshot. Regression intent: if a future change makes
+      // the mollify branch fall through to engine.trigger (re-introducing
+      // phase-1 dual-write), this assertion fails loudly.
+      const pgRun = await prisma.taskRun.findFirst({
+        where: { friendlyId: result!.run.friendlyId },
+      });
+      expect(pgRun).toBeNull();
+
+      await engine.quit();
+    },
+  );
+
+  containerTest(
+    "mollifier · pass_through action does NOT call buffer.accept",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: { redis: redisOptions, workers: 1, tasksPerWorker: 10, pollIntervalMs: 100 },
+        queue: { redis: redisOptions },
+        runLock: { redis: redisOptions },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: { "small-1x": { name: "small-1x" as const, cpu: 0.5, memory: 0.5, centsPerMs: 0.0001 } },
+          baseCostInCents: 0.0005,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const taskIdentifier = "test-task";
+      await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+      const buffer = new CapturingMollifierBuffer();
+      const getBufferSpy = vi.fn(() => buffer as never);
+
+      const triggerTaskService = new RunEngineTriggerTaskService({
+        engine,
+        prisma,
+        payloadProcessor: new MockPayloadProcessor(),
+        queueConcern: new DefaultQueueManager(prisma, engine),
+        idempotencyKeyConcern: new IdempotencyKeyConcern(prisma, engine, new MockTraceEventConcern()),
+        validator: new MockTriggerTaskValidator(),
+        traceEventConcern: new MockTraceEventConcern(),
+        tracer: trace.getTracer("test", "0.0.0"),
+        metadataMaximumSize: 1024 * 1024,
+        evaluateGate: async () => ({ action: "pass_through" }),
+        getMollifierBuffer: getBufferSpy,
+        isMollifierGloballyEnabled: () => true,
+      });
+
+      const result = await triggerTaskService.call({
+        taskId: taskIdentifier,
+        environment: authenticatedEnvironment,
+        body: { payload: { test: "x" } },
+      });
+
+      expect(result).toBeDefined();
+      // Postgres has the run, no buffer side-effects
+      expect(buffer.accepted).toHaveLength(0);
+      // getMollifierBuffer must not be called either — the call site short-circuits
+      // before touching the singleton when the gate says pass_through.
+      expect(getBufferSpy).not.toHaveBeenCalled();
+      // Pass-through must NOT set `isMollified` — `result.run` is a real
+      // PG row, and the trigger route's `saveRequestIdempotency` is
+      // safe to call. Setting the flag here would silently skip the
+      // request-idempotency cache for every non-mollified trigger on a
+      // mollifier-enabled org, breaking lost-response retry dedup.
+      expect(result?.isMollified).toBeFalsy();
+
+      await engine.quit();
+    },
+  );
+
+  containerTest(
+    "mollifier · idempotency-key match short-circuits BEFORE the gate is consulted",
+    async ({ prisma, redisOptions }) => {
+      // SCENARIO: a trigger arrives with an idempotency key matching an
+      // already-created run. `IdempotencyKeyConcern.handleTriggerRequest`
+      // (line 236 of triggerTask.server.ts) detects the match BEFORE the
+      // mollifier gate runs and returns `{ isCached: true, run }`. The
+      // service early-returns. The gate is never consulted, buffer.accept
+      // never fires, no orphan entry is created.
+      //
+      // Regression intent: if IdempotencyKeyConcern were re-ordered to run
+      // AFTER evaluateGate, every idempotent retry on a flagged org would
+      // produce an orphan buffer entry — the audit-trail invariant ("every
+      // buffered runId has a matching TaskRun") would silently start failing
+      // for retries. This test pins the current order.
+
+      const engine = new RunEngine({
+        prisma,
+        worker: { redis: redisOptions, workers: 1, tasksPerWorker: 10, pollIntervalMs: 100 },
+        queue: { redis: redisOptions },
+        runLock: { redis: redisOptions },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: { "small-1x": { name: "small-1x" as const, cpu: 0.5, memory: 0.5, centsPerMs: 0.0001 } },
+          baseCostInCents: 0.0005,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const taskIdentifier = "test-task";
+      await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+      const idempotencyKeyConcern = new IdempotencyKeyConcern(
+        prisma,
+        engine,
+        new MockTraceEventConcern(),
+      );
+
+      // Setup: normal trigger to create the cached run (no mollifier).
+      const baseline = new RunEngineTriggerTaskService({
+        engine,
+        prisma,
+        payloadProcessor: new MockPayloadProcessor(),
+        queueConcern: new DefaultQueueManager(prisma, engine),
+        idempotencyKeyConcern,
+        validator: new MockTriggerTaskValidator(),
+        traceEventConcern: new MockTraceEventConcern(),
+        tracer: trace.getTracer("test", "0.0.0"),
+        metadataMaximumSize: 1024 * 1024,
+      });
+      const first = await baseline.call({
+        taskId: taskIdentifier,
+        environment: authenticatedEnvironment,
+        body: { payload: { test: "x" }, options: { idempotencyKey: "regression-key-5" } },
+      });
+      expect(first?.isCached).toBe(false);
+
+      // Action: same idempotency key, with a mollify-stub gate that WOULD
+      // create an orphan if reached. The concern must short-circuit first.
+      const buffer = new CapturingMollifierBuffer();
+      const evaluateGateSpy = vi.fn(async () => ({
+        action: "mollify" as const,
+        decision: {
+          divert: true as const,
+          reason: "per_env_rate" as const,
+          count: 150,
+          threshold: 100,
+          windowMs: 200,
+          holdMs: 500,
+        },
+      }));
+
+      const mollifierService = new RunEngineTriggerTaskService({
+        engine,
+        prisma,
+        payloadProcessor: new MockPayloadProcessor(),
+        queueConcern: new DefaultQueueManager(prisma, engine),
+        idempotencyKeyConcern,
+        validator: new MockTriggerTaskValidator(),
+        traceEventConcern: new MockTraceEventConcern(),
+        tracer: trace.getTracer("test", "0.0.0"),
+        metadataMaximumSize: 1024 * 1024,
+        evaluateGate: evaluateGateSpy,
+        getMollifierBuffer: () => buffer as never,
+        isMollifierGloballyEnabled: () => true,
+      });
+
+      const cached = await mollifierService.call({
+        taskId: taskIdentifier,
+        environment: authenticatedEnvironment,
+        body: { payload: { test: "x" }, options: { idempotencyKey: "regression-key-5" } },
+      });
+
+      // Customer sees the cached run, isCached=true
+      expect(cached).toBeDefined();
+      expect(cached?.isCached).toBe(true);
+      expect(cached?.run.friendlyId).toBe(first?.run.friendlyId);
+
+      // Critical: the gate must NEVER be consulted on a cached-idempotency replay.
+      expect(evaluateGateSpy).not.toHaveBeenCalled();
+      expect(buffer.accepted).toHaveLength(0);
+
+      await engine.quit();
+    },
+  );
+
+});
+
+describe("DefaultQueueManager task metadata cache", () => {
+  containerTest(
+    "warm cache returns metadata without falling through to PG",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: { redis: redisOptions, workers: 1, tasksPerWorker: 10, pollIntervalMs: 100 },
+        queue: { redis: redisOptions },
+        runLock: { redis: redisOptions },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": { name: "small-1x", cpu: 0.5, memory: 0.5, centsPerMs: 0.0001 },
+          },
+          baseCostInCents: 0.0005,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const environment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const taskIdentifier = "cached-task";
+      const setup = await setupBackgroundWorker(engine, environment, taskIdentifier);
+
+      const redis = new Redis(redisOptions);
+      const cache = new RedisTaskMetadataCache({ redis });
+
+      // Pre-populate cache with AGENT triggerSource; DB row has the default STANDARD.
+      // If the read path hits the cache, the resulting TaskRun.taskKind reflects the
+      // cached value. If it falls through to PG, it reflects STANDARD.
+      await cache.populateByCurrentWorker(environment.id, setup.worker.id, [
+        {
+          slug: taskIdentifier,
+          ttl: null,
+          triggerSource: "AGENT",
+          queueId: null,
+          queueName: `task/${taskIdentifier}`,
+        },
+      ]);
+
+      const queuesManager = new DefaultQueueManager(prisma, engine, undefined, cache);
+      const triggerTaskService = new RunEngineTriggerTaskService({
+        engine,
+        prisma,
+        payloadProcessor: new MockPayloadProcessor(),
+        queueConcern: queuesManager,
+        idempotencyKeyConcern: new IdempotencyKeyConcern(prisma, engine, new MockTraceEventConcern()),
+        validator: new MockTriggerTaskValidator(),
+        traceEventConcern: new MockTraceEventConcern(),
+        tracer: trace.getTracer("test", "0.0.0"),
+        metadataMaximumSize: 1024 * 1024,
+      });
+
+      const result = await triggerTaskService.call({
+        taskId: taskIdentifier,
+        environment,
+        body: { payload: { test: "x" } },
+      });
+
+      assertNonNullable(result);
+      expect(result.run.taskIdentifier).toBe(taskIdentifier);
+      expect((result.run.annotations as { taskKind?: string } | null)?.taskKind).toBe("AGENT");
+
+      await redis.quit();
+      await engine.quit();
+    }
+  );
+
+  containerTest(
+    "cache miss falls through to PG and back-fills the cache",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: { redis: redisOptions, workers: 1, tasksPerWorker: 10, pollIntervalMs: 100 },
+        queue: { redis: redisOptions },
+        runLock: { redis: redisOptions },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": { name: "small-1x", cpu: 0.5, memory: 0.5, centsPerMs: 0.0001 },
+          },
+          baseCostInCents: 0.0005,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const environment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const taskIdentifier = "miss-task";
+      await setupBackgroundWorker(engine, environment, taskIdentifier);
+
+      const redis = new Redis(redisOptions);
+      const cache = new RedisTaskMetadataCache({ redis });
+
+      // Cache starts empty. Sanity-check both keyspaces.
+      expect(await cache.getCurrent(environment.id, taskIdentifier)).toBeNull();
+
+      const queuesManager = new DefaultQueueManager(prisma, engine, undefined, cache);
+      const triggerTaskService = new RunEngineTriggerTaskService({
+        engine,
+        prisma,
+        payloadProcessor: new MockPayloadProcessor(),
+        queueConcern: queuesManager,
+        idempotencyKeyConcern: new IdempotencyKeyConcern(prisma, engine, new MockTraceEventConcern()),
+        validator: new MockTriggerTaskValidator(),
+        traceEventConcern: new MockTraceEventConcern(),
+        tracer: trace.getTracer("test", "0.0.0"),
+        metadataMaximumSize: 1024 * 1024,
+      });
+
+      const result = await triggerTaskService.call({
+        taskId: taskIdentifier,
+        environment,
+        body: { payload: { test: "x" } },
+      });
+
+      assertNonNullable(result);
+      expect((result.run.annotations as { taskKind?: string } | null)?.taskKind).toBe("STANDARD");
+
+      // Back-fill is fire-and-forget; poll with a bounded timeout to avoid CI flakes.
+      let backfilled = await cache.getCurrent(environment.id, taskIdentifier);
+      for (let i = 0; i < 40 && !backfilled; i++) {
+        await setTimeout(25);
+        backfilled = await cache.getCurrent(environment.id, taskIdentifier);
+      }
+      expect(backfilled).not.toBeNull();
+      expect(backfilled?.triggerSource).toBe("STANDARD");
+      expect(backfilled?.queueName).toBe(`task/${taskIdentifier}`);
+
+      await redis.quit();
+      await engine.quit();
+    }
+  );
+
+  containerTest(
+    "queue-override + ttl path returns taskKind from cache without a BWT lookup",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: { redis: redisOptions, workers: 1, tasksPerWorker: 10, pollIntervalMs: 100 },
+        queue: { redis: redisOptions },
+        runLock: { redis: redisOptions },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": { name: "small-1x", cpu: 0.5, memory: 0.5, centsPerMs: 0.0001 },
+          },
+          baseCostInCents: 0.0005,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const environment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const taskIdentifier = "override-task";
+      const setup = await setupBackgroundWorker(engine, environment, taskIdentifier);
+
+      const redis = new Redis(redisOptions);
+      const cache = new RedisTaskMetadataCache({ redis });
+
+      // Cache says AGENT; DB row says STANDARD. Caller provides both a queue
+      // override and an explicit TTL — the hot path the PR regressed.
+      await cache.populateByCurrentWorker(environment.id, setup.worker.id, [
+        {
+          slug: taskIdentifier,
+          ttl: null,
+          triggerSource: "AGENT",
+          queueId: null,
+          queueName: `task/${taskIdentifier}`,
+        },
+      ]);
+
+      const queuesManager = new DefaultQueueManager(prisma, engine, undefined, cache);
+      const triggerTaskService = new RunEngineTriggerTaskService({
+        engine,
+        prisma,
+        payloadProcessor: new MockPayloadProcessor(),
+        queueConcern: queuesManager,
+        idempotencyKeyConcern: new IdempotencyKeyConcern(prisma, engine, new MockTraceEventConcern()),
+        validator: new MockTriggerTaskValidator(),
+        traceEventConcern: new MockTraceEventConcern(),
+        tracer: trace.getTracer("test", "0.0.0"),
+        metadataMaximumSize: 1024 * 1024,
+      });
+
+      const result = await triggerTaskService.call({
+        taskId: taskIdentifier,
+        environment,
+        body: {
+          payload: { test: "x" },
+          options: {
+            queue: { name: "caller-queue" },
+            ttl: "5m",
+          },
+        },
+      });
+
+      assertNonNullable(result);
+      expect(result.run.queue).toBe("caller-queue");
+      expect((result.run.annotations as { taskKind?: string } | null)?.taskKind).toBe("AGENT");
+
+      await redis.quit();
+      await engine.quit();
+    }
+  );
+
+  containerTest(
+    "locked-version trigger reads from by-worker keyspace, not env keyspace",
+    async ({ prisma, redisOptions }) => {
+      const engine = new RunEngine({
+        prisma,
+        worker: { redis: redisOptions, workers: 1, tasksPerWorker: 10, pollIntervalMs: 100 },
+        queue: { redis: redisOptions },
+        runLock: { redis: redisOptions },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": { name: "small-1x", cpu: 0.5, memory: 0.5, centsPerMs: 0.0001 },
+          },
+          baseCostInCents: 0.0005,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      const environment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const taskIdentifier = "keyspace-task";
+      const worker = await setupBackgroundWorker(engine, environment, taskIdentifier);
+
+      const redis = new Redis(redisOptions);
+      const cache = new RedisTaskMetadataCache({ redis });
+
+      // Populate the two keyspaces with conflicting triggerSource values so we
+      // can tell which keyspace the read used. The real worker's by-worker
+      // hash gets AGENT; the env hash gets SCHEDULED (seeded via a throwaway
+      // worker id since `populateByCurrentWorker` writes both keyspaces and
+      // we want the real worker's by-worker hash untouched).
+      await cache.populateByWorker(worker.worker.id, [
+        {
+          slug: taskIdentifier,
+          ttl: null,
+          triggerSource: "AGENT",
+          queueId: null,
+          queueName: `task/${taskIdentifier}`,
+        },
+      ]);
+      await cache.populateByCurrentWorker(environment.id, "dummy-worker-for-env-seed", [
+        {
+          slug: taskIdentifier,
+          ttl: null,
+          triggerSource: "SCHEDULED",
+          queueId: null,
+          queueName: `task/${taskIdentifier}`,
+        },
+      ]);
+
+      const queuesManager = new DefaultQueueManager(prisma, engine, undefined, cache);
+      const triggerTaskService = new RunEngineTriggerTaskService({
+        engine,
+        prisma,
+        payloadProcessor: new MockPayloadProcessor(),
+        queueConcern: queuesManager,
+        idempotencyKeyConcern: new IdempotencyKeyConcern(prisma, engine, new MockTraceEventConcern()),
+        validator: new MockTriggerTaskValidator(),
+        traceEventConcern: new MockTraceEventConcern(),
+        tracer: trace.getTracer("test", "0.0.0"),
+        metadataMaximumSize: 1024 * 1024,
+      });
+
+      // Locked → by-worker keyspace → AGENT
+      const locked = await triggerTaskService.call({
+        taskId: taskIdentifier,
+        environment,
+        body: {
+          payload: { test: "x" },
+          options: { lockToVersion: worker.worker.version },
+        },
+      });
+      assertNonNullable(locked);
+      expect((locked.run.annotations as { taskKind?: string } | null)?.taskKind).toBe("AGENT");
+
+      // Not locked → env keyspace → SCHEDULED
+      const current = await triggerTaskService.call({
+        taskId: taskIdentifier,
+        environment,
+        body: { payload: { test: "y" } },
+      });
+      assertNonNullable(current);
+      expect((current.run.annotations as { taskKind?: string } | null)?.taskKind).toBe("SCHEDULED");
+
+      await redis.quit();
+      await engine.quit();
+    }
+  );
 });
diff --git a/apps/webapp/test/environmentVariablesEnvironments.test.ts b/apps/webapp/test/environmentVariablesEnvironments.test.ts
new file mode 100644
index 00000000000..2555bcae0f7
--- /dev/null
+++ b/apps/webapp/test/environmentVariablesEnvironments.test.ts
@@ -0,0 +1,144 @@
+import { describe, expect, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({
+  prisma: {},
+  $replica: {},
+  $transaction: async (
+    prismaClient: {
+      $transaction: (fn: (tx: unknown) => Promise<unknown>) => Promise<unknown>;
+    },
+    nameOrFn: string | ((tx: unknown) => Promise<unknown>),
+    fnOrOptions?: ((tx: unknown) => Promise<unknown>) | unknown
+  ) => {
+    const fn =
+      typeof nameOrFn === "string"
+        ? (fnOrOptions as (tx: unknown) => Promise<unknown>)
+        : nameOrFn;
+
+    return prismaClient.$transaction(fn);
+  },
+}));
+
+import { postgresTest } from "@internal/testcontainers";
+import { loadEnvironmentVariablesEnvironments } from "~/presenters/v3/environmentVariablesEnvironments.server";
+import {
+  createRuntimeEnvironment,
+  createTestOrgProjectWithMember,
+  createTestUser,
+} from "./fixtures/environmentVariablesFixtures";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+describe("loadEnvironmentVariablesEnvironments", () => {
+  postgresTest("returns environments for a project member", async ({ prisma }) => {
+    const { user, organization, project } = await createTestOrgProjectWithMember(prisma);
+
+    const production = await createRuntimeEnvironment(prisma, {
+      projectId: project.id,
+      organizationId: organization.id,
+      type: "PRODUCTION",
+    });
+
+    const result = await loadEnvironmentVariablesEnvironments(prisma, {
+      userId: user.id,
+      projectId: project.id,
+    });
+
+    expect(result.environments.map((environment) => environment.id)).toContain(production.id);
+    expect(result.environments.every((environment) => typeof environment.id === "string")).toBe(true);
+  });
+
+  postgresTest("rejects users who are not project members", async ({ prisma }) => {
+    const { project } = await createTestOrgProjectWithMember(prisma);
+    const outsider = await createTestUser(prisma);
+
+    await expect(
+      loadEnvironmentVariablesEnvironments(prisma, {
+        userId: outsider.id,
+        projectId: project.id,
+      })
+    ).rejects.toThrow("Project not found");
+  });
+
+  postgresTest("filters shared, personal, and inaccessible environments", async ({ prisma }) => {
+    const { user, organization, project, orgMember } = await createTestOrgProjectWithMember(prisma);
+    const otherUser = await createTestUser(prisma);
+    const otherOrgMember = await prisma.orgMember.create({
+      data: {
+        organizationId: organization.id,
+        userId: otherUser.id,
+        role: "MEMBER",
+      },
+    });
+
+    const sharedProduction = await createRuntimeEnvironment(prisma, {
+      projectId: project.id,
+      organizationId: organization.id,
+      type: "PRODUCTION",
+    });
+    const currentUserDev = await createRuntimeEnvironment(prisma, {
+      projectId: project.id,
+      organizationId: organization.id,
+      type: "DEVELOPMENT",
+      orgMemberId: orgMember.id,
+    });
+    const otherUserDev = await createRuntimeEnvironment(prisma, {
+      projectId: project.id,
+      organizationId: organization.id,
+      type: "DEVELOPMENT",
+      orgMemberId: otherOrgMember.id,
+    });
+    const orphanedDev = await createRuntimeEnvironment(prisma, {
+      projectId: project.id,
+      organizationId: organization.id,
+      type: "DEVELOPMENT",
+      orgMemberId: null,
+    });
+
+    const result = await loadEnvironmentVariablesEnvironments(prisma, {
+      userId: user.id,
+      projectId: project.id,
+    });
+
+    const environmentIds = result.environments.map((environment) => environment.id);
+
+    expect(environmentIds).toContain(sharedProduction.id);
+    expect(environmentIds).toContain(currentUserDev.id);
+    expect(environmentIds).not.toContain(otherUserDev.id);
+    expect(environmentIds).not.toContain(orphanedDev.id);
+  });
+
+  postgresTest("returns hasStaging true when a staging environment exists", async ({ prisma }) => {
+    const { user, organization, project } = await createTestOrgProjectWithMember(prisma);
+
+    await createRuntimeEnvironment(prisma, {
+      projectId: project.id,
+      organizationId: organization.id,
+      type: "STAGING",
+    });
+
+    const result = await loadEnvironmentVariablesEnvironments(prisma, {
+      userId: user.id,
+      projectId: project.id,
+    });
+
+    expect(result.hasStaging).toBe(true);
+  });
+
+  postgresTest("returns hasStaging false when no staging environment exists", async ({ prisma }) => {
+    const { user, organization, project } = await createTestOrgProjectWithMember(prisma);
+
+    await createRuntimeEnvironment(prisma, {
+      projectId: project.id,
+      organizationId: organization.id,
+      type: "PRODUCTION",
+    });
+
+    const result = await loadEnvironmentVariablesEnvironments(prisma, {
+      userId: user.id,
+      projectId: project.id,
+    });
+
+    expect(result.hasStaging).toBe(false);
+  });
+});
diff --git a/apps/webapp/test/environmentVariablesRepository.test.ts b/apps/webapp/test/environmentVariablesRepository.test.ts
new file mode 100644
index 00000000000..ead865eb5da
--- /dev/null
+++ b/apps/webapp/test/environmentVariablesRepository.test.ts
@@ -0,0 +1,178 @@
+import { describe, expect, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({
+  prisma: {},
+  $replica: {},
+  $transaction: async (
+    prismaClient: {
+      $transaction: (fn: (tx: unknown) => Promise<unknown>) => Promise<unknown>;
+    },
+    nameOrFn: string | ((tx: unknown) => Promise<unknown>),
+    fnOrOptions?: ((tx: unknown) => Promise<unknown>) | unknown
+  ) => {
+    const fn =
+      typeof nameOrFn === "string"
+        ? (fnOrOptions as (tx: unknown) => Promise<unknown>)
+        : nameOrFn;
+
+    return prismaClient.$transaction(fn);
+  },
+}));
+
+import { postgresTest } from "@internal/testcontainers";
+import { EnvironmentVariablesRepository } from "~/v3/environmentVariables/environmentVariablesRepository.server";
+import {
+  createEnvironmentVariable,
+  createRuntimeEnvironment,
+  createTestOrgProjectWithMember,
+} from "./fixtures/environmentVariablesFixtures";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+describe("EnvironmentVariablesRepository.getVariableValuesForKeys", () => {
+  postgresTest("returns an empty map for an empty items array", async ({ prisma }) => {
+    const { project } = await createTestOrgProjectWithMember(prisma);
+    const repository = new EnvironmentVariablesRepository(prisma, prisma);
+
+    const result = await repository.getVariableValuesForKeys(project.id, []);
+
+    expect(result).toBeInstanceOf(Map);
+    expect(result.size).toBe(0);
+  });
+
+  postgresTest("omits missing keys from the result without throwing", async ({ prisma }) => {
+    const { organization, project } = await createTestOrgProjectWithMember(prisma);
+    const environment = await createRuntimeEnvironment(prisma, {
+      projectId: project.id,
+      organizationId: organization.id,
+      type: "PRODUCTION",
+    });
+
+    const repository = new EnvironmentVariablesRepository(prisma, prisma);
+
+    const result = await repository.getVariableValuesForKeys(project.id, [
+      { environmentId: environment.id, key: "DOES_NOT_EXIST" },
+    ]);
+
+    expect(result.size).toBe(0);
+    expect(result.has(`${environment.id}:DOES_NOT_EXIST`)).toBe(false);
+  });
+
+  postgresTest("returns requested values with correct map keys and decrypted values", async ({ prisma }) => {
+    const { user, organization, project } = await createTestOrgProjectWithMember(prisma);
+    const environment = await createRuntimeEnvironment(prisma, {
+      projectId: project.id,
+      organizationId: organization.id,
+      type: "PRODUCTION",
+    });
+
+    const repository = new EnvironmentVariablesRepository(prisma, prisma);
+
+    await createEnvironmentVariable(repository, project.id, {
+      environmentId: environment.id,
+      key: "VAR_A",
+      value: "value-a",
+      userId: user.id,
+    });
+    await createEnvironmentVariable(repository, project.id, {
+      environmentId: environment.id,
+      key: "VAR_B",
+      value: "value-b",
+      userId: user.id,
+    });
+    await createEnvironmentVariable(repository, project.id, {
+      environmentId: environment.id,
+      key: "VAR_C",
+      value: "value-c",
+      userId: user.id,
+    });
+
+    const result = await repository.getVariableValuesForKeys(project.id, [
+      { environmentId: environment.id, key: "VAR_A" },
+      { environmentId: environment.id, key: "VAR_C" },
+    ]);
+
+    expect(result).toBeInstanceOf(Map);
+    expect(result.size).toBe(2);
+    expect(result.get(`${environment.id}:VAR_A`)).toBe("value-a");
+    expect(result.get(`${environment.id}:VAR_C`)).toBe("value-c");
+    expect(result.has(`${environment.id}:VAR_B`)).toBe(false);
+  });
+
+  postgresTest("deduplicates duplicate environmentId and key requests", async ({ prisma }) => {
+    const { user, organization, project } = await createTestOrgProjectWithMember(prisma);
+    const environment = await createRuntimeEnvironment(prisma, {
+      projectId: project.id,
+      organizationId: organization.id,
+      type: "PRODUCTION",
+    });
+
+    const repository = new EnvironmentVariablesRepository(prisma, prisma);
+
+    await createEnvironmentVariable(repository, project.id, {
+      environmentId: environment.id,
+      key: "DEDUP_KEY",
+      value: "dedup-value",
+      userId: user.id,
+    });
+
+    const request = { environmentId: environment.id, key: "DEDUP_KEY" };
+    const result = await repository.getVariableValuesForKeys(project.id, [request, request, request]);
+
+    expect(result.size).toBe(1);
+    expect(result.get(`${environment.id}:DEDUP_KEY`)).toBe("dedup-value");
+  });
+
+  postgresTest("isolates values by project", async ({ prisma }) => {
+    const { user, organization, project: projectA } = await createTestOrgProjectWithMember(prisma);
+
+    const projectB = await prisma.project.create({
+      data: {
+        name: "Project B",
+        slug: `proj-b-${Date.now()}`,
+        organizationId: organization.id,
+        externalRef: `ext-b-${Date.now()}`,
+      },
+    });
+
+    const envA = await createRuntimeEnvironment(prisma, {
+      projectId: projectA.id,
+      organizationId: organization.id,
+      type: "PRODUCTION",
+    });
+    const envB = await createRuntimeEnvironment(prisma, {
+      projectId: projectB.id,
+      organizationId: organization.id,
+      type: "PRODUCTION",
+    });
+
+    const repository = new EnvironmentVariablesRepository(prisma, prisma);
+
+    await createEnvironmentVariable(repository, projectA.id, {
+      environmentId: envA.id,
+      key: "SHARED_KEY",
+      value: "project-a-value",
+      userId: user.id,
+    });
+    await createEnvironmentVariable(repository, projectB.id, {
+      environmentId: envB.id,
+      key: "SHARED_KEY",
+      value: "project-b-value",
+      userId: user.id,
+    });
+
+    const resultForProjectA = await repository.getVariableValuesForKeys(projectA.id, [
+      { environmentId: envA.id, key: "SHARED_KEY" },
+    ]);
+
+    expect(resultForProjectA.size).toBe(1);
+    expect(resultForProjectA.get(`${envA.id}:SHARED_KEY`)).toBe("project-a-value");
+    expect(resultForProjectA.get(`${envB.id}:SHARED_KEY`)).toBeUndefined();
+
+    const crossProjectRequest = await repository.getVariableValuesForKeys(projectA.id, [
+      { environmentId: envB.id, key: "SHARED_KEY" },
+    ]);
+
+    expect(crossProjectRequest.size).toBe(0);
+  });
+});
diff --git a/apps/webapp/test/findOrCreateBackgroundWorker.test.ts b/apps/webapp/test/findOrCreateBackgroundWorker.test.ts
new file mode 100644
index 00000000000..8b047001b87
--- /dev/null
+++ b/apps/webapp/test/findOrCreateBackgroundWorker.test.ts
@@ -0,0 +1,183 @@
+import { containerTest } from "@internal/testcontainers";
+import { CreateBackgroundWorkerRequestBody } from "@trigger.dev/core/v3";
+import { PrismaClient } from "@trigger.dev/database";
+import { describe, expect, vi } from "vitest";
+import type { AuthenticatedEnvironment } from "~/services/apiAuth.server";
+import { ServiceValidationError } from "~/v3/services/common.server";
+import { findOrCreateBackgroundWorker } from "~/v3/services/createDeploymentBackgroundWorkerV4/findOrCreateBackgroundWorker.server";
+
+vi.setConfig({ testTimeout: 30_000 });
+
+async function seedDeployment(prisma: PrismaClient, version = "20260528.1") {
+  const slug = `s${Math.random().toString(36).slice(2, 10)}`;
+  const organization = await prisma.organization.create({
+    data: { title: slug, slug },
+  });
+
+  const project = await prisma.project.create({
+    data: {
+      name: slug,
+      slug,
+      organizationId: organization.id,
+      externalRef: slug,
+    },
+  });
+
+  const environment = await prisma.runtimeEnvironment.create({
+    data: {
+      slug,
+      type: "PRODUCTION",
+      projectId: project.id,
+      organizationId: organization.id,
+      apiKey: slug,
+      pkApiKey: slug,
+      shortcode: slug,
+    },
+  });
+
+  const deployment = await prisma.workerDeployment.create({
+    data: {
+      friendlyId: `deployment_${slug}`,
+      shortCode: slug,
+      contentHash: "h_initial",
+      status: "BUILDING",
+      version,
+      projectId: project.id,
+      environmentId: environment.id,
+    },
+  });
+
+  // The helper only reads `id` and `projectId`; the rest of the type is
+  // unused here so we cast a partial.
+  const authEnv = { id: environment.id, projectId: project.id } as AuthenticatedEnvironment;
+
+  return { project, environment, deployment, authEnv };
+}
+
+function bodyWithHash(contentHash: string): CreateBackgroundWorkerRequestBody {
+  return {
+    localOnly: false,
+    metadata: {
+      contentHash,
+      packageVersion: "0.0.0",
+      cliPackageVersion: "0.0.0",
+      tasks: [],
+      queues: [],
+      sourceFiles: [],
+      runtime: "node",
+      runtimeVersion: "21.0.0",
+    },
+    engine: "V2",
+    supportsLazyAttempts: true,
+  };
+}
+
+describe("findOrCreateBackgroundWorker", () => {
+  containerTest("creates a new BackgroundWorker on the first call", async ({ prisma }) => {
+    const { authEnv, deployment } = await seedDeployment(prisma);
+
+    const worker = await findOrCreateBackgroundWorker(
+      authEnv,
+      deployment,
+      bodyWithHash("h1"),
+      prisma
+    );
+
+    expect(worker.projectId).toBe(authEnv.projectId);
+    expect(worker.runtimeEnvironmentId).toBe(authEnv.id);
+    expect(worker.version).toBe(deployment.version);
+    expect(worker.contentHash).toBe("h1");
+
+    const rowCount = await prisma.backgroundWorker.count({
+      where: { projectId: authEnv.projectId, version: deployment.version },
+    });
+    expect(rowCount).toBe(1);
+  });
+
+  containerTest(
+    "returns the existing row on a second call with the same contentHash (no duplicate)",
+    async ({ prisma }) => {
+      const { authEnv, deployment } = await seedDeployment(prisma);
+
+      const first = await findOrCreateBackgroundWorker(
+        authEnv,
+        deployment,
+        bodyWithHash("h1"),
+        prisma
+      );
+      const second = await findOrCreateBackgroundWorker(
+        authEnv,
+        deployment,
+        bodyWithHash("h1"),
+        prisma
+      );
+
+      expect(second.id).toBe(first.id);
+
+      const rowCount = await prisma.backgroundWorker.count({
+        where: { projectId: authEnv.projectId, version: deployment.version },
+      });
+      expect(rowCount).toBe(1);
+    }
+  );
+
+  containerTest(
+    "throws 409 ServiceValidationError when an existing row has a different contentHash",
+    async ({ prisma }) => {
+      const { authEnv, deployment } = await seedDeployment(prisma);
+
+      await findOrCreateBackgroundWorker(authEnv, deployment, bodyWithHash("h1"), prisma);
+
+      await expect(
+        findOrCreateBackgroundWorker(authEnv, deployment, bodyWithHash("h2"), prisma)
+      ).rejects.toMatchObject({
+        name: "ServiceValidationError",
+        status: 409,
+      });
+
+      // Also assert the constructor so callers can `catch (e instanceof ServiceValidationError)`.
+      await expect(
+        findOrCreateBackgroundWorker(authEnv, deployment, bodyWithHash("h2"), prisma)
+      ).rejects.toBeInstanceOf(ServiceValidationError);
+    }
+  );
+
+  containerTest(
+    "concurrent create race surfaces as plain Error (not ServiceValidationError)",
+    async ({ prisma }) => {
+      // The class distinction matters: the V4 service uses `instanceof ServiceValidationError`
+      // to decide whether to fail-deploy. A transient race must not fail-deploy.
+      const { authEnv, deployment } = await seedDeployment(prisma);
+
+      const [first, second] = await Promise.allSettled([
+        findOrCreateBackgroundWorker(authEnv, deployment, bodyWithHash("h-race"), prisma),
+        findOrCreateBackgroundWorker(authEnv, deployment, bodyWithHash("h-race"), prisma),
+      ]);
+
+      const fulfilled = [first, second].filter((r) => r.status === "fulfilled");
+      const rejected = [first, second].filter(
+        (r): r is PromiseRejectedResult => r.status === "rejected"
+      );
+
+      // Exactly one row in the database regardless of who won.
+      const rowCount = await prisma.backgroundWorker.count({
+        where: { projectId: authEnv.projectId, version: deployment.version },
+      });
+      expect(rowCount).toBe(1);
+
+      // If the schedule produced an actual race (one wins, one loses), the loser
+      // must surface a non-SVE error. If the schedule serialised them by accident,
+      // both fulfilled is also acceptable — this test is about the error *class*,
+      // not the rate of races.
+      if (rejected.length > 0) {
+        expect(fulfilled).toHaveLength(1);
+        for (const r of rejected) {
+          expect(r.reason).not.toBeInstanceOf(ServiceValidationError);
+          expect((r.reason as Error).message).toMatch(/concurrent/i);
+        }
+      } else {
+        expect(fulfilled).toHaveLength(2);
+      }
+    }
+  );
+});
diff --git a/apps/webapp/test/fixtures/environmentVariablesFixtures.ts b/apps/webapp/test/fixtures/environmentVariablesFixtures.ts
new file mode 100644
index 00000000000..8e358e1295b
--- /dev/null
+++ b/apps/webapp/test/fixtures/environmentVariablesFixtures.ts
@@ -0,0 +1,104 @@
+import type { PrismaClient, RuntimeEnvironmentType } from "@trigger.dev/database";
+import { EnvironmentVariablesRepository } from "~/v3/environmentVariables/environmentVariablesRepository.server";
+
+let idCounter = 0;
+
+export function uniqueId(prefix: string) {
+  idCounter += 1;
+  return `${prefix}-${idCounter}-${Date.now()}`;
+}
+
+export async function createTestUser(prisma: PrismaClient, email?: string) {
+  return prisma.user.create({
+    data: {
+      email: email ?? `${uniqueId("user")}@test.com`,
+      authenticationMethod: "MAGIC_LINK",
+    },
+  });
+}
+
+export async function createTestOrgProjectWithMember(
+  prisma: PrismaClient,
+  options?: { userId?: string }
+) {
+  const user = options?.userId
+    ? await prisma.user.findUniqueOrThrow({ where: { id: options.userId } })
+    : await createTestUser(prisma);
+
+  const orgSlug = uniqueId("org");
+  const organization = await prisma.organization.create({
+    data: {
+      title: "Test Org",
+      slug: orgSlug,
+      members: { create: { userId: user.id, role: "ADMIN" } },
+    },
+    include: { members: true },
+  });
+
+  const projectSlug = uniqueId("proj");
+  const project = await prisma.project.create({
+    data: {
+      name: "Test Project",
+      slug: projectSlug,
+      organizationId: organization.id,
+      externalRef: uniqueId("ext"),
+    },
+  });
+
+  return {
+    user,
+    organization,
+    project,
+    orgMember: organization.members[0]!,
+    projectSlug,
+  };
+}
+
+export async function createRuntimeEnvironment(
+  prisma: PrismaClient,
+  options: {
+    projectId: string;
+    organizationId: string;
+    type: RuntimeEnvironmentType;
+    orgMemberId?: string | null;
+    slug?: string;
+  }
+) {
+  const slug = options.slug ?? uniqueId("env");
+  return prisma.runtimeEnvironment.create({
+    data: {
+      slug,
+      type: options.type,
+      projectId: options.projectId,
+      organizationId: options.organizationId,
+      orgMemberId: options.orgMemberId ?? null,
+      apiKey: uniqueId("api"),
+      pkApiKey: uniqueId("pk"),
+      shortcode: uniqueId("sc"),
+    },
+  });
+}
+
+export async function createEnvironmentVariable(
+  repository: EnvironmentVariablesRepository,
+  projectId: string,
+  options: {
+    environmentId: string;
+    key: string;
+    value: string;
+    isSecret?: boolean;
+    userId: string;
+  }
+) {
+  const result = await repository.create(projectId, {
+    override: true,
+    environmentIds: [options.environmentId],
+    variables: [{ key: options.key, value: options.value }],
+    isSecret: options.isSecret ?? false,
+    lastUpdatedBy: { type: "user", userId: options.userId },
+  });
+
+  if (!result.success) {
+    throw new Error(result.error);
+  }
+}
diff --git a/apps/webapp/test/healthcheck-require-plugins.e2e.test.ts b/apps/webapp/test/healthcheck-require-plugins.e2e.test.ts
new file mode 100644
index 00000000000..17e02ce8d93
--- /dev/null
+++ b/apps/webapp/test/healthcheck-require-plugins.e2e.test.ts
@@ -0,0 +1,92 @@
+/**
+ * E2E verification that REQUIRE_PLUGINS=1 fails the rollout via /healthcheck.
+ *
+ * The unit tests in @trigger.dev/rbac cover the loader throw. This file
+ * closes the loop end-to-end: spawn a real webapp, hit /healthcheck via
+ * HTTP, and verify the route's catch turns the throw into a 500 — the
+ * status the ECS/k8s readiness probe rolls back on.
+ *
+ * Each case spawns its own webapp + Postgres + Redis container (~30s) so
+ * env can differ per case. Slow but isolated, matching api-auth.e2e.test.ts.
+ *
+ * Requires a pre-built webapp: pnpm run build --filter webapp
+ *
+ * The REQUIRE_PLUGINS=1 case relies on the plugin NOT being resolvable
+ * from the spawned webapp. CI satisfies this because the plugin isn't in
+ * pnpm-lock.yaml. Local devs who ran `pnpm dev:link-webapp` have the
+ * plugin symlinked into apps/webapp/node_modules — that case is detected
+ * and skipped below.
+ */
+import { existsSync } from "node:fs";
+import { resolve } from "node:path";
+import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
+import type { TestServer } from "@internal/testcontainers/webapp";
+import { startTestServer } from "@internal/testcontainers/webapp";
+
+const LINKED_PLUGIN_PATH = resolve(
+  __dirname,
+  "..",
+  "node_modules",
+  "@triggerdotdev",
+  "plugins"
+);
+const pluginLocallyLinked = existsSync(LINKED_PLUGIN_PATH);
+
+vi.setConfig({ testTimeout: 180_000 });
+
+describe("/healthcheck with REQUIRE_PLUGINS", () => {
+  describe.skipIf(pluginLocallyLinked)("REQUIRE_PLUGINS=1 + plugin missing", () => {
+    let server: TestServer;
+
+    beforeAll(async () => {
+      // requirePlugins: true implies forceRbacFallback: false, so the
+      // loader actually tries to dynamic-import the plugin. The plugin
+      // is not installed in this OSS repo, so the import fails and the
+      // loader throws (instead of falling back) because REQUIRE_PLUGINS=1.
+      // The throw surfaces on the first .isUsingPlugin() call from the
+      // /healthcheck route, which catches it and returns 500.
+      server = await startTestServer({ requirePlugins: true });
+    }, 180_000);
+
+    afterAll(async () => {
+      await server?.stop();
+    }, 120_000);
+
+    it("returns 500 so the readiness probe fails and the rollout is rolled back", async () => {
+      const res = await server.webapp.fetch("/healthcheck");
+      expect(res.status).toBe(500);
+      expect(await res.text()).toBe("ERROR");
+    });
+  });
+
+  // Surface the skip in dev so it doesn't go unnoticed. CI hits the real test above.
+  describe.runIf(pluginLocallyLinked)(
+    "REQUIRE_PLUGINS=1 + plugin LOCALLY LINKED (cross-repo dev setup)",
+    () => {
+      it.skip(
+        `skipped because ${LINKED_PLUGIN_PATH} exists — plugin would load successfully. Run \`pnpm dev:unlink-webapp\` to exercise this case locally; CI runs it without the link.`,
+        () => {}
+      );
+    }
+  );
+
+  describe("REQUIRE_PLUGINS unset + plugin missing", () => {
+    let server: TestServer;
+
+    beforeAll(async () => {
+      // Default: forceRbacFallback=true so the loader short-circuits to
+      // the fallback without trying to import. /healthcheck succeeds.
+      server = await startTestServer();
+    }, 180_000);
+
+    afterAll(async () => {
+      await server?.stop();
+    }, 120_000);
+
+    it("returns 200 (baseline — unchanged self-hoster behaviour)", async () => {
+      const res = await server.webapp.fetch("/healthcheck");
+      expect(res.status).toBe(200);
+      expect(await res.text()).toBe("OK");
+    });
+  });
+});
diff --git a/apps/webapp/test/helpers/seedTestApiSession.ts b/apps/webapp/test/helpers/seedTestApiSession.ts
new file mode 100644
index 00000000000..cb98c1798c9
--- /dev/null
+++ b/apps/webapp/test/helpers/seedTestApiSession.ts
@@ -0,0 +1,47 @@
+// Inserts a `Session` row directly via Prisma so route auth tests can
+// exercise routes that resolve a session by friendlyId or externalId.
+//
+// Note: not to be confused with `seedTestSession` in this directory —
+// that helper builds a *dashboard cookie session* for cookie-auth tests.
+// This helper builds an *agent-stream Session row* (the chat.agent
+// runtime concept).
+
+import type { PrismaClient, Session } from "@trigger.dev/database";
+import { randomBytes } from "node:crypto";
+
+function randomHex(len = 12): string {
+  return randomBytes(Math.ceil(len / 2)).toString("hex").slice(0, len);
+}
+
+export async function seedTestApiSession(
+  prisma: PrismaClient,
+  env: {
+    id: string;
+    type: string;
+    organizationId: string;
+    projectId: string;
+  },
+  overrides?: { taskIdentifier?: string; externalId?: string | null }
+): Promise<Session> {
+  const suffix = randomHex(8);
+  return prisma.session.create({
+    data: {
+      id: `session_${suffix}`,
+      friendlyId: `session_${suffix}`,
+      // `null` lets a caller exercise the externalId-absent code path
+      // (single-id auth resource); omit the override to get a unique
+      // externalId for the multi-key path.
+      externalId:
+        overrides?.externalId === null
+          ? null
+          : overrides?.externalId ?? `ext_${suffix}`,
+      type: "chat.agent",
+      projectId: env.projectId,
+      runtimeEnvironmentId: env.id,
+      environmentType: env.type as Session["environmentType"],
+      organizationId: env.organizationId,
+      taskIdentifier: overrides?.taskIdentifier ?? `agent_${suffix}`,
+      triggerConfig: { basePayload: { messages: [], trigger: "preload" } },
+    },
+  });
+}
diff --git a/apps/webapp/test/helpers/seedTestEnvironment.ts b/apps/webapp/test/helpers/seedTestEnvironment.ts
new file mode 100644
index 00000000000..670927cc626
--- /dev/null
+++ b/apps/webapp/test/helpers/seedTestEnvironment.ts
@@ -0,0 +1,44 @@
+import type { PrismaClient } from "@trigger.dev/database";
+import { randomBytes } from "crypto";
+
+function randomHex(len = 12): string {
+  return randomBytes(Math.ceil(len / 2)).toString("hex").slice(0, len);
+}
+
+export async function seedTestEnvironment(prisma: PrismaClient) {
+  const suffix = randomHex(8);
+  const apiKey = `tr_dev_${randomHex(24)}`;
+  const pkApiKey = `pk_dev_${randomHex(24)}`;
+
+  const organization = await prisma.organization.create({
+    data: {
+      title: `e2e-test-org-${suffix}`,
+      slug: `e2e-org-${suffix}`,
+      v3Enabled: true,
+    },
+  });
+
+  const project = await prisma.project.create({
+    data: {
+      name: `e2e-test-project-${suffix}`,
+      slug: `e2e-proj-${suffix}`,
+      externalRef: `proj_${suffix}`,
+      organizationId: organization.id,
+      engine: "V2",
+    },
+  });
+
+  const environment = await prisma.runtimeEnvironment.create({
+    data: {
+      slug: "dev",
+      type: "DEVELOPMENT",
+      apiKey,
+      pkApiKey,
+      shortcode: suffix.slice(0, 4),
+      projectId: project.id,
+      organizationId: organization.id,
+    },
+  });
+
+  return { organization, project, environment, apiKey };
+}
diff --git a/apps/webapp/test/helpers/seedTestPAT.ts b/apps/webapp/test/helpers/seedTestPAT.ts
new file mode 100644
index 00000000000..d977bf5882e
--- /dev/null
+++ b/apps/webapp/test/helpers/seedTestPAT.ts
@@ -0,0 +1,59 @@
+import type { PrismaClient } from "@trigger.dev/database";
+import { createCipheriv, createHash, randomBytes } from "node:crypto";
+
+// Must match ENCRYPTION_KEY in internal-packages/testcontainers/src/webapp.ts
+const ENCRYPTION_KEY = "test-encryption-key-for-e2e!!!!!";
+
+function hashToken(token: string): string {
+  return createHash("sha256").update(token).digest("hex");
+}
+
+function encryptToken(value: string, key: string) {
+  const nonce = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key, nonce);
+  let encrypted = cipher.update(value, "utf8", "hex");
+  encrypted += cipher.final("hex");
+  return {
+    nonce: nonce.toString("hex"),
+    ciphertext: encrypted,
+    tag: cipher.getAuthTag().toString("hex"),
+  };
+}
+
+function obfuscate(token: string): string {
+  return `${token.slice(0, 11)}${"•".repeat(20)}${token.slice(-4)}`;
+}
+
+export async function seedTestUser(prisma: PrismaClient, overrides?: { admin?: boolean }) {
+  const suffix = randomBytes(6).toString("hex");
+  return prisma.user.create({
+    data: {
+      email: `pat-user-${suffix}@test.local`,
+      authenticationMethod: "MAGIC_LINK",
+      admin: overrides?.admin ?? false,
+    },
+  });
+}
+
+// Seeds a PersonalAccessToken row using the same hashing/encryption scheme as
+// webapp's services/personalAccessToken.server.ts so the webapp subprocess can
+// authenticate against it.
+export async function seedTestPAT(
+  prisma: PrismaClient,
+  userId: string,
+  opts: { revoked?: boolean } = {}
+): Promise<{ token: string; id: string }> {
+  const token = `tr_pat_${randomBytes(20).toString("hex")}`;
+  const encrypted = encryptToken(token, ENCRYPTION_KEY);
+  const row = await prisma.personalAccessToken.create({
+    data: {
+      name: "e2e-test-pat",
+      userId,
+      encryptedToken: encrypted,
+      hashedToken: hashToken(token),
+      obfuscatedToken: obfuscate(token),
+      revokedAt: opts.revoked ? new Date() : null,
+    },
+  });
+  return { token, id: row.id };
+}
diff --git a/apps/webapp/test/helpers/seedTestRun.ts b/apps/webapp/test/helpers/seedTestRun.ts
new file mode 100644
index 00000000000..44137e45005
--- /dev/null
+++ b/apps/webapp/test/helpers/seedTestRun.ts
@@ -0,0 +1,61 @@
+import type { PrismaClient, TaskRun } from "@trigger.dev/database";
+import { customAlphabet, nanoid } from "nanoid";
+
+const idGenerator = customAlphabet("123456789abcdefghijkmnopqrstuvwxyz", 21);
+
+export interface SeededRun {
+  run: TaskRun;
+  runFriendlyId: string; // `run_...`
+  batchFriendlyId?: string; // `batch_...` when { withBatch: true }
+}
+
+// Minimum-viable TaskRun for auth-layer e2e tests — enough fields for
+// ApiRetrieveRunPresenter.findRun to return it and for the authorization.resource
+// callback to populate `runs`, `tags`, `batch`, `tasks` keys.
+export async function seedTestRun(
+  prisma: PrismaClient,
+  opts: {
+    environmentId: string;
+    projectId: string;
+    runTags?: string[];
+    withBatch?: boolean;
+  }
+): Promise<SeededRun> {
+  const runInternalId = idGenerator();
+  const runFriendlyId = `run_${runInternalId}`;
+
+  let batchInternalId: string | undefined;
+  if (opts.withBatch) {
+    batchInternalId = idGenerator();
+    await prisma.batchTaskRun.create({
+      data: {
+        id: batchInternalId,
+        friendlyId: `batch_${batchInternalId}`,
+        runtimeEnvironmentId: opts.environmentId,
+      },
+    });
+  }
+
+  const run = await prisma.taskRun.create({
+    data: {
+      id: runInternalId,
+      friendlyId: runFriendlyId,
+      taskIdentifier: "test-task",
+      payload: "{}",
+      payloadType: "application/json",
+      traceId: nanoid(32),
+      spanId: nanoid(16),
+      queue: "task/test-task",
+      runtimeEnvironmentId: opts.environmentId,
+      projectId: opts.projectId,
+      runTags: opts.runTags ?? [],
+      batchId: batchInternalId,
+    },
+  });
+
+  return {
+    run,
+    runFriendlyId,
+    batchFriendlyId: batchInternalId ? `batch_${batchInternalId}` : undefined,
+  };
+}
diff --git a/apps/webapp/test/helpers/seedTestSession.ts b/apps/webapp/test/helpers/seedTestSession.ts
new file mode 100644
index 00000000000..3e51c5c2c63
--- /dev/null
+++ b/apps/webapp/test/helpers/seedTestSession.ts
@@ -0,0 +1,58 @@
+// Produces a `Cookie:` header value for an authenticated session that the
+// webapp under test will accept. Mirrors the webapp's
+// `services/sessionStorage.server.ts` config exactly — the SESSION_SECRET
+// must match what the webapp container was started with (see
+// `internal-packages/testcontainers/src/webapp.ts` — currently
+// "test-session-secret-for-e2e-tests").
+//
+// Used by dashboard auth tests (TRI-8742). Each test seeds its own user +
+// session so test order doesn't matter.
+
+import { createCookieSessionStorage } from "@remix-run/node";
+import type { PrismaClient } from "@trigger.dev/database";
+import { randomBytes } from "node:crypto";
+
+// Must match SESSION_SECRET in internal-packages/testcontainers/src/webapp.ts.
+const SESSION_SECRET = "test-session-secret-for-e2e-tests";
+
+// Shape of the session config in apps/webapp/app/services/sessionStorage.server.ts.
+const sessionStorage = createCookieSessionStorage({
+  cookie: {
+    name: "__session",
+    sameSite: "lax",
+    path: "/",
+    httpOnly: true,
+    secrets: [SESSION_SECRET],
+    secure: false, // NODE_ENV is "test" in the spawned webapp.
+    maxAge: 60 * 60 * 24 * 365,
+  },
+});
+
+export async function seedTestUser(
+  prisma: PrismaClient,
+  overrides?: { admin?: boolean; email?: string }
+) {
+  const suffix = randomBytes(6).toString("hex");
+  return prisma.user.create({
+    data: {
+      email: overrides?.email ?? `e2e-${suffix}@test.local`,
+      authenticationMethod: "MAGIC_LINK",
+      admin: overrides?.admin ?? false,
+    },
+  });
+}
+
+// Builds the `Cookie:` header value for a given user. Set this on test
+// requests to the webapp to authenticate as that user.
+//
+// remix-auth's default sessionKey is "user" and stores AuthUser as
+// { userId } — see apps/webapp/app/services/authUser.ts.
+export async function seedTestSession(opts: { userId: string }): Promise<string> {
+  const session = await sessionStorage.getSession();
+  session.set("user", { userId: opts.userId });
+  const setCookie = await sessionStorage.commitSession(session);
+  // commitSession returns "__session=<value>; Path=/; ...". The Cookie
+  // header only needs the name=value pair.
+  const firstSegment = setCookie.split(";")[0];
+  return firstSegment;
+}
diff --git a/apps/webapp/test/helpers/seedTestUserProject.ts b/apps/webapp/test/helpers/seedTestUserProject.ts
new file mode 100644
index 00000000000..3512054ec1f
--- /dev/null
+++ b/apps/webapp/test/helpers/seedTestUserProject.ts
@@ -0,0 +1,67 @@
+import type { PrismaClient } from "@trigger.dev/database";
+import { randomBytes } from "node:crypto";
+import { seedTestPAT, seedTestUser } from "./seedTestPAT";
+
+function randomHex(len = 12): string {
+  return randomBytes(Math.ceil(len / 2)).toString("hex").slice(0, len);
+}
+
+// Composite test fixture: a User, an Organization with that user as a
+// member, a Project owned by the org, a DEVELOPMENT environment, and a
+// non-revoked PAT for the user.
+//
+// Used by the PAT-comprehensive matrix (TRI-8741) to exercise routes
+// like GET /api/v1/projects/:projectRef/runs whose access check is
+// `findProjectByRef(externalRef, userId)` — i.e. the project's org
+// must have the userId in its members. seedTestEnvironment alone
+// doesn't create the OrgMember link, which is why this helper exists.
+//
+// Caller passes `projectDeleted: true` to test the soft-deleted-
+// project path; `userAdmin: true` to confirm the global admin flag
+// doesn't add cross-org visibility (the route is per-user).
+export async function seedTestUserProject(
+  prisma: PrismaClient,
+  opts: { userAdmin?: boolean; projectDeleted?: boolean } = {}
+) {
+  const suffix = randomHex(8);
+  const apiKey = `tr_dev_${randomHex(24)}`;
+  const pkApiKey = `pk_dev_${randomHex(24)}`;
+
+  const user = await seedTestUser(prisma, { admin: opts.userAdmin ?? false });
+
+  const organization = await prisma.organization.create({
+    data: {
+      title: `e2e-pat-org-${suffix}`,
+      slug: `e2e-pat-org-${suffix}`,
+      v3Enabled: true,
+      members: { create: { userId: user.id, role: "ADMIN" } },
+    },
+  });
+
+  const project = await prisma.project.create({
+    data: {
+      name: `e2e-pat-project-${suffix}`,
+      slug: `e2e-pat-proj-${suffix}`,
+      externalRef: `proj_${suffix}`,
+      organizationId: organization.id,
+      engine: "V2",
+      deletedAt: opts.projectDeleted ? new Date() : null,
+    },
+  });
+
+  const environment = await prisma.runtimeEnvironment.create({
+    data: {
+      slug: "dev",
+      type: "DEVELOPMENT",
+      apiKey,
+      pkApiKey,
+      shortcode: suffix.slice(0, 4),
+      projectId: project.id,
+      organizationId: organization.id,
+    },
+  });
+
+  const pat = await seedTestPAT(prisma, user.id);
+
+  return { user, organization, project, environment, pat };
+}
diff --git a/apps/webapp/test/helpers/seedTestWaitpoint.ts b/apps/webapp/test/helpers/seedTestWaitpoint.ts
new file mode 100644
index 00000000000..f4794b2b6c1
--- /dev/null
+++ b/apps/webapp/test/helpers/seedTestWaitpoint.ts
@@ -0,0 +1,29 @@
+import type { PrismaClient } from "@trigger.dev/database";
+import { customAlphabet } from "nanoid";
+
+// Must match friendlyId.ts IdUtil alphabet so generated IDs are valid.
+const idGenerator = customAlphabet("123456789abcdefghijkmnopqrstuvwxyz", 21);
+
+// Seeds a Waitpoint already in COMPLETED status so the waitpoints/:id/complete
+// handler short-circuits with { success: true }. That keeps the "auth passes"
+// assertion independent of run-engine workers (which are disabled in e2e).
+export async function seedTestWaitpoint(
+  prisma: PrismaClient,
+  opts: { environmentId: string; projectId: string }
+): Promise<{ id: string; friendlyId: string }> {
+  const internalId = idGenerator();
+  const friendlyId = `waitpoint_${internalId}`;
+  await prisma.waitpoint.create({
+    data: {
+      id: internalId,
+      friendlyId,
+      type: "MANUAL",
+      status: "COMPLETED",
+      idempotencyKey: internalId,
+      userProvidedIdempotencyKey: false,
+      environmentId: opts.environmentId,
+      projectId: opts.projectId,
+    },
+  });
+  return { id: internalId, friendlyId };
+}
diff --git a/apps/webapp/test/helpers/sharedTestServer.ts b/apps/webapp/test/helpers/sharedTestServer.ts
new file mode 100644
index 00000000000..35360fd221f
--- /dev/null
+++ b/apps/webapp/test/helpers/sharedTestServer.ts
@@ -0,0 +1,53 @@
+// Per-worker access to the shared TestServer started by globalSetup. Each
+// test file imports `getTestServer()` once at module top-level; the returned
+// value is a singleton within that worker process.
+//
+// `webapp.fetch(path)` prepends the shared baseUrl. The PrismaClient is
+// constructed lazily and disconnected on test-suite end via afterAll in the
+// importing file (or left to the worker shutting down).
+
+import { PrismaClient } from "@trigger.dev/database";
+import { afterAll, inject } from "vitest";
+
+interface SharedWebapp {
+  baseUrl: string;
+  fetch(path: string, init?: RequestInit): Promise<Response>;
+}
+
+interface SharedTestServer {
+  webapp: SharedWebapp;
+  prisma: PrismaClient;
+}
+
+let cached: SharedTestServer | undefined;
+
+export function getTestServer(): SharedTestServer {
+  if (cached) return cached;
+
+  const baseUrl = inject("baseUrl");
+  const databaseUrl = inject("databaseUrl");
+
+  if (!baseUrl || !databaseUrl) {
+    throw new Error(
+      "globalSetup didn't provide baseUrl/databaseUrl — run via vitest.e2e.full.config.ts"
+    );
+  }
+
+  const prisma = new PrismaClient({ datasources: { db: { url: databaseUrl } } });
+
+  cached = {
+    webapp: {
+      baseUrl,
+      fetch: (path, init) => fetch(`${baseUrl}${path}`, init),
+    },
+    prisma,
+  };
+
+  // Disconnect the PrismaClient when the worker is done. globalSetup's
+  // teardown stops the container; this just releases the per-worker pool.
+  afterAll(async () => {
+    await prisma.$disconnect().catch(() => {});
+  });
+
+  return cached;
+}
diff --git a/apps/webapp/test/httpErrors.test.ts b/apps/webapp/test/httpErrors.test.ts
new file mode 100644
index 00000000000..dab90bdb024
--- /dev/null
+++ b/apps/webapp/test/httpErrors.test.ts
@@ -0,0 +1,28 @@
+import { describe, expect, it } from "vitest";
+import { throwNotFound } from "~/utils/httpErrors";
+
+describe("throwNotFound", () => {
+  it("throws a Response with status 404 and the provided statusText", () => {
+    let thrown: unknown;
+    try {
+      throwNotFound("Environment not found");
+    } catch (e) {
+      thrown = e;
+    }
+
+    expect(thrown).toBeInstanceOf(Response);
+    expect((thrown as Response).status).toBe(404);
+    expect((thrown as Response).statusText).toBe("Environment not found");
+  });
+
+  it("passes through whatever statusText the caller provides", () => {
+    let thrown: unknown;
+    try {
+      throwNotFound("Project not found");
+    } catch (e) {
+      thrown = e;
+    }
+
+    expect((thrown as Response).statusText).toBe("Project not found");
+  });
+});
diff --git a/apps/webapp/test/metadataRouteOperationsLogging.test.ts b/apps/webapp/test/metadataRouteOperationsLogging.test.ts
new file mode 100644
index 00000000000..ab96c9b9b23
--- /dev/null
+++ b/apps/webapp/test/metadataRouteOperationsLogging.test.ts
@@ -0,0 +1,132 @@
+import { describe, expect, it, vi } from "vitest";
+
+// `vi.mock` factories are hoisted above regular top-level `const`s, so
+// any cross-references between the spy/mock fns and the factories have
+// to live inside `vi.hoisted`. See `mollifierDrainerHandler.test.ts`
+// for the same pattern.
+const { warnSpy, applyMetadataMutationToBufferedRunMock } = vi.hoisted(() => ({
+  warnSpy: vi.fn(),
+  applyMetadataMutationToBufferedRunMock: vi.fn(),
+}));
+
+// The route module's import graph (createActionApiRoute, the env, the
+// services singleton) is heavier than the helper actually needs. Stub
+// the leaf modules so only the helper under test executes; the route's
+// top-level `createActionApiRoute(...)` call runs against the stubbed
+// builder and never touches platform.v3.server / prisma.
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+vi.mock("~/env.server", () => ({
+  env: { TASK_RUN_METADATA_MAXIMUM_SIZE: 256 * 1024 },
+}));
+vi.mock("~/services/routeBuilders/apiBuilder.server", () => ({
+  createActionApiRoute: () => ({ action: vi.fn() }),
+}));
+vi.mock("~/services/apiAuth.server", () => ({
+  authenticateApiRequest: vi.fn(),
+}));
+vi.mock("~/v3/services/common.server", () => ({
+  ServiceValidationError: class extends Error {
+    constructor(public override message: string, public status?: number) {
+      super(message);
+    }
+  },
+}));
+vi.mock("~/services/metadata/updateMetadataInstance.server", () => ({
+  updateMetadataService: { call: vi.fn(async () => undefined) },
+}));
+vi.mock("~/v3/mollifier/applyMetadataMutation.server", () => ({
+  applyMetadataMutationToBufferedRun: applyMetadataMutationToBufferedRunMock,
+}));
+vi.mock("~/v3/mollifier/readFallback.server", () => ({
+  findRunByIdWithMollifierFallback: vi.fn(),
+}));
+vi.mock("~/services/logger.server", () => ({
+  logger: {
+    warn: warnSpy,
+    info: vi.fn(),
+    error: vi.fn(),
+    debug: vi.fn(),
+  },
+}));
+
+import { routeOperationsToRun } from "~/routes/api.v1.runs.$runId.metadata";
+import type { AuthenticatedEnvironment } from "~/services/apiAuth.server";
+
+const env = {
+  id: "env_a",
+  organizationId: "org_1",
+} as unknown as AuthenticatedEnvironment;
+
+const opsFixture = [{ type: "set", key: "k", value: "v" }] as Parameters<
+  typeof routeOperationsToRun
+>[1];
+
+describe("routeOperationsToRun — non-throw buffer outcome logging", () => {
+  // Each non-success outcome `applyMetadataMutationToBufferedRun` can
+  // return (`not_found`, `busy`, `version_exhausted`, `metadata_too_large`)
+  // must produce a warn log so ops can trace silent drops. Without this
+  // branch the parent/root operation would disappear with no record —
+  // `tryCatch` only catches throws, and the outcome object was
+  // previously ignored.
+  for (const kind of ["not_found", "busy", "version_exhausted", "metadata_too_large"] as const) {
+    it(`warn-logs when buffer outcome is { kind: "${kind}" }`, async () => {
+      warnSpy.mockClear();
+      applyMetadataMutationToBufferedRunMock.mockResolvedValueOnce({ kind });
+
+      await routeOperationsToRun("run_buffered_1", opsFixture, env);
+
+      expect(warnSpy).toHaveBeenCalledWith(
+        "metadata route: parent/root buffer op did not apply",
+        expect.objectContaining({ targetRunId: "run_buffered_1", kind }),
+      );
+    });
+  }
+
+  it("does NOT warn on the happy path (kind: 'applied')", async () => {
+    warnSpy.mockClear();
+    applyMetadataMutationToBufferedRunMock.mockResolvedValueOnce({
+      kind: "applied",
+      newMetadata: { k: "v" },
+      parentTaskRunFriendlyId: undefined,
+      rootTaskRunFriendlyId: undefined,
+    });
+
+    await routeOperationsToRun("run_buffered_1", opsFixture, env);
+
+    expect(warnSpy).not.toHaveBeenCalledWith(
+      "metadata route: parent/root buffer op did not apply",
+      expect.anything(),
+    );
+  });
+
+  it("warn-logs once when the helper throws (the pre-existing throw branch keeps working)", async () => {
+    warnSpy.mockClear();
+    applyMetadataMutationToBufferedRunMock.mockRejectedValueOnce(new Error("ECONNRESET"));
+
+    await routeOperationsToRun("run_buffered_1", opsFixture, env);
+
+    // Pre-existing branch — the catch logs `buffer fallback for parent/root
+    // op failed`. The new non-throw branch must NOT also fire (we return
+    // early on bufferError).
+    expect(warnSpy).toHaveBeenCalledWith(
+      "metadata route: buffer fallback for parent/root op failed",
+      expect.objectContaining({ targetRunId: "run_buffered_1" }),
+    );
+    expect(warnSpy).not.toHaveBeenCalledWith(
+      "metadata route: parent/root buffer op did not apply",
+      expect.anything(),
+    );
+  });
+
+  it("skips both PG and buffer when targetRunId is missing or operations is empty", async () => {
+    warnSpy.mockClear();
+    applyMetadataMutationToBufferedRunMock.mockClear();
+
+    await routeOperationsToRun(undefined, opsFixture, env);
+    await routeOperationsToRun("run_x", undefined, env);
+    await routeOperationsToRun("run_x", [], env);
+
+    expect(applyMetadataMutationToBufferedRunMock).not.toHaveBeenCalled();
+    expect(warnSpy).not.toHaveBeenCalled();
+  });
+});
diff --git a/apps/webapp/test/mollifierApplyMetadataMutation.test.ts b/apps/webapp/test/mollifierApplyMetadataMutation.test.ts
new file mode 100644
index 00000000000..5995f6969f3
--- /dev/null
+++ b/apps/webapp/test/mollifierApplyMetadataMutation.test.ts
@@ -0,0 +1,352 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+
+import { applyMetadataMutationToBufferedRun } from "~/v3/mollifier/applyMetadataMutation.server";
+import type { BufferEntry, MollifierBuffer, CasSetMetadataResult } from "@trigger.dev/redis-worker";
+import { RunId } from "@trigger.dev/core/v3/isomorphic";
+
+// Regression for a CAS retry-exhaustion bug: the default `maxRetries`
+// was 3, matching the PG-side service, but that exhausts fast when N
+// external API writers race the same buffered run's metadata. Bumped
+// to 12 + jittered backoff. These tests simulate version_conflict
+// races and assert (a) every delta lands and (b) the retry budget is
+// sized for realistic concurrency.
+
+const NOW = new Date("2026-05-21T10:00:00Z");
+
+type BufferStub = {
+  buffer: MollifierBuffer;
+  state: {
+    version: number;
+    metadata: Record<string, unknown>;
+    pendingConflictsForNextN: number;
+  };
+};
+
+// Build a stub MollifierBuffer that simulates Lua-CAS semantics
+// in-memory. The first `pendingConflictsForNextN` casSetMetadata calls
+// from any worker will return version_conflict (then the version
+// bumps); subsequent calls succeed.
+function makeBufferStub(initialPayload: Record<string, unknown> = {}): BufferStub {
+  const state = {
+    version: 0,
+    metadata: initialPayload.metadata
+      ? (JSON.parse(initialPayload.metadata as string) as Record<string, unknown>)
+      : {},
+    pendingConflictsForNextN: 0,
+  };
+  const entryTemplate: Omit<BufferEntry, "payload"> = {
+    runId: "run_1",
+    envId: "env_a",
+    orgId: "org_1",
+    status: "QUEUED",
+    attempts: 0,
+    createdAt: NOW,
+    createdAtMicros: 1747044000000000,
+    materialised: false,
+    idempotencyLookupKey: "",
+    metadataVersion: 0,
+  };
+
+  const buffer: MollifierBuffer = {
+    getEntry: vi.fn(async (): Promise<BufferEntry> => ({
+      ...entryTemplate,
+      metadataVersion: state.version,
+      payload: JSON.stringify({ ...initialPayload, metadata: JSON.stringify(state.metadata) }),
+    })),
+    casSetMetadata: vi.fn(
+      async (input: {
+        runId: string;
+        expectedVersion: number;
+        newMetadata: string;
+        newMetadataType: string;
+      }): Promise<CasSetMetadataResult> => {
+        // Inject a controlled number of conflicts to simulate races.
+        if (state.pendingConflictsForNextN > 0) {
+          state.pendingConflictsForNextN -= 1;
+          // Bump version as if some other writer just landed.
+          state.version += 1;
+          return { kind: "version_conflict", currentVersion: state.version };
+        }
+        if (input.expectedVersion !== state.version) {
+          return { kind: "version_conflict", currentVersion: state.version };
+        }
+        state.metadata = JSON.parse(input.newMetadata) as Record<string, unknown>;
+        state.version += 1;
+        return { kind: "applied", newVersion: state.version };
+      },
+    ),
+  } as unknown as MollifierBuffer;
+
+  return { buffer, state };
+}
+
+describe("applyMetadataMutationToBufferedRun — retry behaviour", () => {
+  it("succeeds when CAS lands on the first try (no contention)", async () => {
+    const { buffer, state } = makeBufferStub();
+    const result = await applyMetadataMutationToBufferedRun({
+      runId: "run_1",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      maximumSize: 1024 * 1024,
+      body: { metadata: { counter: 1 } },
+      buffer,
+    });
+    expect(result.kind).toBe("applied");
+    expect(state.metadata).toEqual({ counter: 1 });
+    expect(state.version).toBe(1);
+  });
+
+  it("succeeds after 5 version conflicts (default budget = 12)", async () => {
+    const { buffer, state } = makeBufferStub();
+    state.pendingConflictsForNextN = 5;
+    const result = await applyMetadataMutationToBufferedRun({
+      runId: "run_1",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      maximumSize: 1024 * 1024,
+      body: { operations: [{ type: "increment", key: "counter", value: 1 }] },
+      buffer,
+    });
+    expect(result.kind).toBe("applied");
+    if (result.kind === "applied") {
+      expect(result.newMetadata.counter).toBe(1);
+    }
+  });
+
+  it("succeeds after 11 version conflicts (one under the default budget)", async () => {
+    const { buffer } = makeBufferStub();
+    const setStateConflicts = (n: number) => {
+      // Re-read state from the closure
+      const state = (buffer as unknown as { __state__?: never; getEntry: () => Promise<BufferEntry> });
+      void state;
+    };
+    void setStateConflicts;
+    // Set conflicts directly via the shared state object
+    const { state } = makeBufferStub();
+    state.pendingConflictsForNextN = 11;
+    // Build a fresh stub since we want one shared state instance
+    const stub = makeBufferStub();
+    stub.state.pendingConflictsForNextN = 11;
+    const result = await applyMetadataMutationToBufferedRun({
+      runId: "run_1",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      maximumSize: 1024 * 1024,
+      body: { operations: [{ type: "increment", key: "counter", value: 1 }] },
+      buffer: stub.buffer,
+    });
+    expect(result.kind).toBe("applied");
+  });
+
+  it("returns version_exhausted after retries are spent", async () => {
+    const stub = makeBufferStub();
+    // 99 conflicts ≫ default budget of 12. With maxRetries 3 (the
+    // pre-fix value), this would have exhausted after 4 attempts.
+    stub.state.pendingConflictsForNextN = 99;
+    const result = await applyMetadataMutationToBufferedRun({
+      runId: "run_1",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      maximumSize: 1024 * 1024,
+      body: { operations: [{ type: "increment", key: "counter", value: 1 }] },
+      buffer: stub.buffer,
+      maxRetries: 12,
+    });
+    expect(result.kind).toBe("version_exhausted");
+  });
+
+  it("regression: 3 retries are NOT enough under 50-way concurrency simulation", async () => {
+    // The pre-fix default would have lost most deltas under this
+    // contention. Asserting that the OLD budget (3) exhausts confirms
+    // the regression actually existed and the new budget addresses it.
+    const stub = makeBufferStub();
+    stub.state.pendingConflictsForNextN = 8;
+    const result = await applyMetadataMutationToBufferedRun({
+      runId: "run_1",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      maximumSize: 1024 * 1024,
+      body: { operations: [{ type: "increment", key: "counter", value: 1 }] },
+      buffer: stub.buffer,
+      maxRetries: 3,
+    });
+    expect(result.kind).toBe("version_exhausted");
+  });
+
+  it("matches PG semantics when body has both metadata + operations: ops on top of EXISTING, body.metadata ignored", async () => {
+    // PG service (UpdateMetadataService.#updateRunMetadata) branches on
+    // Array.isArray(body.operations) — when present it applies ops on
+    // top of existing PG metadata and IGNORES body.metadata. The buffer
+    // helper used to merge both (replace then apply), producing different
+    // results across the buffered/materialised boundary. This regression
+    // pins the PG-matching behaviour.
+    const stub = makeBufferStub({ metadata: JSON.stringify({ a: 1 }) });
+    const result = await applyMetadataMutationToBufferedRun({
+      runId: "run_1",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      maximumSize: 1024 * 1024,
+      body: {
+        // Should be ignored because `operations` is also present.
+        metadata: { b: 2 },
+        operations: [{ type: "set", key: "c", value: 3 }],
+      },
+      buffer: stub.buffer,
+    });
+    expect(result.kind).toBe("applied");
+    if (result.kind === "applied") {
+      // PG would produce {a:1, c:3}; previously the buffer produced {b:2, c:3}.
+      expect(result.newMetadata).toEqual({ a: 1, c: 3 });
+      expect(result.newMetadata).not.toHaveProperty("b");
+    }
+  });
+
+  it("returns metadata_too_large when the resulting payload exceeds maximumSize (mirrors PG 413)", async () => {
+    // PG-side `UpdateMetadataService` uses `handleMetadataPacket` to
+    // enforce TASK_RUN_METADATA_MAXIMUM_SIZE (default 256KB), throwing
+    // `MetadataTooLargeError` (413) on overflow. The buffer helper now
+    // matches that cap so a buffered run can't accept a payload PG
+    // would have rejected. Reject must fire BEFORE casSetMetadata.
+    const stub = makeBufferStub();
+    const big = "x".repeat(2048); // 2 KB string value
+    const result = await applyMetadataMutationToBufferedRun({
+      runId: "run_1",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      maximumSize: 1024, // 1 KB cap — strictly less than the payload
+      body: { metadata: { big } },
+      buffer: stub.buffer,
+    });
+    expect(result.kind).toBe("metadata_too_large");
+    if (result.kind === "metadata_too_large") {
+      expect(result.maximumSize).toBe(1024);
+      expect(result.observedSize).toBeGreaterThan(1024);
+    }
+    // No CAS write should have been attempted.
+    expect(stub.buffer.casSetMetadata).not.toHaveBeenCalled();
+    expect(stub.state.version).toBe(0);
+  });
+
+  it("returns not_found when the buffered entry belongs to a different env (cross-env auth gate)", async () => {
+    // Same shape as a normal apply call, but the caller's environmentId
+    // doesn't match the entry's envId. The helper must refuse the
+    // mutation and return not_found (without leaking existence) and
+    // must NOT call casSetMetadata.
+    const stub = makeBufferStub();
+    const result = await applyMetadataMutationToBufferedRun({
+      runId: "run_1",
+      environmentId: "env_OTHER",
+      organizationId: "org_1",
+      maximumSize: 1024 * 1024,
+      body: { metadata: { counter: 1 } },
+      buffer: stub.buffer,
+    });
+    expect(result.kind).toBe("not_found");
+    expect(stub.buffer.casSetMetadata).not.toHaveBeenCalled();
+    expect(stub.state.version).toBe(0);
+  });
+
+  it("returns not_found when the buffered entry belongs to a different org (cross-org auth gate)", async () => {
+    const stub = makeBufferStub();
+    const result = await applyMetadataMutationToBufferedRun({
+      runId: "run_1",
+      environmentId: "env_a",
+      organizationId: "org_OTHER",
+      maximumSize: 1024 * 1024,
+      body: { metadata: { counter: 1 } },
+      buffer: stub.buffer,
+    });
+    expect(result.kind).toBe("not_found");
+    expect(stub.buffer.casSetMetadata).not.toHaveBeenCalled();
+  });
+
+  it("surfaces parent/root friendlyIds on `applied` so the route can fan parent/root ops without a second buffer read", async () => {
+    // Regression: the metadata route used to do a SECOND
+    // `findRunByIdWithMollifierFallback` after the primary CAS to
+    // obtain parent/root friendlyIds for `routeOperationsToRun`.
+    // If the drainer's terminal-failure path ran between the CAS and
+    // the second read, the entry hash was DELd and the second read
+    // came back null — the route silently skipped the entire
+    // parent/root fan-out, dropping `body.parentOperations` /
+    // `body.rootOperations` after the primary mutation already
+    // landed. The helper now captures the ids inside its own read
+    // loop and surfaces them on the `applied` outcome so the route
+    // never needs a second round trip.
+    //
+    // Engine-side snapshot stores internal cuids; we expect the
+    // helper to convert via `RunId.toFriendlyId` so the outcome
+    // matches what `readFallback.server.ts` would have produced.
+    const parentFriendly = RunId.generate().friendlyId;
+    const rootFriendly = RunId.generate().friendlyId;
+    const parentInternal = RunId.fromFriendlyId(parentFriendly);
+    const rootInternal = RunId.fromFriendlyId(rootFriendly);
+    const stub = makeBufferStub({
+      parentTaskRunId: parentInternal,
+      rootTaskRunId: rootInternal,
+    });
+    const result = await applyMetadataMutationToBufferedRun({
+      runId: "run_1",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      maximumSize: 1024 * 1024,
+      body: { metadata: { counter: 1 } },
+      buffer: stub.buffer,
+    });
+    expect(result.kind).toBe("applied");
+    if (result.kind === "applied") {
+      expect(result.parentTaskRunFriendlyId).toBe(parentFriendly);
+      expect(result.rootTaskRunFriendlyId).toBe(rootFriendly);
+    }
+  });
+
+  it("`applied` parent/root ids are undefined when the snapshot carries neither (top-level run)", async () => {
+    // Top-level runs (parentTaskRunId/rootTaskRunId both undefined in
+    // the engine-trigger snapshot) must surface as undefined on the
+    // outcome so the route's `?? runId` self-fallback fires —
+    // matching the PG service's `taskRun.parentTaskRun?.id ??
+    // taskRun.id` semantics.
+    const stub = makeBufferStub({});
+    const result = await applyMetadataMutationToBufferedRun({
+      runId: "run_1",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      maximumSize: 1024 * 1024,
+      body: { metadata: { counter: 1 } },
+      buffer: stub.buffer,
+    });
+    expect(result.kind).toBe("applied");
+    if (result.kind === "applied") {
+      expect(result.parentTaskRunFriendlyId).toBeUndefined();
+      expect(result.rootTaskRunFriendlyId).toBeUndefined();
+    }
+  });
+
+  it("N-way concurrent applies all converge under default budget", async () => {
+    // Simulate N parallel writers against a shared state. Each writer
+    // reads, applies a delta, CAS-writes. The Lua CAS forces them to
+    // retry until they see the latest version.
+    const N = 30;
+    const sharedStub = makeBufferStub();
+    // Override the stub to model real per-attempt serialisation: each
+    // call reads the latest version, and CAS conflicts are organic
+    // (not pre-injected) when expectedVersion != current.
+    sharedStub.state.pendingConflictsForNextN = 0;
+
+    const calls = Array.from({ length: N }, () =>
+      applyMetadataMutationToBufferedRun({
+        runId: "run_1",
+        environmentId: "env_a",
+        organizationId: "org_1",
+        maximumSize: 1024 * 1024,
+        body: { operations: [{ type: "increment", key: "counter", value: 1 }] },
+        buffer: sharedStub.buffer,
+      }),
+    );
+    const results = await Promise.all(calls);
+    const applied = results.filter((r) => r.kind === "applied").length;
+    expect(applied).toBe(N);
+    expect(sharedStub.state.metadata.counter).toBe(N);
+  });
+});
diff --git a/apps/webapp/test/mollifierClaimResolution.test.ts b/apps/webapp/test/mollifierClaimResolution.test.ts
new file mode 100644
index 00000000000..f61cda0d04e
--- /dev/null
+++ b/apps/webapp/test/mollifierClaimResolution.test.ts
@@ -0,0 +1,143 @@
+import { describe, expect, it, vi } from "vitest";
+
+// Stub `~/db.server` before importing the concern — the real module
+// eagerly calls `prisma.$connect()` at singleton construction, which
+// would fail without a database. The concern under test receives its
+// prisma via the constructor, so the stub is never used by the code path.
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+
+// The IdempotencyKeyConcern resolves the pre-gate claim through the
+// global mollifier buffer (`getMollifierBuffer`), shared by both
+// `claimOrAwait` and `findBufferedRunWithIdempotency`. Control it via a
+// hoisted handle so each test can script the claim/lookup responses.
+const h = vi.hoisted(() => ({ buffer: null as unknown, orgFlag: true }));
+vi.mock("~/v3/mollifier/mollifierBuffer.server", () => ({
+  getMollifierBuffer: () => h.buffer,
+}));
+// Stub `mollifierGate.server` so loading the concern doesn't drag in
+// `env.server` (which fails to parse without a populated environment in
+// CI). The concern only uses `makeResolveMollifierFlag` to gate the
+// claim; tests flip `h.orgFlag` to cover both opted-in and opted-out
+// orgs without touching real env or feature-flag wiring.
+vi.mock("~/v3/mollifier/mollifierGate.server", () => ({
+  makeResolveMollifierFlag: () => async () => h.orgFlag,
+}));
+
+import type { MollifierBuffer } from "@trigger.dev/redis-worker";
+import { IdempotencyKeyConcern } from "~/runEngine/concerns/idempotencyKeys.server";
+import type { TriggerTaskRequest } from "~/runEngine/types";
+
+function makeConcern(prisma: { findFirst: () => Promise<unknown> }) {
+  return new IdempotencyKeyConcern(
+    { taskRun: { findFirst: prisma.findFirst } } as never,
+    {} as never, // engine — unused on this path
+    {} as never, // traceEventConcern — unused on this path
+  );
+}
+
+function makeRequest(): TriggerTaskRequest {
+  return {
+    taskId: "my-task",
+    environment: {
+      id: "env_a",
+      organizationId: "org_1",
+      // The pre-gate claim is gated by the per-org mollifier flag
+      // (mirroring evaluateGate's gating) so non-opted-in orgs don't pay
+      // the Redis SETNX. Tests covering the claim path must opt this
+      // fake org in, otherwise the concern skips claimOrAwait entirely
+      // and the resolution branches under test never run.
+      organization: { featureFlags: { mollifierEnabled: true } },
+    },
+    options: {},
+    body: { options: { idempotencyKey: "k-1" } },
+  } as unknown as TriggerTaskRequest;
+}
+
+describe("IdempotencyKeyConcern · claim resolution", () => {
+  it("resolved-but-unfindable falls through to a fresh trigger (no cached run, no claim held)", async () => {
+    // The claim slot holds a runId that is gone from both stores: the PG
+    // findFirst misses and the buffer lookup misses. Regression guard for
+    // the resolved-but-unfindable terminal case — the concern must fall
+    // through to a fresh trigger rather than throw, hand back a bogus
+    // cached run, or claim ownership it doesn't hold.
+    const lookupIdempotency = vi.fn(async () => null);
+    h.buffer = {
+      claimIdempotency: vi.fn(async () => ({ kind: "resolved", runId: "run_gone" })),
+      lookupIdempotency,
+    } as unknown as MollifierBuffer;
+
+    const findFirst = vi.fn(async () => null); // PG misses on every call
+    const concern = makeConcern({ findFirst });
+
+    const result = await concern.handleTriggerRequest(makeRequest(), undefined);
+
+    expect(result.isCached).toBe(false);
+    if (result.isCached === false) {
+      // No claim held — we resolved someone else's (stale) claim, we did
+      // not win one. The caller must NOT publish/release on our behalf.
+      expect(result.claim).toBeUndefined();
+      expect(result.idempotencyKey).toBe("k-1");
+    }
+    // We attempted the buffer fallback before giving up.
+    expect(lookupIdempotency).toHaveBeenCalled();
+  });
+
+  it("resolved-and-findable returns the existing run as a cached hit", async () => {
+    // Guard the happy resolved path: when the claimed runId IS findable
+    // (writer-side PG), the fall-through change must not swallow it.
+    h.buffer = {
+      claimIdempotency: vi.fn(async () => ({ kind: "resolved", runId: "run_winner" })),
+      lookupIdempotency: vi.fn(async () => null),
+    } as unknown as MollifierBuffer;
+
+    const winner = { id: "run_winner", friendlyId: "run_winner" };
+    // First findFirst (initial existingRun check) misses so we enter the
+    // claim path; the second (writer-side re-resolve) finds the winner.
+    let calls = 0;
+    const findFirst = vi.fn(async () => {
+      calls += 1;
+      return calls >= 2 ? winner : null;
+    });
+    const concern = makeConcern({ findFirst });
+
+    const result = await concern.handleTriggerRequest(makeRequest(), undefined);
+
+    expect(result.isCached).toBe(true);
+    if (result.isCached === true) {
+      expect(result.run).toBe(winner);
+    }
+  });
+
+  it("non-opted-in org skips claimOrAwait entirely (no buffer round-trip, no claim held)", async () => {
+    // Regression guard for the per-org gating that keeps the claim's
+    // Redis SETNX off the hot path for orgs that haven't opted into the
+    // mollifier — even when `TRIGGER_MOLLIFIER_ENABLED=1` globally and
+    // the buffer singleton exists. The concern should NOT touch
+    // `claimIdempotency` for these orgs; PG's unique constraint already
+    // deduplicates same-key races on the pass-through path.
+    h.orgFlag = false;
+    const claimIdempotency = vi.fn(async () => ({ kind: "claimed" as const }));
+    const lookupIdempotency = vi.fn(async () => null);
+    h.buffer = {
+      claimIdempotency,
+      lookupIdempotency,
+    } as unknown as MollifierBuffer;
+
+    const findFirst = vi.fn(async () => null);
+    const concern = makeConcern({ findFirst });
+
+    try {
+      const result = await concern.handleTriggerRequest(makeRequest(), undefined);
+      expect(result.isCached).toBe(false);
+      if (result.isCached === false) {
+        // No claim returned — the caller must NOT publish/release.
+        expect(result.claim).toBeUndefined();
+        expect(result.idempotencyKey).toBe("k-1");
+      }
+      // The headline guarantee: zero Redis claim activity for this org.
+      expect(claimIdempotency).not.toHaveBeenCalled();
+    } finally {
+      h.orgFlag = true; // restore for any later tests in this file
+    }
+  });
+});
diff --git a/apps/webapp/test/mollifierDecisionLabels.test.ts b/apps/webapp/test/mollifierDecisionLabels.test.ts
new file mode 100644
index 00000000000..8206edabb0b
--- /dev/null
+++ b/apps/webapp/test/mollifierDecisionLabels.test.ts
@@ -0,0 +1,54 @@
+import { describe, expect, it } from "vitest";
+
+import { decisionLabels } from "~/v3/mollifier/mollifierTelemetry.server";
+
+// The cardinality guard. `org` is a bounded label (enrolled cohort is capped
+// at <= 10 orgs operationally), so it may ONLY be attached when the org is
+// enrolled. Attaching it for non-enrolled orgs would fan `mollifier.decisions`
+// out across every org id in production — the high-cardinality blow-up these
+// labels are explicitly designed to avoid.
+describe("decisionLabels", () => {
+  it("always emits a bounded `enrolled` label (true/false)", () => {
+    expect(decisionLabels("pass_through", { enrolled: false })).toEqual({
+      outcome: "pass_through",
+      enrolled: "false",
+    });
+    expect(decisionLabels("pass_through", { enrolled: true, orgId: "org_1" })).toMatchObject({
+      enrolled: "true",
+    });
+  });
+
+  it("attaches the `org` label ONLY when enrolled — never for non-enrolled, even if orgId is passed", () => {
+    // Non-enrolled: orgId passed but MUST be dropped (cardinality guard).
+    expect(decisionLabels("pass_through", { enrolled: false, orgId: "org_unbounded" })).toEqual({
+      outcome: "pass_through",
+      enrolled: "false",
+    });
+
+    // Enrolled: org label present.
+    expect(
+      decisionLabels("mollify", { enrolled: true, orgId: "org_1", reason: "per_env_rate" }),
+    ).toEqual({
+      outcome: "mollify",
+      enrolled: "true",
+      reason: "per_env_rate",
+      org: "org_1",
+    });
+  });
+
+  it("omits `org` when enrolled but no orgId is supplied", () => {
+    expect(decisionLabels("pass_through", { enrolled: true })).toEqual({
+      outcome: "pass_through",
+      enrolled: "true",
+    });
+  });
+
+  it("includes `reason` only when supplied", () => {
+    expect(decisionLabels("pass_through", { enrolled: true, orgId: "org_1" })).not.toHaveProperty(
+      "reason",
+    );
+    expect(
+      decisionLabels("shadow_log", { enrolled: false, reason: "per_env_rate" }),
+    ).toMatchObject({ reason: "per_env_rate" });
+  });
+});
diff --git a/apps/webapp/test/mollifierDrainerHandler.test.ts b/apps/webapp/test/mollifierDrainerHandler.test.ts
new file mode 100644
index 00000000000..085fab6418b
--- /dev/null
+++ b/apps/webapp/test/mollifierDrainerHandler.test.ts
@@ -0,0 +1,574 @@
+import { describe, expect, it, vi } from "vitest";
+import { trace } from "@opentelemetry/api";
+import { RunId } from "@trigger.dev/core/v3/isomorphic";
+
+vi.mock("~/db.server", () => ({
+  prisma: {},
+  $replica: {},
+}));
+
+// `writeMollifierTerminalFailureRow` enqueues a PerformTaskRunAlertsService
+// after writing the SYSTEM_FAILURE row (mirrors TriggerFailedTaskService).
+// In production that enqueues into the alerts redis-worker; the test
+// environment has no redis-worker, so the real call hangs the tick out
+// to its 5s vitest timeout. Stub `enqueue` to a resolved no-op so the
+// handler's best-effort try/catch sees a clean success path.
+vi.mock("~/v3/services/alerts/performTaskRunAlerts.server", () => ({
+  PerformTaskRunAlertsService: {
+    enqueue: vi.fn(async () => undefined),
+  },
+}));
+
+// The drainer calls `recordRunDebugLog` after a successful engine.trigger
+// to emit an admin-only LOG-kind event encoding the buffered window.
+// The real implementation imports the configured event repository (prisma
+// + clickhouse + env), which has heavy side-effects on first import.
+// Stub it to a vi.fn so the unit tests can assert call shape without
+// dragging the whole eventRepository graph into webapp test setup.
+// `vi.hoisted` is required because `vi.mock` factories are hoisted above
+// regular `const`s — referencing a top-level variable from inside the
+// factory otherwise fires `Cannot access 'X' before initialization`.
+const { recordRunDebugLogMock } = vi.hoisted(() => ({
+  recordRunDebugLogMock: vi.fn(async () => ({ success: true as const })),
+}));
+vi.mock("~/v3/eventRepository/index.server", () => ({
+  recordRunDebugLog: recordRunDebugLogMock,
+}));
+
+import {
+  createDrainerHandler,
+  isRetryablePgError,
+} from "~/v3/mollifier/mollifierDrainerHandler.server";
+
+describe("isRetryablePgError", () => {
+  it("returns true for P2024 (connection pool timeout)", () => {
+    const err = Object.assign(new Error("Timed out fetching a new connection"), {
+      code: "P2024",
+    });
+    expect(isRetryablePgError(err)).toBe(true);
+  });
+
+  it("returns true for generic connection-lost messages", () => {
+    expect(isRetryablePgError(new Error("Connection lost"))).toBe(true);
+    expect(isRetryablePgError(new Error("Can't reach database server"))).toBe(true);
+  });
+
+  it("returns false for validation errors", () => {
+    expect(isRetryablePgError(new Error("Invalid payload"))).toBe(false);
+  });
+
+  it("returns false for non-Error inputs", () => {
+    expect(isRetryablePgError("string error")).toBe(false);
+    expect(isRetryablePgError({ message: "object" })).toBe(false);
+  });
+});
+
+describe("createDrainerHandler", () => {
+  it("invokes engine.trigger with the deserialised snapshot", async () => {
+    const trigger = vi.fn(async () => ({ friendlyId: "run_x" }));
+    const handler = createDrainerHandler({
+      engine: { trigger } as any,
+      prisma: {} as any,
+    });
+
+    await handler({
+      runId: "run_x",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: { taskIdentifier: "t", payload: "{}" },
+      attempts: 0,
+      createdAt: new Date(),
+    } as any);
+
+    expect(trigger).toHaveBeenCalledOnce();
+    const callArg = trigger.mock.calls[0][0] as { taskIdentifier: string };
+    expect(callArg.taskIdentifier).toBe("t");
+  });
+
+  it("re-attaches the snapshot's traceId so engine.trigger inherits the original trace", async () => {
+    // Captures the active traceId at the moment engine.trigger is invoked.
+    // Without context propagation it would be a fresh traceId, leaving the
+    // run-detail page with only the root span.
+    let observedTraceId: string | undefined;
+    const trigger = vi.fn(async () => {
+      observedTraceId = trace.getActiveSpan()?.spanContext().traceId;
+      return { friendlyId: "run_x" };
+    });
+
+    const handler = createDrainerHandler({
+      engine: { trigger } as any,
+      prisma: {} as any,
+    });
+
+    const snapshotTraceId = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+    const snapshotSpanId = "bbbbbbbbbbbbbbbb";
+
+    await handler({
+      runId: "run_x",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: {
+        taskIdentifier: "t",
+        traceId: snapshotTraceId,
+        spanId: snapshotSpanId,
+      },
+      attempts: 0,
+      createdAt: new Date(),
+    } as any);
+
+    expect(observedTraceId).toBe(snapshotTraceId);
+  });
+
+  it("rethrows retryable PG errors so MollifierDrainer requeues the entry", async () => {
+    const err = new Error("Can't reach database server");
+    const trigger = vi.fn(async () => {
+      throw err;
+    });
+    const createFailedTaskRun = vi.fn();
+    const handler = createDrainerHandler({
+      engine: { trigger, createFailedTaskRun } as any,
+      prisma: {} as any,
+    });
+
+    await expect(
+      handler({
+        runId: "run_x",
+        envId: "env_a",
+        orgId: "org_1",
+        payload: { taskIdentifier: "t" },
+        attempts: 0,
+        createdAt: new Date(),
+      } as any),
+    ).rejects.toThrow("Can't reach database server");
+    // Retryable: we do NOT write a SYSTEM_FAILURE row, the entry should
+    // be requeued for another shot.
+    expect(createFailedTaskRun).not.toHaveBeenCalled();
+  });
+
+  const envFixture = {
+    id: "env_a",
+    type: "DEVELOPMENT",
+    project: { id: "proj_1" },
+    organization: { id: "org_1" },
+  };
+
+  it("writes a SYSTEM_FAILURE PG row when engine.trigger fails non-retryably", async () => {
+    const trigger = vi.fn(async () => {
+      throw new Error("validation failed: payload too large");
+    });
+    const createFailedTaskRun = vi.fn(async () => ({
+      id: "internal",
+      friendlyId: "run_x",
+    }));
+    const handler = createDrainerHandler({
+      engine: { trigger, createFailedTaskRun } as any,
+      prisma: {} as any,
+    });
+
+    await expect(
+      handler({
+        runId: "run_x",
+        envId: "env_a",
+        orgId: "org_1",
+        payload: { taskIdentifier: "t", environment: envFixture },
+        attempts: 0,
+        createdAt: new Date(),
+      } as any),
+    ).resolves.toBeUndefined();
+
+    expect(trigger).toHaveBeenCalledOnce();
+    expect(createFailedTaskRun).toHaveBeenCalledOnce();
+    const arg = createFailedTaskRun.mock.calls[0][0] as { error: { raw: string } };
+    expect(arg.error.raw).toContain("validation failed");
+  });
+
+  it("propagates the batch association into createFailedTaskRun (so batch parents don't hang on missing children)", async () => {
+    // Devin's ANALYSIS report on PR #3754: the terminal-failure path
+    // extracts most snapshot fields (parentTaskRunId, rootTaskRunId,
+    // depth, etc.) but dropped `batch`. If the original trigger was
+    // part of a batch, the SYSTEM_FAILURE row isn't associated with
+    // the batch, so the batch parent's completion-tracking can hang
+    // indefinitely waiting on a child that landed but isn't linked.
+    const trigger = vi.fn(async () => {
+      throw new Error("validation failed: payload too large");
+    });
+    const createFailedTaskRun = vi.fn(async () => ({
+      id: "internal",
+      friendlyId: "run_x",
+    }));
+    const handler = createDrainerHandler({
+      engine: { trigger, createFailedTaskRun } as any,
+      prisma: {} as any,
+    });
+
+    await expect(
+      handler({
+        runId: "run_batched",
+        envId: "env_a",
+        orgId: "org_1",
+        payload: {
+          taskIdentifier: "t",
+          environment: envFixture,
+          batch: { id: "batch_xyz", index: 7 },
+        },
+        attempts: 0,
+        createdAt: new Date(),
+      } as any),
+    ).resolves.toBeUndefined();
+
+    expect(createFailedTaskRun).toHaveBeenCalledOnce();
+    const arg = createFailedTaskRun.mock.calls[0][0] as {
+      batch?: { id: string; index: number };
+    };
+    expect(arg.batch).toEqual({ id: "batch_xyz", index: 7 });
+  });
+
+  it("rethrows the original error when createFailedTaskRun also fails (PG genuinely unreachable)", async () => {
+    const triggerErr = new Error("engine rejected the snapshot");
+    const trigger = vi.fn(async () => {
+      throw triggerErr;
+    });
+    const createFailedTaskRun = vi.fn(async () => {
+      throw new Error("connection refused");
+    });
+    const handler = createDrainerHandler({
+      engine: { trigger, createFailedTaskRun } as any,
+      prisma: {} as any,
+    });
+
+    await expect(
+      handler({
+        runId: "run_x",
+        envId: "env_a",
+        orgId: "org_1",
+        payload: { taskIdentifier: "t", environment: envFixture },
+        attempts: 0,
+        createdAt: new Date(),
+      } as any),
+    ).rejects.toThrow("engine rejected the snapshot");
+    // Drainer's outer drainOne loop now decides retry vs buffer.fail.
+    expect(createFailedTaskRun).toHaveBeenCalledOnce();
+  });
+
+  it("calls createCancelledRun with emitRunCancelledEvent: false (suppresses orphan trace-event log noise)", async () => {
+    // Buffered-only runs never had a primary trace event written for
+    // them — the mollifier gate skipped `repository.traceEvent` since
+    // the run hadn't materialised in PG yet. The `runCancelled` handler
+    // would log `[runCancelled] Failed to cancel run event` for every
+    // cancelled buffered run if we let the emit fire. Suppress it.
+    const friendlyId = RunId.generate().friendlyId;
+    const createCancelledRun = vi.fn(async () => ({
+      id: "internal",
+      friendlyId,
+      status: "CANCELED",
+    }));
+    const handler = createDrainerHandler({
+      engine: { createCancelledRun } as any,
+      prisma: {} as any,
+    });
+
+    await handler({
+      runId: friendlyId,
+      envId: "env_a",
+      orgId: "org_1",
+      payload: {
+        friendlyId,
+        taskIdentifier: "t",
+        environment: envFixture,
+        cancelledAt: new Date().toISOString(),
+        cancelReason: "Canceled by user",
+      },
+      attempts: 0,
+      createdAt: new Date(),
+    } as any);
+
+    expect(createCancelledRun).toHaveBeenCalledOnce();
+    const arg = createCancelledRun.mock.calls[0][0] as {
+      emitRunCancelledEvent?: boolean;
+    };
+    expect(arg.emitRunCancelledEvent).toBe(false);
+  });
+
+  it("honours the cancel when a buffered cancel races a materialised non-CANCELED row", async () => {
+    // Cancel-wins-over-trigger. If the normal trigger
+    // replay path materialised a live PENDING row before the cancel
+    // bifurcation drained, engine.createCancelledRun throws a conflict —
+    // its documented contract is that "the caller must decide between
+    // engine.cancelRun() and skipping". The drainer handler must honour
+    // the cancel intent by actually cancelling the now-live run; otherwise
+    // the conflict propagates, isRetryablePgError() returns false, and the
+    // drainer buffer.fail()s the entry — silently losing the cancellation
+    // while the run keeps executing.
+    const friendlyId = RunId.generate().friendlyId;
+    const createCancelledRun = vi.fn(async () => {
+      throw new Error(
+        `createCancelledRun conflict: existing run ${friendlyId} has status PENDING`
+      );
+    });
+    const cancelRun = vi.fn(async () => ({ alreadyFinished: false }));
+    const handler = createDrainerHandler({
+      engine: { createCancelledRun, cancelRun } as any,
+      prisma: {} as any,
+    });
+
+    await expect(
+      handler({
+        runId: friendlyId,
+        envId: "env_a",
+        orgId: "org_1",
+        payload: {
+          friendlyId,
+          taskIdentifier: "t",
+          environment: envFixture,
+          cancelledAt: new Date().toISOString(),
+          cancelReason: "Canceled by user",
+        },
+        attempts: 0,
+        createdAt: new Date(),
+      } as any)
+    ).resolves.toBeUndefined();
+
+    // The live run is actually cancelled, by its internal id.
+    expect(cancelRun).toHaveBeenCalledOnce();
+    expect(cancelRun.mock.calls[0][0].runId).toBe(RunId.fromFriendlyId(friendlyId));
+  });
+
+  it("requeues on a transient PG outage during the SYSTEM_FAILURE fallback write", async () => {
+    // engine.trigger failed non-retryably, so we try to write a terminal
+    // SYSTEM_FAILURE row. If THAT write fails because PG is transiently
+    // unreachable, rethrowing the *original* non-retryable error makes the
+    // drainer buffer.fail() the entry — losing the run with no PG row ever
+    // landing. Rethrow the retryable write error instead so the drainer
+    // requeues; once PG recovers the failure row lands and the customer
+    // sees it.
+    const trigger = vi.fn(async () => {
+      throw new Error("validation failed: payload too large");
+    });
+    const createFailedTaskRun = vi.fn(async () => {
+      throw new Error("Can't reach database server");
+    });
+    const handler = createDrainerHandler({
+      engine: { trigger, createFailedTaskRun } as any,
+      prisma: {} as any,
+    });
+
+    await expect(
+      handler({
+        runId: "run_x",
+        envId: "env_a",
+        orgId: "org_1",
+        payload: { taskIdentifier: "t", environment: envFixture },
+        attempts: 0,
+        createdAt: new Date(),
+      } as any)
+    ).rejects.toThrow("Can't reach database server");
+  });
+
+  it("writes a SYSTEM_FAILURE row when createCancelledRun fails non-retryably (cancel bifurcation)", async () => {
+    // Without this guard a non-conflict, non-retryable failure from
+    // createCancelledRun rethrows out of the handler. The drainer's
+    // onTerminalFailure gates on cause==="max-attempts-exhausted" and
+    // skips "non-retryable", so buffer.fail() deletes the entry with
+    // no PG row written — the cancellation disappears silently.
+    // Mirror the non-cancel path's SYSTEM_FAILURE fallback so the
+    // customer always sees a terminal row.
+    const friendlyId = RunId.generate().friendlyId;
+    const cancelErr = new Error("validation failed: bad cancel snapshot");
+    const createCancelledRun = vi.fn(async () => {
+      throw cancelErr;
+    });
+    const createFailedTaskRun = vi.fn(async () => ({ id: "internal_x" }));
+    const handler = createDrainerHandler({
+      engine: { createCancelledRun, createFailedTaskRun } as any,
+      prisma: {} as any,
+    });
+
+    await handler({
+      runId: friendlyId,
+      envId: "env_a",
+      orgId: "org_1",
+      payload: {
+        friendlyId,
+        taskIdentifier: "t",
+        environment: envFixture,
+        cancelledAt: new Date().toISOString(),
+        cancelReason: "Canceled by user",
+      },
+      attempts: 0,
+      createdAt: new Date(),
+    } as any);
+
+    // SYSTEM_FAILURE row was written via the shared helper. Handler
+    // returns cleanly so the drainer ACKs the entry instead of
+    // buffer.fail()ing it.
+    expect(createFailedTaskRun).toHaveBeenCalledOnce();
+    expect(createFailedTaskRun.mock.calls[0][0].friendlyId).toBe(friendlyId);
+    expect(createFailedTaskRun.mock.calls[0][0].error.raw).toContain(
+      "validation failed: bad cancel snapshot"
+    );
+  });
+
+  it("requeues when createCancelledRun fails with a retryable PG error (cancel bifurcation)", async () => {
+    // Retryable PG failures must rethrow so the drainer requeues the
+    // entry — writing a SYSTEM_FAILURE row when PG is transiently
+    // unreachable would still fail. The drainer's existing retry loop
+    // handles the requeue.
+    const friendlyId = RunId.generate().friendlyId;
+    const cancelErr = new Error("Can't reach database server");
+    const createCancelledRun = vi.fn(async () => {
+      throw cancelErr;
+    });
+    const createFailedTaskRun = vi.fn();
+    const handler = createDrainerHandler({
+      engine: { createCancelledRun, createFailedTaskRun } as any,
+      prisma: {} as any,
+    });
+
+    await expect(
+      handler({
+        runId: friendlyId,
+        envId: "env_a",
+        orgId: "org_1",
+        payload: {
+          friendlyId,
+          taskIdentifier: "t",
+          environment: envFixture,
+          cancelledAt: new Date().toISOString(),
+          cancelReason: "Canceled by user",
+        },
+        attempts: 0,
+        createdAt: new Date(),
+      } as any)
+    ).rejects.toThrow("Can't reach database server");
+    expect(createFailedTaskRun).not.toHaveBeenCalled();
+  });
+
+  it("rethrows the original error when the snapshot lacks an environment block", async () => {
+    const triggerErr = new Error("engine rejected the snapshot");
+    const trigger = vi.fn(async () => {
+      throw triggerErr;
+    });
+    const createFailedTaskRun = vi.fn();
+    const handler = createDrainerHandler({
+      engine: { trigger, createFailedTaskRun } as any,
+      prisma: {} as any,
+    });
+
+    await expect(
+      handler({
+        runId: "run_x",
+        envId: "env_a",
+        orgId: "org_1",
+        payload: { taskIdentifier: "t" /* no environment */ },
+        attempts: 0,
+        createdAt: new Date(),
+      } as any),
+    ).rejects.toThrow("engine rejected the snapshot");
+    expect(createFailedTaskRun).not.toHaveBeenCalled();
+  });
+
+  it("emits an admin-only LOG-kind event with the buffered window after engine.trigger succeeds", async () => {
+    // The drainer's audit trail rides the existing TaskEventKind.LOG
+    // filter pattern (`eventRepository.server.ts:108` + `logs.download.ts:118`)
+    // — admins see the buffered window in the trace; non-admins don't.
+    recordRunDebugLogMock.mockClear();
+    const trigger = vi.fn(async () => ({ friendlyId: "run_z" }));
+    const handler = createDrainerHandler({
+      engine: { trigger } as any,
+      prisma: {} as any,
+    });
+
+    const bufferedAt = new Date(Date.now() - 4_000);
+    await handler({
+      runId: "run_z",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: { taskIdentifier: "t", spanId: "snapspan", traceId: "snaptrace" },
+      attempts: 2,
+      createdAt: bufferedAt,
+    } as any);
+
+    expect(recordRunDebugLogMock).toHaveBeenCalledOnce();
+    const [callRunId, message, options] = recordRunDebugLogMock.mock.calls[0] as [
+      string,
+      string,
+      any,
+    ];
+    // Internal cuid derived from the friendlyId, mirroring what
+    // `findRunForEventCreation` queries on.
+    expect(callRunId).toBe("z");
+    expect(message).toMatch(/Mollifier buffered \d+ms before materialising/);
+    // Emitted as a marker at materialisation time (no `startTime` /
+    // `duration` overrides) — engine.trigger has just rewritten the
+    // root span's start_time to "now", so back-dating the event would
+    // clip it off-screen in the trace renderer. The historical window
+    // is preserved in metadata so admins can still read it.
+    expect(options.startTime).toBeUndefined();
+    expect(options.duration).toBeUndefined();
+    expect(options.parentId).toBe("snapspan");
+    expect(options.attributes.metadata["mollifier.bufferedAt"]).toBe(bufferedAt.toISOString());
+    expect(options.attributes.metadata["mollifier.attempts"]).toBe(2);
+    expect(options.attributes.metadata["mollifier.dwellMs"]).toBeGreaterThan(0);
+  });
+
+  it("does NOT emit the admin LOG event when engine.trigger fails non-retryably", async () => {
+    // The audit trail is for runs that actually materialised. On a
+    // terminal SYSTEM_FAILURE path the customer-visible outcome is the
+    // failure row; emitting a "buffered for Xms" event next to it would
+    // imply the buffered window completed normally.
+    recordRunDebugLogMock.mockClear();
+    const trigger = vi.fn(async () => {
+      throw new Error("engine rejected the snapshot");
+    });
+    const createFailedTaskRun = vi.fn(async () => ({ id: "internal" }));
+    const handler = createDrainerHandler({
+      engine: { trigger, createFailedTaskRun } as any,
+      prisma: {} as any,
+    });
+
+    await handler({
+      runId: "run_z",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: { taskIdentifier: "t", environment: envFixture },
+      attempts: 0,
+      createdAt: new Date(),
+    } as any);
+
+    expect(recordRunDebugLogMock).not.toHaveBeenCalled();
+  });
+
+  it("does NOT emit the admin LOG event on the cancel-bifurcation path", async () => {
+    // Cancel-bifurcation writes a CANCELED row directly without calling
+    // engine.trigger. There's no buffered-then-materialised window to
+    // describe — the run never ran.
+    recordRunDebugLogMock.mockClear();
+    const friendlyId = RunId.generate().friendlyId;
+    const createCancelledRun = vi.fn(async () => ({
+      id: "internal",
+      friendlyId,
+      status: "CANCELED",
+    }));
+    const handler = createDrainerHandler({
+      engine: { createCancelledRun } as any,
+      prisma: {} as any,
+    });
+
+    await handler({
+      runId: friendlyId,
+      envId: "env_a",
+      orgId: "org_1",
+      payload: {
+        friendlyId,
+        taskIdentifier: "t",
+        environment: envFixture,
+        cancelledAt: new Date().toISOString(),
+        cancelReason: "Canceled by user",
+      },
+      attempts: 0,
+      createdAt: new Date(),
+    } as any);
+
+    expect(recordRunDebugLogMock).not.toHaveBeenCalled();
+  });
+});
diff --git a/apps/webapp/test/mollifierDrainerWorker.test.ts b/apps/webapp/test/mollifierDrainerWorker.test.ts
new file mode 100644
index 00000000000..0d4e931fd83
--- /dev/null
+++ b/apps/webapp/test/mollifierDrainerWorker.test.ts
@@ -0,0 +1,85 @@
+import { describe, expect, it, vi } from "vitest";
+
+// Importing `~/v3/mollifier/mollifierDrainer.server` (below) transitively
+// loads `~/v3/runEngine.server`, whose top-level `singleton(...)` call
+// eagerly constructs a RunEngine. That spins up Prisma + Redis workers
+// that try to connect to localhost — which in CI (no PG, no Redis)
+// produces an unhandled `PrismaClientInitializationError` that fails
+// the test run even though the assertions all pass. Mocking the
+// runEngine module short-circuits the singleton so no worker starts.
+vi.mock("~/v3/runEngine.server", () => ({ engine: {} }));
+// Same problem: prisma.server.ts's top-level singleton tries to open a
+// PG client. The test never makes a query; an empty stub is enough.
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+
+import { MollifierConfigurationError } from "~/v3/mollifier/mollifierDrainer.server";
+import { initMollifierDrainerWorker } from "~/v3/mollifierDrainerWorker.server";
+
+// Pins the error-classification policy inside the bootstrap's catch:
+// deterministic misconfig errors propagate (so a deploy fails loud
+// rather than silently disabling the drainer), and anything else is
+// logged-and-swallowed (so a transient Redis blip during boot doesn't
+// take the whole webapp down). The corresponding production-path
+// integration is the call at `entry.server.tsx`: a sync throw out of
+// `initMollifierDrainerWorker` propagates to the module top level
+// BEFORE `process.on("uncaughtException", ...)` is registered, so Node
+// crashes with a stack trace and exit code 1 — which is exactly what we
+// want from the orchestrator's health-check perspective.
+describe("initMollifierDrainerWorker error classification", () => {
+  it("rethrows MollifierConfigurationError so the process can crash on misconfig", () => {
+    const misconfig = new MollifierConfigurationError(
+      "TRIGGER_MOLLIFIER_DRAIN_SHUTDOWN_TIMEOUT_MS must be at least 1000ms below GRACEFUL_SHUTDOWN_TIMEOUT",
+    );
+
+    expect(() =>
+      initMollifierDrainerWorker({
+        isEnabled: () => true,
+        getDrainer: () => {
+          throw misconfig;
+        },
+      }),
+    ).toThrow(MollifierConfigurationError);
+  });
+
+  it("rethrows when the error carries the marker name even if instanceof fails (dev-realm hot-reload fallback)", () => {
+    // Simulate the cross-realm case where the consumer's instanceof
+    // check sees a different class instance from the one the throw
+    // site used. The bootstrap's `.name === "MollifierConfigurationError"`
+    // fallback must catch this so dev hot-reload doesn't silently
+    // suppress misconfig errors.
+    const cousin = new Error("buffer not initialised");
+    cousin.name = "MollifierConfigurationError";
+
+    expect(() =>
+      initMollifierDrainerWorker({
+        isEnabled: () => true,
+        getDrainer: () => {
+          throw cousin;
+        },
+      }),
+    ).toThrow(cousin);
+  });
+
+  it("swallows non-configuration errors so transient init failures don't take the webapp down", () => {
+    expect(() =>
+      initMollifierDrainerWorker({
+        isEnabled: () => true,
+        getDrainer: () => {
+          throw new Error("transient redis blip during buffer init");
+        },
+      }),
+    ).not.toThrow();
+  });
+
+  it("is a no-op when the drainer is disabled for this replica", () => {
+    let factoryCalled = false;
+    initMollifierDrainerWorker({
+      isEnabled: () => false,
+      getDrainer: () => {
+        factoryCalled = true;
+        return null;
+      },
+    });
+    expect(factoryCalled).toBe(false);
+  });
+});
diff --git a/apps/webapp/test/mollifierDrainingGauge.test.ts b/apps/webapp/test/mollifierDrainingGauge.test.ts
new file mode 100644
index 00000000000..18251e310b5
--- /dev/null
+++ b/apps/webapp/test/mollifierDrainingGauge.test.ts
@@ -0,0 +1,116 @@
+import { describe, expect, it, vi, beforeEach, afterEach } from "vitest";
+
+// Same defensive mocks as mollifierDrainerWorker.test.ts: importing
+// the gauge module transitively loads telemetry → meter → OTel
+// initialisation, plus the buffer singleton's runtime resolution.
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+vi.mock("~/services/logger.server", () => ({
+  logger: { warn: vi.fn(), error: vi.fn(), info: vi.fn(), debug: vi.fn() },
+}));
+
+const reportDrainingCount = vi.fn();
+vi.mock("~/v3/mollifier/mollifierTelemetry.server", () => ({
+  reportDrainingCount: (count: number) => reportDrainingCount(count),
+}));
+
+import {
+  startMollifierDrainingGauge,
+  stopMollifierDrainingGauge,
+} from "~/v3/mollifier/mollifierDrainingGauge.server";
+
+// The gauge poller reads `mollifier:draining` cardinality on a cadence
+// and forwards it to `reportDrainingCount`. These tests pin the
+// observable contract: the gauge value is the buffer's count, transient
+// errors keep the last value, and the loop never blocks the main thread
+// (unref'd interval — verified implicitly because Vitest exits cleanly).
+describe("startMollifierDrainingGauge", () => {
+  beforeEach(() => {
+    reportDrainingCount.mockReset();
+    stopMollifierDrainingGauge();
+  });
+
+  afterEach(() => {
+    stopMollifierDrainingGauge();
+  });
+
+  it("fires an immediate poll on start so the gauge populates before the first scrape", async () => {
+    const buffer = { getDrainingCount: vi.fn().mockResolvedValue(7) } as any;
+    startMollifierDrainingGauge({
+      intervalMs: 100_000, // long — we're checking the immediate fire, not the interval
+      getBuffer: () => buffer,
+    });
+
+    // Wait one microtask tick so the eager poll resolves.
+    await new Promise((r) => setImmediate(r));
+    expect(reportDrainingCount).toHaveBeenCalledWith(7);
+    expect(buffer.getDrainingCount).toHaveBeenCalledTimes(1);
+  });
+
+  it("polls on the configured cadence", async () => {
+    const buffer = { getDrainingCount: vi.fn().mockResolvedValue(3) } as any;
+    startMollifierDrainingGauge({
+      intervalMs: 20,
+      getBuffer: () => buffer,
+    });
+
+    // Eager tick + at least one interval tick.
+    await new Promise((r) => setTimeout(r, 80));
+    expect(buffer.getDrainingCount.mock.calls.length).toBeGreaterThanOrEqual(2);
+    expect(reportDrainingCount).toHaveBeenCalledWith(3);
+  });
+
+  it("no-ops when the buffer singleton returns null (mollifier disabled)", async () => {
+    startMollifierDrainingGauge({
+      intervalMs: 20,
+      getBuffer: () => null,
+    });
+    await new Promise((r) => setTimeout(r, 60));
+    expect(reportDrainingCount).not.toHaveBeenCalled();
+  });
+
+  it("swallows a transient ZCARD failure so the loop keeps running", async () => {
+    let calls = 0;
+    const buffer = {
+      getDrainingCount: vi.fn(async () => {
+        calls += 1;
+        if (calls === 1) throw new Error("transient redis blip");
+        return 4;
+      }),
+    } as any;
+    startMollifierDrainingGauge({
+      intervalMs: 20,
+      getBuffer: () => buffer,
+    });
+
+    await new Promise((r) => setTimeout(r, 80));
+    // First call threw → no report. Second call succeeded → reported.
+    // The gauge keeps its previous value (stale-but-non-zero) between
+    // the failed poll and the next successful one — better than
+    // crashing the loop and going silent forever.
+    expect(reportDrainingCount).toHaveBeenCalledWith(4);
+    expect(buffer.getDrainingCount.mock.calls.length).toBeGreaterThanOrEqual(2);
+  });
+
+  it("is idempotent: a second start does not spawn a parallel loop", async () => {
+    const buffer = { getDrainingCount: vi.fn().mockResolvedValue(1) } as any;
+    startMollifierDrainingGauge({ intervalMs: 25, getBuffer: () => buffer });
+    startMollifierDrainingGauge({ intervalMs: 25, getBuffer: () => buffer });
+
+    await new Promise((r) => setTimeout(r, 90));
+    // One eager + a small number of interval ticks. Doubled-loop would
+    // produce ~2× the calls in the same window. Upper bound is generous
+    // for CI jitter; the property is "single loop", not exact count.
+    expect(buffer.getDrainingCount.mock.calls.length).toBeLessThan(8);
+  });
+
+  it("stop halts the polling loop", async () => {
+    const buffer = { getDrainingCount: vi.fn().mockResolvedValue(2) } as any;
+    startMollifierDrainingGauge({ intervalMs: 20, getBuffer: () => buffer });
+    await new Promise((r) => setTimeout(r, 50));
+    const callsAtStop = buffer.getDrainingCount.mock.calls.length;
+    stopMollifierDrainingGauge();
+
+    await new Promise((r) => setTimeout(r, 80));
+    expect(buffer.getDrainingCount.mock.calls.length).toBe(callsAtStop);
+  });
+});
diff --git a/apps/webapp/test/mollifierGate.test.ts b/apps/webapp/test/mollifierGate.test.ts
new file mode 100644
index 00000000000..5f3f28e668c
--- /dev/null
+++ b/apps/webapp/test/mollifierGate.test.ts
@@ -0,0 +1,556 @@
+import { describe, expect, it, vi } from "vitest";
+
+// Stub `~/db.server` before importing anything that transitively imports it.
+// The real module eagerly calls `prisma.$connect()` at singleton construction
+// (db.server.ts), so loading it under vitest tries to reach localhost:5432
+// and surfaces as an unhandled rejection that fails the whole shard — even
+// though no test in this file actually uses the default prisma client.
+vi.mock("~/db.server", () => ({
+  prisma: {},
+  $replica: {},
+}));
+
+import {
+  evaluateGate,
+  makeResolveMollifierFlag,
+  type GateDependencies,
+  type GateInputs,
+  type TripDecision,
+} from "~/v3/mollifier/mollifierGate.server";
+import type { DecisionOutcome, DecisionReason } from "~/v3/mollifier/mollifierTelemetry.server";
+
+// We deliberately don't use vi.fn here. Per repo policy tests shouldn't lean on
+// mock frameworks for behaviours that are pure functions of the inputs — the
+// gate is pure decision logic, so a hand-rolled "deps + spy log" wired with
+// plain closures gives exactly the assertions we need without the indirection.
+type Spies = {
+  evaluatorCalls: number;
+  logShadowCalls: Array<{ inputs: GateInputs; decision: Extract<TripDecision, { divert: true }> }>;
+  logMollifiedCalls: Array<{ inputs: GateInputs; decision: Extract<TripDecision, { divert: true }> }>;
+  recordDecisionCalls: Array<{
+    outcome: DecisionOutcome;
+    reason?: DecisionReason;
+    enrolled?: boolean;
+    orgId?: string;
+  }>;
+};
+
+type Toggles = {
+  enabled: boolean;
+  shadow: boolean;
+  flag: boolean;
+  decision: TripDecision;
+};
+
+function makeDeps(toggles: Toggles): { deps: GateDependencies; spies: Spies } {
+  const spies: Spies = {
+    evaluatorCalls: 0,
+    logShadowCalls: [],
+    logMollifiedCalls: [],
+    recordDecisionCalls: [],
+  };
+  const deps: GateDependencies = {
+    isMollifierEnabled: () => toggles.enabled,
+    isShadowModeOn: () => toggles.shadow,
+    resolveOrgFlag: async () => toggles.flag,
+    evaluator: async () => {
+      spies.evaluatorCalls += 1;
+      return toggles.decision;
+    },
+    logShadow: (inputs, decision) => {
+      spies.logShadowCalls.push({ inputs, decision });
+    },
+    logMollified: (inputs, decision) => {
+      spies.logMollifiedCalls.push({ inputs, decision });
+    },
+    recordDecision: (outcome, opts) => {
+      spies.recordDecisionCalls.push({
+        outcome,
+        reason: opts.reason,
+        enrolled: opts.enrolled,
+        orgId: opts.orgId,
+      });
+    },
+  };
+  return { deps, spies };
+}
+
+const trippedDecision = {
+  divert: true as const,
+  reason: "per_env_rate" as const,
+  count: 150,
+  threshold: 100,
+  windowMs: 200,
+  holdMs: 500,
+};
+
+const passDecision: TripDecision = { divert: false };
+
+const inputs: GateInputs = {
+  envId: "e1",
+  orgId: "o1",
+  taskId: "t1",
+  orgFeatureFlags: null,
+};
+
+// Cascade truth table. Every combination of (enabled, shadow, flag, divert) is
+// enumerated. `evaluatorCalls` is the expected count, not arbitrary: the gate
+// short-circuits before the evaluator if `!enabled` or (`!flag && !shadow`).
+// `expectedReason` is the optional second arg to `recordDecision` — only
+// divert-true paths attach a reason.
+type Row = {
+  id: number;
+  enabled: boolean;
+  shadow: boolean;
+  flag: boolean;
+  divert: boolean;
+  expected: {
+    action: "pass_through" | "shadow_log" | "mollify";
+    evaluatorCalls: 0 | 1;
+    logShadowCalls: 0 | 1;
+    logMollifiedCalls: 0 | 1;
+    recordedOutcome: "pass_through" | "shadow_log" | "mollify";
+    expectedReason: "per_env_rate" | undefined;
+  };
+};
+
+// 16 rows = 2^4 input combinations. Comment column shows which gate branch
+// each row exercises so reviewers can map row → code at a glance.
+const cascade: Row[] = [
+  // enabled=F → kill-switch wins; evaluator+flag never consulted (rows 1-8)
+  { id: 1, enabled: false, shadow: false, flag: false, divert: false, expected: { action: "pass_through", evaluatorCalls: 0, logShadowCalls: 0, logMollifiedCalls: 0, recordedOutcome: "pass_through", expectedReason: undefined } },
+  { id: 2, enabled: false, shadow: false, flag: false, divert: true,  expected: { action: "pass_through", evaluatorCalls: 0, logShadowCalls: 0, logMollifiedCalls: 0, recordedOutcome: "pass_through", expectedReason: undefined } },
+  { id: 3, enabled: false, shadow: false, flag: true,  divert: false, expected: { action: "pass_through", evaluatorCalls: 0, logShadowCalls: 0, logMollifiedCalls: 0, recordedOutcome: "pass_through", expectedReason: undefined } },
+  { id: 4, enabled: false, shadow: false, flag: true,  divert: true,  expected: { action: "pass_through", evaluatorCalls: 0, logShadowCalls: 0, logMollifiedCalls: 0, recordedOutcome: "pass_through", expectedReason: undefined } },
+  { id: 5, enabled: false, shadow: true,  flag: false, divert: false, expected: { action: "pass_through", evaluatorCalls: 0, logShadowCalls: 0, logMollifiedCalls: 0, recordedOutcome: "pass_through", expectedReason: undefined } },
+  { id: 6, enabled: false, shadow: true,  flag: false, divert: true,  expected: { action: "pass_through", evaluatorCalls: 0, logShadowCalls: 0, logMollifiedCalls: 0, recordedOutcome: "pass_through", expectedReason: undefined } },
+  { id: 7, enabled: false, shadow: true,  flag: true,  divert: false, expected: { action: "pass_through", evaluatorCalls: 0, logShadowCalls: 0, logMollifiedCalls: 0, recordedOutcome: "pass_through", expectedReason: undefined } },
+  { id: 8, enabled: false, shadow: true,  flag: true,  divert: true,  expected: { action: "pass_through", evaluatorCalls: 0, logShadowCalls: 0, logMollifiedCalls: 0, recordedOutcome: "pass_through", expectedReason: undefined } },
+  // enabled=T, flag=F, shadow=F → both opt-ins off; evaluator never called (rows 9-10)
+  { id: 9, enabled: true,  shadow: false, flag: false, divert: false, expected: { action: "pass_through", evaluatorCalls: 0, logShadowCalls: 0, logMollifiedCalls: 0, recordedOutcome: "pass_through", expectedReason: undefined } },
+  { id: 10, enabled: true, shadow: false, flag: false, divert: true,  expected: { action: "pass_through", evaluatorCalls: 0, logShadowCalls: 0, logMollifiedCalls: 0, recordedOutcome: "pass_through", expectedReason: undefined } },
+  // enabled=T, flag=F, shadow=T → shadow path; divert routes outcome (rows 11-12)
+  { id: 11, enabled: true, shadow: true,  flag: false, divert: false, expected: { action: "pass_through", evaluatorCalls: 1, logShadowCalls: 0, logMollifiedCalls: 0, recordedOutcome: "pass_through", expectedReason: undefined } },
+  { id: 12, enabled: true, shadow: true,  flag: false, divert: true,  expected: { action: "shadow_log",   evaluatorCalls: 1, logShadowCalls: 1, logMollifiedCalls: 0, recordedOutcome: "shadow_log",   expectedReason: "per_env_rate" } },
+  // enabled=T, flag=T, shadow=F → mollify path (rows 13-14)
+  { id: 13, enabled: true, shadow: false, flag: true,  divert: false, expected: { action: "pass_through", evaluatorCalls: 1, logShadowCalls: 0, logMollifiedCalls: 0, recordedOutcome: "pass_through", expectedReason: undefined } },
+  { id: 14, enabled: true, shadow: false, flag: true,  divert: true,  expected: { action: "mollify",      evaluatorCalls: 1, logShadowCalls: 0, logMollifiedCalls: 1, recordedOutcome: "mollify",      expectedReason: "per_env_rate" } },
+  // enabled=T, flag=T, shadow=T → flag wins over shadow (rows 15-16)
+  { id: 15, enabled: true, shadow: true,  flag: true,  divert: false, expected: { action: "pass_through", evaluatorCalls: 1, logShadowCalls: 0, logMollifiedCalls: 0, recordedOutcome: "pass_through", expectedReason: undefined } },
+  { id: 16, enabled: true, shadow: true,  flag: true,  divert: true,  expected: { action: "mollify",      evaluatorCalls: 1, logShadowCalls: 0, logMollifiedCalls: 1, recordedOutcome: "mollify",      expectedReason: "per_env_rate" } },
+];
+
+describe("evaluateGate cascade — exhaustive truth table", () => {
+  it.each(cascade)(
+    "row $id: enabled=$enabled shadow=$shadow flag=$flag divert=$divert → action=$expected.action",
+    async (row) => {
+      const { deps, spies } = makeDeps({
+        enabled: row.enabled,
+        shadow: row.shadow,
+        flag: row.flag,
+        decision: row.divert ? trippedDecision : passDecision,
+      });
+
+      const outcome = await evaluateGate(inputs, deps);
+
+      expect(outcome.action).toBe(row.expected.action);
+      expect(spies.evaluatorCalls).toBe(row.expected.evaluatorCalls);
+      expect(spies.logShadowCalls).toHaveLength(row.expected.logShadowCalls);
+      expect(spies.logMollifiedCalls).toHaveLength(row.expected.logMollifiedCalls);
+
+      // Every evaluation records exactly one decision.
+      expect(spies.recordDecisionCalls).toHaveLength(1);
+      expect(spies.recordDecisionCalls[0].outcome).toBe(row.expected.recordedOutcome);
+      expect(spies.recordDecisionCalls[0].reason).toBe(row.expected.expectedReason);
+      // enrolled label = the resolved per-org flag, now hoisted above the
+      // bypasses so it's set on every decision. orgId is always passed by the
+      // gate; the telemetry layer drops it for non-enrolled (covered in
+      // mollifierDecisionLabels.test.ts).
+      expect(spies.recordDecisionCalls[0].enrolled).toBe(row.flag);
+      expect(spies.recordDecisionCalls[0].orgId).toBe(inputs.orgId);
+    },
+  );
+
+  it("divert log carries the full decision (envId, orgId, taskId, reason, count, threshold, windowMs, holdMs)", async () => {
+    const { deps, spies } = makeDeps({
+      enabled: true,
+      shadow: true,
+      flag: false,
+      decision: trippedDecision,
+    });
+
+    await evaluateGate(inputs, deps);
+
+    expect(spies.logShadowCalls).toEqual([{ inputs, decision: trippedDecision }]);
+  });
+
+  it("mollify log carries the full decision (mirrors shadow log)", async () => {
+    const { deps, spies } = makeDeps({
+      enabled: true,
+      shadow: false,
+      flag: true,
+      decision: trippedDecision,
+    });
+
+    await evaluateGate(inputs, deps);
+
+    expect(spies.logMollifiedCalls).toEqual([{ inputs, decision: trippedDecision }]);
+  });
+});
+
+// Hot-path guard: `triggerTask.server.ts` calls `evaluateGate` on every
+// trigger when `TRIGGER_MOLLIFIER_ENABLED=1`. The per-org override path must resolve
+// without a Prisma round-trip — otherwise the gate adds a DB query to the
+// highest-throughput code path in the system (see apps/webapp/CLAUDE.md).
+describe("resolveMollifierFlag — hot path", () => {
+  it("returns the per-org override when it's set", async () => {
+    const resolve = makeResolveMollifierFlag();
+
+    const enabled = await resolve({
+      envId: "e",
+      orgId: "o",
+      taskId: "t",
+      orgFeatureFlags: { mollifierEnabled: true },
+    });
+    const disabled = await resolve({
+      envId: "e",
+      orgId: "o",
+      taskId: "t",
+      orgFeatureFlags: { mollifierEnabled: false },
+    });
+
+    expect(enabled).toBe(true);
+    expect(disabled).toBe(false);
+  });
+
+  it("returns false when the org has no override for the key — no DB query, ever", async () => {
+    // Regression intent: the resolver MUST NOT call `flag()` (which would
+    // query `FeatureFlag` via Prisma) on the trigger hot path. Per-org
+    // rollout via `Organization.featureFlags` JSON is the only enable
+    // path; the fleet-wide kill switch is `TRIGGER_MOLLIFIER_ENABLED`.
+    const resolve = makeResolveMollifierFlag();
+
+    const fromNull = await resolve({
+      envId: "e",
+      orgId: "o",
+      taskId: "t",
+      orgFeatureFlags: null,
+    });
+    const fromUnrelatedKeys = await resolve({
+      envId: "e",
+      orgId: "o",
+      taskId: "t",
+      orgFeatureFlags: { hasAiAccess: true },
+    });
+
+    expect(fromNull).toBe(false);
+    expect(fromUnrelatedKeys).toBe(false);
+  });
+});
+
+describe("evaluateGate — fail open on evaluator error", () => {
+  it("treats a throwing evaluator as no-divert (pass_through), and never blocks the trigger", async () => {
+    const spies: Spies = {
+      evaluatorCalls: 0,
+      logShadowCalls: [],
+      logMollifiedCalls: [],
+      recordDecisionCalls: [],
+    };
+    const deps: Partial<GateDependencies> = {
+      isMollifierEnabled: () => true,
+      isShadowModeOn: () => false,
+      resolveOrgFlag: async () => true,
+      evaluator: async () => {
+        spies.evaluatorCalls += 1;
+        throw new Error("simulated evaluator failure");
+      },
+      logShadow: (inputs, decision) => {
+        spies.logShadowCalls.push({ inputs, decision });
+      },
+      logMollified: (inputs, decision) => {
+        spies.logMollifiedCalls.push({ inputs, decision });
+      },
+      recordDecision: (outcome, opts) => {
+        spies.recordDecisionCalls.push({
+          outcome,
+          reason: opts.reason,
+          enrolled: opts.enrolled,
+          orgId: opts.orgId,
+        });
+      },
+    };
+
+    const outcome = await evaluateGate(inputs, deps);
+
+    expect(outcome.action).toBe("pass_through");
+    expect(spies.evaluatorCalls).toBe(1);
+    expect(spies.logMollifiedCalls).toHaveLength(0);
+    expect(spies.logShadowCalls).toHaveLength(0);
+    expect(spies.recordDecisionCalls).toHaveLength(1);
+    expect(spies.recordDecisionCalls[0]).toMatchObject({
+      outcome: "pass_through",
+      reason: undefined,
+      enrolled: true,
+      orgId: inputs.orgId,
+    });
+  });
+});
+
+describe("evaluateGate — fail open on resolveOrgFlag error", () => {
+  it("treats org flag as false when resolveOrgFlag throws, and does not block triggers", async () => {
+    const spies: Spies = {
+      evaluatorCalls: 0,
+      logShadowCalls: [],
+      logMollifiedCalls: [],
+      recordDecisionCalls: [],
+    };
+    const deps: Partial<GateDependencies> = {
+      isMollifierEnabled: () => true,
+      isShadowModeOn: () => false,
+      resolveOrgFlag: async () => {
+        throw new Error("simulated prisma timeout");
+      },
+      evaluator: async () => {
+        spies.evaluatorCalls += 1;
+        return trippedDecision;
+      },
+      logShadow: (inputs, decision) => {
+        spies.logShadowCalls.push({ inputs, decision });
+      },
+      logMollified: (inputs, decision) => {
+        spies.logMollifiedCalls.push({ inputs, decision });
+      },
+      recordDecision: (outcome, opts) => {
+        spies.recordDecisionCalls.push({
+          outcome,
+          reason: opts.reason,
+          enrolled: opts.enrolled,
+          orgId: opts.orgId,
+        });
+      },
+    };
+
+    const outcome = await evaluateGate(inputs, deps);
+
+    expect(outcome.action).toBe("pass_through");
+    expect(spies.evaluatorCalls).toBe(0);
+    expect(spies.recordDecisionCalls).toHaveLength(1);
+    expect(spies.recordDecisionCalls[0]).toMatchObject({
+      outcome: "pass_through",
+      reason: undefined,
+      enrolled: false,
+      orgId: inputs.orgId,
+    });
+  });
+});
+
+describe("evaluateGate — per-org isolation via Organization.featureFlags", () => {
+  function makeIsolationDeps(
+    resolveOrgFlag: GateDependencies["resolveOrgFlag"],
+  ): { deps: Partial<GateDependencies>; spies: Spies } {
+    const spies: Spies = {
+      evaluatorCalls: 0,
+      logShadowCalls: [],
+      logMollifiedCalls: [],
+      recordDecisionCalls: [],
+    };
+    // Override lifecycle bits and inject the production resolveOrgFlag.
+    // Evaluator returns a fixed tripped decision so the outcome is purely a
+    // function of the flag resolution (which is what we're isolating on).
+    const deps: Partial<GateDependencies> = {
+      isMollifierEnabled: () => true,
+      isShadowModeOn: () => false,
+      resolveOrgFlag,
+      evaluator: async () => {
+        spies.evaluatorCalls += 1;
+        return trippedDecision;
+      },
+      logShadow: (inputs, decision) => {
+        spies.logShadowCalls.push({ inputs, decision });
+      },
+      logMollified: (inputs, decision) => {
+        spies.logMollifiedCalls.push({ inputs, decision });
+      },
+      recordDecision: (outcome, opts) => {
+        spies.recordDecisionCalls.push({
+          outcome,
+          reason: opts.reason,
+          enrolled: opts.enrolled,
+          orgId: opts.orgId,
+        });
+      },
+    };
+    return { deps, spies };
+  }
+
+  // The production resolver — purely in-memory, no Prisma. Mirrors
+  // `defaultGateDependencies.resolveOrgFlag` exactly.
+  const resolve = makeResolveMollifierFlag();
+
+  it("opts in only the org whose featureFlags has mollifierEnabled=true", async () => {
+    const orgA = { ...inputs, orgId: "org_a", orgFeatureFlags: { mollifierEnabled: true } };
+    const orgB = { ...inputs, orgId: "org_b", orgFeatureFlags: { mollifierEnabled: false } };
+    const orgC = { ...inputs, orgId: "org_c", orgFeatureFlags: null };
+
+    const a = makeIsolationDeps(resolve);
+    const b = makeIsolationDeps(resolve);
+    const c = makeIsolationDeps(resolve);
+
+    const [outcomeA, outcomeB, outcomeC] = await Promise.all([
+      evaluateGate(orgA, a.deps),
+      evaluateGate(orgB, b.deps),
+      evaluateGate(orgC, c.deps),
+    ]);
+
+    // Only org A's flag is on → only org A mollifies. Orgs B and C never
+    // reach the evaluator because both flag and shadow-mode are off.
+    expect(outcomeA.action).toBe("mollify");
+    expect(outcomeB.action).toBe("pass_through");
+    expect(outcomeC.action).toBe("pass_through");
+
+    expect(a.spies.evaluatorCalls).toBe(1);
+    expect(b.spies.evaluatorCalls).toBe(0);
+    expect(c.spies.evaluatorCalls).toBe(0);
+
+    expect(a.spies.logMollifiedCalls).toHaveLength(1);
+    expect(b.spies.logMollifiedCalls).toHaveLength(0);
+    expect(c.spies.logMollifiedCalls).toHaveLength(0);
+  });
+
+  it("another org's beta flags must not opt them into mollifier", async () => {
+    // Org A has mollifier on (plus an unrelated beta).
+    const orgA = {
+      ...inputs,
+      orgId: "org_a",
+      orgFeatureFlags: { mollifierEnabled: true, hasComputeAccess: true },
+    };
+    // Org B has *other* betas on but mollifier remains off — keys that gate
+    // compute/AI/query must not bleed across into the mollifier decision.
+    const orgB = {
+      ...inputs,
+      orgId: "org_b",
+      orgFeatureFlags: { hasComputeAccess: true, hasAiAccess: true },
+    };
+
+    const a = makeIsolationDeps(resolve);
+    const b = makeIsolationDeps(resolve);
+
+    const outcomeA = await evaluateGate(orgA, a.deps);
+    const outcomeB = await evaluateGate(orgB, b.deps);
+
+    expect(outcomeA.action).toBe("mollify");
+    expect(outcomeB.action).toBe("pass_through");
+  });
+
+  it("orgs without an explicit override stay off — no global FeatureFlag fallback", async () => {
+    // Regression intent: the resolver MUST NOT consult the global
+    // `FeatureFlag` table on the hot path. An org with `orgFeatureFlags`
+    // unset (the default for almost every org during rollout) gets
+    // pass_through, period. The fleet-wide kill switch lives in
+    // `TRIGGER_MOLLIFIER_ENABLED`, not the FeatureFlag table.
+    const orgInherits = { ...inputs, orgId: "org_inherits", orgFeatureFlags: null };
+    const orgEmpty = { ...inputs, orgId: "org_empty", orgFeatureFlags: {} };
+    const orgUnrelated = {
+      ...inputs,
+      orgId: "org_unrelated",
+      orgFeatureFlags: { hasAiAccess: true },
+    };
+
+    const inheritsDeps = makeIsolationDeps(resolve);
+    const emptyDeps = makeIsolationDeps(resolve);
+    const unrelatedDeps = makeIsolationDeps(resolve);
+
+    const [outInherits, outEmpty, outUnrelated] = await Promise.all([
+      evaluateGate(orgInherits, inheritsDeps.deps),
+      evaluateGate(orgEmpty, emptyDeps.deps),
+      evaluateGate(orgUnrelated, unrelatedDeps.deps),
+    ]);
+
+    expect(outInherits.action).toBe("pass_through");
+    expect(outEmpty.action).toBe("pass_through");
+    expect(outUnrelated.action).toBe("pass_through");
+    // None of these reached the evaluator (flag off, shadow off).
+    expect(inheritsDeps.spies.evaluatorCalls).toBe(0);
+    expect(emptyDeps.spies.evaluatorCalls).toBe(0);
+    expect(unrelatedDeps.spies.evaluatorCalls).toBe(0);
+  });
+});
+
+// Bypasses: the three categories of trigger that the mollifier never
+// intercepts, regardless of the per-org flag or the trip-evaluator decision.
+describe("evaluateGate — debounce / OTU / triggerAndWait bypasses", () => {
+  it("debounce triggers pass through without invoking the evaluator", async () => {
+    const { deps, spies } = makeDeps({
+      enabled: true,
+      shadow: false,
+      flag: true,
+      decision: trippedDecision,
+    });
+    const outcome = await evaluateGate(
+      { ...inputs, options: { debounce: { key: "k" } } },
+      deps,
+    );
+    expect(outcome).toEqual({ action: "pass_through" });
+    expect(spies.evaluatorCalls).toBe(0);
+  });
+
+  it("oneTimeUseToken triggers pass through without invoking the evaluator", async () => {
+    const { deps, spies } = makeDeps({
+      enabled: true,
+      shadow: false,
+      flag: true,
+      decision: trippedDecision,
+    });
+    const outcome = await evaluateGate(
+      { ...inputs, options: { oneTimeUseToken: "jwt-otu" } },
+      deps,
+    );
+    expect(outcome).toEqual({ action: "pass_through" });
+    expect(spies.evaluatorCalls).toBe(0);
+  });
+
+  it("single triggerAndWait (parentTaskRunId + resumeParentOnCompletion) passes through", async () => {
+    const { deps, spies } = makeDeps({
+      enabled: true,
+      shadow: false,
+      flag: true,
+      decision: trippedDecision,
+    });
+    const outcome = await evaluateGate(
+      {
+        ...inputs,
+        options: { parentTaskRunId: "run_parent", resumeParentOnCompletion: true },
+      },
+      deps,
+    );
+    expect(outcome).toEqual({ action: "pass_through" });
+    expect(spies.evaluatorCalls).toBe(0);
+  });
+
+  it("parentTaskRunId alone (no resumeParentOnCompletion) does NOT bypass — must be both", async () => {
+    const { deps, spies } = makeDeps({
+      enabled: true,
+      shadow: false,
+      flag: true,
+      decision: trippedDecision,
+    });
+    const outcome = await evaluateGate(
+      { ...inputs, options: { parentTaskRunId: "run_parent" } },
+      deps,
+    );
+    expect(outcome.action).toBe("mollify");
+    expect(spies.evaluatorCalls).toBe(1);
+  });
+
+  it("bypass records pass_through decision (so observability counters stay accurate)", async () => {
+    const { deps, spies } = makeDeps({
+      enabled: true,
+      shadow: false,
+      flag: true,
+      decision: trippedDecision,
+    });
+    await evaluateGate({ ...inputs, options: { debounce: { key: "k" } } }, deps);
+    expect(spies.recordDecisionCalls).toHaveLength(1);
+    expect(spies.recordDecisionCalls[0].outcome).toBe("pass_through");
+  });
+});
diff --git a/apps/webapp/test/mollifierIdempotencyClaim.test.ts b/apps/webapp/test/mollifierIdempotencyClaim.test.ts
new file mode 100644
index 00000000000..87c009cb1f7
--- /dev/null
+++ b/apps/webapp/test/mollifierIdempotencyClaim.test.ts
@@ -0,0 +1,268 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+
+import {
+  claimOrAwait,
+  publishClaim,
+  releaseClaim,
+} from "~/v3/mollifier/idempotencyClaim.server";
+import type {
+  IdempotencyClaimResult,
+  MollifierBuffer,
+} from "@trigger.dev/redis-worker";
+
+type ClaimState = {
+  value: string | null;
+  // Scripted return sequence for claimIdempotency calls. When set,
+  // overrides the default behaviour of returning based on `value`.
+  scriptedClaims?: IdempotencyClaimResult[];
+};
+
+function makeBuffer(initial: ClaimState = { value: null }): {
+  buffer: MollifierBuffer;
+  state: ClaimState;
+} {
+  const state = { ...initial };
+  const buffer = {
+    claimIdempotency: vi.fn(async (): Promise<IdempotencyClaimResult> => {
+      if (state.scriptedClaims && state.scriptedClaims.length > 0) {
+        return state.scriptedClaims.shift()!;
+      }
+      if (state.value === null) {
+        state.value = "pending";
+        return { kind: "claimed" };
+      }
+      if (state.value === "pending") return { kind: "pending" };
+      return { kind: "resolved", runId: state.value };
+    }),
+    readClaim: vi.fn(async (): Promise<IdempotencyClaimResult | null> => {
+      if (state.value === null) return null;
+      if (state.value === "pending") return { kind: "pending" };
+      return { kind: "resolved", runId: state.value };
+    }),
+    publishClaim: vi.fn(async ({ runId }: { runId: string }) => {
+      state.value = runId;
+    }),
+    releaseClaim: vi.fn(async () => {
+      state.value = null;
+    }),
+  } as unknown as MollifierBuffer;
+  return { buffer, state };
+}
+
+const baseInput = {
+  envId: "env_a",
+  taskIdentifier: "my-task",
+  idempotencyKey: "k-1",
+};
+
+describe("claimOrAwait", () => {
+  it("returns 'claimed' for the first caller — empty key wins SETNX", async () => {
+    const { buffer } = makeBuffer({ value: null });
+    const outcome = await claimOrAwait({
+      ...baseInput,
+      buffer,
+      generateToken: () => "token-1",
+    });
+    expect(outcome).toEqual({ kind: "claimed", token: "token-1" });
+  });
+
+  it("returns 'resolved' immediately when the key already holds a runId", async () => {
+    const { buffer } = makeBuffer({ value: "run_X" });
+    const outcome = await claimOrAwait({ ...baseInput, buffer });
+    expect(outcome).toEqual({ kind: "resolved", runId: "run_X" });
+  });
+
+  it("polls a pending key, then resolves when the runId is published", async () => {
+    const { buffer, state } = makeBuffer({ value: "pending" });
+    let nowValue = 0;
+    let pollCount = 0;
+    const outcome = await claimOrAwait({
+      ...baseInput,
+      buffer,
+      now: () => nowValue,
+      sleep: async (ms) => {
+        nowValue += ms;
+        pollCount += 1;
+        if (pollCount === 3) state.value = "run_X";
+      },
+      safetyNetMs: 1000,
+      pollStepMs: 25,
+    });
+    expect(outcome).toEqual({ kind: "resolved", runId: "run_X" });
+  });
+
+  it("returns 'timed_out' when the key stays pending past safetyNetMs", async () => {
+    const { buffer } = makeBuffer({ value: "pending" });
+    let nowValue = 0;
+    const outcome = await claimOrAwait({
+      ...baseInput,
+      buffer,
+      now: () => nowValue,
+      sleep: async (ms) => {
+        nowValue += ms;
+      },
+      safetyNetMs: 50,
+      pollStepMs: 25,
+    });
+    expect(outcome).toEqual({ kind: "timed_out" });
+  });
+
+  it("retries the claim when a polled key vanishes (claimant released)", async () => {
+    const { buffer, state } = makeBuffer({ value: "pending" });
+    let nowValue = 0;
+    let pollCount = 0;
+    // Scripted retry: on the second `claimIdempotency` call we win.
+    state.scriptedClaims = [
+      { kind: "pending" }, // first call (initial)
+      { kind: "claimed" }, // second call (retry after release)
+    ];
+    const outcome = await claimOrAwait({
+      ...baseInput,
+      buffer,
+      generateToken: () => "token-retry",
+      now: () => nowValue,
+      sleep: async (ms) => {
+        nowValue += ms;
+        pollCount += 1;
+        // First poll cycle: key vanishes (release).
+        if (pollCount === 1) state.value = null;
+      },
+      safetyNetMs: 1000,
+      pollStepMs: 25,
+    });
+    expect(outcome).toEqual({ kind: "claimed", token: "token-retry" });
+  });
+
+  it("fails open with 'claimed' when buffer is null (mollifier disabled)", async () => {
+    const outcome = await claimOrAwait({
+      ...baseInput,
+      buffer: null,
+      generateToken: () => "token-fallopen-null",
+    });
+    expect(outcome).toEqual({ kind: "claimed", token: "token-fallopen-null" });
+  });
+
+  it("fails open with 'claimed' if buffer.claimIdempotency throws (Redis down)", async () => {
+    const buffer = {
+      claimIdempotency: vi.fn(async () => {
+        throw new Error("ECONNREFUSED");
+      }),
+    } as unknown as MollifierBuffer;
+    const outcome = await claimOrAwait({
+      ...baseInput,
+      buffer,
+      generateToken: () => "token-fallopen-throw",
+    });
+    expect(outcome).toEqual({ kind: "claimed", token: "token-fallopen-throw" });
+  });
+
+  it("respects an aborted signal during the wait loop", async () => {
+    const { buffer } = makeBuffer({ value: "pending" });
+    const controller = new AbortController();
+    let nowValue = 0;
+    let pollCount = 0;
+    const outcome = await claimOrAwait({
+      ...baseInput,
+      buffer,
+      now: () => nowValue,
+      sleep: async (ms) => {
+        nowValue += ms;
+        pollCount += 1;
+        if (pollCount === 1) controller.abort();
+      },
+      abortSignal: controller.signal,
+      safetyNetMs: 5000,
+      pollStepMs: 25,
+    });
+    expect(outcome).toEqual({ kind: "timed_out" });
+  });
+});
+
+describe("publishClaim", () => {
+  it("writes the runId to the claim key", async () => {
+    const { buffer, state } = makeBuffer({ value: "pending" });
+    await publishClaim({ ...baseInput, token: "owner-token", runId: "run_X", buffer });
+    expect(state.value).toBe("run_X");
+    expect(buffer.publishClaim).toHaveBeenCalledOnce();
+  });
+
+  it("no-op when buffer is null", async () => {
+    await expect(
+      publishClaim({ ...baseInput, token: "owner-token", runId: "run_X", buffer: null }),
+    ).resolves.toBeUndefined();
+  });
+
+  it("swallows errors so trigger pipeline isn't broken by Redis hiccups", async () => {
+    const buffer = {
+      publishClaim: vi.fn(async () => {
+        throw new Error("ECONNREFUSED");
+      }),
+    } as unknown as MollifierBuffer;
+    await expect(
+      publishClaim({ ...baseInput, token: "owner-token", runId: "run_X", buffer }),
+    ).resolves.toBeUndefined();
+  });
+});
+
+describe("releaseClaim", () => {
+  it("DELs the claim so waiters can re-acquire", async () => {
+    const { buffer, state } = makeBuffer({ value: "pending" });
+    await releaseClaim({ ...baseInput, token: "owner-token", buffer });
+    expect(state.value).toBeNull();
+  });
+
+  it("no-op when buffer is null", async () => {
+    await expect(releaseClaim({ ...baseInput, token: "owner-token", buffer: null })).resolves.toBeUndefined();
+  });
+});
+
+// End-to-end: the token from `claimOrAwait`'s `claimed` outcome must
+// reach `buffer.claimIdempotency` and round-trip through publishClaim /
+// releaseClaim. Without this the compare-and-act ownership protection
+// in the buffer is bypassed and the stale-claimant hazard returns.
+describe("claim ownership token wiring", () => {
+  it("threads the token from claimOrAwait into buffer.claimIdempotency", async () => {
+    const { buffer } = makeBuffer({ value: null });
+    const outcome = await claimOrAwait({
+      ...baseInput,
+      buffer,
+      generateToken: () => "owner-token-xyz",
+    });
+    expect(outcome).toEqual({ kind: "claimed", token: "owner-token-xyz" });
+    expect(buffer.claimIdempotency).toHaveBeenCalledWith({
+      ...baseInput,
+      token: "owner-token-xyz",
+      ttlSeconds: 30,
+    });
+  });
+
+  it("threads the token from publishClaim into buffer.publishClaim", async () => {
+    const { buffer } = makeBuffer({ value: "pending" });
+    await publishClaim({
+      ...baseInput,
+      token: "owner-token-xyz",
+      runId: "run_X",
+      buffer,
+    });
+    expect(buffer.publishClaim).toHaveBeenCalledWith(
+      expect.objectContaining({
+        token: "owner-token-xyz",
+        runId: "run_X",
+      }),
+    );
+  });
+
+  it("threads the token from releaseClaim into buffer.releaseClaim", async () => {
+    const { buffer } = makeBuffer({ value: "pending" });
+    await releaseClaim({
+      ...baseInput,
+      token: "owner-token-xyz",
+      buffer,
+    });
+    expect(buffer.releaseClaim).toHaveBeenCalledWith(
+      expect.objectContaining({ token: "owner-token-xyz" }),
+    );
+  });
+});
diff --git a/apps/webapp/test/mollifierMollify.test.ts b/apps/webapp/test/mollifierMollify.test.ts
new file mode 100644
index 00000000000..ec7a30b49c2
--- /dev/null
+++ b/apps/webapp/test/mollifierMollify.test.ts
@@ -0,0 +1,133 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({
+  prisma: {},
+  $replica: {},
+}));
+
+import { mollifyTrigger } from "~/v3/mollifier/mollifierMollify.server";
+import { RunId } from "@trigger.dev/core/v3/isomorphic";
+import type { MollifierBuffer } from "@trigger.dev/redis-worker";
+
+function fakeBuffer(
+  acceptResult: Awaited<ReturnType<MollifierBuffer["accept"]>> = { kind: "accepted" },
+): { buffer: MollifierBuffer; accept: ReturnType<typeof vi.fn> } {
+  const accept = vi.fn(async () => acceptResult);
+  return {
+    buffer: { accept } as unknown as MollifierBuffer,
+    accept,
+  };
+}
+
+describe("mollifyTrigger", () => {
+  it("writes the snapshot to buffer and returns synthesised result", async () => {
+    const { buffer, accept } = fakeBuffer();
+    const result = await mollifyTrigger({
+      runFriendlyId: "run_abc123def456",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      engineTriggerInput: { taskIdentifier: "my-task", payload: '{"x":1}' },
+      decision: {
+        divert: true,
+        reason: "per_env_rate",
+        count: 150,
+        threshold: 100,
+      },
+      buffer,
+    });
+
+    expect(accept).toHaveBeenCalledOnce();
+    expect(accept).toHaveBeenCalledWith({
+      runId: "run_abc123def456",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: expect.any(String),
+      idempotencyKey: undefined,
+      taskIdentifier: undefined,
+    });
+    expect(result.run.friendlyId).toBe("run_abc123def456");
+    expect(result.error).toBeUndefined();
+    expect(result.isCached).toBe(false);
+    expect(result.notice).toEqual({
+      code: "mollifier.queued",
+      message: expect.stringContaining("burst buffer"),
+      docs: expect.stringContaining("trigger.dev/docs"),
+    });
+  });
+
+  it("echoes the winner's runId with isCached=true on duplicate_idempotency", async () => {
+    const { buffer } = fakeBuffer({
+      kind: "duplicate_idempotency",
+      existingRunId: "run_winner12345",
+    });
+    const result = await mollifyTrigger({
+      runFriendlyId: "run_loser56789a",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      engineTriggerInput: { taskIdentifier: "t", payload: "{}" },
+      decision: { divert: true, reason: "per_env_rate", count: 1, threshold: 1 },
+      buffer,
+      idempotencyKey: "key",
+      taskIdentifier: "t",
+    });
+    expect(result.run.friendlyId).toBe("run_winner12345");
+    expect(result.isCached).toBe(true);
+    expect(result.notice).toBeUndefined();
+  });
+
+  // Regression: the synthetic result MUST carry a populated `run.id`
+  // derived from the friendlyId. Without it, the route handler's
+  // `saveRequestIdempotency(…, result.run.id)` stores `undefined` as
+  // the cached entity id, and on SDK retry Prisma's
+  // `findFirst({ where: { id: undefined } })` silently drops the
+  // predicate and returns an arbitrary TaskRun — a cross-tenant leak
+  // path. (See Devin review on PR #3753.)
+  it("populates run.id from friendlyId on the happy-accept path", async () => {
+    const { buffer } = fakeBuffer();
+    const result = await mollifyTrigger({
+      runFriendlyId: "run_pri456789ab",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      engineTriggerInput: { taskIdentifier: "t", payload: "{}" },
+      decision: { divert: true, reason: "per_env_rate", count: 1, threshold: 1 },
+      buffer,
+    });
+    expect(result.run.id).toBe(RunId.fromFriendlyId("run_pri456789ab"));
+    expect(result.run.id).toMatch(/^[a-z0-9]+$/); // non-undefined, non-empty
+  });
+
+  it("populates run.id from the WINNER's friendlyId on duplicate_idempotency", async () => {
+    const { buffer } = fakeBuffer({
+      kind: "duplicate_idempotency",
+      existingRunId: "run_winnerdup12",
+    });
+    const result = await mollifyTrigger({
+      runFriendlyId: "run_loser56789a",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      engineTriggerInput: { taskIdentifier: "t", payload: "{}" },
+      decision: { divert: true, reason: "per_env_rate", count: 1, threshold: 1 },
+      buffer,
+      idempotencyKey: "key",
+      taskIdentifier: "t",
+    });
+    expect(result.run.id).toBe(RunId.fromFriendlyId("run_winnerdup12"));
+    expect(result.run.id).not.toBe(RunId.fromFriendlyId("run_loser56789a"));
+  });
+
+  it("snapshot is round-trippable: payload field is parseable JSON of engineTriggerInput", async () => {
+    const { buffer, accept } = fakeBuffer();
+    const engineInput = { taskIdentifier: "t", payload: "{}", tags: ["a", "b"] };
+    await mollifyTrigger({
+      runFriendlyId: "run_xabcde12345",
+      environmentId: "env_a",
+      organizationId: "org_1",
+      engineTriggerInput: engineInput,
+      decision: { divert: true, reason: "per_env_rate", count: 1, threshold: 1 },
+      buffer,
+    });
+
+    const callArg = accept.mock.calls[0][0] as { payload: string };
+    expect(JSON.parse(callArg.payload)).toEqual(engineInput);
+  });
+});
diff --git a/apps/webapp/test/mollifierMutateWithFallback.test.ts b/apps/webapp/test/mollifierMutateWithFallback.test.ts
new file mode 100644
index 00000000000..1102229f568
--- /dev/null
+++ b/apps/webapp/test/mollifierMutateWithFallback.test.ts
@@ -0,0 +1,481 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({
+  prisma: { taskRun: { findFirst: vi.fn(async () => null) } },
+  $replica: { taskRun: { findFirst: vi.fn(async () => null) } },
+}));
+
+import { mutateWithFallback } from "~/v3/mollifier/mutateWithFallback.server";
+import type {
+  BufferEntry,
+  MollifierBuffer,
+  MutateSnapshotResult,
+} from "@trigger.dev/redis-worker";
+import type { TaskRun } from "@trigger.dev/database";
+
+type FindFirst = ReturnType<typeof vi.fn>;
+type PrismaStub = { taskRun: { findFirst: FindFirst } };
+
+function fakePrisma(rows: Array<TaskRun | null>): PrismaStub {
+  const fn = vi.fn();
+  for (const r of rows) fn.mockResolvedValueOnce(r);
+  fn.mockResolvedValue(null);
+  return { taskRun: { findFirst: fn } };
+}
+
+// Env-matching entry returned by the env-pre-check getEntry call that
+// mutateWithFallback now does before any buffer write (cross-env auth
+// gate). Same envId/orgId as `baseInput` so the check passes and the
+// flow under test proceeds to mutateSnapshot.
+const preCheckEntry = (): BufferEntry =>
+  ({
+    envId: "env_a",
+    orgId: "org_1",
+    status: "QUEUED",
+    materialised: false,
+  }) as unknown as BufferEntry;
+
+function bufferReturning(result: MutateSnapshotResult): MollifierBuffer {
+  const getEntry = vi.fn(async () => preCheckEntry());
+  return {
+    mutateSnapshot: vi.fn(async () => result),
+    getEntry,
+  } as unknown as MollifierBuffer;
+}
+
+// Buffer whose mutateSnapshot returns "busy" and whose getEntry walks a
+// scripted sequence of entry states. The pre-check getEntry call (one
+// extra read before the busy-wait loop, used for env authorization)
+// consumes the first scripted result, then the busy-wait loop pops the
+// remainder; the last element repeats once the sequence is exhausted.
+function bufferBusy(entries: Array<BufferEntry | null>): MollifierBuffer {
+  const getEntry = vi.fn();
+  // Pre-check consumes one entry. Use a QUEUED env-matching entry so
+  // the env-check passes and the flow reaches mutateSnapshot (which
+  // returns "busy") and enters the wait-loop.
+  getEntry.mockResolvedValueOnce(preCheckEntry());
+  for (const e of entries) getEntry.mockResolvedValueOnce(e);
+  getEntry.mockResolvedValue(entries.length ? entries[entries.length - 1] : null);
+  return {
+    mutateSnapshot: vi.fn(async () => "busy" as const),
+    getEntry,
+  } as unknown as MollifierBuffer;
+}
+
+const entryDraining = (): BufferEntry =>
+  ({
+    envId: "env_a",
+    orgId: "org_1",
+    status: "DRAINING",
+    materialised: false,
+  }) as unknown as BufferEntry;
+const entryQueued = (): BufferEntry =>
+  ({
+    envId: "env_a",
+    orgId: "org_1",
+    status: "QUEUED",
+    materialised: false,
+  }) as unknown as BufferEntry;
+const entryMaterialised = (): BufferEntry =>
+  ({
+    envId: "env_a",
+    orgId: "org_1",
+    status: "DRAINING",
+    materialised: true,
+  }) as unknown as BufferEntry;
+
+const fakeRun = (overrides: Partial<TaskRun> = {}): TaskRun =>
+  ({
+    id: "pg_id",
+    friendlyId: "run_1",
+    runtimeEnvironmentId: "env_a",
+    ...overrides,
+  }) as TaskRun;
+
+const baseInput = {
+  runId: "run_1",
+  environmentId: "env_a",
+  organizationId: "org_1",
+  bufferPatch: { type: "append_tags" as const, tags: ["x"] },
+};
+
+describe("mutateWithFallback", () => {
+  it("hits replica → calls pgMutation, returns pg outcome", async () => {
+    const row = fakeRun();
+    const pgMutation = vi.fn(async () => "pg-response");
+    const synthesisedResponse = vi.fn(() => "snapshot-response");
+
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation,
+      synthesisedResponse,
+      prismaReplica: fakePrisma([row]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: fakePrisma([]) as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => bufferReturning("applied_to_snapshot"),
+    });
+
+    expect(result).toEqual({ kind: "pg", response: "pg-response" });
+    expect(pgMutation).toHaveBeenCalledWith(row);
+    expect(synthesisedResponse).not.toHaveBeenCalled();
+  });
+
+  it("replica miss + buffer applied_to_snapshot → synthesisedResponse", async () => {
+    const pgMutation = vi.fn(async () => "pg");
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation,
+      synthesisedResponse: () => "snap",
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: fakePrisma([]) as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => bufferReturning("applied_to_snapshot"),
+    });
+    expect(result).toEqual({ kind: "snapshot", response: "snap" });
+    expect(pgMutation).not.toHaveBeenCalled();
+  });
+
+  it("applied_to_snapshot forwards the pre-mutation entry to synthesisedResponse (lets callers dedup)", async () => {
+    // The tags route uses this to compute the same post-dedup count
+    // the PG path reports, without an extra Redis round-trip.
+    const synthesised = vi.fn(({ bufferEntry }: { bufferEntry: BufferEntry | null }) => {
+      // Caller can inspect bufferEntry.payload (or other fields) to
+      // produce a response that depends on the prior snapshot state.
+      return bufferEntry ? "snap-with-entry" : "snap-without-entry";
+    });
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation: async () => "pg",
+      synthesisedResponse: synthesised,
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: fakePrisma([]) as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => bufferReturning("applied_to_snapshot"),
+    });
+    expect(result).toEqual({ kind: "snapshot", response: "snap-with-entry" });
+    expect(synthesised).toHaveBeenCalledTimes(1);
+    const ctx = synthesised.mock.calls[0]?.[0];
+    expect(ctx?.bufferEntry).not.toBeNull();
+    // The pre-check entry has the env-matching shape set up by
+    // bufferReturning() / preCheckEntry().
+    expect(ctx?.bufferEntry?.envId).toBe("env_a");
+    expect(ctx?.bufferEntry?.orgId).toBe("org_1");
+  });
+
+  // Symmetric writer-fallback in the `!buffer` short-circuit. Without
+  // this, mollifier-disabled deployments (or boot-time buffer init
+  // failures) would regress the pre-PR mutation routes — those read
+  // from the writer directly, so a fresh PG row was always visible.
+  // The replica offload introduced here moves the read to the lagging
+  // follower; if the buffer isn't available to disambiguate, we still
+  // probe the writer before returning 404.
+  it("replica miss + !buffer + writer hit → pgMutation (mollifier-disabled mode recovery)", async () => {
+    const row = fakeRun({ friendlyId: "run_1" });
+    const pgMutation = vi.fn(async () => "pg-recovered-no-buffer");
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation,
+      synthesisedResponse: () => "snap",
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: fakePrisma([row]) as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => null,
+    });
+    expect(result).toEqual({ kind: "pg", response: "pg-recovered-no-buffer" });
+    expect(pgMutation).toHaveBeenCalledWith(row);
+  });
+
+  it("replica miss + !buffer + writer miss → not_found (genuine 404 in mollifier-disabled mode)", async () => {
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation: async () => "pg",
+      synthesisedResponse: () => "snap",
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: fakePrisma([null]) as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => null,
+    });
+    expect(result).toEqual({ kind: "not_found" });
+  });
+
+  it("replica miss + buffer not_found + writer miss → not_found", async () => {
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation: async () => "pg",
+      synthesisedResponse: () => "snap",
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: fakePrisma([null]) as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => bufferReturning("not_found"),
+    });
+    expect(result).toEqual({ kind: "not_found" });
+  });
+
+  it("replica miss + buffer not_found + writer hit → pgMutation (replica-lag recovery)", async () => {
+    const row = fakeRun({ friendlyId: "run_1" });
+    const pgMutation = vi.fn(async () => "pg-recovered");
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation,
+      synthesisedResponse: () => "snap",
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: fakePrisma([row]) as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => bufferReturning("not_found"),
+    });
+    expect(result).toEqual({ kind: "pg", response: "pg-recovered" });
+    expect(pgMutation).toHaveBeenCalledWith(row);
+  });
+
+  it("busy → watches buffer through DRAINING, materialises, hits primary exactly once", async () => {
+    const row = fakeRun();
+    const pgMutation = vi.fn(async () => "pg-after-wait");
+    // Writer is read ONCE, only after the buffer reports materialised.
+    const writer = fakePrisma([row]);
+    const buffer = bufferBusy([entryDraining(), entryDraining(), entryMaterialised()]);
+    let nowValue = 0;
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation,
+      synthesisedResponse: () => "snap",
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: writer as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => buffer,
+      sleep: async (ms) => {
+        nowValue += ms;
+      },
+      now: () => nowValue,
+      safetyNetMs: 2000,
+      pollStepMs: 20,
+      random: () => 0,
+    });
+    expect(result).toEqual({ kind: "pg", response: "pg-after-wait" });
+    expect(pgMutation).toHaveBeenCalledWith(row);
+    // One env-pre-check call + 3 busy-wait polls = 4 getEntry reads;
+    // primary read exactly once.
+    expect(buffer.getEntry).toHaveBeenCalledTimes(4);
+    expect(writer.taskRun.findFirst).toHaveBeenCalledTimes(1);
+  });
+
+  it("busy → entry deleted by terminal fail, writer finds SYSTEM_FAILURE row → pgMutation", async () => {
+    const row = fakeRun();
+    const pgMutation = vi.fn(async () => "pg-failed-row");
+    const writer = fakePrisma([row]);
+    const buffer = bufferBusy([entryDraining(), null]);
+    let nowValue = 0;
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation,
+      synthesisedResponse: () => "snap",
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: writer as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => buffer,
+      sleep: async (ms) => {
+        nowValue += ms;
+      },
+      now: () => nowValue,
+      safetyNetMs: 2000,
+      pollStepMs: 20,
+      random: () => 0,
+    });
+    expect(result).toEqual({ kind: "pg", response: "pg-failed-row" });
+    expect(writer.taskRun.findFirst).toHaveBeenCalledTimes(1);
+  });
+
+  it("busy → entry deleted but no PG row (terminal write failed) → not_found", async () => {
+    const buffer = bufferBusy([null]);
+    const writer = fakePrisma([null]);
+    let nowValue = 0;
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation: async () => "pg",
+      synthesisedResponse: () => "snap",
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: writer as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => buffer,
+      sleep: async (ms) => {
+        nowValue += ms;
+      },
+      now: () => nowValue,
+      safetyNetMs: 2000,
+      pollStepMs: 20,
+      random: () => 0,
+    });
+    expect(result).toEqual({ kind: "not_found" });
+    expect(writer.taskRun.findFirst).toHaveBeenCalledTimes(1);
+  });
+
+  it("busy → requeued (back to QUEUED) then materialises; doesn't resolve early", async () => {
+    const row = fakeRun();
+    const pgMutation = vi.fn(async () => "pg-after-requeue");
+    const writer = fakePrisma([row]);
+    // QUEUED (requeued after a retryable drain error) must NOT be treated
+    // as "done" — the run hasn't reached PG. Only the later materialise does.
+    const buffer = bufferBusy([entryQueued(), entryDraining(), entryMaterialised()]);
+    let nowValue = 0;
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation,
+      synthesisedResponse: () => "snap",
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: writer as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => buffer,
+      sleep: async (ms) => {
+        nowValue += ms;
+      },
+      now: () => nowValue,
+      safetyNetMs: 2000,
+      pollStepMs: 20,
+      random: () => 0,
+    });
+    expect(result).toEqual({ kind: "pg", response: "pg-after-requeue" });
+    // One env-pre-check + 3 busy-wait polls.
+    expect(buffer.getEntry).toHaveBeenCalledTimes(4);
+    expect(writer.taskRun.findFirst).toHaveBeenCalledTimes(1);
+  });
+
+  it("busy → drainer never resolves (stays DRAINING) → timed_out, primary never touched", async () => {
+    const writer = fakePrisma([]);
+    const buffer = bufferBusy([entryDraining()]);
+    let nowValue = 0;
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation: async () => "pg",
+      synthesisedResponse: () => "snap",
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: writer as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => buffer,
+      sleep: async (ms) => {
+        nowValue += ms;
+      },
+      now: () => nowValue,
+      safetyNetMs: 100,
+      pollStepMs: 20,
+      random: () => 0,
+    });
+    expect(result).toEqual({ kind: "timed_out" });
+    // The whole point: while the run is still draining we never read the primary.
+    expect(writer.taskRun.findFirst).toHaveBeenCalledTimes(0);
+  });
+
+  it("abort signal during wait → timed_out without further polls", async () => {
+    const writer = fakePrisma([]);
+    const buffer = bufferBusy([entryDraining(), entryDraining()]);
+    const controller = new AbortController();
+    let nowValue = 0;
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation: async () => "pg",
+      synthesisedResponse: () => "snap",
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: writer as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => buffer,
+      sleep: async (ms) => {
+        nowValue += ms;
+        controller.abort();
+      },
+      now: () => nowValue,
+      safetyNetMs: 2000,
+      pollStepMs: 20,
+      random: () => 0,
+      abortSignal: controller.signal,
+    });
+    expect(result).toEqual({ kind: "timed_out" });
+    // One env-pre-check + one busy-wait poll before sleep+abort; primary untouched.
+    expect(buffer.getEntry).toHaveBeenCalledTimes(2);
+    expect(writer.taskRun.findFirst).toHaveBeenCalledTimes(0);
+  });
+
+  it("replica miss + buffer limit_exceeded → rejected via rejectedResponse builder", async () => {
+    const pgMutation = vi.fn(async () => "pg");
+    const synthesisedResponse = vi.fn(() => "snap");
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation,
+      synthesisedResponse,
+      rejectedResponse: () => "too-many-tags",
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: fakePrisma([]) as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => bufferReturning("limit_exceeded"),
+    });
+    expect(result).toEqual({ kind: "rejected", response: "too-many-tags" });
+    expect(pgMutation).not.toHaveBeenCalled();
+    expect(synthesisedResponse).not.toHaveBeenCalled();
+  });
+
+  it("buffer limit_exceeded without a rejectedResponse builder → throws (programmer error)", async () => {
+    await expect(
+      mutateWithFallback({
+        ...baseInput,
+        pgMutation: async () => "pg",
+        synthesisedResponse: () => "snap",
+        prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+        prismaWriter: fakePrisma([]) as unknown as typeof import("~/db.server").prisma,
+        getBuffer: () => bufferReturning("limit_exceeded"),
+      })
+    ).rejects.toThrow(/limit_exceeded/);
+  });
+
+  it("replica miss + buffer entry belongs to a different env → not_found (cross-env auth gate)", async () => {
+    // Same flow as the applied_to_snapshot test, except the entry's
+    // envId doesn't match input.environmentId. mutateWithFallback must
+    // refuse the write and return not_found (without leaking that the
+    // runId exists in another env), and must NOT call mutateSnapshot.
+    const crossEnvEntry: BufferEntry = {
+      envId: "env_OTHER",
+      orgId: "org_1",
+      status: "QUEUED",
+      materialised: false,
+    } as unknown as BufferEntry;
+    const mutateSnapshot = vi.fn(async () => "applied_to_snapshot" as const);
+    const buffer = {
+      mutateSnapshot,
+      getEntry: vi.fn(async () => crossEnvEntry),
+    } as unknown as MollifierBuffer;
+
+    const pgMutation = vi.fn(async () => "pg");
+    const synthesisedResponse = vi.fn(() => "snap");
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation,
+      synthesisedResponse,
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: fakePrisma([]) as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => buffer,
+    });
+    expect(result).toEqual({ kind: "not_found" });
+    expect(mutateSnapshot).not.toHaveBeenCalled();
+    expect(pgMutation).not.toHaveBeenCalled();
+    expect(synthesisedResponse).not.toHaveBeenCalled();
+  });
+
+  it("replica miss + buffer entry belongs to a different org → not_found (cross-org auth gate)", async () => {
+    const crossOrgEntry: BufferEntry = {
+      envId: "env_a",
+      orgId: "org_OTHER",
+      status: "QUEUED",
+      materialised: false,
+    } as unknown as BufferEntry;
+    const mutateSnapshot = vi.fn(async () => "applied_to_snapshot" as const);
+    const buffer = {
+      mutateSnapshot,
+      getEntry: vi.fn(async () => crossOrgEntry),
+    } as unknown as MollifierBuffer;
+
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation: async () => "pg",
+      synthesisedResponse: () => "snap",
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: fakePrisma([]) as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => buffer,
+    });
+    expect(result).toEqual({ kind: "not_found" });
+    expect(mutateSnapshot).not.toHaveBeenCalled();
+  });
+
+  it("buffer is null (mollifier disabled) → not_found after replica miss", async () => {
+    const result = await mutateWithFallback({
+      ...baseInput,
+      pgMutation: async () => "pg",
+      synthesisedResponse: () => "snap",
+      prismaReplica: fakePrisma([null]) as unknown as typeof import("~/db.server").$replica,
+      prismaWriter: fakePrisma([]) as unknown as typeof import("~/db.server").prisma,
+      getBuffer: () => null,
+    });
+    expect(result).toEqual({ kind: "not_found" });
+  });
+});
diff --git a/apps/webapp/test/mollifierReadFallback.test.ts b/apps/webapp/test/mollifierReadFallback.test.ts
new file mode 100644
index 00000000000..feef6a420ad
--- /dev/null
+++ b/apps/webapp/test/mollifierReadFallback.test.ts
@@ -0,0 +1,535 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({
+  prisma: {},
+  $replica: {},
+}));
+
+import { findRunByIdWithMollifierFallback } from "~/v3/mollifier/readFallback.server";
+import type { MollifierBuffer, BufferEntry } from "@trigger.dev/redis-worker";
+import { RunId } from "@trigger.dev/core/v3/isomorphic";
+
+function fakeBuffer(entry: BufferEntry | null): MollifierBuffer {
+  return {
+    getEntry: vi.fn(async () => entry),
+  } as unknown as MollifierBuffer;
+}
+
+const NOW = new Date("2026-05-11T12:00:00Z");
+
+describe("findRunByIdWithMollifierFallback", () => {
+  it("returns null when buffer is unavailable (mollifier disabled)", async () => {
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => null },
+    );
+    expect(result).toBeNull();
+  });
+
+  it("returns null when no buffer entry exists", async () => {
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(null) },
+    );
+    expect(result).toBeNull();
+  });
+
+  it("returns null when buffer entry envId does not match caller (auth mismatch)", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_OTHER",
+      orgId: "org_1",
+      payload: JSON.stringify({ taskIdentifier: "t" }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result).toBeNull();
+  });
+
+  it("returns null when buffer entry orgId does not match caller (auth mismatch)", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_OTHER",
+      payload: JSON.stringify({ taskIdentifier: "t" }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result).toBeNull();
+  });
+
+  it("returns synthesised QUEUED run when entry exists with matching auth", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({ taskIdentifier: "my-task" }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result).not.toBeNull();
+    expect(result!.friendlyId).toBe("run_1");
+    expect(result!.status).toBe("QUEUED");
+    expect(result!.taskIdentifier).toBe("my-task");
+    expect(result!.createdAt).toEqual(NOW);
+  });
+
+  it("returns synthesised QUEUED for DRAINING (internal state same externally)", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({ taskIdentifier: "t" }),
+      status: "DRAINING",
+      attempts: 1,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result!.status).toBe("QUEUED");
+  });
+
+  it("returns FAILED state with structured error for FAILED entries", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({ taskIdentifier: "t" }),
+      status: "FAILED",
+      attempts: 3,
+      createdAt: NOW,
+      lastError: { code: "VALIDATION", message: "task not found" },
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result!.status).toBe("FAILED");
+    expect(result!.error).toEqual({ code: "VALIDATION", message: "task not found" });
+  });
+
+  it("extracts snapshot-derived fields from the buffered payload", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({
+        taskIdentifier: "my-task",
+        payload: '{"foo":"bar"}',
+        payloadType: "application/json",
+        metadata: '{"customer":"acme"}',
+        metadataType: "application/json",
+        idempotencyKey: "client-abc",
+        idempotencyKeyOptions: { key: "client-abc", scope: "run" },
+        isTest: true,
+        depth: 2,
+        ttl: "1h",
+        tags: ["tag-a", "tag-b"],
+        // The engine.trigger snapshot stores the locked version string under
+        // `taskVersion` (see triggerTask.server.ts#buildEngineTriggerInput).
+        taskVersion: "20260511.1",
+        resumeParentOnCompletion: false,
+        parentTaskRunId: "run_parent",
+      }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result).not.toBeNull();
+    expect(result!.payloadType).toBe("application/json");
+    expect(result!.metadata).toBe('{"customer":"acme"}');
+    expect(result!.metadataType).toBe("application/json");
+    expect(result!.idempotencyKey).toBe("client-abc");
+    expect(result!.idempotencyKeyOptions).toEqual({ key: "client-abc", scope: "run" });
+    expect(result!.isTest).toBe(true);
+    expect(result!.depth).toBe(2);
+    expect(result!.ttl).toBe("1h");
+    expect(result!.tags).toEqual(["tag-a", "tag-b"]);
+    expect(result!.lockedToVersion).toBe("20260511.1");
+    expect(result!.resumeParentOnCompletion).toBe(false);
+    expect(result!.parentTaskRunId).toBe("run_parent");
+  });
+
+  it("extracts gate-allocated trace context from the snapshot", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({
+        taskIdentifier: "t",
+        traceId: "trace_abc",
+        spanId: "span_xyz",
+        parentSpanId: "span_parent",
+      }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result!.traceId).toBe("trace_abc");
+    expect(result!.spanId).toBe("span_xyz");
+    expect(result!.parentSpanId).toBe("span_parent");
+  });
+
+  it("parses idempotencyKeyOptions in the canonical { key, scope } object shape (regression for the buffered-vs-PG API contract divergence)", async () => {
+    // Regression for the bug where `readFallback` parsed
+    // `idempotencyKeyOptions` via Array.isArray and rejected the
+    // canonical object shape. The SDK and Prisma both serialise this
+    // as `{ key, scope }`; the legacy array check would reject it,
+    // returning `undefined` here, which downstream demoted the API's
+    // `idempotencyKey` field to surface the *hash* (server-side
+    // generated) instead of the user-supplied key — diverging from
+    // how materialised runs render the same field, and creating a
+    // silent contract flip at the drainer-materialisation boundary.
+    // Pin the schema-parse path so the buffered response matches
+    // PG-resident behaviour from the moment the run is buffered.
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({
+        taskIdentifier: "t",
+        idempotencyKey: "<hashed>",
+        idempotencyKeyOptions: { key: "user-supplied-key", scope: "global" },
+      }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result).not.toBeNull();
+    expect(result!.idempotencyKeyOptions).toEqual({
+      key: "user-supplied-key",
+      scope: "global",
+    });
+  });
+
+  it("returns undefined for idempotencyKeyOptions when the snapshot carries a legacy/invalid shape", async () => {
+    // The Zod schema parse rejects:
+    //   - array shape (the legacy bug we just fixed)
+    //   - object without required fields
+    //   - missing field entirely
+    // In all these cases the field is left `undefined`. Downstream
+    // `getUserProvidedIdempotencyKey` then falls back to the
+    // `idempotencyKey` field, matching how PG-resident runs handle
+    // malformed/missing options.
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({
+        taskIdentifier: "t",
+        idempotencyKey: "<hashed>",
+        // Legacy array shape — must NOT be accepted.
+        idempotencyKeyOptions: ["payload"],
+      }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result).not.toBeNull();
+    expect(result!.idempotencyKeyOptions).toBeUndefined();
+  });
+
+  it("defaults snapshot-derived fields to safe values when absent", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({ taskIdentifier: "t" }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result!.payloadType).toBeUndefined();
+    expect(result!.metadata).toBeUndefined();
+    expect(result!.idempotencyKey).toBeUndefined();
+    expect(result!.isTest).toBe(false);
+    expect(result!.depth).toBe(0);
+    expect(result!.tags).toEqual([]);
+    expect(result!.resumeParentOnCompletion).toBe(false);
+    expect(result!.traceId).toBeUndefined();
+    expect(result!.spanId).toBeUndefined();
+  });
+
+  it("populates replay-relevant fields from the snapshot", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({
+        taskIdentifier: "my-task",
+        environment: { id: "env_a" },
+        workerQueue: "default",
+        queue: "task/my-task",
+        concurrencyKey: "tenant-42",
+        machine: "medium-1x",
+        realtimeStreamsVersion: "v2",
+        seedMetadata: '{"k":"v"}',
+        seedMetadataType: "application/json",
+        tags: ["t1", "t2"],
+      }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result).not.toBeNull();
+    expect(result!.id).toBeTypeOf("string");
+    expect(result!.id.length).toBeGreaterThan(0);
+    expect(result!.engine).toBe("V2");
+    expect(result!.runtimeEnvironmentId).toBe("env_a");
+    expect(result!.workerQueue).toBe("default");
+    expect(result!.queue).toBe("task/my-task");
+    expect(result!.concurrencyKey).toBe("tenant-42");
+    expect(result!.machinePreset).toBe("medium-1x");
+    expect(result!.realtimeStreamsVersion).toBe("v2");
+    expect(result!.seedMetadata).toBe('{"k":"v"}');
+    expect(result!.seedMetadataType).toBe("application/json");
+    expect(result!.runTags).toEqual(["t1", "t2"]);
+  });
+
+  it("extracts batchId from the snapshot's nested batch object (engine.trigger shape)", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({
+        taskIdentifier: "t",
+        // The engine.trigger input nests the batch as `{ id, index }`,
+        // where `id` is the batch's internal cuid (not a flat `batchId`).
+        batch: { id: "batch_internal_cuid", index: 3 },
+      }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result!.batchId).toBe("batch_internal_cuid");
+  });
+
+  it("leaves batchId undefined when the snapshot has no batch (non-batched run)", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({ taskIdentifier: "t" }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result!.batchId).toBeUndefined();
+  });
+
+  it("treats invalid date strings as undefined and does not mis-classify status as CANCELED", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({
+        taskIdentifier: "t",
+        cancelledAt: "not-a-date",
+        cancelReason: "user requested",
+        delayUntil: "also-not-a-date",
+      }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result).not.toBeNull();
+    expect(result!.status).toBe("QUEUED");
+    expect(result!.cancelledAt).toBeUndefined();
+    expect(result!.delayUntil).toBeUndefined();
+  });
+
+  it("parses valid ISO date strings on cancelledAt and delayUntil", async () => {
+    const cancelledAtIso = "2026-05-11T13:00:00.000Z";
+    const delayUntilIso = "2026-05-11T14:00:00.000Z";
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({
+        taskIdentifier: "t",
+        cancelledAt: cancelledAtIso,
+        cancelReason: "user requested",
+        delayUntil: delayUntilIso,
+      }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result!.status).toBe("CANCELED");
+    expect(result!.cancelledAt).toEqual(new Date(cancelledAtIso));
+    expect(result!.cancelReason).toBe("user requested");
+    expect(result!.delayUntil).toEqual(new Date(delayUntilIso));
+  });
+
+  it("falls back to entry.envId for runtimeEnvironmentId when snapshot lacks environment.id", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({ taskIdentifier: "t" }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result!.runtimeEnvironmentId).toBe("env_a");
+    expect(result!.workerQueue).toBeUndefined();
+    expect(result!.queue).toBeUndefined();
+  });
+
+  it("extracts batchId from the nested snapshot.batch object (not the flat key)", async () => {
+    // Regression for the field-name mismatch Devin flagged:
+    // #buildEngineTriggerInput writes batch info as
+    // `batch: { id, index }`, never as a flat `batchId`. readFallback
+    // must read the nested key, otherwise SyntheticRun.batchId is always
+    // undefined for buffered runs.
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({
+        taskIdentifier: "t",
+        batch: { id: "batch_internal_xyz", index: 3 },
+      }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result!.batchId).toBe("batch_internal_xyz");
+  });
+
+  it("does NOT read a flat `batchId` key — only the nested batch.id", async () => {
+    // Belt-and-braces: a payload with the wrong-shaped flat key should
+    // resolve to undefined, not silently pick up the bogus value.
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({
+        taskIdentifier: "t",
+        batchId: "should-be-ignored",
+      }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result!.batchId).toBeUndefined();
+  });
+
+  it("converts internal parent/root IDs in the snapshot to friendlyIds", async () => {
+    // Regression for Devin's structural-unfillable finding: the snapshot
+    // only carries INTERNAL parent/root ids (engine.trigger consumes the
+    // internal shape), while SyntheticRun exposes friendlyIds. Convert
+    // here so consumers don't have to special-case the buffered path.
+    // The conversion is deterministic via RunId.toFriendlyId — we drive
+    // it through `RunId.generate()` to get a matching internal+friendly
+    // pair and assert the round-trip.
+    const parent = RunId.generate();
+    const root = RunId.generate();
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({
+        taskIdentifier: "t",
+        parentTaskRunId: parent.id,
+        rootTaskRunId: root.id,
+      }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result!.parentTaskRunFriendlyId).toBe(parent.friendlyId);
+    expect(result!.rootTaskRunFriendlyId).toBe(root.friendlyId);
+  });
+
+  it("leaves parent/root friendlyIds undefined when the snapshot carries no parent context", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: JSON.stringify({ taskIdentifier: "t" }),
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+    };
+    const result = await findRunByIdWithMollifierFallback(
+      { runId: "run_1", environmentId: "env_a", organizationId: "org_1" },
+      { getBuffer: () => fakeBuffer(entry) },
+    );
+    expect(result!.parentTaskRunFriendlyId).toBeUndefined();
+    expect(result!.rootTaskRunFriendlyId).toBeUndefined();
+  });
+});
diff --git a/apps/webapp/test/mollifierReplayPayloadShape.test.ts b/apps/webapp/test/mollifierReplayPayloadShape.test.ts
new file mode 100644
index 00000000000..d2f098d7086
--- /dev/null
+++ b/apps/webapp/test/mollifierReplayPayloadShape.test.ts
@@ -0,0 +1,99 @@
+import { describe, expect, it } from "vitest";
+import {
+  serialiseMollifierSnapshot,
+  deserialiseMollifierSnapshot,
+} from "~/v3/mollifier/mollifierSnapshot.server";
+import { prettyPrintPacket } from "@trigger.dev/core/v3";
+
+// Regression test for the Devin "Buffered replay loader passes
+// non-string payload to prettyPrintPacket" finding on PR #3757.
+//
+// Devin's claim is that the snapshot codec double-unwraps the
+// payload: `engine.trigger` carries it pre-serialised, then the
+// snapshot serialise/deserialise round-trip would JSON.parse it a
+// second time, leaving `buffered.payload` as a *parsed* object —
+// which `prettyPrintPacket` then mis-handles, producing malformed
+// payload display in the Replay dialog.
+//
+// This test pins the actual contract: the snapshot codec is a single
+// JSON.stringify / JSON.parse layer. The payload field stored on the
+// engine trigger input is a string (the SDK-serialised payload from
+// `payloadPacket.data`). A string round-trips through
+// JSON.stringify/JSON.parse unchanged — it does NOT get a second
+// unwrap. Therefore `buffered.payload` reaches the replay loader as
+// a string, exactly the shape `prettyPrintPacket` expects.
+describe("mollifier replay payload shape", () => {
+  it("serialise/deserialise preserves the payload as a string", () => {
+    // Shape mirrors what `triggerTask.server.ts:#buildEngineTriggerInput`
+    // produces — `payload` is `args.payloadPacket.data`, already a JSON
+    // string from the SDK's packet serialisation.
+    const triggerInput = {
+      friendlyId: "run_x",
+      taskIdentifier: "hello-world",
+      payload: JSON.stringify({ hello: "world", n: 42 }),
+      payloadType: "application/json",
+      traceId: "trace_x",
+      spanId: "span_x",
+    };
+
+    const serialised = serialiseMollifierSnapshot(triggerInput);
+    const roundTripped = deserialiseMollifierSnapshot(serialised);
+
+    expect(typeof roundTripped.payload).toBe("string");
+    expect(roundTripped.payload).toBe(triggerInput.payload);
+    expect(roundTripped.payloadType).toBe("application/json");
+  });
+
+  it("prettyPrintPacket on the round-tripped payload produces the expected pretty JSON", async () => {
+    const original = { hello: "world", nested: { count: 3 } };
+    const triggerInput = {
+      payload: JSON.stringify(original),
+      payloadType: "application/json",
+    };
+
+    const roundTripped = deserialiseMollifierSnapshot(
+      serialiseMollifierSnapshot(triggerInput),
+    );
+
+    // This is exactly the call the replay loader makes:
+    //   prettyPrintPacket(run.payload, run.payloadType)
+    // If Devin were right, the payload here would be a parsed object
+    // and prettyPrintPacket would either double-encode or skip
+    // formatting. In reality it's a string, so we get correct pretty
+    // JSON.
+    const pretty = await prettyPrintPacket(
+      roundTripped.payload,
+      roundTripped.payloadType as string,
+    );
+
+    expect(pretty).toBe(JSON.stringify(original, null, 2));
+  });
+
+  it("string payload survives the buffer-codec round-trip even with snapshot fields around it", () => {
+    // Replicate the realistic snapshot shape (the engine.trigger input
+    // has many sibling fields). Confirms there's no field-shape
+    // interaction that would mutate payload.
+    const triggerInput = {
+      friendlyId: "run_x",
+      environment: {
+        id: "env",
+        type: "DEVELOPMENT",
+        project: { id: "p" },
+        organization: { id: "o" },
+      },
+      taskIdentifier: "t",
+      payload: '{"a":1}',
+      payloadType: "application/json",
+      context: { run: { id: "x" } },
+      traceContext: { traceparent: "00-...-..." },
+      traceId: "abc",
+      spanId: "def",
+      tags: ["one", "two"],
+      depth: 2,
+      isTest: false,
+    };
+    const out = deserialiseMollifierSnapshot(serialiseMollifierSnapshot(triggerInput));
+    expect(typeof out.payload).toBe("string");
+    expect(out.payload).toBe('{"a":1}');
+  });
+});
diff --git a/apps/webapp/test/mollifierResetIdempotencyKey.test.ts b/apps/webapp/test/mollifierResetIdempotencyKey.test.ts
new file mode 100644
index 00000000000..4909087d70c
--- /dev/null
+++ b/apps/webapp/test/mollifierResetIdempotencyKey.test.ts
@@ -0,0 +1,158 @@
+import { describe, expect, it, vi } from "vitest";
+
+// Mock the db module so the BaseService default prisma doesn't try to
+// open a real connection at module load. Each test wires its own
+// prisma stub.
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+// Prevent the runEngine singleton from instantiating and spinning up
+// PG/Redis workers at module load — without this CI fails with
+// unhandled `PrismaClientInitializationError`s even though the
+// assertions all pass (see `mollifierDrainerWorker.test.ts`).
+vi.mock("~/v3/runEngine.server", () => ({ engine: {} }));
+
+// Hoisted mock state so we can swap the buffer per test without
+// re-importing modules.
+const bufferMock: { current: unknown } = { current: null };
+vi.mock("~/v3/mollifier/mollifierBuffer.server", () => ({
+  getMollifierBuffer: () => bufferMock.current,
+}));
+
+import { ResetIdempotencyKeyService } from "~/v3/services/resetIdempotencyKey.server";
+import { ServiceValidationError } from "~/v3/services/baseService.server";
+
+type FakePrisma = {
+  taskRun: { updateMany: (...args: unknown[]) => Promise<{ count: number }> };
+};
+
+function makePrisma(pgCount: number): FakePrisma {
+  return {
+    taskRun: {
+      updateMany: vi.fn(async () => ({ count: pgCount })),
+    },
+  };
+}
+
+const env = {
+  id: "env_a",
+  organizationId: "org_1",
+} as unknown as Parameters<ResetIdempotencyKeyService["call"]>[2];
+
+describe("ResetIdempotencyKeyService — buffer-outage handling", () => {
+  it("returns success when PG cleared >=1 run, even if the buffer reset throws", async () => {
+    bufferMock.current = {
+      resetIdempotency: vi.fn(async () => {
+        throw new Error("ECONNREFUSED");
+      }),
+    };
+    const prisma = makePrisma(1);
+    const service = new ResetIdempotencyKeyService(prisma as never);
+
+    const result = await service.call("ikey", "task", env);
+    expect(result).toEqual({ id: "ikey" });
+  });
+
+  it("returns success when PG cleared nothing but the buffer cleared a run", async () => {
+    bufferMock.current = {
+      resetIdempotency: vi.fn(async () => ({ clearedRunId: "run_x" })),
+    };
+    const prisma = makePrisma(0);
+    const service = new ResetIdempotencyKeyService(prisma as never);
+
+    const result = await service.call("ikey", "task", env);
+    expect(result).toEqual({ id: "ikey" });
+  });
+
+  it("404s when PG and buffer both legitimately report 'nothing to clear'", async () => {
+    bufferMock.current = {
+      resetIdempotency: vi.fn(async () => ({ clearedRunId: null })),
+    };
+    const prisma = makePrisma(0);
+    const service = new ResetIdempotencyKeyService(prisma as never);
+
+    await expect(service.call("ikey", "task", env)).rejects.toMatchObject({
+      status: 404,
+    });
+  });
+
+  // Regression for the silent-not-found hazard CodeRabbit flagged: if PG
+  // sees nothing AND we can't read the buffer (Redis outage), the
+  // previous behaviour was to 404 — masking a partial outage and
+  // leaving a buffered key effectively un-reset while the caller was
+  // told "doesn't exist." We now surface 503 so the caller retries.
+  it("503s when PG cleared nothing AND the buffer reset failed (partial outage)", async () => {
+    bufferMock.current = {
+      resetIdempotency: vi.fn(async () => {
+        throw new Error("ECONNREFUSED");
+      }),
+    };
+    const prisma = makePrisma(0);
+    const service = new ResetIdempotencyKeyService(prisma as never);
+
+    const error = await service.call("ikey", "task", env).then(
+      () => null,
+      (err) => err,
+    );
+    expect(error).toBeInstanceOf(ServiceValidationError);
+    expect(error.status).toBe(503);
+    expect(error.message).toMatch(/retry/i);
+  });
+
+  it("404s normally when buffer is null (mollifier disabled) and PG cleared nothing", async () => {
+    bufferMock.current = null;
+    const prisma = makePrisma(0);
+    const service = new ResetIdempotencyKeyService(prisma as never);
+
+    await expect(service.call("ikey", "task", env)).rejects.toMatchObject({
+      status: 404,
+    });
+  });
+
+  // Regression for the PG↔buffer handoff race CodeRabbit flagged on PR #3756.
+  //
+  // Sequence the test models (deterministic, by setup):
+  //   1. ResetIdempotencyKeyService.call begins while the run is still
+  //      buffered. The initial pg.updateMany sees no PG row → count=0.
+  //   2. Between that update and the buffer reset, the drainer materialises
+  //      the buffered run into PG (engine.trigger writes the row with the
+  //      original idempotencyKey intact) AND `buffer.ack` clears the
+  //      associated Redis idempotency lookup — that's part of ack's
+  //      atomic contract (see `buffer.ts:493` comment).
+  //   3. buffer.resetIdempotency runs after ack → returns
+  //      `{ clearedRunId: null }` because the lookup is gone.
+  //
+  // Without the handoff re-check, totalCount = 0 + 0 = 0 → the service
+  // throws 404 for a key that genuinely still exists on the now-
+  // materialised PG row. The customer's reset is silently lost.
+  //
+  // Correct behaviour: the service must discover the materialised row
+  // and clear its key, returning success. This test pins that contract.
+  it("succeeds when a buffered run materialises into PG between the initial pgUpdate and the buffer reset (handoff race)", async () => {
+    let updateManyCalls = 0;
+    const prisma: FakePrisma = {
+      taskRun: {
+        // First call: pre-materialisation, no PG row yet → 0.
+        // Second call (the fix's re-check after both surfaces report
+        // nothing): post-materialisation, drainer wrote the row → 1.
+        updateMany: vi.fn(async () => {
+          updateManyCalls += 1;
+          return updateManyCalls === 1 ? { count: 0 } : { count: 1 };
+        }),
+      },
+    };
+    const resetIdempotency = vi.fn(async () => ({ clearedRunId: null as string | null }));
+    bufferMock.current = { resetIdempotency };
+
+    const service = new ResetIdempotencyKeyService(prisma as never);
+
+    const result = await service.call("ikey", "task", env);
+    expect(result).toEqual({ id: "ikey" });
+
+    // Load-bearing pieces of the fix:
+    //   - The buffer path was consulted (we didn't bypass the normal
+    //     handoff window check), and
+    //   - A second pg.updateMany fired AFTER the buffer's null result,
+    //     catching the now-materialised row.
+    expect(resetIdempotency).toHaveBeenCalledOnce();
+    expect(updateManyCalls).toBe(2);
+  });
+});
diff --git a/apps/webapp/test/mollifierResolveRunForMutation.test.ts b/apps/webapp/test/mollifierResolveRunForMutation.test.ts
new file mode 100644
index 00000000000..b50d8ad9400
--- /dev/null
+++ b/apps/webapp/test/mollifierResolveRunForMutation.test.ts
@@ -0,0 +1,229 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({
+  // Both default clients return null. Individual tests inject their
+  // own fakes via `deps` when they want non-default behaviour.
+  prisma: { taskRun: { findFirst: vi.fn(async () => null) } },
+  $replica: { taskRun: { findFirst: vi.fn(async () => null) } },
+}));
+
+import { resolveRunForMutation } from "~/v3/mollifier/resolveRunForMutation.server";
+import type { BufferEntry, MollifierBuffer } from "@trigger.dev/redis-worker";
+
+// Regression coverage for the cancel-route 404 bug (commit b490afe23).
+// Before the fix the route had `findResource: async () => null`, which
+// caused the route builder to 404 every cancel — including for valid
+// PG-row runs — BEFORE the action handler could run. The helper
+// resolveRunForMutation has to return a non-null discriminated value
+// whenever the run exists in either store.
+
+const NOW = new Date("2026-05-21T10:00:00Z");
+
+function fakeReplica(row: { friendlyId: string } | null) {
+  return { taskRun: { findFirst: vi.fn(async () => row) } };
+}
+function fakeWriter(row: { friendlyId: string } | null) {
+  return { taskRun: { findFirst: vi.fn(async () => row) } };
+}
+
+function fakeBuffer(entry: BufferEntry | null): MollifierBuffer {
+  return {
+    getEntry: vi.fn(async () => entry),
+  } as unknown as MollifierBuffer;
+}
+
+const baseInput = {
+  runParam: "run_1",
+  environmentId: "env_a",
+  organizationId: "org_1",
+};
+
+describe("resolveRunForMutation", () => {
+  it("returns { source: 'pg' } when the PG row exists", async () => {
+    const result = await resolveRunForMutation({
+      ...baseInput,
+      deps: {
+        prismaReplica: fakeReplica({ friendlyId: "run_1" }),
+        getBuffer: () => null,
+      },
+    });
+    expect(result).toEqual({ source: "pg", friendlyId: "run_1" });
+  });
+
+  it("returns { source: 'buffer' } when PG misses and the buffer entry matches env+org", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_1",
+      payload: "{}",
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+      createdAtMicros: 1747044000000000,
+      materialised: false,
+      idempotencyLookupKey: "",
+      metadataVersion: 0,
+    };
+    const result = await resolveRunForMutation({
+      ...baseInput,
+      deps: {
+        prismaReplica: fakeReplica(null),
+        getBuffer: () => fakeBuffer(entry),
+      },
+    });
+    expect(result).toEqual({ source: "buffer", friendlyId: "run_1" });
+  });
+
+  it("returns null when PG misses and the buffer entry env doesn't match", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_OTHER",
+      orgId: "org_1",
+      payload: "{}",
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+      createdAtMicros: 1747044000000000,
+      materialised: false,
+      idempotencyLookupKey: "",
+      metadataVersion: 0,
+    };
+    const result = await resolveRunForMutation({
+      ...baseInput,
+      deps: {
+        prismaReplica: fakeReplica(null),
+        getBuffer: () => fakeBuffer(entry),
+      },
+    });
+    expect(result).toBeNull();
+  });
+
+  it("returns null when PG misses and the buffer entry org doesn't match", async () => {
+    const entry: BufferEntry = {
+      runId: "run_1",
+      envId: "env_a",
+      orgId: "org_OTHER",
+      payload: "{}",
+      status: "QUEUED",
+      attempts: 0,
+      createdAt: NOW,
+      createdAtMicros: 1747044000000000,
+      materialised: false,
+      idempotencyLookupKey: "",
+      metadataVersion: 0,
+    };
+    const result = await resolveRunForMutation({
+      ...baseInput,
+      deps: {
+        prismaReplica: fakeReplica(null),
+        getBuffer: () => fakeBuffer(entry),
+      },
+    });
+    expect(result).toBeNull();
+  });
+
+  it("returns null when both PG and buffer miss", async () => {
+    const result = await resolveRunForMutation({
+      ...baseInput,
+      deps: {
+        prismaReplica: fakeReplica(null),
+        getBuffer: () => fakeBuffer(null),
+      },
+    });
+    expect(result).toBeNull();
+  });
+
+  it("returns null when buffer is unavailable (mollifier disabled) and PG misses", async () => {
+    const result = await resolveRunForMutation({
+      ...baseInput,
+      deps: {
+        prismaReplica: fakeReplica(null),
+        getBuffer: () => null,
+      },
+    });
+    expect(result).toBeNull();
+  });
+
+  it("PG-hit short-circuits before consulting the buffer", async () => {
+    const buffer = fakeBuffer(null);
+    const result = await resolveRunForMutation({
+      ...baseInput,
+      deps: {
+        prismaReplica: fakeReplica({ friendlyId: "run_1" }),
+        getBuffer: () => buffer,
+      },
+    });
+    expect(result?.source).toBe("pg");
+    expect(buffer.getEntry).not.toHaveBeenCalled();
+  });
+
+  // Regressions for the degraded-mode false-404 CodeRabbit flagged.
+  //
+  // Pre-PR the mutation routes read from the writer directly, so any
+  // PG row was visible regardless of replication lag. This helper
+  // moved the read to the replica for offload purposes. The route
+  // builder treats a null return as a hard 404 BEFORE the action
+  // handler runs, so any path where replica misses and the writer has
+  // the row needs to be reachable here — otherwise mutateWithFallback's
+  // own writer recovery never gets a chance to fire.
+  it("falls back to the writer when both replica and buffer miss, returning the writer row as 'pg' source", async () => {
+    const result = await resolveRunForMutation({
+      ...baseInput,
+      deps: {
+        prismaReplica: fakeReplica(null),
+        prismaWriter: fakeWriter({ friendlyId: "run_1" }),
+        getBuffer: () => fakeBuffer(null),
+      },
+    });
+    expect(result?.source).toBe("pg");
+    expect(result?.friendlyId).toBe("run_1");
+  });
+
+  it("falls back to the writer when the buffer is unavailable (mollifier disabled) and replica misses", async () => {
+    const result = await resolveRunForMutation({
+      ...baseInput,
+      deps: {
+        prismaReplica: fakeReplica(null),
+        prismaWriter: fakeWriter({ friendlyId: "run_1" }),
+        getBuffer: () => null,
+      },
+    });
+    expect(result?.source).toBe("pg");
+    expect(result?.friendlyId).toBe("run_1");
+  });
+
+  it("still returns null when replica, buffer, AND writer all miss (legitimate not-found)", async () => {
+    const writer = fakeWriter(null);
+    const result = await resolveRunForMutation({
+      ...baseInput,
+      deps: {
+        prismaReplica: fakeReplica(null),
+        prismaWriter: writer,
+        getBuffer: () => fakeBuffer(null),
+      },
+    });
+    expect(result).toBeNull();
+    // Writer probe ran — the fallback fires exactly once on the miss
+    // path; doesn't pile retries.
+    expect(writer.taskRun.findFirst).toHaveBeenCalledOnce();
+  });
+
+  it("PG-hit short-circuits before consulting either the buffer OR the writer", async () => {
+    const buffer = fakeBuffer(null);
+    const writer = fakeWriter({ friendlyId: "should-not-be-read" });
+    const result = await resolveRunForMutation({
+      ...baseInput,
+      deps: {
+        prismaReplica: fakeReplica({ friendlyId: "run_1" }),
+        prismaWriter: writer,
+        getBuffer: () => buffer,
+      },
+    });
+    expect(result?.source).toBe("pg");
+    expect(result?.friendlyId).toBe("run_1");
+    expect(buffer.getEntry).not.toHaveBeenCalled();
+    // Writer must NOT fire when the replica already had the row —
+    // otherwise we'd negate the whole replica-offload purpose.
+    expect(writer.taskRun.findFirst).not.toHaveBeenCalled();
+  });
+});
diff --git a/apps/webapp/test/mollifierStaleSweep.test.ts b/apps/webapp/test/mollifierStaleSweep.test.ts
new file mode 100644
index 00000000000..94928611119
--- /dev/null
+++ b/apps/webapp/test/mollifierStaleSweep.test.ts
@@ -0,0 +1,976 @@
+import { describe, expect, it, vi } from "vitest";
+import { redisTest } from "@internal/testcontainers";
+import { MollifierBuffer } from "@trigger.dev/redis-worker";
+
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+
+import {
+  runStaleSweepOnce,
+  startStaleSweepInterval,
+} from "~/v3/mollifier/mollifierStaleSweep.server";
+import { MollifierStaleSweepState } from "~/v3/mollifier/mollifierStaleSweepState.server";
+
+const SNAPSHOT = {
+  taskIdentifier: "hello-world",
+  payload: '{"x":1}',
+  payloadType: "application/json",
+  traceContext: {},
+};
+
+// In-memory fake state for unit tests that don't have a Redis container.
+// The testcontainer tests use a real MollifierStaleSweepState against
+// the test Redis instead.
+function makeFakeState() {
+  let cursor = 0;
+  let orgList: string[] = [];
+  const counts = new Map<string, number>();
+  let visited = new Set<string>();
+  return {
+    readCursor: async () => cursor,
+    writeCursor: async (v: number) => {
+      cursor = v;
+    },
+    rebuildOrgList: async (orgs: string[]) => {
+      orgList = [...orgs];
+    },
+    readOrgListSlice: async (start: number, count: number) => ({
+      orgs: orgList.slice(start, start + count),
+      total: orgList.length,
+    }),
+    setEnvStaleCount: async (envId: string, count: number) => {
+      if (count > 0) counts.set(envId, count);
+      else counts.delete(envId);
+    },
+    readAllEnvStaleCounts: async () => new Map(counts),
+    markEnvVisited: async (envId: string) => {
+      visited.add(envId);
+    },
+    reconcileVisited: async () => {
+      for (const envId of [...counts.keys()]) {
+        if (!visited.has(envId)) counts.delete(envId);
+      }
+      visited = new Set();
+    },
+    clearAll: async () => {
+      cursor = 0;
+      orgList = [];
+      counts.clear();
+      visited = new Set();
+    },
+    close: async () => {},
+  };
+}
+
+function spyDeps() {
+  // Counter ticks — metric carries no `envId` label (high-cardinality)
+  // so the spy is a simple call count. Per-env detail lives on the
+  // structured warn log and the snapshot map.
+  let staleEntryCount = 0;
+  const snapshots: Array<Map<string, number>> = [];
+  const warnings: Array<{ message: string; fields: Record<string, unknown> }> = [];
+  return {
+    get staleEntryCount() {
+      return staleEntryCount;
+    },
+    snapshots,
+    warnings,
+    deps: {
+      recordStaleEntry: () => {
+        staleEntryCount += 1;
+      },
+      reportStaleEntrySnapshot: (snapshot: Map<string, number>) => {
+        // Clone so post-sweep assertions see what was reported *at that
+        // call site*, not whatever subsequent passes mutate the source
+        // map into.
+        snapshots.push(new Map(snapshot));
+      },
+      logger: {
+        warn: (message: string, fields: Record<string, unknown>) => {
+          warnings.push({ message, fields });
+        },
+      },
+    },
+  };
+}
+
+describe("runStaleSweepOnce — unit", () => {
+  it("returns zeros when the buffer is null", async () => {
+    // Mirrors the prod gate: if TRIGGER_MOLLIFIER_ENABLED=0 the buffer
+    // singleton is null and the sweep is a no-op. We don't want it to
+    // emit a metric (or throw) just because mollifier is disabled.
+    const spies = spyDeps();
+    const result = await runStaleSweepOnce(
+      { staleThresholdMs: 1000 },
+      { ...spies.deps, getBuffer: () => null, state: makeFakeState() },
+    );
+    expect(result).toEqual({
+      orgsScanned: 0,
+      envsScanned: 0,
+      entriesScanned: 0,
+      staleCount: 0,
+    });
+    expect(spies.staleEntryCount).toBe(0);
+    expect(spies.warnings).toEqual([]);
+    const snapshots = spies.snapshots;
+    // An empty snapshot is still reported so any previously-paging env
+    // (from a prior sweep before mollifier was disabled) clears.
+    expect(snapshots).toHaveLength(1);
+    expect(snapshots[0].size).toBe(0);
+  });
+
+  it("surfaces readOrgListSlice failures and leaves durable state untouched", async () => {
+    // Regression: previously a Redis read failure inside
+    // `readOrgListSlice` returned `{ orgs: [], total: 0 }` and the
+    // sweep treated that as a clean empty cycle — writing cursor=0,
+    // reconciling visited envs against the empty result, and CLEARING
+    // the stale-entry gauge. That silenced the very alerts the sweep
+    // exists to raise. The fix re-throws; the caller (this function
+    // and the interval wrapper above it) must NOT mutate cursor or
+    // counts when readOrgListSlice fails.
+    const state = makeFakeState();
+    // Seed durable state so we can assert it isn't touched on failure.
+    await state.writeCursor(42);
+    await state.setEnvStaleCount("env_seed", 7);
+    await state.rebuildOrgList(["org_pre"]);
+    // Inject a failure on the very next slice read.
+    const readErr = new Error("Redis read failed");
+    let readAttempts = 0;
+    const failingState = {
+      ...state,
+      readOrgListSlice: async (start: number, count: number) => {
+        readAttempts += 1;
+        throw readErr;
+      },
+    };
+    const spies = spyDeps();
+    const buffer = {
+      listOrgs: async () => ["org_pre"],
+      listEnvsForOrg: async () => [],
+      listEntriesForEnv: async () => [],
+    } as unknown as MollifierBuffer;
+
+    await expect(
+      runStaleSweepOnce(
+        { staleThresholdMs: 60_000, maxOrgsPerPass: 10 },
+        {
+          ...spies.deps,
+          state: failingState,
+          getBuffer: () => buffer,
+          now: () => Date.now(),
+        },
+      ),
+    ).rejects.toThrow("Redis read failed");
+
+    expect(readAttempts).toBe(1);
+    // Cursor untouched (still the seeded 42, not reset to 0).
+    expect(await state.readCursor()).toBe(42);
+    // Counts hash untouched — the seeded env's count survives the
+    // failed cycle so the gauge keeps reporting its last-known value.
+    const counts = await state.readAllEnvStaleCounts();
+    expect(counts.get("env_seed")).toBe(7);
+    // No snapshot was reported because the function threw before
+    // reaching reportStaleEntrySnapshot.
+    expect(spies.snapshots).toHaveLength(0);
+    expect(spies.staleEntryCount).toBe(0);
+  });
+});
+
+describe("runStaleSweepOnce — testcontainers", () => {
+  redisTest(
+    "flags every entry whose dwell exceeds the stale threshold",
+    { timeout: 20_000 },
+    async ({ redisOptions }) => {
+      const buffer = new MollifierBuffer({ redisOptions });
+      try {
+        // Three entries across two envs in the same org. The sweep below
+        // runs against a `now` advanced by 5 minutes, so all three have
+        // dwell ~5min and ALL THREE are stale against a 1-minute
+        // threshold — there is no "fresh" entry in this scenario. The
+        // assertions below pin the all-three-stale shape.
+        await buffer.accept({
+          runId: "run_stale_a",
+          envId: "env_a",
+          orgId: "org_1",
+          payload: JSON.stringify(SNAPSHOT),
+        });
+        await buffer.accept({
+          runId: "run_stale_b",
+          envId: "env_b",
+          orgId: "org_1",
+          payload: JSON.stringify(SNAPSHOT),
+        });
+        await buffer.accept({
+          runId: "run_stale_c",
+          envId: "env_a",
+          orgId: "org_1",
+          payload: JSON.stringify(SNAPSHOT),
+        });
+        // Yank the system clock forward 5 minutes for the sweep — way
+        // past the threshold below. The `now` deps seam lets us drive
+        // the threshold without actually waiting in real time.
+        const futureNow = Date.now() + 5 * 60 * 1000;
+
+        const spies = spyDeps();
+        const state = new MollifierStaleSweepState({ redisOptions });
+        try {
+          const result = await runStaleSweepOnce(
+            { staleThresholdMs: 60 * 1000 },
+            {
+              ...spies.deps,
+              getBuffer: () => buffer,
+              state,
+              now: () => futureNow,
+            },
+          );
+
+          expect(result.envsScanned).toBe(2);
+          expect(result.entriesScanned).toBe(3);
+          expect(result.staleCount).toBe(3);
+          // All three entries exceed the threshold; each emits one
+          // counter tick + one warning.
+          expect(spies.staleEntryCount).toBe(3);
+          expect(spies.warnings).toHaveLength(3);
+          for (const w of spies.warnings) {
+            expect(w.message).toBe("mollifier.stale_entry");
+            expect(w.fields.staleThresholdMs).toBe(60 * 1000);
+            expect(w.fields.dwellMs).toBeGreaterThan(60 * 1000);
+          }
+          // Snapshot drives the alertable gauge — env_a has 2 stale
+          // entries, env_b has 1. Per-env detail is still passed to
+          // `reportStaleEntrySnapshot` for forensic value even though the
+          // gauge itself aggregates the total.
+          expect(spies.snapshots).toHaveLength(1);
+          expect(Object.fromEntries(spies.snapshots[0])).toEqual({
+            env_a: 2,
+            env_b: 1,
+          });
+        } finally {
+          await state.close();
+        }
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "snapshot omits envs that have entries but none stale (durable hash HDEL's zeros)",
+    { timeout: 20_000 },
+    async ({ redisOptions }) => {
+      // Critical for alert behaviour: a previous sweep flagged env_a
+      // stale, alert fired, drainer caught up. The next sweep must
+      // remove env_a from the durable counts hash so the gauge drops
+      // below the alert threshold instead of staying latched at the
+      // last stale value. With the sharded design the snapshot is
+      // sourced from the HASH directly — visiting an env with zero
+      // stale entries HDEL's it, so it's simply absent from the
+      // snapshot (telemetry sums values, so absence is equivalent to
+      // zero for the gauge).
+      const buffer = new MollifierBuffer({ redisOptions });
+      const state = new MollifierStaleSweepState({ redisOptions });
+      try {
+        await buffer.accept({
+          runId: "run_just_arrived",
+          envId: "env_a",
+          orgId: "org_1",
+          payload: JSON.stringify(SNAPSHOT),
+        });
+        const spies = spyDeps();
+        await runStaleSweepOnce(
+          { staleThresholdMs: 60 * 1000 },
+          { ...spies.deps, getBuffer: () => buffer, state },
+        );
+        expect(spies.snapshots).toHaveLength(1);
+        // env_a has entries but none stale → not in the snapshot.
+        expect(spies.snapshots[0].has("env_a")).toBe(false);
+      } finally {
+        await state.close();
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "leaves fresh entries alone (dwell below threshold)",
+    { timeout: 20_000 },
+    async ({ redisOptions }) => {
+      // Regression guard for the inequality direction. A bug that flipped
+      // `dwellMs > threshold` to `dwellMs >= threshold` would flag every
+      // entry the first time the sweep runs after a perfectly synchronised
+      // accept call — the dashboard would page on every burst.
+      const buffer = new MollifierBuffer({ redisOptions });
+      const state = new MollifierStaleSweepState({ redisOptions });
+      try {
+        await buffer.accept({
+          runId: "run_fresh_only",
+          envId: "env_a",
+          orgId: "org_1",
+          payload: JSON.stringify(SNAPSHOT),
+        });
+        const spies = spyDeps();
+        const result = await runStaleSweepOnce(
+          { staleThresholdMs: 60 * 1000 },
+          { ...spies.deps, getBuffer: () => buffer, state },
+        );
+        expect(result.staleCount).toBe(0);
+        expect(spies.staleEntryCount).toBe(0);
+        expect(spies.warnings).toEqual([]);
+      } finally {
+        await state.close();
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "shards work across ticks: cursor advances by maxOrgsPerPass and wraps after a full cycle",
+    { timeout: 30_000 },
+    async ({ redisOptions }) => {
+      // Without sharding the sweep walks every org/env every tick — at
+      // any meaningful backlog that runs longer than the tick interval
+      // and the next tick gets dropped by the inFlight guard. Sharding
+      // splits the work: each tick visits at most `maxOrgsPerPass` orgs,
+      // advances a durable cursor, and resumes from there next tick.
+      // Over `ceil(N / cap)` ticks the cycle covers every org.
+      const buffer = new MollifierBuffer({ redisOptions });
+      const state = new MollifierStaleSweepState({ redisOptions });
+      try {
+        for (let i = 0; i < 5; i++) {
+          await buffer.accept({
+            runId: `run_shard_${i}`,
+            envId: `env_shard_${i}`,
+            orgId: `org_shard_${i}`,
+            payload: JSON.stringify(SNAPSHOT),
+          });
+        }
+        const futureNow = Date.now() + 5 * 60 * 1000;
+        const spies = spyDeps();
+        const cfg = { staleThresholdMs: 60 * 1000, maxOrgsPerPass: 2 };
+        const baseDeps = {
+          ...spies.deps,
+          getBuffer: () => buffer,
+          state,
+          now: () => futureNow,
+        };
+
+        // Tick 1: cursor starts at 0, scans 2 orgs.
+        const r1 = await runStaleSweepOnce(cfg, baseDeps);
+        expect(r1.orgsScanned).toBe(2);
+        expect(spies.snapshots[0].size).toBe(2);
+
+        // Tick 2: cursor was 2, scans 2 more orgs.
+        const r2 = await runStaleSweepOnce(cfg, baseDeps);
+        expect(r2.orgsScanned).toBe(2);
+        // Snapshot is the durable HASH — accumulates across ticks.
+        expect(spies.snapshots[1].size).toBe(4);
+
+        // Tick 3: cursor was 4, scans the last 1 org and wraps to 0.
+        const r3 = await runStaleSweepOnce(cfg, baseDeps);
+        expect(r3.orgsScanned).toBe(1);
+        expect(spies.snapshots[2].size).toBe(5);
+
+        // Tick 4: cycle complete, cursor is back at 0 — starts over.
+        const r4 = await runStaleSweepOnce(cfg, baseDeps);
+        expect(r4.orgsScanned).toBe(2);
+      } finally {
+        await state.close();
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "clears an env from the durable snapshot on revisit when it has entries but none currently stale",
+    { timeout: 30_000 },
+    async ({ redisOptions }) => {
+      // Stale state in the durable hash must be HDEL'd, not just left
+      // stale, when a previously-flagged env no longer has any entries
+      // whose dwell exceeds the threshold (drainer caught up, alert
+      // condition cleared). The same `entry` flips from stale to
+      // not-stale between two sweep ticks by varying the sweep's `now`
+      // — tick 1 uses a future clock so the entry is flagged stale;
+      // tick 2 uses real time so the same entry has near-zero dwell and
+      // is no longer stale. The env stays in the active set throughout
+      // (queue still has an entry), so the cursor revisits it and the
+      // hash field is cleared.
+      const buffer = new MollifierBuffer({ redisOptions });
+      const state = new MollifierStaleSweepState({ redisOptions });
+      try {
+        await buffer.accept({
+          runId: "run_drain",
+          envId: "env_drain",
+          orgId: "org_drain",
+          payload: JSON.stringify(SNAPSHOT),
+        });
+        const futureNow = Date.now() + 5 * 60 * 1000;
+        const spies = spyDeps();
+        const cfg = { staleThresholdMs: 60 * 1000, maxOrgsPerPass: 10 };
+
+        // Tick 1 with future clock: entry's dwell is 5min vs 1min
+        // threshold → flagged stale.
+        await runStaleSweepOnce(cfg, {
+          ...spies.deps,
+          getBuffer: () => buffer,
+          state,
+          now: () => futureNow,
+        });
+        expect(spies.snapshots[0].get("env_drain")).toBe(1);
+
+        // Tick 2 with real time: same entry, but its dwell is now ~ms
+        // vs the same 1min threshold → not stale. The env is revisited
+        // (cursor wrapped to 0 after tick 1, only 1 org in the list),
+        // setEnvStaleCount called with 0 → HDEL.
+        await runStaleSweepOnce(cfg, {
+          ...spies.deps,
+          getBuffer: () => buffer,
+          state,
+        });
+        expect(spies.snapshots[1].has("env_drain")).toBe(false);
+      } finally {
+        await state.close();
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "evicts fully-drained envs from the counts hash at cycle wrap (no permanent alert)",
+    { timeout: 30_000 },
+    async ({ redisOptions }) => {
+      // Devin's BUG report on PR #3754: an env that drains completely
+      // between sweep ticks disappears from `mollifier:org-envs:${orgId}`
+      // entirely, so the inner loop at runStaleSweepOnce never visits it
+      // and `setEnvStaleCount(envId, 0)` (which HDELs the field) is
+      // never called. The counts hash retains the env's last-known
+      // stale count forever, the gauge stays elevated, and the
+      // recommended alert `> 0 for 5m` fires indefinitely.
+      //
+      // Fix: at cycle wrap (cursor returned to 0) HDEL any env in the
+      // counts hash that wasn't visited during the just-completed cycle.
+      // Verified here by:
+      //   1. Flagging env_will_drain stale, confirming it's in the hash
+      //   2. Draining its only entry — now invisible to listEnvsForOrg
+      //   3. Running a sweep tick that triggers cycle wrap
+      //   4. Asserting the env is no longer in the snapshot
+      const buffer = new MollifierBuffer({ redisOptions });
+      const state = new MollifierStaleSweepState({ redisOptions });
+      try {
+        await buffer.accept({
+          runId: "run_will_drain",
+          envId: "env_will_drain",
+          orgId: "org_will_drain",
+          payload: JSON.stringify(SNAPSHOT),
+        });
+        const futureNow = Date.now() + 5 * 60 * 1000;
+        const cfg = { staleThresholdMs: 60 * 1000, maxOrgsPerPass: 10 };
+        const spies = spyDeps();
+
+        // Tick 1: env_will_drain is flagged stale → enters counts hash.
+        // Cursor wraps to 0 (only 1 org in the list).
+        await runStaleSweepOnce(cfg, {
+          ...spies.deps,
+          getBuffer: () => buffer,
+          state,
+          now: () => futureNow,
+        });
+        expect(spies.snapshots[0].get("env_will_drain")).toBe(1);
+
+        // Drain the only entry. mollifier:queue:env_will_drain is now
+        // empty, and the buffer's atomic Lua removes env_will_drain
+        // from `mollifier:org-envs:org_will_drain` (and removes the org
+        // from `mollifier:orgs` since it has no other envs). The env is
+        // now invisible to listEnvsForOrg.
+        const popped = await buffer.pop("env_will_drain");
+        expect(popped?.runId).toBe("run_will_drain");
+
+        // Tick 2: cursor was 0 after tick 1's wrap, so this rebuilds
+        // the org list (now empty) and immediately wraps again. The
+        // wrap-handler must HDEL env_will_drain from the counts hash
+        // because it wasn't in the visited set for this cycle.
+        await runStaleSweepOnce(cfg, {
+          ...spies.deps,
+          getBuffer: () => buffer,
+          state,
+          now: () => futureNow,
+        });
+        expect(spies.snapshots[1].has("env_will_drain")).toBe(false);
+        // And the durable hash is genuinely empty, not just absent from
+        // this snapshot.
+        expect((await state.readAllEnvStaleCounts()).size).toBe(0);
+      } finally {
+        await state.close();
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "scans across multiple orgs",
+    { timeout: 20_000 },
+    async ({ redisOptions }) => {
+      // The drainer pops with org-level fairness, so the sweep must
+      // walk every org/env to surface stale entries across all of them
+      // — not just stop at the first env it finds. If a future refactor
+      // collapsed listOrgs/listEnvsForOrg into a single env-flat list,
+      // this test catches a regression there.
+      const buffer = new MollifierBuffer({ redisOptions });
+      const state = new MollifierStaleSweepState({ redisOptions });
+      try {
+        await buffer.accept({
+          runId: "run_x",
+          envId: "env_x",
+          orgId: "org_x",
+          payload: JSON.stringify(SNAPSHOT),
+        });
+        await buffer.accept({
+          runId: "run_y",
+          envId: "env_y",
+          orgId: "org_y",
+          payload: JSON.stringify(SNAPSHOT),
+        });
+        const futureNow = Date.now() + 5 * 60 * 1000;
+        const spies = spyDeps();
+        const result = await runStaleSweepOnce(
+          { staleThresholdMs: 60 * 1000 },
+          { ...spies.deps, getBuffer: () => buffer, state, now: () => futureNow },
+        );
+        expect(result.orgsScanned).toBe(2);
+        expect(result.envsScanned).toBe(2);
+        expect(result.staleCount).toBe(2);
+      } finally {
+        await state.close();
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "state survives process restart: a second state instance picks up the cursor and counts",
+    { timeout: 30_000 },
+    async ({ redisOptions }) => {
+      // This is the headline reason the sweep state is durable in Redis
+      // instead of process-local — a webapp restart mid-cycle must not
+      // re-emit the gauge as fresh-zero for previously-flagged envs nor
+      // restart the cursor walk from scratch. Simulated here by closing
+      // state1 (its Redis client quits cleanly) and constructing state2
+      // against the same Redis. The cursor + counts that state1 wrote
+      // are visible to state2 on its first tick.
+      const buffer = new MollifierBuffer({ redisOptions });
+      const state1 = new MollifierStaleSweepState({ redisOptions });
+      try {
+        await buffer.accept({
+          runId: "run_a",
+          envId: "env_a",
+          orgId: "org_a",
+          payload: JSON.stringify(SNAPSHOT),
+        });
+        await buffer.accept({
+          runId: "run_b",
+          envId: "env_b",
+          orgId: "org_b",
+          payload: JSON.stringify(SNAPSHOT),
+        });
+        const futureNow = Date.now() + 5 * 60 * 1000;
+        const cfg = { staleThresholdMs: 60 * 1000, maxOrgsPerPass: 1 };
+        const spies1 = spyDeps();
+
+        // Tick 1 with state1: visits 1 of 2 orgs.
+        await runStaleSweepOnce(cfg, {
+          ...spies1.deps,
+          getBuffer: () => buffer,
+          state: state1,
+          now: () => futureNow,
+        });
+        expect(spies1.snapshots[0].size).toBe(1);
+      } finally {
+        // Simulate webapp restart: state1's Redis client closes cleanly.
+        await state1.close();
+      }
+
+      // New process boots, constructs a fresh state pointing at the
+      // same Redis. The cycle's frozen org_list, the cursor, and the
+      // counts hash are all preserved — state2 picks up at the second
+      // org of the cycle.
+      const state2 = new MollifierStaleSweepState({ redisOptions });
+      try {
+        const futureNow = Date.now() + 5 * 60 * 1000;
+        const cfg = { staleThresholdMs: 60 * 1000, maxOrgsPerPass: 1 };
+        const spies2 = spyDeps();
+
+        await runStaleSweepOnce(cfg, {
+          ...spies2.deps,
+          getBuffer: () => buffer,
+          state: state2,
+          now: () => futureNow,
+        });
+        // Snapshot now has BOTH envs: the one tick 1 flagged (still in
+        // the counts hash from state1) plus the one tick 2 just flagged.
+        // A non-durable design would show only the second.
+        expect(spies2.snapshots[0].size).toBe(2);
+      } finally {
+        await state2.close();
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "cycle wrap rebuilds the org list, so orgs that joined mid-cycle get visited on the next cycle",
+    { timeout: 30_000 },
+    async ({ redisOptions }) => {
+      // The docstring promises "orgs joining mid-cycle wait until the
+      // next cycle to be visited." The mechanism is rebuildOrgList at
+      // cursor=0: a fresh snapshot of buffer.listOrgs() replaces the
+      // previous frozen LIST. Verified here by adding a third org
+      // between cycles and asserting it shows up only in the next
+      // cycle's snapshot.
+      const buffer = new MollifierBuffer({ redisOptions });
+      const state = new MollifierStaleSweepState({ redisOptions });
+      try {
+        await buffer.accept({
+          runId: "run_init_a",
+          envId: "env_init_a",
+          orgId: "org_init_a",
+          payload: JSON.stringify(SNAPSHOT),
+        });
+        await buffer.accept({
+          runId: "run_init_b",
+          envId: "env_init_b",
+          orgId: "org_init_b",
+          payload: JSON.stringify(SNAPSHOT),
+        });
+        const futureNow = Date.now() + 5 * 60 * 1000;
+        const spies = spyDeps();
+        const cfg = { staleThresholdMs: 60 * 1000, maxOrgsPerPass: 10 };
+        const baseDeps = {
+          ...spies.deps,
+          getBuffer: () => buffer,
+          state,
+          now: () => futureNow,
+        };
+
+        // Tick 1: cycle 1. Visits both initial orgs; cursor wraps to 0.
+        await runStaleSweepOnce(cfg, baseDeps);
+        expect(spies.snapshots[0].size).toBe(2);
+
+        // Mid-flight: a third org joins the buffer. It must NOT have
+        // been part of cycle 1's frozen LIST.
+        await buffer.accept({
+          runId: "run_mid",
+          envId: "env_mid",
+          orgId: "org_mid",
+          payload: JSON.stringify(SNAPSHOT),
+        });
+
+        // Tick 2: cycle 2 begins (cursor was 0 after tick 1's wrap).
+        // rebuildOrgList captures all 3 orgs; this tick visits all 3.
+        const r2 = await runStaleSweepOnce(cfg, baseDeps);
+        expect(r2.orgsScanned).toBe(3);
+        expect(spies.snapshots[1].size).toBe(3);
+        expect(spies.snapshots[1].has("env_mid")).toBe(true);
+      } finally {
+        await state.close();
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "empty buffer (no orgs) advances cleanly with zero work and an empty snapshot",
+    { timeout: 30_000 },
+    async ({ redisOptions }) => {
+      // `mollifier:orgs` is empty (no entries ever accepted, or every
+      // entry has been drained). The sweep must handle the boundary:
+      // rebuildOrgList with [], readOrgListSlice returns total=0,
+      // the org loop is skipped, and the cursor stays at 0 instead of
+      // tripping the wrap math.
+      const buffer = new MollifierBuffer({ redisOptions });
+      const state = new MollifierStaleSweepState({ redisOptions });
+      try {
+        const spies = spyDeps();
+        const result = await runStaleSweepOnce(
+          { staleThresholdMs: 60 * 1000, maxOrgsPerPass: 10 },
+          { ...spies.deps, getBuffer: () => buffer, state },
+        );
+        expect(result).toEqual({
+          orgsScanned: 0,
+          envsScanned: 0,
+          entriesScanned: 0,
+          staleCount: 0,
+        });
+        expect(spies.snapshots).toHaveLength(1);
+        expect(spies.snapshots[0].size).toBe(0);
+        // Cursor stayed at 0 — nothing to advance through.
+        expect(await state.readCursor()).toBe(0);
+      } finally {
+        await state.close();
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "buffer-null branch wipes the durable state so a re-enable starts fresh",
+    { timeout: 30_000 },
+    async ({ redisOptions }) => {
+      // The unit test above asserts the snapshot is empty when the
+      // buffer is null, but doesn't verify the durable state was
+      // actually cleared. Without clearAll the next re-enable would
+      // resume on a stale cursor + carry over a stale counts hash.
+      const buffer = new MollifierBuffer({ redisOptions });
+      const state = new MollifierStaleSweepState({ redisOptions });
+      try {
+        await buffer.accept({
+          runId: "run_seed",
+          envId: "env_seed",
+          orgId: "org_seed",
+          payload: JSON.stringify(SNAPSHOT),
+        });
+        const futureNow = Date.now() + 5 * 60 * 1000;
+        const cfg = { staleThresholdMs: 60 * 1000, maxOrgsPerPass: 10 };
+        const spies = spyDeps();
+
+        // Tick 1: populate state.
+        await runStaleSweepOnce(cfg, {
+          ...spies.deps,
+          getBuffer: () => buffer,
+          state,
+          now: () => futureNow,
+        });
+        expect(spies.snapshots[0].size).toBe(1);
+        expect((await state.readAllEnvStaleCounts()).size).toBe(1);
+
+        // Tick 2: mollifier flips OFF — getBuffer returns null. The
+        // sweep must clear the durable state.
+        await runStaleSweepOnce(cfg, {
+          ...spies.deps,
+          getBuffer: () => null,
+          state,
+        });
+        expect(spies.snapshots[1].size).toBe(0);
+        expect((await state.readAllEnvStaleCounts()).size).toBe(0);
+        expect(await state.readCursor()).toBe(0);
+      } finally {
+        await state.close();
+        await buffer.close();
+      }
+    },
+  );
+});
+
+describe("MollifierStaleSweepState — direct unit tests", () => {
+  redisTest("readCursor returns 0 when the key is absent", { timeout: 20_000 }, async ({ redisOptions }) => {
+    const state = new MollifierStaleSweepState({ redisOptions });
+    try {
+      expect(await state.readCursor()).toBe(0);
+    } finally {
+      await state.close();
+    }
+  });
+
+  redisTest(
+    "writeCursor + readCursor round-trip; readCursor parses a non-numeric value as 0",
+    { timeout: 20_000 },
+    async ({ redisOptions }) => {
+      const state = new MollifierStaleSweepState({ redisOptions });
+      try {
+        await state.writeCursor(42);
+        expect(await state.readCursor()).toBe(42);
+
+        // Defensive: a corrupted/garbage value must not throw or
+        // propagate NaN into the sweep's cursor arithmetic.
+        await state["redis"].set("mollifier:stale_sweep:cursor", "not-a-number");
+        expect(await state.readCursor()).toBe(0);
+      } finally {
+        await state.close();
+      }
+    },
+  );
+
+  redisTest(
+    "rebuildOrgList replaces the previous list (DEL + RPUSH, in order)",
+    { timeout: 20_000 },
+    async ({ redisOptions }) => {
+      const state = new MollifierStaleSweepState({ redisOptions });
+      try {
+        await state.rebuildOrgList(["org_a", "org_b", "org_c"]);
+        let slice = await state.readOrgListSlice(0, 10);
+        expect(slice.total).toBe(3);
+        expect(slice.orgs).toEqual(["org_a", "org_b", "org_c"]);
+
+        // Replacement, not append.
+        await state.rebuildOrgList(["org_x"]);
+        slice = await state.readOrgListSlice(0, 10);
+        expect(slice.total).toBe(1);
+        expect(slice.orgs).toEqual(["org_x"]);
+
+        // Empty rebuild leaves the list empty (DEL fires, no RPUSH).
+        await state.rebuildOrgList([]);
+        slice = await state.readOrgListSlice(0, 10);
+        expect(slice.total).toBe(0);
+        expect(slice.orgs).toEqual([]);
+      } finally {
+        await state.close();
+      }
+    },
+  );
+
+  redisTest(
+    "setEnvStaleCount HSETs when count > 0 and HDELs when count === 0",
+    { timeout: 20_000 },
+    async ({ redisOptions }) => {
+      const state = new MollifierStaleSweepState({ redisOptions });
+      try {
+        await state.setEnvStaleCount("env_a", 3);
+        await state.setEnvStaleCount("env_b", 1);
+        let counts = await state.readAllEnvStaleCounts();
+        expect(Object.fromEntries(counts)).toEqual({ env_a: 3, env_b: 1 });
+
+        // Zero clears the field (HDEL), not stores 0.
+        await state.setEnvStaleCount("env_a", 0);
+        counts = await state.readAllEnvStaleCounts();
+        expect(Object.fromEntries(counts)).toEqual({ env_b: 1 });
+        expect(counts.has("env_a")).toBe(false);
+      } finally {
+        await state.close();
+      }
+    },
+  );
+
+  redisTest(
+    "clearAll DELs cursor, org_list, and counts in one call",
+    { timeout: 20_000 },
+    async ({ redisOptions }) => {
+      const state = new MollifierStaleSweepState({ redisOptions });
+      try {
+        await state.writeCursor(7);
+        await state.rebuildOrgList(["org_a", "org_b"]);
+        await state.setEnvStaleCount("env_a", 5);
+
+        await state.clearAll();
+
+        expect(await state.readCursor()).toBe(0);
+        expect((await state.readOrgListSlice(0, 10)).total).toBe(0);
+        expect((await state.readAllEnvStaleCounts()).size).toBe(0);
+      } finally {
+        await state.close();
+      }
+    },
+  );
+});
+
+describe("startStaleSweepInterval — lifecycle", () => {
+  it("stop() waits for an in-flight tick to finish before closing the state", async () => {
+    // Devin's BUG report on PR #3754: `stop()` previously called
+    // `deps.state.close()` immediately after `clearInterval`, but the
+    // `tick` function only checks `stopped` at entry. A tick that was
+    // already past that check would keep making `state.*` Redis calls
+    // against a now-closed ioredis client, throw, get caught by tick's
+    // own try/catch, and log a `mollifier.stale_sweep.failed` warning
+    // for every graceful shutdown.
+    //
+    // The fix tracks the current tick promise so `stop()` can await it
+    // before closing. This test pins that order by gating one of the
+    // tick's state calls on a Deferred — until we resolve it, the tick
+    // can't progress, and `stop()` must hang in the meantime.
+    let resolveGate: () => void = () => {};
+    const gate = new Promise<void>((r) => {
+      resolveGate = r;
+    });
+
+    const callOrder: string[] = [];
+    let closeCalled = false;
+    const state = {
+      readCursor: async () => {
+        callOrder.push("readCursor:start");
+        await gate;
+        callOrder.push("readCursor:end");
+        return 0;
+      },
+      writeCursor: async () => {
+        callOrder.push("writeCursor");
+      },
+      rebuildOrgList: async () => {
+        callOrder.push("rebuildOrgList");
+      },
+      readOrgListSlice: async () => {
+        callOrder.push("readOrgListSlice");
+        // Return zero orgs so the org loop is a no-op — we only care
+        // about ordering of state calls vs close, not the work.
+        return { orgs: [] as string[], total: 0 };
+      },
+      setEnvStaleCount: async () => {
+        callOrder.push("setEnvStaleCount");
+      },
+      readAllEnvStaleCounts: async () => {
+        callOrder.push("readAllEnvStaleCounts");
+        return new Map<string, number>();
+      },
+      markEnvVisited: async () => {
+        callOrder.push("markEnvVisited");
+      },
+      reconcileVisited: async () => {
+        callOrder.push("reconcileVisited");
+      },
+      clearAll: async () => {
+        callOrder.push("clearAll");
+      },
+      close: async () => {
+        callOrder.push("close");
+        closeCalled = true;
+      },
+    };
+
+    const fakeBuffer = {
+      listOrgs: async () => [],
+      listEnvsForOrg: async () => [],
+      listEntriesForEnv: async () => [],
+    } as any;
+
+    const handle = startStaleSweepInterval(
+      {
+        intervalMs: 20,
+        staleThresholdMs: 60_000,
+        maxOrgsPerPass: 10,
+      },
+      {
+        state,
+        getBuffer: () => fakeBuffer,
+        recordStaleEntry: () => {},
+        reportStaleEntrySnapshot: () => {},
+        logger: { warn: () => {} },
+        now: () => Date.now(),
+      },
+    );
+
+    // Wait for the interval to fire one tick. The tick will start, call
+    // readCursor, and then block on `gate`.
+    await new Promise((r) => setTimeout(r, 80));
+    expect(callOrder).toContain("readCursor:start");
+    expect(closeCalled).toBe(false);
+
+    // Call stop() concurrently — its promise MUST NOT resolve while the
+    // tick is still mid-flight.
+    let stopResolved = false;
+    const stopPromise = handle.stop().then(() => {
+      stopResolved = true;
+    });
+    await new Promise((r) => setTimeout(r, 50));
+    expect(stopResolved).toBe(false);
+    expect(closeCalled).toBe(false);
+
+    // Release the gate. The tick can now finish, and only then should
+    // stop() resolve and close the state.
+    resolveGate();
+    await stopPromise;
+    expect(stopResolved).toBe(true);
+    expect(closeCalled).toBe(true);
+
+    // The tick's readCursor:end MUST appear before the close — otherwise
+    // we closed the Redis client out from under an in-flight tick.
+    expect(callOrder.indexOf("readCursor:end")).toBeGreaterThan(-1);
+    expect(callOrder.indexOf("close")).toBeGreaterThan(
+      callOrder.indexOf("readCursor:end"),
+    );
+  });
+});
diff --git a/apps/webapp/test/mollifierSynthesiseFoundRun.test.ts b/apps/webapp/test/mollifierSynthesiseFoundRun.test.ts
new file mode 100644
index 00000000000..4e2d6a61632
--- /dev/null
+++ b/apps/webapp/test/mollifierSynthesiseFoundRun.test.ts
@@ -0,0 +1,216 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+
+import {
+  synthesiseFoundRunFromBuffer,
+  type FoundRun,
+} from "~/presenters/v3/ApiRetrieveRunPresenter.server";
+import type { SyntheticRun } from "~/v3/mollifier/readFallback.server";
+
+const NOW = new Date("2026-05-24T10:00:00Z");
+
+function makeSyntheticRun(overrides: Partial<SyntheticRun> = {}): SyntheticRun {
+  return {
+    id: "run_internal_1",
+    friendlyId: "run_friendly_1",
+    status: "QUEUED",
+    cancelledAt: undefined,
+    cancelReason: undefined,
+    delayUntil: undefined,
+    taskIdentifier: "hello-world",
+    createdAt: NOW,
+    payload: '{"hello":"world"}',
+    payloadType: "application/json",
+    metadata: undefined,
+    metadataType: undefined,
+    seedMetadata: undefined,
+    seedMetadataType: undefined,
+    idempotencyKey: undefined,
+    idempotencyKeyOptions: undefined,
+    isTest: false,
+    depth: 0,
+    ttl: undefined,
+    tags: ["alpha", "beta"],
+    runTags: ["alpha", "beta"],
+    lockedToVersion: undefined,
+    resumeParentOnCompletion: false,
+    parentTaskRunId: undefined,
+    traceId: "trace_1",
+    spanId: "span_1",
+    parentSpanId: undefined,
+    runtimeEnvironmentId: "env_a",
+    engine: "V2",
+    workerQueue: undefined,
+    queue: undefined,
+    concurrencyKey: undefined,
+    machinePreset: undefined,
+    realtimeStreamsVersion: undefined,
+    maxAttempts: undefined,
+    maxDurationInSeconds: undefined,
+    replayedFromTaskRunFriendlyId: undefined,
+    annotations: undefined,
+    traceContext: undefined,
+    scheduleId: undefined,
+    batchId: undefined,
+    parentTaskRunFriendlyId: undefined,
+    rootTaskRunFriendlyId: undefined,
+    ...overrides,
+  };
+}
+
+describe("synthesiseFoundRunFromBuffer", () => {
+  it("populates internal id and friendlyId so downstream logging keys off the cuid", () => {
+    const found: FoundRun = synthesiseFoundRunFromBuffer(makeSyntheticRun());
+    expect(found.id).toBe("run_internal_1");
+    expect(found.friendlyId).toBe("run_friendly_1");
+  });
+
+  it("marks the synth as isBuffered=true so callers like the events route can short-circuit ClickHouse lookups", () => {
+    // The PG path of `findRun` sets `isBuffered: false`; the buffered
+    // path goes through `synthesiseFoundRunFromBuffer` and must set
+    // `isBuffered: true` so consumers (e.g. the events endpoint) can
+    // skip queries that are guaranteed to return empty for buffered
+    // runs without rewriting them around surrogate signals like
+    // `traceId === ""`.
+    const found: FoundRun = synthesiseFoundRunFromBuffer(makeSyntheticRun());
+    expect(found.isBuffered).toBe(true);
+  });
+
+  it("forwards scheduleId from the snapshot so resolveSchedule can hydrate the schedule field", () => {
+    // Regression: scheduleId was previously hardcoded to null, dropping the
+    // schedule metadata for buffered scheduled runs even though the snapshot
+    // carries it (readFallback.server.ts extracts snapshot.scheduleId).
+    const found = synthesiseFoundRunFromBuffer(
+      makeSyntheticRun({ scheduleId: "schedule_internal_42" })
+    );
+    expect(found.scheduleId).toBe("schedule_internal_42");
+  });
+
+  it("leaves scheduleId null when the snapshot has no scheduleId (non-scheduled trigger)", () => {
+    const found = synthesiseFoundRunFromBuffer(makeSyntheticRun());
+    expect(found.scheduleId).toBeNull();
+  });
+
+  it("reconstructs batch.friendlyId from snapshot.batchId so batch-scoped JWTs authorise", () => {
+    // Regression: batch was previously hardcoded to null, so the
+    // route-authorization callbacks (which read run.batch?.friendlyId)
+    // skipped pushing the batch resource — a batch-scoped JWT 403'd on
+    // buffered batched runs.
+    const found = synthesiseFoundRunFromBuffer(
+      // BatchId.toFriendlyId encodes the internal id with a "batch_" prefix.
+      makeSyntheticRun({ batchId: "abcdefghijklmnopqrstuvwx" })
+    );
+    expect(found.batch).not.toBeNull();
+    expect(found.batch!.id).toBe("abcdefghijklmnopqrstuvwx");
+    expect(found.batch!.friendlyId).toMatch(/^batch_/);
+  });
+
+  it("leaves batch null when the snapshot has no batchId (non-batched run)", () => {
+    const found = synthesiseFoundRunFromBuffer(makeSyntheticRun());
+    expect(found.batch).toBeNull();
+  });
+
+  it("defaults workerQueue to '' so createCommonRunStructure coerces region to undefined", () => {
+    // Regression: workerQueue previously defaulted to "main", which fed
+    // through `run.workerQueue || undefined` as the API response's
+    // `region` — advertising a not-yet-assigned region.
+    const found = synthesiseFoundRunFromBuffer(makeSyntheticRun({ workerQueue: undefined }));
+    expect(found.workerQueue).toBe("");
+  });
+
+  it("passes through an explicit workerQueue from the snapshot unchanged", () => {
+    const found = synthesiseFoundRunFromBuffer(
+      makeSyntheticRun({ workerQueue: "us-east-1" })
+    );
+    expect(found.workerQueue).toBe("us-east-1");
+  });
+
+  it("maps buffered FAILED to SYSTEM_FAILURE so the API surfaces the failure", () => {
+    const found = synthesiseFoundRunFromBuffer(
+      makeSyntheticRun({
+        status: "FAILED",
+        error: { code: "GATE_REJECTED", message: "buffer rejected the run" },
+      })
+    );
+    expect(found.status).toBe("SYSTEM_FAILURE");
+    expect(found.error).toEqual({
+      type: "STRING_ERROR",
+      raw: "GATE_REJECTED: buffer rejected the run",
+    });
+  });
+
+  it("maps buffered CANCELED to CANCELED with completedAt populated from cancelledAt", () => {
+    const cancelledAt = new Date("2026-05-24T10:05:00Z");
+    const found = synthesiseFoundRunFromBuffer(
+      makeSyntheticRun({ status: "CANCELED", cancelledAt })
+    );
+    expect(found.status).toBe("CANCELED");
+    expect(found.completedAt).toEqual(cancelledAt);
+  });
+
+  it("maps buffered QUEUED to PENDING with no error and no completedAt", () => {
+    const found = synthesiseFoundRunFromBuffer(makeSyntheticRun({ status: "QUEUED" }));
+    expect(found.status).toBe("PENDING");
+    expect(found.error).toBeNull();
+    expect(found.completedAt).toBeNull();
+  });
+
+  it("passes through a string snapshot.metadata unchanged", () => {
+    const found = synthesiseFoundRunFromBuffer(
+      makeSyntheticRun({ metadata: '{"customer":"acme"}' })
+    );
+    expect(found.metadata).toBe('{"customer":"acme"}');
+  });
+
+  it("defensively coerces a non-string snapshot.metadata to a JSON string instead of dropping it silently", () => {
+    // Production never writes non-string metadata, but if the snapshot
+    // shape drifts we'd rather see the value (with a warn log) than have
+    // it disappear.
+    const found = synthesiseFoundRunFromBuffer(
+      makeSyntheticRun({ metadata: { customer: "acme" } })
+    );
+    expect(found.metadata).toBe('{"customer":"acme"}');
+  });
+
+  it("defaults idempotencyKey / idempotencyKeyOptions to null when absent", () => {
+    const found = synthesiseFoundRunFromBuffer(makeSyntheticRun());
+    expect(found.idempotencyKey).toBeNull();
+    expect(found.idempotencyKeyOptions).toBeNull();
+  });
+
+  it("zeroes execution-state fields that aren't meaningful for a buffered run", () => {
+    const found = synthesiseFoundRunFromBuffer(makeSyntheticRun());
+    expect(found.startedAt).toBeNull();
+    expect(found.attempts).toEqual([]);
+    expect(found.attemptNumber).toBeNull();
+    expect(found.parentTaskRun).toBeNull();
+    expect(found.rootTaskRun).toBeNull();
+    expect(found.childRuns).toEqual([]);
+    expect(found.output).toBeNull();
+    expect(found.costInCents).toBe(0);
+    expect(found.baseCostInCents).toBe(0);
+    expect(found.usageDurationMs).toBe(0);
+  });
+
+  it("forwards runTags from the snapshot tags array", () => {
+    // Use distinct values for `tags` and `runTags` so the assertion
+    // actually pins the mapping. With the fixture's previous
+    // `runTags` default matching the same `["alpha", "beta"]` input,
+    // this test would have passed even if synthesiseFoundRunFromBuffer
+    // accidentally read `runTags` instead of `tags`.
+    const found = synthesiseFoundRunFromBuffer(
+      makeSyntheticRun({
+        tags: ["from-tags"],
+        runTags: ["stale-run-tags"],
+      })
+    );
+    expect(found.runTags).toEqual(["from-tags"]);
+  });
+
+  it("pins engine to V2 and taskEventStore to taskEvent (only valid values for a buffered run)", () => {
+    const found = synthesiseFoundRunFromBuffer(makeSyntheticRun());
+    expect(found.engine).toBe("V2");
+    expect(found.taskEventStore).toBe("taskEvent");
+  });
+});
diff --git a/apps/webapp/test/mollifierSyntheticApiResponses.test.ts b/apps/webapp/test/mollifierSyntheticApiResponses.test.ts
new file mode 100644
index 00000000000..94ee67c8584
--- /dev/null
+++ b/apps/webapp/test/mollifierSyntheticApiResponses.test.ts
@@ -0,0 +1,164 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+
+import {
+  buildSyntheticSpanDetailBody,
+  buildSyntheticTraceBody,
+} from "~/v3/mollifier/syntheticApiResponses.server";
+import type { SyntheticRun } from "~/v3/mollifier/readFallback.server";
+
+const NOW = new Date("2026-05-23T10:00:00Z");
+
+function makeSyntheticRun(overrides: Partial<SyntheticRun> = {}): SyntheticRun {
+  return {
+    id: "run_internal_1",
+    friendlyId: "run_friendly_1",
+    status: "QUEUED",
+    cancelledAt: undefined,
+    cancelReason: undefined,
+    delayUntil: undefined,
+    taskIdentifier: "hello-world",
+    createdAt: NOW,
+    payload: undefined,
+    payloadType: undefined,
+    metadata: undefined,
+    metadataType: undefined,
+    seedMetadata: undefined,
+    seedMetadataType: undefined,
+    idempotencyKey: undefined,
+    idempotencyKeyOptions: undefined,
+    isTest: false,
+    depth: 0,
+    ttl: undefined,
+    tags: [],
+    runTags: [],
+    lockedToVersion: undefined,
+    resumeParentOnCompletion: false,
+    parentTaskRunId: undefined,
+    traceId: "trace_1",
+    spanId: "span_1",
+    parentSpanId: "span_parent",
+    runtimeEnvironmentId: "env_a",
+    engine: "V2",
+    workerQueue: undefined,
+    queue: "task/hello-world",
+    concurrencyKey: undefined,
+    machinePreset: "small-1x",
+    realtimeStreamsVersion: undefined,
+    maxAttempts: undefined,
+    maxDurationInSeconds: undefined,
+    replayedFromTaskRunFriendlyId: undefined,
+    annotations: undefined,
+    traceContext: undefined,
+    scheduleId: undefined,
+    batchId: undefined,
+    parentTaskRunFriendlyId: undefined,
+    rootTaskRunFriendlyId: undefined,
+    ...overrides,
+  };
+}
+
+describe("buildSyntheticSpanDetailBody", () => {
+  it("populates identity fields from the buffered run", () => {
+    const body = buildSyntheticSpanDetailBody(makeSyntheticRun());
+    expect(body.spanId).toBe("span_1");
+    expect(body.parentId).toBe("span_parent");
+    expect(body.runId).toBe("run_friendly_1");
+    expect(body.message).toBe("hello-world");
+    expect(body.level).toBe("TRACE");
+    expect(body.startTime).toEqual(NOW);
+    expect(body.durationMs).toBe(0);
+  });
+
+  it("defaults parentId to null when the buffered run has no parentSpanId", () => {
+    const body = buildSyntheticSpanDetailBody(makeSyntheticRun({ parentSpanId: undefined }));
+    expect(body.parentId).toBeNull();
+  });
+
+  it("defaults message to '' when the buffered run has no taskIdentifier", () => {
+    const body = buildSyntheticSpanDetailBody(
+      makeSyntheticRun({ taskIdentifier: undefined })
+    );
+    expect(body.message).toBe("");
+  });
+
+  it("renders a QUEUED buffered run as a still-partial, non-error, non-cancelled span", () => {
+    const body = buildSyntheticSpanDetailBody(makeSyntheticRun({ status: "QUEUED" }));
+    expect(body.isPartial).toBe(true);
+    expect(body.isError).toBe(false);
+    expect(body.isCancelled).toBe(false);
+  });
+
+  it("renders a CANCELED buffered run as a non-partial, non-error, cancelled span", () => {
+    const body = buildSyntheticSpanDetailBody(makeSyntheticRun({ status: "CANCELED" }));
+    expect(body.isPartial).toBe(false);
+    expect(body.isError).toBe(false);
+    expect(body.isCancelled).toBe(true);
+  });
+
+  it("renders a FAILED buffered run as a non-partial, errored, non-cancelled span", () => {
+    // Regression: a FAILED buffered run used to slip through as
+    // `isPartial: true, isError: false`, telling SDK pollers it was still
+    // executing.
+    const body = buildSyntheticSpanDetailBody(makeSyntheticRun({ status: "FAILED" }));
+    expect(body.isPartial).toBe(false);
+    expect(body.isError).toBe(true);
+    expect(body.isCancelled).toBe(false);
+  });
+});
+
+describe("buildSyntheticTraceBody", () => {
+  it("envelopes the synthesised root span under `trace.rootSpan` with the buffered traceId", () => {
+    const body = buildSyntheticTraceBody(makeSyntheticRun());
+    expect(body.trace.traceId).toBe("trace_1");
+    expect(body.trace.rootSpan.id).toBe("span_1");
+    expect(body.trace.rootSpan.runId).toBe("run_friendly_1");
+    expect(body.trace.rootSpan.children).toEqual([]);
+    expect(body.trace.rootSpan.data.events).toEqual([]);
+  });
+
+  it("falls back to empty strings when traceId / spanId are absent from the snapshot", () => {
+    const body = buildSyntheticTraceBody(
+      makeSyntheticRun({ traceId: undefined, spanId: undefined })
+    );
+    expect(body.trace.traceId).toBe("");
+    expect(body.trace.rootSpan.id).toBe("");
+  });
+
+  it("passes through queueName and machinePreset from the snapshot", () => {
+    const body = buildSyntheticTraceBody(makeSyntheticRun());
+    expect(body.trace.rootSpan.data.queueName).toBe("task/hello-world");
+    expect(body.trace.rootSpan.data.machinePreset).toBe("small-1x");
+  });
+
+  it("defaults taskSlug to undefined when the buffered run has no taskIdentifier", () => {
+    const body = buildSyntheticTraceBody(makeSyntheticRun({ taskIdentifier: undefined }));
+    expect(body.trace.rootSpan.data.taskSlug).toBeUndefined();
+    expect(body.trace.rootSpan.data.message).toBe("");
+  });
+
+  it("renders a QUEUED buffered run as a partial, non-error, non-cancelled root span", () => {
+    const body = buildSyntheticTraceBody(makeSyntheticRun({ status: "QUEUED" }));
+    expect(body.trace.rootSpan.data.isPartial).toBe(true);
+    expect(body.trace.rootSpan.data.isError).toBe(false);
+    expect(body.trace.rootSpan.data.isCancelled).toBe(false);
+  });
+
+  it("renders a CANCELED buffered run as a non-partial, non-error, cancelled root span", () => {
+    const body = buildSyntheticTraceBody(makeSyntheticRun({ status: "CANCELED" }));
+    expect(body.trace.rootSpan.data.isPartial).toBe(false);
+    expect(body.trace.rootSpan.data.isError).toBe(false);
+    expect(body.trace.rootSpan.data.isCancelled).toBe(true);
+  });
+
+  it("renders a FAILED buffered run as a non-partial, errored, non-cancelled root span", () => {
+    // Regression: a FAILED buffered run used to render with
+    // `isPartial: true, isError: false`, masking the failure from SDK
+    // consumers.
+    const body = buildSyntheticTraceBody(makeSyntheticRun({ status: "FAILED" }));
+    expect(body.trace.rootSpan.data.isPartial).toBe(false);
+    expect(body.trace.rootSpan.data.isError).toBe(true);
+    expect(body.trace.rootSpan.data.isCancelled).toBe(false);
+  });
+});
diff --git a/apps/webapp/test/mollifierSyntheticRedirectInfo.test.ts b/apps/webapp/test/mollifierSyntheticRedirectInfo.test.ts
new file mode 100644
index 00000000000..a996b9de693
--- /dev/null
+++ b/apps/webapp/test/mollifierSyntheticRedirectInfo.test.ts
@@ -0,0 +1,197 @@
+import { describe, expect, vi } from "vitest";
+import { redisTest } from "@internal/testcontainers";
+import { MollifierBuffer } from "@trigger.dev/redis-worker";
+
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+
+import { findBufferedRunRedirectInfo } from "~/v3/mollifier/syntheticRedirectInfo.server";
+
+const SNAPSHOT = {
+  spanId: "span_1",
+  environment: {
+    slug: "dev",
+    project: { slug: "hello-world-bN7m" },
+    organization: { slug: "references-6120" },
+  },
+};
+
+function fakePrisma(member: { id: string } | null) {
+  return {
+    orgMember: { findFirst: vi.fn(async () => member) },
+  } as unknown as Parameters<typeof findBufferedRunRedirectInfo>[1]["prismaClient"];
+}
+
+describe("findBufferedRunRedirectInfo (testcontainers)", () => {
+  redisTest("returns slugs + spanId for a real buffer entry when user is a member", async ({ redisOptions }) => {
+    const buffer = new MollifierBuffer({ redisOptions });
+    try {
+      await buffer.accept({
+        runId: "run_real_1",
+        envId: "env_a",
+        orgId: "org_1",
+        payload: JSON.stringify(SNAPSHOT),
+      });
+      const info = await findBufferedRunRedirectInfo(
+        { runFriendlyId: "run_real_1", userId: "user_1" },
+        { getBuffer: () => buffer, prismaClient: fakePrisma({ id: "member_1" }) },
+      );
+      expect(info).toEqual({
+        organizationSlug: "references-6120",
+        projectSlug: "hello-world-bN7m",
+        environmentSlug: "dev",
+        spanId: "span_1",
+      });
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest("returns null when no buffer entry exists for the runId", async ({ redisOptions }) => {
+    const buffer = new MollifierBuffer({ redisOptions });
+    try {
+      const info = await findBufferedRunRedirectInfo(
+        { runFriendlyId: "run_missing", userId: "user_1" },
+        { getBuffer: () => buffer, prismaClient: fakePrisma({ id: "member_1" }) },
+      );
+      expect(info).toBeNull();
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest("returns null when the user is not an org member (default check enforced)", async ({ redisOptions }) => {
+    const buffer = new MollifierBuffer({ redisOptions });
+    try {
+      await buffer.accept({
+        runId: "run_real_2",
+        envId: "env_a",
+        orgId: "org_1",
+        payload: JSON.stringify(SNAPSHOT),
+      });
+      const info = await findBufferedRunRedirectInfo(
+        { runFriendlyId: "run_real_2", userId: "user_other" },
+        { getBuffer: () => buffer, prismaClient: fakePrisma(null) },
+      );
+      expect(info).toBeNull();
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest("skips the org-membership check when skipOrgMembershipCheck is set (admin path)", async ({ redisOptions }) => {
+    const buffer = new MollifierBuffer({ redisOptions });
+    try {
+      await buffer.accept({
+        runId: "run_real_3",
+        envId: "env_a",
+        orgId: "org_1",
+        payload: JSON.stringify(SNAPSHOT),
+      });
+      const findFirst = vi.fn();
+      const info = await findBufferedRunRedirectInfo(
+        { runFriendlyId: "run_real_3", userId: "user_admin", skipOrgMembershipCheck: true },
+        {
+          getBuffer: () => buffer,
+          prismaClient: { orgMember: { findFirst } } as unknown as Parameters<typeof findBufferedRunRedirectInfo>[1]["prismaClient"],
+        },
+      );
+      expect(info?.organizationSlug).toBe("references-6120");
+      expect(findFirst).not.toHaveBeenCalled();
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest("returns null when snapshot is malformed JSON", async ({ redisOptions }) => {
+    const buffer = new MollifierBuffer({ redisOptions });
+    try {
+      await buffer.accept({
+        runId: "run_real_4",
+        envId: "env_a",
+        orgId: "org_1",
+        payload: "{not-json",
+      });
+      const info = await findBufferedRunRedirectInfo(
+        { runFriendlyId: "run_real_4", userId: "user_1" },
+        { getBuffer: () => buffer, prismaClient: fakePrisma({ id: "member_1" }) },
+      );
+      expect(info).toBeNull();
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest("returns null when snapshot lacks org/project slugs", async ({ redisOptions }) => {
+    const buffer = new MollifierBuffer({ redisOptions });
+    try {
+      await buffer.accept({
+        runId: "run_real_5",
+        envId: "env_a",
+        orgId: "org_1",
+        payload: JSON.stringify({ spanId: "s", environment: { slug: "dev" } }),
+      });
+      const info = await findBufferedRunRedirectInfo(
+        { runFriendlyId: "run_real_5", userId: "user_1" },
+        { getBuffer: () => buffer, prismaClient: fakePrisma({ id: "member_1" }) },
+      );
+      expect(info).toBeNull();
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest("returns info with undefined spanId when snapshot has no spanId", async ({ redisOptions }) => {
+    const buffer = new MollifierBuffer({ redisOptions });
+    try {
+      await buffer.accept({
+        runId: "run_real_6",
+        envId: "env_a",
+        orgId: "org_1",
+        payload: JSON.stringify({ environment: SNAPSHOT.environment }),
+      });
+      const info = await findBufferedRunRedirectInfo(
+        { runFriendlyId: "run_real_6", userId: "user_1" },
+        { getBuffer: () => buffer, prismaClient: fakePrisma({ id: "member_1" }) },
+      );
+      expect(info?.spanId).toBeUndefined();
+      expect(info?.environmentSlug).toBe("dev");
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest(
+    "rejects snapshots where a slug is the wrong type (Zod guard, not just typeof)",
+    async ({ redisOptions }) => {
+      // Regression for the pre-Zod implementation: the slug check was
+      // `typeof slug !== "string"` so any string passed, including ones
+      // that should've been rejected on shape grounds. The Zod schema
+      // gives us full structural validation — a `slug: 42` (number)
+      // collapses into the parse-fail branch like any other shape
+      // mismatch and we return null instead of leaking a half-built
+      // redirect URL.
+      const buffer = new MollifierBuffer({ redisOptions });
+      try {
+        await buffer.accept({
+          runId: "run_real_7",
+          envId: "env_a",
+          orgId: "org_1",
+          payload: JSON.stringify({
+            environment: {
+              slug: 42,
+              project: { slug: "p" },
+              organization: { slug: "o" },
+            },
+          }),
+        });
+        const info = await findBufferedRunRedirectInfo(
+          { runFriendlyId: "run_real_7", userId: "user_1" },
+          { getBuffer: () => buffer, prismaClient: fakePrisma({ id: "member_1" }) },
+        );
+        expect(info).toBeNull();
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
diff --git a/apps/webapp/test/mollifierSyntheticReplayTaskRun.test.ts b/apps/webapp/test/mollifierSyntheticReplayTaskRun.test.ts
new file mode 100644
index 00000000000..6df2d92dde4
--- /dev/null
+++ b/apps/webapp/test/mollifierSyntheticReplayTaskRun.test.ts
@@ -0,0 +1,106 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+
+import { buildSyntheticReplayTaskRun } from "~/v3/mollifier/syntheticReplayTaskRun.server";
+import type { SyntheticRun } from "~/v3/mollifier/readFallback.server";
+
+const NOW = new Date("2026-05-21T10:00:00Z");
+
+function makeSyntheticRun(overrides: Partial<SyntheticRun> = {}): SyntheticRun {
+  return {
+    id: "run_internal_1",
+    friendlyId: "run_friendly_1",
+    status: "QUEUED",
+    cancelledAt: undefined,
+    cancelReason: undefined,
+    delayUntil: undefined,
+    taskIdentifier: "hello-world",
+    createdAt: NOW,
+    payload: { message: "hi" },
+    payloadType: "application/json",
+    metadata: undefined,
+    metadataType: undefined,
+    seedMetadata: undefined,
+    seedMetadataType: undefined,
+    idempotencyKey: undefined,
+    idempotencyKeyOptions: undefined,
+    isTest: false,
+    depth: 0,
+    ttl: "10m",
+    tags: [],
+    runTags: [],
+    lockedToVersion: undefined,
+    resumeParentOnCompletion: false,
+    parentTaskRunId: undefined,
+    traceId: "trace_1",
+    spanId: "span_1",
+    parentSpanId: undefined,
+    runtimeEnvironmentId: "env_a",
+    engine: "V2",
+    workerQueue: "worker-queue-1",
+    queue: "task/hello-world",
+    concurrencyKey: undefined,
+    machinePreset: "small-1x",
+    realtimeStreamsVersion: "v1",
+    maxAttempts: 3,
+    maxDurationInSeconds: 3600,
+    replayedFromTaskRunFriendlyId: undefined,
+    annotations: undefined,
+    traceContext: undefined,
+    scheduleId: undefined,
+    batchId: undefined,
+    parentTaskRunFriendlyId: undefined,
+    rootTaskRunFriendlyId: undefined,
+    ...overrides,
+  };
+}
+
+const ENV_ROW = {
+  slug: "dev",
+  project: { slug: "hello-world", organization: { slug: "references" } },
+};
+
+describe("buildSyntheticReplayTaskRun", () => {
+  it("returns the adapted TaskRun shape when traceId and spanId are present", () => {
+    const taskRun = buildSyntheticReplayTaskRun({
+      synthetic: makeSyntheticRun(),
+      envRow: ENV_ROW,
+    });
+    expect(taskRun).not.toBeNull();
+    expect(taskRun!.traceId).toBe("trace_1");
+    expect(taskRun!.spanId).toBe("span_1");
+    expect(taskRun!.project.slug).toBe("hello-world");
+    expect(taskRun!.project.organization.slug).toBe("references");
+    expect(taskRun!.runtimeEnvironment.slug).toBe("dev");
+  });
+
+  it("returns null when the snapshot has no traceId", () => {
+    // ReplayTaskRunService builds `00-${traceId}-${spanId}-01` without
+    // guarding for undefined. Falling through with a missing traceId
+    // would emit `00-undefined-...-01`, an invalid W3C traceparent that
+    // OTel silently drops, breaking the replayed run's trace linkage to
+    // the original. The helper must refuse rather than degrade silently.
+    const taskRun = buildSyntheticReplayTaskRun({
+      synthetic: makeSyntheticRun({ traceId: undefined }),
+      envRow: ENV_ROW,
+    });
+    expect(taskRun).toBeNull();
+  });
+
+  it("returns null when the snapshot has no spanId", () => {
+    const taskRun = buildSyntheticReplayTaskRun({
+      synthetic: makeSyntheticRun({ spanId: undefined }),
+      envRow: ENV_ROW,
+    });
+    expect(taskRun).toBeNull();
+  });
+
+  it("returns null when both traceId and spanId are missing", () => {
+    const taskRun = buildSyntheticReplayTaskRun({
+      synthetic: makeSyntheticRun({ traceId: undefined, spanId: undefined }),
+      envRow: ENV_ROW,
+    });
+    expect(taskRun).toBeNull();
+  });
+});
diff --git a/apps/webapp/test/mollifierSyntheticRunHeader.test.ts b/apps/webapp/test/mollifierSyntheticRunHeader.test.ts
new file mode 100644
index 00000000000..0d9f7c7e13f
--- /dev/null
+++ b/apps/webapp/test/mollifierSyntheticRunHeader.test.ts
@@ -0,0 +1,130 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+
+import { buildSyntheticRunHeader } from "~/v3/mollifier/syntheticRunHeader.server";
+import type { SyntheticRun } from "~/v3/mollifier/readFallback.server";
+
+const NOW = new Date("2026-05-21T10:00:00Z");
+const CANCELLED_AT = new Date("2026-05-21T10:00:30Z");
+
+function makeSyntheticRun(overrides: Partial<SyntheticRun> = {}): SyntheticRun {
+  return {
+    id: "run_internal_1",
+    friendlyId: "run_friendly_1",
+    status: "QUEUED",
+    cancelledAt: undefined,
+    cancelReason: undefined,
+    delayUntil: undefined,
+    taskIdentifier: "hello-world",
+    createdAt: NOW,
+    payload: { message: "hi" },
+    payloadType: "application/json",
+    metadata: undefined,
+    metadataType: undefined,
+    seedMetadata: undefined,
+    seedMetadataType: undefined,
+    idempotencyKey: undefined,
+    idempotencyKeyOptions: undefined,
+    isTest: false,
+    depth: 0,
+    ttl: "10m",
+    tags: [],
+    runTags: [],
+    lockedToVersion: undefined,
+    resumeParentOnCompletion: false,
+    parentTaskRunId: undefined,
+    traceId: "trace_1",
+    spanId: "span_1",
+    parentSpanId: undefined,
+    runtimeEnvironmentId: "env_a",
+    engine: "V2",
+    workerQueue: "worker-queue-1",
+    queue: "task/hello-world",
+    concurrencyKey: undefined,
+    machinePreset: "small-1x",
+    realtimeStreamsVersion: "v1",
+    maxAttempts: 3,
+    maxDurationInSeconds: 3600,
+    replayedFromTaskRunFriendlyId: undefined,
+    annotations: undefined,
+    traceContext: undefined,
+    scheduleId: undefined,
+    batchId: undefined,
+    parentTaskRunFriendlyId: undefined,
+    rootTaskRunFriendlyId: undefined,
+    ...overrides,
+  };
+}
+
+const ENV = {
+  id: "env_a",
+  organizationId: "org_a",
+  type: "DEVELOPMENT" as const,
+  slug: "dev",
+};
+
+describe("buildSyntheticRunHeader", () => {
+  it("returns PENDING / non-final state for a queued buffered run", () => {
+    const header = buildSyntheticRunHeader({ run: makeSyntheticRun(), environment: ENV });
+    expect(header.status).toBe("PENDING");
+    expect(header.isFinished).toBe(false);
+    expect(header.completedAt).toBeNull();
+  });
+
+  it("reflects CANCELED state from the snapshot so the NavBar and Cancel-button gate update before the drainer materialises", () => {
+    const header = buildSyntheticRunHeader({
+      run: makeSyntheticRun({ status: "CANCELED", cancelledAt: CANCELLED_AT }),
+      environment: ENV,
+    });
+    // The Cancel button in route.tsx is gated on `!run.isFinished` and the
+    // status badge reads `run.status`. Both must flip on buffered-cancel
+    // or the user sees a "Pending" badge with a Cancel button on a run
+    // that's already cancelled in the snapshot.
+    expect(header.status).toBe("CANCELED");
+    expect(header.isFinished).toBe(true);
+    expect(header.completedAt).toEqual(CANCELLED_AT);
+  });
+
+  it("populates completedAt for FAILED runs so the route stops live-reloading and renders as completed", () => {
+    // The run-detail route derives `isCompleted` from
+    // `run.completedAt !== null` and gates SSE live-reloading on it
+    // (`route.tsx:459`, `:551`). Leaving completedAt null for FAILED
+    // buffered runs would keep a terminal run live-reloading forever
+    // while the badge already says SYSTEM_FAILURE. Symmetric with
+    // buildSyntheticSpanRun + ApiRetrieveRunPresenter.
+    const header = buildSyntheticRunHeader({
+      run: makeSyntheticRun({ status: "FAILED" }),
+      environment: ENV,
+    });
+    expect(header.status).toBe("SYSTEM_FAILURE");
+    expect(header.isFinished).toBe(true);
+    expect(header.completedAt).toEqual(NOW);
+  });
+
+  it("forwards identity and environment fields from the snapshot", () => {
+    const header = buildSyntheticRunHeader({ run: makeSyntheticRun(), environment: ENV });
+    expect(header.friendlyId).toBe("run_friendly_1");
+    // `id` mirrors RunPresenter.getRun (the PG path) which puts the
+    // internal cuid in this field. SyntheticRun.id is the cuid; the
+    // header must surface it (not the friendlyId).
+    expect(header.id).toBe("run_internal_1");
+    expect(header.traceId).toBe("trace_1");
+    expect(header.spanId).toBe("span_1");
+    expect(header.environment).toMatchObject({
+      id: "env_a",
+      organizationId: "org_a",
+      type: "DEVELOPMENT",
+      slug: "dev",
+    });
+  });
+
+  it("falls back to empty strings when the snapshot has no trace/span ids", () => {
+    const header = buildSyntheticRunHeader({
+      run: makeSyntheticRun({ traceId: undefined, spanId: undefined }),
+      environment: ENV,
+    });
+    expect(header.traceId).toBe("");
+    expect(header.spanId).toBe("");
+  });
+});
diff --git a/apps/webapp/test/mollifierSyntheticSpanRun.test.ts b/apps/webapp/test/mollifierSyntheticSpanRun.test.ts
new file mode 100644
index 00000000000..3a89046e8cb
--- /dev/null
+++ b/apps/webapp/test/mollifierSyntheticSpanRun.test.ts
@@ -0,0 +1,197 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+
+import { buildSyntheticSpanRun } from "~/v3/mollifier/syntheticSpanRun.server";
+import type { SyntheticRun } from "~/v3/mollifier/readFallback.server";
+
+const NOW = new Date("2026-05-21T10:00:00Z");
+
+function makeSyntheticRun(overrides: Partial<SyntheticRun> = {}): SyntheticRun {
+  return {
+    id: "run_internal_1",
+    friendlyId: "run_friendly_1",
+    status: "QUEUED",
+    taskIdentifier: "hello-world",
+    createdAt: NOW,
+    payload: { message: "hi" },
+    payloadType: "application/json",
+    metadata: undefined,
+    metadataType: undefined,
+    seedMetadata: undefined,
+    seedMetadataType: undefined,
+    idempotencyKey: undefined,
+    idempotencyKeyOptions: undefined,
+    isTest: false,
+    depth: 0,
+    ttl: "10m",
+    tags: ["a", "b"],
+    runTags: ["a", "b"],
+    lockedToVersion: undefined,
+    resumeParentOnCompletion: false,
+    parentTaskRunId: undefined,
+    traceId: "trace_1",
+    spanId: "span_1",
+    parentSpanId: undefined,
+    runtimeEnvironmentId: "env_a",
+    engine: "V2",
+    workerQueue: "worker-queue-1",
+    queue: "task/hello-world",
+    concurrencyKey: undefined,
+    machinePreset: "small-1x",
+    realtimeStreamsVersion: "v1",
+    maxAttempts: 3,
+    maxDurationInSeconds: 3600,
+    replayedFromTaskRunFriendlyId: undefined,
+    annotations: undefined,
+    traceContext: undefined,
+    scheduleId: undefined,
+    batchId: undefined,
+    parentTaskRunFriendlyId: undefined,
+    rootTaskRunFriendlyId: undefined,
+    ...overrides,
+  };
+}
+
+const ENV = {
+  id: "env_a",
+  slug: "dev",
+  type: "DEVELOPMENT" as const,
+};
+
+describe("buildSyntheticSpanRun", () => {
+  it("populates the core identity fields from the snapshot", async () => {
+    const synth = await buildSyntheticSpanRun({ run: makeSyntheticRun(), environment: ENV });
+    expect(synth.id).toBe("run_internal_1");
+    expect(synth.friendlyId).toBe("run_friendly_1");
+    expect(synth.taskIdentifier).toBe("hello-world");
+    expect(synth.traceId).toBe("trace_1");
+    expect(synth.spanId).toBe("span_1");
+    expect(synth.environmentId).toBe("env_a");
+    expect(synth.engine).toBe("V2");
+    expect(synth.workerQueue).toBe("worker-queue-1");
+  });
+
+  it("reports PENDING status and the non-final flags", async () => {
+    const synth = await buildSyntheticSpanRun({ run: makeSyntheticRun(), environment: ENV });
+    expect(synth.status).toBe("PENDING");
+    expect(synth.isFinished).toBe(false);
+    expect(synth.isRunning).toBe(false);
+    expect(synth.isError).toBe(false);
+    expect(synth.startedAt).toBeNull();
+    expect(synth.completedAt).toBeNull();
+  });
+
+  it("pretty-prints the JSON payload from the snapshot", async () => {
+    const synth = await buildSyntheticSpanRun({
+      run: makeSyntheticRun({ payload: { message: "hi" }, payloadType: "application/json" }),
+      environment: ENV,
+    });
+    // prettyPrintPacket round-trips JSON with 2-space indent.
+    expect(synth.payload).toContain('"message": "hi"');
+    expect(synth.payloadType).toBe("application/json");
+  });
+
+  it("forwards runTags onto `tags` exactly", async () => {
+    const synth = await buildSyntheticSpanRun({
+      run: makeSyntheticRun({ runTags: ["alpha", "beta"] }),
+      environment: ENV,
+    });
+    expect(synth.tags).toEqual(["alpha", "beta"]);
+  });
+
+  it("classifies the queue name as custom when it does not start with 'task/'", async () => {
+    const taskQueue = await buildSyntheticSpanRun({
+      run: makeSyntheticRun({ queue: "task/hello-world" }),
+      environment: ENV,
+    });
+    expect(taskQueue.queue.isCustomQueue).toBe(false);
+
+    const customQueue = await buildSyntheticSpanRun({
+      run: makeSyntheticRun({ queue: "my-custom" }),
+      environment: ENV,
+    });
+    expect(customQueue.queue.isCustomQueue).toBe(true);
+  });
+
+  it("derives idempotency status from the snapshot key/options", async () => {
+    const withKey = await buildSyntheticSpanRun({
+      run: makeSyntheticRun({ idempotencyKey: "abc", idempotencyKeyOptions: ["scope"] }),
+      environment: ENV,
+    });
+    expect(withKey.idempotencyKey).toBe("abc");
+    expect(withKey.idempotencyKeyStatus).toBe("active");
+
+    const noKey = await buildSyntheticSpanRun({
+      run: makeSyntheticRun({ idempotencyKey: undefined, idempotencyKeyOptions: undefined }),
+      environment: ENV,
+    });
+    expect(noKey.idempotencyKeyStatus).toBeUndefined();
+  });
+
+  it("omits relationships even when parent/root friendlyIds are present, since the snapshot lacks their spanId/taskIdentifier", async () => {
+    const synth = await buildSyntheticSpanRun({
+      run: makeSyntheticRun({
+        parentTaskRunFriendlyId: "run_parent",
+        rootTaskRunFriendlyId: "run_root",
+      }),
+      environment: ENV,
+    });
+    expect(synth.relationships.parent).toBeUndefined();
+    expect(synth.relationships.root).toBeUndefined();
+  });
+
+  it("returns no relationship objects when the snapshot has no parent/root", async () => {
+    const synth = await buildSyntheticSpanRun({
+      run: makeSyntheticRun(),
+      environment: ENV,
+    });
+    expect(synth.relationships.parent).toBeUndefined();
+    expect(synth.relationships.root).toBeUndefined();
+  });
+
+  it("reflects a buffered CANCELED run as a finished, cancelled terminal state", async () => {
+    const synth = await buildSyntheticSpanRun({
+      run: makeSyntheticRun({
+        status: "CANCELED",
+        cancelledAt: NOW,
+        cancelReason: "cancelled by user",
+      }),
+      environment: ENV,
+    });
+    expect(synth.status).toBe("CANCELED");
+    expect(synth.statusReason).toBe("cancelled by user");
+    expect(synth.isFinished).toBe(true);
+    expect(synth.isError).toBe(false);
+    expect(synth.completedAt).toEqual(NOW);
+  });
+
+  it("reflects a buffered FAILED run as a finished, errored SYSTEM_FAILURE", async () => {
+    const synth = await buildSyntheticSpanRun({
+      run: makeSyntheticRun({
+        status: "FAILED",
+        error: { code: "GATE_REJECTED", message: "buffer rejected the run" },
+      }),
+      environment: ENV,
+    });
+    expect(synth.status).toBe("SYSTEM_FAILURE");
+    expect(synth.isFinished).toBe(true);
+    expect(synth.isError).toBe(true);
+    expect(synth.statusReason).toBe("buffer rejected the run");
+    expect(synth.error).toEqual({
+      type: "STRING_ERROR",
+      raw: "GATE_REJECTED: buffer rejected the run",
+    });
+    // PG-resident SYSTEM_FAILURE rows always have completedAt set;
+    // mirror that on the synth path so callers checking
+    // `isFinished && completedAt` don't render a finished run with
+    // no completion timestamp. The buffer entry has no separate
+    // failedAt, so createdAt is the best-available proxy.
+    expect(synth.completedAt).toEqual(NOW);
+  });
+
+  it("flags the synthetic run as 'not cached' since cache lookup did not match it", async () => {
+    const synth = await buildSyntheticSpanRun({ run: makeSyntheticRun(), environment: ENV });
+    expect(synth.isCached).toBe(false);
+  });
+});
diff --git a/apps/webapp/test/mollifierSyntheticTrace.test.ts b/apps/webapp/test/mollifierSyntheticTrace.test.ts
new file mode 100644
index 00000000000..e711eb0ffe2
--- /dev/null
+++ b/apps/webapp/test/mollifierSyntheticTrace.test.ts
@@ -0,0 +1,150 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+
+import { buildSyntheticTraceForBufferedRun } from "~/v3/mollifier/syntheticTrace.server";
+import type { SyntheticRun } from "~/v3/mollifier/readFallback.server";
+
+const NOW = new Date("2026-05-22T10:00:00Z");
+const ONE_MS_IN_NS = 1_000_000;
+
+function makeSyntheticRun(overrides: Partial<SyntheticRun> = {}): SyntheticRun {
+  return {
+    id: "run_internal_1",
+    friendlyId: "run_friendly_1",
+    status: "QUEUED",
+    cancelledAt: undefined,
+    cancelReason: undefined,
+    delayUntil: undefined,
+    taskIdentifier: "hello-world",
+    createdAt: NOW,
+    payload: undefined,
+    payloadType: undefined,
+    metadata: undefined,
+    metadataType: undefined,
+    seedMetadata: undefined,
+    seedMetadataType: undefined,
+    idempotencyKey: undefined,
+    idempotencyKeyOptions: undefined,
+    isTest: false,
+    depth: 0,
+    ttl: undefined,
+    tags: [],
+    runTags: [],
+    lockedToVersion: undefined,
+    resumeParentOnCompletion: false,
+    parentTaskRunId: undefined,
+    traceId: "trace_1",
+    spanId: "span_1",
+    parentSpanId: undefined,
+    runtimeEnvironmentId: "env_a",
+    engine: "V2",
+    workerQueue: undefined,
+    queue: undefined,
+    concurrencyKey: undefined,
+    machinePreset: undefined,
+    realtimeStreamsVersion: undefined,
+    maxAttempts: undefined,
+    maxDurationInSeconds: undefined,
+    replayedFromTaskRunFriendlyId: undefined,
+    annotations: undefined,
+    traceContext: undefined,
+    scheduleId: undefined,
+    batchId: undefined,
+    parentTaskRunFriendlyId: undefined,
+    rootTaskRunFriendlyId: undefined,
+    ...overrides,
+  };
+}
+
+describe("buildSyntheticTraceForBufferedRun", () => {
+  it("populates the synthesised root span from snapshot identity fields", () => {
+    const trace = buildSyntheticTraceForBufferedRun(makeSyntheticRun());
+    expect(trace.events).toHaveLength(1);
+    const root = trace.events[0];
+    expect(root.id).toBe("span_1");
+    expect(root.data.message).toBe("hello-world");
+    expect(root.data.startTime).toEqual(NOW);
+    expect(root.data.isRoot).toBe(true);
+    expect(root.data.offset).toBe(0);
+    expect(root.data.level).toBe("TRACE");
+  });
+
+  it("defaults the span message to 'Task' when the snapshot has no taskIdentifier", () => {
+    const trace = buildSyntheticTraceForBufferedRun(
+      makeSyntheticRun({ taskIdentifier: undefined })
+    );
+    expect(trace.events[0].data.message).toBe("Task");
+  });
+
+  it("falls back to an empty-string span id when the snapshot has no spanId", () => {
+    const trace = buildSyntheticTraceForBufferedRun(
+      makeSyntheticRun({ spanId: undefined })
+    );
+    expect(trace.events[0].id).toBe("");
+    // Empty id still marks as root (it matches the rootId fallback).
+    expect(trace.events[0].data.isRoot).toBe(true);
+  });
+
+  it("renders a QUEUED buffered run as an executing, partial root span", () => {
+    const trace = buildSyntheticTraceForBufferedRun(makeSyntheticRun({ status: "QUEUED" }));
+    expect(trace.rootSpanStatus).toBe("executing");
+    expect(trace.events[0].data.isPartial).toBe(true);
+    expect(trace.events[0].data.isError).toBe(false);
+    expect(trace.events[0].data.isCancelled).toBe(false);
+    // A partial span exposes duration as null (the timeline reads it as
+    // "still running"); see syntheticTrace.server.ts duration mapping.
+    expect(trace.events[0].data.duration).toBeNull();
+  });
+
+  it("renders a CANCELED buffered run as a completed, non-partial cancelled span", () => {
+    const trace = buildSyntheticTraceForBufferedRun(
+      makeSyntheticRun({ status: "CANCELED", cancelledAt: NOW })
+    );
+    expect(trace.rootSpanStatus).toBe("completed");
+    expect(trace.events[0].data.isPartial).toBe(false);
+    expect(trace.events[0].data.isCancelled).toBe(true);
+    expect(trace.events[0].data.isError).toBe(false);
+    // Non-partial: duration is the span's numeric value (0 here), not null.
+    expect(trace.events[0].data.duration).toBe(0);
+  });
+
+  it("renders a FAILED buffered run as a failed, non-partial errored span", () => {
+    const trace = buildSyntheticTraceForBufferedRun(
+      makeSyntheticRun({
+        status: "FAILED",
+        error: { code: "GATE_REJECTED", message: "buffer rejected the run" },
+      })
+    );
+    expect(trace.rootSpanStatus).toBe("failed");
+    expect(trace.events[0].data.isPartial).toBe(false);
+    expect(trace.events[0].data.isError).toBe(true);
+    expect(trace.events[0].data.isCancelled).toBe(false);
+    expect(trace.events[0].data.duration).toBe(0);
+  });
+
+  it("floors the trace duration to a minimum of 1ms (in nanoseconds) so the timeline has a positive extent", () => {
+    const trace = buildSyntheticTraceForBufferedRun(makeSyntheticRun());
+    expect(trace.duration).toBe(ONE_MS_IN_NS);
+  });
+
+  it("reports the buffered createdAt as the trace's rootStartedAt and leaves startedAt null", () => {
+    const trace = buildSyntheticTraceForBufferedRun(makeSyntheticRun());
+    expect(trace.rootStartedAt).toEqual(NOW);
+    expect(trace.startedAt).toBeNull();
+  });
+
+  it("returns no link or override metadata (buffered traces are single-span)", () => {
+    const trace = buildSyntheticTraceForBufferedRun(makeSyntheticRun());
+    expect(trace.linkedRunIdBySpanId).toEqual({});
+    expect(trace.overridesBySpanId).toBeUndefined();
+    expect(trace.queuedDuration).toBeUndefined();
+  });
+
+  it("synthesises an empty timeline and keeps raw span events out of the payload", () => {
+    const trace = buildSyntheticTraceForBufferedRun(makeSyntheticRun());
+    // Raw span events stay server-side (mirrors RunPresenter's payload diet).
+    expect(trace.events[0].data).not.toHaveProperty("events");
+    expect(trace.events[0].data.timelineEvents).toEqual([]);
+  });
+});
diff --git a/apps/webapp/test/mollifierTripEvaluator.test.ts b/apps/webapp/test/mollifierTripEvaluator.test.ts
new file mode 100644
index 00000000000..14ac0cc55bc
--- /dev/null
+++ b/apps/webapp/test/mollifierTripEvaluator.test.ts
@@ -0,0 +1,90 @@
+import { redisTest } from "@internal/testcontainers";
+import { MollifierBuffer } from "@trigger.dev/redis-worker";
+import { describe, expect, vi } from "vitest";
+import { createRealTripEvaluator } from "~/v3/mollifier/mollifierTripEvaluator.server";
+
+vi.setConfig({ testTimeout: 30_000 });
+
+// Use a real MollifierBuffer backed by a Redis testcontainer — repo policy
+// is no mocks for Redis. Per-test envIds keep keys disjoint without explicit
+// cleanup. We close() the buffer in a finally to release the client.
+const inputs = { envId: "env_a", orgId: "org_1", taskId: "t1" } as const;
+
+describe("createRealTripEvaluator", () => {
+  redisTest(
+    "returns divert=false when the sliding window stays under threshold",
+    async ({ redisOptions }) => {
+      const buffer = new MollifierBuffer({ redisOptions });
+      try {
+        const evaluator = createRealTripEvaluator({
+          getBuffer: () => buffer,
+          options: () => ({ windowMs: 1000, threshold: 100, holdMs: 500 }),
+        });
+
+        const decision = await evaluator({ ...inputs, envId: "env_under" });
+        expect(decision).toEqual({ divert: false });
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "returns divert=true with reason per_env_rate once the window trips",
+    async ({ redisOptions }) => {
+      const buffer = new MollifierBuffer({ redisOptions });
+      try {
+        // threshold=2 → the 3rd call within windowMs is the first that trips.
+        const options = { windowMs: 5000, threshold: 2, holdMs: 5000 } as const;
+        const evaluator = createRealTripEvaluator({
+          getBuffer: () => buffer,
+          options: () => options,
+        });
+
+        const envId = "env_trip";
+        await evaluator({ ...inputs, envId });
+        await evaluator({ ...inputs, envId });
+        const decision = await evaluator({ ...inputs, envId });
+
+        expect(decision.divert).toBe(true);
+        if (decision.divert) {
+          expect(decision.reason).toBe("per_env_rate");
+          expect(decision.threshold).toBe(options.threshold);
+          expect(decision.windowMs).toBe(options.windowMs);
+          expect(decision.holdMs).toBe(options.holdMs);
+          expect(decision.count).toBeGreaterThan(options.threshold);
+        }
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest("returns divert=false when getBuffer returns null (fail-open)", async () => {
+    const evaluator = createRealTripEvaluator({
+      getBuffer: () => null,
+      options: () => ({ windowMs: 200, threshold: 100, holdMs: 500 }),
+    });
+
+    const decision = await evaluator(inputs);
+    expect(decision).toEqual({ divert: false });
+  });
+
+  redisTest(
+    "returns divert=false when buffer throws (fail-open)",
+    async ({ redisOptions }) => {
+      const buffer = new MollifierBuffer({ redisOptions });
+      // Closing the client up front means evaluateTrip will throw on the first
+      // Redis command — a real failure mode, not a stub.
+      await buffer.close();
+
+      const evaluator = createRealTripEvaluator({
+        getBuffer: () => buffer,
+        options: () => ({ windowMs: 200, threshold: 100, holdMs: 500 }),
+      });
+
+      const decision = await evaluator(inputs);
+      expect(decision).toEqual({ divert: false });
+    },
+  );
+});
diff --git a/apps/webapp/test/objectStore.test.ts b/apps/webapp/test/objectStore.test.ts
index bbd12d23124..bdfd1f7cfb1 100644
--- a/apps/webapp/test/objectStore.test.ts
+++ b/apps/webapp/test/objectStore.test.ts
@@ -4,13 +4,21 @@ import { type PrismaClient } from "@trigger.dev/database";
 import { afterAll, describe, expect, it, vi } from "vitest";
 import { env } from "~/env.server";
 import { processWaitpointCompletionPacket } from "~/runEngine/concerns/waitpointCompletionPacket.server";
+import { ServiceValidationError } from "~/v3/services/common.server";
+import { normalizeObjectStoreLogicalKeyPathname } from "~/v3/objectStoreClient.server";
 import {
+  assertPacketObjectStoreKeyUnderPrefix,
+  assertSafePacketRelativePath,
   downloadPacketFromObjectStore,
   formatStorageUri,
   generatePresignedRequest,
   generatePresignedUrl,
   hasObjectStoreClient,
+  INVALID_PACKET_STORAGE_PATH,
+  jsonPacketPresignFailure,
+  normalizePacketRelativePath,
   parseStorageUri,
+  resolveSafePacketRelativePath,
   resolveStoreProtocolForPacketPresign,
   uploadPacketToObjectStore,
 } from "~/v3/objectStore.server";
@@ -106,6 +114,182 @@ describe("Object Storage", () => {
     });
   });
 
+  describe("assertSafePacketRelativePath", () => {
+    const expectInvalidPath = (path: string) => {
+      try {
+        assertSafePacketRelativePath(path);
+        expect.unreachable("expected path validation to throw");
+      } catch (error) {
+        expect(error).toBeInstanceOf(ServiceValidationError);
+        expect((error as ServiceValidationError).message).toBe(INVALID_PACKET_STORAGE_PATH);
+        expect((error as ServiceValidationError).status).toBe(400);
+      }
+    };
+
+    it.each([
+      "../file.json",
+      "../../other-env/file.json",
+      "foo/../bar.json",
+      "/absolute/path.json",
+      "foo//bar.json",
+      "foo\\bar.json",
+      ".",
+      "..",
+    ])("rejects unsafe path %s with 400 ServiceValidationError", (path) => {
+      expectInvalidPath(path);
+    });
+
+    it.each([
+      "run/%2e%2e/secret.json",
+      "%2e%2e/secret.json",
+      "%2E%2E/secret.json",
+      "run/%2e./payload.json",
+      "run/%2e%2e",
+      "foo/%2e/bar.json",
+      "foo/%2E/bar.json",
+    ])("rejects percent-encoded traversal %s", (path) => {
+      expectInvalidPath(path);
+    });
+
+    it("allows normal packet paths", () => {
+      expect(() => assertSafePacketRelativePath("run_123/payload.json")).not.toThrow();
+      expect(resolveSafePacketRelativePath("run_123/payload.json")).toBe("run_123/payload.json");
+    });
+
+    it("rejects traversal in protocol-prefixed storage URIs", () => {
+      expect(() => assertSafePacketRelativePath(parseStorageUri("s3://../evil.json").path)).toThrow(
+        ServiceValidationError
+      );
+    });
+  });
+
+  describe("normalizePacketRelativePath", () => {
+    it("collapses redundant segments in safe paths", () => {
+      expect(normalizePacketRelativePath("run/./payload.json")).toBe("run/payload.json");
+    });
+
+    it("collapses encoded parent segments when used without segment decoding (why decode is required)", () => {
+      expect(normalizePacketRelativePath("run/%2e%2e/secret.json")).toBe("secret.json");
+    });
+  });
+
+  describe("double-encoded traversal segments", () => {
+    it("does not decode %252e%252e to .. in URL pathname (stays literal; prefix check still holds)", () => {
+      const path = "%252e%252e/secret.json";
+      expect(() => assertSafePacketRelativePath(path)).not.toThrow();
+
+      const key = `packets/proj_ref/dev/${path}`;
+      const normalized = normalizeObjectStoreLogicalKeyPathname(key);
+      expect(normalized).toBe(`/packets/proj_ref/dev/${path}`);
+      expect(() => assertPacketObjectStoreKeyUnderPrefix(key, "packets/proj_ref/dev")).not.toThrow();
+    });
+  });
+
+  describe("assertPacketObjectStoreKeyUnderPrefix", () => {
+    const prefix = "packets/proj_ref/dev";
+
+    it("accepts keys under the packet prefix after URL normalization", () => {
+      expect(() =>
+        assertPacketObjectStoreKeyUnderPrefix(`${prefix}/run_123/payload.json`, prefix)
+      ).not.toThrow();
+    });
+
+    it("rejects keys whose normalized pathname escapes the packet prefix", () => {
+      const traversalKey = `${prefix}/%2e%2e/secret.json`;
+      const normalized = normalizeObjectStoreLogicalKeyPathname(traversalKey);
+      expect(normalized).toBe("/packets/proj_ref/secret.json");
+
+      expect(() => assertPacketObjectStoreKeyUnderPrefix(traversalKey, prefix)).toThrow(
+        ServiceValidationError
+      );
+    });
+
+    it("rejects env-level traversal via encoded parent segments", () => {
+      const traversalKey = `${prefix}/%2e%2e/secret.json`;
+      expect(normalizeObjectStoreLogicalKeyPathname(traversalKey)).toBe("/packets/proj_ref/secret.json");
+
+      expect(() => assertPacketObjectStoreKeyUnderPrefix(traversalKey, prefix)).toThrow(
+        ServiceValidationError
+      );
+    });
+  });
+
+  describe("normalizeObjectStoreLogicalKeyPathname (Aws4FetchClient behavior)", () => {
+    it("decodes %2e%2e segments into parent directory traversal", () => {
+      const key = "packets/proj_ref/dev/run/%2e%2e/secret.json";
+      expect(normalizeObjectStoreLogicalKeyPathname(key)).toBe(
+        "/packets/proj_ref/dev/secret.json"
+      );
+    });
+  });
+
+  describe("jsonPacketPresignFailure", () => {
+    it("returns 400 for invalid packet path validation failures", async () => {
+      const response = jsonPacketPresignFailure({
+        success: false,
+        error: INVALID_PACKET_STORAGE_PATH,
+        status: 400,
+      });
+      expect(response.status).toBe(400);
+      expect(await response.json()).toEqual({ error: INVALID_PACKET_STORAGE_PATH });
+    });
+
+    it("returns 500 for other presign failures", async () => {
+      const response = jsonPacketPresignFailure({
+        success: false,
+        error: "Object store is not configured for protocol: default",
+      });
+      expect(response.status).toBe(500);
+      expect(await response.json()).toEqual({
+        error: "Failed to generate presigned URL: Object store is not configured for protocol: default",
+      });
+    });
+
+    it("prefixes unprefixed internal errors exactly once (no double prefix)", async () => {
+      const response = jsonPacketPresignFailure({
+        success: false,
+        error: "Access Denied",
+      });
+      const body = await response.json();
+      expect(body).toEqual({ error: "Failed to generate presigned URL: Access Denied" });
+      expect(body.error).not.toMatch(/Failed to generate presigned URL: Failed to generate/);
+    });
+  });
+
+  describe("generatePresignedUrl path validation", () => {
+    it.each([
+      "../file.json",
+      "../../other-env/file.json",
+      "foo/../bar.json",
+      "/absolute/path.json",
+      "run/%2e%2e/secret.json",
+      "%2e%2e/secret.json",
+      "%2E%2E/secret.json",
+    ])(
+      "returns 400 failure for unsafe path %s without calling object store",
+      async (filename) => {
+        const result = await generatePresignedUrl("proj_test", "dev", filename, "PUT");
+        expect(result.success).toBe(false);
+        if (result.success) throw new Error("expected presign to fail");
+        expect(result.error).toBe(INVALID_PACKET_STORAGE_PATH);
+        expect(result.status).toBe(400);
+      }
+    );
+
+    it("allows presign for valid packet paths when object store is not configured", async () => {
+      env.OBJECT_STORE_BASE_URL = undefined;
+      env.OBJECT_STORE_ACCESS_KEY_ID = undefined;
+      env.OBJECT_STORE_SECRET_ACCESS_KEY = undefined;
+      env.OBJECT_STORE_DEFAULT_PROTOCOL = undefined;
+
+      const result = await generatePresignedUrl("proj_test", "dev", "run_123/payload.json", "PUT");
+      expect(result.success).toBe(false);
+      if (result.success) throw new Error("expected presign to fail");
+      expect(result.error).toContain("Object store is not configured");
+      expect(result.status).toBeUndefined();
+    });
+  });
+
   describe("resolveStoreProtocolForPacketPresign", () => {
     afterEach(() => {
       env.OBJECT_STORE_DEFAULT_PROTOCOL = originalEnvObj.OBJECT_STORE_DEFAULT_PROTOCOL;
diff --git a/apps/webapp/test/organizationDataStoresRegistry.test.ts b/apps/webapp/test/organizationDataStoresRegistry.test.ts
new file mode 100644
index 00000000000..9d94e0447fe
--- /dev/null
+++ b/apps/webapp/test/organizationDataStoresRegistry.test.ts
@@ -0,0 +1,230 @@
+import { describe, expect } from "vitest";
+
+vi.mock("~/db.server", () => ({ prisma: {}, $replica: {} }));
+
+import { postgresTest } from "@internal/testcontainers";
+import { OrganizationDataStoresRegistry } from "~/services/dataStores/organizationDataStoresRegistry.server";
+import { ClickhouseConnectionSchema } from "~/services/clickhouse/clickhouseSecretSchemas.server";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+const TEST_URL = "https://default:password@clickhouse.example.com:8443";
+const TEST_URL_2 = "https://default:password@clickhouse2.example.com:8443";
+
+describe("OrganizationDataStoresRegistry", () => {
+  postgresTest("isLoaded is false before loadFromDatabase", async ({ prisma }) => {
+    const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+    expect(registry.isLoaded).toBe(false);
+    expect(registry.get("any-org", "CLICKHOUSE")).toBeNull();
+  });
+
+  postgresTest("isLoaded is true after loadFromDatabase", async ({ prisma }) => {
+    const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+    await registry.loadFromDatabase();
+    expect(registry.isLoaded).toBe(true);
+  });
+
+  postgresTest("isReady resolves after loadFromDatabase", async ({ prisma }) => {
+    const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+    let resolved = false;
+    registry.isReady.then(() => {
+      resolved = true;
+    });
+    await registry.loadFromDatabase();
+    await registry.isReady;
+    expect(resolved).toBe(true);
+  });
+
+  postgresTest("get returns null when no data stores exist", async ({ prisma }) => {
+    const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+    await registry.loadFromDatabase();
+    expect(registry.get("org-1", "CLICKHOUSE")).toBeNull();
+  });
+
+  postgresTest("addDataStore creates a row and stores the secret", async ({ prisma }) => {
+    const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+
+    await registry.addDataStore({
+      key: "test-store",
+      kind: "CLICKHOUSE",
+      organizationIds: ["org-1", "org-2"],
+      config: ClickhouseConnectionSchema.parse({ url: TEST_URL }),
+    });
+
+    const row = await prisma.organizationDataStore.findFirst({ where: { key: "test-store" } });
+    expect(row).not.toBeNull();
+    expect(row?.organizationIds).toEqual(["org-1", "org-2"]);
+    expect(row?.kind).toBe("CLICKHOUSE");
+
+    const secret = await prisma.secretStore.findFirst({
+      where: { key: "data-store:test-store:clickhouse" },
+    });
+    expect(secret).not.toBeNull();
+  });
+
+  postgresTest("loadFromDatabase resolves secrets and makes orgs available via get", async ({ prisma }) => {
+    const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+
+    await registry.addDataStore({
+      key: "hipaa-store",
+      kind: "CLICKHOUSE",
+      organizationIds: ["org-hipaa"],
+      config: ClickhouseConnectionSchema.parse({ url: TEST_URL }),
+    });
+
+    await registry.loadFromDatabase();
+
+    const result = registry.get("org-hipaa", "CLICKHOUSE");
+    expect(result).not.toBeNull();
+    expect(result?.kind).toBe("CLICKHOUSE");
+    expect(result?.url).toBe(TEST_URL);
+  });
+
+  postgresTest("get returns null for orgs not in any data store", async ({ prisma }) => {
+    const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+
+    await registry.addDataStore({
+      key: "partial-store",
+      kind: "CLICKHOUSE",
+      organizationIds: ["org-a"],
+      config: ClickhouseConnectionSchema.parse({ url: TEST_URL }),
+    });
+
+    await registry.loadFromDatabase();
+
+    expect(registry.get("org-a", "CLICKHOUSE")).not.toBeNull();
+    expect(registry.get("org-b", "CLICKHOUSE")).toBeNull();
+  });
+
+  postgresTest("multiple orgs can share the same data store", async ({ prisma }) => {
+    const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+
+    await registry.addDataStore({
+      key: "shared-store",
+      kind: "CLICKHOUSE",
+      organizationIds: ["org-x", "org-y", "org-z"],
+      config: ClickhouseConnectionSchema.parse({ url: TEST_URL }),
+    });
+
+    await registry.loadFromDatabase();
+
+    const x = registry.get("org-x", "CLICKHOUSE");
+    const y = registry.get("org-y", "CLICKHOUSE");
+    const z = registry.get("org-z", "CLICKHOUSE");
+
+    expect(x?.url).toBe(TEST_URL);
+    expect(y?.url).toBe(TEST_URL);
+    expect(z?.url).toBe(TEST_URL);
+  });
+
+  postgresTest(
+    "when an org appears in multiple data stores, first row by id asc wins",
+    async ({ prisma }) => {
+      const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+      const sharedOrg = "org-dup-overlap";
+
+      await registry.addDataStore({
+        key: "dup-overlap-first",
+        kind: "CLICKHOUSE",
+        organizationIds: [sharedOrg],
+        config: ClickhouseConnectionSchema.parse({ url: TEST_URL }),
+      });
+      await registry.addDataStore({
+        key: "dup-overlap-second",
+        kind: "CLICKHOUSE",
+        organizationIds: [sharedOrg],
+        config: ClickhouseConnectionSchema.parse({ url: TEST_URL_2 }),
+      });
+
+      const [winner] = await prisma.organizationDataStore.findMany({
+        where: { key: { in: ["dup-overlap-first", "dup-overlap-second"] } },
+        orderBy: { id: "asc" },
+      });
+      expect(winner).toBeDefined();
+
+      await registry.loadFromDatabase();
+
+      const expectedUrl =
+        winner!.key === "dup-overlap-first" ? TEST_URL : TEST_URL_2;
+      expect(registry.get(sharedOrg, "CLICKHOUSE")?.url).toBe(expectedUrl);
+    }
+  );
+
+  postgresTest("updateDataStore updates organizationIds and rotates the secret", async ({ prisma }) => {
+    const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+
+    await registry.addDataStore({
+      key: "update-store",
+      kind: "CLICKHOUSE",
+      organizationIds: ["org-old"],
+      config: ClickhouseConnectionSchema.parse({ url: TEST_URL }),
+    });
+
+    await registry.updateDataStore({
+      key: "update-store",
+      kind: "CLICKHOUSE",
+      organizationIds: ["org-new-1", "org-new-2"],
+      config: ClickhouseConnectionSchema.parse({ url: TEST_URL_2 }),
+    });
+
+    const row = await prisma.organizationDataStore.findFirst({ where: { key: "update-store" } });
+    expect(row?.organizationIds).toEqual(["org-new-1", "org-new-2"]);
+
+    await registry.loadFromDatabase();
+    expect(registry.get("org-new-1", "CLICKHOUSE")?.url).toBe(TEST_URL_2);
+    expect(registry.get("org-old", "CLICKHOUSE")).toBeNull();
+  });
+
+  postgresTest("reload picks up changes made after initial load", async ({ prisma }) => {
+    const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+    await registry.loadFromDatabase();
+    expect(registry.get("org-reload", "CLICKHOUSE")).toBeNull();
+
+    await registry.addDataStore({
+      key: "reload-store",
+      kind: "CLICKHOUSE",
+      organizationIds: ["org-reload"],
+      config: ClickhouseConnectionSchema.parse({ url: TEST_URL }),
+    });
+
+    expect(registry.get("org-reload", "CLICKHOUSE")).toBeNull();
+
+    await registry.reload();
+    expect(registry.get("org-reload", "CLICKHOUSE")?.url).toBe(TEST_URL);
+  });
+
+  postgresTest("deleteDataStore removes the row and its secret", async ({ prisma }) => {
+    const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+
+    await registry.addDataStore({
+      key: "delete-store",
+      kind: "CLICKHOUSE",
+      organizationIds: ["org-delete"],
+      config: ClickhouseConnectionSchema.parse({ url: TEST_URL }),
+    });
+
+    await registry.deleteDataStore({ key: "delete-store", kind: "CLICKHOUSE" });
+
+    expect(await prisma.organizationDataStore.findFirst({ where: { key: "delete-store" } })).toBeNull();
+    expect(await prisma.secretStore.findFirst({ where: { key: "data-store:delete-store:clickhouse" } })).toBeNull();
+  });
+
+  postgresTest("after delete and reload, org no longer has a data store", async ({ prisma }) => {
+    const registry = new OrganizationDataStoresRegistry(prisma, prisma);
+
+    await registry.addDataStore({
+      key: "ephemeral-store",
+      kind: "CLICKHOUSE",
+      organizationIds: ["org-ephemeral"],
+      config: ClickhouseConnectionSchema.parse({ url: TEST_URL }),
+    });
+
+    await registry.loadFromDatabase();
+    expect(registry.get("org-ephemeral", "CLICKHOUSE")?.url).toBe(TEST_URL);
+
+    await registry.deleteDataStore({ key: "ephemeral-store", kind: "CLICKHOUSE" });
+    await registry.reload();
+
+    expect(registry.get("org-ephemeral", "CLICKHOUSE")).toBeNull();
+  });
+});
diff --git a/apps/webapp/test/otlpUtf16Sanitization.integration.test.ts b/apps/webapp/test/otlpUtf16Sanitization.integration.test.ts
new file mode 100644
index 00000000000..7897ecf73fd
--- /dev/null
+++ b/apps/webapp/test/otlpUtf16Sanitization.integration.test.ts
@@ -0,0 +1,197 @@
+import { clickhouseTest } from "@internal/testcontainers";
+import { describe, expect } from "vitest";
+import {
+  INVALID_UTF16_SENTINEL,
+  isClickHouseJsonParseError,
+  parseRowNumberFromError,
+  sanitizeRows,
+} from "~/v3/eventRepository/sanitizeRowsOnParseError.server";
+
+/**
+ * Integration test that proves the reactive sanitize-and-retry flow works
+ * against a real ClickHouse instance. Boots a CH container (via testcontainers)
+ * and reproduces the prod failure path end-to-end.
+ *
+ * Three contracts are verified:
+ *
+ * 1. **Happy retry path** — insert a row with a lone UTF-16 surrogate, observe
+ *    the parse error, recover via `parseRowNumberFromError` +
+ *    `sanitizeRowsFrom`, retry once, and confirm the row lands with the
+ *    sentinel substituted.
+ *
+ * 2. **Real CH error shape** — confirm `isClickHouseJsonParseError` correctly
+ *    recognises the error string we get back from a real CH (not just synthetic
+ *    test fixtures) and that `parseRowNumberFromError` extracts the right
+ *    integer from the same string.
+ *
+ * 3. **Non-parse errors don't get swallowed** — push a row past the CH per-row
+ *    size cap and confirm the resulting `Size of JSON object ... is extremely
+ *    large` error is NOT misclassified as a JSON parse error by our predicate.
+ */
+
+const HIGH_SURROGATE = "\uD800";
+const LOW_SURROGATE = "\uDC00";
+
+// ClickHouse container boot + image pull on first run can take well past
+// vitest's 5 s default. Match what `internal-packages/clickhouse/vitest.config.ts`
+// uses for its own clickhouseTest specs.
+const INTEGRATION_TIMEOUT_MS = 60_000;
+
+describe("OTel attribute UTF-16 sanitization → ClickHouse insert", () => {
+  clickhouseTest(
+    "lone surrogate is rejected by CH, then sanitized and retried successfully",
+    async ({ clickhouseClient }) => {
+      const table = "trigger_dev_test.utf16_repro";
+
+      await clickhouseClient.command({
+        query: "CREATE DATABASE IF NOT EXISTS trigger_dev_test",
+      });
+      await clickhouseClient.command({ query: `DROP TABLE IF EXISTS ${table}` });
+      await clickhouseClient.command({
+        query: `
+          CREATE TABLE ${table} (
+            id String,
+            attributes JSON
+          ) ENGINE = MergeTree() ORDER BY id
+          SETTINGS allow_experimental_json_type = 1
+        `,
+      });
+
+      const rows = [
+        {
+          id: "row-clean-prefix",
+          attributes: { ai: { prompt: { messages: "valid prompt 1" } } },
+        },
+        {
+          id: "row-poisoned",
+          attributes: {
+            ai: { prompt: { messages: `valid prefix ${HIGH_SURROGATE} broken tail` } },
+          },
+        },
+        {
+          id: "row-clean-suffix",
+          attributes: { ai: { prompt: { messages: "valid prompt 3" } } },
+        },
+      ];
+
+      // --- Contract 1: real CH rejects the raw insert with our recognisable error ---
+      const firstError = await clickhouseClient
+        .insert({
+          table,
+          values: rows,
+          format: "JSONEachRow",
+          clickhouse_settings: { async_insert: 0, input_format_parallel_parsing: 1 },
+        })
+        .then(
+          () => null,
+          (e: unknown) => e as Error
+        );
+
+      expect(firstError, "first insert must be rejected").not.toBeNull();
+      expect(
+        isClickHouseJsonParseError(firstError),
+        "our predicate must recognise the real CH parse error"
+      ).toBe(true);
+      const rowN = parseRowNumberFromError(firstError!.message);
+      expect(rowN, "real CH error must include `at row N`").not.toBeNull();
+      expect(rowN! >= 0).toBe(true);
+
+      // --- Recovery: sanitize the whole batch, retry ---
+      // We don't slice on `rowN` even though we logged it — `at row N`
+      // semantics under parallel parsing aren't stable enough to skip rows.
+      const { rowsTouched, fieldsSanitized } = sanitizeRows(rows);
+      expect(fieldsSanitized, "exactly one field should have been replaced").toBe(1);
+      expect(rowsTouched).toBe(1);
+
+      // Confirm the targeted row was sanitized and the clean ones were left alone.
+      expect(rows[1].attributes.ai.prompt.messages).toBe(INVALID_UTF16_SENTINEL);
+      expect(rows[0].attributes.ai.prompt.messages).toBe("valid prompt 1");
+      expect(rows[2].attributes.ai.prompt.messages).toBe("valid prompt 3");
+
+      // --- Contract 1 (cont'd): retry now lands cleanly ---
+      await clickhouseClient.insert({
+        table,
+        values: rows,
+        format: "JSONEachRow",
+        clickhouse_settings: { async_insert: 0, input_format_parallel_parsing: 1 },
+      });
+
+      const result = await clickhouseClient
+        .query({
+          query: `
+            SELECT id, toJSONString(attributes) AS attributes_text
+            FROM ${table}
+            ORDER BY id
+          `,
+          format: "JSONEachRow",
+        })
+        .then((r) => r.json<{ id: string; attributes_text: string }>());
+
+      expect(result).toHaveLength(3);
+      const byId = Object.fromEntries(result.map((r) => [r.id, r]));
+      expect(byId["row-clean-prefix"].attributes_text).toContain("valid prompt 1");
+      expect(byId["row-clean-suffix"].attributes_text).toContain("valid prompt 3");
+      expect(byId["row-poisoned"].attributes_text).toContain(INVALID_UTF16_SENTINEL);
+
+      // --- Contract 2: lone LOW surrogate also recognised + recoverable ---
+      const lowSurrogateRow = {
+        id: "row-low-surrogate",
+        attributes: {
+          ai: { prompt: { messages: `valid prefix ${LOW_SURROGATE} broken tail` } },
+        },
+      };
+      const lowSurrogateError = await clickhouseClient
+        .insert({
+          table,
+          values: [lowSurrogateRow],
+          format: "JSONEachRow",
+          clickhouse_settings: { async_insert: 0, input_format_parallel_parsing: 1 },
+        })
+        .then(
+          () => null,
+          (e: unknown) => e as Error
+        );
+      expect(lowSurrogateError).not.toBeNull();
+      expect(isClickHouseJsonParseError(lowSurrogateError)).toBe(true);
+
+      sanitizeRows([lowSurrogateRow]);
+      expect(lowSurrogateRow.attributes.ai.prompt.messages).toBe(INVALID_UTF16_SENTINEL);
+
+      await clickhouseClient.insert({
+        table,
+        values: [lowSurrogateRow],
+        format: "JSONEachRow",
+        clickhouse_settings: { async_insert: 0, input_format_parallel_parsing: 1 },
+      });
+    },
+    INTEGRATION_TIMEOUT_MS
+  );
+
+  clickhouseTest(
+    "non-parse-error rejections (e.g. missing table) are NOT misclassified as JSON parse errors",
+    async ({ clickhouseClient }) => {
+      // Pick an error class that is unambiguously NOT a JSON parse failure —
+      // inserting into a table that doesn't exist. CH returns
+      // `Table doesn't exist` (UNKNOWN_TABLE). If our predicate ever started
+      // matching it we'd wastefully sanitize-and-retry an unrelated failure.
+      const error = await clickhouseClient
+        .insert({
+          table: "trigger_dev_test_nonexistent.utf16_does_not_exist",
+          values: [{ id: "1", attributes: { ok: "yes" } }],
+          format: "JSONEachRow",
+          clickhouse_settings: { async_insert: 0 },
+        })
+        .then(
+          () => null,
+          (e: unknown) => e as Error
+        );
+
+      expect(error, "missing-table insert should be rejected").not.toBeNull();
+      expect(
+        isClickHouseJsonParseError(error),
+        "non-parse error must not be misclassified as JSON parse error"
+      ).toBe(false);
+    },
+    INTEGRATION_TIMEOUT_MS
+  );
+});
diff --git a/apps/webapp/test/presenters/mapRunToLiveFields.test.ts b/apps/webapp/test/presenters/mapRunToLiveFields.test.ts
new file mode 100644
index 00000000000..954b502c18e
--- /dev/null
+++ b/apps/webapp/test/presenters/mapRunToLiveFields.test.ts
@@ -0,0 +1,79 @@
+import { describe, expect, it } from "vitest";
+import { mapRunToLiveFields } from "~/presenters/v3/mapRunToLiveFields.server";
+
+describe("mapRunToLiveFields", () => {
+  it("maps an executing run with lockedAt fallback and non-final flags", () => {
+    const updatedAt = new Date("2026-05-07T10:00:00.000Z");
+    const lockedAt = new Date("2026-05-07T09:59:50.000Z");
+
+    const result = mapRunToLiveFields({
+      friendlyId: "run_123",
+      status: "EXECUTING",
+      updatedAt,
+      startedAt: null,
+      lockedAt,
+      completedAt: null,
+      usageDurationMs: BigInt(2500),
+      costInCents: 10,
+      baseCostInCents: 5,
+    });
+
+    expect(result).toEqual({
+      friendlyId: "run_123",
+      status: "EXECUTING",
+      updatedAt: updatedAt.toISOString(),
+      startedAt: lockedAt.toISOString(),
+      finishedAt: undefined,
+      hasFinished: false,
+      isCancellable: true,
+      isPending: false,
+      usageDurationMs: 2500,
+      costInCents: 10,
+      baseCostInCents: 5,
+    });
+  });
+
+  it("maps a final run and prefers completedAt for finishedAt", () => {
+    const updatedAt = new Date("2026-05-07T10:00:00.000Z");
+    const startedAt = new Date("2026-05-07T09:59:00.000Z");
+    const completedAt = new Date("2026-05-07T09:59:30.000Z");
+
+    const result = mapRunToLiveFields({
+      friendlyId: "run_456",
+      status: "COMPLETED_SUCCESSFULLY",
+      updatedAt,
+      startedAt,
+      lockedAt: null,
+      completedAt,
+      usageDurationMs: 1200,
+      costInCents: 20,
+      baseCostInCents: 7,
+    });
+
+    expect(result.finishedAt).toBe(completedAt.toISOString());
+    expect(result.startedAt).toBe(startedAt.toISOString());
+    expect(result.hasFinished).toBe(true);
+    expect(result.isCancellable).toBe(false);
+  });
+
+  it("falls back to updatedAt when a final run has no completedAt", () => {
+    const updatedAt = new Date("2026-05-07T10:00:00.000Z");
+
+    const result = mapRunToLiveFields({
+      friendlyId: "run_789",
+      status: "CRASHED",
+      updatedAt,
+      startedAt: null,
+      lockedAt: null,
+      completedAt: null,
+      usageDurationMs: 0,
+      costInCents: 0,
+      baseCostInCents: 0,
+    });
+
+    expect(result.finishedAt).toBe(updatedAt.toISOString());
+    expect(result.hasFinished).toBe(true);
+    expect(result.isPending).toBe(false);
+    expect(result.isCancellable).toBe(false);
+  });
+});
diff --git a/apps/webapp/test/prismaErrors.test.ts b/apps/webapp/test/prismaErrors.test.ts
new file mode 100644
index 00000000000..48af6c829c7
--- /dev/null
+++ b/apps/webapp/test/prismaErrors.test.ts
@@ -0,0 +1,32 @@
+import { describe, expect, it } from "vitest";
+import { Prisma } from "@trigger.dev/database";
+import { isInfrastructureError } from "../app/utils/prismaErrors.js";
+
+describe("isInfrastructureError", () => {
+  it("treats a P1001 'can't reach database server' (KnownRequestError) as infrastructure", () => {
+    // Prisma 6.x reports P1001 as a PrismaClientKnownRequestError with code P1001 —
+    // this is the exact production shape that leaked the RDS hostname to a customer.
+    const err = new Prisma.PrismaClientKnownRequestError(
+      "Invalid `prisma.project.findFirst()` invocation: Can't reach database server at host:5432",
+      { code: "P1001", clientVersion: "6.14.0" }
+    );
+    expect(isInfrastructureError(err)).toBe(true);
+  });
+
+  it("treats a PrismaClientInitializationError as infrastructure", () => {
+    const err = new Prisma.PrismaClientInitializationError("init failed", "6.14.0");
+    expect(isInfrastructureError(err)).toBe(true);
+  });
+
+  it("does NOT treat a query/validation error (P2002 unique constraint) as infrastructure", () => {
+    const err = new Prisma.PrismaClientKnownRequestError("Unique constraint failed", {
+      code: "P2002",
+      clientVersion: "6.14.0",
+    });
+    expect(isInfrastructureError(err)).toBe(false);
+  });
+
+  it("does NOT treat a plain domain Error as infrastructure", () => {
+    expect(isInfrastructureError(new Error("Project not found."))).toBe(false);
+  });
+});
diff --git a/apps/webapp/test/realtime/boundedTtlCache.test.ts b/apps/webapp/test/realtime/boundedTtlCache.test.ts
new file mode 100644
index 00000000000..a3fb0b1e425
--- /dev/null
+++ b/apps/webapp/test/realtime/boundedTtlCache.test.ts
@@ -0,0 +1,52 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { BoundedTtlCache } from "~/services/realtime/boundedTtlCache";
+
+describe("BoundedTtlCache", () => {
+  afterEach(() => {
+    vi.useRealTimers();
+  });
+
+  it("returns a live entry within its TTL", () => {
+    vi.useFakeTimers();
+    const cache = new BoundedTtlCache<string>(1_000, 100);
+    cache.set("k", "v");
+    vi.advanceTimersByTime(500);
+    expect(cache.get("k")).toBe("v");
+    expect(cache.size).toBe(1);
+  });
+
+  it("evicts an expired entry on read instead of letting it linger", () => {
+    vi.useFakeTimers();
+    const cache = new BoundedTtlCache<number>(1_000, 100);
+    cache.set("a", 1);
+    expect(cache.size).toBe(1);
+
+    vi.advanceTimersByTime(1_001);
+    expect(cache.get("a")).toBeUndefined();
+    // The previous bug left expired entries in the map until an at-capacity sweep;
+    // they must now be removed on read.
+    expect(cache.size).toBe(0);
+  });
+
+  it("does not evict another entry when updating an existing key at capacity", () => {
+    const cache = new BoundedTtlCache<number>(60_000, 2);
+    cache.set("a", 1);
+    cache.set("b", 2);
+    // Updating an existing key doesn't grow the map, so it must not drop "b".
+    cache.set("a", 11);
+    expect(cache.get("a")).toBe(11);
+    expect(cache.get("b")).toBe(2);
+    expect(cache.size).toBe(2);
+  });
+
+  it("drops the oldest entry when full of still-live entries", () => {
+    const cache = new BoundedTtlCache<number>(60_000, 2);
+    cache.set("a", 1);
+    cache.set("b", 2);
+    cache.set("c", 3); // over capacity, none expired -> evict oldest insertion (a)
+    expect(cache.get("a")).toBeUndefined();
+    expect(cache.get("b")).toBe(2);
+    expect(cache.get("c")).toBe(3);
+    expect(cache.size).toBe(2);
+  });
+});
diff --git a/apps/webapp/test/realtime/electricStreamProtocol.test.ts b/apps/webapp/test/realtime/electricStreamProtocol.test.ts
new file mode 100644
index 00000000000..a48f4f9f8e8
--- /dev/null
+++ b/apps/webapp/test/realtime/electricStreamProtocol.test.ts
@@ -0,0 +1,304 @@
+import { SubscribeRunRawShape } from "@trigger.dev/core/v3/schemas";
+import { describe, expect, it } from "vitest";
+import {
+  buildElectricSchemaHeader,
+  buildRowsBody,
+  buildSnapshotBody,
+  buildUpdateBody,
+  buildUpToDateBody,
+  encodeOffset,
+  parseOffsetUpdatedAtMs,
+  type RealtimeRunRow,
+  rewriteBodyForLegacyApiVersion,
+  serializeRunRow,
+} from "~/services/realtime/electricStreamProtocol.server";
+
+function sampleRow(overrides: Partial<RealtimeRunRow> = {}): RealtimeRunRow {
+  return {
+    id: "run_abc123",
+    taskIdentifier: "my-task",
+    createdAt: new Date("2026-06-06T10:00:00.000Z"),
+    updatedAt: new Date("2026-06-06T10:05:30.123Z"),
+    startedAt: new Date("2026-06-06T10:01:00.000Z"),
+    delayUntil: null,
+    queuedAt: new Date("2026-06-06T10:00:30.000Z"),
+    expiredAt: null,
+    completedAt: null,
+    friendlyId: "run_friendly_abc",
+    number: 42,
+    isTest: true,
+    status: "EXECUTING",
+    usageDurationMs: 1234,
+    costInCents: 0.55,
+    baseCostInCents: 0.25,
+    ttl: "1h",
+    payload: '{"hello":"world"}',
+    payloadType: "application/json",
+    metadata: '{"step":1}',
+    metadataType: "application/json",
+    output: null,
+    outputType: "application/json",
+    runTags: ["user:123", "env:prod"],
+    error: null,
+    realtimeStreams: [],
+    ...overrides,
+  };
+}
+
+/**
+ * Faithful re-implementation of the @electric-sql/client value parser rules
+ * (defaultParser + pgArrayParser), so we can decode our wire `value` object the
+ * same way the deployed client would, then validate against the real SDK schema.
+ * Source: @electric-sql/client@1.0.14 src/parser.ts.
+ */
+function electricParse(
+  value: Record<string, string | null>,
+  schema: Record<string, { type: string; dims?: number }>
+): Record<string, unknown> {
+  const out: Record<string, unknown> = {};
+  for (const [key, raw] of Object.entries(value)) {
+    if (raw === null) {
+      out[key] = null;
+      continue;
+    }
+    const info = schema[key];
+    if (!info) {
+      out[key] = raw;
+      continue;
+    }
+    if (info.dims && info.dims > 0) {
+      out[key] = parsePgTextArray(raw);
+      continue;
+    }
+    switch (info.type) {
+      case "bool":
+        out[key] = raw === "t" || raw === "true";
+        break;
+      case "int8":
+        out[key] = BigInt(raw);
+        break;
+      case "int2":
+      case "int4":
+      case "float4":
+      case "float8":
+        out[key] = Number(raw);
+        break;
+      case "json":
+      case "jsonb":
+        out[key] = JSON.parse(raw);
+        break;
+      default:
+        out[key] = raw; // text/timestamp pass through as strings
+    }
+  }
+  return out;
+}
+
+function parsePgTextArray(literal: string): string[] {
+  if (literal === "{}") {
+    return [];
+  }
+  const inner = literal.slice(1, -1);
+  const result: string[] = [];
+  let i = 0;
+  while (i < inner.length) {
+    if (inner[i] === '"') {
+      i++;
+      let s = "";
+      while (i < inner.length && inner[i] !== '"') {
+        if (inner[i] === "\\") {
+          i++;
+        }
+        s += inner[i];
+        i++;
+      }
+      result.push(s);
+      i++; // closing quote
+      if (inner[i] === ",") i++;
+    } else {
+      let s = "";
+      while (i < inner.length && inner[i] !== ",") {
+        s += inner[i];
+        i++;
+      }
+      result.push(s);
+      if (inner[i] === ",") i++;
+    }
+  }
+  return result;
+}
+
+describe("electricStreamProtocol serializer", () => {
+  it("encodes each Postgres type the way the Electric client expects", () => {
+    const value = serializeRunRow(sampleRow());
+
+    // text: passed through as-is
+    expect(value.id).toBe("run_abc123");
+    expect(value.status).toBe("EXECUTING");
+    expect(value.payload).toBe('{"hello":"world"}');
+
+    // int/float: stringified
+    expect(value.number).toBe("42");
+    expect(value.usageDurationMs).toBe("1234");
+    expect(value.costInCents).toBe("0.55");
+
+    // bool: postgres "t"/"f"
+    expect(value.isTest).toBe("t");
+
+    // timestamp: ISO without trailing Z (the SDK appends Z before parsing)
+    expect(value.updatedAt).toBe("2026-06-06T10:05:30.123");
+    expect(value.createdAt).toBe("2026-06-06T10:00:00.000");
+
+    // nullable timestamp: null stays null
+    expect(value.delayUntil).toBeNull();
+    expect(value.completedAt).toBeNull();
+
+    // text[]: quoted pg array literal; empty realtimeStreams (@default([])) => {}
+    expect(value.runTags).toBe('{"user:123","env:prod"}');
+    expect(value.realtimeStreams).toBe("{}");
+
+    // jsonb: null stays null
+    expect(value.error).toBeNull();
+  });
+
+  it("encodes an empty no-default array column (runTags) as null, matching Electric", () => {
+    // runTags has no Postgres default, so an empty value is stored as SQL NULL and
+    // Electric emits `null` (not `{}`). realtimeStreams has @default([]), so its
+    // empty value is `{}`. Prisma hands us `[]` for both; we re-derive the wire form.
+    const value = serializeRunRow(sampleRow({ runTags: [], realtimeStreams: [] }));
+    expect(value.runTags).toBeNull();
+    expect(value.realtimeStreams).toBe("{}");
+  });
+
+  it("encodes jsonb error as a JSON string", () => {
+    const value = serializeRunRow(sampleRow({ error: { type: "STRING_ERROR", raw: "boom" } }));
+    expect(value.error).toBe('{"type":"STRING_ERROR","raw":"boom"}');
+  });
+
+  it("round-trips through the client parser into a valid SubscribeRunRawShape", () => {
+    const row = sampleRow({ error: { type: "STRING_ERROR", raw: "boom" } });
+    const value = serializeRunRow(row);
+    const schema = JSON.parse(buildElectricSchemaHeader());
+
+    const decoded = electricParse(value, schema);
+    const parsed = SubscribeRunRawShape.parse(decoded);
+
+    expect(parsed.id).toBe("run_abc123");
+    expect(parsed.friendlyId).toBe("run_friendly_abc");
+    expect(parsed.status).toBe("EXECUTING");
+    expect(parsed.number).toBe(42);
+    expect(parsed.isTest).toBe(true);
+    expect(parsed.usageDurationMs).toBe(1234);
+    expect(parsed.costInCents).toBeCloseTo(0.55);
+    expect(parsed.runTags).toEqual(["user:123", "env:prod"]);
+    expect(parsed.realtimeStreams).toEqual([]);
+    // RawShapeDate appends "Z" and coerces to a Date equal to the source instant.
+    expect(parsed.createdAt.toISOString()).toBe("2026-06-06T10:00:00.000Z");
+    expect(parsed.updatedAt.toISOString()).toBe("2026-06-06T10:05:30.123Z");
+    expect(parsed.startedAt?.toISOString()).toBe("2026-06-06T10:01:00.000Z");
+    expect(parsed.delayUntil ?? null).toBeNull();
+    expect(parsed.error).toEqual({ type: "STRING_ERROR", raw: "boom" });
+  });
+
+  it("honors skipColumns (but never the reserved columns)", () => {
+    const value = serializeRunRow(sampleRow(), ["payload", "output", "id", "status"]);
+    expect(value.payload).toBeUndefined();
+    expect(value.output).toBeUndefined();
+    // reserved columns can't be skipped
+    expect(value.id).toBe("run_abc123");
+    expect(value.status).toBe("EXECUTING");
+
+    const schema = JSON.parse(buildElectricSchemaHeader(["payload"]));
+    expect(schema.payload).toBeUndefined();
+    expect(schema.status).toBeDefined();
+  });
+});
+
+describe("electricStreamProtocol message bodies", () => {
+  it("emits insert + up-to-date for an initial snapshot", () => {
+    const messages = JSON.parse(buildSnapshotBody(sampleRow()));
+    expect(messages).toHaveLength(2);
+    expect(messages[0].headers.operation).toBe("insert");
+    expect(messages[0].key).toBe('"public"."TaskRun"/"run_abc123"');
+    expect(messages[0].value.status).toBe("EXECUTING");
+    expect(messages[1].headers.control).toBe("up-to-date");
+  });
+
+  it("emits a bare up-to-date for an empty (missing) run snapshot", () => {
+    const messages = JSON.parse(buildSnapshotBody(null));
+    expect(messages).toHaveLength(1);
+    expect(messages[0].headers.control).toBe("up-to-date");
+  });
+
+  it("emits update + up-to-date for a live change", () => {
+    const messages = JSON.parse(buildUpdateBody(sampleRow()));
+    expect(messages[0].headers.operation).toBe("update");
+    expect(messages[1].headers.control).toBe("up-to-date");
+  });
+
+  it("emits a bare up-to-date when nothing advanced", () => {
+    const messages = JSON.parse(buildUpToDateBody());
+    expect(messages).toEqual([{ headers: { control: "up-to-date" } }]);
+  });
+
+  it("uses the same merge key across insert and update so the client merges by row", () => {
+    const insert = JSON.parse(buildSnapshotBody(sampleRow()))[0];
+    const update = JSON.parse(buildUpdateBody(sampleRow()))[0];
+    expect(insert.key).toBe(update.key);
+  });
+});
+
+describe("electricStreamProtocol multi-row (tag-list) bodies", () => {
+  it("emits one change message per row with per-row operation, then up-to-date", () => {
+    const a = sampleRow({ id: "run_a" });
+    const b = sampleRow({ id: "run_b", status: "QUEUED" });
+    const messages = JSON.parse(
+      buildRowsBody([
+        { row: a, operation: "insert" },
+        { row: b, operation: "update" },
+      ])
+    );
+    expect(messages).toHaveLength(3);
+    expect(messages[0].headers.operation).toBe("insert");
+    expect(messages[0].key).toBe('"public"."TaskRun"/"run_a"');
+    expect(messages[1].headers.operation).toBe("update");
+    expect(messages[1].key).toBe('"public"."TaskRun"/"run_b"');
+    expect(messages[1].value.status).toBe("QUEUED");
+    expect(messages[2].headers.control).toBe("up-to-date");
+  });
+
+  it("emits a bare up-to-date for an empty change set", () => {
+    const messages = JSON.parse(buildRowsBody([]));
+    expect(messages).toEqual([{ headers: { control: "up-to-date" } }]);
+  });
+
+  it("honors skipColumns across all rows", () => {
+    const messages = JSON.parse(
+      buildRowsBody([{ row: sampleRow(), operation: "insert" }], ["payload"])
+    );
+    expect(messages[0].value.payload).toBeUndefined();
+    expect(messages[0].value.status).toBe("EXECUTING");
+  });
+});
+
+describe("electricStreamProtocol tokens + legacy rewrite", () => {
+  it("encodes and parses the offset updatedAt segment", () => {
+    const offset = encodeOffset(1717667130123, 7);
+    expect(offset).toBe("1717667130123_7");
+    expect(parseOffsetUpdatedAtMs(offset)).toBe(1717667130123);
+  });
+
+  it("treats the initial offset (-1) and garbage as zero", () => {
+    expect(parseOffsetUpdatedAtMs("-1")).toBe(0);
+    expect(parseOffsetUpdatedAtMs(null)).toBe(0);
+    expect(parseOffsetUpdatedAtMs("nonsense")).toBe(0);
+  });
+
+  it("rewrites DEQUEUED to EXECUTING for legacy API versions", () => {
+    const body = buildUpdateBody(sampleRow({ status: "DEQUEUED" }));
+    expect(body).toContain('"status":"DEQUEUED"');
+    const rewritten = rewriteBodyForLegacyApiVersion(body);
+    expect(rewritten).not.toContain('"status":"DEQUEUED"');
+    expect(rewritten).toContain('"status":"EXECUTING"');
+  });
+});
diff --git a/apps/webapp/test/realtime/envChangeRouter.test.ts b/apps/webapp/test/realtime/envChangeRouter.test.ts
new file mode 100644
index 00000000000..022b5827cd6
--- /dev/null
+++ b/apps/webapp/test/realtime/envChangeRouter.test.ts
@@ -0,0 +1,550 @@
+import { describe, expect, it, vi } from "vitest";
+import {
+  EnvChangeRouter,
+  type EnvChangeSource,
+  type RowHydrator,
+} from "~/services/realtime/envChangeRouter.server";
+import { type ChangeRecord } from "~/services/realtime/runChangeNotifier.server";
+import { type RealtimeRunRow } from "~/services/realtime/electricStreamProtocol.server";
+
+const FLOOR_MS = Date.UTC(2026, 5, 7, 12, 0, 0);
+
+function row(
+  id: string,
+  opts: { tags?: string[]; createdAtMs?: number; updatedAtMs?: number } = {}
+): RealtimeRunRow {
+  return {
+    id,
+    runTags: opts.tags ?? [],
+    createdAt: new Date(opts.createdAtMs ?? FLOOR_MS + 1_000),
+    updatedAt: new Date(opts.updatedAtMs ?? FLOOR_MS + 5_000),
+  } as unknown as RealtimeRunRow;
+}
+
+function record(runId: string, extra: Partial<ChangeRecord> = {}): ChangeRecord {
+  return { v: 1, runId, envId: "env_1", ...extra };
+}
+
+/** A controllable EnvChangeSource: tests push batches to the env's listener. */
+function fakeSource() {
+  const listeners = new Map<string, Set<(records: ChangeRecord[]) => void>>();
+  const source: EnvChangeSource = {
+    subscribeToEnv(envId, onBatch) {
+      let set = listeners.get(envId);
+      if (!set) {
+        set = new Set();
+        listeners.set(envId, set);
+      }
+      set.add(onBatch);
+      return () => {
+        listeners.get(envId)?.delete(onBatch);
+      };
+    },
+  };
+  return {
+    source,
+    push(envId: string, records: ChangeRecord[]) {
+      for (const l of listeners.get(envId) ?? []) l(records);
+    },
+    isSubscribed(envId: string) {
+      return (listeners.get(envId)?.size ?? 0) > 0;
+    },
+  };
+}
+
+function makeRouter(
+  rowsById: Map<string, RealtimeRunRow> = new Map(),
+  options: Record<string, unknown> = {}
+) {
+  const src = fakeSource();
+  const hydrateSpy = vi.fn<RowHydrator["hydrateByIds"]>(async (_env, ids) =>
+    ids.map((id) => rowsById.get(id)).filter((r): r is RealtimeRunRow => Boolean(r))
+  );
+  const router = new EnvChangeRouter({
+    source: src.source,
+    hydrator: { hydrateByIds: hydrateSpy },
+    ...options,
+  });
+  return { router, src, hydrateSpy };
+}
+
+describe("EnvChangeRouter", () => {
+  it("routes a tag match to the feed (hydrated + serialized) and ignores non-matches", async () => {
+    const rows = new Map([["r1", row("r1", { tags: ["a"] })]]);
+    const { router, src, hydrateSpy } = makeRouter(rows);
+    const reg = router.register("env_1", { kind: "tag", tags: ["a"] }, []);
+    const wait = reg.waitForMatch(undefined, 1_000);
+
+    // A non-matching tag is dropped (no wake); a matching tag wakes with the hydrated row.
+    src.push("env_1", [record("rX", { tags: ["b"] }), record("r1", { tags: ["a"] })]);
+
+    const result = await wait;
+    expect(result.reason).toBe("notify");
+    expect(result.rows.map((m) => m.row.id)).toEqual(["r1"]);
+    expect(result.rows[0].value.id).toBe("r1"); // serialized wire value
+    expect(hydrateSpy).toHaveBeenCalledWith("env_1", ["r1"], []);
+    reg.close();
+  });
+
+  it("wakes an unfiltered tag feed (no tags) for every full record, live and via replay", async () => {
+    const rows = new Map([["r1", row("r1", { tags: ["a"] })]]);
+    const { router, src } = makeRouter(rows);
+
+    // Live path: a full record (tags defined) must reach the zero-filter feed even
+    // though it can never appear in the byTag index.
+    const reg = router.register("env_1", { kind: "tag", tags: [] }, []);
+    const wait = reg.waitForMatch(undefined, 1_000);
+    src.push("env_1", [record("r1", { tags: ["a"] })]);
+    const live = await wait;
+    expect(live.reason).toBe("notify");
+    expect(live.rows.map((m) => m.row.id)).toEqual(["r1"]);
+    reg.close();
+
+    // Replay path: the buffered record matches an unfiltered feed registered after the push.
+    const late = router.register("env_1", { kind: "tag", tags: [] }, [], {
+      replaySinceMs: Date.now() - 1_000,
+    });
+    const replayed = await late.waitForMatch(undefined, 1_000);
+    expect(replayed.reason).toBe("notify");
+    expect(replayed.rows.map((m) => m.row.id)).toEqual(["r1"]);
+    late.close();
+  });
+
+  it("batch-hydrates ONCE and shares the serialized value across feeds matching the same run", async () => {
+    const rows = new Map([["r1", row("r1", { tags: ["a"] })]]);
+    const { router, src, hydrateSpy } = makeRouter(rows);
+    const regs = [
+      router.register("env_1", { kind: "tag", tags: ["a"] }, []),
+      router.register("env_1", { kind: "tag", tags: ["a"] }, []),
+    ];
+    const waits = regs.map((r) => r.waitForMatch(undefined, 1_000));
+
+    src.push("env_1", [record("r1", { tags: ["a"] })]);
+    const results = await Promise.all(waits);
+
+    // One hydrate for the whole tick (same column set), shared by both feeds...
+    expect(hydrateSpy).toHaveBeenCalledTimes(1);
+    // ...and the same serialized value object is reused (serialize-once).
+    expect(results[0].rows[0].value).toBe(results[1].rows[0].value);
+    regs.forEach((r) => r.close());
+  });
+
+  it("a hydrate failure doesn't reject out of the source callback; the feed times out", async () => {
+    const src = fakeSource();
+    const hydrateSpy = vi.fn<RowHydrator["hydrateByIds"]>(async () => {
+      throw new Error("replica down");
+    });
+    const router = new EnvChangeRouter({
+      source: src.source,
+      hydrator: { hydrateByIds: hydrateSpy },
+    });
+    const reg = router.register("env_1", { kind: "run", runId: "r1" }, []);
+    const wait = reg.waitForMatch(undefined, 50);
+
+    // Would be an unhandled rejection (process exit) if #onBatch's promise were unguarded.
+    src.push("env_1", [record("r1")]);
+
+    const result = await wait;
+    expect(result.reason).toBe("timeout");
+    expect(hydrateSpy).toHaveBeenCalledTimes(1);
+    reg.close();
+  });
+
+  it("routes a run feed by exact runId", async () => {
+    const rows = new Map([["r1", row("r1")]]);
+    const { router, src } = makeRouter(rows);
+    const reg = router.register("env_1", { kind: "run", runId: "r1" }, []);
+    const wait = reg.waitForMatch(undefined, 1_000);
+    src.push("env_1", [record("r2"), record("r1")]);
+    const result = await wait;
+    expect(result.rows.map((m) => m.row.id)).toEqual(["r1"]);
+    reg.close();
+  });
+
+  it("routes a batch feed by batchId", async () => {
+    const rows = new Map([["r1", row("r1")]]);
+    const { router, src } = makeRouter(rows);
+    const reg = router.register("env_1", { kind: "batch", batchId: "batch_1" }, []);
+    const wait = reg.waitForMatch(undefined, 1_000);
+    src.push("env_1", [
+      record("rX", { batchId: "other" }),
+      record("r1", { batchId: "batch_1" }),
+    ]);
+    const result = await wait;
+    expect(result.rows.map((m) => m.row.id)).toEqual(["r1"]);
+    reg.close();
+  });
+
+  it("multi-tag feeds require ALL tags on the row (Electric contains-all semantics)", async () => {
+    const rows = new Map([
+      ["r_both", row("r_both", { tags: ["a", "b", "c"] })],
+      ["r_one", row("r_one", { tags: ["a"] })],
+    ]);
+    const { router, src } = makeRouter(rows);
+    const reg = router.register("env_1", { kind: "tag", tags: ["a", "b"] }, []);
+    const wait = reg.waitForMatch(undefined, 1_000);
+
+    // r_one shares a tag (routes as a candidate via the index) but lacks "b" — must be
+    // culled by the authoritative row check. r_both carries both and wakes the feed.
+    src.push("env_1", [record("r_one", { tags: ["a"] }), record("r_both", { tags: ["a", "b", "c"] })]);
+
+    const result = await wait;
+    expect(result.reason).toBe("notify");
+    expect(result.rows.map((m) => m.row.id)).toEqual(["r_both"]);
+    reg.close();
+  });
+
+  it("drops a tag match created before the feed's createdAt floor", async () => {
+    const rows = new Map([["r1", row("r1", { tags: ["a"], createdAtMs: FLOOR_MS - 10_000 })]]);
+    const { router, src } = makeRouter(rows);
+    const reg = router.register("env_1", { kind: "tag", tags: ["a"], createdAtFloorMs: FLOOR_MS }, []);
+    let settled = false;
+    const wait = reg.waitForMatch(undefined, 60).then((r) => {
+      settled = true;
+      return r;
+    });
+    src.push("env_1", [record("r1", { tags: ["a"], createdAtMs: FLOOR_MS - 10_000 })]);
+    // Hydrated but out-of-window -> not woken; falls through to the timeout.
+    const result = await wait;
+    expect(settled).toBe(true);
+    expect(result.reason).toBe("timeout");
+    reg.close();
+  });
+
+  it("classifies a partial record (no tags) by hydrating and re-checking the row's tags", async () => {
+    // Partial record routes to all tag feeds as candidates; the authoritative row decides.
+    const rows = new Map([["r1", row("r1", { tags: ["a"] })]]);
+    const { router, src } = makeRouter(rows);
+    const match = router.register("env_1", { kind: "tag", tags: ["a"] }, []);
+    const noMatch = router.register("env_1", { kind: "tag", tags: ["z"] }, []);
+    const matchWait = match.waitForMatch(undefined, 1_000);
+    let noMatchSettled = false;
+    const noMatchWait = noMatch.waitForMatch(undefined, 80).then((r) => {
+      noMatchSettled = true;
+      return r;
+    });
+
+    src.push("env_1", [record("r1", { tags: undefined })]); // partial: tags absent
+
+    expect((await matchWait).rows.map((m) => m.row.id)).toEqual(["r1"]);
+    expect((await noMatchWait).reason).toBe("timeout"); // row tags ["a"] don't intersect ["z"]
+    expect(noMatchSettled).toBe(true);
+    match.close();
+    noMatch.close();
+  });
+
+  it("times out and aborts cleanly", async () => {
+    const { router, src } = makeRouter(new Map(), { unsubscribeLingerMs: 0 });
+    const reg = router.register("env_1", { kind: "tag", tags: ["a"] }, []);
+    expect((await reg.waitForMatch(undefined, 30)).reason).toBe("timeout");
+
+    const controller = new AbortController();
+    const wait = reg.waitForMatch(controller.signal, 5_000);
+    controller.abort();
+    expect((await wait).reason).toBe("abort");
+    reg.close();
+    expect(src.isSubscribed("env_1")).toBe(false); // linger disabled: last feed left -> unsubscribed
+  });
+
+  it("buffers a record that arrives between polls and replays it on the next arm", async () => {
+    const rows = new Map([["r1", row("r1", { tags: ["a"] })]]);
+    const { router, src, hydrateSpy } = makeRouter(rows);
+    const reg = router.register("env_1", { kind: "tag", tags: ["a"] }, []);
+    // Not waiting yet: the push can't wake anything, but it lands in the env buffer.
+    src.push("env_1", [record("r1", { tags: ["a"] })]);
+    expect(hydrateSpy).not.toHaveBeenCalled();
+
+    const result = await reg.waitForMatch(undefined, 1_000);
+    expect(result.reason).toBe("notify");
+    expect(result.rows.map((m) => m.row.id)).toEqual(["r1"]);
+    expect(hydrateSpy).toHaveBeenCalledTimes(1);
+    reg.close();
+  });
+
+  it("does not redeliver a replayed record on a later arm", async () => {
+    const rows = new Map([["r1", row("r1", { tags: ["a"] })]]);
+    const { router, src, hydrateSpy } = makeRouter(rows);
+    const reg = router.register("env_1", { kind: "tag", tags: ["a"] }, []);
+    src.push("env_1", [record("r1", { tags: ["a"] })]);
+    expect((await reg.waitForMatch(undefined, 1_000)).reason).toBe("notify");
+
+    // Same buffered record must not fire again; the wait falls through to its timeout.
+    expect((await reg.waitForMatch(undefined, 50)).reason).toBe("timeout");
+    expect(hydrateSpy).toHaveBeenCalledTimes(1);
+    reg.close();
+  });
+
+  it("lingers the env subscription after the last feed closes and replays the gap", async () => {
+    const rows = new Map([["r1", row("r1", { tags: ["a"] })]]);
+    const { router, src, hydrateSpy } = makeRouter(rows, { unsubscribeLingerMs: 60 });
+    const reg1 = router.register("env_1", { kind: "tag", tags: ["a"] }, []);
+    reg1.close();
+    expect(src.isSubscribed("env_1")).toBe(true); // lingering
+
+    // The inter-poll gap: a change arrives while no feed is registered.
+    src.push("env_1", [record("r1", { tags: ["a"] })]);
+
+    const reg2 = router.register("env_1", { kind: "tag", tags: ["a"] }, []);
+    const result = await reg2.waitForMatch(undefined, 1_000);
+    expect(result.reason).toBe("notify");
+    expect(result.rows.map((m) => m.row.id)).toEqual(["r1"]);
+    expect(hydrateSpy).toHaveBeenCalledTimes(1);
+
+    reg2.close();
+    await new Promise((r) => setTimeout(r, 100));
+    expect(src.isSubscribed("env_1")).toBe(false); // linger expired -> unsubscribed
+  });
+
+  it("reports gapCovered=false on a fresh env subscription and true once it ages past the window", async () => {
+    const { router } = makeRouter(new Map(), { replayWindowMs: 50 });
+    const reg1 = router.register("env_1", { kind: "run", runId: "r1" }, []);
+    expect(reg1.gapCovered).toBe(false);
+
+    await new Promise((r) => setTimeout(r, 70));
+    const reg2 = router.register("env_1", { kind: "run", runId: "r2" }, []);
+    expect(reg2.gapCovered).toBe(true);
+    reg1.close();
+    reg2.close();
+  });
+
+  it("honors the caller's replaySinceMs so a new poll doesn't rewind into delivered records", async () => {
+    const rows = new Map([["r1", row("r1", { tags: ["a"] })]]);
+    const { router, src, hydrateSpy } = makeRouter(rows);
+    const anchor = router.register("env_1", { kind: "tag", tags: ["a"] }, []); // keeps the env subscribed
+    src.push("env_1", [record("r1", { tags: ["a"] })]);
+    const afterPush = Date.now();
+
+    // A connection whose last response left after the push: nothing to replay.
+    const caughtUp = router.register("env_1", { kind: "tag", tags: ["a"] }, [], {
+      replaySinceMs: afterPush,
+    });
+    expect(caughtUp.gapCovered).toBe(true); // env subscribed since before its gap began
+    expect((await caughtUp.waitForMatch(undefined, 50)).reason).toBe("timeout");
+    expect(hydrateSpy).not.toHaveBeenCalled();
+
+    // A connection whose gap started before the push: the record replays.
+    const behind = router.register("env_1", { kind: "tag", tags: ["a"] }, [], {
+      replaySinceMs: afterPush - 1_000,
+    });
+    const result = await behind.waitForMatch(undefined, 1_000);
+    expect(result.reason).toBe("notify");
+    expect(result.rows.map((m) => m.row.id)).toEqual(["r1"]);
+
+    anchor.close();
+    caughtUp.close();
+    behind.close();
+  });
+
+  it("caps the replay buffer to the newest records per env", async () => {
+    const rows = new Map([
+      ["r1", row("r1")],
+      ["r2", row("r2")],
+      ["r3", row("r3")],
+    ]);
+    const evictions: string[] = [];
+    const { router, src, hydrateSpy } = makeRouter(rows, {
+      replayMaxRunsPerEnv: 2,
+      onReplayEviction: (reason: string) => evictions.push(reason),
+    });
+    const reg = router.register("env_1", { kind: "batch", batchId: "batch_1" }, []);
+    src.push("env_1", [
+      record("r1", { batchId: "batch_1" }),
+      record("r2", { batchId: "batch_1" }),
+      record("r3", { batchId: "batch_1" }),
+    ]);
+
+    const result = await reg.waitForMatch(undefined, 1_000);
+    expect(result.reason).toBe("notify");
+    // r1 was evicted by the cap; only the newest two replay.
+    expect(hydrateSpy).toHaveBeenCalledWith("env_1", ["r2", "r3"], []);
+    expect(evictions).toEqual(["cap"]);
+    reg.close();
+  });
+});
+
+describe("EnvChangeRouter read-your-writes gate", () => {
+  function gate(overrides: Record<string, unknown> = {}) {
+    const observed: number[] = [];
+    const outcomes: { outcome: string; runCount: number }[] = [];
+    return {
+      observed,
+      outcomes,
+      replicaLag: {
+        getLagMs: () => 0,
+        noteObservedLagMs: (ms: number) => observed.push(ms),
+        marginMs: 0,
+        maxDelayMs: 1_000,
+        staleRetries: 3,
+        onStaleHydrate: (outcome: string, runCount: number) =>
+          outcomes.push({ outcome, runCount }),
+        ...overrides,
+      },
+    };
+  }
+
+  it("delays the wake hydrate by lag+margin anchored to the record's updatedAtMs", async () => {
+    const rows = new Map([["r1", row("r1", { tags: ["a"] })]]);
+    const g = gate({ getLagMs: () => 80, marginMs: 10 });
+    const { router, src, hydrateSpy } = makeRouter(rows, { replicaLag: g.replicaLag });
+    const reg = router.register("env_1", { kind: "tag", tags: ["a"] }, []);
+    const wait = reg.waitForMatch(undefined, 2_000);
+
+    const pushedAt = Date.now();
+    src.push("env_1", [record("r1", { tags: ["a"], updatedAtMs: pushedAt })]);
+
+    // The hydrate must wait out the lag window (~90ms), not run immediately.
+    await new Promise((r) => setTimeout(r, 30));
+    expect(hydrateSpy).not.toHaveBeenCalled();
+
+    const result = await wait;
+    expect(result.reason).toBe("notify");
+    expect(Date.now() - pushedAt).toBeGreaterThanOrEqual(80);
+    reg.close();
+  });
+
+  it("does not delay when the record's anchor is already past the lag window", async () => {
+    // The row's updatedAt matches the watermark so the tripwire stays quiet.
+    const anchorMs = Date.now() - 5_000;
+    const rows = new Map([["r1", row("r1", { tags: ["a"], updatedAtMs: anchorMs })]]);
+    const g = gate({ getLagMs: () => 80, marginMs: 10 });
+    const { router, src } = makeRouter(rows, { replicaLag: g.replicaLag });
+    const reg = router.register("env_1", { kind: "tag", tags: ["a"] }, []);
+    const wait = reg.waitForMatch(undefined, 2_000);
+
+    const pushedAt = Date.now();
+    src.push("env_1", [record("r1", { tags: ["a"], updatedAtMs: anchorMs })]);
+
+    const result = await wait;
+    expect(result.reason).toBe("notify");
+    expect(Date.now() - pushedAt).toBeLessThan(60);
+    reg.close();
+  });
+
+  it("withholds a stale row, re-hydrates, and delivers only the fresh version", async () => {
+    const watermark = FLOOR_MS + 10_000;
+    const staleRow = row("r1", { tags: ["a"], updatedAtMs: FLOOR_MS + 5_000 });
+    const freshRow = row("r1", { tags: ["a"], updatedAtMs: watermark });
+    const hydrateSpy = vi
+      .fn<RowHydrator["hydrateByIds"]>()
+      .mockResolvedValueOnce([staleRow])
+      .mockResolvedValue([freshRow]);
+    const src = fakeSource();
+    const g = gate();
+    const router = new EnvChangeRouter({
+      source: src.source,
+      hydrator: { hydrateByIds: hydrateSpy },
+      replicaLag: g.replicaLag,
+    });
+    const reg = router.register("env_1", { kind: "tag", tags: ["a"] }, []);
+    const wait = reg.waitForMatch(undefined, 2_000);
+
+    src.push("env_1", [record("r1", { tags: ["a"], updatedAtMs: watermark })]);
+
+    const result = await wait;
+    expect(result.reason).toBe("notify");
+    expect(result.rows[0].row.updatedAt.getTime()).toBe(watermark);
+    expect(hydrateSpy).toHaveBeenCalledTimes(2);
+    expect(g.observed.length).toBe(1); // the stale read fed the estimator
+    expect(g.outcomes).toEqual([{ outcome: "recovered", runCount: 1 }]);
+    reg.close();
+  });
+
+  it("a missing row with a watermark (insert race) retries and delivers when it appears", async () => {
+    const watermark = FLOOR_MS + 10_000;
+    const freshRow = row("r1", { tags: ["a"], updatedAtMs: watermark });
+    const hydrateSpy = vi
+      .fn<RowHydrator["hydrateByIds"]>()
+      .mockResolvedValueOnce([])
+      .mockResolvedValue([freshRow]);
+    const src = fakeSource();
+    const g = gate();
+    const router = new EnvChangeRouter({
+      source: src.source,
+      hydrator: { hydrateByIds: hydrateSpy },
+      replicaLag: g.replicaLag,
+    });
+    const reg = router.register("env_1", { kind: "tag", tags: ["a"] }, []);
+    const wait = reg.waitForMatch(undefined, 2_000);
+
+    src.push("env_1", [record("r1", { tags: ["a"], updatedAtMs: watermark })]);
+
+    const result = await wait;
+    expect(result.rows[0].row.id).toBe("r1");
+    expect(hydrateSpy).toHaveBeenCalledTimes(2);
+    reg.close();
+  });
+
+  it("delivers the stale row after exhausting retries (liveness over freshness)", async () => {
+    const watermark = FLOOR_MS + 10_000;
+    const staleRow = row("r1", { tags: ["a"], updatedAtMs: FLOOR_MS + 5_000 });
+    const hydrateSpy = vi.fn<RowHydrator["hydrateByIds"]>().mockResolvedValue([staleRow]);
+    const src = fakeSource();
+    const g = gate({ staleRetries: 1 });
+    const router = new EnvChangeRouter({
+      source: src.source,
+      hydrator: { hydrateByIds: hydrateSpy },
+      replicaLag: g.replicaLag,
+    });
+    const reg = router.register("env_1", { kind: "tag", tags: ["a"] }, []);
+    const wait = reg.waitForMatch(undefined, 2_000);
+
+    src.push("env_1", [record("r1", { tags: ["a"], updatedAtMs: watermark })]);
+
+    const result = await wait;
+    expect(result.reason).toBe("notify");
+    expect(result.rows[0].row.updatedAt.getTime()).toBe(FLOOR_MS + 5_000);
+    expect(hydrateSpy).toHaveBeenCalledTimes(2); // first pass + 1 retry
+    expect(g.outcomes).toEqual([{ outcome: "gave_up", runCount: 1 }]);
+    reg.close();
+  });
+
+  it("after giving up, echo passes deliver the fresh row once the replica catches up", async () => {
+    // Recent watermark (inside the echo horizon); retries exhausted immediately.
+    const watermark = Date.now() - 50;
+    const staleRow = row("r1", { tags: ["a"], updatedAtMs: watermark - 5_000 });
+    const freshRow = row("r1", { tags: ["a"], updatedAtMs: watermark });
+    const hydrateSpy = vi
+      .fn<RowHydrator["hydrateByIds"]>()
+      .mockResolvedValueOnce([staleRow]) // first pass: stale -> gave_up, delivered anyway
+      .mockResolvedValue([freshRow]); // echo pass: fresh
+    const src = fakeSource();
+    const g = gate({ staleRetries: 0 });
+    const router = new EnvChangeRouter({
+      source: src.source,
+      hydrator: { hydrateByIds: hydrateSpy },
+      replicaLag: g.replicaLag,
+    });
+    const reg = router.register("env_1", { kind: "tag", tags: ["a"] }, []);
+
+    const first = reg.waitForMatch(undefined, 2_000);
+    src.push("env_1", [record("r1", { tags: ["a"], updatedAtMs: watermark })]);
+    const staleDelivery = await first;
+    expect(staleDelivery.rows[0].row.updatedAt.getTime()).toBe(watermark - 5_000);
+    expect(g.outcomes).toEqual([{ outcome: "gave_up", runCount: 1 }]);
+
+    // The client re-arms (as it would after consuming the stale emission); the echo
+    // re-hydrate delivers the fresh version through the normal pipeline.
+    const echoed = await reg.waitForMatch(undefined, 2_000);
+    expect(echoed.reason).toBe("notify");
+    expect(echoed.rows[0].row.updatedAt.getTime()).toBe(watermark);
+    reg.close();
+  });
+
+  it("records without a watermark bypass the tripwire entirely", async () => {
+    const staleLooking = row("r1", { tags: ["a"], updatedAtMs: FLOOR_MS + 5_000 });
+    const rows = new Map([["r1", staleLooking]]);
+    const g = gate();
+    const { router, src, hydrateSpy } = makeRouter(rows, { replicaLag: g.replicaLag });
+    const reg = router.register("env_1", { kind: "tag", tags: ["a"] }, []);
+    const wait = reg.waitForMatch(undefined, 2_000);
+
+    src.push("env_1", [record("r1", { tags: ["a"] })]); // no updatedAtMs
+
+    const result = await wait;
+    expect(result.reason).toBe("notify");
+    expect(hydrateSpy).toHaveBeenCalledTimes(1);
+    expect(g.outcomes).toEqual([]);
+    expect(g.observed).toEqual([]);
+    reg.close();
+  });
+});
diff --git a/apps/webapp/test/realtime/nativeHoldOnEmpty.test.ts b/apps/webapp/test/realtime/nativeHoldOnEmpty.test.ts
new file mode 100644
index 00000000000..615abc90394
--- /dev/null
+++ b/apps/webapp/test/realtime/nativeHoldOnEmpty.test.ts
@@ -0,0 +1,266 @@
+import { setTimeout as sleep } from "node:timers/promises";
+import { CURRENT_API_VERSION } from "~/api/versions";
+import {
+  NativeRealtimeClient,
+  type RealtimeListEnvironment,
+} from "~/services/realtime/nativeRealtimeClient.server";
+import { type RealtimeRunRow } from "~/services/realtime/electricStreamProtocol.server";
+import {
+  EnvChangeRouter,
+  type EnvChangeSource,
+} from "~/services/realtime/envChangeRouter.server";
+import { type ChangeRecord } from "~/services/realtime/runChangeNotifier.server";
+import { describe, expect, it, vi } from "vitest";
+
+const ENV: RealtimeListEnvironment = { id: "env_1", organizationId: "org_1", projectId: "proj_1" };
+
+// Fixed offset floor: a row's updatedAt above/below it produces a delta / empty diff. The
+// createdAt window resolves to this same floor (large maximumCreatedAtFilterAgeMs below).
+const FLOOR_MS = Date.UTC(2026, 5, 7, 12, 0, 0);
+
+function row(
+  id: string,
+  updatedAtMs: number,
+  opts: { createdAtMs?: number; tags?: string[] } = {}
+): RealtimeRunRow {
+  return {
+    id,
+    runTags: opts.tags ?? ["t"],
+    createdAt: new Date(opts.createdAtMs ?? FLOOR_MS + 1_000),
+    updatedAt: new Date(updatedAtMs),
+  } as unknown as RealtimeRunRow;
+}
+
+function rec(runId: string, extra: Partial<ChangeRecord> = {}): ChangeRecord {
+  return { v: 1, runId, envId: "env_1", ...extra };
+}
+
+/** A controllable EnvChangeSource the test pushes batches into. */
+function fakeSource() {
+  const listeners = new Map<string, Set<(records: ChangeRecord[]) => void>>();
+  const source: EnvChangeSource = {
+    subscribeToEnv(envId, onBatch) {
+      let set = listeners.get(envId);
+      if (!set) {
+        set = new Set();
+        listeners.set(envId, set);
+      }
+      set.add(onBatch);
+      return () => listeners.get(envId)?.delete(onBatch);
+    },
+  };
+  return {
+    source,
+    push: (envId: string, records: ChangeRecord[]) => {
+      for (const l of listeners.get(envId) ?? []) l(records);
+    },
+    isSubscribed: (envId: string) => (listeners.get(envId)?.size ?? 0) > 0,
+  };
+}
+
+function makeClient(overrides: Record<string, unknown> = {}) {
+  let rowsToReturn: RealtimeRunRow[] = [];
+  const hydrateSpy = vi.fn(async (_env: string, ids: string[]) =>
+    rowsToReturn.filter((r) => ids.includes(r.id))
+  );
+  const resolveSpy = vi.fn(async () => rowsToReturn.map((r) => r.id));
+  const src = fakeSource();
+  const router = new EnvChangeRouter({
+    source: src.source,
+    hydrator: { hydrateByIds: hydrateSpy },
+    replayWindowMs: 0,
+    unsubscribeLingerMs: 0,
+    ...(overrides.routerOptions as Record<string, unknown> ?? {}),
+  });
+  delete overrides.routerOptions;
+
+  const client = new NativeRealtimeClient({
+    runReader: { getRunById: async () => null, hydrateByIds: hydrateSpy } as any,
+    runListResolver: { resolveMatchingRunIds: resolveSpy } as any,
+    router,
+    limiter: { incrementAndCheck: async () => true, decrement: async () => {} } as any,
+    cachedLimitProvider: { getCachedLimit: async () => 100 },
+    // Large so the recovered createdAt floor isn't clamped past FLOOR_MS.
+    maximumCreatedAtFilterAgeMs: 100 * 365 * 24 * 60 * 60 * 1000,
+    runSetResolveCacheTtlMs: 0,
+    livePollTimeoutMs: 10_000,
+    ...overrides,
+  });
+
+  return { client, src, hydrateSpy, resolveSpy, setRows: (rows: RealtimeRunRow[]) => (rowsToReturn = rows) };
+}
+
+function liveRuns(client: NativeRealtimeClient) {
+  return client.streamRuns(
+    `http://localhost:3030/realtime/v1/runs?offset=${FLOOR_MS}_1&live=true&handle=runs_${FLOOR_MS}_7`,
+    ENV,
+    { tags: ["t"] },
+    CURRENT_API_VERSION,
+    undefined,
+    "1.0.0"
+  );
+}
+
+async function whenWaiting(src: ReturnType<typeof fakeSource>) {
+  // Subscribed (feed registered) + a tick so waitForMatch has armed feed.resolve.
+  await vi.waitFor(() => expect(src.isSubscribed("env_1")).toBe(true));
+  await sleep(15);
+}
+
+async function bodyOf(res: Response) {
+  return JSON.parse(await res.text()) as Array<{
+    headers?: { control?: string; operation?: string };
+    value?: unknown;
+  }>;
+}
+const hasRowOp = (body: Awaited<ReturnType<typeof bodyOf>>) =>
+  body.some((m) => m?.headers?.operation || (m && typeof m === "object" && "value" in m));
+const isUpToDate = (body: Awaited<ReturnType<typeof bodyOf>>) =>
+  body.some((m) => m?.headers?.control === "up-to-date");
+
+describe("NativeRealtimeClient multi-run live path over the router", () => {
+  it("a matching change hydrates by id (no ClickHouse) and returns a delta", async () => {
+    const emits: Array<[string, number, number]> = [];
+    const { client, src, hydrateSpy, resolveSpy, setRows } = makeClient({
+      onEmit: (path: string, lagMs: number, rows: number) => emits.push([path, lagMs, rows]),
+    });
+    setRows([row("run_1", FLOOR_MS + 5_000, { tags: ["t"] })]);
+
+    const responsePromise = liveRuns(client);
+    await whenWaiting(src);
+    src.push("env_1", [rec("run_1", { tags: ["t", "x"] })]);
+
+    const res = await responsePromise;
+    expect(res.status).toBe(200);
+    expect(hasRowOp(await bodyOf(res))).toBe(true);
+    expect(resolveSpy).not.toHaveBeenCalled(); // ClickHouse skipped
+    expect(hydrateSpy).toHaveBeenCalledWith("env_1", ["run_1"], expect.anything());
+    expect(emits).toHaveLength(1);
+    expect(emits[0][0]).toBe("fast-hydrate");
+    expect(emits[0][2]).toBe(1); // one delta row
+  });
+
+  it("a change that doesn't match the filter never wakes the feed (no CH, no PG); a later match does", async () => {
+    const { client, src, hydrateSpy, resolveSpy, setRows } = makeClient();
+    setRows([row("run_1", FLOOR_MS + 5_000, { tags: ["t"] })]);
+
+    const responsePromise = liveRuns(client);
+    let settled = false;
+    void responsePromise.then(() => (settled = true));
+    await whenWaiting(src);
+
+    src.push("env_1", [rec("run_x", { tags: ["other"] })]); // doesn't intersect ["t"]
+    await sleep(50);
+    expect(settled).toBe(false);
+    expect(hydrateSpy).not.toHaveBeenCalled(); // router never routed it
+    expect(resolveSpy).not.toHaveBeenCalled();
+
+    src.push("env_1", [rec("run_1", { tags: ["t"] })]);
+    const res = await responsePromise;
+    expect(settled).toBe(true);
+    expect(hasRowOp(await bodyOf(res))).toBe(true);
+  });
+
+  it("a matching run created before the window floor is hydrated but dropped (keeps holding)", async () => {
+    // Generous backstop so the "still holding" assertion can't race a timeout in slow CI.
+    const { client, src, hydrateSpy, resolveSpy, setRows } = makeClient({ livePollTimeoutMs: 1500 });
+    setRows([row("run_1", FLOOR_MS + 5_000, { createdAtMs: FLOOR_MS - 10_000, tags: ["t"] })]);
+
+    const responsePromise = liveRuns(client);
+    let settled = false;
+    void responsePromise.then(() => (settled = true));
+    await whenWaiting(src);
+    src.push("env_1", [rec("run_1", { tags: ["t"] })]);
+
+    await sleep(40);
+    expect(settled).toBe(false); // dropped by the createdAt floor -> held
+    expect(hydrateSpy).toHaveBeenCalledWith("env_1", ["run_1"], expect.anything());
+    expect(resolveSpy).not.toHaveBeenCalled();
+
+    await responsePromise; // drain via the backstop
+  });
+
+  it("the backstop timeout does a full ClickHouse resolve and returns up-to-date", async () => {
+    const backstopResults: string[] = [];
+    const { client, resolveSpy } = makeClient({
+      livePollTimeoutMs: 50,
+      onBackstopResult: (r: string) => backstopResults.push(r),
+    });
+    const res = await liveRuns(client); // never pushed -> backstop fires
+    expect(res.status).toBe(200);
+    expect(isUpToDate(await bodyOf(res))).toBe(true);
+    expect(resolveSpy).toHaveBeenCalled();
+    expect(backstopResults).toEqual(["empty"]);
+  });
+
+  it("a cold env registration resolves immediately instead of holding blind", async () => {
+    // Fresh env subscription (gapCovered=false): a change in the inter-poll gap may have
+    // been missed, so the live poll probes once. The row advanced past the offset floor.
+    const { client, resolveSpy, setRows } = makeClient({
+      routerOptions: { replayWindowMs: 2_000 },
+    });
+    setRows([row("run_1", FLOOR_MS + 5_000, { tags: ["t"] })]);
+
+    const res = await liveRuns(client); // no push needed — the cold probe finds the delta
+    expect(res.status).toBe(200);
+    expect(resolveSpy).toHaveBeenCalledTimes(1);
+    expect(hasRowOp(await bodyOf(res))).toBe(true);
+  });
+
+  it("a cold probe with nothing missed keeps holding", async () => {
+    const { client, src, resolveSpy, setRows } = makeClient({
+      routerOptions: { replayWindowMs: 2_000 },
+      livePollTimeoutMs: 1_500,
+    });
+    setRows([row("run_1", FLOOR_MS - 1_000, { tags: ["t"] })]); // at/below the offset floor
+
+    const responsePromise = liveRuns(client);
+    let settled = false;
+    void responsePromise.then(() => (settled = true));
+    await whenWaiting(src);
+    await sleep(50);
+    expect(settled).toBe(false); // probed, found nothing missed, held
+    expect(resolveSpy).toHaveBeenCalledTimes(1);
+    await responsePromise; // drain via the backstop
+  });
+
+  it("a single-run poll holds on a replayed already-seen record instead of busy re-polling", async () => {
+    const { client, src, setRows } = makeClient({
+      routerOptions: { replayWindowMs: 2_000 },
+      livePollTimeoutMs: 300,
+    });
+    setRows([row("run_1", FLOOR_MS + 1_000)]);
+    const url = `http://localhost:3030/realtime/v1/runs/run_1?offset=${FLOOR_MS + 1_000}_1&handle=run-run_1&live=true`;
+
+    // First poll subscribes the env, then drains via its backstop.
+    const first = await client.streamRun(url, ENV, "run_1", CURRENT_API_VERSION, undefined, "1.0.0");
+    expect(first.status).toBe(200);
+
+    // The record lands between polls; the lingering env subscription buffers it.
+    src.push("env_1", [rec("run_1")]);
+
+    // The next poll replays it, but the row hasn't advanced past the client's offset:
+    // the poll must HOLD (the old behavior returned up-to-date instantly = a busy loop).
+    let settled = false;
+    const second = client.streamRun(url, ENV, "run_1", CURRENT_API_VERSION, undefined, "1.0.0");
+    void second.then(() => (settled = true));
+    await sleep(120);
+    expect(settled).toBe(false);
+    expect((await second).status).toBe(200); // drains via the backstop
+  });
+
+  it("with holdOnEmpty=false, a matched-but-not-advanced change returns up-to-date without ClickHouse", async () => {
+    const { client, src, resolveSpy, setRows } = makeClient({ holdOnEmpty: false });
+    // Matches the tag and is in-window, but updatedAt is at/below the offset floor -> no delta.
+    setRows([row("run_1", FLOOR_MS - 1_000, { tags: ["t"] })]);
+
+    const responsePromise = liveRuns(client);
+    await whenWaiting(src);
+    src.push("env_1", [rec("run_1", { tags: ["t"] })]);
+
+    const res = await responsePromise;
+    expect(res.status).toBe(200);
+    expect(isUpToDate(await bodyOf(res))).toBe(true);
+    expect(resolveSpy).not.toHaveBeenCalled();
+  });
+});
diff --git a/apps/webapp/test/realtime/nativeRealtimeClient.test.ts b/apps/webapp/test/realtime/nativeRealtimeClient.test.ts
new file mode 100644
index 00000000000..b94c72a4e65
--- /dev/null
+++ b/apps/webapp/test/realtime/nativeRealtimeClient.test.ts
@@ -0,0 +1,110 @@
+import { CURRENT_API_VERSION } from "~/api/versions";
+import {
+  NativeRealtimeClient,
+  type RealtimeListEnvironment,
+} from "~/services/realtime/nativeRealtimeClient.server";
+import { type RealtimeRunRow } from "~/services/realtime/electricStreamProtocol.server";
+import { EnvChangeRouter } from "~/services/realtime/envChangeRouter.server";
+import { describe, expect, it } from "vitest";
+
+function sampleRow(): RealtimeRunRow {
+  return {
+    id: "run_1",
+    taskIdentifier: "t",
+    createdAt: new Date("2026-06-07T10:00:00.000Z"),
+    updatedAt: new Date("2026-06-07T10:00:01.000Z"),
+    startedAt: null,
+    delayUntil: null,
+    queuedAt: null,
+    expiredAt: null,
+    completedAt: null,
+    friendlyId: "run_friendly_1",
+    number: 1,
+    isTest: false,
+    status: "EXECUTING",
+    usageDurationMs: 0,
+    costInCents: 0,
+    baseCostInCents: 0,
+    ttl: null,
+    payload: "{}",
+    payloadType: "application/json",
+    metadata: null,
+    metadataType: "application/json",
+    output: null,
+    outputType: "application/json",
+    runTags: [],
+    error: null,
+    realtimeStreams: [],
+  };
+}
+
+// Only the initial-snapshot path is exercised here, which touches the shared
+// #buildResponse — enough to lock the response-header contract.
+function makeClient(row: RealtimeRunRow | null) {
+  return new NativeRealtimeClient({
+    runReader: {
+      getRunById: async () => row,
+      hydrateByIds: async () => (row ? [row] : []),
+    } as any,
+    runListResolver: { resolveMatchingRunIds: async () => [] } as any,
+    // Snapshot path only; the router (over a no-op source) is never invoked here.
+    router: new EnvChangeRouter({
+      source: { subscribeToEnv: () => () => {} },
+      hydrator: { hydrateByIds: async () => (row ? [row] : []) },
+      replayWindowMs: 0,
+      unsubscribeLingerMs: 0,
+    }),
+    limiter: { incrementAndCheck: async () => true, decrement: async () => {} } as any,
+    cachedLimitProvider: { getCachedLimit: async () => 100 },
+    maximumCreatedAtFilterAgeMs: 24 * 60 * 60 * 1000,
+  });
+}
+
+const ENV: RealtimeListEnvironment = {
+  id: "env_1",
+  organizationId: "org_1",
+  projectId: "proj_1",
+};
+
+describe("NativeRealtimeClient response headers", () => {
+  it("exposes electric headers cross-origin so browser hooks can read them", async () => {
+    const client = makeClient(sampleRow());
+    const res = await client.streamRun(
+      "http://localhost:3030/realtime/v1/runs/run_1?offset=-1",
+      ENV,
+      "run_1",
+      CURRENT_API_VERSION,
+      undefined,
+      "1.0.0-beta.1" // modern client => lowercase electric-* headers
+    );
+
+    // Without these the deployed @electric-sql/client throws MissingHeadersError
+    // (it can't read the electric-* headers across origins). This regressed once.
+    expect(res.headers.get("access-control-allow-origin")).toBe("*");
+    expect(res.headers.get("access-control-expose-headers")).toBe("*");
+
+    // Initial (non-live) snapshot requires offset + handle + schema.
+    expect(res.headers.get("electric-offset")).toBeTruthy();
+    expect(res.headers.get("electric-handle")).toBeTruthy();
+    expect(res.headers.get("electric-schema")).toBeTruthy();
+    expect(res.headers.get("content-type")).toBe("application/json");
+  });
+
+  it("renames headers for legacy (0.4.0) clients", async () => {
+    const client = makeClient(sampleRow());
+    const res = await client.streamRun(
+      "http://localhost:3030/realtime/v1/runs/run_1?offset=-1",
+      ENV,
+      "run_1",
+      CURRENT_API_VERSION,
+      undefined,
+      undefined // no client version => legacy header names
+    );
+
+    expect(res.headers.get("electric-chunk-last-offset")).toBeTruthy();
+    expect(res.headers.get("electric-shape-id")).toBeTruthy();
+    expect(res.headers.get("electric-offset")).toBeNull();
+    expect(res.headers.get("electric-handle")).toBeNull();
+    expect(res.headers.get("access-control-expose-headers")).toBe("*");
+  });
+});
diff --git a/apps/webapp/test/realtime/nativeRunSetCache.test.ts b/apps/webapp/test/realtime/nativeRunSetCache.test.ts
new file mode 100644
index 00000000000..2389fd78080
--- /dev/null
+++ b/apps/webapp/test/realtime/nativeRunSetCache.test.ts
@@ -0,0 +1,344 @@
+import { CURRENT_API_VERSION } from "~/api/versions";
+import {
+  NativeRealtimeClient,
+  type RealtimeListEnvironment,
+} from "~/services/realtime/nativeRealtimeClient.server";
+import { type RealtimeRunRow } from "~/services/realtime/electricStreamProtocol.server";
+import { EnvChangeRouter } from "~/services/realtime/envChangeRouter.server";
+import { setTimeout as sleep } from "node:timers/promises";
+import { describe, expect, it, vi } from "vitest";
+
+const ENV: RealtimeListEnvironment = { id: "env_1", organizationId: "org_1", projectId: "proj_1" };
+
+function row(id: string): RealtimeRunRow {
+  // Only id/createdAt/updatedAt are read directly; the rest serialize to null.
+  return {
+    id,
+    createdAt: new Date("2026-06-07T09:00:00.000Z"),
+    updatedAt: new Date("2026-06-07T10:00:00.000Z"),
+  } as unknown as RealtimeRunRow;
+}
+
+function makeClient(overrides: Record<string, unknown> = {}) {
+  const resolveSpy = vi.fn(async () => ["run_1", "run_2"]);
+  const hydrateSpy = vi.fn(async (_env: string, ids: string[]) => ids.map(row));
+
+  const client = new NativeRealtimeClient({
+    runReader: { getRunById: async () => null, hydrateByIds: hydrateSpy } as any,
+    runListResolver: { resolveMatchingRunIds: resolveSpy } as any,
+    // No-op source: live polls never get a router wake, so they fall through to the
+    // backstop full-resolve — which is what the live tests below assert on.
+    router: new EnvChangeRouter({
+      source: { subscribeToEnv: () => () => {} },
+      hydrator: { hydrateByIds: hydrateSpy },
+      replayWindowMs: 0,
+      unsubscribeLingerMs: 0,
+    }),
+    limiter: { incrementAndCheck: async () => true, decrement: async () => {} } as any,
+    cachedLimitProvider: { getCachedLimit: async () => 100 },
+    maximumCreatedAtFilterAgeMs: 24 * 60 * 60 * 1000,
+    runSetResolveCacheTtlMs: 5_000,
+    ...overrides,
+  });
+
+  return { client, resolveSpy, hydrateSpy };
+}
+
+// streamBatch with offset=-1 takes the snapshot path, which calls the coalescing
+// resolve+hydrate directly (no concurrency slot / subscription needed).
+function snapshot(client: NativeRealtimeClient, batchId: string, skipColumns?: string) {
+  const skip = skipColumns ? `&skipColumns=${skipColumns}` : "";
+  return client.streamBatch(
+    `http://localhost:3030/realtime/v1/batches/${batchId}?offset=-1${skip}`,
+    ENV,
+    batchId,
+    CURRENT_API_VERSION,
+    undefined,
+    "1.0.0"
+  );
+}
+
+// Tag-list snapshot (offset=-1) — exercises the createdAt bucketing + cache key.
+function snapshotTag(client: NativeRealtimeClient, tags: string[]) {
+  return client.streamRuns(
+    "http://localhost:3030/realtime/v1/runs?offset=-1",
+    ENV,
+    { tags },
+    CURRENT_API_VERSION,
+    undefined,
+    "1.0.0"
+  );
+}
+
+describe("NativeRealtimeClient run-set resolve coalescing + cache", () => {
+  it("coalesces concurrent same-filter resolves into one ClickHouse + Postgres query", async () => {
+    const { client, resolveSpy, hydrateSpy } = makeClient();
+    let release!: (ids: string[]) => void;
+    const gate = new Promise<string[]>((resolve) => {
+      release = resolve;
+    });
+    resolveSpy.mockReturnValueOnce(gate);
+
+    const p1 = snapshot(client, "batch_1");
+    const p2 = snapshot(client, "batch_1");
+    release(["run_1"]);
+    await Promise.all([p1, p2]);
+
+    expect(resolveSpy).toHaveBeenCalledTimes(1);
+    expect(hydrateSpy).toHaveBeenCalledTimes(1);
+  });
+
+  it("serves a second same-filter request from the cache within the TTL", async () => {
+    const { client, resolveSpy, hydrateSpy } = makeClient();
+    await snapshot(client, "batch_1");
+    await snapshot(client, "batch_1");
+    expect(resolveSpy).toHaveBeenCalledTimes(1);
+    expect(hydrateSpy).toHaveBeenCalledTimes(1);
+  });
+
+  it("does not share the cache across different filters", async () => {
+    const { client, resolveSpy } = makeClient();
+    await snapshot(client, "batch_1");
+    await snapshot(client, "batch_2");
+    expect(resolveSpy).toHaveBeenCalledTimes(2);
+  });
+
+  it("re-queries after the cache TTL expires", async () => {
+    vi.useFakeTimers({ toFake: ["Date"] });
+    try {
+      const { client, resolveSpy } = makeClient({ runSetResolveCacheTtlMs: 1_000 });
+      await snapshot(client, "batch_1");
+      vi.advanceTimersByTime(1_001);
+      await snapshot(client, "batch_1");
+      expect(resolveSpy).toHaveBeenCalledTimes(2);
+    } finally {
+      vi.useRealTimers();
+    }
+  });
+
+  it("passes the client's skipColumns through to the hydrator (column projection)", async () => {
+    const { client, hydrateSpy } = makeClient();
+    await snapshot(client, "batch_1", "payload,output");
+    expect(hydrateSpy).toHaveBeenCalledWith("env_1", expect.any(Array), ["payload", "output"]);
+  });
+
+  it("reports resolve outcomes (miss then hit) to the metrics hook", async () => {
+    const results: string[] = [];
+    const { client } = makeClient({ onRunSetResolve: (r: string) => results.push(r) });
+    await snapshot(client, "batch_1");
+    await snapshot(client, "batch_1");
+    expect(results).toEqual(["miss", "hit"]);
+  });
+
+  it("mints a distinct batch handle per connection and echoes a client-provided one", async () => {
+    const { client } = makeClient();
+    // Two subscribers to the SAME batch must never share a handle (the working-set
+    // cache is keyed by it; sharing lets one suppress the other's deltas forever).
+    const res1 = await snapshot(client, "batch_1");
+    const res2 = await snapshot(client, "batch_1");
+    const h1 = res1.headers.get("electric-handle");
+    const h2 = res2.headers.get("electric-handle");
+    expect(h1).toBeTruthy();
+    expect(h1).not.toBe(h2);
+
+    // Catch-up under an existing handle keeps it.
+    const res3 = await client.streamBatch(
+      `http://localhost:3030/realtime/v1/batches/batch_1?offset=123_1&handle=${h1}`,
+      ENV,
+      "batch_1",
+      CURRENT_API_VERSION,
+      undefined,
+      "1.0.0"
+    );
+    expect(res3.headers.get("electric-handle")).toBe(h1);
+  });
+});
+
+describe("NativeRealtimeClient resolve admission gate (mass-reconnect stampede)", () => {
+  // A resolver that blocks each invocation until released, so we can watch how many run
+  // concurrently. Tracks peak concurrency and exposes a release-one-at-a-time drain.
+  function gatedResolver() {
+    let active = 0;
+    let peak = 0;
+    const releases: Array<() => void> = [];
+    const resolve = vi.fn(async () => {
+      active++;
+      peak = Math.max(peak, active);
+      await new Promise<void>((r) => releases.push(r));
+      active--;
+      return ["run_1"];
+    });
+    return {
+      resolve,
+      peak: () => peak,
+      releaseOne: () => releases.shift()?.(),
+      waiting: () => releases.length,
+    };
+  }
+
+  function makeGatedClient(resolveAdmissionLimit: number, resolver: ReturnType<typeof gatedResolver>) {
+    const hydrateSpy = vi.fn(async (_env: string, ids: string[]) => ids.map(row));
+    return new NativeRealtimeClient({
+      runReader: { getRunById: async () => null, hydrateByIds: hydrateSpy } as any,
+      runListResolver: { resolveMatchingRunIds: resolver.resolve } as any,
+      router: new EnvChangeRouter({
+        source: { subscribeToEnv: () => () => {} },
+        hydrator: { hydrateByIds: hydrateSpy },
+        replayWindowMs: 0,
+        unsubscribeLingerMs: 0,
+      }),
+      limiter: { incrementAndCheck: async () => true, decrement: async () => {} } as any,
+      cachedLimitProvider: { getCachedLimit: async () => 100 },
+      maximumCreatedAtFilterAgeMs: 24 * 60 * 60 * 1000,
+      runSetResolveCacheTtlMs: 0, // no cache -> every distinct filter is a fresh resolve
+      resolveAdmissionLimit,
+    });
+  }
+
+  it("throttles a distinct-filter stampede to the admission limit of concurrent CH resolves", async () => {
+    const resolver = gatedResolver();
+    const client = makeGatedClient(2, resolver);
+
+    // 5 distinct batchIds => 5 distinct filters => 5 fresh resolves, fired at once.
+    const polls = [0, 1, 2, 3, 4].map((i) => snapshot(client, `batch_${i}`));
+
+    // Only the limit (2) may run concurrently; the rest queue for a permit.
+    await vi.waitFor(() => expect(resolver.resolve).toHaveBeenCalledTimes(2));
+    await sleep(20);
+    expect(resolver.resolve).toHaveBeenCalledTimes(2); // 3 still queued behind the gate
+    expect(resolver.peak()).toBe(2);
+
+    // Drain: each release frees a permit, admitting exactly one queued resolve.
+    while (resolver.waiting() > 0) {
+      resolver.releaseOne();
+      await sleep(5);
+    }
+    await Promise.all(polls);
+
+    expect(resolver.resolve).toHaveBeenCalledTimes(5); // all ran...
+    expect(resolver.peak()).toBe(2); // ...but never more than the limit at once
+  });
+
+  it("lets a same-filter burst through on a single permit (coalesces before the gate)", async () => {
+    const resolver = gatedResolver();
+    const client = makeGatedClient(1, resolver); // limit 1 would deadlock if each took a permit
+
+    // 5 identical filters fired at once -> single-flight collapses to one in-flight resolve.
+    const polls = [0, 1, 2, 3, 4].map(() => snapshot(client, "batch_same"));
+    await vi.waitFor(() => expect(resolver.resolve).toHaveBeenCalledTimes(1));
+    await sleep(20);
+
+    resolver.releaseOne();
+    await Promise.all(polls);
+    expect(resolver.resolve).toHaveBeenCalledTimes(1); // one resolve, one permit, no queue
+  });
+});
+
+describe("NativeRealtimeClient tag-list createdAt bucketing", () => {
+  it("floors the resolved createdAt lower bound to the bucket boundary", async () => {
+    // Fix the clock to a non-bucket-aligned instant so the assertion is deterministic.
+    vi.useFakeTimers({ toFake: ["Date"] });
+    vi.setSystemTime(new Date("2026-06-07T10:00:30.500Z"));
+    try {
+      const { client, resolveSpy } = makeClient({ runSetCreatedAtBucketMs: 60_000 });
+      await snapshotTag(client, ["critical"]);
+      const passed = resolveSpy.mock.calls[0][0].createdAtAfter as Date;
+      expect(passed.getTime() % 60_000).toBe(0);
+    } finally {
+      vi.useRealTimers();
+    }
+  });
+
+  it("lets two same-tag feeds in the same bucket share one resolve", async () => {
+    // A large bucket guarantees both windows floor to the same boundary regardless of
+    // the sub-millisecond gap between the two calls.
+    const { client, resolveSpy, hydrateSpy } = makeClient({
+      runSetCreatedAtBucketMs: 60 * 60_000,
+    });
+    await snapshotTag(client, ["critical"]);
+    await snapshotTag(client, ["critical"]);
+    expect(resolveSpy).toHaveBeenCalledTimes(1);
+    expect(hydrateSpy).toHaveBeenCalledTimes(1);
+  });
+
+  it("does not share across different tags", async () => {
+    const { client, resolveSpy } = makeClient({ runSetCreatedAtBucketMs: 60 * 60_000 });
+    await snapshotTag(client, ["critical"]);
+    await snapshotTag(client, ["debug"]);
+    expect(resolveSpy).toHaveBeenCalledTimes(2);
+  });
+
+  it("does not collide a comma-containing tag with two separate tags", async () => {
+    const { client, resolveSpy } = makeClient({ runSetCreatedAtBucketMs: 60 * 60_000 });
+    await snapshotTag(client, ["a,b"]); // one tag "a,b"
+    await snapshotTag(client, ["a", "b"]); // two tags a OR b — a different filter
+    expect(resolveSpy).toHaveBeenCalledTimes(2);
+  });
+
+  it("keeps each feed's exact lower bound when bucketing is disabled (0)", async () => {
+    vi.useFakeTimers({ toFake: ["Date"] });
+    vi.setSystemTime(new Date("2026-06-07T10:00:30.500Z"));
+    try {
+      const { client, resolveSpy } = makeClient({ runSetCreatedAtBucketMs: 0 });
+      await snapshotTag(client, ["critical"]);
+      const passed = resolveSpy.mock.calls[0][0].createdAtAfter as Date;
+      // Exact (now - 24h) lower bound, not floored to a 60s boundary.
+      expect(passed.getTime() % 60_000).not.toBe(0);
+    } finally {
+      vi.useRealTimers();
+    }
+  });
+});
+
+describe("NativeRealtimeClient review fixes", () => {
+  // makeClient's router has a no-op source, so the live poll never gets a wake and falls
+  // through to its backstop timeout — the full ClickHouse resolve these tests assert on
+  // (createdAt clamp / concurrency limit).
+
+  it("clamps a stale/crafted handle's createdAt up to the max-age floor", async () => {
+    const maxAge = 24 * 60 * 60 * 1000;
+    const { client, resolveSpy } = makeClient({
+      maximumCreatedAtFilterAgeMs: maxAge,
+      runSetCreatedAtBucketMs: 0,
+      livePollTimeoutMs: 50,
+    });
+    const before = Date.now();
+    // Handle encodes createdAt = 1ms epoch, far older than the 24h ceiling.
+    await client.streamRuns(
+      "http://localhost:3030/realtime/v1/runs?offset=123_1&live=true&handle=runs_1_7",
+      ENV,
+      { tags: ["t"] },
+      CURRENT_API_VERSION,
+      undefined,
+      "1.0.0"
+    );
+    const passed = resolveSpy.mock.calls[0][0].createdAtAfter as Date;
+    // Clamped to ~now - maxAge, not the epoch value encoded in the handle.
+    expect(passed.getTime()).toBeGreaterThan(before - maxAge - 1_000);
+  });
+
+  it("enforces a concurrency limit of 0 instead of failing with a 500", async () => {
+    let limitCheckedWith: number | undefined;
+    const { client } = makeClient({
+      cachedLimitProvider: { getCachedLimit: async () => 0 },
+      limiter: {
+        incrementAndCheck: async (_env: string, _id: string, limit: number) => {
+          limitCheckedWith = limit;
+          return true;
+        },
+        decrement: async () => {},
+      },
+      livePollTimeoutMs: 50,
+    });
+    const res = await client.streamBatch(
+      "http://localhost:3030/realtime/v1/batches/batch_1?offset=123_1&live=true&handle=batch_batch_1_7_abc",
+      ENV,
+      "batch_1",
+      CURRENT_API_VERSION,
+      undefined,
+      "1.0.0"
+    );
+    expect(res.status).toBe(200);
+    expect(limitCheckedWith).toBe(0);
+  });
+});
diff --git a/apps/webapp/test/realtime/replayCursorStore.test.ts b/apps/webapp/test/realtime/replayCursorStore.test.ts
new file mode 100644
index 00000000000..b66bc72df9c
--- /dev/null
+++ b/apps/webapp/test/realtime/replayCursorStore.test.ts
@@ -0,0 +1,141 @@
+import { redisTest } from "@internal/testcontainers";
+import { setTimeout as sleep } from "node:timers/promises";
+import { CURRENT_API_VERSION } from "~/api/versions";
+import { EnvChangeRouter } from "~/services/realtime/envChangeRouter.server";
+import {
+  NativeRealtimeClient,
+  type RealtimeListEnvironment,
+} from "~/services/realtime/nativeRealtimeClient.server";
+import {
+  InMemoryReplayCursorStore,
+  RedisReplayCursorStore,
+  type ReplayCursorStore,
+} from "~/services/realtime/replayCursorStore.server";
+import { describe, expect, it, vi } from "vitest";
+
+describe("InMemoryReplayCursorStore", () => {
+  it("round-trips and expires", async () => {
+    const store = new InMemoryReplayCursorStore(50, 10);
+    store.set("env_1:h1", 123_456);
+    expect(await store.get("env_1:h1")).toBe(123_456);
+    expect(await store.get("env_1:other")).toBeUndefined();
+    await sleep(60);
+    expect(await store.get("env_1:h1")).toBeUndefined();
+  });
+});
+
+describe("RedisReplayCursorStore", () => {
+  redisTest("round-trips, misses, and expires via PX", async ({ redisOptions }) => {
+    const store = new RedisReplayCursorStore({
+      redis: { ...redisOptions, tlsDisabled: true },
+      ttlMs: 150,
+    });
+    try {
+      const now = Date.now();
+      store.set("env_1:h1", now);
+      await vi.waitFor(async () => expect(await store.get("env_1:h1")).toBe(now));
+      expect(await store.get("env_1:missing")).toBeUndefined();
+      await sleep(200);
+      expect(await store.get("env_1:h1")).toBeUndefined();
+    } finally {
+      await store.quit();
+    }
+  });
+
+  redisTest("a second store instance reads the first's cursor (fleet sharing)", async ({
+    redisOptions,
+  }) => {
+    const a = new RedisReplayCursorStore({
+      redis: { ...redisOptions, tlsDisabled: true },
+      ttlMs: 60_000,
+    });
+    const b = new RedisReplayCursorStore({
+      redis: { ...redisOptions, tlsDisabled: true },
+      ttlMs: 60_000,
+    });
+    try {
+      a.set("env_1:h2", 42_000);
+      await vi.waitFor(async () => expect(await b.get("env_1:h2")).toBe(42_000));
+    } finally {
+      await Promise.all([a.quit(), b.quit()]);
+    }
+  });
+
+  it("degrades to undefined within the read deadline when Redis is unreachable", async () => {
+    const results: Array<[string, boolean]> = [];
+    const store = new RedisReplayCursorStore({
+      redis: { host: "127.0.0.1", port: 1, tlsDisabled: true } as any,
+      ttlMs: 1_000,
+      getTimeoutMs: 100,
+      onResult: (op, ok) => results.push([op, ok]),
+    });
+    try {
+      expect(await store.get("env_1:h3")).toBeUndefined();
+      expect(results).toContainEqual(["get", false]);
+    } finally {
+      await store.quit().catch(() => {});
+    }
+  });
+});
+
+describe("NativeRealtimeClient replay-cursor threading", () => {
+  const ENV: RealtimeListEnvironment = { id: "env_1", organizationId: "org_1", projectId: "proj_1" };
+  const FLOOR_MS = Date.UTC(2026, 5, 7, 12, 0, 0);
+
+  it("passes the stored cursor to register and stamps the store after responding", async () => {
+    const cursorMs = Date.now() - 500;
+    const gets: string[] = [];
+    const sets: Array<[string, number]> = [];
+    const store: ReplayCursorStore = {
+      get: async (key) => {
+        gets.push(key);
+        return cursorMs;
+      },
+      set: (key, ms) => {
+        sets.push([key, ms]);
+      },
+    };
+
+    const router = new EnvChangeRouter({
+      source: { subscribeToEnv: () => () => {} },
+      hydrator: { hydrateByIds: async () => [] },
+      replayWindowMs: 0,
+      unsubscribeLingerMs: 0,
+    });
+    const registerSpy = vi.spyOn(router, "register");
+
+    const client = new NativeRealtimeClient({
+      runReader: { getRunById: async () => null, hydrateByIds: async () => [] } as any,
+      runListResolver: { resolveMatchingRunIds: async () => [] } as any,
+      router,
+      limiter: { incrementAndCheck: async () => true, decrement: async () => {} } as any,
+      cachedLimitProvider: { getCachedLimit: async () => 100 },
+      maximumCreatedAtFilterAgeMs: 100 * 365 * 24 * 60 * 60 * 1000,
+      runSetResolveCacheTtlMs: 0,
+      livePollTimeoutMs: 30,
+      replayCursorStore: store,
+    });
+
+    const res = await client.streamRuns(
+      `http://localhost:3030/realtime/v1/runs?offset=${FLOOR_MS}_1&live=true&handle=runs_${FLOOR_MS}_7`,
+      ENV,
+      { tags: ["t"] },
+      CURRENT_API_VERSION,
+      undefined,
+      "1.0.0"
+    );
+
+    expect(res.status).toBe(200);
+    expect(gets).toEqual([`env_1:runs_${FLOOR_MS}_7`]);
+    expect(registerSpy).toHaveBeenCalledWith(
+      "env_1",
+      expect.objectContaining({ kind: "tag" }),
+      expect.anything(),
+      { replaySinceMs: cursorMs }
+    );
+    // The backstop's up-to-date response stamps the cursor for the next poll.
+    expect(sets.length).toBe(1);
+    expect(sets[0][0]).toBe(`env_1:runs_${FLOOR_MS}_7`);
+    expect(sets[0][1]).toBeGreaterThanOrEqual(cursorMs);
+  });
+});
diff --git a/apps/webapp/test/realtime/replicaLagEstimator.test.ts b/apps/webapp/test/realtime/replicaLagEstimator.test.ts
new file mode 100644
index 00000000000..7666ea28efb
--- /dev/null
+++ b/apps/webapp/test/realtime/replicaLagEstimator.test.ts
@@ -0,0 +1,164 @@
+import { afterEach, describe, expect, it } from "vitest";
+import {
+  FirstSupportedReplicaLagSource,
+  ReplicaLagEstimator,
+  type ReplicaLagSource,
+} from "~/services/realtime/replicaLagEstimator.server";
+
+const sleep = (ms: number) => new Promise((r) => setTimeout(r, ms));
+
+function source(sampleLagMs: () => Promise<number | undefined>, name = "fake"): ReplicaLagSource {
+  return { name, sampleLagMs };
+}
+
+describe("ReplicaLagEstimator", () => {
+  let estimator: ReplicaLagEstimator | undefined;
+
+  afterEach(() => {
+    estimator?.stop();
+    estimator = undefined;
+  });
+
+  it("returns the default before any sample lands", () => {
+    estimator = new ReplicaLagEstimator({
+      source: source(async () => undefined),
+      defaultLagMs: 42,
+    });
+    expect(estimator.getLagMs()).toBe(42);
+  });
+
+  it("samples the source while touched and reports the window max", async () => {
+    const samples = [10, 60, 20];
+    let i = 0;
+    estimator = new ReplicaLagEstimator({
+      source: source(async () => samples[Math.min(i++, samples.length - 1)]),
+      sampleIntervalMs: 10,
+      windowMs: 5_000,
+      defaultLagMs: 0,
+    });
+    estimator.touch();
+    await sleep(60);
+    // The max sample (60) dominates even after smaller ones land.
+    expect(estimator.getLagMs()).toBe(60);
+  });
+
+  it("widens immediately on an observed (tripwire) lag and clamps wild values", () => {
+    estimator = new ReplicaLagEstimator({
+      source: source(async () => 5),
+      defaultLagMs: 5,
+      maxLagMs: 1_000,
+    });
+    estimator.noteObservedLagMs(250);
+    expect(estimator.getLagMs()).toBe(250);
+    estimator.noteObservedLagMs(99_999);
+    expect(estimator.getLagMs()).toBe(1_000);
+  });
+
+  it("an observed lag floors the estimate past the sample window (until its TTL)", async () => {
+    estimator = new ReplicaLagEstimator({
+      source: source(async () => 0), // caught-up zeros, like vanilla PG between writes
+      sampleIntervalMs: 10,
+      windowMs: 30,
+      defaultLagMs: 0,
+      observedFloorTtlMs: 10_000,
+    });
+    estimator.touch();
+    estimator.noteObservedLagMs(150);
+    // Long past windowMs the zeros have flushed the observation out of the window,
+    // but the floor still carries it.
+    await sleep(80);
+    expect(estimator.getLagMs()).toBe(150);
+  });
+
+  it("stops sampling once idle and resumes on touch", async () => {
+    let probes = 0;
+    estimator = new ReplicaLagEstimator({
+      source: source(async () => {
+        probes++;
+        return 1;
+      }),
+      sampleIntervalMs: 10,
+      idleAfterMs: 20,
+    });
+    estimator.touch();
+    await sleep(80);
+    const afterIdle = probes;
+    expect(afterIdle).toBeGreaterThan(0);
+    await sleep(40);
+    // No new samples while idle...
+    expect(probes).toBe(afterIdle);
+    // ...and touching resumes immediately.
+    estimator.touch();
+    await sleep(15);
+    expect(probes).toBeGreaterThan(afterIdle);
+  });
+
+  it("survives a throwing source and keeps the last known value", async () => {
+    let fail = false;
+    estimator = new ReplicaLagEstimator({
+      source: source(async () => {
+        if (fail) throw new Error("source down");
+        return 33;
+      }),
+      sampleIntervalMs: 10,
+      windowMs: 30,
+      defaultLagMs: 0,
+    });
+    estimator.touch();
+    await sleep(25);
+    expect(estimator.getLagMs()).toBe(33);
+    fail = true;
+    await sleep(60);
+    // Window emptied, source failing — falls back to the last known sample.
+    expect(estimator.getLagMs()).toBe(33);
+  });
+});
+
+describe("FirstSupportedReplicaLagSource", () => {
+  it("selects the first candidate whose sample succeeds and sticks with it", async () => {
+    let auroraCalls = 0;
+    let vanillaCalls = 0;
+    const composed = new FirstSupportedReplicaLagSource([
+      source(async () => {
+        auroraCalls++;
+        throw new Error("function aurora_replica_status() does not exist");
+      }, "aurora"),
+      source(async () => {
+        vanillaCalls++;
+        return 7;
+      }, "vanilla-pg"),
+    ]);
+    expect(composed.name).toBe("undetected");
+    expect(await composed.sampleLagMs()).toBe(7);
+    expect(composed.name).toBe("vanilla-pg");
+    expect(await composed.sampleLagMs()).toBe(7);
+    // The unsupported dialect was only probed during selection.
+    expect(auroraCalls).toBe(1);
+    expect(vanillaCalls).toBe(2);
+  });
+
+  it("degrades to never-measuring when no candidate works", async () => {
+    const composed = new FirstSupportedReplicaLagSource([
+      source(async () => {
+        throw new Error("nope");
+      }),
+    ]);
+    expect(await composed.sampleLagMs()).toBeUndefined();
+    expect(await composed.sampleLagMs()).toBeUndefined();
+  });
+
+  it("a transient error after selection skips the sample without unselecting", async () => {
+    let calls = 0;
+    const composed = new FirstSupportedReplicaLagSource([
+      source(async () => {
+        calls++;
+        if (calls === 2) throw new Error("transient");
+        return 11;
+      }, "flaky"),
+    ]);
+    expect(await composed.sampleLagMs()).toBe(11);
+    expect(await composed.sampleLagMs()).toBeUndefined(); // transient error -> skipped sample
+    expect(await composed.sampleLagMs()).toBe(11); // still selected
+    expect(composed.name).toBe("flaky");
+  });
+});
diff --git a/apps/webapp/test/realtime/runChangeNotifier.test.ts b/apps/webapp/test/realtime/runChangeNotifier.test.ts
new file mode 100644
index 00000000000..96d7fd56a45
--- /dev/null
+++ b/apps/webapp/test/realtime/runChangeNotifier.test.ts
@@ -0,0 +1,172 @@
+import { redisTest } from "@internal/testcontainers";
+import { setTimeout as sleep } from "node:timers/promises";
+import { describe, expect, it, vi } from "vitest";
+import {
+  type ChangeRecord,
+  decodeChangeRecord,
+  encodeChangeRecord,
+  RunChangeNotifier,
+} from "~/services/realtime/runChangeNotifier.server";
+
+function toRedisOptions(redisOptions: { host?: string; port?: number; password?: string }) {
+  return {
+    host: redisOptions.host,
+    port: redisOptions.port,
+    password: redisOptions.password,
+    tlsDisabled: true,
+    clusterMode: false,
+  };
+}
+
+// Time for a SUBSCRIBE to register server-side before we publish.
+const SUBSCRIBE_SETTLE_MS = 250;
+
+describe("RunChangeNotifier", () => {
+  redisTest(
+    "delivers a published change to an env subscriber",
+    { timeout: 30_000 },
+    async ({ redisOptions }) => {
+      const notifier = new RunChangeNotifier({ redis: toRedisOptions(redisOptions) });
+      try {
+        const received: ChangeRecord[] = [];
+        const unsubscribe = notifier.subscribeToEnv("env_1", (records) => received.push(...records));
+        expect(notifier.activeSubscriptionCount).toBe(1);
+
+        await sleep(SUBSCRIBE_SETTLE_MS);
+        notifier.publish({ runId: "run_1", envId: "env_1", tags: ["a"], batchId: "batch_1" });
+
+        await vi.waitFor(() => expect(received.some((r) => r.runId === "run_1")).toBe(true), {
+          timeout: 5_000,
+          interval: 50,
+        });
+        const got = received.find((r) => r.runId === "run_1")!;
+        expect(got.tags).toEqual(["a"]);
+        expect(got.batchId).toBe("batch_1");
+
+        unsubscribe();
+        // Cleanup is deferred until Redis confirms UNSUBSCRIBE, so the count converges to 0.
+        await vi.waitFor(() => expect(notifier.activeSubscriptionCount).toBe(0), {
+          timeout: 5_000,
+          interval: 50,
+        });
+      } finally {
+        await notifier.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "does not deliver a change for a different env",
+    { timeout: 30_000 },
+    async ({ redisOptions }) => {
+      const notifier = new RunChangeNotifier({ redis: toRedisOptions(redisOptions) });
+      try {
+        const received: ChangeRecord[] = [];
+        notifier.subscribeToEnv("env_a", (records) => received.push(...records));
+
+        await sleep(SUBSCRIBE_SETTLE_MS);
+        notifier.publish({ runId: "run_1", envId: "env_b", tags: [] }); // different env
+        await sleep(500);
+
+        expect(received).toHaveLength(0);
+      } finally {
+        await notifier.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "coalesces a burst of env publishes into far fewer batches than publishes (lossless)",
+    { timeout: 30_000 },
+    async ({ redisOptions }) => {
+      const notifier = new RunChangeNotifier({
+        redis: toRedisOptions(redisOptions),
+        envWakeCoalesceWindowMs: 100,
+      });
+      try {
+        let batches = 0;
+        const runIds = new Set<string>();
+        notifier.subscribeToEnv("env_burst", (records) => {
+          batches++;
+          for (const r of records) runIds.add(r.runId);
+        });
+
+        await sleep(SUBSCRIBE_SETTLE_MS);
+        let pubs = 0;
+        const end = Date.now() + 1_000;
+        while (Date.now() < end) {
+          notifier.publish({ runId: `r${pubs++}`, envId: "env_burst", tags: [] });
+          await sleep(5);
+        }
+        await sleep(300);
+
+        expect(pubs).toBeGreaterThan(100);
+        expect(batches).toBeGreaterThanOrEqual(1);
+        // Leading-edge throttle: far fewer deliveries than publishes...
+        expect(batches).toBeLessThan(pubs / 4);
+        // ...but lossless — the batch accumulates every run that changed in the window.
+        expect(runIds.size).toBeGreaterThan(pubs / 2);
+      } finally {
+        await notifier.quit();
+      }
+    }
+  );
+
+  // Sharded pub/sub (SSUBSCRIBE/SPUBLISH/smessage) wiring — validated end to end on a
+  // single node (Redis 7.2 accepts these and delivers same-node). Multi-shard ROUTING
+  // needs a real cluster (the cluster fixture covers that); this proves the command path.
+  redisTest(
+    "delivers via sharded pub/sub on the env channel",
+    { timeout: 30_000 },
+    async ({ redisOptions }) => {
+      const notifier = new RunChangeNotifier({
+        redis: toRedisOptions(redisOptions),
+        shardedPubSub: true,
+      });
+      try {
+        const received: ChangeRecord[] = [];
+        notifier.subscribeToEnv("env_sharded", (records) => received.push(...records));
+
+        await sleep(SUBSCRIBE_SETTLE_MS);
+        notifier.publish({ runId: "run_1", envId: "env_sharded", tags: ["a"] });
+
+        await vi.waitFor(() => expect(received.some((r) => r.runId === "run_1")).toBe(true), {
+          timeout: 5_000,
+          interval: 50,
+        });
+      } finally {
+        await notifier.quit();
+      }
+    }
+  );
+
+  describe("ChangeRecord codec", () => {
+    it("round-trips a full record (tags with a separator survive)", () => {
+      const encoded = encodeChangeRecord({
+        v: 1,
+        runId: "run_1",
+        envId: "env_1",
+        tags: ["a", "b,c"],
+        batchId: "batch_1",
+      });
+      expect(decodeChangeRecord(encoded)).toMatchObject({
+        v: 1,
+        runId: "run_1",
+        envId: "env_1",
+        tags: ["a", "b,c"],
+        batchId: "batch_1",
+      });
+    });
+
+    it("decodes a bare runId to a partial record (tags undefined)", () => {
+      // A bare/legacy frame: the consumer falls back to hydrate-to-classify.
+      const decoded = decodeChangeRecord("run_3");
+      expect(decoded.runId).toBe("run_3");
+      expect(decoded.tags).toBeUndefined();
+    });
+
+    it("falls back to a bare runId on an unparseable message", () => {
+      expect(decodeChangeRecord("{not json").runId).toBe("{not json");
+    });
+  });
+});
diff --git a/apps/webapp/test/realtime/runReaderProjection.test.ts b/apps/webapp/test/realtime/runReaderProjection.test.ts
new file mode 100644
index 00000000000..07aebf92589
--- /dev/null
+++ b/apps/webapp/test/realtime/runReaderProjection.test.ts
@@ -0,0 +1,75 @@
+import { describe, expect, it, vi } from "vitest";
+import { buildHydratorSelect, RunHydrator } from "~/services/realtime/runReader.server";
+
+describe("buildHydratorSelect", () => {
+  it("returns the full select when nothing is skipped", () => {
+    const select = buildHydratorSelect([]);
+    expect(select.id).toBe(true);
+    expect(select.payload).toBe(true);
+    expect(select.output).toBe(true);
+    expect(select.metadata).toBe(true);
+    expect(select.error).toBe(true);
+  });
+
+  it("keeps protocol-reserved columns even when asked to skip them", () => {
+    // Reserved columns are always emitted by the serializer, so hydration must keep
+    // them regardless of skipColumns or the output is null/incorrect.
+    const select = buildHydratorSelect([
+      "status",
+      "taskIdentifier",
+      "createdAt",
+      "friendlyId",
+      "payload",
+    ]);
+    expect(select.status).toBe(true);
+    expect(select.taskIdentifier).toBe(true);
+    expect(select.createdAt).toBe(true);
+    expect(select.friendlyId).toBe(true);
+    // A non-reserved skipped column is still dropped.
+    expect(select.payload).toBeUndefined();
+  });
+
+  it("drops skipped columns but always keeps id + updatedAt", () => {
+    const select = buildHydratorSelect(["payload", "output", "metadata", "error"]);
+    expect(select.payload).toBeUndefined();
+    expect(select.output).toBeUndefined();
+    expect(select.metadata).toBeUndefined();
+    expect(select.error).toBeUndefined();
+    // Needed internally regardless of skipColumns (keys the row, drives the diff/offset).
+    expect(select.id).toBe(true);
+    expect(select.updatedAt).toBe(true);
+    // A non-skipped column survives.
+    expect(select.status).toBe(true);
+  });
+});
+
+describe("RunHydrator.hydrateByIds column projection", () => {
+  function makeHydrator() {
+    let capturedSelect: Record<string, boolean> | undefined;
+    const replica = {
+      taskRun: {
+        findMany: vi.fn(async ({ select }: { select: Record<string, boolean> }) => {
+          capturedSelect = select;
+          return [];
+        }),
+      },
+    } as any;
+    return { hydrator: new RunHydrator({ replica }), getSelect: () => capturedSelect };
+  }
+
+  it("projects the SELECT by skipColumns", async () => {
+    const { hydrator, getSelect } = makeHydrator();
+    await hydrator.hydrateByIds("env_1", ["run_1"], ["payload", "output"]);
+    const select = getSelect()!;
+    expect(select.payload).toBeUndefined();
+    expect(select.output).toBeUndefined();
+    expect(select.id).toBe(true);
+    expect(select.updatedAt).toBe(true);
+  });
+
+  it("selects the full column set when no skipColumns are given", async () => {
+    const { hydrator, getSelect } = makeHydrator();
+    await hydrator.hydrateByIds("env_1", ["run_1"]);
+    expect(getSelect()!.payload).toBe(true);
+  });
+});
diff --git a/apps/webapp/test/realtime/shadowCompare.test.ts b/apps/webapp/test/realtime/shadowCompare.test.ts
new file mode 100644
index 00000000000..0d5f431f0bf
--- /dev/null
+++ b/apps/webapp/test/realtime/shadowCompare.test.ts
@@ -0,0 +1,216 @@
+import {
+  type RealtimeRunRow,
+  serializeRunRow,
+} from "~/services/realtime/electricStreamProtocol.server";
+import { type RunListFilter } from "~/services/realtime/runReader.server";
+import { RealtimeShadowComparator } from "~/services/realtime/shadowCompare.server";
+import { describe, expect, it } from "vitest";
+
+function sampleRow(overrides: Partial<RealtimeRunRow> = {}): RealtimeRunRow {
+  return {
+    id: "run_a",
+    taskIdentifier: "my-task",
+    createdAt: new Date("2026-06-07T09:00:00.000Z"),
+    updatedAt: new Date("2026-06-07T10:05:30.123Z"),
+    startedAt: null,
+    delayUntil: null,
+    queuedAt: null,
+    expiredAt: null,
+    completedAt: null,
+    friendlyId: "run_friendly_a",
+    number: 7,
+    isTest: true,
+    status: "EXECUTING",
+    usageDurationMs: 1234,
+    costInCents: 0.55,
+    baseCostInCents: 0.25,
+    ttl: "1h",
+    payload: '{"hello":"world"}',
+    payloadType: "application/json",
+    metadata: null,
+    metadataType: "application/json",
+    output: null,
+    outputType: "application/json",
+    runTags: ["a", "b"],
+    error: null,
+    realtimeStreams: [],
+    ...overrides,
+  };
+}
+
+const UP_TO_DATE = { headers: { control: "up-to-date" } };
+
+function insert(value: Record<string, string | null>) {
+  return { key: `"public"."TaskRun"/"${value.id}"`, value, headers: { operation: "insert" } };
+}
+
+function makeComparator(
+  rowsById: Record<string, RealtimeRunRow | null>,
+  resolvedIds: string[] = []
+) {
+  return new RealtimeShadowComparator({
+    runReader: {
+      getRunById: async (_env: string, id: string) => rowsById[id] ?? null,
+      hydrateByIds: async (_env: string, ids: string[]) =>
+        ids.map((id) => rowsById[id]).filter((row): row is RealtimeRunRow => Boolean(row)),
+    } as any,
+    runListResolver: { resolveMatchingRunIds: async (_f: RunListFilter) => resolvedIds } as any,
+  });
+}
+
+describe("RealtimeShadowComparator serialization", () => {
+  it("counts a faithful re-serialization as a match", async () => {
+    const row = sampleRow();
+    const body = JSON.stringify([insert(serializeRunRow(row)), UP_TO_DATE]);
+    const cmp = makeComparator({ run_a: row });
+
+    const out = await cmp.compare({
+      feed: "run",
+      electricBody: body,
+      environment: { id: "env_1" },
+      skipColumns: [],
+      isInitialSnapshot: true,
+    });
+
+    expect(out.serializationMatched).toBe(1);
+    expect(out.serializationDiverged).toBe(0);
+    expect(out.serializationSkew).toBe(0);
+    expect(out.diffs).toEqual([]);
+  });
+
+  it("does not flag semantically-equivalent but differently-encoded values", async () => {
+    const row = sampleRow();
+    // Electric encodes bool as "true" (native uses "t"), a number with a trailing
+    // zero, and a timestamp without millis — all equal after decoding.
+    const value = {
+      ...serializeRunRow(row),
+      isTest: "true",
+      costInCents: "0.5500",
+      createdAt: "2026-06-07T09:00:00",
+    };
+    const body = JSON.stringify([insert(value), UP_TO_DATE]);
+    const cmp = makeComparator({ run_a: row });
+
+    const out = await cmp.compare({
+      feed: "run",
+      electricBody: body,
+      environment: { id: "env_1" },
+      skipColumns: [],
+      isInitialSnapshot: true,
+    });
+
+    expect(out.serializationMatched).toBe(1);
+    expect(out.serializationDiverged).toBe(0);
+  });
+
+  it("flags a genuine column divergence (same version)", async () => {
+    const row = sampleRow();
+    const value = { ...serializeRunRow(row), payload: '{"hello":"TAMPERED"}' };
+    const body = JSON.stringify([insert(value), UP_TO_DATE]);
+    const cmp = makeComparator({ run_a: row });
+
+    const out = await cmp.compare({
+      feed: "run",
+      electricBody: body,
+      environment: { id: "env_1" },
+      skipColumns: [],
+      isInitialSnapshot: true,
+    });
+
+    expect(out.serializationDiverged).toBe(1);
+    expect(out.serializationMatched).toBe(0);
+    expect(out.diffs).toEqual([
+      { runId: "run_a", column: "payload", electric: '{"hello":"TAMPERED"}', native: '{"hello":"world"}' },
+    ]);
+  });
+
+  it("treats DEQUEUED/EXECUTING as equivalent (legacy status rewrite)", async () => {
+    const row = sampleRow({ status: "EXECUTING" });
+    const value = { ...serializeRunRow(row), status: "DEQUEUED" };
+    const body = JSON.stringify([insert(value), UP_TO_DATE]);
+    const cmp = makeComparator({ run_a: row });
+
+    const out = await cmp.compare({
+      feed: "run",
+      electricBody: body,
+      environment: { id: "env_1" },
+      skipColumns: [],
+      isInitialSnapshot: true,
+    });
+
+    expect(out.serializationDiverged).toBe(0);
+    expect(out.serializationMatched).toBe(1);
+  });
+
+  it("records skew when the row advanced between emit and refetch", async () => {
+    const row = sampleRow();
+    // Electric emitted an older version; the refetched row is newer.
+    const value = { ...serializeRunRow(sampleRow({ updatedAt: new Date("2026-06-07T10:00:00.000Z") })) };
+    const body = JSON.stringify([insert(value), UP_TO_DATE]);
+    const cmp = makeComparator({ run_a: row });
+
+    const out = await cmp.compare({
+      feed: "run",
+      electricBody: body,
+      environment: { id: "env_1" },
+      skipColumns: [],
+      isInitialSnapshot: true,
+    });
+
+    expect(out.serializationSkew).toBe(1);
+    expect(out.serializationMatched).toBe(0);
+    expect(out.serializationDiverged).toBe(0);
+  });
+});
+
+describe("RealtimeShadowComparator membership", () => {
+  const filter: RunListFilter = {
+    organizationId: "org_1",
+    projectId: "proj_1",
+    environmentId: "env_1",
+    tags: ["t"],
+    createdAtAfter: new Date("2026-06-06T00:00:00.000Z"),
+    limit: 1000,
+  };
+
+  function bodyFor(ids: string[]) {
+    const msgs = ids.map((id) => insert(serializeRunRow(sampleRow({ id }))));
+    return JSON.stringify([...msgs, UP_TO_DATE]);
+  }
+
+  it("matches when Electric's set equals the native resolver's set", async () => {
+    const cmp = makeComparator(
+      { a: sampleRow({ id: "a" }), b: sampleRow({ id: "b" }) },
+      ["a", "b"]
+    );
+    const out = await cmp.compare({
+      feed: "runs",
+      electricBody: bodyFor(["a", "b"]),
+      environment: { id: "env_1" },
+      skipColumns: [],
+      isInitialSnapshot: true,
+      membershipFilter: filter,
+    });
+    expect(out.membershipMatch).toBe(true);
+    expect(out.missingInNative).toEqual([]);
+    expect(out.extraInNative).toEqual([]);
+  });
+
+  it("reports rows missing from / extra in the native resolution", async () => {
+    const cmp = makeComparator(
+      { a: sampleRow({ id: "a" }), b: sampleRow({ id: "b" }) },
+      ["a", "c"] // native missing b, has extra c
+    );
+    const out = await cmp.compare({
+      feed: "runs",
+      electricBody: bodyFor(["a", "b"]),
+      environment: { id: "env_1" },
+      skipColumns: [],
+      isInitialSnapshot: true,
+      membershipFilter: filter,
+    });
+    expect(out.membershipMatch).toBe(false);
+    expect(out.missingInNative).toEqual(["b"]);
+    expect(out.extraInNative).toEqual(["c"]);
+  });
+});
diff --git a/apps/webapp/test/replay-after-crash.test.ts b/apps/webapp/test/replay-after-crash.test.ts
new file mode 100644
index 00000000000..fdd5274b5e7
--- /dev/null
+++ b/apps/webapp/test/replay-after-crash.test.ts
@@ -0,0 +1,320 @@
+// Plan F.3: integration test for the crash-recovery boot path. The
+// scenario it locks down:
+//
+//   1. Run A streams chunks to `session.out` and `onTurnComplete` fires.
+//   2. Run A crashes BEFORE `writeChatSnapshot` lands the post-turn
+//      blob (or the write fails silently — both have the same effect).
+//   3. Run B boots: `readChatSnapshot` returns `undefined` (no snapshot
+//      yet, or stale-from-prior-turn). Replay then drains
+//      `session.out` from the snapshot's `lastOutEventId` (or seq 0)
+//      and reduces the chunks back into UIMessage[].
+//   4. The accumulator is consistent — Run A's completed chunks reach
+//      Run B's run loop without losing data.
+//
+// Plan section H.1 / H.4 spell out the "snapshot didn't make it before
+// crash" path; this test is the integration safety net behind the
+// unit tests in `packages/trigger-sdk/test/replay-session-out.test.ts`.
+//
+// We exercise the SDK's `__replaySessionOutTailProductionPathForTests`
+// against a stubbed `apiClient.readSessionStreamRecords` — the new
+// non-SSE records endpoint introduced in plan task #22. The replay path
+// is a single GET that returns whatever's already on the stream; no
+// long-poll. MinIO is provisioned to keep parity with
+// `chat-snapshot-integration.test.ts` (the snapshot read path runs
+// through it), even though the replay path itself doesn't read from S3.
+
+import { postgresAndMinioTest } from "@internal/testcontainers";
+import { apiClientManager } from "@trigger.dev/core/v3";
+import {
+  __readChatSnapshotProductionPathForTests as readChatSnapshot,
+  __replaySessionOutTailProductionPathForTests as replaySessionOutTail,
+  type ChatSnapshotV1,
+} from "@trigger.dev/sdk/ai";
+import type { UIMessageChunk } from "ai";
+import { afterEach, describe, expect, vi } from "vitest";
+import { env } from "~/env.server";
+import { chatSnapshotStoragePathForSession } from "~/services/realtime/chatSnapshot.server";
+import { generatePresignedUrl } from "~/v3/objectStore.server";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+// ── Helpers ────────────────────────────────────────────────────────────
+
+function textTurn(id: string, text: string): UIMessageChunk[] {
+  return [
+    { type: "start", messageId: id, messageMetadata: { role: "assistant" } } as UIMessageChunk,
+    { type: "text-start", id: `${id}.t1` } as UIMessageChunk,
+    { type: "text-delta", id: `${id}.t1`, delta: text } as UIMessageChunk,
+    { type: "text-end", id: `${id}.t1` } as UIMessageChunk,
+    { type: "finish" } as UIMessageChunk,
+  ];
+}
+
+/**
+ * Stub `apiClientManager.clientOrThrow()` so:
+ *   - `getPayloadUrl` / `createUploadPayloadUrl` mint MinIO presigned URLs
+ *     via the webapp's real `generatePresignedUrl` (so snapshot reads
+ *     hit a real S3-compatible backend).
+ *   - `readSessionStreamRecords` returns the canonical
+ *     `{ records: [{ data, id, seqNum }] }` shape. `data` is the parsed
+ *     chunk OBJECT — the SDK writer puts the chunk object directly into
+ *     the record envelope and the webapp route forwards it as-is, so
+ *     the schema now declares `data: z.unknown()` and consumers use it
+ *     without an extra `JSON.parse` step.
+ */
+function stubApiClient(opts: {
+  projectRef: string;
+  envSlug: string;
+  sessionOutChunks: unknown[];
+}) {
+  const records = opts.sessionOutChunks.map((chunk, i) => ({
+    data: chunk,
+    id: `evt-${i + 1}`,
+    seqNum: i + 1,
+  }));
+  const readRecordsSpy = vi.fn(
+    async (_id: string, _io: "in" | "out", _options?: { afterEventId?: string }) => ({
+      records,
+    })
+  );
+  vi.spyOn(apiClientManager, "clientOrThrow").mockReturnValue({
+    async getChatSnapshotUrl(sessionId: string) {
+      const key = chatSnapshotStoragePathForSession(sessionId);
+      const result = await generatePresignedUrl(opts.projectRef, opts.envSlug, key, "GET");
+      if (!result.success) throw new Error(result.error);
+      return { presignedUrl: result.url };
+    },
+    async createChatSnapshotUploadUrl(sessionId: string) {
+      const key = chatSnapshotStoragePathForSession(sessionId);
+      const result = await generatePresignedUrl(opts.projectRef, opts.envSlug, key, "PUT");
+      if (!result.success) throw new Error(result.error);
+      return { presignedUrl: result.url };
+    },
+    readSessionStreamRecords: readRecordsSpy,
+  } as never);
+  return readRecordsSpy;
+}
+
+let warnSpy: ReturnType<typeof vi.spyOn>;
+
+afterEach(() => {
+  vi.restoreAllMocks();
+  warnSpy?.mockRestore();
+});
+
+// ── Tests ──────────────────────────────────────────────────────────────
+
+describe("replay after crash (MinIO + SDK helpers)", () => {
+  postgresAndMinioTest(
+    "boot reconstructs accumulator from session.out replay when no snapshot exists",
+    async ({ minioConfig }) => {
+      env.OBJECT_STORE_BASE_URL = minioConfig.baseUrl;
+      env.OBJECT_STORE_ACCESS_KEY_ID = minioConfig.accessKeyId;
+      env.OBJECT_STORE_SECRET_ACCESS_KEY = minioConfig.secretAccessKey;
+      env.OBJECT_STORE_REGION = minioConfig.region;
+      env.OBJECT_STORE_DEFAULT_PROTOCOL = undefined;
+
+      warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+      // The crashed run's session.out: two completed assistant turns, no
+      // snapshot ever written. Boot must recover both via replay.
+      const chunks = [...textTurn("a-1", "first turn"), ...textTurn("a-2", "second turn")];
+      stubApiClient({
+        projectRef: "proj_replay_crash",
+        envSlug: "dev",
+        sessionOutChunks: chunks,
+      });
+
+      // Step 1: read snapshot — returns undefined (fresh boot, no snap).
+      const snapshot = await readChatSnapshot("sess_no_snap");
+      expect(snapshot).toBeUndefined();
+
+      // Step 2: replay tail.
+      const replayed = await replaySessionOutTail("sess_no_snap");
+
+      expect(replayed).toHaveLength(2);
+      expect(replayed.map((m) => m.id)).toEqual(["a-1", "a-2"]);
+      const texts = replayed.flatMap((m) =>
+        (m.parts as Array<{ type: string; text?: string }>)
+          .filter((p) => p.type === "text")
+          .map((p) => p.text)
+      );
+      expect(texts).toEqual(["first turn", "second turn"]);
+    }
+  );
+
+  postgresAndMinioTest(
+    "boot replays only chunks AFTER snapshot.lastOutEventId (resume cursor)",
+    async ({ minioConfig }) => {
+      env.OBJECT_STORE_BASE_URL = minioConfig.baseUrl;
+      env.OBJECT_STORE_ACCESS_KEY_ID = minioConfig.accessKeyId;
+      env.OBJECT_STORE_SECRET_ACCESS_KEY = minioConfig.secretAccessKey;
+      env.OBJECT_STORE_REGION = minioConfig.region;
+      env.OBJECT_STORE_DEFAULT_PROTOCOL = undefined;
+
+      // The replay helper accepts the snapshot's `lastEventId` cursor
+      // and forwards it as `afterEventId` on the records endpoint —
+      // that's the cursor field name on the new non-SSE route. Here we
+      // feed only the post-snapshot chunks (modeling what the server
+      // returns for `afterEventId=evt-snapped`) and verify the helper
+      // threads the cursor through.
+      const readRecordsSpy = stubApiClient({
+        projectRef: "proj_replay_resume",
+        envSlug: "dev",
+        sessionOutChunks: textTurn("a-after-snap", "post-snapshot turn"),
+      });
+
+      const result = await replaySessionOutTail("sess_resume", { lastEventId: "evt-snapped" });
+
+      expect(readRecordsSpy).toHaveBeenCalledWith(
+        "sess_resume",
+        "out",
+        expect.objectContaining({ afterEventId: "evt-snapped" })
+      );
+      expect(result).toHaveLength(1);
+      expect(result[0]!.id).toBe("a-after-snap");
+    }
+  );
+
+  postgresAndMinioTest(
+    "boot returns [] when session.out is empty (first-ever turn, no snapshot)",
+    async ({ minioConfig }) => {
+      env.OBJECT_STORE_BASE_URL = minioConfig.baseUrl;
+      env.OBJECT_STORE_ACCESS_KEY_ID = minioConfig.accessKeyId;
+      env.OBJECT_STORE_SECRET_ACCESS_KEY = minioConfig.secretAccessKey;
+      env.OBJECT_STORE_REGION = minioConfig.region;
+      env.OBJECT_STORE_DEFAULT_PROTOCOL = undefined;
+
+      warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+      stubApiClient({
+        projectRef: "proj_replay_empty",
+        envSlug: "dev",
+        sessionOutChunks: [],
+      });
+
+      const snapshot = await readChatSnapshot("sess_empty");
+      expect(snapshot).toBeUndefined();
+
+      const replayed = await replaySessionOutTail("sess_empty");
+      expect(replayed).toEqual([]);
+    }
+  );
+
+  postgresAndMinioTest(
+    "boot drops orphaned trailing tool parts (cleanupAbortedParts) — partial crash",
+    async ({ minioConfig }) => {
+      // Simulates a true mid-turn crash: assistant finished one turn,
+      // then started a tool-call but the run died before resolution.
+      // Replay must surface the completed turn but NOT include the
+      // orphaned tool part in `input-streaming` state.
+      env.OBJECT_STORE_BASE_URL = minioConfig.baseUrl;
+      env.OBJECT_STORE_ACCESS_KEY_ID = minioConfig.accessKeyId;
+      env.OBJECT_STORE_SECRET_ACCESS_KEY = minioConfig.secretAccessKey;
+      env.OBJECT_STORE_REGION = minioConfig.region;
+      env.OBJECT_STORE_DEFAULT_PROTOCOL = undefined;
+
+      stubApiClient({
+        projectRef: "proj_replay_partial",
+        envSlug: "dev",
+        sessionOutChunks: [
+          ...textTurn("a-complete", "I finished step 1"),
+          // Partial tool turn — no tool-input-end, no finish.
+          { type: "start", messageId: "a-orphan", messageMetadata: { role: "assistant" } } as UIMessageChunk,
+          { type: "tool-input-start", id: "tc-cut", toolName: "search" } as UIMessageChunk,
+          { type: "tool-input-delta", id: "tc-cut", delta: '{"q":"x"}' } as UIMessageChunk,
+        ],
+      });
+
+      const replayed = await replaySessionOutTail("sess_partial_crash");
+
+      // Completed turn always present.
+      expect(replayed.find((m) => m.id === "a-complete")).toBeTruthy();
+      // Orphaned tool-call never surfaces in `input-streaming` state.
+      const orphan = replayed.find((m) => m.id === "a-orphan");
+      if (orphan) {
+        const stillStreaming = (orphan.parts as Array<{ toolCallId?: string; state?: string }>).find(
+          (p) => p.toolCallId === "tc-cut" && p.state === "input-streaming"
+        );
+        expect(stillStreaming).toBeUndefined();
+      }
+    }
+  );
+
+  postgresAndMinioTest(
+    "snapshot+replay merge: snapshot supplies user msgs, replay supplies assistants",
+    async ({ minioConfig }) => {
+      // The boot orchestration calls
+      // `mergeByIdReplaceWins(snapshot.messages, replayed)`. The runtime
+      // contract is that user messages live in snapshot only (session.in
+      // never goes through replay) and assistants come from replay
+      // (which carries the freshest representation). Here we simulate
+      // the realistic split: snapshot has [u-1, a-1-stale], replay has
+      // [a-1-fresh, a-2-new]. After merge the accumulator should reflect
+      // the fresh assistant + new assistant, with the user message
+      // preserved.
+      //
+      // Note: this is a pre-merge round-trip — we drive the read and
+      // replay through real MinIO + stubbed S2 to confirm both arrive
+      // intact for the orchestration to merge.
+      env.OBJECT_STORE_BASE_URL = minioConfig.baseUrl;
+      env.OBJECT_STORE_ACCESS_KEY_ID = minioConfig.accessKeyId;
+      env.OBJECT_STORE_SECRET_ACCESS_KEY = minioConfig.secretAccessKey;
+      env.OBJECT_STORE_REGION = minioConfig.region;
+      env.OBJECT_STORE_DEFAULT_PROTOCOL = undefined;
+
+      // Pre-write a snapshot to MinIO via real apiClient stub.
+      const sessionId = "sess_merge_round_trip";
+      const snapshot: ChatSnapshotV1 = {
+        version: 1,
+        savedAt: 1_700_000_000_000,
+        messages: [
+          { id: "u-1", role: "user", parts: [{ type: "text", text: "hi" }] },
+          { id: "a-1", role: "assistant", parts: [{ type: "text", text: "stale-assistant" }] },
+        ],
+        lastOutEventId: "evt-prev",
+      };
+
+      // Use the SDK's own writer to lay the snapshot down, then swap
+      // the stub to also serve replay chunks for the read path.
+      stubApiClient({
+        projectRef: "proj_merge",
+        envSlug: "dev",
+        sessionOutChunks: [],
+      });
+      const { __writeChatSnapshotProductionPathForTests: writeSnapshot } = await import(
+        "@trigger.dev/sdk/ai"
+      );
+      await writeSnapshot(sessionId, snapshot);
+
+      // Restubbing for the boot phase: replay tail carries the fresh
+      // assistant for `a-1` plus a brand-new `a-2`. The orchestration's
+      // merge would replace `a-1` and append `a-2` after `u-1`.
+      vi.restoreAllMocks();
+      stubApiClient({
+        projectRef: "proj_merge",
+        envSlug: "dev",
+        sessionOutChunks: [
+          ...textTurn("a-1", "fresh-assistant"),
+          ...textTurn("a-2", "next-assistant"),
+        ],
+      });
+
+      const readBack = await readChatSnapshot(sessionId);
+      expect(readBack?.messages.map((m) => m.id)).toEqual(["u-1", "a-1"]);
+
+      const replayed = await replaySessionOutTail(sessionId, {
+        lastEventId: readBack?.lastOutEventId,
+      });
+      expect(replayed.map((m) => m.id)).toEqual(["a-1", "a-2"]);
+      // Replay's `a-1` carries the fresh content — when merge runs in
+      // the runtime, this version would replace the snapshot's stale
+      // `a-1`.
+      const replayedA1Text = (replayed[0]!.parts as Array<{ type: string; text?: string }>)
+        .filter((p) => p.type === "text")
+        .map((p) => p.text)
+        .join("");
+      expect(replayedA1Text).toBe("fresh-assistant");
+    }
+  );
+});
diff --git a/apps/webapp/test/runsBackfiller.test.ts b/apps/webapp/test/runsBackfiller.test.ts
index 7051fb976f5..fbdb16a4a7b 100644
--- a/apps/webapp/test/runsBackfiller.test.ts
+++ b/apps/webapp/test/runsBackfiller.test.ts
@@ -7,16 +7,17 @@ vi.mock("~/db.server", () => ({
 }));
 
 import { ClickHouse } from "@internal/clickhouse";
-import { containerTest } from "@internal/testcontainers";
+import { replicationContainerTest } from "@internal/testcontainers";
 import { z } from "zod";
 import { RunsBackfillerService } from "~/services/runsBackfiller.server";
 import { RunsReplicationService } from "~/services/runsReplicationService.server";
 import { createInMemoryTracing } from "./utils/tracing";
+import { TestReplicationClickhouseFactory } from "./utils/testReplicationClickhouseFactory";
 
 vi.setConfig({ testTimeout: 60_000 });
 
 describe("RunsBackfillerService", () => {
-  containerTest(
+  replicationContainerTest(
     "should backfill completed runs to clickhouse",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       const clickhouse = new ClickHouse({
@@ -30,7 +31,7 @@ describe("RunsBackfillerService", () => {
       const { tracer, exporter } = createInMemoryTracing();
 
       const runsReplicationService = new RunsReplicationService({
-        clickhouse,
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
         pgConnectionUrl: postgresContainer.getConnectionUri(),
         serviceName: "runs-replication",
         slotName: "task_runs_to_clickhouse_v1",
diff --git a/apps/webapp/test/runsReplicationBenchmark.test.ts b/apps/webapp/test/runsReplicationBenchmark.test.ts
index 5c04ef55cc8..d1b80d06af0 100644
--- a/apps/webapp/test/runsReplicationBenchmark.test.ts
+++ b/apps/webapp/test/runsReplicationBenchmark.test.ts
@@ -1,5 +1,5 @@
 import { ClickHouse } from "@internal/clickhouse";
-import { containerTest } from "@internal/testcontainers";
+import { replicationContainerTest } from "@internal/testcontainers";
 import { fork, type ChildProcess } from "node:child_process";
 import { performance, PerformanceObserver } from "node:perf_hooks";
 import { setTimeout } from "node:timers/promises";
@@ -7,6 +7,7 @@ import path from "node:path";
 import { z } from "zod";
 import { RunsReplicationService } from "~/services/runsReplicationService.server";
 import { createInMemoryTracing, createInMemoryMetrics } from "./utils/tracing";
+import { TestReplicationClickhouseFactory } from "./utils/testReplicationClickhouseFactory";
 
 // Extend test timeout for benchmarks
 vi.setConfig({ testTimeout: 300_000 }); // 5 minutes
@@ -320,7 +321,7 @@ async function runBenchmark(
 
   // Create and start replication service
   const runsReplicationService = new RunsReplicationService({
-    clickhouse,
+    clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
     pgConnectionUrl: postgresContainer.getConnectionUri(),
     serviceName: `benchmark-${name}`,
     slotName: `benchmark_${name.replace(/-/g, "_")}`,
@@ -500,7 +501,7 @@ function compareBenchmarks(baseline: BenchmarkResult, comparison: BenchmarkResul
 }
 
 describe("RunsReplicationService Benchmark", () => {
-  containerTest.skipIf(process.env.BENCHMARKS_ENABLED !== "1")(
+  replicationContainerTest.skipIf(process.env.BENCHMARKS_ENABLED !== "1")(
     "should benchmark error fingerprinting performance impact",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       // Enable replica identity for TaskRun table
diff --git a/apps/webapp/test/runsReplicationService.part1.test.ts b/apps/webapp/test/runsReplicationService.part1.test.ts
index 715d4583dc2..5a085944a61 100644
--- a/apps/webapp/test/runsReplicationService.part1.test.ts
+++ b/apps/webapp/test/runsReplicationService.part1.test.ts
@@ -1,16 +1,17 @@
 import { ClickHouse } from "@internal/clickhouse";
-import { containerTest } from "@internal/testcontainers";
+import { replicationContainerTest } from "@internal/testcontainers";
 import { setTimeout } from "node:timers/promises";
 import { z } from "zod";
 import { TaskRunStatus } from "~/database-types";
 import { RunsReplicationService } from "~/services/runsReplicationService.server";
 import { createInMemoryTracing, createInMemoryMetrics } from "./utils/tracing";
+import { TestReplicationClickhouseFactory } from "./utils/testReplicationClickhouseFactory";
 import superjson from "superjson";
 
 vi.setConfig({ testTimeout: 60_000 });
 
-describe("RunsReplicationService (part 1/2)", () => {
-  containerTest(
+describe("RunsReplicationService (part 1/7)", () => {
+  replicationContainerTest(
     "should replicate runs to clickhouse",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
@@ -27,7 +28,7 @@ describe("RunsReplicationService (part 1/2)", () => {
       const { tracer, exporter } = createInMemoryTracing();
 
       const runsReplicationService = new RunsReplicationService({
-        clickhouse,
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
         pgConnectionUrl: postgresContainer.getConnectionUri(),
         serviceName: "runs-replication",
         slotName: "task_runs_to_clickhouse_v1",
@@ -134,7 +135,7 @@ describe("RunsReplicationService (part 1/2)", () => {
     }
   );
 
-  containerTest(
+  replicationContainerTest(
     "should replicate runs with super json payloads to clickhouse",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
@@ -151,7 +152,7 @@ describe("RunsReplicationService (part 1/2)", () => {
       const { tracer, exporter } = createInMemoryTracing();
 
       const runsReplicationService = new RunsReplicationService({
-        clickhouse,
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
         pgConnectionUrl: postgresContainer.getConnectionUri(),
         serviceName: "runs-replication",
         slotName: "task_runs_to_clickhouse_v1",
@@ -275,7 +276,7 @@ describe("RunsReplicationService (part 1/2)", () => {
     }
   );
 
-  containerTest(
+  replicationContainerTest(
     "should not produce any flush spans when no TaskRun events are produced",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
@@ -289,7 +290,7 @@ describe("RunsReplicationService (part 1/2)", () => {
       const { tracer, exporter } = createInMemoryTracing();
 
       const runsReplicationService = new RunsReplicationService({
-        clickhouse,
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
         pgConnectionUrl: postgresContainer.getConnectionUri(),
         serviceName: "runs-replication",
         slotName: "task_runs_to_clickhouse_v1",
@@ -347,7 +348,7 @@ describe("RunsReplicationService (part 1/2)", () => {
     }
   );
 
-  containerTest(
+  replicationContainerTest(
     "should replicate a new TaskRun to ClickHouse using batching insert strategy",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
@@ -359,7 +360,7 @@ describe("RunsReplicationService (part 1/2)", () => {
       });
 
       const runsReplicationService = new RunsReplicationService({
-        clickhouse,
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
         pgConnectionUrl: postgresContainer.getConnectionUri(),
         serviceName: "runs-replication-batching",
         slotName: "task_runs_to_clickhouse_v1",
@@ -451,7 +452,7 @@ describe("RunsReplicationService (part 1/2)", () => {
     }
   );
 
-  containerTest(
+  replicationContainerTest(
     "should insert the payload into ClickHouse when a TaskRun is created",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
@@ -463,7 +464,7 @@ describe("RunsReplicationService (part 1/2)", () => {
       });
 
       const runsReplicationService = new RunsReplicationService({
-        clickhouse,
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
         pgConnectionUrl: postgresContainer.getConnectionUri(),
         serviceName: "runs-replication-payload",
         slotName: "task_runs_to_clickhouse_v1",
@@ -552,7 +553,7 @@ describe("RunsReplicationService (part 1/2)", () => {
     }
   );
 
-  containerTest(
+  replicationContainerTest(
     "should insert the payload even if it's very large into ClickHouse when a TaskRun is created",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
@@ -564,7 +565,7 @@ describe("RunsReplicationService (part 1/2)", () => {
       });
 
       const runsReplicationService = new RunsReplicationService({
-        clickhouse,
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
         pgConnectionUrl: postgresContainer.getConnectionUri(),
         serviceName: "runs-replication-payload",
         slotName: "task_runs_to_clickhouse_v1",
@@ -657,701 +658,4 @@ describe("RunsReplicationService (part 1/2)", () => {
       await runsReplicationService.stop();
     }
   );
-
-  containerTest(
-    "should replicate updates to an existing TaskRun to ClickHouse",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
-
-      const clickhouse = new ClickHouse({
-        url: clickhouseContainer.getConnectionUrl(),
-        name: "runs-replication-update",
-        logLevel: "warn",
-      });
-
-      const runsReplicationService = new RunsReplicationService({
-        clickhouse,
-        pgConnectionUrl: postgresContainer.getConnectionUri(),
-        serviceName: "runs-replication-update",
-        slotName: "task_runs_to_clickhouse_v1",
-        publicationName: "task_runs_to_clickhouse_v1_publication",
-        redisOptions,
-        maxFlushConcurrency: 1,
-        flushIntervalMs: 100,
-        flushBatchSize: 1,
-        leaderLockTimeoutMs: 5000,
-        leaderLockExtendIntervalMs: 1000,
-        ackIntervalSeconds: 5,
-        logLevel: "warn",
-      });
-
-      await runsReplicationService.start();
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test-update",
-          slug: "test-update",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test-update",
-          slug: "test-update",
-          organizationId: organization.id,
-          externalRef: "test-update",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test-update",
-          type: "DEVELOPMENT",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test-update",
-          pkApiKey: "test-update",
-          shortcode: "test-update",
-        },
-      });
-
-      const uniqueFriendlyId = `run_update_${Date.now()}`;
-      const taskRun = await prisma.taskRun.create({
-        data: {
-          friendlyId: uniqueFriendlyId,
-          taskIdentifier: "my-task-update",
-          payload: JSON.stringify({ foo: "update-test" }),
-          payloadType: "application/json",
-          traceId: "update-1234",
-          spanId: "update-1234",
-          queue: "test-update",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-          status: "PENDING",
-        },
-      });
-
-      await setTimeout(1000);
-
-      await prisma.taskRun.update({
-        where: { id: taskRun.id },
-        data: { status: TaskRunStatus.COMPLETED_SUCCESSFULLY },
-      });
-
-      await setTimeout(1000);
-
-      const queryRuns = clickhouse.reader.query({
-        name: "runs-replication-update",
-        query: "SELECT * FROM trigger_dev.task_runs_v2 FINAL WHERE run_id = {run_id:String}",
-        schema: z.any(),
-        params: z.object({ run_id: z.string() }),
-      });
-
-      const [queryError, result] = await queryRuns({ run_id: taskRun.id });
-
-      expect(queryError).toBeNull();
-      expect(result?.length).toBe(1);
-      expect(result?.[0]).toEqual(
-        expect.objectContaining({
-          run_id: taskRun.id,
-          status: TaskRunStatus.COMPLETED_SUCCESSFULLY,
-        })
-      );
-
-      await runsReplicationService.stop();
-    }
-  );
-
-  containerTest(
-    "should replicate deletions of a TaskRun to ClickHouse and mark as deleted",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
-
-      const clickhouse = new ClickHouse({
-        url: clickhouseContainer.getConnectionUrl(),
-        name: "runs-replication-delete",
-        logLevel: "warn",
-      });
-
-      const runsReplicationService = new RunsReplicationService({
-        clickhouse,
-        pgConnectionUrl: postgresContainer.getConnectionUri(),
-        serviceName: "runs-replication-delete",
-        slotName: "task_runs_to_clickhouse_v1",
-        publicationName: "task_runs_to_clickhouse_v1_publication",
-        redisOptions,
-        maxFlushConcurrency: 1,
-        flushIntervalMs: 100,
-        flushBatchSize: 1,
-        leaderLockTimeoutMs: 5000,
-        leaderLockExtendIntervalMs: 1000,
-        ackIntervalSeconds: 5,
-        logLevel: "warn",
-      });
-
-      await runsReplicationService.start();
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test-delete",
-          slug: "test-delete",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test-delete",
-          slug: "test-delete",
-          organizationId: organization.id,
-          externalRef: "test-delete",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test-delete",
-          type: "DEVELOPMENT",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test-delete",
-          pkApiKey: "test-delete",
-          shortcode: "test-delete",
-        },
-      });
-
-      const uniqueFriendlyId = `run_delete_${Date.now()}`;
-      const taskRun = await prisma.taskRun.create({
-        data: {
-          friendlyId: uniqueFriendlyId,
-          taskIdentifier: "my-task-delete",
-          payload: JSON.stringify({ foo: "delete-test" }),
-          payloadType: "application/json",
-          traceId: "delete-1234",
-          spanId: "delete-1234",
-          queue: "test-delete",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-          status: "PENDING",
-        },
-      });
-
-      await setTimeout(1000);
-
-      await prisma.taskRun.delete({
-        where: { id: taskRun.id },
-      });
-
-      await setTimeout(1000);
-
-      const queryRuns = clickhouse.reader.query({
-        name: "runs-replication-delete",
-        query: "SELECT * FROM trigger_dev.task_runs_v2 FINAL WHERE run_id = {run_id:String}",
-        schema: z.any(),
-        params: z.object({ run_id: z.string() }),
-      });
-
-      const [queryError, result] = await queryRuns({ run_id: taskRun.id });
-
-      expect(queryError).toBeNull();
-      expect(result?.length).toBe(0);
-
-      await runsReplicationService.stop();
-    }
-  );
-
-  containerTest(
-    "should gracefully shutdown and allow a new service to pick up from the correct LSN (handover)",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
-
-      const clickhouse = new ClickHouse({
-        url: clickhouseContainer.getConnectionUrl(),
-        name: "runs-replication-shutdown-handover",
-        logLevel: "warn",
-      });
-
-      // Service A
-      const runsReplicationServiceA = new RunsReplicationService({
-        clickhouse,
-        pgConnectionUrl: postgresContainer.getConnectionUri(),
-        serviceName: "runs-replication-shutdown-handover",
-        slotName: "task_runs_to_clickhouse_v1",
-        publicationName: "task_runs_to_clickhouse_v1_publication",
-        redisOptions,
-        maxFlushConcurrency: 1,
-        flushIntervalMs: 100,
-        flushBatchSize: 1,
-        leaderLockTimeoutMs: 5000,
-        leaderLockExtendIntervalMs: 1000,
-        ackIntervalSeconds: 5,
-        logLevel: "warn",
-      });
-
-      await runsReplicationServiceA.start();
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test-shutdown-handover",
-          slug: "test-shutdown-handover",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test-shutdown-handover",
-          slug: "test-shutdown-handover",
-          organizationId: organization.id,
-          externalRef: "test-shutdown-handover",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test-shutdown-handover",
-          type: "DEVELOPMENT",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test-shutdown-handover",
-          pkApiKey: "test-shutdown-handover",
-          shortcode: "test-shutdown-handover",
-        },
-      });
-
-      const run1Id = `run_shutdown_handover_1_${Date.now()}`;
-
-      runsReplicationServiceA.events.on("message", async ({ message, service }) => {
-        if (message.tag === "insert") {
-          await service.shutdown();
-        }
-      });
-
-      const taskRun1 = await prisma.taskRun.create({
-        data: {
-          friendlyId: run1Id,
-          taskIdentifier: "my-task-shutdown-handover-1",
-          payload: JSON.stringify({ foo: "handover-1" }),
-          payloadType: "application/json",
-          traceId: "handover-1-1234",
-          spanId: "handover-1-1234",
-          queue: "test-shutdown-handover",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-          status: "PENDING",
-        },
-      });
-
-      const run2Id = `run_shutdown_handover_2_${Date.now()}`;
-      const taskRun2 = await prisma.taskRun.create({
-        data: {
-          friendlyId: run2Id,
-          taskIdentifier: "my-task-shutdown-handover-2",
-          payload: JSON.stringify({ foo: "handover-2" }),
-          payloadType: "application/json",
-          traceId: "handover-2-1234",
-          spanId: "handover-2-1234",
-          queue: "test-shutdown-handover",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-          status: "PENDING",
-        },
-      });
-
-      await setTimeout(1000);
-
-      const queryRuns = clickhouse.reader.query({
-        name: "runs-replication-shutdown-handover",
-        query: "SELECT * FROM trigger_dev.task_runs_v2 FINAL ORDER BY created_at ASC",
-        schema: z.any(),
-      });
-      const [queryError, result] = await queryRuns({});
-      expect(queryError).toBeNull();
-      expect(result?.length).toBe(1);
-      expect(result?.[0]).toEqual(expect.objectContaining({ run_id: taskRun1.id }));
-
-      // Service B
-      const runsReplicationServiceB = new RunsReplicationService({
-        clickhouse,
-        pgConnectionUrl: postgresContainer.getConnectionUri(),
-        serviceName: "runs-replication-shutdown-handover",
-        slotName: "task_runs_to_clickhouse_v1",
-        publicationName: "task_runs_to_clickhouse_v1_publication",
-        redisOptions,
-        maxFlushConcurrency: 1,
-        flushIntervalMs: 100,
-        flushBatchSize: 1,
-        leaderLockTimeoutMs: 5000,
-        leaderLockExtendIntervalMs: 1000,
-        ackIntervalSeconds: 5,
-        logLevel: "warn",
-      });
-
-      await runsReplicationServiceB.start();
-
-      await setTimeout(1000);
-
-      const [queryErrorB, resultB] = await queryRuns({});
-
-      expect(queryErrorB).toBeNull();
-      expect(resultB?.length).toBe(2);
-      expect(resultB).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({ run_id: taskRun1.id }),
-          expect.objectContaining({ run_id: taskRun2.id }),
-        ])
-      );
-
-      await runsReplicationServiceB.stop();
-    }
-  );
-
-  containerTest(
-    "should not re-process already handled data if shutdown is called after all transactions are processed",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
-
-      const clickhouse = new ClickHouse({
-        url: clickhouseContainer.getConnectionUrl(),
-        name: "runs-replication-shutdown-after-processed",
-        logLevel: "warn",
-      });
-
-      // Service A
-      const runsReplicationServiceA = new RunsReplicationService({
-        clickhouse,
-        pgConnectionUrl: postgresContainer.getConnectionUri(),
-        serviceName: "runs-replication-shutdown-after-processed",
-        slotName: "task_runs_to_clickhouse_v1",
-        publicationName: "task_runs_to_clickhouse_v1_publication",
-        redisOptions,
-        maxFlushConcurrency: 1,
-        flushIntervalMs: 100,
-        flushBatchSize: 1,
-        leaderLockTimeoutMs: 5000,
-        leaderLockExtendIntervalMs: 1000,
-        ackIntervalSeconds: 5,
-        logLevel: "warn",
-      });
-
-      await runsReplicationServiceA.start();
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test-shutdown-after-processed",
-          slug: "test-shutdown-after-processed",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test-shutdown-after-processed",
-          slug: "test-shutdown-after-processed",
-          organizationId: organization.id,
-          externalRef: "test-shutdown-after-processed",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test-shutdown-after-processed",
-          type: "DEVELOPMENT",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test-shutdown-after-processed",
-          pkApiKey: "test-shutdown-after-processed",
-          shortcode: "test-shutdown-after-processed",
-        },
-      });
-
-      const run1Id = `run_shutdown_after_processed_${Date.now()}`;
-      const taskRun1 = await prisma.taskRun.create({
-        data: {
-          friendlyId: run1Id,
-          taskIdentifier: "my-task-shutdown-after-processed",
-          payload: JSON.stringify({ foo: "after-processed" }),
-          payloadType: "application/json",
-          traceId: "after-processed-1234",
-          spanId: "after-processed-1234",
-          queue: "test-shutdown-after-processed",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-          status: "PENDING",
-        },
-      });
-
-      await setTimeout(1000);
-
-      const queryRuns = clickhouse.reader.query({
-        name: "runs-replication-shutdown-after-processed",
-        query: "SELECT * FROM trigger_dev.task_runs_v2 FINAL WHERE run_id = {run_id:String}",
-        schema: z.any(),
-        params: z.object({ run_id: z.string() }),
-      });
-
-      const [queryErrorA, resultA] = await queryRuns({ run_id: taskRun1.id });
-      expect(queryErrorA).toBeNull();
-      expect(resultA?.length).toBe(1);
-      expect(resultA?.[0]).toEqual(expect.objectContaining({ run_id: taskRun1.id }));
-
-      await runsReplicationServiceA.shutdown();
-
-      await setTimeout(500);
-
-      const taskRun2 = await prisma.taskRun.create({
-        data: {
-          friendlyId: `run_shutdown_after_processed_${Date.now()}`,
-          taskIdentifier: "my-task-shutdown-after-processed",
-          payload: JSON.stringify({ foo: "after-processed-2" }),
-          payloadType: "application/json",
-          traceId: "after-processed-2-1234",
-          spanId: "after-processed-2-1234",
-          queue: "test-shutdown-after-processed",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-          status: "PENDING",
-        },
-      });
-
-      // Service B
-      const runsReplicationServiceB = new RunsReplicationService({
-        clickhouse,
-        pgConnectionUrl: postgresContainer.getConnectionUri(),
-        serviceName: "runs-replication-shutdown-after-processed",
-        slotName: "task_runs_to_clickhouse_v1",
-        publicationName: "task_runs_to_clickhouse_v1_publication",
-        redisOptions,
-        maxFlushConcurrency: 1,
-        flushIntervalMs: 100,
-        flushBatchSize: 1,
-        leaderLockTimeoutMs: 5000,
-        leaderLockExtendIntervalMs: 1000,
-        ackIntervalSeconds: 5,
-        logLevel: "warn",
-      });
-
-      await runsReplicationServiceB.start();
-
-      await setTimeout(1000);
-
-      const [queryErrorB, resultB] = await queryRuns({ run_id: taskRun2.id });
-      expect(queryErrorB).toBeNull();
-      expect(resultB?.length).toBe(1);
-      expect(resultB?.[0]).toEqual(expect.objectContaining({ run_id: taskRun2.id }));
-
-      await runsReplicationServiceB.stop();
-    }
-  );
-
-  containerTest(
-    "should record metrics with correct values when replicating runs",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
-
-      const clickhouse = new ClickHouse({
-        url: clickhouseContainer.getConnectionUrl(),
-        name: "runs-replication-metrics",
-        logLevel: "warn",
-      });
-
-      const { tracer } = createInMemoryTracing();
-      const metricsHelper = createInMemoryMetrics();
-
-      const runsReplicationService = new RunsReplicationService({
-        clickhouse,
-        pgConnectionUrl: postgresContainer.getConnectionUri(),
-        serviceName: "runs-replication-metrics",
-        slotName: "task_runs_to_clickhouse_v1",
-        publicationName: "task_runs_to_clickhouse_v1_publication",
-        redisOptions,
-        maxFlushConcurrency: 2,
-        flushIntervalMs: 100,
-        flushBatchSize: 5,
-        leaderLockTimeoutMs: 5000,
-        leaderLockExtendIntervalMs: 1000,
-        ackIntervalSeconds: 5,
-        tracer,
-        meter: metricsHelper.meter,
-        logLevel: "warn",
-      });
-
-      await runsReplicationService.start();
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test-metrics",
-          slug: "test-metrics",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test-metrics",
-          slug: "test-metrics",
-          organizationId: organization.id,
-          externalRef: "test-metrics",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test-metrics",
-          type: "DEVELOPMENT",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test-metrics",
-          pkApiKey: "test-metrics",
-          shortcode: "test-metrics",
-        },
-      });
-
-      const now = Date.now();
-      const createdRuns: string[] = [];
-
-      for (let i = 0; i < 5; i++) {
-        const run = await prisma.taskRun.create({
-          data: {
-            friendlyId: `run_metrics_${now}_${i}`,
-            taskIdentifier: "my-task-metrics",
-            payload: JSON.stringify({ index: i }),
-            payloadType: "application/json",
-            traceId: `metrics-${now}-${i}`,
-            spanId: `metrics-${now}-${i}`,
-            queue: "test-metrics",
-            runtimeEnvironmentId: runtimeEnvironment.id,
-            projectId: project.id,
-            organizationId: organization.id,
-            environmentType: "DEVELOPMENT",
-            engine: "V2",
-            status: "PENDING",
-          },
-        });
-        createdRuns.push(run.id);
-      }
-
-      await setTimeout(1000);
-
-      for (let i = 0; i < 3; i++) {
-        await prisma.taskRun.update({
-          where: { id: createdRuns[i] },
-          data: { status: "EXECUTING" },
-        });
-      }
-
-      await setTimeout(1000);
-
-      for (let i = 0; i < 2; i++) {
-        await prisma.taskRun.update({
-          where: { id: createdRuns[i] },
-          data: {
-            status: "COMPLETED_SUCCESSFULLY",
-            completedAt: new Date(),
-            output: JSON.stringify({ result: "success" }),
-            outputType: "application/json",
-          },
-        });
-      }
-
-      await setTimeout(1000);
-
-      const metrics = await metricsHelper.getMetrics();
-
-      function getMetricData(name: string) {
-        for (const resourceMetrics of metrics) {
-          for (const scopeMetrics of resourceMetrics.scopeMetrics) {
-            for (const metric of scopeMetrics.metrics) {
-              if (metric.descriptor.name === name) {
-                return metric;
-              }
-            }
-          }
-        }
-        return null;
-      }
-
-      function sumCounterValues(metric: any): number {
-        if (!metric?.dataPoints) return 0;
-        return metric.dataPoints.reduce((sum: number, dp: any) => sum + (dp.value || 0), 0);
-      }
-
-      function histogramHasData(metric: any): boolean {
-        if (!metric?.dataPoints || metric.dataPoints.length === 0) return false;
-        return metric.dataPoints.some((dp: any) => {
-          return (
-            (typeof dp.count === "number" && dp.count > 0) ||
-            (typeof dp.value?.count === "number" && dp.value.count > 0) ||
-            (Array.isArray(dp.buckets?.counts) && dp.buckets.counts.some((c: number) => c > 0)) ||
-            (typeof dp.sum === "number" && dp.sum > 0) ||
-            typeof dp.min === "number" ||
-            typeof dp.max === "number"
-          );
-        });
-      }
-
-      function getCounterAttributeValues(metric: any, attributeName: string): unknown[] {
-        if (!metric?.dataPoints) return [];
-        return metric.dataPoints
-          .filter((dp: any) => dp.attributes?.[attributeName] !== undefined)
-          .map((dp: any) => dp.attributes[attributeName]);
-      }
-
-      const batchesFlushed = getMetricData("runs_replication.batches_flushed");
-      expect(batchesFlushed).not.toBeNull();
-      const totalBatchesFlushed = sumCounterValues(batchesFlushed);
-      expect(totalBatchesFlushed).toBeGreaterThanOrEqual(1);
-
-      const successAttributeValues = getCounterAttributeValues(batchesFlushed, "success");
-      expect(successAttributeValues.length).toBeGreaterThanOrEqual(1);
-
-      const taskRunsInserted = getMetricData("runs_replication.task_runs_inserted");
-      expect(taskRunsInserted).not.toBeNull();
-      const totalTaskRunsInserted = sumCounterValues(taskRunsInserted);
-      expect(totalTaskRunsInserted).toBeGreaterThanOrEqual(5);
-
-      const payloadsInserted = getMetricData("runs_replication.payloads_inserted");
-      expect(payloadsInserted).not.toBeNull();
-      const totalPayloadsInserted = sumCounterValues(payloadsInserted);
-      expect(totalPayloadsInserted).toBeGreaterThanOrEqual(1);
-
-      const eventsProcessed = getMetricData("runs_replication.events_processed");
-      expect(eventsProcessed).not.toBeNull();
-      const totalEventsProcessed = sumCounterValues(eventsProcessed);
-      expect(totalEventsProcessed).toBeGreaterThanOrEqual(1);
-
-      const eventTypes = getCounterAttributeValues(eventsProcessed, "event_type");
-      expect(eventTypes.length).toBeGreaterThanOrEqual(1);
-      expect(eventTypes).toContain("insert");
-
-      const batchSize = getMetricData("runs_replication.batch_size");
-      expect(batchSize).not.toBeNull();
-      expect(histogramHasData(batchSize)).toBe(true);
-
-      const replicationLag = getMetricData("runs_replication.replication_lag_ms");
-      expect(replicationLag).not.toBeNull();
-      expect(histogramHasData(replicationLag)).toBe(true);
-
-      const flushDuration = getMetricData("runs_replication.flush_duration_ms");
-      expect(flushDuration).not.toBeNull();
-      expect(histogramHasData(flushDuration)).toBe(true);
-
-      await runsReplicationService.stop();
-      await metricsHelper.shutdown();
-    }
-  );
 });
diff --git a/apps/webapp/test/runsReplicationService.part2.test.ts b/apps/webapp/test/runsReplicationService.part2.test.ts
index a93f99f246b..90be5b18322 100644
--- a/apps/webapp/test/runsReplicationService.part2.test.ts
+++ b/apps/webapp/test/runsReplicationService.part2.test.ts
@@ -1,16 +1,17 @@
 import { ClickHouse, getTaskRunField, getPayloadField } from "@internal/clickhouse";
-import { containerTest } from "@internal/testcontainers";
+import { replicationContainerTest } from "@internal/testcontainers";
 import { Logger } from "@trigger.dev/core/logger";
 import { readFile } from "node:fs/promises";
 import { setTimeout } from "node:timers/promises";
 import { z } from "zod";
 import { RunsReplicationService } from "~/services/runsReplicationService.server";
 import { detectBadJsonStrings } from "~/utils/detectBadJsonStrings";
+import { TestReplicationClickhouseFactory } from "./utils/testReplicationClickhouseFactory";
 
 vi.setConfig({ testTimeout: 60_000 });
 
-describe("RunsReplicationService (part 2/2)", () => {
-  containerTest(
+describe("RunsReplicationService (part 2/7)", () => {
+  replicationContainerTest(
     "should handover leadership to a second service, and the second service should be able to extend the leader lock",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
@@ -23,7 +24,7 @@ describe("RunsReplicationService (part 2/2)", () => {
 
       // Service A
       const runsReplicationServiceA = new RunsReplicationService({
-        clickhouse,
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
         pgConnectionUrl: postgresContainer.getConnectionUri(),
         serviceName: "runs-replication-shutdown-handover",
         slotName: "task_runs_to_clickhouse_v1",
@@ -43,7 +44,7 @@ describe("RunsReplicationService (part 2/2)", () => {
 
       // Service A
       const runsReplicationServiceB = new RunsReplicationService({
-        clickhouse,
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
         pgConnectionUrl: postgresContainer.getConnectionUri(),
         serviceName: "runs-replication-shutdown-handover",
         slotName: "task_runs_to_clickhouse_v1",
@@ -140,7 +141,7 @@ describe("RunsReplicationService (part 2/2)", () => {
     }
   );
 
-  containerTest(
+  replicationContainerTest(
     "should replicate all 1,000 TaskRuns inserted in bulk to ClickHouse",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
@@ -152,7 +153,7 @@ describe("RunsReplicationService (part 2/2)", () => {
       });
 
       const runsReplicationService = new RunsReplicationService({
-        clickhouse,
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
         pgConnectionUrl: postgresContainer.getConnectionUri(),
         serviceName: "runs-replication-stress-bulk-insert",
         slotName: "task_runs_to_clickhouse_v1",
@@ -255,7 +256,7 @@ describe("RunsReplicationService (part 2/2)", () => {
     }
   );
 
-  containerTest(
+  replicationContainerTest(
     "should replicate all 1,000 TaskRuns inserted in bulk to ClickHouse with updates",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
@@ -267,7 +268,7 @@ describe("RunsReplicationService (part 2/2)", () => {
       });
 
       const runsReplicationService = new RunsReplicationService({
-        clickhouse,
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
         pgConnectionUrl: postgresContainer.getConnectionUri(),
         serviceName: "runs-replication-stress-bulk-insert",
         slotName: "task_runs_to_clickhouse_v1",
@@ -375,1062 +376,4 @@ describe("RunsReplicationService (part 2/2)", () => {
       await runsReplicationService.stop();
     }
   );
-
-  containerTest(
-    "should replicate all events in a single transaction (insert, update)",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
-
-      const clickhouse = new ClickHouse({
-        url: clickhouseContainer.getConnectionUrl(),
-        name: "runs-replication-multi-event-tx",
-        logLevel: "warn",
-      });
-
-      const runsReplicationService = new RunsReplicationService({
-        clickhouse,
-        pgConnectionUrl: postgresContainer.getConnectionUri(),
-        serviceName: "runs-replication-multi-event-tx",
-        slotName: "task_runs_to_clickhouse_v1",
-        publicationName: "task_runs_to_clickhouse_v1_publication",
-        redisOptions,
-        maxFlushConcurrency: 1,
-        flushIntervalMs: 100,
-        flushBatchSize: 10,
-        leaderLockTimeoutMs: 5000,
-        leaderLockExtendIntervalMs: 1000,
-        ackIntervalSeconds: 5,
-        logLevel: "warn",
-      });
-
-      await runsReplicationService.start();
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test-multi-event-tx",
-          slug: "test-multi-event-tx",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test-multi-event-tx",
-          slug: "test-multi-event-tx",
-          organizationId: organization.id,
-          externalRef: "test-multi-event-tx",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test-multi-event-tx",
-          type: "DEVELOPMENT",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test-multi-event-tx",
-          pkApiKey: "test-multi-event-tx",
-          shortcode: "test-multi-event-tx",
-        },
-      });
-
-      // Start a transaction
-      const [run1, run2] = await prisma.$transaction(async (tx) => {
-        const run1 = await tx.taskRun.create({
-          data: {
-            friendlyId: `run_multi_event_1_${Date.now()}`,
-            taskIdentifier: "my-task-multi-event-1",
-            payload: JSON.stringify({ multi: 1 }),
-            payloadType: "application/json",
-            traceId: `multi-1-${Date.now()}`,
-            spanId: `multi-1-${Date.now()}`,
-            queue: "test-multi-event-tx",
-            runtimeEnvironmentId: runtimeEnvironment.id,
-            projectId: project.id,
-            organizationId: organization.id,
-            environmentType: "DEVELOPMENT",
-            engine: "V2",
-            status: "PENDING",
-            attemptNumber: 1,
-            createdAt: new Date(),
-            updatedAt: new Date(),
-          },
-        });
-        const run2 = await tx.taskRun.create({
-          data: {
-            friendlyId: `run_multi_event_2_${Date.now()}`,
-            taskIdentifier: "my-task-multi-event-2",
-            payload: JSON.stringify({ multi: 2 }),
-            payloadType: "application/json",
-            traceId: `multi-2-${Date.now()}`,
-            spanId: `multi-2-${Date.now()}`,
-            queue: "test-multi-event-tx",
-            runtimeEnvironmentId: runtimeEnvironment.id,
-            projectId: project.id,
-            organizationId: organization.id,
-            environmentType: "DEVELOPMENT",
-            engine: "V2",
-            status: "PENDING",
-            attemptNumber: 1,
-            createdAt: new Date(),
-            updatedAt: new Date(),
-          },
-        });
-        await tx.taskRun.update({
-          where: { id: run1.id },
-          data: { status: "COMPLETED_SUCCESSFULLY" },
-        });
-
-        return [run1, run2];
-      });
-
-      // Wait for replication
-      await setTimeout(1000);
-
-      // Query ClickHouse for both runs using FINAL
-      const queryRuns = clickhouse.reader.query({
-        name: "runs-replication-multi-event-tx",
-        query: `SELECT * FROM trigger_dev.task_runs_v2 FINAL WHERE run_id IN ({run_id_1:String}, {run_id_2:String})`,
-        schema: z.any(),
-        params: z.object({ run_id_1: z.string(), run_id_2: z.string() }),
-      });
-
-      const [queryError, result] = await queryRuns({ run_id_1: run1.id, run_id_2: run2.id });
-      expect(queryError).toBeNull();
-      expect(result?.length).toBe(2);
-      const run1Result = result?.find((r: any) => r.run_id === run1.id);
-      const run2Result = result?.find((r: any) => r.run_id === run2.id);
-      expect(run1Result).toBeDefined();
-      expect(run1Result).toEqual(
-        expect.objectContaining({ run_id: run1.id, status: "COMPLETED_SUCCESSFULLY" })
-      );
-      expect(run2Result).toBeDefined();
-      expect(run2Result).toEqual(expect.objectContaining({ run_id: run2.id }));
-
-      await runsReplicationService.stop();
-    }
-  );
-
-  containerTest(
-    "should be able to handle processing transactions for a long period of time",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
-
-      const clickhouse = new ClickHouse({
-        url: clickhouseContainer.getConnectionUrl(),
-        name: "runs-replication-long-tx",
-        logLevel: "warn",
-      });
-
-      const runsReplicationService = new RunsReplicationService({
-        clickhouse,
-        pgConnectionUrl: postgresContainer.getConnectionUri(),
-        serviceName: "runs-replication-long-tx",
-        slotName: "task_runs_to_clickhouse_v1",
-        publicationName: "task_runs_to_clickhouse_v1_publication",
-        redisOptions,
-        maxFlushConcurrency: 1,
-        flushIntervalMs: 100,
-        flushBatchSize: 10,
-        leaderLockTimeoutMs: 5000,
-        leaderLockExtendIntervalMs: 1000,
-        ackIntervalSeconds: 5,
-        logLevel: "warn",
-      });
-
-      await runsReplicationService.start();
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test-long-tx",
-          slug: "test-long-tx",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test-long-tx",
-          slug: "test-long-tx",
-          organizationId: organization.id,
-          externalRef: "test-long-tx",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test-long-tx",
-          type: "DEVELOPMENT",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test-long-tx",
-          pkApiKey: "test-long-tx",
-          shortcode: "test-long-tx",
-        },
-      });
-
-      // Start an interval that will create a new run every 500ms for 4 minutes
-      const interval = setInterval(async () => {
-        await prisma.taskRun.create({
-          data: {
-            friendlyId: `run_long_tx_${Date.now()}`,
-            taskIdentifier: "my-task-long-tx",
-            payload: JSON.stringify({ long: 1 }),
-            payloadType: "application/json",
-            traceId: `long-${Date.now()}`,
-            spanId: `long-${Date.now()}`,
-            queue: "test-long-tx",
-            runtimeEnvironmentId: runtimeEnvironment.id,
-            projectId: project.id,
-            organizationId: organization.id,
-            environmentType: "DEVELOPMENT",
-            engine: "V2",
-            status: "PENDING",
-            attemptNumber: 1,
-            createdAt: new Date(),
-            updatedAt: new Date(),
-          },
-        });
-      }, 500);
-
-      // Wait for 1 minute
-      await setTimeout(1 * 60 * 1000);
-
-      // Stop the interval
-      clearInterval(interval);
-
-      // Wait for replication
-      await setTimeout(1000);
-
-      // Query ClickHouse for all runs using FINAL
-      const queryRuns = clickhouse.reader.query({
-        name: "runs-replication-long-tx",
-        query: `SELECT * FROM trigger_dev.task_runs_v2 FINAL`,
-        schema: z.any(),
-      });
-
-      const [queryError, result] = await queryRuns({});
-      expect(queryError).toBeNull();
-
-      expect(result?.length).toBeGreaterThanOrEqual(50);
-
-      await runsReplicationService.stop();
-    },
-    { timeout: 60_000 * 5 }
-  );
-
-  containerTest(
-    "should insert TaskRuns even if there are incomplete Unicode escape sequences in the JSON",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
-
-      const clickhouse = new ClickHouse({
-        url: clickhouseContainer.getConnectionUrl(),
-        name: "runs-replication-stress-bulk-insert",
-        logLevel: "warn",
-      });
-
-      const runsReplicationService = new RunsReplicationService({
-        clickhouse,
-        pgConnectionUrl: postgresContainer.getConnectionUri(),
-        serviceName: "runs-replication-stress-bulk-insert",
-        slotName: "task_runs_to_clickhouse_v1",
-        publicationName: "task_runs_to_clickhouse_v1_publication",
-        redisOptions,
-        maxFlushConcurrency: 10,
-        flushIntervalMs: 100,
-        flushBatchSize: 50,
-        leaderLockTimeoutMs: 5000,
-        leaderLockExtendIntervalMs: 1000,
-        ackIntervalSeconds: 5,
-        logLevel: "warn",
-      });
-
-      await runsReplicationService.start();
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test-stress-bulk-insert",
-          slug: "test-stress-bulk-insert",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test-stress-bulk-insert",
-          slug: "test-stress-bulk-insert",
-          organizationId: organization.id,
-          externalRef: "test-stress-bulk-insert",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test-stress-bulk-insert",
-          type: "DEVELOPMENT",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test-stress-bulk-insert",
-          pkApiKey: "test-stress-bulk-insert",
-          shortcode: "test-stress-bulk-insert",
-        },
-      });
-
-      // Prepare 9 unique TaskRuns
-      const now = Date.now();
-      const runsData = Array.from({ length: 9 }, (_, i) => ({
-        friendlyId: `run_bulk_${now}_${i}`,
-        taskIdentifier: `my-task-bulk`,
-        payload: `{"title": "hello"}`,
-        payloadType: "application/json",
-        traceId: `bulk-${i}`,
-        spanId: `bulk-${i}`,
-        queue: "test-stress-bulk-insert",
-        runtimeEnvironmentId: runtimeEnvironment.id,
-        projectId: project.id,
-        organizationId: organization.id,
-        environmentType: "DEVELOPMENT" as const,
-        engine: "V2" as const,
-        status: "PENDING" as const,
-        attemptNumber: 1,
-        createdAt: new Date(now + i),
-        updatedAt: new Date(now + i),
-      }));
-
-      //add a run with incomplete Unicode escape sequences
-      const badPayload = await readFile(`${__dirname}/bad-clickhouse-output.json`, "utf-8");
-      const hasProblems = detectBadJsonStrings(badPayload);
-      expect(hasProblems).toBe(true);
-
-      runsData.push({
-        friendlyId: `run_bulk_${now}_10`,
-        taskIdentifier: `my-task-bulk`,
-        payload: badPayload,
-        payloadType: "application/json",
-        traceId: `bulk-10`,
-        spanId: `bulk-10`,
-        queue: "test-stress-bulk-insert",
-        runtimeEnvironmentId: runtimeEnvironment.id,
-        projectId: project.id,
-        organizationId: organization.id,
-        environmentType: "DEVELOPMENT" as const,
-        engine: "V2" as const,
-        status: "PENDING" as const,
-        attemptNumber: 1,
-        createdAt: new Date(now + 10),
-        updatedAt: new Date(now + 10),
-      });
-
-      // Bulk insert
-      const created = await prisma.taskRun.createMany({ data: runsData });
-      expect(created.count).toBe(10);
-
-      // Update the runs (not the 10th one)
-      await prisma.taskRun.updateMany({
-        where: {
-          spanId: { not: "bulk-10" },
-        },
-        data: {
-          status: "COMPLETED_SUCCESSFULLY",
-          output: `{"foo":"bar"}`,
-          outputType: "application/json",
-        },
-      });
-
-      // Give the 10th one a bad payload
-      await prisma.taskRun.updateMany({
-        where: {
-          spanId: "bulk-10",
-        },
-        data: {
-          status: "COMPLETED_SUCCESSFULLY",
-          output: badPayload,
-          outputType: "application/json",
-        },
-      });
-
-      // Wait for replication
-      await setTimeout(5000);
-
-      // Query ClickHouse for all runs using FINAL
-      const queryRuns = clickhouse.reader.query({
-        name: "runs-replication-stress-bulk-insert",
-        query: `SELECT * FROM trigger_dev.task_runs_v2 FINAL`,
-        schema: z.any(),
-      });
-
-      const [queryError, result] = await queryRuns({});
-      expect(queryError).toBeNull();
-      expect(result?.length).toBe(10);
-
-      // Check a few random runs for correctness
-      for (let i = 0; i < 9; i++) {
-        const expected = runsData[i];
-        const found = result?.find((r: any) => r.friendly_id === expected.friendlyId);
-        expect(found).toBeDefined();
-        expect(found).toEqual(
-          expect.objectContaining({
-            friendly_id: expected.friendlyId,
-            trace_id: expected.traceId,
-            task_identifier: expected.taskIdentifier,
-            status: "COMPLETED_SUCCESSFULLY",
-          })
-        );
-        expect(found?.output).toBeDefined();
-      }
-
-      // Check the run with the bad JSON
-      const foundBad = result?.find((r: any) => r.span_id === "bulk-10");
-      expect(foundBad).toBeDefined();
-      expect(foundBad?.output).toStrictEqual({});
-
-      await runsReplicationService.stop();
-    }
-  );
-
-  containerTest(
-    "should merge duplicate event+run.id combinations keeping the latest version",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      await prisma.$executeRawUnsafe(`ALTER TABLE public.\"TaskRun\" REPLICA IDENTITY FULL;`);
-
-      const clickhouse = new ClickHouse({
-        url: clickhouseContainer.getConnectionUrl(),
-        name: "runs-replication-merge-batch",
-        logLevel: "warn",
-      });
-
-      const runsReplicationService = new RunsReplicationService({
-        clickhouse,
-        pgConnectionUrl: postgresContainer.getConnectionUri(),
-        serviceName: "runs-replication-merge-batch",
-        slotName: "task_runs_to_clickhouse_v1",
-        publicationName: "task_runs_to_clickhouse_v1_publication",
-        redisOptions,
-        maxFlushConcurrency: 1,
-        flushIntervalMs: 100,
-        flushBatchSize: 10, // Higher batch size to test merging
-        leaderLockTimeoutMs: 5000,
-        leaderLockExtendIntervalMs: 1000,
-        ackIntervalSeconds: 5,
-        logLevel: "warn",
-      });
-
-      // Listen to batchFlushed events to verify merging
-      const batchFlushedEvents: Array<{
-        flushId: string;
-        taskRunInserts: any[];
-        payloadInserts: any[];
-      }> = [];
-
-      runsReplicationService.events.on("batchFlushed", (event) => {
-        batchFlushedEvents.push(event);
-      });
-
-      await runsReplicationService.start();
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test-merge-batch",
-          slug: "test-merge-batch",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test-merge-batch",
-          slug: "test-merge-batch",
-          organizationId: organization.id,
-          externalRef: "test-merge-batch",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test-merge-batch",
-          type: "DEVELOPMENT",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test-merge-batch",
-          pkApiKey: "test-merge-batch",
-          shortcode: "test-merge-batch",
-        },
-      });
-
-      // Create a run and rapidly update it multiple times in a transaction
-      // This should create multiple events for the same run that get merged
-      const run = await prisma.taskRun.create({
-        data: {
-          friendlyId: `run_merge_${Date.now()}`,
-          taskIdentifier: "my-task-merge",
-          payload: JSON.stringify({ version: 1 }),
-          payloadType: "application/json",
-          traceId: `merge-${Date.now()}`,
-          spanId: `merge-${Date.now()}`,
-          queue: "test-merge-batch",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-          status: "PENDING_VERSION",
-        },
-      });
-      await prisma.taskRun.update({
-        where: { id: run.id },
-        data: { status: "DEQUEUED" },
-      });
-      await prisma.taskRun.update({
-        where: { id: run.id },
-        data: { status: "EXECUTING" },
-      });
-      await prisma.taskRun.update({
-        where: { id: run.id },
-        data: { status: "PAUSED" },
-      });
-      await prisma.taskRun.update({
-        where: { id: run.id },
-        data: { status: "EXECUTING" },
-      });
-      await prisma.taskRun.update({
-        where: { id: run.id },
-        data: { status: "COMPLETED_SUCCESSFULLY" },
-      });
-
-      await setTimeout(1000);
-
-      expect(batchFlushedEvents?.[0].taskRunInserts).toHaveLength(2);
-      // Use getTaskRunField for type-safe array access
-      expect(getTaskRunField(batchFlushedEvents![0].taskRunInserts[0], "run_id")).toEqual(run.id);
-      expect(getTaskRunField(batchFlushedEvents![0].taskRunInserts[0], "status")).toEqual(
-        "PENDING_VERSION"
-      );
-      expect(getTaskRunField(batchFlushedEvents![0].taskRunInserts[1], "run_id")).toEqual(run.id);
-      expect(getTaskRunField(batchFlushedEvents![0].taskRunInserts[1], "status")).toEqual(
-        "COMPLETED_SUCCESSFULLY"
-      );
-
-      await runsReplicationService.stop();
-    }
-  );
-
-  containerTest(
-    "should sort batch inserts according to table schema ordering for optimal performance",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      await prisma.$executeRawUnsafe(`ALTER TABLE public.\"TaskRun\" REPLICA IDENTITY FULL;`);
-
-      const clickhouse = new ClickHouse({
-        url: clickhouseContainer.getConnectionUrl(),
-        name: "runs-replication-sorting",
-        logLevel: "warn",
-      });
-
-      const runsReplicationService = new RunsReplicationService({
-        clickhouse,
-        pgConnectionUrl: postgresContainer.getConnectionUri(),
-        serviceName: "runs-replication-sorting",
-        slotName: "task_runs_to_clickhouse_v1",
-        publicationName: "task_runs_to_clickhouse_v1_publication",
-        redisOptions,
-        maxFlushConcurrency: 1,
-        flushIntervalMs: 100,
-        flushBatchSize: 10,
-        leaderLockTimeoutMs: 5000,
-        leaderLockExtendIntervalMs: 1000,
-        ackIntervalSeconds: 5,
-        logLevel: "warn",
-      });
-
-      // Listen to batchFlushed events to verify sorting
-      const batchFlushedEvents: Array<{
-        flushId: string;
-        taskRunInserts: any[];
-        payloadInserts: any[];
-      }> = [];
-
-      runsReplicationService.events.on("batchFlushed", (event) => {
-        batchFlushedEvents.push(event);
-      });
-
-      await runsReplicationService.start();
-
-      // Create two organizations to test sorting by organization_id
-      const org1 = await prisma.organization.create({
-        data: { title: "org-z", slug: "org-z" },
-      });
-
-      const org2 = await prisma.organization.create({
-        data: { title: "org-a", slug: "org-a" },
-      });
-
-      const project1 = await prisma.project.create({
-        data: {
-          name: "test-sorting-z",
-          slug: "test-sorting-z",
-          organizationId: org1.id,
-          externalRef: "test-sorting-z",
-        },
-      });
-
-      const project2 = await prisma.project.create({
-        data: {
-          name: "test-sorting-a",
-          slug: "test-sorting-a",
-          organizationId: org2.id,
-          externalRef: "test-sorting-a",
-        },
-      });
-
-      const env1 = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test-sorting-z",
-          type: "DEVELOPMENT",
-          projectId: project1.id,
-          organizationId: org1.id,
-          apiKey: "test-sorting-z",
-          pkApiKey: "test-sorting-z",
-          shortcode: "test-sorting-z",
-        },
-      });
-
-      const env2 = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test-sorting-a",
-          type: "DEVELOPMENT",
-          projectId: project2.id,
-          organizationId: org2.id,
-          apiKey: "test-sorting-a",
-          pkApiKey: "test-sorting-a",
-          shortcode: "test-sorting-a",
-        },
-      });
-
-      const now = Date.now();
-
-      const run1 = await prisma.taskRun.create({
-        data: {
-          friendlyId: `run_sort_org_z_${now}`,
-          taskIdentifier: "my-task-sort",
-          payload: JSON.stringify({ org: "z" }),
-          payloadType: "application/json",
-          traceId: `sort-z-${now}`,
-          spanId: `sort-z-${now}`,
-          queue: "test-sorting",
-          runtimeEnvironmentId: env1.id,
-          projectId: project1.id,
-          organizationId: org1.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-          status: "PENDING",
-          createdAt: new Date(now + 2000),
-        },
-      });
-      await prisma.taskRun.update({
-        where: { id: run1.id },
-        data: { status: "DEQUEUED" },
-      });
-
-      await prisma.taskRun.create({
-        data: {
-          friendlyId: `run_sort_org_a_${now}`,
-          taskIdentifier: "my-task-sort",
-          payload: JSON.stringify({ org: "a" }),
-          payloadType: "application/json",
-          traceId: `sort-a-${now}`,
-          spanId: `sort-a-${now}`,
-          queue: "test-sorting",
-          runtimeEnvironmentId: env2.id,
-          projectId: project2.id,
-          organizationId: org2.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-          status: "PENDING",
-          createdAt: new Date(now + 1000),
-        },
-      });
-
-      await prisma.taskRun.create({
-        data: {
-          friendlyId: `run_sort_org_a_${now}_2`,
-          taskIdentifier: "my-task-sort",
-          payload: JSON.stringify({ org: "a" }),
-          payloadType: "application/json",
-          traceId: `sort-a-${now}`,
-          spanId: `sort-a-${now}`,
-          queue: "test-sorting",
-          runtimeEnvironmentId: env2.id,
-          projectId: project2.id,
-          organizationId: org2.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-          status: "PENDING",
-          createdAt: new Date(now),
-        },
-      });
-
-      await setTimeout(1000);
-
-      expect(batchFlushedEvents[0]?.taskRunInserts.length).toBeGreaterThan(1);
-      expect(batchFlushedEvents[0]?.payloadInserts.length).toBeGreaterThan(1);
-
-      // Verify sorting order: organization_id, project_id, environment_id, created_at, run_id
-      for (let i = 1; i < batchFlushedEvents[0]?.taskRunInserts.length; i++) {
-        const prev = batchFlushedEvents[0]!.taskRunInserts[i - 1];
-        const curr = batchFlushedEvents[0]!.taskRunInserts[i];
-
-        const prevKey = [
-          getTaskRunField(prev, "organization_id"),
-          getTaskRunField(prev, "project_id"),
-          getTaskRunField(prev, "environment_id"),
-          getTaskRunField(prev, "created_at"),
-          getTaskRunField(prev, "run_id"),
-        ];
-        const currKey = [
-          getTaskRunField(curr, "organization_id"),
-          getTaskRunField(curr, "project_id"),
-          getTaskRunField(curr, "environment_id"),
-          getTaskRunField(curr, "created_at"),
-          getTaskRunField(curr, "run_id"),
-        ];
-
-        const keysAreEqual = prevKey.every((val, idx) => val === currKey[idx]);
-        if (keysAreEqual) {
-          // Also valid order
-          continue;
-        }
-
-        // Compare tuples lexicographically
-        let isCorrectOrder = false;
-        for (let j = 0; j < prevKey.length; j++) {
-          if (prevKey[j] < currKey[j]) {
-            isCorrectOrder = true;
-            break;
-          }
-          if (prevKey[j] > currKey[j]) {
-            isCorrectOrder = false;
-            break;
-          }
-          // If equal, continue to next field
-        }
-
-        expect(isCorrectOrder).toBeTruthy();
-      }
-
-      // Verify payloadInserts are also sorted by run_id
-      for (let i = 1; i < batchFlushedEvents[0]?.payloadInserts.length; i++) {
-        const prev = batchFlushedEvents[0]!.payloadInserts[i - 1];
-        const curr = batchFlushedEvents[0]!.payloadInserts[i];
-        expect(getPayloadField(prev, "run_id") <= getPayloadField(curr, "run_id")).toBeTruthy();
-      }
-
-      await runsReplicationService.stop();
-    }
-  );
-
-  containerTest(
-    "should exhaustively replicate all TaskRun columns to ClickHouse",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
-
-      const clickhouse = new ClickHouse({
-        url: clickhouseContainer.getConnectionUrl(),
-        name: "runs-replication-exhaustive",
-        logLevel: "warn",
-      });
-
-      const runsReplicationService = new RunsReplicationService({
-        clickhouse,
-        pgConnectionUrl: postgresContainer.getConnectionUri(),
-        serviceName: "runs-replication-exhaustive",
-        slotName: "task_runs_to_clickhouse_v1",
-        publicationName: "task_runs_to_clickhouse_v1_publication",
-        redisOptions,
-        maxFlushConcurrency: 1,
-        flushIntervalMs: 100,
-        flushBatchSize: 1,
-        leaderLockTimeoutMs: 5000,
-        leaderLockExtendIntervalMs: 1000,
-        ackIntervalSeconds: 5,
-        logLevel: "warn",
-      });
-
-      await runsReplicationService.start();
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test-exhaustive",
-          slug: "test-exhaustive",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test-exhaustive",
-          slug: "test-exhaustive",
-          organizationId: organization.id,
-          externalRef: "test-exhaustive",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test-exhaustive",
-          type: "PRODUCTION",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test-exhaustive",
-          pkApiKey: "test-exhaustive",
-          shortcode: "test-exhaustive",
-        },
-      });
-
-      // Create a batch for the batchId field
-      const batch = await prisma.batchTaskRun.create({
-        data: {
-          friendlyId: "batch_exhaustive",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          status: "PENDING",
-        },
-      });
-
-      // Create a root run for the rootTaskRunId field
-      const rootRun = await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_root_exhaustive",
-          taskIdentifier: "root-task",
-          payload: JSON.stringify({ root: true }),
-          traceId: "root-trace-id",
-          spanId: "root-span-id",
-          queue: "root-queue",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "PRODUCTION",
-          engine: "V2",
-        },
-      });
-
-      // Create a parent run for the parentTaskRunId field
-      const parentRun = await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_parent_exhaustive",
-          taskIdentifier: "parent-task",
-          payload: JSON.stringify({ parent: true }),
-          traceId: "parent-trace-id",
-          spanId: "parent-span-id",
-          queue: "parent-queue",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "PRODUCTION",
-          engine: "V2",
-          rootTaskRunId: rootRun.id,
-          depth: 1,
-        },
-      });
-
-      // Set up all the dates we'll use
-      const now = new Date();
-      const createdAt = new Date(now.getTime() - 10000);
-      const updatedAt = new Date(now.getTime() - 5000);
-      const startedAt = new Date(now.getTime() - 8000);
-      const executedAt = new Date(now.getTime() - 7500);
-      const completedAt = new Date(now.getTime() - 6000);
-      const delayUntil = new Date(now.getTime() - 9000);
-      const queuedAt = new Date(now.getTime() - 9500);
-      const expiredAt = null; // Not expired
-
-      // Create the main task run with ALL fields populated
-      const taskRun = await prisma.taskRun.create({
-        data: {
-          // Core identifiers
-          friendlyId: "run_exhaustive_test",
-          taskIdentifier: "exhaustive-task",
-
-          // Environment/project/org
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "PRODUCTION",
-
-          // Engine and execution
-          engine: "V2",
-          status: "COMPLETED_SUCCESSFULLY",
-          attemptNumber: 3,
-          queue: "exhaustive-queue",
-          workerQueue: "exhaustive-worker-queue",
-
-          // Relationships
-          // Note: scheduleId is not set to test empty string handling
-          batchId: batch.id,
-          rootTaskRunId: rootRun.id,
-          parentTaskRunId: parentRun.id,
-          depth: 2,
-
-          // Timestamps
-          createdAt,
-          updatedAt,
-          startedAt,
-          executedAt,
-          completedAt,
-          delayUntil,
-          queuedAt,
-          expiredAt,
-
-          // Payload and output
-          payload: JSON.stringify({ input: "test-payload" }),
-          payloadType: "application/json",
-          output: JSON.stringify({ result: "test-output" }),
-          outputType: "application/json",
-          error: { message: "test error", name: "TestError" },
-
-          // Tracing
-          traceId: "exhaustive-trace-id-12345",
-          spanId: "exhaustive-span-id-67890",
-
-          // Versioning
-          taskVersion: "1.2.3",
-          sdkVersion: "3.0.0",
-          cliVersion: "2.5.1",
-
-          // Execution settings
-          machinePreset: "large-1x",
-          idempotencyKey: "exhaustive-idempotency-key-hashed",
-          idempotencyKeyOptions: {
-            key: "exhaustive-idempotency-key",
-            scope: "run",
-          },
-          ttl: "1h",
-          isTest: true,
-          concurrencyKey: "exhaustive-concurrency-key",
-          maxDurationInSeconds: 3600,
-
-          // Tags and bulk actions
-          runTags: ["tag1", "tag2", "exhaustive-tag"],
-          bulkActionGroupIds: ["bulk-group-1", "bulk-group-2"],
-
-          // Usage metrics
-          usageDurationMs: 12345,
-          costInCents: 50,
-          baseCostInCents: 25,
-        },
-      });
-
-      // Wait for replication
-      await setTimeout(1500);
-
-      // Query ClickHouse directly to get all columns
-      const queryRuns = clickhouse.reader.query({
-        name: "exhaustive-replication-test",
-        query: "SELECT * FROM trigger_dev.task_runs_v2 FINAL WHERE run_id = {run_id:String}",
-        schema: z.any(),
-        params: z.object({ run_id: z.string() }),
-      });
-
-      const [queryError, result] = await queryRuns({ run_id: taskRun.id });
-
-      expect(queryError).toBeNull();
-      expect(result).toHaveLength(1);
-
-      const clickhouseRun = result![0];
-
-      // Exhaustively verify each column
-      // Core identifiers
-      expect(clickhouseRun.run_id).toBe(taskRun.id);
-      expect(clickhouseRun.friendly_id).toBe("run_exhaustive_test");
-      expect(clickhouseRun.task_identifier).toBe("exhaustive-task");
-
-      // Environment/project/org
-      expect(clickhouseRun.environment_id).toBe(runtimeEnvironment.id);
-      expect(clickhouseRun.project_id).toBe(project.id);
-      expect(clickhouseRun.organization_id).toBe(organization.id);
-      expect(clickhouseRun.environment_type).toBe("PRODUCTION");
-
-      // Engine and execution
-      expect(clickhouseRun.engine).toBe("V2");
-      expect(clickhouseRun.status).toBe("COMPLETED_SUCCESSFULLY");
-      expect(clickhouseRun.attempt).toBe(3);
-      expect(clickhouseRun.queue).toBe("exhaustive-queue");
-      expect(clickhouseRun.worker_queue).toBe("exhaustive-worker-queue");
-
-      // Relationships
-      expect(clickhouseRun.schedule_id).toBe(""); // Empty when not set
-      expect(clickhouseRun.batch_id).toBe(batch.id);
-      expect(clickhouseRun.root_run_id).toBe(rootRun.id);
-      expect(clickhouseRun.parent_run_id).toBe(parentRun.id);
-      expect(clickhouseRun.depth).toBe(2);
-
-      // Timestamps (ClickHouse returns DateTime64 as strings in UTC without 'Z' suffix)
-      // Helper to parse ClickHouse timestamp strings to milliseconds
-      function parseClickhouseTimestamp(ts: string | null): number | null {
-        if (ts === null || ts === "1970-01-01 00:00:00.000") return null;
-        return new Date(ts + "Z").getTime();
-      }
-
-      expect(parseClickhouseTimestamp(clickhouseRun.created_at)).toBe(createdAt.getTime());
-      expect(parseClickhouseTimestamp(clickhouseRun.updated_at)).toBe(updatedAt.getTime());
-      expect(parseClickhouseTimestamp(clickhouseRun.started_at)).toBe(startedAt.getTime());
-      expect(parseClickhouseTimestamp(clickhouseRun.executed_at)).toBe(executedAt.getTime());
-      expect(parseClickhouseTimestamp(clickhouseRun.completed_at)).toBe(completedAt.getTime());
-      expect(parseClickhouseTimestamp(clickhouseRun.delay_until)).toBe(delayUntil.getTime());
-      expect(parseClickhouseTimestamp(clickhouseRun.queued_at)).toBe(queuedAt.getTime());
-      expect(parseClickhouseTimestamp(clickhouseRun.expired_at)).toBeNull();
-
-      // Output (parsed JSON)
-      expect(clickhouseRun.output).toEqual({ data: { result: "test-output" } });
-
-      // Error
-      expect(clickhouseRun.error).toEqual({
-        data: { message: "test error", name: "TestError" },
-      });
-
-      // Tracing
-      expect(clickhouseRun.trace_id).toBe("exhaustive-trace-id-12345");
-      expect(clickhouseRun.span_id).toBe("exhaustive-span-id-67890");
-
-      // Versioning
-      expect(clickhouseRun.task_version).toBe("1.2.3");
-      expect(clickhouseRun.sdk_version).toBe("3.0.0");
-      expect(clickhouseRun.cli_version).toBe("2.5.1");
-
-      // Execution settings
-      expect(clickhouseRun.machine_preset).toBe("large-1x");
-      expect(clickhouseRun.idempotency_key).toBe("exhaustive-idempotency-key-hashed");
-      expect(clickhouseRun.idempotency_key_user).toBe("exhaustive-idempotency-key");
-      expect(clickhouseRun.idempotency_key_scope).toBe("run");
-      expect(clickhouseRun.expiration_ttl).toBe("1h");
-      expect(clickhouseRun.is_test).toBe(1); // ClickHouse returns booleans as integers
-      expect(clickhouseRun.concurrency_key).toBe("exhaustive-concurrency-key");
-      expect(clickhouseRun.max_duration_in_seconds).toBe(3600);
-
-      // Tags and bulk actions
-      expect(clickhouseRun.tags).toEqual(["tag1", "tag2", "exhaustive-tag"]);
-      expect(clickhouseRun.bulk_action_group_ids).toEqual(["bulk-group-1", "bulk-group-2"]);
-
-      // Usage metrics
-      expect(clickhouseRun.usage_duration_ms).toBe(12345);
-      expect(clickhouseRun.cost_in_cents).toBe(50);
-      expect(clickhouseRun.base_cost_in_cents).toBe(25);
-
-      // Internal ClickHouse columns
-      expect(clickhouseRun._is_deleted).toBe(0);
-      expect(clickhouseRun._version).toBeDefined();
-      expect(typeof clickhouseRun._version).toBe("number"); // ClickHouse returns UInt64 as number
-
-      // Also verify the payload was inserted into the payloads table
-      const queryPayloads = clickhouse.reader.query({
-        name: "exhaustive-payload-test",
-        query: "SELECT * FROM trigger_dev.raw_task_runs_payload_v1 WHERE run_id = {run_id:String}",
-        schema: z.any(),
-        params: z.object({ run_id: z.string() }),
-      });
-
-      const [payloadError, payloadResult] = await queryPayloads({ run_id: taskRun.id });
-
-      expect(payloadError).toBeNull();
-      expect(payloadResult).toHaveLength(1);
-      expect(payloadResult![0].run_id).toBe(taskRun.id);
-      expect(parseClickhouseTimestamp(payloadResult![0].created_at)).toBe(createdAt.getTime());
-      expect(payloadResult![0].payload).toEqual({ data: { input: "test-payload" } });
-
-      await runsReplicationService.stop();
-    }
-  );
 });
diff --git a/apps/webapp/test/runsReplicationService.part3.test.ts b/apps/webapp/test/runsReplicationService.part3.test.ts
new file mode 100644
index 00000000000..1261be3b513
--- /dev/null
+++ b/apps/webapp/test/runsReplicationService.part3.test.ts
@@ -0,0 +1,307 @@
+import { ClickHouse, getTaskRunField, getPayloadField } from "@internal/clickhouse";
+import { replicationContainerTest } from "@internal/testcontainers";
+import { Logger } from "@trigger.dev/core/logger";
+import { readFile } from "node:fs/promises";
+import { setTimeout } from "node:timers/promises";
+import { z } from "zod";
+import { RunsReplicationService } from "~/services/runsReplicationService.server";
+import { detectBadJsonStrings } from "~/utils/detectBadJsonStrings";
+import { TestReplicationClickhouseFactory } from "./utils/testReplicationClickhouseFactory";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+describe("RunsReplicationService (part 3/7)", () => {
+  replicationContainerTest(
+    "should insert TaskRuns even if there are incomplete Unicode escape sequences in the JSON",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
+
+      const clickhouse = new ClickHouse({
+        url: clickhouseContainer.getConnectionUrl(),
+        name: "runs-replication-stress-bulk-insert",
+        logLevel: "warn",
+      });
+
+      const runsReplicationService = new RunsReplicationService({
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
+        pgConnectionUrl: postgresContainer.getConnectionUri(),
+        serviceName: "runs-replication-stress-bulk-insert",
+        slotName: "task_runs_to_clickhouse_v1",
+        publicationName: "task_runs_to_clickhouse_v1_publication",
+        redisOptions,
+        maxFlushConcurrency: 10,
+        flushIntervalMs: 100,
+        flushBatchSize: 50,
+        leaderLockTimeoutMs: 5000,
+        leaderLockExtendIntervalMs: 1000,
+        ackIntervalSeconds: 5,
+        logLevel: "warn",
+      });
+
+      await runsReplicationService.start();
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test-stress-bulk-insert",
+          slug: "test-stress-bulk-insert",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test-stress-bulk-insert",
+          slug: "test-stress-bulk-insert",
+          organizationId: organization.id,
+          externalRef: "test-stress-bulk-insert",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test-stress-bulk-insert",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test-stress-bulk-insert",
+          pkApiKey: "test-stress-bulk-insert",
+          shortcode: "test-stress-bulk-insert",
+        },
+      });
+
+      // Prepare 9 unique TaskRuns
+      const now = Date.now();
+      const runsData = Array.from({ length: 9 }, (_, i) => ({
+        friendlyId: `run_bulk_${now}_${i}`,
+        taskIdentifier: `my-task-bulk`,
+        payload: `{"title": "hello"}`,
+        payloadType: "application/json",
+        traceId: `bulk-${i}`,
+        spanId: `bulk-${i}`,
+        queue: "test-stress-bulk-insert",
+        runtimeEnvironmentId: runtimeEnvironment.id,
+        projectId: project.id,
+        organizationId: organization.id,
+        environmentType: "DEVELOPMENT" as const,
+        engine: "V2" as const,
+        status: "PENDING" as const,
+        attemptNumber: 1,
+        createdAt: new Date(now + i),
+        updatedAt: new Date(now + i),
+      }));
+
+      //add a run with incomplete Unicode escape sequences
+      const badPayload = await readFile(`${__dirname}/bad-clickhouse-output.json`, "utf-8");
+      const hasProblems = detectBadJsonStrings(badPayload);
+      expect(hasProblems).toBe(true);
+
+      runsData.push({
+        friendlyId: `run_bulk_${now}_10`,
+        taskIdentifier: `my-task-bulk`,
+        payload: badPayload,
+        payloadType: "application/json",
+        traceId: `bulk-10`,
+        spanId: `bulk-10`,
+        queue: "test-stress-bulk-insert",
+        runtimeEnvironmentId: runtimeEnvironment.id,
+        projectId: project.id,
+        organizationId: organization.id,
+        environmentType: "DEVELOPMENT" as const,
+        engine: "V2" as const,
+        status: "PENDING" as const,
+        attemptNumber: 1,
+        createdAt: new Date(now + 10),
+        updatedAt: new Date(now + 10),
+      });
+
+      // Bulk insert
+      const created = await prisma.taskRun.createMany({ data: runsData });
+      expect(created.count).toBe(10);
+
+      // Update the runs (not the 10th one)
+      await prisma.taskRun.updateMany({
+        where: {
+          spanId: { not: "bulk-10" },
+        },
+        data: {
+          status: "COMPLETED_SUCCESSFULLY",
+          output: `{"foo":"bar"}`,
+          outputType: "application/json",
+        },
+      });
+
+      // Give the 10th one a bad payload
+      await prisma.taskRun.updateMany({
+        where: {
+          spanId: "bulk-10",
+        },
+        data: {
+          status: "COMPLETED_SUCCESSFULLY",
+          output: badPayload,
+          outputType: "application/json",
+        },
+      });
+
+      // Wait for replication
+      await setTimeout(5000);
+
+      // Query ClickHouse for all runs using FINAL
+      const queryRuns = clickhouse.reader.query({
+        name: "runs-replication-stress-bulk-insert",
+        query: `SELECT * FROM trigger_dev.task_runs_v2 FINAL`,
+        schema: z.any(),
+      });
+
+      const [queryError, result] = await queryRuns({});
+      expect(queryError).toBeNull();
+      expect(result?.length).toBe(10);
+
+      // Check a few random runs for correctness
+      for (let i = 0; i < 9; i++) {
+        const expected = runsData[i];
+        const found = result?.find((r: any) => r.friendly_id === expected.friendlyId);
+        expect(found).toBeDefined();
+        expect(found).toEqual(
+          expect.objectContaining({
+            friendly_id: expected.friendlyId,
+            trace_id: expected.traceId,
+            task_identifier: expected.taskIdentifier,
+            status: "COMPLETED_SUCCESSFULLY",
+          })
+        );
+        expect(found?.output).toBeDefined();
+      }
+
+      // Check the run with the bad JSON
+      const foundBad = result?.find((r: any) => r.span_id === "bulk-10");
+      expect(foundBad).toBeDefined();
+      expect(foundBad?.output).toStrictEqual({});
+
+      await runsReplicationService.stop();
+    }
+  );
+
+  replicationContainerTest(
+    "should merge duplicate event+run.id combinations keeping the latest version",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      await prisma.$executeRawUnsafe(`ALTER TABLE public.\"TaskRun\" REPLICA IDENTITY FULL;`);
+
+      const clickhouse = new ClickHouse({
+        url: clickhouseContainer.getConnectionUrl(),
+        name: "runs-replication-merge-batch",
+        logLevel: "warn",
+      });
+
+      const runsReplicationService = new RunsReplicationService({
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
+        pgConnectionUrl: postgresContainer.getConnectionUri(),
+        serviceName: "runs-replication-merge-batch",
+        slotName: "task_runs_to_clickhouse_v1",
+        publicationName: "task_runs_to_clickhouse_v1_publication",
+        redisOptions,
+        maxFlushConcurrency: 1,
+        flushIntervalMs: 100,
+        flushBatchSize: 10, // Higher batch size to test merging
+        leaderLockTimeoutMs: 5000,
+        leaderLockExtendIntervalMs: 1000,
+        ackIntervalSeconds: 5,
+        logLevel: "warn",
+      });
+
+      // Listen to batchFlushed events to verify merging
+      const batchFlushedEvents: Array<{
+        flushId: string;
+        taskRunInserts: any[];
+        payloadInserts: any[];
+      }> = [];
+
+      runsReplicationService.events.on("batchFlushed", (event) => {
+        batchFlushedEvents.push(event);
+      });
+
+      await runsReplicationService.start();
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test-merge-batch",
+          slug: "test-merge-batch",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test-merge-batch",
+          slug: "test-merge-batch",
+          organizationId: organization.id,
+          externalRef: "test-merge-batch",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test-merge-batch",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test-merge-batch",
+          pkApiKey: "test-merge-batch",
+          shortcode: "test-merge-batch",
+        },
+      });
+
+      // Create a run and rapidly update it multiple times in a transaction
+      // This should create multiple events for the same run that get merged
+      const run = await prisma.taskRun.create({
+        data: {
+          friendlyId: `run_merge_${Date.now()}`,
+          taskIdentifier: "my-task-merge",
+          payload: JSON.stringify({ version: 1 }),
+          payloadType: "application/json",
+          traceId: `merge-${Date.now()}`,
+          spanId: `merge-${Date.now()}`,
+          queue: "test-merge-batch",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+          status: "PENDING_VERSION",
+        },
+      });
+      await prisma.taskRun.update({
+        where: { id: run.id },
+        data: { status: "DEQUEUED" },
+      });
+      await prisma.taskRun.update({
+        where: { id: run.id },
+        data: { status: "EXECUTING" },
+      });
+      await prisma.taskRun.update({
+        where: { id: run.id },
+        data: { status: "PAUSED" },
+      });
+      await prisma.taskRun.update({
+        where: { id: run.id },
+        data: { status: "EXECUTING" },
+      });
+      await prisma.taskRun.update({
+        where: { id: run.id },
+        data: { status: "COMPLETED_SUCCESSFULLY" },
+      });
+
+      await setTimeout(1000);
+
+      expect(batchFlushedEvents?.[0].taskRunInserts).toHaveLength(2);
+      // Use getTaskRunField for type-safe array access
+      expect(getTaskRunField(batchFlushedEvents![0].taskRunInserts[0], "run_id")).toEqual(run.id);
+      expect(getTaskRunField(batchFlushedEvents![0].taskRunInserts[0], "status")).toEqual(
+        "PENDING_VERSION"
+      );
+      expect(getTaskRunField(batchFlushedEvents![0].taskRunInserts[1], "run_id")).toEqual(run.id);
+      expect(getTaskRunField(batchFlushedEvents![0].taskRunInserts[1], "status")).toEqual(
+        "COMPLETED_SUCCESSFULLY"
+      );
+
+      await runsReplicationService.stop();
+    }
+  );
+});
diff --git a/apps/webapp/test/runsReplicationService.part4.test.ts b/apps/webapp/test/runsReplicationService.part4.test.ts
new file mode 100644
index 00000000000..835192ad0fb
--- /dev/null
+++ b/apps/webapp/test/runsReplicationService.part4.test.ts
@@ -0,0 +1,710 @@
+import { ClickHouse } from "@internal/clickhouse";
+import { replicationContainerTest } from "@internal/testcontainers";
+import { setTimeout } from "node:timers/promises";
+import { z } from "zod";
+import { TaskRunStatus } from "~/database-types";
+import { RunsReplicationService } from "~/services/runsReplicationService.server";
+import { createInMemoryTracing, createInMemoryMetrics } from "./utils/tracing";
+import { TestReplicationClickhouseFactory } from "./utils/testReplicationClickhouseFactory";
+import superjson from "superjson";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+describe("RunsReplicationService (part 4/7)", () => {
+  replicationContainerTest(
+    "should replicate updates to an existing TaskRun to ClickHouse",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
+
+      const clickhouse = new ClickHouse({
+        url: clickhouseContainer.getConnectionUrl(),
+        name: "runs-replication-update",
+        logLevel: "warn",
+      });
+
+      const runsReplicationService = new RunsReplicationService({
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
+        pgConnectionUrl: postgresContainer.getConnectionUri(),
+        serviceName: "runs-replication-update",
+        slotName: "task_runs_to_clickhouse_v1",
+        publicationName: "task_runs_to_clickhouse_v1_publication",
+        redisOptions,
+        maxFlushConcurrency: 1,
+        flushIntervalMs: 100,
+        flushBatchSize: 1,
+        leaderLockTimeoutMs: 5000,
+        leaderLockExtendIntervalMs: 1000,
+        ackIntervalSeconds: 5,
+        logLevel: "warn",
+      });
+
+      await runsReplicationService.start();
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test-update",
+          slug: "test-update",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test-update",
+          slug: "test-update",
+          organizationId: organization.id,
+          externalRef: "test-update",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test-update",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test-update",
+          pkApiKey: "test-update",
+          shortcode: "test-update",
+        },
+      });
+
+      const uniqueFriendlyId = `run_update_${Date.now()}`;
+      const taskRun = await prisma.taskRun.create({
+        data: {
+          friendlyId: uniqueFriendlyId,
+          taskIdentifier: "my-task-update",
+          payload: JSON.stringify({ foo: "update-test" }),
+          payloadType: "application/json",
+          traceId: "update-1234",
+          spanId: "update-1234",
+          queue: "test-update",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+          status: "PENDING",
+        },
+      });
+
+      await setTimeout(1000);
+
+      await prisma.taskRun.update({
+        where: { id: taskRun.id },
+        data: { status: TaskRunStatus.COMPLETED_SUCCESSFULLY },
+      });
+
+      await setTimeout(1000);
+
+      const queryRuns = clickhouse.reader.query({
+        name: "runs-replication-update",
+        query: "SELECT * FROM trigger_dev.task_runs_v2 FINAL WHERE run_id = {run_id:String}",
+        schema: z.any(),
+        params: z.object({ run_id: z.string() }),
+      });
+
+      const [queryError, result] = await queryRuns({ run_id: taskRun.id });
+
+      expect(queryError).toBeNull();
+      expect(result?.length).toBe(1);
+      expect(result?.[0]).toEqual(
+        expect.objectContaining({
+          run_id: taskRun.id,
+          status: TaskRunStatus.COMPLETED_SUCCESSFULLY,
+        })
+      );
+
+      await runsReplicationService.stop();
+    }
+  );
+
+  replicationContainerTest(
+    "should replicate deletions of a TaskRun to ClickHouse and mark as deleted",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
+
+      const clickhouse = new ClickHouse({
+        url: clickhouseContainer.getConnectionUrl(),
+        name: "runs-replication-delete",
+        logLevel: "warn",
+      });
+
+      const runsReplicationService = new RunsReplicationService({
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
+        pgConnectionUrl: postgresContainer.getConnectionUri(),
+        serviceName: "runs-replication-delete",
+        slotName: "task_runs_to_clickhouse_v1",
+        publicationName: "task_runs_to_clickhouse_v1_publication",
+        redisOptions,
+        maxFlushConcurrency: 1,
+        flushIntervalMs: 100,
+        flushBatchSize: 1,
+        leaderLockTimeoutMs: 5000,
+        leaderLockExtendIntervalMs: 1000,
+        ackIntervalSeconds: 5,
+        logLevel: "warn",
+      });
+
+      await runsReplicationService.start();
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test-delete",
+          slug: "test-delete",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test-delete",
+          slug: "test-delete",
+          organizationId: organization.id,
+          externalRef: "test-delete",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test-delete",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test-delete",
+          pkApiKey: "test-delete",
+          shortcode: "test-delete",
+        },
+      });
+
+      const uniqueFriendlyId = `run_delete_${Date.now()}`;
+      const taskRun = await prisma.taskRun.create({
+        data: {
+          friendlyId: uniqueFriendlyId,
+          taskIdentifier: "my-task-delete",
+          payload: JSON.stringify({ foo: "delete-test" }),
+          payloadType: "application/json",
+          traceId: "delete-1234",
+          spanId: "delete-1234",
+          queue: "test-delete",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+          status: "PENDING",
+        },
+      });
+
+      await setTimeout(1000);
+
+      await prisma.taskRun.delete({
+        where: { id: taskRun.id },
+      });
+
+      await setTimeout(1000);
+
+      const queryRuns = clickhouse.reader.query({
+        name: "runs-replication-delete",
+        query: "SELECT * FROM trigger_dev.task_runs_v2 FINAL WHERE run_id = {run_id:String}",
+        schema: z.any(),
+        params: z.object({ run_id: z.string() }),
+      });
+
+      const [queryError, result] = await queryRuns({ run_id: taskRun.id });
+
+      expect(queryError).toBeNull();
+      expect(result?.length).toBe(0);
+
+      await runsReplicationService.stop();
+    }
+  );
+
+  replicationContainerTest(
+    "should gracefully shutdown and allow a new service to pick up from the correct LSN (handover)",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
+
+      const clickhouse = new ClickHouse({
+        url: clickhouseContainer.getConnectionUrl(),
+        name: "runs-replication-shutdown-handover",
+        logLevel: "warn",
+      });
+
+      // Service A
+      const runsReplicationServiceA = new RunsReplicationService({
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
+        pgConnectionUrl: postgresContainer.getConnectionUri(),
+        serviceName: "runs-replication-shutdown-handover",
+        slotName: "task_runs_to_clickhouse_v1",
+        publicationName: "task_runs_to_clickhouse_v1_publication",
+        redisOptions,
+        maxFlushConcurrency: 1,
+        flushIntervalMs: 100,
+        flushBatchSize: 1,
+        leaderLockTimeoutMs: 5000,
+        leaderLockExtendIntervalMs: 1000,
+        ackIntervalSeconds: 5,
+        logLevel: "warn",
+      });
+
+      await runsReplicationServiceA.start();
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test-shutdown-handover",
+          slug: "test-shutdown-handover",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test-shutdown-handover",
+          slug: "test-shutdown-handover",
+          organizationId: organization.id,
+          externalRef: "test-shutdown-handover",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test-shutdown-handover",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test-shutdown-handover",
+          pkApiKey: "test-shutdown-handover",
+          shortcode: "test-shutdown-handover",
+        },
+      });
+
+      const run1Id = `run_shutdown_handover_1_${Date.now()}`;
+
+      runsReplicationServiceA.events.on("message", async ({ message, service }) => {
+        if (message.tag === "insert") {
+          await service.shutdown();
+        }
+      });
+
+      const taskRun1 = await prisma.taskRun.create({
+        data: {
+          friendlyId: run1Id,
+          taskIdentifier: "my-task-shutdown-handover-1",
+          payload: JSON.stringify({ foo: "handover-1" }),
+          payloadType: "application/json",
+          traceId: "handover-1-1234",
+          spanId: "handover-1-1234",
+          queue: "test-shutdown-handover",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+          status: "PENDING",
+        },
+      });
+
+      const run2Id = `run_shutdown_handover_2_${Date.now()}`;
+      const taskRun2 = await prisma.taskRun.create({
+        data: {
+          friendlyId: run2Id,
+          taskIdentifier: "my-task-shutdown-handover-2",
+          payload: JSON.stringify({ foo: "handover-2" }),
+          payloadType: "application/json",
+          traceId: "handover-2-1234",
+          spanId: "handover-2-1234",
+          queue: "test-shutdown-handover",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+          status: "PENDING",
+        },
+      });
+
+      await setTimeout(1000);
+
+      const queryRuns = clickhouse.reader.query({
+        name: "runs-replication-shutdown-handover",
+        query: "SELECT * FROM trigger_dev.task_runs_v2 FINAL ORDER BY created_at ASC",
+        schema: z.any(),
+      });
+      const [queryError, result] = await queryRuns({});
+      expect(queryError).toBeNull();
+      expect(result?.length).toBe(1);
+      expect(result?.[0]).toEqual(expect.objectContaining({ run_id: taskRun1.id }));
+
+      // Service B
+      const runsReplicationServiceB = new RunsReplicationService({
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
+        pgConnectionUrl: postgresContainer.getConnectionUri(),
+        serviceName: "runs-replication-shutdown-handover",
+        slotName: "task_runs_to_clickhouse_v1",
+        publicationName: "task_runs_to_clickhouse_v1_publication",
+        redisOptions,
+        maxFlushConcurrency: 1,
+        flushIntervalMs: 100,
+        flushBatchSize: 1,
+        leaderLockTimeoutMs: 5000,
+        leaderLockExtendIntervalMs: 1000,
+        ackIntervalSeconds: 5,
+        logLevel: "warn",
+      });
+
+      await runsReplicationServiceB.start();
+
+      await setTimeout(1000);
+
+      const [queryErrorB, resultB] = await queryRuns({});
+
+      expect(queryErrorB).toBeNull();
+      expect(resultB?.length).toBe(2);
+      expect(resultB).toEqual(
+        expect.arrayContaining([
+          expect.objectContaining({ run_id: taskRun1.id }),
+          expect.objectContaining({ run_id: taskRun2.id }),
+        ])
+      );
+
+      await runsReplicationServiceB.stop();
+    }
+  );
+
+  replicationContainerTest(
+    "should not re-process already handled data if shutdown is called after all transactions are processed",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
+
+      const clickhouse = new ClickHouse({
+        url: clickhouseContainer.getConnectionUrl(),
+        name: "runs-replication-shutdown-after-processed",
+        logLevel: "warn",
+      });
+
+      // Service A
+      const runsReplicationServiceA = new RunsReplicationService({
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
+        pgConnectionUrl: postgresContainer.getConnectionUri(),
+        serviceName: "runs-replication-shutdown-after-processed",
+        slotName: "task_runs_to_clickhouse_v1",
+        publicationName: "task_runs_to_clickhouse_v1_publication",
+        redisOptions,
+        maxFlushConcurrency: 1,
+        flushIntervalMs: 100,
+        flushBatchSize: 1,
+        leaderLockTimeoutMs: 5000,
+        leaderLockExtendIntervalMs: 1000,
+        ackIntervalSeconds: 5,
+        logLevel: "warn",
+      });
+
+      await runsReplicationServiceA.start();
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test-shutdown-after-processed",
+          slug: "test-shutdown-after-processed",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test-shutdown-after-processed",
+          slug: "test-shutdown-after-processed",
+          organizationId: organization.id,
+          externalRef: "test-shutdown-after-processed",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test-shutdown-after-processed",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test-shutdown-after-processed",
+          pkApiKey: "test-shutdown-after-processed",
+          shortcode: "test-shutdown-after-processed",
+        },
+      });
+
+      const run1Id = `run_shutdown_after_processed_${Date.now()}`;
+      const taskRun1 = await prisma.taskRun.create({
+        data: {
+          friendlyId: run1Id,
+          taskIdentifier: "my-task-shutdown-after-processed",
+          payload: JSON.stringify({ foo: "after-processed" }),
+          payloadType: "application/json",
+          traceId: "after-processed-1234",
+          spanId: "after-processed-1234",
+          queue: "test-shutdown-after-processed",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+          status: "PENDING",
+        },
+      });
+
+      await setTimeout(1000);
+
+      const queryRuns = clickhouse.reader.query({
+        name: "runs-replication-shutdown-after-processed",
+        query: "SELECT * FROM trigger_dev.task_runs_v2 FINAL WHERE run_id = {run_id:String}",
+        schema: z.any(),
+        params: z.object({ run_id: z.string() }),
+      });
+
+      const [queryErrorA, resultA] = await queryRuns({ run_id: taskRun1.id });
+      expect(queryErrorA).toBeNull();
+      expect(resultA?.length).toBe(1);
+      expect(resultA?.[0]).toEqual(expect.objectContaining({ run_id: taskRun1.id }));
+
+      await runsReplicationServiceA.shutdown();
+
+      await setTimeout(500);
+
+      const taskRun2 = await prisma.taskRun.create({
+        data: {
+          friendlyId: `run_shutdown_after_processed_${Date.now()}`,
+          taskIdentifier: "my-task-shutdown-after-processed",
+          payload: JSON.stringify({ foo: "after-processed-2" }),
+          payloadType: "application/json",
+          traceId: "after-processed-2-1234",
+          spanId: "after-processed-2-1234",
+          queue: "test-shutdown-after-processed",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+          status: "PENDING",
+        },
+      });
+
+      // Service B
+      const runsReplicationServiceB = new RunsReplicationService({
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
+        pgConnectionUrl: postgresContainer.getConnectionUri(),
+        serviceName: "runs-replication-shutdown-after-processed",
+        slotName: "task_runs_to_clickhouse_v1",
+        publicationName: "task_runs_to_clickhouse_v1_publication",
+        redisOptions,
+        maxFlushConcurrency: 1,
+        flushIntervalMs: 100,
+        flushBatchSize: 1,
+        leaderLockTimeoutMs: 5000,
+        leaderLockExtendIntervalMs: 1000,
+        ackIntervalSeconds: 5,
+        logLevel: "warn",
+      });
+
+      await runsReplicationServiceB.start();
+
+      await setTimeout(1000);
+
+      const [queryErrorB, resultB] = await queryRuns({ run_id: taskRun2.id });
+      expect(queryErrorB).toBeNull();
+      expect(resultB?.length).toBe(1);
+      expect(resultB?.[0]).toEqual(expect.objectContaining({ run_id: taskRun2.id }));
+
+      await runsReplicationServiceB.stop();
+    }
+  );
+
+  replicationContainerTest(
+    "should record metrics with correct values when replicating runs",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
+
+      const clickhouse = new ClickHouse({
+        url: clickhouseContainer.getConnectionUrl(),
+        name: "runs-replication-metrics",
+        logLevel: "warn",
+      });
+
+      const { tracer } = createInMemoryTracing();
+      const metricsHelper = createInMemoryMetrics();
+
+      const runsReplicationService = new RunsReplicationService({
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
+        pgConnectionUrl: postgresContainer.getConnectionUri(),
+        serviceName: "runs-replication-metrics",
+        slotName: "task_runs_to_clickhouse_v1",
+        publicationName: "task_runs_to_clickhouse_v1_publication",
+        redisOptions,
+        maxFlushConcurrency: 2,
+        flushIntervalMs: 100,
+        flushBatchSize: 5,
+        leaderLockTimeoutMs: 5000,
+        leaderLockExtendIntervalMs: 1000,
+        ackIntervalSeconds: 5,
+        tracer,
+        meter: metricsHelper.meter,
+        logLevel: "warn",
+      });
+
+      await runsReplicationService.start();
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test-metrics",
+          slug: "test-metrics",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test-metrics",
+          slug: "test-metrics",
+          organizationId: organization.id,
+          externalRef: "test-metrics",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test-metrics",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test-metrics",
+          pkApiKey: "test-metrics",
+          shortcode: "test-metrics",
+        },
+      });
+
+      const now = Date.now();
+      const createdRuns: string[] = [];
+
+      for (let i = 0; i < 5; i++) {
+        const run = await prisma.taskRun.create({
+          data: {
+            friendlyId: `run_metrics_${now}_${i}`,
+            taskIdentifier: "my-task-metrics",
+            payload: JSON.stringify({ index: i }),
+            payloadType: "application/json",
+            traceId: `metrics-${now}-${i}`,
+            spanId: `metrics-${now}-${i}`,
+            queue: "test-metrics",
+            runtimeEnvironmentId: runtimeEnvironment.id,
+            projectId: project.id,
+            organizationId: organization.id,
+            environmentType: "DEVELOPMENT",
+            engine: "V2",
+            status: "PENDING",
+          },
+        });
+        createdRuns.push(run.id);
+      }
+
+      await setTimeout(1000);
+
+      for (let i = 0; i < 3; i++) {
+        await prisma.taskRun.update({
+          where: { id: createdRuns[i] },
+          data: { status: "EXECUTING" },
+        });
+      }
+
+      await setTimeout(1000);
+
+      for (let i = 0; i < 2; i++) {
+        await prisma.taskRun.update({
+          where: { id: createdRuns[i] },
+          data: {
+            status: "COMPLETED_SUCCESSFULLY",
+            completedAt: new Date(),
+            output: JSON.stringify({ result: "success" }),
+            outputType: "application/json",
+          },
+        });
+      }
+
+      await setTimeout(1000);
+
+      const metrics = await metricsHelper.getMetrics();
+
+      function getMetricData(name: string) {
+        for (const resourceMetrics of metrics) {
+          for (const scopeMetrics of resourceMetrics.scopeMetrics) {
+            for (const metric of scopeMetrics.metrics) {
+              if (metric.descriptor.name === name) {
+                return metric;
+              }
+            }
+          }
+        }
+        return null;
+      }
+
+      function sumCounterValues(metric: any): number {
+        if (!metric?.dataPoints) return 0;
+        return metric.dataPoints.reduce((sum: number, dp: any) => sum + (dp.value || 0), 0);
+      }
+
+      function histogramHasData(metric: any): boolean {
+        if (!metric?.dataPoints || metric.dataPoints.length === 0) return false;
+        return metric.dataPoints.some((dp: any) => {
+          return (
+            (typeof dp.count === "number" && dp.count > 0) ||
+            (typeof dp.value?.count === "number" && dp.value.count > 0) ||
+            (Array.isArray(dp.buckets?.counts) && dp.buckets.counts.some((c: number) => c > 0)) ||
+            (typeof dp.sum === "number" && dp.sum > 0) ||
+            typeof dp.min === "number" ||
+            typeof dp.max === "number"
+          );
+        });
+      }
+
+      function getCounterAttributeValues(metric: any, attributeName: string): unknown[] {
+        if (!metric?.dataPoints) return [];
+        return metric.dataPoints
+          .filter((dp: any) => dp.attributes?.[attributeName] !== undefined)
+          .map((dp: any) => dp.attributes[attributeName]);
+      }
+
+      const batchesFlushed = getMetricData("runs_replication.batches_flushed");
+      expect(batchesFlushed).not.toBeNull();
+      const totalBatchesFlushed = sumCounterValues(batchesFlushed);
+      expect(totalBatchesFlushed).toBeGreaterThanOrEqual(1);
+
+      const successAttributeValues = getCounterAttributeValues(batchesFlushed, "success");
+      expect(successAttributeValues.length).toBeGreaterThanOrEqual(1);
+
+      const taskRunsInserted = getMetricData("runs_replication.task_runs_inserted");
+      expect(taskRunsInserted).not.toBeNull();
+      const totalTaskRunsInserted = sumCounterValues(taskRunsInserted);
+      expect(totalTaskRunsInserted).toBeGreaterThanOrEqual(5);
+
+      const payloadsInserted = getMetricData("runs_replication.payloads_inserted");
+      expect(payloadsInserted).not.toBeNull();
+      const totalPayloadsInserted = sumCounterValues(payloadsInserted);
+      expect(totalPayloadsInserted).toBeGreaterThanOrEqual(1);
+
+      const eventsProcessed = getMetricData("runs_replication.events_processed");
+      expect(eventsProcessed).not.toBeNull();
+      const totalEventsProcessed = sumCounterValues(eventsProcessed);
+      expect(totalEventsProcessed).toBeGreaterThanOrEqual(1);
+
+      const eventTypes = getCounterAttributeValues(eventsProcessed, "event_type");
+      expect(eventTypes.length).toBeGreaterThanOrEqual(1);
+      expect(eventTypes).toContain("insert");
+
+      const batchSize = getMetricData("runs_replication.batch_size");
+      expect(batchSize).not.toBeNull();
+      expect(histogramHasData(batchSize)).toBe(true);
+
+      const replicationLag = getMetricData("runs_replication.replication_lag_ms");
+      expect(replicationLag).not.toBeNull();
+      expect(histogramHasData(replicationLag)).toBe(true);
+
+      const flushDuration = getMetricData("runs_replication.flush_duration_ms");
+      expect(flushDuration).not.toBeNull();
+      expect(histogramHasData(flushDuration)).toBe(true);
+
+      await runsReplicationService.stop();
+      await metricsHelper.shutdown();
+    }
+  );
+});
diff --git a/apps/webapp/test/runsReplicationService.part5.test.ts b/apps/webapp/test/runsReplicationService.part5.test.ts
new file mode 100644
index 00000000000..3263efae7b8
--- /dev/null
+++ b/apps/webapp/test/runsReplicationService.part5.test.ts
@@ -0,0 +1,147 @@
+import { ClickHouse, getTaskRunField, getPayloadField } from "@internal/clickhouse";
+import { replicationContainerTest } from "@internal/testcontainers";
+import { Logger } from "@trigger.dev/core/logger";
+import { readFile } from "node:fs/promises";
+import { setTimeout } from "node:timers/promises";
+import { z } from "zod";
+import { RunsReplicationService } from "~/services/runsReplicationService.server";
+import { detectBadJsonStrings } from "~/utils/detectBadJsonStrings";
+import { TestReplicationClickhouseFactory } from "./utils/testReplicationClickhouseFactory";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+describe("RunsReplicationService (part 5/7)", () => {
+  replicationContainerTest(
+    "should replicate all events in a single transaction (insert, update)",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
+
+      const clickhouse = new ClickHouse({
+        url: clickhouseContainer.getConnectionUrl(),
+        name: "runs-replication-multi-event-tx",
+        logLevel: "warn",
+      });
+
+      const runsReplicationService = new RunsReplicationService({
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
+        pgConnectionUrl: postgresContainer.getConnectionUri(),
+        serviceName: "runs-replication-multi-event-tx",
+        slotName: "task_runs_to_clickhouse_v1",
+        publicationName: "task_runs_to_clickhouse_v1_publication",
+        redisOptions,
+        maxFlushConcurrency: 1,
+        flushIntervalMs: 100,
+        flushBatchSize: 10,
+        leaderLockTimeoutMs: 5000,
+        leaderLockExtendIntervalMs: 1000,
+        ackIntervalSeconds: 5,
+        logLevel: "warn",
+      });
+
+      await runsReplicationService.start();
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test-multi-event-tx",
+          slug: "test-multi-event-tx",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test-multi-event-tx",
+          slug: "test-multi-event-tx",
+          organizationId: organization.id,
+          externalRef: "test-multi-event-tx",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test-multi-event-tx",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test-multi-event-tx",
+          pkApiKey: "test-multi-event-tx",
+          shortcode: "test-multi-event-tx",
+        },
+      });
+
+      // Start a transaction
+      const [run1, run2] = await prisma.$transaction(async (tx) => {
+        const run1 = await tx.taskRun.create({
+          data: {
+            friendlyId: `run_multi_event_1_${Date.now()}`,
+            taskIdentifier: "my-task-multi-event-1",
+            payload: JSON.stringify({ multi: 1 }),
+            payloadType: "application/json",
+            traceId: `multi-1-${Date.now()}`,
+            spanId: `multi-1-${Date.now()}`,
+            queue: "test-multi-event-tx",
+            runtimeEnvironmentId: runtimeEnvironment.id,
+            projectId: project.id,
+            organizationId: organization.id,
+            environmentType: "DEVELOPMENT",
+            engine: "V2",
+            status: "PENDING",
+            attemptNumber: 1,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        });
+        const run2 = await tx.taskRun.create({
+          data: {
+            friendlyId: `run_multi_event_2_${Date.now()}`,
+            taskIdentifier: "my-task-multi-event-2",
+            payload: JSON.stringify({ multi: 2 }),
+            payloadType: "application/json",
+            traceId: `multi-2-${Date.now()}`,
+            spanId: `multi-2-${Date.now()}`,
+            queue: "test-multi-event-tx",
+            runtimeEnvironmentId: runtimeEnvironment.id,
+            projectId: project.id,
+            organizationId: organization.id,
+            environmentType: "DEVELOPMENT",
+            engine: "V2",
+            status: "PENDING",
+            attemptNumber: 1,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        });
+        await tx.taskRun.update({
+          where: { id: run1.id },
+          data: { status: "COMPLETED_SUCCESSFULLY" },
+        });
+
+        return [run1, run2];
+      });
+
+      // Wait for replication
+      await setTimeout(1000);
+
+      // Query ClickHouse for both runs using FINAL
+      const queryRuns = clickhouse.reader.query({
+        name: "runs-replication-multi-event-tx",
+        query: `SELECT * FROM trigger_dev.task_runs_v2 FINAL WHERE run_id IN ({run_id_1:String}, {run_id_2:String})`,
+        schema: z.any(),
+        params: z.object({ run_id_1: z.string(), run_id_2: z.string() }),
+      });
+
+      const [queryError, result] = await queryRuns({ run_id_1: run1.id, run_id_2: run2.id });
+      expect(queryError).toBeNull();
+      expect(result?.length).toBe(2);
+      const run1Result = result?.find((r: any) => r.run_id === run1.id);
+      const run2Result = result?.find((r: any) => r.run_id === run2.id);
+      expect(run1Result).toBeDefined();
+      expect(run1Result).toEqual(
+        expect.objectContaining({ run_id: run1.id, status: "COMPLETED_SUCCESSFULLY" })
+      );
+      expect(run2Result).toBeDefined();
+      expect(run2Result).toEqual(expect.objectContaining({ run_id: run2.id }));
+
+      await runsReplicationService.stop();
+    }
+  );
+});
diff --git a/apps/webapp/test/runsReplicationService.part6.test.ts b/apps/webapp/test/runsReplicationService.part6.test.ts
new file mode 100644
index 00000000000..276920f8491
--- /dev/null
+++ b/apps/webapp/test/runsReplicationService.part6.test.ts
@@ -0,0 +1,536 @@
+import { ClickHouse, getTaskRunField, getPayloadField } from "@internal/clickhouse";
+import { replicationContainerTest } from "@internal/testcontainers";
+import { Logger } from "@trigger.dev/core/logger";
+import { readFile } from "node:fs/promises";
+import { setTimeout } from "node:timers/promises";
+import { z } from "zod";
+import { RunsReplicationService } from "~/services/runsReplicationService.server";
+import { detectBadJsonStrings } from "~/utils/detectBadJsonStrings";
+import { TestReplicationClickhouseFactory } from "./utils/testReplicationClickhouseFactory";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+describe("RunsReplicationService (part 6/7)", () => {
+  replicationContainerTest(
+    "should sort batch inserts according to table schema ordering for optimal performance",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      await prisma.$executeRawUnsafe(`ALTER TABLE public.\"TaskRun\" REPLICA IDENTITY FULL;`);
+
+      const clickhouse = new ClickHouse({
+        url: clickhouseContainer.getConnectionUrl(),
+        name: "runs-replication-sorting",
+        logLevel: "warn",
+      });
+
+      const runsReplicationService = new RunsReplicationService({
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
+        pgConnectionUrl: postgresContainer.getConnectionUri(),
+        serviceName: "runs-replication-sorting",
+        slotName: "task_runs_to_clickhouse_v1",
+        publicationName: "task_runs_to_clickhouse_v1_publication",
+        redisOptions,
+        maxFlushConcurrency: 1,
+        flushIntervalMs: 100,
+        flushBatchSize: 10,
+        leaderLockTimeoutMs: 5000,
+        leaderLockExtendIntervalMs: 1000,
+        ackIntervalSeconds: 5,
+        logLevel: "warn",
+      });
+
+      // Listen to batchFlushed events to verify sorting
+      const batchFlushedEvents: Array<{
+        flushId: string;
+        taskRunInserts: any[];
+        payloadInserts: any[];
+      }> = [];
+
+      runsReplicationService.events.on("batchFlushed", (event) => {
+        batchFlushedEvents.push(event);
+      });
+
+      await runsReplicationService.start();
+
+      // Create two organizations to test sorting by organization_id
+      const org1 = await prisma.organization.create({
+        data: { title: "org-z", slug: "org-z" },
+      });
+
+      const org2 = await prisma.organization.create({
+        data: { title: "org-a", slug: "org-a" },
+      });
+
+      const project1 = await prisma.project.create({
+        data: {
+          name: "test-sorting-z",
+          slug: "test-sorting-z",
+          organizationId: org1.id,
+          externalRef: "test-sorting-z",
+        },
+      });
+
+      const project2 = await prisma.project.create({
+        data: {
+          name: "test-sorting-a",
+          slug: "test-sorting-a",
+          organizationId: org2.id,
+          externalRef: "test-sorting-a",
+        },
+      });
+
+      const env1 = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test-sorting-z",
+          type: "DEVELOPMENT",
+          projectId: project1.id,
+          organizationId: org1.id,
+          apiKey: "test-sorting-z",
+          pkApiKey: "test-sorting-z",
+          shortcode: "test-sorting-z",
+        },
+      });
+
+      const env2 = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test-sorting-a",
+          type: "DEVELOPMENT",
+          projectId: project2.id,
+          organizationId: org2.id,
+          apiKey: "test-sorting-a",
+          pkApiKey: "test-sorting-a",
+          shortcode: "test-sorting-a",
+        },
+      });
+
+      const now = Date.now();
+
+      const run1 = await prisma.taskRun.create({
+        data: {
+          friendlyId: `run_sort_org_z_${now}`,
+          taskIdentifier: "my-task-sort",
+          payload: JSON.stringify({ org: "z" }),
+          payloadType: "application/json",
+          traceId: `sort-z-${now}`,
+          spanId: `sort-z-${now}`,
+          queue: "test-sorting",
+          runtimeEnvironmentId: env1.id,
+          projectId: project1.id,
+          organizationId: org1.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+          status: "PENDING",
+          createdAt: new Date(now + 2000),
+        },
+      });
+      await prisma.taskRun.update({
+        where: { id: run1.id },
+        data: { status: "DEQUEUED" },
+      });
+
+      await prisma.taskRun.create({
+        data: {
+          friendlyId: `run_sort_org_a_${now}`,
+          taskIdentifier: "my-task-sort",
+          payload: JSON.stringify({ org: "a" }),
+          payloadType: "application/json",
+          traceId: `sort-a-${now}`,
+          spanId: `sort-a-${now}`,
+          queue: "test-sorting",
+          runtimeEnvironmentId: env2.id,
+          projectId: project2.id,
+          organizationId: org2.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+          status: "PENDING",
+          createdAt: new Date(now + 1000),
+        },
+      });
+
+      await prisma.taskRun.create({
+        data: {
+          friendlyId: `run_sort_org_a_${now}_2`,
+          taskIdentifier: "my-task-sort",
+          payload: JSON.stringify({ org: "a" }),
+          payloadType: "application/json",
+          traceId: `sort-a-${now}`,
+          spanId: `sort-a-${now}`,
+          queue: "test-sorting",
+          runtimeEnvironmentId: env2.id,
+          projectId: project2.id,
+          organizationId: org2.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+          status: "PENDING",
+          createdAt: new Date(now),
+        },
+      });
+
+      await setTimeout(1000);
+
+      expect(batchFlushedEvents[0]?.taskRunInserts.length).toBeGreaterThan(1);
+      expect(batchFlushedEvents[0]?.payloadInserts.length).toBeGreaterThan(1);
+
+      // Verify sorting order: organization_id, project_id, environment_id, created_at, run_id
+      for (let i = 1; i < batchFlushedEvents[0]?.taskRunInserts.length; i++) {
+        const prev = batchFlushedEvents[0]!.taskRunInserts[i - 1];
+        const curr = batchFlushedEvents[0]!.taskRunInserts[i];
+
+        const prevKey = [
+          getTaskRunField(prev, "organization_id"),
+          getTaskRunField(prev, "project_id"),
+          getTaskRunField(prev, "environment_id"),
+          getTaskRunField(prev, "created_at"),
+          getTaskRunField(prev, "run_id"),
+        ];
+        const currKey = [
+          getTaskRunField(curr, "organization_id"),
+          getTaskRunField(curr, "project_id"),
+          getTaskRunField(curr, "environment_id"),
+          getTaskRunField(curr, "created_at"),
+          getTaskRunField(curr, "run_id"),
+        ];
+
+        const keysAreEqual = prevKey.every((val, idx) => val === currKey[idx]);
+        if (keysAreEqual) {
+          // Also valid order
+          continue;
+        }
+
+        // Compare tuples lexicographically
+        let isCorrectOrder = false;
+        for (let j = 0; j < prevKey.length; j++) {
+          if (prevKey[j] < currKey[j]) {
+            isCorrectOrder = true;
+            break;
+          }
+          if (prevKey[j] > currKey[j]) {
+            isCorrectOrder = false;
+            break;
+          }
+          // If equal, continue to next field
+        }
+
+        expect(isCorrectOrder).toBeTruthy();
+      }
+
+      // Verify payloadInserts are also sorted by run_id
+      for (let i = 1; i < batchFlushedEvents[0]?.payloadInserts.length; i++) {
+        const prev = batchFlushedEvents[0]!.payloadInserts[i - 1];
+        const curr = batchFlushedEvents[0]!.payloadInserts[i];
+        expect(getPayloadField(prev, "run_id") <= getPayloadField(curr, "run_id")).toBeTruthy();
+      }
+
+      await runsReplicationService.stop();
+    }
+  );
+
+  replicationContainerTest(
+    "should exhaustively replicate all TaskRun columns to ClickHouse",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
+
+      const clickhouse = new ClickHouse({
+        url: clickhouseContainer.getConnectionUrl(),
+        name: "runs-replication-exhaustive",
+        logLevel: "warn",
+      });
+
+      const runsReplicationService = new RunsReplicationService({
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
+        pgConnectionUrl: postgresContainer.getConnectionUri(),
+        serviceName: "runs-replication-exhaustive",
+        slotName: "task_runs_to_clickhouse_v1",
+        publicationName: "task_runs_to_clickhouse_v1_publication",
+        redisOptions,
+        maxFlushConcurrency: 1,
+        flushIntervalMs: 100,
+        flushBatchSize: 1,
+        leaderLockTimeoutMs: 5000,
+        leaderLockExtendIntervalMs: 1000,
+        ackIntervalSeconds: 5,
+        logLevel: "warn",
+      });
+
+      await runsReplicationService.start();
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test-exhaustive",
+          slug: "test-exhaustive",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test-exhaustive",
+          slug: "test-exhaustive",
+          organizationId: organization.id,
+          externalRef: "test-exhaustive",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test-exhaustive",
+          type: "PRODUCTION",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test-exhaustive",
+          pkApiKey: "test-exhaustive",
+          shortcode: "test-exhaustive",
+        },
+      });
+
+      // Create a batch for the batchId field
+      const batch = await prisma.batchTaskRun.create({
+        data: {
+          friendlyId: "batch_exhaustive",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          status: "PENDING",
+        },
+      });
+
+      // Create a root run for the rootTaskRunId field
+      const rootRun = await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_root_exhaustive",
+          taskIdentifier: "root-task",
+          payload: JSON.stringify({ root: true }),
+          traceId: "root-trace-id",
+          spanId: "root-span-id",
+          queue: "root-queue",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "PRODUCTION",
+          engine: "V2",
+        },
+      });
+
+      // Create a parent run for the parentTaskRunId field
+      const parentRun = await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_parent_exhaustive",
+          taskIdentifier: "parent-task",
+          payload: JSON.stringify({ parent: true }),
+          traceId: "parent-trace-id",
+          spanId: "parent-span-id",
+          queue: "parent-queue",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "PRODUCTION",
+          engine: "V2",
+          rootTaskRunId: rootRun.id,
+          depth: 1,
+        },
+      });
+
+      // Set up all the dates we'll use
+      const now = new Date();
+      const createdAt = new Date(now.getTime() - 10000);
+      const updatedAt = new Date(now.getTime() - 5000);
+      const startedAt = new Date(now.getTime() - 8000);
+      const executedAt = new Date(now.getTime() - 7500);
+      const completedAt = new Date(now.getTime() - 6000);
+      const delayUntil = new Date(now.getTime() - 9000);
+      const queuedAt = new Date(now.getTime() - 9500);
+      const expiredAt = null; // Not expired
+
+      // Create the main task run with ALL fields populated
+      const taskRun = await prisma.taskRun.create({
+        data: {
+          // Core identifiers
+          friendlyId: "run_exhaustive_test",
+          taskIdentifier: "exhaustive-task",
+
+          // Environment/project/org
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "PRODUCTION",
+
+          // Engine and execution
+          engine: "V2",
+          status: "COMPLETED_SUCCESSFULLY",
+          attemptNumber: 3,
+          queue: "exhaustive-queue",
+          workerQueue: "exhaustive-worker-queue",
+
+          // Relationships
+          // Note: scheduleId is not set to test empty string handling
+          batchId: batch.id,
+          rootTaskRunId: rootRun.id,
+          parentTaskRunId: parentRun.id,
+          depth: 2,
+
+          // Timestamps
+          createdAt,
+          updatedAt,
+          startedAt,
+          executedAt,
+          completedAt,
+          delayUntil,
+          queuedAt,
+          expiredAt,
+
+          // Payload and output
+          payload: JSON.stringify({ input: "test-payload" }),
+          payloadType: "application/json",
+          output: JSON.stringify({ result: "test-output" }),
+          outputType: "application/json",
+          error: { message: "test error", name: "TestError" },
+
+          // Tracing
+          traceId: "exhaustive-trace-id-12345",
+          spanId: "exhaustive-span-id-67890",
+
+          // Versioning
+          taskVersion: "1.2.3",
+          sdkVersion: "3.0.0",
+          cliVersion: "2.5.1",
+
+          // Execution settings
+          machinePreset: "large-1x",
+          idempotencyKey: "exhaustive-idempotency-key-hashed",
+          idempotencyKeyOptions: {
+            key: "exhaustive-idempotency-key",
+            scope: "run",
+          },
+          ttl: "1h",
+          isTest: true,
+          concurrencyKey: "exhaustive-concurrency-key",
+          maxDurationInSeconds: 3600,
+
+          // Tags and bulk actions
+          runTags: ["tag1", "tag2", "exhaustive-tag"],
+          bulkActionGroupIds: ["bulk-group-1", "bulk-group-2"],
+
+          // Usage metrics
+          usageDurationMs: 12345,
+          costInCents: 50,
+          baseCostInCents: 25,
+        },
+      });
+
+      // Wait for replication
+      await setTimeout(1500);
+
+      // Query ClickHouse directly to get all columns
+      const queryRuns = clickhouse.reader.query({
+        name: "exhaustive-replication-test",
+        query: "SELECT * FROM trigger_dev.task_runs_v2 FINAL WHERE run_id = {run_id:String}",
+        schema: z.any(),
+        params: z.object({ run_id: z.string() }),
+      });
+
+      const [queryError, result] = await queryRuns({ run_id: taskRun.id });
+
+      expect(queryError).toBeNull();
+      expect(result).toHaveLength(1);
+
+      const clickhouseRun = result![0];
+
+      // Exhaustively verify each column
+      // Core identifiers
+      expect(clickhouseRun.run_id).toBe(taskRun.id);
+      expect(clickhouseRun.friendly_id).toBe("run_exhaustive_test");
+      expect(clickhouseRun.task_identifier).toBe("exhaustive-task");
+
+      // Environment/project/org
+      expect(clickhouseRun.environment_id).toBe(runtimeEnvironment.id);
+      expect(clickhouseRun.project_id).toBe(project.id);
+      expect(clickhouseRun.organization_id).toBe(organization.id);
+      expect(clickhouseRun.environment_type).toBe("PRODUCTION");
+
+      // Engine and execution
+      expect(clickhouseRun.engine).toBe("V2");
+      expect(clickhouseRun.status).toBe("COMPLETED_SUCCESSFULLY");
+      expect(clickhouseRun.attempt).toBe(3);
+      expect(clickhouseRun.queue).toBe("exhaustive-queue");
+      expect(clickhouseRun.worker_queue).toBe("exhaustive-worker-queue");
+
+      // Relationships
+      expect(clickhouseRun.schedule_id).toBe(""); // Empty when not set
+      expect(clickhouseRun.batch_id).toBe(batch.id);
+      expect(clickhouseRun.root_run_id).toBe(rootRun.id);
+      expect(clickhouseRun.parent_run_id).toBe(parentRun.id);
+      expect(clickhouseRun.depth).toBe(2);
+
+      // Timestamps (ClickHouse returns DateTime64 as strings in UTC without 'Z' suffix)
+      // Helper to parse ClickHouse timestamp strings to milliseconds
+      function parseClickhouseTimestamp(ts: string | null): number | null {
+        if (ts === null || ts === "1970-01-01 00:00:00.000") return null;
+        return new Date(ts + "Z").getTime();
+      }
+
+      expect(parseClickhouseTimestamp(clickhouseRun.created_at)).toBe(createdAt.getTime());
+      expect(parseClickhouseTimestamp(clickhouseRun.updated_at)).toBe(updatedAt.getTime());
+      expect(parseClickhouseTimestamp(clickhouseRun.started_at)).toBe(startedAt.getTime());
+      expect(parseClickhouseTimestamp(clickhouseRun.executed_at)).toBe(executedAt.getTime());
+      expect(parseClickhouseTimestamp(clickhouseRun.completed_at)).toBe(completedAt.getTime());
+      expect(parseClickhouseTimestamp(clickhouseRun.delay_until)).toBe(delayUntil.getTime());
+      expect(parseClickhouseTimestamp(clickhouseRun.queued_at)).toBe(queuedAt.getTime());
+      expect(parseClickhouseTimestamp(clickhouseRun.expired_at)).toBeNull();
+
+      // Output (parsed JSON)
+      expect(clickhouseRun.output).toEqual({ data: { result: "test-output" } });
+
+      // Error
+      expect(clickhouseRun.error).toEqual({
+        data: { message: "test error", name: "TestError" },
+      });
+
+      // Tracing
+      expect(clickhouseRun.trace_id).toBe("exhaustive-trace-id-12345");
+      expect(clickhouseRun.span_id).toBe("exhaustive-span-id-67890");
+
+      // Versioning
+      expect(clickhouseRun.task_version).toBe("1.2.3");
+      expect(clickhouseRun.sdk_version).toBe("3.0.0");
+      expect(clickhouseRun.cli_version).toBe("2.5.1");
+
+      // Execution settings
+      expect(clickhouseRun.machine_preset).toBe("large-1x");
+      expect(clickhouseRun.idempotency_key).toBe("exhaustive-idempotency-key-hashed");
+      expect(clickhouseRun.idempotency_key_user).toBe("exhaustive-idempotency-key");
+      expect(clickhouseRun.idempotency_key_scope).toBe("run");
+      expect(clickhouseRun.expiration_ttl).toBe("1h");
+      expect(clickhouseRun.is_test).toBe(1); // ClickHouse returns booleans as integers
+      expect(clickhouseRun.concurrency_key).toBe("exhaustive-concurrency-key");
+      expect(clickhouseRun.max_duration_in_seconds).toBe(3600);
+
+      // Tags and bulk actions
+      expect(clickhouseRun.tags).toEqual(["tag1", "tag2", "exhaustive-tag"]);
+      expect(clickhouseRun.bulk_action_group_ids).toEqual(["bulk-group-1", "bulk-group-2"]);
+
+      // Usage metrics
+      expect(clickhouseRun.usage_duration_ms).toBe(12345);
+      expect(clickhouseRun.cost_in_cents).toBe(50);
+      expect(clickhouseRun.base_cost_in_cents).toBe(25);
+
+      // Internal ClickHouse columns
+      expect(clickhouseRun._is_deleted).toBe(0);
+      expect(clickhouseRun._version).toBeDefined();
+      expect(typeof clickhouseRun._version).toBe("number"); // ClickHouse returns UInt64 as number
+
+      // Also verify the payload was inserted into the payloads table
+      const queryPayloads = clickhouse.reader.query({
+        name: "exhaustive-payload-test",
+        query: "SELECT * FROM trigger_dev.raw_task_runs_payload_v1 WHERE run_id = {run_id:String}",
+        schema: z.any(),
+        params: z.object({ run_id: z.string() }),
+      });
+
+      const [payloadError, payloadResult] = await queryPayloads({ run_id: taskRun.id });
+
+      expect(payloadError).toBeNull();
+      expect(payloadResult).toHaveLength(1);
+      expect(payloadResult![0].run_id).toBe(taskRun.id);
+      expect(parseClickhouseTimestamp(payloadResult![0].created_at)).toBe(createdAt.getTime());
+      expect(payloadResult![0].payload).toEqual({ data: { input: "test-payload" } });
+
+      await runsReplicationService.stop();
+    }
+  );
+});
diff --git a/apps/webapp/test/runsReplicationService.part7.test.ts b/apps/webapp/test/runsReplicationService.part7.test.ts
new file mode 100644
index 00000000000..4f091d8eb4c
--- /dev/null
+++ b/apps/webapp/test/runsReplicationService.part7.test.ts
@@ -0,0 +1,120 @@
+import { ClickHouse, getTaskRunField, getPayloadField } from "@internal/clickhouse";
+import { replicationContainerTest } from "@internal/testcontainers";
+import { Logger } from "@trigger.dev/core/logger";
+import { readFile } from "node:fs/promises";
+import { setTimeout } from "node:timers/promises";
+import { z } from "zod";
+import { RunsReplicationService } from "~/services/runsReplicationService.server";
+import { detectBadJsonStrings } from "~/utils/detectBadJsonStrings";
+import { TestReplicationClickhouseFactory } from "./utils/testReplicationClickhouseFactory";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+describe("RunsReplicationService (part 7/7)", () => {
+  replicationContainerTest(
+    "should be able to handle processing transactions for a long period of time",
+    { timeout: 60_000 * 5 },
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      await prisma.$executeRawUnsafe(`ALTER TABLE public."TaskRun" REPLICA IDENTITY FULL;`);
+
+      const clickhouse = new ClickHouse({
+        url: clickhouseContainer.getConnectionUrl(),
+        name: "runs-replication-long-tx",
+        logLevel: "warn",
+      });
+
+      const runsReplicationService = new RunsReplicationService({
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
+        pgConnectionUrl: postgresContainer.getConnectionUri(),
+        serviceName: "runs-replication-long-tx",
+        slotName: "task_runs_to_clickhouse_v1",
+        publicationName: "task_runs_to_clickhouse_v1_publication",
+        redisOptions,
+        maxFlushConcurrency: 1,
+        flushIntervalMs: 100,
+        flushBatchSize: 10,
+        leaderLockTimeoutMs: 5000,
+        leaderLockExtendIntervalMs: 1000,
+        ackIntervalSeconds: 5,
+        logLevel: "warn",
+      });
+
+      await runsReplicationService.start();
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test-long-tx",
+          slug: "test-long-tx",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test-long-tx",
+          slug: "test-long-tx",
+          organizationId: organization.id,
+          externalRef: "test-long-tx",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test-long-tx",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test-long-tx",
+          pkApiKey: "test-long-tx",
+          shortcode: "test-long-tx",
+        },
+      });
+
+      // Start an interval that will create a new run every 500ms for 4 minutes
+      const interval = setInterval(async () => {
+        await prisma.taskRun.create({
+          data: {
+            friendlyId: `run_long_tx_${Date.now()}`,
+            taskIdentifier: "my-task-long-tx",
+            payload: JSON.stringify({ long: 1 }),
+            payloadType: "application/json",
+            traceId: `long-${Date.now()}`,
+            spanId: `long-${Date.now()}`,
+            queue: "test-long-tx",
+            runtimeEnvironmentId: runtimeEnvironment.id,
+            projectId: project.id,
+            organizationId: organization.id,
+            environmentType: "DEVELOPMENT",
+            engine: "V2",
+            status: "PENDING",
+            attemptNumber: 1,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          },
+        });
+      }, 500);
+
+      // Wait for 1 minute
+      await setTimeout(1 * 60 * 1000);
+
+      // Stop the interval
+      clearInterval(interval);
+
+      // Wait for replication
+      await setTimeout(1000);
+
+      // Query ClickHouse for all runs using FINAL
+      const queryRuns = clickhouse.reader.query({
+        name: "runs-replication-long-tx",
+        query: `SELECT * FROM trigger_dev.task_runs_v2 FINAL`,
+        schema: z.any(),
+      });
+
+      const [queryError, result] = await queryRuns({});
+      expect(queryError).toBeNull();
+
+      expect(result?.length).toBeGreaterThanOrEqual(50);
+
+      await runsReplicationService.stop();
+    }
+  );
+});
diff --git a/apps/webapp/test/runsRepository.part1.test.ts b/apps/webapp/test/runsRepository.part1.test.ts
index 45d91ad44e7..e33f4464db3 100644
--- a/apps/webapp/test/runsRepository.part1.test.ts
+++ b/apps/webapp/test/runsRepository.part1.test.ts
@@ -6,15 +6,15 @@ vi.mock("~/db.server", () => ({
   $replica: {},
 }));
 
-import { containerTest } from "@internal/testcontainers";
+import { replicationContainerTest } from "@internal/testcontainers";
 import { setTimeout } from "node:timers/promises";
 import { RunsRepository } from "~/services/runsRepository/runsRepository.server";
 import { setupClickhouseReplication } from "./utils/replicationUtils";
 
 vi.setConfig({ testTimeout: 60_000 });
 
-describe("RunsRepository (part 1/2)", () => {
-  containerTest(
+describe("RunsRepository (part 1/4)", () => {
+  replicationContainerTest(
     "should list runs, using clickhouse as the source",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       const { clickhouse } = await setupClickhouseReplication({
@@ -90,7 +90,7 @@ describe("RunsRepository (part 1/2)", () => {
     }
   );
 
-  containerTest(
+  replicationContainerTest(
     "should filter runs by task identifiers",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       const { clickhouse } = await setupClickhouseReplication({
@@ -198,7 +198,7 @@ describe("RunsRepository (part 1/2)", () => {
     }
   );
 
-  containerTest(
+  replicationContainerTest(
     "should filter runs by task versions",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       const { clickhouse } = await setupClickhouseReplication({
@@ -309,7 +309,7 @@ describe("RunsRepository (part 1/2)", () => {
     }
   );
 
-  containerTest(
+  replicationContainerTest(
     "should filter runs by status",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       const { clickhouse } = await setupClickhouseReplication({
@@ -419,331 +419,4 @@ describe("RunsRepository (part 1/2)", () => {
       expect(runs.map((r) => r.status).sort()).toEqual(["COMPLETED_SUCCESSFULLY", "PENDING"]);
     }
   );
-
-  containerTest(
-    "should filter runs by tags",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      const { clickhouse } = await setupClickhouseReplication({
-        prisma,
-        databaseUrl: postgresContainer.getConnectionUri(),
-        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
-        redisOptions,
-      });
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test",
-          slug: "test",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test",
-          slug: "test",
-          organizationId: organization.id,
-          externalRef: "test",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test",
-          type: "DEVELOPMENT",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test",
-          pkApiKey: "test",
-          shortcode: "test",
-        },
-      });
-
-      // Create runs with different tags
-      const taskRun1 = await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_urgent",
-          taskIdentifier: "my-task",
-          runTags: ["urgent", "production"],
-          payload: JSON.stringify({ foo: "bar" }),
-          traceId: "1234",
-          spanId: "1234",
-          queue: "test",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-        },
-      });
-
-      const taskRun2 = await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_regular",
-          taskIdentifier: "my-task",
-          runTags: ["regular", "development"],
-          payload: JSON.stringify({ foo: "bar" }),
-          traceId: "1235",
-          spanId: "1235",
-          queue: "test",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-        },
-      });
-
-      const taskRun3 = await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_urgent_dev",
-          taskIdentifier: "my-task",
-          runTags: ["urgent", "development"],
-          payload: JSON.stringify({ foo: "bar" }),
-          traceId: "1236",
-          spanId: "1236",
-          queue: "test",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-        },
-      });
-
-      await setTimeout(1000);
-
-      const runsRepository = new RunsRepository({
-        prisma,
-        clickhouse,
-      });
-
-      // Test filtering by tags
-      const { runs } = await runsRepository.listRuns({
-        page: { size: 10 },
-        projectId: project.id,
-        environmentId: runtimeEnvironment.id,
-        organizationId: organization.id,
-        tags: ["urgent"],
-      });
-
-      expect(runs).toHaveLength(2);
-      expect(runs.map((r) => r.friendlyId).sort()).toEqual(["run_urgent", "run_urgent_dev"]);
-    }
-  );
-
-  containerTest(
-    "should filter runs by scheduleId",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      const { clickhouse } = await setupClickhouseReplication({
-        prisma,
-        databaseUrl: postgresContainer.getConnectionUri(),
-        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
-        redisOptions,
-      });
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test",
-          slug: "test",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test",
-          slug: "test",
-          organizationId: organization.id,
-          externalRef: "test",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test",
-          type: "DEVELOPMENT",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test",
-          pkApiKey: "test",
-          shortcode: "test",
-        },
-      });
-
-      // Create runs with different schedule IDs
-      await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_scheduled_1",
-          taskIdentifier: "my-task",
-          scheduleId: "schedule_1",
-          payload: JSON.stringify({ foo: "bar" }),
-          traceId: "1234",
-          spanId: "1234",
-          queue: "test",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-        },
-      });
-
-      await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_scheduled_2",
-          taskIdentifier: "my-task",
-          scheduleId: "schedule_2",
-          payload: JSON.stringify({ foo: "bar" }),
-          traceId: "1235",
-          spanId: "1235",
-          queue: "test",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-        },
-      });
-
-      await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_unscheduled",
-          taskIdentifier: "my-task",
-          payload: JSON.stringify({ foo: "bar" }),
-          traceId: "1236",
-          spanId: "1236",
-          queue: "test",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-        },
-      });
-
-      await setTimeout(1000);
-
-      const runsRepository = new RunsRepository({
-        prisma,
-        clickhouse,
-      });
-
-      // Test filtering by schedule ID
-      const { runs } = await runsRepository.listRuns({
-        page: { size: 10 },
-        projectId: project.id,
-        environmentId: runtimeEnvironment.id,
-        organizationId: organization.id,
-        scheduleId: "schedule_1",
-      });
-
-      expect(runs).toHaveLength(1);
-      expect(runs[0].friendlyId).toBe("run_scheduled_1");
-    }
-  );
-
-  containerTest(
-    "should filter runs by isTest flag",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      const { clickhouse } = await setupClickhouseReplication({
-        prisma,
-        databaseUrl: postgresContainer.getConnectionUri(),
-        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
-        redisOptions,
-      });
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test",
-          slug: "test",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test",
-          slug: "test",
-          organizationId: organization.id,
-          externalRef: "test",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test",
-          type: "DEVELOPMENT",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test",
-          pkApiKey: "test",
-          shortcode: "test",
-        },
-      });
-
-      // Create test and non-test runs
-      await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_test",
-          taskIdentifier: "my-task",
-          isTest: true,
-          payload: JSON.stringify({ foo: "bar" }),
-          traceId: "1234",
-          spanId: "1234",
-          queue: "test",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-        },
-      });
-
-      await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_production",
-          taskIdentifier: "my-task",
-          isTest: false,
-          payload: JSON.stringify({ foo: "bar" }),
-          traceId: "1235",
-          spanId: "1235",
-          queue: "test",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-        },
-      });
-
-      await setTimeout(1000);
-
-      const runsRepository = new RunsRepository({
-        prisma,
-        clickhouse,
-      });
-
-      // Test filtering by isTest=true
-      const testRuns = await runsRepository.listRuns({
-        page: { size: 10 },
-        projectId: project.id,
-        environmentId: runtimeEnvironment.id,
-        organizationId: organization.id,
-        isTest: true,
-      });
-
-      expect(testRuns.runs).toHaveLength(1);
-      expect(testRuns.runs[0].friendlyId).toBe("run_test");
-
-      // Test filtering by isTest=false
-      const productionRuns = await runsRepository.listRuns({
-        page: { size: 10 },
-        projectId: project.id,
-        environmentId: runtimeEnvironment.id,
-        organizationId: organization.id,
-        isTest: false,
-      });
-
-      expect(productionRuns.runs).toHaveLength(1);
-      expect(productionRuns.runs[0].friendlyId).toBe("run_production");
-    }
-  );
-});
\ No newline at end of file
+});
diff --git a/apps/webapp/test/runsRepository.part2.test.ts b/apps/webapp/test/runsRepository.part2.test.ts
index 5fbe80ce52e..55cba6854f6 100644
--- a/apps/webapp/test/runsRepository.part2.test.ts
+++ b/apps/webapp/test/runsRepository.part2.test.ts
@@ -6,15 +6,15 @@ vi.mock("~/db.server", () => ({
   $replica: {},
 }));
 
-import { containerTest } from "@internal/testcontainers";
+import { replicationContainerTest } from "@internal/testcontainers";
 import { setTimeout } from "node:timers/promises";
 import { RunsRepository } from "~/services/runsRepository/runsRepository.server";
 import { setupClickhouseReplication } from "./utils/replicationUtils";
 
 vi.setConfig({ testTimeout: 60_000 });
 
-describe("RunsRepository (part 2/2)", () => {
-  containerTest(
+describe("RunsRepository (part 2/4)", () => {
+  replicationContainerTest(
     "should filter runs by rootOnly flag",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       const { clickhouse } = await setupClickhouseReplication({
@@ -108,7 +108,7 @@ describe("RunsRepository (part 2/2)", () => {
     }
   );
 
-  containerTest(
+  replicationContainerTest(
     "should filter runs by batchId",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       const { clickhouse } = await setupClickhouseReplication({
@@ -238,7 +238,7 @@ describe("RunsRepository (part 2/2)", () => {
     }
   );
 
-  containerTest(
+  replicationContainerTest(
     "should filter runs by runFriendlyIds",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       const { clickhouse } = await setupClickhouseReplication({
@@ -346,7 +346,7 @@ describe("RunsRepository (part 2/2)", () => {
     }
   );
 
-  containerTest(
+  replicationContainerTest(
     "should filter runs by runIds",
     async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
       const { clickhouse } = await setupClickhouseReplication({
@@ -453,340 +453,4 @@ describe("RunsRepository (part 2/2)", () => {
       expect(runs.map((r) => r.id).sort()).toEqual([run1.id, run3.id].sort());
     }
   );
-
-  containerTest(
-    "should filter runs by date range (from/to)",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      const { clickhouse } = await setupClickhouseReplication({
-        prisma,
-        databaseUrl: postgresContainer.getConnectionUri(),
-        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
-        redisOptions,
-      });
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test",
-          slug: "test",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test",
-          slug: "test",
-          organizationId: organization.id,
-          externalRef: "test",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test",
-          type: "DEVELOPMENT",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test",
-          pkApiKey: "test",
-          shortcode: "test",
-        },
-      });
-
-      const now = new Date();
-      const yesterday = new Date(now.getTime() - 24 * 60 * 60 * 1000);
-      const tomorrow = new Date(now.getTime() + 24 * 60 * 60 * 1000);
-
-      // Create runs with different creation dates
-      await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_yesterday",
-          taskIdentifier: "my-task",
-          createdAt: yesterday,
-          payload: JSON.stringify({ foo: "bar" }),
-          traceId: "1234",
-          spanId: "1234",
-          queue: "test",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-        },
-      });
-
-      await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_today",
-          taskIdentifier: "my-task",
-          createdAt: now,
-          payload: JSON.stringify({ foo: "bar" }),
-          traceId: "1235",
-          spanId: "1235",
-          queue: "test",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-        },
-      });
-
-      await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_tomorrow",
-          taskIdentifier: "my-task",
-          createdAt: tomorrow,
-          payload: JSON.stringify({ foo: "bar" }),
-          traceId: "1236",
-          spanId: "1236",
-          queue: "test",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-        },
-      });
-
-      await setTimeout(1000);
-
-      const runsRepository = new RunsRepository({
-        prisma,
-        clickhouse,
-      });
-
-      // Test filtering by date range (from yesterday to today)
-      const { runs } = await runsRepository.listRuns({
-        page: { size: 10 },
-        projectId: project.id,
-        environmentId: runtimeEnvironment.id,
-        organizationId: organization.id,
-        from: yesterday.getTime(),
-        to: now.getTime(),
-      });
-
-      expect(runs).toHaveLength(2);
-      expect(runs.map((r) => r.friendlyId).sort()).toEqual(["run_today", "run_yesterday"]);
-    }
-  );
-
-  containerTest(
-    "should handle multiple filters combined",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      const { clickhouse } = await setupClickhouseReplication({
-        prisma,
-        databaseUrl: postgresContainer.getConnectionUri(),
-        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
-        redisOptions,
-      });
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test",
-          slug: "test",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test",
-          slug: "test",
-          organizationId: organization.id,
-          externalRef: "test",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test",
-          type: "DEVELOPMENT",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test",
-          pkApiKey: "test",
-          shortcode: "test",
-        },
-      });
-
-      // Create runs with different combinations of properties
-      await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_match",
-          taskIdentifier: "task-1",
-          taskVersion: "1.0.0",
-          status: "COMPLETED_SUCCESSFULLY",
-          isTest: false,
-          runTags: ["urgent"],
-          payload: JSON.stringify({ foo: "bar" }),
-          traceId: "1234",
-          spanId: "1234",
-          queue: "test",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-        },
-      });
-
-      await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_no_match_task",
-          taskIdentifier: "task-2", // Different task
-          taskVersion: "1.0.0",
-          status: "COMPLETED_SUCCESSFULLY",
-          isTest: false,
-          runTags: ["urgent"],
-          payload: JSON.stringify({ foo: "bar" }),
-          traceId: "1235",
-          spanId: "1235",
-          queue: "test",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-        },
-      });
-
-      await prisma.taskRun.create({
-        data: {
-          friendlyId: "run_no_match_status",
-          taskIdentifier: "task-1",
-          taskVersion: "1.0.0",
-          status: "PENDING", // Different status
-          isTest: false,
-          runTags: ["urgent"],
-          payload: JSON.stringify({ foo: "bar" }),
-          traceId: "1236",
-          spanId: "1236",
-          queue: "test",
-          runtimeEnvironmentId: runtimeEnvironment.id,
-          projectId: project.id,
-          organizationId: organization.id,
-          environmentType: "DEVELOPMENT",
-          engine: "V2",
-        },
-      });
-
-      await setTimeout(1000);
-
-      const runsRepository = new RunsRepository({
-        prisma,
-        clickhouse,
-      });
-
-      // Test combining multiple filters
-      const { runs } = await runsRepository.listRuns({
-        page: { size: 10 },
-        projectId: project.id,
-        environmentId: runtimeEnvironment.id,
-        organizationId: organization.id,
-        tasks: ["task-1"],
-        versions: ["1.0.0"],
-        statuses: ["COMPLETED_SUCCESSFULLY"],
-        isTest: false,
-        tags: ["urgent"],
-      });
-
-      expect(runs).toHaveLength(1);
-      expect(runs[0].friendlyId).toBe("run_match");
-    }
-  );
-
-  containerTest(
-    "should handle pagination correctly",
-    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
-      const { clickhouse } = await setupClickhouseReplication({
-        prisma,
-        databaseUrl: postgresContainer.getConnectionUri(),
-        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
-        redisOptions,
-      });
-
-      const organization = await prisma.organization.create({
-        data: {
-          title: "test",
-          slug: "test",
-        },
-      });
-
-      const project = await prisma.project.create({
-        data: {
-          name: "test",
-          slug: "test",
-          organizationId: organization.id,
-          externalRef: "test",
-        },
-      });
-
-      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
-        data: {
-          slug: "test",
-          type: "DEVELOPMENT",
-          projectId: project.id,
-          organizationId: organization.id,
-          apiKey: "test",
-          pkApiKey: "test",
-          shortcode: "test",
-        },
-      });
-
-      // Create multiple runs for pagination testing
-      const runs = [];
-      for (let i = 1; i <= 5; i++) {
-        const run = await prisma.taskRun.create({
-          data: {
-            friendlyId: `run_${i}`,
-            taskIdentifier: "my-task",
-            payload: JSON.stringify({ foo: "bar" }),
-            traceId: `123${i}`,
-            spanId: `123${i}`,
-            queue: "test",
-            runtimeEnvironmentId: runtimeEnvironment.id,
-            projectId: project.id,
-            organizationId: organization.id,
-            environmentType: "DEVELOPMENT",
-            engine: "V2",
-          },
-        });
-        runs.push(run);
-      }
-
-      await setTimeout(1000);
-
-      const runsRepository = new RunsRepository({
-        prisma,
-        clickhouse,
-      });
-
-      // Test first page
-      const firstPage = await runsRepository.listRuns({
-        page: { size: 2 },
-        projectId: project.id,
-        environmentId: runtimeEnvironment.id,
-        organizationId: organization.id,
-      });
-
-      expect(firstPage.runs).toHaveLength(2);
-      expect(firstPage.pagination.nextCursor).toBeTruthy();
-      expect(firstPage.pagination.previousCursor).toBe(null);
-
-      // Test next page using cursor
-      const secondPage = await runsRepository.listRuns({
-        page: {
-          size: 2,
-          cursor: firstPage.pagination.nextCursor!,
-          direction: "forward",
-        },
-        projectId: project.id,
-        environmentId: runtimeEnvironment.id,
-        organizationId: organization.id,
-      });
-
-      expect(secondPage.runs).toHaveLength(2);
-      expect(secondPage.pagination.nextCursor).toBeTruthy();
-      expect(secondPage.pagination.previousCursor).toBeTruthy();
-    }
-  );
-});
\ No newline at end of file
+});
diff --git a/apps/webapp/test/runsRepository.part3.test.ts b/apps/webapp/test/runsRepository.part3.test.ts
new file mode 100644
index 00000000000..543ce47a018
--- /dev/null
+++ b/apps/webapp/test/runsRepository.part3.test.ts
@@ -0,0 +1,343 @@
+import { describe, expect, vi } from "vitest";
+
+// Mock the db prisma client
+vi.mock("~/db.server", () => ({
+  prisma: {},
+  $replica: {},
+}));
+
+import { replicationContainerTest } from "@internal/testcontainers";
+import { setTimeout } from "node:timers/promises";
+import { RunsRepository } from "~/services/runsRepository/runsRepository.server";
+import { setupClickhouseReplication } from "./utils/replicationUtils";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+describe("RunsRepository (part 3/4)", () => {
+  replicationContainerTest(
+    "should filter runs by tags",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      const { clickhouse } = await setupClickhouseReplication({
+        prisma,
+        databaseUrl: postgresContainer.getConnectionUri(),
+        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
+        redisOptions,
+      });
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test",
+          slug: "test",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test",
+          slug: "test",
+          organizationId: organization.id,
+          externalRef: "test",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test",
+          pkApiKey: "test",
+          shortcode: "test",
+        },
+      });
+
+      // Create runs with different tags
+      const taskRun1 = await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_urgent",
+          taskIdentifier: "my-task",
+          runTags: ["urgent", "production"],
+          payload: JSON.stringify({ foo: "bar" }),
+          traceId: "1234",
+          spanId: "1234",
+          queue: "test",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+        },
+      });
+
+      const taskRun2 = await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_regular",
+          taskIdentifier: "my-task",
+          runTags: ["regular", "development"],
+          payload: JSON.stringify({ foo: "bar" }),
+          traceId: "1235",
+          spanId: "1235",
+          queue: "test",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+        },
+      });
+
+      const taskRun3 = await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_urgent_dev",
+          taskIdentifier: "my-task",
+          runTags: ["urgent", "development"],
+          payload: JSON.stringify({ foo: "bar" }),
+          traceId: "1236",
+          spanId: "1236",
+          queue: "test",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+        },
+      });
+
+      await setTimeout(1000);
+
+      const runsRepository = new RunsRepository({
+        prisma,
+        clickhouse,
+      });
+
+      // Test filtering by tags
+      const { runs } = await runsRepository.listRuns({
+        page: { size: 10 },
+        projectId: project.id,
+        environmentId: runtimeEnvironment.id,
+        organizationId: organization.id,
+        tags: ["urgent"],
+      });
+
+      expect(runs).toHaveLength(2);
+      expect(runs.map((r) => r.friendlyId).sort()).toEqual(["run_urgent", "run_urgent_dev"]);
+    }
+  );
+
+  replicationContainerTest(
+    "should filter runs by scheduleId",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      const { clickhouse } = await setupClickhouseReplication({
+        prisma,
+        databaseUrl: postgresContainer.getConnectionUri(),
+        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
+        redisOptions,
+      });
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test",
+          slug: "test",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test",
+          slug: "test",
+          organizationId: organization.id,
+          externalRef: "test",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test",
+          pkApiKey: "test",
+          shortcode: "test",
+        },
+      });
+
+      // Create runs with different schedule IDs
+      await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_scheduled_1",
+          taskIdentifier: "my-task",
+          scheduleId: "schedule_1",
+          payload: JSON.stringify({ foo: "bar" }),
+          traceId: "1234",
+          spanId: "1234",
+          queue: "test",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+        },
+      });
+
+      await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_scheduled_2",
+          taskIdentifier: "my-task",
+          scheduleId: "schedule_2",
+          payload: JSON.stringify({ foo: "bar" }),
+          traceId: "1235",
+          spanId: "1235",
+          queue: "test",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+        },
+      });
+
+      await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_unscheduled",
+          taskIdentifier: "my-task",
+          payload: JSON.stringify({ foo: "bar" }),
+          traceId: "1236",
+          spanId: "1236",
+          queue: "test",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+        },
+      });
+
+      await setTimeout(1000);
+
+      const runsRepository = new RunsRepository({
+        prisma,
+        clickhouse,
+      });
+
+      // Test filtering by schedule ID
+      const { runs } = await runsRepository.listRuns({
+        page: { size: 10 },
+        projectId: project.id,
+        environmentId: runtimeEnvironment.id,
+        organizationId: organization.id,
+        scheduleId: "schedule_1",
+      });
+
+      expect(runs).toHaveLength(1);
+      expect(runs[0].friendlyId).toBe("run_scheduled_1");
+    }
+  );
+
+  replicationContainerTest(
+    "should filter runs by isTest flag",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      const { clickhouse } = await setupClickhouseReplication({
+        prisma,
+        databaseUrl: postgresContainer.getConnectionUri(),
+        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
+        redisOptions,
+      });
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test",
+          slug: "test",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test",
+          slug: "test",
+          organizationId: organization.id,
+          externalRef: "test",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test",
+          pkApiKey: "test",
+          shortcode: "test",
+        },
+      });
+
+      // Create test and non-test runs
+      await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_test",
+          taskIdentifier: "my-task",
+          isTest: true,
+          payload: JSON.stringify({ foo: "bar" }),
+          traceId: "1234",
+          spanId: "1234",
+          queue: "test",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+        },
+      });
+
+      await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_production",
+          taskIdentifier: "my-task",
+          isTest: false,
+          payload: JSON.stringify({ foo: "bar" }),
+          traceId: "1235",
+          spanId: "1235",
+          queue: "test",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+        },
+      });
+
+      await setTimeout(1000);
+
+      const runsRepository = new RunsRepository({
+        prisma,
+        clickhouse,
+      });
+
+      // Test filtering by isTest=true
+      const testRuns = await runsRepository.listRuns({
+        page: { size: 10 },
+        projectId: project.id,
+        environmentId: runtimeEnvironment.id,
+        organizationId: organization.id,
+        isTest: true,
+      });
+
+      expect(testRuns.runs).toHaveLength(1);
+      expect(testRuns.runs[0].friendlyId).toBe("run_test");
+
+      // Test filtering by isTest=false
+      const productionRuns = await runsRepository.listRuns({
+        page: { size: 10 },
+        projectId: project.id,
+        environmentId: runtimeEnvironment.id,
+        organizationId: organization.id,
+        isTest: false,
+      });
+
+      expect(productionRuns.runs).toHaveLength(1);
+      expect(productionRuns.runs[0].friendlyId).toBe("run_production");
+    }
+  );
+});
diff --git a/apps/webapp/test/runsRepository.part4.test.ts b/apps/webapp/test/runsRepository.part4.test.ts
new file mode 100644
index 00000000000..2a432acab55
--- /dev/null
+++ b/apps/webapp/test/runsRepository.part4.test.ts
@@ -0,0 +1,455 @@
+import { describe, expect, vi } from "vitest";
+
+// Mock the db prisma client
+vi.mock("~/db.server", () => ({
+  prisma: {},
+  $replica: {},
+}));
+
+import { replicationContainerTest } from "@internal/testcontainers";
+import { setTimeout } from "node:timers/promises";
+import { RunsRepository } from "~/services/runsRepository/runsRepository.server";
+import { setupClickhouseReplication } from "./utils/replicationUtils";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+describe("RunsRepository (part 4/4)", () => {
+  replicationContainerTest(
+    "should filter runs by date range (from/to)",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      const { clickhouse } = await setupClickhouseReplication({
+        prisma,
+        databaseUrl: postgresContainer.getConnectionUri(),
+        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
+        redisOptions,
+      });
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test",
+          slug: "test",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test",
+          slug: "test",
+          organizationId: organization.id,
+          externalRef: "test",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test",
+          pkApiKey: "test",
+          shortcode: "test",
+        },
+      });
+
+      const now = new Date();
+      const yesterday = new Date(now.getTime() - 24 * 60 * 60 * 1000);
+      const tomorrow = new Date(now.getTime() + 24 * 60 * 60 * 1000);
+
+      // Create runs with different creation dates
+      await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_yesterday",
+          taskIdentifier: "my-task",
+          createdAt: yesterday,
+          payload: JSON.stringify({ foo: "bar" }),
+          traceId: "1234",
+          spanId: "1234",
+          queue: "test",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+        },
+      });
+
+      await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_today",
+          taskIdentifier: "my-task",
+          createdAt: now,
+          payload: JSON.stringify({ foo: "bar" }),
+          traceId: "1235",
+          spanId: "1235",
+          queue: "test",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+        },
+      });
+
+      await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_tomorrow",
+          taskIdentifier: "my-task",
+          createdAt: tomorrow,
+          payload: JSON.stringify({ foo: "bar" }),
+          traceId: "1236",
+          spanId: "1236",
+          queue: "test",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+        },
+      });
+
+      await setTimeout(1000);
+
+      const runsRepository = new RunsRepository({
+        prisma,
+        clickhouse,
+      });
+
+      // Test filtering by date range (from yesterday to today)
+      const { runs } = await runsRepository.listRuns({
+        page: { size: 10 },
+        projectId: project.id,
+        environmentId: runtimeEnvironment.id,
+        organizationId: organization.id,
+        from: yesterday.getTime(),
+        to: now.getTime(),
+      });
+
+      expect(runs).toHaveLength(2);
+      expect(runs.map((r) => r.friendlyId).sort()).toEqual(["run_today", "run_yesterday"]);
+    }
+  );
+
+  replicationContainerTest(
+    "should handle multiple filters combined",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      const { clickhouse } = await setupClickhouseReplication({
+        prisma,
+        databaseUrl: postgresContainer.getConnectionUri(),
+        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
+        redisOptions,
+      });
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test",
+          slug: "test",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test",
+          slug: "test",
+          organizationId: organization.id,
+          externalRef: "test",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test",
+          pkApiKey: "test",
+          shortcode: "test",
+        },
+      });
+
+      // Create runs with different combinations of properties
+      await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_match",
+          taskIdentifier: "task-1",
+          taskVersion: "1.0.0",
+          status: "COMPLETED_SUCCESSFULLY",
+          isTest: false,
+          runTags: ["urgent"],
+          payload: JSON.stringify({ foo: "bar" }),
+          traceId: "1234",
+          spanId: "1234",
+          queue: "test",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+        },
+      });
+
+      await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_no_match_task",
+          taskIdentifier: "task-2", // Different task
+          taskVersion: "1.0.0",
+          status: "COMPLETED_SUCCESSFULLY",
+          isTest: false,
+          runTags: ["urgent"],
+          payload: JSON.stringify({ foo: "bar" }),
+          traceId: "1235",
+          spanId: "1235",
+          queue: "test",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+        },
+      });
+
+      await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_no_match_status",
+          taskIdentifier: "task-1",
+          taskVersion: "1.0.0",
+          status: "PENDING", // Different status
+          isTest: false,
+          runTags: ["urgent"],
+          payload: JSON.stringify({ foo: "bar" }),
+          traceId: "1236",
+          spanId: "1236",
+          queue: "test",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+        },
+      });
+
+      await setTimeout(1000);
+
+      const runsRepository = new RunsRepository({
+        prisma,
+        clickhouse,
+      });
+
+      // Test combining multiple filters
+      const { runs } = await runsRepository.listRuns({
+        page: { size: 10 },
+        projectId: project.id,
+        environmentId: runtimeEnvironment.id,
+        organizationId: organization.id,
+        tasks: ["task-1"],
+        versions: ["1.0.0"],
+        statuses: ["COMPLETED_SUCCESSFULLY"],
+        isTest: false,
+        tags: ["urgent"],
+      });
+
+      expect(runs).toHaveLength(1);
+      expect(runs[0].friendlyId).toBe("run_match");
+    }
+  );
+
+  replicationContainerTest(
+    "should handle pagination correctly",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      const { clickhouse } = await setupClickhouseReplication({
+        prisma,
+        databaseUrl: postgresContainer.getConnectionUri(),
+        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
+        redisOptions,
+      });
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test",
+          slug: "test",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test",
+          slug: "test",
+          organizationId: organization.id,
+          externalRef: "test",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test",
+          pkApiKey: "test",
+          shortcode: "test",
+        },
+      });
+
+      // Create multiple runs for pagination testing
+      const runs = [];
+      for (let i = 1; i <= 5; i++) {
+        const run = await prisma.taskRun.create({
+          data: {
+            friendlyId: `run_${i}`,
+            taskIdentifier: "my-task",
+            payload: JSON.stringify({ foo: "bar" }),
+            traceId: `123${i}`,
+            spanId: `123${i}`,
+            queue: "test",
+            runtimeEnvironmentId: runtimeEnvironment.id,
+            projectId: project.id,
+            organizationId: organization.id,
+            environmentType: "DEVELOPMENT",
+            engine: "V2",
+          },
+        });
+        runs.push(run);
+      }
+
+      await setTimeout(1000);
+
+      const runsRepository = new RunsRepository({
+        prisma,
+        clickhouse,
+      });
+
+      // Test first page
+      const firstPage = await runsRepository.listRuns({
+        page: { size: 2 },
+        projectId: project.id,
+        environmentId: runtimeEnvironment.id,
+        organizationId: organization.id,
+      });
+
+      expect(firstPage.runs).toHaveLength(2);
+      expect(firstPage.pagination.nextCursor).toBeTruthy();
+      expect(firstPage.pagination.previousCursor).toBe(null);
+
+      // Test next page using cursor
+      const secondPage = await runsRepository.listRuns({
+        page: {
+          size: 2,
+          cursor: firstPage.pagination.nextCursor!,
+          direction: "forward",
+        },
+        projectId: project.id,
+        environmentId: runtimeEnvironment.id,
+        organizationId: organization.id,
+      });
+
+      expect(secondPage.runs).toHaveLength(2);
+      expect(secondPage.pagination.nextCursor).toBeTruthy();
+      expect(secondPage.pagination.previousCursor).toBeTruthy();
+    }
+  );
+
+  replicationContainerTest(
+    "should count new runs with listRunIds",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      const { clickhouse } = await setupClickhouseReplication({
+        prisma,
+        databaseUrl: postgresContainer.getConnectionUri(),
+        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
+        redisOptions,
+      });
+
+      const organization = await prisma.organization.create({
+        data: {
+          title: "test",
+          slug: "test",
+        },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test",
+          slug: "test",
+          organizationId: organization.id,
+          externalRef: "test",
+        },
+      });
+
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test",
+          pkApiKey: "test",
+          shortcode: "test",
+        },
+      });
+
+      const taskRun = await prisma.taskRun.create({
+        data: {
+          friendlyId: "run_has_new",
+          taskIdentifier: "my-task",
+          payload: JSON.stringify({ foo: "bar" }),
+          traceId: "1234",
+          spanId: "1234",
+          queue: "test",
+          runtimeEnvironmentId: runtimeEnvironment.id,
+          projectId: project.id,
+          organizationId: organization.id,
+          environmentType: "DEVELOPMENT",
+          engine: "V2",
+        },
+      });
+
+      await setTimeout(1000);
+
+      const runsRepository = new RunsRepository({
+        prisma,
+        clickhouse,
+      });
+
+      const baseOptions = {
+        projectId: project.id,
+        environmentId: runtimeEnvironment.id,
+        organizationId: organization.id,
+      };
+
+      const createdAtMs = taskRun.createdAt.getTime();
+
+      const newRunIdsBefore = await runsRepository.listRunIds({
+        ...baseOptions,
+        from: createdAtMs - 1,
+        page: { size: 100 },
+      });
+      expect(newRunIdsBefore.runIds.length).toBeGreaterThanOrEqual(1);
+
+      const newRunIdsAfter = await runsRepository.listRunIds({
+        ...baseOptions,
+        from: createdAtMs + 60_000,
+        page: { size: 100 },
+      });
+      expect(newRunIdsAfter.runIds).toHaveLength(0);
+
+      const fromBeforeRun = createdAtMs - 1;
+
+      const matchingTaskIds = await runsRepository.listRunIds({
+        ...baseOptions,
+        from: fromBeforeRun,
+        tasks: ["my-task"],
+        page: { size: 100 },
+      });
+      expect(matchingTaskIds.runIds.length).toBeGreaterThanOrEqual(1);
+
+      const otherTaskIds = await runsRepository.listRunIds({
+        ...baseOptions,
+        from: fromBeforeRun,
+        tasks: ["other-task"],
+        page: { size: 100 },
+      });
+      expect(otherTaskIds.runIds).toHaveLength(0);
+    }
+  );
+});
diff --git a/apps/webapp/test/runsRepositoryCursor.test.ts b/apps/webapp/test/runsRepositoryCursor.test.ts
new file mode 100644
index 00000000000..f7e02763ad9
--- /dev/null
+++ b/apps/webapp/test/runsRepositoryCursor.test.ts
@@ -0,0 +1,521 @@
+import { describe, expect, vi } from "vitest";
+
+// Mock the db prisma client
+vi.mock("~/db.server", () => ({
+  prisma: {},
+  $replica: {},
+}));
+
+import { replicationContainerTest } from "@internal/testcontainers";
+import { setTimeout } from "node:timers/promises";
+import { RunsRepository } from "~/services/runsRepository/runsRepository.server";
+import { setupClickhouseReplication } from "./utils/replicationUtils";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+/**
+ * Regression tests for keyset pagination over `(created_at, run_id)`.
+ *
+ * `listRunIds`/`listRuns` order by the composite key `(created_at, run_id)` but
+ * the old cursor predicate cut on `run_id` alone. That is only sound when
+ * `run_id` lexicographic order matches `created_at` order. When a burst of runs
+ * is created such that the two orders diverge (here: deliberately reversed),
+ * keyset pagination both re-includes already-seen runs (duplicates) and drops
+ * runs it should have returned (skips).
+ *
+ * Each test inserts runs with explicit ids so that `run_id` ascending order is
+ * the exact reverse of `created_at` ascending order, then walks every page and
+ * asserts the union is exactly the inserted set with no duplicates.
+ */
+describe("RunsRepository cursor pagination", () => {
+  replicationContainerTest(
+    "forward pagination returns every run exactly once when run_id order is the reverse of created_at order",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      const { clickhouse } = await setupClickhouseReplication({
+        prisma,
+        databaseUrl: postgresContainer.getConnectionUri(),
+        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
+        redisOptions,
+      });
+
+      const organization = await prisma.organization.create({
+        data: { title: "test", slug: "test" },
+      });
+      const project = await prisma.project.create({
+        data: {
+          name: "test",
+          slug: "test",
+          organizationId: organization.id,
+          externalRef: "test",
+        },
+      });
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test",
+          pkApiKey: "test",
+          shortcode: "test",
+        },
+      });
+
+      // run_id ascending: a < b < c < d < e
+      // created_at ascending: e < d < c < b < a  (the exact reverse)
+      const ids = [
+        "aaaaaaaaaaaaaaaaaaaaaaaa",
+        "bbbbbbbbbbbbbbbbbbbbbbbb",
+        "cccccccccccccccccccccccc",
+        "dddddddddddddddddddddddd",
+        "eeeeeeeeeeeeeeeeeeeeeeee",
+      ];
+      const base = Date.now() - 60 * 60 * 1000; // relative, so fixtures never age out of the default 7d window
+      for (let i = 0; i < ids.length; i++) {
+        await prisma.taskRun.create({
+          data: {
+            id: ids[i],
+            // earliest-created run has the largest run_id (reverse correlation)
+            createdAt: new Date(base + (ids.length - 1 - i) * 1000),
+            friendlyId: `run_${ids[i]}`,
+            taskIdentifier: "my-task",
+            payload: JSON.stringify({ foo: "bar" }),
+            traceId: `trace_${i}`,
+            spanId: `span_${i}`,
+            queue: "test",
+            runtimeEnvironmentId: runtimeEnvironment.id,
+            projectId: project.id,
+            organizationId: organization.id,
+            environmentType: "DEVELOPMENT",
+            engine: "V2",
+          },
+        });
+      }
+
+      await setTimeout(1000);
+
+      const runsRepository = new RunsRepository({ prisma, clickhouse });
+
+      const baseOptions = {
+        projectId: project.id,
+        environmentId: runtimeEnvironment.id,
+        organizationId: organization.id,
+      };
+
+      // Walk every forward page, size 2, accumulating ids.
+      const seen: string[] = [];
+      let cursor: string | undefined = undefined;
+      for (let guard = 0; guard < 20; guard++) {
+        const page = await runsRepository.listRuns({
+          ...baseOptions,
+          page: { size: 2, cursor, direction: cursor ? "forward" : undefined },
+        });
+        seen.push(...page.runs.map((r) => r.id));
+        if (!page.pagination.nextCursor) break;
+        cursor = page.pagination.nextCursor;
+      }
+
+      // No duplicates, no skips: every inserted run appears exactly once.
+      expect(seen.slice().sort()).toEqual(ids.slice().sort());
+      expect(new Set(seen).size).toBe(ids.length);
+    }
+  );
+
+  replicationContainerTest(
+    "backward pagination round-trips to the previous page when run_id order is the reverse of created_at order",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      const { clickhouse } = await setupClickhouseReplication({
+        prisma,
+        databaseUrl: postgresContainer.getConnectionUri(),
+        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
+        redisOptions,
+      });
+
+      const organization = await prisma.organization.create({
+        data: { title: "test", slug: "test" },
+      });
+      const project = await prisma.project.create({
+        data: {
+          name: "test",
+          slug: "test",
+          organizationId: organization.id,
+          externalRef: "test",
+        },
+      });
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test",
+          pkApiKey: "test",
+          shortcode: "test",
+        },
+      });
+
+      // run_id ascending: a < b < c ; created_at ascending: c < b < a (reversed).
+      const ids = [
+        "aaaaaaaaaaaaaaaaaaaaaaaa",
+        "bbbbbbbbbbbbbbbbbbbbbbbb",
+        "cccccccccccccccccccccccc",
+      ];
+      const base = Date.now() - 60 * 60 * 1000; // relative, so fixtures never age out of the default 7d window
+      for (let i = 0; i < ids.length; i++) {
+        await prisma.taskRun.create({
+          data: {
+            id: ids[i],
+            createdAt: new Date(base + (ids.length - 1 - i) * 1000),
+            friendlyId: `run_${ids[i]}`,
+            taskIdentifier: "my-task",
+            payload: JSON.stringify({ foo: "bar" }),
+            traceId: `trace_${i}`,
+            spanId: `span_${i}`,
+            queue: "test",
+            runtimeEnvironmentId: runtimeEnvironment.id,
+            projectId: project.id,
+            organizationId: organization.id,
+            environmentType: "DEVELOPMENT",
+            engine: "V2",
+          },
+        });
+      }
+
+      await setTimeout(1000);
+
+      const runsRepository = new RunsRepository({ prisma, clickhouse });
+      const baseOptions = {
+        projectId: project.id,
+        environmentId: runtimeEnvironment.id,
+        organizationId: organization.id,
+      };
+
+      // Forward order (created_at DESC) is [a, b, c]. First page (size 2) = {a, b}.
+      const firstPage = await runsRepository.listRuns({
+        ...baseOptions,
+        page: { size: 2 },
+      });
+      const firstIds = firstPage.runs.map((r) => r.id).sort();
+      expect(firstIds).toEqual(["aaaaaaaaaaaaaaaaaaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbb"]);
+      expect(firstPage.pagination.nextCursor).toBeTruthy();
+
+      // Forward to the second page = {c}; it exposes a previousCursor.
+      const secondPage = await runsRepository.listRuns({
+        ...baseOptions,
+        page: { size: 2, cursor: firstPage.pagination.nextCursor!, direction: "forward" },
+      });
+      expect(secondPage.runs.map((r) => r.id)).toEqual(["cccccccccccccccccccccccc"]);
+      expect(secondPage.pagination.previousCursor).toBeTruthy();
+
+      // Stepping backward from the second page must land back on the first page
+      // exactly — no duplicated or skipped runs across the boundary.
+      const backPage = await runsRepository.listRuns({
+        ...baseOptions,
+        page: { size: 2, cursor: secondPage.pagination.previousCursor!, direction: "backward" },
+      });
+      expect(backPage.runs.map((r) => r.id).sort()).toEqual(firstIds);
+    }
+  );
+
+  replicationContainerTest(
+    "legacy bare run_id cursor still uses the old (run_id-only) predicate for backwards compatibility",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      const { clickhouse } = await setupClickhouseReplication({
+        prisma,
+        databaseUrl: postgresContainer.getConnectionUri(),
+        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
+        redisOptions,
+      });
+
+      const organization = await prisma.organization.create({
+        data: { title: "test", slug: "test" },
+      });
+      const project = await prisma.project.create({
+        data: {
+          name: "test",
+          slug: "test",
+          organizationId: organization.id,
+          externalRef: "test",
+        },
+      });
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test",
+          pkApiKey: "test",
+          shortcode: "test",
+        },
+      });
+
+      const ids = [
+        "aaaaaaaaaaaaaaaaaaaaaaaa",
+        "bbbbbbbbbbbbbbbbbbbbbbbb",
+        "cccccccccccccccccccccccc",
+      ];
+      const base = Date.now() - 60 * 60 * 1000; // relative, so fixtures never age out of the default 7d window
+      for (let i = 0; i < ids.length; i++) {
+        await prisma.taskRun.create({
+          data: {
+            id: ids[i],
+            createdAt: new Date(base + i * 1000),
+            friendlyId: `run_${ids[i]}`,
+            taskIdentifier: "my-task",
+            payload: JSON.stringify({ foo: "bar" }),
+            traceId: `trace_${i}`,
+            spanId: `span_${i}`,
+            queue: "test",
+            runtimeEnvironmentId: runtimeEnvironment.id,
+            projectId: project.id,
+            organizationId: organization.id,
+            environmentType: "DEVELOPMENT",
+            engine: "V2",
+          },
+        });
+      }
+
+      await setTimeout(1000);
+
+      const runsRepository = new RunsRepository({ prisma, clickhouse });
+
+      // A legacy cursor is a bare run_id. The old predicate is `run_id < cursor`,
+      // so passing the largest run_id must return the two smaller ones.
+      const page = await runsRepository.listRuns({
+        projectId: project.id,
+        environmentId: runtimeEnvironment.id,
+        organizationId: organization.id,
+        page: { size: 10, cursor: "cccccccccccccccccccccccc", direction: "forward" },
+      });
+
+      const returned = page.runs.map((r) => r.id).sort();
+      expect(returned).toEqual([
+        "aaaaaaaaaaaaaaaaaaaaaaaa",
+        "bbbbbbbbbbbbbbbbbbbbbbbb",
+      ]);
+    }
+  );
+
+  replicationContainerTest(
+    "backward pagination across multiple pages returns each page intact (no straddling)",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      const { clickhouse } = await setupClickhouseReplication({
+        prisma,
+        databaseUrl: postgresContainer.getConnectionUri(),
+        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
+        redisOptions,
+      });
+
+      const organization = await prisma.organization.create({
+        data: { title: "test", slug: "test" },
+      });
+      const project = await prisma.project.create({
+        data: {
+          name: "test",
+          slug: "test",
+          organizationId: organization.id,
+          externalRef: "test",
+        },
+      });
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test",
+          pkApiKey: "test",
+          shortcode: "test",
+        },
+      });
+
+      // Five runs so a backward page has more rows before it (hasMore === true),
+      // which is the case the off-by-one in the backward slice corrupts.
+      const ids = [
+        "aaaaaaaaaaaaaaaaaaaaaaaa",
+        "bbbbbbbbbbbbbbbbbbbbbbbb",
+        "cccccccccccccccccccccccc",
+        "dddddddddddddddddddddddd",
+        "eeeeeeeeeeeeeeeeeeeeeeee",
+      ];
+      const base = Date.now() - 60 * 60 * 1000; // relative, so fixtures never age out of the default 7d window
+      for (let i = 0; i < ids.length; i++) {
+        await prisma.taskRun.create({
+          data: {
+            id: ids[i],
+            createdAt: new Date(base + (ids.length - 1 - i) * 1000),
+            friendlyId: `run_${ids[i]}`,
+            taskIdentifier: "my-task",
+            payload: JSON.stringify({ foo: "bar" }),
+            traceId: `trace_${i}`,
+            spanId: `span_${i}`,
+            queue: "test",
+            runtimeEnvironmentId: runtimeEnvironment.id,
+            projectId: project.id,
+            organizationId: organization.id,
+            environmentType: "DEVELOPMENT",
+            engine: "V2",
+          },
+        });
+      }
+
+      await setTimeout(1000);
+
+      const runsRepository = new RunsRepository({ prisma, clickhouse });
+      const baseOptions = {
+        projectId: project.id,
+        environmentId: runtimeEnvironment.id,
+        organizationId: organization.id,
+      };
+
+      const sortIds = (page: string[]) => page.slice().sort();
+
+      // Walk every forward page, capturing the run ids and the previousCursor.
+      const forwardPages: Array<{ ids: string[]; previousCursor: string | null }> = [];
+      let cursor: string | undefined = undefined;
+      for (let guard = 0; guard < 20; guard++) {
+        const page = await runsRepository.listRuns({
+          ...baseOptions,
+          page: { size: 2, cursor, direction: cursor ? "forward" : undefined },
+        });
+        forwardPages.push({
+          ids: page.runs.map((r) => r.id),
+          previousCursor: page.pagination.previousCursor,
+        });
+        if (!page.pagination.nextCursor) break;
+        cursor = page.pagination.nextCursor;
+      }
+
+      // Forward pagination itself must cover every run exactly once, in 3 pages.
+      expect(forwardPages.flatMap((p) => p.ids).sort()).toEqual(ids.slice().sort());
+      expect(forwardPages).toHaveLength(3);
+
+      // Walk backward from the last page. Each backward page must equal the
+      // corresponding forward page exactly — no row from an adjacent page
+      // bleeding in (the straddle bug returned e.g. {b,c} instead of {c,d}).
+      const backwardPages: string[][] = [];
+      let backCursor: string | null = forwardPages[forwardPages.length - 1].previousCursor;
+      for (let guard = 0; guard < 20 && backCursor; guard++) {
+        const page = await runsRepository.listRuns({
+          ...baseOptions,
+          page: { size: 2, cursor: backCursor, direction: "backward" },
+        });
+        backwardPages.push(page.runs.map((r) => r.id));
+        backCursor = page.pagination.previousCursor;
+      }
+
+      const expectedBackward = forwardPages
+        .slice(0, -1)
+        .reverse()
+        .map((p) => sortIds(p.ids));
+      expect(backwardPages.map(sortIds)).toEqual(expectedBackward);
+
+      // And the full backward traversal (last page + everything walked back to
+      // the start) covers every run exactly once.
+      const seen = [...forwardPages[forwardPages.length - 1].ids, ...backwardPages.flat()];
+      expect(seen.slice().sort()).toEqual(ids.slice().sort());
+      expect(new Set(seen).size).toBe(ids.length);
+    }
+  );
+
+  replicationContainerTest(
+    "a partial backward page still exposes a forward cursor (no stranding)",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      const { clickhouse } = await setupClickhouseReplication({
+        prisma,
+        databaseUrl: postgresContainer.getConnectionUri(),
+        clickhouseUrl: clickhouseContainer.getConnectionUrl(),
+        redisOptions,
+      });
+
+      const organization = await prisma.organization.create({
+        data: { title: "test", slug: "test" },
+      });
+      const project = await prisma.project.create({
+        data: {
+          name: "test",
+          slug: "test",
+          organizationId: organization.id,
+          externalRef: "test",
+        },
+      });
+      const runtimeEnvironment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test",
+          pkApiKey: "test",
+          shortcode: "test",
+        },
+      });
+
+      // Three runs; created_at descending order is [a, b, c] (a newest).
+      const ids = [
+        "aaaaaaaaaaaaaaaaaaaaaaaa",
+        "bbbbbbbbbbbbbbbbbbbbbbbb",
+        "cccccccccccccccccccccccc",
+      ];
+      const base = Date.now() - 60 * 60 * 1000; // relative, so fixtures never age out of the default 7d window
+      for (let i = 0; i < ids.length; i++) {
+        await prisma.taskRun.create({
+          data: {
+            id: ids[i],
+            createdAt: new Date(base + (ids.length - 1 - i) * 1000),
+            friendlyId: `run_${ids[i]}`,
+            taskIdentifier: "my-task",
+            payload: JSON.stringify({ foo: "bar" }),
+            traceId: `trace_${i}`,
+            spanId: `span_${i}`,
+            queue: "test",
+            runtimeEnvironmentId: runtimeEnvironment.id,
+            projectId: project.id,
+            organizationId: organization.id,
+            environmentType: "DEVELOPMENT",
+            engine: "V2",
+          },
+        });
+      }
+
+      await setTimeout(1000);
+
+      const runsRepository = new RunsRepository({ prisma, clickhouse });
+      const baseOptions = {
+        projectId: project.id,
+        environmentId: runtimeEnvironment.id,
+        organizationId: organization.id,
+      };
+
+      // First page (size 2) = {a, b}; its nextCursor sits at b's boundary.
+      const first = await runsRepository.listRuns({ ...baseOptions, page: { size: 2 } });
+      expect(first.runs.map((r) => r.id).sort()).toEqual([
+        "aaaaaaaaaaaaaaaaaaaaaaaa",
+        "bbbbbbbbbbbbbbbbbbbbbbbb",
+      ]);
+
+      // Paging backward from that cursor lands on a *partial* page — just the
+      // newest run {a}, with no rows before it (hasMore === false).
+      const back = await runsRepository.listRuns({
+        ...baseOptions,
+        page: { size: 2, cursor: first.pagination.nextCursor!, direction: "backward" },
+      });
+      expect(back.runs.map((r) => r.id)).toEqual(["aaaaaaaaaaaaaaaaaaaaaaaa"]);
+
+      // A partial backward page must still expose a forward cursor, or the user
+      // is stranded with no way to page back down.
+      expect(back.pagination.nextCursor).toBeTruthy();
+
+      // And paging forward from it reaches the remaining runs.
+      const forward = await runsRepository.listRuns({
+        ...baseOptions,
+        page: { size: 2, cursor: back.pagination.nextCursor!, direction: "forward" },
+      });
+      expect(forward.runs.map((r) => r.id).sort()).toEqual([
+        "bbbbbbbbbbbbbbbbbbbbbbbb",
+        "cccccccccccccccccccccccc",
+      ]);
+    }
+  );
+});
diff --git a/apps/webapp/test/sanitizeRowsOnParseError.test.ts b/apps/webapp/test/sanitizeRowsOnParseError.test.ts
new file mode 100644
index 00000000000..6e0de52aa66
--- /dev/null
+++ b/apps/webapp/test/sanitizeRowsOnParseError.test.ts
@@ -0,0 +1,291 @@
+import { describe, it, expect } from "vitest";
+import {
+  INVALID_UTF16_SENTINEL,
+  isClickHouseJsonParseError,
+  parseRowNumberFromError,
+  sanitizeRows,
+  sanitizeUnknownInPlace,
+} from "~/v3/eventRepository/sanitizeRowsOnParseError.server";
+
+const HIGH_SURROGATE = "\uD800";
+const LOW_SURROGATE = "\uDC00";
+
+describe("isClickHouseJsonParseError", () => {
+  it("recognises ClickHouse's parse-error string", () => {
+    const err = new Error(
+      "Cannot parse JSON object here: {...}: (while reading the value of key attributes): (at row 15)\n: While executing ParallelParsingBlockInputFormat. "
+    );
+    expect(isClickHouseJsonParseError(err)).toBe(true);
+  });
+
+  it("returns false for unrelated errors", () => {
+    expect(isClickHouseJsonParseError(new Error("Connection refused"))).toBe(false);
+    expect(
+      isClickHouseJsonParseError(
+        new Error("Size of JSON object at position 999 is extremely large.")
+      )
+    ).toBe(false);
+  });
+
+  it("returns false for null / undefined / strings", () => {
+    expect(isClickHouseJsonParseError(null)).toBe(false);
+    expect(isClickHouseJsonParseError(undefined)).toBe(false);
+    expect(isClickHouseJsonParseError("Cannot parse JSON object")).toBe(true);
+  });
+});
+
+describe("parseRowNumberFromError", () => {
+  it("extracts the row index from a typical ClickHouse error message", () => {
+    expect(
+      parseRowNumberFromError(
+        "Cannot parse JSON object here: { ... }: (while reading the value of key attributes): (at row 1942)\n: While executing ParallelParsingBlockInputFormat."
+      )
+    ).toBe(1942);
+  });
+
+  it("returns null when no row index is present", () => {
+    expect(parseRowNumberFromError("Some other error without a row hint")).toBeNull();
+  });
+
+  it("returns the first match when multiple `at row N` substrings exist", () => {
+    expect(parseRowNumberFromError("at row 1, oops also at row 2")).toBe(1);
+  });
+});
+
+describe("sanitizeUnknownInPlace", () => {
+  it("returns the string unchanged when it has no surrogates", () => {
+    const result = sanitizeUnknownInPlace("hello world");
+    expect(result).toEqual({ value: "hello world", fixed: 0 });
+  });
+
+  it("replaces a lone-surrogate string with the sentinel", () => {
+    const result = sanitizeUnknownInPlace(`prefix ${HIGH_SURROGATE} suffix`);
+    expect(result.value).toBe(INVALID_UTF16_SENTINEL);
+    expect(result.fixed).toBe(1);
+  });
+
+  it("leaves valid surrogate pairs (emoji) intact", () => {
+    const result = sanitizeUnknownInPlace("hello 😀 world");
+    expect(result.value).toBe("hello 😀 world");
+    expect(result.fixed).toBe(0);
+  });
+
+  it("walks nested objects and mutates string leaves in place", () => {
+    const row = {
+      id: "row-1",
+      attributes: {
+        ai: {
+          prompt: { messages: `bad ${HIGH_SURROGATE} string` },
+          usage: { input_tokens: 42 },
+        },
+        clean: "untouched",
+      },
+    };
+    const result = sanitizeUnknownInPlace(row);
+    expect(result.fixed).toBe(1);
+    expect((row.attributes.ai.prompt as any).messages).toBe(INVALID_UTF16_SENTINEL);
+    expect(row.attributes.clean).toBe("untouched");
+    expect((row.attributes.ai.usage as any).input_tokens).toBe(42);
+    expect(row.id).toBe("row-1");
+  });
+
+  it("walks arrays recursively", () => {
+    const value = ["ok", `bad ${LOW_SURROGATE} value`, "also ok", { nested: `also bad ${HIGH_SURROGATE}` }];
+    const result = sanitizeUnknownInPlace(value);
+    expect(result.fixed).toBe(2);
+    expect(value[1]).toBe(INVALID_UTF16_SENTINEL);
+    expect((value[3] as any).nested).toBe(INVALID_UTF16_SENTINEL);
+    expect(value[0]).toBe("ok");
+    expect(value[2]).toBe("also ok");
+  });
+
+  it("leaves non-string primitives untouched", () => {
+    expect(sanitizeUnknownInPlace(42)).toEqual({ value: 42, fixed: 0 });
+    expect(sanitizeUnknownInPlace(true)).toEqual({ value: true, fixed: 0 });
+    expect(sanitizeUnknownInPlace(null)).toEqual({ value: null, fixed: 0 });
+    expect(sanitizeUnknownInPlace(undefined)).toEqual({ value: undefined, fixed: 0 });
+  });
+
+  // ─── Out-of-range integers (TRI-9755) ──────────────────────────────────────
+  // ClickHouse's JSON(max_dynamic_paths) column rejects bare integer tokens
+  // outside [Int64.MIN, UInt64.MAX]. Such Numbers serialise as bare integer
+  // form via JSON.stringify (no exponent, since |value| < 1e21) so they reach
+  // ClickHouse as unquoted oversized ints. Sanitizer replaces them with the
+  // string form, which ClickHouse's dynamic JSON column accepts as a String
+  // subtype on that path.
+
+  it("replaces an integer-valued Number above UInt64.MAX with its string form", () => {
+    // 117039831458782870000 is the actual prod value (Google Plus ID after
+    // upstream JS-Number precision loss from 117039831458782873093).
+    const result = sanitizeUnknownInPlace(117039831458782870000);
+    expect(result.value).toBe("117039831458782870000");
+    expect(result.fixed).toBe(1);
+  });
+
+  it("catches the float64 boundary at exactly 2**64 (UInt64.MAX + 1)", () => {
+    // float64 cannot represent UInt64.MAX (2^64 - 1) exactly — the literal
+    // 18446744073709551615 in JS source rounds to 2^64. JSON.stringify
+    // emits this Number as "18446744073709552000", which exceeds UInt64.MAX
+    // and trips ClickHouse. Regression for the BigInt-based comparison;
+    // a naïve `value > 18446744073709551615` would let this pass.
+    const result = sanitizeUnknownInPlace(2 ** 64);
+    expect(result.value).toBe("18446744073709552000");
+    expect(result.fixed).toBe(1);
+  });
+
+  it("replaces an integer-valued Number below Int64.MIN with its string form", () => {
+    // -9223372036854775809 is the first failing negative; in float64 it
+    // rounds to the same representation as Int64.MIN (-9223372036854775808),
+    // but for completeness we check a clearly-out-of-range negative.
+    const result = sanitizeUnknownInPlace(-1e20);
+    expect(result.value).toBe("-100000000000000000000");
+    expect(result.fixed).toBe(1);
+  });
+
+  it("leaves safe integers and boundary values untouched", () => {
+    // 42 — safe integer
+    expect(sanitizeUnknownInPlace(42)).toEqual({ value: 42, fixed: 0 });
+    // Number.MAX_SAFE_INTEGER (2^53 - 1) — JSON.stringify still emits as integer
+    expect(sanitizeUnknownInPlace(Number.MAX_SAFE_INTEGER)).toEqual({
+      value: Number.MAX_SAFE_INTEGER,
+      fixed: 0,
+    });
+    // 2^63 (Int64.MAX + 1) — still fits in UInt64, CH accepts it
+    expect(sanitizeUnknownInPlace(2 ** 63)).toEqual({ value: 2 ** 63, fixed: 0 });
+  });
+
+  it("leaves non-integer numbers untouched (floats, NaN, Infinity)", () => {
+    // Numbers with a fractional part — emitted with `.` in JSON
+    expect(sanitizeUnknownInPlace(3.14)).toEqual({ value: 3.14, fixed: 0 });
+    // Very large float-form (>= 1e21) — JSON.stringify uses exponent form,
+    // CH parses as Float64 successfully
+    expect(sanitizeUnknownInPlace(1e25)).toEqual({ value: 1e25, fixed: 0 });
+    // NaN / Infinity — JSON.stringify emits `null`, so harmless on the wire
+    expect(sanitizeUnknownInPlace(Number.NaN)).toEqual({ value: Number.NaN, fixed: 0 });
+    expect(sanitizeUnknownInPlace(Number.POSITIVE_INFINITY)).toEqual({
+      value: Number.POSITIVE_INFINITY,
+      fixed: 0,
+    });
+  });
+
+  it("finds an oversized integer nested deep inside the actual scan-social-profiles shape", () => {
+    const row = {
+      output: {
+        data: {
+          profiles: [
+            { module: "linktree", query: "x@example.com" },
+            {
+              module: "poshmark",
+              spec_format: [
+                {
+                  platform_variables: [
+                    {
+                      key: "gp_id",
+                      proper_key: "Gp Id",
+                      // The actual prod value — bare JSON integer > UInt64.MAX
+                      value: 117039831458782870000,
+                      type: "int",
+                    },
+                  ],
+                },
+              ],
+            },
+          ],
+        },
+      },
+    };
+    const result = sanitizeUnknownInPlace(row);
+    expect(result.fixed).toBe(1);
+    expect(
+      (row.output.data.profiles[1].spec_format![0].platform_variables[0] as any).value
+    ).toBe("117039831458782870000");
+    // Untouched neighbours
+    expect(row.output.data.profiles[0].module).toBe("linktree");
+    expect(row.output.data.profiles[1].spec_format![0].platform_variables[0].type).toBe("int");
+  });
+});
+
+describe("sanitizeRows", () => {
+  function makeRow(suffix: string, badField?: string) {
+    return {
+      id: `row-${suffix}`,
+      attributes: { foo: badField ?? "clean" },
+    };
+  }
+
+  it("sanitizes every row that has bad strings", () => {
+    const rows = [
+      makeRow("0", `bad-0-${HIGH_SURROGATE}`),
+      makeRow("1", `bad-1-${HIGH_SURROGATE}`),
+      makeRow("2", "clean"),
+      makeRow("3", `bad-3-${HIGH_SURROGATE}`),
+    ];
+
+    const result = sanitizeRows(rows);
+
+    expect(rows[0].attributes.foo).toBe(INVALID_UTF16_SENTINEL);
+    expect(rows[1].attributes.foo).toBe(INVALID_UTF16_SENTINEL);
+    expect(rows[2].attributes.foo).toBe("clean");
+    expect(rows[3].attributes.foo).toBe(INVALID_UTF16_SENTINEL);
+    expect(result.rowsTouched).toBe(3);
+    expect(result.fieldsSanitized).toBe(3);
+  });
+
+  it("returns zero counts when no row has bad strings", () => {
+    const rows = [makeRow("0"), makeRow("1"), makeRow("2")];
+    const result = sanitizeRows(rows);
+    expect(result).toEqual({ rowsTouched: 0, fieldsSanitized: 0 });
+  });
+
+  it("returns zero counts for an empty batch", () => {
+    expect(sanitizeRows([])).toEqual({ rowsTouched: 0, fieldsSanitized: 0 });
+  });
+
+  it("counts multiple sanitized fields on the same row as one rowTouched but multiple fields", () => {
+    const rows = [
+      {
+        id: "r0",
+        attributes: {
+          a: `bad ${HIGH_SURROGATE}`,
+          b: `also bad ${LOW_SURROGATE}`,
+          c: "fine",
+        },
+      },
+    ];
+    const result = sanitizeRows(rows);
+    expect(result.rowsTouched).toBe(1);
+    expect(result.fieldsSanitized).toBe(2);
+  });
+
+  it("counts surrogate fixes and out-of-range integer fixes together (TRI-9755)", () => {
+    const rows = [
+      {
+        id: "r0",
+        attributes: {
+          surrogate: `bad ${HIGH_SURROGATE}`,
+          bigint: 117039831458782870000,
+          clean: "fine",
+          safe: 42,
+        },
+      },
+      {
+        id: "r1",
+        attributes: {
+          bigint: -1e20,
+          clean: "still fine",
+        },
+      },
+      {
+        id: "r2",
+        attributes: { clean: "no fixes needed" },
+      },
+    ];
+    const result = sanitizeRows(rows);
+    expect(result.rowsTouched).toBe(2);
+    expect(result.fieldsSanitized).toBe(3);
+    expect(rows[0].attributes.surrogate).toBe(INVALID_UTF16_SENTINEL);
+    expect(rows[0].attributes.bigint).toBe("117039831458782870000");
+    expect(rows[0].attributes.safe).toBe(42);
+    expect(rows[1].attributes.bigint).toBe("-100000000000000000000");
+  });
+});
diff --git a/apps/webapp/test/sentryTenantContext.test.ts b/apps/webapp/test/sentryTenantContext.test.ts
new file mode 100644
index 00000000000..3cba145be7e
--- /dev/null
+++ b/apps/webapp/test/sentryTenantContext.test.ts
@@ -0,0 +1,93 @@
+import { describe, it, expect } from "vitest";
+import type { Event } from "@sentry/remix";
+import { tenantContext } from "../app/services/tenantContext.server";
+import { addTenantContextToEvent } from "../app/utils/sentryTenantContext.server";
+
+const slugOnly = {
+  orgSlug: "acme",
+  projectSlug: "web",
+  envSlug: "prod",
+};
+
+const enrichedWithUser = {
+  ...slugOnly,
+  userId: "usr_42",
+  orgId: "org_1",
+  projectId: "proj_1",
+  projectRef: "proj_abc",
+  envId: "env_1",
+  envType: "PRODUCTION" as const,
+};
+
+describe("addTenantContextToEvent", () => {
+  it("returns the event unchanged when no ALS context", () => {
+    const event: Event = { message: "hi", tags: { existing: "1" } };
+    const out = addTenantContextToEvent(event, {});
+    expect(out).toEqual(event);
+  });
+
+  it("stamps only userId when the scope holds just a user (non-tenant page)", () => {
+    tenantContext.run({ userId: "usr_42" }, () => {
+      const event: Event = { message: "boom", tags: { existing: "1" } };
+      const out = addTenantContextToEvent(event, {});
+      expect(out.user).toEqual({ id: "usr_42" });
+      expect(out.tags).toEqual({ existing: "1" });
+    });
+  });
+
+  it("stamps slug tags and no user.id when only slugs are set", () => {
+    tenantContext.run(slugOnly, () => {
+      const event: Event = { message: "boom", tags: { existing: "1" } };
+      const out = addTenantContextToEvent(event, {});
+      expect(out.user).toBeUndefined();
+      expect(out.tags).toMatchObject({
+        existing: "1",
+        org_slug: "acme",
+        project_slug: "web",
+        env_slug: "prod",
+      });
+      expect(out.tags?.org_id).toBeUndefined();
+      expect(out.tags?.env_type).toBeUndefined();
+    });
+  });
+
+  it("stamps user.id + full tag set when fully enriched", () => {
+    tenantContext.run(enrichedWithUser, () => {
+      const out = addTenantContextToEvent({}, {});
+      expect(out.user).toEqual({ id: "usr_42" });
+      expect(out.tags).toMatchObject({
+        org_slug: "acme",
+        project_slug: "web",
+        env_slug: "prod",
+        org_id: "org_1",
+        project_id: "proj_1",
+        project_ref: "proj_abc",
+        environment_id: "env_1",
+        env_type: "PRODUCTION",
+      });
+    });
+  });
+
+  it("emits no slug/ID tags when scope is empty", () => {
+    tenantContext.run({}, () => {
+      const out = addTenantContextToEvent({ tags: { existing: "1" } }, {});
+      expect(out.tags).toEqual({ existing: "1" });
+      expect(out.user).toBeUndefined();
+    });
+  });
+
+  it("adds impersonating tag when flag set", () => {
+    tenantContext.run({ ...slugOnly, impersonating: true }, () => {
+      const out = addTenantContextToEvent({}, {});
+      expect(out.tags?.impersonating).toBe("true");
+    });
+  });
+
+  it("preserves prior event.user fields it does not own", () => {
+    tenantContext.run(enrichedWithUser, () => {
+      const event: Event = { user: { ip_address: "1.2.3.4" } };
+      const out = addTenantContextToEvent(event, {});
+      expect(out.user).toEqual({ ip_address: "1.2.3.4", id: "usr_42" });
+    });
+  });
+});
diff --git a/apps/webapp/test/sentryTraceContext.server.test.ts b/apps/webapp/test/sentryTraceContext.server.test.ts
new file mode 100644
index 00000000000..231d9387e10
--- /dev/null
+++ b/apps/webapp/test/sentryTraceContext.server.test.ts
@@ -0,0 +1,127 @@
+import { ROOT_CONTEXT, TraceFlags, context, trace } from "@opentelemetry/api";
+import { describe, expect, it } from "vitest";
+import {
+  addOtelTraceContextToEvent,
+  getActiveTraceIds,
+} from "../app/utils/sentryTraceContext.server";
+import { createInMemoryTracing } from "./utils/tracing";
+
+describe("getActiveTraceIds", () => {
+  it("returns undefined when no OTel span is active", () => {
+    expect(getActiveTraceIds()).toBeUndefined();
+  });
+
+  it("returns the trace_id, span_id, and sampled=true for an active recording span", () => {
+    const { tracer } = createInMemoryTracing();
+
+    tracer.startActiveSpan("test-span", (span) => {
+      const ids = getActiveTraceIds();
+      expect(ids).toEqual({
+        traceId: span.spanContext().traceId,
+        spanId: span.spanContext().spanId,
+        sampled: true,
+      });
+      span.end();
+    });
+  });
+
+  it("returns sampled=false when the active span is non-recording", () => {
+    // Initialise the global context manager (createInMemoryTracing does this
+    // as a side effect of NodeTracerProvider.register()).
+    createInMemoryTracing();
+
+    const nonSampledSpan = trace.wrapSpanContext({
+      traceId: "0123456789abcdef0123456789abcdef",
+      spanId: "0123456789abcdef",
+      traceFlags: TraceFlags.NONE,
+    });
+
+    context.with(trace.setSpan(ROOT_CONTEXT, nonSampledSpan), () => {
+      expect(getActiveTraceIds()).toEqual({
+        traceId: "0123456789abcdef0123456789abcdef",
+        spanId: "0123456789abcdef",
+        sampled: false,
+      });
+    });
+  });
+});
+
+describe("addOtelTraceContextToEvent", () => {
+  it("returns the event unchanged when no OTel span is active", () => {
+    const event = { message: "boom" };
+    const result = addOtelTraceContextToEvent(event, {});
+    expect(result).toBe(event);
+    expect(result).toEqual({ message: "boom" });
+  });
+
+  it("stamps trace_id and span_id from the active span onto event.contexts.trace", () => {
+    const { tracer } = createInMemoryTracing();
+
+    tracer.startActiveSpan("test-span", (span) => {
+      const event = { message: "boom" };
+      const result = addOtelTraceContextToEvent(event, {});
+      expect(result.contexts?.trace?.trace_id).toBe(span.spanContext().traceId);
+      expect(result.contexts?.trace?.span_id).toBe(span.spanContext().spanId);
+      span.end();
+    });
+  });
+
+  it("tags the event with otel_sampled=true when the active span is recording", () => {
+    const { tracer } = createInMemoryTracing();
+
+    tracer.startActiveSpan("test-span", (span) => {
+      const event = { message: "boom" };
+      const result = addOtelTraceContextToEvent(event, {});
+      expect(result.tags?.otel_sampled).toBe("true");
+      span.end();
+    });
+  });
+
+  it("tags the event with otel_sampled=false when the active span is non-recording", () => {
+    createInMemoryTracing();
+
+    const nonSampledSpan = trace.wrapSpanContext({
+      traceId: "0123456789abcdef0123456789abcdef",
+      spanId: "0123456789abcdef",
+      traceFlags: TraceFlags.NONE,
+    });
+
+    context.with(trace.setSpan(ROOT_CONTEXT, nonSampledSpan), () => {
+      const event = { message: "boom" };
+      const result = addOtelTraceContextToEvent(event, {});
+      expect(result.tags?.otel_sampled).toBe("false");
+    });
+  });
+
+  it("preserves existing event.contexts.trace fields", () => {
+    const { tracer } = createInMemoryTracing();
+
+    tracer.startActiveSpan("test-span", (span) => {
+      const event = {
+        message: "boom",
+        contexts: {
+          trace: { op: "http.server", description: "GET /things" },
+          runtime: { name: "node" },
+        },
+      };
+      const result = addOtelTraceContextToEvent(event, {});
+      expect(result.contexts?.trace).toMatchObject({
+        op: "http.server",
+        description: "GET /things",
+        trace_id: span.spanContext().traceId,
+        span_id: span.spanContext().spanId,
+      });
+      expect(result.contexts?.runtime).toEqual({ name: "node" });
+      span.end();
+    });
+  });
+
+  it("returns the event unchanged if reading the OTel context throws", () => {
+    const throwingAccessor = () => {
+      throw new Error("otel api blew up");
+    };
+    const event = { message: "boom" };
+    const result = addOtelTraceContextToEvent(event, {}, throwingAccessor);
+    expect(result).toBe(event);
+  });
+});
diff --git a/apps/webapp/test/services/organizationAccessToken.test.ts b/apps/webapp/test/services/organizationAccessToken.test.ts
new file mode 100644
index 00000000000..cf3900f4c47
--- /dev/null
+++ b/apps/webapp/test/services/organizationAccessToken.test.ts
@@ -0,0 +1,89 @@
+import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
+
+const { findFirstMock, updateManyMock } = vi.hoisted(() => ({
+  findFirstMock: vi.fn(),
+  updateManyMock: vi.fn(),
+}));
+
+vi.mock("~/db.server", () => ({
+  prisma: {
+    organizationAccessToken: {
+      findFirst: findFirstMock,
+      updateMany: updateManyMock,
+    },
+  },
+  $replica: {},
+}));
+
+vi.mock("~/utils/tokens.server", () => ({
+  hashToken: (t: string) => `hashed:${t}`,
+}));
+
+vi.mock("./logger.server", () => ({
+  logger: { warn: vi.fn(), error: vi.fn() },
+}));
+
+import {
+  authenticateOrganizationAccessToken,
+  OAT_LAST_ACCESSED_THROTTLE_MS,
+} from "~/services/organizationAccessToken.server";
+
+beforeEach(() => {
+  vi.useFakeTimers();
+  vi.setSystemTime(new Date("2026-01-01T00:00:00.000Z"));
+  findFirstMock.mockReset();
+  updateManyMock.mockReset();
+  updateManyMock.mockResolvedValue({ count: 1 });
+});
+
+afterEach(() => {
+  vi.useRealTimers();
+});
+
+describe("authenticateOrganizationAccessToken — lastAccessedAt throttle", () => {
+  test("issues a conditional updateMany that skips writes when lastAccessedAt is recent", async () => {
+    findFirstMock.mockResolvedValueOnce({
+      id: "oat_123",
+      organizationId: "org_1",
+      hashedToken: "hashed:tr_oat_validtoken",
+    });
+
+    const result = await authenticateOrganizationAccessToken("tr_oat_validtoken");
+
+    expect(result).toEqual({ organizationId: "org_1" });
+    expect(updateManyMock).toHaveBeenCalledTimes(1);
+
+    const call = updateManyMock.mock.calls[0][0];
+    expect(call.where.id).toBe("oat_123");
+    expect(call.where.revokedAt).toBeNull();
+    expect(call.data.lastAccessedAt).toBeInstanceOf(Date);
+
+    // The WHERE clause should require the existing lastAccessedAt to be null
+    // or strictly older than the throttle window — that's the entire point.
+    expect(call.where.OR).toEqual([
+      { lastAccessedAt: null },
+      { lastAccessedAt: { lt: expect.any(Date) } },
+    ]);
+
+    // With fake timers, the cutoff lands exactly throttle-ms before "now".
+    const cutoff = call.where.OR[1].lastAccessedAt.lt as Date;
+    expect(cutoff.getTime()).toBe(Date.now() - OAT_LAST_ACCESSED_THROTTLE_MS);
+  });
+
+  test("skips updateMany when token is not found", async () => {
+    findFirstMock.mockResolvedValueOnce(null);
+
+    const result = await authenticateOrganizationAccessToken("tr_oat_validtoken");
+
+    expect(result).toBeUndefined();
+    expect(updateManyMock).not.toHaveBeenCalled();
+  });
+
+  test("skips updateMany when token doesn't start with prefix", async () => {
+    const result = await authenticateOrganizationAccessToken("not_an_oat");
+
+    expect(result).toBeUndefined();
+    expect(findFirstMock).not.toHaveBeenCalled();
+    expect(updateManyMock).not.toHaveBeenCalled();
+  });
+});
diff --git a/apps/webapp/test/services/personalAccessToken.test.ts b/apps/webapp/test/services/personalAccessToken.test.ts
new file mode 100644
index 00000000000..0b52a7bf706
--- /dev/null
+++ b/apps/webapp/test/services/personalAccessToken.test.ts
@@ -0,0 +1,96 @@
+import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
+
+const { findFirstMock, updateManyMock } = vi.hoisted(() => ({
+  findFirstMock: vi.fn(),
+  updateManyMock: vi.fn(),
+}));
+
+vi.mock("~/db.server", () => ({
+  prisma: {
+    personalAccessToken: {
+      findFirst: findFirstMock,
+      updateMany: updateManyMock,
+    },
+  },
+  $replica: {},
+}));
+
+vi.mock("~/env.server", () => ({
+  env: { ENCRYPTION_KEY: "0".repeat(64) },
+}));
+
+vi.mock("~/utils/tokens.server", () => ({
+  hashToken: (t: string) => `hashed:${t}`,
+  encryptToken: () => ({ nonce: "n", ciphertext: "c", tag: "t" }),
+  decryptToken: () => "tr_pat_validtoken",
+}));
+
+vi.mock("./logger.server", () => ({
+  logger: { warn: vi.fn(), error: vi.fn() },
+}));
+
+import {
+  authenticatePersonalAccessToken,
+  PAT_LAST_ACCESSED_THROTTLE_MS,
+} from "~/services/personalAccessToken.server";
+
+beforeEach(() => {
+  vi.useFakeTimers();
+  vi.setSystemTime(new Date("2026-01-01T00:00:00.000Z"));
+  findFirstMock.mockReset();
+  updateManyMock.mockReset();
+  updateManyMock.mockResolvedValue({ count: 1 });
+});
+
+afterEach(() => {
+  vi.useRealTimers();
+});
+
+describe("authenticatePersonalAccessToken — lastAccessedAt throttle", () => {
+  test("issues a conditional updateMany that skips writes when lastAccessedAt is recent", async () => {
+    findFirstMock.mockResolvedValueOnce({
+      id: "pat_123",
+      userId: "user_1",
+      hashedToken: "hashed:tr_pat_validtoken",
+      encryptedToken: { nonce: "n", ciphertext: "c", tag: "t" },
+    });
+
+    const result = await authenticatePersonalAccessToken("tr_pat_validtoken");
+
+    expect(result).toEqual({ userId: "user_1" });
+    expect(updateManyMock).toHaveBeenCalledTimes(1);
+
+    const call = updateManyMock.mock.calls[0][0];
+    expect(call.where.id).toBe("pat_123");
+    expect(call.where.revokedAt).toBeNull();
+    expect(call.data.lastAccessedAt).toBeInstanceOf(Date);
+
+    // The WHERE clause should require the existing lastAccessedAt to be null
+    // or strictly older than the throttle window — that's the entire point.
+    expect(call.where.OR).toEqual([
+      { lastAccessedAt: null },
+      { lastAccessedAt: { lt: expect.any(Date) } },
+    ]);
+
+    // With fake timers, the cutoff lands exactly throttle-ms before "now".
+    const cutoff = call.where.OR[1].lastAccessedAt.lt as Date;
+    expect(cutoff.getTime()).toBe(Date.now() - PAT_LAST_ACCESSED_THROTTLE_MS);
+  });
+
+  test("skips updateMany when token is not found", async () => {
+    findFirstMock.mockResolvedValueOnce(null);
+
+    const result = await authenticatePersonalAccessToken("tr_pat_validtoken");
+
+    expect(result).toBeUndefined();
+    expect(updateManyMock).not.toHaveBeenCalled();
+  });
+
+  test("skips updateMany when token doesn't start with prefix", async () => {
+    const result = await authenticatePersonalAccessToken("not_a_pat");
+
+    expect(result).toBeUndefined();
+    expect(findFirstMock).not.toHaveBeenCalled();
+    expect(updateManyMock).not.toHaveBeenCalled();
+  });
+});
diff --git a/apps/webapp/test/sessionDuration.test.ts b/apps/webapp/test/sessionDuration.test.ts
new file mode 100644
index 00000000000..e10b4b5f21c
--- /dev/null
+++ b/apps/webapp/test/sessionDuration.test.ts
@@ -0,0 +1,232 @@
+import { describe, expect, it, vi } from "vitest";
+
+// `~/db.server` eagerly calls $connect() on the singleton Prisma client at
+// module load. Without this mock the test process tries to reach DATABASE_URL
+// (defaults to localhost:5432) and emits an unhandled rejection that fails the
+// run. Tests still get a real Prisma client via the testcontainer fixture.
+vi.mock("~/db.server", () => ({
+  prisma: {},
+  $replica: {},
+}));
+
+import { containerTest } from "@internal/testcontainers";
+import { createCookieSessionStorage, type Session } from "@remix-run/node";
+
+vi.setConfig({ testTimeout: 60_000 });
+import {
+  commitAuthenticatedSession,
+  DEFAULT_SESSION_DURATION_SECONDS,
+  getAllowedSessionOptions,
+  getEffectiveSessionDuration,
+  getOrganizationSessionCap,
+  isAllowedSessionDuration,
+  SESSION_DURATION_OPTIONS,
+} from "../app/services/sessionDuration.server";
+
+const oneHour = 60 * 60;
+const oneDay = 60 * 60 * 24;
+const oneYear = DEFAULT_SESSION_DURATION_SECONDS;
+
+const sessionStorage = createCookieSessionStorage({
+  cookie: { name: "__test_session", secrets: ["test"] },
+});
+
+async function makeEmptySession(): Promise<Session> {
+  return sessionStorage.getSession();
+}
+
+describe("isAllowedSessionDuration", () => {
+  it("accepts every value in the dropdown options", () => {
+    for (const option of SESSION_DURATION_OPTIONS) {
+      expect(isAllowedSessionDuration(option.value)).toBe(true);
+    }
+  });
+
+  it("rejects values not in the dropdown", () => {
+    expect(isAllowedSessionDuration(1)).toBe(false);
+    expect(isAllowedSessionDuration(7 * oneDay)).toBe(false);
+    expect(isAllowedSessionDuration(0)).toBe(false);
+    expect(isAllowedSessionDuration(-1)).toBe(false);
+  });
+});
+
+describe("getAllowedSessionOptions", () => {
+  it("returns all options when there is no org cap", () => {
+    const options = getAllowedSessionOptions(null, oneYear);
+    expect(options).toEqual(SESSION_DURATION_OPTIONS);
+  });
+
+  it("filters out options larger than the org cap", () => {
+    const options = getAllowedSessionOptions(oneHour, oneHour);
+    expect(options.map((o) => o.value)).toEqual([60 * 5, 60 * 30, 60 * 60]);
+  });
+
+  it("includes the user's current value even when it exceeds the cap, so the form stays valid", () => {
+    const options = getAllowedSessionOptions(oneHour, oneYear);
+    expect(options.some((o) => o.value === oneYear)).toBe(true);
+    expect(options.some((o) => o.value === oneHour)).toBe(true);
+  });
+
+  it("does not duplicate the current value when it is already within the cap", () => {
+    const options = getAllowedSessionOptions(oneDay, oneHour);
+    const oneHourCount = options.filter((o) => o.value === oneHour).length;
+    expect(oneHourCount).toBe(1);
+  });
+});
+
+async function createUser(prisma: any, email: string, sessionDuration?: number) {
+  return prisma.user.create({
+    data: {
+      email,
+      authenticationMethod: "MAGIC_LINK",
+      ...(sessionDuration !== undefined ? { sessionDuration } : {}),
+    },
+  });
+}
+
+async function createOrgWithMember(
+  prisma: any,
+  slug: string,
+  userId: string,
+  maxSessionDuration: number | null
+) {
+  return prisma.organization.create({
+    data: {
+      title: `Org ${slug}`,
+      slug,
+      maxSessionDuration,
+      members: { create: { userId, role: "ADMIN" } },
+    },
+  });
+}
+
+describe("getOrganizationSessionCap", () => {
+  containerTest("returns null when the user has no orgs with a cap set", async ({ prisma }) => {
+    const user = await createUser(prisma, "no-cap@test.com");
+    await createOrgWithMember(prisma, "no-cap-org", user.id, null);
+
+    const cap = await getOrganizationSessionCap(user.id, prisma);
+    expect(cap).toBeNull();
+  });
+
+  containerTest(
+    "returns the most restrictive cap across orgs, ignoring nulls",
+    async ({ prisma }) => {
+      const user = await createUser(prisma, "multi-org@test.com");
+      await createOrgWithMember(prisma, "loose-org", user.id, oneDay);
+      const tight = await createOrgWithMember(prisma, "tight-org", user.id, oneHour);
+      await createOrgWithMember(prisma, "uncapped-org", user.id, null);
+
+      const cap = await getOrganizationSessionCap(user.id, prisma);
+      expect(cap).toEqual({ orgCapSeconds: oneHour, cappingOrgId: tight.id });
+    }
+  );
+
+  containerTest("ignores soft-deleted organizations", async ({ prisma }) => {
+    const user = await createUser(prisma, "deleted-org-user@test.com");
+    const tight = await createOrgWithMember(prisma, "deleted-tight", user.id, oneHour);
+    const loose = await createOrgWithMember(prisma, "active-loose", user.id, oneDay);
+
+    await prisma.organization.update({
+      where: { id: tight.id },
+      data: { deletedAt: new Date() },
+    });
+
+    const cap = await getOrganizationSessionCap(user.id, prisma);
+    expect(cap).toEqual({ orgCapSeconds: oneDay, cappingOrgId: loose.id });
+  });
+});
+
+describe("getEffectiveSessionDuration", () => {
+  containerTest(
+    "returns the user setting when no org cap is set",
+    async ({ prisma }) => {
+      const user = await createUser(prisma, "effective-no-cap@test.com", oneDay);
+      await createOrgWithMember(prisma, "effective-no-cap-org", user.id, null);
+
+      const result = await getEffectiveSessionDuration(user.id, prisma);
+      expect(result.userSettingSeconds).toBe(oneDay);
+      expect(result.orgCapSeconds).toBeNull();
+      expect(result.cappingOrgId).toBeNull();
+      expect(result.durationSeconds).toBe(oneDay);
+    }
+  );
+
+  containerTest("caps the user setting at the most restrictive org cap", async ({ prisma }) => {
+    const user = await createUser(prisma, "effective-capped@test.com", oneYear);
+    const org = await createOrgWithMember(prisma, "effective-capped-org", user.id, oneHour);
+
+    const result = await getEffectiveSessionDuration(user.id, prisma);
+    expect(result.userSettingSeconds).toBe(oneYear);
+    expect(result.orgCapSeconds).toBe(oneHour);
+    expect(result.cappingOrgId).toBe(org.id);
+    expect(result.durationSeconds).toBe(oneHour);
+  });
+
+  containerTest(
+    "returns the user setting when it is already smaller than the org cap",
+    async ({ prisma }) => {
+      const user = await createUser(prisma, "effective-user-smaller@test.com", 60 * 5);
+      await createOrgWithMember(prisma, "effective-user-smaller-org", user.id, oneHour);
+
+      const result = await getEffectiveSessionDuration(user.id, prisma);
+      expect(result.durationSeconds).toBe(60 * 5);
+    }
+  );
+
+  containerTest(
+    "uses the default when the user has no row (defensive fallback)",
+    async ({ prisma }) => {
+      const result = await getEffectiveSessionDuration("nonexistent-user-id", prisma);
+      expect(result.userSettingSeconds).toBe(DEFAULT_SESSION_DURATION_SECONDS);
+      expect(result.orgCapSeconds).toBeNull();
+      expect(result.cappingOrgId).toBeNull();
+      expect(result.durationSeconds).toBe(DEFAULT_SESSION_DURATION_SECONDS);
+    }
+  );
+});
+
+describe("commitAuthenticatedSession", () => {
+  containerTest(
+    "stamps User.nextSessionEnd at now + user setting when no org cap",
+    async ({ prisma }) => {
+      const user = await createUser(prisma, "commit-no-cap@test.com", oneHour);
+      const session = await makeEmptySession();
+      const now = 1_700_000_000_000;
+
+      await commitAuthenticatedSession(session, user.id, now, prisma);
+
+      const updated = await prisma.user.findFirstOrThrow({ where: { id: user.id } });
+      expect(updated.nextSessionEnd?.getTime()).toBe(now + oneHour * 1000);
+    }
+  );
+
+  containerTest(
+    "stamps User.nextSessionEnd against the tightest org cap when smaller than user setting",
+    async ({ prisma }) => {
+      const user = await createUser(prisma, "commit-capped@test.com", oneYear);
+      await createOrgWithMember(prisma, "commit-capped-org", user.id, oneHour);
+      const session = await makeEmptySession();
+      const now = 1_700_000_000_000;
+
+      await commitAuthenticatedSession(session, user.id, now, prisma);
+
+      const updated = await prisma.user.findFirstOrThrow({ where: { id: user.id } });
+      expect(updated.nextSessionEnd?.getTime()).toBe(now + oneHour * 1000);
+    }
+  );
+
+  containerTest("resets nextSessionEnd to a fresh window on each commit", async ({ prisma }) => {
+    const user = await createUser(prisma, "commit-reset@test.com", oneHour);
+    const session = await makeEmptySession();
+
+    await commitAuthenticatedSession(session, user.id, 1_700_000_000_000, prisma);
+    const first = await prisma.user.findFirstOrThrow({ where: { id: user.id } });
+
+    await commitAuthenticatedSession(session, user.id, 1_700_000_060_000, prisma);
+    const second = await prisma.user.findFirstOrThrow({ where: { id: user.id } });
+
+    expect(second.nextSessionEnd?.getTime()).toBeGreaterThan(first.nextSessionEnd!.getTime());
+    expect(second.nextSessionEnd?.getTime()).toBe(1_700_000_060_000 + oneHour * 1000);
+  });
+});
diff --git a/apps/webapp/test/sessionsReplicationService.test.ts b/apps/webapp/test/sessionsReplicationService.test.ts
new file mode 100644
index 00000000000..1d3c761e813
--- /dev/null
+++ b/apps/webapp/test/sessionsReplicationService.test.ts
@@ -0,0 +1,213 @@
+import { ClickHouse } from "@internal/clickhouse";
+import { replicationContainerTest } from "@internal/testcontainers";
+import { setTimeout } from "node:timers/promises";
+import { z } from "zod";
+import { SessionsReplicationService } from "~/services/sessionsReplicationService.server";
+import { TestReplicationClickhouseFactory } from "./utils/testReplicationClickhouseFactory";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+describe("SessionsReplicationService", () => {
+  replicationContainerTest(
+    "replicates an insert from Postgres Session → ClickHouse sessions_v1",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      // Logical replication needs full-row images for DELETE events.
+      await prisma.$executeRawUnsafe(`ALTER TABLE public."Session" REPLICA IDENTITY FULL;`);
+
+      const clickhouse = new ClickHouse({
+        url: clickhouseContainer.getConnectionUrl(),
+        name: "sessions-replication",
+        compression: { request: true },
+        logLevel: "warn",
+      });
+
+      const service = new SessionsReplicationService({
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
+        pgConnectionUrl: postgresContainer.getConnectionUri(),
+        serviceName: "sessions-replication",
+        slotName: "sessions_to_clickhouse_v1",
+        publicationName: "sessions_to_clickhouse_v1_publication",
+        redisOptions,
+        maxFlushConcurrency: 1,
+        flushIntervalMs: 100,
+        flushBatchSize: 1,
+        leaderLockTimeoutMs: 5000,
+        leaderLockExtendIntervalMs: 1000,
+        ackIntervalSeconds: 5,
+        logLevel: "warn",
+      });
+
+      await service.start();
+
+      const organization = await prisma.organization.create({
+        data: { title: "test", slug: "test" },
+      });
+
+      const project = await prisma.project.create({
+        data: {
+          name: "test",
+          slug: "test",
+          organizationId: organization.id,
+          externalRef: "test",
+        },
+      });
+
+      const environment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test",
+          pkApiKey: "test",
+          shortcode: "test",
+        },
+      });
+
+      const session = await prisma.session.create({
+        data: {
+          id: "session_test_insert_1",
+          friendlyId: "session_abc123",
+          externalId: "my-test-session",
+          type: "chat.agent",
+          projectId: project.id,
+          runtimeEnvironmentId: environment.id,
+          environmentType: "DEVELOPMENT",
+          organizationId: organization.id,
+          taskIdentifier: "my-agent",
+          triggerConfig: {
+            basePayload: { messages: [], trigger: "preload" },
+          },
+          tags: ["user:42", "plan:pro"],
+          metadata: { plan: "pro", seats: 3 },
+        },
+      });
+
+      // Allow the replication pipeline to flush
+      await setTimeout(2000);
+
+      const querySessions = clickhouse.reader.query({
+        name: "read-sessions",
+        query: "SELECT * FROM trigger_dev.sessions_v1 FINAL",
+        schema: z.any(),
+      });
+
+      const [queryError, result] = await querySessions({});
+
+      expect(queryError).toBeNull();
+      expect(result?.length).toBe(1);
+      expect(result?.[0]).toEqual(
+        expect.objectContaining({
+          session_id: session.id,
+          friendly_id: session.friendlyId,
+          external_id: "my-test-session",
+          type: "chat.agent",
+          project_id: project.id,
+          environment_id: environment.id,
+          organization_id: organization.id,
+          environment_type: "DEVELOPMENT",
+          task_identifier: "my-agent",
+          tags: ["user:42", "plan:pro"],
+          _is_deleted: 0,
+        })
+      );
+
+      await service.stop();
+    }
+  );
+
+  replicationContainerTest(
+    "replicates an update (close) from Postgres → ClickHouse",
+    async ({ clickhouseContainer, redisOptions, postgresContainer, prisma }) => {
+      await prisma.$executeRawUnsafe(`ALTER TABLE public."Session" REPLICA IDENTITY FULL;`);
+
+      const clickhouse = new ClickHouse({
+        url: clickhouseContainer.getConnectionUrl(),
+        name: "sessions-replication",
+        compression: { request: true },
+        logLevel: "warn",
+      });
+
+      const service = new SessionsReplicationService({
+        clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
+        pgConnectionUrl: postgresContainer.getConnectionUri(),
+        serviceName: "sessions-replication",
+        slotName: "sessions_to_clickhouse_v1",
+        publicationName: "sessions_to_clickhouse_v1_publication",
+        redisOptions,
+        maxFlushConcurrency: 1,
+        flushIntervalMs: 100,
+        flushBatchSize: 1,
+        leaderLockTimeoutMs: 5000,
+        leaderLockExtendIntervalMs: 1000,
+        ackIntervalSeconds: 5,
+        logLevel: "warn",
+      });
+
+      await service.start();
+
+      const organization = await prisma.organization.create({
+        data: { title: "test", slug: "test" },
+      });
+      const project = await prisma.project.create({
+        data: {
+          name: "test",
+          slug: "test",
+          organizationId: organization.id,
+          externalRef: "test",
+        },
+      });
+      const environment = await prisma.runtimeEnvironment.create({
+        data: {
+          slug: "test",
+          type: "DEVELOPMENT",
+          projectId: project.id,
+          organizationId: organization.id,
+          apiKey: "test",
+          pkApiKey: "test",
+          shortcode: "test",
+        },
+      });
+
+      const created = await prisma.session.create({
+        data: {
+          id: "session_test_update_1",
+          friendlyId: "session_update1",
+          type: "chat.agent",
+          projectId: project.id,
+          runtimeEnvironmentId: environment.id,
+          environmentType: "DEVELOPMENT",
+          organizationId: organization.id,
+          taskIdentifier: "my-agent",
+          triggerConfig: {
+            basePayload: { messages: [], trigger: "preload" },
+          },
+        },
+      });
+
+      await setTimeout(1000);
+
+      await prisma.session.update({
+        where: { id: created.id },
+        data: { closedAt: new Date(), closedReason: "test-close" },
+      });
+
+      await setTimeout(2000);
+
+      const querySessions = clickhouse.reader.query({
+        name: "read-sessions-closed",
+        query: "SELECT closed_reason, closed_at FROM trigger_dev.sessions_v1 FINAL",
+        schema: z.any(),
+      });
+
+      const [queryError, result] = await querySessions({});
+
+      expect(queryError).toBeNull();
+      expect(result?.length).toBe(1);
+      expect(result?.[0].closed_reason).toBe("test-close");
+      expect(result?.[0].closed_at).toBeDefined();
+
+      await service.stop();
+    }
+  );
+});
diff --git a/apps/webapp/test/setup.ts b/apps/webapp/test/setup.ts
new file mode 100644
index 00000000000..607ad78f3a9
--- /dev/null
+++ b/apps/webapp/test/setup.ts
@@ -0,0 +1,6 @@
+// Load apps/webapp/.env into process.env so env.server's top-level
+// EnvironmentSchema.parse(process.env) succeeds in vitest workers.
+import { config } from "dotenv";
+import path from "node:path";
+
+config({ path: path.resolve(__dirname, "../.env") });
diff --git a/apps/webapp/test/setup/global-e2e-full-setup.ts b/apps/webapp/test/setup/global-e2e-full-setup.ts
new file mode 100644
index 00000000000..31a9c15781f
--- /dev/null
+++ b/apps/webapp/test/setup/global-e2e-full-setup.ts
@@ -0,0 +1,28 @@
+// vitest globalSetup — runs once for the whole *.e2e.full.test.ts suite.
+// Boots one Postgres + Redis + webapp; tests connect to it via the
+// `baseUrl` / `databaseUrl` values provided to test workers below.
+//
+// Each test file recreates its own PrismaClient connected to the shared DB
+// (PrismaClient instances aren't serialisable across worker boundaries).
+
+import type { TestProject } from "vitest/node";
+import { startTestServer, type TestServer } from "@internal/testcontainers/webapp";
+
+let server: TestServer | undefined;
+
+export default async function setup(project: TestProject) {
+  server = await startTestServer();
+  project.provide("baseUrl", server.webapp.baseUrl);
+  project.provide("databaseUrl", server.databaseUrl);
+
+  return async () => {
+    await server?.stop().catch(() => {});
+  };
+}
+
+declare module "vitest" {
+  export interface ProvidedContext {
+    baseUrl: string;
+    databaseUrl: string;
+  }
+}
diff --git a/apps/webapp/test/shouldRevalidateRunsList.test.ts b/apps/webapp/test/shouldRevalidateRunsList.test.ts
new file mode 100644
index 00000000000..2274ddddd21
--- /dev/null
+++ b/apps/webapp/test/shouldRevalidateRunsList.test.ts
@@ -0,0 +1,160 @@
+import type { Location, Navigation, ShouldRevalidateFunction } from "@remix-run/react";
+import { describe, expect, it } from "vitest";
+import {
+  isRunsListLoading,
+  RUNS_BULK_INSPECTOR_OPEN_VALUE,
+  shouldRevalidateRunsList,
+} from "~/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs._index/shouldRevalidateRunsList";
+
+const runsUrl = (search: string) =>
+  new URL(`http://localhost:3030/orgs/acme/projects/proj/env/dev/runs${search}`);
+
+function args(
+  currentSearch: string,
+  nextSearch: string,
+  defaultShouldRevalidate = true
+): Parameters<ShouldRevalidateFunction>[0] {
+  return {
+    currentUrl: runsUrl(currentSearch),
+    nextUrl: runsUrl(nextSearch),
+    defaultShouldRevalidate,
+    formMethod: undefined,
+    formAction: undefined,
+    formData: undefined,
+    json: undefined,
+    actionResult: undefined,
+  };
+}
+
+describe("shouldRevalidateRunsList", () => {
+  it("returns false when only bulk inspector UI params change", () => {
+    expect(
+      shouldRevalidateRunsList(
+        args("?tasks=hello", `?tasks=hello&bulkInspector=${RUNS_BULK_INSPECTOR_OPEN_VALUE}&action=replay&mode=selected`)
+      )
+    ).toBe(false);
+  });
+
+  it("returns false when closing the bulk inspector", () => {
+    expect(
+      shouldRevalidateRunsList(
+        args(`?tasks=hello&bulkInspector=${RUNS_BULK_INSPECTOR_OPEN_VALUE}`, "?tasks=hello")
+      )
+    ).toBe(false);
+  });
+
+  it("returns false when list-data params are reordered", () => {
+    expect(
+      shouldRevalidateRunsList(args("?tasks=a&runtime=b", "?runtime=b&tasks=a"))
+    ).toBe(false);
+  });
+
+  it("returns default when list filters and bulk inspector UI params change together", () => {
+    expect(
+      shouldRevalidateRunsList(args("?tasks=a", `?tasks=b&bulkInspector=${RUNS_BULK_INSPECTOR_OPEN_VALUE}`))
+    ).toBe(true);
+  });
+
+  it("returns default when list filters change", () => {
+    expect(shouldRevalidateRunsList(args("?tasks=hello", "?tasks=world"))).toBe(true);
+  });
+
+  it("returns default when pagination params change", () => {
+    expect(
+      shouldRevalidateRunsList(
+        args("?tasks=hello", "?tasks=hello&cursor=abc&direction=forward")
+      )
+    ).toBe(true);
+  });
+
+  it("returns default when the URL is unchanged (explicit revalidate)", () => {
+    expect(shouldRevalidateRunsList(args("?tasks=hello", "?tasks=hello"))).toBe(true);
+  });
+
+  it("returns default when pathname changes", () => {
+    expect(
+      shouldRevalidateRunsList({
+        ...args("?tasks=hello", "?tasks=hello"),
+        nextUrl: new URL("http://localhost:3030/orgs/acme/projects/proj/env/dev/tasks"),
+      })
+    ).toBe(true);
+  });
+
+  it("respects defaultShouldRevalidate when false", () => {
+    expect(
+      shouldRevalidateRunsList(args("?tasks=hello", "?tasks=world", false))
+    ).toBe(false);
+  });
+});
+
+function makeLocation(search: string): Location {
+  const url = runsUrl(search);
+  return {
+    pathname: url.pathname,
+    search: url.search,
+    hash: url.hash,
+    state: null,
+    key: "test-key",
+  };
+}
+
+function navigation(
+  state: Navigation["state"],
+  nextSearch?: string
+): Navigation {
+  return {
+    state,
+    location: nextSearch ? makeLocation(nextSearch) : undefined,
+    formMethod: undefined,
+    formAction: undefined,
+    formEncType: undefined,
+    formData: undefined,
+    json: undefined,
+  };
+}
+
+describe("isRunsListLoading", () => {
+  it("returns false when navigation is idle", () => {
+    expect(isRunsListLoading(navigation("idle"), "?tasks=hello")).toBe(false);
+  });
+
+  it("returns false when only bulk inspector UI params change", () => {
+    expect(
+      isRunsListLoading(
+        navigation("loading", `?tasks=hello&bulkInspector=${RUNS_BULK_INSPECTOR_OPEN_VALUE}&action=replay`),
+        "?tasks=hello"
+      )
+    ).toBe(false);
+  });
+
+  it("returns false when list-data params are reordered", () => {
+    expect(
+      isRunsListLoading(navigation("loading", "?runtime=b&tasks=a"), "?tasks=a&runtime=b")
+    ).toBe(false);
+  });
+
+  it("returns true when list filters and bulk inspector UI params change together", () => {
+    expect(
+      isRunsListLoading(navigation("loading", `?tasks=b&bulkInspector=${RUNS_BULK_INSPECTOR_OPEN_VALUE}`), "?tasks=a")
+    ).toBe(true);
+  });
+
+  it("returns true when list filters change", () => {
+    expect(
+      isRunsListLoading(navigation("loading", "?tasks=world"), "?tasks=hello")
+    ).toBe(true);
+  });
+
+  it("returns true when pagination params change", () => {
+    expect(
+      isRunsListLoading(
+        navigation("loading", "?tasks=hello&cursor=abc&direction=forward"),
+        "?tasks=hello"
+      )
+    ).toBe(true);
+  });
+
+  it("returns false when navigation is loading without a target location", () => {
+    expect(isRunsListLoading(navigation("loading"), "?tasks=hello")).toBe(false);
+  });
+});
diff --git a/apps/webapp/test/tenantContext.test.ts b/apps/webapp/test/tenantContext.test.ts
new file mode 100644
index 00000000000..c90c139eacc
--- /dev/null
+++ b/apps/webapp/test/tenantContext.test.ts
@@ -0,0 +1,100 @@
+import { describe, it, expect } from "vitest";
+import { tenantContext, type TenantContext } from "../app/services/tenantContext.server";
+
+const sample: TenantContext = {
+  orgSlug: "acme",
+  projectSlug: "web",
+  envSlug: "prod",
+};
+
+describe("tenantContext", () => {
+  it("returns undefined outside run()", () => {
+    expect(tenantContext.get()).toBeUndefined();
+  });
+
+  it("returns the active context inside run()", () => {
+    tenantContext.run(sample, () => {
+      expect(tenantContext.get()).toEqual(sample);
+    });
+  });
+
+  it("isolates concurrent async trees", async () => {
+    const a: TenantContext = { ...sample, orgSlug: "a" };
+    const b: TenantContext = { ...sample, orgSlug: "b" };
+
+    const [got1, got2] = await Promise.all([
+      tenantContext.run(a, async () => {
+        await new Promise((r) => setTimeout(r, 10));
+        return tenantContext.get()?.orgSlug;
+      }),
+      tenantContext.run(b, async () => {
+        await new Promise((r) => setTimeout(r, 5));
+        return tenantContext.get()?.orgSlug;
+      }),
+    ]);
+    expect(got1).toBe("a");
+    expect(got2).toBe("b");
+  });
+
+  it("supports nested run() overriding", () => {
+    const inner: TenantContext = { ...sample, orgSlug: "inner" };
+    tenantContext.run(sample, () => {
+      tenantContext.run(inner, () => {
+        expect(tenantContext.get()?.orgSlug).toBe("inner");
+      });
+      expect(tenantContext.get()?.orgSlug).toBe("acme");
+    });
+  });
+
+  it("enrich() patches the active context in-place", () => {
+    tenantContext.run({ ...sample }, () => {
+      tenantContext.enrich({
+        userId: "usr_1",
+        orgId: "org_1",
+        projectId: "proj_1",
+        envType: "PRODUCTION",
+      });
+      expect(tenantContext.get()).toMatchObject({
+        orgSlug: "acme",
+        projectSlug: "web",
+        envSlug: "prod",
+        userId: "usr_1",
+        orgId: "org_1",
+        projectId: "proj_1",
+        envType: "PRODUCTION",
+      });
+    });
+  });
+
+  it("enrich() outside run() is a no-op", () => {
+    expect(() => tenantContext.enrich({ orgId: "x" })).not.toThrow();
+    expect(tenantContext.get()).toBeUndefined();
+  });
+
+  it("supports starting from an empty scope and enriching userId only (non-tenant page)", () => {
+    tenantContext.run({}, () => {
+      tenantContext.enrich({ userId: "usr_1" });
+      expect(tenantContext.get()).toEqual({ userId: "usr_1" });
+    });
+  });
+
+  it("enrich() patches do not bleed across concurrent run() scopes", async () => {
+    const a: TenantContext = { ...sample, orgSlug: "a" };
+    const b: TenantContext = { ...sample, orgSlug: "b" };
+    const [got1, got2] = await Promise.all([
+      tenantContext.run(a, async () => {
+        await new Promise((r) => setTimeout(r, 5));
+        tenantContext.enrich({ orgId: "org_a" });
+        await new Promise((r) => setTimeout(r, 5));
+        return tenantContext.get();
+      }),
+      tenantContext.run(b, async () => {
+        await new Promise((r) => setTimeout(r, 10));
+        tenantContext.enrich({ orgId: "org_b" });
+        return tenantContext.get();
+      }),
+    ]);
+    expect(got1?.orgId).toBe("org_a");
+    expect(got2?.orgId).toBe("org_b");
+  });
+});
diff --git a/apps/webapp/test/tenantContextFromAuthEnvironment.test.ts b/apps/webapp/test/tenantContextFromAuthEnvironment.test.ts
new file mode 100644
index 00000000000..163338c0728
--- /dev/null
+++ b/apps/webapp/test/tenantContextFromAuthEnvironment.test.ts
@@ -0,0 +1,48 @@
+import { describe, it, expect } from "vitest";
+import { tenantContextFromAuthEnvironment } from "../app/services/tenantContext.server";
+import type { AuthenticatedEnvironment } from "../app/services/apiAuth.server";
+
+const baseEnv = {
+  id: "env_1",
+  slug: "prod",
+  type: "PRODUCTION" as const,
+  organization: { id: "org_1", slug: "acme" },
+  project: { id: "proj_1", slug: "web", externalRef: "proj_abc" },
+};
+
+const envWithOrgMember = {
+  ...baseEnv,
+  orgMember: { userId: "usr_42" },
+} as unknown as AuthenticatedEnvironment;
+
+const envWithoutOrgMember = {
+  ...baseEnv,
+  orgMember: null,
+} as unknown as AuthenticatedEnvironment;
+
+describe("tenantContextFromAuthEnvironment", () => {
+  it("returns the full tenant context (slugs + IDs + env type + userId) when orgMember is present", () => {
+    expect(tenantContextFromAuthEnvironment(envWithOrgMember)).toEqual({
+      userId: "usr_42",
+      orgSlug: "acme",
+      projectSlug: "web",
+      envSlug: "prod",
+      orgId: "org_1",
+      projectId: "proj_1",
+      projectRef: "proj_abc",
+      envId: "env_1",
+      envType: "PRODUCTION",
+    });
+  });
+
+  it("omits userId when there is no orgMember on the environment", () => {
+    const ctx = tenantContextFromAuthEnvironment(envWithoutOrgMember);
+    expect(ctx.userId).toBeUndefined();
+    expect(ctx.orgSlug).toBe("acme");
+    expect(ctx.envSlug).toBe("prod");
+  });
+
+  it("does not propagate impersonating (auth environments are real, not impersonated)", () => {
+    expect(tenantContextFromAuthEnvironment(envWithOrgMember).impersonating).toBeUndefined();
+  });
+});
diff --git a/apps/webapp/test/tenantContextResolver.test.ts b/apps/webapp/test/tenantContextResolver.test.ts
new file mode 100644
index 00000000000..e531a11bad8
--- /dev/null
+++ b/apps/webapp/test/tenantContextResolver.test.ts
@@ -0,0 +1,149 @@
+import { describe, it, expect, vi } from "vitest";
+import {
+  createTenantContextMiddleware,
+  parseTenantPath,
+  resolveTenantContextFromPath,
+  type PathResolver,
+} from "../app/services/tenantContextResolver.server";
+import { tenantContext, type TenantContext } from "../app/services/tenantContext.server";
+
+const sampleCtx: TenantContext = {
+  orgSlug: "acme",
+  projectSlug: "web",
+  envSlug: "prod",
+};
+
+describe("parseTenantPath", () => {
+  it("parses a full env path", () => {
+    expect(parseTenantPath("/orgs/acme/projects/web/env/prod")).toEqual({
+      orgSlug: "acme",
+      projectSlug: "web",
+      envSlug: "prod",
+    });
+  });
+
+  it("parses a path with extra segments after env", () => {
+    expect(parseTenantPath("/orgs/acme/projects/web/env/prod/runs/run_1")).toEqual({
+      orgSlug: "acme",
+      projectSlug: "web",
+      envSlug: "prod",
+    });
+  });
+
+  it("returns undefined for non-orgs paths", () => {
+    expect(parseTenantPath("/healthcheck")).toBeUndefined();
+    expect(parseTenantPath("/")).toBeUndefined();
+    expect(parseTenantPath("/api/v1/tasks")).toBeUndefined();
+  });
+
+  it("returns org-only when path has just the org slug", () => {
+    expect(parseTenantPath("/orgs/acme")).toEqual({ orgSlug: "acme" });
+    expect(parseTenantPath("/orgs/acme/")).toEqual({ orgSlug: "acme" });
+    expect(parseTenantPath("/orgs/acme/settings")).toEqual({ orgSlug: "acme" });
+  });
+
+  it("returns org + project when env is missing", () => {
+    expect(parseTenantPath("/orgs/acme/projects/web")).toEqual({
+      orgSlug: "acme",
+      projectSlug: "web",
+    });
+    expect(parseTenantPath("/orgs/acme/projects/web/")).toEqual({
+      orgSlug: "acme",
+      projectSlug: "web",
+    });
+  });
+
+  it("does not match if the prefix is wrong", () => {
+    expect(parseTenantPath("/foo/orgs/acme/projects/web/env/prod")).toBeUndefined();
+  });
+
+  it("handles slugs with hyphens, digits, and mixed case", () => {
+    expect(parseTenantPath("/orgs/references-6120/projects/hello-world-bN7m/env/dev")).toEqual({
+      orgSlug: "references-6120",
+      projectSlug: "hello-world-bN7m",
+      envSlug: "dev",
+    });
+  });
+});
+
+describe("resolveTenantContextFromPath", () => {
+  it("returns a TenantContext shaped from the parsed slugs", () => {
+    expect(resolveTenantContextFromPath("/orgs/acme/projects/web/env/prod")).toEqual({
+      orgSlug: "acme",
+      projectSlug: "web",
+      envSlug: "prod",
+    });
+  });
+
+  it("returns an empty context when the path does not match (so loaders can still enrich)", () => {
+    expect(resolveTenantContextFromPath("/healthcheck")).toEqual({});
+  });
+});
+
+describe("createTenantContextMiddleware", () => {
+  function makeReq(path: string) {
+    return { path } as Parameters<ReturnType<typeof createTenantContextMiddleware>>[0];
+  }
+
+  it("sets ALS context inside next() when resolver returns a populated context", () => {
+    const resolver: PathResolver = vi.fn().mockReturnValue(sampleCtx);
+    const middleware = createTenantContextMiddleware(resolver);
+
+    let observed: TenantContext | undefined;
+    middleware(makeReq("/orgs/acme/projects/web/env/prod"), {} as never, () => {
+      observed = tenantContext.get();
+    });
+
+    expect(observed).toEqual(sampleCtx);
+    expect(resolver).toHaveBeenCalledWith("/orgs/acme/projects/web/env/prod");
+  });
+
+  it("still establishes an empty ALS scope when resolver returns {} (so loaders can enrich)", () => {
+    const resolver: PathResolver = vi.fn().mockReturnValue({});
+    const middleware = createTenantContextMiddleware(resolver);
+
+    let observed: TenantContext | undefined;
+    middleware(makeReq("/healthcheck"), {} as never, () => {
+      observed = tenantContext.get();
+      tenantContext.enrich({ userId: "usr_1" });
+      observed = tenantContext.get();
+    });
+
+    expect(observed).toEqual({ userId: "usr_1" });
+  });
+
+  it("does not leak ALS context after next() returns", () => {
+    const resolver: PathResolver = vi.fn().mockReturnValue(sampleCtx);
+    const middleware = createTenantContextMiddleware(resolver);
+
+    middleware(makeReq("/orgs/acme/projects/web/env/prod"), {} as never, () => {});
+
+    expect(tenantContext.get()).toBeUndefined();
+  });
+
+  it("isolates concurrent requests", async () => {
+    const ctxA: TenantContext = { ...sampleCtx, orgSlug: "a" };
+    const ctxB: TenantContext = { ...sampleCtx, orgSlug: "b" };
+    const resolver: PathResolver = vi.fn((path: string) => {
+      if (path.includes("/a/")) return ctxA;
+      if (path.includes("/b/")) return ctxB;
+      return {};
+    });
+    const middleware = createTenantContextMiddleware(resolver);
+
+    const observe = (path: string, delay: number) =>
+      new Promise<TenantContext | undefined>((resolve) => {
+        middleware(makeReq(path), {} as never, async () => {
+          await new Promise((r) => setTimeout(r, delay));
+          resolve(tenantContext.get());
+        });
+      });
+
+    const [a, b] = await Promise.all([
+      observe("/orgs/a/projects/x/env/y", 10),
+      observe("/orgs/b/projects/x/env/y", 5),
+    ]);
+    expect(a?.orgSlug).toBe("a");
+    expect(b?.orgSlug).toBe("b");
+  });
+});
diff --git a/apps/webapp/test/timelineSpanEvents.test.ts b/apps/webapp/test/timelineSpanEvents.test.ts
index 1c34bb8d13a..11b62cf5afd 100644
--- a/apps/webapp/test/timelineSpanEvents.test.ts
+++ b/apps/webapp/test/timelineSpanEvents.test.ts
@@ -28,7 +28,7 @@ describe("createTimelineSpanEventsFromSpanEvents", () => {
         event: "import",
         duration: 67,
         entryPoint:
-          "/Users/eric/code/triggerdotdev/trigger.dev/references/d3-chat/.trigger/tmp/build-AL7zTl/references/d3-chat/src/trigger/chat.mjs",
+          "/project/.trigger/tmp/build-AL7zTl/src/trigger/chat.mjs",
       },
     },
   ];
@@ -53,7 +53,7 @@ describe("createTimelineSpanEventsFromSpanEvents", () => {
         event: "import",
         duration: 67,
         entryPoint:
-          "/Users/eric/code/triggerdotdev/trigger.dev/references/d3-chat/.trigger/tmp/build-AL7zTl/references/d3-chat/src/trigger/chat.mjs",
+          "/project/.trigger/tmp/build-AL7zTl/src/trigger/chat.mjs",
       },
     },
   ];
@@ -181,6 +181,15 @@ describe("createTimelineSpanEventsFromSpanEvents", () => {
     );
   });
 
+  test("should not attach raw span event properties to timeline events", () => {
+    const result = createTimelineSpanEventsFromSpanEvents(sampleSpanEvents, true);
+
+    expect(result.length).toBeGreaterThan(0);
+    for (const event of result) {
+      expect(event).not.toHaveProperty("properties");
+    }
+  });
+
   test("should preserve duration from span events", () => {
     const result = createTimelineSpanEventsFromSpanEvents(sampleSpanEvents, true);
 
diff --git a/apps/webapp/test/traceExport.test.ts b/apps/webapp/test/traceExport.test.ts
new file mode 100644
index 00000000000..a05187795d2
--- /dev/null
+++ b/apps/webapp/test/traceExport.test.ts
@@ -0,0 +1,163 @@
+import { describe, expect, it } from "vitest";
+import {
+  getTraceExportFormat,
+  streamTraceExport,
+  type TraceExportContext,
+} from "~/v3/eventRepository/traceExport.server";
+import type { StreamedTraceEvent } from "~/v3/eventRepository/eventRepository.types";
+
+const T = new Date("2026-06-06T12:00:00.000Z");
+
+const CTX: TraceExportContext = {
+  runFriendlyId: "run_x",
+  traceId: "trace_x",
+  taskIdentifier: "agent-workflow",
+  runUrl: "https://app.example.com/orgs/o/projects/p/env/dev/runs/run_x",
+};
+
+function sampleEvents(): StreamedTraceEvent[] {
+  return [
+    {
+      spanId: "root1",
+      parentSpanId: "",
+      startTime: T,
+      durationNs: 5_500_000_000, // 5.5s
+      level: "TRACE",
+      message: "agent.run",
+      isError: false,
+      propertiesText: '{"agent":{"name":"researcher-v2"}}',
+    },
+    {
+      spanId: "log1",
+      parentSpanId: "root1",
+      startTime: T,
+      durationNs: 0,
+      level: "INFO",
+      message: "processing item",
+      isError: false,
+      propertiesText: '{"itemId":7}',
+    },
+    {
+      spanId: "err1",
+      parentSpanId: "root1",
+      startTime: T,
+      durationNs: 3_000_000, // 3ms
+      level: "ERROR",
+      message: "task failed",
+      isError: true,
+      propertiesText: '{"error":{"message":"boom: it failed","name":"Error","stackTrace":"Error: boom\\n    at fn"}}',
+    },
+    {
+      spanId: "quiet1",
+      parentSpanId: "root1",
+      startTime: T,
+      durationNs: 0,
+      level: "DEBUG",
+      message: "no props here",
+      isError: false,
+      propertiesText: "{}",
+    },
+  ];
+}
+
+async function* toAsyncIterable(items: StreamedTraceEvent[]): AsyncIterable<StreamedTraceEvent> {
+  for (const item of items) {
+    yield item;
+  }
+}
+
+async function drain(gen: AsyncIterable<string>): Promise<string> {
+  let text = "";
+  for await (const chunk of gen) {
+    text += chunk;
+  }
+  return text;
+}
+
+function render(formatName: string, items = sampleEvents(), opts = {}): Promise<string> {
+  return drain(streamTraceExport(toAsyncIterable(items), getTraceExportFormat(formatName), CTX, opts));
+}
+
+describe("getTraceExportFormat", () => {
+  it("resolves known formats and defaults unknown ones to log", () => {
+    expect(getTraceExportFormat("log").extension).toBe("txt");
+    expect(getTraceExportFormat("jsonl").extension).toBe("jsonl");
+    expect(getTraceExportFormat("markdown").extension).toBe("md");
+    expect(getTraceExportFormat(null).name).toBe("log");
+    expect(getTraceExportFormat("bogus").name).toBe("log");
+  });
+});
+
+describe("log format", () => {
+  it("is flat events with parent refs, no header, ns durations, inline error message", async () => {
+    const text = await render("log");
+    expect(text).not.toContain("Run:");
+    expect(text).not.toContain("Trace ID:");
+    expect(text.startsWith("2026-")).toBe(true);
+    expect(text).toContain("[root1] agent.run");
+    expect(text).toContain("(5.5 seconds)");
+    expect(text).not.toMatch(/day/);
+    expect(text).toContain("[log1 ← root1] processing item");
+    expect(text).toContain('props: {"itemId":7}');
+    // Error message surfaced inline (not just an [ERROR] flag).
+    expect(text).toContain("[err1 ← root1] task failed [ERROR: boom: it failed]");
+    // Empty properties are omitted.
+    expect(text).not.toContain("props: {}");
+  });
+});
+
+describe("jsonl format", () => {
+  it("emits one valid JSON object per line with inlined properties + errorMessage", async () => {
+    const text = await render("jsonl");
+    const lines = text.trim().split("\n");
+    expect(lines).toHaveLength(4);
+
+    const first = JSON.parse(lines[0]);
+    expect(first).toMatchObject({
+      spanId: "root1",
+      message: "agent.run",
+      level: "TRACE",
+      durationNs: 5_500_000_000,
+    });
+    expect(first.parentSpanId).toBeUndefined();
+    expect(first.properties).toEqual({ agent: { name: "researcher-v2" } });
+
+    const err = JSON.parse(lines[2]);
+    expect(err.isError).toBe(true);
+    expect(err.errorMessage).toBe("boom: it failed");
+    expect(err.properties.error.stackTrace).toContain("at fn");
+
+    const quiet = JSON.parse(lines[3]);
+    expect(quiet.properties).toBeUndefined(); // "{}" → omitted
+    expect(quiet.errorMessage).toBeUndefined();
+  });
+});
+
+describe("markdown format", () => {
+  it("emits YAML frontmatter with ids/task/url and a table (no fenced blocks)", async () => {
+    const text = await render("markdown");
+    expect(text.startsWith("---\n")).toBe(true);
+    expect(text).toContain("run: run_x");
+    expect(text).toContain("trace: trace_x");
+    expect(text).toContain("task: agent-workflow");
+    expect(text).toContain("url: https://app.example.com/orgs/o/projects/p/env/dev/runs/run_x");
+    expect(text).toContain("# Trace for run_x");
+    expect(text).toContain("[View in dashboard](https://app.example.com/orgs/o/projects/p/env/dev/runs/run_x)");
+    expect(text).toContain("| time | level | event | duration | span ← parent | properties |");
+    expect(text).not.toContain("```json");
+    expect(text).toContain("`log1 ← root1`");
+    expect(text).toContain("ERROR ❌");
+    // Error message surfaced in the event cell.
+    expect(text).toContain("| task failed — boom: it failed |");
+  });
+});
+
+describe("all formats", () => {
+  it("produce identical output regardless of flush size (no cross-event state)", async () => {
+    for (const name of ["log", "jsonl", "markdown"]) {
+      const full = await render(name);
+      const tiny = await render(name, sampleEvents(), { flushBytes: 8 });
+      expect(tiny, `format ${name}`).toEqual(full);
+    }
+  });
+});
diff --git a/apps/webapp/test/utils/replicationUtils.ts b/apps/webapp/test/utils/replicationUtils.ts
index ecbf65bacc1..358da0c2cf6 100644
--- a/apps/webapp/test/utils/replicationUtils.ts
+++ b/apps/webapp/test/utils/replicationUtils.ts
@@ -2,6 +2,7 @@ import { ClickHouse } from "@internal/clickhouse";
 import { RedisOptions } from "@internal/redis";
 import { PrismaClient } from "~/db.server";
 import { RunsReplicationService } from "~/services/runsReplicationService.server";
+import { TestReplicationClickhouseFactory } from "./testReplicationClickhouseFactory";
 import { afterEach } from "vitest";
 
 export async function setupClickhouseReplication({
@@ -26,7 +27,7 @@ export async function setupClickhouseReplication({
   });
 
   const runsReplicationService = new RunsReplicationService({
-    clickhouse,
+    clickhouseFactory: new TestReplicationClickhouseFactory(clickhouse),
     pgConnectionUrl: databaseUrl,
     serviceName: "runs-replication",
     slotName: "task_runs_to_clickhouse_v1",
diff --git a/apps/webapp/test/utils/testReplicationClickhouseFactory.ts b/apps/webapp/test/utils/testReplicationClickhouseFactory.ts
new file mode 100644
index 00000000000..2422a461d61
--- /dev/null
+++ b/apps/webapp/test/utils/testReplicationClickhouseFactory.ts
@@ -0,0 +1,32 @@
+import type { ClickHouse } from "@internal/clickhouse";
+import {
+  ClickhouseFactory,
+  type ClientType,
+} from "~/services/clickhouse/clickhouseFactory.server";
+import type { OrganizationDataStoresRegistry } from "~/services/dataStores/organizationDataStoresRegistry.server";
+
+const testReplicationRegistryStub = {
+  isLoaded: true,
+  isReady: Promise.resolve(),
+  get: () => null,
+} as unknown as OrganizationDataStoresRegistry;
+
+/**
+ * Routes all `replication` and `sessions_replication` clients to a single test ClickHouse;
+ * other client types use the real factory defaults.
+ */
+export class TestReplicationClickhouseFactory extends ClickhouseFactory {
+  constructor(private readonly replicationClient: ClickHouse) {
+    super(testReplicationRegistryStub);
+  }
+
+  override getClickhouseForOrganizationSync(
+    organizationId: string,
+    clientType: ClientType
+  ): ClickHouse {
+    if (clientType === "replication" || clientType === "sessions_replication") {
+      return this.replicationClient;
+    }
+    return super.getClickhouseForOrganizationSync(organizationId, clientType);
+  }
+}
diff --git a/apps/webapp/test/utils/tracing.ts b/apps/webapp/test/utils/tracing.ts
index 09500a6c354..868f6b9e6a5 100644
--- a/apps/webapp/test/utils/tracing.ts
+++ b/apps/webapp/test/utils/tracing.ts
@@ -1,6 +1,6 @@
+import { context, propagation, trace } from "@opentelemetry/api";
 import { NodeTracerProvider } from "@opentelemetry/sdk-trace-node";
 import { InMemorySpanExporter, SimpleSpanProcessor } from "@opentelemetry/sdk-trace-base";
-import { trace } from "@opentelemetry/api";
 import {
   MeterProvider,
   InMemoryMetricExporter,
@@ -9,15 +9,39 @@ import {
 } from "@opentelemetry/sdk-metrics";
 
 export function createInMemoryTracing() {
-  // Initialize the tracer provider and exporter
+  // Webapp's vitest config uses `pool: "forks"` with `--no-file-parallelism`,
+  // so all test files in a shard share one process. globalThis persists
+  // across files even though vitest clears the module cache between them.
+  //
+  // OTel's `provider.register()` calls trace/context/propagation
+  // `setGlobal*` — and `setGlobal` no-ops (logs an error, returns false)
+  // when a global is already set. Two patterns hit that path:
+  // 1. `~/v3/tracer.server.ts` runs `provider.register()` via its
+  //    `singleton("opentelemetry", setupTelemetry)` — first test in the
+  //    shard to import that path sets the globals to webapp's tracer.
+  // 2. A subsequent test calls `createInMemoryTracing()` to swap in its
+  //    own in-memory provider. Without disabling first, register() is
+  //    a no-op — the test's provider receives spans via its
+  //    SimpleSpanProcessor (provider-scoped), but `trace.getActiveSpan()`
+  //    (used by code under test, e.g. sentryTraceContext.server.ts)
+  //    reads from the stale global context manager from step 1.
+  //
+  // Disable first, then register, so the test's provider always wins
+  // for both span recording and the global API. After the test, the
+  // next caller's createInMemoryTracing rotates again — no leakage.
+  trace.disable();
+  context.disable();
+  propagation.disable();
+
   const exporter = new InMemorySpanExporter();
   const provider = new NodeTracerProvider({
     spanProcessors: [new SimpleSpanProcessor(exporter)],
   });
   provider.register();
 
-  // Retrieve the tracer
-  const tracer = trace.getTracer("test-tracer");
+  // Use the provider's tracer so spans hit this exporter even when a global
+  // NodeTracerProvider was already registered (e.g. via tracer.server import chain).
+  const tracer = provider.getTracer("test-tracer");
 
   return {
     exporter,
diff --git a/apps/webapp/test/validateGitBranchName.test.ts b/apps/webapp/test/validateGitBranchName.test.ts
index 28f4056c463..91742c6ca76 100644
--- a/apps/webapp/test/validateGitBranchName.test.ts
+++ b/apps/webapp/test/validateGitBranchName.test.ts
@@ -1,5 +1,5 @@
 import { describe, expect, it } from "vitest";
-import { isValidGitBranchName, sanitizeBranchName } from "~/v3/gitBranch";
+import { isValidGitBranchName, sanitizeBranchName } from "@trigger.dev/core/v3/utils/gitBranch";
 
 describe("isValidGitBranchName", () => {
   it("returns true for a valid branch name", async () => {
diff --git a/apps/webapp/test/workerQueueSplit.test.ts b/apps/webapp/test/workerQueueSplit.test.ts
new file mode 100644
index 00000000000..b80af06f9b9
--- /dev/null
+++ b/apps/webapp/test/workerQueueSplit.test.ts
@@ -0,0 +1,168 @@
+import { describe, expect, it } from "vitest";
+import {
+  baseWorkerQueue,
+  resolveScheduledQueueSplitEnabled,
+  workerQueueForRun,
+  workerQueueForClass,
+  SCHEDULED_WORKER_QUEUE_SUFFIX,
+} from "~/runEngine/concerns/workerQueueSplit.server";
+import { FEATURE_FLAG } from "~/v3/featureFlags";
+
+const FLAG = FEATURE_FLAG.workerQueueScheduledSplitEnabled;
+
+describe("resolveScheduledQueueSplitEnabled", () => {
+  it("falls back to the global default when the org has no override", () => {
+    expect(resolveScheduledQueueSplitEnabled({ orgFeatureFlags: null, globalDefault: false })).toBe(
+      false
+    );
+    expect(
+      resolveScheduledQueueSplitEnabled({ orgFeatureFlags: undefined, globalDefault: true })
+    ).toBe(true);
+    expect(resolveScheduledQueueSplitEnabled({ orgFeatureFlags: {}, globalDefault: true })).toBe(
+      true
+    );
+  });
+
+  it("per-org true overrides a global default of false (beta opt-in)", () => {
+    expect(
+      resolveScheduledQueueSplitEnabled({
+        orgFeatureFlags: { [FLAG]: true },
+        globalDefault: false,
+      })
+    ).toBe(true);
+  });
+
+  it("per-org false overrides a global default of true (escape hatch)", () => {
+    expect(
+      resolveScheduledQueueSplitEnabled({
+        orgFeatureFlags: { [FLAG]: false },
+        globalDefault: true,
+      })
+    ).toBe(false);
+  });
+
+  it("ignores unrelated org flags", () => {
+    expect(
+      resolveScheduledQueueSplitEnabled({
+        orgFeatureFlags: { somethingElse: true },
+        globalDefault: false,
+      })
+    ).toBe(false);
+  });
+
+  it("coerces a present override to boolean (z.coerce.boolean semantics)", () => {
+    // The catalog type is z.coerce.boolean(), matching the mollifier flag, so any
+    // present value is coerced rather than rejected. The admin routes validate
+    // against the same catalog on write, so stored values are real JSON booleans;
+    // this just documents that a present override always wins over the default.
+    expect(
+      resolveScheduledQueueSplitEnabled({
+        orgFeatureFlags: { [FLAG]: 0 as unknown as boolean },
+        globalDefault: true,
+      })
+    ).toBe(false);
+  });
+});
+
+describe("workerQueueForRun", () => {
+  const region = "us-nyc-3";
+  const scheduled = `${region}${SCHEDULED_WORKER_QUEUE_SUFFIX}`;
+
+  it("suffixes scheduled-lineage runs when the split is enabled", () => {
+    expect(
+      workerQueueForRun({ workerQueue: region, rootTriggerSource: "schedule", splitEnabled: true })
+    ).toBe(scheduled);
+  });
+
+  it("leaves standard/agent runs on the base queue", () => {
+    for (const rootTriggerSource of ["api", "sdk", "dashboard", "cli", "mcp", undefined]) {
+      expect(
+        workerQueueForRun({ workerQueue: region, rootTriggerSource, splitEnabled: true })
+      ).toBe(region);
+    }
+  });
+
+  it("never suffixes when the split is disabled, even for scheduled runs", () => {
+    expect(
+      workerQueueForRun({ workerQueue: region, rootTriggerSource: "schedule", splitEnabled: false })
+    ).toBe(region);
+  });
+
+  it("is idempotent — does not double-suffix an already-scheduled queue", () => {
+    expect(
+      workerQueueForRun({
+        workerQueue: scheduled,
+        rootTriggerSource: "schedule",
+        splitEnabled: true,
+      })
+    ).toBe(scheduled);
+  });
+});
+
+describe("baseWorkerQueue", () => {
+  const region = "us-nyc-3";
+  const scheduled = `${region}${SCHEDULED_WORKER_QUEUE_SUFFIX}`;
+
+  it("strips the scheduled split suffix back to the base region", () => {
+    expect(baseWorkerQueue(scheduled)).toBe(region);
+  });
+
+  it("leaves a base region untouched (idempotent)", () => {
+    expect(baseWorkerQueue(region)).toBe(region);
+    expect(baseWorkerQueue(baseWorkerQueue(scheduled))).toBe(region);
+  });
+
+  it("strips any future `:<class>` suffix, not just `:scheduled`", () => {
+    expect(baseWorkerQueue("us-nyc-3:priority")).toBe(region);
+    expect(baseWorkerQueue("us-nyc-3:a:b")).toBe(region);
+  });
+
+  it("handles the project-scoped masterQueue shape (`<projectId>-<name>`)", () => {
+    expect(baseWorkerQueue("proj_abc123-main:scheduled")).toBe("proj_abc123-main");
+  });
+
+  it("returns an empty string unchanged", () => {
+    expect(baseWorkerQueue("")).toBe("");
+  });
+
+  it("passes a nullish worker queue straight through (synthetic run snapshots)", () => {
+    expect(baseWorkerQueue(null)).toBeNull();
+    expect(baseWorkerQueue(undefined)).toBeUndefined();
+  });
+
+  it("round-trips with workerQueueForRun: the split queue strips back to the region it came from", () => {
+    const enqueued = workerQueueForRun({
+      workerQueue: region,
+      rootTriggerSource: "schedule",
+      splitEnabled: true,
+    });
+    expect(baseWorkerQueue(enqueued)).toBe(region);
+  });
+});
+
+describe("workerQueueForClass", () => {
+  const region = "us-nyc-3";
+  const scheduled = `${region}${SCHEDULED_WORKER_QUEUE_SUFFIX}`;
+
+  it("returns the base queue for the default class or no class", () => {
+    expect(workerQueueForClass(region, "default")).toBe(region);
+    expect(workerQueueForClass(region, undefined)).toBe(region);
+  });
+
+  it("returns the suffixed queue for the scheduled class", () => {
+    expect(workerQueueForClass(region, "scheduled")).toBe(scheduled);
+  });
+
+  it("is idempotent — does not double-suffix", () => {
+    expect(workerQueueForClass(scheduled, "scheduled")).toBe(scheduled);
+  });
+
+  it("round-trips with workerQueueForRun: a scheduled run lands on the queue its class targets", () => {
+    const enqueued = workerQueueForRun({
+      workerQueue: region,
+      rootTriggerSource: "schedule",
+      splitEnabled: true,
+    });
+    expect(workerQueueForClass(region, "scheduled")).toBe(enqueued);
+  });
+});
diff --git a/apps/webapp/vitest.config.ts b/apps/webapp/vitest.config.ts
index 0c08af40ea4..69eb980732f 100644
--- a/apps/webapp/vitest.config.ts
+++ b/apps/webapp/vitest.config.ts
@@ -1,11 +1,18 @@
 import { defineConfig } from "vitest/config";
+import { DurationShardingSequencer } from "@internal/testcontainers/sequencer";
 import tsconfigPaths from "vite-tsconfig-paths";
 
 export default defineConfig({
   test: {
+    sequence: { sequencer: DurationShardingSequencer },
     include: ["test/**/*.test.ts"],
+    // *.e2e.test.ts: smoke matrix, run via vitest.e2e.config.ts.
+    // *.e2e.full.test.ts: full auth suite, runs via vitest.e2e.full.config.ts
+    // (needs a globalSetup-spawned webapp + Postgres container).
+    exclude: ["test/**/*.e2e.test.ts", "test/**/*.e2e.full.test.ts"],
     globals: true,
     pool: "forks",
+    setupFiles: ["./test/setup.ts"], // load apps/webapp/.env
   },
   // @ts-ignore
   plugins: [tsconfigPaths({ projects: ["./tsconfig.json"] })],
diff --git a/apps/webapp/vitest.e2e.config.ts b/apps/webapp/vitest.e2e.config.ts
new file mode 100644
index 00000000000..0c5c1e86c84
--- /dev/null
+++ b/apps/webapp/vitest.e2e.config.ts
@@ -0,0 +1,12 @@
+import { defineConfig } from "vitest/config";
+import tsconfigPaths from "vite-tsconfig-paths";
+
+export default defineConfig({
+  test: {
+    include: ["test/**/*.e2e.test.ts"],
+    globals: true,
+    pool: "forks",
+  },
+  // @ts-ignore
+  plugins: [tsconfigPaths({ projects: ["./tsconfig.json"] })],
+});
diff --git a/apps/webapp/vitest.e2e.full.config.ts b/apps/webapp/vitest.e2e.full.config.ts
new file mode 100644
index 00000000000..47a4b0a8084
--- /dev/null
+++ b/apps/webapp/vitest.e2e.full.config.ts
@@ -0,0 +1,20 @@
+import { defineConfig } from "vitest/config";
+import tsconfigPaths from "vite-tsconfig-paths";
+
+// Comprehensive auth e2e suite — see TRI-8731. Boots a single
+// webapp + Postgres + Redis container in globalSetup and rapid-fires
+// tests against it across multiple test files. Distinct from the smoke
+// suite (vitest.e2e.config.ts) which uses per-file beforeAll setup and
+// runs in default CI on every PR.
+export default defineConfig({
+  test: {
+    include: ["test/**/*.e2e.full.test.ts"],
+    globalSetup: ["./test/setup/global-e2e-full-setup.ts"],
+    globals: true,
+    pool: "forks",
+    testTimeout: 60_000,
+    hookTimeout: 180_000,
+  },
+  // @ts-ignore
+  plugins: [tsconfigPaths({ projects: ["./tsconfig.json"] })],
+});
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 49b14bcc54a..81fe4afe3cc 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,7 +1,7 @@
-ARG NODE_IMAGE=node:20.20-bullseye-slim@sha256:d6c3903e556d4161f63af4550e76244908b6668e1a7d2983eff4873a0c2b0413
+ARG NODE_IMAGE=node:20.20.2-bookworm-slim@sha256:2cf067cfed83d5ea958367df9f966191a942351a2df77d6f0193e162b5febfc0
 
-FROM golang:1.23-alpine AS goose_builder
-RUN go install github.com/pressly/goose/v3/cmd/goose@v3.26.0
+FROM golang:1.26-alpine AS goose_builder
+RUN go install github.com/pressly/goose/v3/cmd/goose@v3.27.1
 
 FROM ${NODE_IMAGE} AS pruner
 
@@ -13,7 +13,7 @@ RUN find . -name "node_modules" -type d -prune -exec rm -rf '{}' +
 
 # Base strategy to have layer caching
 FROM ${NODE_IMAGE} AS base
-RUN apt-get update && apt-get install -y openssl dumb-init
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends openssl dumb-init && rm -rf /var/lib/apt/lists/*
 WORKDIR /triggerdotdev
 COPY --chown=node:node .gitignore .gitignore
 COPY --from=pruner --chown=node:node /triggerdotdev/out/json/ .
@@ -25,7 +25,7 @@ COPY --chown=node:node patches ./patches
 FROM base AS dev-deps
 WORKDIR /triggerdotdev
 # Corepack is used to install pnpm with the exact version from packageManager
-RUN corepack enable && corepack prepare pnpm@10.23.0 --activate
+RUN corepack enable && corepack prepare pnpm@10.33.2 --activate
 ENV NODE_ENV=development
 RUN --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store pnpm install --no-frozen-lockfile
 # Generate Prisma client here where all deps are installed
@@ -36,17 +36,17 @@ RUN pnpx prisma@6.14.0 generate --schema /triggerdotdev/internal-packages/databa
 FROM base AS production-deps
 WORKDIR /triggerdotdev
 # Corepack is used to install pnpm with the exact version from packageManager
-RUN corepack enable && corepack prepare pnpm@10.23.0 --activate
+RUN corepack enable && corepack prepare pnpm@10.33.2 --activate
 ENV NODE_ENV=production
 RUN --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store pnpm install --prod --no-frozen-lockfile
 
 ## Builder (builds the webapp)
 FROM base AS builder
 # This is needed for the sentry-cli binary while building the webapp
-RUN apt-get update && apt-get install -y openssl dumb-init ca-certificates
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends openssl dumb-init ca-certificates && rm -rf /var/lib/apt/lists/*
 WORKDIR /triggerdotdev
 # Corepack is used to install pnpm with the exact version from packageManager
-RUN corepack enable && corepack prepare pnpm@10.23.0 --activate
+RUN corepack enable && corepack prepare pnpm@10.33.2 --activate
 
 ARG SENTRY_RELEASE
 ARG SENTRY_ORG
@@ -75,7 +75,7 @@ RUN --mount=type=secret,id=sentry_auth_token \
 
 # Runner
 FROM ${NODE_IMAGE} AS runner
-RUN apt-get update && apt-get install -y openssl netcat-openbsd ca-certificates
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends openssl netcat-openbsd ca-certificates && rm -rf /var/lib/apt/lists/*
 WORKDIR /triggerdotdev
 ENV NODE_ENV=production
 
@@ -98,19 +98,25 @@ ARG BUILD_APP_VERSION
 ARG BUILD_GIT_SHA
 ARG BUILD_GIT_REF_NAME
 ARG BUILD_TIMESTAMP_SECONDS
+ARG BUILD_TIMESTAMP_RFC3339
 ENV BUILD_APP_VERSION=${BUILD_APP_VERSION} \
     BUILD_GIT_SHA=${BUILD_GIT_SHA} \
     BUILD_GIT_REF_NAME=${BUILD_GIT_REF_NAME} \
     BUILD_TIMESTAMP_SECONDS=${BUILD_TIMESTAMP_SECONDS}
 
+LABEL org.opencontainers.image.source="https://github.com/triggerdotdev/trigger.dev" \
+      org.opencontainers.image.revision="${BUILD_GIT_SHA}" \
+      org.opencontainers.image.version="${BUILD_APP_VERSION}" \
+      org.opencontainers.image.created="${BUILD_TIMESTAMP_RFC3339}"
+
 EXPOSE 3000
 
 # Add global pnpm shims and install pnpm during build (root user)
-RUN corepack enable && corepack prepare pnpm@10.23.0 --activate
+RUN corepack enable && corepack prepare pnpm@10.33.2 --activate
 
 USER node
 
 # Ensure pnpm is installed during build and not silently downloaded at runtime (node user)
-RUN corepack prepare pnpm@10.23.0 --activate
+RUN corepack prepare pnpm@10.33.2 --activate
 
 CMD ["./scripts/entrypoint.sh"]
\ No newline at end of file
diff --git a/docker/Dockerfile.postgres b/docker/Dockerfile.postgres
index 520c586369d..c71f98cecb3 100644
--- a/docker/Dockerfile.postgres
+++ b/docker/Dockerfile.postgres
@@ -1,5 +1,5 @@
 FROM postgres:14
 
 RUN apt-get update \
-    && apt-get install -y postgresql-14-partman \
+    && apt-get install -y --no-install-recommends postgresql-14-partman \
     && rm -rf /var/lib/apt/lists/*
diff --git a/docker/config/clickhouse-disable-system-logs.xml b/docker/config/clickhouse-disable-system-logs.xml
new file mode 100644
index 00000000000..440df4c07ed
--- /dev/null
+++ b/docker/config/clickhouse-disable-system-logs.xml
@@ -0,0 +1,13 @@
+<clickhouse>
+    <metric_log remove="1"/>
+    <asynchronous_metric_log remove="1"/>
+    <part_log remove="1"/>
+    <trace_log remove="1"/>
+    <query_thread_log remove="1"/>
+    <session_log remove="1"/>
+    <text_log remove="1"/>
+    <zookeeper_log remove="1"/>
+    <processors_profile_log remove="1"/>
+    <asynchronous_insert_log remove="1"/>
+    <backup_log remove="1"/>
+</clickhouse>
diff --git a/docker/config/grafana/provisioning/dashboards/realtime-native.json b/docker/config/grafana/provisioning/dashboards/realtime-native.json
new file mode 100644
index 00000000000..832f2c8e320
--- /dev/null
+++ b/docker/config/grafana/provisioning/dashboards/realtime-native.json
@@ -0,0 +1,503 @@
+{
+  "title": "Realtime Native Backend",
+  "uid": "realtime-native",
+  "tags": [
+    "trigger.dev",
+    "realtime"
+  ],
+  "timezone": "browser",
+  "schemaVersion": 39,
+  "refresh": "10s",
+  "time": {
+    "from": "now-30m",
+    "to": "now"
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 1,
+  "links": [],
+  "annotations": {
+    "list": []
+  },
+  "templating": {
+    "list": []
+  },
+  "panels": [
+    {
+      "id": 1,
+      "type": "timeseries",
+      "title": "Delivery lag (write \u2192 emission)",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 0,
+        "y": 0
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "expr": "histogram_quantile(0.5, sum(rate(triggerdotdev_realtime_native_delivery_lag_ms_milliseconds_bucket[$__rate_interval])) by (le))",
+          "legendFormat": "p50"
+        },
+        {
+          "refId": "B",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "expr": "histogram_quantile(0.99, sum(rate(triggerdotdev_realtime_native_delivery_lag_ms_milliseconds_bucket[$__rate_interval])) by (le))",
+          "legendFormat": "p99"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "unit": "ms",
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 1,
+            "fillOpacity": 8,
+            "showPoints": "never"
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "description": "The end-to-end SLI: now minus the newest emitted row's updatedAt. A p99 approaching the ~20s backstop hold means live wakes are being missed."
+    },
+    {
+      "id": 2,
+      "type": "timeseries",
+      "title": "Live polls by path",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 8,
+        "y": 0
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "expr": "sum(rate(triggerdotdev_realtime_native_live_polls_total[$__rate_interval])) by (path)",
+          "legendFormat": "{{path}}"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 1,
+            "fillOpacity": 8,
+            "showPoints": "never"
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "description": "fast-hydrate = router wake, no ClickHouse. full-resolve = backstop. cold-resolve = fresh env subscription probed (instance hop / first poll)."
+    },
+    {
+      "id": 3,
+      "type": "stat",
+      "title": "Backstop DELIVERED (should be ~0)",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 16,
+        "y": 0
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "expr": "sum(rate(triggerdotdev_realtime_native_backstops_total{result=\"delivered\"}[5m])) or vector(0)",
+          "legendFormat": "delivered/s"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 0.01
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "colorMode": "background",
+        "graphMode": "area",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ]
+        }
+      },
+      "description": "A backstop that finds missed changes means the notify/replay path is leaking. Alert on sustained non-zero."
+    },
+    {
+      "id": 4,
+      "type": "timeseries",
+      "title": "Wakeups by reason",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 0,
+        "y": 8
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "expr": "sum(rate(triggerdotdev_realtime_native_wakeups_total[$__rate_interval])) by (reason)",
+          "legendFormat": "{{reason}}"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 1,
+            "fillOpacity": 8,
+            "showPoints": "never"
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "description": "notify = the architecture working. A rising timeout share with active traffic = publishes not routing."
+    },
+    {
+      "id": 5,
+      "type": "timeseries",
+      "title": "Gap recovery: replays + evictions",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 8,
+        "y": 8
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "expr": "sum(rate(triggerdotdev_realtime_native_replays_total[$__rate_interval])) by (result)",
+          "legendFormat": "replay {{result}}"
+        },
+        {
+          "refId": "B",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "expr": "sum(rate(triggerdotdev_realtime_native_replay_evictions_total[$__rate_interval])) by (reason)",
+          "legendFormat": "evict {{reason}}"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 1,
+            "fillOpacity": 8,
+            "showPoints": "never"
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "description": "Replays recover records that landed between a connection's polls. 'evict cap' = an env churns more runs than the buffer window holds \u2014 retune REPLAY_MAX_RUNS / WINDOW_MS."
+    },
+    {
+      "id": 6,
+      "type": "timeseries",
+      "title": "Rows per emission (p99)",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 16,
+        "y": 8
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "expr": "histogram_quantile(0.99, sum(rate(triggerdotdev_realtime_native_emitted_rows_bucket[$__rate_interval])) by (le))",
+          "legendFormat": "p99 rows"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 1,
+            "fillOpacity": 8,
+            "showPoints": "never"
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "description": "Deltas should be small. A fat tail means working-set / offset-floor fallbacks are re-emitting full sets."
+    },
+    {
+      "id": 7,
+      "type": "timeseries",
+      "title": "Held feeds by kind",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 0,
+        "y": 16
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "expr": "sum(triggerdotdev_realtime_native_held_feeds) by (kind)",
+          "legendFormat": "{{kind}}"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 1,
+            "fillOpacity": 8,
+            "showPoints": "never"
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "description": "Long-polls currently held \u2014 the capacity unit."
+    },
+    {
+      "id": 8,
+      "type": "timeseries",
+      "title": "Envs + channel subscriptions",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 8,
+        "y": 16
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "expr": "sum(triggerdotdev_realtime_native_active_envs)",
+          "legendFormat": "routed envs"
+        },
+        {
+          "refId": "B",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "expr": "sum(triggerdotdev_realtime_notifier_active_subscriptions)",
+          "legendFormat": "redis channels"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 1,
+            "fillOpacity": 8,
+            "showPoints": "never"
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "description": "Routed envs includes lingering subscriptions (kept alive briefly after the last feed closes)."
+    },
+    {
+      "id": 9,
+      "type": "timeseries",
+      "title": "Resolve health",
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 16,
+        "y": 16
+      },
+      "targets": [
+        {
+          "refId": "A",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "expr": "sum(rate(triggerdotdev_realtime_native_runset_resolves_total[$__rate_interval])) by (result)",
+          "legendFormat": "resolve {{result}}"
+        },
+        {
+          "refId": "B",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "expr": "sum(triggerdotdev_realtime_native_resolve_admission_in_use)",
+          "legendFormat": "gate in use"
+        },
+        {
+          "refId": "C",
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "expr": "sum(rate(triggerdotdev_realtime_native_concurrency_rejections_total[$__rate_interval]))",
+          "legendFormat": "429/s"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "custom": {
+            "drawStyle": "line",
+            "lineWidth": 1,
+            "fillOpacity": 8,
+            "showPoints": "never"
+          }
+        },
+        "overrides": []
+      },
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom"
+        },
+        "tooltip": {
+          "mode": "multi"
+        }
+      },
+      "description": "hit/coalesced vs miss = the single-flight cache collapsing same-filter herds. Gate in use near the limit = reconnect stampedes queueing."
+    }
+  ]
+}
\ No newline at end of file
diff --git a/docker/docker-compose.extras.yml b/docker/docker-compose.extras.yml
new file mode 100644
index 00000000000..cf16272dcc5
--- /dev/null
+++ b/docker/docker-compose.extras.yml
@@ -0,0 +1,124 @@
+# Optional services for advanced local-dev workflows. Pair with
+# `docker-compose.yml` via `pnpm run docker:full`.
+#
+# Same `name:` so `docker compose` treats both files as one project — bring
+# them up together and they share the `app_network` and `triggerdotdev-docker`
+# volume namespace. Tear down with `pnpm run docker:full:stop`.
+#
+# Includes:
+#   - electric-shard-1:   second Electric instance for multi-shard testing
+#   - ch-ui:              ClickHouse browser UI
+#   - toxiproxy:          chaos / flake testing
+#   - nginx-h2:           HTTP/2 reverse proxy
+#   - otel-collector + prometheus + grafana: observability stack
+name: triggerdotdev-docker
+
+volumes:
+  prometheus-data:
+  grafana-data:
+
+networks:
+  app_network:
+    external: false
+
+services:
+  electric-shard-1:
+    container_name: ${CONTAINER_PREFIX:-}electric-shard-1
+    image: electricsql/electric:1.2.4@sha256:20da3d0b0e74926c5623392db67fd56698b9e374c4aeb6cb5cadeb8fea171c36
+    restart: always
+    environment:
+      DATABASE_URL: postgresql://postgres:postgres@database:5432/postgres?sslmode=disable
+      ELECTRIC_INSECURE: true
+      ELECTRIC_REPLICATION_STREAM_ID: "triggershard1"
+    networks:
+      - app_network
+    ports:
+      - "${ELECTRIC_SHARD_1_HOST_PORT:-3061}:3000"
+    depends_on:
+      - database
+
+  ch-ui:
+    image: ghcr.io/caioricciuti/ch-ui:latest@sha256:288abf7103d6e0f45527ee835ee79bd1e0bfb82d55dc514fb3cf43816306b538
+    restart: always
+    ports:
+      - "${CH_UI_HOST_PORT:-5521}:5521"
+    environment:
+      VITE_CLICKHOUSE_URL: "http://localhost:${CLICKHOUSE_HTTP_HOST_PORT:-8123}"
+      VITE_CLICKHOUSE_USER: "default"
+      VITE_CLICKHOUSE_PASS: "password"
+    networks:
+      - app_network
+
+  toxiproxy:
+    container_name: ${CONTAINER_PREFIX:-}toxiproxy
+    image: ghcr.io/shopify/toxiproxy:latest@sha256:9378ed52a28bc50edc1350f936f518f31fa95f0d15917d6eb40b8e376d1a214e
+    restart: always
+    volumes:
+      - ./config/toxiproxy.json:/config/toxiproxy.json
+    ports:
+      - "${TOXIPROXY_PROXY_HOST_PORT:-30303}:30303" # Proxied webapp port
+      - "${TOXIPROXY_API_HOST_PORT:-8474}:8474" # Toxiproxy API port
+    networks:
+      - app_network
+    command: ["-host", "0.0.0.0", "-config", "/config/toxiproxy.json"]
+
+  nginx-h2:
+    image: nginx:1.27@sha256:6784fb0834aa7dbbe12e3d7471e69c290df3e6ba810dc38b34ae33d3c1c05f7d
+    container_name: ${CONTAINER_PREFIX:-}nginx-h2
+    restart: unless-stopped
+    ports:
+      - "${NGINX_H2_HOST_PORT:-8443}:8443"
+    volumes:
+      - ./config/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./config/certs:/etc/nginx/certs:ro
+    networks:
+      - app_network
+
+  # Observability stack for local development
+  otel-collector:
+    container_name: ${CONTAINER_PREFIX:-}otel-collector
+    image: otel/opentelemetry-collector-contrib:0.96.0@sha256:7ef2a2ff46b9e432321fdd63df104bfeedaf7b4e276950f42c634d0f23521fc4
+    restart: always
+    command: ["--config", "/etc/otel-collector-config.yaml"]
+    volumes:
+      - ./config/otel-collector-config.yaml:/etc/otel-collector-config.yaml:ro
+    ports:
+      - "${OTEL_GRPC_HOST_PORT:-4317}:4317" # OTLP gRPC receiver
+      - "${OTEL_HTTP_HOST_PORT:-4318}:4318" # OTLP HTTP receiver
+      - "${OTEL_PROMETHEUS_HOST_PORT:-8889}:8889" # Prometheus exporter
+    networks:
+      - app_network
+
+  prometheus:
+    container_name: ${CONTAINER_PREFIX:-}prometheus
+    image: prom/prometheus:v2.54.1@sha256:f6639335d34a77d9d9db382b92eeb7fc00934be8eae81dbc03b31cfe90411a94
+    restart: always
+    volumes:
+      - ./config/prometheus.yml:/etc/prometheus/prometheus.yml:ro
+      - prometheus-data:/prometheus
+    ports:
+      - "${PROMETHEUS_HOST_PORT:-9090}:9090"
+    networks:
+      - app_network
+    command:
+      - "--config.file=/etc/prometheus/prometheus.yml"
+      - "--storage.tsdb.path=/prometheus"
+      - "--web.enable-lifecycle"
+
+  grafana:
+    container_name: ${CONTAINER_PREFIX:-}grafana
+    image: grafana/grafana:11.3.0@sha256:a0f881232a6fb71a0554a47d0fe2203b6888fe77f4cefb7ea62bed7eb54e13c3
+    restart: always
+    volumes:
+      - grafana-data:/var/lib/grafana
+      - ./config/grafana/provisioning:/etc/grafana/provisioning:ro
+    ports:
+      - "${GRAFANA_HOST_PORT:-4001}:3000"
+    environment:
+      GF_SECURITY_ADMIN_USER: admin
+      GF_SECURITY_ADMIN_PASSWORD: admin
+      GF_USERS_ALLOW_SIGN_UP: false
+    networks:
+      - app_network
+    depends_on:
+      - prometheus
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 6b64e901bd0..1e70d94cd0d 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -1,14 +1,21 @@
-version: "3"
+# Core local-dev stack: the minimum a contributor needs to boot the webapp.
+# For optional services (object store, observability, HTTP/2 proxy, chaos
+# tooling, ClickHouse UI, extra electric shard) see ./docker-compose.extras.yml
+# and the `pnpm run docker:full` script.
+#
+# Every host port is overridable via env vars from the root `.env` so multiple
+# instances (worktrees, branch experiments) can run side by side. See the
+# "Multiple instances" block in `.env.example` for the full set of knobs.
+name: triggerdotdev-docker
 
 volumes:
   database-data:
   database-data-alt:
+  database-replica-data:
   redis-data:
   minio-data:
   clickhouse-data:
   clickhouse-logs:
-  prometheus-data:
-  grafana-data:
 
 networks:
   app_network:
@@ -16,7 +23,7 @@ networks:
 
 services:
   database:
-    container_name: database
+    container_name: ${CONTAINER_PREFIX:-}database
     build:
       context: .
       dockerfile: Dockerfile.postgres
@@ -30,7 +37,7 @@ services:
     networks:
       - app_network
     ports:
-      - 5432:5432
+      - "${POSTGRES_HOST_PORT:-5432}:5432"
     command:
       - -c
       - listen_addresses=*
@@ -38,23 +45,74 @@ services:
       - wal_level=logical
       - -c
       - shared_preload_libraries=pg_partman_bgw
+      # The webapp opens ~50 pooled connections per instance and Electric another
+      # ~40, so the default 100 is exhausted by one webapp + Electric alone. Raise
+      # it so multiple instances / load tests have headroom.
+      - -c
+      - max_connections=500
+
+  # Opt-in streaming read replica with configurable apply lag — a dial-a-lag rig for
+  # testing replica-race behavior (e.g. the realtime read-your-writes gate) locally.
+  # Start with: COMPOSE_PROFILES=replica pnpm run docker
+  # One-time primary prep (allows replication connections; additive, survives restarts):
+  #   docker exec database bash -c 'grep -q "host replication" "$PGDATA/pg_hba.conf" || echo "host replication all all md5" >> "$PGDATA/pg_hba.conf"'
+  #   docker exec database psql -U postgres -c "SELECT pg_reload_conf()"
+  # Then point the webapp at it: DATABASE_READ_REPLICA_URL=postgresql://postgres:postgres@localhost:5433/postgres
+  # Tune the lag via REPLICA_APPLY_DELAY (e.g. 150ms, 2s). Wipe database-replica-data to re-init.
+  database-replica:
+    container_name: ${CONTAINER_PREFIX:-}database-replica
+    profiles: ["replica"]
+    build:
+      context: .
+      dockerfile: Dockerfile.postgres
+    restart: always
+    depends_on:
+      - database
+    volumes:
+      - ${DB_REPLICA_VOLUME:-database-replica-data}:/var/lib/postgresql/data/
+    environment:
+      PGPASSWORD: postgres
+      REPLICA_APPLY_DELAY: ${REPLICA_APPLY_DELAY:-150ms}
+    networks:
+      - app_network
+    ports:
+      - "${POSTGRES_REPLICA_HOST_PORT:-5433}:5432"
+    entrypoint: ["bash", "-c"]
+    command:
+      - |
+        set -e
+        if [ ! -s "$$PGDATA/PG_VERSION" ]; then
+          echo "initializing streaming replica from 'database'..."
+          mkdir -p "$$PGDATA"
+          chown postgres:postgres "$$PGDATA"
+          chmod 0700 "$$PGDATA"
+          until gosu postgres pg_basebackup -h database -U postgres -D "$$PGDATA" -Fp -Xs -R; do
+            echo "primary not ready for replication (did you run the one-time pg_hba prep above?); retrying..."
+            rm -rf "$$PGDATA"/* 2>/dev/null || true
+            sleep 2
+          done
+        fi
+        # max_connections must be >= the primary's (hot-standby requirement).
+        exec docker-entrypoint.sh postgres -c hot_standby=on -c max_connections=500 -c "recovery_min_apply_delay=$$REPLICA_APPLY_DELAY"
 
   redis:
-    container_name: redis
-    image: redis:7
+    container_name: ${CONTAINER_PREFIX:-}redis
+    image: redis:7@sha256:3e1b24a1a8f24ff926b15e5ace8c38a03e5657fb66e1fc7e5188e315aa5fa094
     restart: always
     volumes:
       - redis-data:/data
     networks:
       - app_network
     ports:
-      - 6379:6379
+      - "${REDIS_HOST_PORT:-6379}:6379"
 
-  # S3-compatible API for local object store (large payloads / packet offload).
-  # Host :9005 = S3 API, :9006 = web console (ClickHouse uses host :9000).
+  # S3-compatible API for the local object store (large payloads / packet
+  # offload). Host :${MINIO_API_HOST_PORT:-9005} = S3 API,
+  # host :${MINIO_CONSOLE_HOST_PORT:-9006} = web console. The webapp only
+  # routes to it when the OBJECT_STORE_* env vars are set (see .env.example).
   minio:
-    container_name: minio
-    image: minio/minio:latest
+    container_name: ${CONTAINER_PREFIX:-}minio
+    image: minio/minio:latest@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
     restart: always
     command: server /data --console-address ":9001"
     environment:
@@ -63,8 +121,8 @@ services:
     volumes:
       - minio-data:/data
     ports:
-      - "9005:9000"
-      - "9006:9001"
+      - "${MINIO_API_HOST_PORT:-9005}:9000"
+      - "${MINIO_CONSOLE_HOST_PORT:-9006}:9001"
     networks:
       - app_network
     healthcheck:
@@ -75,7 +133,7 @@ services:
       start_period: 5s
 
   minio-init:
-    image: minio/mc:latest
+    image: minio/mc:latest@sha256:a7fe349ef4bd8521fb8497f55c6042871b2ae640607cf99d9bede5e9bdf11727
     depends_on:
       minio:
         condition: service_healthy
@@ -90,7 +148,7 @@ services:
     restart: "no"
 
   electric:
-    container_name: electric
+    container_name: ${CONTAINER_PREFIX:-}electric
     image: electricsql/electric:1.2.4@sha256:20da3d0b0e74926c5623392db67fd56698b9e374c4aeb6cb5cadeb8fea171c36
     restart: always
     environment:
@@ -100,29 +158,14 @@ services:
     networks:
       - app_network
     ports:
-      - "3060:3000"
-    depends_on:
-      - database
-
-  electric-shard-1:
-    container_name: electric-shard-1
-    image: electricsql/electric:1.2.4@sha256:20da3d0b0e74926c5623392db67fd56698b9e374c4aeb6cb5cadeb8fea171c36
-    restart: always
-    environment:
-      DATABASE_URL: postgresql://postgres:postgres@database:5432/postgres?sslmode=disable
-      ELECTRIC_INSECURE: true
-      ELECTRIC_REPLICATION_STREAM_ID: "triggershard1"
-    networks:
-      - app_network
-    ports:
-      - "3061:3000"
+      - "${ELECTRIC_HOST_PORT:-3060}:3000"
     depends_on:
       - database
 
   clickhouse:
-    image: clickhouse/clickhouse-server:25.6.2
+    image: clickhouse/clickhouse-server:25.6.2@sha256:97f0fe0f8729569e8c9d11069acee23abadeade4889f56ca3dc3df069f28cb85
     restart: always
-    container_name: clickhouse
+    container_name: ${CONTAINER_PREFIX:-}clickhouse
     ulimits:
       nofile:
         soft: 262144
@@ -132,11 +175,12 @@ services:
       CLICKHOUSE_PASSWORD: password
       CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: 1
     ports:
-      - "8123:8123"
-      - "9000:9000"
+      - "${CLICKHOUSE_HTTP_HOST_PORT:-8123}:8123"
+      - "${CLICKHOUSE_TCP_HOST_PORT:-9000}:9000"
     volumes:
       - clickhouse-data:/var/lib/clickhouse
       - clickhouse-logs:/var/log/clickhouse-server
+      - ./config/clickhouse-disable-system-logs.xml:/etc/clickhouse-server/config.d/disable-system-logs.xml:ro
     networks:
       - app_network
     healthcheck:
@@ -171,102 +215,16 @@ services:
       - app_network
     command: ["goose", "${GOOSE_COMMAND:-up}"]
 
-  ch-ui:
-    image: ghcr.io/caioricciuti/ch-ui:latest
-    restart: always
-    ports:
-      - "5521:5521"
-    environment:
-      VITE_CLICKHOUSE_URL: "http://localhost:8123"
-      VITE_CLICKHOUSE_USER: "default"
-      VITE_CLICKHOUSE_PASS: "password"
-    networks:
-      - app_network
-
+  # s2-lite: open-source S2 (https://s2.dev) for local realtime streams v2.
+  # The image is distroless (no shell), so a `wget` / `curl` healthcheck
+  # always reports unhealthy even when the API is responding. No other
+  # service depends on this one, so the healthcheck is omitted.
   s2:
-    image: ghcr.io/s2-streamstore/s2
+    image: ghcr.io/s2-streamstore/s2:latest@sha256:d6ded5ca7dd619fa7c946f06e39a98f9c95c6883c8bb884e5eaa129f232c920c
     command: ["lite", "--init-file", "/s2-spec.json"]
     volumes:
       - ./config/s2-spec.json:/s2-spec.json:ro
     ports:
-      - "4566:80"
+      - "${S2_HOST_PORT:-4566}:80"
     networks:
       - app_network
-    healthcheck:
-      test: ["CMD-SHELL", "wget -qO- http://localhost:80/v1/basins?limit=1 || exit 1"]
-      interval: 2s
-      timeout: 3s
-      retries: 5
-      start_period: 3s
-
-  toxiproxy:
-    container_name: toxiproxy
-    image: ghcr.io/shopify/toxiproxy:latest
-    restart: always
-    volumes:
-      - ./config/toxiproxy.json:/config/toxiproxy.json
-    ports:
-      - "30303:30303" # Proxied webapp port
-      - "8474:8474" # Toxiproxy API port
-    networks:
-      - app_network
-    command: ["-host", "0.0.0.0", "-config", "/config/toxiproxy.json"]
-
-  nginx-h2:
-    image: nginx:1.27
-    container_name: nginx-h2
-    restart: unless-stopped
-    ports:
-      - "8443:8443"
-    volumes:
-      - ./config/nginx.conf:/etc/nginx/nginx.conf:ro
-      - ./config/certs:/etc/nginx/certs:ro
-
-  # Observability stack for local development
-  otel-collector:
-    container_name: otel-collector
-    image: otel/opentelemetry-collector-contrib:0.96.0
-    restart: always
-    command: ["--config", "/etc/otel-collector-config.yaml"]
-    volumes:
-      - ./config/otel-collector-config.yaml:/etc/otel-collector-config.yaml:ro
-    ports:
-      - "4317:4317" # OTLP gRPC receiver
-      - "4318:4318" # OTLP HTTP receiver
-      - "8889:8889" # Prometheus exporter
-    networks:
-      - app_network
-
-  prometheus:
-    container_name: prometheus
-    image: prom/prometheus:v2.54.1
-    restart: always
-    volumes:
-      - ./config/prometheus.yml:/etc/prometheus/prometheus.yml:ro
-      - prometheus-data:/prometheus
-    ports:
-      - "9090:9090"
-    networks:
-      - app_network
-    command:
-      - "--config.file=/etc/prometheus/prometheus.yml"
-      - "--storage.tsdb.path=/prometheus"
-      - "--web.enable-lifecycle"
-
-  grafana:
-    container_name: grafana
-    image: grafana/grafana:11.3.0
-    restart: always
-    volumes:
-      - grafana-data:/var/lib/grafana
-      - ./config/grafana/provisioning:/etc/grafana/provisioning:ro
-    ports:
-      - "3001:3000"
-    environment:
-      GF_SECURITY_ADMIN_USER: admin
-      GF_SECURITY_ADMIN_PASSWORD: admin
-      GF_USERS_ALLOW_SIGN_UP: false
-    networks:
-      - app_network
-    depends_on:
-      - prometheus
diff --git a/docs/ai-chat/actions.mdx b/docs/ai-chat/actions.mdx
new file mode 100644
index 00000000000..e6b894a3059
--- /dev/null
+++ b/docs/ai-chat/actions.mdx
@@ -0,0 +1,115 @@
+---
+title: "Actions"
+sidebarTitle: "Actions"
+description: "Custom commands sent from the frontend that mutate chat state without consuming a turn — undo, rollback, edit, regenerate."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+## Overview
+
+Custom actions let the frontend send structured commands (undo, rollback, edit, regenerate) that modify the conversation state. **Actions are not turns**: they fire `hydrateMessages` (if set) and `onAction` only. No turn lifecycle hooks (`onTurnStart` / `prepareMessages` / `onBeforeTurnComplete` / `onTurnComplete`), no `run()`, no turn-counter increment. The trace span is named `chat action`.
+
+Actions wake the agent from suspension the same way a new message does, run their handler against the latest accumulator state, and emit a `trigger:turn-complete` chunk so the frontend's `useChat` knows the action has been applied.
+
+## Defining an action handler
+
+Define an `actionSchema` for validation and an `onAction` handler that uses [`chat.history`](/ai-chat/backend#chat-history) to modify state:
+
+```ts
+import { z } from "zod";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  actionSchema: z.discriminatedUnion("type", [
+    z.object({ type: z.literal("undo") }),
+    z.object({ type: z.literal("rollback"), targetMessageId: z.string() }),
+    z.object({ type: z.literal("edit"), messageId: z.string(), text: z.string() }),
+  ]),
+
+  onAction: async ({ action }) => {
+    switch (action.type) {
+      case "undo":
+        chat.history.slice(0, -2); // Remove last user + assistant exchange
+        break;
+      case "rollback":
+        chat.history.rollbackTo(action.targetMessageId);
+        break;
+      case "edit":
+        chat.history.replace(action.messageId, {
+          id: action.messageId,
+          role: "user",
+          parts: [{ type: "text", text: action.text }],
+        });
+        break;
+    }
+    // returning void → side-effect-only, no model call
+  },
+
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+**Lifecycle flow:** Wake → parse action against `actionSchema` → `hydrateMessages` (if set) → **`onAction`** → apply `chat.history` mutations → emit `trigger:turn-complete` → wait for next message.
+
+## Returning a model response from an action
+
+`onAction` can return a `StreamTextResult`, `string`, or `UIMessage` to produce a response. The returned stream is auto-piped to the frontend just like a normal turn, but the rest of the turn machinery (`onTurnStart`, `onTurnComplete`, etc.) still does not fire.
+
+```ts
+onAction: async ({ action, messages }) => {
+  if (action.type === "regenerate") {
+    chat.history.slice(0, -1); // drop the last assistant
+    return streamText({
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      stopWhen: stepCountIs(15),
+    });
+  }
+  // other actions return void → side-effect only
+}
+```
+
+This is useful for actions that both mutate state and want a fresh model response (regenerate-from-here, retry-with-different-style). Persistence is your responsibility inside `onAction` itself; you have access to the streamed response object.
+
+## Gating actions on HITL state
+
+If you have a [human-in-the-loop](/ai-chat/patterns/human-in-the-loop) tool waiting on `addToolOutput`, you usually want to refuse competing actions like `regenerate` until the answer arrives. [`chat.history.getPendingToolCalls()`](/ai-chat/backend#chat-history) gives you exactly that signal:
+
+```ts
+onAction: async ({ action, messages, signal }) => {
+  if (action.type === "regenerate") {
+    if (chat.history.getPendingToolCalls().length > 0) return; // gated
+    chat.history.slice(0, -1);
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  }
+},
+```
+
+## Sending actions from the frontend
+
+```ts
+// Browser — TriggerChatTransport
+const stream = await transport.sendAction(chatId, { type: "undo" });
+
+// Server — AgentChat
+const stream = await agentChat.sendAction({ type: "rollback", targetMessageId: "msg-3" });
+```
+
+The action payload is validated against `actionSchema` on the backend; invalid actions throw and surface as a stream error. The `action` parameter in `onAction` is fully typed from the schema.
+
+<Note>
+  For silent state changes that should never appear as a turn (e.g. injecting background context), use [`chat.inject()`](/ai-chat/background-injection) instead. Actions are explicit user-driven mutations; injections are agent-side context updates.
+</Note>
+
+## See also
+
+- [`chat.history`](/ai-chat/backend#chat-history) — the imperative API actions use to mutate state
+- [Sending actions from the frontend](/ai-chat/frontend#sending-actions) — `transport.sendAction` ergonomics
+- [`hydrateMessages`](/ai-chat/lifecycle-hooks#hydratemessages) — fires before `onAction` when set
+- [Branching conversations](/ai-chat/patterns/branching-conversations) — pairs action handlers with backend-controlled history
+- [Human-in-the-loop](/ai-chat/patterns/human-in-the-loop) — gating fresh actions while a tool is waiting
diff --git a/docs/ai-chat/backend.mdx b/docs/ai-chat/backend.mdx
new file mode 100644
index 00000000000..ccf86ef03b5
--- /dev/null
+++ b/docs/ai-chat/backend.mdx
@@ -0,0 +1,1027 @@
+---
+title: "Backend"
+sidebarTitle: "Backend"
+description: "Three approaches to building your chat backend — chat.agent(), session iterator, or raw task primitives."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+## chat.agent()
+
+The highest-level approach. Handles message accumulation, stop signals, turn lifecycle, and auto-piping automatically.
+
+### Simple: return a StreamTextResult
+
+Return the `streamText` result from `run` and it's automatically piped to the frontend:
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText, stepCountIs } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+
+export const simpleChat = chat.agent({
+  id: "simple-chat",
+  run: async ({ messages, signal }) => {
+    return streamText({
+      ...chat.toStreamTextOptions(), // prepareStep, system, telemetry (see note below)
+      model: anthropic("claude-sonnet-4-5"),
+      system: "You are a helpful assistant.",
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+<Warning>
+  **Always spread `chat.toStreamTextOptions()` first** (as above) so your explicit overrides win. It wires up the `prepareStep` callback behind [compaction](/ai-chat/compaction), [steering](/ai-chat/pending-messages), and [background injection](/ai-chat/background-injection), all of which silently no-op without it, and injects the system prompt from `chat.prompt()`, the resolved model (when you pass a `registry`), and telemetry metadata. Examples below keep the spread implicit for brevity, so include it in real code.
+</Warning>
+
+### Using chat.pipe() for complex flows
+
+For complex agent flows where `streamText` is called deep inside your code, use `chat.pipe()`. It works from **anywhere inside a task** — even nested function calls.
+
+```ts trigger/agent-chat.ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+import type { ModelMessage } from "ai";
+
+export const agentChat = chat.agent({
+  id: "agent-chat",
+  run: async ({ messages }) => {
+    // Don't return anything — chat.pipe is called inside
+    await runAgentLoop(messages);
+  },
+});
+
+async function runAgentLoop(messages: ModelMessage[]) {
+  // ... agent logic, tool calls, etc.
+
+  const result = streamText({
+    model: anthropic("claude-sonnet-4-5"),
+    messages,
+    stopWhen: stepCountIs(15),
+  });
+
+  // Pipe from anywhere — no need to return it
+  await chat.pipe(result);
+}
+```
+
+### Custom data parts
+
+Add custom `data-*` parts to the assistant's response message via `chat.response.write()` (from `run()`) or the `writer` parameter in lifecycle hooks. Non-transient `data-*` chunks are automatically added to `responseMessage.parts` and surface in `onTurnComplete` for persistence:
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  onBeforeTurnComplete: async ({ writer, turn }) => {
+    // This data part will be in responseMessage.parts in onTurnComplete
+    writer.write({
+      type: "data-metadata",
+      data: { turn, model: "gpt-4o", timestamp: Date.now() },
+    });
+  },
+  onTurnComplete: async ({ responseMessage }) => {
+    // responseMessage.parts includes the data-metadata part
+    await db.messages.save(responseMessage);
+  },
+  run: async ({ messages, signal }) => {
+    // Also works from run() via chat.response
+    chat.response.write({
+      type: "data-context",
+      data: { searchResults: results },
+    });
+
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+Add `transient: true` to data chunks that should stream to the frontend but NOT persist in the response message. Use this for progress indicators, loading states, and other temporary UI:
+
+```ts
+// Transient — frontend sees it, but NOT in onTurnComplete's responseMessage
+writer.write({
+  type: "data-progress",
+  id: "search",
+  data: { percent: 50 },
+  transient: true,
+});
+```
+
+<Info>
+  This matches the AI SDK's semantics: `data-*` chunks persist to `message.parts` by default. Only `transient: true` chunks are ephemeral. Non-data chunks (`text-delta`, `tool-*`, etc.) are handled by `streamText` and captured via `onFinish` — they don't need `chat.response`.
+</Info>
+
+<Note>
+  `chat.response` and the `writer` accumulation behavior work with `chat.agent` and `chat.createSession`. If you're using [`chat.customAgent`](#raw-task-with-primitives), you own the accumulator — see the raw-task example for the manual pattern.
+</Note>
+
+### Raw streaming with `chat.stream`
+
+For low-level stream access (piping from subtasks, reading streams by run ID), use `chat.stream`. Chunks written via `chat.stream` go directly to the realtime output — they are **NOT** accumulated into the response message regardless of the `transient` flag.
+
+```ts
+// Raw stream — always ephemeral, never in responseMessage
+const { waitUntilComplete } = chat.stream.writer({
+  execute: ({ write }) => {
+    write({ type: "data-status", data: { message: "Processing..." } });
+  },
+});
+await waitUntilComplete();
+```
+
+<Tip>
+  Use `data-*` chunk types (e.g. `data-status`, `data-progress`) for custom data. The AI SDK processes these into `DataUIPart` objects in `message.parts` on the frontend. Writing the same `type` + `id` again updates the existing part instead of creating a new one — useful for live progress.
+</Tip>
+
+`chat.stream` exposes the full stream API:
+
+| Method | Description |
+|--------|-------------|
+| `chat.stream.writer(options)` | Write individual chunks via a callback |
+| `chat.stream.pipe(stream, options?)` | Pipe a `ReadableStream` or `AsyncIterable` |
+| `chat.stream.append(value, options?)` | Append raw data |
+| `chat.stream.read(runId, options?)` | Read the stream by run ID |
+
+For piping streams from subtasks to the parent chat (via `target: "root"`), see the [Sub-agents pattern](/ai-chat/patterns/sub-agents).
+
+### Backed by a Session
+
+Every `chat.agent` conversation is backed by a durable [Session](/ai-chat/sessions): `externalId` is your `chatId`, `type` is `"chat.agent"`, and `taskIdentifier` is the agent's task ID. The session is the run manager. It owns the chat's runs, persists across run lifecycles, and orchestrates handoffs (idle continuation, `chat.requestUpgrade`). You rarely touch it directly, since `chat.stream`, `chat.messages`, and `chat.stopSignal` wrap everything, but `payload.sessionId` is there when you need to reach in, e.g. `sessions.open(payload.sessionId)` to write from a sub-agent or from outside the turn loop.
+
+### Tools
+
+Declare your tools on the agent config, then read them back (typed) from the `run()` payload. Declaring them on the config, not just on `streamText`, is what lets the SDK re-apply each tool's `toModelOutput` when it re-converts history on later turns.
+
+```ts
+const tools = { searchDocs };
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  tools,
+  run: async ({ messages, tools, signal }) =>
+    streamText({
+      ...chat.toStreamTextOptions({ tools }),
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    }),
+});
+```
+
+See [Tools](/ai-chat/tools) for `toModelOutput` across turns, per-turn dynamic tools, the typed run payload, and how config tools relate to skills.
+
+### Lifecycle hooks
+
+`chat.agent({ ... })` accepts hooks that fire in a fixed order around each turn, plus dedicated suspend/resume hooks. The full reference lives on its own page:
+
+- [Lifecycle hooks](/ai-chat/lifecycle-hooks) — `onPreload`, `onChatStart`, `onValidateMessages`, `hydrateMessages`, `onTurnStart`, `onBeforeTurnComplete`, `onTurnComplete`, `onChatSuspend` / `onChatResume`, `exitAfterPreloadIdle`, plus how `ctx` plumbs through every callback.
+
+**Per-turn order:** `onValidateMessages` → `hydrateMessages` → `onChatStart` (chat's first message only) → `onTurnStart` → `run()` → `onBeforeTurnComplete` → `onTurnComplete`.
+
+### Using prompts
+
+Use [AI Prompts](/ai/prompts) to manage your system prompt as versioned, overridable config. Store the resolved prompt in a lifecycle hook with `chat.prompt.set()`, then spread `chat.toStreamTextOptions()` into `streamText` — it includes the system prompt, model, config, and telemetry automatically.
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { prompts } from "@trigger.dev/sdk";
+import { streamText, createProviderRegistry } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+import { z } from "zod";
+
+const registry = createProviderRegistry({ anthropic });
+
+const systemPrompt = prompts.define({
+  id: "my-chat-system",
+  model: "anthropic:claude-sonnet-4-5",
+  config: { temperature: 0.7 },
+  variables: z.object({ name: z.string() }),
+  content: `You are a helpful assistant for {{name}}.`,
+});
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  clientDataSchema: z.object({ userId: z.string() }),
+  onChatStart: async ({ clientData }) => {
+    const user = await db.user.findUnique({ where: { id: clientData.userId } });
+    const resolved = await systemPrompt.resolve({ name: user.name });
+    chat.prompt.set(resolved);
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({
+      ...chat.toStreamTextOptions({ registry }), // system, model, config, telemetry
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+`chat.toStreamTextOptions()` returns an object with `system`, `model` (resolved via the registry), `temperature`, and `experimental_telemetry` — all from the stored prompt. Properties you set after the spread (like a client-selected model) take precedence.
+
+**Which form to call:**
+
+| Form | Use when |
+|---|---|
+| `chat.toStreamTextOptions()` | Default. Wires up `prepareStep` (compaction, steering, background injection), the stored prompt's `system` / `model` / `config`, and telemetry metadata. |
+| `chat.toStreamTextOptions({ registry })` | You're using [Prompts](/ai/prompts) with a provider-prefixed model string (e.g. `"anthropic:claude-sonnet-4-5"`). The registry resolves the prefix to a real model instance via `createProviderRegistry({ anthropic, openai, ... })`. |
+| `chat.toStreamTextOptions({ tools })` | You want HITL tool approvals — pass the same `tools` object you give to `streamText`. The SDK then knows which tool calls need to pause on `needsApproval: true`. |
+| `chat.toStreamTextOptions({ registry, tools })` | Both of the above. |
+
+<Tip>
+  See [Prompts](/ai/prompts) for the full guide — defining templates, variable schemas, dashboard
+  overrides, and the management SDK.
+</Tip>
+
+### Stop generation
+
+#### How stop works
+
+Calling `stop()` from `useChat` sends a stop signal to the running task via input streams. The task's `streamText` call aborts (if you passed `signal` or `stopSignal`), but the **run stays alive** and waits for the next message. The partial response is captured and accumulated normally.
+
+#### Abort signals
+
+The `run` function receives three abort signals:
+
+| Signal         | Fires when                                  | Use for                                                                |
+| -------------- | ------------------------------------------- | ---------------------------------------------------------------------- |
+| `signal`       | Stop **or** cancel                          | Pass to `streamText` — handles both cases. **Use this in most cases.** |
+| `stopSignal`   | Stop only (per-turn, reset each turn)       | Custom logic that should only run on user stop, not cancellation       |
+| `cancelSignal` | Run cancel, expire, or maxDuration exceeded | Cleanup that should only happen on full cancellation                   |
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  run: async ({ messages, signal, stopSignal, cancelSignal }) => {
+    return streamText({
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      abortSignal: signal, // Handles both stop and cancel
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+<Tip>
+  Use `signal` (the combined signal) in most cases. The separate `stopSignal` and `cancelSignal` are
+  only needed if you want different behavior for stop vs cancel.
+</Tip>
+
+#### Detecting stop in callbacks
+
+The `onTurnComplete` event includes a `stopped` boolean that indicates whether the user stopped generation during that turn:
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  onTurnComplete: async ({ chatId, uiMessages, stopped }) => {
+    await db.chat.update({
+      where: { id: chatId },
+      data: { messages: uiMessages, lastStoppedAt: stopped ? new Date() : undefined },
+    });
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+You can also check stop status from **anywhere** during a turn using `chat.isStopped()`. This is useful inside `streamText`'s `onFinish` callback where the AI SDK's `isAborted` flag can be unreliable (e.g. when using `createUIMessageStream` + `writer.merge()`):
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText } from "ai";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  run: async ({ messages, signal }) => {
+    return streamText({
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      abortSignal: signal,
+      onFinish: ({ isAborted }) => {
+        // isAborted may be false even after stop when using createUIMessageStream
+        const wasStopped = isAborted || chat.isStopped();
+        if (wasStopped) {
+          // handle stop — e.g. log analytics
+        }
+      },
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+#### Cleaning up aborted messages
+
+When stop happens mid-stream, the captured response message can contain parts in an incomplete state — tool calls stuck in `partial-call`, reasoning blocks still marked as `streaming`, etc. These can cause UI issues like permanent spinners.
+
+`chat.agent` automatically cleans up the `responseMessage` when stop is detected before passing it to `onTurnComplete`. If you use `chat.pipe()` manually and capture response messages yourself, use `chat.cleanupAbortedParts()`:
+
+```ts
+const cleaned = chat.cleanupAbortedParts(rawResponseMessage);
+```
+
+This removes tool invocation parts stuck in `partial-call` state and marks any `streaming` text or reasoning parts as `done`.
+
+<Note>
+  Stop signal delivery is best-effort. There is a small race window where the model may finish
+  before the stop signal arrives, in which case the turn completes normally with `stopped: false`.
+  This is expected and does not require special handling.
+</Note>
+
+### Tool approvals
+
+Tools with `needsApproval: true` pause execution until the user approves or denies via the frontend. Define the tool as normal and pass it to `streamText` — `chat.agent` handles the rest:
+
+```ts
+const sendEmail = tool({
+  description: "Send an email. Requires human approval.",
+  inputSchema: z.object({ to: z.string(), subject: z.string(), body: z.string() }),
+  needsApproval: true,
+  execute: async ({ to, subject, body }) => {
+    await emailService.send({ to, subject, body });
+    return { sent: true };
+  },
+});
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  run: async ({ messages, signal }) => {
+    return streamText({
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      tools: { sendEmail },
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+When the model calls an approval-required tool, the turn completes with the tool in `approval-requested` state. After the user approves on the frontend, the updated message is sent back and `chat.agent` replaces it in the conversation accumulator by matching the message ID. `streamText` then executes the approved tool and continues.
+
+See [Tool approvals](/ai-chat/frontend#tool-approvals) in the frontend docs for the UI setup.
+
+### Persistence
+
+To build a chat app that survives page refreshes you persist two things, both server-side from inside the agent:
+
+1. **Conversation state.** Full `UIMessage[]` keyed by `chatId`. Written from `onTurnStart` (so the user message is durable before streaming begins) and `onTurnComplete` (so the assistant reply lands).
+2. **Session state.** The transport's reconnect metadata: `publicAccessToken` and `lastEventId`. Written alongside the messages from the same hooks.
+
+<Note>
+  Sessions let the transport reconnect to an existing run after a page refresh. Without them, every page load would start a new run, losing the conversation context that was accumulated in the previous run.
+</Note>
+
+For the full per-hook breakdown, race-condition warnings (atomic `lastEventId` writes, why not to use `chat.defer` in `onTurnStart`), token renewal via the `accessToken` callback, and an end-to-end three-file example, see [Database persistence](/ai-chat/patterns/database-persistence).
+
+### Pending messages (steering)
+
+Users can send messages while the agent is executing tool calls. With `pendingMessages`, these messages are injected between tool-call steps, steering the agent mid-execution:
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  pendingMessages: {
+    shouldInject: ({ steps }) => steps.length > 0,
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({
+      ...chat.toStreamTextOptions({ registry }),
+      messages,
+      tools: {
+        /* ... */
+      },
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+On the frontend, the `usePendingMessages` hook handles sending, tracking, and rendering injection points.
+
+<Tip>
+  See [Pending Messages](/ai-chat/pending-messages) for the full guide — backend configuration,
+  frontend hook, queuing vs steering, and how injection works with all three chat variants.
+</Tip>
+
+### Background injection
+
+Inject context from background work into the conversation using `chat.inject()`. Combine with `chat.defer()` to run analysis between turns and inject results before the next response — self-review, RAG augmentation, safety checks, etc.
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  onTurnComplete: async ({ messages }) => {
+    chat.defer(
+      (async () => {
+        const review = await generateObject({
+          /* ... */
+        });
+        if (review.object.needsImprovement) {
+          chat.inject([
+            {
+              role: "system",
+              content: `[Self-review]\n${review.object.suggestions.join("\n")}`,
+            },
+          ]);
+        }
+      })()
+    );
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ ...chat.toStreamTextOptions({ registry }), messages, abortSignal: signal });
+  },
+});
+```
+
+<Tip>
+  See [Background Injection](/ai-chat/background-injection) for the full guide — timing, self-review
+  example, and how it differs from pending messages.
+</Tip>
+
+### Actions
+
+Custom actions let the frontend send structured commands (undo, rollback, edit, regenerate) that modify the conversation state. **Actions are not turns**: they fire `hydrateMessages` (if set) and `onAction` only. The full surface (defining `actionSchema`, returning a model response from `onAction`, gating against pending HITL tool calls, and sending actions from the frontend) lives on its own page.
+
+See [Actions](/ai-chat/actions).
+
+### Chat history
+
+Imperative API for reading and modifying the accumulated message history. Works from any hook (`onAction`, `onTurnStart`, `onBeforeTurnComplete`, `onTurnComplete`, `hydrateMessages`) or from `run()` and AI SDK tools.
+
+<Note>
+  The agent's accumulator — not `session.out` — is the source of truth for the full conversation. The `.out` stream is a bounded sliding window (roughly one turn at steady state, see [Records on `session.out`](/ai-chat/client-protocol#records-on-session-out)); the durable history lives in the agent's accumulator and is persisted to S3 between turns for fast next-run boots. `chat.history` reads and mutates that accumulator directly.
+</Note>
+
+**Reads.** Synchronous against the current accumulator state.
+
+| Method | Description |
+|--------|-------------|
+| `chat.history.all()` | Returns a copy of the current accumulated UI messages. |
+| `chat.history.getChain()` | Same as `all()`. Use whichever name reads better in context. |
+| `chat.history.findMessage(messageId)` | Returns the message with that id, or `undefined`. |
+| `chat.history.getPendingToolCalls()` | Tool calls on the most recent assistant message that are still in `input-available` state (waiting on `addToolOutput`). |
+| `chat.history.getResolvedToolCalls()` | All tool calls in the chain in `output-available` or `output-error` state. |
+| `chat.history.extractNewToolResults(message)` | Tool results in `message` whose `toolCallId` is not already resolved in the chain. Most useful in `hydrateMessages` against an incoming wire message, before the runtime merges it. |
+
+Each pending and resolved entry is shaped `{ toolCallId, toolName, messageId }`. Each new-result entry is `{ toolCallId, toolName, output, errorText? }`, where `errorText` is set only for `output-error` parts.
+
+**Mutations.** Applied at lifecycle checkpoints (after hooks return). Multiple mutations in the same hook compose correctly.
+
+| Method | Description |
+|--------|-------------|
+| `chat.history.set(messages)` | Replace all messages. Same as `chat.setMessages()`. |
+| `chat.history.remove(messageId)` | Remove a specific message by ID. |
+| `chat.history.rollbackTo(messageId)` | Keep messages up to and including the given ID (undo). |
+| `chat.history.replace(messageId, message)` | Replace a specific message by ID (edit). |
+| `chat.history.slice(start, end?)` | Keep only messages in the given range. |
+
+```ts
+// Undo the last exchange in onAction
+onAction: async ({ action }) => {
+  if (action.type === "undo") {
+    chat.history.slice(0, -2);
+  }
+},
+
+// Trim history in onTurnComplete
+onTurnComplete: async ({ uiMessages }) => {
+  if (uiMessages.length > 50) {
+    chat.history.slice(-20);
+  }
+},
+```
+
+The HITL reads let an action or hook decide what to do without walking the accumulator manually:
+
+```ts
+// Refuse a regenerate while a tool call is still awaiting an answer
+onAction: async ({ action }) => {
+  if (action.type === "regenerate") {
+    if (chat.history.getPendingToolCalls().length > 0) return;
+    chat.history.slice(0, -1);
+  }
+},
+
+// Side-effect once per net-new tool result when wire messages come in
+hydrateMessages: async ({ incomingMessages }) => {
+  for (const msg of incomingMessages) {
+    for (const r of chat.history.extractNewToolResults(msg)) {
+      await onToolResolved({ id: r.toolCallId, output: r.output, errorText: r.errorText });
+    }
+  }
+  return incomingMessages;
+},
+```
+
+`extractNewToolResults` compares against the *current* chain. Inside `onTurnComplete`, the chain already contains the just-finished `responseMessage`, so it returns `[]`. Use it where the message is from outside the accumulator: `hydrateMessages` (incoming wire), `onAction` if the action carries a message, or any custom pre-merge code path.
+
+### prepareMessages
+
+Transform model messages before they're used anywhere — in `run()`, in compaction rebuilds, and in compaction results. Define once, applied everywhere.
+
+Use this for Anthropic cache breaks, injecting system context, stripping PII, etc.
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  prepareMessages: ({ messages, reason }) => {
+    // Add Anthropic cache breaks to the last message
+    if (messages.length === 0) return messages;
+    const last = messages[messages.length - 1];
+    return [
+      ...messages.slice(0, -1),
+      {
+        ...last,
+        providerOptions: {
+          ...last.providerOptions,
+          anthropic: { cacheControl: { type: "ephemeral" } },
+        },
+      },
+    ];
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+The `reason` field tells you why messages are being prepared:
+
+| Reason                 | Description                                       |
+| ---------------------- | ------------------------------------------------- |
+| `"run"`                | Messages being passed to `run()` for `streamText` |
+| `"compaction-rebuild"` | Rebuilding from a previous compaction summary     |
+| `"compaction-result"`  | Fresh compaction just produced these messages     |
+
+### Version upgrades
+
+Chat agent runs are pinned to the worker version they started on. When you deploy a new version, suspended runs resume on the old code. Call `chat.requestUpgrade()` in `onTurnStart` to skip `run()` and exit immediately — the transport re-triggers the same message on the latest version. See the [Version Upgrades pattern](/ai-chat/patterns/version-upgrades) for the full guide.
+
+### Ending a run on your terms
+
+By default, a chat agent stays idle after each turn waiting for the next user message. Call `chat.endRun()` from `run()`, `chat.defer()`, `onBeforeTurnComplete`, or `onTurnComplete` to exit the loop once the current turn finishes — no upgrade signal, no idle wait.
+
+```ts
+chat.agent({
+  id: "one-shot",
+  run: async ({ messages, signal }) => {
+    // Single-response agent — exit after this turn.
+    chat.endRun();
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+The current turn streams through normally, `onBeforeTurnComplete` / `onTurnComplete` fire, the turn-complete chunk is written, and the run exits instead of suspending. The next user message on the same `chatId` starts a fresh run via the standard continuation flow.
+
+Use this when the agent knows its work is done (budget exhausted, goal achieved, one-shot response) rather than relying on the idle timeout. Unlike `chat.requestUpgrade()`, no `upgrade-required` signal is sent to the client, so there's no version-migration semantics.
+
+<Warning>
+  If you persist `lastEventId` to your own storage for cross-page-load resume, **don't clear it on `chat.endRun()`**. The cursor is sessionId-keyed and stays valid across Run boundaries — clearing it forces the next `sendMessages` to subscribe from `seq_num=0`, where it may hit the prior turn's stale `turn-complete` record and close the stream empty before the new Run's chunks arrive.
+</Warning>
+
+### Runtime configuration
+
+#### chat.setTurnTimeout()
+
+Override how long the run stays suspended waiting for the next message. Call from inside `run()`:
+
+```ts
+run: async ({ messages, signal }) => {
+  chat.setTurnTimeout("2h"); // Wait longer for this conversation
+  return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+},
+```
+
+#### chat.setIdleTimeoutInSeconds()
+
+Override how long the run stays idle (active, using compute) after each turn:
+
+```ts
+run: async ({ messages, signal }) => {
+  chat.setIdleTimeoutInSeconds(60); // Stay idle for 1 minute
+  return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+},
+```
+
+<Info>
+  Longer idle timeout means faster responses but more compute usage. Set to `0` to suspend
+  immediately after each turn (minimum latency cost, slight delay on next message).
+</Info>
+
+#### Stream options
+
+Control how `streamText` results are converted to the frontend stream via `toUIMessageStream()`. Set static defaults on the task, or override per-turn.
+
+##### Error handling with onError
+
+When `streamText` encounters an error mid-stream (rate limits, API failures, network errors), the `onError` callback converts it to a string that's sent to the frontend as an `{ type: "error", errorText }` chunk. The AI SDK's `useChat` receives this via its `onError` callback.
+
+By default, the raw error message is sent to the frontend. Use `onError` to sanitize errors and avoid leaking internal details:
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  uiMessageStreamOptions: {
+    onError: (error) => {
+      // Log the full error server-side for debugging
+      console.error("Stream error:", error);
+      // Return a sanitized message — this is what the frontend sees
+      if (error instanceof Error && error.message.includes("rate limit")) {
+        return "Rate limited — please wait a moment and try again.";
+      }
+      return "Something went wrong. Please try again.";
+    },
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+`onError` is also called for tool execution errors, so a single handler covers both LLM errors and tool failures.
+
+On the frontend, handle the error in `useChat`:
+
+```tsx
+const { messages, sendMessage } = useChat({
+  transport,
+  onError: (error) => {
+    // error.message contains the string returned by your onError handler
+    toast.error(error.message);
+  },
+});
+```
+
+##### Reasoning and sources
+
+Control which AI SDK features are forwarded to the frontend:
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  uiMessageStreamOptions: {
+    sendReasoning: true, // Forward model reasoning (default: true)
+    sendSources: true, // Forward source citations (default: false)
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+##### Custom message IDs
+
+By default, response message IDs are generated using the AI SDK's built-in `generateId`. Pass a custom `generateMessageId` function to use your own ID format (e.g. UUID-v7):
+
+```ts
+import { v7 as uuidv7 } from "uuid";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  uiMessageStreamOptions: {
+    generateMessageId: () => uuidv7(),
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+With the `.withUIMessage()` builder, set it under `streamOptions`:
+
+```ts
+import { v7 as uuidv7 } from "uuid";
+
+export const myChat = chat
+  .withUIMessage<MyChatUIMessage>({
+    streamOptions: {
+      generateMessageId: () => uuidv7(),
+      sendReasoning: true,
+    },
+  })
+  .agent({
+    id: "my-chat",
+    run: async ({ messages, signal }) => {
+      return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+    },
+  });
+```
+
+<Info>
+  The generated ID is sent to the frontend in the stream's `start` chunk, so frontend and backend
+  always reference the same ID for each message. This is important for features like tool
+  approvals, where the frontend resends an assistant message and the backend needs to match it
+  by ID in the conversation accumulator.
+</Info>
+
+##### Per-turn overrides
+
+Override per-turn with `chat.setUIMessageStreamOptions()` — per-turn values merge with the static config (per-turn wins on conflicts). The override is cleared automatically after each turn.
+
+```ts
+run: async ({ messages, clientData, signal }) => {
+  // Enable reasoning only for certain models
+  if (clientData.model?.includes("claude")) {
+    chat.setUIMessageStreamOptions({ sendReasoning: true });
+  }
+  return streamText({ model: openai(clientData.model ?? "gpt-4o"), messages, abortSignal: signal });
+},
+```
+
+`chat.setUIMessageStreamOptions()` works across all abstraction levels — `chat.agent()`, `chat.createSession()` / `turn.complete()`, and `chat.pipeAndCapture()`.
+
+See [ChatUIMessageStreamOptions](/ai-chat/reference#chatuimessagestreamoptions) for the full reference.
+
+<Note>
+  `onFinish` is managed internally for response capture and cannot be overridden here. Use
+  `streamText`'s `onFinish` callback for custom finish handling, or use [raw task
+  mode](#raw-task-with-primitives) for full control over `toUIMessageStream()`.
+</Note>
+
+### Manual mode with task()
+
+If you need full control over task options, use the standard `task()` with `ChatTaskPayload` and `chat.pipe()`:
+
+```ts
+import { task } from "@trigger.dev/sdk";
+import { chat, type ChatTaskPayload } from "@trigger.dev/sdk/ai";
+import { streamText } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+
+export const manualChat = task({
+  id: "manual-chat",
+  retry: { maxAttempts: 3 },
+  queue: { concurrencyLimit: 10 },
+  run: async (payload: ChatTaskPayload) => {
+    const result = streamText({
+      model: anthropic("claude-sonnet-4-5"),
+      messages: payload.messages,
+      stopWhen: stepCountIs(15),
+    });
+
+    await chat.pipe(result);
+  },
+});
+```
+
+<Warning>
+  Manual mode does not get automatic message accumulation or the `onTurnComplete`/`onChatStart`
+  lifecycle hooks. The `responseMessage` field in `onTurnComplete` will be `undefined` when using
+  `chat.pipe()` directly. Use `chat.agent()` for the full multi-turn experience.
+</Warning>
+
+---
+
+## chat.createSession()
+
+A middle ground between `chat.agent()` and raw primitives. You get an async iterator that yields `ChatTurn` objects — each turn handles stop signals, message accumulation, and turn-complete signaling automatically. You control initialization, model/tool selection, persistence, and any custom per-turn logic.
+
+Use `chat.createSession()` inside a standard `task()`:
+
+```ts
+import { task } from "@trigger.dev/sdk";
+import { chat, type ChatTaskWirePayload } from "@trigger.dev/sdk/ai";
+import { streamText } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+
+export const myChat = task({
+  id: "my-chat",
+  run: async (payload: ChatTaskWirePayload, { signal }) => {
+    // One-time initialization — just code, no hooks
+    const clientData = payload.metadata as { userId: string };
+    await db.chat.create({ data: { id: payload.chatId, userId: clientData.userId } });
+
+    const session = chat.createSession(payload, {
+      signal,
+      idleTimeoutInSeconds: 60,
+      timeout: "1h",
+    });
+
+    for await (const turn of session) {
+      const result = streamText({
+        model: anthropic("claude-sonnet-4-5"),
+        messages: turn.messages,
+        abortSignal: turn.signal,
+        stopWhen: stepCountIs(15),
+      });
+
+      // Pipe, capture, accumulate, and signal turn-complete — all in one call
+      await turn.complete(result);
+
+      // Persist after each turn
+      await db.chat.update({
+        where: { id: turn.chatId },
+        data: { messages: turn.uiMessages },
+      });
+    }
+  },
+});
+```
+
+### ChatSessionOptions
+
+| Option                 | Type          | Default  | Description                                 |
+| ---------------------- | ------------- | -------- | ------------------------------------------- |
+| `signal`               | `AbortSignal` | required | Run-level cancel signal (from task context) |
+| `idleTimeoutInSeconds` | `number`      | `30`     | Seconds to stay idle between turns          |
+| `timeout`              | `string`      | `"1h"`   | Duration string for suspend timeout         |
+| `maxTurns`             | `number`      | `100`    | Max turns before ending                     |
+
+### ChatTurn
+
+Each turn yielded by the iterator provides:
+
+| Field          | Type             | Description                                            |
+| -------------- | ---------------- | ------------------------------------------------------ |
+| `number`       | `number`         | Turn number (0-indexed)                                |
+| `chatId`       | `string`         | Chat session ID                                        |
+| `trigger`      | `string`         | What triggered this turn                               |
+| `clientData`   | `unknown`        | Client data from the transport                         |
+| `messages`     | `ModelMessage[]` | Full accumulated model messages — pass to `streamText` |
+| `uiMessages`   | `UIMessage[]`    | Full accumulated UI messages — use for persistence     |
+| `signal`       | `AbortSignal`    | Combined stop+cancel signal (fresh each turn)          |
+| `stopped`      | `boolean`        | Whether the user stopped generation this turn          |
+| `continuation` | `boolean`        | Whether this is a continuation run                     |
+
+| Method                       | Description                                                         |
+| ---------------------------- | ------------------------------------------------------------------- |
+| `turn.complete(source)`      | Pipe stream, capture response, accumulate, and signal turn-complete |
+| `turn.done()`                | Just signal turn-complete (when you've piped manually)              |
+| `turn.addResponse(response)` | Add a response to the accumulator manually                          |
+
+### turn.complete() vs manual control
+
+`turn.complete(result)` is the easy path — it handles piping, capturing the response, accumulating messages, cleaning up aborted parts, and writing the turn-complete chunk.
+
+For more control, you can do each step manually:
+
+```ts
+for await (const turn of session) {
+  const result = streamText({
+    model: anthropic("claude-sonnet-4-5"),
+    messages: turn.messages,
+    abortSignal: turn.signal,
+    stopWhen: stepCountIs(15),
+  });
+
+  // Manual: pipe and capture separately
+  const response = await chat.pipeAndCapture(result, { signal: turn.signal });
+
+  if (response) {
+    // Custom processing before accumulating
+    await turn.addResponse(response);
+  }
+
+  // Custom persistence, analytics, etc.
+  await db.chat.update({ ... });
+
+  // Must call done() when not using complete()
+  await turn.done();
+}
+```
+
+---
+
+## Raw task with primitives
+
+For full control, use a standard `task()` with the composable primitives from the `chat` namespace. You manage everything: the turn loop, stop signals, message accumulation, and turn-complete signaling.
+
+Raw task mode also lets you call `.toUIMessageStream()` yourself with any options — including `onFinish` and `originalMessages`. This is the right choice when you need complete control over the stream conversion beyond what `chat.setUIMessageStreamOptions()` provides.
+
+### Primitives
+
+| Primitive                       | Description                                                                                 |
+| ------------------------------- | ------------------------------------------------------------------------------------------- |
+| `chat.messages`                 | Input stream for incoming messages — use `.waitWithIdleTimeout()` to wait for the next turn |
+| `chat.createStopSignal()`       | Create a managed stop signal wired to the stop input stream                                 |
+| `chat.pipeAndCapture(result)`   | Pipe a `StreamTextResult` to the chat stream and capture the response                       |
+| `chat.writeTurnComplete()`      | Signal the frontend that the current turn is complete                                       |
+| `chat.MessageAccumulator`       | Accumulates conversation messages across turns                                              |
+| `chat.pipe(stream)`             | Pipe a stream to the frontend (no response capture)                                         |
+| `chat.cleanupAbortedParts(msg)` | Clean up incomplete parts from a stopped response                                           |
+
+### Example
+
+```ts
+import { task } from "@trigger.dev/sdk";
+import { chat, type ChatTaskWirePayload } from "@trigger.dev/sdk/ai";
+import { streamText } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+
+export const myChat = task({
+  id: "my-chat-raw",
+  run: async (payload: ChatTaskWirePayload, { signal: runSignal }) => {
+    let currentPayload = payload;
+
+    // Handle preload — wait for the first real message
+    if (currentPayload.trigger === "preload") {
+      const result = await chat.messages.waitWithIdleTimeout({
+        idleTimeoutInSeconds: 60,
+        timeout: "1h",
+        spanName: "waiting for first message",
+      });
+      if (!result.ok) return;
+      currentPayload = result.output;
+    }
+
+    const stop = chat.createStopSignal();
+    const conversation = new chat.MessageAccumulator();
+
+    for (let turn = 0; turn < 100; turn++) {
+      stop.reset();
+
+      const messages = await conversation.addIncoming(
+        currentPayload.messages,
+        currentPayload.trigger,
+        turn
+      );
+
+      const combinedSignal = AbortSignal.any([runSignal, stop.signal]);
+
+      const result = streamText({
+        model: anthropic("claude-sonnet-4-5"),
+        messages,
+        abortSignal: combinedSignal,
+        stopWhen: stepCountIs(15),
+      });
+
+      let response;
+      try {
+        response = await chat.pipeAndCapture(result, { signal: combinedSignal });
+      } catch (error) {
+        if (error instanceof Error && error.name === "AbortError") {
+          if (runSignal.aborted) break;
+          // Stop — fall through to accumulate partial
+        } else {
+          throw error;
+        }
+      }
+
+      if (response) {
+        const cleaned =
+          stop.signal.aborted && !runSignal.aborted ? chat.cleanupAbortedParts(response) : response;
+        await conversation.addResponse(cleaned);
+      }
+
+      if (runSignal.aborted) break;
+
+      // Persist, analytics, etc.
+      await db.chat.update({
+        where: { id: currentPayload.chatId },
+        data: { messages: conversation.uiMessages },
+      });
+
+      await chat.writeTurnComplete();
+
+      // Wait for the next message
+      const next = await chat.messages.waitWithIdleTimeout({
+        idleTimeoutInSeconds: 60,
+        timeout: "1h",
+        spanName: "waiting for next message",
+      });
+      if (!next.ok) break;
+      currentPayload = next.output;
+    }
+
+    stop.cleanup();
+  },
+});
+```
+
+### MessageAccumulator
+
+The `MessageAccumulator` handles the transport protocol automatically:
+
+- Turn 0: replaces messages (full history from frontend)
+- Subsequent turns: appends new messages (frontend only sends the new user message)
+- Regenerate: replaces messages (full history minus last assistant message)
+
+```ts
+const conversation = new chat.MessageAccumulator();
+
+// Returns full accumulated ModelMessage[] for streamText
+const messages = await conversation.addIncoming(payload.messages, payload.trigger, turn);
+
+// After piping, add the response
+const response = await chat.pipeAndCapture(result);
+if (response) await conversation.addResponse(response);
+
+// Access accumulated messages for persistence
+conversation.uiMessages; // UIMessage[]
+conversation.modelMessages; // ModelMessage[]
+```
diff --git a/docs/ai-chat/background-injection.mdx b/docs/ai-chat/background-injection.mdx
new file mode 100644
index 00000000000..567da627f16
--- /dev/null
+++ b/docs/ai-chat/background-injection.mdx
@@ -0,0 +1,221 @@
+---
+title: "Background injection"
+sidebarTitle: "Background injection"
+description: "Inject context from background work into the agent's conversation — self-review, RAG augmentation, or any async analysis."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+## Overview
+
+`chat.inject()` queues model messages for injection into the conversation. Messages are picked up at the start of the next turn or at the next `prepareStep` boundary (between tool-call steps).
+
+This is the backend counterpart to [pending messages](/ai-chat/pending-messages) — pending messages come from the user via the frontend, while `chat.inject()` comes from your task code.
+
+## Basic usage
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+
+// Queue a system message for injection
+chat.inject([
+  {
+    role: "system",
+    content: "The user's account was just upgraded to Pro.",
+  },
+]);
+```
+
+Messages are appended to the model messages before the next LLM inference call. The LLM sees them as part of the conversation context.
+
+## Common pattern: defer + inject
+
+The most powerful pattern combines `chat.defer()` (background work) with `chat.inject()` (inject results). Background work runs in parallel with the idle wait between turns, and results are injected before the next response.
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  onTurnComplete: async ({ messages }) => {
+    // Kick off background analysis — doesn't block the turn
+    chat.defer(
+      (async () => {
+        const analysis = await analyzeConversation(messages);
+        chat.inject([
+          {
+            role: "system",
+            content: `[Analysis of conversation so far]\n\n${analysis}`,
+          },
+        ]);
+      })()
+    );
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({
+      ...chat.toStreamTextOptions({ registry }),
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+### Timing
+
+1. Turn completes, `onTurnComplete` fires
+2. `chat.defer()` registers the background work
+3. The run immediately starts waiting for the next message (no blocking)
+4. Background work completes, `chat.inject()` queues the messages
+5. User sends next message, turn starts
+6. Injected messages are appended before `run()` executes
+7. The LLM sees the injected context alongside the new user message
+
+If the background work finishes *during* a tool-call loop (not between turns), the messages are picked up at the next `prepareStep` boundary instead.
+
+## Example: self-review
+
+A cheap model reviews the agent's response after each turn and injects coaching for the next one. Uses [Prompts](/ai/prompts) for the review prompt and `generateObject` for structured output.
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { prompts } from "@trigger.dev/sdk";
+import { streamText, generateObject, createProviderRegistry, stepCountIs } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+import { z } from "zod";
+
+const registry = createProviderRegistry({ anthropic });
+
+const selfReviewPrompt = prompts.define({
+  id: "self-review",
+  model: "anthropic:claude-haiku-4-5",
+  content: `You are a conversation quality reviewer. Analyze the assistant's most recent response.
+
+Focus on:
+- Whether the response answered the user's question
+- Missed opportunities to use tools or provide more detail
+- Tone mismatches
+
+Be concise. Only flag issues worth fixing.`,
+});
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  onTurnComplete: async ({ messages }) => {
+    chat.defer(
+      (async () => {
+        const resolved = await selfReviewPrompt.resolve({});
+
+        const review = await generateObject({
+          model: registry.languageModel(resolved.model ?? "anthropic:claude-haiku-4-5"),
+          ...resolved.toAISDKTelemetry(),
+          system: resolved.text,
+          prompt: messages
+            .filter((m) => m.role === "user" || m.role === "assistant")
+            .map((m) => {
+              const text =
+                typeof m.content === "string"
+                  ? m.content
+                  : Array.isArray(m.content)
+                    ? m.content
+                        .filter((p: any) => p.type === "text")
+                        .map((p: any) => p.text)
+                        .join("")
+                    : "";
+              return `${m.role}: ${text}`;
+            })
+            .join("\n\n"),
+          schema: z.object({
+            needsImprovement: z.boolean(),
+            suggestions: z.array(z.string()),
+          }),
+        });
+
+        if (review.object.needsImprovement) {
+          chat.inject([
+            {
+              role: "system",
+              content: `[Self-review]\n\n${review.object.suggestions.map((s) => `- ${s}`).join("\n")}\n\nApply these naturally.`,
+            },
+          ]);
+        }
+      })()
+    );
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({
+      ...chat.toStreamTextOptions({ registry }),
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+The self-review runs on `claude-haiku-4-5` (fast, cheap) in the background. If the user sends another message before it completes, the coaching is still injected — `chat.inject()` persists across the idle wait.
+
+## Other use cases
+
+- **RAG augmentation**: After each turn, fetch relevant documents and inject them as context for the next response
+- **Safety checks**: Run a moderation model on the response, inject warnings if issues are detected
+- **Fact-checking**: Verify claims in the response using search tools, inject corrections
+- **Context enrichment**: Look up user/account data based on what was discussed, inject it as system context
+
+## `chat.defer` standalone
+
+`chat.defer()` is also useful on its own, without `chat.inject()`. Any work whose timing has no resume implication — analytics, audit logs, search-index writes, cache warming — can run in parallel with streaming instead of in the critical path. All deferred promises are awaited (with a 5s timeout) before `onTurnComplete` fires.
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  onTurnStart: async ({ chatId, runId }) => {
+    // Analytics — fire-and-forget, irrelevant to resume.
+    chat.defer(analytics.track("turn_started", { chatId, runId }));
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+`chat.defer()` can be called from anywhere during a turn — hooks, `run()`, or nested helpers. All deferred promises are collected and awaited together before `onTurnComplete`.
+
+<Warning>
+**Don't use `chat.defer()` for the message-history write in `onTurnStart`.** That write must land *before* the model starts streaming, otherwise a mid-stream page refresh will read `[]` from your DB and lose the user's message from the rendered conversation. See [Database persistence — `onTurnStart`](/ai-chat/patterns/database-persistence#onturnstart). Reserve `chat.defer` for writes whose timing has no resume implication.
+</Warning>
+
+## How it differs from pending messages
+
+| | `chat.inject()` | [Pending messages](/ai-chat/pending-messages) |
+|---|---|---|
+| **Source** | Backend task code | Frontend user input |
+| **Triggered by** | Your code (e.g. `onTurnComplete` + `chat.defer()`) | User sending a message during streaming |
+| **Injection point** | Start of next turn, or next `prepareStep` boundary | Next `prepareStep` boundary only |
+| **Message role** | Any (`system`, `user`, `assistant`) | Typically `user` |
+| **Frontend visibility** | Not visible unless you write custom `data-*` chunks | Visible via `usePendingMessages` hook |
+
+## API reference
+
+### chat.inject()
+
+```ts
+chat.inject(messages: ModelMessage[]): void
+```
+
+Queue model messages for injection at the next opportunity. Messages persist across the idle wait between turns — they are not reset when a new turn starts.
+
+**Parameters:**
+
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `messages` | `ModelMessage[]` | Model messages to inject (from the `ai` package) |
+
+Messages are drained (consumed) when:
+1. A new turn starts — before `run()` executes
+2. A `prepareStep` boundary is reached — between tool-call steps during streaming
+
+<Note>
+  `chat.inject()` writes to an in-memory queue in the current process. It works from any code running in the same task — lifecycle hooks, deferred work, tool execute functions, etc. It does not work from subtasks or other runs.
+</Note>
diff --git a/docs/ai-chat/changelog.mdx b/docs/ai-chat/changelog.mdx
new file mode 100644
index 00000000000..6a88697e337
--- /dev/null
+++ b/docs/ai-chat/changelog.mdx
@@ -0,0 +1,784 @@
+---
+title: "Changelog"
+sidebarTitle: "Changelog"
+description: "Pre-release updates for AI chat agents."
+---
+
+<Update label="June 5, 2026" description="4.5.0-rc.5" tags={["SDK", "Bug fix"]}>
+
+## AI SDK 7 support
+
+`chat.agent` and the chat surfaces now work against Vercel AI SDK 7. The `ai` peer range widened to include v7, so you can build your agent against v5, v6, or v7 with the same `@trigger.dev/sdk/ai`, `chat`, and `chat/react` imports; your installed `ai` major drives the types. v5 and v6 are unchanged.
+
+On v7, model-call spans moved out of `ai` core into the separate `@ai-sdk/otel` adapter, so `experimental_telemetry` alone produces nothing until an integration is registered. Install `@ai-sdk/otel` alongside `ai@7` and the SDK registers it for you once per worker at chat agent boot, so your `streamText` spans keep flowing into the run trace with no extra setup:
+
+```sh
+npm install @ai-sdk/otel
+```
+
+If you (or a library you import) already register `@ai-sdk/otel`, the SDK detects the existing integration and skips its own registration, so you won't get duplicate spans. Set `TRIGGER_AI_SDK_OTEL_AUTOREGISTER=0` to disable auto-registration entirely. See [supported AI SDK versions](/ai-chat/reference#compatibility) and [AI SDK 7 telemetry](/ai-chat/reference#ai-sdk-7-telemetry) in the reference.
+
+Task-backed tools wired in with `ai.toolExecute` also propagate their tool `context` on v7, which renamed the field from v6's `experimental_context`.
+
+## `useTriggerChatTransport` recovers a stale session
+
+When a chat's restored session state pointed at a session that no longer exists in the current environment (restored from a different environment, or from before the sessions model), the transport assumed it was live and never created a real one, so the next message 404'd and the chat could not send. The transport now treats a 404 from a session call as a missing session: after the existing token refresh it recreates the session via `startSession`, drops the stale resume cursor, and retries the send once.
+
+</Update>
+
+<Update label="June 1, 2026" description="4.5.0-rc.4" tags={["SDK"]}>
+
+## `tools` option on `chat.agent`: `toModelOutput` survives across turns
+
+`chat.agent` now takes a `tools` option. Until now tools only went to `streamText` inside `run()`, which meant the SDK had no tools when it re-converted the persisted `UIMessage` history at the start of each turn. Any tool with a `toModelOutput` (raw image bytes turned into an image content part, or a sub-agent transcript compressed to a summary) had its transform applied on turn 1 and skipped from turn 2 onward, so the raw output got stringified back into the prompt.
+
+Declare your tools on the config and the SDK threads them into that conversion, so `toModelOutput` is re-applied every turn. The resolved set is handed back, typed, on the `run()` payload as `tools`, so you declare them once:
+
+```ts
+const tools = { searchDocs, renderChart };
+
+export const myChat = chat.agent({
+  tools,
+  run: async ({ messages, tools, signal }) =>
+    streamText({ ...chat.toStreamTextOptions({ tools }), messages, abortSignal: signal }),
+});
+```
+
+`tools` also accepts a per-turn function (`(event) => ToolSet`) for tools that depend on the user or a feature flag. Only `inputSchema` and `toModelOutput` are read during conversion, never `execute`. No behavior change for agents that don't declare `tools`.
+
+A new `InferChatUIMessageFromTools<typeof tools>` helper derives the chat `UIMessage` type (with typed tool parts) directly from a tool set. See the new [Tools](/ai-chat/tools) guide.
+
+</Update>
+
+<Update label="May 23, 2026" description="4.5.0-rc.2" tags={["SDK", "Webapp", "Bug fix"]}>
+
+## HITL continuations — slim wire by default + field-level merge
+
+`chat.addToolOutput(...)` and `chat.addToolApproveResponse(...)` continuations on reasoning-heavy agent loops used to fail two ways: either the wire body crossed the `/in/append` cap (encrypted reasoning blobs + tool input routinely > 512 KiB), or apps that slimmed the wire as a workaround landed a tool call with no `arguments` on the next LLM step (the per-turn merge replaced the hydrated message wholesale instead of overlaying only the new tool-state advance). Both modes are fixed.
+
+The transport (`TriggerChatTransport.sendMessages`, `AgentChat.sendRaw`) now slims the assistant message itself on `submit-message` turns whose assistant carries resolved or approval-responded tool parts. The wire shape ships as `{ id, role: "assistant", parts: [<resolved tool part only>] }` — `state` plus `output` / `errorText` / `approval`, depending on the new state. Everything else (reasoning blobs, prior text, tool `input`, provider metadata) is reconstructed server-side from `hydrateMessages` or the durable snapshot. Continuation payloads typically drop from 600 KiB – 1 MiB to ~1 KiB.
+
+The per-turn merge now overlays only the tool-part state advances (`output-available` / `output-error` / `approval-responded` / `output-denied`) from the wire copy onto the matching hydrated entry. Hydrated `input`, text, reasoning, and provider metadata stay put. The agent still accepts a fuller `UIMessage` on the wire (the merge only reads the resolved fields), so custom transports that ship more don't break — they just waste bytes.
+
+### `hydrateMessages` upsert-by-id
+
+If your `hydrateMessages` hook persists the incoming message, **upsert by id** — don't unconditionally push. HITL continuations ship the existing assistant's id with a slim payload; a blind `stored.push(newMsg)` duplicates the row in the chain you return, the merge updates the first match, and the slim duplicate hits `toModelMessages` with no `input`.
+
+A new `upsertIncomingMessage` helper is exported from `@trigger.dev/sdk/ai` to handle this for the common case:
+
+```ts
+import { chat, upsertIncomingMessage } from "@trigger.dev/sdk/ai";
+
+chat.agent({
+  hydrateMessages: async ({ chatId, trigger, incomingMessages }) => {
+    const record = await db.chat.findUnique({ where: { id: chatId } });
+    const stored = record?.messages ?? [];
+    if (upsertIncomingMessage(stored, { trigger, incomingMessages })) {
+      await db.chat.update({ where: { id: chatId }, data: { messages: stored } });
+    }
+    return stored;
+  },
+});
+```
+
+The helper pushes fresh user messages, no-ops on HITL continuations (so the runtime can overlay the new tool-state advance), and skips on non-`submit-message` triggers. Returns `true` if it mutated `stored`. The examples in [lifecycle hooks](/ai-chat/lifecycle-hooks#hydratemessages), [Database persistence](/ai-chat/patterns/database-persistence#alternative-hydratemessages), and [Persistence and replay](/ai-chat/patterns/persistence-and-replay) have all been updated. Custom hydrate logic (branching, rollback, etc.) can still write the upsert by hand — the helper is a convenience for the common shape.
+
+### `onValidateMessages` slim wire caveat
+
+The slim wire is what arrives in `onValidateMessages` on HITL turns. `validateUIMessages` from `ai` rejects the slim shape (the AI SDK schema requires `input` on resolved tool parts), so filter to user messages first (or skip validation entirely on those turns). See the updated example in [lifecycle hooks](/ai-chat/lifecycle-hooks#onvalidatemessages).
+
+### `/in/append` 413 + precise cap
+
+In parallel:
+
+- The 413 response now carries CORS headers, so browser fetches can read the status instead of failing as opaque `TypeError: Failed to fetch`. App-side retry-on-disconnect loops no longer spin forever on a permanently-rejected payload.
+- The per-record cap is now computed precisely against S2's actual ceiling instead of the conservative 512 KiB floor. Legitimate ~600 – 900 KiB tool outputs (search results, file content) now succeed; pathological all-quote content that would double under JSON escape still rejects cleanly with a clear error.
+
+See the updated [413 row in the client protocol](/ai-chat/client-protocol#step-3-send-messages-stops-and-actions).
+
+</Update>
+
+<Update label="May 21, 2026" description="4.5.0-rc.1" tags={["SDK", "Bug fix"]}>
+
+## v4.5.0-rc.1 — two bug fixes
+
+Patch release on top of `4.5.0-rc.0`. Upgrade with:
+
+```sh
+npx trigger.dev@4.5.0-rc.1 update              # npm
+pnpm dlx trigger.dev@4.5.0-rc.1 update         # pnpm
+yarn dlx trigger.dev@4.5.0-rc.1 update         # yarn
+bunx trigger.dev@4.5.0-rc.1 update             # bun
+```
+
+### Fixes
+
+- **Agent Skills silently missing in `trigger dev`** for projects whose task files read `process.env` at module top level (e.g. a third-party SDK client initialized at import). [Skill folders](/ai-chat/patterns/skills) now bundle into `.trigger/skills/` reliably regardless of which env vars are set when the CLI launches. ([#3690](https://github.com/triggerdotdev/trigger.dev/pull/3690))
+- **`COULD_NOT_FIND_EXECUTOR`** when a task's definition is loaded via `await import(...)` from inside another task's `run()` — common when lazy-loading sub-agent tasks. Runtime workers now register such tasks with a sentinel file context, and the catalog logs a one-time warning per task id. ([#3688](https://github.com/triggerdotdev/trigger.dev/pull/3688))
+
+</Update>
+
+<Update label="May 21, 2026" description="4.5.0-rc.0" tags={["SDK", "Release"]}>
+
+## v4.5.0-rc.0 — AI Agents graduate from chat-prerelease
+
+First release candidate of v4.5. Everything covered by the `0.0.0-chat-prerelease-*` entries below now ships under a stable semver tag. Install:
+
+```bash
+pnpm add @trigger.dev/sdk@rc
+```
+
+(Or pin `4.5.0-rc.0` explicitly.)
+
+### What's in the box
+
+- **`chat.agent`** — multi-turn AI chat backends as durable Trigger.dev tasks. Lifecycle hooks, recovery from cancel/crash/OOM, version upgrades, all in. See [Overview](/ai-chat/overview) and [Quick Start](/ai-chat/quick-start).
+- **Sessions** — the durable bi-directional stream primitive that backs `chat.agent`. Use it directly for any pattern that needs durable bi-directional streaming across runs. See [Sessions](/ai-chat/sessions).
+- **`useTriggerChatTransport`** — a custom AI SDK `ChatTransport` for `useChat`. No API routes. See [Frontend](/ai-chat/frontend).
+- **Head Start** — opt-in route handler that runs the first `streamText` step in your warm server while the agent boots in parallel. Cuts cold-start TTFC roughly in half. See [Fast starts](/ai-chat/fast-starts#head-start).
+- **AI Prompts** — code-defined, deploy-versioned templates with dashboard overrides for text + model. Integrates with `chat.agent` via `chat.prompt.set()` + `chat.toStreamTextOptions()`. See [Prompts](/ai/prompts).
+- **`ai.toolExecute`** — wire any Trigger subtask in as the `execute` of an AI SDK `tool()`. See [Sub-agents](/ai-chat/patterns/sub-agents).
+
+### Compatibility
+
+`@trigger.dev/sdk@4.5.0-rc.0` requires `ai` `^5.0.0 || ^6.0.0` (Vercel AI SDK), React `^18.0 || ^19.0` (for the `chat/react` subpath), and Node.js `>=18.20.0`. Full matrix on the [API Reference](/ai-chat/reference#compatibility).
+
+### Docs
+
+This release ships with a refreshed AI Agents documentation set covering [Backend](/ai-chat/backend), [Frontend](/ai-chat/frontend), [Sessions](/ai-chat/sessions), [Lifecycle hooks](/ai-chat/lifecycle-hooks), [`chat.local`](/ai-chat/chat-local), the [Patterns](/ai-chat/patterns/sub-agents) library, [Testing](/ai-chat/testing), and a full [API Reference](/ai-chat/reference).
+
+</Update>
+
+<Update label="May 19, 2026" description="0.0.0-chat-prerelease-20260520150857" tags={["SDK"]}>
+
+## Recovery boot — context-preserving continuation after cancel / crash / OOM
+
+When a `chat.agent` run dies mid-stream (the user cancels, the worker OOMs, an unhandled exception kills the process), the next continuation run now reconstructs the conversation context automatically. Follow-ups like "keep going" continue the partial response; fresh follow-ups like "scrap that, what's 7+8?" abandon it and answer the new question. No customer code required.
+
+Under the hood: the boot now reads BOTH stream tails — `session.out` for any partial assistant the dead run was streaming, `session.in` for any user messages it never acknowledged — and splices `[firstInFlightUser, partialAssistant]` onto the chain when both are present. The model sees full prior context plus the latest user message.
+
+For policies different from "preserve context" — drop the partial entirely, synthesize tool results for an interrupted tool call, emit a recovery banner to the UI — register the new `onRecoveryBoot` hook:
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  onRecoveryBoot: async ({ partialAssistant, inFlightUsers, writer, cause, previousRunId }) => {
+    writer.write({
+      type: "data-chat-recovery",
+      data: { cause, previousRunId, partialPresent: partialAssistant !== undefined },
+      transient: true,
+    });
+    // return nothing → smart default applies
+  },
+  run: async ({ messages, signal }) => streamText({ model, messages, abortSignal: signal }),
+});
+```
+
+The hook receives `settledMessages`, `inFlightUsers`, `partialAssistant`, `pendingToolCalls`, `previousRunId`, `cause`, and a lazy `writer`. Return any of `chain`, `recoveredTurns`, or `beforeBoot` to override the default. Agents using `hydrateMessages` skip the hook — customer-owned persistence is the source of truth.
+
+Also retracts the OOM resilience caveat: model context on retry is no longer "incomplete" without `hydrateMessages`. The smart default reconstructs full context from `session.out` replay.
+
+See [Recovery boot](/ai-chat/patterns/recovery-boot) for the full guide.
+
+</Update>
+
+<Update label="May 16, 2026" description="0.0.0-chat-prerelease-20260519091352" tags={["SDK", "Breaking"]}>
+
+## `session.out` is now bounded — header-form control records + per-turn trim
+
+Long-lived chats were accumulating `session.out` records forever (every turn appends; nothing trimmed). The Sessions dashboard re-streamed the entire history from `seq_num=0` on every page load, and OOM-retry boot scanned the whole stream to find the last turn-complete.
+
+After this release `session.out` stays roughly **one turn long forever** at steady state. After each `turn-complete`, the agent appends an S2 `trim` command record pointing back to the previous turn-complete's seq_num. Full conversation history continues to live in the durable S3 snapshot, not on the stream. Resume across a single turn boundary still works (the previous `turn-complete` is still on the stream and S2's eventually-consistent trim window gives 10-60s of grace); resume across multiple turns of inactivity falls back to the snapshot.
+
+### What changed on the wire
+
+`trigger:turn-complete` and `trigger:upgrade-required` are no longer JSON data chunks on `session.out`. They're now **header-form control records** under a uniform `trigger-control` namespace:
+
+```
+headers:
+  ["trigger-control", "turn-complete"]
+  ["public-access-token", "eyJ..."]   // optional, refreshed JWT on turn-complete
+body: ""
+```
+
+```
+headers:
+  ["trigger-control", "upgrade-required"]
+body: ""
+```
+
+The control event names ("turn-complete", "upgrade-required") are unchanged conceptually — they just moved from `chunk.type` into a `trigger-control` header value. Body is always empty; metadata that previously rode in the chunk (e.g. `publicAccessToken`) now rides on sibling headers.
+
+`turn-complete` also picks up a new optional sibling header — `["session-in-event-id", "<seq>"]` — carrying the agent's committed-consume cursor on `.in` as of this turn. It's an agent-internal contract that lets the next worker boot seed its `.in` SSE subscription past already-processed user messages, without relying on a wall-clock-derived dedup cutoff. Custom transports should ignore the header; it has no client-side meaning.
+
+### Custom transport implementers
+
+Built-in SDK transports (`TriggerChatTransport`, `AgentChat`) handle this transparently — `onTurnComplete` fires the same way with the same payload. Custom transports filtering on `chunk.type === "trigger:turn-complete"` need to switch to the header-based filter:
+
+```ts
+import { controlSubtype } from "@trigger.dev/core/v3";
+
+const control = controlSubtype(record.headers);
+if (control === "turn-complete") {
+  // refresh token from record.headers, end turn, etc.
+}
+```
+
+The full uniform filter rule (data records vs control records vs S2 command records like `trim`) is documented at [Records on `session.out`](/ai-chat/client-protocol#records-on-session-out).
+
+### Sessions dashboard snapshot read
+
+The Sessions detail page in the trigger.dev dashboard now reads the agent's S3 snapshot first via a presigned URL, then SSE-tails from `snapshot.lastOutEventId`. Bandwidth and time-to-first-render are O(unread turns) instead of O(session lifetime). Sessions that registered a `hydrateMessages` hook (which skips snapshot writes) show only the most recent turn — those customers typically have their own DB-backed dashboards.
+
+### Breaking surface
+
+- Custom transports parsing `chunk.type` for turn-complete / upgrade-required must switch to the `trigger-control` header check.
+- Snapshot consumers should import `ChatSnapshotV1` / `ChatSnapshotV1Schema` from `@trigger.dev/core/v3` (now an exported shape, not SDK-internal).
+
+Hard cutover — no compat shim. v4.5 is prerelease.
+
+### Docs
+
+- [Records on `session.out`](/ai-chat/client-protocol#records-on-session-out) — full filter rule for data / control / command records.
+- [Resuming a stream](/ai-chat/client-protocol#resuming-a-stream) — explicit single-turn vs multi-turn-away semantics.
+- [`turn-complete` control record](/ai-chat/client-protocol#turn-complete-control-record) and [`upgrade-required` control record](/ai-chat/client-protocol#upgrade-required-control-record) — replaced the old chunk-shape docs.
+
+</Update>
+
+<Update label="May 8, 2026" description="0.0.0-chat-prerelease-20260519091352" tags={["SDK", "Breaking"]}>
+
+## 512 KiB `/in/append` ceiling removed for long chats — slim wire + S3 snapshot
+
+`chat.agent` long-running chats with heavy tool results were hitting the realtime API's 512 KiB body cap on `/realtime/v1/sessions/{id}/in/append` once the accumulated `UIMessage[]` history (which the wire shipped in full on every send) crossed the limit. The 413 surfaced as a CORS error in browsers and stalled chats around turn 10–30 with tool use.
+
+The wire is now **delta-only**: each `.in/append` carries at most one new `UIMessage` (the new user turn or a tool-approval response) instead of the full history. The agent rebuilds prior history at run boot from a durable JSON snapshot in object storage plus a replay of the `session.out` tail. The 512 KiB ceiling stops being pressure — slim payloads are normally a few KB regardless of chat length.
+
+```ts
+// Before — full history shipped on every send
+{ messages: [u1, a1, u2, a2, /* ... 30 turns ... */, u31], chatId, trigger: "submit-message" }
+
+// After — only the new turn
+{ message: u31, chatId, trigger: "submit-message" }
+```
+
+### What changed
+
+- **`ChatTaskWirePayload`**: `messages: UIMessage[]` is removed. Replaced by `message?: UIMessage` (singular, optional) and a dedicated `headStartMessages?: UIMessage[]` field used only by `chat.headStart` first-turn handover.
+- **Run boot**: when `hydrateMessages` is not registered, the runtime reads `packets/{projectRef}/{envSlug}/sessions/{sessionId}/snapshot.json` from object storage and replays any `session.out` chunks landed since the snapshot's cursor. Snapshot writes happen after every `onTurnComplete`, awaited so they survive an idle suspend.
+- **`hydrateMessages` short-circuit**: registering the hook skips snapshot read/write and replay entirely. Customer is the source of truth for history, same as today.
+- **`hydrateMessages.incomingMessages`**: now consistently 0-or-1-length across every trigger type. Previously `regenerate-message` and continuations occasionally shipped full history; they now ship none.
+- **`onChatStart` is now once-per-chat**: fires only on the chat's very first user message; does NOT fire on continuation runs (post-`endRun`, post-waitpoint-timeout, post-`chat.requestUpgrade`) or on OOM-retry attempts. The `continuation` and `previousRunId` fields on `ChatStartEvent` are now `@deprecated` (always `false` / `undefined` when the hook fires). Drop any `if (continuation) return;` gates from `onChatStart` — they're now unreachable. For per-turn setup that runs on continuations too, move to `onTurnStart`.
+- **Continuation boot payload**: the server now strips `message` / `messages` / `trigger` from the cached `basePayload` on continuation runs, and the SDK enters a new continuation-wait branch that waits silently on `session.in` for the next user message. Fixes a phantom-turn bug where stale boot-payload fields were replayed on every resume.
+- **OOM-retry boot**: uses the snapshot's `lastOutTimestamp` as the `session.in` cutoff, saving one stream subscription per retry.
+- **Built-in transports**: `TriggerChatTransport`, `AgentChat`, mid-stream pending-message handling, and `chat.headStart` route handler all updated to the slim shape. Existing customer code calling `transport.sendMessage(...)` / `agentChat.sendMessage(...)` is unaffected — the change is below those surfaces.
+
+### Object store configuration
+
+Snapshot read/write reuses Trigger.dev's existing object-store infrastructure — the same presigned-URL routes used for large payloads. Set `OBJECT_STORE_*` env vars on your webapp deployment if you haven't already; MinIO works locally via `OBJECT_STORE_DEFAULT_PROTOCOL`.
+
+If no object store is configured **and** no `hydrateMessages` hook is registered, conversations don't survive run boundaries (the runtime logs a warning at registration time). Either configure an object store or register `hydrateMessages`.
+
+### Breaking surface
+
+- **Custom transports**: any code constructing `ChatTaskWirePayload` directly must drop `messages` and use `message`. See the rewritten [Client Protocol](/ai-chat/client-protocol).
+- **Client-side `setMessages` no longer round-trips**: full-history mutations on the client never reached the agent before this release either, but the slim wire makes that explicit. Use server-side [`chat.history.set()`](/ai-chat/backend#chat-history) inside `onTurnStart` for compaction.
+- **Custom server-to-server senders**: code calling `apiClient.appendToSessionInput(sessionId, ...)` or hitting `/realtime/v1/sessions/{id}/in/append` directly must switch to the slim shape.
+
+Hard cutover — there is no compat shim. v4.5 is prerelease.
+
+### Docs
+
+- Rewritten [Client Protocol](/ai-chat/client-protocol) — slim payload, new `headStartMessages` field, new "How history is rebuilt" and "Head-start protocol caveat" sections.
+- New [Persistence and replay](/ai-chat/patterns/persistence-and-replay) — end-to-end walkthrough of the snapshot model, OOM-retry interaction, crash semantics, `hydrateMessages` short-circuit.
+- New [Tool result auditing](/ai-chat/patterns/tool-result-auditing) — the `extractNewToolResults` + `onTurnComplete` / `hydrateMessages` pattern for HITL audit logging.
+- [v4.5 section of the upgrade guide](/ai-chat/upgrade-guide#v45-wire-format-change) — migration steps for custom transports and `hydrateMessages` consumers.
+- [`hydrateMessages`](/ai-chat/lifecycle-hooks#hydratemessages), [`onChatStart`](/ai-chat/lifecycle-hooks#onchatstart) — clarifications on the new `incomingMessages` and `messages` shapes.
+
+</Update>
+
+<Update label="May 7, 2026" description="0.0.0-chat-prerelease-20260507131256" tags={["SDK"]}>
+
+## `chat.history` read primitives for HITL flows
+
+Customers building human-in-the-loop tools were re-implementing the same accumulator-walking logic to figure out which tool calls were pending, which were resolved, and which results in an incoming wire message were actually new. Lifted into the SDK as five new methods on `chat.history`:
+
+| Method                                        | Description                                                                                                                                                                         |
+| --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `chat.history.getPendingToolCalls()`          | Tool calls on the most recent assistant message in `input-available` state — gates fresh user turns during HITL.                                                                    |
+| `chat.history.getResolvedToolCalls()`         | All tool calls in the chain in `output-available` or `output-error` state.                                                                                                          |
+| `chat.history.extractNewToolResults(message)` | Tool results in `message` whose `toolCallId` is not already resolved on the chain. Most useful in `hydrateMessages` against an incoming wire message, before the runtime merges it. |
+| `chat.history.getChain()`                     | Same as `chat.history.all()` — alias that reads better alongside parent-aware APIs.                                                                                                 |
+| `chat.history.findMessage(messageId)`         | Direct lookup; `undefined` if absent.                                                                                                                                               |
+
+```ts
+// Refuse a regenerate while a tool call is awaiting an answer
+onAction: async ({ action }) => {
+  if (action.type === "regenerate") {
+    if (chat.history.getPendingToolCalls().length > 0) return;
+    chat.history.slice(0, -1);
+  }
+},
+
+// Side-effect once per net-new tool result on incoming wire messages
+hydrateMessages: async ({ incomingMessages }) => {
+  for (const msg of incomingMessages) {
+    for (const r of chat.history.extractNewToolResults(msg)) {
+      await auditLog.record({ id: r.toolCallId, output: r.output, errorText: r.errorText });
+    }
+  }
+  return incomingMessages;
+},
+```
+
+See [`chat.history`](/ai-chat/backend#chat-history) and [Human-in-the-loop](/ai-chat/patterns/human-in-the-loop).
+
+## Fix: HITL `addToolOutput` resume preserves the assistant message id
+
+In some HITL flows the AI SDK regenerated the assistant message id when the user's `addToolOutput` answer round-tripped back to the agent. The fresh id slipped past the runtime's id-based merge, leaving the resolved tool answer attached to a sibling assistant message instead of the head, which broke downstream dedup and rendered the tool answer twice.
+
+The runtime now records `toolCallId → head messageId` whenever an assistant with tool parts lands in the accumulator and rewrites the incoming id back via that map before the merge. Customers who had a content-match workaround for this can drop it.
+
+</Update>
+
+<Update label="May 6, 2026" description="0.0.0-chat-prerelease-20260506093419" tags={["SDK", "Breaking"]}>
+
+## `chat.agent` actions are no longer turns
+
+Submitting an action via `transport.sendAction()` previously fell through to the regular turn machinery, calling `onTurnStart`, `run()`, `onTurnComplete`, etc. — meaning every action fired an LLM call by default. The workaround was a `chat.local`-based `skipModelCall` flag read in `run()`.
+
+Actions now fire `hydrateMessages` and `onAction` only. No `onTurnStart` / `prepareMessages` / `onBeforeTurnComplete` / `onTurnComplete`, no `run()` invocation, no turn-counter increment. The trace span is named `chat action` instead of `chat turn N`.
+
+`onAction`'s return type widens: returning `void` is side-effect-only (default); returning a `StreamTextResult`, `string`, or `UIMessage` produces a model response that's auto-piped back to the frontend.
+
+### Migration
+
+If you had `run()` branching on `payload.trigger === "action"` for a model response, return your `streamText(...)` from `onAction` instead. If you persisted in `onTurnComplete`, do that work inside `onAction`. For state-only actions, just remove the skip-the-model workaround.
+
+```ts
+// before
+onAction: async ({ action }) => {
+  if (action.type === "regenerate") {
+    runState.skipModelCall = false;
+    chat.history.slice(0, -1);
+  }
+},
+run: async ({ messages, signal }) => {
+  if (runState.skipModelCall) return;
+  return streamText({ model, messages, abortSignal: signal });
+},
+
+// after
+onAction: async ({ action, messages, signal }) => {
+  if (action.type === "regenerate") {
+    chat.history.slice(0, -1);
+    return streamText({ model, messages, abortSignal: signal });
+  }
+},
+run: async ({ messages, signal }) =>
+  streamText({ model, messages, abortSignal: signal }),
+```
+
+Actions arriving when no `onAction` handler is configured now `console.warn` once and are ignored — previously they silently fell through to `run()` with an empty wire payload.
+
+</Update>
+
+<Update label="May 5, 2026" description="0.0.0-chat-prerelease-20260505140031" tags={["SDK"]}>
+
+## Fix: duplicate turn after `chat.agent` idle-suspends
+
+Every message sent to a `chat.agent` after the run idle-suspended produced two turns on the agent side instead of one — same user message, two LLM calls. Internal session-stream reconnect logic was racing the waitpoint and feeding the just-consumed message back into the next turn's input buffer. No public API change.
+
+</Update>
+
+<Update label="May 5, 2026" description="0.0.0-chat-prerelease-20260505084711" tags={["SDK"]}>
+
+## `chat.headStart` — fast first-turn for chat.agent
+
+A new opt-in flow that cuts first-turn TTFC roughly in half by running step 1's LLM call in your warm process while the chat.agent run boots in parallel. On the LLM's `tool-calls` boundary, ownership of the durable stream hands over to the agent for tool execution and step 2+. Pure-text first turns finish on the customer side with no LLM call from the trigger run at all.
+
+Measured on `claude-sonnet-4-6` (same model both sides): TTFT 2801ms → 1218ms (−57%), total turn 4180ms → 2345ms (−44%). With Head Start, first-text time is essentially the LLM TTFB floor.
+
+### Setup
+
+```ts app/api/chat/route.ts
+import { chat } from "@trigger.dev/sdk/chat-server";
+import { streamText } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+import { headStartTools } from "@/lib/chat-tools/schemas";
+
+export const POST = chat.headStart({
+  agentId: "my-chat",
+  run: async ({ chat: helper }) =>
+    streamText({
+      ...helper.toStreamTextOptions({ tools: headStartTools }),
+      model: anthropic("claude-sonnet-4-6"),
+      system: "You are a helpful assistant.",
+    }),
+});
+```
+
+```tsx components/chat.tsx
+const transport = useTriggerChatTransport({
+  task: "my-chat",
+  accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+  startSession: ({ chatId, taskId, clientData }) =>
+    startChatSession({ chatId, taskId, clientData }),
+  headStart: "/api/chat",
+});
+```
+
+### Bundle isolation
+
+Tool schemas (`description` + `inputSchema`) live in their own module that imports only `ai` and `zod`. The agent task imports those schemas and adds heavy `execute` fns. The route handler imports schemas only — keeping the warm-process bundle light is what makes the win possible. Runtime "strip executes" helpers don't solve this — bundlers resolve imports at build time. See [Fast starts → Head Start setup](/ai-chat/fast-starts#setup) for the full split.
+
+### Compared to Preload
+
+Preload eagerly triggers the run on page load (good when you're confident the user _will_ send a message — trades idle compute for fast TTFC). Head Start gates the run on a real first message — no idle compute, customer's process runs step 1 directly. Pick one per chat.
+
+### Works on every runtime
+
+`chat.headStart` returns a standard Web Fetch handler — `(req: Request) => Promise<Response>` — so it slots into Next.js App Router, Hono, SvelteKit, Remix / React Router v7, TanStack Start, Astro, Nitro/Nuxt, Elysia, Cloudflare Workers, Bun, Deno, and any other runtime that speaks Web Fetch. Verified runtimes: Node 18+, Bun, Deno, Workers, Vercel (Node and Edge), Netlify (Functions and Edge).
+
+For Node-only frameworks (Express, Fastify, Koa, raw `node:http`), the SDK ships `chat.toNodeListener(handler)` — converts any Web Fetch handler into a Node `(req, res)` listener with proper streaming, header translation, and client-disconnect propagation.
+
+```ts
+import express from "express";
+import { chat } from "@trigger.dev/sdk/chat-server";
+
+const handler = chat.headStart({ agentId: "my-chat", run: ... });
+
+const app = express();
+app.post("/api/chat", chat.toNodeListener(handler));
+```
+
+## Docs
+
+- New [Head Start guide](/ai-chat/fast-starts#head-start) — bundle isolation, schema/execute split, route handler setup, transport option, lifecycle, limitations.
+- [Reference](/ai-chat/reference#triggerchattransport-options) — `headStart` transport option.
+
+</Update>
+
+<Update label="May 2, 2026" description="0.0.0-chat-prerelease-20260502065709" tags={["SDK"]}>
+
+## Resilient SSE reconnection
+
+The chat transport now retries indefinitely on network drops with bounded exponential backoff (100ms initial, 5s cap, 50% jitter) instead of giving up after 5 attempts. Reconnects are immediate on `online`, on tab refocus after a long background, and on Safari bfcache restore (`pageshow` with `event.persisted`).
+
+A 60s stall detector catches silent-dead-socket cases on mobile where the OS killed the TCP socket without the reader noticing. A 30s per-attempt fetch timeout prevents stuck connections from blocking the retry loop.
+
+Resume continues to use `Last-Event-ID`, so no chunks are lost when the connection comes back. No public API change — these are defaults on `TriggerChatTransport`. Customers who built `hasActiveStream` / `isStreaming` flag tracking on their side can drop it: the transport handles the silent-but-stale case internally now.
+
+`SSEStreamSubscription` (used by `TriggerChatTransport` and `AgentChat`) gained `retryNow()` and `forceReconnect()` for callers writing custom transports, plus options to tune `maxRetries` / `retryDelayMs` / `maxRetryDelayMs` / `retryJitter` / `fetchTimeoutMs` / `stallTimeoutMs` / `nonRetryableStatuses`. `404` and `410` short-circuit retry by default (stream gone / session closed).
+
+</Update>
+
+<Update label="April 24, 2026" description="0.0.0-chat-prerelease-20260501122331" tags={["SDK", "Platform"]}>
+
+## `chat.agent` now runs on Sessions
+
+Every chat is backed by a durable Session row that outlives any single run. `externalId` = your chat ID, `type` = `"chat.agent"`. Under the hood:
+
+- Output chunks stream on `session.out` (was a run-scoped `streams.writer("chat")`).
+- Client messages and stops land on `session.in` as a [`ChatInputChunk`](/ai-chat/reference#chatinputchunk) tagged union (was two run-scoped `streams.input` definitions).
+- Wire endpoints moved from `/realtime/v1/streams/{runId}/...` to `/realtime/v1/sessions/{sessionId}/...`. See the rewritten [Client Protocol](/ai-chat/client-protocol).
+
+Public surface (`chat.agent()`, `TriggerChatTransport`, `AgentChat`, `chat.stream` / `chat.messages` / `chat.stopSignal`) is unchanged — existing apps keep working. What's new is:
+
+- **Cross-run resume is free.** A chat you were in yesterday resumes against the same `sessionId` today, even if the original run long since exited. No more lost conversations when a run idle-times-out.
+- **Inbox views via `sessions.list({type: "chat.agent"})`.** Enumerate every chat in your environment, filter by tag or status.
+- **`TriggerChatTaskResult.sessionId`** + **`ChatTaskRunPayload.sessionId`** — you can reach into the raw session via `sessions.open(payload.sessionId)` for advanced cases (writing from a sub-agent, custom transport).
+- **Dashboard Agent tab** resolves via `sessionId` and stays in sync with the live stream across runs.
+
+The full wire-level protocol (session create, channel routes, JWT scopes) is documented in [Client Protocol](/ai-chat/client-protocol).
+
+## `X-Session-Settled` — fast reconnect on idle chats
+
+When a client reconnects to `session.out` and the tail record is a `trigger:turn-complete` marker (agent finished a turn, idle-waiting or exited), the server sets `X-Session-Settled: true` and uses `wait=0` on the underlying S2 read. The SSE drains any remaining records then closes in ~1s instead of long-polling for 60s.
+
+Practical impact: `TriggerChatTransport.reconnectToStream` no longer needs a client-side `isStreaming` flag. You can drop the field from your persisted `ChatSession` state entirely — the server decides. Existing callers that still persist `isStreaming` are unaffected; `reconnectToStream` keeps the fast-path short-circuit when it's `false`.
+
+## Migration
+
+See the [Sessions Upgrade Guide](/ai-chat/upgrade-guide) for the full step-by-step — auth callback split, persisted `ChatSession` shape, server-side helpers (`chat.createStartSessionAction`, `chat.createAccessToken` for renewal), and the `clientData` validation pivot.
+
+## Docs
+
+- Rewritten [Client Protocol](/ai-chat/client-protocol) — full wire format for the new `/realtime/v1/sessions/{sessionId}/...` endpoints, JWT scopes, S2 direct-write credentials, and `Last-Event-ID` resume.
+- [Database persistence pattern](/ai-chat/patterns/database-persistence) — new `chatId`-keyed `ChatSession` shape (no more `runId`) and a warning on the `onTurnComplete` race that requires a single atomic write of `messages` + `lastEventId`.
+- [Reference](/ai-chat/reference) — added `chat.createStartSessionAction`, `chat.createAccessToken`, `ChatInputChunk`, `TriggerChatTaskResult.sessionId`, `ChatTaskRunPayload.sessionId`. The old run-scoped stream-ID constants are gone.
+- Refreshed [Backend](/ai-chat/backend), [Frontend](/ai-chat/frontend), [Server Chat](/ai-chat/server-chat), [Quick start](/ai-chat/quick-start), [Overview](/ai-chat/overview), [Types](/ai-chat/types), [Error handling](/ai-chat/error-handling), and [Testing](/ai-chat/testing) for the session-based wiring.
+
+</Update>
+
+<Update label="April 19, 2026" description="0.0.0-chat-prerelease-20260419173457" tags={["SDK", "CLI"]}>
+
+## Agent Skills
+
+Ship reusable capabilities as folders — a `SKILL.md` plus optional scripts, references, and assets. The agent sees short descriptions in its system prompt, loads full instructions on demand via `loadSkill`, and invokes bundled scripts via `bash` — no manual wiring.
+
+`skills.define({ id, path })` registers the skill; the CLI bundles the folder into the deploy image. `chat.skills.set([...])` activates skills for the run; `chat.toStreamTextOptions()` auto-injects the preamble and tools.
+
+See the new [Agent Skills guide](/ai-chat/patterns/skills).
+
+</Update>
+
+<Update label="April 18, 2026" description="0.0.0-chat-prerelease-20260418174118" tags={["SDK"]}>
+
+## `chat.endRun()` — exit on your own terms
+
+New imperative API to exit the loop after the current turn completes, without the upgrade-required signal that `chat.requestUpgrade()` sends. Use for one-shot agents, budget-exhausted exits, or goal-reached completions.
+
+```ts
+chat.agent({
+  id: "one-shot",
+  run: async ({ messages, signal }) => {
+    chat.endRun();
+    return streamText({ model: openai("gpt-4o"), messages, abortSignal: signal });
+  },
+});
+```
+
+The current turn streams normally, `onBeforeTurnComplete` / `onTurnComplete` fire, the turn-complete chunk is written, and the run exits instead of suspending. Callable from `run()`, `chat.defer()`, `onBeforeTurnComplete`, or `onTurnComplete`. See [Ending a run on your terms](/ai-chat/backend#ending-a-run-on-your-terms).
+
+## `finishReason` on turn-complete events
+
+`TurnCompleteEvent` and `BeforeTurnCompleteEvent` now include the AI SDK's `finishReason` (`"stop" | "tool-calls" | "length" | "content-filter" | "error" | "other"`). Clean signal for distinguishing a normal turn end from one paused on a pending tool call (HITL flows like `ask_user`):
+
+```ts
+onTurnComplete: async ({ finishReason, responseMessage }) => {
+  if (finishReason === "tool-calls") {
+    // Paused — assistant message has a pending tool call waiting for user input
+    await persistCheckpoint(responseMessage);
+  } else {
+    await persistCompleted(responseMessage);
+  }
+};
+```
+
+Undefined for manual `chat.pipe()` flows or aborted streams. See the new [Human-in-the-loop pattern](/ai-chat/patterns/human-in-the-loop).
+
+## User-initiated compaction pattern
+
+The [Compaction guide](/ai-chat/compaction) now covers how to wire a "Summarize conversation" button or `/compact` slash command via `actionSchema` + `onAction`. The agent summarizes on demand, rewrites history with `chat.history.set()`, and short-circuits the LLM call for action turns.
+
+Needed a small type fix for this: `ChatTaskPayload.trigger` now correctly includes `"action"`, so `run()` handlers can short-circuit with `if (trigger === "action") return` when an action doesn't need a response.
+
+## Human-in-the-loop pattern page
+
+New [Human-in-the-loop](/ai-chat/patterns/human-in-the-loop) page walks through `ask_user`-style mid-turn user input end-to-end: defining a no-execute tool, rendering pending tool calls on the frontend with `addToolOutput` + `sendAutomaticallyWhen`, detecting paused turns via `finishReason`, and two persistence strategies (overwrite vs. checkpoint nodes).
+
+</Update>
+
+<Update label="April 18, 2026" description="0.0.0-chat-prerelease-20260418083610" tags={["SDK"]}>
+
+## Offline test harness for `chat.agent`
+
+`@trigger.dev/sdk/ai/test` now ships `mockChatAgent`, a harness that drives a `chat.agent` definition through real turns without network or task runtime. Send messages, actions, and stop signals; inspect emitted chunks; assert on hook order.
+
+```ts
+import { mockChatAgent } from "@trigger.dev/sdk/ai/test";
+import { MockLanguageModelV3 } from "ai/test";
+import { myAgent } from "./my-agent";
+
+const harness = mockChatAgent(myAgent, {
+  chatId: "test-1",
+  clientData: {
+    model: new MockLanguageModelV3({
+      /* ... */
+    }),
+  },
+});
+
+const turn = await harness.sendMessage({
+  id: "u1",
+  role: "user",
+  parts: [{ type: "text", text: "hi" }],
+});
+expect(turn.chunks).toContainEqual(expect.objectContaining({ type: "text-delta", delta: "hello" }));
+await harness.close();
+```
+
+### Dependency injection via locals
+
+`setupLocals` pre-seeds `locals` before `run()` starts — the pattern for injecting database clients, service stubs, and other server-side dependencies that shouldn't leak through untrusted `clientData`:
+
+```ts
+import { dbKey } from "./db";
+
+const harness = mockChatAgent(agent, {
+  chatId: "test-1",
+  setupLocals: ({ set }) => {
+    set(dbKey, testDb);
+  },
+});
+```
+
+Hooks then read the seeded value with `locals.get(dbKey)`. Falls through to the production client in real runs.
+
+See [Testing](/ai-chat/testing).
+
+## `runInMockTaskContext` — lower-level test harness
+
+`@trigger.dev/core/v3/test` now exports `runInMockTaskContext` for unit-testing any task code offline (not just chat agents). Installs in-memory managers for `locals`, `lifecycleHooks`, `runtime`, `inputStreams`, and `realtimeStreams`, plus a mock `TaskContext`. Drivers let you push data into input streams and inspect chunks written to output streams.
+
+</Update>
+
+<Update label="April 17, 2026" description="0.0.0-chat-prerelease-20260417152143" tags={["SDK"]}>
+
+## Multi-tab coordination
+
+Prevent duplicate messages when the same chat is open in multiple browser tabs. Enable with `multiTab: true` on the transport.
+
+```tsx
+const transport = useTriggerChatTransport({ task: "my-chat", multiTab: true, accessToken });
+const { messages, setMessages } = useChat({ id: chatId, transport });
+const { isReadOnly } = useMultiTabChat(transport, chatId, messages, setMessages);
+```
+
+Only one tab can send at a time. Other tabs enter read-only mode with real-time message updates via `BroadcastChannel`. When the active tab's turn completes, any tab can send next. Crashed tabs are detected via heartbeat timeout (10s).
+
+See [Multi-tab coordination](/ai-chat/frontend#multi-tab-coordination) and [`useMultiTabChat`](/ai-chat/reference#usemultitabchat).
+
+## Error stack truncation
+
+Large error stacks no longer OOM the worker process. Stacks are capped at 50 frames (top 5 + bottom 45), individual lines at 1024 chars, messages at 1000 chars. Applied in `parseError`, `sanitizeError`, and OTel span recording.
+
+</Update>
+
+<Update label="April 15, 2026" description="0.0.0-chat-prerelease-20260415164455" tags={["SDK"]}>
+
+## Fix: `resume: true` hangs on completed turns
+
+When refreshing a page after a turn completed, `useChat` with `resume: true` would hang indefinitely — `reconnectToStream` opened an SSE connection that never received data.
+
+Added `isStreaming` to session state. The transport sets it to `true` when streaming starts and `false` on `trigger:turn-complete`. `reconnectToStream` returns `null` immediately when `isStreaming` is false, so `resume: initialMessages.length > 0` is now safe to pass unconditionally.
+
+The flag flows through `onSessionChange` and is restored from `sessions` — no extra persistence code needed.
+
+</Update>
+
+<Update label="April 15, 2026" description="0.0.0-chat-prerelease-20260415152704" tags={["SDK"]}>
+
+## `hydrateMessages` — backend-controlled message history
+
+Load message history from your database on every turn instead of trusting the frontend accumulator. The hook replaces the built-in linear accumulation entirely — the backend is the source of truth.
+
+```ts
+chat.agent({
+  id: "my-chat",
+  hydrateMessages: async ({ chatId, trigger, incomingMessages }) => {
+    const stored = await db.getMessages(chatId);
+    if (trigger === "submit-message" && incomingMessages.length > 0) {
+      stored.push(incomingMessages[incomingMessages.length - 1]!);
+      await db.persistMessages(chatId, stored);
+    }
+    return stored;
+  },
+});
+```
+
+Tool approval updates are auto-merged after hydration — no extra handling needed.
+
+See [hydrateMessages](/ai-chat/lifecycle-hooks#hydratemessages).
+
+## `chat.history` — imperative message mutations
+
+Modify the accumulated message history from any hook or `run()`:
+
+```ts
+chat.history.rollbackTo(messageId); // Undo — keep up to this message
+chat.history.remove(messageId); // Remove one message
+chat.history.replace(id, newMsg); // Edit a message
+chat.history.slice(0, -2); // Remove last 2 messages
+chat.history.all(); // Read current state
+```
+
+See [chat.history](/ai-chat/backend#chat-history).
+
+## Custom actions — `actionSchema` + `onAction`
+
+Send typed actions (undo, rollback, edit) from the frontend via `transport.sendAction()`. Actions wake the agent, fire `onAction`, then trigger a normal `run()` turn.
+
+```ts
+chat.agent({
+  id: "my-chat",
+  actionSchema: z.discriminatedUnion("type", [
+    z.object({ type: z.literal("undo") }),
+    z.object({ type: z.literal("rollback"), targetMessageId: z.string() }),
+  ]),
+  onAction: async ({ action }) => {
+    if (action.type === "undo") chat.history.slice(0, -2);
+    if (action.type === "rollback") chat.history.rollbackTo(action.targetMessageId);
+  },
+});
+```
+
+Frontend: `transport.sendAction(chatId, { type: "undo" })`
+Server: `agentChat.sendAction({ type: "undo" })`
+
+See [Actions](/ai-chat/actions) and [Sending actions](/ai-chat/frontend#sending-actions).
+
+</Update>
+
+<Update label="April 14, 2026" description="0.0.0-chat-prerelease-20260414181032" tags={["SDK"]}>
+
+## `chat.response` — persistent data parts
+
+Added `chat.response.write()` for writing data parts that both stream to the frontend AND persist in `onTurnComplete`'s `responseMessage` and `uiMessages`.
+
+```ts
+// Persists to responseMessage.parts — available in onTurnComplete
+chat.response.write({ type: "data-handover", data: { context: summary } });
+
+// Transient — streams to frontend only, not in responseMessage
+writer.write({ type: "data-progress", data: { percent: 50 }, transient: true });
+```
+
+Non-transient `data-*` chunks written via lifecycle hook `writer.write()` now automatically persist to the response message, matching the AI SDK's default semantics. Add `transient: true` for ephemeral chunks (progress indicators, status updates).
+
+See [Custom data parts](/ai-chat/backend#custom-data-parts).
+
+## Tool approvals
+
+Added support for AI SDK tool approvals (`needsApproval: true`). When the model calls a tool that needs approval, the turn completes and the frontend shows approve/deny buttons. After approval, the updated assistant message is sent back and matched by ID in the accumulator.
+
+```ts
+const sendEmail = tool({
+  description: "Send an email. Requires human approval.",
+  inputSchema: z.object({ to: z.string(), subject: z.string(), body: z.string() }),
+  needsApproval: true,
+  execute: async ({ to, subject, body }) => {
+    /* ... */
+  },
+});
+```
+
+Frontend setup requires `sendAutomaticallyWhen` and `addToolApprovalResponse` from `useChat`. See [Tool approvals](/ai-chat/frontend#tool-approvals).
+
+## `transport.stopGeneration(chatId)`
+
+Added `stopGeneration` method to `TriggerChatTransport` for reliable stop after page refresh / stream reconnect. Works regardless of whether the AI SDK passes `abortSignal` through `reconnectToStream`.
+
+```tsx
+const stop = useCallback(() => {
+  transport.stopGeneration(chatId);
+  aiStop(); // also update useChat state
+}, [transport, chatId, aiStop]);
+```
+
+See [Stop generation](/ai-chat/frontend#stop-generation).
+
+## `generateMessageId` support
+
+`generateMessageId` can now be passed via `uiMessageStreamOptions` to control response message ID generation (e.g. UUID-v7). The backend automatically passes `originalMessages` to `toUIMessageStream` so message IDs are consistent between frontend and backend.
+
+## Bug fixes
+
+- **`onTurnComplete` not called**: Fixed `turnCompleteResult?.lastEventId` TypeError that silently skipped `onTurnComplete` when `writeTurnCompleteChunk` returned undefined in dev.
+- **Stop during streaming**: Added 2s timeout on `onFinishPromise` so `onBeforeTurnComplete` and `onTurnComplete` fire even when the AI SDK's `onFinish` doesn't fire after abort.
+- **`toStreamTextOptions` without `chat.prompt.set()`**: `prepareStep` injection (compaction, steering, background context) now works even when the user passes `system` directly to `streamText` instead of using `chat.prompt.set()`.
+- **Background queue vs tool approvals**: Background context injection is now skipped when the last accumulated message is a `tool` message, preventing it from breaking `streamText`'s `collectToolApprovals`.
+
+</Update>
diff --git a/docs/ai-chat/chat-local.mdx b/docs/ai-chat/chat-local.mdx
new file mode 100644
index 00000000000..7317877b6cd
--- /dev/null
+++ b/docs/ai-chat/chat-local.mdx
@@ -0,0 +1,174 @@
+---
+title: "chat.local"
+sidebarTitle: "chat.local"
+description: "Typed, run-scoped data accessible from hooks, run(), tools, and subtasks. Survives across turns, auto-cleared between runs, auto-hydrated into subtasks."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+Use `chat.local` to create typed, run-scoped data that persists across turns and is accessible from anywhere — the run function, tools, nested helpers. Each run gets its own isolated copy, and locals are automatically cleared between runs.
+
+Lifecycle hooks and **`run`** also receive **`ctx`** ([`TaskRunContext`](/ai-chat/reference#task-context-ctx)) — the same object as on a standard `task()` — for tags, metadata, and cleanup that needs the full run record.
+
+When a subtask is invoked via `ai.toolExecute()` (or the deprecated `ai.tool()`), initialized locals are automatically serialized into the subtask's metadata and hydrated on first access — no extra code needed. Subtask changes to hydrated locals are local to the subtask and don't propagate back to the parent.
+
+## Declaring and initializing
+
+Declare locals at module level with a unique `id`, then initialize them inside a lifecycle hook where you have context (chatId, clientData, etc.):
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText, tool, stepCountIs } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+import { z } from "zod";
+import { db } from "@/lib/db";
+
+// Declare at module level — each local needs a unique id
+const userContext = chat.local<{
+  userId: string;
+  name: string;
+  plan: "free" | "pro";
+  messageCount: number;
+}>({ id: "userContext" });
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  clientDataSchema: z.object({ userId: z.string() }),
+  onBoot: async ({ clientData }) => {
+    // Initialize with real data from your database
+    const user = await db.user.findUnique({
+      where: { id: clientData.userId },
+    });
+    userContext.init({
+      userId: clientData.userId,
+      name: user.name,
+      plan: user.plan,
+      messageCount: user.messageCount,
+    });
+  },
+  run: async ({ messages, signal }) => {
+    userContext.messageCount++;
+
+    return streamText({
+      model: anthropic("claude-sonnet-4-5"),
+      system: `Helping ${userContext.name} (${userContext.plan} plan).`,
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+<Warning>
+  Initialize `chat.local` in [`onBoot`](/ai-chat/lifecycle-hooks#onboot), not `onChatStart`. `onBoot` fires on every fresh worker — including continuation runs (post-cancel, crash, `endRun`, `requestUpgrade`, OOM retry) — whereas `onChatStart` only fires on the chat's very first message. Initializing in `onChatStart` means `run()` will crash on continuation runs with `chat.local can only be modified after initialization`.
+</Warning>
+
+## Accessing from tools
+
+Locals are accessible from anywhere during task execution — including AI SDK tools:
+
+```ts
+const userContext = chat.local<{ plan: "free" | "pro" }>({ id: "userContext" });
+
+const premiumTool = tool({
+  description: "Access premium features",
+  inputSchema: z.object({ feature: z.string() }),
+  execute: async ({ feature }) => {
+    if (userContext.plan !== "pro") {
+      return { error: "This feature requires a Pro plan." };
+    }
+    // ... premium logic
+  },
+});
+```
+
+## Accessing from subtasks
+
+When you use `ai.toolExecute()` inside AI SDK `tool()` to expose a subtask, chat locals are automatically available read-only:
+
+```ts
+import { chat, ai } from "@trigger.dev/sdk/ai";
+import { schemaTask } from "@trigger.dev/sdk";
+import { streamText, tool } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+import { z } from "zod";
+
+const userContext = chat.local<{ name: string; plan: "free" | "pro" }>({ id: "userContext" });
+
+export const analyzeDataTask = schemaTask({
+  id: "analyze-data",
+  schema: z.object({ query: z.string() }),
+  run: async ({ query }) => {
+    // userContext.name just works — auto-hydrated from parent metadata
+    console.log(`Analyzing for ${userContext.name}`);
+    // Changes here are local to this subtask and don't propagate back
+  },
+});
+
+const analyzeData = tool({
+  description: analyzeDataTask.description ?? "",
+  inputSchema: analyzeDataTask.schema!,
+  execute: ai.toolExecute(analyzeDataTask),
+});
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  onBoot: async ({ clientData }) => {
+    userContext.init({ name: "Alice", plan: "pro" });
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      tools: { analyzeData },
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+<Note>
+  Values must be JSON-serializable for subtask access. Non-serializable values (functions, class instances, etc.) will be lost during transfer.
+</Note>
+
+## Dirty tracking and persistence
+
+The `hasChanged()` method returns `true` if any property was set since the last check, then resets the flag. Use it in lifecycle hooks to only persist when data actually changed:
+
+```ts
+onTurnComplete: async ({ chatId }) => {
+  if (userContext.hasChanged()) {
+    await db.user.update({
+      where: { id: userContext.get().userId },
+      data: {
+        messageCount: userContext.messageCount,
+      },
+    });
+  }
+},
+```
+
+## API
+
+| Method | Description |
+|--------|-------------|
+| `chat.local<T>({ id })` | Create a typed local with a unique id (declare at module level) |
+| `local.init(value)` | Initialize with a value (call in hooks or `run`) |
+| `local.hasChanged()` | Returns `true` if modified since last check, resets flag |
+| `local.get()` | Returns a plain object copy (for serialization) |
+| `local.property` | Direct property access (read/write via Proxy) |
+
+<Note>
+  Locals use shallow proxying. Nested object mutations like `local.prefs.theme = "dark"` won't trigger the dirty flag. Instead, replace the whole property: `local.prefs = { ...local.prefs, theme: "dark" }`.
+</Note>
+
+## See also
+
+- [Lifecycle hooks](/ai-chat/lifecycle-hooks) — `onBoot` is the canonical init site for `chat.local`.
+- [Database persistence pattern](/ai-chat/patterns/database-persistence) — full per-hook breakdown using `chat.local` alongside DB rows.
+- [Code execution sandbox pattern](/ai-chat/patterns/code-sandbox) — example of using `chat.local` to hold a sandbox handle across turns.
+- [Database connections](/database-connections) — why the database client and its connection pool belong at module scope, not in `chat.local`.
diff --git a/docs/ai-chat/client-protocol.mdx b/docs/ai-chat/client-protocol.mdx
new file mode 100644
index 00000000000..0a94327b78c
--- /dev/null
+++ b/docs/ai-chat/client-protocol.mdx
@@ -0,0 +1,1081 @@
+---
+title: "Client Protocol"
+sidebarTitle: "Client Protocol"
+description: "The wire protocol for building custom chat transports — how clients communicate with chat agents over Sessions and SSE."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+This page documents the protocol that chat clients use to communicate with `chat.agent()` tasks. Use this if you're building a custom transport (e.g., for a Slack bot, CLI tool, or native app) instead of using the built-in `TriggerChatTransport` or `AgentChat`.
+
+<Note>
+  Most users don't need this. Use [`TriggerChatTransport`](/ai-chat/frontend) for browser apps or [`AgentChat`](/ai-chat/server-chat) for server-side code. This page is for building your own from scratch.
+</Note>
+
+## Overview
+
+`chat.agent` is built on a durable Session row — the unit of state that owns the chat's runs across their full lifecycle. A conversation is one session; a session can host many runs over its lifetime.
+
+The protocol has three parts:
+
+1. **Create the session** — idempotent on your chat ID. Creates the row **and** triggers the first run in one call. Returns the `publicAccessToken` you'll use for everything else.
+2. **Subscribe to `.out`** — receive `UIMessageChunk` events via SSE.
+3. **Append to `.in`** — send subsequent user messages, stops, or actions.
+
+```mermaid
+sequenceDiagram
+  participant Client
+  participant API as Trigger.dev API
+  participant Agent as Chat Agent Run
+
+  Client->>API: POST /api/v1/sessions { type: "chat.agent", externalId, taskIdentifier, triggerConfig.basePayload }
+  API-->>Client: { id: sessionId, runId, publicAccessToken, ... }
+  Client->>API: GET /realtime/v1/sessions/{sessionId}/out (SSE subscribe)
+  Agent-->>Client: UIMessageChunk stream...
+  Agent-->>Client: turn-complete control record
+  Client->>API: POST /realtime/v1/sessions/{sessionId}/in/append { kind: "message", payload: { message, ... } }
+  Agent-->>Client: UIMessageChunk stream...
+  Agent-->>Client: turn-complete control record
+```
+
+<Note>
+  **Stream lifetime.** `session.out` is bounded. After each turn-complete control record, the agent appends an S2 `trim` command record back to the previous turn-complete's seq_num — the stream stays roughly one turn long forever at steady state. Full conversation history lives in a durable S3 snapshot, not on the stream. The transport's `lastEventId` bookmark plus S2's eventually-consistent trim window (10-60s) keeps single-turn-boundary resume working; multi-turn-away resume falls back to the snapshot. See [Resuming a stream](#resuming-a-stream) and [How history is rebuilt](#how-history-is-rebuilt).
+</Note>
+
+<Note>
+  **Session create triggers a run.** Unlike `POST /api/v1/tasks/{taskId}/trigger`, `POST /api/v1/sessions` is the **only** entry point for chat-agent runs. The session row is task-bound and the first run is triggered atomically as part of the create call. Don't call `/tasks/{taskId}/trigger` directly for `chat.agent` tasks — the resulting run won't be bound to a session and `.in`/`.out` won't reach it.
+</Note>
+
+<Note>
+  **One message per record.** Each `.in/append` carries at most one new `UIMessage` — the new user turn or a tool-approval response. The agent rebuilds prior history at run boot from a durable object-store snapshot plus a replay of the `session.out` tail; clients never ship full conversation history on the wire. See [How history is rebuilt](#how-history-is-rebuilt).
+</Note>
+
+## End-to-end curl recipe
+
+A single-shell walk-through of the whole protocol — copy, fill in `BASE_URL` / `SECRET_KEY` / `TASK_ID`, and run. Drives a two-turn conversation (`pong` → `echo`) using only `curl` and `jq`.
+
+```bash
+BASE_URL="https://api.trigger.dev"   # or your local webapp
+SECRET_KEY="tr_dev_..."              # secret API key for the env
+TASK_ID="ai-chat"                    # your chat.agent task id
+CHAT_ID=$(uuidgen | tr '[:upper:]' '[:lower:]')
+
+# 1. Create session + trigger first run with the user's first message.
+RESP=$(curl -sS -X POST "$BASE_URL/api/v1/sessions" \
+  -H "Authorization: Bearer $SECRET_KEY" \
+  -H "Content-Type: application/json" \
+  -d @- <<JSON
+{
+  "type": "chat.agent",
+  "externalId": "$CHAT_ID",
+  "taskIdentifier": "$TASK_ID",
+  "triggerConfig": {
+    "basePayload": {
+      "chatId": "$CHAT_ID",
+      "trigger": "submit-message",
+      "message": {
+        "id": "u1",
+        "role": "user",
+        "parts": [{ "type": "text", "text": "Reply with the single word: pong." }]
+      },
+      "metadata": { "userId": "demo-user" }
+    }
+  }
+}
+JSON
+)
+SESSION_ID=$(echo "$RESP" | jq -r .id)
+PAT=$(echo "$RESP" | jq -r .publicAccessToken)
+echo "Session: $SESSION_ID  PAT: ${PAT:0:24}..."
+
+# 2. Subscribe to .out and read until the turn-complete control record.
+#    The doc's self-contained parser (Step 2) shows full SSE handling;
+#    this recipe just greps for `text-delta` data records and the
+#    `trigger-control` header on the `turn-complete` control record,
+#    then extracts the last seq_num so step 4 can resume from it.
+SSE=$(curl -sS --max-time 30 -N \
+  -H "Authorization: Bearer $PAT" \
+  -H "Accept: text/event-stream" \
+  -H "Timeout-Seconds: 20" \
+  "$BASE_URL/realtime/v1/sessions/$SESSION_ID/out")
+echo "$SSE" | grep -E 'text-delta|trigger-control' | head -2
+LAST_SEQ=$(echo "$SSE" | grep -oE '"seq_num":[0-9]+' | tail -1 | grep -oE '[0-9]+')
+echo "lastSeq: $LAST_SEQ"
+
+# 3. Send a follow-up via .in/append.
+curl -sS -X POST "$BASE_URL/realtime/v1/sessions/$SESSION_ID/in/append" \
+  -H "Authorization: Bearer $PAT" \
+  -H "Content-Type: application/json" \
+  -d @- <<JSON
+{
+  "kind": "message",
+  "payload": {
+    "chatId": "$CHAT_ID",
+    "trigger": "submit-message",
+    "message": {
+      "id": "u2",
+      "role": "user",
+      "parts": [{ "type": "text", "text": "Now reply with: echo." }]
+    },
+    "metadata": { "userId": "demo-user" }
+  }
+}
+JSON
+
+# 4. Re-subscribe with Last-Event-ID so we resume past turn 1's records
+#    and read turn 2 only.
+curl -sS --max-time 30 -N \
+  -H "Authorization: Bearer $PAT" \
+  -H "Accept: text/event-stream" \
+  -H "Timeout-Seconds: 20" \
+  -H "Last-Event-ID: $LAST_SEQ" \
+  "$BASE_URL/realtime/v1/sessions/$SESSION_ID/out" \
+  | grep -m 2 -E 'text-delta|trigger-control'
+```
+
+The rest of this page details each step.
+
+## Step 1: Create the session and trigger the first run
+
+`POST /api/v1/sessions` does two things atomically: it creates (or returns) a session row, and triggers the first run for that session. Use your stable chat ID as `externalId` to make creation idempotent — two concurrent clients for the same chat converge on the same row, and a repeat call returns the existing session without triggering a duplicate run.
+
+The `trigger` value inside `basePayload` decides what the first run does:
+
+<CodeGroup>
+```bash trigger: "preload" — warm the agent, no message yet
+POST /api/v1/sessions
+Authorization: Bearer <secret-key-or-jwt>
+Content-Type: application/json
+
+{
+  "type": "chat.agent",
+  "externalId": "conversation-123",
+  "taskIdentifier": "ai-chat",
+  "triggerConfig": {
+    "basePayload": {
+      "chatId": "conversation-123",
+      "trigger": "preload",
+      "metadata": { "userId": "user-456" }
+    }
+  },
+  "tags": ["chat:conversation-123"]
+}
+```
+
+```bash trigger: "submit-message" — process first user message immediately
+POST /api/v1/sessions
+Authorization: Bearer <secret-key-or-jwt>
+Content-Type: application/json
+
+{
+  "type": "chat.agent",
+  "externalId": "conversation-123",
+  "taskIdentifier": "ai-chat",
+  "triggerConfig": {
+    "basePayload": {
+      "chatId": "conversation-123",
+      "trigger": "submit-message",
+      "message": {
+        "id": "msg-1",
+        "role": "user",
+        "parts": [{ "type": "text", "text": "Hello!" }]
+      },
+      "metadata": { "userId": "user-456" }
+    }
+  },
+  "tags": ["chat:conversation-123"]
+}
+```
+</CodeGroup>
+
+Pick `"preload"` when the UI has rendered but the user hasn't typed (warms the agent so the first response is fast); pick `"submit-message"` when you already have the first message and want it processed in the same call.
+
+### Required fields
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `type` | `string` | Discriminator. Use `"chat.agent"`. |
+| `taskIdentifier` | `string` | The `id` you passed to `chat.agent({ id: ... })` — e.g. `"ai-chat"`. |
+| `triggerConfig.basePayload` | `object` | The wire payload sent to the **first run** created by this call. Same shape as [`ChatTaskWirePayload`](#chattaskwirepayload) in Step 3. Durable fields (`chatId`, `metadata`, `idleTimeoutInSeconds`, `sessionId`) flow through to continuation runs too; first-turn-only fields (`message`, `trigger`) are stripped on continuations — those are session-create concerns and don't replay. See [What goes in `basePayload`](#what-goes-in-basepayload) below. |
+
+### Optional fields
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `externalId` | `string` | Your stable chat ID. Strongly recommended — without it, repeat calls create new sessions. Cannot start with `session_`. |
+| `tags` | `string[]` | Up to 10 dashboard tags. |
+| `metadata` | `object` | Arbitrary JSON metadata stored on the session row (separate from `basePayload.metadata`, which goes to the agent). |
+| `expiresAt` | `string` (ISO date) | Retention cap. |
+| `triggerConfig.machine` | `string` | Machine preset (`micro`, `small-1x`, …) for every run. |
+| `triggerConfig.queue` | `string` | Queue name. |
+| `triggerConfig.tags` | `string[]` | Tags applied to every run (in addition to session-level `tags`). |
+| `triggerConfig.maxAttempts` | `number` | Per-run retry cap (1–10). |
+| `triggerConfig.maxDuration` | `number` | Per-run wall-clock cap, seconds. |
+| `triggerConfig.lockToVersion` | `string` | Pin every run to a specific worker version. |
+| `triggerConfig.region` | `string` | Region preference. |
+| `triggerConfig.idleTimeoutInSeconds` | `number` | Surfaced to the agent through the wire payload (1–3600). |
+
+### What goes in `basePayload`
+
+`basePayload` is the [`ChatTaskWirePayload`](#chattaskwirepayload) sent to the agent at run boot — the same shape used for every subsequent `.in/append` (Step 3). Two fields you must always include:
+
+- `chatId` — should equal your `externalId`. The agent uses this as its conversation identity (e.g. as a DB key in `hydrateMessages`); the `externalId` is what the URL routes resolve. Setting them to the same value is the standard pattern and the only way the built-in clients work.
+- `trigger` — see the two examples above. `"preload"` and `"submit-message"` are the only valid choices for the first run; the others (`"regenerate-message"`, `"action"`, `"close"`, `"handover-prepare"`) are for subsequent `.in/append` calls.
+
+The agent's typed `clientData` (declared via `chat.withClientData({ schema: ... })`) is read from `basePayload.metadata`. If your agent declares `clientData: { userId: string }`, then `metadata.userId` is required on every run — including the first one in `basePayload`.
+
+### Response
+
+```http
+HTTP/1.1 201 Created
+content-type: application/json; charset=utf-8
+x-trigger-jwt: eyJhbGciOi...
+x-trigger-jwt-claims: {"sub":"...","scopes":["read:runs:run_abc123","write:inputStreams:run_abc123"]}
+
+{
+  "id": "session_cm4z2plfh000abcd1efgh",
+  "externalId": "conversation-123",
+  "type": "chat.agent",
+  "taskIdentifier": "ai-chat",
+  "triggerConfig": { "basePayload": { /* echoed back */ } },
+  "currentRunId": "run_abc123",
+  "tags": ["chat:conversation-123"],
+  "metadata": null,
+  "closedAt": null,
+  "closedReason": null,
+  "expiresAt": null,
+  "createdAt": "2026-04-24T09:00:00.000Z",
+  "updatedAt": "2026-04-24T09:00:00.000Z",
+  "runId": "run_abc123",
+  "publicAccessToken": "eyJhbGciOi...",
+  "isCached": false
+}
+```
+
+| Field | Description |
+| --- | --- |
+| `id` | The `session_*` friendly ID. Stable for the life of the conversation. |
+| `runId` / `currentRunId` | Friendly ID of the first run. Identical on a fresh create; will diverge over the conversation (see [Continuations](#continuations)). |
+| `publicAccessToken` | Session-scoped JWT carrying `read:sessions:{externalId}` + `write:sessions:{externalId}`. **This is the token you use for every subsequent `.in`/`.out` call.** Persist it. Lifetime is 60 minutes — see [Refreshing the token](#refreshing-the-token). |
+| `isCached` | `true` if the session existed already (idempotent re-create). HTTP status is 200 in that case, 201 on a fresh create. |
+
+<Warning>
+  **Use `publicAccessToken` from the body, not the `x-trigger-jwt` response header.** The header is included by the underlying run-trigger machinery and carries **run-scoped** scopes (`read:runs:{runId}` + `write:inputStreams:{runId}`) — it cannot subscribe to `.out` or append to `.in`. The body's `publicAccessToken` is the only token with the correct session-level scopes.
+</Warning>
+
+### Idempotency
+
+Re-calling `POST /api/v1/sessions` with the same `(taskIdentifier, externalId)` pair is **idempotent for the lifetime of the session**:
+
+- If the session is still alive: returns the existing row with `isCached: true`, `runId` unchanged, and a **fresh** 60-minute `publicAccessToken`. No duplicate run is triggered. (Idle/exited runs are different — see [Continuations](#continuations).)
+- If the session has been closed (`POST /api/v1/sessions/{id}/close`): returns **HTTP 409**. Closed is one-way; reuse a different `externalId` to start a new conversation.
+- Any tags / metadata / expiresAt / triggerConfig fields you send on the cached path are written through to the row, so you can update e.g. `triggerConfig.basePayload.metadata` mid-conversation. The new fields apply to **future** runs (continuations); the currently-live run keeps its original config.
+
+<Warning>
+  **A cached re-POST does not deliver a new `basePayload.message`.** `basePayload` is run-trigger config, not a message channel — the existing run keeps streaming and your message is silently dropped. To send a follow-up message, use `POST /realtime/v1/sessions/{sessionId}/in/append` (Step 3).
+</Warning>
+
+### Refreshing the token
+
+The `publicAccessToken` returned by `POST /api/v1/sessions` is valid for 60 minutes. Two ways to keep going past that:
+
+1. **Take refreshed tokens from the stream.** Every `turn-complete` control record on `.out` carries a `public-access-token` header with a refreshed JWT (see [`turn-complete` control record](#turn-complete-control-record)). For active conversations this just rolls — replace your stored token whenever the header is present.
+2. **Re-call `POST /api/v1/sessions`.** Idempotent, returns `isCached: true` and a brand-new 60-minute token. Use this if a chat goes idle long enough that the SSE stream has closed and you need to resume.
+
+<Note>
+  The built-in SDK clients (`TriggerChatTransport` from `@trigger.dev/sdk`, `AgentChat` from `@trigger.dev/sdk/chat`) call this endpoint and persist the refreshed `publicAccessToken` automatically, refreshing on every `turn-complete` control record.
+</Note>
+
+## Step 2: Subscribe to `.out`
+
+Subscribe to the agent's response via SSE on the session's `.out` channel:
+
+```
+GET /realtime/v1/sessions/{sessionId}/out
+Authorization: Bearer <publicAccessToken>
+Accept: text/event-stream
+```
+
+`Accept: text/event-stream` is required — without it the request is rejected as a non-SSE caller.
+
+The URL accepts either form for `{sessionId}`: the friendly `session_*` ID, or your `externalId` (the chat ID you created the session with). The `publicAccessToken` from session-create authorizes both forms. Pick whichever your client already has on hand.
+
+A session's `.out` stays the same across runs, so the client doesn't need to re-subscribe when a new run starts on the same chat. `seq_num` is **monotonically increasing across the entire session**, not just within one run — turn 1 might emit seq 0–9, turn 2 picks up at seq 10+, a continuation run on the same session continues numbering from there. This is why a single `Last-Event-ID` cursor is sufficient to resume across turns and across runs.
+
+### Stream timeout
+
+The SSE long-polls until either a record arrives or the timeout expires. The default is **60 seconds**; cap it explicitly via the `Timeout-Seconds` request header (1–600):
+
+```
+GET /realtime/v1/sessions/{sessionId}/out
+Authorization: Bearer <publicAccessToken>
+Accept: text/event-stream
+Timeout-Seconds: 30
+```
+
+If nothing arrives by the deadline, the server sends `data: [DONE]` and closes. Reconnect with `Last-Event-ID` to continue (see [Resuming a stream](#resuming-a-stream)).
+
+### Stream format (S2)
+
+The output stream uses [S2](https://s2.dev) under the hood and follows the standard SSE wire format ([WHATWG spec](https://html.spec.whatwg.org/multipage/server-sent-events.html#parsing-an-event-stream)). Three event types arrive on the wire:
+
+| Event | Meaning |
+| --- | --- |
+| `batch` | One or more records. The records you actually care about. |
+| `ping` | Keepalive (~every 5s on idle). Body is `{"timestamp": <ms>}`. Ignore it. |
+| _(no `event:`, just `data: [DONE]`)_ | Stream is closing — server sends this once before EOF. |
+
+A `batch` event in raw SSE format looks like this — note the `data` is a single line of JSON, no embedded newlines (per the SSE spec):
+
+```
+id: 0,1,106
+event: batch
+data: {"records":[{"seq_num":0,"timestamp":1712150400000,"body":"{\"data\":{\"type\":\"text-delta\",\"id\":\"msg_1\",\"delta\":\"pong\"},\"id\":\"abc\"}"}],"tail":{"seq_num":10,"timestamp":1712150400500}}
+
+```
+
+The `id:` line on the wire is a comma-separated triple internal to S2 (`startSeq,endSeq,byteOffset`) — **don't try to parse it**. Use `record.seq_num` from inside the `data` body instead (see [Resuming a stream](#resuming-a-stream)).
+
+Decoded `data` payload:
+
+```json
+{
+  "records": [
+    {
+      "seq_num": 0,
+      "timestamp": 1712150400000,
+      "body": "{\"data\":{\"type\":\"text-delta\",\"id\":\"msg_1\",\"delta\":\"pong\"},\"id\":\"abc\"}"
+    }
+  ],
+  "tail": {
+    "seq_num": 10,
+    "timestamp": 1712150400500
+  }
+}
+```
+
+| Field | Description |
+| --- | --- |
+| `records[]` | One or more records delivered in this batch, in arrival order. |
+| `records[].seq_num` | Monotonic per-record cursor. Use the **last** one you successfully processed as your `Last-Event-ID` on resume. |
+| `records[].timestamp` | Unix ms when the record was written to S2. |
+| `records[].body` | For data records: a JSON-encoded **string** wrapping `{ data: UIMessageChunk, id: string }`. For control records: an empty string (semantics live in `headers`). For S2 command records: opaque bytes. See [Records on session.out](#records-on-session-out). |
+| `records[].headers` | Optional `[name, value]` pairs. Empty for data records; a `trigger-control` entry for control records; a single empty-name `["", "<op>"]` entry for S2 command records. |
+| `tail.seq_num` | Latest known tail of the S2 stream — useful for detecting how far behind the live edge you are. Skip if you don't need it. |
+| `tail.timestamp` | Timestamp of `tail.seq_num`. |
+
+### Records on `session.out`
+
+Three kinds of records can arrive on the wire. They all share the `batch` envelope above; you tell them apart by `headers`.
+
+| Kind | `headers[0][0]` | `headers` carries | `body` |
+| --- | --- | --- | --- |
+| **Data record** | _empty array or non-empty name_ | (currently none from the agent) | JSON envelope `{"data": UIMessageChunk, "id": <partId>}` |
+| **Trigger control record** | `"trigger-control"` | `["trigger-control", <subtype>]` plus subtype-specific siblings (e.g. `["public-access-token", <jwt>]` and `["session-in-event-id", <seq>]` on `turn-complete`) | empty string |
+| **S2 command record** | `""` (empty name) | `["", "<op>"]` (currently `"trim"`) | opaque bytes — S2-interpreted |
+
+**Uniform filter rule for custom readers:**
+
+```ts
+// Always advance the resume cursor — even for records you skip.
+lastEventId = String(record.seq_num);
+
+// S2 command record: bump cursor, don't dispatch.
+if (record.headers?.[0]?.[0] === "") continue;
+
+// Trigger control record: route by `trigger-control` value, don't
+// dispatch as a UIMessageChunk.
+const controlValue = record.headers?.find(([name]) => name === "trigger-control")?.[1];
+if (controlValue === "turn-complete") {
+  const token = record.headers.find(([name]) => name === "public-access-token")?.[1];
+  // ...fire your turn-complete handler with the optional refreshed token...
+  continue;
+}
+if (controlValue === "upgrade-required") {
+  // ...your upgrade flow, if any. The server has already swapped the run
+  // by the time this arrives — subsequent chunks are from the new run...
+  continue;
+}
+
+// Otherwise: data record. Parse the body, dispatch the UIMessageChunk.
+const { data: chunk } = JSON.parse(record.body);
+```
+
+Built-in SDK transports (`TriggerChatTransport`, `AgentChat`) handle all of this for you — control records surface via `onTurnComplete({ chatId, lastEventId, publicAccessToken })` and the upgrade flow. Custom transports need the routing above.
+
+<Note>
+  **Prior wire shape.** Earlier SDK versions emitted `trigger:turn-complete` and `trigger:upgrade-required` as `UIMessageChunk`-shaped data records with `chunk.type === "trigger:turn-complete"`. Current versions use the header-form control records described above. Built-in SDK transports handle the new shape transparently; custom transports filtering on `chunk.type` need to switch to the `trigger-control` header check.
+</Note>
+
+### Built-in parser (recommended for SDK users)
+
+If you're working in TypeScript and depending on `@trigger.dev/core/v3` is acceptable, use `SSEStreamSubscription` — it handles batch decoding, deduplication, command-record filtering, and `Last-Event-ID` tracking for you:
+
+```ts
+import { SSEStreamSubscription, controlSubtype } from "@trigger.dev/core/v3";
+
+const subscription = new SSEStreamSubscription(
+  `${baseUrl}/realtime/v1/sessions/${sessionId}/out`,
+  {
+    headers: { Authorization: `Bearer ${publicAccessToken}` },
+    timeoutInSeconds: 120,
+    lastEventId,
+  }
+);
+
+const stream = await subscription.subscribe();
+const reader = stream.getReader();
+
+while (true) {
+  const { done, value } = await reader.read();
+  if (done) break;
+
+  // value is { id, chunk, timestamp, headers }. S2 command records are
+  // filtered out of this stream entirely (cursor still advances). Trigger
+  // control records pass through with `chunk === undefined` and a
+  // `trigger-control` header.
+  const control = controlSubtype(value.headers);
+  if (control === "turn-complete") break;
+  if (control === "upgrade-required") continue;
+
+  const chunk = value.chunk as { type?: string; delta?: string } | undefined;
+  if (chunk?.type === "text-delta") process.stdout.write(chunk.delta ?? "");
+}
+```
+
+### Self-contained parser (for custom transports)
+
+If you're building a transport in another language or don't want the dependency, here's a complete reader. It handles the SSE framing, the comma-separated `id:` line, batch unwrapping, the inner `body` string, and `ping` / `[DONE]` events:
+
+```ts
+async function* readSessionOut(
+  url: string,
+  publicAccessToken: string,
+  opts: { lastEventId?: string; timeoutSeconds?: number } = {}
+) {
+  const headers: Record<string, string> = {
+    Authorization: `Bearer ${publicAccessToken}`,
+    Accept: "text/event-stream",
+  };
+  if (opts.lastEventId) headers["Last-Event-ID"] = opts.lastEventId;
+  if (opts.timeoutSeconds) headers["Timeout-Seconds"] = String(opts.timeoutSeconds);
+
+  const res = await fetch(url, { headers });
+  if (!res.ok || !res.body) throw new Error(`SSE failed: ${res.status}`);
+
+  const decoder = new TextDecoder();
+  const reader = res.body.getReader();
+  let buf = "";
+
+  while (true) {
+    const { done, value } = await reader.read();
+    if (done) return;
+    buf += decoder.decode(value, { stream: true });
+
+    // SSE events are separated by blank lines (CRLF or LF).
+    const events = buf.split(/\r?\n\r?\n/);
+    buf = events.pop() ?? ""; // last chunk is incomplete
+
+    for (const raw of events) {
+      let eventType = "message"; // SSE default
+      const dataLines: string[] = [];
+      for (const line of raw.split(/\r?\n/)) {
+        if (line.startsWith("event:")) eventType = line.slice(6).trim();
+        else if (line.startsWith("data:")) dataLines.push(line.slice(5).trimStart());
+        // We deliberately ignore `id:` — use record.seq_num for resume cursors.
+      }
+      const data = dataLines.join("\n");
+      if (!data) continue;
+
+      if (eventType === "ping") continue;
+      if (data === "[DONE]") return;
+
+      if (eventType === "batch") {
+        const batch = JSON.parse(data) as {
+          records: Array<{
+            seq_num: number;
+            timestamp: number;
+            body: string;
+            headers?: Array<[string, string]>;
+          }>;
+        };
+        for (const record of batch.records) {
+          const firstHeaderName = record.headers?.[0]?.[0];
+
+          // S2 command record (trim/fence) — bump cursor, skip dispatch.
+          if (firstHeaderName === "") {
+            yield { seqNum: record.seq_num, timestamp: record.timestamp, kind: "command" };
+            continue;
+          }
+
+          // Trigger control record (turn-complete, upgrade-required) —
+          // semantics live in headers, body is empty. Route by header.
+          const controlValue = record.headers?.find(([n]) => n === "trigger-control")?.[1];
+          if (controlValue) {
+            const token = record.headers?.find(([n]) => n === "public-access-token")?.[1];
+            yield {
+              seqNum: record.seq_num,
+              timestamp: record.timestamp,
+              kind: "control",
+              subtype: controlValue,
+              publicAccessToken: token,
+            };
+            continue;
+          }
+
+          // Data record — UIMessageChunk wrapped in `{ data, id }`.
+          const inner = JSON.parse(record.body) as { data: unknown; id: string };
+          yield {
+            seqNum: record.seq_num, // use this for Last-Event-ID on resume
+            timestamp: record.timestamp,
+            kind: "data",
+            chunk: inner.data, // the actual UIMessageChunk
+          };
+        }
+      }
+    }
+  }
+}
+```
+
+Driving it:
+
+```ts
+let lastSeq: string | undefined;
+for await (const ev of readSessionOut(sseUrl, publicAccessToken)) {
+  lastSeq = String(ev.seqNum);                       // always advance the cursor
+
+  if (ev.kind === "command") continue;               // S2 trim/fence — skip
+  if (ev.kind === "control") {
+    if (ev.subtype === "turn-complete") break;       // turn done
+    if (ev.subtype === "upgrade-required") continue; // run swap handled server-side
+    continue;
+  }
+
+  // ev.kind === "data" — the UIMessageChunk
+  const chunk = ev.chunk as { type: string; delta?: string };
+  if (chunk.type === "text-delta") process.stdout.write(chunk.delta ?? "");
+}
+// On reconnect, pass `lastEventId: lastSeq` to resume from the next record.
+```
+
+### Chunk types
+
+Data records on the stream carry a `UIMessageChunk` from the [AI SDK](https://ai-sdk.dev/docs/ai-sdk-ui/ui-message-stream). Two Trigger.dev-specific control events ride alongside as **header-form control records** (see [Records on session.out](#records-on-session-out)).
+
+Within a single assistant turn the AI SDK chunk types you'll typically see, in order:
+
+| Chunk type | Shape | Notes |
+| --- | --- | --- |
+| `start` | `{ type: "start", messageId: string }` | First chunk of a new assistant message. **Persist `messageId`** — you'll need it to send tool-approval responses (see [Tool approval responses](#tool-approval-responses)). |
+| `start-step` | `{ type: "start-step" }` | New `prepareStep` boundary. |
+| `text-start` / `text-delta` / `text-end` | `{ type: ..., id: string, delta?: string }` | Streaming text. Concatenate `delta`s for the visible reply. |
+| `tool-input-start` / `tool-input-delta` / `tool-input-available` | tool-call argument streaming | The tool the model is calling. |
+| `tool-output-available` | tool result | After the agent runs the tool. |
+| `data-*` | `{ type: "data-<name>", data: ... }` | Custom data parts written by the agent's hooks. |
+| `finish-step` / `finish` | end markers for the assistant message | Followed by the `turn-complete` control record. |
+
+Refer to the AI SDK docs linked above for the full union — only the two control records below are Trigger.dev-specific.
+
+### `turn-complete` control record
+
+Signals that the agent's turn is finished — stop reading and wait for user input.
+
+```
+headers:
+  ["trigger-control", "turn-complete"]
+  ["public-access-token", "eyJ..."]   // optional, refreshed JWT
+  ["session-in-event-id", "42"]       // optional, agent-internal resume cursor
+body: ""
+```
+
+| Header | Description |
+| --- | --- |
+| `trigger-control: turn-complete` | Always present on this record. |
+| `public-access-token: <jwt>` (optional) | A refreshed JWT with the same session + run scopes. If present, replace your stored token. |
+| `session-in-event-id: <seq>` (optional) | Internal cursor used by the agent to resume `.in` across worker boots without replaying already-processed user messages. Custom transports should ignore this header — it carries no client-side meaning. |
+
+When you receive this record:
+1. Update `publicAccessToken` if one is included on the headers.
+2. Close the stream reader (unless you want to keep it open across turns — see [Resuming a stream](#resuming-a-stream)).
+3. Wait for the next user message before sending on `.in`.
+
+### `upgrade-required` control record
+
+Signals that the agent cannot handle this message on its current version and a new run has been started. Emitted when the agent calls [`chat.requestUpgrade()`](/ai-chat/patterns/version-upgrades).
+
+```
+headers:
+  ["trigger-control", "upgrade-required"]
+body: ""
+```
+
+The server has already swapped the run on the same session by the time this record is delivered. Subsequent records on the same SSE subscription come from the new run.
+
+When you receive this record:
+1. Treat it as informational — no client action required. The same SSE keeps streaming the new run's chunks on the same session.
+2. Optionally surface a "switched to vN.N+1" indicator in your UI.
+
+The built-in clients handle this transparently.
+
+### Resuming a stream
+
+If the SSE connection drops, reconnect with the `Last-Event-ID` header set to the **last `record.seq_num` you successfully processed** (decoded from the batch body — not the SSE `id:` line, which is a comma-list internal to S2):
+
+```
+GET /realtime/v1/sessions/{sessionId}/out
+Authorization: Bearer <publicAccessToken>
+Accept: text/event-stream
+Last-Event-ID: 42
+```
+
+The server resumes streaming from `seq_num = 43` onward. `Last-Event-ID` is a single non-negative integer; passing the SSE `id:` line value verbatim (e.g. `0,1,106`) silently falls back to "start from the beginning."
+
+`SSEStreamSubscription` tracks this automatically via its `lastEventId` option.
+
+<Note>
+  **What "resumable" means.** `session.out` is trimmed back to the previous `turn-complete` control record after each turn finishes. In practice:
+
+  - **Resume across a single turn boundary always works** — your bookmark is the last turn's `turn-complete` record, which is still on the stream.
+  - **The S2 trim is eventually consistent** (10-60s typical), so close-then-reload-quickly cases reliably still see records that are about to be trimmed.
+  - **Resume across multiple turns of inactivity** may find your bookmark trimmed. The S2 read silently clamps forward to the first surviving record; the cleanest recovery is to fetch the latest snapshot and treat the SSE as fresh from there (or rehydrate via your own DB if you use `hydrateMessages`). See [How history is rebuilt](#how-history-is-rebuilt).
+</Note>
+
+### `X-Peek-Settled` / `X-Session-Settled` — opt-in fast close on idle reconnects
+
+On **reconnect-on-reload** paths (resuming a chat where nothing may be streaming), send `X-Peek-Settled: 1` as a request header when opening the SSE. When present, the server peeks the tail of `.out` and walks past any trailing S2 trim command record to find the most recent data/control record underneath. If that record is a `turn-complete` control record (agent finished a turn and is idle-waiting or exited), the SSE:
+
+- Uses `wait=0` internally — drains any residual records and closes in ~1s instead of long-polling for 60s.
+- Sets the `X-Session-Settled: true` response header so the client can tell the close is terminal rather than a mid-stream drop.
+
+**Do not send `X-Peek-Settled` on the active-send response-stream path.** The peek would race the newly-triggered turn's first chunk — if the agent hasn't written the new turn's first record yet, the peek sees the prior turn's `turn-complete` and closes the SSE before the response lands on S2. The built-in `TriggerChatTransport.reconnectToStream` sets the header; `sendMessages → subscribeToStream` does not.
+
+```ts
+// Reconnect path (page reload)
+const response = await fetch(sseUrl, {
+  headers: {
+    Authorization: `Bearer ${publicAccessToken}`,
+    "X-Peek-Settled": "1",
+    "Last-Event-ID": lastEventId,
+  },
+});
+const settled = response.headers.get("X-Session-Settled") === "true";
+// ...subscribe as normal; if settled and nothing arrives, you're done.
+
+// Active send path — no X-Peek-Settled, keep long-poll semantics
+const liveResponse = await fetch(sseUrl, {
+  headers: {
+    Authorization: `Bearer ${publicAccessToken}`,
+    "Last-Event-ID": lastEventId,
+  },
+});
+```
+
+## Step 3: Send messages, stops, and actions
+
+All client-to-agent signals are appended to the session's `.in` channel:
+
+```
+POST /realtime/v1/sessions/{sessionId}/in/append
+Authorization: Bearer <publicAccessToken>
+Content-Type: application/json
+```
+
+`{sessionId}` accepts the same friendly-or-external forms as `.out`. The `publicAccessToken` from session-create authorizes both.
+
+The body is a JSON-serialized [`ChatInputChunk`](#chatinputchunk) — a tagged union covering messages, stops, and actions. Send them as raw JSON strings (not wrapped in a `data` field). On success the response is `200 OK` with body `{ "ok": true }`; on failure it's `4xx`/`5xx` with `{ "ok": false, "error": "<message>" }`. Common failures:
+
+| Status | When |
+| --- | --- |
+| `401` | Missing or invalid `Authorization` header. |
+| `403` | Token doesn't carry `write:sessions:{externalId}`. |
+| `409` | The session is closed — `{ "ok": false, "error": "Cannot append to a closed session" }`. |
+| `413` | Body exceeds 1 MiB **or** the wrapped record would exceed S2's ~1 MiB per-record metered ceiling. A normal `kind: "message"` payload is a few KB; if you hit this you're shipping more than one message per record or pushing a single tool output that's itself oversized. Carries CORS headers so browser fetches can read the status. |
+| `500` | Transient backend failure on the durable stream. Safe to retry — appends are idempotent on `(externalId, X-Part-Id)` if you set the optional `X-Part-Id` request header (the built-in clients set it from a UUID). |
+
+<Warning>
+  **Schema validation of `metadata` happens inside the agent, not at this endpoint.** A `kind: "message"` with bad or missing metadata returns `200 OK` here, but the agent rejects the turn at run time. From the wire the failure looks like a `turn-complete` control record with no preceding `text-delta` — i.e. an empty assistant response.
+
+  **How to detect from the client:** treat "received `turn-complete` after sending a `submit-message` with no `text-delta`/`tool-input-*` chunks in between" as a schema-validation suspect, and surface a sensible error to your user. **How to confirm from the dashboard / Trigger MCP:** the run trace includes a `chat turn N [ERROR]` span followed by `waiting for next message (after error)`; the `[ERROR]` span carries the validation error message in its events. Use `mcp__trigger__get_run_details` (or open the run in the dashboard) on the run ID surfaced in the `runId` field of session-create.
+</Warning>
+
+### `ChatInputChunk`
+
+```ts
+type ChatInputChunk =
+  | { kind: "message"; payload: ChatTaskWirePayload }
+  | { kind: "stop"; message?: string };
+```
+
+The discriminator `kind` drives the agent's dispatch — `"message"` goes to the turn loop, `"stop"` fires the abort controller.
+
+### `ChatTaskWirePayload`
+
+```ts
+type ChatTaskWirePayload<TMessage extends UIMessage = UIMessage, TMetadata = unknown> = {
+  /**
+   * The new message for this turn — at most ONE per record.
+   *  - "submit-message": the new user message, OR a tool-approval-responded
+   *    assistant message (with `state: "approval-responded"` tool parts).
+   *  - "regenerate-message": omitted (the server trims its own tail).
+   *  - "preload" / "close" / "action": omitted.
+   *  - "handover-prepare": omitted (use `headStartMessages` instead — see below).
+   */
+  message?: TMessage;
+
+  /**
+   * Escape hatch for chat.headStart. Ships full UIMessage history on the
+   * very first turn — before any snapshot exists. Used ONLY by
+   * trigger: "handover-prepare" against the customer's own HTTP route
+   * handler. The server ignores this field on any other trigger.
+   */
+  headStartMessages?: TMessage[];
+
+  chatId: string;
+  trigger:
+    | "submit-message"
+    | "regenerate-message"
+    | "preload"
+    | "close"
+    | "action"
+    | "handover-prepare";
+  messageId?: string;
+  /**
+   * Wire envelope for the agent's typed `clientData` (declared via
+   * `chat.withClientData({ schema })`). Whatever you put here is parsed
+   * against that schema at the agent boundary. If the agent declares
+   * `clientData: { userId: string }`, then `metadata.userId` is required.
+   */
+  metadata?: TMetadata;
+  action?: unknown;
+  /**
+   * Informational — the server sets this automatically on continuation
+   * runs (when the prior run is dead). Clients don't need to send it.
+   * Read by the agent's boot gate to skip `onChatStart` and trigger
+   * snapshot read + replay.
+   */
+  continuation?: boolean;
+  /**
+   * Informational — paired with `continuation: true`, set by the server
+   * from the prior run's friendly ID. Surfaced to the agent in
+   * `ctx.previousRunId`. Clients don't need to send it.
+   */
+  previousRunId?: string;
+  idleTimeoutInSeconds?: number;
+  sessionId?: string;
+};
+```
+
+<Note>
+  **`metadata` is the wire envelope for `clientData`.** The agent's `clientData` (typed via `chat.withClientData({ schema })`) is read from this field at run boot. If the agent declares e.g. `{ userId: string, model?: string }`, then every `kind: "message"` payload — and the `triggerConfig.basePayload` you sent at session create — must carry a matching `metadata.userId`. The agent rejects messages whose metadata fails schema validation.
+</Note>
+
+### Sending a message
+
+```
+POST /realtime/v1/sessions/{sessionId}/in/append
+Authorization: Bearer <publicAccessToken>
+Content-Type: application/json
+
+{
+  "kind": "message",
+  "payload": {
+    "message": {
+      "id": "msg-2",
+      "role": "user",
+      "parts": [{ "type": "text", "text": "Tell me more" }]
+    },
+    "chatId": "conversation-123",
+    "trigger": "submit-message",
+    "metadata": { "userId": "user-456" }
+  }
+}
+```
+
+After sending, subscribe to `.out` (if you closed the stream after the previous turn's `turn-complete`) to receive the response.
+
+<Note>
+  Send only the **new** user message — never the full history. The agent rebuilds prior history from a durable S3 snapshot plus a `session.out` replay at run boot. See [How history is rebuilt](#how-history-is-rebuilt).
+</Note>
+
+### Sending a stop
+
+```json
+{ "kind": "stop" }
+```
+
+Interrupts the agent's current turn. `streamText` aborts, the agent emits a `turn-complete` control record, and the run returns to idle.
+
+An optional `message` field surfaces in the agent's stop handler:
+
+```json
+{ "kind": "stop", "message": "user cancelled" }
+```
+
+### Sending an action
+
+Custom actions (undo, rollback, edit) ride on the same `.in` channel using `kind: "message"` with `trigger: "action"` in the payload. Omit `message` — actions don't carry a UIMessage:
+
+```json
+{
+  "kind": "message",
+  "payload": {
+    "chatId": "conversation-123",
+    "trigger": "action",
+    "action": { "type": "undo" },
+    "metadata": { "userId": "user-456" }
+  }
+}
+```
+
+Actions wake the agent from suspension (same as messages) and fire the `onAction` hook — they are not turns, so `run()` and turn lifecycle hooks do not fire. If `onAction` returns a `StreamTextResult`, the response is auto-piped to the frontend (but still no `run()` or `onTurnComplete`). The `action` payload is validated against the agent's `actionSchema`. If the agent didn't register an `actionSchema` (or your `action` payload doesn't match it), validation fails the same way `metadata` does — `.in/append` returns `200 OK`, but the run trace shows `chat turn N [ERROR]` and the wire emits a `turn-complete` control record with no other chunks. See [Actions](/ai-chat/actions) for the agent-side schema setup.
+
+### Regenerating the last response
+
+To regenerate the assistant's last response, send `trigger: "regenerate-message"` with no `message`:
+
+```json
+{
+  "kind": "message",
+  "payload": {
+    "chatId": "conversation-123",
+    "trigger": "regenerate-message",
+    "metadata": { "userId": "user-456" }
+  }
+}
+```
+
+The agent trims trailing assistant messages from its accumulator and re-streams from the prior user turn. The frontend's `useChat()` already removed the trailing assistant locally — the wire signal tells the agent to do the same.
+
+### Tool approval responses
+
+When a tool requires approval (`needsApproval: true`), the agent streams the tool call with an `approval-requested` state and completes the turn. After the user approves or denies, send the **updated assistant message** back as a `kind: "message"` chunk — singular, not the full chain. The minimum shape the agent reads is just the resolved tool parts:
+
+```json
+{
+  "kind": "message",
+  "payload": {
+    "message": {
+      "id": "asst-msg-1",
+      "role": "assistant",
+      "parts": [
+        {
+          "type": "tool-sendEmail",
+          "toolCallId": "call-1",
+          "state": "approval-responded",
+          "approval": { "id": "approval-1", "approved": true }
+        }
+      ]
+    },
+    "chatId": "conversation-123",
+    "trigger": "submit-message",
+    "metadata": { "userId": "user-456" }
+  }
+}
+```
+
+The agent matches the incoming message by `id` against the rebuilt accumulator (or hydrated chain) and **overlays the tool-state advance** onto the matching entry — `state` plus `output` / `errorText` / `approval`, depending on the new state. Hydrated `input`, text, reasoning, and provider metadata stay put. This is what makes the slim shape above sufficient: the agent rebuilds everything else from the snapshot or from your `hydrateMessages` hook.
+
+The same shape applies to HITL `addToolOutput` answers — substitute `state: "output-available"` and `output: <result>` for the approval pair above. Single-tool HITL `addToolOutput` continuation payloads are typically ~1 KiB on the wire.
+
+The built-in transports (`TriggerChatTransport`, `AgentChat`) ship the slim shape by default on `submit-message` continuations. Custom transports can ship a fuller `UIMessage` — the agent still only reads the resolved tool-part fields — but the slim shape is the most efficient and avoids brushing the per-record cap on reasoning-heavy turns.
+
+<Note>
+  The message `id` must match the one the agent assigned during streaming. `TriggerChatTransport` keeps IDs in sync automatically. Custom transports should use the `messageId` from the stream's `start` chunk.
+</Note>
+
+## How history is rebuilt
+
+The agent rebuilds the full conversation accumulator on every fresh run boot. There are two reconstruction paths, and the agent picks based on what hooks the customer registered:
+
+### Path A — `hydrateMessages` registered
+
+If the agent declares a [`hydrateMessages`](/ai-chat/lifecycle-hooks#hydratemessages) hook, the runtime trusts the customer to be the source of truth for history. Snapshot read and replay are **skipped entirely** at boot. The hook fires per turn — `incomingMessages` is 0-or-1-length consistently (since each record carries at most one new message) — and returns the canonical chain from the customer's database.
+
+### Path B — Snapshot + replay (default)
+
+When `hydrateMessages` is not registered, the runtime reconstructs history from durable infrastructure on every run boot:
+
+<Steps>
+  <Step title="Read the latest snapshot">
+    The runtime fetches a per-session JSON snapshot from object storage (S3 or compatible). The snapshot stores `{ messages, lastOutEventId, lastOutTimestamp, savedAt }` — what was true at the moment the previous turn finished. A 404 (no snapshot yet) is fine — treated as empty.
+  </Step>
+  <Step title="Replay session.out tail">
+    The runtime subscribes to `session.out` with `wait=0` starting from the snapshot's `lastOutEventId` (or seq 0 if there is no snapshot). Any chunks since that cursor are fed through the AI SDK's `processUIMessageStream` reducer to materialize fresh `UIMessage[]`. This catches turns whose snapshot write didn't make it before a crash.
+  </Step>
+  <Step title="Merge by id, replay wins">
+    Snapshot messages and replayed messages are merged by `id`. On collision, replay wins — `session.out` is the freshest representation of any assistant message. Partial trailing assistant work from a crashed turn is cleaned up via `cleanupAbortedParts`.
+  </Step>
+  <Step title="Write a fresh snapshot after every turn">
+    When `onTurnComplete` fires, the runtime serializes the accumulator and writes it back to object storage. The write is **awaited** — the run may suspend immediately after, and fire-and-forget would lose the snapshot.
+  </Step>
+</Steps>
+
+Object-store configuration is the same as the rest of Trigger.dev — set `OBJECT_STORE_*` env vars. With no object store configured and no `hydrateMessages` hook, conversations don't survive run boundaries; the runtime logs a warning at registration time.
+
+For a deeper walkthrough of the snapshot model, including OOM-retry interaction and crash semantics, see [Persistence and replay](/ai-chat/patterns/persistence-and-replay).
+
+## Head-start protocol caveat
+
+The [`chat.headStart`](/ai-chat/fast-starts#head-start) flow runs the first turn's LLM call inside the customer's own HTTP route handler, then hands the durable stream off to the agent for tool execution and step 2+. On that first-ever turn no snapshot exists yet — the agent boots empty.
+
+To bridge that gap, the head-start route handler ships **full UIMessage history** through the dedicated `headStartMessages` field with `trigger: "handover-prepare"`. This is the **only** path where a wire-shipped UIMessage[] still seeds the agent's accumulator:
+
+```json
+{
+  "kind": "message",
+  "payload": {
+    "headStartMessages": [
+      { "id": "u1", "role": "user", "parts": [/* ... */] },
+      { "id": "a1", "role": "assistant", "parts": [/* ... */] }
+    ],
+    "chatId": "conversation-123",
+    "trigger": "handover-prepare",
+    "metadata": { "userId": "user-456" }
+  }
+}
+```
+
+Two reasons this exception is safe:
+
+1. **The route handler runs against the customer's own HTTP endpoint**, not `/realtime/v1/sessions/{id}/in/append`. The per-record cap on the realtime route doesn't apply.
+2. **`headStartMessages` is only honored on `trigger: "handover-prepare"`**. The runtime ignores the field on every other trigger — the one-message-per-record rule still holds for normal turns.
+
+After turn 1 completes, the snapshot is written and turn 2+ run as a normal single-message-per-record chat.
+
+## Pending and steering messages
+
+You can send messages while the agent is still streaming a response. These are **pending messages** — the agent receives them mid-turn and can inject them between tool-call steps.
+
+The wire format is identical to a normal `kind: "message"` send — same `.in` channel, single `message` field. The difference is timing. What happens depends on the agent's `pendingMessages` configuration:
+
+- **With `pendingMessages.shouldInject`**: the message is injected into the model's context at the next `prepareStep` boundary. The agent sees it and can adjust its behavior mid-response.
+- **Without `pendingMessages` config**: the message queues for the next turn.
+
+See [Pending Messages](/ai-chat/pending-messages) for how to configure the agent side.
+
+<Note>
+  Unlike a normal `sendMessage`, pending messages should **not** cancel the active stream subscription. Keep reading — the agent incorporates the message into the same turn or queues it for the next one.
+</Note>
+
+## Continuations
+
+A run can end for several reasons: idle timeout, max turns reached, `chat.requestUpgrade()`, crash, or cancellation. When this happens, the session row stays alive — only the run is gone. The next message you append to `.in` automatically triggers a fresh run on the same session.
+
+**Clients send the wire shape exactly as a normal `submit-message`** — the server detects the absent run and handles the continuation itself:
+
+```json
+{
+  "kind": "message",
+  "payload": {
+    "message": {
+      "id": "u-42",
+      "role": "user",
+      "parts": [{ "type": "text", "text": "Where were we?" }]
+    },
+    "chatId": "conversation-123",
+    "trigger": "submit-message",
+    "metadata": { "userId": "user-456" }
+  }
+}
+```
+
+POST to the same `/realtime/v1/sessions/{sessionId}/in/append` URL with the same `publicAccessToken` you've been using — both stay valid across runs. The server detects the absent run, triggers a new one on the session's `triggerConfig`, and the agent boots, reads the snapshot from the prior run's last turn, replays any tail, and continues. Only `runId` changes — the new run's id is encoded in the next refreshed `publicAccessToken`'s `read:runs:{runId}` scope.
+
+<Note>
+  **You don't need to track `runId` or set `continuation: true` / `previousRunId` yourself.** The server detects continuation when the prior run is in a terminal state and sets those fields on the new run's boot payload automatically. The `continuation` and `previousRunId` fields on `ChatTaskWirePayload` are informational — used internally by the agent's boot path, never required from the client.
+</Note>
+
+<Note>
+  **`onChatStart` does NOT fire on continuation runs.** The hook is once-per-chat — it fires only on the chat's very first user message. Customers who want per-turn setup that also runs on continuation turns should use `onTurnStart` instead.
+</Note>
+
+<Tip>
+  This is how [version upgrades](/ai-chat/patterns/version-upgrades) work transparently — the agent calls `chat.requestUpgrade()`, the run exits, and the client's next message triggers a continuation on the new version. Same session, new run, same snapshot.
+</Tip>
+
+## Closing the conversation
+
+When the user is done with the conversation, close the session:
+
+```bash
+POST /api/v1/sessions/{sessionId}/close
+Authorization: Bearer <secret-key-or-jwt>
+Content-Type: application/json
+
+{ "reason": "user-ended" }
+```
+
+The body is optional — `{}` (or no body at all) closes the session with no reason set. If provided, `reason` is a free-form string up to 256 characters used for dashboard / audit display. Closing is **idempotent**: re-calling on an already-closed session returns the existing row without clobbering the original `closedAt` / `closedReason`.
+
+A long-running chat that's just between turns is a **live** session, not a closed one — don't close it prematurely. Once closed, the session cannot be reopened; reuse a different `externalId` if the user wants to start fresh.
+
+## Session state
+
+A client needs to track per-conversation:
+
+| Field | Description |
+| --- | --- |
+| `sessionId` | Durable session ID (`session_*`). Stable for the life of the conversation. |
+| `chatId` | Your stable conversation ID (passed as `externalId` on create). |
+| `runId` | Current run ID. Changes when a run ends and a continuation starts. Only needed if you want to display it. |
+| `publicAccessToken` | JWT for session access. Stable across runs; refreshed via the `public-access-token` header on every `turn-complete` control record. |
+| `lastEventId` | Last `record.seq_num` received on `.out`. Use to resume mid-stream. |
+
+`sessionId`, `chatId`, and `publicAccessToken` are durable. `runId` is live-run state that refreshes on each new run. On reload, you only need `sessionId` + `publicAccessToken` + `lastEventId` to resume — `runId` is a hint that can be `null` when no run is active.
+
+## Authentication
+
+| Operation | Auth |
+| --- | --- |
+| Create session (`POST /api/v1/sessions`) | Secret API key, or JWT with `write:sessions` super-scope plus a matching `tasks:{taskIdentifier}` scope |
+| Close session (`POST /api/v1/sessions/{id}/close`) | Secret API key, or JWT with `admin:sessions:{id}` / `admin:sessions` super-scope |
+| `.in` append | The session's `publicAccessToken` (carries `write:sessions:{id}`) |
+| `.out` subscribe | The session's `publicAccessToken` (carries `read:sessions:{id}`) |
+
+The `publicAccessToken` returned in the body of `POST /api/v1/sessions` carries both `read:sessions:{externalId}` and `write:sessions:{externalId}` and is **the only token you need** for every `.in`/`.out` operation thereafter. A token minted on the externalId form authorizes both the externalId and the friendlyId URL forms on every read and write route, so use whichever URL form your client already has on hand.
+
+<Warning>
+  **Don't use the `x-trigger-jwt` header from `POST /api/v1/tasks/{taskId}/trigger`.** That header carries `read:runs:{runId}` + `write:inputStreams:{runId}` — run-scoped scopes, not session-scoped. It cannot subscribe to `.out` or append to `.in`. Always use the `publicAccessToken` from the session-create response body.
+</Warning>
+
+## FAQ
+
+<Expandable title="After sending `kind: stop`, can I immediately send the next message?">
+Yes. `.in` records are processed in arrival order — the agent's stop handler aborts the in-flight `streamText`, emits a `turn-complete` control record, and reads the next record. You don't have to wait for `turn-complete` on the wire before posting the next `.in/append`. In practice you usually do anyway, because your UI is gated on the stream coming back to ready.
+</Expandable>
+
+<Expandable title="What's the format of the optional `X-Part-Id` header?">
+Any opaque ASCII string up to ~64 characters. The built-in clients pass a `nanoid(7)` (e.g. `"V1StGXR"`) generated per request. The server uses it as a per-record idempotency key — re-POSTing the same body with the same `X-Part-Id` produces a single S2 record. If you don't send the header, the server generates one for you and idempotency is per-request only.
+</Expandable>
+
+<Expandable title="What happens on rate-limit (429)?">
+The `.in/append` route returns standard rate-limit response headers (`x-ratelimit-limit`, `x-ratelimit-remaining`, `x-ratelimit-reset` — Unix ms epoch when the bucket refills). On `429`, back off until `x-ratelimit-reset` and retry with the same `X-Part-Id` to remain idempotent. Default per-environment limits are generous (millions of requests/window); you'll typically only hit this with runaway client loops.
+</Expandable>
+
+<Expandable title="How do I tell from the `.out` stream that a run has ended (vs idled between turns)?">
+You don't need to. There's no `trigger:run-ended` chunk. The protocol is designed so the client doesn't track run lifecycle:
+
+- A `turn-complete` control record means **the turn finished**, not that the run is gone. The run may still be alive, idle-waiting for the next `.in` record, or it may have suspended / exited shortly after.
+- When you POST the next message to `.in/append`, the server figures out whether the existing run can pick it up or whether to spawn a continuation. Either way you get streamed responses on the same `.out` URL.
+
+If you genuinely need the live `runId` (for displaying the dashboard link, say), read it from the latest `turn-complete` control record's refreshed `public-access-token` header — the JWT's `read:runs:{runId}` scope encodes it. Or call `GET /api/v1/sessions/{sessionId}` (omitted from this page; see the Sessions API reference) to read `currentRunId`.
+</Expandable>
+
+<Expandable title="Does the `seq_num` reset across continuations or runs?">
+No. `seq_num` is monotonic across the entire session — turn 1 might emit seq 0–9, turn 2 picks up at seq 10+, and a continuation run on the same session continues numbering from where the prior run left off. A single `Last-Event-ID` cursor is sufficient to resume across turns and runs.
+</Expandable>
+
+<Expandable title="What's the maximum size of a single `.in/append` body?">
+The HTTP body is capped at 1 MiB as a DoS guard. The actual ceiling is at the storage layer: each `.in/append` becomes a single S2 record, metered as `8 + body_bytes_after_JSON_wrap`, capped at 1 MiB. So the practical limit on the raw HTTP body sits around ~1023 KiB for content with low JSON-escape overhead (ASCII, base64) and ~512 KiB for content that escapes heavily (all quotes / backslashes). A typical `kind: "message"` is a few KiB. If you're brushing the cap you're either shipping a single tool output that's itself oversized — see [Large payloads](/ai-chat/patterns/large-payloads) — or you're shipping more than one message per record, which the protocol forbids. The 413 response carries CORS headers so browser fetches can read the status. The headStart path (`trigger: "handover-prepare"`) sends through the customer's own HTTP route handler, not `.in/append`, so the cap doesn't apply there.
+</Expandable>
+
+## See also
+
+- [`TriggerChatTransport`](/ai-chat/frontend) — Built-in browser transport (implements this protocol)
+- [`AgentChat`](/ai-chat/server-chat) — Built-in server-side client
+- [Persistence and replay](/ai-chat/patterns/persistence-and-replay) — How the snapshot + replay model works end-to-end
+- [Lifecycle hooks](/ai-chat/lifecycle-hooks) — What the agent does on each event
+- [Version upgrades](/ai-chat/patterns/version-upgrades) — How `chat.requestUpgrade()` uses continuations
diff --git a/docs/ai-chat/compaction.mdx b/docs/ai-chat/compaction.mdx
new file mode 100644
index 00000000000..3ab280a44f0
--- /dev/null
+++ b/docs/ai-chat/compaction.mdx
@@ -0,0 +1,411 @@
+---
+title: "Compaction"
+sidebarTitle: "Compaction"
+description: "Automatic context compaction to keep long conversations within token limits."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+## Overview
+
+Long conversations accumulate tokens across turns. Eventually the context window fills up, causing errors or degraded responses. Compaction solves this by automatically summarizing the conversation when token usage exceeds a threshold, then using that summary as the context for future turns.
+
+The `compaction` option on `chat.agent()` handles this in both paths:
+
+- **Between tool-call steps** (inner loop) — via the AI SDK's `prepareStep`, compaction runs between tool calls within a single turn
+- **Between turns** (outer loop) — for single-step responses with no tool calls, where `prepareStep` never fires
+
+## Basic usage
+
+Provide `shouldCompact` to decide when to compact and `summarize` to generate the summary:
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText, generateText, stepCountIs } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  compaction: {
+    shouldCompact: ({ totalTokens }) => (totalTokens ?? 0) > 80_000,
+    summarize: async ({ messages }) => {
+      const result = await generateText({
+        model: anthropic("claude-haiku-4-5"),
+        messages: [...messages, { role: "user", content: "Summarize this conversation concisely." }],
+      });
+      return result.text;
+    },
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({
+      ...chat.toStreamTextOptions({ registry }),
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+<Note>
+  The `prepareStep` for inner-loop compaction is automatically injected when you spread `chat.toStreamTextOptions()` into your `streamText` call. If you provide your own `prepareStep` after the spread, it overrides the auto-injected one.
+</Note>
+
+## How it works
+
+After each turn completes:
+
+1. `shouldCompact` is called with the current token usage
+2. If it returns `true`, `summarize` generates a summary from the model messages
+3. The **model messages** (sent to the LLM) are replaced with the summary
+4. The **UI messages** (persisted and displayed) are preserved by default
+5. The `onCompacted` hook fires if configured
+
+On the next turn, the LLM receives the compact summary instead of the full history — dramatically reducing token usage while preserving context.
+
+## Customizing what gets persisted
+
+By default, compaction only affects model messages — UI messages stay intact so users see the full conversation after a page refresh. You can customize this with `compactUIMessages`:
+
+### Summary + recent messages
+
+Replace older messages with a summary but keep the last few exchanges visible:
+
+```ts
+import { generateId } from "ai";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  compaction: {
+    shouldCompact: ({ totalTokens }) => (totalTokens ?? 0) > 80_000,
+    summarize: async ({ messages }) => {
+      return generateText({
+        model: anthropic("claude-haiku-4-5"),
+        messages: [...messages, { role: "user", content: "Summarize." }],
+      }).then((r) => r.text);
+    },
+    compactUIMessages: ({ uiMessages, summary }) => [
+      {
+        id: generateId(),
+        role: "assistant",
+        parts: [{ type: "text", text: `[Conversation summary]\n\n${summary}` }],
+      },
+      ...uiMessages.slice(-4), // Keep the last 4 messages
+    ],
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+### Flatten to summary only
+
+Replace all messages with just the summary (like the LLM sees):
+
+```ts
+compactUIMessages: ({ summary }) => [
+  {
+    id: generateId(),
+    role: "assistant",
+    parts: [{ type: "text", text: `[Conversation summary]\n\n${summary}` }],
+  },
+],
+```
+
+## Customizing model messages
+
+By default, model messages are replaced with a single summary message. Use `compactModelMessages` to customize what the LLM sees after compaction:
+
+### Summary + recent context
+
+Keep the last few model messages so the LLM has recent detail alongside the summary:
+
+```ts
+compactModelMessages: ({ modelMessages, summary }) => [
+  { role: "user", content: summary },
+  ...modelMessages.slice(-2), // Keep last exchange for detail
+],
+```
+
+### Keep tool results
+
+Preserve tool-call results so the LLM remembers what tools returned:
+
+```ts
+compactModelMessages: ({ modelMessages, summary }) => [
+  { role: "user", content: summary },
+  ...modelMessages.filter((m) => m.role === "tool"),
+],
+```
+
+## shouldCompact event
+
+The `shouldCompact` callback receives context about the current state:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `messages` | `ModelMessage[]` | Current model messages |
+| `totalTokens` | `number \| undefined` | Total tokens from the triggering step/turn |
+| `inputTokens` | `number \| undefined` | Input tokens |
+| `outputTokens` | `number \| undefined` | Output tokens |
+| `usage` | `LanguageModelUsage` | Full usage object |
+| `totalUsage` | `LanguageModelUsage` | Cumulative usage across all turns |
+| `chatId` | `string` | Chat session ID |
+| `turn` | `number` | Current turn (0-indexed) |
+| `clientData` | `unknown` | Custom data from the frontend |
+| `source` | `"inner" \| "outer"` | Whether this is between steps or between turns |
+| `steps` | `CompactionStep[]` | Steps array (inner loop only) |
+| `stepNumber` | `number` | Step index (inner loop only) |
+
+## summarize event
+
+The `summarize` callback receives similar context:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `messages` | `ModelMessage[]` | Messages to summarize |
+| `usage` | `LanguageModelUsage` | Usage from the triggering step/turn |
+| `totalUsage` | `LanguageModelUsage` | Cumulative usage |
+| `chatId` | `string` | Chat session ID |
+| `turn` | `number` | Current turn |
+| `clientData` | `unknown` | Custom data from the frontend |
+| `source` | `"inner" \| "outer"` | Where compaction is running |
+| `stepNumber` | `number` | Step index (inner loop only) |
+
+## onCompacted hook
+
+Track compaction events for logging, billing, or analytics:
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  compaction: { ... },
+  onCompacted: async ({ summary, totalTokens, messageCount, chatId, turn }) => {
+    logger.info("Compacted", { chatId, turn, totalTokens, messageCount });
+    await db.compactionLog.create({
+      data: { chatId, summary, totalTokens, messageCount },
+    });
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+## User-initiated compaction
+
+Sometimes you want the user to decide when to compact — a "Summarize conversation" button, a `/compact` slash command, or a settings toggle. Wire this up with [actions](/ai-chat/actions): the frontend sends a typed action, `onAction` runs the summary, and `chat.history.set()` replaces the conversation.
+
+### Backend
+
+Define a `compact` action that reuses your existing `summarize` function:
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText, generateText, generateId, convertToModelMessages } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+import { z } from "zod";
+
+// Reusable summarize fn — also used by the automatic compaction config.
+async function summarize(messages: ModelMessage[]) {
+  const result = await generateText({
+    model: anthropic("claude-haiku-4-5"),
+    messages: [...messages, { role: "user", content: "Summarize this conversation concisely." }],
+  });
+  return result.text;
+}
+
+export const myChat = chat.agent({
+  id: "my-chat",
+
+  // Automatic compaction still runs on threshold.
+  compaction: {
+    shouldCompact: ({ totalTokens }) => (totalTokens ?? 0) > 80_000,
+    summarize: async ({ messages }) => summarize(messages),
+  },
+
+  // User-initiated: the frontend sends { type: "compact" }.
+  actionSchema: z.discriminatedUnion("type", [
+    z.object({ type: z.literal("compact") }),
+  ]),
+
+  onAction: async ({ action, uiMessages }) => {
+    if (action.type !== "compact") return;
+
+    const summary = await summarize(convertToModelMessages(uiMessages));
+
+    // Replace the full history with a single summary message.
+    chat.history.set([
+      {
+        id: generateId(),
+        role: "assistant",
+        parts: [{ type: "text", text: `[Conversation summary]\n\n${summary}` }],
+      },
+    ]);
+  },
+
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+Actions fire `onAction` only (plus `hydrateMessages` if set) — `run()` and `onTurnComplete` do not fire for actions. Persist the compacted state directly inside `onAction` after the `chat.history.set` call. See [Actions](/ai-chat/actions) for the full lifecycle.
+
+### Frontend
+
+Call `transport.sendAction()` from a button or slash command:
+
+```tsx
+import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+import { useChat } from "@ai-sdk/react";
+
+function ChatView({ chatId }: { chatId: string }) {
+  const transport = useTriggerChatTransport({
+    task: "my-chat",
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+  });
+  const { messages } = useChat({ id: chatId, transport });
+
+  return (
+    <>
+      <button onClick={() => transport.sendAction(chatId, { type: "compact" })}>
+        Summarize conversation
+      </button>
+      {messages.map(/* ... */)}
+    </>
+  );
+}
+```
+
+The call returns as soon as the backend accepts the action. Because `onTurnComplete` replaces the `uiMessages` with the summary, `useChat` receives the new state via the normal turn-complete flow — the UI updates automatically.
+
+### Indicating compaction in the UI
+
+For "Compacting..." feedback while the summary generates, append a transient data part from `onAction` via `chat.stream.append()`:
+
+```ts
+onAction: async ({ action, uiMessages }) => {
+  if (action.type !== "compact") return;
+
+  chat.stream.append({ type: "data-compaction", data: { status: "compacting" } });
+  const summary = await summarize(convertToModelMessages(uiMessages));
+  chat.stream.append({ type: "data-compaction", data: { status: "complete" } });
+
+  chat.history.set([ /* ... */ ]);
+},
+```
+
+See [Raw streaming with `chat.stream`](/ai-chat/backend#raw-streaming-with-chat-stream) for the full API.
+
+## Using with chat.createSession()
+
+Pass the same `compaction` config to `chat.createSession()`. The session handles outer-loop compaction automatically inside `turn.complete()`:
+
+```ts
+const session = chat.createSession(payload, {
+  signal,
+  idleTimeoutInSeconds: 60,
+  timeout: "1h",
+  compaction: {
+    shouldCompact: ({ totalTokens }) => (totalTokens ?? 0) > 80_000,
+    summarize: async ({ messages }) =>
+      generateText({ model: anthropic("claude-haiku-4-5"), messages }).then((r) => r.text),
+    compactUIMessages: ({ uiMessages, summary }) => [
+      { id: generateId(), role: "assistant",
+        parts: [{ type: "text", text: `[Summary]\n\n${summary}` }] },
+      ...uiMessages.slice(-4),
+    ],
+  },
+});
+
+for await (const turn of session) {
+  const result = streamText({
+    model: anthropic("claude-sonnet-4-5"),
+    messages: turn.messages,
+    abortSignal: turn.signal,
+    stopWhen: stepCountIs(15),
+  });
+
+  await turn.complete(result);
+  // Outer-loop compaction runs automatically after complete()
+
+  await db.chat.update({
+    where: { id: turn.chatId },
+    data: { messages: turn.uiMessages },
+  });
+}
+```
+
+## Using with raw tasks (MessageAccumulator)
+
+Pass `compaction` to the `MessageAccumulator` constructor. Use `prepareStep()` for inner-loop compaction and `compactIfNeeded()` for the outer loop:
+
+```ts
+const conversation = new chat.MessageAccumulator({
+  compaction: {
+    shouldCompact: ({ totalTokens }) => (totalTokens ?? 0) > 80_000,
+    summarize: async ({ messages }) =>
+      generateText({ model: anthropic("claude-haiku-4-5"), messages }).then((r) => r.text),
+    compactUIMessages: ({ summary }) => [
+      { id: generateId(), role: "assistant",
+        parts: [{ type: "text", text: `[Summary]\n\n${summary}` }] },
+    ],
+  },
+});
+
+for (let turn = 0; turn < 100; turn++) {
+  const messages = await conversation.addIncoming(payload.messages, payload.trigger, turn);
+
+  const result = streamText({
+    model: anthropic("claude-sonnet-4-5"),
+    messages,
+    prepareStep: conversation.prepareStep(), // Inner-loop compaction
+    stopWhen: stepCountIs(15),
+  });
+
+  const response = await chat.pipeAndCapture(result);
+  if (response) await conversation.addResponse(response);
+
+  // Outer-loop compaction
+  const usage = await result.totalUsage;
+  await conversation.compactIfNeeded(usage, { chatId: payload.chatId, turn });
+
+  await db.chat.update({ data: { messages: conversation.uiMessages } });
+  await chat.writeTurnComplete();
+}
+```
+
+## Fully manual compaction
+
+For maximum control, use `chat.compact()` directly inside a custom `prepareStep`:
+
+```ts
+prepareStep: async ({ messages: stepMessages, steps }) => {
+  const result = await chat.compact(stepMessages, steps, {
+    threshold: 80_000,
+    summarize: async (msgs) =>
+      generateText({ model: anthropic("claude-haiku-4-5"), messages: msgs }).then((r) => r.text),
+  });
+  return result.type === "skipped" ? undefined : result;
+},
+```
+
+Or use the `chat.compactionStep()` factory:
+
+```ts
+prepareStep: chat.compactionStep({
+  threshold: 80_000,
+  summarize: async (msgs) =>
+    generateText({ model: anthropic("claude-haiku-4-5"), messages: msgs }).then((r) => r.text),
+}),
+```
+
+<Note>
+  The fully manual APIs only handle inner-loop compaction (between tool-call steps). For outer-loop coverage, use the `compaction` option on `chat.agent()`, `chat.createSession()`, or `MessageAccumulator`.
+</Note>
diff --git a/docs/ai-chat/error-handling.mdx b/docs/ai-chat/error-handling.mdx
new file mode 100644
index 00000000000..9eb6ec1f0e0
--- /dev/null
+++ b/docs/ai-chat/error-handling.mdx
@@ -0,0 +1,415 @@
+---
+title: "Error handling"
+sidebarTitle: "Error handling"
+description: "How errors flow through chat.agent — stream errors, hook errors, run failures — and how to recover."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+`chat.agent` errors fall into four layers, each with different recovery semantics. The default behavior is **conversation-preserving**: a thrown error in a hook or `run()` does not kill the chat. The current turn ends with an error chunk, and the agent waits for the user's next message.
+
+## Error layers at a glance
+
+| Layer | Source | Default behavior | Recovery |
+|-------|--------|------------------|----------|
+| **Stream** | `streamText` errors mid-response (rate limits, model API failures) | `onError` callback converts to error chunk | Sanitize message via `uiMessageStreamOptions.onError` |
+| **Hook / turn** | Throws in `onValidateMessages`, `onTurnStart`, `run`, etc. | Error chunk + turn-complete written to stream; conversation continues | Catch in your hook, or rely on default |
+| **Run** | Unhandled exception escapes the run | Run fails. No retry by default. Standard task `onFailure` fires. | `onFailure` task hook |
+| **Frontend** | Stream delivers `{ type: "error", errorText }` | `useChat` exposes via `error` field and `onError` callback | Show toast, retry button, etc. |
+
+## Stream errors mid-turn
+
+When the model API errors mid-response (rate limits, network failures, malformed output), the AI SDK's `streamText` calls the `onError` callback. Use `uiMessageStreamOptions.onError` to convert the error to a user-friendly string. The string is sent to the frontend as an error chunk.
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  uiMessageStreamOptions: {
+    onError: (error) => {
+      console.error("Stream error:", error);
+      if (error instanceof Error && error.message.includes("rate limit")) {
+        return "Rate limited. Please wait a moment and try again.";
+      }
+      if (error instanceof Error && error.message.includes("context_length")) {
+        return "This conversation is too long. Please start a new chat.";
+      }
+      return "Something went wrong while generating a response. Please try again.";
+    },
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+<Note>
+  Returning a string from `onError` is what gets shown to the user. Do not return raw error messages — they may leak internal details (API keys, stack traces, etc.).
+</Note>
+
+The frontend receives this as an error chunk that `useChat` exposes via its `error` field:
+
+```tsx
+const { messages, error } = useChat({ transport });
+
+{error && <div className="text-red-600">{error.message}</div>}
+```
+
+## Hook and turn errors
+
+If any lifecycle hook (`onValidateMessages`, `onChatStart`, `onTurnStart`, `hydrateMessages`, `onAction`, `prepareMessages`, `onBeforeTurnComplete`, `onTurnComplete`) or `run()` throws an unhandled exception, the turn loop catches it:
+
+1. Writes `{ type: "error", errorText: error.message }` to the stream
+2. Writes a turn-complete chunk to close the turn
+3. Waits for the next user message
+
+The conversation stays alive. The user can send another message and continue.
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  onTurnStart: async ({ chatId, uiMessages }) => {
+    // If this throws, the turn ends with an error chunk
+    // and the agent waits for the next message
+    await db.chat.update({ where: { id: chatId }, data: { messages: uiMessages } });
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+### Catching errors in your own hooks
+
+For granular control, wrap your hook code in try/catch and decide what to do. Common patterns:
+
+```ts
+onValidateMessages: async ({ messages }) => {
+  try {
+    return await validateUIMessages({ messages, tools: chatTools });
+  } catch (err) {
+    // Log to your error tracking service
+    Sentry.captureException(err);
+    // Throw a user-facing error message — this becomes the error chunk
+    throw new Error("Your message contains invalid data and could not be sent.");
+  }
+},
+```
+
+<Tip>
+  The `Error.message` you throw is sent verbatim to the frontend as the error chunk's `errorText`. Use messages safe for end users.
+</Tip>
+
+### Catching errors inside `run()`
+
+`run()` is your code — wrap it in try/catch for full control. This is the right place to save partial state to your DB before the error chunk goes out:
+
+```ts
+run: async ({ messages, chatId, signal }) => {
+  try {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  } catch (err) {
+    // Save the failed turn for debugging / undo
+    await db.failedTurn.create({
+      data: {
+        chatId,
+        error: err instanceof Error ? err.message : String(err),
+        messages,
+      },
+    });
+    throw err; // Re-throw to trigger the error chunk
+  }
+},
+```
+
+## Saving error state to your DB
+
+To persist errors for debugging or undo, use `onTurnComplete` (which fires even after errors) or the standard task `onComplete` hook.
+
+### Using `onTurnComplete`
+
+`onTurnComplete` fires after every turn — successful **or** errored. The `responseMessage` will be undefined or partial on errors. Use this to mark the turn as failed:
+
+```ts
+onTurnComplete: async ({ chatId, uiMessages, responseMessage, stopped }) => {
+  // Persist the messages regardless of error state
+  await db.chat.update({
+    where: { id: chatId },
+    data: {
+      messages: uiMessages,
+      // Mark the chat as errored if no response message
+      lastTurnStatus: responseMessage ? "ok" : stopped ? "stopped" : "errored",
+    },
+  });
+},
+```
+
+### Using the standard `onFailure` task hook
+
+For run-level failures (the entire run dies), use the standard task `onFailure` hook. This fires when the run terminates with an unhandled exception:
+
+```ts
+chat.agent({
+  id: "my-chat",
+  onFailure: async ({ error, ctx }) => {
+    // Log run-level failure to your monitoring service
+    await monitoring.recordRunFailure({
+      runId: ctx.run.id,
+      chatId: ctx.run.tags.find(t => t.startsWith("chat:"))?.slice(5),
+      error: error.message,
+    });
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ ... });
+  },
+});
+```
+
+<Info>
+  `chat.agent` uses `retry: { maxAttempts: 1 }` internally, so the run never retries on failure. To add run-level retries, wrap the agent in a parent task or implement your own retry logic in the frontend (re-send the message).
+</Info>
+
+## Recovery patterns
+
+### Pattern 1: Undo to last successful response
+
+A common pattern is to let the user "undo" the failed turn and try again. Combine `chat.history.rollbackTo` with a custom action:
+
+```ts
+chat.agent({
+  id: "my-chat",
+  actionSchema: z.discriminatedUnion("type", [
+    z.object({ type: z.literal("undo") }),
+  ]),
+  onAction: async ({ action, uiMessages }) => {
+    if (action.type === "undo") {
+      // Find the last user message and roll back to it
+      const lastUserIdx = [...uiMessages].reverse().findIndex(m => m.role === "user");
+      if (lastUserIdx !== -1) {
+        const targetIdx = uiMessages.length - 1 - lastUserIdx - 1;
+        const target = uiMessages[targetIdx];
+        if (target) chat.history.rollbackTo(target.id);
+      }
+    }
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ ... });
+  },
+});
+```
+
+On the frontend, show an "Undo" button when an error occurs:
+
+```tsx
+{error && (
+  <button onClick={() => transport.sendAction(chatId, { type: "undo" })}>
+    Undo and try again
+  </button>
+)}
+```
+
+### Pattern 2: Retry the last message
+
+For transient errors (network blips, rate limits), the simplest recovery is to re-send the last user message. The AI SDK's `useChat` provides `regenerate()`:
+
+```tsx
+const { messages, error, regenerate } = useChat({ transport });
+
+{error && (
+  <button onClick={() => regenerate()}>Retry</button>
+)}
+```
+
+`regenerate()` removes the last assistant response and re-sends. Combined with `onValidateMessages` or `hydrateMessages`, you can reload the canonical state from your DB before retrying.
+
+### Pattern 3: Save partial responses
+
+When a stream errors mid-response, the `responseMessage` in `onBeforeTurnComplete` and `onTurnComplete` contains the partial output. Save it as a "draft" so the user can see what was generated before the error:
+
+```ts
+onBeforeTurnComplete: async ({ chatId, responseMessage, stopped }) => {
+  if (responseMessage && responseMessage.parts.length > 0) {
+    // Save partial response — user can manually accept or discard
+    await db.partialResponse.create({
+      data: {
+        chatId,
+        message: responseMessage,
+        reason: stopped ? "stopped" : "errored",
+      },
+    });
+  }
+},
+```
+
+### Pattern 4: Fall back to a different model
+
+If the primary model errors, try a fallback model in the same turn:
+
+```ts
+run: async ({ messages, signal }) => {
+  try {
+    return streamText({
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  } catch (err) {
+    console.warn("Primary model failed, falling back:", err);
+    return streamText({
+      model: anthropic("claude-sonnet-4-6"),
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  }
+},
+```
+
+<Note>
+  This only catches errors thrown synchronously by `streamText` setup. Errors that happen mid-stream go through `uiMessageStreamOptions.onError`, not your try/catch.
+</Note>
+
+## What gets written to the stream on error
+
+When an error occurs at any layer, the frontend's `UIMessageChunk` stream surfaces an error chunk:
+
+```json
+{ "type": "error", "errorText": "Rate limited. Please wait a moment and try again." }
+```
+
+A `turn-complete` control record follows on `session.out` (header-form, not a data chunk — see [`turn-complete` control record](/ai-chat/client-protocol#turn-complete-control-record) for the wire format) to mark the turn as done.
+
+The AI SDK's `useChat` processes this and:
+
+1. Sets `useChat`'s `error` field to an `Error` with `message = errorText`
+2. Calls the user's `onError` callback (if set)
+3. Marks the turn as complete (`status` returns to `"ready"`)
+
+```tsx
+const { messages, error, status } = useChat({
+  transport,
+  onError: (err) => {
+    toast.error(err.message);
+  },
+});
+```
+
+## Frontend error handling
+
+### Showing the error to the user
+
+```tsx
+function Chat() {
+  const transport = useTriggerChatTransport({
+    task: "my-chat",
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+  });
+  const { messages, error, sendMessage } = useChat({ transport });
+
+  return (
+    <div>
+      {messages.map(m => /* ... */)}
+      {error && (
+        <div className="rounded border border-red-300 bg-red-50 p-3">
+          <p className="text-red-700">{error.message}</p>
+        </div>
+      )}
+      <form onSubmit={(e) => { e.preventDefault(); sendMessage(/* ... */); }}>
+        {/* ... */}
+      </form>
+    </div>
+  );
+}
+```
+
+### Distinguishing error types
+
+The `errorText` is just a string, so distinguish error types via prefixes or codes:
+
+```ts
+// Backend
+uiMessageStreamOptions: {
+  onError: (error) => {
+    if (error.message.includes("rate limit")) return "RATE_LIMIT: Please wait and try again.";
+    if (error.message.includes("context_length")) return "CONTEXT_TOO_LONG: Start a new chat.";
+    return "UNKNOWN: Something went wrong.";
+  },
+},
+```
+
+```tsx
+// Frontend
+{error?.message.startsWith("RATE_LIMIT") && <RateLimitNotice />}
+{error?.message.startsWith("CONTEXT_TOO_LONG") && <NewChatPrompt />}
+```
+
+<Tip>
+  For richer error structures, use [`chat.response.write()`](/ai-chat/backend#custom-data-parts) with a custom `data-error` part type. This lets you ship structured error metadata (codes, retry hints, etc.) instead of stringly-typed messages.
+</Tip>
+
+### Errors from `accessToken` / `startSession`
+
+If your `accessToken` or `startSession` callback throws (auth failure, DB write failure, network error), the rejection surfaces through `useChat`'s `error` state — same as a stream error. The transport doesn't retry the callback automatically; the customer is responsible for handling it.
+
+```tsx
+const transport = useTriggerChatTransport({
+  task: "my-chat",
+  accessToken: async ({ chatId }) => {
+    try {
+      return await mintChatAccessToken(chatId);
+    } catch (err) {
+      // Customer's server action failed (e.g. user lost auth).
+      // Re-throw to surface as a useChat error, or return a sentinel
+      // your UI can detect and prompt re-auth.
+      throw new Error(`AUTH_REFRESH: ${err.message}`);
+    }
+  },
+  startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+});
+```
+
+`startSession` failures most commonly mean the customer's authorization layer rejected the request (no plan, quota exceeded, user not allowed to chat with this agent). The customer's server should produce a meaningful error message; the transport propagates it verbatim to `useChat`'s `error` state.
+
+## Run-level retries
+
+`chat.agent` uses `retry: { maxAttempts: 1 }` — the run **never retries** on unhandled failure. This is intentional: each turn is conversation-preserving, so a true run failure is severe and shouldn't silently retry (which could send duplicate API calls or mutate state twice).
+
+To add retry-like behavior:
+
+- **Per-turn retries**: handle inside `run()` with try/catch and a fallback model
+- **Per-message retries**: re-send from the frontend (call `sendMessage` or `regenerate` again)
+- **Whole-run retries**: wrap `chat.agent` with a parent task that has `retry` configured, and call the agent's task internally
+
+## Best practices
+
+1. **Always set `uiMessageStreamOptions.onError`** to sanitize stream errors before they reach the user.
+2. **Persist messages in `onTurnStart`** so a mid-stream failure still leaves the user's message visible.
+3. **Use `onTurnComplete` to mark turn status** in your DB (`ok` / `errored` / `stopped`).
+4. **Don't throw raw errors with internal details** in hooks — catch, log, then throw a sanitized user-facing message.
+5. **Provide an undo or retry affordance** in the UI when errors occur.
+6. **Use `onFailure` for run-level monitoring** (Sentry, monitoring dashboards).
+7. **For known transient errors (rate limits, network)**, consider a fallback model inside `run()` instead of failing the turn.
+
+## `ChatChunkTooLargeError`
+
+A specific run-failing error worth flagging on its own. Anything written through the chat output is one record on the underlying realtime stream, capped at ~1 MiB per record. A single chunk over the cap throws `ChatChunkTooLargeError` (named export from `@trigger.dev/sdk`). The most common trigger is a tool whose result object is large enough to overflow as one `tool-output-available` chunk.
+
+The error carries `chunkType`, `chunkSize`, and `maxSize`. Catch with the `isChatChunkTooLargeError` guard and route oversized values out-of-band.
+
+See [Large payloads in chat.agent](/ai-chat/patterns/large-payloads) for the ID-reference pattern that works around the cap, plus guidance on transient data parts and out-of-band logging.
+
+## See also
+
+- [`uiMessageStreamOptions.onError`](/ai-chat/backend#error-handling-with-onerror) — stream error handler details
+- [Custom actions](/ai-chat/actions) — implement undo/retry actions
+- [`chat.history`](/ai-chat/backend#chat-history) — rollback to a previous message
+- [Large payloads](/ai-chat/patterns/large-payloads) — handling the ~1 MiB per-chunk cap
+- [Database persistence](/ai-chat/patterns/database-persistence) — saving conversation state
+- [Standard task hooks](/tasks/overview) — `onFailure`, `onComplete`, `onWait`, etc.
diff --git a/docs/ai-chat/fast-starts.mdx b/docs/ai-chat/fast-starts.mdx
new file mode 100644
index 00000000000..7310988964c
--- /dev/null
+++ b/docs/ai-chat/fast-starts.mdx
@@ -0,0 +1,582 @@
+---
+title: "Fast starts"
+sidebarTitle: "Fast starts"
+description: "Two ways to cut first-turn TTFC: Preload eagerly triggers the run before the first message; Head Start runs step 1 in your warm server while the agent boots in parallel."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+The first turn of a brand-new conversation pays for the chat.agent run's cold start: dequeue, process boot, `onPreload` / `onChatStart` hooks, and only then the LLM call. Two features address this from different angles.
+
+## Picking an approach
+
+| | [Preload](#preload) | [Head Start](#head-start) |
+|---|---|---|
+| **What it does** | Eagerly triggers the run before the first message | Runs step 1's LLM call in your warm process while the agent boots in parallel |
+| **First-turn TTFC win** | Hides agent boot if the user *does* send a message | ~50% reduction (LLM TTFB floor); boot fully overlaps with TTFB |
+| **When to fire** | Page load / input focus — your call | First message arrival — automatic |
+| **Cost when user never sends** | Idle compute until the preload window times out | Zero (no run was triggered) |
+| **Requires a warm server process** | No — works for browser-only surfaces | Yes — your route handler runs step 1 |
+| **Requires LLM keys client-side?** | No | No — keys stay in your warm server |
+| **Bundle constraints** | None | Route handler must import schema-only tools (no heavy executes) |
+
+**Pick one, not both.** Running both for the same chat is wasted work — Head Start gates on a real first message, so adding Preload on top eats the idle-compute cost Head Start was avoiding.
+
+**Use Preload** when the chat surface is browser-only, when you don't have a warm Node/Bun/Edge process serving the page, or when you can confidently predict the user *will* send a message (the run never goes idle).
+
+**Use Head Start** when the chat lives behind a warm server (Next.js App Router, Hono, SvelteKit, Workers, etc.) and you want first-turn TTFC down at the LLM TTFB floor without any speculative run.
+
+---
+
+## Preload
+
+Preload eagerly triggers a run for a chat before the first message is sent. Initialization (DB setup, context loading) happens while the user is still typing, reducing first-response latency.
+
+### Frontend
+
+Call `transport.preload(chatId)` to start a run early:
+
+```tsx
+import { useEffect } from "react";
+import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+import { useChat } from "@ai-sdk/react";
+
+export function Chat({ chatId }) {
+  const transport = useTriggerChatTransport({
+    task: "my-chat",
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+    clientData: { userId: currentUser.id },
+  });
+
+  // Preload on mount: run starts before the user types anything.
+  // Trigger config (idleTimeoutInSeconds, machine, tags) lives in the
+  // server action that wraps `chat.createStartSessionAction`.
+  useEffect(() => {
+    transport.preload(chatId);
+  }, [chatId]);
+
+  const { messages, sendMessage } = useChat({ id: chatId, transport });
+  // ...
+}
+```
+
+Preload is a no-op if a session already exists for this chatId.
+
+Your `accessToken` callback receives `{ chatId }` and is invoked the same way on preload as on any other refresh — no special branching by purpose. See [TriggerChatTransport options](/ai-chat/reference#triggerchattransport-options).
+
+### Backend
+
+The `onPreload` hook fires immediately. The run then waits for the first message. When the user sends a message, `onChatStart` fires with `preloaded: true` so you can skip work that already ran:
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  onPreload: async ({ chatId, clientData }) => {
+    // Eagerly initialize: runs before the first message
+    userContext.init(await loadUser(clientData.userId));
+    await db.chat.create({ data: { id: chatId } });
+  },
+  onChatStart: async ({ preloaded }) => {
+    if (preloaded) return; // Already initialized in onPreload
+    // ... fallback initialization for non-preloaded runs
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+With `chat.createSession()` or raw tasks, check `payload.trigger === "preload"` and wait for the first message:
+
+```ts
+if (payload.trigger === "preload") {
+  // Initialize early...
+  const result = await chat.messages.waitWithIdleTimeout({
+    idleTimeoutInSeconds: 60,
+    timeout: "1h",
+  });
+  if (!result.ok) return;
+  currentPayload = result.output;
+}
+```
+
+---
+
+## Head Start
+
+Head Start runs step 1's LLM call in your warm server process while the chat.agent run boots in parallel. The user sees one continuous turn: text first from your server, then a clean handover to the agent for tool execution and any further steps.
+
+`chat.headStart` returns a standard [Web Fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API) handler — `(req: Request) => Promise<Response>` — so it slots into any runtime that speaks Web Fetch.
+
+**Verified runtimes:** Node 18+, Bun, Deno, Cloudflare Workers, Vercel (Node and Edge), Netlify (Functions and Edge). The handler uses only `fetch` and Web `ReadableStream` / `TransformStream` (no `node:*` imports), and the S2 streaming dependency picks the right transport for each runtime automatically (HTTP/2 on Node/Deno, HTTP/1.1 on Bun/Workers/browsers).
+
+**Compatible frameworks (native Web Fetch):** Next.js App Router, Hono, SvelteKit, Remix, React Router v7, TanStack Start, Astro, Nitro/Nuxt, Elysia. Mount the handler directly.
+
+**Node-only frameworks (Express, Fastify, Koa):** the handler still works, but the framework gives you a Node `IncomingMessage` instead of a Web `Request`. Use a small adapter — examples in [Mounting in your framework](#mounting-in-your-framework) below.
+
+When the first turn is pure text (no tool calls), the agent run boots and exits without ever calling an LLM. You only pay for what the conversation actually needed.
+
+### Measured TTFC
+
+3 runs each, prompt `"say hi in five words"`, same model both sides (Anthropic Claude Sonnet 4):
+
+| | Without Head Start | With Head Start | Δ |
+| --- | --- | --- | --- |
+| TTFT (avg) | 2801 ms | **1218 ms** | **−57%** |
+| TTFT (range) | 2351–3101 ms | 1201–1252 ms | |
+| Total turn | 4180 ms | 2345 ms | −44% |
+
+With Head Start, time-to-first-text is essentially the LLM TTFB floor (50ms spread). Without it, agent boot + hooks stack before the LLM call, adding 750ms of variance.
+
+### How it works
+
+```mermaid
+sequenceDiagram
+    autonumber
+    participant B as Browser
+    participant H as Route handler<br/>(your warm server)
+    participant T as chat.agent run<br/>(Trigger.dev)
+
+    B->>H: POST first message<br/>(headStart URL)
+
+    par Step 1 + agent boot in parallel
+        H->>H: streamText step 1<br/>(your model, schema-only tools)
+        H-->>B: SSE: step 1 chunks
+    and
+        H->>T: createSession + trigger run
+        T->>T: boot → wait on session.in
+    end
+
+    alt finishReason: tool-calls
+        H->>T: handover signal<br/>(partial assistant message)
+        T->>T: execute tools, run step 2 LLM
+        T-->>H: chunks via session.out
+        H-->>B: SSE: step 2 chunks
+        T-->>H: trigger:turn-complete
+    else finishReason: stop (pure text)
+        H->>T: handover-skip signal
+        T->>T: exit (no LLM call)
+    end
+
+    H-->>B: SSE close
+    Note over B,T: Subsequent turns bypass the handler:<br/>browser writes directly to session.in
+```
+
+<Steps>
+  <Step title="Browser POSTs the first message to your route handler">
+    The transport sees `headStart: "/api/chat"` is set and there's no session yet for this chat. It POSTs the wire payload (messages, chatId, metadata) to your route handler.
+  </Step>
+  <Step title="Your handler creates the session and triggers the agent run">
+    A single `apiClient.createSession` round-trip both creates the chat session and triggers an agent run with `trigger: "handover-prepare"`. The agent run boots into a wait state on `session.in`.
+  </Step>
+  <Step title="Your handler runs streamText step 1">
+    `streamText` runs in your warm process with `stopWhen: stepCountIs(1)`. The output is streamed to the browser as SSE while the agent run boots in parallel. Boot time (~488ms) overlaps with LLM TTFB (~389ms), fully hidden.
+  </Step>
+  <Step title="Mid-turn handover">
+    On step 1's `tool-calls` finish, your handler signals the agent and the SDK splices the agent's step-2+ stream into the same SSE response. On pure-text finish, your handler signals `handover-skip` and the agent run exits clean — no LLM call from the trigger side.
+  </Step>
+  <Step title="Subsequent turns bypass the route handler">
+    After turn 1, the transport hydrates the session PAT from response headers and writes turn 2 onward directly to `session.in`. Same direct-trigger path as a regular `chat.agent` setup.
+  </Step>
+</Steps>
+
+### Setup
+
+<Warning>
+**Bundle isolation is the load-bearing constraint.** Head Start only saves time because your route-handler bundle stays lightweight. Anything you import in that handler — and anything those modules import transitively — lands in the bundle. If your tool catalog with heavy `execute` fns (E2B, Puppeteer, native bindings, the trigger SDK runtime, Turndown, image processing, `node:child_process`) ends up in the bundle, you've put cold-start back into a different process.
+
+This is an **import-chain** problem, not a runtime one. A "we'll strip the executes at runtime" helper would not fix it — bundlers resolve imports at build time. The only correct shape is to keep schemas in their own module that imports `ai` and `zod` only.
+</Warning>
+
+<Steps>
+  <Step title="Split your tool definitions into schemas + executes">
+    Schemas in one module (light deps), executes in another (heavy deps). The agent task pulls in both; the route handler pulls in schemas only.
+
+    ```ts lib/chat-tools/schemas.ts
+    // ⚠️ This file MUST NOT import anything heavier than `ai` and `zod`.
+    // Any import here lands in the route-handler bundle.
+    import { tool } from "ai";
+    import { z } from "zod";
+
+    export const fetchPage = tool({
+      description: "Fetch a URL and return text",
+      inputSchema: z.object({ url: z.string().url() }),
+      // No execute — agent task adds it elsewhere.
+    });
+
+    export const headStartTools = { fetchPage };
+    ```
+
+    ```ts trigger/chat-tools.ts
+    // Heavy deps live here. Only the trigger task imports this module.
+    import { tool } from "ai";
+    import TurndownService from "turndown";
+    import { fetchPage as fetchPageSchema } from "@/lib/chat-tools/schemas";
+
+    const turndown = new TurndownService();
+
+    export const fetchPage = tool({
+      ...fetchPageSchema,
+      execute: async ({ url }) => {
+        const res = await fetch(url);
+        return { body: turndown.turndown(await res.text()) };
+      },
+    });
+
+    export const chatTools = { fetchPage };
+    ```
+  </Step>
+  <Step title="Define your chat.agent (heavy executes)">
+    The agent uses the full tool set — these are the executes that run when step 2+ needs them.
+
+    ```ts trigger/chat.ts
+    import { chat } from "@trigger.dev/sdk/ai";
+    import { streamText, stepCountIs } from "ai";
+    import { anthropic } from "@ai-sdk/anthropic";
+    import { chatTools } from "./chat-tools";
+
+    export const myChat = chat.agent({
+      id: "my-chat",
+      run: async ({ messages, signal }) =>
+        streamText({
+          ...chat.toStreamTextOptions({ tools: chatTools }),
+          model: anthropic("claude-sonnet-4-6"),
+          messages,
+          stopWhen: stepCountIs(10),
+          abortSignal: signal,
+        }),
+    });
+    ```
+  </Step>
+  <Step title="Build the head-start handler">
+    Call `chat.headStart({ agentId, run })`. It returns a standard Web Fetch handler: `(req: Request) => Promise<Response>`. Inside the `run` callback you call `streamText` yourself and spread `chat.toStreamTextOptions({ tools })` to inherit the SDK-owned wiring (messages, schema-only tools, `stopWhen: stepCountIs(1)`, abort signal). Add your own `model` and `system` on top.
+
+    ```ts lib/chat-handler.ts
+    import { chat } from "@trigger.dev/sdk/chat-server";
+    import { streamText } from "ai";
+    import { anthropic } from "@ai-sdk/anthropic";
+    import { headStartTools } from "@/lib/chat-tools/schemas";
+
+    export const chatHandler = chat.headStart({
+      agentId: "my-chat",
+      run: async ({ chat: helper }) =>
+        streamText({
+          ...helper.toStreamTextOptions({ tools: headStartTools }),
+          model: anthropic("claude-sonnet-4-6"),
+          system: "You are a helpful assistant.",
+          stopWhen: stepCountIs(15),
+        }),
+    });
+    ```
+
+    <Tip>
+      Use the **same model** on both sides (route handler and `chat.agent`) to avoid a tone or style shift between step 1 and step 2+. Your LLM provider keys stay server-side in your warm process — Trigger.dev never holds them in this design.
+    </Tip>
+
+    Mount the handler in whatever framework you use — see [Mounting in your framework](#mounting-in-your-framework) below.
+  </Step>
+  <Step title="Opt in on the transport">
+    Add `headStart: "/api/chat"` to `useTriggerChatTransport`. Subsequent turns bypass this URL automatically — `accessToken` and (optionally) `startSession` still run for the direct-trigger path on turn 2 onward.
+
+    ```tsx components/chat.tsx
+    const transport = useTriggerChatTransport<typeof myChat>({
+      task: "my-chat",
+      accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+      startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+      headStart: "/api/chat",
+    });
+    ```
+  </Step>
+</Steps>
+
+### Mounting in your framework
+
+`chat.headStart` returns a Web Fetch handler — `(req: Request) => Promise<Response>`. Frameworks that natively pass Web `Request` objects mount it as-is. Node-only frameworks (Express, Fastify, Koa) need a small adapter.
+
+#### Web Fetch frameworks (recommended)
+
+<CodeGroup>
+
+```ts Next.js (App Router)
+// app/api/chat/route.ts
+import { chatHandler } from "@/lib/chat-handler";
+
+export const POST = chatHandler;
+// Default function timeout on Vercel is 10s. Bump if your turns
+// run long (multi-step tool use, slow models):
+// export const maxDuration = 60;
+```
+
+```ts Hono
+// src/index.ts
+import { Hono } from "hono";
+import { chatHandler } from "./chat-handler";
+
+const app = new Hono();
+
+app.post("/api/chat", (c) => chatHandler(c.req.raw));
+
+export default app;
+```
+
+```ts SvelteKit
+// src/routes/api/chat/+server.ts
+import type { RequestHandler } from "./$types";
+import { chatHandler } from "$lib/chat-handler";
+
+export const POST: RequestHandler = ({ request }) => chatHandler(request);
+```
+
+```ts Remix / React Router v7
+// app/routes/api.chat.ts
+import type { ActionFunctionArgs } from "@remix-run/node";
+import { chatHandler } from "~/lib/chat-handler";
+
+export async function action({ request }: ActionFunctionArgs) {
+  return chatHandler(request);
+}
+```
+
+```ts TanStack Start
+// app/routes/api/chat.ts
+import { createAPIFileRoute } from "@tanstack/start/api";
+import { chatHandler } from "~/lib/chat-handler";
+
+export const Route = createAPIFileRoute("/api/chat")({
+  POST: ({ request }) => chatHandler(request),
+});
+```
+
+```ts Astro
+// src/pages/api/chat.ts
+import type { APIRoute } from "astro";
+import { chatHandler } from "../../lib/chat-handler";
+
+export const POST: APIRoute = ({ request }) => chatHandler(request);
+```
+
+```ts Nitro / Nuxt
+// server/api/chat.post.ts
+import { chatHandler } from "~/lib/chat-handler";
+
+export default defineEventHandler((event) => chatHandler(toWebRequest(event)));
+```
+
+```ts Elysia
+// src/index.ts
+import { Elysia } from "elysia";
+import { chatHandler } from "./chat-handler";
+
+new Elysia()
+  .post("/api/chat", ({ request }) => chatHandler(request))
+  .listen(3000);
+```
+
+</CodeGroup>
+
+#### Edge / standalone runtimes
+
+<CodeGroup>
+
+```ts Cloudflare Workers
+// src/index.ts
+import { chatHandler } from "./chat-handler";
+
+export default {
+  async fetch(req: Request): Promise<Response> {
+    const url = new URL(req.url);
+    if (req.method === "POST" && url.pathname === "/api/chat") {
+      return chatHandler(req);
+    }
+    return new Response("Not found", { status: 404 });
+  },
+};
+```
+
+```ts Bun (native server)
+// server.ts
+import { chatHandler } from "./chat-handler";
+
+Bun.serve({
+  port: 3000,
+  async fetch(req) {
+    const url = new URL(req.url);
+    if (req.method === "POST" && url.pathname === "/api/chat") {
+      return chatHandler(req);
+    }
+    return new Response("Not found", { status: 404 });
+  },
+});
+```
+
+```ts Deno (Deno.serve)
+// server.ts
+import { chatHandler } from "./chat-handler.ts";
+
+Deno.serve({ port: 3000 }, async (req) => {
+  const url = new URL(req.url);
+  if (req.method === "POST" && url.pathname === "/api/chat") {
+    return chatHandler(req);
+  }
+  return new Response("Not found", { status: 404 });
+});
+```
+
+</CodeGroup>
+
+#### Node-only frameworks
+
+Express, Fastify, and Koa pass Node `IncomingMessage` / `ServerResponse` objects rather than Web `Request` / `Response`. The SDK ships `chat.toNodeListener` that wraps any Web Fetch handler as a Node `(req, res)` listener — body bytes are read upfront, headers translated, the response body streamed chunk-by-chunk, and client disconnect is propagated to the handler via `AbortSignal`.
+
+<CodeGroup>
+
+```ts Express
+import express from "express";
+import { chat } from "@trigger.dev/sdk/chat-server";
+import { chatHandler } from "./chat-handler";
+
+const app = express();
+app.post("/api/chat", chat.toNodeListener(chatHandler));
+app.listen(3000);
+```
+
+```ts Fastify
+import Fastify from "fastify";
+import { chat } from "@trigger.dev/sdk/chat-server";
+import { chatHandler } from "./chat-handler";
+
+const fastify = Fastify();
+const listener = chat.toNodeListener(chatHandler);
+
+fastify.post("/api/chat", (req, reply) => {
+  // Hand the raw Node request/response to the adapter and tell
+  // Fastify we'll handle the response ourselves (no auto-reply).
+  reply.hijack();
+  return listener(req.raw, reply.raw);
+});
+
+fastify.listen({ port: 3000 });
+```
+
+```ts Koa
+import Koa from "koa";
+import Router from "@koa/router";
+import { chat } from "@trigger.dev/sdk/chat-server";
+import { chatHandler } from "./chat-handler";
+
+const app = new Koa();
+const router = new Router();
+const listener = chat.toNodeListener(chatHandler);
+
+router.post("/api/chat", async (ctx) => {
+  ctx.respond = false; // Tell Koa not to send the response itself.
+  await listener(ctx.req, ctx.res);
+});
+
+app.use(router.routes()).listen(3000);
+```
+
+```ts Raw node:http
+import http from "node:http";
+import { chat } from "@trigger.dev/sdk/chat-server";
+import { chatHandler } from "./chat-handler";
+
+const listener = chat.toNodeListener(chatHandler);
+
+http
+  .createServer((req, res) => {
+    if (req.method === "POST" && req.url === "/api/chat") {
+      return listener(req, res);
+    }
+    res.statusCode = 404;
+    res.end();
+  })
+  .listen(3000);
+```
+
+</CodeGroup>
+
+<Warning>
+  Don't run `express.json()` (or any body-parsing middleware) before the head-start route — it consumes the request body before `chat.toNodeListener` can read the raw bytes. Either skip the parser for this route, or scope it to other routes.
+</Warning>
+
+#### Streaming response timeouts
+
+The handler keeps the SSE response open until the agent run signals turn-complete (or skip, on a pure-text turn). Make sure your framework / serverless function timeout accommodates that:
+
+- **Pure-text first turns**: ~LLM TTFB (1–3 s typically).
+- **Tool-calling first turns**: LLM step 1 + agent boot + tool execution + step 2 LLM call. Usually 5–15 s; longer for multi-step tool use.
+- **Vercel**: default function timeout is 10 s on Hobby, 60 s on Pro. Set `export const maxDuration = N;` on the route segment.
+- **Cloudflare Workers**: default 30 s CPU time (paid plans up to 5 min). Streaming wall time is generally not the bottleneck.
+- **AWS Lambda behind API Gateway**: 29 s API Gateway hard limit; Lambda Function URL allows up to 15 min.
+
+### What gets routed where
+
+| | First turn (handover) | Subsequent turns |
+| --- | --- | --- |
+| Browser sends message via | POST to `headStart` URL | Direct write to `session.in` |
+| Step 1 LLM call runs in | Your warm process | Trigger.dev agent run |
+| Tool execution runs in | Trigger.dev agent run | Trigger.dev agent run |
+| Step 2+ LLM call runs in | Trigger.dev agent run | Trigger.dev agent run |
+| `onChatStart` / `onTurnStart` fire | After handover signal arrives | Normally |
+| `onTurnComplete` fires | After turn finishes (handover) or skipped (handover-skip) | Normally |
+
+### The `chat.headStart` API
+
+```ts
+chat.headStart<TTools>({
+  agentId: string,                       // The chat.agent({ id }) you're handing off to
+  run: (args: HeadStartRunArgs<TTools>) => Promise<StreamTextResult<any, any>>,
+  idleTimeoutInSeconds?: number,         // How long the agent waits for the handover signal. Default: 60
+}): (req: Request) => Promise<Response>
+```
+
+The `run` callback receives:
+
+- `messages: UIMessage[]` — user messages parsed from the request body.
+- `signal: AbortSignal` — fires when the request closes or the SDK times out the handover.
+- `chat: HeadStartChatHelper<TTools>` — exposes `chat.toStreamTextOptions({ tools })` and a `chat.session` escape hatch for power users.
+
+`chat.toStreamTextOptions({ tools })` returns options to spread into `streamText`. The SDK owns these keys — overriding them will break the protocol:
+
+| Key | What the SDK sets | Why |
+| --- | --- | --- |
+| `messages` | `convertToModelMessages(uiMessages)` | First-turn user history |
+| `tools` | What you pass | Schema-only tools for step 1 |
+| `stopWhen` | `stepCountIs(1)` | Step 1 only — agent picks up step 2+ |
+| `abortSignal` | Combined request + idle timeout | Safe cleanup on disconnect |
+
+You bring `model`, `system`, `providerOptions`, `prepareStep`, anything else `streamText` accepts.
+
+#### The transport option
+
+```ts
+useTriggerChatTransport({
+  // ... task, accessToken, startSession, ...
+  headStart?: string,  // URL of your chat.headStart route handler
+});
+```
+
+Optional. When set, the FIRST message of a brand-new chat (no existing session state) routes through this URL. Subsequent turns bypass it and use the direct-trigger path.
+
+This is **not** a stock `useChat` `endpoint` — it's not the canonical request URL for every turn, just the first-turn shortcut.
+
+### Limitations
+
+- **First turn only.** Step 2+ and turn 2+ run on the trigger side. There's no per-turn "head start every turn" mode — the win comes from amortizing agent boot across the LLM call once.
+- **Single step on the warm-server side.** The handler runs `stopWhen: stepCountIs(1)`. Multi-step handover (handler does step 1 + step 2 + ...) is out of scope.
+- **Your server needs an LLM provider key.** The first-turn LLM call runs in your warm process, so that environment needs whatever keys the model requires. The agent's executes still run on the Trigger.dev side with whatever environment variables they need there.
+- **Browser-only chat surfaces don't apply.** Without a warm server process, there's nowhere to run step 1 ahead of the agent run. Use [Preload](#preload) or eat the cold-start tax.
+- **Streaming-capable runtime required.** Your framework / runtime has to support streaming HTTP responses (Web Fetch `Response` body or equivalent). Most modern hosts do — Next.js, Hono, SvelteKit, Workers, Bun, Deno, Vercel, etc. Some legacy platforms that buffer full responses won't deliver chunks until the turn is over, which negates the TTFC benefit (correctness still holds).
+- **Non-`useChat` chat surfaces** (Slack bots, Discord bots, custom protocols) don't fit the `chat.headStart` shape — the API expects the AI SDK transport's wire payload on input. For those, trigger the chat.agent directly from your bot handler.
+
+## Reference
+
+- [`chat.headStart` factory and types](/ai-chat/reference) — full signatures for `HeadStartRunArgs`, `HeadStartChatHelper`, `HeadStartSession`, `HeadStartHandlerOptions`.
+- [`headStart` transport option](/ai-chat/reference#triggerchattransport-options) — alongside `accessToken`, `startSession`, etc.
+- [`onPreload` hook](/ai-chat/lifecycle-hooks#onpreload) — the backend hook that fires when a run is preloaded.
diff --git a/docs/ai-chat/frontend.mdx b/docs/ai-chat/frontend.mdx
new file mode 100644
index 00000000000..3dac5ca5ade
--- /dev/null
+++ b/docs/ai-chat/frontend.mdx
@@ -0,0 +1,580 @@
+---
+title: "Frontend"
+sidebarTitle: "Frontend"
+description: "Transport setup, session management, client data, and frontend patterns for AI Chat."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+## How the transport works
+
+Vanilla `useChat` expects an `api` URL — it POSTs the conversation to your own Next.js route handler, which terminates the stream. `useTriggerChatTransport` replaces that round-trip: instead of an `api` URL, you pass a custom [`ChatTransport`](https://ai-sdk.dev/docs/ai-sdk-ui/transport) that talks directly to the Trigger.dev cloud (or your self-hosted webapp) on behalf of `useChat`.
+
+There's no API route to maintain. The browser uses a short-lived session-scoped PAT (minted by your `accessToken` server action) to:
+
+- **Create the session** via your `startSession` action on the first message (or `transport.preload(chatId)`).
+- **Append the new user message** to the session's durable `.in` stream.
+- **Subscribe to the `.out` SSE stream** for the agent's response chunks (text, tool calls, reasoning, custom `data-*` parts).
+
+The transport handles the auth refresh, reconnect, `Last-Event-ID` resume, and stop-signal plumbing transparently. `useChat` sees the result as `UIMessageChunk`s and renders them unchanged.
+
+## Transport setup
+
+Use the `useTriggerChatTransport` hook from `@trigger.dev/sdk/chat/react` to create a memoized transport instance, then pass it to `useChat`:
+
+```tsx
+import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+import { useChat } from "@ai-sdk/react";
+import type { myChat } from "@/trigger/chat";
+import { mintChatAccessToken, startChatSession } from "@/app/actions";
+
+export function Chat() {
+  const transport = useTriggerChatTransport<typeof myChat>({
+    task: "my-chat",
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+  });
+
+  const { messages, sendMessage, stop, status } = useChat({ transport });
+  // ... render UI
+}
+```
+
+The transport is created once on first render and reused across re-renders. Pass a type parameter for compile-time validation of the task ID.
+
+The two callbacks have distinct responsibilities:
+
+- **`accessToken`** is a *pure* PAT mint — the transport invokes it on a 401/403 to refresh the session-scoped token. Customer wraps `auth.createPublicToken({ scopes: { read: { sessions: chatId }, write: { sessions: chatId } } })`, which resolves to a `Promise<string>` (the JWT). Return that string from your `accessToken` callback.
+- **`startSession`** wraps `chat.createStartSessionAction(taskId)` and is called when the transport needs to *create* the session (`transport.preload(chatId)`, or lazily on the first `sendMessage` for a chatId without a cached PAT). The customer's server controls authorization here, alongside any DB writes paired with session creation.
+
+See [Quick start](/ai-chat/quick-start) for the matching server actions.
+
+<Tip>
+  The hook keeps `onSessionChange` and `clientData` up to date via internal refs, so you don't need
+  to memoize callbacks or worry about stale closures when those options change between renders.
+</Tip>
+
+## Typed messages (`chat.withUIMessage`)
+
+If your chat agent is defined with [`chat.withUIMessage<YourUIMessage>()`](/ai-chat/types) (custom `data-*` parts, typed tools, etc.), pass the same message type through `useChat` so `messages` and `message.parts` are narrowed on the client:
+
+```tsx
+import { useChat } from "@ai-sdk/react";
+import { useTriggerChatTransport, type InferChatUIMessage } from "@trigger.dev/sdk/chat/react";
+import type { myChat } from "./myChat";
+
+type Msg = InferChatUIMessage<typeof myChat>;
+
+const transport = useTriggerChatTransport<typeof myChat>({
+  task: "my-chat",
+  accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+  startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+});
+const { messages } = useChat<Msg>({ transport });
+```
+
+See the [Types](/ai-chat/types) guide for defining `YourUIMessage`, default stream options, and backend examples.
+
+### Calling a fetch endpoint instead of a server action
+
+If you want to mint tokens via a REST endpoint instead of a Next.js server action, the same callbacks accept any async function. Import `AccessTokenParams` and `StartSessionParams` from `@trigger.dev/sdk/chat` to type your fetch handler.
+
+```ts
+import type { AccessTokenParams, StartSessionParams } from "@trigger.dev/sdk/chat";
+
+const transport = useTriggerChatTransport({
+  task: "my-chat",
+  accessToken: async ({ chatId }: AccessTokenParams) => {
+    const res = await fetch(`/api/chat/${chatId}/access-token`, { method: "POST" });
+    return res.text();
+  },
+  startSession: async ({ chatId, taskId, clientData }: StartSessionParams) => {
+    const res = await fetch(`/api/chat/${chatId}/start`, {
+      method: "POST",
+      body: JSON.stringify({ taskId, clientData }),
+    });
+    return res.json(); // { publicAccessToken: string }
+  },
+});
+```
+
+The fetch handlers on the server side wrap the same SDK helpers as the server-action variant: `auth.createPublicToken({ scopes: { read: { sessions: chatId }, write: { sessions: chatId } } })` for refresh and `chat.createStartSessionAction(taskId)` for create.
+
+## Session management
+
+Every chat is backed by a durable Session — the row that owns the chat's runs, persists across run lifecycles, and orchestrates handoffs. The transport manages the session for you; what you persist on your side is a small piece of state per chat that lets a fresh tab resume without a round-trip to create a new session.
+
+### What the transport persists per chat
+
+| Field | Type | Notes |
+| --- | --- | --- |
+| `publicAccessToken` | `string` | Session-scoped JWT (`read:sessions:{chatId} + write:sessions:{chatId}`). Refreshed automatically on 401/403 via `accessToken`. |
+| `lastEventId` | `string \| undefined` | Last SSE event received on `.out`. **Valid for the lifetime of the Session** — keep it across `endRun` / `requestUpgrade` / continuation-run boundaries; only clear when the Session itself closes. The cursor lets the next subscription open past the prior turn's stale `turn-complete` record. |
+| `isStreaming` | `boolean \| undefined` | **Optional.** The transport sets it internally, but you don't have to persist it — the server decides "nothing is streaming" via the session's [`X-Session-Settled`](/ai-chat/client-protocol#x-session-settled-fast-close-on-idle-reconnects) signal on reconnect. If you do persist it, the transport keeps the fast-path short-circuit. If you drop it, reconnects open the SSE and close fast on settled sessions. |
+
+### Session cleanup (frontend)
+
+Since session creation and updates are handled server-side, the frontend only needs to handle session deletion when a run ends:
+
+```tsx
+const transport = useTriggerChatTransport<typeof myChat>({
+  task: "my-chat",
+  accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+  startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+  sessions: loadedSessions, // Restored from DB on page load
+  onSessionChange: (chatId, session) => {
+    if (!session) {
+      deleteSession(chatId); // Server action — run ended
+    }
+  },
+});
+```
+
+### Restoring on page load
+
+On page load, fetch both the messages and the session state from your database, then pass them to `useChat` and the transport. Pass `resume: true` to `useChat` when there's an existing conversation — this tells the AI SDK to reconnect to the stream via the transport.
+
+Because the underlying Session row outlives individual runs, a chat you were in yesterday resumes against the same chat — even if the original run has long since exited. The transport hydrates from the persisted state and uses `lastEventId` to resubscribe; if the client tries to send a new message and no run is alive, the server triggers a fresh continuation run on the same session before the message is appended.
+
+```tsx app/chat/[chatId]/ChatPage.tsx
+"use client";
+
+import { useEffect, useState } from "react";
+import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+import { useChat } from "@ai-sdk/react";
+import {
+  mintChatAccessToken,
+  startChatSession,
+  getChatMessages,
+  getSession,
+  deleteSession,
+} from "@/app/actions";
+
+// Rendered from `app/chat/[chatId]/page.tsx`, which awaits `params`
+// and forwards `chatId` into this client component:
+//
+//   export default async function Page({ params }: { params: Promise<{ chatId: string }> }) {
+//     const { chatId } = await params;
+//     return <ChatPage chatId={chatId} />;
+//   }
+export default function ChatPage({ chatId }: { chatId: string }) {
+  const [initialMessages, setInitialMessages] = useState([]);
+  const [initialSession, setInitialSession] = useState(undefined);
+  const [loaded, setLoaded] = useState(false);
+
+  useEffect(() => {
+    async function load() {
+      const [messages, session] = await Promise.all([getChatMessages(chatId), getSession(chatId)]);
+      setInitialMessages(messages);
+      setInitialSession(session ? { [chatId]: session } : undefined);
+      setLoaded(true);
+    }
+    load();
+  }, [chatId]);
+
+  if (!loaded) return null;
+
+  return (
+    <ChatClient
+      chatId={chatId}
+      initialMessages={initialMessages}
+      initialSessions={initialSession}
+    />
+  );
+}
+
+function ChatClient({ chatId, initialMessages, initialSessions }) {
+  const transport = useTriggerChatTransport({
+    task: "my-chat",
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+    sessions: initialSessions,
+    onSessionChange: (id, session) => {
+      if (!session) deleteSession(id);
+    },
+  });
+
+  const { messages, sendMessage, stop, status } = useChat({
+    id: chatId,
+    messages: initialMessages,
+    transport,
+    resume: initialMessages.length > 0, // Resume if there's an existing conversation
+  });
+
+  // ... render UI
+}
+```
+
+<Info>
+  `resume: true` causes `useChat` to call `reconnectToStream` on the transport when the component
+  mounts. The transport uses the session's `lastEventId` to skip past already-seen stream events, so
+  the frontend only receives new data. Only enable `resume` when there are existing messages — for
+  brand new chats, there's nothing to reconnect to.
+</Info>
+
+<Note>
+  After resuming, `useChat`'s built-in `stop()` won't send the stop signal to the backend because
+  the AI SDK doesn't pass its abort signal through `reconnectToStream`. Use
+  `transport.stopGeneration(chatId)` for reliable stop behavior after resume — see
+  [Stop generation](#stop-generation) for the recommended pattern.
+</Note>
+
+<Warning>
+  In React strict mode (enabled by default in Next.js dev), you may see a `TypeError: Cannot read
+  properties of undefined (reading 'state')` in the console when using `resume`. This is a [known
+  bug in the AI SDK](https://github.com/vercel/ai/issues/8477) caused by React strict mode
+  double-firing the resume effect. The error is caught internally and **does not affect
+  functionality** — streaming and message display work correctly. It only appears in development and
+  will not occur in production builds.
+</Warning>
+
+### Network resilience
+
+You don't need to handle network drops, mobile background-kills, or Safari bfcache restores. The transport retries indefinitely with bounded backoff, reconnects on `online` / tab refocus / `pageshow` with `event.persisted`, and uses `Last-Event-ID` to resume without dropping chunks. See the [changelog entry](/ai-chat/changelog) for the gory details.
+
+## Client data and metadata
+
+### Transport-level client data
+
+Set default client data on the transport that's included in every request. When the task uses `clientDataSchema`, this is type-checked to match:
+
+```ts
+const transport = useTriggerChatTransport<typeof myChat>({
+  task: "my-chat",
+  accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+  startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+  clientData: { userId: currentUser.id },
+});
+```
+
+The transport threads `clientData` through three places automatically: into `startSession`'s `params.clientData` for the first run's `payload.metadata`, into per-turn `metadata` on every `.in/append` chunk, and live-updates if the option value changes between renders (so React-driven values like the current user work without reconstructing the transport).
+
+### Per-message metadata
+
+Pass metadata with individual messages via `sendMessage`. Per-message values are merged with transport-level client data (per-message wins on conflicts):
+
+```ts
+sendMessage({ text: "Hello" }, { metadata: { model: "gpt-4o", priority: "high" } });
+```
+
+### Typed client data with clientDataSchema
+
+Instead of manually parsing `clientData` with Zod in every hook, pass a `clientDataSchema` to `chat.agent`. The schema validates the data once per turn, and `clientData` is typed in all hooks and `run`:
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText, stepCountIs } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+import { z } from "zod";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  clientDataSchema: z.object({
+    model: z.string().optional(),
+    userId: z.string(),
+  }),
+  onChatStart: async ({ chatId, clientData }) => {
+    // clientData is typed as { model?: string; userId: string }
+    await db.chat.create({
+      data: { id: chatId, userId: clientData.userId },
+    });
+  },
+  run: async ({ messages, clientData, signal }) => {
+    // Same typed clientData — no manual parsing needed
+    return streamText({
+      model: openai(clientData?.model ?? "gpt-4o"),
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+The schema also types the `clientData` option on the frontend transport:
+
+```ts
+// TypeScript enforces that clientData matches the schema
+const transport = useTriggerChatTransport<typeof myChat>({
+  task: "my-chat",
+  accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+  startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+  clientData: { userId: currentUser.id },
+});
+```
+
+Supports Zod, ArkType, Valibot, and other schema libraries supported by the SDK.
+
+## Stop generation
+
+Use `transport.stopGeneration(chatId)` to stop the current generation. This sends a stop signal to the running task via input streams, aborting the current `streamText` call while keeping the run alive for the next message.
+
+`stopGeneration` works in all scenarios — including after a page refresh when the stream was reconnected via `resume`. Call it alongside `useChat`'s `stop()` to also update the frontend state:
+
+```tsx
+const { messages, sendMessage, stop: aiStop, status } = useChat({ transport });
+
+// Wrap both calls in a single stop handler
+const stop = useCallback(() => {
+  transport.stopGeneration(chatId);
+  aiStop();
+}, [transport, chatId, aiStop]);
+
+{
+  status === "streaming" && (
+    <button type="button" onClick={stop}>
+      Stop
+    </button>
+  );
+}
+```
+
+<Info>
+  `transport.stopGeneration(chatId)` handles the backend stop signal and closes
+  the SSE connection, while `aiStop()` (from `useChat`) updates the frontend
+  status to `"ready"` and fires the `onFinish` callback.
+</Info>
+
+<Tip>
+  A [PR to the AI SDK](https://github.com/vercel/ai/pull/14350) has been
+  submitted to pass `abortSignal` through `reconnectToStream`, which would make
+  `useChat`'s built-in `stop()` work after resume without needing
+  `stopGeneration`. Until that lands, use the pattern above for reliable stop
+  behavior after page refresh.
+</Tip>
+
+See [Stop generation](/ai-chat/backend#stop-generation) in the backend docs for how to handle stop signals in your task.
+
+## Tool approvals
+
+The AI SDK supports tools that require human approval before execution. To use this with `chat.agent`, define a tool with `needsApproval: true` on the backend, then handle the approval UI and configure `sendAutomaticallyWhen` on the frontend.
+
+### Backend: define an approval-required tool
+
+```ts
+import { tool } from "ai";
+import { z } from "zod";
+
+const sendEmail = tool({
+  description: "Send an email. Requires human approval before sending.",
+  inputSchema: z.object({
+    to: z.string(),
+    subject: z.string(),
+    body: z.string(),
+  }),
+  needsApproval: true,
+  execute: async ({ to, subject, body }) => {
+    await emailService.send({ to, subject, body });
+    return { sent: true, to, subject };
+  },
+});
+```
+
+Pass the tool to `streamText` in your `run` function as usual. When the model calls the tool, `chat.agent` streams a `tool-approval-request` chunk. The turn completes and the run waits for the next message.
+
+### Frontend: approval UI
+
+Import `lastAssistantMessageIsCompleteWithApprovalResponses` from the AI SDK and pass it to `sendAutomaticallyWhen`. This tells `useChat` to automatically re-send messages once all approvals have been responded to.
+
+Destructure `addToolApprovalResponse` from `useChat` and wire it to your approval buttons:
+
+```tsx
+import { useChat } from "@ai-sdk/react";
+import { lastAssistantMessageIsCompleteWithApprovalResponses } from "ai";
+
+function Chat({ chatId, transport }) {
+  const { messages, sendMessage, addToolApprovalResponse, status } = useChat({
+    id: chatId,
+    transport,
+    sendAutomaticallyWhen: lastAssistantMessageIsCompleteWithApprovalResponses,
+  });
+
+  const handleApprove = (approvalId: string) => {
+    addToolApprovalResponse({ id: approvalId, approved: true });
+  };
+
+  const handleDeny = (approvalId: string) => {
+    addToolApprovalResponse({ id: approvalId, approved: false, reason: "User denied" });
+  };
+
+  return (
+    <div>
+      {messages.map((msg) =>
+        msg.parts.map((part, i) => {
+          if (part.state === "approval-requested") {
+            return (
+              <div key={i}>
+                <p>Tool "{part.type}" wants to run with input:</p>
+                <pre>{JSON.stringify(part.input, null, 2)}</pre>
+                <button onClick={() => handleApprove(part.approval.id)}>Approve</button>
+                <button onClick={() => handleDeny(part.approval.id)}>Deny</button>
+              </div>
+            );
+          }
+          // ... render other parts
+        })
+      )}
+    </div>
+  );
+}
+```
+
+### How it works
+
+1. Model calls a tool with `needsApproval: true` — the turn completes with the tool in `approval-requested` state
+2. Frontend shows Approve/Deny buttons
+3. User clicks Approve — `addToolApprovalResponse` updates the tool part to `approval-responded`
+4. `sendAutomaticallyWhen` returns `true` — `useChat` re-sends the updated assistant message
+5. The transport sends the message via input streams — the backend matches it by ID and replaces the existing assistant message in the accumulator
+6. `streamText` sees the approved tool, executes it, and streams the result
+
+<Info>
+  Message IDs are kept in sync between frontend and backend automatically. The backend always
+  includes a `generateMessageId` function when streaming responses, ensuring the `start` chunk
+  carries a `messageId` that the frontend uses. This makes the ID-based matching reliable
+  for tool approval updates.
+</Info>
+
+## Sending actions
+
+Send custom actions (undo, rollback, edit) to the agent via `transport.sendAction()`. Actions wake the agent and fire only `hydrateMessages` (if configured) and `onAction` — they're not turns, so `onTurnStart` / `prepareMessages` / `onBeforeTurnComplete` / `onTurnComplete` and `run()` do not fire.
+
+For optimistic UI, mirror the action's effect on the `useChat` state via `setMessages` while the request is in flight:
+
+```tsx
+function ChatControls({ chatId }: { chatId: string }) {
+  const transport = useTriggerChatTransport({
+    task: "my-chat",
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+  });
+
+  const { setMessages } = useChat({ transport });
+
+  return (
+    <div>
+      <button
+        onClick={() => {
+          void transport.sendAction(chatId, { type: "undo" });
+          setMessages((prev) => prev.slice(0, -2));
+        }}
+      >
+        Undo last exchange
+      </button>
+      <button
+        onClick={() => transport.sendAction(chatId, { type: "rollback", targetMessageId: "msg-5" })}
+      >
+        Rollback to message
+      </button>
+    </div>
+  );
+}
+```
+
+The action payload is validated against the agent's `actionSchema` on the backend — invalid actions are rejected. See [Actions](/ai-chat/actions) for the backend setup.
+
+<Note>
+  `sendAction` returns a `ReadableStream<UIMessageChunk>`. For side-effect-only actions (where `onAction` returns `void`), the stream completes immediately with `trigger:turn-complete`. For actions where `onAction` returns a `StreamTextResult`, the stream carries the assistant chunks the same way `sendMessages` does — `useChat` consumes them automatically.
+</Note>
+
+For server-to-server usage, `AgentChat` has the same method:
+
+```ts
+const stream = await agentChat.sendAction({ type: "undo" });
+for await (const chunk of stream) {
+  if (chunk.type === "text-delta") process.stdout.write(chunk.delta);
+}
+```
+
+## Multi-tab coordination
+
+When the same chat is open in multiple browser tabs, `multiTab: true` prevents duplicate messages and syncs conversation state across tabs. Only one tab can send at a time. Other tabs enter read-only mode with real-time message updates.
+
+```tsx
+import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+import { useMultiTabChat } from "@trigger.dev/sdk/chat/react";
+import { useChat } from "@ai-sdk/react";
+
+function Chat({ chatId }: { chatId: string }) {
+  const transport = useTriggerChatTransport({
+    task: "my-chat",
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+    multiTab: true,
+  });
+
+  const { messages, setMessages, sendMessage } = useChat({
+    id: chatId,
+    transport,
+  });
+
+  const { isReadOnly } = useMultiTabChat(transport, chatId, messages, setMessages);
+
+  return (
+    <div>
+      {isReadOnly && (
+        <div className="bg-amber-50 text-amber-700 p-2 text-sm">
+          This chat is active in another tab. Messages are read-only.
+        </div>
+      )}
+      {/* message list */}
+      <input
+        disabled={isReadOnly}
+        placeholder={isReadOnly ? "Active in another tab" : "Type a message..."}
+      />
+    </div>
+  );
+}
+```
+
+### How it works
+
+1. When a tab sends a message, the transport "claims" the chatId via `BroadcastChannel`
+2. Other tabs detect the claim and enter read-only mode (`isReadOnly: true`)
+3. The active tab broadcasts its messages so read-only tabs see updates in real-time
+4. When the turn completes, the claim is released. Any tab can send next.
+5. Heartbeats detect crashed tabs (10s timeout clears stale claims)
+
+### What `useMultiTabChat` does
+
+- Returns `{ isReadOnly }` for disabling the input UI
+- Broadcasts `messages` from the active tab to other tabs
+- Calls `setMessages` on read-only tabs when messages arrive from the active tab
+- Tracks read-only state via the transport's `BroadcastChannel` coordinator
+
+<Note>
+  Multi-tab coordination is same-browser only (`BroadcastChannel` is a browser API). It gracefully degrades to a no-op in Node.js, SSR, or browsers without `BroadcastChannel` support. Cross-device coordination requires server-side involvement.
+</Note>
+
+## Self-hosting
+
+If you're self-hosting Trigger.dev, pass the `baseURL` option:
+
+```ts
+const transport = useTriggerChatTransport({
+  task: "my-chat",
+  accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+  startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+  baseURL: "https://your-trigger-instance.com",
+});
+```
+
+`baseURL` also accepts a function so you can route per endpoint — useful when fronting `.in/append` with an edge proxy (e.g. to inject server-trusted signal into the wire) while keeping `.out` SSE direct:
+
+```ts
+baseURL: ({ endpoint }) =>
+  endpoint === "out" ? "https://api.trigger.dev" : "https://chat-proxy.example.com",
+```
+
+For per-request control beyond URL routing (header injection, custom retries, tracing), pass a `fetch` override. See [Trusted edge signals](/ai-chat/patterns/trusted-edge-signals) for a full proxy walkthrough.
diff --git a/docs/ai-chat/how-it-works.mdx b/docs/ai-chat/how-it-works.mdx
new file mode 100644
index 00000000000..ecde885f4ac
--- /dev/null
+++ b/docs/ai-chat/how-it-works.mdx
@@ -0,0 +1,230 @@
+---
+title: "How it works"
+sidebarTitle: "How it works"
+description: "End-to-end mechanics of a chat.agent turn: the two durable channels per session, the long-lived task that reads and writes them, and how a chat survives refreshes, deploys, and idle gaps."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+This page explains how `chat.agent` is put together, what each piece does on a single turn, and how a chat survives across turns. It is not an API tour — for that, see [Backend](/ai-chat/backend), [Frontend](/ai-chat/frontend), and the [Reference](/ai-chat/reference). For the byte-level wire format, see [Client Protocol](/ai-chat/client-protocol).
+
+<Note>
+**What you don't have to think about**: SSE reconnects, WebSocket backpressure, container cold starts, whether a worker is currently running, or how to re-deliver chunks the client missed during a reload. The platform handles those. **What you do have to think about**: idempotency in your `run()` function, and how much state you keep in memory between turns versus persist in your own database.
+</Note>
+
+## The primary noun: a chat session is a pair of streams and a task
+
+A **chat session** is the unit chat.agent owns. It is three things bound together:
+
+- An **inbox** channel called `.in` — every user message lands here as a record.
+- An **outbox** channel called `.out` — every assistant chunk leaves through here.
+- A long-lived **agent task** that reads from `.in` and writes to `.out`.
+
+Both channels are S2 ([s2.dev](https://s2.dev)) durable append-only streams, keyed by the session. Think of them as a pair of per-session topics on a tiny Kafka: records have monotonically increasing sequence numbers, readers resume from a cursor, writers append to the tail. We chose S2 because reads are resumable from an offset — so a browser reload can replay the response stream without re-running the LLM, and a crashed run can rejoin mid-conversation by reading from where it left off.
+
+A chat ID identifies the session for the lifetime of the conversation. The same session can be served by **many runs**: one run handles a turn (or several), goes idle, eventually exits, and the next user message triggers a fresh continuation run on the same session. Sessions are the durable identity; runs are the ephemeral compute.
+
+## The lifecycle states
+
+A run moves through a small state machine over its lifetime. Each state is named below, with the trigger that moves it to the next.
+
+### Cold start
+
+There is no run yet for this session. The frontend's first `sendMessage` posts to the session's `.in` channel; the server sees no live `currentRunId` and triggers a fresh `chat.agent` run with `continuation: false`. Moves to **Streaming** as soon as the task wakes and begins consuming `.in`.
+
+### Streaming
+
+The agent task is running. It reads the new message off `.in`, fires `onTurnStart`, runs your `run()` function, and pipes `streamText()` chunks onto `.out`. The browser is SSE-subscribed to `.out` and renders chunks as they land. When `streamText()` ends, the task writes a `trigger:turn-complete` control record (an S2 record with an empty body and a special header) and immediately trims `.out` back to the *previous* turn's completion marker — keeping the outbox bounded to roughly one turn of chunks at steady state. Moves to **Idle** after `onTurnComplete` runs and the post-turn snapshot is written.
+
+### Idle (awaiting next message)
+
+The turn is over. The task is alive but not doing work — it is parked in a waitpoint on `.in`, waiting for the next user message. If one arrives, it goes back to **Streaming** for the next turn. If `idleTimeoutInSeconds` (defaulting to a few minutes) passes with no new message, it moves to **Suspended**.
+
+### Suspended
+
+The task fires `onChatSuspend`, then the engine **checkpoints** the run's whole process state and frees the compute. The session is still live (the row exists, the `.out` stream is still readable, the chat ID still works), but no machine is dedicated to it. This is the same Checkpoint-Resume System that powers every Trigger.dev task — covered in detail at [How it works → Checkpoint-Resume](/how-it-works#the-checkpoint-resume-system). Moves to **Resuming** when the next message lands in `.in`.
+
+### Resuming
+
+The engine restores the suspended run from its checkpoint. The same JS process picks up exactly where it parked — `chat.local` values, the accumulator, in-flight promises, in-memory caches all preserved as they were. `onChatResume` fires immediately after the restore, then the task transitions to **Streaming**. No boot work, no snapshot read, no SDK reinitialization. This is the cheap path.
+
+### Continuation (after exit)
+
+If the run has fully exited (because it hit `maxTurns`, the customer called `chat.endRun()` or `chat.requestUpgrade()`, or it was cancelled or crashed), the next user message can't resume it — there is nothing to resume. Instead, the server triggers a brand-new run with `continuation: true`. The new run does a cold boot, reads the prior conversation's S3 snapshot, replays any `.out` chunks after the snapshot cursor, AND replays any `.in` records past the last `turn-complete` cursor (the user messages a dead run never acknowledged). If the predecessor died mid-stream and left a partial assistant response in `.out`, the smart default splices `[firstInFlightUser, partialAssistant]` onto the chain so any follow-up has full context — see [Recovery boot](/ai-chat/patterns/recovery-boot). The new run then enters **Streaming** with `turn === 0` of the new run but `messageCount > 0`.
+
+### Closed
+
+`POST /api/v1/sessions/:id/close` flips `closedAt` on the session row. Future appends are rejected. Reads still work for transcript viewing. The session is terminal.
+
+## One turn, end to end
+
+Here is a typical cold turn — user opens the page, types "What's the weather?", reads the response — traced through every component.
+
+<Steps>
+  <Step title="Browser: useChat calls transport.sendMessages">
+    The Vercel AI SDK's `useChat` hook serializes the user's message into the slim wire format: `{ chatId, trigger: "submit-message", message, metadata }`. Only the new message goes on the wire, not the full history.
+  </Step>
+  <Step title="Browser: transport posts to /append">
+    The transport calls `POST /realtime/v1/sessions/:chatId/in/append`, authenticated with the session's public access token. The body is one S2 record.
+  </Step>
+  <Step title="Server: route ensures a run exists">
+    The append route resolves the session, then calls `ensureRunForSession()`. The session's `currentRunId` is null (cold start), so it triggers a new `chat.agent` run on the project's dev/prod environment and atomically claims the slot via an optimistic version counter.
+  </Step>
+  <Step title="Server: route appends the record to S2 .in">
+    The route writes the message to `s2://sessions/:chatId/in` as a single record. S2 assigns a sequence number. Any waitpoints registered on this channel fire, which would wake an existing run — but there is no run waiting yet, so this is a no-op for now.
+  </Step>
+  <Step title="Browser: transport opens an SSE subscription to .out">
+    In parallel with the send, the transport opens `GET /realtime/v1/sessions/:chatId/out` (server-sent events). It passes its `lastEventId` if it has one cached; on a brand-new chat it does not. Any chunks the agent writes from now on will be delivered to this stream.
+  </Step>
+  <Step title="Task: agent run boots">
+    The newly-triggered run starts. `onBoot` fires once per worker process. Because this is a fresh chat, no snapshot is read.
+  </Step>
+  <Step title="Task: enters the turn loop, reads the message from .in">
+    The agent reads the pending record off `.in` via a waitpoint. `onChatStart` fires (once per chat lifetime). `onTurnStart` fires (every turn).
+  </Step>
+  <Step title="Task: runs your run() function, streams chunks to .out">
+    Your code calls `streamText({ model, messages })`. Each `UIMessageChunk` it produces is appended to `s2://sessions/:chatId/out` as a record. The browser sees them arrive on the SSE stream and the AI SDK renders them.
+  </Step>
+  <Step title="Task: writes the turn-complete control record">
+    When `streamText()` finishes, the agent writes a record with header `trigger:turn-complete` and an empty body. The browser transport sees this header and closes the per-turn readable stream.
+  </Step>
+  <Step title="Task: trims .out back to the previous turn-complete">
+    Immediately after writing the new turn-complete marker, the agent issues an S2 trim command targeting the *previous* turn-complete's sequence number. This bounds the stream's storage to roughly one turn of chunks plus the latest control record.
+  </Step>
+  <Step title="Task: fires onTurnComplete, writes snapshot to S3">
+    `onTurnComplete` runs (your hook for persistence). Then the agent writes `ChatSnapshotV1` — `{ version: 1, messages, lastOutEventId, lastOutTimestamp }` — to S3 at `sessions/:chatId/snapshot.json`. This write is awaited, not fire-and-forget, so the next run is guaranteed to find it.
+  </Step>
+  <Step title="Task: goes idle, then suspends">
+    The agent re-enters the waitpoint on `.in`. After `idleTimeoutInSeconds` of nothing arriving, `onChatSuspend` fires and the engine snapshots the run. Compute is freed.
+  </Step>
+</Steps>
+
+## Three layers of persistence
+
+chat.agent survives idle gaps, deploys, refreshes, and crashes because three separate persistence mechanisms work at three different layers of the stack. They're orthogonal — each protects against a different failure mode, and conflating them is a common source of bugs.
+
+### Layer 1: the engine checkpoint (compute)
+
+When a run enters the Suspended state, the engine **checkpoints** the running process — its memory, CPU registers, and open file descriptors — and frees the compute. Today this is done via [CRIU](https://criu.org/) (Checkpoint/Restore in Userspace), the same mechanism that powers every Trigger.dev task's suspend/resume. On the new microVM compute runtime (currently in [private beta](/compute-private-beta)), it becomes a full Firecracker VM snapshot: every byte of memory plus filesystem state plus every kernel object inside the VM.
+
+When the next message arrives, the engine **restores** the checkpoint. The same JS process picks up at the exact instruction it parked on. From your code's perspective, the line right after the `messagesInput.wait()` waitpoint just continues executing. Anything in process memory survives: `chat.local`, the message accumulator, in-flight Promises, in-memory caches, open DB connections. The runId is unchanged.
+
+This is what lets you write `run()` as a single long-lived function with stateful closures, even though the underlying compute actually goes through checkpoint/restore cycles between turns. `onChatSuspend` fires immediately before the checkpoint; `onChatResume` fires immediately after the restore.
+
+### Layer 2: the chat snapshot (S3)
+
+After every turn the agent writes a `ChatSnapshotV1` blob to S3 — full accumulated `UIMessage[]` plus the current `lastOutEventId` cursor. This is chat-specific and lives one layer above the engine. It has nothing to do with CRIU or Firecracker.
+
+The chat snapshot bridges run *boundaries*. If a run exits cleanly — because it hit `maxTurns`, called `chat.endRun()` or `chat.requestUpgrade()`, was cancelled, crashed, or got bumped to a new version after a deploy — the engine checkpoint is gone with it. When the next user message arrives, the server triggers a fresh run with `continuation: true`. That new run reads the S3 snapshot, replays any post-snapshot chunks from `.out`, merges by message ID, and starts its first turn with the full conversation history already in memory.
+
+The chat snapshot carries only message history — not process memory. `chat.local`, in-memory caches, open connections all need to be reinitialized on a continuation. This is why `onBoot` (every fresh worker) is the right place to initialize `chat.local`, not `onChatStart` (only the very first turn of the chat). See [Persistence and replay](/ai-chat/patterns/persistence-and-replay) for the full snapshot model.
+
+If your task registers a `hydrateMessages` hook, the chat snapshot is skipped entirely — your hook is the single source of truth for history.
+
+### Layer 3: the `lastEventId` cursor (browser)
+
+The transport stores `lastEventId` — the S2 sequence number of the most recent chunk it processed — in its session state. On page reload, it reopens the SSE stream with `Last-Event-ID: <cursor>` as a header. S2 resumes from that cursor; chunks the browser already saw are not redelivered. If the agent was mid-turn when the browser reloaded, the rest of the turn streams in. If the turn had already completed, the stream closes immediately via an `X-Session-Settled` header so the client doesn't long-poll for nothing.
+
+Unlike the other two layers, this one is client-side. The server doesn't even need to know the browser refreshed — the agent run keeps running (or stays suspended) regardless.
+
+### Which layer covers which failure mode
+
+| What happened | Recovery layer | Same run? | In-memory state preserved? |
+| --- | --- | --- | --- |
+| Idle gap mid-conversation (suspend → resume) | Engine checkpoint | Yes | Yes |
+| Run exited cleanly (`endRun`, `requestUpgrade`, `maxTurns`) | Chat snapshot | No (fresh continuation run) | No |
+| Run crashed mid-turn (OOM, exception) | Chat snapshot + `.out` tail replay | (retried as a new attempt) | No |
+| Browser tab reloaded mid-stream | `lastEventId` cursor on `.out` | (run unaffected) | (n/a) |
+| Deploy rolled out a new version mid-chat | Chat snapshot, via `requestUpgrade` flow | No | No |
+
+No single layer covers every case. The engine checkpoint alone can't survive a run exit (there's nothing to restore). The chat snapshot alone can't survive a tab refresh mid-turn (chunks already streamed would be lost). The `lastEventId` cursor alone can't bridge run boundaries (the new run wouldn't know the history). Together they cover every realistic failure.
+
+## Warm vs cold: same chat, three different timings
+
+Take the same conversation — "What's the weather?" then "What about tomorrow?" — and look at how each second turn lands.
+
+**Warm second turn (within a few seconds).** The first turn finished, the agent is parked on the `.in` waitpoint, status is **Idle**. The new message hits `/append`, the waitpoint fires, the agent wakes inside the same run with all memory intact, runs `onTurnStart` for turn 2, streams the response. No checkpoint involved — the process never went to sleep. Latency to first chunk: dominated by the LLM, not the platform.
+
+**Resumed second turn (a few minutes later).** The first turn finished and the agent suspended — the engine checkpoint is stored, compute is freed. The new message hits `/append`. The engine restores the checkpoint, fires `onChatResume`, and the task picks up exactly where it parked — all in-memory state preserved (`chat.local`, the accumulator, the lot). Latency to first chunk: the engine's restore overhead, then the LLM.
+
+**Continuation second turn (an hour later, or after a deploy).** The first turn finished and the run eventually exited. The new message hits `/append`, the server triggers a fresh run with `continuation: true`. The new run boots cold, `onBoot` fires, the agent reads the S3 chat snapshot, replays the `.out` tail, then enters the turn loop with the full conversation already accumulated. The previous run's in-memory state is gone — anything in `chat.local` has to be re-initialized in `onBoot`. Latency to first chunk: cold start plus snapshot read, then the LLM.
+
+All three look identical to the browser. Only the agent task knows which path it took, via `payload.continuation` and `ctx.attempt.number`.
+
+## Lifecycle hooks: where you plug in
+
+| Hook | When it fires | Typical use |
+| --- | --- | --- |
+| `onBoot` | Once per worker process, before any chat work | Initialize `chat.local` resources |
+| `onPreload` | Once per chat lifetime, if the chat was preloaded before the first message | Warm caches, fetch the user's profile |
+| `onChatStart` | Once per chat lifetime, on the first turn of a fresh chat (not on continuation) | First-message persistence, system-prompt setup |
+| `onValidateMessages` | Every turn, before merging the incoming message | Reject or transform user input |
+| `hydrateMessages` | Every turn, instead of snapshot+replay | Use your DB as the source of truth |
+| `onTurnStart` | Every turn, before `run()` | Compact history, persist the user message |
+| `onBeforeTurnComplete` | Every turn, after streaming, before the turn-complete record | Emit a final custom chunk |
+| `onTurnComplete` | Every turn, after the turn-complete record is written | Persist the assistant message and `lastEventId` |
+| `onChatSuspend` / `onChatResume` | At the idle → suspend / suspend → wake transitions | Release/reacquire expensive resources |
+
+See [Lifecycle hooks](/ai-chat/lifecycle-hooks) for the full signatures and firing order.
+
+## When chat.agent is the right primitive
+
+**Good fit**:
+- Multi-turn conversational agents where the user is expected to come back later.
+- Long-running agent loops with tool calls, where a single turn can take a minute or more.
+- Cases where you want page reloads to resume the in-flight response without re-running the model.
+- Cases where you can't predict idle gaps — humans go to lunch.
+
+**Not a good fit**:
+- Single-shot completions where you don't need durability or resume. Call your model directly.
+- Workflows where you control both ends and want a custom protocol. Use a [raw `task()` with chat primitives](/ai-chat/backend#raw-task-with-primitives) directly without the `chat.agent` wrapper.
+- High-fanout broadcasting (one source, many subscribers). Use Trigger.dev realtime streams against a regular task instead.
+
+## Putting it together
+
+```mermaid
+sequenceDiagram
+    participant Browser
+    participant API as Trigger.dev API
+    participant S2_in as S2 .in
+    participant S2_out as S2 .out
+    participant Agent as chat.agent task
+    participant S3 as S3 snapshot
+
+    Note over Agent: Cold start
+    Browser->>API: POST /sessions/:id/in/append
+    API->>S2_in: append(message)
+    API->>Agent: trigger run (continuation: false)
+    Browser->>API: GET /sessions/:id/out (SSE)
+    API->>S2_out: read stream
+    Agent->>S2_in: read message (waitpoint)
+    Agent->>S2_out: append chunk(s)
+    S2_out-->>Browser: SSE chunks
+    Agent->>S2_out: append turn-complete (control)
+    Agent->>S2_out: trim < previous turn-complete
+    Agent->>S3: write snapshot
+    Note over Agent: Idle on waitpoint
+
+    Note over Agent: ...time passes...
+    Note over Agent: Suspended
+
+    Browser->>API: POST /sessions/:id/in/append
+    API->>S2_in: append(message)
+    API->>Agent: restore from suspend
+    Agent->>S2_in: read message
+    Agent->>S2_out: append chunk(s)
+    S2_out-->>Browser: SSE chunks
+    Agent->>S2_out: append turn-complete
+    Agent->>S3: write snapshot
+    Note over Agent: Idle again
+```
+
+## Where to go next
+
+- [Quick start](/ai-chat/quick-start) — get a chat running in a few minutes.
+- [Backend](/ai-chat/backend) — the `chat.agent()` API in detail.
+- [Lifecycle hooks](/ai-chat/lifecycle-hooks) — every hook, what fires when.
+- [Persistence and replay](/ai-chat/patterns/persistence-and-replay) — deeper on the snapshot model.
+- [Client protocol](/ai-chat/client-protocol) — wire format if you're writing a custom transport.
diff --git a/docs/ai-chat/lifecycle-hooks.mdx b/docs/ai-chat/lifecycle-hooks.mdx
new file mode 100644
index 00000000000..c327374e05c
--- /dev/null
+++ b/docs/ai-chat/lifecycle-hooks.mdx
@@ -0,0 +1,527 @@
+---
+title: "Lifecycle hooks"
+sidebarTitle: "Lifecycle hooks"
+description: "Hook into every stage of a chat agent's run: preload, turn start, turn complete, suspend, resume, and more."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+`chat.agent({ ... })` accepts a set of lifecycle hooks for persisting state, validating input, transforming messages, and reacting to suspension and resumption. They fire at well-defined points in the chat agent's lifetime.
+
+**Once per worker process (every fresh run boot):** `onBoot` → `onPreload` (preloaded runs only).
+
+**Once per chat (first message of the chat's lifetime):** `onChatStart`.
+
+**Per-turn order:** `onValidateMessages` → `hydrateMessages` → `onChatStart` (chat's first message only) → `onTurnStart` → `run()` → `onBeforeTurnComplete` → `onTurnComplete`.
+
+**Suspend / resume:** `onChatSuspend` fires when the run transitions from idle to suspended (waiting on the next message); `onChatResume` fires on wake.
+
+**Four scopes to keep straight:**
+
+| Scope | Fires when | Use for |
+| --- | --- | --- |
+| **Process** ([`onBoot`](#onboot)) | Every fresh worker boots — initial, preloaded, and reactive continuation (post-cancel/crash/`endRun`/upgrade). | Initialize `chat.local`, open per-process resources, re-hydrate state from your DB on continuation. |
+| **Recovery** ([`onRecoveryBoot`](#onrecoveryboot)) | Continuation boot where the dead run was mid-stream — a partial assistant survives on `session.out`. | Override the smart default — drop the partial, synthesize tool results, emit a recovery banner. |
+| **Chat** ([`onChatStart`](#onchatstart)) | First message of a chat's lifetime. Does NOT fire on continuation runs or OOM retries. | One-time DB rows for the chat, resources tied to the chat's lifetime. |
+| **Turn** ([`onTurnStart`](#onturnstart), [`onTurnComplete`](#onturncomplete), etc.) | Every turn. | Persist messages, post-process responses. |
+
+## Task context (`ctx`)
+
+Every chat lifecycle callback and the `run` payload include `ctx`: the same run context object as `task({ run: (payload, { ctx }) => ... })`. Import the type with `import type { TaskRunContext } from "@trigger.dev/sdk"` (the `Context` export is the same type). Use `ctx` for tags, metadata, or any API that needs the full run record. The string `runId` on chat events is always `ctx.run.id` (both are provided for convenience). See [Task context (`ctx`)](/ai-chat/reference#task-context-ctx) in the API reference.
+
+Standard [task lifecycle hooks](/tasks/overview) such as `onWait`, `onResume`, `onComplete`, and `onFailure` are also available on `chat.agent()` with the same shapes as on a normal `task()` — but prefer the chat-specific [`onChatSuspend` / `onChatResume`](#onchatsuspend--onchatresume) for any chat-related work. The generic hooks fire on every wait/resume (including ones the runtime uses internally for non-chat reasons); the chat-specific ones fire only at the idle-to-suspended transition you actually care about and carry full chat context.
+
+## onBoot
+
+Fires **once per worker process picking up the chat** — for the initial run, for preloaded runs, AND for reactive continuation runs (post-cancel, crash, `endRun`, `requestUpgrade`, OOM retry). Does NOT fire when the same run resumes from snapshot via the idle-window suspend/resume path — use [`onChatResume`](#onchatsuspend--onchatresume) for that.
+
+This is the right place to initialize anything that lives in the JS process for the lifetime of the run: [`chat.local`](/ai-chat/chat-local) state, [DB connections](/database-connections), sandboxes, in-memory caches. It runs before `onPreload`, `onChatStart`, the continuation-wait branch, and any turn — so anything you set up here is available everywhere downstream.
+
+<Warning>
+  If you initialize `chat.local` only in `onChatStart`, your `run()` will crash on continuation runs with `chat.local can only be modified after initialization`. `onChatStart` is once-per-chat by contract; `chat.local` is per-process and needs `onBoot`.
+</Warning>
+
+Branch on `continuation` to decide whether to load existing state from your DB or start fresh:
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  clientDataSchema: z.object({ userId: z.string() }),
+  onBoot: async ({ chatId, clientData, continuation, previousRunId }) => {
+    const user = await db.user.findUnique({ where: { id: clientData.userId } });
+    userContext.init({ name: user.name, plan: user.plan });
+
+    if (continuation) {
+      // Re-hydrate per-chat in-memory state from your DB.
+      // `previousRunId` is the public id of the prior run (use it for
+      // logging or to look up persisted state keyed on run id).
+      const saved = await db.chatState.findUnique({ where: { chatId } });
+      if (saved) {
+        // Re-apply your saved per-chat state into wherever your
+        // run() reads it from (a chat.local slot, an in-memory map, etc.).
+        userContext.applySaved(saved);
+      }
+    }
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+| Field             | Type                          | Description                                                                 |
+| ----------------- | ----------------------------- | --------------------------------------------------------------------------- |
+| `ctx`             | `TaskRunContext`              | Full task run context. See [reference](/ai-chat/reference#task-context-ctx). |
+| `chatId`          | `string`                      | Chat session ID                                                             |
+| `runId`           | `string`                      | The Trigger.dev run ID for this run boot                                    |
+| `chatAccessToken` | `string`                      | Scoped access token for this run                                            |
+| `clientData`      | Typed by `clientDataSchema`   | Custom data from the frontend                                               |
+| `continuation`    | `boolean`                     | `true` when this run is taking over from a prior dead run                   |
+| `previousRunId`   | `string \| undefined`         | Public id of the prior run when `continuation` is true                      |
+| `preloaded`       | `boolean`                     | Whether this run was triggered as a preload                                 |
+
+<Tip>
+  `onBoot` and `onChatStart` are complementary — keep DB-row creation in `onChatStart` (it only needs to happen once per chat) and put process-level setup (`chat.local`, connections, caches) in `onBoot` (it needs to happen on every fresh worker).
+</Tip>
+
+## onRecoveryBoot
+
+Fires once on a continuation boot when the dead predecessor was mid-stream — a partial assistant survives on `session.out`. The runtime reconstructs context automatically via a smart default; this hook is the override path for policies that need something different.
+
+The hook does NOT fire when there's no partial — clean continuations after `chat.endRun()` or `chat.requestUpgrade()`, fresh chats, OOM retries on top of a complete snapshot. Those paths dispatch any in-flight user message as a normal turn on the new run without involving the hook. It also does NOT fire when [`hydrateMessages`](#hydratemessages) is registered (the customer owns persistence).
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  onRecoveryBoot: async ({ partialAssistant, inFlightUsers, writer, cause, previousRunId }) => {
+    writer.write({
+      type: "data-chat-recovery",
+      data: { cause, previousRunId, partialPresent: partialAssistant !== undefined },
+      transient: true,
+    });
+    // Return nothing → fall through to the smart default
+    // (splice partial + first user into chain, dispatch the rest).
+  },
+  run: async ({ messages, signal }) =>
+    streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal }),
+});
+```
+
+| Field              | Type                                                              | Description                                                                                          |
+| ------------------ | ----------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
+| `ctx`              | `TaskRunContext`                                                  | Full task run context                                                                                |
+| `chatId`           | `string`                                                          | Chat session ID                                                                                      |
+| `runId`            | `string`                                                          | The Trigger.dev run ID for this run boot                                                             |
+| `previousRunId`    | `string`                                                          | Public id of the prior run that died                                                                 |
+| `cause`            | `"cancelled" \| "crashed" \| "unknown"`                           | Best-effort cause. Currently always `"unknown"` — don't branch on it                                 |
+| `settledMessages`  | `TUIMessage[]`                                                    | The chain persisted by the predecessor's last `onTurnComplete`                                       |
+| `inFlightUsers`    | `TUIMessage[]`                                                    | User messages on `session.in` past the cursor — the message(s) the predecessor never acknowledged    |
+| `partialAssistant` | `TUIMessage \| undefined`                                         | The trailing assistant message whose stream never received `finish`                                  |
+| `pendingToolCalls` | `Array<{ toolCallId, toolName, input, partIndex }>`               | Tool calls in `input-available` state extracted from `partialAssistant`                              |
+| `writer`           | `ChatWriter`                                                      | Lazy session.out writer — write a recovery banner / signal here                                      |
+
+Returns `{ chain?, recoveredTurns?, beforeBoot? }` — every field optional. Omitted fields fall through to the smart default. See [Recovery boot](/ai-chat/patterns/recovery-boot) for the full guide, examples (drop partial, synthesize tool results, persist before boot), and interaction notes.
+
+<Tip>
+  Don't put `chat.local` initialization in `onRecoveryBoot` — use [`onBoot`](#onboot). `onRecoveryBoot` is for recovery decisions, not per-process setup. `onBoot` fires first.
+</Tip>
+
+## onPreload
+
+Fires when a **preloaded run** starts, before any messages arrive. Use it to eagerly create chat-scoped DB rows (the Chat row, the ChatSession row) while the user is still typing — so the very first message lands fast.
+
+Preloaded runs are triggered by calling `transport.preload(chatId)` on the frontend. See [Preload](/ai-chat/fast-starts#preload) for details.
+
+Per-process state (anything in [`chat.local`](/ai-chat/chat-local), DB connections, etc.) belongs in [`onBoot`](#onboot) — `onBoot` fires before `onPreload` on every fresh worker, including on continuation runs where `onPreload` never fires.
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  clientDataSchema: z.object({ userId: z.string() }),
+  onBoot: async ({ clientData }) => {
+    // Per-process state — runs on every fresh worker (initial,
+    // preloaded, continuation). See onBoot above.
+    const user = await db.user.findUnique({ where: { id: clientData.userId } });
+    userContext.init({ name: user.name, plan: user.plan });
+  },
+  onPreload: async ({ chatId, clientData, runId, chatAccessToken }) => {
+    // Chat-scoped DB rows — only matters on preload (and onChatStart as
+    // a fallback when not preloaded).
+    await db.chat.create({ data: { id: chatId, userId: clientData.userId } });
+    await db.chatSession.upsert({
+      where: { id: chatId },
+      create: { id: chatId, runId, publicAccessToken: chatAccessToken },
+      update: { runId, publicAccessToken: chatAccessToken },
+    });
+  },
+  onChatStart: async ({ preloaded }) => {
+    if (preloaded) return; // Already initialized in onPreload
+    // ... non-preloaded chat-row initialization
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+| Field             | Type                                          | Description                      |
+| ----------------- | --------------------------------------------- | -------------------------------- |
+| `ctx`             | `TaskRunContext`                              | Full task run context. See [reference](/ai-chat/reference#task-context-ctx). |
+| `chatId`          | `string`                                      | Chat session ID                  |
+| `runId`           | `string`                                      | The Trigger.dev run ID           |
+| `chatAccessToken` | `string`                                      | Scoped access token for this run |
+| `clientData`      | Typed by `clientDataSchema`                   | Custom data from the frontend    |
+| `writer`          | [`ChatWriter`](/ai-chat/reference#chatwriter) | Stream writer for custom chunks  |
+
+Every lifecycle callback receives a `writer`, a lazy stream writer that lets you send custom `UIMessageChunk` parts (like `data-*` parts) to the frontend. Non-transient `data-*` chunks written via the `writer` are automatically added to the response message and available in `onTurnComplete`. Add `transient: true` for ephemeral chunks (progress indicators, etc.) that should not persist. See [Custom data parts](/ai-chat/backend#custom-data-parts).
+
+## onChatStart
+
+Fires **exactly once per chat**, on the very first user message of the chat's lifetime, before `run()` executes. Use it for one-time chat-scoped setup — create the Chat DB row, mint resources tied to the chat's lifetime.
+
+`onChatStart` does **not** fire on:
+
+- **Continuation runs** — a new run picking up an existing session after the prior run ended (`chat.endRun`, waitpoint timeout, `chat.requestUpgrade`, cancel, crash). The chat already started.
+- **OOM-retry attempts** — same chat, same conversation, just on a larger machine.
+
+For per-process state that has to be initialized on every fresh worker (including continuation runs), use [`onBoot`](#onboot). For per-turn setup, use [`onTurnStart`](#onturnstart).
+
+<Warning>
+  Do not initialize [`chat.local`](/ai-chat/chat-local) here. `chat.local` is per-process state that must survive continuation runs, but `onChatStart` only fires on the chat's very first message. Use [`onBoot`](#onboot) instead.
+</Warning>
+
+The `preloaded` field tells you whether [`onPreload`](#onpreload) already ran for this chat — useful for skipping setup work that's already done.
+
+<Note>
+  Because `onChatStart` fires only on the chat's first ever message, `messages` is either empty (when no message exists yet — e.g. a preloaded run that hasn't received its first turn) or contains just the first user message. There's no prior history to load here.
+</Note>
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  onChatStart: async ({ chatId, clientData, preloaded }) => {
+    if (preloaded) return; // Already set up in onPreload
+
+    const { userId } = clientData as { userId: string };
+    await db.chat.create({
+      data: { id: chatId, userId, title: "New chat" },
+    });
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+<Tip>
+  `clientData` contains custom data from the frontend: either the `clientData` option on the
+  transport constructor (sent with every message) or the `metadata` option on `sendMessage()`
+  (per-message). See [Client data and metadata](/ai-chat/frontend#client-data-and-metadata).
+</Tip>
+
+## onValidateMessages
+
+Validate or transform incoming `UIMessage[]` before they are converted to model messages. Fires once per turn with the raw messages from the wire payload (after cleanup of aborted tool parts), **before** accumulation and `toModelMessages()`.
+
+Return the validated messages array. Throw to abort the turn with an error.
+
+This is the right place to call the AI SDK's [`validateUIMessages`](https://ai-sdk.dev/docs/ai-sdk-ui/chatbot-message-persistence#validating-messages-on-the-server) to catch malformed messages from storage or untrusted input before they reach the model, especially useful when persisting conversations to a database where tool schemas may drift between deploys.
+
+| Field     | Type                                                            | Description                              |
+| --------- | --------------------------------------------------------------- | ---------------------------------------- |
+| `messages` | `UIMessage[]`                                                  | Incoming UI messages for this turn       |
+| `chatId`  | `string`                                                        | Chat session ID                          |
+| `turn`    | `number`                                                        | Turn number (0-indexed)                  |
+| `trigger` | `"submit-message" \| "regenerate-message" \| "preload" \| "close"` | The trigger type for this turn        |
+
+```ts
+import { validateUIMessages } from "ai";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  onValidateMessages: async ({ messages }) => {
+    const userMessages = messages.filter((m) => m.role === "user");
+    if (userMessages.length > 0) {
+      await validateUIMessages({ messages: userMessages, tools: chatTools });
+    }
+    return messages;
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, tools: chatTools, abortSignal: signal });
+  },
+});
+```
+
+<Warning>
+  On HITL continuations (`addToolOutput` / `addToolApproveResponse`) the assistant entry in `messages` is **slim** — `state` + `output` / `errorText` / `approval` only, no `input` or other parts. `validateUIMessages` against the AI SDK schema rejects that shape (the schema requires `input` on resolved tool parts), so filter to user messages first (or skip validation entirely on those turns). The example above does the filter.
+</Warning>
+
+<Note>
+  `onValidateMessages` fires **before** `onTurnStart` and message accumulation. If you need to validate messages loaded from a database, do the loading in `onChatStart` or `onPreload` and let `onValidateMessages` validate the full incoming set each turn.
+</Note>
+
+## hydrateMessages
+
+Load the full message history from your backend on every turn, replacing the built-in linear accumulator. When set, the hook's return value becomes the accumulated state; the normal accumulation logic (append for submit, replace for regenerate) is skipped entirely.
+
+Use this when the backend should be the source of truth for message history: abuse prevention, branching conversations (DAGs), or rollback/undo support.
+
+| Field              | Type                                                  | Description                                               |
+| ------------------ | ----------------------------------------------------- | --------------------------------------------------------- |
+| `chatId`           | `string`                                              | Chat session ID                                           |
+| `turn`             | `number`                                              | Turn number (0-indexed)                                   |
+| `trigger`          | `"submit-message" \| "regenerate-message" \| "action"` | The trigger type for this turn                           |
+| `incomingMessages` | `UIMessage[]`                                         | Validated wire messages from the frontend — 0-or-1-length (empty for actions, regenerates, and continuations; one element for normal `submit-message` and tool-approval responses) |
+| `previousMessages` | `UIMessage[]`                                         | Accumulated UI messages before this turn (`[]` on turn 0) |
+| `clientData`       | Typed by `clientDataSchema`                           | Custom data from the frontend                             |
+| `continuation`     | `boolean`                                             | Whether this run is continuing an existing chat           |
+| `previousRunId`    | `string \| undefined`                                 | The previous run ID (if continuation)                     |
+
+```ts
+import { chat, upsertIncomingMessage } from "@trigger.dev/sdk/ai";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  hydrateMessages: async ({ chatId, trigger, incomingMessages }) => {
+    const record = await db.chat.findUnique({ where: { id: chatId } });
+    const stored = record?.messages ?? [];
+
+    if (upsertIncomingMessage(stored, { trigger, incomingMessages })) {
+      await db.chat.update({
+        where: { id: chatId },
+        data: { messages: stored },
+      });
+    }
+
+    return stored;
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+`upsertIncomingMessage` (exported from `@trigger.dev/sdk/ai`) handles the three cases that matter — fresh user messages get pushed, HITL continuations (`addToolOutput` / `addToolApproveResponse`) no-op because the incoming wire shares the existing assistant's id and the runtime overlays the new tool-state advance onto that entry, and non-`submit-message` triggers (`regenerate-message` / `action`) skip persistence. It returns `true` when it mutated `stored`, so the caller knows whether to persist.
+
+If you need branching, rollback, or other custom hydrate logic, you can still write the upsert by hand — `upsertIncomingMessage` is a convenience for the common case, not the only supported shape.
+
+**Lifecycle position:** `onValidateMessages` → **`hydrateMessages`** → `onChatStart` (chat's first message only) → `onTurnStart` → `run()`
+
+After the hook returns, the runtime overlays the wire's tool-state advances (`output-available` / `output-error` / `approval-responded` / `output-denied`) onto matching hydrated entries by id. Everything else on the hydrated entry — text, reasoning, tool `input`, providerMetadata — stays put. This makes [tool approvals](/ai-chat/frontend#tool-approvals) and HITL `addToolOutput` continuations work transparently: ship a slim resolution on the wire, the agent merges the new state onto your DB-backed copy.
+
+<Note>
+  `hydrateMessages` also fires for [action](/ai-chat/actions) turns (`trigger: "action"`) with empty `incomingMessages`. This lets the action handler work with the latest DB state.
+</Note>
+
+<Tip>
+  Registering `hydrateMessages` short-circuits the runtime's [snapshot + replay](/ai-chat/patterns/persistence-and-replay) reconstruction at run boot — your hook is the single source of truth for history, so the runtime skips reading or writing the snapshot entirely. No object storage traffic, no replay cost. The trade-off is that you own persistence end-to-end.
+</Tip>
+
+<Note>
+  `incomingMessages` is **0-or-1-length** consistently. `submit-message` and tool-approval responses ship a single message; `regenerate-message`, continuations, and actions ship none. Patterns like [tool-result auditing](/ai-chat/patterns/tool-result-auditing) work the same regardless — iterate the array and the loop runs zero or one times.
+</Note>
+
+## onTurnStart
+
+Fires at the start of **every turn** — including the first turn of a continuation run, where `onChatStart` doesn't fire. Runs after message accumulation and (when applicable) `onChatStart`, but **before** `run()` executes. Use it to persist messages before streaming begins so a mid-stream page refresh still shows the user's message.
+
+| Field             | Type                                          | Description                                     |
+| ----------------- | --------------------------------------------- | ----------------------------------------------- |
+| `ctx`             | `TaskRunContext`                              | Full task run context. See [reference](/ai-chat/reference#task-context-ctx). |
+| `chatId`          | `string`                                      | Chat session ID                                 |
+| `messages`        | `ModelMessage[]`                              | Full accumulated conversation (model format)    |
+| `uiMessages`      | `UIMessage[]`                                 | Full accumulated conversation (UI format)       |
+| `turn`            | `number`                                      | Turn number (0-indexed)                         |
+| `runId`           | `string`                                      | The Trigger.dev run ID                          |
+| `chatAccessToken` | `string`                                      | Scoped access token for this run                |
+| `continuation`    | `boolean`                                     | Whether this run is continuing an existing chat |
+| `preloaded`       | `boolean`                                     | Whether this run was preloaded                  |
+| `clientData`      | Typed by `clientDataSchema`                   | Custom data from the frontend                   |
+| `writer`          | [`ChatWriter`](/ai-chat/reference#chatwriter) | Stream writer for custom chunks                 |
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  onTurnStart: async ({ chatId, uiMessages, runId, chatAccessToken }) => {
+    await db.chat.update({
+      where: { id: chatId },
+      data: { messages: uiMessages },
+    });
+    await db.chatSession.upsert({
+      where: { id: chatId },
+      create: { id: chatId, runId, publicAccessToken: chatAccessToken },
+      update: { runId, publicAccessToken: chatAccessToken },
+    });
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+<Tip>
+  By persisting in `onTurnStart`, the user's message is saved to your database before the AI starts
+  streaming. If the user refreshes mid-stream, the message is already there.
+</Tip>
+
+## onBeforeTurnComplete
+
+Fires after the response is captured but **before** the stream closes. The `writer` can send custom chunks that appear in the current turn. Use this for post-processing indicators, compaction progress, or any data the user should see before the turn ends.
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  onBeforeTurnComplete: async ({ writer, usage, uiMessages }) => {
+    // Write a custom data part while the stream is still open
+    writer.write({
+      type: "data-usage-summary",
+      data: {
+        tokens: usage?.totalTokens,
+        messageCount: uiMessages.length,
+      },
+    });
+
+    // You can also compact messages here and write progress
+    if (usage?.totalTokens && usage.totalTokens > 50_000) {
+      writer.write({ type: "data-compaction", data: { status: "compacting" } });
+      chat.setMessages(compactedMessages);
+      writer.write({ type: "data-compaction", data: { status: "complete" } });
+    }
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+Receives the same fields as [`TurnCompleteEvent`](/ai-chat/reference#turncompleteevent), plus a [`writer`](/ai-chat/reference#chatwriter).
+
+## onTurnComplete
+
+Fires after each turn completes, after the response is captured and the stream is closed. This is the primary hook for persisting the assistant's response. Does not include a `writer` since the stream is already closed.
+
+| Field                | Type                     | Description                                                                                  |
+| -------------------- | ------------------------ | -------------------------------------------------------------------------------------------- |
+| `ctx`                | `TaskRunContext`         | Full task run context. See [reference](/ai-chat/reference#task-context-ctx).                |
+| `chatId`             | `string`                 | Chat session ID                                                                              |
+| `messages`           | `ModelMessage[]`         | Full accumulated conversation (model format)                                                 |
+| `uiMessages`         | `UIMessage[]`            | Full accumulated conversation (UI format)                                                    |
+| `newMessages`        | `ModelMessage[]`         | Only this turn's messages (model format)                                                     |
+| `newUIMessages`      | `UIMessage[]`            | Only this turn's messages (UI format)                                                        |
+| `responseMessage`    | `UIMessage \| undefined` | The assistant's response for this turn                                                       |
+| `turn`               | `number`                 | Turn number (0-indexed)                                                                      |
+| `runId`              | `string`                 | The Trigger.dev run ID                                                                       |
+| `chatAccessToken`    | `string`                 | Scoped access token for this run                                                             |
+| `lastEventId`        | `string \| undefined`    | Stream position for resumption. Persist this with the session.                               |
+| `stopped`            | `boolean`                | Whether the user stopped generation during this turn                                         |
+| `continuation`       | `boolean`                | Whether this run is continuing an existing chat                                              |
+| `rawResponseMessage` | `UIMessage \| undefined` | The raw assistant response before abort cleanup (same as `responseMessage` when not stopped) |
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  onTurnComplete: async ({ chatId, uiMessages, runId, chatAccessToken, lastEventId }) => {
+    // Atomic write — see Database persistence for the race-condition rationale
+    await db.$transaction([
+      db.chat.update({
+        where: { id: chatId },
+        data: { messages: uiMessages },
+      }),
+      db.chatSession.upsert({
+        where: { id: chatId },
+        create: { id: chatId, runId, publicAccessToken: chatAccessToken, lastEventId },
+        update: { runId, publicAccessToken: chatAccessToken, lastEventId },
+      }),
+    ]);
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+<Tip>
+  Use `uiMessages` to overwrite the full conversation each turn (simplest). Use `newUIMessages` if
+  you prefer to store messages individually, e.g. one database row per message.
+</Tip>
+
+<Tip>
+  Persist `lastEventId` alongside the session. When the transport reconnects after a page refresh,
+  it uses this to skip past already-seen events, preventing duplicate messages.
+</Tip>
+
+<Tip>
+  For a full **conversation + session** persistence pattern (including preload, continuation, and token renewal), see [Database persistence](/ai-chat/patterns/database-persistence).
+</Tip>
+
+## onChatSuspend / onChatResume
+
+Chat-specific hooks that fire at the **idle-to-suspended** transition: the moment the run stops using compute and waits for the next message. These replace the need for the generic `onWait` / `onResume` task hooks for chat-specific work.
+
+The `phase` discriminator tells you **when** the suspend/resume happened:
+
+- `"preload"`: after `onPreload`, waiting for the first message
+- `"turn"`: after `onTurnComplete`, waiting for the next message
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  onChatSuspend: async (event) => {
+    // Tear down expensive resources before suspending
+    await disposeCodeSandbox(event.ctx.run.id);
+    if (event.phase === "turn") {
+      logger.info("Suspending after turn", { turn: event.turn });
+    }
+  },
+  onChatResume: async (event) => {
+    // Re-initialize after waking up
+    logger.info("Resumed", { phase: event.phase });
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+| Field        | Type             | Description                                                  |
+| ------------ | ---------------- | ------------------------------------------------------------ |
+| `phase`      | `"preload" \| "turn"` | Whether this is a preload or post-turn suspension       |
+| `ctx`        | `TaskRunContext` | Full task run context                                        |
+| `chatId`     | `string`         | Chat session ID                                              |
+| `runId`      | `string`         | The Trigger.dev run ID                                       |
+| `clientData` | Typed by `clientDataSchema` | Custom data from the frontend                   |
+| `turn`       | `number`         | Turn number (**`"turn"` phase only**)                        |
+| `messages`   | `ModelMessage[]` | Accumulated model messages (**`"turn"` phase only**)         |
+| `uiMessages` | `UIMessage[]`    | Accumulated UI messages (**`"turn"` phase only**)            |
+
+<Tip>
+  Unlike `onWait` (which fires for all wait types: duration, task, batch, token), `onChatSuspend` fires only at chat suspension points with full chat context. No need to filter on `wait.type`.
+</Tip>
+
+## exitAfterPreloadIdle
+
+When set to `true`, a preloaded run completes successfully after the idle timeout elapses instead of suspending. Use this for "fire and forget" preloads. If the user doesn't send a message during the idle window, the run ends cleanly.
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  preloadIdleTimeoutInSeconds: 10,
+  exitAfterPreloadIdle: true,
+  onPreload: async ({ chatId, clientData }) => {
+    // Eagerly set up state. If no message comes, the run just ends.
+    await initializeChat(chatId, clientData);
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+## See also
+
+- [Reference](/ai-chat/reference) for full event-type definitions
+- [Database persistence](/ai-chat/patterns/database-persistence) for the canonical persistence pattern
+- [Code execution sandbox](/ai-chat/patterns/code-sandbox) for an `onChatSuspend` use case
+- [Backend](/ai-chat/backend) for `chat.agent({ ... })` itself, prompts, stop signals, persistence overview, and runtime configuration
diff --git a/docs/ai-chat/mcp.mdx b/docs/ai-chat/mcp.mdx
new file mode 100644
index 00000000000..63c0d8ece00
--- /dev/null
+++ b/docs/ai-chat/mcp.mdx
@@ -0,0 +1,101 @@
+---
+title: "MCP Server"
+sidebarTitle: "MCP Server"
+description: "Chat with your agents from any AI coding tool using the Trigger.dev MCP server."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+The Trigger.dev MCP server includes tools for having conversations with your chat agents directly from AI coding tools like Claude Code, Cursor, Windsurf, and others. This lets your AI assistant interact with your agents without writing any code.
+
+## Available tools
+
+| Tool | Description |
+| --- | --- |
+| `list_agents` | List all agents in the current worker |
+| `start_agent_chat` | Start a conversation with an agent |
+| `send_agent_message` | Send a message and get the response |
+| `close_agent_chat` | Close a conversation |
+
+See the [MCP Tools Reference](/mcp-tools#agent-chat-tools) for full details on each tool.
+
+## Typical workflow
+
+<Steps>
+  <Step title="List available agents">
+    Ask your AI assistant to list agents in your project. This calls `list_agents` which returns all tasks created with [`chat.agent()`](/ai-chat/backend#chat-agent) or [`chat.customAgent()`](/ai-chat/backend#raw-task-with-primitives).
+  </Step>
+  <Step title="Start a chat">
+    Start a conversation with an agent using `start_agent_chat`. This triggers a run and optionally preloads the agent so it's ready to respond immediately.
+
+    If the agent uses `withClientData`, pass the required fields via `clientData`.
+  </Step>
+  <Step title="Send messages">
+    Send messages with `send_agent_message`. The agent processes each message and returns the full response text, including which tools were used. The agent retains full context across messages in the same chat.
+  </Step>
+  <Step title="Close the chat">
+    When done, close the conversation with `close_agent_chat`. This signals the agent to exit gracefully. If you skip this step, the agent will close on its own when its idle timeout expires.
+  </Step>
+</Steps>
+
+## Example conversation
+
+Here's what a typical MCP conversation with an agent looks like:
+
+```
+You: List my agents
+
+AI: Found 3 agents in worker 20250402.12 (dev):
+    - support-agent (src/trigger/support.ts)
+    - pr-review (src/trigger/pr-review.ts)
+    - research (src/trigger/research.ts)
+
+You: Start a chat with the support agent
+
+AI: Agent chat started and preloaded.
+    - Chat ID: abc-123
+    - Agent: support-agent
+    - Run ID: run_xyz
+
+You: Ask it to look up order #4821
+
+AI: I found order #4821. It was placed on March 15 and shipped via
+    FedEx (tracking: 7891234). Current status: In Transit, estimated
+    delivery March 19.
+
+    Tools used: lookupOrder, getShippingStatus
+
+You: Close the chat
+
+AI: Chat abc-123 closed.
+```
+
+## Setup
+
+If you haven't set up the MCP server yet, see the [MCP Server introduction](/mcp-introduction) for installation and client configuration.
+
+Agent chat tools require:
+- A running dev server (`trigger dev`) or a deployed worker
+- At least one agent defined with [`chat.agent()`](/ai-chat/backend#chat-agent) or [`chat.customAgent()`](/ai-chat/backend#raw-task-with-primitives)
+
+## How it works
+
+Under the hood, the MCP tools use the same protocol as the [frontend transport](/ai-chat/frontend) and [AgentChat SDK](/ai-chat/server-chat):
+
+1. **`start_agent_chat`** triggers a task run with the `preload` trigger and stores the session (run ID, chat ID) in memory.
+2. **`send_agent_message`** sends the message via the run's input stream and subscribes to the output SSE stream to collect the agent's full response.
+3. **`close_agent_chat`** sends a close signal via the input stream and removes the session.
+
+Sessions are held in-memory within the MCP server process. If the MCP server restarts, active sessions are lost — but the underlying agent runs continue until their idle timeout.
+
+<Note>
+  The `get_current_worker` tool also labels agents with `[agent]` in its output, making it easy to identify which tasks are agents even when listing all tasks.
+</Note>
+
+## See also
+
+- [AgentChat SDK](/ai-chat/server-chat) — programmatic server-side access to agents
+- [Sub-Agents](/ai-chat/patterns/sub-agents) — agents calling other agents
+- [MCP Tools Reference](/mcp-tools#agent-chat-tools) — full tool parameter reference
diff --git a/docs/ai-chat/overview.mdx b/docs/ai-chat/overview.mdx
new file mode 100644
index 00000000000..8e038ba7913
--- /dev/null
+++ b/docs/ai-chat/overview.mdx
@@ -0,0 +1,90 @@
+---
+title: "AI Agents"
+sidebarTitle: "Overview"
+description: "Durable multi-turn AI chats — one Trigger.dev task per conversation, surviving refreshes, deploys, and crashes."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+An AI chat isn't a request — it's a session. `chat.agent` runs every conversation as a single long-lived Trigger.dev task: you write the loop, it wakes up when a message arrives, freezes when none do, and the same in-memory state and on-disk workspace survive across page refreshes, deploys, idle gaps, and crashes. The substrate handles the parts most teams stitch together by hand — turn lifecycle, mid-stream resume, recovery from cancel/crash/OOM, HITL approvals, deploy upgrades — so your code is the loop you'd write anyway: messages in, `streamText` out.
+
+## A minimal example
+
+A `chat.agent` task takes `messages`, calls `streamText`, and returns the result. The frontend wires the [Vercel AI SDK's `useChat`](https://ai-sdk.dev/docs/reference/ai-sdk-ui/use-chat) to a `TriggerChatTransport`. No API routes.
+
+```ts trigger/chat.ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText, stepCountIs } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  run: async ({ messages, signal }) =>
+    streamText({
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    }),
+});
+```
+
+```tsx app/components/Chat.tsx
+import { useChat } from "@ai-sdk/react";
+import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+
+export function Chat() {
+  const transport = useTriggerChatTransport<typeof myChat>({
+    task: "my-chat",
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+  });
+  const { messages, sendMessage } = useChat({ transport });
+  // ... render UI
+}
+```
+
+See [Quick Start](/ai-chat/quick-start) for the matching server actions and a runnable project.
+
+## Why use AI Agents on Trigger.dev
+
+- **Resume across refreshes, deploys, and crashes.** A chat in progress when you redeploy keeps streaming on the new version. Mid-stream refreshes pick up where they left off.
+- **Native AI SDK support.** Text, tool calls, reasoning, and custom `data-*` parts all flow through `useChat` over a custom `ChatTransport`. No custom protocol to maintain.
+- **Multi-turn for free.** Each turn is a step inside the same durable task; conversation history accumulates server-side, so clients only ship the new message.
+- **Fast cold starts.** Opt-in [Head Start](/ai-chat/fast-starts#head-start) runs the first `streamText` step in your warm Next.js / Hono / SvelteKit server while the agent boots in parallel — cuts time-to-first-chunk roughly in half.
+- **Production primitives ship in the box.** Stop generation, steering, edits, branching, sub-agents, HITL tool approvals, version upgrades, recovery from cancel/crash/OOM — all first-class.
+- **Observable.** Every turn is a span in the Trigger.dev dashboard. Sessions are queryable via `sessions.list` for inbox-style UIs.
+
+## How it fits together
+
+Three primitives, related but distinct:
+
+- **Chat agents** — the SDK surface you define with [`chat.agent()`](/ai-chat/backend#chat-agent). Owns the turn loop, lifecycle hooks, and the response stream.
+- **Sessions** — the durable, bi-directional channel keyed on `chatId` that holds the conversation across run boundaries. A chat agent runs *on top of* a [Session](/ai-chat/sessions).
+- **Sub-agents** — Delegate work from one agent to another via [`AgentChat`](/ai-chat/patterns/sub-agents). The sub-agent runs as its own durable agent on its own session; its response streams back through the parent as preliminary tool results, so the frontend sees the sub-agent working inside the parent's tool card.
+
+## Next steps
+
+<CardGroup cols={2}>
+  <Card title="Quick Start" icon="rocket" href="/ai-chat/quick-start">
+    Get a working chat in three steps — agent, token, frontend.
+  </Card>
+  <Card title="How it works" icon="diagram-project" href="/ai-chat/how-it-works">
+    Sessions, the turn loop, durable streams, and what survives a refresh.
+  </Card>
+  <Card title="Backend" icon="server" href="/ai-chat/backend">
+    `chat.agent` options, lifecycle hooks, and the raw-task primitives.
+  </Card>
+  <Card title="Tools" icon="wrench" href="/ai-chat/tools">
+    Declare tools so `toModelOutput` survives across turns, typed in `run()`.
+  </Card>
+  <Card title="Patterns" icon="puzzle-piece" href="/ai-chat/patterns/sub-agents">
+    HITL approvals, branching, sub-agents, OOM/crash recovery.
+  </Card>
+  <Card title="Database connections" icon="database" href="/database-connections">
+    Size and release connection pools so agents don't exhaust your database.
+  </Card>
+</CardGroup>
diff --git a/docs/ai-chat/patterns/branching-conversations.mdx b/docs/ai-chat/patterns/branching-conversations.mdx
new file mode 100644
index 00000000000..8a313921f41
--- /dev/null
+++ b/docs/ai-chat/patterns/branching-conversations.mdx
@@ -0,0 +1,284 @@
+---
+title: "Branching conversations"
+sidebarTitle: "Branching conversations"
+description: "Build ChatGPT-style conversation trees with edit, regenerate, undo, and branch switching using hydrateMessages, chat.history, and actions."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+Most chat UIs treat conversations as linear sequences. But real conversations branch — users edit previous messages, regenerate responses, undo exchanges, and explore alternative paths. This pattern shows how to build a branching conversation system using `hydrateMessages`, `chat.history`, and custom actions.
+
+## Data model
+
+The standard approach (used by ChatGPT, Open WebUI, LibreChat, and others) stores messages as a tree with parent pointers:
+
+```ts
+// Each message is a node in the tree
+type ChatNode = {
+  id: string;
+  chatId: string;
+  parentId: string | null; // null for root
+  role: "user" | "assistant";
+  message: UIMessage; // the full AI SDK message
+  createdAt: Date;
+};
+```
+
+A conversation is a tree of nodes. The **active branch** is resolved by walking from a leaf node up through `parentId` pointers to the root, then reversing:
+
+```
+root
+├── user: "Hello"
+│   └── assistant: "Hi there!"
+│       ├── user: "What's the weather?" ← branch A
+│       │   └── assistant: "It's sunny!"
+│       └── user: "Tell me a joke" ← branch B (active)
+│           └── assistant: "Why did the..."
+```
+
+Switching branches means changing which leaf is "active" — the same tree, different path.
+
+## Backend setup
+
+### Store: tree operations
+
+Define helpers that read and write the node tree. Adapt to your database:
+
+```ts
+// Resolve the active path: walk from leaf to root, reverse
+async function getActiveBranch(chatId: string): Promise<UIMessage[]> {
+  const nodes = await db.chatNode.findMany({ where: { chatId } });
+  const byId = new Map(nodes.map((n) => [n.id, n]));
+
+  // Find active leaf (most recently created leaf node)
+  const childIds = new Set(nodes.map((n) => n.parentId).filter(Boolean));
+  const leaves = nodes.filter((n) => !childIds.has(n.id));
+  const activeLeaf = leaves.sort((a, b) => b.createdAt - a.createdAt)[0];
+  if (!activeLeaf) return [];
+
+  // Walk to root
+  const path: UIMessage[] = [];
+  let current: ChatNode | undefined = activeLeaf;
+  while (current) {
+    path.unshift(current.message);
+    current = current.parentId ? byId.get(current.parentId) : undefined;
+  }
+  return path;
+}
+
+// Append a message as a child of the current leaf
+async function appendMessage(chatId: string, message: UIMessage): Promise<void> {
+  const branch = await getActiveBranch(chatId);
+  const parentId = branch.length > 0 ? branch[branch.length - 1]!.id : null;
+
+  await db.chatNode.create({
+    data: { id: message.id, chatId, parentId, role: message.role, message, createdAt: new Date() },
+  });
+}
+```
+
+### Agent: hydration + actions
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText, stepCountIs } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+import { z } from "zod";
+
+export const myChat = chat.agent({
+  id: "branching-chat",
+
+  // Load the active branch from the DB on every turn.
+  // The frontend's message array is ignored — the tree is the source of truth.
+  hydrateMessages: async ({ chatId, trigger, incomingMessages }) => {
+    if (trigger === "submit-message" && incomingMessages.length > 0) {
+      await appendMessage(chatId, incomingMessages[incomingMessages.length - 1]!);
+    }
+    return getActiveBranch(chatId);
+  },
+
+  actionSchema: z.discriminatedUnion("type", [
+    // Edit a previous user message — creates a sibling node in the tree
+    z.object({ type: z.literal("edit"), messageId: z.string(), text: z.string() }),
+    // Switch to a different branch by selecting a leaf node
+    z.object({ type: z.literal("switch-branch"), leafId: z.string() }),
+    // Undo the last user + assistant exchange
+    z.object({ type: z.literal("undo") }),
+  ]),
+
+  onAction: async ({ action, chatId }) => {
+    switch (action.type) {
+      case "edit": {
+        // Find the original message's parent, create a sibling with new content
+        const original = await db.chatNode.findUnique({ where: { id: action.messageId } });
+        if (!original) break;
+
+        const newId = generateId();
+        await db.chatNode.create({
+          data: {
+            id: newId,
+            chatId,
+            parentId: original.parentId, // same parent = sibling
+            role: "user",
+            message: { id: newId, role: "user", parts: [{ type: "text", text: action.text }] },
+            createdAt: new Date(),
+          },
+        });
+        // Active branch now resolves through the new sibling (most recent leaf)
+        break;
+      }
+
+      case "switch-branch": {
+        // Mark this leaf as the most recently accessed so getActiveBranch picks it
+        await db.chatNode.update({
+          where: { id: action.leafId },
+          data: { createdAt: new Date() },
+        });
+        break;
+      }
+
+      case "undo": {
+        // Remove the last two nodes (user + assistant) from the active branch
+        const branch = await getActiveBranch(chatId);
+        if (branch.length >= 2) {
+          const lastTwo = branch.slice(-2);
+          await db.chatNode.deleteMany({
+            where: { id: { in: lastTwo.map((m) => m.id) } },
+          });
+        }
+        break;
+      }
+    }
+
+    // Reload the (now modified) active branch into the accumulator
+    const updated = await getActiveBranch(chatId);
+    chat.history.set(updated);
+  },
+
+  onTurnComplete: async ({ chatId, responseMessage }) => {
+    // Persist the assistant's response as a new node
+    if (responseMessage) {
+      await appendMessage(chatId, responseMessage);
+    }
+  },
+
+  run: async ({ messages, signal }) => {
+    return streamText({
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+## Frontend
+
+### Sending actions
+
+Wire up edit, undo, and branch switching to the transport:
+
+```tsx
+function MessageActions({ message, chatId }: { message: UIMessage; chatId: string }) {
+  const transport = useTransport();
+  const [editing, setEditing] = useState(false);
+  const [editText, setEditText] = useState("");
+
+  if (message.role !== "user") return null;
+
+  return (
+    <div>
+      {editing ? (
+        <form onSubmit={() => {
+          transport.sendAction(chatId, { type: "edit", messageId: message.id, text: editText });
+          setEditing(false);
+        }}>
+          <input value={editText} onChange={(e) => setEditText(e.target.value)} />
+          <button type="submit">Save</button>
+        </form>
+      ) : (
+        <button onClick={() => { setEditText(getMessageText(message)); setEditing(true); }}>
+          Edit
+        </button>
+      )}
+    </div>
+  );
+}
+```
+
+### Branch navigation
+
+To show the `< 2/3 >` sibling switcher, query the tree for siblings at each fork point. This is a frontend concern — the backend exposes the data, the UI navigates it.
+
+```tsx
+function BranchSwitcher({ message, chatId, siblings }: {
+  message: UIMessage;
+  chatId: string;
+  siblings: { id: string; createdAt: string }[];
+}) {
+  const transport = useTransport();
+  if (siblings.length <= 1) return null;
+
+  const currentIndex = siblings.findIndex((s) => s.id === message.id);
+
+  return (
+    <div>
+      <button
+        disabled={currentIndex === 0}
+        onClick={() => {
+          // Find the leaf of the previous sibling's subtree
+          transport.sendAction(chatId, {
+            type: "switch-branch",
+            leafId: siblings[currentIndex - 1]!.id,
+          });
+        }}
+      >
+        &lt;
+      </button>
+      <span>{currentIndex + 1}/{siblings.length}</span>
+      <button
+        disabled={currentIndex === siblings.length - 1}
+        onClick={() => {
+          transport.sendAction(chatId, {
+            type: "switch-branch",
+            leafId: siblings[currentIndex + 1]!.id,
+          });
+        }}
+      >
+        &gt;
+      </button>
+    </div>
+  );
+}
+```
+
+<Note>
+  The sibling data (which messages share the same parent) needs to come from your database — query it when loading the chat or include it as client data. The agent only returns the active branch via `hydrateMessages`.
+</Note>
+
+## How it works
+
+| Operation | What happens |
+|-----------|-------------|
+| **Send message** | `hydrateMessages` appends the new message as a child of the current leaf, returns the active path |
+| **Edit message** | `onAction` creates a sibling node with the same parent. The new node becomes the latest leaf, so `hydrateMessages` resolves through it. LLM responds to the edited history |
+| **Regenerate** | Same as edit — create a new assistant sibling. The AI SDK's `regenerate()` handles this via `trigger: "regenerate-message"` |
+| **Undo** | `onAction` removes the last two nodes. `chat.history.set()` updates the accumulator. LLM responds to the earlier state |
+| **Switch branch** | `onAction` updates which leaf is "active". `hydrateMessages` loads the new path. LLM responds to the switched context |
+
+## Design notes
+
+- **Messages are immutable** — edits create siblings, not mutations. This preserves full history for analytics and auditing.
+- **The tree lives in your database** — the agent loads a linear path from it via `hydrateMessages`. The agent itself doesn't know about the tree structure.
+- **`hydrateMessages` + `onAction` + `chat.history`** are the three primitives. Hydration loads the active path, actions modify the tree, and `chat.history.set()` syncs the accumulator after tree modifications.
+- **Frontend owns navigation** — the `< 2/3 >` UI, sibling queries, and branch switching triggers are client-side concerns. The backend just processes actions and returns responses.
+
+## See also
+
+- [`hydrateMessages`](/ai-chat/lifecycle-hooks#hydratemessages) — backend-controlled message history
+- [Actions](/ai-chat/actions) — custom actions with `actionSchema` and `onAction`
+- [`chat.history`](/ai-chat/backend#chat-history) — imperative history mutations
+- [Database persistence](/ai-chat/patterns/database-persistence) — basic persistence pattern (linear)
diff --git a/docs/ai-chat/patterns/code-sandbox.mdx b/docs/ai-chat/patterns/code-sandbox.mdx
new file mode 100644
index 00000000000..d4f17e271f9
--- /dev/null
+++ b/docs/ai-chat/patterns/code-sandbox.mdx
@@ -0,0 +1,126 @@
+---
+title: "Code execution sandbox"
+sidebarTitle: "Code sandbox"
+description: "Warm an isolated sandbox on each chat turn, run an AI SDK executeCode tool, and tear down right before the run suspends — using chat.agent hooks and chat.local."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+Use a **hosted code sandbox** (for example [E2B](https://e2b.dev)) when the model should run short scripts to analyze tool output (PostHog queries, CSV-like data, math) without executing arbitrary code on the Trigger worker host.
+
+This page describes a **durable chat** pattern that fits `chat.agent()`:
+
+- **Warm** the sandbox at the start of each turn (**non-blocking**).
+- **Reuse** it for every `executeCode` tool call during that turn (and across turns in the same run if you keep the handle).
+- **Dispose** it **right before the run suspends** waiting for the next user message — using the **`onChatSuspend`** hook, not `onTurnComplete`.
+
+
+## Why not tear down in `onTurnComplete`?
+
+After a turn finishes, the chat runtime still goes through an **idle** window and only then suspends. During that window the run is still executing — useful for `chat.defer()` work — and the run hasn't suspended yet.
+
+The boundary you want for “turn done, about to sleep” is **`onChatSuspend`**, which fires right before the run transitions from idle to suspended. It provides the `phase` (`”preload”` or `”turn”`) and full chat context. See [onChatSuspend / onChatResume](/ai-chat/lifecycle-hooks#onchatsuspend--onchatresume).
+
+```mermaid
+sequenceDiagram
+  participant TurnStart as onTurnStart
+  participant Run as run / streamText
+  participant TurnDone as onTurnComplete
+  participant Idle as Idle window
+  participant Suspend as onChatSuspend
+  participant Sleep as suspended
+
+  TurnStart->>Run: warm sandbox (async)
+  Run->>TurnDone: persist / inject / etc.
+  TurnDone->>Idle: still running
+  Idle->>Suspend: dispose sandbox
+  Suspend->>Sleep: waiting for next message
+```
+
+## Recommended provider: E2B
+
+- **API key** auth — works from any Trigger.dev worker; no Vercel-only OIDC.
+- **Code Interpreter** SDK (`@e2b/code-interpreter`): long-lived sandbox, `runCode()`, `kill()`.
+
+Alternatives (Modal, Daytona, raw Docker) are fine but more DIY. Vercel’s sandbox + AI SDK helpers are a better fit when execution stays **on Vercel**, not on the Trigger worker.
+
+## Implementation sketch
+
+### 1. Run-scoped sandbox map
+
+Keep a `Map<runId, Promise<Sandbox>>` (or similar) in a **task-only module** so your Next.js app never imports it.
+
+### 2. `onTurnStart` — warm without blocking
+
+```ts
+onTurnStart: async ({ runId, ctx, ...rest }) => {
+  warmCodeSandbox(runId); // fire-and-forget Sandbox.create()
+  // ...persist messages, writer, etc.
+},
+```
+
+### 3. `chat.local` — run id for tools
+
+Tool `execute` functions do not receive hook payloads. Use [`chat.local()`](/ai-chat/chat-local) to store the current run id for the sandbox key, **initialized from `onTurnStart`** (same `runId` as the map):
+
+```ts
+// In the same task module as your tools
+import { chat } from "@trigger.dev/sdk/ai";
+
+export const codeSandboxRun = chat.local<{ runId: string }>({ id: "codeSandboxRun" });
+
+export function warmCodeSandbox(runId: string) {
+  codeSandboxRun.init({ runId });
+  // ...start Sandbox.create(), store promise in Map by runId
+}
+```
+
+The **`executeCode`** tool reads `codeSandboxRun.runId` and awaits the sandbox promise before `runCode`.
+
+### 4. `onChatSuspend` / `onComplete` — teardown
+
+Use **`onChatSuspend`** to dispose the sandbox right before the run suspends, and **`onComplete`** as a safety net when the run ends entirely.
+
+```ts
+export const aiChat = chat.agent({
+  id: "ai-chat",
+  // ...
+  onChatSuspend: async ({ phase, ctx }) => {
+    await disposeCodeSandboxForRun(ctx.run.id);
+  },
+  onComplete: async ({ ctx }) => {
+    await disposeCodeSandboxForRun(ctx.run.id);
+  },
+});
+```
+
+Unlike `onWait` (which fires for all wait types), `onChatSuspend` only fires at chat suspension points — no need to filter on `wait.type`. The `phase` discriminator tells you if this is a preload or post-turn suspension.
+
+Optional **`onChatResume`**: log or reset flags; a fresh sandbox can be warmed again on the next **`onTurnStart`**.
+
+### 5. AI SDK tool
+
+Wrap the provider in a normal AI SDK `tool({ inputSchema, execute })` (same pattern as `webFetch`). Keep tool definitions in **task code**, not in the Next.js server bundle.
+
+### 6. Environment
+
+Set **`E2B_API_KEY`** (or your provider’s secret) on the **Trigger environment** for the worker — not in public client env.
+
+## Typing `ctx`
+
+Every `chat.agent` lifecycle event and the `run` payload include **`ctx`**: the same **[`TaskRunContext`](/ai-chat/reference#task-context-ctx)** shape as `task({ run: (payload, { ctx }) => ... })`.
+
+```ts
+import type { TaskRunContext } from "@trigger.dev/sdk";
+```
+
+The alias **`Context`** is also exported from `@trigger.dev/sdk` and is the same type.
+
+## See also
+
+- [Database persistence for chat](/ai-chat/patterns/database-persistence) — conversation + session rows, hooks, token renewal
+- [Lifecycle hooks](/ai-chat/lifecycle-hooks)
+- [API Reference — `ctx` on events](/ai-chat/reference#task-context-ctx)
+- [Per-run data with `chat.local`](/ai-chat/chat-local)
diff --git a/docs/ai-chat/patterns/database-persistence.mdx b/docs/ai-chat/patterns/database-persistence.mdx
new file mode 100644
index 00000000000..fae1e478092
--- /dev/null
+++ b/docs/ai-chat/patterns/database-persistence.mdx
@@ -0,0 +1,406 @@
+---
+title: "Database persistence for chat"
+sidebarTitle: "Database persistence"
+description: "Split conversation state and live session metadata across hooks — preload, turn start, turn complete — without tying the pattern to a specific ORM or schema."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+Durable chat runs can span **hours** and **many turns**. You usually want:
+
+1. **Conversation state** — full **`UIMessage[]`** (or equivalent) keyed by **`chatId`**, so reloads and history views work.
+2. **Live session state** — a **scoped access token** for the session and optionally **`lastEventId`** for stream resume.
+
+This page describes a **hook mapping** that works with any database. Adapt table and column names to your stack.
+
+## Conceptual data model
+
+You can use one table or two; the important split is **semantic**:
+
+| Concept | Purpose | Typical fields |
+| ------- | ------- | -------------- |
+| **Conversation** | Durable transcript + display metadata | Stable id (same as **`chatId`**), serialized **`uiMessages`**, title, model choice, owner/user id, timestamps |
+| **Active session** | Hydrate the transport on page reload | Same **`chatId`** as key (or FK), **`publicAccessToken`**, optional **`lastEventId`** |
+
+The **conversation** row is what your UI lists as "chats." The **session** row is what the **transport** needs after a refresh: a session-scoped PAT (so the transport doesn't have to re-mint on first paint) and the SSE resume cursor.
+
+Storing the current **`runId`** is optional — useful for telemetry / dashboard linking ("View this run") but not required for resume. The Session row owns its current run server-side; the transport reads from `session.out` keyed on `chatId`, so a run swap (continuation, upgrade) is invisible to your DB schema.
+
+<Note>
+  Store **`UIMessage[]`** in a JSON-compatible column, or normalize to a messages table — the pattern is *when* you read/write, not *how* you encode rows.
+</Note>
+
+## Where each hook writes
+
+This pattern covers **durable DB rows** (the conversation and the active session). Per-process in-memory state ([`chat.local`](/ai-chat/chat-local), [DB connection pools](/database-connections), sandboxes, etc.) belongs in [`onBoot`](/ai-chat/lifecycle-hooks#onboot) — it fires on every fresh worker including continuation runs, where `onPreload` and `onChatStart` do not.
+
+### `onPreload` (optional)
+
+When the user triggers [preload](/ai-chat/fast-starts#preload), the run starts **before** the first user message.
+
+- Ensure the **conversation** row exists (create or no-op).
+- **Upsert session**: **`chatAccessToken`** from the event (a session-scoped PAT covering both `read:sessions:{chatId}` and `write:sessions:{chatId}`).
+- Load any **user / tenant context** you need for prompts (`clientData`).
+
+If you skip preload, do the equivalent in **`onChatStart`** when **`preloaded`** is false.
+
+### `onChatStart` (chat's first message, non-preloaded path)
+
+- Fires **once per chat**, on the very first user message. Does NOT fire on continuation runs (post-`endRun`, post-waitpoint-timeout, post-`chat.requestUpgrade`) or on OOM-retry attempts.
+- If **`preloaded`** is true, return early — **`onPreload`** already ran.
+- Otherwise mirror preload: user/context, conversation create, session upsert.
+- No need to gate the conversation create on `continuation` — it's always a brand-new chat at this point.
+- For continuation runs that need to refresh per-run state (new PAT, new `lastEventId`), do it in **`onTurnStart`** / **`onTurnComplete`** — both fire on every turn including the first turn of a continuation run.
+
+### `onTurnStart`
+
+- **`await`** persist **`uiMessages`** (full accumulated history including the new user turn) **before** the hook returns — `chat.agent` does not begin streaming until `onTurnStart` resolves, so this is what bounds "user message is durable before the stream".
+
+<Warning>
+**Don't use [`chat.defer()`](/ai-chat/background-injection#chat-defer-standalone) for the message write here.** `chat.defer` is fire-and-forget — the hook resolves before the write lands and the stream starts immediately. If the user refreshes mid-stream, the next page load reads `[]` from your DB, the resumed SSE stream pushes the assistant into an empty array, and the user's message disappears from the rendered conversation forever.
+
+```ts
+// ❌ Bad — non-blocking write, mid-stream refresh drops the user message.
+onTurnStart: async ({ chatId, uiMessages }) => {
+  chat.defer(db.chat.update({ where: { id: chatId }, data: { messages: uiMessages } }));
+},
+
+// ✅ Good — awaited, durable before the model starts.
+onTurnStart: async ({ chatId, uiMessages }) => {
+  await db.chat.update({ where: { id: chatId }, data: { messages: uiMessages } });
+},
+```
+
+`chat.defer` is for writes whose timing doesn't matter for resume — analytics, audit logs, search-index updates, etc. Anything the next page load reads needs to land before the stream begins.
+</Warning>
+
+### `onTurnComplete`
+
+- Persist **`uiMessages`** again with the **assistant** reply finalized.
+- **Upsert session** with the fresh **`chatAccessToken`** and **`lastEventId`** from the event.
+
+**`lastEventId`** lets the frontend [resume](/ai-chat/frontend) without replaying SSE events it already applied. Treat it as part of session state, not optional polish, if you care about duplicate chunks after refresh.
+
+<Warning>
+**Write the messages and `lastEventId` in a single transaction.** Both values are read in parallel on the next page load (one fetches the conversation, the other fetches the session). If a refresh races between the two writes, the page can see the assistant message persisted (full history) but a stale `lastEventId` from the previous turn. The transport then resumes from that stale cursor and replays this turn's chunks on top of the already-persisted assistant message, producing a duplicated render.
+
+```ts
+// ✅ Atomic — refresh on the next page load reads both writes consistently.
+await db.$transaction([
+  db.chat.update({ where: { id: chatId }, data: { messages: uiMessages } }),
+  db.chatSession.upsert({
+    where: { id: chatId },
+    create: { id: chatId, publicAccessToken: chatAccessToken, lastEventId },
+    update: { publicAccessToken: chatAccessToken, lastEventId },
+  }),
+]);
+
+// ❌ Two awaits — narrow race window where messages are post-write but
+// lastEventId is still pre-write. A page refresh that lands here will
+// duplicate the assistant message on resume.
+await db.chat.update({ where: { id: chatId }, data: { messages: uiMessages } });
+await db.chatSession.upsert({ /* ... */ });
+```
+</Warning>
+
+## Token renewal (app server)
+
+The persisted PAT has a TTL (see **`chatAccessTokenTTL`** on **`chat.agent`**, default 1h). When the transport gets a **401** on a session-PAT-authed request, it calls your **`accessToken`** callback to mint a fresh PAT — no DB lookup required, since the session is keyed on `chatId` (which the transport already has).
+
+Your `accessToken` callback typically just wraps `auth.createPublicToken`:
+
+```ts
+"use server";
+import { auth } from "@trigger.dev/sdk";
+
+export async function mintChatAccessToken(chatId: string) {
+  return auth.createPublicToken({
+    scopes: { read: { sessions: chatId }, write: { sessions: chatId } },
+    expirationTime: "1h",
+  });
+}
+```
+
+If you want to keep your DB session row in sync, the transport's **`onSessionChange`** callback fires every time the cached PAT changes — persist the new value there.
+
+No Trigger task code needs to run for renewal.
+
+## Minimal pseudocode
+
+```typescript
+// Pseudocode — replace saveConversation / saveSession with your DB layer.
+
+chat.agent({
+  id: "my-chat",
+  clientDataSchema: z.object({ userId: z.string() }),
+
+  onPreload: async ({ chatId, chatAccessToken, clientData }) => {
+    if (!clientData) return;
+    await ensureUser(clientData.userId);
+    await upsertConversation({ id: chatId, userId: clientData.userId /* ... */ });
+    await upsertSession({ chatId, publicAccessToken: chatAccessToken });
+  },
+
+  onChatStart: async ({ chatId, chatAccessToken, clientData, preloaded }) => {
+    if (preloaded) return;
+    // Fires once per chat — no continuation gate needed.
+    await ensureUser(clientData.userId);
+    await upsertConversation({ id: chatId, userId: clientData.userId /* ... */ });
+    await upsertSession({ chatId, publicAccessToken: chatAccessToken });
+  },
+
+  onTurnStart: async ({ chatId, uiMessages }) => {
+    // Awaited, not chat.defer — see the warning in `onTurnStart` above.
+    await saveConversationMessages(chatId, uiMessages);
+  },
+
+  onTurnComplete: async ({ chatId, uiMessages, chatAccessToken, lastEventId }) => {
+    // Atomic: messages + lastEventId must be readable consistently on resume.
+    // See the warning above for why a non-atomic write causes duplicate renders.
+    await db.$transaction([
+      saveConversationMessagesQuery(chatId, uiMessages),
+      upsertSessionQuery({ chatId, publicAccessToken: chatAccessToken, lastEventId }),
+    ]);
+  },
+
+  run: async ({ messages, signal }) => {
+    /* streamText, etc. */
+  },
+});
+```
+
+## Alternative: `hydrateMessages`
+
+For apps that need the backend to be the single source of truth for message history — abuse prevention, branching conversations, or rollback support — use [`hydrateMessages`](/ai-chat/lifecycle-hooks#hydratemessages) instead of relying on the frontend's accumulated state.
+
+With hydration, the hook loads messages from your database on every turn. The frontend's messages are ignored (except for the new user message, which arrives in `incomingMessages`):
+
+```ts
+import { chat, upsertIncomingMessage } from "@trigger.dev/sdk/ai";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  hydrateMessages: async ({ chatId, trigger, incomingMessages }) => {
+    const record = await db.chat.findUnique({ where: { id: chatId } });
+    const stored = record?.messages ?? [];
+
+    // `upsertIncomingMessage` pushes a fresh user message and no-ops
+    // on HITL continuations (the runtime overlays the new tool-state
+    // advance onto the existing entry). See lifecycle hooks for the
+    // full pattern: /ai-chat/lifecycle-hooks#hydratemessages
+    if (upsertIncomingMessage(stored, { trigger, incomingMessages })) {
+      await db.chat.update({ where: { id: chatId }, data: { messages: stored } });
+    }
+
+    return stored;
+  },
+  onTurnComplete: async ({ chatId, uiMessages, chatAccessToken, lastEventId }) => {
+    // Persist the response and refresh session state atomically — see the
+    // warning in the previous section for why these two writes have to be
+    // in the same transaction.
+    await db.$transaction([
+      db.chat.update({ where: { id: chatId }, data: { messages: uiMessages } }),
+      db.chatSession.upsert({
+        where: { id: chatId },
+        create: { id: chatId, publicAccessToken: chatAccessToken, lastEventId },
+        update: { publicAccessToken: chatAccessToken, lastEventId },
+      }),
+    ]);
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+This replaces the `onTurnStart` persistence pattern — the hook handles both loading and persisting the new message in one place.
+
+## Design notes
+
+- **`chatId`** is stable for the life of a thread and is the only identifier the transport persists. Runs come and go (idle continuation, upgrade, cancel/restart) but the chat keeps its identity.
+- **`continuation: true`** means "same logical chat, new run" — refresh the persisted PAT, don't assume an empty conversation.
+- The current `runId` is available on every hook event for telemetry / dashboard linking ("View this run"), but you don't need to persist it for resume to work — the transport addresses by `chatId`.
+- Keep **task modules** that perform writes **out of** browser bundles; the pattern assumes persistence runs **in the worker** (or your BFF that the task calls).
+
+## Complete example
+
+End-to-end implementation across the three files involved: agent task, server actions, and React component.
+
+<Warning>
+  The example below trusts raw `chatId` and returns rows without filtering by user. In a real multi-user app, **scope every query by the authenticated user** — read the user from your auth/session in each server action and add `where: { userId }` to all `db.chat.*` and `db.chatSession.*` queries. Without that, one client could read or delete another user's chat state, and `getAllSessions()` would leak other users' `publicAccessToken`s. The snippet keeps auth out of the way to focus on the persistence shape.
+</Warning>
+
+<CodeGroup>
+```ts trigger/chat.ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText, stepCountIs } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+import { z } from "zod";
+import { db } from "@/lib/db";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  clientDataSchema: z.object({
+    userId: z.string(),
+  }),
+  onChatStart: async ({ chatId, clientData }) => {
+    await db.chat.create({
+      data: { id: chatId, userId: clientData.userId, title: "New chat", messages: [] },
+    });
+  },
+  onTurnStart: async ({ chatId, uiMessages, runId, chatAccessToken }) => {
+    // Persist messages + session before streaming
+    await db.chat.update({
+      where: { id: chatId },
+      data: { messages: uiMessages },
+    });
+    await db.chatSession.upsert({
+      where: { id: chatId },
+      create: { id: chatId, runId, publicAccessToken: chatAccessToken },
+      update: { runId, publicAccessToken: chatAccessToken },
+    });
+  },
+  onTurnComplete: async ({ chatId, uiMessages, runId, chatAccessToken, lastEventId }) => {
+    // Persist assistant response + stream position atomically — see the
+    // race-condition warning earlier on this page.
+    await db.$transaction([
+      db.chat.update({
+        where: { id: chatId },
+        data: { messages: uiMessages },
+      }),
+      db.chatSession.upsert({
+        where: { id: chatId },
+        create: { id: chatId, runId, publicAccessToken: chatAccessToken, lastEventId },
+        update: { runId, publicAccessToken: chatAccessToken, lastEventId },
+      }),
+    ]);
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+```ts app/actions.ts
+"use server";
+
+import { auth } from "@trigger.dev/sdk";
+import { chat } from "@trigger.dev/sdk/ai";
+import { db } from "@/lib/db";
+
+export const startChatSession = chat.createStartSessionAction("my-chat");
+
+export async function mintChatAccessToken(chatId: string) {
+  return auth.createPublicToken({
+    scopes: { read: { sessions: chatId }, write: { sessions: chatId } },
+    expirationTime: "1h",
+  });
+}
+
+export async function getChatMessages(chatId: string) {
+  const found = await db.chat.findUnique({ where: { id: chatId } });
+  return found?.messages ?? [];
+}
+
+export async function getAllSessions() {
+  const sessions = await db.chatSession.findMany();
+  const result: Record<
+    string,
+    {
+      publicAccessToken: string;
+      lastEventId?: string;
+    }
+  > = {};
+  for (const s of sessions) {
+    result[s.id] = {
+      publicAccessToken: s.publicAccessToken,
+      lastEventId: s.lastEventId ?? undefined,
+    };
+  }
+  return result;
+}
+
+export async function deleteSession(chatId: string) {
+  await db.chatSession.delete({ where: { id: chatId } }).catch(() => {});
+}
+```
+
+```tsx app/components/chat.tsx
+"use client";
+
+import { useChat } from "@ai-sdk/react";
+import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+import type { myChat } from "@/trigger/chat";
+import { mintChatAccessToken, startChatSession, deleteSession } from "@/app/actions";
+
+export function Chat({ chatId, initialMessages, initialSessions }) {
+  const transport = useTriggerChatTransport<typeof myChat>({
+    task: "my-chat",
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+    clientData: { userId: currentUser.id }, // Type-checked against clientDataSchema
+    sessions: initialSessions,
+    onSessionChange: (id, session) => {
+      if (!session) deleteSession(id);
+    },
+  });
+
+  const { messages, sendMessage, stop, status } = useChat({
+    id: chatId,
+    messages: initialMessages,
+    transport,
+    resume: initialMessages.length > 0,
+  });
+
+  return (
+    <div>
+      {messages.map((m) => (
+        <div key={m.id}>
+          <strong>{m.role}:</strong>
+          {m.parts.map((part, i) =>
+            part.type === "text" ? <span key={i}>{part.text}</span> : null
+          )}
+        </div>
+      ))}
+
+      <form
+        onSubmit={(e) => {
+          e.preventDefault();
+          const input = e.currentTarget.querySelector("input");
+          if (input?.value) {
+            sendMessage({ text: input.value });
+            input.value = "";
+          }
+        }}
+      >
+        <input placeholder="Type a message..." />
+        <button type="submit" disabled={status === "streaming"}>
+          Send
+        </button>
+        {status === "streaming" && (
+          <button type="button" onClick={stop}>
+            Stop
+          </button>
+        )}
+      </form>
+    </div>
+  );
+}
+```
+
+</CodeGroup>
+
+## See also
+
+- [Lifecycle hooks](/ai-chat/lifecycle-hooks)
+- [Session management](/ai-chat/frontend#session-management) — `resume`, `lastEventId`, transport
+- [`chat.defer()`](/ai-chat/background-injection#chat-defer-standalone) — non-blocking writes during a turn
+- [Code execution sandbox](/ai-chat/patterns/code-sandbox) — combines **`onWait`** / **`onComplete`** with this persistence model
diff --git a/docs/ai-chat/patterns/human-in-the-loop.mdx b/docs/ai-chat/patterns/human-in-the-loop.mdx
new file mode 100644
index 00000000000..7a8028bf85b
--- /dev/null
+++ b/docs/ai-chat/patterns/human-in-the-loop.mdx
@@ -0,0 +1,275 @@
+---
+title: "Human-in-the-loop"
+sidebarTitle: "Human-in-the-loop"
+description: "Pause the agent mid-response to ask the user a clarifying question, then resume with their answer."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+Some turns need to stop and ask the user something before they can finish — picking between options, confirming a destructive action, or clarifying an ambiguous request. The AI SDK calls this **human-in-the-loop** (HITL), and the building block is a tool with no `execute` function.
+
+When the LLM calls a tool that has no `execute`, `streamText` ends with the tool call still pending. The turn completes cleanly, the frontend renders UI to collect the answer, and when the user responds, a new turn resumes with the answer merged into the same assistant message.
+
+## How it works
+
+```
+Turn N:
+  User message → run()
+  LLM streams text → calls askUser tool (no execute)
+  streamText ends with tool-call in `input-available` state
+  onTurnComplete fires (finishReason = "tool-calls")
+  Agent idle
+
+Frontend:
+  Renders question + option buttons from tool input
+  User clicks → addToolOutput({ tool, toolCallId, output })
+  sendAutomaticallyWhen: lastAssistantMessageIsCompleteWithToolCalls
+  → sendMessage() fires next turn
+
+Turn N+1:
+  hydrateMessages / accumulator sees the updated assistant message
+  run() is called, LLM continues from the tool result
+  onTurnComplete fires (finishReason = "stop", responseMessage is the FULL merged message)
+```
+
+The AI SDK's `toUIMessageStream` automatically reuses the assistant message ID across the pause (we pass `originalMessages` internally), so `responseMessage` in the post-resume `onTurnComplete` is the **full merged message** — the original text, the completed tool call, and any follow-up content — not just the new parts.
+
+## Backend: define the tool
+
+A HITL tool has an `inputSchema` describing what the model can ask, but **no `execute` function**. When the LLM calls it, `streamText` returns control to your agent.
+
+```ts trigger/my-chat.ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText, tool, stepCountIs } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+import { z } from "zod";
+
+const askUser = tool({
+  description:
+    "Ask the user a clarifying question when you need their input. " +
+    "Present 2-4 options for them to pick from.",
+  inputSchema: z.object({
+    question: z.string(),
+    options: z
+      .array(
+        z.object({
+          id: z.string(),
+          label: z.string(),
+          description: z.string().optional(),
+        })
+      )
+      .min(2)
+      .max(4),
+  }),
+  // No execute function — streamText ends, the frontend supplies the output
+  // via addToolOutput, and the next turn continues from the result.
+});
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  tools: { askUser },
+  run: async ({ messages, tools, signal }) => {
+    return streamText({
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      tools,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+Declaring `tools` on the config (and reading them back from the payload) is the recommended shape for any agent with tools. See [Tools](/ai-chat/tools).
+
+## Frontend: render the question and collect the answer
+
+Two pieces on the client:
+
+1. **UI for the pending tool call** — render when the tool part is in `input-available` state, i.e. the LLM has called the tool but there's no output yet.
+2. **Auto-send on resolution** — use `sendAutomaticallyWhen: lastAssistantMessageIsCompleteWithToolCalls` so answering kicks off the next turn without the user having to hit "send."
+
+```tsx
+import { useChat, lastAssistantMessageIsCompleteWithToolCalls } from "@ai-sdk/react";
+import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+
+function ChatView({ chatId }: { chatId: string }) {
+  const transport = useTriggerChatTransport({
+    task: "my-chat",
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+  });
+  const { messages, sendMessage, addToolOutput } = useChat({
+    id: chatId,
+    transport,
+    sendAutomaticallyWhen: lastAssistantMessageIsCompleteWithToolCalls,
+  });
+
+  return (
+    <>
+      {messages.map((m) =>
+        m.parts.map((part, i) => {
+          if (part.type === "tool-askUser" && part.state === "input-available") {
+            return (
+              <AskUserCard
+                key={i}
+                question={part.input.question}
+                options={part.input.options}
+                onAnswer={(opt) =>
+                  addToolOutput({
+                    tool: "askUser",
+                    toolCallId: part.toolCallId,
+                    output: { optionId: opt.id, label: opt.label },
+                  })
+                }
+              />
+            );
+          }
+          if (part.type === "text") return <Markdown key={i}>{part.text}</Markdown>;
+          return null;
+        })
+      )}
+    </>
+  );
+}
+```
+
+`addToolOutput` patches the assistant message locally with `state: "output-available"` and fills in `output`. `lastAssistantMessageIsCompleteWithToolCalls` detects that every pending tool call now has a result, and `useChat` fires a new `sendMessage` — the backend picks it up as the next turn.
+
+## Detecting a paused turn in `onTurnComplete`
+
+Two ways to detect "this turn paused for user input" vs "this turn finished normally":
+
+### Via `finishReason` (recommended)
+
+The AI SDK's finish reason is surfaced on every `onTurnComplete` event. If the model stopped on tool calls, it's `"tool-calls"`:
+
+```ts
+onTurnComplete: async ({ finishReason, responseMessage }) => {
+  if (finishReason === "tool-calls") {
+    // Turn paused — assistant message has pending tool call(s)
+    const pending = responseMessage?.parts.filter(
+      (p) => p.type.startsWith("tool-") && p.state === "input-available"
+    );
+    // Persist as a checkpoint / partial turn
+  } else {
+    // finishReason === "stop" — normal completion
+    // Persist as a completed turn
+  }
+};
+```
+
+<Note>
+  `finishReason` is only undefined for manual `chat.pipe()` flows or aborted streams. For the common `run() → return streamText(...)` pattern it's always populated.
+</Note>
+
+### Via response parts
+
+If you need more nuance (e.g. which specific tool is pending), use `chat.history.getPendingToolCalls()`:
+
+```ts
+const pending = chat.history.getPendingToolCalls();
+// [{ toolCallId, toolName, messageId }]
+```
+
+The result reflects the most recent assistant message: the one waiting on `addToolOutput`. Use it from `onAction` to gate fresh user turns ("can't send a new message while a HITL is open"), or from `onTurnComplete` to decide what to persist.
+
+Both `finishReason === "tool-calls"` and `chat.history.getPendingToolCalls().length > 0` are equivalent in practice. Use `finishReason` for dispatch, the helper for detail.
+
+### Acting once per net-new tool result
+
+When the user's `addToolOutput` round-trips a tool answer back to the agent, the wire message carries the resolved tool part. If you want to fire side-effects (audit log, billing, notifications) exactly once per resolved tool call, do it in `hydrateMessages` before the runtime merges. `chat.history.extractNewToolResults(message)` returns only the parts whose `toolCallId` isn't already resolved on the chain:
+
+```ts
+hydrateMessages: async ({ incomingMessages }) => {
+  for (const msg of incomingMessages) {
+    if (msg.role !== "assistant") continue;
+    for (const r of chat.history.extractNewToolResults(msg)) {
+      await auditLog.record({
+        toolCallId: r.toolCallId,
+        toolName: r.toolName,
+        output: r.output,
+        errorText: r.errorText, // set only for output-error parts
+      });
+    }
+  }
+  return incomingMessages;
+},
+```
+
+`extractNewToolResults` compares against the current `chat.history`. By the time `onTurnComplete` fires, the chain already contains `responseMessage`, so the helper returns `[]` there. Use it where the message is from outside the accumulator: `hydrateMessages`, `onAction` if the action carries a message, or any custom pre-merge code path.
+
+## Persistence: one message vs one record per pause
+
+Because the AI SDK reuses the assistant message ID across the pause, the "same turn" from the user's perspective maps to **two `onTurnComplete` firings** on the server — but both receive a `responseMessage` with the **same `id`**, and the second firing's `responseMessage` contains the fully merged content.
+
+Two common persistence patterns:
+
+### Overwrite on every turn (simplest)
+
+Just store the latest `uiMessages` array on every `onTurnComplete`. The paused-turn write is overwritten by the resume-turn write; the final DB state has the full merged message.
+
+```ts
+onTurnComplete: async ({ chatId, uiMessages }) => {
+  await db.chat.update({
+    where: { id: chatId },
+    data: { messages: uiMessages },
+  });
+},
+```
+
+Use this unless you specifically need an audit trail.
+
+### Checkpoint nodes (immutable history)
+
+For apps that want every pause point recorded as its own immutable snapshot (branching, replay, diff review), save a checkpoint when paused and a sibling when complete:
+
+```ts
+onTurnComplete: async ({ chatId, responseMessage, finishReason, uiMessages }) => {
+  if (!responseMessage) return;
+
+  if (finishReason === "tool-calls") {
+    // Paused — save a checkpoint
+    await db.turnCheckpoint.create({
+      data: {
+        chatId,
+        messageId: responseMessage.id,
+        parts: responseMessage.parts,
+        kind: "partial",
+      },
+    });
+  } else {
+    // Completed — save a sibling with the merged full message
+    await db.turnCheckpoint.create({
+      data: {
+        chatId,
+        messageId: responseMessage.id,
+        parts: responseMessage.parts,
+        kind: "final",
+      },
+    });
+  }
+
+  // Always update the canonical chat record for `hydrateMessages` to load
+  await db.chat.update({
+    where: { id: chatId },
+    data: { messages: uiMessages },
+  });
+};
+```
+
+Both writes see `responseMessage.id` as the same value — they're checkpoints of the same logical message. Grouping by `messageId` + ordering by `createdAt` gives you the progression.
+
+## Multi-pause turns
+
+A single logical turn can pause more than once — the LLM asks question A, gets the answer, thinks, then asks question B before finishing. Each pause fires its own `onTurnComplete` with `finishReason === "tool-calls"`; only the last firing has `finishReason === "stop"`. The checkpoint pattern above handles this naturally — each pause adds a new checkpoint sharing the same `responseMessage.id`.
+
+## Gotchas
+
+- **Don't set an `execute` function on the HITL tool.** If it has one, `streamText` will call it immediately instead of handing control back.
+- **The frontend must use `sendAutomaticallyWhen`.** Without it, the user has to press Enter after answering — `addToolOutput` updates local state but doesn't fire a new turn by itself.
+- **Don't mutate `responseMessage` in `onTurnComplete`.** It's the captured snapshot. To add custom parts, use `chat.response.append()` in `onBeforeTurnComplete` (while the stream is open).
+- **Stop handling.** If the user stops the run while a pause is active (`chat.stop()` on the transport), `onTurnComplete` fires with `stopped: true` and `finishReason` reflecting the last successful step. Treat stopped paused turns the same as stopped normal turns.
diff --git a/docs/ai-chat/patterns/large-payloads.mdx b/docs/ai-chat/patterns/large-payloads.mdx
new file mode 100644
index 00000000000..859c51c0d62
--- /dev/null
+++ b/docs/ai-chat/patterns/large-payloads.mdx
@@ -0,0 +1,169 @@
+---
+title: "Large payloads in chat.agent"
+sidebarTitle: "Large payloads"
+description: "Why a single chunk on the chat stream is capped at ~1 MiB, what error you'll see, and how to work around it with ID references."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+The realtime stream that backs `chat.agent` enforces a **per-record cap of ~1 MiB** (`1048576` bytes minus a small envelope reserve). Anything written through the chat output — auto-piped LLM chunks, `chat.response.write`, custom `writer.write` parts — counts as one record per chunk and is rejected if it crosses the cap.
+
+This is a platform-level limit and cannot be raised per project or per stream.
+
+## What you'll see
+
+When a chunk crosses the cap, the run fails with a typed [`ChatChunkTooLargeError`](/ai-chat/error-handling):
+
+```
+ChatChunkTooLargeError: chat.agent chunk of type "tool-output-available" is 2000126 bytes,
+over the realtime stream's per-record cap of 1047552 bytes. For oversized payloads
+(e.g. large tool outputs), write the value to your own store and emit only an id/url
+through the chat stream — see https://trigger.dev/docs/ai-chat/patterns/large-payloads.
+```
+
+The error includes:
+
+- `chunkType` — discriminant on the chunk that failed (e.g. `tool-output-available`, `data-handover`, `text-delta`).
+- `chunkSize` — UTF-8 byte count of the JSON-serialized record.
+- `maxSize` — the effective cap.
+
+You can catch and re-throw / log it explicitly:
+
+```ts
+import { ChatChunkTooLargeError, isChatChunkTooLargeError } from "@trigger.dev/sdk";
+
+try {
+  await someWrite();
+} catch (err) {
+  if (isChatChunkTooLargeError(err)) {
+    logger.error("Oversized chunk", { type: err.chunkType, size: err.chunkSize });
+  }
+  throw err;
+}
+```
+
+## Most common cause: large tool outputs
+
+If you return a `streamText` result from `run()`, the AI SDK auto-pipes its `UIMessageStream` into the chat output. A tool whose result object is large (a fetched HTML body, a CSV blob, an image as base64, a deep DB row dump) gets emitted as one `tool-output-available` chunk — and that's the chunk that overruns.
+
+**Diagnose first**: log tool sizes during development.
+
+```ts
+const fetchPage = tool({
+  inputSchema: z.object({ url: z.string().url() }),
+  execute: async ({ url }) => {
+    const html = await (await fetch(url)).text();
+    if (html.length > 500_000) {
+      logger.warn("Large tool output", { tool: "fetchPage", bytes: html.length });
+    }
+    return { html };
+  },
+});
+```
+
+If the size is unbounded by input, fix the tool — not the stream.
+
+## ID-reference pattern
+
+Store the large value in your own database (or object store) and emit only an identifier through the chat stream. The frontend fetches the full payload separately on demand.
+
+This keeps the chat stream small, predictable, and resumable, and lets you reuse the value across turns or sessions without re-streaming it.
+
+<CodeGroup>
+
+```ts task.ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { tool } from "ai";
+import { z } from "zod";
+
+const fetchPage = tool({
+  description: "Fetch a URL and store the HTML for later inspection.",
+  inputSchema: z.object({ url: z.string().url() }),
+  execute: async ({ url }) => {
+    const html = await (await fetch(url)).text();
+    const docId = await db.documents.create({
+      data: { url, html, byteSize: html.length },
+    });
+
+    // Tool result is small — just an id and metadata.
+    // The model and the UI both work with this lightweight handle.
+    return {
+      docId,
+      url,
+      byteSize: html.length,
+      preview: html.slice(0, 500),
+    };
+  },
+});
+```
+
+```ts api/document/[id]/route.ts
+// Frontend fetches the full document on demand.
+import { auth, currentUser } from "@/lib/auth";
+
+export async function GET(_req: Request, { params }: { params: { id: string } }) {
+  const user = await currentUser();
+  const doc = await db.documents.findUniqueOrThrow({
+    where: { id: params.id, userId: user.id },
+  });
+  return new Response(doc.html, { headers: { "content-type": "text/html" } });
+}
+```
+
+```tsx component.tsx
+function ToolResultCard({ part }: { part: ToolUIPart<"fetchPage"> }) {
+  const { docId, url, byteSize, preview } = part.output;
+  return (
+    <div>
+      <p>{url} — {(byteSize / 1024).toFixed(0)} KB</p>
+      <pre>{preview}…</pre>
+      <a href={`/api/document/${docId}`}>Open full HTML</a>
+    </div>
+  );
+}
+```
+
+</CodeGroup>
+
+The same pattern works for `chat.response.write` — push the heavy value to your DB, then emit a small data part with the id:
+
+```ts
+const id = await db.attachments.create({ data: { content: hugeReport } });
+chat.response.write({ type: "data-report", data: { id, summary: shortSummary } });
+```
+
+<Tip>
+  Persist the large value **before** you emit the id chunk. If the chunk reaches the UI before the row is written, the frontend gets a 404 on the follow-up fetch.
+</Tip>
+
+## Transient UI parts
+
+For progress indicators or status data that should stream to the UI but not persist into the response message, use `chat.response.write` with `transient: true`. The chunk still travels on the chat stream (so the 1 MiB per-record cap still applies), but it never lands in `responseMessage` or `uiMessages`:
+
+```ts
+chat.response.write({
+  type: "data-progress",
+  data: { percent: 50 },
+  transient: true,
+});
+```
+
+For genuinely high-volume diagnostic data (per-token traces, large debug dumps), don't try to ship it through the realtime stream at all. Log to your own store (DB, object storage, OTel logger) and surface it through a separate UI route that isn't tied to the chat session.
+
+## What does **not** trigger the cap
+
+These calls don't go through the realtime stream and have no per-record cap:
+
+- [`chat.history.set` / `slice` / `replace` / `remove`](/ai-chat/backend#chat-history) — locals-only mutations on the in-memory message list.
+- [`chat.inject`](/ai-chat/background-injection#chat-inject) — appends to the run's pending message queue, not the stream.
+- [`chat.defer`](/ai-chat/background-injection#chat-defer-standalone) — promise registry; awaited at turn boundaries, never serialized to the stream.
+
+The control markers `chat.agent` emits internally (`trigger:turn-complete`, `trigger:upgrade-required`) are tiny by construction.
+
+## See also
+
+- [Error handling](/ai-chat/error-handling) — how `ChatChunkTooLargeError` flows through the layers.
+- [Database persistence](/ai-chat/patterns/database-persistence) — your own store as the durable backing for ID references.
+- [Client protocol](/ai-chat/client-protocol) — chunk shapes that travel on the chat stream.
diff --git a/docs/ai-chat/patterns/oom-resilience.mdx b/docs/ai-chat/patterns/oom-resilience.mdx
new file mode 100644
index 00000000000..097fe796cf7
--- /dev/null
+++ b/docs/ai-chat/patterns/oom-resilience.mdx
@@ -0,0 +1,120 @@
+---
+title: "OOM resilience"
+sidebarTitle: "OOM resilience"
+description: "Recover from out-of-memory errors mid-turn by automatically retrying the failed turn on a larger machine — without losing the in-flight user message or re-processing completed turns."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+When a `chat.agent` turn runs out of memory, the worker process dies and everything in it is gone: the in-flight LLM call, the accumulator, any tool execution mid-flight. By default, Trigger.dev surfaces the OOM as a run failure.
+
+Setting `oomMachine` opts the agent into automatic recovery: the failed turn re-runs on a larger machine, picks up the user message that triggered the OOM (without re-processing earlier completed turns), and produces a normal response.
+
+## Setup
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  machine: "small-1x",         // default machine
+  oomMachine: "medium-2x",     // fallback on OOM
+  run: async ({ messages, signal }) =>
+    streamText({ model, messages, abortSignal: signal }),
+});
+```
+
+That's the entire opt-in. With `oomMachine` set, the agent gets:
+
+- **`retry.maxAttempts: 2`** internally — one retry for OOM only; non-OOM errors don't retry.
+- **`retry.outOfMemory.machine: oomMachine`** — the fresh attempt boots on the larger machine.
+- **`session.in` cursor recovery** — the new attempt skips records belonging to turns that already completed on the prior attempt and only re-runs the OOM'd turn.
+
+`chat.agent` does not expose generic `retry` options. OOM recovery is the only retry path because retrying an LLM-driven loop on non-OOM errors tends to be expensive and side-effecting. Drop down to a [raw `task()` with chat primitives](/ai-chat/backend#raw-task-with-primitives) if you need richer retry semantics.
+
+## How recovery works
+
+The recovery doesn't need any customer-side persistence to avoid duplicate processing. It uses two pieces of durable state Trigger already maintains for every chat:
+
+- **`session.out`** — the durable response stream. Every successful turn writes a `trigger:turn-complete` chunk here.
+- **`session.in`** — the durable input stream. Every user message after the first turn lands here as a record with a server-assigned timestamp.
+
+On retry boot, the SDK:
+
+1. Scans `session.out` for the latest `trigger:turn-complete` chunk and reads its timestamp. Call this `T_last_complete`.
+2. Sets a per-stream filter on `session.in` so any record with `timestamp <= T_last_complete` is dropped before it reaches the turn loop.
+3. Begins normal processing. The first record that passes the filter is the message that triggered the OOM (or any newer message that arrived during the retry window).
+
+Result: turns 1..N-1 are not re-processed, turn N runs on the larger machine, and the conversation continues.
+
+```mermaid
+sequenceDiagram
+  participant User
+  participant Run as chat.agent run
+  participant SessionIn as session.in
+  participant SessionOut as session.out
+
+  User->>SessionIn: u2 (turn 2)
+  Run->>SessionIn: read u2
+  Run->>SessionOut: turn-complete (T1)
+  User->>SessionIn: u3 (turn 3)
+  Run->>SessionIn: read u3
+  Run->>SessionOut: turn-complete (T2)
+  User->>SessionIn: u4 (turn 4)
+  Run->>SessionIn: read u4
+  Note over Run: OOM mid-turn
+  Run->>Run: ⚠️ killed
+  Note over Run: Attempt 2 boots on oomMachine
+  Run->>SessionOut: scan → T_last_complete = T2
+  Run->>SessionIn: read with filter (ts > T2)
+  SessionIn-->>Run: u2 (filtered, ts < T2)
+  SessionIn-->>Run: u3 (filtered, ts < T2)
+  SessionIn-->>Run: u4 (passes — the OOM'd turn)
+  Run->>SessionOut: turn 4 complete
+```
+
+The scan on `session.out` is streaming and bounded in memory: each chunk is inspected and discarded one at a time, so a long-running chat doesn't bloat the retry-boot worker. Bandwidth scales linearly with `session.out` size, but only on the OOM-retry path — a rare event.
+
+## With `hydrateMessages`
+
+If your agent uses [`hydrateMessages`](/ai-chat/lifecycle-hooks#hydratemessages) to load the durable conversation history per turn, the OOM'd turn re-runs against the full prior accumulator: the model sees `[u1, a1, u2, a2, ..., u_N]` and responds in context. This is the recommended pattern for production chats.
+
+## Without `hydrateMessages`
+
+Recovery boot reconstructs context automatically. The boot reads both the durable `session.out` snapshot (settled turns) and the `session.out` tail past the snapshot cursor (the partial assistant chunks the OOM'd turn streamed before dying). When the new attempt processes the OOM'd user message, the model sees the full prior conversation **plus** the partial assistant that was cut off — so a "keep going" follow-up continues naturally, and any other follow-up has the same context the original turn had.
+
+`hydrateMessages` is still the right choice if you want a single source of truth in your own database (branching conversations, message-level access control, etc.). It's no longer required for OOM continuity.
+
+For full control over recovery — drop the partial, synthesize tool results for an interrupted tool call, emit a recovery banner to the UI — register [`onRecoveryBoot`](/ai-chat/patterns/recovery-boot).
+
+## Tool execute idempotency
+
+If an OOM hits mid-tool-execution, the new attempt re-runs the entire turn — including the tool call. Make tool `execute` functions idempotent or checkpoint their progress externally. Trigger doesn't roll back side effects automatically.
+
+```ts
+import { tool } from "ai";
+
+export const sendEmail = tool({
+  description: "Send an email",
+  inputSchema: z.object({ to: z.string(), idempotencyKey: z.string() }),
+  execute: async ({ to, idempotencyKey }) => {
+    // Stripe-style: dedupe at the side-effect layer with a customer-supplied key.
+    return await mailer.send({ to, idempotencyKey });
+  },
+});
+```
+
+## Limitations
+
+- **One OOM retry per run.** `chat.agent` sets `maxAttempts: 2`. If attempt 2 also OOMs, the run fails. Use a sufficiently large `oomMachine` to avoid this.
+- **Single fallback tier.** Only one `oomMachine`. There's no "tiered retry" (small → medium → large). If you need that, drop down to a [raw `task()` with chat primitives](/ai-chat/backend#raw-task-with-primitives) and configure `retry` directly.
+- **Non-OOM errors don't retry.** Schema errors, model-call rejections, tool throws, etc. fail the run as before. Out-of-memory is the only retry trigger.
+- **Tools mid-execution are not checkpointed.** A partially-run tool re-runs from scratch on the new attempt. Make them idempotent.
+
+## See also
+
+- [Recovery boot](/ai-chat/patterns/recovery-boot) — the underlying hook + smart default that gives OOM recovery its full-context behavior
+- [Lifecycle hooks](/ai-chat/lifecycle-hooks) — `onChatResume` fires on every retry attempt with `phase: "preload"` or `"turn"`
+- [Database persistence](/ai-chat/patterns/database-persistence) — the `hydrateMessages` pattern for branching, ACL, and DB-as-source-of-truth scenarios
diff --git a/docs/ai-chat/patterns/persistence-and-replay.mdx b/docs/ai-chat/patterns/persistence-and-replay.mdx
new file mode 100644
index 00000000000..4e1bdf4084e
--- /dev/null
+++ b/docs/ai-chat/patterns/persistence-and-replay.mdx
@@ -0,0 +1,205 @@
+---
+title: "Persistence and replay"
+sidebarTitle: "Persistence and replay"
+description: "How chat.agent rebuilds conversation history at run boot — durable JSON snapshot in object storage plus session.out replay, with a hydrateMessages short-circuit for backend-owned history."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+`chat.agent` runs are processes — they boot, stream a turn, and either suspend (waiting for the next message) or exit. When the next message arrives at a session whose previous run already exited, a **fresh** run boots with no in-memory state. Something has to rebuild the conversation history before that turn can produce a coherent response.
+
+This page walks through the **snapshot + replay** model the runtime uses by default, and the [`hydrateMessages`](/ai-chat/lifecycle-hooks#hydratemessages) short-circuit that turns the whole thing off when the customer owns history.
+
+## Why a snapshot at all
+
+The wire is delta-only: each `.in/append` carries at most one new `UIMessage` (see [Client Protocol](/ai-chat/client-protocol#chattaskwirepayload)). A long conversation might be 50 turns deep with megabytes of tool results — the wire never carries that. So when run #2 boots to handle turn 51, the wire alone tells it almost nothing about turns 1–50.
+
+Two existing pieces of durable state already capture everything that happened:
+
+- **`session.in`** — every user message and tool-approval response ever sent.
+- **`session.out`** — every assistant token, tool call, and tool result the agent emitted, ordered.
+
+Replaying `session.out` from the beginning is correct but expensive — bandwidth scales with chat length, and parsing N megabytes of streamed chunks at every boot adds latency. So the runtime writes a **snapshot** after every turn and reads it on the next boot. Replay only covers the gap between the snapshot's cursor and now.
+
+## The model end-to-end
+
+```mermaid
+sequenceDiagram
+  participant User
+  participant Run1 as Run 1 (turn 1)
+  participant Snapshot as Object storage
+  participant SessionOut as session.out
+  participant Run2 as Run 2 (turn 2+)
+
+  User->>Run1: u1
+  Run1->>SessionOut: assistant chunks for a1
+  Run1->>Run1: onTurnComplete
+  Run1->>Snapshot: write { messages: [u1, a1], lastOutEventId, lastOutTimestamp }
+  Note over Run1: idle suspend (or exit)
+
+  User->>Run2: u2 (delta only)
+  Run2->>Snapshot: read snapshot
+  Run2->>SessionOut: subscribe(lastEventId, wait=0)
+  SessionOut-->>Run2: (empty — nothing since snapshot)
+  Note over Run2: accumulator = [u1, a1]
+  Run2->>Run2: append u2 from wire
+  Run2->>SessionOut: assistant chunks for a2
+  Run2->>Run2: onTurnComplete
+  Run2->>Snapshot: write { messages: [u1, a1, u2, a2], ... }
+```
+
+### Run 1 — first turn
+
+The accumulator starts empty. The wire delivers `u1`. After the model finishes, `onTurnComplete` fires, then the runtime serializes the full accumulator and writes:
+
+```json
+{
+  "version": 1,
+  "savedAt": 1715180400000,
+  "messages": [u1, a1],
+  "lastOutEventId": "42",
+  "lastOutTimestamp": 1715180399000
+}
+```
+
+The key is `packets/{projectRef}/{envSlug}/sessions/{sessionId}/snapshot.json` — overwritten every turn, never appended. The write is **awaited**, not fire-and-forget — if the run idle-suspends immediately after, in-flight promises don't reliably complete and the snapshot would be lost.
+
+### Run 2 — boot
+
+A new run boots when the user sends `u2`. Run 1 has long since exited. Run 2 has no in-memory state. The boot sequence:
+
+<Steps>
+  <Step title="Read the snapshot">
+    GET the JSON blob. On 404 (no snapshot yet — first-ever turn) or read error or version mismatch, treat as empty and continue. Snapshot misses are non-fatal — replay alone may still be sufficient.
+  </Step>
+  <Step title="Replay session.out tail">
+    Subscribe to `session.out` with `wait=0` starting from `snapshot.lastOutEventId`. Drain whatever's there and close. Returns:
+    - **Settled messages** — closed assistant turns past the snapshot cursor (the chunks of a turn that completed after the snapshot was written but before the run exited cleanly).
+    - **A partial assistant** — the trailing message if its stream never received a `finish` chunk. The dead run was mid-response when it died. `cleanupAbortedParts` has already stripped streaming-in-progress fragments.
+
+    In the steady state this returns empty. In recovery, it returns whatever the dead run was in the middle of.
+  </Step>
+  <Step title="Replay session.in tail">
+    GET `session.in` records past the last `turn-complete`'s `session-in-event-id` cursor. Returns the user messages the dead run hadn't acknowledged — typically the message that triggered the cancelled / crashed turn, plus anything the customer typed after.
+  </Step>
+  <Step title="Reconstruct the chain (smart default)">
+    Snapshot messages merge with the settled replay (replay wins on `id` collision). Then:
+
+    - If there's a partial assistant **and** at least one in-flight user message, splice `[firstInFlightUser, partialAssistant]` onto the end of the chain. The model sees the prior turn's incomplete attempt and can continue, abandon, or pivot based on the next user message.
+    - Remaining in-flight users dispatch as fresh turns after the recovered first one.
+    - If there's no partial OR no in-flight users, the chain is just the settled chain and any in-flight users dispatch normally.
+
+    Customers can override this entirely via [`onRecoveryBoot`](/ai-chat/patterns/recovery-boot).
+  </Step>
+  <Step title="Append the new wire message">
+    Append `u2` from the wire payload, exactly as on turn 1.
+  </Step>
+</Steps>
+
+The model now sees `[u1, a1, u2]` and produces `a2`. After `onTurnComplete`, the runtime overwrites the snapshot with `[u1, a1, u2, a2]` and the cycle repeats.
+
+### Crash mid-turn — replay carries the load
+
+Suppose Run 1's turn 1 streams partial assistant chunks to `session.out` and then crashes (OOM, exception, server-side cancel) before `onTurnComplete` fires. No snapshot was written. The next run boots and:
+
+1. Snapshot read returns 404 → empty.
+2. `session.out` tail replay picks up the partial assistant chunks emitted before the crash. `cleanupAbortedParts` strips streaming-in-progress fragments but keeps the cleaned trailing message as the `partialAssistant`.
+3. `session.in` tail replay finds the user message the dead run was answering (no `turn-complete` was written, so the cursor never advanced past it).
+4. Smart default splices `[firstInFlightUser, partialAssistant]` onto the chain. Any later user messages (including the customer's follow-up) dispatch as fresh turns.
+5. The model sees full prior context and responds in kind — continuing a cut-off essay on "keep going", answering a fresh question on "actually, what's 7+8?", abandoning the prior work on "scrap that, do X instead".
+
+Replay carries the conversation across the crash boundary with zero customer code. For policies different from "preserve context" — drop the partial entirely, synthesize tool results for an interrupted tool call, write a recovery banner to the UI — register [`onRecoveryBoot`](/ai-chat/patterns/recovery-boot).
+
+## OOM-retry interaction
+
+The runtime already had an OOM-retry path that scans `session.out` for the latest `trigger:turn-complete` timestamp to use as a cutoff for `session.in` (so the retry doesn't re-process completed turns — see [OOM resilience](/ai-chat/patterns/oom-resilience)). The snapshot includes a `lastOutTimestamp` field that is exactly that high-water mark.
+
+When a snapshot exists, the OOM-retry path reads `lastOutTimestamp` directly instead of scanning `session.out`. One fewer stream subscription per retry. Free win.
+
+If no snapshot exists (first turn, or `hydrateMessages` registered), the path falls back to the scan.
+
+## Action turns — no snapshot write
+
+[Action turns](/ai-chat/actions) (`trigger: "action"`) don't fire `onTurnComplete` — they fire `onAction` only. The snapshot write site is gated on `onTurnComplete`, so action turns don't snapshot.
+
+If `onAction` mutates `chat.history.*` and then the run crashes before the next regular turn, the mutation is lost. The user re-fires the action. This matches `chat.history` semantics in general — mutations are persisted at turn boundaries, not action boundaries.
+
+## The `hydrateMessages` short-circuit
+
+When the customer registers a [`hydrateMessages`](/ai-chat/lifecycle-hooks#hydratemessages) hook, the runtime trusts the hook to be the source of truth for history. Snapshot read and replay are **skipped entirely** at boot. The hook fires per turn, returns the canonical chain from the customer's database, and the accumulator is set to whatever the hook returned.
+
+```ts
+import { chat, upsertIncomingMessage } from "@trigger.dev/sdk/ai";
+import { db } from "@/lib/db";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  hydrateMessages: async ({ chatId, trigger, incomingMessages }) => {
+    const stored = (await db.chat.findUnique({ where: { id: chatId } }))?.messages ?? [];
+
+    // See lifecycle-hooks for the full upsert pattern + rationale:
+    // /ai-chat/lifecycle-hooks#hydratemessages
+    if (upsertIncomingMessage(stored, { trigger, incomingMessages })) {
+      await db.chat.update({ where: { id: chatId }, data: { messages: stored } });
+    }
+
+    return stored;
+  },
+  onTurnComplete: async ({ chatId, uiMessages }) => {
+    await db.chat.update({ where: { id: chatId }, data: { messages: uiMessages } });
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+What you gain:
+
+- **Zero object-store traffic per turn.** No snapshot read, no snapshot write, no replay subscription. `OBJECT_STORE_*` env vars don't have to be set.
+- **Branching, undo, edit, abuse prevention** — patterns that need a backend-side single source of truth work naturally because the customer mediates every read.
+
+What you give up:
+
+- **You own persistence end-to-end.** A bug in `hydrateMessages` that returns the wrong chain corrupts the conversation visible to the model.
+- **OOM-retry needs a `session.out` scan again** because there's no snapshot to short-circuit it. (Same as the pre-snapshot baseline — not a regression, just a missed optimization.)
+
+The runtime's snapshot+replay is the safer default. `hydrateMessages` is the right choice when you already have authoritative storage for messages and want one consistent persistence path.
+
+## When neither is configured
+
+If `hydrateMessages` is not registered **and** no object store is configured, conversations don't survive run boundaries. A continuation boots empty. The runtime logs a warning at agent registration time so you see this at deploy time, not at user-traffic time.
+
+For local development this is sometimes fine — you're not testing continuations. For production it isn't. Configure one of:
+
+- **Object store** (`OBJECT_STORE_*` env vars on your webapp) — easiest, default behavior.
+- **`hydrateMessages` + your own database** — stronger control, suits multi-tenant apps with audit needs.
+
+## Snapshot key & lifecycle
+
+| Field | Value |
+|---|---|
+| Bucket | Whatever `OBJECT_STORE_BASE_URL` points to |
+| Key prefix | `packets/{projectRef}/{envSlug}/` (server-prefixed) |
+| Key suffix | `sessions/{sessionId}/snapshot.json` |
+| Final key | `packets/{projectRef}/{envSlug}/sessions/{sessionId}/snapshot.json` |
+| Size | Tens of KB typical, capped only by object-store limits |
+| Cadence | Overwritten after every successful `onTurnComplete` |
+
+Snapshots accumulate per-session forever unless you set a lifecycle policy on the bucket. A 90-day expiry on `packets/*/sessions/*/snapshot.json` is a reasonable default if your chats don't typically resume after that window. Closed sessions are not auto-cleaned today.
+
+### MinIO and S3-compatible stores
+
+Snapshot read/write reuses the same object-store layer as Trigger.dev's existing large-payload routes. Anything that already works for large payloads — AWS S3, MinIO (self-host or local development), Cloudflare R2, Tigris, Backblaze B2 — works for snapshots too. `OBJECT_STORE_DEFAULT_PROTOCOL` controls the routing (`s3`, `minio`, etc.) and the SDK picks the right driver automatically. No snapshot-specific config.
+
+For local development against `pnpm run docker`, the bundled MinIO container is enough — set `OBJECT_STORE_DEFAULT_PROTOCOL=minio` and the standard MinIO env vars on the webapp, and continuations work end-to-end against a local stack.
+
+## See also
+
+- [Client Protocol](/ai-chat/client-protocol#how-history-is-rebuilt) — the wire-level view of the same model
+- [`hydrateMessages`](/ai-chat/lifecycle-hooks#hydratemessages) — the short-circuit hook
+- [OOM resilience](/ai-chat/patterns/oom-resilience) — how `session.in` cutoffs interact with snapshots
+- [Database persistence](/ai-chat/patterns/database-persistence) — the canonical persistence pattern using `onTurnComplete`
+- [v4.5 upgrade guide](/ai-chat/upgrade-guide#v45-wire-format-change) — when this model landed and what changed
diff --git a/docs/ai-chat/patterns/recovery-boot.mdx b/docs/ai-chat/patterns/recovery-boot.mdx
new file mode 100644
index 00000000000..a2b11efeb14
--- /dev/null
+++ b/docs/ai-chat/patterns/recovery-boot.mdx
@@ -0,0 +1,230 @@
+---
+title: "Recovery boot"
+sidebarTitle: "Recovery boot"
+description: "Recover from cancel-mid-stream, crashes, and OOM kills with full conversational context. The smart default Just Works; the onRecoveryBoot hook is the override path for advanced policies."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+When a `chat.agent` run dies in the middle of streaming a response — the user cancels, the worker OOMs, or an unhandled exception kills the process — the durable streams hold what was in flight. The next run boots as a continuation, reads both stream tails, and reconstructs a chain that preserves the partial response so any follow-up (`keep going`, `actually do X instead`, a new question) has full context.
+
+The behavior is automatic. The `onRecoveryBoot` hook is opt-in for policies that need something different.
+
+## The scenario
+
+```ts
+// Turn 1 is mid-essay when the user clicks Cancel.
+window.__chat.send("Write me a long essay about espresso");
+// ... assistant has written 3000 characters ...
+window.__chat.stop();                              // OR: server-side cancel_run
+
+// User decides what they want next.
+window.__chat.send("keep going");                  // OR: "what's 7+8?", or anything
+```
+
+The cancelled run never wrote `onTurnComplete`. The snapshot is stale or absent. `session.out` has a half-written assistant message. `session.in` has the original user message (the run consumed it but never marked the turn complete) plus the new follow-up.
+
+A naive continuation would either re-run the cancelled essay (the user already chose to stop) or drop everything (no context for the follow-up). Recovery boot handles this without either failure mode.
+
+## The smart default
+
+On a continuation boot, the runtime reads:
+
+- **Snapshot** — settled turns persisted by the last successful `onTurnComplete`.
+- **`session.out` tail past the snapshot cursor** — closed assistant turns plus, optionally, a `partialAssistant` (the trailing message whose stream never received a `finish` chunk). `cleanupAbortedParts` has already stripped streaming-in-progress fragments.
+- **`session.in` tail past the last `turn-complete` cursor** — user messages the dead run hadn't acknowledged.
+
+If both `partialAssistant` and `inFlightUsers` are non-empty, the runtime splices `[firstInFlightUser, partialAssistant]` onto the chain. The remaining in-flight users dispatch as fresh turns. The model sees:
+
+```
+[ ...settledMessages,  // chain through the last completed turn
+  firstInFlightUser,   // the question the dead run was answering
+  partialAssistant,    // the dead run's incomplete response
+  followUpUser ]       // the new turn the customer just sent
+```
+
+Modern instruction-following models prioritize the latest user message. The follow-up determines the response:
+
+| Follow-up | Model behavior |
+|---|---|
+| "keep going" / "continue" / "more" | Continues the partial essay from where it stopped. |
+| "actually, what's 7+8?" | Answers the new question. Prior context doesn't derail it. |
+| "scrap that, do something else" | Abandons the partial work and follows the new direction. |
+
+No customer code needed for any of these.
+
+## When to register `onRecoveryBoot`
+
+The hook fires when recovery state is non-empty (either `partialAssistant` is defined or there's at least one in-flight user). Register it when you need a policy different from "preserve context":
+
+- **Drop the partial entirely.** Your UX means "cancel discards the work — start fresh from the follow-up."
+- **Synthesize tool results.** The partial has tool calls in `input-available` state (HITL was mid-call when the run died). Return a chain that has fabricated `output-available` results so the model can continue.
+- **Emit a recovery banner.** Write a `data-chat-recovery` UIMessage chunk via `ctx.writer` so the frontend can render "Recovering interrupted response..." before the model speaks.
+- **Persist recovered state.** Use `beforeBoot` to flush the partial to your own database before the next turn starts.
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  onRecoveryBoot: async ({ partialAssistant, inFlightUsers, writer, cause, previousRunId }) => {
+    writer.write({
+      type: "data-chat-recovery",
+      data: { cause, previousRunId, partialPresent: partialAssistant !== undefined },
+      transient: true,
+    });
+    // Return nothing → fall through to smart default.
+  },
+  run: async ({ messages, signal }) =>
+    streamText({ model, messages, abortSignal: signal }),
+});
+```
+
+## Hook reference
+
+### Fires when
+
+The hook fires once on a continuation boot, AFTER both stream tails have been read, AND only when there's a partial assistant — the mid-stream-died signal:
+
+```ts
+const shouldFire = partialAssistant !== undefined;
+```
+
+In-flight users alone don't fire the hook. Graceful exits like `chat.requestUpgrade()` and `chat.endRun()` may leave an unacknowledged user on `session.in` (the message that triggered the upgrade, the next message after endRun), but no partial — that's a normal continuation, not recovery. The next message just dispatches as turn 1 on the new run via the normal session.in pump.
+
+Skipped scenarios (where the hook does NOT fire):
+
+- A clean continuation after `chat.endRun()` with no buffered follow-up.
+- A fresh chat (no continuation, attempt 1).
+- An OOM retry that booted onto a complete snapshot (no partial on the tail).
+- `chat.requestUpgrade()` graceful exit — predecessor ended cleanly before processing, no partial.
+- An agent with [`hydrateMessages`](/ai-chat/lifecycle-hooks#hydratemessages) registered. Customers using `hydrateMessages` own persistence — recovery decisions live in their own DB query.
+
+### Event shape
+
+```ts
+type RecoveryBootEvent<TUIM extends UIMessage = UIMessage> = {
+  ctx: TaskRunContext;
+  chatId: string;
+  runId: string;
+  previousRunId: string;
+  cause: "cancelled" | "crashed" | "unknown";
+  settledMessages: TUIM[];
+  inFlightUsers: TUIM[];
+  partialAssistant: TUIM | undefined;
+  pendingToolCalls: Array<{
+    toolCallId: string;
+    toolName: string;
+    input: unknown;
+    partIndex: number;
+  }>;
+  writer: ChatWriter;
+};
+```
+
+<Note>
+  `cause` is currently always `"unknown"` — the run engine doesn't yet plumb the
+  real reason into the continuation payload. The enum is forward-looking; don't
+  branch behavior on it for now.
+</Note>
+
+### Return shape
+
+Every field is optional. Returning `undefined` (or nothing) accepts the smart default for every field.
+
+```ts
+type RecoveryBootResult<TUIM extends UIMessage = UIMessage> = {
+  chain?: TUIM[];
+  recoveredTurns?: TUIM[];
+  beforeBoot?: () => Promise<void>;
+};
+```
+
+- **`chain`** — replaces the seed chain. Defaults to `[...settledMessages, firstInFlightUser, partialAssistant]` when both partial and in-flight users exist, otherwise `settledMessages` alone.
+- **`recoveredTurns`** — user messages to dispatch as fresh turns after the chain is restored. Defaults to `inFlightUsers.slice(1)` when the smart default consumed the first user, otherwise `inFlightUsers`.
+- **`beforeBoot`** — runs after the writer flushes and before the first recovered turn fires. Use for blocking persistence (write the partial to your DB so a later turn can reference it). Errors bubble — wrap your own try/catch if you want to soft-fail.
+
+## Examples
+
+### Drop the partial — strict "cancel means discard"
+
+The customer's UX treats cancel as "throw the work away":
+
+```ts
+onRecoveryBoot: async ({ inFlightUsers, partialAssistant }) => {
+  if (!partialAssistant) return;          // No partial → nothing to drop
+  return {
+    chain: undefined,                      // Use settledMessages, don't splice partial
+    recoveredTurns: inFlightUsers.slice(1) // Still skip the first user (the dead run was answering it)
+  };
+}
+```
+
+### Synthesize tool results for a mid-call interruption
+
+The dead run was processing a tool call when it died. The partial has tool parts in `input-available` state with no `output-available`. Synthesize a result so the model can keep going:
+
+```ts
+onRecoveryBoot: async ({ partialAssistant, pendingToolCalls, settledMessages, inFlightUsers }) => {
+  if (pendingToolCalls.length === 0) return;
+
+  // Rebuild the partial with synthetic outputs for any input-available tool call.
+  const repaired = {
+    ...partialAssistant!,
+    parts: partialAssistant!.parts!.map((part, i) => {
+      const pending = pendingToolCalls.find(p => p.partIndex === i);
+      if (!pending) return part;
+      return {
+        ...part,
+        state: "output-available" as const,
+        output: { interrupted: true, reason: "previous run was cancelled" },
+      };
+    }),
+  };
+
+  return {
+    chain: [...settledMessages, inFlightUsers[0]!, repaired],
+    recoveredTurns: inFlightUsers.slice(1),
+  };
+}
+```
+
+### Persist the partial before the next turn fires
+
+```ts
+onRecoveryBoot: async ({ chatId, partialAssistant }) => {
+  return {
+    beforeBoot: async () => {
+      if (partialAssistant) {
+        await db.partial.create({
+          data: { chatId, partialJson: JSON.stringify(partialAssistant) },
+        });
+      }
+    },
+  };
+}
+```
+
+## Interaction with other features
+
+### `hydrateMessages`
+
+If your agent registers [`hydrateMessages`](/ai-chat/lifecycle-hooks#hydratemessages), the runtime skips snapshot read, `session.out` replay, `session.in` replay, AND `onRecoveryBoot`. Your DB is the source of truth — recovery decisions live in your own query. To detect a cancel-recovery scenario yourself, persist a `runState: "in-progress"` flag in `onTurnStart` and check for it in `hydrateMessages`.
+
+### `chat.requestUpgrade()`
+
+[`chat.requestUpgrade()`](/ai-chat/patterns/version-upgrades) is a graceful exit — the old run doesn't crash, it returns cleanly. The new continuation run boots with a clean `session.out` tail (`partialAssistant` is undefined) and the upgrade-trigger message on `session.in` (one in-flight user). The smart default doesn't splice (it requires both partial AND in-flight users), so the chain is just `settledMessages` and the in-flight user dispatches as a fresh turn. `onRecoveryBoot` still fires (there's an in-flight user) — use it to emit an "upgraded" signal to the UI if you want.
+
+### Hooks throwing
+
+If the body of `onRecoveryBoot` throws (or rejects), the runtime logs a warning and falls back to the smart default — the run does not fail. Wrap your own try/catch if you want stricter handling.
+
+`beforeBoot` is the exception: it's the contract you opted into for blocking persistence, so errors thrown there **bubble** and fail the run rather than dispatch recovered turns against half-persisted state. Wrap it yourself if you want to soft-fail.
+
+## See also
+
+- [OOM resilience](/ai-chat/patterns/oom-resilience) — `oomMachine` opt-in for automatic memory-driven recovery; uses the same recovery boot path.
+- [Persistence and replay](/ai-chat/patterns/persistence-and-replay) — the snapshot + dual-tail replay model that recovery boot sits on top of.
+- [Lifecycle hooks](/ai-chat/lifecycle-hooks) — where `onRecoveryBoot` sits in the broader hook taxonomy.
diff --git a/docs/ai-chat/patterns/skills.mdx b/docs/ai-chat/patterns/skills.mdx
new file mode 100644
index 00000000000..4589a0daf7e
--- /dev/null
+++ b/docs/ai-chat/patterns/skills.mdx
@@ -0,0 +1,221 @@
+---
+title: "Agent Skills"
+sidebarTitle: "Agent Skills"
+description: "Ship reusable capabilities (folders with SKILL.md + scripts) that a chat agent discovers and invokes on demand."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+Agent skills are reusable capabilities you ship as folders — a `SKILL.md` describing when and how to use them, plus optional scripts, references, and assets. The chat agent sees a short description of each skill in its system prompt, loads the full instructions on demand via a `loadSkill` tool, and invokes the bundled scripts via `bash` — all without you wiring anything up manually.
+
+Built on the [AI SDK cookbook pattern](https://ai-sdk.dev/cookbook/guides/agent-skills). Works with any provider (OpenAI, Anthropic, Gemini, etc.) — not tied to Anthropic's server-side skills.
+
+## Why skills?
+
+Compared to regular AI SDK tools:
+
+- **Tools** are typed functions you pre-declare. Great when you know up-front exactly what capability the agent needs.
+- **Skills** are folders the model discovers and reads on demand. Great when the capability is a bundle of instructions + helper scripts that would be awkward to encode as a single tool.
+
+PDFs are the canonical example: you don't want to ask the LLM to parse PDF bytes inline. You want it to `bash scripts/extract.py report.pdf` using a bundled `pdfplumber` wrapper. A skill ships the script, the instructions, and any reference notes together.
+
+Dashboard-editable `SKILL.md` is on the roadmap so a platform team can tighten a skill's description or "when to use" text without a redeploy. Today, skills are SDK-only — defined in your task code and shipped with each deploy.
+
+## Trust model
+
+Skills are **developer-authored code**, not end-user-supplied. The same developer who writes the `chat.agent()` writes the skill bundle. The trust boundary is identical to any `tool.execute` handler the developer writes — scripts run directly in the Trigger.dev worker container, no sandboxing required.
+
+This makes skills different from the Claude Code / end-user model where arbitrary user-provided skills need isolation. Don't accept skill paths from untrusted input.
+
+## Skill folder layout
+
+A skill is a directory under your project (conventionally `trigger/skills/{id}/`):
+
+```
+trigger/skills/time-utils/
+├── SKILL.md              # Required — frontmatter + instructions
+├── scripts/
+│   ├── now.sh
+│   └── add.sh
+├── references/
+│   └── timezones.txt
+└── assets/               # Optional — templates, data files, etc.
+```
+
+### SKILL.md
+
+Frontmatter is YAML-subset — only `name` and `description` are required:
+
+```md
+---
+name: time-utils
+description: Compute and format dates/times in arbitrary timezones. Use when the user asks "what time is it", timezone conversions, or date math.
+---
+
+# Time utilities
+
+## When to use
+
+- The user asks for the current time in a timezone
+- The user wants date math ("3 days from now")
+
+## Scripts
+
+### `scripts/now.sh [TZ]`
+Prints the current time in the given IANA timezone (default `UTC`).
+
+### `scripts/add.sh DAYS [TZ]`
+Prints a date `DAYS` days from now.
+
+## Tips
+- IANA timezone names only (`America/New_York`, not `EST`).
+- See `references/timezones.txt` for a cheat-sheet.
+```
+
+The **description** is what the model sees in its system prompt — write it like you're explaining to the agent when to reach for the skill.
+
+The **body** is loaded on demand via the `loadSkill` tool when the agent decides to use the skill. Write it like documentation for the agent.
+
+## Defining and using a skill
+
+```ts trigger/chat.ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { skills } from "@trigger.dev/sdk";
+import { streamText, stepCountIs } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+
+const timeUtilsSkill = skills.define({
+  id: "time-utils",
+  path: "./skills/time-utils",
+});
+
+export const agent = chat.agent({
+  id: "docs-chat",
+  onChatStart: async () => {
+    chat.skills.set([await timeUtilsSkill.local()]);
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      abortSignal: signal,
+      ...chat.toStreamTextOptions(),
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+`skills.define({ id, path })` does two things:
+
+1. Registers the skill with the Trigger.dev build system so the CLI **automatically bundles the folder** into your deploy image at `/app/.trigger/skills/{id}/`. No `trigger.config.ts` changes, no build extension — it just works.
+2. Returns a `SkillHandle` you use at runtime.
+
+`skill.local()` reads the bundled `SKILL.md` from disk and returns a `ResolvedSkill` with the parsed frontmatter + body + on-disk path.
+
+`chat.skills.set([...])` stores the resolved skills for the current run. `chat.toStreamTextOptions()` spreads them into `streamText` automatically:
+
+- The frontmatter `description` lands in the system prompt under "Available skills:".
+- Three tools are added: `loadSkill`, `readFile`, `bash` — scoped per skill.
+
+## What gets auto-injected
+
+When you spread `chat.toStreamTextOptions()` with skills set, the AI SDK call receives three tools:
+
+### `loadSkill({ name })`
+
+Returns the full `SKILL.md` body for the named skill. The model calls this first when it decides a skill is relevant, to load the full instructions.
+
+### `readFile({ skill, path })`
+
+Reads a file inside the skill's bundled folder. Paths are relative to the skill's root and are rejected if they attempt to escape via `..` or absolute paths. Output is capped at 1 MB per call.
+
+Use for reference files and templates that the model should read literally:
+
+```
+readFile({ skill: "time-utils", path: "references/timezones.txt" })
+```
+
+### `bash({ skill, command })`
+
+Runs a bash command with `cwd` set to the skill's root. Stdout and stderr are captured and returned (each capped at 64 KB per call, with tail truncation). The turn's abort signal propagates — cancelling the run kills the child process.
+
+Use to invoke the skill's bundled scripts:
+
+```
+bash({ skill: "time-utils", command: "bash scripts/now.sh America/Los_Angeles" })
+```
+
+Script runtime expectations are yours to manage. If your skill uses `extract.py`, your deploy image needs Python — add it via your build config the same way you would for any other task dependency.
+
+## How discovery works in the model
+
+The model sees a short preamble appended to your system prompt:
+
+```
+Available skills (call `loadSkill` to read the full instructions before using one):
+- time-utils: Compute and format dates/times in arbitrary timezones...
+- pdf-processing: Extract text from PDFs, fill forms...
+```
+
+When the user asks something that matches a description, the model calls `loadSkill({ name: "time-utils" })` to load the body, then follows the body's instructions — typically by calling `bash` or `readFile` on the bundled scripts.
+
+This is **progressive disclosure**: each skill costs ~100 tokens up front (its one-line description), and only the ones the model actually uses pay the full context cost.
+
+## Mixing skills with custom tools
+
+If you also define your own AI SDK tools, pass them through `chat.toStreamTextOptions()` so the merge is explicit:
+
+```ts
+return streamText({
+  model: anthropic("claude-sonnet-4-5"),
+  messages,
+  abortSignal: signal,
+  ...chat.toStreamTextOptions({
+    tools: {
+      webFetch,       // your tool
+      deepResearch,   // your tool
+    },
+  }),
+  stopWhen: stepCountIs(15),
+});
+```
+
+Your tools win on name conflicts. (Pick names that don't collide with `loadSkill` / `readFile` / `bash` to keep things predictable.)
+
+Also declare those same tools on the agent's [`tools`](/ai-chat/tools) config. `toStreamTextOptions` merges them with the skill tools for the model call, while the config option threads them into history re-conversion so any `toModelOutput` survives across turns. The auto-injected skill tools (`loadSkill` / `readFile` / `bash`) don't define `toModelOutput`, so they don't need to be on the config.
+
+## Bundling
+
+Bundling is **built-in to the CLI** — there's no extension to import. When you run `trigger deploy` or `trigger dev`:
+
+1. esbuild bundles your task code as usual.
+2. The CLI forks the indexer locally against the bundled output, collects every `skills.define({ path })` registration.
+3. Each skill's folder is copied to `{outputPath}/.trigger/skills/{id}/` via a recursive copy.
+4. The existing Dockerfile `COPY` picks up `.trigger/skills/` along with the rest of the bundle — no Dockerfile changes.
+
+If you're running `trigger dev`, the same layout appears in the local dev output directory, so `skill.local()` works the same way.
+
+## Path scoping rules
+
+- `skill.path` always resolves to `${process.cwd()}/.trigger/skills/{id}/` at runtime. Don't hardcode paths elsewhere.
+- `readFile` rejects `..` segments and absolute paths — the tool only exposes files inside the skill's own directory.
+- `bash` runs with `cwd` set to the skill's root. Inside the script, relative paths resolve against the skill directory.
+- Cross-skill access isn't provided — each skill is isolated by design. If two skills need to share data, either duplicate the shared file or consolidate the skills.
+
+## Current limitations
+
+- `skill.resolve()` (backend-managed overrides) is not available yet — use `.local()` for now. Dashboard-editable `SKILL.md` is on the roadmap.
+- No per-skill metrics in the dashboard yet.
+- No Anthropic `/v1/skills` integration — use the portable path today; we're tracking the Anthropic optimization separately.
+
+## Full example
+
+See [`projects/ai-chat/src/trigger/skills/time-utils/`](https://github.com/triggerdotdev/references/tree/main/projects/ai-chat/src/trigger/skills/time-utils) in the [references repo](https://github.com/triggerdotdev/references) for a working skill that bundles two bash scripts and a reference cheat-sheet, wired into a `chat.agent` that answers timezone questions.
+
+## Related
+
+- [AI SDK cookbook — Agent Skills](https://ai-sdk.dev/cookbook/guides/agent-skills) — the userland pattern we build on
+- [Anthropic Agent Skills](https://platform.claude.com/docs/en/agents-and-tools/agent-skills/overview) — Anthropic's codified version (server-side, optional future integration)
diff --git a/docs/ai-chat/patterns/sub-agents.mdx b/docs/ai-chat/patterns/sub-agents.mdx
new file mode 100644
index 00000000000..84a52b9479b
--- /dev/null
+++ b/docs/ai-chat/patterns/sub-agents.mdx
@@ -0,0 +1,383 @@
+---
+title: "Sub-Agents"
+sidebarTitle: "Sub-Agents"
+description: "Delegate work to durable sub-agents from within a parent agent's tool calls, with streaming preliminary results."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+Sub-agents let a parent agent delegate work to other agents running as durable Trigger.dev tasks. The sub-agent's response streams back through the parent as preliminary tool results, so the frontend sees the sub-agent working inside the parent's tool call card.
+
+This builds on the AI SDK's [async generator tool pattern](https://ai-sdk.dev/docs/agents/subagents) and Trigger.dev's [AgentChat](/ai-chat/server-chat) for server-side agent interaction.
+
+## How it works
+
+1. The parent LLM calls a tool (e.g., `researchAgent`)
+2. The tool's `execute` is an `async function*` (async generator)
+3. Inside, it creates an `AgentChat` and sends a message to the sub-agent
+4. `yield* stream.messages()` streams each accumulated `UIMessage` snapshot as a preliminary tool result
+5. The frontend renders the sub-agent's response building up inside the parent's tool card
+6. `toModelOutput` compresses the full output into a summary for the parent LLM
+
+```
+Parent LLM
+  │
+  ├─ calls researchAgent tool
+  │    │
+  │    ├─ AgentChat triggers sub-agent run
+  │    ├─ sub-agent streams response (text, tool calls, etc.)
+  │    ├─ yield* sends UIMessage snapshots as preliminary results
+  │    └─ toModelOutput compresses for parent LLM
+  │
+  └─ parent LLM reads compressed summary, continues reasoning
+```
+
+## Single-turn sub-agent
+
+The simplest pattern: one tool call, one sub-agent turn, conversation closes.
+
+```ts
+import { tool, stepCountIs } from "ai";
+import { AgentChat } from "@trigger.dev/sdk/chat";
+import { z } from "zod";
+import type { prReviewAgent } from "./trigger/pr-review";
+
+const prReviewTool = tool({
+  description: "Delegate a PR review to the PR review agent.",
+  inputSchema: z.object({
+    prNumber: z.number().describe("The PR number to review"),
+    repo: z.string().describe("The GitHub repo URL"),
+  }),
+  execute: async function* ({ prNumber, repo }, { abortSignal }) {
+    const chat = new AgentChat<typeof prReviewAgent>({
+      agent: "pr-review",
+      id: `review-${prNumber}`,
+      clientData: { userId: "parent-agent", githubUrl: repo },
+    });
+
+    const stream = await chat.sendMessage(`Review PR #${prNumber}`, { abortSignal });
+
+    // Each yield sends a UIMessage snapshot to the frontend
+    yield* stream.messages();
+
+    await chat.close();
+  },
+  // The parent LLM only sees this compressed summary
+  toModelOutput: ({ output: message }) => {
+    const lastText = message?.parts?.findLast(
+      (p: { type: string }) => p.type === "text"
+    ) as { text?: string } | undefined;
+    return { type: "text", value: lastText?.text ?? "Review complete." };
+  },
+});
+```
+
+Use this tool in a parent agent's `streamText` call:
+
+```ts
+import { streamText } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+
+const result = streamText({
+  model: anthropic("claude-sonnet-4-6"),
+  tools: { prReview: prReviewTool },
+  prompt: "Review PR #42 on triggerdotdev/trigger.dev",
+  stopWhen: stepCountIs(15),
+});
+```
+
+## Multi-turn sub-agent (LLM-driven)
+
+The parent LLM drives a persistent conversation with a sub-agent across multiple tool calls. Each call with the same `conversationId` hits the same durable agent run.
+
+```ts
+import { tool } from "ai";
+import { AgentChat } from "@trigger.dev/sdk/chat";
+import { z } from "zod";
+
+// Track active sub-agent conversations
+const subAgents = new Map<string, AgentChat>();
+
+const researchTool = tool({
+  description:
+    "Talk to a research agent. Use the same conversationId to continue " +
+    "an existing conversation — the agent remembers full context.",
+  inputSchema: z.object({
+    conversationId: z
+      .string()
+      .describe("Unique ID for this research thread. Reuse to continue."),
+    message: z.string().describe("Your message to the research agent"),
+  }),
+  execute: async function* ({ conversationId, message }, { abortSignal }) {
+    let agent = subAgents.get(conversationId);
+    if (!agent) {
+      agent = new AgentChat({
+        agent: "research-agent",
+        id: conversationId,
+      });
+      subAgents.set(conversationId, agent);
+    }
+
+    const stream = await agent.sendMessage(message, { abortSignal });
+    yield* stream.messages();
+  },
+  toModelOutput: ({ output: message }) => {
+    const lastText = message?.parts?.findLast(
+      (p: { type: string }) => p.type === "text"
+    ) as { text?: string } | undefined;
+    return { type: "text", value: lastText?.text ?? "Done." };
+  },
+});
+```
+
+The parent LLM naturally calls this tool multiple times:
+
+1. `researchAgent({ conversationId: "competitors", message: "Research competitors in AI agents" })` — first call triggers a new sub-agent run
+2. `researchAgent({ conversationId: "competitors", message: "Go deeper on pricing" })` — same run, sub-agent has full context
+3. `researchAgent({ conversationId: "new-topic", message: "..." })` — different ID = different sub-agent
+
+### Cross-turn persistence
+
+Sub-agent conversations persist across **parent turns** because the `Map` lives in the parent's process heap. When the parent suspends and restores via snapshot, the heap is preserved — the Map still has the conversations, the sessions still have the run IDs.
+
+```ts
+export const orchestrator = chat
+  .withClientData({ schema: z.object({ userId: z.string() }) })
+  .customAgent({
+    id: "orchestrator",
+    run: async (payload, { signal: runSignal }) => {
+      // These survive across parent turns via snapshot/restore
+      const subAgents = new Map<string, AgentChat>();
+
+      const researchTool = tool({
+        // ... closes over subAgents Map
+      });
+
+      // Turn loop — subAgents persist across all turns
+      for (let turn = 0; turn < 50; turn++) {
+        // ... streamText with researchTool
+      }
+
+      // Cleanup when parent exits
+      await Promise.all(
+        Array.from(subAgents.values()).map((a) => a.close().catch(() => {}))
+      );
+    },
+  });
+```
+
+## How sub-agents clean up
+
+Sub-agents clean up through three mechanisms:
+
+1. **Explicit close**: Call `chat.close()` or `agent.close()` when done
+2. **Idle timeout**: The sub-agent's idle timeout expires, it suspends
+3. **Suspend timeout**: The sub-agent's suspend timeout expires, the run ends
+
+For the multi-turn pattern, the parent should clean up sub-agents when it exits (in `onComplete` for managed agents, or at the end of the loop for custom agents). Without explicit cleanup, sub-agents close on their own via timeouts — no leaked resources or cost while suspended.
+
+## What the frontend sees
+
+Each `yield` from `stream.messages()` sends a complete `UIMessage` containing all the sub-agent's parts accumulated so far. The AI SDK delivers these as `tool-output-available` chunks with `preliminary: true`.
+
+The frontend renders the tool part with:
+- `state: "output-available"` and `preliminary: true` while streaming
+- `state: "output-available"` and `preliminary: false` (or absent) when done
+
+The tool output contains the full `UIMessage` with nested parts — text, the sub-agent's own tool calls and results, reasoning, etc.
+
+### Controlling what the parent LLM sees
+
+`toModelOutput` transforms the tool's output before it enters the parent LLM's context. The full UIMessage streams to the frontend, but the model only sees the compressed version:
+
+```ts
+toModelOutput: ({ output: message }) => {
+  // Extract just the final text — the model doesn't need
+  // to see all the sub-agent's tool calls and intermediate work
+  const lastText = message?.parts?.findLast(
+    (p: { type: string }) => p.type === "text"
+  ) as { text?: string } | undefined;
+  return { type: "text", value: lastText?.text ?? "Done." };
+},
+```
+
+This is important for token efficiency: the sub-agent might use 100K tokens exploring and reasoning, but the parent LLM only consumes the summary.
+
+<Warning>
+  `toModelOutput` only runs when the SDK has your tools at conversion time. On a multi-turn parent, the SDK re-converts the persisted history at the start of each turn, so you must declare the sub-agent tool on the agent config (`chat.agent({ tools })`) for the compression to survive. Without it, the summary holds on turn 1 but turn 2 onward re-ingests the full sub-agent output. In a `chat.customAgent` loop you own the conversion, so pass the tools to `convertToModelMessages(uiMessages, { tools })` yourself. See [Tools: toModelOutput across turns](/ai-chat/tools#tomodeloutput-across-turns).
+</Warning>
+
+## ChatStream.messages()
+
+The `messages()` method on `ChatStream` wraps the AI SDK's `readUIMessageStream`. It reads the raw `UIMessageChunk` stream and yields complete `UIMessage` snapshots — each containing all parts received so far.
+
+```ts
+const stream = await chat.sendMessage("Research this topic");
+
+// Each yield is a complete UIMessage with all accumulated parts
+for await (const message of stream.messages()) {
+  console.log(message.parts.length, "parts so far");
+}
+```
+
+For the sub-agent pattern, use `yield*` to delegate all yields to the parent tool's generator:
+
+```ts
+execute: async function* ({ topic }, { abortSignal }) {
+  const stream = await chat.sendMessage(topic, { abortSignal });
+  yield* stream.messages();
+},
+```
+
+<Tip>
+  `stream.messages()` consumes the stream. You can't also call `stream.text()` or iterate over chunks on the same stream. Pick one consumption mode.
+</Tip>
+
+## Combining with chat.agent()
+
+Sub-agent tools work inside both `chat.agent()` (managed) and `chat.customAgent()` (manual lifecycle):
+
+```ts
+// Managed agent with sub-agent tool
+const tools = { research: researchTool };
+
+export const myAgent = chat.agent({
+  id: "orchestrator",
+  tools, // declare here so toModelOutput survives across turns
+  run: async ({ messages, tools, stopSignal }) => {
+    return streamText({
+      model: anthropic("claude-sonnet-4-6"),
+      messages,
+      tools,
+      abortSignal: stopSignal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+For `chat.customAgent()`, define the tool and sub-agent Map inside the `run` closure so they survive across turns. Since you own the turn loop there, convert history with your tools in scope so `toModelOutput` is re-applied each turn: `convertToModelMessages(uiMessages, { tools })`. See [Tools: manual turn loops](/ai-chat/tools#manual-turn-loops-chatcustomagent).
+
+## Streaming progress from a subtask to the parent chat
+
+When a tool invokes a subtask via `triggerAndWait`, the subtask can stream custom data parts directly to the parent chat using `chat.stream.writer({ target: "root" })`. The frontend receives these as `DataUIPart` objects in `message.parts` on the **parent's** message stream:
+
+```ts
+import { chat, ai } from "@trigger.dev/sdk/ai";
+import { schemaTask } from "@trigger.dev/sdk";
+import { streamText, tool, generateId } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+import { z } from "zod";
+
+export const researchTask = schemaTask({
+  id: "research",
+  schema: z.object({ query: z.string() }),
+  run: async ({ query }) => {
+    const partId = generateId();
+
+    // Stream a data-* chunk to the root run's chat stream.
+    const { waitUntilComplete } = chat.stream.writer({
+      target: "root",
+      execute: ({ write }) => {
+        write({
+          type: "data-research-status",
+          id: partId,
+          data: { query, status: "in-progress" },
+        });
+      },
+    });
+    await waitUntilComplete();
+
+    const result = await doResearch(query);
+
+    // Update the same part with the final status — same type + id replaces it.
+    const { waitUntilComplete: waitDone } = chat.stream.writer({
+      target: "root",
+      execute: ({ write }) => {
+        write({
+          type: "data-research-status",
+          id: partId,
+          data: { query, status: "done", resultCount: result.length },
+        });
+      },
+    });
+    await waitDone();
+
+    return result;
+  },
+});
+
+const research = tool({
+  description: researchTask.description ?? "",
+  inputSchema: researchTask.schema!,
+  execute: ai.toolExecute(researchTask),
+});
+```
+
+On the frontend, render the custom data part:
+
+```tsx
+{message.parts.map((part, i) => {
+  if (part.type === "data-research-status") {
+    const { query, status, resultCount } = part.data;
+    return (
+      <div key={i}>
+        {status === "done" ? `Found ${resultCount} results` : `Researching "${query}"...`}
+      </div>
+    );
+  }
+  // ...other part types
+})}
+```
+
+The `target` option accepts:
+- `"self"` — current run (default)
+- `"parent"` — parent task's run
+- `"root"` — root task's run (the chat agent)
+- A specific run ID string
+
+## Inside `ai.toolExecute`: accessing tool + chat context
+
+When a subtask runs via `execute: ai.toolExecute(task)`, it can read the parent's tool call ID and chat context from inside the subtask body:
+
+```ts
+import { ai, chat } from "@trigger.dev/sdk/ai";
+import type { myChat } from "./chat";
+
+export const mySubtask = schemaTask({
+  id: "my-subtask",
+  schema: z.object({ query: z.string() }),
+  run: async ({ query }) => {
+    // The AI SDK tool call ID — useful as a stable `data-*` chunk id
+    const toolCallId = ai.toolCallId();
+
+    // Typed chat context — `clientData` is typed off your chat's `clientDataSchema`
+    const { chatId, clientData } = ai.chatContextOrThrow<typeof myChat>();
+
+    const { waitUntilComplete } = chat.stream.writer({
+      target: "root",
+      execute: ({ write }) => {
+        write({
+          type: "data-progress",
+          id: toolCallId,
+          data: { status: "working", query, userId: clientData?.userId },
+        });
+      },
+    });
+    await waitUntilComplete();
+
+    return { result: "done" };
+  },
+});
+```
+
+| Helper | Returns | Description |
+|--------|---------|-------------|
+| `ai.toolCallId()` | `string \| undefined` | The AI SDK tool call ID |
+| `ai.chatContext<typeof myChat>()` | `{ chatId, turn, continuation, clientData } \| undefined` | Chat context with typed `clientData`. Returns `undefined` if not in a chat context. |
+| `ai.chatContextOrThrow<typeof myChat>()` | `{ chatId, turn, continuation, clientData }` | Same as above but throws if not in a chat context |
+| `ai.currentToolOptions()` | `ToolCallExecutionOptions \| undefined` | Full tool execution options |
+
+The subtask body also has read-only access to any [`chat.local`](/ai-chat/chat-local) values initialized in the parent — auto-hydrated from the parent's metadata on first access.
diff --git a/docs/ai-chat/patterns/tool-result-auditing.mdx b/docs/ai-chat/patterns/tool-result-auditing.mdx
new file mode 100644
index 00000000000..493c8037486
--- /dev/null
+++ b/docs/ai-chat/patterns/tool-result-auditing.mdx
@@ -0,0 +1,149 @@
+---
+title: "Tool result auditing"
+sidebarTitle: "Tool result auditing"
+description: "Fire side effects exactly once per resolved tool call — audit logs, billing, notifications — using extractNewToolResults inside hydrateMessages or onTurnComplete."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+When a chat agent uses [tools](/ai-chat/tools) (especially [human-in-the-loop](/ai-chat/patterns/human-in-the-loop) tools that wait on `addToolOutput` from the frontend), you often need to fire side effects exactly once per resolved tool call:
+
+- **Audit logs** — record every tool result for compliance.
+- **Billing** — charge per tool invocation.
+- **Notifications** — alert downstream systems when a specific tool resolves.
+- **Search-index updates** — reflect tool outputs into a derived store.
+
+The naive approach — "log every tool part you see" — over-counts. The same assistant message gets re-shown across re-renders, replays, and retries. You want a function of the form **"is this tool result one I haven't already logged?"** That's exactly what [`chat.history.extractNewToolResults`](/ai-chat/backend#chat-history) returns.
+
+## The pattern
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { auditLog } from "@/lib/audit";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  hydrateMessages: async ({ chatId, incomingMessages }) => {
+    for (const msg of incomingMessages) {
+      for (const r of chat.history.extractNewToolResults(msg)) {
+        await auditLog.record({
+          chatId,
+          toolCallId: r.toolCallId,
+          toolName: r.toolName,
+          output: r.output,
+          errorText: r.errorText,
+        });
+      }
+    }
+    return await db.getMessages(chatId);
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+The hook fires per turn. `incomingMessages` is the new wire message (0-or-1-length, see [v4.5 wire format change](/ai-chat/upgrade-guide#v45-wire-format-change)). For each new tool result on that message, write one audit row. Then return the canonical chain from your DB.
+
+`extractNewToolResults` compares the message against the current `chat.history` chain and returns only tool parts whose `toolCallId` is **not** already resolved. That's what makes the call exactly-once:
+
+- A re-emitted message (same id, same toolCallId) returns `[]` — no duplicate log.
+- A genuinely new tool result on a known assistant message returns just the new ones.
+- A first-time tool result returns the full set.
+
+## Why `hydrateMessages` is the right hook
+
+The pattern works in any pre-merge callback, but `hydrateMessages` is the canonical spot for two reasons:
+
+1. **It fires before the runtime merges** the incoming message into the accumulator. Once merged, the tool results are already on the chain, and `extractNewToolResults` returns `[]` for them.
+2. **It always fires per turn** — including HITL turns where the user resolved a tool with `addToolOutput`, which is the highest-volume audit event in most apps.
+
+By the time `onTurnComplete` fires, the chain already contains `responseMessage`, so calling `extractNewToolResults(responseMessage)` there returns `[]`. Don't put audit logging there for the resolution path.
+
+## Without `hydrateMessages` — `onTurnComplete` for self-emitted tool calls
+
+If you don't use `hydrateMessages`, the runtime's snapshot+replay path handles persistence. You can still audit the agent's **own** tool executions in `onTurnComplete` — but compare against the prior message rather than the just-emitted one:
+
+```ts
+onTurnComplete: async ({ chatId, newUIMessages }) => {
+  // The assistant message from this turn is in newUIMessages.
+  for (const msg of newUIMessages) {
+    if (msg.role !== "assistant") continue;
+    for (const part of msg.parts) {
+      if (
+        typeof part.type === "string" &&
+        part.type.startsWith("tool-") &&
+        ((part as any).state === "output-available" ||
+         (part as any).state === "output-error")
+      ) {
+        await auditLog.record({
+          chatId,
+          toolCallId: (part as any).toolCallId,
+          toolName: (part as any).type.slice("tool-".length),
+          output: (part as any).output,
+          errorText: (part as any).errorText,
+        });
+      }
+    }
+  }
+},
+```
+
+`newUIMessages` is just the messages this turn produced — no prior-chain noise. Each tool part shows up exactly once.
+
+This works for tools the agent itself calls (no HITL pause). For HITL flows where the user resolves a tool with `addToolOutput`, the resolution arrives on the **next** turn's wire message, not in `newUIMessages` of the resolving turn — use `hydrateMessages` for those.
+
+## Idempotency at the storage layer
+
+Even with `extractNewToolResults`, transient failures (e.g. an audit-log POST that times out and is retried) can produce duplicates. Make the audit-log writer idempotent on `toolCallId`:
+
+```ts
+await auditLog.upsert({
+  where: { toolCallId: r.toolCallId },
+  create: { /* ... */ },
+  update: { /* timestamp, retry count, etc. */ },
+});
+```
+
+`toolCallId` is unique per tool invocation (assigned by the AI SDK when the model emits the tool call) and stable across retries — perfect for an idempotency key.
+
+## What `extractNewToolResults` returns
+
+```ts
+type ExtractedToolResult = {
+  toolCallId: string;
+  toolName: string;
+  input: unknown;       // The arguments the model passed when calling the tool
+  output?: unknown;     // The tool's return value (output-available state)
+  errorText?: string;   // Error message (output-error state)
+};
+```
+
+Tool parts in `input-available` state (the model called the tool but it hasn't resolved yet) are not returned — only **resolved** results count.
+
+## Combining with HITL
+
+[Human-in-the-loop](/ai-chat/patterns/human-in-the-loop) tools pause the turn waiting for `addToolOutput` from the frontend. When the user submits, the wire message carries an updated assistant message with the tool now in `output-available` state. `extractNewToolResults` against that message returns the just-resolved tool — exactly one audit row per user resolution:
+
+```ts
+hydrateMessages: async ({ chatId, incomingMessages }) => {
+  for (const msg of incomingMessages) {
+    for (const r of chat.history.extractNewToolResults(msg)) {
+      // Fires once per ask_user / approval / similar resolution
+      await auditLog.record({ chatId, /* ... */ });
+    }
+  }
+  return await db.getMessages(chatId);
+}
+```
+
+This is the original motivator for the helper — see the [HITL pattern's net-new-tool-result section](/ai-chat/patterns/human-in-the-loop#acting-once-per-net-new-tool-result).
+
+## See also
+
+- [`chat.history`](/ai-chat/backend#chat-history) — full reference for `extractNewToolResults`, `getPendingToolCalls`, `getResolvedToolCalls`
+- [Human-in-the-loop](/ai-chat/patterns/human-in-the-loop) — the pattern this auditing hook complements
+- [`hydrateMessages`](/ai-chat/lifecycle-hooks#hydratemessages) — where pre-merge auditing lives
+- [Persistence and replay](/ai-chat/patterns/persistence-and-replay) — how the runtime rebuilds chains, and why `extractNewToolResults` works against them
diff --git a/docs/ai-chat/patterns/trusted-edge-signals.mdx b/docs/ai-chat/patterns/trusted-edge-signals.mdx
new file mode 100644
index 00000000000..181a3895474
--- /dev/null
+++ b/docs/ai-chat/patterns/trusted-edge-signals.mdx
@@ -0,0 +1,337 @@
+---
+title: "Trusted edge signals"
+sidebarTitle: "Trusted edge signals"
+description: "How to safely deliver server-trusted signals (bot scores, JA4, ASN, ReCAPTCHA verdicts) to a chat.agent run via an edge proxy."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+A common need for chat-style endpoints is to drive agent behavior from **server-trusted signals** that the browser cannot be allowed to declare itself — bot management scores, JA4 fingerprints, ASN, ReCAPTCHA verdicts, or any other anti-abuse data only the edge can see. The agent's [`clientData`](/ai-chat/reference#withclientdata) channel is the right delivery mechanism, but `clientData` set in the browser is by definition spoofable. The fix is to move the value population out of the browser and into a trusted edge proxy.
+
+This page documents the pattern using Cloudflare Workers as the proxy. The same shape applies to any edge layer (custom reverse proxy, Vercel Edge Middleware, AWS Lambda@Edge) — the trust comes from the deployment topology, not from Trigger.dev validating the source.
+
+## Why headers don't work
+
+It's tempting to ask whether `POST /realtime/v1/sessions/{id}/in/append` could carry the signal as an HTTP header. It cannot. The realtime route reads only `Authorization` and `X-Part-Id`; the remaining headers are dropped at the route boundary and the body is persisted to the durable stream as opaque bytes. There is no `headers → run payload` channel.
+
+The trigger.dev wire payload, on the other hand, has a typed per-turn metadata channel ([`ChatTaskWirePayload.metadata`](/ai-chat/client-protocol#chattaskwirepayload)). It already flows from the wire into [`clientData`](/ai-chat/reference#withclientdata) on every hook (`onBoot`, `onChatStart`, `onTurnStart`, `run`, `onTurnComplete`). That field is where signals must land.
+
+## The trust boundary
+
+The pattern has one architectural requirement and one wire-shape convention.
+
+**Topology**: the browser must not be able to reach `trigger.dev` directly. All four chat-related requests (`POST /api/v1/sessions`, `GET /realtime/v1/sessions/{id}/out`, `POST /realtime/v1/sessions/{id}/in/append`, `POST /api/v1/auth/jwt/claims`) flow through your edge proxy. The proxy holds the trust; trigger.dev simply persists whatever the proxy writes.
+
+**Namespace**: pick a key your edge proxy owns exclusively — e.g. `__cf`, `__edge`, `__trust`. The proxy **strips** anything in that key on the way in and **injects** its own value on every request. Nothing else in your system should write that key. This is the convention that converts deployment topology into a guarantee the agent can rely on.
+
+```mermaid
+sequenceDiagram
+  participant Browser
+  participant Edge as Edge Proxy (CF Worker)
+  participant Trigger as trigger.dev API
+  participant Agent as chat.agent run
+
+  Browser->>Edge: POST /api/v1/sessions { triggerConfig.basePayload.metadata: {...} }
+  Edge->>Edge: strip body.triggerConfig.basePayload.metadata.__cf<br/>inject body.triggerConfig.basePayload.metadata.__cf = { botScore, ja4, asn }
+  Edge->>Trigger: POST /api/v1/sessions (rewritten body)
+  Trigger-->>Agent: run boots with payload.metadata.__cf
+  Browser->>Edge: POST /realtime/v1/sessions/{id}/in/append { kind: "message", payload: {...} }
+  Edge->>Edge: strip payload.metadata.__cf<br/>inject payload.metadata.__cf
+  Edge->>Trigger: POST /in/append (rewritten body)
+  Trigger-->>Agent: chat.messages.wait() resolves with payload.metadata.__cf
+```
+
+## Wire payload — the two endpoints to rewrite
+
+The signal needs to land in **two** places. Both bodies are JSON; the edge proxy parses, mutates the namespaced key, and re-serializes.
+
+### `POST /api/v1/sessions` — session create
+
+The browser's session-create call carries the first-turn metadata under `triggerConfig.basePayload.metadata`. The proxy mutates that:
+
+```ts
+// Before
+{
+  "type": "chat.agent",
+  "externalId": "conv-123",
+  "taskIdentifier": "my-agent",
+  "triggerConfig": {
+    "basePayload": {
+      "chatId": "conv-123",
+      "trigger": "preload",
+      "metadata": { "userId": "user-456" }
+    }
+  }
+}
+
+// After
+{
+  "type": "chat.agent",
+  "externalId": "conv-123",
+  "taskIdentifier": "my-agent",
+  "triggerConfig": {
+    "basePayload": {
+      "chatId": "conv-123",
+      "trigger": "preload",
+      "metadata": {
+        "userId": "user-456",
+        "__cf": { "botScore": 95, "ja4": "...", "asn": 13335, "country": "US" }
+      }
+    }
+  }
+}
+```
+
+### `POST /realtime/v1/sessions/{id}/in/append` — every follow-up turn
+
+The body is a JSON-serialized `ChatInputChunk`. The proxy parses it, checks `kind === "message"`, and mutates `payload.metadata`:
+
+```ts
+// Before
+{
+  "kind": "message",
+  "payload": {
+    "message": { "id": "u-2", "role": "user", "parts": [{ "type": "text", "text": "..." }] },
+    "chatId": "conv-123",
+    "trigger": "submit-message",
+    "metadata": { "userId": "user-456" }
+  }
+}
+
+// After
+{
+  "kind": "message",
+  "payload": {
+    "message": { ... },
+    "chatId": "conv-123",
+    "trigger": "submit-message",
+    "metadata": {
+      "userId": "user-456",
+      "__cf": { "botScore": 95, "ja4": "...", "asn": 13335, "country": "US" }
+    }
+  }
+}
+```
+
+Both bodies stay well under the [per-record cap on `/in/append`](/ai-chat/client-protocol#step-3-send-messages-stops-and-actions) — a typical trust object is ~200 bytes.
+
+Other paths — `.out` SSE, `/api/v1/auth/jwt/claims`, anything else — pass through the proxy untouched. The SSE stream in particular must not be buffered; preserve the response body as-is.
+
+## Cloudflare Worker reference implementation
+
+A complete worker that proxies all paths to `TRIGGER_API_UPSTREAM` and injects `__cf` on the two body-write endpoints:
+
+```ts
+export interface Env {
+  TRIGGER_API_UPSTREAM: string; // e.g. "https://api.trigger.dev"
+}
+
+type CfTrustData = {
+  botScore: number;
+  ja4: string;
+  asn: number;
+  country: string;
+};
+
+function readCfTrustData(request: Request): CfTrustData {
+  const cf = (request as Request & { cf?: Record<string, unknown> }).cf;
+  const bm = cf?.botManagement as Record<string, unknown> | undefined;
+  return {
+    botScore: (bm?.score as number) ?? 0,
+    ja4: (bm?.ja4 as string) ?? "",
+    asn: (cf?.asn as number) ?? 0,
+    country: (cf?.country as string) ?? "",
+  };
+}
+
+function injectCf(metadata: Record<string, unknown> | undefined, cf: CfTrustData) {
+  // Strip anything the client tried to send under our namespace,
+  // then inject the edge-trusted value. Topology + convention =
+  // trust.
+  const stripped = { ...(metadata ?? {}) };
+  delete stripped.__cf;
+  return { ...stripped, __cf: cf };
+}
+
+function rewriteSessionsCreate(body: string, cf: CfTrustData) {
+  const parsed = JSON.parse(body) as Record<string, unknown>;
+  const tc = (parsed.triggerConfig as Record<string, unknown>) ?? {};
+  const bp = (tc.basePayload as Record<string, unknown>) ?? {};
+  parsed.triggerConfig = {
+    ...tc,
+    basePayload: { ...bp, metadata: injectCf(bp.metadata as Record<string, unknown>, cf) },
+  };
+  return JSON.stringify(parsed);
+}
+
+function rewriteAppend(body: string, cf: CfTrustData) {
+  let parsed: Record<string, unknown>;
+  try {
+    parsed = JSON.parse(body);
+  } catch {
+    return body;
+  }
+  if (parsed.kind !== "message") return body;
+  const payload = (parsed.payload as Record<string, unknown>) ?? {};
+  parsed.payload = { ...payload, metadata: injectCf(payload.metadata as Record<string, unknown>, cf) };
+  return JSON.stringify(parsed);
+}
+
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    const incoming = new URL(request.url);
+    const target = new URL(incoming.pathname + incoming.search, env.TRIGGER_API_UPSTREAM);
+    const cf = readCfTrustData(request);
+
+    const isSessionsCreate =
+      request.method === "POST" && incoming.pathname === "/api/v1/sessions";
+    const isAppend =
+      request.method === "POST" &&
+      /^\/realtime\/v1\/sessions\/[^/]+\/in\/append$/.test(incoming.pathname);
+
+    let body: BodyInit | null = null;
+    if (request.method !== "GET" && request.method !== "HEAD") {
+      const raw = await request.text();
+      if (isSessionsCreate && raw) body = rewriteSessionsCreate(raw, cf);
+      else if (isAppend && raw) body = rewriteAppend(raw, cf);
+      else body = raw;
+    }
+
+    const headers = new Headers(request.headers);
+    headers.delete("host");
+    headers.delete("content-length");
+
+    return fetch(target.toString(), {
+      method: request.method,
+      headers,
+      body,
+      redirect: "manual",
+    });
+  },
+};
+```
+
+Browser-only deployments also need CORS on the worker — echo `Access-Control-Request-Headers` on preflight and set `Access-Control-Allow-Origin` to your frontend origin. The trigger.dev route itself allows all origins, but the worker becomes the visible cross-origin endpoint to the browser.
+
+### Streaming and latency
+
+The SDK's `baseURL` accepts a function (see [Browser transport configuration](#browser-transport-configuration)), so the recommended setup routes `.in/append` and session-create through the worker but lets `.out` SSE go direct to `api.trigger.dev`. Body-mutation only happens on the POST paths; the SSE stream is read-only, doesn't need rewriting, and routing it direct saves an edge hop on every reconnect.
+
+If you do route `.out` through the proxy (e.g. you want a single origin in front of `api.trigger.dev` and don't care about the extra hop), the template above handles it correctly because the worker returns `response.body` as a `ReadableStream`. **Do not replace that with `await response.text()`** anywhere in your fork; doing so converts the streaming SSE response into a buffered read and breaks per-chunk delivery.
+
+[Cloudflare Workers HTTP requests](https://developers.cloudflare.com/workers/platform/limits/) have no wall-clock duration limit while the client stays connected — the 60-second long-poll runs to completion on every plan, including Free. CPU-time limits (10 ms on Free, 30 s default on Paid) only apply to active computation; relaying bytes through `fetch` doesn't burn CPU. The two body-rewrite paths use sub-millisecond CPU for typical message sizes, well under either ceiling.
+
+Network-wise the proxy adds one edge hop: roughly 10–50 ms per request round trip versus talking to `api.trigger.dev` directly. Routing SSE direct via the function-form `baseURL` eliminates that hop on the long-lived path.
+
+## Agent side — declare the namespace in `clientDataSchema`
+
+Mirror the namespace in the agent so every turn lands typed:
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { z } from "zod";
+
+export const myAgent = chat
+  .withClientData({
+    schema: z.object({
+      userId: z.string(),
+      __cf: z.object({
+        botScore: z.number(),
+        ja4: z.string(),
+        asn: z.number(),
+        country: z.string(),
+      }),
+    }),
+  })
+  .agent({
+    id: "my-agent",
+    run: async ({ messages, clientData, signal }) => {
+      // Score-based routing. The values arrive from the edge proxy.
+      if (clientData.__cf.botScore < 30) {
+        return streamText({
+          model: anthropic("claude-haiku-4-5"),
+          messages: [{ role: "system", content: "Reject politely; do not engage." }],
+          abortSignal: signal,
+          stopWhen: stepCountIs(15),
+        });
+      }
+
+      return streamText({
+        model: anthropic("claude-sonnet-4-5"),
+        messages,
+        abortSignal: signal,
+        // ...
+        stopWhen: stepCountIs(15),
+      });
+    },
+  });
+```
+
+Because the schema requires `__cf` on every turn, any request that *doesn't* go through the proxy fails at the agent boundary — the turn produces a `[ERROR]` span on the trace and an empty `turn-complete` on the wire (see [the client protocol error-detection note](/ai-chat/client-protocol#step-3-send-messages-stops-and-actions)). That gives you a server-side enforcement check for "did this request actually come through the trusted path?"
+
+## Browser transport configuration
+
+Point the `TriggerChatTransport` at the worker, not at `api.trigger.dev`:
+
+`baseURL` accepts a function so you can route `.in/append` through the worker while keeping `.out` SSE direct to `api.trigger.dev`. The append path is where the body-mutation matters; the SSE stream is a read-only one-way channel that doesn't need to be proxied. Routing it direct saves an edge hop on every long-poll.
+
+```tsx
+import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+
+const WORKER = "https://worker.your-domain.com";
+const DIRECT = "https://api.trigger.dev";
+
+const transport = useTriggerChatTransport({
+  task: "my-agent",
+  baseURL: ({ endpoint }) => (endpoint === "out" ? DIRECT : WORKER),
+  // ... accessToken, startSession, etc.
+  // NOTE: do not set __cf in clientData here. The browser cannot be
+  // trusted to populate it — the worker is the source of truth.
+  clientData: { userId: currentUserId },
+});
+```
+
+If you'd rather route everything through the worker, pass a single string:
+
+```tsx
+baseURL: "https://worker.your-domain.com",
+```
+
+`baseURL` accepts the same string-or-function shape on `chat.createStartSessionAction`, so the Next.js server action that creates the session also flows through the worker — that's how the very first run's `basePayload.metadata.__cf` gets injected before reaching `api.trigger.dev`:
+
+```ts
+// actions.ts — server-only
+import { chat } from "@trigger.dev/sdk/ai";
+
+export const startSession = chat.createStartSessionAction("my-agent", {
+  tokenTTL: "1h",
+  baseURL: ({ endpoint }) =>
+    endpoint === "sessions" ? WORKER : DIRECT,
+});
+```
+
+The session-create endpoint discriminator is `"sessions"` (POST `/api/v1/sessions`) or `"auth"` (POST `/api/v1/auth/jwt/claims`) — distinct from the chat transport's `"in"` / `"out"`. If you want everything proxied, pass a string.
+
+## Threat model
+
+Two important invariants follow from this design:
+
+1. **Direct browser-to-trigger.dev requests cannot succeed**. As long as your agent's `clientDataSchema` requires the namespaced field, any request that doesn't go through the proxy fails schema validation and produces an empty turn. This is your gate.
+2. **Anything inside the namespaced key is trusted only as far as the proxy is the sole writer**. If a client could obtain the public access token and bypass the proxy, they could send arbitrary values under `__cf`. The schema would still validate (it only checks shape, not provenance). The mitigation is operational: the public access token must only be served to clients that reach trigger.dev through the proxy. In practice this means your Next.js server actions and your browser are both behind the same edge layer, and the worker is the only fetch destination for `trigger.dev` baked into either of them.
+
+You can harden further with a shared-secret header the worker injects (e.g. `X-Edge-Signature`) and an agent-side check, but in most CDN deployments the deployment topology is already sufficient.
+
+## Recipe summary
+
+1. Pick a namespaced key the edge proxy owns (`__cf`, `__edge`, `__trust`).
+2. Deploy a proxy in front of `trigger.dev` that rewrites POST `/api/v1/sessions` and POST `/realtime/v1/sessions/{id}/in/append` to inject your trusted values under that key.
+3. Declare the namespace in the agent's `clientDataSchema` so missing or malformed signals fail at the agent boundary.
+4. Point your transport's `baseURL` at the proxy. Never expose `api.trigger.dev` directly to the browser.
+
+## See also
+
+- [Client Protocol](/ai-chat/client-protocol) — the full wire shape the proxy is rewriting.
+- [`withClientData`](/ai-chat/reference#withclientdata) — agent-side typed metadata channel.
+- [Large payloads](/ai-chat/patterns/large-payloads) — for when injected signals or hooks need to ship more than the 1 MiB stream cap allows.
diff --git a/docs/ai-chat/patterns/version-upgrades.mdx b/docs/ai-chat/patterns/version-upgrades.mdx
new file mode 100644
index 00000000000..75a29f4febb
--- /dev/null
+++ b/docs/ai-chat/patterns/version-upgrades.mdx
@@ -0,0 +1,172 @@
+---
+title: "Version upgrades"
+sidebarTitle: "Version upgrades"
+description: "Gracefully migrate suspended chat agents to a new deployment using chat.requestUpgrade() and the continuation mechanism."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+Chat agent runs are pinned to the worker version they started on. When you deploy a new version, suspended runs resume on the **old** code. If your deploy includes breaking changes (new tools, changed schemas, updated API contracts), this can cause issues.
+
+`chat.requestUpgrade()` lets the agent opt out of the current run so the transport triggers a new one on the latest version.
+
+## How it works
+
+When `chat.requestUpgrade()` is called in `onTurnStart` or `onValidateMessages`:
+
+1. `run()` is **skipped** — no response is generated on old code
+2. The agent calls the server-side `endAndContinueSession` endpoint, which atomically swaps the Session's `currentRunId` to a freshly-triggered run on the latest deployment (optimistic-claim against `currentRunVersion`)
+3. The new run picks up the conversation and produces the response
+4. The transport's existing SSE subscription to `session.out` keeps receiving chunks across the swap — no client-side reconnect
+
+The new run lives on the **same Session** as the old one. `chatId` is the durable identity; only the underlying `currentRunId` rotates. The audit log records the new run with `reason: "upgrade"`.
+
+When called from inside `run()` or `chat.defer()`, the current turn completes normally first and the run exits afterward. The next message triggers the continuation on the same session.
+
+```mermaid
+sequenceDiagram
+  participant User
+  participant Transport
+  participant RunV1 as Run (v1)
+  participant RunV2 as Run (v2)
+
+  User->>Transport: send message
+  Transport->>RunV1: input stream
+  RunV1->>RunV1: onTurnStart → requestUpgrade()
+  RunV1-->>Transport: trigger:upgrade-required
+  RunV1->>RunV1: exit (run() never called)
+  Transport->>RunV2: trigger new run (continuation, same message)
+  RunV2-->>Transport: response stream
+  Transport-->>User: response (seamless)
+```
+
+## Contract versioning
+
+Define an explicit version for the contract between your frontend and agent. The frontend sends a `protocolVersion` via `clientData`, and the agent declares which versions it supports. When a breaking change ships (new tools, changed data parts, updated response format), bump the version.
+
+This gives you full control — the frontend can be backwards-compatible across multiple agent versions, and the agent only upgrades when it sees a version it doesn't support.
+
+```tsx title="app/components/Chat.tsx"
+import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+import { useChat } from "@ai-sdk/react";
+
+export function Chat() {
+  const transport = useTriggerChatTransport({
+    task: "my-chat",
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+    // Bump this when you ship a breaking change to the chat UI or tools
+    clientData: { userId: user.id, protocolVersion: "v2" },
+  });
+
+  const { messages, sendMessage } = useChat({ transport });
+  // ...
+}
+```
+
+On the agent side, declare which versions the current code supports:
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+
+// The set of frontend protocol versions this agent code supports.
+// When you deploy a breaking change, remove old versions from this set.
+const SUPPORTED_VERSIONS = new Set(["v2", "v3"]);
+
+export const myChat = chat
+  .withClientData({
+    schema: z.object({
+      userId: z.string(),
+      protocolVersion: z.string(),
+    }),
+  })
+  .agent({
+    id: "my-chat",
+    onTurnStart: async ({ clientData }) => {
+      if (clientData?.protocolVersion && !SUPPORTED_VERSIONS.has(clientData.protocolVersion)) {
+        chat.requestUpgrade();
+      }
+    },
+    run: async ({ messages, signal }) => {
+      return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+    },
+  });
+```
+
+The transport includes `clientData` in every payload — both the initial trigger and subsequent records on the session's `.in` channel — so the agent always has the current value.
+
+This pattern is useful when:
+- Your frontend is backwards-compatible across several agent versions, but occasionally ships breaking changes
+- You want explicit control over when upgrades happen rather than upgrading on every deploy
+- Multiple frontend versions may be active at the same time (e.g., users with cached tabs)
+
+## Auto-detect from build ID (Next.js / Vercel)
+
+For automatic upgrade on every deploy, pass your platform's build ID via `clientData` instead of a manual version. The agent stores the ID from the first message and upgrades when it changes:
+
+```tsx title="app/components/Chat.tsx"
+// Vercel sets this at build time, or use your own build ID
+const APP_VERSION = process.env.NEXT_PUBLIC_VERCEL_DEPLOYMENT_ID
+  ?? process.env.NEXT_PUBLIC_BUILD_ID
+  ?? "dev";
+
+export function Chat() {
+  const transport = useTriggerChatTransport({
+    task: "my-chat",
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+    clientData: { userId: user.id, appVersion: APP_VERSION },
+  });
+  // ...
+}
+```
+
+```ts title="trigger/chat.ts"
+const initialAppVersion = chat.local<{ version: string }>({ id: "appVersion" });
+
+export const myChat = chat
+  .withClientData({
+    schema: z.object({
+      userId: z.string(),
+      appVersion: z.string(),
+    }),
+  })
+  .agent({
+    id: "my-chat",
+    onBoot: async ({ clientData }) => {
+      initialAppVersion.init({ version: clientData.appVersion });
+    },
+    onTurnStart: async ({ clientData }) => {
+      if (clientData?.appVersion && clientData.appVersion !== initialAppVersion.version) {
+        chat.requestUpgrade();
+      }
+    },
+    run: async ({ messages, signal }) => {
+      return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+    },
+  });
+```
+
+This upgrades on **every** deploy, not just breaking changes. Good for fast-moving projects where you always want the latest code.
+
+## Other agent types
+
+- **`chat.agent()`** and **`chat.createSession()`** — use `chat.requestUpgrade()` as shown above
+- **`chat.customAgent()`** — you control the turn loop, so just `return` from `run()` when you want to exit
+
+## Interaction with recovery boot
+
+`chat.requestUpgrade()` is a graceful exit — the old run returns cleanly, never writing a partial assistant. The new continuation run boots with an empty `session.out` tail and the upgrade-trigger message on `session.in`. The trigger message dispatches as turn 1 on the new version via the normal continuation-wait path. [`onRecoveryBoot`](/ai-chat/patterns/recovery-boot) does NOT fire on this path — the hook is reserved for mid-stream interruptions (cancel / crash / OOM) where a partial assistant exists on the tail.
+
+## See also
+
+- [Lifecycle hooks](/ai-chat/lifecycle-hooks) — where `onTurnStart` and `onChatResume` fit in the turn cycle
+- [Recovery boot](/ai-chat/patterns/recovery-boot) — the sibling hook for mid-stream interruptions (does NOT fire on `requestUpgrade`)
+- [Database persistence](/ai-chat/patterns/database-persistence) — how continuations interact with session state
+- [Client Protocol](/ai-chat/client-protocol#step-4-handle-continuations) — how clients handle continuations at the wire level
diff --git a/docs/ai-chat/pending-messages.mdx b/docs/ai-chat/pending-messages.mdx
new file mode 100644
index 00000000000..80dbdaab2eb
--- /dev/null
+++ b/docs/ai-chat/pending-messages.mdx
@@ -0,0 +1,339 @@
+---
+title: "Pending Messages"
+sidebarTitle: "Pending Messages"
+description: "Inject user messages mid-execution to steer agents between tool-call steps."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+## Overview
+
+When an AI agent is executing tool calls, users may want to send a message that **steers the agent mid-execution** — adding context, correcting course, or refining the request without waiting for the response to finish.
+
+The `pendingMessages` option enables this by injecting user messages between tool-call steps via the AI SDK's `prepareStep`. Messages that arrive during streaming are queued and injected at the next step boundary. If there are no more step boundaries (single-step response or final text generation), the message becomes the next turn automatically.
+
+## How it works
+
+1. User sends a message while the agent is streaming
+2. The message is sent to the backend via input stream (`transport.sendPendingMessage`)
+3. The backend queues it in the steering queue
+4. At the next `prepareStep` boundary (between tool-call steps), `shouldInject` is called
+5. If it returns `true`, the message is injected into the LLM's context
+6. A `data-pending-message-injected` stream chunk confirms injection to the frontend
+7. If `prepareStep` never fires (no tool calls), the message becomes the next turn
+
+## Backend: chat.agent
+
+Add `pendingMessages` to your `chat.agent` configuration:
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText, stepCountIs } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  pendingMessages: {
+    // Only inject when there are completed steps (tool calls happened)
+    shouldInject: ({ steps }) => steps.length > 0,
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({
+      ...chat.toStreamTextOptions({ registry }),
+      messages,
+      tools: { /* ... */ },
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+The `prepareStep` for injection is automatically included when you spread `chat.toStreamTextOptions()`. If you provide your own `prepareStep` after the spread, it overrides the auto-injected one.
+
+### Options
+
+| Option | Type | Description |
+|--------|------|-------------|
+| `shouldInject` | `(event: PendingMessagesBatchEvent) => boolean` | Decide whether to inject the batch. Called once per step boundary. If absent, no injection happens. |
+| `prepare` | `(event: PendingMessagesBatchEvent) => ModelMessage[]` | Transform the batch before injection. Default: convert each message via `convertToModelMessages`. |
+| `onReceived` | `(event) => void` | Called when a message arrives during streaming (per-message). |
+| `onInjected` | `(event) => void` | Called after a batch is injected. |
+
+### shouldInject
+
+Called once per step boundary with the full batch of pending messages. Return `true` to inject all of them, `false` to skip (they'll be available at the next boundary or become the next turn).
+
+```ts
+pendingMessages: {
+  // Always inject
+  shouldInject: () => true,
+
+  // Only inject after tool calls
+  shouldInject: ({ steps }) => steps.length > 0,
+
+  // Only inject if there's one message
+  shouldInject: ({ messages }) => messages.length === 1,
+},
+```
+
+The event includes:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `messages` | `UIMessage[]` | All pending messages (batch) |
+| `modelMessages` | `ModelMessage[]` | Current conversation |
+| `steps` | `CompactionStep[]` | Completed steps |
+| `stepNumber` | `number` | Current step (0-indexed) |
+| `chatId` | `string` | Chat session ID |
+| `turn` | `number` | Current turn |
+| `clientData` | `unknown` | Frontend metadata |
+
+### prepare
+
+Transform the batch of pending messages before they're injected into the LLM's context. By default, each UIMessage is converted to ModelMessages individually. Use `prepare` to combine multiple messages or add context:
+
+```ts
+pendingMessages: {
+  shouldInject: ({ steps }) => steps.length > 0,
+  prepare: ({ messages }) => [{
+    role: "user",
+    content: messages.length === 1
+      ? messages[0].parts[0]?.text ?? ""
+      : `The user sent ${messages.length} messages:\n${
+          messages.map((m, i) => `${i + 1}. ${m.parts[0]?.text}`).join("\n")
+        }`,
+  }],
+},
+```
+
+### Stream chunk
+
+When messages are injected, the SDK automatically writes a `data-pending-message-injected` stream chunk containing the message IDs and text. The frontend uses this to:
+- Confirm which messages were injected
+- Remove them from the pending overlay
+- Render them inline at the injection point in the assistant response
+
+A "pending message injected" span also appears in the run trace.
+
+## Backend: chat.createSession
+
+Pass `pendingMessages` to the session options:
+
+```ts
+const session = chat.createSession(payload, {
+  signal,
+  idleTimeoutInSeconds: 60,
+  pendingMessages: {
+    shouldInject: () => true,
+  },
+});
+
+for await (const turn of session) {
+  const result = streamText({
+    model: anthropic("claude-sonnet-4-5"),
+    messages: turn.messages,
+    abortSignal: turn.signal,
+    prepareStep: turn.prepareStep(), // Handles injection + compaction
+    stopWhen: stepCountIs(15),
+  });
+
+  await turn.complete(result);
+}
+```
+
+Use `turn.prepareStep()` to get a prepareStep function that handles both injection and compaction. Users who spread `chat.toStreamTextOptions()` get it automatically.
+
+## Backend: MessageAccumulator (raw task)
+
+Pass `pendingMessages` to the constructor and wire up the message listener manually:
+
+```ts
+const conversation = new chat.MessageAccumulator({
+  pendingMessages: {
+    shouldInject: () => true,
+    prepare: ({ messages }) => [{
+      role: "user",
+      content: `[Steering]: ${messages.map(m => m.parts[0]?.text).join(", ")}`,
+    }],
+  },
+});
+
+for (let turn = 0; turn < 100; turn++) {
+  const messages = await conversation.addIncoming(payload.messages, payload.trigger, turn);
+
+  // Listen for steering messages during streaming
+  const sub = chat.messages.on(async (msg) => {
+    const lastMsg = msg.messages?.[msg.messages.length - 1];
+    if (lastMsg) await conversation.steerAsync(lastMsg);
+  });
+
+  const result = streamText({
+    model: anthropic("claude-sonnet-4-5"),
+    messages,
+    prepareStep: conversation.prepareStep(), // Handles injection + compaction
+    stopWhen: stepCountIs(15),
+  });
+
+  const response = await chat.pipeAndCapture(result);
+  sub.off();
+
+  if (response) await conversation.addResponse(response);
+  await chat.writeTurnComplete();
+}
+```
+
+### MessageAccumulator methods
+
+| Method | Description |
+|--------|-------------|
+| `steer(message, modelMessages?)` | Queue a UIMessage for injection (sync) |
+| `steerAsync(message)` | Queue a UIMessage, converting to model messages automatically |
+| `drainSteering()` | Get and clear unconsumed steering messages |
+| `prepareStep()` | Returns a prepareStep function handling injection + compaction |
+
+## Frontend: usePendingMessages hook
+
+The `usePendingMessages` hook manages all the frontend complexity — tracking pending messages, detecting injections, and handling the turn lifecycle.
+
+```tsx
+import { useChat } from "@ai-sdk/react";
+import { useTriggerChatTransport, usePendingMessages } from "@trigger.dev/sdk/chat/react";
+
+function Chat({ chatId }: { chatId: string }) {
+  const transport = useTriggerChatTransport({
+    task: "my-chat",
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+  });
+
+  const { messages, setMessages, sendMessage, stop, status } = useChat({
+    id: chatId,
+    transport,
+  });
+
+  const pending = usePendingMessages({
+    transport,
+    chatId,
+    status,
+    messages,
+    setMessages,
+    sendMessage,
+    metadata: { model: "gpt-4o" },
+  });
+
+  return (
+    <div>
+      {/* Render messages */}
+      {messages.map((msg) => (
+        <div key={msg.id}>
+          {msg.role === "assistant" ? (
+            msg.parts.map((part, i) =>
+              pending.isInjectionPoint(part) ? (
+                // Render injected messages inline at the injection point
+                <div key={i}>
+                  {pending.getInjectedMessages(part).map((m) => (
+                    <div key={m.id} className="injected-message">{m.text}</div>
+                  ))}
+                </div>
+              ) : (
+                <Part key={i} part={part} />
+              )
+            )
+          ) : (
+            <UserMessage msg={msg} />
+          )}
+        </div>
+      ))}
+
+      {/* Render pending messages */}
+      {pending.pending.map((msg) => (
+        <div key={msg.id}>
+          <span>{msg.text}</span>
+          <span>{msg.mode === "steering" ? "Steering" : "Queued"}</span>
+          {msg.mode === "queued" && status === "streaming" && (
+            <button onClick={() => pending.promoteToSteering(msg.id)}>
+              Steer instead
+            </button>
+          )}
+        </div>
+      ))}
+
+      {/* Send form */}
+      <form onSubmit={(e) => {
+        e.preventDefault();
+        pending.steer(input); // Steers during streaming, sends normally when ready
+        setInput("");
+      }}>
+        <input value={input} onChange={(e) => setInput(e.target.value)} />
+        <button type="submit">Send</button>
+        {status === "streaming" && (
+          <button type="button" onClick={() => { pending.queue(input); setInput(""); }}>
+            Queue
+          </button>
+        )}
+      </form>
+    </div>
+  );
+}
+```
+
+### Hook API
+
+| Property/Method | Type | Description |
+|----------------|------|-------------|
+| `pending` | `PendingMessage[]` | Current pending messages with `id`, `text`, `mode`, and `injected` status |
+| `steer(text)` | `(text: string) => void` | Send a steering message during streaming, or normal message when ready |
+| `queue(text)` | `(text: string) => void` | Queue for next turn during streaming, or send normally when ready |
+| `promoteToSteering(id)` | `(id: string) => void` | Convert a queued message to steering (sends via input stream immediately) |
+| `isInjectionPoint(part)` | `(part: unknown) => boolean` | Check if an assistant message part is an injection confirmation |
+| `getInjectedMessageIds(part)` | `(part: unknown) => string[]` | Get message IDs from an injection point |
+| `getInjectedMessages(part)` | `(part: unknown) => InjectedMessage[]` | Get messages (id + text) from an injection point |
+
+### PendingMessage
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `id` | `string` | Unique message ID |
+| `text` | `string` | Message text |
+| `mode` | `"steering" \| "queued"` | How the message is being handled |
+| `injected` | `boolean` | Whether the backend confirmed injection |
+
+### Message lifecycle
+
+- **Steering messages** are sent via `transport.sendPendingMessage()` immediately. They appear as purple pending bubbles. If injected, they disappear from the overlay and render inline at the injection point. If not injected (no more step boundaries), they auto-send as the next turn when the response finishes.
+
+- **Queued messages** stay client-side until the turn completes, then auto-send as the next turn via `sendMessage()`. They can be promoted to steering mid-stream by clicking "Steer instead".
+
+- **Promoted messages** are queued messages that were converted to steering. They get sent via input stream immediately and follow the steering lifecycle from that point.
+
+## Transport: sendPendingMessage
+
+The `TriggerChatTransport` exposes a `sendPendingMessage` method for sending messages via input stream without disrupting the active stream subscription:
+
+```ts
+const sent = await transport.sendPendingMessage(chatId, {
+  id: crypto.randomUUID(),
+  role: "user",
+  parts: [{ type: "text", text: "and compare to vercel" }],
+}, { model: "gpt-4o" });
+```
+
+Unlike `sendMessage()` from useChat, this does NOT:
+- Add the message to useChat's local state
+- Cancel the active stream subscription
+- Start a new response stream
+
+The `usePendingMessages` hook calls this internally — you typically don't need to use it directly.
+
+## Coexistence with compaction
+
+Pending message injection and compaction both use `prepareStep`. When both are configured, the auto-injected `prepareStep` handles them in order:
+
+1. **Compaction** runs first — checks threshold, generates summary if needed
+2. **Injection** runs second — pending messages are appended to either the compacted or original messages
+
+This means injected messages are always included after compaction, ensuring the LLM sees both the compressed history and the new steering input.
diff --git a/docs/ai-chat/quick-start.mdx b/docs/ai-chat/quick-start.mdx
new file mode 100644
index 00000000000..66f1a6a31ac
--- /dev/null
+++ b/docs/ai-chat/quick-start.mdx
@@ -0,0 +1,161 @@
+---
+title: "Quick Start"
+sidebarTitle: "Quick Start"
+description: "Get a working AI agent in 3 steps — define an agent, generate a token, and wire up the frontend."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+These steps assume you already have a Trigger.dev project with the SDK installed and the CLI authenticated — if you don't, follow [Manual setup](/manual-setup) (or `npx trigger.dev@latest init` in an existing project) first. You should be able to run `pnpm exec trigger dev` from your project root before continuing.
+
+The chat surface works with Vercel AI SDK **v5, v6, or v7**; install whichever major you want. On **v7**, also install `@ai-sdk/otel` so your model calls are traced (the SDK registers it for you). See [compatibility](/ai-chat/reference#compatibility) for the full matrix.
+
+<Steps>
+  <Step title="Define a chat agent">
+    Use `chat.agent` from `@trigger.dev/sdk/ai` to define an agent that handles chat messages. The `run` function receives `ModelMessage[]` (already converted from the frontend's `UIMessage[]`) — pass them directly to `streamText`.
+
+    If you return a `StreamTextResult`, it's **automatically piped** to the frontend.
+
+    ```ts trigger/chat.ts
+    import { chat } from "@trigger.dev/sdk/ai";
+    import { streamText, stepCountIs } from "ai";
+    import { anthropic } from "@ai-sdk/anthropic";
+
+    export const myChat = chat.agent({
+      id: "my-chat",
+      run: async ({ messages, signal }) => {
+        return streamText({
+          // Spread chat.toStreamTextOptions() FIRST — it wires up
+          // prepareStep (compaction, steering, background injection),
+          // the system prompt set via chat.prompt(), and telemetry.
+          // Skipping this is the single most common cause of subtle
+          // bugs (silent broken compaction, missing steering, etc.).
+          ...chat.toStreamTextOptions(),
+          model: anthropic("claude-sonnet-4-5"),
+          messages,
+          abortSignal: signal,
+          stopWhen: stepCountIs(15),
+        });
+      },
+    });
+    ```
+
+    <Warning>
+      **Always spread `chat.toStreamTextOptions()` into your `streamText` call.** It wires up the `prepareStep` callback that drives compaction, mid-turn steering, and background injection — features that silently no-op if the spread is missing. Spread it **first** so any explicit overrides (e.g. a custom `prepareStep`) win.
+    </Warning>
+
+    <Tip>
+      For a **custom** [`UIMessage`](https://sdk.vercel.ai/docs/reference/ai-sdk-core/ui-message) subtype (typed `data-*` parts, tool map, etc.), define the agent with [`chat.withUIMessage<...>().agent({...})`](/ai-chat/types) instead of `chat.agent`.
+    </Tip>
+
+  </Step>
+
+  <Step title="Add two server actions">
+    On your server (e.g. as Next.js server actions), expose two helpers the transport will call: one that creates the chat session, and one that mints a fresh session-scoped access token for refresh.
+
+    ```ts app/actions.ts
+    "use server";
+
+    import { auth } from "@trigger.dev/sdk";
+    import { chat } from "@trigger.dev/sdk/ai";
+
+    // Creates the Session row + triggers the first run, returns the
+    // session PAT. Idempotent on (env, chatId) so concurrent calls
+    // converge to the same session.
+    export const startChatSession = chat.createStartSessionAction("my-chat");
+
+    // Pure mint — fresh session-scoped PAT for an existing session.
+    // The transport calls this on 401/403 to refresh.
+    export async function mintChatAccessToken(chatId: string) {
+      return auth.createPublicToken({
+        scopes: {
+          read: { sessions: chatId },
+          write: { sessions: chatId },
+        },
+        expirationTime: "1h",
+      });
+    }
+    ```
+
+    The browser never holds your environment's secret key — both helpers run on your server, where customer-side authorization (per-user, per-plan, etc.) lives alongside any DB writes you want to pair with session creation.
+
+  </Step>
+
+  <Step title="Use in the frontend">
+    Use the `useTriggerChatTransport` hook from `@trigger.dev/sdk/chat/react` to create a memoized transport instance, then pass it to `useChat`. Wire both server actions into the transport's `accessToken` and `startSession` callbacks.
+
+    The example below uses the Next.js `@/*` path alias for imports from `@/trigger/chat` and `@/app/actions`. If you're not using Next.js (or haven't configured the alias), swap them for relative imports.
+
+    ```tsx app/components/chat.tsx
+    "use client";
+
+    import { useState } from "react";
+    import { useChat } from "@ai-sdk/react";
+    import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+    import type { myChat } from "@/trigger/chat";
+    import { mintChatAccessToken, startChatSession } from "@/app/actions";
+
+    export function Chat() {
+      const transport = useTriggerChatTransport<typeof myChat>({
+        task: "my-chat",
+        accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+        startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+      });
+
+      const { messages, sendMessage, stop, status } = useChat({ transport });
+      const [input, setInput] = useState("");
+
+      return (
+        <div>
+          {messages.map((m) => (
+            <div key={m.id}>
+              <strong>{m.role}:</strong>
+              {m.parts.map((part, i) =>
+                part.type === "text" ? <span key={i}>{part.text}</span> : null
+              )}
+            </div>
+          ))}
+
+          <form
+            onSubmit={(e) => {
+              e.preventDefault();
+              if (input.trim()) {
+                sendMessage({ text: input });
+                setInput("");
+              }
+            }}
+          >
+            <input
+              value={input}
+              onChange={(e) => setInput(e.target.value)}
+              placeholder="Type a message..."
+            />
+            <button type="submit" disabled={status === "streaming"}>
+              Send
+            </button>
+            {status === "streaming" && (
+              <button type="button" onClick={stop}>
+                Stop
+              </button>
+            )}
+          </form>
+        </div>
+      );
+    }
+    ```
+
+  </Step>
+</Steps>
+
+## Next steps
+
+- [Backend](/ai-chat/backend) — Lifecycle hooks, persistence, session iterator, raw task primitives
+- [Tools](/ai-chat/tools): Declare tools so `toModelOutput` survives across turns, typed in `run()`
+- [Frontend](/ai-chat/frontend) — Session management, client data, reconnection
+- [Types](/ai-chat/types) — `chat.withUIMessage`, `InferChatUIMessage`, and related typing
+- [`chat.local`](/ai-chat/chat-local) — Per-run typed state across hooks, run, tools, subtasks
+- [Sub-agents pattern](/ai-chat/patterns/sub-agents) — Subtask-as-tool, `target: "root"` streaming, `ai.toolExecute` helpers
+- [Background injection](/ai-chat/background-injection) — `chat.inject()` and `chat.defer()` for between-turn work
diff --git a/docs/ai-chat/reference.mdx b/docs/ai-chat/reference.mdx
new file mode 100644
index 00000000000..147f396bd5e
--- /dev/null
+++ b/docs/ai-chat/reference.mdx
@@ -0,0 +1,886 @@
+---
+title: "API Reference"
+sidebarTitle: "API Reference"
+description: "Complete API reference for the AI Agents SDK — backend options, events, frontend transport, and hooks."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+## Compatibility
+
+| Dependency | Supported | Notes |
+|---|---|---|
+| `@trigger.dev/sdk` | `>=4.5.0-rc.0` | The chat agent surface lives in this SDK release. Install with `@trigger.dev/sdk@rc`. |
+| `ai` (Vercel AI SDK) | `^5.0.0 \|\| ^6.0.0 \|\| >=7.0.0-canary <8` | Declared as a peer. v6 is what we develop against day to day; v5 and v7 work too (v7 is in canary/beta upstream). Your installed `ai` major drives the chat surface's types. |
+| `@ai-sdk/otel` | `1.x` (v7 only) | Optional. AI SDK 7 moved model-call span emission out of `ai` core into this adapter. Install it alongside `ai@7` and the SDK auto-registers it, so your model calls show up as spans in the run trace. Not needed on v5/v6, where `ai` core emits spans. See [AI SDK 7 telemetry](#ai-sdk-7-telemetry) below. |
+| `@ai-sdk/react` | matches your `ai` major | Pulled in by `useChat`. The transport works with whichever React hook ships in the same major as your `ai` version. |
+| `react` | `^18.0 \|\| ^19.0` | Required only if you use `@trigger.dev/sdk/chat/react` (the frontend transport). Server-only consumers can skip React entirely. |
+| Node.js | `>=18.20.0` | The SDK's engine constraint. The chat agent itself works on any version the SDK supports. |
+| Provider packages (`@ai-sdk/openai`, `@ai-sdk/anthropic`, etc.) | versions that target your `ai` major | Pick a provider package whose `ai` peer matches yours. The chat agent doesn't depend on any specific provider — pass whatever model you want into `streamText`. |
+
+The `ai` peer is **optional** — server-only setups that don't call `streamText` (raw `task()` with chat primitives) can skip the AI SDK entirely.
+
+### AI SDK 7 telemetry
+
+On **AI SDK 7**, model-call spans are emitted by `@ai-sdk/otel` rather than `ai` core. Install it alongside `ai@7`:
+
+```bash
+npm install @ai-sdk/otel
+```
+
+The SDK registers it once per worker at chat agent boot, so the `experimental_telemetry` config wired up by `chat.toStreamTextOptions()` keeps producing spans in your run trace with no extra setup. On v5 and v6 nothing changes: `ai` core emits the spans and `@ai-sdk/otel` isn't needed.
+
+If you (or a library you import) already register `@ai-sdk/otel` yourself, the SDK detects the existing integration and skips its own registration, so you won't get duplicate spans. To opt out of the auto-registration entirely, set `TRIGGER_AI_SDK_OTEL_AUTOREGISTER=0`.
+
+## ChatAgentOptions
+
+Options for `chat.agent()`.
+
+| Option                        | Type                                                        | Default                        | Description                                                                                         |
+| ----------------------------- | ----------------------------------------------------------- | ------------------------------ | --------------------------------------------------------------------------------------------------- |
+| `id`                          | `string`                                                    | required                       | Task identifier                                                                                     |
+| `run`                         | `(payload: ChatTaskRunPayload) => Promise<unknown>`         | required                       | Handler for each turn                                                                               |
+| `clientDataSchema`            | `TaskSchema`                                                | —                              | Schema for validating and typing `clientData`                                                       |
+| `onBoot`                      | `(event: BootEvent) => Promise<void> \| void`               | —                              | Fires once per worker process — initial, preloaded, AND reactive continuation. Use for `chat.local` init and per-process resources. See [onBoot](/ai-chat/lifecycle-hooks#onboot). |
+| `onRecoveryBoot`              | `(event: RecoveryBootEvent) => Promise<RecoveryBootResult \| void> \| RecoveryBootResult \| void` | — | Fires on a continuation boot when the dead predecessor left recovered state (partial assistant or in-flight users). Override the smart default — drop partial, synthesize tool results, emit a recovery banner. See [Recovery boot](/ai-chat/patterns/recovery-boot). |
+| `onPreload`                   | `(event: PreloadEvent) => Promise<void> \| void`            | —                              | Fires on preloaded runs before the first message                                                    |
+| `onChatStart`                 | `(event: ChatStartEvent) => Promise<void> \| void`          | —                              | Fires once per chat, on the very first user message. Does NOT fire on continuation runs or OOM-retries — see [onChatStart](/ai-chat/lifecycle-hooks#onchatstart). |
+| `onValidateMessages`          | `(event: ValidateMessagesEvent) => UIMessage[] \| Promise<UIMessage[]>` | —                | Validate/transform UIMessages before model conversion. See [onValidateMessages](/ai-chat/lifecycle-hooks#onvalidatemessages) |
+| `hydrateMessages`             | `(event: HydrateMessagesEvent) => UIMessage[] \| Promise<UIMessage[]>` | —                 | Load message history from backend, replacing the linear accumulator. See [hydrateMessages](/ai-chat/lifecycle-hooks#hydratemessages) |
+| `actionSchema`                | `TaskSchema`                                                | —                              | Schema for validating custom actions sent via `transport.sendAction()`. See [Actions](/ai-chat/actions) |
+| `onAction`                    | `(event: ActionEvent) => Promise<unknown> \| unknown`       | —                              | Handle custom actions. Actions are not turns — only `hydrateMessages` + `onAction` fire. Return a `StreamTextResult` (or `string` / `UIMessage`) for a model response; return `void` for side-effect-only. See [Actions](/ai-chat/actions) |
+| `onTurnStart`                 | `(event: TurnStartEvent) => Promise<void> \| void`          | —                              | Fires every turn before `run()`                                                                     |
+| `onBeforeTurnComplete`        | `(event: BeforeTurnCompleteEvent) => Promise<void> \| void` | —                              | Fires after response but before stream closes. Includes `writer`.                                   |
+| `onTurnComplete`              | `(event: TurnCompleteEvent) => Promise<void> \| void`       | —                              | Fires after each turn completes (stream closed)                                                     |
+| `onCompacted`                 | `(event: CompactedEvent) => Promise<void> \| void`          | —                              | Fires when compaction occurs. Includes `writer`. See [Compaction](/ai-chat/compaction)              |
+| `compaction`                  | `ChatAgentCompactionOptions`                                | —                              | Automatic context compaction. See [Compaction](/ai-chat/compaction)                                 |
+| `pendingMessages`             | `PendingMessagesOptions`                                    | —                              | Mid-execution message injection. See [Pending Messages](/ai-chat/pending-messages)                  |
+| `prepareMessages`             | `(event: PrepareMessagesEvent) => ModelMessage[]`           | —                              | Transform model messages before use (cache breaks, context injection, etc.)                         |
+| `tools`                       | `ToolSet \| ((event: ResolveToolsEvent) => ToolSet \| Promise<ToolSet>)` | —                 | Tools for this agent. Threads each tool's `toModelOutput` through cross-turn history re-conversion, and hands the resolved set back on the run payload. Static set or per-turn function. See [Tools](/ai-chat/tools). |
+| `maxTurns`                    | `number`                                                    | `100`                          | Max conversational turns per run                                                                    |
+| `turnTimeout`                 | `string`                                                    | `"1h"`                         | How long to wait for next message                                                                   |
+| `idleTimeoutInSeconds`        | `number`                                                    | `30`                           | Seconds to stay idle before suspending                                                              |
+| `chatAccessTokenTTL`          | `string`                                                    | `"1h"`                         | How long the scoped access token remains valid                                                      |
+| `preloadIdleTimeoutInSeconds` | `number`                                                    | Same as `idleTimeoutInSeconds` | Idle timeout after `onPreload` fires                                                                |
+| `preloadTimeout`              | `string`                                                    | Same as `turnTimeout`          | Suspend timeout for preloaded runs                                                                  |
+| `uiMessageStreamOptions`      | `ChatUIMessageStreamOptions`                                | —                              | Default options for `toUIMessageStream()`. Per-turn override via `chat.setUIMessageStreamOptions()` |
+| `onChatSuspend`               | `(event: ChatSuspendEvent) => Promise<void> \| void`        | —                              | Fires right before the run suspends. See [onChatSuspend](/ai-chat/lifecycle-hooks#onchatsuspend--onchatresume) |
+| `onChatResume`                | `(event: ChatResumeEvent) => Promise<void> \| void`         | —                              | Fires right after the run resumes from suspension                                                   |
+| `exitAfterPreloadIdle`        | `boolean`                                                   | `false`                        | Exit run after preload idle timeout instead of suspending. See [exitAfterPreloadIdle](/ai-chat/lifecycle-hooks#exitafterpreloadidle) |
+| `oomMachine`                  | `MachinePresetName`                                         | —                              | Fallback machine when an attempt fails with OOM. Setting it enables a single OOM retry on the larger machine. See [OOM resilience](/ai-chat/patterns/oom-resilience) |
+
+Plus most standard [TaskOptions](/tasks/overview) — `queue`, `machine`, `maxDuration`, **`onWait`**, **`onResume`**, **`onComplete`**, and other lifecycle hooks. Generic `retry` is **not** exposed on `chat.agent`; use `oomMachine` for OOM recovery, or drop down to a raw [`task()`](/ai-chat/backend#raw-task-with-primitives) if you need richer retry semantics. Standard hooks use the same parameter shapes as on a normal `task()` (including `ctx`).
+
+## Task context (`ctx`)
+
+All **`chat.agent`** lifecycle events (**`onBoot`**, **`onPreload`**, **`onChatStart`**, **`onTurnStart`**, **`onBeforeTurnComplete`**, **`onTurnComplete`**, **`onCompacted`**) and the object passed to **`run`** include **`ctx`**: the same **`TaskRunContext`** shape as the `ctx` in `task({ run: (payload, { ctx }) => ... })`.
+
+<Note>
+  **`onValidateMessages`** does not include `ctx` — it fires before message accumulation and is designed for pure validation/transformation of incoming messages.
+</Note>
+
+Use **`ctx`** for run metadata, tags, parent links, or any API that needs the full run record. The chat-specific string **`runId`** on events is always **`ctx.run.id`**; both are provided for convenience.
+
+```ts
+import type { TaskRunContext } from "@trigger.dev/sdk";
+// Equivalent alias (same type):
+import type { Context } from "@trigger.dev/sdk";
+```
+
+<Note>
+  Prefer `import type { TaskRunContext } from "@trigger.dev/sdk"` in application code. Do not depend on `@trigger.dev/core` directly.
+</Note>
+
+## ChatTaskRunPayload
+
+The payload passed to the `run` function.
+
+| Field          | Type                                       | Description                                                          |
+| -------------- | ------------------------------------------ | -------------------------------------------------------------------- |
+| `ctx`          | `TaskRunContext`                           | Full task run context — same as `task` `run`’s `{ ctx }`             |
+| `messages`     | `ModelMessage[]`                           | Model-ready messages — pass directly to `streamText`                 |
+| `tools`        | `ToolSet`                                  | Resolved tools declared on the agent config (empty object when none). Pass straight to `streamText`. See [Tools](/ai-chat/tools). |
+| `chatId`       | `string`                                   | Your conversation ID (the session's `externalId`)                    |
+| `sessionId`    | `string`                                   | Friendly ID of the backing Session (`session_*`). Use with `sessions.open()` for advanced cases. Always set — every chat.agent run is bound to a Session. |
+| `trigger`      | `"submit-message" \| "regenerate-message"` | What triggered the request                                           |
+| `messageId`    | `string \| undefined`                      | Message ID (for regenerate)                                          |
+| `clientData`   | Typed by `clientDataSchema`                | Custom data from the frontend (typed when schema is provided)        |
+| `continuation` | `boolean`                                  | Whether this run is continuing an existing chat (previous run ended) |
+| `signal`       | `AbortSignal`                              | Combined stop + cancel signal                                        |
+| `cancelSignal` | `AbortSignal`                              | Cancel-only signal                                                   |
+| `stopSignal`   | `AbortSignal`                              | Stop-only signal (per-turn)                                          |
+| `previousTurnUsage` | `LanguageModelUsage \| undefined`       | Token usage from the previous turn (undefined on turn 0)        |
+| `totalUsage`   | `LanguageModelUsage`                       | Cumulative token usage across completed turns so far              |
+
+## BootEvent
+
+Passed to the `onBoot` callback.
+
+| Field             | Type                        | Description                                                                                          |
+| ----------------- | --------------------------- | ---------------------------------------------------------------------------------------------------- |
+| `ctx`             | `TaskRunContext`            | Full task run context — see [Task context](#task-context-ctx)                                         |
+| `chatId`          | `string`                    | Chat session ID                                                                                      |
+| `runId`           | `string`                    | The Trigger.dev run ID for this run boot                                                             |
+| `chatAccessToken` | `string`                    | Scoped access token for this run                                                                     |
+| `clientData`      | Typed by `clientDataSchema` | Custom data from the frontend                                                                        |
+| `continuation`    | `boolean`                   | `true` when this run is taking over from a prior dead run (cancel / crash / `endRun` / OOM retry)    |
+| `previousRunId`   | `string \| undefined`       | Public id of the prior run when `continuation` is true                                               |
+| `preloaded`       | `boolean`                   | Whether this run was triggered as a preload                                                          |
+
+## RecoveryBootEvent
+
+Passed to the `onRecoveryBoot` callback. See [Recovery boot](/ai-chat/patterns/recovery-boot) for the full guide.
+
+| Field              | Type                                                              | Description                                                                                          |
+| ------------------ | ----------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
+| `ctx`              | `TaskRunContext`                                                  | Full task run context — see [Task context](#task-context-ctx)                                         |
+| `chatId`           | `string`                                                          | Chat session ID                                                                                      |
+| `runId`            | `string`                                                          | The Trigger.dev run ID for this run boot                                                             |
+| `previousRunId`    | `string`                                                          | Public id of the prior run that died                                                                 |
+| `cause`            | `"cancelled" \| "crashed" \| "unknown"`                           | Best-effort cause. Currently always `"unknown"` — forward-looking, don't branch on it                |
+| `settledMessages`  | `TUIMessage[]`                                                    | Chain persisted by the predecessor's last `onTurnComplete`                                            |
+| `inFlightUsers`    | `TUIMessage[]`                                                    | User messages on `session.in` past the cursor — the message(s) the predecessor never acknowledged    |
+| `partialAssistant` | `TUIMessage \| undefined`                                         | The trailing assistant message whose stream never received `finish`                                  |
+| `pendingToolCalls` | [`RecoveryPendingToolCall[]`](#recoverypendingtoolcall)           | Tool calls in `input-available` state extracted from `partialAssistant`                              |
+| `writer`           | [`ChatWriter`](#chatwriter)                                       | Lazy session.out writer — emit a recovery banner / signal here                                       |
+
+## RecoveryBootResult
+
+Return value of `onRecoveryBoot`. Every field is optional — omit to accept the smart default.
+
+| Field            | Type                          | Description                                                                                                                                   |
+| ---------------- | ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
+| `chain`          | `TUIMessage[]`                | Replaces the seed chain. Default: `[...settledMessages, firstInFlightUser, partialAssistant]` when both present; `settledMessages` otherwise. |
+| `recoveredTurns` | `TUIMessage[]`                | User messages to dispatch as fresh turns. Default: `inFlightUsers.slice(1)` when smart-default fires; `inFlightUsers` otherwise.              |
+| `beforeBoot`     | `() => Promise<void>`         | Runs after the writer flushes and before the first recovered turn fires. Use for blocking persistence work.                                   |
+
+## RecoveryPendingToolCall
+
+| Field         | Type      | Description                                                  |
+| ------------- | --------- | ------------------------------------------------------------ |
+| `toolCallId`  | `string`  | The AI SDK tool call id                                      |
+| `toolName`    | `string`  | The tool name (the `tool-${name}` suffix on the part type)   |
+| `input`       | `unknown` | The input the model produced for the call                    |
+| `partIndex`   | `number`  | Index into `partialAssistant.parts` for in-place edits       |
+
+## PreloadEvent
+
+Passed to the `onPreload` callback.
+
+| Field             | Type                        | Description                                                    |
+| ----------------- | --------------------------- | -------------------------------------------------------------- |
+| `ctx`             | `TaskRunContext`            | Full task run context — see [Task context](#task-context-ctx)   |
+| `chatId`          | `string`                    | Chat session ID                                                |
+| `runId`           | `string`                    | The Trigger.dev run ID                                         |
+| `chatAccessToken` | `string`                    | Scoped access token for this run                               |
+| `clientData`      | Typed by `clientDataSchema` | Custom data from the frontend                                  |
+| `writer`          | [`ChatWriter`](#chatwriter) | Stream writer for custom chunks. Lazy — no overhead if unused. |
+
+## ChatStartEvent
+
+Passed to the `onChatStart` callback.
+
+| Field             | Type                        | Description                                                    |
+| ----------------- | --------------------------- | -------------------------------------------------------------- |
+| `ctx`             | `TaskRunContext`            | Full task run context — see [Task context](#task-context-ctx)   |
+| `chatId`          | `string`                    | Chat session ID                                                |
+| `messages`        | `ModelMessage[]`            | Initial model-ready messages                                   |
+| `clientData`      | Typed by `clientDataSchema` | Custom data from the frontend                                  |
+| `runId`           | `string`                    | The Trigger.dev run ID                                         |
+| `chatAccessToken` | `string`                    | Scoped access token for this run                               |
+| `continuation`    | `boolean`                   | Whether this run is continuing an existing chat                |
+| `previousRunId`   | `string \| undefined`       | Previous run ID (only when `continuation` is true)             |
+| `preloaded`       | `boolean`                   | Whether this run was preloaded before the first message        |
+| `writer`          | [`ChatWriter`](#chatwriter) | Stream writer for custom chunks. Lazy — no overhead if unused. |
+
+## ValidateMessagesEvent
+
+Passed to the `onValidateMessages` callback.
+
+| Field     | Type                                                            | Description                              |
+| --------- | --------------------------------------------------------------- | ---------------------------------------- |
+| `messages` | `UIMessage[]`                                                  | Incoming UI messages for this turn       |
+| `chatId`  | `string`                                                        | Chat session ID                          |
+| `turn`    | `number`                                                        | Turn number (0-indexed)                  |
+| `trigger` | `"submit-message" \| "regenerate-message" \| "preload" \| "close"` | The trigger type for this turn        |
+
+## ResolveToolsEvent
+
+Passed to the `tools` function form on `chat.agent`, once per turn, to resolve the tool set for that turn. See [Tools](/ai-chat/tools#static-or-per-turn-tools).
+
+| Field          | Type                        | Description                                       |
+| -------------- | --------------------------- | ------------------------------------------------- |
+| `chatId`       | `string`                    | Chat session ID                                   |
+| `turn`         | `number`                    | Turn number (0-indexed)                           |
+| `continuation` | `boolean`                   | Whether this run is continuing an existing chat   |
+| `clientData`   | Typed by `clientDataSchema` | Custom data from the frontend                     |
+
+## HydrateMessagesEvent
+
+Passed to the `hydrateMessages` callback. See [hydrateMessages](/ai-chat/lifecycle-hooks#hydratemessages).
+
+| Field              | Type                                                  | Description                                               |
+| ------------------ | ----------------------------------------------------- | --------------------------------------------------------- |
+| `chatId`           | `string`                                              | Chat session ID                                           |
+| `turn`             | `number`                                              | Turn number (0-indexed)                                   |
+| `trigger`          | `"submit-message" \| "regenerate-message" \| "action"` | The trigger type for this turn                           |
+| `incomingMessages` | `UIMessage[]`                                         | Validated wire messages from the frontend (empty for actions) |
+| `previousMessages` | `UIMessage[]`                                         | Accumulated UI messages before this turn (`[]` on turn 0) |
+| `clientData`       | Typed by `clientDataSchema`                           | Custom data from the frontend                             |
+| `continuation`     | `boolean`                                             | Whether this run is continuing an existing chat           |
+| `previousRunId`    | `string \| undefined`                                 | Previous run ID (only when `continuation` is true)        |
+
+## ActionEvent
+
+Passed to the `onAction` callback. See [Actions](/ai-chat/actions).
+
+| Field        | Type                        | Description                                              |
+| ------------ | --------------------------- | -------------------------------------------------------- |
+| `action`     | Typed by `actionSchema`     | The parsed and validated action payload                  |
+| `chatId`     | `string`                    | Chat session ID                                          |
+| `turn`       | `number`                    | Turn number (0-indexed)                                  |
+| `clientData` | Typed by `clientDataSchema` | Custom data from the frontend                            |
+| `uiMessages` | `UIMessage[]`               | Accumulated UI messages (after hydration, if set)        |
+| `messages`   | `ModelMessage[]`            | Accumulated model messages (after hydration, if set)     |
+
+## TurnStartEvent
+
+Passed to the `onTurnStart` callback.
+
+| Field             | Type                        | Description                                                    |
+| ----------------- | --------------------------- | -------------------------------------------------------------- |
+| `ctx`             | `TaskRunContext`            | Full task run context — see [Task context](#task-context-ctx)   |
+| `chatId`          | `string`                    | Chat session ID                                                |
+| `messages`        | `ModelMessage[]`            | Full accumulated conversation (model format)                   |
+| `uiMessages`      | `UIMessage[]`               | Full accumulated conversation (UI format)                      |
+| `turn`            | `number`                    | Turn number (0-indexed)                                        |
+| `runId`           | `string`                    | The Trigger.dev run ID                                         |
+| `chatAccessToken` | `string`                    | Scoped access token for this run                               |
+| `clientData`      | Typed by `clientDataSchema` | Custom data from the frontend                                  |
+| `continuation`    | `boolean`                   | Whether this run is continuing an existing chat                |
+| `previousRunId`   | `string \| undefined`       | Previous run ID (only when `continuation` is true)             |
+| `preloaded`       | `boolean`                   | Whether this run was preloaded                                 |
+| `writer`          | [`ChatWriter`](#chatwriter) | Stream writer for custom chunks. Lazy — no overhead if unused. |
+
+## TurnCompleteEvent
+
+Passed to the `onTurnComplete` callback.
+
+| Field                | Type                              | Description                                          |
+| -------------------- | --------------------------------- | ---------------------------------------------------- |
+| `ctx`                | `TaskRunContext`                  | Full task run context — see [Task context](#task-context-ctx) |
+| `chatId`             | `string`                          | Chat session ID                                      |
+| `messages`           | `ModelMessage[]`                  | Full accumulated conversation (model format)         |
+| `uiMessages`         | `UIMessage[]`                     | Full accumulated conversation (UI format)            |
+| `newMessages`        | `ModelMessage[]`                  | Only this turn's messages (model format)             |
+| `newUIMessages`      | `UIMessage[]`                     | Only this turn's messages (UI format)                |
+| `responseMessage`    | `UIMessage \| undefined`          | The assistant's response for this turn               |
+| `rawResponseMessage` | `UIMessage \| undefined`          | Raw response before abort cleanup                    |
+| `turn`               | `number`                          | Turn number (0-indexed)                              |
+| `runId`              | `string`                          | The Trigger.dev run ID                               |
+| `chatAccessToken`    | `string`                          | Scoped access token for this run                     |
+| `lastEventId`        | `string \| undefined`             | Stream position for resumption                       |
+| `stopped`            | `boolean`                         | Whether the user stopped generation during this turn |
+| `continuation`       | `boolean`                         | Whether this run is continuing an existing chat      |
+| `usage`              | `LanguageModelUsage \| undefined` | Token usage for this turn                            |
+| `totalUsage`         | `LanguageModelUsage`              | Cumulative token usage across all turns              |
+
+## BeforeTurnCompleteEvent
+
+Passed to the `onBeforeTurnComplete` callback. Same fields as `TurnCompleteEvent` (including **`ctx`**) plus a `writer`.
+
+| Field                            | Type                        | Description                                                                   |
+| -------------------------------- | --------------------------- | ----------------------------------------------------------------------------- |
+| _(all TurnCompleteEvent fields)_ |                             | See [TurnCompleteEvent](#turncompleteevent) (includes `ctx`)                  |
+| `writer`                         | [`ChatWriter`](#chatwriter) | Stream writer — the stream is still open so chunks appear in the current turn |
+
+## ChatSuspendEvent
+
+Passed to the `onChatSuspend` callback. A discriminated union on `phase`.
+
+| Field        | Type                        | Description                                              |
+| ------------ | --------------------------- | -------------------------------------------------------- |
+| `phase`      | `"preload" \| "turn"`       | Whether this is a preload or post-turn suspension        |
+| `ctx`        | `TaskRunContext`            | Full task run context                                    |
+| `chatId`     | `string`                    | Chat session ID                                          |
+| `runId`      | `string`                    | The Trigger.dev run ID                                   |
+| `clientData` | Typed by `clientDataSchema` | Custom data from the frontend                            |
+| `turn`       | `number`                    | Turn number (**`"turn"` phase only**)                    |
+| `messages`   | `ModelMessage[]`            | Accumulated model messages (**`"turn"` phase only**)     |
+| `uiMessages` | `UIMessage[]`               | Accumulated UI messages (**`"turn"` phase only**)        |
+
+## ChatResumeEvent
+
+Passed to the `onChatResume` callback. Same discriminated union shape as `ChatSuspendEvent`.
+
+| Field        | Type                        | Description                                              |
+| ------------ | --------------------------- | -------------------------------------------------------- |
+| `phase`      | `"preload" \| "turn"`       | Whether this is a preload or post-turn resumption        |
+| `ctx`        | `TaskRunContext`            | Full task run context                                    |
+| `chatId`     | `string`                    | Chat session ID                                          |
+| `runId`      | `string`                    | The Trigger.dev run ID                                   |
+| `clientData` | Typed by `clientDataSchema` | Custom data from the frontend                            |
+| `turn`       | `number`                    | Turn number (**`"turn"` phase only**)                    |
+| `messages`   | `ModelMessage[]`            | Accumulated model messages (**`"turn"` phase only**)     |
+| `uiMessages` | `UIMessage[]`               | Accumulated UI messages (**`"turn"` phase only**)        |
+
+## ChatWriter
+
+A stream writer passed to lifecycle callbacks. Write custom `UIMessageChunk` parts (e.g. `data-*` parts) to the chat stream.
+
+The writer is lazy — no stream is opened unless you call `write()` or `merge()`, so there's zero overhead for callbacks that don't use it.
+
+| Method          | Type                                               | Description                                        |
+| --------------- | -------------------------------------------------- | -------------------------------------------------- |
+| `write(part)`   | `(part: UIMessageChunk) => void`                   | Write a single chunk to the chat stream            |
+| `merge(stream)` | `(stream: ReadableStream<UIMessageChunk>) => void` | Merge another stream's chunks into the chat stream |
+
+```ts
+onTurnStart: async ({ writer }) => {
+  // Write a custom data part — render it on the frontend
+  writer.write({ type: "data-status", data: { loading: true } });
+},
+onBeforeTurnComplete: async ({ writer, usage }) => {
+  // Stream is still open — these chunks arrive before the turn ends
+  writer.write({ type: "data-usage", data: { tokens: usage?.totalTokens } });
+},
+```
+
+## ChatAgentCompactionOptions
+
+Options for the `compaction` field on `chat.agent()`. See [Compaction](/ai-chat/compaction) for usage guide.
+
+| Option                 | Type                                                                         | Required | Description                                                                  |
+| ---------------------- | ---------------------------------------------------------------------------- | -------- | ---------------------------------------------------------------------------- |
+| `shouldCompact`        | `(event: ShouldCompactEvent) => boolean \| Promise<boolean>`                 | Yes      | Decide whether to compact. Return `true` to trigger                          |
+| `summarize`            | `(event: SummarizeEvent) => Promise<string>`                                 | Yes      | Generate a summary from the current messages                                 |
+| `compactUIMessages`    | `(event: CompactMessagesEvent) => UIMessage[] \| Promise<UIMessage[]>`       | No       | Transform UI messages after compaction. Default: preserve all                |
+| `compactModelMessages` | `(event: CompactMessagesEvent) => ModelMessage[] \| Promise<ModelMessage[]>` | No       | Transform model messages after compaction. Default: replace all with summary |
+
+## CompactMessagesEvent
+
+Passed to `compactUIMessages` and `compactModelMessages` callbacks.
+
+| Field           | Type                 | Description                                          |
+| --------------- | -------------------- | ---------------------------------------------------- |
+| `summary`       | `string`             | The generated summary text                           |
+| `uiMessages`    | `UIMessage[]`        | Current UI messages (full conversation)              |
+| `modelMessages` | `ModelMessage[]`     | Current model messages (full conversation)           |
+| `chatId`        | `string`             | Chat session ID                                      |
+| `turn`          | `number`             | Current turn (0-indexed)                             |
+| `clientData`    | `unknown`            | Custom data from the frontend                        |
+| `source`        | `"inner" \| "outer"` | Whether compaction is between steps or between turns |
+
+## CompactedEvent
+
+Passed to the `onCompacted` callback.
+
+| Field          | Type                        | Description                                       |
+| -------------- | --------------------------- | ------------------------------------------------- |
+| `ctx`          | `TaskRunContext`            | Full task run context — see [Task context](#task-context-ctx) |
+| `summary`      | `string`                    | The generated summary text                        |
+| `messages`     | `ModelMessage[]`            | Messages that were compacted (pre-compaction)     |
+| `messageCount` | `number`                    | Number of messages before compaction              |
+| `usage`        | `LanguageModelUsage`        | Token usage from the triggering step/turn         |
+| `totalTokens`  | `number \| undefined`       | Total token count that triggered compaction       |
+| `inputTokens`  | `number \| undefined`       | Input token count                                 |
+| `outputTokens` | `number \| undefined`       | Output token count                                |
+| `stepNumber`   | `number`                    | Step number (-1 for outer loop)                   |
+| `chatId`       | `string \| undefined`       | Chat session ID                                   |
+| `turn`         | `number \| undefined`       | Current turn                                      |
+| `writer`       | [`ChatWriter`](#chatwriter) | Stream writer for custom chunks during compaction |
+
+## PendingMessagesOptions
+
+Options for the `pendingMessages` field. See [Pending Messages](/ai-chat/pending-messages) for usage guide.
+
+| Option         | Type                                                                              | Required | Description                                                                               |
+| -------------- | --------------------------------------------------------------------------------- | -------- | ----------------------------------------------------------------------------------------- |
+| `shouldInject` | `(event: PendingMessagesBatchEvent) => boolean \| Promise<boolean>`               | No       | Decide whether to inject the batch between tool-call steps. If absent, no injection.      |
+| `prepare`      | `(event: PendingMessagesBatchEvent) => ModelMessage[] \| Promise<ModelMessage[]>` | No       | Transform the batch before injection. Default: convert each via `convertToModelMessages`. |
+| `onReceived`   | `(event: PendingMessageReceivedEvent) => void \| Promise<void>`                   | No       | Called when a message arrives during streaming (per-message).                             |
+| `onInjected`   | `(event: PendingMessagesInjectedEvent) => void \| Promise<void>`                  | No       | Called after a batch is injected via prepareStep.                                         |
+
+## PendingMessagesBatchEvent
+
+Passed to `shouldInject` and `prepare` callbacks.
+
+| Field           | Type               | Description                   |
+| --------------- | ------------------ | ----------------------------- |
+| `messages`      | `UIMessage[]`      | All pending messages (batch)  |
+| `modelMessages` | `ModelMessage[]`   | Current conversation          |
+| `steps`         | `CompactionStep[]` | Completed steps so far        |
+| `stepNumber`    | `number`           | Current step (0-indexed)      |
+| `chatId`        | `string`           | Chat session ID               |
+| `turn`          | `number`           | Current turn (0-indexed)      |
+| `clientData`    | `unknown`          | Custom data from the frontend |
+
+## PendingMessagesInjectedEvent
+
+Passed to `onInjected` callback.
+
+| Field                   | Type             | Description                           |
+| ----------------------- | ---------------- | ------------------------------------- |
+| `messages`              | `UIMessage[]`    | All injected UI messages              |
+| `injectedModelMessages` | `ModelMessage[]` | The model messages that were injected |
+| `chatId`                | `string`         | Chat session ID                       |
+| `turn`                  | `number`         | Current turn                          |
+| `stepNumber`            | `number`         | Step where injection occurred         |
+
+## UsePendingMessagesReturn
+
+Return value of `usePendingMessages` hook. See [Pending Messages — Frontend](/ai-chat/pending-messages#frontend-usependingmessages-hook).
+
+| Property/Method         | Type                                   | Description                                                     |
+| ----------------------- | -------------------------------------- | --------------------------------------------------------------- |
+| `pending`               | `PendingMessage[]`                     | Current pending messages with mode and injection status         |
+| `steer`                 | `(text: string) => void`               | Send a steering message (or normal message when not streaming)  |
+| `queue`                 | `(text: string) => void`               | Queue for next turn (or send normally when not streaming)       |
+| `promoteToSteering`     | `(id: string) => void`                 | Convert a queued message to steering                            |
+| `isInjectionPoint`      | `(part: unknown) => boolean`           | Check if an assistant message part is an injection confirmation |
+| `getInjectedMessageIds` | `(part: unknown) => string[]`          | Get message IDs from an injection point                         |
+| `getInjectedMessages`   | `(part: unknown) => InjectedMessage[]` | Get messages (id + text) from an injection point                |
+
+## ChatSessionOptions
+
+Options for `chat.createSession()`.
+
+| Option                 | Type          | Default  | Description                         |
+| ---------------------- | ------------- | -------- | ----------------------------------- |
+| `signal`               | `AbortSignal` | required | Run-level cancel signal             |
+| `idleTimeoutInSeconds` | `number`      | `30`     | Seconds to stay idle between turns  |
+| `timeout`              | `string`      | `"1h"`   | Duration string for suspend timeout |
+| `maxTurns`             | `number`      | `100`    | Max turns before ending             |
+
+## ChatTurn
+
+Each turn yielded by `chat.createSession()`.
+
+| Field          | Type             | Description                                   |
+| -------------- | ---------------- | --------------------------------------------- |
+| `number`       | `number`         | Turn number (0-indexed)                       |
+| `chatId`       | `string`         | Chat session ID                               |
+| `trigger`      | `string`         | What triggered this turn                      |
+| `clientData`   | `unknown`        | Client data from the transport                |
+| `messages`     | `ModelMessage[]` | Full accumulated model messages               |
+| `uiMessages`   | `UIMessage[]`    | Full accumulated UI messages                  |
+| `signal`       | `AbortSignal`    | Combined stop+cancel signal (fresh each turn) |
+| `stopped`      | `boolean`        | Whether the user stopped generation this turn |
+| `continuation` | `boolean`        | Whether this is a continuation run            |
+
+| Method                  | Returns                           | Description                                                  |
+| ----------------------- | --------------------------------- | ------------------------------------------------------------ |
+| `complete(source)`      | `Promise<UIMessage \| undefined>` | Pipe, capture, accumulate, cleanup, and signal turn-complete |
+| `done()`                | `Promise<void>`                   | Signal turn-complete (when you've piped manually)            |
+| `addResponse(response)` | `Promise<void>`                   | Add response to accumulator manually                         |
+
+## chat namespace
+
+All methods available on the `chat` object from `@trigger.dev/sdk/ai`.
+
+| Method                                      | Description                                                                                                                  |
+| ------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
+| `chat.agent(options)`                       | Create a chat agent                                                                                                          |
+| `chat.createSession(payload, options)`      | Create an async iterator for chat turns                                                                                      |
+| `chat.pipe(source, options?)`               | Pipe a stream to the frontend (from anywhere inside a task)                                                                  |
+| `chat.pipeAndCapture(source, options?)`     | Pipe and capture the response `UIMessage`                                                                                    |
+| `chat.writeTurnComplete(options?)`          | Signal the frontend that the current turn is complete                                                                        |
+| `chat.createStopSignal()`                   | Create a managed stop signal wired to the stop input stream                                                                  |
+| `chat.messages`                             | Input stream for incoming messages — use `.waitWithIdleTimeout()`                                                            |
+| `chat.local<T>({ id })`                     | Create a per-run typed local (see [`chat.local`](/ai-chat/chat-local))                             |
+| `chat.createStartSessionAction(taskId, options?)` | Returns a server action that creates a chat Session + triggers the first run + returns a session-scoped PAT. Idempotent on `(env, externalId)`.   |
+| `chat.requestUpgrade()`                     | End the current run after this turn so the next message starts on the latest agent version. Server-orchestrated handoff.    |
+| `chat.setTurnTimeout(duration)`             | Override turn timeout at runtime (e.g. `"2h"`)                                                                               |
+| `chat.setTurnTimeoutInSeconds(seconds)`     | Override turn timeout at runtime (in seconds)                                                                                |
+| `chat.setIdleTimeoutInSeconds(seconds)`     | Override idle timeout at runtime                                                                                             |
+| `chat.setUIMessageStreamOptions(options)`   | Override `toUIMessageStream()` options for the current turn                                                                  |
+| `chat.defer(promise)`                       | Run background work in parallel with streaming, awaited before `onTurnComplete`                                              |
+| `chat.isStopped()`                          | Check if the current turn was stopped by the user                                                                            |
+| `chat.cleanupAbortedParts(message)`         | Remove incomplete parts from a stopped response message                                                                      |
+| `chat.response.write(chunk)`                | Write a data part that streams to the frontend AND persists in `onTurnComplete`'s `responseMessage`                          |
+| `chat.stream`                               | Raw chat output stream — use `.writer()`, `.pipe()`, `.append()`, `.read()`. Chunks are NOT accumulated into the response.   |
+| `chat.history.all()`                        | Read the current accumulated UI messages (returns a copy). See [chat.history](/ai-chat/backend#chat-history)                  |
+| `chat.history.set(messages)`                | Replace all accumulated messages (same as `chat.setMessages()`)                                                              |
+| `chat.history.remove(messageId)`            | Remove a specific message by ID                                                                                              |
+| `chat.history.rollbackTo(messageId)`        | Keep messages up to and including the given ID (undo/rollback)                                                               |
+| `chat.history.replace(messageId, message)`  | Replace a specific message by ID (edit)                                                                                      |
+| `chat.history.slice(start, end?)`           | Keep only messages in the given range                                                                                        |
+| `chat.MessageAccumulator`                   | Class that accumulates conversation messages across turns                                                                    |
+| `chat.withUIMessage(config?)`               | Returns a [ChatBuilder](/ai-chat/types#chatbuilder) with a fixed `UIMessage` subtype. See [Types](/ai-chat/types)            |
+| `chat.withClientData({ schema })`           | Returns a [ChatBuilder](/ai-chat/types#chatbuilder) with a fixed client data schema. See [Types](/ai-chat/types#typed-client-data-with-chatwithclientdata) |
+
+## `chat.withUIMessage`
+
+Returns a [`ChatBuilder`](/ai-chat/types#chatbuilder) with a fixed `UIMessage` subtype. Chain `.withClientData()`, hook methods, and `.agent()`.
+
+```ts
+chat.withUIMessage<TUIM>(config?: ChatWithUIMessageConfig<TUIM>): ChatBuilder<TUIM>;
+```
+
+| Parameter              | Type                               | Description                                                                                                                                           |
+| ---------------------- | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `config.streamOptions` | `ChatUIMessageStreamOptions<TUIM>` | Optional defaults for `toUIMessageStream()`. Shallow-merged with `uiMessageStreamOptions` on the inner `.agent({ ... })` (agent wins on key conflicts). |
+
+Use this when you need [`InferChatUIMessage`](#inferchatuimessage) / typed `data-*` parts / `InferUITools` to line up across backend hooks and `useChat`. Full guide: [Types](/ai-chat/types).
+
+## `chat.withClientData`
+
+Returns a [`ChatBuilder`](/ai-chat/types#chatbuilder) with a fixed client data schema. All hooks and `run` get typed `clientData` without passing `clientDataSchema` in `.agent()` options.
+
+```ts
+chat.withClientData<TSchema>({ schema: TSchema }): ChatBuilder<UIMessage, TSchema>;
+```
+
+| Parameter | Type         | Description                                        |
+| --------- | ------------ | -------------------------------------------------- |
+| `schema`  | `TaskSchema` | Zod, ArkType, Valibot, or any supported schema lib |
+
+Full guide: [Typed client data](/ai-chat/types#typed-client-data-with-chatwithclientdata).
+
+## `ChatWithUIMessageConfig`
+
+| Field           | Type                               | Description                                                           |
+| --------------- | ---------------------------------- | --------------------------------------------------------------------- |
+| `streamOptions` | `ChatUIMessageStreamOptions<TUIM>` | Default `toUIMessageStream()` options for agents created via `.agent()` |
+
+## `InferChatUIMessage`
+
+Type helper: extracts the `UIMessage` subtype from a chat agent’s wire payload.
+
+```ts
+import type { InferChatUIMessage } from "@trigger.dev/sdk/ai";
+// Use the /chat/react re-export when you're already importing other React helpers.
+
+type Msg = InferChatUIMessage<typeof myChat>;
+```
+
+Use with `useChat<Msg>({ transport })` when using [`chat.withUIMessage`](/ai-chat/types). For agents defined with plain `chat.agent()` (no custom generic), this resolves to the base `UIMessage`.
+
+## `InferChatUIMessageFromTools`
+
+Type helper: derives the chat `UIMessage` type (with typed `tool-${name}` parts) directly from a tool set. Shorthand for `UIMessage<unknown, UIDataTypes, InferUITools<typeof tools>>`.
+
+```ts
+import type { InferChatUIMessageFromTools } from "@trigger.dev/sdk/ai";
+
+const tools = { search, readFile };
+type ChatUiMessage = InferChatUIMessageFromTools<typeof tools>;
+```
+
+Pin it on the agent with [`chat.withUIMessage<ChatUiMessage>()`](/ai-chat/types) and reuse it on the client. See [Tools](/ai-chat/tools#typing-messages-from-your-tools).
+
+## AI helpers (`ai` from `@trigger.dev/sdk/ai`)
+
+| Export                                                                              | Status         | Description                                                                                                                                                                                |
+| ----------------------------------------------------------------------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `ai.toolExecute(task)`                                                              | **Preferred**  | Returns the `execute` function for AI SDK `tool()`. Runs the task via `triggerAndSubscribe` and attaches tool/chat metadata (same behavior the deprecated wrapper used internally).        |
+| `ai.tool(task, options?)`                                                           | **Deprecated** | Wraps `tool()` / `dynamicTool()` and the same execute path. Migrate to `tool({ ..., execute: ai.toolExecute(task) })`. See [Task-backed AI tools](/tasks/schemaTask#task-backed-ai-tools). |
+| `ai.toolCallId`, `ai.chatContext`, `ai.chatContextOrThrow`, `ai.currentToolOptions` | Supported      | Work for any task-backed tool execute path, including `ai.toolExecute`.                                                                                                                    |
+
+## ChatUIMessageStreamOptions
+
+Options for customizing `toUIMessageStream()`. Set as static defaults via `uiMessageStreamOptions` on `chat.agent()`, or override per-turn via `chat.setUIMessageStreamOptions()`. See [Stream options](/ai-chat/backend#stream-options) for usage examples.
+
+Derived from the AI SDK's `UIMessageStreamOptions` with `onFinish` and `originalMessages` omitted (managed internally — `onFinish` for response capture, `originalMessages` for cross-turn message ID reuse).
+
+| Option              | Type                              | Default              | Description                                                                                                                         |
+| ------------------- | --------------------------------- | -------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `onError`           | `(error: unknown) => string`      | Raw error message    | Called on LLM errors and tool execution errors. Return a sanitized string — sent as `{ type: "error", errorText }` to the frontend. |
+| `sendReasoning`     | `boolean`                         | `true`               | Send reasoning parts to the client                                                                                                  |
+| `sendSources`       | `boolean`                         | `false`              | Send source parts to the client                                                                                                     |
+| `sendFinish`        | `boolean`                         | `true`               | Send the finish event. Set to `false` when chaining multiple `streamText` calls.                                                    |
+| `sendStart`         | `boolean`                         | `true`               | Send the message start event. Set to `false` when chaining.                                                                         |
+| `messageMetadata`   | `(options: { part }) => metadata` | —                    | Extract message metadata to send to the client. Called on `start` and `finish` events.                                              |
+| `generateMessageId` | `() => string`                    | AI SDK's `generateId` | Custom message ID generator for response messages (e.g. UUID-v7). IDs are shared between frontend and backend via the stream's `start` chunk. |
+
+## TriggerChatTransport options
+
+Options for the frontend transport constructor and `useTriggerChatTransport` hook.
+
+| Option                 | Type                                                                 | Default                     | Description                                                                 |
+| ---------------------- | -------------------------------------------------------------------- | --------------------------- | --------------------------------------------------------------------------- |
+| `task`                 | `string`                                                             | required                    | Task ID the transport's session is bound to. Threaded into `startSession`'s params. |
+| `accessToken`          | `(params: AccessTokenParams) => string \| Promise<string>`           | required                    | Pure refresh — mints a fresh session-scoped PAT. Called on 401/403. See [callback shape](#accesstoken-callback). |
+| `startSession`         | `(params: StartSessionParams<TClientData>) => Promise<StartSessionResult>` | optional                    | Creates the chat Session and returns the session-scoped PAT. Called on `transport.preload(chatId)` and lazily on the first `sendMessage` for any chatId without a cached PAT. See [callback shape](#startsession-callback). |
+| `baseURL`              | `string \| (ctx: { endpoint: "in" \| "out"; chatId: string }) => string` | `"https://api.trigger.dev"` | API base URL. String form applies to every endpoint; function form lets you pick per endpoint — e.g. route `.in/append` through a trusted edge proxy while keeping `.out` SSE direct (see [Trusted edge signals](/ai-chat/patterns/trusted-edge-signals)). |
+| `fetch`                | `(url: string, init: RequestInit, ctx: { endpoint: "in" \| "out"; chatId: string }) => Promise<Response>` | —                           | Per-request fetch override. Invoked for both `.in/append` POSTs and the `.out` SSE GET. Use for header injection (tracing), custom retries, or proxy rewrites beyond what `baseURL` can express. |
+| `headers`              | `Record<string, string>`                                             | —                           | Extra headers for API requests                                              |
+| `streamTimeoutSeconds` | `number`                                                             | `120`                       | How long to wait for stream data                                            |
+| `clientData`           | Typed by `clientDataSchema`                                          | —                           | Default client data merged into per-turn `metadata` and threaded through `startSession`'s params (so the first run's `payload.metadata` matches per-turn `metadata`). Live-updated when the option value changes. |
+| `sessions`             | `Record<string, ChatSession>`                                        | —                           | Restore sessions from storage. See [ChatSession](#chatsession).             |
+| `onSessionChange`      | `(chatId, session \| null) => void`                                  | —                           | Fires when session state changes. `session` is the full `ChatSession` or `null` when the run ends. |
+| `multiTab`             | `boolean`                                                            | `false`                     | Enable multi-tab claim coordination via `BroadcastChannel`. See [Frontend → multi-tab](/ai-chat/frontend#multi-tab-coordination). |
+| `watch`                | `boolean`                                                            | `false`                     | Read-only watcher mode — keep the SSE subscription open across `trigger:turn-complete` so a viewer sees turns 2, 3, … through one long-lived stream. |
+| `headStart`            | `string`                                                             | —                           | URL of a [`chat.headStart`](/ai-chat/fast-starts#head-start) route handler. When set, the FIRST message of a brand-new chat POSTs to this URL so step 1's LLM call runs in your warm process while the agent run boots in parallel. Subsequent turns bypass it. |
+
+### `accessToken` callback
+
+The transport invokes `accessToken` whenever it needs a *fresh* session-scoped PAT — initial use after no PAT is cached, or after a 401/403 from any session-PAT-authed request. The callback's job is to **return a token, not to start a run.**
+
+`AccessTokenParams`:
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `chatId` | `string` | The conversation id. |
+
+Customer implementation typically wraps `auth.createPublicToken` server-side:
+
+```ts
+"use server";
+import { auth } from "@trigger.dev/sdk";
+
+export async function mintChatAccessToken(chatId: string) {
+  return auth.createPublicToken({
+    scopes: { read: { sessions: chatId }, write: { sessions: chatId } },
+    expirationTime: "1h",
+  });
+}
+```
+
+```ts
+const transport = useTriggerChatTransport({
+  task: "my-chat",
+  accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+});
+```
+
+### `startSession` callback
+
+The transport invokes `startSession` when it needs to *create* the session — on `transport.preload(chatId)`, and lazily on the first `sendMessage` for any chatId without a cached PAT. Concurrent and repeat calls dedupe via an in-flight promise, and the customer's wrapped helper is idempotent on `(env, externalId)` so two tabs / two `preload` calls converge on the same session.
+
+`StartSessionParams<TClientData>`:
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `taskId` | `string` | The transport's `task` value. |
+| `chatId` | `string` | The conversation id (the session's `externalId`). |
+| `clientData` | `TClientData` | The transport's current `clientData` option. Pass through to `triggerConfig.basePayload.metadata` so the first run's `payload.metadata` matches per-turn `metadata`. |
+
+Customer implementation wraps `chat.createStartSessionAction(taskId)`:
+
+```ts
+"use server";
+import { chat } from "@trigger.dev/sdk/ai";
+
+export const startChatSession = chat.createStartSessionAction("my-chat");
+```
+
+```ts
+const transport = useTriggerChatTransport({
+  task: "my-chat",
+  startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+});
+```
+
+`startSession` is optional only when the customer fully manages the session lifecycle externally (e.g. by hydrating `sessions: { [chatId]: ... }` and never calling `preload`). Most customers should provide it.
+
+### multiTab
+
+Enable multi-tab coordination. When `true`, only one browser tab can send messages to a given chatId at a time. Other tabs enter read-only mode with real-time message updates via `BroadcastChannel`.
+
+```ts
+const transport = useTriggerChatTransport({
+  task: "my-chat",
+  accessToken,
+  multiTab: true,
+});
+```
+
+No-op when `BroadcastChannel` is unavailable (SSR, Node.js). See [Multi-tab coordination](/ai-chat/frontend#multi-tab-coordination).
+
+### Trigger configuration
+
+Trigger config (machine, queue, tags, maxAttempts, idleTimeoutInSeconds) lives server-side in `chat.createStartSessionAction(taskId, options?)`. The transport doesn't accept these options directly — pass them when wrapping the action:
+
+```ts
+"use server";
+import { chat } from "@trigger.dev/sdk/ai";
+
+export const startChatSession = chat.createStartSessionAction("my-chat", {
+  triggerConfig: {
+    machine: "small-1x",
+    queue: "chat-queue",
+    tags: ["user:123"],
+    maxAttempts: 3,
+    idleTimeoutInSeconds: 60,
+  },
+});
+```
+
+A `chat:{chatId}` tag is automatically added to every run.
+
+For per-call values that vary by chatId (e.g. plan-tier-driven machine), accept extra params on the customer's server action and pass them into `chat.createStartSessionAction(...)`'s options at call time.
+
+### transport.stopGeneration()
+
+Stop the current generation for a chat session. Sends a stop signal to the backend task and closes the active SSE connection.
+
+```ts
+transport.stopGeneration(chatId: string): Promise<boolean>
+```
+
+Returns `true` if the stop signal was sent, `false` if there's no active session. Works for both initial connections and reconnected streams (after page refresh with `resume: true`).
+
+Use alongside `useChat`'s `stop()` for a complete stop experience:
+
+```tsx
+const { stop: aiStop } = useChat({ transport });
+
+const stop = useCallback(() => {
+  transport.stopGeneration(chatId);
+  aiStop();
+}, [transport, chatId, aiStop]);
+```
+
+See [Stop generation](/ai-chat/frontend#stop-generation) for full details.
+
+### transport.sendAction()
+
+Send a custom action to the agent. Actions wake the agent from suspension and fire `onAction`. They are not turns — `run()` and turn lifecycle hooks do not fire. If `onAction` returns a `StreamTextResult`, the response is auto-piped to the frontend.
+
+```ts
+transport.sendAction(chatId: string, action: unknown): Promise<ReadableStream<UIMessageChunk>>
+```
+
+The action payload is validated against the agent's `actionSchema` on the backend.
+
+```tsx
+// Undo button
+<button onClick={() => transport.sendAction(chatId, { type: "undo" })}>
+  Undo
+</button>
+```
+
+See [Actions](/ai-chat/actions) for backend setup and [Sending actions](/ai-chat/frontend#sending-actions) for frontend usage.
+
+### transport.preload()
+
+Eagerly trigger a run before the first message.
+
+```ts
+transport.preload(chatId, { idleTimeoutInSeconds?: number }): Promise<void>
+```
+
+No-op if a session already exists for this chatId. See [Preload](/ai-chat/fast-starts#preload) for full details.
+
+## useTriggerChatTransport
+
+React hook that creates and memoizes a `TriggerChatTransport` instance. Import from `@trigger.dev/sdk/chat/react`.
+
+```tsx
+import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+import type { myChat } from "@/trigger/chat";
+
+const transport = useTriggerChatTransport<typeof myChat>({
+  task: "my-chat",
+  accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+  startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+  sessions: savedSessions,
+  onSessionChange: handleSessionChange,
+});
+```
+
+The transport is created once on first render and reused across re-renders. Pass a type parameter for compile-time validation of the task ID.
+
+## AgentChat options
+
+Options for the server-side chat client constructor. Import `AgentChat` from `@trigger.dev/sdk/chat`.
+
+| Option                 | Type                                                                 | Default                                | Description                                                                 |
+| ---------------------- | -------------------------------------------------------------------- | -------------------------------------- | --------------------------------------------------------------------------- |
+| `agent`                | `string`                                                             | required                               | Task ID of the chat agent to converse with.                                 |
+| `id`                   | `string`                                                             | `crypto.randomUUID()`                  | Conversation ID. Used as the Session `externalId` and for tagging runs.     |
+| `clientData`           | Typed by `clientDataSchema`                                          | —                                      | Client data included in every request. Same shape as the agent's `clientDataSchema`. |
+| `session`              | `ChatSession`                                                        | —                                      | Restore a previous session (pass `lastEventId` to resume SSE).              |
+| `triggerConfig`        | `Partial<SessionTriggerConfig>`                                      | —                                      | Default trigger config used when starting a new session (machine, tags, etc.). |
+| `streamTimeoutSeconds` | `number`                                                             | `120`                                  | SSE timeout in seconds.                                                     |
+| `onTriggered`          | `(event) => void \| Promise<void>`                                   | —                                      | Fires when a new run is triggered for this session.                         |
+| `onTurnComplete`       | `(event) => void \| Promise<void>`                                   | —                                      | Fires when a turn completes. Persist `event.lastEventId` for stream resumption. |
+| `baseURL`              | `string \| (ctx: { endpoint: "in" \| "out"; chatId: string }) => string` | `apiClientManager.baseURL`             | API base URL. String form applies to every endpoint; function form picks per endpoint. Defaults to whatever `@trigger.dev/sdk` was configured with (typically `TRIGGER_API_URL`). |
+| `fetch`                | `(url: string, init: RequestInit, ctx: { endpoint: "in" \| "out"; chatId: string }) => Promise<Response>` | —                                      | Per-request fetch override. Invoked for both `.in/append` POSTs and the `.out` SSE GET. Use for header injection, custom retries, or proxy rewrites. |
+
+## createStartSessionAction options
+
+Second argument to `chat.createStartSessionAction(taskId, options?)`. Controls how the server-mediated session-create call reaches the trigger.dev API.
+
+| Option           | Type                                                                                 | Default                       | Description                                                                 |
+| ---------------- | ------------------------------------------------------------------------------------ | ----------------------------- | --------------------------------------------------------------------------- |
+| `tokenTTL`       | `string \| number \| Date`                                                           | `"1h"`                        | TTL for the session-scoped public access token returned to the browser.     |
+| `triggerConfig`  | `Partial<SessionTriggerConfig>`                                                      | —                             | Default trigger config (machine, tags, queue, etc.). Per-call config shallow-merges on top. |
+| `baseURL`        | `string \| (ctx: { endpoint: "sessions" \| "auth"; chatId: string }) => string`      | `apiClientManager.baseURL`    | API base URL. `endpoint` is `"sessions"` for `POST /api/v1/sessions` or `"auth"` for `POST /api/v1/auth/jwt/claims` (only fires when `tokenTTL` is set). |
+| `fetch`          | `(url: string, init: RequestInit, ctx: { endpoint: "sessions" \| "auth"; chatId: string }) => Promise<Response>` | —                             | Per-request fetch override. Use to route session-create through a trusted edge proxy so `basePayload.metadata` is rewritten before reaching `api.trigger.dev`. |
+
+## useMultiTabChat
+
+React hook for multi-tab message coordination. Import from `@trigger.dev/sdk/chat/react`.
+
+```tsx
+import { useMultiTabChat } from "@trigger.dev/sdk/chat/react";
+
+const { isReadOnly } = useMultiTabChat(transport, chatId, messages, setMessages);
+```
+
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `transport` | `TriggerChatTransport` | Transport instance with `multiTab: true` |
+| `chatId` | `string` | The chat session ID |
+| `messages` | `UIMessage[]` | Current messages from `useChat` |
+| `setMessages` | `(messages) => void` | Message setter from `useChat` |
+
+**Returns:** `{ isReadOnly: boolean }` — `true` when another tab is actively sending to this chatId.
+
+The hook handles:
+- Tracking read-only state from the transport's `BroadcastChannel` coordinator
+- Broadcasting messages when this tab is the active sender
+- Receiving messages from other tabs and updating via `setMessages`
+
+See [Multi-tab coordination](/ai-chat/frontend#multi-tab-coordination).
+
+## ChatSession
+
+Persistable session state for the frontend `TriggerChatTransport` and the server-side `AgentChat`. The underlying Session row is keyed on `chatId` (durable across runs); the persistable shape is just the SSE resume cursor and a refresh token.
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `publicAccessToken` | `string` | Session-scoped JWT (`read:sessions:{chatId} + write:sessions:{chatId}`). Refreshed automatically on 401/403 via the transport's `accessToken` callback. |
+| `lastEventId` | `string \| undefined` | Last SSE event received on `.out`. Used to resume mid-stream after a disconnect. |
+| `isStreaming` | `boolean \| undefined` | Optional. If persisted, `reconnectToStream` uses it as a fast-path short-circuit. If omitted, the server decides via the session's [`X-Session-Settled`](/ai-chat/client-protocol#x-session-settled-fast-close-on-idle-reconnects) response header. |
+
+## ChatInputChunk
+
+The wire shape for records sent on `.in`. Consumed by `chat.agent` internally — you typically don't write these yourself; `transport.sendMessage`, `transport.stopGeneration`, and `transport.sendAction` all serialize into this shape.
+
+```ts
+type ChatInputChunk<TMessage = UIMessage, TMetadata = unknown> =
+  | { kind: "message"; payload: ChatTaskWirePayload<TMessage, TMetadata> }
+  | { kind: "stop"; message?: string };
+```
+
+| Variant | When | Payload |
+| --- | --- | --- |
+| `kind: "message"` | New message, action, approval response, or close | `payload` is a full `ChatTaskWirePayload` — its `trigger` field (`"submit-message"` / `"action"` / `"close"`) determines the agent's dispatch |
+| `kind: "stop"` | Client aborted the active turn | Optional `message` surfaces in the stop handler |
+
+For the raw wire format, see [Client Protocol — ChatInputChunk](/ai-chat/client-protocol#chatinputchunk).
+
+## Session token scopes
+
+Tokens minted for `TriggerChatTransport` and `AgentChat` are session-scoped — keyed on the chat's `externalId` (the `chatId` you assign).
+
+| Scope | Grants |
+| --- | --- |
+| `read:sessions:<chatId>` | Subscribe to `.out`, HEAD probe the stream, retrieve the session row |
+| `write:sessions:<chatId>` | Append to `.in`, close the session, end-and-continue, update metadata |
+
+Tokens are produced by `auth.createPublicToken({ scopes: { read: { sessions: chatId }, write: { sessions: chatId } } })` (used by the customer's `accessToken` server action) or returned automatically from `chat.createStartSessionAction` / `POST /api/v1/sessions`. Either form authorizes both URL forms (`/sessions/{chatId}/...` and `/sessions/session_*/...`) on every read and write route.
+
+## Related
+
+- [Realtime Streams](/tasks/streams) — How streams work under the hood
+- [Using the Vercel AI SDK](/guides/examples/vercel-ai-sdk) — Basic AI SDK usage with Trigger.dev
+- [Realtime React Hooks](/realtime/react-hooks/overview) — Lower-level realtime hooks
+- [Authentication](/realtime/auth) — Public access tokens and trigger tokens
diff --git a/docs/ai-chat/server-chat.mdx b/docs/ai-chat/server-chat.mdx
new file mode 100644
index 00000000000..c2c5928a640
--- /dev/null
+++ b/docs/ai-chat/server-chat.mdx
@@ -0,0 +1,263 @@
+---
+title: "Server-Side Chat"
+sidebarTitle: "Server-Side Chat"
+description: "Use AgentChat to interact with chat agents from server-side code — tasks, webhooks, scripts, or other agents."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+`AgentChat` lets you chat with agents from server-side code. It works inside tasks (agent-to-agent), request handlers, webhook processors, and scripts.
+
+```ts
+import { AgentChat } from "@trigger.dev/sdk/chat";
+
+const chat = new AgentChat({ agent: "my-agent" });
+const stream = await chat.sendMessage("Hello!");
+const text = await stream.text();
+await chat.close();
+```
+
+## Type-safe client data
+
+Pass `typeof yourAgent` as a type parameter and `clientData` is automatically typed from the agent's `withClientData` schema:
+
+```ts
+import { AgentChat } from "@trigger.dev/sdk/chat";
+import type { myAgent } from "./trigger/my-agent";
+
+const chat = new AgentChat<typeof myAgent>({
+  agent: "my-agent",
+  clientData: { userId: "user_123" }, // ← typed from agent definition
+});
+```
+
+## Conversation lifecycle
+
+Each `AgentChat` instance represents one conversation. The conversation ID is auto-generated or can be set explicitly:
+
+```ts
+// Auto-generated ID
+const chat = new AgentChat({ agent: "my-agent" });
+
+// Explicit ID — useful for persistence or finding the run later
+const chat = new AgentChat({ agent: "my-agent", id: `review-${prNumber}` });
+```
+
+### Sending messages
+
+`sendMessage()` triggers a new run on the first call, then reuses the same run for subsequent messages via input streams:
+
+```ts
+// First message — triggers a new run
+const stream1 = await chat.sendMessage("Review PR #42");
+const review = await stream1.text();
+
+// Follow-up — same run, agent has full context
+const stream2 = await chat.sendMessage("Can you fix the main bug?");
+const fix = await stream2.text();
+```
+
+### Preloading (optional)
+
+If you want the agent to initialize before the first message (e.g., load data, authenticate), call `preload()`. This is optional — `sendMessage()` triggers the run automatically if needed.
+
+```ts
+await chat.preload();
+// Agent's onPreload hook fires now, before user types anything
+const stream = await chat.sendMessage("Hello");
+```
+
+### Closing
+
+Signal the agent to exit its loop gracefully:
+
+```ts
+await chat.close();
+```
+
+Without `close()`, the agent exits on its own when its idle/suspend timeout expires.
+
+## Reading responses
+
+`sendMessage()` returns a `ChatStream` — a typed wrapper around the response.
+
+### Get the full text
+
+```ts
+const stream = await chat.sendMessage("What is Trigger.dev?");
+const text = await stream.text();
+```
+
+### Get structured results
+
+```ts
+const stream = await chat.sendMessage("Research this topic");
+const { text, toolCalls, toolResults } = await stream.result();
+
+for (const tc of toolCalls) {
+  console.log(`Tool: ${tc.toolName}, Input: ${JSON.stringify(tc.input)}`);
+}
+```
+
+### Stream chunks in real-time
+
+```ts
+const stream = await chat.sendMessage("Write a report");
+
+for await (const chunk of stream) {
+  if (chunk.type === "text-delta") {
+    process.stdout.write(chunk.delta);
+  }
+  if (chunk.type === "tool-input-available") {
+    console.log(`Using tool: ${chunk.toolName}`);
+  }
+}
+```
+
+## Stateless request handlers
+
+In a stateless environment (HTTP handler, serverless function), you need to persist and restore the session across requests.
+
+Each chat is backed by a durable Session row that outlives any single run. `AgentChat` exposes the persistable state via `chat.session` (the SSE resume cursor) and surfaces the current run id via the `onTriggered` callback for telemetry / dashboard linking.
+
+```ts
+import { AgentChat } from "@trigger.dev/sdk/chat";
+
+export async function POST(req: Request) {
+  const { chatId, message } = await req.json();
+  const saved = await db.sessions.find({ chatId });
+
+  const chat = new AgentChat({
+    agent: "my-agent",
+    id: chatId,
+    // Restore from previous request — `lastEventId` is the SSE resume
+    // cursor; the underlying Session is keyed on `chatId` so it's
+    // implicit and durable.
+    session: saved ? { lastEventId: saved.lastEventId } : undefined,
+    // Useful for telemetry / dashboard linking. The `runId` is the
+    // current run, which may change across continuations and upgrades.
+    onTriggered: async ({ runId }) => {
+      await db.sessions.upsert({ chatId, runId });
+    },
+    // Persist after each turn for stream resumption
+    onTurnComplete: async ({ lastEventId }) => {
+      await db.sessions.update({ chatId, lastEventId });
+    },
+  });
+
+  const stream = await chat.sendMessage(message);
+  const text = await stream.text();
+
+  return Response.json({ text });
+}
+```
+
+<Info>
+  The Session row is the run manager — a chat that was active yesterday
+  resumes against the same chatId today, even if the original run has
+  long since exited. `AgentChat` (server-side) and `TriggerChatTransport`
+  (browser) both rely on this: send a new message and the server
+  triggers a fresh continuation run on the same session, carrying the
+  conversation forward without losing history or identity.
+</Info>
+
+## Sub-agent tool pattern
+
+`AgentChat` can be used inside an AI SDK tool to delegate work to a durable sub-agent. The sub-agent's response streams as preliminary tool results:
+
+```ts
+import { tool } from "ai";
+import { AgentChat } from "@trigger.dev/sdk/chat";
+import { z } from "zod";
+
+const researchTool = tool({
+  description: "Delegate research to a specialist agent.",
+  inputSchema: z.object({ topic: z.string() }),
+  execute: async function* ({ topic }, { abortSignal }) {
+    const chat = new AgentChat({ agent: "research-agent" });
+    const stream = await chat.sendMessage(topic, { abortSignal });
+    yield* stream.messages();
+    await chat.close();
+  },
+  toModelOutput: ({ output: message }) => {
+    const lastText = message?.parts?.findLast(
+      (p: { type: string }) => p.type === "text"
+    ) as { text?: string } | undefined;
+    return { type: "text", value: lastText?.text ?? "Done." };
+  },
+});
+```
+
+This supports single-turn delegation, multi-turn LLM-driven conversations with persistent sub-agents, and cross-turn state that survives snapshot/restore.
+
+See the [Sub-Agents guide](/ai-chat/patterns/sub-agents) for the full pattern including multi-turn conversations, cleanup, and what the frontend sees.
+
+## Additional methods
+
+### Steering
+
+Send a message during an active stream without interrupting it:
+
+```ts
+await chat.steer("Focus on security issues specifically");
+```
+
+### Stop generation
+
+Abort the current `streamText` call without ending the run:
+
+```ts
+await chat.stop();
+```
+
+### Raw messages
+
+For full control over the UIMessage shape:
+
+```ts
+const rawStream = await chat.sendRaw([
+  {
+    id: "msg-1",
+    role: "user",
+    parts: [
+      { type: "text", text: "Hello" },
+      { type: "file", url: "https://...", mediaType: "image/png" },
+    ],
+  },
+]);
+```
+
+### Reconnect
+
+Resume a stream subscription after a disconnect:
+
+```ts
+const stream = await chat.reconnect();
+```
+
+## AgentChat options
+
+| Option | Type | Default | Description |
+|---|---|---|---|
+| `agent` | `string` | required | The agent task ID to trigger |
+| `id` | `string` | `crypto.randomUUID()` | Conversation ID for tagging and correlation |
+| `clientData` | typed from agent | `undefined` | Client data included in every request |
+| `session` | `ChatSession` (`{ lastEventId?: string }`) | `undefined` | Restore a previous session's SSE resume cursor. The Session row itself is keyed on `chatId` (durable) — no other state to thread. |
+| `onTriggered` | `(event) => void` | `undefined` | Called when a new run is created |
+| `onTurnComplete` | `(event) => void` | `undefined` | Called when a turn's stream ends |
+| `streamTimeoutSeconds` | `number` | `120` | SSE timeout in seconds |
+| `triggerConfig` | `SessionTriggerConfig` | `undefined` | Tags, queue, machine, `maxAttempts`, `idleTimeoutInSeconds`, `basePayload` — folded into `sessions.start({...})` |
+| `baseURL` | `string \| (ctx: { endpoint: "in" \| "out"; chatId: string }) => string` | `apiClientManager.baseURL` | API base URL. String form applies to every endpoint; function form picks per endpoint — useful for routing `.in/append` through an edge proxy while keeping `.out` SSE direct. Defaults to whatever `@trigger.dev/sdk` was configured with (typically `TRIGGER_API_URL`). |
+| `fetch` | `(url: string, init: RequestInit, ctx: { endpoint: "in" \| "out"; chatId: string }) => Promise<Response>` | `undefined` | Per-request fetch override. Invoked for both `.in/append` POSTs and the `.out` SSE GET. Use for header injection, custom retries, or proxy rewrites. |
+
+## ChatStream methods
+
+| Method | Returns | Description |
+|---|---|---|
+| `text()` | `Promise<string>` | Consume stream, return accumulated text |
+| `result()` | `Promise<ChatStreamResult>` | Consume stream, return `{ text, toolCalls, toolResults }` |
+| `messages()` | `AsyncGenerator<UIMessage>` | Yield accumulated UIMessage snapshots (sub-agent pattern) |
+| `[Symbol.asyncIterator]` | `UIMessageChunk` | Iterate over typed stream chunks |
+| `.stream` | `ReadableStream<UIMessageChunk>` | Raw stream for AI SDK utilities |
diff --git a/docs/ai-chat/sessions.mdx b/docs/ai-chat/sessions.mdx
new file mode 100644
index 00000000000..9e03279b218
--- /dev/null
+++ b/docs/ai-chat/sessions.mdx
@@ -0,0 +1,263 @@
+---
+title: "Sessions"
+sidebarTitle: "Sessions"
+description: "The durable, task-bound, bi-directional I/O primitive that backs chat.agent — sessions.list / open / start / close plus the SessionHandle (in/out) API."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+A **Session** is a durable, task-bound, bi-directional I/O channel pair. It outlives any single run: a Session row is keyed on a stable `externalId` (e.g. `chatId`), holds the conversation's identity across run boundaries, and exposes two realtime streams — `.in` (clients → task) and `.out` (task → clients).
+
+`chat.agent` is built on Sessions. You can also use them directly for any pattern that needs durable bi-directional streaming across runs: long-lived agent inboxes, multi-step approval flows, server-to-server pipelines that survive worker restarts.
+
+## When to reach for Sessions directly
+
+`chat.agent` handles 90% of chat-shaped workloads — message accumulation, the turn loop, stop signals, lifecycle hooks. Use the raw `sessions` API when you need any of:
+
+- **Non-chat conversational state**: an agent inbox where each "turn" is a webhook event rather than a UI message.
+- **Server-to-server bi-directional streaming** where an external service produces records the task consumes (and vice-versa) over the same durable channel.
+- **A custom turn loop** where the agent abstraction doesn't fit but you still want session-survival across runs.
+
+For chat use cases, prefer [`chat.agent`](/ai-chat/backend#chat-agent) or [`chat.createSession`](/ai-chat/backend#chat-createsession).
+
+## `sessions` namespace
+
+```ts
+import { sessions } from "@trigger.dev/sdk";
+```
+
+### `sessions.start(body, requestOptions?)`
+
+Atomically create a Session row and trigger its first run. Idempotent on `(env, externalId)` — two concurrent calls with the same `externalId` converge to one session.
+
+```ts
+const { id, runId, publicAccessToken, isCached } = await sessions.start({
+  type: "chat.agent",
+  externalId: chatId,
+  taskIdentifier: "my-chat",
+  triggerConfig: {
+    tags: [`chat:${chatId}`],
+    basePayload: { /* whatever your task's payload shape is */ },
+  },
+});
+```
+
+| Field | Type | Notes |
+|---|---|---|
+| `type` | `string` | Free-form discriminator. `chat.agent` uses `"chat.agent"`. |
+| `externalId` | `string?` | Your stable identity. Cannot start with `session_` (reserved). |
+| `taskIdentifier` | `string` | Task this session triggers runs against. |
+| `triggerConfig` | `SessionTriggerConfig` | Trigger options applied to every run: `tags`, `queue`, `machine`, `maxAttempts`, `idleTimeoutInSeconds`, `basePayload`. |
+| `tags` | `string[]?` | Up to 10 tags on the Session row (separate from `triggerConfig.tags`). |
+| `metadata` | `Record<string, unknown>?` | Arbitrary JSON. |
+| `expiresAt` | `Date?` | Hard retention deadline. |
+
+Returns `CreatedSessionResponseBody`:
+
+| Field | Type | Notes |
+|---|---|---|
+| `id` | `string` | Server-assigned `session_*` friendlyId. |
+| `runId` | `string` | The first run created alongside the session. |
+| `publicAccessToken` | `string` | Session-scoped PAT (`read:sessions:{id} + write:sessions:{id}`). |
+| `isCached` | `boolean` | `true` if the session already existed (idempotent upsert). |
+
+### `sessions.retrieve(idOrExternalId, requestOptions?)`
+
+Retrieve a Session by either its server-assigned `session_*` id or your user-supplied `externalId`. The server disambiguates via the `session_` prefix.
+
+```ts
+const session = await sessions.retrieve(chatId);
+console.log(session.currentRunId, session.tags, session.closedAt);
+```
+
+### `sessions.update(idOrExternalId, body, requestOptions?)`
+
+Mutate `tags`, `metadata`, or `externalId` on an existing Session. Pass `externalId: null` to explicitly clear it.
+
+### `sessions.close(idOrExternalId, body?, requestOptions?)`
+
+Mark a Session as closed. Terminal and idempotent. The optional `reason` is stored on the row.
+
+```ts
+await sessions.close(chatId, { reason: "user signed out" });
+```
+
+### `sessions.list(options?, requestOptions?)`
+
+Cursor-paginated list of Sessions in the current environment. Returns a `CursorPagePromise` you can iterate with `for await`.
+
+```ts
+for await (const s of sessions.list({
+  type: "chat.agent",
+  tag: `user:${userId}`,
+  status: "ACTIVE",
+  limit: 50,
+})) {
+  console.log(s.id, s.externalId, s.createdAt);
+}
+```
+
+| Filter | Type | Notes |
+|---|---|---|
+| `type` | `string \| string[]` | e.g. `"chat.agent"` |
+| `tag` | `string \| string[]` | Matches `triggerConfig.tags` |
+| `taskIdentifier` | `string \| string[]` | Filter by task |
+| `externalId` | `string` | Exact match |
+| `status` | `"ACTIVE" \| "CLOSED" \| "EXPIRED"` | Lifecycle state |
+| `period` / `from` / `to` | window | Time-range filter |
+| `limit` / `after` / `before` | cursor | Pagination (1–100 per page; default 20) |
+
+### `sessions.open(idOrExternalId)`
+
+Open a lightweight `SessionHandle` to the realtime channels. Does **not** hit the network — each handle method calls the corresponding endpoint lazily.
+
+```ts
+const session = sessions.open(chatId);
+await session.out.append({ kind: "message", text: "hello" });
+const next = await session.in.once<MyEvent>({ timeoutMs: 30_000 });
+```
+
+## `SessionHandle`
+
+```ts
+class SessionHandle {
+  readonly id: string;
+  readonly in: SessionInputChannel;
+  readonly out: SessionOutputChannel;
+}
+```
+
+The two channels mirror the producer/consumer pair in `streams.define` (out) and `streams.input` (in), but are **session-scoped** rather than run-scoped — they survive across run boundaries.
+
+## `session.out` — task → clients
+
+The output channel. The task writes; external clients (browser, server action, another task) read via SSE.
+
+### `out.append(value, options?)`
+
+Append a single record. Routes through `writer` internally so SSE consumers see the same parsed-object shape on every event.
+
+### `out.pipe(stream, options?)`
+
+Pipe an `AsyncIterable` or `ReadableStream` directly to S2 (the durable backing store). Returns `{ stream, waitUntilComplete }`.
+
+### `out.writer({ execute, ... })`
+
+Imperative writer. `execute({ write, merge })` runs against an in-memory queue whose records are piped to S2.
+
+```ts
+session.out.writer<MyChunk>({
+  execute: ({ write }) => {
+    write({ type: "text", text: "hi" });
+    write({ type: "text", text: " there" });
+  },
+});
+```
+
+### `out.read(options?)`
+
+Subscribe to SSE records on `.out`. Returns an async-iterable stream with auto-retry and `Last-Event-ID` resume.
+
+```ts
+const stream = await session.out.read<MyChunk>({
+  signal: AbortSignal.timeout(30_000),
+  lastEventId: lastSeenSeqNum,
+});
+for await (const chunk of stream) {
+  // ...
+}
+```
+
+### `out.writeControl(subtype, extraHeaders?)`
+
+Write a Trigger control record. Carries a `trigger-control` header valued with `subtype` (e.g. `turn-complete`, `upgrade-required`); the body is empty. The SDK transport filters control records out of the consumer-facing chunk stream — readers route them via `onControl` instead.
+
+Returns `{ lastEventId }` — useful for trim chains.
+
+### `out.trimTo(earliestSeqNum)`
+
+Append an S2 `trim` command. Records with `seq_num < earliestSeqNum` are eventually deleted. Idempotent and monotonic. `chat.agent` uses this to keep `session.out` bounded to roughly one turn at steady state.
+
+## `session.in` — clients → task
+
+The input channel. External clients call `send`; the task consumes via `on` / `once` / `peek` / `wait` / `waitWithIdleTimeout`.
+
+### `in.send(value, requestOptions?)`
+
+Append a single record. Called from outside the task (browser, server action, another task).
+
+```ts
+const session = sessions.open(chatId);
+await session.in.send({ kind: "user-event", payload: { ... } });
+```
+
+### `in.on(handler)`
+
+Register a handler that fires for every record landing on `.in`. Buffered records flush on attach. Returns `{ off }`.
+
+### `in.once(options?)`
+
+Wait for the next record without suspending the run. `{ ok: true, output }` or `{ ok: false, error }` on timeout. Chain `.unwrap()` to get the data directly.
+
+```ts
+const result = await session.in.once<MyEvent>({ timeoutMs: 5_000 });
+if (result.ok) handle(result.output);
+```
+
+### `in.peek()`
+
+Non-blocking peek at the head of the `.in` buffer.
+
+### `in.wait(options?)`
+
+Suspend the current run until the next record arrives — frees compute while blocked. Only callable from inside `task.run()`.
+
+```ts
+const next = await session.in.wait<MyEvent>({ timeout: "1h" });
+```
+
+### `in.waitWithIdleTimeout({ idleTimeoutInSeconds, timeout, ... })`
+
+Hybrid: stay warm for `idleTimeoutInSeconds`, then suspend via `wait` if nothing arrives. `chat.agent`'s turn loop uses this to balance responsiveness and cost.
+
+```ts
+const next = await session.in.waitWithIdleTimeout<MyEvent>({
+  idleTimeoutInSeconds: 30,
+  timeout: "1h",
+  onSuspend: () => { /* persist before suspending */ },
+  onResume: () => { /* re-hydrate after resume */ },
+});
+```
+
+### `in.lastDispatchedSeqNum()`
+
+The highest S2 `seq_num` this channel has delivered to a consumer. Used by `chat.agent` to persist a resume cursor on each `turn-complete` so the next worker boot subscribes past already-processed records.
+
+## Authorization
+
+Browser and server-side clients use a session-scoped Public Access Token:
+
+```ts
+import { auth } from "@trigger.dev/sdk";
+
+const pat = await auth.createPublicToken({
+  scopes: {
+    read: { sessions: chatId },
+    write: { sessions: chatId },
+  },
+  expirationTime: "1h",
+});
+```
+
+Tokens authorize **both** URL forms: `/sessions/{externalId}/...` and `/sessions/session_*/...`.
+
+For the `chat.agent` transport, `auth.createPublicToken` is wrapped by `accessToken` in `useTriggerChatTransport`; for direct session access from your server, mint a token per request just like any other realtime resource.
+
+## See also
+
+- [How it works](/ai-chat/how-it-works) — How `chat.agent` builds on Sessions.
+- [Backend](/ai-chat/backend) — `chat.agent` / `chat.createSession` / raw `task()` with chat primitives.
+- [Client Protocol](/ai-chat/client-protocol) — The wire-level view of `.in/append` and `.out` SSE.
+- [Persistence and replay](/ai-chat/patterns/persistence-and-replay) — How tails are read at boot.
diff --git a/docs/ai-chat/testing.mdx b/docs/ai-chat/testing.mdx
new file mode 100644
index 00000000000..2a655b261ab
--- /dev/null
+++ b/docs/ai-chat/testing.mdx
@@ -0,0 +1,682 @@
+---
+title: "Testing"
+sidebarTitle: "Testing"
+description: "Drive a chat.agent through real turns in unit tests — no network, no task runtime, no mocking the SDK."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+## Overview
+
+`@trigger.dev/sdk/ai/test` exports `mockChatAgent`, an offline harness that runs your `chat.agent` definition's `run()` function inside an in-memory task runtime. You send messages, actions, and stop signals through driver methods and assert against the chunks the agent emits.
+
+Under the hood the harness drives the agent's backing Session channels — `.in` receives the records your `sendMessage` / `sendStop` / `sendAction` produce, `.out` captures the chunks the agent emits. The harness API itself is session-agnostic; you don't need to manage `sessionId` in tests.
+
+The harness exercises the real turn loop, lifecycle hooks, validation, hydration, and action routing — only the language model and the surrounding Trigger.dev runtime are replaced. Pair it with [`MockLanguageModelV3`](https://sdk.vercel.ai/docs/reference/ai-sdk-core/mock-language-model-v3) and `simulateReadableStream` from `ai` to control LLM responses.
+
+<Note>
+  Import `@trigger.dev/sdk/ai/test` **before** your agent module. It installs the resource catalog so `chat.agent({ id, ... })` can register tasks during testing.
+</Note>
+
+## Quick start
+
+```ts trigger/my-chat.test.ts
+import { mockChatAgent } from "@trigger.dev/sdk/ai/test";
+
+import { describe, expect, it } from "vitest";
+import { simulateReadableStream, stepCountIs } from "ai";
+import { MockLanguageModelV3 } from "ai/test";
+import type { LanguageModelV3StreamPart } from "@ai-sdk/provider";
+import { myChatAgent } from "./my-chat.js";
+
+function modelWithText(text: string) {
+  const chunks: LanguageModelV3StreamPart[] = [
+    { type: "text-start", id: "t1" },
+    { type: "text-delta", id: "t1", delta: text },
+    { type: "text-end", id: "t1" },
+    {
+      type: "finish",
+      finishReason: { unified: "stop", raw: "stop" },
+      usage: {
+        inputTokens: { total: 10, noCache: 10, cacheRead: undefined, cacheWrite: undefined },
+        outputTokens: { total: 10, text: 10, reasoning: undefined },
+      },
+    },
+  ];
+  return new MockLanguageModelV3({
+    doStream: async () => ({ stream: simulateReadableStream({ chunks }) }),
+  });
+}
+
+describe("myChatAgent", () => {
+  it("streams the model's response", async () => {
+    const model = modelWithText("hello world");
+    const harness = mockChatAgent(myChatAgent, {
+      chatId: "test-1",
+      clientData: { model },
+    });
+
+    try {
+      const turn = await harness.sendMessage({
+        id: "u1",
+        role: "user",
+        parts: [{ type: "text", text: "hi" }],
+      });
+
+      const text = turn.chunks
+        .filter((c) => c.type === "text-delta")
+        .map((c) => (c as { delta: string }).delta)
+        .join("");
+      expect(text).toBe("hello world");
+    } finally {
+      await harness.close();
+    }
+  });
+});
+```
+
+The agent reads the mock model from `clientData`:
+
+```ts trigger/my-chat.ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText, type LanguageModel } from "ai";
+import { z } from "zod";
+
+type ClientData = { model: LanguageModel };
+
+export const myChatAgent = chat
+  .withClientData({
+    schema: z.custom<ClientData>(
+      (v) => !!v && typeof v === "object" && "model" in (v as object)
+    ),
+  })
+  .agent({
+    id: "my-chat",
+    run: async ({ messages, clientData, signal }) => {
+      return streamText({
+        model: clientData?.model ?? "openai/gpt-4o-mini",
+        messages,
+        abortSignal: signal,
+        stopWhen: stepCountIs(15),
+      });
+    },
+  });
+```
+
+## Setup
+
+### Install dev dependencies
+
+The harness itself ships with `@trigger.dev/sdk`. You need a test runner and the AI SDK's mock model utilities:
+
+```bash
+pnpm add -D vitest ai @ai-sdk/provider
+```
+
+`@ai-sdk/provider` is only needed to type the chunk array as `LanguageModelV3StreamPart[]` — drop it if you cast inline.
+
+### Vitest config
+
+A minimal `vitest.config.ts` for a Trigger.dev project:
+
+```ts
+import { defineConfig } from "vitest/config";
+
+export default defineConfig({
+  test: {
+    include: ["src/**/*.test.ts"],
+    environment: "node",
+  },
+});
+```
+
+### Import order
+
+`mockChatAgent` must be imported **first** so the resource catalog is installed before any `chat.agent({ id, ... })` registration runs:
+
+```ts
+// ✅ Correct
+import { mockChatAgent } from "@trigger.dev/sdk/ai/test";
+import { myAgent } from "./my-agent.js";
+
+// ❌ Wrong — agent loads before the catalog exists
+import { myAgent } from "./my-agent.js";
+import { mockChatAgent } from "@trigger.dev/sdk/ai/test";
+```
+
+If the agent isn't registered when `mockChatAgent` runs, you'll get:
+
+```
+mockChatAgent: no task registered with id "my-chat".
+```
+
+## Inject the model via clientData
+
+`MockLanguageModelV3` lives in test code and shouldn't leak into your agent module. Pass it through `clientData` so the agent picks it up at runtime in tests, and falls back to a real model in production:
+
+```ts trigger/agent.ts
+type ClientData = { model?: LanguageModel };
+
+export const agent = chat
+  .withClientData({ schema: z.custom<ClientData>() })
+  .agent({
+    id: "agent",
+    run: async ({ messages, clientData, signal }) => {
+      return streamText({
+        model: clientData?.model ?? anthropic("claude-haiku-4-5"),
+        messages,
+        abortSignal: signal,
+        stopWhen: stepCountIs(15),
+      });
+    },
+  });
+```
+
+```ts agent.test.ts
+const harness = mockChatAgent(agent, {
+  chatId: "test",
+  clientData: { model: mockModel },
+});
+```
+
+## Driving turns
+
+The harness exposes one method per chat trigger. Each waits for the next `trigger:turn-complete` chunk before resolving.
+
+### sendMessage
+
+```ts
+const turn = await harness.sendMessage({
+  id: "u1",
+  role: "user",
+  parts: [{ type: "text", text: "hi" }],
+});
+```
+
+Pass an array to send multiple messages at once.
+
+### sendRegenerate
+
+```ts
+const turn = await harness.sendRegenerate(messages);
+```
+
+Equivalent to the frontend's `useChat().regenerate()` — replays a turn with the given message history.
+
+### sendAction
+
+Routes a payload through `actionSchema` + `onAction`. Actions are not turns: only `hydrateMessages` and `onAction` fire on the agent side — no turn lifecycle hooks, no `run()`. The returned `turn.rawChunks` contains whatever `onAction` produced (a streamed model response if it returned a `StreamTextResult`, otherwise just `trigger:turn-complete`):
+
+```ts
+const turn = await harness.sendAction({ type: "undo" });
+```
+
+If the action fails schema validation, an `error` chunk appears in `turn.rawChunks`.
+
+### sendStop
+
+Fires a stop signal. Does **not** wait for a turn — the agent's `signal.aborted` becomes `true` and the current turn unwinds:
+
+```ts
+await harness.sendStop("user requested stop");
+```
+
+### close
+
+Sends a `close` trigger, closes the session's `.in` channel, and aborts the run signal so the task exits cleanly. Always call this at the end of every test:
+
+```ts
+afterEach(() => harness.close());
+// or with a try/finally
+try {
+  await harness.sendMessage(...);
+} finally {
+  await harness.close();
+}
+```
+
+## Inspecting output
+
+Each turn returns:
+
+```ts
+type MockChatAgentTurn = {
+  chunks: UIMessageChunk[];   // text-delta, tool-call, etc.
+  rawChunks: unknown[];       // includes control chunks (turn-complete, errors)
+};
+```
+
+The harness also exposes accumulators across all turns:
+
+```ts
+harness.allChunks;     // every UIMessageChunk since creation
+harness.allRawChunks;  // every raw chunk including control frames
+```
+
+A small helper to assemble streamed text:
+
+```ts
+function collectText(chunks: UIMessageChunk[]): string {
+  return chunks
+    .filter((c) => c.type === "text-delta")
+    .map((c) => (c as { delta: string }).delta)
+    .join("");
+}
+```
+
+## Common patterns
+
+### Asserting hook order
+
+```ts
+const events: string[] = [];
+const agent = chat.agent({
+  id: "hook-order",
+  onChatStart: async () => { events.push("onChatStart"); },
+  onTurnStart: async () => { events.push("onTurnStart"); },
+  onBeforeTurnComplete: async () => { events.push("onBeforeTurnComplete"); },
+  onTurnComplete: async () => { events.push("onTurnComplete"); },
+  run: async ({ messages, signal }) => {
+    events.push("run");
+    return streamText({ model, messages, abortSignal: signal });
+  },
+});
+
+const harness = mockChatAgent(agent, { chatId: "t" });
+await harness.sendMessage(userMessage("hi"));
+
+// onTurnComplete fires after the turn-complete chunk is written —
+// give it a tick before asserting.
+await new Promise((r) => setTimeout(r, 20));
+expect(events).toEqual([
+  "onChatStart",
+  "onTurnStart",
+  "run",
+  "onBeforeTurnComplete",
+  "onTurnComplete",
+]);
+await harness.close();
+```
+
+### Testing onValidateMessages
+
+```ts
+const turn = await harness.sendMessage(userMessage("hello blocked-word"));
+
+// The turn completes with an error chunk, not text
+expect(collectText(turn.chunks)).toBe("");
+expect(turn.rawChunks.some((c) =>
+  typeof c === "object" && c !== null &&
+  (c as { type?: string }).type === "trigger:turn-complete"
+)).toBe(true);
+```
+
+### Testing actions and rejection
+
+```ts
+// Valid action
+await harness.sendAction({ type: "undo" });
+
+// Invalid action — schema validation fails, error chunk emitted
+const turn = await harness.sendAction({ type: "not-a-real-action" });
+const errors = turn.rawChunks.filter((c) =>
+  typeof c === "object" && c !== null &&
+  (c as { type?: string }).type === "error"
+);
+expect(errors.length).toBeGreaterThan(0);
+```
+
+### Multi-turn accumulation
+
+The harness preserves chat history across turns, just like the real runtime:
+
+```ts
+const seenLengths: number[] = [];
+const agent = chat.agent({
+  id: "multi-turn",
+  run: async ({ messages, signal }) => {
+    seenLengths.push(messages.length);
+    return streamText({ model, messages, abortSignal: signal });
+  },
+});
+
+const harness = mockChatAgent(agent, { chatId: "t" });
+await harness.sendMessage(userMessage("first"));
+await harness.sendMessage(userMessage("second"));
+await harness.sendMessage(userMessage("third"));
+
+// Turn 1: 1 message; turn 2: user + assistant + user = 3; turn 3: 5
+expect(seenLengths).toEqual([1, 3, 5]);
+```
+
+### Hydrating from a "database"
+
+Use `clientData` to seed a synthetic prior context for `hydrateMessages`:
+
+```ts
+const hydrated = [
+  { id: "h1", role: "user", parts: [{ type: "text", text: "prior question" }] },
+  { id: "h2", role: "assistant", parts: [{ type: "text", text: "prior answer" }] },
+];
+
+const harness = mockChatAgent(agent, {
+  chatId: "test-hydrate",
+  clientData: { model, hydrated: [...hydrated, userMessage("follow up")] },
+});
+
+await harness.sendMessage(userMessage("follow up"));
+
+// Model should have been called with the hydrated context
+expect(model.doStreamCalls[0]!.prompt.length).toBeGreaterThanOrEqual(3);
+```
+
+The agent reads `clientData.hydrated` inside its `hydrateMessages` hook:
+
+```ts
+hydrateMessages: async ({ clientData, incomingMessages }) => {
+  return clientData?.hydrated ?? incomingMessages;
+},
+```
+
+### Testing continuation runs
+
+A continuation run is a new run picking up an existing session after the prior run ended — `chat.endRun`, waitpoint timeout, or `chat.requestUpgrade`. The contract differs from a fresh run in two ways:
+
+- `onChatStart` does **not** fire (it's once-per-chat — fires only on the chat's very first user message ever).
+- The boot payload arrives with `continuation: true` and no `message`. The SDK waits silently on `session.in` until the next user message arrives.
+
+Pass `continuation: true` to drive this path:
+
+```ts
+const onChatStart = vi.fn();
+const onTurnStart = vi.fn();
+
+const agent = chat.agent({
+  id: "my-chat",
+  onChatStart,
+  onTurnStart,
+  run: async ({ messages, signal }) =>
+    streamText({ model, messages, abortSignal: signal }),
+});
+
+const harness = mockChatAgent(agent, {
+  chatId: "test-continuation",
+  // Auto-selects `mode: "continuation"` — boots with `trigger` omitted
+  // and `continuation: true` in the wire payload, exactly as the server
+  // produces it on continuation runs in production.
+  continuation: true,
+  previousRunId: "run_test_prior",
+});
+
+try {
+  // The SDK enters continuation-wait; sendMessage wakes it and drives turn 0.
+  await harness.sendMessage({
+    id: "u1",
+    role: "user",
+    parts: [{ type: "text", text: "where were we?" }],
+  });
+  await new Promise((r) => setTimeout(r, 20));
+
+  expect(onChatStart).not.toHaveBeenCalled();
+  expect(onTurnStart).toHaveBeenCalledTimes(1);
+} finally {
+  await harness.close();
+}
+```
+
+To simulate an **OOM-retry attempt** (also a continuation by contract — same `onChatStart` skip), bump `ctx.attempt.number`:
+
+```ts
+const harness = mockChatAgent(agent, {
+  chatId: "test-oom-retry",
+  taskContext: {
+    ctx: { attempt: { number: 2, startedAt: new Date(0), status: "EXECUTING" } },
+  },
+});
+
+await harness.sendMessage(/* ... */);
+expect(onChatStart).not.toHaveBeenCalled();
+```
+
+### Testing recovery boot
+
+`onRecoveryBoot` fires when the dead predecessor left state behind — a partial assistant on `session.out`, in-flight users on `session.in`, or both. The harness exposes two seeders to drive this state at boot time:
+
+- `harness.seedSessionOutPartial(message)` — pre-seed a trailing partial assistant. The next boot's replay surfaces it as `event.partialAssistant`.
+- `harness.seedSessionInTail(messages)` — pre-seed user messages on the input tail. The next boot's replay surfaces them as `event.inFlightUsers`.
+
+Combined with `continuation: true`, this drives the full recovery boot path:
+
+```ts
+import { mockChatAgent } from "@trigger.dev/sdk/ai/test";
+
+const onRecoveryBoot = vi.fn(async () => {
+  // accept smart default
+});
+
+const agent = chat.agent({
+  id: "my-chat",
+  onRecoveryBoot,
+  run: async ({ messages, signal }) =>
+    streamText({ model, messages, abortSignal: signal }),
+});
+
+const harness = mockChatAgent(agent, {
+  chatId: "test-recovery",
+  continuation: true,
+  previousRunId: "run_prior",
+});
+
+// Predecessor was answering "write an essay" and got cut off mid-stream
+// after producing some text. Customer then sent a follow-up.
+harness.seedSessionOutPartial({
+  id: "a-orphan",
+  role: "assistant",
+  parts: [{ type: "text", text: "Espresso originated in..." }],
+});
+harness.seedSessionInTail([
+  { id: "u-1", role: "user", parts: [{ type: "text", text: "Write an essay about espresso." }] },
+  { id: "u-2", role: "user", parts: [{ type: "text", text: "keep going" }] },
+]);
+
+await new Promise((r) => setTimeout(r, 50));
+
+expect(onRecoveryBoot).toHaveBeenCalledTimes(1);
+const event = onRecoveryBoot.mock.calls[0]![0];
+expect(event.partialAssistant?.id).toBe("a-orphan");
+expect(event.inFlightUsers).toHaveLength(2);
+```
+
+Use `harness.seedSnapshot({ messages: [...] })` alongside these to model a continuation where settled history exists. See the [Recovery boot](/ai-chat/patterns/recovery-boot) pattern for what each field means and what the smart default does with it.
+
+## Testing against a database
+
+Most agents call into a database from `hydrateMessages` or `onTurnComplete` to load history and persist replies. You shouldn't pass database clients through `clientData` — that's wire-data from the browser. Use **`locals` for dependency injection** instead.
+
+`locals` are task-scoped, server-side only, and untyped to the wire format. The mock harness exposes a `setupLocals` callback that pre-seeds them before the agent's `run()` starts.
+
+### Define a locals key for the dependency
+
+Create a single key per dependency, exported from your project:
+
+```ts db.ts
+import { locals } from "@trigger.dev/sdk";
+import { PrismaClient } from "@prisma/client";
+
+export type Db = PrismaClient;
+export const dbKey = locals.create<Db>("db");
+
+export function getDb(): Db {
+  // Returns the seeded test instance if present, otherwise lazy-creates prod.
+  return locals.get(dbKey) ?? locals.set(dbKey, new PrismaClient());
+}
+```
+
+### Use the dependency from agent hooks
+
+Hooks read from `locals` instead of constructing clients themselves:
+
+```ts trigger/agent.ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { getDb } from "../db";
+
+export const agent = chat.agent({
+  id: "agent",
+  hydrateMessages: async ({ chatId }) => {
+    const db = getDb();
+    const row = await db.chat.findUnique({ where: { id: chatId } });
+    return (row?.messages as UIMessage[]) ?? [];
+  },
+  onTurnComplete: async ({ chatId, messages }) => {
+    const db = getDb();
+    await db.chat.upsert({
+      where: { id: chatId },
+      create: { id: chatId, messages },
+      update: { messages },
+    });
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+  },
+});
+```
+
+### Inject a test database in the harness
+
+`setupLocals` runs *before* the agent starts, so `getDb()` returns the test instance for every hook:
+
+```ts agent.test.ts
+import { mockChatAgent } from "@trigger.dev/sdk/ai/test";
+import { dbKey } from "./db";
+import { agent } from "./trigger/agent";
+
+const harness = mockChatAgent(agent, {
+  chatId: "test-1",
+  setupLocals: ({ set }) => {
+    set(dbKey, testDb); // testDb = your testcontainers Prisma client, sqlite stub, etc.
+  },
+});
+```
+
+### Pick a backing database
+
+You still need to decide what `testDb` actually is:
+
+- **Testcontainers (recommended).** Spin up Postgres in Docker via `@internal/testcontainers` (or `testcontainers` directly), run migrations, hand the resulting `PrismaClient` to `set(dbKey, ...)`. Highest fidelity — catches schema drift, migration bugs, transaction issues.
+- **Embedded SQLite / PGlite.** Fast and no Docker, but a different SQL dialect from production. Fine for hooks that only do simple CRUD; risky for raw SQL or Postgres-specific features.
+- **In-memory fake.** Hand-rolled object with the same interface as your DB module. Fastest, lowest fidelity — works when you only care about whether the agent *called* the right method, not what the DB *did* with it.
+
+### Drizzle, Kysely, etc.
+
+The pattern is the same — replace `PrismaClient` with your client class:
+
+```ts db.ts
+import { drizzle } from "drizzle-orm/node-postgres";
+import { Pool } from "pg";
+
+export type Db = ReturnType<typeof drizzle>;
+export const dbKey = locals.create<Db>("db");
+
+export function getDb(): Db {
+  return locals.get(dbKey) ?? locals.set(
+    dbKey,
+    drizzle(new Pool({ connectionString: process.env.DATABASE_URL })),
+  );
+}
+```
+
+<Tip>
+  The same `setupLocals` pattern works for any server-side dependency: feature flag clients, Stripe SDK, internal HTTP clients, Sentry. Anything you'd normally inject via constructor parameters in a class-based design.
+</Tip>
+
+## API reference
+
+### mockChatAgent(agent, options?)
+
+```ts
+function mockChatAgent(
+  agent: { id: string },
+  options?: MockChatAgentOptions,
+): MockChatAgentHarness;
+```
+
+#### MockChatAgentOptions
+
+| Option           | Type                                                                  | Default       | Description                                                                                            |
+| ---------------- | --------------------------------------------------------------------- | ------------- | ------------------------------------------------------------------------------------------------------ |
+| `chatId`         | `string`                                                              | `"test-chat"` | Chat session id passed in every wire payload.                                                          |
+| `clientData`     | `unknown`                                                             | `undefined`   | Client-provided data forwarded to `run()` and every hook.                                              |
+| `taskContext`    | `MockTaskContextOptions`                                              | `{}`          | Overrides for the mock `TaskRunContext`. Use `ctx.attempt.number > 1` to simulate an OOM-retry attempt — the agent skips `onChatStart` (same as continuation runs). |
+| `preload`        | `boolean`                                                             | `true`        | Start in preload mode. When `false`, the first `sendMessage()` starts turn 0 directly without preload. Ignored when `mode` is set explicitly.                       |
+| `mode`           | `"preload" \| "submit-message" \| "handover-prepare" \| "continuation"` | derived       | Initial boot trigger. Defaults to `"preload"` (or `"submit-message"` when `preload: false`, or `"continuation"` when `continuation: true`). See [Boot modes](#boot-modes) below. |
+| `continuation`   | `boolean`                                                             | `false`       | Boot as a continuation run (a new run on an existing session). Auto-selects `mode: "continuation"` if `mode` is not set — boots with `trigger` omitted and `continuation: true` in the payload, exercising the SDK's continuation-wait branch. `onChatStart` does NOT fire on continuation runs. |
+| `previousRunId`  | `string`                                                              | `undefined`   | Set `payload.previousRunId` on the initial wire payload. Typically paired with `continuation: true`.   |
+| `snapshot`       | `ChatSnapshotV1`                                                      | `undefined`   | Pre-seed the snapshot the agent reads at run boot (replaces the real S3 GET). Use to drive resume scenarios with prior history. See [Persistence and replay](/ai-chat/patterns/persistence-and-replay) for the production snapshot model. |
+| `setupLocals`    | `({ set }) => void \| Promise<void>`                                   | `undefined`   | Callback invoked before `run()` starts. Use `set(key, value)` to inject server-side dependencies (DB clients, service stubs) that the agent reads via `locals.get()`. |
+
+##### Boot modes
+
+The harness's initial wire payload depends on `mode`:
+
+| Mode                  | Wire payload                                                       | Use when                                                                       |
+| --------------------- | ------------------------------------------------------------------ | ------------------------------------------------------------------------------ |
+| `"preload"`           | `{ trigger: "preload" }`                                           | Simulating a `transport.preload(chatId)` warm-up. Fires `onPreload`, waits for the first `sendMessage()`. |
+| `"submit-message"`    | `{ trigger: "submit-message" }`                                    | Skipping preload — `sendMessage()` drives turn 0 directly.                     |
+| `"continuation"`      | `{ continuation: true }` (no `trigger`)                            | A new run picking up an existing session after the prior run ended (`chat.endRun`, waitpoint timeout, `chat.requestUpgrade`). Mirrors the boot payload the server's `ensureRunForSession` / `swapSessionRun` produce. The SDK enters its continuation-wait branch — `onPreload` and `onChatStart` do NOT fire. |
+| `"handover-prepare"`  | `{ trigger: "handover-prepare" }`                                  | Driving the `chat.handover` wait path. Use `sendHandover()` / `sendHandoverSkip()` to dispatch the handover signal. |
+
+#### MockChatAgentHarness
+
+| Member                                | Description                                                                                            |
+| ------------------------------------- | ------------------------------------------------------------------------------------------------------ |
+| `chatId`                              | The chat session id used by this harness.                                                              |
+| `sendMessage(message)`                | Send a single user message (or tool-approval-responded assistant message). Slim wire: at most ONE message per record. Returns the chunks produced during the resulting turn. |
+| `sendRegenerate()`                    | Send a regenerate-message trigger (no body — slim wire). The agent trims trailing assistant messages from its accumulator and re-runs. |
+| `sendHeadStart({ messages })`         | Drive the head-start path: sends `trigger: "handover-prepare"` with `headStartMessages` carrying the first-turn UIMessage history. Used only at the very first turn before any snapshot exists. |
+| `sendHandover({ partialAssistantMessage, isFinal?, messageId? })` | Dispatch a `handover` signal — only meaningful when started with `mode: "handover-prepare"`. The agent picks up partial assistant messages and continues the turn. |
+| `sendHandoverSkip()`                  | Dispatch a `handover-skip` signal — only meaningful when started with `mode: "handover-prepare"`. The agent exits cleanly without firing turn hooks. |
+| `sendAction(action)`                  | Route a custom action through `actionSchema` + `onAction`.                                             |
+| `sendStop(message?)`                  | Fire a stop signal. Does not wait for the turn — the run's `signal.aborted` becomes `true`.            |
+| `seedSnapshot(snapshot)`              | Pre-seed the snapshot read for the next boot. Effective on the next run boot only.                     |
+| `seedSessionOutTail(chunks?)`         | Pre-seed `session.out` chunks for the next boot's replay. Reduces to settled assistant turns.          |
+| `seedSessionOutPartial(message?)`     | Pre-seed a trailing partial assistant for the next boot's replay. Surfaces as `event.partialAssistant` in `onRecoveryBoot`. |
+| `seedSessionInTail(messages)`         | Pre-seed user messages on `session.in` for the next boot. Surfaces as `event.inFlightUsers` in `onRecoveryBoot`. |
+| `getSnapshot()`                       | The most recently written snapshot, or `undefined` if no snapshot was written.                         |
+| `close()`                             | Send a `close` trigger, abort the signal, wait for `run()` to return. Always call at end of test.      |
+| `allChunks`                           | Every `UIMessageChunk` emitted since the harness was created.                                          |
+| `allRawChunks`                        | Every raw chunk emitted since creation, including control chunks (`trigger:turn-complete`, errors).    |
+
+### runInMockTaskContext
+
+`mockChatAgent` is a higher-level wrapper around `runInMockTaskContext`, re-exported from `@trigger.dev/sdk/ai/test` so you don't need to depend on `@trigger.dev/core` directly. Use it when you need to drive a non-chat task offline:
+
+```ts
+import { runInMockTaskContext } from "@trigger.dev/sdk/ai/test";
+
+await runInMockTaskContext(
+  async ({ inputs, outputs, ctx }) => {
+    setTimeout(() => {
+      inputs.send("chat-messages", { messages: [], chatId: "c1" });
+    }, 0);
+
+    await myTask.fns.run(payload, {
+      ctx,
+      signal: new AbortController().signal,
+    });
+
+    expect(outputs.chunks("chat")).toContainEqual(
+      expect.objectContaining({ type: "text-delta", delta: "hi" }),
+    );
+  },
+  { ctx: { run: { id: "run_abc" } } },
+);
+```
+
+## Limitations
+
+- **No network.** The mock task context replaces realtime streams, run metadata, lifecycle managers, and the runtime. Anything that bypasses these (raw `fetch`, direct DB clients) runs against the real network.
+- **Single agent per process.** The resource catalog is process-global; tests within a file are sequential by default. If you parallelize across files, vitest runs each file in its own worker, which avoids registry collisions.
+- **Time-sensitive hooks.** `onTurnComplete` runs *after* the `turn-complete` chunk is written, so `sendMessage()` resolves before that hook finishes. Add a brief `await new Promise((r) => setTimeout(r, 20))` if you need to assert on hook side-effects.
+- **No real LLM.** The harness does not call providers — you must inject `MockLanguageModelV3` (or another mock) yourself.
diff --git a/docs/ai-chat/tools.mdx b/docs/ai-chat/tools.mdx
new file mode 100644
index 00000000000..fee57fed008
--- /dev/null
+++ b/docs/ai-chat/tools.mdx
@@ -0,0 +1,191 @@
+---
+title: "Tools"
+sidebarTitle: "Tools"
+description: "Declare tools on chat.agent so toModelOutput survives across turns, get them back typed in run(), and type your messages from them."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+`chat.agent` doesn't call the model for you. Your tools still go to [`streamText`](https://sdk.vercel.ai/docs/ai-sdk-core/tools-and-tool-calling) inside `run()`. But you should **also declare them on the agent config**:
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText, stepCountIs, tool } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+import { z } from "zod";
+
+const tools = {
+  searchDocs: tool({
+    description: "Search the docs.",
+    inputSchema: z.object({ query: z.string() }),
+    execute: async ({ query }) => searchIndex(query),
+  }),
+};
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  tools, // ← declare here
+  run: async ({ messages, tools, signal }) =>
+    streamText({
+      ...chat.toStreamTextOptions({ tools }), // ← the same set, handed back on the payload
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    }),
+});
+```
+
+Declaring `tools` on the config does two things you can't get by passing them to `streamText` alone:
+
+- It threads your tools into the SDK's internal message conversion, so each tool's [`toModelOutput`](https://sdk.vercel.ai/docs/ai-sdk-core/tools-and-tool-calling#tomodeloutput) is re-applied when prior-turn history is re-converted (see [`toModelOutput` across turns](#tomodeloutput-across-turns)).
+- It hands the resolved set back, typed, on the `run()` payload as `tools`, so you declare them once and don't re-import the map.
+
+## Where tools go
+
+There are three places a tool set shows up. Declare once, reuse:
+
+| Surface | What it's for |
+| --- | --- |
+| `chat.agent({ tools })` | Re-applies `toModelOutput` on prior-turn history; hands the set back typed on the `run()` payload. |
+| `chat.toStreamTextOptions({ tools })` | Detects which tool calls need [HITL approval](/ai-chat/patterns/human-in-the-loop) (`needsApproval`) and merges any auto-injected [skill](/ai-chat/patterns/skills) tools. |
+| `streamText({ tools })` | What the model actually calls. `chat.toStreamTextOptions({ tools })` already sets this, so spread it instead of passing `tools` twice. |
+
+The canonical pattern: declare `tools` on the config, read them back from the `run()` payload, and pass that to `chat.toStreamTextOptions({ tools })`. One declaration flows everywhere.
+
+<Tip>
+  Conversion only reads each tool's `inputSchema` and `toModelOutput`, never `execute`. If you keep heavy `execute` dependencies out of a module (for bundle reasons), you can declare a lightweight schema-only tool map on the config and add the executes where you call `streamText`.
+</Tip>
+
+## `toModelOutput` across turns
+
+`toModelOutput` transforms a tool's result before it enters the model's context, turning raw image bytes into an image content part, or compressing a long sub-agent transcript into a one-line summary. The full result still streams to the frontend; the model only sees the transformed version.
+
+The catch is multi-turn. After each turn, `chat.agent` persists the conversation as `UIMessage[]` and re-converts it to model messages at the start of the next turn. That conversion needs your tools to find each `toModelOutput`. **If you only pass tools to `streamText` and not to the config, the transform runs on turn 1 but is skipped on every later turn.** The raw output gets stringified back into the prompt instead, and the model loses the transformed view.
+
+Declaring `tools` on the config fixes this: the SDK threads them into the conversion, so `toModelOutput` is re-applied on every turn.
+
+```ts
+const tools = {
+  renderChart: tool({
+    description: "Render a chart and return it as an image.",
+    inputSchema: z.object({ spec: z.string() }),
+    execute: async ({ spec }) => renderToPng(spec), // raw bytes
+    // The model should see an image part, not base64 bytes:
+    toModelOutput: ({ output }) => ({
+      type: "content",
+      value: [{ type: "media", mediaType: "image/png", data: output.base64 }],
+    }),
+  }),
+};
+
+export const chartChat = chat.agent({
+  id: "chart-chat",
+  tools, // ← without this, the image is "remembered" on turn 1 and gone from turn 2
+  run: async ({ messages, tools, signal }) =>
+    streamText({
+      ...chat.toStreamTextOptions({ tools }),
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    }),
+});
+```
+
+## Static or per-turn tools
+
+`tools` accepts either a static `ToolSet` or a function that returns one per turn, for tools that depend on the user, a feature flag, or anything in the turn context:
+
+```ts
+export const myChat = chat
+  .withClientData({ schema: z.object({ userId: z.string(), plan: z.string() }) })
+  .agent({
+    id: "my-chat",
+    tools: ({ clientData }) => ({
+      searchDocs,
+      ...(clientData?.plan === "pro" ? { deepResearch } : {}),
+    }),
+    run: async ({ messages, tools, signal }) =>
+      streamText({
+        ...chat.toStreamTextOptions({ tools }),
+        model: anthropic("claude-sonnet-4-5"),
+        messages,
+        abortSignal: signal,
+        stopWhen: stepCountIs(15),
+      }),
+  });
+```
+
+The function receives a `ResolveToolsEvent` and runs once per turn (after `clientData` is parsed):
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `chatId` | `string` | The chat session ID. |
+| `turn` | `number` | The current turn number (0-indexed). |
+| `continuation` | `boolean` | Whether this run is continuing an existing chat. |
+| `clientData` | `TClientData` | Parsed client data from the frontend. |
+
+The resolved set is what lands on the `run()` payload's `tools`.
+
+## Typed tools in `run()`
+
+The `run()` payload's `tools` is typed to whatever you declared, so you can pass it straight through without re-importing the map:
+
+```ts
+run: async ({ messages, tools, signal }) => {
+  // `tools` is typed as your tool set, not a broad `ToolSet`
+  return streamText({
+    ...chat.toStreamTextOptions({ tools }),
+    model: anthropic("claude-sonnet-4-5"),
+    messages,
+    abortSignal: signal,
+  });
+};
+```
+
+When no `tools` are declared, the payload's `tools` is an empty object and behaves exactly as before, so declaring tools is fully opt-in.
+
+## Typing messages from your tools
+
+To get typed tool parts (`tool-${name}` with typed input/output) on your `UIMessage`, in hooks like `onTurnComplete` and on the frontend, derive the message type from your tool set with `InferChatUIMessageFromTools`:
+
+```ts
+import type { InferChatUIMessageFromTools } from "@trigger.dev/sdk/ai";
+
+const tools = { searchDocs, renderChart };
+
+export type ChatUiMessage = InferChatUIMessageFromTools<typeof tools>;
+```
+
+This is shorthand for `UIMessage<unknown, UIDataTypes, InferUITools<typeof tools>>`. Pin it on the agent with [`chat.withUIMessage<ChatUiMessage>()`](/ai-chat/types#custom-uimessage-with-chat-withuimessage) and reuse it on the client. If you also have custom `data-*` parts, build the `UIMessage` generic directly instead. See [Types](/ai-chat/types).
+
+## Skills
+
+[Agent skills](/ai-chat/patterns/skills) are auto-injected as tools (`loadSkill`, `readFile`, `bash`) by `chat.toStreamTextOptions()`. They're separate from your config `tools`: declare your own tools on the config (so their `toModelOutput` survives across turns), and let `toStreamTextOptions` merge the skill tools on top at call time. Skill tools don't define `toModelOutput`, so they don't need to be on the config.
+
+## Manual turn loops (`chat.customAgent`)
+
+The `tools` config option belongs to the managed [`chat.agent`](/ai-chat/backend#chat-agent). When you drive the loop yourself with [`chat.customAgent`](/ai-chat/backend#raw-task-primitives) (or build messages from `chat.history`), you own the conversion, so pass your tools to `convertToModelMessages` directly to get the same cross-turn `toModelOutput` behavior:
+
+```ts
+import { convertToModelMessages, streamText } from "ai";
+
+// Inside your loop, with `tools` in scope:
+const uiMessages = chat.history.all();
+const messages = await convertToModelMessages(uiMessages, {
+  tools,
+  ignoreIncompleteToolCalls: true,
+});
+
+return streamText({ model: anthropic("claude-sonnet-4-5"), messages, tools });
+```
+
+## Learn more
+
+- [Human-in-the-loop](/ai-chat/patterns/human-in-the-loop): tools that pause for approval.
+- [Sub-agents](/ai-chat/patterns/sub-agents): tools that delegate to other agents and compress their output with `toModelOutput`.
+- [Tool result auditing](/ai-chat/patterns/tool-result-auditing): logging tool results as they resolve.
+- [AI SDK: Tools and tool calling](https://sdk.vercel.ai/docs/ai-sdk-core/tools-and-tool-calling).
diff --git a/docs/ai-chat/types.mdx b/docs/ai-chat/types.mdx
new file mode 100644
index 00000000000..c966ce6bffd
--- /dev/null
+++ b/docs/ai-chat/types.mdx
@@ -0,0 +1,242 @@
+---
+title: "Types"
+sidebarTitle: "Types"
+description: "TypeScript types for AI Agents, UI messages, and the frontend transport."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+TypeScript patterns for [AI Chat](/ai-chat/overview). This page covers how to pin a custom AI SDK [`UIMessage`](https://sdk.vercel.ai/docs/reference/ai-sdk-core/ui-message) subtype with `chat.withUIMessage`, fix a typed `clientData` schema with `chat.withClientData`, chain builder-level hooks, and align types on the client.
+
+## Custom `UIMessage` with `chat.withUIMessage`
+
+`chat.agent()` types the wire payload with the base AI SDK `UIMessage`. That is enough for many apps.
+
+When you add **custom `data-*` parts** (via `chat.stream` / `writer`) or a **typed tool map** (e.g. `InferUITools<typeof tools>`), you want a **narrower** `UIMessage` generic so that:
+
+- `onTurnStart`, `onTurnComplete`, and similar hooks expose correctly typed `uiMessages`
+- Stream options like `sendReasoning` align with your message shape
+- The frontend can treat `useChat` messages as the same subtype end-to-end
+
+`chat.withUIMessage<YourUIMessage>(config?)` returns a [ChatBuilder](#chatbuilder) where `.agent(...)` accepts the **same options as** [`chat.agent()`](/ai-chat/backend#chat-agent) but fixes `YourUIMessage` as the UI message type for that chat agent.
+
+### Defining a `UIMessage` subtype
+
+Build the type from AI SDK helpers and your tools object:
+
+```ts
+import type { InferUITools, UIDataTypes, UIMessage } from "ai";
+import { tool, stepCountIs } from "ai";
+import { z } from "zod";
+
+const myTools = {
+  lookup: tool({
+    description: "Look up a record",
+    inputSchema: z.object({ id: z.string() }),
+    execute: async ({ id }) => ({ id, label: "example" }),
+  }),
+};
+
+type MyChatTools = InferUITools<typeof myTools>;
+
+type MyChatDataTypes = UIDataTypes & {
+  "turn-status": { status: "preparing" | "streaming" | "done" };
+};
+
+export type MyChatUIMessage = UIMessage<unknown, MyChatDataTypes, MyChatTools>;
+```
+
+<Tip>
+  If you don't need custom `data-*` parts, [`InferChatUIMessageFromTools<typeof myTools>`](/ai-chat/tools#typing-messages-from-your-tools) from `@trigger.dev/sdk/ai` collapses the tools half into one line (it's shorthand for `UIMessage<unknown, UIDataTypes, InferUITools<typeof myTools>>`).
+</Tip>
+
+Task-backed tools should use AI SDK [`tool()`](https://sdk.vercel.ai/docs/ai-sdk-core/tools-and-tool-calling) with `execute: ai.toolExecute(schemaTask)` where needed — see [Task-backed AI tools](/tasks/schemaTask#task-backed-ai-tools).
+
+### Backend: `chat.withUIMessage(...).agent(...)`
+
+Call `withUIMessage` **once**, then chain `.agent({ ... })` instead of `chat.agent({ ... })`. You can also chain `.withClientData()` and hook methods before `.agent()`:
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText, tool } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+import { z } from "zod";
+import type { MyChatUIMessage } from "./my-chat-types";
+
+const myTools = {
+  lookup: tool({
+    description: "Look up a record",
+    inputSchema: z.object({ id: z.string() }),
+    execute: async ({ id }) => ({ id, label: "example" }),
+  }),
+};
+
+export const myChat = chat
+  .withUIMessage<MyChatUIMessage>({
+    streamOptions: {
+      sendReasoning: true,
+      onError: (error) =>
+        error instanceof Error ? error.message : "Something went wrong.",
+    },
+  })
+  .withClientData({
+    schema: z.object({ userId: z.string() }),
+  })
+  .agent({
+    id: "my-chat",
+    tools: myTools,
+    onTurnStart: async ({ uiMessages, writer }) => {
+      // uiMessages is MyChatUIMessage[] — custom data parts are typed
+      writer.write({
+        type: "data-turn-status",
+        data: { status: "preparing" },
+      });
+    },
+    run: async ({ messages, tools, signal }) => {
+      // `tools` is myTools, typed, handed back on the payload
+      return streamText({
+        model: anthropic("claude-sonnet-4-5"),
+        messages,
+        tools,
+        abortSignal: signal,
+        stopWhen: stepCountIs(15),
+      });
+    },
+  });
+```
+
+### Default stream options
+
+The optional `streamOptions` object becomes the **default** [`uiMessageStreamOptions`](/ai-chat/reference#chatagentoptions) for `toUIMessageStream()`.
+
+If you also set `uiMessageStreamOptions` on the inner `.agent({ ... })`, the two objects are **shallow-merged** — keys on the **agent** win on conflicts. Per-turn overrides via [`chat.setUIMessageStreamOptions()`](/ai-chat/backend#stream-options) still apply on top.
+
+### Frontend: `InferChatUIMessage`
+
+Import the helper type and pass it to `useChat` so `messages` and render logic match the backend:
+
+```tsx
+import { useChat } from "@ai-sdk/react";
+import { useTriggerChatTransport, type InferChatUIMessage } from "@trigger.dev/sdk/chat/react";
+import type { myChat } from "./myChat";
+
+type Msg = InferChatUIMessage<typeof myChat>;
+
+export function Chat() {
+  const transport = useTriggerChatTransport<typeof myChat>({
+    task: "my-chat",
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+  });
+
+  const { messages } = useChat<Msg>({ transport });
+
+  return messages.map((m) => (
+    <div key={m.id}>{/* m.parts narrowed for your UIMessage subtype */}</div>
+  ));
+}
+```
+
+You can also import `InferChatUIMessage` from `@trigger.dev/sdk/ai` in non-React modules.
+
+## Typed client data with `chat.withClientData`
+
+`chat.withClientData({ schema })` returns a [ChatBuilder](#chatbuilder) that fixes the client data schema. All hooks and `run` receive typed `clientData` without needing `clientDataSchema` in `.agent()` options.
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { z } from "zod";
+
+export const myChat = chat
+  .withClientData({
+    schema: z.object({ userId: z.string(), model: z.string().optional() }),
+  })
+  .agent({
+    id: "my-chat",
+    onPreload: async ({ clientData }) => {
+      // clientData is typed as { userId: string; model?: string }
+      await initUser(clientData.userId);
+    },
+    run: async ({ messages, clientData, signal }) => {
+      return streamText({
+        model: getModel(clientData.model),
+        messages,
+        abortSignal: signal,
+        stopWhen: stepCountIs(15),
+      });
+    },
+  });
+```
+
+## ChatBuilder
+
+Both `chat.withUIMessage()` and `chat.withClientData()` return a **ChatBuilder** — a chainable object that accumulates configuration before creating the agent with `.agent()`.
+
+Builder methods can be chained in any order:
+
+```ts
+export const myChat = chat
+  .withUIMessage<MyChatUIMessage>({
+    streamOptions: { sendReasoning: true },
+  })
+  .withClientData({
+    schema: z.object({ userId: z.string() }),
+  })
+  .onChatSuspend(async ({ ctx }) => {
+    await disposeCodeSandbox(ctx.run.id);
+  })
+  .onChatResume(async ({ ctx }) => {
+    warmCache(ctx.run.id);
+  })
+  .agent({
+    id: "my-chat",
+    run: async ({ messages, signal }) => {
+      return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+    },
+  });
+```
+
+### Builder-level hooks
+
+All [lifecycle hooks](/ai-chat/lifecycle-hooks) can be set on the builder: `onPreload`, `onChatStart`, `onTurnStart`, `onBeforeTurnComplete`, `onTurnComplete`, `onCompacted`, `onChatSuspend`, `onChatResume`.
+
+Builder hooks and task-level hooks **coexist**. When both are defined for the same event, the builder hook runs first, then the task hook:
+
+```ts
+chat
+  .withUIMessage<MyChatUIMessage>()
+  .onPreload(async (event) => {
+    // Runs first — shared setup across tasks using this builder
+    await initializeSharedState(event.chatId);
+  })
+  .agent({
+    id: "my-chat",
+    onPreload: async (event) => {
+      // Runs second — task-specific logic
+      await createChatRecord(event.chatId);
+    },
+    run: async ({ messages, signal }) => {
+      return streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal });
+    },
+  });
+```
+
+<Tip>
+  Set types first (`.withUIMessage()`, `.withClientData()`), then hooks. Hook parameters are typed based on the builder's current generics — so hooks registered after `.withClientData()` get typed `clientData`.
+</Tip>
+
+### When plain `chat.agent()` is enough
+
+If you do not rely on custom `UIMessage` generics (only default text, reasoning, and built-in tool UI types), **`chat.agent()` alone is fine** — no need for `withUIMessage`.
+
+## See also
+
+- [Backend — `chat.agent()`](/ai-chat/backend#chat-agent)
+- [Lifecycle hooks](/ai-chat/lifecycle-hooks)
+- [Frontend — transport & `useChat`](/ai-chat/frontend)
+- [API reference — `chat.withUIMessage`](/ai-chat/reference#chat-withuimessage)
+- [API reference — `chat.withClientData`](/ai-chat/reference#chat-withclientdata)
+- [Task-backed AI tools — `ai.toolExecute`](/tasks/schemaTask#task-backed-ai-tools)
diff --git a/docs/ai-chat/upgrade-guide.mdx b/docs/ai-chat/upgrade-guide.mdx
new file mode 100644
index 00000000000..fce47c0aa4b
--- /dev/null
+++ b/docs/ai-chat/upgrade-guide.mdx
@@ -0,0 +1,515 @@
+---
+title: "Upgrade Guide: prerelease → Sessions-as-run-manager"
+sidebarTitle: "Sessions Upgrade Guide"
+description: "Migrating chat.agent code from the prerelease API to the Sessions-as-run-manager release."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+This guide is for customers who tried `chat.agent` during the prerelease period.
+The public surface of `chat.agent({...})`, `useTriggerChatTransport`,
+`AgentChat`, `chat.defer`, and `chat.history` is largely
+unchanged — but the transport's auth callbacks and the server-side helpers
+that feed them were reshaped, so most prerelease apps need a small wiring
+update.
+
+## TL;DR
+
+<CodeGroup>
+
+```ts before.ts
+// Single accessToken callback, dispatches on purpose
+accessToken: async ({ chatId, purpose }) => {
+  if (purpose === "trigger") {
+    return chat.createAccessToken<typeof myChat>("my-chat");
+  }
+  // purpose === "preload" — same call, same trigger token
+  return chat.createAccessToken<typeof myChat>("my-chat");
+};
+```
+
+```ts after.ts
+// Two callbacks: pure refresh + server action that creates the session
+accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+```
+
+</CodeGroup>
+
+What changed:
+
+- `accessToken` is now a **pure session-PAT mint** — called only on 401/403
+  to refresh. It must return a token scoped to the session, not a
+  `trigger:tasks` JWT.
+- `startSession` is a **new callback** that wraps a server action calling
+  `chat.createStartSessionAction(taskId)`. The transport invokes it on
+  `transport.preload(chatId)` and lazily on the first `sendMessage` for
+  any chatId without a cached PAT.
+- `ChatSession` persistable state drops `runId` — store only
+  `{publicAccessToken, lastEventId?}`.
+- Per-call options on `transport.preload(chatId, ...)` are gone. Trigger
+  config (machine, idleTimeoutInSeconds, tags, queue, maxAttempts) lives
+  server-side in `chat.createStartSessionAction(taskId, options)`.
+
+<Note>
+  The architectural shift is that `chat.agent` no longer rolls its own
+  per-run streams. It runs on top of a durable **Session** row that owns
+  its current run, persists across run lifecycles, and orchestrates
+  upgrades server-side. The customer-facing surface is similar; the wire
+  path beneath it changed completely.
+</Note>
+
+## Step 1: Replace your access-token server action with two server actions
+
+The old pattern was a single helper that minted a trigger token:
+
+```ts app/actions.ts (before)
+"use server";
+
+import { chat } from "@trigger.dev/sdk/ai";
+import type { myChat } from "@/trigger/chat";
+
+export const getChatToken = () =>
+  chat.createAccessToken<typeof myChat>("my-chat");
+```
+
+Replace with two helpers — one for session creation, one for PAT refresh:
+
+```ts app/actions.ts (after)
+"use server";
+
+import { auth } from "@trigger.dev/sdk";
+import { chat } from "@trigger.dev/sdk/ai";
+
+// Server-side wrapper for session creation. Idempotent on (env, chatId).
+// The customer's server is the only entry point that creates Session rows;
+// the browser never holds a `trigger:tasks` JWT.
+export const startChatSession = chat.createStartSessionAction("my-chat");
+
+// Pure session-PAT mint for the transport's 401/403 retry path.
+export async function mintChatAccessToken(chatId: string) {
+  return auth.createPublicToken({
+    scopes: {
+      read: { sessions: chatId },
+      write: { sessions: chatId },
+    },
+    expirationTime: "1h",
+  });
+}
+```
+
+`chat.createStartSessionAction(taskId)` returns a server action that:
+
+1. Creates the Session row for `chatId` (idempotent on the
+   `(env, externalId)` unique pair).
+2. Triggers the agent task's first run with
+   `basePayload: {messages: [], trigger: "preload"}` defaults plus any
+   overrides you pass.
+3. Returns `{sessionId, runId, publicAccessToken}` to the browser.
+
+## Step 2: Update the transport wiring
+
+The transport now takes two callbacks instead of one:
+
+```tsx app/components/chat.tsx (after)
+"use client";
+
+import { useChat } from "@ai-sdk/react";
+import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+import type { myChat } from "@/trigger/chat";
+import { mintChatAccessToken, startChatSession } from "@/app/actions";
+
+export function Chat() {
+  const transport = useTriggerChatTransport<typeof myChat>({
+    task: "my-chat",
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+  });
+
+  const { messages, sendMessage, status } = useChat({ transport });
+  // ...
+}
+```
+
+The transport calls them in two distinct flows:
+
+| Trigger | Callback fired |
+|---|---|
+| `transport.preload(chatId)` | `startSession` |
+| First `sendMessage` for a chatId with no cached PAT | `startSession` (auto) |
+| Any 401/403 from `.in/append`, `.out` SSE, or `end-and-continue` | `accessToken` |
+| Page hydrates with `sessions: { [chatId]: ... }` | Neither (uses hydrated PAT) |
+
+`startSession` is deduped via an in-flight promise — concurrent
+`preload` + `sendMessage` calls converge to one server action invocation.
+
+## Step 3: Drop transport-level trigger config
+
+The prerelease transport accepted `triggerConfig`, `triggerOptions`, and
+per-call options on `preload`. All of that moved server-side:
+
+```ts before
+const transport = useTriggerChatTransport({
+  task: "my-chat",
+  accessToken: getChatToken,
+  triggerConfig: { basePayload: { /* ... */ } },
+  triggerOptions: { tags: [...], machine: "small-1x", maxAttempts: 3 },
+});
+
+transport.preload(chatId, { idleTimeoutInSeconds: 60, metadata: { ... } });
+```
+
+```ts after
+// Trigger config now lives in chat.createStartSessionAction
+export const startChatSession = chat.createStartSessionAction("my-chat", {
+  triggerConfig: {
+    machine: "small-1x",
+    maxAttempts: 3,
+    tags: ["my-tag"],
+    idleTimeoutInSeconds: 60,
+  },
+});
+
+// Browser side
+const transport = useTriggerChatTransport<typeof myChat>({
+  task: "my-chat",
+  accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+  startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+});
+
+transport.preload(chatId);  // no second arg
+```
+
+For metadata that varies per chat, use `clientData` on the transport (see
+the next step) — it's typed and threaded through `startSession` automatically.
+
+## Step 4: Use `clientData` for typed payload metadata
+
+If your agent uses `withClientData({schema})`, the transport's `clientData`
+option is now the canonical place to set it. The same value:
+
+- Is passed to your `startSession` callback as `params.clientData`, where
+  you forward it into `chat.createStartSessionAction`'s
+  `triggerConfig.basePayload.metadata`. The agent's first run sees it in
+  `payload.metadata` (visible to `onPreload` / `onChatStart`).
+- Merges into per-turn `metadata` on every `.in/append` chunk
+  (visible to `onTurnStart` / inside `run` via `turn.clientData`).
+
+```tsx
+const transport = useTriggerChatTransport<typeof myChat>({
+  task: "my-chat",
+  accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+  startSession: ({ chatId, clientData }) =>
+      startChatSession({ chatId, clientData }),
+  clientData: {
+    userId: currentUser.id,
+    plan: currentUser.plan,
+  },
+});
+```
+
+The `clientData` value is live-updated when the option changes (the hook
+calls `setClientData` under the hood), so dynamic values work without
+reconstructing the transport.
+
+<Tip>
+  Server-side authorization can still override or augment the
+  browser-claimed `clientData` inside `startSession` — never trust the
+  browser's identity claim. A typical pattern: the server action looks up
+  the user from the request session, then merges the trusted server fields
+  on top of `params.clientData`.
+</Tip>
+
+## Step 5: Update your `ChatSession` persistence
+
+If you persist session state across page loads, drop the `runId` field:
+
+```ts before
+type ChatSession = {
+  runId: string;
+  publicAccessToken: string;
+  lastEventId?: string;
+};
+```
+
+```ts after
+type ChatSession = {
+  publicAccessToken: string;
+  lastEventId?: string;
+};
+```
+
+If your DB has a `runId` column, you can drop it (the transport doesn't
+read it) or keep it for telemetry. The current run ID lives on the
+Session row server-side now.
+
+Hydration on page reload is unchanged:
+
+```tsx
+const transport = useTriggerChatTransport<typeof myChat>({
+  // ...
+  sessions: persistedSession
+    ? { [chatId]: persistedSession }
+    : {},
+});
+```
+
+## `chat.requestUpgrade()`: same call, faster handoff
+
+Calling `chat.requestUpgrade()` inside `onTurnStart` /
+`onValidateMessages` still ends the current run so the next message starts
+on the latest version. What changed is the mechanism:
+
+- **Before:** the agent emitted a `trigger:upgrade-required` chunk on
+  `.out`; the transport consumed it browser-side and triggered a new run.
+- **After:** the agent calls `endAndContinueSession` server-to-server;
+  the webapp triggers a new run and atomically swaps `Session.currentRunId`
+  via optimistic locking. The browser's existing SSE subscription keeps
+  receiving chunks across the swap — no transport-side bookkeeping.
+
+The new run is recorded in a `SessionRun` audit row with
+`reason: "upgrade"` for dashboard provenance.
+
+## Hitting raw URLs
+
+If your code talks to the realtime API directly instead of going through
+the SDK, the URL shapes changed:
+
+| Before | After |
+|---|---|
+| `GET /realtime/v1/streams/{runId}/chat` | `GET /realtime/v1/sessions/{chatId}/out` |
+| `POST /realtime/v1/streams/{runId}/{target}/chat-messages/append` | `POST /realtime/v1/sessions/{chatId}/in/append` (body: `{kind: "message", payload}`) |
+| `POST /realtime/v1/streams/{runId}/{target}/chat-stop/append` | `POST /realtime/v1/sessions/{chatId}/in/append` (body: `{kind: "stop"}`) |
+
+The session-scoped PAT
+(`read:sessions:{chatId} + write:sessions:{chatId}`) authorizes both the
+externalId form (`/sessions/my-chat-id/...`) and the friendlyId form
+(`/sessions/session_abc.../...`). The transport always uses the
+externalId form; the friendlyId form is available for dashboard tooling
+and direct API consumers.
+
+## What didn't change
+
+- `chat.agent({...})` definition — `id`, `idleTimeoutInSeconds`,
+  `clientDataSchema`, `actionSchema`, `hydrateMessages`, `onPreload`,
+  `onChatStart`, `onValidateMessages`, `onTurnStart`, `onTurnComplete`,
+  `onChatSuspend`, `run`. All callbacks have the same signature and
+  fire at the same lifecycle points.
+- `onAction` is still defined the same way, but its semantics changed
+  in the [May 6 prerelease](/ai-chat/changelog) — actions are no longer
+  turns, and `onAction` returning a `StreamTextResult` produces a model
+  response.
+- `chat.customAgent({...})` and the `chat.createSession(payload, ...)`
+  helper for building a session loop manually inside a custom agent.
+- `chat.defer` (deferred work) and `chat.history` (imperative history
+  mutations from inside `onAction`).
+- `AgentChat` (server-side chat client) — `agent`, `id`, `clientData`,
+  `session`, `onTriggered`, `onTurnComplete`, `sendMessage`, `text()`.
+- `useTriggerChatTransport` React semantics (created once, kept in a
+  ref, callbacks updated under the hood).
+- Multi-tab coordination (`multiTab: true`),
+  [pending messages / steering](/ai-chat/pending-messages),
+  [background injection](/ai-chat/background-injection),
+  [compaction](/ai-chat/compaction).
+- Per-turn `metadata` flowing through
+  `sendMessage({ text }, { metadata })` to `turn.metadata` server-side.
+
+## Verifying the migration
+
+After updating, the smoke check is the same as before: send a message,
+confirm the assistant streams a response, reload mid-stream, confirm
+resume.
+
+A few new things worth verifying once you've cut over:
+
+- **Eager preload.** Click the button (or call `transport.preload(id)`
+  programmatically) — your `startSession` callback should fire and a
+  Session row + first run should be created before you send a message.
+- **Idle-timeout continuation.** Wait past the agent's
+  `idleTimeoutInSeconds` so the run exits, then send another message —
+  the transport's `.in/append` should boot a new run on the same
+  Session, with a `SessionRun` row of `reason: "continuation"`.
+- **PAT refresh.** Force a stale PAT in your DB (corrupt the signature)
+  and reload — the first request should 401, your `accessToken`
+  callback should fire, and the retry should succeed.
+
+If any of those misfire, check that:
+
+- Your `accessToken` callback returns a token minted via
+  `auth.createPublicToken({ scopes: { read: { sessions: chatId }, write: { sessions: chatId } } })`, **not**
+  `chat.createAccessToken` or `auth.createTriggerPublicToken`. The
+  transport rejects trigger tokens now.
+- Your `startSession` callback returns
+  `{publicAccessToken: string}` — the result of
+  `chat.createStartSessionAction(taskId)({chatId, ...})` already has
+  this shape.
+- You haven't left a stale `getStartToken` option on the transport;
+  it's not part of `TriggerChatTransportOptions` anymore.
+
+## v4.5 wire format change
+
+A second migration lands on top of the Sessions release. v4.5 removes the full-history wire payload — clients now ship at most one new `UIMessage` per `.in/append`, and the agent rebuilds prior history from a durable JSON snapshot in object storage plus a replay of the `session.out` tail.
+
+If you use the built-in `TriggerChatTransport` / `AgentChat` and don't reach into the wire shape directly, **most apps need no changes** — the change is below the customer-facing surface. Customers who built custom transports, hit `/realtime/v1/sessions/{id}/in/append` directly, or rely on specific behaviors of `hydrateMessages` / `onChatStart` should read this section.
+
+### Why the change
+
+Long chats with heavy tool results were hitting the realtime API's 512 KiB body cap on `/in/append` once the accumulated `UIMessage[]` history (which the wire shipped in full on every send) crossed the limit. The 413 surfaced as a CORS error in browsers and stalled chats around turn 10–30 with tool use.
+
+The wire is now **delta-only**: each `.in/append` carries at most one new `UIMessage`. The agent rebuilds prior history at run boot. The 512 KiB ceiling stops being pressure — typical payloads are a few KB regardless of chat length.
+
+### Object-store configuration
+
+Snapshot read/write uses Trigger.dev's existing object-store infrastructure — the same presigned-URL routes used for large payloads. Set the standard `OBJECT_STORE_*` env vars on your webapp deployment if you haven't already; MinIO and S3-compatible stores work via `OBJECT_STORE_DEFAULT_PROTOCOL`.
+
+| Env var | Purpose |
+|---|---|
+| `OBJECT_STORE_BASE_URL` | Endpoint URL (S3, MinIO, R2, etc.) |
+| `OBJECT_STORE_ACCESS_KEY_ID` | Access key |
+| `OBJECT_STORE_SECRET_ACCESS_KEY` | Secret key |
+| `OBJECT_STORE_DEFAULT_PROTOCOL` | `s3` (default), `minio`, etc. |
+
+Snapshots are written under `packets/{projectRef}/{envSlug}/sessions/{sessionId}/snapshot.json`. Each snapshot is small (typically tens of KB) and overwritten every turn — no append-only growth.
+
+<Warning>
+  **No object store + no `hydrateMessages` = conversations don't survive run boundaries.** With neither piece of state, a continuation boots empty and the agent can't reconstruct prior turns. Either configure an object store or register `hydrateMessages`. The runtime logs a warning at agent registration time when both are missing.
+</Warning>
+
+### Custom transports
+
+If you've built your own transport (Slack bot, CLI, native app) against the [Client Protocol](/ai-chat/client-protocol), the `ChatTaskWirePayload` shape changed:
+
+```ts before
+type ChatTaskWirePayload = {
+  messages: UIMessage[];        // full history
+  chatId: string;
+  trigger: "submit-message" | "regenerate-message" | "preload" | "close" | "action";
+  // ...
+};
+```
+
+```ts after
+type ChatTaskWirePayload = {
+  message?: UIMessage;          // singular, optional
+  headStartMessages?: UIMessage[];  // chat.headStart only, "handover-prepare"
+  chatId: string;
+  trigger:
+    | "submit-message"
+    | "regenerate-message"
+    | "preload"
+    | "close"
+    | "action"
+    | "handover-prepare";
+  // ...
+};
+```
+
+What to send per trigger:
+
+| Trigger | What to put in the payload |
+|---|---|
+| `submit-message` | The new user message (or a tool-approval-responded assistant message) in `message` |
+| `regenerate-message` | No `message` — the agent trims its own tail |
+| `preload` / `close` / `action` | No `message` |
+| `handover-prepare` (head-start only) | Full prior history in `headStartMessages` (route handler — not on `/in/append`) |
+
+The full wire breakdown is in the rewritten [Client Protocol](/ai-chat/client-protocol).
+
+### `hydrateMessages` consumers
+
+The hook signature is unchanged. Two behavior tightenings worth knowing:
+
+1. **`incomingMessages` is now consistently 0-or-1-length.** Previously some triggers (`regenerate-message`, continuation) shipped full history; now all triggers ship at most one. If you assumed `incomingMessages` could contain multiple messages and acted on them as a batch, the loop now runs zero or one times. Patterns like the one below work the same — they just iterate fewer messages:
+
+```ts
+hydrateMessages: async ({ incomingMessages }) => {
+  for (const msg of incomingMessages) {  // 0-or-1 iterations
+    for (const r of chat.history.extractNewToolResults(msg)) {
+      await auditLog.record({ id: r.toolCallId, output: r.output });
+    }
+  }
+  return await db.getMessages(chatId);
+}
+```
+
+2. **Registering `hydrateMessages` short-circuits snapshot+replay.** The runtime trusts your hook to be the source of truth, so it doesn't read or write the JSON snapshot or replay `session.out`. Zero object-store traffic. Trade-off: you own persistence end-to-end.
+
+### `onChatStart` is now once-per-chat
+
+`onChatStart` no longer fires on continuation runs (post-`endRun`, post-waitpoint-timeout, post-`chat.requestUpgrade`, post-cancel, post-crash) or on OOM-retry attempts. It fires **exactly once per chat**, on the very first user message of the chat's lifetime. The `continuation` and `previousRunId` fields on `ChatStartEvent` are now `@deprecated` (always `false` / `undefined` when the hook fires).
+
+This makes once-per-chat setup code (create the Chat DB row, mint chat-scoped resources) safe to write without continuation gates. Drop any `if (continuation) return;` checks from `onChatStart`:
+
+```ts before
+onChatStart: async ({ continuation, chatId, clientData }) => {
+  if (continuation) return;           // ❌ no longer needed — fires only on first message ever
+  await db.chat.create({ /* ... */ });
+}
+```
+
+```ts after
+onChatStart: async ({ chatId, clientData }) => {
+  await db.chat.create({ /* ... */ });  // ✅ guaranteed first-message-of-chat
+}
+```
+
+If you need per-turn setup that **does** run on continuations, move it to [`onTurnStart`](/ai-chat/lifecycle-hooks#onturnstart) — that hook still fires on every turn, including the first turn of a continuation run.
+
+### Move `chat.local` init from `onChatStart` to `onBoot`
+
+Because `onChatStart` no longer fires on continuation runs, **`chat.local`** state initialized there will be missing when a continuation run starts — `run()` then crashes with `"chat.local can only be modified after initialization"`. The fix is to move per-process initialization to the new [`onBoot`](/ai-chat/lifecycle-hooks#onboot) hook, which fires once per worker boot (initial, preloaded, AND continuation):
+
+```ts before
+const userContext = chat.local<{ name: string; plan: string }>({ id: "userContext" });
+
+onChatStart: async ({ clientData }) => {
+  const user = await db.user.findUnique({ where: { id: clientData.userId } });
+  userContext.init({ name: user.name, plan: user.plan }); // ❌ never runs on continuation
+}
+```
+
+```ts after
+const userContext = chat.local<{ name: string; plan: string }>({ id: "userContext" });
+
+onBoot: async ({ clientData }) => {
+  const user = await db.user.findUnique({ where: { id: clientData.userId } });
+  userContext.init({ name: user.name, plan: user.plan }); // ✅ runs on every fresh worker
+}
+```
+
+Anything else that's per-process (DB connection pools, sandbox handles, in-memory caches) belongs in `onBoot` for the same reason. Branch on `continuation` inside `onBoot` if you need to re-load state from your DB on takeover.
+
+### Client-side `setMessages` doesn't round-trip
+
+The new wire makes one thing explicit that was implicit before: **mutating `useChat()`'s messages on the client doesn't change the agent's history.** Full-history mutations were silently overwritten by the wire's accumulator before this release; now they aren't even shipped.
+
+For history compaction, summarization, or branch-swap, mutate the agent's accumulator inside `onTurnStart` using [`chat.setMessages()`](/ai-chat/backend) or [`chat.history.set()`](/ai-chat/backend#chat-history). The client's `useChat` will reconcile against the next `session.out` payload.
+
+### Verifying the v4.5 migration
+
+After updating, the smoke check is the same as for v4.4:
+
+- Send a message, confirm the assistant streams a response.
+- Reload mid-stream, confirm resume.
+- Send 30+ turns with tool calls — `.in/append` body sizes stay under ~5 KB the entire time. (Pre-change baseline: payloads grew past 512 KB around turn 10-30.)
+- Idle out a run, send another message — the new run reads the snapshot, replays the tail, and continues seamlessly.
+
+If continuations boot empty:
+
+- Confirm `OBJECT_STORE_*` env vars are set on the webapp.
+- Confirm the bucket key `packets/{projectRef}/{envSlug}/sessions/{sessionId}/snapshot.json` exists after a successful turn.
+- Or — register `hydrateMessages` and let your DB be the source of truth.
+
+## Reference
+
+- [TriggerChatTransport options](/ai-chat/reference#triggerchattransport-options)
+- [`chat.createStartSessionAction`](/ai-chat/reference)
+- [Backend setup](/ai-chat/backend)
+- [Frontend setup](/ai-chat/frontend)
+- [Client Protocol](/ai-chat/client-protocol) — wire format reference
+- [Persistence and replay](/ai-chat/patterns/persistence-and-replay) — snapshot model end-to-end
diff --git a/docs/ai/prompts.mdx b/docs/ai/prompts.mdx
new file mode 100644
index 00000000000..556eb074942
--- /dev/null
+++ b/docs/ai/prompts.mdx
@@ -0,0 +1,430 @@
+---
+title: "Prompts"
+sidebarTitle: "Prompts"
+description: "Define prompt templates as code, version them on deploy, and override from the dashboard without redeploying."
+---
+
+import RcBanner from "/snippets/ai-chat-rc-banner.mdx";
+
+<RcBanner />
+
+## Overview
+
+AI Prompts let you define prompt templates in your codebase alongside your tasks. When you deploy, Trigger.dev automatically versions your prompts. You can then:
+
+- View all prompt versions in the dashboard
+- Create **overrides** to change the prompt text or model without redeploying
+- Track every generation that used each prompt version
+- See token usage, cost, and latency metrics per prompt
+- Manage prompts programmatically via SDK methods
+
+## Defining a prompt
+
+Use `prompts.define()` to create a prompt with typed variables:
+
+```ts
+import { prompts } from "@trigger.dev/sdk";
+import { z } from "zod";
+
+export const supportPrompt = prompts.define({
+  id: "customer-support",
+  description: "System prompt for customer support interactions",
+  model: "gpt-4o",
+  config: { temperature: 0.7 },
+  variables: z.object({
+    customerName: z.string(),
+    plan: z.string(),
+    issue: z.string(),
+  }),
+  content: `You are a support agent for Acme SaaS.
+
+## Customer context
+
+- **Name:** {{customerName}}
+- **Plan:** {{plan}}
+- **Issue:** {{issue}}
+
+Respond to the customer's issue. Be concise and helpful.`,
+});
+```
+
+### Options
+
+| Option | Type | Required | Description |
+|--------|------|----------|-------------|
+| `id` | `string` | Yes | Unique identifier (becomes the prompt slug) |
+| `description` | `string` | No | Shown in the dashboard |
+| `model` | `string` | No | Default model (e.g. `"gpt-4o"`, `"claude-sonnet-4-6"`) |
+| `config` | `object` | No | Default config (temperature, maxTokens, etc.) |
+| `variables` | Zod/ArkType schema | No | Schema for template variables (enables validation and dashboard UI) |
+| `content` | `string` | Yes | The prompt template with `{{variable}}` placeholders |
+
+### Template syntax
+
+Templates use Mustache-style placeholders:
+
+- `{{variableName}}` — replaced with the variable value
+- `{{#conditionalVar}}...{{/conditionalVar}}` — content only included if the variable is truthy
+
+```ts
+export const prompt = prompts.define({
+  id: "summarizer",
+  model: "gpt-4o-mini",
+  variables: z.object({
+    text: z.string(),
+    maxSentences: z.string().optional(),
+  }),
+  content: `Summarize the following text{{#maxSentences}} in {{maxSentences}} sentences or fewer{{/maxSentences}}:
+
+{{text}}`,
+});
+```
+
+## Resolving a prompt
+
+### Via prompt handle
+
+Call `.resolve()` on the handle returned by `define()`:
+
+```ts
+const resolved = await supportPrompt.resolve({
+  customerName: "Alice",
+  plan: "Pro",
+  issue: "Cannot access billing dashboard",
+});
+
+console.log(resolved.text);    // The compiled prompt with variables filled in
+console.log(resolved.version); // e.g. 3
+console.log(resolved.model);   // "gpt-4o"
+console.log(resolved.labels);  // ["current"] or ["override"]
+```
+
+### Via standalone prompts.resolve()
+
+Resolve any prompt by slug without needing a handle. Pass the prompt handle as a type parameter for full type safety:
+
+```ts
+import { prompts } from "@trigger.dev/sdk";
+import type { supportPrompt } from "./prompts";
+
+// Fully typesafe — ID and variables are checked at compile time
+const resolved = await prompts.resolve<typeof supportPrompt>("customer-support", {
+  customerName: "Alice",
+  plan: "Pro",
+  issue: "Cannot access billing dashboard",
+});
+```
+
+Without the generic, the function still works but accepts any string slug and `Record<string, unknown>` variables.
+
+### Resolve options
+
+You can resolve a specific version or label:
+
+```ts
+// Resolve a specific version
+const v2 = await supportPrompt.resolve(variables, { version: 2 });
+
+// Resolve by label
+const current = await supportPrompt.resolve(variables, { label: "current" });
+```
+
+By default, `resolve()` returns the **override** version if one is active, otherwise the **current** (latest deployed) version.
+
+<Note>
+  Both `promptHandle.resolve()` and `prompts.resolve()` call the Trigger.dev API when a client is configured. During local dev with `trigger dev`, this means you'll always get the server version (including overrides).
+</Note>
+
+## Using with the AI SDK
+
+The resolved prompt integrates with the [Vercel AI SDK](https://ai-sdk.dev) via `toAISDKTelemetry()`. This links AI generation spans to the prompt in the dashboard.
+
+### generateText
+
+```ts
+import { task } from "@trigger.dev/sdk";
+import { generateText, stepCountIs } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+
+export const supportTask = task({
+  id: "handle-support",
+  run: async (payload) => {
+    const resolved = await supportPrompt.resolve({
+      customerName: payload.name,
+      plan: payload.plan,
+      issue: payload.issue,
+    });
+
+    const result = await generateText({
+      model: openai(resolved.model ?? "gpt-4o"),
+      system: resolved.text,
+      prompt: payload.issue,
+      ...resolved.toAISDKTelemetry(),
+    });
+
+    return { response: result.text };
+  },
+});
+```
+
+### streamText
+
+```ts
+import { streamText } from "ai";
+
+export const streamTask = task({
+  id: "stream-support",
+  run: async (payload) => {
+    const resolved = await supportPrompt.resolve({
+      customerName: payload.name,
+      plan: payload.plan,
+      issue: payload.issue,
+    });
+
+    const result = streamText({
+      model: openai(resolved.model ?? "gpt-4o"),
+      system: resolved.text,
+      prompt: payload.issue,
+      ...resolved.toAISDKTelemetry(),
+      stopWhen: stepCountIs(15),
+    });
+
+    let fullText = "";
+    for await (const chunk of result.textStream) {
+      fullText += chunk;
+    }
+
+    return { response: fullText };
+  },
+});
+```
+
+### Custom telemetry metadata
+
+Pass additional metadata to `toAISDKTelemetry()` that will appear on the generation span:
+
+```ts
+const result = await generateText({
+  model: anthropic("claude-sonnet-4-5"),
+  prompt: resolved.text,
+  ...resolved.toAISDKTelemetry({
+    "task.type": "summarization",
+    "customer.tier": "enterprise",
+  }),
+});
+```
+
+## Using with chat.agent()
+
+Prompts integrate with `chat.agent()` via `chat.prompt` — a run-scoped store for the resolved prompt. Store a prompt once in a lifecycle hook, then access it anywhere during the run.
+
+### chat.prompt.set() and chat.prompt()
+
+```ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { prompts } from "@trigger.dev/sdk";
+import { streamText, createProviderRegistry } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+
+const registry = createProviderRegistry({ anthropic });
+
+const systemPrompt = prompts.define({
+  id: "my-chat-system",
+  model: "anthropic:claude-sonnet-4-5",
+  config: { temperature: 0.7 },
+  variables: z.object({ name: z.string() }),
+  content: `You are a helpful assistant for {{name}}.`,
+});
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  onChatStart: async ({ clientData }) => {
+    const resolved = await systemPrompt.resolve({ name: clientData.name });
+    chat.prompt.set(resolved);
+  },
+  run: async ({ messages, signal }) => {
+    return streamText({
+      ...chat.toStreamTextOptions({ registry }),
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    });
+  },
+});
+```
+
+### chat.toStreamTextOptions()
+
+Returns an options object ready to spread into `streamText()`. When a prompt is stored via `chat.prompt.set()`, it includes:
+
+- `system` — the compiled prompt text
+- `model` — resolved via the `registry` when provided
+- `temperature`, `maxTokens`, etc. — from the prompt's `config`
+- `experimental_telemetry` — links generations to the prompt in the dashboard
+
+```ts
+// With registry — model is resolved automatically
+const options = chat.toStreamTextOptions({ registry });
+// { system: "...", model: LanguageModel, temperature: 0.7, experimental_telemetry: { ... } }
+
+// Without registry — model is not included
+const options = chat.toStreamTextOptions();
+// { system: "...", temperature: 0.7, experimental_telemetry: { ... } }
+```
+
+<Tip>
+  When the user provides a `registry` and the prompt has a `model` string (e.g. `"anthropic:claude-sonnet-4-5"`), the model is resolved via `registry.languageModel()` and included in the returned options. This means `streamText` uses the prompt's model by default — no manual model selection needed.
+</Tip>
+
+### Reading the prompt
+
+Access the stored prompt from anywhere in the run:
+
+```ts
+run: async ({ messages, signal }) => {
+  const prompt = chat.prompt(); // Throws if not set
+  console.log(prompt.text);     // The compiled prompt
+  console.log(prompt.model);    // "anthropic:claude-sonnet-4-5"
+  console.log(prompt.version);  // 3
+
+  return streamText({
+    ...chat.toStreamTextOptions({ registry }),
+    messages,
+    abortSignal: signal,
+    stopWhen: stepCountIs(15),
+  });
+},
+```
+
+You can also set a plain string if you don't need the full prompt system:
+
+```ts
+chat.prompt.set("You are a helpful assistant.");
+```
+
+## Prompt management SDK
+
+The `prompts` namespace includes methods for managing prompts programmatically. These work both inside tasks and outside (e.g. scripts, API handlers) as long as an API client is configured.
+
+### List prompts
+
+```ts
+const allPrompts = await prompts.list();
+```
+
+### List versions
+
+```ts
+const versions = await prompts.versions("customer-support");
+```
+
+### Create an override
+
+Create a new override that takes priority over the deployed version:
+
+```ts
+const result = await prompts.createOverride("customer-support", {
+  textContent: "New prompt template: Hello {{customerName}}!",
+  model: "gpt-4o-mini",
+  commitMessage: "Shorter prompt",
+});
+```
+
+### Update an override
+
+```ts
+await prompts.updateOverride("customer-support", {
+  textContent: "Updated template: Hi {{customerName}}!",
+  model: "gpt-4o",
+});
+```
+
+### Remove an override
+
+Remove the active override, reverting to the deployed version:
+
+```ts
+await prompts.removeOverride("customer-support");
+```
+
+### Promote a version
+
+```ts
+await prompts.promote("customer-support", 2);
+```
+
+### All management methods
+
+| Method | Description |
+|--------|-------------|
+| `prompts.list()` | List all prompts in the current environment |
+| `prompts.versions(slug)` | List all versions for a prompt |
+| `prompts.resolve(slug, variables?, options?)` | Resolve a prompt by slug |
+| `prompts.promote(slug, version)` | Promote a version to current |
+| `prompts.createOverride(slug, body)` | Create an override |
+| `prompts.updateOverride(slug, body)` | Update the active override |
+| `prompts.removeOverride(slug)` | Remove the active override |
+| `prompts.reactivateOverride(slug, version)` | Reactivate a removed override |
+
+## Overrides
+
+Overrides let you change a prompt's template or model from the dashboard or SDK without redeploying your code. When an override is active, `resolve()` returns the override version instead of the deployed version.
+
+### How overrides work
+
+- Overrides take priority over the deployed ("current") version
+- Only one override can be active at a time
+- Creating a new override replaces the previous one
+- Removing an override reverts to the deployed version
+- Overrides are environment-scoped (dev, staging, production are independent)
+
+### Creating an override (dashboard)
+
+1. Go to the prompt detail page
+2. Click **Create Override**
+3. Edit the template text and/or model
+4. Add an optional commit message
+5. Click **Create override**
+
+### Version resolution order
+
+When `resolve()` is called, versions are resolved in this order:
+
+1. **Specific version** — if `{ version: N }` is passed
+2. **Override** — if an override is active in this environment
+3. **Label** — if `{ label: "..." }` is passed (defaults to `"current"`)
+4. **Current** — the latest deployed version with the "current" label
+
+## Dashboard
+
+### Prompts list
+
+The prompts list page shows all prompts in the current environment with the current or override version, default model, and a usage sparkline.
+
+### Prompt detail
+
+Click a prompt to see:
+
+- **Template panel** — the prompt template for the selected version
+- **Details tab** — slug, description, model, config, source file, and variable schema
+- **Versions tab** — all versions with labels, source, and commit messages
+- **Generations tab** — every AI generation that used this prompt, with live polling
+- **Metrics tab** — token usage, cost, and latency charts
+
+### AI span inspectors
+
+When you use `toAISDKTelemetry()`, AI generation spans in the run trace get a custom inspector showing:
+
+- **Overview** — model, provider, token usage, cost, input/output preview
+- **Messages** — the full message thread
+- **Tools** — tool definitions and tool call details
+- **Prompt** — the linked prompt's metadata, input variables, and template content
+
+## Type utilities
+
+```ts
+import type { PromptHandle, PromptIdentifier, PromptVariables } from "@trigger.dev/sdk";
+
+type Id = PromptIdentifier<typeof supportPrompt>;   // "customer-support"
+type Vars = PromptVariables<typeof supportPrompt>;   // { customerName: string; plan: string; issue: string }
+```
diff --git a/docs/compute-private-beta.mdx b/docs/compute-private-beta.mdx
new file mode 100644
index 00000000000..80db1d429fb
--- /dev/null
+++ b/docs/compute-private-beta.mdx
@@ -0,0 +1,82 @@
+---
+title: "Compute private beta"
+description: "Early access to the new microVM-based compute runtime."
+sidebarTitle: "Compute private beta"
+hidden: true
+---
+
+<Warning>
+  MicroVM compute is in private beta. Use it in staging only - do not run production traffic on it
+  yet, and expect bugs.
+</Warning>
+
+## What it is
+
+MicroVM compute is a new runtime for your tasks, designed for fast cold starts via boot snapshots. For most tasks the migration is transparent - the same task code runs unchanged.
+
+## What's new
+
+### May 1, 2026
+
+- **Cold starts are faster across all machine sizes.** Every preset starts faster, including `micro` and `small-1x` - there's no longer a cold-start penalty for picking a smaller machine.
+- **First runs after a deploy are faster on every preset.** Boot snapshot creation is significantly quicker across the board, so the cold path is consistently snappier.
+- **`large-1x` and `large-2x` no longer hard-fail.** They're still not recommended - cold-start performance trails the smaller presets and we're ironing out reliability issues.
+
+## Getting access
+
+You can't opt in yourself. Once we've enabled the private beta for your org, the `us-east-1-next` region becomes available on the **Regions** page in the dashboard. If you'd like access, ping us on Slack.
+
+## Routing runs to microVM compute
+
+MicroVM compute is exposed as a region: `us-east-1-next`. The region is tagged with a **microVM** badge on the **Regions** page.
+
+### Per-trigger override (recommended)
+
+The `region` option is part of `TriggerOptions`, accepted by most triggering functions.
+
+```typescript
+import { yourTask } from "./trigger/your-task";
+
+await yourTask.trigger(payload, { region: "us-east-1-next" });
+```
+
+This is the safest way to opt in during the beta - you control exactly which runs land on microVM compute.
+
+To gate it on an environment variable so prod isn't affected, define one constant and reuse it at every call site:
+
+```typescript
+const defaultRegion = process.env.USE_COMPUTE_BETA === "1" ? "us-east-1-next" : undefined;
+
+await yourTask.trigger(payload, { region: defaultRegion });
+```
+
+Set `USE_COMPUTE_BETA=1` in the staging environment of the app that calls `trigger()` (typically Vercel, or wherever you deploy your app).
+
+### Set it as your project default
+
+Open the **Regions** page in the dashboard and set `us-east-1-next` as the project-wide default. This applies to **all environments in the project**, so only do this on a project that is running staging traffic only.
+
+<Note>
+  Switching the default region doesn't move runs that are already in the queue - they stay in the previous region until they execute. To make a switch take effect for in-flight work, [cancel those runs](/bulk-actions) and re-trigger them after changing the default. This applies whenever you change regions, not just when moving on or off `us-east-1-next`.
+</Note>
+
+<Warning>
+  Setting `us-east-1-next` as your project default makes boot snapshot creation a required step at deploy time. Two things to expect:
+
+  - Deploys take a bit longer (up to ~30 seconds extra) while the snapshot is built.
+  - Deploys can fail if the snapshot step fails. This is by design - boot snapshot creation is what proves your deploy image can actually run on microVM compute. Retrying may succeed, but if it doesn't please switch your default region back for a quick unblock and reach out to us on Slack.
+</Warning>
+
+## Machine sizes
+
+A few things to be aware of during the beta:
+
+- **`small-1x` is the default and what we've optimized for.** Boot snapshots are precreated for `small-1x` only - other sizes generate the snapshot lazily on first run after a deploy.
+- **`large-1x` and `large-2x` aren't recommended yet.** They run, but cold-start times trail the smaller presets and we're still ironing out reliability issues. Stick to other machine types for now and expect rough edges if you do try the large sizes.
+- **All sizes are capped at 1GB of disk during the beta.** The [machine size table](/machines) lists 10GB as the target, but every preset is currently provisioned with 1GB regardless.
+
+We'll continue shipping fixes, performance, and reliability improvements during the beta. Compute-specific prereleases will be announced on this page as we go, and we'll also reach out on Slack.
+
+## Reporting issues
+
+Send anything weird (errors, slow runs, restore failures, anything that surprises you) over Slack with the run ID. The more reproductions we get during the beta, the faster we harden it for public beta.
diff --git a/docs/context.mdx b/docs/context.mdx
index 4e4b8f7bac6..f522fd8ccb5 100644
--- a/docs/context.mdx
+++ b/docs/context.mdx
@@ -81,6 +81,9 @@ export const parentTask = task({
     <ResponseField name="isTest" type="boolean">
       Whether this is a [test run](/run-tests).
     </ResponseField>
+    <ResponseField name="isReplay" type="boolean">
+      Whether this run is a [replay](/replaying) of a previous run.
+    </ResponseField>
     <ResponseField name="createdAt" type="date">
       The creation time of the task run.
     </ResponseField>
diff --git a/docs/database-connections.mdx b/docs/database-connections.mdx
new file mode 100644
index 00000000000..df808e66088
--- /dev/null
+++ b/docs/database-connections.mdx
@@ -0,0 +1,213 @@
+---
+title: "Database connections"
+sidebarTitle: "Database connections"
+description: "Connect a database to your tasks: where to create the client, how to size the pool for your provider's connection limit, and how to release connections so you don't run out."
+---
+
+Tasks connect to your database from their own process. This guide covers the recommended setup for each client, how to size the pool against your provider's connection limit, and how to release connections at waits.
+
+## Create the client once
+
+Create the client at module scope and import it wherever you query. The worker loads the module once per process, so every run on that worker reuses the same pool. Keep the pool small (see [Size the pool](#size-the-pool)) and attach an error handler, since an idle connection can error asynchronously and an unhandled `error` event crashes the worker.
+
+<CodeGroup>
+```ts lib/db.ts (node-postgres)
+import { Pool } from "pg";
+
+export const pool = new Pool({
+  connectionString: process.env.DATABASE_URL,
+  max: 1, // one connection per run; raise only for in-run parallel queries
+});
+
+pool.on("error", (err) => console.error("pg pool error", err));
+```
+
+```ts lib/db.ts (Prisma)
+import { PrismaPg } from "@prisma/adapter-pg";
+import { PrismaClient } from "./generated/prisma/client";
+
+const adapter = new PrismaPg({ connectionString: process.env.DATABASE_URL, max: 1 });
+
+export const prisma = new PrismaClient({ adapter });
+```
+
+```ts lib/db.ts (Drizzle)
+import { drizzle } from "drizzle-orm/node-postgres";
+import { Pool } from "pg";
+
+const pool = new Pool({ connectionString: process.env.DATABASE_URL, max: 1 });
+pool.on("error", (err) => console.error("pg pool error", err));
+
+export const db = drizzle({ client: pool });
+```
+
+```ts lib/db.ts (MongoDB)
+import { MongoClient } from "mongodb";
+
+export const client = new MongoClient(process.env.DATABASE_URL!, { maxPoolSize: 5 });
+```
+</CodeGroup>
+
+<Note>
+Import this one client everywhere. Don't create a client inside `run()` or a lifecycle hook, which opens a new pool on every run, and don't store one in [`chat.local`](/ai-chat/chat-local), which is per-run state that gets serialized into subtasks.
+</Note>
+
+## Size the pool
+
+A run uses connections only while it is actively executing. Queued, waiting, and suspended runs use none. So the connections in use at any moment are:
+
+> concurrent executing runs × pool size per run
+
+Set the pool small. A task usually runs its queries in sequence, so one connection per run (`max: 1`) is enough for node-postgres, Prisma, and Drizzle; raise it only when a single run issues queries in parallel. The MongoDB driver shares one pool across all operations, so keep `maxPoolSize` in the low single digits. Each client's out-of-the-box default is far larger:
+
+| Client | Default pool size |
+| --- | --- |
+| [node-postgres (`pg`)](https://node-postgres.com/guides/pool-sizing) | 10 |
+| postgres-js | 10 |
+| [Prisma (v7, `pg` adapter)](https://www.prisma.io/docs/orm/prisma-client/setup-and-configuration/databases-connections/connection-pool) | 10 (the adapter's `pg` default) |
+| Drizzle (node-postgres) | 10 (the underlying `pg` pool) |
+| [MongoDB driver](https://www.mongodb.com/docs/drivers/node/current/connect/connection-options/connection-pools/) | 100 (`maxPoolSize`) |
+
+Keep `concurrent runs × pool size` under your provider's connection limit, and cap how many runs execute at once with [concurrency limits](/queue-concurrency) so runs queue instead of overrunning the database. Direct connection limits for common Postgres providers:
+
+| Provider | Direct connection limit |
+| --- | --- |
+| [PostgreSQL (self-hosted)](https://www.postgresql.org/docs/current/runtime-config-connection.html) | `max_connections`, default `100` |
+| [Supabase](https://supabase.com/docs/guides/platform/compute-and-disk) | `60` (Nano/Micro) up to `500` (16XL), by compute size |
+| [Neon](https://neon.com/docs/connect/connection-pooling) | `104` (0.25 CU) up to `4000` (capped at 9 CU and above), by compute size |
+| [AWS RDS / Aurora](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html) | `LEAST(DBInstanceClassMemory / 9531392, 5000)`, ~5 reserved for superusers |
+| [PlanetScale Postgres](https://planetscale.com/docs/postgres/connecting) | set per cluster size (Cluster, then Parameters, then `max_connections`) |
+
+[MongoDB Atlas](https://www.mongodb.com/docs/atlas/reference/atlas-limits/) limits connections per node: `500` on Free and Flex, `1500` on M10, `3000` on M20.
+
+When `concurrent runs × pool size` approaches these numbers, connect through a pooler instead.
+
+## Use a connection pooler
+
+A pooler (PgBouncer, RDS Proxy, Supavisor, Prisma Accelerate) sits between your tasks and the database and multiplexes many client connections onto a few backend connections. Point your connection string at the pooler's endpoint and the ceiling rises without changing your code. Use one when many runs execute concurrently, and for chat agents.
+
+| Provider | Pooled endpoint | Pooled client limit |
+| --- | --- | --- |
+| [Supabase Supavisor](https://supabase.com/docs/guides/database/connection-management) | port `6543` (transaction mode) | `200` (Nano) up to `12,000` (16XL) |
+| [Neon](https://neon.com/docs/connect/connection-pooling) | add `-pooler` to the endpoint host | up to `10,000` |
+| [AWS RDS Proxy](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy.html) | the proxy endpoint | managed |
+| [PlanetScale Postgres](https://planetscale.com/blog/scaling-postgres-connections-with-pgbouncer) | PgBouncer endpoint | managed |
+| Self-hosted | PgBouncer or PgCat | configured |
+
+Use the pooled endpoint for your tasks. Use the direct endpoint for schema migrations (Prisma Migrate, Drizzle Kit), which need a stable session that a transaction pooler does not provide.
+
+Transaction-mode poolers (Supavisor on `6543`, PgBouncer in transaction mode) do not keep server-side prepared statements across queries. With Prisma, add `?pgbouncer=true` to the pooled URL. With node-postgres, don't rely on prepared statements.
+
+## Private databases
+
+If your database lives in a private VPC and isn't reachable over the public internet, connect to it with [private networking](/private-networking/overview), which links your tasks to resources in your own AWS account over AWS PrivateLink. It supports Postgres (RDS, Aurora), MySQL, MongoDB, and any other TCP service behind an internal load balancer.
+
+Once the connection is active, set your connection-string variable (for example `DATABASE_URL`) to the endpoint IP shown in the dashboard, and the client setup above is unchanged. Private networking is a Pro and Enterprise feature, and the endpoint is reachable only from deployed environments, so use a public connection in local development.
+
+## Provider notes
+
+- [Supabase](https://supabase.com/docs/guides/database/connecting-to-postgres): the direct connection (`db.<ref>.supabase.co:5432`) resolves to IPv6 only and is unreachable from many environments, so connect through the Supavisor pooler or add the IPv4 add-on. The pooler presents Supabase's own CA, so prefer passing that CA and keeping verification on (`rejectUnauthorized: true`). Use `rejectUnauthorized: false` only as a temporary troubleshooting step in non-production environments.
+- A `DATABASE_URL` with `sslmode=verify-full&sslrootcert=system` uses a libpq feature the `pg` driver (node-postgres, and the Prisma and Drizzle pools built on it) cannot read. Build the pool from discrete fields with `ssl: { rejectUnauthorized: true }` (Node's CA store), or point `sslrootcert` at a real CA file.
+
+## Release connections at a wait
+
+A run holds its connections while it is paused at a wait until the process is torn down, which is not instant. Free them sooner so other runs can reuse them. How you release depends on the client:
+
+- Prisma reconnects lazily, so disconnect it from a global [`tasks.onWait`](/tasks/overview#onwait-and-onresume-functions) handler colocated with the client. One handler covers every task.
+- A `pg` Pool (node-postgres and Drizzle) and the MongoDB client can't be reused after a full close, so give them a short idle timeout instead. Idle connections close themselves during the wait while the pool stays usable.
+
+<CodeGroup>
+```ts lib/db.ts (node-postgres)
+import { Pool } from "pg";
+
+export const pool = new Pool({
+  connectionString: process.env.DATABASE_URL,
+  max: 1,
+  idleTimeoutMillis: 10_000, // idle connections close during a wait; the pool stays usable
+});
+
+pool.on("error", (err) => console.error("pg pool error", err));
+```
+
+```ts lib/db.ts (Prisma)
+import { tasks } from "@trigger.dev/sdk";
+import { PrismaPg } from "@prisma/adapter-pg";
+import { PrismaClient } from "./generated/prisma/client";
+
+const adapter = new PrismaPg({ connectionString: process.env.DATABASE_URL, max: 1 });
+export const prisma = new PrismaClient({ adapter });
+
+// Disconnect when any run pauses; Prisma reconnects on the next query.
+tasks.onWait("db", () => prisma.$disconnect());
+```
+
+```ts lib/db.ts (Drizzle)
+import { drizzle } from "drizzle-orm/node-postgres";
+import { Pool } from "pg";
+
+const pool = new Pool({
+  connectionString: process.env.DATABASE_URL,
+  max: 1,
+  idleTimeoutMillis: 10_000,
+});
+pool.on("error", (err) => console.error("pg pool error", err));
+
+export const db = drizzle({ client: pool });
+```
+
+```ts lib/db.ts (MongoDB)
+import { MongoClient } from "mongodb";
+
+export const client = new MongoClient(process.env.DATABASE_URL!, {
+  maxPoolSize: 5,
+  maxIdleTimeMS: 10_000, // idle sockets close during a wait; the client stays usable
+});
+```
+</CodeGroup>
+
+Don't hold a client across a slow await, either. `pool.query()` checks a connection out and returns it in one call. If you `pool.connect()` and keep the client across an external HTTP call or a model stream, you pin that connection for the whole operation. Query, release, then do the slow work.
+
+## Chat agents
+
+A chat agent runs one long-lived worker per conversation and suspends between messages, so its connection count tracks the conversations streaming a turn at the same moment. The global `tasks.onWait` handler above covers chat agents too. Two more specifics:
+
+- Don't hold a connection across `streamText()`. A turn spends most of its time waiting on the model, so query and release before the stream starts.
+- To release only when a conversation goes idle (rather than on every internal wait within a turn), use [`onChatSuspend`](/ai-chat/lifecycle-hooks#onchatsuspend--onchatresume) instead of the global handler.
+
+```ts /trigger/chat.ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText } from "ai";
+import { openai } from "@ai-sdk/openai";
+import { prisma } from "@/lib/db";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  run: async ({ messages, clientData, signal }) => {
+    const user = await prisma.user.findUnique({ where: { id: clientData.userId } });
+    // The connection is back in the pool before the model stream starts.
+    return streamText({
+      model: openai("gpt-4o"),
+      system: `Helping ${user?.name ?? "the user"}.`,
+      messages,
+      abortSignal: signal,
+    });
+  },
+});
+```
+
+## Troubleshooting
+
+`too many connections` or connection refused: `concurrent runs × pool size` is over your provider's limit. Lower the pool size, cap [concurrency](/queue-concurrency), or connect through a pooler.
+
+The worker crashes right after resuming from a wait: an idle connection that closed during the suspend emitted an unhandled `error` event. Attach `pool.on("error", ...)` on a `pg` pool (node-postgres or Drizzle); Prisma and the MongoDB driver handle this internally.
+
+## How suspend affects connections
+
+When a task waits, the runtime can [checkpoint](/how-it-works#the-checkpoint-resume-system) the run: it snapshots the process and frees the compute, then restores the process when the wait resolves. Process memory comes back, so your pool object survives, but the database closed the idle connections in the meantime. The pool reconnects on the first query after resume. This is why a suspended run holds no connections, and why the pool needs an error handler to absorb the closed connection cleanly.
+
+## See also
+
+- [Wait](/wait) for the primitives that trigger a checkpoint.
+- [Concurrency and queues](/queue-concurrency) to cap how many runs execute at once.
+- [Lifecycle functions](/tasks/overview#onwait-and-onresume-functions) for global `tasks.onWait` and `tasks.onResume`.
+- [Chat agent lifecycle hooks](/ai-chat/lifecycle-hooks) for `onChatSuspend` and `onChatResume`.
diff --git a/docs/deploy-environment-variables.mdx b/docs/deploy-environment-variables.mdx
index a4c3b75daf4..529c621dec4 100644
--- a/docs/deploy-environment-variables.mdx
+++ b/docs/deploy-environment-variables.mdx
@@ -30,6 +30,15 @@ We deploy your tasks and scale them up and down when they are triggered. So any
   locally.
 </Note>
 
+### Secret environment variables
+
+When creating an environment variable, you can mark it as a **Secret**. Secret values are hidden in the dashboard and cannot be viewed after creation.
+
+<Warning>
+  Marking a variable as a Secret is irreversible and can only be done when creating the variable. To
+  change this setting, you must delete the variable and create a new one.
+</Warning>
+
 ### Editing environment variables
 
 You can edit an environment variable's values. You cannot edit the key name, you must delete and create a new one.
diff --git a/docs/docs.json b/docs/docs.json
index e4db782131c..ef448f860a4 100644
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -10,7 +10,11 @@
   },
   "favicon": "/images/favicon.png",
   "contextual": {
-    "options": ["copy", "view", "claude"]
+    "options": [
+      "copy",
+      "view",
+      "claude"
+    ]
   },
   "navigation": {
     "dropdowns": [
@@ -36,7 +40,11 @@
             "pages": [
               {
                 "group": "Tasks",
-                "pages": ["tasks/overview", "tasks/schemaTask", "tasks/scheduled"]
+                "pages": [
+                  "tasks/overview",
+                  "tasks/schemaTask",
+                  "tasks/scheduled"
+                ]
               },
               "triggering",
               "runs",
@@ -49,7 +57,10 @@
               "building-with-ai",
               {
                 "group": "MCP Server",
-                "pages": ["mcp-introduction", "mcp-tools"]
+                "pages": [
+                  "mcp-introduction",
+                  "mcp-tools"
+                ]
               },
               "skills",
               "mcp-agent-rules"
@@ -63,7 +74,12 @@
               "errors-retrying",
               {
                 "group": "Wait",
-                "pages": ["wait", "wait-for", "wait-until", "wait-for-token"]
+                "pages": [
+                  "wait",
+                  "wait-for",
+                  "wait-until",
+                  "wait-for-token"
+                ]
               },
               "queue-concurrency",
               "versioning",
@@ -80,6 +96,68 @@
               "hidden-tasks"
             ]
           },
+          {
+            "group": "Agents",
+            "pages": [
+              "ai-chat/overview",
+              "ai-chat/quick-start",
+              {
+                "group": "Building agents",
+                "pages": [
+                  "ai-chat/how-it-works",
+                  "ai-chat/backend",
+                  "ai-chat/lifecycle-hooks",
+                  "ai-chat/tools",
+                  "ai-chat/frontend",
+                  "ai-chat/server-chat",
+                  "ai-chat/sessions",
+                  "ai-chat/chat-local",
+                  "ai-chat/types"
+                ]
+              },
+              {
+                "group": "Features",
+                "pages": [
+                  "ai/prompts",
+                  "ai-chat/fast-starts",
+                  "ai-chat/compaction",
+                  "ai-chat/pending-messages",
+                  "ai-chat/background-injection",
+                  "ai-chat/actions",
+                  "ai-chat/error-handling"
+                ]
+              },
+              {
+                "group": "Patterns",
+                "pages": [
+                  "ai-chat/patterns/sub-agents",
+                  "ai-chat/patterns/version-upgrades",
+                  "ai-chat/patterns/database-persistence",
+                  "ai-chat/patterns/persistence-and-replay",
+                  "ai-chat/patterns/branching-conversations",
+                  "ai-chat/patterns/code-sandbox",
+                  "ai-chat/patterns/human-in-the-loop",
+                  "ai-chat/patterns/tool-result-auditing",
+                  "ai-chat/patterns/large-payloads",
+                  "ai-chat/patterns/skills",
+                  "ai-chat/patterns/oom-resilience",
+                  "ai-chat/patterns/recovery-boot",
+                  "ai-chat/patterns/trusted-edge-signals"
+                ]
+              },
+              {
+                "group": "Reference",
+                "pages": [
+                  "ai-chat/reference",
+                  "ai-chat/client-protocol",
+                  "ai-chat/testing",
+                  "ai-chat/mcp",
+                  "ai-chat/upgrade-guide",
+                  "ai-chat/changelog"
+                ]
+              }
+            ]
+          },
           {
             "group": "Configuration",
             "pages": [
@@ -113,7 +191,9 @@
           },
           {
             "group": "Development",
-            "pages": ["cli-dev"]
+            "pages": [
+              "cli-dev"
+            ]
           },
           {
             "group": "Deployment",
@@ -125,10 +205,21 @@
               "deployment/atomic-deployment",
               {
                 "group": "Deployment integrations",
-                "pages": ["github-integration", "vercel-integration"]
+                "pages": [
+                  "github-integration",
+                  "vercel-integration"
+                ]
               }
             ]
           },
+          {
+            "group": "Private networking",
+            "pages": [
+              "private-networking/overview",
+              "private-networking/aws-console-setup",
+              "private-networking/troubleshooting"
+            ]
+          },
           {
             "group": "Realtime",
             "pages": [
@@ -181,16 +272,25 @@
           },
           {
             "group": "Observability",
-            "pages": ["observability/query", "observability/dashboards"]
+            "pages": [
+              "observability/query",
+              "observability/dashboards"
+            ]
           },
           {
             "group": "Using the Dashboard",
-            "pages": ["run-tests", "troubleshooting-alerts", "replaying", "bulk-actions"]
+            "pages": [
+              "run-tests",
+              "troubleshooting-alerts",
+              "replaying",
+              "bulk-actions"
+            ]
           },
           {
             "group": "Troubleshooting",
             "pages": [
               "troubleshooting",
+              "database-connections",
               "how-to-reduce-your-spend",
               "troubleshooting-debugging-in-vscode",
               "upgrading-packages",
@@ -207,18 +307,30 @@
               "self-hosting/kubernetes",
               {
                 "group": "Environment variables",
-                "pages": ["self-hosting/env/webapp", "self-hosting/env/supervisor"]
+                "pages": [
+                  "self-hosting/env/webapp",
+                  "self-hosting/env/supervisor"
+                ]
               },
               "open-source-self-hosting"
             ]
           },
           {
             "group": "Open source",
-            "pages": ["open-source-contributing", "github-repo", "changelog", "roadmap"]
+            "pages": [
+              "open-source-contributing",
+              "github-repo",
+              "changelog",
+              "roadmap"
+            ]
           },
           {
             "group": "Help",
-            "pages": ["community", "help-slack", "help-email"]
+            "pages": [
+              "community",
+              "help-slack",
+              "help-email"
+            ]
           }
         ]
       },
@@ -324,7 +436,11 @@
           },
           {
             "group": "Query API",
-            "pages": ["management/query/execute", "management/query/schema", "management/query/dashboards"]
+            "pages": [
+              "management/query/execute",
+              "management/query/schema",
+              "management/query/dashboards"
+            ]
           }
         ]
       },
@@ -335,7 +451,9 @@
         "groups": [
           {
             "group": "Introduction",
-            "pages": ["guides/introduction"]
+            "pages": [
+              "guides/introduction"
+            ]
           },
           {
             "group": "Frameworks",
@@ -358,7 +476,6 @@
                 },
                 "pages": [
                   "guides/ai-agents/overview",
-
                   "guides/ai-agents/generate-translate-copy",
                   "guides/ai-agents/route-question",
                   "guides/ai-agents/respond-and-check-content",
@@ -402,7 +519,10 @@
           },
           {
             "group": "Migration guides",
-            "pages": ["migration-mergent", "migration-n8n"]
+            "pages": [
+              "migration-mergent",
+              "migration-n8n"
+            ]
           },
           {
             "group": "Use cases",
@@ -493,7 +613,10 @@
     "href": "https://trigger.dev"
   },
   "api": {
-    "openapi": ["openapi.yml", "v3-openapi.yaml"],
+    "openapi": [
+      "openapi.yml",
+      "v3-openapi.yaml"
+    ],
     "playground": {
       "display": "simple"
     }
@@ -735,6 +858,10 @@
     {
       "source": "/insights/metrics",
       "destination": "/observability/dashboards"
+    },
+    {
+      "source": "/guides/ai-chat",
+      "destination": "/ai-chat/overview"
     }
   ]
 }
diff --git a/docs/guides/frameworks/bun.mdx b/docs/guides/frameworks/bun.mdx
index 3b9f7ccce23..2e25292e5ee 100644
--- a/docs/guides/frameworks/bun.mdx
+++ b/docs/guides/frameworks/bun.mdx
@@ -10,12 +10,13 @@ import CliRunTestStep from "/snippets/step-run-test.mdx";
 import CliViewRunStep from "/snippets/step-view-run.mdx";
 
 <Warning>
-  The trigger.dev CLI does not yet support Bun. So you will need to run the CLI using Node.js.
-  Bun will still be used to execute your tasks, even in the `dev` environment.
+  The trigger.dev CLI does not yet support Bun. So you will need to run the CLI using Node.js. Bun
+  will still be used to execute your tasks, even in the `dev` environment.
 </Warning>
 
 <Note>
-  **Supported Bun version:** Deployed tasks run on Bun 1.3.3. For local development, use Bun 1.3.x for compatibility.
+  **Supported Bun version:** Deployed tasks run on Bun 1.3.3. For local development, use Bun 1.3.x
+  for compatibility.
 </Note>
 
 <Prerequisites framework="Bun" />
@@ -27,6 +28,7 @@ import CliViewRunStep from "/snippets/step-view-run.mdx";
   ```bash
   mkdir -p ~/.bun/bin && ln -s $(which bun) ~/.bun/bin/bun
   ```
+- Bun's WebSocket client does not handle the `101 Switching Protocols` upgrade response correctly, so connecting to a remote browser via `puppeteer.connect()` / `playwright.connectOverCDP()` (e.g. BrowserBase, Browserless) fails silently — typically with an empty `{}` `ErrorEvent`. The remote session opens and immediately drops. **Workaround:** set `runtime: "node"` in `trigger.config.ts` for tasks that connect to a remote browser.
 
 ## Initial setup
 
diff --git a/docs/guides/frameworks/drizzle.mdx b/docs/guides/frameworks/drizzle.mdx
index 5ea84d9e108..49708a87f62 100644
--- a/docs/guides/frameworks/drizzle.mdx
+++ b/docs/guides/frameworks/drizzle.mdx
@@ -24,6 +24,12 @@ This guide will show you how to set up [Drizzle ORM](https://orm.drizzle.team/)
 - Drizzle ORM [installed and initialized](https://orm.drizzle.team/docs/get-started) in your project
 - A `DATABASE_URL` environment variable set in your `.env` file, pointing to your PostgreSQL database (e.g. `postgresql://user:password@localhost:5432/dbname`)
 
+<Tip>
+  If your Postgres lives in a private AWS VPC (e.g. RDS without a public endpoint), connect it via
+  [Private networking](/private-networking/overview) instead of opening it to the public internet
+  (Pro and Enterprise plans).
+</Tip>
+
 ## Initial setup (optional)
 
 Follow these steps if you don't already have Trigger.dev set up in your project.
diff --git a/docs/idempotency.mdx b/docs/idempotency.mdx
index 034246eafbf..0d61341697a 100644
--- a/docs/idempotency.mdx
+++ b/docs/idempotency.mdx
@@ -108,6 +108,10 @@ When you pass a raw string, it defaults to `"run"` scope (scoped to the parent r
 
 <Note>Make sure you provide sufficiently unique keys to avoid collisions.</Note>
 
+<Note>
+Idempotency keys are limited to 2048 characters. Keys produced by `idempotencyKeys.create()` are 64-character hashes and always fit; this limit only matters if you pass a long raw string. Requests above the limit return `400`.
+</Note>
+
 You can pass the `idempotencyKey` when calling `batchTrigger` as well:
 
 ```ts
diff --git a/docs/images/priv-connections-allow-principal.png b/docs/images/priv-connections-allow-principal.png
new file mode 100644
index 00000000000..c088f460137
Binary files /dev/null and b/docs/images/priv-connections-allow-principal.png differ
diff --git a/docs/images/priv-connections-copy-endpoint-name.png b/docs/images/priv-connections-copy-endpoint-name.png
new file mode 100644
index 00000000000..9bca21e1e82
Binary files /dev/null and b/docs/images/priv-connections-copy-endpoint-name.png differ
diff --git a/docs/images/priv-connections-create-endpoint-service.png b/docs/images/priv-connections-create-endpoint-service.png
new file mode 100644
index 00000000000..e01f9a5b16f
Binary files /dev/null and b/docs/images/priv-connections-create-endpoint-service.png differ
diff --git a/docs/images/priv-connections-network-load-balancer-add-target-group.png b/docs/images/priv-connections-network-load-balancer-add-target-group.png
new file mode 100644
index 00000000000..5d02b487fb9
Binary files /dev/null and b/docs/images/priv-connections-network-load-balancer-add-target-group.png differ
diff --git a/docs/images/priv-connections-network-load-balancer-basic.png b/docs/images/priv-connections-network-load-balancer-basic.png
new file mode 100644
index 00000000000..23a499a2a58
Binary files /dev/null and b/docs/images/priv-connections-network-load-balancer-basic.png differ
diff --git a/docs/images/priv-connections-network-load-balancer-vpc-az.png b/docs/images/priv-connections-network-load-balancer-vpc-az.png
new file mode 100644
index 00000000000..f3164aa9333
Binary files /dev/null and b/docs/images/priv-connections-network-load-balancer-vpc-az.png differ
diff --git a/docs/images/priv-connections-nlb-disable-inbound-rules-options.png b/docs/images/priv-connections-nlb-disable-inbound-rules-options.png
new file mode 100644
index 00000000000..91fced5213a
Binary files /dev/null and b/docs/images/priv-connections-nlb-disable-inbound-rules-options.png differ
diff --git a/docs/images/priv-connections-target-group-first-step.png b/docs/images/priv-connections-target-group-first-step.png
new file mode 100644
index 00000000000..c884e4a0e55
Binary files /dev/null and b/docs/images/priv-connections-target-group-first-step.png differ
diff --git a/docs/images/priv-connections-target-group-register-listeners.png b/docs/images/priv-connections-target-group-register-listeners.png
new file mode 100644
index 00000000000..73e23097d73
Binary files /dev/null and b/docs/images/priv-connections-target-group-register-listeners.png differ
diff --git a/docs/management/authentication.mdx b/docs/management/authentication.mdx
index e7d36663423..1a32f3bc01c 100644
--- a/docs/management/authentication.mdx
+++ b/docs/management/authentication.mdx
@@ -158,3 +158,31 @@ await envvars.update("proj_1234", "preview", "DATABASE_URL", {
   value: "your_preview_database_url",
 });
 ```
+
+### Scoped authentication with `auth.withAuth`
+
+`auth.withAuth` runs a callback with a temporary API client configuration, then restores the previous configuration when the callback resolves or rejects. It's useful when a single process needs to make calls across multiple Trigger.dev projects or environments without mutating the global config manually.
+
+```ts
+import { auth, runs } from "@trigger.dev/sdk";
+
+const projectBRuns = await auth.withAuth(
+  { accessToken: process.env.TRIGGER_SECRET_KEY_PROJECT_B },
+  async () => {
+    return runs.list({ limit: 10 });
+  },
+);
+```
+
+Any SDK call inside the callback uses the overridden token. Calls outside the callback continue to use whatever was set by `configure` (or picked up from `TRIGGER_SECRET_KEY`).
+
+<Warning>
+  Avoid `auth.withAuth` as a per-request authentication strategy on long-running servers. Use it
+  only for sequential, non-overlapping scopes.
+</Warning>
+
+#### How scoping actually works
+
+Despite looking block-scoped, `auth.withAuth` stores the overridden configuration in a process-wide global (not [AsyncLocalStorage](https://nodejs.org/api/async_context.html)). It saves the previous config, installs the new one globally, runs the callback, and restores the previous config in a `finally`. This means sequential, non-overlapping usage is safe, but concurrent usage is not — if two `auth.withAuth` calls overlap (for example inside `Promise.all` with different tokens, or across concurrent request handlers on a long-running server) both will share whichever configuration was installed most recently, and SDK calls in one scope can silently use the other scope's token.
+
+A fix using async context isolation is tracked in [issue #3298](https://github.com/triggerdotdev/trigger.dev/issues/3298).
diff --git a/docs/mcp-tools.mdx b/docs/mcp-tools.mdx
index 037d7e887ef..9a920274fba 100644
--- a/docs/mcp-tools.mdx
+++ b/docs/mcp-tools.mdx
@@ -218,3 +218,56 @@ Check the status of the dev server and view recent output. Shows whether it is s
 <Callout type="warning">
   The deploy and list_preview_branches tools are not available when the MCP server is running with the `--dev-only` flag. The `--readonly` flag hides deploy, trigger_task, and cancel_run.
 </Callout>
+
+## Agent Chat Tools
+
+These tools let you have conversations with [chat agents](/ai-chat/overview) directly from your AI coding tool. See the [Agent MCP guide](/ai-chat/mcp) for a walkthrough.
+
+### list_agents
+
+List all chat agents registered in the current worker. Agents are tasks created with `chat.agent()` or `chat.customAgent()`.
+
+**Example usage:**
+- `"What agents are available?"`
+- `"List my chat agents"`
+
+### start_agent_chat
+
+Start a conversation with a chat agent. Returns a chat ID for use with `send_agent_message`. Optionally preloads the agent so it initializes before the first message.
+
+**Parameters:**
+- `agentId` (required) — The agent task slug (e.g., `"support-agent"`)
+- `chatId` (optional) — A custom conversation ID. Auto-generated if omitted
+- `clientData` (optional) — Client data to include with every message (e.g., `{ userId: "user_123" }`). Must match the agent's `clientDataSchema` if one is defined
+- `preload` (optional, default: `true`) — Whether to preload the agent before the first message
+
+**Example usage:**
+- `"Start a chat with the support agent"`
+- `"Talk to the pr-review agent with userId abc"`
+
+### send_agent_message
+
+Send a message to an active agent chat and get the full response back. The agent remembers full context from previous messages in the same chat.
+
+**Parameters:**
+- `chatId` (required) — The chat ID from `start_agent_chat`
+- `message` (required) — The message text to send
+
+**Example usage:**
+- `"Tell the agent to review the latest PR"`
+- `"Ask it what tools it has available"`
+
+### close_agent_chat
+
+Close an agent chat conversation. The agent exits its loop gracefully. Without this, the agent will close on its own when its idle timeout expires.
+
+**Parameters:**
+- `chatId` (required) — The chat ID to close
+
+**Example usage:**
+- `"Close the chat"`
+- `"End the conversation"`
+
+<Callout type="warning">
+  The `start_agent_chat`, `send_agent_message`, and `close_agent_chat` tools are write operations and are not available in readonly mode.
+</Callout>
diff --git a/docs/migrating-from-v3.mdx b/docs/migrating-from-v3.mdx
index 5530d66b62d..c820b25a1de 100644
--- a/docs/migrating-from-v3.mdx
+++ b/docs/migrating-from-v3.mdx
@@ -34,7 +34,7 @@ We're retiring Trigger.dev v3. **New v3 deploys will stop working from 1 April 2
 | [Hidden tasks](/hidden-tasks)                                        | Create tasks that are not exported from your trigger files but can still be executed.                                                                                                                      |
 | [Middleware & locals](#middleware-and-locals)                        | The middleware system runs at the top level, executing before and after all lifecycle hooks. The locals API allows sharing data between middleware and hooks.                                              |
 | [useWaitToken](/realtime/react-hooks/use-wait-token)                 | Use the useWaitToken hook to complete a wait token from a React component.                                                                                                                                 |
-| [ai.tool](/tasks/schemaTask#ai-tool)                                 | Create an AI tool from an existing `schemaTask` to use with the Vercel [AI SDK](https://vercel.com/docs/ai-sdk).                                                                                           |
+| [Task-backed AI tools](/tasks/schemaTask#task-backed-ai-tools)       | Use `schemaTask` with AI SDK `tool()` and `ai.toolExecute()` (legacy `ai.tool` is deprecated).                                                                                                              |
 
 ## Node.js support
 
@@ -165,7 +165,7 @@ export const myAiTask = schemaTask({
 });
 ```
 
-We've replaced the `toolTask` function with the `ai.tool` function, which creates an AI tool from an existing `schemaTask`. See the [ai.tool](/tasks/schemaTask#ai-tool) page for more details.
+We've replaced the `toolTask` function with `schemaTask` plus AI SDK `tool()` and `ai.toolExecute()` (the older `ai.tool()` wrapper is deprecated). See [Task-backed AI tools](/tasks/schemaTask#task-backed-ai-tools).
 
 ## Breaking changes
 
diff --git a/docs/private-networking/aws-console-setup.mdx b/docs/private-networking/aws-console-setup.mdx
new file mode 100644
index 00000000000..91fbc3d5a70
--- /dev/null
+++ b/docs/private-networking/aws-console-setup.mdx
@@ -0,0 +1,304 @@
+---
+title: "Setting up PrivateLink in the AWS Console"
+sidebarTitle: "AWS Console setup"
+description: "Step-by-step guide for exposing a resource from your AWS account to Trigger.dev via PrivateLink."
+---
+
+This guide walks through setting up the AWS side of a private connection: a Network Load Balancer (NLB), a target group pointing at the resource you want to expose, and a VPC Endpoint Service that authorizes Trigger.dev to consume it.
+
+<Info>
+  Prefer Terraform? Open the "Add connection" page in the Trigger.dev dashboard and use the
+  Terraform wizard to generate a ready-to-apply script. The wizard creates everything described
+  below and pre-fills our AWS account ID for you.
+</Info>
+
+## Prerequisites
+
+Before you start you'll need:
+
+- An **AWS account** with permission to create VPC, EC2, and ELB resources
+- A **resource** in a VPC subnet that you want to expose (RDS instance, ElastiCache cluster, internal API, etc.)
+- The **Trigger.dev AWS account ID** — find this on the "Add connection" page in your Trigger.dev dashboard, in the "I have my details" or "Step-by-step guide" cards
+- A **VPC** that contains the resource, with at least one private subnet per Availability Zone you want to serve from
+
+<Note>
+  PrivateLink connections are zonal. If your resource lives in a single AZ, your connection will
+  only be available from that AZ. For higher availability, ensure target groups can route to
+  multiple AZs.
+</Note>
+
+## Step 1: Create a target group pointing at your resource
+
+The target group is how the NLB will know where to forward traffic. AWS requires a target group when creating a load balancer, so we'll set this up first.
+
+<Steps>
+  <Step title="Open the target groups page">
+    Go to **EC2 → Target Groups → Create target group**.
+  </Step>
+  <Step title="Choose a target type">
+    - **IP addresses** for RDS, ElastiCache, or any resource you can reach by IP
+    - **Instances** for EC2 instances you own
+    - **Application Load Balancer** if your resource sits behind an ALB
+
+    For most database use cases, **IP addresses** is correct. NLBs don't support Lambda targets
+    directly — if you need to expose a Lambda, put it behind an ALB and use the ALB target type.
+
+  </Step>
+  <Step title="Configure the target group (first step of the AWS form)">
+    On the **Specify group details** page (the first of two steps in AWS's target-group form), set:
+
+    - **Name**: e.g. `trigger-postgres-tg`
+    - **Protocol**: TCP
+    - **Port**: the port your resource listens on (5432 for Postgres, 6379 for Redis, 3306 for MySQL, etc.)
+    - **VPC**: the VPC where your resource lives (this must match the VPC you'll use for the NLB)
+    - **Health check protocol**: TCP
+
+    Click **Next** to move to the second step (registering targets).
+
+    ![Target group first step — basic configuration](/images/priv-connections-target-group-first-step.png)
+
+  </Step>
+  <Step title="Register your targets (second step of the AWS form)">
+    On the **Register targets** page — the second step of the IP target-group flow — paste the
+    private IPs of your resource and set the port to the same value you picked above. Click
+    **Include as pending below**, then **Create target group**.
+
+    ![Register targets in the target group](/images/priv-connections-target-group-register-listeners.png)
+
+    <Expandable title="How to find the IP for an ElastiCache or RDS instance (no bastion needed)">
+      Both ElastiCache and RDS expose a DNS endpoint, not an IP, on their console pages. Find the
+      private IP behind the endpoint via the EC2 console:
+
+      1. Open **EC2 → Network & Security → Network Interfaces**.
+      2. In the search bar, filter by **Description** with `ElastiCache` (or `RDSNetworkInterface`
+         for RDS). Optionally narrow further by **VPC ID** if you have several clusters.
+      3. Read the **Primary private IPv4 address** column — that's the IP to register here. For
+         multi-node clusters or read replicas, each node has its own ENI and IP.
+
+      You can also reach the same list from **VPC → Subnets → \<your-subnet\> → Network
+      Interfaces tab**, which scopes the list to a single subnet.
+    </Expandable>
+
+    <Warning>
+      RDS and ElastiCache endpoints' IP addresses can change after failover or maintenance. For long-lived
+      connections, consider running a small Lambda or sidecar that periodically resolves the DNS name and
+      updates the target group, or use a [DNS-resolved](https://aws.amazon.com/blogs/networking-and-content-delivery/hostname-as-target-for-network-load-balancers/)
+      target if your setup supports it.
+    </Warning>
+
+  </Step>
+</Steps>
+
+## Step 2: Create an internal Network Load Balancer
+
+The NLB is what PrivateLink exposes to Trigger.dev. It must be **internal** (not internet-facing).
+
+<Steps>
+  <Step title="Open the EC2 console">
+    Go to **EC2 → Load Balancers → Create load balancer** and choose **Network Load Balancer**.
+  </Step>
+  <Step title="Configure the basics">
+    - **Name**: something descriptive, e.g. `trigger-postgres-nlb`
+    - **Scheme**: **Internal**
+    - **IP address type**: IPv4
+
+    ![Network Load Balancer basic configuration](/images/priv-connections-network-load-balancer-basic.png)
+
+  </Step>
+  <Step title="Choose VPC and subnets">
+    Pick the same VPC as your target group. Select one private subnet per AZ that should serve traffic.
+    Each subnet you select adds an availability zone to the endpoint.
+
+    ![Network Load Balancer VPC and Availability Zones](/images/priv-connections-network-load-balancer-vpc-az.png)
+
+  </Step>
+  <Step title="Add a TCP listener forwarding to your target group">
+    Under **Listeners and routing**, configure:
+
+    - **Protocol**: TCP
+    - **Port**: same as your target group port (5432 for Postgres, 6379 for Redis, etc.)
+    - **Default action**: forward to the target group you created in Step 1
+
+    ![Add the target group to the NLB listener](/images/priv-connections-network-load-balancer-add-target-group.png)
+
+  </Step>
+  <Step title="Create the load balancer and wait until it's Active">
+    Click **Create load balancer**. Provisioning takes 1–2 minutes — wait until the NLB's **State**
+    column shows **Active** before moving on. The endpoint service in the next step won't list the
+    NLB until it's fully active.
+  </Step>
+  <Step title="Disable PrivateLink inbound rules enforcement on the NLB">
+    Once the NLB is **Active**, open it and go to its **Security** tab, then click **Edit**. If a
+    security group is attached, AWS enables **Enforce inbound rules on PrivateLink traffic** by
+    default — leaving it on can cause traffic from the Trigger.dev VPC Endpoint to be silently
+    dropped before reaching your listener. Uncheck **Enforce inbound rules on PrivateLink traffic**
+    and save.
+
+    ![Uncheck Enforce inbound rules on PrivateLink traffic on the NLB](/images/priv-connections-nlb-disable-inbound-rules-options.png)
+
+  </Step>
+</Steps>
+
+<Tip>
+  Test connectivity from a bastion host or another instance in the same VPC before continuing —
+  e.g. `psql -h <nlb-dns-name> -p 5432 -U user -d db`. If the NLB can't reach your resource, the
+  PrivateLink connection won't either.
+</Tip>
+
+## Step 3: Create a VPC Endpoint Service
+
+This is the resource that PrivateLink consumers connect to.
+
+<Note>
+  Confirm the NLB from Step 2 is in the **Active** state before starting this step. It won't appear
+  in the **Available load balancers** dropdown until it has finished provisioning.
+</Note>
+
+<Steps>
+  <Step title="Open the VPC console">
+    Go to **VPC → Endpoint services → Create endpoint service**.
+  </Step>
+  <Step title="Configure the endpoint service">
+    - **Name**: optional, but useful for identification, e.g. `trigger-postgres-endpoint`
+    - **Load balancer type**: Network
+    - **Available load balancers**: select the NLB you created
+    - **Require acceptance for endpoint**: **No** (recommended)
+
+    ![Create VPC Endpoint Service form](/images/priv-connections-create-endpoint-service.png)
+
+    <Note>
+      If you set "Require acceptance" to **Yes**, every connection request from Trigger.dev will
+      sit in a pending state until you manually approve it. Setting it to **No** lets connections
+      come up automatically once the principal is allow-listed.
+    </Note>
+
+  </Step>
+  <Step title="Skip private DNS">
+    Leave the "Private DNS name" option disabled. Trigger.dev tasks dial the endpoint by its
+    private IP, so private DNS isn't needed.
+  </Step>
+  <Step title="Configure cross-region access (optional)">
+    If your Trigger.dev tasks run in a **different AWS region** from your endpoint service, expand
+    the **Supported Regions** section and add the region(s) where Trigger.dev should be allowed to
+    create the VPC Endpoint from (for example, add `eu-central-1` if your service is in
+    `us-east-1` but tasks run in `eu-central-1`).
+
+    If your tasks and resource are in the same region, you can skip this — same-region access is
+    enabled by default.
+
+    <Note>
+      Cross-region PrivateLink adds AWS data-transfer cost and ~10–30ms of latency depending on the
+      region pair. Prefer same-region when possible.
+    </Note>
+
+  </Step>
+  <Step title="Create the endpoint service">
+    Click **Create**. The service is created immediately — you'll come back to copy its **Service
+    name** once you've authorized Trigger.dev in the next step.
+  </Step>
+</Steps>
+
+## Step 4: Authorize the Trigger.dev AWS account
+
+By default, no one can connect to your endpoint service. You need to explicitly allow Trigger.dev's AWS account.
+
+<Steps>
+  <Step title="Open your endpoint service">
+    Go to **VPC → Endpoint services**, select the service you just created.
+  </Step>
+  <Step title="Open the Allow principals tab">
+    Click the **Allow principals** tab, then **Allow principals**.
+  </Step>
+  <Step title="Add Trigger.dev's account">
+    Paste the principal ARN in this format, replacing `<account-id>` with the Trigger.dev AWS
+    account ID shown in your dashboard:
+
+    ```text
+    arn:aws:iam::<account-id>:root
+    ```
+
+    ![Allow principal dialog](/images/priv-connections-allow-principal.png)
+
+    <Warning>
+      You will find the correct AWS account ID in the **Add connection** page of the Trigger.dev
+      dashboard. Do not assume an account ID — it differs between Trigger.dev environments.
+    </Warning>
+
+  </Step>
+  <Step title="Click Allow principals">
+    The principal is now authorized to create a VPC Endpoint targeting your service.
+  </Step>
+  <Step title="Copy the endpoint service name">
+    On the endpoint service detail page, copy the **Service name** value — it looks like
+    `com.amazonaws.vpce.us-east-1.vpce-svc-0123abcd...`. You'll paste this into the Trigger.dev
+    dashboard in the next step.
+
+    ![Copy the endpoint service name](/images/priv-connections-copy-endpoint-name.png)
+
+  </Step>
+</Steps>
+
+## Step 5: Add the connection in Trigger.dev
+
+<Steps>
+  <Step title="Open the dashboard">
+    In Trigger.dev, go to **Organization Settings → Private Connections** and click **Add
+    connection**.
+  </Step>
+  <Step title="Pick the I have my details card">
+    Then fill in:
+
+    - **Friendly name**: a short, human-readable label for this connection.
+    - **VPC Endpoint Service name**: paste the `com.amazonaws.vpce.<region>.vpce-svc-...` value from Step 4.
+    - **Target region**: the AWS region your endpoint service lives in.
+
+  </Step>
+  <Step title="Submit">
+    Submit the form. The connection's status moves through **Pending → Provisioning → Active**.
+    Provisioning typically takes 30–90 seconds.
+  </Step>
+  <Step title="Verify">
+    Once **Active**, the dashboard shows the assigned private IP. Plug it into the
+    connection-string environment variable your task already uses (for example, `DATABASE_URL` set
+    on the **Environment Variables** page) and your tasks will reach the resource over
+    PrivateLink.
+  </Step>
+</Steps>
+
+## Troubleshooting
+
+See the dedicated [Troubleshooting](/private-networking/troubleshooting) page for common problems
+such as the "Private link not found" wizard error. A few quick checks specific to this setup flow:
+
+<Expandable title="Status stays at Pending or Provisioning for several minutes">
+  - Confirm Trigger.dev's AWS account ID is in your endpoint service's **Allow principals** list.
+  - Confirm the endpoint service is **Available** in the AWS console.
+  - Confirm "Require acceptance" is set to **No** on the endpoint service. If it's set to **Yes**,
+    the request is sitting in your pending queue and you must approve it manually.
+</Expandable>
+
+<Expandable title="Status is Active but my task can't connect">
+  - Confirm the NLB has a target registered and the target's health check is passing.
+  - Confirm the listener port matches the port your task code is dialing.
+  - Confirm the security group on your resource allows inbound traffic from the NLB or the VPC's
+    private IP range.
+  - If the NLB itself has a security group attached, turn off **Enforce inbound rules on
+    PrivateLink traffic** on the load balancer. See [the troubleshooting
+    page](/private-networking/troubleshooting#connection-is-active-but-the-assigned-ip-is-not-reachable-from-tasks)
+    for details.
+  - Try connecting from inside the VPC first (e.g., a bastion host) to rule out resource-side
+    issues.
+</Expandable>
+
+<Expandable title="Connection works but is slow">
+  - Cross-region connections add ~10–30ms RTT depending on the regions involved. If your tasks run
+    in a different region than your resource, expect higher latency.
+  - The NLB and target group's health checks influence connection setup time. Tighter health check
+    intervals reduce failover time after a backend goes unhealthy.
+</Expandable>
+
+<Expandable title="I want to remove a connection">
+  Delete the connection from **Organization Settings → Private Connections** in the Trigger.dev
+  dashboard. We'll tear down our VPC Endpoint and remove the network policy automatically. You can
+  then delete your VPC Endpoint Service, NLB, and target group on the AWS side.
+</Expandable>
diff --git a/docs/private-networking/overview.mdx b/docs/private-networking/overview.mdx
new file mode 100644
index 00000000000..8c54828b71b
--- /dev/null
+++ b/docs/private-networking/overview.mdx
@@ -0,0 +1,144 @@
+---
+title: "Private networking"
+sidebarTitle: "Overview"
+description: "Connect your tasks to private resources in your AWS account using AWS PrivateLink."
+---
+
+Private networking lets your Trigger.dev tasks reach databases, caches, and internal APIs that live inside your own AWS VPC, without exposing them to the public internet. Connectivity is established over [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html), so traffic stays on the AWS backbone.
+
+<Info>
+  Private networking is a Pro and Enterprise feature. If you'd like access, [get in touch](/community).
+</Info>
+
+## What is AWS PrivateLink
+
+AWS PrivateLink is a managed service that creates a private, one-way connection between two AWS accounts without using the public internet, NAT gateways, internet gateways, or VPN tunnels.
+
+It works by pairing two resources:
+
+- A **VPC Endpoint Service** in the account that owns the resource (yours). This is fronted by a Network Load Balancer (NLB) and exposes whatever ports you choose.
+- A **VPC Endpoint** in the account that wants to consume the resource (Trigger.dev's). The endpoint is an Elastic Network Interface (ENI) inside our VPC with a private IP that your task pods can dial directly.
+
+The connection is unidirectional: only the endpoint side can initiate connections. Your VPC cannot reach into ours.
+
+## What you can use it for
+
+Any TCP service running inside your VPC. Common use cases include:
+
+- **Databases**: PostgreSQL (RDS, Aurora), MySQL, MongoDB, ClickHouse, Redshift
+- **Caches**: ElastiCache Redis, Memcached
+- **Internal APIs**: services on EKS, ECS, EC2, or Lambda exposed through an internal NLB
+- **Message brokers**: self-hosted Kafka, RabbitMQ, NATS
+- **Vector databases and ML services** running in private subnets
+
+If your resource is reachable from a Network Load Balancer in the same VPC, it can be exposed to Trigger.dev via PrivateLink.
+
+## How it works with Trigger.dev
+
+When you add a private connection in the dashboard, the following happens:
+
+<Steps>
+  <Step title="You expose your resource">
+    You create an internal NLB in front of your resource and a VPC Endpoint Service that points to it. You add Trigger.dev's AWS account as an allowed principal so we're permitted to connect.
+  </Step>
+  <Step title="We provision a VPC Endpoint">
+    Once you submit the endpoint service name in the Trigger.dev dashboard, we provision a VPC Endpoint in our AWS account in the region you chose. The endpoint creates an ENI with a private IP that we wire up to reach your service.
+  </Step>
+  <Step title="Your tasks can reach the endpoint">
+    Once the connection is **Active**, the dashboard shows the assigned IP. Pods running your tasks are network-authorized to connect to it.
+  </Step>
+</Steps>
+
+### Connecting from your task code
+
+When the connection becomes **Active**, the dashboard shows the assigned endpoint IP. Plug it into the connection-string environment variable your task already reads (for example, `DATABASE_URL` set on the **Environment Variables** page):
+
+<Note>
+  A private connection is scoped to your **organization**, not to a single environment. The same
+  assigned IP works from any deployed environment your tasks run in — Preview branches, Staging,
+  and Production — so you can set the connection-string env var per environment and point them
+  all at the same private resource. (Local **Development** runs on your own machine, so it can't
+  reach the endpoint IP — use a regular public connection there.)
+</Note>
+
+
+```typescript
+import { task } from "@trigger.dev/sdk";
+import { Client } from "pg";
+
+export const queryDatabase = task({
+  id: "query-database",
+  run: async () => {
+    // DATABASE_URL is set in the Trigger.dev dashboard to the connection's
+    // assigned IP shown in Private Connections.
+    const client = new Client({
+      connectionString: process.env.DATABASE_URL,
+    });
+
+    await client.connect();
+    const result = await client.query("SELECT NOW()");
+    await client.end();
+
+    return result.rows;
+  },
+});
+```
+
+## Isolation between organizations
+
+Private networking is set up so that each organization's connections are completely isolated from every other organization. Three layers enforce that:
+
+### 1. Dedicated AWS account
+
+Customer VPC Endpoints are provisioned in a **dedicated AWS account** that is separate from the account that runs Trigger.dev's task workers. The dedicated account does nothing else — it only hosts customer endpoints. This limits the blast radius of any misconfiguration: even a misbehaving endpoint cannot reach worker infrastructure beyond the routes we explicitly define.
+
+### 2. Per-organization network policy
+
+Inside the Kubernetes cluster that runs your tasks, the default network policy denies all traffic to private IP ranges. When your organization creates a connection, we generate a [CiliumNetworkPolicy](https://docs.cilium.io/en/stable/network/kubernetes/policy/) that:
+
+- Targets **only pods labeled with your organization's ID**
+- Allows egress **only to the specific endpoint IPs we provisioned for you**
+
+A pod from another organization has neither the matching label nor a matching policy — its connection attempts to your endpoint IPs are dropped at the network layer before they ever reach an ENI.
+
+### 3. AWS-level authorization
+
+PrivateLink itself enforces a second layer of authorization. Your VPC Endpoint Service has an explicit list of `allowed_principals` — only AWS accounts you list can even establish a connection. Trigger.dev provides each org with the same Trigger.dev AWS account ID, but the AWS account ID alone is useless without the matching CiliumNetworkPolicy on our side. To reach your endpoint, traffic must:
+
+1. Originate from a pod labeled with your org ID (enforced by us)
+2. Match an egress rule with your endpoint's IPs (enforced by us)
+3. Hit a VPC Endpoint Service that has authorized our account (enforced by you)
+
+All three conditions must be true. No organization can route traffic to another organization's resources.
+
+<Warning>
+  AWS account IDs are not secrets, but the VPC Endpoint Service name is also not enough on its own —
+  you must explicitly add Trigger.dev's account to your endpoint service's allowed principals before
+  any connection works. We'll never see your service unless you authorize us.
+</Warning>
+
+## Limits
+
+- **Two connections per organization.** This is a soft limit — get in touch if you need more.
+- **All ports accepted.** Our security group allows all TCP ports from peered CIDRs. You control which ports are reachable through your NLB and target groups.
+- **Same-region or cross-region.** Connections work within the same region as your tasks or across regions (cross-region adds AWS-level cost and ~10-30ms latency).
+
+## Next steps
+
+<CardGroup>
+  <Card
+    title="Create a Private Link in the AWS Console"
+    icon="aws"
+    href="/private-networking/aws-console-setup"
+  >
+    Step-by-step instructions for creating the NLB, target group, and VPC Endpoint Service in your
+    AWS account.
+  </Card>
+  <Card
+    title="Troubleshooting"
+    icon="circle-question"
+    href="/private-networking/troubleshooting"
+  >
+    Common problems when setting up a private connection and how to resolve them.
+  </Card>
+</CardGroup>
diff --git a/docs/private-networking/troubleshooting.mdx b/docs/private-networking/troubleshooting.mdx
new file mode 100644
index 00000000000..62dd03c5f50
--- /dev/null
+++ b/docs/private-networking/troubleshooting.mdx
@@ -0,0 +1,78 @@
+---
+title: "Troubleshooting private networking"
+sidebarTitle: "Troubleshooting"
+description: "Common problems when setting up an AWS PrivateLink connection to Trigger.dev, and how to resolve them."
+---
+
+This page collects common issues when adding a private connection. If your problem isn't listed here, [get in touch](/community).
+
+## "Private link not found" in the setup wizard
+
+If the setup wizard errors out with **Private link not found** when you submit the VPC Endpoint Service name, it almost always means your endpoint service has not been shared with Trigger.dev's AWS account.
+
+Trigger.dev cannot provision a VPC Endpoint until your endpoint service explicitly authorizes our AWS account as a consumer. Until that happens, the service name is invisible to us — even though the name itself is correct.
+
+### How to fix it
+
+<Steps>
+  <Step title="Open your endpoint service in the AWS console">
+    Go to **VPC → Endpoint services** in the AWS region where you created the service, and select
+    your service.
+  </Step>
+  <Step title="Open the Allow principals tab">
+    Click the **Allow principals** tab and check whether Trigger.dev's AWS account is listed.
+  </Step>
+  <Step title="Add Trigger.dev's account if it's missing">
+    Click **Allow principals** and add an entry in this format, replacing `<account-id>` with the
+    Trigger.dev AWS account ID shown on the **Add connection** page in your dashboard:
+
+    ```text
+    arn:aws:iam::<account-id>:root
+    ```
+
+    <Warning>
+      Always copy the account ID from your Trigger.dev dashboard. The correct value differs between
+      environments — don't reuse an ID from another source.
+    </Warning>
+
+  </Step>
+  <Step title="Retry in the Trigger.dev dashboard">
+    Once the principal is allow-listed, return to the **Add connection** page in Trigger.dev and
+    submit the form again. The wizard should now find your endpoint service and start provisioning.
+  </Step>
+</Steps>
+
+For full setup instructions including this step, see [Setting up PrivateLink in the AWS Console](/private-networking/aws-console-setup).
+
+## Connection is Active but the assigned IP is not reachable from tasks
+
+If your private connection shows **Active** in the Trigger.dev dashboard and the NLB target group reports healthy targets, but tasks still cannot reach the assigned IP, the most common cause is that your Network Load Balancer is enforcing security group rules on PrivateLink traffic.
+
+When a security group is attached to an NLB, AWS exposes a separate setting called **Enforce inbound rules on PrivateLink traffic**. When this is **on**, the NLB applies its security group's inbound rules to traffic arriving from VPC endpoints — and the source IP it evaluates is the **private IP of the consumer's VPC endpoint network interface**, not an IP in your own VPC. Because that IP belongs to Trigger.dev's VPC and isn't known ahead of time, the SG rule almost never matches, and traffic is silently dropped at the NLB.
+
+### How to fix it
+
+<Steps>
+  <Step title="Open your Network Load Balancer in the AWS console">
+    Go to **EC2 → Load balancers** in the region where your NLB lives and select the load balancer
+    backing your endpoint service.
+  </Step>
+  <Step title="Edit the security group settings">
+    On the **Security** tab, click **Edit**.
+  </Step>
+  <Step title="Turn off PrivateLink enforcement">
+    Uncheck **Enforce inbound rules on PrivateLink traffic** and save.
+
+    <Note>
+      This only changes how the NLB itself filters traffic. Authorization is still enforced by the
+      endpoint service's **Allow principals** list, so only AWS accounts you've explicitly
+      allow-listed can connect.
+    </Note>
+
+  </Step>
+  <Step title="Retry from your task">
+    Re-run a task that dials the assigned private IP. The connection should now succeed.
+  </Step>
+</Steps>
+
+If you need to keep the enforcement on for compliance reasons, the alternative is to widen your NLB's security group inbound rule to `0.0.0.0/0` on the listener port. Allow-listing the consumer endpoint's CIDR is not practical because it lives in Trigger.dev's VPC and may change.
diff --git a/docs/realtime/backend/input-streams.mdx b/docs/realtime/backend/input-streams.mdx
index 1224e24244e..65e3bb494b7 100644
--- a/docs/realtime/backend/input-streams.mdx
+++ b/docs/realtime/backend/input-streams.mdx
@@ -11,6 +11,10 @@ The Input Streams API allows you to send data into running Trigger.dev tasks fro
   Streams](/tasks/streams#input-streams) in the Streams doc.
 </Note>
 
+<Tip>
+  Input streams are keyed by `runId` — they're correct for sending data to a specific live run. If you need a bidirectional channel that survives run boundaries (e.g. a chat that resumes tomorrow, an agent coordinated across many runs), look at [`chat.agent`](/ai-chat/overview): it's built on a durable Session row that owns its runs and exposes the same consumer-side API (`on` / `once` / `wait` / `waitWithIdleTimeout`) on its `.in` channel.
+</Tip>
+
 ## Sending data to a running task
 
 ### Using defined input streams (Recommended)
diff --git a/docs/realtime/backend/streams.mdx b/docs/realtime/backend/streams.mdx
index 8a273ea5a9f..b644e5dab10 100644
--- a/docs/realtime/backend/streams.mdx
+++ b/docs/realtime/backend/streams.mdx
@@ -10,6 +10,10 @@ description: "Read AI/LLM output, file chunks, and other streaming data from you
   To emit streams from your tasks, see [Streaming data from tasks](/tasks/streams). For React components, see [Streaming in React](/realtime/react-hooks/streams).
 </Note>
 
+<Tip>
+  Run-scoped streams are the right primitive for ephemeral I/O that lives inside a single run's lifetime. For durable, long-lived channels that outlive a run, see [`chat.agent`](/ai-chat/overview): it's built on a Session row that owns the chat's runs and exposes bidirectional `.in` / `.out` channels addressed by a durable id.
+</Tip>
+
 ## Reading streams
 
 ### Using defined streams (Recommended)
diff --git a/docs/replaying.mdx b/docs/replaying.mdx
index 0e348dcd58e..34e5aac7980 100644
--- a/docs/replaying.mdx
+++ b/docs/replaying.mdx
@@ -30,6 +30,21 @@ description: "A replay is a copy of a run with the same payload but against the
   </Tab>
 </Tabs>
 
+### Detecting replays in your task
+
+You can check if a run is a replay using the [context](/context) object:
+
+```ts
+export const myTask = task({
+  id: "my-task",
+  run: async (payload, { ctx }) => {
+    if (ctx.run.isReplay) {
+      // This run is a replay of a previous run
+    }
+  },
+});
+```
+
 ### Replaying using the SDK
 
 You can replay a run using the SDK:
diff --git a/docs/self-hosting/docker.mdx b/docs/self-hosting/docker.mdx
index df9ae246c2d..665d6fc5875 100644
--- a/docs/self-hosting/docker.mdx
+++ b/docs/self-hosting/docker.mdx
@@ -189,6 +189,7 @@ docker compose up -d
 To create additional worker groups beyond the bootstrap group, use the admin API endpoint. This requires admin privileges.
 
 **Making a user admin:**
+
 - **New users**: Set `ADMIN_EMAILS` environment variable (regex pattern) before user creation.
 - **Existing users**: Set `admin = true` in the `user` table in your database.
 
@@ -341,6 +342,18 @@ By default, the images will point at the latest versioned release via the `lates
 TRIGGER_IMAGE_TAG=v4.0.0
 ```
 
+## Task events
+
+By default, task events (timeline, logs, spans) are stored in PostgreSQL. For production deployments we recommend storing them in ClickHouse instead, it scales to much higher volumes and avoids unbounded growth of the `TaskEvent` table.
+
+To enable, set on the webapp in your `.env`:
+
+```bash
+EVENT_REPOSITORY_DEFAULT_STORE=clickhouse_v2
+```
+
+This only affects new runs; existing runs continue to read from wherever their events were originally stored.
+
 ## Troubleshooting
 
 - **Deployment fails at the push step.** The machine running `deploy` needs registry access. See the [registry setup](#registry-setup) section for more details.
@@ -359,7 +372,9 @@ TRIGGER_IMAGE_TAG=v4.0.0
 - **ClickHouse migrations say "no migrations to run" but schema is missing.** The goose migration tracker is out of sync. Exec into the webapp container, set the GOOSE env vars (from webapp startup logs), and run `goose reset && goose up`.
 
   <Warning>
-    **Data Loss Warning:** The `goose reset` command is destructive and will drop the entire schema. Make sure to backup your data and confirm you are running this in a non-production environment before executing this command.
+    **Data Loss Warning:** The `goose reset` command is destructive and will drop the entire schema.
+    Make sure to backup your data and confirm you are running this in a non-production environment
+    before executing this command.
   </Warning>
 
 ## CLI usage
diff --git a/docs/self-hosting/env/webapp.mdx b/docs/self-hosting/env/webapp.mdx
index 16a54e0f9b9..1240ee7f15e 100644
--- a/docs/self-hosting/env/webapp.mdx
+++ b/docs/self-hosting/env/webapp.mdx
@@ -36,6 +36,7 @@ mode: "wide"
 | `REDIS_TLS_DISABLED`                             | No       | —                     | Disable Redis TLS.                                                                                                 |
 | **Auth**                                         |          |                       |                                                                                                                    |
 | `WHITELISTED_EMAILS`                             | No       | —                     | Whitelisted emails regex.                                                                                          |
+| `LOGIN_RATE_LIMITS_ENABLED`                      | No       | true                  | Enable rate limiting on magic-link login.                                                                          |
 | `AUTH_GITHUB_CLIENT_ID`                          | No       | —                     | GitHub client ID.                                                                                                  |
 | `AUTH_GITHUB_CLIENT_SECRET`                      | No       | —                     | GitHub client secret.                                                                                              |
 | **Email**                                        |          |                       |                                                                                                                    |
@@ -59,6 +60,8 @@ mode: "wide"
 | **Concurrency limits**                           |          |                       |                                                                                                                    |
 | `DEFAULT_ENV_EXECUTION_CONCURRENCY_LIMIT`        | No       | 100                   | Default env execution concurrency.                                                                                 |
 | `DEFAULT_ORG_EXECUTION_CONCURRENCY_LIMIT`        | No       | 300                   | Default org execution concurrency, needs to be 3x env concurrency.                                                 |
+| `DEFAULT_ENV_EXECUTION_CONCURRENCY_BURST_FACTOR` | No       | 1.0                   | Burst factor for env concurrency.                                                                                  |
+| `DEFAULT_DEV_ENV_EXECUTION_ATTEMPTS`             | No       | 1                     | Default max attempts for dev environment runs.                                                                     |
 | **Dev**                                          |          |                       |                                                                                                                    |
 | `DEV_MAX_CONCURRENT_RUNS`                        | No       | 25                    | Sets the max concurrency for dev runs via the CLI.                                                                 |
 | `DEV_OTEL_EXPORTER_OTLP_ENDPOINT`                | No       | `APP_ORIGIN/otel`     | OTel endpoint for dev runs.                                                                                        |
@@ -76,20 +79,28 @@ mode: "wide"
 | `DEPLOY_REGISTRY_USERNAME`                       | No       | —                     | Deploy registry username.                                                                                          |
 | `DEPLOY_REGISTRY_PASSWORD`                       | No       | —                     | Deploy registry password.                                                                                          |
 | `DEPLOY_REGISTRY_NAMESPACE`                      | No       | trigger               | Deploy registry namespace.                                                                                         |
+| `DEPLOY_REGISTRY_ECR_DEFAULT_REPOSITORY_POLICY`  | No       | —                     | Raw IAM policy JSON applied via SetRepositoryPolicy to every ECR repo created by the webapp. Use to grant cross-account pull access to EKS workers when the ECR account is separate from the cluster account. |
 | `DEPLOY_IMAGE_PLATFORM`                          | No       | linux/amd64           | Deploy image platform, same values as docker `--platform` flag.                                                    |
 | `DEPLOY_TIMEOUT_MS`                              | No       | 480000 (8m)           | Deploy timeout (ms).                                                                                               |
+| `DEPLOY_QUEUE_TIMEOUT_MS`                        | No       | 900000 (15m)          | Deploy queue timeout (ms).                                                                                         |
 | **Object store (S3)**                            |          |                       |                                                                                                                    |
 | `OBJECT_STORE_BASE_URL`                          | No       | —                     | Object store base URL (default provider).                                                                          |
+| `OBJECT_STORE_BUCKET`                            | No       | —                     | Object store bucket name (default provider).                                                                       |
 | `OBJECT_STORE_ACCESS_KEY_ID`                     | No       | —                     | Object store access key (default provider).                                                                        |
 | `OBJECT_STORE_SECRET_ACCESS_KEY`                 | No       | —                     | Object store secret key (default provider).                                                                        |
 | `OBJECT_STORE_REGION`                            | No       | —                     | Object store region (default provider).                                                                            |
 | `OBJECT_STORE_SERVICE`                           | No       | s3                    | Object store service (default provider).                                                                           |
-| `OBJECT_STORE_DEFAULT_PROTOCOL`                  | No       | —                     | Protocol to use for new uploads (e.g., `s3`, `r2`). Enables protocol-prefixed storage. See migration guide below.  |
-| `OBJECT_STORE_{PROTOCOL}_BASE_URL`               | No       | —                     | Named provider base URL (replace `{PROTOCOL}` with protocol name, e.g., `OBJECT_STORE_S3_BASE_URL`).               |
+| `OBJECT_STORE_DEFAULT_PROTOCOL`                  | No       | —                     | Protocol for new uploads (e.g. `s3`, `r2`). Enables protocol-prefixed storage. See migration guide below.          |
+| `OBJECT_STORE_{PROTOCOL}_BASE_URL`               | No       | —                     | Named provider base URL (replace `{PROTOCOL}`, e.g. `OBJECT_STORE_S3_BASE_URL`).                                   |
 | `OBJECT_STORE_{PROTOCOL}_ACCESS_KEY_ID`          | No       | —                     | Named provider access key.                                                                                         |
 | `OBJECT_STORE_{PROTOCOL}_SECRET_ACCESS_KEY`      | No       | —                     | Named provider secret key.                                                                                         |
 | `OBJECT_STORE_{PROTOCOL}_REGION`                 | No       | —                     | Named provider region.                                                                                             |
 | `OBJECT_STORE_{PROTOCOL}_SERVICE`                | No       | —                     | Named provider service.                                                                                            |
+| `ARTIFACTS_OBJECT_STORE_BUCKET`                  | No       | —                     | Optional separate bucket for artifacts. If not set, uses main object store.                                        |
+| `ARTIFACTS_OBJECT_STORE_BASE_URL`                | No       | —                     | Optional artifacts store base URL.                                                                                 |
+| `ARTIFACTS_OBJECT_STORE_ACCESS_KEY_ID`           | No       | —                     | Optional artifacts store access key.                                                                               |
+| `ARTIFACTS_OBJECT_STORE_SECRET_ACCESS_KEY`       | No       | —                     | Optional artifacts store secret key.                                                                               |
+| `ARTIFACTS_OBJECT_STORE_REGION`                  | No       | —                     | Optional artifacts store region.                                                                                   |
 | **Alerts**                                       |          |                       |                                                                                                                    |
 | `ORG_SLACK_INTEGRATION_CLIENT_ID`                | No       | —                     | Slack client ID. Required for Slack alerts.                                                                        |
 | `ORG_SLACK_INTEGRATION_CLIENT_SECRET`            | No       | —                     | Slack client secret. Required for Slack alerts.                                                                    |
@@ -106,12 +117,14 @@ mode: "wide"
 | `TASK_PAYLOAD_OFFLOAD_THRESHOLD`                 | No       | 524288 (512KB)        | Max task payload size before offloading to S3.                                                                     |
 | `TASK_PAYLOAD_MAXIMUM_SIZE`                      | No       | 3145728 (3MB)         | Max task payload size.                                                                                             |
 | `BATCH_TASK_PAYLOAD_MAXIMUM_SIZE`                | No       | 1000000 (1MB)         | Max batch payload size.                                                                                            |
+| `BATCH_CONCURRENCY_LIMIT_DEFAULT`                | No       | 5                     | Default concurrency for batch processing.                                                                          |
+| `BATCH_RATE_LIMIT_REFILL_RATE`                   | No       | 100                   | Batch rate limit refill rate.                                                                                      |
+| `BATCH_RATE_LIMIT_MAX`                           | No       | 1200                  | Batch rate limit max.                                                                                              |
+| `BATCH_RATE_LIMIT_REFILL_INTERVAL`               | No       | 10s                   | Batch rate limit refill interval.                                                                                  |
 | `TASK_RUN_METADATA_MAXIMUM_SIZE`                 | No       | 262144 (256KB)        | Max metadata size.                                                                                                 |
 | `MAX_BATCH_V2_TRIGGER_ITEMS`                     | No       | 500                   | Max batch size (legacy v2 API).                                                                                    |
 | `STREAMING_BATCH_MAX_ITEMS`                      | No       | 1000                  | Max items in streaming batch (v3 API, requires SDK 4.3.1+).                                                        |
 | `STREAMING_BATCH_ITEM_MAXIMUM_SIZE`              | No       | 3145728 (3MB)         | Max size per item in streaming batch.                                                                              |
-| `MAXIMUM_DEV_QUEUE_SIZE`                         | No       | —                     | Max dev queue size.                                                                                                |
-| `MAXIMUM_DEPLOYED_QUEUE_SIZE`                    | No       | —                     | Max deployed queue size.                                                                                           |
 | **OTel limits**                                  |          |                       |                                                                                                                    |
 | `TRIGGER_OTEL_SPAN_ATTRIBUTE_COUNT_LIMIT`        | No       | 1024                  | OTel span attribute count limit.                                                                                   |
 | `TRIGGER_OTEL_LOG_ATTRIBUTE_COUNT_LIMIT`         | No       | 1024                  | OTel log attribute count limit.                                                                                    |
@@ -122,7 +135,10 @@ mode: "wide"
 | `TRIGGER_OTEL_ATTRIBUTE_PER_LINK_COUNT_LIMIT`    | No       | 10                    | OTel attribute per link count limit.                                                                               |
 | `TRIGGER_OTEL_ATTRIBUTE_PER_EVENT_COUNT_LIMIT`   | No       | 10                    | OTel attribute per event count limit.                                                                              |
 | `SERVER_OTEL_SPAN_ATTRIBUTE_VALUE_LENGTH_LIMIT`  | No       | 8192                  | OTel span attribute value length limit.                                                                            |
+| **Task events**                                  |          |                       |                                                                                                                    |
+| `EVENT_REPOSITORY_DEFAULT_STORE`                 | No       | postgres              | Where to store task events. Set to `clickhouse_v2` to store in ClickHouse (recommended for production).            |
 | **Realtime**                                     |          |                       |                                                                                                                    |
+| `REALTIME_STREAM_VERSION`                        | No       | v1                    | Realtime stream protocol version. One of `v1`, `v2`.                                                               |
 | `REALTIME_STREAM_MAX_LENGTH`                     | No       | 1000                  | Realtime stream max length.                                                                                        |
 | `REALTIME_STREAM_TTL`                            | No       | 86400 (1d)            | Realtime stream TTL (s).                                                                                           |
 | **Bootstrap**                                    |          |                       |                                                                                                                    |
@@ -146,6 +162,8 @@ mode: "wide"
 | `MAXIMUM_DEV_QUEUE_SIZE`                         | No       | —                     | Maximum queued runs per queue in development environments.                                                         |
 | `MAXIMUM_DEPLOYED_QUEUE_SIZE`                    | No       | —                     | Maximum queued runs per queue in deployed (staging/prod) environments.                                             |
 | **Misc**                                         |          |                       |                                                                                                                    |
+| `PROVIDER_SECRET`                                | No       | provider-secret       | Secret for provider auth. **Must be set to a secure value in self-hosted/production**; the default is insecure.    |
+| `COORDINATOR_SECRET`                             | No       | coordinator-secret    | Secret for coordinator auth. **Must be set to a secure value in self-hosted/production**; the default is insecure. |
 | `TRIGGER_TELEMETRY_DISABLED`                     | No       | —                     | Disable telemetry.                                                                                                 |
 | `NODE_MAX_OLD_SPACE_SIZE`                        | No       | 8192                  | Maximum memory allocation for Node.js heap in MiB (e.g. "4096" for 4GB).                                           |
 | `OPENAI_API_KEY`                                 | No       | —                     | OpenAI API key.                                                                                                    |
@@ -233,6 +251,7 @@ Restart the webapp and verify both providers work:
 
 - Old runs (no prefix) should still access R2
 - New runs with `s3://` prefix should use S3
+
 </Step>
 
 <Step title="Switch to S3 for new uploads">
@@ -247,6 +266,7 @@ After this change:
 - New data uses `s3://` prefix and goes to S3
 - Old data (no prefix) still uses R2
 - Data with explicit protocol uses the corresponding provider
+
 </Step>
 
 <Step title="Optionally decommission R2">
diff --git a/docs/self-hosting/kubernetes.mdx b/docs/self-hosting/kubernetes.mdx
index eba66f4ed07..8fbf8aab90a 100644
--- a/docs/self-hosting/kubernetes.mdx
+++ b/docs/self-hosting/kubernetes.mdx
@@ -354,6 +354,27 @@ webapp:
 - Compatible with secret management tools (External Secrets Operator, etc.)
 - Follows Kubernetes security best practices
 
+## DNS performance
+
+For production clusters we recommend deploying [NodeLocal DNSCache](https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/). DNS queries — especially to managed Postgres or Redis endpoints — can be very slow under Kubernetes' default resolver, and a node-local cache typically gives a large step change in latency and throughput across the cluster.
+
+The default `ndots: 5` setting also forces every cluster search domain to be tried before resolving hostnames with fewer dots (the case for most external database hosts). Lowering `ndots` to `1` on the webapp and supervisor pods avoids those extra round-trips.
+
+## Task events
+
+By default, task events (timeline, logs, spans) are stored in PostgreSQL. For production deployments we recommend storing them in ClickHouse instead, it scales to much higher volumes and avoids unbounded growth of the `TaskEvent` table.
+
+ClickHouse is already deployed by the chart, so no extra services are required. To enable, set `EVENT_REPOSITORY_DEFAULT_STORE` on the webapp via `extraEnvVars`:
+
+```yaml
+webapp:
+  extraEnvVars:
+    - name: EVENT_REPOSITORY_DEFAULT_STORE
+      value: "clickhouse_v2"
+```
+
+This only affects new runs; existing runs continue to read from wherever their events were originally stored.
+
 ## Worker token
 
 When using the default bootstrap configuration, worker creation and authentication is handled automatically. The webapp generates a worker token and makes it available to the supervisor via a shared volume.
diff --git a/docs/skills.mdx b/docs/skills.mdx
index f12c5c36eb6..1a446e9e180 100644
--- a/docs/skills.mdx
+++ b/docs/skills.mdx
@@ -2,7 +2,6 @@
 title: "Skills"
 description: "Install Trigger.dev skills to teach any AI coding assistant best practices for writing tasks, agents, and workflows."
 sidebarTitle: "Skills"
-tag: "new"
 ---
 
 ## What are agent skills?
@@ -10,7 +9,9 @@ tag: "new"
 Skills are portable instruction sets that teach AI coding assistants how to use Trigger.dev effectively. Unlike vendor-specific config files (`.cursor/rules`, `CLAUDE.md`), skills use an open standard that works across all major AI assistants. For example, Cursor users and Claude Code users can get the same knowledge from a single install.
 
 <Note>
-  Skills are one of three AI tools we provide. You can also install [Agent Rules](/mcp-agent-rules) for client-specific rule sets or the [MCP Server](/mcp-introduction) for live project interaction. See the [comparison table](/building-with-ai#skills-vs-agent-rules-vs-mcp) for details.
+  Skills are one of three AI tools we provide. You can also install [Agent Rules](/mcp-agent-rules)
+  for client-specific rule sets or the [MCP Server](/mcp-introduction) for live project interaction.
+  See the [comparison table](/building-with-ai#skills-vs-agent-rules-vs-mcp) for details.
 </Note>
 
 Skills are installed as directories containing a `SKILL.md` file. Each `SKILL.md` includes YAML frontmatter (name, description) and markdown instructions with patterns, examples, and best practices that AI assistants automatically discover and follow.
@@ -27,7 +28,6 @@ npx skills add triggerdotdev/skills
 
 The result: your AI assistant understands Trigger.dev's specific patterns for exports, schema validation, error handling, retries, and more.
 
-
 ## Available skills
 
 Install all skills at once, or pick the ones relevant to your current work:
@@ -42,19 +42,21 @@ npx skills add triggerdotdev/skills --skill trigger-agents
 npx skills add triggerdotdev/skills --skill trigger-config
 npx skills add triggerdotdev/skills --skill trigger-realtime
 npx skills add triggerdotdev/skills --skill trigger-setup
+npx skills add triggerdotdev/skills --skill trigger-cost-savings
+
 ```
 
-| Skill | Use for | Covers |
-|-------|---------|--------|
-| `trigger-setup` | First time setup, new projects | SDK install, `npx trigger init`, project structure |
-| `trigger-tasks` | Writing background tasks, async workflows, scheduled tasks | Triggering, waits, queues, retries, cron, metadata |
-| `trigger-agents` | LLM workflows, orchestration, multi-step AI agents | Prompt chaining, routing, parallelization, human-in-the-loop |
-| `trigger-realtime` | Live updates, progress indicators, streaming | React hooks, progress bars, streaming AI responses |
-| `trigger-config` | Project setup, build configuration | `trigger.config.ts`, extensions (Prisma, FFmpeg, Playwright) |
+| Skill                  | Use for                                                     | Covers                                                           |
+| ---------------------- | ----------------------------------------------------------- | ---------------------------------------------------------------- |
+| `trigger-setup`        | First time setup, new projects                              | SDK install, `npx trigger init`, project structure               |
+| `trigger-tasks`        | Writing background tasks, async workflows, scheduled tasks  | Triggering, waits, queues, retries, cron, metadata               |
+| `trigger-agents`       | LLM workflows, orchestration, multi-step AI agents          | Prompt chaining, routing, parallelization, human-in-the-loop     |
+| `trigger-realtime`     | Live updates, progress indicators, streaming                | React hooks, progress bars, streaming AI responses               |
+| `trigger-config`       | Project setup, build configuration                          | `trigger.config.ts`, extensions (Prisma, FFmpeg, Playwright)     |
+| `trigger-cost-savings` | Cost savings, performance optimization, resource management | Cost optimization, performance optimization, resource management |
 
 Not sure which skill to install? Install `trigger-tasks`; it covers the most common patterns for writing Trigger.dev tasks.
 
-
 ## Supported AI assistants
 
 Skills work with any AI coding assistant that supports the [Agent Skills standard](https://agentskills.io), including:
@@ -84,4 +86,4 @@ Skills work with any AI coding assistant that supports the [Agent Skills standar
   <Card title="skills.sh" icon="box" href="https://skills.sh">
     Browse the full Agent Skills ecosystem.
   </Card>
-</CardGroup>
\ No newline at end of file
+</CardGroup>
diff --git a/docs/snippets/ai-chat-rc-banner.mdx b/docs/snippets/ai-chat-rc-banner.mdx
new file mode 100644
index 00000000000..18a9dbcfe57
--- /dev/null
+++ b/docs/snippets/ai-chat-rc-banner.mdx
@@ -0,0 +1,3 @@
+<Warning>
+  The AI Agents and Prompts surface ships as part of the **v4.5 release candidate**. Install with `@trigger.dev/sdk@rc` (or pin `4.5.0-rc.0` or later) to use these features — they aren't yet on the latest stable, and APIs may still change before the 4.5.0 GA. See [supported AI SDK versions](/ai-chat/reference#compatibility) and the [AI chat changelog](/ai-chat/changelog) for details.
+</Warning>
diff --git a/docs/snippets/migrate-v4-using-ai.mdx b/docs/snippets/migrate-v4-using-ai.mdx
index fa749ed7231..aa5393c158d 100644
--- a/docs/snippets/migrate-v4-using-ai.mdx
+++ b/docs/snippets/migrate-v4-using-ai.mdx
@@ -56,7 +56,7 @@ const myTask = task({
   },
 });
 
-We’ve deprecated the `toolTask` function and replaced it with the `ai.tool` function, which creates an AI tool from an existing `schemaTask`. This is the old version:
+We’ve deprecated the `toolTask` function. Use `schemaTask` plus AI SDK `tool()` with `execute: ai.toolExecute(task)` (the `ai.tool()` wrapper is deprecated). This is the old version:
 
 import { toolTask, schemaTask } from "@trigger.dev/sdk";
 import { z } from "zod";
@@ -85,9 +85,11 @@ export const myAiTask = schemaTask({
 
 This is the new version:
 
-import { schemaTask, ai } from "@trigger.dev/sdk";
+import { schemaTask } from "@trigger.dev/sdk";
+import { ai } from "@trigger.dev/sdk/ai";
 import { z } from "zod";
-import { generateText } from "ai";
+import { generateText, tool } from "ai";
+import { openai } from "@ai-sdk/openai";
 
 // Convert toolTask to schemaTask with a schema
 const myToolTask = schemaTask({
@@ -99,8 +101,11 @@ const myToolTask = schemaTask({
   run: async (payload, { ctx }) => {},
 });
 
-// Create an AI tool from the schemaTask
-const myTool = ai.tool(myToolTask);
+const myTool = tool({
+  description: myToolTask.description ?? "",
+  inputSchema: myToolTask.schema!,
+  execute: ai.toolExecute(myToolTask),
+});
 
 export const myAiTask = schemaTask({
   id: "my-ai-task",
@@ -112,7 +117,7 @@ export const myAiTask = schemaTask({
       prompt: payload.text,
       model: openai("gpt-4o"),
       tools: {
-        myTool, // Use the ai.tool created from schemaTask
+        myTool,
       },
     });
   },
diff --git a/docs/tasks/schemaTask.mdx b/docs/tasks/schemaTask.mdx
index 3692d1d7035..a551fb1af49 100644
--- a/docs/tasks/schemaTask.mdx
+++ b/docs/tasks/schemaTask.mdx
@@ -76,51 +76,63 @@ await myTask.trigger({ age: 30, dob: "2020-01-01" }); // this is valid
 await myTask.trigger({ name: "Alice", age: 30, dob: "2020-01-01" }); // this is also valid
 ```
 
-## `ai.tool`
+## Task-backed AI tools
 
-The `ai.tool` function allows you to create an AI tool from an existing `schemaTask` to use with the Vercel [AI SDK](https://vercel.com/docs/ai-sdk):
+Use a `schemaTask` as the implementation of a Vercel [AI SDK](https://vercel.com/docs/ai-sdk) tool: the model calls the tool, and Trigger runs your task as a **subtask** with tool-call metadata, optional [chat context](/ai-chat/patterns/sub-agents), and the same payload validation as a normal trigger.
+
+### Recommended: `ai.toolExecute` with `tool()`
+
+Prefer building the tool with the AI SDK’s [`tool()`](https://sdk.vercel.ai/docs/ai-sdk-core/tools-and-tool-calling) and passing **`execute: ai.toolExecute(yourTask)`**. You keep full control of `description`, `inputSchema`, and AI-SDK-only options (for example `experimental_toToolResultContent`), and your types follow the `ai` version installed in **your** app.
 
 ```ts
 import { ai } from "@trigger.dev/sdk/ai";
 import { schemaTask } from "@trigger.dev/sdk";
+import { tool, generateText } from "ai";
+import { openai } from "@ai-sdk/openai";
 import { z } from "zod";
-import { generateText } from "ai";
 
 const myToolTask = schemaTask({
   id: "my-tool-task",
   schema: z.object({
     foo: z.string(),
   }),
-  run: async (payload: any, { ctx }) => {},
+  run: async ({ foo }) => {
+    return { bar: foo.toUpperCase() };
+  },
 });
 
-const myTool = ai.tool(myToolTask);
+const myTool = tool({
+  description: myToolTask.description ?? "",
+  inputSchema: myToolTask.schema!,
+  execute: ai.toolExecute(myToolTask),
+});
 
 export const myAiTask = schemaTask({
   id: "my-ai-task",
   schema: z.object({
     text: z.string(),
   }),
-  run: async (payload, { ctx }) => {
-    const { text } = await generateText({
-      prompt: payload.text,
+  run: async ({ text }) => {
+    const { text: reply } = await generateText({
+      prompt: text,
       model: openai("gpt-4o"),
       tools: {
         myTool,
       },
     });
+    return reply;
   },
 });
 ```
 
-You can also pass the `experimental_toToolResultContent` option to the `ai.tool` function to customize the content of the tool result:
+`experimental_toToolResultContent` and other tool-level options belong on **`tool({ ... })`**, not on `ai.toolExecute`:
 
 ```ts
 import { openai } from "@ai-sdk/openai";
 import { Sandbox } from "@e2b/code-interpreter";
 import { ai } from "@trigger.dev/sdk/ai";
 import { schemaTask } from "@trigger.dev/sdk";
-import { generateObject } from "ai";
+import { generateObject, tool } from "ai";
 import { z } from "zod";
 
 const chartTask = schemaTask({
@@ -135,56 +147,37 @@ const chartTask = schemaTask({
       schema: z.object({
         code: z.string().describe("The Python code to execute"),
       }),
-      system: `
-        You are a helpful assistant that can generate Python code to be executed in a sandbox, using matplotlib.pyplot.
-
-        For example: 
-        
-        import matplotlib.pyplot as plt
-        plt.plot([1, 2, 3, 4])
-        plt.ylabel('some numbers')
-        plt.show()
-        
-        Make sure the code ends with plt.show()
-      `,
+      system: `You are a helpful assistant that generates matplotlib code. End with plt.show().`,
       prompt: input,
     });
 
     const sandbox = await Sandbox.create();
-
     const execution = await sandbox.runCode(code.object.code);
-
     const firstResult = execution.results[0];
 
     if (firstResult.png) {
-      return {
-        chart: firstResult.png,
-      };
-    } else {
-      throw new Error("No chart generated");
+      return { chart: firstResult.png };
     }
+    throw new Error("No chart generated");
   },
 });
 
-// This is useful if you want to return an image from the tool
-export const chartTool = ai.tool(chartTask, {
-  experimental_toToolResultContent: (result) => {
-    return [
-      {
-        type: "image",
-        data: result.chart,
-        mimeType: "image/png",
-      },
-    ];
-  },
+export const chartTool = tool({
+  description: chartTask.description ?? "",
+  inputSchema: chartTask.schema!,
+  execute: ai.toolExecute(chartTask),
+  experimental_toToolResultContent: (result) => [
+    { type: "image", data: result.chart, mimeType: "image/png" },
+  ],
 });
 ```
 
-You can access the current tool execution options inside the task run function using the `ai.currentToolOptions()` function:
+Inside the task run, you can read tool execution context with **`ai.currentToolOptions()`** (and helpers like `ai.toolCallId()`, `ai.chatContext()` when running inside a [`chat.agent`](/ai-chat/overview)):
 
 ```ts
 import { ai } from "@trigger.dev/sdk/ai";
 import { schemaTask } from "@trigger.dev/sdk";
+import { tool } from "ai";
 import { z } from "zod";
 
 const myToolTask = schemaTask({
@@ -192,22 +185,49 @@ const myToolTask = schemaTask({
   schema: z.object({
     foo: z.string(),
   }),
-  run: async (payload, { ctx }) => {
+  run: async ({ foo }) => {
     const toolOptions = ai.currentToolOptions();
     console.log(toolOptions);
+    return { foo };
   },
 });
 
-export const myAiTask = ai.tool(myToolTask);
+export const myTool = tool({
+  description: myToolTask.description ?? "",
+  inputSchema: myToolTask.schema!,
+  execute: ai.toolExecute(myToolTask),
+});
 ```
 
-See the [AI SDK tool execution options docs](https://sdk.vercel.ai/docs/ai-sdk-core/tools-and-tool-calling#tool-execution-options) for more details on the tool execution options.
+See the [AI SDK tool execution options](https://sdk.vercel.ai/docs/ai-sdk-core/tools-and-tool-calling#tool-execution-options) for fields passed through the runtime.
 
 <Note>
-  `ai.tool` is compatible with `schemaTask`'s defined with Zod and ArkType schemas, or any schemas
-  that implement a `.toJsonSchema()` function.
+  `ai.toolExecute` works with `schemaTask` definitions that use Zod, ArkType, or any schema that provides a JSON schema via `.toJsonSchema()` (same coverage as the legacy `ai.tool` wrapper).
 </Note>
 
+### Deprecated: `ai.tool`
+
+The **`ai.tool(task, options?)`** helper is **deprecated**. It constructs an AI SDK `Tool` for you (using `tool()` for Zod-like schemas and `dynamicTool()` otherwise) and may be removed in a future major version. New code should use **`tool({ ..., execute: ai.toolExecute(task) })`** as shown above.
+
+### Legacy `ai.tool` example (deprecated)
+
+```ts
+import { ai } from "@trigger.dev/sdk/ai";
+import { schemaTask } from "@trigger.dev/sdk";
+import { z } from "zod";
+import { generateText } from "ai";
+import { openai } from "@ai-sdk/openai";
+
+const myToolTask = schemaTask({
+  id: "my-tool-task",
+  schema: z.object({ foo: z.string() }),
+  run: async ({ foo }) => ({ foo }),
+});
+
+// Deprecated — prefer tool({ execute: ai.toolExecute(myToolTask), ... })
+const myTool = ai.tool(myToolTask);
+```
+
 ## Supported schema types
 
 ### Zod
diff --git a/docs/tasks/streams.mdx b/docs/tasks/streams.mdx
index c8cec9dc5a0..9c43ca2d4d1 100644
--- a/docs/tasks/streams.mdx
+++ b/docs/tasks/streams.mdx
@@ -873,3 +873,12 @@ Prior to SDK 4.1.0, streams used the older metadata-based API. If you're on an e
 
 - Input streams require SDK **4.4.2 or later** and the default streams (v2) infrastructure. Ensure you're on a recent SDK and not using the legacy metadata.stream() API.
 - If `.on()` or `.once()` throw, follow the error message to enable v2 streams (they are default in 4.1.0+).
+
+### "Stream is being deleted" during long waits
+
+If a stream is created but stays empty for ~1 hour (for example, during a long `wait.forToken()` or `wait.for()`), the streams backend may garbage-collect it. When the run resumes and tries to use the stream, you'll see `S2Error: Stream is being deleted` and the task retries from the beginning.
+
+Two ways to avoid this:
+
+- Close the stream before the wait and open a new one when the run resumes.
+- Write a heartbeat record to the stream every 20–30 minutes during the wait so it's never empty long enough to be deleted.
diff --git a/docs/troubleshooting.mdx b/docs/troubleshooting.mdx
index 4bac1ba5b5c..71784c30edc 100644
--- a/docs/troubleshooting.mdx
+++ b/docs/troubleshooting.mdx
@@ -278,6 +278,55 @@ You could also offload the CPU-heavy work to a Node.js worker thread, but this i
 
 If the above doesn't work, then we recommend you try increasing the machine size of your task. See our [machines guide](/machines) for more information.
 
+### Uncaught exceptions
+
+If you see a `TASK_RUN_UNCAUGHT_EXCEPTION` error, an exception escaped your task's `run()` function without being thrown through your `await` chain — the runtime caught it via Node's `process.on("uncaughtException")` handler. The dashboard surfaces this as a regular task failure (status `Failed`) and the run will retry according to your task's retry policy, but the exception still indicates a bug worth fixing.
+
+The most common cause is a Node `EventEmitter` emitting an `"error"` event with no listener attached. When this happens, Node escalates the event into an `uncaughtException`. Long-lived clients like `node-redis`, `pg`, `kafkajs`, and `mongodb` all surface socket-level errors this way.
+
+For example, a `node-redis` client with no error listener will fail your run with an `Error: read ECONNRESET` (or similar TCP error) the next time the socket is reset:
+
+```ts
+import { task } from "@trigger.dev/sdk";
+import { createClient } from "redis";
+
+export const myTask = task({
+  id: "my-task",
+  run: async () => {
+    const client = createClient({ url: process.env.REDIS_URL });
+
+    // BAD: no .on("error", ...) listener — a socket reset will crash the run
+    // with an uncaught exception, even if the next .get() would have worked.
+    await client.connect();
+    return await client.get("foo");
+  },
+});
+```
+
+Fix it by attaching an `error` listener so the event has somewhere to go:
+
+```ts
+const client = createClient({ url: process.env.REDIS_URL });
+
+// GOOD: the listener catches socket-level errors. The awaited command
+// (e.g. .get) will still reject if the connection is broken, and that
+// rejection propagates through your run() and fails the attempt cleanly.
+client.on("error", (err) => {
+  logger.warn("Redis client error", { err });
+});
+
+await client.connect();
+return await client.get("foo");
+```
+
+The same fix applies to any library that emits `"error"` events. As a rule, attach an `.on("error", ...)` listener to every long-lived client you create inside a task.
+
+<Note>
+
+Unhandled promise rejections (e.g. `Promise.reject(...)` with no `.catch`) take the same path — Node routes them through `uncaughtException` by default, and the runtime treats them as `TASK_RUN_UNCAUGHT_EXCEPTION` for the same reasons. Make sure every promise either gets `await`ed or has a `.catch(...)` handler.
+
+</Note>
+
 ### Realtime stream error (`sendBatchNonBlocking` / `S2AppendSession`)
 
 Errors mentioning `sendBatchNonBlocking`, `@s2-dev/streamstore`, or `S2AppendSession` (often with `code: undefined`) can occur when you close a stream and then await `waitUntilComplete()`, or when a stream runs for a long time (e.g. 20+ minutes). Wrap `waitUntilComplete()` in try/catch so Transport/closed-stream errors don't fail your task:
diff --git a/docs/vercel-integration.mdx b/docs/vercel-integration.mdx
index a465f5aa39b..3c2cc1b9665 100644
--- a/docs/vercel-integration.mdx
+++ b/docs/vercel-integration.mdx
@@ -104,6 +104,12 @@ The following variables are excluded from the Vercel → Trigger.dev sync:
 
 You can control sync behavior per-variable from your project's Vercel settings. Deselecting a variable prevents its value from being updated during future syncs.
 
+<Note>
+  Environment variables are pulled from Vercel before each build. To sync updated values into
+  Trigger.dev, trigger a new Vercel deployment — either by pushing a commit to your connected branch
+  or by redeploying from the Vercel dashboard.
+</Note>
+
 <Warning>
   If you are experiencing incorrectly populated environment variables, check that you are not using
   the `syncVercelEnvVars` build extension in your `trigger.config.ts`. This extension is deprecated
diff --git a/hosting/k8s/helm/Chart.lock b/hosting/k8s/helm/Chart.lock
index ac445fac172..5a7882cfa0e 100644
--- a/hosting/k8s/helm/Chart.lock
+++ b/hosting/k8s/helm/Chart.lock
@@ -7,9 +7,9 @@ dependencies:
   version: 21.2.6
 - name: clickhouse
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 9.3.7
+  version: 9.4.4
 - name: minio
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 17.0.9
-digest: sha256:b6cef61abc0b8bcdf4e6d7d86bd8dd7999dd07543f5532f3d94797ffdf0ad30b
-generated: "2025-06-27T19:27:24.075488134+01:00"
+digest: sha256:e1b572ab8eca0cc376311398c27b1734d8a598095fccc81dd9c32b2c8b9c1149
+generated: "2026-05-05T10:31:58.493590751+01:00"
diff --git a/hosting/k8s/helm/Chart.yaml b/hosting/k8s/helm/Chart.yaml
index 155dc1bf771..0682649204b 100644
--- a/hosting/k8s/helm/Chart.yaml
+++ b/hosting/k8s/helm/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: trigger
 description: The official Trigger.dev Helm chart
 type: application
-version: 4.0.5
-appVersion: v4.0.4
+version: 4.5.0-rc.5
+appVersion: v4.5.0-rc.5
 home: https://trigger.dev
 sources:
   - https://github.com/triggerdotdev/trigger.dev
@@ -27,7 +27,7 @@ dependencies:
     repository: "oci://registry-1.docker.io/bitnamicharts"
     condition: redis.deploy
   - name: clickhouse
-    version: "9.3.7"
+    version: "9.4.4"
     repository: "oci://registry-1.docker.io/bitnamicharts"
     condition: clickhouse.deploy
   - name: minio
diff --git a/hosting/k8s/helm/README.md b/hosting/k8s/helm/README.md
index 4b54b52af76..33e64a93a23 100644
--- a/hosting/k8s/helm/README.md
+++ b/hosting/k8s/helm/README.md
@@ -736,4 +736,4 @@ helm upgrade --install trigger . \
 
 - Documentation: https://trigger.dev/docs/self-hosting
 - GitHub Issues: https://github.com/triggerdotdev/trigger.dev/issues
-- Discord: https://discord.gg/untWVke9aH
\ No newline at end of file
+- Discord: https://discord.gg/untWVke9aH
diff --git a/hosting/k8s/helm/templates/_helpers.tpl b/hosting/k8s/helm/templates/_helpers.tpl
index cb148678c92..8615a34e0ae 100644
--- a/hosting/k8s/helm/templates/_helpers.tpl
+++ b/hosting/k8s/helm/templates/_helpers.tpl
@@ -400,6 +400,19 @@ ClickHouse hostname
 
 {{/*
 ClickHouse URL for application (with secure parameter)
+
+Note on the external+existingSecret branch: the password is expanded via
+Kubernetes' `$(VAR)` syntax, not shell `${VAR}`. Kubelet substitutes
+`$(CLICKHOUSE_PASSWORD)` at container-creation time from the
+CLICKHOUSE_PASSWORD env var declared just before CLICKHOUSE_URL in
+webapp.yaml. Shell-style `${...}` does not work here because
+`docker/scripts/entrypoint.sh` assigns CLICKHOUSE_URL to GOOSE_DBSTRING
+with a single-pass expansion (`export GOOSE_DBSTRING="$CLICKHOUSE_URL"`),
+so any inner `${...}` reaches goose verbatim and fails URL parsing.
+
+CLICKHOUSE_PASSWORD must contain only URL-userinfo-safe characters — the
+value is substituted verbatim, so `@ : / ? # [ ] %` break the URL. Use a
+hex-encoded password or percent-encode before storing in the Secret.
 */}}
 {{- define "trigger-v4.clickhouse.url" -}}
 {{- if .Values.clickhouse.deploy -}}
@@ -410,7 +423,7 @@ ClickHouse URL for application (with secure parameter)
 {{- $protocol := ternary "https" "http" .Values.clickhouse.external.secure -}}
 {{- $secure := ternary "true" "false" .Values.clickhouse.external.secure -}}
 {{- if .Values.clickhouse.external.existingSecret -}}
-{{ $protocol }}://{{ .Values.clickhouse.external.username }}:${CLICKHOUSE_PASSWORD}@{{ .Values.clickhouse.external.host }}:{{ .Values.clickhouse.external.httpPort | default 8123 }}?secure={{ $secure }}
+{{ $protocol }}://{{ .Values.clickhouse.external.username }}:$(CLICKHOUSE_PASSWORD)@{{ .Values.clickhouse.external.host }}:{{ .Values.clickhouse.external.httpPort | default 8123 }}?secure={{ $secure }}
 {{- else -}}
 {{ $protocol }}://{{ .Values.clickhouse.external.username }}:{{ .Values.clickhouse.external.password }}@{{ .Values.clickhouse.external.host }}:{{ .Values.clickhouse.external.httpPort | default 8123 }}?secure={{ $secure }}
 {{- end -}}
@@ -419,6 +432,9 @@ ClickHouse URL for application (with secure parameter)
 
 {{/*
 ClickHouse URL for replication (without secure parameter)
+
+See the note on clickhouse.url above — same `$(VAR)` vs `${VAR}` rationale
+applies to the replication URL.
 */}}
 {{- define "trigger-v4.clickhouse.replication.url" -}}
 {{- if .Values.clickhouse.deploy -}}
@@ -427,7 +443,7 @@ ClickHouse URL for replication (without secure parameter)
 {{- else if .Values.clickhouse.external.host -}}
 {{- $protocol := ternary "https" "http" .Values.clickhouse.external.secure -}}
 {{- if .Values.clickhouse.external.existingSecret -}}
-{{ $protocol }}://{{ .Values.clickhouse.external.username }}:${CLICKHOUSE_PASSWORD}@{{ .Values.clickhouse.external.host }}:{{ .Values.clickhouse.external.httpPort | default 8123 }}
+{{ $protocol }}://{{ .Values.clickhouse.external.username }}:$(CLICKHOUSE_PASSWORD)@{{ .Values.clickhouse.external.host }}:{{ .Values.clickhouse.external.httpPort | default 8123 }}
 {{- else -}}
 {{ $protocol }}://{{ .Values.clickhouse.external.username }}:{{ .Values.clickhouse.external.password }}@{{ .Values.clickhouse.external.host }}:{{ .Values.clickhouse.external.httpPort | default 8123 }}
 {{- end -}}
@@ -521,13 +537,34 @@ http://{{ include "trigger-v4.fullname" . }}-supervisor:{{ .Values.supervisor.se
 {{- end }}
 
 {{/*
-Create the name of the supervisor service account to use
+Create the name of the supervisor service account to use.
+When create is false, name must be set explicitly - falling back to the namespace's
+default ServiceAccount would silently grant it the RoleBinding's permissions.
 */}}
 {{- define "trigger-v4.supervisorServiceAccountName" -}}
 {{- if .Values.supervisor.serviceAccount.create }}
 {{- default (printf "%s-supervisor" (include "trigger-v4.fullname" .)) .Values.supervisor.serviceAccount.name }}
 {{- else }}
-{{- default "default" .Values.supervisor.serviceAccount.name }}
+{{- if not .Values.supervisor.serviceAccount.name }}
+{{- fail "supervisor.serviceAccount.name must be set when supervisor.serviceAccount.create is false" }}
+{{- end }}
+{{- .Values.supervisor.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the webapp service account to use.
+When create is false, name must be set explicitly - falling back to the namespace's
+default ServiceAccount would silently grant it the token-syncer RoleBinding's permissions.
+*/}}
+{{- define "trigger-v4.webappServiceAccountName" -}}
+{{- if .Values.webapp.serviceAccount.create }}
+{{- default (printf "%s-webapp" (include "trigger-v4.fullname" .)) .Values.webapp.serviceAccount.name }}
+{{- else }}
+{{- if not .Values.webapp.serviceAccount.name }}
+{{- fail "webapp.serviceAccount.name must be set when webapp.serviceAccount.create is false" }}
+{{- end }}
+{{- .Values.webapp.serviceAccount.name }}
 {{- end }}
 {{- end }}
 
diff --git a/hosting/k8s/helm/templates/supervisor.yaml b/hosting/k8s/helm/templates/supervisor.yaml
index ee3a1580b7a..11fd7a7f6d9 100644
--- a/hosting/k8s/helm/templates/supervisor.yaml
+++ b/hosting/k8s/helm/templates/supervisor.yaml
@@ -237,7 +237,7 @@ spec:
               value: {{ .Values.supervisor.config.debug | quote }}
             # OTEL
             - name: OTEL_EXPORTER_OTLP_ENDPOINT
-              value: "http://{{ include "trigger-v4.fullname" . }}-webapp:{{ .Values.webapp.service.port }}/otel"
+              value: "http://{{ include "trigger-v4.fullname" . }}-webapp.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.webapp.service.port }}/otel"
             {{- with .Values.supervisor.extraEnvVars }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
diff --git a/hosting/k8s/helm/templates/webapp.yaml b/hosting/k8s/helm/templates/webapp.yaml
index 0dd1bddbc41..721e5e60705 100644
--- a/hosting/k8s/helm/templates/webapp.yaml
+++ b/hosting/k8s/helm/templates/webapp.yaml
@@ -1,10 +1,16 @@
+{{- if .Values.webapp.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "trigger-v4.fullname" . }}-webapp
+  name: {{ include "trigger-v4.webappServiceAccountName" . }}
   labels:
     {{- $component := "webapp" }}
     {{- include "trigger-v4.componentLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
+  {{- with .Values.webapp.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -27,7 +33,7 @@ metadata:
     {{- include "trigger-v4.componentLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
 subjects:
   - kind: ServiceAccount
-    name: {{ include "trigger-v4.fullname" . }}-webapp
+    name: {{ include "trigger-v4.webappServiceAccountName" . }}
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: Role
@@ -56,7 +62,7 @@ spec:
       labels:
         {{- include "trigger-v4.componentSelectorLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 8 }}
     spec:
-      serviceAccountName: {{ include "trigger-v4.fullname" . }}-webapp
+      serviceAccountName: {{ include "trigger-v4.webappServiceAccountName" . }}
       {{- with .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
diff --git a/hosting/k8s/helm/values.yaml b/hosting/k8s/helm/values.yaml
index 262ffa4b8ed..062bebf9c7f 100644
--- a/hosting/k8s/helm/values.yaml
+++ b/hosting/k8s/helm/values.yaml
@@ -208,6 +208,15 @@ webapp:
   runReplication:
     logLevel: "info" # one of: log, error, warn, info, debug
 
+  # ServiceAccount configuration
+  serviceAccount:
+    create: true
+    # Name of the ServiceAccount to use. Required when create is false - otherwise
+    # the token-syncer RoleBinding would bind to the namespace's "default" SA.
+    name: ""
+    # Annotations to add to the ServiceAccount (e.g. eks.amazonaws.com/role-arn for IRSA)
+    annotations: {}
+
   # Observability configuration (OTel)
   observability:
     tracing:
@@ -533,7 +542,7 @@ clickhouse:
   image:
     # Use bitnami legacy repo
     repository: bitnamilegacy/clickhouse
-    # image: docker.io/bitnamilegacy/clickhouse:25.6.1-debian-12-r0
+    # image: docker.io/bitnamilegacy/clickhouse:25.7.5-debian-12-r0
 
   # TLS/Secure connection configuration
   secure: false # Set to true to use HTTPS and secure connections
diff --git a/internal-packages/clickhouse/CLAUDE.md b/internal-packages/clickhouse/CLAUDE.md
index c3e4f9125a0..9b482b8a2d7 100644
--- a/internal-packages/clickhouse/CLAUDE.md
+++ b/internal-packages/clickhouse/CLAUDE.md
@@ -4,18 +4,46 @@
 
 ## Migrations
 
-Goose-format SQL migrations live in `schema/`. Create new numbered files:
+Goose-format SQL migrations live in `schema/`. Two rules below are load-bearing — both can block a deploy.
+
+### Rule 1: number to `max + 1`, never slot in
+
+Goose runs in strict mode in the deploy pipeline. If a migration file numbered *below* the version currently recorded in `goose_db_version` ever shows up, goose refuses to apply it and the deploy fails:
+
+```
+goose run: error: found 1 missing migrations before current version 30:
+  version 29: 029_add_task_kind_to_task_runs_v2.sql
+```
+
+When adding a migration:
+
+1. Look at `schema/` and take the largest existing number, call it `N`.
+2. Name your file `0(N+1)_descriptive_name.sql`.
+3. If you've been on a branch while main added migrations, **rebase and renumber** before opening the PR — a file numbered below the new max will block the next deploy after your PR merges.
+
+### Rule 2: DDL must be idempotent
+
+Migrations can be applied out of order in some environments (`goose up --allow-missing` for local recovery, manual fixups, etc.) and may be retried. Always use idempotent forms so a re-apply is a no-op:
 
 ```sql
 -- +goose Up
 ALTER TABLE trigger_dev.your_table
-ADD COLUMN new_column String DEFAULT '';
+  ADD COLUMN IF NOT EXISTS new_column String DEFAULT '';
 
 -- +goose Down
 ALTER TABLE trigger_dev.your_table
-DROP COLUMN new_column;
+  DROP COLUMN IF EXISTS new_column;
 ```
 
+Equivalent forms for other DDL:
+
+- `CREATE TABLE IF NOT EXISTS …`
+- `DROP TABLE IF EXISTS …`
+- `ADD INDEX IF NOT EXISTS …` / `DROP INDEX IF EXISTS …`
+- `CREATE MATERIALIZED VIEW IF NOT EXISTS …` / `DROP VIEW IF EXISTS …`
+
+ClickHouse supports `IF [NOT] EXISTS` on all of the above. Older migrations in this directory predate the rule and are not idempotent — leave them as-is unless you're explicitly hardening one.
+
 ## Naming Conventions
 
 - `raw_` prefix for input tables (where data lands first)
diff --git a/internal-packages/clickhouse/Dockerfile b/internal-packages/clickhouse/Dockerfile
index ceb5092021b..c4182042cf9 100644
--- a/internal-packages/clickhouse/Dockerfile
+++ b/internal-packages/clickhouse/Dockerfile
@@ -1,7 +1,7 @@
-FROM golang
+FROM golang:1.26@sha256:68cb6d68bed024785b69195b89af7ac7a444f27791435f98647edff595aa0479
 
 
-RUN go install github.com/pressly/goose/v3/cmd/goose@latest
+RUN go install github.com/pressly/goose/v3/cmd/goose@v3.27.1
 
 
 COPY ./schema ./schema
@@ -9,4 +9,7 @@ COPY ./schema ./schema
 ENV GOOSE_DRIVER=clickhouse
 ENV GOOSE_DBSTRING="tcp://default:password@clickhouse:9000"
 ENV GOOSE_MIGRATION_DIR=./schema
+
+# Run migrations as non-root (dev-only migration helper; goose needs no root).
+USER nobody
 CMD ["goose", "up"]
diff --git a/internal-packages/clickhouse/package.json b/internal-packages/clickhouse/package.json
index 846ded63f1f..ec5ec25e667 100644
--- a/internal-packages/clickhouse/package.json
+++ b/internal-packages/clickhouse/package.json
@@ -22,7 +22,7 @@
     "typecheck": "tsc --noEmit -p tsconfig.build.json",
     "build": "pnpm run clean && tsc -p tsconfig.build.json",
     "dev": "tsc --watch  -p tsconfig.build.json",
-    "db:migrate": "docker compose -p triggerdotdev-docker -f ../../docker/docker-compose.yml up clickhouse_migrator --build",
+    "db:migrate": "node ../../scripts/docker.mjs -f docker/docker-compose.yml up clickhouse_migrator --build",
     "db:migrate:down": "GOOSE_COMMAND=down pnpm run db:migrate",
     "test": "vitest --sequence.concurrent=false --no-file-parallelism",
     "test:coverage": "vitest --sequence.concurrent=false --no-file-parallelism --coverage.enabled"
diff --git a/internal-packages/clickhouse/schema/030_create_sessions_v1.sql b/internal-packages/clickhouse/schema/030_create_sessions_v1.sql
new file mode 100644
index 00000000000..f575953ea80
--- /dev/null
+++ b/internal-packages/clickhouse/schema/030_create_sessions_v1.sql
@@ -0,0 +1,42 @@
+-- +goose Up
+
+CREATE TABLE trigger_dev.sessions_v1
+(
+  /*  ─── identity ─────────────────────────────────────────────── */
+  environment_id      String,
+  organization_id     String,
+  project_id          String,
+  session_id          String,
+
+  environment_type    LowCardinality(String),
+  friendly_id         String,
+  external_id         String DEFAULT '',
+
+  /*  ─── type discriminator ──────────────────────────────────── */
+  type                LowCardinality(String),
+  task_identifier     String DEFAULT '',
+
+  /*  ─── filtering / free-form ──────────────────────────────── */
+  tags                Array(String) CODEC(ZSTD(1)),
+  metadata            JSON(max_dynamic_paths = 256),
+
+  /*  ─── terminal markers ────────────────────────────────────── */
+  closed_at           Nullable(DateTime64(3)),
+  closed_reason       String DEFAULT '',
+  expires_at          Nullable(DateTime64(3)),
+
+  /*  ─── timing ─────────────────────────────────────────────── */
+  created_at          DateTime64(3),
+  updated_at          DateTime64(3),
+
+  /*  ─── commit lsn ────────────────────────────────────────── */
+  _version            UInt64,
+  _is_deleted         UInt8 DEFAULT 0
+)
+ENGINE = ReplacingMergeTree(_version, _is_deleted)
+PARTITION BY toYYYYMM(created_at)
+ORDER BY (organization_id, project_id, environment_id, created_at, session_id)
+SETTINGS enable_json_type = 1;
+
+-- +goose Down
+DROP TABLE IF EXISTS trigger_dev.sessions_v1;
diff --git a/internal-packages/clickhouse/schema/031_add_task_kind_to_task_runs_v2.sql b/internal-packages/clickhouse/schema/031_add_task_kind_to_task_runs_v2.sql
new file mode 100644
index 00000000000..b9492c04857
--- /dev/null
+++ b/internal-packages/clickhouse/schema/031_add_task_kind_to_task_runs_v2.sql
@@ -0,0 +1,12 @@
+-- +goose Up
+-- IF NOT EXISTS is required because this migration was previously numbered
+-- 029 and may have been applied in environments where goose accepted it
+-- before 030_create_sessions_v1 advanced the version counter. Renaming to
+-- 031 makes goose treat this as new everywhere, so the DDL must tolerate
+-- the column already being present.
+ALTER TABLE trigger_dev.task_runs_v2
+  ADD COLUMN IF NOT EXISTS task_kind LowCardinality(String) DEFAULT '';
+
+-- +goose Down
+ALTER TABLE trigger_dev.task_runs_v2
+  DROP COLUMN IF EXISTS task_kind;
diff --git a/internal-packages/clickhouse/src/__snapshots__/taskRuns.test.ts.snap b/internal-packages/clickhouse/src/__snapshots__/taskRuns.test.ts.snap
index b9b921a20e1..4ba7f7e7b1b 100644
--- a/internal-packages/clickhouse/src/__snapshots__/taskRuns.test.ts.snap
+++ b/internal-packages/clickhouse/src/__snapshots__/taskRuns.test.ts.snap
@@ -5,7 +5,7 @@ exports[`Task Runs V2 > should be able to query task runs using the query builde
   "params": {
     "environmentId": "cm9kddfcs01zqdy88ld9mmrli",
   },
-  "query": "SELECT run_id FROM trigger_dev.task_runs_v2 FINAL WHERE environment_id = {environmentId: String}",
+  "query": "SELECT run_id, toUnixTimestamp64Milli(created_at) AS created_at_ms FROM trigger_dev.task_runs_v2 FINAL WHERE environment_id = {environmentId: String}",
 }
 `;
 
@@ -15,6 +15,6 @@ exports[`Task Runs V2 > should be able to query task runs using the query builde
     "environmentId": "cm9kddfcs01zqdy88ld9mmrli",
     "status": "COMPLETED_SUCCESSFULLY",
   },
-  "query": "SELECT run_id FROM trigger_dev.task_runs_v2 FINAL WHERE environment_id = {environmentId: String} AND status = {status: String}",
+  "query": "SELECT run_id, toUnixTimestamp64Milli(created_at) AS created_at_ms FROM trigger_dev.task_runs_v2 FINAL WHERE environment_id = {environmentId: String} AND status = {status: String}",
 }
 `;
diff --git a/internal-packages/clickhouse/src/client/client.ts b/internal-packages/clickhouse/src/client/client.ts
index 5a4118934e7..d281b60482c 100644
--- a/internal-packages/clickhouse/src/client/client.ts
+++ b/internal-packages/clickhouse/src/client/client.ts
@@ -18,6 +18,7 @@ import type {
   ClickhouseQueryBuilderFastFunction,
   ClickhouseQueryBuilderFunction,
   ClickhouseQueryFunction,
+  ClickhouseQueryStreamFunction,
   ClickhouseQueryWithStatsFunction,
   ClickhouseReader,
   ClickhouseWriter,
@@ -517,6 +518,103 @@ export class ClickhouseClient implements ClickhouseReader, ClickhouseWriter {
     };
   }
 
+  public queryFastStream<TOut extends Record<string, any>, TParams extends Record<string, any>>(req: {
+    name: string;
+    query: string;
+    columns: Array<string | ColumnExpression>;
+    settings?: ClickHouseSettings;
+  }): ClickhouseQueryStreamFunction<TParams, TOut> {
+    const self = this;
+
+    return async function* (params, options) {
+      const queryId = randomUUID();
+
+      // A generator yields across the await boundary, so we can't use the
+      // callback-style `startSpan` helper here. We start the span manually and
+      // end it in `finally` so the span covers the whole stream lifetime and is
+      // closed even if the consumer abandons the generator early. Errors are
+      // re-thrown (no Result tuple) since they can surface mid-stream after the
+      // response headers have already been sent, but they're still recorded on
+      // the span and logged for parity with `queryFast`.
+      const span = self.tracer.startSpan("queryFastStream");
+      span.setAttributes({
+        "clickhouse.clientName": self.name,
+        "clickhouse.operationName": req.name,
+        "clickhouse.queryId": queryId,
+        ...flattenAttributes(req.settings, "clickhouse.settings"),
+        ...flattenAttributes(options?.attributes),
+      });
+
+      self.logger.debug("Streaming clickhouse fast", {
+        name: req.name,
+        query: req.query.replace(/\s+/g, " "),
+        params,
+        settings: req.settings,
+        queryId,
+      });
+
+      try {
+        const resultSet = await self.client.query({
+          query: req.query,
+          query_params: params,
+          format: "JSONCompactEachRow",
+          query_id: queryId,
+          ...options?.params,
+          clickhouse_settings: {
+            ...req.settings,
+            ...options?.params?.clickhouse_settings,
+          },
+        });
+
+        span.setAttributes({
+          "clickhouse.query_id": resultSet.query_id,
+          ...flattenAttributes(resultSet.response_headers, "clickhouse.response_headers"),
+        });
+
+        // Stream rows off the socket and hydrate each one on the fly. The full
+        // result set is never materialised into an array — bounded memory for
+        // arbitrarily large queries.
+        let rowCount = 0;
+        for await (const rows of resultSet.stream()) {
+          for (const row of rows) {
+            const rowData = row.json() as any[];
+
+            const hydratedRow: Record<string, any> = {};
+            for (let i = 0; i < req.columns.length; i++) {
+              const column = req.columns[i];
+              if (typeof column === "string") {
+                hydratedRow[column] = rowData[i];
+              } else {
+                hydratedRow[column.name] = rowData[i];
+              }
+            }
+
+            rowCount++;
+            yield hydratedRow as TOut;
+          }
+        }
+
+        span.setAttributes({ "clickhouse.rows": rowCount });
+      } catch (error) {
+        self.logger.error("Error streaming clickhouse", {
+          name: req.name,
+          error,
+          query: req.query,
+          params,
+          queryId,
+        });
+
+        if (error instanceof Error) {
+          recordClickhouseError(span, error);
+        }
+
+        throw error;
+      } finally {
+        span.end();
+      }
+    };
+  }
+
   public queryBuilder<TOut extends z.ZodSchema<any>>(req: {
     name: string;
     baseQuery: string;
diff --git a/internal-packages/clickhouse/src/client/noop.ts b/internal-packages/clickhouse/src/client/noop.ts
index e0872cada6a..9f212c3d16b 100644
--- a/internal-packages/clickhouse/src/client/noop.ts
+++ b/internal-packages/clickhouse/src/client/noop.ts
@@ -95,6 +95,17 @@ export class NoopClient implements ClickhouseReader, ClickhouseWriter {
     };
   }
 
+  public queryFastStream<TOut extends Record<string, any>, TParams extends Record<string, any>>(req: {
+    name: string;
+    query: string;
+    columns: string[];
+    settings?: ClickHouseSettings;
+  }): (params: TParams) => AsyncIterable<TOut> {
+    return async function* () {
+      // Noop: empty stream.
+    };
+  }
+
   public insert<TSchema extends z.ZodSchema<any>>(req: {
     name: string;
     table: string;
diff --git a/internal-packages/clickhouse/src/client/queryBuilder.ts b/internal-packages/clickhouse/src/client/queryBuilder.ts
index fb0430fd0db..ec7f73415b5 100644
--- a/internal-packages/clickhouse/src/client/queryBuilder.ts
+++ b/internal-packages/clickhouse/src/client/queryBuilder.ts
@@ -255,6 +255,24 @@ export class ClickhouseQueryFastBuilder<TOutput extends Record<string, any>> {
     return queryFunction(params);
   }
 
+  /**
+   * Like {@link execute} but streams rows instead of buffering them into an
+   * array. Returns an async iterable so the whole result set is never resident
+   * in memory at once.
+   */
+  executeStream(): AsyncIterable<TOutput> {
+    const { query, params } = this.build();
+
+    const streamFunction = this.reader.queryFastStream<TOutput, Record<string, any>>({
+      name: this.name,
+      query,
+      columns: this.columns,
+      settings: this.settings,
+    });
+
+    return streamFunction(params);
+  }
+
   build(): { query: string; params: QueryParams } {
     let query = `SELECT ${this.buildColumns().join(", ")} FROM ${this.table}`;
     if (this.prewhereClauses.length > 0) {
diff --git a/internal-packages/clickhouse/src/client/types.ts b/internal-packages/clickhouse/src/client/types.ts
index 71204225081..dde2bfce530 100644
--- a/internal-packages/clickhouse/src/client/types.ts
+++ b/internal-packages/clickhouse/src/client/types.ts
@@ -13,6 +13,20 @@ export type ClickhouseQueryFunction<TInput, TOutput> = (
   }
 ) => Promise<Result<TOutput[], QueryError>>;
 
+/**
+ * Like {@link ClickhouseQueryFunction} but yields rows as they stream off the
+ * socket instead of buffering them into an array. The whole result set is never
+ * held in memory at once. Errors are thrown (the async iterable rejects) rather
+ * than returned as a Result tuple.
+ */
+export type ClickhouseQueryStreamFunction<TInput, TOutput> = (
+  params: TInput,
+  options?: {
+    attributes?: Record<string, string | number | boolean>;
+    params?: BaseQueryParams;
+  }
+) => AsyncIterable<TOutput>;
+
 /**
  * Query statistics returned by ClickHouse
  */
@@ -146,6 +160,18 @@ export interface ClickhouseReader {
     settings?: ClickHouseSettings;
   }): ClickhouseQueryFunction<TParams, TOut>;
 
+  /**
+   * Like {@link queryFast} but streams rows instead of buffering them. Returns an
+   * async iterable so the caller can process arbitrarily large result sets with
+   * bounded memory.
+   */
+  queryFastStream<TOut extends Record<string, any>, TParams extends Record<string, any>>(req: {
+    name: string;
+    query: string;
+    columns: Array<string | ColumnExpression>;
+    settings?: ClickHouseSettings;
+  }): ClickhouseQueryStreamFunction<TParams, TOut>;
+
   queryBuilder<TOut extends z.ZodSchema<any>>(req: {
     /**
      * The name of the operation.
diff --git a/internal-packages/clickhouse/src/index.ts b/internal-packages/clickhouse/src/index.ts
index c6b8858fa9c..9ee659958aa 100644
--- a/internal-packages/clickhouse/src/index.ts
+++ b/internal-packages/clickhouse/src/index.ts
@@ -9,16 +9,20 @@ import {
   getTaskRunsQueryBuilder,
   getTaskActivityQueryBuilder,
   getCurrentRunningStats,
+  getChildRunStatusCounts,
   getAverageDurations,
   getTaskUsageByOrganization,
   getTaskRunsCountQueryBuilder,
   getTaskRunTagsQueryBuilder,
+  getPendingVersionIdsQueryBuilder,
 } from "./taskRuns.js";
 import {
   getSpanDetailsQueryBuilder,
   getSpanDetailsQueryBuilderV2,
   getTraceDetailedSummaryQueryBuilder,
   getTraceDetailedSummaryQueryBuilderV2,
+  getTraceEventsForExportQueryBuilder,
+  getTraceEventsForExportQueryBuilderV2,
   getTraceSummaryQueryBuilder,
   getTraceSummaryQueryBuilderV2,
   insertTaskEvents,
@@ -28,6 +32,12 @@ import {
 } from "./taskEvents.js";
 import { insertMetrics } from "./metrics.js";
 import { insertLlmMetrics } from "./llmMetrics.js";
+import {
+  getSessionTagsQueryBuilder,
+  getSessionsCountQueryBuilder,
+  getSessionsQueryBuilder,
+  insertSessionsCompactArrays,
+} from "./sessions.js";
 import {
   getGlobalModelMetrics,
   getGlobalModelComparison,
@@ -57,6 +67,7 @@ export type * from "./metrics.js";
 export type * from "./llmMetrics.js";
 export type * from "./llmModelAggregates.js";
 export type * from "./errors.js";
+export type * from "./sessions.js";
 export type * from "./client/queryBuilder.js";
 
 // Re-export column constants, indices, and type-safe accessors
@@ -69,6 +80,8 @@ export {
   getPayloadField,
 } from "./taskRuns.js";
 
+export { SESSION_COLUMNS, SESSION_INDEX, getSessionField } from "./sessions.js";
+
 // TSQL query execution
 export {
   executeTSQL,
@@ -215,8 +228,10 @@ export class ClickHouse {
       queryBuilder: getTaskRunsQueryBuilder(this.reader),
       countQueryBuilder: getTaskRunsCountQueryBuilder(this.reader),
       tagQueryBuilder: getTaskRunTagsQueryBuilder(this.reader),
+      pendingVersionIdsQueryBuilder: getPendingVersionIdsQueryBuilder(this.reader),
       getTaskActivity: getTaskActivityQueryBuilder(this.reader),
       getCurrentRunningStats: getCurrentRunningStats(this.reader),
+      getChildRunStatusCounts: getChildRunStatusCounts(this.reader),
       getAverageDurations: getAverageDurations(this.reader),
       getTaskUsageByOrganization: getTaskUsageByOrganization(this.reader),
     };
@@ -227,6 +242,7 @@ export class ClickHouse {
       insert: insertTaskEvents(this.writer),
       traceSummaryQueryBuilder: getTraceSummaryQueryBuilder(this.reader),
       traceDetailedSummaryQueryBuilder: getTraceDetailedSummaryQueryBuilder(this.reader),
+      traceEventsForExportQueryBuilder: getTraceEventsForExportQueryBuilder(this.reader),
       spanDetailsQueryBuilder: getSpanDetailsQueryBuilder(this.reader),
     };
   }
@@ -251,11 +267,21 @@ export class ClickHouse {
     };
   }
 
+  get sessions() {
+    return {
+      insertCompactArrays: insertSessionsCompactArrays(this.writer),
+      queryBuilder: getSessionsQueryBuilder(this.reader),
+      countQueryBuilder: getSessionsCountQueryBuilder(this.reader),
+      tagQueryBuilder: getSessionTagsQueryBuilder(this.reader),
+    };
+  }
+
   get taskEventsV2() {
     return {
       insert: insertTaskEventsV2(this.writer),
       traceSummaryQueryBuilder: getTraceSummaryQueryBuilderV2(this.reader),
       traceDetailedSummaryQueryBuilder: getTraceDetailedSummaryQueryBuilderV2(this.reader),
+      traceEventsForExportQueryBuilder: getTraceEventsForExportQueryBuilderV2(this.reader),
       spanDetailsQueryBuilder: getSpanDetailsQueryBuilderV2(this.reader),
       logDetailQueryBuilder: getLogDetailQueryBuilderV2(this.reader),
     };
diff --git a/internal-packages/clickhouse/src/sessions.ts b/internal-packages/clickhouse/src/sessions.ts
new file mode 100644
index 00000000000..567fe65511e
--- /dev/null
+++ b/internal-packages/clickhouse/src/sessions.ts
@@ -0,0 +1,184 @@
+import { ClickHouseSettings } from "@clickhouse/client";
+import { z } from "zod";
+import { ClickhouseReader, ClickhouseWriter } from "./client/types.js";
+
+export const SessionV1 = z.object({
+  environment_id: z.string(),
+  organization_id: z.string(),
+  project_id: z.string(),
+  session_id: z.string(),
+  environment_type: z.string(),
+  friendly_id: z.string(),
+  external_id: z.string().default(""),
+  type: z.string(),
+  task_identifier: z.string().default(""),
+  tags: z.array(z.string()).default([]),
+  metadata: z.unknown(),
+  closed_at: z.number().int().nullish(),
+  closed_reason: z.string().default(""),
+  expires_at: z.number().int().nullish(),
+  created_at: z.number().int(),
+  updated_at: z.number().int(),
+  _version: z.string(),
+  _is_deleted: z.number().int().default(0),
+});
+
+export type SessionV1 = z.input<typeof SessionV1>;
+
+// Column order for compact format - must match ClickHouse table schema
+export const SESSION_COLUMNS = [
+  "environment_id",
+  "organization_id",
+  "project_id",
+  "session_id",
+  "environment_type",
+  "friendly_id",
+  "external_id",
+  "type",
+  "task_identifier",
+  "tags",
+  "metadata",
+  "closed_at",
+  "closed_reason",
+  "expires_at",
+  "created_at",
+  "updated_at",
+  "_version",
+  "_is_deleted",
+] as const;
+
+export type SessionColumnName = (typeof SESSION_COLUMNS)[number];
+
+export const SESSION_INDEX = Object.fromEntries(SESSION_COLUMNS.map((col, idx) => [col, idx])) as {
+  readonly [K in SessionColumnName]: number;
+};
+
+export type SessionFieldTypes = {
+  environment_id: string;
+  organization_id: string;
+  project_id: string;
+  session_id: string;
+  environment_type: string;
+  friendly_id: string;
+  external_id: string;
+  type: string;
+  task_identifier: string;
+  tags: string[];
+  metadata: { data: unknown };
+  closed_at: number | null;
+  closed_reason: string;
+  expires_at: number | null;
+  created_at: number;
+  updated_at: number;
+  _version: string;
+  _is_deleted: number;
+};
+
+/**
+ * Type-safe tuple representing a Session insert array.
+ * Order matches {@link SESSION_COLUMNS} exactly.
+ */
+export type SessionInsertArray = [
+  environment_id: string,
+  organization_id: string,
+  project_id: string,
+  session_id: string,
+  environment_type: string,
+  friendly_id: string,
+  external_id: string,
+  type: string,
+  task_identifier: string,
+  tags: string[],
+  metadata: { data: unknown },
+  closed_at: number | null,
+  closed_reason: string,
+  expires_at: number | null,
+  created_at: number,
+  updated_at: number,
+  _version: string,
+  _is_deleted: number,
+];
+
+export function getSessionField<K extends SessionColumnName>(
+  session: SessionInsertArray,
+  field: K
+): SessionFieldTypes[K] {
+  return session[SESSION_INDEX[field]] as SessionFieldTypes[K];
+}
+
+export function insertSessionsCompactArrays(ch: ClickhouseWriter, settings?: ClickHouseSettings) {
+  return ch.insertCompactRaw({
+    name: "insertSessionsCompactArrays",
+    table: "trigger_dev.sessions_v1",
+    columns: SESSION_COLUMNS,
+    settings: {
+      enable_json_type: 1,
+      type_json_skip_duplicated_paths: 1,
+      ...settings,
+    },
+  });
+}
+
+export function insertSessions(ch: ClickhouseWriter, settings?: ClickHouseSettings) {
+  return ch.insert({
+    name: "insertSessions",
+    table: "trigger_dev.sessions_v1",
+    schema: SessionV1,
+    settings: {
+      enable_json_type: 1,
+      type_json_skip_duplicated_paths: 1,
+      ...settings,
+    },
+  });
+}
+
+// ─── read path ───────────────────────────────────────────────────
+
+export const SessionV1QueryResult = z.object({
+  session_id: z.string(),
+});
+
+export type SessionV1QueryResult = z.infer<typeof SessionV1QueryResult>;
+
+/**
+ * Base query builder for listing Sessions. Filters + pagination are composed
+ * on top of this; callers can chain `.where(...).orderBy(...).limit(...)`.
+ */
+export function getSessionsQueryBuilder(ch: ClickhouseReader, settings?: ClickHouseSettings) {
+  return ch.queryBuilder({
+    name: "getSessions",
+    baseQuery: "SELECT session_id FROM trigger_dev.sessions_v1 FINAL",
+    schema: SessionV1QueryResult,
+    settings,
+  });
+}
+
+export function getSessionsCountQueryBuilder(
+  ch: ClickhouseReader,
+  settings?: ClickHouseSettings
+) {
+  return ch.queryBuilder({
+    name: "getSessionsCount",
+    baseQuery: "SELECT count() as count FROM trigger_dev.sessions_v1 FINAL",
+    schema: z.object({ count: z.number().int() }),
+    settings,
+  });
+}
+
+export const SessionTagsQueryResult = z.object({
+  tag: z.string(),
+});
+
+export type SessionTagsQueryResult = z.infer<typeof SessionTagsQueryResult>;
+
+export function getSessionTagsQueryBuilder(
+  ch: ClickhouseReader,
+  settings?: ClickHouseSettings
+) {
+  return ch.queryBuilder({
+    name: "getSessionTags",
+    baseQuery: "SELECT DISTINCT arrayJoin(tags) as tag FROM trigger_dev.sessions_v1",
+    schema: SessionTagsQueryResult,
+    settings,
+  });
+}
diff --git a/internal-packages/clickhouse/src/taskEvents.ts b/internal-packages/clickhouse/src/taskEvents.ts
index cfebd0a248b..e8d4c2bd95f 100644
--- a/internal-packages/clickhouse/src/taskEvents.ts
+++ b/internal-packages/clickhouse/src/taskEvents.ts
@@ -109,6 +109,44 @@ export function getTraceDetailedSummaryQueryBuilder(
   });
 }
 
+// Row shape for streaming a whole trace out for export (the "Download trace"
+// feature). Unlike the detailed-summary builders this keeps the FULL message
+// (not LEFT(message, 256)) since the export is the source of truth, and it's
+// consumed via executeStream() so the trace is never fully materialised.
+export type TaskEventExportRow = {
+  span_id: string;
+  parent_span_id: string;
+  start_time: string;
+  duration: number | string;
+  status: string;
+  kind: string;
+  message: string;
+  attributes_text: string;
+};
+
+const TASK_EVENT_EXPORT_COLUMNS = [
+  "span_id",
+  "parent_span_id",
+  "start_time",
+  "duration",
+  "status",
+  "kind",
+  "message",
+  "attributes_text",
+] as const;
+
+export function getTraceEventsForExportQueryBuilder(
+  ch: ClickhouseReader,
+  settings?: ClickHouseSettings
+) {
+  return ch.queryBuilderFast<TaskEventExportRow>({
+    name: "getTraceEventsForExport",
+    table: "trigger_dev.task_events_v1",
+    columns: [...TASK_EVENT_EXPORT_COLUMNS],
+    settings,
+  });
+}
+
 export const TaskEventDetailsV1Result = z.object({
   span_id: z.string(),
   parent_span_id: z.string(),
@@ -233,6 +271,18 @@ export function getSpanDetailsQueryBuilderV2(
   });
 }
 
+export function getTraceEventsForExportQueryBuilderV2(
+  ch: ClickhouseReader,
+  settings?: ClickHouseSettings
+) {
+  return ch.queryBuilderFast<TaskEventExportRow>({
+    name: "getTraceEventsForExportV2",
+    table: "trigger_dev.task_events_v2",
+    columns: [...TASK_EVENT_EXPORT_COLUMNS],
+    settings,
+  });
+}
+
 
 // ============================================================================
 // Search Table Query Builders (for logs page, using task_events_search_v1)
diff --git a/internal-packages/clickhouse/src/taskRuns.test.ts b/internal-packages/clickhouse/src/taskRuns.test.ts
index 8bd403f14f0..76c2267b073 100644
--- a/internal-packages/clickhouse/src/taskRuns.test.ts
+++ b/internal-packages/clickhouse/src/taskRuns.test.ts
@@ -2,6 +2,8 @@ import { clickhouseTest } from "@internal/testcontainers";
 import { z } from "zod";
 import { ClickhouseClient } from "./client/client.js";
 import {
+  TASK_RUN_INDEX,
+  getChildRunStatusCounts,
   getTaskRunsQueryBuilder,
   insertRawTaskRunPayloadsCompactArrays,
   insertTaskRunsCompactArrays,
@@ -84,6 +86,7 @@ describe("Task Runs V2", () => {
       null, // max_duration_in_seconds
       "", // trigger_source
       "", // root_trigger_source
+      "", // task_kind
       null, // is_warm_start
     ];
 
@@ -215,6 +218,7 @@ describe("Task Runs V2", () => {
       null, // max_duration_in_seconds
       "", // trigger_source
       "", // root_trigger_source
+      "", // task_kind
       null, // is_warm_start
     ];
 
@@ -269,6 +273,7 @@ describe("Task Runs V2", () => {
       null, // max_duration_in_seconds
       "", // trigger_source
       "", // root_trigger_source
+      "", // task_kind
       null, // is_warm_start
     ];
 
@@ -370,6 +375,7 @@ describe("Task Runs V2", () => {
         null, // max_duration_in_seconds
         "", // trigger_source
         "", // root_trigger_source
+        "", // task_kind
         null, // is_warm_start
       ];
 
@@ -412,6 +418,311 @@ describe("Task Runs V2", () => {
     }
   );
 
+  clickhouseTest(
+    "should aggregate child status counts with FINAL and ignore deleted rows",
+    async ({ clickhouseContainer }) => {
+      const client = new ClickhouseClient({
+        name: "test",
+        url: clickhouseContainer.getConnectionUrl(),
+      });
+
+      const insert = insertTaskRunsCompactArrays(client, {
+        async_insert: 0, // turn off async insert for this test
+      });
+
+      const baseCreatedAt = new Date("2025-05-01T12:00:00.000Z").getTime();
+      const oldCreatedAt = new Date("2025-04-15T12:00:00.000Z").getTime();
+      const since = baseCreatedAt - 60_000;
+
+      const rootRun: TaskRunInsertArray = [
+        "env_agg", // environment_id
+        "org_agg", // organization_id
+        "project_agg", // project_id
+        "root_run_1", // run_id
+        baseCreatedAt, // updated_at
+        baseCreatedAt, // created_at
+        "EXECUTING", // status
+        "DEVELOPMENT", // environment_type
+        "run_root_1", // friendly_id
+        1, // attempt
+        "V2", // engine
+        "root-task", // task_identifier
+        "task/root-task", // queue
+        "", // schedule_id
+        "", // batch_id
+        null, // completed_at
+        baseCreatedAt, // started_at
+        null, // executed_at
+        null, // delay_until
+        baseCreatedAt, // queued_at
+        null, // expired_at
+        0, // usage_duration_ms
+        0, // cost_in_cents
+        0, // base_cost_in_cents
+        { data: null }, // output
+        { data: null }, // error
+        "", // error_fingerprint
+        [], // tags
+        "", // task_version
+        "", // sdk_version
+        "", // cli_version
+        "", // machine_preset
+        "", // root_run_id
+        "", // parent_run_id
+        0, // depth
+        "span_root", // span_id
+        "trace_root", // trace_id
+        "", // idempotency_key
+        "", // idempotency_key_user
+        "", // idempotency_key_scope
+        "", // expiration_ttl
+        true, // is_test
+        "1", // _version
+        0, // _is_deleted
+        "", // concurrency_key
+        [], // bulk_action_group_ids
+        "", // worker_queue
+        null, // max_duration_in_seconds
+        "", // trigger_source
+        "", // root_trigger_source
+        "", // task_kind
+        null, // is_warm_start
+      ];
+
+      const childA_v1: TaskRunInsertArray = [
+        "env_agg",
+        "org_agg",
+        "project_agg",
+        "child_a",
+        baseCreatedAt + 1_000,
+        baseCreatedAt + 1_000,
+        "PENDING",
+        "DEVELOPMENT",
+        "run_child_a",
+        1,
+        "V2",
+        "child-task",
+        "task/child-task",
+        "",
+        "",
+        null,
+        null,
+        null,
+        null,
+        baseCreatedAt + 1_000,
+        null,
+        0,
+        0,
+        0,
+        { data: null },
+        { data: null },
+        "",
+        [],
+        "",
+        "",
+        "",
+        "",
+        "root_run_1",
+        "root_run_1",
+        1,
+        "span_child_a",
+        "trace_root",
+        "",
+        "",
+        "",
+        "",
+        true,
+        "1",
+        0,
+        "",
+        [],
+        "",
+        null,
+        "",
+        "",
+        "",
+        null,
+      ];
+
+      const childA_v2: TaskRunInsertArray = [
+        ...childA_v1,
+      ];
+      childA_v2[TASK_RUN_INDEX.status] = "COMPLETED_SUCCESSFULLY";
+      childA_v2[TASK_RUN_INDEX._version] = "2";
+
+      const childB: TaskRunInsertArray = [
+        "env_agg",
+        "org_agg",
+        "project_agg",
+        "child_b",
+        baseCreatedAt + 2_000,
+        baseCreatedAt + 2_000,
+        "EXECUTING",
+        "DEVELOPMENT",
+        "run_child_b",
+        1,
+        "V2",
+        "child-task",
+        "task/child-task",
+        "",
+        "",
+        null,
+        baseCreatedAt + 2_000,
+        null,
+        null,
+        baseCreatedAt + 2_000,
+        null,
+        0,
+        0,
+        0,
+        { data: null },
+        { data: null },
+        "",
+        [],
+        "",
+        "",
+        "",
+        "",
+        "root_run_1",
+        "root_run_1",
+        1,
+        "span_child_b",
+        "trace_root",
+        "",
+        "",
+        "",
+        "",
+        true,
+        "1",
+        0,
+        "",
+        [],
+        "",
+        null,
+        "",
+        "",
+        "",
+        null,
+      ];
+
+      const childDeleted_v1: TaskRunInsertArray = [
+        "env_agg",
+        "org_agg",
+        "project_agg",
+        "child_deleted",
+        baseCreatedAt + 3_000,
+        baseCreatedAt + 3_000,
+        "PENDING",
+        "DEVELOPMENT",
+        "run_child_deleted",
+        1,
+        "V2",
+        "child-task",
+        "task/child-task",
+        "",
+        "",
+        null,
+        null,
+        null,
+        null,
+        baseCreatedAt + 3_000,
+        null,
+        0,
+        0,
+        0,
+        { data: null },
+        { data: null },
+        "",
+        [],
+        "",
+        "",
+        "",
+        "",
+        "root_run_1",
+        "root_run_1",
+        1,
+        "span_child_deleted",
+        "trace_root",
+        "",
+        "",
+        "",
+        "",
+        true,
+        "1",
+        0,
+        "",
+        [],
+        "",
+        null,
+        "",
+        "",
+        "",
+        null,
+      ];
+
+      const childDeleted_v2: TaskRunInsertArray = [
+        ...childDeleted_v1,
+      ];
+      childDeleted_v2[TASK_RUN_INDEX._version] = "2";
+      childDeleted_v2[TASK_RUN_INDEX._is_deleted] = 1;
+
+      const childWrongRoot: TaskRunInsertArray = [
+        ...childB,
+      ];
+      childWrongRoot[TASK_RUN_INDEX.run_id] = "child_wrong_root";
+      childWrongRoot[TASK_RUN_INDEX.friendly_id] = "run_child_wrong_root";
+      childWrongRoot[TASK_RUN_INDEX.root_run_id] = "other_root";
+      childWrongRoot[TASK_RUN_INDEX.parent_run_id] = "other_root";
+      childWrongRoot[TASK_RUN_INDEX.span_id] = "span_child_wrong_root";
+
+      const childOld: TaskRunInsertArray = [
+        ...childB,
+      ];
+      childOld[TASK_RUN_INDEX.run_id] = "child_old";
+      childOld[TASK_RUN_INDEX.created_at] = oldCreatedAt;
+      childOld[TASK_RUN_INDEX.updated_at] = oldCreatedAt;
+      childOld[TASK_RUN_INDEX.started_at] = oldCreatedAt;
+      childOld[TASK_RUN_INDEX.queued_at] = oldCreatedAt;
+      childOld[TASK_RUN_INDEX.friendly_id] = "run_child_old";
+      childOld[TASK_RUN_INDEX.span_id] = "span_child_old";
+
+      const [insertError] = await insert([
+        rootRun,
+        childA_v1,
+        childA_v2,
+        childB,
+        childDeleted_v1,
+        childDeleted_v2,
+        childWrongRoot,
+        childOld,
+      ]);
+
+      expect(insertError).toBeNull();
+
+      const [queryError, result] = await getChildRunStatusCounts(client)({
+        organizationId: "org_agg",
+        projectId: "project_agg",
+        environmentId: "env_agg",
+        rootRunIds: ["root_run_1"],
+        since,
+      });
+
+      expect(queryError).toBeNull();
+      expect(result).toEqual([
+        {
+          root_run_id: "root_run_1",
+          status: "COMPLETED_SUCCESSFULLY",
+          count: 1,
+        },
+        {
+          root_run_id: "root_run_1",
+          status: "EXECUTING",
+          count: 1,
+        },
+      ]);
+    }
+  );
+
   clickhouseTest(
     "should be able to insert payloads with a duplicate path",
     async ({ clickhouseContainer }) => {
diff --git a/internal-packages/clickhouse/src/taskRuns.ts b/internal-packages/clickhouse/src/taskRuns.ts
index 6a9f66d7844..2201f4baf6e 100644
--- a/internal-packages/clickhouse/src/taskRuns.ts
+++ b/internal-packages/clickhouse/src/taskRuns.ts
@@ -51,6 +51,7 @@ export const TaskRunV2 = z.object({
   max_duration_in_seconds: z.number().int().nullish(),
   trigger_source: z.string().default(""),
   root_trigger_source: z.string().default(""),
+  task_kind: z.string().default(""),
   is_warm_start: z.boolean().nullish(),
   _version: z.string(),
   _is_deleted: z.number().int().default(0),
@@ -110,6 +111,7 @@ export const TASK_RUN_COLUMNS = [
   "max_duration_in_seconds",
   "trigger_source",
   "root_trigger_source",
+  "task_kind",
   "is_warm_start",
 ] as const;
 
@@ -176,6 +178,7 @@ export type TaskRunFieldTypes = {
   max_duration_in_seconds: number | null;
   trigger_source: string;
   root_trigger_source: string;
+  task_kind: string;
   is_warm_start: boolean | null;
 };
 
@@ -313,6 +316,7 @@ export type TaskRunInsertArray = [
   max_duration_in_seconds: number | null,
   trigger_source: string,
   root_trigger_source: string,
+  task_kind: string,
   is_warm_start: boolean | null,
 ];
 
@@ -366,10 +370,43 @@ export const TaskRunV2QueryResult = z.object({
 
 export type TaskRunV2QueryResult = z.infer<typeof TaskRunV2QueryResult>;
 
+// Adds the created_at timestamp (ms since epoch) needed to build composite
+// keyset cursors over (created_at, run_id) — see runsRepository.server.ts.
+// Returned as a JSON number because the client sets
+// output_format_json_quote_64bit_integers: 0. Kept separate from
+// TaskRunV2QueryResult so run_id-only consumers (e.g. the pending-version
+// lookup) aren't forced to select a column they don't need.
+export const TaskRunListQueryResult = z.object({
+  run_id: z.string(),
+  created_at_ms: z.number().int(),
+});
+
+export type TaskRunListQueryResult = z.infer<typeof TaskRunListQueryResult>;
+
 export function getTaskRunsQueryBuilder(ch: ClickhouseReader, settings?: ClickHouseSettings) {
   return ch.queryBuilder({
     name: "getTaskRuns",
-    baseQuery: "SELECT run_id FROM trigger_dev.task_runs_v2 FINAL",
+    baseQuery:
+      "SELECT run_id, toUnixTimestamp64Milli(created_at) AS created_at_ms FROM trigger_dev.task_runs_v2 FINAL",
+    schema: TaskRunListQueryResult,
+    settings,
+  });
+}
+
+/**
+ * Lookup builder for the run-engine `PendingVersionSystem`. Returns just
+ * `run_id` from `task_runs_v2`. No `FINAL` — the run-engine re-validates
+ * each candidate against Postgres by primary key, so a stale
+ * `PENDING_VERSION` row from a not-yet-merged part is harmless and
+ * `FINAL` would be too expensive for this hot path.
+ */
+export function getPendingVersionIdsQueryBuilder(
+  ch: ClickhouseReader,
+  settings?: ClickHouseSettings
+) {
+  return ch.queryBuilder({
+    name: "getPendingVersionIds",
+    baseQuery: "SELECT run_id FROM trigger_dev.task_runs_v2",
     schema: TaskRunV2QueryResult,
     settings,
   });
@@ -491,6 +528,51 @@ export function getCurrentRunningStats(ch: ClickhouseReader, settings?: ClickHou
   });
 }
 
+export const ChildRunStatusCountsQueryResult = z.object({
+  root_run_id: z.string(),
+  status: z.string(),
+  count: z.number().int(),
+});
+
+export type ChildRunStatusCountsQueryResult = z.infer<typeof ChildRunStatusCountsQueryResult>;
+
+export const ChildRunStatusCountsQueryParams = z.object({
+  organizationId: z.string(),
+  projectId: z.string(),
+  environmentId: z.string(),
+  rootRunIds: z.array(z.string()).min(1),
+  since: z.number().int(),
+});
+
+export function getChildRunStatusCounts(ch: ClickhouseReader, settings?: ClickHouseSettings) {
+  return ch.query({
+    name: "getChildRunStatusCounts",
+    query: `
+    SELECT
+        root_run_id,
+        status,
+        count() as count
+    FROM trigger_dev.task_runs_v2 FINAL
+    WHERE
+        organization_id = {organizationId: String}
+        AND project_id = {projectId: String}
+        AND environment_id = {environmentId: String}
+        AND root_run_id IN {rootRunIds: Array(String)}
+        AND created_at >= fromUnixTimestamp64Milli({since: Int64})
+        AND _is_deleted = 0
+    GROUP BY
+        root_run_id,
+        status
+    ORDER BY
+        root_run_id ASC,
+        status ASC
+    `,
+    schema: ChildRunStatusCountsQueryResult,
+    params: ChildRunStatusCountsQueryParams,
+    settings,
+  });
+}
+
 export const AverageDurationsQueryResult = z.object({
   task_identifier: z.string(),
   duration: z.number(),
diff --git a/internal-packages/clickhouse/vitest.config.ts b/internal-packages/clickhouse/vitest.config.ts
index 1d779c09577..26c9ecebf11 100644
--- a/internal-packages/clickhouse/vitest.config.ts
+++ b/internal-packages/clickhouse/vitest.config.ts
@@ -1,16 +1,13 @@
 import { defineConfig } from "vitest/config";
+import { DurationShardingSequencer } from "@internal/testcontainers/sequencer";
 
 export default defineConfig({
   test: {
+    sequence: { sequencer: DurationShardingSequencer },
     include: ["**/*.test.ts"],
     globals: true,
     isolate: true,
     fileParallelism: false,
-    poolOptions: {
-      threads: {
-        singleThread: true,
-      },
-    },
     testTimeout: 60_000,
     coverage: {
       provider: "v8",
diff --git a/internal-packages/compute/src/client.ts b/internal-packages/compute/src/client.ts
index 4f627bd2830..d6215678b53 100644
--- a/internal-packages/compute/src/client.ts
+++ b/internal-packages/compute/src/client.ts
@@ -1,5 +1,6 @@
 import type {
   TemplateCreateRequest,
+  TemplateCreateResponse,
   InstanceCreateRequest,
   InstanceCreateResponse,
   InstanceSnapshotRequest,
@@ -10,6 +11,13 @@ export type ComputeClientOptions = {
   gatewayUrl: string;
   authToken?: string;
   timeoutMs: number;
+  /**
+   * Called once per outbound request to collect cross-service correlation
+   * headers (e.g. `traceparent`, `x-request-id`) from the caller's current
+   * scope. The returned record is merged onto the outbound headers. Return
+   * `{}` (or omit the option) to skip propagation.
+   */
+  getPropagationHeaders?: () => Record<string, string>;
 };
 
 export class ComputeClient {
@@ -39,6 +47,14 @@ class HttpTransport {
     if (this.opts.authToken) {
       h["Authorization"] = `Bearer ${this.opts.authToken}`;
     }
+    const propagation = this.opts.getPropagationHeaders?.();
+    if (propagation) {
+      for (const [key, value] of Object.entries(propagation)) {
+        if (value) {
+          h[key] = value;
+        }
+      }
+    }
     return h;
   }
 
@@ -106,8 +122,10 @@ class TemplatesNamespace {
   async create(
     req: TemplateCreateRequest,
     options?: RequestOptions
-  ): Promise<void> {
-    await this.http.post("/api/templates", req, options);
+  ): Promise<TemplateCreateResponse | undefined> {
+    // Background mode returns 202 with no body; sync/callback mode returns
+    // the full result. Caller decides whether to inspect.
+    return this.http.post<TemplateCreateResponse>("/api/templates", req, options);
   }
 }
 
diff --git a/internal-packages/compute/src/index.ts b/internal-packages/compute/src/index.ts
index 1cec45e6484..573e7348c8e 100644
--- a/internal-packages/compute/src/index.ts
+++ b/internal-packages/compute/src/index.ts
@@ -2,8 +2,10 @@ export { ComputeClient, ComputeClientError } from "./client.js";
 export type { ComputeClientOptions } from "./client.js";
 export { stripImageDigest } from "./imageRef.js";
 export {
+  MachineConfigSchema,
   TemplateCreateRequestSchema,
-  TemplateCallbackPayloadSchema,
+  TemplateCreateResultEntrySchema,
+  TemplateCreateResponseSchema,
   InstanceCreateRequestSchema,
   InstanceCreateResponseSchema,
   InstanceSnapshotRequestSchema,
@@ -11,8 +13,10 @@ export {
   SnapshotCallbackPayloadSchema,
 } from "./types.js";
 export type {
+  MachineConfig,
   TemplateCreateRequest,
-  TemplateCallbackPayload,
+  TemplateCreateResultEntry,
+  TemplateCreateResponse,
   InstanceCreateRequest,
   InstanceCreateResponse,
   InstanceSnapshotRequest,
diff --git a/internal-packages/compute/src/types.ts b/internal-packages/compute/src/types.ts
index a2aa4c97608..5d8d5e26af9 100644
--- a/internal-packages/compute/src/types.ts
+++ b/internal-packages/compute/src/types.ts
@@ -2,10 +2,15 @@ import { z } from "zod";
 
 // ── Templates ────────────────────────────────────────────────────────────────
 
-export const TemplateCreateRequestSchema = z.object({
-  image: z.string(),
+export const MachineConfigSchema = z.object({
   cpu: z.number(),
   memory_gb: z.number(),
+});
+export type MachineConfig = z.infer<typeof MachineConfigSchema>;
+
+export const TemplateCreateRequestSchema = z.object({
+  image: z.string(),
+  machine_configs: z.array(MachineConfigSchema),
   background: z.boolean().optional(),
   callback: z
     .object({
@@ -16,15 +21,17 @@ export const TemplateCreateRequestSchema = z.object({
 });
 export type TemplateCreateRequest = z.infer<typeof TemplateCreateRequestSchema>;
 
-export const TemplateCallbackPayloadSchema = z.object({
-  template_id: z.string().optional(),
-  image: z.string(),
-  status: z.enum(["completed", "failed"]),
+export const TemplateCreateResultEntrySchema = z.object({
+  machine_config: MachineConfigSchema,
+  error: z.string().optional(),
+});
+export type TemplateCreateResultEntry = z.infer<typeof TemplateCreateResultEntrySchema>;
+
+export const TemplateCreateResponseSchema = z.object({
+  results: z.array(TemplateCreateResultEntrySchema),
   error: z.string().optional(),
-  metadata: z.record(z.string()).optional(),
-  duration_ms: z.number().optional(),
 });
-export type TemplateCallbackPayload = z.infer<typeof TemplateCallbackPayloadSchema>;
+export type TemplateCreateResponse = z.infer<typeof TemplateCreateResponseSchema>;
 
 // ── Instances ────────────────────────────────────────────────────────────────
 
@@ -35,6 +42,10 @@ export const InstanceCreateRequestSchema = z.object({
   cpu: z.number(),
   memory_gb: z.number(),
   metadata: z.record(z.unknown()).optional(),
+  // Per-instance identity labels; the provider promotes a configured subset
+  // to network-policy selection. Distinct from metadata, which is
+  // observability-only and never selected on.
+  labels: z.record(z.string()).optional(),
 });
 export type InstanceCreateRequest = z.infer<typeof InstanceCreateRequestSchema>;
 
@@ -59,6 +70,10 @@ export const SnapshotRestoreRequestSchema = z.object({
   metadata: z.record(z.string()),
   cpu: z.number(),
   memory_gb: z.number(),
+  // Per-instance identity labels; the caller must resupply the same set as on
+  // create. The provider doesn't persist them across a snapshot, so omitting
+  // them drops the restored run's policy-based network selection.
+  labels: z.record(z.string()).optional(),
 });
 export type SnapshotRestoreRequest = z.infer<typeof SnapshotRestoreRequestSchema>;
 
diff --git a/internal-packages/database/package.json b/internal-packages/database/package.json
index cd9b40db95d..b8e530908e2 100644
--- a/internal-packages/database/package.json
+++ b/internal-packages/database/package.json
@@ -6,11 +6,11 @@
   "types": "./dist/index.d.ts",
   "dependencies": {
     "@prisma/client": "6.14.0",
-    "decimal.js": "^10.6.0"
+    "decimal.js": "^10.6.0",
+    "prisma": "6.14.0"
   },
   "devDependencies": {
     "@types/decimal.js": "^7.4.3",
-    "prisma": "6.14.0",
     "rimraf": "6.0.1"
   },
   "scripts": {
diff --git a/internal-packages/database/prisma/migrations/20260329100903_add_agent_trigger_source_and_task_config/migration.sql b/internal-packages/database/prisma/migrations/20260329100903_add_agent_trigger_source_and_task_config/migration.sql
new file mode 100644
index 00000000000..29233ab2740
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260329100903_add_agent_trigger_source_and_task_config/migration.sql
@@ -0,0 +1,5 @@
+-- AlterEnum
+ALTER TYPE "public"."TaskTriggerSource" ADD VALUE 'AGENT';
+
+-- AlterTable
+ALTER TABLE "public"."BackgroundWorkerTask" ADD COLUMN "config" JSONB;
diff --git a/internal-packages/database/prisma/migrations/20260330113734_add_playground_conversation/migration.sql b/internal-packages/database/prisma/migrations/20260330113734_add_playground_conversation/migration.sql
new file mode 100644
index 00000000000..7d061a51395
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260330113734_add_playground_conversation/migration.sql
@@ -0,0 +1,34 @@
+-- CreateTable
+CREATE TABLE "public"."PlaygroundConversation" (
+    "id" TEXT NOT NULL,
+    "chatId" TEXT NOT NULL,
+    "title" TEXT NOT NULL DEFAULT 'New conversation',
+    "agentSlug" TEXT NOT NULL,
+    "runId" TEXT,
+    "clientData" JSONB,
+    "projectId" TEXT NOT NULL,
+    "runtimeEnvironmentId" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "PlaygroundConversation_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE INDEX "PlaygroundConversation_runtimeEnvironmentId_agentSlug_updat_idx" ON "public"."PlaygroundConversation"("runtimeEnvironmentId", "agentSlug", "updatedAt" DESC);
+
+-- CreateIndex
+CREATE INDEX "PlaygroundConversation_userId_runtimeEnvironmentId_idx" ON "public"."PlaygroundConversation"("userId", "runtimeEnvironmentId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "PlaygroundConversation_chatId_runtimeEnvironmentId_key" ON "public"."PlaygroundConversation"("chatId", "runtimeEnvironmentId");
+
+-- AddForeignKey
+ALTER TABLE "public"."PlaygroundConversation" ADD CONSTRAINT "PlaygroundConversation_runId_fkey" FOREIGN KEY ("runId") REFERENCES "public"."TaskRun"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."PlaygroundConversation" ADD CONSTRAINT "PlaygroundConversation_projectId_fkey" FOREIGN KEY ("projectId") REFERENCES "public"."Project"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."PlaygroundConversation" ADD CONSTRAINT "PlaygroundConversation_runtimeEnvironmentId_fkey" FOREIGN KEY ("runtimeEnvironmentId") REFERENCES "public"."RuntimeEnvironment"("id") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/internal-packages/database/prisma/migrations/20260330135232_add_messages_and_last_event_id_to_playground/migration.sql b/internal-packages/database/prisma/migrations/20260330135232_add_messages_and_last_event_id_to_playground/migration.sql
new file mode 100644
index 00000000000..0793d411c38
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260330135232_add_messages_and_last_event_id_to_playground/migration.sql
@@ -0,0 +1,3 @@
+-- AlterTable
+ALTER TABLE "public"."PlaygroundConversation" ADD COLUMN "lastEventId" TEXT,
+ADD COLUMN "messages" JSONB;
diff --git a/internal-packages/database/prisma/migrations/20260331212308_add_organization_data_stores/migration.sql b/internal-packages/database/prisma/migrations/20260331212308_add_organization_data_stores/migration.sql
new file mode 100644
index 00000000000..52b8385539a
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260331212308_add_organization_data_stores/migration.sql
@@ -0,0 +1,21 @@
+-- CreateEnum
+CREATE TYPE "public"."DataStoreKind" AS ENUM ('CLICKHOUSE');
+
+-- CreateTable
+CREATE TABLE "public"."OrganizationDataStore" (
+    "id" TEXT NOT NULL,
+    "key" TEXT NOT NULL,
+    "organizationIds" TEXT[],
+    "kind" "public"."DataStoreKind" NOT NULL,
+    "config" JSONB NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "OrganizationDataStore_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "OrganizationDataStore_key_key" ON "public"."OrganizationDataStore"("key");
+
+-- CreateIndex
+CREATE INDEX "OrganizationDataStore_kind_idx" ON "public"."OrganizationDataStore"("kind");
diff --git a/internal-packages/database/prisma/migrations/20260413000000_add_bwt_covering_index/migration.sql b/internal-packages/database/prisma/migrations/20260413000000_add_bwt_covering_index/migration.sql
new file mode 100644
index 00000000000..6e95c900b34
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260413000000_add_bwt_covering_index/migration.sql
@@ -0,0 +1,2 @@
+CREATE INDEX CONCURRENTLY IF NOT EXISTS "BackgroundWorkerTask_runtimeEnvironmentId_slug_triggerSource_idx"
+  ON "BackgroundWorkerTask"("runtimeEnvironmentId", slug, "triggerSource");
diff --git a/internal-packages/database/prisma/migrations/20260413000001_add_task_identifier_table/migration.sql b/internal-packages/database/prisma/migrations/20260413000001_add_task_identifier_table/migration.sql
new file mode 100644
index 00000000000..488b3291d30
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260413000001_add_task_identifier_table/migration.sql
@@ -0,0 +1,40 @@
+-- CreateTable
+CREATE TABLE "TaskIdentifier" (
+    "id" TEXT NOT NULL,
+    "runtimeEnvironmentId" TEXT NOT NULL,
+    "projectId" TEXT NOT NULL,
+    "slug" TEXT NOT NULL,
+    "currentTriggerSource" "TaskTriggerSource" NOT NULL DEFAULT 'STANDARD',
+    "currentWorkerId" TEXT,
+    "firstSeenAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "lastSeenAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "isInLatestDeployment" BOOLEAN NOT NULL DEFAULT true,
+
+    CONSTRAINT "TaskIdentifier_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "TaskIdentifier_runtimeEnvironmentId_slug_key"
+    ON "TaskIdentifier"("runtimeEnvironmentId", "slug");
+
+-- CreateIndex
+CREATE INDEX "TaskIdentifier_runtimeEnvironmentId_isInLatestDeployment_idx"
+    ON "TaskIdentifier"("runtimeEnvironmentId", "isInLatestDeployment");
+
+-- AddForeignKey
+ALTER TABLE "TaskIdentifier"
+    ADD CONSTRAINT "TaskIdentifier_runtimeEnvironmentId_fkey"
+    FOREIGN KEY ("runtimeEnvironmentId") REFERENCES "RuntimeEnvironment"("id")
+    ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "TaskIdentifier"
+    ADD CONSTRAINT "TaskIdentifier_projectId_fkey"
+    FOREIGN KEY ("projectId") REFERENCES "Project"("id")
+    ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "TaskIdentifier"
+    ADD CONSTRAINT "TaskIdentifier_currentWorkerId_fkey"
+    FOREIGN KEY ("currentWorkerId") REFERENCES "BackgroundWorker"("id")
+    ON DELETE SET NULL ON UPDATE CASCADE;
diff --git a/internal-packages/database/prisma/migrations/20260417080903_increase_default_maximum_project_count/migration.sql b/internal-packages/database/prisma/migrations/20260417080903_increase_default_maximum_project_count/migration.sql
new file mode 100644
index 00000000000..e233291942e
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260417080903_increase_default_maximum_project_count/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "public"."Organization" ALTER COLUMN "maximumProjectCount" SET DEFAULT 25;
diff --git a/internal-packages/database/prisma/migrations/20260419000000_add_sessions_table/migration.sql b/internal-packages/database/prisma/migrations/20260419000000_add_sessions_table/migration.sql
new file mode 100644
index 00000000000..4cd7e543223
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260419000000_add_sessions_table/migration.sql
@@ -0,0 +1,33 @@
+-- CreateTable
+CREATE TABLE "Session" (
+    "id" TEXT NOT NULL,
+    "friendlyId" TEXT NOT NULL,
+    "externalId" TEXT,
+    "type" TEXT NOT NULL,
+    "projectId" TEXT NOT NULL,
+    "runtimeEnvironmentId" TEXT NOT NULL,
+    "environmentType" "RuntimeEnvironmentType" NOT NULL,
+    "organizationId" TEXT NOT NULL,
+    "taskIdentifier" TEXT,
+    "tags" TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[],
+    "metadata" JSONB,
+    "closedAt" TIMESTAMP(3),
+    "closedReason" TEXT,
+    "expiresAt" TIMESTAMP(3),
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "Session_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Session_friendlyId_key"
+    ON "Session"("friendlyId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Session_runtimeEnvironmentId_externalId_key"
+    ON "Session"("runtimeEnvironmentId", "externalId");
+
+-- CreateIndex
+CREATE INDEX "Session_expiresAt_idx"
+    ON "Session"("expiresAt");
diff --git a/internal-packages/database/prisma/migrations/20260420000000_add_revoked_api_key_table/migration.sql b/internal-packages/database/prisma/migrations/20260420000000_add_revoked_api_key_table/migration.sql
new file mode 100644
index 00000000000..f3a2ffa199f
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260420000000_add_revoked_api_key_table/migration.sql
@@ -0,0 +1,24 @@
+-- CreateTable
+CREATE TABLE "RevokedApiKey" (
+    "id" TEXT NOT NULL,
+    "apiKey" TEXT NOT NULL,
+    "runtimeEnvironmentId" TEXT NOT NULL,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "RevokedApiKey_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE INDEX "RevokedApiKey_apiKey_idx"
+    ON "RevokedApiKey"("apiKey");
+
+-- CreateIndex
+CREATE INDEX "RevokedApiKey_runtimeEnvironmentId_idx"
+    ON "RevokedApiKey"("runtimeEnvironmentId");
+
+-- AddForeignKey
+ALTER TABLE "RevokedApiKey"
+    ADD CONSTRAINT "RevokedApiKey_runtimeEnvironmentId_fkey"
+    FOREIGN KEY ("runtimeEnvironmentId") REFERENCES "RuntimeEnvironment"("id")
+    ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/internal-packages/database/prisma/migrations/20260426190818_sessions_as_run_manager/migration.sql b/internal-packages/database/prisma/migrations/20260426190818_sessions_as_run_manager/migration.sql
new file mode 100644
index 00000000000..a0f12496781
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260426190818_sessions_as_run_manager/migration.sql
@@ -0,0 +1,31 @@
+-- AlterTable
+ALTER TABLE "Session"
+    ADD COLUMN "currentRunId"      TEXT,
+    ADD COLUMN "currentRunVersion" INTEGER NOT NULL DEFAULT 0,
+    ADD COLUMN "triggerConfig"     JSONB NOT NULL,
+    ALTER COLUMN "taskIdentifier" SET NOT NULL;
+
+-- CreateTable
+CREATE TABLE "SessionRun" (
+    "id"          TEXT NOT NULL,
+    "sessionId"   TEXT NOT NULL,
+    "runId"       TEXT NOT NULL,
+    "reason"      TEXT NOT NULL,
+    "triggeredAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "SessionRun_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "SessionRun_runId_key"
+    ON "SessionRun"("runId");
+
+-- CreateIndex
+CREATE INDEX "SessionRun_sessionId_idx"
+    ON "SessionRun"("sessionId");
+
+-- AddForeignKey
+ALTER TABLE "SessionRun"
+    ADD CONSTRAINT "SessionRun_sessionId_fkey"
+    FOREIGN KEY ("sessionId") REFERENCES "Session"("id")
+    ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/internal-packages/database/prisma/migrations/20260426190819_session_current_run_id_index/migration.sql b/internal-packages/database/prisma/migrations/20260426190819_session_current_run_id_index/migration.sql
new file mode 100644
index 00000000000..479353a3e04
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260426190819_session_current_run_id_index/migration.sql
@@ -0,0 +1,3 @@
+-- CreateIndex
+CREATE INDEX CONCURRENTLY IF NOT EXISTS "Session_currentRunId_idx"
+    ON "Session"("currentRunId");
diff --git a/internal-packages/database/prisma/migrations/20260428140746_add_session_duration_columns/migration.sql b/internal-packages/database/prisma/migrations/20260428140746_add_session_duration_columns/migration.sql
new file mode 100644
index 00000000000..f63a5d6d244
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260428140746_add_session_duration_columns/migration.sql
@@ -0,0 +1,5 @@
+-- AlterTable
+ALTER TABLE "public"."User" ADD COLUMN "sessionDuration" INTEGER NOT NULL DEFAULT 31556952;
+
+-- AlterTable
+ALTER TABLE "public"."Organization" ADD COLUMN "maxSessionDuration" INTEGER;
diff --git a/internal-packages/database/prisma/migrations/20260430140000_add_rbac_role_id_to_org_member_invite/migration.sql b/internal-packages/database/prisma/migrations/20260430140000_add_rbac_role_id_to_org_member_invite/migration.sql
new file mode 100644
index 00000000000..d7cdc1a0c0b
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260430140000_add_rbac_role_id_to_org_member_invite/migration.sql
@@ -0,0 +1,5 @@
+-- TRI-8892: optional RBAC role assignment carried on the invite. When
+-- set, the accept-invite flow calls the loaded RBAC plugin's
+-- setUserRole(rbacRoleId) after the OrgMember insert; otherwise the
+-- runtime fallback derives the role from the legacy `role` column.
+ALTER TABLE "OrgMemberInvite" ADD COLUMN IF NOT EXISTS "rbacRoleId" TEXT;
diff --git a/internal-packages/database/prisma/migrations/20260503104935_add_user_next_session_end/migration.sql b/internal-packages/database/prisma/migrations/20260503104935_add_user_next_session_end/migration.sql
new file mode 100644
index 00000000000..afcb2b557db
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260503104935_add_user_next_session_end/migration.sql
@@ -0,0 +1,7 @@
+-- AlterTable
+-- Nullable column with no default → metadata-only change in PostgreSQL, no
+-- row rewrite. Existing users get `nextSessionEnd` populated lazily on
+-- their first authenticated request after deploy (see `getUser` in
+-- `apps/webapp/app/services/session.server.ts`), or eagerly on next login
+-- via `commitAuthenticatedSession`.
+ALTER TABLE "public"."User" ADD COLUMN "nextSessionEnd" TIMESTAMP(3);
diff --git a/internal-packages/database/prisma/migrations/20260504071227_add_stream_basin_name/migration.sql b/internal-packages/database/prisma/migrations/20260504071227_add_stream_basin_name/migration.sql
new file mode 100644
index 00000000000..c346d499e76
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260504071227_add_stream_basin_name/migration.sql
@@ -0,0 +1,8 @@
+-- AlterTable
+ALTER TABLE "public"."Organization" ADD COLUMN IF NOT EXISTS "streamBasinName" TEXT;
+
+-- AlterTable
+ALTER TABLE "public"."Session" ADD COLUMN IF NOT EXISTS "streamBasinName" TEXT;
+
+-- AlterTable
+ALTER TABLE "public"."TaskRun" ADD COLUMN IF NOT EXISTS "streamBasinName" TEXT;
diff --git a/internal-packages/database/prisma/migrations/20260520120000_add_environment_variable_value_environment_id_idx/migration.sql b/internal-packages/database/prisma/migrations/20260520120000_add_environment_variable_value_environment_id_idx/migration.sql
new file mode 100644
index 00000000000..9aaf4d930c6
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260520120000_add_environment_variable_value_environment_id_idx/migration.sql
@@ -0,0 +1,3 @@
+-- CreateIndex
+CREATE INDEX CONCURRENTLY IF NOT EXISTS "EnvironmentVariableValue_environmentId_idx"
+  ON "EnvironmentVariableValue"("environmentId");
diff --git a/internal-packages/database/prisma/migrations/20260520170000_add_session_chat_snapshot_storage_path/migration.sql b/internal-packages/database/prisma/migrations/20260520170000_add_session_chat_snapshot_storage_path/migration.sql
new file mode 100644
index 00000000000..c61c7ac5726
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260520170000_add_session_chat_snapshot_storage_path/migration.sql
@@ -0,0 +1 @@
+ALTER TABLE "Session" ADD COLUMN IF NOT EXISTS "chatSnapshotStoragePath" TEXT;
diff --git a/internal-packages/database/prisma/migrations/20260522150206_drop_task_run_schedule_id_created_at_idx/migration.sql b/internal-packages/database/prisma/migrations/20260522150206_drop_task_run_schedule_id_created_at_idx/migration.sql
new file mode 100644
index 00000000000..1d3b4010755
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260522150206_drop_task_run_schedule_id_created_at_idx/migration.sql
@@ -0,0 +1,2 @@
+-- DropIndex
+DROP INDEX CONCURRENTLY IF EXISTS "public"."TaskRun_scheduleId_createdAt_idx";
diff --git a/internal-packages/database/prisma/migrations/20260525083555_drop_task_run_status_runtime_environment_id_created_at_id_idx/migration.sql b/internal-packages/database/prisma/migrations/20260525083555_drop_task_run_status_runtime_environment_id_created_at_id_idx/migration.sql
new file mode 100644
index 00000000000..b078467fad9
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260525083555_drop_task_run_status_runtime_environment_id_created_at_id_idx/migration.sql
@@ -0,0 +1,2 @@
+-- DropIndex
+DROP INDEX CONCURRENTLY IF EXISTS "public"."TaskRun_status_runtimeEnvironmentId_createdAt_id_idx";
diff --git a/internal-packages/database/prisma/migrations/20260603132613_add_pricing_unit_to_llm_models/migration.sql b/internal-packages/database/prisma/migrations/20260603132613_add_pricing_unit_to_llm_models/migration.sql
new file mode 100644
index 00000000000..584552dfac3
--- /dev/null
+++ b/internal-packages/database/prisma/migrations/20260603132613_add_pricing_unit_to_llm_models/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "public"."llm_models" ADD COLUMN     "pricing_unit" TEXT;
diff --git a/internal-packages/database/prisma/schema.prisma b/internal-packages/database/prisma/schema.prisma
index fa570fb7a11..337a6059ebd 100644
--- a/internal-packages/database/prisma/schema.prisma
+++ b/internal-packages/database/prisma/schema.prisma
@@ -54,6 +54,18 @@ model User {
   /// Hash of the last used code to prevent replay attacks
   mfaLastUsedCode      String?
 
+  /// Maximum session lifetime in seconds for this user. Default = 1 year (Gregorian).
+  /// May be further restricted by Organization.maxSessionDuration on any of the user's orgs.
+  sessionDuration Int @default(31556952)
+
+  /// Absolute timestamp at which the user's current session must end. Written
+  /// at login (and any time the effective duration is recomputed) and shortened
+  /// when an admin lowers an org cap. Read on requireUser / getUser; null is
+  /// treated as "no enforced deadline" (legacy sessions from before this
+  /// shipped). Read-on-demand has zero per-request DB cost — the value
+  /// piggybacks on the User fetch that requireUser already does.
+  nextSessionEnd DateTime?
+
   invitationCode       InvitationCode?       @relation(fields: [invitationCodeId], references: [id])
   invitationCodeId     String?
   personalAccessTokens PersonalAccessToken[]
@@ -218,7 +230,12 @@ model Organization {
 
   featureFlags Json?
 
-  maximumProjectCount Int @default(10)
+  maximumProjectCount Int @default(25)
+
+  /// Maximum session lifetime in seconds for members of this organization.
+  /// When set, caps each member's User.sessionDuration. The most restrictive cap across
+  /// all of a user's orgs (excluding nulls) wins.
+  maxSessionDuration Int?
 
   projects                 Project[]
   members                  OrgMember[]
@@ -234,6 +251,13 @@ model Organization {
 
   platformNotifications PlatformNotification[]
   errorGroupStates      ErrorGroupState[]
+
+  /// S2 basin that holds this org's realtime streams. Null until the
+  /// per-org basin has been provisioned (OSS / s2-lite installs leave
+  /// it null forever; reads fall back to the global basin env var).
+  /// Set once at provisioning time; retention is reconfigured in-place
+  /// when the org's plan changes.
+  streamBasinName String?
 }
 
 model OrgMember {
@@ -265,6 +289,16 @@ model OrgMemberInvite {
   email String
   role  OrgMemberRole @default(MEMBER)
 
+  /// Optional RBAC role to assign on invite acceptance. When set, the
+  /// accept-invite flow calls the loaded RBAC plugin's setUserRole with
+  /// this id after creating the OrgMember. Null = legacy behaviour, the
+  /// runtime fallback derives the role from `role` above.
+  ///
+  /// Plain text (not an FK) — the RBAC plugin's RbacRole table lives on
+  /// a separate schema (Drizzle, not Prisma) so we can't model the FK
+  /// here. Validation happens at write time (action) and read time
+  /// (acceptInvite).
+  rbacRoleId String?
   organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade, onUpdate: Cascade)
   organizationId String
 
@@ -352,8 +386,11 @@ model RuntimeEnvironment {
   waitpointTags        WaitpointTag[]
   BulkActionGroup      BulkActionGroup[]
   customerQueries      CustomerQuery[]
-  prompts              Prompt[]
+  prompts                  Prompt[]
+  playgroundConversations  PlaygroundConversation[]
   errorGroupStates     ErrorGroupState[]
+  taskIdentifiers      TaskIdentifier[]
+  revokedApiKeys       RevokedApiKey[]
 
   @@unique([projectId, slug, orgMemberId])
   @@unique([projectId, shortcode])
@@ -362,6 +399,20 @@ model RuntimeEnvironment {
   @@index([organizationId])
 }
 
+/// Records of previously-valid API keys that are still accepted for authentication
+/// during a grace window after rotation. Extend or end the grace period by updating `expiresAt`.
+model RevokedApiKey {
+  id                   String             @id @default(cuid())
+  apiKey               String
+  runtimeEnvironment   RuntimeEnvironment @relation(fields: [runtimeEnvironmentId], references: [id], onDelete: Cascade, onUpdate: Cascade)
+  runtimeEnvironmentId String
+  expiresAt            DateTime
+  createdAt            DateTime           @default(now())
+
+  @@index([apiKey])
+  @@index([runtimeEnvironmentId])
+}
+
 enum RuntimeEnvironmentType {
   PRODUCTION
   STAGING
@@ -420,6 +471,7 @@ model Project {
   connectedGithubRepository      ConnectedGithubRepository?
   organizationProjectIntegration OrganizationProjectIntegration[]
   customerQueries                CustomerQuery[]
+  playgroundConversations        PlaygroundConversation[]
 
   buildSettings         Json?
   onboardingData        Json?
@@ -429,6 +481,7 @@ model Project {
   prompts               Prompt[]
   platformNotifications PlatformNotification[]
   errorGroupStates      ErrorGroupState[]
+  taskIdentifiers       TaskIdentifier[]
 }
 
 enum ProjectVersion {
@@ -517,6 +570,8 @@ model BackgroundWorker {
 
   supportsLazyAttempts Boolean @default(false)
 
+  taskIdentifiers TaskIdentifier[]
+
   @@unique([projectId, runtimeEnvironmentId, version])
   @@index([runtimeEnvironmentId])
   // Get the latest worker for a given environment
@@ -653,17 +708,162 @@ model BackgroundWorkerTask {
 
   triggerSource TaskTriggerSource @default(STANDARD)
 
+  /// Extra task configuration JSON. Shape depends on triggerSource.
+  /// AGENT: { type: "ai-sdk-chat" }
+  config Json?
+
   payloadSchema Json?
 
   @@unique([workerId, slug])
   // Quick lookup of task identifiers
   @@index([projectId, slug])
   @@index([runtimeEnvironmentId, projectId])
+  @@index([runtimeEnvironmentId, slug, triggerSource])
 }
 
 enum TaskTriggerSource {
   STANDARD
   SCHEDULED
+  AGENT
+}
+
+model PlaygroundConversation {
+  id String @id @default(cuid())
+
+  /// The chat session ID used by the transport
+  chatId String
+
+  /// User-editable conversation title (auto-generated from first message)
+  title String @default("New conversation")
+
+  /// Which agent this conversation is with
+  agentSlug String
+
+  /// The current active run backing this conversation (null if no run yet)
+  runId String?
+  run   TaskRun? @relation(fields: [runId], references: [id], onDelete: SetNull, onUpdate: Cascade)
+
+  /// The client data JSON used for this conversation
+  clientData Json?
+
+  /// Accumulated UIMessages from completed turns (for resume without stream replay)
+  messages Json?
+
+  /// Last SSE event ID — resume from this position to avoid replaying old turns
+  lastEventId String?
+
+  project   Project @relation(fields: [projectId], references: [id], onDelete: Cascade, onUpdate: Cascade)
+  projectId String
+
+  runtimeEnvironment   RuntimeEnvironment @relation(fields: [runtimeEnvironmentId], references: [id], onDelete: Cascade, onUpdate: Cascade)
+  runtimeEnvironmentId String
+
+  /// The user who started this conversation
+  userId String
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  @@unique([chatId, runtimeEnvironmentId])
+  @@index([runtimeEnvironmentId, agentSlug, updatedAt(sort: Desc)])
+  @@index([userId, runtimeEnvironmentId])
+}
+
+/// Durable, typed, bidirectional I/O primitive. Owns two S2 streams (.out / .in).
+/// The row is essentially static — no status, no counters, no pointers. No
+/// foreign keys: project/runtimeEnvironment/organization ids are plain
+/// scalar columns (matches TaskRun pattern). List-style queries are served
+/// from ClickHouse, not Postgres, so only point-lookup indexes live here.
+model Session {
+  id         String  @id @default(cuid())
+  friendlyId String  @unique
+  /// User-supplied identifier scoped to the environment. Used for
+  /// idempotent upsert and for resolving sessions via the public API.
+  externalId String?
+
+  /// Plain string — intentionally not an enum.
+  type String
+
+  /// Denormalized scoping columns — no FK relations.
+  projectId            String
+  runtimeEnvironmentId String
+  environmentType      RuntimeEnvironmentType
+  organizationId       String
+
+  /// Task this session triggers runs against. Required — Sessions are
+  /// task-bound: creating a session also triggers its first run, and
+  /// every subsequent re-trigger uses this same identifier.
+  taskIdentifier String
+
+  /// Trigger config used for every run this session schedules. Shape
+  /// (validated at the route layer, opaque to the DB):
+  ///   { basePayload: object, machine?: string, queue?: string,
+  ///     tags?: string[], maxAttempts?: number,
+  ///     idleTimeoutInSeconds?: number }
+  /// `basePayload` carries the customer's client-data; runtime fields
+  /// (chatId, messages, trigger) are merged at trigger time.
+  triggerConfig Json
+
+  tags     String[] @default([])
+  metadata Json?
+
+  /// Live run pointer — non-FK so run deletion never cascades. Can lag
+  /// reality; the `.in/append` handler re-checks the snapshot status
+  /// before reusing it.
+  currentRunId      String?
+  /// Monotonic counter used for optimistic locking on `currentRunId`
+  /// swaps. Bumped atomically alongside any update that changes
+  /// `currentRunId`.
+  currentRunVersion Int     @default(0)
+
+  /// Terminal markers — written once, never flipped back.
+  closedAt     DateTime?
+  closedReason String?
+  expiresAt    DateTime?
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  /// S2 basin where this session's stream pair lives. Stamped at create
+  /// time from `Organization.streamBasinName` so reads can resolve the
+  /// basin without joining org. Null when the org has no per-org basin
+  /// (OSS, or pre-backfill); reads fall back to the global basin.
+  streamBasinName String?
+
+  /// Storage URI (with protocol prefix) for this session's chat.agent
+  /// snapshot blob. Set on first snapshot write. Null = pre-column session,
+  /// fall back to computed default path.
+  chatSnapshotStoragePath String?
+
+  runs SessionRun[]
+
+  /// Idempotency: `(env, externalId)` uniquely identifies a session.
+  /// PostgreSQL treats NULLs as distinct, so `externalId=NULL` rows never collide.
+  @@unique([runtimeEnvironmentId, externalId])
+  @@index([expiresAt])
+  @@index([currentRunId])
+}
+
+/// Historical record of every run a Session has owned. Append-only —
+/// rows are inserted on each `ensureRunForSession` claim, never updated.
+/// Lets us reconstruct the run timeline of a chat for debugging /
+/// dashboard surfaces. The relation cascades on Session delete (tied to
+/// the session lifecycle) but `runId` is a plain string column with no
+/// FK to TaskRun so run pruning is independent.
+model SessionRun {
+  id String @id @default(cuid())
+
+  sessionId   String
+  /// TaskRun.id (no FK — runs may be archived independently of session history)
+  runId       String   @unique
+  /// One of: "initial" | "continuation" | "upgrade" | "manual".
+  /// Plain string for forward-compat with future trigger reasons.
+  reason      String
+  triggeredAt DateTime @default(now())
+
+  session Session @relation(fields: [sessionId], references: [id], onDelete: Cascade)
+
+  @@index([sessionId])
 }
 
 model TaskRun {
@@ -869,6 +1069,13 @@ model TaskRun {
   realtimeStreamsVersion String   @default("v1")
   /// Store the stream keys that are being used by the run
   realtimeStreams        String[] @default([])
+  /// S2 basin where this run's realtime streams live. Stamped at create
+  /// time from `Organization.streamBasinName` so reads can resolve the
+  /// basin without joining org. Null when the org has no per-org basin
+  /// (OSS, or pre-backfill); reads fall back to the global basin.
+  streamBasinName        String?
+
+  playgroundConversations PlaygroundConversation[]
 
   @@unique([oneTimeUseToken])
   @@unique([runtimeEnvironmentId, taskIdentifier, idempotencyKey])
@@ -877,14 +1084,11 @@ model TaskRun {
   // Run page inspector
   @@index([spanId])
   @@index([parentSpanId])
-  // Schedule list page
-  @@index([scheduleId, createdAt(sort: Desc)])
   // Finding runs in a batch
   @@index([runTags(ops: ArrayOps)], type: Gin)
   @@index([runtimeEnvironmentId, batchId])
   @@index([runtimeEnvironmentId, createdAt(sort: Desc)])
   @@index([createdAt], type: Brin)
-  @@index([status, runtimeEnvironmentId, createdAt, id(sort: Desc)])
 }
 
 model TaskRunTemplate {
@@ -1818,6 +2022,7 @@ model EnvironmentVariableValue {
   lastUpdatedBy Json?
 
   @@unique([variableId, environmentId])
+  @@index([environmentId])
 }
 
 model Checkpoint {
@@ -2022,6 +2227,7 @@ model TaskSchedule {
   ///Instances of the schedule that are active
   instances TaskScheduleInstance[]
 
+  /// @deprecated stop writing 2026-04-30; reads moved out of code (UI now derives from cron's previous slot). Drop in follow-up.
   lastRunTriggeredAt DateTime?
 
   project   Project @relation(fields: [projectId], references: [id], onDelete: Cascade, onUpdate: Cascade)
@@ -2067,7 +2273,9 @@ model TaskScheduleInstance {
 
   active Boolean @default(true)
 
+  /// @deprecated stop writing 2026-04-30; engine derives from cron + exactScheduleTime. Drop in follow-up.
   lastScheduledTimestamp DateTime?
+  /// @deprecated stop writing 2026-04-30; engine derives from cron + now(). Drop in follow-up.
   nextScheduledTimestamp DateTime?
 
   //you can only have a schedule attached to each environment once
@@ -2701,6 +2909,8 @@ model LlmModel {
   capabilities    String[] @default([]) @map("capabilities")
   isHidden        Boolean  @default(false) @map("is_hidden")
   baseModelName   String?  @map("base_model_name")
+  // "tokens", "images", "characters", "minutes", "requests", "free", "not_findable"; null until researched
+  pricingUnit     String?  @map("pricing_unit")
 
   pricingTiers LlmPricingTier[]
   prices       LlmPrice[]
@@ -2919,3 +3129,48 @@ model ErrorGroupState {
   @@unique([environmentId, taskIdentifier, errorFingerprint])
   @@index([environmentId, status])
 }
+
+model TaskIdentifier {
+  id String @id @default(cuid())
+
+  runtimeEnvironment   RuntimeEnvironment @relation(fields: [runtimeEnvironmentId], references: [id], onDelete: Cascade, onUpdate: Cascade)
+  runtimeEnvironmentId String
+
+  project   Project @relation(fields: [projectId], references: [id], onDelete: Cascade, onUpdate: Cascade)
+  projectId String
+
+  slug String
+
+  currentTriggerSource TaskTriggerSource @default(STANDARD)
+
+  currentWorker   BackgroundWorker? @relation(fields: [currentWorkerId], references: [id], onDelete: SetNull, onUpdate: Cascade)
+  currentWorkerId String?
+
+  firstSeenAt          DateTime @default(now())
+  lastSeenAt           DateTime @default(now())
+  isInLatestDeployment Boolean  @default(true)
+
+  @@unique([runtimeEnvironmentId, slug])
+  @@index([runtimeEnvironmentId, isInLatestDeployment])
+}
+
+enum DataStoreKind {
+  CLICKHOUSE
+}
+
+/// Defines org-scoped data store overrides (e.g. dedicated ClickHouse for HIPAA orgs).
+/// Multiple organizations can share a single data store row via organizationIds.
+model OrganizationDataStore {
+  id              String        @id @default(cuid())
+  /// Human-readable unique key (e.g. "hipaa-clickhouse-us-east")
+  key             String        @unique
+  /// Organization IDs that use this data store
+  organizationIds String[]
+  kind            DataStoreKind
+  /// Versioned config JSON. Structure is discriminated by the top-level `version` field.
+  config          Json
+  createdAt       DateTime      @default(now())
+  updatedAt       DateTime      @updatedAt
+
+  @@index([kind])
+}
diff --git a/internal-packages/emails/package.json b/internal-packages/emails/package.json
index 68b01563b81..a3091eb97d2 100644
--- a/internal-packages/emails/package.json
+++ b/internal-packages/emails/package.json
@@ -11,18 +11,20 @@
   },
   "dependencies": {
     "@aws-sdk/client-sesv2": "^3.716.0",
-    "@react-email/components": "0.0.16",
-    "@react-email/render": "^0.0.12",
-    "nodemailer": "^7.0.11",
+    "@react-email/components": "1.0.12",
+    "@react-email/render": "^2.0.8",
+    "nodemailer": "^8.0.6",
     "react": "^18.2.0",
-    "react-email": "^2.1.1",
+    "react-dom": "^18.2.0",
     "resend": "^3.2.0",
     "tiny-invariant": "^1.2.0",
     "zod": "3.25.76"
   },
   "devDependencies": {
-    "@types/nodemailer": "^7.0.4",
-    "@types/react": "18.2.69"
+    "@types/nodemailer": "^8.0.0",
+    "@types/react": "18.2.69",
+    "@types/react-dom": "18.2.7",
+    "react-email": "^6.5.0"
   },
   "engines": {
     "node": ">=18.0.0"
diff --git a/internal-packages/emails/src/transports/aws-ses.ts b/internal-packages/emails/src/transports/aws-ses.ts
index d1572d5c1ef..a37a2124cbd 100644
--- a/internal-packages/emails/src/transports/aws-ses.ts
+++ b/internal-packages/emails/src/transports/aws-ses.ts
@@ -25,7 +25,7 @@ export class AwsSesMailTransport implements MailTransport {
         to,
         replyTo: replyTo,
         subject,
-        html: render(react),
+        html: await render(react),
       });
     }
     catch (error) {
diff --git a/internal-packages/emails/src/transports/null.ts b/internal-packages/emails/src/transports/null.ts
index bb8fe10c388..6a78fb90135 100644
--- a/internal-packages/emails/src/transports/null.ts
+++ b/internal-packages/emails/src/transports/null.ts
@@ -10,12 +10,14 @@ export class NullMailTransport implements MailTransport {
   }
 
   async send({to, subject, react}: MailMessage): Promise<void> {
+    const plainText = await render(react, {
+      plainText: true,
+    });
+
     console.log(`
 ##### sendEmail to ${to}, subject: ${subject}
 
-${render(react, {
-      plainText: true,
-    })}
+${plainText}
     `);
   }
 
diff --git a/internal-packages/emails/src/transports/smtp.ts b/internal-packages/emails/src/transports/smtp.ts
index 5dfd1dec57b..d3846569761 100644
--- a/internal-packages/emails/src/transports/smtp.ts
+++ b/internal-packages/emails/src/transports/smtp.ts
@@ -29,7 +29,7 @@ export class SmtpMailTransport implements MailTransport {
         to,
         replyTo: replyTo,
         subject,
-        html: render(react),
+        html: await render(react),
       });
     } catch (error) {
       if (error instanceof Error) {
diff --git a/internal-packages/llm-model-catalog/package.json b/internal-packages/llm-model-catalog/package.json
index ac5cdafc0a6..b38454548b9 100644
--- a/internal-packages/llm-model-catalog/package.json
+++ b/internal-packages/llm-model-catalog/package.json
@@ -11,7 +11,7 @@
   },
   "devDependencies": {
     "@internal/testcontainers": "workspace:*",
-    "vitest": "3.1.4"
+    "vitest": "4.1.7"
   },
   "scripts": {
     "test": "vitest --sequence.concurrent=false --no-file-parallelism",
diff --git a/internal-packages/llm-model-catalog/src/seed.ts b/internal-packages/llm-model-catalog/src/seed.ts
index 72d212a9120..e9e2b224e73 100644
--- a/internal-packages/llm-model-catalog/src/seed.ts
+++ b/internal-packages/llm-model-catalog/src/seed.ts
@@ -46,6 +46,7 @@ export async function seedLlmPricing(prisma: PrismaClient): Promise<{
           capabilities: catalog?.capabilities ?? [],
           isHidden: catalog?.isHidden ?? false,
           baseModelName: catalog?.baseModelName ?? null,
+          pricingUnit: "tokens",
         },
       });
 
diff --git a/internal-packages/llm-model-catalog/src/sync.ts b/internal-packages/llm-model-catalog/src/sync.ts
index aa0611dbda2..8761df0fe4a 100644
--- a/internal-packages/llm-model-catalog/src/sync.ts
+++ b/internal-packages/llm-model-catalog/src/sync.ts
@@ -74,6 +74,7 @@ export async function syncLlmCatalog(prisma: PrismaClient): Promise<{
             catalog?.baseModelName === undefined
               ? existing.baseModelName
               : catalog.baseModelName,
+          pricingUnit: existing.pricingUnit ?? "tokens",
         },
       });
 
diff --git a/internal-packages/llm-model-catalog/vitest.config.ts b/internal-packages/llm-model-catalog/vitest.config.ts
index 474961216bf..88831ee2ae5 100644
--- a/internal-packages/llm-model-catalog/vitest.config.ts
+++ b/internal-packages/llm-model-catalog/vitest.config.ts
@@ -1,16 +1,13 @@
 import { defineConfig } from "vitest/config";
+import { DurationShardingSequencer } from "@internal/testcontainers/sequencer";
 
 export default defineConfig({
   test: {
+    sequence: { sequencer: DurationShardingSequencer },
     include: ["**/*.test.ts"],
     globals: true,
     isolate: true,
     fileParallelism: false,
-    poolOptions: {
-      threads: {
-        singleThread: true,
-      },
-    },
     testTimeout: 120_000,
   },
 });
diff --git a/internal-packages/otlp-importer/package.json b/internal-packages/otlp-importer/package.json
index 72e46c2f9d3..6f5cd39665f 100644
--- a/internal-packages/otlp-importer/package.json
+++ b/internal-packages/otlp-importer/package.json
@@ -28,7 +28,7 @@
   },
   "devDependencies": {
     "@types/node": "^20",
-    "rimraf": "^3.0.2",
+    "rimraf": "^6.0.1",
     "ts-proto": "^1.167.3"
   },
   "engines": {
diff --git a/internal-packages/rbac/package.json b/internal-packages/rbac/package.json
new file mode 100644
index 00000000000..d04089e4ff7
--- /dev/null
+++ b/internal-packages/rbac/package.json
@@ -0,0 +1,24 @@
+{
+  "name": "@trigger.dev/rbac",
+  "private": true,
+  "version": "0.0.1",
+  "main": "./dist/src/index.js",
+  "types": "./dist/src/index.d.ts",
+  "dependencies": {
+    "@trigger.dev/core": "workspace:*",
+    "@trigger.dev/plugins": "workspace:*"
+  },
+  "devDependencies": {
+    "@trigger.dev/database": "workspace:*",
+    "@types/node": "^20.14.14",
+    "rimraf": "6.0.1"
+  },
+  "scripts": {
+    "clean": "rimraf dist",
+    "typecheck": "tsc --noEmit",
+    "build": "pnpm run clean && tsc --noEmit false --outDir dist --declaration",
+    "dev": "tsc --noEmit false --outDir dist --declaration --watch",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  }
+}
diff --git a/internal-packages/rbac/src/ability.test.ts b/internal-packages/rbac/src/ability.test.ts
new file mode 100644
index 00000000000..e361bf0d544
--- /dev/null
+++ b/internal-packages/rbac/src/ability.test.ts
@@ -0,0 +1,164 @@
+import { describe, it, expect } from "vitest";
+import { permissiveAbility, superAbility, denyAbility, buildFallbackAbility, buildJwtAbility } from "./ability.js";
+
+describe("permissiveAbility", () => {
+  it("allows any action on any resource type", () => {
+    expect(permissiveAbility.can("read", { type: "run" })).toBe(true);
+    expect(permissiveAbility.can("write", { type: "deployment" })).toBe(true);
+    expect(permissiveAbility.can("delete", { type: "task" })).toBe(true);
+  });
+
+  it("allows actions on specific resource instances", () => {
+    expect(permissiveAbility.can("read", { type: "run", id: "run_abc123" })).toBe(true);
+  });
+
+  it("does not grant super-user access", () => {
+    expect(permissiveAbility.canSuper()).toBe(false);
+  });
+});
+
+describe("superAbility", () => {
+  it("allows any action on any resource", () => {
+    expect(superAbility.can("read", { type: "run" })).toBe(true);
+    expect(superAbility.can("write", { type: "deployment" })).toBe(true);
+  });
+
+  it("grants super-user access", () => {
+    expect(superAbility.canSuper()).toBe(true);
+  });
+});
+
+describe("denyAbility", () => {
+  it("denies all actions", () => {
+    expect(denyAbility.can("read", { type: "run" })).toBe(false);
+    expect(denyAbility.can("write", { type: "deployment" })).toBe(false);
+  });
+
+  it("does not grant super-user access", () => {
+    expect(denyAbility.canSuper()).toBe(false);
+  });
+});
+
+describe("buildJwtAbility", () => {
+  it("allows action matching a general scope", () => {
+    const ability = buildJwtAbility(["read:runs"]);
+    expect(ability.can("read", { type: "runs" })).toBe(true);
+    expect(ability.can("read", { type: "runs", id: "run_abc" })).toBe(true);
+  });
+
+  it("allows only the specific ID for a scoped permission", () => {
+    const ability = buildJwtAbility(["read:runs:run_abc"]);
+    expect(ability.can("read", { type: "runs", id: "run_abc" })).toBe(true);
+    expect(ability.can("read", { type: "runs", id: "run_xyz" })).toBe(false);
+    expect(ability.can("read", { type: "runs" })).toBe(false);
+  });
+
+  it("preserves colons in the resource id (everything after the 2nd colon)", () => {
+    // Resource ids can contain colons (e.g. user-provided tags like
+    // `env:staging`). The naive `[a, b, c] = scope.split(":")` form
+    // truncated `read:tags:env:staging` → scopeId="env" and silently
+    // mis-matched. Regression coverage for the multi-colon id path.
+    const ability = buildJwtAbility(["read:tags:env:staging"]);
+    expect(ability.can("read", { type: "tags", id: "env:staging" })).toBe(true);
+    expect(ability.can("read", { type: "tags", id: "env" })).toBe(false);
+    expect(ability.can("read", { type: "tags", id: "env:prod" })).toBe(false);
+  });
+
+  it("allows any read with read:all scope", () => {
+    const ability = buildJwtAbility(["read:all"]);
+    expect(ability.can("read", { type: "runs" })).toBe(true);
+    expect(ability.can("read", { type: "tasks" })).toBe(true);
+    expect(ability.can("write", { type: "runs" })).toBe(false);
+  });
+
+  it("allows everything with admin scope", () => {
+    const ability = buildJwtAbility(["admin"]);
+    expect(ability.can("read", { type: "runs" })).toBe(true);
+    expect(ability.can("write", { type: "deployments" })).toBe(true);
+  });
+
+  // Pre-RBAC, the legacy checkAuthorization string-matched superScopes;
+  // a scope `admin:sessions` only granted access to routes that
+  // explicitly listed it. After the JWT-ability split we must not let
+  // `admin:<anything>` act as a universal wildcard — it should grant
+  // only the `admin` action against resources of that type.
+  it("admin:<type> is not a universal wildcard", () => {
+    const ability = buildJwtAbility(["admin:sessions"]);
+    expect(ability.can("read", { type: "runs" })).toBe(false);
+    expect(ability.can("write", { type: "tasks" })).toBe(false);
+    expect(ability.can("admin", { type: "runs" })).toBe(false);
+    // But it does grant the admin action on its own type.
+    expect(ability.can("admin", { type: "sessions" })).toBe(true);
+    expect(ability.can("admin", { type: "sessions", id: "ses_abc" })).toBe(true);
+  });
+
+  it("admin:<type>:<id> grants admin action only on that exact resource", () => {
+    const ability = buildJwtAbility(["admin:sessions:ses_abc"]);
+    expect(ability.can("admin", { type: "sessions", id: "ses_abc" })).toBe(true);
+    expect(ability.can("admin", { type: "sessions", id: "ses_xyz" })).toBe(false);
+    expect(ability.can("admin", { type: "runs" })).toBe(false);
+    expect(ability.can("read", { type: "sessions", id: "ses_abc" })).toBe(false);
+  });
+
+  it("never grants canSuper", () => {
+    expect(buildJwtAbility(["admin"]).canSuper()).toBe(false);
+    expect(buildJwtAbility(["read:all"]).canSuper()).toBe(false);
+    expect(buildJwtAbility([]).canSuper()).toBe(false);
+  });
+
+  it("denies everything for empty scopes", () => {
+    const ability = buildJwtAbility([]);
+    expect(ability.can("read", { type: "runs" })).toBe(false);
+  });
+
+  it("denies wrong action with general resource scope", () => {
+    const ability = buildJwtAbility(["read:runs"]);
+    expect(ability.can("write", { type: "runs" })).toBe(false);
+  });
+});
+
+describe("buildJwtAbility — array resources", () => {
+  it("authorizes when any resource in the array passes a scope check", () => {
+    const ability = buildJwtAbility(["read:batch:batch_abc"]);
+    const resources = [
+      { type: "runs", id: "run_xyz" },
+      { type: "batch", id: "batch_abc" },
+      { type: "tasks", id: "task_other" },
+    ];
+    expect(ability.can("read", resources)).toBe(true);
+  });
+
+  it("rejects when no resource in the array passes a scope check", () => {
+    const ability = buildJwtAbility(["read:batch:batch_abc"]);
+    const resources = [
+      { type: "runs", id: "run_xyz" },
+      { type: "batch", id: "batch_other" },
+      { type: "tasks", id: "task_other" },
+    ];
+    expect(ability.can("read", resources)).toBe(false);
+  });
+
+  it("empty array never authorizes", () => {
+    const ability = buildJwtAbility(["read:all"]);
+    expect(ability.can("read", [])).toBe(false);
+  });
+
+  it("authorizes a single resource via the non-array form (backwards compatible)", () => {
+    const ability = buildJwtAbility(["read:runs:run_abc"]);
+    expect(ability.can("read", { type: "runs", id: "run_abc" })).toBe(true);
+  });
+});
+
+describe("buildFallbackAbility", () => {
+  it("returns permissiveAbility for non-admin users", () => {
+    const ability = buildFallbackAbility(false);
+    expect(ability.can("read", { type: "run" })).toBe(true);
+    expect(ability.canSuper()).toBe(false);
+  });
+
+  it("returns superAbility for admin users", () => {
+    const ability = buildFallbackAbility(true);
+    expect(ability.can("read", { type: "run" })).toBe(true);
+    expect(ability.canSuper()).toBe(true);
+  });
+});
diff --git a/internal-packages/rbac/src/ability.ts b/internal-packages/rbac/src/ability.ts
new file mode 100644
index 00000000000..0ff53ea8d88
--- /dev/null
+++ b/internal-packages/rbac/src/ability.ts
@@ -0,0 +1,63 @@
+import type { RbacAbility, RbacResource } from "@trigger.dev/plugins";
+
+/** Every authenticated non-admin subject: can do anything, cannot do super-user actions. */
+export const permissiveAbility: RbacAbility = {
+  can: () => true,
+  canSuper: () => false,
+};
+
+/** Platform admin (user.admin = true): can do everything including super-user actions. */
+export const superAbility: RbacAbility = {
+  can: () => true,
+  canSuper: () => true,
+};
+
+/** Deprecated PUBLIC tokens and unauthenticated subjects: denied everything. */
+export const denyAbility: RbacAbility = {
+  can: () => false,
+  canSuper: () => false,
+};
+
+export function buildFallbackAbility(isAdmin: boolean): RbacAbility {
+  return isAdmin ? superAbility : permissiveAbility;
+}
+
+/** Builds an ability from JWT scope strings like "read:runs", "read:runs:run_abc", "read:all", "admin". */
+export function buildJwtAbility(scopes: string[]): RbacAbility {
+  const matches = (action: string, r: RbacResource): boolean =>
+    scopes.some((scope) => {
+      // Only the first two colons are delimiters — everything after the
+      // second colon is the resource id (which may itself contain colons,
+      // e.g. user-provided tags like "env:staging"). Naive
+      // `split(":")` + 3-tuple destructuring truncated such ids to the
+      // first segment and silently failed to match.
+      const parts = scope.split(":");
+      const scopeAction = parts[0];
+      const scopeType = parts[1];
+      const scopeId = parts.length > 2 ? parts.slice(2).join(":") : undefined;
+      // Bare `admin` is the universal wildcard. `admin:<type>` is *not* —
+      // it falls through to normal matching as action="admin" against
+      // resources of that type. Pre-RBAC, the legacy checkAuthorization
+      // string-matched superScopes; `admin:sessions` only granted access
+      // to routes that explicitly listed it. Treating `admin:<anything>`
+      // as universal here would silently broaden any such tokens.
+      if (scopeAction === "admin" && !scopeType) return true;
+      if (scopeAction !== action && scopeAction !== "*") return false;
+      if (scopeType === "all") return true;
+      if (scopeType !== r.type) return false;
+      if (!scopeId) return true;
+      return scopeId === r.id;
+    });
+  return {
+    can(action: string, resource: RbacResource | RbacResource[]): boolean {
+      // Array form means "any element passes → authorized", matching the
+      // legacy multi-key checkAuthorization semantic.
+      return Array.isArray(resource)
+        ? resource.some((r) => matches(action, r))
+        : matches(action, resource);
+    },
+    canSuper(): boolean {
+      return false;
+    },
+  };
+}
diff --git a/internal-packages/rbac/src/fallback.ts b/internal-packages/rbac/src/fallback.ts
new file mode 100644
index 00000000000..d28c4817705
--- /dev/null
+++ b/internal-packages/rbac/src/fallback.ts
@@ -0,0 +1,439 @@
+import type {
+  Permission,
+  Role,
+  RbacEnvironment,
+  RbacUser,
+  RbacSubject,
+  RbacResource,
+  BearerAuthResult,
+  PatAuthResult,
+  SessionAuthResult,
+  RoleAssignmentResult,
+  RoleBaseAccessController,
+  RoleMutationResult,
+} from "@trigger.dev/plugins";
+import { createHash } from "node:crypto";
+import type { PrismaClient } from "@trigger.dev/database";
+import { validateJWT } from "@trigger.dev/core/v3/jwt";
+import { sanitizeBranchName } from "@trigger.dev/core/v3/utils/gitBranch";
+import { buildFallbackAbility, buildJwtAbility, permissiveAbility } from "./ability.js";
+
+export type FallbackPrismaClients = {
+  // Used for writes (setUserRole, mutateRole, etc.) and any reads that
+  // can't tolerate replica lag (currently none on this controller, but
+  // kept for symmetry with the rest of the webapp).
+  primary: PrismaClient;
+  // Used for read-only auth-path queries: bearer-token env lookup,
+  // PAT lookup, session user lookup. Spreads the high-frequency auth
+  // load away from the primary, matching what `findEnvironmentByApiKey`
+  // / `findEnvironmentById` did before this PR.
+  replica: PrismaClient;
+};
+
+// Backwards-compat: a single PrismaClient is treated as both primary
+// and replica. Callers that care about replica isolation pass the
+// explicit FallbackPrismaClients shape.
+type PrismaInput = PrismaClient | FallbackPrismaClients;
+
+function resolvePrismaClients(input: PrismaInput): FallbackPrismaClients {
+  return "primary" in input ? input : { primary: input, replica: input };
+}
+
+export class RoleBaseAccessFallback {
+  private readonly clients: FallbackPrismaClients;
+
+  constructor(prisma: PrismaInput) {
+    this.clients = resolvePrismaClients(prisma);
+  }
+
+  create(): RoleBaseAccessFallbackController {
+    return new RoleBaseAccessFallbackController(this.clients);
+  }
+}
+
+class RoleBaseAccessFallbackController implements RoleBaseAccessController {
+  private readonly prisma: PrismaClient; // alias for primary — used by writes
+  private readonly replica: PrismaClient;
+
+  constructor(clients: FallbackPrismaClients) {
+    this.prisma = clients.primary;
+    this.replica = clients.replica;
+  }
+
+  async isUsingPlugin(): Promise<boolean> {
+    return false;
+  }
+
+  async authenticateBearer(
+    request: Request,
+    options?: { allowJWT?: boolean }
+  ): Promise<BearerAuthResult> {
+    // Deprecated public API keys (`pk_*` minted long before public JWTs
+    // landed) are intentionally NOT handled here. The legacy
+    // `findEnvironmentByPublicApiKey` path looked them up via the
+    // `pkApiKey` column, but that token format hasn't been issued for
+    // years and no live client should be sending one. Any `pk_*` bearer
+    // on a route that goes through the apiBuilder now returns 401 —
+    // public access goes through the JWT path (`isPublicJWT(rawToken)`
+    // below) instead. The deprecated lookup is still exported from
+    // `apps/webapp/app/models/runtimeEnvironment.server.ts` for the
+    // pre-RBAC routes that haven't been migrated, but it's a dead
+    // code path for any route that uses `createLoaderApiRoute` /
+    // `createActionApiRoute`.
+    const rawToken = request.headers.get("Authorization")?.replace(/^Bearer /, "").trim();
+    if (!rawToken) return { ok: false, status: 401, error: "Invalid or Missing API key" };
+
+    if (options?.allowJWT && isPublicJWT(rawToken)) {
+      const envId = extractJWTSub(rawToken);
+      if (!envId) return { ok: false, status: 401, error: "Invalid Public Access Token" };
+
+      // Match the include shape of the slim AuthenticatedEnvironment so
+      // the bridge can use the returned env without a follow-up fetch.
+      const env = await this.replica.runtimeEnvironment.findFirst({
+        where: { id: envId },
+        include: {
+          project: true,
+          organization: true,
+          orgMember: {
+            select: {
+              userId: true,
+              user: { select: { id: true, displayName: true, name: true } },
+            },
+          },
+          parentEnvironment: { select: { id: true, apiKey: true } },
+        },
+      });
+      if (!env || env.project.deletedAt !== null) {
+        return { ok: false, status: 401, error: "Invalid Public Access Token" };
+      }
+
+      const signingKey = env.parentEnvironment?.apiKey ?? env.apiKey;
+      const result = await validateJWT(rawToken, signingKey);
+      if (!result.ok) return { ok: false, status: 401, error: "Public Access Token is invalid" };
+
+      const scopes = Array.isArray(result.payload.scopes)
+        ? (result.payload.scopes as string[])
+        : [];
+      const realtime = result.payload.realtime as { skipColumns?: string[] } | undefined;
+      const oneTimeUse = result.payload.otu === true;
+
+      return {
+        ok: true,
+        environment: toAuthenticatedEnvironment(env),
+        subject: {
+          type: "publicJWT",
+          environmentId: env.id,
+          organizationId: env.organizationId,
+          projectId: env.projectId,
+        },
+        ability: buildJwtAbility(scopes),
+        jwt: { realtime, oneTimeUse },
+      };
+    }
+
+    // PREVIEW envs are parents — operating "on a branch" means routing
+    // to a child env keyed by branchName. The customer authenticates
+    // with the parent's apiKey + an `x-trigger-branch` header. Mirror
+    // findEnvironmentByApiKey: include the matching child env so the
+    // pivot below can adopt its identity.
+    const branchName = sanitizeBranchName(request.headers.get("x-trigger-branch"));
+    // Match the include shape of the slim AuthenticatedEnvironment so
+    // the apiBuilder bridge can use the returned env directly without a
+    // follow-up findEnvironmentById call.
+    const include = {
+      project: true,
+      organization: true,
+      orgMember: {
+        select: {
+          userId: true,
+          user: { select: { id: true, displayName: true, name: true } },
+        },
+      },
+      parentEnvironment: { select: { id: true, apiKey: true } },
+      childEnvironments: branchName
+        ? { where: { branchName, archivedAt: null } }
+        : undefined,
+    } as const;
+    let env = await this.replica.runtimeEnvironment.findFirst({
+      where: { apiKey: rawToken },
+      include,
+    });
+
+    // Revoked API key grace window — mirrors `findEnvironmentByApiKey`
+    // in apps/webapp/app/models/runtimeEnvironment.server.ts. Recently
+    // rotated keys keep working until their `expiresAt`; without this
+    // branch a customer who rotates an env API key gets immediate 401s
+    // on the new auth path. The PR's e2e suite covers this in
+    // auth-cross-cutting.e2e.full.test.ts ("revoked key within grace").
+    if (!env) {
+      const revoked = await this.replica.revokedApiKey.findFirst({
+        where: { apiKey: rawToken, expiresAt: { gt: new Date() } },
+        include: { runtimeEnvironment: { include } },
+      });
+      env = revoked?.runtimeEnvironment ?? null;
+    }
+
+    if (!env || env.project.deletedAt !== null) {
+      return { ok: false, status: 401, error: "Invalid API key" };
+    }
+
+    // PREVIEW env requires a branch header; pivot to the child env so
+    // downstream code operates on the branch (its own id, but the
+    // parent's apiKey/orgMember/organization/project — exactly what
+    // findEnvironmentByApiKey does for the legacy auth path).
+    if (env.type === "PREVIEW") {
+      if (!branchName) {
+        return {
+          ok: false,
+          status: 401,
+          error: "x-trigger-branch header required for preview env",
+        };
+      }
+      const child = env.childEnvironments?.[0];
+      if (!child) {
+        return { ok: false, status: 401, error: "No matching branch env" };
+      }
+      // Pivot to the child env: child's id/type/branchName, parent's
+      // apiKey/orgMember/organization/project. parentEnvironment is set
+      // explicitly here so the slim shape stays internally consistent.
+      env = {
+        ...child,
+        apiKey: env.apiKey,
+        orgMember: env.orgMember,
+        organization: env.organization,
+        project: env.project,
+        parentEnvironment: { id: env.id, apiKey: env.apiKey },
+        childEnvironments: [],
+      };
+    }
+
+    const subject: RbacSubject = {
+      type: "user",
+      userId: env.orgMember?.userId ?? "",
+      organizationId: env.organizationId,
+      projectId: env.projectId,
+    };
+
+    return {
+      ok: true,
+      environment: toAuthenticatedEnvironment(env),
+      subject,
+      ability: permissiveAbility,
+    };
+  }
+
+  async authenticateSession(
+    _request: Request,
+    context: { userId: string | null; organizationId?: string; projectId?: string }
+  ): Promise<SessionAuthResult> {
+    if (!context.userId) return { ok: false, reason: "unauthenticated" };
+
+    const user = await this.replica.user.findFirst({ where: { id: context.userId } });
+    if (!user) return { ok: false, reason: "unauthenticated" };
+
+    const subject: RbacSubject = {
+      type: "user",
+      userId: user.id,
+      organizationId: context.organizationId ?? "",
+      projectId: context.projectId,
+    };
+
+    return {
+      ok: true,
+      user: toRbacUser(user),
+      subject,
+      ability: buildFallbackAbility(user.admin),
+    };
+  }
+
+  async authenticateAuthorizeBearer(
+    request: Request,
+    check: { action: string; resource: RbacResource | RbacResource[] },
+    options?: { allowJWT?: boolean }
+  ): Promise<BearerAuthResult> {
+    const auth = await this.authenticateBearer(request, options);
+    if (!auth.ok) return auth;
+    if (!auth.ability.can(check.action, check.resource)) {
+      return { ok: false, status: 403, error: "Unauthorized" };
+    }
+    return auth;
+  }
+
+  async authenticateAuthorizeSession(
+    request: Request,
+    context: { userId: string | null; organizationId?: string; projectId?: string },
+    check: { action: string; resource: RbacResource | RbacResource[] }
+  ): Promise<SessionAuthResult> {
+    const auth = await this.authenticateSession(request, context);
+    if (!auth.ok) return auth;
+    if (!auth.ability.can(check.action, check.resource)) {
+      return { ok: false, reason: "unauthorized" };
+    }
+    return auth;
+  }
+
+  async authenticatePat(
+    request: Request,
+    context: { organizationId?: string; projectId?: string }
+  ): Promise<PatAuthResult> {
+    const rawToken = request.headers
+      .get("Authorization")
+      ?.replace(/^Bearer /, "")
+      .trim();
+    if (!rawToken || !rawToken.startsWith("tr_pat_")) {
+      return { ok: false, status: 401, error: "Invalid or Missing PAT" };
+    }
+
+    const hashedToken = createHash("sha256").update(rawToken).digest("hex");
+    const pat = await this.replica.personalAccessToken.findFirst({
+      where: { hashedToken, revokedAt: null },
+      // Include `lastAccessedAt` so the host can throttle its own write
+      // (see `PatAuthResult.lastAccessedAt` jsdoc). Without this the host
+      // would need a second findFirst just to decide whether to fire the
+      // updateMany, turning 1 DB roundtrip into 2.
+      select: { id: true, userId: true, lastAccessedAt: true },
+    });
+    if (!pat) {
+      return { ok: false, status: 401, error: "Invalid PAT" };
+    }
+
+    return {
+      ok: true,
+      tokenId: pat.id,
+      userId: pat.userId,
+      lastAccessedAt: pat.lastAccessedAt,
+      subject: {
+        type: "personalAccessToken",
+        tokenId: pat.id,
+        organizationId: context.organizationId ?? "",
+        projectId: context.projectId,
+      },
+      // No plugin → no role lookup. PATs in the OSS world are pure
+      // user-identity tokens; the route's own authorization block (or
+      // the absence of one) decides what they can do, same as it did
+      // before this method existed.
+      ability: permissiveAbility,
+    };
+  }
+
+  async systemRoles(_organizationId: string) {
+    // No plugin installed → no seeded roles. Callers handle null by
+    // hiding role-picker UI / skipping role assignment writes.
+    return null;
+  }
+
+  async allPermissions(): Promise<Permission[]> {
+    return [];
+  }
+
+  async allRoles(): Promise<Role[]> {
+    return [];
+  }
+
+  // Permissive — the default fallback applies no gating. The Teams
+  // page UI uses this to decide which role options to render as
+  // disabled; with no plugin installed allRoles() returns [] anyway,
+  // so the practical effect is "no roles to gate".
+  async getAssignableRoleIds(): Promise<string[]> {
+    return [];
+  }
+
+  async createRole(): Promise<RoleMutationResult> {
+    return { ok: false, error: "RBAC plugin not installed" };
+  }
+
+  async updateRole(): Promise<RoleMutationResult> {
+    return { ok: false, error: "RBAC plugin not installed" };
+  }
+
+  async deleteRole(): Promise<RoleAssignmentResult> {
+    return { ok: false, error: "RBAC plugin not installed" };
+  }
+
+  async getUserRole(): Promise<Role | null> {
+    return null;
+  }
+
+  async getUserRoles(userIds: string[]): Promise<Map<string, Role | null>> {
+    return new Map(userIds.map((id) => [id, null]));
+  }
+
+  async setUserRole(): Promise<RoleAssignmentResult> {
+    return { ok: false, error: "RBAC plugin not installed" };
+  }
+
+  async removeUserRole(): Promise<RoleAssignmentResult> {
+    return { ok: false, error: "RBAC plugin not installed" };
+  }
+
+  async getTokenRole(): Promise<Role | null> {
+    return null;
+  }
+
+  async setTokenRole(): Promise<RoleAssignmentResult> {
+    return { ok: false, error: "RBAC plugin not installed" };
+  }
+
+  async removeTokenRole(): Promise<RoleAssignmentResult> {
+    return { ok: false, error: "RBAC plugin not installed" };
+  }
+}
+
+function isPublicJWT(token: string): boolean {
+  const parts = token.split(".");
+  if (parts.length !== 3) return false;
+  try {
+    const payload = JSON.parse(Buffer.from(parts[1].replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8"));
+    return payload !== null && typeof payload === "object" && payload.pub === true;
+  } catch {
+    return false;
+  }
+}
+
+function extractJWTSub(token: string): string | undefined {
+  const parts = token.split(".");
+  if (parts.length !== 3) return undefined;
+  try {
+    const payload = JSON.parse(Buffer.from(parts[1].replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8"));
+    return payload !== null && typeof payload === "object" && typeof payload.sub === "string"
+      ? payload.sub
+      : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+// Coerce a Prisma RuntimeEnvironment payload (with project/organization/
+// orgMember/parentEnvironment includes) into the slim AuthenticatedEnvironment
+// the auth contract carries. The slim type accepts both `number` and
+// Decimal-like for `concurrencyLimitBurstFactor`, but explicit coercion
+// here keeps the value a plain number across the auth boundary so
+// downstream consumers don't have to narrow before doing arithmetic.
+function toAuthenticatedEnvironment(env: RbacEnvironment): RbacEnvironment {
+  const burst = env.concurrencyLimitBurstFactor;
+  return {
+    ...env,
+    concurrencyLimitBurstFactor: typeof burst === "number" ? burst : burst.toNumber(),
+  };
+}
+
+function toRbacUser(user: {
+  id: string;
+  email: string;
+  name: string | null;
+  displayName: string | null;
+  avatarUrl: string | null;
+  admin: boolean;
+  confirmedBasicDetails: boolean;
+}): RbacUser {
+  return {
+    id: user.id,
+    email: user.email,
+    name: user.name,
+    displayName: user.displayName,
+    avatarUrl: user.avatarUrl,
+    admin: user.admin,
+    confirmedBasicDetails: user.confirmedBasicDetails,
+    isImpersonating: false,
+  };
+}
diff --git a/internal-packages/rbac/src/index.ts b/internal-packages/rbac/src/index.ts
new file mode 100644
index 00000000000..3f74dd83f51
--- /dev/null
+++ b/internal-packages/rbac/src/index.ts
@@ -0,0 +1,279 @@
+import type {
+  Permission,
+  RbacAbility,
+  Role,
+  RbacResource,
+  RoleAssignmentResult,
+  RoleBaseAccessController,
+  RoleBasedAccessControlPlugin,
+  RoleMutationResult,
+} from "@trigger.dev/plugins";
+import type { PrismaClient } from "@trigger.dev/database";
+import { RoleBaseAccessFallback } from "./fallback.js";
+export type { RoleBaseAccessController, RbacAbility, RbacResource } from "@trigger.dev/plugins";
+
+// Either a single PrismaClient (used for both writes and reads — fine
+// for callers that don't have a separate replica), or `{primary, replica}`
+// where reads on the auth hot path go to the replica. The fallback
+// reads on every request, so callers with a replica should pass both.
+export type RbacPrismaInput = PrismaClient | { primary: PrismaClient; replica: PrismaClient };
+
+export type RbacCreateOptions = {
+  // When true, skip loading the plugin, useful for tests
+  forceFallback?: boolean;
+};
+
+// Route actions that historically authorised via the legacy checkAuthorization's
+// superScopes escape hatch — e.g. a JWT with scope "write:tasks" was accepted by
+// a route with action: "trigger" because "write:tasks" was listed in the route's
+// superScopes array. The new ability model matches scope-action strictly, so we
+// restore the prior semantic here: when the underlying ability denies for action
+// X, retry with each aliased action.
+const ACTION_ALIASES: Record<string, readonly string[]> = {
+  trigger: ["write"],
+  batchTrigger: ["write"],
+  update: ["write"],
+};
+
+export function withActionAliases(underlying: RbacAbility): RbacAbility {
+  return {
+    can(action: string, resource: RbacResource | RbacResource[]): boolean {
+      if (underlying.can(action, resource)) return true;
+      const aliases = ACTION_ALIASES[action] ?? [];
+      return aliases.some((a) => underlying.can(a, resource));
+    },
+    canSuper: () => underlying.canSuper(),
+  };
+}
+
+// Loads the plugin lazily; falls back to the fallback implementation if not installed.
+// Synchronous create() avoids top-level await (not supported in the webapp's CJS build).
+class LazyController implements RoleBaseAccessController {
+  private readonly _init: Promise<RoleBaseAccessController>;
+
+  constructor(prisma: RbacPrismaInput, options?: RbacCreateOptions) {
+    this._init = this.load(prisma, options);
+    // load() runs eagerly but the result is awaited lazily on first method
+    // call. If load() rejects (e.g. REQUIRE_PLUGINS=1 + plugin missing) and
+    // nothing awaits _init before Node ticks past, the rejection surfaces
+    // as unhandledRejection and kills the process. Attach a no-op .catch
+    // so Node sees the rejection as handled; the error is re-thrown when
+    // any consumer awaits this._init via c().
+    this._init.catch(() => {});
+  }
+
+  private async load(
+    prisma: RbacPrismaInput,
+    options?: RbacCreateOptions
+  ): Promise<RoleBaseAccessController> {
+    if (options?.forceFallback) {
+      return new RoleBaseAccessFallback(prisma).create();
+    }
+    const moduleName = "@triggerdotdev/plugins/rbac";
+    try {
+      const module = await import(moduleName);
+      const plugin: RoleBasedAccessControlPlugin = module.default;
+      console.log("RBAC: using plugin implementation");
+      return plugin.create();
+    } catch (err) {
+      // The dynamic import either succeeded or failed for one of two
+      // distinct reasons. Distinguishing them is critical for debugging
+      // — silently swallowing the error here is what produced "why is
+      // the fallback being used?" mysteries before.
+      //
+      // 1. The plugin itself is absent (no install) — expected.
+      //    Logged at info level only when RBAC_LOG_FALLBACK=1 so
+      //    production logs stay quiet.
+      // 2. Anything else (transitive dep missing, init error, syntax
+      //    error in the plugin's dist, etc.) — a real bug. Always
+      //    logged loudly so it surfaces in CI / production logs.
+      //
+      // Node throws ERR_MODULE_NOT_FOUND for both cases — the *plugin*
+      // module being absent and a *transitive* dep of the plugin
+      // being absent. Disambiguate by checking whether the missing
+      // specifier in the error message is the plugin's own moduleName.
+      const code = (err as NodeJS.ErrnoException | undefined)?.code;
+      const message = err instanceof Error ? err.message : String(err);
+      const isModuleNotFound =
+        code === "ERR_MODULE_NOT_FOUND" || code === "MODULE_NOT_FOUND";
+      const isPluginItselfMissing =
+        isModuleNotFound && message.includes(moduleName);
+
+      if (!isPluginItselfMissing) {
+        // Either the error wasn't a missing-module error at all, or the
+        // plugin was found but a transitive dep failed to resolve.
+        // Either way: a real problem worth surfacing.
+        console.error(
+          "RBAC: plugin found but failed to load; falling back to default implementation",
+          err
+        );
+      } else if (process.env.RBAC_LOG_FALLBACK === "1") {
+        console.log(
+          "RBAC: no plugin installed (ERR_MODULE_NOT_FOUND); using fallback"
+        );
+      }
+
+      // Fail-fast for deployments that require plugins to be present. Set
+      // REQUIRE_PLUGINS=1 in environments where the fallback is not an
+      // acceptable degraded state — the throw surfaces on the first method
+      // call on the lazy controller (e.g. via the webapp's /healthcheck
+      // route), so the rollout's readiness probe fails and the deploy is
+      // rolled back. Self-hosters leave REQUIRE_PLUGINS unset and continue
+      // to use the fallback when no plugin is installed.
+      if (process.env.REQUIRE_PLUGINS === "1") {
+        throw new Error(
+          `REQUIRE_PLUGINS=1 but plugin "${moduleName}" did not load: ${message}`
+        );
+      }
+
+      return new RoleBaseAccessFallback(prisma).create();
+    }
+  }
+
+  private async c(): Promise<RoleBaseAccessController> {
+    return this._init;
+  }
+
+  async isUsingPlugin(): Promise<boolean> {
+    return (await this.c()).isUsingPlugin();
+  }
+
+  async authenticateBearer(...args: Parameters<RoleBaseAccessController["authenticateBearer"]>) {
+    const result = await (await this.c()).authenticateBearer(...args);
+    return result.ok ? { ...result, ability: withActionAliases(result.ability) } : result;
+  }
+
+  async authenticateSession(...args: Parameters<RoleBaseAccessController["authenticateSession"]>) {
+    const result = await (await this.c()).authenticateSession(...args);
+    return result.ok ? { ...result, ability: withActionAliases(result.ability) } : result;
+  }
+
+  // Don't delegate to the underlying Authorize variants — that would run the
+  // inline ability check against the unwrapped ability. Use our wrapped
+  // authenticate* and do the ability check here instead.
+  async authenticateAuthorizeBearer(
+    request: Parameters<RoleBaseAccessController["authenticateAuthorizeBearer"]>[0],
+    check: Parameters<RoleBaseAccessController["authenticateAuthorizeBearer"]>[1],
+    options?: Parameters<RoleBaseAccessController["authenticateAuthorizeBearer"]>[2]
+  ) {
+    const auth = await this.authenticateBearer(request, options);
+    if (!auth.ok) return auth;
+    if (!auth.ability.can(check.action, check.resource)) {
+      return { ok: false as const, status: 403 as const, error: "Unauthorized" };
+    }
+    return auth;
+  }
+
+  async authenticateAuthorizeSession(
+    request: Parameters<RoleBaseAccessController["authenticateAuthorizeSession"]>[0],
+    context: Parameters<RoleBaseAccessController["authenticateAuthorizeSession"]>[1],
+    check: Parameters<RoleBaseAccessController["authenticateAuthorizeSession"]>[2]
+  ) {
+    const auth = await this.authenticateSession(request, context);
+    if (!auth.ok) return auth;
+    if (!auth.ability.can(check.action, check.resource)) {
+      return { ok: false as const, reason: "unauthorized" as const };
+    }
+    return auth;
+  }
+
+  async authenticatePat(...args: Parameters<RoleBaseAccessController["authenticatePat"]>) {
+    const result = await (await this.c()).authenticatePat(...args);
+    return result.ok ? { ...result, ability: withActionAliases(result.ability) } : result;
+  }
+
+  async systemRoles(...args: Parameters<RoleBaseAccessController["systemRoles"]>) {
+    return (await this.c()).systemRoles(...args);
+  }
+
+  async allPermissions(
+    ...args: Parameters<RoleBaseAccessController["allPermissions"]>
+  ): Promise<Permission[]> {
+    return (await this.c()).allPermissions(...args);
+  }
+
+  async allRoles(...args: Parameters<RoleBaseAccessController["allRoles"]>): Promise<Role[]> {
+    return (await this.c()).allRoles(...args);
+  }
+
+  async getAssignableRoleIds(
+    ...args: Parameters<RoleBaseAccessController["getAssignableRoleIds"]>
+  ): Promise<string[]> {
+    return (await this.c()).getAssignableRoleIds(...args);
+  }
+
+  async createRole(
+    ...args: Parameters<RoleBaseAccessController["createRole"]>
+  ): Promise<RoleMutationResult> {
+    return (await this.c()).createRole(...args);
+  }
+
+  async updateRole(
+    ...args: Parameters<RoleBaseAccessController["updateRole"]>
+  ): Promise<RoleMutationResult> {
+    return (await this.c()).updateRole(...args);
+  }
+
+  async deleteRole(
+    ...args: Parameters<RoleBaseAccessController["deleteRole"]>
+  ): Promise<RoleAssignmentResult> {
+    return (await this.c()).deleteRole(...args);
+  }
+
+  async getUserRole(
+    ...args: Parameters<RoleBaseAccessController["getUserRole"]>
+  ): Promise<Role | null> {
+    return (await this.c()).getUserRole(...args);
+  }
+
+  async getUserRoles(
+    ...args: Parameters<RoleBaseAccessController["getUserRoles"]>
+  ): Promise<Map<string, Role | null>> {
+    return (await this.c()).getUserRoles(...args);
+  }
+
+  async setUserRole(
+    ...args: Parameters<RoleBaseAccessController["setUserRole"]>
+  ): Promise<RoleAssignmentResult> {
+    return (await this.c()).setUserRole(...args);
+  }
+
+  async removeUserRole(
+    ...args: Parameters<RoleBaseAccessController["removeUserRole"]>
+  ): Promise<RoleAssignmentResult> {
+    return (await this.c()).removeUserRole(...args);
+  }
+
+  async getTokenRole(
+    ...args: Parameters<RoleBaseAccessController["getTokenRole"]>
+  ): Promise<Role | null> {
+    return (await this.c()).getTokenRole(...args);
+  }
+
+  async setTokenRole(
+    ...args: Parameters<RoleBaseAccessController["setTokenRole"]>
+  ): Promise<RoleAssignmentResult> {
+    return (await this.c()).setTokenRole(...args);
+  }
+
+  async removeTokenRole(
+    ...args: Parameters<RoleBaseAccessController["removeTokenRole"]>
+  ): Promise<RoleAssignmentResult> {
+    return (await this.c()).removeTokenRole(...args);
+  }
+}
+
+class RoleBaseAccess {
+  // Synchronous — returns a lazy controller that resolves any installed
+  // plugin on first call.
+  create(
+    prisma: RbacPrismaInput,
+    options?: RbacCreateOptions
+  ): RoleBaseAccessController {
+    return new LazyController(prisma, options);
+  }
+}
+
+const loader = new RoleBaseAccess();
+
+export default loader;
diff --git a/internal-packages/rbac/src/loader.test.ts b/internal-packages/rbac/src/loader.test.ts
new file mode 100644
index 00000000000..151bdcf9683
--- /dev/null
+++ b/internal-packages/rbac/src/loader.test.ts
@@ -0,0 +1,69 @@
+import type { RbacAbility } from "@trigger.dev/plugins";
+import { describe, expect, it } from "vitest";
+import { buildJwtAbility } from "./ability.js";
+import { withActionAliases } from "./index.js";
+
+describe("withActionAliases", () => {
+  it("direct action match passes through unchanged", () => {
+    const ability = withActionAliases(buildJwtAbility(["write:tasks"]));
+    expect(ability.can("write", { type: "tasks", id: "task_x" })).toBe(true);
+  });
+
+  it("trigger action is satisfied by a write:tasks scope (alias retry)", () => {
+    const ability = withActionAliases(buildJwtAbility(["write:tasks"]));
+    expect(ability.can("trigger", { type: "tasks", id: "task_x" })).toBe(true);
+  });
+
+  it("batchTrigger action is satisfied by a write:tasks scope (alias retry)", () => {
+    const ability = withActionAliases(buildJwtAbility(["write:tasks"]));
+    expect(ability.can("batchTrigger", { type: "tasks", id: "task_x" })).toBe(true);
+  });
+
+  it("update action is satisfied by a write:prompts scope (alias retry)", () => {
+    const ability = withActionAliases(buildJwtAbility(["write:prompts"]));
+    expect(ability.can("update", { type: "prompts", id: "p_x" })).toBe(true);
+  });
+
+  it("id-scoped write scope satisfies the aliased action on matching id", () => {
+    const ability = withActionAliases(buildJwtAbility(["write:tasks:task_x"]));
+    expect(ability.can("trigger", { type: "tasks", id: "task_x" })).toBe(true);
+  });
+
+  it("id-scoped write scope denies the aliased action on a different id", () => {
+    const ability = withActionAliases(buildJwtAbility(["write:tasks:task_x"]));
+    expect(ability.can("trigger", { type: "tasks", id: "task_other" })).toBe(false);
+  });
+
+  it("read scope does not satisfy a trigger action (aliases are write-only)", () => {
+    const ability = withActionAliases(buildJwtAbility(["read:tasks"]));
+    expect(ability.can("trigger", { type: "tasks", id: "task_x" })).toBe(false);
+  });
+
+  it("non-aliased custom action only matches its direct action scope", () => {
+    const ability = withActionAliases(buildJwtAbility(["read:runs"]));
+    expect(ability.can("someOtherAction", { type: "runs", id: "run_x" })).toBe(false);
+  });
+
+  it("admin scope continues to grant everything regardless of aliases", () => {
+    const ability = withActionAliases(buildJwtAbility(["admin"]));
+    expect(ability.can("trigger", { type: "tasks", id: "task_x" })).toBe(true);
+    expect(ability.can("batchTrigger", { type: "tasks", id: "task_x" })).toBe(true);
+    expect(ability.can("anything", { type: "whatever", id: "x" })).toBe(true);
+  });
+
+  it("array resource form: alias retry applies when any element passes", () => {
+    const ability = withActionAliases(buildJwtAbility(["write:tasks:task_x"]));
+    const resources = [
+      { type: "tasks", id: "task_other" },
+      { type: "tasks", id: "task_x" },
+    ];
+    expect(ability.can("trigger", resources)).toBe(true);
+  });
+
+  it("canSuper is delegated unchanged", () => {
+    const allowSuper: RbacAbility = { can: () => false, canSuper: () => true };
+    const denySuper: RbacAbility = { can: () => false, canSuper: () => false };
+    expect(withActionAliases(allowSuper).canSuper()).toBe(true);
+    expect(withActionAliases(denySuper).canSuper()).toBe(false);
+  });
+});
diff --git a/internal-packages/rbac/src/require-plugins.test.ts b/internal-packages/rbac/src/require-plugins.test.ts
new file mode 100644
index 00000000000..0b81674f536
--- /dev/null
+++ b/internal-packages/rbac/src/require-plugins.test.ts
@@ -0,0 +1,44 @@
+import type { PrismaClient } from "@trigger.dev/database";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import loader from "./index.js";
+
+// The plugin module `@triggerdotdev/plugins/rbac` is not installed in this
+// repo (it lives in the cloud monorepo), so a real dynamic import inside
+// the loader will reliably fail with ERR_MODULE_NOT_FOUND. These tests
+// exercise the loader's branching on that natural failure — no module
+// mocking required.
+
+// The fallback's isUsingPlugin() returns false synchronously without
+// touching prisma, so a placeholder client is fine for tests that only
+// drive the loader path.
+const prismaPlaceholder = {} as unknown as PrismaClient;
+
+describe("LazyController plugin loading", () => {
+  afterEach(() => {
+    vi.unstubAllEnvs();
+  });
+
+  it("falls back silently when REQUIRE_PLUGINS is unset and the plugin is missing", async () => {
+    vi.stubEnv("REQUIRE_PLUGINS", "");
+    const controller = loader.create(prismaPlaceholder);
+    await expect(controller.isUsingPlugin()).resolves.toBe(false);
+  });
+
+  it("throws when REQUIRE_PLUGINS=1 and the plugin is missing", async () => {
+    vi.stubEnv("REQUIRE_PLUGINS", "1");
+    const controller = loader.create(prismaPlaceholder);
+    await expect(controller.isUsingPlugin()).rejects.toThrow(/REQUIRE_PLUGINS=1/);
+  });
+
+  it("forceFallback wins over REQUIRE_PLUGINS=1 (so tests inheriting the env aren't broken)", async () => {
+    vi.stubEnv("REQUIRE_PLUGINS", "1");
+    const controller = loader.create(prismaPlaceholder, { forceFallback: true });
+    await expect(controller.isUsingPlugin()).resolves.toBe(false);
+  });
+
+  it("treats any non-'1' REQUIRE_PLUGINS value as unset (must be exactly '1' to enforce)", async () => {
+    vi.stubEnv("REQUIRE_PLUGINS", "true");
+    const controller = loader.create(prismaPlaceholder);
+    await expect(controller.isUsingPlugin()).resolves.toBe(false);
+  });
+});
diff --git a/internal-packages/rbac/tsconfig.json b/internal-packages/rbac/tsconfig.json
new file mode 100644
index 00000000000..8da0857b403
--- /dev/null
+++ b/internal-packages/rbac/tsconfig.json
@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "target": "ES2019",
+    "lib": ["ES2019", "DOM"],
+    "module": "ESNext",
+    "moduleResolution": "Bundler",
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "isolatedModules": true,
+    "preserveWatchOutput": true,
+    "skipLibCheck": true,
+    "noEmit": true,
+    "strict": true,
+    "customConditions": ["@triggerdotdev/source"]
+  },
+  "exclude": ["node_modules"]
+}
diff --git a/internal-packages/rbac/vitest.config.ts b/internal-packages/rbac/vitest.config.ts
new file mode 100644
index 00000000000..e07f05e842b
--- /dev/null
+++ b/internal-packages/rbac/vitest.config.ts
@@ -0,0 +1,10 @@
+import { defineConfig } from "vitest/config";
+
+export default defineConfig({
+  test: {
+    include: ["**/*.test.ts"],
+    globals: true,
+    isolate: true,
+    testTimeout: 10_000,
+  },
+});
diff --git a/internal-packages/redis/package.json b/internal-packages/redis/package.json
index 9c13bbf21b0..6c7d8aa2608 100644
--- a/internal-packages/redis/package.json
+++ b/internal-packages/redis/package.json
@@ -6,7 +6,7 @@
   "types": "./src/index.ts",
   "type": "module",
   "dependencies": {
-    "ioredis": "^5.3.2",
+    "ioredis": "~5.6.0",
     "@trigger.dev/core": "workspace:*"
   },
   "scripts": {
diff --git a/internal-packages/redis/src/index.ts b/internal-packages/redis/src/index.ts
index bdd69315cff..a1283d6153a 100644
--- a/internal-packages/redis/src/index.ts
+++ b/internal-packages/redis/src/index.ts
@@ -3,12 +3,44 @@ import { Logger } from "@trigger.dev/core/logger";
 
 export { Redis, type Callback, type RedisOptions, type Result, type RedisCommander } from "ioredis";
 
+/**
+ * Reply-error -> reconnect mapping. Without this hook, an ElastiCache
+ * vertical scale-up surfaces tens of thousands of READONLY / LOADING
+ * reply errors to caller code over a healthy TCP/TLS connection (the
+ * client keeps talking to a node whose role swapped underneath it).
+ *
+ * UNBLOCKED is the BLPOP-shaped case: the Redis primary forcibly
+ * unblocks any blocking command on a connection whose node is about
+ * to be demoted, returning an UNBLOCKED reply. Surfaced 65 times on
+ * engine/v1/worker-actions/dequeue at the cutover instant during the
+ * TRI-8873 test-cloud scale-up dry-run.
+ *
+ * Returning 2 tells ioredis to disconnect, reconnect, and retry the
+ * command that triggered the error. After reconnect, DNS / SG routing
+ * should land on a writable primary.
+ *
+ * Empirical confirmation on the harness in TRI-8878: this option
+ * reduced a scale-up event from ~437,000 caller-surfaced errors to 2.
+ */
+export function defaultReconnectOnError(err: Error): boolean | 1 | 2 {
+  const msg = err.message ?? "";
+  if (
+    msg.startsWith("READONLY") ||
+    msg.startsWith("LOADING") ||
+    msg.startsWith("UNBLOCKED")
+  ) {
+    return 2;
+  }
+  return false;
+}
+
 const defaultOptions: Partial<RedisOptions> = {
   retryStrategy: (times: number) => {
     const delay = Math.min(times * 50, 1000);
     return delay;
   },
   maxRetriesPerRequest: process.env.GITHUB_ACTIONS ? 50 : process.env.VITEST ? 5 : 20,
+  reconnectOnError: defaultReconnectOnError,
 };
 
 const logger = new Logger("Redis", "debug");
diff --git a/internal-packages/replication/vitest.config.ts b/internal-packages/replication/vitest.config.ts
index 1d779c09577..26c9ecebf11 100644
--- a/internal-packages/replication/vitest.config.ts
+++ b/internal-packages/replication/vitest.config.ts
@@ -1,16 +1,13 @@
 import { defineConfig } from "vitest/config";
+import { DurationShardingSequencer } from "@internal/testcontainers/sequencer";
 
 export default defineConfig({
   test: {
+    sequence: { sequencer: DurationShardingSequencer },
     include: ["**/*.test.ts"],
     globals: true,
     isolate: true,
     fileParallelism: false,
-    poolOptions: {
-      threads: {
-        singleThread: true,
-      },
-    },
     testTimeout: 60_000,
     coverage: {
       provider: "v8",
diff --git a/internal-packages/run-engine/package.json b/internal-packages/run-engine/package.json
index 680d385ca4e..8b876a1aab6 100644
--- a/internal-packages/run-engine/package.json
+++ b/internal-packages/run-engine/package.json
@@ -35,6 +35,7 @@
   },
   "devDependencies": {
     "@internal/testcontainers": "workspace:*",
+    "@opentelemetry/sdk-metrics": "2.7.1",
     "@types/seedrandom": "^3.0.8",
     "rimraf": "6.0.1"
   },
diff --git a/internal-packages/run-engine/src/batch-queue/index.ts b/internal-packages/run-engine/src/batch-queue/index.ts
index 6b49795da52..1f7a6221f48 100644
--- a/internal-packages/run-engine/src/batch-queue/index.ts
+++ b/internal-packages/run-engine/src/batch-queue/index.ts
@@ -929,14 +929,30 @@ export class BatchQueue {
             errorCode: result.errorCode,
           });
 
-          this.logger.error("Batch item processing failed after all attempts", {
-            batchId,
-            itemIndex,
-            error: result.error,
-            processedCount,
-            expectedCount: meta.runCount,
-            attempts: attempt,
-          });
+          // skipRetries=true means the callback knew the failure was
+          // intentional/non-retryable (e.g. customer hit queue size limit).
+          // Don't promote it back to error — the callback already logged
+          // appropriately and a permanent-failure record was written.
+          if (result.skipRetries) {
+            this.logger.warn("Batch item processing failed (non-retryable)", {
+              batchId,
+              itemIndex,
+              error: result.error,
+              errorCode: result.errorCode,
+              processedCount,
+              expectedCount: meta.runCount,
+              attempts: attempt,
+            });
+          } else {
+            this.logger.error("Batch item processing failed after all attempts", {
+              batchId,
+              itemIndex,
+              error: result.error,
+              processedCount,
+              expectedCount: meta.runCount,
+              attempts: attempt,
+            });
+          }
         }
       } catch (error) {
         span?.setAttribute("batch.result", "unexpected_error");
diff --git a/internal-packages/run-engine/src/engine/errors.ts b/internal-packages/run-engine/src/engine/errors.ts
index 820f0ec4ce6..2bb05a304c9 100644
--- a/internal-packages/run-engine/src/engine/errors.ts
+++ b/internal-packages/run-engine/src/engine/errors.ts
@@ -19,6 +19,7 @@ export function runStatusFromError(
     case "TASK_INPUT_ERROR":
     case "TASK_OUTPUT_ERROR":
     case "TASK_MIDDLEWARE_ERROR":
+    case "TASK_RUN_UNCAUGHT_EXCEPTION":
       return "COMPLETED_WITH_ERRORS";
     case "TASK_RUN_CANCELLED":
       return "CANCELED";
@@ -103,3 +104,10 @@ export class RunOneTimeUseTokenError extends Error {
     this.name = "RunOneTimeUseTokenError";
   }
 }
+
+export class ExecutionSnapshotNotFoundError extends Error {
+  constructor(public readonly snapshotId: string) {
+    super(`No execution snapshot found for id ${snapshotId}`);
+    this.name = "ExecutionSnapshotNotFoundError";
+  }
+}
diff --git a/internal-packages/run-engine/src/engine/eventBus.ts b/internal-packages/run-engine/src/engine/eventBus.ts
index 2e4adeed4b1..bd29869d280 100644
--- a/internal-packages/run-engine/src/engine/eventBus.ts
+++ b/internal-packages/run-engine/src/engine/eventBus.ts
@@ -11,7 +11,14 @@ export type EventBusEvents = {
   runCreated: [
     {
       time: Date;
-      runId: string;
+      run: {
+        id: string;
+        runTags: string[];
+        batchId: string | null;
+      };
+      environment: {
+        id: string;
+      };
     },
   ];
   runEnqueuedAfterDelay: [
@@ -23,6 +30,8 @@ export type EventBusEvents = {
         queuedAt: Date;
         updatedAt: Date;
         createdAt: Date;
+        runTags: string[];
+        batchId: string | null;
       };
       organization: {
         id: string;
@@ -44,6 +53,8 @@ export type EventBusEvents = {
         delayUntil: Date;
         updatedAt: Date;
         createdAt: Date;
+        runTags: string[];
+        batchId: string | null;
       };
       organization: {
         id: string;
@@ -76,6 +87,8 @@ export type EventBusEvents = {
         maxDurationInSeconds?: number;
         maxAttempts?: number;
         createdAt: Date;
+        runTags: string[];
+        batchId: string | null;
       };
       organization: {
         id: string;
@@ -96,6 +109,8 @@ export type EventBusEvents = {
         status: TaskRunStatus;
         updatedAt: Date;
         createdAt: Date;
+        runTags: string[];
+        batchId: string | null;
       };
       organization: {
         id?: string;
@@ -119,6 +134,8 @@ export type EventBusEvents = {
         attemptNumber: number;
         baseCostInCents: number;
         executedAt: Date | undefined;
+        runTags: string[];
+        batchId: string | null;
       };
       organization: {
         id: string;
@@ -245,6 +262,8 @@ export type EventBusEvents = {
         createdAt: Date;
         error: TaskRunError;
         taskEventStore?: string;
+        runTags: string[];
+        batchId: string | null;
       };
       organization: {
         id: string;
diff --git a/internal-packages/run-engine/src/engine/index.ts b/internal-packages/run-engine/src/engine/index.ts
index 6757894fbbe..2b434a86eec 100644
--- a/internal-packages/run-engine/src/engine/index.ts
+++ b/internal-packages/run-engine/src/engine/index.ts
@@ -1,5 +1,5 @@
 import { createRedisClient, Redis } from "@internal/redis";
-import { getMeter, Meter, startSpan, trace, Tracer } from "@internal/tracing";
+import { type Counter, getMeter, Meter, startSpan, trace, Tracer } from "@internal/tracing";
 import { Logger } from "@trigger.dev/core/logger";
 import {
   CheckpointInput,
@@ -33,6 +33,7 @@ import {
 import { Worker } from "@trigger.dev/redis-worker";
 import { assertNever } from "assert-never";
 import { EventEmitter } from "node:events";
+import { setTimeout } from "node:timers/promises";
 import { BatchQueue } from "../batch-queue/index.js";
 import type {
   BatchItem,
@@ -46,7 +47,12 @@ import { RunQueue } from "../run-queue/index.js";
 import { RunQueueFullKeyProducer } from "../run-queue/keyProducer.js";
 import { AuthenticatedEnvironment, MinimalAuthenticatedEnvironment } from "../shared/index.js";
 import { BillingCache } from "./billingCache.js";
-import { NotImplementedError, RunDuplicateIdempotencyKeyError } from "./errors.js";
+import {
+  ExecutionSnapshotNotFoundError,
+  NotImplementedError,
+  RunDuplicateIdempotencyKeyError,
+  RunOneTimeUseTokenError,
+} from "./errors.js";
 import { EventBus, EventBusEvents } from "./eventBus.js";
 import { RunLocker } from "./locking.js";
 import { getFinalRunStatuses } from "./statuses.js";
@@ -65,6 +71,7 @@ import {
 import { PendingVersionSystem } from "./systems/pendingVersionSystem.js";
 import { RaceSimulationSystem } from "./systems/raceSimulationSystem.js";
 import { RunAttemptSystem } from "./systems/runAttemptSystem.js";
+import { NoopPendingVersionRunIdLookup } from "./services/pendingVersionLookup.js";
 import { SystemResources } from "./systems/systems.js";
 import { TtlSystem } from "./systems/ttlSystem.js";
 import { WaitpointSystem } from "./systems/waitpointSystem.js";
@@ -87,6 +94,8 @@ export class RunEngine {
   private logger: Logger;
   private tracer: Tracer;
   private meter: Meter;
+  private snapshotsSinceReplicaMissCounter: Counter;
+  private snapshotsSinceReplicaRetryDelay: { minMs: number; maxMs: number };
   private heartbeatTimeouts: HeartbeatTimeouts;
   private repairSnapshotTimeoutMs: number;
   private batchQueue: BatchQueue;
@@ -244,7 +253,8 @@ export class RunEngine {
         },
         queueRunsPendingVersion: async ({ payload }) => {
           await this.pendingVersionSystem.enqueueRunsForBackgroundWorker(
-            payload.backgroundWorkerId
+            payload.backgroundWorkerId,
+            payload.attempt
           );
         },
         tryCompleteBatch: async ({ payload }) => {
@@ -270,6 +280,22 @@ export class RunEngine {
     this.tracer = options.tracer;
     this.meter = options.meter ?? getMeter("run-engine");
 
+    this.snapshotsSinceReplicaMissCounter = this.meter.createCounter(
+      "run_engine.snapshots_since.replica_miss",
+      {
+        description:
+          "getSnapshotsSince reads where the since snapshot was not yet on the read replica, recovered via a replica retry or served from the primary",
+      }
+    );
+
+    // Normalize the bounds, but keep maxMs <= 0 meaning "skip the replica retry".
+    const retryDelay = options.readReplicaSnapshotsSinceRetryDelay ?? { minMs: 50, maxMs: 200 };
+    const retryMinMs = Math.max(0, retryDelay.minMs);
+    this.snapshotsSinceReplicaRetryDelay = {
+      minMs: retryDelay.maxMs > 0 ? Math.min(retryMinMs, retryDelay.maxMs) : retryMinMs,
+      maxMs: retryDelay.maxMs,
+    };
+
     const defaultHeartbeatTimeouts: HeartbeatTimeouts = {
       PENDING_EXECUTING: 60_000,
       PENDING_CANCEL: 60_000,
@@ -295,6 +321,8 @@ export class RunEngine {
       runLock: this.runLock,
       runQueue: this.runQueue,
       raceSimulationSystem: this.raceSimulationSystem,
+      pendingVersionRunIdLookup:
+        options.pendingVersionRunIdLookup ?? new NoopPendingVersionRunIdLookup(),
     };
 
     this.executionSnapshotSystem = new ExecutionSnapshotSystem({
@@ -324,11 +352,17 @@ export class RunEngine {
       executionSnapshotSystem: this.executionSnapshotSystem,
       delayedRunSystem: this.delayedRunSystem,
       maxDebounceDurationMs: options.debounce?.maxDebounceDurationMs ?? 60 * 60 * 1000, // Default 1 hour
+      quantizeNewDelayUntilMs: options.debounce?.quantizeNewDelayUntilMs ?? 1000,
+      fastPathSkipEnabled: options.debounce?.fastPathSkipEnabled ?? true,
+      useReplicaForFastPathRead: options.debounce?.useReplicaForFastPathRead ?? false,
     });
 
     this.pendingVersionSystem = new PendingVersionSystem({
       resources,
       enqueueSystem: this.enqueueSystem,
+      queueRunsPendingVersionBatchSize: options.queueRunsWaitingForWorkerBatchSize,
+      lagRetryDelayMs: options.pendingVersionLagRetryDelayMs,
+      lagMaxRetries: options.pendingVersionLagMaxRetries,
     });
 
     this.waitpointSystem = new WaitpointSystem({
@@ -440,6 +474,199 @@ export class RunEngine {
 
   //MARK: - Run functions
 
+  /**
+   * Writes a TaskRun row in CANCELED state directly, bypassing the trigger
+   * pipeline. Used by the mollifier drainer when a cancel API call lands on
+   * a buffered run before it materialises.
+   *
+   * Skips: queue insertion (no execution), waitpoint creation (the
+   * mollifier gate refuses to buffer triggerAndWait children, so a
+   * cancelled buffered run never has a waiting parent to unblock),
+   * concurrency reservation. Emits `runCancelled` by default — callers
+   * working on buffered-only runs (no primary trace event exists) can
+   * opt out via `emitRunCancelledEvent: false` to avoid the systematic
+   * "Failed to cancel run event" noise the handler would log when its
+   * `cancelRunEvent` call can't find a span.
+   *
+   * Idempotent: if a row with the same friendlyId already exists (double
+   * drainer pop after requeue), Prisma's P2002 unique-constraint violation
+   * is caught and the existing row is returned. The duplicate runCancelled
+   * emission is skipped — the original drain's emit already wrote the
+   * TaskEvent (when applicable).
+   */
+  async createCancelledRun(
+    {
+      snapshot,
+      cancelledAt,
+      cancelReason,
+      emitRunCancelledEvent = true,
+    }: {
+      snapshot: TriggerParams;
+      cancelledAt: Date;
+      cancelReason: string;
+      /**
+       * Whether to emit the `runCancelled` engine-bus event. Defaults to
+       * true.
+       *
+       * Set to `false` for buffered-only runs that never had a primary
+       * trace event written (the mollifier gate never called
+       * `repository.traceEvent` for them). The `runCancelled` handler in
+       * `runEngineHandlers.server.ts` calls `cancelRunEvent`, which
+       * looks up the run's primary span in the event store — for
+       * buffered-only runs that span doesn't exist, so the lookup fails,
+       * the handler's `tryCatch` swallows it, and a "[runCancelled]
+       * Failed to cancel run event" error is logged for every cancelled
+       * buffered run. Suppressing the emit avoids that systematic noise.
+       * The CANCELED PG row is still written; only the trace-event
+       * mirror is skipped.
+       */
+      emitRunCancelledEvent?: boolean;
+    },
+    tx?: PrismaClientOrTransaction,
+  ): Promise<TaskRun> {
+    const prisma = tx ?? this.prisma;
+    return startSpan(this.tracer, "createCancelledRun", async (span) => {
+      span.setAttribute("friendlyId", snapshot.friendlyId);
+      span.setAttribute("taskIdentifier", snapshot.taskIdentifier);
+      const id = RunId.fromFriendlyId(snapshot.friendlyId);
+      const error: TaskRunError = { type: "STRING_ERROR", raw: cancelReason };
+
+      try {
+        const taskRun = await prisma.taskRun.create({
+          data: {
+            id,
+            engine: "V2",
+            status: "CANCELED",
+            friendlyId: snapshot.friendlyId,
+            runtimeEnvironmentId: snapshot.environment.id,
+            environmentType: snapshot.environment.type,
+            organizationId: snapshot.environment.organization.id,
+            projectId: snapshot.environment.project.id,
+            idempotencyKey: snapshot.idempotencyKey,
+            idempotencyKeyExpiresAt: snapshot.idempotencyKeyExpiresAt,
+            idempotencyKeyOptions: snapshot.idempotencyKeyOptions,
+            taskIdentifier: snapshot.taskIdentifier,
+            payload: snapshot.payload,
+            payloadType: snapshot.payloadType,
+            context: snapshot.context,
+            traceContext: snapshot.traceContext,
+            traceId: snapshot.traceId,
+            spanId: snapshot.spanId,
+            parentSpanId: snapshot.parentSpanId,
+            lockedToVersionId: snapshot.lockedToVersionId,
+            taskVersion: snapshot.taskVersion,
+            sdkVersion: snapshot.sdkVersion,
+            cliVersion: snapshot.cliVersion,
+            concurrencyKey: snapshot.concurrencyKey,
+            queue: snapshot.queue,
+            lockedQueueId: snapshot.lockedQueueId,
+            workerQueue: snapshot.workerQueue,
+            isTest: snapshot.isTest,
+            taskEventStore: snapshot.taskEventStore,
+            // Defensive: the snapshot comes from a cjson-encoded buffer
+            // payload, where empty Lua tables encode as `{}` not `[]`. If
+            // the drainer pops a buffered run with no tags, snapshot.tags
+            // will be an empty object, which Prisma misreads as a relation
+            // update op. Normalise to a real array (or undefined for the
+            // empty case).
+            runTags: Array.isArray(snapshot.tags) && snapshot.tags.length > 0
+              ? snapshot.tags
+              : undefined,
+            oneTimeUseToken: snapshot.oneTimeUseToken,
+            parentTaskRunId: snapshot.parentTaskRunId,
+            rootTaskRunId: snapshot.rootTaskRunId,
+            replayedFromTaskRunFriendlyId: snapshot.replayedFromTaskRunFriendlyId,
+            batchId: snapshot.batch?.id,
+            resumeParentOnCompletion: snapshot.resumeParentOnCompletion,
+            depth: snapshot.depth,
+            seedMetadata: snapshot.seedMetadata,
+            seedMetadataType: snapshot.seedMetadataType,
+            metadata: snapshot.metadata,
+            metadataType: snapshot.metadataType,
+            machinePreset: snapshot.machine,
+            scheduleId: snapshot.scheduleId,
+            scheduleInstanceId: snapshot.scheduleInstanceId,
+            createdAt: snapshot.createdAt,
+            bulkActionGroupIds: snapshot.bulkActionId ? [snapshot.bulkActionId] : undefined,
+            planType: snapshot.planType,
+            realtimeStreamsVersion: snapshot.realtimeStreamsVersion,
+            streamBasinName: snapshot.streamBasinName,
+            annotations: snapshot.annotations,
+            completedAt: cancelledAt,
+            updatedAt: cancelledAt,
+            error: error as unknown as Prisma.InputJsonValue,
+            attemptNumber: 0,
+            executionSnapshots: {
+              create: {
+                engine: "V2",
+                executionStatus: "FINISHED",
+                description: "Run cancelled before materialisation",
+                runStatus: "CANCELED",
+                environmentId: snapshot.environment.id,
+                environmentType: snapshot.environment.type,
+                projectId: snapshot.environment.project.id,
+                organizationId: snapshot.environment.organization.id,
+              },
+            },
+          },
+        });
+
+        if (emitRunCancelledEvent) {
+          this.eventBus.emit("runCancelled", {
+            time: cancelledAt,
+            run: {
+              id: taskRun.id,
+              status: taskRun.status,
+              friendlyId: taskRun.friendlyId,
+              spanId: taskRun.spanId,
+              taskEventStore: taskRun.taskEventStore,
+              createdAt: taskRun.createdAt,
+              completedAt: taskRun.completedAt,
+              error,
+              updatedAt: taskRun.updatedAt,
+              attemptNumber: taskRun.attemptNumber ?? 0,
+            },
+            organization: { id: snapshot.environment.organization.id },
+            project: { id: snapshot.environment.project.id },
+            environment: { id: snapshot.environment.id },
+          });
+        }
+
+        return taskRun;
+      } catch (err) {
+        // P2002 = unique constraint violation. Double-pop after a drainer
+        // requeue can reach this. Idempotent: return the existing row
+        // without re-emitting.
+        if (
+          err instanceof Prisma.PrismaClientKnownRequestError &&
+          err.code === "P2002"
+        ) {
+          this.logger.info(
+            "createCancelledRun: row already exists, returning existing (idempotent)",
+            { friendlyId: snapshot.friendlyId },
+          );
+          const existing = await prisma.taskRun.findFirst({ where: { id } });
+          if (existing) {
+            // Only treat the conflict as idempotent when the existing
+            // row is ALREADY canceled. If a non-canceled row landed
+            // first (e.g. the drainer's normal `engine.trigger` replay
+            // path raced ahead of the cancel) we surface a conflict
+            // rather than silently reporting "cancelled" — the run is
+            // genuinely live and the caller must decide between
+            // engine.cancelRun() and skipping.
+            if (existing.status === "CANCELED") {
+              return existing;
+            }
+            throw new Error(
+              `createCancelledRun conflict: existing run ${snapshot.friendlyId} has status ${existing.status}`,
+            );
+          }
+        }
+        throw err;
+      }
+    });
+  }
+
   /** "Triggers" one run. */
   async trigger(
     {
@@ -495,6 +722,7 @@ export class RunEngine {
       bulkActionId,
       planType,
       realtimeStreamsVersion,
+      streamBasinName,
       debounce,
       annotations,
       onDebounced,
@@ -637,7 +865,16 @@ export class RunEngine {
               priorityMs,
               queueTimestamp: queueTimestamp ?? delayUntil ?? new Date(),
               ttl: resolvedTtl,
-              runTags: tags.length === 0 ? undefined : tags,
+              // Defensive: when the mollifier drainer replays a buffered
+              // snapshot whose payload was rewritten by a buffer-side Lua
+              // mutate (e.g. append_tags clears an empty list), cjson
+              // encodes an empty Lua table as `{}` rather than `[]`. JS
+              // parses that back as an empty object, and `{}.length` is
+              // undefined — the original `tags.length === 0` check would
+              // pass `{}` straight to Prisma's `String[]` column. Mirror
+              // the same Array.isArray guard that `createCancelledRun`
+              // uses for symmetry with the trigger replay path.
+              runTags: Array.isArray(tags) && tags.length > 0 ? tags : undefined,
               oneTimeUseToken,
               parentTaskRunId,
               rootTaskRunId,
@@ -657,6 +894,7 @@ export class RunEngine {
               bulkActionGroupIds: bulkActionId ? [bulkActionId] : undefined,
               planType,
               realtimeStreamsVersion,
+              streamBasinName,
               debounce: debounce
                 ? {
                   key: debounce.key,
@@ -703,15 +941,25 @@ export class RunEngine {
             });
 
             if (error.code === "P2002") {
-              this.logger.debug("engine.trigger(): throwing RunDuplicateIdempotencyKeyError", {
+              const target = (error.meta as Record<string, unknown>)?.target;
+              const targetFields = Array.isArray(target) ? target : [];
+
+              this.logger.debug("engine.trigger(): P2002 unique constraint violation", {
                 code: error.code,
                 message: error.message,
                 meta: error.meta,
+                target: targetFields,
                 idempotencyKey,
                 environmentId: environment.id,
               });
 
-              //this happens if a unique constraint failed, i.e. duplicate idempotency
+              if (targetFields.includes("oneTimeUseToken")) {
+                throw new RunOneTimeUseTokenError(
+                  `One-time use token has already been used`
+                );
+              }
+
+              // Only idempotency key collisions should be retried
               throw new RunDuplicateIdempotencyKeyError(
                 `Run with idempotency key ${idempotencyKey} already exists`
               );
@@ -782,7 +1030,13 @@ export class RunEngine {
           }
         } else {
           try {
-            if (taskRun.ttl) {
+            // The new batch TTL path only expires runs still in the queue
+            // sorted set (waiting on a concurrency slot). For DEV
+            // environments where the dev CLI may not be running, fast-pathed
+            // runs can sit on the worker queue indefinitely and never get
+            // claimed for expiration. Keep the legacy per-run expireRun job
+            // armed for DEV so those runs still expire.
+            if (taskRun.ttl && environment.type === "DEVELOPMENT") {
               await this.ttlSystem.scheduleExpireRun({ runId: taskRun.id, ttl: taskRun.ttl });
             }
 
@@ -797,7 +1051,7 @@ export class RunEngine {
               enableFastPath,
             });
           } catch (enqueueError) {
-            this.logger.error("engine.trigger(): failed to schedule TTL or enqueue run", {
+            this.logger.error("engine.trigger(): failed to enqueue run", {
               runId: taskRun.id,
               friendlyId: taskRun.friendlyId,
               taskIdentifier: taskRun.taskIdentifier,
@@ -812,7 +1066,14 @@ export class RunEngine {
 
         this.eventBus.emit("runCreated", {
           time: new Date(),
-          runId: taskRun.id,
+          run: {
+            id: taskRun.id,
+            runTags: taskRun.runTags,
+            batchId: taskRun.batchId,
+          },
+          environment: {
+            id: environment.id,
+          },
         });
 
         return taskRun;
@@ -853,6 +1114,7 @@ export class RunEngine {
     taskEventStore,
     queue: queueOverride,
     lockedQueueId: lockedQueueIdOverride,
+    emitRunFailedEvent = true,
   }: {
     friendlyId: string;
     environment: {
@@ -880,6 +1142,19 @@ export class RunEngine {
     queue?: string;
     /** Resolved TaskQueue.id when the task is locked to a specific queue. */
     lockedQueueId?: string;
+    /**
+     * Whether to emit the `runFailed` engine-bus event. Defaults to true.
+     *
+     * Set to `false` when the caller is ALREADY managing the trace-event
+     * lifecycle for this run via `repository.traceEvent({ incomplete: false,
+     * isError: true, ... })`. In that path the outer trace event handles
+     * span completion itself; emitting `runFailed` from here causes the
+     * `runFailed` → `completeFailedRunEvent` handler to write a second
+     * completion row for the same (traceId, spanId), racing with the
+     * outer trace event's own write. The alert side of `runFailed` is
+     * preserved by emitting from the caller after `traceEvent` returns.
+     */
+    emitRunFailedEvent?: boolean;
   }): Promise<TaskRun> {
     return startSpan(
       this.tracer,
@@ -955,6 +1230,57 @@ export class RunEngine {
           });
         }
 
+        // Emit `runFailed` so the alert pipeline picks up the
+        // SYSTEM_FAILURE row and the event-store handler writes the
+        // completion event into the trace. Without this the mollifier
+        // drainer's terminal failures (and batch-trigger's
+        // exceed-limit failures) land in PG silently — visible in the
+        // dashboard list but never reaching customers' configured
+        // ERROR alert channels.
+        //
+        // Gated by `emitRunFailedEvent` so call sites that already wrap
+        // this inside `repository.traceEvent({ incomplete: false,
+        // isError: true })` can opt out — the outer trace event writes
+        // the completion row itself, and a second write via
+        // `completeFailedRunEvent` would race against it. Callers that
+        // disable the emit are responsible for triggering the alerts
+        // side themselves (e.g. by calling
+        // `PerformTaskRunAlertsService.enqueue` directly after the
+        // trace event closes).
+        if (!emitRunFailedEvent) {
+          return taskRun;
+        }
+        this.eventBus.emit("runFailed", {
+          time: taskRun.completedAt ?? new Date(),
+          run: {
+            id: taskRun.id,
+            status: taskRun.status,
+            spanId: taskRun.spanId,
+            error,
+            taskEventStore: taskRun.taskEventStore,
+            createdAt: taskRun.createdAt,
+            completedAt: taskRun.completedAt,
+            updatedAt: taskRun.updatedAt,
+            // This row never attempted execution — it's a synthesised
+            // terminal failure. The alert payload's `attemptNumber=0`
+            // is the signal downstream consumers can use to
+            // distinguish a never-ran failure from a run that
+            // exhausted its retries.
+            attemptNumber: 0,
+            usageDurationMs: 0,
+            costInCents: 0,
+          },
+          organization: {
+            id: environment.organization.id,
+          },
+          project: {
+            id: environment.project.id,
+          },
+          environment: {
+            id: environment.id,
+          },
+        });
+
         return taskRun;
       },
       {
@@ -1623,12 +1949,69 @@ export class RunEngine {
     snapshotId: string;
     tx?: PrismaClientOrTransaction;
   }): Promise<RunExecutionData[] | null> {
-    const prisma = tx ?? this.prisma;
+    const useReplica =
+      !tx &&
+      this.options.readReplicaSnapshotsSinceEnabled === true &&
+      this.readOnlyPrisma !== this.prisma;
+    const prisma = tx ?? (useReplica ? this.readOnlyPrisma : this.prisma);
+
+    const query = async (client: PrismaClientOrTransaction) => {
+      const snapshots = await getExecutionSnapshotsSince(client, runId, snapshotId);
+      return snapshots.map(executionDataFromSnapshot);
+    };
 
     try {
-      const snapshots = await getExecutionSnapshotsSince(prisma, runId, snapshotId);
-      return snapshots.map(executionDataFromSnapshot);
+      return await query(prisma);
     } catch (e) {
+      if (useReplica && e instanceof ExecutionSnapshotNotFoundError) {
+        // Replica lag: the runner learned this snapshot id from the writer before the
+        // replica caught up. Give the replica one jittered retry; if it's still missing,
+        // serve from the writer. Only not-found errors get this treatment - any other
+        // replica failure stays an error rather than shifting read load to the writer.
+        // A miss on the writer too is a real error, not lag.
+        const { minMs, maxMs } = this.snapshotsSinceReplicaRetryDelay;
+        if (maxMs > 0) {
+          await setTimeout(minMs + Math.random() * Math.max(0, maxMs - minMs));
+          try {
+            const result = await query(this.readOnlyPrisma);
+            this.snapshotsSinceReplicaMissCounter.add(1, { outcome: "replica_retry" });
+            return result;
+          } catch (replicaRetryError) {
+            if (!(replicaRetryError instanceof ExecutionSnapshotNotFoundError)) {
+              this.logger.error("Failed to getSnapshotsSince", {
+                message:
+                  replicaRetryError instanceof Error
+                    ? replicaRetryError.message
+                    : replicaRetryError,
+                runId,
+                snapshotId,
+                failedDuring: "replica_retry",
+              });
+              return null;
+            }
+            // still not on the replica - fall through to the primary
+          }
+        }
+
+        try {
+          const result = await query(this.prisma);
+          this.snapshotsSinceReplicaMissCounter.add(1, { outcome: "primary" });
+          this.logger.warn("getSnapshotsSince: snapshot not yet on replica, served from primary", {
+            runId,
+            snapshotId,
+          });
+          return result;
+        } catch (retryError) {
+          this.logger.error("Failed to getSnapshotsSince", {
+            message: retryError instanceof Error ? retryError.message : retryError,
+            runId,
+            snapshotId,
+            failedDuring: "primary_fallback",
+          });
+          return null;
+        }
+      }
+
       this.logger.error("Failed to getSnapshotsSince", {
         message: e instanceof Error ? e.message : e,
         runId,
diff --git a/internal-packages/run-engine/src/engine/services/pendingVersionLookup.ts b/internal-packages/run-engine/src/engine/services/pendingVersionLookup.ts
new file mode 100644
index 00000000000..62ce67f4d9b
--- /dev/null
+++ b/internal-packages/run-engine/src/engine/services/pendingVersionLookup.ts
@@ -0,0 +1,48 @@
+/**
+ * Lookup interface for discovering TaskRun ids that are currently in the
+ * `PENDING_VERSION` status for a given background-worker filter.
+ *
+ * The default Postgres-backed implementation lives in the webapp and is
+ * injected via {@link SystemResources}. The run-engine package only owns
+ * the contract; concrete implementations are provided by the consumer.
+ *
+ * Best-effort by design: implementations may return stale ids (rows that
+ * have since transitioned) or omit recently-inserted rows (replication
+ * lag against an analytical store). The caller MUST re-validate every
+ * returned id against the source-of-truth database before mutating it.
+ */
+export type PendingVersionRunIdLookupOptions = {
+  organizationId: string;
+  projectId: string;
+  environmentId: string;
+  taskIdentifiers: string[];
+  queues: string[];
+  /** Maximum number of ids to return. Implementations must respect this cap. */
+  limit: number;
+};
+
+export type PendingVersionRunIdLookupResult = {
+  runIds: string[];
+};
+
+export interface PendingVersionRunIdLookup {
+  /** Stable identifier for logs and metrics, e.g. "clickhouse", "test-noop". */
+  readonly name: string;
+
+  lookupPendingVersionRunIds(
+    options: PendingVersionRunIdLookupOptions
+  ): Promise<PendingVersionRunIdLookupResult>;
+}
+
+/**
+ * Default lookup used when nothing is wired up (tests that don't exercise
+ * the lookup, or engine instances that don't run the pending-version
+ * resolver). Returns an empty result so the system no-ops cleanly.
+ */
+export class NoopPendingVersionRunIdLookup implements PendingVersionRunIdLookup {
+  readonly name = "noop";
+
+  async lookupPendingVersionRunIds(): Promise<PendingVersionRunIdLookupResult> {
+    return { runIds: [] };
+  }
+}
diff --git a/internal-packages/run-engine/src/engine/systems/checkpointSystem.ts b/internal-packages/run-engine/src/engine/systems/checkpointSystem.ts
index 384384fd8c7..6c66591e288 100644
--- a/internal-packages/run-engine/src/engine/systems/checkpointSystem.ts
+++ b/internal-packages/run-engine/src/engine/systems/checkpointSystem.ts
@@ -147,6 +147,8 @@ export class CheckpointSystem {
           status: run.status,
           updatedAt: run.updatedAt,
           createdAt: run.createdAt,
+          runTags: run.runTags,
+          batchId: run.batchId,
         },
         organization: {
           id: run.runtimeEnvironment.organizationId,
@@ -308,6 +310,8 @@ export class CheckpointSystem {
           projectId: true,
           updatedAt: true,
           createdAt: true,
+          runTags: true,
+          batchId: true,
         },
       });
 
@@ -326,6 +330,8 @@ export class CheckpointSystem {
           status: run.status,
           updatedAt: run.updatedAt,
           createdAt: run.createdAt,
+          runTags: run.runTags,
+          batchId: run.batchId,
         },
         organization: {
           id: run.organizationId ?? undefined,
diff --git a/internal-packages/run-engine/src/engine/systems/debounceSystem.ts b/internal-packages/run-engine/src/engine/systems/debounceSystem.ts
index ef711a19577..0e59d1d69df 100644
--- a/internal-packages/run-engine/src/engine/systems/debounceSystem.ts
+++ b/internal-packages/run-engine/src/engine/systems/debounceSystem.ts
@@ -10,11 +10,17 @@ import {
   parseNaturalLanguageDuration,
   parseNaturalLanguageDurationInMs,
 } from "@trigger.dev/core/v3/isomorphic";
-import { PrismaClientOrTransaction, TaskRun, Waitpoint } from "@trigger.dev/database";
+import {
+  PrismaClientOrTransaction,
+  PrismaReplicaClient,
+  TaskRun,
+  Waitpoint,
+} from "@trigger.dev/database";
 import { nanoid } from "nanoid";
 import { SystemResources } from "./systems.js";
 import { ExecutionSnapshotSystem, getLatestExecutionSnapshot } from "./executionSnapshotSystem.js";
 import { DelayedRunSystem } from "./delayedRunSystem.js";
+import { LockAcquisitionTimeoutError } from "../locking.js";
 
 export type DebounceOptions = {
   key: string;
@@ -45,6 +51,22 @@ export type DebounceSystemOptions = {
   executionSnapshotSystem: ExecutionSnapshotSystem;
   delayedRunSystem: DelayedRunSystem;
   maxDebounceDurationMs: number;
+  /**
+   * Bucket size in milliseconds used to quantize the newly computed `delayUntil`.
+   * Set to 0 to disable quantization.
+   */
+  quantizeNewDelayUntilMs?: number;
+  /**
+   * When true, read the existing run's `delayUntil` outside the redlock and
+   * short-circuit if the new (quantized) `delayUntil` is not later than the
+   * current one.
+   */
+  fastPathSkipEnabled?: boolean;
+  /**
+   * When true, route the unlocked fast-path reads (probe + full-run fetch)
+   * through `readOnlyPrisma` (e.g. an Aurora reader) instead of the writer.
+   */
+  useReplicaForFastPathRead?: boolean;
 };
 
 export type DebounceResult =
@@ -89,6 +111,9 @@ export class DebounceSystem {
   private readonly executionSnapshotSystem: ExecutionSnapshotSystem;
   private readonly delayedRunSystem: DelayedRunSystem;
   private readonly maxDebounceDurationMs: number;
+  private readonly quantizeNewDelayUntilMs: number;
+  private readonly fastPathSkipEnabled: boolean;
+  private readonly useReplicaForFastPathRead: boolean;
 
   constructor(options: DebounceSystemOptions) {
     this.$ = options.resources;
@@ -106,6 +131,9 @@ export class DebounceSystem {
     this.executionSnapshotSystem = options.executionSnapshotSystem;
     this.delayedRunSystem = options.delayedRunSystem;
     this.maxDebounceDurationMs = options.maxDebounceDurationMs;
+    this.quantizeNewDelayUntilMs = Math.max(0, options.quantizeNewDelayUntilMs ?? 1000);
+    this.fastPathSkipEnabled = options.fastPathSkipEnabled ?? true;
+    this.useReplicaForFastPathRead = options.useReplicaForFastPathRead ?? false;
 
     this.#registerCommands();
   }
@@ -450,9 +478,264 @@ return 0
     debounce: DebounceOptions;
     tx?: PrismaClientOrTransaction;
   }): Promise<DebounceResult> {
-    return await this.$.runLock.lock("handleDebounce", [existingRunId], async () => {
-      const prisma = tx ?? this.$.prisma;
+    const prisma = tx ?? this.$.prisma;
+    // Reads in the unlocked fast-path can run on `readOnlyPrisma` when
+    // configured (e.g. an Aurora reader). Replica lag is fine: debounce is
+    // best-effort and a stale read either falls through to the locked path
+    // (when delayUntil hasn't replicated yet) or returns the existing run
+    // (when the run's status is stale). The latter is the same outcome the
+    // caller would see if their trigger had simply landed a few hundred ms
+    // earlier, which is within the natural debounce race. Only divert reads
+    // when the caller isn't inside a tx (where the read needs to see the
+    // tx's writes).
+    const fastPathReadPrisma =
+      tx ?? (this.useReplicaForFastPathRead ? this.$.readOnlyPrisma : this.$.prisma);
+
+    // Compute the (quantized) target delayUntil up-front, before taking any lock.
+    // Quantizing to e.g. 1s buckets collapses many concurrent triggers on the same
+    // hot debounce key onto the same target time, so the unlocked fast-path skip
+    // below becomes effective and the redlock is not contended.
+    const newDelayUntil = this.#computeQuantizedDelayUntil(debounce.delay);
+
+    // Fast-path: read the current delayUntil outside the redlock and short-circuit
+    // if our (quantized) newDelayUntil isn't later than what's already scheduled.
+    // Safe because debounce is monotonic-forward only: a stale read either matches
+    // reality or undershoots, both of which decay correctly (re-checked properly
+    // inside the lock by whoever is actually pushing forward).
+    if (this.fastPathSkipEnabled && newDelayUntil) {
+      const fastPathResult = await this.#tryFastPathSkip({
+        existingRunId,
+        newDelayUntil,
+        debounce,
+        prisma: fastPathReadPrisma,
+      });
+      if (fastPathResult) {
+        return fastPathResult;
+      }
+    }
 
+    try {
+      return await this.$.runLock.lock("handleDebounce", [existingRunId], async () => {
+        return await this.#handleExistingRunLocked({
+          existingRunId,
+          redisKey,
+          environmentId,
+          taskIdentifier,
+          debounce,
+          newDelayUntil,
+          prisma,
+          tx,
+        });
+      });
+    } catch (error) {
+      // Lock contention safety net: if we couldn't take the lock (redlock quorum
+      // failure or our retry budget exhausted), fall in line with whoever is
+      // actually updating the run instead of bubbling a 5xx to the SDK and
+      // amplifying the herd via SDK retries. Debounce is best-effort - dropping
+      // our contribution to delayUntil here is fine, the herd is updating it for
+      // us.
+      if (this.#isLockContentionError(error)) {
+        return await this.#handleLockContentionFallback({
+          existingRunId,
+          debounce,
+          error,
+          prisma,
+        });
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Parses the debounce delay and (optionally) quantizes it to a bucket boundary
+   * by flooring the absolute timestamp. Quantization makes concurrent triggers on
+   * the same key share a target time, which is what makes the unlocked fast-path
+   * skip effective.
+   */
+  #computeQuantizedDelayUntil(delay: string): Date | null {
+    const parsed = parseNaturalLanguageDuration(delay);
+    if (!parsed) {
+      return null;
+    }
+    if (this.quantizeNewDelayUntilMs <= 0) {
+      return parsed;
+    }
+    const bucket = this.quantizeNewDelayUntilMs;
+    const quantized = Math.floor(parsed.getTime() / bucket) * bucket;
+    return new Date(quantized);
+  }
+
+  #isLockContentionError(error: unknown): boolean {
+    if (!(error instanceof Error)) return false;
+    return (
+      error instanceof LockAcquisitionTimeoutError ||
+      error.name === "LockAcquisitionTimeoutError" ||
+      error.name === "ExecutionError" ||
+      error.name === "ResourceLockedError"
+    );
+  }
+
+  /**
+   * Reads `delayUntil`/`status`/`createdAt` outside the redlock and
+   * short-circuits if the existing scheduled time already covers our target.
+   * Skips trailing-mode triggers that carry `updateData` since those still need
+   * the lock to apply their data update. Also falls through when the run has
+   * already exceeded its max debounce duration so the locked path can return
+   * `max_duration_exceeded` and let the caller create a new run.
+   *
+   * `prisma` may be a read replica - replica lag is acceptable because
+   * debounce is best-effort. A stale `delayUntil` either matches reality or
+   * undershoots (we fall through to the locked path); a stale `status` at
+   * worst returns the existing run, which is the same outcome the caller
+   * would see if their trigger had landed a few hundred ms earlier.
+   */
+  async #tryFastPathSkip({
+    existingRunId,
+    newDelayUntil,
+    debounce,
+    prisma,
+  }: {
+    existingRunId: string;
+    newDelayUntil: Date;
+    debounce: DebounceOptions;
+    prisma: PrismaClientOrTransaction | PrismaReplicaClient;
+  }): Promise<DebounceResult | null> {
+    // Trailing mode with updateData still needs the lock so the data update is
+    // applied; only short-circuit when there's nothing to update.
+    if (debounce.mode === "trailing" && debounce.updateData) {
+      return null;
+    }
+
+    const probe = await prisma.taskRun.findFirst({
+      where: { id: existingRunId },
+      select: { status: true, delayUntil: true, createdAt: true },
+    });
+    if (!probe || probe.status !== "DELAYED" || !probe.delayUntil) {
+      return null;
+    }
+    if (newDelayUntil.getTime() > probe.delayUntil.getTime()) {
+      return null;
+    }
+
+    // Fall through to the lock path when newDelayUntil would exceed the run's
+    // max debounce window so the caller can return max_duration_exceeded and
+    // create a fresh run.
+    let maxDurationMs = this.maxDebounceDurationMs;
+    if (debounce.maxDelay) {
+      const parsedMaxDelay = parseNaturalLanguageDurationInMs(debounce.maxDelay);
+      if (parsedMaxDelay !== undefined) {
+        maxDurationMs = parsedMaxDelay;
+      }
+    }
+    const maxDelayUntilMs = probe.createdAt.getTime() + maxDurationMs;
+    if (newDelayUntil.getTime() > maxDelayUntilMs) {
+      return null;
+    }
+
+    const fullRun = await prisma.taskRun.findFirst({
+      where: { id: existingRunId },
+      include: { associatedWaitpoint: true },
+    });
+    if (!fullRun || fullRun.status !== "DELAYED") {
+      return null;
+    }
+
+    this.$.logger.debug("handleExistingRun: fast-path skip, existing delayUntil already covers", {
+      existingRunId,
+      debounceKey: debounce.key,
+      newDelayUntil,
+      currentDelayUntil: fullRun.delayUntil,
+    });
+
+    return {
+      status: "existing",
+      run: fullRun,
+      waitpoint: fullRun.associatedWaitpoint,
+    };
+  }
+
+  async #handleLockContentionFallback({
+    existingRunId,
+    debounce,
+    error,
+    prisma,
+  }: {
+    existingRunId: string;
+    debounce: DebounceOptions;
+    error: unknown;
+    prisma: PrismaClientOrTransaction;
+  }): Promise<DebounceResult> {
+    const fullRun = await prisma.taskRun.findFirst({
+      where: { id: existingRunId },
+      include: { associatedWaitpoint: true },
+    });
+
+    if (!fullRun || fullRun.status !== "DELAYED") {
+      // The run is no longer in a state we can safely return as "existing" -
+      // re-throw so the caller surfaces the failure rather than silently
+      // succeeding on a stale/terminated run.
+      this.$.logger.warn(
+        "handleExistingRun: lock contention, but existing run no longer DELAYED - rethrowing",
+        {
+          existingRunId,
+          debounceKey: debounce.key,
+          status: fullRun?.status,
+        }
+      );
+      throw error;
+    }
+
+    // Trailing-mode triggers carrying updateData fall through to the same
+    // "return existing" path as everything else. Under lock contention some
+    // other concurrent caller is winning the lock right now and applying
+    // *its* updateData (which is, by wall-clock, ms-different from ours and
+    // indistinguishable to the user). Re-throwing here would just produce a
+    // 5xx that the SDK retries with our now-older payload - more likely to
+    // result in stale data landing than letting the herd's winner stand.
+    this.$.logger.warn(
+      "handleExistingRun: lock contention, returning existing run without rescheduling",
+      {
+        existingRunId,
+        debounceKey: debounce.key,
+        currentDelayUntil: fullRun.delayUntil,
+        mode: debounce.mode,
+        hasUpdateData: !!debounce.updateData,
+        error: error instanceof Error ? error.message : String(error),
+        errorName: error instanceof Error ? error.name : undefined,
+      }
+    );
+
+    return {
+      status: "existing",
+      run: fullRun,
+      waitpoint: fullRun.associatedWaitpoint,
+    };
+  }
+
+  /**
+   * Body of `handleExistingRun` that runs while holding the redlock on the run.
+   * Receives the (possibly quantized) `newDelayUntil` precomputed by the caller.
+   */
+  async #handleExistingRunLocked({
+    existingRunId,
+    redisKey,
+    environmentId,
+    taskIdentifier,
+    debounce,
+    newDelayUntil,
+    prisma,
+    tx,
+  }: {
+    existingRunId: string;
+    redisKey: string;
+    environmentId: string;
+    taskIdentifier: string;
+    debounce: DebounceOptions;
+    newDelayUntil: Date | null;
+    prisma: PrismaClientOrTransaction;
+    tx?: PrismaClientOrTransaction;
+  }): Promise<DebounceResult> {
+    {
       // Get the latest execution snapshot
       let snapshot;
       try {
@@ -514,8 +797,6 @@ return 0
         });
       }
 
-      // Calculate new delay - parseNaturalLanguageDuration returns a Date (now + duration)
-      const newDelayUntil = parseNaturalLanguageDuration(debounce.delay);
       if (!newDelayUntil) {
         this.$.logger.error("handleExistingRun: invalid delay duration", {
           delay: debounce.delay,
@@ -619,7 +900,7 @@ return 0
         run: updatedRun,
         waitpoint: existingRun.associatedWaitpoint,
       };
-    });
+    }
   }
 
   /**
diff --git a/internal-packages/run-engine/src/engine/systems/delayedRunSystem.ts b/internal-packages/run-engine/src/engine/systems/delayedRunSystem.ts
index 740ce1a849f..10c965741cf 100644
--- a/internal-packages/run-engine/src/engine/systems/delayedRunSystem.ts
+++ b/internal-packages/run-engine/src/engine/systems/delayedRunSystem.ts
@@ -79,6 +79,8 @@ export class DelayedRunSystem {
               delayUntil: delayUntil,
               updatedAt: updatedRun.updatedAt,
               createdAt: updatedRun.createdAt,
+              runTags: updatedRun.runTags,
+              batchId: updatedRun.batchId,
             },
             organization: {
               id: snapshot.organizationId,
@@ -144,13 +146,34 @@ export class DelayedRunSystem {
         return;
       }
 
+      // The batch TTL path only expires runs still in the queue sorted set.
+      // For DEV environments where the dev CLI may not be running, fast-pathed
+      // runs can sit on the worker queue indefinitely. Keep the legacy per-run
+      // expireRun job armed for DEV so those runs still expire.
+      if (run.ttl && run.runtimeEnvironment.type === "DEVELOPMENT") {
+        const expireAt = parseNaturalLanguageDuration(run.ttl);
+        if (expireAt) {
+          await this.$.worker.enqueue({
+            id: `expireRun:${runId}`,
+            job: "expireRun",
+            payload: { runId },
+            availableAt: expireAt,
+          });
+        }
+      }
+
       // Now we need to enqueue the run into the RunQueue
-      // Skip the lock in enqueueRun since we already hold it
+      // Skip the lock in enqueueRun since we already hold it.
+      // includeTtl: true so the run's TTL is armed from the moment it enters
+      // the queue (not from taskRun.createdAt). The TTL system tracks runs
+      // that are queued and have never started — delayed runs are first
+      // enqueued here, so this is the correct point to arm TTL.
       await this.enqueueSystem.enqueueRun({
         run,
         env: run.runtimeEnvironment,
         batchId: run.batchId ?? undefined,
         skipRunLock: true,
+        includeTtl: true,
       });
 
       const queuedAt = new Date();
@@ -171,6 +194,8 @@ export class DelayedRunSystem {
           queuedAt,
           updatedAt: updatedRun.updatedAt,
           createdAt: updatedRun.createdAt,
+          runTags: updatedRun.runTags,
+          batchId: updatedRun.batchId,
         },
         organization: {
           id: run.runtimeEnvironment.organizationId,
@@ -183,18 +208,6 @@ export class DelayedRunSystem {
         },
       });
 
-      if (run.ttl) {
-        const expireAt = parseNaturalLanguageDuration(run.ttl);
-
-        if (expireAt) {
-          await this.$.worker.enqueue({
-            id: `expireRun:${runId}`,
-            job: "expireRun",
-            payload: { runId },
-            availableAt: expireAt,
-          });
-        }
-      }
     });
   }
 
diff --git a/internal-packages/run-engine/src/engine/systems/dequeueSystem.ts b/internal-packages/run-engine/src/engine/systems/dequeueSystem.ts
index a51d12c52ca..7c811ebfdfc 100644
--- a/internal-packages/run-engine/src/engine/systems/dequeueSystem.ts
+++ b/internal-packages/run-engine/src/engine/systems/dequeueSystem.ts
@@ -3,7 +3,7 @@ import { startSpan } from "@internal/tracing";
 import { assertExhaustive, tryCatch } from "@trigger.dev/core";
 import { DequeuedMessage, RetryOptions, RunAnnotations } from "@trigger.dev/core/v3";
 import { placementTag } from "@trigger.dev/core/v3/serverOnly";
-import { getMaxDuration } from "@trigger.dev/core/v3/isomorphic";
+import { generateInternalId, getMaxDuration, SnapshotId } from "@trigger.dev/core/v3/isomorphic";
 import {
   BackgroundWorker,
   BackgroundWorkerTask,
@@ -416,6 +416,9 @@ export class DequeueSystem {
                 ? undefined
                 : result.task.retryConfig;
 
+              // Pre-generate snapshot ID so we can construct the result without an extra read
+              const snapshotId = generateInternalId();
+
               const lockedTaskRun = await prisma.taskRun.update({
                 where: {
                   id: runId,
@@ -435,10 +438,36 @@ export class DequeueSystem {
                   cliVersion: result.worker.cliVersion,
                   maxDurationInSeconds,
                   maxAttempts: maxAttempts ?? undefined,
+                  executionSnapshots: {
+                    create: {
+                      id: snapshotId,
+                      engine: "V2",
+                      executionStatus: "PENDING_EXECUTING",
+                      description: "Run was dequeued for execution",
+                      // Map DEQUEUED -> PENDING for backwards compatibility with older runners
+                      runStatus: "PENDING",
+                      attemptNumber: result.run.attemptNumber ?? undefined,
+                      previousSnapshotId: snapshot.id,
+                      environmentId: snapshot.environmentId,
+                      environmentType: snapshot.environmentType,
+                      projectId: snapshot.projectId,
+                      organizationId: snapshot.organizationId,
+                      checkpointId: snapshot.checkpointId ?? undefined,
+                      batchId: snapshot.batchId ?? undefined,
+                      completedWaitpoints: {
+                        connect: snapshot.completedWaitpoints.map((w) => ({ id: w.id })),
+                      },
+                      completedWaitpointOrder: snapshot.completedWaitpoints
+                        .filter((c) => c.index !== undefined)
+                        .sort((a, b) => a.index! - b.index!)
+                        .map((w) => w.id),
+                      workerId,
+                      runnerId,
+                    },
+                  },
                 },
                 include: {
                   runtimeEnvironment: true,
-                  tags: true,
                 },
               });
 
@@ -461,6 +490,8 @@ export class DequeueSystem {
                   maxAttempts: lockedTaskRun.maxAttempts ?? undefined,
                   updatedAt: lockedTaskRun.updatedAt,
                   createdAt: lockedTaskRun.createdAt,
+                  runTags: lockedTaskRun.runTags,
+                  batchId: lockedTaskRun.batchId,
                 },
                 organization: {
                   id: orgId,
@@ -517,44 +548,50 @@ export class DequeueSystem {
                 hasPrivateLink = billingResult.val.hasPrivateLink;
               }
 
-              const newSnapshot = await this.executionSnapshotSystem.createExecutionSnapshot(
-                prisma,
-                {
-                  run: {
-                    id: runId,
-                    status: lockedTaskRun.status,
-                    attemptNumber: lockedTaskRun.attemptNumber,
-                  },
-                  snapshot: {
-                    executionStatus: "PENDING_EXECUTING",
-                    description: "Run was dequeued for execution",
-                  },
-                  previousSnapshotId: snapshot.id,
-                  environmentId: snapshot.environmentId,
-                  environmentType: snapshot.environmentType,
-                  projectId: snapshot.projectId,
-                  organizationId: snapshot.organizationId,
-                  checkpointId: snapshot.checkpointId ?? undefined,
-                  batchId: snapshot.batchId ?? undefined,
-                  completedWaitpoints: snapshot.completedWaitpoints,
-                  workerId,
-                  runnerId,
-                }
-              );
+              // Snapshot was created as part of the taskRun.update above (single transaction).
+              // Construct the snapshot info from data we already have and handle side effects
+              // (heartbeat + event) manually — no extra DB read needed.
+              const snapshotCreatedAt = new Date();
+
+              this.$.eventBus.emit("executionSnapshotCreated", {
+                time: snapshotCreatedAt,
+                run: {
+                  id: runId,
+                },
+                snapshot: {
+                  id: snapshotId,
+                  executionStatus: "PENDING_EXECUTING",
+                  description: "Run was dequeued for execution",
+                  runStatus: "PENDING",
+                  attemptNumber: result.run.attemptNumber ?? null,
+                  checkpointId: snapshot.checkpointId ?? null,
+                  workerId: workerId ?? null,
+                  runnerId: runnerId ?? null,
+                  isValid: true,
+                  error: null,
+                  completedWaitpointIds: snapshot.completedWaitpoints.map((wp) => wp.id),
+                },
+              });
+
+              await this.executionSnapshotSystem.enqueueHeartbeatIfNeeded({
+                id: snapshotId,
+                runId,
+                executionStatus: "PENDING_EXECUTING",
+              });
 
               return {
                 version: "1" as const,
                 dequeuedAt: new Date(),
                 workerQueueLength: message.workerQueueLength,
                 snapshot: {
-                  id: newSnapshot.id,
-                  friendlyId: newSnapshot.friendlyId,
-                  executionStatus: newSnapshot.executionStatus,
-                  description: newSnapshot.description,
-                  createdAt: newSnapshot.createdAt,
+                  id: snapshotId,
+                  friendlyId: SnapshotId.toFriendlyId(snapshotId),
+                  executionStatus: "PENDING_EXECUTING" as const,
+                  description: "Run was dequeued for execution",
+                  createdAt: snapshotCreatedAt,
                 },
                 image: result.deployment?.imageReference ?? undefined,
-                checkpoint: newSnapshot.checkpoint ?? undefined,
+                checkpoint: snapshot.checkpoint ?? undefined,
                 completedWaitpoints: snapshot.completedWaitpoints,
                 backgroundWorker: {
                   id: result.worker.id,
@@ -572,6 +609,7 @@ export class DequeueSystem {
                   id: lockedTaskRun.id,
                   friendlyId: lockedTaskRun.friendlyId,
                   isTest: lockedTaskRun.isTest,
+                  isReplay: !!lockedTaskRun.replayedFromTaskRunFriendlyId,
                   machine: machinePreset,
                   attemptNumber: nextAttemptNumber,
                   // Keeping this for backwards compatibility, but really this should be called workerQueue
@@ -715,6 +753,8 @@ export class DequeueSystem {
           attemptNumber: true,
           updatedAt: true,
           createdAt: true,
+          runTags: true,
+          batchId: true,
           runtimeEnvironment: {
             select: {
               id: true,
@@ -756,6 +796,8 @@ export class DequeueSystem {
           status: run.status,
           updatedAt: run.updatedAt,
           createdAt: run.createdAt,
+          runTags: run.runTags,
+          batchId: run.batchId,
         },
         organization: {
           id: run.runtimeEnvironment.project.organizationId,
diff --git a/internal-packages/run-engine/src/engine/systems/executionSnapshotSystem.ts b/internal-packages/run-engine/src/engine/systems/executionSnapshotSystem.ts
index a224e5a86b0..d8e9656f395 100644
--- a/internal-packages/run-engine/src/engine/systems/executionSnapshotSystem.ts
+++ b/internal-packages/run-engine/src/engine/systems/executionSnapshotSystem.ts
@@ -10,6 +10,7 @@ import {
   TaskRunStatus,
   Waitpoint,
 } from "@trigger.dev/database";
+import { ExecutionSnapshotNotFoundError } from "../errors.js";
 import { HeartbeatTimeouts } from "../types.js";
 import { SystemResources } from "./systems.js";
 
@@ -273,12 +274,12 @@ export async function getExecutionSnapshotsSince(
 ): Promise<EnhancedExecutionSnapshot[]> {
   // Step 1: Find the createdAt of the sinceSnapshotId
   const sinceSnapshot = await prisma.taskRunExecutionSnapshot.findFirst({
-    where: { id: sinceSnapshotId },
+    where: { id: sinceSnapshotId, runId },
     select: { createdAt: true },
   });
 
   if (!sinceSnapshot) {
-    throw new Error(`No execution snapshot found for id ${sinceSnapshotId}`);
+    throw new ExecutionSnapshotNotFoundError(sinceSnapshotId);
   }
 
   // Step 2: Fetch snapshots WITHOUT waitpoints to avoid N×M data explosion
@@ -518,6 +519,27 @@ export class ExecutionSnapshotSystem {
     return executionResultFromSnapshot(latestSnapshot);
   }
 
+  /**
+   * Enqueues a heartbeat job for a snapshot if the execution status requires one.
+   * Use this after nesting a snapshot create inside a taskRun.update() to replicate
+   * the heartbeat side effect that createExecutionSnapshot normally handles.
+   */
+  public async enqueueHeartbeatIfNeeded(snapshot: {
+    id: string;
+    runId: string;
+    executionStatus: TaskRunExecutionStatus;
+  }) {
+    const intervalMs = this.#getHeartbeatIntervalMs(snapshot.executionStatus);
+    if (intervalMs !== null) {
+      await this.$.worker.enqueue({
+        id: `heartbeatSnapshot.${snapshot.runId}`,
+        job: "heartbeatSnapshot",
+        payload: { snapshotId: snapshot.id, runId: snapshot.runId },
+        availableAt: new Date(Date.now() + intervalMs),
+      });
+    }
+  }
+
   #getHeartbeatIntervalMs(status: TaskRunExecutionStatus): number | null {
     switch (status) {
       case "PENDING_EXECUTING": {
diff --git a/internal-packages/run-engine/src/engine/systems/pendingVersionSystem.ts b/internal-packages/run-engine/src/engine/systems/pendingVersionSystem.ts
index c22429ac0c9..b46b857f02a 100644
--- a/internal-packages/run-engine/src/engine/systems/pendingVersionSystem.ts
+++ b/internal-packages/run-engine/src/engine/systems/pendingVersionSystem.ts
@@ -5,8 +5,26 @@ export type PendingVersionSystemOptions = {
   resources: SystemResources;
   enqueueSystem: EnqueueSystem;
   queueRunsPendingVersionBatchSize?: number;
+  /**
+   * How long to wait before retrying when the lookup returned zero
+   * candidates. Bounded by {@link lagMaxRetries}. Defaults to 5s.
+   *
+   * The ClickHouse-backed lookup can miss runs that were just inserted
+   * to Postgres due to replication lag. One bounded retry gives the
+   * pipeline time to catch up.
+   */
+  lagRetryDelayMs?: number;
+  /**
+   * Maximum number of times to reschedule when the lookup returned zero
+   * candidates. Defaults to 1 — first attempt + one retry. Set to 0 to
+   * disable lag-aware retries entirely.
+   */
+  lagMaxRetries?: number;
 };
 
+const DEFAULT_LAG_RETRY_DELAY_MS = 5_000;
+const DEFAULT_LAG_MAX_RETRIES = 1;
+
 export class PendingVersionSystem {
   private readonly $: SystemResources;
   private readonly enqueueSystem: EnqueueSystem;
@@ -16,7 +34,7 @@ export class PendingVersionSystem {
     this.enqueueSystem = options.enqueueSystem;
   }
 
-  async enqueueRunsForBackgroundWorker(backgroundWorkerId: string) {
+  async enqueueRunsForBackgroundWorker(backgroundWorkerId: string, attempt: number = 0) {
     //It could be a lot of runs, so we will process them in a batch
     //if there are still more to process we will enqueue this function again
     const maxCount = this.options.queueRunsPendingVersionBatchSize ?? 200;
@@ -44,37 +62,59 @@ export class PendingVersionSystem {
       return;
     }
 
+    const taskIdentifiers = backgroundWorker.tasks.map((task) => task.slug);
+    const queues = backgroundWorker.queues.map((queue) => queue.name);
+
     this.$.logger.debug("Finding PENDING_VERSION runs for background worker", {
       workerId: backgroundWorker.id,
-      taskIdentifiers: backgroundWorker.tasks.map((task) => task.slug),
-      queues: backgroundWorker.queues.map((queue) => queue.name),
+      taskIdentifiers,
+      queues,
     });
 
-    const pendingRuns = await this.$.readOnlyPrisma.taskRun.findMany({
-      where: {
-        runtimeEnvironmentId: backgroundWorker.runtimeEnvironmentId,
+    // Step 1: ask the injected lookup (typically ClickHouse-backed) for
+    // candidate run ids. Best-effort — results may be stale or incomplete.
+    const { runIds: candidateIds } = await this.$.pendingVersionRunIdLookup
+      .lookupPendingVersionRunIds({
+        organizationId: backgroundWorker.runtimeEnvironment.organizationId,
         projectId: backgroundWorker.projectId,
+        environmentId: backgroundWorker.runtimeEnvironmentId,
+        taskIdentifiers,
+        queues,
+        limit: maxCount + 1,
+      });
+
+    if (!candidateIds.length) {
+      await this.#maybeScheduleLagRetry(backgroundWorkerId, attempt, "lookup_empty");
+      return;
+    }
+
+    // Step 2: fetch the actual rows from the primary by id, filtered by
+    // `status: "PENDING_VERSION"` so any candidate whose status has moved
+    // is dropped. The planner uses the PK for `id IN (…)`; the status
+    // predicate is a residual filter and does NOT require the status
+    // index.
+    const pendingRuns = await this.$.prisma.taskRun.findMany({
+      where: {
+        id: { in: candidateIds },
         status: "PENDING_VERSION",
-        taskIdentifier: {
-          in: backgroundWorker.tasks.map((task) => task.slug),
-        },
-        queue: {
-          in: backgroundWorker.queues.map((queue) => queue.name),
-        },
       },
       orderBy: {
         createdAt: "asc",
       },
-      take: maxCount + 1,
     });
 
-    //none to process
-    if (!pendingRuns.length) return;
+    if (!pendingRuns.length) {
+      // CH returned candidates but all of them have already moved past
+      // PENDING_VERSION (typically because a concurrent deploy or retry
+      // beat us to them). Don't reschedule — there's no work to wait for.
+      return;
+    }
 
     this.$.logger.debug("Enqueueing PENDING_VERSION runs for background worker", {
       workerId: backgroundWorker.id,
-      taskIdentifiers: pendingRuns.map((run) => run.taskIdentifier),
-      queues: pendingRuns.map((run) => run.queue),
+      lookupName: this.$.pendingVersionRunIdLookup.name,
+      candidateCount: candidateIds.length,
+      pendingRunCount: pendingRuns.length,
       runs: pendingRuns.map((run) => ({
         id: run.id,
         taskIdentifier: run.taskIdentifier,
@@ -85,22 +125,37 @@ export class PendingVersionSystem {
     });
 
     for (const run of pendingRuns) {
-      await this.$.prisma.$transaction(async (tx) => {
-        const updatedRun = await tx.taskRun.update({
-          where: {
-            id: run.id,
-          },
-          data: {
-            status: "PENDING",
-          },
+      const promoted = await this.$.prisma.$transaction(async (tx) => {
+        // Idempotency guard: only flips PENDING_VERSION → PENDING. If another
+        // worker already promoted this run between our findMany and the
+        // update, count is 0 and we skip the enqueue.
+        const updateResult = await tx.taskRun.updateMany({
+          where: { id: run.id, status: "PENDING_VERSION" },
+          data: { status: "PENDING" },
         });
+
+        if (updateResult.count === 0) {
+          return false;
+        }
+
+        const updatedRun = await tx.taskRun.findFirstOrThrow({ where: { id: run.id } });
+
         await this.enqueueSystem.enqueueRun({
           run: updatedRun,
           env: backgroundWorker.runtimeEnvironment,
           tx,
+          // PENDING_VERSION re-enqueue is the first time this run is actually
+          // entering the run queue (the original enqueue was held back waiting
+          // for a worker version). Arm TTL here so the TTL system can expire it
+          // if it sits queued waiting on a concurrency slot.
+          includeTtl: true,
         });
+
+        return true;
       });
 
+      if (!promoted) continue;
+
       this.$.eventBus.emit("runStatusChanged", {
         time: new Date(),
         run: {
@@ -108,6 +163,8 @@ export class PendingVersionSystem {
           status: "PENDING",
           updatedAt: run.updatedAt,
           createdAt: run.createdAt,
+          runTags: run.runTags,
+          batchId: run.batchId,
         },
         organization: {
           id: backgroundWorker.runtimeEnvironment.organizationId,
@@ -121,17 +178,57 @@ export class PendingVersionSystem {
       });
     }
 
-    //enqueue more if needed
-    if (pendingRuns.length > maxCount) {
+    // Reschedule when the lookup returned a full-plus-one batch — that's
+    // the signal there are more candidates to drain. Use `candidateIds`
+    // (the raw lookup result) rather than `pendingRuns` (post-status-guard)
+    // because runs that already left PENDING_VERSION shouldn't suppress
+    // the next batch.
+    if (candidateIds.length > maxCount) {
       await this.scheduleResolvePendingVersionRuns(backgroundWorkerId);
     }
   }
 
-  async scheduleResolvePendingVersionRuns(backgroundWorkerId: string): Promise<void> {
+  async scheduleResolvePendingVersionRuns(
+    backgroundWorkerId: string,
+    opts?: { attempt?: number; availableAt?: Date }
+  ): Promise<void> {
     //we want this to happen in the background
     await this.$.worker.enqueue({
       job: "queueRunsPendingVersion",
-      payload: { backgroundWorkerId },
+      payload: { backgroundWorkerId, attempt: opts?.attempt },
+      availableAt: opts?.availableAt,
+    });
+  }
+
+  /**
+   * Schedule one more lookup attempt when the first found zero candidates,
+   * to cover ClickHouse replication lag against `task_runs_v2`. Bounded by
+   * `lagMaxRetries` so we never loop indefinitely.
+   */
+  async #maybeScheduleLagRetry(
+    backgroundWorkerId: string,
+    attempt: number,
+    reason: "lookup_empty"
+  ): Promise<void> {
+    const maxRetries = this.options.lagMaxRetries ?? DEFAULT_LAG_MAX_RETRIES;
+
+    if (attempt >= maxRetries) {
+      return;
+    }
+
+    const delayMs = this.options.lagRetryDelayMs ?? DEFAULT_LAG_RETRY_DELAY_MS;
+
+    this.$.logger.debug("Scheduling pending-version lag retry", {
+      backgroundWorkerId,
+      attempt: attempt + 1,
+      maxRetries,
+      delayMs,
+      reason,
+    });
+
+    await this.scheduleResolvePendingVersionRuns(backgroundWorkerId, {
+      attempt: attempt + 1,
+      availableAt: new Date(Date.now() + delayMs),
     });
   }
 }
diff --git a/internal-packages/run-engine/src/engine/systems/runAttemptSystem.ts b/internal-packages/run-engine/src/engine/systems/runAttemptSystem.ts
index 8e95519241c..02fd83a7a25 100644
--- a/internal-packages/run-engine/src/engine/systems/runAttemptSystem.ts
+++ b/internal-packages/run-engine/src/engine/systems/runAttemptSystem.ts
@@ -63,6 +63,7 @@ import {
 import { SystemResources } from "./systems.js";
 import { WaitpointSystem } from "./waitpointSystem.js";
 import { BatchId, RunId } from "@trigger.dev/core/v3/isomorphic";
+import type { AuthenticatedEnvironment } from "../../shared/index.js";
 
 export type RunAttemptSystemOptions = {
   resources: SystemResources;
@@ -196,6 +197,7 @@ export class RunAttemptSystem {
         machinePreset: true,
         runTags: true,
         isTest: true,
+        replayedFromTaskRunFriendlyId: true,
         idempotencyKey: true,
         idempotencyKeyOptions: true,
         startedAt: true,
@@ -232,9 +234,9 @@ export class RunAttemptSystem {
       run.lockedById
         ? this.#resolveTaskRunExecutionTask(run.lockedById)
         : Promise.resolve({
-          id: run.taskIdentifier,
-          filePath: "unknown",
-        }),
+            id: run.taskIdentifier,
+            filePath: "unknown",
+          }),
       this.#resolveTaskRunExecutionQueue({
         lockedQueueId: run.lockedQueueId ?? undefined,
         queueName: run.queue,
@@ -245,13 +247,13 @@ export class RunAttemptSystem {
       run.lockedById
         ? this.#resolveTaskRunExecutionMachinePreset(run.lockedById, run.machinePreset)
         : Promise.resolve(
-          getMachinePreset({
-            defaultMachine: this.options.machines.defaultMachine,
-            machines: this.options.machines.machines,
-            config: undefined,
-            run,
-          })
-        ),
+            getMachinePreset({
+              defaultMachine: this.options.machines.defaultMachine,
+              machines: this.options.machines.machines,
+              config: undefined,
+              run,
+            })
+          ),
       run.lockedById
         ? this.#resolveTaskRunExecutionDeployment(run.lockedById)
         : Promise.resolve(undefined),
@@ -262,6 +264,7 @@ export class RunAttemptSystem {
         id: run.friendlyId,
         tags: run.runTags,
         isTest: run.isTest,
+        isReplay: !!run.replayedFromTaskRunFriendlyId,
         createdAt: run.createdAt,
         startedAt: run.startedAt ?? run.createdAt,
         idempotencyKey: getUserProvidedIdempotencyKey(run) ?? undefined,
@@ -426,6 +429,7 @@ export class RunAttemptSystem {
                   payloadType: true,
                   runTags: true,
                   isTest: true,
+                  replayedFromTaskRunFriendlyId: true,
                   idempotencyKey: true,
                   idempotencyKeyOptions: true,
                   startedAt: true,
@@ -459,8 +463,9 @@ export class RunAttemptSystem {
                 run,
                 snapshot: {
                   executionStatus: "EXECUTING",
-                  description: `Attempt created, starting execution${isWarmStart ? " (warm start)" : ""
-                    }`,
+                  description: `Attempt created, starting execution${
+                    isWarmStart ? " (warm start)" : ""
+                  }`,
                 },
                 previousSnapshotId: latestSnapshot.id,
                 environmentId: latestSnapshot.environmentId,
@@ -515,6 +520,8 @@ export class RunAttemptSystem {
               attemptNumber: nextAttemptNumber,
               baseCostInCents: updatedRun.baseCostInCents,
               executedAt: updatedRun.executedAt ?? undefined,
+              runTags: updatedRun.runTags,
+              batchId: updatedRun.batchId,
             },
             organization: {
               id: updatedRun.runtimeEnvironment.organizationId,
@@ -574,6 +581,7 @@ export class RunAttemptSystem {
               createdAt: updatedRun.createdAt,
               tags: updatedRun.runTags,
               isTest: updatedRun.isTest,
+              isReplay: !!updatedRun.replayedFromTaskRunFriendlyId,
               idempotencyKey: getUserProvidedIdempotencyKey(updatedRun) ?? undefined,
               idempotencyKeyScope: extractIdempotencyKeyScope(updatedRun),
               startedAt: updatedRun.startedAt ?? updatedRun.createdAt,
@@ -618,8 +626,8 @@ export class RunAttemptSystem {
             deployment,
             batch: updatedRun.batchId
               ? {
-                id: BatchId.toFriendlyId(updatedRun.batchId),
-              }
+                  id: BatchId.toFriendlyId(updatedRun.batchId),
+                }
               : undefined,
           };
 
@@ -1046,11 +1054,22 @@ export class RunAttemptSystem {
                   error: completion.error,
                   createdAt: run.createdAt,
                   taskEventStore: run.taskEventStore,
+                  runTags: run.runTags,
+                  batchId: run.batchId,
                 },
                 organization: {
                   id: run.runtimeEnvironment.organizationId,
                 },
-                environment: run.runtimeEnvironment,
+                // The Prisma payload structurally satisfies the slim
+                // AuthenticatedEnvironment except for `concurrencyLimitBurstFactor`
+                // (Decimal vs number). Coerce that one field; cast away
+                // the excess-property mismatch (the rest of Prisma's
+                // RuntimeEnvironment columns are extra, not missing).
+                environment: {
+                  ...run.runtimeEnvironment,
+                  concurrencyLimitBurstFactor:
+                    run.runtimeEnvironment.concurrencyLimitBurstFactor.toNumber(),
+                } as unknown as AuthenticatedEnvironment,
                 retryAt,
               });
 
@@ -1387,8 +1406,8 @@ export class RunAttemptSystem {
             error,
             bulkActionGroupIds: bulkActionId
               ? {
-                push: bulkActionId,
-              }
+                  push: bulkActionId,
+                }
               : undefined,
             ...(usageUpdate && {
               usageDurationMs: usageUpdate.usageDurationMs,
@@ -1876,26 +1895,26 @@ export class RunAttemptSystem {
     const result = await this.cache.queues.swr(cacheKey, async () => {
       const queue = params.lockedQueueId
         ? await this.$.readOnlyPrisma.taskQueue.findFirst({
-          where: {
-            id: params.lockedQueueId,
-          },
-          select: {
-            id: true,
-            friendlyId: true,
-            name: true,
-          },
-        })
+            where: {
+              id: params.lockedQueueId,
+            },
+            select: {
+              id: true,
+              friendlyId: true,
+              name: true,
+            },
+          })
         : await this.$.readOnlyPrisma.taskQueue.findFirst({
-          where: {
-            runtimeEnvironmentId: params.runtimeEnvironmentId,
-            name: params.queueName,
-          },
-          select: {
-            id: true,
-            friendlyId: true,
-            name: true,
-          },
-        });
+            where: {
+              runtimeEnvironmentId: params.runtimeEnvironmentId,
+              name: params.queueName,
+            },
+            select: {
+              id: true,
+              friendlyId: true,
+              name: true,
+            },
+          });
 
       if (!queue) {
         // Return synthetic queue so run/span view still loads (e.g. createFailedTaskRun with fallback queue)
@@ -1975,30 +1994,25 @@ export class RunAttemptSystem {
     }
 
     if (completion.flushedMetadata) {
-      const [packetError, packet] = await tryCatch(parsePacket(completion.flushedMetadata));
+      const [, packet] = await tryCatch(parsePacket(completion.flushedMetadata));
 
       if (!packet) {
         return;
       }
 
-      if (packetError) {
-        this.$.logger.error("RunEngine.completeRunAttempt(): failed to parse flushed metadata", {
-          runId,
-          flushedMetadata: completion.flushedMetadata,
-          error: packetError,
-        });
-
-        return;
-      }
-
       const metadata = FlushedRunMetadata.safeParse(packet);
 
       if (!metadata.success) {
-        this.$.logger.error("RunEngine.completeRunAttempt(): failed to parse flushed metadata", {
-          runId,
-          flushedMetadata: completion.flushedMetadata,
-          error: metadata.error,
-        });
+        // Customer's metadata operations don't match the schema (typically
+        // non-JSON values in `operations[].value`). System ignores it.
+        this.$.logger.warn(
+          "RunEngine.completeRunAttempt(): failed to validate flushed metadata",
+          {
+            runId,
+            flushedMetadata: completion.flushedMetadata,
+            error: metadata.error,
+          }
+        );
 
         return;
       }
@@ -2068,13 +2082,13 @@ export class RunAttemptSystem {
     if (environmentType !== "DEVELOPMENT") {
       const machinePreset = machinePresetName
         ? machinePresetFromName(
-          this.options.machines.machines,
-          machinePresetName as MachinePresetName
-        )
+            this.options.machines.machines,
+            machinePresetName as MachinePresetName
+          )
         : machinePresetFromName(
-          this.options.machines.machines,
-          this.options.machines.defaultMachine
-        );
+            this.options.machines.machines,
+            this.options.machines.defaultMachine
+          );
 
       costInCents = currentCostInCents + attemptDurationMs * machinePreset.centsPerMs;
     }
@@ -2084,7 +2098,6 @@ export class RunAttemptSystem {
       costInCents,
     };
   }
-
 }
 
 export function safeParseGitMeta(git: unknown): GitMeta | undefined {
diff --git a/internal-packages/run-engine/src/engine/systems/systems.ts b/internal-packages/run-engine/src/engine/systems/systems.ts
index 909df712105..e21f95958d1 100644
--- a/internal-packages/run-engine/src/engine/systems/systems.ts
+++ b/internal-packages/run-engine/src/engine/systems/systems.ts
@@ -4,6 +4,7 @@ import { PrismaClient, PrismaReplicaClient } from "@trigger.dev/database";
 import { RunQueue } from "../../run-queue/index.js";
 import { EventBus } from "../eventBus.js";
 import { RunLocker } from "../locking.js";
+import { PendingVersionRunIdLookup } from "../services/pendingVersionLookup.js";
 import { EngineWorker } from "../types.js";
 import { RaceSimulationSystem } from "./raceSimulationSystem.js";
 
@@ -18,4 +19,5 @@ export type SystemResources = {
   runLock: RunLocker;
   runQueue: RunQueue;
   raceSimulationSystem: RaceSimulationSystem;
+  pendingVersionRunIdLookup: PendingVersionRunIdLookup;
 };
diff --git a/internal-packages/run-engine/src/engine/systems/waitpointSystem.ts b/internal-packages/run-engine/src/engine/systems/waitpointSystem.ts
index d650c1c6d08..8b8d4f82fcf 100644
--- a/internal-packages/run-engine/src/engine/systems/waitpointSystem.ts
+++ b/internal-packages/run-engine/src/engine/systems/waitpointSystem.ts
@@ -837,6 +837,20 @@ export class WaitpointSystem {
         }
         case "SUSPENDED": {
           if (!snapshot.checkpointId) {
+            // A run canceled mid-suspend has its checkpoint cleared by the
+            // cancel path; reaching here just means cancel won the race.
+            // Skip rather than throw — there's nothing to resume.
+            if (snapshot.runStatus === "CANCELED") {
+              this.$.logger.warn(
+                `continueRunIfUnblocked: run was canceled while suspended, skipping`,
+                { runId, snapshot }
+              );
+              return {
+                status: "skipped",
+                reason: "run was canceled while suspended",
+              };
+            }
+
             this.$.logger.error(`continueRunIfUnblocked: run is suspended, but has no checkpoint`, {
               runId,
               snapshot,
diff --git a/internal-packages/run-engine/src/engine/tests/batchTriggerAndWait.test.ts b/internal-packages/run-engine/src/engine/tests/batchTriggerAndWait.test.ts
index 3fe9d3348a0..a632c707390 100644
--- a/internal-packages/run-engine/src/engine/tests/batchTriggerAndWait.test.ts
+++ b/internal-packages/run-engine/src/engine/tests/batchTriggerAndWait.test.ts
@@ -1,4 +1,7 @@
-import { assertNonNullable, containerTest } from "@internal/testcontainers";
+import {
+  assertNonNullable,
+  containerTestWithIsolatedRedis as containerTest,
+} from "@internal/testcontainers";
 import { trace } from "@internal/tracing";
 import { expect, describe } from "vitest";
 import { RunEngine } from "../index.js";
diff --git a/internal-packages/run-engine/src/engine/tests/batchTwoPhase.test.ts b/internal-packages/run-engine/src/engine/tests/batchTwoPhase.test.ts
index 6208560a56a..8471c07844b 100644
--- a/internal-packages/run-engine/src/engine/tests/batchTwoPhase.test.ts
+++ b/internal-packages/run-engine/src/engine/tests/batchTwoPhase.test.ts
@@ -1,4 +1,7 @@
-import { assertNonNullable, containerTest } from "@internal/testcontainers";
+import {
+  assertNonNullable,
+  containerTestWithIsolatedRedis as containerTest,
+} from "@internal/testcontainers";
 import { trace } from "@internal/tracing";
 import { expect, describe, vi } from "vitest";
 import { RunEngine } from "../index.js";
diff --git a/internal-packages/run-engine/src/engine/tests/cancelling.test.ts b/internal-packages/run-engine/src/engine/tests/cancelling.test.ts
index 1e5947cfbc1..aecae7a2632 100644
--- a/internal-packages/run-engine/src/engine/tests/cancelling.test.ts
+++ b/internal-packages/run-engine/src/engine/tests/cancelling.test.ts
@@ -322,5 +322,132 @@ describe("RunEngine cancelling", () => {
     }
   });
 
+  containerTest("Cancelling a run (dequeued)", async ({ prisma, redisOptions }) => {
+    //create environment
+    const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+    const engine = new RunEngine({
+      prisma,
+      worker: {
+        redis: redisOptions,
+        workers: 1,
+        tasksPerWorker: 10,
+        pollIntervalMs: 100,
+      },
+      queue: {
+        redis: redisOptions,
+        masterQueueConsumersDisabled: true,
+        processWorkerQueueDebounceMs: 50,
+      },
+      runLock: {
+        redis: redisOptions,
+      },
+      machines: {
+        defaultMachine: "small-1x",
+        machines: {
+          "small-1x": {
+            name: "small-1x" as const,
+            cpu: 0.5,
+            memory: 0.5,
+            centsPerMs: 0.0001,
+          },
+        },
+        baseCostInCents: 0.0001,
+      },
+      tracer: trace.getTracer("test", "0.0.0"),
+    });
+
+    try {
+      const parentTask = "parent-task";
+
+      //create background worker
+      await setupBackgroundWorker(engine, authenticatedEnvironment, [parentTask]);
+
+      //trigger the run
+      const parentRun = await engine.trigger(
+        {
+          number: 1,
+          friendlyId: "run_p1234",
+          environment: authenticatedEnvironment,
+          taskIdentifier: parentTask,
+          payload: "{}",
+          payloadType: "application/json",
+          context: {},
+          traceContext: {},
+          traceId: "t12345",
+          spanId: "s12345",
+          workerQueue: "main",
+          queue: `task/${parentTask}`,
+          isTest: false,
+          tags: [],
+        },
+        prisma
+      );
+
+      //dequeue the run, but don't start an attempt — this leaves TaskRun.status = DEQUEUED
+      //and execution snapshot = PENDING_EXECUTING (a worker has claimed the run)
+      await setTimeout(500);
+      const dequeued = await engine.dequeueFromWorkerQueue({
+        consumerId: "test_12345",
+        workerQueue: "main",
+      });
+      expect(dequeued.length).toBe(1);
+
+      const dequeuedRun = await prisma.taskRun.findFirstOrThrow({
+        where: { id: parentRun.id },
+      });
+      expect(dequeuedRun.status).toBe("DEQUEUED");
+
+      //cancel the dequeued run — a worker has already claimed it, so the snapshot goes to
+      //PENDING_CANCEL pending the worker ack. TaskRun.status flips to CANCELED immediately
+      //so the UI reflects cancellation without waiting.
+      const result = await engine.cancelRun({
+        runId: parentRun.id,
+        completedAt: new Date(),
+        reason: "Cancelled by the user",
+      });
+      expect(result.snapshot.executionStatus).toBe("PENDING_CANCEL");
+
+      const pendingCancel = await engine.getRunExecutionData({ runId: parentRun.id });
+      expect(pendingCancel?.snapshot.executionStatus).toBe("PENDING_CANCEL");
+      expect(pendingCancel?.run.status).toBe("CANCELED");
+
+      let cancelledEventData: EventBusEventArgs<"runCancelled">[0][] = [];
+      engine.eventBus.on("runCancelled", (result) => {
+        cancelledEventData.push(result);
+      });
+
+      //simulate worker acknowledging the cancellation
+      const completeResult = await engine.completeRunAttempt({
+        runId: parentRun.id,
+        snapshotId: pendingCancel!.snapshot.id,
+        completion: {
+          ok: false,
+          id: parentRun.id,
+          error: {
+            type: "INTERNAL_ERROR" as const,
+            code: "TASK_RUN_CANCELLED" as const,
+          },
+        },
+      });
+      expect(completeResult.snapshot.executionStatus).toBe("FINISHED");
+      expect(completeResult.run.status).toBe("CANCELED");
+
+      //check emitted event after worker ack
+      expect(cancelledEventData.length).toBe(1);
+      const parentEvent = cancelledEventData.find((r) => r.run.id === parentRun.id);
+      assertNonNullable(parentEvent);
+      expect(parentEvent.run.spanId).toBe(parentRun.spanId);
+
+      //concurrency should have been released
+      const envConcurrencyCompleted = await engine.runQueue.currentConcurrencyOfEnvironment(
+        authenticatedEnvironment
+      );
+      expect(envConcurrencyCompleted).toBe(0);
+    } finally {
+      await engine.quit();
+    }
+  });
+
   //todo bulk cancelling runs
 });
diff --git a/internal-packages/run-engine/src/engine/tests/createCancelledRun.test.ts b/internal-packages/run-engine/src/engine/tests/createCancelledRun.test.ts
new file mode 100644
index 00000000000..68662074ea2
--- /dev/null
+++ b/internal-packages/run-engine/src/engine/tests/createCancelledRun.test.ts
@@ -0,0 +1,345 @@
+import { containerTest } from "@internal/testcontainers";
+import { trace } from "@internal/tracing";
+import { RunId } from "@trigger.dev/core/v3/isomorphic";
+
+function freshRunId() {
+  return RunId.generate().friendlyId;
+}
+import { expect } from "vitest";
+import { RunEngine } from "../index.js";
+import type { EventBusEventArgs } from "../eventBus.js";
+import { setupAuthenticatedEnvironment } from "./setup.js";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+function baseEngineOptions(redisOptions: Parameters<typeof RunEngine>[0]["queue"]["redis"]) {
+  return {
+    worker: {
+      redis: redisOptions,
+      workers: 1,
+      tasksPerWorker: 10,
+      pollIntervalMs: 100,
+    },
+    queue: {
+      redis: redisOptions,
+      masterQueueConsumersDisabled: true,
+      processWorkerQueueDebounceMs: 50,
+    },
+    runLock: {
+      redis: redisOptions,
+    },
+    machines: {
+      defaultMachine: "small-1x" as const,
+      machines: {
+        "small-1x": {
+          name: "small-1x" as const,
+          cpu: 0.5,
+          memory: 0.5,
+          centsPerMs: 0.0001,
+        },
+      },
+      baseCostInCents: 0.0001,
+    },
+    tracer: trace.getTracer("test", "0.0.0"),
+  };
+}
+
+// engine.createCancelledRun writes a CANCELED
+// TaskRun row directly from a buffer snapshot. Verifies the bypass-
+// queue / bypass-waitpoint / emit-runCancelled contract.
+describe("RunEngine.createCancelledRun", () => {
+  containerTest(
+    "writes CANCELED PG row with snapshot fields, completedAt, error",
+    async ({ prisma, redisOptions }) => {
+      const env = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const engine = new RunEngine({ prisma, ...baseEngineOptions(redisOptions) });
+      try {
+        const friendlyId = freshRunId();
+        const cancelledAt = new Date("2026-05-20T12:00:00.000Z");
+        const cancelReason = "Canceled by user";
+
+        const result = await engine.createCancelledRun({
+          snapshot: {
+            friendlyId,
+            environment: env,
+            taskIdentifier: "test-task",
+            payload: '{"hello":"world"}',
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "0000000000000000aaaa000000000000",
+            spanId: "bbbb000000000000",
+            queue: "task/test-task",
+            isTest: false,
+            tags: ["test-tag"],
+          },
+          cancelledAt,
+          cancelReason,
+        });
+
+        expect(result.status).toBe("CANCELED");
+        expect(result.friendlyId).toBe(friendlyId);
+        expect(result.id).toBe(RunId.fromFriendlyId(friendlyId));
+        expect(result.completedAt?.toISOString()).toBe(cancelledAt.toISOString());
+        expect(result.taskIdentifier).toBe("test-task");
+        expect(result.runTags).toEqual(["test-tag"]);
+        expect(result.payload).toBe('{"hello":"world"}');
+        const err = result.error as { type?: string; raw?: string };
+        expect(err.type).toBe("STRING_ERROR");
+        expect(err.raw).toBe(cancelReason);
+
+        // Verify the PG row is canonical (findFirst returns the row).
+        const stored = await prisma.taskRun.findFirst({
+          where: { friendlyId },
+        });
+        expect(stored).not.toBeNull();
+        expect(stored!.status).toBe("CANCELED");
+      } finally {
+        await engine.quit();
+      }
+    },
+  );
+
+  containerTest(
+    "emits runCancelled with correct payload",
+    async ({ prisma, redisOptions }) => {
+      const env = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const engine = new RunEngine({ prisma, ...baseEngineOptions(redisOptions) });
+      const captured: EventBusEventArgs<"runCancelled">[0][] = [];
+      engine.eventBus.on("runCancelled", (event) => {
+        captured.push(event);
+      });
+
+      try {
+        const cancelledAt = new Date();
+        const cancelReason = "Test cancel";
+        const friendlyId = freshRunId();
+        await engine.createCancelledRun({
+          snapshot: {
+            friendlyId,
+            environment: env,
+            taskIdentifier: "test-task",
+            payload: "{}",
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "0000000000000000cccc000000000000",
+            spanId: "dddd000000000000",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+          },
+          cancelledAt,
+          cancelReason,
+        });
+
+        expect(captured).toHaveLength(1);
+        expect(captured[0]!.run.status).toBe("CANCELED");
+        expect(captured[0]!.run.friendlyId).toBe(friendlyId);
+        expect(captured[0]!.run.error).toEqual({ type: "STRING_ERROR", raw: cancelReason });
+        expect(captured[0]!.organization.id).toBe(env.organization.id);
+      } finally {
+        await engine.quit();
+      }
+    },
+  );
+
+  containerTest(
+    "emitRunCancelledEvent: false suppresses the bus emit but still writes the CANCELED PG row",
+    async ({ prisma, redisOptions }) => {
+      // The mollifier drainer passes `emitRunCancelledEvent: false` for
+      // buffered-only runs because the runCancelled handler's
+      // `cancelRunEvent` lookup fails for them (no primary trace event
+      // span exists — the mollifier gate never called
+      // `repository.traceEvent` for this run). Without the gate, every
+      // cancelled buffered run produces a `[runCancelled] Failed to
+      // cancel run event` error log. This pins the gate's contract: PG
+      // row still lands, bus emit suppressed.
+      const env = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const engine = new RunEngine({ prisma, ...baseEngineOptions(redisOptions) });
+      const captured: EventBusEventArgs<"runCancelled">[0][] = [];
+      engine.eventBus.on("runCancelled", (event) => {
+        captured.push(event);
+      });
+
+      try {
+        const friendlyId = freshRunId();
+        const result = await engine.createCancelledRun({
+          snapshot: {
+            friendlyId,
+            environment: env,
+            taskIdentifier: "test-task",
+            payload: "{}",
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "0000000000000000eeee000000000000",
+            spanId: "ffff000000000000",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+          },
+          cancelledAt: new Date(),
+          cancelReason: "Test cancel (silent emit)",
+          emitRunCancelledEvent: false,
+        });
+
+        // PG row still lands.
+        expect(result.status).toBe("CANCELED");
+        expect(result.friendlyId).toBe(friendlyId);
+        // Bus emit suppressed.
+        expect(captured).toHaveLength(0);
+      } finally {
+        await engine.quit();
+      }
+    },
+  );
+
+  containerTest(
+    "idempotent on double-pop: second call returns existing row without re-emitting",
+    async ({ prisma, redisOptions }) => {
+      const env = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const engine = new RunEngine({ prisma, ...baseEngineOptions(redisOptions) });
+      const captured: EventBusEventArgs<"runCancelled">[0][] = [];
+      engine.eventBus.on("runCancelled", (event) => {
+        captured.push(event);
+      });
+
+      try {
+        const snapshot = {
+          friendlyId: freshRunId(),
+          environment: env,
+          taskIdentifier: "test-task",
+          payload: "{}",
+          payloadType: "application/json",
+          context: {},
+          traceContext: {},
+          traceId: "0000000000000000eeee000000000000",
+          spanId: "ffff000000000000",
+          queue: "task/test-task",
+          isTest: false,
+          tags: [],
+        };
+        const cancelledAt = new Date();
+        const cancelReason = "Test idempotent";
+
+        const first = await engine.createCancelledRun({ snapshot, cancelledAt, cancelReason });
+        const second = await engine.createCancelledRun({ snapshot, cancelledAt, cancelReason });
+
+        expect(second.id).toBe(first.id);
+        // Only the first call's emit fired; the P2002 path skips re-emission.
+        expect(captured).toHaveLength(1);
+      } finally {
+        await engine.quit();
+      }
+    },
+  );
+
+  // Regression: cjson encodes empty Lua tables as `{}`, not `[]`. When
+  // the drainer pops a buffered run that never had a tag set, the
+  // deserialised snapshot's `tags` field is an empty object. The old
+  // implementation passed it straight into Prisma's `runTags:` field;
+  // Prisma misread the object as a relation update op and threw
+  // `Argument 'set' is missing`. The drainer caught the error and
+  // marked the buffer entry FAILED — so the CANCELED PG row never
+  // landed.
+  containerTest(
+    "tolerates snapshot.tags being an empty object (cjson edge case)",
+    async ({ prisma, redisOptions }) => {
+      const env = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const engine = new RunEngine({ prisma, ...baseEngineOptions(redisOptions) });
+      try {
+        const friendlyId = freshRunId();
+        // Cast through unknown to simulate the cjson-decode output shape
+        // for an empty Lua table — TypeScript's snapshot type says
+        // string[], but the buffer Lua delivers {} for the empty case.
+        const result = await engine.createCancelledRun({
+          snapshot: {
+            friendlyId,
+            environment: env,
+            taskIdentifier: "test-task",
+            payload: "{}",
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "0000000000000000abcd000000000000",
+            spanId: "1234000000000000",
+            queue: "task/test-task",
+            isTest: false,
+            tags: {} as unknown as string[],
+          },
+          cancelledAt: new Date(),
+          cancelReason: "Cancelled — empty tags",
+        });
+        expect(result.status).toBe("CANCELED");
+        expect(result.friendlyId).toBe(friendlyId);
+        // Prisma normalises the absent-tags case to either [] or null
+        // depending on the column default; assert it's an empty array.
+        expect(result.runTags).toEqual([]);
+      } finally {
+        await engine.quit();
+      }
+    },
+  );
+
+  // Regression: the P2002-on-id idempotency path used to return ANY
+  // existing row, which would silently report success even if a live
+  // (non-CANCELED) row landed first. The guard now requires the
+  // existing row's status to be CANCELED; anything else surfaces a
+  // conflict so the caller can route to engine.cancelRun() or skip.
+  containerTest(
+    "P2002 conflict with non-CANCELED existing row throws (does not silently succeed)",
+    async ({ prisma, redisOptions }) => {
+      const env = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const engine = new RunEngine({ prisma, ...baseEngineOptions(redisOptions) });
+      try {
+        const friendlyId = freshRunId();
+        const id = RunId.fromFriendlyId(friendlyId);
+
+        // Plant a live (non-CANCELED) row with the same id so the
+        // cancelled-run INSERT hits P2002 and the guard finds a row
+        // that ISN'T CANCELED.
+        await prisma.taskRun.create({
+          data: {
+            id,
+            friendlyId,
+            taskIdentifier: "test-task",
+            payload: "{}",
+            payloadType: "application/json",
+            status: "PENDING",
+            runtimeEnvironmentId: env.id,
+            projectId: env.project.id,
+            organizationId: env.organizationId,
+            queue: "task/test-task",
+            traceId: "0000000000000000aaaa000000000000",
+            spanId: "bbbb000000000000",
+            engine: "V2",
+          },
+        });
+
+        await expect(
+          engine.createCancelledRun({
+            snapshot: {
+              friendlyId,
+              environment: env,
+              taskIdentifier: "test-task",
+              payload: "{}",
+              payloadType: "application/json",
+              context: {},
+              traceContext: {},
+              traceId: "0000000000000000aaaa000000000000",
+              spanId: "bbbb000000000000",
+              queue: "task/test-task",
+              isTest: false,
+              tags: [],
+            },
+            cancelledAt: new Date(),
+            cancelReason: "Should not silently overwrite a live row",
+          }),
+        ).rejects.toThrow(/createCancelledRun conflict.*PENDING/);
+      } finally {
+        await engine.quit();
+      }
+    },
+  );
+});
diff --git a/internal-packages/run-engine/src/engine/tests/createFailedTaskRun.test.ts b/internal-packages/run-engine/src/engine/tests/createFailedTaskRun.test.ts
new file mode 100644
index 00000000000..84d33baa87d
--- /dev/null
+++ b/internal-packages/run-engine/src/engine/tests/createFailedTaskRun.test.ts
@@ -0,0 +1,176 @@
+import { containerTest } from "@internal/testcontainers";
+import { trace } from "@internal/tracing";
+import { generateFriendlyId } from "@trigger.dev/core/v3/isomorphic";
+import { expect } from "vitest";
+import { RunEngine } from "../index.js";
+import { EventBusEventArgs } from "../eventBus.js";
+import { setupAuthenticatedEnvironment } from "./setup.js";
+
+vi.setConfig({ testTimeout: 60_000 });
+
+describe("RunEngine.createFailedTaskRun", () => {
+  containerTest("emits runFailed so the alert pipeline wakes up", async ({ prisma, redisOptions }) => {
+    // The mollifier drainer (and batch-trigger over-limit path) call
+    // createFailedTaskRun to write a terminal SYSTEM_FAILURE PG row
+    // for runs that never actually executed. Without an explicit
+    // runFailed emit, the row lands silently — the
+    // runEngineHandlers' `runFailed` listener (which enqueues
+    // PerformTaskRunAlertsService) never fires, so customers'
+    // configured TASK_RUN alert channels miss the failure entirely.
+    //
+    // Regression intent: if the emit is removed or moved out of
+    // createFailedTaskRun's success path, this test fails. The
+    // shape assertions pin the fields the alert delivery service
+    // reads from the event payload (run.id, run.status, error,
+    // attemptNumber=0 as the never-ran-marker).
+    const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+    const engine = new RunEngine({
+      prisma,
+      worker: {
+        redis: redisOptions,
+        workers: 1,
+        tasksPerWorker: 10,
+        pollIntervalMs: 100,
+      },
+      queue: {
+        redis: redisOptions,
+        masterQueueConsumersDisabled: true,
+        processWorkerQueueDebounceMs: 50,
+      },
+      runLock: {
+        redis: redisOptions,
+      },
+      machines: {
+        defaultMachine: "small-1x",
+        machines: {
+          "small-1x": {
+            name: "small-1x" as const,
+            cpu: 0.5,
+            memory: 0.5,
+            centsPerMs: 0.0001,
+          },
+        },
+        baseCostInCents: 0.0005,
+      },
+      tracer: trace.getTracer("test", "0.0.0"),
+    });
+
+    try {
+      const failedEvents: EventBusEventArgs<"runFailed">[0][] = [];
+      engine.eventBus.on("runFailed", (event) => {
+        failedEvents.push(event);
+      });
+
+      const friendlyId = generateFriendlyId("run");
+      const taskIdentifier = "drainer-terminal-test";
+
+      const failed = await engine.createFailedTaskRun({
+        friendlyId,
+        environment: {
+          id: authenticatedEnvironment.id,
+          type: authenticatedEnvironment.type,
+          project: { id: authenticatedEnvironment.project.id },
+          organization: { id: authenticatedEnvironment.organization.id },
+        },
+        taskIdentifier,
+        payload: "{}",
+        payloadType: "application/json",
+        error: {
+          type: "STRING_ERROR",
+          raw: "Mollifier drainer terminal failure: synthetic engine.trigger panic",
+        },
+        traceId: "0123456789abcdef0123456789abcdef",
+        spanId: "fedcba9876543210",
+      });
+
+      expect(failed.status).toBe("SYSTEM_FAILURE");
+
+      expect(failedEvents).toHaveLength(1);
+      const event = failedEvents[0];
+      expect(event.run.id).toBe(failed.id);
+      expect(event.run.status).toBe("SYSTEM_FAILURE");
+      expect(event.run.spanId).toBe("fedcba9876543210");
+      // attemptNumber=0 is the marker that the run never executed —
+      // it's a synthesised terminal failure, not an exhausted-retries
+      // failure. Downstream consumers can use this to distinguish.
+      expect(event.run.attemptNumber).toBe(0);
+      expect(event.run.usageDurationMs).toBe(0);
+      expect(event.run.costInCents).toBe(0);
+      expect(event.run.error).toEqual({
+        type: "STRING_ERROR",
+        raw: "Mollifier drainer terminal failure: synthetic engine.trigger panic",
+      });
+      expect(event.organization.id).toBe(authenticatedEnvironment.organization.id);
+      expect(event.project.id).toBe(authenticatedEnvironment.project.id);
+      expect(event.environment.id).toBe(authenticatedEnvironment.id);
+    } finally {
+      await engine.quit();
+    }
+  });
+
+  // The TriggerFailedTaskService.call() path wraps createFailedTaskRun
+  // inside `repository.traceEvent({ incomplete: false, isError: true })`
+  // which already writes the completion row for the (traceId, spanId).
+  // Emitting `runFailed` from here would cause the
+  // `completeFailedRunEvent` handler to race a second write against
+  // the same span — the `emitRunFailedEvent: false` opt-out is what
+  // suppresses the emit. The PG row + alert side stay correct because
+  // the caller enqueues `PerformTaskRunAlertsService.enqueue(run.id)`
+  // directly after the trace event closes.
+  containerTest(
+    "emitRunFailedEvent: false suppresses the bus emit but still creates the PG row",
+    async ({ prisma, redisOptions }) => {
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      const engine = new RunEngine({
+        prisma,
+        worker: { redis: redisOptions, workers: 1, tasksPerWorker: 10, pollIntervalMs: 100 },
+        queue: { redis: redisOptions, masterQueueConsumersDisabled: true, processWorkerQueueDebounceMs: 50 },
+        runLock: { redis: redisOptions },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": { name: "small-1x" as const, cpu: 0.5, memory: 0.5, centsPerMs: 0.0001 },
+          },
+          baseCostInCents: 0.0005,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      try {
+        const failedEvents: EventBusEventArgs<"runFailed">[0][] = [];
+        engine.eventBus.on("runFailed", (event) => {
+          failedEvents.push(event);
+        });
+
+        const friendlyId = generateFriendlyId("run");
+        const failed = await engine.createFailedTaskRun({
+          friendlyId,
+          environment: {
+            id: authenticatedEnvironment.id,
+            type: authenticatedEnvironment.type,
+            project: { id: authenticatedEnvironment.project.id },
+            organization: { id: authenticatedEnvironment.organization.id },
+          },
+          taskIdentifier: "outer-trace-event-test",
+          payload: "{}",
+          payloadType: "application/json",
+          error: { type: "STRING_ERROR", raw: "outer trace event manages span" },
+          traceId: "0123456789abcdef0123456789abcdef",
+          spanId: "fedcba9876543210",
+          emitRunFailedEvent: false,
+        });
+
+        // PG row landed (caller still gets a usable TaskRun).
+        expect(failed.status).toBe("SYSTEM_FAILURE");
+        expect(failed.friendlyId).toBe(friendlyId);
+
+        // Bus emit was suppressed.
+        expect(failedEvents).toHaveLength(0);
+      } finally {
+        await engine.quit();
+      }
+    },
+  );
+});
diff --git a/internal-packages/run-engine/src/engine/tests/debounce.test.ts b/internal-packages/run-engine/src/engine/tests/debounce.test.ts
index 1c201c4b4c4..e46f0de07cd 100644
--- a/internal-packages/run-engine/src/engine/tests/debounce.test.ts
+++ b/internal-packages/run-engine/src/engine/tests/debounce.test.ts
@@ -4,6 +4,7 @@ import { expect } from "vitest";
 import { RunEngine } from "../index.js";
 import { setTimeout } from "timers/promises";
 import { setupAuthenticatedEnvironment, setupBackgroundWorker } from "./setup.js";
+import { createRedisClient } from "@internal/redis";
 
 vi.setConfig({ testTimeout: 60_000 });
 
@@ -240,6 +241,8 @@ describe("RunEngine debounce", () => {
         },
         debounce: {
           maxDebounceDurationMs: 60_000,
+          // Disable quantization so this test can observe sub-second extensions.
+          quantizeNewDelayUntilMs: 0,
         },
         tracer: trace.getTracer("test", "0.0.0"),
       });
@@ -2497,5 +2500,700 @@ describe("RunEngine debounce", () => {
       }
     }
   );
+
+  containerTest(
+    "Debounce fast-path: subsequent triggers within the same quantization bucket skip the lock",
+    async ({ prisma, redisOptions }) => {
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0001,
+        },
+        debounce: {
+          maxDebounceDurationMs: 60_000,
+          // Wide bucket so the second trigger is guaranteed to land in the same one.
+          quantizeNewDelayUntilMs: 60_000,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      try {
+        const taskIdentifier = "test-task";
+
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+        const run1 = await engine.trigger(
+          {
+            number: 1,
+            friendlyId: "run_fp1",
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: '{"data": "first"}',
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_fp_1",
+            spanId: "s_fp_1",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+            delayUntil: new Date(Date.now() + 5000),
+            debounce: {
+              key: "fast-path-key",
+              delay: "5s",
+            },
+          },
+          prisma
+        );
+
+        const originalDelayUntil = run1.delayUntil;
+        assertNonNullable(originalDelayUntil);
+
+        // Update the delayUntil directly to a far-future value, simulating a
+        // previous trigger that already pushed the bucket forward. The next
+        // call's quantized newDelayUntil will land at-or-before this, so the
+        // fast-path should skip the lock and leave delayUntil untouched.
+        const farFuture = new Date(Date.now() + 10 * 60_000);
+        await prisma.taskRun.update({
+          where: { id: run1.id },
+          data: { delayUntil: farFuture },
+        });
+
+        const run2 = await engine.trigger(
+          {
+            number: 2,
+            friendlyId: "run_fp2",
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: '{"data": "second"}',
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_fp_2",
+            spanId: "s_fp_2",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+            delayUntil: new Date(Date.now() + 5000),
+            debounce: {
+              key: "fast-path-key",
+              delay: "5s",
+            },
+          },
+          prisma
+        );
+
+        expect(run2.id).toBe(run1.id);
+
+        const updatedRun = await prisma.taskRun.findFirst({
+          where: { id: run1.id },
+        });
+        assertNonNullable(updatedRun);
+        assertNonNullable(updatedRun.delayUntil);
+
+        // delayUntil must NOT have been bumped backward by the second trigger,
+        // proving we short-circuited before taking the lock or rescheduling.
+        expect(updatedRun.delayUntil.getTime()).toBe(farFuture.getTime());
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
+
+  containerTest(
+    "Debounce fast-path: trailing mode with updateData still takes the lock",
+    async ({ prisma, redisOptions }) => {
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0001,
+        },
+        debounce: {
+          maxDebounceDurationMs: 60_000,
+          quantizeNewDelayUntilMs: 60_000,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      try {
+        const taskIdentifier = "test-task";
+
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+        const run1 = await engine.trigger(
+          {
+            number: 1,
+            friendlyId: "run_trfp1",
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: '{"data": "first"}',
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_trfp_1",
+            spanId: "s_trfp_1",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+            delayUntil: new Date(Date.now() + 5000),
+            debounce: {
+              key: "trailing-fast-path-key",
+              delay: "5s",
+              mode: "trailing",
+            },
+          },
+          prisma
+        );
+
+        // Push delayUntil far forward so the fast-path *would* short-circuit
+        // for leading mode. Trailing-mode triggers with updateData must still
+        // take the lock so the data update is applied.
+        const farFuture = new Date(Date.now() + 10 * 60_000);
+        await prisma.taskRun.update({
+          where: { id: run1.id },
+          data: { delayUntil: farFuture },
+        });
+
+        const run2 = await engine.trigger(
+          {
+            number: 2,
+            friendlyId: "run_trfp2",
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: '{"data": "second"}',
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_trfp_2",
+            spanId: "s_trfp_2",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+            delayUntil: new Date(Date.now() + 5000),
+            debounce: {
+              key: "trailing-fast-path-key",
+              delay: "5s",
+              mode: "trailing",
+              updateData: {
+                payload: '{"data": "second"}',
+                payloadType: "application/json",
+              },
+            },
+          },
+          prisma
+        );
+
+        expect(run2.id).toBe(run1.id);
+
+        const updatedRun = await prisma.taskRun.findFirst({
+          where: { id: run1.id },
+        });
+        assertNonNullable(updatedRun);
+        // Trailing-mode update went through the lock and rewrote the payload.
+        expect(updatedRun.payload).toBe('{"data": "second"}');
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
+
+  containerTest(
+    "Debounce: quantized newDelayUntil falls on a bucket boundary",
+    async ({ prisma, redisOptions }) => {
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0001,
+        },
+        debounce: {
+          maxDebounceDurationMs: 60_000,
+          quantizeNewDelayUntilMs: 1000,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      try {
+        const taskIdentifier = "test-task";
+
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+        const run1 = await engine.trigger(
+          {
+            number: 1,
+            friendlyId: "run_q1",
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: '{"data": "first"}',
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_q_1",
+            spanId: "s_q_1",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+            delayUntil: new Date(Date.now() + 5000),
+            debounce: {
+              key: "quantize-key",
+              delay: "5s",
+            },
+          },
+          prisma
+        );
+
+        // Force a meaningfully-later bucket so the second trigger pushes
+        // delayUntil forward through the lock.
+        await prisma.taskRun.update({
+          where: { id: run1.id },
+          data: { delayUntil: new Date(Date.now() - 1000) },
+        });
+
+        await engine.trigger(
+          {
+            number: 2,
+            friendlyId: "run_q2",
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: '{"data": "second"}',
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_q_2",
+            spanId: "s_q_2",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+            delayUntil: new Date(Date.now() + 5000),
+            debounce: {
+              key: "quantize-key",
+              delay: "5s",
+            },
+          },
+          prisma
+        );
+
+        const updatedRun = await prisma.taskRun.findFirst({
+          where: { id: run1.id },
+        });
+        assertNonNullable(updatedRun);
+        assertNonNullable(updatedRun.delayUntil);
+
+        // The new delayUntil should be aligned to a 1s bucket boundary.
+        expect(updatedRun.delayUntil.getTime() % 1000).toBe(0);
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
+
+  containerTest(
+    "Debounce: lock contention falls back to returning existing run",
+    async ({ prisma, redisOptions }) => {
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+          // Force lock acquisition to fail almost immediately so we can
+          // exercise the contention safety net deterministically.
+          retryConfig: {
+            maxAttempts: 0,
+            baseDelay: 1,
+            maxDelay: 1,
+            maxTotalWaitTime: 1,
+          },
+          duration: 30_000,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0001,
+        },
+        debounce: {
+          maxDebounceDurationMs: 60_000,
+          // Disable fast-path so the request is forced through the lock and
+          // we can prove the contention fallback handles 5xx prevention.
+          fastPathSkipEnabled: false,
+          quantizeNewDelayUntilMs: 0,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      try {
+        const taskIdentifier = "test-task";
+
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+        const run1 = await engine.trigger(
+          {
+            number: 1,
+            friendlyId: "run_lc1",
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: '{"data": "first"}',
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_lc_1",
+            spanId: "s_lc_1",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+            delayUntil: new Date(Date.now() + 5000),
+            debounce: {
+              key: "contention-key",
+              delay: "5s",
+            },
+          },
+          prisma
+        );
+
+        // Hold the underlying redlock key from a separate Redis connection so
+        // the engine's runLock cannot acquire it. Since we configured
+        // `retryConfig.maxAttempts: 0` and `maxTotalWaitTime: 1`, the second
+        // trigger should hit the contention fallback rather than bubble a 5xx.
+        // Note: the prefix template here intentionally matches what the engine
+        // builds at index.ts:120 (no `?? ""` fallback) so that the keys line up
+        // even when redisOptions.keyPrefix is undefined.
+        const blockingRedis = createRedisClient({
+          ...redisOptions,
+          keyPrefix: `${redisOptions.keyPrefix}runlock:`,
+        });
+
+        const originalDelayUntil = run1.delayUntil;
+        assertNonNullable(originalDelayUntil);
+
+        try {
+          const blockResult = await blockingRedis.set(
+            run1.id,
+            "test-blocker",
+            "PX",
+            30_000,
+            "NX"
+          );
+          expect(blockResult).toBe("OK");
+
+          const run2 = await engine.trigger(
+            {
+              number: 2,
+              friendlyId: "run_lc2",
+              environment: authenticatedEnvironment,
+              taskIdentifier,
+              payload: '{"data": "second"}',
+              payloadType: "application/json",
+              context: {},
+              traceContext: {},
+              traceId: "t_lc_2",
+              spanId: "s_lc_2",
+              workerQueue: "main",
+              queue: "task/test-task",
+              isTest: false,
+              tags: [],
+              delayUntil: new Date(Date.now() + 5000),
+              debounce: {
+                key: "contention-key",
+                delay: "5s",
+              },
+            },
+            prisma
+          );
+
+          // We did NOT 5xx; we returned the existing run.
+          expect(run2.id).toBe(run1.id);
+
+          // Prove the fallback actually ran rather than the lock being acquired
+          // normally: the second trigger could not push delayUntil forward
+          // because rescheduling is skipped on contention.
+          const updatedRun = await prisma.taskRun.findFirst({
+            where: { id: run1.id },
+          });
+          assertNonNullable(updatedRun);
+          assertNonNullable(updatedRun.delayUntil);
+          expect(updatedRun.delayUntil.getTime()).toBe(originalDelayUntil.getTime());
+        } finally {
+          await blockingRedis.del(run1.id);
+          await blockingRedis.quit();
+        }
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
+
+  // Reproduces the hot-key contention from TRI-8758: fires N concurrent
+  // triggers on the same debounce key after the run is already DELAYED.
+  //
+  // - fixed=true: fast-path skip + 1s quantization on. The herd collapses on
+  //   the unlocked read and onto the same quantized newDelayUntil, so almost
+  //   every call short-circuits and `taskRun.update` is barely written.
+  // - fixed=false: fast-path off and quantization off (closer to the
+  //   pre-fix behaviour). The lock-contention fallback (also part of this
+  //   PR) still catches herd lock failures; this case validates that even
+  //   without the fast-path the system stays correct under stress, just at
+  //   higher Redlock cost.
+  for (const fixed of [true, false]) {
+    containerTest(
+      `Debounce hot-key stress (fixed=${fixed}): N concurrent triggers stay correct`,
+      async ({ prisma, redisOptions }) => {
+        const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+        const engine = new RunEngine({
+          prisma,
+          worker: {
+            redis: redisOptions,
+            workers: 1,
+            tasksPerWorker: 10,
+            pollIntervalMs: 100,
+          },
+          queue: {
+            redis: redisOptions,
+          },
+          runLock: {
+            redis: redisOptions,
+          },
+          machines: {
+            defaultMachine: "small-1x",
+            machines: {
+              "small-1x": {
+                name: "small-1x" as const,
+                cpu: 0.5,
+                memory: 0.5,
+                centsPerMs: 0.0001,
+              },
+            },
+            baseCostInCents: 0.0001,
+          },
+          debounce: {
+            maxDebounceDurationMs: 10 * 60_000,
+            fastPathSkipEnabled: fixed,
+            // 1s buckets - same as the real default - or 0 to mimic the
+            // pre-fix behaviour where every concurrent trigger has a slightly
+            // larger newDelayUntil than the last.
+            quantizeNewDelayUntilMs: fixed ? 1000 : 0,
+          },
+          tracer: trace.getTracer("test", "0.0.0"),
+        });
+
+        try {
+          const taskIdentifier = "test-task";
+          await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+          // Seed the debounce key with an initial run, then push delayUntil far
+          // forward so the herd lands well inside the existing window.
+          const seed = await engine.trigger(
+            {
+              number: 0,
+              friendlyId: "run_stress0",
+              environment: authenticatedEnvironment,
+              taskIdentifier,
+              payload: '{"data": "seed"}',
+              payloadType: "application/json",
+              context: {},
+              traceContext: {},
+              traceId: "t_stress_seed",
+              spanId: "s_stress_seed",
+              workerQueue: "main",
+              queue: "task/test-task",
+              isTest: false,
+              tags: [],
+              delayUntil: new Date(Date.now() + 30_000),
+              debounce: {
+                key: "stress-key",
+                delay: "30s",
+              },
+            },
+            prisma
+          );
+
+          // Move delayUntil to a small but safe future offset. The herd's
+          // newDelayUntil (now + 30s) will be meaningfully later than the
+          // current value, so the fast-path-off branch reschedules. The
+          // ~2s buffer keeps the run DELAYED long enough to absorb startup
+          // jitter before the first trigger writes delayUntil = now + 30s.
+          await prisma.taskRun.update({
+            where: { id: seed.id },
+            data: { delayUntil: new Date(Date.now() + 2_000) },
+          });
+
+          // Subscribe to `runDelayRescheduled` so we can count how many times
+          // the herd actually pushed `delayUntil` forward. Each event corresponds
+          // to a successful reschedule under the lock - the fast-path/contention
+          // fallback paths skip the reschedule entirely. We use the engine's
+          // public eventBus, which is the same observable interface other tests
+          // in this repo (ttl, trigger, cancelling, waitpoints) use.
+          let rescheduleCount = 0;
+          engine.eventBus.on("runDelayRescheduled", () => {
+            rescheduleCount++;
+          });
+
+          const N = 40;
+          const triggers = Array.from({ length: N }, (_, i) =>
+            engine.trigger(
+              {
+                number: i + 1,
+                friendlyId: `run_stress${i + 1}`,
+                environment: authenticatedEnvironment,
+                taskIdentifier,
+                payload: `{"data": "stress-${i}"}`,
+                payloadType: "application/json",
+                context: {},
+                traceContext: {},
+                traceId: `t_stress_${i}`,
+                spanId: `s_stress_${i}`,
+                workerQueue: "main",
+                queue: "task/test-task",
+                isTest: false,
+                tags: [],
+                delayUntil: new Date(Date.now() + 30_000),
+                debounce: {
+                  key: "stress-key",
+                  delay: "30s",
+                },
+              },
+              prisma
+            )
+          );
+
+          const start = performance.now();
+          const settled = await Promise.allSettled(triggers);
+          const durationMs = performance.now() - start;
+
+          const fulfilled = settled.filter(
+            (r): r is PromiseFulfilledResult<{ id: string }> => r.status === "fulfilled"
+          );
+          const rejected = settled.filter((r) => r.status === "rejected");
+
+          // No 5xx feedback loop: every concurrent trigger succeeds and
+          // returns the existing run id.
+          expect(rejected).toHaveLength(0);
+          expect(fulfilled).toHaveLength(N);
+          for (const r of fulfilled) {
+            expect(r.value.id).toBe(seed.id);
+          }
+
+          // Only one row, regardless of contention path.
+          const runs = await prisma.taskRun.findMany({
+            where: { taskIdentifier, runtimeEnvironmentId: authenticatedEnvironment.id },
+          });
+          expect(runs.length).toBe(1);
+
+          // Wait briefly for any in-flight reschedule events to flush before
+          // asserting on the count. EventBus emit is synchronous here but
+          // settle a microtask just to be safe.
+          await new Promise((resolve) => setImmediate(resolve));
+
+          console.log(
+            `[stress fixed=${fixed}] N=${N} duration=${durationMs.toFixed(
+              0
+            )}ms reschedules=${rescheduleCount}`
+          );
+
+          if (fixed) {
+            // With fast-path + quantization: the herd collapses onto the
+            // same quantized newDelayUntil. Trigger #1 takes the lock and
+            // pushes delayUntil; every subsequent trigger sees a covering
+            // delayUntil on the unlocked read and short-circuits without
+            // emitting a reschedule. So at most one reschedule fires.
+            expect(rescheduleCount).toBeLessThanOrEqual(1);
+          }
+        } finally {
+          await engine.quit();
+        }
+      }
+    );
+  }
 });
 
diff --git a/internal-packages/run-engine/src/engine/tests/delays.test.ts b/internal-packages/run-engine/src/engine/tests/delays.test.ts
index 8a93aa1ad14..81e3641cd74 100644
--- a/internal-packages/run-engine/src/engine/tests/delays.test.ts
+++ b/internal-packages/run-engine/src/engine/tests/delays.test.ts
@@ -201,6 +201,11 @@ describe("RunEngine delays", () => {
       },
       queue: {
         redis: redisOptions,
+        ttlSystem: {
+          pollIntervalMs: 100,
+          batchSize: 10,
+          batchMaxWaitMs: 100,
+        },
       },
       runLock: {
         redis: redisOptions,
@@ -230,7 +235,21 @@ describe("RunEngine delays", () => {
         taskIdentifier
       );
 
+      // TTL only expires runs still queued waiting on a concurrency slot.
+      // Once the delay elapses, the run gets enqueued; saturate env concurrency
+      // so it stays queued so the new TTL path can expire it.
+      await engine.runQueue.updateEnvConcurrencyLimits({
+        ...authenticatedEnvironment,
+        maximumConcurrencyLimit: 0,
+      });
+
+      const enqueuedAfterDelayTimes: number[] = [];
+      engine.eventBus.on("runEnqueuedAfterDelay", () => {
+        enqueuedAfterDelayTimes.push(Date.now());
+      });
+
       //trigger the run
+      const triggerTime = Date.now();
       const run = await engine.trigger(
         {
           number: 1,
@@ -247,7 +266,7 @@ describe("RunEngine delays", () => {
           queue: "task/test-task",
           isTest: false,
           tags: [],
-          delayUntil: new Date(Date.now() + 1000),
+          delayUntil: new Date(triggerTime + 1000),
           ttl: "2s",
         },
         prisma
@@ -259,7 +278,7 @@ describe("RunEngine delays", () => {
       expect(executionData.snapshot.executionStatus).toBe("DELAYED");
       expect(run.status).toBe("DELAYED");
 
-      //wait for 1 seconds
+      //wait so the delay elapses and the run is enqueued
       await setTimeout(2_500);
 
       //should now be queued
@@ -273,19 +292,29 @@ describe("RunEngine delays", () => {
 
       expect(run2.status).toBe("PENDING");
 
-      //wait for 3 seconds
-      await setTimeout(3_000);
+      // TTL is armed at queue-enter time (not from triggerTime). With a 2s TTL
+      // and a 1s delay, the run becomes eligible to expire ~3s after trigger.
+      // Confirm the TTL was not armed against triggerTime (i.e. didn't already
+      // fire while still DELAYED), and that the run only expires after the
+      // queue-enter timestamp + ttl has elapsed.
+      expect(enqueuedAfterDelayTimes.length).toBe(1);
+      const enqueuedAt = enqueuedAfterDelayTimes[0]!;
+      expect(enqueuedAt - triggerTime).toBeGreaterThanOrEqual(1000);
 
-      //should now be expired
-      const executionData3 = await engine.getRunExecutionData({ runId: run.id });
-      assertNonNullable(executionData3);
-      expect(executionData3.snapshot.executionStatus).toBe("FINISHED");
+      //wait so the TTL fires (counted from when the run was enqueued)
+      await setTimeout(3_000);
 
+      // Status comes from the DB; the batch TTL path does not create
+      // execution snapshots, so getRunExecutionData may still show QUEUED.
       const run3 = await prisma.taskRun.findFirstOrThrow({
         where: { id: run.id },
       });
 
       expect(run3.status).toBe("EXPIRED");
+      assertNonNullable(run3.expiredAt);
+      // The expiry must happen after enqueue + ttl, not after trigger + ttl.
+      // Allow a small tolerance for poll interval + batch wait.
+      expect(run3.expiredAt.getTime()).toBeGreaterThanOrEqual(enqueuedAt + 2_000);
     } finally {
       await engine.quit();
     }
diff --git a/internal-packages/run-engine/src/engine/tests/getSnapshotsSince.test.ts b/internal-packages/run-engine/src/engine/tests/getSnapshotsSince.test.ts
index 77867b1b1b1..15831d10839 100644
--- a/internal-packages/run-engine/src/engine/tests/getSnapshotsSince.test.ts
+++ b/internal-packages/run-engine/src/engine/tests/getSnapshotsSince.test.ts
@@ -13,6 +13,10 @@ import {
   setupTestScenario,
   generateLargeOutput,
 } from "./helpers/snapshotTestHelpers.js";
+import {
+  copySnapshotsToReplica,
+  createTestMetricsMeter,
+} from "./helpers/replicaTestHelpers.js";
 import { generateFriendlyId } from "@trigger.dev/core/v3/isomorphic";
 
 vi.setConfig({ testTimeout: 120_000 });
@@ -432,6 +436,117 @@ describe("RunEngine getSnapshotsSince", () => {
     }
   });
 
+  containerTest(
+    "returns null when the since snapshot belongs to a different run",
+    async ({ prisma, redisOptions }) => {
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0001,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      try {
+        const taskIdentifier = "test-task";
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+        const runA = await engine.trigger(
+          {
+            number: 1,
+            friendlyId: generateFriendlyId("run"),
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: "{}",
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_foreign_snapshot",
+            spanId: "s_foreign_snapshot_a",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+          },
+          prisma
+        );
+
+        const runB = await engine.trigger(
+          {
+            number: 2,
+            friendlyId: generateFriendlyId("run"),
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: "{}",
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_foreign_snapshot",
+            spanId: "s_foreign_snapshot_b",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+          },
+          prisma
+        );
+
+        await setTimeout(500);
+        await engine.dequeueFromWorkerQueue({
+          consumerId: "test_foreign_snapshot",
+          workerQueue: "main",
+        });
+
+        const runASnapshots = await prisma.taskRunExecutionSnapshot.findMany({
+          where: { runId: runA.id, isValid: true },
+          orderBy: { createdAt: "asc" },
+        });
+        const runBSnapshots = await prisma.taskRunExecutionSnapshot.findMany({
+          where: { runId: runB.id, isValid: true },
+          orderBy: { createdAt: "asc" },
+        });
+
+        expect(runASnapshots.length).toBeGreaterThanOrEqual(1);
+        expect(runBSnapshots.length).toBeGreaterThanOrEqual(1);
+
+        const runASnapshot = runASnapshots[0];
+
+        // Poll run B using a snapshot id that belongs to run A.
+        const result = await engine.getSnapshotsSince({
+          runId: runB.id,
+          snapshotId: runASnapshot.id,
+        });
+
+        expect(result).toBeNull();
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
+
   // Direct database tests for the core function
   containerTest(
     "direct test: large waitpoint scenario - 100 waitpoints with 10KB outputs",
@@ -679,4 +794,619 @@ describe("RunEngine getSnapshotsSince", () => {
       }
     }
   );
+
+  containerTest(
+    "falls back to the primary when the replica is missing the since snapshot",
+    async ({ prisma, schemaOnlyPrisma, redisOptions }) => {
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const { meter, getCounterValue } = createTestMetricsMeter();
+
+      const engine = new RunEngine({
+        prisma,
+        // An empty (schema-only) database stands in for a read replica that has not
+        // caught up: every lookup on it misses, so the engine must fall back to the
+        // primary instead of failing the poll.
+        readOnlyPrisma: schemaOnlyPrisma,
+        readReplicaSnapshotsSinceEnabled: true,
+        // Tiny jitter window: the replica is permanently empty here, so the retry
+        // always misses - no need to pay a realistic delay.
+        readReplicaSnapshotsSinceRetryDelay: { minMs: 1, maxMs: 2 },
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0001,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+        meter,
+      });
+
+      try {
+        const taskIdentifier = "test-task";
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+        const runFriendlyId = generateFriendlyId("run");
+        const run = await engine.trigger(
+          {
+            number: 1,
+            friendlyId: runFriendlyId,
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: "{}",
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_replica_fallback",
+            spanId: "s_replica_fallback",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+          },
+          prisma
+        );
+
+        await setTimeout(500);
+        await engine.dequeueFromWorkerQueue({
+          consumerId: "test_replica_fallback",
+          workerQueue: "main",
+        });
+
+        const allSnapshots = await prisma.taskRunExecutionSnapshot.findMany({
+          where: { runId: run.id, isValid: true },
+          orderBy: { createdAt: "asc" },
+        });
+        expect(allSnapshots.length).toBeGreaterThan(1);
+
+        // The since-snapshot exists only on the primary - the replica misses it.
+        const firstSnapshot = allSnapshots[0];
+        const result = await engine.getSnapshotsSince({
+          runId: run.id,
+          snapshotId: firstSnapshot.id,
+        });
+
+        // Served by the primary fallback, not a failed poll.
+        expect(result).not.toBeNull();
+        const expectedSnapshots = allSnapshots.filter(
+          (s) => s.createdAt.getTime() > firstSnapshot.createdAt.getTime()
+        );
+        expect(expectedSnapshots.length).toBeGreaterThan(0);
+        expect(result!.length).toBe(expectedSnapshots.length);
+        // Compare as sorted lists: same-millisecond snapshots have unspecified relative
+        // order in both the engine query and this test's query.
+        expect(result!.map((s) => s.snapshot.id).sort()).toEqual(
+          expectedSnapshots.map((s) => s.id).sort()
+        );
+
+        expect(
+          await getCounterValue("run_engine.snapshots_since.replica_miss", { outcome: "primary" })
+        ).toBe(1);
+        // The replica retry never succeeds against a permanently empty replica.
+        expect(
+          await getCounterValue("run_engine.snapshots_since.replica_miss", {
+            outcome: "replica_retry",
+          })
+        ).toBe(0);
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
+
+  containerTest(
+    "serves the read from the replica after a jittered retry when it catches up",
+    async ({ prisma, schemaOnlyPrisma, redisOptions }) => {
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const { meter, getCounterValue } = createTestMetricsMeter();
+
+      const engine = new RunEngine({
+        prisma,
+        // The schema-only database stands in for a lagging replica: empty when the
+        // poll first arrives, caught up by the time the jittered retry fires.
+        readOnlyPrisma: schemaOnlyPrisma,
+        readReplicaSnapshotsSinceEnabled: true,
+        // A near-deterministic ~400ms window: long enough to seed the replica
+        // mid-flight (below), short enough to keep the test fast.
+        readReplicaSnapshotsSinceRetryDelay: { minMs: 400, maxMs: 401 },
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0001,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+        meter,
+      });
+
+      try {
+        const taskIdentifier = "test-task";
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+        const runFriendlyId = generateFriendlyId("run");
+        const run = await engine.trigger(
+          {
+            number: 1,
+            friendlyId: runFriendlyId,
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: "{}",
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_replica_retry",
+            spanId: "s_replica_retry",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+          },
+          prisma
+        );
+
+        await setTimeout(500);
+        await engine.dequeueFromWorkerQueue({
+          consumerId: "test_replica_retry",
+          workerQueue: "main",
+        });
+
+        const allSnapshots = await prisma.taskRunExecutionSnapshot.findMany({
+          where: { runId: run.id, isValid: true },
+          orderBy: { createdAt: "asc" },
+        });
+        expect(allSnapshots.length).toBeGreaterThan(1);
+
+        const firstSnapshot = allSnapshots[0];
+
+        // Warm the replica connection so the engine's first attempt is a fast point
+        // read - a cold Prisma connect could outlast the 100ms seeding window below.
+        await schemaOnlyPrisma.$queryRaw`SELECT 1`;
+
+        // Kick off the poll against the still-empty replica, then seed the replica
+        // well before the ~400ms jittered retry fires - simulating the replica
+        // catching up while the engine waits.
+        const resultPromise = engine.getSnapshotsSince({
+          runId: run.id,
+          snapshotId: firstSnapshot.id,
+        });
+        await setTimeout(100);
+        await copySnapshotsToReplica(prisma, schemaOnlyPrisma, run.id);
+        const result = await resultPromise;
+
+        expect(result).not.toBeNull();
+        const expectedSnapshots = allSnapshots.filter(
+          (s) => s.createdAt.getTime() > firstSnapshot.createdAt.getTime()
+        );
+        expect(expectedSnapshots.length).toBeGreaterThan(0);
+        expect(result!.length).toBe(expectedSnapshots.length);
+        // Compare as sorted lists: same-millisecond snapshots have unspecified relative
+        // order in both the engine query and this test's query.
+        expect(result!.map((s) => s.snapshot.id).sort()).toEqual(
+          expectedSnapshots.map((s) => s.id).sort()
+        );
+
+        // Recovered on the replica retry - the writer was never consulted.
+        expect(
+          await getCounterValue("run_engine.snapshots_since.replica_miss", {
+            outcome: "replica_retry",
+          })
+        ).toBe(1);
+        expect(
+          await getCounterValue("run_engine.snapshots_since.replica_miss", { outcome: "primary" })
+        ).toBe(0);
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
+
+  containerTest(
+    "returns null when the snapshot is missing on both replica and primary",
+    async ({ prisma, schemaOnlyPrisma, redisOptions }) => {
+      const { meter, getCounterValue } = createTestMetricsMeter();
+
+      const engine = new RunEngine({
+        prisma,
+        readOnlyPrisma: schemaOnlyPrisma,
+        readReplicaSnapshotsSinceEnabled: true,
+        readReplicaSnapshotsSinceRetryDelay: { minMs: 1, maxMs: 2 },
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0001,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+        meter,
+      });
+
+      try {
+        // runId is never consulted - the since-snapshot lookup throws on the bogus id first.
+        const result = await engine.getSnapshotsSince({
+          runId: "run_does_not_exist",
+          snapshotId: "snapshot_does_not_exist",
+        });
+
+        expect(result).toBeNull();
+
+        // Permanent misses are deliberately NOT counted - the counter only tracks
+        // reads actually served by the primary fallback.
+        expect(await getCounterValue("run_engine.snapshots_since.replica_miss")).toBe(0);
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
+
+  containerTest(
+    "serves the replica's view when the replica has the since snapshot but lags behind the primary",
+    async ({ prisma, schemaOnlyPrisma, redisOptions }) => {
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const { meter, getCounterValue } = createTestMetricsMeter();
+
+      const engine = new RunEngine({
+        prisma,
+        // The schema-only database stands in for a replica that has the since-snapshot
+        // but lags behind the primary by one snapshot (the newest one is excluded below).
+        readOnlyPrisma: schemaOnlyPrisma,
+        readReplicaSnapshotsSinceEnabled: true,
+        readReplicaSnapshotsSinceRetryDelay: { minMs: 1, maxMs: 2 },
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0001,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+        meter,
+      });
+
+      try {
+        const taskIdentifier = "test-task";
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+        const runFriendlyId = generateFriendlyId("run");
+        const run = await engine.trigger(
+          {
+            number: 1,
+            friendlyId: runFriendlyId,
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: "{}",
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_replica_stale_tail",
+            spanId: "s_replica_stale_tail",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+          },
+          prisma
+        );
+
+        await setTimeout(500);
+        await engine.dequeueFromWorkerQueue({
+          consumerId: "test_replica_stale_tail",
+          workerQueue: "main",
+        });
+
+        const allSnapshots = await prisma.taskRunExecutionSnapshot.findMany({
+          where: { runId: run.id, isValid: true },
+          orderBy: { createdAt: "asc" },
+        });
+        expect(allSnapshots.length).toBeGreaterThanOrEqual(3);
+
+        const since = allSnapshots[0];
+        const tail = allSnapshots[allSnapshots.length - 1];
+
+        // Replica has everything EXCEPT the newest snapshot - a lagging-but-usable replica.
+        await copySnapshotsToReplica(prisma, schemaOnlyPrisma, run.id, {
+          excludeSnapshotIds: [tail.id],
+        });
+
+        const result = await engine.getSnapshotsSince({
+          runId: run.id,
+          snapshotId: since.id,
+        });
+
+        expect(result).not.toBeNull();
+
+        // The replica's view: everything after the since snapshot, minus the tail
+        // it hasn't received yet. If reads were hitting the primary, the tail would
+        // be present and these assertions would fail.
+        const expectedSnapshots = allSnapshots.filter(
+          (s) => s.createdAt.getTime() > since.createdAt.getTime() && s.id !== tail.id
+        );
+        expect(result!.map((s) => s.snapshot.id)).not.toContain(tail.id);
+        // Compare as sorted lists: same-millisecond snapshots have unspecified relative
+        // order in both the engine query and this test's query.
+        expect(result!.map((s) => s.snapshot.id).sort()).toEqual(
+          expectedSnapshots.map((s) => s.id).sort()
+        );
+
+        expect(await getCounterValue("run_engine.snapshots_since.replica_miss")).toBe(0);
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
+
+  containerTest(
+    "reads from the primary when the flag is off even with a replica configured",
+    async ({ prisma, schemaOnlyPrisma, redisOptions }) => {
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const { meter, getCounterValue } = createTestMetricsMeter();
+
+      const engine = new RunEngine({
+        prisma,
+        // Replica configured but EMPTY, flag off: a correct result can only come
+        // from the primary.
+        readOnlyPrisma: schemaOnlyPrisma,
+        readReplicaSnapshotsSinceEnabled: false,
+        readReplicaSnapshotsSinceRetryDelay: { minMs: 1, maxMs: 2 },
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0001,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+        meter,
+      });
+
+      try {
+        const taskIdentifier = "test-task";
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+        const runFriendlyId = generateFriendlyId("run");
+        const run = await engine.trigger(
+          {
+            number: 1,
+            friendlyId: runFriendlyId,
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: "{}",
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_replica_flag_off",
+            spanId: "s_replica_flag_off",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+          },
+          prisma
+        );
+
+        await setTimeout(500);
+        await engine.dequeueFromWorkerQueue({
+          consumerId: "test_replica_flag_off",
+          workerQueue: "main",
+        });
+
+        const allSnapshots = await prisma.taskRunExecutionSnapshot.findMany({
+          where: { runId: run.id, isValid: true },
+          orderBy: { createdAt: "asc" },
+        });
+        expect(allSnapshots.length).toBeGreaterThan(1);
+
+        const since = allSnapshots[0];
+        const result = await engine.getSnapshotsSince({
+          runId: run.id,
+          snapshotId: since.id,
+        });
+
+        expect(result).not.toBeNull();
+        const expectedSnapshots = allSnapshots.filter(
+          (s) => s.createdAt.getTime() > since.createdAt.getTime()
+        );
+        expect(expectedSnapshots.length).toBeGreaterThan(0);
+        // Compare as sorted lists: same-millisecond snapshots have unspecified relative
+        // order in both the engine query and this test's query.
+        expect(result!.map((s) => s.snapshot.id).sort()).toEqual(
+          expectedSnapshots.map((s) => s.id).sort()
+        );
+
+        expect(await getCounterValue("run_engine.snapshots_since.replica_miss")).toBe(0);
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
+
+  containerTest(
+    "uses the provided transaction client and never falls back",
+    async ({ prisma, schemaOnlyPrisma, redisOptions }) => {
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const { meter, getCounterValue } = createTestMetricsMeter();
+
+      const engine = new RunEngine({
+        prisma,
+        // Flag ON with an EMPTY replica: if the provided tx didn't bypass the replica,
+        // the read would miss and (at best) be served by the fallback, incrementing
+        // the counter.
+        readOnlyPrisma: schemaOnlyPrisma,
+        readReplicaSnapshotsSinceEnabled: true,
+        readReplicaSnapshotsSinceRetryDelay: { minMs: 1, maxMs: 2 },
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+        },
+        queue: {
+          redis: redisOptions,
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0001,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+        meter,
+      });
+
+      try {
+        const taskIdentifier = "test-task";
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+        const runFriendlyId = generateFriendlyId("run");
+        const run = await engine.trigger(
+          {
+            number: 1,
+            friendlyId: runFriendlyId,
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: "{}",
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_replica_tx_bypass",
+            spanId: "s_replica_tx_bypass",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+          },
+          prisma
+        );
+
+        await setTimeout(500);
+        await engine.dequeueFromWorkerQueue({
+          consumerId: "test_replica_tx_bypass",
+          workerQueue: "main",
+        });
+
+        const allSnapshots = await prisma.taskRunExecutionSnapshot.findMany({
+          where: { runId: run.id, isValid: true },
+          orderBy: { createdAt: "asc" },
+        });
+        expect(allSnapshots.length).toBeGreaterThan(1);
+
+        const since = allSnapshots[0];
+        const result = await engine.getSnapshotsSince({
+          runId: run.id,
+          snapshotId: since.id,
+          tx: prisma,
+        });
+
+        expect(result).not.toBeNull();
+        const expectedSnapshots = allSnapshots.filter(
+          (s) => s.createdAt.getTime() > since.createdAt.getTime()
+        );
+        expect(expectedSnapshots.length).toBeGreaterThan(0);
+        // Compare as sorted lists: same-millisecond snapshots have unspecified relative
+        // order in both the engine query and this test's query.
+        expect(result!.map((s) => s.snapshot.id).sort()).toEqual(
+          expectedSnapshots.map((s) => s.id).sort()
+        );
+
+        expect(await getCounterValue("run_engine.snapshots_since.replica_miss")).toBe(0);
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
 });
diff --git a/internal-packages/run-engine/src/engine/tests/helpers/replicaTestHelpers.ts b/internal-packages/run-engine/src/engine/tests/helpers/replicaTestHelpers.ts
new file mode 100644
index 00000000000..3b94bae8887
--- /dev/null
+++ b/internal-packages/run-engine/src/engine/tests/helpers/replicaTestHelpers.ts
@@ -0,0 +1,105 @@
+import {
+  AggregationTemporality,
+  InMemoryMetricExporter,
+  MeterProvider,
+  PeriodicExportingMetricReader,
+} from "@opentelemetry/sdk-metrics";
+import { Prisma, PrismaClient } from "@trigger.dev/database";
+
+/**
+ * Copies a run's TaskRunExecutionSnapshot rows from the primary database into the
+ * replica database. The replica (a schema-only clone) has no parent rows (no TaskRun),
+ * so the rows are inserted with FK triggers disabled - exactly how a physical replica's
+ * data arrives, without FK re-checks.
+ */
+export async function copySnapshotsToReplica(
+  primary: PrismaClient,
+  replica: PrismaClient,
+  runId: string,
+  opts?: { excludeSnapshotIds?: string[] }
+) {
+  const rows = await primary.taskRunExecutionSnapshot.findMany({ where: { runId } });
+  const toCopy = rows.filter((r) => !(opts?.excludeSnapshotIds ?? []).includes(r.id));
+
+  await replica.$transaction(async (tx) => {
+    // SET LOCAL applies for the duration of this transaction (same connection),
+    // disabling FK triggers like a physical replica's apply process.
+    await tx.$executeRawUnsafe(`SET LOCAL session_replication_role = replica`);
+
+    for (const row of toCopy) {
+      await tx.taskRunExecutionSnapshot.create({
+        data: {
+          id: row.id,
+          engine: row.engine,
+          executionStatus: row.executionStatus,
+          description: row.description,
+          isValid: row.isValid,
+          error: row.error,
+          previousSnapshotId: row.previousSnapshotId,
+          runId: row.runId,
+          runStatus: row.runStatus,
+          batchId: row.batchId,
+          attemptNumber: row.attemptNumber,
+          environmentId: row.environmentId,
+          environmentType: row.environmentType,
+          projectId: row.projectId,
+          organizationId: row.organizationId,
+          completedWaitpointOrder: row.completedWaitpointOrder,
+          checkpointId: row.checkpointId,
+          workerId: row.workerId,
+          runnerId: row.runnerId,
+          // Preserve timestamps exactly - the snapshots-since window query depends on them.
+          createdAt: row.createdAt,
+          updatedAt: row.updatedAt,
+          lastHeartbeatAt: row.lastHeartbeatAt,
+          metadata: row.metadata === null ? Prisma.DbNull : row.metadata,
+        },
+      });
+    }
+  });
+}
+
+/**
+ * Creates a real OTel meter backed by an in-memory exporter, plus a helper to read
+ * a counter's current cumulative value. No mocks - this exercises the same metrics
+ * pipeline production uses.
+ */
+export function createTestMetricsMeter() {
+  const exporter = new InMemoryMetricExporter(AggregationTemporality.CUMULATIVE);
+  // Long interval: exports only happen via explicit forceFlush() below.
+  const reader = new PeriodicExportingMetricReader({ exporter, exportIntervalMillis: 3_600_000 });
+  const meterProvider = new MeterProvider({ readers: [reader] });
+  const meter = meterProvider.getMeter("test");
+
+  const getCounterValue = async (
+    name: string,
+    attributes?: Record<string, string>
+  ): Promise<number> => {
+    await reader.forceFlush();
+    const resourceMetrics = exporter.getMetrics();
+
+    // Cumulative temporality: every export batch carries the full running total,
+    // so read the most recent batch that contains the metric. A counter that was
+    // never added to exports no data points - treat that as 0. When `attributes`
+    // is provided, only data points whose attributes match are summed.
+    for (let i = resourceMetrics.length - 1; i >= 0; i--) {
+      for (const scopeMetrics of resourceMetrics[i].scopeMetrics) {
+        for (const metric of scopeMetrics.metrics) {
+          if (metric.descriptor.name === name && metric.dataPoints.length > 0) {
+            return metric.dataPoints
+              .filter(
+                (dp) =>
+                  !attributes ||
+                  Object.entries(attributes).every(([key, value]) => dp.attributes[key] === value)
+              )
+              .reduce((sum, dp) => sum + (dp.value as number), 0);
+          }
+        }
+      }
+    }
+
+    return 0;
+  };
+
+  return { meter, getCounterValue };
+}
diff --git a/internal-packages/run-engine/src/engine/tests/lazyWaitpoint.test.ts b/internal-packages/run-engine/src/engine/tests/lazyWaitpoint.test.ts
index bc24f9b6f1a..dedcff5b5b6 100644
--- a/internal-packages/run-engine/src/engine/tests/lazyWaitpoint.test.ts
+++ b/internal-packages/run-engine/src/engine/tests/lazyWaitpoint.test.ts
@@ -409,6 +409,7 @@ describe("RunEngine lazy waitpoint creation", () => {
           ttlSystem: {
             pollIntervalMs: 100,
             batchSize: 10,
+            batchMaxWaitMs: 100,
           },
         },
         runLock: {
@@ -434,6 +435,12 @@ describe("RunEngine lazy waitpoint creation", () => {
 
         await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
 
+        // TTL only expires runs still queued waiting on a concurrency slot.
+        await engine.runQueue.updateEnvConcurrencyLimits({
+          ...authenticatedEnvironment,
+          maximumConcurrencyLimit: 0,
+        });
+
         // Trigger a standalone run with TTL (no waitpoint)
         const run = await engine.trigger(
           {
@@ -467,11 +474,15 @@ describe("RunEngine lazy waitpoint creation", () => {
         // Wait for TTL to expire
         await setTimeout(1_500);
 
-        // Verify run expired successfully (no throw)
-        const executionData = await engine.getRunExecutionData({ runId: run.id });
-        assertNonNullable(executionData);
-        expect(executionData.run.status).toBe("EXPIRED");
-        expect(executionData.snapshot.executionStatus).toBe("FINISHED");
+        // Verify run expired successfully (no throw).
+        // The batch TTL path does not create execution snapshots, so check
+        // the status directly from the database rather than via
+        // getRunExecutionData.
+        const expiredRun = await prisma.taskRun.findUnique({
+          where: { id: run.id },
+          select: { status: true },
+        });
+        expect(expiredRun?.status).toBe("EXPIRED");
       } finally {
         await engine.quit();
       }
diff --git a/internal-packages/run-engine/src/engine/tests/pendingVersion.test.ts b/internal-packages/run-engine/src/engine/tests/pendingVersion.test.ts
index 65498e32ffe..cd56f10c84c 100644
--- a/internal-packages/run-engine/src/engine/tests/pendingVersion.test.ts
+++ b/internal-packages/run-engine/src/engine/tests/pendingVersion.test.ts
@@ -4,6 +4,7 @@ import { RunEngine } from "../index.js";
 import { setTimeout } from "timers/promises";
 import { setupAuthenticatedEnvironment, setupBackgroundWorker } from "./setup.js";
 import { DequeuedMessage } from "@trigger.dev/core/v3";
+import { PostgresPendingVersionRunIdLookup } from "./postgresPendingVersionLookup.js";
 
 vi.setConfig({ testTimeout: 60_000 });
 
@@ -44,6 +45,7 @@ describe("RunEngine pending version", () => {
         },
         //set this so we have to requeue the runs in two batches
         queueRunsWaitingForWorkerBatchSize: 1,
+        pendingVersionRunIdLookup: new PostgresPendingVersionRunIdLookup(prisma),
         tracer: trace.getTracer("test", "0.0.0"),
       });
 
@@ -191,6 +193,7 @@ describe("RunEngine pending version", () => {
         },
         //set this so we have to requeue the runs in two batches
         queueRunsWaitingForWorkerBatchSize: 1,
+        pendingVersionRunIdLookup: new PostgresPendingVersionRunIdLookup(prisma),
         tracer: trace.getTracer("test", "0.0.0"),
         logLevel: "debug",
       });
@@ -309,4 +312,121 @@ describe("RunEngine pending version", () => {
       }
     }
   );
+
+  containerTest(
+    "PENDING_VERSION re-enqueue arms TTL on the queued message",
+    async ({ prisma, redisOptions }) => {
+      // When a run enters PENDING_VERSION (background worker doesn't yet have
+      // the task), the first enqueue happens but the message is dequeued and
+      // its TTL set entry is dropped while the run waits for a matching worker.
+      // Once a worker arrives, pendingVersionSystem re-enqueues. That
+      // re-enqueue is the first time the run is actually queued for a worker,
+      // so TTL must be armed at that point — not held over from the original
+      // enqueue.
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+        },
+        queue: {
+          redis: redisOptions,
+          processWorkerQueueDebounceMs: 50,
+          masterQueueConsumersDisabled: true,
+          ttlSystem: {
+            pollIntervalMs: 100,
+            batchSize: 10,
+            batchMaxWaitMs: 100,
+          },
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0001,
+        },
+        pendingVersionRunIdLookup: new PostgresPendingVersionRunIdLookup(prisma),
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
+
+      try {
+        const taskIdentifier = "test-task";
+
+        // Trigger a run with TTL — no background worker exists yet for this
+        // task, so it will end up in PENDING_VERSION.
+        const run = await engine.trigger(
+          {
+            number: 1,
+            friendlyId: "run_pvttl1",
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: "{}",
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "tpv1",
+            spanId: "spv1",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+            ttl: "10m",
+          },
+          prisma
+        );
+
+        // A worker arrives that doesn't have this task — flushes the run to
+        // PENDING_VERSION.
+        await setupBackgroundWorker(engine, authenticatedEnvironment, ["test-task-other"]);
+
+        await setTimeout(500);
+
+        // The consumer attempt is what flushes the run to PENDING_VERSION —
+        // dequeue finds no matching task version and returns nothing.
+        const dequeuedEmpty = await engine.dequeueFromWorkerQueue({
+          consumerId: "test_pv",
+          workerQueue: "main",
+        });
+        expect(dequeuedEmpty.length).toBe(0);
+
+        const executionDataAfter = await engine.getRunExecutionData({ runId: run.id });
+        assertNonNullable(executionDataAfter);
+        expect(executionDataAfter.run.status).toBe("PENDING_VERSION");
+
+        // Now a worker arrives WITH the task — pendingVersionSystem
+        // re-enqueues the run.
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+        await setTimeout(1000);
+
+        const executionDataReenqueued = await engine.getRunExecutionData({ runId: run.id });
+        assertNonNullable(executionDataReenqueued);
+        expect(executionDataReenqueued.run.status).toBe("PENDING");
+
+        // The re-enqueued message must carry ttlExpiresAt so the TTL set
+        // tracks it for expiration.
+        const message = await engine.runQueue.readMessage(
+          authenticatedEnvironment.organization.id,
+          run.id
+        );
+        assertNonNullable(message);
+        expect(message.ttlExpiresAt).toBeDefined();
+        expect(typeof message.ttlExpiresAt).toBe("number");
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
 });
diff --git a/internal-packages/run-engine/src/engine/tests/postgresPendingVersionLookup.ts b/internal-packages/run-engine/src/engine/tests/postgresPendingVersionLookup.ts
new file mode 100644
index 00000000000..33239ea8176
--- /dev/null
+++ b/internal-packages/run-engine/src/engine/tests/postgresPendingVersionLookup.ts
@@ -0,0 +1,43 @@
+import { PrismaClient } from "@trigger.dev/database";
+import type {
+  PendingVersionRunIdLookup,
+  PendingVersionRunIdLookupOptions,
+  PendingVersionRunIdLookupResult,
+} from "../services/pendingVersionLookup.js";
+
+/**
+ * Test-only Postgres-backed lookup. Performs the same query the system
+ * used to issue directly before the ClickHouse migration. Lets the
+ * existing pendingVersion tests keep exercising the end-to-end transition
+ * without spinning up a ClickHouse container.
+ *
+ * Not exported from the package — for in-package tests only.
+ */
+export class PostgresPendingVersionRunIdLookup implements PendingVersionRunIdLookup {
+  readonly name = "test-postgres";
+
+  constructor(private readonly prisma: PrismaClient) {}
+
+  async lookupPendingVersionRunIds(
+    options: PendingVersionRunIdLookupOptions
+  ): Promise<PendingVersionRunIdLookupResult> {
+    if (options.taskIdentifiers.length === 0 || options.queues.length === 0) {
+      return { runIds: [] };
+    }
+
+    const rows = await this.prisma.taskRun.findMany({
+      where: {
+        runtimeEnvironmentId: options.environmentId,
+        projectId: options.projectId,
+        status: "PENDING_VERSION",
+        taskIdentifier: { in: options.taskIdentifiers },
+        queue: { in: options.queues },
+      },
+      select: { id: true },
+      orderBy: { createdAt: "asc" },
+      take: options.limit,
+    });
+
+    return { runIds: rows.map((r) => r.id) };
+  }
+}
diff --git a/internal-packages/run-engine/src/engine/tests/priority.test.ts b/internal-packages/run-engine/src/engine/tests/priority.test.ts
index 24bcce7dc4e..13e25186c28 100644
--- a/internal-packages/run-engine/src/engine/tests/priority.test.ts
+++ b/internal-packages/run-engine/src/engine/tests/priority.test.ts
@@ -20,6 +20,7 @@ describe("RunEngine priority", () => {
       const engine = new RunEngine({
         prisma,
         worker: {
+          disabled: true,
           redis: redisOptions,
           workers: 1,
           tasksPerWorker: 10,
@@ -129,6 +130,7 @@ describe("RunEngine priority", () => {
       const engine = new RunEngine({
         prisma,
         worker: {
+          disabled: true,
           redis: redisOptions,
           workers: 1,
           tasksPerWorker: 10,
diff --git a/internal-packages/run-engine/src/engine/tests/ttl.test.ts b/internal-packages/run-engine/src/engine/tests/ttl.test.ts
index c1df00bf13f..13d4c55b669 100644
--- a/internal-packages/run-engine/src/engine/tests/ttl.test.ts
+++ b/internal-packages/run-engine/src/engine/tests/ttl.test.ts
@@ -1,6 +1,7 @@
 import { containerTest, assertNonNullable } from "@internal/testcontainers";
 import { trace } from "@internal/tracing";
 import { expect } from "vitest";
+import { Decimal } from "@trigger.dev/database";
 import { RunEngine } from "../index.js";
 import { setTimeout } from "timers/promises";
 import { EventBusEventArgs } from "../eventBus.js";
@@ -28,6 +29,7 @@ describe("RunEngine ttl", () => {
         ttlSystem: {
           pollIntervalMs: 100,
           batchSize: 10,
+          batchMaxWaitMs: 100,
         },
       },
       runLock: {
@@ -58,6 +60,14 @@ describe("RunEngine ttl", () => {
         taskIdentifier
       );
 
+      // TTL only expires runs still queued waiting on a concurrency slot.
+      // Force env concurrency to 0 so the run never gets dequeued and stays
+      // in the TTL set long enough for the consumer to expire it.
+      await engine.runQueue.updateEnvConcurrencyLimits({
+        ...authenticatedEnvironment,
+        maximumConcurrencyLimit: 0,
+      });
+
       //trigger the run
       const run = await engine.trigger(
         {
@@ -132,175 +142,389 @@ describe("RunEngine ttl", () => {
     }
   });
 
-  containerTest("First enqueue from trigger includes ttlExpiresAt in message", async ({
-    prisma,
-    redisOptions,
-  }) => {
-    const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+  containerTest(
+    "First enqueue from trigger includes ttlExpiresAt in message",
+    async ({ prisma, redisOptions }) => {
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
 
-    const engine = new RunEngine({
-      prisma,
-      worker: {
-        redis: redisOptions,
-        workers: 1,
-        tasksPerWorker: 10,
-        pollIntervalMs: 100,
-      },
-      queue: {
-        redis: redisOptions,
-        processWorkerQueueDebounceMs: 50,
-        masterQueueConsumersDisabled: true,
-        ttlSystem: {
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
           pollIntervalMs: 100,
-          batchSize: 10,
         },
-      },
-      runLock: {
-        redis: redisOptions,
-      },
-      machines: {
-        defaultMachine: "small-1x",
+        queue: {
+          redis: redisOptions,
+          processWorkerQueueDebounceMs: 50,
+          masterQueueConsumersDisabled: true,
+          ttlSystem: {
+            pollIntervalMs: 100,
+            batchSize: 10,
+            batchMaxWaitMs: 100,
+          },
+        },
+        runLock: {
+          redis: redisOptions,
+        },
         machines: {
-          "small-1x": {
-            name: "small-1x" as const,
-            cpu: 0.5,
-            memory: 0.5,
-            centsPerMs: 0.0001,
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
           },
+          baseCostInCents: 0.0001,
         },
-        baseCostInCents: 0.0001,
-      },
-      tracer: trace.getTracer("test", "0.0.0"),
-    });
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
 
-    try {
-      const taskIdentifier = "test-task";
-      await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+      try {
+        const taskIdentifier = "test-task";
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
 
-      const run = await engine.trigger(
-        {
-          number: 1,
-          friendlyId: "run_ttlmsg1",
-          environment: authenticatedEnvironment,
-          taskIdentifier,
-          payload: "{}",
-          payloadType: "application/json",
-          context: {},
-          traceContext: {},
-          traceId: "t_ttl",
-          spanId: "s_ttl",
-          workerQueue: "main",
-          queue: "task/test-task",
-          isTest: false,
-          tags: [],
-          ttl: "1s",
+        const run = await engine.trigger(
+          {
+            number: 1,
+            friendlyId: "run_ttlmsg1",
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: "{}",
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_ttl",
+            spanId: "s_ttl",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+            ttl: "1s",
+          },
+          prisma
+        );
+
+        const message = await engine.runQueue.readMessage(
+          authenticatedEnvironment.organization.id,
+          run.id
+        );
+        assertNonNullable(message);
+        expect(message.ttlExpiresAt).toBeDefined();
+        expect(typeof message.ttlExpiresAt).toBe("number");
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
+
+  containerTest(
+    "Re-enqueue with includeTtl false does not set ttlExpiresAt",
+    async ({ prisma, redisOptions }) => {
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
         },
-        prisma
-      );
+        queue: {
+          redis: redisOptions,
+          processWorkerQueueDebounceMs: 50,
+          masterQueueConsumersDisabled: true,
+          ttlSystem: {
+            pollIntervalMs: 100,
+            batchSize: 10,
+            batchMaxWaitMs: 100,
+          },
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0001,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
 
-      const message = await engine.runQueue.readMessage(
-        authenticatedEnvironment.organization.id,
-        run.id
-      );
-      assertNonNullable(message);
-      expect(message.ttlExpiresAt).toBeDefined();
-      expect(typeof message.ttlExpiresAt).toBe("number");
-    } finally {
-      await engine.quit();
+      try {
+        const taskIdentifier = "test-task";
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+        const run = await engine.trigger(
+          {
+            number: 1,
+            friendlyId: "run_reenq01",
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: "{}",
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_re",
+            spanId: "s_re",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+            ttl: "1s",
+          },
+          prisma
+        );
+
+        const messageAfterTrigger = await engine.runQueue.readMessage(
+          authenticatedEnvironment.organization.id,
+          run.id
+        );
+        assertNonNullable(messageAfterTrigger);
+        expect(messageAfterTrigger.ttlExpiresAt).toBeDefined();
+
+        await engine.enqueueSystem.enqueueRun({
+          run,
+          env: authenticatedEnvironment,
+          tx: prisma,
+          skipRunLock: true,
+          includeTtl: false,
+        });
+
+        const messageAfterReenqueue = await engine.runQueue.readMessage(
+          authenticatedEnvironment.organization.id,
+          run.id
+        );
+        assertNonNullable(messageAfterReenqueue);
+        expect(messageAfterReenqueue.ttlExpiresAt).toBeUndefined();
+      } finally {
+        await engine.quit();
+      }
     }
-  });
+  );
 
-  containerTest("Re-enqueue with includeTtl false does not set ttlExpiresAt", async ({
-    prisma,
-    redisOptions,
-  }) => {
-    const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+  containerTest(
+    "Re-enqueued runs are not expired by TTL once they have started",
+    async ({ prisma, redisOptions }) => {
+      // Contract: TTL only applies to runs that are queued and have never started.
+      // Once a run has been dequeued (started executing), a subsequent re-enqueue
+      // (e.g. after a waitpoint, checkpoint resume, or pending-version flow)
+      // must not re-arm TTL, even if the original TTL deadline has long passed.
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
 
-    const engine = new RunEngine({
-      prisma,
-      worker: {
-        redis: redisOptions,
-        workers: 1,
-        tasksPerWorker: 10,
-        pollIntervalMs: 100,
-      },
-      queue: {
-        redis: redisOptions,
-        processWorkerQueueDebounceMs: 50,
-        masterQueueConsumersDisabled: true,
-        ttlSystem: {
+      const expiredEvents: EventBusEventArgs<"runExpired">[0][] = [];
+
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
           pollIntervalMs: 100,
-          batchSize: 10,
         },
-      },
-      runLock: {
-        redis: redisOptions,
-      },
-      machines: {
-        defaultMachine: "small-1x",
+        queue: {
+          redis: redisOptions,
+          processWorkerQueueDebounceMs: 50,
+          masterQueueConsumersDisabled: true,
+          ttlSystem: {
+            pollIntervalMs: 100,
+            batchSize: 10,
+            batchMaxWaitMs: 100,
+          },
+        },
+        runLock: {
+          redis: redisOptions,
+        },
         machines: {
-          "small-1x": {
-            name: "small-1x" as const,
-            cpu: 0.5,
-            memory: 0.5,
-            centsPerMs: 0.0001,
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
           },
+          baseCostInCents: 0.0001,
         },
-        baseCostInCents: 0.0001,
-      },
-      tracer: trace.getTracer("test", "0.0.0"),
-    });
+        tracer: trace.getTracer("test", "0.0.0"),
+      });
 
-    try {
-      const taskIdentifier = "test-task";
-      await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+      try {
+        const taskIdentifier = "test-task";
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
 
-      const run = await engine.trigger(
-        {
-          number: 1,
-          friendlyId: "run_reenq01",
-          environment: authenticatedEnvironment,
-          taskIdentifier,
-          payload: "{}",
-          payloadType: "application/json",
-          context: {},
-          traceContext: {},
-          traceId: "t_re",
-          spanId: "s_re",
+        engine.eventBus.on("runExpired", (result) => {
+          expiredEvents.push(result);
+        });
+
+        const run = await engine.trigger(
+          {
+            number: 1,
+            friendlyId: "run_restart01",
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: "{}",
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "t_re2",
+            spanId: "s_re2",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+            ttl: "1s",
+          },
+          prisma
+        );
+
+        // Dequeue the run — this simulates the run starting to execute, which
+        // ZREMs its TTL set entry.
+        await engine.runQueue.processMasterQueueForEnvironment(authenticatedEnvironment.id, 10);
+        const dequeued = await engine.dequeueFromWorkerQueue({
+          consumerId: "test-consumer",
           workerQueue: "main",
-          queue: "task/test-task",
-          isTest: false,
-          tags: [],
-          ttl: "1s",
-        },
-        prisma
-      );
+          blockingPopTimeoutSeconds: 1,
+        });
+        expect(dequeued.length).toBe(1);
 
-      const messageAfterTrigger = await engine.runQueue.readMessage(
-        authenticatedEnvironment.organization.id,
-        run.id
-      );
-      assertNonNullable(messageAfterTrigger);
-      expect(messageAfterTrigger.ttlExpiresAt).toBeDefined();
-
-      await engine.enqueueSystem.enqueueRun({
-        run,
-        env: authenticatedEnvironment,
-        tx: prisma,
-        skipRunLock: true,
-        includeTtl: false,
+        // Re-enqueue without includeTtl — this is what waitpoint/checkpoint
+        // resume paths do.
+        await engine.enqueueSystem.enqueueRun({
+          run,
+          env: authenticatedEnvironment,
+          tx: prisma,
+          skipRunLock: true,
+          includeTtl: false,
+        });
+
+        // Wait well past the original 1s TTL deadline. The run was first
+        // enqueued ~0s ago, so this is far beyond the original deadline.
+        await setTimeout(2_500);
+
+        // Run must still exist and must NOT have been expired.
+        expect(expiredEvents.length).toBe(0);
+        const reenqueuedRun = await prisma.taskRun.findUnique({
+          where: { id: run.id },
+          select: { status: true },
+        });
+        // Whatever status the dequeue/re-enqueue flow leaves the run in, it
+        // must NOT be EXPIRED — that's the contract this test locks in.
+        expect(reenqueuedRun?.status).not.toBe("EXPIRED");
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
+
+  containerTest(
+    "DEV runs sitting on worker queue still expire via legacy per-run job",
+    async ({ prisma, redisOptions }) => {
+      // The batch TTL path only expires runs still in the queue sorted set.
+      // In DEV, runs are fast-pathed straight to the worker queue, and if the
+      // dev CLI isn't running they can sit there forever. The legacy per-run
+      // expireRun job is kept for DEV specifically to cover this case.
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "DEVELOPMENT");
+
+      const engine = new RunEngine({
+        prisma,
+        worker: {
+          redis: redisOptions,
+          workers: 1,
+          tasksPerWorker: 10,
+          pollIntervalMs: 100,
+        },
+        queue: {
+          redis: redisOptions,
+          processWorkerQueueDebounceMs: 50,
+          masterQueueConsumersDisabled: true,
+          // TTL batch path is enabled but should never see this run: it goes
+          // straight to the worker queue via fast-path. The legacy per-run
+          // job is what should expire it.
+          ttlSystem: {
+            pollIntervalMs: 100,
+            batchSize: 10,
+            batchMaxWaitMs: 100,
+          },
+        },
+        runLock: {
+          redis: redisOptions,
+        },
+        machines: {
+          defaultMachine: "small-1x",
+          machines: {
+            "small-1x": {
+              name: "small-1x" as const,
+              cpu: 0.5,
+              memory: 0.5,
+              centsPerMs: 0.0001,
+            },
+          },
+          baseCostInCents: 0.0001,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
       });
 
-      const messageAfterReenqueue = await engine.runQueue.readMessage(
-        authenticatedEnvironment.organization.id,
-        run.id
-      );
-      assertNonNullable(messageAfterReenqueue);
-      expect(messageAfterReenqueue.ttlExpiresAt).toBeUndefined();
-    } finally {
-      await engine.quit();
+      try {
+        const taskIdentifier = "test-task";
+
+        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+        let expiredEventData: EventBusEventArgs<"runExpired">[0] | undefined;
+        engine.eventBus.on("runExpired", (result) => {
+          expiredEventData = result;
+        });
+
+        // Trigger a DEV run with fast-path enabled and a short TTL. The run
+        // should land in the worker queue without entering the TTL set.
+        const run = await engine.trigger(
+          {
+            number: 1,
+            friendlyId: "run_devttl1",
+            environment: authenticatedEnvironment,
+            taskIdentifier,
+            payload: "{}",
+            payloadType: "application/json",
+            context: {},
+            traceContext: {},
+            traceId: "tdevttl1",
+            spanId: "sdevttl1",
+            workerQueue: "main",
+            queue: "task/test-task",
+            isTest: false,
+            tags: [],
+            ttl: "1s",
+            enableFastPath: true,
+          },
+          prisma
+        );
+
+        // Wait past the TTL. The legacy per-run job should fire and expire it.
+        await setTimeout(1_500);
+
+        assertNonNullable(expiredEventData);
+        const expiredRun = await prisma.taskRun.findUnique({
+          where: { id: run.id },
+          select: { status: true },
+        });
+        expect(expiredRun?.status).toBe("EXPIRED");
+      } finally {
+        await engine.quit();
+      }
     }
-  });
+  );
 
   containerTest("Multiple runs expiring via TTL batch", async ({ prisma, redisOptions }) => {
     const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
@@ -322,6 +546,7 @@ describe("RunEngine ttl", () => {
         ttlSystem: {
           pollIntervalMs: 100,
           batchSize: 10,
+          batchMaxWaitMs: 100,
         },
       },
       runLock: {
@@ -347,6 +572,12 @@ describe("RunEngine ttl", () => {
 
       await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
 
+      // TTL only expires runs still queued waiting on a concurrency slot.
+      await engine.runQueue.updateEnvConcurrencyLimits({
+        ...authenticatedEnvironment,
+        maximumConcurrencyLimit: 0,
+      });
+
       engine.eventBus.on("runExpired", (result) => {
         expiredEvents.push(result);
       });
@@ -384,8 +615,10 @@ describe("RunEngine ttl", () => {
         expect(executionData.snapshot.executionStatus).toBe("QUEUED");
       }
 
-      // Wait for TTL to expire
-      await setTimeout(1_500);
+      // Wait for TTL to expire. Concurrent triggers can land in different
+      // 100ms TTL-poll windows, so allow enough headroom for any stragglers
+      // to be claimed in a subsequent poll and flushed.
+      await setTimeout(2_500);
 
       // All runs should be expired
       expect(expiredEvents.length).toBe(3);
@@ -450,6 +683,7 @@ describe("RunEngine ttl", () => {
         ttlSystem: {
           pollIntervalMs: 100,
           batchSize: 10,
+          batchMaxWaitMs: 100,
         },
       },
       runLock: {
@@ -538,6 +772,7 @@ describe("RunEngine ttl", () => {
           ttlSystem: {
             pollIntervalMs: 100,
             batchSize: 10,
+            batchMaxWaitMs: 100,
           },
         },
         runLock: {
@@ -563,6 +798,12 @@ describe("RunEngine ttl", () => {
 
         await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
 
+        // TTL only expires runs still queued waiting on a concurrency slot.
+        await engine.runQueue.updateEnvConcurrencyLimits({
+          ...authenticatedEnvironment,
+          maximumConcurrencyLimit: 0,
+        });
+
         engine.eventBus.on("runExpired", (result) => {
           expiredEvents.push(result);
         });
@@ -610,11 +851,9 @@ describe("RunEngine ttl", () => {
           consumerId: "test-consumer",
           workerQueue: "main",
           maxRunCount: 1,
-          backgroundWorkerId: (
-            await prisma.backgroundWorker.findFirst({
-              where: { runtimeEnvironmentId: authenticatedEnvironment.id },
-            })
-          )!.id,
+          backgroundWorkerId: (await prisma.backgroundWorker.findFirst({
+            where: { runtimeEnvironmentId: authenticatedEnvironment.id },
+          }))!.id,
         });
 
         expect(dequeued.length).toBe(0);
@@ -631,10 +870,9 @@ describe("RunEngine ttl", () => {
 
       const expiredEvents: EventBusEventArgs<"runExpired">[0][] = [];
 
-      // Disable worker to prevent the scheduleExpireRun job from firing before
-      // we can test the dequeue path. Use masterQueueConsumersDisabled so we can
-      // manually trigger dequeue via processMasterQueueForEnvironment.
-      // TTL consumers start independently and will expire the run after their poll interval.
+      // Use masterQueueConsumersDisabled so we can manually trigger dequeue via
+      // processMasterQueueForEnvironment. TTL consumers start independently and
+      // will expire the run after their poll interval.
       const engine = new RunEngine({
         prisma,
         worker: {
@@ -651,6 +889,7 @@ describe("RunEngine ttl", () => {
           ttlSystem: {
             pollIntervalMs: 5000,
             batchSize: 10,
+            batchMaxWaitMs: 100,
           },
         },
         runLock: {
@@ -713,10 +952,7 @@ describe("RunEngine ttl", () => {
         // Manually process the master queue - the dequeue Lua script should
         // encounter the expired message and skip it (removing from queue sorted
         // sets but leaving messageKey and ttlQueueKey for TTL consumer)
-        await engine.runQueue.processMasterQueueForEnvironment(
-          authenticatedEnvironment.id,
-          10
-        );
+        await engine.runQueue.processMasterQueueForEnvironment(authenticatedEnvironment.id, 10);
 
         // Try to dequeue from worker queue - nothing should be there since
         // the expired message was skipped by the Lua script
@@ -732,12 +968,13 @@ describe("RunEngine ttl", () => {
         assertNonNullable(executionData2);
         expect(executionData2.run.status).toBe("PENDING");
 
-        // Now wait for the TTL consumer to poll and expire the run
-        // (pollIntervalMs is 5000 for TTL scan + up to 5000ms batch maxWaitMs + processing)
-        await setTimeout(13_000);
-
-        // The TTL consumer should have found and expired the run
-        expect(expiredEvents.length).toBe(1);
+        // Wait (event-driven) for the TTL consumer to poll and expire the run. pollIntervalMs is
+        // 5000ms here so the consumer fires only after the dequeue-skip assertions above; waitFor
+        // resolves as soon as the event lands instead of a fixed worst-case sleep.
+        await vi.waitFor(() => expect(expiredEvents.length).toBe(1), {
+          timeout: 15_000,
+          interval: 100,
+        });
         expect(expiredEvents[0]?.run.id).toBe(run.id);
 
         // Check the run status directly from the database (the batch TTL path
@@ -762,8 +999,7 @@ describe("RunEngine ttl", () => {
   containerTest(
     "TTL expiration clears env concurrency keys with proj segment",
     async ({ prisma, redisOptions }) => {
-      const authenticatedEnvironment =
-        await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
 
       const engine = new RunEngine({
         prisma,
@@ -781,6 +1017,7 @@ describe("RunEngine ttl", () => {
           ttlSystem: {
             pollIntervalMs: 5000,
             batchSize: 10,
+            batchMaxWaitMs: 100,
           },
         },
         runLock: {
@@ -826,14 +1063,9 @@ describe("RunEngine ttl", () => {
           prisma
         );
 
-        const queue = engine.runQueue.keys.queueKey(
-          authenticatedEnvironment,
-          "task/test-task"
-        );
-        const envConcurrencyKey =
-          engine.runQueue.keys.envCurrentConcurrencyKeyFromQueue(queue);
-        const envDequeuedKey =
-          engine.runQueue.keys.envCurrentDequeuedKeyFromQueue(queue);
+        const queue = engine.runQueue.keys.queueKey(authenticatedEnvironment, "task/test-task");
+        const envConcurrencyKey = engine.runQueue.keys.envCurrentConcurrencyKeyFromQueue(queue);
+        const envDequeuedKey = engine.runQueue.keys.envCurrentDequeuedKeyFromQueue(queue);
 
         await engine.runQueue.redis.sadd(envConcurrencyKey, run.id);
         await engine.runQueue.redis.sadd(envDequeuedKey, run.id);
@@ -844,28 +1076,26 @@ describe("RunEngine ttl", () => {
         expect(concurrencyBefore).toContain(run.id);
 
         await setTimeout(1_500);
-        await engine.runQueue.processMasterQueueForEnvironment(
-          authenticatedEnvironment.id,
-          10
+        await engine.runQueue.processMasterQueueForEnvironment(authenticatedEnvironment.id, 10);
+        // Wait (event-driven) for the TTL consumer to expire the run; resolves as soon as the DB
+        // reflects EXPIRED instead of a fixed worst-case sleep (pollIntervalMs is 5000ms here).
+        await vi.waitFor(
+          async () => {
+            const expiredRun = await prisma.taskRun.findUnique({
+              where: { id: run.id },
+              select: { status: true },
+            });
+            expect(expiredRun?.status).toBe("EXPIRED");
+          },
+          { timeout: 15_000, interval: 200 }
         );
-        // Wait for TTL scan (5000ms) + batch maxWaitMs (5000ms) + processing buffer
-        await setTimeout(13_000);
-
-        const expiredRun = await prisma.taskRun.findUnique({
-          where: { id: run.id },
-          select: { status: true },
-        });
-        expect(expiredRun?.status).toBe("EXPIRED");
 
         const concurrencyAfter = await engine.runQueue.getCurrentConcurrencyOfEnvironment(
           authenticatedEnvironment
         );
         expect(concurrencyAfter).not.toContain(run.id);
 
-        const stillInDequeued = await engine.runQueue.redis.sismember(
-          envDequeuedKey,
-          run.id
-        );
+        const stillInDequeued = await engine.runQueue.redis.sismember(envDequeuedKey, run.id);
         expect(stillInDequeued).toBe(0);
       } finally {
         await engine.quit();
@@ -878,7 +1108,6 @@ describe("RunEngine ttl", () => {
     async ({ prisma, redisOptions }) => {
       const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
 
-      // Disable worker to prevent the scheduleExpireRun job from firing.
       // Use masterQueueConsumersDisabled so we can manually trigger dequeue.
       // Very long TTL consumer interval so it doesn't interfere.
       const engine = new RunEngine({
@@ -947,143 +1176,137 @@ describe("RunEngine ttl", () => {
         // Wait for first run's TTL to expire
         await setTimeout(1_500);
 
-        // Trigger a second run WITHOUT TTL (should be dequeued normally)
-        const normalRun = await engine.trigger(
-          {
-            number: 2,
-            friendlyId: "run_norm1",
-            environment: authenticatedEnvironment,
-            taskIdentifier,
-            payload: "{}",
-            payloadType: "application/json",
-            context: {},
-            traceContext: {},
-            traceId: "t2",
-            spanId: "s2",
-            workerQueue: "main",
-            queue: "task/test-task",
-            isTest: false,
-            tags: [],
-            // No TTL
-          },
-          prisma
-        );
-
-        // Manually process the master queue - the Lua script should skip the
-        // expired message and dequeue only the non-expired one to the worker queue
-        await engine.runQueue.processMasterQueueForEnvironment(
-          authenticatedEnvironment.id,
-          10
-        );
-
-        // Dequeue from worker queue - only the non-expired run should be there
-        const dequeued = await engine.dequeueFromWorkerQueue({
-          consumerId: "test-consumer",
-          workerQueue: "main",
-        });
-        expect(dequeued.length).toBe(1);
-        expect(dequeued[0]?.run.id).toBe(normalRun.id);
-
-        // The expired run should still be PENDING (waiting for TTL consumer)
-        const expiringRunData = await engine.getRunExecutionData({ runId: expiringRun.id });
-        assertNonNullable(expiringRunData);
-        expect(expiringRunData.run.status).toBe("PENDING");
-      } finally {
-        await engine.quit();
-      }
-    }
-  );
-
-  containerTest(
-    "expireRunsBatch skips runs that are locked",
-    async ({ prisma, redisOptions }) => {
-      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
-
-      const engine = new RunEngine({
-        prisma,
-        worker: {
-          redis: redisOptions,
-          workers: 1,
-          tasksPerWorker: 10,
-          pollIntervalMs: 100,
-        },
-        queue: {
-          redis: redisOptions,
-          processWorkerQueueDebounceMs: 50,
-          masterQueueConsumersDisabled: true,
-          ttlSystem: {
-            disabled: true, // We'll manually test the batch function
-          },
-        },
-        runLock: {
-          redis: redisOptions,
-        },
-        machines: {
-          defaultMachine: "small-1x",
-          machines: {
-            "small-1x": {
-              name: "small-1x" as const,
-              cpu: 0.5,
-              memory: 0.5,
-              centsPerMs: 0.0001,
-            },
-          },
-          baseCostInCents: 0.0001,
-        },
-        tracer: trace.getTracer("test", "0.0.0"),
-      });
-
-      try {
-        const taskIdentifier = "test-task";
-
-        await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
-
-        // Trigger a run with TTL
-        const run = await engine.trigger(
+        // Trigger a second run WITHOUT TTL (should be dequeued normally)
+        const normalRun = await engine.trigger(
           {
-            number: 1,
-            friendlyId: "run_l1234",
+            number: 2,
+            friendlyId: "run_norm1",
             environment: authenticatedEnvironment,
             taskIdentifier,
             payload: "{}",
             payloadType: "application/json",
             context: {},
             traceContext: {},
-            traceId: "t1",
-            spanId: "s1",
+            traceId: "t2",
+            spanId: "s2",
             workerQueue: "main",
             queue: "task/test-task",
             isTest: false,
             tags: [],
-            ttl: "1s",
+            // No TTL
           },
           prisma
         );
 
-        // Manually lock the run (simulating it being about to execute)
-        await prisma.taskRun.update({
-          where: { id: run.id },
-          data: { lockedAt: new Date() },
-        });
-
-        // Try to expire the run via batch
-        const result = await engine.ttlSystem.expireRunsBatch([run.id]);
+        // Manually process the master queue - the Lua script should skip the
+        // expired message and dequeue only the non-expired one to the worker queue
+        await engine.runQueue.processMasterQueueForEnvironment(authenticatedEnvironment.id, 10);
 
-        // Should be skipped because it's locked
-        expect(result.expired.length).toBe(0);
-        expect(result.skipped.length).toBe(1);
-        expect(result.skipped[0]?.reason).toBe("locked");
+        // Dequeue from worker queue - only the non-expired run should be there
+        const dequeued = await engine.dequeueFromWorkerQueue({
+          consumerId: "test-consumer",
+          workerQueue: "main",
+        });
+        expect(dequeued.length).toBe(1);
+        expect(dequeued[0]?.run.id).toBe(normalRun.id);
 
-        // Run should still be PENDING
-        const executionData = await engine.getRunExecutionData({ runId: run.id });
-        assertNonNullable(executionData);
-        expect(executionData.run.status).toBe("PENDING");
+        // The expired run should still be PENDING (waiting for TTL consumer)
+        const expiringRunData = await engine.getRunExecutionData({ runId: expiringRun.id });
+        assertNonNullable(expiringRunData);
+        expect(expiringRunData.run.status).toBe("PENDING");
       } finally {
         await engine.quit();
       }
     }
   );
 
+  containerTest("expireRunsBatch skips runs that are locked", async ({ prisma, redisOptions }) => {
+    const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+
+    const engine = new RunEngine({
+      prisma,
+      worker: {
+        redis: redisOptions,
+        workers: 1,
+        tasksPerWorker: 10,
+        pollIntervalMs: 100,
+      },
+      queue: {
+        redis: redisOptions,
+        processWorkerQueueDebounceMs: 50,
+        masterQueueConsumersDisabled: true,
+        ttlSystem: {
+          disabled: true, // We'll manually test the batch function
+        },
+      },
+      runLock: {
+        redis: redisOptions,
+      },
+      machines: {
+        defaultMachine: "small-1x",
+        machines: {
+          "small-1x": {
+            name: "small-1x" as const,
+            cpu: 0.5,
+            memory: 0.5,
+            centsPerMs: 0.0001,
+          },
+        },
+        baseCostInCents: 0.0001,
+      },
+      tracer: trace.getTracer("test", "0.0.0"),
+    });
+
+    try {
+      const taskIdentifier = "test-task";
+
+      await setupBackgroundWorker(engine, authenticatedEnvironment, taskIdentifier);
+
+      // Trigger a run with TTL
+      const run = await engine.trigger(
+        {
+          number: 1,
+          friendlyId: "run_l1234",
+          environment: authenticatedEnvironment,
+          taskIdentifier,
+          payload: "{}",
+          payloadType: "application/json",
+          context: {},
+          traceContext: {},
+          traceId: "t1",
+          spanId: "s1",
+          workerQueue: "main",
+          queue: "task/test-task",
+          isTest: false,
+          tags: [],
+          ttl: "1s",
+        },
+        prisma
+      );
+
+      // Manually lock the run (simulating it being about to execute)
+      await prisma.taskRun.update({
+        where: { id: run.id },
+        data: { lockedAt: new Date() },
+      });
+
+      // Try to expire the run via batch
+      const result = await engine.ttlSystem.expireRunsBatch([run.id]);
+
+      // Should be skipped because it's locked
+      expect(result.expired.length).toBe(0);
+      expect(result.skipped.length).toBe(1);
+      expect(result.skipped[0]?.reason).toBe("locked");
+
+      // Run should still be PENDING
+      const executionData = await engine.getRunExecutionData({ runId: run.id });
+      assertNonNullable(executionData);
+      expect(executionData.run.status).toBe("PENDING");
+    } finally {
+      await engine.quit();
+    }
+  });
+
   containerTest(
     "expireRunsBatch skips runs with non-PENDING status",
     async ({ prisma, redisOptions }) => {
@@ -1173,58 +1396,55 @@ describe("RunEngine ttl", () => {
     }
   );
 
-  containerTest(
-    "expireRunsBatch handles non-existent runs",
-    async ({ prisma, redisOptions }) => {
-      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+  containerTest("expireRunsBatch handles non-existent runs", async ({ prisma, redisOptions }) => {
+    const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
 
-      const engine = new RunEngine({
-        prisma,
-        worker: {
-          redis: redisOptions,
-          workers: 1,
-          tasksPerWorker: 10,
-          pollIntervalMs: 100,
-        },
-        queue: {
-          redis: redisOptions,
-          processWorkerQueueDebounceMs: 50,
-          masterQueueConsumersDisabled: true,
-          ttlSystem: {
-            disabled: true,
-          },
-        },
-        runLock: {
-          redis: redisOptions,
+    const engine = new RunEngine({
+      prisma,
+      worker: {
+        redis: redisOptions,
+        workers: 1,
+        tasksPerWorker: 10,
+        pollIntervalMs: 100,
+      },
+      queue: {
+        redis: redisOptions,
+        processWorkerQueueDebounceMs: 50,
+        masterQueueConsumersDisabled: true,
+        ttlSystem: {
+          disabled: true,
         },
+      },
+      runLock: {
+        redis: redisOptions,
+      },
+      machines: {
+        defaultMachine: "small-1x",
         machines: {
-          defaultMachine: "small-1x",
-          machines: {
-            "small-1x": {
-              name: "small-1x" as const,
-              cpu: 0.5,
-              memory: 0.5,
-              centsPerMs: 0.0001,
-            },
+          "small-1x": {
+            name: "small-1x" as const,
+            cpu: 0.5,
+            memory: 0.5,
+            centsPerMs: 0.0001,
           },
-          baseCostInCents: 0.0001,
         },
-        tracer: trace.getTracer("test", "0.0.0"),
-      });
+        baseCostInCents: 0.0001,
+      },
+      tracer: trace.getTracer("test", "0.0.0"),
+    });
 
-      try {
-        // Try to expire a non-existent run
-        const result = await engine.ttlSystem.expireRunsBatch(["non_existent_run_id"]);
+    try {
+      // Try to expire a non-existent run
+      const result = await engine.ttlSystem.expireRunsBatch(["non_existent_run_id"]);
 
-        // Should be skipped as not found
-        expect(result.expired.length).toBe(0);
-        expect(result.skipped.length).toBe(1);
-        expect(result.skipped[0]?.reason).toBe("not_found");
-      } finally {
-        await engine.quit();
-      }
+      // Should be skipped as not found
+      expect(result.expired.length).toBe(0);
+      expect(result.skipped.length).toBe(1);
+      expect(result.skipped[0]?.reason).toBe("not_found");
+    } finally {
+      await engine.quit();
     }
-  );
+  });
 
   containerTest(
     "TTL-expired child run completes waitpoint and resumes parent",
@@ -1246,6 +1466,7 @@ describe("RunEngine ttl", () => {
           ttlSystem: {
             pollIntervalMs: 100,
             batchSize: 10,
+            batchMaxWaitMs: 100,
           },
         },
         runLock: {
@@ -1272,6 +1493,16 @@ describe("RunEngine ttl", () => {
 
         await setupBackgroundWorker(engine, authenticatedEnvironment, [parentTask, childTask]);
 
+        // TTL only expires runs still queued waiting on a concurrency slot.
+        // Cap env concurrency at exactly 1 (limit=1, burstFactor=1) so the
+        // parent takes the only slot and the child stays queued long enough
+        // for the new TTL path to expire it.
+        await engine.runQueue.updateEnvConcurrencyLimits({
+          ...authenticatedEnvironment,
+          maximumConcurrencyLimit: 1,
+          concurrencyLimitBurstFactor: new Decimal(1.0),
+        });
+
         // Trigger the parent run
         const parentRun = await engine.trigger(
           {
@@ -1384,54 +1615,51 @@ describe("RunEngine ttl", () => {
     }
   );
 
-  containerTest(
-    "expireRunsBatch handles empty array",
-    async ({ prisma, redisOptions }) => {
-      const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
+  containerTest("expireRunsBatch handles empty array", async ({ prisma, redisOptions }) => {
+    const authenticatedEnvironment = await setupAuthenticatedEnvironment(prisma, "PRODUCTION");
 
-      const engine = new RunEngine({
-        prisma,
-        worker: {
-          redis: redisOptions,
-          workers: 1,
-          tasksPerWorker: 10,
-          pollIntervalMs: 100,
-        },
-        queue: {
-          redis: redisOptions,
-          processWorkerQueueDebounceMs: 50,
-          masterQueueConsumersDisabled: true,
-          ttlSystem: {
-            disabled: true,
-          },
-        },
-        runLock: {
-          redis: redisOptions,
+    const engine = new RunEngine({
+      prisma,
+      worker: {
+        redis: redisOptions,
+        workers: 1,
+        tasksPerWorker: 10,
+        pollIntervalMs: 100,
+      },
+      queue: {
+        redis: redisOptions,
+        processWorkerQueueDebounceMs: 50,
+        masterQueueConsumersDisabled: true,
+        ttlSystem: {
+          disabled: true,
         },
+      },
+      runLock: {
+        redis: redisOptions,
+      },
+      machines: {
+        defaultMachine: "small-1x",
         machines: {
-          defaultMachine: "small-1x",
-          machines: {
-            "small-1x": {
-              name: "small-1x" as const,
-              cpu: 0.5,
-              memory: 0.5,
-              centsPerMs: 0.0001,
-            },
+          "small-1x": {
+            name: "small-1x" as const,
+            cpu: 0.5,
+            memory: 0.5,
+            centsPerMs: 0.0001,
           },
-          baseCostInCents: 0.0001,
         },
-        tracer: trace.getTracer("test", "0.0.0"),
-      });
+        baseCostInCents: 0.0001,
+      },
+      tracer: trace.getTracer("test", "0.0.0"),
+    });
 
-      try {
-        // Try to expire an empty array
-        const result = await engine.ttlSystem.expireRunsBatch([]);
+    try {
+      // Try to expire an empty array
+      const result = await engine.ttlSystem.expireRunsBatch([]);
 
-        expect(result.expired.length).toBe(0);
-        expect(result.skipped.length).toBe(0);
-      } finally {
-        await engine.quit();
-      }
+      expect(result.expired.length).toBe(0);
+      expect(result.skipped.length).toBe(0);
+    } finally {
+      await engine.quit();
     }
-  );
+  });
 });
diff --git a/internal-packages/run-engine/src/engine/tests/utils/engineTest.ts b/internal-packages/run-engine/src/engine/tests/utils/engineTest.ts
index 67fb5429219..431a2a22c97 100644
--- a/internal-packages/run-engine/src/engine/tests/utils/engineTest.ts
+++ b/internal-packages/run-engine/src/engine/tests/utils/engineTest.ts
@@ -1,4 +1,4 @@
-import { TaskContext, test, TestAPI } from "vitest";
+import { TestContext, test, TestAPI } from "vitest";
 import {
   logCleanup,
   network,
@@ -36,7 +36,7 @@ type EngineOptions = {
   };
 };
 
-const engineOptions = async ({}: TaskContext, use: Use<EngineOptions>) => {
+const engineOptions = async ({}: TestContext, use: Use<EngineOptions>) => {
   const options: EngineOptions = {
     worker: {
       workers: 1,
@@ -74,7 +74,7 @@ const engine = async (
     engineOptions: EngineOptions;
     redisOptions: RedisOptions;
     prisma: PrismaClient;
-  } & TaskContext,
+  } & TestContext,
   use: Use<RunEngine>
 ) => {
   const engine = new RunEngine({
diff --git a/internal-packages/run-engine/src/engine/tests/waitpoints.test.ts b/internal-packages/run-engine/src/engine/tests/waitpoints.test.ts
index 9937314d799..55e1b0d0836 100644
--- a/internal-packages/run-engine/src/engine/tests/waitpoints.test.ts
+++ b/internal-packages/run-engine/src/engine/tests/waitpoints.test.ts
@@ -107,7 +107,16 @@ describe("RunEngine Waitpoints", () => {
       const executionData = await engine.getRunExecutionData({ runId: run.id });
       expect(executionData?.snapshot.executionStatus).toBe("EXECUTING_WITH_WAITPOINTS");
 
-      await setTimeout(2_000);
+      // Event-driven wait: the run resumes once the datetime waitpoint (~1s out) completes and the
+      // worker unblocks it. Gate on the final state the test asserts (run EXECUTING), not just the
+      // waitpoint status, which flips slightly earlier.
+      await vi.waitFor(
+        async () => {
+          const ed = await engine.getRunExecutionData({ runId: run.id });
+          expect(ed?.snapshot.executionStatus).toBe("EXECUTING");
+        },
+        { timeout: 10_000, interval: 100 }
+      );
 
       const waitpoint2 = await prisma.waitpoint.findFirst({
         where: {
@@ -497,7 +506,14 @@ describe("RunEngine Waitpoints", () => {
       const executionData = await engine.getRunExecutionData({ runId: run.id });
       expect(executionData?.snapshot.executionStatus).toBe("EXECUTING_WITH_WAITPOINTS");
 
-      await setTimeout(750);
+      // Event-driven wait: resume as soon as the waitpoint completes, no fixed margin.
+      await vi.waitFor(
+        async () => {
+          const ed = await engine.getRunExecutionData({ runId: run.id });
+          expect(ed?.snapshot.executionStatus).toBe("EXECUTING");
+        },
+        { timeout: 10_000, interval: 100 }
+      );
 
       const executionData2 = await engine.getRunExecutionData({ runId: run.id });
       expect(executionData2?.snapshot.executionStatus).toBe("EXECUTING");
@@ -781,7 +797,16 @@ describe("RunEngine Waitpoints", () => {
           event = result;
         });
 
-        await setTimeout(1_250);
+        // Event-driven wait: resume as soon as the timeout fires and the worker notifies, instead
+        // of a fixed 1250ms margin against the ~1s worker poll (the original flaky race).
+        await vi.waitFor(
+          async () => {
+            const ed = await engine.getRunExecutionData({ runId: run.id });
+            expect(ed?.snapshot.executionStatus).toBe("EXECUTING");
+            assertNonNullable(event);
+          },
+          { timeout: 10_000, interval: 100 }
+        );
 
         const executionData2 = await engine.getRunExecutionData({ runId: run.id });
         expect(executionData2?.snapshot.executionStatus).toBe("EXECUTING");
diff --git a/internal-packages/run-engine/src/engine/types.ts b/internal-packages/run-engine/src/engine/types.ts
index cd90e0b8ac4..0077478318b 100644
--- a/internal-packages/run-engine/src/engine/types.ts
+++ b/internal-packages/run-engine/src/engine/types.ts
@@ -19,6 +19,7 @@ import { LockRetryConfig } from "./locking.js";
 import { workerCatalog } from "./workerCatalog.js";
 import { type BillingPlan } from "./billingCache.js";
 import type { DRRConfig } from "../batch-queue/types.js";
+import type { PendingVersionRunIdLookup } from "./services/pendingVersionLookup.js";
 
 export type RunEngineOptions = {
   prisma: PrismaClient;
@@ -129,6 +130,42 @@ export type RunEngineOptions = {
     redis?: RedisOptions;
     /** Maximum duration in milliseconds that a run can be debounced. Default: 1 hour */
     maxDebounceDurationMs?: number;
+    /**
+     * Bucket size in milliseconds used to quantize the newly computed `delayUntil`.
+     * Quantization collapses many concurrent triggers on the same hot debounce key
+     * into the same target time, so that the unlocked fast-path skip becomes
+     * effective and the redlock on `handleDebounce` is not contended.
+     *
+     * A run might fire up to `quantizeNewDelayUntilMs` earlier than the strict
+     * `now + delay` spec.
+     *
+     * Set to 0 to disable quantization.
+     *
+     * Default: 1000 (1s).
+     */
+    quantizeNewDelayUntilMs?: number;
+    /**
+     * Whether to read the existing run's `delayUntil` outside of the redlock and
+     * short-circuit when the new (quantized) `delayUntil` is not later than the
+     * current one. Trailing-mode triggers carrying `updateData` always bypass
+     * this fast path and take the lock so payload/metadata/tag updates still
+     * land on the run.
+     *
+     * Default: true.
+     */
+    fastPathSkipEnabled?: boolean;
+    /**
+     * Whether to route the unlocked fast-path reads (probe + full-run fetch)
+     * through `readOnlyPrisma` (e.g. an Aurora reader) instead of the writer.
+     * Safe because debounce is best-effort: a stale `delayUntil` falls
+     * through to the locked path (the locked path re-checks under the lock),
+     * and a stale `status` at worst returns the existing run, which is the
+     * same outcome the caller would see if their trigger had landed a few
+     * hundred ms earlier.
+     *
+     * Default: false.
+     */
+    useReplicaForFastPathRead?: boolean;
   };
   /** If not set then checkpoints won't ever be used */
   retryWarmStartThresholdMs?: number;
@@ -142,9 +179,38 @@ export type RunEngineOptions = {
     factor?: number;
   };
   queueRunsWaitingForWorkerBatchSize?: number;
+  /**
+   * Lookup used by {@link PendingVersionSystem} to discover candidate
+   * `PENDING_VERSION` run ids without scanning the Postgres status index.
+   * Defaults to a noop lookup that returns an empty result, which causes
+   * the pending-version resolver to short-circuit. Production callers
+   * should inject a ClickHouse-backed implementation.
+   */
+  pendingVersionRunIdLookup?: PendingVersionRunIdLookup;
+  /**
+   * When the pending-version lookup returns zero candidates, schedule
+   * one more attempt after this delay to cover ClickHouse replication
+   * lag. Defaults to 5_000ms.
+   */
+  pendingVersionLagRetryDelayMs?: number;
+  /**
+   * Maximum number of lag-aware retries. Each call beyond the first
+   * counts against this cap. Defaults to 1 — so a deploy will fire at
+   * most two queries spaced by `pendingVersionLagRetryDelayMs`. Set to 0
+   * to disable lag-aware retries entirely.
+   */
+  pendingVersionLagMaxRetries?: number;
   /** Optional maximum TTL for all runs (e.g. "14d"). If set, runs without an explicit TTL
    *  will use this as their TTL, and runs with a TTL larger than this will be clamped. */
   defaultMaxTtl?: string;
+  /** When true, `getSnapshotsSince` reads through the read-only replica client instead
+   *  of the primary. Defaults to false. Callers passing an explicit `tx` always use
+   *  that client regardless of this flag. */
+  readReplicaSnapshotsSinceEnabled?: boolean;
+  /** Jittered delay bounds for the single replica retry `getSnapshotsSince` performs when
+   * the since snapshot is not yet on the replica, before falling back to the primary.
+   * Set maxMs to 0 (or any value <= 0) to skip the replica retry and go straight to the primary. */
+  readReplicaSnapshotsSinceRetryDelay?: { minMs: number; maxMs: number };
   tracer: Tracer;
   meter?: Meter;
   logger?: Logger;
@@ -219,6 +285,7 @@ export type TriggerParams = {
   bulkActionId?: string;
   planType?: string;
   realtimeStreamsVersion?: string;
+  streamBasinName?: string | null;
   debounce?: {
     key: string;
     delay: string;
diff --git a/internal-packages/run-engine/src/engine/workerCatalog.ts b/internal-packages/run-engine/src/engine/workerCatalog.ts
index 2ed6f5076b2..de54c1ece00 100644
--- a/internal-packages/run-engine/src/engine/workerCatalog.ts
+++ b/internal-packages/run-engine/src/engine/workerCatalog.ts
@@ -41,6 +41,14 @@ export const workerCatalog = {
   queueRunsPendingVersion: {
     schema: z.object({
       backgroundWorkerId: z.string(),
+      /**
+       * Bounded retry counter used by {@link PendingVersionSystem} to cover
+       * ClickHouse replication lag. The first scheduling has no attempt;
+       * if the lookup returns zero candidates, the system reschedules
+       * itself once with `attempt = 1`. Capped by
+       * `pendingVersionLagMaxRetries` on `RunEngineOptions`.
+       */
+      attempt: z.number().int().nonnegative().optional(),
     }),
     visibilityTimeoutMs: 60_000,
   },
diff --git a/internal-packages/run-engine/src/index.ts b/internal-packages/run-engine/src/index.ts
index 3f96045c13f..43ca7f177c6 100644
--- a/internal-packages/run-engine/src/index.ts
+++ b/internal-packages/run-engine/src/index.ts
@@ -6,6 +6,12 @@ export {
 } from "./engine/errors.js";
 export type { EventBusEventArgs, EventBusEvents } from "./engine/eventBus.js";
 export type { AuthenticatedEnvironment } from "./shared/index.js";
+export type {
+  PendingVersionRunIdLookup,
+  PendingVersionRunIdLookupOptions,
+  PendingVersionRunIdLookupResult,
+} from "./engine/services/pendingVersionLookup.js";
+export { NoopPendingVersionRunIdLookup } from "./engine/services/pendingVersionLookup.js";
 
 // Batch Queue exports
 export { BatchQueue, BatchCompletionTracker } from "./batch-queue/index.js";
diff --git a/internal-packages/run-engine/src/run-queue/index.ts b/internal-packages/run-engine/src/run-queue/index.ts
index de0df73ad05..c695cacad07 100644
--- a/internal-packages/run-engine/src/run-queue/index.ts
+++ b/internal-packages/run-engine/src/run-queue/index.ts
@@ -76,6 +76,14 @@ export type RunQueueOptions = {
   masterQueueCooloffCountThreshold?: number;
   masterQueueConsumerDequeueCount?: number;
   processWorkerQueueDebounceMs?: number;
+  /**
+   * TTL (seconds) applied to the per-base-queue lengthCounter/runningCounter on
+   * lazy-init. Bounds the maximum window for any drift accumulated during a
+   * rolling-deploy v1/v2 overlap. INCR/DECR do NOT extend the TTL, so the
+   * counter expires this long after init regardless of activity, and the next
+   * CK operation re-anchors from ckIndex. Default: 86400 (24h).
+   */
+  counterTtlSeconds?: number;
   workerOptions?: {
     pollIntervalMs?: number;
     immediatePollIntervalMs?: number;
@@ -186,6 +194,7 @@ export class RunQueue {
   public keys: RunQueueKeyProducer;
   private queueSelectionStrategy: RunQueueSelectionStrategy;
   private shardCount: number;
+  private counterTtlSeconds: number;
   private abortController: AbortController;
   private worker: Worker<typeof workerCatalog>;
   private workerQueueResolver: WorkerQueueResolver;
@@ -195,6 +204,7 @@ export class RunQueue {
 
   constructor(public readonly options: RunQueueOptions) {
     this.shardCount = options.shardCount ?? 2;
+    this.counterTtlSeconds = options.counterTtlSeconds ?? 86400;
     this.retryOptions = options.retryOptions ?? defaultRetrySettings;
     this.redis = createRedisClient(options.redis, {
       onError: (error) => {
@@ -397,7 +407,31 @@ export class RunQueue {
     queue: string,
     concurrencyKey?: string
   ) {
-    return this.redis.zcard(this.keys.queueKey(env, queue, concurrencyKey));
+    // Per-variant length when caller specifies a concurrency key
+    if (concurrencyKey) {
+      return this.redis.zcard(this.keys.queueKey(env, queue, concurrencyKey));
+    }
+
+    // Aggregate base-queue length = ZCARD(base) + GET(lengthCounter).
+    // The counter is non-existent for queues that have never had a CK enqueue —
+    // in that case it returns null which we treat as 0 and the base ZCARD is
+    // the whole truth.
+    const baseKey = this.keys.queueKey(env, queue);
+    const lengthCounterKey = this.keys.queueLengthCounterKey(env, queue);
+
+    const pipeline = this.redis.pipeline();
+    pipeline.zcard(baseKey);
+    pipeline.get(lengthCounterKey);
+    const results = await pipeline.exec();
+
+    if (!results) {
+      return 0;
+    }
+    const [baseErr, baseVal] = results[0];
+    const [ctrErr, ctrVal] = results[1];
+    const baseCount = baseErr || baseVal == null ? 0 : (baseVal as number);
+    const ctrCount = ctrErr || ctrVal == null ? 0 : Number(ctrVal);
+    return baseCount + ctrCount;
   }
 
   public async lengthOfQueueAvailableMessages(
@@ -481,33 +515,34 @@ export class RunQueue {
     env: MinimalAuthenticatedEnvironment,
     queues: string[]
   ): Promise<Record<string, number>> {
+    // For each queue, SCARD(base:currentDequeued) + GET(runningCounter). Missing
+    // counter is treated as 0 so non-CK queues just see the base SCARD.
     const pipeline = this.redis.pipeline();
-
-    // Queue up all SCARD commands in the pipeline
     queues.forEach((queue) => {
       pipeline.scard(this.keys.queueCurrentDequeuedKey(env, queue));
+      pipeline.get(this.keys.queueRunningCounterKey(env, queue));
     });
 
-    // Execute pipeline and get results
     const results = await pipeline.exec();
 
-    // If results is null, return all queues with 0 concurrency
-    if (!results) {
-      return queues.reduce(
+    const empty = (): Record<string, number> =>
+      queues.reduce(
         (acc, queue) => {
           acc[queue] = 0;
           return acc;
         },
         {} as Record<string, number>
       );
-    }
 
-    // Map results back to queue names, handling potential errors
+    if (!results) return empty();
+
     return queues.reduce(
       (acc, queue, index) => {
-        const [err, value] = results[index];
-        // If there was an error or value is null/undefined, use 0
-        acc[queue] = err || value == null ? 0 : (value as number);
+        const [baseErr, baseVal] = results[index * 2];
+        const [ctrErr, ctrVal] = results[index * 2 + 1];
+        const baseCount = baseErr || baseVal == null ? 0 : (baseVal as number);
+        const ctrCount = ctrErr || ctrVal == null ? 0 : Number(ctrVal);
+        acc[queue] = baseCount + ctrCount;
         return acc;
       },
       {} as Record<string, number>
@@ -518,29 +553,34 @@ export class RunQueue {
     env: MinimalAuthenticatedEnvironment,
     queues: string[]
   ): Promise<Record<string, number>> {
+    // For each queue, ZCARD(base) + GET(lengthCounter). Missing counter is
+    // treated as 0 so non-CK queues just see the base ZCARD.
     const pipeline = this.redis.pipeline();
-
-    // Queue up all ZCARD commands in the pipeline
     queues.forEach((queue) => {
       pipeline.zcard(this.keys.queueKey(env, queue));
+      pipeline.get(this.keys.queueLengthCounterKey(env, queue));
     });
 
     const results = await pipeline.exec();
 
-    if (!results) {
-      return queues.reduce(
+    const empty = (): Record<string, number> =>
+      queues.reduce(
         (acc, queue) => {
           acc[queue] = 0;
           return acc;
         },
         {} as Record<string, number>
       );
-    }
+
+    if (!results) return empty();
 
     return queues.reduce(
       (acc, queue, index) => {
-        const [err, value] = results![index];
-        acc[queue] = err || value == null ? 0 : (value as number);
+        const [baseErr, baseVal] = results[index * 2];
+        const [ctrErr, ctrVal] = results[index * 2 + 1];
+        const baseCount = baseErr || baseVal == null ? 0 : (baseVal as number);
+        const ctrCount = ctrErr || ctrVal == null ? 0 : Number(ctrVal);
+        acc[queue] = baseCount + ctrCount;
         return acc;
       },
       {} as Record<string, number>
@@ -946,6 +986,23 @@ export class RunQueue {
           [SemanticAttributes.CONCURRENCY_KEY]: message.concurrencyKey,
         });
 
+        // CK queues route through the Tracked variant so the base-queue
+        // runningCounter stays in sync. Non-CK queues keep the original
+        // release path — no counter to maintain.
+        if (message.concurrencyKey) {
+          return this.redis.releaseConcurrencyTracked(
+            this.keys.queueCurrentConcurrencyKeyFromQueue(message.queue),
+            this.keys.envCurrentConcurrencyKeyFromQueue(message.queue),
+            this.keys.queueCurrentDequeuedKeyFromQueue(message.queue),
+            this.keys.envCurrentDequeuedKeyFromQueue(message.queue),
+            this.keys.queueRunningCounterKeyFromQueue(message.queue),
+            this.keys.ckIndexKeyFromQueue(message.queue),
+            messageId,
+            this.options.redis.keyPrefix ?? "",
+            String(this.counterTtlSeconds)
+          );
+        }
+
         return this.redis.releaseConcurrency(
           this.keys.queueCurrentConcurrencyKeyFromQueue(message.queue),
           this.keys.envCurrentConcurrencyKeyFromQueue(message.queue),
@@ -1379,7 +1436,7 @@ export class RunQueue {
     const visibilityTimeoutMs = (ttlSystem.visibilityTimeoutMs ?? 30_000).toString();
 
     // Atomically get and remove expired runs from TTL set, ack them from normal queues, and enqueue to TTL worker
-    const results = await this.redis.expireTtlRuns(
+    const results = await this.redis.expireTtlRunsTracked(
       ttlQueueKey,
       keyPrefix,
       now.toString(),
@@ -1831,9 +1888,12 @@ export class RunQueue {
     if (message.concurrencyKey) {
       const ckIndexKey = this.keys.ckIndexKeyFromQueue(message.queue);
       const ckWildcardName = this.keys.toCkWildcard(message.queue);
+      const lengthCounterKey = this.keys.queueLengthCounterKeyFromQueue(message.queue);
+      const baseQueueKey = this.keys.baseQueueKeyFromQueue(message.queue);
+      const ckKeyPrefix = this.options.redis.keyPrefix ?? "";
 
       if (ttlInfo) {
-        result = await this.redis.enqueueMessageWithTtlCk(
+        result = await this.redis.enqueueMessageWithTtlCkTracked(
           // keys
           masterQueueKey,
           queueKey,
@@ -1849,6 +1909,8 @@ export class RunQueue {
           queueConcurrencyLimitKey,
           envConcurrencyLimitKey,
           envConcurrencyLimitBurstFactorKey,
+          lengthCounterKey,
+          baseQueueKey,
           // args
           queueName,
           messageId,
@@ -1861,10 +1923,12 @@ export class RunQueue {
           defaultEnvConcurrencyLimit,
           defaultEnvConcurrencyBurstFactor,
           currentTime,
-          enableFastPathArg
+          enableFastPathArg,
+          ckKeyPrefix,
+          String(this.counterTtlSeconds)
         );
       } else {
-        result = await this.redis.enqueueMessageCk(
+        result = await this.redis.enqueueMessageCkTracked(
           // keys
           masterQueueKey,
           queueKey,
@@ -1879,6 +1943,8 @@ export class RunQueue {
           queueConcurrencyLimitKey,
           envConcurrencyLimitKey,
           envConcurrencyLimitBurstFactorKey,
+          lengthCounterKey,
+          baseQueueKey,
           // args
           queueName,
           messageId,
@@ -1889,7 +1955,9 @@ export class RunQueue {
           defaultEnvConcurrencyLimit,
           defaultEnvConcurrencyBurstFactor,
           currentTime,
-          enableFastPathArg
+          enableFastPathArg,
+          ckKeyPrefix,
+          String(this.counterTtlSeconds)
         );
       }
     } else if (ttlInfo) {
@@ -2129,7 +2197,9 @@ export class RunQueue {
         maxCount,
       });
 
-      const result = await this.redis.dequeueMessagesFromCkQueue(
+      const lengthCounterKey = this.keys.queueLengthCounterKeyFromQueue(ckWildcardQueue);
+
+      const result = await this.redis.dequeueMessagesFromCkQueueTracked(
         //keys
         ckIndexKey,
         queueConcurrencyLimitKey,
@@ -2140,6 +2210,7 @@ export class RunQueue {
         envQueueKey,
         masterQueueKey,
         ttlQueueKey,
+        lengthCounterKey,
         //args
         ckWildcardQueue,
         String(Date.now()),
@@ -2374,8 +2445,10 @@ export class RunQueue {
     if (message.concurrencyKey) {
       const ckIndexKey = this.keys.ckIndexKeyFromQueue(message.queue);
       const ckWildcardName = this.keys.toCkWildcard(message.queue);
+      const lengthCounterKey = this.keys.queueLengthCounterKeyFromQueue(message.queue);
+      const runningCounterKey = this.keys.queueRunningCounterKeyFromQueue(message.queue);
 
-      return this.redis.acknowledgeMessageCk(
+      return this.redis.acknowledgeMessageCkTracked(
         masterQueueKey,
         messageKey,
         messageQueue,
@@ -2386,6 +2459,8 @@ export class RunQueue {
         envQueueKey,
         workerQueueKey,
         ckIndexKey,
+        lengthCounterKey,
+        runningCounterKey,
         messageId,
         messageQueue,
         messageKeyValue,
@@ -2441,6 +2516,20 @@ export class RunQueue {
       service: this.name,
     });
 
+    if (queue.includes(":ck:")) {
+      return this.redis.clearMessageFromConcurrencySetsTracked(
+        queueCurrentConcurrencyKey,
+        envCurrentConcurrencyKey,
+        queueCurrentDequeuedKey,
+        envCurrentDequeuedKey,
+        this.keys.queueRunningCounterKeyFromQueue(queue),
+        this.keys.ckIndexKeyFromQueue(queue),
+        messageId,
+        this.options.redis.keyPrefix ?? "",
+        String(this.counterTtlSeconds)
+      );
+    }
+
     return this.redis.clearMessageFromConcurrencySets(
       queueCurrentConcurrencyKey,
       envCurrentConcurrencyKey,
@@ -2485,8 +2574,10 @@ export class RunQueue {
     if (message.concurrencyKey) {
       const ckIndexKey = this.keys.ckIndexKeyFromQueue(message.queue);
       const ckWildcardName = this.keys.toCkWildcard(message.queue);
+      const lengthCounterKey = this.keys.queueLengthCounterKeyFromQueue(message.queue);
+      const runningCounterKey = this.keys.queueRunningCounterKeyFromQueue(message.queue);
 
-      await this.redis.nackMessageCk(
+      await this.redis.nackMessageCkTracked(
         //keys
         masterQueueKey,
         messageKey,
@@ -2497,12 +2588,16 @@ export class RunQueue {
         envCurrentDequeuedKey,
         envQueueKey,
         ckIndexKey,
+        lengthCounterKey,
+        runningCounterKey,
         //args
         messageId,
         messageQueue,
         JSON.stringify(message),
         String(messageScore),
-        ckWildcardName
+        ckWildcardName,
+        this.options.redis.keyPrefix ?? "",
+        String(this.counterTtlSeconds)
       );
     } else {
       await this.redis.nackMessage(
@@ -2542,8 +2637,10 @@ export class RunQueue {
     if (message.concurrencyKey) {
       const ckIndexKey = this.keys.ckIndexKeyFromQueue(message.queue);
       const ckWildcardName = this.keys.toCkWildcard(message.queue);
+      const lengthCounterKey = this.keys.queueLengthCounterKeyFromQueue(message.queue);
+      const runningCounterKey = this.keys.queueRunningCounterKeyFromQueue(message.queue);
 
-      await this.redis.moveToDeadLetterQueueCk(
+      await this.redis.moveToDeadLetterQueueCkTracked(
         masterQueueKey,
         messageKey,
         messageQueue,
@@ -2554,6 +2651,8 @@ export class RunQueue {
         envQueueKey,
         deadLetterQueueKey,
         ckIndexKey,
+        lengthCounterKey,
+        runningCounterKey,
         messageId,
         messageQueue,
         ckWildcardName
@@ -2857,9 +2956,10 @@ export class RunQueue {
         messageKey,
       });
 
-      const rawMessage = await this.redis.dequeueMessageFromKey(
+      const rawMessage = await this.redis.dequeueMessageFromKeyTracked(
         messageKey,
-        this.options.redis.keyPrefix ?? ""
+        this.options.redis.keyPrefix ?? "",
+        String(this.counterTtlSeconds)
       );
 
       if (!rawMessage) {
@@ -3302,6 +3402,246 @@ redis.call('SREM', envCurrentConcurrencyKey, messageId)
 redis.call('SREM', queueCurrentDequeuedKey, messageId)
 redis.call('SREM', envCurrentDequeuedKey, messageId)
 
+return 0
+      `,
+    });
+
+    // Tracked variants of the CK enqueue scripts. Identical to the originals except
+    // they maintain a per-base-queue `lengthCounter` so the trigger-time queue-length
+    // cap and the dashboard's "Queued" column can see the true aggregate across all
+    // CK variants. The counter is lazy-initialized inside the script the first time
+    // a CK enqueue touches a base queue by summing ZCARDs across the existing
+    // ckIndex variants + the base queue zset. The runningCounter is touched in the
+    // *Tracked variants of dequeueMessageFromKey and the ack/nack/dlq/release/clear
+    // scripts.
+    this.redis.defineCommand("enqueueMessageCkTracked", {
+      numberOfKeys: 15,
+      lua: `
+local masterQueueKey = KEYS[1]
+local queueKey = KEYS[2]
+local messageKey = KEYS[3]
+local queueCurrentConcurrencyKey = KEYS[4]
+local envCurrentConcurrencyKey = KEYS[5]
+local queueCurrentDequeuedKey = KEYS[6]
+local envCurrentDequeuedKey = KEYS[7]
+local envQueueKey = KEYS[8]
+local ckIndexKey = KEYS[9]
+-- Fast-path keys (KEYS 10-13)
+local workerQueueKey = KEYS[10]
+local queueConcurrencyLimitKey = KEYS[11]
+local envConcurrencyLimitKey = KEYS[12]
+local envConcurrencyLimitBurstFactorKey = KEYS[13]
+-- Counter keys (KEYS 14-15)
+local lengthCounterKey = KEYS[14]
+local baseQueueKey = KEYS[15]
+
+local queueName = ARGV[1]
+local messageId = ARGV[2]
+local messageData = ARGV[3]
+local messageScore = ARGV[4]
+local ckWildcardName = ARGV[5]
+-- Fast-path args (ARGV 6-10)
+local messageKeyValue = ARGV[6]
+local defaultEnvConcurrencyLimit = ARGV[7]
+local defaultEnvConcurrencyBurstFactor = ARGV[8]
+local currentTime = ARGV[9]
+local enableFastPath = ARGV[10]
+-- keyPrefix for prepending to variant names stored as values in ckIndex
+local keyPrefix = ARGV[11]
+-- TTL (seconds) applied to counter lazy-init SETs
+local counterTtl = ARGV[12]
+
+-- Fast path: check if we can skip the queue and go directly to worker queue
+if enableFastPath == '1' then
+  local available = redis.call('ZRANGEBYSCORE', queueKey, '-inf', currentTime, 'LIMIT', 0, 1)
+  if #available == 0 then
+    local envCurrent = tonumber(redis.call('SCARD', envCurrentConcurrencyKey) or '0')
+    local envLimit = tonumber(redis.call('GET', envConcurrencyLimitKey) or defaultEnvConcurrencyLimit)
+    local envBurstFactor = tonumber(redis.call('GET', envConcurrencyLimitBurstFactorKey) or defaultEnvConcurrencyBurstFactor)
+    local envLimitWithBurst = math.floor(envLimit * envBurstFactor)
+
+    if envCurrent < envLimitWithBurst then
+      local queueCurrent = tonumber(redis.call('SCARD', queueCurrentConcurrencyKey) or '0')
+      local queueLimit = math.min(
+        tonumber(redis.call('GET', queueConcurrencyLimitKey) or '1000000'),
+        envLimit
+      )
+
+      if queueCurrent < queueLimit then
+        redis.call('SET', messageKey, messageData)
+        redis.call('SADD', queueCurrentConcurrencyKey, messageId)
+        redis.call('SADD', envCurrentConcurrencyKey, messageId)
+        redis.call('RPUSH', workerQueueKey, messageKeyValue)
+        -- Fast-path skips the CK variant zset entirely; lengthCounter is unchanged.
+        -- runningCounter is bumped later by dequeueMessageFromKeyTracked when the
+        -- worker pulls the message from the worker queue.
+        return 1
+      end
+    end
+  end
+end
+
+-- Slow path: normal enqueue
+redis.call('SET', messageKey, messageData)
+
+-- Lazy-init lengthCounter from existing ckIndex variants (once per base queue per 24h).
+-- The 24h TTL means the counter periodically re-anchors to truth, bounding any drift
+-- that accumulated during rolling-deploy overlap windows.
+-- Run BEFORE the ZADD so we capture pre-state; the subsequent INCR accounts for the new message.
+-- The counter tracks ONLY CK-variant messages — the read path adds ZCARD(base) separately,
+-- so the base zset is intentionally excluded here.
+if redis.call('EXISTS', lengthCounterKey) == 0 then
+  local total = 0
+  local variants = redis.call('ZRANGE', ckIndexKey, 0, -1)
+  for _, v in ipairs(variants) do
+    total = total + tonumber(redis.call('ZCARD', keyPrefix .. v) or '0')
+  end
+  redis.call('SET', lengthCounterKey, total, 'EX', counterTtl)
+end
+
+-- INCR is gated on ZADD returning 1 (new entry). A duplicate enqueue (same messageId
+-- already in the variant zset) returns 0 and must not bump the counter.
+local added = redis.call('ZADD', queueKey, messageScore, messageId)
+redis.call('ZADD', envQueueKey, messageScore, messageId)
+if added == 1 then
+  redis.call('INCR', lengthCounterKey)
+end
+
+-- Rebalance CK index
+local earliest = redis.call('ZRANGE', queueKey, 0, 0, 'WITHSCORES')
+if #earliest > 0 then
+  redis.call('ZADD', ckIndexKey, earliest[2], queueName)
+end
+
+-- Rebalance master queue with ck:* member
+local earliestIdx = redis.call('ZRANGE', ckIndexKey, 0, 0, 'WITHSCORES')
+if #earliestIdx > 0 then
+  redis.call('ZADD', masterQueueKey, earliestIdx[2], ckWildcardName)
+end
+
+-- Remove old-format entry from master queue (transition cleanup)
+redis.call('ZREM', masterQueueKey, queueName)
+
+-- Update the concurrency keys
+redis.call('SREM', queueCurrentConcurrencyKey, messageId)
+redis.call('SREM', envCurrentConcurrencyKey, messageId)
+redis.call('SREM', queueCurrentDequeuedKey, messageId)
+redis.call('SREM', envCurrentDequeuedKey, messageId)
+
+return 0
+      `,
+    });
+
+    this.redis.defineCommand("enqueueMessageWithTtlCkTracked", {
+      numberOfKeys: 16,
+      lua: `
+local masterQueueKey = KEYS[1]
+local queueKey = KEYS[2]
+local messageKey = KEYS[3]
+local queueCurrentConcurrencyKey = KEYS[4]
+local envCurrentConcurrencyKey = KEYS[5]
+local queueCurrentDequeuedKey = KEYS[6]
+local envCurrentDequeuedKey = KEYS[7]
+local envQueueKey = KEYS[8]
+local ttlQueueKey = KEYS[9]
+local ckIndexKey = KEYS[10]
+-- Fast-path keys (KEYS 11-14)
+local workerQueueKey = KEYS[11]
+local queueConcurrencyLimitKey = KEYS[12]
+local envConcurrencyLimitKey = KEYS[13]
+local envConcurrencyLimitBurstFactorKey = KEYS[14]
+-- Counter keys (KEYS 15-16)
+local lengthCounterKey = KEYS[15]
+local baseQueueKey = KEYS[16]
+
+local queueName = ARGV[1]
+local messageId = ARGV[2]
+local messageData = ARGV[3]
+local messageScore = ARGV[4]
+local ttlMember = ARGV[5]
+local ttlScore = ARGV[6]
+local ckWildcardName = ARGV[7]
+-- Fast-path args (ARGV 8-12)
+local messageKeyValue = ARGV[8]
+local defaultEnvConcurrencyLimit = ARGV[9]
+local defaultEnvConcurrencyBurstFactor = ARGV[10]
+local currentTime = ARGV[11]
+local enableFastPath = ARGV[12]
+-- keyPrefix for prepending to variant names stored as values in ckIndex
+local keyPrefix = ARGV[13]
+-- TTL (seconds) applied to counter lazy-init SETs
+local counterTtl = ARGV[14]
+
+-- Fast path: check if we can skip the queue and go directly to worker queue
+if enableFastPath == '1' then
+  local available = redis.call('ZRANGEBYSCORE', queueKey, '-inf', currentTime, 'LIMIT', 0, 1)
+  if #available == 0 then
+    local envCurrent = tonumber(redis.call('SCARD', envCurrentConcurrencyKey) or '0')
+    local envLimit = tonumber(redis.call('GET', envConcurrencyLimitKey) or defaultEnvConcurrencyLimit)
+    local envBurstFactor = tonumber(redis.call('GET', envConcurrencyLimitBurstFactorKey) or defaultEnvConcurrencyBurstFactor)
+    local envLimitWithBurst = math.floor(envLimit * envBurstFactor)
+
+    if envCurrent < envLimitWithBurst then
+      local queueCurrent = tonumber(redis.call('SCARD', queueCurrentConcurrencyKey) or '0')
+      local queueLimit = math.min(
+        tonumber(redis.call('GET', queueConcurrencyLimitKey) or '1000000'),
+        envLimit
+      )
+
+      if queueCurrent < queueLimit then
+        redis.call('SET', messageKey, messageData)
+        redis.call('SADD', queueCurrentConcurrencyKey, messageId)
+        redis.call('SADD', envCurrentConcurrencyKey, messageId)
+        redis.call('RPUSH', workerQueueKey, messageKeyValue)
+        return 1
+      end
+    end
+  end
+end
+
+-- Slow path: normal enqueue
+redis.call('SET', messageKey, messageData)
+
+-- Lazy-init lengthCounter from existing ckIndex variants (once per base queue per 24h).
+-- See enqueueMessageCkTracked for the TTL rationale.
+if redis.call('EXISTS', lengthCounterKey) == 0 then
+  local total = 0
+  local variants = redis.call('ZRANGE', ckIndexKey, 0, -1)
+  for _, v in ipairs(variants) do
+    total = total + tonumber(redis.call('ZCARD', keyPrefix .. v) or '0')
+  end
+  redis.call('SET', lengthCounterKey, total, 'EX', counterTtl)
+end
+
+-- INCR is gated on ZADD returning 1 (new entry).
+local added = redis.call('ZADD', queueKey, messageScore, messageId)
+redis.call('ZADD', envQueueKey, messageScore, messageId)
+redis.call('ZADD', ttlQueueKey, ttlScore, ttlMember)
+if added == 1 then
+  redis.call('INCR', lengthCounterKey)
+end
+
+-- Rebalance CK index
+local earliest = redis.call('ZRANGE', queueKey, 0, 0, 'WITHSCORES')
+if #earliest > 0 then
+  redis.call('ZADD', ckIndexKey, earliest[2], queueName)
+end
+
+-- Rebalance master queue with ck:* member
+local earliestIdx = redis.call('ZRANGE', ckIndexKey, 0, 0, 'WITHSCORES')
+if #earliestIdx > 0 then
+  redis.call('ZADD', masterQueueKey, earliestIdx[2], ckWildcardName)
+end
+
+-- Remove old-format entry from master queue (transition cleanup)
+redis.call('ZREM', masterQueueKey, queueName)
+
+-- Update the concurrency keys
+redis.call('SREM', queueCurrentConcurrencyKey, messageId)
+redis.call('SREM', envCurrentConcurrencyKey, messageId)
+redis.call('SREM', queueCurrentDequeuedKey, messageId)
+redis.call('SREM', envCurrentDequeuedKey, messageId)
+
 return 0
       `,
     });
@@ -3384,7 +3724,7 @@ for i, member in ipairs(expiredMembers) do
       redis.call('SREM', envDequeuedKey, runId)
 
       -- Rebalance CK index if this is a CK queue
-      local ckMatch = string.match(rawQueueKey, "^(.+):ck:.+$")
+      local ckMatch = string.match(rawQueueKey, "(.-):ck:")
       if ckMatch then
         local ckIndexKey = keyPrefix .. ckMatch .. ":ckIndex"
         local earliest = redis.call('ZRANGE', queueKey, 0, 0, 'WITHSCORES')
@@ -3415,41 +3755,153 @@ return results
       `,
     });
 
-    this.redis.defineCommand("dequeueMessagesFromQueue", {
-      numberOfKeys: 10,
+    // Tracked variant: same as expireTtlRuns, with floored DECRs of the
+    // per-base-queue lengthCounter (for every successful ZREM from a CK variant)
+    // and runningCounter (when SREM from currentDequeued actually removed something).
+    this.redis.defineCommand("expireTtlRunsTracked", {
+      numberOfKeys: 1,
       lua: `
-local queueKey = KEYS[1]
-local queueConcurrencyLimitKey = KEYS[2]
-local envConcurrencyLimitKey = KEYS[3]
-local envConcurrencyLimitBurstFactorKey = KEYS[4]
-local queueCurrentConcurrencyKey = KEYS[5]
-local envCurrentConcurrencyKey = KEYS[6]
-local messageKeyPrefix = KEYS[7]
-local envQueueKey = KEYS[8]
-local masterQueueKey = KEYS[9]
-local ttlQueueKey = KEYS[10]  -- Optional: TTL sorted set key (empty string if not used)
-
-local queueName = ARGV[1]
+local ttlQueueKey = KEYS[1]
+local keyPrefix = ARGV[1]
 local currentTime = tonumber(ARGV[2])
-local defaultEnvConcurrencyLimit = ARGV[3]
-local defaultEnvConcurrencyBurstFactor = ARGV[4]
-local keyPrefix = ARGV[5]
-local maxCount = tonumber(ARGV[6] or '1')
-
--- Check current env concurrency against the limit
-local envCurrentConcurrency = tonumber(redis.call('SCARD', envCurrentConcurrencyKey) or '0')
-local envConcurrencyLimit = tonumber(redis.call('GET', envConcurrencyLimitKey) or defaultEnvConcurrencyLimit)
-local envConcurrencyLimitBurstFactor = tonumber(redis.call('GET', envConcurrencyLimitBurstFactorKey) or defaultEnvConcurrencyBurstFactor)
-local envConcurrencyLimitWithBurstFactor = math.floor(envConcurrencyLimit * envConcurrencyLimitBurstFactor)
+local batchSize = tonumber(ARGV[3])
+local shardCount = tonumber(ARGV[4])
+local workerQueueKey = ARGV[5]
+local workerItemsKey = ARGV[6]
+local visibilityTimeoutMs = tonumber(ARGV[7])
 
-if envCurrentConcurrency >= envConcurrencyLimitWithBurstFactor then
-    return nil
+local function decrFloored(key)
+  if tonumber(redis.call('GET', key) or '0') > 0 then
+    redis.call('DECR', key)
+  end
 end
 
--- Check current queue concurrency against the limit
-local queueCurrentConcurrency = tonumber(redis.call('SCARD', queueCurrentConcurrencyKey) or '0')
-local queueConcurrencyLimit = math.min(tonumber(redis.call('GET', queueConcurrencyLimitKey) or '1000000'), envConcurrencyLimit)
-local totalQueueConcurrencyLimit = queueConcurrencyLimit
+local expiredMembers = redis.call('ZRANGEBYSCORE', ttlQueueKey, '-inf', currentTime, 'LIMIT', 0, batchSize)
+
+if #expiredMembers == 0 then
+  return {}
+end
+
+local time = redis.call('TIME')
+local nowMs = tonumber(time[1]) * 1000 + math.floor(tonumber(time[2]) / 1000)
+
+local results = {}
+
+for i, member in ipairs(expiredMembers) do
+  local pipePos1 = string.find(member, "|", 1, true)
+  if pipePos1 then
+    local pipePos2 = string.find(member, "|", pipePos1 + 1, true)
+    if pipePos2 then
+      local rawQueueKey = string.sub(member, 1, pipePos1 - 1)
+      local runId = string.sub(member, pipePos1 + 1, pipePos2 - 1)
+      local orgId = string.sub(member, pipePos2 + 1)
+
+      local queueKey = keyPrefix .. rawQueueKey
+
+      redis.call('ZREM', ttlQueueKey, member)
+
+      local orgKeyStart = string.find(rawQueueKey, "{org:", 1, true)
+      local orgKeyEnd = string.find(rawQueueKey, "}", orgKeyStart, true)
+      local orgFromQueue = string.sub(rawQueueKey, orgKeyStart + 5, orgKeyEnd - 1)
+
+      local messageKey = keyPrefix .. "{org:" .. orgFromQueue .. "}:message:" .. runId
+
+      redis.call('DEL', messageKey)
+
+      -- ZREM from queue; if successful AND this is a CK variant, DECR lengthCounter.
+      local removedFromZset = redis.call('ZREM', queueKey, runId)
+
+      local envMatch = string.match(rawQueueKey, ":env:([^:]+)")
+      if envMatch then
+        local envQueueKey = keyPrefix .. "{org:" .. orgFromQueue .. "}:env:" .. envMatch
+        redis.call('ZREM', envQueueKey, runId)
+      end
+
+      local concurrencyKey = queueKey .. ":currentConcurrency"
+      local dequeuedKey = queueKey .. ":currentDequeued"
+      redis.call('SREM', concurrencyKey, runId)
+      local removedFromDequeued = redis.call('SREM', dequeuedKey, runId)
+
+      local projMatch = string.match(rawQueueKey, ":proj:([^:]+):env:")
+      local envConcurrencyKey = keyPrefix .. "{org:" .. orgFromQueue .. "}:proj:" .. (projMatch or "") .. ":env:" .. (envMatch or "") .. ":currentConcurrency"
+      local envDequeuedKey = keyPrefix .. "{org:" .. orgFromQueue .. "}:proj:" .. (projMatch or "") .. ":env:" .. (envMatch or "") .. ":currentDequeued"
+      redis.call('SREM', envConcurrencyKey, runId)
+      redis.call('SREM', envDequeuedKey, runId)
+
+      -- Rebalance CK index AND update counters if this is a CK queue
+      local ckMatch = string.match(rawQueueKey, "(.-):ck:")
+      if ckMatch then
+        local lengthCounterKey = keyPrefix .. ckMatch .. ":lengthCounter"
+        local runningCounterKey = keyPrefix .. ckMatch .. ":runningCounter"
+        if removedFromZset == 1 then
+          decrFloored(lengthCounterKey)
+        end
+        if removedFromDequeued == 1 then
+          decrFloored(runningCounterKey)
+        end
+
+        local ckIndexKey = keyPrefix .. ckMatch .. ":ckIndex"
+        local earliest = redis.call('ZRANGE', queueKey, 0, 0, 'WITHSCORES')
+        if #earliest == 0 then
+          redis.call('ZREM', ckIndexKey, rawQueueKey)
+        else
+          redis.call('ZADD', ckIndexKey, earliest[2], rawQueueKey)
+        end
+      end
+
+      local serializedItem = cjson.encode({
+        job = "expireTtlRun",
+        item = { runId = runId, orgId = orgId, queueKey = rawQueueKey },
+        visibilityTimeoutMs = visibilityTimeoutMs,
+        attempt = 0
+      })
+      redis.call('ZADD', workerQueueKey, nowMs, runId)
+      redis.call('HSET', workerItemsKey, runId, serializedItem)
+
+      table.insert(results, member)
+    end
+  end
+end
+
+return results
+      `,
+    });
+
+    this.redis.defineCommand("dequeueMessagesFromQueue", {
+      numberOfKeys: 10,
+      lua: `
+local queueKey = KEYS[1]
+local queueConcurrencyLimitKey = KEYS[2]
+local envConcurrencyLimitKey = KEYS[3]
+local envConcurrencyLimitBurstFactorKey = KEYS[4]
+local queueCurrentConcurrencyKey = KEYS[5]
+local envCurrentConcurrencyKey = KEYS[6]
+local messageKeyPrefix = KEYS[7]
+local envQueueKey = KEYS[8]
+local masterQueueKey = KEYS[9]
+local ttlQueueKey = KEYS[10]  -- Optional: TTL sorted set key (empty string if not used)
+
+local queueName = ARGV[1]
+local currentTime = tonumber(ARGV[2])
+local defaultEnvConcurrencyLimit = ARGV[3]
+local defaultEnvConcurrencyBurstFactor = ARGV[4]
+local keyPrefix = ARGV[5]
+local maxCount = tonumber(ARGV[6] or '1')
+
+-- Check current env concurrency against the limit
+local envCurrentConcurrency = tonumber(redis.call('SCARD', envCurrentConcurrencyKey) or '0')
+local envConcurrencyLimit = tonumber(redis.call('GET', envConcurrencyLimitKey) or defaultEnvConcurrencyLimit)
+local envConcurrencyLimitBurstFactor = tonumber(redis.call('GET', envConcurrencyLimitBurstFactorKey) or defaultEnvConcurrencyBurstFactor)
+local envConcurrencyLimitWithBurstFactor = math.floor(envConcurrencyLimit * envConcurrencyLimitBurstFactor)
+
+if envCurrentConcurrency >= envConcurrencyLimitWithBurstFactor then
+    return nil
+end
+
+-- Check current queue concurrency against the limit
+local queueCurrentConcurrency = tonumber(redis.call('SCARD', queueCurrentConcurrencyKey) or '0')
+local queueConcurrencyLimit = math.min(tonumber(redis.call('GET', queueConcurrencyLimitKey) or '1000000'), envConcurrencyLimit)
+local totalQueueConcurrencyLimit = queueConcurrencyLimit
 
 -- Check condition only if concurrencyLimit exists
 if queueCurrentConcurrency >= totalQueueConcurrencyLimit then
@@ -3680,6 +4132,151 @@ else
   redis.call('ZADD', masterQueueKey, earliestIdx[2], ckWildcardName)
 end
 
+return results
+      `,
+    });
+
+    // Tracked variant: same as dequeueMessagesFromCkQueue plus DECR of the
+    // per-base-queue lengthCounter for every message removed from a CK variant
+    // (normal dequeue, TTL-expired, or stale-orphan path — all of which were
+    // counted at enqueue time).
+    this.redis.defineCommand("dequeueMessagesFromCkQueueTracked", {
+      numberOfKeys: 10,
+      lua: `
+local ckIndexKey = KEYS[1]
+local queueConcurrencyLimitKey = KEYS[2]
+local envConcurrencyLimitKey = KEYS[3]
+local envConcurrencyLimitBurstFactorKey = KEYS[4]
+local envCurrentConcurrencyKey = KEYS[5]
+local messageKeyPrefix = KEYS[6]
+local envQueueKey = KEYS[7]
+local masterQueueKey = KEYS[8]
+local ttlQueueKey = KEYS[9]
+local lengthCounterKey = KEYS[10]
+
+local ckWildcardName = ARGV[1]
+local currentTime = tonumber(ARGV[2])
+local defaultEnvConcurrencyLimit = ARGV[3]
+local defaultEnvConcurrencyBurstFactor = ARGV[4]
+local keyPrefix = ARGV[5]
+local maxCount = tonumber(ARGV[6] or '1')
+
+local function decrLengthCounter()
+  if tonumber(redis.call('GET', lengthCounterKey) or '0') > 0 then
+    redis.call('DECR', lengthCounterKey)
+  end
+end
+
+-- Check env concurrency
+local envCurrentConcurrency = tonumber(redis.call('SCARD', envCurrentConcurrencyKey) or '0')
+local envConcurrencyLimit = tonumber(redis.call('GET', envConcurrencyLimitKey) or defaultEnvConcurrencyLimit)
+local envConcurrencyLimitBurstFactor = tonumber(redis.call('GET', envConcurrencyLimitBurstFactorKey) or defaultEnvConcurrencyBurstFactor)
+local envConcurrencyLimitWithBurstFactor = math.floor(envConcurrencyLimit * envConcurrencyLimitBurstFactor)
+
+if envCurrentConcurrency >= envConcurrencyLimitWithBurstFactor then
+  return nil
+end
+
+local queueConcurrencyLimit = math.min(tonumber(redis.call('GET', queueConcurrencyLimitKey) or '1000000'), envConcurrencyLimit)
+
+local envAvailableCapacity = envConcurrencyLimitWithBurstFactor - envCurrentConcurrency
+local actualMaxCount = math.min(maxCount, envAvailableCapacity)
+
+if actualMaxCount <= 0 then
+  return nil
+end
+
+local ckQueues = redis.call('ZRANGEBYSCORE', ckIndexKey, '-inf', tostring(currentTime), 'LIMIT', 0, actualMaxCount * 3)
+
+if #ckQueues == 0 then
+  local anyIdx = redis.call('ZRANGE', ckIndexKey, 0, 0, 'WITHSCORES')
+  if #anyIdx == 0 then
+    redis.call('ZREM', masterQueueKey, ckWildcardName)
+  else
+    redis.call('ZADD', masterQueueKey, anyIdx[2], ckWildcardName)
+  end
+  return nil
+end
+
+local results = {}
+local dequeuedCount = 0
+
+for _, ckQueueName in ipairs(ckQueues) do
+  if dequeuedCount >= actualMaxCount then
+    break
+  end
+
+  local fullQueueKey = keyPrefix .. ckQueueName
+
+  local ckConcurrencyKey = fullQueueKey .. ':currentConcurrency'
+  local ckCurrentConcurrency = tonumber(redis.call('SCARD', ckConcurrencyKey) or '0')
+
+  if ckCurrentConcurrency < queueConcurrencyLimit then
+    local messages = redis.call('ZRANGEBYSCORE', fullQueueKey, '-inf', tostring(currentTime), 'WITHSCORES', 'LIMIT', 0, 1)
+
+    if #messages >= 2 then
+      local messageId = messages[1]
+      local messageScore = messages[2]
+
+      local messageKey = messageKeyPrefix .. messageId
+      local messagePayload = redis.call('GET', messageKey)
+
+      if messagePayload then
+        local messageData = cjson.decode(messagePayload)
+        local ttlExpiresAt = messageData and messageData.ttlExpiresAt
+
+        if ttlExpiresAt and ttlExpiresAt <= currentTime then
+          redis.call('ZREM', fullQueueKey, messageId)
+          redis.call('ZREM', envQueueKey, messageId)
+          decrLengthCounter()
+        else
+          redis.call('ZREM', fullQueueKey, messageId)
+          redis.call('ZREM', envQueueKey, messageId)
+          decrLengthCounter()
+          redis.call('SADD', ckConcurrencyKey, messageId)
+          redis.call('SADD', envCurrentConcurrencyKey, messageId)
+
+          if ttlQueueKey and ttlQueueKey ~= '' and ttlExpiresAt then
+            local ttlMember = ckQueueName .. '|' .. messageId .. '|' .. (messageData.orgId or '')
+            redis.call('ZREM', ttlQueueKey, ttlMember)
+          end
+
+          table.insert(results, messageId)
+          table.insert(results, messageScore)
+          table.insert(results, messagePayload)
+
+          dequeuedCount = dequeuedCount + 1
+        end
+      else
+        redis.call('ZREM', fullQueueKey, messageId)
+        redis.call('ZREM', envQueueKey, messageId)
+        decrLengthCounter()
+      end
+
+      local earliest = redis.call('ZRANGE', fullQueueKey, 0, 0, 'WITHSCORES')
+      if #earliest == 0 then
+        redis.call('ZREM', ckIndexKey, ckQueueName)
+      else
+        redis.call('ZADD', ckIndexKey, earliest[2], ckQueueName)
+      end
+    else
+      local any = redis.call('ZRANGE', fullQueueKey, 0, 0, 'WITHSCORES')
+      if #any == 0 then
+        redis.call('ZREM', ckIndexKey, ckQueueName)
+      else
+        redis.call('ZADD', ckIndexKey, any[2], ckQueueName)
+      end
+    end
+  end
+end
+
+local earliestIdx = redis.call('ZRANGE', ckIndexKey, 0, 0, 'WITHSCORES')
+if #earliestIdx == 0 then
+  redis.call('ZREM', masterQueueKey, ckWildcardName)
+else
+  redis.call('ZADD', masterQueueKey, earliestIdx[2], ckWildcardName)
+end
+
 return results
       `,
     });
@@ -3732,6 +4329,75 @@ redis.call('SADD', queueCurrentDequeuedKey, messageData.runId)
 redis.call('SADD', envCurrentDequeuedKey, messageData.runId)
 
 -- Return the message data
+return message
+      `,
+    });
+
+    // Tracked variant: same as dequeueMessageFromKey, plus runningCounter INCR
+    // when the message lives on a CK variant queue. The runningCounter is
+    // lazy-initialized from the existing ckIndex variants' currentDequeued sets.
+    // Note: ckIndex only tracks variants that currently have queued messages,
+    // so the init misses any variant that's "running-only" (all messages
+    // dequeued, none queued). Those are reabsorbed naturally as messages ack
+    // (floored DECR) and new dequeues land.
+    this.redis.defineCommand("dequeueMessageFromKeyTracked", {
+      numberOfKeys: 1,
+      lua: `
+local messageKey = KEYS[1]
+local keyPrefix = ARGV[1]
+-- TTL (seconds) applied to counter lazy-init SETs
+local counterTtl = ARGV[2]
+
+local message = redis.call('GET', messageKey)
+if not message then
+  return nil
+end
+
+local messageData = cjson.decode(message)
+local queue = messageData.queue
+
+local queueCurrentDequeuedKey = keyPrefix .. queue .. ':currentDequeued'
+local envCurrentDequeuedKey = keyPrefix .. string.match(queue, "(.+):queue:") .. ':currentDequeued'
+
+-- SADD first so we know if this dequeue is new (return 1) or a duplicate (return 0).
+-- INCR runningCounter is gated on the new-membership result so re-dequeues don't inflate.
+-- The alternative (lazy-init before SADD) was rejected because we need the SADD return
+-- value to gate the INCR, and the lazy-init seed under SADD-first already reflects the
+-- new membership. We compensate with the total-1 in the seed math below.
+local addedDeq = redis.call('SADD', queueCurrentDequeuedKey, messageData.runId)
+redis.call('SADD', envCurrentDequeuedKey, messageData.runId)
+
+-- If CK + new addition, bump the runningCounter for the base queue (lazy init from ckIndex).
+-- The counter tracks ONLY CK-variant currentDequeued — the read path adds the base
+-- SCARD separately, so we exclude the base currentDequeued here. 24h TTL on init
+-- bounds any drift from rolling-deploy v1/v2 overlap.
+local baseQueue = string.match(queue, "(.-):ck:")
+if baseQueue and addedDeq == 1 then
+  local runningCounterKey = keyPrefix .. baseQueue .. ':runningCounter'
+  if redis.call('EXISTS', runningCounterKey) == 0 then
+    local ckIndexKey = keyPrefix .. baseQueue .. ':ckIndex'
+    local total = 0
+    local ownVariantSeen = false
+    local variants = redis.call('ZRANGE', ckIndexKey, 0, -1)
+    for _, v in ipairs(variants) do
+      if v == queue then
+        ownVariantSeen = true
+      end
+      total = total + tonumber(redis.call('SCARD', keyPrefix .. v .. ':currentDequeued') or '0')
+    end
+    -- Fast-path messages skip the variant zset and ckIndex entirely (see
+    -- enqueueMessageCkTracked fast path). If our variant isn't in ckIndex, the loop
+    -- missed its SCARD; add it manually. Either way, the SCARD we sum already
+    -- reflects our just-SADD'd member, so subtract 1 before SETting (the INCR
+    -- below will add it back).
+    if not ownVariantSeen then
+      total = total + tonumber(redis.call('SCARD', queueCurrentDequeuedKey) or '0')
+    end
+    redis.call('SET', runningCounterKey, math.max(0, total - 1), 'EX', counterTtl)
+  end
+  redis.call('INCR', runningCounterKey)
+end
+
 return message
       `,
     });
@@ -3853,9 +4519,180 @@ local earliestMessage = redis.call('ZRANGE', messageQueue, 0, 0, 'WITHSCORES')
 if #earliestMessage == 0 then
   redis.call('ZREM', masterQueueKey, messageQueueName)
 else
-  redis.call('ZADD', masterQueueKey, earliestMessage[2], messageQueueName)
+  redis.call('ZADD', masterQueueKey, earliestMessage[2], messageQueueName)
+end
+
+-- Add the message to the dead letter queue
+redis.call('ZADD', deadLetterQueueKey, tonumber(redis.call('TIME')[1]), messageId)
+
+-- Update the concurrency keys
+redis.call('SREM', queueCurrentConcurrencyKey, messageId)
+redis.call('SREM', envCurrentConcurrencyKey, messageId)
+redis.call('SREM', queueCurrentDequeuedKey, messageId)
+redis.call('SREM', envCurrentDequeuedKey, messageId)
+`,
+    });
+
+    // CK-aware acknowledge: rebalances CK index and master queue with :ck:* member
+    this.redis.defineCommand("acknowledgeMessageCk", {
+      numberOfKeys: 10,
+      lua: `
+-- Keys:
+local masterQueueKey = KEYS[1]
+local messageKey = KEYS[2]
+local messageQueueKey = KEYS[3]
+local queueCurrentConcurrencyKey = KEYS[4]
+local envCurrentConcurrencyKey = KEYS[5]
+local queueCurrentDequeuedKey = KEYS[6]
+local envCurrentDequeuedKey = KEYS[7]
+local envQueueKey = KEYS[8]
+local workerQueueKey = KEYS[9]
+local ckIndexKey = KEYS[10]
+
+-- Args:
+local messageId = ARGV[1]
+local messageQueueName = ARGV[2]
+local messageKeyValue = ARGV[3]
+local removeFromWorkerQueue = ARGV[4]
+local ckWildcardName = ARGV[5]
+
+-- Remove the message from the message key
+redis.call('DEL', messageKey)
+
+-- Remove the message from the CK-specific queue
+redis.call('ZREM', messageQueueKey, messageId)
+redis.call('ZREM', envQueueKey, messageId)
+
+-- Rebalance CK index
+local earliestInCkQueue = redis.call('ZRANGE', messageQueueKey, 0, 0, 'WITHSCORES')
+if #earliestInCkQueue == 0 then
+  redis.call('ZREM', ckIndexKey, messageQueueName)
+else
+  redis.call('ZADD', ckIndexKey, earliestInCkQueue[2], messageQueueName)
+end
+
+-- Rebalance master queue with ck:* member
+local earliestInCkIndex = redis.call('ZRANGE', ckIndexKey, 0, 0, 'WITHSCORES')
+if #earliestInCkIndex == 0 then
+  redis.call('ZREM', masterQueueKey, ckWildcardName)
+else
+  redis.call('ZADD', masterQueueKey, earliestInCkIndex[2], ckWildcardName)
+end
+
+-- Remove old-format entry from master queue (transition cleanup)
+redis.call('ZREM', masterQueueKey, messageQueueName)
+
+-- Update the concurrency keys
+redis.call('SREM', queueCurrentConcurrencyKey, messageId)
+redis.call('SREM', envCurrentConcurrencyKey, messageId)
+redis.call('SREM', queueCurrentDequeuedKey, messageId)
+redis.call('SREM', envCurrentDequeuedKey, messageId)
+
+-- Remove the message from the worker queue
+if removeFromWorkerQueue == '1' then
+  redis.call('LREM', workerQueueKey, 0, messageKeyValue)
+end
+`,
+    });
+
+    // CK-aware nack: rebalances CK index and master queue with :ck:* member
+    this.redis.defineCommand("nackMessageCk", {
+      numberOfKeys: 9,
+      lua: `
+-- Keys:
+local masterQueueKey = KEYS[1]
+local messageKey = KEYS[2]
+local messageQueueKey = KEYS[3]
+local queueCurrentConcurrencyKey = KEYS[4]
+local envCurrentConcurrencyKey = KEYS[5]
+local queueCurrentDequeuedKey = KEYS[6]
+local envCurrentDequeuedKey = KEYS[7]
+local envQueueKey = KEYS[8]
+local ckIndexKey = KEYS[9]
+
+-- Args:
+local messageId = ARGV[1]
+local messageQueueName = ARGV[2]
+local messageData = ARGV[3]
+local messageScore = tonumber(ARGV[4])
+local ckWildcardName = ARGV[5]
+
+-- Update the message data
+redis.call('SET', messageKey, messageData)
+
+-- Update the concurrency keys
+redis.call('SREM', queueCurrentConcurrencyKey, messageId)
+redis.call('SREM', envCurrentConcurrencyKey, messageId)
+redis.call('SREM', queueCurrentDequeuedKey, messageId)
+redis.call('SREM', envCurrentDequeuedKey, messageId)
+
+-- Enqueue the message back into the CK-specific queue
+redis.call('ZADD', messageQueueKey, messageScore, messageId)
+redis.call('ZADD', envQueueKey, messageScore, messageId)
+
+-- Rebalance CK index
+local earliest = redis.call('ZRANGE', messageQueueKey, 0, 0, 'WITHSCORES')
+if #earliest > 0 then
+  redis.call('ZADD', ckIndexKey, earliest[2], messageQueueName)
+end
+
+-- Rebalance master queue with ck:* member
+local earliestIdx = redis.call('ZRANGE', ckIndexKey, 0, 0, 'WITHSCORES')
+if #earliestIdx == 0 then
+  redis.call('ZREM', masterQueueKey, ckWildcardName)
+else
+  redis.call('ZADD', masterQueueKey, earliestIdx[2], ckWildcardName)
+end
+
+-- Remove old-format entry from master queue (transition cleanup)
+redis.call('ZREM', masterQueueKey, messageQueueName)
+`,
+    });
+
+    // CK-aware move to dead letter queue
+    this.redis.defineCommand("moveToDeadLetterQueueCk", {
+      numberOfKeys: 10,
+      lua: `
+-- Keys:
+local masterQueueKey = KEYS[1]
+local messageKey = KEYS[2]
+local messageQueue = KEYS[3]
+local queueCurrentConcurrencyKey = KEYS[4]
+local envCurrentConcurrencyKey = KEYS[5]
+local queueCurrentDequeuedKey = KEYS[6]
+local envCurrentDequeuedKey = KEYS[7]
+local envQueueKey = KEYS[8]
+local deadLetterQueueKey = KEYS[9]
+local ckIndexKey = KEYS[10]
+
+-- Args:
+local messageId = ARGV[1]
+local messageQueueName = ARGV[2]
+local ckWildcardName = ARGV[3]
+
+-- Remove the message from the CK-specific queue
+redis.call('ZREM', messageQueue, messageId)
+redis.call('ZREM', envQueueKey, messageId)
+
+-- Rebalance CK index
+local earliest = redis.call('ZRANGE', messageQueue, 0, 0, 'WITHSCORES')
+if #earliest == 0 then
+  redis.call('ZREM', ckIndexKey, messageQueueName)
+else
+  redis.call('ZADD', ckIndexKey, earliest[2], messageQueueName)
+end
+
+-- Rebalance master queue with ck:* member
+local earliestIdx = redis.call('ZRANGE', ckIndexKey, 0, 0, 'WITHSCORES')
+if #earliestIdx == 0 then
+  redis.call('ZREM', masterQueueKey, ckWildcardName)
+else
+  redis.call('ZADD', masterQueueKey, earliestIdx[2], ckWildcardName)
 end
 
+-- Remove old-format entry from master queue (transition cleanup)
+redis.call('ZREM', masterQueueKey, messageQueueName)
+
 -- Add the message to the dead letter queue
 redis.call('ZADD', deadLetterQueueKey, tonumber(redis.call('TIME')[1]), messageId)
 
@@ -3867,9 +4704,12 @@ redis.call('SREM', envCurrentDequeuedKey, messageId)
 `,
     });
 
-    // CK-aware acknowledge: rebalances CK index and master queue with :ck:* member
-    this.redis.defineCommand("acknowledgeMessageCk", {
-      numberOfKeys: 10,
+    // Tracked variant: same as acknowledgeMessageCk, plus floored DECRs of the
+    // per-base-queue lengthCounter (defensive — only fires when the ZREM actually
+    // removed something) and runningCounter (when SREM currentDequeued actually
+    // removed something).
+    this.redis.defineCommand("acknowledgeMessageCkTracked", {
+      numberOfKeys: 12,
       lua: `
 -- Keys:
 local masterQueueKey = KEYS[1]
@@ -3882,6 +4722,8 @@ local envCurrentDequeuedKey = KEYS[7]
 local envQueueKey = KEYS[8]
 local workerQueueKey = KEYS[9]
 local ckIndexKey = KEYS[10]
+local lengthCounterKey = KEYS[11]
+local runningCounterKey = KEYS[12]
 
 -- Args:
 local messageId = ARGV[1]
@@ -3890,12 +4732,23 @@ local messageKeyValue = ARGV[3]
 local removeFromWorkerQueue = ARGV[4]
 local ckWildcardName = ARGV[5]
 
+local function decrFloored(key)
+  if tonumber(redis.call('GET', key) or '0') > 0 then
+    redis.call('DECR', key)
+  end
+end
+
 -- Remove the message from the message key
 redis.call('DEL', messageKey)
 
--- Remove the message from the CK-specific queue
-redis.call('ZREM', messageQueueKey, messageId)
+-- Remove the message from the CK-specific queue. The ZREM is defensive — by
+-- ack time the message is normally in currentConcurrency, not the zset — but
+-- if it does remove something, the counter was tracking that entry so decr.
+local removedFromZset = redis.call('ZREM', messageQueueKey, messageId)
 redis.call('ZREM', envQueueKey, messageId)
+if removedFromZset == 1 then
+  decrFloored(lengthCounterKey)
+end
 
 -- Rebalance CK index
 local earliestInCkQueue = redis.call('ZRANGE', messageQueueKey, 0, 0, 'WITHSCORES')
@@ -3916,11 +4769,15 @@ end
 -- Remove old-format entry from master queue (transition cleanup)
 redis.call('ZREM', masterQueueKey, messageQueueName)
 
--- Update the concurrency keys
+-- Update the concurrency keys. DECR runningCounter only when SREM
+-- currentDequeued actually removed an entry (the message was in flight).
 redis.call('SREM', queueCurrentConcurrencyKey, messageId)
 redis.call('SREM', envCurrentConcurrencyKey, messageId)
-redis.call('SREM', queueCurrentDequeuedKey, messageId)
+local removedFromDequeued = redis.call('SREM', queueCurrentDequeuedKey, messageId)
 redis.call('SREM', envCurrentDequeuedKey, messageId)
+if removedFromDequeued == 1 then
+  decrFloored(runningCounterKey)
+end
 
 -- Remove the message from the worker queue
 if removeFromWorkerQueue == '1' then
@@ -3929,9 +4786,11 @@ end
 `,
     });
 
-    // CK-aware nack: rebalances CK index and master queue with :ck:* member
-    this.redis.defineCommand("nackMessageCk", {
-      numberOfKeys: 9,
+    // Tracked variant: same as nackMessageCk. SREM currentDequeued may DECR
+    // runningCounter (floored); ZADD back to the variant zset INCRs
+    // lengthCounter only when ZADD reported a new entry.
+    this.redis.defineCommand("nackMessageCkTracked", {
+      numberOfKeys: 11,
       lua: `
 -- Keys:
 local masterQueueKey = KEYS[1]
@@ -3943,6 +4802,8 @@ local queueCurrentDequeuedKey = KEYS[6]
 local envCurrentDequeuedKey = KEYS[7]
 local envQueueKey = KEYS[8]
 local ckIndexKey = KEYS[9]
+local lengthCounterKey = KEYS[10]
+local runningCounterKey = KEYS[11]
 
 -- Args:
 local messageId = ARGV[1]
@@ -3950,19 +4811,52 @@ local messageQueueName = ARGV[2]
 local messageData = ARGV[3]
 local messageScore = tonumber(ARGV[4])
 local ckWildcardName = ARGV[5]
+-- keyPrefix for prepending to variant names stored as values in ckIndex (lazy-init only)
+local keyPrefix = ARGV[6]
+-- TTL (seconds) applied to counter lazy-init SETs
+local counterTtl = ARGV[7]
+
+local function decrFloored(key)
+  if tonumber(redis.call('GET', key) or '0') > 0 then
+    redis.call('DECR', key)
+  end
+end
 
 -- Update the message data
 redis.call('SET', messageKey, messageData)
 
--- Update the concurrency keys
+-- Update the concurrency keys. nack only DECRs runningCounter, never INCRs it,
+-- so we skip the eager lazy-init here (unlike releaseConcurrencyTracked, which
+-- mirrors the same DECR pattern with init). A post-TTL nack's floored DECR
+-- no-ops; the next dequeueMessageFromKeyTracked reseeds from current state.
 redis.call('SREM', queueCurrentConcurrencyKey, messageId)
 redis.call('SREM', envCurrentConcurrencyKey, messageId)
-redis.call('SREM', queueCurrentDequeuedKey, messageId)
+local removedFromDequeued = redis.call('SREM', queueCurrentDequeuedKey, messageId)
 redis.call('SREM', envCurrentDequeuedKey, messageId)
+if removedFromDequeued == 1 then
+  decrFloored(runningCounterKey)
+end
 
--- Enqueue the message back into the CK-specific queue
-redis.call('ZADD', messageQueueKey, messageScore, messageId)
+-- Lazy-init lengthCounter if missing (e.g. expired via 24h TTL). nack re-queues a
+-- message, which means lengthCounter must be present before we INCR. Without this,
+-- a nack after counter expiry would create the counter at 1 and stay drifted until
+-- next reset.
+if redis.call('EXISTS', lengthCounterKey) == 0 then
+  local total = 0
+  local variants = redis.call('ZRANGE', ckIndexKey, 0, -1)
+  for _, v in ipairs(variants) do
+    total = total + tonumber(redis.call('ZCARD', keyPrefix .. v) or '0')
+  end
+  redis.call('SET', lengthCounterKey, total, 'EX', counterTtl)
+end
+
+-- Enqueue the message back into the CK-specific queue. INCR lengthCounter only if
+-- it's a new entry (ZADD returns 1).
+local added = redis.call('ZADD', messageQueueKey, messageScore, messageId)
 redis.call('ZADD', envQueueKey, messageScore, messageId)
+if added == 1 then
+  redis.call('INCR', lengthCounterKey)
+end
 
 -- Rebalance CK index
 local earliest = redis.call('ZRANGE', messageQueueKey, 0, 0, 'WITHSCORES')
@@ -3983,9 +4877,10 @@ redis.call('ZREM', masterQueueKey, messageQueueName)
 `,
     });
 
-    // CK-aware move to dead letter queue
-    this.redis.defineCommand("moveToDeadLetterQueueCk", {
-      numberOfKeys: 10,
+    // Tracked variant: same as moveToDeadLetterQueueCk. ZREM may DECR
+    // lengthCounter (defensive); SREM currentDequeued may DECR runningCounter.
+    this.redis.defineCommand("moveToDeadLetterQueueCkTracked", {
+      numberOfKeys: 12,
       lua: `
 -- Keys:
 local masterQueueKey = KEYS[1]
@@ -3998,15 +4893,28 @@ local envCurrentDequeuedKey = KEYS[7]
 local envQueueKey = KEYS[8]
 local deadLetterQueueKey = KEYS[9]
 local ckIndexKey = KEYS[10]
+local lengthCounterKey = KEYS[11]
+local runningCounterKey = KEYS[12]
 
 -- Args:
 local messageId = ARGV[1]
 local messageQueueName = ARGV[2]
 local ckWildcardName = ARGV[3]
 
--- Remove the message from the CK-specific queue
-redis.call('ZREM', messageQueue, messageId)
+local function decrFloored(key)
+  if tonumber(redis.call('GET', key) or '0') > 0 then
+    redis.call('DECR', key)
+  end
+end
+
+-- Remove the message from the CK-specific queue. ZREM may be a no-op if the
+-- message was already moved to currentConcurrency; only decr when it actually
+-- removes something.
+local removedFromZset = redis.call('ZREM', messageQueue, messageId)
 redis.call('ZREM', envQueueKey, messageId)
+if removedFromZset == 1 then
+  decrFloored(lengthCounterKey)
+end
 
 -- Rebalance CK index
 local earliest = redis.call('ZRANGE', messageQueue, 0, 0, 'WITHSCORES')
@@ -4030,11 +4938,15 @@ redis.call('ZREM', masterQueueKey, messageQueueName)
 -- Add the message to the dead letter queue
 redis.call('ZADD', deadLetterQueueKey, tonumber(redis.call('TIME')[1]), messageId)
 
--- Update the concurrency keys
+-- Update the concurrency keys. DECR runningCounter only when SREM
+-- currentDequeued actually removed an entry.
 redis.call('SREM', queueCurrentConcurrencyKey, messageId)
 redis.call('SREM', envCurrentConcurrencyKey, messageId)
-redis.call('SREM', queueCurrentDequeuedKey, messageId)
+local removedFromDequeued = redis.call('SREM', queueCurrentDequeuedKey, messageId)
 redis.call('SREM', envCurrentDequeuedKey, messageId)
+if removedFromDequeued == 1 then
+  decrFloored(runningCounterKey)
+end
 `,
     });
 
@@ -4058,6 +4970,54 @@ redis.call('SREM', envCurrentDequeuedKey, messageId)
 `,
     });
 
+    // Tracked variant: same as releaseConcurrency, with a floored DECR of the
+    // base-queue runningCounter when SREM currentDequeued actually removed
+    // something. Caller should only invoke this variant for CK queues — non-CK
+    // queues should keep calling releaseConcurrency.
+    this.redis.defineCommand("releaseConcurrencyTracked", {
+      numberOfKeys: 6,
+      lua: `
+-- Keys:
+local queueCurrentConcurrencyKey = KEYS[1]
+local envCurrentConcurrencyKey = KEYS[2]
+local queueCurrentDequeuedKey = KEYS[3]
+local envCurrentDequeuedKey = KEYS[4]
+local runningCounterKey = KEYS[5]
+local ckIndexKey = KEYS[6]
+
+-- Args:
+local messageId = ARGV[1]
+local keyPrefix = ARGV[2]
+-- TTL (seconds) applied to counter lazy-init SETs
+local counterTtl = ARGV[3]
+
+-- Lazy-init runningCounter if missing (e.g. expired via 24h TTL). Runs BEFORE
+-- the SREM so the seed captures pre-release state; the subsequent DECR accounts
+-- for the message we're about to release. Without this, a release landing after
+-- counter expiry would silently no-op the DECR and the next dequeue would seed
+-- to post-release truth — bounded drift but inconsistent with nack/enqueue.
+if redis.call('EXISTS', runningCounterKey) == 0 then
+  local total = 0
+  local variants = redis.call('ZRANGE', ckIndexKey, 0, -1)
+  for _, v in ipairs(variants) do
+    total = total + tonumber(redis.call('SCARD', keyPrefix .. v .. ':currentDequeued') or '0')
+  end
+  redis.call('SET', runningCounterKey, total, 'EX', counterTtl)
+end
+
+redis.call('SREM', queueCurrentConcurrencyKey, messageId)
+redis.call('SREM', envCurrentConcurrencyKey, messageId)
+local removedFromDequeued = redis.call('SREM', queueCurrentDequeuedKey, messageId)
+redis.call('SREM', envCurrentDequeuedKey, messageId)
+
+if removedFromDequeued == 1 then
+  if tonumber(redis.call('GET', runningCounterKey) or '0') > 0 then
+    redis.call('DECR', runningCounterKey)
+  end
+end
+`,
+    });
+
     this.redis.defineCommand("updateEnvironmentConcurrencyLimits", {
       numberOfKeys: 2,
       lua: `
@@ -4154,6 +5114,48 @@ redis.call('SREM', queueCurrentConcurrencyKey, messageId)
 redis.call('SREM', envCurrentConcurrencyKey, messageId)
 redis.call('SREM', queueCurrentDequeuedKey, messageId)
 redis.call('SREM', envCurrentDequeuedKey, messageId)
+`,
+    });
+
+    // Tracked variant of clearMessageFromConcurrencySets — see releaseConcurrencyTracked
+    // for the contract. Only invoke for CK queues.
+    this.redis.defineCommand("clearMessageFromConcurrencySetsTracked", {
+      numberOfKeys: 6,
+      lua: `
+-- Keys:
+local queueCurrentConcurrencyKey = KEYS[1]
+local envCurrentConcurrencyKey = KEYS[2]
+local queueCurrentDequeuedKey = KEYS[3]
+local envCurrentDequeuedKey = KEYS[4]
+local runningCounterKey = KEYS[5]
+local ckIndexKey = KEYS[6]
+
+-- Args:
+local messageId = ARGV[1]
+local keyPrefix = ARGV[2]
+-- TTL (seconds) applied to counter lazy-init SETs
+local counterTtl = ARGV[3]
+
+-- Lazy-init runningCounter if missing — see releaseConcurrencyTracked for rationale.
+if redis.call('EXISTS', runningCounterKey) == 0 then
+  local total = 0
+  local variants = redis.call('ZRANGE', ckIndexKey, 0, -1)
+  for _, v in ipairs(variants) do
+    total = total + tonumber(redis.call('SCARD', keyPrefix .. v .. ':currentDequeued') or '0')
+  end
+  redis.call('SET', runningCounterKey, total, 'EX', counterTtl)
+end
+
+redis.call('SREM', queueCurrentConcurrencyKey, messageId)
+redis.call('SREM', envCurrentConcurrencyKey, messageId)
+local removedFromDequeued = redis.call('SREM', queueCurrentDequeuedKey, messageId)
+redis.call('SREM', envCurrentDequeuedKey, messageId)
+
+if removedFromDequeued == 1 then
+  if tonumber(redis.call('GET', runningCounterKey) or '0') > 0 then
+    redis.call('DECR', runningCounterKey)
+  end
+end
 `,
     });
   }
@@ -4514,6 +5516,200 @@ declare module "@internal/redis" {
       ckWildcardName: string,
       callback?: Callback<void>
     ): Result<void, Context>;
+
+    // Tracked variants: maintain per-base-queue lengthCounter / runningCounter
+    // for CK queues. See defineCommand bodies for details.
+    enqueueMessageCkTracked(
+      masterQueueKey: string,
+      queue: string,
+      messageKey: string,
+      queueCurrentConcurrencyKey: string,
+      envCurrentConcurrencyKey: string,
+      queueCurrentDequeuedKey: string,
+      envCurrentDequeuedKey: string,
+      envQueueKey: string,
+      ckIndexKey: string,
+      workerQueueKey: string,
+      queueConcurrencyLimitKey: string,
+      envConcurrencyLimitKey: string,
+      envConcurrencyLimitBurstFactorKey: string,
+      lengthCounterKey: string,
+      baseQueueKey: string,
+      queueName: string,
+      messageId: string,
+      messageData: string,
+      messageScore: string,
+      ckWildcardName: string,
+      messageKeyValue: string,
+      defaultEnvConcurrencyLimit: string,
+      defaultEnvConcurrencyBurstFactor: string,
+      currentTime: string,
+      enableFastPath: string,
+      keyPrefix: string,
+      counterTtl: string,
+      callback?: Callback<number>
+    ): Result<number, Context>;
+
+    enqueueMessageWithTtlCkTracked(
+      masterQueueKey: string,
+      queue: string,
+      messageKey: string,
+      queueCurrentConcurrencyKey: string,
+      envCurrentConcurrencyKey: string,
+      queueCurrentDequeuedKey: string,
+      envCurrentDequeuedKey: string,
+      envQueueKey: string,
+      ttlQueueKey: string,
+      ckIndexKey: string,
+      workerQueueKey: string,
+      queueConcurrencyLimitKey: string,
+      envConcurrencyLimitKey: string,
+      envConcurrencyLimitBurstFactorKey: string,
+      lengthCounterKey: string,
+      baseQueueKey: string,
+      queueName: string,
+      messageId: string,
+      messageData: string,
+      messageScore: string,
+      ttlMember: string,
+      ttlScore: string,
+      ckWildcardName: string,
+      messageKeyValue: string,
+      defaultEnvConcurrencyLimit: string,
+      defaultEnvConcurrencyBurstFactor: string,
+      currentTime: string,
+      enableFastPath: string,
+      keyPrefix: string,
+      counterTtl: string,
+      callback?: Callback<number>
+    ): Result<number, Context>;
+
+    dequeueMessagesFromCkQueueTracked(
+      ckIndexKey: string,
+      queueConcurrencyLimitKey: string,
+      envConcurrencyLimitKey: string,
+      envConcurrencyLimitBurstFactorKey: string,
+      envCurrentConcurrencyKey: string,
+      messageKeyPrefix: string,
+      envQueueKey: string,
+      masterQueueKey: string,
+      ttlQueueKey: string,
+      lengthCounterKey: string,
+      ckWildcardName: string,
+      currentTime: string,
+      defaultEnvConcurrencyLimit: string,
+      defaultEnvConcurrencyBurstFactor: string,
+      keyPrefix: string,
+      maxCount: string,
+      callback?: Callback<string[]>
+    ): Result<string[], Context>;
+
+    dequeueMessageFromKeyTracked(
+      messageKey: string,
+      keyPrefix: string,
+      counterTtl: string,
+      callback?: Callback<string | null>
+    ): Result<string | null, Context>;
+
+    acknowledgeMessageCkTracked(
+      masterQueueKey: string,
+      messageKey: string,
+      messageQueue: string,
+      queueCurrentConcurrencyKey: string,
+      envCurrentConcurrencyKey: string,
+      queueCurrentDequeuedKey: string,
+      envCurrentDequeuedKey: string,
+      envQueueKey: string,
+      workerQueueKey: string,
+      ckIndexKey: string,
+      lengthCounterKey: string,
+      runningCounterKey: string,
+      messageId: string,
+      messageQueueName: string,
+      messageKeyValue: string,
+      removeFromWorkerQueue: string,
+      ckWildcardName: string,
+      callback?: Callback<void>
+    ): Result<void, Context>;
+
+    nackMessageCkTracked(
+      masterQueueKey: string,
+      messageKey: string,
+      messageQueue: string,
+      queueCurrentConcurrencyKey: string,
+      envCurrentConcurrencyKey: string,
+      queueCurrentDequeuedKey: string,
+      envCurrentDequeuedKey: string,
+      envQueueKey: string,
+      ckIndexKey: string,
+      lengthCounterKey: string,
+      runningCounterKey: string,
+      messageId: string,
+      messageQueueName: string,
+      messageData: string,
+      messageScore: string,
+      ckWildcardName: string,
+      keyPrefix: string,
+      counterTtl: string,
+      callback?: Callback<void>
+    ): Result<void, Context>;
+
+    moveToDeadLetterQueueCkTracked(
+      masterQueueKey: string,
+      messageKey: string,
+      messageQueue: string,
+      queueCurrentConcurrencyKey: string,
+      envCurrentConcurrencyKey: string,
+      queueCurrentDequeuedKey: string,
+      envCurrentDequeuedKey: string,
+      envQueueKey: string,
+      deadLetterQueueKey: string,
+      ckIndexKey: string,
+      lengthCounterKey: string,
+      runningCounterKey: string,
+      messageId: string,
+      messageQueueName: string,
+      ckWildcardName: string,
+      callback?: Callback<void>
+    ): Result<void, Context>;
+
+    expireTtlRunsTracked(
+      ttlQueueKey: string,
+      keyPrefix: string,
+      currentTime: string,
+      batchSize: string,
+      shardCount: string,
+      workerQueueKey: string,
+      workerItemsKey: string,
+      visibilityTimeoutMs: string,
+      callback?: Callback<string[]>
+    ): Result<string[], Context>;
+
+    releaseConcurrencyTracked(
+      queueCurrentConcurrencyKey: string,
+      envCurrentConcurrencyKey: string,
+      queueCurrentDequeuedKey: string,
+      envCurrentDequeuedKey: string,
+      runningCounterKey: string,
+      ckIndexKey: string,
+      messageId: string,
+      keyPrefix: string,
+      counterTtl: string,
+      callback?: Callback<void>
+    ): Result<void, Context>;
+
+    clearMessageFromConcurrencySetsTracked(
+      queueCurrentConcurrencyKey: string,
+      envCurrentConcurrencyKey: string,
+      queueCurrentDequeuedKey: string,
+      envCurrentDequeuedKey: string,
+      runningCounterKey: string,
+      ckIndexKey: string,
+      messageId: string,
+      keyPrefix: string,
+      counterTtl: string,
+      callback?: Callback<void>
+    ): Result<void, Context>;
   }
 }
 
diff --git a/internal-packages/run-engine/src/run-queue/keyProducer.ts b/internal-packages/run-engine/src/run-queue/keyProducer.ts
index a85dfc393e9..dc6c9e7b77a 100644
--- a/internal-packages/run-engine/src/run-queue/keyProducer.ts
+++ b/internal-packages/run-engine/src/run-queue/keyProducer.ts
@@ -18,6 +18,8 @@ const constants = {
   MASTER_QUEUE_PART: "masterQueue",
   WORKER_QUEUE_PART: "workerQueue",
   CK_INDEX_PART: "ckIndex",
+  LENGTH_COUNTER_PART: "lengthCounter",
+  RUNNING_COUNTER_PART: "runningCounter",
 } as const;
 
 export class RunQueueFullKeyProducer implements RunQueueKeyProducer {
@@ -315,6 +317,22 @@ export class RunQueueFullKeyProducer implements RunQueueKeyProducer {
     return queue.replace(/:ck:.+$/, "");
   }
 
+  queueLengthCounterKey(env: RunQueueKeyProducerEnvironment, queue: string): string {
+    return `${this.queueKey(env, queue)}:${constants.LENGTH_COUNTER_PART}`;
+  }
+
+  queueLengthCounterKeyFromQueue(queue: string): string {
+    return `${this.baseQueueKeyFromQueue(queue)}:${constants.LENGTH_COUNTER_PART}`;
+  }
+
+  queueRunningCounterKey(env: RunQueueKeyProducerEnvironment, queue: string): string {
+    return `${this.queueKey(env, queue)}:${constants.RUNNING_COUNTER_PART}`;
+  }
+
+  queueRunningCounterKeyFromQueue(queue: string): string {
+    return `${this.baseQueueKeyFromQueue(queue)}:${constants.RUNNING_COUNTER_PART}`;
+  }
+
   isCkWildcard(queue: string): boolean {
     return queue.endsWith(":ck:*");
   }
diff --git a/internal-packages/run-engine/src/run-queue/tests/ckCounters.test.ts b/internal-packages/run-engine/src/run-queue/tests/ckCounters.test.ts
new file mode 100644
index 00000000000..23213bfe15c
--- /dev/null
+++ b/internal-packages/run-engine/src/run-queue/tests/ckCounters.test.ts
@@ -0,0 +1,643 @@
+import { redisTest } from "@internal/testcontainers";
+import { trace } from "@internal/tracing";
+import { Logger } from "@trigger.dev/core/logger";
+import { describe } from "vitest";
+import { FairQueueSelectionStrategy } from "../fairQueueSelectionStrategy.js";
+import { RunQueue } from "../index.js";
+import { RunQueueFullKeyProducer } from "../keyProducer.js";
+import { InputPayload } from "../types.js";
+import { Decimal } from "@trigger.dev/database";
+
+// String form of the default counterTtlSeconds (86400). Tracked Lua scripts
+// take TTL as an ARG; tests that invoke the scripts directly pass this.
+const DEFAULT_COUNTER_TTL = "86400";
+
+const testOptions = {
+  name: "rq",
+  tracer: trace.getTracer("rq"),
+  workers: 1,
+  defaultEnvConcurrency: 25,
+  logger: new Logger("RunQueue", "warn"),
+  retryOptions: {
+    maxAttempts: 5,
+    factor: 1.1,
+    minTimeoutInMs: 100,
+    maxTimeoutInMs: 1_000,
+    randomize: true,
+  },
+  keys: new RunQueueFullKeyProducer(),
+};
+
+const authenticatedEnvDev = {
+  id: "e1234",
+  type: "DEVELOPMENT" as const,
+  maximumConcurrencyLimit: 10,
+  concurrencyLimitBurstFactor: new Decimal(2.0),
+  project: { id: "p1234" },
+  organization: { id: "o1234" },
+};
+
+function createQueue(redisContainer: any) {
+  return new RunQueue({
+    ...testOptions,
+    queueSelectionStrategy: new FairQueueSelectionStrategy({
+      redis: {
+        keyPrefix: "runqueue:test:",
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+      },
+      keys: testOptions.keys,
+    }),
+    redis: {
+      keyPrefix: "runqueue:test:",
+      host: redisContainer.getHost(),
+      port: redisContainer.getPort(),
+    },
+  });
+}
+
+function makeMessage(overrides: Partial<InputPayload> = {}): InputPayload {
+  return {
+    runId: "r1",
+    taskIdentifier: "task/my-task",
+    orgId: "o1234",
+    projectId: "p1234",
+    environmentId: "e1234",
+    environmentType: "DEVELOPMENT",
+    queue: "task/my-task",
+    timestamp: Date.now(),
+    attempt: 0,
+    ...overrides,
+  };
+}
+
+vi.setConfig({ testTimeout: 60_000 });
+
+describe("CK base-queue counters", () => {
+  redisTest(
+    "lengthOfQueue returns aggregate across CK variants",
+    async ({ redisContainer }) => {
+      const queue = createQueue(redisContainer);
+      try {
+        const now = Date.now();
+        const messages = [
+          makeMessage({ runId: "r1", concurrencyKey: "ck-a", timestamp: now }),
+          makeMessage({ runId: "r2", concurrencyKey: "ck-a", timestamp: now + 1 }),
+          makeMessage({ runId: "r3", concurrencyKey: "ck-b", timestamp: now + 2 }),
+          makeMessage({ runId: "r4", concurrencyKey: "ck-c", timestamp: now + 3 }),
+        ];
+
+        for (const msg of messages) {
+          await queue.enqueueMessage({
+            env: authenticatedEnvDev,
+            message: msg,
+            workerQueue: authenticatedEnvDev.id,
+            skipDequeueProcessing: true,
+          });
+        }
+
+        // Aggregate (no CK arg) should sum all variants
+        expect(await queue.lengthOfQueue(authenticatedEnvDev, messages[0].queue)).toBe(4);
+
+        // Per-variant still works
+        expect(
+          await queue.lengthOfQueue(authenticatedEnvDev, messages[0].queue, "ck-a")
+        ).toBe(2);
+        expect(
+          await queue.lengthOfQueue(authenticatedEnvDev, messages[0].queue, "ck-b")
+        ).toBe(1);
+
+        // Plural lengthOfQueues should also see the aggregate
+        const lengths = await queue.lengthOfQueues(authenticatedEnvDev, [messages[0].queue]);
+        expect(lengths[messages[0].queue]).toBe(4);
+      } finally {
+        await queue.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "lazy init from pre-existing CK backlog",
+    async ({ redisContainer }) => {
+      const queue = createQueue(redisContainer);
+      try {
+        const now = Date.now();
+        const baseMsg = makeMessage({ runId: "seed", concurrencyKey: "ck-a", timestamp: now });
+
+        // Pre-populate two variants via direct ZADD to simulate pre-deploy backlog
+        // (no counter touched). ioredis auto-prefixes keys with `runqueue:test:`,
+        // so we pass un-prefixed keys.
+        const variantA = testOptions.keys.queueKey(authenticatedEnvDev, baseMsg.queue, "ck-a");
+        const variantB = testOptions.keys.queueKey(authenticatedEnvDev, baseMsg.queue, "ck-b");
+        const ckIndexKey = testOptions.keys.ckIndexKeyFromQueue(variantA);
+        for (let i = 0; i < 10; i++) {
+          await queue.redis.zadd(variantA, now + i, `old-a-${i}`);
+        }
+        for (let i = 0; i < 5; i++) {
+          await queue.redis.zadd(variantB, now + i, `old-b-${i}`);
+        }
+        await queue.redis.zadd(ckIndexKey, now, variantA);
+        await queue.redis.zadd(ckIndexKey, now, variantB);
+
+        // Counter should not yet exist
+        const counterKey = testOptions.keys.queueLengthCounterKeyFromQueue(variantA);
+        expect(await queue.redis.exists(counterKey)).toBe(0);
+
+        // First CK enqueue: lazy init should compute 15 (pre-state), then INCR to 16
+        await queue.enqueueMessage({
+          env: authenticatedEnvDev,
+          message: makeMessage({ runId: "new-a", concurrencyKey: "ck-a", timestamp: now + 100 }),
+          workerQueue: authenticatedEnvDev.id,
+          skipDequeueProcessing: true,
+        });
+
+        const counterVal = await queue.redis.get(counterKey);
+        expect(Number(counterVal)).toBe(16);
+
+        // lengthOfQueue should also reflect 16
+        expect(await queue.lengthOfQueue(authenticatedEnvDev, baseMsg.queue)).toBe(16);
+      } finally {
+        await queue.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "non-CK queue regression: counter never created",
+    async ({ redisContainer }) => {
+      const queue = createQueue(redisContainer);
+      try {
+        for (let i = 0; i < 5; i++) {
+          await queue.enqueueMessage({
+            env: authenticatedEnvDev,
+            message: makeMessage({ runId: `r${i}`, timestamp: Date.now() + i }),
+            workerQueue: authenticatedEnvDev.id,
+            skipDequeueProcessing: true,
+          });
+        }
+
+        // Counter key should not exist for a pure non-CK queue
+        const counterKey = testOptions.keys.queueLengthCounterKey(authenticatedEnvDev, "task/my-task");
+        expect(await queue.redis.exists(counterKey)).toBe(0);
+
+        // But lengthOfQueue still returns 5 via base ZCARD
+        expect(await queue.lengthOfQueue(authenticatedEnvDev, "task/my-task")).toBe(5);
+      } finally {
+        await queue.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "mixed CK + non-CK on same base queue",
+    async ({ redisContainer }) => {
+      const queue = createQueue(redisContainer);
+      try {
+        // 3 non-CK + 2 CK on same base queue name
+        for (let i = 0; i < 3; i++) {
+          await queue.enqueueMessage({
+            env: authenticatedEnvDev,
+            message: makeMessage({ runId: `nonck-${i}`, timestamp: Date.now() + i }),
+            workerQueue: authenticatedEnvDev.id,
+            skipDequeueProcessing: true,
+          });
+        }
+        for (let i = 0; i < 2; i++) {
+          await queue.enqueueMessage({
+            env: authenticatedEnvDev,
+            message: makeMessage({
+              runId: `ck-${i}`,
+              concurrencyKey: "ck-a",
+              timestamp: Date.now() + 100 + i,
+            }),
+            workerQueue: authenticatedEnvDev.id,
+            skipDequeueProcessing: true,
+          });
+        }
+
+        expect(await queue.lengthOfQueue(authenticatedEnvDev, "task/my-task")).toBe(5);
+      } finally {
+        await queue.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "length counter decrements on dequeue",
+    async ({ redisContainer }) => {
+      const queue = createQueue(redisContainer);
+      try {
+        const now = Date.now() - 1000;
+        const msgs = [
+          makeMessage({ runId: "r1", concurrencyKey: "ck-a", timestamp: now }),
+          makeMessage({ runId: "r2", concurrencyKey: "ck-b", timestamp: now + 1 }),
+        ];
+        for (const msg of msgs) {
+          await queue.enqueueMessage({
+            env: authenticatedEnvDev,
+            message: msg,
+            workerQueue: authenticatedEnvDev.id,
+            skipDequeueProcessing: true,
+          });
+        }
+        expect(await queue.lengthOfQueue(authenticatedEnvDev, msgs[0].queue)).toBe(2);
+
+        const shard = testOptions.keys.masterQueueShardForEnvironment(msgs[0].environmentId, 2);
+        await queue.testDequeueFromMasterQueue(shard, msgs[0].environmentId, 10);
+
+        // Both dequeued → counter should be 0
+        expect(await queue.lengthOfQueue(authenticatedEnvDev, msgs[0].queue)).toBe(0);
+      } finally {
+        await queue.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "running counter bumps when dequeueMessageFromKey is called for a CK message",
+    async ({ redisContainer }) => {
+      const queue = createQueue(redisContainer);
+      try {
+        // Seed a message at its expected key and invoke the Tracked variant directly.
+        // This mirrors what dequeueMessageFromWorkerQueue would do once a worker
+        // pulls a message off the worker queue.
+        const msg = makeMessage({ runId: "r1", concurrencyKey: "ck-a" });
+        const queueKey = testOptions.keys.queueKey(authenticatedEnvDev, msg.queue, "ck-a");
+        const messageKey = testOptions.keys.messageKey(msg.orgId, msg.runId);
+        const runningCounterKey =
+          testOptions.keys.queueRunningCounterKeyFromQueue(queueKey);
+
+        await queue.redis.set(
+          messageKey,
+          JSON.stringify({ ...msg, queue: queueKey, version: "2", workerQueue: "wq" })
+        );
+
+        for (let i = 0; i < 3; i++) {
+          await queue.redis.set(
+            testOptions.keys.messageKey(msg.orgId, `r${i}`),
+            JSON.stringify({
+              ...msg,
+              runId: `r${i}`,
+              queue: queueKey,
+              version: "2",
+              workerQueue: "wq",
+            })
+          );
+          await queue.redis.dequeueMessageFromKeyTracked(
+            testOptions.keys.messageKey(msg.orgId, `r${i}`),
+            "runqueue:test:",
+            DEFAULT_COUNTER_TTL
+          );
+        }
+
+        expect(Number(await queue.redis.get(runningCounterKey))).toBe(3);
+
+        const running = await queue.currentConcurrencyOfQueues(authenticatedEnvDev, [
+          msg.queue,
+        ]);
+        expect(running[msg.queue]).toBe(3);
+      } finally {
+        await queue.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "floor-at-zero protects against spurious decrements",
+    async ({ redisContainer }) => {
+      const queue = createQueue(redisContainer);
+      try {
+        const variantA = testOptions.keys.queueKey(
+          authenticatedEnvDev,
+          "task/my-task",
+          "ck-a"
+        );
+        const runningCounterKey = testOptions.keys.queueRunningCounterKeyFromQueue(variantA);
+        await queue.redis.set(runningCounterKey, "0");
+
+        // Call the Tracked release directly with un-prefixed keys (ioredis prepends the prefix)
+        await queue.redis.releaseConcurrencyTracked(
+          testOptions.keys.queueCurrentConcurrencyKeyFromQueue(variantA),
+          testOptions.keys.envCurrentConcurrencyKey(authenticatedEnvDev),
+          testOptions.keys.queueCurrentDequeuedKeyFromQueue(variantA),
+          testOptions.keys.envCurrentDequeuedKey(authenticatedEnvDev),
+          runningCounterKey,
+          testOptions.keys.ckIndexKeyFromQueue(variantA),
+          "phantom-message",
+          "runqueue:test:",
+          DEFAULT_COUNTER_TTL
+        );
+
+        expect(Number(await queue.redis.get(runningCounterKey))).toBe(0);
+      } finally {
+        await queue.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "lengthCounter has 24h TTL after lazy-init",
+    async ({ redisContainer }) => {
+      const queue = createQueue(redisContainer);
+      try {
+        await queue.enqueueMessage({
+          env: authenticatedEnvDev,
+          message: makeMessage({ runId: "r1", concurrencyKey: "ck-a" }),
+          workerQueue: authenticatedEnvDev.id,
+          skipDequeueProcessing: true,
+        });
+
+        const counterKey = testOptions.keys.queueLengthCounterKey(
+          authenticatedEnvDev,
+          "task/my-task"
+        );
+        const ttl = await queue.redis.ttl(counterKey);
+        // Expect roughly 86400; allow only a few seconds of slack for test scheduling.
+        expect(ttl).toBeGreaterThanOrEqual(86390);
+        expect(ttl).toBeLessThanOrEqual(86400);
+      } finally {
+        await queue.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "duplicate CK enqueue (same runId) does not inflate lengthCounter",
+    async ({ redisContainer }) => {
+      const queue = createQueue(redisContainer);
+      try {
+        const msg = makeMessage({ runId: "r1", concurrencyKey: "ck-a" });
+
+        // First enqueue: counter goes 0 -> 1
+        await queue.enqueueMessage({
+          env: authenticatedEnvDev,
+          message: msg,
+          workerQueue: authenticatedEnvDev.id,
+          skipDequeueProcessing: true,
+        });
+
+        // Same runId again: ZADD returns 0 (already in zset), counter must stay at 1
+        await queue.enqueueMessage({
+          env: authenticatedEnvDev,
+          message: msg,
+          workerQueue: authenticatedEnvDev.id,
+          skipDequeueProcessing: true,
+        });
+
+        expect(await queue.lengthOfQueue(authenticatedEnvDev, msg.queue)).toBe(1);
+      } finally {
+        await queue.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "duplicate nack (runId already in variant zset) does not inflate lengthCounter",
+    async ({ redisContainer }) => {
+      const queue = createQueue(redisContainer);
+      try {
+        const msg = makeMessage({ runId: "r1", concurrencyKey: "ck-a" });
+
+        await queue.enqueueMessage({
+          env: authenticatedEnvDev,
+          message: msg,
+          workerQueue: authenticatedEnvDev.id,
+          skipDequeueProcessing: true,
+        });
+        expect(await queue.lengthOfQueue(authenticatedEnvDev, msg.queue)).toBe(1);
+
+        // Nack without dequeuing first — the message is still in the variant zset.
+        // ZADD returns 0 (already present), so lengthCounter must not bump.
+        await queue.nackMessage({
+          orgId: msg.orgId,
+          messageId: msg.runId,
+          skipDequeueProcessing: true,
+          incrementAttemptCount: false,
+        });
+        expect(await queue.lengthOfQueue(authenticatedEnvDev, msg.queue)).toBe(1);
+
+        // A second nack on the same runId must still be a no-op for the counter.
+        await queue.nackMessage({
+          orgId: msg.orgId,
+          messageId: msg.runId,
+          skipDequeueProcessing: true,
+          incrementAttemptCount: false,
+        });
+        expect(await queue.lengthOfQueue(authenticatedEnvDev, msg.queue)).toBe(1);
+      } finally {
+        await queue.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "duplicate dequeueMessageFromKey (same runId) does not inflate runningCounter",
+    async ({ redisContainer }) => {
+      const queue = createQueue(redisContainer);
+      try {
+        const msg = makeMessage({ runId: "r1", concurrencyKey: "ck-a" });
+        const queueKey = testOptions.keys.queueKey(authenticatedEnvDev, msg.queue, "ck-a");
+        const messageKey = testOptions.keys.messageKey(msg.orgId, msg.runId);
+        const runningCounterKey =
+          testOptions.keys.queueRunningCounterKeyFromQueue(queueKey);
+
+        await queue.redis.set(
+          messageKey,
+          JSON.stringify({ ...msg, queue: queueKey, version: "2", workerQueue: "wq" })
+        );
+
+        // First call: SADD returns 1, runningCounter goes 0 -> 1.
+        await queue.redis.dequeueMessageFromKeyTracked(messageKey, "runqueue:test:", DEFAULT_COUNTER_TTL);
+        expect(Number(await queue.redis.get(runningCounterKey))).toBe(1);
+
+        // Second call on the same messageKey: SADD returns 0, runningCounter must stay at 1.
+        await queue.redis.dequeueMessageFromKeyTracked(messageKey, "runqueue:test:", DEFAULT_COUNTER_TTL);
+        expect(Number(await queue.redis.get(runningCounterKey))).toBe(1);
+      } finally {
+        await queue.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "nack lazy-inits lengthCounter when it expired",
+    async ({ redisContainer }) => {
+      const queue = createQueue(redisContainer);
+      try {
+        const msg = makeMessage({ runId: "r1", concurrencyKey: "ck-a" });
+        // Seed three messages on the CK variant so the lazy-init has a non-trivial floor.
+        for (let i = 0; i < 3; i++) {
+          await queue.enqueueMessage({
+            env: authenticatedEnvDev,
+            message: makeMessage({ runId: `seed-${i}`, concurrencyKey: "ck-a" }),
+            workerQueue: authenticatedEnvDev.id,
+            skipDequeueProcessing: true,
+          });
+        }
+
+        // Simulate counter expiry (the 24h TTL kicked in).
+        const counterKey = testOptions.keys.queueLengthCounterKey(
+          authenticatedEnvDev,
+          "task/my-task"
+        );
+        await queue.redis.del(counterKey);
+        expect(await queue.redis.exists(counterKey)).toBe(0);
+
+        // Dequeue one to currentConcurrency so we have something to nack back.
+        const shard = testOptions.keys.masterQueueShardForEnvironment(msg.environmentId, 2);
+        await queue.testDequeueFromMasterQueue(shard, msg.environmentId, 1);
+
+        // Nack a CK message. nackMessageCkTracked should lazy-init the counter
+        // (find 2 already in zset + 1 we're re-queuing) rather than starting from 1.
+        await queue.nackMessage({
+          orgId: msg.orgId,
+          messageId: "seed-0",
+          skipDequeueProcessing: true,
+        });
+
+        // 3 originals, 1 was dequeued (still re-queued by nack), counter should now reflect all 3.
+        const observed = await queue.lengthOfQueue(authenticatedEnvDev, msg.queue);
+        expect(observed).toBe(3);
+      } finally {
+        await queue.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "fast-path-variant dequeue seeds runningCounter without missing its own SCARD",
+    async ({ redisContainer }) => {
+      const queue = createQueue(redisContainer);
+      try {
+        // Simulate: a CK variant has 3 running messages from prior fast-path enqueues
+        // (so the variant zset is empty and ckIndex does NOT include this variant).
+        // Another variant of the same base queue IS in ckIndex with 1 running message.
+        // Counter is missing (post-TTL-expiry). A new dequeue lands on the fast-path
+        // variant. The lazy-init must add the fast-path variant's SCARD even though
+        // it's not in ckIndex.
+        const msg = makeMessage({ runId: "fp-new", concurrencyKey: "ck-fastpath" });
+        const fastVariant = testOptions.keys.queueKey(
+          authenticatedEnvDev,
+          msg.queue,
+          "ck-fastpath"
+        );
+        const otherVariant = testOptions.keys.queueKey(
+          authenticatedEnvDev,
+          msg.queue,
+          "ck-other"
+        );
+        const ckIndexKey = testOptions.keys.ckIndexKeyFromQueue(fastVariant);
+        const runningCounterKey =
+          testOptions.keys.queueRunningCounterKeyFromQueue(fastVariant);
+
+        // Seed 3 prior fast-path runs into the fast variant's currentDequeued (no zset, no ckIndex).
+        for (let i = 0; i < 3; i++) {
+          await queue.redis.sadd(`${fastVariant}:currentDequeued`, `prior-${i}`);
+        }
+
+        // Seed the other variant: 1 zset entry (so it's in ckIndex) + 1 currentDequeued.
+        await queue.redis.zadd(otherVariant, Date.now(), "other-q-1");
+        await queue.redis.zadd(ckIndexKey, Date.now(), otherVariant);
+        await queue.redis.sadd(`${otherVariant}:currentDequeued`, "other-r-1");
+
+        // Counter is intentionally missing — simulates post-TTL state.
+        expect(await queue.redis.exists(runningCounterKey)).toBe(0);
+
+        // New fast-path dequeue lands on the fast variant.
+        const messageKey = testOptions.keys.messageKey(msg.orgId, msg.runId);
+        await queue.redis.set(
+          messageKey,
+          JSON.stringify({ ...msg, queue: fastVariant, version: "2", workerQueue: "wq" })
+        );
+        await queue.redis.dequeueMessageFromKeyTracked(messageKey, "runqueue:test:", DEFAULT_COUNTER_TTL);
+
+        // True running across all variants: 3 (fast prior) + 1 (fast new) + 1 (other) = 5.
+        // Without the ownVariantSeen fix, the seed would miss the fast variant entirely
+        // and counter would end at 1 (other variant SCARD = 1, INCR for new dequeue) — off by 4.
+        const counterVal = Number(await queue.redis.get(runningCounterKey));
+        expect(counterVal).toBe(5);
+      } finally {
+        await queue.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "release lazy-inits runningCounter when missing",
+    async ({ redisContainer }) => {
+      const queue = createQueue(redisContainer);
+      try {
+        const msg = makeMessage({ runId: "r1", concurrencyKey: "ck-a" });
+        const variant = testOptions.keys.queueKey(authenticatedEnvDev, msg.queue, "ck-a");
+        const runningCounterKey = testOptions.keys.queueRunningCounterKeyFromQueue(variant);
+
+        // Enqueue so ckIndex picks up the variant.
+        await queue.enqueueMessage({
+          env: authenticatedEnvDev,
+          message: msg,
+          workerQueue: authenticatedEnvDev.id,
+          skipDequeueProcessing: true,
+        });
+        // Seed two running messages directly into currentDequeued so release has something to remove.
+        await queue.redis.sadd(`${variant}:currentDequeued`, msg.runId);
+        await queue.redis.sadd(`${variant}:currentDequeued`, "r2");
+
+        // Counter is missing — simulates post-TTL state without waiting.
+        expect(await queue.redis.exists(runningCounterKey)).toBe(0);
+
+        // releaseAllConcurrency calls releaseConcurrencyTracked under the hood for CK queues.
+        await queue.releaseAllConcurrency(msg.orgId, msg.runId);
+
+        // Pre-release truth was 2 in flight; after release one remains. Counter should be 1.
+        const counterVal = Number(await queue.redis.get(runningCounterKey));
+        expect(counterVal).toBe(1);
+      } finally {
+        await queue.quit();
+      }
+    }
+  );
+
+  redisTest(
+    "counterTtlSeconds option is honored on lazy-init",
+    async ({ redisContainer }) => {
+      // Build a queue with a short TTL and verify the counter is SET with it.
+      const queue = new RunQueue({
+        ...testOptions,
+        counterTtlSeconds: 60,
+        queueSelectionStrategy: new FairQueueSelectionStrategy({
+          redis: {
+            keyPrefix: "runqueue:test:",
+            host: redisContainer.getHost(),
+            port: redisContainer.getPort(),
+          },
+          keys: testOptions.keys,
+        }),
+        redis: {
+          keyPrefix: "runqueue:test:",
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+        },
+      });
+      try {
+        await queue.enqueueMessage({
+          env: authenticatedEnvDev,
+          message: makeMessage({ runId: "r1", concurrencyKey: "ck-a" }),
+          workerQueue: authenticatedEnvDev.id,
+          skipDequeueProcessing: true,
+        });
+
+        const counterKey = testOptions.keys.queueLengthCounterKey(
+          authenticatedEnvDev,
+          "task/my-task"
+        );
+        const ttl = await queue.redis.ttl(counterKey);
+        // Generous lower bound — CI workers can occasionally stall multiple
+        // seconds between the lazy-init SET and the TTL read.
+        expect(ttl).toBeGreaterThanOrEqual(50);
+        expect(ttl).toBeLessThanOrEqual(60);
+      } finally {
+        await queue.quit();
+      }
+    }
+  );
+});
diff --git a/internal-packages/run-engine/src/run-queue/types.ts b/internal-packages/run-engine/src/run-queue/types.ts
index 1f16ccfa57a..0905f3971de 100644
--- a/internal-packages/run-engine/src/run-queue/types.ts
+++ b/internal-packages/run-engine/src/run-queue/types.ts
@@ -4,7 +4,8 @@ import type { MinimalAuthenticatedEnvironment } from "../shared/index.js";
 
 export const InputPayload = z.object({
   runId: z.string(),
-  taskIdentifier: z.string(),
+  /** Deprecated: not read on the V2 dequeue path; will stop being written in a follow-up. Optional to keep new readers compatible with old payloads that still include it, and vice versa. */
+  taskIdentifier: z.string().optional(),
   orgId: z.string(),
   projectId: z.string(),
   environmentId: z.string(),
@@ -131,6 +132,12 @@ export interface RunQueueKeyProducer {
   baseQueueKeyFromQueue(queue: string): string;
   isCkWildcard(queue: string): boolean;
   toCkWildcard(queue: string): string;
+
+  // Per-base-queue counters for CK queues
+  queueLengthCounterKey(env: RunQueueKeyProducerEnvironment, queue: string): string;
+  queueLengthCounterKeyFromQueue(queue: string): string;
+  queueRunningCounterKey(env: RunQueueKeyProducerEnvironment, queue: string): string;
+  queueRunningCounterKeyFromQueue(queue: string): string;
 }
 
 export type EnvQueues = {
diff --git a/internal-packages/run-engine/src/shared/index.ts b/internal-packages/run-engine/src/shared/index.ts
index e2b36e464e9..30006b20957 100644
--- a/internal-packages/run-engine/src/shared/index.ts
+++ b/internal-packages/run-engine/src/shared/index.ts
@@ -1,21 +1,24 @@
 import type { Attributes } from "@internal/tracing";
-import type { Prisma } from "@trigger.dev/database";
 
-export type AuthenticatedEnvironment = Prisma.RuntimeEnvironmentGetPayload<{
-  include: { project: true; organization: true; orgMember: true };
-}>;
+// Slim, structural shape carried across the auth boundary. Defined in
+// @trigger.dev/core so it's importable from internal packages and the
+// RBAC plugin contract without depending on @trigger.dev/database.
+export type { AuthenticatedEnvironment } from "@trigger.dev/core/v3/auth/environment";
+import type { AuthenticatedEnvironment } from "@trigger.dev/core/v3/auth/environment";
 
+// Run-engine internal type — what enqueue/dequeue/concurrency code
+// actually needs from an env. Independent of `AuthenticatedEnvironment`
+// (the auth-boundary slim type) because internals receive Prisma
+// payloads where `concurrencyLimitBurstFactor` is `Decimal`. Accept
+// both number and a Decimal-like duck type so callers don't need to
+// coerce at every site.
 export type MinimalAuthenticatedEnvironment = {
-  id: AuthenticatedEnvironment["id"];
+  id: string;
   type: AuthenticatedEnvironment["type"];
-  maximumConcurrencyLimit: AuthenticatedEnvironment["maximumConcurrencyLimit"];
-  concurrencyLimitBurstFactor: AuthenticatedEnvironment["concurrencyLimitBurstFactor"];
-  project: {
-    id: AuthenticatedEnvironment["project"]["id"];
-  };
-  organization: {
-    id: AuthenticatedEnvironment["organization"]["id"];
-  };
+  maximumConcurrencyLimit: number;
+  concurrencyLimitBurstFactor: number | { toNumber(): number };
+  project: { id: string };
+  organization: { id: string };
 };
 
 const SemanticEnvResources = {
diff --git a/internal-packages/run-engine/vitest.config.ts b/internal-packages/run-engine/vitest.config.ts
index c364293a434..cb048f00927 100644
--- a/internal-packages/run-engine/vitest.config.ts
+++ b/internal-packages/run-engine/vitest.config.ts
@@ -1,16 +1,15 @@
 import { defineConfig } from "vitest/config";
+import { DurationShardingSequencer } from "@internal/testcontainers/sequencer";
 
 export default defineConfig({
   test: {
+    sequence: { sequencer: DurationShardingSequencer },
     include: ["**/*.test.ts"],
     globals: true,
+    // CI-only: absorbs timing races (real-clock waits vs worker poll interval) under shard CPU contention
+    retry: process.env.CI ? 2 : 0,
     isolate: true,
     fileParallelism: false,
-    poolOptions: {
-      threads: {
-        singleThread: true,
-      },
-    },
     testTimeout: 120_000,
     coverage: {
       provider: "v8",
diff --git a/internal-packages/schedule-engine/src/engine/index.ts b/internal-packages/schedule-engine/src/engine/index.ts
index 4eb641176b2..2c78beccbc8 100644
--- a/internal-packages/schedule-engine/src/engine/index.ts
+++ b/internal-packages/schedule-engine/src/engine/index.ts
@@ -11,7 +11,11 @@ import { Logger } from "@trigger.dev/core/logger";
 import { PrismaClient } from "@trigger.dev/database";
 import { Worker, type JobHandlerParams } from "@trigger.dev/redis-worker";
 import { calculateDistributedExecutionTime } from "./distributedScheduling.js";
-import { calculateNextScheduledTimestamp, nextScheduledTimestamps } from "./scheduleCalculation.js";
+import {
+  calculateNextScheduledTimestamp,
+  nextScheduledTimestamps,
+  previousScheduledTimestamp,
+} from "./scheduleCalculation.js";
 import {
   RegisterScheduleInstanceParams,
   ScheduleEngineOptions,
@@ -171,13 +175,13 @@ export class ScheduleEngine {
           instance.taskSchedule.generatorExpression
         );
 
-        const lastScheduledTimestamp = instance.lastScheduledTimestamp ?? new Date();
-        span.setAttribute("last_scheduled_timestamp", lastScheduledTimestamp.toISOString());
+        const fromTimestamp = params.fromTimestamp ?? new Date();
+        span.setAttribute("from_timestamp", fromTimestamp.toISOString());
 
         const nextScheduledTimestamp = calculateNextScheduledTimestamp(
           instance.taskSchedule.generatorExpression,
           instance.taskSchedule.timezone,
-          lastScheduledTimestamp
+          fromTimestamp
         );
 
         span.setAttribute("next_scheduled_timestamp", nextScheduledTimestamp.toISOString());
@@ -185,7 +189,7 @@ export class ScheduleEngine {
         const schedulingDelayMs = nextScheduledTimestamp.getTime() - Date.now();
         span.setAttribute("scheduling_delay_ms", schedulingDelayMs);
 
-        this.logger.info("Calculated next schedule timestamp", {
+        this.logger.debug("Calculated next schedule timestamp", {
           instanceId: params.instanceId,
           taskIdentifier: instance.taskSchedule.taskIdentifier,
           nextScheduledTimestamp: nextScheduledTimestamp.toISOString(),
@@ -194,17 +198,44 @@ export class ScheduleEngine {
           timezone: instance.taskSchedule.timezone,
         });
 
-        await this.prisma.taskScheduleInstance.update({
-          where: {
-            id: params.instanceId,
-          },
-          data: {
-            nextScheduledTimestamp,
-          },
-        });
+        // Determine the lastScheduleTime to embed in the next worker job's
+        // payload. If the caller passed it explicitly (the after-fire path
+        // does this with the just-fired timestamp, the after-skip path
+        // carries the existing value forward), use that. Otherwise — every
+        // external caller (deploy sync, schedule upsert, recovery) — derive
+        // from the cron expression's previous slot.
+        //
+        // Without this fallback, every deploy / cron edit would clobber the
+        // existing in-flight job's lastScheduleTime with `undefined`, and
+        // the next fire would surface a frozen DB-column value to the
+        // customer (since this PR stops writing that column). Pure cron
+        // math, no DB read on top of the existing instance load — the
+        // recovery loop already pays the cost of loading the instance.
+        let lastScheduleTime = params.lastScheduleTime;
+        if (lastScheduleTime === undefined) {
+          try {
+            const cronPrev = previousScheduledTimestamp(
+              instance.taskSchedule.generatorExpression,
+              instance.taskSchedule.timezone
+            );
+            // Guarded against the cron's previous slot predating the
+            // instance itself — for a brand-new schedule, the slot is from
+            // before the schedule existed, so `undefined` is the honest
+            // answer (preserves the `if (!payload.lastTimestamp)` first-run
+            // sentinel customers rely on).
+            if (cronPrev.getTime() > instance.createdAt.getTime()) {
+              lastScheduleTime = cronPrev;
+            }
+          } catch {
+            // Malformed cron — leave undefined.
+          }
+        }
 
-        // Enqueue the scheduled task
-        await this.enqueueScheduledTask(params.instanceId, nextScheduledTimestamp);
+        await this.enqueueScheduledTask(
+          params.instanceId,
+          nextScheduledTimestamp,
+          lastScheduleTime
+        );
 
         // Record metrics
         this.scheduleRegistrationCounter.add(1, {
@@ -244,6 +275,7 @@ export class ScheduleEngine {
       instanceId: payload.instanceId,
       finalAttempt: false, // TODO: implement retry logic
       exactScheduleTime: payload.exactScheduleTime,
+      lastScheduleTime: payload.lastScheduleTime,
     });
   }
 
@@ -350,14 +382,6 @@ export class ScheduleEngine {
           skipReason = "schedule_inactive";
         }
 
-        if (!instance.nextScheduledTimestamp) {
-          this.logger.debug("No next scheduled timestamp", {
-            instanceId: params.instanceId,
-          });
-          shouldTrigger = false;
-          skipReason = "no_next_timestamp";
-        }
-
         // For development environments, check if there's an active session
         if (instance.environment.type === "DEVELOPMENT") {
           this.devEnvironmentCheckCounter.add(1, {
@@ -396,15 +420,26 @@ export class ScheduleEngine {
         }
 
         // Calculate the schedule timestamp that will be used (regardless of whether we trigger or not)
-        const scheduleTimestamp =
-          params.exactScheduleTime ?? instance.nextScheduledTimestamp ?? new Date();
+        const scheduleTimestamp = params.exactScheduleTime ?? new Date();
 
         if (shouldTrigger) {
+          // payload.lastTimestamp is the actual previous fire time. Sources, in
+          // order:
+          //   1. params.lastScheduleTime — populated by the engine when this
+          //      job was enqueued. Always present for jobs enqueued post-deploy.
+          //   2. instance.lastScheduledTimestamp — backward-compat fallback for
+          //      in-flight Redis jobs enqueued by older engines that didn't
+          //      include lastScheduleTime in the payload. Once those drain
+          //      this fallback never triggers and we can drop the column.
+          //   3. undefined — first-ever fire (no previous fire to point at).
+          const lastTimestamp =
+            params.lastScheduleTime ?? instance.lastScheduledTimestamp ?? undefined;
+
           const payload = {
             scheduleId: instance.taskSchedule.friendlyId,
             type: instance.taskSchedule.type as "DECLARATIVE" | "IMPERATIVE",
             timestamp: scheduleTimestamp,
-            lastTimestamp: instance.lastScheduledTimestamp ?? undefined,
+            lastTimestamp,
             externalId: instance.taskSchedule.externalId ?? undefined,
             timezone: instance.taskSchedule.timezone,
             upcoming: nextScheduledTimestamps(
@@ -422,13 +457,13 @@ export class ScheduleEngine {
           span.setAttribute("scheduling_accuracy_ms", schedulingAccuracyMs);
           span.setAttribute("actual_execution_time", actualExecutionTime.toISOString());
 
-          this.logger.info("Triggering scheduled task", {
+          this.logger.debug("Triggering scheduled task", {
             instanceId: params.instanceId,
             taskIdentifier: instance.taskSchedule.taskIdentifier,
             scheduleTimestamp: scheduleTimestamp.toISOString(),
             actualExecutionTime: actualExecutionTime.toISOString(),
             schedulingAccuracyMs,
-            lastTimestamp: instance.lastScheduledTimestamp?.toISOString(),
+            lastTimestamp: lastTimestamp?.toISOString(),
           });
 
           const triggerStartTime = Date.now();
@@ -473,17 +508,7 @@ export class ScheduleEngine {
             );
           } else if (result) {
             if (result.success) {
-              // Update the last run triggered timestamp
-              await this.prisma.taskSchedule.update({
-                where: {
-                  id: instance.taskSchedule.id,
-                },
-                data: {
-                  lastRunTriggeredAt: new Date(),
-                },
-              });
-
-              this.logger.info("Successfully triggered scheduled task", {
+              this.logger.debug("Successfully triggered scheduled task", {
                 instanceId: params.instanceId,
                 taskIdentifier: instance.taskSchedule.taskIdentifier,
                 durationMs: triggerDuration,
@@ -542,20 +567,23 @@ export class ScheduleEngine {
           });
         }
 
-        // Always update the last scheduled timestamp and register next run
-        await this.prisma.taskScheduleInstance.update({
-          where: {
-            id: params.instanceId,
-          },
-          data: {
-            lastScheduledTimestamp: scheduleTimestamp,
-          },
-        });
+        // Register the next run. `fromTimestamp` advances on every tick so
+        // the next cron slot keeps marching forward even through skips.
+        // `lastScheduleTime` is the actual previous fire time the next job
+        // will report as `payload.lastTimestamp` — only advance it when we
+        // actually triggered, otherwise carry forward the existing value so
+        // a long pause/disconnect doesn't quietly overwrite the real
+        // last-fire timestamp with a series of skipped slots.
+        const carriedLastScheduleTime = shouldTrigger
+          ? scheduleTimestamp
+          : params.lastScheduleTime ?? instance.lastScheduledTimestamp ?? undefined;
 
-        // Register the next run
-        // Rewritten try/catch to use tryCatch utility
         const [nextRunError] = await tryCatch(
-          this.registerNextTaskScheduleInstance({ instanceId: params.instanceId })
+          this.registerNextTaskScheduleInstance({
+            instanceId: params.instanceId,
+            fromTimestamp: scheduleTimestamp,
+            lastScheduleTime: carriedLastScheduleTime,
+          })
         );
         if (nextRunError) {
           this.logger.error("Failed to schedule next run after execution", {
@@ -610,10 +638,17 @@ export class ScheduleEngine {
   /**
    * Enqueues a scheduled task with distributed execution timing
    */
-  private async enqueueScheduledTask(instanceId: string, exactScheduleTime: Date) {
+  private async enqueueScheduledTask(
+    instanceId: string,
+    exactScheduleTime: Date,
+    lastScheduleTime?: Date
+  ) {
     return startSpan(this.tracer, "enqueueScheduledTask", async (span) => {
       span.setAttribute("instanceId", instanceId);
       span.setAttribute("exactScheduleTime", exactScheduleTime.toISOString());
+      if (lastScheduleTime) {
+        span.setAttribute("lastScheduleTime", lastScheduleTime.toISOString());
+      }
 
       const distributedExecutionTime = calculateDistributedExecutionTime(
         exactScheduleTime,
@@ -646,6 +681,7 @@ export class ScheduleEngine {
           payload: {
             instanceId,
             exactScheduleTime,
+            lastScheduleTime,
           },
           availableAt: distributedExecutionTime,
         });
@@ -694,12 +730,12 @@ export class ScheduleEngine {
         select: {
           id: true,
           generatorExpression: true,
+          timezone: true,
           instances: {
             select: {
               id: true,
               environmentId: true,
-              lastScheduledTimestamp: true,
-              nextScheduledTimestamp: true,
+              createdAt: true,
             },
           },
         },
@@ -733,7 +769,7 @@ export class ScheduleEngine {
       } as { recovered: string[]; skipped: string[] };
 
       for (const { instance, schedule } of instancesWithSchedule) {
-        this.logger.info("Recovering schedule", {
+        this.logger.debug("Recovering schedule", {
           schedule,
           instance,
         });
@@ -774,16 +810,15 @@ export class ScheduleEngine {
     instance: {
       id: string;
       environmentId: string;
-      lastScheduledTimestamp: Date | null;
-      nextScheduledTimestamp: Date | null;
+      createdAt: Date;
     };
-    schedule: { id: string; generatorExpression: string };
+    schedule: { id: string; generatorExpression: string; timezone: string | null };
   }) {
     // inspect the schedule worker to see if there is a job for this instance
     const job = await this.worker.getJob(`scheduled-task-instance:${instance.id}`);
 
     if (job) {
-      this.logger.info("Job already exists for instance", {
+      this.logger.debug("Job already exists for instance", {
         instanceId: instance.id,
         job,
         schedule,
@@ -792,12 +827,15 @@ export class ScheduleEngine {
       return "skipped";
     }
 
-    this.logger.info("No job found for instance, registering next run", {
+    this.logger.debug("No job found for instance, registering next run", {
       instanceId: instance.id,
       schedule,
     });
 
-    // If the job does not exist, register the next run
+    // No `lastScheduleTime` passed — `registerNextTaskScheduleInstance`
+    // will derive it from the cron's previous slot (with a createdAt
+    // guard) so the post-recovery fire reports an accurate
+    // `payload.lastTimestamp`.
     await this.registerNextTaskScheduleInstance({ instanceId: instance.id });
 
     return "recovered";
diff --git a/internal-packages/schedule-engine/src/engine/scheduleCalculation.ts b/internal-packages/schedule-engine/src/engine/scheduleCalculation.ts
index e5564187060..140ea4e285f 100644
--- a/internal-packages/schedule-engine/src/engine/scheduleCalculation.ts
+++ b/internal-packages/schedule-engine/src/engine/scheduleCalculation.ts
@@ -29,6 +29,26 @@ function calculateNextStep(schedule: string, timezone: string | null, currentDat
     .toDate();
 }
 
+/**
+ * Cron's previous slot relative to `fromTimestamp`. For a continuously-
+ * running schedule this equals the actual last fire time; for paused or
+ * DST-edge cases it's an approximation. Used only on the recovery path
+ * where the actual last fire isn't recoverable from in-flight worker state.
+ */
+export function previousScheduledTimestamp(
+  cron: string,
+  timezone: string | null,
+  fromTimestamp: Date = new Date()
+) {
+  return parseExpression(cron, {
+    currentDate: fromTimestamp,
+    utc: timezone === null,
+    tz: timezone ?? undefined,
+  })
+    .prev()
+    .toDate();
+}
+
 export function nextScheduledTimestamps(
   cron: string,
   timezone: string | null,
diff --git a/internal-packages/schedule-engine/src/engine/types.ts b/internal-packages/schedule-engine/src/engine/types.ts
index f4888c447ae..f323e13909b 100644
--- a/internal-packages/schedule-engine/src/engine/types.ts
+++ b/internal-packages/schedule-engine/src/engine/types.ts
@@ -74,8 +74,22 @@ export interface TriggerScheduleParams {
   instanceId: string;
   finalAttempt: boolean;
   exactScheduleTime?: Date;
+  lastScheduleTime?: Date;
 }
 
 export interface RegisterScheduleInstanceParams {
   instanceId: string;
+  /**
+   * Anchor for computing the next cron slot. Defaults to now() when omitted.
+   * This advances on every tick (fired or skipped) so the next slot keeps
+   * marching forward regardless of skip reasons.
+   */
+  fromTimestamp?: Date;
+  /**
+   * The actual previous fire time to embed in the next worker job's payload,
+   * which becomes that job's `payload.lastTimestamp` on dequeue. Distinct
+   * from `fromTimestamp` so that skipped ticks (inactive schedule, dev env
+   * disconnected, etc.) do NOT advance this — only real fires do.
+   */
+  lastScheduleTime?: Date;
 }
diff --git a/internal-packages/schedule-engine/src/engine/workerCatalog.ts b/internal-packages/schedule-engine/src/engine/workerCatalog.ts
index ee634c6fb54..c960f458f88 100644
--- a/internal-packages/schedule-engine/src/engine/workerCatalog.ts
+++ b/internal-packages/schedule-engine/src/engine/workerCatalog.ts
@@ -5,6 +5,11 @@ export const scheduleWorkerCatalog = {
     schema: z.object({
       instanceId: z.string(),
       exactScheduleTime: z.coerce.date(),
+      // Optional for backward compat with in-flight jobs enqueued by older
+      // engines. After deploy, every newly-enqueued job populates this with
+      // the just-fired schedule time so the next dequeue can report
+      // payload.lastTimestamp accurately without a DB round-trip.
+      lastScheduleTime: z.coerce.date().optional(),
     }),
     visibilityTimeoutMs: 60_000,
     retry: {
diff --git a/internal-packages/schedule-engine/test/scheduleEngine.test.ts b/internal-packages/schedule-engine/test/scheduleEngine.test.ts
index 99bac0936df..c261697dacc 100644
--- a/internal-packages/schedule-engine/test/scheduleEngine.test.ts
+++ b/internal-packages/schedule-engine/test/scheduleEngine.test.ts
@@ -98,30 +98,13 @@ describe("ScheduleEngine Integration", () => {
           },
         });
 
-        // Calculate the expected next execution time (next minute boundary)
-        const now = new Date();
-        const expectedExecutionTime = new Date(now);
-        expectedExecutionTime.setMinutes(now.getMinutes() + 1, 0, 0); // Next minute, 0 seconds, 0 milliseconds
-
-        // Calculate the expected upcoming execution times (next 10 minutes after the first execution)
-        const expectedUpcoming = [];
-        for (let i = 1; i <= 10; i++) {
-          const upcoming = new Date(expectedExecutionTime);
-          upcoming.setMinutes(expectedExecutionTime.getMinutes() + i);
-          expectedUpcoming.push(upcoming);
-        }
-
-        // Manually enqueue the first scheduled task to kick off the lifecycle
+        // Manually enqueue the first scheduled task to kick off the lifecycle.
+        // Anchor expectations to the first observed `exactScheduleTime` rather
+        // than a precomputed wall-clock value — registration that happens to
+        // straddle a minute boundary used to flake tests asserting against a
+        // pre-baked "next minute".
         await engine.registerNextTaskScheduleInstance({ instanceId: scheduleInstance.id });
 
-        // Get the actual nextScheduledTimestamp that was calculated by the engine
-        const instanceAfterRegistration = await prisma.taskScheduleInstance.findFirst({
-          where: { id: scheduleInstance.id },
-        });
-        const actualNextExecution = instanceAfterRegistration?.nextScheduledTimestamp;
-        expect(actualNextExecution).toBeDefined();
-        expect(actualNextExecution).toEqual(expectedExecutionTime);
-
         // Wait for the first execution
         console.log("Waiting for first execution...");
         const startTime = Date.now();
@@ -181,6 +164,17 @@ describe("ScheduleEngine Integration", () => {
           }
         }
 
+        // Anchor all expectations to what the engine actually fired with, so
+        // the test stays deterministic regardless of when within a minute it
+        // started.
+        const firstScheduledTime = firstExecution.params.exactScheduleTime;
+        const secondScheduledTime = secondExecution.params.exactScheduleTime;
+        expect(firstScheduledTime).toBeDefined();
+        expect(secondScheduledTime).toBeDefined();
+
+        // Each cron slot for "* * * * *" is exactly 60s apart.
+        expect(secondScheduledTime!.getTime() - firstScheduledTime!.getTime()).toBe(60_000);
+
         // Verify the first execution parameters
         expect(firstExecution.params).toEqual({
           taskIdentifier: "test-task",
@@ -201,64 +195,44 @@ describe("ScheduleEngine Integration", () => {
           payload: {
             scheduleId: "sched_abc123",
             type: "DECLARATIVE",
-            timestamp: actualNextExecution,
-            lastTimestamp: undefined, // First run has no lastTimestamp
+            timestamp: firstScheduledTime,
+            // First-ever fire: no `lastScheduleTime` carried in the worker
+            // payload and `instance.lastScheduledTimestamp` is null on a
+            // fresh instance, so lastTimestamp is undefined. This preserves
+            // the `if (!payload.lastTimestamp)` first-run sentinel customers
+            // rely on.
+            lastTimestamp: undefined,
             externalId: "ext-123",
             timezone: "UTC",
             upcoming: expect.arrayContaining([expect.any(Date)]),
           },
           scheduleInstanceId: scheduleInstance.id,
           scheduleId: taskSchedule.id,
-          exactScheduleTime: actualNextExecution,
+          exactScheduleTime: firstScheduledTime,
         });
 
         // Verify the second execution parameters
-        if (actualNextExecution) {
-          const expectedSecondExecution = new Date(actualNextExecution);
-          expectedSecondExecution.setMinutes(actualNextExecution.getMinutes() + 1);
-
-          expect(secondExecution.params).toEqual({
-            taskIdentifier: "test-task",
-            environment: expect.objectContaining({
-              id: environment.id,
-              type: "PRODUCTION",
-            }),
-            payload: {
-              scheduleId: "sched_abc123",
-              type: "DECLARATIVE",
-              timestamp: expectedSecondExecution,
-              lastTimestamp: actualNextExecution, // Second run should have the first execution time as lastTimestamp
-              externalId: "ext-123",
-              timezone: "UTC",
-              upcoming: expect.arrayContaining([expect.any(Date)]),
-            },
-            scheduleInstanceId: scheduleInstance.id,
-            scheduleId: taskSchedule.id,
-            exactScheduleTime: expectedSecondExecution,
-          });
-        }
-
-        // Verify database updates occurred after both executions
-        const updatedSchedule = await prisma.taskSchedule.findFirst({
-          where: { id: taskSchedule.id },
-        });
-        expect(updatedSchedule?.lastRunTriggeredAt).toBeTruthy();
-        expect(updatedSchedule?.lastRunTriggeredAt).toBeInstanceOf(Date);
-
-        const finalInstance = await prisma.taskScheduleInstance.findFirst({
-          where: { id: scheduleInstance.id },
+        expect(secondExecution.params).toEqual({
+          taskIdentifier: "test-task",
+          environment: expect.objectContaining({
+            id: environment.id,
+            type: "PRODUCTION",
+          }),
+          payload: {
+            scheduleId: "sched_abc123",
+            type: "DECLARATIVE",
+            timestamp: secondScheduledTime,
+            // The previous fire's exactScheduleTime is carried through the
+            // worker payload as `lastScheduleTime` and surfaced here.
+            lastTimestamp: firstScheduledTime,
+            externalId: "ext-123",
+            timezone: "UTC",
+            upcoming: expect.arrayContaining([expect.any(Date)]),
+          },
+          scheduleInstanceId: scheduleInstance.id,
+          scheduleId: taskSchedule.id,
+          exactScheduleTime: secondScheduledTime,
         });
-
-        // After two executions, lastScheduledTimestamp should be the second execution time
-        if (actualNextExecution && secondExecution.params.exactScheduleTime) {
-          const secondExecutionTime = secondExecution.params.exactScheduleTime;
-          expect(finalInstance?.lastScheduledTimestamp).toEqual(secondExecutionTime);
-
-          // The next scheduled timestamp should be 1 minute after the second execution
-          const expectedThirdExecution = new Date(secondExecutionTime);
-          expectedThirdExecution.setMinutes(secondExecutionTime.getMinutes() + 1);
-          expect(finalInstance?.nextScheduledTimestamp).toEqual(expectedThirdExecution);
-        }
       } finally {
         // Clean up: stop the worker
         await engine.quit();
diff --git a/internal-packages/schedule-engine/test/scheduleEngine2.test.ts b/internal-packages/schedule-engine/test/scheduleEngine2.test.ts
new file mode 100644
index 00000000000..64936a89152
--- /dev/null
+++ b/internal-packages/schedule-engine/test/scheduleEngine2.test.ts
@@ -0,0 +1,112 @@
+import { containerTest } from "@internal/testcontainers";
+import { trace } from "@internal/tracing";
+import { setTimeout } from "timers/promises";
+import { describe, expect, vi } from "vitest";
+import { TriggerScheduledTaskParams } from "../src/engine/types.js";
+import { ScheduleEngine } from "../src/index.js";
+
+describe("ScheduleEngine Integration (part 2)", () => {
+  // Deploy-moment backward compatibility. At deploy time, in-flight Redis jobs
+  // were enqueued by the old engine — their payload has no `lastScheduleTime`
+  // field — and `instance.lastScheduledTimestamp` is still populated (last
+  // written by the old engine pre-deploy). The new engine must report that DB
+  // value as `payload.lastTimestamp` so customers don't see a transient
+  // `undefined` for the one fire per schedule that drains the legacy queue.
+  containerTest(
+    "should fall back to instance.lastScheduledTimestamp when payload lacks lastScheduleTime",
+    { timeout: 30_000 },
+    async ({ prisma, redisOptions }) => {
+      const triggerCalls: TriggerScheduledTaskParams[] = [];
+      const engine = new ScheduleEngine({
+        prisma,
+        redis: redisOptions,
+        distributionWindow: { seconds: 10 },
+        worker: {
+          concurrency: 1,
+          disabled: true, // Don't actually run the worker — calling triggerScheduledTask directly
+          pollIntervalMs: 1000,
+        },
+        tracer: trace.getTracer("test", "0.0.0"),
+        onTriggerScheduledTask: async (params) => {
+          triggerCalls.push(params);
+          return { success: true };
+        },
+        isDevEnvironmentConnectedHandler: vi.fn().mockResolvedValue(true),
+      });
+
+      try {
+        const organization = await prisma.organization.create({
+          data: { title: "Legacy Payload Org", slug: "legacy-payload-org" },
+        });
+
+        const project = await prisma.project.create({
+          data: {
+            name: "Legacy Payload Project",
+            slug: "legacy-payload-project",
+            externalRef: "legacy-payload-ref",
+            organizationId: organization.id,
+          },
+        });
+
+        const environment = await prisma.runtimeEnvironment.create({
+          data: {
+            slug: "legacy-payload-env",
+            type: "PRODUCTION",
+            projectId: project.id,
+            organizationId: organization.id,
+            apiKey: "tr_legacy_1234",
+            pkApiKey: "pk_legacy_1234",
+            shortcode: "legacy-short",
+          },
+        });
+
+        const taskSchedule = await prisma.taskSchedule.create({
+          data: {
+            friendlyId: "sched_legacy_payload",
+            taskIdentifier: "legacy-payload-task",
+            projectId: project.id,
+            deduplicationKey: "legacy-payload-dedup",
+            userProvidedDeduplicationKey: false,
+            generatorExpression: "*/5 * * * *",
+            generatorDescription: "Every 5 minutes",
+            timezone: "UTC",
+            type: "DECLARATIVE",
+            active: true,
+            externalId: "legacy-ext",
+          },
+        });
+
+        // Pre-populate lastScheduledTimestamp on the instance — simulates the
+        // value the old engine wrote to the DB before this PR deployed.
+        const preDeployLastFire = new Date("2026-04-30T10:00:00.000Z");
+        const scheduleInstance = await prisma.taskScheduleInstance.create({
+          data: {
+            taskScheduleId: taskSchedule.id,
+            environmentId: environment.id,
+            projectId: project.id,
+            active: true,
+            lastScheduledTimestamp: preDeployLastFire,
+          },
+        });
+
+        // Call triggerScheduledTask directly without lastScheduleTime,
+        // simulating an in-flight Redis job enqueued by the old engine.
+        const exactScheduleTime = new Date("2026-04-30T10:05:00.000Z");
+        await engine.triggerScheduledTask({
+          instanceId: scheduleInstance.id,
+          finalAttempt: false,
+          exactScheduleTime,
+          // lastScheduleTime intentionally omitted — legacy payload shape
+        });
+
+        expect(triggerCalls.length).toBe(1);
+        expect(triggerCalls[0].payload.timestamp).toEqual(exactScheduleTime);
+        // Falls back to instance.lastScheduledTimestamp from the DB rather
+        // than reporting undefined for this one transitional fire.
+        expect(triggerCalls[0].payload.lastTimestamp).toEqual(preDeployLastFire);
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
+});
diff --git a/internal-packages/schedule-engine/test/scheduleRecovery.test.ts b/internal-packages/schedule-engine/test/scheduleRecovery.test.ts
index 99a3351aed7..40ce4b1bba6 100644
--- a/internal-packages/schedule-engine/test/scheduleRecovery.test.ts
+++ b/internal-packages/schedule-engine/test/scheduleRecovery.test.ts
@@ -93,18 +93,14 @@ describe("Schedule Recovery", () => {
         // Perform recovery
         await engine.recoverSchedulesInEnvironment(project.id, environment.id);
 
-        // Verify that a job was created
+        // Verify that a job was created. The engine no longer persists
+        // nextScheduledTimestamp; correctness is now determined entirely by the
+        // job sitting in the worker queue.
         const jobAfterRecovery = await engine.getJob(
           `scheduled-task-instance:${scheduleInstance.id}`
         );
         expect(jobAfterRecovery).not.toBeNull();
         expect(jobAfterRecovery?.job).toBe("schedule.triggerScheduledTask");
-
-        // Verify the instance was updated with next scheduled timestamp
-        const updatedInstance = await prisma.taskScheduleInstance.findFirst({
-          where: { id: scheduleInstance.id },
-        });
-        expect(updatedInstance?.nextScheduledTimestamp).toBeDefined();
       } finally {
         await engine.quit();
       }
@@ -313,20 +309,14 @@ describe("Schedule Recovery", () => {
         // Perform recovery
         await engine.recoverSchedulesInEnvironment(project.id, environment.id);
 
-        // Verify that jobs were created for all instances
+        // Verify that jobs were created for all instances. The engine no longer
+        // persists nextScheduledTimestamp — the worker-queue presence is the
+        // source of truth.
         for (const instance of instances) {
           const job = await engine.getJob(`scheduled-task-instance:${instance.id}`);
           expect(job).not.toBeNull();
           expect(job?.job).toBe("schedule.triggerScheduledTask");
         }
-
-        // Verify all instances were updated
-        for (const instance of instances) {
-          const updatedInstance = await prisma.taskScheduleInstance.findFirst({
-            where: { id: instance.id },
-          });
-          expect(updatedInstance?.nextScheduledTimestamp).toBeDefined();
-        }
       } finally {
         await engine.quit();
       }
@@ -396,4 +386,194 @@ describe("Schedule Recovery", () => {
       }
     }
   );
+
+  // External-caller backward-compat. Deploy sync (`syncDeclarativeSchedules`)
+  // and schedule upsert both call `registerNextTaskScheduleInstance` with no
+  // `lastScheduleTime`. They run on every app deploy and on every cron edit.
+  // For an existing-and-firing schedule, the call must NOT clobber the
+  // worker payload's `lastScheduleTime` with `undefined` — otherwise the
+  // next fire would surface a stale frozen DB-column value to the customer
+  // (since this PR stops writing that column). The function must derive a
+  // sensible `lastScheduleTime` from the cron expression's previous slot
+  // when the caller doesn't pass one.
+  containerTest(
+    "should derive lastScheduleTime from cron when external callers omit it",
+    { timeout: 30_000 },
+    async ({ prisma, redisOptions }) => {
+      const engine = new ScheduleEngine({
+        prisma,
+        redis: redisOptions,
+        distributionWindow: { seconds: 10 },
+        worker: { concurrency: 1, disabled: true, pollIntervalMs: 1000 },
+        tracer: trace.getTracer("test", "0.0.0"),
+        onTriggerScheduledTask: async () => ({ success: true }),
+        isDevEnvironmentConnectedHandler: vi.fn().mockResolvedValue(true),
+      });
+
+      try {
+        const organization = await prisma.organization.create({
+          data: { title: "External Caller Org", slug: "external-caller-org" },
+        });
+        const project = await prisma.project.create({
+          data: {
+            name: "External Caller Project",
+            slug: "external-caller-project",
+            externalRef: "external-caller-ref",
+            organizationId: organization.id,
+          },
+        });
+        const environment = await prisma.runtimeEnvironment.create({
+          data: {
+            slug: "external-caller-env",
+            type: "PRODUCTION",
+            projectId: project.id,
+            organizationId: organization.id,
+            apiKey: "tr_external_1234",
+            pkApiKey: "pk_external_1234",
+            shortcode: "external-short",
+          },
+        });
+        const taskSchedule = await prisma.taskSchedule.create({
+          data: {
+            friendlyId: "sched_external_caller",
+            taskIdentifier: "external-caller-task",
+            projectId: project.id,
+            deduplicationKey: "external-caller-dedup",
+            userProvidedDeduplicationKey: false,
+            generatorExpression: "*/5 * * * *",
+            generatorDescription: "Every 5 minutes",
+            timezone: "UTC",
+            type: "DECLARATIVE",
+            active: true,
+          },
+        });
+
+        // Backdate the instance so the cron's previous slot postdates
+        // createdAt — this simulates a long-running schedule, the case
+        // Devin flagged (deploy clobbers lastScheduleTime, post-deploy fire
+        // would otherwise read from a frozen DB column).
+        const longAgo = new Date(Date.now() - 24 * 60 * 60 * 1000);
+        const scheduleInstance = await prisma.taskScheduleInstance.create({
+          data: {
+            taskScheduleId: taskSchedule.id,
+            environmentId: environment.id,
+            projectId: project.id,
+            active: true,
+          },
+        });
+        await prisma.taskScheduleInstance.update({
+          where: { id: scheduleInstance.id },
+          data: { createdAt: longAgo },
+        });
+
+        // External-caller pattern — no lastScheduleTime.
+        await engine.registerNextTaskScheduleInstance({
+          instanceId: scheduleInstance.id,
+        });
+
+        const job = await engine.getJob(`scheduled-task-instance:${scheduleInstance.id}`);
+        expect(job).not.toBeNull();
+        // The function should have derived lastScheduleTime from cron,
+        // putting a real timestamp into the worker payload rather than
+        // undefined. The Redis worker stores payloads as JSON, so the value
+        // is a string when read back here — Zod re-coerces it to Date on
+        // dequeue (workerCatalog uses `z.coerce.date()`).
+        const enqueuedLastScheduleTime = (job?.item as { lastScheduleTime?: string })
+          .lastScheduleTime;
+        expect(enqueuedLastScheduleTime).toBeDefined();
+        const derived = new Date(enqueuedLastScheduleTime!);
+        // The derived value should match the cron's previous slot — for
+        // `*/5 * * * *`, a 5-minute boundary in the recent past.
+        expect(derived.getTime()).toBeLessThan(Date.now());
+        expect(derived.getUTCSeconds()).toBe(0);
+        expect(derived.getUTCMinutes() % 5).toBe(0);
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
+
+  // Brand-new schedules must NOT receive a cron-derived lastScheduleTime —
+  // the cron's previous slot predates the instance, so it's not a real
+  // previous fire. The first-run sentinel (`if (!payload.lastTimestamp)`)
+  // must keep working.
+  containerTest(
+    "should leave lastScheduleTime undefined for brand-new schedules",
+    { timeout: 30_000 },
+    async ({ prisma, redisOptions }) => {
+      const engine = new ScheduleEngine({
+        prisma,
+        redis: redisOptions,
+        distributionWindow: { seconds: 10 },
+        worker: { concurrency: 1, disabled: true, pollIntervalMs: 1000 },
+        tracer: trace.getTracer("test", "0.0.0"),
+        onTriggerScheduledTask: async () => ({ success: true }),
+        isDevEnvironmentConnectedHandler: vi.fn().mockResolvedValue(true),
+      });
+
+      try {
+        const organization = await prisma.organization.create({
+          data: { title: "Brand New Org", slug: "brand-new-org" },
+        });
+        const project = await prisma.project.create({
+          data: {
+            name: "Brand New Project",
+            slug: "brand-new-project",
+            externalRef: "brand-new-ref",
+            organizationId: organization.id,
+          },
+        });
+        const environment = await prisma.runtimeEnvironment.create({
+          data: {
+            slug: "brand-new-env",
+            type: "PRODUCTION",
+            projectId: project.id,
+            organizationId: organization.id,
+            apiKey: "tr_brandnew_1234",
+            pkApiKey: "pk_brandnew_1234",
+            shortcode: "brandnew-short",
+          },
+        });
+        const taskSchedule = await prisma.taskSchedule.create({
+          data: {
+            friendlyId: "sched_brand_new",
+            taskIdentifier: "brand-new-task",
+            projectId: project.id,
+            deduplicationKey: "brand-new-dedup",
+            userProvidedDeduplicationKey: false,
+            // Hourly cron — the previous slot is plausibly minutes-to-an-hour
+            // ago, comfortably predating an instance just created.
+            generatorExpression: "0 * * * *",
+            generatorDescription: "Hourly",
+            timezone: "UTC",
+            type: "DECLARATIVE",
+            active: true,
+          },
+        });
+        const scheduleInstance = await prisma.taskScheduleInstance.create({
+          data: {
+            taskScheduleId: taskSchedule.id,
+            environmentId: environment.id,
+            projectId: project.id,
+            active: true,
+          },
+        });
+
+        await engine.registerNextTaskScheduleInstance({
+          instanceId: scheduleInstance.id,
+        });
+
+        const job = await engine.getJob(`scheduled-task-instance:${scheduleInstance.id}`);
+        expect(job).not.toBeNull();
+        const enqueuedLastScheduleTime = (job?.item as { lastScheduleTime?: Date }).lastScheduleTime;
+        // Brand-new schedule: cron's previous slot predates instance.createdAt,
+        // so the function leaves lastScheduleTime undefined — the first fire
+        // will report `payload.lastTimestamp: undefined` and customer first-run
+        // sentinel patterns keep working.
+        expect(enqueuedLastScheduleTime).toBeUndefined();
+      } finally {
+        await engine.quit();
+      }
+    }
+  );
 });
diff --git a/internal-packages/schedule-engine/vitest.config.ts b/internal-packages/schedule-engine/vitest.config.ts
index cce9bda5415..8f9b6a01a9a 100644
--- a/internal-packages/schedule-engine/vitest.config.ts
+++ b/internal-packages/schedule-engine/vitest.config.ts
@@ -1,8 +1,12 @@
 import { defineConfig } from "vitest/config";
+import { DurationShardingSequencer } from "@internal/testcontainers/sequencer";
 
 export default defineConfig({
   test: {
+    sequence: { sequencer: DurationShardingSequencer },
     globals: true,
+    // CI-only: absorbs timing races (real-clock waits vs worker poll interval) under shard CPU contention
+    retry: process.env.CI ? 2 : 0,
     environment: "node",
     setupFiles: ["./test/setup.ts"],
     testTimeout: 30000,
diff --git a/internal-packages/sdk-compat-tests/package.json b/internal-packages/sdk-compat-tests/package.json
index e903e69f3f1..445569c957e 100644
--- a/internal-packages/sdk-compat-tests/package.json
+++ b/internal-packages/sdk-compat-tests/package.json
@@ -15,6 +15,6 @@
     "esbuild": "^0.24.0",
     "execa": "^9.3.0",
     "typescript": "^5.5.0",
-    "vitest": "3.1.4"
+    "vitest": "4.1.7"
   }
 }
diff --git a/internal-packages/sdk-compat-tests/tsconfig.json b/internal-packages/sdk-compat-tests/tsconfig.json
index 05afb6f355a..1ae515e98f9 100644
--- a/internal-packages/sdk-compat-tests/tsconfig.json
+++ b/internal-packages/sdk-compat-tests/tsconfig.json
@@ -9,7 +9,7 @@
     "declaration": false,
     "outDir": "dist",
     "rootDir": "src",
-    "types": ["vitest/globals"]
+    "types": ["vitest/globals", "node"]
   },
   "include": ["src/**/*.ts"],
   "exclude": ["node_modules", "dist", "src/fixtures"]
diff --git a/internal-packages/testcontainers/README.md b/internal-packages/testcontainers/README.md
index 51c2240d6c9..8f74b1137f3 100644
--- a/internal-packages/testcontainers/README.md
+++ b/internal-packages/testcontainers/README.md
@@ -1,3 +1,78 @@
-# Test container
+# Test containers
 
-This is package exposes some useful vitest utilities for writing tests with Postgres, Prisma, and Redis.
+Vitest utilities for writing tests against real Postgres, Prisma, Redis and ClickHouse - we don't mock
+(see the root `CLAUDE.md`), we boot containers. Also exposes a duration-weighted shard sequencer for
+splitting slow suites across CI shards.
+
+## Choosing a fixture
+
+Most tests share one set of containers per vitest worker (booted once, reset between tests) - this is
+much faster than a container per test. Reach for an isolated variant only when a test needs it.
+
+| Fixture                          | Postgres       | Redis    | ClickHouse | Use for                                 |
+| -------------------------------- | -------------- | -------- | ---------- | --------------------------------------- |
+| `redisTest`                      | -              | shared   | -          | redis-only tests                        |
+| `postgresTest`                   | shared (clone) | -        | -          | db-only tests                           |
+| `containerTest`                  | shared (clone) | shared   | shared     | the default - needs all three           |
+| `isolatedRedisTest`              | -              | per-test | -          | background redis work (see below)       |
+| `containerTestWithIsolatedRedis` | shared (clone) | per-test | shared     | background redis work + db/clickhouse   |
+| `replicationContainerTest`       | per-test       | per-test | shared     | Postgres→ClickHouse logical replication |
+
+"shared (clone)" = one Postgres per worker with a template database; each test gets a fast `CREATE
+DATABASE ... TEMPLATE` clone, so schema isn't re-pushed per test.
+
+### The background-work gotcha
+
+If a test spawns work that **outlives the test body** - a `RunEngine`, a `redis-worker` Worker, a
+`BatchQueue` - and that work isn't fully drained before the test ends, you **must** use an isolated
+redis fixture (`isolatedRedisTest` / `containerTestWithIsolatedRedis`).
+
+On the shared fixture, the leaked background loop keeps polling the one worker-scoped redis after the
+test's clients close, bleeding into the next test. The symptom is an intermittent `"Connection is
+closed"` error or a test that hangs until its timeout. `FLUSHALL` between tests does **not** fix this -
+it clears data, not live connections/loops, so per-test key prefixes won't help either. A plain
+db/redis test with no lingering background work is fine on the shared fixtures.
+
+## Sharding (`./sequencer`)
+
+CI splits the slow suites with `vitest --shard=i/N`. `DurationShardingSequencer` replaces vitest's
+default file-count split with a duration-weighted one: it reads `test-timings.json` at the repo root
+(`{ "<repo-relative path>": <ms> }`) and greedily bin-packs files so each shard does roughly equal
+_work_, not an equal _number of files_. The packing is deterministic, so every shard computes the same
+bins and runs each file exactly once.
+
+Configs opt in via:
+
+```ts
+import { DurationShardingSequencer } from "@internal/testcontainers/sequencer";
+// in defineConfig:
+test: {
+  sequence: {
+    sequencer: DurationShardingSequencer,
+  },
+}
+```
+
+### Adding tests - nothing to do
+
+New test files are discovered by vitest's glob and sharded automatically. A file with no entry in
+`test-timings.json` is given the **median** duration as a fallback, so it's still placed on exactly one
+shard - correctness never depends on the timings being present or current.
+
+What the timings affect is **balance**. A new heavy test estimated at the median can be under-weighted
+and land on an already-full shard, making that shard slower. There's headroom between the current
+makespan and the CI budget to absorb this, so it tolerates drift - but if a shard creeps toward the
+budget, refresh the timings.
+
+### Refreshing `test-timings.json`
+
+Measure each shard with the JSON reporter and write per-file `endTime - startTime` (ms), keyed by
+repo-relative path, back into `test-timings.json`. Set `GITHUB_ACTIONS=true` so suites that
+`skipIf(CI)` are excluded, matching what actually runs on CI:
+
+```bash
+GITHUB_ACTIONS=true pnpm exec vitest run --reporter=json --outputFile=/tmp/run.json
+```
+
+Stale entries for deleted/renamed files are harmless (they're simply ignored). This is a periodic
+chore, not a per-PR one.
diff --git a/internal-packages/testcontainers/TESTING.md b/internal-packages/testcontainers/TESTING.md
new file mode 100644
index 00000000000..8ca6c335789
--- /dev/null
+++ b/internal-packages/testcontainers/TESTING.md
@@ -0,0 +1,60 @@
+# Fast local testing loop
+
+These tests use real Docker containers (Postgres, ClickHouse, Redis, Electric, MinIO) via testcontainers - never mocks. This guide is the fast inner loop for working on them.
+
+## Prerequisites
+
+- **Docker daemon running.** That's it - testcontainers boots its own containers. You do **not** need `pnpm run docker` (that compose stack is for running the app, and is separate).
+
+## The loop
+
+```bash
+# 1. Build upstream deps once (turbo-caches them; only re-runs when a dep changes)
+pnpm run build --filter @internal/run-engine
+
+# 2. Iterate by running vitest DIRECTLY in the package - not via `turbo run test`
+cd internal-packages/run-engine
+pnpm exec vitest run src/engine/tests/ttl.test.ts        # one file
+pnpm exec vitest src/engine/tests/ttl.test.ts            # watch mode, tightest loop
+pnpm exec vitest run src/engine/tests/ --reporter=verbose # per-test timings
+```
+
+> **Why run vitest directly, not `turbo run test`?** The `test` turbo task is cacheable
+> (`outputs: []`). A second `turbo run test` with no input change replays the cached
+> result in ~0ms instead of executing - useless when you're measuring timing. Run vitest
+> directly (or `turbo run test --force`) so tests actually run.
+
+## Measuring container boot/teardown vs test time
+
+Container lifecycle (boot + migrate + teardown) dominates these suites. To see the split:
+
+```bash
+# JSON timing lines are gated on TESTCONTAINERS_TIMING locally (always on in CI),
+# and need --disableConsoleIntercept so vitest doesn't swallow them.
+TESTCONTAINERS_TIMING=1 pnpm exec vitest run <file> --disableConsoleIntercept
+```
+
+## Approximating the 2-core CI runner locally (flake repro)
+
+To reproduce CI-like CPU pressure on a beefy local machine - useful when a test only flakes under
+the 2-core CI runner:
+
+```bash
+# cap each testcontainer's CPU/mem (TESTCONTAINERS_CPU = cores, TESTCONTAINERS_MEMORY_GB = GB),
+# and pin the test runner to 2 cores. Off unless the env vars are set.
+TESTCONTAINERS_CPU=2 TESTCONTAINERS_MEMORY_GB=2 taskset -c 0,1 pnpm exec vitest run <file>
+```
+
+Note: in practice the scoped tests here are latency/IO/sleep-bound, not CPU-bound, so this changes
+timings little - the original CI slowness was per-test container _boots_, which worker-scoping removed.
+Keep it for the cases that genuinely starve on CPU (e.g. timing races against a worker poll).
+
+## Timing harness
+
+Or use the harness, which aggregates the split for you:
+
+```bash
+node internal-packages/testcontainers/scripts/measure-test-timing.mjs \
+  src/client/client.test.ts --cwd internal-packages/clickhouse --runs 3
+# -> run 1/3  passed=true  wall=10.58s  teardown=0.67s ...
+```
diff --git a/internal-packages/testcontainers/package.json b/internal-packages/testcontainers/package.json
index 3a2cee6d746..b3ab7ce5dc4 100644
--- a/internal-packages/testcontainers/package.json
+++ b/internal-packages/testcontainers/package.json
@@ -4,21 +4,29 @@
   "version": "0.0.1",
   "main": "./src/index.ts",
   "types": "./src/index.ts",
+  "exports": {
+    ".": "./src/index.ts",
+    "./webapp": "./src/webapp.ts",
+    "./sequencer": {
+      "types": "./src/sequencer.d.cts",
+      "default": "./src/sequencer.cjs"
+    }
+  },
   "dependencies": {
     "@clickhouse/client": "^1.11.1",
-    "@opentelemetry/api": "^1.9.0",
+    "@opentelemetry/api": "^1.9.1",
     "@trigger.dev/database": "workspace:*",
-    "ioredis": "^5.3.2"
+    "ioredis": "~5.6.0"
   },
   "devDependencies": {
-    "@testcontainers/postgresql": "^10.28.0",
-    "@testcontainers/redis": "^10.28.0",
+    "@testcontainers/postgresql": "^11.14.0",
+    "@testcontainers/redis": "^11.14.0",
     "@trigger.dev/core": "workspace:*",
     "std-env": "^3.9.0",
-    "testcontainers": "^10.28.0",
+    "testcontainers": "^11.14.0",
     "tinyexec": "^0.3.0"
   },
   "scripts": {
     "typecheck": "tsc --noEmit"
   }
-}
\ No newline at end of file
+}
diff --git a/internal-packages/testcontainers/scripts/measure-test-timing.mjs b/internal-packages/testcontainers/scripts/measure-test-timing.mjs
new file mode 100644
index 00000000000..fd71a2b93a3
--- /dev/null
+++ b/internal-packages/testcontainers/scripts/measure-test-timing.mjs
@@ -0,0 +1,76 @@
+#!/usr/bin/env node
+// Measure testcontainers boot/teardown vs test time for a single test file.
+//
+// Usage (from any package dir, or pass --cwd):
+//   node <path>/measure-test-timing.mjs <testFile> [--cwd <packageDir>] [--runs N]
+//
+// Relies on the TESTCONTAINERS_TIMING log gate in src/logs.ts and runs vitest with
+// --disableConsoleIntercept so the JSON timing lines reach stdout.
+
+import { spawn } from "node:child_process";
+
+const args = process.argv.slice(2);
+const testFile = args.find((a) => !a.startsWith("--"));
+const cwd = valueOf("--cwd") ?? process.cwd();
+const runs = Number(valueOf("--runs") ?? "1");
+
+function valueOf(flag) {
+  const i = args.indexOf(flag);
+  return i >= 0 ? args[i + 1] : undefined;
+}
+
+if (!testFile) {
+  console.error("usage: measure-test-timing.mjs <testFile> [--cwd dir] [--runs N]");
+  process.exit(1);
+}
+
+function runOnce() {
+  return new Promise((resolve) => {
+    const child = spawn("pnpm", ["exec", "vitest", "run", testFile, "--disableConsoleIntercept"], {
+      cwd,
+      env: { ...process.env, TESTCONTAINERS_TIMING: "1" },
+    });
+
+    let out = "";
+    const collect = (buf) => (out += buf.toString());
+    child.stdout.on("data", collect);
+    child.stderr.on("data", collect);
+
+    child.on("close", () => {
+      const cleanups = [];
+      let duration = null;
+      for (const line of out.split("\n")) {
+        const trimmed = line.trim();
+        if (trimmed.startsWith("{")) {
+          try {
+            const ev = JSON.parse(trimmed);
+            if (ev.type === "cleanup") cleanups.push(ev);
+          } catch {}
+        }
+        const m = trimmed.match(/Duration\s+([\d.]+)s/);
+        if (m) duration = Number(m[1]);
+      }
+      resolve({ cleanups, duration, passed: /Tests\s+\d+ passed/.test(out) });
+    });
+  });
+}
+
+for (let i = 0; i < runs; i++) {
+  const { cleanups, duration, passed } = await runOnce();
+  const byResource = {};
+  for (const c of cleanups) {
+    const key = c.resource.split(":")[0];
+    byResource[key] ??= { totalMs: 0, count: 0 };
+    byResource[key].totalMs += c.durationMs ?? 0;
+    byResource[key].count += 1;
+  }
+  const teardownMs = Object.values(byResource).reduce((a, r) => a + r.totalMs, 0);
+  console.log(
+    `\nrun ${i + 1}/${runs}  passed=${passed}  wall=${duration}s  teardown=${(
+      teardownMs / 1000
+    ).toFixed(2)}s`
+  );
+  for (const [res, r] of Object.entries(byResource)) {
+    console.log(`  teardown ${res}: ${(r.totalMs / 1000).toFixed(2)}s over ${r.count}`);
+  }
+}
diff --git a/internal-packages/testcontainers/src/clickhouse.ts b/internal-packages/testcontainers/src/clickhouse.ts
index 577111af3d5..1bd7f758e02 100644
--- a/internal-packages/testcontainers/src/clickhouse.ts
+++ b/internal-packages/testcontainers/src/clickhouse.ts
@@ -144,6 +144,24 @@ export class StartedClickHouseContainer extends AbstractStartedContainer {
   }
 }
 
+/**
+ * Resets data between tests on a reused ClickHouse container by truncating every base table
+ * (MergeTree etc.) in the migrated database. Views/materialized views are skipped - their target
+ * tables are base tables and get truncated too, which clears MV state. Cheaper than dropping +
+ * re-migrating, and these migrations aren't version-tracked so they can't simply be re-run.
+ */
+export async function truncateClickhouseTables(client: ClickHouseClient, database = "trigger_dev") {
+  const result = await client.query({
+    query: `SELECT name FROM system.tables WHERE database = '${database}' AND engine NOT LIKE '%View%'`,
+    format: "JSONEachRow",
+  });
+  const tables = await result.json<{ name: string }>();
+
+  for (const { name } of tables) {
+    await client.command({ query: `TRUNCATE TABLE \`${database}\`.\`${name}\`` });
+  }
+}
+
 export async function runClickhouseMigrations(client: ClickHouseClient, migrationsPath: string) {
   // Get all the *.sql files in the migrations path
   const queries = await getAllClickhouseMigrationQueries(migrationsPath);
diff --git a/internal-packages/testcontainers/src/index.ts b/internal-packages/testcontainers/src/index.ts
index e9c8067de4c..4927c162fe0 100644
--- a/internal-packages/testcontainers/src/index.ts
+++ b/internal-packages/testcontainers/src/index.ts
@@ -1,24 +1,32 @@
-import { StartedPostgreSqlContainer } from "@testcontainers/postgresql";
+import { PostgreSqlContainer, StartedPostgreSqlContainer } from "@testcontainers/postgresql";
 import { StartedRedisContainer } from "@testcontainers/redis";
 import { PrismaClient } from "@trigger.dev/database";
-import { RedisOptions } from "ioredis";
+import Redis, { RedisOptions } from "ioredis";
 import { Network, type StartedNetwork } from "testcontainers";
-import { TaskContext, test } from "vitest";
+import { TestContext, test } from "vitest";
 import {
   createClickHouseContainer,
   createElectricContainer,
   createPostgresContainer,
   createRedisContainer,
-  createMinIOContainer,
+  postgresUriWithDatabase,
+  pushDatabaseSchema,
   useContainer,
+  withCiResourceLimits,
   withContainerSetup,
 } from "./utils";
 import { getTaskMetadata, logCleanup, logSetup } from "./logs";
-import { StartedClickHouseContainer } from "./clickhouse";
-import { StartedMinIOContainer, type MinIOConnectionConfig } from "./minio";
+import path from "path";
+import {
+  ClickHouseContainer,
+  StartedClickHouseContainer,
+  runClickhouseMigrations,
+  truncateClickhouseTables,
+} from "./clickhouse";
+import { MinIOContainer, StartedMinIOContainer, type MinIOConnectionConfig } from "./minio";
 import { ClickHouseClient, createClient } from "@clickhouse/client";
 
-export { assertNonNullable } from "./utils";
+export { assertNonNullable, createPostgresContainer } from "./utils";
 export { logCleanup };
 export type { MinIOConnectionConfig };
 
@@ -58,7 +66,7 @@ export type {
 
 type Use<T> = (value: T) => Promise<void>;
 
-export const network = async ({ task }: TaskContext, use: Use<StartedNetwork>) => {
+export const network = async ({ task }: TestContext, use: Use<StartedNetwork>) => {
   const testName = task.name;
 
   logSetup("network: starting", { testName });
@@ -85,7 +93,7 @@ export const network = async ({ task }: TaskContext, use: Use<StartedNetwork>) =
 };
 
 export const postgresContainer = async (
-  { network, task }: { network: StartedNetwork } & TaskContext,
+  { network, task }: { network: StartedNetwork } & TestContext,
   use: Use<StartedPostgreSqlContainer>
 ) => {
   const { container, metadata } = await withContainerSetup({
@@ -98,7 +106,7 @@ export const postgresContainer = async (
 };
 
 export const prisma = async (
-  { postgresContainer, task }: { postgresContainer: StartedPostgreSqlContainer } & TaskContext,
+  { postgresContainer, task }: { postgresContainer: StartedPostgreSqlContainer } & TestContext,
   use: Use<PrismaClient>
 ) => {
   const testName = task.name;
@@ -120,10 +128,149 @@ export const prisma = async (
   }
 };
 
-export const postgresTest = test.extend<PostgresContext>({ network, postgresContainer, prisma });
+const POSTGRES_TEMPLATE_DB = "template_db";
+let pgCloneCounter = 0;
+
+type PostgresTestContext = {
+  postgresContainer: StartedPostgreSqlContainer;
+  prisma: PrismaClient;
+};
+
+// --- Worker-scoped + per-test-isolated fixtures (shared by the standalone *Test and containerTest) ---
+// The pattern: boot each container ONCE per worker; isolate per test cheaply (postgres = template
+// clone, redis = FLUSHALL, clickhouse = TRUNCATE) instead of re-booting. Reset fixtures are `auto`
+// so they run for every test even if it doesn't destructure them.
+
+// Boot postgres ONCE per worker (module singleton, reaped by Ryuk on worker exit) and push the
+// schema into a dedicated template db that nothing else connects to (so CREATE DATABASE ... TEMPLATE
+// never trips on an active session).
+let workerPostgresContainer: Promise<StartedPostgreSqlContainer> | undefined;
+const getWorkerPostgresContainer = () => {
+  if (!workerPostgresContainer) {
+    workerPostgresContainer = (async () => {
+      const container = await withCiResourceLimits(new PostgreSqlContainer("docker.io/postgres:14"))
+        .withCommand(["-c", "listen_addresses=*", "-c", "wal_level=logical"])
+        .start();
+      // Create the template db explicitly via an admin connection (the same primitive the per-test
+      // clone uses) instead of relying on `prisma db push` to create a missing database. That
+      // create-if-missing path behaves differently on CI and - because push errors were swallowed -
+      // surfaced only later as a confusing "template database template_db does not exist" at clone
+      // time. Pushing into an already-existing db is the path the pre-worker-scope code always used.
+      const admin = new PrismaClient({
+        datasources: {
+          db: { url: postgresUriWithDatabase(container.getConnectionUri(), "postgres") },
+        },
+      });
+      await admin.$executeRawUnsafe(`CREATE DATABASE "${POSTGRES_TEMPLATE_DB}"`);
+      await admin.$disconnect();
+      await pushDatabaseSchema(
+        postgresUriWithDatabase(container.getConnectionUri(), POSTGRES_TEMPLATE_DB)
+      );
+      return container;
+    })();
+  }
+  return workerPostgresContainer;
+};
+
+// Per test: clone a fresh database from the template (fast filesystem copy), then hand back a view
+// of the shared container whose connection points at the clone. This keeps prisma AND any code that
+// reads postgresContainer.getConnectionUri()/getDatabase() (e.g. logical replication) on the SAME
+// isolated database - and it's parallel-ready (each test owns its db).
+const clonedPostgresContainer = async ({}, use: Use<StartedPostgreSqlContainer>) => {
+  const container = await getWorkerPostgresContainer();
+  const baseUri = container.getConnectionUri();
+  const cloneDb = `test_${pgCloneCounter++}`;
+
+  await createDatabaseFromTemplate(baseUri, cloneDb);
+
+  const cloneUri = postgresUriWithDatabase(baseUri, cloneDb);
+  const view = new Proxy(container, {
+    get(target, prop, receiver) {
+      if (prop === "getConnectionUri") return () => cloneUri;
+      if (prop === "getDatabase") return () => cloneDb;
+      const value = Reflect.get(target, prop, receiver);
+      return typeof value === "function" ? value.bind(target) : value;
+    },
+  });
+
+  try {
+    await use(view);
+  } finally {
+    await dropCloneDatabase(baseUri, cloneDb);
+  }
+};
+
+const createDatabaseFromTemplate = async (baseUri: string, cloneDb: string) => {
+  const admin = new PrismaClient({
+    datasources: { db: { url: postgresUriWithDatabase(baseUri, "postgres") } },
+  });
+  try {
+    await admin.$executeRawUnsafe(
+      `CREATE DATABASE "${cloneDb}" TEMPLATE "${POSTGRES_TEMPLATE_DB}"`
+    );
+  } finally {
+    await admin.$disconnect();
+  }
+};
+
+// Best-effort drop so clones don't pile up in the worker's pg over a long suite. WITH (FORCE)
+// terminates any lingering backends (pg 13+). A failed drop is harmless - the whole container is
+// reaped on worker exit - so we never let cleanup fail the test.
+const dropCloneDatabase = async (baseUri: string, cloneDb: string) => {
+  const cleanup = new PrismaClient({
+    datasources: { db: { url: postgresUriWithDatabase(baseUri, "postgres") } },
+  });
+  try {
+    await cleanup.$executeRawUnsafe(`DROP DATABASE IF EXISTS "${cloneDb}" WITH (FORCE)`);
+  } catch {
+    // ignore - reaped with the container anyway
+  } finally {
+    await cleanup.$disconnect();
+  }
+};
+
+// A second migrated-but-empty database on the same worker postgres, cloned from the schema
+// template. For tests that need to simulate a read replica that hasn't caught up: schema
+// present, rows absent. Lazy - only booted when a test destructures it.
+const schemaOnlyPrismaFixture = async ({}: {}, use: Use<PrismaClient>) => {
+  const container = await getWorkerPostgresContainer();
+  const baseUri = container.getConnectionUri();
+  const cloneDb = `schema_only_${pgCloneCounter++}`;
+
+  await createDatabaseFromTemplate(baseUri, cloneDb);
+
+  const prisma = new PrismaClient({
+    datasources: { db: { url: postgresUriWithDatabase(baseUri, cloneDb) } },
+  });
+  try {
+    await use(prisma);
+  } finally {
+    await logCleanup("schemaOnlyPrisma", prisma.$disconnect());
+    await dropCloneDatabase(baseUri, cloneDb);
+  }
+};
+
+const prismaFromContainer = async (
+  { postgresContainer }: { postgresContainer: StartedPostgreSqlContainer },
+  use: Use<PrismaClient>
+) => {
+  const prisma = new PrismaClient({
+    datasources: { db: { url: postgresContainer.getConnectionUri() } },
+  });
+  try {
+    await use(prisma);
+  } finally {
+    await logCleanup("prisma", prisma.$disconnect());
+  }
+};
+
+export const postgresTest = test.extend<PostgresTestContext>({
+  postgresContainer: clonedPostgresContainer,
+  prisma: prismaFromContainer,
+});
 
 export const redisContainer = async (
-  { network, task }: { network: StartedNetwork } & TaskContext,
+  { network, task }: { network: StartedNetwork } & TestContext,
   use: Use<StartedRedisContainer>
 ) => {
   const { container, metadata } = await withContainerSetup({
@@ -173,14 +320,65 @@ export const redisOptions = async (
   await use(options);
 };
 
-export const redisTest = test.extend<RedisContext>({ network, redisContainer, redisOptions });
+// Worker-scoped redis: booted once per worker, FLUSHALL per test. Big win for redis-heavy files
+// (buffer.test.ts: 88 boots -> 1). Safe ONLY for tests that don't leave background redis work
+// (a Worker loop, BatchQueue) running past the test body - use isolatedRedisTest for those.
+const bootWorkerRedis = async ({}, use: Use<StartedRedisContainer>) => {
+  const { container } = await createRedisContainer({ port: 6379 });
+  try {
+    await use(container);
+  } finally {
+    await container.stop({ timeout: 0 });
+  }
+};
+
+const flushRedis = async (
+  { redisContainer }: { redisContainer: StartedRedisContainer },
+  use: Use<void>
+) => {
+  const redis = new Redis({
+    host: redisContainer.getHost(),
+    port: redisContainer.getPort(),
+    password: redisContainer.getPassword(),
+    maxRetriesPerRequest: 3,
+  });
+  try {
+    await redis.flushall();
+  } finally {
+    redis.disconnect();
+  }
+  await use();
+};
+
+type RedisTestContext = {
+  redisContainer: StartedRedisContainer;
+  resetRedis: void;
+  redisOptions: RedisOptions;
+};
+
+// Worker-scoped redis (boots once, FLUSHALL between tests). Use isolatedRedisTest for tests that run
+// background redis work (redis-worker Workers, BatchQueue) past the test body - see its note + README.
+export const redisTest = test.extend<RedisTestContext>({
+  redisContainer: [bootWorkerRedis, { scope: "worker" }],
+  resetRedis: [flushRedis, { auto: true }],
+  redisOptions,
+});
+
+// Per-test redis for tests with background redis work (redis-worker Workers, BatchQueue) that can
+// outlive the test body - a shared redis would let leaked work hit a closed connection / next test
+// ("Connection is closed"). Boot is kept fast (see createRedisContainer).
+export const isolatedRedisTest = test.extend<RedisContext>({
+  network,
+  redisContainer,
+  redisOptions,
+});
 
 const electricOrigin = async (
   {
     postgresContainer,
     network,
     task,
-  }: { postgresContainer: StartedPostgreSqlContainer; network: StartedNetwork } & TaskContext,
+  }: { postgresContainer: StartedPostgreSqlContainer; network: StartedNetwork } & TestContext,
   use: Use<string>
 ) => {
   const { origin, container, metadata } = await withContainerSetup({
@@ -193,7 +391,7 @@ const electricOrigin = async (
 };
 
 const clickhouseContainer = async (
-  { network, task }: { network: StartedNetwork } & TaskContext,
+  { network, task }: { network: StartedNetwork } & TestContext,
   use: Use<StartedClickHouseContainer>
 ) => {
   const { container, metadata } = await withContainerSetup({
@@ -206,7 +404,7 @@ const clickhouseContainer = async (
 };
 
 const clickhouseClient = async (
-  { clickhouseContainer, task }: { clickhouseContainer: StartedClickHouseContainer } & TaskContext,
+  { clickhouseContainer, task }: { clickhouseContainer: StartedClickHouseContainer } & TestContext,
   use: Use<ClickHouseClient>
 ) => {
   const testName = task.name;
@@ -225,12 +423,60 @@ type ClickhouseContext = {
   clickhouseClient: ClickHouseClient;
 };
 
-export const clickhouseTest = test.extend<ClickhouseContext>({
-  network,
-  clickhouseContainer,
-  clickhouseClient,
+const clickhouseMigrationsPath = path.resolve(__dirname, "../../clickhouse/schema");
+
+type ClickhouseTestContext = {
+  clickhouseContainer: StartedClickHouseContainer;
+  resetClickhouse: void;
+  clickhouseClient: ClickHouseClient;
+};
+
+// Boot + migrate clickhouse once per worker.
+const bootWorkerClickhouse = async ({}, use: Use<StartedClickHouseContainer>) => {
+  const container = await withCiResourceLimits(new ClickHouseContainer()).start();
+  const client = createClient({ url: container.getConnectionUrl() });
+  await client.ping();
+  await runClickhouseMigrations(client, clickhouseMigrationsPath);
+  await client.close();
+  try {
+    await use(container);
+  } finally {
+    await container.stop({ timeout: 0 });
+  }
+};
+
+// Per test: truncate all tables on the shared clickhouse (auto fixture so it runs for every test).
+const truncateClickhouseFixture = async (
+  { clickhouseContainer }: { clickhouseContainer: StartedClickHouseContainer },
+  use: Use<void>
+) => {
+  const client = createClient({ url: clickhouseContainer.getConnectionUrl() });
+  await truncateClickhouseTables(client);
+  await client.close();
+  await use();
+};
+
+const scopedClickhouseClient = async (
+  { clickhouseContainer }: { clickhouseContainer: StartedClickHouseContainer },
+  use: Use<ClickHouseClient>
+) => {
+  const client = createClient({ url: clickhouseContainer.getConnectionUrl() });
+  try {
+    await use(client);
+  } finally {
+    await logCleanup("clickhouseClient", client.close());
+  }
+};
+
+export const clickhouseTest = test.extend<ClickhouseTestContext>({
+  clickhouseContainer: [bootWorkerClickhouse, { scope: "worker" }],
+  resetClickhouse: [truncateClickhouseFixture, { auto: true }],
+  clickhouseClient: scopedClickhouseClient,
 });
 
+// NOTE: per-test containers (not worker-scoped) - the replication package does logical replication
+// (slots/publications/REPLICA IDENTITY), which doesn't play nicely with a shared container +
+// template-clone. A dedicated container per test is the correct, isolated choice here.
 export const postgresAndRedisTest = test.extend<PostgresAndRedisContext>({
   network,
   postgresContainer,
@@ -239,14 +485,102 @@ export const postgresAndRedisTest = test.extend<PostgresAndRedisContext>({
   redisOptions,
 });
 
-export const containerTest = test.extend<ContainerContext>({
+type ContainerTestContext = {
+  postgresContainer: StartedPostgreSqlContainer;
+  prisma: PrismaClient;
+  schemaOnlyPrisma: PrismaClient;
+  redisContainer: StartedRedisContainer;
+  resetRedis: void;
+  redisOptions: RedisOptions;
+  clickhouseContainer: StartedClickHouseContainer;
+  resetClickhouse: void;
+  clickhouseClient: ClickHouseClient;
+};
+
+// The workhorse fixture (~36 files). Postgres (template-clone), Redis (FLUSHALL) and ClickHouse
+// (truncate) all boot once per worker - no per-test container boots. Use containerTestWithIsolatedRedis
+// for tests that run background redis work (BatchQueue, redis-worker Workers) past the test body.
+export const containerTest = test.extend<ContainerTestContext>({
+  postgresContainer: clonedPostgresContainer,
+  prisma: prismaFromContainer,
+  schemaOnlyPrisma: schemaOnlyPrismaFixture,
+  redisContainer: [bootWorkerRedis, { scope: "worker" }],
+  resetRedis: [flushRedis, { auto: true }],
+  redisOptions,
+  clickhouseContainer: [bootWorkerClickhouse, { scope: "worker" }],
+  resetClickhouse: [truncateClickhouseFixture, { auto: true }],
+  clickhouseClient: scopedClickhouseClient,
+});
+
+type ContainerWithIsolatedRedisContext = {
+  network: StartedNetwork;
+  postgresContainer: StartedPostgreSqlContainer;
+  prisma: PrismaClient;
+  redisContainer: StartedRedisContainer;
+  redisOptions: RedisOptions;
+  clickhouseContainer: StartedClickHouseContainer;
+  resetClickhouse: void;
+  clickhouseClient: ClickHouseClient;
+};
+
+// Same as containerTest but Redis is PER-TEST - for tests whose background redis work (BatchQueue,
+// Workers) outlives the test body and would otherwise hit a closed/shared connection.
+export const containerTestWithIsolatedRedis = test.extend<ContainerWithIsolatedRedisContext>({
+  network,
+  postgresContainer: clonedPostgresContainer,
+  prisma: prismaFromContainer,
+  redisContainer,
+  redisOptions,
+  clickhouseContainer: [bootWorkerClickhouse, { scope: "worker" }],
+  resetClickhouse: [truncateClickhouseFixture, { auto: true }],
+  clickhouseClient: scopedClickhouseClient,
+});
+
+type ContainerWithIsolatedRedisNoClickhouseContext = {
+  network: StartedNetwork;
+  postgresContainer: StartedPostgreSqlContainer;
+  prisma: PrismaClient;
+  redisContainer: StartedRedisContainer;
+  redisOptions: RedisOptions;
+};
+
+// Like containerTestWithIsolatedRedis (template-clone Postgres + per-test Redis) but with no
+// ClickHouse - for suites that touch Postgres + Redis but never ClickHouse, avoiding its boot+migrate.
+export const containerTestWithIsolatedRedisNoClickhouse =
+  test.extend<ContainerWithIsolatedRedisNoClickhouseContext>({
+    network,
+    postgresContainer: clonedPostgresContainer,
+    prisma: prismaFromContainer,
+    redisContainer,
+    redisOptions,
+  });
+
+// For tests that exercise the Postgres -> ClickHouse logical-replication pipeline (WAL slots,
+// publications, REPLICA IDENTITY). These need a dedicated Postgres per test - the worker-scoped +
+// template-clone model used by containerTest doesn't carry logical replication across cloned dbs.
+// Postgres is per-test (the WAL slot/publication lives in the db it writes to); ClickHouse is
+// worker-scoped + truncated (the pipeline writes pg->clickhouse and a shared+truncated clickhouse is
+// fine). Redis is per-test too (background work safety, same as containerTest).
+type ReplicationContainerTestContext = {
+  network: StartedNetwork;
+  postgresContainer: StartedPostgreSqlContainer;
+  prisma: PrismaClient;
+  redisContainer: StartedRedisContainer;
+  redisOptions: RedisOptions;
+  clickhouseContainer: StartedClickHouseContainer;
+  resetClickhouse: void;
+  clickhouseClient: ClickHouseClient;
+};
+
+export const replicationContainerTest = test.extend<ReplicationContainerTestContext>({
   network,
   postgresContainer,
   prisma,
   redisContainer,
   redisOptions,
-  clickhouseContainer,
-  clickhouseClient,
+  clickhouseContainer: [bootWorkerClickhouse, { scope: "worker" }],
+  resetClickhouse: [truncateClickhouseFixture, { auto: true }],
+  clickhouseClient: scopedClickhouseClient,
 });
 
 export const containerWithElectricTest = test.extend<ContainerWithElectricContext>({
@@ -267,17 +601,22 @@ export const containerWithElectricAndRedisTest = test.extend<ContainerWithElectr
   clickhouseClient,
 });
 
-const minioContainer = async (
-  { network, task }: { network: StartedNetwork } & TaskContext,
-  use: Use<StartedMinIOContainer>
-) => {
-  const { container, metadata } = await withContainerSetup({
-    name: "minioContainer",
-    task,
-    setup: createMinIOContainer(network),
-  });
+// Boot minio once per worker; reset the bucket per test (auto fixture).
+const bootWorkerMinio = async ({}, use: Use<StartedMinIOContainer>) => {
+  const container = await withCiResourceLimits(new MinIOContainer()).start();
+  try {
+    await use(container);
+  } finally {
+    await container.stop({ timeout: 0 });
+  }
+};
 
-  await useContainer("minioContainer", { container, task, use: () => use(container) });
+const minioReset = async (
+  { minioContainer }: { minioContainer: StartedMinIOContainer },
+  use: Use<void>
+) => {
+  await minioContainer.resetBucket();
+  await use();
 };
 
 const minioConfig = async (
@@ -287,18 +626,30 @@ const minioConfig = async (
   await use(minioContainer.getConnectionConfig());
 };
 
-export const minioTest = test.extend<MinIOContext>({
-  network,
-  minioContainer,
+type MinioTestContext = {
+  minioContainer: StartedMinIOContainer;
+  resetMinio: void;
+  minioConfig: MinIOConnectionConfig;
+};
+
+export const minioTest = test.extend<MinioTestContext>({
+  minioContainer: [bootWorkerMinio, { scope: "worker" }],
+  resetMinio: [minioReset, { auto: true }],
   minioConfig,
 });
 
-type PostgresAndMinIOContext = NetworkContext & PostgresContext & MinIOContext;
+type PostgresAndMinioTestContext = {
+  postgresContainer: StartedPostgreSqlContainer;
+  prisma: PrismaClient;
+  minioContainer: StartedMinIOContainer;
+  resetMinio: void;
+  minioConfig: MinIOConnectionConfig;
+};
 
-export const postgresAndMinioTest = test.extend<PostgresAndMinIOContext>({
-  network,
-  postgresContainer,
-  prisma,
-  minioContainer,
+export const postgresAndMinioTest = test.extend<PostgresAndMinioTestContext>({
+  postgresContainer: clonedPostgresContainer,
+  prisma: prismaFromContainer,
+  minioContainer: [bootWorkerMinio, { scope: "worker" }],
+  resetMinio: [minioReset, { auto: true }],
   minioConfig,
 });
diff --git a/internal-packages/testcontainers/src/logs.ts b/internal-packages/testcontainers/src/logs.ts
index 1a844c3df94..3ea3e5fe8a6 100644
--- a/internal-packages/testcontainers/src/logs.ts
+++ b/internal-packages/testcontainers/src/logs.ts
@@ -1,14 +1,17 @@
 import { env, isCI } from "std-env";
-import { TaskContext } from "vitest";
+import { TestContext } from "vitest";
 import { DockerDiagnostics, getDockerDiagnostics } from "./docker";
 import { StartedTestContainer } from "testcontainers";
 
 let setupOrder = 0;
 
+// Emit timing JSON in CI, or locally when TESTCONTAINERS_TIMING is set (drives the local timing harness)
+const emitTimingLogs = isCI || !!env.TESTCONTAINERS_TIMING;
+
 export function logSetup(resource: string, metadata: Record<string, unknown>) {
   const order = setupOrder++;
 
-  if (!isCI) {
+  if (!emitTimingLogs) {
     return;
   }
 
@@ -31,7 +34,7 @@ export function getContainerMetadata(container: StartedTestContainer) {
   };
 }
 
-export function getTaskMetadata(task: TaskContext["task"]) {
+export function getTaskMetadata(task: TestContext["task"]) {
   return {
     testName: task.name,
   };
@@ -67,7 +70,7 @@ export async function logCleanup(
   const activeAtEnd = --activeCleanups;
   const parallel = activeAtStart > 1 || activeAtEnd > 0;
 
-  if (!isCI) {
+  if (!emitTimingLogs) {
     return;
   }
 
diff --git a/internal-packages/testcontainers/src/minio.ts b/internal-packages/testcontainers/src/minio.ts
index 4f85149b7a4..f7ef2d1275e 100644
--- a/internal-packages/testcontainers/src/minio.ts
+++ b/internal-packages/testcontainers/src/minio.ts
@@ -68,11 +68,9 @@ export class MinIOContainer extends GenericContainer {
       { throwOnError: true }
     );
 
-    await x(
-      "docker",
-      ["exec", startedContainer.getId(), "mc", "mb", "local/packets"],
-      { throwOnError: true }
-    );
+    await x("docker", ["exec", startedContainer.getId(), "mc", "mb", "local/packets"], {
+      throwOnError: true,
+    });
 
     return new StartedMinIOContainer(
       startedContainer,
@@ -120,6 +118,23 @@ export class StartedMinIOContainer extends AbstractStartedContainer {
     return `${protocol}://${host}:${port}`;
   }
 
+  /**
+   * Empties the bucket between tests on a reused container (the "local" mc alias and the bucket are
+   * created at boot). Recreates the bucket so each test starts from the same empty state.
+   */
+  public async resetBucket(bucket = "packets"): Promise<void> {
+    await x(
+      "docker",
+      ["exec", this.getId(), "mc", "rm", "--recursive", "--force", `local/${bucket}`],
+      {
+        throwOnError: false,
+      }
+    );
+    await x("docker", ["exec", this.getId(), "mc", "mb", "--ignore-existing", `local/${bucket}`], {
+      throwOnError: true,
+    });
+  }
+
   /**
    * Gets connection configuration suitable for object storage clients.
    */
diff --git a/internal-packages/testcontainers/src/sequencer.cjs b/internal-packages/testcontainers/src/sequencer.cjs
new file mode 100644
index 00000000000..14084e6e84d
--- /dev/null
+++ b/internal-packages/testcontainers/src/sequencer.cjs
@@ -0,0 +1,129 @@
+// Authored as plain CommonJS (NOT .ts) on purpose. vitest loads each package's vitest.config.ts by
+// bundling it, and it EXTERNALIZES this workspace subpath - node then loads this file verbatim. A .ts
+// here reaches node as raw TypeScript and crashes config loading on CI's pinned node 20 (no type
+// stripping: `SyntaxError`). Keeping it dependency-free JS - and importing nothing from the ESM-only
+// `vitest/node` - makes it loadable on every node. Types for consumers live in sequencer.d.cts.
+
+const { existsSync, readFileSync } = require("node:fs");
+const path = require("node:path");
+
+// Walk up from the package dir (cwd at config-load time) to the monorepo root (pnpm-workspace.yaml).
+function findRepoRoot(start) {
+  let dir = start;
+  for (let i = 0; i < 20; i++) {
+    if (existsSync(path.join(dir, "pnpm-workspace.yaml"))) return dir;
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return start;
+}
+
+// test-timings.json lives at the monorepo root: { "<repo-relative path>": <ms> }
+const REPO_ROOT = findRepoRoot(process.cwd());
+const TIMINGS_PATH = path.resolve(REPO_ROOT, "test-timings.json");
+
+let cachedTimings;
+
+function loadTimings() {
+  if (!cachedTimings) {
+    // A MISSING file is a legitimate state (no timings configured yet => count-based split). But a
+    // file that EXISTS and won't parse is a real problem with a committed artifact we control - fail
+    // loud rather than silently degrading sharding (silent fallbacks are what hid earlier bugs).
+    if (!existsSync(TIMINGS_PATH)) {
+      cachedTimings = {};
+      return cachedTimings;
+    }
+    try {
+      cachedTimings = JSON.parse(readFileSync(TIMINGS_PATH, "utf-8"));
+    } catch (error) {
+      throw new Error(`Failed to parse ${TIMINGS_PATH}: ${error?.message ?? error}`);
+    }
+  }
+  return cachedTimings;
+}
+
+function median(nums) {
+  if (nums.length === 0) return 1;
+  const sorted = [...nums].sort((a, b) => a - b);
+  const mid = Math.floor(sorted.length / 2);
+  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
+}
+
+// Stable per-package offset (derived from the package dir) so each package's heaviest file - which
+// LPT always drops into bin 0 - maps to a DIFFERENT shard. Without it, a serial multi-package job
+// (`turbo --concurrency=1 --filter "@internal/*"`) stacks every package's heaviest file into shard 1.
+// It's a rotation of the bin->shard mapping, so coverage stays exact (each file runs once).
+function packageOffset(specs, count) {
+  if (specs.length === 0) return 0;
+  const rel = path.relative(REPO_ROOT, specs[0].moduleId);
+  const key = rel.split(path.sep).slice(0, 2).join("/");
+  // FNV-1a - spreads similar sibling package names (e.g. internal-packages/*) far better than a
+  // simple polynomial hash mod count, which collided run-engine + schedule-engine onto one shard.
+  let h = 2166136261;
+  for (let i = 0; i < key.length; i++) {
+    h ^= key.charCodeAt(i);
+    h = Math.imul(h, 16777619);
+  }
+  return (h >>> 0) % count;
+}
+
+/**
+ * Duration-weighted interpretation of `--shard=i/N`. Instead of vitest's default file-count split,
+ * this greedily bin-packs test files by recorded duration (test-timings.json at the repo root;
+ * unknown/new files get the median) so each shard does roughly equal work.
+ *
+ * The packing is fully deterministic (sort by duration desc, then moduleId) so every shard computes
+ * the identical bins and just takes its own - no file runs twice or gets dropped. Falls back to the
+ * full set when no shard is configured, and to ~count-based when no timings exist.
+ *
+ * Implemented as a standalone TestSequencer (not extending BaseSequencer) so this file never imports
+ * `vitest/node` - see the header note.
+ */
+class DurationShardingSequencer {
+  constructor(ctx) {
+    this.ctx = ctx;
+  }
+
+  // Deterministic order (heaviest first, then moduleId) - stable across shards and a sensible
+  // in-shard run order, replacing BaseSequencer's default sort we no longer inherit.
+  async sort(files) {
+    const timings = loadTimings();
+    const fallback = median(Object.values(timings));
+    return [...files].sort((a, b) => {
+      const am = timings[path.relative(REPO_ROOT, a.moduleId)] ?? fallback;
+      const bm = timings[path.relative(REPO_ROOT, b.moduleId)] ?? fallback;
+      return bm - am || a.moduleId.localeCompare(b.moduleId);
+    });
+  }
+
+  async shard(specs) {
+    const shard = this.ctx.config.shard;
+    if (!shard || specs.length === 0) {
+      return specs;
+    }
+
+    const timings = loadTimings();
+    const fallback = median(Object.values(timings));
+
+    const weighted = specs
+      .map((spec) => ({
+        spec,
+        ms: timings[path.relative(REPO_ROOT, spec.moduleId)] ?? fallback,
+      }))
+      .sort((a, b) => b.ms - a.ms || a.spec.moduleId.localeCompare(b.spec.moduleId));
+
+    const bins = Array.from({ length: shard.count }, () => ({ total: 0, specs: [] }));
+
+    for (const { spec, ms } of weighted) {
+      const lightest = bins.reduce((min, bin) => (bin.total < min.total ? bin : min));
+      lightest.total += ms;
+      lightest.specs.push(spec);
+    }
+
+    const offset = packageOffset(specs, shard.count);
+    return bins[(shard.index - 1 + offset) % shard.count].specs;
+  }
+}
+
+module.exports = { DurationShardingSequencer };
diff --git a/internal-packages/testcontainers/src/sequencer.d.cts b/internal-packages/testcontainers/src/sequencer.d.cts
new file mode 100644
index 00000000000..2fbecc89ccd
--- /dev/null
+++ b/internal-packages/testcontainers/src/sequencer.d.cts
@@ -0,0 +1,13 @@
+import type { TestSequencer, TestSpecification, Vitest } from "vitest/node";
+
+/**
+ * Duration-weighted `--shard=i/N`: bin-packs test files by recorded duration (test-timings.json at
+ * the repo root) so each shard does roughly equal work. The runtime lives in `sequencer.cjs` (plain
+ * JS, so vitest config loading can load it on any node - see that file's header); this declaration
+ * supplies the types for configs that wire it via `sequence: { sequencer: DurationShardingSequencer }`.
+ */
+export declare class DurationShardingSequencer implements TestSequencer {
+  constructor(ctx: Vitest);
+  sort(files: TestSpecification[]): Promise<TestSpecification[]>;
+  shard(files: TestSpecification[]): Promise<TestSpecification[]>;
+}
diff --git a/internal-packages/testcontainers/src/utils.ts b/internal-packages/testcontainers/src/utils.ts
index ea344e63f65..4183e85b40b 100644
--- a/internal-packages/testcontainers/src/utils.ts
+++ b/internal-packages/testcontainers/src/utils.ts
@@ -7,22 +7,25 @@ import path from "path";
 import { isDebug } from "std-env";
 import { GenericContainer, StartedNetwork, StartedTestContainer, Wait } from "testcontainers";
 import { x } from "tinyexec";
-import { expect, TaskContext } from "vitest";
+import type { TestContext } from "vitest";
 import { ClickHouseContainer, runClickhouseMigrations } from "./clickhouse";
 import { MinIOContainer } from "./minio";
 import { getContainerMetadata, getTaskMetadata, logCleanup, logSetup } from "./logs";
 
-export async function createPostgresContainer(network: StartedNetwork) {
-  const container = await new PostgreSqlContainer("docker.io/postgres:14")
-    .withNetwork(network)
-    .withNetworkAliases("database")
-    .withCommand(["-c", "listen_addresses=*", "-c", "wal_level=logical"])
-    .start();
+/** Returns the container's connection URI with the database path swapped to `database`. */
+export function postgresUriWithDatabase(uri: string, database: string): string {
+  const url = new URL(uri);
+  url.pathname = `/${database}`;
+  return url.toString();
+}
 
-  // Run migrations
+/** Pushes the Prisma schema into the database at `databaseUrl` (which must already exist). */
+export async function pushDatabaseSchema(databaseUrl: string) {
   const databasePath = path.resolve(__dirname, "../../database");
 
-  await x(
+  // throwOnError is essential: without it tinyexec swallows a non-zero `prisma db push`, so a failed
+  // push looks like success and only surfaces much later as a confusing downstream error.
+  const result = await x(
     `${databasePath}/node_modules/.bin/prisma`,
     [
       "db",
@@ -34,21 +37,65 @@ export async function createPostgresContainer(network: StartedNetwork) {
       `${databasePath}/prisma/schema.prisma`,
     ],
     {
+      throwOnError: true,
       nodeOptions: {
         env: {
           ...process.env,
-          DATABASE_URL: container.getConnectionUri(),
-          DIRECT_URL: container.getConnectionUri(),
+          DATABASE_URL: databaseUrl,
+          DIRECT_URL: databaseUrl,
         },
       },
     }
   );
 
+  return result;
+}
+
+/**
+ * Caps each container's CPU/memory to approximate the 2-core CI runner locally (for timing + flake
+ * reproduction). Set TESTCONTAINERS_CPU (cores per container, e.g. "2") and/or
+ * TESTCONTAINERS_MEMORY_GB (GB per container). Pair with running the runner under `taskset -c 0,1`.
+ * No-op when neither is set. (testcontainers v11 has no cpuset pinning, only this quota cap.)
+ */
+export function withCiResourceLimits<T extends GenericContainer>(container: T): T {
+  const cpu = parsePositiveNumberEnv("TESTCONTAINERS_CPU");
+  const memory = parsePositiveNumberEnv("TESTCONTAINERS_MEMORY_GB");
+  if (cpu === undefined && memory === undefined) {
+    return container;
+  }
+  return container.withResourcesQuota({
+    ...(cpu !== undefined ? { cpu } : {}),
+    ...(memory !== undefined ? { memory } : {}),
+  });
+}
+
+// Fail fast on a malformed value rather than letting NaN reach the container runtime as a cryptic error.
+function parsePositiveNumberEnv(name: string): number | undefined {
+  const raw = process.env[name];
+  if (!raw) return undefined;
+  const value = Number(raw);
+  if (!Number.isFinite(value) || value <= 0) {
+    throw new Error(`${name} must be a positive number, got "${raw}"`);
+  }
+  return value;
+}
+
+export async function createPostgresContainer(network: StartedNetwork) {
+  const container = await withCiResourceLimits(new PostgreSqlContainer("docker.io/postgres:14"))
+    .withNetwork(network)
+    .withNetworkAliases("database")
+    .withCommand(["-c", "listen_addresses=*", "-c", "wal_level=logical"])
+    .start();
+
+  await pushDatabaseSchema(container.getConnectionUri());
+
   return { url: container.getConnectionUri(), container, network };
 }
 
 export async function createClickHouseContainer(network: StartedNetwork) {
-  const container = await new ClickHouseContainer().withNetwork(network).start();
+  const container = await withCiResourceLimits(new ClickHouseContainer())
+    .withNetwork(network)
+    .start();
 
   const client = createClient({
     url: container.getConnectionUrl(),
@@ -75,29 +122,26 @@ export async function createRedisContainer({
   port?: number;
   network?: StartedNetwork;
 }) {
-  let container = new RedisContainer().withExposedPorts(port ?? 6379).withStartupTimeout(120_000); // 2 minutes
+  let container = withCiResourceLimits(new RedisContainer("redis:7.2"))
+    .withExposedPorts(port ?? 6379)
+    .withStartupTimeout(120_000); // 2 minutes
 
   if (network) {
     container = container.withNetwork(network).withNetworkAliases("redis");
   }
 
+  // Wait only on the readiness log (RedisContainer's default) - the previous Docker healthcheck added
+  // a full poll-cycle of latency per boot, which dominates per-test redis. verifyRedisConnection
+  // below still confirms the container actually accepts connections before we hand it to the test.
   const startedContainer = await container
-    .withHealthCheck({
-      test: ["CMD", "redis-cli", "ping"],
-      interval: 1000,
-      timeout: 3000,
-      retries: 5,
-    })
-    .withWaitStrategy(
-      Wait.forAll([Wait.forHealthCheck(), Wait.forLogMessage("Ready to accept connections")])
-    )
+    .withWaitStrategy(Wait.forLogMessage("Ready to accept connections"))
     .start();
 
   // Add a verification step
   const [error] = await tryCatch(verifyRedisConnection(startedContainer));
 
   if (error) {
-    await startedContainer.stop({ timeout: 30 });
+    await startedContainer.stop({ timeout: 30_000 });
     throw new Error("verifyRedisConnection error", { cause: error });
   }
 
@@ -154,8 +198,10 @@ export async function createElectricContainer(
     network.getName()
   )}:5432/${postgresContainer.getDatabase()}?sslmode=disable`;
 
-  const container = await new GenericContainer(
-    "electricsql/electric:1.2.4@sha256:20da3d0b0e74926c5623392db67fd56698b9e374c4aeb6cb5cadeb8fea171c36"
+  const container = await withCiResourceLimits(
+    new GenericContainer(
+      "electricsql/electric:1.2.4@sha256:20da3d0b0e74926c5623392db67fd56698b9e374c4aeb6cb5cadeb8fea171c36"
+    )
   )
     .withExposedPorts(3000)
     .withNetwork(network)
@@ -172,7 +218,7 @@ export async function createElectricContainer(
 }
 
 export async function createMinIOContainer(network: StartedNetwork) {
-  const container = await new MinIOContainer()
+  const container = await withCiResourceLimits(new MinIOContainer())
     .withNetwork(network)
     .withNetworkAliases("minio")
     .start();
@@ -184,8 +230,21 @@ export async function createMinIOContainer(network: StartedNetwork) {
 }
 
 export function assertNonNullable<T>(value: T): asserts value is NonNullable<T> {
-  expect(value).toBeDefined();
-  expect(value).not.toBeNull();
+  // Plain throw — *not* `vitest.expect`. Two reasons:
+  //   1. This module is imported by globalSetup files that run before any
+  //      vitest worker exists, so `import { expect }` from "vitest" at
+  //      top level can crash on init.
+  //   2. Lazy-loading via `require("vitest")` (the prior fix) collides
+  //      with OTel auto-instrumentation: `@opentelemetry/instrumentation`
+  //      hooks `require()` via `require-in-the-middle`, and vitest is
+  //      ESM-only — the require() throws "Vitest cannot be imported in
+  //      a CommonJS module using require()", failing every test that
+  //      uses `assertNonNullable` after OTel's been touched.
+  // The plain throw still gives vitest a useful failure (the message is
+  // shown in the stack trace) without the instrumentation hazard.
+  if (value === null || value === undefined) {
+    throw new Error(`assertNonNullable: value was ${value === null ? "null" : "undefined"}`);
+  }
 }
 
 export async function withContainerSetup<T>({
@@ -194,7 +253,7 @@ export async function withContainerSetup<T>({
   setup,
 }: {
   name: string;
-  task: TaskContext["task"];
+  task: TestContext["task"];
   setup: Promise<T extends { container: StartedTestContainer } ? T : never>;
 }): Promise<T & { metadata: Record<string, unknown> }> {
   const testName = task.name;
@@ -221,7 +280,7 @@ export async function useContainer<TContainer extends StartedTestContainer>(
     container,
     task,
     use,
-  }: { container: TContainer; task: TaskContext["task"]; use: () => Promise<void> }
+  }: { container: TContainer; task: TestContext["task"]; use: () => Promise<void> }
 ) {
   const metadata = {
     ...getTaskMetadata(task),
@@ -235,8 +294,9 @@ export async function useContainer<TContainer extends StartedTestContainer>(
     const useDurationMs = Date.now() - start;
     metadata.useDurationMs = useDurationMs;
   } finally {
-    // WARNING: Testcontainers by default will not wait until the container has stopped. It will simply issue the stop command and return immediately.
-    // If you need to wait for the container to be stopped, you can provide a timeout. The unit of timeout option here is second
-    await logCleanup(name, container.stop({ timeout: 10 }), metadata);
+    // Containers are throwaway, so we force-kill (SIGKILL) instead of waiting for a graceful
+    // shutdown - ClickHouse alone spends ~5s/test gracefully stopping. timeout: 0 = immediate kill.
+    // We still await it (no pileup); logCleanup swallows any teardown-time connection errors.
+    await logCleanup(name, container.stop({ timeout: 0 }), metadata);
   }
 }
diff --git a/internal-packages/testcontainers/src/webapp.ts b/internal-packages/testcontainers/src/webapp.ts
new file mode 100644
index 00000000000..0c24ec546a1
--- /dev/null
+++ b/internal-packages/testcontainers/src/webapp.ts
@@ -0,0 +1,259 @@
+import { spawn } from "child_process";
+import { createServer } from "net";
+import { delimiter, resolve } from "path";
+import { Network } from "testcontainers";
+import { PrismaClient } from "@trigger.dev/database";
+import { createPostgresContainer, createRedisContainer } from "./utils";
+
+const WEBAPP_ROOT = resolve(__dirname, "../../../apps/webapp");
+// pnpm hoists transitive deps to node_modules/.pnpm/node_modules but does NOT symlink them
+// to the root node_modules. We need NODE_PATH so the webapp process can find them at runtime.
+const PNPM_HOISTED_MODULES = resolve(__dirname, "../../../node_modules/.pnpm/node_modules");
+
+async function findFreePort(): Promise<number> {
+  return new Promise((res, rej) => {
+    const srv = createServer();
+    srv.listen(0, () => {
+      const port = (srv.address() as { port: number }).port;
+      srv.close((err) => (err ? rej(err) : res(port)));
+    });
+  });
+}
+
+async function waitForHealthcheck(
+  url: string,
+  opts: { timeoutMs?: number; acceptAnyResponse?: boolean } = {}
+): Promise<void> {
+  const { timeoutMs = 60000, acceptAnyResponse = false } = opts;
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    try {
+      const res = await fetch(url);
+      if (acceptAnyResponse || res.ok) return;
+    } catch {}
+    await new Promise((r) => setTimeout(r, 500));
+  }
+  throw new Error(`Webapp did not become healthy at ${url} within ${timeoutMs}ms`);
+}
+
+export interface WebappInstance {
+  baseUrl: string;
+  fetch(path: string, init?: RequestInit): Promise<Response>;
+}
+
+export interface StartWebappOptions {
+  /**
+   * When true (default), the spawned webapp runs with `RBAC_FORCE_FALLBACK=1`
+   * so the default fallback handles all auth checks. The comprehensive
+   * suite (`*.e2e.full.test.ts`) relies on this — it's pinned to the
+   * fallback so results don't depend on whether `@triggerdotdev/plugins/rbac`
+   * happens to be installed in the local node_modules.
+   *
+   * Set to false to spawn a webapp that loads any installed RBAC
+   * plugin instead, for testing the plugin path.
+   */
+  forceRbacFallback?: boolean;
+
+  /**
+   * When true, spawns the webapp with `REQUIRE_PLUGINS=1` so the plugin
+   * loader throws instead of silently falling back when the plugin
+   * module fails to load. Used by the healthcheck rollback e2e test —
+   * with this set and the plugin not installed, `/healthcheck` should
+   * return 500.
+   *
+   * Implies `forceRbacFallback: false` (you can't observe REQUIRE_PLUGINS
+   * behaviour when the loader is short-circuited).
+   */
+  requirePlugins?: boolean;
+}
+
+export async function startWebapp(
+  databaseUrl: string,
+  redis: { host: string; port: number },
+  options: StartWebappOptions = {}
+): Promise<{
+  instance: WebappInstance;
+  stop: () => Promise<void>;
+}> {
+  // requirePlugins implies forceRbacFallback=false — you can't observe the
+  // REQUIRE_PLUGINS=1 throw if the loader short-circuits before reaching it.
+  const requirePlugins = options.requirePlugins ?? false;
+  const forceRbacFallback = options.forceRbacFallback ?? !requirePlugins;
+  const port = await findFreePort();
+
+  // Merge NODE_PATH so transitive pnpm deps (hoisted to .pnpm/node_modules) are resolvable
+  const existingNodePath = process.env.NODE_PATH;
+  const nodePath = existingNodePath
+    ? `${PNPM_HOISTED_MODULES}${delimiter}${existingNodePath}`
+    : PNPM_HOISTED_MODULES;
+
+  const proc = spawn(process.execPath, ["build/server.js"], {
+    cwd: WEBAPP_ROOT,
+    env: {
+      ...process.env,
+      // Match `pnpm run start` (production-mode boot). NODE_ENV=test
+      // surfaces a circular-init regression in the production bundle
+      // — see TRI-8731 — that production-mode dodges by initialising
+      // modules in a different order. Tests don't depend on test-mode
+      // semantics; they only need an isolated webapp + DB.
+      NODE_ENV: "production",
+      DATABASE_URL: databaseUrl,
+      DIRECT_URL: databaseUrl,
+      PORT: String(port),
+      REMIX_APP_PORT: String(port), // override .env file value (vitest loads .env via Vite)
+      SESSION_SECRET: "test-session-secret-for-e2e-tests",
+      MAGIC_LINK_SECRET: "test-magic-link-secret-32chars!!",
+      ENCRYPTION_KEY: "test-encryption-key-for-e2e!!!!!", // exactly 32 bytes
+      CLICKHOUSE_URL: "http://localhost:19123", // dummy, auth paths never connect
+      DEPLOY_REGISTRY_HOST: "registry.example.com", // dummy, not needed for auth tests
+      ELECTRIC_ORIGIN: "http://localhost:3060",
+      REDIS_HOST: redis.host,
+      REDIS_PORT: String(redis.port),
+      REDIS_TLS_DISABLED: "true", // all *_REDIS_TLS_DISABLED vars default to this; test Redis has no TLS
+      // Disable all background workers. Each worker has its own env var and its own
+      // check idiom ("0" vs "false" vs boolean), so we set all of them explicitly.
+      WORKER_ENABLED: "false",          // disables workerQueue.initialize() (checked === "true")
+      RUN_ENGINE_WORKER_ENABLED: "0",   // disables run engine workers (checked === "0", default "1")
+      SCHEDULE_WORKER_ENABLED: "0",     // disables schedule engine worker (checked === "0")
+      BATCH_QUEUE_WORKER_ENABLED: "false", // disables batch queue consumers (BoolEnv)
+      LEGACY_RUN_ENGINE_WORKER_ENABLED: "0", // disables legacy run engine worker
+      COMMON_WORKER_ENABLED: "0",       // disables common worker
+      RUN_ENGINE_TTL_SYSTEM_DISABLED: "true",     // disables TTL expiry system (BoolEnv)
+      RUN_ENGINE_TTL_CONSUMERS_DISABLED: "true",  // disables TTL consumers (BoolEnv)
+      RUN_REPLICATION_ENABLED: "0",
+      // Force the RBAC loader to use the default fallback in e2e tests
+      // so auth behaviour is deterministic regardless of whether a
+      // plugin is installed in the local node_modules. Set to "0" /
+      // undefined to spawn a webapp that loads any installed plugin.
+      ...(forceRbacFallback ? { RBAC_FORCE_FALLBACK: "1" } : {}),
+      // When requirePlugins is set, explicitly override RBAC_FORCE_FALLBACK
+      // to "0" so a local apps/webapp/.env that sets it to "1" doesn't
+      // short-circuit the loader past the REQUIRE_PLUGINS check.
+      ...(requirePlugins ? { REQUIRE_PLUGINS: "1", RBAC_FORCE_FALLBACK: "0" } : {}),
+      NODE_PATH: nodePath,
+    },
+    stdio: ["ignore", "pipe", "pipe"],
+  });
+
+  const stderr: string[] = [];
+  proc.stderr?.on("data", (d: Buffer) => {
+    const line = d.toString();
+    stderr.push(line);
+    if (process.env.WEBAPP_TEST_VERBOSE) {
+      process.stderr.write(line);
+    }
+  });
+
+  const stdout: string[] = [];
+  proc.stdout?.on("data", (d: Buffer) => {
+    const line = d.toString();
+    stdout.push(line);
+    if (process.env.WEBAPP_TEST_VERBOSE) {
+      process.stdout.write(line);
+    }
+  });
+
+  // Capture spawn errors instead of throwing from inside the listener.
+  // A synchronous throw from an EventEmitter listener bypasses the surrounding
+  // try/catch and surfaces as an uncaughtException, tearing down the test runner.
+  let spawnError: Error | undefined;
+  proc.on("error", (err) => {
+    spawnError = err;
+  });
+
+  const baseUrl = `http://localhost:${port}`;
+
+  try {
+    if (spawnError) throw spawnError;
+    // When requirePlugins is set, /healthcheck is expected to respond with
+    // 500 (the whole point of those tests is to verify that). Accept any
+    // response as "the webapp is up" — the test then asserts the status.
+    await waitForHealthcheck(`${baseUrl}/healthcheck`, {
+      acceptAnyResponse: requirePlugins,
+    });
+    if (spawnError) throw spawnError;
+  } catch (err) {
+    proc.kill("SIGTERM");
+    const output = [...stdout, ...stderr].join("\n");
+    throw new Error(`Webapp failed to start.\nOutput:\n${output}\n\nOriginal error: ${err}`);
+  }
+
+  return {
+    instance: {
+      baseUrl,
+      fetch: (path: string, init?: RequestInit) => fetch(`${baseUrl}${path}`, init),
+    },
+    stop: () =>
+      new Promise<void>((res) => {
+        const timer = setTimeout(() => {
+          proc.kill("SIGKILL");
+          res();
+        }, 10_000);
+        proc.once("exit", () => {
+          clearTimeout(timer);
+          res();
+        });
+        proc.kill("SIGTERM");
+      }),
+  };
+}
+
+export interface TestServer {
+  webapp: WebappInstance;
+  prisma: PrismaClient;
+  // Postgres connection string. Useful when test workers run in separate
+  // processes and need to construct their own clients against the same DB.
+  databaseUrl: string;
+  stop: () => Promise<void>;
+}
+
+/** Convenience helper: starts a postgres + redis container + webapp and returns both for testing. */
+export async function startTestServer(
+  options: StartWebappOptions = {}
+): Promise<TestServer> {
+  const network = await new Network().start();
+
+  // Track each resource as we acquire it so we can tear it down if a later step fails.
+  let pgContainer: Awaited<ReturnType<typeof createPostgresContainer>>["container"] | undefined;
+  let pgUrl: string | undefined;
+  let redisContainer: Awaited<ReturnType<typeof createRedisContainer>>["container"] | undefined;
+  let prisma: PrismaClient | undefined;
+  let stopWebapp: (() => Promise<void>) | undefined;
+  let webapp: WebappInstance;
+
+  try {
+    const pg = await createPostgresContainer(network);
+    pgContainer = pg.container;
+    pgUrl = pg.url;
+
+    const { container: rc } = await createRedisContainer({ network });
+    redisContainer = rc;
+
+    prisma = new PrismaClient({ datasources: { db: { url: pg.url } } });
+    await prisma.$connect(); // pre-warm pool; surface connection failures before tests start
+    const started = await startWebapp(
+      pg.url,
+      { host: rc.getHost(), port: rc.getPort() },
+      options
+    );
+    webapp = started.instance;
+    stopWebapp = started.stop;
+  } catch (err) {
+    await stopWebapp?.().catch(() => {});
+    await prisma?.$disconnect().catch(() => {});
+    await pgContainer?.stop().catch(() => {});
+    await redisContainer?.stop().catch(() => {});
+    await network.stop().catch(() => {});
+    throw err;
+  }
+
+  const stop = async () => {
+    await stopWebapp!().catch((err) => console.error("stopWebapp failed:", err));
+    await prisma!.$disconnect().catch((err) => console.error("prisma.$disconnect failed:", err));
+    await pgContainer!.stop().catch((err) => console.error("pgContainer.stop failed:", err));
+    await redisContainer!.stop().catch((err) => console.error("redisContainer.stop failed:", err));
+    await network.stop().catch((err) => console.error("network.stop failed:", err));
+  };
+
+  return { webapp, prisma: prisma!, databaseUrl: pgUrl!, stop };
+}
diff --git a/internal-packages/tracing/package.json b/internal-packages/tracing/package.json
index e3a7635d745..7474ec249ec 100644
--- a/internal-packages/tracing/package.json
+++ b/internal-packages/tracing/package.json
@@ -6,9 +6,9 @@
   "types": "./src/index.ts",
   "type": "module",
   "dependencies": {
-    "@opentelemetry/api": "1.9.0",
-    "@opentelemetry/api-logs": "0.52.1",
-    "@opentelemetry/semantic-conventions": "^1.27.0",
+    "@opentelemetry/api": "1.9.1",
+    "@opentelemetry/api-logs": "0.218.0",
+    "@opentelemetry/semantic-conventions": "^1.41.1",
     "@trigger.dev/core": "workspace:*"
   },
   "scripts": {
diff --git a/internal-packages/tsql/vitest.config.ts b/internal-packages/tsql/vitest.config.ts
index 1d779c09577..f3687eb4098 100644
--- a/internal-packages/tsql/vitest.config.ts
+++ b/internal-packages/tsql/vitest.config.ts
@@ -6,11 +6,6 @@ export default defineConfig({
     globals: true,
     isolate: true,
     fileParallelism: false,
-    poolOptions: {
-      threads: {
-        singleThread: true,
-      },
-    },
     testTimeout: 60_000,
     coverage: {
       provider: "v8",
diff --git a/package.json b/package.json
index 6777bef721b..c8c89e34285 100644
--- a/package.json
+++ b/package.json
@@ -19,8 +19,10 @@
     "i:dev": "infisical run -- turbo run dev",
     "generate": "turbo run generate",
     "lint": "turbo run lint",
-    "docker": "docker compose -p triggerdotdev-docker -f docker/docker-compose.yml up -d --build --remove-orphans",
-    "docker:stop": "docker compose -p triggerdotdev-docker -f docker/docker-compose.yml stop",
+    "docker": "node scripts/docker.mjs -f docker/docker-compose.yml up -d --build --remove-orphans",
+    "docker:stop": "node scripts/docker.mjs -f docker/docker-compose.yml stop",
+    "docker:full": "node scripts/docker.mjs -f docker/docker-compose.yml -f docker/docker-compose.extras.yml up -d --build --remove-orphans",
+    "docker:full:stop": "node scripts/docker.mjs -f docker/docker-compose.yml -f docker/docker-compose.extras.yml stop",
     "dev:docker": "docker compose -p triggerdotdev-dev-docker -f docker/dev-compose.yml up -d --build --remove-orphans",
     "dev:docker:build": "docker compose -p triggerdotdev-dev-docker -f docker/dev-compose.yml up -d --build",
     "dev:docker:stop": "docker compose -p triggerdotdev-dev-docker -f docker/dev-compose.yml stop",
@@ -41,7 +43,7 @@
     "setup": "turbo run generate db:migrate:force db:seed",
     "env:pull": "turbo run env:pull",
     "changeset:add": "changeset",
-    "changeset:version": "changeset version",
+    "changeset:version": "changeset version && pnpm install --lockfile-only && node scripts/bump-helm-chart.mjs && node scripts/cleanup-server-changes.mjs",
     "changeset:release": "pnpm run build --filter \"@trigger.dev/*\" --filter \"trigger.dev\" && changeset publish",
     "changeset:v4": "changeset pre enter v4",
     "changeset:normal": "changeset pre exit",
@@ -53,20 +55,20 @@
     "@playwright/test": "^1.36.2",
     "@trigger.dev/database": "workspace:*",
     "@types/node": "20.14.14",
-    "@vitest/coverage-v8": "3.1.4",
+    "@vitest/coverage-v8": "4.1.7",
     "autoprefixer": "^10.4.12",
     "eslint-plugin-turbo": "^2.0.4",
     "lefthook": "^1.11.3",
+    "pkg-pr-new": "0.0.75",
     "pkg-types": "1.1.3",
     "prettier": "^3.0.0",
     "tsx": "^3.7.1",
     "turbo": "^1.10.3",
     "typescript": "5.5.4",
-    "vite": "^5.4.21",
     "vite-tsconfig-paths": "^4.0.5",
-    "vitest": "3.1.4"
+    "vitest": "4.1.7"
   },
-  "packageManager": "pnpm@10.23.0",
+  "packageManager": "pnpm@10.33.2",
   "dependencies": {
     "@changesets/cli": "2.26.2",
     "@remix-run/changelog-github": "^0.0.5",
@@ -83,24 +85,45 @@
       "@sentry/remix@9.46.0": "patches/@sentry__remix@9.46.0.patch",
       "@upstash/ratelimit@1.1.3": "patches/@upstash__ratelimit.patch",
       "antlr4ts@0.5.0-alpha.4": "patches/antlr4ts@0.5.0-alpha.4.patch",
-      "@window-splitter/state@0.4.1": "patches/@window-splitter__state@0.4.1.patch"
+      "@window-splitter/state@1.1.3": "patches/@window-splitter__state@1.1.3.patch",
+      "streamdown@2.5.0": "patches/streamdown@2.5.0.patch",
+      "@remix-run/router@1.23.2": "patches/@remix-run__router@1.23.2.patch"
     },
     "overrides": {
       "typescript": "5.5.4",
       "@types/node": "20.14.14",
       "express@^4>body-parser": "1.20.3",
-      "@remix-run/dev@2.1.0>tar-fs": "2.1.3",
-      "testcontainers@10.28.0>tar-fs": "3.0.9",
+      "@remix-run/dev@2.17.4>tar-fs": "2.1.4",
+      "tar@>=7 <7.5.11": "^7.5.11",
       "form-data@^2": "2.5.4",
       "form-data@^3": "3.0.4",
       "form-data@^4": "4.0.4",
-      "axios@1.9.0": ">=1.12.0",
       "js-yaml@>=3.0.0 <3.14.2": "3.14.2",
       "js-yaml@>=4.0.0 <4.1.1": "4.1.1",
       "jws@<3.2.3": "3.2.3",
-      "qs@>=6.0.0 <6.14.1": "6.14.1",
-      "systeminformation@>=5.0.0 <5.27.14": "5.27.14",
-      "lodash@>=4.0.0 <4.17.23": "4.17.23"
+      "qs@>=6.0.0 <6.15.2": "^6.15.2",
+      "systeminformation@>=5.0.0 <5.31.0": "^5.31.0",
+      "lodash@>=4.17 <4.18.0": "^4.18.0",
+      "lodash-es@>=4.17 <4.18.0": "^4.18.0",
+      "dompurify@>=3 <3.4.0": "^3.4.1",
+      "vite@>=5.0.0 <6.4.2": "^6.4.2",
+      "rollup@>=4 <4.59.0": "^4.59.0",
+      "flatted@>=3 <3.4.2": "^3.4.2",
+      "picomatch@>=2 <2.3.2": "^2.3.2",
+      "picomatch@>=4 <4.0.4": "^4.0.4",
+      "minimatch@>=3 <3.1.3": "^3.1.3",
+      "protobufjs@>=7 <7.5.6": "^7.5.6",
+      "fast-xml-parser@>=4 <4.5.5": "^4.5.5",
+      "fast-xml-parser@>=5 <5.7.0": "^5.7.0",
+      "path-to-regexp@>=0.1 <0.1.13": "^0.1.13",
+      "ajv@>=8 <8.18.0": "^8.18.0",
+      "socket.io-parser@>=4 <4.2.6": "^4.2.6",
+      "postcss@>=8 <8.5.10": "^8.5.10",
+      "yaml@>=2 <2.8.3": "^2.8.3",
+      "semver@>=5 <5.7.2": "^5.7.2",
+      "defu@>=6 <6.1.5": "^6.1.5",
+      "fast-uri@<3.1.2": "^3.1.2",
+      "fast-xml-builder@<1.1.7": "^1.1.7"
     },
     "onlyBuiltDependencies": [
       "@depot/cli",
@@ -120,4 +143,4 @@
       "turbo"
     ]
   }
-}
\ No newline at end of file
+}
diff --git a/packages/build/CHANGELOG.md b/packages/build/CHANGELOG.md
index 3902bf19d7b..3b3d5d1641d 100644
--- a/packages/build/CHANGELOG.md
+++ b/packages/build/CHANGELOG.md
@@ -1,5 +1,71 @@
 # @trigger.dev/build
 
+## 4.5.0-rc.5
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.5`
+
+## 4.5.0-rc.4
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.4`
+
+## 4.5.0-rc.3
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.3`
+
+## 4.5.0-rc.2
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.2`
+
+## 4.5.0-rc.1
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.1`
+
+## 4.5.0-rc.0
+
+### Patch Changes
+
+- Add Agent Skills for `chat.agent`. Drop a folder with a `SKILL.md` and any helper scripts/references next to your task code, register it with `skills.define({ id, path })`, and the CLI bundles it into the deploy image automatically — no `trigger.config.ts` changes. The agent gets a one-line summary in its system prompt and discovers full instructions on demand via `loadSkill`, with `bash` and `readFile` tools scoped per-skill (path-traversal guards, output caps, abort-signal propagation). ([#3543](https://github.com/triggerdotdev/trigger.dev/pull/3543))
+
+  ```ts
+  const pdfSkill = skills.define({ id: "pdf-extract", path: "./skills/pdf-extract" });
+
+  chat.skills.set([await pdfSkill.local()]);
+  ```
+
+  Built on the [AI SDK cookbook pattern](https://ai-sdk.dev/cookbook/guides/agent-skills) — portable across providers. SDK + CLI only for now; dashboard-editable `SKILL.md` text is on the roadmap.
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.0`
+
+## 4.4.6
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.6`
+
+## 4.4.5
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.5`
+
 ## 4.4.4
 
 ### Patch Changes
diff --git a/packages/build/package.json b/packages/build/package.json
index 3fa2212cf07..b7cb386c64c 100644
--- a/packages/build/package.json
+++ b/packages/build/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@trigger.dev/build",
-  "version": "4.4.4",
+  "version": "4.5.0-rc.5",
   "description": "trigger.dev build extensions",
   "license": "MIT",
   "publishConfig": {
@@ -78,7 +78,7 @@
   },
   "dependencies": {
     "@prisma/config": "^6.10.0",
-    "@trigger.dev/core": "workspace:4.4.4",
+    "@trigger.dev/core": "workspace:4.5.0-rc.5",
     "mlly": "^1.7.1",
     "pkg-types": "^1.1.3",
     "resolve": "^1.22.8",
diff --git a/packages/build/src/internal.ts b/packages/build/src/internal.ts
index 54f785a6106..0e1954c8b9e 100644
--- a/packages/build/src/internal.ts
+++ b/packages/build/src/internal.ts
@@ -1 +1,2 @@
 export * from "./internal/additionalFiles.js";
+export * from "./internal/copyFiles.js";
diff --git a/packages/build/src/internal/additionalFiles.ts b/packages/build/src/internal/additionalFiles.ts
index a815b53c9aa..57a746c36b6 100644
--- a/packages/build/src/internal/additionalFiles.ts
+++ b/packages/build/src/internal/additionalFiles.ts
@@ -1,8 +1,10 @@
 import { BuildManifest } from "@trigger.dev/core/v3";
 import { BuildContext } from "@trigger.dev/core/v3/build";
-import { copyFile, mkdir } from "node:fs/promises";
-import { dirname, join, posix, relative } from "node:path";
-import { glob } from "tinyglobby";
+import {
+  copyMatcherResults,
+  findFilesByMatchers,
+  type MatcherResult,
+} from "./copyFiles.js";
 
 export type AdditionalFilesOptions = {
   files: string[];
@@ -14,12 +16,13 @@ export async function addAdditionalFilesToBuild(
   context: BuildContext,
   manifest: BuildManifest
 ) {
-  // Copy any static assets to the destination
-  const staticAssets = await findStaticAssetFiles(options.files ?? [], manifest.outputPath, {
-    cwd: context.workingDir,
-  });
+  const matcherResults: MatcherResult[] = await findFilesByMatchers(
+    options.files ?? [],
+    manifest.outputPath,
+    { cwd: context.workingDir }
+  );
 
-  for (const { assets, matcher } of staticAssets) {
+  for (const { assets, matcher } of matcherResults) {
     if (assets.length === 0) {
       context.logger.warn(`[${source}] No files found for matcher`, matcher);
     } else {
@@ -27,80 +30,7 @@ export async function addAdditionalFilesToBuild(
     }
   }
 
-  await copyStaticAssets(staticAssets, source, context);
-}
-
-type MatchedStaticAssets = { source: string; destination: string }[];
-
-type FoundStaticAssetFiles = Array<{
-  matcher: string;
-  assets: MatchedStaticAssets;
-}>;
-
-async function findStaticAssetFiles(
-  matchers: string[],
-  destinationPath: string,
-  options?: { cwd?: string; ignore?: string[] }
-): Promise<FoundStaticAssetFiles> {
-  const result: FoundStaticAssetFiles = [];
-
-  for (const matcher of matchers) {
-    const assets = await findStaticAssetsForMatcher(matcher, destinationPath, options);
-
-    result.push({ matcher, assets });
-  }
-
-  return result;
-}
-
-async function findStaticAssetsForMatcher(
-  matcher: string,
-  destinationPath: string,
-  options?: { cwd?: string; ignore?: string[] }
-): Promise<MatchedStaticAssets> {
-  const result: MatchedStaticAssets = [];
-
-  const files = await glob({
-    patterns: [matcher],
-    cwd: options?.cwd,
-    ignore: options?.ignore ?? [],
-    onlyFiles: true,
-    absolute: true,
+  await copyMatcherResults(matcherResults, (pair) => {
+    context.logger.debug(`[${source}] Copying ${pair.source} to ${pair.destination}`);
   });
-
-  let matches = 0;
-
-  for (const file of files) {
-    matches++;
-
-    const pathInsideDestinationDir = relative(options?.cwd ?? process.cwd(), file)
-      .split(posix.sep)
-      .filter((p) => p !== "..")
-      .join(posix.sep);
-
-    const relativeDestinationPath = join(destinationPath, pathInsideDestinationDir);
-
-    result.push({
-      source: file,
-      destination: relativeDestinationPath,
-    });
-  }
-
-  return result;
-}
-
-async function copyStaticAssets(
-  staticAssetFiles: FoundStaticAssetFiles,
-  sourceName: string,
-  context: BuildContext
-): Promise<void> {
-  for (const { assets } of staticAssetFiles) {
-    for (const { source, destination } of assets) {
-      await mkdir(dirname(destination), { recursive: true });
-
-      context.logger.debug(`[${sourceName}] Copying ${source} to ${destination}`);
-
-      await copyFile(source, destination);
-    }
-  }
 }
diff --git a/packages/build/src/internal/copyFiles.ts b/packages/build/src/internal/copyFiles.ts
new file mode 100644
index 00000000000..6fd3ede9545
--- /dev/null
+++ b/packages/build/src/internal/copyFiles.ts
@@ -0,0 +1,99 @@
+import { cp, copyFile, mkdir } from "node:fs/promises";
+import { dirname, join, posix, relative } from "node:path";
+import { glob } from "tinyglobby";
+
+/**
+ * A single matched asset — source file and its destination inside the
+ * build output directory.
+ */
+export type CopyPair = { source: string; destination: string };
+
+/**
+ * Result of a single matcher's glob, grouped with the matcher that
+ * produced it so callers can warn on empty matches.
+ */
+export type MatcherResult = {
+  matcher: string;
+  assets: CopyPair[];
+};
+
+/**
+ * Glob a set of matchers relative to `cwd` and return pairs describing
+ * where each matched file should be copied to under `destinationDir`.
+ *
+ * Relative paths are preserved under `destinationDir`. Leading `..`
+ * segments (from `../shared/file.txt` style patterns) are stripped so
+ * files always land inside the destination.
+ */
+export async function findFilesByMatchers(
+  matchers: string[],
+  destinationDir: string,
+  options?: { cwd?: string; ignore?: string[] }
+): Promise<MatcherResult[]> {
+  const result: MatcherResult[] = [];
+  const cwd = options?.cwd ?? process.cwd();
+
+  for (const matcher of matchers) {
+    const files = await glob({
+      patterns: [matcher],
+      cwd,
+      ignore: options?.ignore ?? [],
+      onlyFiles: true,
+      absolute: true,
+    });
+
+    const assets: CopyPair[] = files.map((file) => {
+      const pathInsideDestinationDir = relative(cwd, file)
+        .split(posix.sep)
+        .filter((p) => p !== "..")
+        .join(posix.sep);
+      return {
+        source: file,
+        destination: join(destinationDir, pathInsideDestinationDir),
+      };
+    });
+
+    result.push({ matcher, assets });
+  }
+
+  return result;
+}
+
+/**
+ * Copy a single file, creating parent directories as needed.
+ */
+export async function copyFileEnsuringDir(source: string, destination: string): Promise<void> {
+  await mkdir(dirname(destination), { recursive: true });
+  await copyFile(source, destination);
+}
+
+/**
+ * Copy every pair in the given matcher results. Parent directories are
+ * created automatically. Returns the total number of files copied.
+ */
+export async function copyMatcherResults(
+  matcherResults: MatcherResult[],
+  onCopy?: (pair: CopyPair) => void
+): Promise<number> {
+  let count = 0;
+  for (const { assets } of matcherResults) {
+    for (const pair of assets) {
+      onCopy?.(pair);
+      await copyFileEnsuringDir(pair.source, pair.destination);
+      count++;
+    }
+  }
+  return count;
+}
+
+/**
+ * Recursively copy a directory to another location. Preserves structure;
+ * overwrites existing files at the destination.
+ *
+ * Used by the built-in skill bundler — we copy entire skill folders as a
+ * unit, not file-by-file.
+ */
+export async function copyDirectoryRecursive(source: string, destination: string): Promise<void> {
+  await mkdir(destination, { recursive: true });
+  await cp(source, destination, { recursive: true, force: true });
+}
diff --git a/packages/cli-v3/CHANGELOG.md b/packages/cli-v3/CHANGELOG.md
index e13e61fa4f8..f8ad8f9eed4 100644
--- a/packages/cli-v3/CHANGELOG.md
+++ b/packages/cli-v3/CHANGELOG.md
@@ -1,5 +1,98 @@
 # trigger.dev
 
+## 4.5.0-rc.5
+
+### Patch Changes
+
+- The MCP server no longer tells the AI agent to wait for a run to complete after every `trigger_task` call. Waiting is now opt-in: the agent only waits when you ask it to (for example "trigger and then wait for it to finish"). This avoids burning tokens polling runs you didn't need to block on and keeps responses clearer. ([#3838](https://github.com/triggerdotdev/trigger.dev/pull/3838))
+- Update the bundled OpenTelemetry packages to their latest releases (`@opentelemetry/sdk-node` 0.218.0, `@opentelemetry/core` 2.7.1, `@opentelemetry/host-metrics` 0.38.3). ([#3810](https://github.com/triggerdotdev/trigger.dev/pull/3810))
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.5`
+  - `@trigger.dev/build@4.5.0-rc.5`
+  - `@trigger.dev/schema-to-json@4.5.0-rc.5`
+
+## 4.5.0-rc.4
+
+### Patch Changes
+
+- Bump `@s2-dev/streamstore` to `0.22.10` to fix a `TASK_RUN_UNCAUGHT_EXCEPTION` ("Invalid state: Unable to enqueue") when a `chat.agent` turn is aborted mid-stream. ([#3792](https://github.com/triggerdotdev/trigger.dev/pull/3792))
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.4`
+  - `@trigger.dev/build@4.5.0-rc.4`
+  - `@trigger.dev/schema-to-json@4.5.0-rc.4`
+
+## 4.5.0-rc.3
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.3`
+  - `@trigger.dev/build@4.5.0-rc.3`
+  - `@trigger.dev/schema-to-json@4.5.0-rc.3`
+
+## 4.5.0-rc.2
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/build@4.5.0-rc.2`
+  - `@trigger.dev/core@4.5.0-rc.2`
+  - `@trigger.dev/schema-to-json@4.5.0-rc.2`
+
+## 4.5.0-rc.1
+
+### Patch Changes
+
+- Fix `chat.agent` skills silently missing in `trigger dev` for projects whose task files read `process.env` at module top level (e.g. a third-party SDK client initialized at import). Skill folders now bundle into `.trigger/skills/` reliably regardless of which env vars are set when the CLI launches. ([#3690](https://github.com/triggerdotdev/trigger.dev/pull/3690))
+- Fix `COULD_NOT_FIND_EXECUTOR` when a task's definition is loaded via `await import(...)` from inside another task's `run()`. The runtime workers now register such tasks with a sentinel file context, and the catalog logs a one-time warning per task id. ([#3688](https://github.com/triggerdotdev/trigger.dev/pull/3688))
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.1`
+  - `@trigger.dev/build@4.5.0-rc.1`
+  - `@trigger.dev/schema-to-json@4.5.0-rc.1`
+
+## 4.5.0-rc.0
+
+### Patch Changes
+
+- Add Agent Skills for `chat.agent`. Drop a folder with a `SKILL.md` and any helper scripts/references next to your task code, register it with `skills.define({ id, path })`, and the CLI bundles it into the deploy image automatically — no `trigger.config.ts` changes. The agent gets a one-line summary in its system prompt and discovers full instructions on demand via `loadSkill`, with `bash` and `readFile` tools scoped per-skill (path-traversal guards, output caps, abort-signal propagation). ([#3543](https://github.com/triggerdotdev/trigger.dev/pull/3543))
+
+  ```ts
+  const pdfSkill = skills.define({ id: "pdf-extract", path: "./skills/pdf-extract" });
+
+  chat.skills.set([await pdfSkill.local()]);
+  ```
+
+  Built on the [AI SDK cookbook pattern](https://ai-sdk.dev/cookbook/guides/agent-skills) — portable across providers. SDK + CLI only for now; dashboard-editable `SKILL.md` text is on the roadmap.
+
+- Add `TRIGGER_BUILD_SKIP_REWRITE_TIMESTAMP=1` escape hatch for local self-hosted builds whose buildx driver doesn't support `rewrite-timestamp` alongside push (e.g. orbstack's default `docker` driver). ([#3618](https://github.com/triggerdotdev/trigger.dev/pull/3618))
+- The CLI MCP server's agent-chat tools (`start_agent_chat`, `send_agent_message`, `close_agent_chat`) now run on the new Sessions primitive, so AI assistants driving a `chat.agent` get the same idempotent-by-`chatId`, durable-across-runs behavior the browser transport gets. Required PAT scopes go from `write:inputStreams` to `read:sessions` + `write:sessions`. ([#3546](https://github.com/triggerdotdev/trigger.dev/pull/3546))
+- MCP `list_runs` tool: add a `region` filter input and surface each run's executing region in the formatted summary. ([#3612](https://github.com/triggerdotdev/trigger.dev/pull/3612))
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.0`
+  - `@trigger.dev/build@4.5.0-rc.0`
+  - `@trigger.dev/schema-to-json@4.5.0-rc.0`
+
+## 4.4.6
+
+### Patch Changes
+
+- Fix dev workers spinning at 100% CPU after the parent CLI disconnects. Orphaned `trigger-dev-run-worker` (and indexer) processes were caught in an `uncaughtException` feedback loop: a periodic IPC send via `process.send` would throw `ERR_IPC_CHANNEL_CLOSED` once the parent closed the channel, which re-entered the same handler that itself called `process.send`, scheduled via `setImmediate` and amplified by source-map-support's `prepareStackTrace`. Fixed by (1) silently dropping packets in `ZodIpcConnection` when the channel is disconnected, (2) adding a `process.on("disconnect", ...)` handler in dev workers so they exit cleanly when the CLI closes the IPC channel, and (3) wrapping all `uncaughtException`-path `process.send` calls in a `safeSend` guard that checks `process.connected` and swallows synchronous throws. ([#3491](https://github.com/triggerdotdev/trigger.dev/pull/3491))
+- Fail attempts on uncaught exceptions instead of hanging to `MAX_DURATION_EXCEEDED`. A Node `EventEmitter` (e.g. `node-redis`) emitting `"error"` with no `.on("error", ...)` listener escalates to `uncaughtException`, which the worker previously reported but did not act on — runs drifted to maxDuration with empty attempts. They now fail fast with the original error and status `FAILED`, and respect the task's normal retry policy. You should still attach `.on("error", ...)` listeners to long-lived clients to handle errors gracefully. ([#3529](https://github.com/triggerdotdev/trigger.dev/pull/3529))
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.6`
+  - `@trigger.dev/build@4.4.6`
+  - `@trigger.dev/schema-to-json@4.4.6`
+
+## 4.4.5
+
+### Patch Changes
+
+- Add `--no-browser` flag to `init` and `login` to skip auto-opening the browser during authentication. Also error loudly when `init` is run without `--yes` under non-TTY stdin (previously default-and-exited silently, leaving the project half-initialized). Both commands now show an `Examples` section in `--help`. ([#3483](https://github.com/triggerdotdev/trigger.dev/pull/3483))
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.5`
+  - `@trigger.dev/build@4.4.5`
+  - `@trigger.dev/schema-to-json@4.4.5`
+
 ## 4.4.4
 
 ### Patch Changes
diff --git a/packages/cli-v3/e2e/e2e.test.ts b/packages/cli-v3/e2e/e2e.test.ts
index 3ddf7419623..1d1849f5fcd 100644
--- a/packages/cli-v3/e2e/e2e.test.ts
+++ b/packages/cli-v3/e2e/e2e.test.ts
@@ -104,10 +104,17 @@ describe.concurrent("buildWorker", async () => {
 
   for (let testCase of testCases) {
     test.extend<E2EFixtureTest>({
+      // Seed `workspaceRelativeDir` before the spread so the key always exists.
+      // vitest 4 resolves fixture-to-fixture dependencies strictly at
+      // `test.extend()` time: the `workspaceDir` fixture below destructures
+      // `workspaceRelativeDir`, so it must be a defined fixture even for test
+      // cases that don't set it (it's an optional `TestCase` field). The spread
+      // overrides this default when the case provides its own value.
+      workspaceRelativeDir: "",
       ...testCase,
       fixtureDir: async ({ id }, use) =>
         await use(path.resolve(path.join(process.cwd(), "e2e/fixtures", id))),
-      workspaceDir: async ({ fixtureDir, workspaceRelativeDir = "" }, use) =>
+      workspaceDir: async ({ fixtureDir, workspaceRelativeDir }, use) =>
         await use(path.resolve(path.join(fixtureDir, workspaceRelativeDir))),
       packageManager: async ({ workspaceDir }, use) =>
         await use(await parsePackageManager(options.packageManager, workspaceDir)),
diff --git a/packages/cli-v3/e2e/fixtures.ts b/packages/cli-v3/e2e/fixtures.ts
index 95011a36f8d..bdc5dd6bad9 100644
--- a/packages/cli-v3/e2e/fixtures.ts
+++ b/packages/cli-v3/e2e/fixtures.ts
@@ -49,7 +49,7 @@ export const fixturesConfig: TestCase[] = [
       externals: [
         {
           name: "import-in-the-middle",
-          version: "1.11.0",
+          version: "3.0.1",
         },
       ],
       files: [{ entry: "src/trigger/helloWorld.ts" }],
@@ -82,7 +82,7 @@ export const fixturesConfig: TestCase[] = [
         },
         {
           name: "import-in-the-middle",
-          version: "1.11.0",
+          version: "3.0.1",
         },
       ],
       files: [{ entry: "src/trigger/ai.ts" }],
@@ -114,7 +114,7 @@ export const fixturesConfig: TestCase[] = [
       externals: [
         {
           name: "import-in-the-middle",
-          version: "1.11.0",
+          version: "3.0.1",
         },
       ],
       files: [{ entry: "src/trigger/decorators.ts" }],
@@ -145,7 +145,7 @@ export const fixturesConfig: TestCase[] = [
       externals: [
         {
           name: "import-in-the-middle",
-          version: "1.11.0",
+          version: "3.0.1",
         },
       ],
       files: [{ entry: "src/reactEmail.tsx" }],
@@ -178,7 +178,7 @@ export const fixturesConfig: TestCase[] = [
       externals: [
         {
           name: "import-in-the-middle",
-          version: "1.11.0",
+          version: "3.0.1",
         },
         {
           name: "mupdf",
diff --git a/packages/cli-v3/package.json b/packages/cli-v3/package.json
index 24cc211535d..a170baaf11a 100644
--- a/packages/cli-v3/package.json
+++ b/packages/cli-v3/package.json
@@ -1,6 +1,6 @@
 {
   "name": "trigger.dev",
-  "version": "4.4.4",
+  "version": "4.5.0-rc.5",
   "description": "A Command-Line Interface for Trigger.dev projects",
   "type": "module",
   "license": "MIT",
@@ -24,10 +24,12 @@
     "apis",
     "jobs",
     "background jobs",
-    "nextjs"
+    "nextjs",
+    "tanstack-intent"
   ],
   "files": [
-    "dist"
+    "dist",
+    "skills"
   ],
   "bin": {
     "trigger": "./dist/esm/index.js"
@@ -64,7 +66,7 @@
     "cpy-cli": "^5.0.0",
     "execa": "^8.0.1",
     "find-up": "^7.0.0",
-    "rimraf": "^5.0.7",
+    "rimraf": "^6.0.1",
     "ts-essentials": "10.0.1",
     "tshy": "^3.0.2",
     "tsx": "4.17.0"
@@ -86,18 +88,18 @@
     "@clack/prompts": "0.11.0",
     "@depot/cli": "0.0.1-cli.2.80.0",
     "@modelcontextprotocol/sdk": "^1.25.2",
-    "@opentelemetry/api": "1.9.0",
-    "@opentelemetry/api-logs": "0.203.0",
-    "@opentelemetry/exporter-trace-otlp-http": "0.203.0",
-    "@opentelemetry/instrumentation": "0.203.0",
-    "@opentelemetry/instrumentation-fetch": "0.203.0",
-    "@opentelemetry/resources": "2.0.1",
-    "@opentelemetry/sdk-trace-node": "2.0.1",
-    "@opentelemetry/semantic-conventions": "1.36.0",
-    "@s2-dev/streamstore": "^0.22.5",
-    "@trigger.dev/build": "workspace:4.4.4",
-    "@trigger.dev/core": "workspace:4.4.4",
-    "@trigger.dev/schema-to-json": "workspace:4.4.4",
+    "@opentelemetry/api": "1.9.1",
+    "@opentelemetry/api-logs": "0.218.0",
+    "@opentelemetry/exporter-trace-otlp-http": "0.218.0",
+    "@opentelemetry/instrumentation": "0.218.0",
+    "@opentelemetry/instrumentation-fetch": "0.218.0",
+    "@opentelemetry/resources": "2.7.1",
+    "@opentelemetry/sdk-trace-node": "2.7.1",
+    "@opentelemetry/semantic-conventions": "1.41.1",
+    "@s2-dev/streamstore": "^0.22.10",
+    "@trigger.dev/build": "workspace:4.5.0-rc.5",
+    "@trigger.dev/core": "workspace:4.5.0-rc.5",
+    "@trigger.dev/schema-to-json": "workspace:4.5.0-rc.5",
     "ansi-escapes": "^7.0.0",
     "braces": "^3.0.3",
     "c12": "^1.11.1",
@@ -116,7 +118,7 @@
     "gradient-string": "^2.0.2",
     "has-flag": "^5.0.1",
     "ignore": "^7.0.5",
-    "import-in-the-middle": "1.11.0",
+    "import-in-the-middle": "3.0.1",
     "import-meta-resolve": "^4.1.0",
     "ini": "^5.0.0",
     "json-stable-stringify": "^1.3.0",
@@ -140,7 +142,7 @@
     "std-env": "^3.7.0",
     "strip-ansi": "^7.1.0",
     "supports-color": "^10.0.0",
-    "tar": "^7.5.4",
+    "tar": "^7.5.13",
     "tiny-invariant": "^1.2.0",
     "tinyexec": "^0.3.1",
     "tinyglobby": "^0.2.10",
diff --git a/packages/cli-v3/skills/authoring-chat-agent/SKILL.md b/packages/cli-v3/skills/authoring-chat-agent/SKILL.md
new file mode 100644
index 00000000000..257108d05de
--- /dev/null
+++ b/packages/cli-v3/skills/authoring-chat-agent/SKILL.md
@@ -0,0 +1,295 @@
+---
+name: authoring-chat-agent
+description: >
+  Author and run a durable AI chat agent with chat.agent from @trigger.dev/sdk/ai: the per-turn
+  run loop, why you MUST spread ...chat.toStreamTextOptions() first, returning a StreamTextResult
+  vs calling chat.pipe(), the two server actions (chat.createStartSessionAction +
+  auth.createPublicToken), and wiring useChat to useTriggerChatTransport. Load this when building,
+  modifying, or debugging a chat backend (the agent task or its lifecycle hooks) or its React
+  transport, when declaring typed tools or custom data parts, or when migrating a plain AI SDK
+  streamText route to chat.agent.
+type: core
+library: trigger.dev
+library_version: "{{TRIGGER_SDK_VERSION}}"
+sources:
+  - docs/ai-chat/overview.mdx
+  - docs/ai-chat/quick-start.mdx
+  - docs/ai-chat/how-it-works.mdx
+  - docs/ai-chat/backend.mdx
+  - docs/ai-chat/frontend.mdx
+  - docs/ai-chat/reference.mdx
+  - docs/ai-chat/types.mdx
+  - docs/ai-chat/tools.mdx
+  - docs/ai-chat/lifecycle-hooks.mdx
+  - docs/ai-chat/error-handling.mdx
+---
+
+# Authoring a chat agent
+
+A `chat.agent` runs an entire conversation as one long-lived Trigger.dev task. It wakes when a
+message arrives, freezes when none do, and in-memory state survives page refreshes, deploys, idle
+gaps, and crashes. Your code is the loop you would write anyway: messages in, `streamText` out.
+There are no API routes. The frontend talks to the agent through a `TriggerChatTransport`, so
+history accumulates server-side and the client ships only the new message each turn.
+
+Works with Vercel AI SDK v5, v6, or v7. On v7 also install `@ai-sdk/otel` so model calls are traced
+(the SDK registers it for you).
+
+## Setup
+
+Three pieces: the agent task, two server actions, and the frontend transport.
+
+### 1. Define the agent
+
+```ts trigger/chat.ts
+import { chat } from "@trigger.dev/sdk/ai";
+import { streamText, stepCountIs } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  run: async ({ messages, signal }) =>
+    streamText({
+      // Spread this FIRST. See "Common mistakes".
+      ...chat.toStreamTextOptions(),
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    }),
+});
+```
+
+`run` receives `messages` already converted to `ModelMessage[]` (the SDK converts the frontend's
+`UIMessage[]` for you) plus a `signal` that aborts on stop or cancel. Returning the
+`StreamTextResult` auto-pipes it to the frontend.
+
+### 2. Add two server actions
+
+Both run on your server, so the browser never holds your environment secret key. This is also
+where per-user / per-plan authorization and any paired DB writes live.
+
+```ts app/actions.ts
+"use server";
+import { auth } from "@trigger.dev/sdk";
+import { chat } from "@trigger.dev/sdk/ai";
+
+// Creates the Session + first run, returns a session PAT. Idempotent on (env, chatId).
+export const startChatSession = chat.createStartSessionAction("my-chat");
+
+// Pure mint. The transport calls this on 401/403 to refresh an expired token.
+export async function mintChatAccessToken(chatId: string) {
+  return auth.createPublicToken({
+    scopes: { read: { sessions: chatId }, write: { sessions: chatId } },
+    expirationTime: "1h",
+  });
+}
+```
+
+### 3. Wire the frontend
+
+```tsx app/components/chat.tsx
+"use client";
+import { useState } from "react";
+import { useChat } from "@ai-sdk/react";
+import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+import type { myChat } from "@/trigger/chat";
+import { mintChatAccessToken, startChatSession } from "@/app/actions";
+
+export function Chat() {
+  const transport = useTriggerChatTransport<typeof myChat>({
+    task: "my-chat", // typeof myChat gives compile-time task-id validation
+    accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+    startSession: ({ chatId, clientData }) => startChatSession({ chatId, clientData }),
+  });
+
+  const { messages, sendMessage, stop, status } = useChat({ transport });
+  const [input, setInput] = useState("");
+  // render messages, a form that calls sendMessage({ text: input }),
+  // and a Stop button (onClick={stop}) while status === "streaming".
+}
+```
+
+The transport is memoized (created once, reused across renders). Passing `typeof myChat` flows the
+agent's message type through `useChat`.
+
+## Core patterns
+
+### 1. Return vs pipe
+
+Return the `streamText` result from `run` for the simple case. When `streamText` is called deep
+inside nested helpers, call `await chat.pipe(result)` from anywhere in the task instead, and let
+`run` resolve `void`.
+
+```ts
+export const agentChat = chat.agent({
+  id: "agent-chat",
+  run: async ({ messages }) => {
+    await runAgentLoop(messages); // don't return; pipe inside
+  },
+});
+
+async function runAgentLoop(messages: ModelMessage[]) {
+  const result = streamText({
+    ...chat.toStreamTextOptions(),
+    model: anthropic("claude-sonnet-4-5"),
+    messages,
+  });
+  await chat.pipe(result); // works from anywhere in the task
+}
+```
+
+### 2. Typed tools (declare on config AND spread back)
+
+Declare tools on `chat.agent({ tools })`, read them back typed from the `run()` payload, and pass
+that set to `chat.toStreamTextOptions({ tools })`. One declaration flows everywhere.
+
+```ts
+import { tool, stepCountIs } from "ai";
+import { z } from "zod";
+
+const tools = {
+  searchDocs: tool({
+    description: "Search the docs.",
+    inputSchema: z.object({ query: z.string() }),
+    execute: async ({ query }) => searchIndex(query),
+  }),
+};
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  tools, // so toModelOutput survives across turns
+  run: async ({ messages, tools, signal }) =>
+    streamText({
+      ...chat.toStreamTextOptions({ tools }), // same set, handed back typed
+      model: anthropic("claude-sonnet-4-5"),
+      messages,
+      abortSignal: signal,
+      stopWhen: stepCountIs(15),
+    }),
+});
+```
+
+`tools` also accepts a function `(event) => ToolSet` resolved per turn, where `event` carries
+`chatId`, `turn`, `continuation`, and `clientData`.
+
+### 3. Custom data parts (persisted vs transient)
+
+`data-*` parts written via `chat.response.write()` in `run()` (or `writer.write()` in hooks)
+persist into `responseMessage.parts` and surface in `onTurnComplete`. Add `transient: true` to
+stream them without persisting. Writes via `chat.stream` are always ephemeral.
+
+```ts
+// In run() - persists, surfaces in onTurnComplete's responseMessage
+chat.response.write({ type: "data-context", data: { searchResults } });
+
+// In a hook via writer - streams but does NOT persist
+writer.write({ type: "data-progress", id: "search", data: { percent: 50 }, transient: true });
+```
+
+### 4. Custom UIMessage type, client data, and builder hooks
+
+For typed `data-*` parts or a tool map, build the agent through `chat.withUIMessage<T>()` and
+`chat.withClientData({ schema })`. Builder methods chain in any order; builder hooks run before the
+matching task hook. `streamOptions` becomes the default `uiMessageStreamOptions` (shallow-merged,
+agent wins).
+
+```ts
+export const myChat = chat
+  .withUIMessage<MyChatUIMessage>({ streamOptions: { sendReasoning: true } })
+  .withClientData({ schema: z.object({ userId: z.string() }) })
+  .agent({
+    id: "my-chat",
+    tools: myTools,
+    onTurnStart: async ({ uiMessages, writer }) => {
+      writer.write({ type: "data-turn-status", data: { status: "preparing" } });
+    },
+    run: async ({ messages, tools, signal }) =>
+      streamText({ ...chat.toStreamTextOptions({ tools }), model, messages, abortSignal: signal }),
+  });
+```
+
+Build `MyChatUIMessage` as `UIMessage<unknown, MyDataTypes, InferUITools<typeof tools>>` (or, for
+tools only, `InferChatUIMessageFromTools<typeof tools>` from `@trigger.dev/sdk/ai`). On the
+frontend, narrow `useChat` with `InferChatUIMessage<typeof myChat>` from `@trigger.dev/sdk/chat/react`.
+
+### 5. Lifecycle hooks and stop
+
+`chat.agent` accepts hooks that fire in a fixed per-turn order:
+
+```text
+onValidateMessages -> hydrateMessages -> onChatStart (chat's first message only)
+  -> onTurnStart -> run() -> onBeforeTurnComplete -> onTurnComplete
+```
+
+`onBoot` fires once per worker process (every fresh boot, including continuation runs) and is where
+`chat.local`, DB connections, and per-process state belong. `onChatStart` fires only on the chat's
+first message. Suspend/resume use `onChatSuspend` / `onChatResume`. Config options include
+`tools`, `clientDataSchema`, `maxTurns` (100), `turnTimeout` ("1h"), `idleTimeoutInSeconds` (30),
+`uiMessageStreamOptions`, and `exitAfterPreloadIdle`. There is no generic `retry`; `chat.agent`
+runs with `maxAttempts: 1` internally.
+
+Stop is load-bearing: the `signal` passed to `run` aborts on stop or cancel. Forward it as
+`abortSignal` to `streamText`, or the Stop button updates the UI while the model keeps generating
+server-side.
+
+```ts
+run: async ({ messages, signal }) =>
+  streamText({ ...chat.toStreamTextOptions(), model, messages, abortSignal: signal, stopWhen: stepCountIs(15) });
+```
+
+### 6. Migrating from a plain AI SDK `streamText` route
+
+There is no API route in this model. The transport replaces the route round-trip, so:
+
+- Delete the route handler. Move per-request auth into the two server actions from Setup step 2.
+- Move the `streamText` call into `run`. It already receives pre-converted `ModelMessage[]`.
+- Return the `StreamTextResult` (it auto-pipes) and add `...chat.toStreamTextOptions()` first.
+- On the client, swap the `api` URL for `useTriggerChatTransport`; `useChat` stays the same shape.
+
+## Common mistakes
+
+- **CRITICAL: forgetting `...chat.toStreamTextOptions()`.**
+  ```ts
+  // Wrong - compaction / steering / background injection silently no-op
+  return streamText({ model, messages, abortSignal: signal });
+  // Correct - spread FIRST so explicit overrides win
+  return streamText({ ...chat.toStreamTextOptions(), model, messages, abortSignal: signal });
+  ```
+  It wires the `prepareStep` callback behind compaction, mid-turn steering, and background
+  injection, injects the system prompt from `chat.prompt()`, resolves the registry model, and adds
+  telemetry. Omitting it makes all of those silently no-op with no error.
+
+- **Declaring tools only on `streamText`.** Also declare them on `chat.agent({ tools })`, read them
+  back from `run`, and pass `chat.toStreamTextOptions({ tools })`. Otherwise each tool's
+  `toModelOutput` runs on turn 1 but is dropped when history is re-converted on later turns.
+
+- **Not forwarding `signal` for stop.** Without `abortSignal: signal`, Stop updates the UI but the
+  model keeps generating server-side.
+
+- **Initializing `chat.local` in `onChatStart`.** Initialize it in `onBoot`. `onChatStart` fires
+  once per chat, so continuation runs skip it and crash with
+  `chat.local can only be modified after initialization`. `onBoot` fires on every fresh worker.
+
+- **Minting tokens in the browser.** Never expose the environment secret key client-side. Mint via
+  the two server actions; the transport calls them.
+
+- **Clearing `lastEventId` on `chat.endRun()`.** Keep the cursor for the Session lifetime; clear it
+  only when the Session itself closes. It is sessionId-keyed, so clearing forces a resubscribe from
+  `seq_num=0` that can hit the prior turn's stale `turn-complete` and close the stream empty.
+
+- **Returning the raw error from `uiMessageStreamOptions.onError`.** It leaks internals (keys,
+  stack traces). Return a sanitized string instead.
+
+## References
+
+- `chat-agent-advanced` skill - lifecycle hooks in depth, sessions, raw-task primitives
+  (`chat.createSession`, `chat.customAgent`, `chat.stream`), compaction, HITL approvals, recovery.
+- `realtime-and-frontend` skill - Realtime hooks and frontend streaming beyond the chat transport.
+- `authoring-tasks` skill - base `task()` semantics, `ctx`, and standard lifecycle hooks.
+- Docs: /ai-chat/quick-start, /ai-chat/backend, /ai-chat/tools, /ai-chat/types, /ai-chat/frontend
+
+## Version
+
+Generated for `@trigger.dev/sdk` `{{TRIGGER_SDK_VERSION}}`. Re-run the trigger.dev skills installer
+after upgrading.
diff --git a/packages/cli-v3/skills/authoring-tasks/SKILL.md b/packages/cli-v3/skills/authoring-tasks/SKILL.md
new file mode 100644
index 00000000000..6ff10209dda
--- /dev/null
+++ b/packages/cli-v3/skills/authoring-tasks/SKILL.md
@@ -0,0 +1,255 @@
+---
+name: authoring-tasks
+description: >
+  Covers writing backend Trigger.dev tasks with @trigger.dev/sdk: defining task() and
+  schemaTask(), the run function and its ctx, retries, waits, queues and concurrency,
+  idempotency keys, run metadata, logging, triggering other tasks (and the Result shape),
+  scheduled/cron tasks, and the essentials of trigger.config.ts. Load this whenever you are
+  authoring or editing code inside a /trigger directory, defining a task, or writing backend
+  code that triggers tasks. Realtime/React hooks and AI chat are covered by separate skills.
+type: core
+library: trigger.dev
+library_version: "{{TRIGGER_SDK_VERSION}}"
+sources:
+  - docs/tasks/overview.mdx
+  - docs/tasks/schemaTask.mdx
+  - docs/tasks/scheduled.mdx
+  - docs/triggering.mdx
+  - docs/queue-concurrency.mdx
+  - docs/idempotency.mdx
+  - docs/runs/metadata.mdx
+  - docs/logging.mdx
+  - docs/errors-retrying.mdx
+  - docs/wait.mdx
+  - docs/wait-for.mdx
+  - docs/wait-until.mdx
+  - docs/wait-for-token.mdx
+  - docs/context.mdx
+  - docs/config/config-file.mdx
+---
+
+# Authoring Trigger.dev Tasks
+
+Tasks are functions that can run for a long time with strong resilience to failure. Define them in files under your `/trigger` directory. Always import from `@trigger.dev/sdk`. Never import from `@trigger.dev/sdk/v3` (deprecated alias) or `@trigger.dev/core`.
+
+## Setup
+
+```ts
+// /trigger/hello-world.ts
+import { task } from "@trigger.dev/sdk";
+
+export const helloWorld = task({
+  id: "hello-world", // unique within the project
+  run: async (payload: { message: string }, { ctx }) => {
+    console.log(payload.message, "attempt", ctx.attempt.number);
+    return { ok: true }; // must be JSON serializable
+  },
+});
+```
+
+The `run` function receives the payload and a second argument with `ctx` (run context), an abort `signal`, and a deprecated `init` output. The return value is the task output and must be JSON serializable.
+
+## Core patterns
+
+### 1. Validate the payload with `schemaTask`
+
+`schema` accepts a Zod / Yup / Superstruct / ArkType / valibot / typebox parser or a custom `(data: unknown) => T` function. A validation failure throws `TaskPayloadParsedError` and skips retrying.
+
+```ts
+import { schemaTask } from "@trigger.dev/sdk";
+import { z } from "zod";
+
+export const createUser = schemaTask({
+  id: "create-user",
+  schema: z.object({ name: z.string(), age: z.number() }),
+  run: async (payload) => ({ greeting: `Hi ${payload.name}` }),
+});
+```
+
+### 2. Configure retries and abort early
+
+The default `maxAttempts` is 3. Throw `AbortTaskRunError` to stop retrying immediately. Task-level `retry` overrides the config-file defaults.
+
+```ts
+import { task, AbortTaskRunError } from "@trigger.dev/sdk";
+
+export const charge = task({
+  id: "charge",
+  retry: { maxAttempts: 5, factor: 1.8, minTimeoutInMs: 500, maxTimeoutInMs: 30_000, randomize: true },
+  run: async (payload: { amount: number }) => {
+    if (payload.amount <= 0) throw new AbortTaskRunError("Invalid amount"); // no retry
+    // work that may throw and retry
+  },
+});
+```
+
+For finer control, `catchError: async ({ payload, error, ctx, retryAt }) => {...}` can return `{ skipRetrying: true }`, `{ retryAt: Date }`, or `undefined` (use normal logic). `retry.onThrow`, `retry.fetch`, also exist for in-task retrying.
+
+### 3. Trigger another task and handle the Result
+
+From inside a task use `yourTask.triggerAndWait(payload)`. The result is a Result object that you must check (`ok`), or `.unwrap()` to throw on failure.
+
+```ts
+export const parentTask = task({
+  id: "parent-task",
+  run: async () => {
+    const result = await childTask.triggerAndWait({ data: "x" });
+    if (result.ok) return result.output; // typed child output
+    console.error("child failed", result.error);
+    // or: const output = await childTask.triggerAndWait({ data: "x" }).unwrap();
+  },
+});
+```
+
+`SubtaskUnwrapError` carries `runId`, `taskId`, and `cause`. For fan-out use `childTask.batchTriggerAndWait([{ payload: a }, { payload: b }])`; the result has a `.runs` array, each entry `{ ok, id, output?, error?, taskIdentifier }`.
+
+### 4. Trigger from backend code with a type-only import
+
+Outside a task, import the task type only and trigger by id. Do not import the task instance into backend bundles.
+
+```ts
+import { tasks } from "@trigger.dev/sdk";
+import type { emailSequence } from "~/trigger/emails";
+
+const handle = await tasks.trigger<typeof emailSequence>(
+  "email-sequence",
+  { to: "a@b.com", name: "Ada" },
+  { delay: "1h" }
+);
+```
+
+`tasks.batchTrigger` and `batch.trigger([{ id, payload }])` cover batches. Trigger options include `delay`, `ttl`, `idempotencyKey`, `idempotencyKeyTTL`, `debounce`, `queue`, `concurrencyKey`, `maxAttempts`, `tags`, `metadata`, `priority`, `region`, and `machine`. Inspect runs with `runs.retrieve`, `runs.cancel`, and `runs.reschedule`.
+
+### 5. Idempotency keys
+
+`idempotencyKeys.create(key, { scope })` returns a 64-char hashed key. A raw string key defaults to `"run"` scope (v4.3.1+); for once-ever behavior use `scope: "global"`.
+
+```ts
+import { idempotencyKeys, task } from "@trigger.dev/sdk";
+
+export const processOrder = task({
+  id: "process-order",
+  run: async (payload: { orderId: string; email: string }) => {
+    const key = await idempotencyKeys.create(`confirm-${payload.orderId}`);
+    await sendEmail.trigger({ to: payload.email }, { idempotencyKey: key });
+  },
+});
+```
+
+### 6. Waits and run metadata
+
+`wait.for({ seconds })` and `wait.until({ date })` durably pause the run. `metadata.*` is readable and writable only inside `run()`; updates are synchronous and chainable (`set`, `del`, `replace`, `append`, `remove`, `increment`, `decrement`).
+
+```ts
+import { task, metadata, wait } from "@trigger.dev/sdk";
+
+export const importer = task({
+  id: "importer",
+  run: async (payload: { rows: unknown[] }) => {
+    metadata.set("status", "processing").set("total", payload.rows.length);
+    await wait.for({ seconds: 5 });
+    metadata.set("status", "complete");
+  },
+});
+```
+
+For human-in-the-loop, `wait.createToken({ timeout, tags })` returns `{ id, url, publicAccessToken, ... }`; resume with `wait.forToken<T>(token: string | { id: string })` which returns `{ ok, output?, error? }` (or `.unwrap()`), and complete it elsewhere with `wait.completeToken(tokenId, output)`. Metadata max is 256KB and is not propagated to child tasks; push values to a parent with `metadata.parent.*` / `metadata.root.*`. (`metadata.stream` is deprecated since 4.1.0 in favor of `streams.pipe()`.)
+
+### 7. Scheduled (cron) tasks
+
+```ts
+import { schedules } from "@trigger.dev/sdk";
+
+export const dailyReport = schedules.task({
+  id: "daily-report",
+  cron: { pattern: "0 5 * * *", timezone: "Asia/Tokyo" },
+  run: async (payload) => {
+    console.log("scheduled at", payload.timestamp, "next", payload.upcoming);
+  },
+});
+```
+
+The payload includes `timestamp`, `lastTimestamp`, `timezone`, `scheduleId`, `externalId`, and `upcoming`. Attach schedules dynamically with `schedules.create({ task, cron, timezone?, externalId?, deduplicationKey })` (the dedup key is required and per-project), plus `retrieve / list / update / activate / deactivate / del / timezones`.
+
+### 8. Queues and concurrency
+
+Set `queue: { concurrencyLimit }` on a task, or share a queue across tasks:
+
+```ts
+import { queue, task } from "@trigger.dev/sdk";
+
+export const emails = queue({ name: "emails", concurrencyLimit: 5 });
+
+export const sendEmail = task({ id: "send-email", queue: emails, run: async () => {} });
+```
+
+At trigger time override with `{ queue: "queue-name" }` and add `concurrencyKey` for per-tenant queues. Manage queues with `queues.list / retrieve / pause / resume / overrideConcurrencyLimit / resetConcurrencyLimit`.
+
+### 9. `trigger.config.ts` essentials
+
+```ts
+import { defineConfig } from "@trigger.dev/sdk";
+
+export default defineConfig({
+  project: "<project ref>",
+  dirs: ["./trigger"],
+  machine: "small-1x",
+  retries: {
+    enabledInDev: false,
+    default: { maxAttempts: 3, factor: 2, minTimeoutInMs: 1000, maxTimeoutInMs: 10000, randomize: true },
+  },
+});
+```
+
+`build.external` controls which packages stay out of the bundle. Build extensions (`additionalFiles`, `prismaExtension`, `puppeteer`, `ffmpeg`, `aptGet`, etc.) come from `@trigger.dev/build`. `telemetry` configures instrumentations and exporters.
+
+### Logging
+
+`logger.debug / log / info / warn / error(message, dataRecord?)` write structured logs; `logger.trace(name, async (span) => {...})` adds a span. Module-level metrics use `otel.metrics.getMeter(name)`.
+
+## Common mistakes
+
+1. **CRITICAL: Treating the wait result as the output.** `triggerAndWait` and `wait.forToken` return a Result object, not the raw output.
+   - Wrong: `const out = await childTask.triggerAndWait(p); use(out.foo);`
+   - Correct: `const r = await childTask.triggerAndWait(p); if (r.ok) use(r.output.foo);` (or `.unwrap()`).
+
+2. **Wrapping `triggerAndWait` / `batchTriggerAndWait` / `wait` in `Promise.all`.**
+   - Wrong: `await Promise.all([childTask.triggerAndWait(a), childTask.triggerAndWait(b)]);`
+   - Correct: `await childTask.batchTriggerAndWait([{ payload: a }, { payload: b }]);` (or a sequential for-loop).
+
+3. **Importing the task instance into backend code.**
+   - Wrong: `import { emailSequence } from "~/trigger/emails";` in a route handler.
+   - Correct: `import type { emailSequence }` plus `tasks.trigger<typeof emailSequence>("email-sequence", payload)`.
+
+4. **Calling `metadata.set/get` outside `run()`.**
+   - Wrong: setting metadata at module scope or in unrelated backend code (a no-op; `get` returns `undefined`).
+   - Correct: call inside `run()` or a task lifecycle hook.
+
+5. **Assuming child tasks inherit the parent's queue or metadata.**
+   - Wrong: expecting a subtask to share the parent's `concurrencyLimit` or see its metadata.
+   - Correct: subtasks run on their own queue; pass metadata explicitly via `{ metadata: metadata.current() }`, or push up with `metadata.parent.*`.
+
+6. **Bundling native/WASM packages.**
+   - Wrong: leaving `sharp`, `re2`, `sqlite3`, or WASM packages in the default bundle.
+   - Correct: add them to `build.external` in `trigger.config.ts`.
+
+7. **Relying on a raw string idempotency key being global.**
+   - Wrong: `trigger(p, { idempotencyKey: "welcome-email" })` expecting once-ever (true only in v4.3.0 and earlier).
+   - Correct: `await idempotencyKeys.create("welcome-email", { scope: "global" })`.
+
+## References
+
+Sibling skills:
+
+- **realtime-and-frontend** for subscribing to runs and triggering from the frontend with React hooks.
+- **authoring-chat-agent** and **chat-agent-advanced** for building AI chat agents.
+
+Docs:
+
+- [Tasks overview](https://trigger.dev/docs/tasks/overview)
+- [Triggering](https://trigger.dev/docs/triggering)
+- [Configuration file](https://trigger.dev/docs/config/config-file)
+
+## Version
+
+Generated for @trigger.dev/sdk {{TRIGGER_SDK_VERSION}}. Re-run the trigger.dev skills installer after upgrading.
diff --git a/packages/cli-v3/skills/chat-agent-advanced/SKILL.md b/packages/cli-v3/skills/chat-agent-advanced/SKILL.md
new file mode 100644
index 00000000000..68ce1c6b066
--- /dev/null
+++ b/packages/cli-v3/skills/chat-agent-advanced/SKILL.md
@@ -0,0 +1,367 @@
+---
+name: chat-agent-advanced
+description: >
+  Advanced and operational chat.agent capabilities for Trigger.dev, loaded on demand. Load this when
+  working on the raw Sessions primitive (sessions / SessionHandle), a custom chat transport or the
+  realtime wire protocol, durable sub-agents (AgentChat, chat.stream.writer), human-in-the-loop,
+  steering, actions, background injection (chat.defer / chat.inject), fast starts (preload, Head
+  Start via @trigger.dev/sdk/chat-server), context resilience (compaction, recovery boot, OOM, large
+  payloads), chat.local run-scoped state, offline testing with mockChatAgent, or prerelease/version
+  upgrades. For the everyday chat.agent({...}) definition and the useTriggerChatTransport happy path,
+  use the authoring-chat-agent skill instead.
+type: core
+library: trigger.dev
+library_version: "{{TRIGGER_SDK_VERSION}}"
+sources:
+  - docs/ai-chat/sessions.mdx
+  - docs/ai-chat/server-chat.mdx
+  - docs/ai-chat/client-protocol.mdx
+  - docs/ai-chat/pending-messages.mdx
+  - docs/ai-chat/actions.mdx
+  - docs/ai-chat/background-injection.mdx
+  - docs/ai-chat/compaction.mdx
+  - docs/ai-chat/fast-starts.mdx
+  - docs/ai-chat/chat-local.mdx
+  - docs/ai-chat/mcp.mdx
+  - docs/ai-chat/testing.mdx
+  - docs/ai-chat/upgrade-guide.mdx
+  - docs/ai-chat/patterns/sub-agents.mdx
+  - docs/ai-chat/patterns/human-in-the-loop.mdx
+  - docs/ai-chat/patterns/persistence-and-replay.mdx
+  - docs/ai-chat/patterns/recovery-boot.mdx
+  - docs/ai-chat/patterns/oom-resilience.mdx
+  - docs/ai-chat/patterns/large-payloads.mdx
+  - docs/ai-chat/patterns/version-upgrades.mdx
+  - docs/ai-chat/tools.mdx
+---
+
+# chat.agent: advanced and operational
+
+`chat.agent` is built on **Sessions**: a durable, task-bound, bi-directional I/O channel pair keyed
+on a stable `externalId` (e.g. `chatId`) that outlives any single run. This skill covers the layers
+beneath and around the everyday agent: the raw `sessions` API, server-side `AgentChat`, durable
+sub-agents, actions / background injection, fast starts, compaction and recovery, and the wire
+protocol for custom transports.
+
+Two `chat` namespaces are easy to confuse: the agent definition imports `chat` from
+`@trigger.dev/sdk/ai`; Head Start / Node-listener server entries import `chat` from
+`@trigger.dev/sdk/chat-server`.
+
+## Setup
+
+Happy path: drive an agent from server-side code (task, webhook, or script) with `AgentChat`.
+
+```ts
+import { AgentChat } from "@trigger.dev/sdk/chat";
+import type { myAgent } from "./trigger/my-agent";
+
+const chat = new AgentChat<typeof myAgent>({ agent: "my-chat", clientData: { userId: "user_123" } });
+const stream = await chat.sendMessage("Review PR #42");
+const text = await stream.text();
+await chat.close();
+```
+
+`sendMessage()` triggers a run on the first call, then reuses it via input streams. `ChatStream`
+exposes `text()`, `result()` (`{ text, toolCalls, toolResults }`), `messages()` (UIMessage
+snapshots), and the raw `.stream`. Other methods: `steer(text)`, `stop()`, `sendRaw(uiMessages)`,
+`sendAction(action)`, `preload()`, `reconnect()`.
+
+## Core patterns
+
+### 1. Raw Sessions for non-chat, bi-directional I/O
+
+Reach for `sessions` directly when the chat abstraction does not fit: agent inboxes, approval flows,
+server-to-server pipelines. `sessions.start` is idempotent on `(env, externalId)`; `externalId`
+cannot start with `session_`.
+
+```ts
+import { sessions } from "@trigger.dev/sdk";
+
+const { id, publicAccessToken } = await sessions.start({
+  type: "chat.agent",
+  externalId: chatId,
+  taskIdentifier: "my-chat",
+  triggerConfig: { tags: [`chat:${chatId}`], basePayload: { chatId, trigger: "preload" } },
+});
+
+const session = sessions.open(chatId); // no network call; methods are lazy
+await session.out.append({ kind: "message", text: "hello" });
+const next = await session.in.once<MyEvent>({ timeoutMs: 30_000 });
+```
+
+`sessions.open(id).in` also has `send`, `on(handler)`, `peek`, `wait` (suspends the run, only inside
+`task.run()`), and `waitWithIdleTimeout`. `.out` has `append`, `pipe`, `writer`, `read`,
+`writeControl`, and `trimTo`. List with `sessions.list({ type, tag, status, ... })` (`for await`),
+mutate with `sessions.update`, end with `sessions.close` (terminal, idempotent).
+
+### 2. Durable sub-agent as a streaming tool
+
+`AgentChat` inside an AI SDK `tool()` delegates to a durable sub-agent; its response streams as
+preliminary tool results. Give the tool a `toModelOutput` so the model sees a compact summary.
+
+```ts
+import { tool } from "ai";
+import { AgentChat } from "@trigger.dev/sdk/chat";
+import { z } from "zod";
+
+const researchTool = tool({
+  description: "Delegate research to a specialist agent.",
+  inputSchema: z.object({ topic: z.string() }),
+  execute: async function* ({ topic }, { abortSignal }) {
+    const chat = new AgentChat({ agent: "research-agent" });
+    const stream = await chat.sendMessage(topic, { abortSignal });
+    yield* stream.messages(); // UIMessage snapshots become preliminary tool results
+    await chat.close();
+  },
+  toModelOutput: ({ output: message }) => {
+    const lastText = message?.parts?.findLast((p: { type: string }) => p.type === "text") as
+      | { text?: string }
+      | undefined;
+    return { type: "text", value: lastText?.text ?? "Done." };
+  },
+});
+```
+
+For a subtask exposed via `execute: ai.toolExecute(task)`, stream progress to the agent's run with
+`chat.stream.writer({ target: "root" })`. `target` accepts `"self" | "parent" | "root" | <runId>`.
+Inside the subtask, read context with `ai.toolCallId()` and `ai.chatContextOrThrow<typeof myChat>()`
+(`{ chatId, turn, continuation, clientData }`).
+
+```ts
+import { chat, ai } from "@trigger.dev/sdk/ai";
+
+const { waitUntilComplete } = chat.stream.writer({
+  target: "root",
+  execute: ({ write }) =>
+    write({ type: "data-research-status", id: partId, data: { query, status: "in-progress" } }),
+});
+await waitUntilComplete();
+```
+
+### 3. Background injection: defer + inject
+
+`chat.defer(promise)` runs work in parallel with streaming (all deferred promises are awaited, with a
+5s timeout, before `onTurnComplete`). `chat.inject(messages)` queues `ModelMessage[]` that drain at
+the next turn start or `prepareStep` boundary.
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  onTurnComplete: async ({ messages }) => {
+    chat.defer(
+      (async () => {
+        const analysis = await analyzeConversation(messages);
+        chat.inject([{ role: "system", content: `[Analysis]\n\n${analysis}` }]);
+      })()
+    );
+  },
+  run: async ({ messages, signal }) =>
+    streamText({ ...chat.toStreamTextOptions({ registry }), messages, abortSignal: signal, stopWhen: stepCountIs(15) }),
+});
+```
+
+### 4. Compaction (threshold-based)
+
+`compaction.shouldCompact` decides when, `summarize` produces the summary that replaces the model
+messages. UI messages are preserved by default (customize via `compactUIMessages`). The `prepareStep`
+that performs inner-loop compaction is auto-injected by `chat.toStreamTextOptions()`; a `prepareStep`
+you pass after the spread wins.
+
+```ts
+compaction: {
+  shouldCompact: ({ totalTokens }) => (totalTokens ?? 0) > 80_000,
+  summarize: async ({ messages }) =>
+    (await generateText({
+      model: anthropic("claude-haiku-4-5"),
+      messages: [...messages, { role: "user", content: "Summarize concisely." }],
+    })).text,
+},
+```
+
+### 5. Actions: mutate state without a turn
+
+`actionSchema` validates; `onAction` mutates via `chat.history` (`slice`, `replace`, `rollbackTo`,
+`remove`, `getPendingToolCalls`, `extractNewToolResults`). Actions fire `hydrateMessages` and
+`onAction` only, never `run()` or the turn hooks. Return a `StreamTextResult`, string, or `UIMessage`
+to also emit a model response.
+
+```ts
+export const myChat = chat.agent({
+  id: "my-chat",
+  actionSchema: z.discriminatedUnion("type", [
+    z.object({ type: z.literal("undo") }),
+    z.object({ type: z.literal("rollback"), targetMessageId: z.string() }),
+  ]),
+  onAction: async ({ action }) => {
+    if (action.type === "undo") chat.history.slice(0, -2);
+    if (action.type === "rollback") chat.history.rollbackTo(action.targetMessageId);
+  },
+  run: async ({ messages, signal }) => streamText({ model: anthropic("claude-sonnet-4-5"), messages, abortSignal: signal }),
+});
+```
+
+Send from the browser with `transport.sendAction(chatId, { type: "undo" })`, or server-side with
+`agentChat.sendAction({ type: "rollback", targetMessageId: "msg-3" })`.
+
+### 6. Fast starts: Head Start
+
+`chat.headStart` (from `@trigger.dev/sdk/chat-server`, NOT `/ai`) returns a Web Fetch handler that
+serves turn 1 from your own warm process, then hands off to the agent on turn 2+. Tools passed here
+must be **schema-only** (a module importing `ai` + `zod` only); heavy executes stay in the task.
+
+```ts
+import { chat } from "@trigger.dev/sdk/chat-server";
+import { streamText, stepCountIs } from "ai";
+import { anthropic } from "@ai-sdk/anthropic";
+import { headStartTools } from "@/lib/chat-tools/schemas";
+
+export const chatHandler = chat.headStart({
+  agentId: "my-chat",
+  run: async ({ chat: helper }) =>
+    streamText({
+      ...helper.toStreamTextOptions({ tools: headStartTools }),
+      model: anthropic("claude-sonnet-4-6"),
+      system: "You are helpful.",
+      stopWhen: stepCountIs(15),
+    }),
+});
+// Next.js: export const POST = chatHandler;  Transport: headStart: "/api/chat"
+```
+
+Node-only frameworks wrap a Web Fetch handler with `chat.toNodeListener(handler)`. Use the **same
+model** on both sides to avoid a tone shift between turn 1 and turn 2+.
+
+### 7. chat.local: init in onBoot, not onChatStart
+
+`chat.local<T>({ id })` is module-level, shallow-proxy, run-scoped state. Initialize it in `onBoot`
+(fires on every fresh worker, including continuation runs), never `onChatStart`.
+
+```ts
+const userContext = chat.local<{ name: string; plan: "free" | "pro" }>({ id: "userContext" });
+
+export const myChat = chat.agent({
+  id: "my-chat",
+  onBoot: async ({ clientData }) => userContext.init({ name: "Alice", plan: "pro" }),
+  run: async ({ messages, signal }) => streamText({ /* ... */ }),
+});
+```
+
+### 8. Pending messages (mid-stream user input)
+
+A message sent while a turn is streaming should NOT cancel the stream. Configure
+`pendingMessages` (`shouldInject`, `prepare`, `onReceived`, `onInjected`) on the agent so the SDK's
+auto-injected `prepareStep` folds them in at the next boundary. On the frontend, `usePendingMessages`
+returns `pending`, `steer(text)`, `queue(text)`, and `promoteToSteering(id)`; send via
+`transport.sendPendingMessage(chatId, uiMessage, metadata?)`.
+
+### 9. Recovery and version upgrades
+
+`onRecoveryBoot` fires only when a **partial assistant message exists on the tail** (interrupted
+deploy, crash, OOM retry). It does NOT fire on `chat.requestUpgrade()`, which is a graceful exit with
+no partial. `chat.requestUpgrade()` (called in `onTurnStart` / `onValidateMessages` to skip `run()`,
+or in `run()` / `chat.defer()` to exit after the turn) rotates the Session's `currentRunId` to a run
+on the latest deployment without a client reconnect. Pair it with a contract version on `clientData`.
+
+```ts
+const SUPPORTED_VERSIONS = new Set(["v2", "v3"]);
+onTurnStart: async ({ clientData }) => {
+  if (clientData?.protocolVersion && !SUPPORTED_VERSIONS.has(clientData.protocolVersion)) {
+    chat.requestUpgrade();
+  }
+},
+```
+
+For OOM resilience, set `oomMachine` (and `machine`) on the agent so retries land on a larger preset.
+
+### 10. Offline testing with mockChatAgent
+
+`@trigger.dev/sdk/ai/test` runs the real turn loop in-memory. Import it **before** the agent module
+so the resource catalog is installed. Drive with `sendMessage`, `sendRegenerate`, `sendAction`,
+`sendStop`, `sendHeadStart`, `sendHandover`; seed state with `seedSnapshot` / `seedSessionOutTail` /
+`seedSessionOutPartial` / `seedSessionInTail`; assert against `turn.chunks` and `harness.allChunks`.
+
+```ts
+import { mockChatAgent } from "@trigger.dev/sdk/ai/test"; // BEFORE the agent module
+import { myChatAgent } from "./my-chat.js";
+
+const harness = mockChatAgent(myChatAgent, { chatId: "test-1", clientData: { model } });
+try {
+  const turn = await harness.sendMessage({ id: "u1", role: "user", parts: [{ type: "text", text: "hi" }] });
+  // assert against turn.chunks
+} finally {
+  await harness.close();
+}
+```
+
+Options include `mode` (`"preload" | "submit-message" | "handover-prepare" | "continuation"`),
+`preload`, `continuation`, `previousRunId`, `snapshot`, `taskContext`, and `setupLocals`. Set
+`taskContext.ctx.attempt.number > 1` to simulate an OOM-retry attempt. `runInMockTaskContext` drives a
+non-chat task offline.
+
+### 11. Custom transport: the wire protocol
+
+Endpoints: `POST /api/v1/sessions` (create), `GET /realtime/v1/sessions/{id}/out` (SSE),
+`POST /realtime/v1/sessions/{id}/in/append`, `POST /api/v1/sessions/{id}/close`. `ChatInputChunk` is
+`{ kind: "message"; payload: ChatTaskWirePayload } | { kind: "stop"; message? }`. The
+`ChatTaskWirePayload` carries `chatId`, `trigger` (`submit-message | regenerate-message | preload |
+close | action | handover-prepare`), `message?`, `metadata?`, `action?`, `continuation?`,
+`previousRunId?`, and more. Control records are header-form: `trigger-control: turn-complete` (with
+optional `public-access-token`, `session-in-event-id`) and `trigger-control: upgrade-required`. The
+TS helpers `SSEStreamSubscription` and `controlSubtype(headers)` (documented in
+`docs/ai-chat/client-protocol.mdx`) handle batch decoding and control-record filtering for you.
+
+## Common mistakes
+
+- **CRITICAL: sending a follow-up by re-POSTing `POST /api/v1/sessions`.**
+  ```ts
+  // Wrong - a cached re-POST silently drops basePayload.message; basePayload is trigger config, not a channel
+  await fetch("/api/v1/sessions", { method: "POST", body: JSON.stringify({ ...createBody }) });
+  // Correct - append to the session's input channel
+  await fetch(`/realtime/v1/sessions/${id}/in/append`, { method: "POST", body: JSON.stringify({ kind: "message", payload }) });
+  ```
+
+- **Using the wrong token for `.in` / `.out`.** Use `publicAccessToken` from the create response
+  body (session-scoped). The `x-trigger-jwt` response header is run-scoped and cannot subscribe.
+
+- **Initializing `chat.local` in `onChatStart`.** It is skipped on continuation runs, so `run()`
+  crashes with `chat.local can only be modified after initialization`. Init in `onBoot`.
+
+- **`chat.defer` for the message-history write.** A mid-stream refresh would read `[]`. `await` that
+  write inline before the model streams; reserve `chat.defer` for analytics, audit, cache warming.
+
+- **Giving the HITL tool an `execute`.** `streamText` calls it immediately. Leave it execute-less;
+  the frontend supplies the answer via `addToolOutput` + `sendAutomaticallyWhen`.
+
+- **Declaring sub-agent / heavy tools only on `streamText`.** Also declare them on
+  `chat.agent({ tools })` (or pass to `convertToModelMessages(uiMessages, { tools })` in a custom
+  agent) so `toModelOutput` re-applies on every turn.
+
+- **Importing heavy-execute tools into the Head Start route module.** This is a build-time import
+  chain problem; runtime strip helpers do not fix it. Keep schemas in an `ai` + `zod`-only module.
+
+- **Returning a megabyte tool output on the stream.** One `tool-output-available` record over ~1 MiB
+  throws `ChatChunkTooLargeError`. Persist to your store, write the row first, then emit only an id.
+
+- **Setting `X-Peek-Settled: 1` on the active-send path.** It races the new turn's first chunk and
+  closes the stream early. Use it only on reconnect-on-reload paths.
+
+> Note on docs vocabulary: agent-side examples in some docs still use the legacy
+> `trigger:turn-complete` chunk type. That is the agent-emit vocabulary. A custom **reader** must
+> filter on the `trigger-control` header, not on `chunk.type`.
+>
+> MCP-driven agent chats (`list_agents`, `start_agent_chat`, `send_agent_message`,
+> `close_agent_chat`) are MCP server tools used from Claude Code / Cursor, not importable SDK
+> functions. See `/mcp-tools#agent-chat-tools`.
+
+## References
+
+- `authoring-chat-agent` skill - the everyday `chat.agent({...})` definition, lifecycle hooks, and
+  the `useTriggerChatTransport` happy path. Start there before reaching for this skill.
+- `realtime-and-frontend` skill - Realtime hooks and frontend streaming beyond the chat transport.
+- `authoring-tasks` skill - base `task()` semantics, `ctx`, and standard lifecycle hooks.
+- Docs: /ai-chat/sessions, /ai-chat/server-chat, /ai-chat/client-protocol
+
+## Version
+
+Generated for `@trigger.dev/sdk` `{{TRIGGER_SDK_VERSION}}`. Re-run the trigger.dev skills installer
+after upgrading.
diff --git a/packages/cli-v3/skills/getting-started/SKILL.md b/packages/cli-v3/skills/getting-started/SKILL.md
new file mode 100644
index 00000000000..a84243bd398
--- /dev/null
+++ b/packages/cli-v3/skills/getting-started/SKILL.md
@@ -0,0 +1,214 @@
+---
+name: getting-started
+description: >
+  Bootstrap Trigger.dev into an existing project from scratch: authenticate the
+  CLI, install @trigger.dev/sdk and @trigger.dev/build, write trigger.config.ts
+  with the project ref and task dirs, scaffold a /trigger directory with a first
+  task, wire tsconfig and .gitignore, set TRIGGER_SECRET_KEY, and run the dev
+  server. Load this when a project has no trigger.config.ts yet and the user
+  asks to "add Trigger.dev", "set up Trigger.dev", "initialize Trigger.dev", or
+  get a first task running, including in a monorepo. Once the project is set up
+  and you are writing task code, switch to the authoring-tasks skill.
+type: core
+library: trigger.dev
+library_version: "{{TRIGGER_SDK_VERSION}}"
+sources:
+  - docs/quick-start.mdx
+  - docs/manual-setup.mdx
+  - docs/config/config-file.mdx
+  - docs/triggering.mdx
+---
+
+# Getting started with Trigger.dev
+
+Set up Trigger.dev in an existing project. The end state is: the SDK installed, a
+`trigger.config.ts` pointing at a project ref, a `/trigger` directory with at least
+one exported task, and `trigger dev` running so the task shows up in the dashboard.
+
+The fastest path is the CLI's own wizard, which performs every mechanical step below
+and also offers to install the MCP server and these agent skills:
+
+```bash
+npx trigger.dev@latest init
+```
+
+Prefer `init` when you can. Do the manual steps further down when `init` does not fit
+(monorepos, an existing config to extend, or a non-interactive environment).
+
+## Two steps need the human
+
+Most of setup is automatable, but two steps require a person and cannot be done
+headlessly. When you reach them, stop and ask the user to do them, then continue:
+
+1. **Authenticating the CLI.** `npx trigger.dev@latest login` opens a browser for the
+   user to sign in. If they have no account, point them to https://cloud.trigger.dev
+   (or a self-hosted instance) first. You cannot complete this for them.
+2. **The secret key and project ref.** `TRIGGER_SECRET_KEY` and the project ref
+   (`proj_...`) come from the dashboard. Ask the user to copy the **DEV** secret key
+   from the project's API Keys page, and to pick or create the project so you have its
+   ref. `trigger init` can select the project interactively once the user is logged in.
+
+Treat these as handoffs: state exactly what you need, wait for the user, then resume.
+
+## Manual setup
+
+### 1. Authenticate (human step)
+
+```bash
+npx trigger.dev@latest login
+# self-hosted:
+npx trigger.dev@latest login --api-url https://your-trigger-instance.com
+```
+
+### 2. Install the packages
+
+`@trigger.dev/sdk` is a runtime dependency; `@trigger.dev/build` is a dev dependency.
+Pin both to the same version as the `trigger.dev` CLI you run; the CLI warns on a
+mismatch during `dev`/`deploy`.
+
+```bash
+npm add @trigger.dev/sdk@latest
+npm add --save-dev @trigger.dev/build@latest
+```
+
+### 3. Write `trigger.config.ts`
+
+Create it in the project root (or `trigger.config.mjs` for JavaScript). The `project`
+ref and `dirs` are the only required fields.
+
+```ts
+import { defineConfig } from "@trigger.dev/sdk";
+
+export default defineConfig({
+  project: "<project ref>", // e.g. "proj_abc123", from the dashboard
+  dirs: ["./src/trigger"], // where your tasks live
+  maxDuration: 3600,
+  retries: {
+    enabledInDev: false,
+    default: { maxAttempts: 3, factor: 2, minTimeoutInMs: 1000, maxTimeoutInMs: 10000, randomize: true },
+  },
+});
+```
+
+Use the Bun runtime by adding `runtime: "bun"`. Build extensions (`prismaExtension`,
+`puppeteer`, `additionalFiles`, etc.) come from `@trigger.dev/build` and go in
+`build.extensions`.
+
+### 4. Add a first task
+
+Create the directory that matches `dirs` and export a task from it. Every task must be
+a named export with a project-unique `id`.
+
+```ts
+// src/trigger/example.ts
+import { task } from "@trigger.dev/sdk";
+
+export const helloWorld = task({
+  id: "hello-world",
+  run: async (payload: { name: string }) => {
+    return { message: `Hello ${payload.name}!` };
+  },
+});
+```
+
+### 5. Wire tsconfig and gitignore
+
+Add `trigger.config.ts` to the `include` array in `tsconfig.json`, and add `.trigger`
+to `.gitignore` (the CLI writes local dev state there).
+
+```jsonc
+// tsconfig.json
+{ "include": ["trigger.config.ts" /* ...existing */] }
+```
+
+```bash
+# .gitignore
+.trigger
+```
+
+### 6. Set the secret key (human step)
+
+For triggering from your own code, set `TRIGGER_SECRET_KEY` to the DEV key from the
+dashboard's API Keys page. Self-hosted users also set `TRIGGER_API_URL`.
+
+```bash
+# .env (or .env.local for Next.js)
+TRIGGER_SECRET_KEY=tr_dev_xxxxxxxx
+```
+
+### 7. Run the dev server
+
+```bash
+npx trigger.dev@latest dev
+```
+
+Leave it running. Tasks register with the dashboard, where the user can fire a test run
+from the task's test page. On first run the CLI offers to install the MCP server and
+agent skills; recommend both.
+
+## Triggering from your app
+
+Once a task exists, trigger it from backend code with a **type-only** import so the
+task code is never bundled into your app. Trigger by id, not by calling the task object.
+
+```ts
+import { tasks } from "@trigger.dev/sdk";
+import type { helloWorld } from "@/trigger/example"; // type-only
+
+const handle = await tasks.trigger<typeof helloWorld>("hello-world", { name: "Ada" });
+```
+
+`TRIGGER_SECRET_KEY` must be set wherever this runs. Framework specifics live in the
+Next.js / Remix / Node.js guides.
+
+## Monorepos
+
+Two layouts, both supported: put tasks in a shared package (`@repo/tasks` with its own
+`trigger.config.ts`, consumed via `workspace:*`), or install Trigger.dev directly in the
+app that needs it. Run `trigger dev` from the directory that holds `trigger.config.ts`.
+See the manual setup docs for full Turborepo examples before scaffolding either.
+
+## Common mistakes
+
+1. **Trying to do the human-only steps headlessly.** You cannot complete `trigger login`
+   or read the dashboard secret key for the user.
+   - Wrong: spawning `trigger login` and waiting on it to finish in an agent session.
+   - Correct: ask the user to log in and to paste the DEV key, then continue.
+
+2. **Mismatched CLI and SDK versions.** A `trigger.dev` CLI on a different major than
+   `@trigger.dev/sdk` breaks dev/deploy.
+   - Wrong: `npx trigger.dev@latest dev` against an old pinned SDK.
+   - Correct: keep `trigger.dev`, `@trigger.dev/sdk`, and `@trigger.dev/build` on the same version.
+
+3. **Importing from `@trigger.dev/sdk/v3` or using `client.defineJob()`.** Both are old.
+   - Correct: always import from `@trigger.dev/sdk`; define work with `task()`.
+
+4. **Tasks not exported, or outside `dirs`.** A task that is not a named export inside a
+   configured directory will not be picked up.
+   - Correct: `export const ... = task({ ... })` in a file under a `dirs` path.
+
+5. **Importing the task instance into backend code.** This bundles the task.
+   - Wrong: `import { helloWorld } from "@/trigger/example"` in a route handler.
+   - Correct: `import type { helloWorld }` plus `tasks.trigger<typeof helloWorld>("hello-world", payload)`.
+
+6. **Forgetting `TRIGGER_SECRET_KEY`.** Triggering from your app fails without it; the
+   `dev` server itself works once the CLI is logged in.
+
+## References
+
+Sibling skills:
+
+- **authoring-tasks** for writing the tasks themselves once setup is done: retries, waits,
+  queues, scheduled tasks, triggering, and the full `trigger.config.ts`.
+- **realtime-and-frontend** for showing live run status in a frontend.
+- **authoring-chat-agent** and **chat-agent-advanced** for building AI chat agents.
+
+Docs:
+
+- [Quick start](https://trigger.dev/docs/quick-start)
+- [Manual setup](https://trigger.dev/docs/manual-setup)
+- [Configuration file](https://trigger.dev/docs/config/config-file)
+
+## Version
+
+Generated for @trigger.dev/sdk {{TRIGGER_SDK_VERSION}}. Re-run the trigger.dev skills installer after upgrading.
diff --git a/packages/cli-v3/skills/realtime-and-frontend/SKILL.md b/packages/cli-v3/skills/realtime-and-frontend/SKILL.md
new file mode 100644
index 00000000000..811fb7d1ff1
--- /dev/null
+++ b/packages/cli-v3/skills/realtime-and-frontend/SKILL.md
@@ -0,0 +1,281 @@
+---
+name: realtime-and-frontend
+description: >
+  Trigger.dev client/frontend surface: subscribe to runs in realtime
+  (runs.subscribeToRun and the @trigger.dev/react-hooks hook useRealtimeRun),
+  consume metadata and AI/text streams in React (useRealtimeStream), trigger
+  tasks from the browser (useTaskTrigger, useRealtimeTaskTrigger), and mint
+  scoped frontend credentials with auth.createPublicToken /
+  auth.createTriggerPublicToken.
+  Load when wiring a frontend (React/Next.js/Remix) or backend-for-frontend to
+  show live run progress, status badges, token streams, trigger buttons, or
+  wait-token approval UIs. NOT for writing the backend task itself (streams.define
+  / metadata.set is authoring-tasks territory); this is the consumer side.
+type: core
+library: trigger.dev
+library_version: "{{TRIGGER_SDK_VERSION}}"
+sources:
+  - docs/realtime/overview.mdx
+  - docs/realtime/how-it-works.mdx
+  - docs/realtime/auth.mdx
+  - docs/realtime/run-object.mdx
+  - docs/realtime/react-hooks/overview.mdx
+  - docs/realtime/react-hooks/subscribe.mdx
+  - docs/realtime/react-hooks/triggering.mdx
+  - docs/realtime/react-hooks/streams.mdx
+  - docs/realtime/react-hooks/swr.mdx
+  - docs/realtime/react-hooks/use-wait-token.mdx
+  - docs/realtime/backend/subscribe.mdx
+---
+
+# Realtime and Frontend
+
+The consumer side of Trigger.dev's run state and streams: read live run
+updates, render AI/text streams, and trigger tasks from a browser. Hooks come
+from `@trigger.dev/react-hooks`; token minting and backend subscription come
+from `@trigger.dev/sdk`.
+
+## Setup
+
+```bash
+npm add @trigger.dev/react-hooks   # frontend hooks (React/Next.js/Remix)
+# @trigger.dev/sdk is already installed for the backend
+```
+
+The flow is always: mint a scoped token in the backend, pass it to the
+frontend, subscribe with a hook.
+
+```ts
+// backend (API route / server action)
+import { auth } from "@trigger.dev/sdk";
+
+const publicAccessToken = await auth.createPublicToken({
+  scopes: { read: { runs: ["run_1234"] } }, // a token with no scopes is useless
+});
+```
+
+```tsx
+// frontend
+"use client";
+import { useRealtimeRun } from "@trigger.dev/react-hooks";
+
+export function RunStatus({ runId, publicAccessToken }: { runId: string; publicAccessToken: string }) {
+  const { run, error } = useRealtimeRun(runId, { accessToken: publicAccessToken });
+  if (error) return <div>Error: {error.message}</div>;
+  if (!run) return <div>Loading...</div>;
+  return <div>Run: {run.status}</div>;
+}
+```
+
+There are two token kinds: Public Access Tokens (read/subscribe, from
+`auth.createPublicToken`) and Trigger Tokens (trigger-from-browser, single-use,
+from `auth.createTriggerPublicToken`). Both default to a 15 minute expiry.
+
+## Core patterns
+
+### 1. Subscribe to a run and render metadata progress
+
+`metadata` is `Record<string, DeserializedJson>`, so nested values need a cast.
+
+```tsx
+"use client";
+import { useRealtimeRun } from "@trigger.dev/react-hooks";
+import type { myTask } from "@/trigger/myTask";
+
+export function Progress({ runId, publicAccessToken }: { runId: string; publicAccessToken: string }) {
+  const { run, error } = useRealtimeRun<typeof myTask>(runId, { accessToken: publicAccessToken });
+  if (error) return <div>Error: {error.message}</div>;
+  if (!run) return <div>Loading...</div>;
+  const progress = run.metadata?.progress as { percentage?: number } | undefined;
+  return <div>{run.status}: {progress?.percentage ?? 0}%</div>;
+}
+```
+
+Pass `onComplete: (run, error) => {}` to react when the run finishes.
+
+### 2. Status-only subscription with `skipColumns`
+
+For a badge or progress bar you do not need `payload`/`output`. Skipping them
+reduces wire size and avoids "Large HTTP Payload" warnings.
+
+```tsx
+const { run } = useRealtimeRun(runId, {
+  accessToken: publicAccessToken,
+  skipColumns: ["payload", "output"],
+});
+```
+
+You can skip any of: `payload`, `output`, `metadata`, `startedAt`, `delayUntil`,
+`queuedAt`, `expiredAt`, `completedAt`, `number`, `isTest`, `usageDurationMs`,
+`costInCents`, `baseCostInCents`, `ttl`, `payloadType`, `outputType`, `runTags`,
+`error`.
+
+### 3. Trigger from the browser with a Trigger Token
+
+`accessToken` here is a Trigger Token (`auth.createTriggerPublicToken`), not a
+Public Access Token.
+
+```tsx
+"use client";
+import { useTaskTrigger } from "@trigger.dev/react-hooks";
+import type { myTask } from "@/trigger/myTask";
+
+export function TriggerButton({ publicAccessToken }: { publicAccessToken: string }) {
+  const { submit, handle, isLoading } = useTaskTrigger<typeof myTask>("my-task", {
+    accessToken: publicAccessToken,
+  });
+  if (handle) return <div>Run ID: {handle.id}</div>;
+  return (
+    <button onClick={() => submit({ foo: "bar" }, { tags: ["user:123"] })} disabled={isLoading}>
+      {isLoading ? "Triggering..." : "Run"}
+    </button>
+  );
+}
+```
+
+`submit(payload, options?)` takes the same options as a backend `trigger` call.
+
+### 4. Trigger and subscribe in one hook
+
+```tsx
+"use client";
+import { useRealtimeTaskTrigger } from "@trigger.dev/react-hooks";
+import type { myTask } from "@/trigger/myTask";
+
+export function Runner({ publicAccessToken }: { publicAccessToken: string }) {
+  const { submit, run, isLoading } = useRealtimeTaskTrigger<typeof myTask>("my-task", {
+    accessToken: publicAccessToken,
+  });
+  if (run) return <div>{run.status}</div>;
+  return <button onClick={() => submit({ foo: "bar" })} disabled={isLoading}>Run</button>;
+}
+```
+
+Use `useRealtimeTaskTriggerWithStreams<typeof myTask, STREAMS>` when you also
+want the task's streams (it returns `{ submit, run, streams, error, isLoading }`).
+
+### 5. Consume an AI/text stream (SDK 4.1.0+, recommended)
+
+`useRealtimeStream` takes a defined stream for full type safety, or a `runId`
+plus optional stream key. Returns `{ parts, error }`.
+
+```tsx
+"use client";
+import { useRealtimeStream } from "@trigger.dev/react-hooks";
+import { aiStream } from "@/trigger/streams"; // a defined stream -> typed parts
+
+export function StreamView({ runId, publicAccessToken }: { runId: string; publicAccessToken: string }) {
+  const { parts, error } = useRealtimeStream(aiStream, runId, {
+    accessToken: publicAccessToken,
+    timeoutInSeconds: 300, // default 60
+    onData: (chunk) => console.log(chunk),
+  });
+  if (error) return <div>Error: {error.message}</div>;
+  if (!parts) return <div>Loading...</div>;
+  return <div>{parts.join("")}</div>;
+}
+```
+
+Without a defined stream: `useRealtimeStream<string>(runId, "ai-output", { accessToken })`,
+or omit the key to use the default stream. Other options: `baseURL`, `startIndex`,
+`throttleInMs` (default 16). The legacy `useRealtimeRunWithStreams(runId, options)`
+hook is still supported when you need both the run and all its streams at once.
+
+### 6. Send input back into a running task
+
+```tsx
+"use client";
+import { useInputStreamSend } from "@trigger.dev/react-hooks";
+import { approval } from "@/trigger/streams";
+
+export function ApprovalForm({ runId, accessToken }: { runId: string; accessToken: string }) {
+  const { send, isLoading, isReady } = useInputStreamSend(approval.id, runId, { accessToken });
+  return (
+    <button disabled={!isReady || isLoading} onClick={() => send({ approved: true })}>
+      Approve
+    </button>
+  );
+}
+```
+
+### 7. Complete a wait token from React
+
+```ts
+// backend: create the token, return id + publicAccessToken to the frontend
+import { wait } from "@trigger.dev/sdk";
+const token = await wait.createToken({ timeout: "10m" });
+return { tokenId: token.id, publicToken: token.publicAccessToken };
+```
+
+```tsx
+"use client";
+import { useWaitToken } from "@trigger.dev/react-hooks";
+
+export function Approve({ tokenId, publicToken }: { tokenId: string; publicToken: string }) {
+  const { complete } = useWaitToken(tokenId, { accessToken: publicToken });
+  return <button onClick={() => complete({ approved: true })}>Approve</button>;
+}
+```
+
+### 8. Subscribe from the backend (async iterators)
+
+```ts
+import { runs, tasks } from "@trigger.dev/sdk";
+import type { myTask } from "./trigger/my-task";
+
+const handle = await tasks.trigger("my-task", { some: "data" });
+for await (const run of runs.subscribeToRun<typeof myTask>(handle.id)) {
+  console.log(run.payload.some, run.output?.some); // typed
+}
+```
+
+`runs.subscribeToRun` completes when the run finishes, so the loop exits on its own.
+
+## Common mistakes
+
+1. **CRITICAL: Triggering from the browser with a Public Access Token.** The
+   read token from `createPublicToken` cannot trigger tasks.
+   - Wrong: `useTaskTrigger("my-task", { accessToken: publicAccessTokenFromCreatePublicToken })`
+   - Correct: mint a single-use Trigger Token with `auth.createTriggerPublicToken("my-task")` and pass that.
+
+2. **Token with no scopes.** A scopeless token authorizes nothing, so every subscribe 403s.
+   - Wrong: `await auth.createPublicToken()`
+   - Correct: `await auth.createPublicToken({ scopes: { read: { runs: ["run_1234"] } } })`
+
+3. **Polling with `useRun`/SWR for live updates.** `useRun` is the SWR-based
+   management-API hook (not recommended for live state); set `refreshInterval: 0`
+   to stop polling if you do use it.
+   - Wrong: `useRun(runId, { refreshInterval: 1000 })` to track progress
+   - Correct: `useRealtimeRun(runId, { accessToken })` (no polling, no WebSocket setup)
+
+4. **Forgetting `"use client"`.** Realtime/trigger hooks cannot run in a server component.
+   - Wrong: a Next.js App Router server component using `useRealtimeRun`
+   - Correct: put `"use client";` at the top of any component using these hooks.
+
+5. **Shipping `payload`/`output` you do not render.**
+   - Wrong: `useRealtimeRun(runId, { accessToken })` for a status badge (large payloads over the wire)
+   - Correct: `useRealtimeRun(runId, { accessToken, skipColumns: ["payload", "output"] })`
+
+6. **Subscribing before the handle exists.**
+   - Wrong: `useRealtimeRun(handle, { accessToken: handle?.publicAccessToken })` with no guard
+   - Correct: add `enabled: !!handle` so it subscribes only once the trigger returns a handle.
+
+## References
+
+Sibling skills:
+- `authoring-tasks` for the task side: `streams.define()`, `metadata.set()`, and `wait.createToken`.
+- `authoring-chat-agent` and `chat-agent-advanced` for chat agents, which build on these realtime streams.
+
+Docs:
+- [React hooks: run updates](/realtime/react-hooks/subscribe)
+- [React hooks: streaming](/realtime/react-hooks/streams)
+- [Realtime auth](/realtime/auth)
+
+The realtime run object differs from the management-API run object returned by
+`useRun`; see [run object reference](/realtime/run-object). For the task side
+(`streams.define`, `metadata.set`), see [/tasks/streams](/tasks/streams) and
+[/runs/metadata](/runs/metadata).
+
+## Version
+
+Generated for @trigger.dev/sdk {{TRIGGER_SDK_VERSION}}. Re-run the trigger.dev skills installer after upgrading.
diff --git a/packages/cli-v3/src/build/buildWorker.ts b/packages/cli-v3/src/build/buildWorker.ts
index b23b802f502..c3e1641ade1 100644
--- a/packages/cli-v3/src/build/buildWorker.ts
+++ b/packages/cli-v3/src/build/buildWorker.ts
@@ -1,6 +1,7 @@
 import { ResolvedConfig } from "@trigger.dev/core/v3/build";
 import { BuildManifest, BuildTarget } from "@trigger.dev/core/v3/schemas";
 import { BundleResult, bundleWorker, createBuildManifestFromBundle } from "./bundle.js";
+import { bundleSkills } from "./bundleSkills.js";
 import {
   createBuildContext,
   notifyExtensionOnBuildComplete,
@@ -8,6 +9,8 @@ import {
   resolvePluginsForContext,
 } from "./extensions.js";
 import { createExternalsBuildExtension } from "./externals.js";
+import { tmpdir } from "node:os";
+import { mkdtemp, rm } from "node:fs/promises";
 import { join, relative, sep } from "node:path";
 import { generateContainerfile } from "../deploy/buildImage.js";
 import { writeFile } from "node:fs/promises";
@@ -97,6 +100,31 @@ export async function buildWorker(options: BuildWorkerOptions) {
     envVars: options.envVars,
   });
 
+  // Built-in skill bundler — discovers `ai.defineSkill` registrations
+  // via a local indexer run and copies each skill folder into
+  // `{destination}/.trigger/skills/{id}/` before Docker COPY picks up
+  // the bundle. First-class, not a build extension.
+  const skillsTmpDir = await mkdtemp(join(tmpdir(), "trigger-skills-"));
+  const skillsBuildManifestPath = join(skillsTmpDir, "build.json");
+  try {
+    await writeFile(skillsBuildManifestPath, JSON.stringify(buildManifest));
+    const skillsResult = await bundleSkills({
+      buildManifest,
+      buildManifestPath: skillsBuildManifestPath,
+      workingDir: resolvedConfig.workingDir,
+      env: {
+        ...process.env,
+        ...(options.envVars ?? {}),
+      },
+      logger: buildContext.logger,
+    });
+    buildManifest = skillsResult.buildManifest;
+  } catch (err) {
+    logger.warn("Skill bundling failed; continuing without skills", err);
+  } finally {
+    await rm(skillsTmpDir, { recursive: true, force: true }).catch(() => {});
+  }
+
   buildManifest = await notifyExtensionOnBuildComplete(buildContext, buildManifest);
 
   if (options.target !== "dev") {
diff --git a/packages/cli-v3/src/build/bundleSkills.ts b/packages/cli-v3/src/build/bundleSkills.ts
new file mode 100644
index 00000000000..8533d254c72
--- /dev/null
+++ b/packages/cli-v3/src/build/bundleSkills.ts
@@ -0,0 +1,160 @@
+import { readFile } from "node:fs/promises";
+import { isAbsolute, join, resolve as resolvePath } from "node:path";
+import type { BuildManifest, SkillManifest } from "@trigger.dev/core/v3/schemas";
+import { copyDirectoryRecursive } from "@trigger.dev/build/internal";
+import { indexWorkerManifest } from "../indexing/indexWorkerManifest.js";
+import { execOptionsForRuntime, type BuildLogger } from "@trigger.dev/core/v3/build";
+
+export type BundleSkillsOptions = {
+  buildManifest: BuildManifest;
+  buildManifestPath: string;
+  workingDir: string;
+  env: Record<string, string | undefined>;
+  logger: BuildLogger;
+};
+
+export type BundleSkillsResult = {
+  /** The input manifest, annotated with `skills` on return. */
+  buildManifest: BuildManifest;
+  /** Discovered skills, in deterministic order. */
+  skills: SkillManifest[];
+};
+
+export type CopySkillFoldersOptions = {
+  skills: SkillManifest[];
+  /** Root where `{destinationRoot}/{id}/` folders will be created. */
+  destinationRoot: string;
+  /** Used to resolve relative `filePath` references in skill manifests. */
+  workingDir: string;
+  /** Only `debug` is used. `BuildLogger` and the cli `logger` both satisfy this shape. */
+  logger: { debug: (...args: unknown[]) => void };
+};
+
+/**
+ * Copy each skill's source folder to `{destinationRoot}/{id}/`. Validates
+ * that `SKILL.md` exists and has the required frontmatter. Pure file IO —
+ * no indexer subprocess, no env handling.
+ *
+ * Used by the dev path (driven by the main worker indexer's skills list)
+ * and indirectly by the deploy path (via `bundleSkills` which discovers
+ * skills via its own indexer pass first, then delegates here).
+ */
+export async function copySkillFolders(
+  options: CopySkillFoldersOptions
+): Promise<SkillManifest[]> {
+  const { skills, destinationRoot, workingDir, logger } = options;
+
+  if (skills.length === 0) {
+    return [];
+  }
+
+  for (const skill of skills) {
+    const callerDir = skill.filePath
+      ? resolvePath(workingDir, skill.filePath, "..")
+      : workingDir;
+    const sourcePath = isAbsolute(skill.sourcePath)
+      ? skill.sourcePath
+      : resolvePath(callerDir, skill.sourcePath);
+    const skillMdPath = join(sourcePath, "SKILL.md");
+
+    let skillMd: string;
+    try {
+      skillMd = await readFile(skillMdPath, "utf8");
+    } catch {
+      throw new Error(
+        `Skill "${skill.id}": SKILL.md not found at ${skillMdPath}. ` +
+          `Registered via skills.define({ id: "${skill.id}", path: "${skill.sourcePath}" }) ` +
+          `at ${skill.filePath}.`
+      );
+    }
+
+    if (!/^---\r?\n[\s\S]*?\r?\n---/.test(skillMd)) {
+      throw new Error(
+        `Skill "${skill.id}": SKILL.md at ${skillMdPath} is missing a frontmatter block.`
+      );
+    }
+    if (!/\bname:\s*\S/.test(skillMd) || !/\bdescription:\s*\S/.test(skillMd)) {
+      throw new Error(
+        `Skill "${skill.id}": SKILL.md at ${skillMdPath} frontmatter must include both \`name\` and \`description\`.`
+      );
+    }
+
+    const skillDest = join(destinationRoot, skill.id);
+    logger.debug(`[copySkillFolders] Copying ${sourcePath} → ${skillDest}`);
+    await copyDirectoryRecursive(sourcePath, skillDest);
+  }
+
+  return [...skills].sort((a, b) => a.id.localeCompare(b.id));
+}
+
+/**
+ * Built-in skill bundler — not an extension. Runs the indexer locally
+ * against the bundled worker output to discover `skills.define(...)`
+ * registrations, validates each skill's `SKILL.md`, and copies the
+ * folder into `{outputPath}/.trigger/skills/{id}/` so the deploy image
+ * picks it up via the existing Dockerfile `COPY`.
+ *
+ * Used by the deploy path. The dev path uses `copySkillFolders` directly,
+ * driven by the main worker indexer that already runs in `BackgroundWorker.initialize` —
+ * no duplicate indexer pass needed there.
+ *
+ * No `trigger.config.ts` changes required — discovery is side-effect
+ * based, same mechanism as task/prompt registration.
+ */
+export async function bundleSkills(
+  options: BundleSkillsOptions
+): Promise<BundleSkillsResult> {
+  const { buildManifest, buildManifestPath, workingDir, env, logger } = options;
+
+  let skills: SkillManifest[];
+  try {
+    const workerManifest = await indexWorkerManifest({
+      runtime: buildManifest.runtime,
+      indexWorkerPath: buildManifest.indexWorkerEntryPoint,
+      buildManifestPath,
+      nodeOptions: execOptionsForRuntime(buildManifest.runtime, buildManifest),
+      env,
+      cwd: workingDir,
+      otelHookInclude: buildManifest.otelImportHook?.include,
+      otelHookExclude: buildManifest.otelImportHook?.exclude,
+      handleStdout(data) {
+        logger.debug(`[bundleSkills] ${data}`);
+      },
+      handleStderr(data) {
+        if (!data.includes("Debugger attached")) {
+          logger.debug(`[bundleSkills:stderr] ${data}`);
+        }
+      },
+    });
+    skills = workerManifest.skills ?? [];
+  } catch (err) {
+    // Skill discovery via the indexer is best-effort — if the user's
+    // bundle doesn't load cleanly here the downstream full indexer will
+    // surface the real error. Warn so the user sees what went wrong.
+    logger.warn(
+      `[bundleSkills] skill discovery failed, skipping skill bundling: ${(err as Error).message}`
+    );
+    return { buildManifest, skills: [] };
+  }
+
+  if (skills.length === 0) {
+    return { buildManifest, skills: [] };
+  }
+
+  // Deploy target: the Dockerfile COPY picks up everything under outputPath
+  // into /app, so we target {outputPath}/.trigger/skills/{id}/ and the
+  // container's cwd (/app) resolves correctly.
+  const destinationRoot = join(buildManifest.outputPath, ".trigger", "skills");
+
+  const sortedSkills = await copySkillFolders({
+    skills,
+    destinationRoot,
+    workingDir,
+    logger,
+  });
+
+  return {
+    buildManifest: { ...buildManifest, skills: sortedSkills },
+    skills: sortedSkills,
+  };
+}
diff --git a/packages/cli-v3/src/cli/index.ts b/packages/cli-v3/src/cli/index.ts
index fc482224e58..1278de73430 100644
--- a/packages/cli-v3/src/cli/index.ts
+++ b/packages/cli-v3/src/cli/index.ts
@@ -17,7 +17,7 @@ import { COMMAND_NAME } from "../consts.js";
 import { VERSION } from "../version.js";
 import { installExitHandler } from "./common.js";
 import { configureInstallMcpCommand } from "../commands/install-mcp.js";
-import { configureInstallRulesCommand } from "../commands/install-rules.js";
+import { configureSkillsCommand } from "../commands/skills.js";
 
 export const program = new Command();
 
@@ -41,6 +41,6 @@ configurePreviewCommand(program);
 configureAnalyzeCommand(program);
 configureMcpCommand(program);
 configureInstallMcpCommand(program);
-configureInstallRulesCommand(program);
+configureSkillsCommand(program);
 
 installExitHandler();
diff --git a/packages/cli-v3/src/commands/dev.ts b/packages/cli-v3/src/commands/dev.ts
index 73e79933dd0..a5aa994df63 100644
--- a/packages/cli-v3/src/commands/dev.ts
+++ b/packages/cli-v3/src/commands/dev.ts
@@ -26,7 +26,7 @@ import { confirm, isCancel, log } from "@clack/prompts";
 import { installMcpServer } from "./install-mcp.js";
 import { tryCatch } from "@trigger.dev/core/utils";
 import { VERSION } from "@trigger.dev/core";
-import { initiateRulesInstallWizard } from "./install-rules.js";
+import { initiateSkillsInstallWizard } from "./skills.js";
 
 const DevCommandOptions = CommonCommandOptions.extend({
   debugOtel: z.boolean().default(false),
@@ -43,8 +43,6 @@ const DevCommandOptions = CommonCommandOptions.extend({
   disableWarnings: z.boolean().default(false),
   skipMCPInstall: z.boolean().default(false),
   skipRulesInstall: z.boolean().default(false),
-  rulesInstallManifestPath: z.string().optional(),
-  rulesInstallBranch: z.string().optional(),
 });
 
 export type DevCommandOptions = z.infer<typeof DevCommandOptions>;
@@ -87,19 +85,7 @@ export function configureDevCommand(program: Command) {
       .addOption(
         new CommandOption(
           "--skip-rules-install",
-          "Skip the Trigger.dev Agent rules install wizard"
-        ).hideHelp()
-      )
-      .addOption(
-        new CommandOption(
-          "--rules-install-manifest-path <path>",
-          "The path to the rules install manifest"
-        ).hideHelp()
-      )
-      .addOption(
-        new CommandOption(
-          "--rules-install-branch <branch>",
-          "The branch to install the rules from"
+          "Skip the Trigger.dev agent skills install wizard"
         ).hideHelp()
       )
       .addOption(new CommandOption("--disable-warnings", "Suppress warnings output").hideHelp())
@@ -158,12 +144,7 @@ export async function devCommand(options: DevCommandOptions) {
       typeof options.skipRulesInstall === "boolean" && options.skipRulesInstall;
 
     if (!skipRulesInstall) {
-      await tryCatch(
-        initiateRulesInstallWizard({
-          manifestPath: options.rulesInstallManifestPath,
-          branch: options.rulesInstallBranch,
-        })
-      );
+      await tryCatch(initiateSkillsInstallWizard({}));
     }
   }
 
diff --git a/packages/cli-v3/src/commands/init.ts b/packages/cli-v3/src/commands/init.ts
index 82c4d0e4e09..08fe4ebf9eb 100644
--- a/packages/cli-v3/src/commands/init.ts
+++ b/packages/cli-v3/src/commands/init.ts
@@ -1,4 +1,4 @@
-import { intro, isCancel, log, outro, select, text } from "@clack/prompts";
+import { intro, isCancel, log, multiselect, outro, select, text } from "@clack/prompts";
 import { context, trace } from "@opentelemetry/api";
 import {
   GetProjectResponseBody,
@@ -43,6 +43,7 @@ import {
   writeConfigHasSeenMCPInstallPrompt,
 } from "../utilities/configFiles.js";
 import { installMcpServer } from "./install-mcp.js";
+import { installSkillsFromInit, markSkillsPromptSeen } from "./skills.js";
 
 const cliVersion = VERSION as string;
 const cliTag = cliVersion.includes("v4-beta") ? "v4-beta" : "latest";
@@ -57,6 +58,7 @@ const InitCommandOptions = CommonCommandOptions.extend({
   gitRef: z.string().default("main"),
   javascript: z.boolean().default(false),
   yes: z.boolean().default(false),
+  browser: z.boolean().default(true),
 });
 
 type InitCommandOptions = z.infer<typeof InitCommandOptions>;
@@ -65,7 +67,23 @@ export function configureInitCommand(program: Command) {
   return commonOptions(
     program
       .command("init")
-      .description("Initialize your existing project for development with Trigger.dev")
+      .summary("Initialize your existing project for development with Trigger.dev")
+      .description(
+        `Initialize your existing project for development with Trigger.dev.
+
+Examples:
+  # Interactive setup
+  $ trigger.dev init
+
+  # Non-interactive (CI / scripts)
+  $ trigger.dev init --yes --project-ref proj_abc123
+
+  # Headless / agent (no browser)
+  $ trigger.dev init --yes --project-ref proj_abc123 --no-browser
+
+  # Use a named profile
+  $ trigger.dev init --profile staging`
+      )
       .argument("[path]", "The path to the project", ".")
       .option(
         "-p, --project-ref <project ref>",
@@ -89,6 +107,7 @@ export function configureInitCommand(program: Command) {
         "Additional arguments to pass to the package manager, accepts CSV for multiple args"
       )
       .option("-y, --yes", "Skip all prompts and use defaults (requires --project-ref)")
+      .option("--no-browser", "Don't automatically open the browser during login; print the URL only")
   )
     .addOption(
       new CommandOption(
@@ -118,26 +137,64 @@ async function _initCommand(dir: string, options: InitCommandOptions) {
     throw new Error("--project-ref is required when using --yes flag");
   }
 
+  // Refuse to run interactively when stdin isn't a TTY (CI, agent harness, etc).
+  // Previously this silently default-and-exited at the first prompt, leaving the
+  // project half-initialized.
+  if (!options.yes && !process.stdin.isTTY) {
+    throw new Error(
+      "Interactive prompts cannot be used in non-TTY environments. Pass --yes (and --project-ref) to run non-interactively."
+    );
+  }
+
   const hasSeenMCPInstallPrompt = readConfigHasSeenMCPInstallPrompt();
 
-  if (!hasSeenMCPInstallPrompt) {
-    const installChoice = await select({
-      message: "Choose how you want to initialize your project:",
+  // Skip the AI-tooling prompt when --yes is set: the user explicitly chose the CLI
+  // scaffold by running `trigger.dev init` non-interactively, and the prompt would
+  // otherwise hang on a fresh machine where `hasSeenMCPInstallPrompt` is false.
+  if (!hasSeenMCPInstallPrompt && !options.yes) {
+    const tooling = await multiselect({
+      message: "Set up AI tooling for your coding assistant? (optional, space to toggle)",
       options: [
         {
           value: "mcp",
-          label: "Trigger.dev MCP",
-          hint: "Automatically install the Trigger.dev MCP server and then vibe your way to a new project.",
+          label: "MCP server",
+          hint: "live access to your project: trigger tasks, deploy, monitor runs",
+        },
+        {
+          value: "skills",
+          label: "Agent skills",
+          hint: "teach your AI to write Trigger.dev code, version-matched to your SDK",
         },
-        { value: "cli", label: "CLI", hint: "Continue with the CLI" },
       ],
+      required: false,
     });
 
     writeConfigHasSeenMCPInstallPrompt(true);
 
-    const continueWithCLI = isCancel(installChoice) || installChoice === "cli";
+    const selectedTooling = isCancel(tooling) ? [] : tooling;
+
+    // Track what actually installed (not just what was selected), so the AI hand-off is
+    // only offered, and only described, in terms of tooling that really landed.
+    let installedSkills = false;
+    let installedMcp = false;
+
+    // Skills are auth-free and bundled in the CLI. The user opted in here, so install
+    // straight away (no extra confirm). If they declined, still mark the prompt seen so
+    // `trigger dev` doesn't ask about skills a second time.
+    if (selectedTooling.includes("skills")) {
+      log.step("Installing the Trigger.dev agent skills");
+      const [skillsError, installed] = await tryCatch(installSkillsFromInit());
+      if (skillsError) {
+        log.warn(`Skipped agent skills: ${skillsError.message}`);
+      } else {
+        installedSkills = installed === true;
+      }
+    } else {
+      await tryCatch(markSkillsPromptSeen());
+    }
 
-    if (!continueWithCLI) {
+    // The MCP server is also auth-free.
+    if (selectedTooling.includes("mcp")) {
       log.step("Welcome to the Trigger.dev MCP server install wizard 🧙");
 
       const [installError] = await tryCatch(
@@ -149,11 +206,44 @@ async function _initCommand(dir: string, options: InitCommandOptions) {
       );
 
       if (installError) {
-        outro(`Failed to install MCP server: ${installError.message}`);
-        return;
+        // Don't abort init if MCP fails: skills may already be installed and the user
+        // still needs the project scaffolded. Warn and carry on.
+        log.warn(`Skipped MCP server: ${installError.message}`);
+      } else {
+        installedMcp = true;
       }
+    }
 
-      return;
+    // Vibe path: once AI tooling is actually installed, the user can hand scaffolding to
+    // their assistant instead of the CLI. Only offered when something landed, and the
+    // hand-off message names only the tooling that did.
+    if (installedSkills || installedMcp) {
+      const setupChoice = await select({
+        message: "How do you want to set up your project?",
+        options: [
+          {
+            value: "cli",
+            label: "Scaffold it now with the CLI",
+            hint: "log in, create trigger.config.ts and an example task",
+          },
+          {
+            value: "ai",
+            label: "Let my AI assistant set it up",
+            hint: "hand off and let your assistant bootstrap the project",
+          },
+        ],
+      });
+
+      if (!isCancel(setupChoice) && setupChoice === "ai") {
+        outro(
+          installedSkills && installedMcp
+            ? "Your AI tooling is ready. Ask your assistant to set up Trigger.dev; it can use the getting-started skill and the MCP server to add the SDK, config, and your first task."
+            : installedSkills
+              ? "Your AI tooling is ready. Ask your assistant to set up Trigger.dev and it will use the getting-started skill to add the SDK, config, and your first task."
+              : "The MCP server is installed. Ask your assistant to set up Trigger.dev using the MCP server."
+        );
+        return;
+      }
     }
   }
 
@@ -165,6 +255,7 @@ async function _initCommand(dir: string, options: InitCommandOptions) {
     embedded: true,
     defaultApiUrl: options.apiUrl,
     profile: options.profile,
+    browser: options.browser,
   });
 
   if (!authorization.ok) {
@@ -257,7 +348,7 @@ async function _initCommand(dir: string, options: InitCommandOptions) {
   log.info("Next steps:");
   log.info(
     `   1. To start developing, run ${chalk.green(
-      `npx trigger.dev@${cliTag} dev${options.profile ? "" : ` --profile ${options.profile}`}`
+      `npx trigger.dev@${cliTag} dev${options.profile ? ` --profile ${options.profile}` : ""}`
     )} in your project directory`
   );
   log.info(`   2. Visit your ${projectDashboard} to view your newly created tasks.`);
diff --git a/packages/cli-v3/src/commands/install-rules.ts b/packages/cli-v3/src/commands/install-rules.ts
deleted file mode 100644
index 7500414bed9..00000000000
--- a/packages/cli-v3/src/commands/install-rules.ts
+++ /dev/null
@@ -1,612 +0,0 @@
-import { confirm, intro, isCancel, log, multiselect, outro } from "@clack/prompts";
-import { ResolvedConfig } from "@trigger.dev/core/v3/build";
-import chalk from "chalk";
-import { Command, Option as CommandOption } from "commander";
-import { join } from "node:path";
-import * as semver from "semver";
-import { z } from "zod";
-import { OutroCommandError, wrapCommandAction } from "../cli/common.js";
-import { loadConfig } from "../config.js";
-import {
-  GithubRulesManifestLoader,
-  loadRulesManifest,
-  LocalRulesManifestLoader,
-  ManifestVersion,
-  RulesManifest,
-  RulesManifestVersionOption,
-} from "../rules/manifest.js";
-import { cliLink } from "../utilities/cliOutput.js";
-import {
-  readConfigHasSeenRulesInstallPrompt,
-  readConfigLastRulesInstallPromptVersion,
-  writeConfigHasSeenRulesInstallPrompt,
-  writeConfigLastRulesInstallPromptVersion,
-} from "../utilities/configFiles.js";
-import { pathExists, readFile, safeWriteFile } from "../utilities/fileSystem.js";
-import { printStandloneInitialBanner } from "../utilities/initialBanner.js";
-import { logger } from "../utilities/logger.js";
-import { tryCatch } from "@trigger.dev/core/utils";
-
-const targets = [
-  "claude-code",
-  "cursor",
-  "vscode",
-  "windsurf",
-  "gemini-cli",
-  "cline",
-  "agents.md",
-  "amp",
-  "kilo",
-  "ruler",
-] as const;
-
-type TargetLabels = {
-  [key in (typeof targets)[number]]: string;
-};
-
-const targetLabels: TargetLabels = {
-  "claude-code": "Claude Code",
-  cursor: "Cursor",
-  vscode: "VSCode",
-  windsurf: "Windsurf",
-  "gemini-cli": "Gemini CLI",
-  cline: "Cline",
-  "agents.md": "AGENTS.md (OpenAI Codex CLI, Jules, OpenCode)",
-  amp: "Sourcegraph AMP",
-  kilo: "Kilo Code",
-  ruler: "Ruler",
-};
-
-type SupportedTargets = (typeof targets)[number];
-type ResolvedTargets = SupportedTargets | "unsupported";
-
-const InstallRulesCommandOptions = z.object({
-  target: z.enum(targets).array().optional(),
-  manifestPath: z.string().optional(),
-  branch: z.string().optional(),
-  logLevel: z.enum(["debug", "info", "log", "warn", "error", "none"]).optional(),
-  forceWizard: z.boolean().optional(),
-});
-
-type InstallRulesCommandOptions = z.infer<typeof InstallRulesCommandOptions>;
-
-export function configureInstallRulesCommand(program: Command) {
-  return program
-    .command("install-rules")
-    .description("Install the Trigger.dev Agent rules files")
-    .option(
-      "--target <targets...>",
-      "Choose the target (or targets) to install the Trigger.dev rules into. We currently support: " +
-        targets.join(", ")
-    )
-    .option(
-      "-l, --log-level <level>",
-      "The CLI log level to use (debug, info, log, warn, error, none). This does not effect the log level of your trigger.dev tasks.",
-      "log"
-    )
-    .addOption(
-      new CommandOption(
-        "--manifest-path <path>",
-        "The path to the rules manifest file. This is useful if you want to install the rules from a local file."
-      ).hideHelp()
-    )
-    .addOption(
-      new CommandOption(
-        "--branch <branch>",
-        "The branch to install the rules from, the default is main"
-      ).hideHelp()
-    )
-    .addOption(
-      new CommandOption(
-        "--force-wizard",
-        "Force the rules install wizard to run even if the rules have already been installed."
-      ).hideHelp()
-    )
-    .action(async (options) => {
-      await printStandloneInitialBanner(true);
-      await installRulesCommand(options);
-    });
-}
-
-export async function installRulesCommand(options: unknown) {
-  return await wrapCommandAction(
-    "installRulesCommand",
-    InstallRulesCommandOptions,
-    options,
-    async (opts) => {
-      if (opts.logLevel) {
-        logger.loggerLevel = opts.logLevel;
-      }
-
-      return await _installRulesCommand(opts);
-    }
-  );
-}
-
-async function _installRulesCommand(options: InstallRulesCommandOptions) {
-  if (options.forceWizard) {
-    await initiateRulesInstallWizard(options);
-    return;
-  }
-
-  intro("Welcome to the Trigger.dev Agent rules install wizard ");
-
-  const manifestLoader = options.manifestPath
-    ? new LocalRulesManifestLoader(options.manifestPath)
-    : new GithubRulesManifestLoader(options.branch ?? "main");
-
-  const manifest = await loadRulesManifest(manifestLoader);
-
-  writeConfigLastRulesInstallPromptVersion(manifest.currentVersion);
-  writeConfigHasSeenRulesInstallPrompt(true);
-
-  await installRules(manifest, options);
-
-  outro("You're all set! ");
-}
-
-type InstallRulesResults = Array<InstallRulesResult>;
-
-type InstallRulesResult = {
-  configPath: string;
-  targetName: (typeof targets)[number];
-};
-
-export type InstallRulesWizardOptions = {
-  target?: Array<(typeof targets)[number]>;
-  manifestPath?: string;
-  branch?: string;
-};
-
-export async function initiateRulesInstallWizard(options: InstallRulesWizardOptions) {
-  const manifestLoader = options.manifestPath
-    ? new LocalRulesManifestLoader(options.manifestPath)
-    : new GithubRulesManifestLoader(options.branch ?? "main");
-
-  const manifest = await loadRulesManifest(manifestLoader);
-
-  const hasSeenRulesInstallPrompt = readConfigHasSeenRulesInstallPrompt();
-
-  if (!hasSeenRulesInstallPrompt) {
-    writeConfigHasSeenRulesInstallPrompt(true);
-    writeConfigLastRulesInstallPromptVersion(manifest.currentVersion);
-
-    const installChoice = await confirm({
-      message: "Would you like to install the Trigger.dev code agent rules?",
-      initialValue: true,
-    });
-
-    const skipInstall = isCancel(installChoice) || !installChoice;
-
-    if (skipInstall) {
-      return;
-    }
-
-    await installRules(manifest, options);
-    return;
-  }
-
-  const lastRulesInstallPromptVersion = readConfigLastRulesInstallPromptVersion();
-
-  if (!lastRulesInstallPromptVersion) {
-    writeConfigHasSeenRulesInstallPrompt(true);
-    writeConfigLastRulesInstallPromptVersion(manifest.currentVersion);
-
-    const installChoice = await confirm({
-      message: `A new version of the trigger.dev agent rules is available (${manifest.currentVersion}). Do you want to install it?`,
-      initialValue: true,
-    });
-
-    const skipInstall = isCancel(installChoice) || !installChoice;
-
-    if (skipInstall) {
-      return;
-    }
-
-    await installRules(manifest, options);
-    return;
-  }
-
-  if (semver.gt(manifest.currentVersion, lastRulesInstallPromptVersion)) {
-    writeConfigHasSeenRulesInstallPrompt(true);
-    writeConfigLastRulesInstallPromptVersion(manifest.currentVersion);
-
-    const confirmed = await confirm({
-      message: `A new version of the trigger.dev agent rules is available (${lastRulesInstallPromptVersion} → ${chalk.greenBright(
-        manifest.currentVersion
-      )}). Do you want to install it?`,
-      initialValue: true,
-    });
-
-    if (isCancel(confirmed) || !confirmed) {
-      return;
-    }
-
-    await installRules(manifest, options);
-  }
-
-  return;
-}
-
-async function installRules(manifest: RulesManifest, opts: InstallRulesWizardOptions) {
-  const [_, config] = await tryCatch(
-    loadConfig({
-      cwd: process.cwd(),
-    })
-  );
-
-  const currentVersion = await manifest.getCurrentVersion();
-
-  const targetNames = await resolveTargets(opts);
-
-  if (targetNames.length === 1 && targetNames.includes("unsupported")) {
-    handleUnsupportedTargetOnly(opts);
-    return;
-  }
-
-  const results = [];
-
-  for (const targetName of targetNames) {
-    const result = await installRulesForTarget(
-      targetName,
-      currentVersion,
-      opts,
-      config ?? undefined
-    );
-
-    if (result) {
-      results.push(result);
-    }
-  }
-
-  if (results.length > 0) {
-    log.step("Installed the following rules files:");
-
-    for (const r of results) {
-      const installationsByLocation = r.installations.reduce(
-        (acc, i) => {
-          if (!acc[i.location]) {
-            acc[i.location] = [];
-          }
-
-          acc[i.location]!.push(i.option);
-
-          return acc;
-        },
-        {} as Record<string, RulesManifestVersionOption[]>
-      );
-
-      const locationOutput = Object.entries(installationsByLocation).map(
-        ([location]) => `${chalk.greenBright(location)}`
-      );
-
-      for (const message of locationOutput) {
-        log.info(message);
-      }
-    }
-
-    log.info(
-      `${cliLink("Learn how to use our rules", "https://trigger.dev/docs/agents/rules/overview")}`
-    );
-  }
-}
-
-function handleUnsupportedTargetOnly(options: InstallRulesCommandOptions): InstallRulesResults {
-  log.info(
-    `${cliLink("Install the rules manually", "https://trigger.dev/docs/agents/rules/overview")}`
-  );
-
-  return [];
-}
-
-async function installRulesForTarget(
-  targetName: ResolvedTargets,
-  currentVersion: ManifestVersion,
-  options: InstallRulesCommandOptions,
-  config?: ResolvedConfig
-) {
-  if (targetName === "unsupported") {
-    // This should not happen as unsupported targets are handled separately
-    // but if it does, provide helpful output
-    log.message(
-      `${chalk.yellow("⚠")} Skipping unsupported target - see manual configuration above`
-    );
-    return;
-  }
-
-  const result = await performInstallForTarget(targetName, currentVersion, options, config);
-
-  return result;
-}
-
-async function performInstallForTarget(
-  targetName: (typeof targets)[number],
-  currentVersion: ManifestVersion,
-  cmdOptions: InstallRulesCommandOptions,
-  config?: ResolvedConfig
-) {
-  const options = await resolveOptionsForTarget(targetName, currentVersion, cmdOptions);
-
-  const installations = await performInstallOptionsForTarget(targetName, options, config);
-
-  return {
-    targetName,
-    installations,
-  };
-}
-
-async function performInstallOptionsForTarget(
-  targetName: (typeof targets)[number],
-  options: Array<RulesManifestVersionOption>,
-  config?: ResolvedConfig
-) {
-  const results = [];
-
-  for (const option of options) {
-    const result = await performInstallOptionForTarget(targetName, option, config);
-    results.push(result);
-  }
-
-  return results;
-}
-
-async function performInstallOptionForTarget(
-  targetName: (typeof targets)[number],
-  option: RulesManifestVersionOption,
-  config?: ResolvedConfig
-) {
-  switch (option.installStrategy) {
-    case "default": {
-      return performInstallDefaultOptionForTarget(targetName, option, config);
-    }
-    case "claude-code-subagent": {
-      return performInstallClaudeCodeSubagentOptionForTarget(option);
-    }
-    default: {
-      throw new Error(`Unknown install strategy: ${option.installStrategy}`);
-    }
-  }
-}
-
-async function performInstallDefaultOptionForTarget(
-  targetName: (typeof targets)[number],
-  option: RulesManifestVersionOption,
-  config?: ResolvedConfig
-) {
-  // Get the path to the rules file
-  const rulesFilePath = resolveRulesFilePathForTargetOption(targetName, option);
-  const rulesFileContents = await resolveRulesFileContentsForTarget(targetName, option, config);
-  const mergeStrategy = await resolveRulesFileMergeStrategyForTarget(targetName);
-
-  // Try and read the existing rules file
-  const rulesFileAbsolutePath = join(process.cwd(), rulesFilePath);
-  await writeToFile(rulesFileAbsolutePath, rulesFileContents, mergeStrategy, option.name);
-
-  return { option, location: rulesFilePath };
-}
-
-async function writeToFile(
-  path: string,
-  contents: string,
-  mergeStrategy: "overwrite" | "replace" = "overwrite",
-  sectionName: string
-) {
-  const exists = await pathExists(path);
-
-  if (exists) {
-    switch (mergeStrategy) {
-      case "overwrite": {
-        await safeWriteFile(path, contents);
-        break;
-      }
-      case "replace": {
-        const existingContents = await readFile(path);
-
-        const pattern = new RegExp(
-          `<!-- TRIGGER.DEV ${sectionName} START -->.*?<!-- TRIGGER.DEV ${sectionName} END -->`,
-          "gs"
-        );
-
-        // If the section name is not found, just append the new content
-        if (!pattern.test(existingContents)) {
-          await safeWriteFile(path, existingContents + "\n\n" + contents);
-          break;
-        }
-
-        const updatedContent = existingContents.replace(pattern, contents);
-
-        await safeWriteFile(path, updatedContent);
-        break;
-      }
-      default: {
-        throw new Error(`Unknown merge strategy: ${mergeStrategy}`);
-      }
-    }
-  } else {
-    await safeWriteFile(path, contents);
-  }
-}
-
-async function performInstallClaudeCodeSubagentOptionForTarget(option: RulesManifestVersionOption) {
-  const rulesFilePath = ".claude/agents/trigger-dev-task-writer.md";
-  const rulesFileContents = option.contents;
-
-  await writeToFile(rulesFilePath, rulesFileContents, "overwrite", option.name);
-
-  return { option, location: rulesFilePath };
-}
-
-function resolveRulesFilePathForTargetOption(
-  targetName: (typeof targets)[number],
-  option: RulesManifestVersionOption
-): string {
-  if (option.installStrategy === "claude-code-subagent") {
-    return ".claude/agents/trigger-dev-task-writer.md";
-  }
-
-  switch (targetName) {
-    case "claude-code": {
-      return "CLAUDE.md";
-    }
-    case "cursor": {
-      return `.cursor/rules/trigger.${option.name}.mdc`;
-    }
-    case "vscode": {
-      return `.github/instructions/trigger-${option.name}.instructions.md`;
-    }
-    case "windsurf": {
-      return `.windsurf/rules/trigger-${option.name}.md`;
-    }
-    case "gemini-cli": {
-      return `GEMINI.md`;
-    }
-    case "cline": {
-      return `.clinerules/trigger-${option.name}.md`;
-    }
-    case "agents.md": {
-      return "AGENTS.md";
-    }
-    case "amp": {
-      return "AGENT.md";
-    }
-    case "kilo": {
-      return `.kilocode/rules/trigger-${option.name}.md`;
-    }
-    case "ruler": {
-      return `.ruler/trigger-${option.name}.md`;
-    }
-    default: {
-      throw new Error(`Unknown target: ${targetName}`);
-    }
-  }
-}
-
-async function resolveRulesFileMergeStrategyForTarget(targetName: (typeof targets)[number]) {
-  switch (targetName) {
-    case "amp":
-    case "agents.md":
-    case "gemini-cli":
-    case "claude-code": {
-      return "replace";
-    }
-    default: {
-      return "overwrite";
-    }
-  }
-}
-
-async function resolveRulesFileContentsForTarget(
-  targetName: (typeof targets)[number],
-  option: RulesManifestVersionOption,
-  config?: ResolvedConfig
-) {
-  switch (targetName) {
-    case "cursor": {
-      return $output(
-        frontmatter({
-          description: option.label,
-          globs: option.applyTo ?? "**/trigger/**/*.ts",
-          alwaysApply: false,
-        }),
-        option.contents
-      );
-    }
-    case "vscode": {
-      return $output(
-        frontmatter({
-          applyTo: option.applyTo ?? "**/trigger/**/*.ts",
-        }),
-        option.contents
-      );
-    }
-    case "windsurf": {
-      return $output(
-        frontmatter({
-          trigger: "glob",
-          globs: option.applyTo ?? "**/trigger/**/*.ts",
-        }),
-        option.contents
-      );
-    }
-    default: {
-      return $output(
-        `<!-- TRIGGER.DEV ${option.name} START -->`,
-        option.contents,
-        `<!-- TRIGGER.DEV ${option.name} END -->`
-      );
-    }
-  }
-}
-
-function frontmatter(data: Record<string, string | boolean>) {
-  return $output("---", ...Object.entries(data).map(([key, value]) => `${key}: ${value}`), "---");
-}
-
-function $output(...strings: string[]) {
-  return strings.map((s) => s).join("\n");
-}
-
-async function resolveOptionsForTarget(
-  targetName: (typeof targets)[number],
-  currentVersion: ManifestVersion,
-  cmdOptions: InstallRulesCommandOptions
-) {
-  const possibleOptions = currentVersion.options.filter(
-    (option) => !option.client || option.client === targetName
-  );
-
-  const selectedOptions = await multiselect({
-    message: `Choose the rules you want to install for ${targetLabels[targetName]}`,
-    options: possibleOptions.map((option) => ({
-      value: option,
-      label: option.title,
-      hint: `${option.label} [~${option.tokens} tokens]`,
-    })),
-    required: true,
-  });
-
-  if (isCancel(selectedOptions)) {
-    throw new OutroCommandError("No options selected");
-  }
-
-  return selectedOptions;
-}
-
-async function resolveTargets(options: InstallRulesCommandOptions): Promise<ResolvedTargets[]> {
-  if (options.target) {
-    return options.target;
-  }
-
-  const selectOptions: Array<{
-    value: string;
-    label: string;
-    hint?: string;
-  }> = targets.map((target) => ({
-    value: target,
-    label: targetLabels[target],
-  }));
-
-  selectOptions.push({
-    value: "unsupported",
-    label: "Unsupported target",
-    hint: "We don't support this target yet, but you can still install the rules manually.",
-  });
-
-  const $selectOptions = selectOptions as Array<{
-    value: ResolvedTargets;
-    label: string;
-    hint?: string;
-  }>;
-
-  const selectedTargets = await multiselect({
-    message: "Select one or more targets to install the rules into",
-    options: $selectOptions,
-    required: true,
-  });
-
-  if (isCancel(selectedTargets)) {
-    throw new OutroCommandError("No targets selected");
-  }
-
-  return selectedTargets;
-}
diff --git a/packages/cli-v3/src/commands/login.ts b/packages/cli-v3/src/commands/login.ts
index 59af7ee895a..3561183b36a 100644
--- a/packages/cli-v3/src/commands/login.ts
+++ b/packages/cli-v3/src/commands/login.ts
@@ -41,6 +41,7 @@ import { links } from "@trigger.dev/core/v3";
 
 export const LoginCommandOptions = CommonCommandOptions.extend({
   apiUrl: z.string(),
+  browser: z.boolean().default(true),
 });
 
 export type LoginCommandOptions = z.infer<typeof LoginCommandOptions>;
@@ -49,7 +50,21 @@ export function configureLoginCommand(program: Command) {
   return commonOptions(
     program
       .command("login")
-      .description("Login with Trigger.dev so you can perform authenticated actions")
+      .summary("Login with Trigger.dev so you can perform authenticated actions")
+      .description(
+        `Login with Trigger.dev so you can perform authenticated actions.
+
+Examples:
+  # Interactive login (opens browser)
+  $ trigger.dev login
+
+  # Headless / agent (print URL only)
+  $ trigger.dev login --no-browser
+
+  # Login to a named profile
+  $ trigger.dev login --profile staging`
+      )
+      .option("--no-browser", "Don't automatically open the browser; print the URL only")
   )
     .version(VERSION, "-v, --version", "Display the version number")
     .action(async (options) => {
@@ -67,7 +82,12 @@ export async function loginCommand(options: unknown) {
 }
 
 async function _loginCommand(options: LoginCommandOptions) {
-  return login({ defaultApiUrl: options.apiUrl, embedded: false, profile: options.profile });
+  return login({
+    defaultApiUrl: options.apiUrl,
+    embedded: false,
+    profile: options.profile,
+    browser: options.browser,
+  });
 }
 
 export type LoginOptions = {
@@ -75,6 +95,7 @@ export type LoginOptions = {
   embedded?: boolean;
   profile?: string;
   silent?: boolean;
+  browser?: boolean;
 };
 
 export async function login(options?: LoginOptions): Promise<LoginResult> {
@@ -259,7 +280,9 @@ export async function login(options?: LoginOptions): Promise<LoginResult> {
         `Please visit the following URL to login:\n${chalkLink(authorizationCodeResult.url)}`
       );
 
-      if (await isLinuxServer()) {
+      if (opts.browser === false) {
+        log.message("Browser auto-open disabled. Visit the URL above to login.");
+      } else if (await isLinuxServer()) {
         log.message("Please install `xdg-utils` to automatically open the login URL.");
       } else {
         await open(authorizationCodeResult.url);
diff --git a/packages/cli-v3/src/commands/mcp.ts b/packages/cli-v3/src/commands/mcp.ts
index f533a8031e5..392f1fb72ee 100644
--- a/packages/cli-v3/src/commands/mcp.ts
+++ b/packages/cli-v3/src/commands/mcp.ts
@@ -14,15 +14,13 @@ import { printStandloneInitialBanner } from "../utilities/initialBanner.js";
 import { logger } from "../utilities/logger.js";
 import { installMcpServer } from "./install-mcp.js";
 import { serverMetadata } from "../mcp/config.js";
-import { initiateRulesInstallWizard } from "./install-rules.js";
+import { initiateSkillsInstallWizard } from "./skills.js";
 
 const McpCommandOptions = CommonCommandOptions.extend({
   projectRef: z.string().optional(),
   logFile: z.string().optional(),
   devOnly: z.boolean().default(false),
   readonly: z.boolean().default(false),
-  rulesInstallManifestPath: z.string().optional(),
-  rulesInstallBranch: z.string().optional(),
 });
 
 export type McpCommandOptions = z.infer<typeof McpCommandOptions>;
@@ -42,18 +40,6 @@ export function configureMcpCommand(program: Command) {
         "Run in read-only mode. Write tools (deploy, trigger_task, cancel_run) are hidden from the AI."
       )
       .option("--log-file <log file>", "The file to log to")
-      .addOption(
-        new CommandOption(
-          "--rules-install-manifest-path <path>",
-          "The path to the rules install manifest"
-        ).hideHelp()
-      )
-      .addOption(
-        new CommandOption(
-          "--rules-install-branch <branch>",
-          "The branch to install the rules from"
-        ).hideHelp()
-      )
   ).action(async (options) => {
     wrapCommandAction("mcp", McpCommandOptions, options, async (opts) => {
       await mcpCommand(opts);
@@ -80,10 +66,7 @@ export async function mcpCommand(options: McpCommandOptions) {
       return;
     }
 
-    await initiateRulesInstallWizard({
-      manifestPath: options.rulesInstallManifestPath,
-      branch: options.rulesInstallBranch,
-    });
+    await initiateSkillsInstallWizard({});
 
     return;
   }
diff --git a/packages/cli-v3/src/commands/skills.test.ts b/packages/cli-v3/src/commands/skills.test.ts
new file mode 100644
index 00000000000..01a6a46442b
--- /dev/null
+++ b/packages/cli-v3/src/commands/skills.test.ts
@@ -0,0 +1,61 @@
+import { afterAll, describe, expect, it } from "vitest";
+import { mkdir, mkdtemp, rm, writeFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { dirname, join } from "node:path";
+import { resolveBundledPackageJSON } from "./skills.js";
+
+/**
+ * Reproduces the published layout: tshy emits a dialect stub `package.json`
+ * ({"type":"module"}) in `dist/esm`, which shadows the real package root when resolving
+ * from the bundled code. The skills dir ships at the package root. Resolution must skip
+ * the stub and land on the root, otherwise `trigger skills` silently finds no skills.
+ */
+async function makeBundledPackage(): Promise<{ root: string; distEsm: string }> {
+  const root = await mkdtemp(join(tmpdir(), "bundled-cli-"));
+
+  await writeFile(
+    join(root, "package.json"),
+    JSON.stringify({ name: "trigger.dev", version: "9.9.9-test.1" })
+  );
+
+  await mkdir(join(root, "skills", "authoring-tasks"), { recursive: true });
+  await writeFile(join(root, "skills", "authoring-tasks", "SKILL.md"), "# Authoring");
+
+  const distEsm = join(root, "dist", "esm");
+  await mkdir(distEsm, { recursive: true });
+  // The tshy dialect stub that caused the bug.
+  await writeFile(join(distEsm, "package.json"), JSON.stringify({ type: "module" }));
+
+  return { root, distEsm };
+}
+
+describe("resolveBundledPackageJSON", () => {
+  const roots: string[] = [];
+
+  afterAll(async () => {
+    await Promise.all(roots.map((d) => rm(d, { recursive: true, force: true })));
+  });
+
+  it("skips the tshy dist/esm dialect stub and resolves the package root", async () => {
+    const { root, distEsm } = await makeBundledPackage();
+    roots.push(root);
+
+    const resolved = await resolveBundledPackageJSON(distEsm);
+
+    // Must be the root package.json (which has `skills/` beside it), not the dist/esm stub.
+    expect(resolved).toBe(join(root, "package.json"));
+    expect(dirname(resolved!)).toBe(root);
+  });
+
+  it("resolves directly when started from a dir under the named package root (source/tsx path)", async () => {
+    const { root } = await makeBundledPackage();
+    roots.push(root);
+
+    const srcDir = join(root, "src");
+    await mkdir(srcDir, { recursive: true });
+
+    const resolved = await resolveBundledPackageJSON(srcDir);
+
+    expect(resolved).toBe(join(root, "package.json"));
+  });
+});
diff --git a/packages/cli-v3/src/commands/skills.ts b/packages/cli-v3/src/commands/skills.ts
new file mode 100644
index 00000000000..b2d4613b02d
--- /dev/null
+++ b/packages/cli-v3/src/commands/skills.ts
@@ -0,0 +1,577 @@
+import { confirm, intro, isCancel, log, multiselect, outro } from "@clack/prompts";
+import chalk from "chalk";
+import { Command, Option as CommandOption } from "commander";
+import { dirname, join } from "node:path";
+import { readPackageJSON, resolvePackageJSON } from "pkg-types";
+import * as semver from "semver";
+import { z } from "zod";
+import { OutroCommandError, wrapCommandAction } from "../cli/common.js";
+import {
+  BundledSkillsLoader,
+  loadRulesManifest,
+  ManifestVersion,
+  RulesManifest,
+  RulesManifestVersionOption,
+} from "../rules/manifest.js";
+import { sourceDir } from "../sourceDir.js";
+import { cliLink } from "../utilities/cliOutput.js";
+import {
+  readConfigHasSeenRulesInstallPrompt,
+  readConfigLastRulesInstallPromptVersion,
+  writeConfigHasSeenRulesInstallPrompt,
+  writeConfigLastRulesInstallPromptVersion,
+} from "../utilities/configFiles.js";
+import { pathExists, readFile, safeWriteFile } from "../utilities/fileSystem.js";
+import { printStandloneInitialBanner } from "../utilities/initialBanner.js";
+import { logger } from "../utilities/logger.js";
+
+// Only tools with a native agent-skills directory. Rules-file-only tools (windsurf,
+// gemini-cli, cline, amp, kilo, ruler) don't support the Agent Skills format yet, so
+// they fall under the "Unsupported target" manual path rather than silently no-op.
+const targets = ["claude-code", "cursor", "vscode", "agents.md"] as const;
+
+type TargetLabels = {
+  [key in (typeof targets)[number]]: string;
+};
+
+const targetLabels: TargetLabels = {
+  "claude-code": "Claude Code",
+  cursor: "Cursor",
+  vscode: "VSCode (Copilot)",
+  "agents.md": "AGENTS.md (OpenAI Codex CLI, Jules, OpenCode)",
+};
+
+type SupportedTargets = (typeof targets)[number];
+type ResolvedTargets = SupportedTargets | "unsupported";
+
+const SkillsCommandOptions = z.object({
+  target: z.enum(targets).array().optional(),
+  yes: z.boolean().optional(),
+  logLevel: z.enum(["debug", "info", "log", "warn", "error", "none"]).optional(),
+  forceWizard: z.boolean().optional(),
+});
+
+type SkillsCommandOptions = z.infer<typeof SkillsCommandOptions>;
+
+export function configureSkillsCommand(program: Command) {
+  return program
+    .command("skills")
+    .alias("install-rules")
+    .description("Install the Trigger.dev agent skills into your coding agent")
+    .option(
+      "--target <targets...>",
+      "Choose the target (or targets) to install the Trigger.dev skills into. Native install is supported for: " +
+        targets.join(", ")
+    )
+    .option(
+      "-y, --yes",
+      "Install all available skills for the selected targets without prompting"
+    )
+    .option(
+      "-l, --log-level <level>",
+      "The CLI log level to use (debug, info, log, warn, error, none). This does not effect the log level of your trigger.dev tasks.",
+      "log"
+    )
+    .addOption(
+      new CommandOption(
+        "--force-wizard",
+        "Force the skills install wizard to run even if the skills have already been installed."
+      ).hideHelp()
+    )
+    .action(async (options) => {
+      await printStandloneInitialBanner(true);
+      await installSkillsCommand(options);
+    });
+}
+
+export async function installSkillsCommand(options: unknown) {
+  return await wrapCommandAction("installSkillsCommand", SkillsCommandOptions, options, async (opts) => {
+    if (opts.logLevel) {
+      logger.loggerLevel = opts.logLevel;
+    }
+
+    return await _installSkillsCommand(opts);
+  });
+}
+
+/**
+ * Loads the agent skills bundled in this CLI (`<cli>/skills`, shipped via `files[]`).
+ * The skills dir and version are resolved from the CLI's own package.json, anchored at
+ * `sourceDir` (the CLI's location) rather than the user's cwd. The CLI is the only source
+ * of skills (there is no remote fallback), so this only returns null in the unexpected
+ * case that the CLI ships without any skills.
+ *
+ * tshy emits a dialect stub `package.json` ({"type":"module"}) in `dist/esm`, so the
+ * package.json nearest the bundled code is NOT the package root and has no `skills/`
+ * beside it. We walk up to the first package.json that has a `name` (the real root);
+ * that resolves correctly both when bundled (`<root>/dist/esm`) and from source
+ * (`<root>/src`, run via tsx in dev/tests).
+ */
+export async function resolveBundledPackageJSON(startDir: string = sourceDir): Promise<
+  string | null
+> {
+  let searchDir = startDir;
+
+  for (let i = 0; i < 10; i++) {
+    const candidate = await resolvePackageJSON(searchDir);
+    const pkg = await readPackageJSON(candidate);
+
+    if (pkg.name) {
+      return candidate;
+    }
+
+    // Climb above this (stub) package.json and keep looking for the real root.
+    const above = dirname(dirname(candidate));
+    if (above === searchDir) {
+      return null;
+    }
+    searchDir = above;
+  }
+
+  return null;
+}
+
+async function loadSkillsManifest(): Promise<RulesManifest | null> {
+  try {
+    const packageJsonPath = await resolveBundledPackageJSON();
+
+    if (!packageJsonPath) {
+      return null;
+    }
+
+    const pkg = await readPackageJSON(packageJsonPath);
+    const skillsDir = join(dirname(packageJsonPath), "skills");
+    const version = typeof pkg.version === "string" ? pkg.version : "0.0.0";
+
+    return await loadRulesManifest(new BundledSkillsLoader(skillsDir, version));
+  } catch {
+    return null;
+  }
+}
+
+async function _installSkillsCommand(options: SkillsCommandOptions) {
+  if (options.forceWizard) {
+    await initiateSkillsInstallWizard(options);
+    return;
+  }
+
+  intro("Welcome to the Trigger.dev agent skills installer ");
+
+  const manifest = await loadSkillsManifest();
+
+  if (!manifest) {
+    log.warn("No Trigger.dev agent skills were found in this CLI build.");
+    outro("Nothing to install.");
+    return;
+  }
+
+  writeConfigLastRulesInstallPromptVersion(manifest.currentVersion);
+  writeConfigHasSeenRulesInstallPrompt(true);
+
+  await installSkills(manifest, options);
+
+  outro("You're all set! ");
+}
+
+export type SkillsWizardOptions = {
+  target?: Array<(typeof targets)[number]>;
+  yes?: boolean;
+};
+
+export async function initiateSkillsInstallWizard(options: SkillsWizardOptions) {
+  const manifest = await loadSkillsManifest();
+
+  // The CLI couldn't load its own bundled skills (unexpected); nothing to offer.
+  if (!manifest) {
+    return;
+  }
+
+  const hasSeenPrompt = readConfigHasSeenRulesInstallPrompt();
+
+  if (!hasSeenPrompt) {
+    writeConfigHasSeenRulesInstallPrompt(true);
+    writeConfigLastRulesInstallPromptVersion(manifest.currentVersion);
+
+    const installChoice = await confirm({
+      message: "Would you like to install the Trigger.dev agent skills?",
+      initialValue: true,
+    });
+
+    if (isCancel(installChoice) || !installChoice) {
+      return;
+    }
+
+    await installSkills(manifest, options);
+    return;
+  }
+
+  const lastVersion = readConfigLastRulesInstallPromptVersion();
+
+  if (!lastVersion) {
+    writeConfigHasSeenRulesInstallPrompt(true);
+    writeConfigLastRulesInstallPromptVersion(manifest.currentVersion);
+
+    const installChoice = await confirm({
+      message: `A new version of the Trigger.dev agent skills is available (${manifest.currentVersion}). Do you want to install it?`,
+      initialValue: true,
+    });
+
+    if (isCancel(installChoice) || !installChoice) {
+      return;
+    }
+
+    await installSkills(manifest, options);
+    return;
+  }
+
+  if (semver.gt(manifest.currentVersion, lastVersion)) {
+    writeConfigHasSeenRulesInstallPrompt(true);
+    writeConfigLastRulesInstallPromptVersion(manifest.currentVersion);
+
+    const confirmed = await confirm({
+      message: `A new version of the Trigger.dev agent skills is available (${lastVersion} → ${chalk.greenBright(
+        manifest.currentVersion
+      )}). Do you want to install it?`,
+      initialValue: true,
+    });
+
+    if (isCancel(confirmed) || !confirmed) {
+      return;
+    }
+
+    await installSkills(manifest, options);
+  }
+}
+
+/**
+ * Mark the agent-skills install prompt as already seen at the current skills version.
+ * `trigger init` calls this after offering skills in its AI-tooling step (whether or not
+ * the user installs them) so `trigger dev` doesn't ask about skills again. Returns false
+ * if the CLI ships without bundled skills.
+ */
+export async function markSkillsPromptSeen(): Promise<boolean> {
+  const manifest = await loadSkillsManifest();
+
+  if (!manifest) {
+    return false;
+  }
+
+  writeConfigHasSeenRulesInstallPrompt(true);
+  writeConfigLastRulesInstallPromptVersion(manifest.currentVersion);
+
+  return true;
+}
+
+/**
+ * Install skills as part of `trigger init`. The user already opted in via init's AI-tooling
+ * prompt, so this skips the extra confirm and goes straight to target/skill selection, then
+ * marks the prompt seen so `trigger dev` won't re-prompt. Returns false if the CLI ships
+ * without bundled skills.
+ */
+export async function installSkillsFromInit(opts: SkillsWizardOptions = {}): Promise<boolean> {
+  const manifest = await loadSkillsManifest();
+
+  if (!manifest) {
+    return false;
+  }
+
+  writeConfigHasSeenRulesInstallPrompt(true);
+  writeConfigLastRulesInstallPromptVersion(manifest.currentVersion);
+
+  // Returns true only if skills were actually written (false e.g. when the only target
+  // chosen is "unsupported"), so callers like `trigger init` don't claim skills are ready
+  // when nothing landed.
+  return await installSkills(manifest, opts);
+}
+
+async function installSkills(manifest: RulesManifest, opts: SkillsWizardOptions): Promise<boolean> {
+  const currentVersion = await manifest.getCurrentVersion();
+
+  const targetNames = await resolveTargets(opts);
+
+  if (targetNames.length === 1 && targetNames.includes("unsupported")) {
+    handleUnsupportedTargetOnly();
+    return false;
+  }
+
+  const results = [];
+
+  for (const targetName of targetNames) {
+    const result = await installSkillsForTarget(targetName, currentVersion, opts);
+
+    if (result) {
+      results.push(result);
+    }
+  }
+
+  const installedAny = results.some((r) => r.installations.length > 0 || r.pointer);
+
+  if (installedAny) {
+    log.step("Installed the following skills:");
+
+    for (const r of results) {
+      for (const installation of r.installations) {
+        log.info(chalk.greenBright(installation.location));
+      }
+      if (r.pointer) {
+        log.info(`${chalk.greenBright(r.pointer)} ${chalk.dim("(always-on pointer)")}`);
+      }
+    }
+
+    log.info(
+      `${cliLink("Learn how to use Trigger.dev skills", "https://trigger.dev/docs/agents/rules/overview")}`
+    );
+  }
+
+  return installedAny;
+}
+
+function handleUnsupportedTargetOnly() {
+  log.info(
+    `${cliLink("Install the skills manually", "https://trigger.dev/docs/agents/rules/overview")}`
+  );
+}
+
+async function installSkillsForTarget(
+  targetName: ResolvedTargets,
+  currentVersion: ManifestVersion,
+  opts: SkillsWizardOptions
+) {
+  if (targetName === "unsupported") {
+    // This should not happen as unsupported targets are handled separately,
+    // but if it does, provide helpful output.
+    log.message(`${chalk.yellow("⚠")} Skipping unsupported target - see manual configuration above`);
+    return;
+  }
+
+  const options = await resolveOptionsForTarget(targetName, currentVersion, opts);
+
+  const installations = [];
+
+  for (const option of options) {
+    const installation = await performInstallSkillsOptionForTarget(targetName, option);
+
+    if (installation) {
+      installations.push(installation);
+    }
+  }
+
+  // Skills load on demand, so drop one always-on pointer into the tool's primary
+  // instructions file announcing what's installed (decision 7). Body lives in the
+  // on-demand skills; only this one-liner is always in context.
+  let pointer: string | undefined;
+  const skillsDir = resolveSkillsDirForTarget(targetName);
+  if (installations.length > 0 && skillsDir) {
+    pointer = await writeSkillsPointer(
+      targetName,
+      skillsDir,
+      installations.map((i) => i.option.name)
+    );
+  }
+
+  return { targetName, installations, pointer };
+}
+
+/**
+ * Skills are whole folders (SKILL.md + optional references). We write the SKILL.md into
+ * the target tool's native skills directory under the skill's own folder so the tool
+ * discovers it. Targets without a native skills dir are skipped with a notice.
+ */
+async function performInstallSkillsOptionForTarget(
+  targetName: (typeof targets)[number],
+  option: RulesManifestVersionOption
+) {
+  const skillsDir = resolveSkillsDirForTarget(targetName);
+
+  if (!skillsDir) {
+    log.message(
+      `${chalk.yellow("⚠")} ${targetLabels[targetName]} doesn't support agent skills yet, skipping "${option.name}".`
+    );
+    return;
+  }
+
+  const location = join(skillsDir, option.name, "SKILL.md");
+
+  await safeWriteFile(join(process.cwd(), location), option.contents);
+
+  return { option, location };
+}
+
+function resolveSkillsDirForTarget(targetName: (typeof targets)[number]): string | undefined {
+  switch (targetName) {
+    case "claude-code": {
+      return ".claude/skills";
+    }
+    case "cursor": {
+      return ".cursor/skills";
+    }
+    case "vscode": {
+      return ".github/skills";
+    }
+    case "agents.md": {
+      return ".agents/skills";
+    }
+    default: {
+      return undefined;
+    }
+  }
+}
+
+const POINTER_START = "<!-- TRIGGER.DEV SKILLS START -->";
+const POINTER_END = "<!-- TRIGGER.DEV SKILLS END -->";
+
+type SkillsPointer = { file: string; mode: "region" | "dedicated" };
+
+/**
+ * The always-on instructions file for each skills-capable target. "region" files are
+ * shared (a marked block is upserted so we never clobber other content); "dedicated"
+ * files are ours to own and overwrite.
+ */
+function resolveSkillsPointerForTarget(targetName: (typeof targets)[number]): SkillsPointer | undefined {
+  switch (targetName) {
+    case "claude-code": {
+      return { file: "CLAUDE.md", mode: "region" };
+    }
+    case "cursor": {
+      return { file: ".cursor/rules/trigger-skills.mdc", mode: "dedicated" };
+    }
+    case "vscode": {
+      return { file: ".github/copilot-instructions.md", mode: "region" };
+    }
+    case "agents.md": {
+      return { file: "AGENTS.md", mode: "region" };
+    }
+    default: {
+      return undefined;
+    }
+  }
+}
+
+function buildSkillsPointerBody(skillsDir: string, skillNames: string[]): string {
+  const list = skillNames.map((n) => `\`${n}\``).join(", ");
+  return [
+    "## Trigger.dev agent skills",
+    "",
+    `This project has Trigger.dev agent skills installed in \`${skillsDir}/\`. Before writing or changing Trigger.dev code (background tasks, scheduled tasks, realtime, or chat.agent AI agents), load the most relevant skill: ${list}.`,
+  ].join("\n");
+}
+
+/**
+ * Writes/updates the one-line always-on pointer for a target. Idempotent: region files
+ * replace the marked block (or append it once); the dedicated Cursor rule is overwritten.
+ * Returns the written path, or undefined for targets without a pointer location.
+ */
+async function writeSkillsPointer(
+  targetName: (typeof targets)[number],
+  skillsDir: string,
+  skillNames: string[]
+): Promise<string | undefined> {
+  const pointer = resolveSkillsPointerForTarget(targetName);
+  if (!pointer) {
+    return undefined;
+  }
+
+  const body = buildSkillsPointerBody(skillsDir, skillNames);
+  const absolutePath = join(process.cwd(), pointer.file);
+
+  if (pointer.mode === "dedicated") {
+    // Cursor: a dedicated always-apply rule file we own outright.
+    const contents = [
+      "---",
+      "description: Trigger.dev agent skills are installed in this repo",
+      "alwaysApply: true",
+      "---",
+      "",
+      body,
+      "",
+    ].join("\n");
+    await safeWriteFile(absolutePath, contents);
+    return pointer.file;
+  }
+
+  const block = `${POINTER_START}\n${body}\n${POINTER_END}`;
+
+  if (!(await pathExists(absolutePath))) {
+    await safeWriteFile(absolutePath, `${block}\n`);
+    return pointer.file;
+  }
+
+  const existing = await readFile(absolutePath);
+  const pattern = new RegExp(`${POINTER_START}.*?${POINTER_END}`, "s");
+  const next = pattern.test(existing)
+    ? existing.replace(pattern, block)
+    : `${existing.trimEnd()}\n\n${block}\n`;
+
+  await safeWriteFile(absolutePath, next);
+  return pointer.file;
+}
+
+async function resolveOptionsForTarget(
+  targetName: (typeof targets)[number],
+  currentVersion: ManifestVersion,
+  opts: SkillsWizardOptions
+) {
+  const possibleOptions = currentVersion.options.filter(
+    (option) => !option.client || option.client === targetName
+  );
+
+  // Non-interactive: install everything available for this target.
+  if (opts.yes) {
+    return possibleOptions;
+  }
+
+  const selectedOptions = await multiselect({
+    message: `Choose the skills you want to install for ${targetLabels[targetName]}`,
+    options: possibleOptions.map((option) => ({
+      value: option,
+      label: option.title,
+      hint: `${option.label} [~${option.tokens} tokens]`,
+    })),
+    required: true,
+  });
+
+  if (isCancel(selectedOptions)) {
+    throw new OutroCommandError("No options selected");
+  }
+
+  return selectedOptions;
+}
+
+async function resolveTargets(options: SkillsWizardOptions): Promise<ResolvedTargets[]> {
+  if (options.target) {
+    return options.target;
+  }
+
+  const selectOptions: Array<{
+    value: string;
+    label: string;
+    hint?: string;
+  }> = targets.map((target) => ({
+    value: target,
+    label: targetLabels[target],
+  }));
+
+  selectOptions.push({
+    value: "unsupported",
+    label: "Unsupported target",
+    hint: "We don't support this target yet, but you can still install the skills manually.",
+  });
+
+  const $selectOptions = selectOptions as Array<{
+    value: ResolvedTargets;
+    label: string;
+    hint?: string;
+  }>;
+
+  const selectedTargets = await multiselect({
+    message: "Select one or more targets to install the skills into",
+    options: $selectOptions,
+    required: true,
+  });
+
+  if (isCancel(selectedTargets)) {
+    throw new OutroCommandError("No targets selected");
+  }
+
+  return selectedTargets;
+}
diff --git a/packages/cli-v3/src/deploy/buildImage.ts b/packages/cli-v3/src/deploy/buildImage.ts
index 31a2b658545..aa8285a7c3e 100644
--- a/packages/cli-v3/src/deploy/buildImage.ts
+++ b/packages/cli-v3/src/deploy/buildImage.ts
@@ -1152,7 +1152,14 @@ function getOutputOptions({
     return outputOptions;
   }
 
-  const outputOptions: string[] = ["type=image", "oci-mediatypes=true", "rewrite-timestamp=true"];
+  // `rewrite-timestamp` is incompatible with the buildx docker driver's
+  // implicit `unpack=true` on push (used by e.g. orbstack's default builder).
+  // Provide an env-var escape hatch so local-dev deploys can opt out.
+  const skipRewriteTimestamp = process.env.TRIGGER_BUILD_SKIP_REWRITE_TIMESTAMP === "1";
+  const outputOptions: string[] = ["type=image", "oci-mediatypes=true"];
+  if (!skipRewriteTimestamp) {
+    outputOptions.push("rewrite-timestamp=true");
+  }
 
   if (imageTag) {
     outputOptions.push(`name=${imageTag}`);
diff --git a/packages/cli-v3/src/dev/devOutput.ts b/packages/cli-v3/src/dev/devOutput.ts
index 6365eee2ed7..a12309cc803 100644
--- a/packages/cli-v3/src/dev/devOutput.ts
+++ b/packages/cli-v3/src/dev/devOutput.ts
@@ -2,6 +2,7 @@ import { formatDurationMilliseconds } from "@trigger.dev/core/v3";
 import { ResolvedConfig } from "@trigger.dev/core/v3/build";
 import {
   createTaskMetadataFailedErrorStack,
+  DuplicateTaskIdsError,
   TaskIndexingImportError,
   TaskMetadataParseError,
 } from "@trigger.dev/core/v3/errors";
@@ -130,6 +131,27 @@ export function startDevOutput(options: DevOutputOptions) {
         project: config.project,
         query: `Could not parse task metadata:\n ${errorStack}`,
       });
+    } else if (error instanceof DuplicateTaskIdsError) {
+      const body = error.collisions
+        .map(({ id, filePaths }) => {
+          const distinct = Array.from(new Set(filePaths));
+
+          return distinct.length === 1
+            ? `${chalkTask(id)} was defined more than once in ${distinct[0]}`
+            : `${chalkTask(id)} was defined in:\n${distinct.map((f) => `  ${f}`).join("\n")}`;
+        })
+        .join("\n\n");
+
+      prettyError(
+        "Duplicate task ids detected",
+        `${body}\n\nTask ids must be unique across your project (including scheduled tasks). Please rename one of them.`,
+        cliLink("View the task docs", "https://trigger.dev/docs/tasks/overview")
+      );
+      aiHelpLink({
+        dashboardUrl,
+        project: config.project,
+        query: `Duplicate task ids: ${error.collisions.map((c) => c.id).join(", ")}`,
+      });
     } else {
       const errorText = error instanceof Error ? error.message : "Unknown error";
       const stack = error instanceof Error ? error.stack : undefined;
diff --git a/packages/cli-v3/src/dev/devSession.ts b/packages/cli-v3/src/dev/devSession.ts
index 482ebf6fc17..ed6290a1b86 100644
--- a/packages/cli-v3/src/dev/devSession.ts
+++ b/packages/cli-v3/src/dev/devSession.ts
@@ -118,6 +118,13 @@ export async function startDevSession({
       bundle.metafile
     );
 
+    // Skill folder copying happens after the main worker indexer runs in
+    // `BackgroundWorker.initialize` — that pass already discovers skills
+    // via the resource catalog and reports them on `workerManifest.skills`,
+    // so we don't need a duplicate indexer here (which historically ran
+    // with a bare `process.env` and silently dropped skills on projects
+    // whose task files read CLI-injected vars at module top level).
+
     buildManifest = await notifyExtensionOnBuildComplete(buildContext, buildManifest);
 
     try {
diff --git a/packages/cli-v3/src/dev/devSupervisor.ts b/packages/cli-v3/src/dev/devSupervisor.ts
index 59b2d2a473b..6c825ea4714 100644
--- a/packages/cli-v3/src/dev/devSupervisor.ts
+++ b/packages/cli-v3/src/dev/devSupervisor.ts
@@ -8,7 +8,6 @@ import {
   CreateBackgroundWorkerRequestBody,
   DevConfigResponseBody,
   SemanticInternalAttributes,
-  TaskManifest,
   WorkerManifest,
 } from "@trigger.dev/core/v3";
 import { ResolvedConfig } from "@trigger.dev/core/v3/build";
@@ -18,8 +17,9 @@ import { eventBus } from "../utilities/eventBus.js";
 import { logger } from "../utilities/logger.js";
 import { resolveSourceFiles } from "../utilities/sourceFiles.js";
 import { BackgroundWorker } from "./backgroundWorker.js";
+import { copySkillFolders } from "../build/bundleSkills.js";
 import { WorkerRuntime } from "./workerRuntime.js";
-import { chalkTask, cliLink, prettyError } from "../utilities/cliOutput.js";
+import { cliLink, prettyError } from "../utilities/cliOutput.js";
 import { DevRunController } from "../entryPoints/dev-run-controller.js";
 import { io, Socket } from "socket.io-client";
 import {
@@ -331,6 +331,25 @@ class DevSupervisor implements WorkerRuntime {
       throw new Error("Could not initialize worker");
     }
 
+    // Copy registered skill folders into `${workingDir}/.trigger/skills/{id}/`
+    // so `skill.local()` can read them at runtime. The main indexer already
+    // discovered skills; we just do the file IO here.
+    const discoveredSkills = backgroundWorker.manifest.skills ?? [];
+    if (discoveredSkills.length > 0) {
+      try {
+        await copySkillFolders({
+          skills: discoveredSkills,
+          destinationRoot: join(this.options.config.workingDir, ".trigger", "skills"),
+          workingDir: this.options.config.workingDir,
+          logger,
+        });
+      } catch (err) {
+        prettyError("Skill bundling failed", (err as Error).message);
+        stop();
+        return;
+      }
+    }
+
     const validationIssue = validateWorkerManifest(backgroundWorker.manifest);
 
     if (validationIssue) {
@@ -821,38 +840,24 @@ class DevSupervisor implements WorkerRuntime {
   }
 }
 
-type ValidationIssue =
-  | {
-    type: "duplicateTaskId";
-    duplicationTaskIds: string[];
-  }
-  | {
-    type: "noTasksDefined";
-  };
+type ValidationIssue = {
+  type: "noTasksDefined";
+};
 
+// Duplicate task ids (including across task types, e.g. a schedule and a
+// regular task sharing an id) are enforced server-side when the background
+// worker is registered, so both `dev` and `deploy` surface a single,
+// authoritative error from the backend rather than a separate client check.
 function validateWorkerManifest(manifest: WorkerManifest): ValidationIssue | undefined {
-  const issues: ValidationIssue[] = [];
-
   if (!manifest.tasks || manifest.tasks.length === 0) {
     return { type: "noTasksDefined" };
   }
 
-  // Check for any duplicate task ids
-  const taskIds = manifest.tasks.map((task) => task.id);
-  const duplicateTaskIds = taskIds.filter((id, index) => taskIds.indexOf(id) !== index);
-
-  if (duplicateTaskIds.length > 0) {
-    return { type: "duplicateTaskId", duplicationTaskIds: duplicateTaskIds };
-  }
-
   return undefined;
 }
 
 function generationValidationIssueHeader(issue: ValidationIssue) {
   switch (issue.type) {
-    case "duplicateTaskId": {
-      return `Duplicate task ids detected`;
-    }
     case "noTasksDefined": {
       return `No tasks exported from your trigger files`;
     }
@@ -861,9 +866,6 @@ function generationValidationIssueHeader(issue: ValidationIssue) {
 
 function generateValidationIssueFooter(issue: ValidationIssue) {
   switch (issue.type) {
-    case "duplicateTaskId": {
-      return cliLink("View the task docs", "https://trigger.dev/docs/tasks/overview");
-    }
     case "noTasksDefined": {
       return cliLink("View the task docs", "https://trigger.dev/docs/tasks/overview");
     }
@@ -876,9 +878,6 @@ function generateValidationIssueMessage(
   buildManifest: BuildManifest
 ) {
   switch (issue.type) {
-    case "duplicateTaskId": {
-      return createDuplicateTaskIdOutputErrorMessage(issue.duplicationTaskIds, manifest.tasks);
-    }
     case "noTasksDefined": {
       return `
         Files:
@@ -903,19 +902,3 @@ function generateValidationIssueMessage(
   }
 }
 
-function createDuplicateTaskIdOutputErrorMessage(
-  duplicateTaskIds: Array<string>,
-  tasks: Array<TaskManifest>
-) {
-  const duplicateTable = duplicateTaskIds
-    .map((id) => {
-      const $tasks = tasks.filter((task) => task.id === id);
-
-      return `\n\n${chalkTask(id)} was found in:${tasks
-        .map((task) => `\n${task.filePath} -> ${task.exportName}`)
-        .join("")}`;
-    })
-    .join("");
-
-  return `Duplicate ${chalkTask("task id")} detected:${duplicateTable}`;
-}
diff --git a/packages/cli-v3/src/dev/taskRunProcessPool.ts b/packages/cli-v3/src/dev/taskRunProcessPool.ts
index 810be7acb43..414626e64cc 100644
--- a/packages/cli-v3/src/dev/taskRunProcessPool.ts
+++ b/packages/cli-v3/src/dev/taskRunProcessPool.ts
@@ -127,7 +127,11 @@ export class TaskRunProcessPool {
     return { taskRunProcess: newProcess, isReused: false };
   }
 
-  async returnProcess(process: TaskRunProcess, version: string): Promise<void> {
+  async returnProcess(
+    process: TaskRunProcess,
+    version: string,
+    options?: { forceKill?: boolean }
+  ): Promise<void> {
     // Remove from busy processes for this version
     const busyProcesses = this.busyProcessesByVersion.get(version);
     if (busyProcesses) {
@@ -141,6 +145,19 @@ export class TaskRunProcessPool {
       );
     }
 
+    // `forceKill` skips the reuse heuristic and tears the process down. Used
+    // on outcomes that leave the process in a state we can't safely reuse
+    // (OOM in particular — production would get a fresh container, so local
+    // dev should match that).
+    if (options?.forceKill) {
+      logger.debug("[TaskRunProcessPool] Force-killing process", {
+        version,
+        pid: process.pid,
+      });
+      await this.killProcess(process);
+      return;
+    }
+
     if (this.shouldReuseProcess(process, version)) {
       const availableCount = this.availableProcessesByVersion.get(version)?.length || 0;
       const busyCount = this.busyProcessesByVersion.get(version)?.size || 0;
diff --git a/packages/cli-v3/src/entryPoints/dev-index-worker.ts b/packages/cli-v3/src/entryPoints/dev-index-worker.ts
index 0b8ee54b0a1..a5ff5cb5597 100644
--- a/packages/cli-v3/src/entryPoints/dev-index-worker.ts
+++ b/packages/cli-v3/src/entryPoints/dev-index-worker.ts
@@ -16,6 +16,7 @@ import { sendMessageInCatalog, ZodSchemaParsedError } from "@trigger.dev/core/v3
 import { readFile } from "node:fs/promises";
 import sourceMapSupport from "source-map-support";
 import { registerResources } from "../indexing/registerResources.js";
+import { reportTaskIdCollisions } from "../indexing/reportTaskIdCollisions.js";
 import { env } from "std-env";
 import { normalizeImportPath } from "../utilities/normalizeImportPath.js";
 import { detectRuntimeVersion } from "@trigger.dev/core/v3/build";
@@ -27,30 +28,45 @@ sourceMapSupport.install({
   hookRequire: false,
 });
 
+// If the parent CLI closes the IPC channel, exit cleanly instead of being
+// re-parented to init and busy-looping on `process.send` against a dead channel.
+process.on("disconnect", () => {
+  process.exit(0);
+});
+
+function safeSend(message: unknown) {
+  if (!process.connected || !process.send) {
+    return;
+  }
+  try {
+    process.send(message);
+  } catch {
+    // swallow: a throw here would re-enter this handler and busy-loop the worker
+  }
+}
+
 process.on("uncaughtException", function (error, origin) {
   if (error instanceof Error) {
-    process.send &&
-      process.send({
-        type: "UNCAUGHT_EXCEPTION",
-        payload: {
-          error: { name: error.name, message: error.message, stack: error.stack },
-          origin,
-        },
-        version: "v1",
-      });
+    safeSend({
+      type: "UNCAUGHT_EXCEPTION",
+      payload: {
+        error: { name: error.name, message: error.message, stack: error.stack },
+        origin,
+      },
+      version: "v1",
+    });
   } else {
-    process.send &&
-      process.send({
-        type: "UNCAUGHT_EXCEPTION",
-        payload: {
-          error: {
-            name: "Error",
-            message: typeof error === "string" ? error : JSON.stringify(error),
-          },
-          origin,
+    safeSend({
+      type: "UNCAUGHT_EXCEPTION",
+      payload: {
+        error: {
+          name: "Error",
+          message: typeof error === "string" ? error : JSON.stringify(error),
         },
-        version: "v1",
-      });
+        origin,
+      },
+      version: "v1",
+    });
   }
 });
 
@@ -102,6 +118,15 @@ async function bootstrap() {
 
 const { buildManifest, importErrors, config, timings } = await bootstrap();
 
+// Fail indexing if two task definitions share an id (across files and task
+// types). The catalog keys tasks by id, so without this the second definition
+// would silently overwrite the first.
+if (await reportTaskIdCollisions(safeSend)) {
+  // Give the message time to flush before the parent kills the worker.
+  await new Promise<void>((resolve) => setTimeout(resolve, 10));
+  process.exit(0);
+}
+
 let tasks = await convertSchemasToJsonSchemas(resourceCatalog.listTaskManifests());
 
 // If the config has retry defaults, we need to apply them to all tasks that don't have any retry settings
@@ -169,6 +194,7 @@ await sendMessageInCatalog(
     manifest: {
       tasks,
       prompts: convertPromptSchemasToJsonSchemas(resourceCatalog.listPromptManifests()),
+      skills: resourceCatalog.listSkillManifests(),
       queues: resourceCatalog.listQueueManifests(),
       configPath: buildManifest.configPath,
       runtime: buildManifest.runtime,
@@ -183,7 +209,7 @@ await sendMessageInCatalog(
     importErrors,
   },
   async (msg) => {
-    process.send?.(msg);
+    safeSend(msg);
   }
 ).catch((err) => {
   if (err instanceof ZodSchemaParsedError) {
diff --git a/packages/cli-v3/src/entryPoints/dev-run-controller.ts b/packages/cli-v3/src/entryPoints/dev-run-controller.ts
index fe486677452..ffa4228cbcd 100644
--- a/packages/cli-v3/src/entryPoints/dev-run-controller.ts
+++ b/packages/cli-v3/src/entryPoints/dev-run-controller.ts
@@ -2,6 +2,8 @@ import {
   CompleteRunAttemptResult,
   DequeuedMessage,
   IntervalService,
+  isManualOutOfMemoryError,
+  isOOMRunError,
   LogLevel,
   RunExecutionData,
   SuspendedProcessError,
@@ -52,6 +54,12 @@ export class DevRunController {
   private readonly cwd?: string;
   private isCompletingRun = false;
   private isShuttingDown = false;
+  // Set when the current attempt's outcome means the worker process can't
+  // safely be reused (OOM in particular). Production gives every retry a
+  // fresh container; local dev's process pool needs the same on these
+  // outcomes or in-process state (e.g. session.in cursors) leaks across
+  // attempts and the OOM retry skips the message that triggered it.
+  private discardProcessOnReturn = false;
 
   private state:
     | {
@@ -539,6 +547,13 @@ export class DevRunController {
         error: TaskRunProcess.parseExecuteError(error),
       } satisfies TaskRunFailedExecutionResult;
 
+      // Same OOM check as the success path: if the thrown error parses to
+      // an OOM, force-kill the process when it's eventually returned (via
+      // runFinished / stop) instead of recycling it.
+      if (isOOMRunError(completion.error) || isManualOutOfMemoryError(completion.error)) {
+        this.discardProcessOnReturn = true;
+      }
+
       const completionResult = await this.httpClient.dev.completeRunAttempt(
         run.friendlyId,
         this.snapshotFriendlyId ?? snapshot.friendlyId,
@@ -591,6 +606,9 @@ export class DevRunController {
     });
 
     this.isCompletingRun = false;
+    // Reset between attempts so a stale OOM flag from a prior attempt
+    // doesn't force-kill a healthy reused process on RETRY_IMMEDIATELY.
+    this.discardProcessOnReturn = false;
 
     // Get process from pool instead of creating new one
     const { taskRunProcess, isReused } = await this.opts.taskRunProcessPool.getProcess(
@@ -664,10 +682,22 @@ export class DevRunController {
 
     this.isCompletingRun = true;
 
+    // Detect OOM in the failure result so we can force-kill the worker
+    // instead of returning it to the pool. Mirrors the production behavior
+    // where OOM retry happens on a brand-new container.
+    if (
+      !completion.ok &&
+      (isOOMRunError(completion.error) || isManualOutOfMemoryError(completion.error))
+    ) {
+      this.discardProcessOnReturn = true;
+    }
+
     // Return process to pool instead of killing it
     try {
       const version = this.opts.worker.serverWorker?.version || "unknown";
-      await this.opts.taskRunProcessPool.returnProcess(this.taskRunProcess, version);
+      await this.opts.taskRunProcessPool.returnProcess(this.taskRunProcess, version, {
+        forceKill: this.discardProcessOnReturn,
+      });
       this.taskRunProcess = undefined;
     } catch (error) {
       logger.debug("Failed to return task run process to pool, submitting completion anyway", {
@@ -820,7 +850,9 @@ export class DevRunController {
     if (this.taskRunProcess) {
       try {
         const version = this.opts.worker.serverWorker?.version || "unknown";
-        await this.opts.taskRunProcessPool.returnProcess(this.taskRunProcess, version);
+        await this.opts.taskRunProcessPool.returnProcess(this.taskRunProcess, version, {
+          forceKill: this.discardProcessOnReturn,
+        });
         this.taskRunProcess = undefined;
       } catch (error) {
         logger.debug("Failed to return task run process to pool during runFinished", { error });
@@ -854,7 +886,9 @@ export class DevRunController {
     if (this.taskRunProcess && !this.taskRunProcess.isBeingKilled) {
       try {
         const version = this.opts.worker.serverWorker?.version || "unknown";
-        await this.opts.taskRunProcessPool.returnProcess(this.taskRunProcess, version);
+        await this.opts.taskRunProcessPool.returnProcess(this.taskRunProcess, version, {
+          forceKill: this.discardProcessOnReturn,
+        });
         this.taskRunProcess = undefined;
       } catch (error) {
         logger.debug("Failed to return task run process to pool during stop", { error });
diff --git a/packages/cli-v3/src/entryPoints/dev-run-worker.ts b/packages/cli-v3/src/entryPoints/dev-run-worker.ts
index ae9a2667f51..b7f621954c9 100644
--- a/packages/cli-v3/src/entryPoints/dev-run-worker.ts
+++ b/packages/cli-v3/src/entryPoints/dev-run-worker.ts
@@ -34,6 +34,7 @@ import {
   heartbeats,
   realtimeStreams,
   inputStreams,
+  sessionStreams,
 } from "@trigger.dev/core/v3";
 import { TriggerTracer } from "@trigger.dev/core/v3/tracer";
 import {
@@ -46,6 +47,7 @@ import {
   SharedRuntimeManager,
   OtelTaskLogger,
   populateEnv,
+  NO_FILE_CONTEXT,
   StandardLifecycleHooksManager,
   StandardLocalsManager,
   StandardMetadataManager,
@@ -61,6 +63,7 @@ import {
   StandardHeartbeatsManager,
   StandardRealtimeStreamsManager,
   StandardInputStreamManager,
+  StandardSessionStreamManager,
 } from "@trigger.dev/core/v3/workers";
 import { ZodIpcConnection } from "@trigger.dev/core/v3/zodIpc";
 import { readFile } from "node:fs/promises";
@@ -77,37 +80,53 @@ sourceMapSupport.install({
   hookRequire: false,
 });
 
+// If the parent CLI closes the IPC channel (process restart, crash, lost
+// handle), exit cleanly instead of being re-parented to init and busy-looping
+// on `process.send` that throws against a dead channel.
+process.on("disconnect", () => {
+  process.exit(0);
+});
+
+function safeSend(message: unknown) {
+  if (!process.connected || !process.send) {
+    return;
+  }
+  try {
+    process.send(message);
+  } catch {
+    // swallow: a throw here would re-enter this handler and busy-loop the worker
+  }
+}
+
 process.on("uncaughtException", function (error, origin) {
   logError("Uncaught exception", { error, origin });
   if (error instanceof Error) {
-    process.send &&
-      process.send({
-        type: "EVENT",
-        message: {
-          type: "UNCAUGHT_EXCEPTION",
-          payload: {
-            error: { name: error.name, message: error.message, stack: error.stack },
-            origin,
-          },
-          version: "v1",
+    safeSend({
+      type: "EVENT",
+      message: {
+        type: "UNCAUGHT_EXCEPTION",
+        payload: {
+          error: { name: error.name, message: error.message, stack: error.stack },
+          origin,
         },
-      });
+        version: "v1",
+      },
+    });
   } else {
-    process.send &&
-      process.send({
-        type: "EVENT",
-        message: {
-          type: "UNCAUGHT_EXCEPTION",
-          payload: {
-            error: {
-              name: "Error",
-              message: typeof error === "string" ? error : JSON.stringify(error),
-            },
-            origin,
+    safeSend({
+      type: "EVENT",
+      message: {
+        type: "UNCAUGHT_EXCEPTION",
+        payload: {
+          error: {
+            name: "Error",
+            message: typeof error === "string" ? error : JSON.stringify(error),
           },
-          version: "v1",
+          origin,
         },
-      });
+        version: "v1",
+      },
+    });
   }
 });
 
@@ -170,6 +189,14 @@ const standardInputStreamManager = new StandardInputStreamManager(
 );
 inputStreams.setGlobalManager(standardInputStreamManager);
 
+const standardSessionStreamManager = new StandardSessionStreamManager(
+  apiClientManager.clientOrThrow(),
+  getEnvVar("TRIGGER_STREAM_URL", getEnvVar("TRIGGER_API_URL")) ?? "https://api.trigger.dev",
+  (getEnvVar("TRIGGER_STREAMS_DEBUG") === "1" || getEnvVar("TRIGGER_STREAMS_DEBUG") === "true") ??
+    false
+);
+sessionStreams.setGlobalManager(standardSessionStreamManager);
+
 const waitUntilTimeoutInMs = getNumberEnvVar("TRIGGER_WAIT_UNTIL_TIMEOUT_MS", 60_000);
 const waitUntilManager = new StandardWaitUntilManager(waitUntilTimeoutInMs);
 waitUntil.setGlobalManager(waitUntilManager);
@@ -344,6 +371,7 @@ function resetExecutionEnvironment() {
   runMetadataManager.reset();
   standardRealtimeStreamsManager.reset();
   standardInputStreamManager.reset();
+  standardSessionStreamManager.reset();
   waitUntilManager.reset();
   _sharedWorkerRuntime?.reset();
   durableClock.reset();
@@ -474,8 +502,8 @@ const zodIpc = new ZodIpcConnection({
               async () => {
                 const beforeImport = performance.now();
                 resourceCatalog.setCurrentFileContext(
-                  taskManifest.entryPoint,
-                  taskManifest.filePath
+                  taskManifest.filePath,
+                  taskManifest.entryPoint
                 );
 
                 // Load init file if it exists
@@ -583,6 +611,12 @@ const zodIpc = new ZodIpcConnection({
 
           const signal = AbortSignal.any([_cancelController.signal, timeoutController.signal]);
 
+          // Sentinel context so `task()` calls firing during run / lifecycle
+          // hooks (e.g. via `await import(...)` of a module containing a task
+          // definition) register normally instead of being silently dropped.
+          // Cleared in the surrounding finally below.
+          resourceCatalog.setCurrentFileContext(NO_FILE_CONTEXT, NO_FILE_CONTEXT);
+
           const { result } = await executor.execute(execution, ctx, signal);
 
           if (_isRunning && !_isCancelled) {
@@ -601,6 +635,7 @@ const zodIpc = new ZodIpcConnection({
           }
         } finally {
           standardHeartbeatsManager.stopHeartbeat();
+          resourceCatalog.clearCurrentFileContext();
 
           _execution = undefined;
           _isRunning = false;
diff --git a/packages/cli-v3/src/entryPoints/managed-index-controller.ts b/packages/cli-v3/src/entryPoints/managed-index-controller.ts
index 181d3d1093c..21aa3d829d2 100644
--- a/packages/cli-v3/src/entryPoints/managed-index-controller.ts
+++ b/packages/cli-v3/src/entryPoints/managed-index-controller.ts
@@ -104,6 +104,7 @@ async function indexDeployment({
         packageVersion: buildManifest.packageVersion,
         cliPackageVersion: buildManifest.cliPackageVersion,
         tasks: workerManifest.tasks,
+        prompts: workerManifest.prompts,
         queues: workerManifest.queues,
         sourceFiles,
         runtime: workerManifest.runtime,
diff --git a/packages/cli-v3/src/entryPoints/managed-index-worker.ts b/packages/cli-v3/src/entryPoints/managed-index-worker.ts
index efc226b99e0..4923beb3af9 100644
--- a/packages/cli-v3/src/entryPoints/managed-index-worker.ts
+++ b/packages/cli-v3/src/entryPoints/managed-index-worker.ts
@@ -16,6 +16,7 @@ import { sendMessageInCatalog, ZodSchemaParsedError } from "@trigger.dev/core/v3
 import { readFile } from "node:fs/promises";
 import sourceMapSupport from "source-map-support";
 import { registerResources } from "../indexing/registerResources.js";
+import { reportTaskIdCollisions } from "../indexing/reportTaskIdCollisions.js";
 import { env } from "std-env";
 import { normalizeImportPath } from "../utilities/normalizeImportPath.js";
 import { detectRuntimeVersion } from "@trigger.dev/core/v3/build";
@@ -27,30 +28,39 @@ sourceMapSupport.install({
   hookRequire: false,
 });
 
+function safeSend(message: unknown) {
+  if (!process.connected || !process.send) {
+    return;
+  }
+  try {
+    process.send(message);
+  } catch {
+    // swallow: a throw here would re-enter this handler and busy-loop the worker
+  }
+}
+
 process.on("uncaughtException", function (error, origin) {
   if (error instanceof Error) {
-    process.send &&
-      process.send({
-        type: "UNCAUGHT_EXCEPTION",
-        payload: {
-          error: { name: error.name, message: error.message, stack: error.stack },
-          origin,
-        },
-        version: "v1",
-      });
+    safeSend({
+      type: "UNCAUGHT_EXCEPTION",
+      payload: {
+        error: { name: error.name, message: error.message, stack: error.stack },
+        origin,
+      },
+      version: "v1",
+    });
   } else {
-    process.send &&
-      process.send({
-        type: "UNCAUGHT_EXCEPTION",
-        payload: {
-          error: {
-            name: "Error",
-            message: typeof error === "string" ? error : JSON.stringify(error),
-          },
-          origin,
+    safeSend({
+      type: "UNCAUGHT_EXCEPTION",
+      payload: {
+        error: {
+          name: "Error",
+          message: typeof error === "string" ? error : JSON.stringify(error),
         },
-        version: "v1",
-      });
+        origin,
+      },
+      version: "v1",
+    });
   }
 });
 
@@ -102,6 +112,15 @@ async function bootstrap() {
 
 const { buildManifest, importErrors, config, timings } = await bootstrap();
 
+// Fail indexing if two task definitions share an id (across files and task
+// types). The catalog keys tasks by id, so without this the second definition
+// would silently overwrite the first.
+if (await reportTaskIdCollisions(safeSend)) {
+  // Give the message time to flush before the parent kills the worker.
+  await new Promise<void>((resolve) => setTimeout(resolve, 10));
+  process.exit(0);
+}
+
 let tasks = await convertSchemasToJsonSchemas(resourceCatalog.listTaskManifests());
 
 // If the config has retry defaults, we need to apply them to all tasks that don't have any retry settings
@@ -171,6 +190,7 @@ await sendMessageInCatalog(
     manifest: {
       tasks,
       prompts: convertPromptSchemasToJsonSchemas(resourceCatalog.listPromptManifests()),
+      skills: resourceCatalog.listSkillManifests(),
       queues: resourceCatalog.listQueueManifests(),
       configPath: buildManifest.configPath,
       runtime: buildManifest.runtime,
@@ -191,7 +211,7 @@ await sendMessageInCatalog(
     importErrors,
   },
   async (msg) => {
-    process.send?.(msg);
+    safeSend(msg);
   }
 ).catch((err) => {
   if (err instanceof ZodSchemaParsedError) {
@@ -200,7 +220,7 @@ await sendMessageInCatalog(
       "TASKS_FAILED_TO_PARSE",
       { zodIssues: err.error.issues, tasks },
       async (msg) => {
-        process.send?.(msg);
+        safeSend(msg);
       }
     );
   } else {
diff --git a/packages/cli-v3/src/entryPoints/managed-run-worker.ts b/packages/cli-v3/src/entryPoints/managed-run-worker.ts
index f8234aa68c4..ed8fc9be5e7 100644
--- a/packages/cli-v3/src/entryPoints/managed-run-worker.ts
+++ b/packages/cli-v3/src/entryPoints/managed-run-worker.ts
@@ -33,6 +33,7 @@ import {
   heartbeats,
   realtimeStreams,
   inputStreams,
+  sessionStreams,
 } from "@trigger.dev/core/v3";
 import { TriggerTracer } from "@trigger.dev/core/v3/tracer";
 import {
@@ -46,6 +47,7 @@ import {
   OtelTaskLogger,
   populateEnv,
   ProdUsageManager,
+  NO_FILE_CONTEXT,
   StandardLifecycleHooksManager,
   StandardLocalsManager,
   StandardMetadataManager,
@@ -61,6 +63,7 @@ import {
   StandardHeartbeatsManager,
   StandardRealtimeStreamsManager,
   StandardInputStreamManager,
+  StandardSessionStreamManager,
 } from "@trigger.dev/core/v3/workers";
 import { ZodIpcConnection } from "@trigger.dev/core/v3/zodIpc";
 import { readFile } from "node:fs/promises";
@@ -77,37 +80,46 @@ sourceMapSupport.install({
   hookRequire: false,
 });
 
+function safeSend(message: unknown) {
+  if (!process.connected || !process.send) {
+    return;
+  }
+  try {
+    process.send(message);
+  } catch {
+    // swallow: a throw here would re-enter this handler and busy-loop the worker
+  }
+}
+
 process.on("uncaughtException", function (error, origin) {
   console.error("Uncaught exception", { error, origin });
   if (error instanceof Error) {
-    process.send &&
-      process.send({
-        type: "EVENT",
-        message: {
-          type: "UNCAUGHT_EXCEPTION",
-          payload: {
-            error: { name: error.name, message: error.message, stack: error.stack },
-            origin,
-          },
-          version: "v1",
+    safeSend({
+      type: "EVENT",
+      message: {
+        type: "UNCAUGHT_EXCEPTION",
+        payload: {
+          error: { name: error.name, message: error.message, stack: error.stack },
+          origin,
         },
-      });
+        version: "v1",
+      },
+    });
   } else {
-    process.send &&
-      process.send({
-        type: "EVENT",
-        message: {
-          type: "UNCAUGHT_EXCEPTION",
-          payload: {
-            error: {
-              name: "Error",
-              message: typeof error === "string" ? error : JSON.stringify(error),
-            },
-            origin,
+    safeSend({
+      type: "EVENT",
+      message: {
+        type: "UNCAUGHT_EXCEPTION",
+        payload: {
+          error: {
+            name: "Error",
+            message: typeof error === "string" ? error : JSON.stringify(error),
           },
-          version: "v1",
+          origin,
         },
-      });
+        version: "v1",
+      },
+    });
   }
 });
 
@@ -150,6 +162,14 @@ const standardInputStreamManager = new StandardInputStreamManager(
 );
 inputStreams.setGlobalManager(standardInputStreamManager);
 
+const standardSessionStreamManager = new StandardSessionStreamManager(
+  apiClientManager.clientOrThrow(),
+  getEnvVar("TRIGGER_STREAM_URL", getEnvVar("TRIGGER_API_URL")) ?? "https://api.trigger.dev",
+  (getEnvVar("TRIGGER_STREAMS_DEBUG") === "1" || getEnvVar("TRIGGER_STREAMS_DEBUG") === "true") ??
+    false
+);
+sessionStreams.setGlobalManager(standardSessionStreamManager);
+
 const waitUntilTimeoutInMs = getNumberEnvVar("TRIGGER_WAIT_UNTIL_TIMEOUT_MS", 60_000);
 const waitUntilManager = new StandardWaitUntilManager(waitUntilTimeoutInMs);
 waitUntil.setGlobalManager(waitUntilManager);
@@ -324,6 +344,7 @@ function resetExecutionEnvironment() {
   waitUntilManager.reset();
   standardRealtimeStreamsManager.reset();
   standardInputStreamManager.reset();
+  standardSessionStreamManager.reset();
   _sharedWorkerRuntime?.reset();
   durableClock.reset();
   taskContext.disable();
@@ -470,8 +491,8 @@ const zodIpc = new ZodIpcConnection({
               async () => {
                 const beforeImport = performance.now();
                 resourceCatalog.setCurrentFileContext(
-                  taskManifest.entryPoint,
-                  taskManifest.filePath
+                  taskManifest.filePath,
+                  taskManifest.entryPoint
                 );
 
                 // Load init file if it exists
@@ -575,6 +596,12 @@ const zodIpc = new ZodIpcConnection({
 
           const signal = AbortSignal.any([_cancelController.signal, timeoutController.signal]);
 
+          // Sentinel context so `task()` calls firing during run / lifecycle
+          // hooks (e.g. via `await import(...)` of a module containing a task
+          // definition) register normally instead of being silently dropped.
+          // Cleared in the surrounding finally below.
+          resourceCatalog.setCurrentFileContext(NO_FILE_CONTEXT, NO_FILE_CONTEXT);
+
           const { result } = await executor.execute(execution, ctx, signal);
 
           if (_isRunning && !_isCancelled) {
@@ -593,6 +620,7 @@ const zodIpc = new ZodIpcConnection({
           }
         } finally {
           standardHeartbeatsManager.stopHeartbeat();
+          resourceCatalog.clearCurrentFileContext();
 
           _execution = undefined;
           _isRunning = false;
diff --git a/packages/cli-v3/src/executions/taskRunProcess.test.ts b/packages/cli-v3/src/executions/taskRunProcess.test.ts
index 82ab19639b2..9f36ac13b34 100644
--- a/packages/cli-v3/src/executions/taskRunProcess.test.ts
+++ b/packages/cli-v3/src/executions/taskRunProcess.test.ts
@@ -1,6 +1,6 @@
 import { TaskRunProcess, type TaskRunProcessOptions } from "./taskRunProcess.js";
 import { describe, it, expect, vi } from "vitest";
-import { UnexpectedExitError } from "@trigger.dev/core/v3/errors";
+import { UncaughtExceptionError, UnexpectedExitError } from "@trigger.dev/core/v3/errors";
 import type {
   TaskRunExecution,
   TaskRunExecutionPayload,
@@ -118,4 +118,38 @@ describe("TaskRunProcess", () => {
       }
     });
   });
+
+  describe("parseExecuteError(UncaughtExceptionError)", () => {
+    it("returns INTERNAL_ERROR with TASK_RUN_UNCAUGHT_EXCEPTION + original message and stack", () => {
+      const error = new UncaughtExceptionError(
+        {
+          name: "Error",
+          message: "read ECONNRESET",
+          stack:
+            "Error: read ECONNRESET\n    at TCP.onStreamRead (node:internal/stream_base_commons:216:20)",
+        },
+        "uncaughtException"
+      );
+
+      const result = TaskRunProcess.parseExecuteError(error);
+
+      expect(result.type).toBe("INTERNAL_ERROR");
+      expect(result.code).toBe("TASK_RUN_UNCAUGHT_EXCEPTION");
+      expect(result.message).toBe("read ECONNRESET");
+      expect(result.stackTrace).toContain("TCP.onStreamRead");
+    });
+
+    it("uses the same code for unhandledRejection origin", () => {
+      const error = new UncaughtExceptionError(
+        { name: "TypeError", message: "boom" },
+        "unhandledRejection"
+      );
+
+      const result = TaskRunProcess.parseExecuteError(error);
+
+      expect(result.type).toBe("INTERNAL_ERROR");
+      expect(result.code).toBe("TASK_RUN_UNCAUGHT_EXCEPTION");
+      expect(result.message).toBe("boom");
+    });
+  });
 });
diff --git a/packages/cli-v3/src/executions/taskRunProcess.ts b/packages/cli-v3/src/executions/taskRunProcess.ts
index a329956c0d2..6816b2e24f2 100644
--- a/packages/cli-v3/src/executions/taskRunProcess.ts
+++ b/packages/cli-v3/src/executions/taskRunProcess.ts
@@ -33,6 +33,7 @@ import {
   MaxDurationExceededError,
   UnexpectedExitError,
   SuspendedProcessError,
+  UncaughtExceptionError,
 } from "@trigger.dev/core/v3/errors";
 
 export type OnSendDebugLogMessage = InferSocketMessageSchema<
@@ -205,6 +206,18 @@ export class TaskRunProcess {
         },
         UNCAUGHT_EXCEPTION: async (message) => {
           logger.debug("uncaught exception in task run process", { ...message });
+
+          // The worker process reports uncaught exceptions and unhandled rejections via this
+          // event, but does not exit on its own. If we don't terminate the attempt here, run()
+          // hangs (the awaited promise that triggered the throw is orphaned) until maxDuration
+          // expires — surfacing as TIMED_OUT/MAX_DURATION_EXCEEDED with empty attempts. Reject
+          // any pending attempts now and gracefully terminate the worker so OTEL gets a flush
+          // window before SIGKILL.
+          this.#rejectPendingAttempts(
+            new UncaughtExceptionError(message.error, message.origin)
+          );
+
+          await this.#gracefullyTerminate(this.options.gracefulTerminationTimeoutInMs);
         },
         SEND_DEBUG_LOG: async (message) => {
           this.onSendDebugLog.post(message);
@@ -339,6 +352,23 @@ export class TaskRunProcess {
     logger.debug("child process error", { error, pid: this.pid });
   }
 
+  #rejectPendingAttempts(error: Error) {
+    for (const [id, status] of this._attemptStatuses.entries()) {
+      if (status !== "PENDING") {
+        continue;
+      }
+
+      this._attemptStatuses.set(id, "REJECTED");
+
+      const attemptPromise = this._attemptPromises.get(id);
+      if (!attemptPromise) {
+        continue;
+      }
+
+      attemptPromise.rejecter(error);
+    }
+  }
+
   async #handleExit(code: number | null, signal: NodeJS.Signals | null) {
     logger.debug("handling child exit", { code, signal, pid: this.pid });
 
@@ -559,6 +589,21 @@ export class TaskRunProcess {
       };
     }
 
+    if (error instanceof UncaughtExceptionError) {
+      // Dedicated INTERNAL_ERROR code so the engine handles retry via the
+      // existing crash-style lookup of run.lockedRetryConfig (same pathway as
+      // TASK_PROCESS_EXITED_WITH_NON_ZERO_CODE etc.) and so the dashboard
+      // renders this as "Failed" rather than "System failure" — the exception
+      // was raised by user code (or a dependency the user controls, e.g. an
+      // EventEmitter "error" event with no listener), not a platform fault.
+      return {
+        type: "INTERNAL_ERROR",
+        code: TaskRunErrorCodes.TASK_RUN_UNCAUGHT_EXCEPTION,
+        message: error.originalError.message,
+        stackTrace: error.originalError.stack,
+      };
+    }
+
     return {
       type: "INTERNAL_ERROR",
       code: TaskRunErrorCodes.TASK_EXECUTION_FAILED,
diff --git a/packages/cli-v3/src/indexing/indexWorkerManifest.ts b/packages/cli-v3/src/indexing/indexWorkerManifest.ts
index e4ae72283ff..ed7e810460a 100644
--- a/packages/cli-v3/src/indexing/indexWorkerManifest.ts
+++ b/packages/cli-v3/src/indexing/indexWorkerManifest.ts
@@ -1,5 +1,6 @@
 import { execPathForRuntime } from "@trigger.dev/core/v3/build";
 import {
+  DuplicateTaskIdsError,
   TaskIndexingImportError,
   TaskMetadataParseError,
   UncaughtExceptionError,
@@ -89,6 +90,13 @@ export async function indexWorkerManifest({
           child.kill("SIGKILL");
           break;
         }
+        case "TASKS_FAILED_TO_INDEX": {
+          clearTimeout(timeout);
+          resolved = true;
+          reject(new DuplicateTaskIdsError(message.payload.collisions));
+          child.kill("SIGKILL");
+          break;
+        }
         case "UNCAUGHT_EXCEPTION": {
           clearTimeout(timeout);
           resolved = true;
diff --git a/packages/cli-v3/src/indexing/reportTaskIdCollisions.ts b/packages/cli-v3/src/indexing/reportTaskIdCollisions.ts
new file mode 100644
index 00000000000..8c4b27999d2
--- /dev/null
+++ b/packages/cli-v3/src/indexing/reportTaskIdCollisions.ts
@@ -0,0 +1,26 @@
+import { indexerToWorkerMessages, resourceCatalog } from "@trigger.dev/core/v3";
+import { sendMessageInCatalog } from "@trigger.dev/core/v3/zodMessageHandler";
+
+/**
+ * If the indexer registered any duplicate task ids (across files and task
+ * types), report them to the parent via TASKS_FAILED_TO_INDEX and return true.
+ * Callers must stop indexing (skip INDEX_COMPLETE) when this returns true.
+ */
+export async function reportTaskIdCollisions(send: (message: unknown) => void): Promise<boolean> {
+  const collisions = resourceCatalog.listTaskIdCollisions();
+
+  if (collisions.length === 0) {
+    return false;
+  }
+
+  await sendMessageInCatalog(
+    indexerToWorkerMessages,
+    "TASKS_FAILED_TO_INDEX",
+    { collisions },
+    async (msg) => {
+      send(msg);
+    }
+  );
+
+  return true;
+}
diff --git a/packages/cli-v3/src/mcp/config.ts b/packages/cli-v3/src/mcp/config.ts
index d878d881e7d..3e53137b9b9 100644
--- a/packages/cli-v3/src/mcp/config.ts
+++ b/packages/cli-v3/src/mcp/config.ts
@@ -62,7 +62,7 @@ export const toolsMetadata = {
     name: "trigger_task",
     title: "Trigger Task",
     description:
-      "Trigger a task in the project. Use the get_tasks tool to get a list of tasks and ask the user to select one if it's not clear which one to use. Use the wait_for_run_to_complete tool to wait for the run to complete.",
+      "Trigger a task in the project. Use the get_tasks tool to get a list of tasks and ask the user to select one if it's not clear which one to use. The run executes in the background, so only wait for it to complete (with the wait_for_run_to_complete tool) if the user asked you to.",
   },
   get_run_details: {
     name: "get_run_details",
@@ -213,4 +213,28 @@ export const toolsMetadata = {
     description:
       "Reactivate a previous dashboard-sourced version as the active override. Use get_prompt_versions to find dashboard versions that can be reactivated.",
   },
+  list_agents: {
+    name: "list_agents",
+    title: "List Agents",
+    description:
+      "List all chat agents in the current worker. Agents are tasks created with chat.agent() or chat.customAgent(). Use start_agent_chat with an agent's slug to start a conversation.",
+  },
+  start_agent_chat: {
+    name: "start_agent_chat",
+    title: "Start Agent Chat",
+    description:
+      "Start a conversation with a chat agent. Returns a chatId you can use with send_agent_message. Optionally preloads the agent so it initializes before the first message.",
+  },
+  send_agent_message: {
+    name: "send_agent_message",
+    title: "Send Agent Message",
+    description:
+      "Send a message to an active agent chat and get the full response text back. Use the chatId from start_agent_chat. The agent remembers full context from previous messages in the same chat.",
+  },
+  close_agent_chat: {
+    name: "close_agent_chat",
+    title: "Close Agent Chat",
+    description:
+      "Close an agent chat conversation. The agent exits its loop gracefully. Without this, the agent will close on its own when its idle timeout expires.",
+  },
 };
diff --git a/packages/cli-v3/src/mcp/formatters.ts b/packages/cli-v3/src/mcp/formatters.ts
index c90ae0570df..131124cc9a4 100644
--- a/packages/cli-v3/src/mcp/formatters.ts
+++ b/packages/cli-v3/src/mcp/formatters.ts
@@ -427,6 +427,11 @@ function formatRunSummary(run: ListRunResponseItem): string {
     parts.push(`v${run.version}`);
   }
 
+  // Region if available
+  if (run.region) {
+    parts.push(`region:${run.region}`);
+  }
+
   return parts.join(" | ");
 }
 
diff --git a/packages/cli-v3/src/mcp/schemas.ts b/packages/cli-v3/src/mcp/schemas.ts
index b5b7d7518da..88d578fd9b7 100644
--- a/packages/cli-v3/src/mcp/schemas.ts
+++ b/packages/cli-v3/src/mcp/schemas.ts
@@ -183,6 +183,12 @@ export const ListRunsInput = CommonProjectsInput.extend({
     .describe("Filter for runs created in the last N time period. e.g. 7d, 30d, 365d")
     .optional(),
   machine: MachinePresetName.describe("Filter for runs that match this machine preset").optional(),
+  region: z
+    .string()
+    .describe(
+      "Filter for runs that executed in this region (the worker instance group masterQueue identifier, e.g. 'us-east-1' or 'main')"
+    )
+    .optional(),
 });
 
 export type ListRunsInput = z.output<typeof ListRunsInput>;
diff --git a/packages/cli-v3/src/mcp/tools.ts b/packages/cli-v3/src/mcp/tools.ts
index fd013b77644..f438989258d 100644
--- a/packages/cli-v3/src/mcp/tools.ts
+++ b/packages/cli-v3/src/mcp/tools.ts
@@ -29,6 +29,12 @@ import {
   removePromptOverrideTool,
   reactivatePromptOverrideTool,
 } from "./tools/prompts.js";
+import { listAgentsTool } from "./tools/agents.js";
+import {
+  startAgentChatTool,
+  sendAgentMessageTool,
+  closeAgentChatTool,
+} from "./tools/agentChat.js";
 import { respondWithError } from "./utils.js";
 
 /** Tool names that perform write/mutating operations. */
@@ -43,6 +49,9 @@ const WRITE_TOOLS = new Set([
   updatePromptOverrideTool.name,
   removePromptOverrideTool.name,
   reactivatePromptOverrideTool.name,
+  startAgentChatTool.name,
+  sendAgentMessageTool.name,
+  closeAgentChatTool.name,
 ]);
 
 export function registerTools(context: McpContext) {
@@ -80,6 +89,10 @@ export function registerTools(context: McpContext) {
     updatePromptOverrideTool,
     removePromptOverrideTool,
     reactivatePromptOverrideTool,
+    listAgentsTool,
+    startAgentChatTool,
+    sendAgentMessageTool,
+    closeAgentChatTool,
   ];
 
   for (const tool of tools) {
diff --git a/packages/cli-v3/src/mcp/tools/agentChat.ts b/packages/cli-v3/src/mcp/tools/agentChat.ts
new file mode 100644
index 00000000000..816d1d5f9d0
--- /dev/null
+++ b/packages/cli-v3/src/mcp/tools/agentChat.ts
@@ -0,0 +1,551 @@
+import { z } from "zod";
+import {
+  ApiClient,
+  controlSubtype,
+  SSEStreamSubscription,
+  TRIGGER_CONTROL_SUBTYPE,
+} from "@trigger.dev/core/v3";
+import { toolsMetadata } from "../config.js";
+import { CommonProjectsInput } from "../schemas.js";
+import { respondWithError, toolHandler } from "../utils.js";
+
+// ─── In-memory chat sessions ──────────────────────────────────────
+
+type ChatMessage = {
+  id: string;
+  role: string;
+  parts: Array<{ type: string; [key: string]: unknown }>;
+};
+
+type ChatSession = {
+  /** `session_*` friendlyId — durable identity for the conversation. */
+  sessionId: string;
+  /** Last-known live run id. Cleared when a run ends. */
+  runId: string;
+  chatId: string;
+  agentId: string;
+  lastEventId?: string;
+  apiClient: ApiClient;
+  clientData?: Record<string, unknown>;
+  /** Accumulated conversation messages for continuation payloads. */
+  messages: ChatMessage[];
+};
+
+const activeSessions = new Map<string, ChatSession>();
+
+// ─── ChatInputChunk serialization (mirrors TriggerChatTransport) ──
+//
+// Slim-wire: one delta `message` per chunk, not a full `messages[]` array.
+// The agent's run loop destructures `payload.message` (singular). Sending
+// a `messages: [...]` array makes `message` undefined and turn 1 calls
+// `streamText({ messages: [] })`, which throws
+// `AI_InvalidPromptError: messages must not be empty`.
+type ChatInputChunk =
+  | {
+      kind: "message";
+      payload: {
+        message?: ChatMessage;
+        chatId: string;
+        trigger: "submit-message" | "close" | "preload" | "regenerate-message" | "action";
+        metadata?: unknown;
+        sessionId?: string;
+        continuation?: boolean;
+        previousRunId?: string;
+      };
+    }
+  | { kind: "stop"; message?: string };
+
+function serializeInputChunk(chunk: ChatInputChunk): string {
+  return JSON.stringify(chunk);
+}
+
+// ─── Start Agent Chat ─────────────────────────────────────────────
+
+const StartAgentChatInput = CommonProjectsInput.extend({
+  agentId: z
+    .string()
+    .describe(
+      "The agent task ID to chat with. Use get_current_worker to see available agents."
+    ),
+  chatId: z
+    .string()
+    .describe("A unique conversation ID. Reuse to resume a conversation.")
+    .optional(),
+  clientData: z
+    .record(z.unknown())
+    .describe("Client data to include with every message (e.g. userId, model).")
+    .optional(),
+  preload: z
+    .boolean()
+    .describe("Whether to preload the agent before the first message.")
+    .default(true),
+});
+
+export const startAgentChatTool = {
+  name: toolsMetadata.start_agent_chat.name,
+  title: toolsMetadata.start_agent_chat.title,
+  description: toolsMetadata.start_agent_chat.description,
+  inputSchema: StartAgentChatInput.shape,
+  handler: toolHandler(StartAgentChatInput.shape, async (input, { ctx }) => {
+    ctx.logger?.log("calling start_agent_chat", { input });
+
+    if (ctx.options.devOnly && input.environment !== "dev") {
+      return respondWithError(
+        `This MCP server is only available for the dev environment.`
+      );
+    }
+
+    const projectRef = await ctx.getProjectRef({
+      projectRef: input.projectRef,
+      cwd: input.configPath,
+    });
+
+    const apiClient = await ctx.getApiClient({
+      projectRef,
+      environment: input.environment,
+      scopes: [
+        "write:tasks",
+        "read:runs",
+        "read:sessions",
+        "write:sessions",
+      ],
+      branch: input.branch,
+    });
+
+    const chatId = input.chatId ?? crypto.randomUUID();
+
+    // Check if session already exists
+    if (activeSessions.has(chatId)) {
+      return {
+        content: [
+          {
+            type: "text",
+            text: `Chat ${chatId} is already active with agent ${activeSessions.get(chatId)!.agentId}. Use send_agent_message to continue the conversation.`,
+          },
+        ],
+      };
+    }
+
+    // Create (or upsert) the backing Session. Idempotent via externalId —
+    // two MCP clients targeting the same chatId converge to the same row.
+    // Sessions are now task-bound: taskIdentifier + triggerConfig are
+    // required, and the server reuses them for every run scheduled by
+    // this session (initial + continuations after run termination).
+    //
+    // basePayload mirrors the browser-mediated `chat.createStartSessionAction`
+    // shape so the auto-triggered first run hits `onPreload` (not
+    // `onChatStart` with `preloaded: true`). Without `trigger: "preload"`
+    // + `messages: []`, the agent runtime bypasses both lifecycle hooks
+    // and `onTurnStart`'s DB write fails with "No record found".
+    //
+    // POST /api/v1/sessions auto-triggers the first run and returns its
+    // runId, so we don't need a separate triggerTask call. The `preload`
+    // flag on this MCP tool is kept as a no-op signal (true=default) for
+    // backwards compat — a Session is always created with a live run now.
+    const session = await apiClient.createSession({
+      type: "chat.agent",
+      externalId: chatId,
+      taskIdentifier: input.agentId,
+      triggerConfig: {
+        basePayload: {
+          messages: [],
+          trigger: "preload",
+          chatId,
+          ...(input.clientData ? { metadata: input.clientData } : {}),
+        },
+        tags: [`chat:${chatId}`],
+      },
+    });
+
+    activeSessions.set(chatId, {
+      sessionId: session.id,
+      runId: session.runId,
+      chatId,
+      agentId: input.agentId,
+      apiClient,
+      clientData: input.clientData,
+      messages: [],
+    });
+
+    return {
+      content: [
+        {
+          type: "text",
+          text: [
+            `Agent chat started${input.preload ? " and preloaded" : ""}.`,
+            `- Chat ID: ${chatId}`,
+            `- Session ID: ${session.id}`,
+            `- Agent: ${input.agentId}`,
+            `- Run ID: ${session.runId}`,
+            ``,
+            `Use send_agent_message with chatId "${chatId}" to send messages.`,
+          ].join("\n"),
+        },
+      ],
+    };
+  }),
+};
+
+// ─── Send Agent Message ───────────────────────────────────────────
+
+const SendAgentMessageInput = z.object({
+  chatId: z.string().describe("The chat ID from start_agent_chat."),
+  message: z.string().describe("The message to send to the agent."),
+});
+
+export const sendAgentMessageTool = {
+  name: toolsMetadata.send_agent_message.name,
+  title: toolsMetadata.send_agent_message.title,
+  description: toolsMetadata.send_agent_message.description,
+  inputSchema: SendAgentMessageInput.shape,
+  handler: toolHandler(SendAgentMessageInput.shape, async (input, { ctx }) => {
+    ctx.logger?.log("calling send_agent_message", { input });
+
+    const session = activeSessions.get(input.chatId);
+    if (!session) {
+      return respondWithError(
+        `No active chat with ID "${input.chatId}". Use start_agent_chat first.`
+      );
+    }
+
+    const msgId = `msg-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    const userMessage: ChatMessage = {
+      id: msgId, role: "user", parts: [{ type: "text", text: input.message }],
+    };
+
+    // Track the outgoing user message
+    session.messages.push(userMessage);
+
+    // Slim-wire: one delta `message` per trigger. Prior turns live in the
+    // session.out snapshot+replay; we only ship the new user message.
+    const wirePayload = {
+      message: userMessage,
+      chatId: session.chatId,
+      trigger: "submit-message" as const,
+      metadata: session.clientData,
+    };
+
+    // If we have an active run, send via session.in. If that fails
+    // (run ended, token expired, etc.) fall back to triggering a new
+    // run on the same session — the new run replays prior turns from the
+    // snapshot and picks up `message` as turn N's user delta.
+    if (session.runId) {
+      try {
+        await session.apiClient.appendToSessionStream(
+          session.sessionId,
+          "in",
+          serializeInputChunk({ kind: "message", payload: wirePayload })
+        );
+      } catch (sendErr: any) {
+        ctx.logger?.log("appendToSessionStream failed, falling back to triggerTask", {
+          chatId: session.chatId,
+          sessionId: session.sessionId,
+          error: sendErr?.message ?? String(sendErr),
+        });
+        const result = await session.apiClient.triggerTask(session.agentId, {
+          payload: {
+            message: userMessage,
+            chatId: session.chatId,
+            sessionId: session.sessionId,
+            trigger: "submit-message",
+            metadata: session.clientData,
+            continuation: true,
+            previousRunId: session.runId,
+          },
+          options: {
+            payloadType: "application/json",
+            tags: [`chat:${session.chatId}`],
+          },
+        });
+        session.runId = result.id;
+        // Keep session.lastEventId as-is. The .out stream is per-session, so
+        // resuming from the last-seen chunk's id skips historical chunks —
+        // including stale `trigger:turn-complete` markers from prior turns
+        // that would otherwise break collectAgentResponse's read loop with
+        // empty/old text. Same reasoning as the trigger:upgrade-required
+        // path below.
+      }
+    } else {
+      // No run yet — trigger one (agent opens the session on startup).
+      const result = await session.apiClient.triggerTask(session.agentId, {
+        payload: {
+          ...wirePayload,
+          sessionId: session.sessionId,
+        },
+        options: {
+          payloadType: "application/json",
+          tags: [`chat:${session.chatId}`],
+        },
+      });
+      session.runId = result.id;
+    }
+
+    // Subscribe to the response stream and collect the full text
+    const { text, toolCalls, assistantMessage } = await collectAgentResponse(session);
+
+    // Track the assistant response for continuation payloads
+    session.messages.push(assistantMessage);
+
+    const formatted = formatAssistantParts(assistantMessage.parts);
+    const footer = `\n\n---\nRun: ${session.runId}`;
+
+    return {
+      content: [{ type: "text", text: formatted + footer }],
+    };
+  }),
+};
+
+// ─── Close Agent Chat ─────────────────────────────────────────────
+
+const CloseAgentChatInput = z.object({
+  chatId: z.string().describe("The chat ID to close."),
+});
+
+export const closeAgentChatTool = {
+  name: toolsMetadata.close_agent_chat.name,
+  title: toolsMetadata.close_agent_chat.title,
+  description: toolsMetadata.close_agent_chat.description,
+  inputSchema: CloseAgentChatInput.shape,
+  handler: toolHandler(CloseAgentChatInput.shape, async (input, { ctx }) => {
+    ctx.logger?.log("calling close_agent_chat", { input });
+
+    const session = activeSessions.get(input.chatId);
+    if (!session) {
+      return respondWithError(
+        `No active chat with ID "${input.chatId}".`
+      );
+    }
+
+    if (session.runId) {
+      try {
+        await session.apiClient.appendToSessionStream(
+          session.sessionId,
+          "in",
+          serializeInputChunk({
+            kind: "message",
+            payload: {
+              // `trigger: "close"` carries no message delta — the agent
+              // looks at `trigger` and exits without touching `message`.
+              chatId: session.chatId,
+              trigger: "close",
+            },
+          })
+        );
+      } catch {
+        // Best effort — run may already be done
+      }
+    }
+
+    activeSessions.delete(input.chatId);
+
+    return {
+      content: [
+        {
+          type: "text",
+          text: `Chat ${input.chatId} closed.`,
+        },
+      ],
+    };
+  }),
+};
+
+// ─── Stream collector ─────────────────────────────────────────────
+
+// Safety bound on chained upgrades during a single send. A misconfigured
+// agent or upgrade-loop bug would otherwise grow the call stack without limit.
+const MAX_UPGRADE_RECURSION_DEPTH = 10;
+
+async function collectAgentResponse(
+  session: ChatSession,
+  depth = 0
+): Promise<{ text: string; toolCalls: string[]; assistantMessage: ChatMessage }> {
+  if (depth > MAX_UPGRADE_RECURSION_DEPTH) {
+    throw new Error(
+      `Agent upgrade recursion depth exceeded (${depth} chained trigger:upgrade-required signals)`
+    );
+  }
+  const baseURL = session.apiClient.baseUrl;
+  const streamUrl = `${baseURL}/realtime/v1/sessions/${encodeURIComponent(session.sessionId)}/out`;
+
+  const subscription = new SSEStreamSubscription(streamUrl, {
+    headers: {
+      Authorization: `Bearer ${session.apiClient.accessToken}`,
+    },
+    timeoutInSeconds: 120,
+    lastEventId: session.lastEventId,
+  });
+
+  const sseStream = await subscription.subscribe();
+  const reader = sseStream.getReader();
+
+  let text = "";
+  const toolCalls: string[] = [];
+  const parts: Array<{ type: string; [key: string]: unknown }> = [];
+  // Track current text part to accumulate deltas
+  let currentTextId: string | undefined;
+
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) {
+        break;
+      }
+
+      if (value.id) {
+        session.lastEventId = value.id;
+      }
+
+      // Trigger control records (turn-complete, upgrade-required) ride
+      // on headers — see `client-protocol.mdx#records-on-session-out`.
+      // Data records carry UIMessageChunks on `value.chunk`.
+      //
+      // Cross-version bridge: an agent SDK that hasn't been redeployed
+      // yet still writes turn-complete / upgrade-required as
+      // `chunk.type` data records. Map those into `controlValue` so the
+      // existing break / continuation paths fire for both shapes.
+      let controlValue = controlSubtype(value.headers);
+      if (!controlValue && value.chunk && typeof value.chunk === "object") {
+        const chunk = value.chunk as { type?: unknown };
+        if (chunk.type === "trigger:turn-complete") {
+          controlValue = TRIGGER_CONTROL_SUBTYPE.TURN_COMPLETE;
+        } else if (chunk.type === "trigger:upgrade-required") {
+          controlValue = TRIGGER_CONTROL_SUBTYPE.UPGRADE_REQUIRED;
+        } else if (typeof chunk.type === "string" && chunk.type.startsWith("trigger:")) {
+          // Unknown legacy `trigger:*` type — drop so it doesn't reach
+          // the chunk handler as a UIMessageChunk.
+          continue;
+        }
+      }
+
+      if (controlValue === TRIGGER_CONTROL_SUBTYPE.TURN_COMPLETE) {
+        break;
+      }
+
+      if (controlValue === TRIGGER_CONTROL_SUBTYPE.UPGRADE_REQUIRED) {
+        // Agent requested upgrade — trigger continuation. Same session,
+        // new run — reuse sessionId, swap runId. Slim-wire: ship only
+        // the latest user message as the turn-N delta; prior turns
+        // come back via snapshot+replay on the new run's boot.
+        const lastUserMessage = [...session.messages]
+          .reverse()
+          .find((m) => m.role === "user");
+        const previousRunId = session.runId;
+        const result = await session.apiClient.triggerTask(session.agentId, {
+          payload: {
+            message: lastUserMessage,
+            chatId: session.chatId,
+            sessionId: session.sessionId,
+            trigger: "submit-message",
+            metadata: session.clientData,
+            continuation: true,
+            previousRunId,
+          },
+          options: {
+            payloadType: "application/json",
+            tags: [`chat:${session.chatId}`],
+          },
+        });
+        session.runId = result.id;
+        // Keep session.lastEventId pointing at the upgrade-required
+        // record's seq (set above when the part arrived). The recursive
+        // subscribe resumes right after that marker, so we don't replay
+        // the entire session.out stream — which would hit a historical
+        // turn-complete and break the loop with empty/old text. The outer
+        // `finally` block releases the reader before the recursion runs.
+        return collectAgentResponse(session, depth + 1);
+      }
+
+      // v2 (session) SSE already parses record.body.data, so `chunk` is
+      // the UIMessageChunk object written by the agent. Any legacy
+      // `trigger:*` data record was already mapped to `controlValue`
+      // (and either broke the loop, triggered continuation, or got
+      // dropped) above; we only see real UIMessageChunks here.
+      if (value.chunk != null && typeof value.chunk === "object") {
+        const chunk = value.chunk as Record<string, unknown>;
+
+        if (chunk.type === "text-delta" && typeof chunk.delta === "string") {
+          text += chunk.delta;
+          // Accumulate into a text part
+          const textId = (chunk.id as string) ?? "text";
+          if (currentTextId !== textId) {
+            currentTextId = textId;
+            parts.push({ type: "text", text: chunk.delta });
+          } else {
+            const last = parts[parts.length - 1];
+            if (last && last.type === "text") {
+              last.text = (last.text as string) + chunk.delta;
+            }
+          }
+        }
+
+        if (chunk.type === "tool-input-available" && typeof chunk.toolName === "string") {
+          toolCalls.push(chunk.toolName);
+          parts.push({
+            type: `tool-${chunk.toolName}`,
+            toolCallId: chunk.toolCallId as string,
+            toolName: chunk.toolName,
+            state: "input-available",
+            input: chunk.input,
+          });
+        }
+
+        if (chunk.type === "tool-output-available" && typeof chunk.toolCallId === "string") {
+          // Update existing tool part with output
+          const toolPart = parts.find(
+            (p) => p.toolCallId === chunk.toolCallId
+          );
+          if (toolPart) {
+            toolPart.state = "output-available";
+            toolPart.output = chunk.output;
+          }
+        }
+      }
+    }
+  } finally {
+    reader.releaseLock();
+  }
+
+  const assistantMessage: ChatMessage = {
+    id: `msg-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+    role: "assistant",
+    parts: parts.length > 0 ? parts : [{ type: "text", text }],
+  };
+
+  return { text, toolCalls, assistantMessage };
+}
+
+// ─── Response formatter ──────────────────────────────────────────
+
+function formatAssistantParts(
+  parts: Array<{ type: string; [key: string]: unknown }>
+): string {
+  const sections: string[] = [];
+
+  for (const part of parts) {
+    if (part.type === "text" && typeof part.text === "string" && part.text) {
+      sections.push(part.text);
+    } else if (part.type.startsWith("tool-") && part.toolName) {
+      const name = part.toolName as string;
+      const input = part.input;
+      const output = part.output;
+
+      let toolSection = `[Tool: ${name}]`;
+      if (input != null) {
+        toolSection += `\nInput: ${compactJson(input)}`;
+      }
+      if (output != null) {
+        toolSection += `\nOutput: ${compactJson(output)}`;
+      }
+      sections.push(toolSection);
+    }
+  }
+
+  return sections.join("\n\n");
+}
+
+function compactJson(value: unknown): string {
+  const str = JSON.stringify(value);
+  // Keep short values inline, truncate long ones
+  if (str.length <= 200) return str;
+  return str.slice(0, 200) + "…";
+}
diff --git a/packages/cli-v3/src/mcp/tools/agents.ts b/packages/cli-v3/src/mcp/tools/agents.ts
new file mode 100644
index 00000000000..e40bcafab6d
--- /dev/null
+++ b/packages/cli-v3/src/mcp/tools/agents.ts
@@ -0,0 +1,71 @@
+import { toolsMetadata } from "../config.js";
+import { CommonProjectsInput } from "../schemas.js";
+import { respondWithError, toolHandler } from "../utils.js";
+
+export const listAgentsTool = {
+  name: toolsMetadata.list_agents.name,
+  title: toolsMetadata.list_agents.title,
+  description: toolsMetadata.list_agents.description,
+  inputSchema: CommonProjectsInput.shape,
+  handler: toolHandler(CommonProjectsInput.shape, async (input, { ctx }) => {
+    ctx.logger?.log("calling list_agents", { input });
+
+    if (ctx.options.devOnly && input.environment !== "dev") {
+      return respondWithError(
+        `This MCP server is only available for the dev environment. You tried to access the ${input.environment} environment. Remove the --dev-only flag to access other environments.`
+      );
+    }
+
+    const projectRef = await ctx.getProjectRef({
+      projectRef: input.projectRef,
+      cwd: input.configPath,
+    });
+
+    const cliApiClient = await ctx.getCliApiClient(input.branch);
+
+    const workerResult = await cliApiClient.getWorkerByTag(
+      projectRef,
+      input.environment,
+      "current"
+    );
+
+    if (!workerResult.success) {
+      return respondWithError(workerResult.error);
+    }
+
+    const { worker } = workerResult.data;
+    const agents = worker.tasks.filter((t) => t.triggerSource === "AGENT");
+
+    if (agents.length === 0) {
+      return {
+        content: [
+          {
+            type: "text",
+            text: `No agents found in the current worker (${worker.version}) for ${input.environment}. Agents are tasks created with chat.agent() or chat.customAgent().`,
+          },
+        ],
+      };
+    }
+
+    const contents = [
+      `Found ${agents.length} agent${agents.length === 1 ? "" : "s"} in worker ${worker.version} (${input.environment}):`,
+      "",
+    ];
+
+    for (const agent of agents) {
+      contents.push(`- **${agent.slug}** (${agent.filePath})`);
+    }
+
+    contents.push("");
+    contents.push(
+      "Use `start_agent_chat` with an agent's slug as the `agentId` to start a conversation."
+    );
+    contents.push(
+      "Use `get_task_schema` with an agent's slug to see its payload schema."
+    );
+
+    return {
+      content: [{ type: "text", text: contents.join("\n") }],
+    };
+  }),
+};
diff --git a/packages/cli-v3/src/mcp/tools/runs.ts b/packages/cli-v3/src/mcp/tools/runs.ts
index 5b576cfc41d..d1d43df5f6f 100644
--- a/packages/cli-v3/src/mcp/tools/runs.ts
+++ b/packages/cli-v3/src/mcp/tools/runs.ts
@@ -374,6 +374,7 @@ export const listRunsTool = {
       to: $to,
       period: input.period,
       machine: input.machine,
+      region: input.region,
     });
 
     const formattedRuns = formatRunList(result);
diff --git a/packages/cli-v3/src/mcp/tools/tasks.ts b/packages/cli-v3/src/mcp/tools/tasks.ts
index fda3cc8943e..ffa39c4ca82 100644
--- a/packages/cli-v3/src/mcp/tools/tasks.ts
+++ b/packages/cli-v3/src/mcp/tools/tasks.ts
@@ -44,7 +44,8 @@ export const getCurrentWorker = {
       contents.push(`The worker has ${worker.tasks.length} tasks registered:`);
 
       for (const task of worker.tasks) {
-        contents.push(`- ${task.slug} in ${task.filePath}`);
+        const label = task.triggerSource === "AGENT" ? " [agent]" : "";
+        contents.push(`- ${task.slug}${label} in ${task.filePath}`);
       }
 
       contents.push("");
@@ -127,7 +128,7 @@ export const triggerTaskTool = {
     const contents = [
       `Task ${input.taskId} triggered and run with ID created: ${result.id}.`,
       `View the run in the dashboard: ${taskRunUrl}`,
-      `Use the ${toolsMetadata.wait_for_run_to_complete.name} tool to wait for the run to complete and the ${toolsMetadata.get_run_details.name} tool to get the details of the run.`,
+      `The run is now executing in the background. Do not wait for it to complete unless the user asked you to. If they did, use the ${toolsMetadata.wait_for_run_to_complete.name} tool. Otherwise, use the ${toolsMetadata.get_run_details.name} tool to check on it when needed.`,
     ];
 
     if (input.environment === "dev") {
diff --git a/packages/cli-v3/src/rules/manifest.test.ts b/packages/cli-v3/src/rules/manifest.test.ts
new file mode 100644
index 00000000000..24d6f20253e
--- /dev/null
+++ b/packages/cli-v3/src/rules/manifest.test.ts
@@ -0,0 +1,83 @@
+import { afterAll, describe, expect, it } from "vitest";
+import { mkdir, mkdtemp, rm, writeFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { BundledSkillsLoader, loadRulesManifest } from "./manifest.js";
+
+async function makeSkillsDir(opts: {
+  withSkill: boolean;
+}): Promise<{ root: string; skillsDir: string }> {
+  const root = await mkdtemp(join(tmpdir(), "bundled-skills-"));
+  const skillsDir = join(root, "skills");
+  await mkdir(skillsDir, { recursive: true });
+
+  if (opts.withSkill) {
+    const skillDir = join(skillsDir, "authoring-chat-agent");
+    await mkdir(skillDir, { recursive: true });
+    await writeFile(
+      join(skillDir, "SKILL.md"),
+      [
+        "---",
+        "name: authoring-chat-agent",
+        "description: >",
+        "  Author a durable AI chat agent with chat.agent. Load when building a chat",
+        "  backend or its frontend transport.",
+        "type: core",
+        'library_version: "{{TRIGGER_SDK_VERSION}}"',
+        "---",
+        "",
+        "# Authoring",
+        "",
+        "Generated for @trigger.dev/sdk {{TRIGGER_SDK_VERSION}}.",
+        "",
+      ].join("\n")
+    );
+  }
+
+  return { root, skillsDir };
+}
+
+describe("BundledSkillsLoader", () => {
+  const roots: string[] = [];
+
+  afterAll(async () => {
+    await Promise.all(roots.map((d) => rm(d, { recursive: true, force: true })));
+  });
+
+  it("synthesizes a manifest at the given version and stamps it into contents", async () => {
+    const { root, skillsDir } = await makeSkillsDir({ withSkill: true });
+    roots.push(root);
+
+    const loader = new BundledSkillsLoader(skillsDir, "9.9.9-test.1");
+    const manifest = await loadRulesManifest(loader);
+
+    expect(manifest.currentVersion).toBe("9.9.9-test.1");
+
+    const version = await manifest.getCurrentVersion();
+    expect(version.options).toHaveLength(1);
+
+    const option = version.options[0]!;
+    expect(option.name).toBe("authoring-chat-agent");
+    expect(option.installStrategy).toBe("skills");
+    // description extracted from the folded scalar, used as the picker label
+    expect(option.label).toContain("Author a durable AI chat agent");
+    // version stamped into the copied content; placeholder fully substituted
+    expect(option.contents).toContain("9.9.9-test.1");
+    expect(option.contents).not.toContain("{{TRIGGER_SDK_VERSION}}");
+  });
+
+  it("throws when the skills dir has no skills (caller treats as 'nothing to install')", async () => {
+    const { root, skillsDir } = await makeSkillsDir({ withSkill: false });
+    roots.push(root);
+
+    const loader = new BundledSkillsLoader(skillsDir, "9.9.9-test.1");
+
+    await expect(loadRulesManifest(loader)).rejects.toThrow();
+  });
+
+  it("throws when the skills dir does not exist", async () => {
+    const loader = new BundledSkillsLoader(join(tmpdir(), "does-not-exist-skills-xyz"), "1.2.3");
+
+    await expect(loadRulesManifest(loader)).rejects.toThrow();
+  });
+});
diff --git a/packages/cli-v3/src/rules/manifest.ts b/packages/cli-v3/src/rules/manifest.ts
index 6e8e90bd9bc..06b8bb2efbc 100644
--- a/packages/cli-v3/src/rules/manifest.ts
+++ b/packages/cli-v3/src/rules/manifest.ts
@@ -1,5 +1,5 @@
-import { readFile } from "fs/promises";
-import { dirname, join } from "path";
+import { readFile, readdir } from "fs/promises";
+import { join } from "path";
 import { z } from "zod";
 import { RulesFileInstallStrategy } from "./types.js";
 
@@ -76,7 +76,7 @@ export class RulesManifest {
         // Omit path
         const { path, installStrategy, ...rest } = option;
 
-        const $installStrategy = RulesFileInstallStrategy.safeParse(installStrategy ?? "default");
+        const $installStrategy = RulesFileInstallStrategy.safeParse(installStrategy ?? "skills");
 
         // Skip variants with invalid install strategies
         if (!$installStrategy.success) {
@@ -109,57 +109,138 @@ export interface RulesManifestLoader {
   loadRulesFile(relativePath: string): Promise<string>;
 }
 
-export class GithubRulesManifestLoader implements RulesManifestLoader {
-  constructor(private readonly branch: string = "main") {}
+/**
+ * Loads agent skills bundled inside the `trigger.dev` CLI (the `skills/` folder shipped
+ * via the package's `files[]`). The CLI is the only source of skills; `skillsDir` and
+ * `version` are resolved from the CLI's own package by the caller and injected here, so
+ * this stays a pure reader. Synthesizes the manifest shape the install pipeline consumes
+ * so skills flow through `loadRulesManifest` -> `getCurrentVersion` -> install, with
+ * `installStrategy: "skills"`. `version` (== the CLI/SDK version) is stamped into each
+ * skill on read in place of the `{{TRIGGER_SDK_VERSION}}` placeholder.
+ */
+export class BundledSkillsLoader implements RulesManifestLoader {
+  constructor(
+    private readonly skillsDir: string,
+    private readonly version: string
+  ) {}
 
   async loadManifestContent(): Promise<string> {
-    const response = await fetch(
-      `https://raw.githubusercontent.com/triggerdotdev/trigger.dev/refs/heads/${this.branch}/rules/manifest.json`,
-      {
-        signal: AbortSignal.timeout(5000),
+    let entries: string[] = [];
+    try {
+      const dirents = await readdir(this.skillsDir, { withFileTypes: true });
+      entries = dirents
+        .filter((d) => d.isDirectory() && !d.name.startsWith("_") && !d.name.startsWith("."))
+        .map((d) => d.name)
+        .sort();
+    } catch (error) {
+      throw new Error(`No skills found in ${this.skillsDir}: ${error}`);
+    }
+
+    const options = [];
+    for (const name of entries) {
+      const skillMdPath = join(this.skillsDir, name, "SKILL.md");
+
+      let contents: string;
+      try {
+        contents = await readFile(skillMdPath, "utf8");
+      } catch {
+        // a directory without a SKILL.md isn't a skill
+        continue;
       }
-    );
 
-    if (!response.ok) {
-      throw new Error(`Failed to load rules manifest: ${response.status} ${response.statusText}`);
+      const description = extractSkillDescription(contents) ?? humanizeSkillName(name);
+
+      options.push({
+        name,
+        title: humanizeSkillName(name),
+        label: description,
+        path: join(name, "SKILL.md"),
+        tokens: Math.max(1, Math.round(contents.length / 4)),
+        installStrategy: "skills",
+      });
+    }
+
+    if (options.length === 0) {
+      throw new Error(`No skills with a SKILL.md found in ${this.skillsDir}`);
     }
 
-    return response.text();
+    return JSON.stringify({
+      name: "trigger.dev",
+      description: "Trigger.dev agent skills",
+      currentVersion: this.version,
+      versions: {
+        [this.version]: { options },
+      },
+    });
   }
 
   async loadRulesFile(relativePath: string): Promise<string> {
-    const response = await fetch(
-      `https://raw.githubusercontent.com/triggerdotdev/trigger.dev/refs/heads/${this.branch}/rules/${relativePath}`
-    );
+    const path = join(this.skillsDir, relativePath);
 
-    if (!response.ok) {
-      throw new Error(
-        `Failed to load rules file: ${relativePath} - ${response.status} ${response.statusText}`
-      );
+    try {
+      const raw = await readFile(path, "utf8");
+      // Stamp the CLI/SDK version into the skill so the copy on disk reflects the
+      // version the user is on, not a hardcoded number that drifts.
+      return raw.replace(/\{\{TRIGGER_SDK_VERSION\}\}/g, this.version);
+    } catch (error) {
+      throw new Error(`Failed to load skill file: ${relativePath} - ${error}`);
     }
-
-    return response.text();
   }
 }
 
-export class LocalRulesManifestLoader implements RulesManifestLoader {
-  constructor(private readonly path: string) {}
+function humanizeSkillName(name: string): string {
+  const spaced = name.replace(/[-_]+/g, " ").trim();
+  return spaced.charAt(0).toUpperCase() + spaced.slice(1);
+}
+
+/**
+ * Best-effort extraction of the `description` field from a SKILL.md YAML frontmatter
+ * block, used only for the picker label. Handles single-line, quoted, and folded/literal
+ * (`>`, `|`) scalars. Returns undefined if there's no frontmatter or description.
+ */
+function extractSkillDescription(skillMd: string): string | undefined {
+  const match = skillMd.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+  const frontmatter = match?.[1];
+  if (!frontmatter) {
+    return undefined;
+  }
 
-  async loadManifestContent(): Promise<string> {
-    try {
-      return await readFile(this.path, "utf8");
-    } catch (error) {
-      throw new Error(`Failed to load rules manifest: ${this.path} - ${error}`);
+  const lines = frontmatter.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line === undefined) {
+      continue;
     }
-  }
 
-  async loadRulesFile(relativePath: string): Promise<string> {
-    const path = join(dirname(this.path), relativePath);
+    const m = line.match(/^description:\s*(.*)$/);
+    if (!m) {
+      continue;
+    }
 
-    try {
-      return await readFile(path, "utf8");
-    } catch (error) {
-      throw new Error(`Failed to load rules file: ${relativePath} - ${error}`);
+    const value = (m[1] ?? "").trim();
+
+    // Folded (>) or literal (|) block scalar: collect the indented continuation lines.
+    if (/^[>|][+-]?$/.test(value)) {
+      const collected: string[] = [];
+      for (let j = i + 1; j < lines.length; j++) {
+        const next = lines[j];
+        if (next === undefined) {
+          break;
+        }
+        if (/^\s+\S/.test(next)) {
+          collected.push(next.trim());
+        } else if (next.trim() === "") {
+          collected.push("");
+        } else {
+          break;
+        }
+      }
+      return collected.join(" ").replace(/\s+/g, " ").trim() || undefined;
     }
+
+    // Inline scalar, possibly quoted.
+    return value.replace(/^["']|["']$/g, "").trim() || undefined;
   }
+
+  return undefined;
 }
diff --git a/packages/cli-v3/src/rules/types.ts b/packages/cli-v3/src/rules/types.ts
index 70682c251a9..5f17ab27df3 100644
--- a/packages/cli-v3/src/rules/types.ts
+++ b/packages/cli-v3/src/rules/types.ts
@@ -1,4 +1,4 @@
 import { z } from "zod";
 
-export const RulesFileInstallStrategy = z.enum(["default", "claude-code-subagent"]);
+export const RulesFileInstallStrategy = z.enum(["skills"]);
 export type RulesFileInstallStrategy = z.infer<typeof RulesFileInstallStrategy>;
diff --git a/packages/cli-v3/src/utilities/initialBanner.ts b/packages/cli-v3/src/utilities/initialBanner.ts
index c30deeee7fe..74e217c6e61 100644
--- a/packages/cli-v3/src/utilities/initialBanner.ts
+++ b/packages/cli-v3/src/utilities/initialBanner.ts
@@ -1,5 +1,6 @@
 import chalk from "chalk";
 import { getLatestVersion } from "fast-npm-meta";
+import * as semver from "semver";
 import { VERSION } from "../version.js";
 import { chalkGrey, chalkRun, chalkTask, chalkWorker, logo } from "./cliOutput.js";
 import { logger } from "./logger.js";
@@ -105,18 +106,16 @@ async function doUpdateCheck(): Promise<string | undefined> {
       return;
     }
 
-    const compareVersions = (a: string, b: string) =>
-      a.localeCompare(b, "en-US", { numeric: true });
-
-    const comparison = compareVersions(VERSION, meta.version);
-
-    if (comparison === -1) {
+    // Use real semver comparison (loose) so prereleases sort correctly against
+    // their stable counterpart — e.g. a user on `4.5.0-rc.0` sees `4.5.0` as
+    // newer. String/locale comparison gets this wrong for `X.Y.Z-rc.N` vs `X.Y.Z`.
+    if (semver.lt(VERSION, meta.version, true)) {
       return meta.version;
     }
 
     return;
   } catch (err) {
-    // ignore error
+    // ignore error (covers both network failures and any version-parse oddities)
     logger.debug(err);
 
     return;
diff --git a/packages/core/CHANGELOG.md b/packages/core/CHANGELOG.md
index 78fd93088bc..8e6e11e5f97 100644
--- a/packages/core/CHANGELOG.md
+++ b/packages/core/CHANGELOG.md
@@ -1,5 +1,150 @@
 # internal-platform
 
+## 4.5.0-rc.5
+
+### Patch Changes
+
+- Add optional `shouldPauseScaling` to the supervisor consumer pool scaling options to freeze scale-up while it returns true (scale-down stays allowed). ([#3836](https://github.com/triggerdotdev/trigger.dev/pull/3836))
+- Fix `@trigger.dev/core` build: cast the underlying log record exporter when calling `forceFlush` so it typechecks against the updated OpenTelemetry `LogRecordExporter` type (which no longer declares `forceFlush`). ([#3829](https://github.com/triggerdotdev/trigger.dev/pull/3829))
+- `envvars.upload` now accepts an optional `isSecret` flag, letting you create the imported variables as secret (redacted) environment variables. When omitted, variables default to non-secret. ([#3809](https://github.com/triggerdotdev/trigger.dev/pull/3809))
+
+  ```ts
+  await envvars.upload("proj_1234", "prod", {
+    variables: { STRIPE_SECRET_KEY: "sk_live_..." },
+    isSecret: true,
+  });
+  ```
+
+- Offload large trigger payloads to object storage before sending the trigger API request. The SDK uploads packets at or above the existing 128KB limit and sends an `application/store` pointer instead of embedding large JSON in the request body. `TriggerTaskRequestBody` now validates that `application/store` payloads are non-empty storage paths. ([#3785](https://github.com/triggerdotdev/trigger.dev/pull/3785))
+
+  Payload uploads use the same resolved `ApiClient` as the trigger call (including `requestOptions.clientConfig`), not only the global `apiClientManager.client` — so custom `baseURL`, access token, and preview branch apply to both presign and trigger.
+
+- Update the bundled OpenTelemetry packages to their latest releases (`@opentelemetry/sdk-node` 0.218.0, `@opentelemetry/core` 2.7.1, `@opentelemetry/host-metrics` 0.38.3). ([#3810](https://github.com/triggerdotdev/trigger.dev/pull/3810))
+
+## 4.5.0-rc.4
+
+### Patch Changes
+
+- Coerce numeric `concurrencyKey` values to string at the API boundary across `tasks.trigger`, `tasks.batchTrigger`, and the Phase-2 streaming batch endpoint. ([#3789](https://github.com/triggerdotdev/trigger.dev/pull/3789))
+- Bump `@s2-dev/streamstore` to `0.22.10` to fix a `TASK_RUN_UNCAUGHT_EXCEPTION` ("Invalid state: Unable to enqueue") when a `chat.agent` turn is aborted mid-stream. ([#3792](https://github.com/triggerdotdev/trigger.dev/pull/3792))
+
+## 4.5.0-rc.3
+
+### Patch Changes
+
+- Retry `TASK_MIDDLEWARE_ERROR` under the task's retry policy instead of failing the run on the first attempt. The error was already classified as retryable by `shouldRetryError`, but `shouldLookupRetrySettings` did not include it, so the retry flow fell through to `fail_run`. Fixes #3231. ([#3676](https://github.com/triggerdotdev/trigger.dev/pull/3676))
+- Fix `TypeError` in `unflattenAttributes` when the input attribute map contains conflicting dotted key paths (e.g. both `a.b` set to a scalar and `a.b.c` set to a value). The path-walk loop now applies last-write-wins when a prior key wrote a primitive, null, or array at an intermediate slot, matching the existing precedent in `AttributeFlattener.addAttribute`. Callers no longer crash when handed malformed external attribute inputs. ([#3762](https://github.com/triggerdotdev/trigger.dev/pull/3762))
+- Fix external trace context leaking across runs on warm-started workers with `processKeepAlive` enabled. Every subsequent run's attempt span was being exported with the first run's `traceId` and `parentSpanId`, breaking causal-chain navigation in external APM tools. Runs without an external trace context are unaffected. ([#3768](https://github.com/triggerdotdev/trigger.dev/pull/3768))
+
+## 4.5.0-rc.2
+
+## 4.5.0-rc.1
+
+### Patch Changes
+
+- Fix `COULD_NOT_FIND_EXECUTOR` when a task's definition is loaded via `await import(...)` from inside another task's `run()`. The runtime workers now register such tasks with a sentinel file context, and the catalog logs a one-time warning per task id. ([#3688](https://github.com/triggerdotdev/trigger.dev/pull/3688))
+
+## 4.5.0-rc.0
+
+### Patch Changes
+
+- Add Agent Skills for `chat.agent`. Drop a folder with a `SKILL.md` and any helper scripts/references next to your task code, register it with `skills.define({ id, path })`, and the CLI bundles it into the deploy image automatically — no `trigger.config.ts` changes. The agent gets a one-line summary in its system prompt and discovers full instructions on demand via `loadSkill`, with `bash` and `readFile` tools scoped per-skill (path-traversal guards, output caps, abort-signal propagation). ([#3543](https://github.com/triggerdotdev/trigger.dev/pull/3543))
+
+  ```ts
+  const pdfSkill = skills.define({ id: "pdf-extract", path: "./skills/pdf-extract" });
+
+  chat.skills.set([await pdfSkill.local()]);
+  ```
+
+  Built on the [AI SDK cookbook pattern](https://ai-sdk.dev/cookbook/guides/agent-skills) — portable across providers. SDK + CLI only for now; dashboard-editable `SKILL.md` text is on the roadmap.
+
+- Reject overlong `idempotencyKey` values at the API boundary so they no longer trip an internal size limit on the underlying unique index and surface as a generic 500. Inputs are capped at 2048 characters — well above what `idempotencyKeys.create()` produces (a 64-character hash) and above any realistic raw key. Applies to `tasks.trigger`, `tasks.batchTrigger`, `batch.create` (Phase 1 streaming batches), `wait.createToken`, `wait.forDuration`, and the input/session stream waitpoint endpoints. Over-limit requests now return a structured 400 instead. ([#3560](https://github.com/triggerdotdev/trigger.dev/pull/3560))
+- **AI Agents** — run AI SDK chat completions as durable Trigger.dev agents instead of fragile API routes. Define an agent in one function, point `useChat` at it from React, and the conversation survives page refreshes, network blips, and process restarts. ([#3543](https://github.com/triggerdotdev/trigger.dev/pull/3543))
+
+  ```ts
+  import { chat } from "@trigger.dev/sdk/ai";
+  import { streamText } from "ai";
+  import { openai } from "@ai-sdk/openai";
+
+  export const myChat = chat.agent({
+    id: "my-chat",
+    run: async ({ messages, signal }) =>
+      streamText({ model: openai("gpt-4o"), messages, abortSignal: signal }),
+  });
+  ```
+
+  ```tsx
+  import { useChat } from "@ai-sdk/react";
+  import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+
+  const transport = useTriggerChatTransport({ task: "my-chat", accessToken, startSession });
+  const { messages, sendMessage } = useChat({ transport });
+  ```
+
+  **What you get:**
+
+  - **AI SDK `useChat` integration** — a custom [`ChatTransport`](https://sdk.vercel.ai/docs/ai-sdk-ui/transport) (`useTriggerChatTransport`) plugs straight into Vercel AI SDK's `useChat` hook. Text streaming, tool calls, reasoning, and `data-*` parts all work natively over Trigger.dev's realtime streams. No custom API routes needed.
+  - **First-turn fast path (`chat.headStart`)** — opt-in handler that runs the first turn's `streamText` step in your warm server process while the agent run boots in parallel, cutting cold-start TTFC by roughly half (measured 2801ms → 1218ms on `claude-sonnet-4-6`). The agent owns step 2+ (tool execution, persistence, hooks) so heavy deps stay where they belong. Web Fetch handler works natively in Next.js, Hono, SvelteKit, Remix, Workers, etc.; bridge to Express/Fastify/Koa via `chat.toNodeListener`. New `@trigger.dev/sdk/chat-server` subpath.
+  - **Multi-turn durability via Sessions** — every chat is backed by a durable Session that outlives any individual run. Conversations resume across page refreshes, idle timeout, crashes, and deploys; `resume: true` reconnects via `lastEventId` so clients only see new chunks. `sessions.list` enumerates chats for inbox-style UIs.
+  - **Auto-accumulated history, delta-only wire** — the backend accumulates the full conversation across turns; clients only ship the new message each turn. Long chats never hit the 512 KiB body cap. Register `hydrateMessages` to be the source of truth yourself.
+  - **Lifecycle hooks** — `onPreload`, `onChatStart`, `onValidateMessages`, `hydrateMessages`, `onTurnStart`, `onBeforeTurnComplete`, `onTurnComplete`, `onChatSuspend`, `onChatResume` — for persistence, validation, and post-turn work.
+  - **Stop generation** — client-driven `transport.stopGeneration(chatId)` aborts mid-stream; the run stays alive for the next message, partial response is captured, and aborted parts (stuck `partial-call` tools, in-progress reasoning) are auto-cleaned.
+  - **Tool approvals (HITL)** — tools with `needsApproval: true` pause until the user approves or denies via `addToolApprovalResponse`. The runtime reconciles the updated assistant message by ID and continues `streamText`.
+  - **Steering and background injection** — `pendingMessages` injects user messages between tool-call steps so users can steer the agent mid-execution; `chat.inject()` + `chat.defer()` adds context from background work (self-review, RAG, safety checks) between turns.
+  - **Actions** — non-turn frontend commands (undo, rollback, regenerate, edit) sent via `transport.sendAction`. Fire `hydrateMessages` + `onAction` only — no turn hooks, no `run()`. `onAction` can return a `StreamTextResult` for a model response, or `void` for side-effect-only.
+  - **Typed state primitives** — `chat.local<T>` for per-run state accessible from hooks, `run()`, tools, and subtasks (auto-serialized through `ai.toolExecute`); `chat.store` for typed shared data between agent and client; `chat.history` for reading and mutating the message chain; `clientDataSchema` for typed `clientData` in every hook.
+  - **`chat.toStreamTextOptions()`** — one spread into `streamText` wires up versioned system [Prompts](https://trigger.dev/docs/ai/prompts), model resolution, telemetry metadata, compaction, steering, and background injection.
+  - **Multi-tab coordination** — `multiTab: true` + `useMultiTabChat` prevents duplicate sends and syncs state across browser tabs via `BroadcastChannel`. Non-active tabs go read-only with live updates.
+  - **Network resilience** — built-in indefinite retry with bounded backoff, reconnect on `online` / tab refocus / bfcache restore, `Last-Event-ID` mid-stream resume. No app code needed.
+
+  See [/docs/ai-chat](https://trigger.dev/docs/ai-chat/overview) for the full surface — quick start, three backend approaches (`chat.agent`, `chat.createSession`, raw task), persistence and code-sandbox patterns, type-level guides, and API reference.
+
+- Stamp `gen_ai.conversation.id` (the chat id) on every span and metric emitted from inside a `chat.task` or `chat.agent` run. Lets you filter dashboard spans, runs, and metrics by the chat conversation that produced them — independent of the run boundary, so multi-run chats correlate cleanly. No code changes required on the user side. ([#3543](https://github.com/triggerdotdev/trigger.dev/pull/3543))
+- Fix `LocalsKey<T>` type incompatibility across dual-package builds. The phantom value-type brand no longer uses a module-level `unique symbol`, so a single TypeScript compilation that resolves the type from both the ESM and CJS outputs (which can happen under certain pnpm hoisting layouts) no longer sees two structurally-incompatible variants of the same type. ([#3626](https://github.com/triggerdotdev/trigger.dev/pull/3626))
+- Unit-test `chat.agent` definitions offline with `mockChatAgent` from `@trigger.dev/sdk/ai/test`. Drives a real agent's turn loop in-process — no network, no task runtime — so you can send messages, actions, and stop signals via driver methods, inspect captured output chunks, and verify hooks fire. Pairs with `MockLanguageModelV3` from `ai/test` for model mocking. `setupLocals` lets you pre-seed `locals` (DB clients, service stubs) before `run()` starts. ([#3543](https://github.com/triggerdotdev/trigger.dev/pull/3543))
+
+  The broader `runInMockTaskContext` harness it's built on lives at `@trigger.dev/core/v3/test` — useful for unit-testing any task code, not just chat.
+
+- Retry `TASK_PROCESS_SIGSEGV` task crashes under the user's retry policy instead of failing the run on the first segfault. SIGSEGV in Node tasks is frequently non-deterministic (native addon races, JIT/GC interaction, near-OOM in native code, host issues), so retrying on a fresh process often succeeds. The retry is gated by the task's existing `retry` config + `maxAttempts` — same path `TASK_PROCESS_SIGTERM` and uncaught exceptions already use — so tasks without a retry policy still fail fast. ([#3552](https://github.com/triggerdotdev/trigger.dev/pull/3552))
+- Add `region` to the runs list / retrieve API: filter runs by region (`runs.list({ region: "..." })` / `filter[region]=<masterQueue>`) and read each run's executing region from the new `region` field on the response. ([#3612](https://github.com/triggerdotdev/trigger.dev/pull/3612))
+- **Sessions** — a durable, run-aware stream channel keyed on a stable `externalId`. A Session is the unit of state that owns a multi-run conversation: messages flow through `.in`, responses through `.out`, both survive run boundaries. Sessions back the new `chat.agent` runtime, and you can build on them directly for any pattern that needs durable bi-directional streaming across runs. ([#3542](https://github.com/triggerdotdev/trigger.dev/pull/3542))
+
+  ```ts
+  import { sessions, tasks } from "@trigger.dev/sdk";
+
+  // Trigger a task and subscribe to its session output in one call
+  const { runId, stream } = await tasks.triggerAndSubscribe("my-task", payload, {
+    externalId: "user-456",
+  });
+
+  for await (const chunk of stream) {
+    // ...
+  }
+
+  // Enumerate existing sessions (powers inbox-style UIs without a separate index)
+  for await (const s of sessions.list({ type: "chat.agent", tag: "user:user-456" })) {
+    console.log(s.id, s.externalId, s.createdAt, s.closedAt);
+  }
+  ```
+
+  See [/docs/ai-chat/overview](https://trigger.dev/docs/ai-chat/overview) for the full surface — Sessions powers the durable, resumable chat runtime described there.
+
+## 4.4.6
+
+### Patch Changes
+
+- Fix dev workers spinning at 100% CPU after the parent CLI disconnects. Orphaned `trigger-dev-run-worker` (and indexer) processes were caught in an `uncaughtException` feedback loop: a periodic IPC send via `process.send` would throw `ERR_IPC_CHANNEL_CLOSED` once the parent closed the channel, which re-entered the same handler that itself called `process.send`, scheduled via `setImmediate` and amplified by source-map-support's `prepareStackTrace`. Fixed by (1) silently dropping packets in `ZodIpcConnection` when the channel is disconnected, (2) adding a `process.on("disconnect", ...)` handler in dev workers so they exit cleanly when the CLI closes the IPC channel, and (3) wrapping all `uncaughtException`-path `process.send` calls in a `safeSend` guard that checks `process.connected` and swallows synchronous throws. ([#3491](https://github.com/triggerdotdev/trigger.dev/pull/3491))
+- Fail attempts on uncaught exceptions instead of hanging to `MAX_DURATION_EXCEEDED`. A Node `EventEmitter` (e.g. `node-redis`) emitting `"error"` with no `.on("error", ...)` listener escalates to `uncaughtException`, which the worker previously reported but did not act on — runs drifted to maxDuration with empty attempts. They now fail fast with the original error and status `FAILED`, and respect the task's normal retry policy. You should still attach `.on("error", ...)` listeners to long-lived clients to handle errors gracefully. ([#3529](https://github.com/triggerdotdev/trigger.dev/pull/3529))
+
+## 4.4.5
+
+### Patch Changes
+
+- Add `isReplay` boolean to the run context (`ctx.run.isReplay`), derived from the existing `replayedFromTaskRunFriendlyId` database field. Defaults to `false` for backwards compatibility. ([#3454](https://github.com/triggerdotdev/trigger.dev/pull/3454))
+- Redact the `resolveWaitpoint` runtime log so it only emits `id` and `type` instead of the full completed waitpoint. Previously the log printed the entire waitpoint (including `output`) to stdout in production runs, which could leak sensitive payloads. The value returned by `wait.forToken()` is unchanged. ([#3490](https://github.com/triggerdotdev/trigger.dev/pull/3490))
+- Add `SessionId` friendly ID generator and schemas for the new durable Session primitive. Exported from `@trigger.dev/core/v3/isomorphic` alongside `RunId`, `BatchId`, etc. Ships the `CreateSessionStreamWaitpoint` request/response schemas alongside the main Session CRUD. ([#3417](https://github.com/triggerdotdev/trigger.dev/pull/3417))
+- Truncate large error stacks and messages to prevent OOM crashes. Stack traces are capped at 50 frames (keeping top 5 + bottom 45 with an omission notice), individual stack lines at 1024 chars, and error messages at 1000 chars. Applied in parseError, sanitizeError, and OTel span recording. ([#3405](https://github.com/triggerdotdev/trigger.dev/pull/3405))
+
 ## 4.4.4
 
 ### Patch Changes
diff --git a/packages/core/package.json b/packages/core/package.json
index 35e60bd7c89..859f2dea800 100644
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@trigger.dev/core",
-  "version": "4.4.4",
+  "version": "4.5.0-rc.5",
   "description": "Core code used across the Trigger.dev SDK and platform",
   "license": "MIT",
   "publishConfig": {
@@ -30,6 +30,7 @@
       "./v3/tracer": "./src/v3/tracer.ts",
       "./v3/build": "./src/v3/build/index.ts",
       "./v3/apps": "./src/v3/apps/index.ts",
+      "./v3/auth/environment": "./src/v3/auth/environment.ts",
       "./v3/jwt": "./src/v3/jwt.ts",
       "./v3/errors": "./src/v3/errors.ts",
       "./v3/logger-api": "./src/v3/logger-api.ts",
@@ -37,10 +38,12 @@
       "./v3/semanticInternalAttributes": "./src/v3/semanticInternalAttributes.ts",
       "./v3/utils/durations": "./src/v3/utils/durations.ts",
       "./v3/utils/flattenAttributes": "./src/v3/utils/flattenAttributes.ts",
+      "./v3/utils/gitBranch": "./src/v3/utils/gitBranch.ts",
       "./v3/utils/ioSerialization": "./src/v3/utils/ioSerialization.ts",
       "./v3/utils/omit": "./src/v3/utils/omit.ts",
       "./v3/utils/retries": "./src/v3/utils/retries.ts",
       "./v3/utils/structuredLogger": "./src/v3/utils/structuredLogger.ts",
+      "./v3/test": "./src/v3/test/index.ts",
       "./v3/zodfetch": "./src/v3/zodfetch.ts",
       "./v3/zodMessageHandler": "./src/v3/zodMessageHandler.ts",
       "./v3/zodNamespace": "./src/v3/zodNamespace.ts",
@@ -52,7 +55,8 @@
       "./v3/runEngineWorker": "./src/v3/runEngineWorker/index.ts",
       "./v3/machines": "./src/v3/machines/index.ts",
       "./v3/serverOnly": "./src/v3/serverOnly/index.ts",
-      "./v3/isomorphic": "./src/v3/isomorphic/index.ts"
+      "./v3/isomorphic": "./src/v3/isomorphic/index.ts",
+      "./v3/sdk-scope-storage": "./src/v3/sdkScope/storage-node.ts"
     },
     "sourceDialects": [
       "@triggerdotdev/source"
@@ -96,12 +100,18 @@
       "v3/semanticInternalAttributes": [
         "dist/commonjs/v3/semanticInternalAttributes.d.ts"
       ],
+      "v3/auth/environment": [
+        "dist/commonjs/v3/auth/environment.d.ts"
+      ],
       "v3/utils/durations": [
         "dist/commonjs/v3/utils/durations.d.ts"
       ],
       "v3/utils/flattenAttributes": [
         "dist/commonjs/v3/utils/flattenAttributes.d.ts"
       ],
+      "v3/utils/gitBranch": [
+        "dist/commonjs/v3/utils/gitBranch.d.ts"
+      ],
       "v3/utils/ioSerialization": [
         "dist/commonjs/v3/utils/ioSerialization.d.ts"
       ],
@@ -152,10 +162,20 @@
       ],
       "v3/isomorphic": [
         "dist/commonjs/v3/isomorphic/index.d.ts"
+      ],
+      "v3/sdk-scope-storage": [
+        "dist/commonjs/v3/sdkScope/storage-node.d.ts"
+      ],
+      "v3/test": [
+        "dist/commonjs/v3/test/index.d.ts"
       ]
     }
   },
-  "sideEffects": false,
+  "sideEffects": [
+    "./dist/esm/v3/sdkScope/storage-node.js",
+    "./dist/commonjs/v3/sdkScope/storage-node.js",
+    "./src/v3/sdkScope/storage-node.ts"
+  ],
   "scripts": {
     "clean": "rimraf dist .tshy .tshy-build .turbo src/v3/vendor",
     "update-version": "tsx ../../scripts/updateVersion.ts",
@@ -163,6 +183,7 @@
     "build": "pnpm run bundle-vendor && tshy && node scripts/bundle-superjson.mjs --copy && pnpm run update-version",
     "dev": "pnpm run bundle-vendor && tshy --watch",
     "typecheck": "pnpm run bundle-vendor && tsc --noEmit -p tsconfig.src.json",
+    "typecheck:ai-v7": "pnpm run bundle-vendor && tsc --noEmit -p tsconfig.ai-v7.json",
     "pretest": "pnpm run bundle-vendor",
     "test": "vitest",
     "check-exports": "attw --pack ."
@@ -172,21 +193,21 @@
     "@electric-sql/client": "1.0.14",
     "@google-cloud/precise-date": "^4.0.0",
     "@jsonhero/path": "^1.0.21",
-    "@opentelemetry/api": "1.9.0",
-    "@opentelemetry/api-logs": "0.203.0",
-    "@opentelemetry/core": "2.0.1",
-    "@opentelemetry/exporter-logs-otlp-http": "0.203.0",
-    "@opentelemetry/exporter-metrics-otlp-http": "0.203.0",
-    "@opentelemetry/exporter-trace-otlp-http": "0.203.0",
-    "@opentelemetry/host-metrics": "^0.37.0",
-    "@opentelemetry/instrumentation": "0.203.0",
-    "@opentelemetry/resources": "2.0.1",
-    "@opentelemetry/sdk-logs": "0.203.0",
-    "@opentelemetry/sdk-metrics": "2.0.1",
-    "@opentelemetry/sdk-trace-base": "2.0.1",
-    "@opentelemetry/sdk-trace-node": "2.0.1",
-    "@opentelemetry/semantic-conventions": "1.36.0",
-    "@s2-dev/streamstore": "0.22.5",
+    "@opentelemetry/api": "1.9.1",
+    "@opentelemetry/api-logs": "0.218.0",
+    "@opentelemetry/core": "2.7.1",
+    "@opentelemetry/exporter-logs-otlp-http": "0.218.0",
+    "@opentelemetry/exporter-metrics-otlp-http": "0.218.0",
+    "@opentelemetry/exporter-trace-otlp-http": "0.218.0",
+    "@opentelemetry/host-metrics": "^0.38.3",
+    "@opentelemetry/instrumentation": "0.218.0",
+    "@opentelemetry/resources": "2.7.1",
+    "@opentelemetry/sdk-logs": "0.218.0",
+    "@opentelemetry/sdk-metrics": "2.7.1",
+    "@opentelemetry/sdk-trace-base": "2.7.1",
+    "@opentelemetry/sdk-trace-node": "2.7.1",
+    "@opentelemetry/semantic-conventions": "1.41.1",
+    "@s2-dev/streamstore": "0.22.10",
     "dequal": "^2.0.3",
     "eventsource": "^3.0.5",
     "eventsource-parser": "^3.0.0",
@@ -213,9 +234,10 @@
     "@types/lodash.get": "^4.4.9",
     "@types/readable-stream": "^4.0.14",
     "ai": "^6.0.0",
+    "ai-v7": "npm:ai@7.0.0-canary.159",
     "defu": "^6.1.4",
     "esbuild": "^0.23.0",
-    "rimraf": "^3.0.2",
+    "rimraf": "^6.0.1",
     "superjson": "^2.2.1",
     "ts-essentials": "10.0.1",
     "tshy": "^3.0.2",
@@ -325,6 +347,17 @@
         "default": "./dist/commonjs/v3/apps/index.js"
       }
     },
+    "./v3/auth/environment": {
+      "import": {
+        "@triggerdotdev/source": "./src/v3/auth/environment.ts",
+        "types": "./dist/esm/v3/auth/environment.d.ts",
+        "default": "./dist/esm/v3/auth/environment.js"
+      },
+      "require": {
+        "types": "./dist/commonjs/v3/auth/environment.d.ts",
+        "default": "./dist/commonjs/v3/auth/environment.js"
+      }
+    },
     "./v3/jwt": {
       "import": {
         "@triggerdotdev/source": "./src/v3/jwt.ts",
@@ -402,6 +435,17 @@
         "default": "./dist/commonjs/v3/utils/flattenAttributes.js"
       }
     },
+    "./v3/utils/gitBranch": {
+      "import": {
+        "@triggerdotdev/source": "./src/v3/utils/gitBranch.ts",
+        "types": "./dist/esm/v3/utils/gitBranch.d.ts",
+        "default": "./dist/esm/v3/utils/gitBranch.js"
+      },
+      "require": {
+        "types": "./dist/commonjs/v3/utils/gitBranch.d.ts",
+        "default": "./dist/commonjs/v3/utils/gitBranch.js"
+      }
+    },
     "./v3/utils/ioSerialization": {
       "import": {
         "@triggerdotdev/source": "./src/v3/utils/ioSerialization.ts",
@@ -446,6 +490,17 @@
         "default": "./dist/commonjs/v3/utils/structuredLogger.js"
       }
     },
+    "./v3/test": {
+      "import": {
+        "@triggerdotdev/source": "./src/v3/test/index.ts",
+        "types": "./dist/esm/v3/test/index.d.ts",
+        "default": "./dist/esm/v3/test/index.js"
+      },
+      "require": {
+        "types": "./dist/commonjs/v3/test/index.d.ts",
+        "default": "./dist/commonjs/v3/test/index.js"
+      }
+    },
     "./v3/zodfetch": {
       "import": {
         "@triggerdotdev/source": "./src/v3/zodfetch.ts",
@@ -577,6 +632,17 @@
         "types": "./dist/commonjs/v3/isomorphic/index.d.ts",
         "default": "./dist/commonjs/v3/isomorphic/index.js"
       }
+    },
+    "./v3/sdk-scope-storage": {
+      "import": {
+        "@triggerdotdev/source": "./src/v3/sdkScope/storage-node.ts",
+        "types": "./dist/esm/v3/sdkScope/storage-node.d.ts",
+        "default": "./dist/esm/v3/sdkScope/storage-node.js"
+      },
+      "require": {
+        "types": "./dist/commonjs/v3/sdkScope/storage-node.d.ts",
+        "default": "./dist/commonjs/v3/sdkScope/storage-node.js"
+      }
     }
   },
   "type": "module",
diff --git a/packages/core/src/v3/apiClient/errors.ts b/packages/core/src/v3/apiClient/errors.ts
index 14f69b31302..5f38a4947b8 100644
--- a/packages/core/src/v3/apiClient/errors.ts
+++ b/packages/core/src/v3/apiClient/errors.ts
@@ -128,6 +128,18 @@ export class PermissionDeniedError extends ApiError {
   override readonly status: 403 = 403;
 }
 
+/**
+ * True when `error` is a 401/403 from the Trigger API (e.g. expired run-scoped PAT on realtime streams).
+ * Uses structural checks so it works even if multiple copies of `@trigger.dev/core` are bundled (subclass `instanceof` can fail).
+ */
+export function isTriggerRealtimeAuthError(error: unknown): boolean {
+  if (error === null || typeof error !== "object") {
+    return false;
+  }
+  const e = error as ApiError;
+  return e.name === "TriggerApiError" && (e.status === 401 || e.status === 403);
+}
+
 export class NotFoundError extends ApiError {
   override readonly status: 404 = 404;
 }
diff --git a/packages/core/src/v3/apiClient/index.ts b/packages/core/src/v3/apiClient/index.ts
index 89a551954f0..652b016de92 100644
--- a/packages/core/src/v3/apiClient/index.ts
+++ b/packages/core/src/v3/apiClient/index.ts
@@ -1,3 +1,4 @@
+import { nanoid } from "nanoid";
 import { z } from "zod";
 import { VERSION } from "../../version.js";
 import { generateJWT } from "../jwt.js";
@@ -6,19 +7,32 @@ import {
   ApiDeploymentListOptions,
   ApiDeploymentListResponseItem,
   ApiDeploymentListSearchParams,
+  RetrieveCurrentDeploymentResponseBody,
   AppendToStreamResponseBody,
   BatchItemNDJSON,
   BatchTaskRunExecutionResult,
   BatchTriggerTaskV3RequestBody,
   BatchTriggerTaskV3Response,
   CanceledRunResponse,
+  CloseSessionRequestBody,
   CompleteWaitpointTokenRequestBody,
   CompleteWaitpointTokenResponseBody,
+  CreatedSessionResponseBody,
+  CreateSessionRequestBody,
+  EndAndContinueSessionRequestBody,
+  EndAndContinueSessionResponseBody,
+  ListSessionsOptions,
+  ListSessionsResponseBody,
+  ListedSessionItem,
+  RetrieveSessionResponseBody,
+  UpdateSessionRequestBody,
   CreateBatchRequestBody,
   CreateBatchResponse,
   CreateEnvironmentVariableRequestBody,
   CreateInputStreamWaitpointRequestBody,
   CreateInputStreamWaitpointResponseBody,
+  CreateSessionStreamWaitpointRequestBody,
+  CreateSessionStreamWaitpointResponseBody,
   CreateScheduleOptions,
   CreateStreamResponseBody,
   CreateUploadPayloadUrlResponseBody,
@@ -59,6 +73,7 @@ import {
   SendInputStreamResponseBody,
   StreamBatchItemsResponse,
   TaskRunExecutionResult,
+  ReadSessionStreamRecordsResponseBody,
   TriggerTaskRequestBody,
   TriggerTaskResponse,
   UpdateEnvironmentVariableRequestBody,
@@ -103,6 +118,10 @@ import {
   RealtimeRunSkipColumns,
   type SSEStreamPart,
 } from "./runStream.js";
+import {
+  controlSubtype,
+  type ControlEvent,
+} from "../sessionStreams/wireProtocol.js";
 import {
   CreateEnvironmentVariableParams,
   ImportEnvironmentVariablesParams,
@@ -584,6 +603,32 @@ export class ApiClient {
     );
   }
 
+  /** Presigned PUT URL for a `chat.agent` session snapshot. */
+  createChatSnapshotUploadUrl(sessionId: string, requestOptions?: ZodFetchOptions) {
+    return zodfetch(
+      CreateUploadPayloadUrlResponseBody,
+      `${this.baseUrl}/api/v1/sessions/${encodeURIComponent(sessionId)}/snapshot-url`,
+      {
+        method: "PUT",
+        headers: this.#getHeaders(false),
+      },
+      mergeRequestOptions(this.defaultRequestOptions, requestOptions)
+    );
+  }
+
+  /** Presigned GET URL for a `chat.agent` session snapshot. */
+  getChatSnapshotUrl(sessionId: string, requestOptions?: ZodFetchOptions) {
+    return zodfetch(
+      CreateUploadPayloadUrlResponseBody,
+      `${this.baseUrl}/api/v1/sessions/${encodeURIComponent(sessionId)}/snapshot-url`,
+      {
+        method: "GET",
+        headers: this.#getHeaders(false),
+      },
+      mergeRequestOptions(this.defaultRequestOptions, requestOptions)
+    );
+  }
+
   retrieveRun(runId: string, requestOptions?: ZodFetchOptions) {
     return zodfetch(
       RetrieveRunResponse,
@@ -1094,6 +1139,271 @@ export class ApiClient {
     );
   }
 
+  // ========================================================================
+  // Sessions
+  // ========================================================================
+
+  createSession(body: CreateSessionRequestBody, requestOptions?: ZodFetchOptions) {
+    return zodfetch(
+      CreatedSessionResponseBody,
+      `${this.baseUrl}/api/v1/sessions`,
+      {
+        method: "POST",
+        headers: this.#getHeaders(false),
+        body: JSON.stringify(body),
+      },
+      mergeRequestOptions(this.defaultRequestOptions, requestOptions)
+    );
+  }
+
+  retrieveSession(sessionIdOrExternalId: string, requestOptions?: ZodFetchOptions) {
+    return zodfetch(
+      RetrieveSessionResponseBody,
+      `${this.baseUrl}/api/v1/sessions/${encodeURIComponent(sessionIdOrExternalId)}`,
+      {
+        method: "GET",
+        headers: this.#getHeaders(false),
+      },
+      mergeRequestOptions(this.defaultRequestOptions, requestOptions)
+    );
+  }
+
+  updateSession(
+    sessionIdOrExternalId: string,
+    body: UpdateSessionRequestBody,
+    requestOptions?: ZodFetchOptions
+  ) {
+    return zodfetch(
+      RetrieveSessionResponseBody,
+      `${this.baseUrl}/api/v1/sessions/${encodeURIComponent(sessionIdOrExternalId)}`,
+      {
+        method: "PATCH",
+        headers: this.#getHeaders(false),
+        body: JSON.stringify(body),
+      },
+      mergeRequestOptions(this.defaultRequestOptions, requestOptions)
+    );
+  }
+
+  closeSession(
+    sessionIdOrExternalId: string,
+    body?: CloseSessionRequestBody,
+    requestOptions?: ZodFetchOptions
+  ) {
+    return zodfetch(
+      RetrieveSessionResponseBody,
+      `${this.baseUrl}/api/v1/sessions/${encodeURIComponent(sessionIdOrExternalId)}/close`,
+      {
+        method: "POST",
+        headers: this.#getHeaders(false),
+        body: JSON.stringify(body ?? {}),
+      },
+      mergeRequestOptions(this.defaultRequestOptions, requestOptions)
+    );
+  }
+
+  endAndContinueSession(
+    sessionIdOrExternalId: string,
+    body: EndAndContinueSessionRequestBody,
+    requestOptions?: ZodFetchOptions
+  ) {
+    return zodfetch(
+      EndAndContinueSessionResponseBody,
+      `${this.baseUrl}/api/v1/sessions/${encodeURIComponent(sessionIdOrExternalId)}/end-and-continue`,
+      {
+        method: "POST",
+        headers: this.#getHeaders(false),
+        body: JSON.stringify(body),
+      },
+      mergeRequestOptions(this.defaultRequestOptions, requestOptions)
+    );
+  }
+
+  listSessions(
+    options?: ListSessionsOptions,
+    requestOptions?: ZodFetchOptions
+  ): CursorPagePromise<typeof ListedSessionItem> {
+    const searchParams = createSearchQueryForListSessions(options);
+
+    return zodfetchCursorPage(
+      ListedSessionItem,
+      `${this.baseUrl}/api/v1/sessions`,
+      {
+        query: searchParams,
+        limit: options?.limit,
+        after: options?.after,
+        before: options?.before,
+      },
+      {
+        method: "GET",
+        headers: this.#getHeaders(false),
+      },
+      mergeRequestOptions(this.defaultRequestOptions, requestOptions)
+    );
+  }
+
+  // ========================================================================
+  // Session realtime channels
+  // ========================================================================
+
+  async initializeSessionStream(
+    sessionIdOrExternalId: string,
+    io: "out" | "in",
+    requestOptions?: ZodFetchOptions
+  ) {
+    // The server returns S2 credentials in response headers alongside a tiny
+    // JSON body with the realtime version. Follow the same shape as
+    // `createStream` so downstream clients can feed them into
+    // `StreamsWriterV2`.
+    return zodfetch(
+      CreateStreamResponseBody,
+      `${this.baseUrl}/realtime/v1/sessions/${encodeURIComponent(sessionIdOrExternalId)}/${io}`,
+      {
+        method: "PUT",
+        headers: this.#getHeaders(false),
+      },
+      mergeRequestOptions(this.defaultRequestOptions, requestOptions)
+    )
+      .withResponse()
+      .then(({ data, response }) => ({
+        ...data,
+        headers: Object.fromEntries(response.headers.entries()),
+      }));
+  }
+
+  async appendToSessionStream<TBody extends BodyInit>(
+    sessionIdOrExternalId: string,
+    io: "out" | "in",
+    part: TBody,
+    requestOptions?: ZodFetchOptions
+  ) {
+    // Generated once per logical append, outside zodfetch, so its internal
+    // retries reuse the same part id and the server-side dedupe collapses a
+    // retried POST whose first attempt actually committed. Full-length nanoid
+    // (~126 bits) to match the browser transport's randomUUID entropy.
+    const partId = nanoid();
+    return zodfetch(
+      AppendToStreamResponseBody,
+      `${this.baseUrl}/realtime/v1/sessions/${encodeURIComponent(sessionIdOrExternalId)}/${io}/append`,
+      {
+        method: "POST",
+        headers: { ...this.#getHeaders(false), "X-Part-Id": partId },
+        body: part,
+      },
+      mergeRequestOptions(this.defaultRequestOptions, requestOptions)
+    );
+  }
+
+  /**
+   * Non-SSE drain of a Session channel's tail. Returns whatever records
+   * exist after `afterEventId` (or from the head of the stream) and closes
+   * — `wait=0` semantics, no long-poll. Used by `replaySessionOutTail` at
+   * run boot, where the SSE long-poll's ~1s tax on empty streams is the
+   * dominant cost on every fresh chat.
+   *
+   * `afterEventId` is the same cursor format as the SSE Last-Event-ID
+   * (the S2 sequence number, stringified) — pass `lastOutEventId` from a
+   * persisted snapshot to resume.
+   */
+  async readSessionStreamRecords(
+    sessionIdOrExternalId: string,
+    io: "out" | "in",
+    options?: { afterEventId?: string; baseUrl?: string }
+  ) {
+    const qs = new URLSearchParams();
+    if (options?.afterEventId !== undefined) {
+      qs.set("afterEventId", options.afterEventId);
+    }
+    const url = `${options?.baseUrl ?? this.baseUrl}/realtime/v1/sessions/${encodeURIComponent(
+      sessionIdOrExternalId
+    )}/${io}/records${qs.toString() ? `?${qs.toString()}` : ""}`;
+    return zodfetch(
+      ReadSessionStreamRecordsResponseBody,
+      url,
+      {
+        method: "GET",
+        headers: this.#getHeaders(false),
+      },
+      mergeRequestOptions(this.defaultRequestOptions, undefined)
+    );
+  }
+
+  /**
+   * Subscribe to SSE records on a Session channel. Reuses the same
+   * {@link SSEStreamSubscription} plumbing as `readStream` for run-scoped
+   * realtime streams — auto-retry, Last-Event-ID resume, abort-on-cancel.
+   */
+  async subscribeToSessionStream<T = unknown>(
+    sessionIdOrExternalId: string,
+    io: "out" | "in",
+    options?: {
+      signal?: AbortSignal;
+      baseUrl?: string;
+      timeoutInSeconds?: number;
+      onComplete?: () => void;
+      onError?: (error: Error) => void;
+      lastEventId?: string;
+      onPart?: (part: SSEStreamPart<T>) => void;
+      /**
+       * Fires when a `trigger-control` record arrives on the stream (e.g.
+       * `turn-complete`, `upgrade-required`). The control record is never
+       * enqueued into the consumer stream — handle the event here.
+       */
+      onControl?: (event: ControlEvent) => void;
+    }
+  ): Promise<AsyncIterableStream<T>> {
+    const url = `${options?.baseUrl ?? this.baseUrl}/realtime/v1/sessions/${encodeURIComponent(sessionIdOrExternalId)}/${io}`;
+
+    const subscription = new SSEStreamSubscription(url, {
+      headers: this.getHeaders(),
+      signal: options?.signal,
+      onComplete: options?.onComplete,
+      onError: options?.onError,
+      timeoutInSeconds: options?.timeoutInSeconds,
+      lastEventId: options?.lastEventId,
+    });
+
+    const stream = await subscription.subscribe();
+    const onPart = options?.onPart;
+    const onControl = options?.onControl;
+
+    return stream.pipeThrough(
+      new TransformStream<SSEStreamPart, T>({
+        transform(part, controller) {
+          // Always surface the raw part via onPart so cursor tracking
+          // (lastSeqNum, lastEventId) stays correct for both data and
+          // control records.
+          onPart?.(part as SSEStreamPart<T>);
+
+          // Trigger control record — route to onControl, never enqueue.
+          const subtype = controlSubtype(part.headers);
+          if (subtype) {
+            // `part.id` is the S2 seq_num in decimal string form.
+            // `parseInt` returns NaN if S2 ever surfaces a non-numeric
+            // id (shouldn't happen, but `|| 0` would mask it as a real
+            // seq 0). Drop the malformed event rather than fire
+            // `onControl` with a misleading cursor — callers like
+            // `findLatestSessionInCursor` and the dashboard rely on the
+            // seqNum being meaningful for resume.
+            const parsedSeqNum = Number.parseInt(part.id, 10);
+            if (!Number.isFinite(parsedSeqNum)) {
+              return;
+            }
+            onControl?.({
+              subtype,
+              headers: part.headers ?? [],
+              seqNum: parsedSeqNum,
+              timestamp: part.timestamp,
+            });
+            return;
+          }
+
+          controller.enqueue(part.chunk as T);
+        },
+      })
+    );
+  }
+
   async waitForDuration(
     runId: string,
     body: WaitForDurationRequestBody,
@@ -1340,6 +1650,18 @@ export class ApiClient {
     );
   }
 
+  retrieveCurrentDeployment(requestOptions?: ZodFetchOptions) {
+    return zodfetch(
+      RetrieveCurrentDeploymentResponseBody,
+      `${this.baseUrl}/api/v1/deployments/current`,
+      {
+        method: "GET",
+        headers: this.#getHeaders(false),
+      },
+      mergeRequestOptions(this.defaultRequestOptions, requestOptions)
+    );
+  }
+
   async fetchStream<T>(
     runId: string,
     streamKey: string,
@@ -1459,6 +1781,23 @@ export class ApiClient {
     );
   }
 
+  async createSessionStreamWaitpoint(
+    runFriendlyId: string,
+    body: CreateSessionStreamWaitpointRequestBody,
+    requestOptions?: ZodFetchOptions
+  ) {
+    return zodfetch(
+      CreateSessionStreamWaitpointResponseBody,
+      `${this.baseUrl}/api/v1/runs/${runFriendlyId}/session-streams/wait`,
+      {
+        method: "POST",
+        headers: this.#getHeaders(false),
+        body: JSON.stringify(body),
+      },
+      mergeRequestOptions(this.defaultRequestOptions, requestOptions)
+    );
+  }
+
   async generateJWTClaims(requestOptions?: ZodFetchOptions): Promise<Record<string, any>> {
     return zodfetch(
       z.record(z.any()),
@@ -1810,6 +2149,13 @@ function createSearchQueryForListRuns(query?: ListRunsQueryParams): URLSearchPar
         Array.isArray(query.machine) ? query.machine.join(",") : query.machine
       );
     }
+
+    if (query.region) {
+      searchParams.append(
+        "filter[region]",
+        Array.isArray(query.region) ? query.region.join(",") : query.region
+      );
+    }
   }
 
   return searchParams;
@@ -1823,6 +2169,47 @@ function queueNameFromQueueTypeName(queue: QueueTypeName): string {
   return queue.name;
 }
 
+function createSearchQueryForListSessions(options?: ListSessionsOptions): URLSearchParams {
+  const searchParams = new URLSearchParams();
+
+  if (!options) return searchParams;
+
+  const appendMany = (name: string, value: string | string[] | undefined) => {
+    if (value === undefined) return;
+    searchParams.append(name, Array.isArray(value) ? value.join(",") : value);
+  };
+
+  appendMany("filter[type]", options.type);
+  appendMany("filter[tags]", options.tag);
+  appendMany("filter[taskIdentifier]", options.taskIdentifier);
+
+  if (options.externalId) {
+    searchParams.append("filter[externalId]", options.externalId);
+  }
+
+  appendMany("filter[status]", options.status as string | string[] | undefined);
+
+  if (options.period) {
+    searchParams.append("filter[createdAt][period]", options.period);
+  }
+
+  if (options.from !== undefined) {
+    searchParams.append(
+      "filter[createdAt][from]",
+      options.from instanceof Date ? options.from.getTime().toString() : options.from.toString()
+    );
+  }
+
+  if (options.to !== undefined) {
+    searchParams.append(
+      "filter[createdAt][to]",
+      options.to instanceof Date ? options.to.getTime().toString() : options.to.toString()
+    );
+  }
+
+  return searchParams;
+}
+
 function createSearchQueryForListWaitpointTokens(
   query?: ListWaitpointTokensQueryParams
 ): URLSearchParams {
diff --git a/packages/core/src/v3/apiClient/runStream.test.ts b/packages/core/src/v3/apiClient/runStream.test.ts
new file mode 100644
index 00000000000..4ac2880976a
--- /dev/null
+++ b/packages/core/src/v3/apiClient/runStream.test.ts
@@ -0,0 +1,598 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { SSEStreamSubscription } from "./runStream.js";
+
+vi.setConfig({ testTimeout: 10_000 });
+
+describe("SSEStreamSubscription retry behavior", () => {
+  const originalFetch = globalThis.fetch;
+
+  afterEach(() => {
+    globalThis.fetch = originalFetch;
+    vi.restoreAllMocks();
+  });
+
+  // A response.body that emits one SSE event then closes, so each
+  // successful subscribe() exits cleanly via reader.read() done=true
+  // and the test doesn't hang reading from a long-lived stream.
+  function makeSSEResponse() {
+    const body = new ReadableStream<Uint8Array>({
+      start(controller) {
+        controller.enqueue(new TextEncoder().encode(`id: 1\ndata: {"hello":1}\n\n`));
+        controller.close();
+      },
+    });
+    return new Response(body, {
+      status: 200,
+      headers: { "Content-Type": "text/event-stream", "X-Stream-Version": "v1" },
+    });
+  }
+
+  // Drain a ReadableStream<SSEStreamPart> until it closes or errors.
+  // Returns received chunks plus terminal state.
+  async function drain(stream: ReadableStream<{ id: string; chunk: unknown }>) {
+    const reader = stream.getReader();
+    const chunks: Array<{ id: string; chunk: unknown }> = [];
+    try {
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) return { chunks, error: undefined as Error | undefined };
+        chunks.push(value);
+      }
+    } catch (e) {
+      return { chunks, error: e as Error };
+    } finally {
+      try {
+        reader.releaseLock();
+      } catch {
+        /* already released */
+      }
+    }
+  }
+
+  it("retries past the legacy 5-attempt cap", async () => {
+    let attempts = 0;
+    globalThis.fetch = vi.fn().mockImplementation(async () => {
+      attempts++;
+      if (attempts < 8) {
+        throw new TypeError("fetch failed (simulated network drop)");
+      }
+      return makeSSEResponse();
+    });
+
+    const sub = new SSEStreamSubscription("http://example.test/sse", {
+      // Compress the timing for the test — defaults are 100ms initial,
+      // 5s cap, retry forever; here we want fast iteration.
+      retryDelayMs: 1,
+      maxRetryDelayMs: 5,
+    });
+
+    const stream = await sub.subscribe();
+    const result = await drain(stream);
+
+    expect(attempts).toBe(8);
+    expect(result.error).toBeUndefined();
+    expect(result.chunks).toHaveLength(1);
+  });
+
+  it("caps the exponential backoff at maxRetryDelayMs", async () => {
+    let attempts = 0;
+    const callTimes: number[] = [];
+    globalThis.fetch = vi.fn().mockImplementation(async () => {
+      callTimes.push(Date.now());
+      attempts++;
+      if (attempts < 6) {
+        throw new TypeError("fetch failed");
+      }
+      return makeSSEResponse();
+    });
+
+    const sub = new SSEStreamSubscription("http://example.test/sse", {
+      retryDelayMs: 10,
+      maxRetryDelayMs: 30,
+    });
+
+    const stream = await sub.subscribe();
+    await drain(stream);
+
+    expect(attempts).toBe(6);
+
+    // Without the cap, backoff would be 10, 20, 40, 80, 160 (= 310ms total).
+    // With cap=30, it's 10, 20, 30, 30, 30 (= 120ms total). Allow generous
+    // slack for setTimeout jitter; the assertion is "well under uncapped".
+    const totalElapsed = callTimes.at(-1)! - callTimes[0]!;
+    expect(totalElapsed).toBeLessThan(250);
+  });
+
+  it("retryNow() wakes an in-flight backoff and reconnects immediately", async () => {
+    let attempts = 0;
+    globalThis.fetch = vi.fn().mockImplementation(async () => {
+      attempts++;
+      if (attempts === 1) {
+        throw new TypeError("fetch failed");
+      }
+      return makeSSEResponse();
+    });
+
+    const sub = new SSEStreamSubscription("http://example.test/sse", {
+      // Backoff is intentionally long. retryNow() should short-circuit it.
+      retryDelayMs: 5_000,
+      maxRetryDelayMs: 5_000,
+    });
+
+    const subscribePromise = sub.subscribe().then(drain);
+
+    // Wait for the first attempt to fail and the backoff to start.
+    await new Promise((r) => setTimeout(r, 50));
+    sub.retryNow();
+
+    const start = Date.now();
+    const result = await subscribePromise;
+    const elapsed = Date.now() - start;
+
+    expect(attempts).toBe(2);
+    expect(result.error).toBeUndefined();
+    // Without retryNow this would have waited ~5000ms; with it, the
+    // second attempt fires nearly immediately after the first failure.
+    expect(elapsed).toBeLessThan(500);
+  });
+
+  it("respects abort signal during retry backoff", async () => {
+    let attempts = 0;
+    globalThis.fetch = vi.fn().mockImplementation(async () => {
+      attempts++;
+      throw new TypeError("fetch failed");
+    });
+
+    const ac = new AbortController();
+    const sub = new SSEStreamSubscription("http://example.test/sse", {
+      signal: ac.signal,
+      retryDelayMs: 1_000,
+      maxRetryDelayMs: 1_000,
+    });
+
+    const subscribePromise = sub.subscribe().then(drain);
+
+    // Let the first attempt fail and enter backoff, then abort.
+    await new Promise((r) => setTimeout(r, 50));
+    ac.abort();
+
+    const result = await subscribePromise;
+    expect(result.error).toBeUndefined();
+    // Abort should stop retries; we should have made at most a couple
+    // of attempts before the abort took effect.
+    expect(attempts).toBeLessThanOrEqual(2);
+  });
+
+  it("forceReconnect mid-read drops the stream and resumes with Last-Event-ID", async () => {
+    let attempts = 0;
+    const seenLastEventIds: Array<string | null> = [];
+    globalThis.fetch = vi.fn().mockImplementation(async (_url: string, init?: RequestInit) => {
+      attempts++;
+      const lastEventIdHeader = (init?.headers as Record<string, string> | undefined)?.[
+        "Last-Event-ID"
+      ];
+      seenLastEventIds.push(lastEventIdHeader ?? null);
+
+      if (attempts === 1) {
+        // Headers arrive immediately, body emits one chunk then hangs
+        // until aborted. The test calls forceReconnect after seeing
+        // the chunk, which should drop this stream and trigger a
+        // resume request with Last-Event-ID set.
+        const body = new ReadableStream<Uint8Array>({
+          start(controller) {
+            controller.enqueue(new TextEncoder().encode(`id: 7\ndata: {"first":true}\n\n`));
+            init?.signal?.addEventListener("abort", () => controller.error(new Error("aborted")));
+          },
+        });
+        return new Response(body, {
+          status: 200,
+          headers: { "Content-Type": "text/event-stream", "X-Stream-Version": "v1" },
+        });
+      }
+      // Second attempt: emit a second chunk and close cleanly.
+      const body = new ReadableStream<Uint8Array>({
+        start(controller) {
+          controller.enqueue(new TextEncoder().encode(`id: 8\ndata: {"second":true}\n\n`));
+          controller.close();
+        },
+      });
+      return new Response(body, {
+        status: 200,
+        headers: { "Content-Type": "text/event-stream", "X-Stream-Version": "v1" },
+      });
+    });
+
+    const sub = new SSEStreamSubscription("http://example.test/sse", {
+      retryDelayMs: 1,
+      maxRetryDelayMs: 5,
+      fetchTimeoutMs: 60_000,
+    });
+
+    const stream = await sub.subscribe();
+    const reader = stream.getReader();
+
+    // Read the first chunk, then force-reconnect mid-stream.
+    const first = await reader.read();
+    expect(first.done).toBe(false);
+    expect((first.value!.chunk as { first?: boolean }).first).toBe(true);
+
+    sub.forceReconnect();
+
+    // Second chunk arrives from the resumed connection.
+    const second = await reader.read();
+    expect(second.done).toBe(false);
+    expect((second.value!.chunk as { second?: boolean }).second).toBe(true);
+
+    const tail = await reader.read();
+    expect(tail.done).toBe(true);
+
+    expect(attempts).toBe(2);
+    expect(seenLastEventIds[0]).toBeNull();
+    // Resumed request includes the Last-Event-ID from the first chunk.
+    expect(seenLastEventIds[1]).toBe("7");
+  });
+
+  it("forceReconnect aborts the in-flight fetch and retries", async () => {
+    let attempts = 0;
+    let firstResolve: (() => void) | undefined;
+    globalThis.fetch = vi.fn().mockImplementation(async (_url: string, init?: RequestInit) => {
+      attempts++;
+      if (attempts === 1) {
+        // Hang the first attempt forever (or until signal aborts).
+        // forceReconnect should make this attempt's signal abort and
+        // throw, taking us into the retry path.
+        return new Promise((resolve, reject) => {
+          firstResolve = () => resolve(makeSSEResponse());
+          init?.signal?.addEventListener("abort", () => {
+            reject(new DOMException("aborted", "AbortError"));
+          });
+        });
+      }
+      return makeSSEResponse();
+    });
+
+    const sub = new SSEStreamSubscription("http://example.test/sse", {
+      retryDelayMs: 1,
+      maxRetryDelayMs: 5,
+      // Long fetch timeout so it doesn't fire instead of forceReconnect.
+      fetchTimeoutMs: 60_000,
+    });
+
+    const subscribePromise = sub.subscribe().then(drain);
+
+    // Let the first fetch hang, then force reconnect.
+    await new Promise((r) => setTimeout(r, 50));
+    sub.forceReconnect();
+
+    const result = await subscribePromise;
+    expect(attempts).toBe(2);
+    expect(result.error).toBeUndefined();
+    expect(result.chunks).toHaveLength(1);
+    // Sanity: the hung first fetch was abandoned, never resolved.
+    expect(firstResolve).toBeDefined();
+  });
+
+  it("aborts a slow fetch via fetchTimeoutMs and retries", async () => {
+    let attempts = 0;
+    globalThis.fetch = vi.fn().mockImplementation(async (_url: string, init?: RequestInit) => {
+      attempts++;
+      if (attempts === 1) {
+        // Hang until aborted.
+        return new Promise((_resolve, reject) => {
+          init?.signal?.addEventListener("abort", () => {
+            reject(new DOMException("aborted", "AbortError"));
+          });
+        });
+      }
+      return makeSSEResponse();
+    });
+
+    const sub = new SSEStreamSubscription("http://example.test/sse", {
+      retryDelayMs: 1,
+      maxRetryDelayMs: 5,
+      fetchTimeoutMs: 100,
+    });
+
+    const result = await sub.subscribe().then(drain);
+    expect(attempts).toBe(2);
+    expect(result.error).toBeUndefined();
+    expect(result.chunks).toHaveLength(1);
+  });
+
+  it("aborts a silent reader via stallTimeoutMs and retries", async () => {
+    let attempts = 0;
+    globalThis.fetch = vi.fn().mockImplementation(async (_url: string, init?: RequestInit) => {
+      attempts++;
+      if (attempts === 1) {
+        // Headers arrive immediately, but the body stream emits no
+        // chunks until aborted. The stall timer should fire and
+        // force a reconnect.
+        const body = new ReadableStream<Uint8Array>({
+          start(controller) {
+            init?.signal?.addEventListener("abort", () => controller.error(new Error("aborted")));
+          },
+        });
+        return new Response(body, {
+          status: 200,
+          headers: { "Content-Type": "text/event-stream", "X-Stream-Version": "v1" },
+        });
+      }
+      return makeSSEResponse();
+    });
+
+    const sub = new SSEStreamSubscription("http://example.test/sse", {
+      retryDelayMs: 1,
+      maxRetryDelayMs: 5,
+      stallTimeoutMs: 100,
+    });
+
+    const result = await sub.subscribe().then(drain);
+    expect(attempts).toBe(2);
+    expect(result.error).toBeUndefined();
+    expect(result.chunks).toHaveLength(1);
+  });
+
+  it("does not retry on 404 (stream gone)", async () => {
+    let attempts = 0;
+    globalThis.fetch = vi.fn().mockImplementation(async () => {
+      attempts++;
+      return new Response("not found", { status: 404 });
+    });
+
+    const errors: Error[] = [];
+    const sub = new SSEStreamSubscription("http://example.test/sse", {
+      retryDelayMs: 1,
+      maxRetryDelayMs: 5,
+      onError: (e) => errors.push(e),
+    });
+
+    const result = await sub.subscribe().then(drain);
+    expect(attempts).toBe(1);
+    expect(result.error).toBeDefined();
+    expect(errors).toHaveLength(1);
+  });
+
+  it("does not retry on 410 (session closed)", async () => {
+    let attempts = 0;
+    globalThis.fetch = vi.fn().mockImplementation(async () => {
+      attempts++;
+      return new Response("gone", { status: 410 });
+    });
+
+    const sub = new SSEStreamSubscription("http://example.test/sse", {
+      retryDelayMs: 1,
+      maxRetryDelayMs: 5,
+    });
+
+    const result = await sub.subscribe().then(drain);
+    expect(attempts).toBe(1);
+    expect(result.error).toBeDefined();
+  });
+
+  it("respects custom nonRetryableStatuses", async () => {
+    let attempts = 0;
+    globalThis.fetch = vi.fn().mockImplementation(async () => {
+      attempts++;
+      return new Response("forbidden", { status: 403 });
+    });
+
+    const sub = new SSEStreamSubscription("http://example.test/sse", {
+      retryDelayMs: 1,
+      maxRetryDelayMs: 5,
+      nonRetryableStatuses: [403],
+    });
+
+    const result = await sub.subscribe().then(drain);
+    expect(attempts).toBe(1);
+    expect(result.error).toBeDefined();
+  });
+
+  it("retries on 503 (caller-tunable nonRetryableStatuses)", async () => {
+    let attempts = 0;
+    globalThis.fetch = vi.fn().mockImplementation(async () => {
+      attempts++;
+      if (attempts < 3) return new Response("unavailable", { status: 503 });
+      return makeSSEResponse();
+    });
+
+    const sub = new SSEStreamSubscription("http://example.test/sse", {
+      retryDelayMs: 1,
+      maxRetryDelayMs: 5,
+      // 503 is NOT in the default non-retryable set; it should retry.
+    });
+
+    const result = await sub.subscribe().then(drain);
+    expect(attempts).toBe(3);
+    expect(result.error).toBeUndefined();
+    expect(result.chunks).toHaveLength(1);
+  });
+
+  it("applies jitter to backoff (delays vary across attempts)", async () => {
+    const callTimes: number[] = [];
+    globalThis.fetch = vi.fn().mockImplementation(async () => {
+      callTimes.push(performance.now());
+      throw new TypeError("fetch failed");
+    });
+
+    const ac = new AbortController();
+    const sub = new SSEStreamSubscription("http://example.test/sse", {
+      signal: ac.signal,
+      retryDelayMs: 50,
+      maxRetryDelayMs: 50,
+      retryJitter: 0.5, // 50% — final delay in [25ms, 50ms]
+    });
+
+    const promise = sub.subscribe().then(drain);
+    await new Promise((r) => setTimeout(r, 600)); // allow ~10 attempts
+    ac.abort();
+    await promise;
+
+    expect(callTimes.length).toBeGreaterThanOrEqual(5);
+
+    // Compute inter-attempt gaps (skip the first since it has no prior).
+    const gaps = callTimes.slice(1).map((t, i) => t - callTimes[i]!);
+    // Without jitter all gaps would be ~50ms. With 50% jitter they
+    // should land in [~25ms, ~50ms] and not all be identical.
+    const min = Math.min(...gaps);
+    const max = Math.max(...gaps);
+    expect(min).toBeGreaterThanOrEqual(20); // a little slack for timer scheduling
+    expect(max).toBeLessThanOrEqual(80);
+    // Variance check — at least one gap should differ from another by
+    // a measurable amount (rules out a deterministic-delay regression).
+    expect(max - min).toBeGreaterThan(2);
+  });
+});
+
+describe("SSEStreamSubscription v2 batch parsing — record kinds", () => {
+  const originalFetch = globalThis.fetch;
+
+  afterEach(() => {
+    globalThis.fetch = originalFetch;
+    vi.restoreAllMocks();
+  });
+
+  type ParsedPart = { id: string; chunk: unknown; headers?: ReadonlyArray<readonly [string, string]> };
+
+  // Build a v2 batch SSE response with the given records and close.
+  function makeBatchResponse(
+    records: Array<{
+      body: string;
+      seq_num: number;
+      timestamp: number;
+      headers?: Array<[string, string]>;
+    }>
+  ) {
+    const body = new ReadableStream<Uint8Array>({
+      start(controller) {
+        controller.enqueue(
+          new TextEncoder().encode(`event: batch\ndata: ${JSON.stringify({ records })}\n\n`)
+        );
+        controller.close();
+      },
+    });
+    return new Response(body, {
+      status: 200,
+      headers: { "Content-Type": "text/event-stream", "X-Stream-Version": "v2" },
+    });
+  }
+
+  async function drain(stream: ReadableStream<ParsedPart>) {
+    const reader = stream.getReader();
+    const parts: ParsedPart[] = [];
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) {
+        reader.releaseLock();
+        return parts;
+      }
+      parts.push(value as ParsedPart);
+    }
+  }
+
+  it("data records flow through with headers and parsed body", async () => {
+    globalThis.fetch = vi.fn().mockResolvedValue(
+      makeBatchResponse([
+        {
+          body: JSON.stringify({ data: { type: "text-delta", delta: "hi" }, id: "p1" }),
+          seq_num: 5,
+          timestamp: 1700000000000,
+          headers: [],
+        },
+      ])
+    );
+    const sub = new SSEStreamSubscription("http://x", { maxRetries: 0 });
+    const parts = await sub.subscribe().then(drain);
+
+    expect(parts).toHaveLength(1);
+    expect(parts[0]!.id).toBe("5");
+    expect(parts[0]!.chunk).toEqual({ type: "text-delta", delta: "hi" });
+    expect(parts[0]!.headers).toEqual([]);
+  });
+
+  it("S2 command records (empty-name header) are filtered out", async () => {
+    globalThis.fetch = vi.fn().mockResolvedValue(
+      makeBatchResponse([
+        {
+          body: JSON.stringify({ data: { type: "text-delta", delta: "before" }, id: "p1" }),
+          seq_num: 4,
+          timestamp: 1700000000000,
+          headers: [],
+        },
+        // Trim command record — empty-name header, opaque body.
+        {
+          body: "AAAAAAAAAAQ=",
+          seq_num: 5,
+          timestamp: 1700000000001,
+          headers: [["", "trim"]],
+        },
+        {
+          body: JSON.stringify({ data: { type: "text-delta", delta: "after" }, id: "p2" }),
+          seq_num: 6,
+          timestamp: 1700000000002,
+          headers: [],
+        },
+      ])
+    );
+    const sub = new SSEStreamSubscription("http://x", { maxRetries: 0 });
+    const parts = await sub.subscribe().then(drain);
+
+    // Trim record stripped — only the two data records survive.
+    expect(parts).toHaveLength(2);
+    expect((parts[0]!.chunk as any).delta).toBe("before");
+    expect((parts[1]!.chunk as any).delta).toBe("after");
+  });
+
+  it("trigger-control records flow with headers and undefined chunk", async () => {
+    globalThis.fetch = vi.fn().mockResolvedValue(
+      makeBatchResponse([
+        {
+          body: "",
+          seq_num: 7,
+          timestamp: 1700000000003,
+          headers: [
+            ["trigger-control", "turn-complete"],
+            ["public-access-token", "eyJ..."],
+          ],
+        },
+      ])
+    );
+    const sub = new SSEStreamSubscription("http://x", { maxRetries: 0 });
+    const parts = await sub.subscribe().then(drain);
+
+    // Control record passes through so consumers can route by header,
+    // but its `chunk` is undefined (empty body).
+    expect(parts).toHaveLength(1);
+    expect(parts[0]!.chunk).toBeUndefined();
+    expect(parts[0]!.headers).toEqual([
+      ["trigger-control", "turn-complete"],
+      ["public-access-token", "eyJ..."],
+    ]);
+  });
+
+  it("malformed data record body does not crash; cursor still advances", async () => {
+    globalThis.fetch = vi.fn().mockResolvedValue(
+      makeBatchResponse([
+        {
+          body: "not json at all",
+          seq_num: 8,
+          timestamp: 1700000000004,
+          headers: [],
+        },
+        {
+          body: JSON.stringify({ data: { type: "text-delta", delta: "x" }, id: "p3" }),
+          seq_num: 9,
+          timestamp: 1700000000005,
+          headers: [],
+        },
+      ])
+    );
+    const sub = new SSEStreamSubscription("http://x", { maxRetries: 0 });
+    const parts = await sub.subscribe().then(drain);
+
+    // Malformed record still propagates with undefined chunk (matches
+    // control-record shape); next data record is fine.
+    expect(parts).toHaveLength(2);
+    expect(parts[0]!.chunk).toBeUndefined();
+    expect((parts[1]!.chunk as any).delta).toBe("x");
+  });
+});
diff --git a/packages/core/src/v3/apiClient/runStream.ts b/packages/core/src/v3/apiClient/runStream.ts
index 520ecd8dc2b..6d58dff1a70 100644
--- a/packages/core/src/v3/apiClient/runStream.ts
+++ b/packages/core/src/v3/apiClient/runStream.ts
@@ -14,7 +14,7 @@ import {
   IOPacket,
   parsePacket,
 } from "../utils/ioSerialization.js";
-import { ApiError } from "./errors.js";
+import { ApiError, isTriggerRealtimeAuthError } from "./errors.js";
 import { ApiClient } from "./index.js";
 import { zodShapeStream } from "./stream.js";
 
@@ -176,14 +176,30 @@ export type SSEStreamPart<TChunk = unknown> = {
   id: string;
   chunk: TChunk;
   timestamp: number;
+  /**
+   * S2 record headers, when the underlying transport is the v2 batch shape
+   * (Session streams). Undefined for v1 streams. Empty array when the record
+   * had no headers. Trigger control records carry a `trigger-control` named
+   * header (see `trigger-control` records on `session.out`) and may reach
+   * this struct. S2 command records (trim/fence) are identified by an
+   * empty-name first header and are filtered out before enqueue.
+   */
+  headers?: Array<[string, string]>;
 };
 
 // Real implementation for production
 export class SSEStreamSubscription implements StreamSubscription {
   private lastEventId: string | undefined;
   private retryCount = 0;
-  private maxRetries = 5;
-  private retryDelayMs = 1000;
+  private maxRetries: number;
+  private retryDelayMs: number;
+  private maxRetryDelayMs: number;
+  private retryJitter: number;
+  private fetchTimeoutMs: number;
+  private stallTimeoutMs: number;
+  private nonRetryableStatuses: ReadonlySet<number>;
+  private retryNowController: AbortController | null = null;
+  private internalAbort: AbortController | null = null;
 
   constructor(
     private url: string,
@@ -194,9 +210,77 @@ export class SSEStreamSubscription implements StreamSubscription {
       onError?: (error: Error) => void;
       timeoutInSeconds?: number;
       lastEventId?: string;
+      // Retry knobs. Defaults: retry forever, 100ms initial backoff,
+      // capped at 5s with 50% jitter. Keeps mobile clients reconnecting
+      // through transient drops without giving up after a fixed window
+      // and prevents thundering-herd when many clients reconnect after
+      // a brief server blip.
+      maxRetries?: number;
+      retryDelayMs?: number;
+      maxRetryDelayMs?: number;
+      retryJitter?: number;
+      // Per-attempt fetch timeout — aborts the connect attempt if
+      // response headers don't arrive in time. Catches stuck TCP
+      // sockets where `fetch()` blocks forever waiting on a dead
+      // server. Cleared once headers arrive; long-lived chunk reads
+      // are governed by `stallTimeoutMs` instead.
+      fetchTimeoutMs?: number;
+      // Stall detector — if no chunks arrive within this window after
+      // the connection is established, force a reconnect. Catches
+      // silent-dead-socket cases (mobile OS killed the TCP socket but
+      // the read just blocks). Disabled (`0`) by default; opt in
+      // explicitly. Servers that emit periodic keepalive comments
+      // reset the timer naturally.
+      stallTimeoutMs?: number;
+      // HTTP statuses that should NOT be retried — fail the stream
+      // permanently. Defaults cover the permanent client-error set:
+      // `400` (bad request), `404` (stream gone), `409` (conflict),
+      // `410` (session closed), `422` (unprocessable). Tune per-caller
+      // for other 4xx.
+      nonRetryableStatuses?: readonly number[];
+      // Optional fetch override. Used by transports that need to route
+      // the SSE connect through a custom path (proxy, custom headers,
+      // tracing). Defaults to global `fetch`.
+      fetchClient?: typeof fetch;
     }
   ) {
     this.lastEventId = options.lastEventId;
+    this.maxRetries = options.maxRetries ?? Infinity;
+    this.retryDelayMs = options.retryDelayMs ?? 100;
+    this.maxRetryDelayMs = options.maxRetryDelayMs ?? 5000;
+    this.retryJitter = options.retryJitter ?? 0.5;
+    this.fetchTimeoutMs = options.fetchTimeoutMs ?? 30_000;
+    this.stallTimeoutMs = options.stallTimeoutMs ?? 0;
+    this.nonRetryableStatuses = new Set(
+      options.nonRetryableStatuses ?? [400, 404, 409, 410, 422]
+    );
+  }
+
+  /**
+   * Wake an in-flight retry backoff and reconnect immediately.
+   *
+   * No-op if no retry is currently waiting (i.e. we're already
+   * connected and reading). Use this for cheap "hint" wakeups like
+   * the `online` event or a short-hidden visibility return —
+   * `forceReconnect()` is the heavier hammer.
+   */
+  retryNow(): void {
+    this.retryNowController?.abort();
+  }
+
+  /**
+   * Drop the current connection (or wake a pending backoff) and
+   * reconnect.
+   *
+   * Use when the existing TCP socket is suspected dead but the reader
+   * hasn't noticed yet — common after a mobile tab background-kill or
+   * a Safari bfcache restore. Aborts the in-flight fetch / read so
+   * the catch path takes us through `retryConnection` and re-fetches
+   * with `Last-Event-ID`.
+   */
+  forceReconnect(): void {
+    this.internalAbort?.abort();
+    this.retryNowController?.abort();
   }
 
   async subscribe(): Promise<ReadableStream<SSEStreamPart>> {
@@ -206,7 +290,7 @@ export class SSEStreamSubscription implements StreamSubscription {
       async start(controller) {
         await self.connectStream(controller);
       },
-      cancel(reason) {
+      cancel() {
         self.options.onComplete?.();
       },
     });
@@ -215,25 +299,52 @@ export class SSEStreamSubscription implements StreamSubscription {
   private async connectStream(
     controller: ReadableStreamDefaultController<SSEStreamPart>
   ): Promise<void> {
+    // Two abort sources flow through `internalAbort.signal`:
+    //   - this.options.signal: caller cancel — bypass retry, exit cleanly.
+    //   - this.internalAbort: per-attempt force-reconnect / fetch-timeout
+    //     / stall-timeout — treated as a transient error, retry path runs.
+    // Use `this.options.signal?.aborted` in the catch to distinguish.
+    this.internalAbort = new AbortController();
+    const unlinkUserAbort = linkAbort(this.options.signal, this.internalAbort);
+
+    // Per-attempt fetch timeout. Cleared once response headers arrive;
+    // chunk-read latency is governed by `stallTimeoutMs` instead.
+    const fetchTimer = setTimeout(() => this.internalAbort?.abort(), this.fetchTimeoutMs);
+
+    let stallTimer: ReturnType<typeof setTimeout> | undefined;
+    const armStall = () => {
+      if (this.stallTimeoutMs <= 0) return;
+      clearTimeout(stallTimer);
+      stallTimer = setTimeout(() => this.internalAbort?.abort(), this.stallTimeoutMs);
+    };
+
+    // Idempotent — both the catch (before recursion) and the finally
+    // call this. Without the catch-side call, every retry leaks an
+    // abort listener on `this.options.signal` because the finally
+    // doesn't run until the entire recursion unwinds.
+    const cleanupAttempt = () => {
+      clearTimeout(fetchTimer);
+      clearTimeout(stallTimer);
+      unlinkUserAbort();
+      this.internalAbort = null;
+    };
+
     try {
       const headers: Record<string, string> = {
         Accept: "text/event-stream",
         ...this.options.headers,
       };
-
-      // Include Last-Event-ID header if we're resuming
-      if (this.lastEventId) {
-        headers["Last-Event-ID"] = this.lastEventId;
-      }
-
+      if (this.lastEventId) headers["Last-Event-ID"] = this.lastEventId;
       if (this.options.timeoutInSeconds) {
         headers["Timeout-Seconds"] = this.options.timeoutInSeconds.toString();
       }
 
-      const response = await fetch(this.url, {
+      const fetchClient = this.options.fetchClient ?? fetch;
+      const response = await fetchClient(this.url, {
         headers,
-        signal: this.options.signal,
+        signal: this.internalAbort.signal,
       });
+      clearTimeout(fetchTimer);
 
       if (!response.ok) {
         const error = ApiError.generate(
@@ -242,24 +353,38 @@ export class SSEStreamSubscription implements StreamSubscription {
           "Could not subscribe to stream",
           Object.fromEntries(response.headers)
         );
-
         this.options.onError?.(error);
+        if (this.nonRetryableStatuses.has(response.status)) {
+          controller.error(error);
+          return;
+        }
         throw error;
       }
 
       if (!response.body) {
         const error = new Error("No response body");
-
         this.options.onError?.(error);
         throw error;
       }
 
       const streamVersion = response.headers.get("X-Stream-Version") ?? "v1";
-
-      // Reset retry count on successful connection
-      this.retryCount = 0;
-
+      this.retryCount = 0; // reset on success
+      armStall();
+
+      // Dedup window for record ids. Bounded with FIFO eviction so a
+      // long-lived `watch: true` subscription (one connection across many
+      // turns) doesn't grow this set without bound. The window only needs
+      // to cover the overlap a reconnect/replay can re-deliver, so a few
+      // thousand ids is ample.
+      const SEEN_IDS_CAP = 5000;
       const seenIds = new Set<string>();
+      const rememberSeen = (id: string) => {
+        seenIds.add(id);
+        if (seenIds.size > SEEN_IDS_CAP) {
+          const oldest = seenIds.values().next().value;
+          if (oldest !== undefined) seenIds.delete(oldest);
+        }
+      };
 
       const stream = response.body
         .pipeThrough(new TextDecoderStream())
@@ -268,13 +393,10 @@ export class SSEStreamSubscription implements StreamSubscription {
           new TransformStream<EventSourceMessage, SSEStreamPart>({
             transform: (chunk, chunkController) => {
               if (streamVersion === "v1") {
-                // Track the last event ID for resume support
                 if (chunk.id) {
                   this.lastEventId = chunk.id;
                 }
-
                 const timestamp = parseRedisStreamIdTimestamp(chunk.id);
-
                 chunkController.enqueue({
                   id: chunk.id ?? "unknown",
                   chunk: safeParseJSON(chunk.data),
@@ -283,22 +405,47 @@ export class SSEStreamSubscription implements StreamSubscription {
               } else {
                 if (chunk.event === "batch") {
                   const data = safeParseJSON(chunk.data) as {
-                    records: Array<{ body: string; seq_num: number; timestamp: number }>;
+                    records: Array<{
+                      body: string;
+                      seq_num: number;
+                      timestamp: number;
+                      headers?: Array<[string, string]>;
+                    }>;
                   };
+                  if (!data || !Array.isArray(data.records)) return;
 
                   for (const record of data.records) {
+                    // Always advance the resume cursor — even for records we
+                    // skip — so a future Last-Event-ID reconnect lands past
+                    // them.
                     this.lastEventId = record.seq_num.toString();
 
-                    const parsedBody = safeParseJSON(record.body) as { data: unknown; id: string };
-                    if (seenIds.has(parsedBody.id)) {
+                    // S2 command records (trim, fence) have a single header
+                    // with an empty name. They are S2-interpreted directives
+                    // that consume a seq_num but are not application data.
+                    // Skip enqueue; consumers shouldn't see them.
+                    if (record.headers?.[0]?.[0] === "") {
                       continue;
                     }
-                    seenIds.add(parsedBody.id);
 
+                    // Data record (and Trigger control records — see
+                    // `trigger-control` header in `client-protocol.mdx`).
+                    // Control records have an empty body; data records have a
+                    // JSON envelope. `safeParseJSON("")` returns undefined,
+                    // which is what we want for control records — downstream
+                    // consumers route by `headers` and ignore `chunk`.
+                    const parsedBody = safeParseJSON(record.body) as
+                      | { data: unknown; id: string }
+                      | undefined;
+                    if (parsedBody?.id) {
+                      if (seenIds.has(parsedBody.id)) continue;
+                      rememberSeen(parsedBody.id);
+                    }
                     chunkController.enqueue({
                       id: record.seq_num.toString(),
-                      chunk: parsedBody.data,
+                      chunk: parsedBody?.data,
                       timestamp: record.timestamp,
+                      headers: record.headers ?? [],
                     });
                   }
                 }
@@ -310,7 +457,6 @@ export class SSEStreamSubscription implements StreamSubscription {
       const reader = stream.getReader();
 
       try {
-        let chunkCount = 0;
         while (true) {
           const { done, value } = await reader.read();
 
@@ -329,7 +475,7 @@ export class SSEStreamSubscription implements StreamSubscription {
             return;
           }
 
-          chunkCount++;
+          armStall(); // any chunk (including server keepalives) resets the silence timer
           controller.enqueue(value);
         }
       } catch (error) {
@@ -338,14 +484,24 @@ export class SSEStreamSubscription implements StreamSubscription {
       }
     } catch (error) {
       if (this.options.signal?.aborted) {
-        // Don't retry if aborted
+        // User cancel — exit cleanly, don't retry.
         controller.close();
         this.options.onComplete?.();
         return;
       }
 
-      // Retry on error
+      if (isTriggerRealtimeAuthError(error)) {
+        // `onError` was already invoked in the `!response.ok` branch above
+        // (where the auth ApiError was originally constructed and thrown).
+        // Auth errors are non-retryable: terminate the stream cleanly.
+        controller.error(error as Error);
+        return;
+      }
+
+      cleanupAttempt();
       await this.retryConnection(controller, error as Error);
+    } finally {
+      cleanupAttempt();
     }
   }
 
@@ -367,10 +523,33 @@ export class SSEStreamSubscription implements StreamSubscription {
     }
 
     this.retryCount++;
-    const delay = this.retryDelayMs * Math.pow(2, this.retryCount - 1);
-
-    // Wait before retrying
-    await new Promise((resolve) => setTimeout(resolve, delay));
+    const baseDelay = Math.min(
+      this.retryDelayMs * Math.pow(2, this.retryCount - 1),
+      this.maxRetryDelayMs
+    );
+    // Jitter scales the delay into [(1 - retryJitter) * base, base].
+    // E.g. retryJitter=0.5 → final delay is in [50%, 100%] of base.
+    // Spreads simultaneous reconnect attempts so many clients don't
+    // dogpile on the server right after a brief outage.
+    const delay = baseDelay * (1 - this.retryJitter * Math.random());
+
+    // Wait before retrying. The wait is wakeable: `retryNow()` aborts
+    // `retryNowController` so the timer resolves immediately and the
+    // next connect attempt starts now (e.g. on tab focus / `online`
+    // event from the browser layer).
+    this.retryNowController = new AbortController();
+    await new Promise<void>((resolve) => {
+      const timer = setTimeout(() => {
+        this.retryNowController?.signal.removeEventListener("abort", onAbort);
+        resolve();
+      }, delay);
+      const onAbort = () => {
+        clearTimeout(timer);
+        resolve();
+      };
+      this.retryNowController!.signal.addEventListener("abort", onAbort, { once: true });
+    });
+    this.retryNowController = null;
 
     if (this.options.signal?.aborted) {
       controller.close();
@@ -383,6 +562,22 @@ export class SSEStreamSubscription implements StreamSubscription {
   }
 }
 
+/**
+ * One-way abort link: when `parent` aborts, abort `child` too. Returns
+ * a cleanup that removes the listener so `parent` doesn't accumulate
+ * subscriptions across many connect attempts.
+ */
+function linkAbort(parent: AbortSignal | undefined, child: AbortController): () => void {
+  if (!parent) return () => {};
+  if (parent.aborted) {
+    child.abort();
+    return () => {};
+  }
+  const onAbort = () => child.abort();
+  parent.addEventListener("abort", onAbort, { once: true });
+  return () => parent.removeEventListener("abort", onAbort);
+}
+
 export class SSEStreamSubscriptionFactory implements StreamSubscriptionFactory {
   constructor(
     private baseUrl: string,
diff --git a/packages/core/src/v3/apiClient/types.ts b/packages/core/src/v3/apiClient/types.ts
index 79baaf74ef7..445d6bbda24 100644
--- a/packages/core/src/v3/apiClient/types.ts
+++ b/packages/core/src/v3/apiClient/types.ts
@@ -14,6 +14,10 @@ export interface ImportEnvironmentVariablesParams {
    */
   variables: Record<string, string>;
   override?: boolean;
+  /**
+   * When `true`, the imported variables are created as secret (redacted) environment variables. Defaults to `false`.
+   */
+  isSecret?: boolean;
 }
 
 export interface CreateEnvironmentVariableParams {
@@ -58,6 +62,8 @@ export interface ListRunsQueryParams extends CursorPageParams {
   queue?: Array<QueueTypeName> | QueueTypeName;
   /** The machine name, or multiple of them. */
   machine?: Array<MachinePresetName> | MachinePresetName;
+  /** The region master-queue identifier, or multiple of them. */
+  region?: Array<string> | string;
 }
 
 export interface ListProjectRunsQueryParams extends CursorPageParams, ListRunsQueryParams {
diff --git a/packages/core/src/v3/apiClientManager/index.ts b/packages/core/src/v3/apiClientManager/index.ts
index 96a4bc8e534..6120c3aae0f 100644
--- a/packages/core/src/v3/apiClientManager/index.ts
+++ b/packages/core/src/v3/apiClientManager/index.ts
@@ -1,6 +1,7 @@
 import { ApiClient } from "../apiClient/index.js";
 import { getGlobal, registerGlobal, unregisterGlobal } from "../utils/globals.js";
 import { getEnvVar } from "../utils/getEnv.js";
+import { sdkScope } from "../sdkScope/index.js";
 import { ApiClientConfiguration } from "./types.js";
 
 const API_NAME = "api-client";
@@ -30,11 +31,19 @@ export class APIClientManagerAPI {
   }
 
   get baseURL(): string | undefined {
+    const scoped = sdkScope.getStore();
+    if (scoped) {
+      return scoped.apiClientConfig.baseURL ?? "https://api.trigger.dev";
+    }
     const config = this.#getConfig();
     return config?.baseURL ?? getEnvVar("TRIGGER_API_URL") ?? "https://api.trigger.dev";
   }
 
   get accessToken(): string | undefined {
+    const scoped = sdkScope.getStore();
+    if (scoped) {
+      return scoped.apiClientConfig.accessToken ?? scoped.apiClientConfig.secretKey;
+    }
     const config = this.#getConfig();
     return (
       config?.secretKey ??
@@ -45,6 +54,11 @@ export class APIClientManagerAPI {
   }
 
   get branchName(): string | undefined {
+    const scoped = sdkScope.getStore();
+    if (scoped) {
+      const value = scoped.apiClientConfig.previewBranch;
+      return value ? value : undefined;
+    }
     const config = this.#getConfig();
     const value =
       config?.previewBranch ??
@@ -54,13 +68,33 @@ export class APIClientManagerAPI {
     return value ? value : undefined;
   }
 
+  public resolveApiClientConfig(partial: ApiClientConfiguration = {}): ApiClientConfiguration {
+    return {
+      baseURL: partial.baseURL ?? getEnvVar("TRIGGER_API_URL"),
+      accessToken:
+        partial.accessToken ??
+        partial.secretKey ??
+        getEnvVar("TRIGGER_SECRET_KEY") ??
+        getEnvVar("TRIGGER_ACCESS_TOKEN"),
+      secretKey: partial.secretKey,
+      previewBranch:
+        partial.previewBranch ??
+        getEnvVar("TRIGGER_PREVIEW_BRANCH") ??
+        getEnvVar("VERCEL_GIT_COMMIT_REF"),
+      requestOptions: partial.requestOptions,
+      future: partial.future,
+    };
+  }
+
   get client(): ApiClient | undefined {
     if (!this.baseURL || !this.accessToken) {
       return undefined;
     }
 
-    const requestOptions = this.#getConfig()?.requestOptions;
-    const futureFlags = this.#getConfig()?.future;
+    const scoped = sdkScope.getStore();
+    const source = scoped?.apiClientConfig ?? this.#getConfig();
+    const requestOptions = source?.requestOptions;
+    const futureFlags = source?.future;
 
     return new ApiClient(this.baseURL, this.accessToken, this.branchName, requestOptions, futureFlags);
   }
@@ -74,8 +108,10 @@ export class APIClientManagerAPI {
     }
 
     const branchName = config?.previewBranch ?? this.branchName;
-    const requestOptions = config?.requestOptions ?? this.#getConfig()?.requestOptions;
-    const futureFlags = config?.future ?? this.#getConfig()?.future;
+    const scoped = sdkScope.getStore();
+    const source = scoped?.apiClientConfig ?? this.#getConfig();
+    const requestOptions = config?.requestOptions ?? source?.requestOptions;
+    const futureFlags = config?.future ?? source?.future;
 
     return new ApiClient(baseURL, accessToken, branchName, requestOptions, futureFlags);
   }
@@ -84,17 +120,24 @@ export class APIClientManagerAPI {
     config: ApiClientConfiguration,
     fn: R
   ): Promise<ReturnType<R>> {
-    const originalConfig = this.#getConfig();
-    const $config = { ...originalConfig, ...config };
-    registerGlobal(API_NAME, $config, true);
+    const current = sdkScope.getStore()?.apiClientConfig ?? this.#getConfig();
+    const merged = this.resolveApiClientConfig({ ...current, ...config });
+
+    if (sdkScope.hasStorage()) {
+      return sdkScope.withScope({ apiClientConfig: merged, inheritContext: true }, fn);
+    }
 
+    // No ALS available (browser, edge, workers). Fall back to in-place
+    // mutation — same as pre-existing behavior, not concurrency-safe.
+    const original = this.#getConfig();
+    registerGlobal(API_NAME, merged, true);
     return fn().finally(() => {
-      registerGlobal(API_NAME, originalConfig, true);
+      registerGlobal(API_NAME, original, true);
     });
   }
 
   public setGlobalAPIClientConfiguration(config: ApiClientConfiguration): boolean {
-    return registerGlobal(API_NAME, config);
+    return registerGlobal(API_NAME, config, true);
   }
 
   #getConfig(): ApiClientConfiguration | undefined {
diff --git a/packages/core/src/v3/auth/environment.ts b/packages/core/src/v3/auth/environment.ts
new file mode 100644
index 00000000000..8918f191300
--- /dev/null
+++ b/packages/core/src/v3/auth/environment.ts
@@ -0,0 +1,108 @@
+// Slim shape of an authenticated runtime environment, structural and
+// independent of @trigger.dev/database. Carried across the auth boundary
+// (RBAC plugin contract → host webapp) so plugins can return all the
+// fields handlers consume without a follow-up DB lookup.
+//
+// This is hand-rolled rather than derived from `Prisma.RuntimeEnvironmentGetPayload`
+// because the contract package (@trigger.dev/plugins) is published while
+// @trigger.dev/database is private — and because callers of this type
+// genuinely use only a fraction of the columns Prisma would expose.
+//
+// If a downstream consumer needs a field that's not here:
+//   - Used in the auth-cross-cutting hot path → add it
+//   - Used in a service that already loads the env → fetch it there instead
+//
+// `concurrencyLimitBurstFactor` is a `Decimal(4,2)` in Postgres — values
+// are O(2.00) in practice; coerced to `number` here (lossless at this
+// scale, avoids dragging in Prisma's Decimal class via type imports).
+
+// String-literal unions mirror the corresponding Prisma enums. Defining
+// them here keeps the contract structural (no @trigger.dev/database
+// import) while giving downstream consumers the same exact union they
+// expect when this value is passed to a Prisma column.
+export type RuntimeEnvironmentType =
+  | "PRODUCTION"
+  | "STAGING"
+  | "DEVELOPMENT"
+  | "PREVIEW";
+
+export type RunEngineVersion = "V1" | "V2";
+
+// Prisma's Decimal class. Accept it structurally so consumers (mostly
+// the webapp's `runtimeEnvironment.server.ts` model functions) can pass
+// raw Prisma rows without coercion. Plugins that don't have a Decimal
+// type at hand (cloud's Drizzle plugin) return plain `number`.
+type DecimalLike = { toNumber(): number };
+
+export type AuthenticatedEnvironment = {
+  id: string;
+  slug: string;
+  type: RuntimeEnvironmentType;
+  apiKey: string;
+  organizationId: string;
+  projectId: string;
+  orgMemberId: string | null;
+  parentEnvironmentId: string | null;
+  branchName: string | null;
+  archivedAt: Date | null;
+  paused: boolean;
+  shortcode: string;
+  maximumConcurrencyLimit: number;
+  concurrencyLimitBurstFactor: number | DecimalLike;
+  // Prisma JSON column. Specific flags read it with their own narrower
+  // types. Pass-through for legacy override paths in marqs / sharedQueue.
+  builtInEnvironmentVariableOverrides: unknown;
+  // Bookkeeping timestamps. Prisma rows always have them; non-Prisma
+  // plugins can fill in with `new Date()` or whatever's appropriate.
+  createdAt: Date;
+  updatedAt: Date;
+
+  project: {
+    id: string;
+    slug: string;
+    name: string;
+    externalRef: string;
+    engine: RunEngineVersion;
+    deletedAt: Date | null;
+    defaultWorkerGroupId: string | null;
+    // Same id as env.organizationId — present on Prisma's Project row
+    // and read by deployment services that operate on the project alone.
+    organizationId: string;
+    // Build-server bookkeeping. Read by remote-image-builder when
+    // creating Depot builds.
+    builderProjectId: string | null;
+  };
+
+  organization: {
+    id: string;
+    slug: string;
+    title: string;
+    streamBasinName: string | null;
+    maximumConcurrencyLimit: number | null;
+    runsEnabled: boolean;
+    maximumDevQueueSize: number | null;
+    maximumDeployedQueueSize: number | null;
+    // Per-org feature flags + rate-limit config. Loosely typed (Prisma
+    // JSON) — handlers that care about specific keys read with their
+    // own narrower types.
+    featureFlags: unknown;
+    apiRateLimiterConfig: unknown;
+    batchRateLimitConfig: unknown;
+    batchQueueConcurrencyConfig: unknown;
+  };
+
+  // `user` is optional because most call sites only fetch `userId`.
+  // Code paths that need user details (display name etc.) include it
+  // explicitly in their Prisma query. The whole field is optional too
+  // so admin construction sites that build env literals without it
+  // satisfy the type.
+  orgMember?: {
+    userId: string;
+    user?: { id: string; displayName: string | null; name: string | null };
+  } | null;
+
+  // Optional + nullable: optional so admin routes that don't explicitly
+  // include parentEnvironment satisfy the type; nullable so Prisma rows
+  // with a null left-join result satisfy too.
+  parentEnvironment?: { id: string; apiKey: string } | null;
+};
diff --git a/packages/core/src/v3/errors.test.ts b/packages/core/src/v3/errors.test.ts
new file mode 100644
index 00000000000..b02bbf5f3cf
--- /dev/null
+++ b/packages/core/src/v3/errors.test.ts
@@ -0,0 +1,43 @@
+import { describe, expect, test } from "vitest";
+import { DuplicateTaskIdsError } from "./errors.js";
+
+describe("DuplicateTaskIdsError", () => {
+  test("is an Error with a stable name and the collisions attached", () => {
+    const collisions = [{ id: "foo", filePaths: ["src/a.ts", "src/b.ts"] }];
+    const error = new DuplicateTaskIdsError(collisions);
+
+    expect(error).toBeInstanceOf(Error);
+    expect(error.name).toBe("DuplicateTaskIdsError");
+    expect(error.collisions).toEqual(collisions);
+  });
+
+  test("names the id and both files when an id is defined in two files", () => {
+    const error = new DuplicateTaskIdsError([
+      { id: "foo", filePaths: ["src/a.ts", "src/b.ts"] },
+    ]);
+
+    expect(error.message).toContain('"foo"');
+    expect(error.message).toContain("src/a.ts");
+    expect(error.message).toContain("src/b.ts");
+  });
+
+  test("collapses identical file paths into a single 'more than once' location", () => {
+    const error = new DuplicateTaskIdsError([
+      { id: "foo", filePaths: ["src/dupe.ts", "src/dupe.ts"] },
+    ]);
+
+    expect(error.message).toContain("more than once in src/dupe.ts");
+    // The same path must not be listed twice.
+    expect(error.message.match(/src\/dupe\.ts/g)).toHaveLength(1);
+  });
+
+  test("lists every collision when multiple ids clash", () => {
+    const error = new DuplicateTaskIdsError([
+      { id: "foo", filePaths: ["src/a.ts", "src/b.ts"] },
+      { id: "bar", filePaths: ["src/c.ts", "src/d.ts"] },
+    ]);
+
+    expect(error.message).toContain('"foo"');
+    expect(error.message).toContain('"bar"');
+  });
+});
diff --git a/packages/core/src/v3/errors.ts b/packages/core/src/v3/errors.ts
index 87fff767d7b..187cbef9b64 100644
--- a/packages/core/src/v3/errors.ts
+++ b/packages/core/src/v3/errors.ts
@@ -154,13 +154,65 @@ export function isCompleteTaskWithOutput(error: unknown): error is CompleteTaskW
   return error instanceof Error && error.name === "CompleteTaskWithOutput";
 }
 
+const MAX_STACK_FRAMES = 50;
+const KEEP_TOP_FRAMES = 5;
+const MAX_STACK_LINE_LENGTH = 1024;
+const MAX_MESSAGE_LENGTH = 1_000;
+
+/** Truncate a stack trace to at most MAX_STACK_FRAMES frames, keeping
+ *  the top (closest to throw) and bottom (entry points) frames.
+ *  Individual lines (including message lines) are capped at MAX_STACK_LINE_LENGTH
+ *  to prevent OOM from huge error messages embedded in the stack. */
+export function truncateStack(stack: string | undefined): string {
+  if (!stack) return "";
+
+  const lines = stack.split("\n");
+
+  // First line(s) before the first frame are the error message
+  const messageLines: string[] = [];
+  const frameLines: string[] = [];
+
+  for (const line of lines) {
+    const safe =
+      line.length > MAX_STACK_LINE_LENGTH
+        ? line.slice(0, MAX_STACK_LINE_LENGTH) + "...[truncated]"
+        : line;
+    if (frameLines.length === 0 && !line.trimStart().startsWith("at ")) {
+      messageLines.push(safe);
+    } else {
+      frameLines.push(safe);
+    }
+  }
+
+  if (frameLines.length <= MAX_STACK_FRAMES) {
+    return [...messageLines, ...frameLines].join("\n");
+  }
+
+  const keepBottom = MAX_STACK_FRAMES - KEEP_TOP_FRAMES;
+  const omitted = frameLines.length - MAX_STACK_FRAMES;
+
+  return [
+    ...messageLines,
+    ...frameLines.slice(0, KEEP_TOP_FRAMES),
+    `    ... ${omitted} frames omitted ...`,
+    ...frameLines.slice(-keepBottom),
+  ].join("\n");
+}
+
+export function truncateMessage(message: string | undefined): string {
+  if (!message) return "";
+  return message.length > MAX_MESSAGE_LENGTH
+    ? message.slice(0, MAX_MESSAGE_LENGTH) + "...[truncated]"
+    : message;
+}
+
 export function parseError(error: unknown): TaskRunError {
   if (isInternalError(error)) {
     return {
       type: "INTERNAL_ERROR",
       code: error.code,
-      message: error.message,
-      stackTrace: error.stack ?? "",
+      message: truncateMessage(error.message),
+      stackTrace: truncateStack(error.stack),
     };
   }
 
@@ -168,8 +220,8 @@ export function parseError(error: unknown): TaskRunError {
     return {
       type: "BUILT_IN_ERROR",
       name: error.name,
-      message: error.message,
-      stackTrace: error.stack ?? "",
+      message: truncateMessage(error.message),
+      stackTrace: truncateStack(error.stack),
     };
   }
 
@@ -248,35 +300,52 @@ export function createJsonErrorObject(error: TaskRunError): SerializedError {
   }
 }
 
-// Removes any null characters from the error message
+// Removes null characters and truncates oversized fields to prevent OOM
 export function sanitizeError(error: TaskRunError): TaskRunError {
   switch (error.type) {
     case "BUILT_IN_ERROR": {
       return {
         type: "BUILT_IN_ERROR",
-        message: error.message?.replace(/\0/g, ""),
+        message: truncateMessage(error.message?.replace(/\0/g, "")),
         name: error.name?.replace(/\0/g, ""),
-        stackTrace: error.stackTrace?.replace(/\0/g, ""),
+        stackTrace: truncateStack(error.stackTrace?.replace(/\0/g, "")),
       };
     }
     case "STRING_ERROR": {
       return {
         type: "STRING_ERROR",
-        raw: error.raw.replace(/\0/g, ""),
+        raw: truncateMessage(error.raw.replace(/\0/g, "")),
       };
     }
     case "CUSTOM_ERROR": {
+      // CUSTOM_ERROR.raw holds JSON.stringify(error) which is later parsed by
+      // JSON.parse in createErrorTaskError. Naive truncation would cut mid-token
+      // and produce invalid JSON — wrap the preview in a valid JSON envelope.
+      const clean = error.raw.replace(/\0/g, "");
+      const safeRaw =
+        clean.length > MAX_MESSAGE_LENGTH
+          ? JSON.stringify({ truncated: true, preview: clean.slice(0, MAX_MESSAGE_LENGTH) })
+          : clean;
       return {
         type: "CUSTOM_ERROR",
-        raw: error.raw.replace(/\0/g, ""),
+        raw: safeRaw,
       };
     }
     case "INTERNAL_ERROR": {
+      // message and stackTrace are optional for INTERNAL_ERROR — preserve
+      // `undefined` so the `error.message ?? "Internal error (CODE)"` fallback
+      // in createErrorTaskError still kicks in (empty string is not nullish).
       return {
         type: "INTERNAL_ERROR",
         code: error.code,
-        message: error.message?.replace(/\0/g, ""),
-        stackTrace: error.stackTrace?.replace(/\0/g, ""),
+        message:
+          error.message != null
+            ? truncateMessage(error.message.replace(/\0/g, ""))
+            : undefined,
+        stackTrace:
+          error.stackTrace != null
+            ? truncateStack(error.stackTrace.replace(/\0/g, ""))
+            : undefined,
       };
     }
   }
@@ -292,7 +361,6 @@ export function shouldRetryError(error: TaskRunError): boolean {
         case "CONFIGURED_INCORRECTLY":
         case "TASK_ALREADY_RUNNING":
         case "TASK_PROCESS_SIGKILL_TIMEOUT":
-        case "TASK_PROCESS_SIGSEGV":
         case "TASK_PROCESS_OOM_KILLED":
         case "TASK_PROCESS_MAYBE_OOM_KILLED":
         case "TASK_RUN_CANCELLED":
@@ -326,8 +394,10 @@ export function shouldRetryError(error: TaskRunError): boolean {
         case "TASK_EXECUTION_ABORTED":
         case "TASK_EXECUTION_FAILED":
         case "TASK_RUN_CRASHED":
+        case "TASK_RUN_UNCAUGHT_EXCEPTION":
         case "TASK_PROCESS_EXITED_WITH_NON_ZERO_CODE":
         case "TASK_PROCESS_SIGTERM":
+        case "TASK_PROCESS_SIGSEGV":
           return true;
 
         default:
@@ -356,6 +426,8 @@ export function shouldLookupRetrySettings(error: TaskRunError): boolean {
         case "TASK_PROCESS_EXITED_WITH_NON_ZERO_CODE":
         case "TASK_PROCESS_SIGTERM":
         case "TASK_PROCESS_SIGSEGV":
+        case "TASK_RUN_UNCAUGHT_EXCEPTION":
+        case "TASK_MIDDLEWARE_ERROR":
           return true;
 
         default:
@@ -508,6 +580,39 @@ export class TaskIndexingImportError extends Error {
   }
 }
 
+export type TaskIdCollision = { id: string; filePaths: string[] };
+
+function formatDuplicateTaskIds(collisions: TaskIdCollision[]): string {
+  const lines = collisions.map(({ id, filePaths }) => {
+    const distinct = Array.from(new Set(filePaths));
+
+    if (distinct.length === 1) {
+      return `  - "${id}" found more than once in ${distinct[0]}`;
+    }
+
+    const last = distinct[distinct.length - 1];
+    const head = distinct.slice(0, -1).join(", ");
+
+    return `  - "${id}" found in ${head} and ${last}`;
+  });
+
+  return [
+    "Duplicate task ids detected:",
+    "",
+    ...lines,
+    "",
+    "Task ids must be unique across your project (including scheduled tasks). Please rename one of them.",
+  ].join("\n");
+}
+
+export class DuplicateTaskIdsError extends Error {
+  constructor(public readonly collisions: TaskIdCollision[]) {
+    super(formatDuplicateTaskIds(collisions));
+
+    this.name = "DuplicateTaskIdsError";
+  }
+}
+
 export class UnexpectedExitError extends Error {
   constructor(
     public code: number,
@@ -560,6 +665,26 @@ export class GracefulExitTimeoutError extends Error {
   }
 }
 
+export class ChatChunkTooLargeError extends Error {
+  constructor(
+    public readonly chunkSize: number,
+    public readonly maxSize: number,
+    public readonly chunkType?: string
+  ) {
+    super(
+      `chat.agent chunk${chunkType ? ` of type "${chunkType}"` : ""} is ${chunkSize} bytes, ` +
+        `over the realtime stream's per-record cap of ${maxSize} bytes. ` +
+        `For oversized payloads (e.g. large tool outputs), write the value to your own store and ` +
+        `emit only an id/url through the chat stream — see https://trigger.dev/docs/ai-chat/patterns/large-payloads.`
+    );
+    this.name = "ChatChunkTooLargeError";
+  }
+}
+
+export function isChatChunkTooLargeError(error: unknown): error is ChatChunkTooLargeError {
+  return error instanceof Error && error.name === "ChatChunkTooLargeError";
+}
+
 export class MaxDurationExceededError extends Error {
   constructor(
     public readonly maxDurationInSeconds: number,
@@ -653,6 +778,18 @@ const prettyInternalErrors: Partial<
       href: links.docs.troubleshooting.stalledExecution,
     },
   },
+  // Link only — we deliberately do NOT set `message`, so the original
+  // error message (e.g. "read ECONNRESET") is preserved in the dashboard.
+  // Common cause: an EventEmitter (node-redis, pg, etc.) emitted "error"
+  // with no listener attached, which Node escalates to uncaughtException.
+  // The docs page explains how to attach .on("error") listeners and how
+  // unhandled rejections route through the same path.
+  TASK_RUN_UNCAUGHT_EXCEPTION: {
+    link: {
+      name: "Read our troubleshooting guide",
+      href: links.docs.troubleshooting.uncaughtException,
+    },
+  },
 };
 
 const getPrettyTaskRunError = (code: TaskRunInternalError["code"]): TaskRunInternalError => {
diff --git a/packages/core/src/v3/index.ts b/packages/core/src/v3/index.ts
index 2757363f4be..9052884bbd6 100644
--- a/packages/core/src/v3/index.ts
+++ b/packages/core/src/v3/index.ts
@@ -11,6 +11,7 @@ export * from "./runtime-api.js";
 export * from "./task-context-api.js";
 export * from "./trace-context-api.js";
 export * from "./apiClientManager-api.js";
+export * from "./sdkScope-api.js";
 export * from "./usage-api.js";
 export * from "./run-metadata-api.js";
 export * from "./wait-until-api.js";
@@ -21,6 +22,7 @@ export * from "./locals-api.js";
 export * from "./heartbeats-api.js";
 export * from "./realtime-streams-api.js";
 export * from "./input-streams-api.js";
+export * from "./session-streams-api.js";
 export * from "./waitpoints/index.js";
 export * from "./schemas/index.js";
 export { SemanticInternalAttributes } from "./semanticInternalAttributes.js";
@@ -80,6 +82,7 @@ export {
   getSchemaParseFn,
   type AnySchemaParseFn,
   type SchemaParseFn,
+  type inferSchemaOut,
   isSchemaZodEsque,
   isSchemaValibotEsque,
   isSchemaArkTypeEsque,
diff --git a/packages/core/src/v3/inputStreams/index.ts b/packages/core/src/v3/inputStreams/index.ts
index 4a871d6bfcc..0b3c7af063f 100644
--- a/packages/core/src/v3/inputStreams/index.ts
+++ b/packages/core/src/v3/inputStreams/index.ts
@@ -51,6 +51,18 @@ export class InputStreamsAPI implements InputStreamManager {
     return this.#getManager().lastSeqNum(streamId);
   }
 
+  public setLastSeqNum(streamId: string, seqNum: number): void {
+    this.#getManager().setLastSeqNum(streamId, seqNum);
+  }
+
+  public shiftBuffer(streamId: string): boolean {
+    return this.#getManager().shiftBuffer(streamId);
+  }
+
+  public disconnectStream(streamId: string): void {
+    this.#getManager().disconnectStream(streamId);
+  }
+
   public clearHandlers(): void {
     this.#getManager().clearHandlers();
   }
diff --git a/packages/core/src/v3/inputStreams/manager.ts b/packages/core/src/v3/inputStreams/manager.ts
index f393f4a169a..51424df39f7 100644
--- a/packages/core/src/v3/inputStreams/manager.ts
+++ b/packages/core/src/v3/inputStreams/manager.ts
@@ -6,6 +6,7 @@ import {
   InputStreamTimeoutError,
 } from "./types.js";
 import { InputStreamOnceOptions } from "../realtimeStreams/types.js";
+import { computeReconnectDelayMs } from "../utils/reconnectBackoff.js";
 
 type InputStreamHandler = (data: unknown) => void | Promise<void>;
 
@@ -13,6 +14,13 @@ type OnceWaiter = {
   resolve: (result: InputStreamOnceResult<unknown>) => void;
   reject: (error: Error) => void;
   timeoutHandle?: ReturnType<typeof setTimeout>;
+  // The abort signal and its handler are tracked on the waiter so any
+  // resolution path (dispatch / timeout / explicit removal) can detach
+  // the listener. Without this, a long-lived `AbortSignal` reused across
+  // many `once()` calls accumulates listeners — `{ once: true }` only
+  // self-clears if the signal actually aborts.
+  signal?: AbortSignal;
+  abortHandler?: () => void;
 };
 
 
@@ -29,6 +37,19 @@ export class StandardInputStreamManager implements InputStreamManager {
   private seqNums = new Map<string, number>();
   private currentRunId: string | null = null;
   private streamsVersion: string | undefined;
+  // Reconnect attempt counter per streamId. Drives the exponential
+  // backoff applied by `#ensureStreamTailConnected`'s `.finally` so a
+  // persistent backend failure (auth rejection, 5xx, DNS, etc.) doesn't
+  // reconnect in a tight loop. Reset to 0 by `#dispatch` whenever a
+  // record flows through.
+  private reconnectAttempts = new Map<string, number>();
+  // Stream IDs that were explicitly torn down by `disconnectStream`. The
+  // tail's `.finally` reconnect path consults this set so a deliberate
+  // teardown isn't immediately undone by the auto-reconnect when
+  // handlers or once-waiters are still registered. Cleared on the next
+  // explicit `on()` / `once()` (those are the only legitimate reasons to
+  // bring the tail back up).
+  private explicitlyDisconnected = new Set<string>();
 
   constructor(
     private apiClient: ApiClient,
@@ -40,6 +61,26 @@ export class StandardInputStreamManager implements InputStreamManager {
     return this.seqNums.get(streamId);
   }
 
+  setLastSeqNum(streamId: string, seqNum: number): void {
+    const current = this.seqNums.get(streamId);
+    // Only advance forward, never backward
+    if (current === undefined || seqNum > current) {
+      this.seqNums.set(streamId, seqNum);
+    }
+  }
+
+  shiftBuffer(streamId: string): boolean {
+    const buffered = this.buffer.get(streamId);
+    if (buffered && buffered.length > 0) {
+      buffered.shift();
+      if (buffered.length === 0) {
+        this.buffer.delete(streamId);
+      }
+      return true;
+    }
+    return false;
+  }
+
   setRunId(runId: string, streamsVersion?: string): void {
     this.currentRunId = runId;
     this.streamsVersion = streamsVersion;
@@ -48,6 +89,10 @@ export class StandardInputStreamManager implements InputStreamManager {
   on(streamId: string, handler: InputStreamHandler): { off: () => void } {
     this.#requireV2Streams();
 
+    // A fresh attach is a legitimate reason to bring the tail back up;
+    // clear any prior explicit-disconnect flag.
+    this.explicitlyDisconnected.delete(streamId);
+
     let handlerSet = this.handlers.get(streamId);
     if (!handlerSet) {
       handlerSet = new Set();
@@ -80,6 +125,10 @@ export class StandardInputStreamManager implements InputStreamManager {
   once(streamId: string, options?: InputStreamOnceOptions): InputStreamOncePromise<unknown> {
     this.#requireV2Streams();
 
+    // A fresh waiter is a legitimate reason to bring the tail back up;
+    // clear any prior explicit-disconnect flag.
+    this.explicitlyDisconnected.delete(streamId);
+
     // Lazily connect a tail for this stream
     this.#ensureStreamTailConnected(streamId);
 
@@ -104,17 +153,16 @@ export class StandardInputStreamManager implements InputStreamManager {
           reject(new Error("Aborted"));
           return;
         }
-        options.signal.addEventListener(
-          "abort",
-          () => {
-            if (waiter.timeoutHandle) {
-              clearTimeout(waiter.timeoutHandle);
-            }
-            this.#removeOnceWaiter(streamId, waiter);
-            reject(new Error("Aborted"));
-          },
-          { once: true }
-        );
+        const abortHandler = () => {
+          if (waiter.timeoutHandle) {
+            clearTimeout(waiter.timeoutHandle);
+          }
+          this.#removeOnceWaiter(streamId, waiter);
+          reject(new Error("Aborted"));
+        };
+        waiter.signal = options.signal;
+        waiter.abortHandler = abortHandler;
+        options.signal.addEventListener("abort", abortHandler, { once: true });
       }
 
       // Handle timeout — resolve with error result instead of rejecting
@@ -158,10 +206,40 @@ export class StandardInputStreamManager implements InputStreamManager {
     }
   }
 
+  disconnectStream(streamId: string): void {
+    // Mark as explicitly disconnected BEFORE we abort, so the tail's
+    // `.finally` reconnect path sees the flag when it runs (which can be
+    // synchronous in the AbortError catch). Without this, an in-flight
+    // `.on(...)` or pending `.once()` would immediately resurrect the
+    // tail and negate the disconnect — defeating the
+    // "drop-the-duplicate before .wait() suspends" contract. Cleared on
+    // the next explicit `on()` / `once()`.
+    this.explicitlyDisconnected.add(streamId);
+    const tail = this.tails.get(streamId);
+    if (tail) {
+      tail.abortController.abort();
+      this.tails.delete(streamId);
+    }
+    this.buffer.delete(streamId);
+    // Reset the backoff counter so a future re-attach starts fresh —
+    // an explicit disconnect is a deliberate teardown, not evidence of
+    // a broken backend.
+    this.reconnectAttempts.delete(streamId);
+  }
+
   connectTail(runId: string, _fromSeq?: number): void {
     // No-op: tails are now created per-stream lazily
   }
 
+  /**
+   * Tear down all active tails. Does NOT clear handlers or `onceWaiters`,
+   * so any registered listener will trigger an auto-reconnect (with
+   * backoff) the moment it sees no live tail — by design, so a transient
+   * network blip recovers without the caller re-subscribing. Use
+   * `reset()` if you want a full clean state with no resurrection, or
+   * `disconnectStream(streamId)` for a single stream that should stay
+   * down until a fresh `on()` / `once()` attaches.
+   */
   disconnect(): void {
     for (const [, tail] of this.tails) {
       tail.abortController.abort();
@@ -175,6 +253,8 @@ export class StandardInputStreamManager implements InputStreamManager {
     this.streamsVersion = undefined;
     this.seqNums.clear();
     this.handlers.clear();
+    this.reconnectAttempts.clear();
+    this.explicitlyDisconnected.clear();
 
     // Reject all pending once waiters
     for (const [, waiters] of this.onceWaiters) {
@@ -182,6 +262,9 @@ export class StandardInputStreamManager implements InputStreamManager {
         if (waiter.timeoutHandle) {
           clearTimeout(waiter.timeoutHandle);
         }
+        if (waiter.signal && waiter.abortHandler) {
+          waiter.signal.removeEventListener("abort", waiter.abortHandler);
+        }
         waiter.reject(new Error("Input stream manager reset"));
       }
     }
@@ -209,13 +292,37 @@ export class StandardInputStreamManager implements InputStreamManager {
         .finally(() => {
           this.tails.delete(streamId);
 
-          // Auto-reconnect if there are still active handlers or waiters
+          // If the tail was torn down explicitly via `disconnectStream`,
+          // don't auto-reconnect — that's the whole point of the
+          // disconnect call. The next `on()` / `once()` clears the flag.
+          if (this.explicitlyDisconnected.has(streamId)) {
+            return;
+          }
+
+          // Auto-reconnect with exponential backoff if there are still
+          // active handlers or waiters. Without backoff a persistent
+          // failure (auth rejected, 5xx, DNS) would reconnect in a tight
+          // loop because `#runTail`'s error path only logs. `#dispatch`
+          // resets the counter on every successful record.
           const hasHandlers =
             this.handlers.has(streamId) && this.handlers.get(streamId)!.size > 0;
           const hasWaiters =
             this.onceWaiters.has(streamId) && this.onceWaiters.get(streamId)!.length > 0;
           if (hasHandlers || hasWaiters) {
-            this.#ensureStreamTailConnected(streamId);
+            const attempt = this.reconnectAttempts.get(streamId) ?? 0;
+            this.reconnectAttempts.set(streamId, attempt + 1);
+            const delayMs = computeReconnectDelayMs(attempt);
+            setTimeout(() => {
+              if (this.explicitlyDisconnected.has(streamId)) return;
+              if (this.tails.has(streamId)) return;
+              const stillHasHandlers =
+                this.handlers.has(streamId) && this.handlers.get(streamId)!.size > 0;
+              const stillHasWaiters =
+                this.onceWaiters.has(streamId) &&
+                this.onceWaiters.get(streamId)!.length > 0;
+              if (!stillHasHandlers && !stillHasWaiters) return;
+              this.#ensureStreamTailConnected(streamId);
+            }, delayMs);
           }
         });
       this.tails.set(streamId, { abortController, promise });
@@ -281,6 +388,10 @@ export class StandardInputStreamManager implements InputStreamManager {
   }
 
   #dispatch(streamId: string, data: unknown): void {
+    // Any record flowing through = healthy connection; reset the backoff
+    // counter so the next disconnect starts fresh.
+    this.reconnectAttempts.delete(streamId);
+
     // First try to resolve a once waiter
     const waiters = this.onceWaiters.get(streamId);
     if (waiters && waiters.length > 0) {
@@ -291,6 +402,9 @@ export class StandardInputStreamManager implements InputStreamManager {
       if (waiter.timeoutHandle) {
         clearTimeout(waiter.timeoutHandle);
       }
+      if (waiter.signal && waiter.abortHandler) {
+        waiter.signal.removeEventListener("abort", waiter.abortHandler);
+      }
       waiter.resolve({ ok: true, output: data });
       // Also invoke persistent handlers
       this.#invokeHandlers(streamId, data);
@@ -340,6 +454,13 @@ export class StandardInputStreamManager implements InputStreamManager {
   }
 
   #removeOnceWaiter(streamId: string, waiter: OnceWaiter): void {
+    // Centralized cleanup — both timeout and explicit abort paths funnel
+    // through here, so detach the abort listener once instead of at every
+    // callsite. The dispatch path doesn't go through this method (the
+    // waiter is shifted off inline), so it detaches the listener there.
+    if (waiter.signal && waiter.abortHandler) {
+      waiter.signal.removeEventListener("abort", waiter.abortHandler);
+    }
     const waiters = this.onceWaiters.get(streamId);
     if (!waiters) return;
     const index = waiters.indexOf(waiter);
diff --git a/packages/core/src/v3/inputStreams/noopManager.ts b/packages/core/src/v3/inputStreams/noopManager.ts
index 6d72d9e2f76..612da832d7e 100644
--- a/packages/core/src/v3/inputStreams/noopManager.ts
+++ b/packages/core/src/v3/inputStreams/noopManager.ts
@@ -22,6 +22,12 @@ export class NoopInputStreamManager implements InputStreamManager {
     return undefined;
   }
 
+  setLastSeqNum(_streamId: string, _seqNum: number): void {}
+
+  shiftBuffer(_streamId: string): boolean { return false; }
+
+  disconnectStream(_streamId: string): void {}
+
   clearHandlers(): void {}
   reset(): void {}
   disconnect(): void {}
diff --git a/packages/core/src/v3/inputStreams/types.ts b/packages/core/src/v3/inputStreams/types.ts
index 0816c06493f..c456bb61216 100644
--- a/packages/core/src/v3/inputStreams/types.ts
+++ b/packages/core/src/v3/inputStreams/types.ts
@@ -70,6 +70,28 @@ export interface InputStreamManager {
    */
   lastSeqNum(streamId: string): number | undefined;
 
+  /**
+   * Advance the last-seen S2 sequence number for the given input stream.
+   * Used after `.wait()` resumes to prevent the SSE tail from replaying
+   * the record that was consumed via the waitpoint path.
+   */
+  setLastSeqNum(streamId: string, seqNum: number): void;
+
+  /**
+   * Remove and discard the first buffered item for the given input stream.
+   * Used after `.wait()` resumes to remove the duplicate that the SSE tail
+   * buffered while the waitpoint was being completed via a separate path.
+   * Returns true if an item was removed, false if the buffer was empty.
+   */
+  shiftBuffer(streamId: string): boolean;
+
+  /**
+   * Disconnect the SSE tail and clear the buffer for a specific input stream.
+   * Used before suspending via `.wait()` so the tail doesn't buffer duplicates
+   * of data that will be delivered through the waitpoint path.
+   */
+  disconnectStream(streamId: string): void;
+
   /**
    * Clear all persistent `.on()` handlers and abort tails that have no remaining once waiters.
    * Called automatically when a task run completes.
diff --git a/packages/core/src/v3/isomorphic/friendlyId.ts b/packages/core/src/v3/isomorphic/friendlyId.ts
index a230f8c7450..66575c7c178 100644
--- a/packages/core/src/v3/isomorphic/friendlyId.ts
+++ b/packages/core/src/v3/isomorphic/friendlyId.ts
@@ -97,6 +97,7 @@ export const BatchId = new IdUtil("batch");
 export const BulkActionId = new IdUtil("bulk");
 export const AttemptId = new IdUtil("attempt");
 export const ErrorId = new IdUtil("error");
+export const SessionId = new IdUtil("session");
 
 export class IdGenerator {
   private alphabet: string;
diff --git a/packages/core/src/v3/links.ts b/packages/core/src/v3/links.ts
index d04284e73fe..739f9dd28f7 100644
--- a/packages/core/src/v3/links.ts
+++ b/packages/core/src/v3/links.ts
@@ -15,6 +15,7 @@ export const links = {
     troubleshooting: {
       concurrentWaits: "https://trigger.dev/docs/troubleshooting#parallel-waits-are-not-supported",
       stalledExecution: "https://trigger.dev/docs/troubleshooting#task-run-stalled-executing",
+      uncaughtException: "https://trigger.dev/docs/troubleshooting#uncaught-exceptions",
     },
     concurrency: {
       recursiveDeadlock:
diff --git a/packages/core/src/v3/locals/manager.ts b/packages/core/src/v3/locals/manager.ts
index 6984d9f4146..3cd0f80d84a 100644
--- a/packages/core/src/v3/locals/manager.ts
+++ b/packages/core/src/v3/locals/manager.ts
@@ -5,7 +5,7 @@ export class NoopLocalsManager implements LocalsManager {
     return {
       __type: Symbol(),
       id,
-    } as unknown as LocalsKey<T>;
+    };
   }
 
   getLocal<T>(key: LocalsKey<T>): T | undefined {
@@ -23,7 +23,7 @@ export class StandardLocalsManager implements LocalsManager {
     return {
       __type: key,
       id,
-    } as unknown as LocalsKey<T>;
+    };
   }
 
   getLocal<T>(key: LocalsKey<T>): T | undefined {
diff --git a/packages/core/src/v3/locals/types.ts b/packages/core/src/v3/locals/types.ts
index aab683df091..84abc4c70f5 100644
--- a/packages/core/src/v3/locals/types.ts
+++ b/packages/core/src/v3/locals/types.ts
@@ -1,10 +1,22 @@
-declare const __local: unique symbol;
-type BrandLocal<T> = { [__local]: T };
-
-// Create a type-safe store for your locals
-export type LocalsKey<T> = BrandLocal<T> & {
+/**
+ * A type-safe key for `locals`. Carries the value type `T` as a phantom
+ * marker on the optional `__valueType` field so two keys with different
+ * value types are distinguishable at the type level.
+ *
+ * The phantom field is intentionally not anchored to a `unique symbol`:
+ * dual-package builds (`tshy`) emit separate `.d.ts` files for ESM and
+ * CJS outputs, and each `unique symbol` declaration in a `.d.ts` is its
+ * own nominal type. If a single compilation ever resolves `LocalsKey`
+ * from both the ESM and CJS paths — which happens under certain pnpm
+ * hoisting layouts — `unique symbol` brands produce structurally
+ * incompatible variants of the same type. A plain string brand avoids
+ * the hazard.
+ */
+export type LocalsKey<T> = {
   readonly id: string;
-  readonly __type: unique symbol;
+  readonly __type: symbol;
+  /** Phantom carrier for the value type — never read at runtime. */
+  readonly __valueType?: T;
 };
 
 export interface LocalsManager {
diff --git a/packages/core/src/v3/otel/tracingSDK.ts b/packages/core/src/v3/otel/tracingSDK.ts
index a301946c755..f03bd2fc3a6 100644
--- a/packages/core/src/v3/otel/tracingSDK.ts
+++ b/packages/core/src/v3/otel/tracingSDK.ts
@@ -171,13 +171,12 @@ export class TracingSDK {
     );
 
     const externalTraceId = idGenerator.generateTraceId();
-    const externalTraceContext = traceContext.getExternalTraceContext();
 
     for (const exporter of config.exporters ?? []) {
       spanProcessors.push(
         getEnvVar("TRIGGER_OTEL_BATCH_PROCESSING_ENABLED") === "1"
           ? new BatchSpanProcessor(
-              new ExternalSpanExporterWrapper(exporter, externalTraceId, externalTraceContext),
+              new ExternalSpanExporterWrapper(exporter, externalTraceId),
               {
                 maxExportBatchSize: parseInt(
                   getEnvVar("TRIGGER_OTEL_SPAN_MAX_EXPORT_BATCH_SIZE") ?? "64"
@@ -192,7 +191,7 @@ export class TracingSDK {
               }
             )
           : new SimpleSpanProcessor(
-              new ExternalSpanExporterWrapper(exporter, externalTraceId, externalTraceContext)
+              new ExternalSpanExporterWrapper(exporter, externalTraceId)
             )
       );
     }
@@ -245,11 +244,7 @@ export class TracingSDK {
       logProcessors.push(
         getEnvVar("TRIGGER_OTEL_BATCH_PROCESSING_ENABLED") === "1"
           ? new BatchLogRecordProcessor(
-              new ExternalLogRecordExporterWrapper(
-                externalLogExporter,
-                externalTraceId,
-                externalTraceContext
-              ),
+              new ExternalLogRecordExporterWrapper(externalLogExporter, externalTraceId),
               {
                 maxExportBatchSize: parseInt(
                   getEnvVar("TRIGGER_OTEL_LOG_MAX_EXPORT_BATCH_SIZE") ?? "64"
@@ -264,11 +259,7 @@ export class TracingSDK {
               }
             )
           : new SimpleLogRecordProcessor(
-              new ExternalLogRecordExporterWrapper(
-                externalLogExporter,
-                externalTraceId,
-                externalTraceContext
-              )
+              new ExternalLogRecordExporterWrapper(externalLogExporter, externalTraceId)
             )
       );
     }
@@ -417,23 +408,23 @@ function setLogLevel(level: TracingDiagnosticLogLevel) {
   diag.setLogger(new DiagConsoleLogger(), diagLogLevel);
 }
 
-class ExternalSpanExporterWrapper {
-  private readonly _isExternallySampled: boolean;
-
+export class ExternalSpanExporterWrapper {
   constructor(
     private underlyingExporter: SpanExporter,
-    private externalTraceId: string,
-    private externalTraceContext:
-      | { traceId: string; spanId: string; traceFlags: number; tracestate?: string }
-      | undefined
-  ) {
-    this._isExternallySampled = externalTraceContext
-      ? isTraceFlagSampled(externalTraceContext.traceFlags)
-      : !!externalTraceId;
-  }
+    private externalTraceId: string
+  ) {}
 
   private transformSpan(span: ReadableSpan): ReadableSpan | undefined {
-    if (!this._isExternallySampled) {
+    // Read external context live, so per-run reassignment of
+    // standardTraceContextManager.traceContext is honoured on warm-started
+    // workers that reuse a single TracingSDK across runs.
+    const externalTraceContext = traceContext.getExternalTraceContext();
+
+    const isExternallySampled = externalTraceContext
+      ? isTraceFlagSampled(externalTraceContext.traceFlags)
+      : !!this.externalTraceId;
+
+    if (!isExternallySampled) {
       return;
     }
 
@@ -441,8 +432,8 @@ class ExternalSpanExporterWrapper {
       return;
     }
 
-    const externalTraceId = this.externalTraceContext
-      ? this.externalTraceContext.traceId
+    const externalTraceId = externalTraceContext
+      ? externalTraceContext.traceId
       : this.externalTraceId;
 
     const isAttemptSpan = span.attributes[SemanticInternalAttributes.SPAN_ATTEMPT];
@@ -457,15 +448,15 @@ class ExternalSpanExporterWrapper {
       };
     }
 
-    if (isAttemptSpan && this.externalTraceContext) {
+    if (isAttemptSpan && externalTraceContext) {
       parentSpanContext = {
         ...parentSpanContext,
         traceId: externalTraceId,
-        spanId: this.externalTraceContext.spanId,
-        traceState: this.externalTraceContext.tracestate
-          ? new TraceState(this.externalTraceContext.tracestate)
+        spanId: externalTraceContext.spanId,
+        traceState: externalTraceContext.tracestate
+          ? new TraceState(externalTraceContext.tracestate)
           : undefined,
-        traceFlags: this.externalTraceContext.traceFlags,
+        traceFlags: externalTraceContext.traceFlags,
       };
     } else if (isAttemptSpan) {
       parentSpanContext = undefined;
@@ -502,28 +493,27 @@ class ExternalSpanExporterWrapper {
 }
 
 class ExternalLogRecordExporterWrapper {
-  private readonly _isExternallySampled: boolean;
-
   constructor(
     private underlyingExporter: LogRecordExporter,
-    private externalTraceId: string,
-    private externalTraceContext:
-      | { traceId: string; spanId: string; tracestate?: string; traceFlags: number }
-      | undefined
-  ) {
-    this._isExternallySampled = externalTraceContext
-      ? isTraceFlagSampled(externalTraceContext.traceFlags)
-      : !!externalTraceId;
-  }
+    private externalTraceId: string
+  ) {}
 
   export(logs: any[], resultCallback: (result: any) => void): void {
-    if (!this._isExternallySampled) {
+    const externalTraceContext = traceContext.getExternalTraceContext();
+
+    const isExternallySampled = externalTraceContext
+      ? isTraceFlagSampled(externalTraceContext.traceFlags)
+      : !!this.externalTraceId;
+
+    if (!isExternallySampled) {
       this.underlyingExporter.export([], resultCallback);
 
       return;
     }
 
-    const modifiedLogs = logs.map(this.transformLogRecord.bind(this));
+    const modifiedLogs = logs.map((log) =>
+      this.transformLogRecord(log, externalTraceContext)
+    );
 
     this.underlyingExporter.export(modifiedLogs, resultCallback);
   }
@@ -532,11 +522,26 @@ class ExternalLogRecordExporterWrapper {
     return this.underlyingExporter.shutdown();
   }
 
-  transformLogRecord(logRecord: ReadableLogRecord): ReadableLogRecord {
+  forceFlush(): Promise<void> {
+    const underlyingExporter = this.underlyingExporter as LogRecordExporter & {
+      forceFlush?: () => Promise<void>;
+    };
+
+    return underlyingExporter.forceFlush
+      ? underlyingExporter.forceFlush()
+      : Promise.resolve();
+  }
+
+  transformLogRecord(
+    logRecord: ReadableLogRecord,
+    externalTraceContext:
+      | { traceId: string; spanId: string; tracestate?: string; traceFlags: number }
+      | undefined
+  ): ReadableLogRecord {
     // Capture externalTraceId for use within the proxy's scope.
     // Use externalTraceContext.traceId if available, otherwise fall back to generated externalTraceId
-    const externalTraceId = this.externalTraceContext
-      ? this.externalTraceContext.traceId
+    const externalTraceId = externalTraceContext
+      ? externalTraceContext.traceId
       : this.externalTraceId;
 
     // If there's no spanContext, or if the externalTraceId is not set, return the original logRecord.
diff --git a/packages/core/src/v3/otel/utils.ts b/packages/core/src/v3/otel/utils.ts
index 8ce83549e7a..7c9e83068cb 100644
--- a/packages/core/src/v3/otel/utils.ts
+++ b/packages/core/src/v3/otel/utils.ts
@@ -1,22 +1,47 @@
 import { type Span, SpanStatusCode, context, propagation } from "@opentelemetry/api";
+import { truncateStack, truncateMessage } from "../errors.js";
+
+const MAX_GENERIC_LENGTH = 5_000;
+
+function truncateGeneric(value: string): string {
+  return value.length > MAX_GENERIC_LENGTH
+    ? value.slice(0, MAX_GENERIC_LENGTH) + "...[truncated]"
+    : value;
+}
+
+function serializeFallback(error: unknown): string {
+  // JSON.stringify can throw (circular refs, BigInt) or return undefined
+  // (symbol, undefined, function). Fall back to String() in both cases so we
+  // never mask the original error being recorded.
+  try {
+    const json = JSON.stringify(error);
+    if (json != null) return json;
+  } catch {
+    // fall through
+  }
+  try {
+    return String(error);
+  } catch {
+    return "[unserializable error]";
+  }
+}
 
 export function recordSpanException(span: Span, error: unknown) {
   if (error instanceof Error) {
     span.recordException(sanitizeSpanError(error));
   } else if (typeof error === "string") {
-    span.recordException(error.replace(/\0/g, ""));
+    span.recordException(truncateGeneric(error.replace(/\0/g, "")));
   } else {
-    span.recordException(JSON.stringify(error).replace(/\0/g, ""));
+    span.recordException(truncateGeneric(serializeFallback(error).replace(/\0/g, "")));
   }
 
   span.setStatus({ code: SpanStatusCode.ERROR });
 }
 
 function sanitizeSpanError(error: Error) {
-  // Create a new error object with the same name, message and stack trace
-  const sanitizedError = new Error(error.message.replace(/\0/g, ""));
+  const sanitizedError = new Error(truncateMessage(error.message.replace(/\0/g, "")));
   sanitizedError.name = error.name.replace(/\0/g, "");
-  sanitizedError.stack = error.stack?.replace(/\0/g, "");
+  sanitizedError.stack = truncateStack(error.stack?.replace(/\0/g, "")) || undefined;
 
   return sanitizedError;
 }
diff --git a/packages/core/src/v3/realtime-streams-api.ts b/packages/core/src/v3/realtime-streams-api.ts
index 0bc0665c052..728399bea6e 100644
--- a/packages/core/src/v3/realtime-streams-api.ts
+++ b/packages/core/src/v3/realtime-streams-api.ts
@@ -5,3 +5,14 @@ import { RealtimeStreamsAPI } from "./realtimeStreams/index.js";
 export const realtimeStreams = RealtimeStreamsAPI.getInstance();
 
 export * from "./realtimeStreams/types.js";
+export { SessionStreamInstance } from "./realtimeStreams/sessionStreamInstance.js";
+export type {
+  SessionStreamInstanceOptions,
+  InitializeSessionStreamResponseLike,
+} from "./realtimeStreams/sessionStreamInstance.js";
+export {
+  trimSessionStream,
+  writeSessionControlRecord,
+  writeTurnCompleteRecord,
+  writeUpgradeRequiredRecord,
+} from "./realtimeStreams/sessionStreamOneshot.js";
diff --git a/packages/core/src/v3/realtimeStreams/index.ts b/packages/core/src/v3/realtimeStreams/index.ts
index 2a35b38befd..71854888ee5 100644
--- a/packages/core/src/v3/realtimeStreams/index.ts
+++ b/packages/core/src/v3/realtimeStreams/index.ts
@@ -6,6 +6,21 @@ import {
   RealtimeStreamsManager,
 } from "./types.js";
 
+// Re-export the session-scoped stream instance so the SDK's
+// `SessionOutputChannel.pipe` / `.writer` can construct it without reaching
+// into the core package's internals.
+export { SessionStreamInstance } from "./sessionStreamInstance.js";
+export type {
+  SessionStreamInstanceOptions,
+  InitializeSessionStreamResponseLike,
+} from "./sessionStreamInstance.js";
+export {
+  trimSessionStream,
+  writeSessionControlRecord,
+  writeTurnCompleteRecord,
+  writeUpgradeRequiredRecord,
+} from "./sessionStreamOneshot.js";
+
 const API_NAME = "realtime-streams";
 
 const NOOP_MANAGER = new NoopRealtimeStreamsManager();
diff --git a/packages/core/src/v3/realtimeStreams/manager.test.ts b/packages/core/src/v3/realtimeStreams/manager.test.ts
new file mode 100644
index 00000000000..179754bc752
--- /dev/null
+++ b/packages/core/src/v3/realtimeStreams/manager.test.ts
@@ -0,0 +1,147 @@
+import { describe, expect, it, vi } from "vitest";
+import type { ApiClient } from "../apiClient/index.js";
+import { StandardRealtimeStreamsManager } from "./manager.js";
+
+// The cache lives on a private method to keep `pipe()` callers from having
+// to thread cache concerns. Tests exercise it via bracket-notation to keep
+// the assertions tight on cache contracts and avoid spinning up real
+// `StreamsWriterV1`/`StreamsWriterV2` infrastructure (HTTP requests, S2
+// connections) for what is purely an in-memory dedup check.
+type GetCached = (
+  runId: string,
+  key: string,
+  requestOptions?: undefined
+) => Promise<{ version: string; headers?: Record<string, string> }>;
+
+function getCached(manager: StandardRealtimeStreamsManager, runId: string, key: string) {
+  return (manager as unknown as { getCachedCreateStream: GetCached }).getCachedCreateStream(
+    runId,
+    key
+  );
+}
+
+function makeApiClient(impl: () => Promise<{ version: string; headers?: Record<string, string> }>) {
+  const spy = vi.fn(impl);
+  const client = { createStream: spy } as unknown as ApiClient;
+  return { client, spy };
+}
+
+describe("StandardRealtimeStreamsManager createStream cache", () => {
+  it("dedupes repeated calls for the same (runId, key)", async () => {
+    const { client, spy } = makeApiClient(async () => ({ version: "v1", headers: {} }));
+    const manager = new StandardRealtimeStreamsManager(client, "http://localhost");
+
+    const p1 = getCached(manager, "run-1", "chat");
+    const p2 = getCached(manager, "run-1", "chat");
+
+    expect(p1).toBe(p2);
+    expect(spy).toHaveBeenCalledTimes(1);
+    await Promise.all([p1, p2]);
+    expect(spy).toHaveBeenCalledTimes(1);
+  });
+
+  it("issues a separate PUT for each distinct stream key on the same run", async () => {
+    const { client, spy } = makeApiClient(async () => ({ version: "v1", headers: {} }));
+    const manager = new StandardRealtimeStreamsManager(client, "http://localhost");
+
+    await Promise.all([
+      getCached(manager, "run-1", "chat"),
+      getCached(manager, "run-1", "tool-output"),
+    ]);
+
+    expect(spy).toHaveBeenCalledTimes(2);
+    expect(spy).toHaveBeenNthCalledWith(1, "run-1", "self", "chat", undefined);
+    expect(spy).toHaveBeenNthCalledWith(2, "run-1", "self", "tool-output", undefined);
+  });
+
+  it("issues a separate PUT for each distinct run, even with the same key", async () => {
+    const { client, spy } = makeApiClient(async () => ({ version: "v1", headers: {} }));
+    const manager = new StandardRealtimeStreamsManager(client, "http://localhost");
+
+    await Promise.all([
+      getCached(manager, "run-1", "chat"),
+      getCached(manager, "run-2", "chat"),
+    ]);
+
+    expect(spy).toHaveBeenCalledTimes(2);
+  });
+
+  it("evicts on failure so the next call retries instead of returning a poisoned entry", async () => {
+    const spy = vi
+      .fn()
+      .mockRejectedValueOnce(new Error("boom"))
+      .mockResolvedValueOnce({ version: "v1", headers: {} });
+    const client = { createStream: spy } as unknown as ApiClient;
+    const manager = new StandardRealtimeStreamsManager(client, "http://localhost");
+
+    await expect(getCached(manager, "run-1", "chat")).rejects.toThrow("boom");
+
+    const retried = await getCached(manager, "run-1", "chat");
+
+    expect(retried).toEqual({ version: "v1", headers: {} });
+    expect(spy).toHaveBeenCalledTimes(2);
+  });
+
+  it("reset() clears cached entries so the next call re-PUTs", async () => {
+    const { client, spy } = makeApiClient(async () => ({ version: "v1", headers: {} }));
+    const manager = new StandardRealtimeStreamsManager(client, "http://localhost");
+
+    await getCached(manager, "run-1", "chat");
+    expect(spy).toHaveBeenCalledTimes(1);
+
+    manager.reset();
+
+    await getCached(manager, "run-1", "chat");
+    expect(spy).toHaveBeenCalledTimes(2);
+  });
+
+  it("evictCreateStreamIfStale clears the matching entry so the next call re-PUTs", async () => {
+    const { client, spy } = makeApiClient(async () => ({ version: "v1", headers: {} }));
+    const manager = new StandardRealtimeStreamsManager(client, "http://localhost");
+
+    // Prime the cache and capture which promise was stored.
+    const cachedPromise = getCached(manager, "run-1", "chat");
+    await cachedPromise;
+    expect(spy).toHaveBeenCalledTimes(1);
+
+    // Simulate the reactive invalidation path that `pipe()` runs when a
+    // writer's `wait()` rejects.
+    (
+      manager as unknown as {
+        evictCreateStreamIfStale: (
+          runId: string,
+          key: string,
+          expected: Promise<unknown>
+        ) => void;
+      }
+    ).evictCreateStreamIfStale("run-1", "chat", cachedPromise);
+
+    await getCached(manager, "run-1", "chat");
+    expect(spy).toHaveBeenCalledTimes(2);
+  });
+
+  it("evictCreateStreamIfStale is a no-op when the cache holds a different promise", async () => {
+    const { client, spy } = makeApiClient(async () => ({ version: "v1", headers: {} }));
+    const manager = new StandardRealtimeStreamsManager(client, "http://localhost");
+
+    const original = getCached(manager, "run-1", "chat");
+    await original;
+
+    // A different promise (e.g. from a concurrent caller that already
+    // refreshed) shouldn't trigger eviction.
+    const stalePromise = Promise.resolve({ version: "v1", headers: {} });
+    (
+      manager as unknown as {
+        evictCreateStreamIfStale: (
+          runId: string,
+          key: string,
+          expected: Promise<unknown>
+        ) => void;
+      }
+    ).evictCreateStreamIfStale("run-1", "chat", stalePromise);
+
+    // Cache should still hold the original entry; next call is a hit.
+    await getCached(manager, "run-1", "chat");
+    expect(spy).toHaveBeenCalledTimes(1);
+  });
+});
diff --git a/packages/core/src/v3/realtimeStreams/manager.ts b/packages/core/src/v3/realtimeStreams/manager.ts
index 323735df106..f4d915acc3f 100644
--- a/packages/core/src/v3/realtimeStreams/manager.ts
+++ b/packages/core/src/v3/realtimeStreams/manager.ts
@@ -1,11 +1,13 @@
 import { ApiClient } from "../apiClient/index.js";
 import { ensureAsyncIterable, ensureReadableStream } from "../streams/asyncIterableStream.js";
+import { AnyZodFetchOptions } from "../zodfetch.js";
 import { taskContext } from "../task-context-api.js";
-import { StreamInstance } from "./streamInstance.js";
+import { CreateStreamResponseLike, StreamInstance } from "./streamInstance.js";
 import {
   RealtimeStreamInstance,
   RealtimeStreamOperationOptions,
   RealtimeStreamsManager,
+  StreamWriteResult,
 } from "./types.js";
 
 export class StandardRealtimeStreamsManager implements RealtimeStreamsManager {
@@ -16,12 +18,64 @@ export class StandardRealtimeStreamsManager implements RealtimeStreamsManager {
   ) {}
   // Track active streams - using a Set allows multiple streams for the same key to coexist
   private activeStreams = new Set<{
-    wait: () => Promise<void>;
+    wait: () => Promise<StreamWriteResult>;
     abortController: AbortController;
   }>();
 
+  // Cache of in-flight / resolved `createStream` responses, keyed by
+  // `${runId}:${key}`. S2 v2 access tokens are scoped to the org basin
+  // (default 1-day TTL server-side) so reusing them across repeated
+  // `pipe()` calls for the same `(runId, key)` is safe, and avoids the
+  // per-call PUT that pushes `streamId` onto `TaskRun.realtimeStreams`,
+  // which under chat-agent-style hot-loop writers caused row-lock
+  // contention on the writer DB.
+  private createStreamCache = new Map<string, Promise<CreateStreamResponseLike>>();
+
   reset(): void {
     this.activeStreams.clear();
+    this.createStreamCache.clear();
+  }
+
+  private getCachedCreateStream(
+    runId: string,
+    key: string,
+    requestOptions: AnyZodFetchOptions | undefined
+  ): Promise<CreateStreamResponseLike> {
+    const cacheKey = `${runId}:${key}`;
+    const cached = this.createStreamCache.get(cacheKey);
+    if (cached) {
+      return cached;
+    }
+
+    const promise = this.apiClient.createStream(runId, "self", key, requestOptions);
+    this.createStreamCache.set(cacheKey, promise);
+    // Evict on failure so the next call retries instead of returning a
+    // poisoned cache entry forever.
+    promise.catch((err) => {
+      if (this.createStreamCache.get(cacheKey) === promise) {
+        this.createStreamCache.delete(cacheKey);
+      }
+    });
+    return promise;
+  }
+
+  /**
+   * Reactive invalidation: a writer's `wait()` rejecting can mean the
+   * cached S2 credentials have gone stale (expired token, revoked
+   * access, basin retired), so evict the cached `createStream` response
+   * for `(runId, key)` and let the next `pipe()` re-PUT to mint fresh
+   * credentials. Compare by identity so a fresh promise installed by a
+   * concurrent caller isn't accidentally cleared.
+   */
+  private evictCreateStreamIfStale(
+    runId: string,
+    key: string,
+    expected: Promise<CreateStreamResponseLike>
+  ): void {
+    const cacheKey = `${runId}:${key}`;
+    if (this.createStreamCache.get(cacheKey) === expected) {
+      this.createStreamCache.delete(cacheKey);
+    }
   }
 
   public pipe<T>(
@@ -47,6 +101,15 @@ export class StandardRealtimeStreamsManager implements RealtimeStreamsManager {
       ? AbortSignal.any?.([options.signal, abortController.signal]) ?? abortController.signal
       : abortController.signal;
 
+    // Capture which cached promise this writer uses so reactive
+    // invalidation below evicts only if the cache still holds it (a
+    // concurrent caller may have already refreshed it).
+    const activeCreatePromise = this.getCachedCreateStream(
+      runId,
+      key,
+      options?.requestOptions
+    );
+
     const streamInstance = new StreamInstance({
       apiClient: this.apiClient,
       baseUrl: this.baseUrl,
@@ -57,14 +120,29 @@ export class StandardRealtimeStreamsManager implements RealtimeStreamsManager {
       requestOptions: options?.requestOptions,
       target: options?.target,
       debug: this.debug,
+      createStream: () => activeCreatePromise,
     });
 
     // Register this stream
     const streamInfo = { wait: () => streamInstance.wait(), abortController };
     this.activeStreams.add(streamInfo);
 
-    // Clean up when stream completes
-    streamInstance.wait().finally(() => this.activeStreams.delete(streamInfo));
+    // Single internal chain that handles activeStreams cleanup AND
+    // reactive invalidation. On rejection we evict the cached
+    // `createStream` entry so the next pipe() for the same `(runId, key)`
+    // re-PUTs and recovers (e.g. when a cached S2 access token expired
+    // mid-process). Customer awaiters still observe the rejection via
+    // the returned `wait()`; this chain just keeps the cleanup path
+    // from surfacing as unhandled.
+    streamInstance.wait().then(
+      () => {
+        this.activeStreams.delete(streamInfo);
+      },
+      (err) => {
+        this.evictCreateStreamIfStale(runId, key, activeCreatePromise);
+        this.activeStreams.delete(streamInfo);
+      }
+    );
 
     return {
       wait: () => streamInstance.wait(),
diff --git a/packages/core/src/v3/realtimeStreams/noopManager.ts b/packages/core/src/v3/realtimeStreams/noopManager.ts
index 542e66fd53a..881a82294e2 100644
--- a/packages/core/src/v3/realtimeStreams/noopManager.ts
+++ b/packages/core/src/v3/realtimeStreams/noopManager.ts
@@ -15,7 +15,7 @@ export class NoopRealtimeStreamsManager implements RealtimeStreamsManager {
     options?: RealtimeStreamOperationOptions
   ): RealtimeStreamInstance<T> {
     return {
-      wait: () => Promise.resolve(),
+      wait: () => Promise.resolve({}),
       get stream(): AsyncIterableStream<T> {
         return createAsyncIterableStreamFromAsyncIterable(source);
       },
diff --git a/packages/core/src/v3/realtimeStreams/sessionStreamInstance.ts b/packages/core/src/v3/realtimeStreams/sessionStreamInstance.ts
new file mode 100644
index 00000000000..73bec591d9e
--- /dev/null
+++ b/packages/core/src/v3/realtimeStreams/sessionStreamInstance.ts
@@ -0,0 +1,120 @@
+import { ApiClient } from "../apiClient/index.js";
+import { AsyncIterableStream } from "../streams/asyncIterableStream.js";
+import { AnyZodFetchOptions } from "../zodfetch.js";
+import { StreamsWriterV2 } from "./streamsWriterV2.js";
+import { StreamsWriter, StreamWriteResult } from "./types.js";
+
+export type InitializeSessionStreamResponseLike = {
+  headers?: Record<string, string>;
+};
+
+export type SessionStreamInstanceOptions<T> = {
+  apiClient: ApiClient;
+  baseUrl: string;
+  sessionId: string;
+  io: "out" | "in";
+  source: ReadableStream<T>;
+  signal?: AbortSignal;
+  requestOptions?: AnyZodFetchOptions;
+  debug?: boolean;
+  /**
+   * Optional override for the initialize-session-stream call. Defaults to
+   * `apiClient.initializeSessionStream(sessionId, io, requestOptions)`. The
+   * channel passes a cached version so repeated `pipe()` / `writer()`
+   * calls for the same `(sessionId, io)` share a single PUT instead of
+   * hammering the server on every chunk.
+   */
+  initializeSession?: () => Promise<InitializeSessionStreamResponseLike>;
+};
+
+/**
+ * Session-scoped parallel to {@link StreamInstance}. Calls
+ * `initializeSessionStream` to fetch S2 credentials for the session's
+ * channel, then pipes `source` directly to S2 via {@link StreamsWriterV2}.
+ *
+ * Sessions are S2-only — there's no v1 (Redis) fallback — so this
+ * skips the version-detection dance `StreamInstance` does.
+ */
+export class SessionStreamInstance<T> implements StreamsWriter {
+  private streamPromise: Promise<StreamsWriterV2<T>>;
+
+  constructor(private options: SessionStreamInstanceOptions<T>) {
+    this.streamPromise = this.initializeWriter();
+  }
+
+  private async initializeWriter(): Promise<StreamsWriterV2<T>> {
+    const initializeFn =
+      this.options.initializeSession ??
+      (() =>
+        this.options.apiClient.initializeSessionStream(
+          this.options.sessionId,
+          this.options.io,
+          this.options?.requestOptions
+        ));
+
+    const response = await initializeFn();
+
+    const headers = response.headers ?? {};
+    const accessToken = headers["x-s2-access-token"];
+    const basin = headers["x-s2-basin"];
+    const streamName = headers["x-s2-stream-name"];
+    const endpoint = headers["x-s2-endpoint"];
+    const flushIntervalMs = headers["x-s2-flush-interval-ms"]
+      ? parseInt(headers["x-s2-flush-interval-ms"])
+      : undefined;
+    const maxRetries = headers["x-s2-max-retries"]
+      ? parseInt(headers["x-s2-max-retries"])
+      : undefined;
+
+    if (!accessToken || !basin || !streamName) {
+      throw new Error(
+        "Session stream initialize did not return S2 credentials — server may be configured for v1 realtime streams, which sessions do not support."
+      );
+    }
+
+    return new StreamsWriterV2({
+      basin,
+      stream: streamName,
+      accessToken,
+      endpoint,
+      source: this.options.source,
+      signal: this.options.signal,
+      debug: this.options.debug,
+      flushIntervalMs,
+      maxRetries,
+    });
+  }
+
+  public async wait(): Promise<StreamWriteResult> {
+    const writer = await this.streamPromise;
+    return writer.wait();
+  }
+
+  public get stream(): AsyncIterableStream<T> {
+    const self = this;
+
+    return new ReadableStream<T>({
+      async start(controller) {
+        const streamWriter = await self.streamPromise;
+
+        const iterator = streamWriter[Symbol.asyncIterator]();
+
+        while (true) {
+          if (self.options.signal?.aborted) {
+            controller.close();
+            break;
+          }
+
+          const { done, value } = await iterator.next();
+
+          if (done) {
+            controller.close();
+            break;
+          }
+
+          controller.enqueue(value);
+        }
+      },
+    });
+  }
+}
diff --git a/packages/core/src/v3/realtimeStreams/sessionStreamOneshot.ts b/packages/core/src/v3/realtimeStreams/sessionStreamOneshot.ts
new file mode 100644
index 00000000000..9aa25fa82dd
--- /dev/null
+++ b/packages/core/src/v3/realtimeStreams/sessionStreamOneshot.ts
@@ -0,0 +1,136 @@
+import { AppendInput, AppendRecord, S2 } from "@s2-dev/streamstore";
+import type { ApiClient } from "../apiClient/index.js";
+import {
+  TRIGGER_CONTROL_HEADER,
+  TRIGGER_CONTROL_SUBTYPE,
+  type TriggerControlSubtype,
+} from "../sessionStreams/wireProtocol.js";
+import type { StreamWriteResult } from "./types.js";
+
+/**
+ * One-shot S2 writes against a Session channel. Used for Trigger control
+ * records (turn-complete, upgrade-required) and S2 command records (trim).
+ *
+ * These differ from the streaming writer (`SessionStreamInstance` /
+ * `StreamsWriterV2`) in two ways: they emit a single record per call, and
+ * they need precise control over the record's `headers` + `body` shape —
+ * which the streaming writer's JSON-envelope encoding doesn't expose.
+ *
+ * Each call fetches a fresh S2 access token via `initializeSessionStream`
+ * and opens a new client. Cheap enough at the rate these are emitted
+ * (~one of each per turn).
+ */
+
+type IO = "out" | "in";
+
+async function getS2Stream(apiClient: ApiClient, sessionId: string, io: IO) {
+  const response = await apiClient.initializeSessionStream(sessionId, io);
+  const headers = response.headers ?? {};
+  const accessToken = headers["x-s2-access-token"];
+  const basin = headers["x-s2-basin"];
+  const streamName = headers["x-s2-stream-name"];
+  const endpoint = headers["x-s2-endpoint"];
+
+  if (!accessToken || !basin || !streamName) {
+    throw new Error(
+      "Session stream initialize did not return S2 credentials — server may be configured for v1 realtime streams, which sessions do not support."
+    );
+  }
+
+  const s2 = new S2({
+    accessToken,
+    ...(endpoint
+      ? {
+          endpoints: {
+            account: endpoint,
+            basin: endpoint,
+          },
+        }
+      : {}),
+  });
+
+  return s2.basin(basin).stream(streamName);
+}
+
+/**
+ * Append a single Trigger control record to a Session channel. The record
+ * carries a `trigger-control` header valued with `subtype`, plus any
+ * sibling headers (e.g. `public-access-token` on `turn-complete`). Body is
+ * always empty — control semantics live in the headers.
+ *
+ * Returns the ack's last seq_num as `lastEventId`, useful for trim chains.
+ */
+export async function writeSessionControlRecord(
+  apiClient: ApiClient,
+  sessionId: string,
+  io: IO,
+  subtype: TriggerControlSubtype | string,
+  extraHeaders?: ReadonlyArray<readonly [string, string]>
+): Promise<StreamWriteResult> {
+  const stream = await getS2Stream(apiClient, sessionId, io);
+  const headers: ReadonlyArray<readonly [string, string]> = [
+    [TRIGGER_CONTROL_HEADER, subtype],
+    ...(extraHeaders ?? []),
+  ];
+  const record = AppendRecord.string({ body: "", headers });
+  const ack = await stream.append(AppendInput.create([record]));
+  // S2's `AppendAck.start` is the seq_num of the FIRST record in the batch
+  // (inclusive); `end` is the seq AFTER the last record (exclusive, equal
+  // to `tail`). For a single-record append they differ by one — `start` is
+  // the seq we just wrote, `end` is the next vacant seq. Return `start`
+  // here so the caller can chain trims against the actual record seq.
+  return { lastEventId: ack.start.seqNum.toString() };
+}
+
+/**
+ * Append an S2 `trim` command record to `session.out`, setting the new
+ * earliest-readable seq_num. Idempotent and monotonic at S2 — the
+ * effective trim point is `max(existing, min(provided, current_tail))`.
+ *
+ * Used after every `turn-complete` to keep `session.out` bounded to
+ * approximately one turn of records at steady state.
+ */
+export async function trimSessionStream(
+  apiClient: ApiClient,
+  sessionId: string,
+  earliestSeqNum: number
+): Promise<void> {
+  const stream = await getS2Stream(apiClient, sessionId, "out");
+  await stream.append(AppendInput.create([AppendRecord.trim(earliestSeqNum)]));
+}
+
+/**
+ * Convenience: append a `turn-complete` control record. Carries an
+ * optional refreshed `publicAccessToken` in a sibling header.
+ */
+export async function writeTurnCompleteRecord(
+  apiClient: ApiClient,
+  sessionId: string,
+  publicAccessToken?: string
+): Promise<StreamWriteResult> {
+  const extra: ReadonlyArray<readonly [string, string]> = publicAccessToken
+    ? [["public-access-token", publicAccessToken]]
+    : [];
+  return writeSessionControlRecord(
+    apiClient,
+    sessionId,
+    "out",
+    TRIGGER_CONTROL_SUBTYPE.TURN_COMPLETE,
+    extra
+  );
+}
+
+/**
+ * Convenience: append an `upgrade-required` control record.
+ */
+export async function writeUpgradeRequiredRecord(
+  apiClient: ApiClient,
+  sessionId: string
+): Promise<StreamWriteResult> {
+  return writeSessionControlRecord(
+    apiClient,
+    sessionId,
+    "out",
+    TRIGGER_CONTROL_SUBTYPE.UPGRADE_REQUIRED
+  );
+}
diff --git a/packages/core/src/v3/realtimeStreams/streamInstance.ts b/packages/core/src/v3/realtimeStreams/streamInstance.ts
index 6d8106ffe6c..e5cd3f84aea 100644
--- a/packages/core/src/v3/realtimeStreams/streamInstance.ts
+++ b/packages/core/src/v3/realtimeStreams/streamInstance.ts
@@ -3,7 +3,12 @@ import { AsyncIterableStream } from "../streams/asyncIterableStream.js";
 import { AnyZodFetchOptions } from "../zodfetch.js";
 import { StreamsWriterV1 } from "./streamsWriterV1.js";
 import { StreamsWriterV2 } from "./streamsWriterV2.js";
-import { StreamsWriter } from "./types.js";
+import { StreamsWriter, StreamWriteResult } from "./types.js";
+
+export type CreateStreamResponseLike = {
+  version: string;
+  headers?: Record<string, string>;
+};
 
 export type StreamInstanceOptions<T> = {
   apiClient: ApiClient;
@@ -15,6 +20,14 @@ export type StreamInstanceOptions<T> = {
   requestOptions?: AnyZodFetchOptions;
   target?: "self" | "parent" | "root" | string;
   debug?: boolean;
+  /**
+   * Optional override for the create-stream call. Defaults to
+   * `apiClient.createStream(runId, "self", key, requestOptions)`. The
+   * manager passes a cached version so repeated `pipe()` calls for the
+   * same `(runId, key)` share a single PUT instead of hammering the
+   * server on every chunk.
+   */
+  createStream?: () => Promise<CreateStreamResponseLike>;
 };
 
 type StreamsWriterInstance<T> = StreamsWriterV1<T> | StreamsWriterV2<T>;
@@ -27,12 +40,17 @@ export class StreamInstance<T> implements StreamsWriter {
   }
 
   private async initializeWriter(): Promise<StreamsWriterInstance<T>> {
-    const { version, headers } = await this.options.apiClient.createStream(
-      this.options.runId,
-      "self",
-      this.options.key,
-      this.options?.requestOptions
-    );
+    const createStreamFn =
+      this.options.createStream ??
+      (() =>
+        this.options.apiClient.createStream(
+          this.options.runId,
+          "self",
+          this.options.key,
+          this.options?.requestOptions
+        ));
+
+    const { version, headers } = await createStreamFn();
 
     const parsedResponse = parseCreateStreamResponse(version, headers);
 
@@ -63,8 +81,9 @@ export class StreamInstance<T> implements StreamsWriter {
     return streamWriter;
   }
 
-  public async wait(): Promise<void> {
-    return this.streamPromise.then((writer) => writer.wait());
+  public async wait(): Promise<StreamWriteResult> {
+    const writer = await this.streamPromise;
+    return writer.wait();
   }
 
   public get stream(): AsyncIterableStream<T> {
diff --git a/packages/core/src/v3/realtimeStreams/streamsWriterV1.ts b/packages/core/src/v3/realtimeStreams/streamsWriterV1.ts
index 2f2b4af1682..c19faf6c2f8 100644
--- a/packages/core/src/v3/realtimeStreams/streamsWriterV1.ts
+++ b/packages/core/src/v3/realtimeStreams/streamsWriterV1.ts
@@ -2,7 +2,7 @@ import { request as httpsRequest } from "node:https";
 import { request as httpRequest } from "node:http";
 import { URL } from "node:url";
 import { randomBytes } from "node:crypto";
-import { StreamsWriter } from "./types.js";
+import { StreamsWriter, StreamWriteResult } from "./types.js";
 
 export type StreamsWriterV1Options<T> = {
   baseUrl: string;
@@ -258,8 +258,9 @@ export class StreamsWriterV1<T> implements StreamsWriter {
     await this.makeRequest(0);
   }
 
-  public async wait(): Promise<void> {
-    return this.streamPromise;
+  public async wait(): Promise<StreamWriteResult> {
+    await this.streamPromise;
+    return {};
   }
 
   public [Symbol.asyncIterator]() {
diff --git a/packages/core/src/v3/realtimeStreams/streamsWriterV2.test.ts b/packages/core/src/v3/realtimeStreams/streamsWriterV2.test.ts
new file mode 100644
index 00000000000..85a03973708
--- /dev/null
+++ b/packages/core/src/v3/realtimeStreams/streamsWriterV2.test.ts
@@ -0,0 +1,77 @@
+import { describe, expect, it } from "vitest";
+
+import { ChatChunkTooLargeError, isChatChunkTooLargeError } from "../errors.js";
+import { encodeChunkOrError } from "./streamsWriterV2.js";
+
+// The size cap and discriminant extraction are the only S2-independent bits
+// of `StreamsWriterV2` that benefit from unit coverage. Both live in the
+// `encodeChunkOrError` pure helper, so the tests exercise it directly — no
+// `vi.mock("@s2-dev/streamstore", ...)` shim needed.
+
+describe("encodeChunkOrError", () => {
+  it("flags oversize chunks and carries the chunk's `type` discriminant", () => {
+    const oversized = {
+      type: "tool-output-available",
+      output: { text: "x".repeat(2_000_000) },
+    };
+
+    const result = encodeChunkOrError(oversized);
+
+    expect(result.ok).toBe(false);
+    if (result.ok) return; // type guard
+    expect(isChatChunkTooLargeError(result.error)).toBe(true);
+    expect(result.error.chunkType).toBe("tool-output-available");
+    expect(result.error.chunkSize).toBeGreaterThan(1_000_000);
+    expect(result.error.maxSize).toBe(1024 * 1024 - 1024);
+    expect(result.error.message).toMatch(/tool-output-available/);
+    expect(result.error.message).toMatch(/chat\.agent chunk/);
+  });
+
+  it("falls back to chunk.kind when chunk.type is missing (ChatInputChunk-style)", () => {
+    const oversized = { kind: "action", payload: "x".repeat(2_000_000) };
+
+    const result = encodeChunkOrError(oversized);
+
+    expect(result.ok).toBe(false);
+    if (result.ok) return;
+    expect(result.error.chunkType).toBe("action");
+  });
+
+  it("omits chunkType when the chunk has no discriminant", () => {
+    const oversized = "x".repeat(2_000_000);
+
+    const result = encodeChunkOrError(oversized);
+
+    expect(result.ok).toBe(false);
+    if (result.ok) return;
+    expect(result.error.chunkType).toBeUndefined();
+  });
+
+  it("returns the encoded body for chunks under the cap", () => {
+    const small = { type: "text-delta", delta: "hello" };
+
+    const result = encodeChunkOrError(small);
+
+    expect(result.ok).toBe(true);
+    if (!result.ok) return;
+    const parsed = JSON.parse(result.body) as { data: unknown; id: string };
+    expect(parsed.data).toEqual(small);
+    expect(parsed.id).toMatch(/^[A-Za-z0-9_-]{7}$/); // nanoid(7)
+  });
+});
+
+// Cross-check the ChatChunkTooLargeError type-guard helper itself. Trivial,
+// but keeps the test surface here exercising the public error helpers a
+// consumer would import from the same module.
+describe("isChatChunkTooLargeError", () => {
+  it("recognizes its own error class", () => {
+    const err = new ChatChunkTooLargeError(2_000_000, 1024 * 1024 - 1024, "x");
+    expect(isChatChunkTooLargeError(err)).toBe(true);
+  });
+
+  it("rejects unrelated errors", () => {
+    expect(isChatChunkTooLargeError(new Error("nope"))).toBe(false);
+    expect(isChatChunkTooLargeError("string")).toBe(false);
+    expect(isChatChunkTooLargeError(undefined)).toBe(false);
+  });
+});
diff --git a/packages/core/src/v3/realtimeStreams/streamsWriterV2.ts b/packages/core/src/v3/realtimeStreams/streamsWriterV2.ts
index 91713630dbe..223fd8d894e 100644
--- a/packages/core/src/v3/realtimeStreams/streamsWriterV2.ts
+++ b/packages/core/src/v3/realtimeStreams/streamsWriterV2.ts
@@ -1,7 +1,16 @@
 import { S2, AppendRecord, BatchTransform } from "@s2-dev/streamstore";
-import { StreamsWriter } from "./types.js";
+import { ChatChunkTooLargeError } from "../errors.js";
+import { StreamsWriter, StreamWriteResult } from "./types.js";
 import { nanoid } from "nanoid";
 
+// S2 caps a single record at 1 MiB of metered bytes (body + headers + 8 byte
+// overhead). We give ourselves ~1 KiB of headroom for the JSON envelope and
+// metering bytes so the check fires before the SDK's internal `BatchTransform`
+// rejects the record with an opaque `S2Error`.
+const RECORD_BODY_MAX_BYTES = 1024 * 1024 - 1024;
+
+const utf8Encoder = new TextEncoder();
+
 export type StreamsWriterV2Options<T = any> = {
   basin: string;
   stream: string;
@@ -54,6 +63,7 @@ export class StreamsWriterV2<T = any> implements StreamsWriter {
   private readonly maxInflightBytes: number;
   private aborted = false;
   private sessionWritable: WritableStream<any> | null = null;
+  private lastSeqNum: number | undefined;
 
   constructor(private options: StreamsWriterV2Options<T>) {
     this.debug = options.debug ?? false;
@@ -151,8 +161,12 @@ export class StreamsWriterV2<T = any> implements StreamsWriter {
                 controller.error(new Error("Stream aborted"));
                 return;
               }
-              // Convert each chunk to JSON string and wrap in AppendRecord
-              controller.enqueue(AppendRecord.string({ body: JSON.stringify({ data: chunk, id: nanoid(7) }) }));
+              const encoded = encodeChunkOrError(chunk);
+              if (!encoded.ok) {
+                controller.error(encoded.error);
+                return;
+              }
+              controller.enqueue(AppendRecord.string({ body: encoded.body }));
             },
           })
         )
@@ -169,9 +183,9 @@ export class StreamsWriterV2<T = any> implements StreamsWriter {
       const lastAcked = session.lastAckedPosition();
 
       if (lastAcked?.end) {
-        const recordsWritten = lastAcked.end.seqNum;
+        this.lastSeqNum = lastAcked.end.seqNum;
         this.log(
-          `[S2MetadataStream] Written ${recordsWritten} records, ending at seqNum=${lastAcked.end.seqNum}`
+          `[S2MetadataStream] Written ${this.lastSeqNum} records, ending at seqNum=${this.lastSeqNum}`
         );
       }
     } catch (error) {
@@ -184,8 +198,9 @@ export class StreamsWriterV2<T = any> implements StreamsWriter {
     }
   }
 
-  public async wait(): Promise<void> {
+  public async wait(): Promise<StreamWriteResult> {
     await this.streamPromise;
+    return { lastEventId: this.lastSeqNum?.toString() };
   }
 
   public [Symbol.asyncIterator]() {
@@ -225,3 +240,43 @@ function safeReleaseLock(reader: ReadableStreamDefaultReader<any>) {
     reader.releaseLock();
   } catch (error) {}
 }
+
+// chat.agent emits two chunk shapes through this writer:
+//   - UIMessageChunks + custom data parts: `{ type: "tool-output-available" | "data-..." | ... }`
+//   - ChatInputChunks (mostly seen on `.in`, but reused as the discriminant
+//     elsewhere): `{ kind: "message" | "stop" | "action" }`
+// Surfacing whichever discriminant exists turns "chunk too large" into
+// "tool-output-available chunk too large", which is what users actually need.
+function extractChunkType(chunk: unknown): string | undefined {
+  if (!chunk || typeof chunk !== "object") return undefined;
+  const c = chunk as { type?: unknown; kind?: unknown };
+  if (typeof c.type === "string") return c.type;
+  if (typeof c.kind === "string") return c.kind;
+  return undefined;
+}
+
+/**
+ * Encode a chunk as a JSON record body for S2, enforcing the per-record
+ * size cap. Exported so the size/discriminant logic can be unit-tested
+ * directly without spinning up an S2 client or mocking `@s2-dev/streamstore`.
+ *
+ * Returns `{ ok: true, body }` when the encoded chunk fits within
+ * `RECORD_BODY_MAX_BYTES`, or `{ ok: false, error }` carrying a
+ * `ChatChunkTooLargeError` annotated with the chunk's discriminant
+ * (`type` or `kind`, whichever is present) so the surfaced error is
+ * useful — "tool-output-available chunk too large" beats a bare
+ * "chunk too large" by a lot.
+ */
+export function encodeChunkOrError(
+  chunk: unknown
+): { ok: true; body: string } | { ok: false; error: ChatChunkTooLargeError } {
+  const body = JSON.stringify({ data: chunk, id: nanoid(7) });
+  const size = utf8Encoder.encode(body).length;
+  if (size > RECORD_BODY_MAX_BYTES) {
+    return {
+      ok: false,
+      error: new ChatChunkTooLargeError(size, RECORD_BODY_MAX_BYTES, extractChunkType(chunk)),
+    };
+  }
+  return { ok: true, body };
+}
diff --git a/packages/core/src/v3/realtimeStreams/types.ts b/packages/core/src/v3/realtimeStreams/types.ts
index 174970c2830..5e537d991ff 100644
--- a/packages/core/src/v3/realtimeStreams/types.ts
+++ b/packages/core/src/v3/realtimeStreams/types.ts
@@ -26,13 +26,17 @@ export interface RealtimeStreamsManager {
   ): Promise<void>;
 }
 
+export type StreamWriteResult = {
+  lastEventId?: string;
+};
+
 export interface RealtimeStreamInstance<T> {
-  wait(): Promise<void>;
+  wait(): Promise<StreamWriteResult>;
   get stream(): AsyncIterableStream<T>;
 }
 
 export interface StreamsWriter {
-  wait(): Promise<void>;
+  wait(): Promise<StreamWriteResult>;
 }
 
 export type RealtimeDefinedStream<TPart> = {
@@ -71,6 +75,10 @@ export type PipeStreamOptions = {
    * Additional request options for the API call.
    */
   requestOptions?: ApiRequestOptions;
+  /** Override the default span name for this operation. */
+  spanName?: string;
+  /** When true, the span will be collapsed in the dashboard. */
+  collapsed?: boolean;
 };
 
 /**
@@ -89,7 +97,7 @@ export type PipeStreamResult<T> = {
    * to the realtime stream. Use this to wait for the stream to complete before
    * finishing your task.
    */
-  waitUntilComplete: () => Promise<void>;
+  waitUntilComplete: () => Promise<StreamWriteResult>;
 };
 
 /**
@@ -185,6 +193,14 @@ export type RealtimeDefinedInputStream<TData> = {
    * Uses a waitpoint token internally. Can only be called inside a task.run().
    */
   wait: (options?: InputStreamWaitOptions) => ManualWaitpointPromise<TData>;
+  /**
+   * Wait for data with an idle phase before suspending.
+   *
+   * Keeps the task active (using compute) for `idleTimeoutInSeconds`,
+   * then suspends via `.wait()` if no data arrives. If data arrives during
+   * the idle phase the task responds instantly without suspending.
+   */
+  waitWithIdleTimeout: (options: InputStreamWaitWithIdleTimeoutOptions) => Promise<{ ok: true; output: TData } | { ok: false; error?: any }>;
   /**
    * Send data to this input stream on a specific run.
    * This is used from outside the task (e.g., from your backend or another task).
@@ -199,6 +215,8 @@ export type InputStreamSubscription = {
 export type InputStreamOnceOptions = {
   signal?: AbortSignal;
   timeoutMs?: number;
+  /** Override the default span name for this operation. */
+  spanName?: string;
 };
 
 export type SendInputStreamOptions = {
@@ -234,6 +252,24 @@ export type InputStreamWaitOptions = {
    * and filtering waitpoints via `wait.listTokens()`.
    */
   tags?: string[];
+
+  /** Override the default span name for this operation. */
+  spanName?: string;
+};
+
+export type InputStreamWaitWithIdleTimeoutOptions = {
+  /** Seconds to keep the task idle (active, using compute) before suspending. */
+  idleTimeoutInSeconds: number;
+  /** Maximum time to wait after suspending (duration string, e.g. "1h"). */
+  timeout?: string;
+  /** Override the default span name for the outer operation. */
+  spanName?: string;
+  /** Called right before suspending (after idle phase times out). Not called if data arrives during idle. */
+  onSuspend?: () => void | Promise<void>;
+  /** Called right after resuming from suspension with data. Not called if data arrived during idle or on timeout. */
+  onResume?: () => void | Promise<void>;
+  /** When true, skip the suspend phase entirely. If idle times out, return `{ ok: false }` immediately. */
+  skipSuspend?: boolean;
 };
 
 export type InferInputStreamType<T> = T extends RealtimeDefinedInputStream<infer TData>
diff --git a/packages/core/src/v3/resource-catalog/catalog.ts b/packages/core/src/v3/resource-catalog/catalog.ts
index 5b3ab023639..1036152c928 100644
--- a/packages/core/src/v3/resource-catalog/catalog.ts
+++ b/packages/core/src/v3/resource-catalog/catalog.ts
@@ -1,4 +1,11 @@
-import { PromptManifest, QueueManifest, TaskManifest, WorkerManifest } from "../schemas/index.js";
+import {
+  PromptManifest,
+  QueueManifest,
+  SkillManifest,
+  SkillMetadata,
+  TaskManifest,
+  WorkerManifest,
+} from "../schemas/index.js";
 import { PromptMetadataWithFunctions, TaskMetadataWithFunctions, TaskSchema } from "../types/index.js";
 
 export interface ResourceCatalog {
@@ -7,6 +14,7 @@ export interface ResourceCatalog {
   registerTaskMetadata(task: TaskMetadataWithFunctions): void;
   updateTaskMetadata(id: string, task: Partial<TaskMetadataWithFunctions>): void;
   listTaskManifests(): Array<TaskManifest>;
+  listTaskIdCollisions(): Array<{ id: string; filePaths: string[] }>;
   getTaskManifest(id: string): TaskManifest | undefined;
   getTask(id: string): TaskMetadataWithFunctions | undefined;
   taskExists(id: string): boolean;
@@ -18,4 +26,7 @@ export interface ResourceCatalog {
   listPromptManifests(): Array<PromptManifest>;
   getPrompt(id: string): PromptMetadataWithFunctions | undefined;
   getPromptSchema(id: string): TaskSchema | undefined;
+  registerSkillMetadata(skill: SkillMetadata): void;
+  listSkillManifests(): Array<SkillManifest>;
+  getSkillManifest(id: string): SkillManifest | undefined;
 }
diff --git a/packages/core/src/v3/resource-catalog/index.ts b/packages/core/src/v3/resource-catalog/index.ts
index 9ce7dee64cf..4e6e278ad02 100644
--- a/packages/core/src/v3/resource-catalog/index.ts
+++ b/packages/core/src/v3/resource-catalog/index.ts
@@ -1,6 +1,13 @@
 const API_NAME = "resource-catalog";
 
-import { PromptManifest, QueueManifest, TaskManifest, WorkerManifest } from "../schemas/index.js";
+import {
+  PromptManifest,
+  QueueManifest,
+  SkillManifest,
+  SkillMetadata,
+  TaskManifest,
+  WorkerManifest,
+} from "../schemas/index.js";
 import { PromptMetadataWithFunctions, TaskMetadataWithFunctions, TaskSchema } from "../types/index.js";
 import { getGlobal, registerGlobal, unregisterGlobal } from "../utils/globals.js";
 import { type ResourceCatalog } from "./catalog.js";
@@ -57,6 +64,10 @@ export class ResourceCatalogAPI {
     return this.#getCatalog().listTaskManifests();
   }
 
+  public listTaskIdCollisions(): Array<{ id: string; filePaths: string[] }> {
+    return this.#getCatalog().listTaskIdCollisions();
+  }
+
   public getTaskManifest(id: string): TaskManifest | undefined {
     return this.#getCatalog().getTaskManifest(id);
   }
@@ -93,6 +104,18 @@ export class ResourceCatalogAPI {
     return this.#getCatalog().getPromptSchema(id);
   }
 
+  public registerSkillMetadata(skill: SkillMetadata): void {
+    this.#getCatalog().registerSkillMetadata(skill);
+  }
+
+  public listSkillManifests(): Array<SkillManifest> {
+    return this.#getCatalog().listSkillManifests();
+  }
+
+  public getSkillManifest(id: string): SkillManifest | undefined {
+    return this.#getCatalog().getSkillManifest(id);
+  }
+
   #getCatalog(): ResourceCatalog {
     return getGlobal(API_NAME) ?? NOOP_RESOURCE_CATALOG;
   }
diff --git a/packages/core/src/v3/resource-catalog/noopResourceCatalog.ts b/packages/core/src/v3/resource-catalog/noopResourceCatalog.ts
index 8f77544f05c..509b76c1792 100644
--- a/packages/core/src/v3/resource-catalog/noopResourceCatalog.ts
+++ b/packages/core/src/v3/resource-catalog/noopResourceCatalog.ts
@@ -1,4 +1,11 @@
-import { PromptManifest, QueueManifest, TaskManifest, WorkerManifest } from "../schemas/index.js";
+import {
+  PromptManifest,
+  QueueManifest,
+  SkillManifest,
+  SkillMetadata,
+  TaskManifest,
+  WorkerManifest,
+} from "../schemas/index.js";
 import { type PromptMetadataWithFunctions, type TaskMetadataWithFunctions, type TaskSchema } from "../types/index.js";
 import { ResourceCatalog } from "./catalog.js";
 
@@ -23,6 +30,10 @@ export class NoopResourceCatalog implements ResourceCatalog {
     return [];
   }
 
+  listTaskIdCollisions(): Array<{ id: string; filePaths: string[] }> {
+    return [];
+  }
+
   getTaskManifest(id: string): TaskManifest | undefined {
     return undefined;
   }
@@ -70,4 +81,16 @@ export class NoopResourceCatalog implements ResourceCatalog {
   getPromptSchema(id: string): TaskSchema | undefined {
     return undefined;
   }
+
+  registerSkillMetadata(skill: SkillMetadata): void {
+    // noop
+  }
+
+  listSkillManifests(): Array<SkillManifest> {
+    return [];
+  }
+
+  getSkillManifest(id: string): SkillManifest | undefined {
+    return undefined;
+  }
 }
diff --git a/packages/core/src/v3/resource-catalog/standardResourceCatalog.ts b/packages/core/src/v3/resource-catalog/standardResourceCatalog.ts
index ea134a45663..bf200936d6f 100644
--- a/packages/core/src/v3/resource-catalog/standardResourceCatalog.ts
+++ b/packages/core/src/v3/resource-catalog/standardResourceCatalog.ts
@@ -1,6 +1,8 @@
 import {
   PromptManifest,
   PromptMetadata,
+  SkillManifest,
+  SkillMetadata,
   TaskFileMetadata,
   TaskMetadata,
   TaskManifest,
@@ -10,6 +12,18 @@ import {
 import { PromptMetadataWithFunctions, TaskMetadataWithFunctions, TaskSchema } from "../types/index.js";
 import { ResourceCatalog } from "./catalog.js";
 
+/**
+ * Sentinel file-context value the runtime workers set around task execution
+ * (via `TaskExecutor.execute`) so that `task()` calls firing during a run —
+ * e.g. as a side effect of `await import(...)` of a module containing a
+ * task definition — register normally instead of hitting the silent-drop
+ * guard in `registerTaskMetadata`. The catalog uses this exact string to
+ * detect "registered during execution" and emit a one-time warning per
+ * task id. The indexer never sets this context, so its behavior is
+ * unchanged.
+ */
+export const NO_FILE_CONTEXT = "<no-context>";
+
 export class StandardResourceCatalog implements ResourceCatalog {
   private _taskSchemas: Map<string, TaskSchema> = new Map();
   private _taskMetadata: Map<string, TaskMetadata> = new Map();
@@ -21,6 +35,14 @@ export class StandardResourceCatalog implements ResourceCatalog {
   private _promptSchemas: Map<string, TaskSchema> = new Map();
   private _currentFileContext?: Omit<TaskFileMetadata, "exportName">;
   private _queueMetadata: Map<string, QueueManifest> = new Map();
+  private _skillMetadata: Map<string, SkillMetadata> = new Map();
+  private _skillFileMetadata: Map<string, TaskFileMetadata> = new Map();
+  private _sentinelContextWarned: Set<string> = new Set();
+  // Task ids registered more than once (across files and task types). Tasks are
+  // keyed by id below, so a second registration silently overwrites the first;
+  // we record the collision here so the indexer can fail loudly instead. Only
+  // consumed by the index workers — runtime never reads it.
+  private _taskIdCollisions: Array<{ id: string; filePaths: string[] }> = [];
 
   setCurrentFileContext(filePath: string, entryPoint: string) {
     this._currentFileContext = { filePath, entryPoint };
@@ -30,6 +52,11 @@ export class StandardResourceCatalog implements ResourceCatalog {
     this._currentFileContext = undefined;
   }
 
+  // Task ids that were registered more than once during this indexing pass.
+  listTaskIdCollisions(): Array<{ id: string; filePaths: string[] }> {
+    return this._taskIdCollisions;
+  }
+
   registerQueueMetadata(queue: QueueManifest): void {
     const existingQueue = this._queueMetadata.get(queue.name);
 
@@ -73,6 +100,42 @@ export class StandardResourceCatalog implements ResourceCatalog {
       return;
     }
 
+    // When the current context is the sentinel set by TaskExecutor around a
+    // run, the task() call fired during execution — most commonly via a
+    // dynamic import inside another task's run(). Warn once per task id so
+    // the pattern stays visible.
+    if (
+      this._currentFileContext.filePath === NO_FILE_CONTEXT &&
+      !this._sentinelContextWarned.has(task.id)
+    ) {
+      this._sentinelContextWarned.add(task.id);
+      console.warn(
+        `[trigger.dev] task "${task.id}" was registered via dynamic import during another task's run(); move to a static import if you notice any issues.`
+      );
+    }
+
+    // Detect a duplicate task id before the maps below overwrite the first
+    // registration. Skip the runtime sentinel context (a task() firing during
+    // another task's run) — that's a re-registration, not a duplicate
+    // definition, and the indexer never uses the sentinel.
+    if (
+      this._taskMetadata.has(task.id) &&
+      this._currentFileContext.filePath !== NO_FILE_CONTEXT
+    ) {
+      const existingFilePath = this._taskFileMetadata.get(task.id)?.filePath;
+      const currentFilePath = this._currentFileContext.filePath;
+      const collision = this._taskIdCollisions.find((c) => c.id === task.id);
+
+      if (collision) {
+        collision.filePaths.push(currentFilePath);
+      } else {
+        this._taskIdCollisions.push({
+          id: task.id,
+          filePaths: [existingFilePath ?? currentFilePath, currentFilePath],
+        });
+      }
+    }
+
     this._taskFileMetadata.set(task.id, {
       ...this._currentFileContext,
     });
@@ -86,25 +149,31 @@ export class StandardResourceCatalog implements ResourceCatalog {
   }
 
   updateTaskMetadata(id: string, updates: Partial<TaskMetadataWithFunctions>): void {
+    const { fns, schema, ...metadataUpdates } = updates;
+
     const existingMetadata = this._taskMetadata.get(id);
 
-    if (existingMetadata) {
+    if (existingMetadata && Object.keys(metadataUpdates).length > 0) {
       this._taskMetadata.set(id, {
         ...existingMetadata,
-        ...updates,
+        ...metadataUpdates,
       });
     }
 
-    if (updates.fns) {
+    if (fns) {
       const existingFunctions = this._taskFunctions.get(id);
 
       if (existingFunctions) {
         this._taskFunctions.set(id, {
           ...existingFunctions,
-          ...updates.fns,
+          ...fns,
         });
       }
     }
+
+    if (schema) {
+      this._taskSchemas.set(id, schema);
+    }
   }
 
   // Return all the tasks, without the functions
@@ -233,6 +302,58 @@ export class StandardResourceCatalog implements ResourceCatalog {
     };
   }
 
+  registerSkillMetadata(skill: SkillMetadata): void {
+    if (!this._currentFileContext) {
+      return;
+    }
+
+    if (!skill.id) {
+      return;
+    }
+
+    const existing = this._skillMetadata.get(skill.id);
+    if (existing && existing.sourcePath !== skill.sourcePath) {
+      console.warn(
+        `Skill "${skill.id}" is defined twice with different paths. Keeping the first:\n` +
+          `  existing: ${existing.sourcePath}\n` +
+          `  ignored:  ${skill.sourcePath}`
+      );
+      return;
+    }
+
+    this._skillFileMetadata.set(skill.id, {
+      ...this._currentFileContext,
+    });
+    this._skillMetadata.set(skill.id, skill);
+  }
+
+  listSkillManifests(): Array<SkillManifest> {
+    const result: Array<SkillManifest> = [];
+
+    for (const [id, metadata] of this._skillMetadata) {
+      const fileMetadata = this._skillFileMetadata.get(id);
+      if (!fileMetadata) continue;
+
+      result.push({
+        ...metadata,
+        ...fileMetadata,
+      });
+    }
+
+    return result;
+  }
+
+  getSkillManifest(id: string): SkillManifest | undefined {
+    const metadata = this._skillMetadata.get(id);
+    const fileMetadata = this._skillFileMetadata.get(id);
+    if (!metadata || !fileMetadata) return undefined;
+
+    return {
+      ...metadata,
+      ...fileMetadata,
+    };
+  }
+
   disable() {
     // noop
   }
diff --git a/packages/core/src/v3/runEngineWorker/supervisor/consumerPool.test.ts b/packages/core/src/v3/runEngineWorker/supervisor/consumerPool.test.ts
index 6093790b012..fe27508fe37 100644
--- a/packages/core/src/v3/runEngineWorker/supervisor/consumerPool.test.ts
+++ b/packages/core/src/v3/runEngineWorker/supervisor/consumerPool.test.ts
@@ -7,6 +7,8 @@ import {
 import { SupervisorHttpClient } from "./http.js";
 import type { WorkerApiDequeueResponseBody } from "./schemas.js";
 import type { QueueConsumer } from "./queueConsumer.js";
+import { ConsumerPoolMetrics } from "./consumerPoolMetrics.js";
+import { Registry } from "prom-client";
 
 // Mock only the logger
 vi.mock("../../utils/structuredLogger.js");
@@ -16,9 +18,11 @@ class TestQueueConsumer implements QueueConsumer {
   public started = false;
   public stopped = false;
   public onDequeue?: (messages: WorkerApiDequeueResponseBody) => Promise<void>;
+  public metrics?: ConsumerPoolMetrics;
 
   constructor(opts: any) {
     this.onDequeue = opts.onDequeue;
+    this.metrics = opts.metrics;
   }
 
   start(): void {
@@ -718,4 +722,97 @@ describe("RunQueueConsumerPool", () => {
       expect(pool.size).toBe(1);
     });
   });
+
+  describe("Metrics wiring", () => {
+    it("injects the pool's shared ConsumerPoolMetrics into every consumer when a registry is provided", async () => {
+      pool = new RunQueueConsumerPool({
+        ...defaultOptions,
+        metricsRegistry: new Registry(),
+        scaling: { strategy: "none", maxConsumerCount: 3 },
+      });
+
+      await pool.start();
+
+      expect(testConsumers.length).toBe(3);
+      const poolMetrics = pool["promMetrics"];
+      expect(poolMetrics).toBeInstanceOf(ConsumerPoolMetrics);
+      testConsumers.forEach((consumer) => {
+        expect(consumer.metrics).toBe(poolMetrics);
+      });
+    });
+
+    it("preserves a caller-supplied consumer metrics instance when no registry is provided", async () => {
+      const callerMetrics = new ConsumerPoolMetrics({ register: new Registry() });
+      pool = new RunQueueConsumerPool({
+        ...defaultOptions,
+        consumer: { ...defaultOptions.consumer, metrics: callerMetrics },
+        scaling: { strategy: "none", maxConsumerCount: 1 },
+      });
+
+      await pool.start();
+
+      expect(testConsumers[0]?.metrics).toBe(callerMetrics);
+    });
+  });
+
+  describe("Backpressure scale-up freeze", () => {
+    it("freezes scale-up while shouldPauseScaling returns true, then resumes", async () => {
+      let paused = true;
+      pool = new RunQueueConsumerPool({
+        ...defaultOptions,
+        scaling: {
+          strategy: "smooth",
+          minConsumerCount: 1,
+          maxConsumerCount: 10,
+          scaleUpCooldownMs: 0,
+          disableJitter: true,
+          shouldPauseScaling: () => paused,
+        },
+      });
+      await pool.start();
+      expect(pool.size).toBe(1);
+
+      // A high queue would normally scale up, but backpressure freezes it.
+      pool.updateQueueLength(10);
+      advanceTimeAndProcessMetrics(1100);
+      expect(pool.size).toBe(1);
+
+      // Once backpressure releases, scaling resumes.
+      paused = false;
+      pool.updateQueueLength(10);
+      advanceTimeAndProcessMetrics(1100);
+      expect(pool.size).toBeGreaterThan(1);
+    });
+
+    it("still allows scale-down while paused", async () => {
+      let paused = false;
+      pool = new RunQueueConsumerPool({
+        ...defaultOptions,
+        scaling: {
+          strategy: "smooth",
+          minConsumerCount: 1,
+          maxConsumerCount: 10,
+          scaleUpCooldownMs: 0,
+          scaleDownCooldownMs: 0,
+          disableJitter: true,
+          shouldPauseScaling: () => paused,
+        },
+      });
+      await pool.start();
+
+      pool.updateQueueLength(10);
+      advanceTimeAndProcessMetrics(1100);
+      const scaledUp = pool.size;
+      expect(scaledUp).toBeGreaterThan(1);
+
+      // Pausing must not block shrinking - we want to drain down, just not grow.
+      // Loop to let the EWMA-smoothed queue length fall (one batch isn't enough).
+      paused = true;
+      for (let i = 0; i < 5; i++) {
+        pool.updateQueueLength(0);
+        advanceTimeAndProcessMetrics(1100);
+      }
+      expect(pool.size).toBeLessThan(scaledUp);
+    });
+  });
 });
diff --git a/packages/core/src/v3/runEngineWorker/supervisor/consumerPool.ts b/packages/core/src/v3/runEngineWorker/supervisor/consumerPool.ts
index d72cef75c7c..0f4bcacdf03 100644
--- a/packages/core/src/v3/runEngineWorker/supervisor/consumerPool.ts
+++ b/packages/core/src/v3/runEngineWorker/supervisor/consumerPool.ts
@@ -22,6 +22,12 @@ export type ScalingOptions = {
   batchWindowMs?: number;
   disableJitter?: boolean;
   dampingFactor?: number;
+  /**
+   * When this returns true, scale-up is frozen (scale-down still allowed). Used to
+   * stop the pool from adding consumers to drain a queue that backpressure is
+   * deliberately holding. Synchronous and hot-path-safe.
+   */
+  shouldPauseScaling?: () => boolean;
 };
 
 export type ConsumerPoolOptions = {
@@ -49,6 +55,7 @@ export class RunQueueConsumerPool {
   private readonly maxConsumerCount: number;
   private readonly scalingStrategy: ScalingStrategy;
   private readonly disableJitter: boolean;
+  private readonly shouldPauseScaling?: () => boolean;
 
   private consumers: Map<string, QueueConsumer> = new Map();
   private readonly consumerFactory: QueueConsumerFactory;
@@ -79,6 +86,7 @@ export class RunQueueConsumerPool {
     this.scaleUpCooldownMs = opts.scaling.scaleUpCooldownMs ?? 10000; // 10 seconds default
     this.scaleDownCooldownMs = opts.scaling.scaleDownCooldownMs ?? 60000; // 60 seconds default
     this.disableJitter = opts.scaling.disableJitter ?? false;
+    this.shouldPauseScaling = opts.scaling.shouldPauseScaling;
 
     // Configure EWMA parameters from options
     this.ewmaAlpha = opts.scaling.ewmaAlpha ?? 0.3;
@@ -259,6 +267,16 @@ export class RunQueueConsumerPool {
 
     // Check cooldown periods with jitter
     if (targetCount > this.consumers.size) {
+      // Freeze scale-up while backpressure is engaged - don't add consumers to
+      // drain a queue we're deliberately holding. Scale-down stays allowed.
+      if (this.shouldPauseScaling?.()) {
+        this.logger.debug("Scale up frozen by backpressure", {
+          currentCount: this.consumers.size,
+          targetCount,
+        });
+        return;
+      }
+
       // Scale up
       const effectiveCooldown = this.scaleUpCooldownMs + jitterMs;
       if (timeSinceLastScale < effectiveCooldown) {
@@ -351,6 +369,10 @@ export class RunQueueConsumerPool {
 
       const consumer = this.consumerFactory({
         ...this.consumerOptions,
+        // Share the pool's single metrics instance so every consumer records onto
+        // the same histogram (re-registering the metric name would throw). Fall
+        // back to a caller-supplied instance rather than clobbering it.
+        metrics: this.promMetrics ?? this.consumerOptions.metrics,
         onDequeue: async (messages, timing) => {
           // Always update queue length, default to 0 for empty dequeues or missing value
           this.updateQueueLength(messages[0]?.workerQueueLength ?? 0);
diff --git a/packages/core/src/v3/runEngineWorker/supervisor/consumerPoolMetrics.ts b/packages/core/src/v3/runEngineWorker/supervisor/consumerPoolMetrics.ts
index 8f65fa07750..0a7b86b2e30 100644
--- a/packages/core/src/v3/runEngineWorker/supervisor/consumerPoolMetrics.ts
+++ b/packages/core/src/v3/runEngineWorker/supervisor/consumerPoolMetrics.ts
@@ -5,6 +5,15 @@ export interface ConsumerPoolMetricsOptions {
   prefix?: string;
 }
 
+/**
+ * Outcome of a single dequeue API round-trip, used as a low-cardinality label
+ * on the dequeue latency histogram.
+ * - `success`: the call returned at least one run
+ * - `empty`: the call succeeded but returned no runs (the common idle case)
+ * - `error`: the call failed (unsuccessful response, network error, or timeout)
+ */
+export type DequeueOutcome = "success" | "empty" | "error";
+
 export class ConsumerPoolMetrics {
   private readonly register: Registry;
   private readonly prefix: string;
@@ -26,6 +35,9 @@ export class ConsumerPoolMetrics {
   public readonly queueLengthUpdatesTotal: Counter;
   public readonly batchesProcessedTotal: Counter;
 
+  // Dequeue API latency (client-side, measured around the dequeue HTTP call)
+  public readonly dequeueDurationSeconds: Histogram;
+
   constructor(opts: ConsumerPoolMetricsOptions = {}) {
     this.register = opts.register ?? new Registry();
     this.prefix = opts.prefix ?? "queue_consumer_pool";
@@ -102,6 +114,23 @@ export class ConsumerPoolMetrics {
       help: "Total number of metric batches processed",
       registers: [this.register],
     });
+
+    this.dequeueDurationSeconds = new Histogram({
+      name: `${this.prefix}_dequeue_duration_seconds`,
+      help: "Client-side duration of the dequeue API call (POST /engine/v1/worker-actions/dequeue), including the HTTP client's internal retries and backoff",
+      labelNames: ["outcome"],
+      // The HTTP client retries internally (up to 5 attempts with 0.5-5s backoff),
+      // so one observation can span multiple requests plus sleeps. A retryable
+      // failure surfaces as `error` only after >=7.5s of backoff - the 10-30s
+      // buckets exist so that mode doesn't collapse into +Inf. The server also
+      // long-polls (RUN_ENGINE_DEQUEUE_BLOCKING_TIMEOUT_SECONDS, default 10s),
+      // parking empty dequeues at ~10s - the 11/12.5/15/20 buckets give the
+      // quantiles resolution just above that boundary, where the mass sits.
+      // 60s brackets the worst-case error envelope (5 attempts that each hit
+      // the ~10s hold, plus backoff); beyond that the connection is hung.
+      buckets: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2, 5, 10, 11, 12.5, 15, 20, 30, 60],
+      registers: [this.register],
+    });
   }
 
   /**
@@ -157,4 +186,13 @@ export class ConsumerPoolMetrics {
   recordQueueLengthUpdate() {
     this.queueLengthUpdatesTotal.inc();
   }
+
+  /**
+   * Record the client-side latency of a single dequeue API round-trip.
+   * @param seconds Wall-clock duration of the dequeue call, in seconds.
+   * @param outcome Whether the call returned runs, was empty, or errored.
+   */
+  observeDequeueLatency(seconds: number, outcome: DequeueOutcome) {
+    this.dequeueDurationSeconds.observe({ outcome }, seconds);
+  }
 }
diff --git a/packages/core/src/v3/runEngineWorker/supervisor/queueConsumer.test.ts b/packages/core/src/v3/runEngineWorker/supervisor/queueConsumer.test.ts
new file mode 100644
index 00000000000..bbf93ad96fc
--- /dev/null
+++ b/packages/core/src/v3/runEngineWorker/supervisor/queueConsumer.test.ts
@@ -0,0 +1,104 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+import { Registry } from "prom-client";
+import { RunQueueConsumer } from "./queueConsumer.js";
+import { ConsumerPoolMetrics } from "./consumerPoolMetrics.js";
+import type { SupervisorHttpClient } from "./http.js";
+import type { WorkerApiDequeueResponseBody } from "./schemas.js";
+
+// Mock only the logger (same approach as consumerPool.test.ts)
+vi.mock("../../utils/structuredLogger.js");
+
+function makeClient(dequeueImpl: () => Promise<unknown>): SupervisorHttpClient {
+  return { dequeue: vi.fn(dequeueImpl) } as unknown as SupervisorHttpClient;
+}
+
+describe("RunQueueConsumer dequeue latency metric", () => {
+  let register: Registry;
+  let metrics: ConsumerPoolMetrics;
+  let consumer: RunQueueConsumer | undefined;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    // Fake timers so the trailing scheduleNextDequeue() never fires during the test.
+    vi.useFakeTimers();
+    register = new Registry();
+    metrics = new ConsumerPoolMetrics({ register });
+  });
+
+  afterEach(() => {
+    consumer?.stop();
+    vi.clearAllTimers();
+    vi.useRealTimers();
+  });
+
+  /**
+   * Runs exactly one dequeue iteration and awaits it. We set `isEnabled`
+   * directly and invoke the private `dequeue()` rather than `start()`, so no
+   * timer-driven loop runs - the metric is recorded before scheduleNextDequeue().
+   */
+  async function runOneDequeue(opts: {
+    dequeueImpl: () => Promise<unknown>;
+    withMetrics?: boolean;
+  }) {
+    consumer = new RunQueueConsumer({
+      client: makeClient(opts.dequeueImpl),
+      intervalMs: 600_000,
+      idleIntervalMs: 600_000,
+      onDequeue: async () => {},
+      ...(opts.withMetrics === false ? {} : { metrics }),
+    });
+
+    (consumer as unknown as { isEnabled: boolean }).isEnabled = true;
+    await (consumer as unknown as { dequeue(): Promise<void> }).dequeue();
+  }
+
+  it('records outcome="empty" for a successful empty dequeue', async () => {
+    await runOneDequeue({ dequeueImpl: async () => ({ success: true, data: [] }) });
+
+    expect(await register.metrics()).toContain(
+      'queue_consumer_pool_dequeue_duration_seconds_count{outcome="empty"} 1'
+    );
+  });
+
+  it('records outcome="success" once per round-trip, regardless of message count', async () => {
+    const messages = [{ run: {} }, { run: {} }] as unknown as WorkerApiDequeueResponseBody;
+    await runOneDequeue({ dequeueImpl: async () => ({ success: true, data: messages }) });
+
+    const text = await register.metrics();
+    // One observation for the whole batch, not one per message.
+    expect(text).toContain('queue_consumer_pool_dequeue_duration_seconds_count{outcome="success"} 1');
+  });
+
+  it('records outcome="error" when the response is unsuccessful', async () => {
+    await runOneDequeue({
+      dequeueImpl: async () => ({ success: false, error: new Error("boom") }),
+    });
+
+    expect(await register.metrics()).toContain(
+      'queue_consumer_pool_dequeue_duration_seconds_count{outcome="error"} 1'
+    );
+  });
+
+  // Defensive path: wrapZodFetch traps all errors today, so the real client
+  // never throws - this guards against a future client that does.
+  it('records outcome="error" when the dequeue call throws', async () => {
+    await runOneDequeue({
+      dequeueImpl: async () => {
+        throw new Error("network down");
+      },
+    });
+
+    expect(await register.metrics()).toContain(
+      'queue_consumer_pool_dequeue_duration_seconds_count{outcome="error"} 1'
+    );
+  });
+
+  it("is a no-op (does not throw) when no metrics instance is provided", async () => {
+    await expect(
+      runOneDequeue({ dequeueImpl: async () => ({ success: true, data: [] }), withMetrics: false })
+    ).resolves.not.toThrow();
+
+    // Histogram has no observations - the labelled count line should be absent.
+    expect(await register.metrics()).not.toContain("queue_consumer_pool_dequeue_duration_seconds_count");
+  });
+});
diff --git a/packages/core/src/v3/runEngineWorker/supervisor/queueConsumer.ts b/packages/core/src/v3/runEngineWorker/supervisor/queueConsumer.ts
index 76faee40809..cf48ce2e9e0 100644
--- a/packages/core/src/v3/runEngineWorker/supervisor/queueConsumer.ts
+++ b/packages/core/src/v3/runEngineWorker/supervisor/queueConsumer.ts
@@ -1,7 +1,8 @@
 import { SimpleStructuredLogger } from "../../utils/structuredLogger.js";
 import { SupervisorHttpClient } from "./http.js";
-import { WorkerApiDequeueResponseBody } from "./schemas.js";
+import { WorkerApiDequeueResponseBody, WorkerQueueClass } from "./schemas.js";
 import { PreDequeueFn, PreSkipFn } from "./types.js";
+import type { ConsumerPoolMetrics } from "./consumerPoolMetrics.js";
 
 export interface QueueConsumer {
   start(): void;
@@ -15,7 +16,11 @@ export type RunQueueConsumerOptions = {
   preDequeue?: PreDequeueFn;
   preSkip?: PreSkipFn;
   maxRunCount?: number;
+  /** Which worker-queue class this consumer pulls from. Defaults to the worker's region queue. */
+  queueClass?: WorkerQueueClass;
   onDequeue: (messages: WorkerApiDequeueResponseBody, timing?: { dequeueResponseMs: number; pollingIntervalMs: number }) => Promise<void>;
+  /** Optional shared pool metrics. When provided, dequeue API latency is recorded as a histogram. */
+  metrics?: ConsumerPoolMetrics;
 };
 
 export class RunQueueConsumer implements QueueConsumer {
@@ -23,7 +28,9 @@ export class RunQueueConsumer implements QueueConsumer {
   private readonly preDequeue?: PreDequeueFn;
   private readonly preSkip?: PreSkipFn;
   private readonly maxRunCount?: number;
+  private readonly queueClass?: WorkerQueueClass;
   private readonly onDequeue: (messages: WorkerApiDequeueResponseBody, timing?: { dequeueResponseMs: number; pollingIntervalMs: number }) => Promise<void>;
+  private readonly metrics?: ConsumerPoolMetrics;
 
   private readonly logger = new SimpleStructuredLogger("queue-consumer");
 
@@ -39,9 +46,11 @@ export class RunQueueConsumer implements QueueConsumer {
     this.preDequeue = opts.preDequeue;
     this.preSkip = opts.preSkip;
     this.maxRunCount = opts.maxRunCount;
+    this.queueClass = opts.queueClass;
     this.lastScheduledIntervalMs = opts.idleIntervalMs;
     this.onDequeue = opts.onDequeue;
     this.client = opts.client;
+    this.metrics = opts.metrics;
   }
 
   start() {
@@ -112,17 +121,26 @@ export class RunQueueConsumer implements QueueConsumer {
 
     let nextIntervalMs = this.idleIntervalMs;
 
+    const dequeueStart = performance.now();
+
     try {
-      const dequeueStart = performance.now();
       const response = await this.client.dequeue({
         maxResources: preDequeueResult?.maxResources,
         maxRunCount: this.maxRunCount,
+        queueClass: this.queueClass,
       });
-      const dequeueResponseMs = Math.round(performance.now() - dequeueStart);
+      const dequeueDurationSeconds = (performance.now() - dequeueStart) / 1000;
+      const dequeueResponseMs = Math.round(dequeueDurationSeconds * 1000);
 
       if (!response.success) {
+        this.metrics?.observeDequeueLatency(dequeueDurationSeconds, "error");
         this.logger.error("Failed to dequeue", { error: response.error });
       } else {
+        this.metrics?.observeDequeueLatency(
+          dequeueDurationSeconds,
+          response.data.length > 0 ? "success" : "empty"
+        );
+
         try {
           await this.onDequeue(response.data, { dequeueResponseMs, pollingIntervalMs: this.lastScheduledIntervalMs });
 
@@ -134,6 +152,10 @@ export class RunQueueConsumer implements QueueConsumer {
         }
       }
     } catch (clientError) {
+      // wrapZodFetch traps all errors into { success: false }, so this branch is
+      // unreachable with the real client today. Record defensively so a future
+      // client that throws can't silently lose error samples.
+      this.metrics?.observeDequeueLatency((performance.now() - dequeueStart) / 1000, "error");
       this.logger.error("client.dequeue error", { error: clientError });
     }
 
diff --git a/packages/core/src/v3/runEngineWorker/supervisor/schemas.ts b/packages/core/src/v3/runEngineWorker/supervisor/schemas.ts
index a49fd53a096..e5360c6ed6b 100644
--- a/packages/core/src/v3/runEngineWorker/supervisor/schemas.ts
+++ b/packages/core/src/v3/runEngineWorker/supervisor/schemas.ts
@@ -64,9 +64,20 @@ export const WorkerApiConnectResponseBody = z.object({
 });
 export type WorkerApiConnectResponseBody = z.infer<typeof WorkerApiConnectResponseBody>;
 
+export const WorkerQueueClass = z.enum(["default", "scheduled"]);
+export type WorkerQueueClass = z.infer<typeof WorkerQueueClass>;
+
 export const WorkerApiDequeueRequestBody = z.object({
   maxResources: MachineResources.optional(),
   maxRunCount: z.number().optional(),
+  /**
+   * Which class of worker queue this consumer pulls from. Absent or "default" =
+   * the worker group's region queue. "scheduled" targets the dedicated
+   * scheduled-lineage queue so a separate fleet can drain it independently. The
+   * server derives the actual queue name from the token, so this only ever
+   * selects between the authenticated worker's own queues.
+   */
+  queueClass: WorkerQueueClass.optional(),
 });
 export type WorkerApiDequeueRequestBody = z.infer<typeof WorkerApiDequeueRequestBody>;
 
diff --git a/packages/core/src/v3/runEngineWorker/supervisor/session.ts b/packages/core/src/v3/runEngineWorker/supervisor/session.ts
index b2d344fb3dc..de823d792b7 100644
--- a/packages/core/src/v3/runEngineWorker/supervisor/session.ts
+++ b/packages/core/src/v3/runEngineWorker/supervisor/session.ts
@@ -1,6 +1,10 @@
 import { SupervisorHttpClient } from "./http.js";
 import { PreDequeueFn, PreSkipFn, SupervisorClientCommonOptions } from "./types.js";
-import { WorkerApiDequeueResponseBody, WorkerApiHeartbeatRequestBody } from "./schemas.js";
+import {
+  WorkerApiDequeueResponseBody,
+  WorkerApiHeartbeatRequestBody,
+  WorkerQueueClass,
+} from "./schemas.js";
 import { RunQueueConsumerPool, ScalingOptions } from "./consumerPool.js";
 import { WorkerEvents } from "./events.js";
 import EventEmitter from "events";
@@ -21,6 +25,8 @@ type SupervisorSessionOptions = SupervisorClientCommonOptions & {
   preDequeue?: PreDequeueFn;
   preSkip?: PreSkipFn;
   maxRunCount?: number;
+  /** Which worker-queue class this supervisor's consumers pull from. Defaults to the region queue. */
+  queueClass?: WorkerQueueClass;
   sendRunDebugLogs?: boolean;
   scaling: ScalingOptions;
   metricsRegistry?: Registry;
@@ -56,6 +62,7 @@ export class SupervisorSession extends EventEmitter<WorkerEvents> {
         intervalMs: opts.dequeueIntervalMs,
         idleIntervalMs: opts.dequeueIdleIntervalMs,
         maxRunCount: opts.maxRunCount,
+        queueClass: opts.queueClass,
       },
       scaling: opts.scaling,
       metricsRegistry: opts.metricsRegistry,
diff --git a/packages/core/src/v3/runtime/sharedRuntimeManager.ts b/packages/core/src/v3/runtime/sharedRuntimeManager.ts
index 09c718c1f6c..d70ffe616f5 100644
--- a/packages/core/src/v3/runtime/sharedRuntimeManager.ts
+++ b/packages/core/src/v3/runtime/sharedRuntimeManager.ts
@@ -219,7 +219,7 @@ export class SharedRuntimeManager implements RuntimeManager {
 
   private resolveWaitpoint(waitpoint: CompletedWaitpoint, resolverId?: ResolverId | null): void {
     // This is spammy, don't make this a debug log
-    this.log("resolveWaitpoint", waitpoint);
+    this.log("resolveWaitpoint", { id: waitpoint.id, type: waitpoint.type });
 
     if (waitpoint.type === "BATCH") {
       // We currently ignore these, they're not required to resume after a batch completes
diff --git a/packages/core/src/v3/schemas/api-type.test.ts b/packages/core/src/v3/schemas/api-type.test.ts
index c936b3c769d..87f755206da 100644
--- a/packages/core/src/v3/schemas/api-type.test.ts
+++ b/packages/core/src/v3/schemas/api-type.test.ts
@@ -1,5 +1,5 @@
 import { describe, it, expect } from "vitest";
-import { InitializeDeploymentRequestBody } from "./api.js";
+import { InitializeDeploymentRequestBody, TriggerTaskRequestBody } from "./api.js";
 import type { InitializeDeploymentRequestBody as InitializeDeploymentRequestBodyType } from "./api.js";
 
 describe("InitializeDeploymentRequestBody", () => {
@@ -139,3 +139,41 @@ describe("InitializeDeploymentRequestBody", () => {
     });
   });
 });
+
+describe("TriggerTaskRequestBody", () => {
+  it("accepts application/store payload as a non-empty string", () => {
+    const result = TriggerTaskRequestBody.safeParse({
+      payload: "packets/payloads/file.json",
+      context: {},
+      options: {
+        payloadType: "application/store",
+      },
+    });
+
+    expect(result.success).toBe(true);
+  });
+
+  it("rejects application/store payload when payload is not a string", () => {
+    const result = TriggerTaskRequestBody.safeParse({
+      payload: { foo: "bar" },
+      context: {},
+      options: {
+        payloadType: "application/store",
+      },
+    });
+
+    expect(result.success).toBe(false);
+  });
+
+  it("rejects application/store payload when payload is an empty string", () => {
+    const result = TriggerTaskRequestBody.safeParse({
+      payload: "",
+      context: {},
+      options: {
+        payloadType: "application/store",
+      },
+    });
+
+    expect(result.success).toBe(false);
+  });
+});
diff --git a/packages/core/src/v3/schemas/api.ts b/packages/core/src/v3/schemas/api.ts
index 6d324a10d11..a8a379f9307 100644
--- a/packages/core/src/v3/schemas/api.ts
+++ b/packages/core/src/v3/schemas/api.ts
@@ -81,6 +81,23 @@ export const GetProjectEnvResponse = z.object({
 
 export type GetProjectEnvResponse = z.infer<typeof GetProjectEnvResponse>;
 
+export const ProjectEnvironment = z.object({
+  id: z.string(),
+  /// The slug used as the environment identifier in env var endpoints (e.g. "dev", "stg", "prod", "preview")
+  slug: z.string(),
+  type: z.enum(["DEVELOPMENT", "STAGING", "PREVIEW", "PRODUCTION"]),
+  /// Whether this is the branchable parent (preview); individual branches are not returned
+  isBranchableEnvironment: z.boolean(),
+  branchName: z.string().nullable(),
+  paused: z.boolean(),
+});
+
+export type ProjectEnvironment = z.infer<typeof ProjectEnvironment>;
+
+export const GetProjectEnvironmentsResponseBody = z.array(ProjectEnvironment);
+
+export type GetProjectEnvironmentsResponseBody = z.infer<typeof GetProjectEnvironmentsResponseBody>;
+
 // Zod schema for the response body type
 export const GetWorkerTaskResponse = z.object({
   id: z.string(),
@@ -157,73 +174,99 @@ export const IdempotencyKeyOptionsSchema = z.object({
 
 export type IdempotencyKeyOptionsSchema = z.infer<typeof IdempotencyKeyOptionsSchema>;
 
-export const TriggerTaskRequestBody = z.object({
-  payload: z.any(),
-  context: z.any(),
-  options: z
-    .object({
-      /** @deprecated engine v1 only */
-      dependentAttempt: z.string().optional(),
-      /** @deprecated engine v1 only */
-      parentAttempt: z.string().optional(),
-      /** @deprecated engine v1 only */
-      dependentBatch: z.string().optional(),
-      /**
-       * If triggered in a batch, this is the BatchTaskRun id
-       */
-      parentBatch: z.string().optional(),
-      /**
-       * RunEngine v2
-       * If triggered inside another run, the parentRunId is the friendly ID of the parent run.
-       */
-      parentRunId: z.string().optional(),
-      /**
-       * RunEngine v2
-       * Should be `true` if `triggerAndWait` or `batchTriggerAndWait`
-       */
-      resumeParentOnCompletion: z.boolean().optional(),
-      /**
-       * Locks the version to the passed value.
-       * Automatically set when using `triggerAndWait` or `batchTriggerAndWait`
-       */
-      lockToVersion: z.string().optional(),
+// Coerces user-supplied concurrencyKey values to string. The downstream Prisma
+// column is String?, so passing a number (a common foot-gun when callers do
+// `concurrencyKey: payload.userId`) used to fail at `prisma.taskRun.create`
+// with PrismaClientValidationError. Accept the intent and stringify here.
+const ConcurrencyKeySchema = z.union([z.string(), z.number()]).transform((value) => String(value));
 
-      queue: z
-        .object({
-          name: z.string(),
-          // @deprecated, this is now specified on the queue
-          concurrencyLimit: z.number().int().optional(),
-        })
-        .optional(),
-      concurrencyKey: z.string().optional(),
-      delay: z.string().or(z.coerce.date()).optional(),
-      idempotencyKey: z.string().optional(),
-      idempotencyKeyTTL: z.string().optional(),
-      /** The original user-provided idempotency key and scope */
-      idempotencyKeyOptions: IdempotencyKeyOptionsSchema.optional(),
-      machine: MachinePresetName.optional(),
-      maxAttempts: z.number().int().optional(),
-      maxDuration: z.number().optional(),
-      metadata: z.any(),
-      metadataType: z.string().optional(),
-      payloadType: z.string().optional(),
-      tags: RunTags.optional(),
-      test: z.boolean().optional(),
-      ttl: z.string().or(z.number().nonnegative().int()).optional(),
-      priority: z.number().optional(),
-      bulkActionId: z.string().optional(),
-      region: z.string().optional(),
-      debounce: z
-        .object({
-          key: z.string().max(512),
-          delay: z.string(),
-          mode: z.enum(["leading", "trailing"]).optional(),
-          maxDelay: z.string().optional(),
-        })
-        .optional(),
-    })
-    .optional(),
-});
+export const TriggerTaskRequestBody = z
+  .object({
+    payload: z.any(),
+    context: z.any(),
+    options: z
+      .object({
+        /** @deprecated engine v1 only */
+        dependentAttempt: z.string().optional(),
+        /** @deprecated engine v1 only */
+        parentAttempt: z.string().optional(),
+        /** @deprecated engine v1 only */
+        dependentBatch: z.string().optional(),
+        /**
+         * If triggered in a batch, this is the BatchTaskRun id
+         */
+        parentBatch: z.string().optional(),
+        /**
+         * RunEngine v2
+         * If triggered inside another run, the parentRunId is the friendly ID of the parent run.
+         */
+        parentRunId: z.string().optional(),
+        /**
+         * RunEngine v2
+         * Should be `true` if `triggerAndWait` or `batchTriggerAndWait`
+         */
+        resumeParentOnCompletion: z.boolean().optional(),
+        /**
+         * Locks the version to the passed value.
+         * Automatically set when using `triggerAndWait` or `batchTriggerAndWait`
+         */
+        lockToVersion: z.string().optional(),
+
+        queue: z
+          .object({
+            name: z.string(),
+            // @deprecated, this is now specified on the queue
+            concurrencyLimit: z.number().int().optional(),
+          })
+          .optional(),
+        concurrencyKey: ConcurrencyKeySchema.optional(),
+        delay: z.string().or(z.coerce.date()).optional(),
+        idempotencyKey: z
+          .string()
+          // Caps user-supplied keys before they reach the unique idempotency index
+          // on the underlying table — values past this fail at the database layer
+          // rather than returning a clean 400.
+          .max(2048, "idempotencyKey must be 2048 characters or less")
+          .optional(),
+        idempotencyKeyTTL: z.string().optional(),
+        /** The original user-provided idempotency key and scope */
+        idempotencyKeyOptions: IdempotencyKeyOptionsSchema.optional(),
+        machine: MachinePresetName.optional(),
+        maxAttempts: z.number().int().optional(),
+        maxDuration: z.number().optional(),
+        metadata: z.any(),
+        metadataType: z.string().optional(),
+        payloadType: z.string().optional(),
+        tags: RunTags.optional(),
+        test: z.boolean().optional(),
+        ttl: z.string().or(z.number().nonnegative().int()).optional(),
+        priority: z.number().optional(),
+        bulkActionId: z.string().optional(),
+        region: z.string().optional(),
+        debounce: z
+          .object({
+            key: z.string().max(512),
+            delay: z.string(),
+            mode: z.enum(["leading", "trailing"]).optional(),
+            maxDelay: z.string().optional(),
+          })
+          .optional(),
+      })
+      .optional(),
+  })
+  .superRefine((value, ctx) => {
+    if (value.options?.payloadType !== "application/store") {
+      return;
+    }
+
+    if (typeof value.payload !== "string" || value.payload.length === 0) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: "payload must be a non-empty string when options.payloadType is application/store",
+        path: ["payload"],
+      });
+    }
+  });
 
 export type TriggerTaskRequestBody = z.infer<typeof TriggerTaskRequestBody>;
 
@@ -247,9 +290,15 @@ export const BatchTriggerTaskItem = z.object({
   context: z.any(),
   options: z
     .object({
-      concurrencyKey: z.string().optional(),
+      concurrencyKey: ConcurrencyKeySchema.optional(),
       delay: z.string().or(z.coerce.date()).optional(),
-      idempotencyKey: z.string().optional(),
+      idempotencyKey: z
+        .string()
+        // Caps user-supplied keys before they reach the unique idempotency index
+        // on the underlying table — values past this fail at the database layer
+        // rather than returning a clean 400.
+        .max(2048, "idempotencyKey must be 2048 characters or less")
+        .optional(),
       idempotencyKeyTTL: z.string().optional(),
       /** The original user-provided idempotency key and scope */
       idempotencyKeyOptions: IdempotencyKeyOptionsSchema.optional(),
@@ -358,7 +407,13 @@ export const CreateBatchRequestBody = z.object({
   /** Whether to resume parent on completion (true for batchTriggerAndWait) */
   resumeParentOnCompletion: z.boolean().optional(),
   /** Idempotency key for the batch */
-  idempotencyKey: z.string().optional(),
+  idempotencyKey: z
+    .string()
+    // Caps user-supplied keys before they reach the unique idempotency index
+    // on the underlying table — values past this fail at the database layer
+    // rather than returning a clean 400.
+    .max(2048, "idempotencyKey must be 2048 characters or less")
+    .optional(),
   /** The original user-provided idempotency key and scope */
   idempotencyKeyOptions: IdempotencyKeyOptionsSchema.optional(),
 });
@@ -383,7 +438,12 @@ export type CreateBatchResponse = z.infer<typeof CreateBatchResponse>;
 
 /**
  * Phase 2: Individual item in the NDJSON stream
- * Each line in the NDJSON body should match this schema
+ * Each line in the NDJSON body should match this schema.
+ *
+ * `options` reuses the strict shape from BatchTriggerTaskItem so that the
+ * Phase-2 streaming path validates option fields identically to the V2/V3
+ * batch trigger endpoints — historically this used z.record(z.unknown()) and
+ * let invalid values (e.g. numeric concurrencyKey) reach Prisma.
  */
 export const BatchItemNDJSON = z.object({
   /** Zero-based index of this item (used for idempotency and ordering) */
@@ -393,7 +453,7 @@ export const BatchItemNDJSON = z.object({
   /** The payload for this task run */
   payload: z.unknown().optional(),
   /** Options for this specific item */
-  options: z.record(z.unknown()).optional(),
+  options: BatchTriggerTaskItem.shape.options,
 });
 
 export type BatchItemNDJSON = z.infer<typeof BatchItemNDJSON>;
@@ -1115,6 +1175,8 @@ const CommonRunFields = {
   baseCostInCents: z.number(),
   durationMs: z.number(),
   metadata: z.record(z.any()).optional(),
+  taskKind: z.string().optional(),
+  region: z.string().optional(),
 };
 
 const RetrieveRunCommandFields = {
@@ -1182,6 +1244,8 @@ export const ImportEnvironmentVariablesRequestBody = z.object({
   variables: z.record(z.string()),
   parentVariables: z.record(z.string()).optional(),
   override: z.boolean().optional(),
+  // When omitted, variables default to non-secret (the DB default is false).
+  isSecret: z.boolean().optional(),
   source: z
     .discriminatedUnion("type", [
       z.object({ type: z.literal("user"), userId: z.string() }),
@@ -1350,7 +1414,13 @@ export const CreateWaitpointTokenRequestBody = z.object({
    *
    * Note: This waitpoint may already be complete, in which case when you wait for it, it will immediately continue.
    */
-  idempotencyKey: z.string().optional(),
+  idempotencyKey: z
+    .string()
+    // Caps user-supplied keys before they reach the unique idempotency index
+    // on the underlying table — values past this fail at the database layer
+    // rather than returning a clean 400.
+    .max(2048, "idempotencyKey must be 2048 characters or less")
+    .optional(),
   /**
    * When set, this means the passed in idempotency key will expire after this time.
    * This means after that time if you pass the same idempotency key again, you will get a new waitpoint.
@@ -1389,7 +1459,13 @@ export type CreateWaitpointTokenResponseBody = z.infer<typeof CreateWaitpointTok
 export const CreateInputStreamWaitpointRequestBody = z.object({
   streamId: z.string(),
   timeout: z.string().optional(),
-  idempotencyKey: z.string().optional(),
+  idempotencyKey: z
+    .string()
+    // Caps user-supplied keys before they reach the unique idempotency index
+    // on the underlying table — values past this fail at the database layer
+    // rather than returning a clean 400.
+    .max(2048, "idempotencyKey must be 2048 characters or less")
+    .optional(),
   idempotencyKeyTTL: z.string().optional(),
   tags: z.union([z.string(), z.array(z.string())]).optional(),
   /**
@@ -1411,6 +1487,44 @@ export type CreateInputStreamWaitpointResponseBody = z.infer<
   typeof CreateInputStreamWaitpointResponseBody
 >;
 
+/**
+ * Create a run-scoped waitpoint that completes when the next record lands on
+ * a Session channel (`.in` or `.out`). Mirrors `CreateInputStreamWaitpointRequestBody`
+ * but keyed by `{sessionId, io}` instead of `{runId, streamId}`. The run is
+ * still the thing being suspended — Session only supplies the trigger source.
+ */
+export const CreateSessionStreamWaitpointRequestBody = z.object({
+  /** Session friendlyId (`session_*`) or user-supplied externalId. */
+  session: z.string(),
+  io: z.enum(["out", "in"]),
+  timeout: z.string().optional(),
+  idempotencyKey: z
+    .string()
+    // Caps user-supplied keys before they reach the unique idempotency index
+    // on the underlying table — values past this fail at the database layer
+    // rather than returning a clean 400.
+    .max(2048, "idempotencyKey must be 2048 characters or less")
+    .optional(),
+  idempotencyKeyTTL: z.string().optional(),
+  tags: z.union([z.string(), z.array(z.string())]).optional(),
+  /**
+   * Last S2 sequence number the client has seen on this session channel.
+   * Used to catch data that arrived before `.wait()` was called.
+   */
+  lastSeqNum: z.number().optional(),
+});
+export type CreateSessionStreamWaitpointRequestBody = z.infer<
+  typeof CreateSessionStreamWaitpointRequestBody
+>;
+
+export const CreateSessionStreamWaitpointResponseBody = z.object({
+  waitpointId: z.string(),
+  isCached: z.boolean(),
+});
+export type CreateSessionStreamWaitpointResponseBody = z.infer<
+  typeof CreateSessionStreamWaitpointResponseBody
+>;
+
 export const waitpointTokenStatuses = ["WAITING", "COMPLETED", "TIMED_OUT"] as const;
 export const WaitpointTokenStatus = z.enum(waitpointTokenStatuses);
 export type WaitpointTokenStatus = z.infer<typeof WaitpointTokenStatus>;
@@ -1449,6 +1563,220 @@ export const CompleteWaitpointTokenRequestBody = z.object({
 });
 export type CompleteWaitpointTokenRequestBody = z.infer<typeof CompleteWaitpointTokenRequestBody>;
 
+/**
+ * Trigger config persisted on a Session. Drives every run the session
+ * schedules — `basePayload` is the customer's wire payload (for
+ * chat.agent: `{ chatId, ...clientData }`), runtime fields like
+ * `trigger: "preload" | "trigger"` are merged on top per-call by the
+ * server's trigger machinery.
+ */
+export const SessionTriggerConfig = z.object({
+  basePayload: z.record(z.unknown()),
+  machine: MachinePresetName.optional(),
+  queue: z.string().max(128).optional(),
+  tags: z.array(z.string().max(128)).max(5).optional(),
+  maxAttempts: z.number().int().positive().max(10).optional(),
+  /** Per-run wall-clock cap (seconds). Forwarded to `TaskRunOptions.maxDuration`. */
+  maxDuration: z.number().int().positive().optional(),
+  /** Pin every run to a specific worker version. Forwarded to `TaskRunOptions.lockToVersion`. */
+  lockToVersion: z.string().optional(),
+  /** Region to schedule runs in. Forwarded to `TaskRunOptions.region`. */
+  region: z.string().optional(),
+  /** Convenience field surfaced to chat.agent via the wire payload. */
+  idleTimeoutInSeconds: z.number().int().positive().max(3600).optional(),
+});
+export type SessionTriggerConfig = z.infer<typeof SessionTriggerConfig>;
+
+/**
+ * Request body for `POST /api/v1/sessions`. Creates a Session and
+ * triggers its first run. Sessions are task-bound: `taskIdentifier` and
+ * `triggerConfig` are required, and re-runs scheduled by the server
+ * (after run termination, after `end-and-continue`) reuse the same
+ * config.
+ */
+export const CreateSessionRequestBody = z.object({
+  /** Plain string discriminator — e.g. `"chat.agent"`. Not validated against an enum on the server. */
+  type: z.string().min(1).max(64),
+  /** User-supplied idempotency key. Unique per environment. Empty strings are rejected. */
+  externalId: z
+    .string()
+    .trim()
+    .min(1)
+    .max(256)
+    .refine((v) => !v.startsWith("session_"), {
+      message: "externalId cannot start with 'session_' (reserved prefix for internal friendlyIds)",
+    })
+    .optional(),
+  /** Task this session triggers runs against. Required. */
+  taskIdentifier: z.string().min(1).max(128),
+  /** Trigger config used for every run scheduled by this session. */
+  triggerConfig: SessionTriggerConfig,
+  /** Up to 10 tags for dashboard filtering. */
+  tags: z.array(z.string().max(128)).max(10).optional(),
+  /** Arbitrary JSON metadata. */
+  metadata: z.record(z.unknown()).optional(),
+  /** Absolute expiry timestamp for retention. */
+  expiresAt: z.coerce.date().optional(),
+});
+export type CreateSessionRequestBody = z.infer<typeof CreateSessionRequestBody>;
+
+export const SessionItem = z.object({
+  id: z.string(),
+  externalId: z.string().nullable(),
+  type: z.string(),
+  taskIdentifier: z.string(),
+  /**
+   * Optional on the wire because some surfaces (the list endpoint backed
+   * by ClickHouse, list-page rendering) don't carry triggerConfig.
+   * Always populated on `POST /sessions` and `GET /sessions/:id`.
+   */
+  triggerConfig: SessionTriggerConfig.optional(),
+  /**
+   * Friendly id of the live run for this session, if any. Optional on
+   * the wire — list surfaces may not include it. Routes that emit
+   * `SessionItem` are responsible for resolving the friendly form
+   * from the underlying cuid before returning.
+   */
+  currentRunId: z.string().nullable().optional(),
+  tags: z.array(z.string()),
+  metadata: z.record(z.unknown()).nullable(),
+  closedAt: z.coerce.date().nullable(),
+  closedReason: z.string().nullable(),
+  expiresAt: z.coerce.date().nullable(),
+  createdAt: z.coerce.date(),
+  updatedAt: z.coerce.date(),
+});
+export type SessionItem = z.infer<typeof SessionItem>;
+
+export const CreatedSessionResponseBody = SessionItem.extend({
+  /** Friendly id of the first run triggered alongside session create. */
+  runId: z.string(),
+  /** Session-scoped public access token: `read:sessions:{ext} + write:sessions:{ext}`. */
+  publicAccessToken: z.string(),
+  /** True if the session existed already (idempotent upsert), false if newly created. */
+  isCached: z.boolean(),
+});
+export type CreatedSessionResponseBody = z.infer<typeof CreatedSessionResponseBody>;
+
+export const RetrieveSessionResponseBody = SessionItem;
+export type RetrieveSessionResponseBody = z.infer<typeof RetrieveSessionResponseBody>;
+
+/**
+ * Body for `POST /api/v1/sessions/:session/end-and-continue`. Used by the
+ * running agent to request a clean handoff to a fresh run on the latest
+ * deployed version (typical use case: `chat.requestUpgrade`). The
+ * server triggers a new run, atomically swaps `currentRunId`, and the
+ * caller exits.
+ */
+export const EndAndContinueSessionRequestBody = z.object({
+  /** The friendlyId of the run requesting the handoff. */
+  callingRunId: z.string(),
+  /** Free-form label for the SessionRun audit row. e.g. `"upgrade"`. */
+  reason: z.string().max(64),
+});
+export type EndAndContinueSessionRequestBody = z.infer<typeof EndAndContinueSessionRequestBody>;
+
+export const EndAndContinueSessionResponseBody = z.object({
+  /** friendlyId of the run that has taken over the session. */
+  runId: z.string(),
+  /**
+   * False when the swap was preempted (a different run was already
+   * running by the time we tried to claim). The caller should treat
+   * this as "someone else moved on" — exit cleanly without expecting
+   * to drive the next run.
+   */
+  swapped: z.boolean(),
+});
+export type EndAndContinueSessionResponseBody = z.infer<typeof EndAndContinueSessionResponseBody>;
+
+export const UpdateSessionRequestBody = z.object({
+  tags: z.array(z.string().max(128)).max(10).optional(),
+  metadata: z.record(z.unknown()).nullable().optional(),
+  // Null explicitly clears the externalId; non-null values must be non-empty.
+  externalId: z
+    .union([
+      z.literal(null),
+      z
+        .string()
+        .trim()
+        .min(1)
+        .max(256)
+        .refine((v) => !v.startsWith("session_"), {
+          message:
+            "externalId cannot start with 'session_' (reserved prefix for internal friendlyIds)",
+        }),
+    ])
+    .optional(),
+});
+export type UpdateSessionRequestBody = z.infer<typeof UpdateSessionRequestBody>;
+
+export const CloseSessionRequestBody = z.object({
+  reason: z.string().max(256).optional(),
+});
+export type CloseSessionRequestBody = z.infer<typeof CloseSessionRequestBody>;
+
+export const SessionStatus = z.enum(["ACTIVE", "CLOSED", "EXPIRED"]);
+export type SessionStatus = z.infer<typeof SessionStatus>;
+
+/**
+ * Server-side validation schema for `GET /api/v1/sessions`. Follows the same
+ * cursor-pagination convention as runs/waitpoints (`page[size]`,
+ * `page[after]`, `page[before]`) and uses the `filter[*]` prefix for
+ * narrowing fields — both produced automatically by `zodfetchCursorPage`
+ * and the matching client-side search-query helper.
+ */
+export const ListSessionsQueryParams = z
+  .object({
+    "page[size]": z.coerce.number().int().min(1).max(100).default(20),
+    "page[after]": z.string().optional(),
+    "page[before]": z.string().optional(),
+    "filter[type]": z.union([z.string(), z.array(z.string())]).optional(),
+    "filter[tags]": z.union([z.string(), z.array(z.string())]).optional(),
+    "filter[taskIdentifier]": z.union([z.string(), z.array(z.string())]).optional(),
+    "filter[externalId]": z.string().optional(),
+    "filter[status]": z.union([SessionStatus, z.array(SessionStatus)]).optional(),
+    "filter[createdAt][period]": z.string().optional(),
+    "filter[createdAt][from]": z.coerce.number().int().optional(),
+    "filter[createdAt][to]": z.coerce.number().int().optional(),
+  })
+  .refine((value) => !(value["page[after]"] && value["page[before]"]), {
+    message: "Cannot pass both page[after] and page[before] on the same request",
+    path: ["page[before]"],
+  });
+export type ListSessionsQueryParams = z.infer<typeof ListSessionsQueryParams>;
+
+/**
+ * Client-facing list options — flattened shape that
+ * {@link ApiClient.listSessions} converts into the `filter[*]` / `page[*]`
+ * query string before sending.
+ */
+export const ListSessionsOptions = z.object({
+  limit: z.number().int().min(1).max(100).optional(),
+  after: z.string().optional(),
+  before: z.string().optional(),
+  type: z.union([z.string(), z.array(z.string())]).optional(),
+  tag: z.union([z.string(), z.array(z.string())]).optional(),
+  taskIdentifier: z.union([z.string(), z.array(z.string())]).optional(),
+  externalId: z.string().optional(),
+  status: z.union([SessionStatus, z.array(SessionStatus)]).optional(),
+  period: z.string().optional(),
+  from: z.union([z.number(), z.date()]).optional(),
+  to: z.union([z.number(), z.date()]).optional(),
+});
+export type ListSessionsOptions = z.infer<typeof ListSessionsOptions>;
+
+export const ListedSessionItem = SessionItem;
+export type ListedSessionItem = z.infer<typeof ListedSessionItem>;
+
+export const ListSessionsResponseBody = z.object({
+  data: z.array(ListedSessionItem),
+  pagination: z.object({
+    next: z.string().optional(),
+    previous: z.string().optional(),
+  }),
+});
+export type ListSessionsResponseBody = z.infer<typeof ListSessionsResponseBody>;
+
 export const CompleteWaitpointTokenResponseBody = z.object({
   success: z.literal(true),
 });
@@ -1466,7 +1794,13 @@ export const WaitForDurationRequestBody = z.object({
    *
    * Note: This waitpoint may already be complete, in which case when you wait for it, it will immediately continue.
    */
-  idempotencyKey: z.string().optional(),
+  idempotencyKey: z
+    .string()
+    // Caps user-supplied keys before they reach the unique idempotency index
+    // on the underlying table — values past this fail at the database layer
+    // rather than returning a clean 400.
+    .max(2048, "idempotencyKey must be 2048 characters or less")
+    .optional(),
   /**
    * When set, this means the passed in idempotency key will expire after this time.
    * This means after that time if you pass the same idempotency key again, you will get a new waitpoint.
@@ -1573,6 +1907,9 @@ export const ApiDeploymentListResponseItem = z.object({
 
 export type ApiDeploymentListResponseItem = z.infer<typeof ApiDeploymentListResponseItem>;
 
+export const RetrieveCurrentDeploymentResponseBody = ApiDeploymentListResponseItem;
+export type RetrieveCurrentDeploymentResponseBody = ApiDeploymentListResponseItem;
+
 export const ApiBranchListResponseBody = z.object({
   branches: z.array(
     z.object({
@@ -1693,6 +2030,39 @@ export const SendInputStreamResponseBody = z.object({
 });
 export type SendInputStreamResponseBody = z.infer<typeof SendInputStreamResponseBody>;
 
+/**
+ * Response body for `GET /realtime/v1/sessions/:id/:io/records`. A non-SSE,
+ * `wait=0` drain of a session channel — used at run boot for snapshot
+ * replay where the SSE long-poll tax (~1s on empty streams) was the
+ * dominant cost.
+ *
+ * `data` is the parsed chunk body (the SDK writer puts the chunk object
+ * directly into the S2 record envelope; the route unwraps the envelope
+ * and forwards the inner object as-is). Callers use it directly — no
+ * additional JSON.parse step. Schema is `z.unknown()` because chunk
+ * shape varies by `chunk.type` (the AI SDK's `UIMessageChunk`
+ * discriminated union plus Trigger control records); consumers
+ * already runtime-check on the discriminator and tolerate malformed
+ * records by skipping them.
+ */
+export const ReadSessionStreamRecordsResponseBody = z.object({
+  records: z.array(
+    z.object({
+      data: z.unknown(),
+      id: z.string(),
+      seqNum: z.number(),
+      // S2 record headers — present on Trigger control records (e.g.
+      // `trigger-control: turn-complete` plus sibling headers). The
+      // server has always serialized them; older schemas stripped them
+      // client-side, so treat as optional.
+      headers: z.array(z.tuple([z.string(), z.string()])).optional(),
+    })
+  ),
+});
+export type ReadSessionStreamRecordsResponseBody = z.infer<
+  typeof ReadSessionStreamRecordsResponseBody
+>;
+
 export const ResolvePromptRequestBody = z.object({
   variables: z.record(z.unknown()).default({}),
   label: z.string().optional(),
@@ -1770,7 +2140,9 @@ export type UpdatePromptOverrideRequestBody = z.infer<typeof UpdatePromptOverrid
 export const ReactivatePromptOverrideRequestBody = z.object({
   version: z.number().int().positive(),
 });
-export type ReactivatePromptOverrideRequestBody = z.infer<typeof ReactivatePromptOverrideRequestBody>;
+export type ReactivatePromptOverrideRequestBody = z.infer<
+  typeof ReactivatePromptOverrideRequestBody
+>;
 
 export const PromptOkResponseBody = z.object({ ok: z.boolean() });
 export type PromptOkResponseBody = z.infer<typeof PromptOkResponseBody>;
diff --git a/packages/core/src/v3/schemas/batchItemNDJSON.test.ts b/packages/core/src/v3/schemas/batchItemNDJSON.test.ts
new file mode 100644
index 00000000000..f130bba4450
--- /dev/null
+++ b/packages/core/src/v3/schemas/batchItemNDJSON.test.ts
@@ -0,0 +1,88 @@
+import { describe, it, expect } from "vitest";
+import { BatchItemNDJSON, BatchTriggerTaskItem, TriggerTaskRequestBody } from "./api.js";
+
+describe("concurrencyKey coercion", () => {
+  // Phase-2 NDJSON used to accept arbitrary shapes for `options`, so a numeric
+  // concurrencyKey (a common foot-gun when callers pass
+  // `concurrencyKey: payload.userId`) reached Prisma untouched and failed
+  // there with PrismaClientValidationError. The schema now coerces
+  // number → string at the API boundary across every trigger path.
+  describe("BatchItemNDJSON", () => {
+    it("coerces a numeric concurrencyKey to a string", () => {
+      const result = BatchItemNDJSON.safeParse({
+        index: 0,
+        task: "user-workflow-tick",
+        payload: { json: { userId: 51262 } },
+        options: { concurrencyKey: 51262 },
+      });
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.options?.concurrencyKey).toBe("51262");
+      }
+    });
+
+    it("accepts a string concurrencyKey unchanged", () => {
+      const result = BatchItemNDJSON.safeParse({
+        index: 0,
+        task: "user-workflow-tick",
+        payload: { json: { userId: 51262 } },
+        options: { concurrencyKey: "user-51262" },
+      });
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.options?.concurrencyKey).toBe("user-51262");
+      }
+    });
+
+    it("accepts an item with no options", () => {
+      const result = BatchItemNDJSON.safeParse({
+        index: 0,
+        task: "user-workflow-tick",
+        payload: { json: { userId: 51262 } },
+      });
+
+      expect(result.success).toBe(true);
+    });
+
+    it("rejects a non-numeric, non-string concurrencyKey", () => {
+      const result = BatchItemNDJSON.safeParse({
+        index: 0,
+        task: "user-workflow-tick",
+        options: { concurrencyKey: { nested: "object" } },
+      });
+
+      expect(result.success).toBe(false);
+    });
+  });
+
+  describe("BatchTriggerTaskItem", () => {
+    it("coerces a numeric concurrencyKey to a string", () => {
+      const result = BatchTriggerTaskItem.safeParse({
+        task: "user-workflow-tick",
+        payload: { userId: 51262 },
+        options: { concurrencyKey: 51262 },
+      });
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.options?.concurrencyKey).toBe("51262");
+      }
+    });
+  });
+
+  describe("TriggerTaskRequestBody", () => {
+    it("coerces a numeric concurrencyKey to a string", () => {
+      const result = TriggerTaskRequestBody.safeParse({
+        payload: { userId: 51262 },
+        options: { concurrencyKey: 51262 },
+      });
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.options?.concurrencyKey).toBe("51262");
+      }
+    });
+  });
+});
diff --git a/packages/core/src/v3/schemas/build.ts b/packages/core/src/v3/schemas/build.ts
index bda5efb0ad9..e1543529a48 100644
--- a/packages/core/src/v3/schemas/build.ts
+++ b/packages/core/src/v3/schemas/build.ts
@@ -1,6 +1,12 @@
 import { z } from "zod";
 import { ConfigManifest } from "./config.js";
-import { PromptManifest, QueueManifest, TaskFile, TaskManifest } from "./schemas.js";
+import {
+  PromptManifest,
+  QueueManifest,
+  SkillManifest,
+  TaskFile,
+  TaskManifest,
+} from "./schemas.js";
 
 export const BuildExternal = z.object({
   name: z.string(),
@@ -70,6 +76,8 @@ export const BuildManifest = z.object({
     .optional(),
   /** Maps output file paths to their content hashes for deduplication during dev */
   outputHashes: z.record(z.string()).optional(),
+  /** Skills discovered and bundled into `.trigger/skills/{id}/` under `outputPath`. */
+  skills: SkillManifest.array().optional(),
 });
 
 export type BuildManifest = z.infer<typeof BuildManifest>;
@@ -87,6 +95,7 @@ export const WorkerManifest = z.object({
   configPath: z.string(),
   tasks: TaskManifest.array(),
   prompts: PromptManifest.array().optional(),
+  skills: SkillManifest.array().optional(),
   queues: QueueManifest.array().optional(),
   workerEntryPoint: z.string(),
   controllerEntryPoint: z.string().optional(),
diff --git a/packages/core/src/v3/schemas/common.ts b/packages/core/src/v3/schemas/common.ts
index f3757208335..4de2ddb5802 100644
--- a/packages/core/src/v3/schemas/common.ts
+++ b/packages/core/src/v3/schemas/common.ts
@@ -174,6 +174,7 @@ export const TaskRunInternalError = z.object({
     "GRACEFUL_EXIT_TIMEOUT",
     "TASK_RUN_HEARTBEAT_TIMEOUT",
     "TASK_RUN_CRASHED",
+    "TASK_RUN_UNCAUGHT_EXCEPTION",
     "MAX_DURATION_EXCEEDED",
     "DISK_SPACE_EXCEEDED",
     "POD_EVICTED",
@@ -215,6 +216,7 @@ export const TaskRun = z.object({
   payloadType: z.string(),
   tags: z.array(z.string()),
   isTest: z.boolean().default(false),
+  isReplay: z.boolean().default(false),
   createdAt: z.coerce.date(),
   startedAt: z.coerce.date().default(() => new Date()),
   /** The user-provided idempotency key (not the hash) */
@@ -378,6 +380,7 @@ export const V3TaskRun = z.object({
   payloadType: z.string(),
   tags: z.array(z.string()),
   isTest: z.boolean().default(false),
+  isReplay: z.boolean().default(false),
   createdAt: z.coerce.date(),
   startedAt: z.coerce.date().default(() => new Date()),
   /** The user-provided idempotency key (not the hash) */
@@ -538,13 +541,13 @@ export type WaitpointTokenResult = z.infer<typeof WaitpointTokenResult>;
 
 export type WaitpointTokenTypedResult<T> =
   | {
-    ok: true;
-    output: T;
-  }
+      ok: true;
+      output: T;
+    }
   | {
-    ok: false;
-    error: Error;
-  };
+      ok: false;
+      error: Error;
+    };
 
 export const SerializedError = z.object({
   message: z.string(),
diff --git a/packages/core/src/v3/schemas/idempotencyKey.test.ts b/packages/core/src/v3/schemas/idempotencyKey.test.ts
new file mode 100644
index 00000000000..cad9db69080
--- /dev/null
+++ b/packages/core/src/v3/schemas/idempotencyKey.test.ts
@@ -0,0 +1,173 @@
+import { describe, it, expect } from "vitest";
+import {
+  BatchTriggerTaskItem,
+  CreateBatchRequestBody,
+  CreateInputStreamWaitpointRequestBody,
+  CreateSessionStreamWaitpointRequestBody,
+  CreateWaitpointTokenRequestBody,
+  TriggerTaskRequestBody,
+  WaitForDurationRequestBody,
+} from "./api.js";
+
+// These tests verify the zod-level character cap (.max(2048)) on schemas whose
+// idempotencyKey lands against a unique composite index downstream. The cap
+// itself is a JS-string-length check, so the constants below are chosen to
+// exercise the boundary cleanly — high entropy isn't required for this layer.
+const TOO_LONG = "x".repeat(3000);
+const AT_LIMIT = "x".repeat(2048);
+const SDK_HASH = "a".repeat(64); // shape of idempotencyKeys.create() output
+
+describe("idempotencyKey length validation", () => {
+  describe("TriggerTaskRequestBody", () => {
+    it("rejects an idempotencyKey over 2048 characters with a clear message", () => {
+      const result = TriggerTaskRequestBody.safeParse({
+        payload: {},
+        options: { idempotencyKey: TOO_LONG },
+      });
+
+      expect(result.success).toBe(false);
+      if (!result.success) {
+        const issue = result.error.issues[0]!;
+        expect(issue.path).toEqual(["options", "idempotencyKey"]);
+        expect(issue.message).toBe("idempotencyKey must be 2048 characters or less");
+      }
+    });
+
+    it("accepts an idempotencyKey at the 2048-character limit", () => {
+      const result = TriggerTaskRequestBody.safeParse({
+        payload: {},
+        options: { idempotencyKey: AT_LIMIT },
+      });
+
+      expect(result.success).toBe(true);
+    });
+
+    it("accepts the SDK-generated 64-character hash", () => {
+      const result = TriggerTaskRequestBody.safeParse({
+        payload: {},
+        options: { idempotencyKey: SDK_HASH },
+      });
+
+      expect(result.success).toBe(true);
+    });
+  });
+
+  describe("BatchTriggerTaskItem", () => {
+    it("rejects an idempotencyKey over 2048 characters", () => {
+      const result = BatchTriggerTaskItem.safeParse({
+        task: "my-task",
+        payload: {},
+        options: { idempotencyKey: TOO_LONG },
+      });
+
+      expect(result.success).toBe(false);
+    });
+
+    it("accepts an idempotencyKey at the 2048-character limit", () => {
+      const result = BatchTriggerTaskItem.safeParse({
+        task: "my-task",
+        payload: {},
+        options: { idempotencyKey: AT_LIMIT },
+      });
+
+      expect(result.success).toBe(true);
+    });
+  });
+
+  describe("CreateBatchRequestBody", () => {
+    it("rejects an idempotencyKey over 2048 characters with a clear message", () => {
+      const result = CreateBatchRequestBody.safeParse({
+        runCount: 1,
+        idempotencyKey: TOO_LONG,
+      });
+
+      expect(result.success).toBe(false);
+      if (!result.success) {
+        const issue = result.error.issues[0]!;
+        expect(issue.path).toEqual(["idempotencyKey"]);
+        expect(issue.message).toBe("idempotencyKey must be 2048 characters or less");
+      }
+    });
+
+    it("accepts an idempotencyKey at the 2048-character limit", () => {
+      const result = CreateBatchRequestBody.safeParse({
+        runCount: 1,
+        idempotencyKey: AT_LIMIT,
+      });
+
+      expect(result.success).toBe(true);
+    });
+  });
+
+  describe("CreateWaitpointTokenRequestBody", () => {
+    it("rejects an idempotencyKey over 2048 characters with a clear message", () => {
+      const result = CreateWaitpointTokenRequestBody.safeParse({
+        idempotencyKey: TOO_LONG,
+      });
+
+      expect(result.success).toBe(false);
+      if (!result.success) {
+        const issue = result.error.issues[0]!;
+        expect(issue.path).toEqual(["idempotencyKey"]);
+        expect(issue.message).toBe("idempotencyKey must be 2048 characters or less");
+      }
+    });
+
+    it("accepts an idempotencyKey at the 2048-character limit", () => {
+      const result = CreateWaitpointTokenRequestBody.safeParse({
+        idempotencyKey: AT_LIMIT,
+      });
+
+      expect(result.success).toBe(true);
+    });
+  });
+
+  describe("CreateInputStreamWaitpointRequestBody", () => {
+    it("rejects an idempotencyKey over 2048 characters with a clear message", () => {
+      const result = CreateInputStreamWaitpointRequestBody.safeParse({
+        streamId: "stream_1",
+        idempotencyKey: TOO_LONG,
+      });
+
+      expect(result.success).toBe(false);
+      if (!result.success) {
+        const issue = result.error.issues[0]!;
+        expect(issue.path).toEqual(["idempotencyKey"]);
+        expect(issue.message).toBe("idempotencyKey must be 2048 characters or less");
+      }
+    });
+  });
+
+  describe("CreateSessionStreamWaitpointRequestBody", () => {
+    it("rejects an idempotencyKey over 2048 characters with a clear message", () => {
+      const result = CreateSessionStreamWaitpointRequestBody.safeParse({
+        session: "session_1",
+        io: "out",
+        idempotencyKey: TOO_LONG,
+      });
+
+      expect(result.success).toBe(false);
+      if (!result.success) {
+        const issue = result.error.issues[0]!;
+        expect(issue.path).toEqual(["idempotencyKey"]);
+        expect(issue.message).toBe("idempotencyKey must be 2048 characters or less");
+      }
+    });
+  });
+
+  describe("WaitForDurationRequestBody", () => {
+    it("rejects an idempotencyKey over 2048 characters with a clear message", () => {
+      const result = WaitForDurationRequestBody.safeParse({
+        date: new Date(),
+        idempotencyKey: TOO_LONG,
+      });
+
+      expect(result.success).toBe(false);
+      if (!result.success) {
+        const issue = result.error.issues[0]!;
+        expect(issue.path).toEqual(["idempotencyKey"]);
+        expect(issue.message).toBe("idempotencyKey must be 2048 characters or less");
+      }
+    });
+  });
+});
diff --git a/packages/core/src/v3/schemas/messages.ts b/packages/core/src/v3/schemas/messages.ts
index b58babba717..2c7c357c3b7 100644
--- a/packages/core/src/v3/schemas/messages.ts
+++ b/packages/core/src/v3/schemas/messages.ts
@@ -156,6 +156,10 @@ export const indexerToWorkerMessages = {
     importErrors: ImportTaskFileErrors,
   }),
   TASKS_FAILED_TO_PARSE: TaskMetadataFailedToParseData,
+  TASKS_FAILED_TO_INDEX: z.object({
+    version: z.literal("v1").default("v1"),
+    collisions: z.array(z.object({ id: z.string(), filePaths: z.array(z.string()) })),
+  }),
   UNCAUGHT_EXCEPTION: UncaughtExceptionMessage,
 };
 
diff --git a/packages/core/src/v3/schemas/resources.ts b/packages/core/src/v3/schemas/resources.ts
index e681c728416..753324d1257 100644
--- a/packages/core/src/v3/schemas/resources.ts
+++ b/packages/core/src/v3/schemas/resources.ts
@@ -2,6 +2,12 @@ import { z } from "zod";
 import { QueueManifest, RetryOptions, ScheduleMetadata } from "./schemas.js";
 import { MachineConfig } from "./common.js";
 
+export const AgentConfig = z.object({
+  type: z.string(), // "ai-sdk-chat" initially, extensible for future agent types
+});
+
+export type AgentConfig = z.infer<typeof AgentConfig>;
+
 export const TaskResource = z.object({
   id: z.string(),
   description: z.string().optional(),
@@ -11,6 +17,7 @@ export const TaskResource = z.object({
   retry: RetryOptions.optional(),
   machine: MachineConfig.optional(),
   triggerSource: z.string().optional(),
+  agentConfig: AgentConfig.optional(),
   schedule: ScheduleMetadata.optional(),
   maxDuration: z.number().optional(),
   ttl: z.string().or(z.number().nonnegative().int()).optional(),
diff --git a/packages/core/src/v3/schemas/runEngine.ts b/packages/core/src/v3/schemas/runEngine.ts
index 9378b290270..5ea22960bf2 100644
--- a/packages/core/src/v3/schemas/runEngine.ts
+++ b/packages/core/src/v3/schemas/runEngine.ts
@@ -15,11 +15,15 @@ export const TriggerAction = z.enum(["trigger", "replay", "test"]).or(anyString)
 
 export type TriggerAction = z.infer<typeof TriggerAction>;
 
+export const TaskKind = z.enum(["STANDARD", "SCHEDULED", "AGENT"]).or(anyString);
+export type TaskKind = z.infer<typeof TaskKind>;
+
 export const RunAnnotations = z.object({
   triggerSource: TriggerSource,
   triggerAction: TriggerAction,
   rootTriggerSource: TriggerSource,
   rootScheduleId: z.string().optional(),
+  taskKind: TaskKind.optional(),
 });
 
 export type RunAnnotations = z.infer<typeof RunAnnotations>;
@@ -277,6 +281,7 @@ export const DequeuedMessage = z.object({
     id: z.string(),
     friendlyId: z.string(),
     isTest: z.boolean(),
+    isReplay: z.boolean().default(false),
     machine: MachinePreset,
     attemptNumber: z.number(),
     masterQueue: z.string(),
diff --git a/packages/core/src/v3/schemas/schemas.ts b/packages/core/src/v3/schemas/schemas.ts
index 4ec559ebf41..95564cb1efc 100644
--- a/packages/core/src/v3/schemas/schemas.ts
+++ b/packages/core/src/v3/schemas/schemas.ts
@@ -180,6 +180,10 @@ export const ScheduleMetadata = z.object({
   environments: z.array(EnvironmentType).optional(),
 });
 
+const AgentConfig = z.object({
+  type: z.string(),
+});
+
 const taskMetadata = {
   id: z.string(),
   description: z.string().optional(),
@@ -187,6 +191,7 @@ const taskMetadata = {
   retry: RetryOptions.optional(),
   machine: MachineConfig.optional(),
   triggerSource: z.string().optional(),
+  agentConfig: AgentConfig.optional(),
   schedule: ScheduleMetadata.optional(),
   maxDuration: z.number().optional(),
   ttl: z.string().or(z.number().nonnegative().int()).optional(),
@@ -241,6 +246,28 @@ export const PromptManifest = z.object({
 
 export type PromptManifest = z.infer<typeof PromptManifest>;
 
+// ── Skills ────────────────────────────────────────────────────────────────
+//
+// A skill is a developer-authored folder (SKILL.md + scripts/references/assets)
+// bundled into the deploy image. SkillMetadata is registered at module load
+// by `ai.defineSkill({ id, path })`; the CLI's built-in bundler picks it up
+// during deploy and copies the folder into the deploy image.
+
+const skillMetadata = {
+  id: z.string(),
+  /** Path to the skill's source folder, relative to the project root. */
+  sourcePath: z.string(),
+};
+
+export const SkillMetadata = z.object(skillMetadata);
+export type SkillMetadata = z.infer<typeof SkillMetadata>;
+
+export const SkillManifest = z.object({
+  ...skillMetadata,
+  ...taskFileMetadata,
+});
+export type SkillManifest = z.infer<typeof SkillManifest>;
+
 export const PostStartCauses = z.enum(["index", "create", "restore"]);
 export type PostStartCauses = z.infer<typeof PostStartCauses>;
 
@@ -292,6 +319,7 @@ export const TaskRunExecutionLazyAttemptPayload = z.object({
   attemptCount: z.number().optional(),
   messageId: z.string(),
   isTest: z.boolean(),
+  isReplay: z.boolean().default(false),
   traceContext: z.record(z.unknown()),
   environment: z.record(z.string()).optional(),
   metrics: TaskRunExecutionMetrics.optional(),
diff --git a/packages/core/src/v3/sdkScope-api.ts b/packages/core/src/v3/sdkScope-api.ts
new file mode 100644
index 00000000000..ea3906aa97e
--- /dev/null
+++ b/packages/core/src/v3/sdkScope-api.ts
@@ -0,0 +1 @@
+export { sdkScope, type SdkScope } from "./sdkScope/index.js";
diff --git a/packages/core/src/v3/sdkScope/index.ts b/packages/core/src/v3/sdkScope/index.ts
new file mode 100644
index 00000000000..943ed953bd9
--- /dev/null
+++ b/packages/core/src/v3/sdkScope/index.ts
@@ -0,0 +1,21 @@
+import type { SdkScope, SdkScopeStorage } from "./types.js";
+
+export type { SdkScope, SdkScopeStorage } from "./types.js";
+
+let installedStorage: SdkScopeStorage | undefined;
+
+export function _installSdkScopeStorage(storage: SdkScopeStorage): void {
+  installedStorage = storage;
+}
+
+export const sdkScope = {
+  hasStorage(): boolean {
+    return installedStorage !== undefined;
+  },
+  getStore(): SdkScope | undefined {
+    return installedStorage?.getStore();
+  },
+  withScope<R>(scope: SdkScope, fn: () => R): R {
+    return installedStorage ? installedStorage.run(scope, fn) : fn();
+  },
+};
diff --git a/packages/core/src/v3/sdkScope/storage-node.ts b/packages/core/src/v3/sdkScope/storage-node.ts
new file mode 100644
index 00000000000..01f59f40eb6
--- /dev/null
+++ b/packages/core/src/v3/sdkScope/storage-node.ts
@@ -0,0 +1,10 @@
+import { AsyncLocalStorage } from "node:async_hooks";
+import { _installSdkScopeStorage } from "./index.js";
+import type { SdkScope } from "./types.js";
+
+const als = new AsyncLocalStorage<SdkScope>();
+
+_installSdkScopeStorage({
+  getStore: () => als.getStore(),
+  run: (scope, fn) => als.run(scope, fn),
+});
diff --git a/packages/core/src/v3/sdkScope/types.ts b/packages/core/src/v3/sdkScope/types.ts
new file mode 100644
index 00000000000..249035e2924
--- /dev/null
+++ b/packages/core/src/v3/sdkScope/types.ts
@@ -0,0 +1,11 @@
+import type { ApiClientConfiguration } from "../apiClientManager/types.js";
+
+export type SdkScope = {
+  apiClientConfig: ApiClientConfiguration;
+  inheritContext: boolean;
+};
+
+export type SdkScopeStorage = {
+  getStore(): SdkScope | undefined;
+  run<R>(scope: SdkScope, fn: () => R): R;
+};
diff --git a/packages/core/src/v3/semanticInternalAttributes.ts b/packages/core/src/v3/semanticInternalAttributes.ts
index 3fb20a06499..e6e0160663d 100644
--- a/packages/core/src/v3/semanticInternalAttributes.ts
+++ b/packages/core/src/v3/semanticInternalAttributes.ts
@@ -12,6 +12,8 @@ export const SemanticInternalAttributes = {
   ATTEMPT_NUMBER: "ctx.attempt.number",
   RUN_ID: "ctx.run.id",
   RUN_IS_TEST: "ctx.run.isTest",
+  RUN_IS_REPLAY: "ctx.run.isReplay",
+  GEN_AI_CONVERSATION_ID: "gen_ai.conversation.id",
   ORIGINAL_RUN_ID: "$original_run_id",
   BATCH_ID: "ctx.batch.id",
   TASK_SLUG: "ctx.task.id",
diff --git a/packages/core/src/v3/session-streams-api.ts b/packages/core/src/v3/session-streams-api.ts
new file mode 100644
index 00000000000..4f5c979aa3b
--- /dev/null
+++ b/packages/core/src/v3/session-streams-api.ts
@@ -0,0 +1,9 @@
+// Split module-level variable definition into separate files to allow
+// tree-shaking on each api instance.
+import { SessionStreamsAPI } from "./sessionStreams/index.js";
+
+export const sessionStreams = SessionStreamsAPI.getInstance();
+
+export * from "./sessionStreams/types.js";
+export * from "./sessionStreams/wireProtocol.js";
+export * from "./sessionStreams/chatSnapshot.js";
diff --git a/packages/core/src/v3/sessionStreams/chatSnapshot.ts b/packages/core/src/v3/sessionStreams/chatSnapshot.ts
new file mode 100644
index 00000000000..84b204a134d
--- /dev/null
+++ b/packages/core/src/v3/sessionStreams/chatSnapshot.ts
@@ -0,0 +1,59 @@
+/**
+ * Persisted chat-snapshot blob. Written by `chat.agent` to S3 after every
+ * turn completes (when no `hydrateMessages` hook is registered) and read
+ * back at the start of the next run to seed the accumulator. Also read by
+ * the Sessions dashboard to render the full conversation transcript
+ * without re-streaming `session.out` from `seq_num=0`.
+ *
+ * S3 key suffix: `sessions/{sessionId}/snapshot.json`. The webapp's
+ * presigned-URL service prefixes this with `packets/{projectRef}/{envSlug}/`.
+ *
+ * `lastOutEventId` is the S2 seq_num (as a string) of the snapshot's
+ * final `turn-complete` control record. Used to resume `session.out`
+ * replay from precisely after the snapshot, and as the trim-chain seed
+ * for the agent's next turn.
+ *
+ * The `version` field is a forward-compat lever: readers that don't
+ * recognise a version silently fall back to no-snapshot behaviour.
+ */
+
+import { z } from "zod";
+
+import type { UIMessage } from "ai";
+
+export type ChatSnapshotV1<TUIMessage extends UIMessage = UIMessage> = {
+  version: 1;
+  savedAt: number;
+  messages: TUIMessage[];
+  lastOutEventId?: string;
+  /**
+   * Committed `.in` consume cursor (S2 seq_num, stringified) as of this
+   * snapshot's turn-complete. Lets the next boot seed the `.in` resume
+   * cursor without scanning `session.out` for the latest turn-complete
+   * header. Absent on snapshots written before this field existed —
+   * readers fall back to the scan.
+   */
+  lastInEventId?: string;
+};
+
+/**
+ * Zod schema for `ChatSnapshotV1` with the message shape kept opaque
+ * (`unknown[]`). The agent runtime types messages strictly via the
+ * generic parameter; readers that need stricter validation can layer
+ * their own UIMessage parser on top.
+ */
+export const ChatSnapshotV1Schema = z.object({
+  version: z.literal(1),
+  savedAt: z.number(),
+  messages: z.array(z.unknown()),
+  lastOutEventId: z.string().optional(),
+  lastInEventId: z.string().optional(),
+});
+
+/**
+ * S3 key suffix for a session's snapshot blob. The webapp's presigned
+ * URL routes prefix this with `packets/{projectRef}/{envSlug}/`.
+ */
+export function chatSnapshotKeySuffix(sessionId: string): string {
+  return `sessions/${sessionId}/snapshot.json`;
+}
diff --git a/packages/core/src/v3/sessionStreams/index.ts b/packages/core/src/v3/sessionStreams/index.ts
new file mode 100644
index 00000000000..c150f0fe9df
--- /dev/null
+++ b/packages/core/src/v3/sessionStreams/index.ts
@@ -0,0 +1,101 @@
+import { getGlobal, registerGlobal } from "../utils/globals.js";
+import { NoopSessionStreamManager } from "./noopManager.js";
+import {
+  InputStreamOncePromise,
+  SessionChannelIO,
+  SessionStreamManager,
+} from "./types.js";
+import { InputStreamOnceOptions } from "../realtimeStreams/types.js";
+
+const API_NAME = "session-streams";
+
+const NOOP_MANAGER = new NoopSessionStreamManager();
+
+export class SessionStreamsAPI implements SessionStreamManager {
+  private static _instance?: SessionStreamsAPI;
+
+  private constructor() {}
+
+  public static getInstance(): SessionStreamsAPI {
+    if (!this._instance) {
+      this._instance = new SessionStreamsAPI();
+    }
+    return this._instance;
+  }
+
+  setGlobalManager(manager: SessionStreamManager): boolean {
+    return registerGlobal(API_NAME, manager);
+  }
+
+  #getManager(): SessionStreamManager {
+    return getGlobal(API_NAME) ?? NOOP_MANAGER;
+  }
+
+  public on(
+    sessionId: string,
+    io: SessionChannelIO,
+    handler: (data: unknown) => void | boolean | Promise<void>
+  ): { off: () => void } {
+    return this.#getManager().on(sessionId, io, handler);
+  }
+
+  public once(
+    sessionId: string,
+    io: SessionChannelIO,
+    options?: InputStreamOnceOptions
+  ): InputStreamOncePromise<unknown> {
+    return this.#getManager().once(sessionId, io, options);
+  }
+
+  public peek(sessionId: string, io: SessionChannelIO): unknown | undefined {
+    return this.#getManager().peek(sessionId, io);
+  }
+
+  public lastSeqNum(sessionId: string, io: SessionChannelIO): number | undefined {
+    return this.#getManager().lastSeqNum(sessionId, io);
+  }
+
+  public setLastSeqNum(sessionId: string, io: SessionChannelIO, seqNum: number): void {
+    this.#getManager().setLastSeqNum(sessionId, io, seqNum);
+  }
+
+  public lastDispatchedSeqNum(sessionId: string, io: SessionChannelIO): number | undefined {
+    return this.#getManager().lastDispatchedSeqNum(sessionId, io);
+  }
+
+  public setLastDispatchedSeqNum(
+    sessionId: string,
+    io: SessionChannelIO,
+    seqNum: number
+  ): void {
+    this.#getManager().setLastDispatchedSeqNum(sessionId, io, seqNum);
+  }
+
+  public setMinTimestamp(
+    sessionId: string,
+    io: SessionChannelIO,
+    minTimestamp: number | undefined
+  ): void {
+    this.#getManager().setMinTimestamp(sessionId, io, minTimestamp);
+  }
+
+  public shiftBuffer(sessionId: string, io: SessionChannelIO): boolean {
+    return this.#getManager().shiftBuffer(sessionId, io);
+  }
+
+  public disconnectStream(sessionId: string, io: SessionChannelIO): void {
+    this.#getManager().disconnectStream(sessionId, io);
+  }
+
+  public clearHandlers(): void {
+    this.#getManager().clearHandlers();
+  }
+
+  public reset(): void {
+    this.#getManager().reset();
+  }
+
+  public disconnect(): void {
+    this.#getManager().disconnect();
+  }
+}
diff --git a/packages/core/src/v3/sessionStreams/manager.test.ts b/packages/core/src/v3/sessionStreams/manager.test.ts
new file mode 100644
index 00000000000..6089d705783
--- /dev/null
+++ b/packages/core/src/v3/sessionStreams/manager.test.ts
@@ -0,0 +1,151 @@
+import { describe, expect, it } from "vitest";
+import { StandardSessionStreamManager } from "./manager.js";
+import type { ApiClient } from "../apiClient/index.js";
+import type { SSEStreamPart } from "../apiClient/runStream.js";
+
+// Single-shot mock that mimics S2's long-poll: delivers `records` once via
+// `onPart` on the first subscribe call, then keeps the returned async
+// iterable OPEN until the abort signal fires. Real S2 keeps the SSE
+// connection alive on a long-poll; the manager's `runTail` finally /
+// reconnect path only fires when the connection actually closes. Returning
+// an empty stream synchronously triggers a tight reconnect loop, so the
+// mock parks indefinitely instead.
+function singleShotApiClient(
+  records: Array<{ id: string; chunk: unknown; timestamp: number }>
+): ApiClient {
+  let delivered = false;
+  return {
+    async subscribeToSessionStream<T>(
+      _sessionIdOrExternalId: string,
+      _io: "out" | "in",
+      options?: { onPart?: (part: SSEStreamPart<T>) => void; signal?: AbortSignal }
+    ) {
+      if (!delivered) {
+        delivered = true;
+        for (const record of records) {
+          options?.onPart?.(record as SSEStreamPart<T>);
+        }
+      }
+      const signal = options?.signal;
+      return (async function* () {
+        if (signal?.aborted) return;
+        await new Promise<void>((resolve) => {
+          if (!signal) {
+            // No signal — block the stream forever; tests must
+            // explicitly call `disconnectStream` / `disconnect` to
+            // unblock.
+            return;
+          }
+          signal.addEventListener("abort", () => resolve(), { once: true });
+        });
+      })() as unknown as Awaited<ReturnType<ApiClient["subscribeToSessionStream"]>>;
+    },
+  } as unknown as ApiClient;
+}
+
+describe("StandardSessionStreamManager — minTimestamp filter", () => {
+  const sessionId = "session-1";
+  const io = "in" as const;
+
+  it("dispatches records when no filter is set", async () => {
+    const records = [
+      { id: "0", chunk: { kind: "message", payload: { id: "u1" } }, timestamp: 1000 },
+      { id: "1", chunk: { kind: "message", payload: { id: "u2" } }, timestamp: 2000 },
+    ];
+    const manager = new StandardSessionStreamManager(singleShotApiClient(records), "http://localhost");
+
+    const first = await manager.once(sessionId, io);
+    expect(first).toEqual({ ok: true, output: { kind: "message", payload: { id: "u1" } } });
+
+    const second = await manager.once(sessionId, io);
+    expect(second).toEqual({ ok: true, output: { kind: "message", payload: { id: "u2" } } });
+
+    manager.disconnectStream(sessionId, io); // stop reconnect loop
+    manager.disconnect();
+  });
+
+  it("drops records whose timestamp is <= minTimestamp", async () => {
+    const records = [
+      { id: "0", chunk: { kind: "message", payload: { id: "u1" } }, timestamp: 1000 },
+      { id: "1", chunk: { kind: "message", payload: { id: "u2" } }, timestamp: 2000 },
+      { id: "2", chunk: { kind: "message", payload: { id: "u3" } }, timestamp: 3000 },
+    ];
+    const manager = new StandardSessionStreamManager(singleShotApiClient(records), "http://localhost");
+
+    // Cutoff at 2000 (inclusive: `<=` is dropped). Only u3 should pass.
+    manager.setMinTimestamp(sessionId, io, 2000);
+
+    const passed = await manager.once(sessionId, io, { timeoutMs: 200 });
+    expect(passed).toEqual({ ok: true, output: { kind: "message", payload: { id: "u3" } } });
+
+    manager.disconnectStream(sessionId, io);
+    manager.disconnect();
+  });
+
+  it("clears the filter when set to undefined", async () => {
+    const records = [
+      { id: "0", chunk: { kind: "message", payload: { id: "u1" } }, timestamp: 1000 },
+    ];
+    const manager = new StandardSessionStreamManager(singleShotApiClient(records), "http://localhost");
+
+    manager.setMinTimestamp(sessionId, io, 5000);
+    manager.setMinTimestamp(sessionId, io, undefined);
+
+    const passed = await manager.once(sessionId, io, { timeoutMs: 200 });
+    expect(passed).toEqual({ ok: true, output: { kind: "message", payload: { id: "u1" } } });
+
+    manager.disconnectStream(sessionId, io);
+    manager.disconnect();
+  });
+
+  it("filter is per-(sessionId, io) and doesn't bleed across streams", async () => {
+    const inApi = singleShotApiClient([
+      { id: "0", chunk: { kind: "in-record" }, timestamp: 1000 },
+    ]);
+    const manager = new StandardSessionStreamManager(inApi, "http://localhost");
+
+    manager.setMinTimestamp(sessionId, "in", 5000);
+
+    // The "out" stream uses the same singleShotApiClient instance — its
+    // single-shot delivers the same fixture, but the filter doesn't apply
+    // to "out" so the record passes.
+    const outResult = await manager.once(sessionId, "out", { timeoutMs: 200 });
+    expect(outResult).toEqual({ ok: true, output: { kind: "in-record" } });
+
+    // The "in" stream is filtered (minTimestamp=5000, record ts=1000): the
+    // once() call should idle-timeout instead of resolving with the record.
+    // But the singleShot instance has already delivered to the "out" tail,
+    // so the "in" tail will get nothing on first connect anyway. Use a
+    // separate manager+api to keep the assertion crisp.
+    const inApi2 = singleShotApiClient([
+      { id: "0", chunk: { kind: "in-record-2" }, timestamp: 1000 },
+    ]);
+    const manager2 = new StandardSessionStreamManager(inApi2, "http://localhost");
+    manager2.setMinTimestamp(sessionId, "in", 5000);
+
+    const inResult = await manager2.once(sessionId, "in", { timeoutMs: 100 });
+    expect(inResult.ok).toBe(false); // filter-dropped → idle timeout
+
+    manager.disconnectStream(sessionId, "in");
+    manager.disconnectStream(sessionId, "out");
+    manager.disconnect();
+    manager2.disconnectStream(sessionId, "in");
+    manager2.disconnect();
+  });
+
+  it("reset() clears all per-stream timestamp filters", async () => {
+    const records = [
+      { id: "0", chunk: { kind: "message", payload: { id: "u1" } }, timestamp: 1000 },
+    ];
+    const manager = new StandardSessionStreamManager(singleShotApiClient(records), "http://localhost");
+
+    manager.setMinTimestamp(sessionId, io, 5000);
+    manager.reset();
+
+    const passed = await manager.once(sessionId, io, { timeoutMs: 200 });
+    expect(passed).toEqual({ ok: true, output: { kind: "message", payload: { id: "u1" } } });
+
+    manager.disconnectStream(sessionId, io);
+    manager.disconnect();
+  });
+});
diff --git a/packages/core/src/v3/sessionStreams/manager.ts b/packages/core/src/v3/sessionStreams/manager.ts
new file mode 100644
index 00000000000..65eaf40f9cc
--- /dev/null
+++ b/packages/core/src/v3/sessionStreams/manager.ts
@@ -0,0 +1,608 @@
+import { ApiClient } from "../apiClient/index.js";
+import {
+  InputStreamOncePromise,
+  InputStreamOnceResult,
+  InputStreamTimeoutError,
+} from "../inputStreams/types.js";
+import { InputStreamOnceOptions } from "../realtimeStreams/types.js";
+import { computeReconnectDelayMs } from "../utils/reconnectBackoff.js";
+import { SessionChannelIO, SessionStreamManager } from "./types.js";
+import { controlSubtype } from "./wireProtocol.js";
+
+// A handler that synchronously returns `true` CONSUMES the record: it is
+// not buffered for a later `once()` and the committed-consume cursor
+// advances past it. Anything else (void, a Promise) leaves the record
+// available to other consumers. See `SessionStreamManager.on` in types.ts.
+type SessionStreamHandler = (data: unknown) => void | boolean | Promise<void>;
+
+type OnceWaiter = {
+  resolve: (result: InputStreamOnceResult<unknown>) => void;
+  reject: (error: Error) => void;
+  timeoutHandle?: ReturnType<typeof setTimeout>;
+  // The abort signal and its handler are tracked on the waiter so any
+  // resolution path (dispatch / timeout / explicit removal) can detach
+  // the listener. Without this, a long-lived `AbortSignal` reused across
+  // many `once()` calls accumulates listeners — `{ once: true }` only
+  // self-clears if the signal actually aborts.
+  signal?: AbortSignal;
+  abortHandler?: () => void;
+};
+
+type TailState = {
+  abortController: AbortController;
+  promise: Promise<void>;
+};
+
+function keyFor(sessionId: string, io: SessionChannelIO): string {
+  return `${sessionId}:${io}`;
+}
+
+/**
+ * Session-scoped parallel to {@link StandardInputStreamManager}. Keeps the
+ * same buffer / once-waiter / tail lifecycle, but keyed on
+ * `(sessionId, io)` and subscribing via
+ * {@link ApiClient.subscribeToSessionStream} instead of the run input
+ * stream SSE.
+ */
+export class StandardSessionStreamManager implements SessionStreamManager {
+  private handlers = new Map<string, Set<SessionStreamHandler>>();
+  private onceWaiters = new Map<string, OnceWaiter[]>();
+  private buffer = new Map<string, unknown[]>();
+  // Parallel to `buffer`: the SSE seq_num of each buffered record. Same
+  // length and order as `buffer[key]`. Used so that when `once()` shifts
+  // a buffered record into a waiter, the cursor (`lastDispatchedSeqNums`)
+  // can advance to that record's seq. Kept as a separate map so the
+  // existing `peek()` shape (returns `unknown`) stays unchanged.
+  //
+  // Entries are `number | undefined` so the array stays length-locked
+  // with `buffer` even if a record arrives without a parseable seq —
+  // shifting `undefined` is just a no-op for the cursor advance, but
+  // the slot still gets consumed. Drifting lengths would map seq_nums
+  // to the wrong records on subsequent shifts.
+  private bufferSeqNums = new Map<string, Array<number | undefined>>();
+  private tails = new Map<string, TailState>();
+  // Per-stream lower-bound timestamp filter. When set, records whose
+  // SSE timestamp is <= the bound are dropped before dispatch — used by
+  // chat.agent on OOM-retry boot to skip session.in records belonging
+  // to turns that already completed on the prior attempt. The filter
+  // is consulted in `runTail`'s `onPart` so the buffer never sees the
+  // dropped records.
+  private minTimestamps = new Map<string, number>();
+  // Keys that were explicitly torn down by `disconnectStream`. The tail's
+  // `.finally` reconnect path checks this so a long-lived persistent handler
+  // (e.g. `chat.agent`'s run-level `stopInput.on(...)`) doesn't silently
+  // resurrect the tail mid-`session.in.wait()` and re-deliver the record
+  // that's already being delivered out-of-band via the waitpoint.
+  private explicitlyDisconnected = new Set<string>();
+  private seqNums = new Map<string, number>();
+  // Highest seq_num that has been *consumed* (delivered to a once()
+  // waiter or shifted off the buffer into a once() caller) on a channel.
+  // Distinct from `seqNums`, which advances whenever any record is
+  // received from SSE — even ones still sitting in the local buffer.
+  // The committed-consume cursor is what gets persisted on the
+  // turn-complete control record's `session-in-event-id` header so the
+  // next worker boot can resume `.in` from this point without
+  // re-delivering already-handled user messages.
+  private lastDispatchedSeqNums = new Map<string, number>();
+  // Reconnect attempt counter per key. Drives the exponential backoff
+  // applied by `#ensureTailConnected`'s `.finally` so a persistent
+  // backend failure (auth rejection, 5xx, DNS, etc.) doesn't reconnect
+  // in a tight loop. Reset to 0 by `#dispatch` whenever a real record
+  // flows through — any successful traffic is taken as a healthy
+  // connection.
+  private reconnectAttempts = new Map<string, number>();
+
+  constructor(
+    private apiClient: ApiClient,
+    private baseUrl: string,
+    private debug: boolean = false
+  ) {}
+
+  on(
+    sessionId: string,
+    io: SessionChannelIO,
+    handler: SessionStreamHandler
+  ): { off: () => void } {
+    const key = keyFor(sessionId, io);
+
+    let handlerSet = this.handlers.get(key);
+    if (!handlerSet) {
+      handlerSet = new Set();
+      this.handlers.set(key, handlerSet);
+    }
+    handlerSet.add(handler);
+
+    // Explicit re-attach clears the "explicitly disconnected" suppression
+    // so the tail can subscribe again now that callers want delivery back.
+    this.explicitlyDisconnected.delete(key);
+    this.#ensureTailConnected(sessionId, io);
+
+    // Selective drain: offer each buffered record to the new handler and
+    // remove ONLY the ones it consumed (returned `true` — e.g. the
+    // messages facade for message-kind records). Consumed records advance
+    // the committed-consume cursor, so a worker using `messagesInput.on()`
+    // for user-message delivery persists a `.in` cursor that matches what
+    // the handler processed. Records the handler did not consume (other
+    // kinds) STAY buffered for a future `once()` or a different handler —
+    // a blind drain here either swallowed them (delivered to a handler
+    // that filtered them out, then deleted) or re-delivered already-
+    // processed messages into every newly attached per-turn handler,
+    // duplicating turns.
+    const buffered = this.buffer.get(key);
+    if (buffered && buffered.length > 0) {
+      const seqList = this.bufferSeqNums.get(key) ?? [];
+      const keptRecords: unknown[] = [];
+      // Kept in lock-step with `keptRecords` — drifting lengths would map
+      // seq_nums to the wrong records on subsequent shifts.
+      const keptSeqNums: Array<number | undefined> = [];
+      for (let i = 0; i < buffered.length; i++) {
+        const consumed = this.#invokeHandler(handler, buffered[i]);
+        if (consumed) {
+          const s = seqList[i];
+          if (s !== undefined) this.#advanceLastDispatched(key, s);
+        } else {
+          keptRecords.push(buffered[i]);
+          keptSeqNums.push(seqList[i]);
+        }
+      }
+      if (keptRecords.length > 0) {
+        this.buffer.set(key, keptRecords);
+        this.bufferSeqNums.set(key, keptSeqNums);
+      } else {
+        this.buffer.delete(key);
+        this.bufferSeqNums.delete(key);
+      }
+    }
+
+    return {
+      off: () => {
+        handlerSet?.delete(handler);
+        if (handlerSet?.size === 0) {
+          this.handlers.delete(key);
+        }
+      },
+    };
+  }
+
+  once(
+    sessionId: string,
+    io: SessionChannelIO,
+    options?: InputStreamOnceOptions
+  ): InputStreamOncePromise<unknown> {
+    const key = keyFor(sessionId, io);
+
+    this.explicitlyDisconnected.delete(key);
+    this.#ensureTailConnected(sessionId, io);
+
+    const buffered = this.buffer.get(key);
+    if (buffered && buffered.length > 0) {
+      const data = buffered.shift()!;
+      const seqList = this.bufferSeqNums.get(key);
+      const shiftedSeqNum = seqList?.shift();
+      if (buffered.length === 0) {
+        this.buffer.delete(key);
+        this.bufferSeqNums.delete(key);
+      }
+      if (shiftedSeqNum !== undefined) {
+        this.#advanceLastDispatched(key, shiftedSeqNum);
+      }
+      return new InputStreamOncePromise((resolve) => {
+        resolve({ ok: true, output: data });
+      });
+    }
+
+    return new InputStreamOncePromise<unknown>((resolve, reject) => {
+      const waiter: OnceWaiter = { resolve, reject };
+
+      if (options?.signal) {
+        if (options.signal.aborted) {
+          reject(new Error("Aborted"));
+          return;
+        }
+        const abortHandler = () => {
+          if (waiter.timeoutHandle) clearTimeout(waiter.timeoutHandle);
+          this.#removeOnceWaiter(key, waiter);
+          reject(new Error("Aborted"));
+        };
+        waiter.signal = options.signal;
+        waiter.abortHandler = abortHandler;
+        options.signal.addEventListener("abort", abortHandler, { once: true });
+      }
+
+      if (options?.timeoutMs) {
+        waiter.timeoutHandle = setTimeout(() => {
+          this.#removeOnceWaiter(key, waiter);
+          resolve({
+            ok: false,
+            error: new InputStreamTimeoutError(key, options.timeoutMs!),
+          });
+        }, options.timeoutMs);
+      }
+
+      let waiters = this.onceWaiters.get(key);
+      if (!waiters) {
+        waiters = [];
+        this.onceWaiters.set(key, waiters);
+      }
+      waiters.push(waiter);
+    });
+  }
+
+  peek(sessionId: string, io: SessionChannelIO): unknown | undefined {
+    const buffered = this.buffer.get(keyFor(sessionId, io));
+    if (buffered && buffered.length > 0) return buffered[0];
+    return undefined;
+  }
+
+  lastSeqNum(sessionId: string, io: SessionChannelIO): number | undefined {
+    return this.seqNums.get(keyFor(sessionId, io));
+  }
+
+  setLastSeqNum(sessionId: string, io: SessionChannelIO, seqNum: number): void {
+    const key = keyFor(sessionId, io);
+    const current = this.seqNums.get(key);
+    if (current === undefined || seqNum > current) {
+      this.seqNums.set(key, seqNum);
+    }
+  }
+
+  lastDispatchedSeqNum(sessionId: string, io: SessionChannelIO): number | undefined {
+    return this.lastDispatchedSeqNums.get(keyFor(sessionId, io));
+  }
+
+  setLastDispatchedSeqNum(
+    sessionId: string,
+    io: SessionChannelIO,
+    seqNum: number
+  ): void {
+    this.#advanceLastDispatched(keyFor(sessionId, io), seqNum);
+  }
+
+  #advanceLastDispatched(key: string, seqNum: number): void {
+    const current = this.lastDispatchedSeqNums.get(key);
+    if (current === undefined || seqNum > current) {
+      this.lastDispatchedSeqNums.set(key, seqNum);
+    }
+  }
+
+  setMinTimestamp(
+    sessionId: string,
+    io: SessionChannelIO,
+    minTimestamp: number | undefined
+  ): void {
+    const key = keyFor(sessionId, io);
+    if (minTimestamp === undefined) {
+      this.minTimestamps.delete(key);
+    } else {
+      this.minTimestamps.set(key, minTimestamp);
+    }
+  }
+
+  shiftBuffer(sessionId: string, io: SessionChannelIO): boolean {
+    const key = keyFor(sessionId, io);
+    const buffered = this.buffer.get(key);
+    if (buffered && buffered.length > 0) {
+      buffered.shift();
+      const seqList = this.bufferSeqNums.get(key);
+      const shiftedSeqNum = seqList?.shift();
+      if (buffered.length === 0) {
+        this.buffer.delete(key);
+        this.bufferSeqNums.delete(key);
+      }
+      if (shiftedSeqNum !== undefined) {
+        this.#advanceLastDispatched(key, shiftedSeqNum);
+      }
+      return true;
+    }
+    return false;
+  }
+
+  disconnectStream(sessionId: string, io: SessionChannelIO): void {
+    const key = keyFor(sessionId, io);
+    const tail = this.tails.get(key);
+    const bufferedSize = this.buffer.get(key)?.length ?? 0;
+    // Mark as explicitly disconnected BEFORE we abort, so the tail's
+    // `.finally` reconnect path sees the flag when it runs (which can be
+    // synchronous in the AbortError catch). Cleared on the next explicit
+    // `on()`/`once()`.
+    this.explicitlyDisconnected.add(key);
+    if (tail) {
+      tail.abortController.abort();
+      this.tails.delete(key);
+    }
+    this.buffer.delete(key);
+    this.bufferSeqNums.delete(key);
+    // Reset the backoff counter so a future re-attach starts fresh —
+    // an explicit disconnect is a deliberate teardown, not evidence of
+    // a broken backend.
+    this.reconnectAttempts.delete(key);
+  }
+
+  clearHandlers(): void {
+    this.handlers.clear();
+
+    for (const [key, tail] of this.tails) {
+      const hasWaiters = this.onceWaiters.has(key) && this.onceWaiters.get(key)!.length > 0;
+      if (!hasWaiters) {
+        tail.abortController.abort();
+        this.tails.delete(key);
+      }
+    }
+  }
+
+  /**
+   * Tear down all active tails. Does NOT clear handlers or `onceWaiters`,
+   * so any registered listener will trigger an auto-reconnect (with
+   * backoff) the moment it sees no live tail — by design, so a transient
+   * network blip recovers without the caller re-subscribing. Use
+   * `reset()` if you want a full clean state with no resurrection, or
+   * `disconnectStream(sessionId, io)` for a single channel that should
+   * stay down until a fresh `on()` / `once()` attaches.
+   */
+  disconnect(): void {
+    for (const [, tail] of this.tails) {
+      tail.abortController.abort();
+    }
+    this.tails.clear();
+  }
+
+  reset(): void {
+    this.disconnect();
+    this.seqNums.clear();
+    this.lastDispatchedSeqNums.clear();
+    this.minTimestamps.clear();
+    this.handlers.clear();
+    this.reconnectAttempts.clear();
+
+    for (const [, waiters] of this.onceWaiters) {
+      for (const waiter of waiters) {
+        if (waiter.timeoutHandle) clearTimeout(waiter.timeoutHandle);
+        if (waiter.signal && waiter.abortHandler) {
+          waiter.signal.removeEventListener("abort", waiter.abortHandler);
+        }
+        waiter.reject(new Error("Session stream manager reset"));
+      }
+    }
+    this.onceWaiters.clear();
+    this.buffer.clear();
+    this.bufferSeqNums.clear();
+  }
+
+  #ensureTailConnected(sessionId: string, io: SessionChannelIO): void {
+    const key = keyFor(sessionId, io);
+    if (this.tails.has(key)) return;
+
+    const abortController = new AbortController();
+    const promise = this.#runTail(sessionId, io, abortController.signal)
+      .catch((error) => {
+        if (this.debug) {
+          console.error(`[SessionStreamManager] Tail error for "${key}":`, error);
+        }
+      })
+      .finally(() => {
+        this.tails.delete(key);
+
+        // If the tail was torn down explicitly via `disconnectStream`,
+        // honor that — the caller (typically `session.in.wait()`) is
+        // suspending the run and expects no records to be buffered or
+        // delivered until a fresh `on()` / `once()` re-attaches. Without
+        // this guard a run-level persistent handler (e.g. `chat.agent`'s
+        // `stopInput.on(...)`) would auto-reconnect during the suspend
+        // window, the resurrected tail would receive the same record the
+        // waitpoint just delivered, and that record would land in the
+        // buffer where the next turn's `messagesInput.on(...)` drains it
+        // and runs a duplicate turn.
+        if (this.explicitlyDisconnected.has(key)) {
+          return;
+        }
+
+        const hasHandlers = this.handlers.has(key) && this.handlers.get(key)!.size > 0;
+        const hasWaiters =
+          this.onceWaiters.has(key) && this.onceWaiters.get(key)!.length > 0;
+        if (hasHandlers || hasWaiters) {
+          // Exponential backoff with jitter. 1s base, doubling each
+          // attempt, capped at 30s. Without this, a persistent backend
+          // failure (auth rejected, 5xx, DNS) reconnects in a tight loop
+          // because `#runTail`'s error path only logs. `#dispatch` resets
+          // the counter on every successful record, so transient blips
+          // don't accumulate.
+          const attempt = this.reconnectAttempts.get(key) ?? 0;
+          this.reconnectAttempts.set(key, attempt + 1);
+          const delayMs = computeReconnectDelayMs(attempt);
+          setTimeout(() => {
+            // Guards: a fresh `on()` during the wait may already have
+            // re-attached the tail; explicit disconnect or absence of
+            // handlers/waiters means we should stay quiet.
+            if (this.tails.has(key)) return;
+            if (this.explicitlyDisconnected.has(key)) return;
+            const stillHasHandlers =
+              this.handlers.has(key) && this.handlers.get(key)!.size > 0;
+            const stillHasWaiters =
+              this.onceWaiters.has(key) && this.onceWaiters.get(key)!.length > 0;
+            if (!stillHasHandlers && !stillHasWaiters) return;
+            this.#ensureTailConnected(sessionId, io);
+          }, delayMs);
+        }
+      });
+    this.tails.set(key, { abortController, promise });
+  }
+
+  async #runTail(
+    sessionId: string,
+    io: SessionChannelIO,
+    signal: AbortSignal
+  ): Promise<void> {
+    const key = keyFor(sessionId, io);
+    try {
+      const lastSeq = this.seqNums.get(key);
+      // Dispatch is driven from `onPart` (not the for-await loop) so each
+      // record reaches dispatch with its full SSE metadata in scope —
+      // specifically the timestamp, which we need for the per-stream
+      // min-timestamp filter. The for-await loop below just drains the
+      // pipeThrough output to keep the source flowing.
+      const stream = await this.apiClient.subscribeToSessionStream<unknown>(sessionId, io, {
+        signal,
+        baseUrl: this.baseUrl,
+        timeoutInSeconds: 600,
+        lastEventId: lastSeq !== undefined ? String(lastSeq) : undefined,
+        onPart: (part) => {
+          if (signal.aborted) return;
+          const seqNum = parseInt(part.id, 10);
+          if (Number.isFinite(seqNum)) {
+            this.seqNums.set(key, seqNum);
+          }
+
+          // Trigger control records (turn-complete, upgrade-required)
+          // are dispatched out-of-band via `onControl` — they're not
+          // consumer-facing data. Skip the data dispatch path.
+          if (controlSubtype(part.headers)) {
+            return;
+          }
+
+          // Min-timestamp filter: drop records older than (or at) the
+          // bound. Used to skip already-processed records on OOM-retry
+          // boot.
+          const minTs = this.minTimestamps.get(key);
+          if (minTs !== undefined && part.timestamp <= minTs) {
+            return;
+          }
+
+          let data: unknown = part.chunk;
+          if (typeof data === "string") {
+            try {
+              data = JSON.parse(data);
+            } catch {
+              // keep as string
+            }
+          }
+          this.#dispatch(key, data, Number.isFinite(seqNum) ? seqNum : undefined);
+        },
+        onComplete: () => {
+          if (this.debug) {
+            console.log(`[SessionStreamManager] Tail completed for "${key}"`);
+          }
+        },
+        onError: (error) => {
+          if (this.debug) {
+            console.error(`[SessionStreamManager] Tail error for "${key}":`, error);
+          }
+        },
+      });
+
+      // Drain to keep the pipeThrough flowing. Records were already
+      // dispatched in `onPart`, so the body here is a no-op.
+      for await (const _record of stream) {
+        if (signal.aborted) break;
+      }
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") return;
+      throw error;
+    }
+  }
+
+  #dispatch(key: string, data: unknown, seqNum: number | undefined): void {
+    // Any record flowing through = healthy connection; reset the backoff
+    // counter so the next disconnect starts fresh.
+    this.reconnectAttempts.delete(key);
+
+    const waiters = this.onceWaiters.get(key);
+    if (waiters && waiters.length > 0) {
+      const waiter = waiters.shift()!;
+      if (waiters.length === 0) this.onceWaiters.delete(key);
+      if (waiter.timeoutHandle) clearTimeout(waiter.timeoutHandle);
+      if (waiter.signal && waiter.abortHandler) {
+        waiter.signal.removeEventListener("abort", waiter.abortHandler);
+      }
+      // Record was consumed directly by a waiter — advance the
+      // committed-consume cursor immediately. Buffered-then-shifted
+      // records advance the cursor in `once()` / `shiftBuffer()`.
+      if (seqNum !== undefined) {
+        this.#advanceLastDispatched(key, seqNum);
+      }
+      waiter.resolve({ ok: true, output: data });
+      this.#invokeHandlers(key, data);
+      return;
+    }
+
+    // Persistent handlers get a copy of the chunk. A handler that
+    // synchronously returns `true` CONSUMES it (e.g. the messages facade
+    // for message-kind records): the record must not also be buffered, or
+    // the next `on()` attach / `once()` would deliver it a second time —
+    // in chat.agent's turn loop that duplicated user messages into a
+    // second turn. Records no handler consumed (e.g. a message arriving
+    // while only the stop facade is attached during preload) are buffered
+    // so a subsequent `once()` can still pick them up.
+    const consumed = this.#invokeHandlers(key, data);
+    if (consumed) {
+      if (seqNum !== undefined) {
+        this.#advanceLastDispatched(key, seqNum);
+      }
+      return;
+    }
+
+    let buffered = this.buffer.get(key);
+    if (!buffered) {
+      buffered = [];
+      this.buffer.set(key, buffered);
+    }
+    buffered.push(data);
+    let bufferedSeqs = this.bufferSeqNums.get(key);
+    if (!bufferedSeqs) {
+      bufferedSeqs = [];
+      this.bufferSeqNums.set(key, bufferedSeqs);
+    }
+    // Always push, even when `seqNum` is undefined (e.g. NaN from a
+    // malformed `part.id`). Skipping the push here would drift the two
+    // arrays apart and misattribute seq_nums to records on the next
+    // shift.
+    bufferedSeqs.push(seqNum);
+  }
+
+  /** Returns true when any handler consumed the record. All handlers are invoked regardless. */
+  #invokeHandlers(key: string, data: unknown): boolean {
+    const handlers = this.handlers.get(key);
+    if (!handlers) return false;
+    let consumed = false;
+    for (const handler of handlers) {
+      if (this.#invokeHandler(handler, data)) {
+        consumed = true;
+      }
+    }
+    return consumed;
+  }
+
+  /** Returns true when the handler synchronously consumed the record (returned `true`). */
+  #invokeHandler(handler: SessionStreamHandler, data: unknown): boolean {
+    try {
+      const result = handler(data);
+      if (result === true) return true;
+      if (result && typeof result === "object" && "catch" in result) {
+        (result as Promise<void>).catch((error) => {
+          if (this.debug) {
+            console.error("[SessionStreamManager] Handler error:", error);
+          }
+        });
+      }
+    } catch (error) {
+      if (this.debug) {
+        console.error("[SessionStreamManager] Handler error:", error);
+      }
+    }
+    return false;
+  }
+
+  #removeOnceWaiter(key: string, waiter: OnceWaiter): void {
+    // Centralized cleanup — both timeout and explicit abort paths funnel
+    // through here, so detach the abort listener once instead of at every
+    // callsite. The dispatch path doesn't go through this method (the
+    // waiter is shifted off inline), so it detaches the listener there.
+    if (waiter.signal && waiter.abortHandler) {
+      waiter.signal.removeEventListener("abort", waiter.abortHandler);
+    }
+    const waiters = this.onceWaiters.get(key);
+    if (!waiters) return;
+    const index = waiters.indexOf(waiter);
+    if (index !== -1) waiters.splice(index, 1);
+    if (waiters.length === 0) this.onceWaiters.delete(key);
+  }
+}
diff --git a/packages/core/src/v3/sessionStreams/noopManager.ts b/packages/core/src/v3/sessionStreams/noopManager.ts
new file mode 100644
index 00000000000..77d1f40ac9f
--- /dev/null
+++ b/packages/core/src/v3/sessionStreams/noopManager.ts
@@ -0,0 +1,61 @@
+import { InputStreamOnceOptions } from "../realtimeStreams/types.js";
+import { InputStreamOncePromise } from "../inputStreams/types.js";
+import { SessionChannelIO, SessionStreamManager } from "./types.js";
+
+export class NoopSessionStreamManager implements SessionStreamManager {
+  on(
+    _sessionId: string,
+    _io: SessionChannelIO,
+    _handler: (data: unknown) => void | boolean | Promise<void>
+  ): { off: () => void } {
+    return { off: () => {} };
+  }
+
+  once(
+    _sessionId: string,
+    _io: SessionChannelIO,
+    _options?: InputStreamOnceOptions
+  ): InputStreamOncePromise<unknown> {
+    return new InputStreamOncePromise(() => {
+      // Never resolves in noop mode.
+    });
+  }
+
+  peek(_sessionId: string, _io: SessionChannelIO): unknown | undefined {
+    return undefined;
+  }
+
+  lastSeqNum(_sessionId: string, _io: SessionChannelIO): number | undefined {
+    return undefined;
+  }
+
+  setLastSeqNum(_sessionId: string, _io: SessionChannelIO, _seqNum: number): void {}
+
+  lastDispatchedSeqNum(_sessionId: string, _io: SessionChannelIO): number | undefined {
+    return undefined;
+  }
+
+  setLastDispatchedSeqNum(
+    _sessionId: string,
+    _io: SessionChannelIO,
+    _seqNum: number
+  ): void {}
+
+  setMinTimestamp(
+    _sessionId: string,
+    _io: SessionChannelIO,
+    _minTimestamp: number | undefined
+  ): void {}
+
+  shiftBuffer(_sessionId: string, _io: SessionChannelIO): boolean {
+    return false;
+  }
+
+  disconnectStream(_sessionId: string, _io: SessionChannelIO): void {}
+
+  clearHandlers(): void {}
+
+  reset(): void {}
+
+  disconnect(): void {}
+}
diff --git a/packages/core/src/v3/sessionStreams/types.ts b/packages/core/src/v3/sessionStreams/types.ts
new file mode 100644
index 00000000000..45be5149e2e
--- /dev/null
+++ b/packages/core/src/v3/sessionStreams/types.ts
@@ -0,0 +1,107 @@
+import { InputStreamOnceOptions } from "../realtimeStreams/types.js";
+import {
+  InputStreamOncePromise,
+  InputStreamOnceResult,
+  InputStreamTimeoutError,
+} from "../inputStreams/types.js";
+
+/**
+ * Re-export the run-scoped input stream once-promise machinery so callers
+ * depending on sessionStreams don't also need to import from inputStreams.
+ * Both APIs return the same shape.
+ */
+export { InputStreamOncePromise, InputStreamTimeoutError };
+export type { InputStreamOnceResult };
+
+export type SessionChannelIO = "out" | "in";
+
+/**
+ * Manager for Session channel reads: a session-scoped parallel to
+ * {@link InputStreamManager} keyed on `(sessionId, io)` instead of
+ * `(runId, streamId)`. Used by {@link SessionChannel} to implement
+ * `.on` / `.once` / `.peek` / `.wait` / `.waitWithIdleTimeout`.
+ */
+export interface SessionStreamManager {
+  /**
+   * Register a handler that fires every time data arrives on the given channel.
+   *
+   * A handler that synchronously returns `true` CONSUMES the record: it is
+   * not buffered for a later `once()` and the committed-consume cursor
+   * advances past it. Any other return value (including a Promise) leaves
+   * the record available to other consumers. Kind-filtering facades return
+   * `true` for the kinds they own so the same record is never delivered
+   * twice — once to the handler and again via a buffer drain.
+   */
+  on(
+    sessionId: string,
+    io: SessionChannelIO,
+    handler: (data: unknown) => void | boolean | Promise<void>
+  ): { off: () => void };
+
+  /** Wait for the next record on the given channel (buffered or live). */
+  once(
+    sessionId: string,
+    io: SessionChannelIO,
+    options?: InputStreamOnceOptions
+  ): InputStreamOncePromise<unknown>;
+
+  /** Non-blocking peek at the head of the channel buffer. */
+  peek(sessionId: string, io: SessionChannelIO): unknown | undefined;
+
+  /** Last S2 sequence number seen on the given channel. */
+  lastSeqNum(sessionId: string, io: SessionChannelIO): number | undefined;
+
+  /** Advance the last-seen sequence number (prevents SSE replay after `.wait` resume). */
+  setLastSeqNum(sessionId: string, io: SessionChannelIO, seqNum: number): void;
+
+  /**
+   * Highest sequence number that has been *consumed* on the channel —
+   * delivered to a `once()` waiter or shifted off the buffer into one.
+   * Distinct from {@link lastSeqNum}, which advances on every received
+   * record regardless of whether anything consumed it. Used by
+   * `chat.agent` to persist the `.in` resume cursor on each
+   * `turn-complete` control record so the next worker boot can resume
+   * the channel from this point without replaying processed messages.
+   */
+  lastDispatchedSeqNum(sessionId: string, io: SessionChannelIO): number | undefined;
+
+  /**
+   * Seed the committed-consume cursor at worker boot — e.g. from the
+   * `session-in-event-id` header on the latest `turn-complete` on
+   * `.out`. Monotonic: only ever advances forward, never backwards.
+   */
+  setLastDispatchedSeqNum(
+    sessionId: string,
+    io: SessionChannelIO,
+    seqNum: number
+  ): void;
+
+  /**
+   * Set a per-stream lower-bound SSE timestamp. Records whose timestamp
+   * is `<= minTimestamp` are dropped before dispatch. Used by chat.agent
+   * on OOM-retry boot to skip session.in records belonging to turns
+   * that already completed on the prior attempt.
+   *
+   * Pass `undefined` to clear the filter.
+   */
+  setMinTimestamp(
+    sessionId: string,
+    io: SessionChannelIO,
+    minTimestamp: number | undefined
+  ): void;
+
+  /** Remove and discard the first buffered record. Returns true if one was removed. */
+  shiftBuffer(sessionId: string, io: SessionChannelIO): boolean;
+
+  /** Abort the SSE tail and clear the buffer. Called before `.wait` suspends. */
+  disconnectStream(sessionId: string, io: SessionChannelIO): void;
+
+  /** Clear all `.on` handlers; abort tails without pending once-waiters. */
+  clearHandlers(): void;
+
+  /** Reset state between task executions. */
+  reset(): void;
+
+  /** Disconnect every tail. */
+  disconnect(): void;
+}
diff --git a/packages/core/src/v3/sessionStreams/wireProtocol.ts b/packages/core/src/v3/sessionStreams/wireProtocol.ts
new file mode 100644
index 00000000000..550e81a0af4
--- /dev/null
+++ b/packages/core/src/v3/sessionStreams/wireProtocol.ts
@@ -0,0 +1,93 @@
+/**
+ * Wire-format constants for records on `session.out` / `session.in`.
+ *
+ * Three kinds of records can appear on a Session stream:
+ *
+ * 1. **Data records** — JSON body shaped as `{data: <UIMessageChunk>, id:
+ *    <partId>}`, no special headers. The substance of the conversation.
+ *
+ * 2. **Trigger control records** — empty body, `headers` carry `[
+ *    ["trigger-control", <subtype>], ...]` plus any subtype-specific sibling
+ *    headers (e.g. `public-access-token` on `turn-complete`). Routed to a
+ *    consumer's `onControl` callback; never surfaced as data chunks.
+ *
+ * 3. **S2 command records** — opaque body, `headers` first entry has an
+ *    empty name (only valid for S2-interpreted directives like `trim` and
+ *    `fence`). Filtered out at the SSE parser; consumers never see them.
+ *
+ * See `docs/ai-chat/client-protocol.mdx#records-on-session-out` for the
+ * customer-facing contract.
+ */
+
+/** Header name carrying the Trigger control subtype on control records. */
+export const TRIGGER_CONTROL_HEADER = "trigger-control" as const;
+
+/** Header name carrying the refreshed `publicAccessToken` on `turn-complete`. */
+export const PUBLIC_ACCESS_TOKEN_HEADER = "public-access-token" as const;
+
+/** Header name carrying the agent's last S2 event id on a handover bridge. */
+export const SESSION_STATE_LAST_EVENT_ID_HEADER = "last-event-id" as const;
+
+/**
+ * Header on `turn-complete` records carrying the highest `session.in`
+ * seq_num the agent committed to processing during this turn. Read on
+ * the next worker boot to seed `.in`'s resume cursor — anything past
+ * this seq is new and gets delivered; anything at-or-before was already
+ * processed and is skipped. Decimal-string form of the seq_num.
+ *
+ * Omitted when no `.in` records have been consumed yet (first turn of a
+ * fresh chat triggered via the wire payload).
+ */
+export const SESSION_IN_EVENT_ID_HEADER = "session-in-event-id" as const;
+
+export const TRIGGER_CONTROL_SUBTYPE = {
+  TURN_COMPLETE: "turn-complete",
+  UPGRADE_REQUIRED: "upgrade-required",
+} as const;
+
+export type TriggerControlSubtype =
+  (typeof TRIGGER_CONTROL_SUBTYPE)[keyof typeof TRIGGER_CONTROL_SUBTYPE];
+
+/** Read a single header value by name. Returns the first match. */
+export function headerValue(
+  headers: ReadonlyArray<readonly [string, string]> | undefined,
+  name: string
+): string | undefined {
+  if (!headers) return undefined;
+  for (const entry of headers) {
+    if (entry?.[0] === name) return entry[1];
+  }
+  return undefined;
+}
+
+/**
+ * Return the Trigger control subtype carried by a record's headers, if any.
+ * Returns `undefined` for data records and S2 command records.
+ */
+export function controlSubtype(
+  headers: ReadonlyArray<readonly [string, string]> | undefined
+): string | undefined {
+  return headerValue(headers, TRIGGER_CONTROL_HEADER);
+}
+
+/**
+ * Is this record an S2 command record? Detected via the empty-name first
+ * header, which S2 permits only for command records (trim/fence).
+ */
+export function isS2CommandRecord(
+  headers: ReadonlyArray<readonly [string, string]> | undefined
+): boolean {
+  return headers?.[0]?.[0] === "";
+}
+
+/** Event payload delivered to a Session-stream `onControl` callback. */
+export type ControlEvent = {
+  /** Subtype value from the `trigger-control` header (e.g. `turn-complete`). */
+  subtype: string;
+  /** All headers on the underlying record. Read additional metadata here. */
+  headers: ReadonlyArray<readonly [string, string]>;
+  /** S2 sequence number of the control record. */
+  seqNum: number;
+  /** S2 arrival timestamp of the control record (ms since epoch). */
+  timestamp: number;
+};
diff --git a/packages/core/src/v3/taskContext/index.test.ts b/packages/core/src/v3/taskContext/index.test.ts
new file mode 100644
index 00000000000..34d169a177c
--- /dev/null
+++ b/packages/core/src/v3/taskContext/index.test.ts
@@ -0,0 +1,86 @@
+import { afterEach, describe, expect, it } from "vitest";
+import { unregisterGlobal } from "../utils/globals.js";
+import { SemanticInternalAttributes } from "../semanticInternalAttributes.js";
+import { TaskContextAPI } from "./index.js";
+
+const FAKE_CTX = {
+  attempt: { id: "attempt_1", number: 1, startedAt: new Date(), status: "EXECUTING" as const },
+  run: {
+    id: "run_1",
+    payload: undefined,
+    payloadType: "application/json",
+    context: undefined,
+    createdAt: new Date(),
+    tags: [],
+    isTest: false,
+    isReplay: false,
+    startedAt: new Date(),
+    durationMs: 0,
+    costInCents: 0,
+    baseCostInCents: 0,
+  },
+  task: { id: "my-task", filePath: "src/trigger/task.ts", exportName: "myTask" },
+  queue: { id: "queue_1", name: "default" },
+  environment: { id: "env_1", slug: "dev", type: "DEVELOPMENT" as const },
+  organization: { id: "org_1", slug: "acme", name: "Acme" },
+  project: { id: "proj_1", ref: "proj_xyz", slug: "demo", name: "Demo" },
+  machine: {
+    name: "small-1x" as const,
+    cpu: 0.5,
+    memory: 0.5,
+    centsPerMs: 0.0001,
+  },
+} as never;
+
+const FAKE_WORKER = { id: "worker_1", version: "1.0.0", contentHash: "abc" } as never;
+
+describe("TaskContextAPI conversation id", () => {
+  afterEach(() => {
+    unregisterGlobal("task-context");
+    TaskContextAPI.getInstance().setConversationId(undefined);
+  });
+
+  it("returns no conversation attribute when setConversationId was never called", () => {
+    const api = TaskContextAPI.getInstance();
+    api.setGlobalTaskContext({ ctx: FAKE_CTX, worker: FAKE_WORKER });
+
+    expect(api.attributes[SemanticInternalAttributes.GEN_AI_CONVERSATION_ID]).toBeUndefined();
+  });
+
+  it("includes gen_ai.conversation.id after setConversationId", () => {
+    const api = TaskContextAPI.getInstance();
+    api.setGlobalTaskContext({ ctx: FAKE_CTX, worker: FAKE_WORKER });
+
+    api.setConversationId("chat_123");
+
+    expect(api.attributes[SemanticInternalAttributes.GEN_AI_CONVERSATION_ID]).toBe("chat_123");
+  });
+
+  it("clears the conversation attribute when called with undefined", () => {
+    const api = TaskContextAPI.getInstance();
+    api.setGlobalTaskContext({ ctx: FAKE_CTX, worker: FAKE_WORKER });
+    api.setConversationId("chat_123");
+
+    api.setConversationId(undefined);
+
+    expect(api.attributes[SemanticInternalAttributes.GEN_AI_CONVERSATION_ID]).toBeUndefined();
+    expect(api.conversationId).toBeUndefined();
+  });
+
+  it("returns no attributes when there is no task context", () => {
+    const api = TaskContextAPI.getInstance();
+    api.setConversationId("chat_123");
+
+    expect(api.attributes).toEqual({});
+  });
+
+  it("clears conversation id when a new task context is registered (warm restart)", () => {
+    const api = TaskContextAPI.getInstance();
+    api.setGlobalTaskContext({ ctx: FAKE_CTX, worker: FAKE_WORKER });
+    api.setConversationId("chat_old");
+
+    api.setGlobalTaskContext({ ctx: FAKE_CTX, worker: FAKE_WORKER });
+
+    expect(api.attributes[SemanticInternalAttributes.GEN_AI_CONVERSATION_ID]).toBeUndefined();
+  });
+});
diff --git a/packages/core/src/v3/taskContext/index.ts b/packages/core/src/v3/taskContext/index.ts
index f76671160a6..c4bbf25c972 100644
--- a/packages/core/src/v3/taskContext/index.ts
+++ b/packages/core/src/v3/taskContext/index.ts
@@ -1,6 +1,7 @@
 import { Attributes } from "@opentelemetry/api";
 import { ServerBackgroundWorker, TaskRunContext } from "../schemas/index.js";
 import { SemanticInternalAttributes } from "../semanticInternalAttributes.js";
+import { sdkScope } from "../sdkScope/index.js";
 import { getGlobal, registerGlobal } from "../utils/globals.js";
 import { TaskContext } from "./types.js";
 
@@ -9,6 +10,7 @@ const API_NAME = "task-context";
 export class TaskContextAPI {
   private static _instance?: TaskContextAPI;
   private _runDisabled = false;
+  private _conversationId?: string;
 
   private constructor() {}
 
@@ -21,6 +23,7 @@ export class TaskContextAPI {
   }
 
   get isInsideTask(): boolean {
+    if (this.#isolatedFromContext()) return false;
     return this.#getTaskContext() !== undefined;
   }
 
@@ -29,22 +32,31 @@ export class TaskContextAPI {
   }
 
   get ctx(): TaskRunContext | undefined {
+    if (this.#isolatedFromContext()) return undefined;
     return this.#getTaskContext()?.ctx;
   }
 
   get worker(): ServerBackgroundWorker | undefined {
+    if (this.#isolatedFromContext()) return undefined;
     return this.#getTaskContext()?.worker;
   }
 
   get isWarmStart(): boolean | undefined {
+    if (this.#isolatedFromContext()) return undefined;
     return this.#getTaskContext()?.isWarmStart;
   }
 
+  #isolatedFromContext(): boolean {
+    const scope = sdkScope.getStore();
+    return !!scope && !scope.inheritContext;
+  }
+
   get attributes(): Attributes {
     if (this.ctx) {
       return {
         ...this.contextAttributes,
         ...this.workerAttributes,
+        ...this.conversationAttributes,
         [SemanticInternalAttributes.WARM_START]: !!this.isWarmStart,
       };
     }
@@ -52,6 +64,19 @@ export class TaskContextAPI {
     return {};
   }
 
+  get conversationAttributes(): Attributes {
+    if (!this._conversationId) return {};
+    return { [SemanticInternalAttributes.GEN_AI_CONVERSATION_ID]: this._conversationId };
+  }
+
+  get conversationId(): string | undefined {
+    return this._conversationId;
+  }
+
+  public setConversationId(conversationId: string | undefined): void {
+    this._conversationId = conversationId || undefined;
+  }
+
   get resourceAttributes(): Attributes {
     if (this.ctx) {
       return {
@@ -94,6 +119,7 @@ export class TaskContextAPI {
         [SemanticInternalAttributes.QUEUE_ID]: this.ctx.queue.id,
         [SemanticInternalAttributes.RUN_ID]: this.ctx.run.id,
         [SemanticInternalAttributes.RUN_IS_TEST]: this.ctx.run.isTest,
+        [SemanticInternalAttributes.RUN_IS_REPLAY]: this.ctx.run.isReplay,
         [SemanticInternalAttributes.BATCH_ID]: this.ctx.batch?.id,
         [SemanticInternalAttributes.IDEMPOTENCY_KEY]: this.ctx.run.idempotencyKey,
       };
@@ -108,6 +134,11 @@ export class TaskContextAPI {
 
   public setGlobalTaskContext(taskContext: TaskContext): boolean {
     this._runDisabled = false;
+    // Each run boot re-registers the global; clear any conversation id
+    // left over from a previous run on this warm-restarted process so
+    // attributes don't bleed across runs that don't call
+    // `setConversationId` themselves.
+    this._conversationId = undefined;
     return registerGlobal(API_NAME, taskContext, true);
   }
 
diff --git a/packages/core/src/v3/taskContext/otelProcessors.ts b/packages/core/src/v3/taskContext/otelProcessors.ts
index 1c0958d655d..fc30e9d1145 100644
--- a/packages/core/src/v3/taskContext/otelProcessors.ts
+++ b/packages/core/src/v3/taskContext/otelProcessors.ts
@@ -36,6 +36,17 @@ export class TaskContextSpanProcessor implements SpanProcessor {
       if (!taskContext.isRunDisabled && taskContext.ctx.run.tags?.length) {
         span.setAttribute(SemanticInternalAttributes.RUN_TAGS, taskContext.ctx.run.tags);
       }
+
+      // Stamp `gen_ai.conversation.id` (OTel GenAI semantic convention)
+      // directly on every span so it survives the OTLP ingest's `ctx.*`
+      // strip and lands in the stored attributes column without a schema
+      // migration.
+      if (taskContext.conversationId) {
+        span.setAttribute(
+          SemanticInternalAttributes.GEN_AI_CONVERSATION_ID,
+          taskContext.conversationId
+        );
+      }
     }
 
     if (!isPartialSpan(span) && !skipPartialSpan(span)) {
@@ -178,6 +189,11 @@ export class TaskContextMetricExporter implements PushMetricExporter {
       contextAttrs[SemanticInternalAttributes.RUN_TAGS] = ctx.run.tags;
     }
 
+    if (taskContext.conversationId) {
+      contextAttrs[SemanticInternalAttributes.GEN_AI_CONVERSATION_ID] =
+        taskContext.conversationId;
+    }
+
     const modified: ResourceMetrics = {
       resource: metrics.resource,
       scopeMetrics: metrics.scopeMetrics.map((scope) => ({
diff --git a/packages/core/src/v3/test/index.ts b/packages/core/src/v3/test/index.ts
new file mode 100644
index 00000000000..402f618c01b
--- /dev/null
+++ b/packages/core/src/v3/test/index.ts
@@ -0,0 +1,9 @@
+export {
+  runInMockTaskContext,
+  type MockTaskContextDrivers,
+  type MockTaskContextOptions,
+} from "./mock-task-context.js";
+export { TestInputStreamManager } from "./test-input-stream-manager.js";
+export { TestRealtimeStreamsManager } from "./test-realtime-streams-manager.js";
+export { TestRunMetadataManager } from "./test-run-metadata-manager.js";
+export { TestSessionStreamManager } from "./test-session-stream-manager.js";
diff --git a/packages/core/src/v3/test/mock-task-context.ts b/packages/core/src/v3/test/mock-task-context.ts
new file mode 100644
index 00000000000..66e58490019
--- /dev/null
+++ b/packages/core/src/v3/test/mock-task-context.ts
@@ -0,0 +1,294 @@
+import { inputStreams } from "../input-streams-api.js";
+import { realtimeStreams } from "../realtime-streams-api.js";
+import { sessionStreams } from "../session-streams-api.js";
+import { localsAPI } from "../locals-api.js";
+import { runMetadata } from "../run-metadata-api.js";
+import { taskContext } from "../task-context-api.js";
+import { lifecycleHooks } from "../lifecycle-hooks-api.js";
+import { runtime } from "../runtime-api.js";
+import { StandardLocalsManager } from "../locals/manager.js";
+import { StandardLifecycleHooksManager } from "../lifecycleHooks/manager.js";
+import { NoopRuntimeManager } from "../runtime/noopRuntimeManager.js";
+import { unregisterGlobal } from "../utils/globals.js";
+import type { ServerBackgroundWorker, TaskRunContext } from "../schemas/index.js";
+import type { LocalsKey } from "../locals/types.js";
+import type { SessionChannelIO } from "../sessionStreams/types.js";
+import { TestInputStreamManager } from "./test-input-stream-manager.js";
+import { TestRealtimeStreamsManager } from "./test-realtime-streams-manager.js";
+import { TestRunMetadataManager } from "./test-run-metadata-manager.js";
+import { TestSessionStreamManager } from "./test-session-stream-manager.js";
+
+/**
+ * Shallow-partial overrides applied on top of the default mock
+ * `TaskRunContext`. Each sub-object is a partial of its real shape —
+ * unset fields get sensible defaults.
+ */
+export type MockTaskRunContextOverrides = {
+  task?: Partial<TaskRunContext["task"]>;
+  attempt?: Partial<TaskRunContext["attempt"]>;
+  run?: Partial<TaskRunContext["run"]>;
+  machine?: Partial<TaskRunContext["machine"]>;
+  queue?: Partial<TaskRunContext["queue"]>;
+  environment?: Partial<TaskRunContext["environment"]>;
+  organization?: Partial<TaskRunContext["organization"]>;
+  project?: Partial<TaskRunContext["project"]>;
+  batch?: TaskRunContext["batch"];
+};
+
+/**
+ * Options for overriding parts of the mock task context.
+ */
+export type MockTaskContextOptions = {
+  /** Overrides applied on top of the default mock `TaskRunContext`. */
+  ctx?: MockTaskRunContextOverrides;
+  /** Overrides applied on top of the default `ServerBackgroundWorker`. */
+  worker?: Partial<ServerBackgroundWorker>;
+  /** Whether this is a warm start. */
+  isWarmStart?: boolean;
+};
+
+/**
+ * Drivers passed to the function running inside `runInMockTaskContext`.
+ */
+export type MockTaskContextDrivers = {
+  /** Push data into input streams — simulates realtime input from outside the task. */
+  inputs: {
+    /**
+     * Send `data` to the named input stream. Resolves when all `.on()`
+     * handlers have run.
+     */
+    send(streamId: string, data: unknown): Promise<void>;
+    /** Resolve any pending `.once()` waiters with a timeout error. */
+    close(streamId: string): void;
+  };
+  /** Inspect chunks written to output (realtime) streams. */
+  outputs: {
+    /** All chunks for a given stream, in the order they were written. */
+    chunks<T = unknown>(streamId: string): T[];
+    /** All chunks across every stream, keyed by stream id. */
+    all(): Record<string, unknown[]>;
+    /** Clear chunks for one stream, or all streams if no id is provided. */
+    clear(streamId?: string): void;
+    /**
+     * Register a listener fired for every chunk written to any stream.
+     * Returns an unsubscribe function.
+     */
+    onWrite(listener: (streamId: string, chunk: unknown) => void): () => void;
+  };
+  /** Read or seed locals for the run. */
+  locals: {
+    /** Read a local set by either the task or `set()` below. */
+    get<T>(key: LocalsKey<T>): T | undefined;
+    /**
+     * Pre-seed a local before the task runs. Use this for dependency
+     * injection — e.g. supply a test database client that the agent's
+     * hooks read via `locals.get()` instead of constructing the prod one.
+     */
+    set<T>(key: LocalsKey<T>, value: T): void;
+  };
+  /**
+   * Session-scoped channel drivers. The `.in` side is backed by a
+   * {@link TestSessionStreamManager} installed as the `sessionStreams`
+   * global — so the task's `session.in.on/once/peek/waitWithIdleTimeout`
+   * calls receive records sent through this driver.
+   */
+  sessions: {
+    in: {
+      /**
+       * Send a record onto `session.in` for the given session. Resolves
+       * pending `once()` waiters and fires all `on()` handlers.
+       */
+      send(sessionId: string, data: unknown, io?: SessionChannelIO): Promise<void>;
+      /** Close pending `once()` waiters with a timeout error. */
+      close(sessionId: string, io?: SessionChannelIO): void;
+    };
+  };
+  /** The mock `TaskRunContext` assembled from defaults + user overrides. */
+  ctx: TaskRunContext;
+};
+
+function defaultTaskRunContext(overrides?: MockTaskRunContextOverrides): TaskRunContext {
+  return {
+    task: {
+      id: "test-task",
+      filePath: "test-task.ts",
+      ...overrides?.task,
+    },
+    attempt: {
+      number: 1,
+      startedAt: new Date(),
+      ...overrides?.attempt,
+    },
+    run: {
+      id: "run_test",
+      tags: [],
+      isTest: false,
+      isReplay: false,
+      createdAt: new Date(),
+      startedAt: new Date(),
+      ...overrides?.run,
+    },
+    machine: {
+      name: "micro",
+      cpu: 1,
+      memory: 0.5,
+      centsPerMs: 0,
+      ...overrides?.machine,
+    },
+    queue: {
+      name: "test-queue",
+      id: "test-queue-id",
+      ...overrides?.queue,
+    },
+    environment: {
+      id: "test-env-id",
+      slug: "test-env",
+      type: "DEVELOPMENT",
+      ...overrides?.environment,
+    },
+    organization: {
+      id: "test-org-id",
+      slug: "test-org",
+      name: "Test Org",
+      ...overrides?.organization,
+    },
+    project: {
+      id: "test-project-id",
+      ref: "test-project-ref",
+      slug: "test-project",
+      name: "Test Project",
+      ...overrides?.project,
+    },
+    batch: overrides?.batch,
+  };
+}
+
+function defaultWorker(overrides?: Partial<ServerBackgroundWorker>): ServerBackgroundWorker {
+  return {
+    id: "test-worker-id",
+    version: "test-version",
+    contentHash: "test-content-hash",
+    engine: "V2",
+    ...overrides,
+  };
+}
+
+/**
+ * Run a function inside a fully mocked task runtime context.
+ *
+ * Installs in-memory test managers for `locals`, `inputStreams`,
+ * `realtimeStreams`, `lifecycleHooks`, and `runtime`, sets a mock
+ * `TaskContext`, and tears everything down when the function returns.
+ *
+ * Inside the function, any code that reads from `locals`, `inputStreams`,
+ * `realtimeStreams`, or `taskContext.ctx` will see the mock context —
+ * so you can directly invoke the internal `run` function of any task
+ * (including `chat.agent`) without hitting the Trigger.dev runtime.
+ *
+ * @example
+ * ```ts
+ * import { runInMockTaskContext } from "@trigger.dev/core/v3/test";
+ *
+ * await runInMockTaskContext(
+ *   async ({ inputs, outputs, ctx }) => {
+ *     // Fire an input stream from the "outside"
+ *     setTimeout(() => {
+ *       inputs.send("chat-messages", { messages: [], chatId: "c1" });
+ *     }, 0);
+ *
+ *     // Run task code that reads from inputStreams.once(...)
+ *     await myTask.fns.run(payload, { ctx, signal: new AbortController().signal });
+ *
+ *     // Inspect chunks written to the output stream
+ *     expect(outputs.chunks("chat")).toContainEqual({ type: "text-delta", delta: "hi" });
+ *   },
+ *   { ctx: { run: { id: "run_abc" } } }
+ * );
+ * ```
+ */
+export async function runInMockTaskContext<T>(
+  fn: (drivers: MockTaskContextDrivers) => T | Promise<T>,
+  options?: MockTaskContextOptions
+): Promise<T> {
+  const ctx = defaultTaskRunContext(options?.ctx);
+  const worker = defaultWorker(options?.worker);
+
+  const localsManager = new StandardLocalsManager();
+  const lifecycleManager = new StandardLifecycleHooksManager();
+  const runtimeManager = new NoopRuntimeManager();
+  const metadataManager = new TestRunMetadataManager();
+  const inputManager = new TestInputStreamManager();
+  const outputManager = new TestRealtimeStreamsManager();
+  const sessionStreamManager = new TestSessionStreamManager();
+
+  // Unregister any previously-installed managers so `setGlobal*` wins —
+  // `registerGlobal` returns false silently if an entry already exists.
+  unregisterGlobal("locals");
+  unregisterGlobal("lifecycle-hooks");
+  unregisterGlobal("runtime");
+  unregisterGlobal("run-metadata");
+  unregisterGlobal("input-streams");
+  unregisterGlobal("realtime-streams");
+  unregisterGlobal("session-streams");
+  unregisterGlobal("task-context");
+
+  localsAPI.setGlobalLocalsManager(localsManager);
+  lifecycleHooks.setGlobalLifecycleHooksManager(lifecycleManager);
+  runtime.setGlobalRuntimeManager(runtimeManager);
+  runMetadata.setGlobalManager(metadataManager);
+  inputStreams.setGlobalManager(inputManager);
+  realtimeStreams.setGlobalManager(outputManager);
+  sessionStreams.setGlobalManager(sessionStreamManager);
+  taskContext.setGlobalTaskContext({
+    ctx,
+    worker,
+    isWarmStart: options?.isWarmStart ?? false,
+  });
+
+  const drivers: MockTaskContextDrivers = {
+    inputs: {
+      send: (streamId, data) => inputManager.__sendFromTest(streamId, data),
+      close: (streamId) => inputManager.__closeFromTest(streamId),
+    },
+    outputs: {
+      chunks: (streamId) => outputManager.__chunksFromTest(streamId),
+      all: () => outputManager.__allChunksFromTest(),
+      clear: (streamId) => outputManager.__clearFromTest(streamId),
+      onWrite: (listener) => outputManager.onWrite(listener),
+    },
+    locals: {
+      get: <TValue>(key: LocalsKey<TValue>) => localsManager.getLocal(key),
+      set: <TValue>(key: LocalsKey<TValue>, value: TValue) =>
+        localsManager.setLocal(key, value),
+    },
+    sessions: {
+      in: {
+        send: (sessionId, data, io = "in") =>
+          sessionStreamManager.__sendFromTest(sessionId, io, data),
+        close: (sessionId, io = "in") =>
+          sessionStreamManager.__closeFromTest(sessionId, io),
+      },
+    },
+    ctx,
+  };
+
+  try {
+    return await fn(drivers);
+  } finally {
+    localsAPI.disable();
+    lifecycleHooks.disable();
+    runtime.disable();
+    // taskContext.disable() only sets a flag — unregister the global so
+    // `taskContext.ctx` returns undefined after the harness returns.
+    unregisterGlobal("task-context");
+    unregisterGlobal("input-streams");
+    unregisterGlobal("realtime-streams");
+    unregisterGlobal("session-streams");
+    unregisterGlobal("run-metadata");
+    localsManager.reset();
+    inputManager.reset();
+    outputManager.reset();
+    sessionStreamManager.reset();
+    metadataManager.reset();
+  }
+}
diff --git a/packages/core/src/v3/test/test-input-stream-manager.ts b/packages/core/src/v3/test/test-input-stream-manager.ts
new file mode 100644
index 00000000000..933b92d07c6
--- /dev/null
+++ b/packages/core/src/v3/test/test-input-stream-manager.ts
@@ -0,0 +1,219 @@
+import type { InputStreamManager, InputStreamOnceResult } from "../inputStreams/types.js";
+import { InputStreamOncePromise, InputStreamTimeoutError } from "../inputStreams/types.js";
+import type { InputStreamOnceOptions } from "../realtimeStreams/types.js";
+
+type OnceWaiter = {
+  resolve: (value: InputStreamOnceResult<unknown>) => void;
+  timer?: ReturnType<typeof setTimeout>;
+  signal?: AbortSignal;
+  abortHandler?: () => void;
+};
+
+type Handler = (data: unknown) => void | Promise<void>;
+
+/**
+ * In-memory implementation of `InputStreamManager` for unit tests.
+ *
+ * Tests push data via the driver's `.send(streamId, data)` method. Any
+ * pending `.once()` waiters resolve immediately, and all `.on()` handlers
+ * fire synchronously (awaited if they return a promise).
+ *
+ * Use this alongside {@link runInMockTaskContext} — not directly.
+ */
+export class TestInputStreamManager implements InputStreamManager {
+  private handlers = new Map<string, Set<Handler>>();
+  private onceWaiters = new Map<string, OnceWaiter[]>();
+  private latest = new Map<string, unknown>();
+  private lastSeqNums = new Map<string, number>();
+  // Buffered sends that arrived before a `.once()` waiter was registered.
+  // `.once()` semantically means "wait for NEXT value" but tests often
+  // send data before the task has had a chance to reach the wait point.
+  // Buffering closes that race so the waiter picks up the pending send.
+  private pendingSends = new Map<string, unknown[]>();
+
+  setRunId(_runId: string, _streamsVersion?: string): void {
+    // No-op — the test driver tracks nothing about runs
+  }
+
+  on(streamId: string, handler: Handler): { off: () => void } {
+    if (!this.handlers.has(streamId)) {
+      this.handlers.set(streamId, new Set());
+    }
+    this.handlers.get(streamId)!.add(handler);
+
+    return {
+      off: () => {
+        this.handlers.get(streamId)?.delete(handler);
+      },
+    };
+  }
+
+  once(streamId: string, options?: InputStreamOnceOptions): InputStreamOncePromise<unknown> {
+    return new InputStreamOncePromise<unknown>((resolve) => {
+      if (options?.signal?.aborted) {
+        resolve({
+          ok: false,
+          error: new InputStreamTimeoutError(streamId, options.timeoutMs ?? 0),
+        });
+        return;
+      }
+
+      // Pick up any buffered send that arrived before this waiter.
+      const buffered = this.pendingSends.get(streamId);
+      if (buffered && buffered.length > 0) {
+        const next = buffered.shift();
+        if (buffered.length === 0) this.pendingSends.delete(streamId);
+        resolve({ ok: true, output: next });
+        return;
+      }
+
+      const waiter: OnceWaiter = {
+        resolve,
+        signal: options?.signal,
+      };
+
+      if (options?.timeoutMs !== undefined) {
+        waiter.timer = setTimeout(() => {
+          this.removeWaiter(streamId, waiter);
+          resolve({
+            ok: false,
+            error: new InputStreamTimeoutError(streamId, options.timeoutMs!),
+          });
+        }, options.timeoutMs);
+      }
+
+      if (options?.signal) {
+        const abortHandler = () => {
+          this.removeWaiter(streamId, waiter);
+          if (waiter.timer) clearTimeout(waiter.timer);
+          resolve({
+            ok: false,
+            error: new InputStreamTimeoutError(streamId, options.timeoutMs ?? 0),
+          });
+        };
+        waiter.abortHandler = abortHandler;
+        options.signal.addEventListener("abort", abortHandler, { once: true });
+      }
+
+      if (!this.onceWaiters.has(streamId)) {
+        this.onceWaiters.set(streamId, []);
+      }
+      this.onceWaiters.get(streamId)!.push(waiter);
+    });
+  }
+
+  peek(streamId: string): unknown | undefined {
+    return this.latest.get(streamId);
+  }
+
+  lastSeqNum(streamId: string): number | undefined {
+    return this.lastSeqNums.get(streamId);
+  }
+
+  setLastSeqNum(streamId: string, seqNum: number): void {
+    this.lastSeqNums.set(streamId, seqNum);
+  }
+
+  shiftBuffer(_streamId: string): boolean {
+    return false;
+  }
+
+  disconnectStream(_streamId: string): void {}
+
+  clearHandlers(): void {
+    this.handlers.clear();
+  }
+
+  reset(): void {
+    // Cancel any pending waiters to avoid dangling promises leaking between tests
+    for (const waiters of this.onceWaiters.values()) {
+      for (const w of waiters) {
+        if (w.timer) clearTimeout(w.timer);
+        if (w.signal && w.abortHandler) {
+          w.signal.removeEventListener("abort", w.abortHandler);
+        }
+      }
+    }
+    this.onceWaiters.clear();
+    this.handlers.clear();
+    this.latest.clear();
+    this.lastSeqNums.clear();
+    this.pendingSends.clear();
+  }
+
+  disconnect(): void {
+    this.reset();
+  }
+
+  connectTail(_runId: string, _fromSeq?: number): void {}
+
+  // ── Test driver API (not part of InputStreamManager interface) ──────────
+
+  /**
+   * Push data onto an input stream. Resolves pending `once()` waiters
+   * and fires all `on()` handlers (awaiting async handlers).
+   */
+  async __sendFromTest(streamId: string, data: unknown): Promise<void> {
+    this.latest.set(streamId, data);
+
+    const waiters = this.onceWaiters.get(streamId);
+    const handlers = this.handlers.get(streamId);
+    const hasWaiters = waiters && waiters.length > 0;
+    const hasHandlers = handlers && handlers.size > 0;
+
+    // If nothing is listening yet, buffer so the next `.once()` call picks it up.
+    if (!hasWaiters && !hasHandlers) {
+      if (!this.pendingSends.has(streamId)) {
+        this.pendingSends.set(streamId, []);
+      }
+      this.pendingSends.get(streamId)!.push(data);
+      return;
+    }
+
+    if (hasWaiters) {
+      // Drain every pending once() waiter — this mirrors the real manager's
+      // behavior where the stream tail delivers the same record to all listeners.
+      const pending = waiters!.splice(0);
+      for (const w of pending) {
+        if (w.timer) clearTimeout(w.timer);
+        if (w.signal && w.abortHandler) {
+          w.signal.removeEventListener("abort", w.abortHandler);
+        }
+        w.resolve({ ok: true, output: data });
+      }
+    }
+
+    if (hasHandlers) {
+      await Promise.all(
+        Array.from(handlers!).map((h) => Promise.resolve().then(() => h(data)))
+      );
+    }
+  }
+
+  /**
+   * Immediately resolve every pending `once()` waiter for a stream with a
+   * timeout error. Used to simulate closed streams (e.g. `exitAfterPreloadIdle`).
+   */
+  __closeFromTest(streamId: string): void {
+    const waiters = this.onceWaiters.get(streamId);
+    if (!waiters) return;
+    const pending = waiters.splice(0);
+    for (const w of pending) {
+      if (w.timer) clearTimeout(w.timer);
+      if (w.signal && w.abortHandler) {
+        w.signal.removeEventListener("abort", w.abortHandler);
+      }
+      w.resolve({
+        ok: false,
+        error: new InputStreamTimeoutError(streamId, 0),
+      });
+    }
+  }
+
+  private removeWaiter(streamId: string, waiter: OnceWaiter): void {
+    const waiters = this.onceWaiters.get(streamId);
+    if (!waiters) return;
+    const idx = waiters.indexOf(waiter);
+    if (idx >= 0) waiters.splice(idx, 1);
+  }
+}
diff --git a/packages/core/src/v3/test/test-realtime-streams-manager.ts b/packages/core/src/v3/test/test-realtime-streams-manager.ts
new file mode 100644
index 00000000000..8f4142b28e7
--- /dev/null
+++ b/packages/core/src/v3/test/test-realtime-streams-manager.ts
@@ -0,0 +1,170 @@
+import {
+  AsyncIterableStream,
+  createAsyncIterableStreamFromAsyncIterable,
+} from "../streams/asyncIterableStream.js";
+import type {
+  RealtimeStreamInstance,
+  RealtimeStreamOperationOptions,
+  RealtimeStreamsManager,
+} from "../realtimeStreams/types.js";
+
+/**
+ * In-memory implementation of `RealtimeStreamsManager` for unit tests.
+ * Collects every chunk that tasks write via `pipe()` or `append()` into
+ * per-stream buffers that tests can inspect.
+ *
+ * Use this alongside {@link runInMockTaskContext} — not directly.
+ */
+type WriteListener = (key: string, chunk: unknown) => void;
+
+export class TestRealtimeStreamsManager implements RealtimeStreamsManager {
+  private buffers = new Map<string, unknown[]>();
+  private pipeWaits = new Map<string, Promise<void>[]>();
+  private writeListeners = new Set<WriteListener>();
+
+  pipe<T>(
+    key: string,
+    source: AsyncIterable<T> | ReadableStream<T>,
+    _options?: RealtimeStreamOperationOptions
+  ): RealtimeStreamInstance<T> {
+    const buffer = this.getBuffer(key);
+    const self = this;
+
+    // Eagerly drain the source in the background so chunks land in the
+    // buffer + notify listeners even when the caller never consumes the
+    // returned stream. This mirrors the real SDK behavior: `streams.writer`
+    // awaits `instance.wait()`, it doesn't read the returned stream.
+    //
+    // The source is read ONCE (into a chunks array) and replayed into a
+    // ReadableStream so the caller can still consume it if they want.
+    const readChunks: T[] = [];
+    let resolveDone!: () => void;
+    const done = new Promise<void>((resolve) => {
+      resolveDone = resolve;
+    });
+
+    (async () => {
+      try {
+        const iter =
+          source instanceof ReadableStream
+            ? (async function* () {
+                const reader = source.getReader();
+                try {
+                  while (true) {
+                    const { done: d, value } = await reader.read();
+                    if (d) return;
+                    yield value as T;
+                  }
+                } finally {
+                  reader.releaseLock();
+                }
+              })()
+            : source;
+
+        for await (const chunk of iter) {
+          readChunks.push(chunk);
+          buffer.push(chunk);
+          self.notify(key, chunk);
+        }
+      } catch {
+        // Swallow — tests can inspect what made it into the buffer
+      } finally {
+        resolveDone();
+      }
+    })();
+
+    const replayStream = (async function* () {
+      // Wait for all chunks to be drained, then replay from our snapshot
+      await done;
+      for (const chunk of readChunks) yield chunk;
+    })();
+    const wrappedStream = createAsyncIterableStreamFromAsyncIterable(replayStream);
+
+    if (!this.pipeWaits.has(key)) this.pipeWaits.set(key, []);
+    this.pipeWaits.get(key)!.push(done);
+
+    return {
+      wait: () => done.then(() => ({})),
+      get stream(): AsyncIterableStream<T> {
+        return wrappedStream;
+      },
+    };
+  }
+
+  async append<TPart extends BodyInit>(
+    key: string,
+    part: TPart,
+    _options?: RealtimeStreamOperationOptions
+  ): Promise<void> {
+    this.getBuffer(key).push(part);
+    this.notify(key, part);
+  }
+
+  /**
+   * Register a listener fired for every chunk written to any stream.
+   * Returns an unsubscribe function.
+   *
+   * Intended for test harnesses that need to react to writes synchronously
+   * (e.g. resolving a "turn complete" latch).
+   */
+  onWrite(listener: WriteListener): () => void {
+    this.writeListeners.add(listener);
+    return () => {
+      this.writeListeners.delete(listener);
+    };
+  }
+
+  private notify(key: string, chunk: unknown): void {
+    for (const listener of this.writeListeners) {
+      try {
+        listener(key, chunk);
+      } catch {
+        // Never let a listener error break stream writes
+      }
+    }
+  }
+
+  // ── Test driver API (not part of RealtimeStreamsManager interface) ──────
+
+  /**
+   * Return all chunks written to the given stream key in order of write.
+   */
+  __chunksFromTest<T = unknown>(key: string): T[] {
+    return (this.buffers.get(key) ?? []).slice() as T[];
+  }
+
+  /**
+   * Return all chunks across every stream, keyed by stream id.
+   */
+  __allChunksFromTest(): Record<string, unknown[]> {
+    const result: Record<string, unknown[]> = {};
+    for (const [key, chunks] of this.buffers.entries()) {
+      result[key] = chunks.slice();
+    }
+    return result;
+  }
+
+  /**
+   * Clear the buffer for a specific stream or all streams.
+   */
+  __clearFromTest(key?: string): void {
+    if (key === undefined) {
+      this.buffers.clear();
+    } else {
+      this.buffers.delete(key);
+    }
+  }
+
+  reset(): void {
+    this.buffers.clear();
+    this.pipeWaits.clear();
+    this.writeListeners.clear();
+  }
+
+  private getBuffer(key: string): unknown[] {
+    if (!this.buffers.has(key)) {
+      this.buffers.set(key, []);
+    }
+    return this.buffers.get(key)!;
+  }
+}
diff --git a/packages/core/src/v3/test/test-run-metadata-manager.ts b/packages/core/src/v3/test/test-run-metadata-manager.ts
new file mode 100644
index 00000000000..9d806f17a03
--- /dev/null
+++ b/packages/core/src/v3/test/test-run-metadata-manager.ts
@@ -0,0 +1,103 @@
+import type { DeserializedJson } from "../../schemas/json.js";
+import type { AsyncIterableStream } from "../streams/asyncIterableStream.js";
+import type { RunMetadataManager, RunMetadataUpdater } from "../runMetadata/types.js";
+
+/**
+ * In-memory implementation of `RunMetadataManager` for unit tests.
+ *
+ * Just stores metadata in a Map — no API calls, no queue. Good enough
+ * for tests that read/write metadata via `runMetadata.getKey()` /
+ * `runMetadata.set()`, including the IDLE_TIMEOUT and TURN_TIMEOUT
+ * checks inside `chat.agent()`.
+ */
+export class TestRunMetadataManager implements RunMetadataManager {
+  private store: Record<string, DeserializedJson> = {};
+
+  enterWithMetadata(metadata: Record<string, DeserializedJson>): void {
+    this.store = { ...metadata };
+  }
+
+  current(): Record<string, DeserializedJson> | undefined {
+    return { ...this.store };
+  }
+
+  getKey(key: string): DeserializedJson | undefined {
+    return this.store[key];
+  }
+
+  set(key: string, value: DeserializedJson): this {
+    this.store[key] = value;
+    return this;
+  }
+
+  del(key: string): this {
+    delete this.store[key];
+    return this;
+  }
+
+  append(key: string, value: DeserializedJson): this {
+    const existing = this.store[key];
+    if (Array.isArray(existing)) {
+      existing.push(value);
+    } else {
+      this.store[key] = [value];
+    }
+    return this;
+  }
+
+  remove(key: string, value: DeserializedJson): this {
+    const existing = this.store[key];
+    if (Array.isArray(existing)) {
+      this.store[key] = existing.filter((v) => v !== value) as DeserializedJson;
+    }
+    return this;
+  }
+
+  increment(key: string, value: number): this {
+    const existing = this.store[key];
+    const current = typeof existing === "number" ? existing : 0;
+    this.store[key] = current + value;
+    return this;
+  }
+
+  decrement(key: string, value: number): this {
+    return this.increment(key, -value);
+  }
+
+  update(metadata: Record<string, DeserializedJson>): this {
+    this.store = { ...metadata };
+    return this;
+  }
+
+  async flush(): Promise<void> {}
+  async refresh(): Promise<void> {}
+
+  async stream<T>(
+    _key: string,
+    value: AsyncIterable<T> | ReadableStream<T>
+  ): Promise<AsyncIterable<T>> {
+    return value as AsyncIterable<T>;
+  }
+
+  async fetchStream<T>(_key: string): Promise<AsyncIterableStream<T>> {
+    // Return an empty async iterable — tests can override if needed
+    const empty = {
+      [Symbol.asyncIterator]: () => ({
+        next: () => Promise.resolve({ done: true as const, value: undefined as T }),
+      }),
+    };
+    return empty as unknown as AsyncIterableStream<T>;
+  }
+
+  get parent(): RunMetadataUpdater {
+    return this;
+  }
+
+  get root(): RunMetadataUpdater {
+    return this;
+  }
+
+  reset(): void {
+    this.store = {};
+  }
+}
diff --git a/packages/core/src/v3/test/test-session-stream-manager.ts b/packages/core/src/v3/test/test-session-stream-manager.ts
new file mode 100644
index 00000000000..f19e01dc33c
--- /dev/null
+++ b/packages/core/src/v3/test/test-session-stream-manager.ts
@@ -0,0 +1,348 @@
+import {
+  InputStreamOncePromise,
+  InputStreamOnceResult,
+  InputStreamTimeoutError,
+} from "../inputStreams/types.js";
+import type { InputStreamOnceOptions } from "../realtimeStreams/types.js";
+import type {
+  SessionChannelIO,
+  SessionStreamManager,
+} from "../sessionStreams/types.js";
+
+type OnceWaiter = {
+  resolve: (value: InputStreamOnceResult<unknown>) => void;
+  timer?: ReturnType<typeof setTimeout>;
+  signal?: AbortSignal;
+  abortHandler?: () => void;
+};
+
+// Same contract as the production manager: a handler that synchronously
+// returns `true` CONSUMES the record (not buffered, not re-delivered on a
+// future `on()` attach). See `SessionStreamManager.on` in types.ts.
+type Handler = (data: unknown) => void | boolean | Promise<void>;
+
+function keyFor(sessionId: string, io: SessionChannelIO): string {
+  return `${sessionId}:${io}`;
+}
+
+/**
+ * In-memory implementation of `SessionStreamManager` for unit tests. Same
+ * shape as {@link TestInputStreamManager} but keyed on `(sessionId, io)`.
+ *
+ * Tests push data via `__sendFromTest(sessionId, io, data)` — any pending
+ * `once()` waiters resolve immediately, and all `on()` handlers fire (awaited
+ * if they return a promise). Records that arrive before a listener is
+ * registered are buffered so the first `once()` picks them up.
+ */
+export class TestSessionStreamManager implements SessionStreamManager {
+  private handlers = new Map<string, Set<Handler>>();
+  private onceWaiters = new Map<string, OnceWaiter[]>();
+  private buffer = new Map<string, unknown[]>();
+  private seqNums = new Map<string, number>();
+
+  on(
+    sessionId: string,
+    io: SessionChannelIO,
+    handler: Handler
+  ): { off: () => void } {
+    const key = keyFor(sessionId, io);
+
+    let set = this.handlers.get(key);
+    if (!set) {
+      set = new Set();
+      this.handlers.set(key, set);
+    }
+    set.add(handler);
+
+    // Selective drain, matching the production manager: offer each
+    // buffered record to the new handler and remove ONLY the ones it
+    // consumed (returned `true`). Records the handler filtered out (other
+    // kinds) stay buffered for a future `once()`. This is the corrected
+    // form of two historical bugs: a blind drain swallowed boot-phase user
+    // messages into the stop facade (which ignores `kind: "message"`),
+    // and no-drain-at-all let production re-deliver already-processed
+    // messages into every newly attached per-turn handler.
+    const buffered = this.buffer.get(key);
+    if (buffered && buffered.length > 0) {
+      const kept: unknown[] = [];
+      for (const data of buffered) {
+        let consumed = false;
+        try {
+          consumed = handler(data) === true;
+        } catch {
+          // Never let a handler error break test state
+        }
+        if (!consumed) kept.push(data);
+      }
+      if (kept.length > 0) {
+        this.buffer.set(key, kept);
+      } else {
+        this.buffer.delete(key);
+      }
+    }
+
+    return {
+      off: () => {
+        this.handlers.get(key)?.delete(handler);
+      },
+    };
+  }
+
+  once(
+    sessionId: string,
+    io: SessionChannelIO,
+    options?: InputStreamOnceOptions
+  ): InputStreamOncePromise<unknown> {
+    const key = keyFor(sessionId, io);
+
+    return new InputStreamOncePromise<unknown>((resolve) => {
+      if (options?.signal?.aborted) {
+        resolve({
+          ok: false,
+          error: new InputStreamTimeoutError(key, options.timeoutMs ?? 0),
+        });
+        return;
+      }
+
+      const buffered = this.buffer.get(key);
+      if (buffered && buffered.length > 0) {
+        const next = buffered.shift();
+        if (buffered.length === 0) this.buffer.delete(key);
+        resolve({ ok: true, output: next });
+        return;
+      }
+
+      const waiter: OnceWaiter = { resolve, signal: options?.signal };
+
+      if (options?.timeoutMs !== undefined) {
+        waiter.timer = setTimeout(() => {
+          this.removeWaiter(key, waiter);
+          resolve({
+            ok: false,
+            error: new InputStreamTimeoutError(key, options.timeoutMs!),
+          });
+        }, options.timeoutMs);
+      }
+
+      if (options?.signal) {
+        const abortHandler = () => {
+          this.removeWaiter(key, waiter);
+          if (waiter.timer) clearTimeout(waiter.timer);
+          resolve({
+            ok: false,
+            error: new InputStreamTimeoutError(key, options.timeoutMs ?? 0),
+          });
+        };
+        waiter.abortHandler = abortHandler;
+        options.signal.addEventListener("abort", abortHandler, { once: true });
+      }
+
+      let waiters = this.onceWaiters.get(key);
+      if (!waiters) {
+        waiters = [];
+        this.onceWaiters.set(key, waiters);
+      }
+      waiters.push(waiter);
+    });
+  }
+
+  peek(sessionId: string, io: SessionChannelIO): unknown | undefined {
+    const buffered = this.buffer.get(keyFor(sessionId, io));
+    if (buffered && buffered.length > 0) return buffered[0];
+    return undefined;
+  }
+
+  lastSeqNum(sessionId: string, io: SessionChannelIO): number | undefined {
+    return this.seqNums.get(keyFor(sessionId, io));
+  }
+
+  setLastSeqNum(sessionId: string, io: SessionChannelIO, seqNum: number): void {
+    this.seqNums.set(keyFor(sessionId, io), seqNum);
+  }
+
+  lastDispatchedSeqNum(_sessionId: string, _io: SessionChannelIO): number | undefined {
+    // The test harness drives records via `__sendFromTest` without seq
+    // numbers, so the committed-consume cursor stays undefined. Tests
+    // that need cursor behaviour exercise it via the real manager.
+    return undefined;
+  }
+
+  setLastDispatchedSeqNum(
+    _sessionId: string,
+    _io: SessionChannelIO,
+    _seqNum: number
+  ): void {
+    // no-op — see comment on `lastDispatchedSeqNum`.
+  }
+
+  setMinTimestamp(
+    _sessionId: string,
+    _io: SessionChannelIO,
+    _minTimestamp: number | undefined
+  ): void {
+    // No filter applied in tests; the test harness drives records directly
+    // and the chat.agent retry path is exercised separately.
+  }
+
+  shiftBuffer(sessionId: string, io: SessionChannelIO): boolean {
+    const key = keyFor(sessionId, io);
+    const buffered = this.buffer.get(key);
+    if (buffered && buffered.length > 0) {
+      buffered.shift();
+      if (buffered.length === 0) this.buffer.delete(key);
+      return true;
+    }
+    return false;
+  }
+
+  disconnectStream(_sessionId: string, _io: SessionChannelIO): void {
+    // no-op — no real SSE tail in tests
+  }
+
+  clearHandlers(): void {
+    this.handlers.clear();
+  }
+
+  reset(): void {
+    for (const waiters of this.onceWaiters.values()) {
+      for (const w of waiters) {
+        if (w.timer) clearTimeout(w.timer);
+        if (w.signal && w.abortHandler) {
+          w.signal.removeEventListener("abort", w.abortHandler);
+        }
+      }
+    }
+    this.onceWaiters.clear();
+    this.handlers.clear();
+    this.buffer.clear();
+    this.seqNums.clear();
+  }
+
+  disconnect(): void {
+    this.reset();
+  }
+
+  // ── Test driver API (not part of SessionStreamManager interface) ──────
+
+  /**
+   * Push a record onto the given channel.
+   *
+   * Dispatch rules — same as the production manager:
+   *
+   * 1. **A pending `.once` waiter consumes first.** Handlers still observe
+   *    a copy.
+   * 2. **Otherwise handlers observe.** A handler that synchronously
+   *    returns `true` consumes the record (kind-filtering facades do this
+   *    for the kinds they own) — it is NOT buffered.
+   * 3. **Records no one consumed are buffered** for the next `.once` call
+   *    or the next consuming `on()` attach.
+   *
+   * Handler promises are awaited before resolving so test code can rely
+   * on async handler work having settled by the time `__sendFromTest`
+   * resolves. Consumption is decided on the synchronous return value,
+   * exactly like production.
+   */
+  async __sendFromTest(
+    sessionId: string,
+    io: SessionChannelIO,
+    data: unknown
+  ): Promise<void> {
+    const key = keyFor(sessionId, io);
+
+    const waiters = this.onceWaiters.get(key);
+    if (waiters && waiters.length > 0) {
+      const w = waiters.shift()!;
+      if (waiters.length === 0) this.onceWaiters.delete(key);
+      if (w.timer) clearTimeout(w.timer);
+      if (w.signal && w.abortHandler) {
+        w.signal.removeEventListener("abort", w.abortHandler);
+      }
+      w.resolve({ ok: true, output: data });
+      await this.#invokeHandlers(key, data);
+      return;
+    }
+
+    const consumed = await this.#invokeHandlers(key, data);
+    if (consumed) return;
+
+    // Re-check waiters: handler invocation above is awaited (unlike the
+    // synchronous production dispatch), and the runtime commonly registers
+    // its next `once()` during that window — e.g. the turn loop reaching
+    // `waitWithIdleTimeout` while a handler settles. Without this second
+    // look the record would be buffered while the fresh waiter hangs.
+    const lateWaiters = this.onceWaiters.get(key);
+    if (lateWaiters && lateWaiters.length > 0) {
+      const w = lateWaiters.shift()!;
+      if (lateWaiters.length === 0) this.onceWaiters.delete(key);
+      if (w.timer) clearTimeout(w.timer);
+      if (w.signal && w.abortHandler) {
+        w.signal.removeEventListener("abort", w.abortHandler);
+      }
+      w.resolve({ ok: true, output: data });
+      return;
+    }
+
+    let buffered = this.buffer.get(key);
+    if (!buffered) {
+      buffered = [];
+      this.buffer.set(key, buffered);
+    }
+    buffered.push(data);
+  }
+
+  /**
+   * Invoke all handlers; resolves once any returned promises settle.
+   * Returns true when any handler synchronously consumed the record.
+   * Wrapped per-handler so a throwing/rejecting handler doesn't poison
+   * Promise.all and break unrelated test state.
+   */
+  async #invokeHandlers(key: string, data: unknown): Promise<boolean> {
+    const handlers = this.handlers.get(key);
+    if (!handlers || handlers.size === 0) return false;
+
+    let consumed = false;
+    await Promise.all(
+      Array.from(handlers).map(async (h) => {
+        try {
+          const result = h(data);
+          if (result === true) {
+            consumed = true;
+            return;
+          }
+          await result;
+        } catch {
+          // Never let a handler error break test state
+        }
+      })
+    );
+    return consumed;
+  }
+
+  /**
+   * Immediately resolve every pending `once()` waiter for the given channel
+   * with a timeout error. Simulates a closed stream (e.g. session closed).
+   */
+  __closeFromTest(sessionId: string, io: SessionChannelIO): void {
+    const key = keyFor(sessionId, io);
+    const waiters = this.onceWaiters.get(key);
+    if (!waiters) return;
+    const pending = waiters.splice(0);
+    for (const w of pending) {
+      if (w.timer) clearTimeout(w.timer);
+      if (w.signal && w.abortHandler) {
+        w.signal.removeEventListener("abort", w.abortHandler);
+      }
+      w.resolve({
+        ok: false,
+        error: new InputStreamTimeoutError(key, 0),
+      });
+    }
+  }
+
+  private removeWaiter(key: string, waiter: OnceWaiter): void {
+    const waiters = this.onceWaiters.get(key);
+    if (!waiters) return;
+    const idx = waiters.indexOf(waiter);
+    if (idx >= 0) waiters.splice(idx, 1);
+  }
+}
diff --git a/packages/core/src/v3/tracer.ts b/packages/core/src/v3/tracer.ts
index 5b213917592..c14e1e07bff 100644
--- a/packages/core/src/v3/tracer.ts
+++ b/packages/core/src/v3/tracer.ts
@@ -145,11 +145,7 @@ export class TriggerTracer {
           }
 
           if (!spanEnded) {
-            if (typeof e === "string" || e instanceof Error) {
-              span.recordException(e);
-            }
-
-            span.setStatus({ code: SpanStatusCode.ERROR });
+            recordSpanException(span, e);
           }
 
           throw e;
diff --git a/packages/core/src/v3/types/tasks.ts b/packages/core/src/v3/types/tasks.ts
index d04d088ef1a..978a6e5bd0a 100644
--- a/packages/core/src/v3/types/tasks.ts
+++ b/packages/core/src/v3/types/tasks.ts
@@ -387,6 +387,12 @@ type CommonTaskOptions<
    * Should be a valid JSON Schema Draft 7 object.
    */
   jsonSchema?: JSONSchema;
+
+  /** @internal Set by SDK internals (e.g. `chat.agent()`, `schedules.task()`). */
+  triggerSource?: string;
+
+  /** @internal Agent configuration, only set when `triggerSource` is `"agent"`. */
+  agentConfig?: { type: string };
 };
 
 export type TaskOptions<
@@ -641,6 +647,30 @@ export interface Task<TIdentifier extends string, TInput = void, TOutput = any>
     requestOptions?: TriggerApiRequestOptions
   ) => TaskRunPromise<TIdentifier, TOutput>;
 
+  /**
+   * Trigger a task and subscribe to its updates via realtime. Unlike `triggerAndWait`,
+   * this does NOT suspend the parent run — the parent stays alive and polls for updates.
+   * This enables parallel tool calls and proper abort signal handling.
+   *
+   * @param payload
+   * @param options - Options for the task run, including an optional `signal` to cancel the subscription and child run
+   * @returns TaskRunPromise
+   * @example
+   * ```
+   * const result = await task.triggerAndSubscribe({ foo: "bar" }, { signal: abortSignal });
+   *
+   * if (result.ok) {
+   *   console.log(result.output);
+   * } else {
+   *   console.error(result.error);
+   * }
+   * ```
+   */
+  triggerAndSubscribe: (
+    payload: TInput,
+    options?: TriggerAndSubscribeOptions,
+  ) => TaskRunPromise<TIdentifier, TOutput>;
+
   /**
    * Batch trigger multiple task runs with the given payloads, and wait for the results. Returns the results of the task runs.
    * @param items - Array, AsyncIterable, or ReadableStream of batch items
@@ -989,6 +1019,16 @@ export type TriggerOptions = {
 };
 
 export type TriggerAndWaitOptions = Omit<TriggerOptions, "version">;
+
+export type TriggerAndSubscribeOptions = Omit<TriggerOptions, "version"> & {
+  /** An AbortSignal to cancel the subscription. When fired, the subscription closes and the promise rejects. */
+  signal?: AbortSignal;
+  /**
+   * Whether to cancel the child run when the abort signal fires.
+   * @default true
+   */
+  cancelOnAbort?: boolean;
+};
 export type BatchTriggerOptions = {
   /**
    * If no idempotencyKey is set on an individual item in the batch, it will use this key on each item + the array index.
diff --git a/packages/core/src/v3/utils/flattenAttributes.ts b/packages/core/src/v3/utils/flattenAttributes.ts
index 83d1a14f2cd..1a4486a4e5d 100644
--- a/packages/core/src/v3/utils/flattenAttributes.ts
+++ b/packages/core/src/v3/utils/flattenAttributes.ts
@@ -312,10 +312,16 @@ export function unflattenAttributes(
       }
 
       if (typeof nextPart === "number") {
-        // Ensure we create an array for numeric indices
-        current[part] = Array.isArray(current[part]) ? current[part] : [];
-      } else if (current[part] === undefined) {
-        // Create an object for non-numeric paths
+        if (!Array.isArray(current[part])) {
+          current[part] = [];
+        }
+      } else if (
+        current[part] === null ||
+        typeof current[part] !== "object" ||
+        Array.isArray(current[part])
+      ) {
+        // Last-write-wins when a prior key wrote a primitive, null, or array
+        // at this slot — keeps unflatten total for conflicting OTLP inputs.
         current[part] = {};
       }
 
diff --git a/packages/core/src/v3/utils/gitBranch.ts b/packages/core/src/v3/utils/gitBranch.ts
new file mode 100644
index 00000000000..b1f2f2df27a
--- /dev/null
+++ b/packages/core/src/v3/utils/gitBranch.ts
@@ -0,0 +1,31 @@
+export function isValidGitBranchName(branch: string): boolean {
+  if (!branch) return false;
+
+  if (/[ \~\^:\?\*\[\\]/.test(branch)) return false;
+
+  for (let i = 0; i < branch.length; i++) {
+    const code = branch.charCodeAt(i);
+    if ((code >= 0 && code <= 31) || code === 127) return false;
+  }
+
+  if (branch.startsWith("/") || branch.endsWith("/")) return false;
+  if (branch.includes("//")) return false;
+  if (branch.includes("..")) return false;
+  if (branch.includes("@{")) return false;
+  if (branch.endsWith(".lock")) return false;
+
+  return true;
+}
+
+export function sanitizeBranchName(ref: string | null | undefined): string | null {
+  if (!ref) return null;
+  if (ref.startsWith("refs/heads/")) return ref.substring("refs/heads/".length);
+  if (ref.startsWith("refs/remotes/")) return ref.substring("refs/remotes/".length);
+  if (ref.startsWith("refs/tags/")) return ref.substring("refs/tags/".length);
+  if (ref.startsWith("refs/pull/")) return ref.substring("refs/pull/".length);
+  if (ref.startsWith("refs/merge/")) return ref.substring("refs/merge/".length);
+  if (ref.startsWith("refs/release/")) return ref.substring("refs/release/".length);
+  if (ref.startsWith("refs/")) return null;
+
+  return ref;
+}
diff --git a/packages/core/src/v3/utils/globals.ts b/packages/core/src/v3/utils/globals.ts
index 08b62d379b2..fa5b8176f6e 100644
--- a/packages/core/src/v3/utils/globals.ts
+++ b/packages/core/src/v3/utils/globals.ts
@@ -3,6 +3,7 @@ import { Clock } from "../clock/clock.js";
 import { HeartbeatsManager } from "../heartbeats/types.js";
 import type { IdempotencyKeyCatalog } from "../idempotency-key-catalog/catalog.js";
 import { InputStreamManager } from "../inputStreams/types.js";
+import { SessionStreamManager } from "../sessionStreams/types.js";
 import { LifecycleHooksManager } from "../lifecycleHooks/types.js";
 import { LocalsManager } from "../locals/types.js";
 import { RealtimeStreamsManager } from "../realtimeStreams/types.js";
@@ -76,4 +77,5 @@ type TriggerDotDevGlobalAPI = {
   ["heartbeats"]?: HeartbeatsManager;
   ["realtime-streams"]?: RealtimeStreamsManager;
   ["input-streams"]?: InputStreamManager;
+  ["session-streams"]?: SessionStreamManager;
 };
diff --git a/packages/core/src/v3/utils/ioSerialization.ts b/packages/core/src/v3/utils/ioSerialization.ts
index 35e3d41061a..1386ed04b43 100644
--- a/packages/core/src/v3/utils/ioSerialization.ts
+++ b/packages/core/src/v3/utils/ioSerialization.ts
@@ -100,22 +100,33 @@ export async function stringifyIO(value: any): Promise<IOPacket> {
   }
 }
 
+/**
+ * Offloads a packet to object storage when it exceeds the size limit.
+ *
+ * @param client - Optional API client to use for the upload presign request. When
+ * omitted, falls back to the global `apiClientManager.client`. Pass an explicit client
+ * (e.g. one built from a custom `clientConfig`) to ensure the payload is uploaded using
+ * the same configuration as the accompanying trigger API call.
+ */
 export async function conditionallyExportPacket(
   packet: IOPacket,
   pathPrefix: string,
-  tracer?: TriggerTracer
+  tracer?: TriggerTracer,
+  client?: ApiClient
 ): Promise<IOPacket> {
-  if (apiClientManager.client) {
+  const $client = client ?? apiClientManager.client;
+
+  if ($client) {
     const { needsOffloading, size } = packetRequiresOffloading(packet);
 
     if (needsOffloading) {
       if (!tracer) {
-        return await exportPacket(packet, pathPrefix);
+        return await exportPacket(packet, pathPrefix, $client);
       } else {
         const result = await tracer.startActiveSpan(
           "store.uploadOutput",
           async (span) => {
-            return await exportPacket(packet, pathPrefix);
+            return await exportPacket(packet, pathPrefix, $client);
           },
           {
             attributes: {
@@ -163,11 +174,15 @@ const ioRetryOptions = {
   randomize: true,
 } satisfies RetryOptions;
 
-async function exportPacket(packet: IOPacket, pathPrefix: string): Promise<IOPacket> {
+async function exportPacket(
+  packet: IOPacket,
+  pathPrefix: string,
+  client: ApiClient
+): Promise<IOPacket> {
   // Offload the output
   const filename = `${pathPrefix}.${getPacketExtension(packet.dataType)}`;
 
-  const presignedResponse = await apiClientManager.client!.createUploadPayloadUrl(filename);
+  const presignedResponse = await client.createUploadPayloadUrl(filename);
 
   if (!presignedResponse.storagePath) {
     throw new Error(
diff --git a/packages/core/src/v3/utils/reconnectBackoff.test.ts b/packages/core/src/v3/utils/reconnectBackoff.test.ts
new file mode 100644
index 00000000000..5de5a2db8e8
--- /dev/null
+++ b/packages/core/src/v3/utils/reconnectBackoff.test.ts
@@ -0,0 +1,82 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+import { RECONNECT_BACKOFF_MAX_MS, computeReconnectDelayMs } from "./reconnectBackoff.js";
+
+afterEach(() => {
+  vi.restoreAllMocks();
+});
+
+describe("computeReconnectDelayMs", () => {
+  // Hold Math.random steady so we can assert on the deterministic base. The
+  // jitter is added separately in the "jitter" test below.
+  function withFixedRandom(value: number, fn: () => void) {
+    const spy = vi.spyOn(Math, "random").mockReturnValue(value);
+    try {
+      fn();
+    } finally {
+      spy.mockRestore();
+    }
+  }
+
+  it("base case — attempt 0 lands in [1000, 2000)", () => {
+    withFixedRandom(0, () => {
+      expect(computeReconnectDelayMs(0)).toBe(1000);
+    });
+    withFixedRandom(0.999, () => {
+      expect(computeReconnectDelayMs(0)).toBeGreaterThanOrEqual(1000);
+      expect(computeReconnectDelayMs(0)).toBeLessThan(2000);
+    });
+  });
+
+  it("doubles per attempt up to the 30s cap", () => {
+    withFixedRandom(0, () => {
+      // 1s, 2s, 4s, 8s, 16s, then capped at 30s
+      expect(computeReconnectDelayMs(0)).toBe(1_000);
+      expect(computeReconnectDelayMs(1)).toBe(2_000);
+      expect(computeReconnectDelayMs(2)).toBe(4_000);
+      expect(computeReconnectDelayMs(3)).toBe(8_000);
+      expect(computeReconnectDelayMs(4)).toBe(16_000);
+      // 32s would exceed the cap — should clamp to 30s.
+      expect(computeReconnectDelayMs(5)).toBe(RECONNECT_BACKOFF_MAX_MS);
+      // High attempt counts stay capped — protects against integer
+      // overflow on 2 ** N for large N.
+      expect(computeReconnectDelayMs(50)).toBe(RECONNECT_BACKOFF_MAX_MS);
+      expect(computeReconnectDelayMs(1_000)).toBe(RECONNECT_BACKOFF_MAX_MS);
+    });
+  });
+
+  it("never exceeds RECONNECT_BACKOFF_MAX_MS + 1000ms (cap + jitter ceiling)", () => {
+    withFixedRandom(0.999, () => {
+      for (let attempt = 0; attempt < 100; attempt++) {
+        expect(computeReconnectDelayMs(attempt)).toBeLessThan(
+          RECONNECT_BACKOFF_MAX_MS + 1000
+        );
+      }
+    });
+  });
+
+  it("adds 0–1000ms of jitter on top of the base", () => {
+    // Compare same attempt with random=0 vs random=0.5 — the difference is
+    // exactly the jitter.
+    withFixedRandom(0, () => {
+      expect(computeReconnectDelayMs(2)).toBe(4_000);
+    });
+    withFixedRandom(0.5, () => {
+      expect(computeReconnectDelayMs(2)).toBe(4_500);
+    });
+    withFixedRandom(0.999, () => {
+      const v = computeReconnectDelayMs(2);
+      expect(v).toBeGreaterThan(4_000);
+      expect(v).toBeLessThan(5_000);
+    });
+  });
+
+  it("clamps negative / non-integer attempts to 0 (no NaN, no negative delay)", () => {
+    withFixedRandom(0, () => {
+      expect(computeReconnectDelayMs(-1)).toBe(1_000);
+      expect(computeReconnectDelayMs(-100)).toBe(1_000);
+      expect(computeReconnectDelayMs(0.7)).toBe(1_000); // floored to 0
+      expect(computeReconnectDelayMs(2.9)).toBe(4_000); // floored to 2
+    });
+  });
+});
diff --git a/packages/core/src/v3/utils/reconnectBackoff.ts b/packages/core/src/v3/utils/reconnectBackoff.ts
new file mode 100644
index 00000000000..51525591002
--- /dev/null
+++ b/packages/core/src/v3/utils/reconnectBackoff.ts
@@ -0,0 +1,25 @@
+/**
+ * Exponential backoff with full jitter for stream-tail reconnect loops.
+ *
+ * Shared between `SessionStreamManager` and `StandardInputStreamManager`
+ * — both reconnect a long-lived SSE tail when handlers/waiters are still
+ * registered, and both need to back off on persistent backend failures
+ * (auth rejection, 5xx, DNS) instead of reconnecting in a tight loop.
+ *
+ * - Base 1s, doubles per attempt (1s, 2s, 4s, 8s, 16s, 30s, 30s, ...)
+ * - Capped at 30s
+ * - Plus 0–1000ms jitter to avoid thundering herd when many clients
+ *   share the same failure mode
+ * - Negative or non-integer attempts are clamped to 0
+ *
+ * Callers track the per-key attempt count and reset to 0 on every
+ * successful record (any traffic flowing = healthy connection).
+ */
+export function computeReconnectDelayMs(attempt: number): number {
+  const safeAttempt = Math.max(0, Math.floor(attempt));
+  const base = Math.min(1000 * 2 ** safeAttempt, 30_000);
+  return base + Math.random() * 1000;
+}
+
+/** Maximum backoff floor without jitter — exposed for tests / asserts. */
+export const RECONNECT_BACKOFF_MAX_MS = 30_000;
diff --git a/packages/core/src/v3/workers/index.ts b/packages/core/src/v3/workers/index.ts
index e5f8eecff98..14515cd0d25 100644
--- a/packages/core/src/v3/workers/index.ts
+++ b/packages/core/src/v3/workers/index.ts
@@ -10,7 +10,10 @@ export {
   recordSpanException,
   carrierFromContext,
 } from "../otel/index.js";
-export { StandardResourceCatalog } from "../resource-catalog/standardResourceCatalog.js";
+export {
+  StandardResourceCatalog,
+  NO_FILE_CONTEXT,
+} from "../resource-catalog/standardResourceCatalog.js";
 export {
   TaskContextSpanProcessor,
   TaskContextLogProcessor,
@@ -33,3 +36,4 @@ export { StandardTraceContextManager } from "../traceContext/manager.js";
 export { StandardHeartbeatsManager } from "../heartbeats/manager.js";
 export { StandardRealtimeStreamsManager } from "../realtimeStreams/manager.js";
 export { StandardInputStreamManager } from "../inputStreams/manager.js";
+export { StandardSessionStreamManager } from "../sessionStreams/manager.js";
diff --git a/packages/core/src/v3/workers/taskExecutor.ts b/packages/core/src/v3/workers/taskExecutor.ts
index 2b9ffecf151..838ef3c6e77 100644
--- a/packages/core/src/v3/workers/taskExecutor.ts
+++ b/packages/core/src/v3/workers/taskExecutor.ts
@@ -17,6 +17,7 @@ import {
   lifecycleHooks,
   OTEL_SPAN_ATTRIBUTE_COUNT_LIMIT,
   runMetadata,
+  sessionStreams,
   traceContext,
   waitUntil,
 } from "../index.js";
@@ -1048,6 +1049,7 @@ export class TaskExecutor {
   ) {
     await this.#callCleanupFunctions(payload, ctx, initOutput, signal);
     inputStreams.clearHandlers();
+    sessionStreams.clearHandlers();
     await this.#blockForWaitUntil();
   }
 
diff --git a/packages/core/src/v3/zodIpc.ts b/packages/core/src/v3/zodIpc.ts
index 8879c7d0538..f42de5a9ddf 100644
--- a/packages/core/src/v3/zodIpc.ts
+++ b/packages/core/src/v3/zodIpc.ts
@@ -143,6 +143,7 @@ interface ZodIpcConnectionOptions<
   process: {
     send?: (message: any) => any;
     on?: (event: "message", listener: (message: any) => void) => void;
+    connected?: boolean;
   };
   handlers?: ZodIpcMessageHandlers<TListenCatalog, TEmitCatalog>;
 }
@@ -257,7 +258,19 @@ export class ZodIpcConnection<
   }
 
   async #sendPacket(packet: Packet) {
-    await this.opts.process.send?.(packet);
+    // When the IPC channel is closed (e.g. parent process exited), there is no
+    // recipient — drop the packet rather than letting `process.send` throw
+    // ERR_IPC_CHANNEL_CLOSED, which would otherwise propagate as an
+    // uncaughtException and re-enter any handler that itself calls `process.send`.
+    if (this.opts.process.connected === false) {
+      return;
+    }
+
+    try {
+      await this.opts.process.send?.(packet);
+    } catch {
+      // swallow: channel raced from open to closed between the check and the send
+    }
   }
 
   async send<K extends GetSocketMessagesWithoutCallback<TEmitCatalog>>(
diff --git a/packages/core/test/errors.test.ts b/packages/core/test/errors.test.ts
new file mode 100644
index 00000000000..4bcf89d7e9e
--- /dev/null
+++ b/packages/core/test/errors.test.ts
@@ -0,0 +1,280 @@
+import { describe, it, expect } from "vitest";
+import {
+  truncateStack,
+  truncateMessage,
+  parseError,
+  sanitizeError,
+  shouldRetryError,
+  shouldLookupRetrySettings,
+} from "../src/v3/errors.js";
+import type { TaskRunError } from "../src/v3/schemas/common.js";
+
+// Helper: build a fake stack with N frames
+function buildStack(messageLines: string[], frameCount: number): string {
+  const frames = Array.from(
+    { length: frameCount },
+    (_, i) => `    at functionName${i} (/path/to/file${i}.ts:${i + 1}:${i + 10})`
+  );
+  return [...messageLines, ...frames].join("\n");
+}
+
+describe("truncateStack", () => {
+  it("returns empty string for undefined", () => {
+    expect(truncateStack(undefined)).toBe("");
+  });
+
+  it("returns empty string for empty string", () => {
+    expect(truncateStack("")).toBe("");
+  });
+
+  it("preserves a short stack unchanged", () => {
+    const stack = buildStack(["Error: something broke"], 10);
+    expect(truncateStack(stack)).toBe(stack);
+  });
+
+  it("preserves exactly 50 frames", () => {
+    const stack = buildStack(["Error: at the limit"], 50);
+    const result = truncateStack(stack);
+    expect(result).toBe(stack);
+    expect(result.split("\n").filter((l) => l.trimStart().startsWith("at ")).length).toBe(50);
+  });
+
+  it("truncates to 50 frames when exceeding the limit", () => {
+    const stack = buildStack(["Error: too many frames"], 200);
+    const result = truncateStack(stack);
+    const lines = result.split("\n");
+
+    // Message line + 5 top + 1 omitted notice + 45 bottom = 52 lines
+    expect(lines[0]).toBe("Error: too many frames");
+    expect(lines).toContain("    ... 150 frames omitted ...");
+
+    const frameLines = lines.filter((l) => l.trimStart().startsWith("at "));
+    expect(frameLines.length).toBe(50);
+
+    // First kept frame is frame 0 (top of stack)
+    expect(frameLines[0]).toContain("functionName0");
+    // Last kept frame is the last original frame
+    expect(frameLines[frameLines.length - 1]).toContain("functionName199");
+  });
+
+  it("preserves multi-line error messages before frames", () => {
+    const stack = buildStack(["TypeError: cannot read property", "  caused by: something"], 60);
+    const result = truncateStack(stack);
+    const lines = result.split("\n");
+
+    expect(lines[0]).toBe("TypeError: cannot read property");
+    expect(lines[1]).toBe("  caused by: something");
+    expect(lines).toContain("    ... 10 frames omitted ...");
+  });
+
+  it("truncates individual lines longer than 1024 chars", () => {
+    const longFrame = `    at someFn (${"x".repeat(2000)}:1:1)`;
+    const stack = ["Error: long line", longFrame].join("\n");
+    const result = truncateStack(stack);
+    const frameLine = result.split("\n")[1]!;
+
+    expect(frameLine.length).toBeLessThan(1100);
+    expect(frameLine).toContain("...[truncated]");
+  });
+});
+
+describe("truncateMessage", () => {
+  it("returns empty string for undefined", () => {
+    expect(truncateMessage(undefined)).toBe("");
+  });
+
+  it("returns empty string for empty string", () => {
+    expect(truncateMessage("")).toBe("");
+  });
+
+  it("preserves a short message", () => {
+    expect(truncateMessage("hello")).toBe("hello");
+  });
+
+  it("truncates messages over 1000 chars", () => {
+    const long = "x".repeat(5000);
+    const result = truncateMessage(long);
+    expect(result.length).toBeLessThan(1100);
+    expect(result).toContain("...[truncated]");
+  });
+
+  it("preserves a message at exactly 1000 chars", () => {
+    const exact = "x".repeat(1000);
+    expect(truncateMessage(exact)).toBe(exact);
+  });
+});
+
+describe("parseError truncation", () => {
+  it("truncates large stack traces in Error objects", () => {
+    const error = new Error("boom");
+    error.stack = buildStack(["Error: boom"], 200);
+    const parsed = parseError(error);
+
+    expect(parsed.type).toBe("BUILT_IN_ERROR");
+    if (parsed.type === "BUILT_IN_ERROR") {
+      const frameLines = parsed.stackTrace.split("\n").filter((l) => l.trimStart().startsWith("at "));
+      expect(frameLines.length).toBe(50);
+      expect(parsed.stackTrace).toContain("frames omitted");
+    }
+  });
+
+  it("truncates large error messages", () => {
+    const error = new Error("x".repeat(5000));
+    const parsed = parseError(error);
+
+    if (parsed.type === "BUILT_IN_ERROR") {
+      expect(parsed.message.length).toBeLessThan(1100);
+      expect(parsed.message).toContain("...[truncated]");
+    }
+  });
+});
+
+describe("sanitizeError truncation", () => {
+  it("truncates stack traces during sanitization", () => {
+    const result = sanitizeError({
+      type: "BUILT_IN_ERROR",
+      name: "Error",
+      message: "boom",
+      stackTrace: buildStack(["Error: boom"], 200),
+    });
+
+    if (result.type === "BUILT_IN_ERROR") {
+      const frameLines = result.stackTrace.split("\n").filter((l) => l.trimStart().startsWith("at "));
+      expect(frameLines.length).toBe(50);
+    }
+  });
+
+  it("strips null bytes and truncates", () => {
+    const result = sanitizeError({
+      type: "BUILT_IN_ERROR",
+      name: "Error\0",
+      message: "hello\0world",
+      stackTrace: "Error: hello\0world\n    at fn (/path.ts:1:1)",
+    });
+
+    if (result.type === "BUILT_IN_ERROR") {
+      expect(result.name).toBe("Error");
+      expect(result.message).toBe("helloworld");
+      expect(result.stackTrace).not.toContain("\0");
+    }
+  });
+
+  it("truncates STRING_ERROR raw field", () => {
+    const result = sanitizeError({
+      type: "STRING_ERROR",
+      raw: "x".repeat(5000),
+    });
+
+    if (result.type === "STRING_ERROR") {
+      expect(result.raw.length).toBeLessThan(1100);
+      expect(result.raw).toContain("...[truncated]");
+    }
+  });
+
+  it("preserves small CUSTOM_ERROR raw as valid JSON", () => {
+    const originalJson = JSON.stringify({ foo: "bar", nested: { baz: 1 } });
+    const result = sanitizeError({
+      type: "CUSTOM_ERROR",
+      raw: originalJson,
+    });
+
+    if (result.type === "CUSTOM_ERROR") {
+      // Small JSON should pass through unchanged and remain parseable
+      expect(result.raw).toBe(originalJson);
+      expect(() => JSON.parse(result.raw)).not.toThrow();
+    }
+  });
+
+  it("wraps oversized CUSTOM_ERROR raw in a valid JSON envelope", () => {
+    const hugeJson = JSON.stringify({ data: "x".repeat(5000) });
+    const result = sanitizeError({
+      type: "CUSTOM_ERROR",
+      raw: hugeJson,
+    });
+
+    if (result.type === "CUSTOM_ERROR") {
+      // Must remain valid JSON (critical: createErrorTaskError calls JSON.parse on this)
+      expect(() => JSON.parse(result.raw)).not.toThrow();
+      const parsed = JSON.parse(result.raw);
+      expect(parsed.truncated).toBe(true);
+      expect(typeof parsed.preview).toBe("string");
+      expect(parsed.preview.length).toBeLessThanOrEqual(1000);
+    }
+  });
+});
+
+describe("sanitizeError INTERNAL_ERROR optional fields", () => {
+  it("preserves undefined message (does not convert to empty string)", () => {
+    const result = sanitizeError({
+      type: "INTERNAL_ERROR",
+      code: "SOME_INTERNAL_CODE" as any,
+      // message and stackTrace intentionally undefined
+    });
+
+    if (result.type === "INTERNAL_ERROR") {
+      // Must stay undefined so `error.message ?? fallback` works downstream
+      expect(result.message).toBeUndefined();
+      expect(result.stackTrace).toBeUndefined();
+    }
+  });
+
+  it("truncates INTERNAL_ERROR message when present", () => {
+    const result = sanitizeError({
+      type: "INTERNAL_ERROR",
+      code: "SOME_INTERNAL_CODE" as any,
+      message: "x".repeat(5000),
+    });
+
+    if (result.type === "INTERNAL_ERROR") {
+      expect(result.message).toBeDefined();
+      expect(result.message!.length).toBeLessThan(1100);
+      expect(result.message).toContain("...[truncated]");
+    }
+  });
+});
+
+describe("truncateStack message line bounding", () => {
+  it("truncates huge error messages embedded in the stack", () => {
+    // V8 format: "Error: <message>\n    at ..."
+    // A huge message on the first line must still be bounded.
+    const hugeMessage = "x".repeat(100_000);
+    const stack = `Error: ${hugeMessage}\n    at fn (/path.ts:1:1)`;
+    const result = truncateStack(stack);
+
+    // Total output should be bounded (not 100KB+)
+    expect(result.length).toBeLessThan(5_000);
+    expect(result).toContain("...[truncated]");
+  });
+});
+
+describe("shouldRetryError + shouldLookupRetrySettings", () => {
+  const internal = (code: string): TaskRunError =>
+    ({ type: "INTERNAL_ERROR", code } as TaskRunError);
+
+  it("retries SIGSEGV (changed from non-retriable) and looks up retry settings", () => {
+    const err = internal("TASK_PROCESS_SIGSEGV");
+    expect(shouldRetryError(err)).toBe(true);
+    expect(shouldLookupRetrySettings(err)).toBe(true);
+  });
+
+  it("retries SIGTERM via the same path", () => {
+    const err = internal("TASK_PROCESS_SIGTERM");
+    expect(shouldRetryError(err)).toBe(true);
+    expect(shouldLookupRetrySettings(err)).toBe(true);
+  });
+
+  it("retries TASK_MIDDLEWARE_ERROR using the task's retry settings", () => {
+    const err = internal("TASK_MIDDLEWARE_ERROR");
+    expect(shouldRetryError(err)).toBe(true);
+    expect(shouldLookupRetrySettings(err)).toBe(true);
+  });
+
+  it("still does not retry SIGKILL timeout", () => {
+    expect(shouldRetryError(internal("TASK_PROCESS_SIGKILL_TIMEOUT"))).toBe(false);
+  });
+
+  it("still does not retry OOM kills (handled by the separate machine-bump path)", () => {
+    expect(shouldRetryError(internal("TASK_PROCESS_OOM_KILLED"))).toBe(false);
+    expect(shouldRetryError(internal("TASK_PROCESS_MAYBE_OOM_KILLED"))).toBe(false);
+  });
+});
diff --git a/packages/core/test/externalSpanExporterWrapper.test.ts b/packages/core/test/externalSpanExporterWrapper.test.ts
new file mode 100644
index 00000000000..4cff69e3aea
--- /dev/null
+++ b/packages/core/test/externalSpanExporterWrapper.test.ts
@@ -0,0 +1,83 @@
+import { SpanKind, SpanStatusCode, TraceFlags } from "@opentelemetry/api";
+import type { ReadableSpan, SpanExporter } from "@opentelemetry/sdk-trace-node";
+import { beforeEach, describe, expect, it } from "vitest";
+import { ExternalSpanExporterWrapper } from "../src/v3/otel/tracingSDK.js";
+import { SemanticInternalAttributes } from "../src/v3/semanticInternalAttributes.js";
+import { traceContext } from "../src/v3/trace-context-api.js";
+import { StandardTraceContextManager } from "../src/v3/traceContext/manager.js";
+
+const TRACEPARENT_RUN_A = "00-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-1111111111111111-01";
+const TRACEPARENT_RUN_B = "00-bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-2222222222222222-01";
+
+function createAttemptSpan(): ReadableSpan {
+  const spanCtx = {
+    traceId: "cccccccccccccccccccccccccccccccc",
+    spanId: "3333333333333333",
+    traceFlags: TraceFlags.SAMPLED,
+  };
+  return {
+    name: "Attempt 1",
+    kind: SpanKind.CONSUMER,
+    spanContext: () => spanCtx,
+    parentSpanContext: undefined,
+    startTime: [0, 0],
+    endTime: [0, 0],
+    status: { code: SpanStatusCode.UNSET },
+    attributes: { [SemanticInternalAttributes.SPAN_ATTEMPT]: true },
+    links: [],
+    events: [],
+    duration: [0, 0],
+    ended: true,
+    resource: {} as any,
+    instrumentationLibrary: { name: "test" } as any,
+    droppedAttributesCount: 0,
+    droppedEventsCount: 0,
+    droppedLinksCount: 0,
+  } as unknown as ReadableSpan;
+}
+
+function makeCapturingExporter(): { exporter: SpanExporter; captured: ReadableSpan[][] } {
+  const captured: ReadableSpan[][] = [];
+  const exporter: SpanExporter = {
+    export: (spans, cb) => {
+      captured.push(spans);
+      cb({ code: 0 } as any);
+    },
+    shutdown: () => Promise.resolve(),
+    forceFlush: () => Promise.resolve(),
+  };
+  return { exporter, captured };
+}
+
+describe("ExternalSpanExporterWrapper warm-start regression", () => {
+  let manager: StandardTraceContextManager;
+
+  beforeEach(() => {
+    manager = new StandardTraceContextManager();
+    traceContext.setGlobalManager(manager);
+  });
+
+  it("rewrites attempt spans using the manager's current external context, not the value captured at construction", () => {
+    const { exporter, captured } = makeCapturingExporter();
+
+    manager.traceContext = { external: { traceparent: TRACEPARENT_RUN_A } };
+
+    const wrapper = new ExternalSpanExporterWrapper(
+      exporter,
+      "ffffffffffffffffffffffffffffffff"
+    );
+
+    manager.traceContext = { external: { traceparent: TRACEPARENT_RUN_B } };
+
+    wrapper.export([createAttemptSpan()], () => {});
+
+    expect(captured).toHaveLength(1);
+    expect(captured[0]).toHaveLength(1);
+
+    const span = captured[0]![0]!;
+    expect(span.parentSpanContext?.spanId).toBe("2222222222222222");
+    expect(span.parentSpanContext?.spanId).not.toBe("1111111111111111");
+    expect(span.parentSpanContext?.traceId).toBe("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb");
+    expect(span.spanContext().traceId).toBe("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb");
+  });
+});
diff --git a/packages/core/test/fixtures/dynamic-task-module.mjs b/packages/core/test/fixtures/dynamic-task-module.mjs
new file mode 100644
index 00000000000..5d2f6719593
--- /dev/null
+++ b/packages/core/test/fixtures/dynamic-task-module.mjs
@@ -0,0 +1,19 @@
+// Fixture mimicking a task entrypoint file: top-level code calls into the
+// catalog (the same way `task()` / `schemaTask()` does via
+// `registerTaskMetadata`).
+//
+// Loaded via `await import()` from inside a test that simulates the worker
+// running a task. The point is to exercise top-level evaluation through Node's
+// ESM module loader so the module-cache semantics are real.
+
+const register = globalThis.__catalogRegisterTaskMetadata;
+if (typeof register === "function") {
+  register({
+    id: "lazy-task",
+    fns: {
+      run: async () => "ok",
+    },
+  });
+}
+
+export const lazyTask = { id: "lazy-task" };
diff --git a/packages/core/test/flattenAttributes.test.ts b/packages/core/test/flattenAttributes.test.ts
index 28f137deaf9..3fd11fa5d04 100644
--- a/packages/core/test/flattenAttributes.test.ts
+++ b/packages/core/test/flattenAttributes.test.ts
@@ -667,4 +667,54 @@ describe("unflattenAttributes", () => {
     }
     expect(current).toBeUndefined();
   });
+
+  // Defends against external OTLP producers that emit both a leaf value and a
+  // nested path through the same prefix in one attribute map (e.g. AI SDK
+  // telemetry on certain models). The flattener can't produce these, but the
+  // unflattener used to crash with TypeError when it tried to descend into a
+  // primitive sibling.
+  it("does not throw when a scalar precedes a deeper path at the same prefix", () => {
+    expect(() =>
+      unflattenAttributes({ "a.b": "scalar", "a.b.c": "value" })
+    ).not.toThrow();
+    expect(unflattenAttributes({ "a.b": "scalar", "a.b.c": "value" })).toEqual({
+      a: { b: { c: "value" } },
+    });
+  });
+
+  it("does not throw when a deeper path precedes a scalar at the same prefix", () => {
+    expect(() =>
+      unflattenAttributes({ "a.b.c": "value", "a.b": "scalar" })
+    ).not.toThrow();
+    expect(unflattenAttributes({ "a.b.c": "value", "a.b": "scalar" })).toEqual({
+      a: { b: "scalar" },
+    });
+  });
+
+  it("treats an intermediate null sentinel as overwritable when a deeper path follows", () => {
+    expect(() =>
+      unflattenAttributes({ "a.b": "$@null((", "a.b.c": "value" })
+    ).not.toThrow();
+    expect(unflattenAttributes({ "a.b": "$@null((", "a.b.c": "value" })).toEqual({
+      a: { b: { c: "value" } },
+    });
+  });
+
+  it("does not throw when a scalar prefix conflicts with a numeric-index path", () => {
+    expect(() =>
+      unflattenAttributes({ "a.b": "scalar", "a.b.[0]": "indexed" })
+    ).not.toThrow();
+    expect(unflattenAttributes({ "a.b": "scalar", "a.b.[0]": "indexed" })).toEqual({
+      a: { b: ["indexed"] },
+    });
+  });
+
+  it("converts an existing object slot to an array when a numeric-index path follows", () => {
+    expect(() =>
+      unflattenAttributes({ "a.b.c": "value", "a.b.[0]": "indexed" })
+    ).not.toThrow();
+    expect(unflattenAttributes({ "a.b.c": "value", "a.b.[0]": "indexed" })).toEqual({
+      a: { b: ["indexed"] },
+    });
+  });
 });
diff --git a/packages/core/test/ioSerialization.test.ts b/packages/core/test/ioSerialization.test.ts
index d7bd90add83..9a2d7accfe1 100644
--- a/packages/core/test/ioSerialization.test.ts
+++ b/packages/core/test/ioSerialization.test.ts
@@ -1,4 +1,12 @@
-import { replaceSuperJsonPayload, prettyPrintPacket } from "../src/v3/utils/ioSerialization.js";
+import { createTestHttpServer } from "@epic-web/test-server/http";
+import {
+  replaceSuperJsonPayload,
+  prettyPrintPacket,
+  conditionallyExportPacket,
+  type IOPacket,
+} from "../src/v3/utils/ioSerialization.js";
+import { ApiClient } from "../src/v3/apiClient/index.js";
+import { apiClientManager } from "../src/v3/apiClientManager-api.js";
 
 describe("ioSerialization", () => {
   describe("replaceSuperJsonPayload", () => {
@@ -344,4 +352,142 @@ describe("ioSerialization", () => {
       expect(result).toBe(JSON.stringify(data, null, 2));
     });
   });
+
+  describe("conditionallyExportPacket", () => {
+    // A payload large enough to exceed OFFLOAD_IO_PACKET_LENGTH_LIMIT (128KB) so it offloads.
+    const largePayload = "x".repeat(200_000);
+    const largePacket: IOPacket = { data: largePayload, dataType: "text/plain" };
+
+    afterEach(() => {
+      // Clear any global client config set during a test.
+      apiClientManager.disable();
+    });
+
+    it("uses the provided client for the upload presign instead of the global client", async () => {
+      const globalPresignRequests: string[] = [];
+      const passedPresignRequests: string[] = [];
+      let uploadedBytes = 0;
+
+      // The global client points here — it must NOT be hit when a client is passed.
+      const globalServer = await createTestHttpServer({
+        defineRoutes(router) {
+          router.put("/api/v2/packets/:filename", async ({ req }) => {
+            globalPresignRequests.push(req.url);
+            return Response.json({ presignedUrl: "http://unused.local/upload" });
+          });
+        },
+      });
+
+      // The explicitly passed client points here — it MUST receive the presign + upload.
+      const passedServer = await createTestHttpServer({
+        defineRoutes(router) {
+          router.put("/api/v2/packets/:filename", async ({ req }) => {
+            passedPresignRequests.push(req.url);
+            return Response.json({
+              presignedUrl: `${passedServer.http.url().origin}/upload/payload`,
+              storagePath: "trigger/task/payload.txt",
+            });
+          });
+          router.put("/upload/payload", async ({ req }) => {
+            uploadedBytes = (await req.text()).length;
+            return new Response(null, { status: 200 });
+          });
+        },
+      });
+
+      try {
+        // Configure the global client to point at the global server.
+        apiClientManager.setGlobalAPIClientConfiguration({
+          baseURL: globalServer.http.url().origin,
+          accessToken: "tr-global",
+        });
+
+        const passedClient = new ApiClient(passedServer.http.url().origin, "tr-passed");
+
+        const result = await conditionallyExportPacket(
+          largePacket,
+          "trigger/task/payload",
+          undefined,
+          passedClient
+        );
+
+        expect(result.dataType).toBe("application/store");
+        expect(result.data).toBe("trigger/task/payload.txt");
+
+        // Upload went through the passed client only.
+        expect(passedPresignRequests).toHaveLength(1);
+        expect(globalPresignRequests).toHaveLength(0);
+        expect(uploadedBytes).toBe(largePayload.length);
+      } finally {
+        await globalServer.close();
+        await passedServer.close();
+      }
+    });
+
+    it("falls back to the global client when no client is provided", async () => {
+      const presignRequests: string[] = [];
+
+      const globalServer = await createTestHttpServer({
+        defineRoutes(router) {
+          router.put("/api/v2/packets/:filename", async ({ req }) => {
+            presignRequests.push(req.url);
+            return Response.json({
+              presignedUrl: `${globalServer.http.url().origin}/upload/payload`,
+              storagePath: "trigger/task/payload.txt",
+            });
+          });
+          router.put("/upload/payload", async () => new Response(null, { status: 200 }));
+        },
+      });
+
+      try {
+        apiClientManager.setGlobalAPIClientConfiguration({
+          baseURL: globalServer.http.url().origin,
+          accessToken: "tr-global",
+        });
+
+        const result = await conditionallyExportPacket(largePacket, "trigger/task/payload");
+
+        expect(result.dataType).toBe("application/store");
+        expect(result.data).toBe("trigger/task/payload.txt");
+        expect(presignRequests).toHaveLength(1);
+      } finally {
+        await globalServer.close();
+      }
+    });
+
+    it("returns the packet unchanged when no client is available", async () => {
+      apiClientManager.disable();
+
+      const result = await conditionallyExportPacket(largePacket, "trigger/task/payload");
+
+      expect(result).toEqual(largePacket);
+    });
+
+    it("does not offload small payloads even with a client", async () => {
+      const passedServer = await createTestHttpServer({
+        defineRoutes(router) {
+          router.put("/api/v2/packets/:filename", async () => {
+            throw new Error("presign should not be called for small payloads");
+          });
+        },
+      });
+
+      try {
+        const smallPacket: IOPacket = { data: "hello", dataType: "text/plain" };
+        const passedClient = new ApiClient(passedServer.http.url().origin, "tr-passed");
+
+        const result = await conditionallyExportPacket(
+          smallPacket,
+          "trigger/task/payload",
+          undefined,
+          passedClient
+        );
+
+        expect(result).toEqual(smallPacket);
+      } finally {
+        await passedServer.close();
+      }
+    });
+  });
 });
diff --git a/packages/core/test/mockTaskContext.test.ts b/packages/core/test/mockTaskContext.test.ts
new file mode 100644
index 00000000000..5ea3685e466
--- /dev/null
+++ b/packages/core/test/mockTaskContext.test.ts
@@ -0,0 +1,226 @@
+import { describe, expect, it } from "vitest";
+import { runInMockTaskContext } from "../src/v3/test/index.js";
+import { inputStreams } from "../src/v3/input-streams-api.js";
+import { realtimeStreams } from "../src/v3/realtime-streams-api.js";
+import { locals } from "../src/v3/locals-api.js";
+import { taskContext } from "../src/v3/task-context-api.js";
+
+describe("runInMockTaskContext", () => {
+  it("installs a mock TaskRunContext with sensible defaults", async () => {
+    await runInMockTaskContext(async ({ ctx }) => {
+      expect(taskContext.ctx).toBeDefined();
+      expect(taskContext.ctx?.run.id).toBe("run_test");
+      expect(taskContext.ctx?.task.id).toBe("test-task");
+      expect(ctx.run.id).toBe("run_test");
+    });
+  });
+
+  it("applies ctx overrides on top of defaults", async () => {
+    await runInMockTaskContext(
+      async ({ ctx }) => {
+        expect(ctx.run.id).toBe("run_abc");
+        expect(ctx.task.id).toBe("my-chat-agent");
+        // Unspecified fields still use defaults
+        expect(ctx.queue.id).toBe("test-queue-id");
+      },
+      {
+        ctx: {
+          run: { id: "run_abc" },
+          task: { id: "my-chat-agent", filePath: "chat.ts" },
+        },
+      }
+    );
+  });
+
+  it("isolates locals from the surrounding context", async () => {
+    const key = locals.create<{ count: number }>("test.counter");
+
+    await runInMockTaskContext(async ({ locals: inspect }) => {
+      expect(inspect.get(key)).toBeUndefined();
+      locals.set(key, { count: 1 });
+      expect(inspect.get(key)).toEqual({ count: 1 });
+    });
+
+    // After the harness exits, the locals should be gone
+    expect(locals.get(key)).toBeUndefined();
+  });
+
+  it("tears down the task context after fn returns", async () => {
+    await runInMockTaskContext(async () => {
+      expect(taskContext.ctx).toBeDefined();
+    });
+
+    expect(taskContext.ctx).toBeUndefined();
+  });
+
+  it("tears down even when fn throws", async () => {
+    await expect(
+      runInMockTaskContext(async () => {
+        throw new Error("boom");
+      })
+    ).rejects.toThrow("boom");
+
+    expect(taskContext.ctx).toBeUndefined();
+  });
+
+  it("returns the value returned by fn", async () => {
+    const result = await runInMockTaskContext(async () => "hello");
+    expect(result).toBe("hello");
+  });
+
+  describe("input streams driver", () => {
+    it("resolves inputStreams.once() when test sends data", async () => {
+      await runInMockTaskContext(async ({ inputs }) => {
+        const pending = inputStreams.once("chat-messages");
+        setTimeout(() => inputs.send("chat-messages", { hello: "world" }), 0);
+        const result = await pending;
+        expect(result.ok).toBe(true);
+        if (result.ok) {
+          expect(result.output).toEqual({ hello: "world" });
+        }
+      });
+    });
+
+    it("fires inputStreams.on() handlers when test sends data", async () => {
+      await runInMockTaskContext(async ({ inputs }) => {
+        const received: unknown[] = [];
+        inputStreams.on("chat-messages", (data) => {
+          received.push(data);
+        });
+
+        await inputs.send("chat-messages", { n: 1 });
+        await inputs.send("chat-messages", { n: 2 });
+
+        expect(received).toEqual([{ n: 1 }, { n: 2 }]);
+      });
+    });
+
+    it("fires multiple on() handlers on the same stream", async () => {
+      await runInMockTaskContext(async ({ inputs }) => {
+        const a: unknown[] = [];
+        const b: unknown[] = [];
+        inputStreams.on("chat-messages", (data) => a.push(data));
+        inputStreams.on("chat-messages", (data) => b.push(data));
+
+        await inputs.send("chat-messages", "hi");
+        expect(a).toEqual(["hi"]);
+        expect(b).toEqual(["hi"]);
+      });
+    });
+
+    it("off() unsubscribes a handler", async () => {
+      await runInMockTaskContext(async ({ inputs }) => {
+        const received: unknown[] = [];
+        const sub = inputStreams.on("chat-messages", (data) => received.push(data));
+
+        await inputs.send("chat-messages", 1);
+        sub.off();
+        await inputs.send("chat-messages", 2);
+
+        expect(received).toEqual([1]);
+      });
+    });
+
+    it("times out once() after timeoutMs", async () => {
+      await runInMockTaskContext(async () => {
+        const result = await inputStreams.once("chat-messages", { timeoutMs: 10 });
+        expect(result.ok).toBe(false);
+      });
+    });
+
+    it("peek() returns the latest sent value", async () => {
+      await runInMockTaskContext(async ({ inputs }) => {
+        expect(inputStreams.peek("chat-messages")).toBeUndefined();
+        await inputs.send("chat-messages", { latest: true });
+        expect(inputStreams.peek("chat-messages")).toEqual({ latest: true });
+      });
+    });
+
+    it("close() rejects pending once() waiters with a timeout error", async () => {
+      await runInMockTaskContext(async ({ inputs }) => {
+        const pending = inputStreams.once("chat-messages");
+        inputs.close("chat-messages");
+        const result = await pending;
+        expect(result.ok).toBe(false);
+      });
+    });
+
+    it("resolves multiple concurrent once() waiters from a single send", async () => {
+      await runInMockTaskContext(async ({ inputs }) => {
+        const a = inputStreams.once("chat-messages");
+        const b = inputStreams.once("chat-messages");
+        await inputs.send("chat-messages", "shared");
+        const [ra, rb] = await Promise.all([a, b]);
+        expect(ra.ok && ra.output).toBe("shared");
+        expect(rb.ok && rb.output).toBe("shared");
+      });
+    });
+  });
+
+  describe("realtime streams driver", () => {
+    it("collects chunks from realtimeStreams.append()", async () => {
+      await runInMockTaskContext(async ({ outputs }) => {
+        await realtimeStreams.append("chat", "chunk-1" as unknown as BodyInit);
+        await realtimeStreams.append("chat", "chunk-2" as unknown as BodyInit);
+
+        expect(outputs.chunks("chat")).toEqual(["chunk-1", "chunk-2"]);
+      });
+    });
+
+    it("collects chunks from realtimeStreams.pipe()", async () => {
+      await runInMockTaskContext(async ({ outputs }) => {
+        const source = (async function* () {
+          yield "a";
+          yield "b";
+          yield "c";
+        })();
+
+        const instance = realtimeStreams.pipe("chat", source);
+
+        // Drain the returned stream — that's what feeds the buffer
+        for await (const _ of instance.stream) {
+          // no-op
+        }
+
+        expect(outputs.chunks("chat")).toEqual(["a", "b", "c"]);
+      });
+    });
+
+    it("separates chunks by stream id", async () => {
+      await runInMockTaskContext(async ({ outputs }) => {
+        await realtimeStreams.append("chat", "a" as unknown as BodyInit);
+        await realtimeStreams.append("stop", "halt" as unknown as BodyInit);
+
+        expect(outputs.chunks("chat")).toEqual(["a"]);
+        expect(outputs.chunks("stop")).toEqual(["halt"]);
+        expect(outputs.all()).toEqual({ chat: ["a"], stop: ["halt"] });
+      });
+    });
+
+    it("clear() empties one stream or all streams", async () => {
+      await runInMockTaskContext(async ({ outputs }) => {
+        await realtimeStreams.append("chat", "a" as unknown as BodyInit);
+        await realtimeStreams.append("stop", "halt" as unknown as BodyInit);
+
+        outputs.clear("chat");
+        expect(outputs.chunks("chat")).toEqual([]);
+        expect(outputs.chunks("stop")).toEqual(["halt"]);
+
+        outputs.clear();
+        expect(outputs.chunks("stop")).toEqual([]);
+      });
+    });
+  });
+
+  it("tears down input/output managers so consecutive calls are isolated", async () => {
+    await runInMockTaskContext(async ({ inputs }) => {
+      await inputs.send("chat-messages", "first-run");
+    });
+
+    await runInMockTaskContext(async ({ outputs }) => {
+      expect(outputs.chunks("chat-messages")).toEqual([]);
+      // inputs.peek should NOT see "first-run" from the prior harness
+      expect(inputStreams.peek("chat-messages")).toBeUndefined();
+    });
+  });
+});
diff --git a/packages/core/test/recordSpanException.test.ts b/packages/core/test/recordSpanException.test.ts
new file mode 100644
index 00000000000..6b2d194ce25
--- /dev/null
+++ b/packages/core/test/recordSpanException.test.ts
@@ -0,0 +1,88 @@
+import { describe, it, expect, vi } from "vitest";
+import { recordSpanException } from "../src/v3/otel/utils.js";
+import type { Span } from "@opentelemetry/api";
+
+function createMockSpan() {
+  return {
+    recordException: vi.fn(),
+    setStatus: vi.fn(),
+  } as unknown as Span & { recordException: ReturnType<typeof vi.fn>; setStatus: ReturnType<typeof vi.fn> };
+}
+
+describe("recordSpanException", () => {
+  it("records Error instances with truncated message and stack", () => {
+    const span = createMockSpan();
+    const error = new Error("x".repeat(5_000));
+    recordSpanException(span, error);
+
+    expect(span.recordException).toHaveBeenCalledTimes(1);
+    const recorded = (span.recordException as any).mock.calls[0][0] as Error;
+    expect(recorded).toBeInstanceOf(Error);
+    expect(recorded.message.length).toBeLessThan(1100);
+  });
+
+  it("records string errors with truncation", () => {
+    const span = createMockSpan();
+    recordSpanException(span, "x".repeat(10_000));
+
+    const recorded = (span.recordException as any).mock.calls[0][0] as string;
+    expect(typeof recorded).toBe("string");
+    expect(recorded.length).toBeLessThan(5_100);
+    expect(recorded).toContain("...[truncated]");
+  });
+
+  it("does not throw on circular references", () => {
+    const span = createMockSpan();
+    const circular: any = { foo: "bar" };
+    circular.self = circular;
+
+    expect(() => recordSpanException(span, circular)).not.toThrow();
+    expect(span.recordException).toHaveBeenCalledTimes(1);
+    expect(span.setStatus).toHaveBeenCalledTimes(1);
+  });
+
+  it("does not throw on BigInt values", () => {
+    const span = createMockSpan();
+    const error = { count: BigInt(123) };
+
+    expect(() => recordSpanException(span, error)).not.toThrow();
+    expect(span.recordException).toHaveBeenCalledTimes(1);
+  });
+
+  it("handles symbol values (JSON.stringify returns undefined)", () => {
+    const span = createMockSpan();
+    const sym = Symbol("test");
+
+    expect(() => recordSpanException(span, sym)).not.toThrow();
+    expect(span.recordException).toHaveBeenCalledTimes(1);
+    const recorded = (span.recordException as any).mock.calls[0][0] as string;
+    expect(typeof recorded).toBe("string");
+    expect(recorded).toContain("Symbol");
+  });
+
+  it("handles function values (JSON.stringify returns undefined)", () => {
+    const span = createMockSpan();
+    const fn = () => "test";
+
+    expect(() => recordSpanException(span, fn)).not.toThrow();
+    expect(span.recordException).toHaveBeenCalledTimes(1);
+  });
+
+  it("handles undefined (JSON.stringify returns undefined)", () => {
+    const span = createMockSpan();
+
+    expect(() => recordSpanException(span, undefined)).not.toThrow();
+    expect(span.recordException).toHaveBeenCalledTimes(1);
+    const recorded = (span.recordException as any).mock.calls[0][0] as string;
+    expect(typeof recorded).toBe("string");
+  });
+
+  it("always calls setStatus ERROR", () => {
+    const span = createMockSpan();
+    recordSpanException(span, new Error("test"));
+    recordSpanException(span, "string");
+    recordSpanException(span, { obj: true });
+
+    expect(span.setStatus).toHaveBeenCalledTimes(3);
+  });
+});
diff --git a/packages/core/test/resourceCatalog.test.ts b/packages/core/test/resourceCatalog.test.ts
new file mode 100644
index 00000000000..a34e9373f0a
--- /dev/null
+++ b/packages/core/test/resourceCatalog.test.ts
@@ -0,0 +1,205 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import {
+  NO_FILE_CONTEXT,
+  StandardResourceCatalog,
+} from "../src/v3/resource-catalog/standardResourceCatalog.js";
+
+// Regression tests for COULD_NOT_FIND_EXECUTOR on warm worker processes when
+// a task's `task()` / `schemaTask()` call is evaluated during another task's
+// execution (e.g. as a side effect of `await import(...)` of a module that
+// contains a task definition).
+//
+// Production throw site:
+//   - managed-run-worker.ts:566 (post-wrap)
+//   - dev-run-worker.ts:578 (post-wrap)
+// Pre-fix symptom: `resourceCatalog.getTask(execution.task.id)` returned
+// undefined even after the worker re-imported the task entrypoint.
+//
+// Pre-fix mechanism: `registerTaskMetadata` silently returned when
+// `_currentFileContext` was unset. Any `task()` call firing during a
+// running task's run() / lifecycle hooks (directly, or transitively via a
+// dynamic import) hit the silent guard. Node's ESM module cache then
+// prevented recovery — the worker's setContext + re-import fallback didn't
+// re-evaluate the module body, so the `task()` call never fired again.
+//
+// Post-fix: the runtime workers wrap their `executor.execute(...)` call with
+// `setCurrentFileContext(NO_FILE_CONTEXT, NO_FILE_CONTEXT)` so any `task()`
+// call firing during execution registers normally with sentinel file
+// metadata. The catalog detects the sentinel and emits a one-time warning
+// per task id to keep the bundle-shape pattern visible. The indexer never
+// sets this sentinel context — its behavior is unchanged.
+
+describe("StandardResourceCatalog — runtime registration via sentinel context", () => {
+  afterEach(() => {
+    delete (globalThis as { __catalogRegisterTaskMetadata?: unknown })
+      .__catalogRegisterTaskMetadata;
+    vi.restoreAllMocks();
+  });
+
+  it("silently drops registration when no context is set (indexer's invariant)", () => {
+    const warn = vi.spyOn(console, "warn").mockImplementation(() => {});
+    const catalog = new StandardResourceCatalog();
+
+    catalog.registerTaskMetadata({
+      id: "no-context-task",
+      fns: { run: async () => "ok" },
+    });
+
+    expect(catalog.getTask("no-context-task")).toBeUndefined();
+    expect(warn).not.toHaveBeenCalled();
+  });
+
+  it(
+    "registers normally and warns once when the sentinel context is set " +
+      "(simulates the worker's executor wrap)",
+    () => {
+      const warn = vi.spyOn(console, "warn").mockImplementation(() => {});
+      const catalog = new StandardResourceCatalog();
+
+      catalog.setCurrentFileContext(NO_FILE_CONTEXT, NO_FILE_CONTEXT);
+      catalog.registerTaskMetadata({
+        id: "lazy-task",
+        fns: { run: async () => "ok" },
+      });
+      catalog.clearCurrentFileContext();
+
+      const registered = catalog.getTask("lazy-task");
+      expect(registered).toBeDefined();
+      expect(registered?.id).toBe("lazy-task");
+      expect(registered?.filePath).toBe(NO_FILE_CONTEXT);
+      expect(registered?.entryPoint).toBe(NO_FILE_CONTEXT);
+      expect(warn).toHaveBeenCalledTimes(1);
+      expect(warn.mock.calls[0]?.[0]).toContain("lazy-task");
+    }
+  );
+
+  it(
+    "warm-start path: a task whose top-level definition fires during a " +
+      "dynamic import inside the sentinel wrap remains findable; the " +
+      "worker's setContext + re-import fallback (managed-run-worker.ts:482) " +
+      "is not needed",
+    async () => {
+      vi.spyOn(console, "warn").mockImplementation(() => {});
+      const catalog = new StandardResourceCatalog();
+
+      (globalThis as { __catalogRegisterTaskMetadata?: unknown })
+        .__catalogRegisterTaskMetadata = (
+        task: Parameters<StandardResourceCatalog["registerTaskMetadata"]>[0]
+      ) => {
+        catalog.registerTaskMetadata(task);
+      };
+
+      // Simulate the worker wrap: setContext(NO_FILE_CONTEXT) → run user code
+      // (which does a dynamic import) → clearContext.
+      catalog.setCurrentFileContext(NO_FILE_CONTEXT, NO_FILE_CONTEXT);
+      await import("./fixtures/dynamic-task-module.mjs");
+      catalog.clearCurrentFileContext();
+
+      const registered = catalog.getTask("lazy-task");
+      expect(registered).toBeDefined();
+      expect(registered?.filePath).toBe(NO_FILE_CONTEXT);
+    }
+  );
+
+  it("warns at most once per task id under the sentinel context", () => {
+    const warn = vi.spyOn(console, "warn").mockImplementation(() => {});
+    const catalog = new StandardResourceCatalog();
+
+    catalog.setCurrentFileContext(NO_FILE_CONTEXT, NO_FILE_CONTEXT);
+
+    const register = (id: string) =>
+      catalog.registerTaskMetadata({
+        id,
+        fns: { run: async () => "ok" },
+      });
+
+    register("task-a");
+    register("task-a");
+    register("task-a");
+    expect(warn).toHaveBeenCalledTimes(1);
+
+    register("task-b");
+    expect(warn).toHaveBeenCalledTimes(2);
+
+    catalog.clearCurrentFileContext();
+  });
+
+  it(
+    "control: real file context registers without firing the sentinel warning",
+    async () => {
+      const warn = vi.spyOn(console, "warn").mockImplementation(() => {});
+      const catalog = new StandardResourceCatalog();
+
+      (globalThis as { __catalogRegisterTaskMetadata?: unknown })
+        .__catalogRegisterTaskMetadata = (
+        task: Parameters<StandardResourceCatalog["registerTaskMetadata"]>[0]
+      ) => {
+        catalog.registerTaskMetadata(task);
+      };
+
+      catalog.setCurrentFileContext(
+        "/app/dist/lazy-task.entry.mjs",
+        "src/tasks/lazy-task.ts"
+      );
+      await import("./fixtures/dynamic-task-module.mjs?control");
+      catalog.clearCurrentFileContext();
+
+      const task = catalog.getTask("lazy-task");
+      expect(task).toBeDefined();
+      expect(task?.filePath).toBe("/app/dist/lazy-task.entry.mjs");
+      expect(task?.entryPoint).toBe("src/tasks/lazy-task.ts");
+      expect(warn).not.toHaveBeenCalled();
+    }
+  );
+});
+
+describe("StandardResourceCatalog — duplicate task id collisions", () => {
+  function register(catalog: StandardResourceCatalog, id: string, filePath: string) {
+    catalog.setCurrentFileContext(filePath, filePath);
+    catalog.registerTaskMetadata({ id, fns: { run: async () => "ok" } });
+    catalog.clearCurrentFileContext();
+  }
+
+  it("reports no collisions when every task id is unique", () => {
+    const catalog = new StandardResourceCatalog();
+
+    register(catalog, "a", "src/a.ts");
+    register(catalog, "b", "src/b.ts");
+
+    expect(catalog.listTaskIdCollisions()).toEqual([]);
+  });
+
+  it("records a collision with both file paths when an id is reused across files", () => {
+    const catalog = new StandardResourceCatalog();
+
+    register(catalog, "dupe", "src/a.ts");
+    register(catalog, "dupe", "src/b.ts");
+
+    expect(catalog.listTaskIdCollisions()).toEqual([
+      { id: "dupe", filePaths: ["src/a.ts", "src/b.ts"] },
+    ]);
+  });
+
+  it("collects every distinct file path when an id is defined three or more times", () => {
+    const catalog = new StandardResourceCatalog();
+
+    register(catalog, "dupe", "src/a.ts");
+    register(catalog, "dupe", "src/b.ts");
+    register(catalog, "dupe", "src/c.ts");
+
+    expect(catalog.listTaskIdCollisions()).toEqual([
+      { id: "dupe", filePaths: ["src/a.ts", "src/b.ts", "src/c.ts"] },
+    ]);
+  });
+
+  it("records two definitions in the same file (e.g. two exports sharing an id)", () => {
+    const catalog = new StandardResourceCatalog();
+
+    register(catalog, "dupe", "src/dupe.ts");
+    register(catalog, "dupe", "src/dupe.ts");
+
+    expect(catalog.listTaskIdCollisions()).toEqual([
+      { id: "dupe", filePaths: ["src/dupe.ts", "src/dupe.ts"] },
+    ]);
+  });
+});
diff --git a/packages/core/test/runStream.test.ts b/packages/core/test/runStream.test.ts
index 0bf7f17432c..a953b7b694b 100644
--- a/packages/core/test/runStream.test.ts
+++ b/packages/core/test/runStream.test.ts
@@ -1,7 +1,8 @@
-import { describe, expect, it } from "vitest";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import {
   RunSubscription,
   SSEStreamPart,
+  SSEStreamSubscription,
   StreamSubscription,
   StreamSubscriptionFactory,
 } from "../src/v3/apiClient/runStream.js";
@@ -470,6 +471,47 @@ describe("RunSubscription", () => {
   });
 });
 
+describe("SSEStreamSubscription", () => {
+  let originalFetch: typeof global.fetch;
+
+  beforeEach(() => {
+    originalFetch = global.fetch;
+  });
+
+  afterEach(() => {
+    global.fetch = originalFetch;
+    vi.restoreAllMocks();
+  });
+
+  it("does not retry the initial fetch on 401", async () => {
+    const fetchMock = vi.fn().mockResolvedValue(new Response(null, { status: 401 }));
+    global.fetch = fetchMock;
+
+    const sub = new SSEStreamSubscription("https://api.test/realtime/v1/streams/run_x/chat", {
+      headers: { Authorization: "Bearer expired" },
+    });
+
+    const stream = await sub.subscribe();
+    const reader = stream.getReader();
+    await expect(reader.read()).rejects.toMatchObject({ status: 401 });
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+  });
+
+  it("does not retry the initial fetch on 403", async () => {
+    const fetchMock = vi.fn().mockResolvedValue(new Response(null, { status: 403 }));
+    global.fetch = fetchMock;
+
+    const sub = new SSEStreamSubscription("https://api.test/realtime/v1/streams/run_x/chat", {
+      headers: { Authorization: "Bearer denied" },
+    });
+
+    const stream = await sub.subscribe();
+    const reader = stream.getReader();
+    await expect(reader.read()).rejects.toMatchObject({ status: 403 });
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+  });
+});
+
 export async function convertAsyncIterableToArray<T>(iterable: AsyncIterable<T>): Promise<T[]> {
   const result: T[] = [];
   for await (const item of iterable) {
diff --git a/packages/core/test/skillCatalog.test.ts b/packages/core/test/skillCatalog.test.ts
new file mode 100644
index 00000000000..3f1d29bf572
--- /dev/null
+++ b/packages/core/test/skillCatalog.test.ts
@@ -0,0 +1,74 @@
+import { describe, expect, it, vi } from "vitest";
+import { StandardResourceCatalog } from "../src/v3/resource-catalog/standardResourceCatalog.js";
+
+describe("StandardResourceCatalog — skills", () => {
+  it("registers and lists a skill manifest", () => {
+    const catalog = new StandardResourceCatalog();
+    catalog.setCurrentFileContext("trigger/chat.ts", "chat");
+
+    catalog.registerSkillMetadata({ id: "pdf-processing", sourcePath: "./skills/pdf-processing" });
+
+    const manifests = catalog.listSkillManifests();
+    expect(manifests).toHaveLength(1);
+    expect(manifests[0]).toMatchObject({
+      id: "pdf-processing",
+      sourcePath: "./skills/pdf-processing",
+      filePath: "trigger/chat.ts",
+      entryPoint: "chat",
+    });
+  });
+
+  it("getSkillManifest returns the registered skill", () => {
+    const catalog = new StandardResourceCatalog();
+    catalog.setCurrentFileContext("trigger/chat.ts", "chat");
+    catalog.registerSkillMetadata({ id: "a", sourcePath: "./skills/a" });
+
+    expect(catalog.getSkillManifest("a")?.sourcePath).toBe("./skills/a");
+    expect(catalog.getSkillManifest("missing")).toBeUndefined();
+  });
+
+  it("skips registration without a file context", () => {
+    const catalog = new StandardResourceCatalog();
+
+    catalog.registerSkillMetadata({ id: "pdf", sourcePath: "./skills/pdf" });
+
+    expect(catalog.listSkillManifests()).toHaveLength(0);
+  });
+
+  it("warns and ignores when the same id is registered with a different path", () => {
+    const catalog = new StandardResourceCatalog();
+    catalog.setCurrentFileContext("trigger/chat.ts", "chat");
+
+    const warn = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+    catalog.registerSkillMetadata({ id: "pdf", sourcePath: "./skills/pdf" });
+    catalog.registerSkillMetadata({ id: "pdf", sourcePath: "./skills/other-pdf" });
+
+    const manifests = catalog.listSkillManifests();
+    expect(manifests).toHaveLength(1);
+    expect(manifests[0]?.sourcePath).toBe("./skills/pdf");
+    expect(warn).toHaveBeenCalledWith(expect.stringContaining("defined twice"));
+
+    warn.mockRestore();
+  });
+
+  it("re-registering the same id + path is idempotent", () => {
+    const catalog = new StandardResourceCatalog();
+    catalog.setCurrentFileContext("trigger/chat.ts", "chat");
+
+    catalog.registerSkillMetadata({ id: "pdf", sourcePath: "./skills/pdf" });
+    catalog.registerSkillMetadata({ id: "pdf", sourcePath: "./skills/pdf" });
+
+    expect(catalog.listSkillManifests()).toHaveLength(1);
+  });
+
+  it("registers multiple distinct skills", () => {
+    const catalog = new StandardResourceCatalog();
+    catalog.setCurrentFileContext("trigger/chat.ts", "chat");
+
+    catalog.registerSkillMetadata({ id: "pdf", sourcePath: "./skills/pdf" });
+    catalog.registerSkillMetadata({ id: "researcher", sourcePath: "./skills/researcher" });
+
+    expect(catalog.listSkillManifests().map((s) => s.id).sort()).toEqual(["pdf", "researcher"]);
+  });
+});
diff --git a/packages/core/tsconfig.ai-v7.json b/packages/core/tsconfig.ai-v7.json
new file mode 100644
index 00000000000..952d0bde6e2
--- /dev/null
+++ b/packages/core/tsconfig.ai-v7.json
@@ -0,0 +1,18 @@
+{
+  // Typechecks core's src against AI SDK 7 (the `ai-v7` aliased devDep). Core's
+  // `ai` surface is small (ChatSnapshotV1's UIMessage constraint, ToolTaskParameters'
+  // Schema), but it ships in the public type surface, so it gets the same v7 gate
+  // as the SDK. See packages/trigger-sdk/tsconfig.ai-v7.json for the `paths`
+  // file-direct rationale.
+  "extends": "./tsconfig.src.json",
+  "compilerOptions": {
+    // noEmit-only gate: disable composite/incremental so this pass never writes or
+    // reads a .tsbuildinfo and can't replay stale module resolution across runs.
+    "composite": false,
+    "incremental": false,
+    "baseUrl": ".",
+    "paths": {
+      "ai": ["./node_modules/ai-v7/dist/index.d.ts"]
+    }
+  }
+}
diff --git a/packages/plugins/CHANGELOG.md b/packages/plugins/CHANGELOG.md
new file mode 100644
index 00000000000..c294ec91c19
--- /dev/null
+++ b/packages/plugins/CHANGELOG.md
@@ -0,0 +1,50 @@
+# @trigger.dev/plugins
+
+## 4.5.0-rc.5
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.5`
+
+## 4.5.0-rc.4
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.4`
+
+## 4.5.0-rc.3
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.3`
+
+## 4.5.0-rc.2
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.2`
+
+## 4.5.0-rc.1
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.1`
+
+## 4.5.0-rc.0
+
+### Patch Changes
+
+- The public interfaces for a plugin system. Initially consolidated authentication and authorization interfaces. ([#3499](https://github.com/triggerdotdev/trigger.dev/pull/3499))
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.0`
+
+## 0.0.0-prerelease-20260506134321
+
+### Patch Changes
+
+- b3a967765: The public interfaces for a plugin system. Initially consolidated authentication and authorization interfaces.
diff --git a/packages/plugins/package.json b/packages/plugins/package.json
new file mode 100644
index 00000000000..676b53f923d
--- /dev/null
+++ b/packages/plugins/package.json
@@ -0,0 +1,46 @@
+{
+  "name": "@trigger.dev/plugins",
+  "version": "4.5.0-rc.5",
+  "description": "Plugin contracts and interfaces for Trigger.dev",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/triggerdotdev/trigger.dev",
+    "directory": "packages/plugins"
+  },
+  "type": "module",
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "@trigger.dev/core": "workspace:*"
+  },
+  "scripts": {
+    "clean": "rimraf dist .turbo",
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "typecheck": "tsc --noEmit"
+  },
+  "devDependencies": {
+    "@types/node": "^20.14.14",
+    "rimraf": "6.0.1",
+    "tsup": "^8.4.0",
+    "typescript": "^5.3.0"
+  },
+  "engines": {
+    "node": ">=18.20.0"
+  },
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    }
+  }
+}
diff --git a/packages/plugins/src/index.ts b/packages/plugins/src/index.ts
new file mode 100644
index 00000000000..9a03d93b66b
--- /dev/null
+++ b/packages/plugins/src/index.ts
@@ -0,0 +1,23 @@
+export type {
+  RoleBasedAccessControlPlugin,
+  RoleBaseAccessController,
+  RoleAssignmentResult,
+  RoleMutationResult,
+  Permission,
+  Role,
+  RbacAbility,
+  RbacSubject,
+  RbacResource,
+  RbacEnvironment,
+  RbacUser,
+  BearerAuthResult,
+  SessionAuthResult,
+  PatAuthResult,
+  SystemRole,
+  AuthenticatedEnvironment,
+} from "./rbac.js";
+
+// Convenience re-exports — gives plugin authors (and the cloud workspace
+// link) one import surface without reaching into @trigger.dev/core
+// directly. Both helpers live in core; this is purely a forwarder.
+export { sanitizeBranchName, isValidGitBranchName } from "@trigger.dev/core/v3/utils/gitBranch";
diff --git a/packages/plugins/src/rbac.ts b/packages/plugins/src/rbac.ts
new file mode 100644
index 00000000000..7b59a3ab233
--- /dev/null
+++ b/packages/plugins/src/rbac.ts
@@ -0,0 +1,277 @@
+/**
+ * Plugin-owned metadata for a built-in system role. The plugin returns
+ * these in canonical order (highest authority first) so the dashboard
+ * can render columns / build a level ladder without knowing role names.
+ *
+ * Roles the plugin doesn't expose at all (e.g. seeded but with the
+ * `is_hidden` flag set in the cloud plugin) are not returned by
+ * `systemRoles()` — there's no "advertised but absent" state.
+ *
+ * `available` indicates whether the role is assignable on the *org's
+ * plan*. v1: Free/Hobby plans get Owner+Admin available; Pro+ adds
+ * Developer. Consumers may render unavailable rows with an upgrade
+ * badge, hide them, or otherwise gate UI on the flag.
+ */
+export type SystemRole = {
+  id: string;
+  name: string;
+  description: string;
+  available: boolean;
+};
+
+export type Permission = {
+  // `<action>:<subject>` — display name, derived from the ability rule.
+  name: string;
+  description: string;
+  // Display bucket for the Roles page (e.g. "Runs", "Tasks"). The page
+  // groups permissions by this string and lists groups in the order they
+  // first appear in `allPermissions()`, so the plugin owns both the
+  // bucket label and the section ordering. Omit for "no grouping".
+  group?: string;
+  // Inverted rules (CASL `cannot`) surface as ✗ in the Roles page.
+  inverted?: boolean;
+  // CASL conditions (e.g. `{ envType: "PRODUCTION" }`) — when present,
+  // the Roles page renders a tier badge alongside the permission row.
+  conditions?: Record<string, unknown>;
+};
+
+export type Role = {
+  id: string;
+  name: string;
+  description: string;
+  permissions: Permission[];
+  isSystem: boolean;
+};
+
+export type RbacSubject =
+  | { type: "user"; userId: string; organizationId: string; projectId?: string }
+  | { type: "personalAccessToken"; tokenId: string; organizationId: string; projectId?: string }
+  | { type: "publicJWT"; environmentId: string; organizationId: string; projectId?: string };
+
+export type RbacResource = {
+  type: string;
+  id?: string;
+  // Extra fields a route may pass for condition-based ability checks —
+  // e.g. `envType` for env-tier-scoped rules ("Member can read envvars
+  // unless envType === 'PRODUCTION'"). The plugin's ability matcher
+  // (CASL) reads these off the resource object; routes that don't use
+  // conditional rules can keep passing `{ type, id? }`.
+  [key: string]: unknown;
+};
+
+// The plugin contract carries the same env shape that host webapps' auth
+// flows use. Defined in @trigger.dev/core so it's importable from any
+// internal package without going through the plugin contract itself.
+export type { AuthenticatedEnvironment } from "@trigger.dev/core/v3/auth/environment";
+import type { AuthenticatedEnvironment as RbacEnv } from "@trigger.dev/core/v3/auth/environment";
+
+/** @deprecated Renamed to `AuthenticatedEnvironment`. Kept as alias for transitional code. */
+export type RbacEnvironment = RbacEnv;
+
+export type RbacUser = {
+  id: string;
+  email: string;
+  name: string | null;
+  displayName: string | null;
+  avatarUrl: string | null;
+  admin: boolean;
+  confirmedBasicDetails: boolean;
+  isImpersonating: boolean;
+};
+
+/** Pre-built ability returned by authenticate* — all checks are sync, no DB call. */
+export interface RbacAbility {
+  // Array form means "grant access if any resource in the array passes" —
+  // used by routes that touch multiple resources (e.g. a run also carries
+  // a batch id, tags, a task identifier) so a JWT scoped to any of them
+  // grants access.
+  can(action: string, resource: RbacResource | RbacResource[]): boolean;
+  canSuper(): boolean;
+}
+
+export type BearerAuthResult =
+  | { ok: false; status: 401 | 403; error: string }
+  | {
+      ok: true;
+      environment: RbacEnv;
+      subject: RbacSubject;
+      ability: RbacAbility;
+      jwt?: { realtime?: { skipColumns?: string[] }; oneTimeUse?: boolean };
+    };
+
+export type SessionAuthResult =
+  | { ok: false; reason: "unauthenticated" | "unauthorized" }
+  | { ok: true; user: RbacUser; subject: RbacSubject; ability: RbacAbility };
+
+// PAT auth deliberately omits `environment` — PATs are user identity
+// tokens, not environment tokens. The ability is resolved per-request
+// from the user's role in the target org (passed via `context`),
+// intersected with the PAT's optional max-role cap.
+export type PatAuthResult =
+  | { ok: false; status: 401 | 403; error: string }
+  | {
+      ok: true;
+      tokenId: string;
+      userId: string;
+      // The token's stored `lastAccessedAt`, returned alongside the
+      // identity so the host can throttle the per-request update in JS
+      // (skip the DB roundtrip when the value is fresh). Plugins must
+      // include this column in their auth lookup; the host owns the
+      // throttle window + the UPDATE itself. Null on a never-accessed
+      // token. The plugin contract requires this so the apiBuilder can
+      // collapse PAT auth + lastAccessedAt update from 2 queries to 1
+      // in the fresh-cache case — matching pre-RBAC main's query count.
+      lastAccessedAt: Date | null;
+      subject: RbacSubject;
+      ability: RbacAbility;
+    };
+
+export interface RoleBaseAccessController {
+  // True when a real RBAC plugin is loaded (i.e. cloud); false when the
+  // OSS fallback is in use. Hosts gate behaviour that's only meaningful
+  // when the plugin is present (e.g. skipping role-attachment writes,
+  // hiding role-pickers in the UI, branching on whether ability checks
+  // are authoritative or permissive).
+  isUsingPlugin(): Promise<boolean>;
+
+  // API routes (Bearer token): one DB query → identity + pre-built ability
+  // options.allowJWT: when true, accepts PUBLIC_JWT tokens in addition to environment API keys
+  authenticateBearer(request: Request, options?: { allowJWT?: boolean }): Promise<BearerAuthResult>;
+
+  // Dashboard loaders/actions (session cookie): one DB query → user + pre-built ability.
+  // The caller resolves `userId` from the session cookie and passes it in.
+  // (`null` means "no authenticated user"; the plugin returns `{ ok: false,
+  // reason: "unauthenticated" }`.) The plugin used to take a
+  // `helpers.getSessionUserId(request)` callback at create-time; pulling the
+  // userId resolution into the caller drops a static module-load coupling
+  // from the plugin's host module to the host's session-cookie code.
+  authenticateSession(
+    request: Request,
+    context: { userId: string | null; organizationId?: string; projectId?: string }
+  ): Promise<SessionAuthResult>;
+
+  // PAT-authenticated routes (Authorization: Bearer tr_pat_…). The token
+  // identifies the user; the effective ability is `min(user's current
+  // role in the target org, the PAT's optional max-role cap)`. The user's
+  // actual org membership is the floor — if they've been demoted or
+  // removed, the PAT auto-narrows. The cap is set at PAT creation and
+  // ceilings the token even when the user is more privileged.
+  //
+  // No plugin installed → fallback returns a permissive ability so PAT
+  // routes that don't yet declare an `authorization` block keep working
+  // exactly as they did pre-RBAC.
+  authenticatePat(
+    request: Request,
+    context: { organizationId?: string; projectId?: string }
+  ): Promise<PatAuthResult>;
+
+  // Convenience: authenticate + ability.can() check in one call; returns ok:false if check fails.
+  // resource accepts the same single-or-array shape as RbacAbility.can — array form means
+  // "grant access if any element passes".
+  authenticateAuthorizeBearer(
+    request: Request,
+    check: { action: string; resource: RbacResource | RbacResource[] },
+    options?: { allowJWT?: boolean }
+  ): Promise<BearerAuthResult>;
+
+  authenticateAuthorizeSession(
+    request: Request,
+    context: { userId: string | null; organizationId?: string; projectId?: string },
+    check: { action: string; resource: RbacResource | RbacResource[] }
+  ): Promise<SessionAuthResult>;
+
+  // Plugin-owned catalogue of built-in system roles for the given org,
+  // in canonical order (highest authority first). Returns null when no
+  // plugin is installed — there are no seeded roles to refer to in that
+  // case (the default fallback's `allRoles` returns []).
+  //
+  // Hidden roles (e.g. Member in v1) are filtered out entirely. Each
+  // entry's `available` flag reflects whether the org's plan permits
+  // assigning that role; consumers can render unavailable entries with
+  // an upgrade badge or hide them.
+  systemRoles(organizationId: string): Promise<SystemRole[] | null>;
+
+  // Role introspection. The fallback returns []; a plugin may return
+  // its own role catalogue.
+  allPermissions(organizationId: string): Promise<Permission[]>;
+  allRoles(organizationId: string): Promise<Role[]>;
+
+  // Of the roles returned by `allRoles(organizationId)`, which IDs may
+  // be assigned right now? Used by the Teams page UI to disable
+  // role-dropdown options the org isn't allowed to assign. The default
+  // fallback returns every role id (permissive — it doesn't apply any
+  // gating). Server-side enforcement lives in setUserRole; this method
+  // is purely a UI affordance.
+  getAssignableRoleIds(organizationId: string): Promise<string[]>;
+
+  // Role management. Mutation methods return a discriminated Result
+  // rather than throwing — the dashboard surfaces `error` strings
+  // directly to the user (system role edits, gating, validation
+  // conflicts), so a thrown exception is only ever for unexpected
+  // failures (DB outage, bug). The default fallback returns
+  // `{ ok: false, error: "RBAC plugin not installed" }` for these.
+  createRole(params: {
+    organizationId: string;
+    name: string;
+    description: string;
+    permissions: string[];
+  }): Promise<RoleMutationResult>;
+
+  updateRole(params: {
+    roleId: string;
+    name?: string;
+    description?: string;
+    permissions?: string[];
+  }): Promise<RoleMutationResult>;
+
+  deleteRole(roleId: string): Promise<RoleAssignmentResult>;
+
+  // Role assignments. Same Result discipline as the role-management
+  // methods above. The default fallback returns
+  // `{ ok: false, error: "RBAC plugin not installed" }`.
+  getUserRole(params: {
+    userId: string;
+    organizationId: string;
+    projectId?: string;
+  }): Promise<Role | null>;
+
+  // Batch variant for callers that need per-user roles for many users
+  // in one round-trip (e.g. the Team page rendering N members).
+  // Org-scoped only — project-scoped reads still go through getUserRole.
+  // Returns a Map keyed by userId; users with no resolvable role map to
+  // null. The default fallback returns a Map of all userIds → null.
+  getUserRoles(
+    userIds: string[],
+    organizationId: string
+  ): Promise<Map<string, Role | null>>;
+
+  setUserRole(params: {
+    userId: string;
+    organizationId: string;
+    roleId: string;
+    projectId?: string;
+  }): Promise<RoleAssignmentResult>;
+
+  removeUserRole(params: {
+    userId: string;
+    organizationId: string;
+    projectId?: string;
+  }): Promise<RoleAssignmentResult>;
+
+  getTokenRole(tokenId: string): Promise<Role | null>;
+  setTokenRole(params: { tokenId: string; roleId: string }): Promise<RoleAssignmentResult>;
+  removeTokenRole(tokenId: string): Promise<RoleAssignmentResult>;
+}
+
+// Mutation result for role create/update — success carries the new
+// `role`, failure carries a user-facing `error` string.
+export type RoleMutationResult =
+  | { ok: true; role: Role }
+  | { ok: false; error: string };
+
+// Result for assignment / deletion mutations that don't return a value.
+export type RoleAssignmentResult = { ok: true } | { ok: false; error: string };
+
+export interface RoleBasedAccessControlPlugin {
+  create(): RoleBaseAccessController | Promise<RoleBaseAccessController>;
+}
diff --git a/packages/plugins/tsconfig.json b/packages/plugins/tsconfig.json
new file mode 100644
index 00000000000..e16a109bd98
--- /dev/null
+++ b/packages/plugins/tsconfig.json
@@ -0,0 +1,7 @@
+{
+  "extends": "../../.configs/tsconfig.base.json",
+  "compilerOptions": {
+    "sourceMap": true
+  },
+  "include": ["./src/**/*.ts"]
+}
diff --git a/packages/plugins/tsup.config.ts b/packages/plugins/tsup.config.ts
new file mode 100644
index 00000000000..4dff9109b7f
--- /dev/null
+++ b/packages/plugins/tsup.config.ts
@@ -0,0 +1,11 @@
+import { defineConfig } from "tsup";
+
+export default defineConfig({
+  entry: ["src/index.ts"],
+  format: ["cjs", "esm"],
+  dts: true,
+  splitting: false,
+  sourcemap: true,
+  clean: true,
+  treeshake: true,
+});
diff --git a/packages/python/CHANGELOG.md b/packages/python/CHANGELOG.md
index 57b16c19fd7..3ccb568df5a 100644
--- a/packages/python/CHANGELOG.md
+++ b/packages/python/CHANGELOG.md
@@ -1,5 +1,77 @@
 # @trigger.dev/python
 
+## 4.5.0-rc.5
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/sdk@4.5.0-rc.5`
+  - `@trigger.dev/core@4.5.0-rc.5`
+  - `@trigger.dev/build@4.5.0-rc.5`
+
+## 4.5.0-rc.4
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/sdk@4.5.0-rc.4`
+  - `@trigger.dev/core@4.5.0-rc.4`
+  - `@trigger.dev/build@4.5.0-rc.4`
+
+## 4.5.0-rc.3
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.3`
+  - `@trigger.dev/build@4.5.0-rc.3`
+  - `@trigger.dev/sdk@4.5.0-rc.3`
+
+## 4.5.0-rc.2
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/sdk@4.5.0-rc.2`
+  - `@trigger.dev/build@4.5.0-rc.2`
+  - `@trigger.dev/core@4.5.0-rc.2`
+
+## 4.5.0-rc.1
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.1`
+  - `@trigger.dev/build@4.5.0-rc.1`
+  - `@trigger.dev/sdk@4.5.0-rc.1`
+
+## 4.5.0-rc.0
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/sdk@4.5.0-rc.0`
+  - `@trigger.dev/core@4.5.0-rc.0`
+  - `@trigger.dev/build@4.5.0-rc.0`
+
+## 4.4.6
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.6`
+  - `@trigger.dev/build@4.4.6`
+  - `@trigger.dev/sdk@4.4.6`
+
+## 4.4.5
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.5`
+  - `@trigger.dev/build@4.4.5`
+  - `@trigger.dev/sdk@4.4.5`
+
 ## 4.4.4
 
 ### Patch Changes
diff --git a/packages/python/package.json b/packages/python/package.json
index bdbac024ca9..261e5029b19 100644
--- a/packages/python/package.json
+++ b/packages/python/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@trigger.dev/python",
-  "version": "4.4.4",
+  "version": "4.5.0-rc.5",
   "description": "Python runtime and build extension for Trigger.dev",
   "license": "MIT",
   "publishConfig": {
@@ -45,7 +45,7 @@
     "check-exports": "attw --pack ."
   },
   "dependencies": {
-    "@trigger.dev/core": "workspace:4.4.4",
+    "@trigger.dev/core": "workspace:4.5.0-rc.5",
     "tinyexec": "^0.3.2"
   },
   "devDependencies": {
@@ -56,12 +56,12 @@
     "tsx": "4.17.0",
     "esbuild": "^0.23.0",
     "@arethetypeswrong/cli": "^0.15.4",
-    "@trigger.dev/build": "workspace:4.4.4",
-    "@trigger.dev/sdk": "workspace:4.4.4"
+    "@trigger.dev/build": "workspace:4.5.0-rc.5",
+    "@trigger.dev/sdk": "workspace:4.5.0-rc.5"
   },
   "peerDependencies": {
-    "@trigger.dev/sdk": "workspace:^4.4.4",
-    "@trigger.dev/build": "workspace:^4.4.4"
+    "@trigger.dev/sdk": "workspace:^4.5.0-rc.5",
+    "@trigger.dev/build": "workspace:^4.5.0-rc.5"
   },
   "engines": {
     "node": ">=18.20.0"
diff --git a/packages/react-hooks/CHANGELOG.md b/packages/react-hooks/CHANGELOG.md
index d4fcdc21d42..f979a5cbd46 100644
--- a/packages/react-hooks/CHANGELOG.md
+++ b/packages/react-hooks/CHANGELOG.md
@@ -1,5 +1,61 @@
 # @trigger.dev/react-hooks
 
+## 4.5.0-rc.5
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.5`
+
+## 4.5.0-rc.4
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.4`
+
+## 4.5.0-rc.3
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.3`
+
+## 4.5.0-rc.2
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.2`
+
+## 4.5.0-rc.1
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.1`
+
+## 4.5.0-rc.0
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.0`
+
+## 4.4.6
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.6`
+
+## 4.4.5
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.5`
+
 ## 4.4.4
 
 ### Patch Changes
diff --git a/packages/react-hooks/package.json b/packages/react-hooks/package.json
index 99a6952537a..23a26b1130e 100644
--- a/packages/react-hooks/package.json
+++ b/packages/react-hooks/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@trigger.dev/react-hooks",
-  "version": "4.4.4",
+  "version": "4.5.0-rc.5",
   "description": "trigger.dev react hooks",
   "license": "MIT",
   "publishConfig": {
@@ -37,14 +37,14 @@
     "check-exports": "attw --pack ."
   },
   "dependencies": {
-    "@trigger.dev/core": "workspace:^4.4.4",
+    "@trigger.dev/core": "workspace:^4.5.0-rc.5",
     "swr": "^2.2.5"
   },
   "devDependencies": {
     "@arethetypeswrong/cli": "^0.15.4",
     "@types/react": "*",
     "@types/react-dom": "*",
-    "rimraf": "^3.0.2",
+    "rimraf": "^6.0.1",
     "tshy": "^3.0.2",
     "tsx": "4.17.0"
   },
diff --git a/packages/redis-worker/CHANGELOG.md b/packages/redis-worker/CHANGELOG.md
index 570a91aca4f..846909fce4f 100644
--- a/packages/redis-worker/CHANGELOG.md
+++ b/packages/redis-worker/CHANGELOG.md
@@ -1,5 +1,76 @@
 # @trigger.dev/redis-worker
 
+## 4.5.0-rc.5
+
+### Patch Changes
+
+- Make mollifier buffer and drainer internals configurable. `MollifierBuffer` now accepts `ackGraceTtlSeconds`, `maxRetriesPerRequest`, `reconnectStepMs`, and `reconnectMaxMs` options, and `MollifierDrainer` accepts `maxBackoffMs` and `backoffFloorMs`. All default to their previous hardcoded values, so existing behaviour is unchanged. ([#3822](https://github.com/triggerdotdev/trigger.dev/pull/3822))
+- `MollifierDrainer` accepts a `drainBatchSize` option (default 1) that controls how many entries are popped per env per tick — in-flight handlers remain capped by the global `concurrency`. `MollifierBuffer` also gains `getDrainingCount()` / `listStaleDraining()`, backed by a new `mollifier:draining` ZSET maintained atomically with pop/ack/fail/requeue (observability-only). ([#3797](https://github.com/triggerdotdev/trigger.dev/pull/3797))
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.5`
+
+## 4.5.0-rc.4
+
+### Minor Changes
+
+- Mollifier buffer extensions: idempotency dedup, an atomic `mutateSnapshot` API, metadata CAS, claim primitives, and a `MollifierSnapshot` type. The buffer's Redis client now reconnects with jittered backoff so a fleet of clients doesn't stampede Redis in lockstep after a blip. ([#3752](https://github.com/triggerdotdev/trigger.dev/pull/3752))
+- Add `onTerminalFailure` callback to `MollifierDrainerOptions` so the customer's run lands a SYSTEM_FAILURE PG row even when the drainer exhausts `maxAttempts` on a retryable PG error. Previously, retryable-error exhaustion called `buffer.fail()` directly, which atomically marks FAILED + DELs the entry hash with no PG write — silent data loss when PG was unreachable across the full retry budget. The callback fires before `buffer.fail()` on any terminal path (`cause: "non-retryable"` or `"max-attempts-exhausted"`); throwing a retryable error from the callback causes the drainer to requeue rather than fail. ([#3754](https://github.com/triggerdotdev/trigger.dev/pull/3754))
+
+### Patch Changes
+
+- Pipeline the per-entry `HGETALL` fetches in `MollifierBuffer.listEntriesForEnv`. The previous serial implementation issued one Redis round-trip per runId returned by `LRANGE`, which dominated stale-sweep wall-time at any meaningful backlog (at the sweep's default maxCount=1000, this is ~1000 RTTs per env per pass). Behaviour is unchanged — entries are still skipped when the entry hash has been torn down by a concurrent drainer ack/fail between the LRANGE and the HGETALL. ([#3752](https://github.com/triggerdotdev/trigger.dev/pull/3752))
+- Mollifier `mutateSnapshot` now enforces a tag cap: an `append_tags` patch carrying `maxTags` returns `"limit_exceeded"` (writing nothing) when the deduped tag count would exceed the limit, so a buffered run can't accumulate more tags via the tags API than the trigger validator allows at creation. ([#3756](https://github.com/triggerdotdev/trigger.dev/pull/3756))
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.4`
+
+## 4.5.0-rc.3
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.3`
+
+## 4.5.0-rc.2
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.2`
+
+## 4.5.0-rc.1
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.1`
+
+## 4.5.0-rc.0
+
+### Patch Changes
+
+- Add MollifierBuffer and MollifierDrainer primitives for trigger burst smoothing. ([#3614](https://github.com/triggerdotdev/trigger.dev/pull/3614))
+
+  MollifierBuffer (`accept`, `pop`, `ack`, `requeue`, `fail`, `evaluateTrip`) is a per-env FIFO over Redis with atomic Lua transitions for status tracking. `evaluateTrip` is a sliding-window trip evaluator the webapp gate uses to detect per-env trigger bursts.
+
+  MollifierDrainer pops entries through a polling loop with a user-supplied handler. The loop survives transient Redis errors via capped exponential backoff (up to 5s), and per-env pop failures don't poison the rest of the batch — one env's blip is logged and counted as failed for that tick. Rotation is two-level: orgs at the top, envs within each org. The buffer maintains `mollifier:orgs` and `mollifier:org-envs:${orgId}` atomically with per-env queues, so the drainer walks orgs → envs directly without an in-memory cache. The `maxOrgsPerTick` option (default 500) caps how many orgs are scheduled per tick; for each picked org, one env is popped (rotating round-robin within the org). An org with N envs gets the same per-tick scheduling slot as an org with 1 env, so tenant-level drainage throughput is determined by org count rather than env count.
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.0`
+
+## 4.4.6
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.6`
+
+## 4.4.5
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.5`
+
 ## 4.4.4
 
 ### Patch Changes
diff --git a/packages/redis-worker/package.json b/packages/redis-worker/package.json
index 11e6b00004c..8cf0fd2d353 100644
--- a/packages/redis-worker/package.json
+++ b/packages/redis-worker/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@trigger.dev/redis-worker",
-  "version": "4.4.4",
+  "version": "4.5.0-rc.5",
   "description": "Redis worker for trigger.dev",
   "license": "MIT",
   "publishConfig": {
@@ -23,7 +23,7 @@
     "test": "vitest --sequence.concurrent=false --no-file-parallelism"
   },
   "dependencies": {
-    "@trigger.dev/core": "workspace:4.4.4",
+    "@trigger.dev/core": "workspace:4.5.0-rc.5",
     "lodash.omit": "^4.5.0",
     "nanoid": "^5.0.7",
     "p-limit": "^6.2.0",
diff --git a/packages/redis-worker/src/index.ts b/packages/redis-worker/src/index.ts
index 1c5147ea48d..e5e3db32f12 100644
--- a/packages/redis-worker/src/index.ts
+++ b/packages/redis-worker/src/index.ts
@@ -4,3 +4,4 @@ export * from "./utils.js";
 
 // Fair Queue System
 export * from "./fair-queue/index.js";
+export * from "./mollifier/index.js";
diff --git a/packages/redis-worker/src/mollifier/buffer.test.ts b/packages/redis-worker/src/mollifier/buffer.test.ts
new file mode 100644
index 00000000000..3a775bbb8f6
--- /dev/null
+++ b/packages/redis-worker/src/mollifier/buffer.test.ts
@@ -0,0 +1,2974 @@
+import { describe, expect, it } from "vitest";
+import { BufferEntrySchema, serialiseSnapshot, deserialiseSnapshot } from "./schemas.js";
+import { redisTest } from "@internal/testcontainers";
+import { Logger } from "@trigger.dev/core/logger";
+import {
+  DRAINING_SET_KEY,
+  MollifierBuffer,
+  idempotencyLookupKeyFor,
+  makeIdempotencyClaimKey,
+  mollifierReconnectDelayMs,
+} from "./buffer.js";
+
+describe("mollifierReconnectDelayMs", () => {
+  it("grows linearly with the attempt count and caps the base at 1s", () => {
+    // random=()=>1 yields the top of the equal-jitter band (== base).
+    const top = (times: number) => mollifierReconnectDelayMs(times, () => 1);
+    expect(top(1)).toBe(50);
+    expect(top(4)).toBe(200);
+    expect(top(20)).toBe(1000);
+    // Past the cap the base stays at 1000.
+    expect(top(100)).toBe(1000);
+  });
+
+  it("applies equal jitter: result is uniform in [base/2, base]", () => {
+    // base for times=10 is 500, so the band is [250, 500].
+    expect(mollifierReconnectDelayMs(10, () => 0)).toBe(250); // floor of band
+    expect(mollifierReconnectDelayMs(10, () => 0.999999)).toBe(500); // top of band
+    const mid = mollifierReconnectDelayMs(10, () => 0.5);
+    expect(mid).toBeGreaterThanOrEqual(250);
+    expect(mid).toBeLessThanOrEqual(500);
+  });
+
+  it("never exceeds the original fixed-schedule envelope (strictly an improvement)", () => {
+    for (const times of [1, 2, 5, 10, 20, 50]) {
+      const cap = Math.min(times * 50, 1000);
+      for (const r of [0, 0.25, 0.5, 0.75, 0.999999]) {
+        const delay = mollifierReconnectDelayMs(times, () => r);
+        expect(delay).toBeLessThanOrEqual(cap);
+        expect(delay).toBeGreaterThanOrEqual(Math.floor(cap / 2));
+      }
+    }
+  });
+
+  it("decorrelates concurrent reconnects (distinct values across random draws)", () => {
+    const draws = [0.05, 0.3, 0.55, 0.8, 0.95].map((r) =>
+      mollifierReconnectDelayMs(20, () => r),
+    );
+    // Lockstep would collapse to a single value; jitter spreads them.
+    expect(new Set(draws).size).toBeGreaterThan(1);
+  });
+});
+
+describe("schemas", () => {
+  it("serialiseSnapshot then deserialiseSnapshot is identity for plain objects", () => {
+    const snapshot = { taskId: "my-task", payload: { foo: 42, bar: "baz" } };
+    const round = deserialiseSnapshot(serialiseSnapshot(snapshot));
+    expect(round).toEqual(snapshot);
+  });
+
+  it("BufferEntrySchema parses a complete entry", () => {
+    const raw = {
+      runId: "run_abc",
+      envId: "env_1",
+      orgId: "org_1",
+      payload: serialiseSnapshot({ taskId: "t" }),
+      status: "QUEUED",
+      attempts: "0",
+      createdAt: "2026-05-11T10:00:00.000Z",
+      createdAtMicros: "1747044000000000",
+    };
+    const parsed = BufferEntrySchema.parse(raw);
+    expect(parsed.runId).toBe("run_abc");
+    expect(parsed.status).toBe("QUEUED");
+    expect(parsed.attempts).toBe(0);
+    expect(parsed.createdAt).toBeInstanceOf(Date);
+    expect(parsed.createdAtMicros).toBe(1747044000000000);
+  });
+
+  it("BufferEntrySchema defaults createdAtMicros for entries written before the field existed", () => {
+    // Backward compat: an entry written by an accept Lua predating
+    // createdAtMicros (only the original 7 fields) must still parse on
+    // pop rather than being silently dropped.
+    const raw = {
+      runId: "run_old",
+      envId: "env_1",
+      orgId: "org_1",
+      payload: serialiseSnapshot({}),
+      status: "QUEUED",
+      attempts: "0",
+      createdAt: "2026-05-11T10:00:00.000Z",
+      // no createdAtMicros
+    };
+    const parsed = BufferEntrySchema.parse(raw);
+    expect(parsed.createdAtMicros).toBe(0);
+  });
+
+  it("BufferEntrySchema parses a FAILED entry with lastError", () => {
+    const raw = {
+      runId: "run_abc",
+      envId: "env_1",
+      orgId: "org_1",
+      payload: serialiseSnapshot({}),
+      status: "FAILED",
+      attempts: "3",
+      createdAt: "2026-05-11T10:00:00.000Z",
+      createdAtMicros: "1747044000000000",
+      lastError: JSON.stringify({ code: "P2024", message: "connection lost" }),
+    };
+    const parsed = BufferEntrySchema.parse(raw);
+    expect(parsed.lastError).toEqual({ code: "P2024", message: "connection lost" });
+  });
+});
+
+describe("MollifierBuffer construction", () => {
+  redisTest("constructs and closes cleanly", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      logger: new Logger("test", "log"),
+    });
+
+    await buffer.close();
+  });
+});
+
+describe("MollifierBuffer.accept", () => {
+  redisTest("accept writes entry, enqueues, and tracks env", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      logger: new Logger("test", "log"),
+    });
+
+    try {
+      await buffer.accept({
+        runId: "run_1",
+        envId: "env_a",
+        orgId: "org_1",
+        payload: serialiseSnapshot({ taskId: "t" }),
+      });
+
+      const entry = await buffer.getEntry("run_1");
+      expect(entry).not.toBeNull();
+      expect(entry!.runId).toBe("run_1");
+      expect(entry!.envId).toBe("env_a");
+      expect(entry!.orgId).toBe("org_1");
+      expect(entry!.status).toBe("QUEUED");
+      expect(entry!.attempts).toBe(0);
+      expect(entry!.createdAt).toBeInstanceOf(Date);
+
+      const envs = await buffer.listEnvsForOrg("org_1");
+      expect(envs).toContain("env_a");
+    } finally {
+      await buffer.close();
+    }
+  });
+});
+
+describe("MollifierBuffer.pop", () => {
+  redisTest("pop returns next QUEUED entry and transitions to DRAINING", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      logger: new Logger("test", "log"),
+    });
+
+    try {
+      await buffer.accept({ runId: "run_1", envId: "env_a", orgId: "org_1", payload: "{}" });
+      await buffer.accept({ runId: "run_2", envId: "env_a", orgId: "org_1", payload: "{}" });
+
+      const popped = await buffer.pop("env_a");
+      expect(popped).not.toBeNull();
+      expect(popped!.runId).toBe("run_1");
+      expect(popped!.status).toBe("DRAINING");
+
+      const stored = await buffer.getEntry("run_1");
+      expect(stored!.status).toBe("DRAINING");
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest("pop returns null when env queue is empty", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      logger: new Logger("test", "log"),
+    });
+
+    try {
+      const popped = await buffer.pop("env_nonexistent");
+      expect(popped).toBeNull();
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest("atomic RPOP across two parallel pops on the same env", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      logger: new Logger("test", "log"),
+    });
+
+    try {
+      await buffer.accept({ runId: "only", envId: "env_a", orgId: "org_1", payload: "{}" });
+
+      const [a, b] = await Promise.all([buffer.pop("env_a"), buffer.pop("env_a")]);
+      const winners = [a, b].filter((x) => x !== null);
+      expect(winners).toHaveLength(1);
+      expect(winners[0]!.runId).toBe("only");
+    } finally {
+      await buffer.close();
+    }
+  });
+});
+
+describe("MollifierBuffer.ack", () => {
+  redisTest(
+    "ack marks entry materialised and applies the grace TTL — entry persists as a read-fallback safety net",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "run_x", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.pop("env_a");
+        await buffer.ack("run_x");
+
+        const after = await buffer.getEntry("run_x");
+        expect(after).not.toBeNull();
+        expect(after!.materialised).toBe(true);
+
+        // ack grace TTL is the only context where an entry hash gets
+        // an EXPIRE — accept no longer sets one. Should be at most 30s.
+        const ttl = await buffer.getEntryTtlSeconds("run_x");
+        expect(ttl).toBeGreaterThan(0);
+        expect(ttl).toBeLessThanOrEqual(30);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest("ack on missing entry is a no-op", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      logger: new Logger("test", "log"),
+    });
+
+    try {
+      await buffer.ack("run_ghost");
+      const stored = await buffer.getEntry("run_ghost");
+      expect(stored).toBeNull();
+      // Critical: no partial hash created.
+      const raw = await buffer["redis"].hgetall("mollifier:entries:run_ghost");
+      expect(Object.keys(raw)).toHaveLength(0);
+    } finally {
+      await buffer.close();
+    }
+  });
+});
+
+describe("MollifierBuffer.pop orphan handling", () => {
+  redisTest(
+    "pop skips orphan queue references (runId in queue but entry hash expired)",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        // Simulate an evicted orphan: queue ref exists, entry hash does not.
+        await buffer["redis"].rpush("mollifier:queue:env_a", "run_orphan");
+
+        const popped = await buffer.pop("env_a");
+        expect(popped).toBeNull();
+
+        // Critical: no partial hash was created for the orphan.
+        const raw = await buffer["redis"].hgetall("mollifier:entries:run_orphan");
+        expect(Object.keys(raw)).toHaveLength(0);
+
+        // Queue is drained — the loop pops orphans until empty.
+        const qLen = await buffer["redis"].llen("mollifier:queue:env_a");
+        expect(qLen).toBe(0);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "pop skips orphans then returns the first valid entry behind them",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        // Build the queue so RPOP (tail-first) yields: orphan_a, valid,
+        // orphan_b. accept LPUSHes "valid"; RPUSH puts orphan_a at the
+        // tail (popped first), LPUSH puts orphan_b at the head (popped
+        // last). First pop skips orphan_a, returns valid; orphan_b remains.
+        await buffer.accept({ runId: "valid", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer["redis"].rpush("mollifier:queue:env_a", "orphan_a");
+        await buffer["redis"].lpush("mollifier:queue:env_a", "orphan_b");
+
+        const popped = await buffer.pop("env_a");
+        expect(popped).not.toBeNull();
+        expect(popped!.runId).toBe("valid");
+        expect(popped!.status).toBe("DRAINING");
+
+        // The trailing orphan_b is still in the queue (single pop call).
+        const remaining = await buffer["redis"].llen("mollifier:queue:env_a");
+        expect(remaining).toBe(1);
+
+        // A second pop drains the trailing orphan_b. The queue is now
+        // empty. NOTE: the pop's no-runId branch can't read orgId from
+        // a popped entry (it never got one), so it doesn't prune the
+        // org-envs SET. env_a remains in `mollifier:org-envs:org_1` as
+        // a stale entry until the next accept-or-success-pop cycle
+        // recovers it. This is the deliberate trade-off documented in
+        // popAndMarkDraining's Lua.
+        const second = await buffer.pop("env_a");
+        expect(second).toBeNull();
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+describe("MollifierBuffer.requeue", () => {
+  redisTest("requeue increments attempts, restores QUEUED, re-LPUSHes", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      logger: new Logger("test", "log"),
+    });
+
+    try {
+      await buffer.accept({ runId: "run_r", envId: "env_a", orgId: "org_1", payload: "{}" });
+      await buffer.pop("env_a");
+      await buffer.requeue("run_r");
+
+      const entry = await buffer.getEntry("run_r");
+      expect(entry!.status).toBe("QUEUED");
+      expect(entry!.attempts).toBe(1);
+
+      const popped = await buffer.pop("env_a");
+      expect(popped!.runId).toBe("run_r");
+    } finally {
+      await buffer.close();
+    }
+  });
+});
+
+describe("MollifierBuffer.fail", () => {
+  redisTest(
+    "fail returns true and tears the entry down (drainer-terminal cleanup)",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // Post-TTL-drop design: the drainer's createFailedTaskRun has
+      // already written a SYSTEM_FAILURE PG row by the time we call
+      // fail(), so the entry hash is no longer load-bearing. fail
+      // returns true and removes the entry; without this teardown
+      // failed entries would accrete forever now that there's no
+      // accept-time TTL. The Lua also DELs the idempotency lookup so
+      // future retries with the same key go through to PG instead of
+      // hitting an orphan dedup record.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "run_f", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.pop("env_a");
+        const failed = await buffer.fail("run_f", { code: "VALIDATION", message: "boom" });
+        expect(failed).toBe(true);
+
+        // Entry hash is gone post-fail.
+        const entry = await buffer.getEntry("run_f");
+        expect(entry).toBeNull();
+        const raw = await buffer["redis"].hgetall("mollifier:entries:run_f");
+        expect(Object.keys(raw)).toHaveLength(0);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "fail on missing entry is a no-op (returns false; no partial hash created)",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        const result = await buffer.fail("run_ghost", { code: "VALIDATION", message: "boom" });
+        expect(result).toBe(false);
+
+        // Critical: no partial entry hash was created.
+        const stored = await buffer.getEntry("run_ghost");
+        expect(stored).toBeNull();
+        const raw = await buffer["redis"].hgetall("mollifier:entries:run_ghost");
+        expect(Object.keys(raw)).toHaveLength(0);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "fail DELs the idempotency lookup so a same-key retry goes through to PG",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // Symmetric with the ack path: the failMollifierEntry Lua reads the
+      // idempotencyLookupKey off the hash and DELs it. Without this, a
+      // post-fail retry with the same idempotency key would hit the
+      // orphaned dedup record and resolve to a run that no longer exists.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({
+          runId: "run_fk",
+          envId: "env_a",
+          orgId: "org_1",
+          payload: "{}",
+          idempotencyKey: "kf",
+          taskIdentifier: "t",
+        });
+        const lookupKey = idempotencyLookupKeyFor({
+          envId: "env_a",
+          taskIdentifier: "t",
+          idempotencyKey: "kf",
+        });
+        // Lookup exists before fail.
+        expect(await buffer["redis"].get(lookupKey)).toBe("run_fk");
+
+        await buffer.pop("env_a");
+        const failed = await buffer.fail("run_fk", { code: "VALIDATION", message: "boom" });
+        expect(failed).toBe(true);
+
+        // Lookup is cleared, so the slot is reclaimable: a fresh accept
+        // with the same tuple succeeds rather than deduping.
+        expect(await buffer["redis"].get(lookupKey)).toBeNull();
+        const reaccept = await buffer.accept({
+          runId: "run_fk2",
+          envId: "env_a",
+          orgId: "org_1",
+          payload: "{}",
+          idempotencyKey: "kf",
+          taskIdentifier: "t",
+        });
+        expect(reaccept).toEqual({ kind: "accepted" });
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+describe("MollifierBuffer TTL", () => {
+  redisTest(
+    "entry has NO TTL applied on accept — drainer is the only cleanup path",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // Regression guard for the design change: buffer entries must
+      // persist until the drainer ACKs or FAILs them. An accept-time
+      // EXPIRE would re-introduce the silent-loss-when-drainer-offline
+      // failure mode that the stale-entry alerting pipeline depends on
+      // *not* happening.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "run_t", envId: "env_a", orgId: "org_1", payload: "{}" });
+
+        // Redis returns -1 when the key exists but has no TTL set.
+        const ttl = await buffer.getEntryTtlSeconds("run_t");
+        expect(ttl).toBe(-1);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+describe("MollifierBuffer payload encoding", () => {
+  redisTest(
+    "pop round-trips payloads with quotes, backslashes, control chars, unicode",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      const tricky = {
+        quotes: 'a"b\'c',
+        backslash: "x\\y\\z",
+        newlines: "line1\nline2\r\nline3",
+        tab: "col1\tcol2",
+        unicode: "héllo 🦀 世界",
+        lineSep: "before
after
end",
+        nested: { arr: ["a", "b", 1, true, null], n: 3.14 },
+      };
+      const payload = serialiseSnapshot(tricky);
+
+      try {
+        await buffer.accept({ runId: "tricky", envId: "env_a", orgId: "org_1", payload });
+
+        const popped = await buffer.pop("env_a");
+        expect(popped).not.toBeNull();
+        expect(popped!.payload).toBe(payload);
+
+        const decoded = JSON.parse(popped!.payload);
+        expect(decoded).toEqual(tricky);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+describe("MollifierBuffer.requeue on missing entry", () => {
+  redisTest(
+    "requeue on a non-existent runId is a no-op (Lua returns 0; no queue push)",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.requeue("run_does_not_exist");
+
+        // Critical: no queue keys were created from this no-op requeue.
+        const queueKeys = await buffer["redis"].keys("mollifier:queue:*");
+        expect(queueKeys).toHaveLength(0);
+        const envs = await buffer.listEnvsForOrg("org_1");
+        expect(envs).toHaveLength(0);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+describe("MollifierBuffer.requeue ordering", () => {
+  redisTest(
+    "requeued entry gets retry priority (RPUSH to the RPOP/tail end), popping ahead of newer items",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // LIST: accept LPUSHes at the head, pop RPOPs from the tail, so the
+      // first-accepted entry pops first. requeue RPUSHes back to the tail,
+      // giving a transiently failed entry *retry priority* — it pops next,
+      // ahead of newer queued items, rather than going to the back. (This
+      // is deliberately not FIFO relative to the rest of the queue.)
+      // `maxAttempts` in the drainer bounds the retry loop for a
+      // persistently failing entry (after which it goes to `fail`, not requeue).
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "a", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.accept({ runId: "b", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.accept({ runId: "c", envId: "env_a", orgId: "org_1", payload: "{}" });
+
+        const first = await buffer.pop("env_a");
+        expect(first!.runId).toBe("a");
+
+        await buffer.requeue("a");
+
+        // a was RPUSHed back to the tail → pops next, ahead of b and c.
+        const next = await buffer.pop("env_a");
+        expect(next!.runId).toBe("a");
+        const after = await buffer.pop("env_a");
+        expect(after!.runId).toBe("b");
+        const last = await buffer.pop("env_a");
+        expect(last!.runId).toBe("c");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+describe("MollifierBuffer.evaluateTrip", () => {
+  const tripOptions = {
+    windowMs: 200,
+    threshold: 5,
+    holdMs: 100,
+  };
+
+  redisTest("under threshold: not tripped, count increments", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      logger: new Logger("test", "log"),
+    });
+
+    try {
+      const r1 = await buffer.evaluateTrip("env_a", tripOptions);
+      expect(r1).toEqual({ tripped: false, count: 1 });
+
+      const r2 = await buffer.evaluateTrip("env_a", tripOptions);
+      expect(r2).toEqual({ tripped: false, count: 2 });
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest("crossing threshold sets the tripped marker", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      logger: new Logger("test", "log"),
+    });
+
+    try {
+      for (let i = 0; i < 5; i++) {
+        const r = await buffer.evaluateTrip("env_a", tripOptions);
+        expect(r.tripped).toBe(false);
+      }
+
+      const after = await buffer.evaluateTrip("env_a", tripOptions);
+      expect(after).toEqual({ tripped: true, count: 6 });
+
+      const sticky = await buffer.evaluateTrip("env_a", tripOptions);
+      expect(sticky.tripped).toBe(true);
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest("hold-down marker expires after holdMs and env resets", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      logger: new Logger("test", "log"),
+    });
+
+    try {
+      const fastWindow = { windowMs: 100, threshold: 2, holdMs: 100 };
+      await buffer.evaluateTrip("env_a", fastWindow);
+      await buffer.evaluateTrip("env_a", fastWindow);
+      const tripped = await buffer.evaluateTrip("env_a", fastWindow);
+      expect(tripped.tripped).toBe(true);
+
+      // Wait past windowMs AND holdMs so both rate counter and tripped marker expire
+      await new Promise((r) => setTimeout(r, 220));
+
+      const recovered = await buffer.evaluateTrip("env_a", fastWindow);
+      expect(recovered).toEqual({ tripped: false, count: 1 });
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest("env isolation: tripping env_a does not affect env_b", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      logger: new Logger("test", "log"),
+    });
+
+    try {
+      for (let i = 0; i < 6; i++) {
+        await buffer.evaluateTrip("env_a", tripOptions);
+      }
+      const aTripped = await buffer.evaluateTrip("env_a", tripOptions);
+      expect(aTripped.tripped).toBe(true);
+
+      const b = await buffer.evaluateTrip("env_b", tripOptions);
+      expect(b).toEqual({ tripped: false, count: 1 });
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest("window expires and counter resets when no traffic", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      logger: new Logger("test", "log"),
+    });
+
+    try {
+      const fastWindow = { windowMs: 100, threshold: 100, holdMs: 100 };
+      await buffer.evaluateTrip("env_x", fastWindow);
+      await buffer.evaluateTrip("env_x", fastWindow);
+      // both incremented within a fresh window — count should be 2
+
+      await new Promise((r) => setTimeout(r, 150));
+      const fresh = await buffer.evaluateTrip("env_x", fastWindow);
+      expect(fresh.count).toBe(1);
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest(
+    "tripped marker outlives the rate counter window",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        const opts = { windowMs: 50, threshold: 2, holdMs: 1000 };
+        await buffer.evaluateTrip("env_a", opts);
+        await buffer.evaluateTrip("env_a", opts);
+        const tripped = await buffer.evaluateTrip("env_a", opts);
+        expect(tripped.tripped).toBe(true);
+
+        // Wait past windowMs (rate counter expires) but well inside holdMs (marker persists).
+        await new Promise((r) => setTimeout(r, 120));
+
+        const after = await buffer.evaluateTrip("env_a", opts);
+        expect(after.tripped).toBe(true);
+        expect(after.count).toBeLessThanOrEqual(2);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "INCR is atomic under 100 concurrent calls (no lost increments)",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        // Wide window so all 100 calls land in the same window. High threshold
+        // so trip semantics don't interfere with the count assertion.
+        const opts = { windowMs: 5000, threshold: 1_000_000, holdMs: 100 };
+        const results = await Promise.all(
+          Array.from({ length: 100 }, () => buffer.evaluateTrip("env_atomic", opts)),
+        );
+
+        // Every return value is unique (no two callers saw the same INCR result).
+        const counts = results.map((r) => r.count).sort((a, b) => a - b);
+        expect(counts).toEqual(Array.from({ length: 100 }, (_, i) => i + 1));
+
+        // No call tripped (we set threshold absurdly high).
+        expect(results.every((r) => !r.tripped)).toBe(true);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+describe("MollifierBuffer entry lifecycle invariants", () => {
+  redisTest(
+    "entry TTL is preserved across pop (DRAINING entries don't lose their TTL)",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "run_ttl", envId: "env_a", orgId: "org_1", payload: "{}" });
+        const beforeTtl = await buffer.getEntryTtlSeconds("run_ttl");
+        expect(beforeTtl).toBe(-1);
+
+        await buffer.pop("env_a");
+        const afterTtl = await buffer.getEntryTtlSeconds("run_ttl");
+
+        // No TTL applied at any point during accept/pop — the entry
+        // persists until the drainer ACKs or FAILs. Returning -1 from
+        // Redis here is the expected steady state, not a leak.
+        expect(afterTtl).toBe(-1);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "envs set membership tracks queue+DRAINING presence across the full lifecycle",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        // Empty start
+        expect(await buffer.listEnvsForOrg("org_1")).not.toContain("env_lc");
+
+        // accept → SADD
+        await buffer.accept({ runId: "r1", envId: "env_lc", orgId: "org_1", payload: "{}" });
+        expect(await buffer.listEnvsForOrg("org_1")).toContain("env_lc");
+
+        // second accept (different runId) → still SADD (idempotent)
+        await buffer.accept({ runId: "r2", envId: "env_lc", orgId: "org_1", payload: "{}" });
+        expect(await buffer.listEnvsForOrg("org_1")).toContain("env_lc");
+
+        // pop r1 → queue still has r2 → env stays
+        await buffer.pop("env_lc");
+        expect(await buffer.listEnvsForOrg("org_1")).toContain("env_lc");
+
+        // ack r1 → no queue change, env still tracked (r2 still queued)
+        await buffer.ack("r1");
+        expect(await buffer.listEnvsForOrg("org_1")).toContain("env_lc");
+
+        // pop r2 → queue empties → SREM
+        await buffer.pop("env_lc");
+        expect(await buffer.listEnvsForOrg("org_1")).not.toContain("env_lc");
+
+        // requeue r2 → SADD back
+        await buffer.requeue("r2");
+        expect(await buffer.listEnvsForOrg("org_1")).toContain("env_lc");
+
+        // fail r2 → entry FAILED but queue empty → next pop should SREM
+        await buffer.pop("env_lc");
+        await buffer.fail("r2", { code: "X", message: "boom" });
+        const afterFailEnvs = await buffer.listEnvsForOrg("org_1");
+        // Queue is empty, env was SREM'd by the pop above.
+        expect(afterFailEnvs).not.toContain("env_lc");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+describe("MollifierBuffer.accept idempotency", () => {
+  redisTest(
+    "duplicate runId is refused; queue not double-LPUSHed; existing entry not overwritten",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        const first = await buffer.accept({
+          runId: "run_dup",
+          envId: "env_a",
+          orgId: "org_1",
+          payload: serialiseSnapshot({ first: true }),
+        });
+        const second = await buffer.accept({
+          runId: "run_dup",
+          envId: "env_a",
+          orgId: "org_1",
+          payload: serialiseSnapshot({ first: false }),
+        });
+
+        expect(first).toEqual({ kind: "accepted" });
+        expect(second).toEqual({ kind: "duplicate_run_id" });
+
+        // First payload preserved; second was a no-op.
+        const stored = await buffer.getEntry("run_dup");
+        expect(stored).not.toBeNull();
+        const decoded = JSON.parse(stored!.payload);
+        expect(decoded).toEqual({ first: true });
+
+        // Exactly one queue entry, not two.
+        const popped1 = await buffer.pop("env_a");
+        expect(popped1).not.toBeNull();
+        expect(popped1!.runId).toBe("run_dup");
+        const popped2 = await buffer.pop("env_a");
+        expect(popped2).toBeNull();
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "accept refused while existing entry is DRAINING",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "run_dr", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.pop("env_a"); // now DRAINING
+        const stored = await buffer.getEntry("run_dr");
+        expect(stored!.status).toBe("DRAINING");
+
+        const dup = await buffer.accept({ runId: "run_dr", envId: "env_a", orgId: "org_1", payload: "{}" });
+        expect(dup).toEqual({ kind: "duplicate_run_id" });
+
+        const afterDup = await buffer.getEntry("run_dr");
+        expect(afterDup!.status).toBe("DRAINING"); // unchanged
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "runId slot is reclaimable after fail tears the entry down",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // Post-TTL-drop design: fail() deletes the entry hash because
+      // the SYSTEM_FAILURE PG row is the canonical record of the
+      // failure. The runId slot is therefore free for a fresh accept
+      // afterwards — runIds are server-generated CUIDs and don't
+      // collide in practice, but the contract pinning here documents
+      // that a re-acceptance does NOT see a phantom "FAILED" entry.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "run_fl", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.pop("env_a");
+        await buffer.fail("run_fl", { code: "VALIDATION", message: "boom" });
+
+        // Entry hash gone after fail (see "fail returns true and tears
+        // the entry down" — this test pins the accept-side effect).
+        expect(await buffer.getEntry("run_fl")).toBeNull();
+
+        const fresh = await buffer.accept({
+          runId: "run_fl",
+          envId: "env_a",
+          orgId: "org_1",
+          payload: '{"fresh":true}',
+        });
+        expect(fresh).toEqual({ kind: "accepted" });
+        const after = await buffer.getEntry("run_fl");
+        expect(after?.status).toBe("QUEUED");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "accept refused while a previously-acked (materialised) entry is still inside its grace TTL",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // After ack, the entry hash persists for the grace window as a
+      // read-fallback safety net. RunIds are server-generated and
+      // never collide in practice, but defense-in-depth: accept refuses
+      // while *any* entry exists for the runId, including materialised
+      // ones. The entry hash's TTL is now ~30s instead of the original
+      // entryTtlSeconds.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        const first = await buffer.accept({
+          runId: "run_x",
+          envId: "env_a",
+          orgId: "org_1",
+          payload: "{}",
+        });
+        await buffer.pop("env_a");
+        await buffer.ack("run_x");
+
+        const reAccept = await buffer.accept({
+          runId: "run_x",
+          envId: "env_a",
+          orgId: "org_1",
+          payload: "{}",
+        });
+
+        expect(first).toEqual({ kind: "accepted" });
+        expect(reAccept).toEqual({ kind: "duplicate_run_id" });
+
+        const stored = await buffer.getEntry("run_x");
+        expect(stored!.materialised).toBe(true);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+describe("MollifierBuffer envs set lifecycle", () => {
+  redisTest(
+    "pop SREMs envId when it drains the queue",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "r1", envId: "env_a", orgId: "org_1", payload: "{}" });
+        expect(await buffer.listEnvsForOrg("org_1")).toContain("env_a");
+
+        await buffer.pop("env_a");
+        expect(await buffer.listEnvsForOrg("org_1")).not.toContain("env_a");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "pop keeps envId in set while items remain; SREMs only on the draining pop",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "r1", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.accept({ runId: "r2", envId: "env_a", orgId: "org_1", payload: "{}" });
+        expect(await buffer.listEnvsForOrg("org_1")).toContain("env_a");
+
+        await buffer.pop("env_a");
+        expect(await buffer.listEnvsForOrg("org_1")).toContain("env_a");
+
+        await buffer.pop("env_a");
+        expect(await buffer.listEnvsForOrg("org_1")).not.toContain("env_a");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "requeue re-SADDs the envId if pop had previously cleaned it",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "r1", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.pop("env_a");
+        // Queue drained → env_a SREM'd.
+        expect(await buffer.listEnvsForOrg("org_1")).not.toContain("env_a");
+
+        await buffer.requeue("r1");
+        // requeue must put env_a back so the drainer notices the retry.
+        expect(await buffer.listEnvsForOrg("org_1")).toContain("env_a");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+describe("MollifierBuffer idempotency lookup", () => {
+  redisTest(
+    "accept with idempotencyKey + taskIdentifier writes the lookup with no TTL",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // Post-TTL-drop design: the idempotency lookup has no TTL, so it
+      // can never expire ahead of the entry hash (which used to cause
+      // a dedup-drift bug — once the lookup expired but the entry
+      // didn't, a retry with the same key would create a *new*
+      // buffered run for the same key). The drainer's ack and fail
+      // both DEL the lookup as part of teardown.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        const result = await buffer.accept({
+          runId: "ri1",
+          envId: "env_i",
+          orgId: "org_1",
+          payload: "{}",
+          idempotencyKey: "ikey-1",
+          taskIdentifier: "my-task",
+        });
+        expect(result).toEqual({ kind: "accepted" });
+
+        const lookupKey = idempotencyLookupKeyFor({
+          envId: "env_i",
+          taskIdentifier: "my-task",
+          idempotencyKey: "ikey-1",
+        });
+        const stored = await buffer["redis"].get(lookupKey);
+        expect(stored).toBe("ri1");
+        // -1 = key exists with no TTL set.
+        expect(await buffer["redis"].ttl(lookupKey)).toBe(-1);
+
+        const entry = await buffer.getEntry("ri1");
+        expect(entry!.idempotencyLookupKey).toBe(lookupKey);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "second accept with same (env, task, idempotencyKey) returns duplicate_idempotency with the winner's runId",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        const first = await buffer.accept({
+          runId: "ri-a",
+          envId: "env_i",
+          orgId: "org_1",
+          payload: "{}",
+          idempotencyKey: "ikey-2",
+          taskIdentifier: "my-task",
+        });
+        const second = await buffer.accept({
+          runId: "ri-b",
+          envId: "env_i",
+          orgId: "org_1",
+          payload: "{}",
+          idempotencyKey: "ikey-2",
+          taskIdentifier: "my-task",
+        });
+
+        expect(first).toEqual({ kind: "accepted" });
+        expect(second).toEqual({
+          kind: "duplicate_idempotency",
+          existingRunId: "ri-a",
+        });
+
+        // The loser's runId entry was never created.
+        const loserEntry = await buffer.getEntry("ri-b");
+        expect(loserEntry).toBeNull();
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "lookupIdempotency hits when the run is buffered",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "rl1",
+          envId: "env_i",
+          orgId: "org_1",
+          payload: "{}",
+          idempotencyKey: "k1",
+          taskIdentifier: "t",
+        });
+        const found = await buffer.lookupIdempotency({
+          envId: "env_i",
+          taskIdentifier: "t",
+          idempotencyKey: "k1",
+        });
+        expect(found).toBe("rl1");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "lookupIdempotency returns null when no lookup is bound",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        const found = await buffer.lookupIdempotency({
+          envId: "env_i",
+          taskIdentifier: "t",
+          idempotencyKey: "absent",
+        });
+        expect(found).toBeNull();
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "lookupIdempotency self-heals when the lookup points at an expired entry",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        // Plant a stale lookup pointing at a non-existent entry.
+        const lookupKey = idempotencyLookupKeyFor({
+          envId: "env_i",
+          taskIdentifier: "t",
+          idempotencyKey: "stale",
+        });
+        await buffer["redis"].set(lookupKey, "rl-stale", "EX", 600);
+        expect(await buffer["redis"].get(lookupKey)).toBe("rl-stale");
+
+        const found = await buffer.lookupIdempotency({
+          envId: "env_i",
+          taskIdentifier: "t",
+          idempotencyKey: "stale",
+        });
+        expect(found).toBeNull();
+        // Self-healed.
+        expect(await buffer["redis"].get(lookupKey)).toBeNull();
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "ack DELs the idempotency lookup along with marking materialised",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "ra1",
+          envId: "env_i",
+          orgId: "org_1",
+          payload: "{}",
+          idempotencyKey: "ka",
+          taskIdentifier: "t",
+        });
+        await buffer.pop("env_i");
+        await buffer.ack("ra1");
+
+        const lookupKey = idempotencyLookupKeyFor({
+          envId: "env_i",
+          taskIdentifier: "t",
+          idempotencyKey: "ka",
+        });
+        expect(await buffer["redis"].get(lookupKey)).toBeNull();
+        const entry = await buffer.getEntry("ra1");
+        expect(entry!.materialised).toBe(true);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "resetIdempotency clears snapshot fields + lookup; returns the runId",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "rr1",
+          envId: "env_i",
+          orgId: "org_1",
+          payload: serialiseSnapshot({
+            idempotencyKey: "kr",
+            idempotencyKeyExpiresAt: "2026-12-01T00:00:00Z",
+            other: "field",
+          }),
+          idempotencyKey: "kr",
+          taskIdentifier: "t",
+        });
+
+        const result = await buffer.resetIdempotency({
+          envId: "env_i",
+          taskIdentifier: "t",
+          idempotencyKey: "kr",
+        });
+        expect(result.clearedRunId).toBe("rr1");
+
+        // Lookup is gone.
+        const lookupKey = idempotencyLookupKeyFor({
+          envId: "env_i",
+          taskIdentifier: "t",
+          idempotencyKey: "kr",
+        });
+        expect(await buffer["redis"].get(lookupKey)).toBeNull();
+
+        // Snapshot's idempotency fields are nulled, other fields kept.
+        const entry = await buffer.getEntry("rr1");
+        const payload = JSON.parse(entry!.payload) as {
+          idempotencyKey: unknown;
+          idempotencyKeyExpiresAt: unknown;
+          other: string;
+        };
+        expect(payload.idempotencyKey).toBeNull();
+        expect(payload.idempotencyKeyExpiresAt).toBeNull();
+        expect(payload.other).toBe("field");
+        expect(entry!.idempotencyLookupKey).toBe("");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "resetIdempotency returns null when nothing is bound",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        const result = await buffer.resetIdempotency({
+          envId: "env_i",
+          taskIdentifier: "t",
+          idempotencyKey: "absent",
+        });
+        expect(result.clearedRunId).toBeNull();
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "resetIdempotency also clears the pre-gate claim slot",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // The lookup and the cross-store claim are two pointers for the same
+      // key. Reset must reopen both — otherwise a resolved/pending claim
+      // keeps deduping new triggers for the rest of its TTL even though
+      // the binding was reset.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      const tuple = { envId: "env_rc", taskIdentifier: "t", idempotencyKey: "krc" };
+      try {
+        // A resolved claim is in place...
+        await buffer.claimIdempotency({ ...tuple, token: "owner", ttlSeconds: 600 });
+        await buffer.publishClaim({ ...tuple, token: "owner", runId: "rc1", ttlSeconds: 600 });
+        expect(await buffer.readClaim(tuple)).toEqual({ kind: "resolved", runId: "rc1" });
+        // ...alongside a buffered run holding the lookup.
+        await buffer.accept({
+          runId: "rc1",
+          envId: "env_rc",
+          orgId: "org_1",
+          payload: serialiseSnapshot({}),
+          idempotencyKey: "krc",
+          taskIdentifier: "t",
+        });
+
+        await buffer.resetIdempotency(tuple);
+
+        // Both the lookup and the claim are gone.
+        expect(await buffer.lookupIdempotency(tuple)).toBeNull();
+        expect(await buffer.readClaim(tuple)).toBeNull();
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "accept self-heals a stale lookup: a new run rebinds when the bound entry was evicted",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // If an entry hash is evicted (maxmemory) but its idempotency lookup
+      // survives, a fresh accept with the same key must NOT return the dead
+      // runId (which would block the key forever) — it should rebind to the
+      // new run and accept it.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      const idem = { idempotencyKey: "kheal", taskIdentifier: "t" };
+      try {
+        await buffer.accept({ runId: "heal_old", envId: "env_h", orgId: "org_1", payload: "{}", ...idem });
+        // Simulate eviction of the entry hash while the lookup survives.
+        await buffer["redis"].del("mollifier:entries:heal_old");
+        const lookupKey = idempotencyLookupKeyFor({ envId: "env_h", ...idem });
+        expect(await buffer["redis"].get(lookupKey)).toBe("heal_old");
+
+        // A fresh accept with the same key rebinds rather than deduping
+        // onto the dead run.
+        const result = await buffer.accept({
+          runId: "heal_new",
+          envId: "env_h",
+          orgId: "org_1",
+          payload: "{}",
+          ...idem,
+        });
+        expect(result).toEqual({ kind: "accepted" });
+        expect(await buffer["redis"].get(lookupKey)).toBe("heal_new");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "accept still dedups when the bound entry is live",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // The self-heal must not weaken normal dedup: a live bound entry
+      // still wins, and the loser gets its runId back.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      const idem = { idempotencyKey: "klive", taskIdentifier: "t" };
+      try {
+        await buffer.accept({ runId: "live_win", envId: "env_h", orgId: "org_1", payload: "{}", ...idem });
+        const result = await buffer.accept({
+          runId: "live_lose",
+          envId: "env_h",
+          orgId: "org_1",
+          payload: "{}",
+          ...idem,
+        });
+        expect(result).toEqual({ kind: "duplicate_idempotency", existingRunId: "live_win" });
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+describe("MollifierBuffer.casSetMetadata", () => {
+  redisTest(
+    "applies when expectedVersion matches; increments version; updates payload",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "cas1",
+          envId: "env_c",
+          orgId: "org_1",
+          payload: serialiseSnapshot({ metadata: '{"v":1}', metadataType: "application/json" }),
+        });
+        const result = await buffer.casSetMetadata({
+          runId: "cas1",
+          expectedVersion: 0,
+          newMetadata: '{"v":2}',
+          newMetadataType: "application/json",
+        });
+        expect(result).toEqual({ kind: "applied", newVersion: 1 });
+
+        const entry = await buffer.getEntry("cas1");
+        expect(entry!.metadataVersion).toBe(1);
+        const payload = JSON.parse(entry!.payload) as { metadata: string };
+        expect(payload.metadata).toBe('{"v":2}');
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "returns version_conflict when expectedVersion is stale",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "cas2",
+          envId: "env_c",
+          orgId: "org_1",
+          payload: serialiseSnapshot({}),
+        });
+        await buffer.casSetMetadata({
+          runId: "cas2",
+          expectedVersion: 0,
+          newMetadata: '{"a":1}',
+          newMetadataType: "application/json",
+        });
+
+        // Second write with stale expectedVersion = 0 must conflict.
+        const result = await buffer.casSetMetadata({
+          runId: "cas2",
+          expectedVersion: 0,
+          newMetadata: '{"a":2}',
+          newMetadataType: "application/json",
+        });
+        expect(result).toEqual({ kind: "version_conflict", currentVersion: 1 });
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "returns not_found / busy on missing or terminal entries",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        const nf = await buffer.casSetMetadata({
+          runId: "absent",
+          expectedVersion: 0,
+          newMetadata: "{}",
+          newMetadataType: "application/json",
+        });
+        expect(nf).toEqual({ kind: "not_found" });
+
+        await buffer.accept({
+          runId: "cas3",
+          envId: "env_c",
+          orgId: "org_1",
+          payload: serialiseSnapshot({}),
+        });
+        await buffer.pop("env_c");
+        const busy = await buffer.casSetMetadata({
+          runId: "cas3",
+          expectedVersion: 0,
+          newMetadata: "{}",
+          newMetadataType: "application/json",
+        });
+        expect(busy).toEqual({ kind: "busy" });
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "returns busy on a materialised entry (post-ack grace window)",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // The guard rejects `materialised == 'true'` as well as non-QUEUED
+      // status. After ack the entry lingers QUEUED-but-materialised for
+      // the grace TTL; a CAS in that window must not mutate it.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "cas_mat",
+          envId: "env_c",
+          orgId: "org_1",
+          payload: serialiseSnapshot({}),
+        });
+        await buffer.pop("env_c");
+        await buffer.ack("cas_mat");
+
+        const result = await buffer.casSetMetadata({
+          runId: "cas_mat",
+          expectedVersion: 0,
+          newMetadata: "{}",
+          newMetadataType: "application/json",
+        });
+        expect(result).toEqual({ kind: "busy" });
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "a mutateSnapshot set_metadata bumps metadataVersion so an in-flight CAS conflicts",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // CAS isolation: a reader fetches version N, then a concurrent
+      // mutateSnapshot(set_metadata) overwrites the metadata. The reader's
+      // CAS at expectedVersion=N must NOT silently win — both paths write
+      // payload.metadata, so set_metadata bumps the same counter the CAS
+      // is gated on.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "cas_int",
+          envId: "env_c",
+          orgId: "org_1",
+          payload: serialiseSnapshot({ metadata: '{"v":0}', metadataType: "application/json" }),
+        });
+        // Reader observes version 0.
+        const before = await buffer.getEntry("cas_int");
+        expect(before!.metadataVersion).toBe(0);
+
+        // Concurrent snapshot mutation writes metadata + bumps version.
+        const mutated = await buffer.mutateSnapshot("cas_int", {
+          type: "set_metadata",
+          metadata: '{"v":1}',
+          metadataType: "application/json",
+        });
+        expect(mutated).toBe("applied_to_snapshot");
+        const mid = await buffer.getEntry("cas_int");
+        expect(mid!.metadataVersion).toBe(1);
+
+        // The reader's stale CAS conflicts instead of clobbering.
+        const result = await buffer.casSetMetadata({
+          runId: "cas_int",
+          expectedVersion: 0,
+          newMetadata: '{"v":2}',
+          newMetadataType: "application/json",
+        });
+        expect(result).toEqual({ kind: "version_conflict", currentVersion: 1 });
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+describe("MollifierBuffer.mutateSnapshot", () => {
+  redisTest(
+    "returns not_found when no entry exists for the runId",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        const result = await buffer.mutateSnapshot("nope", {
+          type: "append_tags",
+          tags: ["x"],
+        });
+        expect(result).toBe("not_found");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "append_tags on QUEUED entry appends and dedupes",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "r1",
+          envId: "env_m",
+          orgId: "org_1",
+          payload: serialiseSnapshot({ tags: ["existing"] }),
+        });
+        const first = await buffer.mutateSnapshot("r1", {
+          type: "append_tags",
+          tags: ["existing", "new"],
+        });
+        expect(first).toBe("applied_to_snapshot");
+
+        const entry = await buffer.getEntry("r1");
+        const payload = JSON.parse(entry!.payload) as { tags: string[] };
+        expect(payload.tags).toEqual(["existing", "new"]);
+
+        // Second mutation appends without duplicating
+        const second = await buffer.mutateSnapshot("r1", {
+          type: "append_tags",
+          tags: ["new", "third"],
+        });
+        expect(second).toBe("applied_to_snapshot");
+        const e2 = await buffer.getEntry("r1");
+        const p2 = JSON.parse(e2!.payload) as { tags: string[] };
+        expect(p2.tags).toEqual(["existing", "new", "third"]);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "append_tags creates payload.tags when absent",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "r2",
+          envId: "env_m",
+          orgId: "org_1",
+          payload: serialiseSnapshot({ taskId: "t" }),
+        });
+        const result = await buffer.mutateSnapshot("r2", {
+          type: "append_tags",
+          tags: ["a", "b"],
+        });
+        expect(result).toBe("applied_to_snapshot");
+        const entry = await buffer.getEntry("r2");
+        const payload = JSON.parse(entry!.payload) as { tags: string[] };
+        expect(payload.tags).toEqual(["a", "b"]);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "append_tags rejects with limit_exceeded when maxTags would be exceeded, writing nothing",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "r_cap",
+          envId: "env_m",
+          orgId: "org_1",
+          payload: serialiseSnapshot({ tags: ["a", "b"] }),
+        });
+
+        // 2 existing + 2 new = 4 deduped > cap of 3 → rejected, nothing written.
+        const rejected = await buffer.mutateSnapshot("r_cap", {
+          type: "append_tags",
+          tags: ["c", "d"],
+          maxTags: 3,
+        });
+        expect(rejected).toBe("limit_exceeded");
+        const afterReject = await buffer.getEntry("r_cap");
+        const rejPayload = JSON.parse(afterReject!.payload) as { tags: string[] };
+        expect(rejPayload.tags).toEqual(["a", "b"]);
+
+        // Dedup keeps the count under the cap → applied.
+        const applied = await buffer.mutateSnapshot("r_cap", {
+          type: "append_tags",
+          tags: ["a", "c"],
+          maxTags: 3,
+        });
+        expect(applied).toBe("applied_to_snapshot");
+        const afterApply = await buffer.getEntry("r_cap");
+        const appPayload = JSON.parse(afterApply!.payload) as { tags: string[] };
+        expect(appPayload.tags).toEqual(["a", "b", "c"]);
+
+        // Landing exactly on the cap is allowed.
+        const exact = await buffer.mutateSnapshot("r_cap", {
+          type: "append_tags",
+          tags: ["a", "b", "c"],
+          maxTags: 3,
+        });
+        expect(exact).toBe("applied_to_snapshot");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "set_metadata replaces metadata + metadataType (last-write-wins)",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "r3",
+          envId: "env_m",
+          orgId: "org_1",
+          payload: serialiseSnapshot({ metadata: '{"v":1}', metadataType: "application/json" }),
+        });
+        const result = await buffer.mutateSnapshot("r3", {
+          type: "set_metadata",
+          metadata: '{"v":2}',
+          metadataType: "application/json",
+        });
+        expect(result).toBe("applied_to_snapshot");
+        const entry = await buffer.getEntry("r3");
+        const payload = JSON.parse(entry!.payload) as {
+          metadata: string;
+          metadataType: string;
+        };
+        expect(payload.metadata).toBe('{"v":2}');
+        expect(payload.metadataType).toBe("application/json");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "set_delay sets payload.delayUntil",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "r4",
+          envId: "env_m",
+          orgId: "org_1",
+          payload: serialiseSnapshot({ taskId: "t" }),
+        });
+        const result = await buffer.mutateSnapshot("r4", {
+          type: "set_delay",
+          delayUntil: "2026-06-01T00:00:00.000Z",
+        });
+        expect(result).toBe("applied_to_snapshot");
+        const entry = await buffer.getEntry("r4");
+        const payload = JSON.parse(entry!.payload) as { delayUntil: string };
+        expect(payload.delayUntil).toBe("2026-06-01T00:00:00.000Z");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "mark_cancelled stamps cancelledAt + cancelReason",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "r5",
+          envId: "env_m",
+          orgId: "org_1",
+          payload: serialiseSnapshot({ taskId: "t" }),
+        });
+        const result = await buffer.mutateSnapshot("r5", {
+          type: "mark_cancelled",
+          cancelledAt: "2026-05-19T12:00:00.000Z",
+          cancelReason: "user-initiated",
+        });
+        expect(result).toBe("applied_to_snapshot");
+        const entry = await buffer.getEntry("r5");
+        const payload = JSON.parse(entry!.payload) as {
+          cancelledAt: string;
+          cancelReason: string;
+        };
+        expect(payload.cancelledAt).toBe("2026-05-19T12:00:00.000Z");
+        expect(payload.cancelReason).toBe("user-initiated");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "returns busy when entry is DRAINING",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "rd",
+          envId: "env_m",
+          orgId: "org_1",
+          payload: serialiseSnapshot({ tags: [] }),
+        });
+        await buffer.pop("env_m");
+        const result = await buffer.mutateSnapshot("rd", {
+          type: "append_tags",
+          tags: ["x"],
+        });
+        expect(result).toBe("busy");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "returns not_found when entry was FAILED (drainer-terminal teardown)",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // Post-TTL-drop design: fail() DELs the entry hash because the
+      // drainer has already written the canonical SYSTEM_FAILURE PG
+      // row, and without an accept-time TTL we'd otherwise accrete
+      // failed entries in Redis forever. Late mutations against a
+      // failed run therefore see `not_found`, matching the same shape
+      // they'd get for any other already-cleaned-up runId.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "rf",
+          envId: "env_m",
+          orgId: "org_1",
+          payload: serialiseSnapshot({ tags: [] }),
+        });
+        await buffer.pop("env_m");
+        await buffer.fail("rf", { code: "X", message: "boom" });
+        const result = await buffer.mutateSnapshot("rf", {
+          type: "append_tags",
+          tags: ["x"],
+        });
+        expect(result).toBe("not_found");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "returns busy when entry is materialised (post-ack grace window)",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "rm",
+          envId: "env_m",
+          orgId: "org_1",
+          payload: serialiseSnapshot({ tags: [] }),
+        });
+        await buffer.pop("env_m");
+        await buffer.ack("rm");
+        const result = await buffer.mutateSnapshot("rm", {
+          type: "append_tags",
+          tags: ["x"],
+        });
+        expect(result).toBe("busy");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "Lua atomicity serialises concurrent mutations per-runId",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.accept({
+          runId: "rcc",
+          envId: "env_m",
+          orgId: "org_1",
+          payload: serialiseSnapshot({ tags: [] }),
+        });
+
+        const tagsToAdd = Array.from({ length: 50 }, (_, i) => `t${i}`);
+        await Promise.all(
+          tagsToAdd.map((t) => buffer.mutateSnapshot("rcc", { type: "append_tags", tags: [t] })),
+        );
+
+        const entry = await buffer.getEntry("rcc");
+        const payload = JSON.parse(entry!.payload) as { tags: string[] };
+        expect(payload.tags.sort()).toEqual(tagsToAdd.sort());
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+describe("MollifierBuffer LIST storage", () => {
+  redisTest(
+    "queue key is a LIST; createdAtMicros is a hash field, not a sort key",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "z1", envId: "env_z", orgId: "org_1", payload: "{}" });
+
+        // LIST-only commands must succeed against the queue key.
+        const len = await buffer["redis"].llen("mollifier:queue:env_z");
+        expect(len).toBe(1);
+        const members = await buffer["redis"].lrange("mollifier:queue:env_z", 0, -1);
+        expect(members).toEqual(["z1"]);
+
+        // The queue holds no score — it's not a ZSET.
+        await expect(buffer["redis"].zscore("mollifier:queue:env_z", "z1")).rejects.toThrow();
+
+        // createdAtMicros lives on the entry hash (for dwell metrics) and
+        // is plausibly recent (within the last minute, as microseconds).
+        const micros = Number(await buffer["redis"].hget("mollifier:entries:z1", "createdAtMicros"));
+        const nowMicros = Date.now() * 1000;
+        expect(micros).toBeGreaterThan(nowMicros - 60_000_000);
+        expect(micros).toBeLessThanOrEqual(nowMicros + 1_000_000);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "pop returns entries in FIFO insertion order (independent of member lex order)",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        // Accept in reverse-lex order to prove ordering is by insertion
+        // (LPUSH head / RPOP tail), not by member value.
+        await buffer.accept({ runId: "zzz", envId: "env_o", orgId: "org_1", payload: "{}" });
+        await buffer.accept({ runId: "mmm", envId: "env_o", orgId: "org_1", payload: "{}" });
+        await buffer.accept({ runId: "aaa", envId: "env_o", orgId: "org_1", payload: "{}" });
+
+        const first = await buffer.pop("env_o");
+        expect(first!.runId).toBe("zzz");
+        const second = await buffer.pop("env_o");
+        expect(second!.runId).toBe("mmm");
+        const third = await buffer.pop("env_o");
+        expect(third!.runId).toBe("aaa");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "requeue re-enqueues to the LIST; createdAt is immutable across retries",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "rq", envId: "env_rq", orgId: "org_1", payload: "{}" });
+        const originalMicros = await buffer["redis"].hget("mollifier:entries:rq", "createdAtMicros");
+
+        await buffer.pop("env_rq");
+        // Queue is empty after the pop.
+        expect(await buffer["redis"].llen("mollifier:queue:env_rq")).toBe(0);
+
+        await buffer.requeue("rq");
+
+        // Back on the LIST, and createdAtMicros is unchanged.
+        expect(await buffer["redis"].lrange("mollifier:queue:env_rq", 0, -1)).toEqual(["rq"]);
+        const newMicros = await buffer["redis"].hget("mollifier:entries:rq", "createdAtMicros");
+        expect(newMicros).toBe(originalMicros);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+describe("MollifierBuffer.listEntriesForEnv", () => {
+  redisTest(
+    "returns up to maxCount entries from the queue without consuming them",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "r1", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.accept({ runId: "r2", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.accept({ runId: "r3", envId: "env_a", orgId: "org_1", payload: "{}" });
+
+        const entries = await buffer.listEntriesForEnv("env_a", 2);
+        expect(entries).toHaveLength(2);
+        const runIds = entries.map((e) => e.runId);
+        expect(new Set(runIds).size).toBe(2);
+        for (const id of runIds) expect(["r1", "r2", "r3"]).toContain(id);
+
+        // Non-destructive: the drainer can still pop all three.
+        const popped: string[] = [];
+        for (let i = 0; i < 3; i++) {
+          const entry = await buffer.pop("env_a");
+          if (entry) popped.push(entry.runId);
+        }
+        expect(new Set(popped)).toEqual(new Set(["r1", "r2", "r3"]));
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest("returns empty array when env queue is empty", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      logger: new Logger("test", "log"),
+    });
+
+    try {
+      expect(await buffer.listEntriesForEnv("env_empty", 10)).toEqual([]);
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest(
+    "skips entries whose hash was torn down between LRANGE and HGETALL (concurrent drainer ack/fail race)",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // The drainer can RPOP + ack/fail an entry between our LRANGE and
+      // the per-runId HGETALL — its DEL of the entry hash races our read.
+      // listEntriesForEnv must tolerate this: skip the runId, return
+      // every other entry. This is exercised here by simulating the race:
+      // LPUSH a runId onto the queue without an accompanying entry hash.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "r_a", envId: "env_race", orgId: "org_1", payload: "{}" });
+        await buffer.accept({ runId: "r_b", envId: "env_race", orgId: "org_1", payload: "{}" });
+
+        // Tear down r_a's hash to simulate the drainer winning the race.
+        // The runId stays on the queue LIST but its entry hash is gone —
+        // listEntriesForEnv must tolerate the missing HGETALL result.
+        await buffer["redis"].del("mollifier:entries:r_a");
+
+        const entries = await buffer.listEntriesForEnv("env_race", 10);
+        expect(entries.map((e) => e.runId).sort()).toEqual(["r_b"]);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest("maxCount <= 0 returns empty without hitting redis", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      logger: new Logger("test", "log"),
+    });
+
+    try {
+      expect(await buffer.listEntriesForEnv("env_a", 0)).toEqual([]);
+      expect(await buffer.listEntriesForEnv("env_a", -5)).toEqual([]);
+    } finally {
+      await buffer.close();
+    }
+  });
+});
+
+// Composite-key safety. The Redis-key builders concatenate
+// `(envId, taskIdentifier, idempotencyKey)` with `:` separators; without
+// per-segment encoding, `taskIdentifier="a:b"` and `idempotencyKey="x"`
+// would map to the same key as `taskIdentifier="a"` and
+// `idempotencyKey="b:x"`. base64url encoding has no `:` in its alphabet,
+// so the encoded keys are unique per tuple.
+describe("MollifierBuffer composite-key encoding (collision resistance)", () => {
+  redisTest(
+    "two accepts whose unencoded keys would alias don't collide on the idempotency lookup",
+    { timeout: 30_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        // Aliased tuples under raw `:` concatenation:
+        //   env_x : "a:b" : "x"   →   "mollifier:idempotency:env_x:a:b:x"
+        //   env_x : "a"   : "b:x" →   "mollifier:idempotency:env_x:a:b:x"
+        const r1 = await buffer.accept({
+          runId: "ck_run_1",
+          envId: "env_x",
+          orgId: "org_1",
+          payload: "{}",
+          taskIdentifier: "a:b",
+          idempotencyKey: "x",
+        });
+        const r2 = await buffer.accept({
+          runId: "ck_run_2",
+          envId: "env_x",
+          orgId: "org_1",
+          payload: "{}",
+          taskIdentifier: "a",
+          idempotencyKey: "b:x",
+        });
+        // Both accepted — no false-positive collision.
+        expect(r1).toEqual({ kind: "accepted" });
+        expect(r2).toEqual({ kind: "accepted" });
+
+        // Each tuple resolves to its own runId.
+        const hit1 = await buffer.lookupIdempotency({
+          envId: "env_x",
+          taskIdentifier: "a:b",
+          idempotencyKey: "x",
+        });
+        const hit2 = await buffer.lookupIdempotency({
+          envId: "env_x",
+          taskIdentifier: "a",
+          idempotencyKey: "b:x",
+        });
+        expect(hit1).toBe("ck_run_1");
+        expect(hit2).toBe("ck_run_2");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "encoded lookup key contains no ':' separator beyond the namespace",
+    { timeout: 20_000 },
+    async () => {
+      // Pure-function test — verifies the encoding bijection without
+      // needing a live buffer. Re-uses the redisTest fixture for
+      // parallelism with other describe blocks but doesn't touch redis.
+      const key = idempotencyLookupKeyFor({
+        envId: "env_x",
+        taskIdentifier: "a:b",
+        idempotencyKey: "x:y:z",
+      });
+      // namespace prefix is exactly `mollifier:idempotency:` (two `:`),
+      // then three base64url segments separated by two more `:` —
+      // never the customer-supplied colons.
+      const colonCount = key.split(":").length - 1;
+      expect(colonCount).toBe(4);
+      // base64url alphabet has no `:`, `+`, `/`, or `=`.
+      const afterNamespace = key.slice("mollifier:idempotency:".length);
+      expect(afterNamespace).toMatch(/^[A-Za-z0-9_\-]+:[A-Za-z0-9_\-]+:[A-Za-z0-9_\-]+$/);
+    },
+  );
+});
+
+// Pre-gate claim ownership protection. The claim slot stores
+// `"pending:<token>"` so publish and release compare-and-act on the
+// caller's token — a late release from a previous claimant whose TTL
+// expired cannot erase a new owner's claim.
+describe("MollifierBuffer pre-gate claim — ownership token safety", () => {
+  const claimInput = {
+    envId: "env_c",
+    taskIdentifier: "task_c",
+    idempotencyKey: "key_c",
+  };
+
+  redisTest(
+    "claimIdempotency: first caller gets 'claimed', second concurrent caller gets 'pending'",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        const first = await buffer.claimIdempotency({
+          ...claimInput,
+          token: "token-A",
+          ttlSeconds: 30,
+        });
+        expect(first.kind).toBe("claimed");
+
+        // Second concurrent caller with a different token sees pending.
+        const second = await buffer.claimIdempotency({
+          ...claimInput,
+          token: "token-B",
+          ttlSeconds: 30,
+        });
+        expect(second.kind).toBe("pending");
+
+        // readClaim distinguishes pending from resolved without leaking
+        // the token to the loser.
+        const read = await buffer.readClaim(claimInput);
+        expect(read?.kind).toBe("pending");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "releaseClaim with the wrong token is a no-op (compare-and-delete)",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.claimIdempotency({ ...claimInput, token: "owner", ttlSeconds: 30 });
+
+        // Pretend a stale claimant fires a release with their old token.
+        await buffer.releaseClaim({ ...claimInput, token: "stale-impostor" });
+
+        // The owner's claim survives.
+        const stillThere = await buffer.readClaim(claimInput);
+        expect(stillThere?.kind).toBe("pending");
+
+        // The owner can still release.
+        await buffer.releaseClaim({ ...claimInput, token: "owner" });
+        expect(await buffer.readClaim(claimInput)).toBeNull();
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "publishClaim with the wrong token is a no-op and returns false",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        await buffer.claimIdempotency({ ...claimInput, token: "owner", ttlSeconds: 30 });
+
+        const wrongTokenPublish = await buffer.publishClaim({
+          ...claimInput,
+          token: "stale-impostor",
+          runId: "imposter-run",
+          ttlSeconds: 60,
+        });
+        expect(wrongTokenPublish).toBe(false);
+
+        // Claim slot unchanged.
+        const stillPending = await buffer.readClaim(claimInput);
+        expect(stillPending?.kind).toBe("pending");
+
+        const goodPublish = await buffer.publishClaim({
+          ...claimInput,
+          token: "owner",
+          runId: "real-run",
+          ttlSeconds: 60,
+        });
+        expect(goodPublish).toBe(true);
+
+        const resolved = await buffer.readClaim(claimInput);
+        expect(resolved).toEqual({ kind: "resolved", runId: "real-run" });
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "regression: stale release after TTL expiry does NOT erase a fresh claim",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // Hazard from CodeRabbit r3290070707:
+      //   1. Claimant A SETNXs the slot with their token, then stalls.
+      //   2. TTL expires, slot vanishes.
+      //   3. Claimant B SETNXs the slot with a DIFFERENT token.
+      //   4. Claimant A finally finishes (or errors) and calls
+      //      releaseClaim with their original token.
+      // Without compare-and-delete, A's release would wipe B's slot and
+      // any concurrent customer of B's idempotency key would see "no
+      // claim" and re-issue, breaking same-key dedup.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+      try {
+        // Step 1: A claims with token "A".
+        const a = await buffer.claimIdempotency({
+          ...claimInput,
+          token: "A",
+          ttlSeconds: 1, // short TTL to simulate expiry quickly
+        });
+        expect(a.kind).toBe("claimed");
+
+        // Step 2: simulate TTL expiry — DEL the slot directly so the
+        // test doesn't rely on wall-clock sleeping. Targets the same key
+        // the buffer writes via the exported builder, so a key-format
+        // change can't silently make this DEL miss.
+        await buffer["redis"].del(makeIdempotencyClaimKey(claimInput));
+
+        // Step 3: B claims with token "B".
+        const b = await buffer.claimIdempotency({
+          ...claimInput,
+          token: "B",
+          ttlSeconds: 30,
+        });
+        expect(b.kind).toBe("claimed");
+
+        // Step 4: A's late release. MUST be a no-op.
+        await buffer.releaseClaim({ ...claimInput, token: "A" });
+
+        // B's claim survives intact.
+        const after = await buffer.readClaim(claimInput);
+        expect(after?.kind).toBe("pending");
+
+        // B can still publish.
+        const published = await buffer.publishClaim({
+          ...claimInput,
+          token: "B",
+          runId: "B-run",
+          ttlSeconds: 60,
+        });
+        expect(published).toBe(true);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+// The DRAINING set is observability-only: a sorted set keyed by the
+// pop wall-clock millis whose membership mirrors entries currently in
+// DRAINING state (popped, not yet acked/failed/requeued). The gauge in
+// `mollifierDrainerWorker.server.ts` polls `getDrainingCount` and emits
+// `mollifier.draining.current` for ops dashboards / post-crash
+// forensics. Tests pin the lifecycle transitions on every Lua boundary
+// so a regression that breaks the gauge surfaces here, not at 03:00.
+describe("MollifierBuffer.draining tracker (observability)", () => {
+  redisTest(
+    "pop ZADDs to the draining set with a positive recent score",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        const before = Date.now();
+        await buffer.accept({ runId: "drn_1", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.pop("env_a");
+
+        const count = await buffer.getDrainingCount();
+        expect(count).toBe(1);
+
+        // Score is the pop wall-clock in millis (Redis TIME, computed
+        // inside the Lua). Sanity-check it's within a tight window of
+        // the test's wall-clock so a future bug substituting createdAt
+        // or zero would surface.
+        const score = await buffer["redis"].zscore(DRAINING_SET_KEY, "drn_1");
+        expect(score).not.toBeNull();
+        const scoreMs = Number(score);
+        expect(scoreMs).toBeGreaterThanOrEqual(before - 1_000);
+        expect(scoreMs).toBeLessThanOrEqual(Date.now() + 1_000);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "ack ZREMs from the draining set",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "drn_ack", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.pop("env_a");
+        expect(await buffer.getDrainingCount()).toBe(1);
+
+        await buffer.ack("drn_ack");
+        expect(await buffer.getDrainingCount()).toBe(0);
+        expect(await buffer["redis"].zscore(DRAINING_SET_KEY, "drn_ack")).toBeNull();
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "fail ZREMs from the draining set even though the entry hash is torn down",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "drn_fail", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.pop("env_a");
+        expect(await buffer.getDrainingCount()).toBe(1);
+
+        await buffer.fail("drn_fail", { code: "X", message: "y" });
+        expect(await buffer.getDrainingCount()).toBe(0);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "requeue ZREMs from the draining set so the entry is no longer counted as in-flight",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "drn_rq", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.pop("env_a");
+        expect(await buffer.getDrainingCount()).toBe(1);
+
+        await buffer.requeue("drn_rq");
+        // Back in QUEUED — not currently "draining", so the tracker is
+        // empty even though the entry hash still exists.
+        expect(await buffer.getDrainingCount()).toBe(0);
+        const entry = await buffer.getEntry("drn_rq");
+        expect(entry!.status).toBe("QUEUED");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "the same entry going through pop → requeue → pop is tracked at the latest pop's score",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // The pop Lua does ZADD (no NX/XX/GT flags) so the second pop
+      // overwrites the score with the new wall-clock. listStaleDraining
+      // therefore measures "time since the most recent pop", which is
+      // what an operator wants — a requeued entry that just got picked
+      // up again isn't stale, only one that was popped and stayed there.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "drn_re", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.pop("env_a");
+        const firstScore = Number(await buffer["redis"].zscore(DRAINING_SET_KEY, "drn_re"));
+
+        await buffer.requeue("drn_re");
+        // ZREMed; not counted as draining between pops.
+        expect(await buffer.getDrainingCount()).toBe(0);
+
+        // Tiny sleep so the second pop's TIME is observably later.
+        await new Promise((r) => setTimeout(r, 25));
+        await buffer.pop("env_a");
+        const secondScore = Number(await buffer["redis"].zscore(DRAINING_SET_KEY, "drn_re"));
+        expect(secondScore).toBeGreaterThanOrEqual(firstScore);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "listStaleDraining returns runIds popped before the cutoff and respects the limit",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        // Pop two entries, wait, then pop a third. With the cutoff set
+        // to the gap, only the first two should come back.
+        await buffer.accept({ runId: "old_1", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.accept({ runId: "old_2", envId: "env_a", orgId: "org_1", payload: "{}" });
+        await buffer.pop("env_a");
+        await buffer.pop("env_a");
+
+        await new Promise((r) => setTimeout(r, 75));
+
+        await buffer.accept({ runId: "new_1", envId: "env_b", orgId: "org_1", payload: "{}" });
+        await buffer.pop("env_b");
+
+        // 50ms cutoff: old_1 and old_2 qualify, new_1 is too fresh.
+        const stale = await buffer.listStaleDraining(50, 10);
+        expect(stale.sort()).toEqual(["old_1", "old_2"]);
+
+        // Limit caps the result set.
+        const capped = await buffer.listStaleDraining(50, 1);
+        expect(capped.length).toBe(1);
+        expect(["old_1", "old_2"]).toContain(capped[0]);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "draining set is not load-bearing for correctness: stale-sweep & entry hash still drive recovery",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      // Documents the invariant we rely on for graceful degradation: if
+      // a deploy somehow regresses the ZREM-on-ack (or the set is
+      // manually wiped), correctness still holds because the per-entry
+      // hash carries `status` and the stale-sweep scans the queue LISTs.
+      // The gauge would just over-report — an ops issue, not a data-loss
+      // bug. Pinning this with a direct DEL keeps the principle visible
+      // in test output.
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        logger: new Logger("test", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "deg_1", envId: "env_a", orgId: "org_1", payload: "{}" });
+        const popped = await buffer.pop("env_a");
+        expect(popped!.status).toBe("DRAINING");
+
+        // Wipe the tracker out-of-band. Correctness must not regress.
+        await buffer["redis"].del(DRAINING_SET_KEY);
+
+        // ack still succeeds, entry hash still flips to materialised,
+        // grace TTL still applied. The next gauge poll just sees a
+        // count of 0 instead of 1 — an observability blip, not a bug.
+        await buffer.ack("deg_1");
+        const after = await buffer.getEntry("deg_1");
+        expect(after).not.toBeNull();
+        expect(after!.materialised).toBe(true);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
diff --git a/packages/redis-worker/src/mollifier/buffer.ts b/packages/redis-worker/src/mollifier/buffer.ts
new file mode 100644
index 00000000000..66afe186a8a
--- /dev/null
+++ b/packages/redis-worker/src/mollifier/buffer.ts
@@ -0,0 +1,1259 @@
+import {
+  createRedisClient,
+  type Callback,
+  type Redis,
+  type RedisOptions,
+  type Result,
+} from "@internal/redis";
+import { Logger } from "@trigger.dev/core/logger";
+import { BufferEntry, BufferEntrySchema } from "./schemas.js";
+
+export type MollifierBufferOptions = {
+  redisOptions: RedisOptions;
+  logger?: Logger;
+  // Grace TTL applied to the entry hash on drainer ack. The entry survives
+  // this long after materialisation so direct reads (retrieve, trace, etc.)
+  // have a safety net while PG replica lag settles. Defaults to 30s.
+  ackGraceTtlSeconds?: number;
+  // ioredis per-request retry limit on the buffer's Redis client. Defaults to 20.
+  maxRetriesPerRequest?: number;
+  // Reconnect backoff envelope (see `mollifierReconnectDelayMs`). Defaults
+  // to 50ms per attempt capped at 1000ms.
+  reconnectStepMs?: number;
+  reconnectMaxMs?: number;
+};
+
+// Default grace TTL applied to the entry hash on drainer ack.
+const DEFAULT_ACK_GRACE_TTL_SECONDS = 30;
+// Default ioredis reconnect backoff envelope for the buffer client.
+const DEFAULT_RECONNECT_STEP_MS = 50;
+const DEFAULT_RECONNECT_MAX_MS = 1000;
+// Default ioredis per-request retry limit.
+const DEFAULT_MAX_RETRIES_PER_REQUEST = 20;
+
+// Observability-only sorted set of entries currently in DRAINING state
+// (popped by the drainer, not yet acked/failed/requeued). Score is the
+// pop wall-clock in milliseconds — `ZRANGEBYSCORE 0 <now-Xms>` gives
+// the entries stuck mid-drain for longer than X. NOT load-bearing for
+// correctness: the per-entry hash already carries `status` and the
+// stale-sweep would catch stranded entries via the queue LISTs. This
+// set is a fast top-level index for ops (gauge cardinality, post-crash
+// forensics after an ECS OOM) — see `mollifierDrainerWorker` for the
+// gauge wiring.
+export const DRAINING_SET_KEY = "mollifier:draining";
+
+// ioredis reconnect backoff for the mollifier buffer client. The base
+// grows linearly with the attempt count and is capped at 1s (the same
+// envelope as the previous fixed `Math.min(times * 50, 1000)` schedule).
+// We then apply equal jitter — a uniform pick in `[base/2, base]` — so a
+// fleet of webapp instances reconnecting after the same Redis blip don't
+// retry in lockstep and stampede Redis on recovery (thundering herd).
+// Because the jittered value never exceeds the original cap, this is never
+// slower than before — just decorrelated. Mirrors the jittered-backoff
+// approach the mutate-fallback wait loop adopted for the same reason.
+export function mollifierReconnectDelayMs(
+  times: number,
+  random: () => number = Math.random,
+  stepMs: number = DEFAULT_RECONNECT_STEP_MS,
+  maxMs: number = DEFAULT_RECONNECT_MAX_MS,
+): number {
+  const base = Math.min(times * stepMs, maxMs);
+  const half = Math.floor(base / 2);
+  return half + Math.round(random() * (base - half));
+}
+
+export type SnapshotPatch =
+  // `maxTags`, when set, caps the deduped tag count atomically inside the
+  // Lua: if appending would push the snapshot over the limit the patch is
+  // rejected ("limit_exceeded") and nothing is written, mirroring the
+  // PG-path MAX_TAGS_PER_RUN check so a buffered run can't accumulate more
+  // tags than the trigger validator would have allowed at creation.
+  | { type: "append_tags"; tags: string[]; maxTags?: number }
+  | { type: "set_metadata"; metadata: string; metadataType: string }
+  | { type: "set_delay"; delayUntil: string }
+  | { type: "mark_cancelled"; cancelledAt: string; cancelReason?: string };
+
+export type MutateSnapshotResult =
+  | "applied_to_snapshot"
+  | "not_found"
+  | "busy"
+  | "limit_exceeded";
+
+export type CasSetMetadataResult =
+  | { kind: "applied"; newVersion: number }
+  | { kind: "version_conflict"; currentVersion: number }
+  | { kind: "not_found" }
+  | { kind: "busy" };
+
+export type AcceptResult =
+  | { kind: "accepted" }
+  | { kind: "duplicate_run_id" }
+  | { kind: "duplicate_idempotency"; existingRunId: string };
+
+export type IdempotencyLookupInput = {
+  envId: string;
+  taskIdentifier: string;
+  idempotencyKey: string;
+};
+
+// Reversible encoding for Redis-key segments. The composite-key builders
+// concatenate `envId`, `taskIdentifier`, and `idempotencyKey` with `:`
+// separators; if any segment contains a literal `:` (envId is internal
+// and `:`-free, but taskIdentifier and idempotencyKey are
+// customer-supplied) different tuples would map to the same Redis key
+// and dedupe the wrong run. base64url has no `:` in its alphabet and is
+// bijective on the input string, so the encoded keys are
+// collision-free.
+function encodeKeyPart(value: string): string {
+  return Buffer.from(value, "utf8").toString("base64url");
+}
+
+// Exported so tests can compute the same Redis key the buffer writes
+// without hard-coding the encoding (which is a buffer-internal detail).
+export function idempotencyLookupKeyFor(input: IdempotencyLookupInput): string {
+  return `mollifier:idempotency:${encodeKeyPart(input.envId)}:${encodeKeyPart(input.taskIdentifier)}:${encodeKeyPart(input.idempotencyKey)}`;
+}
+
+// Pre-gate claim key namespace, distinct from `mollifier:idempotency` so the
+// existing buffer-side dedup stays isolated. The claim is the
+// authoritative cross-store "this idempotency key is in flight or
+// resolved" pointer used by the trigger hot path. Values:
+//   "pending:<token>"  → claimed by a trigger pipeline; `<token>` is the
+//                        caller-supplied ownership token. Release and
+//                        publish compare-and-act on this token so a
+//                        late release from a previous claimant whose TTL
+//                        expired cannot erase a new owner's claim.
+//   <runId>            → the winning trigger's resolved runId.
+const PENDING_PREFIX = "pending:";
+
+// Exported (like `idempotencyLookupKeyFor`) so tests can target the same
+// claim key the buffer writes without hard-coding the encoding.
+export function makeIdempotencyClaimKey(input: IdempotencyLookupInput): string {
+  return `mollifier:claim:${encodeKeyPart(input.envId)}:${encodeKeyPart(input.taskIdentifier)}:${encodeKeyPart(input.idempotencyKey)}`;
+}
+
+export type IdempotencyClaimResult =
+  | { kind: "claimed" }
+  | { kind: "pending" }
+  | { kind: "resolved"; runId: string };
+
+export class MollifierBuffer {
+  private readonly redis: Redis;
+  private readonly logger: Logger;
+  private readonly ackGraceTtlSeconds: number;
+
+  constructor(options: MollifierBufferOptions) {
+    this.logger = options.logger ?? new Logger("MollifierBuffer", "debug");
+    this.ackGraceTtlSeconds = options.ackGraceTtlSeconds ?? DEFAULT_ACK_GRACE_TTL_SECONDS;
+    const reconnectStepMs = options.reconnectStepMs ?? DEFAULT_RECONNECT_STEP_MS;
+    const reconnectMaxMs = options.reconnectMaxMs ?? DEFAULT_RECONNECT_MAX_MS;
+
+    this.redis = createRedisClient(
+      {
+        ...options.redisOptions,
+        retryStrategy(times) {
+          return mollifierReconnectDelayMs(times, Math.random, reconnectStepMs, reconnectMaxMs);
+        },
+        maxRetriesPerRequest: options.maxRetriesPerRequest ?? DEFAULT_MAX_RETRIES_PER_REQUEST,
+      },
+      {
+        onError: (error) => {
+          this.logger.error("MollifierBuffer redis client error:", { error });
+        },
+      },
+    );
+    this.#registerCommands();
+  }
+
+  // Three outcomes:
+  //   - { kind: "accepted" } — entry was newly written.
+  //   - { kind: "duplicate_run_id" } — runId was already buffered (idempotent
+  //     no-op, same semantic as the previous boolean-false return).
+  //   - { kind: "duplicate_idempotency", existingRunId } — the (env, task,
+  //     idempotencyKey) tuple was already bound to another buffered run.
+  //     The Lua's atomic SETNX is the race-winner; the second caller gets
+  //     the winner's runId so it can return that as the trigger response.
+  async accept(input: {
+    runId: string;
+    envId: string;
+    orgId: string;
+    payload: string;
+    // Optional idempotency-key triple. When all three are present we
+    // SETNX a Redis lookup at `mollifier:idempotency:{env}:{task}:{key}`
+    // pointing at the runId so trigger-time dedup during the buffered
+    // window resolves the same way PG's unique constraint resolves it
+    // post-materialisation.
+    idempotencyKey?: string;
+    taskIdentifier?: string;
+  }): Promise<AcceptResult> {
+    const entryKey = `mollifier:entries:${input.runId}`;
+    const queueKey = `mollifier:queue:${input.envId}`;
+    const orgsKey = "mollifier:orgs";
+    const nowMs = Date.now();
+    const createdAt = new Date(nowMs).toISOString();
+    // Microsecond epoch, stored as a hash field for dwell-time metrics
+    // (stale sweep, drainer dwell span). FIFO ordering comes from the
+    // LIST itself (LPUSH head / RPOP tail), not from this value — it is
+    // no longer a queue sort key.
+    const createdAtMicros = nowMs * 1000;
+    const idempotencyLookupKey =
+      input.idempotencyKey && input.taskIdentifier
+        ? idempotencyLookupKeyFor({
+            envId: input.envId,
+            taskIdentifier: input.taskIdentifier,
+            idempotencyKey: input.idempotencyKey,
+          })
+        : "";
+    const result = await this.redis.acceptMollifierEntry(
+      entryKey,
+      queueKey,
+      orgsKey,
+      input.runId,
+      input.envId,
+      input.orgId,
+      input.payload,
+      createdAt,
+      String(createdAtMicros),
+      "mollifier:org-envs:",
+      idempotencyLookupKey,
+      "mollifier:entries:",
+    );
+    // Lua returns 1 (accepted), 0 (duplicate runId), or a string runId
+    // (duplicate idempotency — value is the existing winner's runId).
+    if (typeof result === "string" && result.length > 0) {
+      return { kind: "duplicate_idempotency", existingRunId: result };
+    }
+    if (result === 1) return { kind: "accepted" };
+    return { kind: "duplicate_run_id" };
+  }
+
+  async pop(envId: string): Promise<BufferEntry | null> {
+    const queueKey = `mollifier:queue:${envId}`;
+    const orgsKey = "mollifier:orgs";
+    const entryPrefix = "mollifier:entries:";
+    const encoded = (await this.redis.popAndMarkDraining(
+      queueKey,
+      orgsKey,
+      DRAINING_SET_KEY,
+      entryPrefix,
+      envId,
+      "mollifier:org-envs:",
+    )) as string | null;
+    if (!encoded) return null;
+
+    let raw: unknown;
+    try {
+      raw = JSON.parse(encoded);
+    } catch {
+      this.logger.error("MollifierBuffer.pop: failed to parse script result", { envId });
+      return null;
+    }
+
+    const parsed = BufferEntrySchema.safeParse(raw);
+    if (!parsed.success) {
+      this.logger.error("MollifierBuffer.pop: invalid entry shape", {
+        envId,
+        errors: parsed.error.flatten(),
+      });
+      return null;
+    }
+    return parsed.data;
+  }
+
+  async getEntry(runId: string): Promise<BufferEntry | null> {
+    const raw = await this.redis.hgetall(`mollifier:entries:${runId}`);
+    if (!raw || Object.keys(raw).length === 0) return null;
+
+    const parsed = BufferEntrySchema.safeParse(raw);
+    if (!parsed.success) {
+      this.logger.error("MollifierBuffer.getEntry: invalid entry shape", {
+        runId,
+        errors: parsed.error.flatten(),
+      });
+      return null;
+    }
+    return parsed.data;
+  }
+
+  // Drainer walks these two methods to schedule pops with org-level
+  // fairness: one env per org per tick. The Lua scripts maintain both
+  // sets atomically with the per-env queues, so an org/env appears here
+  // exactly when at least one of its envs has a queued entry.
+  async listOrgs(): Promise<string[]> {
+    return this.redis.smembers("mollifier:orgs");
+  }
+
+  async listEnvsForOrg(orgId: string): Promise<string[]> {
+    return this.redis.smembers(`mollifier:org-envs:${orgId}`);
+  }
+
+  // Read-only enumeration of currently-queued entries for a single env.
+  // Used by the stale-sweep to compute per-entry dwell time, so order is
+  // immaterial — LRANGE returns them newest-first (LPUSH head) but the
+  // caller scans the whole window. Non-destructive: the drainer still
+  // RPOPs these entries in FIFO order.
+  //
+  // The entry HGETALLs are issued in a single pipelined batch (one
+  // network round-trip instead of N) — at the stale-sweep's default
+  // maxCount=1000 the serial implementation cost ~1000 RTTs per env,
+  // which dominated sweep wall-time at any meaningful backlog.
+  //
+  // A missing entry (empty hash) is skipped: the drainer's RPOP+DEL of
+  // the entry hash can race our LRANGE→HGETALL window, so a runId on
+  // the queue with no backing hash is an expected concurrency outcome,
+  // not an error.
+  async listEntriesForEnv(envId: string, maxCount: number): Promise<BufferEntry[]> {
+    if (maxCount <= 0) return [];
+    const runIds = await this.redis.lrange(
+      `mollifier:queue:${envId}`,
+      0,
+      maxCount - 1,
+    );
+    if (runIds.length === 0) return [];
+
+    const pipeline = this.redis.pipeline();
+    for (const runId of runIds) {
+      pipeline.hgetall(`mollifier:entries:${runId}`);
+    }
+    const results = await pipeline.exec();
+    if (!results) return [];
+
+    const entries: BufferEntry[] = [];
+    for (let i = 0; i < results.length; i++) {
+      const [err, raw] = results[i] as [Error | null, Record<string, string> | null];
+      if (err) {
+        this.logger.error("MollifierBuffer.listEntriesForEnv: hgetall failed", {
+          runId: runIds[i],
+          err: err.message,
+        });
+        continue;
+      }
+      if (!raw || Object.keys(raw).length === 0) continue;
+      const parsed = BufferEntrySchema.safeParse(raw);
+      if (!parsed.success) {
+        this.logger.error("MollifierBuffer.listEntriesForEnv: invalid entry shape", {
+          runId: runIds[i],
+          errors: parsed.error.flatten(),
+        });
+        continue;
+      }
+      entries.push(parsed.data);
+    }
+    return entries;
+  }
+
+  // Atomic snapshot mutation. Used by customer-mutation API endpoints
+  // (tags, metadata-put, reschedule, cancel) when the run is still in
+  // the buffer. Three outcomes:
+  //   - "applied_to_snapshot": entry was QUEUED + not materialised; the
+  //     drainer will read the patched payload on its next pop.
+  //   - "not_found": no entry hash exists for this runId — including a
+  //     FAILED entry, whose hash the drainer-terminal `fail` path DELs.
+  //   - "busy": entry is DRAINING or materialised. The API
+  //     wait-and-bounces through PG.
+  //   - "limit_exceeded": an `append_tags` patch carrying `maxTags` would
+  //     push the deduped tag count over the cap; nothing is written.
+  async mutateSnapshot(runId: string, patch: SnapshotPatch): Promise<MutateSnapshotResult> {
+    const result = (await this.redis.mutateMollifierSnapshot(
+      `mollifier:entries:${runId}`,
+      JSON.stringify(patch),
+    )) as string;
+    if (
+      result === "applied_to_snapshot" ||
+      result === "not_found" ||
+      result === "busy" ||
+      result === "limit_exceeded"
+    ) {
+      return result;
+    }
+    throw new Error(`MollifierBuffer.mutateSnapshot: unexpected Lua return value: ${result}`);
+  }
+
+  // Optimistic compare-and-swap on the snapshot's metadata. Caller reads
+  // the current metadataVersion via getEntry, applies operations in JS via
+  // `applyMetadataOperations`, then calls this with the new metadata + the
+  // expected version. Lua refuses if the version has moved (caller retries
+  // up to N times). Mirrors the PG-side `UpdateMetadataService` retry
+  // loop so concurrent increment/append operations don't lose deltas.
+  async casSetMetadata(input: {
+    runId: string;
+    expectedVersion: number;
+    newMetadata: string;
+    newMetadataType: string;
+  }): Promise<CasSetMetadataResult> {
+    const entryKey = `mollifier:entries:${input.runId}`;
+    const raw = (await this.redis.casSetMollifierMetadata(
+      entryKey,
+      String(input.expectedVersion),
+      input.newMetadata,
+      input.newMetadataType,
+    )) as string;
+    if (raw === "not_found") return { kind: "not_found" };
+    if (raw === "busy") return { kind: "busy" };
+    if (raw.startsWith("conflict:")) {
+      return { kind: "version_conflict", currentVersion: Number(raw.slice("conflict:".length)) };
+    }
+    if (raw.startsWith("applied:")) {
+      return { kind: "applied", newVersion: Number(raw.slice("applied:".length)) };
+    }
+    throw new Error(`MollifierBuffer.casSetMetadata: unexpected Lua return: ${raw}`);
+  }
+
+  // Atomic pre-gate claim on a (env, task, idempotencyKey) tuple. One
+  // call across both PG and buffer paths serialises through this claim;
+  // closes the race the buffer-side SETNX leaves open during the
+  // gate-transition burst window.
+  //
+  // The caller supplies an opaque `token` (UUID) on claim. The same token
+  // MUST be passed to `publishClaim` / `releaseClaim`, which compare-and-
+  // act so a late release from a previous claimant whose TTL expired
+  // cannot erase a new owner's claim.
+  //
+  // - "claimed": we now own the claim, the caller proceeds with the
+  //   trigger pipeline and must `publishClaim` on success or
+  //   `releaseClaim` on failure.
+  // - "pending": another trigger owns the claim and hasn't published
+  //   yet; the caller should poll.
+  // - "resolved": the claim already holds a runId; the caller can
+  //   return that runId as a cached hit.
+  async claimIdempotency(
+    input: IdempotencyLookupInput & { token: string; ttlSeconds: number },
+  ): Promise<IdempotencyClaimResult> {
+    const claimKey = makeIdempotencyClaimKey(input);
+    const raw = (await this.redis.claimMollifierIdempotency(
+      claimKey,
+      `${PENDING_PREFIX}${input.token}`,
+      PENDING_PREFIX,
+      String(input.ttlSeconds),
+    )) as string;
+    if (raw === "claimed") return { kind: "claimed" };
+    if (raw === "pending") return { kind: "pending" };
+    if (raw.startsWith("resolved:")) {
+      return { kind: "resolved", runId: raw.slice("resolved:".length) };
+    }
+    throw new Error(`MollifierBuffer.claimIdempotency: unexpected return: ${raw}`);
+  }
+
+  // Publish the winning runId to the claim so subsequent claimants /
+  // waiters see "resolved". TTL bounded by the customer's
+  // `idempotencyKeyExpiresAt` minus now; caller computes.
+  //
+  // Compare-and-set on the caller's token: if the current value isn't
+  // our pending marker (TTL expired and another claimant moved in, or
+  // someone else already published), the publish is a no-op. The caller
+  // can treat any such case as "we lost the claim" and re-read.
+  // Returns true if we published; false if the claim slot was no longer
+  // ours.
+  async publishClaim(
+    input: IdempotencyLookupInput & { token: string; runId: string; ttlSeconds: number },
+  ): Promise<boolean> {
+    const claimKey = makeIdempotencyClaimKey(input);
+    const result = (await this.redis.publishMollifierClaim(
+      claimKey,
+      `${PENDING_PREFIX}${input.token}`,
+      input.runId,
+      String(input.ttlSeconds),
+    )) as number;
+    return result === 1;
+  }
+
+  // Release the claim on pipeline error so waiters can re-claim and
+  // retry. Idempotent.
+  //
+  // Compare-and-delete on the caller's token: only deletes if the
+  // current value is exactly our pending marker. A late release from a
+  // claimant whose TTL expired is a no-op, so a new owner's claim is
+  // never wiped by a slow predecessor.
+  async releaseClaim(input: IdempotencyLookupInput & { token: string }): Promise<void> {
+    const claimKey = makeIdempotencyClaimKey(input);
+    await this.redis.releaseMollifierClaim(
+      claimKey,
+      `${PENDING_PREFIX}${input.token}`,
+    );
+  }
+
+  // Read the current claim value, used by the wait/poll loop on losers
+  // to detect "pending" → "resolved" transitions and timeouts.
+  async readClaim(input: IdempotencyLookupInput): Promise<IdempotencyClaimResult | null> {
+    const claimKey = makeIdempotencyClaimKey(input);
+    const value = await this.redis.get(claimKey);
+    if (value === null) return null;
+    if (value.startsWith(PENDING_PREFIX)) return { kind: "pending" };
+    return { kind: "resolved", runId: value };
+  }
+
+  // Resolve a buffered run by (env, task, idempotencyKey) tuple. Used by
+  // `IdempotencyKeyConcern.handleTriggerRequest` after the PG check
+  // misses — same key may belong to a buffered run waiting to drain. The
+  // lookup self-heals: if the lookup points at an entry hash that's gone,
+  // we clear the lookup and report a miss. The clear is a compare-and-
+  // delete (only if the key still holds the stale runId we observed) so a
+  // fresh accept that rebinds the key between our GET and DEL isn't wiped.
+  async lookupIdempotency(input: IdempotencyLookupInput): Promise<string | null> {
+    const lookupKey = idempotencyLookupKeyFor(input);
+    const runId = await this.redis.get(lookupKey);
+    if (!runId) return null;
+    const entry = await this.getEntry(runId);
+    if (!entry) {
+      await this.redis.delMollifierKeyIfEquals(lookupKey, runId);
+      return null;
+    }
+    return runId;
+  }
+
+  // Clear the idempotency binding from a buffered run. Used by
+  // `ResetIdempotencyKeyService` alongside the existing PG-side
+  // `updateMany`. Returns the runId that was cleared, or null if no
+  // buffered run held this key.
+  async resetIdempotency(input: IdempotencyLookupInput): Promise<{ clearedRunId: string | null }> {
+    const lookupKey = idempotencyLookupKeyFor(input);
+    const claimKey = makeIdempotencyClaimKey(input);
+    const clearedRunId = (await this.redis.resetMollifierIdempotency(
+      lookupKey,
+      "mollifier:entries:",
+      claimKey,
+    )) as string;
+    return { clearedRunId: clearedRunId.length > 0 ? clearedRunId : null };
+  }
+
+  // Marks the entry as materialised (PG row written) and resets its TTL to
+  // the grace window. Entry hash persists past ack as a read-fallback
+  // safety net for the brief PG replica-lag window between drainer-side
+  // write and reader-side visibility. Also clears the associated
+  // idempotency lookup if one was set on accept.
+  async ack(runId: string): Promise<void> {
+    await this.redis.ackMollifierEntry(
+      `mollifier:entries:${runId}`,
+      DRAINING_SET_KEY,
+      String(this.ackGraceTtlSeconds),
+      runId,
+    );
+  }
+
+  async requeue(runId: string): Promise<void> {
+    await this.redis.requeueMollifierEntry(
+      `mollifier:entries:${runId}`,
+      "mollifier:orgs",
+      DRAINING_SET_KEY,
+      "mollifier:queue:",
+      runId,
+      "mollifier:org-envs:",
+    );
+  }
+
+  // Returns true if a live entry was torn down; false if the entry no
+  // longer existed (a concurrent ack or manual cleanup removed it between
+  // pop and fail — there is no accept-time TTL). Note FAILED is not an
+  // observable state: the Lua marks the hash FAILED then DELs it in the
+  // same atomic script, so a subsequent getEntry returns null. Caller can
+  // use the boolean to skip downstream FAILED handling for ghost entries.
+  async fail(runId: string, error: { code: string; message: string }): Promise<boolean> {
+    const result = await this.redis.failMollifierEntry(
+      `mollifier:entries:${runId}`,
+      DRAINING_SET_KEY,
+      JSON.stringify(error),
+      runId,
+    );
+    return result === 1;
+  }
+
+  // Observability-only: number of entries currently in DRAINING state
+  // (popped, not yet acked/failed/requeued). The gauge in the webapp
+  // drainer worker polls this on a short interval and emits it as
+  // `mollifier.draining.current` for ops dashboards and post-crash
+  // forensics. Cheap (single ZCARD).
+  async getDrainingCount(): Promise<number> {
+    return this.redis.zcard(DRAINING_SET_KEY);
+  }
+
+  // Observability-only: list runIds that have been DRAINING longer than
+  // `olderThanMs` (i.e. popped before `now - olderThanMs`). Bounded by
+  // `limit` to keep the result set tractable when something has gone
+  // very wrong. ZRANGEBYSCORE is O(log N + K). Score is the pop wall-clock
+  // in milliseconds as written by the popAndMarkDraining Lua.
+  async listStaleDraining(olderThanMs: number, limit: number): Promise<string[]> {
+    const maxScore = Date.now() - Math.max(0, olderThanMs);
+    return this.redis.zrangebyscore(
+      DRAINING_SET_KEY,
+      "-inf",
+      String(maxScore),
+      "LIMIT",
+      0,
+      Math.max(0, limit),
+    );
+  }
+
+  // Returns Redis-side TTL on the entry hash. Returns -1 for entries
+  // with no TTL — the steady state under the current design, where
+  // entries persist until drainer ack/fail. The ack grace TTL (30s
+  // post-materialise) is the only context where this returns a
+  // positive value; tests around the grace TTL still rely on it.
+  async getEntryTtlSeconds(runId: string): Promise<number> {
+    return this.redis.ttl(`mollifier:entries:${runId}`);
+  }
+
+
+  async evaluateTrip(
+    envId: string,
+    options: { windowMs: number; threshold: number; holdMs: number },
+  ): Promise<{ tripped: boolean; count: number }> {
+    const rateKey = `mollifier:rate:${envId}`;
+    const trippedKey = `mollifier:tripped:${envId}`;
+    const result = (await this.redis.mollifierEvaluateTrip(
+      rateKey,
+      trippedKey,
+      String(options.windowMs),
+      String(options.threshold),
+      String(options.holdMs),
+    )) as [number, number];
+
+    return { count: result[0], tripped: result[1] === 1 };
+  }
+
+  async close(): Promise<void> {
+    await this.redis.quit();
+  }
+
+  #registerCommands() {
+    this.redis.defineCommand("acceptMollifierEntry", {
+      numberOfKeys: 3,
+      lua: `
+        local entryKey = KEYS[1]
+        local queueKey = KEYS[2]
+        local orgsKey = KEYS[3]
+        local runId = ARGV[1]
+        local envId = ARGV[2]
+        local orgId = ARGV[3]
+        local payload = ARGV[4]
+        local createdAt = ARGV[5]
+        local createdAtMicros = ARGV[6]
+        local orgEnvsPrefix = ARGV[7]
+        local idempotencyLookupKey = ARGV[8] or ''
+        local entryPrefix = ARGV[9]
+
+        -- Idempotent: refuse if an entry for this runId already exists in any
+        -- state. Caller-side dedup is also enforced via API idempotency keys,
+        -- but the buffer must not double-enqueue if a caller retries.
+        if redis.call('EXISTS', entryKey) == 1 then
+          return 0
+        end
+
+        -- Idempotency-key dedup. If the caller passed a lookup key
+        -- and it's already bound to another buffered run, return the
+        -- winner's runId so the loser's API response can echo it as a
+        -- cached hit. Otherwise SET the lookup (no TTL — lifecycle is
+        -- paired with the entry hash; drainer ack/fail clear it
+        -- explicitly).
+        if idempotencyLookupKey ~= '' then
+          local existing = redis.call('GET', idempotencyLookupKey)
+          if existing then
+            -- Self-heal: only honour the binding if its entry hash still
+            -- exists. If the entry was evicted (maxmemory) but the lookup
+            -- survived, the binding is stale — fall through and rebind to
+            -- this run rather than returning a dead runId that would block
+            -- the key indefinitely. Mirrors lookupIdempotency's self-heal.
+            if redis.call('EXISTS', entryPrefix .. existing) == 1 then
+              return existing
+            end
+          end
+          redis.call('SET', idempotencyLookupKey, runId)
+        end
+
+        redis.call('HSET', entryKey,
+          'runId', runId,
+          'envId', envId,
+          'orgId', orgId,
+          'payload', payload,
+          'status', 'QUEUED',
+          'attempts', '0',
+          'createdAt', createdAt,
+          'createdAtMicros', createdAtMicros,
+          'idempotencyLookupKey', idempotencyLookupKey,
+          'metadataVersion', '0')
+        -- No EXPIRE on the entry hash. Buffer entries persist until the
+        -- drainer ACKs (post-materialise grace) or FAILs them — the
+        -- drainer is the only recovery mechanism, so silent TTL-based
+        -- eviction would lose runs with no customer-visible signal.
+        -- Memory pressure from an offline drainer is the alertable
+        -- failure mode instead; see _ops/mollifier-ops.md.
+        -- LIST queue: LPUSH at the head, drainer RPOPs from the tail, so
+        -- insertion order == drain order (FIFO). createdAtMicros is kept
+        -- as a hash field for dwell metrics only — it is no longer a sort
+        -- key now that the buffer has no list/pagination surface.
+        redis.call('LPUSH', queueKey, runId)
+        -- Org-level membership: maintained atomically with the per-env
+        -- queue so the drainer can walk orgs → envs-for-org and
+        -- schedule one env per org per tick. SADDs are idempotent if the
+        -- org/env are already tracked.
+        redis.call('SADD', orgsKey, orgId)
+        redis.call('SADD', orgEnvsPrefix .. orgId, envId)
+        return 1
+      `,
+    });
+
+    this.redis.defineCommand("requeueMollifierEntry", {
+      numberOfKeys: 3,
+      lua: `
+        local entryKey = KEYS[1]
+        local orgsKey = KEYS[2]
+        local drainingSetKey = KEYS[3]
+        local queuePrefix = ARGV[1]
+        local runId = ARGV[2]
+        local orgEnvsPrefix = ARGV[3]
+
+        local envId = redis.call('HGET', entryKey, 'envId')
+        local orgId = redis.call('HGET', entryKey, 'orgId')
+        if not envId then
+          return 0
+        end
+
+        local currentAttempts = redis.call('HGET', entryKey, 'attempts')
+        local nextAttempts = tonumber(currentAttempts or '0') + 1
+
+        redis.call('HSET', entryKey, 'status', 'QUEUED', 'attempts', tostring(nextAttempts))
+        -- Requeue RPUSHes to the tail (the RPOP end) so a transiently
+        -- failed entry pops next rather than going to the back of the
+        -- line behind a fresh backlog. createdAt is immutable across
+        -- retries; the drainer's maxAttempts caps the
+        -- retry loop so a poisoned entry doesn't head-of-line forever.
+        redis.call('RPUSH', queuePrefix .. envId, runId)
+        -- Re-track the org/env: pop may have SREM'd them when the queue
+        -- last emptied. SADDs are idempotent if the values are still
+        -- present.
+        if orgId then
+          redis.call('SADD', orgsKey, orgId)
+          redis.call('SADD', orgEnvsPrefix .. orgId, envId)
+        end
+        -- Observability-only: leaving DRAINING state, so drop the
+        -- entry from the draining-tracker set. ZREM on absent member
+        -- is a no-op.
+        redis.call('ZREM', drainingSetKey, runId)
+        return 1
+      `,
+    });
+
+    this.redis.defineCommand("popAndMarkDraining", {
+      numberOfKeys: 3,
+      lua: `
+        local queueKey = KEYS[1]
+        local orgsKey = KEYS[2]
+        local drainingSetKey = KEYS[3]
+        local entryPrefix = ARGV[1]
+        local envId = ARGV[2]
+        local orgEnvsPrefix = ARGV[3]
+
+        -- Wall-clock millis used as the ZADD score on the draining-tracker
+        -- set. Computed once per script invocation so all observers see
+        -- the same pop instant. redis.call('TIME') is deterministic per
+        -- script execution (Lua sees it as a single read), satisfying the
+        -- write-determinism contract on replicas/AOF replay.
+        local timeArr = redis.call('TIME')
+        local nowMs = tonumber(timeArr[1]) * 1000 + math.floor(tonumber(timeArr[2]) / 1000)
+
+        -- Helper: prune org-level membership when an env's queue empties.
+        -- Called only from the success branch where we know orgId from the
+        -- popped entry. The no-runId branch below can't reach this because
+        -- it has no entry to read orgId from — accept any stale org-envs
+        -- entries that result (bounded by env count, recovered next accept).
+        local function pruneOrgMembership(orgId)
+          if not orgId then return end
+          local orgEnvsKey = orgEnvsPrefix .. orgId
+          redis.call('SREM', orgEnvsKey, envId)
+          if redis.call('SCARD', orgEnvsKey) == 0 then
+            redis.call('SREM', orgsKey, orgId)
+          end
+        end
+
+        -- Loop to skip orphan queue references — runIds whose entry hash is
+        -- gone (e.g. Redis maxmemory eviction, since QUEUED entries carry
+        -- no TTL of their own). HSET on a missing key would CREATE a
+        -- partial hash without a TTL, leaking memory. The loop is bounded
+        -- by queue length; entire Lua script remains atomic.
+        while true do
+          -- RPOP returns the tail member (oldest, FIFO), or false when empty.
+          local runId = redis.call('RPOP', queueKey)
+          if not runId then
+            -- Queue is empty AND we have no entry to read orgId from, so
+            -- skip org-level cleanup. Stale org-envs entries are bounded
+            -- by env count and recovered on the next accept.
+            return nil
+          end
+
+          local entryKey = entryPrefix .. runId
+          if redis.call('EXISTS', entryKey) == 1 then
+            redis.call('HSET', entryKey, 'status', 'DRAINING')
+            -- Observability-only: track the runId in the draining set
+            -- with the pop wall-clock as score. Acked/failed/requeued
+            -- in the corresponding Lua scripts. The set is NOT
+            -- load-bearing for correctness — the per-entry hash carries
+            -- status — so a missed ZREM on a partial Lua execution is
+            -- recoverable via the stale-sweep + entry hash, not a
+            -- correctness bug.
+            redis.call('ZADD', drainingSetKey, nowMs, runId)
+            local raw = redis.call('HGETALL', entryKey)
+            local result = {}
+            for i = 1, #raw, 2 do
+              result[raw[i]] = raw[i + 1]
+            end
+            -- Prune org-level membership if this pop drained the queue.
+            -- Atomic with the RPOP above — a concurrent accept AFTER
+            -- this script will SADD both back along with its LPUSH.
+            if redis.call('LLEN', queueKey) == 0 then
+              pruneOrgMembership(result['orgId'])
+            end
+            return cjson.encode(result)
+          end
+          -- Orphan queue reference: entry hash gone (evicted) while runId
+          -- was queued. Discard the reference and loop to the next.
+        end
+      `,
+    });
+
+    this.redis.defineCommand("casSetMollifierMetadata", {
+      numberOfKeys: 1,
+      lua: `
+        local entryKey = KEYS[1]
+        local expectedVersion = tonumber(ARGV[1])
+        local newMetadata = ARGV[2]
+        local newMetadataType = ARGV[3]
+
+        if redis.call('EXISTS', entryKey) == 0 then
+          return 'not_found'
+        end
+
+        local status = redis.call('HGET', entryKey, 'status')
+        local materialised = redis.call('HGET', entryKey, 'materialised')
+        if status ~= 'QUEUED' or materialised == 'true' then
+          return 'busy'
+        end
+
+        local currentVersionStr = redis.call('HGET', entryKey, 'metadataVersion') or '0'
+        local currentVersion = tonumber(currentVersionStr) or 0
+        if currentVersion ~= expectedVersion then
+          return 'conflict:' .. tostring(currentVersion)
+        end
+
+        -- Write the new metadata onto the snapshot's payload JSON. We
+        -- keep the rest of the payload intact — only metadata/metadataType
+        -- change. metadataVersion is denormalised on the hash for cheap
+        -- CAS reads; it's intentionally NOT stored inside the payload
+        -- itself (PG-side metadataVersion is a column, not a JSON field).
+        local payloadJson = redis.call('HGET', entryKey, 'payload')
+        local ok, payload = pcall(cjson.decode, payloadJson)
+        if not ok then return 'busy' end
+        payload.metadata = newMetadata
+        payload.metadataType = newMetadataType
+
+        local newVersion = currentVersion + 1
+        redis.call('HSET', entryKey,
+          'payload', cjson.encode(payload),
+          'metadataVersion', tostring(newVersion))
+        return 'applied:' .. tostring(newVersion)
+      `,
+    });
+
+    this.redis.defineCommand("claimMollifierIdempotency", {
+      numberOfKeys: 1,
+      lua: `
+        local claimKey = KEYS[1]
+        local pendingMarker = ARGV[1]   -- "pending:<caller-token>"
+        local pendingPrefix = ARGV[2]   -- "pending:"
+        local ttl = tonumber(ARGV[3])
+
+        -- SETNX-with-TTL: atomic; only one caller can win.
+        local won = redis.call('SET', claimKey, pendingMarker, 'NX', 'EX', ttl)
+        if won then
+          return 'claimed'
+        end
+
+        local existing = redis.call('GET', claimKey)
+        if not existing then
+          -- The slot expired in the race window between the SET NX
+          -- failing and this GET. It's free now — claim it so we don't
+          -- string.sub a nil and error out.
+          redis.call('SET', claimKey, pendingMarker, 'EX', ttl)
+          return 'claimed'
+        end
+        -- Any "pending:*" value is a live claim — the caller-supplied
+        -- token differentiates ownership but is opaque to losers.
+        if string.sub(existing, 1, string.len(pendingPrefix)) == pendingPrefix then
+          return 'pending'
+        end
+        return 'resolved:' .. existing
+      `,
+    });
+
+    // Publish a winning runId to a claim slot we own. Compare-and-set on
+    // the caller's pending marker: if the slot is no longer ours (TTL
+    // expired and another claimant moved in, or already resolved by
+    // someone else), we no-op. Returns 1 on publish, 0 on no-op.
+    this.redis.defineCommand("publishMollifierClaim", {
+      numberOfKeys: 1,
+      lua: `
+        local claimKey = KEYS[1]
+        local ownerMarker = ARGV[1]   -- "pending:<our-token>"
+        local runId = ARGV[2]
+        local ttl = tonumber(ARGV[3])
+
+        local existing = redis.call('GET', claimKey)
+        if existing == ownerMarker then
+          redis.call('SET', claimKey, runId, 'EX', ttl)
+          return 1
+        end
+        return 0
+      `,
+    });
+
+    // Release a claim slot we own. Compare-and-delete on the caller's
+    // pending marker: a late release from a previous claimant whose TTL
+    // expired is a no-op, so a new owner's claim is never wiped.
+    this.redis.defineCommand("releaseMollifierClaim", {
+      numberOfKeys: 1,
+      lua: `
+        local claimKey = KEYS[1]
+        local ownerMarker = ARGV[1]   -- "pending:<our-token>"
+
+        local existing = redis.call('GET', claimKey)
+        if existing == ownerMarker then
+          redis.call('DEL', claimKey)
+          return 1
+        end
+        return 0
+      `,
+    });
+
+    this.redis.defineCommand("resetMollifierIdempotency", {
+      numberOfKeys: 1,
+      lua: `
+        local lookupKey = KEYS[1]
+        local entryPrefix = ARGV[1]
+        local claimKey = ARGV[2]
+
+        -- Reset reopens the key across BOTH the buffer lookup and the
+        -- cross-store pre-gate claim pointer. Without clearing the claim,
+        -- a resolved/pending claim would keep deduping new triggers for
+        -- the rest of its TTL even though the binding was reset. DEL is
+        -- unconditional — the claim is gone regardless of whether a
+        -- buffered run currently holds the lookup.
+        redis.call('DEL', claimKey)
+
+        local runId = redis.call('GET', lookupKey)
+        if not runId then
+          return ''
+        end
+
+        local entryKey = entryPrefix .. runId
+        if redis.call('EXISTS', entryKey) == 0 then
+          -- Stale lookup. Lazy cleanup.
+          redis.call('DEL', lookupKey)
+          return ''
+        end
+
+        -- Clear the idempotency fields on the snapshot payload so the
+        -- drainer's eventual engine.trigger call inserts a PG row
+        -- without the key set.
+        local payloadJson = redis.call('HGET', entryKey, 'payload')
+        if payloadJson then
+          local ok, payload = pcall(cjson.decode, payloadJson)
+          if ok then
+            payload.idempotencyKey = cjson.null
+            payload.idempotencyKeyExpiresAt = cjson.null
+            redis.call('HSET', entryKey, 'payload', cjson.encode(payload))
+          end
+        end
+        -- Clear the denormalised lookup pointer on the hash so a later
+        -- ack doesn't try to DEL a key that's already gone.
+        redis.call('HSET', entryKey, 'idempotencyLookupKey', '')
+        redis.call('DEL', lookupKey)
+        return runId
+      `,
+    });
+
+    this.redis.defineCommand("mutateMollifierSnapshot", {
+      numberOfKeys: 1,
+      lua: `
+        local entryKey = KEYS[1]
+        local patchJson = ARGV[1]
+
+        if redis.call('EXISTS', entryKey) == 0 then
+          return 'not_found'
+        end
+
+        local status = redis.call('HGET', entryKey, 'status')
+        local materialised = redis.call('HGET', entryKey, 'materialised')
+        if status ~= 'QUEUED' or materialised == 'true' then
+          return 'busy'
+        end
+
+        local payloadJson = redis.call('HGET', entryKey, 'payload')
+        local ok, payload = pcall(cjson.decode, payloadJson)
+        if not ok then return 'busy' end
+
+        local patch = cjson.decode(patchJson)
+
+        if patch.type == 'append_tags' then
+          -- cjson decode of an absent or empty-array field gives nil or
+          -- an empty table; we rebuild as a dense array. Existing tags
+          -- are preserved; new tags are appended only if not present.
+          local existing = payload.tags or {}
+          local seen = {}
+          local merged = {}
+          for _, t in ipairs(existing) do
+            if not seen[t] then
+              seen[t] = true
+              table.insert(merged, t)
+            end
+          end
+          for _, t in ipairs(patch.tags or {}) do
+            if not seen[t] then
+              seen[t] = true
+              table.insert(merged, t)
+            end
+          end
+          -- Cap the deduped count when the caller supplies a limit, so a
+          -- buffered run can't exceed MAX_TAGS_PER_RUN via the tags API.
+          -- Reject the whole patch (write nothing) rather than truncating.
+          if patch.maxTags ~= nil and #merged > patch.maxTags then
+            return 'limit_exceeded'
+          end
+          payload.tags = merged
+        elseif patch.type == 'set_metadata' then
+          payload.metadata = patch.metadata
+          payload.metadataType = patch.metadataType
+          -- Bump the denormalised metadataVersion so an in-flight
+          -- casSetMetadata (optimistic CAS keyed on this counter) sees
+          -- the concurrent write as a version conflict and retries,
+          -- instead of clobbering it under a now-stale expectedVersion.
+          local currentVersion = tonumber(redis.call('HGET', entryKey, 'metadataVersion') or '0') or 0
+          redis.call('HSET', entryKey, 'metadataVersion', tostring(currentVersion + 1))
+        elseif patch.type == 'set_delay' then
+          payload.delayUntil = patch.delayUntil
+        elseif patch.type == 'mark_cancelled' then
+          payload.cancelledAt = patch.cancelledAt
+          payload.cancelReason = patch.cancelReason
+        else
+          return 'busy'
+        end
+
+        redis.call('HSET', entryKey, 'payload', cjson.encode(payload))
+        return 'applied_to_snapshot'
+      `,
+    });
+
+    this.redis.defineCommand("ackMollifierEntry", {
+      numberOfKeys: 2,
+      lua: `
+        local entryKey = KEYS[1]
+        local drainingSetKey = KEYS[2]
+        local graceTtlSeconds = tonumber(ARGV[1])
+        local runId = ARGV[2]
+
+        -- Always ZREM from the draining-tracker — even if the entry hash
+        -- has been concurrently torn down, the runId might still be in
+        -- the set (e.g. fail() ran first and cleared the hash but a
+        -- delayed ack races in). Idempotent: ZREM on absent is a no-op.
+        redis.call('ZREM', drainingSetKey, runId)
+
+        -- Guard: never create a partial entry. If the hash is gone between
+        -- pop and ack (concurrent fail or eviction — QUEUED entries carry
+        -- no TTL), the run is gone, nothing to mark materialised.
+        if redis.call('EXISTS', entryKey) == 0 then
+          return 0
+        end
+
+        -- If the entry was accepted with an idempotency key, the lookup
+        -- string was stored on the hash at accept time. Clear it now —
+        -- PG becomes canonical for the key post-materialisation.
+        local lookupKey = redis.call('HGET', entryKey, 'idempotencyLookupKey')
+        if lookupKey and lookupKey ~= '' then
+          redis.call('DEL', lookupKey)
+        end
+
+        redis.call('HSET', entryKey, 'materialised', 'true')
+        redis.call('EXPIRE', entryKey, graceTtlSeconds)
+        return 1
+      `,
+    });
+
+    this.redis.defineCommand("failMollifierEntry", {
+      numberOfKeys: 2,
+      lua: `
+        local entryKey = KEYS[1]
+        local drainingSetKey = KEYS[2]
+        local errorPayload = ARGV[1]
+        local runId = ARGV[2]
+
+        -- Always ZREM from the draining-tracker (idempotent on absent).
+        -- Mirrors ack: the runId may be in the set even if the entry hash
+        -- has been raced away.
+        redis.call('ZREM', drainingSetKey, runId)
+
+        -- Guard: nothing to mark FAILED if the hash is gone (concurrent
+        -- ack/manual cleanup). Returning 0 lets the caller distinguish
+        -- "marked failed" from "no-op".
+        if redis.call('EXISTS', entryKey) == 0 then
+          return 0
+        end
+
+        redis.call('HSET', entryKey, 'status', 'FAILED', 'lastError', errorPayload)
+
+        -- Terminal-failure contract: the drainer's onTerminalFailure
+        -- callback (see MollifierDrainer.processEntry) has been
+        -- invoked before this fail() and has either written a
+        -- SYSTEM_FAILURE PG row (for both non-retryable AND
+        -- max-attempts-exhausted retryable errors) or chosen to fall
+        -- through (genuinely bad snapshot the engine can't materialise
+        -- a row from). Either way the buffer entry is no longer
+        -- load-bearing here. Clear the idempotency lookup -- PG's
+        -- unique constraint is the canonical dedup mechanism
+        -- post-materialise -- and drop the entry hash so failed runs
+        -- don't accrete forever now that there's no accept-time TTL.
+        local lookupKey = redis.call('HGET', entryKey, 'idempotencyLookupKey')
+        if lookupKey and lookupKey ~= '' then
+          redis.call('DEL', lookupKey)
+        end
+        redis.call('DEL', entryKey)
+        return 1
+      `,
+    });
+
+    // Compare-and-delete: DEL the key only if it still holds the expected
+    // value. Used by lookupIdempotency's stale-lookup self-heal so a
+    // concurrent accept that rebinds the key between the reader's GET and
+    // this DEL isn't clobbered.
+    this.redis.defineCommand("delMollifierKeyIfEquals", {
+      numberOfKeys: 1,
+      lua: `
+        if redis.call('GET', KEYS[1]) == ARGV[1] then
+          return redis.call('DEL', KEYS[1])
+        end
+        return 0
+      `,
+    });
+
+    this.redis.defineCommand("mollifierEvaluateTrip", {
+      numberOfKeys: 2,
+      lua: `
+        local rateKey = KEYS[1]
+        local trippedKey = KEYS[2]
+        local windowMs = tonumber(ARGV[1])
+        local threshold = tonumber(ARGV[2])
+        local holdMs = tonumber(ARGV[3])
+
+        local count = redis.call('INCR', rateKey)
+        if count == 1 then
+          redis.call('PEXPIRE', rateKey, windowMs)
+        end
+
+        if count > threshold then
+          redis.call('PSETEX', trippedKey, holdMs, '1')
+        end
+
+        local tripped = redis.call('EXISTS', trippedKey)
+        return {count, tripped}
+      `,
+    });
+  }
+}
+
+declare module "@internal/redis" {
+  interface RedisCommander<Context> {
+    acceptMollifierEntry(
+      entryKey: string,
+      queueKey: string,
+      orgsKey: string,
+      runId: string,
+      envId: string,
+      orgId: string,
+      payload: string,
+      createdAt: string,
+      createdAtMicros: string,
+      orgEnvsPrefix: string,
+      idempotencyLookupKey: string,
+      entryPrefix: string,
+      callback?: Callback<number | string>,
+    ): Result<number | string, Context>;
+    popAndMarkDraining(
+      queueKey: string,
+      orgsKey: string,
+      drainingSetKey: string,
+      entryPrefix: string,
+      envId: string,
+      orgEnvsPrefix: string,
+      callback?: Callback<string | null>,
+    ): Result<string | null, Context>;
+    requeueMollifierEntry(
+      entryKey: string,
+      orgsKey: string,
+      drainingSetKey: string,
+      queuePrefix: string,
+      runId: string,
+      orgEnvsPrefix: string,
+      callback?: Callback<number>,
+    ): Result<number, Context>;
+    mutateMollifierSnapshot(
+      entryKey: string,
+      patchJson: string,
+      callback?: Callback<string>,
+    ): Result<string, Context>;
+    casSetMollifierMetadata(
+      entryKey: string,
+      expectedVersion: string,
+      newMetadata: string,
+      newMetadataType: string,
+      callback?: Callback<string>,
+    ): Result<string, Context>;
+    resetMollifierIdempotency(
+      lookupKey: string,
+      entryPrefix: string,
+      claimKey: string,
+      callback?: Callback<string>,
+    ): Result<string, Context>;
+    claimMollifierIdempotency(
+      claimKey: string,
+      pendingMarker: string,
+      pendingPrefix: string,
+      ttlSeconds: string,
+      callback?: Callback<string>,
+    ): Result<string, Context>;
+    publishMollifierClaim(
+      claimKey: string,
+      ownerMarker: string,
+      runId: string,
+      ttlSeconds: string,
+      callback?: Callback<number>,
+    ): Result<number, Context>;
+    releaseMollifierClaim(
+      claimKey: string,
+      ownerMarker: string,
+      callback?: Callback<number>,
+    ): Result<number, Context>;
+    ackMollifierEntry(
+      entryKey: string,
+      drainingSetKey: string,
+      graceTtlSeconds: string,
+      runId: string,
+      callback?: Callback<number>,
+    ): Result<number, Context>;
+    failMollifierEntry(
+      entryKey: string,
+      drainingSetKey: string,
+      errorPayload: string,
+      runId: string,
+      callback?: Callback<number>,
+    ): Result<number, Context>;
+    delMollifierKeyIfEquals(
+      key: string,
+      expected: string,
+      callback?: Callback<number>,
+    ): Result<number, Context>;
+    mollifierEvaluateTrip(
+      rateKey: string,
+      trippedKey: string,
+      windowMs: string,
+      threshold: string,
+      holdMs: string,
+      callback?: Callback<[number, number]>,
+    ): Result<[number, number], Context>;
+  }
+}
diff --git a/packages/redis-worker/src/mollifier/drainer.test.ts b/packages/redis-worker/src/mollifier/drainer.test.ts
new file mode 100644
index 00000000000..d4250641ee5
--- /dev/null
+++ b/packages/redis-worker/src/mollifier/drainer.test.ts
@@ -0,0 +1,2098 @@
+import { redisTest } from "@internal/testcontainers";
+import { describe, expect, it } from "vitest";
+import { Logger } from "@trigger.dev/core/logger";
+import { MollifierBuffer } from "./buffer.js";
+import { MollifierDrainer } from "./drainer.js";
+import { serialiseSnapshot } from "./schemas.js";
+
+const noopOptions = {
+  logger: new Logger("test", "log"),
+};
+
+// Module-scope stub helpers used by the unit tests below (no real Redis).
+type StubBuffer = Partial<MollifierBuffer> & { [K in keyof MollifierBuffer]?: any };
+
+function makeStubBuffer(overrides: StubBuffer): MollifierBuffer {
+  const base: StubBuffer = {
+    listOrgs: async () => [],
+    listEnvsForOrg: async () => [],
+    pop: async () => null,
+    ack: async () => {},
+    requeue: async () => {},
+    fail: async () => true,
+    getEntry: async () => null,
+    close: async () => {},
+  };
+  return { ...base, ...overrides } as unknown as MollifierBuffer;
+}
+
+// Convenience for tests that don't care about org grouping: treat each
+// env as its own org. `listOrgs` returns the env list verbatim;
+// `listEnvsForOrg(envId)` returns `[envId]`. Spread into makeStubBuffer
+// alongside the test's own `pop` override.
+function eachEnvAsOwnOrg(envs: string[]): Partial<StubBuffer> {
+  return {
+    listOrgs: async () => envs,
+    listEnvsForOrg: async (orgId: string) => (envs.includes(orgId) ? [orgId] : []),
+  };
+}
+
+describe("MollifierDrainer.runOnce", () => {
+  redisTest("drains one queued entry through the handler and acks", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      ...noopOptions,
+    });
+
+    const handlerCalls: Array<{ runId: string; envId: string; orgId: string; payload: unknown }> =
+      [];
+    const handler = async (input: {
+      runId: string;
+      envId: string;
+      orgId: string;
+      payload: unknown;
+    }) => {
+      handlerCalls.push(input);
+    };
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler,
+      concurrency: 5,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    try {
+      await buffer.accept({
+        runId: "run_1",
+        envId: "env_a",
+        orgId: "org_1",
+        payload: serialiseSnapshot({ foo: 1 }),
+      });
+
+      const result = await drainer.runOnce();
+      expect(result.drained).toBe(1);
+      expect(result.failed).toBe(0);
+      expect(handlerCalls).toHaveLength(1);
+      expect(handlerCalls[0]).toMatchObject({
+        runId: "run_1",
+        envId: "env_a",
+        orgId: "org_1",
+        payload: { foo: 1 },
+      });
+
+      // After ack the entry persists as a read-fallback safety net with
+      // materialised=true and a fresh grace TTL.
+      const entry = await buffer.getEntry("run_1");
+      expect(entry).not.toBeNull();
+      expect(entry!.materialised).toBe(true);
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest("runOnce with no entries does nothing", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      ...noopOptions,
+    });
+
+    let handlerCalls = 0;
+    const handler = async () => {
+      handlerCalls++;
+    };
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler,
+      concurrency: 5,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    try {
+      const result = await drainer.runOnce();
+      expect(result.drained).toBe(0);
+      expect(result.failed).toBe(0);
+      expect(handlerCalls).toBe(0);
+    } finally {
+      await buffer.close();
+    }
+  });
+});
+
+describe("MollifierDrainer.drainBatchSize", () => {
+  // Default behaviour (drainBatchSize=1) is exercised by every other
+  // test in this file — one pop per env per tick. These tests pin the
+  // single-env batched-pop fast path: with drainBatchSize=N, a single
+  // env with K buffered entries drains in ceil(K / N) ticks instead of
+  // K ticks, capped by the shared `concurrency` for in-flight handlers.
+
+  it("pops up to drainBatchSize entries from a single env in one tick", async () => {
+    const queue: string[] = Array.from({ length: 10 }, (_, i) => `run_${i}`);
+    const handled: string[] = [];
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg(["env_a"]),
+      pop: async (envId: string) => {
+        if (envId !== "env_a") return null;
+        const runId = queue.shift();
+        if (!runId) return null;
+        return {
+          runId,
+          envId: "env_a",
+          orgId: "org_1",
+          payload: "{}",
+          attempts: 0,
+          createdAt: new Date(),
+        } as any;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async (input) => {
+        handled.push(input.runId);
+      },
+      concurrency: 5,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      drainBatchSize: 5,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    const r1 = await drainer.runOnce();
+    expect(r1.drained).toBe(5);
+    expect(handled).toHaveLength(5);
+
+    const r2 = await drainer.runOnce();
+    expect(r2.drained).toBe(5);
+    expect(handled).toHaveLength(10);
+
+    // Queue now empty — next tick is a no-op.
+    const r3 = await drainer.runOnce();
+    expect(r3.drained).toBe(0);
+    expect(r3.failed).toBe(0);
+  });
+
+  it("respects global concurrency cap when batch dispatch exceeds it", async () => {
+    // drainBatchSize=10 with concurrency=3 means each tick pops 10
+    // entries but only 3 handlers run in parallel; the other 7 sit in
+    // pLimit's queue. The cap is on in-flight handlers, not on per-tick
+    // pop count.
+    const queue: string[] = Array.from({ length: 10 }, (_, i) => `run_${i}`);
+    let inflight = 0;
+    let peak = 0;
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg(["env_a"]),
+      pop: async (envId: string) => {
+        if (envId !== "env_a") return null;
+        const runId = queue.shift();
+        if (!runId) return null;
+        return {
+          runId,
+          envId: "env_a",
+          orgId: "org_1",
+          payload: "{}",
+          attempts: 0,
+          createdAt: new Date(),
+        } as any;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async () => {
+        inflight += 1;
+        if (inflight > peak) peak = inflight;
+        await new Promise((r) => setTimeout(r, 25));
+        inflight -= 1;
+      },
+      concurrency: 3,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      drainBatchSize: 10,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    const result = await drainer.runOnce();
+    expect(result.drained).toBe(10);
+    expect(peak).toBeGreaterThan(1); // genuinely parallel
+    expect(peak).toBeLessThanOrEqual(3); // capped
+  });
+
+  it("a mid-batch pop failure aborts that env's batch and counts as one failure", async () => {
+    // Pin: when the third pop on env_bad throws, the drainer stops
+    // popping from that env for this tick (no infinite retry inside one
+    // tick), the two entries already popped still get processed, and
+    // the env contributes exactly one to the failed count.
+    let envBadPops = 0;
+    let envGoodPops = 0;
+    const handled: string[] = [];
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg(["env_bad", "env_good"]),
+      pop: async (envId: string) => {
+        if (envId === "env_bad") {
+          envBadPops += 1;
+          if (envBadPops > 2) {
+            throw new Error("simulated pop failure mid-batch");
+          }
+          return {
+            runId: `bad_${envBadPops}`,
+            envId: "env_bad",
+            orgId: "org_bad",
+            payload: "{}",
+            attempts: 0,
+            createdAt: new Date(),
+          } as any;
+        }
+        // env_good — one entry then empty. Track via pop-count rather
+        // than handler-side state so the pop loop's synchronous "is the
+        // queue empty?" check doesn't race against the parallel handler
+        // dispatch that runs after the whole batch is collected.
+        envGoodPops += 1;
+        if (envGoodPops > 1) return null;
+        return {
+          runId: "good_1",
+          envId: "env_good",
+          orgId: "org_good",
+          payload: "{}",
+          attempts: 0,
+          createdAt: new Date(),
+        } as any;
+      },
+    });
+
+    const concurrency = 5;
+    const drainBatchSize = 5;
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async (input) => {
+        handled.push(input.runId);
+      },
+      concurrency,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      drainBatchSize,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    const result = await drainer.runOnce();
+    // The actual ENTRIES drained are deterministic regardless of races:
+    // env_bad's pop returns bad_1 then bad_2 (the only two snapshots it
+    // ever produces) and env_good's pop returns good_1 (its only entry).
+    expect(result.drained).toBe(3);
+    expect(new Set(handled)).toEqual(new Set(["bad_1", "bad_2", "good_1"]));
+    // Exactly one failure recorded for env_bad, even though multiple
+    // workers can race into a broken env before skip propagates — the
+    // catch guards the increment on `!skip.has(envId)`, so the documented
+    // "one failure per env batch" contract holds.
+    expect(result.failed).toBe(1);
+    // env_bad's pop call count is bounded too — at most concurrency
+    // retries after the first throw — definitely never reaches the
+    // drainBatchSize ceiling.
+    expect(envBadPops).toBeGreaterThanOrEqual(3);
+    expect(envBadPops).toBeLessThan(drainBatchSize + concurrency);
+  });
+
+  it("fans batched pops out across multiple envs in a single tick", async () => {
+    // Pin: with N envs each holding K entries and drainBatchSize=K, one
+    // tick pops N×K entries and dispatches them all through the shared
+    // pLimit. Closes the gap that all the other batch tests cover a
+    // single env in isolation.
+    const envCount = 10;
+    const perEnv = 10;
+    const queues = new Map<string, string[]>();
+    for (let i = 0; i < envCount; i++) {
+      queues.set(
+        `env_${i}`,
+        Array.from({ length: perEnv }, (_, j) => `env_${i}_run_${j}`),
+      );
+    }
+    const handled: string[] = [];
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg([...queues.keys()]),
+      pop: async (envId: string) => {
+        const q = queues.get(envId);
+        if (!q || q.length === 0) return null;
+        const runId = q.shift()!;
+        return {
+          runId,
+          envId,
+          orgId: envId,
+          payload: "{}",
+          attempts: 0,
+          createdAt: new Date(),
+        } as any;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async (input) => {
+        handled.push(input.runId);
+      },
+      concurrency: 20,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      drainBatchSize: perEnv,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    const r = await drainer.runOnce();
+    expect(r.drained).toBe(envCount * perEnv);
+    expect(handled).toHaveLength(envCount * perEnv);
+    // Every env contributed exactly perEnv entries.
+    const perEnvCounts = handled.reduce<Record<string, number>>((acc, runId) => {
+      const env = runId.replace(/_run_\d+$/, "");
+      acc[env] = (acc[env] ?? 0) + 1;
+      return acc;
+    }, {});
+    for (let i = 0; i < envCount; i++) {
+      expect(perEnvCounts[`env_${i}`]).toBe(perEnv);
+    }
+  });
+
+  it("preserves org-level fairness with drainBatchSize > 1", async () => {
+    // Regression guard for the hierarchical rotation property at batch
+    // > 1: a heavy org with many envs still gets ~1 org-slot per tick,
+    // not N. The original test at line ~1066 only exercises batchSize=1;
+    // this re-runs the same shape with batchSize=5 to ensure batching
+    // doesn't somehow give the noisy tenant more slots.
+    const orgAEnvs = Array.from({ length: 6 }, (_, i) => `env_orgA_${i}`);
+    const orgBEnv = "env_orgB_only";
+    const envOrg = new Map<string, string>();
+    for (const e of orgAEnvs) envOrg.set(e, "org_A");
+    envOrg.set(orgBEnv, "org_B");
+    const queues = new Map<string, Array<{ runId: string; orgId: string }>>();
+    for (const e of orgAEnvs) {
+      queues.set(
+        e,
+        Array.from({ length: 100 }, (_, i) => ({
+          runId: `${e}_run_${i}`,
+          orgId: "org_A",
+        })),
+      );
+    }
+    queues.set(
+      orgBEnv,
+      Array.from({ length: 100 }, (_, i) => ({
+        runId: `${orgBEnv}_run_${i}`,
+        orgId: "org_B",
+      })),
+    );
+
+    const drainedByOrg: Record<string, number> = { org_A: 0, org_B: 0 };
+    const buffer = makeStubBuffer({
+      listOrgs: async () => {
+        const orgs = new Set<string>();
+        for (const [envId, items] of queues.entries()) {
+          if (items.length > 0) orgs.add(envOrg.get(envId)!);
+        }
+        return [...orgs];
+      },
+      listEnvsForOrg: async (orgId: string) => {
+        const envs: string[] = [];
+        for (const [envId, items] of queues.entries()) {
+          if (items.length > 0 && envOrg.get(envId) === orgId) envs.push(envId);
+        }
+        return envs;
+      },
+      pop: async (envId: string) => {
+        const q = queues.get(envId);
+        if (!q || q.length === 0) return null;
+        const entry = q.shift()!;
+        return {
+          runId: entry.runId,
+          envId,
+          orgId: entry.orgId,
+          payload: "{}",
+          attempts: 0,
+          createdAt: new Date(),
+        } as any;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async (input) => {
+        drainedByOrg[input.orgId] = (drainedByOrg[input.orgId] ?? 0) + 1;
+      },
+      concurrency: 10,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      maxOrgsPerTick: 100,
+      drainBatchSize: 5,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    for (let i = 0; i < 20; i++) {
+      await drainer.runOnce();
+    }
+
+    expect(drainedByOrg["org_A"]).toBeGreaterThan(0);
+    expect(drainedByOrg["org_B"]).toBeGreaterThan(0);
+    const ratio = drainedByOrg["org_A"]! / drainedByOrg["org_B"]!;
+    // Same fairness window as the batchSize=1 sibling test — batching
+    // multiplies per-tick throughput uniformly, not asymmetrically.
+    expect(ratio).toBeGreaterThan(0.7);
+    expect(ratio).toBeLessThan(1.5);
+  });
+
+  it("counts mixed handler success and failure within a batched tick correctly", async () => {
+    // 5 envs, one entry each, drainBatchSize=5. Three handlers succeed,
+    // two throw non-retryable → drained=3, failed=2. Pins that the batched
+    // dispatch's drained/failed accounting per entry is preserved when
+    // multiple outcomes interleave in one tick.
+    const envs = ["env_ok_1", "env_ok_2", "env_ok_3", "env_fail_1", "env_fail_2"];
+    const popsByEnv = new Map<string, number>();
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg(envs),
+      pop: async (envId: string) => {
+        if (!envs.includes(envId)) return null;
+        // One entry per env then empty. Track via a per-env pop counter
+        // so the batch loop terminates after the first hit even though
+        // drainBatchSize=5.
+        const popped = (popsByEnv.get(envId) ?? 0) + 1;
+        popsByEnv.set(envId, popped);
+        if (popped > 1) return null;
+        return {
+          runId: `run_${envId}`,
+          envId,
+          orgId: envId,
+          payload: "{}",
+          attempts: 0,
+          createdAt: new Date(),
+        } as any;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async (input) => {
+        if (input.envId.startsWith("env_fail")) {
+          throw new Error("simulated handler failure");
+        }
+      },
+      concurrency: 10,
+      maxAttempts: 3,
+      isRetryable: () => false, // non-retryable → terminal on first attempt
+      drainBatchSize: 5,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    const r = await drainer.runOnce();
+    expect(r.drained).toBe(3);
+    expect(r.failed).toBe(2);
+  });
+
+  it("never has more than `concurrency` entries popped-but-not-acked at any moment", async () => {
+    // Regression guard for the DRAINING blast radius. Each pop+process
+    // happens inside a single pLimit slot, so at any instant the number
+    // of entries that have been popped (and therefore marked DRAINING in
+    // a real buffer) but not yet acked is bounded by `concurrency`. This
+    // matters because the stale sweep only catches DRAINING entries
+    // visibly after a threshold — a process crash with thousands of
+    // mid-flight entries would mean a long detection/recovery window.
+    const envCount = 10;
+    const perEnv = 20;
+    const queues = new Map<string, string[]>();
+    for (let i = 0; i < envCount; i++) {
+      queues.set(
+        `env_${i}`,
+        Array.from({ length: perEnv }, (_, j) => `env_${i}_run_${j}`),
+      );
+    }
+    let inflightPoppedNotAcked = 0;
+    let peak = 0;
+    const concurrency = 4;
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg([...queues.keys()]),
+      pop: async (envId: string) => {
+        const q = queues.get(envId);
+        if (!q || q.length === 0) return null;
+        const runId = q.shift()!;
+        inflightPoppedNotAcked += 1;
+        if (inflightPoppedNotAcked > peak) peak = inflightPoppedNotAcked;
+        return {
+          runId,
+          envId,
+          orgId: envId,
+          payload: "{}",
+          attempts: 0,
+          createdAt: new Date(),
+        } as any;
+      },
+      ack: async () => {
+        inflightPoppedNotAcked -= 1;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async () => {
+        // Force handler overlap if scheduling allowed it — without a
+        // tight per-slot bound the peak would visibly exceed `concurrency`.
+        await new Promise((r) => setTimeout(r, 15));
+      },
+      concurrency,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      drainBatchSize: perEnv,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    const r = await drainer.runOnce();
+    expect(r.drained).toBe(envCount * perEnv);
+    expect(peak).toBeGreaterThan(1); // concurrency is real, not serialised
+    expect(peak).toBeLessThanOrEqual(concurrency); // and bounded by it
+    expect(inflightPoppedNotAcked).toBe(0); // everything settled
+  });
+
+  it("stops popping early when the env's queue empties before reaching drainBatchSize", async () => {
+    const queue = ["only_1", "only_2"];
+    const handled: string[] = [];
+    let popCalls = 0;
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg(["env_a"]),
+      pop: async (envId: string) => {
+        if (envId !== "env_a") return null;
+        popCalls += 1;
+        const runId = queue.shift();
+        if (!runId) return null;
+        return {
+          runId,
+          envId: "env_a",
+          orgId: "org_1",
+          payload: "{}",
+          attempts: 0,
+          createdAt: new Date(),
+        } as any;
+      },
+    });
+
+    const concurrency = 5;
+    const drainBatchSize = 10;
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async (input) => {
+        handled.push(input.runId);
+      },
+      concurrency,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      drainBatchSize,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    const r = await drainer.runOnce();
+    expect(r.drained).toBe(2);
+    expect(new Set(handled)).toEqual(new Set(["only_1", "only_2"]));
+    // The property we're pinning: pop calls are bounded by concurrency
+    // (plus the original two successes) once the queue empties — they
+    // never run all the way up to drainBatchSize. With concurrency > 1
+    // multiple workers can race to pop env_a before `skip.add` lands,
+    // so the upper bound is the worker count, not a tight "3".
+    expect(popCalls).toBeGreaterThanOrEqual(3); // 2 success + ≥1 sentinel null
+    expect(popCalls).toBeLessThanOrEqual(concurrency + 2);
+    expect(popCalls).toBeLessThan(drainBatchSize); // bounded — the actual safety property
+  });
+});
+
+describe("MollifierDrainer error handling", () => {
+  redisTest("retryable error requeues and increments attempts", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      ...noopOptions,
+    });
+
+    let calls = 0;
+    const handler = async () => {
+      calls++;
+      throw new Error("transient");
+    };
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler,
+      concurrency: 1,
+      maxAttempts: 3,
+      isRetryable: () => true,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    try {
+      await buffer.accept({ runId: "run_r", envId: "env_a", orgId: "org_1", payload: "{}" });
+
+      await drainer.runOnce();
+      const after1 = await buffer.getEntry("run_r");
+      expect(after1!.status).toBe("QUEUED");
+      expect(after1!.attempts).toBe(1);
+
+      await drainer.runOnce();
+      const after2 = await buffer.getEntry("run_r");
+      expect(after2!.status).toBe("QUEUED");
+      expect(after2!.attempts).toBe(2);
+
+      const result3 = await drainer.runOnce();
+      // On attempt 3 the drainer hits maxAttempts and calls fail(),
+      // which deletes the entry — once the drainer-handler has written
+      // the SYSTEM_FAILURE PG row the buffer entry is no longer
+      // load-bearing. The runOnce result is the surviving signal.
+      const after3 = await buffer.getEntry("run_r");
+      expect(after3).toBeNull();
+      expect(result3.failed).toBe(1);
+      expect(calls).toBe(3);
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest("non-retryable error transitions directly to FAILED", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      ...noopOptions,
+    });
+
+    const handler = async () => {
+      throw new Error("validation failure");
+    };
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler,
+      concurrency: 1,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    try {
+      await buffer.accept({ runId: "run_nr", envId: "env_a", orgId: "org_1", payload: "{}" });
+
+      const result = await drainer.runOnce();
+
+      // fail() deletes the entry once the drainer-handler has written
+      // the canonical SYSTEM_FAILURE PG row.
+      const entry = await buffer.getEntry("run_nr");
+      expect(entry).toBeNull();
+      expect(result.failed).toBe(1);
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest(
+    "multi-org round-robin: drains one item per org per runOnce",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        ...noopOptions,
+      });
+
+      const handled: string[] = [];
+      const handler = async (input: { runId: string }) => {
+        handled.push(input.runId);
+      };
+
+      const drainer = new MollifierDrainer({
+        buffer,
+        handler,
+        concurrency: 10,
+        maxAttempts: 3,
+        isRetryable: () => false,
+        logger: new Logger("test-drainer", "log"),
+      });
+
+      try {
+        // org_A has two envs (env_a, env_b) → drainer picks one per tick
+        // via the per-org env cursor. org_B has one env (env_c) → it's
+        // always picked when org_B is in the slice.
+        await buffer.accept({ runId: "a1", envId: "env_a", orgId: "org_A", payload: "{}" });
+        await buffer.accept({ runId: "b1", envId: "env_b", orgId: "org_A", payload: "{}" });
+        await buffer.accept({ runId: "c1", envId: "env_c", orgId: "org_B", payload: "{}" });
+
+        // Tick 1: 2 orgs in slice → 2 pops, one from org_A's rotating env
+        // pick and one from org_B's only env.
+        const r1 = await drainer.runOnce();
+        expect(r1.drained).toBe(2);
+        expect(handled).toContain("c1");
+        // Org_A contributed exactly one of {a1, b1}.
+        const orgADrainedTick1 = handled.filter((h) => h === "a1" || h === "b1");
+        expect(orgADrainedTick1).toHaveLength(1);
+
+        handled.length = 0;
+        // Tick 2: org_B's queue is empty (only had 1 entry, drained tick 1).
+        // listOrgs returns [org_A] only. Drain the remaining org_A env.
+        const r2 = await drainer.runOnce();
+        expect(r2.drained).toBe(1);
+        expect(handled).toHaveLength(1);
+        expect(["a1", "b1"]).toContain(handled[0]);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+// `onTerminalFailure` is the callback the drainer fires on any terminal
+// path (non-retryable OR max-attempts-exhausted retryable) before it
+// calls `buffer.fail()`. Webapp wires it to `createFailedTaskRun` so the
+// customer's run lands a SYSTEM_FAILURE PG row in both cases. Pre-fix,
+// the retryable-exhausted path called `buffer.fail()` with no PG row,
+// silently losing the run. These tests pin both terminal causes plus the
+// retry-on-retryable-callback-failure escape hatch.
+describe("MollifierDrainer.onTerminalFailure", () => {
+  redisTest(
+    "fires with cause max-attempts-exhausted after retryable failures exhaust",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        ...noopOptions,
+      });
+
+      let handlerCalls = 0;
+      const handler = async () => {
+        handlerCalls++;
+        throw new Error("retryable PG blip");
+      };
+
+      type TerminalCallArgs = {
+        runId: string;
+        attempts: number;
+        cause: "non-retryable" | "max-attempts-exhausted";
+        errorMessage: string;
+      };
+      const terminalCalls: TerminalCallArgs[] = [];
+
+      const drainer = new MollifierDrainer({
+        buffer,
+        handler,
+        onTerminalFailure: async (input) => {
+          terminalCalls.push({
+            runId: input.runId,
+            attempts: input.attempts,
+            cause: input.cause,
+            errorMessage: input.error.message,
+          });
+        },
+        concurrency: 1,
+        maxAttempts: 2,
+        isRetryable: () => true,
+        logger: new Logger("test-drainer", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "run_exhaust", envId: "env_a", orgId: "org_1", payload: "{}" });
+
+        // Attempt 1: retryable error → requeue, no terminal callback fires.
+        const r1 = await drainer.runOnce();
+        expect(r1.failed).toBe(1);
+        expect(terminalCalls).toHaveLength(0);
+        const after1 = await buffer.getEntry("run_exhaust");
+        expect(after1!.status).toBe("QUEUED");
+        expect(after1!.attempts).toBe(1);
+
+        // Attempt 2: maxAttempts (2) reached → terminal callback fires
+        // with cause "max-attempts-exhausted", THEN buffer.fail() deletes.
+        const r2 = await drainer.runOnce();
+        expect(r2.failed).toBe(1);
+        expect(handlerCalls).toBe(2);
+        expect(terminalCalls).toHaveLength(1);
+        expect(terminalCalls[0]).toMatchObject({
+          runId: "run_exhaust",
+          attempts: 2,
+          cause: "max-attempts-exhausted",
+          errorMessage: "retryable PG blip",
+        });
+        // buffer entry torn down post-callback.
+        expect(await buffer.getEntry("run_exhaust")).toBeNull();
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "fires with cause non-retryable on the first non-retryable error",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        ...noopOptions,
+      });
+
+      const handler = async () => {
+        throw new Error("validation failure");
+      };
+
+      const terminalCalls: Array<{ cause: string; attempts: number }> = [];
+      const drainer = new MollifierDrainer({
+        buffer,
+        handler,
+        onTerminalFailure: async (input) => {
+          terminalCalls.push({ cause: input.cause, attempts: input.attempts });
+        },
+        concurrency: 1,
+        // Generous attempts budget — non-retryable should bypass it
+        // entirely and terminate on the first attempt.
+        maxAttempts: 5,
+        isRetryable: () => false,
+        logger: new Logger("test-drainer", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "run_nr", envId: "env_a", orgId: "org_1", payload: "{}" });
+
+        const r = await drainer.runOnce();
+        expect(r.failed).toBe(1);
+        expect(terminalCalls).toHaveLength(1);
+        expect(terminalCalls[0]).toEqual({ cause: "non-retryable", attempts: 1 });
+        expect(await buffer.getEntry("run_nr")).toBeNull();
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "callback throwing a retryable error requeues instead of failing",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        ...noopOptions,
+      });
+
+      // Handler always fails (non-retryable so we hit onTerminalFailure
+      // on the first attempt regardless of maxAttempts).
+      const handler = async () => {
+        throw new Error("validation failure");
+      };
+
+      let callbackInvocations = 0;
+      const drainer = new MollifierDrainer({
+        buffer,
+        handler,
+        onTerminalFailure: async () => {
+          callbackInvocations++;
+          // Simulate PG still unreachable when we try to write the
+          // SYSTEM_FAILURE row — drainer should requeue, not fail.
+          const err: Error & { code?: string } = new Error("Can't reach database server");
+          err.code = "P1001";
+          throw err;
+        },
+        concurrency: 1,
+        maxAttempts: 3,
+        // Both `validation failure` (handler) AND `P1001` (callback) are
+        // retryable from the drainer's perspective. The handler's
+        // non-retryable disposition is set by the underlying error
+        // identity, not by `isRetryable` — callers like the webapp use a
+        // narrower retryable predicate. Here we set `isRetryable: true`
+        // because the test only cares about the callback-retryable path.
+        isRetryable: () => true,
+        logger: new Logger("test-drainer", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "run_cb_retry", envId: "env_a", orgId: "org_1", payload: "{}" });
+
+        // Tick 1: handler throws → attempts=1 < maxAttempts=3 → requeue
+        // (no callback invocation, retryable path).
+        const r1 = await drainer.runOnce();
+        expect(r1.failed).toBe(1);
+        expect(callbackInvocations).toBe(0);
+        const after1 = await buffer.getEntry("run_cb_retry");
+        expect(after1!.status).toBe("QUEUED");
+        expect(after1!.attempts).toBe(1);
+
+        // Tick 2: handler throws → attempts=2 < 3 → requeue again.
+        const r2 = await drainer.runOnce();
+        expect(r2.failed).toBe(1);
+        expect(callbackInvocations).toBe(0);
+
+        // Tick 3: handler throws → attempts=3 (the nextAttempts check is
+        // `< maxAttempts`, so 3 < 3 is false) → terminal. Callback throws
+        // retryable → drainer requeues instead of fail(). Entry survives.
+        const r3 = await drainer.runOnce();
+        expect(r3.failed).toBe(1);
+        expect(callbackInvocations).toBe(1);
+        const after3 = await buffer.getEntry("run_cb_retry");
+        expect(after3).not.toBeNull();
+        expect(after3!.status).toBe("QUEUED");
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "callback throwing a non-retryable error falls through to buffer.fail()",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        ...noopOptions,
+      });
+
+      const handler = async () => {
+        throw new Error("validation failure");
+      };
+
+      const drainer = new MollifierDrainer({
+        buffer,
+        handler,
+        onTerminalFailure: async () => {
+          // Genuinely bad write (e.g. snapshot too malformed to insert).
+          // Drainer must NOT loop on this — falls through to buffer.fail.
+          throw new Error("malformed snapshot");
+        },
+        concurrency: 1,
+        maxAttempts: 3,
+        isRetryable: () => false,
+        logger: new Logger("test-drainer", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "run_cb_dead", envId: "env_a", orgId: "org_1", payload: "{}" });
+
+        const r = await drainer.runOnce();
+        expect(r.failed).toBe(1);
+        // Entry was failed despite the callback throwing — the
+        // non-retryable branch of the callback-error guard sends it to
+        // buffer.fail so a poisoned run can't loop forever.
+        expect(await buffer.getEntry("run_cb_dead")).toBeNull();
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+
+  redisTest(
+    "no onTerminalFailure provided keeps pre-fix behaviour (buffer.fail with no callback)",
+    { timeout: 20_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        ...noopOptions,
+      });
+
+      const handler = async () => {
+        throw new Error("validation failure");
+      };
+
+      const drainer = new MollifierDrainer({
+        buffer,
+        handler,
+        // onTerminalFailure intentionally omitted — verifies the option
+        // is genuinely optional and backwards-compatible.
+        concurrency: 1,
+        maxAttempts: 2,
+        isRetryable: () => false,
+        logger: new Logger("test-drainer", "log"),
+      });
+
+      try {
+        await buffer.accept({ runId: "run_no_cb", envId: "env_a", orgId: "org_1", payload: "{}" });
+        const r = await drainer.runOnce();
+        expect(r.failed).toBe(1);
+        expect(await buffer.getEntry("run_no_cb")).toBeNull();
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
+
+// Transient Redis errors used to permanently kill the loop because
+// `processOneFromEnv` didn't catch `buffer.pop()` rejections — the error
+// bubbled through `Promise.all` → `runOnce` → `loop`'s outer catch and
+// left `isRunning = false`. These tests use a stubbed buffer (no Redis
+// container) so we can deterministically inject failures from `listEnvs`
+// and `pop` without racing against a real client.
+describe("MollifierDrainer resilience to transient buffer errors", () => {
+  it("survives a transient listOrgs failure and resumes draining", async () => {
+    let listCalls = 0;
+    const popped: string[] = [];
+    const buffer = makeStubBuffer({
+      listOrgs: async () => {
+        listCalls += 1;
+        if (listCalls === 1) {
+          throw new Error("simulated redis blip");
+        }
+        return ["env_a"];
+      },
+      listEnvsForOrg: async (orgId: string) => (orgId === "env_a" ? ["env_a"] : []),
+      pop: async () => {
+        const runId = `run_${popped.length + 1}`;
+        if (popped.length >= 2) return null;
+        popped.push(runId);
+        return {
+          runId,
+          envId: "env_a",
+          orgId: "org_1",
+          payload: "{}",
+          attempts: 0,
+          createdAt: new Date(),
+        } as any;
+      },
+    });
+
+    const handled: string[] = [];
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async (input) => {
+        handled.push(input.runId);
+      },
+      concurrency: 1,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      pollIntervalMs: 20,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    drainer.start();
+    const deadline = Date.now() + 3_000;
+    while (handled.length < 2 && Date.now() < deadline) {
+      await new Promise((r) => setTimeout(r, 20));
+    }
+    await drainer.stop({ timeoutMs: 1_000 });
+
+    expect(handled).toEqual(["run_1", "run_2"]);
+    expect(listCalls).toBeGreaterThan(1);
+  });
+
+  it("a pop failure for one env doesn't poison the rest of the batch", async () => {
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg(["bad", "good"]),
+      pop: async (envId: string) => {
+        if (envId === "bad") {
+          throw new Error("simulated pop failure on bad env");
+        }
+        return {
+          runId: "run_good",
+          envId: "good",
+          orgId: "org_1",
+          payload: "{}",
+          attempts: 0,
+          createdAt: new Date(),
+        } as any;
+      },
+    });
+
+    const handled: string[] = [];
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async (input) => {
+        handled.push(input.runId);
+      },
+      concurrency: 5,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    const result = await drainer.runOnce();
+    expect(result.drained).toBe(1);
+    expect(result.failed).toBe(1);
+    expect(handled).toEqual(["run_good"]);
+  });
+
+  it("a requeue failure during retry recovery doesn't poison the rest of the batch", async () => {
+    // Regression: handler throws a retryable error → processEntry calls
+    // buffer.requeue() inside its catch block. If requeue() itself throws
+    // (Redis blip during error recovery), the rejection used to escape
+    // processOneFromEnv unwrapped and reject the runOnce Promise.all,
+    // dropping handler results from sibling envs in the same tick.
+    const handled: string[] = [];
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg(["bad", "good"]),
+      pop: async (envId: string) =>
+        ({
+          runId: envId === "bad" ? "run_bad" : "run_good",
+          envId,
+          orgId: "org_1",
+          payload: "{}",
+          attempts: 0,
+          createdAt: new Date(),
+        }) as any,
+      requeue: async () => {
+        throw new Error("simulated requeue failure");
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async (input) => {
+        handled.push(input.runId);
+        if (input.runId === "run_bad") throw new Error("transient");
+      },
+      concurrency: 5,
+      maxAttempts: 3,
+      isRetryable: () => true,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    const result = await drainer.runOnce();
+    // Two envs scheduled, one handler succeeded (drained), one handler threw
+    // and its recovery requeue threw too — counted as failed, batch not poisoned.
+    expect(result.drained).toBe(1);
+    expect(result.failed).toBe(1);
+    expect(new Set(handled)).toEqual(new Set(["run_bad", "run_good"]));
+  });
+
+  it("a fail() throw during terminal recovery doesn't poison the rest of the batch", async () => {
+    // Regression: handler throws a non-retryable error → processEntry calls
+    // buffer.fail() inside its catch block. If fail() itself throws, the
+    // rejection used to escape unwrapped and reject runOnce's Promise.all.
+    const handled: string[] = [];
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg(["bad", "good"]),
+      pop: async (envId: string) =>
+        ({
+          runId: envId === "bad" ? "run_bad" : "run_good",
+          envId,
+          orgId: "org_1",
+          payload: "{}",
+          attempts: 0,
+          createdAt: new Date(),
+        }) as any,
+      fail: async () => {
+        throw new Error("simulated fail() failure");
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async (input) => {
+        handled.push(input.runId);
+        if (input.runId === "run_bad") throw new Error("terminal");
+      },
+      concurrency: 5,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    const result = await drainer.runOnce();
+    expect(result.drained).toBe(1);
+    expect(result.failed).toBe(1);
+    expect(new Set(handled)).toEqual(new Set(["run_bad", "run_good"]));
+  });
+});
+
+describe("MollifierDrainer per-tick org cap", () => {
+  // Bounding fan-out prevents one runOnce from queuing thousands of
+  // processOneFromEnv jobs when the org set is unexpectedly large.
+  // These tests use a stub buffer so we can drive the org/env counts
+  // deterministically without provisioning a real Redis with thousands
+  // of envs.
+
+  it("processes at most maxOrgsPerTick envs per runOnce", async () => {
+    const allEnvs = Array.from({ length: 20 }, (_, i) => `env_${i}`);
+    const popped: string[] = [];
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg(allEnvs),
+      pop: async (envId: string) => {
+        popped.push(envId);
+        return null; // empty queue — runOnce records this as "empty"
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async () => {},
+      concurrency: 5,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      maxOrgsPerTick: 5,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    await drainer.runOnce();
+    expect(popped).toHaveLength(5);
+  });
+
+  it("covers the full env set across `envs.length` ticks when sliced", async () => {
+    const allEnvs = Array.from({ length: 12 }, (_, i) => `env_${i}`);
+    const popped: string[] = [];
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg(allEnvs),
+      pop: async (envId: string) => {
+        popped.push(envId);
+        return null;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async () => {},
+      concurrency: 4,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      maxOrgsPerTick: 4,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    // Cursor advances by 1 each tick. Over envs.length ticks every env
+    // appears in exactly `sliceSize` of them (slices overlap — intentional,
+    // see the head-of-line fairness test below).
+    for (let i = 0; i < allEnvs.length; i++) {
+      await drainer.runOnce();
+    }
+
+    expect(new Set(popped)).toEqual(new Set(allEnvs));
+    expect(popped).toHaveLength(allEnvs.length * 4); // envs.length × sliceSize
+    const perEnvCounts = popped.reduce<Record<string, number>>((acc, e) => {
+      acc[e] = (acc[e] ?? 0) + 1;
+      return acc;
+    }, {});
+    for (const env of allEnvs) {
+      expect(perEnvCounts[env]).toBe(4);
+    }
+  });
+
+  it("preserves head-of-line fairness when sliced: every env reaches every slice position", async () => {
+    // Regression test for the bias that advance-by-sliceSize would
+    // reintroduce. With fixed disjoint slices, env_0 would always be at
+    // position 0 (first into pLimit) and env_(sliceSize-1) would always
+    // be last. Advance-by-1 spreads each env across every slot.
+    const allEnvs = Array.from({ length: 8 }, (_, i) => `env_${i}`);
+    const sliceSize = 4;
+    const positionsByEnv = new Map<string, Set<number>>();
+    for (const env of allEnvs) positionsByEnv.set(env, new Set());
+
+    let currentTick: string[] = [];
+    const popOrderBuffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg(allEnvs),
+      pop: async (envId: string) => {
+        currentTick.push(envId);
+        return null;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer: popOrderBuffer,
+      handler: async () => {},
+      // Concurrency >= sliceSize so pLimit doesn't reorder — pop call order
+      // matches the slice's scheduling order (i.e. the env's slot position).
+      concurrency: sliceSize,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      maxOrgsPerTick: sliceSize,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    for (let tick = 0; tick < allEnvs.length; tick++) {
+      currentTick = [];
+      await drainer.runOnce();
+      currentTick.forEach((env, position) => {
+        positionsByEnv.get(env)!.add(position);
+      });
+    }
+
+    // Each env should have occupied every slot 0..sliceSize-1 across the
+    // cycle. If we'd regressed to advance-by-sliceSize, env_0 would only
+    // ever be at position 0 and env_3 only at position 3.
+    for (const env of allEnvs) {
+      const positions = positionsByEnv.get(env)!;
+      expect(positions.size).toBe(sliceSize);
+      for (let p = 0; p < sliceSize; p++) {
+        expect(positions.has(p)).toBe(true);
+      }
+    }
+  });
+
+  it("takes all envs and rotates by 1 when the set fits within the cap", async () => {
+    const allEnvs = ["env_a", "env_b", "env_c"];
+    const popsPerTick: string[][] = [];
+    let tick: string[] = [];
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg(allEnvs),
+      pop: async (envId: string) => {
+        tick.push(envId);
+        return null;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async () => {},
+      concurrency: 3,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      maxOrgsPerTick: 100, // way above n
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    for (let i = 0; i < 3; i++) {
+      tick = [];
+      await drainer.runOnce();
+      popsPerTick.push(tick);
+    }
+
+    // Every tick covers every env (because cap > n), but the head-of-line
+    // env rotates by 1 each tick — preserves the original fairness behaviour.
+    for (const popped of popsPerTick) {
+      expect(new Set(popped)).toEqual(new Set(allEnvs));
+    }
+    const [tick0, tick1, tick2] = popsPerTick;
+    expect(tick0?.[0]).not.toEqual(tick1?.[0]);
+    expect(tick1?.[0]).not.toEqual(tick2?.[0]);
+  });
+
+  it("a light env is not starved behind heavy envs", async () => {
+    // The buffer's atomic Lua removes an env from `mollifier:envs` the
+    // moment its queue becomes empty, so a heavy env with thousands of
+    // pending entries stays in listEnvs and a light env with a single
+    // entry only stays until that one entry pops. Combined with the
+    // advance-by-1 cursor, this means the light env can't be parked
+    // behind heavy envs indefinitely — it gets popped within at most
+    // `envs.length - sliceSize + 1` ticks regardless of how many
+    // entries the heavy envs have queued.
+    const heavy = Array.from({ length: 6 }, (_, i) => `env_heavy_${i}`);
+    const light = "env_light";
+    const queues = new Map<string, string[]>();
+    for (const h of heavy) {
+      queues.set(
+        h,
+        Array.from({ length: 100 }, (_, i) => `${h}_run_${i}`),
+      );
+    }
+    queues.set(light, [`${light}_run_0`]);
+
+    const activeEnvs = () =>
+      [...queues.keys()].filter((k) => (queues.get(k)?.length ?? 0) > 0);
+    const buffer = makeStubBuffer({
+      listOrgs: async () => activeEnvs(),
+      listEnvsForOrg: async (orgId: string) =>
+        activeEnvs().includes(orgId) ? [orgId] : [],
+      pop: async (envId: string) => {
+        const q = queues.get(envId);
+        if (!q || q.length === 0) return null;
+        const runId = q.shift()!;
+        return {
+          runId,
+          envId,
+          orgId: "org_1",
+          payload: "{}",
+          status: "DRAINING",
+          attempts: 0,
+          createdAt: new Date(),
+        } as any;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async () => {},
+      concurrency: 4,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      maxOrgsPerTick: 4, // < 7 envs so we exercise slicing
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    // 7 envs, sliceSize=4 → worst-case wait for env_light is 4 ticks
+    // (it appears in the slice in exactly 4 of every 7 ticks). Run 7 to
+    // give the upper bound a wide margin.
+    const ticksUntilLightDrained = await (async () => {
+      for (let tick = 1; tick <= 7; tick++) {
+        await drainer.runOnce();
+        if ((queues.get(light)?.length ?? 0) === 0) return tick;
+      }
+      return Infinity;
+    })();
+
+    expect(ticksUntilLightDrained).toBeLessThanOrEqual(4);
+    // Sanity: heavy envs are being worked on (not starved themselves) but
+    // are far from drained — confirms we measured the right property.
+    for (const h of heavy) {
+      const remaining = queues.get(h)!.length;
+      expect(remaining).toBeGreaterThan(0);
+      expect(remaining).toBeLessThan(100);
+    }
+  });
+
+  it("a light org is not starved behind a heavy org with many envs", async () => {
+    // Org-level no-starvation: org_B's single entry drains within ~1
+    // tick because the drainer walks orgs at the top level. Org_A
+    // having many envs doesn't give it extra rotation slots.
+    const orgAEnvs = Array.from({ length: 6 }, (_, i) => `env_orgA_${i}`);
+    const orgBEnv = "env_orgB_only";
+    const envOrg = new Map<string, string>();
+    for (const e of orgAEnvs) envOrg.set(e, "org_A");
+    envOrg.set(orgBEnv, "org_B");
+    const queues = new Map<string, Array<{ runId: string; orgId: string }>>();
+    for (const e of orgAEnvs) {
+      queues.set(
+        e,
+        Array.from({ length: 100 }, (_, i) => ({
+          runId: `${e}_run_${i}`,
+          orgId: "org_A",
+        })),
+      );
+    }
+    queues.set(orgBEnv, [{ runId: `${orgBEnv}_run_0`, orgId: "org_B" }]);
+
+    const drainedByOrg: Record<string, number> = { org_A: 0, org_B: 0 };
+    const buffer = makeStubBuffer({
+      listOrgs: async () => {
+        const orgs = new Set<string>();
+        for (const [envId, items] of queues.entries()) {
+          if (items.length > 0) orgs.add(envOrg.get(envId)!);
+        }
+        return [...orgs];
+      },
+      listEnvsForOrg: async (orgId: string) => {
+        const envs: string[] = [];
+        for (const [envId, items] of queues.entries()) {
+          if (items.length > 0 && envOrg.get(envId) === orgId) envs.push(envId);
+        }
+        return envs;
+      },
+      pop: async (envId: string) => {
+        const q = queues.get(envId);
+        if (!q || q.length === 0) return null;
+        const entry = q.shift()!;
+        return {
+          runId: entry.runId,
+          envId,
+          orgId: entry.orgId,
+          payload: "{}",
+          status: "DRAINING",
+          attempts: 0,
+          createdAt: new Date(),
+        } as any;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async (input) => {
+        drainedByOrg[input.orgId] = (drainedByOrg[input.orgId] ?? 0) + 1;
+      },
+      concurrency: 4,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      maxOrgsPerTick: 4,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    // Only 2 orgs in play → both are in every tick's slice. Org_B's
+    // single env is popped on tick 1.
+    const ticksUntilOrgBDrained = await (async () => {
+      for (let tick = 1; tick <= 7; tick++) {
+        await drainer.runOnce();
+        if ((drainedByOrg["org_B"] ?? 0) > 0) return tick;
+      }
+      return Infinity;
+    })();
+
+    expect(ticksUntilOrgBDrained).toBe(1);
+    // Sanity: org_A is being drained too (not starved itself) but its many
+    // envs are far from empty.
+    expect(drainedByOrg["org_A"]).toBeGreaterThan(0);
+    for (const e of orgAEnvs) {
+      expect(queues.get(e)!.length).toBeGreaterThan(0);
+    }
+  });
+
+  it("a heavy org with many envs gets ~1 slot per tick, not N slots", async () => {
+    // Hierarchical rotation property: an org with N envs gets the SAME
+    // per-tick scheduling slot as an org with 1 env, instead of N slots
+    // (which is what per-env rotation would give). Sustained-run drainage
+    // rate is therefore determined by org count, not env count.
+    //
+    // Org_A: 6 envs × 100 entries (a noisy tenant).
+    // Org_B: 1 env × 100 entries (a quiet tenant).
+    // Per-env rotation would drain org_A 6× faster than org_B. The org-
+    // level walk via listOrgs → listEnvsForOrg drains them at ~1:1 over
+    // a sustained window.
+    const orgAEnvs = Array.from({ length: 6 }, (_, i) => `env_orgA_${i}`);
+    const orgBEnv = "env_orgB_only";
+    const envOrg = new Map<string, string>();
+    for (const e of orgAEnvs) envOrg.set(e, "org_A");
+    envOrg.set(orgBEnv, "org_B");
+    const queues = new Map<string, Array<{ runId: string; orgId: string }>>();
+    for (const e of orgAEnvs) {
+      queues.set(
+        e,
+        Array.from({ length: 100 }, (_, i) => ({
+          runId: `${e}_run_${i}`,
+          orgId: "org_A",
+        })),
+      );
+    }
+    queues.set(
+      orgBEnv,
+      Array.from({ length: 100 }, (_, i) => ({
+        runId: `${orgBEnv}_run_${i}`,
+        orgId: "org_B",
+      })),
+    );
+
+    const drainedByOrg: Record<string, number> = { org_A: 0, org_B: 0 };
+    const buffer = makeStubBuffer({
+      listOrgs: async () => {
+        const orgs = new Set<string>();
+        for (const [envId, items] of queues.entries()) {
+          if (items.length > 0) orgs.add(envOrg.get(envId)!);
+        }
+        return [...orgs];
+      },
+      listEnvsForOrg: async (orgId: string) => {
+        const envs: string[] = [];
+        for (const [envId, items] of queues.entries()) {
+          if (items.length > 0 && envOrg.get(envId) === orgId) envs.push(envId);
+        }
+        return envs;
+      },
+      pop: async (envId: string) => {
+        const q = queues.get(envId);
+        if (!q || q.length === 0) return null;
+        const entry = q.shift()!;
+        return {
+          runId: entry.runId,
+          envId,
+          orgId: entry.orgId,
+          payload: "{}",
+          status: "DRAINING",
+          attempts: 0,
+          createdAt: new Date(),
+        } as any;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async (input) => {
+        drainedByOrg[input.orgId] = (drainedByOrg[input.orgId] ?? 0) + 1;
+      },
+      concurrency: 10,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      maxOrgsPerTick: 100, // unsliced — every org gets a slot every tick
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    for (let i = 0; i < 20; i++) {
+      await drainer.runOnce();
+    }
+
+    // Under per-env rotation, drainedByOrg.org_A would be ~6× larger than
+    // drainedByOrg.org_B. Under hierarchical, the ratio is ~1.
+    expect(drainedByOrg["org_A"]).toBeGreaterThan(0);
+    expect(drainedByOrg["org_B"]).toBeGreaterThan(0);
+    const ratio = drainedByOrg["org_A"]! / drainedByOrg["org_B"]!;
+    expect(ratio).toBeGreaterThan(0.7);
+    expect(ratio).toBeLessThan(1.5);
+  });
+
+  it("within an org, envs are rotated round-robin across ticks", async () => {
+    // An org with N envs picks one env per tick, cycling through its
+    // envs via the per-org env cursor. Inner cursor advances by 1 per
+    // visit to the org (analogous to head-of-line fairness within a
+    // slice, but at the env-within-org layer).
+    const orgEnvs = ["env_x", "env_y", "env_z"];
+    const orgId = "org_solo";
+    const queues = new Map<string, number>();
+    for (const e of orgEnvs) queues.set(e, 100);
+
+    const poppedSequence: string[] = [];
+    const buffer = makeStubBuffer({
+      listOrgs: async () => {
+        const anyEnvActive = [...queues.values()].some((n) => n > 0);
+        return anyEnvActive ? [orgId] : [];
+      },
+      listEnvsForOrg: async (org: string) =>
+        org === orgId
+          ? [...queues.keys()].filter((k) => (queues.get(k) ?? 0) > 0)
+          : [],
+      pop: async (envId: string) => {
+        const remaining = queues.get(envId) ?? 0;
+        if (remaining === 0) return null;
+        queues.set(envId, remaining - 1);
+        poppedSequence.push(envId);
+        return {
+          runId: `${envId}_${remaining}`,
+          envId,
+          orgId,
+          payload: "{}",
+          status: "DRAINING",
+          attempts: 0,
+          createdAt: new Date(),
+        } as any;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async () => {},
+      concurrency: 1,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      maxOrgsPerTick: 100,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    // 6 ticks × 1 env per tick = 6 pops, cycling x, y, z, x, y, z. Every
+    // env should be picked exactly twice across the 6 ticks.
+    for (let i = 0; i < 6; i++) {
+      await drainer.runOnce();
+    }
+
+    expect(poppedSequence).toHaveLength(6);
+    const counts = poppedSequence.reduce<Record<string, number>>((acc, e) => {
+      acc[e] = (acc[e] ?? 0) + 1;
+      return acc;
+    }, {});
+    for (const env of orgEnvs) {
+      expect(counts[env]).toBe(2);
+    }
+  });
+});
+
+describe("MollifierDrainer additional coverage", () => {
+
+  it("a malformed payload is treated as a non-retryable handler error and goes terminal", async () => {
+    // The deserialise call lives inside processEntry's try, so a JSON parse
+    // failure is caught by the same handler-error branch. With
+    // isRetryable=false, the entry transitions directly to FAILED — the
+    // handler is never invoked because the throw happens before the
+    // handler call.
+    let handlerCalled = false;
+    const failedEntries: Array<{ runId: string; error: { code: string; message: string } }> = [];
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg(["env_a"]),
+      pop: async () =>
+        ({
+          runId: "run_malformed",
+          envId: "env_a",
+          orgId: "org_1",
+          payload: "not valid json {",
+          status: "DRAINING",
+          attempts: 0,
+          createdAt: new Date(),
+        }) as any,
+      fail: async (runId: string, error: { code: string; message: string }) => {
+        failedEntries.push({ runId, error });
+        return true;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async () => {
+        handlerCalled = true;
+      },
+      concurrency: 1,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    const result = await drainer.runOnce();
+
+    expect(handlerCalled).toBe(false);
+    expect(result.failed).toBe(1);
+    expect(result.drained).toBe(0);
+    expect(failedEntries).toHaveLength(1);
+    expect(failedEntries[0]?.runId).toBe("run_malformed");
+  });
+
+  it("an ack failure after a successful handler is currently treated as a handler error (documented behaviour)", async () => {
+    // CAVEAT: this pins a known behaviour gap, not the ideal behaviour.
+    // ack() lives inside the same try as the handler call, so if the
+    // handler succeeds but ack throws (e.g. transient Redis blip), the
+    // entry is routed through the retry/terminal path even though the
+    // handler-side work completed. A later engine-replay handler will
+    // need idempotency to absorb the re-execution this implies on retry,
+    // OR ack should be lifted out of the try block.
+    let handlerCalls = 0;
+    const failedEntries: string[] = [];
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg(["env_a"]),
+      pop: async () =>
+        ({
+          runId: "run_x",
+          envId: "env_a",
+          orgId: "org_1",
+          payload: "{}",
+          status: "DRAINING",
+          attempts: 0,
+          createdAt: new Date(),
+        }) as any,
+      ack: async () => {
+        throw new Error("simulated ack failure");
+      },
+      fail: async (runId: string) => {
+        failedEntries.push(runId);
+        return true;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async () => {
+        handlerCalls += 1;
+      },
+      concurrency: 1,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    await drainer.runOnce();
+
+    expect(handlerCalls).toBe(1); // handler did run
+    expect(failedEntries).toEqual(["run_x"]); // but entry was marked failed anyway
+  });
+
+  it("start() called twice does not spawn a second loop", async () => {
+    let listEnvsCalls = 0;
+    const buffer = makeStubBuffer({
+      listOrgs: async () => {
+        listEnvsCalls += 1;
+        return [];
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async () => {},
+      concurrency: 1,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      pollIntervalMs: 50,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    drainer.start();
+    drainer.start(); // no-op
+    await new Promise((r) => setTimeout(r, 150));
+    await drainer.stop({ timeoutMs: 500 });
+
+    // One loop's worth of polling, not two. Allow a small fudge for timing —
+    // a doubled loop would produce ~2x the calls in the same window.
+    expect(listEnvsCalls).toBeLessThan(10);
+  });
+
+  it("stop() is idempotent and safe to call when never started", async () => {
+    const buffer = makeStubBuffer({});
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async () => {},
+      concurrency: 1,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    // Never started.
+    await expect(drainer.stop()).resolves.toBeUndefined();
+
+    // Started then stopped twice.
+    drainer.start();
+    await expect(drainer.stop()).resolves.toBeUndefined();
+    await expect(drainer.stop()).resolves.toBeUndefined();
+  });
+
+  it("rotation cursors reset on start() so a stop+start cycle begins fresh", async () => {
+    const allEnvs = ["env_a", "env_b", "env_c", "env_d", "env_e", "env_f"];
+    const popLog: string[] = [];
+    const buffer = makeStubBuffer({
+      ...eachEnvAsOwnOrg(allEnvs),
+      pop: async (envId: string) => {
+        popLog.push(envId);
+        return null;
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async () => {},
+      concurrency: 3,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      maxOrgsPerTick: 3,
+      // Long sleep so the loop ticks exactly once between start() and stop().
+      pollIntervalMs: 10_000,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    // Advance the cursor via runOnce so it's nonzero before start().
+    await drainer.runOnce();
+    await drainer.runOnce();
+    popLog.length = 0;
+
+    drainer.start();
+    // Wait long enough for the loop's first tick to complete.
+    await new Promise((r) => setTimeout(r, 100));
+    await drainer.stop({ timeoutMs: 1_000 });
+
+    // The first slice after start() should begin at envs[0] (cursor reset)
+    // — the slice is [env_a, env_b, env_c]. Without the reset, it would
+    // start at env_c (cursor was 2).
+    expect(popLog.slice(0, 3)).toEqual(["env_a", "env_b", "env_c"]);
+  });
+
+  it("loop backoff grows with consecutive runOnce failures and resets on success", async () => {
+    // The loop catches runOnce-level errors (e.g. listEnvs blip), increments
+    // `consecutiveErrors`, and delays for backoffMs(consecutiveErrors) —
+    // capped at 5s. This test pins the growth curve by failing N times in a
+    // row and observing increasing inter-tick gaps, then succeeding to
+    // verify the counter resets.
+    const tickTimestamps: number[] = [];
+    let listEnvsCalls = 0;
+    const buffer = makeStubBuffer({
+      listOrgs: async () => {
+        listEnvsCalls += 1;
+        tickTimestamps.push(Date.now());
+        if (listEnvsCalls <= 4) {
+          throw new Error("simulated sustained outage");
+        }
+        return []; // success — resets consecutiveErrors
+      },
+    });
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler: async () => {},
+      concurrency: 1,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      pollIntervalMs: 100,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    drainer.start();
+    // Allow time for 4 failures + first success + a few subsequent successes.
+    // Backoff schedule on errors 1..4: 200ms, 400ms, 800ms, 1.6s ≈ 3s total
+    // worst case. Add headroom for jitter.
+    await new Promise((r) => setTimeout(r, 4_000));
+    await drainer.stop({ timeoutMs: 1_000 });
+
+    expect(listEnvsCalls).toBeGreaterThanOrEqual(5);
+    // Inter-tick gaps during the failure run should grow (exponential).
+    const gap1 = tickTimestamps[1]! - tickTimestamps[0]!;
+    const gap2 = tickTimestamps[2]! - tickTimestamps[1]!;
+    const gap3 = tickTimestamps[3]! - tickTimestamps[2]!;
+    expect(gap2).toBeGreaterThan(gap1);
+    expect(gap3).toBeGreaterThan(gap2);
+
+    // After the first success (tick 5), counter resets, so the gap between
+    // tick 5 and tick 6 should drop back to pollIntervalMs-ish — much
+    // smaller than gap3 (which was the longest backoff).
+    if (tickTimestamps.length >= 6) {
+      const postRecoveryGap = tickTimestamps[5]! - tickTimestamps[4]!;
+      expect(postRecoveryGap).toBeLessThan(gap3);
+    }
+  });
+});
+
+describe("MollifierDrainer.start/stop", () => {
+  redisTest("start polls and processes, stop halts the loop", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      ...noopOptions,
+    });
+
+    const handled: string[] = [];
+    const handler = async (input: { runId: string }) => {
+      handled.push(input.runId);
+    };
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler,
+      concurrency: 5,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      pollIntervalMs: 20,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    try {
+      await buffer.accept({ runId: "live_1", envId: "env_a", orgId: "org_1", payload: "{}" });
+      await buffer.accept({ runId: "live_2", envId: "env_a", orgId: "org_1", payload: "{}" });
+
+      drainer.start();
+
+      const deadline = Date.now() + 5_000;
+      while (handled.length < 2 && Date.now() < deadline) {
+        await new Promise((r) => setTimeout(r, 50));
+      }
+
+      await drainer.stop();
+
+      expect(new Set(handled)).toEqual(new Set(["live_1", "live_2"]));
+    } finally {
+      await buffer.close();
+    }
+  });
+
+  redisTest("stop returns after timeoutMs even if a handler is hung", { timeout: 20_000 }, async ({ redisContainer }) => {
+    const buffer = new MollifierBuffer({
+      redisOptions: {
+        host: redisContainer.getHost(),
+        port: redisContainer.getPort(),
+        password: redisContainer.getPassword(),
+      },
+      ...noopOptions,
+    });
+
+    let handlerStarted = false;
+    const handler = async () => {
+      handlerStarted = true;
+      await new Promise<void>(() => {});
+    };
+
+    const drainer = new MollifierDrainer({
+      buffer,
+      handler,
+      concurrency: 1,
+      maxAttempts: 3,
+      isRetryable: () => false,
+      pollIntervalMs: 20,
+      logger: new Logger("test-drainer", "log"),
+    });
+
+    try {
+      await buffer.accept({ runId: "hung", envId: "env_a", orgId: "org_1", payload: "{}" });
+
+      drainer.start();
+
+      const deadline = Date.now() + 2_000;
+      while (!handlerStarted && Date.now() < deadline) {
+        await new Promise((r) => setTimeout(r, 25));
+      }
+      expect(handlerStarted).toBe(true);
+
+      const stopStart = Date.now();
+      await drainer.stop({ timeoutMs: 500 });
+      const stopElapsed = Date.now() - stopStart;
+
+      // Allow a small jitter window below `timeoutMs` — Node's setTimeout can
+      // fire a millisecond or two early under CI load. The behaviour we're
+      // pinning is "stop honors the deadline instead of waiting for the hung
+      // handler indefinitely", not millisecond-precise timing.
+      expect(stopElapsed).toBeGreaterThanOrEqual(450);
+      expect(stopElapsed).toBeLessThan(2_000);
+    } finally {
+      await buffer.close();
+    }
+  });
+});
+
+describe("MollifierDrainer concurrency cap", () => {
+  redisTest(
+    "runOnce never exceeds configured concurrency in flight",
+    { timeout: 30_000 },
+    async ({ redisContainer }) => {
+      const buffer = new MollifierBuffer({
+        redisOptions: {
+          host: redisContainer.getHost(),
+          port: redisContainer.getPort(),
+          password: redisContainer.getPassword(),
+        },
+        ...noopOptions,
+      });
+
+      const concurrency = 3;
+      const envCount = 12;
+      let inflight = 0;
+      let peak = 0;
+      let handlerCalls = 0;
+      const handler = async () => {
+        handlerCalls++;
+        inflight++;
+        if (inflight > peak) peak = inflight;
+        // Sleep long enough that handlers definitely overlap if scheduling
+        // allowed it — the assertion is meaningful only if multiple handlers
+        // would be running simultaneously without the cap.
+        await new Promise((r) => setTimeout(r, 75));
+        inflight--;
+      };
+
+      const drainer = new MollifierDrainer({
+        buffer,
+        handler,
+        concurrency,
+        maxAttempts: 1,
+        isRetryable: () => false,
+        logger: new Logger("test-drainer", "log"),
+      });
+
+      try {
+        // One entry per (env, org) so runOnce sees `envCount` distinct
+        // orgs as scheduling candidates and pLimits them through
+        // pLimit(concurrency). Spread across orgs (not envs in one org)
+        // because the drainer picks one env per org per tick — a single
+        // org with 12 envs would only see 1 pop per tick.
+        for (let i = 0; i < envCount; i++) {
+          await buffer.accept({
+            runId: `run_${i}`,
+            envId: `env_${i}`,
+            orgId: `org_${i}`,
+            payload: "{}",
+          });
+        }
+
+        const result = await drainer.runOnce();
+        expect(result.drained).toBe(envCount);
+        expect(handlerCalls).toBe(envCount);
+        expect(peak).toBeGreaterThan(1); // concurrency is real, not serialised
+        expect(peak).toBeLessThanOrEqual(concurrency);
+      } finally {
+        await buffer.close();
+      }
+    },
+  );
+});
diff --git a/packages/redis-worker/src/mollifier/drainer.ts b/packages/redis-worker/src/mollifier/drainer.ts
new file mode 100644
index 00000000000..c831d0b56a0
--- /dev/null
+++ b/packages/redis-worker/src/mollifier/drainer.ts
@@ -0,0 +1,448 @@
+import { Logger } from "@trigger.dev/core/logger";
+import { MollifierBuffer } from "./buffer.js";
+import { BufferEntry, deserialiseSnapshot } from "./schemas.js";
+
+export type MollifierDrainerHandler<TPayload> = (input: {
+  runId: string;
+  envId: string;
+  orgId: string;
+  payload: TPayload;
+  attempts: number;
+  createdAt: Date;
+}) => Promise<void>;
+
+// Invoked once per entry before `buffer.fail()` on any terminal path —
+// non-retryable error OR retryable error after maxAttempts. Lets the caller
+// land a SYSTEM_FAILURE PG row so the customer sees the run instead of it
+// silently disappearing alongside the buffer entry. Throwing a retryable
+// error from the callback causes the drainer to requeue rather than fail
+// (so the PG write itself gets another chance once PG recovers); throwing
+// anything else falls through to `buffer.fail()` to avoid an infinite loop
+// on a genuinely bad payload.
+export type MollifierDrainerTerminalFailureCause = "non-retryable" | "max-attempts-exhausted";
+export type MollifierDrainerTerminalFailureHandler<TPayload> = (input: {
+  runId: string;
+  envId: string;
+  orgId: string;
+  payload: TPayload;
+  attempts: number;
+  createdAt: Date;
+  error: { code: string; message: string };
+  cause: MollifierDrainerTerminalFailureCause;
+}) => Promise<void>;
+
+export type MollifierDrainerOptions<TPayload> = {
+  buffer: MollifierBuffer;
+  handler: MollifierDrainerHandler<TPayload>;
+  onTerminalFailure?: MollifierDrainerTerminalFailureHandler<TPayload>;
+  concurrency: number;
+  maxAttempts: number;
+  isRetryable: (err: unknown) => boolean;
+  pollIntervalMs?: number;
+  // Cap on how many ORGS `runOnce` processes per tick. The drainer rotates
+  // through orgs at the top level and picks one env per org per tick, so
+  // the actual per-tick pop count is at most `maxOrgsPerTick`. Tune for
+  // "typical orgs with pending entries" rather than total system org
+  // count. Defaults to 500.
+  //
+  // The buffer maintains `mollifier:orgs` and `mollifier:org-envs:${orgId}`
+  // atomically with per-env queues, so the drainer can walk orgs → envs
+  // directly. An org with N envs gets the same per-tick scheduling slot
+  // as an org with 1 env — tenant-level drainage throughput is determined
+  // by org count, not env count.
+  maxOrgsPerTick?: number;
+  // Per-env per-tick pop cap. Default 1 preserves the original
+  // one-pop-per-env-per-tick behaviour. Setting it higher lets a single
+  // env drain at handler-parallelism speed: each tick the drainer pops
+  // up to `drainBatchSize` entries from the env's queue, then dispatches
+  // them all through the shared `concurrency`-bounded pLimit. For a
+  // single-env burst this turns N sequential ticks into one tick of N
+  // parallel handler calls, capped by `concurrency`. Org/env fairness
+  // still holds — each org still contributes exactly one env per tick.
+  //
+  // Memory: per-tick in-flight entries ≤ `maxOrgsPerTick × drainBatchSize`.
+  // Operators sizing this should ensure their PG pool / engine handler
+  // can sustain `concurrency` parallel writes; popping more than the
+  // handler can process per tick just queues entries in JS waiting on
+  // pLimit.
+  drainBatchSize?: number;
+  // Cap on the exponential backoff applied after consecutive `runOnce`
+  // errors. Defaults to 5000ms. The backoff base is `max(pollIntervalMs,
+  // backoffFloorMs)` and doubles per consecutive error up to this cap.
+  maxBackoffMs?: number;
+  // Floor for the exponential-backoff base, so a tiny `pollIntervalMs`
+  // doesn't collapse the backoff to near-zero on a sustained outage.
+  // Defaults to 100ms.
+  backoffFloorMs?: number;
+  logger?: Logger;
+};
+
+export type DrainResult = {
+  drained: number;
+  failed: number;
+};
+
+export class MollifierDrainer<TPayload = unknown> {
+  private readonly buffer: MollifierBuffer;
+  private readonly handler: MollifierDrainerHandler<TPayload>;
+  private readonly onTerminalFailure?: MollifierDrainerTerminalFailureHandler<TPayload>;
+  private readonly maxAttempts: number;
+  private readonly isRetryable: (err: unknown) => boolean;
+  private readonly pollIntervalMs: number;
+  private readonly maxOrgsPerTick: number;
+  private readonly drainBatchSize: number;
+  private readonly concurrency: number;
+  private readonly maxBackoffMs: number;
+  private readonly backoffFloorMs: number;
+  private readonly logger: Logger;
+  // Rotation state. `orgCursor` advances through the active-orgs list.
+  // Each org has its own internal cursor in `perOrgEnvCursors` for
+  // cycling through that org's envs. Both reset on `start()`.
+  private orgCursor = 0;
+  private perOrgEnvCursors = new Map<string, number>();
+  private isRunning = false;
+  private stopping = false;
+  private loopPromise: Promise<void> | null = null;
+
+  constructor(options: MollifierDrainerOptions<TPayload>) {
+    this.buffer = options.buffer;
+    this.handler = options.handler;
+    this.onTerminalFailure = options.onTerminalFailure;
+    this.maxAttempts = options.maxAttempts;
+    this.isRetryable = options.isRetryable;
+    this.pollIntervalMs = options.pollIntervalMs ?? 100;
+    this.maxOrgsPerTick = options.maxOrgsPerTick ?? 500;
+    this.drainBatchSize = Math.max(1, options.drainBatchSize ?? 1);
+    this.concurrency = Math.max(1, options.concurrency);
+    this.maxBackoffMs = options.maxBackoffMs ?? 5_000;
+    this.backoffFloorMs = Math.max(1, options.backoffFloorMs ?? 100);
+    this.logger = options.logger ?? new Logger("MollifierDrainer", "debug");
+  }
+
+  async runOnce(): Promise<DrainResult> {
+    const orgs = await this.buffer.listOrgs();
+    if (orgs.length === 0) return { drained: 0, failed: 0 };
+
+    const orgSlice = this.takeOrgSlice(orgs);
+
+    // Fan the per-org SMEMBERS out in a single pipelined round-trip. Serial
+    // awaits would otherwise add `orgSlice.length × RTT` of dead time before
+    // pops start — at the default `maxOrgsPerTick=500` and a ~1ms ElastiCache
+    // RTT that's a ~500ms per-tick floor. ioredis auto-pipelines concurrent
+    // commands into one batch, so the burst is cheap; SMEMBERS on a small set
+    // is O(N) per org and trivial at this scale. `Promise.all` preserves
+    // order, so the org→envs pairing below stays deterministic.
+    const envsByOrg = await Promise.all(
+      orgSlice.map((orgId) => this.buffer.listEnvsForOrg(orgId)),
+    );
+    const targets: string[] = [];
+    for (let i = 0; i < orgSlice.length; i++) {
+      const orgId = orgSlice[i]!;
+      const envsForOrg = envsByOrg[i]!;
+      if (envsForOrg.length === 0) continue;
+      const envId = this.pickEnvForOrg(orgId, envsForOrg);
+      targets.push(envId);
+    }
+
+    if (targets.length === 0) return { drained: 0, failed: 0 };
+
+    // Worker-pool draining. We spawn up to `concurrency` workers; each
+    // worker repeatedly:
+    //   1. Picks the next env with budget remaining (round-robin),
+    //      atomically claiming one slot of that env's per-tick budget.
+    //   2. Pops one entry and processes it.
+    //   3. Repeats until pickNextEnv returns null.
+    //
+    // This pattern gives us both invariants the prior two designs traded
+    // off:
+    //   - Single-env bursts use the full `concurrency` budget. All
+    //     workers can pull from one env, processing `concurrency` entries
+    //     in parallel.
+    //   - The number of entries in "popped-but-not-acked" (DRAINING)
+    //     state at any moment is bounded by the worker count, i.e.
+    //     `concurrency` — same blast radius as the pre-batch
+    //     one-pop-per-env model. A process crash mid-tick strands at
+    //     most `concurrency` entries for stale-sweep to recover, not
+    //     `maxOrgsPerTick × drainBatchSize`.
+    //
+    // Fairness: pickNextEnv advances a cursor by 1 each successful pick,
+    // so workers round-robin across envs at the entry level. Combined
+    // with the per-env budget cap, an env contributes at most
+    // `drainBatchSize` entries per tick regardless of how many workers
+    // are free — a heavy env can't starve siblings within a tick.
+    const remaining = new Map<string, number>();
+    const skip = new Set<string>(); // envs with empty queue or pop failure this tick
+    for (const envId of targets) remaining.set(envId, this.drainBatchSize);
+
+    let cursor = 0;
+    const pickNextEnv = (): string | null => {
+      for (let i = 0; i < targets.length; i++) {
+        const idx = (cursor + i) % targets.length;
+        const envId = targets[idx]!;
+        if (skip.has(envId)) continue;
+        const r = remaining.get(envId) ?? 0;
+        if (r > 0) {
+          remaining.set(envId, r - 1);
+          cursor = (idx + 1) % targets.length;
+          return envId;
+        }
+      }
+      return null;
+    };
+
+    let drained = 0;
+    let failed = 0;
+
+    const worker = async (): Promise<void> => {
+      while (true) {
+        const envId = pickNextEnv();
+        if (envId === null) return;
+        let entry: BufferEntry | null;
+        try {
+          entry = await this.buffer.pop(envId);
+        } catch (err) {
+          // A pop failure on one env aborts that env's batch for this
+          // tick (don't keep hammering a broken Redis) and counts as
+          // exactly one failure — same as the pre-batch path on a pop
+          // blowup. Other envs continue.
+          //
+          // `pickNextEnv` decrements `remaining` before the pop settles,
+          // so multiple workers can race into the same env and all hit
+          // a throwing pop before the first catch lands. Guarding the
+          // failure increment on `!skip.has(envId)` keeps the per-env
+          // failure count at exactly one even under that race —
+          // matching the documented contract.
+          this.logger.error("MollifierDrainer.pop failed", { envId, err });
+          if (!skip.has(envId)) {
+            skip.add(envId);
+            failed += 1;
+          }
+          continue;
+        }
+        if (!entry) {
+          // Queue exhausted between scheduling and this pop. Mark the
+          // env skipped so siblings aren't held up by repeated empty pops.
+          skip.add(envId);
+          continue;
+        }
+        try {
+          const outcome = await this.processEntry(entry);
+          if (outcome === "drained") drained += 1;
+          else failed += 1;
+        } catch (err) {
+          this.logger.error("MollifierDrainer.processEntry failed", {
+            envId,
+            runId: entry.runId,
+            err,
+          });
+          failed += 1;
+        }
+      }
+    };
+
+    const totalBudget = targets.length * this.drainBatchSize;
+    const workerCount = Math.min(this.concurrency, totalBudget);
+    await Promise.all(Array.from({ length: workerCount }, () => worker()));
+
+    return { drained, failed };
+  }
+
+  start(): void {
+    if (this.isRunning) return;
+    this.isRunning = true;
+    this.stopping = false;
+    // Reset rotation state on each (re)start. A stop+start cycle means
+    // operator intent to "begin clean" — between-restart cursor drift
+    // would otherwise carry implicit state across what should look like
+    // a fresh boot.
+    this.orgCursor = 0;
+    this.perOrgEnvCursors = new Map();
+    this.loopPromise = this.loop();
+  }
+
+  // Signal the loop to exit (`stopping = true`) and wait for it. With no
+  // timeout, wait indefinitely for the in-flight `runOnce` and its handlers
+  // to settle — same semantic as FairQueue / BatchQueue's `stop()`. With a
+  // timeout, race the loop promise against a deadline so a hung handler
+  // can't wedge the process past its termination grace period.
+  async stop(options: { timeoutMs?: number } = {}): Promise<void> {
+    if (!this.isRunning || !this.loopPromise) return;
+    this.stopping = true;
+    if (options.timeoutMs == null) {
+      await this.loopPromise;
+      return;
+    }
+    // Hold the timer handle so we can clearTimeout() it after the race.
+    // Without this, when the loop wins the race, the discarded timer is
+    // still ref'd and pins the Node event loop for up to `timeoutMs`,
+    // delaying process shutdown by exactly the slack we were trying to
+    // bound. try/finally clears the handle in every exit path (loop-won,
+    // timeout-won, or exception).
+    const timeoutSentinel = Symbol("mollifier.stop.timeout");
+    let timeoutHandle: ReturnType<typeof setTimeout> | undefined;
+    const timeoutPromise = new Promise<typeof timeoutSentinel>((resolve) => {
+      timeoutHandle = setTimeout(() => resolve(timeoutSentinel), options.timeoutMs);
+    });
+    try {
+      const winner = await Promise.race([
+        this.loopPromise.then(() => "done" as const),
+        timeoutPromise,
+      ]);
+      if (winner === timeoutSentinel) {
+        this.logger.warn(
+          "MollifierDrainer.stop: deadline exceeded; returning while loop iteration is in flight",
+          { timeoutMs: options.timeoutMs },
+        );
+      }
+    } finally {
+      if (timeoutHandle) clearTimeout(timeoutHandle);
+    }
+  }
+
+  // Transient Redis errors (e.g. a connection blip in `listOrgs` /
+  // `listEnvsForOrg` / `pop`) must not kill the polling loop permanently.
+  // We log each `runOnce` failure, back off so we don't spin tight on a
+  // sustained outage, and resume. The loop only exits when `stop()` flips
+  // `stopping`.
+  private async loop(): Promise<void> {
+    try {
+      let consecutiveErrors = 0;
+      while (!this.stopping) {
+        try {
+          const result = await this.runOnce();
+          consecutiveErrors = 0;
+          if (result.drained === 0 && result.failed === 0) {
+            await this.delay(this.pollIntervalMs);
+          }
+        } catch (err) {
+          consecutiveErrors += 1;
+          this.logger.error("MollifierDrainer.runOnce failed; backing off", {
+            err,
+            consecutiveErrors,
+          });
+          await this.delay(this.backoffMs(consecutiveErrors));
+        }
+      }
+    } finally {
+      this.isRunning = false;
+    }
+  }
+
+  // Exponential backoff capped at 5s. Keeps the loop responsive after a
+  // brief blip while preventing a tight retry loop during a long Redis
+  // outage. 1 → 200ms, 2 → 400ms, 3 → 800ms, 4 → 1.6s, 5 → 3.2s, 6+ → 5s.
+  private backoffMs(consecutiveErrors: number): number {
+    const base = Math.max(this.pollIntervalMs, this.backoffFloorMs);
+    const capped = Math.min(base * 2 ** (consecutiveErrors - 1), this.maxBackoffMs);
+    return capped;
+  }
+
+  private delay(ms: number): Promise<void> {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+
+  // Take up to `maxOrgsPerTick` orgs starting at the current cursor, with
+  // wrap-around. Cursor advances by 1 each tick so every org reaches
+  // every slot position (0..sliceSize-1) over a full cycle — no
+  // head-of-line bias within the slice. Orgs are sorted before slicing
+  // so rotation is deterministic regardless of Redis SET iteration order.
+  private takeOrgSlice(orgs: string[]): string[] {
+    const sorted = [...orgs].sort();
+    const n = sorted.length;
+    const sliceSize = Math.min(this.maxOrgsPerTick, n);
+    const start = this.orgCursor % n;
+    this.orgCursor = (this.orgCursor + 1) % Math.max(n, 1);
+    const end = start + sliceSize;
+    if (end <= n) return sorted.slice(start, end);
+    return [...sorted.slice(start), ...sorted.slice(0, end - n)];
+  }
+
+  // Pick one env from the org's active-envs list, rotating per org via
+  // the per-org cursor. Each org's cursor advances by 1 each visit, so
+  // an org with N envs cycles through them across N visits.
+  private pickEnvForOrg(orgId: string, envsForOrg: string[]): string {
+    const sorted = [...envsForOrg].sort();
+    const cursor = this.perOrgEnvCursors.get(orgId) ?? 0;
+    const idx = cursor % sorted.length;
+    this.perOrgEnvCursors.set(orgId, (cursor + 1) % sorted.length);
+    return sorted[idx]!;
+  }
+
+  private async processEntry(entry: BufferEntry): Promise<"drained" | "failed"> {
+    try {
+      const payload = deserialiseSnapshot<TPayload>(entry.payload);
+      await this.handler({
+        runId: entry.runId,
+        envId: entry.envId,
+        orgId: entry.orgId,
+        payload,
+        attempts: entry.attempts,
+        createdAt: entry.createdAt,
+      });
+      await this.buffer.ack(entry.runId);
+      return "drained";
+    } catch (err) {
+      const nextAttempts = entry.attempts + 1;
+      if (this.isRetryable(err) && nextAttempts < this.maxAttempts) {
+        await this.buffer.requeue(entry.runId);
+        this.logger.warn("MollifierDrainer: retryable error, requeued", {
+          runId: entry.runId,
+          attempts: nextAttempts,
+        });
+        return "failed";
+      }
+      const cause: MollifierDrainerTerminalFailureCause = this.isRetryable(err)
+        ? "max-attempts-exhausted"
+        : "non-retryable";
+      const code = err instanceof Error ? err.name : "Unknown";
+      const message = err instanceof Error ? err.message : String(err);
+      // Run the terminal-failure callback BEFORE buffer.fail() so a
+      // SYSTEM_FAILURE PG row can land while the entry is still around to
+      // read from (and so we don't lose the run if the callback's own
+      // write itself needs a retry). If the callback throws a retryable
+      // error, requeue the entry instead of fail()ing — PG is still
+      // unreachable, give it another tick. Any other callback failure
+      // falls through to buffer.fail() so a genuinely bad snapshot
+      // doesn't loop forever.
+      if (this.onTerminalFailure) {
+        try {
+          await this.onTerminalFailure({
+            runId: entry.runId,
+            envId: entry.envId,
+            orgId: entry.orgId,
+            payload: deserialiseSnapshot<TPayload>(entry.payload),
+            attempts: nextAttempts,
+            createdAt: entry.createdAt,
+            error: { code, message },
+            cause,
+          });
+        } catch (writeErr) {
+          if (this.isRetryable(writeErr)) {
+            await this.buffer.requeue(entry.runId);
+            this.logger.warn(
+              "MollifierDrainer: terminal-failure callback retryable; requeued",
+              {
+                runId: entry.runId,
+                attempts: nextAttempts,
+                writeErr,
+              },
+            );
+            return "failed";
+          }
+          this.logger.error("MollifierDrainer: terminal-failure callback failed", {
+            runId: entry.runId,
+            writeErr,
+          });
+        }
+      }
+      await this.buffer.fail(entry.runId, { code, message });
+      this.logger.error("MollifierDrainer: terminal failure", {
+        runId: entry.runId,
+        code,
+        message,
+        cause,
+      });
+      return "failed";
+    }
+  }
+}
diff --git a/packages/redis-worker/src/mollifier/index.ts b/packages/redis-worker/src/mollifier/index.ts
new file mode 100644
index 00000000000..c7875a7d55f
--- /dev/null
+++ b/packages/redis-worker/src/mollifier/index.ts
@@ -0,0 +1,28 @@
+export {
+  MollifierBuffer,
+  type MollifierBufferOptions,
+  type SnapshotPatch,
+  type AcceptResult,
+  type MutateSnapshotResult,
+  type CasSetMetadataResult,
+  type IdempotencyClaimResult,
+  type IdempotencyLookupInput,
+  idempotencyLookupKeyFor,
+  makeIdempotencyClaimKey,
+} from "./buffer.js";
+export {
+  MollifierDrainer,
+  type MollifierDrainerOptions,
+  type MollifierDrainerHandler,
+  type MollifierDrainerTerminalFailureHandler,
+  type MollifierDrainerTerminalFailureCause,
+  type DrainResult,
+} from "./drainer.js";
+export {
+  BufferEntrySchema,
+  BufferEntryStatus,
+  BufferEntryError,
+  serialiseSnapshot,
+  deserialiseSnapshot,
+  type BufferEntry,
+} from "./schemas.js";
diff --git a/packages/redis-worker/src/mollifier/schemas.ts b/packages/redis-worker/src/mollifier/schemas.ts
new file mode 100644
index 00000000000..5acd0c7c15d
--- /dev/null
+++ b/packages/redis-worker/src/mollifier/schemas.ts
@@ -0,0 +1,83 @@
+import { z } from "zod";
+
+export const BufferEntryStatus = z.enum(["QUEUED", "DRAINING", "FAILED"]);
+export type BufferEntryStatus = z.infer<typeof BufferEntryStatus>;
+
+export const BufferEntryError = z.object({
+  code: z.string(),
+  message: z.string(),
+});
+export type BufferEntryError = z.infer<typeof BufferEntryError>;
+
+const stringToInt = z.string().transform((v, ctx) => {
+  const n = Number(v);
+  if (!Number.isInteger(n) || n < 0) {
+    ctx.addIssue({ code: z.ZodIssueCode.custom, message: "expected non-negative integer string" });
+    return z.NEVER;
+  }
+  return n;
+});
+
+const stringToDate = z.string().transform((v, ctx) => {
+  const d = new Date(v);
+  if (Number.isNaN(d.getTime())) {
+    ctx.addIssue({ code: z.ZodIssueCode.custom, message: "expected ISO date string" });
+    return z.NEVER;
+  }
+  return d;
+});
+
+const stringToBool = z
+  .union([z.literal("true"), z.literal("false")])
+  .transform((v) => v === "true");
+
+const stringToError = z.string().transform((v, ctx) => {
+  try {
+    return BufferEntryError.parse(JSON.parse(v));
+  } catch {
+    ctx.addIssue({ code: z.ZodIssueCode.custom, message: "expected JSON-encoded BufferEntryError" });
+    return z.NEVER;
+  }
+});
+
+export const BufferEntrySchema = z.object({
+  runId: z.string().min(1),
+  envId: z.string().min(1),
+  orgId: z.string().min(1),
+  payload: z.string(),
+  status: BufferEntryStatus,
+  attempts: stringToInt,
+  createdAt: stringToDate,
+  // Microsecond epoch of accept time, kept as a hash field for dwell
+  // metrics. Not a queue sort key (the queue is a FIFO LIST). Defaulted
+  // so an entry written by an accept Lua predating this field — or one
+  // surviving across the deploy that introduced it — still parses instead
+  // of being silently dropped on pop.
+  createdAtMicros: stringToInt.default("0"),
+  // Drainer-ack flag: `true` once the drainer has materialised this run
+  // into PG. The hash persists for a short grace TTL after ack so direct
+  // reads (retrieve, trace, etc.) still resolve while PG replica lag
+  // settles. Absent on pre-ack entries.
+  materialised: stringToBool.default("false"),
+  // Denormalised pointer to the Redis idempotency lookup key (set when
+  // the run was accepted with an idempotency key, empty otherwise). The
+  // ack Lua reads this to DEL the lookup atomically with marking the
+  // entry materialised.
+  idempotencyLookupKey: z.string().optional().default(""),
+  // Optimistic-lock counter for the snapshot's `metadata` field.
+  // Incremented atomically by the CAS metadata Lua. Matches the
+  // semantic of `TaskRun.metadataVersion` on the PG side (which the
+  // UpdateMetadataService uses for the same retry-on-conflict pattern).
+  metadataVersion: stringToInt.default("0"),
+  lastError: stringToError.optional(),
+});
+
+export type BufferEntry = z.infer<typeof BufferEntrySchema>;
+
+export function serialiseSnapshot(snapshot: unknown): string {
+  return JSON.stringify(snapshot);
+}
+
+export function deserialiseSnapshot<T = unknown>(serialised: string): T {
+  return JSON.parse(serialised) as T;
+}
diff --git a/packages/redis-worker/src/worker.test.ts b/packages/redis-worker/src/worker.test.ts
index e4b6fd3e858..bd6c70b9676 100644
--- a/packages/redis-worker/src/worker.test.ts
+++ b/packages/redis-worker/src/worker.test.ts
@@ -1,4 +1,4 @@
-import { redisTest } from "@internal/testcontainers";
+import { isolatedRedisTest as redisTest } from "@internal/testcontainers";
 import { Logger } from "@trigger.dev/core/logger";
 import { describe } from "node:test";
 import { expect } from "vitest";
diff --git a/packages/redis-worker/vitest.config.ts b/packages/redis-worker/vitest.config.ts
index dfe0df27462..b52b49a0dc4 100644
--- a/packages/redis-worker/vitest.config.ts
+++ b/packages/redis-worker/vitest.config.ts
@@ -1,14 +1,13 @@
 import { defineConfig } from "vitest/config";
+import { DurationShardingSequencer } from "@internal/testcontainers/sequencer";
 
 export default defineConfig({
   test: {
+    sequence: { sequencer: DurationShardingSequencer },
     include: ["**/*.test.ts"],
     globals: true,
+    // CI-only: absorbs timing races (real-clock waits vs worker poll interval) under shard CPU contention
+    retry: process.env.CI ? 2 : 0,
     fileParallelism: false,
-    poolOptions: {
-      threads: {
-        singleThread: true,
-      },
-    },
   },
 });
diff --git a/packages/rsc/CHANGELOG.md b/packages/rsc/CHANGELOG.md
index b7e9091d785..54f72ca2bd5 100644
--- a/packages/rsc/CHANGELOG.md
+++ b/packages/rsc/CHANGELOG.md
@@ -1,5 +1,61 @@
 # @trigger.dev/rsc
 
+## 4.5.0-rc.5
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.5`
+
+## 4.5.0-rc.4
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.4`
+
+## 4.5.0-rc.3
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.3`
+
+## 4.5.0-rc.2
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.2`
+
+## 4.5.0-rc.1
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.1`
+
+## 4.5.0-rc.0
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.0`
+
+## 4.4.6
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.6`
+
+## 4.4.5
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.5`
+
 ## 4.4.4
 
 ### Patch Changes
diff --git a/packages/rsc/package.json b/packages/rsc/package.json
index 17018123bf2..7e051442860 100644
--- a/packages/rsc/package.json
+++ b/packages/rsc/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@trigger.dev/rsc",
-  "version": "4.4.4",
+  "version": "4.5.0-rc.5",
   "description": "trigger.dev rsc",
   "license": "MIT",
   "publishConfig": {
@@ -37,18 +37,18 @@
     "check-exports": "attw --pack ."
   },
   "dependencies": {
-    "@trigger.dev/core": "workspace:^4.4.4",
+    "@trigger.dev/core": "workspace:^4.5.0-rc.5",
     "mlly": "^1.7.1",
     "react": "19.0.0-rc.1",
     "react-dom": "19.0.0-rc.1"
   },
   "devDependencies": {
     "@arethetypeswrong/cli": "^0.15.4",
-    "@trigger.dev/build": "workspace:^4.4.4",
+    "@trigger.dev/build": "workspace:^4.5.0-rc.5",
     "@types/node": "^20.14.14",
     "@types/react": "*",
     "@types/react-dom": "*",
-    "rimraf": "^3.0.2",
+    "rimraf": "^6.0.1",
     "tshy": "^3.0.2",
     "tsx": "4.17.0"
   },
diff --git a/packages/schema-to-json/CHANGELOG.md b/packages/schema-to-json/CHANGELOG.md
index 8a62977d480..92553cb9dee 100644
--- a/packages/schema-to-json/CHANGELOG.md
+++ b/packages/schema-to-json/CHANGELOG.md
@@ -1,5 +1,61 @@
 # @trigger.dev/schema-to-json
 
+## 4.5.0-rc.5
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.5`
+
+## 4.5.0-rc.4
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.4`
+
+## 4.5.0-rc.3
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.3`
+
+## 4.5.0-rc.2
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.2`
+
+## 4.5.0-rc.1
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.1`
+
+## 4.5.0-rc.0
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.0`
+
+## 4.4.6
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.6`
+
+## 4.4.5
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.5`
+
 ## 4.4.4
 
 ### Patch Changes
diff --git a/packages/schema-to-json/package.json b/packages/schema-to-json/package.json
index e2deaae0a4c..eff4eb69702 100644
--- a/packages/schema-to-json/package.json
+++ b/packages/schema-to-json/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@trigger.dev/schema-to-json",
-  "version": "4.4.4",
+  "version": "4.5.0-rc.5",
   "description": "Convert various schema validation libraries to JSON Schema",
   "license": "MIT",
   "publishConfig": {
diff --git a/packages/trigger-sdk/CHANGELOG.md b/packages/trigger-sdk/CHANGELOG.md
index 9dccca3fc2f..f17e9d2a8be 100644
--- a/packages/trigger-sdk/CHANGELOG.md
+++ b/packages/trigger-sdk/CHANGELOG.md
@@ -1,5 +1,318 @@
 # @trigger.dev/sdk
 
+## 4.5.0-rc.5
+
+### Patch Changes
+
+- Adds AI SDK 7 support. The `ai` peer range now includes v7, and the `chat.agent` / chat surfaces work against v7's ESM-only build. On v7, install `@ai-sdk/otel` alongside `ai` and the SDK registers it for you so `experimental_telemetry` spans keep flowing into your run traces (v7 stopped emitting them from `ai` core). v5 and v6 keep working unchanged. ([#3833](https://github.com/triggerdotdev/trigger.dev/pull/3833))
+- `useTriggerChatTransport` now recovers when restored session state points at a session that no longer exists in the current environment ([#3816](https://github.com/triggerdotdev/trigger.dev/pull/3816))
+- Offload large trigger payloads to object storage before sending the trigger API request. The SDK uploads packets at or above the existing 128KB limit and sends an `application/store` pointer instead of embedding large JSON in the request body. `TriggerTaskRequestBody` now validates that `application/store` payloads are non-empty storage paths. ([#3785](https://github.com/triggerdotdev/trigger.dev/pull/3785))
+
+  Payload uploads use the same resolved `ApiClient` as the trigger call (including `requestOptions.clientConfig`), not only the global `apiClientManager.client` — so custom `baseURL`, access token, and preview branch apply to both presign and trigger.
+
+- Update the bundled OpenTelemetry packages to their latest releases (`@opentelemetry/sdk-node` 0.218.0, `@opentelemetry/core` 2.7.1, `@opentelemetry/host-metrics` 0.38.3). ([#3810](https://github.com/triggerdotdev/trigger.dev/pull/3810))
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.5`
+
+## 4.5.0-rc.4
+
+### Patch Changes
+
+- Add a `tools` option to `chat.agent`. Declaring your tools here threads them into the SDK's internal `convertToModelMessages`, so each tool's `toModelOutput` is re-applied when prior-turn history is re-converted. ([#3790](https://github.com/triggerdotdev/trigger.dev/pull/3790))
+
+  ```ts
+  chat.agent({
+    tools: { readFile, search },
+    run: async ({ messages, tools, signal }) =>
+      streamText({ model, messages, tools, abortSignal: signal }),
+  });
+  ```
+
+  Also exports `InferChatUIMessageFromTools<typeof tools>` to derive the chat `UIMessage` type (typed tool parts) directly from a tool set.
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.4`
+
+## 4.5.0-rc.3
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.3`
+
+## 4.5.0-rc.2
+
+### Patch Changes
+
+- Fix `chat.agent` HITL continuations on reasoning-heavy turns. Two changes that work together: ([#3719](https://github.com/triggerdotdev/trigger.dev/pull/3719))
+
+  - The per-turn merge now overlays the wire copy's tool-part state advancement onto the agent's existing chain — `state` + the matching resolution field (`output` / `errorText` / `approval`) come from the wire, everything else (text, reasoning, tool `input`, provider metadata) stays whatever the snapshot or `hydrateMessages` returned. Previously a full-message replace overwrote those fields with whatever the client shipped, so a slimmed wire copy landed a tool call with no `arguments` on the next LLM call. Covers `output-available` / `output-error` (HITL `addToolOutput`) and `approval-responded` / `output-denied` (approval flow).
+  - `TriggerChatTransport.sendMessages` and `AgentChat.sendRaw` now slim assistant messages that carry advanced tool parts. The wire payload is just `{ id, role, parts: [<state + resolution field>] }` for `submit-message` continuations; everything else passes through. Reasoning blobs and full tool inputs no longer ride the wire on every `addToolOutput` / `addToolApproveResponse`, so continuation payloads stay well under the `.in/append` cap on long agent loops.
+
+  Note: `onValidateMessages` receives the slim wire on HITL turns. If you call `validateUIMessages` from `ai` against the full `messages` array it will reject the slim assistant; filter to user messages (or skip on HITL turns) — see the updated docstring on `onValidateMessages` for the recommended pattern.
+
+  For `hydrateMessages` hooks that persist the chain, this release also adds a small helper to the `@trigger.dev/sdk/ai` surface:
+
+  ```ts
+  import { chat, upsertIncomingMessage } from "@trigger.dev/sdk/ai";
+
+  chat.agent({
+    hydrateMessages: async ({ chatId, trigger, incomingMessages }) => {
+      const record = await db.chat.findUnique({ where: { id: chatId } });
+      const stored = record?.messages ?? [];
+      if (upsertIncomingMessage(stored, { trigger, incomingMessages })) {
+        await db.chat.update({ where: { id: chatId }, data: { messages: stored } });
+      }
+      return stored;
+    },
+  });
+  ```
+
+  It pushes fresh user messages by id, no-ops on HITL continuations (the incoming shares an id with the existing assistant — the runtime overlays the new tool-state advance), and skips on non-`submit-message` triggers. Returns `true` if it mutated `stored` so the caller knows whether to persist.
+
+  Net effect: `chat.addToolOutput(...)` / `chat.addToolApproveResponse(...)` on multi-step reasoning agents (OpenAI Responses with `store: false`, Anthropic extended thinking, etc.) no longer blows the cap and no longer corrupts the LLM input.
+
+- Add `TriggerClient` for running multiple SDK clients side-by-side, each with its own auth, preview branch, and baseURL. Useful when a single process needs to trigger tasks or read runs across multiple projects, environments, or preview branches without mutating shared global state. ([#3683](https://github.com/triggerdotdev/trigger.dev/pull/3683))
+
+  ```ts
+  import { TriggerClient } from "@trigger.dev/sdk";
+
+  const prod = new TriggerClient({ accessToken: process.env.TRIGGER_PROD_KEY });
+  const preview = new TriggerClient({
+    accessToken: process.env.TRIGGER_PREVIEW_KEY,
+    previewBranch: "signup-flow",
+  });
+
+  await prod.tasks.trigger("send-email", payload);
+  await preview.runs.list({ status: ["COMPLETED"] });
+  ```
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.2`
+
+## 4.5.0-rc.1
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.1`
+
+## 4.5.0-rc.0
+
+### Minor Changes
+
+- **AI Prompts** — define prompt templates as code alongside your tasks, version them on deploy, and override the text or model from the dashboard without redeploying. Prompts integrate with the Vercel AI SDK via `toAISDKTelemetry()` (links every generation span back to the prompt) and with `chat.agent` via `chat.prompt.set()` + `chat.toStreamTextOptions()`. ([#3629](https://github.com/triggerdotdev/trigger.dev/pull/3629))
+
+  ```ts
+  import { prompts } from "@trigger.dev/sdk";
+  import { generateText } from "ai";
+  import { openai } from "@ai-sdk/openai";
+  import { z } from "zod";
+
+  export const supportPrompt = prompts.define({
+    id: "customer-support",
+    model: "gpt-4o",
+    config: { temperature: 0.7 },
+    variables: z.object({
+      customerName: z.string(),
+      plan: z.string(),
+      issue: z.string(),
+    }),
+    content: `You are a support agent for Acme.
+  
+  Customer: {{customerName}} ({{plan}} plan)
+  Issue: {{issue}}`,
+  });
+
+  const resolved = await supportPrompt.resolve({
+    customerName: "Alice",
+    plan: "Pro",
+    issue: "Can't access billing",
+  });
+
+  const result = await generateText({
+    model: openai(resolved.model ?? "gpt-4o"),
+    system: resolved.text,
+    prompt: "Can't access billing",
+    ...resolved.toAISDKTelemetry(),
+  });
+  ```
+
+  **What you get:**
+
+  - **Code-defined, deploy-versioned templates** — define with `prompts.define({ id, model, config, variables, content })`. Every deploy creates a new version visible in the dashboard. Mustache-style placeholders (`{{var}}`, `{{#cond}}...{{/cond}}`) with Zod / ArkType / Valibot-typed variables.
+  - **Dashboard overrides** — change a prompt's text or model from the dashboard without redeploying. Overrides take priority over the deployed "current" version and are environment-scoped (dev / staging / production independent).
+  - **Resolve API** — `prompt.resolve(vars, { version?, label? })` returns the compiled `text`, resolved `model`, `version`, and labels. Standalone `prompts.resolve<typeof handle>(slug, vars)` for cross-file resolution with full type inference on slug and variable shape.
+  - **AI SDK integration** — spread `resolved.toAISDKTelemetry({ ...extra })` into any `generateText` / `streamText` call and every generation span links to the prompt in the dashboard alongside its input variables, model, tokens, and cost.
+  - **`chat.agent` integration** — `chat.prompt.set(resolved)` stores the resolved prompt run-scoped; `chat.toStreamTextOptions({ registry })` pulls `system`, `model` (resolved via the AI SDK provider registry), `temperature` / `maxTokens` / etc., and telemetry into a single spread for `streamText`.
+  - **Management SDK** — `prompts.list()`, `prompts.versions(slug)`, `prompts.promote(slug, version)`, `prompts.createOverride(slug, body)`, `prompts.updateOverride(slug, body)`, `prompts.removeOverride(slug)`, `prompts.reactivateOverride(slug, version)`.
+  - **Dashboard** — prompts list with per-prompt usage sparklines; per-prompt detail with Template / Details / Versions / Generations / Metrics tabs. AI generation spans get a custom inspector showing the linked prompt's metadata, input variables, and template content alongside model, tokens, cost, and the message thread.
+
+  See [/docs/ai/prompts](https://trigger.dev/docs/ai/prompts) for the full reference — template syntax, version resolution order, override workflow, and type utilities (`PromptHandle`, `PromptIdentifier`, `PromptVariables`).
+
+- Adds `onBoot` to `chat.agent` — a lifecycle hook that fires once per worker process picking up the chat. Runs for the initial run, preloaded runs, AND reactive continuation runs (post-cancel, crash, `endRun`, `requestUpgrade`, OOM retry), before any other hook. Use it to initialize `chat.local`, open per-process resources, or re-hydrate state from your DB on continuation — anywhere the SAME run picking up after suspend/resume isn't enough. ([#3543](https://github.com/triggerdotdev/trigger.dev/pull/3543))
+
+  ```ts
+  const userContext = chat.local<{ name: string; plan: string }>({ id: "userContext" });
+
+  export const myChat = chat.agent({
+    id: "my-chat",
+    onBoot: async ({ clientData, continuation }) => {
+      const user = await db.user.findUnique({ where: { id: clientData.userId } });
+      userContext.init({ name: user.name, plan: user.plan });
+    },
+    run: async ({ messages, signal }) =>
+      streamText({ model: openai("gpt-4o"), messages, abortSignal: signal }),
+  });
+  ```
+
+  Use `onBoot` (not `onChatStart`) for state setup that must run every time a worker picks up the chat — `onChatStart` fires once per chat and won't run on continuation, leaving `chat.local` uninitialized when `run()` tries to use it.
+
+- **AI Agents** — run AI SDK chat completions as durable Trigger.dev agents instead of fragile API routes. Define an agent in one function, point `useChat` at it from React, and the conversation survives page refreshes, network blips, and process restarts. ([#3543](https://github.com/triggerdotdev/trigger.dev/pull/3543))
+
+  ```ts
+  import { chat } from "@trigger.dev/sdk/ai";
+  import { streamText } from "ai";
+  import { openai } from "@ai-sdk/openai";
+
+  export const myChat = chat.agent({
+    id: "my-chat",
+    run: async ({ messages, signal }) =>
+      streamText({ model: openai("gpt-4o"), messages, abortSignal: signal }),
+  });
+  ```
+
+  ```tsx
+  import { useChat } from "@ai-sdk/react";
+  import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+
+  const transport = useTriggerChatTransport({ task: "my-chat", accessToken, startSession });
+  const { messages, sendMessage } = useChat({ transport });
+  ```
+
+  **What you get:**
+
+  - **AI SDK `useChat` integration** — a custom [`ChatTransport`](https://sdk.vercel.ai/docs/ai-sdk-ui/transport) (`useTriggerChatTransport`) plugs straight into Vercel AI SDK's `useChat` hook. Text streaming, tool calls, reasoning, and `data-*` parts all work natively over Trigger.dev's realtime streams. No custom API routes needed.
+  - **First-turn fast path (`chat.headStart`)** — opt-in handler that runs the first turn's `streamText` step in your warm server process while the agent run boots in parallel, cutting cold-start TTFC by roughly half (measured 2801ms → 1218ms on `claude-sonnet-4-6`). The agent owns step 2+ (tool execution, persistence, hooks) so heavy deps stay where they belong. Web Fetch handler works natively in Next.js, Hono, SvelteKit, Remix, Workers, etc.; bridge to Express/Fastify/Koa via `chat.toNodeListener`. New `@trigger.dev/sdk/chat-server` subpath.
+  - **Multi-turn durability via Sessions** — every chat is backed by a durable Session that outlives any individual run. Conversations resume across page refreshes, idle timeout, crashes, and deploys; `resume: true` reconnects via `lastEventId` so clients only see new chunks. `sessions.list` enumerates chats for inbox-style UIs.
+  - **Auto-accumulated history, delta-only wire** — the backend accumulates the full conversation across turns; clients only ship the new message each turn. Long chats never hit the 512 KiB body cap. Register `hydrateMessages` to be the source of truth yourself.
+  - **Lifecycle hooks** — `onPreload`, `onChatStart`, `onValidateMessages`, `hydrateMessages`, `onTurnStart`, `onBeforeTurnComplete`, `onTurnComplete`, `onChatSuspend`, `onChatResume` — for persistence, validation, and post-turn work.
+  - **Stop generation** — client-driven `transport.stopGeneration(chatId)` aborts mid-stream; the run stays alive for the next message, partial response is captured, and aborted parts (stuck `partial-call` tools, in-progress reasoning) are auto-cleaned.
+  - **Tool approvals (HITL)** — tools with `needsApproval: true` pause until the user approves or denies via `addToolApprovalResponse`. The runtime reconciles the updated assistant message by ID and continues `streamText`.
+  - **Steering and background injection** — `pendingMessages` injects user messages between tool-call steps so users can steer the agent mid-execution; `chat.inject()` + `chat.defer()` adds context from background work (self-review, RAG, safety checks) between turns.
+  - **Actions** — non-turn frontend commands (undo, rollback, regenerate, edit) sent via `transport.sendAction`. Fire `hydrateMessages` + `onAction` only — no turn hooks, no `run()`. `onAction` can return a `StreamTextResult` for a model response, or `void` for side-effect-only.
+  - **Typed state primitives** — `chat.local<T>` for per-run state accessible from hooks, `run()`, tools, and subtasks (auto-serialized through `ai.toolExecute`); `chat.store` for typed shared data between agent and client; `chat.history` for reading and mutating the message chain; `clientDataSchema` for typed `clientData` in every hook.
+  - **`chat.toStreamTextOptions()`** — one spread into `streamText` wires up versioned system [Prompts](https://trigger.dev/docs/ai/prompts), model resolution, telemetry metadata, compaction, steering, and background injection.
+  - **Multi-tab coordination** — `multiTab: true` + `useMultiTabChat` prevents duplicate sends and syncs state across browser tabs via `BroadcastChannel`. Non-active tabs go read-only with live updates.
+  - **Network resilience** — built-in indefinite retry with bounded backoff, reconnect on `online` / tab refocus / bfcache restore, `Last-Event-ID` mid-stream resume. No app code needed.
+
+  See [/docs/ai-chat](https://trigger.dev/docs/ai-chat/overview) for the full surface — quick start, three backend approaches (`chat.agent`, `chat.createSession`, raw task), persistence and code-sandbox patterns, type-level guides, and API reference.
+
+- Add read primitives to `chat.history` for HITL flows: `getPendingToolCalls()`, `getResolvedToolCalls()`, `extractNewToolResults(message)`, `getChain()`, and `findMessage(messageId)`. These lift the accumulator-walking logic that customers building human-in-the-loop tools were re-implementing into the SDK. ([#3543](https://github.com/triggerdotdev/trigger.dev/pull/3543))
+
+  Use `getPendingToolCalls()` to gate fresh user turns while a tool call is awaiting an answer. Use `extractNewToolResults(message)` to dedup tool results when persisting to your own store — the helper returns only the parts whose `toolCallId` is not already resolved on the chain.
+
+  ```ts
+  const pending = chat.history.getPendingToolCalls();
+  if (pending.length > 0) {
+    // an addToolOutput is expected before a new user message
+  }
+
+  onTurnComplete: async ({ responseMessage }) => {
+    const newResults = chat.history.extractNewToolResults(responseMessage);
+    for (const r of newResults) {
+      await db.toolResults.upsert({ id: r.toolCallId, output: r.output, errorText: r.errorText });
+    }
+  };
+  ```
+
+- **Sessions** — a durable, run-aware stream channel keyed on a stable `externalId`. A Session is the unit of state that owns a multi-run conversation: messages flow through `.in`, responses through `.out`, both survive run boundaries. Sessions back the new `chat.agent` runtime, and you can build on them directly for any pattern that needs durable bi-directional streaming across runs. ([#3542](https://github.com/triggerdotdev/trigger.dev/pull/3542))
+
+  ```ts
+  import { sessions, tasks } from "@trigger.dev/sdk";
+
+  // Trigger a task and subscribe to its session output in one call
+  const { runId, stream } = await tasks.triggerAndSubscribe("my-task", payload, {
+    externalId: "user-456",
+  });
+
+  for await (const chunk of stream) {
+    // ...
+  }
+
+  // Enumerate existing sessions (powers inbox-style UIs without a separate index)
+  for await (const s of sessions.list({ type: "chat.agent", tag: "user:user-456" })) {
+    console.log(s.id, s.externalId, s.createdAt, s.closedAt);
+  }
+  ```
+
+  See [/docs/ai-chat/overview](https://trigger.dev/docs/ai-chat/overview) for the full surface — Sessions powers the durable, resumable chat runtime described there.
+
+### Patch Changes
+
+- Add Agent Skills for `chat.agent`. Drop a folder with a `SKILL.md` and any helper scripts/references next to your task code, register it with `skills.define({ id, path })`, and the CLI bundles it into the deploy image automatically — no `trigger.config.ts` changes. The agent gets a one-line summary in its system prompt and discovers full instructions on demand via `loadSkill`, with `bash` and `readFile` tools scoped per-skill (path-traversal guards, output caps, abort-signal propagation). ([#3543](https://github.com/triggerdotdev/trigger.dev/pull/3543))
+
+  ```ts
+  const pdfSkill = skills.define({ id: "pdf-extract", path: "./skills/pdf-extract" });
+
+  chat.skills.set([await pdfSkill.local()]);
+  ```
+
+  Built on the [AI SDK cookbook pattern](https://ai-sdk.dev/cookbook/guides/agent-skills) — portable across providers. SDK + CLI only for now; dashboard-editable `SKILL.md` text is on the roadmap.
+
+- Add `ai.toolExecute(task)` so you can wire a Trigger subtask in as the `execute` handler of an AI SDK `tool()` while defining `description` and `inputSchema` yourself — useful when you want full control over the tool surface and just need Trigger's subtask machinery for the body. ([#3546](https://github.com/triggerdotdev/trigger.dev/pull/3546))
+
+  ```ts
+  const myTool = tool({
+    description: "...",
+    inputSchema: z.object({ ... }),
+    execute: ai.toolExecute(mySubtask),
+  });
+  ```
+
+  `ai.tool(task)` (`toolFromTask`) keeps doing the all-in-one wrap and now aligns its return type with AI SDK's `ToolSet`. Minimum `ai` peer raised to `^6.0.116` to avoid cross-version `ToolSet` mismatches in monorepos.
+
+- Stamp `gen_ai.conversation.id` (the chat id) on every span and metric emitted from inside a `chat.task` or `chat.agent` run. Lets you filter dashboard spans, runs, and metrics by the chat conversation that produced them — independent of the run boundary, so multi-run chats correlate cleanly. No code changes required on the user side. ([#3543](https://github.com/triggerdotdev/trigger.dev/pull/3543))
+- Type `chat.createStartSessionAction` against your chat agent so `clientData` is typed end-to-end on the first turn: ([#3684](https://github.com/triggerdotdev/trigger.dev/pull/3684))
+
+  ```ts
+  import { chat } from "@trigger.dev/sdk/ai";
+  import type { myChat } from "@/trigger/chat";
+
+  export const startChatSession = chat.createStartSessionAction<typeof myChat>("my-chat");
+
+  // In the browser, threaded from the transport's typed startSession callback:
+  const transport = useTriggerChatTransport<typeof myChat>({
+    task: "my-chat",
+    startSession: ({ chatId, clientData }) => startChatSession({ chatId, clientData }),
+    // ...
+  });
+  ```
+
+  `ChatStartSessionParams` gains a typed `clientData` field — folded into the first run's `payload.metadata` so `onPreload` / `onChatStart` see the same shape per-turn `metadata` carries via the transport. The opaque session-level `metadata` field is unchanged.
+
+- Unit-test `chat.agent` definitions offline with `mockChatAgent` from `@trigger.dev/sdk/ai/test`. Drives a real agent's turn loop in-process — no network, no task runtime — so you can send messages, actions, and stop signals via driver methods, inspect captured output chunks, and verify hooks fire. Pairs with `MockLanguageModelV3` from `ai/test` for model mocking. `setupLocals` lets you pre-seed `locals` (DB clients, service stubs) before `run()` starts. ([#3543](https://github.com/triggerdotdev/trigger.dev/pull/3543))
+
+  The broader `runInMockTaskContext` harness it's built on lives at `@trigger.dev/core/v3/test` — useful for unit-testing any task code, not just chat.
+
+- Add `region` to the runs list / retrieve API: filter runs by region (`runs.list({ region: "..." })` / `filter[region]=<masterQueue>`) and read each run's executing region from the new `region` field on the response. ([#3612](https://github.com/triggerdotdev/trigger.dev/pull/3612))
+- Updated dependencies:
+  - `@trigger.dev/core@4.5.0-rc.0`
+
+## 4.4.6
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.6`
+
+## 4.4.5
+
+### Patch Changes
+
+- Updated dependencies:
+  - `@trigger.dev/core@4.4.5`
+
 ## 4.4.4
 
 ### Patch Changes
diff --git a/packages/trigger-sdk/CLAUDE.md b/packages/trigger-sdk/CLAUDE.md
index 8311956358c..b4ee880f405 100644
--- a/packages/trigger-sdk/CLAUDE.md
+++ b/packages/trigger-sdk/CLAUDE.md
@@ -21,7 +21,7 @@ Always import from `@trigger.dev/sdk`. Never use `@trigger.dev/sdk/v3` (deprecat
 ## When Adding Features
 
 1. Implement the feature in the SDK
-2. Test with `references/hello-world` reference project
+2. Test with the `hello-world` project in the [`triggerdotdev/references`](https://github.com/triggerdotdev/references) repo
 3. Docs updates (`docs/`) are usually done in a separate PR
 
 Do NOT update `rules/` or `.claude/skills/trigger-dev-tasks/` unless explicitly asked. These are maintained in separate dedicated passes.
diff --git a/packages/trigger-sdk/package.json b/packages/trigger-sdk/package.json
index cd38b7d2300..b68f3333143 100644
--- a/packages/trigger-sdk/package.json
+++ b/packages/trigger-sdk/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@trigger.dev/sdk",
-  "version": "4.4.4",
+  "version": "4.5.0-rc.5",
   "description": "trigger.dev Node.JS SDK",
   "license": "MIT",
   "publishConfig": {
@@ -12,6 +12,7 @@
     "directory": "packages/trigger-sdk"
   },
   "type": "module",
+  "sideEffects": false,
   "files": [
     "dist"
   ],
@@ -24,7 +25,12 @@
       "./package.json": "./package.json",
       ".": "./src/v3/index.ts",
       "./v3": "./src/v3/index.ts",
-      "./ai": "./src/v3/ai.ts"
+      "./ai": "./src/v3/ai.ts",
+      "./ai/skills-runtime": "./src/v3/agentSkillsRuntime.ts",
+      "./ai/test": "./src/v3/test/index.ts",
+      "./chat": "./src/v3/chat.ts",
+      "./chat/react": "./src/v3/chat-react.ts",
+      "./chat-server": "./src/v3/chat-server.ts"
     },
     "sourceDialects": [
       "@triggerdotdev/source"
@@ -37,6 +43,21 @@
       ],
       "ai": [
         "dist/commonjs/v3/ai.d.ts"
+      ],
+      "ai/skills-runtime": [
+        "dist/commonjs/v3/agentSkillsRuntime.d.ts"
+      ],
+      "ai/test": [
+        "dist/commonjs/v3/test/index.d.ts"
+      ],
+      "chat": [
+        "dist/commonjs/v3/chat.d.ts"
+      ],
+      "chat/react": [
+        "dist/commonjs/v3/chat-react.d.ts"
+      ],
+      "chat-server": [
+        "dist/commonjs/v3/chat-server.d.ts"
       ]
     }
   },
@@ -45,14 +66,15 @@
     "build": "tshy && pnpm run update-version",
     "dev": "tshy --watch",
     "typecheck": "tsc --noEmit",
+    "typecheck:ai-v7": "tsc --noEmit -p tsconfig.ai-v7.json",
     "test": "vitest",
     "update-version": "tsx ../../scripts/updateVersion.ts",
     "check-exports": "attw --pack ."
   },
   "dependencies": {
-    "@opentelemetry/api": "1.9.0",
-    "@opentelemetry/semantic-conventions": "1.36.0",
-    "@trigger.dev/core": "workspace:4.4.4",
+    "@opentelemetry/api": "1.9.1",
+    "@opentelemetry/semantic-conventions": "1.41.1",
+    "@trigger.dev/core": "workspace:4.5.0-rc.5",
     "chalk": "^5.2.0",
     "cronstrue": "^2.21.0",
     "debug": "^4.3.4",
@@ -60,30 +82,39 @@
     "slug": "^6.0.0",
     "ulid": "^2.3.0",
     "uncrypto": "^0.1.3",
-    "uuid": "^9.0.0",
     "ws": "^8.11.0"
   },
   "devDependencies": {
+    "@ai-sdk/provider": "3.0.8",
     "@arethetypeswrong/cli": "^0.15.4",
     "@types/debug": "^4.1.7",
+    "@types/react": "^19.2.14",
     "@types/slug": "^5.0.3",
-    "@types/uuid": "^9.0.0",
     "@types/ws": "^8.5.3",
-    "ai": "^6.0.0",
+    "ai": "^6.0.116",
+    "ai-v7": "npm:ai@7.0.0-canary.159",
     "encoding": "^0.1.13",
-    "rimraf": "^3.0.2",
+    "rimraf": "^6.0.1",
     "tshy": "^3.0.2",
     "tsx": "4.17.0",
     "typed-emitter": "^2.1.0",
     "zod": "3.25.76"
   },
   "peerDependencies": {
-    "zod": "^3.0.0 || ^4.0.0",
-    "ai": "^4.2.0 || ^5.0.0 || ^6.0.0"
+    "@ai-sdk/otel": ">=1.0.0-0 <2",
+    "ai": "^5.0.0 || ^6.0.0 || >=7.0.0-canary <8",
+    "react": "^18.0 || ^19.0",
+    "zod": "^3.0.0 || ^4.0.0"
   },
   "peerDependenciesMeta": {
+    "@ai-sdk/otel": {
+      "optional": true
+    },
     "ai": {
       "optional": true
+    },
+    "react": {
+      "optional": true
     }
   },
   "engines": {
@@ -123,6 +154,61 @@
         "types": "./dist/commonjs/v3/ai.d.ts",
         "default": "./dist/commonjs/v3/ai.js"
       }
+    },
+    "./ai/skills-runtime": {
+      "import": {
+        "@triggerdotdev/source": "./src/v3/agentSkillsRuntime.ts",
+        "types": "./dist/esm/v3/agentSkillsRuntime.d.ts",
+        "default": "./dist/esm/v3/agentSkillsRuntime.js"
+      },
+      "require": {
+        "types": "./dist/commonjs/v3/agentSkillsRuntime.d.ts",
+        "default": "./dist/commonjs/v3/agentSkillsRuntime.js"
+      }
+    },
+    "./ai/test": {
+      "import": {
+        "@triggerdotdev/source": "./src/v3/test/index.ts",
+        "types": "./dist/esm/v3/test/index.d.ts",
+        "default": "./dist/esm/v3/test/index.js"
+      },
+      "require": {
+        "types": "./dist/commonjs/v3/test/index.d.ts",
+        "default": "./dist/commonjs/v3/test/index.js"
+      }
+    },
+    "./chat": {
+      "import": {
+        "@triggerdotdev/source": "./src/v3/chat.ts",
+        "types": "./dist/esm/v3/chat.d.ts",
+        "default": "./dist/esm/v3/chat.js"
+      },
+      "require": {
+        "types": "./dist/commonjs/v3/chat.d.ts",
+        "default": "./dist/commonjs/v3/chat.js"
+      }
+    },
+    "./chat/react": {
+      "import": {
+        "@triggerdotdev/source": "./src/v3/chat-react.ts",
+        "types": "./dist/esm/v3/chat-react.d.ts",
+        "default": "./dist/esm/v3/chat-react.js"
+      },
+      "require": {
+        "types": "./dist/commonjs/v3/chat-react.d.ts",
+        "default": "./dist/commonjs/v3/chat-react.js"
+      }
+    },
+    "./chat-server": {
+      "import": {
+        "@triggerdotdev/source": "./src/v3/chat-server.ts",
+        "types": "./dist/esm/v3/chat-server.d.ts",
+        "default": "./dist/esm/v3/chat-server.js"
+      },
+      "require": {
+        "types": "./dist/commonjs/v3/chat-server.d.ts",
+        "default": "./dist/commonjs/v3/chat-server.js"
+      }
     }
   },
   "main": "./dist/commonjs/v3/index.js",
diff --git a/packages/trigger-sdk/src/imports/ai-runtime-cjs.cts b/packages/trigger-sdk/src/imports/ai-runtime-cjs.cts
new file mode 100644
index 00000000000..8ad336dbaeb
--- /dev/null
+++ b/packages/trigger-sdk/src/imports/ai-runtime-cjs.cts
@@ -0,0 +1,26 @@
+// CJS variant of ./ai-runtime.ts — tshy swaps this in for the CommonJS build.
+// `require("ai")` of an ESM-only package is supported on Node >=20.19 / >=22.12.
+
+// @ts-ignore
+const ai = require("ai");
+
+// @ts-ignore
+module.exports.convertToModelMessages = ai.convertToModelMessages;
+// @ts-ignore
+module.exports.dynamicTool = ai.dynamicTool;
+// @ts-ignore
+module.exports.generateId = ai.generateId;
+// @ts-ignore
+module.exports.getToolName = ai.getToolName;
+// @ts-ignore
+module.exports.isToolUIPart = ai.isToolUIPart;
+// @ts-ignore
+module.exports.jsonSchema = ai.jsonSchema;
+// @ts-ignore
+module.exports.readUIMessageStream = ai.readUIMessageStream;
+// @ts-ignore
+module.exports.stepCountIs = ai.stepCountIs;
+// @ts-ignore
+module.exports.tool = ai.tool;
+// @ts-ignore
+module.exports.zodSchema = ai.zodSchema;
diff --git a/packages/trigger-sdk/src/imports/ai-runtime.ts b/packages/trigger-sdk/src/imports/ai-runtime.ts
new file mode 100644
index 00000000000..8c713bce876
--- /dev/null
+++ b/packages/trigger-sdk/src/imports/ai-runtime.ts
@@ -0,0 +1,39 @@
+// Runtime VALUE imports from `ai`, isolated behind a paired ESM/CJS shim.
+//
+// `ai@7` is ESM-only (no `require` export). Under NodeNext + TS < 5.8 a value
+// import of an ESM-only package emitted to a CJS file raises TS1479, which
+// would break the SDK's CommonJS build. tshy maps `ai-runtime-cjs.cts` -> the
+// CJS build and this `.ts` -> the ESM build, so each dialect gets the right
+// form. `require(esm)` is stable on Node >=20.19 / >=22.12 (both our targets),
+// so the CJS variant works at runtime. Mirrors `imports/uncrypto{,-cjs.cts}`.
+//
+// VALUES only — type-only imports from `ai` erase and don't trip TS1479, so
+// they stay as direct `import type { … } from "ai"` at their use sites.
+
+// @ts-ignore
+import {
+  convertToModelMessages,
+  dynamicTool,
+  generateId,
+  getToolName,
+  isToolUIPart,
+  jsonSchema,
+  readUIMessageStream,
+  stepCountIs,
+  tool,
+  zodSchema,
+} from "ai";
+
+// @ts-ignore
+export {
+  convertToModelMessages,
+  dynamicTool,
+  generateId,
+  getToolName,
+  isToolUIPart,
+  jsonSchema,
+  readUIMessageStream,
+  stepCountIs,
+  tool,
+  zodSchema,
+};
diff --git a/packages/trigger-sdk/src/v3/agentSkillsRuntime.ts b/packages/trigger-sdk/src/v3/agentSkillsRuntime.ts
new file mode 100644
index 00000000000..2cb9d2f70bf
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/agentSkillsRuntime.ts
@@ -0,0 +1,166 @@
+import { spawn } from "node:child_process";
+import * as fs from "node:fs/promises";
+import * as nodePath from "node:path";
+
+/**
+ * Server-only runtime for the auto-injected skill tools
+ * (`loadSkill` / `readFile` / `bash`) that `chat.agent({ skills })`
+ * wires up. Split off from `./ai.ts` so the chat-agent surface in
+ * `@trigger.dev/sdk/ai` stays importable from client bundles —
+ * Next.js + Webpack reject top-level `node:*` imports anywhere in a
+ * client graph, even when a consumer only pulls in types.
+ *
+ * The SDK's `ai.ts` loads this module via a computed-string dynamic
+ * import inside each tool's `execute` — webpack treats the
+ * expression as an unknown dependency and skips static tracing, so
+ * the node-only symbols here never surface in a client build. The
+ * module resolves fine at runtime on a server worker because the
+ * relative path (`./agentSkillsRuntime.js`) lands next to `ai.js` in
+ * the emitted dist.
+ *
+ * Public subpath: `@trigger.dev/sdk/ai/skills-runtime`. Customers
+ * who want to eagerly bundle the runtime server-side (e.g. warming
+ * it on worker bootstrap) can import from there.
+ */
+
+const DEFAULT_BASH_OUTPUT_BYTES = 64 * 1024;
+const DEFAULT_READ_FILE_BYTES = 1024 * 1024;
+
+export type BashSkillInput = {
+  /** Absolute path to the skill's root (used as `cwd`). */
+  skillPath: string;
+  /** The bash command to run. */
+  command: string;
+  /** Optional abort signal forwarded to `spawn()`. */
+  abortSignal?: AbortSignal;
+};
+
+export type BashSkillResult =
+  | { exitCode: number | null; stdout: string; stderr: string }
+  | { error: string };
+
+export type ReadFileInSkillInput = {
+  /** Absolute path to the skill's root — the relative path must resolve inside it. */
+  skillPath: string;
+  /** Relative path the tool caller supplied. */
+  relativePath: string;
+};
+
+export type ReadFileInSkillResult = { content: string } | { error: string };
+
+function truncate(s: string, limit: number): string {
+  if (s.length <= limit) return s;
+  return s.slice(0, limit) + `\n…[truncated ${s.length - limit} bytes]`;
+}
+
+/**
+ * Path-traversal guard: confirm `relative` resolves inside `root`,
+ * even after symlinks are followed. Throws if it escapes via `..`, an
+ * absolute prefix, or a symlink that points outside. Returns the
+ * resolved real path.
+ *
+ * `fs.realpath` only works on paths that exist, so when the resolved
+ * path doesn't exist yet (e.g. writing a new file) we fall back to
+ * the lexical check — a non-existent path can't traverse a symlink
+ * to escape since the symlink doesn't exist either.
+ */
+async function safeJoinInside(root: string, relative: string): Promise<string> {
+  if (nodePath.isAbsolute(relative)) {
+    throw new Error(`Path must be relative to the skill directory: ${relative}`);
+  }
+  const realRoot = await fs.realpath(nodePath.resolve(root));
+  const resolved = nodePath.resolve(realRoot, relative);
+  let real = resolved;
+  try {
+    real = await fs.realpath(resolved);
+  } catch (err) {
+    if ((err as NodeJS.ErrnoException).code !== "ENOENT") {
+      throw err;
+    }
+    // Path doesn't exist yet; fall through with the lexical resolve.
+  }
+  const normalized = realRoot + nodePath.sep;
+  if (real !== realRoot && !real.startsWith(normalized)) {
+    throw new Error(`Path escapes the skill directory: ${relative}`);
+  }
+  return real;
+}
+
+export async function readFileInSkill({
+  skillPath,
+  relativePath,
+}: ReadFileInSkillInput): Promise<ReadFileInSkillResult> {
+  let absolute: string;
+  try {
+    absolute = await safeJoinInside(skillPath, relativePath);
+  } catch (err) {
+    return { error: (err as Error).message };
+  }
+  try {
+    const content = await fs.readFile(absolute, "utf8");
+    return { content: truncate(content, DEFAULT_READ_FILE_BYTES) };
+  } catch (err) {
+    return { error: (err as Error).message };
+  }
+}
+
+export async function runBashInSkill({
+  skillPath,
+  command,
+  abortSignal,
+}: BashSkillInput): Promise<BashSkillResult> {
+  return new Promise<BashSkillResult>((resolvePromise) => {
+    let child;
+    try {
+      child = spawn("bash", ["-c", command], {
+        cwd: skillPath,
+        signal: abortSignal,
+      });
+    } catch (err) {
+      resolvePromise({ error: (err as Error).message });
+      return;
+    }
+
+    // Cap stdout/stderr accumulation at the byte budget so an
+    // LLM-generated command (`cat /dev/zero`, `yes`) can't OOM the
+    // worker. Track total seen length separately so the truncation
+    // notice still reports how much was dropped.
+    let stdout = "";
+    let stderr = "";
+    let stdoutSeen = 0;
+    let stderrSeen = 0;
+    const limit = DEFAULT_BASH_OUTPUT_BYTES;
+    child.stdout?.on("data", (chunk: Buffer | string) => {
+      const text = chunk.toString();
+      stdoutSeen += text.length;
+      if (stdout.length >= limit) return;
+      const remaining = limit - stdout.length;
+      stdout += text.length > remaining ? text.slice(0, remaining) : text;
+    });
+    child.stderr?.on("data", (chunk: Buffer | string) => {
+      const text = chunk.toString();
+      stderrSeen += text.length;
+      if (stderr.length >= limit) return;
+      const remaining = limit - stderr.length;
+      stderr += text.length > remaining ? text.slice(0, remaining) : text;
+    });
+    child.once("close", (code: number | null) => {
+      const stdoutFinal =
+        stdoutSeen > stdout.length
+          ? `${stdout}\n…[truncated ${stdoutSeen - stdout.length} bytes]`
+          : stdout;
+      const stderrFinal =
+        stderrSeen > stderr.length
+          ? `${stderr}\n…[truncated ${stderrSeen - stderr.length} bytes]`
+          : stderr;
+      resolvePromise({
+        exitCode: code,
+        stdout: stdoutFinal,
+        stderr: stderrFinal,
+      });
+    });
+    child.once("error", (err: Error) => {
+      resolvePromise({ error: err.message });
+    });
+  });
+}
diff --git a/packages/trigger-sdk/src/v3/ai-shared.ts b/packages/trigger-sdk/src/v3/ai-shared.ts
new file mode 100644
index 00000000000..a0ea3036cff
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/ai-shared.ts
@@ -0,0 +1,368 @@
+/**
+ * Browser-safe primitives shared between `@trigger.dev/sdk/ai` (server) and
+ * `@trigger.dev/sdk/chat` / `@trigger.dev/sdk/chat/react` (client).
+ *
+ * This module exists to keep `ai.ts` reachable only from the server graph.
+ * `ai.ts` weighs in at ~7000 lines and statically imports the agent-skills
+ * runtime (which uses `node:child_process` / `node:fs/promises`). When a
+ * browser bundle imports a runtime value from `ai.ts` — historically the
+ * `PENDING_MESSAGE_INJECTED_TYPE` constant in `chat-react.ts` — the bundler
+ * traces `ai.ts`'s entire module graph into the client chunk and hits the
+ * `node:` builtins, which Turbopack rejects outright (and webpack flags as
+ * a "Critical dependency" warning).
+ *
+ * Anything in this file MUST stay free of `node:*` imports and free of any
+ * import from `ai.ts`.
+ */
+
+import type { Task, AnyTask } from "@trigger.dev/core/v3";
+import type { InferUITools, ModelMessage, ToolSet, UIDataTypes, UIMessage } from "ai";
+
+/**
+ * Message-part `type` value for the pending-message data part the agent
+ * injects when a follow-up message arrives mid-turn.
+ */
+export const PENDING_MESSAGE_INJECTED_TYPE = "data-pending-message-injected" as const;
+
+/**
+ * The wire payload shape sent by `TriggerChatTransport`.
+ * Uses `metadata` to match the AI SDK's `ChatRequestOptions` field name.
+ *
+ * Slim wire: at most ONE message per record. The agent runtime
+ * reconstructs prior history at run boot from a durable S3 snapshot +
+ * `session.out` replay (or `hydrateMessages` if registered). The wire is
+ * delta-only — see plan `vivid-humming-bonbon.md`.
+ */
+export type ChatTaskWirePayload<TMessage extends UIMessage = UIMessage, TMetadata = unknown> = {
+  /**
+   * The single message being delivered on this trigger. Set for:
+   *   - `submit-message`: the new user message OR a tool-approval-responded
+   *     assistant message (with `state: "approval-responded"` tool parts).
+   *   - `regenerate-message`: omitted (the agent slices its own history).
+   *   - `preload` / `close` / `action`: omitted.
+   *   - `handover-prepare`: omitted (use `headStartMessages` instead).
+   */
+  message?: TMessage;
+  /**
+   * Bespoke escape hatch for `chat.headStart`. The customer's HTTP route
+   * handler ships full `UIMessage[]` history at the very first turn — before
+   * any snapshot exists. The route handler isn't subject to the
+   * `MAX_APPEND_BODY_BYTES` cap on `/in/append` because it goes through the
+   * customer's own HTTP endpoint. Used ONLY by `trigger: "handover-prepare"`.
+   * Ignored on every other trigger.
+   */
+  headStartMessages?: TMessage[];
+  chatId: string;
+  trigger:
+    | "submit-message"
+    | "regenerate-message"
+    | "preload"
+    | "close"
+    | "action"
+    /**
+     * The customer's `chat.handover` route handler kicked us off in
+     * parallel with the first-turn `streamText` running in the warm
+     * Next.js process. The run sits idle on `session.in` waiting for
+     * a `kind: "handover"` (continue from tool execution) or
+     * `kind: "handover-skip"` (handler finished pure-text, exit
+     * cleanly). See `chat.handover` in `@trigger.dev/sdk/chat-server`.
+     */
+    | "handover-prepare";
+  messageId?: string;
+  metadata?: TMetadata;
+  /** Custom action payload when `trigger` is `"action"`. Validated against `actionSchema` on the backend. */
+  action?: unknown;
+  /** Whether this run is continuing an existing chat whose previous run ended. */
+  continuation?: boolean;
+  /** The run ID of the previous run (only set when `continuation` is true). */
+  previousRunId?: string;
+  /** Override idle timeout for this run (seconds). Set by transport.preload(). */
+  idleTimeoutInSeconds?: number;
+  /**
+   * The friendlyId of the Session primitive backing this chat. The
+   * transport opens (or lazy-creates) the session with
+   * `externalId = chatId` on first message, then sends this friendlyId
+   * through to the run so the agent can attach to `.in` / `.out`
+   * without needing to round-trip through the control plane again.
+   * Optional for backward-compat while the migration is in flight;
+   * required once the legacy run-scoped stream path is removed.
+   */
+  sessionId?: string;
+};
+
+/**
+ * One chunk on the chat input stream. `kind` discriminates the variants —
+ * a single ordered stream now carries all the signals the old three-stream
+ * split did (`chat-messages`, `chat-stop`, plus action messages piggybacked
+ * on `chat-messages`).
+ */
+export type ChatInputChunk<TMessage extends UIMessage = UIMessage, TMetadata = unknown> =
+  | {
+      kind: "message";
+      /**
+       * Full wire payload for a new user message or regeneration. Mirrors
+       * what the legacy `chat-messages` input stream carried.
+       */
+      payload: ChatTaskWirePayload<TMessage, TMetadata>;
+    }
+  | {
+      kind: "stop";
+      /** Optional human-readable reason. Maps to the legacy `chat-stop` record. */
+      message?: string;
+    }
+  | {
+      /**
+       * Sent by `chat.headStart` when the customer's first-turn
+       * `streamText` finishes. The agent run (currently parked in
+       * `handover-prepare`) wakes, seeds its accumulators with
+       * `partialAssistantMessage`, and runs the normal turn loop
+       * (`onChatStart` → `onTurnStart` → … → `onTurnComplete`).
+       *
+       * What happens after that depends on `isFinal`:
+       *
+       * - `isFinal: false` — step 1 ended with `finishReason:
+       *   "tool-calls"`. The partial carries the assistant's
+       *   tool-call(s) wrapped in AI SDK's tool-approval round. The
+       *   agent's `streamText` runs the approved tools and continues
+       *   from step 2.
+       * - `isFinal: true` — step 1 ended pure-text (no tool calls).
+       *   The partial carries the final assistant text. The agent
+       *   skips the LLM call entirely (the response is already
+       *   complete on the customer side) and runs `onTurnComplete`
+       *   with the partial as `responseMessage` so persistence and
+       *   any post-turn work fire normally.
+       */
+      kind: "handover";
+      /** Customer's step-1 response messages (ModelMessage form). */
+      partialAssistantMessage: ModelMessage[];
+      /**
+       * The UI messageId the customer's handler used for its step-1
+       * assistant message. The agent reuses this so any post-handover
+       * chunks (tool-output-available, step-2 text, data-* parts
+       * written by hooks) merge into the SAME assistant message on
+       * the browser side instead of starting a new one.
+       */
+      messageId?: string;
+      /**
+       * Whether the customer's step 1 is the final response. See
+       * `kind` description above for the two branches.
+       */
+      isFinal: boolean;
+    }
+  | {
+      /**
+       * Sent by `chat.headStart` only when the customer's handler
+       * ABORTS before producing a finishReason (e.g., dispatch error,
+       * stream cancelled before any tokens). The agent run exits
+       * cleanly without firing turn hooks. Normal pure-text and
+       * tool-call finishes go through `kind: "handover"` with the
+       * appropriate `isFinal` flag.
+       */
+      kind: "handover-skip";
+    };
+
+/**
+ * Extracts the client-data (`metadata`) type from a chat task.
+ *
+ * @example
+ * ```ts
+ * import type { InferChatClientData } from "@trigger.dev/sdk/ai";
+ * import type { myChat } from "@/trigger/chat";
+ *
+ * type MyClientData = InferChatClientData<typeof myChat>;
+ * ```
+ */
+export type InferChatClientData<TTask extends AnyTask> = TTask extends Task<
+  string,
+  ChatTaskWirePayload<any, infer TMetadata>,
+  any
+>
+  ? TMetadata
+  : unknown;
+
+/**
+ * Extracts the UI message type from a chat task (wire payload `message` items).
+ *
+ * @example
+ * ```ts
+ * import type { InferChatUIMessage } from "@trigger.dev/sdk/ai";
+ * import type { myChat } from "@/trigger/chat";
+ *
+ * type Msg = InferChatUIMessage<typeof myChat>;
+ * ```
+ */
+export type InferChatUIMessage<TTask extends AnyTask> = TTask extends Task<
+  string,
+  ChatTaskWirePayload<infer TUIM extends UIMessage, any>,
+  any
+>
+  ? TUIM
+  : UIMessage;
+
+/**
+ * Derive the chat `UIMessage` type for a given tool set. The tool-part types
+ * (`tool-${name}` with typed input/output) are inferred from the tools. Use
+ * this to declare the message type from your tools (e.g. to pass to
+ * `chat.withUIMessage<...>()` or to type the frontend) without hand-writing
+ * the `UIMessage<unknown, UIDataTypes, InferUITools<...>>` triple.
+ *
+ * @example
+ * ```ts
+ * import type { InferChatUIMessageFromTools } from "@trigger.dev/sdk/ai";
+ * const tools = { search, readFile };
+ * type ChatUiMessage = InferChatUIMessageFromTools<typeof tools>;
+ * ```
+ */
+export type InferChatUIMessageFromTools<TTools extends ToolSet> = UIMessage<
+  unknown,
+  UIDataTypes,
+  InferUITools<TTools>
+>;
+
+/**
+ * Upsert an incoming wire message into the customer's DB-backed chain
+ * inside a `hydrateMessages` hook. Returns `true` iff the chain was
+ * mutated (the caller should persist).
+ *
+ * Handles the three cases that matter:
+ *
+ *  - **Non-submit-message trigger** (`regenerate-message` / `action`,
+ *    or `submit-message` with no incoming): no-op. Returns `false`.
+ *  - **Incoming id already in `stored`** (HITL `addToolOutput` /
+ *    `addToolApproveResponse` continuation — the wire carries the
+ *    existing assistant's id with a slim resolution payload): no-op.
+ *    The runtime's per-turn merge overlays the new tool-state advance
+ *    onto the existing entry; pushing again would duplicate the row
+ *    in the chain you return, and the duplicate slim copy would hit
+ *    `toModelMessages` with no `input`. Returns `false`.
+ *  - **Incoming id not in `stored`** (typically a fresh user message
+ *    on a new turn): push. Returns `true`.
+ *
+ * Mutates `stored` in place. The caller persists `stored`, not the
+ * return value.
+ *
+ * @example
+ * ```ts
+ * import { chat, upsertIncomingMessage } from "@trigger.dev/sdk/ai";
+ *
+ * chat.agent({
+ *   hydrateMessages: async ({ chatId, trigger, incomingMessages }) => {
+ *     const record = await db.chat.findUnique({ where: { id: chatId } });
+ *     const stored = record?.messages ?? [];
+ *     if (upsertIncomingMessage(stored, { trigger, incomingMessages })) {
+ *       await db.chat.update({ where: { id: chatId }, data: { messages: stored } });
+ *     }
+ *     return stored;
+ *   },
+ * });
+ * ```
+ */
+export function upsertIncomingMessage<TMsg extends UIMessage = UIMessage>(
+  stored: TMsg[],
+  event: {
+    trigger: "submit-message" | "regenerate-message" | "action";
+    incomingMessages: TMsg[];
+  }
+): boolean {
+  if (event.trigger !== "submit-message") return false;
+  if (event.incomingMessages.length === 0) return false;
+  const newMsg = event.incomingMessages[event.incomingMessages.length - 1];
+  if (!newMsg) return false;
+  if (newMsg.id) {
+    const existingIdx = stored.findIndex((m) => m.id === newMsg.id);
+    if (existingIdx !== -1) return false;
+  }
+  stored.push(newMsg);
+  return true;
+}
+
+/**
+ * Tool-part states that the client advances and ships back over the wire.
+ * Covers HITL `addToolOutput` (output-available / output-error) and the
+ * approval flow (approval-responded / output-denied). `input-streaming` /
+ * `input-available` / `approval-requested` are server-emitted only — if
+ * we see them on the wire we treat them as no-ops and skip the slim/merge.
+ */
+function isWireAdvanceableToolState(
+  state: unknown
+): state is "output-available" | "output-error" | "approval-responded" | "output-denied" {
+  return (
+    state === "output-available" ||
+    state === "output-error" ||
+    state === "approval-responded" ||
+    state === "output-denied"
+  );
+}
+
+/** Whether a tool-UI part is a static (`tool-${name}`) or dynamic tool. */
+function isToolPartType(type: unknown): boolean {
+  return typeof type === "string" && (type.startsWith("tool-") || type === "dynamic-tool");
+}
+
+/**
+ * Slim an outgoing assistant message before it ships on `submit-message`.
+ *
+ * When the client calls `addToolOutput(...)` to resolve a HITL tool (or
+ * `addToolApproveResponse(...)` to approve/deny one), the AI SDK turns
+ * it into a `submit-message` whose `messages.at(-1)` is the existing
+ * assistant message with the new state stitched onto a single tool
+ * part. On a reasoning-heavy multi-step turn, that full assistant
+ * message can be 600 KB – 1 MB (encrypted reasoning blobs, reasoning
+ * text, full tool `input` JSON, prior tool outputs) — well over the
+ * `.in/append` cap.
+ *
+ * The agent runtime only consumes the wire-advanced fields of those
+ * tool parts (state + output / errorText / approval). Everything else
+ * (text, reasoning, tool `input`) is rebuilt server-side from the
+ * durable snapshot or `hydrateMessages`. So we drop everything but
+ * the advanced tool parts here, and reduce those to just the fields
+ * the server overlays.
+ *
+ * The slim only fires when the assistant message carries at least one
+ * wire-advanceable tool part. Plain assistant resends (no resolved /
+ * approval-responded tool) and non-assistant messages pass through
+ * untouched.
+ *
+ * Pairs with the per-turn merge on the agent side
+ * (`mergeIncomingIntoHydrated` in `ai.ts`).
+ */
+export function slimSubmitMessageForWire<TMsg extends UIMessage | undefined>(
+  message: TMsg
+): TMsg {
+  if (!message) return message;
+  if (message.role !== "assistant") return message;
+  const parts = (message.parts ?? []) as any[];
+  const advancedToolParts = parts.filter(
+    (p) =>
+      p &&
+      typeof p === "object" &&
+      isToolPartType(p.type) &&
+      isWireAdvanceableToolState(p.state)
+  );
+  if (advancedToolParts.length === 0) return message;
+  const slimParts = advancedToolParts.map((p: any) => {
+    const base: Record<string, unknown> = {
+      type: p.type,
+      toolCallId: p.toolCallId,
+      state: p.state,
+    };
+    if (p.type === "dynamic-tool" && typeof p.toolName === "string") {
+      base.toolName = p.toolName;
+    }
+    if (p.state === "output-available") {
+      base.output = p.output;
+      if (p.approval !== undefined) base.approval = p.approval;
+    } else if (p.state === "output-error") {
+      if (p.errorText !== undefined) base.errorText = p.errorText;
+      if (p.approval !== undefined) base.approval = p.approval;
+    } else if (p.state === "approval-responded" || p.state === "output-denied") {
+      if (p.approval !== undefined) base.approval = p.approval;
+    }
+    return base;
+  });
+  return {
+    id: message.id,
+    role: message.role,
+    parts: slimParts,
+  } as unknown as TMsg;
+}
diff --git a/packages/trigger-sdk/src/v3/ai.ts b/packages/trigger-sdk/src/v3/ai.ts
index 59afa2fe21a..72e0cf1080e 100644
--- a/packages/trigger-sdk/src/v3/ai.ts
+++ b/packages/trigger-sdk/src/v3/ai.ts
@@ -1,38 +1,1008 @@
 import {
+  accessoryAttributes,
   AnyTask,
+  apiClientManager,
+  controlSubtype,
+  getSchemaParseFn,
+  headerValue,
+  InputStreamOncePromise,
+  type InputStreamOnceOptions,
+  type InputStreamWaitOptions,
+  type InputStreamWaitWithIdleTimeoutOptions,
   isSchemaZodEsque,
+  logger,
+  type MachinePresetName,
+  ManualWaitpointPromise,
+  OutOfMemoryError,
+  sessionStreams,
+  type PipeStreamResult,
+  type RealtimeDefinedInputStream,
+  type RealtimeDefinedStream,
+  type ReadStreamOptions,
+  SemanticInternalAttributes,
+  type SendInputStreamOptions,
   Task,
+  taskContext,
+  type AppendStreamOptions,
+  type InputStreamOnceResult,
   type inferSchemaIn,
+  type inferSchemaOut,
+  type PipeStreamOptions,
+  type TaskIdentifier,
+  type TaskOptions,
   type TaskSchema,
+  type TaskRunContext,
   type TaskWithSchema,
+  SESSION_IN_EVENT_ID_HEADER,
+  TRIGGER_CONTROL_SUBTYPE,
+  generateJWT,
+  type WriterStreamOptions,
 } from "@trigger.dev/core/v3";
-import { dynamicTool, jsonSchema, JSONSchema7, Schema, Tool, ToolCallOptions, zodSchema } from "ai";
+import type {
+  FinishReason,
+  LanguageModelUsage,
+  ModelMessage,
+  Tool,
+  ToolSet,
+  UIMessage,
+  UIMessageChunk,
+  UIMessageStreamOptions,
+} from "ai";
+import type { ChatSnapshotV1, StreamWriteResult } from "@trigger.dev/core/v3";
+// Runtime VALUES go through the ESM/CJS shim so the CJS build can `require`
+// ESM-only `ai@7` (see ../imports/ai-runtime.ts).
+import {
+  convertToModelMessages,
+  dynamicTool,
+  generateId as generateMessageId,
+  getToolName,
+  isToolUIPart,
+  jsonSchema,
+  readUIMessageStream,
+  tool as aiTool,
+  zodSchema,
+} from "../imports/ai-runtime.js";
+import type { JSONSchema7, Schema } from "ai";
+
+// `ToolCallOptions` is defined locally rather than imported from `ai`: v7
+// renamed/removed that export (it's `ToolExecutionOptions<CONTEXT>` now), so a
+// direct import breaks on v7. This structural shape is wider than both majors'
+// and reads the user-context field under both names (`experimental_context` on
+// v6, `context` on v7).
+type ToolCallOptions = {
+  toolCallId: string;
+  messages?: ModelMessage[];
+  abortSignal?: AbortSignal;
+  experimental_context?: unknown;
+  context?: unknown;
+};
+import { type Attributes, trace } from "@opentelemetry/api";
+import { auth } from "./auth.js";
+import { locals } from "./locals.js";
 import { metadata } from "./metadata.js";
+import type { ResolvedPrompt } from "./prompt.js";
+import type { ResolvedSkill } from "./skill.js";
+// Bash-skill runtime lives in `./agentSkillsRuntime.ts` (exposed as
+// the `@trigger.dev/sdk/ai/skills-runtime` subpath). It's a normal
+// static import — `ai.ts` is server-only by reachability now that
+// browser-side primitives (PENDING_MESSAGE_INJECTED_TYPE and the
+// chat-task wire types) live in `./ai-shared.ts`. Any browser bundle
+// that wants those primitives imports `./ai-shared.js` directly and
+// never touches `ai.ts`'s module graph, so the `node:*` builtins
+// pulled in transitively here never reach a client chunk.
+import { runBashInSkill, readFileInSkill } from "./agentSkillsRuntime.js";
+import { streams, markChatAgentRunForStreamsWarning } from "./streams.js";
+import {
+  sessions,
+  type SessionHandle,
+  type SessionInputChannel,
+  type SessionOutputChannel,
+  type SessionPipeStreamOptions,
+  type SessionSubscribeOptions,
+} from "./sessions.js";
+import { createTask } from "./shared.js";
+import { ensureAiSdkTelemetry } from "./aiAutoTelemetry.js";
+import { resourceCatalog, type SessionTriggerConfig } from "@trigger.dev/core/v3";
+import { tracer } from "./tracer.js";
+
+/** Re-export for typing `ctx` in `chat.agent` hooks without importing `@trigger.dev/core`. */
+export type { TaskRunContext } from "@trigger.dev/core/v3";
 
 const METADATA_KEY = "tool.execute.options";
 
-export type ToolCallExecutionOptions = Omit<ToolCallOptions, "abortSignal">;
+/**
+ * Wrapper around `convertToModelMessages` that always passes
+ * `ignoreIncompleteToolCalls: true` to prevent failures from
+ * stopped/aborted conversations with partial tool parts.
+ */
+function toModelMessages(messages: UIMessage[]): Promise<ModelMessage[]> {
+  // Pass the resolved per-turn `tools` (if any) so the AI SDK can look up each
+  // tool's `toModelOutput` and re-apply it to prior-turn tool results. Without
+  // `tools` it falls back to JSON-stringifying the raw output (TRI-10149). The
+  // conditional spread keeps the options object byte-identical to the no-tools
+  // path when nothing was declared.
+  const tools = locals.get(chatResolvedToolsKey);
+  return convertToModelMessages(messages, {
+    ignoreIncompleteToolCalls: true,
+    ...(tools ? { tools } : {}),
+  });
+}
+
+export type ToolCallExecutionOptions = {
+  toolCallId: string;
+  experimental_context?: unknown;
+  /** v7 name for the user context (`experimental_context` on v6). */
+  context?: unknown;
+  /** Chat context — only present when the tool runs inside a chat.agent turn. */
+  chatId?: string;
+  turn?: number;
+  continuation?: boolean;
+  clientData?: unknown;
+  /** Serialized chat.local values from the parent run. @internal */
+  chatLocals?: Record<string, unknown>;
+};
+
+/** Chat context stored in locals during each chat.agent turn for auto-detection. */
+type ChatTurnContext<TClientData = unknown> = {
+  chatId: string;
+  turn: number;
+  continuation: boolean;
+  clientData?: TClientData;
+};
+const chatTurnContextKey = locals.create<ChatTurnContext>("chat.turnContext");
+
+/**
+ * Per-run slot holding the Session handle that backs this chat's `.in` /
+ * `.out` channels. Populated at the top of `chatAgent`'s run function from
+ * `payload.sessionId`; read by every module-level helper (`chatStream`,
+ * `messagesInput`, `stopInput`) so the chat.agent internals can remain
+ * the same module-level shape they were when the I/O was run-scoped.
+ * @internal
+ */
+const chatSessionHandleKey = locals.create<SessionHandle>("chat.sessionHandle");
+
+/**
+ * S2 seq_num of the most recent `turn-complete` control record written by
+ * this worker. Read by `writeTurnCompleteChunk` to know what to trim back
+ * to when the next turn finishes, keeping `session.out` bounded to ~one
+ * turn at steady state.
+ *
+ * Seeded at boot from `ChatSnapshotV1.lastOutEventId` (which is exactly
+ * the previous turn-complete's seq_num). Wrapped in a mutable holder so
+ * `writeTurnCompleteChunk` can advance it without going through a setter.
+ * @internal
+ */
+const lastTurnCompleteSeqNumKey = locals.create<{ value: number | undefined }>(
+  "chat.lastTurnCompleteSeqNum"
+);
+
+/**
+ * Scan `session.out` for the latest `turn-complete` control record and
+ * return its `session-in-event-id` header value — the committed-consume
+ * cursor on `.in` as of that turn-complete. Used at worker boot to seed
+ * the `.in` subscription so already-processed user messages don't get
+ * replayed from S2.
+ *
+ * Implementation is a non-blocking records read (`wait=0`) — the
+ * endpoint returns everything currently stored (including pre-trim
+ * records, since S2 trims are eventually consistent) in one shot, and
+ * we keep the LAST matching header. The previous SSE-based scan had to
+ * idle-wait a full 5s window to know it reached the tail, which put a
+ * constant ~6s tax on every continuation boot.
+ *
+ * Returns `undefined` if no `turn-complete` carrying the header has been
+ * written yet — first-turn-ever, first turn post-OOM-with-no-prior-runs,
+ * a `turn-complete` written before this header existed, or a server old
+ * enough that the records endpoint doesn't serialize headers. Callers
+ * fall back to subscribing `.in` from seq 0 in that case; the slim-wire
+ * merge handles any dedup against snapshot-restored messages.
+ * @internal
+ */
+async function findLatestSessionInCursor(
+  chatId: string
+): Promise<number | undefined> {
+  const apiClient = apiClientManager.clientOrThrow();
+  const response = await apiClient.readSessionStreamRecords(chatId, "out");
+  let latestCursor: number | undefined;
+  for (const record of response.records) {
+    if (controlSubtype(record.headers) !== TRIGGER_CONTROL_SUBTYPE.TURN_COMPLETE) continue;
+    const raw = headerValue(record.headers, SESSION_IN_EVENT_ID_HEADER);
+    if (!raw) continue;
+    const parsed = Number.parseInt(raw, 10);
+    if (Number.isFinite(parsed)) latestCursor = parsed;
+  }
+  return latestCursor;
+}
+
+/** Test-only entry point for the records-based cursor scan. @internal */
+export async function __findLatestSessionInCursorForTests(
+  chatId: string
+): Promise<number | undefined> {
+  return findLatestSessionInCursor(chatId);
+}
+
+/**
+ * Versioned blob written to S3 after every turn completes (when no
+ * `hydrateMessages` hook is registered). Read at run boot to seed the
+ * accumulator with prior conversation state, replacing the old wire-borne
+ * full-history seed.
+ *
+ * The shape is shared with the Sessions dashboard (which reads the same
+ * blob to render the full conversation transcript) via
+ * `@trigger.dev/core/v3`. Customer code shouldn't reach in here — the
+ * SDK transports surface the messages through the standard `messages`
+ * accumulator.
+ *
+ * @internal
+ */
+export type { ChatSnapshotV1 } from "@trigger.dev/core/v3";
+
+/**
+ * Test-only override hook — `mockChatAgent` installs a fake to return
+ * synthetic snapshots without hitting S3. Mirrors the `__set*ImplForTests`
+ * pattern in `sessions.ts`. Not part of the public API.
+ * @internal
+ */
+type ReadChatSnapshotImpl = <TUIMessage extends UIMessage>(
+  sessionId: string
+) => Promise<ChatSnapshotV1<TUIMessage> | undefined> | ChatSnapshotV1<TUIMessage> | undefined;
+let readChatSnapshotImpl: ReadChatSnapshotImpl | undefined;
+
+export function __setReadChatSnapshotImplForTests(impl: ReadChatSnapshotImpl | undefined): void {
+  readChatSnapshotImpl = impl;
+}
+
+/**
+ * Test-only override hook — see `__setReadChatSnapshotImplForTests`. The
+ * mock harness records writes for assertion via this setter. Not public.
+ * @internal
+ */
+type WriteChatSnapshotImpl = <TUIMessage extends UIMessage>(
+  sessionId: string,
+  snapshot: ChatSnapshotV1<TUIMessage>
+) => Promise<void> | void;
+let writeChatSnapshotImpl: WriteChatSnapshotImpl | undefined;
+
+export function __setWriteChatSnapshotImplForTests(impl: WriteChatSnapshotImpl | undefined): void {
+  writeChatSnapshotImpl = impl;
+}
+
+/**
+ * Read the persisted snapshot for a session. Returns `undefined` on:
+ *   - missing object (404 from the presigned GET — fresh session, never
+ *     persisted)
+ *   - presign failure (network/auth issue)
+ *   - malformed JSON
+ *   - version mismatch (forward-compat — older runtimes ignore newer blobs)
+ *
+ * Always swallows errors via `logger.warn`. The agent boot loop must stay
+ * available even if S3 hiccups; the worst case is replaying more of
+ * `session.out` than strictly necessary.
+ * @internal
+ */
+async function readChatSnapshot<TUIMessage extends UIMessage>(
+  sessionId: string
+): Promise<ChatSnapshotV1<TUIMessage> | undefined> {
+  if (readChatSnapshotImpl) {
+    return (await readChatSnapshotImpl<TUIMessage>(sessionId)) ?? undefined;
+  }
+  const apiClient = apiClientManager.clientOrThrow();
+  let presignedUrl: string;
+  try {
+    const resp = await apiClient.getChatSnapshotUrl(sessionId);
+    presignedUrl = resp.presignedUrl;
+  } catch (error) {
+    logger.warn("chat.agent: snapshot presign (read) failed; continuing without snapshot", {
+      error: error instanceof Error ? error.message : String(error),
+      sessionId,
+    });
+    return undefined;
+  }
+  let response: Response;
+  try {
+    response = await fetch(presignedUrl, { method: "GET" });
+  } catch (error) {
+    logger.warn("chat.agent: snapshot fetch failed; continuing without snapshot", {
+      error: error instanceof Error ? error.message : String(error),
+      sessionId,
+    });
+    return undefined;
+  }
+  if (response.status === 404) {
+    // First-ever boot for this session — no snapshot yet. Caller falls
+    // through to replay-only.
+    return undefined;
+  }
+  if (!response.ok) {
+    logger.warn("chat.agent: snapshot fetch returned non-OK; continuing without snapshot", {
+      status: response.status,
+      sessionId,
+    });
+    return undefined;
+  }
+  let parsed: unknown;
+  try {
+    parsed = await response.json();
+  } catch (error) {
+    logger.warn("chat.agent: snapshot JSON parse failed; continuing without snapshot", {
+      error: error instanceof Error ? error.message : String(error),
+      sessionId,
+    });
+    return undefined;
+  }
+  if (!parsed || typeof parsed !== "object") return undefined;
+  const candidate = parsed as Partial<ChatSnapshotV1<TUIMessage>>;
+  if (candidate.version !== 1 || !Array.isArray(candidate.messages)) {
+    logger.warn("chat.agent: snapshot version/shape mismatch; ignoring", {
+      version: candidate.version,
+      sessionId,
+    });
+    return undefined;
+  }
+  return candidate as ChatSnapshotV1<TUIMessage>;
+}
+
+/**
+ * Persist the snapshot for a session. Awaited by callers immediately after
+ * `onTurnComplete` — the agent may suspend right after this point, and
+ * fire-and-forget promises don't reliably complete on suspend.
+ *
+ * Errors are swallowed via `logger.warn`. A failed write means the next
+ * boot replays slightly more of `session.out` (back to the previous
+ * snapshot's cursor) instead of failing — the conversation stays
+ * coherent, only the boot path does marginally more work.
+ * @internal
+ */
+async function writeChatSnapshot<TUIMessage extends UIMessage>(
+  sessionId: string,
+  snapshot: ChatSnapshotV1<TUIMessage>
+): Promise<void> {
+  if (writeChatSnapshotImpl) {
+    await writeChatSnapshotImpl<TUIMessage>(sessionId, snapshot);
+    return;
+  }
+  const apiClient = apiClientManager.clientOrThrow();
+  let presignedUrl: string;
+  try {
+    const resp = await apiClient.createChatSnapshotUploadUrl(sessionId);
+    presignedUrl = resp.presignedUrl;
+  } catch (error) {
+    logger.warn("chat.agent: snapshot presign (write) failed; next run will replay further", {
+      error: error instanceof Error ? error.message : String(error),
+      sessionId,
+    });
+    return;
+  }
+  let response: Response;
+  try {
+    response = await fetch(presignedUrl, {
+      method: "PUT",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify(snapshot),
+    });
+  } catch (error) {
+    logger.warn("chat.agent: snapshot upload failed; next run will replay further", {
+      error: error instanceof Error ? error.message : String(error),
+      sessionId,
+    });
+    return;
+  }
+  if (!response.ok) {
+    logger.warn("chat.agent: snapshot upload returned non-OK; next run will replay further", {
+      status: response.status,
+      sessionId,
+    });
+  }
+}
+
+/**
+ * Test-only entry point that bypasses `__setReadChatSnapshotImplForTests`
+ * and reaches the real `apiClient.getPayloadUrl` + `fetch` + JSON-parse path.
+ * Used by `chat-snapshot.test.ts` to verify 404 / 500 / malformed JSON /
+ * version-mismatch / network-error behavior end-to-end. Tests mock global
+ * `fetch` and the api-client config; this wrapper lets them drive the
+ * production code without the override hook short-circuiting.
+ *
+ * Not part of the public API. The `__` prefix and `ForTests` suffix mirror
+ * the override-hook setters above.
+ * @internal
+ */
+export async function __readChatSnapshotProductionPathForTests<TUIMessage extends UIMessage>(
+  sessionId: string
+): Promise<ChatSnapshotV1<TUIMessage> | undefined> {
+  const saved = readChatSnapshotImpl;
+  readChatSnapshotImpl = undefined;
+  try {
+    return await readChatSnapshot<TUIMessage>(sessionId);
+  } finally {
+    readChatSnapshotImpl = saved;
+  }
+}
+
+/**
+ * Test-only entry point that bypasses `__setWriteChatSnapshotImplForTests`
+ * and reaches the real `apiClient.createUploadPayloadUrl` + `fetch` PUT
+ * path. Pairs with `__readChatSnapshotProductionPathForTests` — see that
+ * function's note for the rationale.
+ *
+ * Not part of the public API.
+ * @internal
+ */
+export async function __writeChatSnapshotProductionPathForTests<TUIMessage extends UIMessage>(
+  sessionId: string,
+  snapshot: ChatSnapshotV1<TUIMessage>
+): Promise<void> {
+  const saved = writeChatSnapshotImpl;
+  writeChatSnapshotImpl = undefined;
+  try {
+    await writeChatSnapshot<TUIMessage>(sessionId, snapshot);
+  } finally {
+    writeChatSnapshotImpl = saved;
+  }
+}
+
+/**
+ * Merge two `UIMessage[]` lists by `id`, with the second list winning on
+ * collision. Used at run boot to combine the snapshot's persisted history
+ * with the replayed `session.out` tail — replay produces the freshest
+ * representation of any assistant message that landed after the snapshot's
+ * cursor, so it should overwrite the older copy from the snapshot.
+ *
+ * Order: items unique to `a` keep their original positions; items unique to
+ * `b` are appended at the end in their `b` order; collisions take `b`'s
+ * value but keep the position they had in `a`.
+ *
+ * @internal
+ */
+function mergeByIdReplaceWins<TUIMessage extends UIMessage>(
+  a: TUIMessage[],
+  b: TUIMessage[]
+): TUIMessage[] {
+  if (b.length === 0) return [...a];
+  if (a.length === 0) return [...b];
+  const indexById = new Map<string, number>();
+  for (let i = 0; i < a.length; i++) {
+    const id = a[i]!.id;
+    if (typeof id === "string" && id.length > 0) indexById.set(id, i);
+  }
+  const result = [...a];
+  for (const next of b) {
+    const id = next.id;
+    if (typeof id === "string" && id.length > 0 && indexById.has(id)) {
+      result[indexById.get(id)!] = next;
+    } else {
+      const newIdx = result.length;
+      result.push(next);
+      if (typeof id === "string" && id.length > 0) indexById.set(id, newIdx);
+    }
+  }
+  return result;
+}
+
+/**
+ * Test-only entry point for `mergeByIdReplaceWins`. The merge helper is the
+ * one piece of slim-wire boot logic that's purely functional, so it earns a
+ * direct unit test that exercises empty inputs, id collisions, no-id append,
+ * order preservation, and the replay-wins-on-collision invariant. Mirrors
+ * the `__*ProductionPathForTests` pattern used for the snapshot/replay
+ * helpers above.
+ *
+ * Not part of the public API.
+ * @internal
+ */
+export function __mergeByIdReplaceWinsForTests<TUIMessage extends UIMessage>(
+  a: TUIMessage[],
+  b: TUIMessage[]
+): TUIMessage[] {
+  return mergeByIdReplaceWins<TUIMessage>(a, b);
+}
+
+/**
+ * Test-only override hook — `mockChatAgent` installs a fake replay that
+ * returns a synthetic `UIMessage[]` so unit tests can drive the boot loop
+ * without an SSE subscription. Mirrors the snapshot setters above. Not
+ * part of the public API.
+ * @internal
+ */
+type ReplaySessionOutTailResult<TUIMessage extends UIMessage> = {
+  /** Messages whose `finish` chunk landed before the run died. Safe to seed the chain. */
+  settled: TUIMessage[];
+  /**
+   * The trailing assistant message whose `finish` chunk never arrived —
+   * an orphan from a cancel / crash / OOM. `cleanupAbortedParts` has
+   * already stripped streaming-in-progress fragments. `undefined` if
+   * the tail ended cleanly (every segment closed).
+   */
+  partial: TUIMessage | undefined;
+  /**
+   * The trailing assistant message BEFORE `cleanupAbortedParts` ran. Same
+   * `undefined` semantics as `partial`. Use this when you need to inspect
+   * tool parts the cleanup would strip (e.g. `input-available` /
+   * `input-streaming` orphans surfaced via `pendingToolCalls`).
+   */
+  partialRaw: TUIMessage | undefined;
+};
+
+type ReplaySessionOutTailImpl = <TUIMessage extends UIMessage>(
+  sessionId: string,
+  options?: { lastEventId?: string }
+) => Promise<ReplaySessionOutTailResult<TUIMessage>>;
+let replaySessionOutTailImpl: ReplaySessionOutTailImpl | undefined;
+
+export function __setReplaySessionOutTailImplForTests(
+  impl: ReplaySessionOutTailImpl | undefined
+): void {
+  replaySessionOutTailImpl = impl;
+}
+
+/**
+ * Drain `session.out` from `lastEventId` (or the start) and reduce the
+ * remaining `UIMessageChunk`s back into `UIMessage[]`. Used at run boot to
+ * catch any chunks that landed AFTER the last persisted snapshot — typically
+ * the chunks from the turn whose `onTurnComplete` ran but whose snapshot
+ * write didn't make it to S3 before the run crashed / suspended.
+ *
+ * Implementation:
+ *   1. `apiClient.readSessionStreamRecords` — non-SSE, `wait=0` drain.
+ *      Returns immediately with whatever records exist after the cursor.
+ *      The previous SSE-subscribe path paid a fixed ~1s long-poll tax on
+ *      every fresh chat (timeout duration on empty streams) — unacceptable
+ *      for the first-message TTFC budget.
+ *   2. Filter out the agent's control chunks (`type: "trigger:*"`) — they
+ *      ride on the same stream as the user-visible UIMessageChunks.
+ *   3. Split chunks at `start`/`finish` boundaries so each segment is a
+ *      single message, then feed each segment through the AI SDK's
+ *      `readUIMessageStream` reducer (the same one `useChat` uses on the
+ *      browser side) and grab the final emitted snapshot.
+ *   4. The trailing message — if it never received a `finish` chunk —
+ *      goes through `cleanupAbortedParts` so partial in-flight parts
+ *      don't leak into the next turn's accumulator. Drop it entirely
+ *      if cleanup empties it.
+ *
+ * Errors are propagated to the caller (the boot loop wraps in try/catch and
+ * `logger.warn`s); we don't swallow here so test code can observe failures
+ * directly.
+ * @internal
+ */
+async function replaySessionOutTail<TUIMessage extends UIMessage>(
+  sessionId: string,
+  options?: { lastEventId?: string }
+): Promise<ReplaySessionOutTailResult<TUIMessage>> {
+  if (replaySessionOutTailImpl) {
+    return await replaySessionOutTailImpl<TUIMessage>(sessionId, options);
+  }
+  const apiClient = apiClientManager.clientOrThrow();
+  const response = await apiClient.readSessionStreamRecords(sessionId, "out", {
+    afterEventId: options?.lastEventId,
+  });
+  const collected: UIMessageChunk[] = [];
+  for (const record of response.records) {
+    // `data` is the chunk object as written by the SDK's session-out
+    // writer (an AI SDK `UIMessageChunk` or a Trigger control object).
+    // The route forwards it as-is — no JSON envelope to unwrap here.
+    // Defensive shape checks below tolerate malformed records by
+    // skipping them instead of throwing.
+    const chunk: unknown = record.data;
+    if (!chunk || typeof chunk !== "object") continue;
+    const type = (chunk as { type?: unknown }).type;
+    if (typeof type !== "string") continue;
+    // Drop agent control chunks (`trigger:turn-complete`, `trigger:upgrade-required`,
+    // session-state telemetry, etc.). They ride the same stream but aren't part
+    // of the UIMessageChunk discriminated union and would confuse the reducer.
+    if (type.startsWith("trigger:")) continue;
+    collected.push(chunk as UIMessageChunk);
+  }
+  if (collected.length === 0) return { settled: [], partial: undefined, partialRaw: undefined };
+
+  // Split chunks into per-message segments. A `start` chunk demarcates the
+  // beginning of an assistant message; chunks before any `start` (rare —
+  // but possible if the stream begins mid-message after a resume) get
+  // bundled into a leading "implicit" segment so we don't drop them silently.
+  type Segment = { chunks: UIMessageChunk[]; closed: boolean };
+  const segments: Segment[] = [];
+  let current: Segment | undefined;
+  for (const chunk of collected) {
+    if (chunk.type === "start") {
+      current = { chunks: [chunk], closed: false };
+      segments.push(current);
+      continue;
+    }
+    if (!current) {
+      // Chunk arrived before any `start`. Synthesize a segment so the reducer
+      // has something to work with — `readUIMessageStream` tolerates a missing
+      // `start` because we pass `message: undefined`.
+      current = { chunks: [], closed: false };
+      segments.push(current);
+    }
+    current.chunks.push(chunk);
+    if (chunk.type === "finish") {
+      current.closed = true;
+      current = undefined;
+    }
+  }
+
+  const settled: TUIMessage[] = [];
+  let partial: TUIMessage | undefined;
+  let partialRaw: TUIMessage | undefined;
+  for (let i = 0; i < segments.length; i++) {
+    const seg = segments[i]!;
+    const isTrailing = i === segments.length - 1 && !seg.closed;
+    const segmentStream = new ReadableStream<UIMessageChunk>({
+      start(controller) {
+        for (const c of seg.chunks) controller.enqueue(c);
+        controller.close();
+      },
+    });
+    let last: UIMessage | undefined;
+    try {
+      for await (const snapshot of readUIMessageStream({ stream: segmentStream })) {
+        last = snapshot;
+      }
+    } catch (error) {
+      // Reducer error — the segment is malformed. Skip it and keep going so a
+      // single corrupt chunk doesn't sink the entire replay.
+      logger.warn("chat.agent: replay reducer failed for segment; skipping", {
+        sessionId,
+        segmentIndex: i,
+        error: error instanceof Error ? error.message : String(error),
+      });
+      continue;
+    }
+    if (!last) continue;
+    if (isTrailing) {
+      const cleaned = cleanupAbortedParts(last as TUIMessage);
+      if (cleaned.parts.length === 0) continue;
+      partial = cleaned;
+      // Keep the raw pre-cleanup message too — recovery boot extracts
+      // `pendingToolCalls` from it, since `cleanupAbortedParts` strips
+      // exactly the input-streaming / input-available tool parts that
+      // we want to surface.
+      partialRaw = last as TUIMessage;
+    } else {
+      settled.push(last as TUIMessage);
+    }
+  }
+  return { settled, partial, partialRaw };
+}
+
+/**
+ * Test-only entry point that bypasses `__setReplaySessionOutTailImplForTests`
+ * and reaches the real `apiClient.subscribeToSessionStream` + chunk-segment
+ * splitter + `readUIMessageStream` reducer. Pairs with the snapshot
+ * production-path wrappers above. Lets `replay-session-out.test.ts` drive
+ * synthetic chunk sequences through the real reducer to lock down chunk-
+ * stream → `UIMessage[]` correctness — if the AI SDK's chunk semantics
+ * shift in a future version, the test catches it before customers do.
+ *
+ * Tests should mock `apiClient.subscribeToSessionStream` (e.g. via
+ * `vi.spyOn(apiClient, ...)`) to feed a `ReadableStream<UIMessageChunk>`.
+ *
+ * Not part of the public API.
+ * @internal
+ */
+export async function __replaySessionOutTailProductionPathForTests<
+  TUIMessage extends UIMessage,
+>(
+  sessionId: string,
+  options?: { lastEventId?: string }
+): Promise<TUIMessage[]> {
+  const saved = replaySessionOutTailImpl;
+  replaySessionOutTailImpl = undefined;
+  try {
+    const { settled, partial } = await replaySessionOutTail<TUIMessage>(sessionId, options);
+    return partial !== undefined ? [...settled, partial] : settled;
+  } finally {
+    replaySessionOutTailImpl = saved;
+  }
+}
+
+/**
+ * Test-only override hook for `replaySessionInTail`. Mirrors
+ * `__setReplaySessionOutTailImplForTests` so unit tests can drive the boot
+ * loop's chain-reconstruction logic without an HTTP round-trip.
+ * @internal
+ */
+type ReplaySessionInTailImpl = <TUIMessage extends UIMessage>(
+  sessionId: string,
+  options?: { lastEventId?: string }
+) => Promise<{ message: TUIMessage; metadata: unknown; seqNum: number }[]>;
+let replaySessionInTailImpl: ReplaySessionInTailImpl | undefined;
+
+export function __setReplaySessionInTailImplForTests(
+  impl: ReplaySessionInTailImpl | undefined
+): void {
+  replaySessionInTailImpl = impl;
+}
+
+/**
+ * Drain `session.in` from `lastEventId` (or the start) and surface the user
+ * messages that landed past the cursor. Mirror of `replaySessionOutTail` —
+ * both reads run at continuation boot so the SDK can reconstruct
+ * conversational order across a dead run that never wrote `onTurnComplete`.
+ *
+ * `session.in` carries the {@link ChatInputChunk} tagged union:
+ *   - `kind: "message"` — a `ChatTaskWirePayload` envelope for a new user
+ *     message (`trigger: "submit-message"`) or a regeneration. Only the
+ *     submit-message records carry a `payload.message`; regenerations,
+ *     preload / close / action / handover-prepare have no message.
+ *   - `kind: "stop"` — mid-turn cancellation signal. Not a message.
+ *   - `kind: "handover"` / `kind: "handover-skip"` — head-start signals.
+ *     Not user messages.
+ *
+ * This function filters to the first variant and returns the embedded
+ * `UIMessage`s in seq_num order, paired with their seq_num so the caller
+ * can advance the session.in cursor past them.
+ *
+ * Errors are propagated to the caller (the boot loop wraps in try/catch
+ * and `logger.warn`s); we don't swallow here so test code can observe
+ * failures directly.
+ * @internal
+ */
+async function replaySessionInTail<TUIMessage extends UIMessage>(
+  sessionId: string,
+  options?: { lastEventId?: string }
+): Promise<{ message: TUIMessage; metadata: unknown; seqNum: number }[]> {
+  if (replaySessionInTailImpl) {
+    return await replaySessionInTailImpl<TUIMessage>(sessionId, options);
+  }
+  const apiClient = apiClientManager.clientOrThrow();
+  const response = await apiClient.readSessionStreamRecords(sessionId, "in", {
+    afterEventId: options?.lastEventId,
+  });
+  const out: { message: TUIMessage; metadata: unknown; seqNum: number }[] = [];
+  for (const record of response.records) {
+    // session.in writers POST `JSON.stringify(chunk)` directly; the
+    // webapp wraps that in `{ data: <string>, id }` and stores it on
+    // S2. The records endpoint hands `data` back as the original
+    // string — unlike session.out (where the writer puts a chunk
+    // OBJECT into the envelope and the route forwards it as an
+    // object). Defensive: handle both shapes so future writer changes
+    // on either side don't silently lose records.
+    let chunk: unknown = record.data;
+    if (typeof chunk === "string") {
+      try {
+        chunk = JSON.parse(chunk);
+      } catch {
+        continue;
+      }
+    }
+    if (!chunk || typeof chunk !== "object") continue;
+    const kind = (chunk as { kind?: unknown }).kind;
+    if (kind !== "message") continue;
+    const payload = (
+      chunk as {
+        payload?: { trigger?: unknown; message?: unknown; metadata?: unknown };
+      }
+    ).payload;
+    if (!payload || payload.trigger !== "submit-message") continue;
+    const message = payload.message;
+    if (!message || typeof message !== "object") continue;
+    out.push({
+      message: message as TUIMessage,
+      metadata: payload.metadata,
+      seqNum: record.seqNum,
+    });
+  }
+  return out;
+}
+
+/**
+ * Test-only entry point that bypasses
+ * `__setReplaySessionInTailImplForTests` and reaches the real
+ * `apiClient.readSessionStreamRecords` + filter pipeline. Mirrors
+ * `__replaySessionOutTailProductionPathForTests`.
+ * @internal
+ */
+export async function __replaySessionInTailProductionPathForTests<
+  TUIMessage extends UIMessage,
+>(
+  sessionId: string,
+  options?: { lastEventId?: string }
+): Promise<{ message: TUIMessage; metadata: unknown; seqNum: number }[]> {
+  const saved = replaySessionInTailImpl;
+  replaySessionInTailImpl = undefined;
+  try {
+    return await replaySessionInTail<TUIMessage>(sessionId, options);
+  } finally {
+    replaySessionInTailImpl = saved;
+  }
+}
+
+/**
+ * Resolve the Session handle for the current chat.agent run.
+ *
+ * Two contexts populate this:
+ *   1. Inside a `chat.agent` run — `locals.chatSessionHandleKey` is set
+ *      at boot (lines 4665 / 4760).
+ *   2. Inside an `ai.toolExecute` subtask — the tool wrapper threads the
+ *      parent's `chatId` through tool metadata under `METADATA_KEY`. We
+ *      lazily open the session from that chatId here so subtasks can use
+ *      `chat.stream.writer({ target: "root" })` to write back to the
+ *      parent's chat session without any wiring.
+ *
+ * Throws if neither is available.
+ * @internal
+ */
+function getChatSession(): SessionHandle {
+  let handle = locals.get(chatSessionHandleKey);
+  if (handle) return handle;
+
+  // Fallback: subtask context. The parent threaded chatId via tool metadata.
+  const toolMeta = metadata.get(METADATA_KEY) as ToolCallExecutionOptions | undefined;
+  if (toolMeta?.chatId) {
+    handle = sessions.open(toolMeta.chatId);
+    locals.set(chatSessionHandleKey, handle);
+    return handle;
+  }
+
+  throw new Error(
+    "chat.agent session handle is not initialized. This indicates a chat.agent helper was used outside of a chat.agent run, or the transport did not send a sessionId."
+  );
+}
+
+/**
+ * Stamp `gen_ai.conversation.id` on the active span at chat-run boot.
+ * The run-level span is already alive when the run callback fires, so
+ * `TaskContextSpanProcessor.onStart` (which stamps subsequent spans
+ * automatically) won't catch it — set explicitly here.
+ */
+function stampConversationIdOnActiveSpan(
+  conversationId: string | undefined,
+  span = trace.getActiveSpan()
+): void {
+  if (!span || !conversationId) return;
+  span.setAttribute(SemanticInternalAttributes.GEN_AI_CONVERSATION_ID, conversationId);
+}
 
 type ToolResultContent = Array<
   | {
-      type: "text";
-      text: string;
-    }
+    type: "text";
+    text: string;
+  }
   | {
-      type: "image";
-      data: string;
-      mimeType?: string;
-    }
+    type: "image";
+    data: string;
+    mimeType?: string;
+  }
 >;
 
 export type ToolOptions<TResult> = {
   experimental_toToolResultContent?: (result: TResult) => ToolResultContent;
 };
 
+/** Satisfies AI SDK `ToolSet` index signature alongside concrete `Tool` input/output types. */
+type ToolSetCompatible<T extends Tool<any, any>> = T & NonNullable<ToolSet[string]>;
+
+function assertTaskUsableAsTool(task: AnyTask): void {
+  if (("schema" in task && !task.schema) || ("jsonSchema" in task && !task.jsonSchema)) {
+    throw new Error(
+      "Cannot convert this task to to a tool because the task has no schema. Make sure to either use schemaTask or a task with an input jsonSchema."
+    );
+  }
+}
+
+/**
+ * Shared implementation: run a task as a tool invocation (`triggerAndSubscribe` + tool metadata).
+ * Used by {@link toolExecute} and the deprecated `ai.tool()` wrapper.
+ */
+function createTaskToolExecuteHandler<
+  TIdentifier extends string,
+  TTaskSchema extends TaskSchema | undefined = undefined,
+  TInput = void,
+  TOutput = unknown,
+>(
+  task: TaskWithSchema<TIdentifier, TTaskSchema, TOutput> | Task<TIdentifier, TInput, TOutput>
+): (input: unknown, toolOpts: ToolCallOptions | undefined) => Promise<TOutput> {
+  assertTaskUsableAsTool(task);
+
+  return async function taskToolExecuteHandler(
+    input: unknown,
+    toolOpts: ToolCallOptions | undefined
+  ): Promise<TOutput> {
+    const toolMeta: ToolCallExecutionOptions = {
+      toolCallId: toolOpts?.toolCallId ?? "",
+    };
+    // v6 passes user context as `experimental_context`, v7 as `context`. Read
+    // whichever is set and stamp both so subtasks reading either name work.
+    const toolContext = toolOpts?.context ?? toolOpts?.experimental_context;
+    if (toolContext !== undefined) {
+      try {
+        const serialized = JSON.parse(JSON.stringify(toolContext));
+        toolMeta.experimental_context = serialized;
+        toolMeta.context = serialized;
+      } catch {
+        /* non-serializable */
+      }
+    }
+
+    const chatCtx = locals.get(chatTurnContextKey);
+    if (chatCtx) {
+      toolMeta.chatId = chatCtx.chatId;
+      toolMeta.turn = chatCtx.turn;
+      toolMeta.continuation = chatCtx.continuation;
+      toolMeta.clientData = chatCtx.clientData;
+    }
+
+    const chatLocals: Record<string, unknown> = {};
+    for (const entry of chatLocalRegistry) {
+      const value = locals.get(entry.key);
+      if (value !== undefined) {
+        chatLocals[entry.id] = value;
+      }
+    }
+    if (Object.keys(chatLocals).length > 0) {
+      toolMeta.chatLocals = chatLocals;
+    }
+
+    return await task
+      .triggerAndSubscribe(input as inferSchemaIn<TTaskSchema>, {
+        metadata: {
+          [METADATA_KEY]: toolMeta as any,
+        },
+        tags: toolOpts?.toolCallId ? [`toolCallId:${toolOpts.toolCallId}`] : undefined,
+        signal: toolOpts?.abortSignal,
+      })
+      .unwrap();
+  };
+}
+
+/**
+ * Returns an `execute` function for the AI SDK `tool()` helper (or any compatible tool definition).
+ * Preferred API for task-backed tools: the same Trigger wiring as the deprecated `ai.tool()`
+ * (`triggerAndSubscribe`, tool-call metadata, chat context, `chat.local` serialization) without
+ * building the tool object. You supply `description`, `inputSchema`, and any AI-SDK-only options
+ * (e.g. `experimental_toToolResultContent`) on `tool()` yourself.
+ *
+ * @example
+ * ```ts
+ * import { tool } from "ai";
+ * import { z } from "zod";
+ * import { ai } from "@trigger.dev/sdk/ai";
+ * import { myTask } from "./trigger/myTask";
+ *
+ * export const myTool = tool({
+ *   description: myTask.description ?? "",
+ *   inputSchema: z.object({ id: z.string() }),
+ *   execute: ai.toolExecute(myTask),
+ * });
+ * ```
+ */
+function toolExecute<TIdentifier extends string, TInput = void, TOutput = unknown>(
+  task: Task<TIdentifier, TInput, TOutput>
+): (input: TInput, toolOpts: ToolCallOptions) => Promise<TOutput>;
+function toolExecute<
+  TIdentifier extends string,
+  TTaskSchema extends TaskSchema | undefined = undefined,
+  TOutput = unknown,
+>(
+  task: TaskWithSchema<TIdentifier, TTaskSchema, TOutput>
+): (input: inferSchemaIn<TTaskSchema>, toolOpts: ToolCallOptions) => Promise<TOutput>;
+function toolExecute<
+  TIdentifier extends string,
+  TTaskSchema extends TaskSchema | undefined = undefined,
+  TInput = void,
+  TOutput = unknown,
+>(
+  task: TaskWithSchema<TIdentifier, TTaskSchema, TOutput> | Task<TIdentifier, TInput, TOutput>
+): (
+  input: TTaskSchema extends TaskSchema ? inferSchemaIn<TTaskSchema> : TInput,
+  toolOpts: ToolCallOptions
+) => Promise<TOutput> {
+  return createTaskToolExecuteHandler(task) as (
+    input: TTaskSchema extends TaskSchema ? inferSchemaIn<TTaskSchema> : TInput,
+    toolOpts: ToolCallOptions
+  ) => Promise<TOutput>;
+}
+
+/**
+ * @deprecated Use `tool()` from the `ai` package with `execute: ai.toolExecute(task)` instead.
+ * This helper may be removed in a future major release.
+ */
 function toolFromTask<TIdentifier extends string, TInput = void, TOutput = unknown>(
   task: Task<TIdentifier, TInput, TOutput>,
   options?: ToolOptions<TOutput>
-): Tool<TInput, TOutput>;
+): ToolSetCompatible<Tool<TInput, TOutput>>;
+/** @deprecated Use `tool()` from `ai` with `execute: ai.toolExecute(task)`. */
 function toolFromTask<
   TIdentifier extends string,
   TTaskSchema extends TaskSchema | undefined = undefined,
@@ -40,7 +1010,8 @@ function toolFromTask<
 >(
   task: TaskWithSchema<TIdentifier, TTaskSchema, TOutput>,
   options?: ToolOptions<TOutput>
-): Tool<inferSchemaIn<TTaskSchema>, TOutput>;
+): ToolSetCompatible<Tool<inferSchemaIn<TTaskSchema>, TOutput>>;
+/** @deprecated Use `tool()` from `ai` with `execute: ai.toolExecute(task)`. */
 function toolFromTask<
   TIdentifier extends string,
   TTaskSchema extends TaskSchema | undefined = undefined,
@@ -49,35 +1020,41 @@ function toolFromTask<
 >(
   task: TaskWithSchema<TIdentifier, TTaskSchema, TOutput> | Task<TIdentifier, TInput, TOutput>,
   options?: ToolOptions<TOutput>
-): TTaskSchema extends TaskSchema
-  ? Tool<inferSchemaIn<TTaskSchema>, TOutput>
-  : Tool<TInput, TOutput> {
-  if (("schema" in task && !task.schema) || ("jsonSchema" in task && !task.jsonSchema)) {
-    throw new Error(
-      "Cannot convert this task to to a tool because the task has no schema. Make sure to either use schemaTask or a task with an input jsonSchema."
-    );
+): ToolSetCompatible<
+  TTaskSchema extends TaskSchema ? Tool<inferSchemaIn<TTaskSchema>, TOutput> : Tool<TInput, TOutput>
+> {
+  const executeFromTaskInput = createTaskToolExecuteHandler(task);
+
+  // Zod-backed tasks: use static `tool()` so runtime shape matches `ToolSet`. Generic task context
+  // prevents `tool()` overloads from inferring input; `as any` is localized to this call only.
+  if ("schema" in task && task.schema && isSchemaZodEsque(task.schema)) {
+    const staticTool = aiTool({
+      description: task.description ?? "",
+      inputSchema: zodSchema(task.schema as any),
+      execute: async (input: unknown, toolOpts: ToolCallOptions) =>
+        executeFromTaskInput(input, toolOpts),
+      ...(options?.experimental_toToolResultContent !== undefined
+        ? { experimental_toToolResultContent: options.experimental_toToolResultContent }
+        : {}),
+    } as any);
+    return staticTool as unknown as ToolSetCompatible<
+      TTaskSchema extends TaskSchema ? Tool<inferSchemaIn<TTaskSchema>, TOutput> : Tool<TInput, TOutput>
+    >;
   }
 
   const toolDefinition = dynamicTool({
     description: task.description,
     inputSchema: convertTaskSchemaToToolParameters(task),
-    execute: async (input, options) => {
-      const serializedOptions = options ? JSON.parse(JSON.stringify(options)) : undefined;
-
-      return await task
-        .triggerAndWait(input as inferSchemaIn<TTaskSchema>, {
-          metadata: {
-            [METADATA_KEY]: serializedOptions,
-          },
-        })
-        .unwrap();
-    },
-    ...options,
+    ...(options?.experimental_toToolResultContent !== undefined
+      ? { experimental_toToolResultContent: options.experimental_toToolResultContent }
+      : {}),
+    execute: async (input: unknown, toolOpts: ToolCallOptions) =>
+      executeFromTaskInput(input, toolOpts),
   });
 
-  return toolDefinition as TTaskSchema extends TaskSchema
-    ? Tool<inferSchemaIn<TTaskSchema>, TOutput>
-    : Tool<TInput, TOutput>;
+  return toolDefinition as unknown as ToolSetCompatible<
+    TTaskSchema extends TaskSchema ? Tool<inferSchemaIn<TTaskSchema>, TOutput> : Tool<TInput, TOutput>
+  >;
 }
 
 function getToolOptionsFromMetadata(): ToolCallExecutionOptions | undefined {
@@ -88,6 +1065,61 @@ function getToolOptionsFromMetadata(): ToolCallExecutionOptions | undefined {
   return tool as ToolCallExecutionOptions;
 }
 
+/**
+ * Get the current tool call ID from inside a subtask invoked via `ai.toolExecute()` (or legacy `ai.tool()`).
+ * Returns `undefined` if not running as a tool subtask.
+ */
+function getToolCallId(): string | undefined {
+  return getToolOptionsFromMetadata()?.toolCallId;
+}
+
+/**
+ * Get the chat context from inside a subtask invoked via `ai.toolExecute()` (or legacy `ai.tool()`) within a `chat.agent`.
+ * Pass `typeof yourChatTask` as the type parameter to get typed `clientData`.
+ * Returns `undefined` if the parent is not a chat task.
+ *
+ * @example
+ * ```ts
+ * const ctx = ai.chatContext<typeof myChat>();
+ * // ctx?.clientData is typed based on myChat's clientDataSchema
+ * ```
+ */
+function getToolChatContext<TChatTask extends AnyTask = AnyTask>():
+  | ChatTurnContext<InferChatClientData<TChatTask>>
+  | undefined {
+  const opts = getToolOptionsFromMetadata();
+  if (!opts?.chatId) return undefined;
+  return {
+    chatId: opts.chatId,
+    turn: opts.turn ?? 0,
+    continuation: opts.continuation ?? false,
+    clientData: opts.clientData as InferChatClientData<TChatTask>,
+  };
+}
+
+/**
+ * Get the chat context from inside a subtask, throwing if not in a chat context.
+ * Pass `typeof yourChatTask` as the type parameter to get typed `clientData`.
+ *
+ * @example
+ * ```ts
+ * const ctx = ai.chatContextOrThrow<typeof myChat>();
+ * // ctx.chatId, ctx.clientData are guaranteed non-null
+ * ```
+ */
+function getToolChatContextOrThrow<TChatTask extends AnyTask = AnyTask>(): ChatTurnContext<
+  InferChatClientData<TChatTask>
+> {
+  const ctx = getToolChatContext<TChatTask>();
+  if (!ctx) {
+    throw new Error(
+      "ai.chatContextOrThrow() called outside of a chat.agent context. " +
+      "This helper can only be used inside a subtask invoked via ai.toolExecute() (or legacy ai.tool()) from a chat.agent."
+    );
+  }
+  return ctx;
+}
+
 function convertTaskSchemaToToolParameters(
   task: AnyTask | TaskWithSchema<any, any, any>
 ): Schema<unknown> {
@@ -113,6 +1145,9059 @@ function convertTaskSchemaToToolParameters(
 }
 
 export const ai = {
+  /**
+   * @deprecated Use `tool()` from the `ai` package with `execute: ai.toolExecute(task)` instead.
+   */
   tool: toolFromTask,
+  /**
+   * Preferred: return value for the `execute` field of AI SDK `tool()`. Keeps Trigger subtask and
+   * metadata behavior without coupling to a specific `ai` version’s `Tool` / `ToolSet` types.
+   */
+  toolExecute,
   currentToolOptions: getToolOptionsFromMetadata,
+  /** Get the tool call ID from inside a subtask invoked via `ai.toolExecute()` (or legacy `ai.tool()`). */
+  toolCallId: getToolCallId,
+  /** Get chat context (chatId, turn, clientData, etc.) from inside a subtask of a `chat.agent`. Returns undefined if not in a chat context. */
+  chatContext: getToolChatContext,
+  /** Get chat context or throw if not in a chat context. Pass `typeof yourChatTask` for typed clientData. */
+  chatContextOrThrow: getToolChatContextOrThrow,
+};
+
+/**
+ * Creates a public access token for a chat task.
+ *
+ * This is a convenience helper that creates a multi-use trigger public token
+ * scoped to the given task. Use it in a server action to provide the frontend
+ * `TriggerChatTransport` with an `accessToken`.
+ *
+ * @example
+ * ```ts
+ * // actions.ts
+ * "use server";
+ * import { chat } from "@trigger.dev/sdk/ai";
+ * import type { myChat } from "@/trigger/chat";
+ *
+ * export const getChatToken = () => chat.createAccessToken<typeof myChat>("my-chat");
+ * ```
+ */
+function createChatAccessToken<TTask extends AnyTask>(
+  taskId: TaskIdentifier<TTask>
+): Promise<string> {
+  return auth.createTriggerPublicToken(taskId as string, { expirationTime: "24h" });
+}
+
+// ---------------------------------------------------------------------------
+// Chat transport helpers — backend side
+// ---------------------------------------------------------------------------
+
+/**
+ * Typed chat output stream — `.writer()`, `.pipe()`, `.append()`, and
+ * `.read()` methods pre-bound to this run's Session `.out` channel and
+ * typed to `UIMessageChunk`.
+ *
+ * Use from within a `chat.agent` run to write custom chunks:
+ * ```ts
+ * const { waitUntilComplete } = chat.stream.writer({
+ *   execute: ({ write }) => {
+ *     write({ type: "text-start", id: "status-1" });
+ *     write({ type: "text-delta", id: "status-1", delta: "Processing..." });
+ *     write({ type: "text-end", id: "status-1" });
+ *   },
+ * });
+ * await waitUntilComplete();
+ * ```
+ *
+ * Backed by the Session primitive so a chat's output outlives any single
+ * run — subscribers (browser transport, server-side `ChatStream`) read
+ * the session's `.out`, not a per-run stream. Run-scoped `target`
+ * options on `.pipe()` are honoured as no-ops; the session is the target.
+ */
+const chatStream: RealtimeDefinedStream<UIMessageChunk> = {
+  // Stable opaque label for the run-scoped `RealtimeDefinedStream` shape.
+  // `chatStream` is backed by the Session's `.out` channel — this id is
+  // not the real addressing key (the session is). Kept as a literal so
+  // the facade type stays satisfied without re-introducing a top-level
+  // constant; dashboards/telemetry that already read "chat" keep working.
+  id: "chat",
+  pipe(value, options) {
+    const { target: _target, ...sessionOptions } = (options ?? {}) as PipeStreamOptions;
+    return getChatSession().out.pipe<UIMessageChunk>(
+      value,
+      sessionOptions as SessionPipeStreamOptions
+    );
+  },
+  async read(_runId, options) {
+    // Session channels don't need a runId — the session is the address.
+    // Keep the signature for backward compatibility with the run-scoped
+    // RealtimeDefinedStream shape, but ignore the argument.
+    return getChatSession().out.read<UIMessageChunk>(
+      options as SessionSubscribeOptions<UIMessageChunk> | undefined
+    );
+  },
+  async append(value, options) {
+    const { target: _target, ...sessionOptions } = (options ?? {}) as AppendStreamOptions;
+    return getChatSession().out.append(value, sessionOptions as SessionPipeStreamOptions);
+  },
+  writer(options) {
+    return getChatSession().out.writer<UIMessageChunk>(options);
+  },
+};
+
+// ---------------------------------------------------------------------------
+// chat.response — write data parts that persist to the response message
+// ---------------------------------------------------------------------------
+
+/**
+ * Write data parts that both stream to the frontend AND persist in
+ * `onTurnComplete`'s `responseMessage` and `uiMessages`.
+ *
+ * Non-transient data chunks (`type` starts with `data-`, no `transient: true`)
+ * are queued for accumulation into the assistant response message.
+ * Transient or non-data chunks are streamed only (same as `chat.stream`).
+ *
+ * @example
+ * ```ts
+ * // Persists to responseMessage.parts
+ * chat.response.write({ type: "data-handover", data: { context: summary } });
+ *
+ * // Transient — streams only, not in responseMessage
+ * chat.response.write({ type: "data-progress", data: { percent: 50 }, transient: true });
+ * ```
+ */
+const chatResponse = {
+  /**
+   * Write a single chunk. Non-transient data parts are accumulated into the
+   * response message; everything else is stream-only.
+   */
+  write(part: UIMessageChunk): void {
+    queueResponsePart(part);
+    const { waitUntilComplete } = chatStream.writer({
+      spanName: "chat.response.write",
+      collapsed: true,
+      execute: ({ write }) => {
+        write(part);
+      },
+    });
+    waitUntilComplete().catch(() => {});
+  },
+};
+
+// ---------------------------------------------------------------------------
+// ChatWriter — stream writer for callbacks
+// ---------------------------------------------------------------------------
+
+/**
+ * A stream writer passed to chat lifecycle callbacks (`onPreload`, `onChatStart`,
+ * `onTurnStart`, `onTurnComplete`, `onCompacted`).
+ *
+ * Write custom `UIMessageChunk` parts (e.g. `data-*` parts) directly to the chat
+ * stream without the ceremony of `chat.stream.writer({ execute })`.
+ *
+ * The writer is lazy — no stream overhead if you don't call `write()` or `merge()`.
+ *
+ * @example
+ * ```ts
+ * onTurnStart: async ({ writer }) => {
+ *   writer.write({ type: "data-status", data: { loading: true } });
+ * },
+ * onTurnComplete: async ({ writer, uiMessages }) => {
+ *   writer.write({ type: "data-analytics", data: { messageCount: uiMessages.length } });
+ * },
+ * ```
+ */
+export type ChatWriter = {
+  /** Write a single UIMessageChunk to the chat stream. */
+  write(part: UIMessageChunk): void;
+  /** Merge another stream's chunks into the chat stream. */
+  merge(stream: ReadableStream<UIMessageChunk>): void;
+};
+
+/**
+ * Creates a lazy ChatWriter that only opens a realtime stream on first use.
+ * Call `flush()` after the callback returns to await stream completion.
+ * @internal
+ */
+function createLazyChatWriter(): { writer: ChatWriter; flush: () => Promise<void> } {
+  let writeImpl: ((part: UIMessageChunk) => void) | null = null;
+  let mergeImpl: ((stream: ReadableStream<UIMessageChunk>) => void) | null = null;
+  let waitPromise: (() => Promise<unknown>) | null = null;
+  let resolveExecute: (() => void) | null = null;
+
+  function ensureInitialized() {
+    if (writeImpl) return;
+
+    const executePromise = new Promise<void>((resolve) => {
+      resolveExecute = resolve;
+    });
+
+    const { waitUntilComplete } = chatStream.writer({
+      collapsed: true,
+      spanName: "callback writer",
+      execute: ({ write, merge }) => {
+        writeImpl = write;
+        mergeImpl = merge;
+        return executePromise; // Keep execute alive until flush()
+      },
+    });
+    waitPromise = waitUntilComplete;
+  }
+
+  return {
+    writer: {
+      write(part: UIMessageChunk) {
+        ensureInitialized();
+        queueResponsePart(part);
+        writeImpl!(part);
+      },
+      merge(stream: ReadableStream<UIMessageChunk>) {
+        ensureInitialized();
+        mergeImpl!(stream);
+      },
+    },
+    async flush() {
+      if (resolveExecute) {
+        resolveExecute(); // Signal execute to complete
+        await waitPromise!(); // Wait for stream to finish piping
+      }
+    },
+  };
+}
+
+/**
+ * Runs a callback with a lazy ChatWriter, flushing the stream after completion.
+ * @internal
+ */
+async function withChatWriter<T>(fn: (writer: ChatWriter) => Promise<T> | T): Promise<T> {
+  const { writer, flush } = createLazyChatWriter();
+  const result = await fn(writer);
+  await flush();
+  return result;
+}
+
+// `ChatTaskWirePayload` and `ChatInputChunk` live in `./ai-shared.ts` so
+// browser bundles (which import them via `chat-client.ts` / `chat.ts`)
+// can pull the types without dragging `ai.ts` into the client graph.
+// Re-exported here so `@trigger.dev/sdk/ai` consumers see them.
+import type { ChatTaskWirePayload, ChatInputChunk } from "./ai-shared.js";
+export type { ChatTaskWirePayload, ChatInputChunk } from "./ai-shared.js";
+
+/**
+ * The payload shape passed to the `chatAgent` run function.
+ *
+ * - `messages` contains model-ready messages (converted via `convertToModelMessages`) —
+ *   pass these directly to `streamText`.
+ * - `clientData` contains custom data from the frontend (the `metadata` field from `sendMessage()`).
+ *
+ * The backend accumulates the full conversation history across turns, so the frontend
+ * only needs to send new messages after the first turn.
+ */
+export type ChatTaskPayload<TClientData = unknown> = {
+  /** Model-ready messages — pass directly to `streamText({ messages })`. */
+  messages: ModelMessage[];
+
+  /** The unique identifier for the chat session */
+  chatId: string;
+
+  /**
+   * The trigger type:
+   * - `"submit-message"`: A new user message
+   * - `"regenerate-message"`: Regenerate the last assistant response
+   * - `"preload"`: Run was preloaded before the first message (only on turn 0)
+   * - `"action"`: A typed action from the frontend (see `actionSchema` + `onAction`).
+   *   The action has already been applied before `run()` fires — check `trigger === "action"`
+   *   to short-circuit the LLM call when an action doesn't need a response.
+   * - `"close"`: The chat session is being closed (internal; `run()` is not called).
+   */
+  trigger: "submit-message" | "regenerate-message" | "preload" | "action" | "close";
+
+  /** The ID of the message to regenerate (only for `"regenerate-message"`) */
+  messageId?: string;
+
+  /** Custom data from the frontend (passed via `metadata` on `sendMessage()` or the transport). */
+  clientData?: TClientData;
+
+  /** Whether this run is continuing an existing chat (previous run timed out or was cancelled). False for brand new chats. */
+  continuation: boolean;
+  /** The run ID of the previous run (only set when `continuation` is true). */
+  previousRunId?: string;
+  /** Whether this run was preloaded before the first message. */
+  preloaded: boolean;
+  /**
+   * The friendlyId of the Session primitive backing this chat. Use with
+   * `sessions.open(sessionId)` when you need direct access to the session's
+   * `.in` / `.out` channels outside the hooks the agent already wires for
+   * you. Undefined only for legacy transports that predate the sessions
+   * migration.
+   */
+  sessionId?: string;
 };
+
+/**
+ * Abort signals provided to the `chatAgent` run function.
+ */
+export type ChatTaskSignals = {
+  /** Combined signal — fires on run cancel OR stop generation. Pass to `streamText`. */
+  signal: AbortSignal;
+  /** Fires only when the run is cancelled, expired, or exceeds maxDuration. */
+  cancelSignal: AbortSignal;
+  /** Fires only when the frontend stops generation for this turn (per-turn, reset each turn). */
+  stopSignal: AbortSignal;
+};
+
+/**
+ * The full payload passed to a `chatAgent` run function.
+ * Extends `ChatTaskPayload` (the wire payload) with abort signals.
+ */
+export type ChatTaskRunPayload<
+  TClientData = unknown,
+  TTools extends ToolSet = ToolSet,
+> = ChatTaskPayload<TClientData> &
+  ChatTaskSignals & {
+    /**
+     * Task run context — same object as the `ctx` passed to a standard `task({ run })` handler’s second argument.
+     * Use for tags, metadata, parent run links, or any API that needs the full run record.
+     */
+    ctx: TaskRunContext;
+    /** Token usage from the previous turn. Undefined on turn 0. */
+    previousTurnUsage?: LanguageModelUsage;
+    /** Cumulative token usage across all completed turns so far. */
+    totalUsage: LanguageModelUsage;
+    /**
+     * The resolved tool set for this turn, the same `tools` you declared on
+     * `chat.agent({ tools })` (or the result of the per-turn `tools` function).
+     * Pass straight to `streamText({ tools })` so you don't redeclare them:
+     *
+     * ```ts
+     * run: ({ messages, tools, signal }) =>
+     *   streamText({ model, messages, tools, abortSignal: signal })
+     * ```
+     *
+     * Declaring `tools` on the config is also what lets the SDK re-run each
+     * tool's `toModelOutput` when it re-converts prior-turn history (see the
+     * `tools` option on `chat.agent`). Empty object when no `tools` were declared.
+     */
+    tools: TTools;
+  };
+
+// Input streams for bidirectional chat communication
+//
+// Both `messagesInput` and `stopInput` are thin facades over the current
+// run's Session `.in` channel. The Session carries a single tagged stream
+// (`ChatInputChunk`); these facades filter by `kind` so existing call
+// sites (both internal and exposed via `chat.messages` / `chat.createStopSignal`)
+// keep their original shape. Each accessor resolves the session handle
+// lazily via `getChatSession()` so the module-level references stay
+// compatible with the pre-migration wiring.
+const messagesInput: RealtimeDefinedInputStream<ChatTaskWirePayload> = {
+  id: "chat-messages",
+  on(handler) {
+    return getChatSession().in.on<ChatInputChunk>((chunk) => {
+      if (chunk.kind === "message") {
+        // Returning `true` marks the record CONSUMED at the manager level:
+        // it is neither buffered for a later `once()` nor re-delivered by
+        // the buffer drain when the next turn re-attaches its handler.
+        // Without this, a message arriving mid-stream was delivered twice
+        // and ran a duplicate turn.
+        void Promise.resolve(handler(chunk.payload)).catch(() => {});
+        return true;
+      }
+      return undefined;
+    });
+  },
+  once(options) {
+    const ctx = taskContext.ctx;
+    const runId = ctx?.run.id;
+
+    return new InputStreamOncePromise<ChatTaskWirePayload>((resolve, reject) => {
+      tracer
+        .startActiveSpan(
+          options?.spanName ?? `chat.messages.once()`,
+          async () => {
+            while (true) {
+              const result = await getChatSession().in.once<ChatInputChunk>(options);
+              if (!result.ok) {
+                resolve(result as InputStreamOnceResult<ChatTaskWirePayload>);
+                return;
+              }
+              if (result.output.kind === "message") {
+                resolve({ ok: true, output: result.output.payload });
+                return;
+              }
+              // Non-message chunks (stops) are handled by the stopInput
+              // facade's persistent listener; loop and wait for the next.
+            }
+          },
+          {
+            attributes: {
+              [SemanticInternalAttributes.STYLE_ICON]: "streams",
+              [SemanticInternalAttributes.ENTITY_TYPE]: "input-stream",
+              ...(runId
+                ? {
+                    [SemanticInternalAttributes.ENTITY_ID]: `${runId}:chat-messages`,
+                  }
+                : {}),
+              streamId: "chat-messages",
+              ...accessoryAttributes({
+                items: [{ text: "chat-messages", variant: "normal" }],
+                style: "codepath",
+              }),
+            },
+          }
+        )
+        .catch(reject);
+    });
+  },
+  peek() {
+    const chunk = getChatSession().in.peek<ChatInputChunk>();
+    if (chunk && chunk.kind === "message") return chunk.payload;
+    return undefined;
+  },
+  wait(options) {
+    return new ManualWaitpointPromise<ChatTaskWirePayload>(async (resolve, reject) => {
+      try {
+        while (true) {
+          const result = await getChatSession().in.wait<ChatInputChunk>(options);
+          if (!result.ok) {
+            resolve(result);
+            return;
+          }
+          if (result.output.kind === "message") {
+            resolve({ ok: true, output: result.output.payload });
+            return;
+          }
+          // Stop chunks are handled by the stopInput facade's persistent
+          // listener; loop back into the suspending wait.
+        }
+      } catch (error) {
+        reject(error);
+      }
+    });
+  },
+  async waitWithIdleTimeout(options) {
+    while (true) {
+      const result = await getChatSession().in.waitWithIdleTimeout<ChatInputChunk>(options);
+      if (!result.ok) return result;
+      if (result.output.kind === "message") {
+        return { ok: true, output: result.output.payload };
+      }
+      // Swallow stop-kind chunks — persistent stop listener already handled
+      // the abort; we just loop for the next message.
+    }
+  },
+  async send(_runId, data, options) {
+    // The `runId` argument is kept for signature parity with
+    // `RealtimeDefinedInputStream` but ignored — sessions are addressed
+    // by sessionId, not runId. Callers producing messages from outside
+    // the run should prefer the transport's `session.in.send(...)` path.
+    await getChatSession().in.send(
+      { kind: "message", payload: data } satisfies ChatInputChunk,
+      options?.requestOptions
+    );
+  },
+};
+
+const stopInput: RealtimeDefinedInputStream<{ stop: true; message?: string }> = {
+  id: "chat-stop",
+  on(handler) {
+    return getChatSession().in.on<ChatInputChunk>((chunk) => {
+      if (chunk.kind === "stop") {
+        // Consume stop records (see the messages facade above). A stop is
+        // only meaningful to the turn it interrupts — buffering it would
+        // let a stale stop abort a future turn.
+        void Promise.resolve(handler({ stop: true, message: chunk.message })).catch(() => {});
+        return true;
+      }
+      return undefined;
+    });
+  },
+  once(options) {
+    const ctx = taskContext.ctx;
+    const runId = ctx?.run.id;
+
+    return new InputStreamOncePromise<{ stop: true; message?: string }>((resolve, reject) => {
+      tracer
+        .startActiveSpan(
+          options?.spanName ?? `chat.stop.once()`,
+          async () => {
+            while (true) {
+              const result = await getChatSession().in.once<ChatInputChunk>(options);
+              if (!result.ok) {
+                resolve(result as InputStreamOnceResult<{ stop: true; message?: string }>);
+                return;
+              }
+              if (result.output.kind === "stop") {
+                resolve({
+                  ok: true,
+                  output: { stop: true, message: result.output.message },
+                });
+                return;
+              }
+            }
+          },
+          {
+            attributes: {
+              [SemanticInternalAttributes.STYLE_ICON]: "streams",
+              [SemanticInternalAttributes.ENTITY_TYPE]: "input-stream",
+              ...(runId
+                ? {
+                    [SemanticInternalAttributes.ENTITY_ID]: `${runId}:chat-stop`,
+                  }
+                : {}),
+              streamId: "chat-stop",
+              ...accessoryAttributes({
+                items: [{ text: "chat-stop", variant: "normal" }],
+                style: "codepath",
+              }),
+            },
+          }
+        )
+        .catch(reject);
+    });
+  },
+  peek() {
+    const chunk = getChatSession().in.peek<ChatInputChunk>();
+    if (chunk && chunk.kind === "stop") {
+      return { stop: true, message: chunk.message };
+    }
+    return undefined;
+  },
+  wait(options) {
+    return new ManualWaitpointPromise<{ stop: true; message?: string }>(async (resolve, reject) => {
+      try {
+        while (true) {
+          const result = await getChatSession().in.wait<ChatInputChunk>(options);
+          if (!result.ok) {
+            resolve(result);
+            return;
+          }
+          if (result.output.kind === "stop") {
+            resolve({
+              ok: true,
+              output: { stop: true, message: result.output.message },
+            });
+            return;
+          }
+        }
+      } catch (error) {
+        reject(error);
+      }
+    });
+  },
+  async waitWithIdleTimeout(options) {
+    while (true) {
+      const result = await getChatSession().in.waitWithIdleTimeout<ChatInputChunk>(options);
+      if (!result.ok) return result;
+      if (result.output.kind === "stop") {
+        return { ok: true, output: { stop: true, message: result.output.message } };
+      }
+    }
+  },
+  async send(_runId, data, options) {
+    await getChatSession().in.send(
+      { kind: "stop", message: data?.message } satisfies ChatInputChunk,
+      options?.requestOptions
+    );
+  },
+};
+
+/**
+ * Signal received by a `handover-prepare` agent run waiting on
+ * `session.in`. Either the customer's first-turn `streamText` finished
+ * with pending tool calls (`"handover"` — agent picks up from tool
+ * execution), or it finished pure-text (`"handover-skip"` — agent
+ * exits cleanly without making an LLM call).
+ * @internal
+ */
+type HandoverSignal =
+  | {
+      kind: "handover";
+      partialAssistantMessage: ModelMessage[];
+      messageId?: string;
+      /**
+       * Whether the customer's step 1 is the final response. When
+       * true, the agent's turn loop runs hooks but skips the LLM
+       * call (the partial IS the response). When false, the agent
+       * runs `streamText` which executes pending tool-calls via the
+       * approval round and continues from step 2.
+       */
+      isFinal: boolean;
+    }
+  | { kind: "handover-skip" };
+
+/**
+ * Internal facade for waiting on the handover signal. Mirrors
+ * `messagesInput` / `stopInput` so the wait paths and tracing
+ * attributes stay consistent across all input-stream branches.
+ * @internal
+ */
+const handoverInput = {
+  async waitWithIdleTimeout(options: {
+    idleTimeoutInSeconds: number;
+    timeout?: string;
+    spanName?: string;
+    skipSuspend?: boolean;
+  }) {
+    while (true) {
+      const result = await getChatSession().in.waitWithIdleTimeout<ChatInputChunk>(options);
+      if (!result.ok) return result;
+      if (
+        result.output.kind === "handover" ||
+        result.output.kind === "handover-skip"
+      ) {
+        return { ok: true as const, output: result.output as HandoverSignal };
+      }
+      // Other kinds (message, stop) are not expected during handover-prepare.
+      // Loop back; the message and stop facades have their own listeners
+      // running so signals on those kinds aren't lost.
+    }
+  },
+};
+
+/**
+ * Per-turn deferred promises. Registered via `chat.defer()`, awaited
+ * before `onTurnComplete` fires. Reset each turn.
+ * @internal
+ */
+const chatDeferKey = locals.create<Set<Promise<unknown>>>("chat.defer");
+
+/**
+ * Run-scoped slot holding the partial assistant message handed over by
+ * `chat.handover` from a customer's first-turn `streamText`. Appended
+ * to `accumulatedMessages` during turn 0 setup so `streamText` resumes
+ * at tool execution. Cleared (read once) after consumption.
+ * @internal
+ */
+const chatHandoverPartialKey = locals.create<ModelMessage[]>("chat.handoverPartial");
+
+/**
+ * Run-scoped slot holding the assistant `messageId` the customer's
+ * `chat.handover` handler used for its step-1 stream. The agent reuses
+ * it on the agent-side `toUIMessageStream` (and the synthesized
+ * partial UIMessage in `originalMessages`) so all chunks merge into a
+ * single assistant message on the browser side.
+ * @internal
+ */
+const chatHandoverMessageIdKey = locals.create<string>("chat.handoverMessageId");
+
+/**
+ * Run-scoped slot indicating that the customer's step-1 head-start
+ * response is the FINAL turn response. When true, turn 0 runs through
+ * the full turn-loop hooks but SKIPS the `userRun` / `streamText`
+ * call — the customer's partial already IS the response. The agent's
+ * `onTurnComplete` fires with that partial so persistence + any
+ * post-turn work happens normally. Cleared after consumption.
+ * @internal
+ */
+const chatHandoverIsFinalKey = locals.create<boolean>("chat.handoverIsFinal");
+
+/**
+ * Build a UIMessage representation of a `chat.handover` partial so AI
+ * SDK's `processUIMessageStream` can transition `tool-output-available`
+ * chunks (emitted by the initial-tool-execution branch when the
+ * approval round runs) onto the existing tool-call. Without this,
+ * `state.message.parts` is empty when the agent's `streamText`
+ * finishes, and AI SDK throws
+ * `UIMessageStreamError: No tool invocation found`.
+ *
+ * Only the assistant message matters — the synthesized
+ * `tool-approval-response` rows are AI-SDK-internal and don't need a
+ * UIMessage representation. We map:
+ *   - `text` parts → `{ type: "text", text }`
+ *   - `reasoning` parts → `{ type: "reasoning", text, state: "done" }`
+ *      (provider metadata carried so an Anthropic thinking signature
+ *      survives a UIMessage → ModelMessage round trip)
+ *   - `tool-call` parts → `{ type: "tool-${name}", toolCallId,
+ *      state: "input-available", input }`
+ *   - `tool-approval-request` parts → skipped (AI SDK derives the
+ *      approval state from chunks during processing)
+ *
+ * @internal
+ */
+function synthesizeHandoverUIMessage(
+  partial: ModelMessage[],
+  messageId?: string
+): UIMessage | undefined {
+  const assistant = partial.find((m) => m.role === "assistant");
+  if (!assistant || typeof assistant.content === "string") return undefined;
+
+  const parts: UIMessage["parts"] = [];
+  for (const part of assistant.content as Array<{
+    type: string;
+    text?: string;
+    toolCallId?: string;
+    toolName?: string;
+    input?: unknown;
+    providerOptions?: unknown;
+  }>) {
+    if (part.type === "text" && typeof part.text === "string") {
+      parts.push({ type: "text", text: part.text } as UIMessage["parts"][number]);
+    } else if (part.type === "reasoning" && typeof part.text === "string") {
+      parts.push({
+        type: "reasoning",
+        text: part.text,
+        state: "done",
+        ...(part.providerOptions ? { providerMetadata: part.providerOptions } : {}),
+      } as unknown as UIMessage["parts"][number]);
+    } else if (part.type === "tool-call" && part.toolCallId && part.toolName) {
+      parts.push({
+        type: `tool-${part.toolName}`,
+        toolCallId: part.toolCallId,
+        state: "input-available",
+        input: part.input,
+      } as unknown as UIMessage["parts"][number]);
+    }
+    // tool-approval-request parts intentionally skipped — they're an
+    // AI-SDK protocol detail, not a UI surface.
+  }
+
+  if (parts.length === 0) return undefined;
+
+  // Use the customer's step-1 messageId if provided (so the agent's
+  // post-handover chunks merge into the same assistant message on the
+  // browser). Fall back to a fresh id only if the handover signal
+  // didn't carry one.
+  return {
+    id: messageId ?? generateMessageId(),
+    role: "assistant",
+    parts,
+  } as UIMessage;
+}
+
+/**
+ * Per-turn background context queue. Messages added via `chat.backgroundWork.inject()`
+ * are drained at the next `prepareStep` boundary and appended to the model messages.
+ * @internal
+ */
+const chatBackgroundQueueKey = locals.create<ModelMessage[]>("chat.backgroundQueue");
+
+/**
+ * Run-scoped pipe counter. Stored in locals so concurrent runs in the
+ * same worker don't share state.
+ * @internal
+ */
+const chatPipeCountKey = locals.create<number>("chat.pipeCount");
+const chatStopControllerKey = locals.create<AbortController>("chat.stopController");
+/** Static (task-level) UIMessageStream options, set once during chatAgent setup. @internal */
+const chatUIStreamStaticKey = locals.create<ChatUIMessageStreamOptions<UIMessage>>(
+  "chat.uiMessageStreamOptions.static"
+);
+/** Per-turn UIMessageStream options, set via chat.setUIMessageStreamOptions(). @internal */
+const chatUIStreamPerTurnKey = locals.create<ChatUIMessageStreamOptions<UIMessage>>(
+  "chat.uiMessageStreamOptions.perTurn"
+);
+
+/**
+ * Run-scoped `toolCallId → assistant messageId` map. Records the head
+ * assistant id whenever the accumulator absorbs an assistant message
+ * containing tool parts. Used as a fallback in the id-merge for
+ * incoming tool-answer messages — if the AI SDK regenerates the
+ * assistant id on a HITL `addToolOutput` resume, we look up the
+ * original head id by `toolCallId` and rewrite it before the merge.
+ *
+ * Customer-side workaround for the same case is documented in Arena
+ * AI's chat-agent task; lifting it into the SDK so customers don't
+ * have to. See TRI-9137.
+ * @internal
+ */
+const chatToolCallToMessageIdKey = locals.create<Map<string, string>>(
+  "chat.toolCallToMessageId"
+);
+
+function recordToolCallIdsFromMessage(message: { id?: string; role?: string; parts?: unknown[] } | undefined) {
+  if (!message || message.role !== "assistant" || !message.id) return;
+  let map = locals.get(chatToolCallToMessageIdKey);
+  if (!map) {
+    map = new Map();
+    locals.set(chatToolCallToMessageIdKey, map);
+  }
+  for (const part of message.parts ?? []) {
+    if (typeof part !== "object" || part == null) continue;
+    const toolCallId = (part as { toolCallId?: unknown }).toolCallId;
+    if (typeof toolCallId === "string" && toolCallId.length > 0) {
+      map.set(toolCallId, message.id);
+    }
+  }
+}
+
+function rewriteIncomingIdViaToolCallMap<T extends { id?: string; parts?: unknown[] }>(
+  incoming: T
+): T {
+  const map = locals.get(chatToolCallToMessageIdKey);
+  if (!map || map.size === 0) return incoming;
+  for (const part of incoming.parts ?? []) {
+    if (typeof part !== "object" || part == null) continue;
+    const toolCallId = (part as { toolCallId?: unknown }).toolCallId;
+    if (typeof toolCallId !== "string" || toolCallId.length === 0) continue;
+    const headId = map.get(toolCallId);
+    if (headId && headId !== incoming.id) {
+      return { ...incoming, id: headId };
+    }
+  }
+  return incoming;
+}
+
+// ---------------------------------------------------------------------------
+// Token usage helpers (internal)
+// ---------------------------------------------------------------------------
+
+/** Convenience re-export of the AI SDK's `LanguageModelUsage` type. */
+export type ChatTurnUsage = LanguageModelUsage;
+
+function emptyUsage(): LanguageModelUsage {
+  return {
+    inputTokens: undefined,
+    outputTokens: undefined,
+    totalTokens: undefined,
+    inputTokenDetails: {
+      noCacheTokens: undefined,
+      cacheReadTokens: undefined,
+      cacheWriteTokens: undefined,
+    },
+    outputTokenDetails: { textTokens: undefined, reasoningTokens: undefined },
+  };
+}
+
+function addUsage(a: LanguageModelUsage, b: LanguageModelUsage): LanguageModelUsage {
+  const add = (x: number | undefined, y: number | undefined) =>
+    x != null || y != null ? (x ?? 0) + (y ?? 0) : undefined;
+  return {
+    inputTokens: add(a.inputTokens, b.inputTokens),
+    outputTokens: add(a.outputTokens, b.outputTokens),
+    totalTokens: add(a.totalTokens, b.totalTokens),
+    inputTokenDetails: {
+      noCacheTokens: add(a.inputTokenDetails?.noCacheTokens, b.inputTokenDetails?.noCacheTokens),
+      cacheReadTokens: add(
+        a.inputTokenDetails?.cacheReadTokens,
+        b.inputTokenDetails?.cacheReadTokens
+      ),
+      cacheWriteTokens: add(
+        a.inputTokenDetails?.cacheWriteTokens,
+        b.inputTokenDetails?.cacheWriteTokens
+      ),
+    },
+    outputTokenDetails: {
+      textTokens: add(a.outputTokenDetails?.textTokens, b.outputTokenDetails?.textTokens),
+      reasoningTokens: add(
+        a.outputTokenDetails?.reasoningTokens,
+        b.outputTokenDetails?.reasoningTokens
+      ),
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// chat.setMessages — replace accumulated messages for compaction
+// ---------------------------------------------------------------------------
+
+/** @internal */
+const chatOverrideMessagesKey = locals.create<UIMessage[]>("chat.overrideMessages");
+
+/**
+ * Tracks the current accumulated UI messages so chat.history.all() can
+ * read them from outside the chatAgent closure.
+ * @internal
+ */
+const chatCurrentUIMessagesKey = locals.create<UIMessage[]>("chat.currentUIMessages");
+
+/**
+ * Replace the accumulated conversation messages for the current run.
+ *
+ * Call from `onTurnStart` to compact before `run()` executes, or from
+ * `onTurnComplete` to compact before the next turn. Takes `UIMessage[]`
+ * and converts to `ModelMessage[]` internally.
+ */
+function setChatMessages<TUIM extends UIMessage = UIMessage>(uiMessages: TUIM[]): void {
+  locals.set(chatOverrideMessagesKey, uiMessages);
+}
+
+// ---------------------------------------------------------------------------
+// chat.history — imperative message history mutations
+// ---------------------------------------------------------------------------
+
+/**
+ * Read the current message history state, accounting for pending overrides.
+ * @internal
+ */
+function getChatHistoryState(): UIMessage[] {
+  const pending = locals.get(chatOverrideMessagesKey);
+  if (pending) return pending;
+  return locals.get(chatCurrentUIMessagesKey) ?? [];
+}
+
+/**
+ * A tool call surfaced by `chat.history.getPendingToolCalls()` /
+ * `getResolvedToolCalls()`. Identifies the call by its `toolCallId` plus
+ * the `messageId` of the assistant message that hosts it, so callers can
+ * locate the part precisely without re-walking the chain.
+ */
+export type ChatToolCallRef = {
+  toolCallId: string;
+  toolName: string;
+  messageId: string;
+};
+
+/**
+ * A new tool result surfaced by `chat.history.extractNewToolResults()`.
+ * `errorText` is set iff the part is in `output-error` state; otherwise
+ * `output` carries the resolved value.
+ */
+export type ChatNewToolResult = {
+  toolCallId: string;
+  toolName: string;
+  output: unknown;
+  errorText?: string;
+};
+
+/**
+ * Tool parts that are "done" — either succeeded with a value or failed
+ * with an error. Excludes pending (`input-streaming`/`input-available`)
+ * and approval (`approval-requested`/`approval-responded`) states.
+ * @internal
+ */
+function isResolvedToolState(state: unknown): state is "output-available" | "output-error" {
+  return state === "output-available" || state === "output-error";
+}
+
+/** @internal */
+function isPendingToolState(state: unknown): state is "input-available" {
+  return state === "input-available";
+}
+
+/**
+ * Walk an assistant message and yield each tool part with its callId,
+ * name, and state. Skips non-assistant messages and non-tool parts.
+ * @internal
+ */
+function* iterateToolParts(
+  message: UIMessage
+): Generator<{ part: any; toolCallId: string; toolName: string; state: unknown }> {
+  if (message.role !== "assistant") return;
+  for (const part of (message.parts ?? []) as any[]) {
+    if (!isToolUIPart(part)) continue;
+    const toolCallId = part.toolCallId;
+    if (typeof toolCallId !== "string" || toolCallId.length === 0) continue;
+    yield {
+      part,
+      toolCallId,
+      toolName: getToolName(part),
+      state: part.state,
+    };
+  }
+}
+
+/**
+ * Walk a partial assistant message and surface the tool calls the model
+ * had started but never received a result for. Used at recovery boot to
+ * populate `RecoveryBootEvent.pendingToolCalls`.
+ *
+ * The partial assistant in question is the orphan from a dead run — its
+ * `turn-complete` never fired, so any `input-available` tool part is
+ * truly orphan (NOT a stable HITL pause; HITL parts live on settled
+ * messages, not on the partial).
+ *
+ * @internal
+ */
+function extractPendingToolCallsFromPartial(
+  partial: UIMessage | undefined
+): RecoveryPendingToolCall[] {
+  if (!partial) return [];
+  const out: RecoveryPendingToolCall[] = [];
+  const parts = (partial.parts ?? []) as any[];
+  for (let i = 0; i < parts.length; i++) {
+    const part = parts[i];
+    if (!isToolUIPart(part)) continue;
+    if (!isPendingToolState(part.state)) continue;
+    const toolCallId = part.toolCallId;
+    if (typeof toolCallId !== "string" || toolCallId.length === 0) continue;
+    out.push({
+      toolCallId,
+      toolName: getToolName(part),
+      input: part.input,
+      partIndex: i,
+    });
+  }
+  return out;
+}
+
+/**
+ * Tool parts on the *leaf* assistant message that are still waiting on
+ * an answer (`input-available` state). Used to gate fresh user turns
+ * during HITL flows.
+ * @internal
+ */
+function getPendingToolCallsFromHistory(messages: UIMessage[]): ChatToolCallRef[] {
+  for (let i = messages.length - 1; i >= 0; i--) {
+    const msg = messages[i]!;
+    if (msg.role !== "assistant") continue;
+    const pending: ChatToolCallRef[] = [];
+    for (const { toolCallId, toolName, state } of iterateToolParts(msg)) {
+      if (isPendingToolState(state)) {
+        pending.push({ toolCallId, toolName, messageId: msg.id });
+      }
+    }
+    return pending;
+  }
+  return [];
+}
+
+/**
+ * All tool parts across the chain that have already produced an output
+ * (`output-available` or `output-error`). Used to dedup re-saves when
+ * the AI SDK resends an assistant with progressively more answered
+ * parts.
+ * @internal
+ */
+function getResolvedToolCallsFromHistory(messages: UIMessage[]): ChatToolCallRef[] {
+  const out: ChatToolCallRef[] = [];
+  for (const msg of messages) {
+    for (const { toolCallId, toolName, state } of iterateToolParts(msg)) {
+      if (isResolvedToolState(state)) {
+        out.push({ toolCallId, toolName, messageId: msg.id });
+      }
+    }
+  }
+  return out;
+}
+
+/**
+ * Pure helper: tool parts in `message` that have a fresh result not
+ * already represented by the resolved toolCallIds in `messages`. The
+ * `errorText` field is present only for `output-error` parts.
+ *
+ * Within a single `message`, duplicate `toolCallId`s emit only once
+ * (first occurrence wins). This guards against malformed assistants
+ * with repeated tool parts.
+ * @internal
+ */
+function extractNewToolResultsFromHistory(
+  message: UIMessage,
+  messages: UIMessage[]
+): ChatNewToolResult[] {
+  const resolved = new Set(
+    getResolvedToolCallsFromHistory(messages).map((r) => r.toolCallId)
+  );
+  const seen = new Set<string>();
+  const out: ChatNewToolResult[] = [];
+  for (const { part, toolCallId, toolName, state } of iterateToolParts(message)) {
+    if (!isResolvedToolState(state)) continue;
+    if (resolved.has(toolCallId)) continue;
+    if (seen.has(toolCallId)) continue;
+    seen.add(toolCallId);
+    if (state === "output-error") {
+      out.push({ toolCallId, toolName, output: undefined, errorText: part.errorText });
+    } else {
+      out.push({ toolCallId, toolName, output: part.output });
+    }
+  }
+  return out;
+}
+
+/**
+ * Per-turn merge of an incoming wire `UIMessage` onto the matching entry
+ * a `hydrateMessages` hook (or the default accumulator) provides. Used
+ * to fold tool-state advances from the client into the agent's
+ * authoritative chain without trusting the wire copy for fields the
+ * LLM consumes.
+ *
+ * `hydrated` is treated as the source of truth for everything outside
+ * tool-state advancement: text, reasoning blobs, provider metadata,
+ * and tool `input` all stay as hydrated had them. We only overlay
+ * tool parts whose incoming state is wire-advanced — `output-available`
+ * / `output-error` (HITL `addToolOutput`) or `approval-responded` /
+ * `output-denied` (approval flow) — and only the corresponding
+ * resolution fields (`output` / `errorText` / `approval`). Hydrated
+ * `input` and everything else stay put.
+ *
+ * Without this, a slim wire copy (which `TriggerChatTransport` /
+ * `AgentChat.sendRaw` ship by default on HITL continuations) would
+ * clobber the hydrated assistant — the next LLM call would receive a
+ * tool call with no `input` and 4xx.
+ *
+ * @internal
+ */
+function mergeIncomingIntoHydrated<TMsg extends UIMessage>(
+  hydrated: TMsg,
+  incoming: UIMessage
+): TMsg {
+  const incomingAdvancedByCallId = new Map<string, any>();
+  for (const part of (incoming.parts ?? []) as any[]) {
+    if (!isToolUIPart(part)) continue;
+    const toolCallId = part.toolCallId;
+    if (typeof toolCallId !== "string" || toolCallId.length === 0) continue;
+    if (!isWireAdvanceableToolState(part.state)) continue;
+    incomingAdvancedByCallId.set(toolCallId, part);
+  }
+
+  if (incomingAdvancedByCallId.size === 0) return hydrated;
+
+  let mutated = false;
+  const hydratedParts = (hydrated.parts ?? []) as any[];
+  const mergedParts = hydratedParts.map((part) => {
+    if (!isToolUIPart(part)) return part;
+    const toolCallId = part.toolCallId;
+    if (typeof toolCallId !== "string" || toolCallId.length === 0) return part;
+    const incomingPart = incomingAdvancedByCallId.get(toolCallId);
+    if (!incomingPart) return part;
+    // Terminal hydrated states (`output-available`, `output-error`,
+    // `output-denied`) are authoritative — never regressed by a stale
+    // wire arrival (replay, retry, out-of-order). `output-denied`
+    // matters here because the wire's `approval-responded` could
+    // otherwise overwrite a hydrated denial back to a non-terminal
+    // state.
+    if (isResolvedToolState(part.state) || part.state === "output-denied") {
+      return part;
+    }
+    // Same state on both sides — no progression to apply.
+    if (part.state === incomingPart.state) return part;
+    mutated = true;
+    if (incomingPart.state === "output-available") {
+      return {
+        ...part,
+        state: incomingPart.state,
+        output: incomingPart.output,
+        ...(incomingPart.approval !== undefined ? { approval: incomingPart.approval } : {}),
+      };
+    }
+    if (incomingPart.state === "output-error") {
+      return {
+        ...part,
+        state: incomingPart.state,
+        errorText: incomingPart.errorText,
+        ...(incomingPart.approval !== undefined ? { approval: incomingPart.approval } : {}),
+      };
+    }
+    // approval-responded / output-denied — overlay state + approval.
+    return {
+      ...part,
+      state: incomingPart.state,
+      ...(incomingPart.approval !== undefined ? { approval: incomingPart.approval } : {}),
+    };
+  });
+
+  if (!mutated) return hydrated;
+  return { ...hydrated, parts: mergedParts };
+}
+
+/**
+ * Mirror of `slimSubmitMessageForWire`'s predicate. Kept here so the
+ * agent runtime doesn't have to import from `ai-shared.ts` for a
+ * one-liner. See that file for the full state-machine docs.
+ *
+ * @internal
+ */
+function isWireAdvanceableToolState(
+  state: unknown
+): state is "output-available" | "output-error" | "approval-responded" | "output-denied" {
+  return (
+    state === "output-available" ||
+    state === "output-error" ||
+    state === "approval-responded" ||
+    state === "output-denied"
+  );
+}
+
+/**
+ * Imperative API for reading and modifying the accumulated message history.
+ *
+ * Mutations use the same deferred override mechanism as `chat.setMessages()`:
+ * they are applied at lifecycle checkpoints (after hooks return). Reads are
+ * synchronous against the current accumulator state.
+ *
+ * Can be called from `onTurnStart`, `onBeforeTurnComplete`, `onTurnComplete`,
+ * `run()`, `onAction`, or AI SDK tools.
+ */
+const chatHistory = {
+  /** Read the current accumulated UI messages (copy). */
+  all(): UIMessage[] {
+    return [...getChatHistoryState()];
+  },
+
+  /**
+   * Read the current chain as an ordered `UIMessage[]`. Identical to
+   * `all()`; use whichever name reads better in context.
+   */
+  getChain(): UIMessage[] {
+    return chatHistory.all();
+  },
+
+  /**
+   * Find a message by id. Returns `undefined` if no message with that id
+   * is present in the current chain.
+   */
+  findMessage(messageId: string): UIMessage | undefined {
+    return getChatHistoryState().find((m) => m.id === messageId);
+  },
+
+  /**
+   * Tool calls on the *most recent* assistant message that are still in
+   * `input-available` state (waiting on an `addToolOutput` answer). The
+   * scan walks back from the tail and stops at the first assistant
+   * message it finds, so a trailing user message does not change the
+   * result — pending tool calls remain pending until they're resolved
+   * on that assistant or the assistant is removed.
+   *
+   * Use this to gate fresh user turns or actions during HITL flows: if
+   * `getPendingToolCalls().length > 0`, an `addToolOutput` is expected.
+   *
+   * Returns `[]` if there is no assistant message yet, or if the most
+   * recent assistant has no pending tool calls.
+   *
+   * Approval flows (`approval-requested` / `approval-responded` states)
+   * are not surfaced here. Those are about the user authorizing a tool
+   * to run; "pending" is about the user *answering* a tool call.
+   */
+  getPendingToolCalls(): ChatToolCallRef[] {
+    return getPendingToolCallsFromHistory(getChatHistoryState());
+  },
+
+  /**
+   * Tool calls across the chain with a final result (`output-available`
+   * or `output-error`). Use this to dedup re-saves when the AI SDK
+   * resends an assistant message with progressively more answered parts.
+   */
+  getResolvedToolCalls(): ChatToolCallRef[] {
+    return getResolvedToolCallsFromHistory(getChatHistoryState());
+  },
+
+  /**
+   * Pure helper: returns the tool parts in `message` whose results are
+   * not already represented in the current chain. Use this when
+   * persisting tool results to your own store: each call surfaces only
+   * the *new* answers, so writes stay idempotent across re-streams.
+   * Duplicate `toolCallId`s within `message` itself are also collapsed
+   * to a single entry.
+   */
+  extractNewToolResults(message: UIMessage): ChatNewToolResult[] {
+    return extractNewToolResultsFromHistory(message, getChatHistoryState());
+  },
+
+  /** Replace all accumulated messages. Same as `chat.setMessages()`. */
+  set(messages: UIMessage[]): void {
+    locals.set(chatOverrideMessagesKey, messages);
+  },
+
+  /** Remove a specific message by ID. */
+  remove(messageId: string): void {
+    chatHistory.set(getChatHistoryState().filter((m) => m.id !== messageId));
+  },
+
+  /** Keep messages up to and including the given ID (undo/rollback). */
+  rollbackTo(messageId: string): void {
+    const current = getChatHistoryState();
+    const idx = current.findIndex((m) => m.id === messageId);
+    if (idx !== -1) {
+      chatHistory.set(current.slice(0, idx + 1));
+    }
+  },
+
+  /** Replace a specific message by ID (edit). */
+  replace(messageId: string, message: UIMessage): void {
+    chatHistory.set(getChatHistoryState().map((m) => (m.id === messageId ? message : m)));
+  },
+
+  /** Keep only messages in the given range. */
+  slice(start: number, end?: number): void {
+    chatHistory.set(getChatHistoryState().slice(start, end));
+  },
+};
+
+/**
+ * Model-only message override. Set by compaction to replace only the model
+ * messages (what goes to the LLM) without affecting UI messages (what gets
+ * persisted and displayed). This preserves full conversation history for the
+ * user while keeping LLM context compact.
+ * @internal
+ */
+const chatOverrideModelMessagesKey = locals.create<ModelMessage[]>("chat.overrideModelMessages");
+
+// ---------------------------------------------------------------------------
+// chat.compaction — prepareStep compaction API
+// ---------------------------------------------------------------------------
+
+/** State stored in locals during prepareStep compaction. */
+interface CompactionState {
+  summary: string;
+  baseResponseMessageCount: number;
+}
+
+/** @internal */
+const chatCompactionStateKey = locals.create<CompactionState>("chat.compaction");
+const chatOnCompactedKey =
+  locals.create<(event: CompactedEvent) => Promise<void> | void>("chat.onCompacted");
+/** @internal Full task `ctx` for the active `chat.agent` run (for hooks invoked from nested compaction). */
+const chatAgentRunContextKey = locals.create<TaskRunContext>("chat.agentRunContext");
+const chatPrepareMessagesKey =
+  locals.create<(event: PrepareMessagesEvent<unknown>) => ModelMessage[] | Promise<ModelMessage[]>>(
+    "chat.prepareMessages"
+  );
+/**
+ * @internal The raw `tools` option from `chat.agent({ tools })`, either a
+ * static `ToolSet` or a per-turn function. Set once at boot.
+ */
+const chatToolsOptionKey = locals.create<
+  ToolSet | ((event: ResolveToolsEvent<unknown>) => ToolSet | Promise<ToolSet>)
+>("chat.toolsOption");
+/**
+ * @internal The concrete `ToolSet` resolved for the current turn. Read by
+ * `toModelMessages` so `convertToModelMessages` can re-run `toModelOutput` on
+ * prior-turn tool results. Unset when no `tools` were declared (preserves the
+ * exact pre-feature conversion behavior).
+ */
+const chatResolvedToolsKey = locals.create<ToolSet>("chat.resolvedTools");
+
+/** @internal Flag set by `chat.requestUpgrade()` to exit the loop after the current turn. */
+const chatUpgradeRequestedKey = locals.create<boolean>("chat.upgradeRequested");
+
+/**
+ * @internal Flag set by `chat.endRun()` to exit the loop after the current
+ * turn completes, without any upgrade semantics. Checked at the same
+ * post-turn / pre-wait sites as `chatUpgradeRequestedKey`.
+ */
+const chatEndRunRequestedKey = locals.create<boolean>("chat.endRunRequested");
+
+/**
+ * Event passed to `summarize` callbacks.
+ */
+export type SummarizeEvent = {
+  /** The current model messages to summarize. */
+  messages: ModelMessage[];
+  /** Full usage object from the triggering step/turn. */
+  usage?: LanguageModelUsage;
+  /** Cumulative token usage across all completed turns. Present in chat.agent contexts. */
+  totalUsage?: LanguageModelUsage;
+  /** The chat session ID (if running inside a chat.agent). */
+  chatId?: string;
+  /** The current turn number (0-indexed, if inside a chat.agent). */
+  turn?: number;
+  /** Custom data from the frontend (if inside a chat.agent). */
+  clientData?: unknown;
+  /**
+   * Where compaction is running:
+   * - `"inner"` — between tool-call steps (prepareStep)
+   * - `"outer"` — between turns
+   */
+  source?: "inner" | "outer";
+  /** The step number (0-indexed). Only present when `source` is `"inner"`. */
+  stepNumber?: number;
+};
+
+/**
+ * Event passed to `compactUIMessages` and `compactModelMessages` callbacks.
+ */
+export type CompactMessagesEvent<TUIM extends UIMessage = UIMessage> = {
+  /** The generated summary text. */
+  summary: string;
+  /** The current UI messages (full conversation). */
+  uiMessages: TUIM[];
+  /** The current model messages (full conversation). */
+  modelMessages: ModelMessage[];
+  /** The chat session ID. */
+  chatId: string;
+  /** The current turn number (0-indexed). */
+  turn: number;
+  /** Custom data from the frontend. */
+  clientData?: unknown;
+  /**
+   * Where compaction is running:
+   * - `"inner"` — between tool-call steps (prepareStep)
+   * - `"outer"` — between turns
+   */
+  source: "inner" | "outer";
+};
+
+/**
+ * Options for the `compaction` field on `chat.agent()`.
+ *
+ * Handles compaction automatically in both the inner loop (prepareStep, between
+ * tool-call steps) and the outer loop (between turns, for single-step responses
+ * where prepareStep never fires).
+ */
+export type ChatAgentCompactionOptions<TUIM extends UIMessage = UIMessage> = {
+  /** Decide whether to compact. Return true to trigger compaction. */
+  shouldCompact: (event: ShouldCompactEvent) => boolean | Promise<boolean>;
+  /** Generate a summary from the current messages. Return the summary text. */
+  summarize: (event: SummarizeEvent) => Promise<string>;
+  /**
+   * Transform UI messages after compaction (what gets persisted and displayed).
+   * Default: preserve all UI messages unchanged.
+   *
+   * @example
+   * ```ts
+   * // Flatten to summary
+   * compactUIMessages: ({ summary }) => [{
+   *   id: generateId(), role: "assistant",
+   *   parts: [{ type: "text", text: `[Summary]\n\n${summary}` }],
+   * }],
+   *
+   * // Summary + keep last 4 messages
+   * compactUIMessages: ({ uiMessages, summary }) => [
+   *   { id: generateId(), role: "assistant",
+   *     parts: [{ type: "text", text: `[Summary]\n\n${summary}` }] },
+   *   ...uiMessages.slice(-4),
+   * ],
+   * ```
+   */
+  compactUIMessages?: (event: CompactMessagesEvent<TUIM>) => TUIM[] | Promise<TUIM[]>;
+  /**
+   * Transform model messages after compaction (what gets sent to the LLM).
+   * Default: replace all with a single summary message.
+   *
+   * @example
+   * ```ts
+   * // Summary + keep last 2 model messages
+   * compactModelMessages: ({ modelMessages, summary }) => [
+   *   { role: "user", content: summary },
+   *   ...modelMessages.slice(-2),
+   * ],
+   * ```
+   */
+  compactModelMessages?: (
+    event: CompactMessagesEvent<TUIM>
+  ) => ModelMessage[] | Promise<ModelMessage[]>;
+};
+
+/** @internal */
+const chatAgentCompactionKey =
+  locals.create<ChatAgentCompactionOptions<UIMessage>>("chat.agentCompaction");
+
+// ---------------------------------------------------------------------------
+// Pending messages — mid-execution message injection via prepareStep
+// ---------------------------------------------------------------------------
+
+/**
+ * Event passed to `shouldInject` and `prepareMessages` callbacks.
+ */
+export type PendingMessagesBatchEvent<TUIM extends UIMessage = UIMessage> = {
+  /** All pending UI messages that arrived during streaming (batch). */
+  messages: TUIM[];
+  /** Current model messages in the conversation. */
+  modelMessages: ModelMessage[];
+  /** Completed steps so far. */
+  steps: CompactionStep[];
+  /** Current step number (0-indexed). */
+  stepNumber: number;
+  /** Chat session ID. */
+  chatId: string;
+  /** Current turn number (0-indexed). */
+  turn: number;
+  /** Custom data from the frontend. */
+  clientData?: unknown;
+};
+
+/**
+ * Event passed to `onReceived` callback (per-message, as they arrive).
+ */
+export type PendingMessageReceivedEvent<TUIM extends UIMessage = UIMessage> = {
+  /** The UI message that arrived during streaming. */
+  message: TUIM;
+  /** Chat session ID. */
+  chatId: string;
+  /** Current turn number (0-indexed). */
+  turn: number;
+};
+
+/**
+ * Event passed to `onInjected` callback (batch, after injection).
+ */
+export type PendingMessagesInjectedEvent<TUIM extends UIMessage = UIMessage> = {
+  /** All UI messages that were injected. */
+  messages: TUIM[];
+  /** The model messages that were injected. */
+  injectedModelMessages: ModelMessage[];
+  /** Chat session ID. */
+  chatId: string;
+  /** Current turn number (0-indexed). */
+  turn: number;
+  /** Step number where injection occurred. */
+  stepNumber: number;
+};
+
+/**
+ * Options for the `pendingMessages` field on `chat.agent()`, `chat.createSession()`,
+ * or `ChatMessageAccumulator`.
+ *
+ * Configures how messages that arrive during streaming are handled. When
+ * `shouldInject` is provided and returns `true`, the full batch of pending
+ * messages is injected between tool-call steps via `prepareStep`.
+ * Otherwise, messages queue for the next turn.
+ */
+export type PendingMessagesOptions<TUIM extends UIMessage = UIMessage> = {
+  /**
+   * Decide whether to inject pending messages between tool-call steps.
+   * Called once per step boundary with the full batch of pending messages.
+   * If absent, no injection happens — messages only queue for the next turn.
+   */
+  shouldInject?: (event: PendingMessagesBatchEvent<TUIM>) => boolean | Promise<boolean>;
+  /**
+   * Transform the batch of pending messages before injection.
+   * Return the model messages to inject.
+   * Default: convert each UI message via `convertToModelMessages`.
+   */
+  prepare?: (event: PendingMessagesBatchEvent<TUIM>) => ModelMessage[] | Promise<ModelMessage[]>;
+  /** Called when a message arrives during streaming (per-message). */
+  onReceived?: (event: PendingMessageReceivedEvent<TUIM>) => void | Promise<void>;
+  /** Called after a batch of messages is injected via `prepareStep`. */
+  onInjected?: (event: PendingMessagesInjectedEvent<TUIM>) => void | Promise<void>;
+};
+
+/**
+ * The data part type used to signal that pending messages were injected
+ * between tool-call steps. The frontend can match on this to render
+ * injection points inline in the assistant response.
+ */
+// `PENDING_MESSAGE_INJECTED_TYPE` lives in `./ai-shared.ts` so the chat
+// React hooks (`@trigger.dev/sdk/chat/react`) can import it without
+// dragging `ai.ts` into the browser graph. Re-exported here so
+// `@trigger.dev/sdk/ai` consumers still see it.
+export { PENDING_MESSAGE_INJECTED_TYPE, upsertIncomingMessage } from "./ai-shared.js";
+import { PENDING_MESSAGE_INJECTED_TYPE } from "./ai-shared.js";
+
+/** @internal */
+type SteeringQueueEntry = { uiMessage: UIMessage; modelMessages: ModelMessage[] };
+/** @internal */
+const chatPendingMessagesKey = locals.create<PendingMessagesOptions>("chat.pendingMessages");
+/** @internal */
+const chatSteeringQueueKey = locals.create<SteeringQueueEntry[]>("chat.steeringQueue");
+/** @internal — IDs of messages that were successfully injected via prepareStep */
+const chatInjectedMessageIdsKey = locals.create<Set<string>>("chat.injectedMessageIds");
+/** @internal — non-transient data parts queued via chat.response or writer.write() for accumulation into the response message */
+const chatResponsePartsKey = locals.create<unknown[]>("chat.responseParts");
+
+/**
+ * Check if a chunk is a non-transient data part that should persist to the response message.
+ * @internal
+ */
+function isNonTransientDataPart(part: unknown): boolean {
+  if (typeof part !== "object" || part === null) return false;
+  const p = part as Record<string, unknown>;
+  return typeof p.type === "string" && p.type.startsWith("data-") && p.transient !== true;
+}
+
+/**
+ * Queue a chunk for accumulation into the response message (if it's a non-transient data part).
+ * Called by `chat.response.write()` and `ChatWriter.write()`.
+ * @internal
+ */
+function queueResponsePart(part: unknown): void {
+  if (!isNonTransientDataPart(part)) return;
+  const parts = locals.get(chatResponsePartsKey) ?? [];
+  parts.push(part);
+  locals.set(chatResponsePartsKey, parts);
+}
+
+/**
+ * Event passed to the `prepareMessages` hook.
+ */
+export type PrepareMessagesEvent<TClientData = unknown> = {
+  /** The messages to transform. Return the transformed array. */
+  messages: ModelMessage[];
+  /** Why messages are being prepared. */
+  reason:
+  | "run" // Messages being passed to run() for streamText
+  | "compaction-rebuild" // Rebuilding from a previous compaction summary
+  | "compaction-result"; // Fresh compaction just produced these messages
+  /** The chat session ID. */
+  chatId: string;
+  /** The current turn number (0-indexed). */
+  turn: number;
+  /** Custom data from the frontend. */
+  clientData?: TClientData;
+};
+
+/**
+ * Event passed to the per-turn `tools` function form on `chat.agent`.
+ *
+ * Use this when the active tool set depends on per-turn context (the user, a
+ * feature flag, etc.). Return the `ToolSet` to use for converting this turn's
+ * history. Only `inputSchema` and `toModelOutput` are read during conversion,
+ * so a lightweight map (no `execute`) is fine.
+ */
+export type ResolveToolsEvent<TClientData = unknown> = {
+  /** The chat session ID. */
+  chatId: string;
+  /** The current turn number (0-indexed). */
+  turn: number;
+  /** Whether this run is continuing an existing chat. */
+  continuation: boolean;
+  /** Custom data from the frontend. */
+  clientData?: TClientData;
+};
+
+/**
+ * Data shape for `data-compaction` stream chunks emitted during compaction.
+ * Use to type the `data` field when rendering compaction parts in the frontend.
+ */
+export type CompactionChunkData = {
+  status: "compacting" | "complete";
+  totalTokens: number | undefined;
+};
+
+/**
+ * Event passed to the `onCompacted` callback.
+ */
+export type CompactedEvent = {
+  /** Task run context — same as `task` lifecycle hooks and `chat.agent` `run({ ctx })`. */
+  ctx: TaskRunContext;
+  /** The generated summary text. */
+  summary: string;
+  /** The messages that were compacted (pre-compaction). */
+  messages: ModelMessage[];
+  /** Number of messages before compaction. */
+  messageCount: number;
+  /** Token usage from the step that triggered compaction. */
+  usage: LanguageModelUsage;
+  /** Total token count that triggered compaction. */
+  totalTokens: number | undefined;
+  /** Input token count from the triggering step. */
+  inputTokens: number | undefined;
+  /** Output token count from the triggering step. */
+  outputTokens: number | undefined;
+  /** The step number where compaction occurred (0-indexed). */
+  stepNumber: number;
+  /** The chat session ID (if running inside a chat.agent). */
+  chatId?: string;
+  /** The current turn number (if running inside a chat.agent). */
+  turn?: number;
+  /** Stream writer — write custom `UIMessageChunk` parts to the chat stream. Lazy: no overhead if unused. */
+  writer: ChatWriter;
+};
+
+/**
+ * Event passed to `shouldCompact` callbacks.
+ */
+export type ShouldCompactEvent = {
+  /** The current model messages (full conversation). */
+  messages: ModelMessage[];
+  /** Total token count from the triggering step/turn. */
+  totalTokens: number | undefined;
+  /** Input token count from the triggering step/turn. */
+  inputTokens: number | undefined;
+  /** Output token count from the triggering step/turn. */
+  outputTokens: number | undefined;
+  /** Full usage object from the triggering step/turn. */
+  usage?: LanguageModelUsage;
+  /** Cumulative token usage across all completed turns. Present in chat.agent contexts. */
+  totalUsage?: LanguageModelUsage;
+  /** The chat session ID (if running inside a chat.agent). */
+  chatId?: string;
+  /** The current turn number (0-indexed, if inside a chat.agent). */
+  turn?: number;
+  /** Custom data from the frontend (if inside a chat.agent). */
+  clientData?: unknown;
+  /**
+   * Where this check is running:
+   * - `"inner"` — between tool-call steps (prepareStep)
+   * - `"outer"` — between turns (after response, before onBeforeTurnComplete)
+   */
+  source?: "inner" | "outer";
+  /** The step number (0-indexed). Only present when `source` is `"inner"`. */
+  stepNumber?: number;
+  /** The steps array from prepareStep. Only present when `source` is `"inner"`. */
+  steps?: CompactionStep[];
+};
+
+/**
+ * Options for `chat.compaction()` — the high-level prepareStep factory.
+ */
+export type CompactionOptions = {
+  /** Generate a summary from the current messages. Return the summary text. */
+  summarize: (messages: ModelMessage[]) => Promise<string>;
+  /** Token threshold — compact when totalTokens exceeds this. Ignored if `shouldCompact` is provided. */
+  threshold?: number;
+  /** Custom compaction trigger. When provided, used instead of `threshold`. */
+  shouldCompact?: (event: ShouldCompactEvent) => boolean | Promise<boolean>;
+};
+
+/** A step object as received in prepareStep's `steps` array. */
+export type CompactionStep = {
+  usage: LanguageModelUsage;
+  finishReason: string;
+  content: Array<{ type: string; toolCallId?: string }>;
+  response: { messages: Array<any> };
+};
+
+/**
+ * Result of `chat.compact()`. Discriminated union so you can inspect
+ * what happened, but also directly compatible with prepareStep's return type.
+ *
+ * - `"skipped"` — no compaction needed (first step, boundary unsafe, or under threshold). Return `undefined` to prepareStep.
+ * - `"rebuilt"` — previous compaction exists, messages rebuilt from summary + new response messages.
+ * - `"compacted"` — compaction just happened, includes the generated summary.
+ */
+export type CompactResult =
+  | { type: "skipped" }
+  | { type: "rebuilt"; messages: ModelMessage[] }
+  | { type: "compacted"; messages: ModelMessage[]; summary: string };
+
+/**
+ * Options for `chat.compact()` — the low-level compaction function.
+ */
+export type CompactOptions = {
+  /** Generate a summary from the current messages. Return the summary text. */
+  summarize: (messages: ModelMessage[]) => Promise<string>;
+  /** Token threshold — compact when totalTokens exceeds this. Ignored if `shouldCompact` is provided. */
+  threshold?: number;
+  /** Custom compaction trigger. When provided, used instead of `threshold`. */
+  shouldCompact?: (event: ShouldCompactEvent) => boolean | Promise<boolean>;
+};
+
+/**
+ * Check that no tool calls are in-flight in a step's content.
+ * Used before compaction to avoid losing tool state mid-execution.
+ * @internal
+ */
+function isStepBoundarySafe(step: {
+  finishReason: string;
+  content: Array<{ type: string; toolCallId?: string }>;
+}): boolean {
+  if (step.finishReason === "error") return false;
+  const callIds = new Set(
+    step.content.filter((p) => p.type === "tool-call").map((p) => p.toolCallId)
+  );
+  const settledIds = new Set(
+    step.content
+      .filter((p) => p.type === "tool-result" || p.type === "tool-error")
+      .map((p) => p.toolCallId)
+  );
+  return ![...callIds].some((id) => !settledIds.has(id));
+}
+
+/**
+ * Apply the prepareMessages hook if one is set in locals.
+ * @internal
+ */
+async function applyPrepareMessages(
+  messages: ModelMessage[],
+  reason: PrepareMessagesEvent["reason"]
+): Promise<ModelMessage[]> {
+  const hook = locals.get(chatPrepareMessagesKey);
+  if (!hook) return messages;
+
+  const turnCtx = locals.get(chatTurnContextKey);
+
+  return tracer.startActiveSpan(
+    "prepareMessages()",
+    async () => {
+      return hook({
+        messages,
+        reason,
+        chatId: turnCtx?.chatId ?? "",
+        turn: turnCtx?.turn ?? 0,
+        clientData: turnCtx?.clientData,
+      });
+    },
+    {
+      attributes: {
+        [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onStart",
+        [SemanticInternalAttributes.COLLAPSED]: true,
+        "chat.prepareMessages.reason": reason,
+        "chat.prepareMessages.messageCount": messages.length,
+      },
+    }
+  );
+}
+
+/**
+ * Resolve the `tools` option into a concrete `ToolSet` and cache it in locals so
+ * `toModelMessages` can pass it to `convertToModelMessages`. For the function
+ * form, invokes the user function with the given context (or the current turn
+ * context when no override is passed). Pass an `override` for the boot-time
+ * history conversion, which runs before the per-turn context exists and uses
+ * the run/continuation payload's `clientData`.
+ *
+ * Fails closed: a throwing resolver propagates rather than carrying a prior
+ * turn's set forward. The function form can gate capabilities by user or flag,
+ * so reusing stale tools would leak capabilities. No-op when no `tools` were
+ * declared.
+ * @internal
+ */
+async function resolveTurnTools(
+  override?: { chatId: string; turn: number; continuation: boolean; clientData: unknown }
+): Promise<void> {
+  const option = locals.get(chatToolsOptionKey);
+  if (!option) return;
+
+  if (typeof option !== "function") {
+    locals.set(chatResolvedToolsKey, option);
+    return;
+  }
+
+  const ctx = override ?? locals.get(chatTurnContextKey);
+  const resolved = await option({
+    chatId: ctx?.chatId ?? "",
+    turn: ctx?.turn ?? 0,
+    continuation: ctx?.continuation ?? false,
+    clientData: ctx?.clientData,
+  });
+  locals.set(chatResolvedToolsKey, resolved);
+}
+
+/**
+ * Read the current compaction state. Returns the summary and base message count
+ * if compaction has occurred in this turn, or `undefined` if not.
+ *
+ * Use in a custom `prepareStep` to rebuild from a previous compaction:
+ * ```ts
+ * const state = chat.getCompactionState();
+ * if (state) {
+ *   return { messages: [{ role: "user", content: state.summary }, ...newMsgs] };
+ * }
+ * ```
+ */
+function getCompactionState(): CompactionState | undefined {
+  return locals.get(chatCompactionStateKey);
+}
+
+/**
+ * Low-level compaction for use inside a custom `prepareStep`.
+ *
+ * Handles the full decision tree: first step, already-compacted rebuild,
+ * boundary safety, threshold check, summarization, stream chunks, state
+ * storage, and accumulator update.
+ *
+ * Returns a `CompactResult` — inspect `result.type` to see what happened,
+ * or convert to a prepareStep return with `result.type === "skipped" ? undefined : result`.
+ *
+ * @example
+ * ```ts
+ * prepareStep: async ({ messages, steps }) => {
+ *   // your custom logic here...
+ *   const result = await chat.compact(messages, steps, {
+ *     threshold: 80_000,
+ *     summarize: async (msgs) => generateText({ model, messages: msgs }).then(r => r.text),
+ *   });
+ *   if (result.type === "compacted") {
+ *     logger.info("Compacted!", { summary: result.summary });
+ *   }
+ *   return result.type === "skipped" ? undefined : result;
+ * },
+ * ```
+ */
+async function chatCompact(
+  messages: ModelMessage[],
+  steps: CompactionStep[],
+  options: CompactOptions
+): Promise<CompactResult> {
+  const currentStep = steps.at(-1);
+
+  // First step — nothing to check
+  if (!currentStep) {
+    return { type: "skipped" };
+  }
+
+  // Already compacted — rebuild from summary + new response messages
+  const state = locals.get(chatCompactionStateKey);
+  if (state && isStepBoundarySafe(currentStep)) {
+    return {
+      type: "rebuilt",
+      messages: await applyPrepareMessages(
+        [
+          { role: "user" as const, content: state.summary },
+          ...currentStep.response.messages.slice(state.baseResponseMessageCount),
+        ],
+        "compaction-rebuild"
+      ),
+    };
+  }
+
+  // Boundary unsafe — skip
+  if (!isStepBoundarySafe(currentStep)) {
+    return { type: "skipped" };
+  }
+
+  const totalTokens = currentStep.usage.totalTokens;
+  const inputTokens = currentStep.usage.inputTokens;
+  const outputTokens = currentStep.usage.outputTokens;
+
+  const turnCtx = locals.get(chatTurnContextKey);
+  const stepNumber = steps.length - 1;
+
+  const shouldTrigger = options.shouldCompact
+    ? await options.shouldCompact({
+      messages,
+      totalTokens,
+      inputTokens,
+      outputTokens,
+      usage: currentStep.usage,
+      source: "inner",
+      stepNumber,
+      steps,
+      chatId: turnCtx?.chatId,
+      turn: turnCtx?.turn,
+      clientData: turnCtx?.clientData,
+    })
+    : totalTokens != null && options.threshold != null && totalTokens > options.threshold;
+
+  if (!shouldTrigger) {
+    return { type: "skipped" };
+  }
+
+  const result = await tracer.startActiveSpan(
+    "context compaction",
+    async (span) => {
+      const compactionId = generateMessageId();
+      let summary!: string;
+
+      const { waitUntilComplete } = chatStream.writer({
+        spanName: "stream compaction chunks",
+        collapsed: true,
+        execute: async ({ write, merge }) => {
+          // Control chunks aren't part of UIMessageChunk's discriminated
+          // union but flow on the same session.out so subscribers can
+          // intercept them — cast on the way out.
+          write({ type: "step-start" } as unknown as UIMessageChunk);
+          write({
+            type: "data-compaction",
+            id: compactionId,
+            data: { status: "compacting", totalTokens },
+            transient: true,
+          });
+
+          // Generate summary
+          summary = await options.summarize(messages);
+
+          // Store state in locals for subsequent steps
+          locals.set(chatCompactionStateKey, {
+            summary,
+            baseResponseMessageCount: currentStep.response.messages.length,
+          });
+
+          // Set model-only override — UI messages stay intact for persistence.
+          // The summary becomes the model message history for the next turn,
+          // while accumulatedUIMessages keeps the full conversation for display.
+          locals.set(chatOverrideModelMessagesKey, [
+            {
+              role: "assistant" as const,
+              content: [{ type: "text" as const, text: `[Conversation summary]\n\n${summary}` }],
+            },
+          ]);
+
+          // Fire onCompacted hook — pass the existing writer so the callback
+          // can write custom chunks without creating a separate stream.
+          const onCompactedHook = locals.get(chatOnCompactedKey);
+          if (onCompactedHook) {
+            await onCompactedHook({
+              ctx: locals.get(chatAgentRunContextKey)!,
+              summary,
+              messages,
+              messageCount: messages.length,
+              usage: currentStep.usage,
+              totalTokens,
+              inputTokens,
+              outputTokens,
+              stepNumber,
+              chatId: turnCtx?.chatId,
+              turn: turnCtx?.turn,
+              writer: { write, merge },
+            });
+          }
+
+          write({
+            type: "data-compaction",
+            id: compactionId,
+            data: { status: "complete", totalTokens },
+            transient: true,
+          });
+          write({ type: "finish-step" });
+        },
+      });
+      await waitUntilComplete();
+
+      // Set attributes after we have the summary
+      span.setAttribute("compaction.summary_length", summary.length);
+
+      return {
+        type: "compacted" as const,
+        messages: await applyPrepareMessages(
+          [{ role: "user" as const, content: summary }],
+          "compaction-result"
+        ),
+        summary,
+      };
+    },
+    {
+      attributes: {
+        [SemanticInternalAttributes.STYLE_ICON]: "tabler-scissors",
+        "compaction.threshold": options.threshold,
+        "compaction.total_tokens": totalTokens ?? 0,
+        "compaction.input_tokens": inputTokens ?? 0,
+        "compaction.message_count": messages.length,
+        "compaction.step_number": stepNumber,
+        ...(turnCtx?.chatId ? { "compaction.chat_id": turnCtx.chatId } : {}),
+        ...(turnCtx?.turn != null ? { "compaction.turn": turnCtx.turn } : {}),
+        ...accessoryAttributes({
+          items: [
+            { text: `${totalTokens ?? 0} tokens`, variant: "normal" },
+            { text: `${messages.length} msgs`, variant: "normal" },
+          ],
+          style: "codepath",
+        }),
+      },
+    }
+  );
+
+  return result;
+}
+
+/**
+ * Returns a `prepareStep` function that handles context compaction automatically.
+ *
+ * Monitors token usage between tool-call steps. When `totalTokens` exceeds
+ * the threshold, generates a summary via `summarize()`, replaces the message
+ * history, and emits `data-compaction` stream chunks for the frontend.
+ *
+ * @example
+ * ```ts
+ * return streamText({
+ *   ...chat.toStreamTextOptions({ registry }),
+ *   messages: chat.addCacheBreaks(messages),
+ *   prepareStep: chat.compactionStep({
+ *     threshold: 80_000,
+ *     summarize: async (messages) => {
+ *       return generateText({ model, messages: [...messages, { role: "user", content: "Summarize." }] })
+ *         .then((r) => r.text);
+ *     },
+ *   }),
+ *   tools: { ... },
+ * });
+ * ```
+ */
+function chatCompactionStep(
+  options: CompactionOptions
+): (args: {
+  messages: ModelMessage[];
+  steps: CompactionStep[];
+}) => Promise<{ messages: ModelMessage[] } | undefined> {
+  return async ({ messages, steps }) => {
+    const result = await chatCompact(messages, steps, options);
+    return result.type === "skipped" ? undefined : result;
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Steering queue drain — shared by toStreamTextOptions, session, accumulator
+// ---------------------------------------------------------------------------
+
+/**
+ * Drain the steering queue as a batch. Calls `shouldInject` once with all
+ * pending messages. If it returns true, calls `prepareMessages` once to
+ * transform the batch, then clears the queue.
+ * Returns the model messages to inject (empty if none).
+ * @internal
+ */
+async function drainSteeringQueue(
+  config: PendingMessagesOptions,
+  messages: ModelMessage[],
+  steps: CompactionStep[],
+  queueOverride?: SteeringQueueEntry[]
+): Promise<ModelMessage[]> {
+  const queue = queueOverride ?? locals.get(chatSteeringQueueKey);
+  if (!queue || queue.length === 0) return [];
+
+  const ctx = locals.get(chatTurnContextKey);
+  const stepNumber = steps.length - 1;
+  const uiMessages = queue.map((e) => e.uiMessage);
+
+  const batchEvent: PendingMessagesBatchEvent = {
+    messages: uiMessages,
+    modelMessages: messages,
+    steps,
+    stepNumber,
+    chatId: ctx?.chatId ?? "",
+    turn: ctx?.turn ?? 0,
+    clientData: ctx?.clientData,
+  };
+
+  // Call shouldInject once for the whole batch
+  const shouldInject = config.shouldInject ? await config.shouldInject(batchEvent) : false;
+
+  if (!shouldInject) return [];
+
+  // Extract message texts for span attributes
+  const messageTexts = uiMessages.map(
+    (m) =>
+      (m.parts ?? [])
+        .filter((p: any) => p.type === "text")
+        .map((p: any) => p.text)
+        .join("") || ""
+  );
+  const previewText =
+    messageTexts.length === 1 ? messageTexts[0]!.slice(0, 80) : `${queue.length} messages`;
+
+  return tracer.startActiveSpan(
+    "pending message injected",
+    async () => {
+      // Transform the batch — default: concatenate all pre-converted model messages
+      const injected = config.prepare
+        ? await config.prepare(batchEvent)
+        : queue.flatMap((e) => e.modelMessages);
+
+      // Clear the queue and record injected IDs
+      queue.length = 0;
+      const injectedIds = locals.get(chatInjectedMessageIdsKey);
+      if (injectedIds) {
+        for (const m of uiMessages) injectedIds.add(m.id);
+      }
+
+      // Write injection confirmation chunk to the stream so the frontend
+      // knows which messages were injected and where in the response.
+      if (injected.length > 0) {
+        try {
+          const { waitUntilComplete } = chatStream.writer({
+            collapsed: true,
+            execute: ({ write }) => {
+              write({
+                type: PENDING_MESSAGE_INJECTED_TYPE,
+                id: generateMessageId(),
+                data: {
+                  messageIds: uiMessages.map((m) => m.id),
+                  messages: uiMessages.map((m, idx) => ({
+                    id: m.id,
+                    text: messageTexts[idx] ?? "",
+                  })),
+                },
+              });
+            },
+          });
+          await waitUntilComplete();
+        } catch {
+          /* non-fatal — stream write failed */
+        }
+      }
+
+      // Fire onInjected callback
+      if (config.onInjected && injected.length > 0) {
+        try {
+          await config.onInjected({
+            messages: uiMessages,
+            injectedModelMessages: injected,
+            chatId: ctx?.chatId ?? "",
+            turn: ctx?.turn ?? 0,
+            stepNumber,
+          });
+        } catch {
+          /* non-fatal */
+        }
+      }
+
+      return injected;
+    },
+    {
+      attributes: {
+        [SemanticInternalAttributes.STYLE_ICON]: "tabler-message-forward",
+        "pending.message_count": uiMessages.length,
+        "pending.step_number": stepNumber,
+        "pending.messages": messageTexts,
+        ...(ctx?.chatId ? { "pending.chat_id": ctx.chatId } : {}),
+        ...(ctx?.turn != null ? { "pending.turn": ctx.turn } : {}),
+        ...accessoryAttributes({
+          items: [
+            {
+              text: `${uiMessages.length} message${uiMessages.length === 1 ? "" : "s"}`,
+              variant: "normal",
+            },
+            { text: `between steps ${stepNumber} and ${stepNumber + 1}`, variant: "normal" },
+          ],
+          style: "codepath",
+        }),
+      },
+    }
+  );
+}
+
+// ---------------------------------------------------------------------------
+// chat.isCompactionSafe — check if it's safe to compact messages
+// ---------------------------------------------------------------------------
+
+/**
+ * Checks whether it's safe to compact the message history. Returns `false`
+ * if any tool calls are in-flight (incomplete tool invocations without results).
+ *
+ * Call before `chat.setMessages()` to avoid corrupting tool-call state.
+ */
+function isCompactionSafe(messages: UIMessage[]): boolean {
+  for (const msg of messages) {
+    if (msg.role !== "assistant") continue;
+    for (const part of msg.parts as any[]) {
+      if (part.type === "tool-invocation") {
+        const state = part.toolInvocation?.state ?? part.state;
+        if (state !== "result" && state !== "error") {
+          return false;
+        }
+      }
+    }
+  }
+  return true;
+}
+
+// ---------------------------------------------------------------------------
+// chat.prompt — store and retrieve a resolved prompt for the current run
+// ---------------------------------------------------------------------------
+
+/**
+ * A resolved prompt stored via `chat.prompt.set()`. Either a full `ResolvedPrompt`
+ * from `prompts.define().resolve()`, or a lightweight wrapper around a plain string.
+ */
+export type ChatPromptValue =
+  | ResolvedPrompt
+  | {
+    text: string;
+    model: undefined;
+    config: undefined;
+    promptId: string;
+    version: number;
+    labels: string[];
+    toAISDKTelemetry: (additionalMetadata?: Record<string, string>) => {
+      experimental_telemetry: { isEnabled: true; metadata: Record<string, string> };
+    };
+  };
+
+/** @internal */
+const chatPromptKey = locals.create<ChatPromptValue>("chat.prompt");
+
+/**
+ * Store a resolved prompt (or plain string) for the current run.
+ * Call from any hook (`onPreload`, `onChatStart`, `onTurnStart`) or `run()`.
+ */
+function setChatPrompt(resolved: ResolvedPrompt | string): void {
+  if (typeof resolved === "string") {
+    locals.set(chatPromptKey, {
+      text: resolved,
+      model: undefined,
+      config: undefined,
+      promptId: "",
+      version: 0,
+      labels: [],
+      toAISDKTelemetry: () => ({
+        experimental_telemetry: { isEnabled: true, metadata: {} },
+      }),
+    });
+  } else {
+    locals.set(chatPromptKey, resolved);
+  }
+}
+
+/**
+ * Read the stored prompt. Throws if `chat.prompt.set()` has not been called.
+ */
+function getChatPrompt(): ChatPromptValue {
+  const prompt = locals.get(chatPromptKey);
+  if (!prompt) {
+    throw new Error(
+      "chat.prompt() called before chat.prompt.set(). Set a prompt in onPreload, onChatStart, onTurnStart, or run() first."
+    );
+  }
+  return prompt;
+}
+
+// ---------------------------------------------------------------------------
+// chat.skills — store resolved agent skills and inject them into streamText
+// ---------------------------------------------------------------------------
+
+/** @internal */
+const chatSkillsKey = locals.create<ResolvedSkill[]>("chat.skills");
+
+/**
+ * Store resolved skills for the current run. Call from any hook
+ * (`onPreload`, `onChatStart`, `onTurnStart`) or `run()`.
+ */
+function setChatSkills(skills: ResolvedSkill[]): void {
+  locals.set(chatSkillsKey, skills);
+}
+
+/** Read the stored skills. Returns `undefined` if none set. */
+function getChatSkills(): ResolvedSkill[] | undefined {
+  return locals.get(chatSkillsKey);
+}
+
+/**
+ * Build the system-prompt preamble advertising available skills. Only the
+ * frontmatter description surfaces here — full SKILL.md body is loaded
+ * on-demand via the `loadSkill` tool.
+ */
+function buildSkillsSystemPrompt(skills: ResolvedSkill[]): string {
+  if (skills.length === 0) return "";
+  const lines = skills.map(
+    (s) => `- ${s.frontmatter.name}: ${s.frontmatter.description}`
+  );
+  return [
+    "Available skills (call `loadSkill` to read the full instructions before using one):",
+    ...lines,
+  ].join("\n");
+}
+
+/** Resolve a skill by its frontmatter `name`. */
+function findSkillByName(skills: ResolvedSkill[], name: string): ResolvedSkill | undefined {
+  return skills.find((s) => s.frontmatter.name === name);
+}
+
+/**
+ * Build the three tools we auto-inject into `streamText` when skills are
+ * set: `loadSkill`, `readFile`, `bash`. Scoped per-skill by name.
+ *
+ * Exported so callers can use the same tools outside the auto-wired path
+ * (e.g. in a `chat.createSession` loop with custom streamText).
+ */
+export function buildSkillTools(skills: ResolvedSkill[]): Record<string, Tool> {
+  const loadSkill = aiTool({
+    description:
+      "Load the full instructions for a skill by its name. Call this first before using a skill.",
+    inputSchema: jsonSchema<{ name: string }>({
+      type: "object",
+      properties: {
+        name: {
+          type: "string",
+          description: "The `name` field from the skill's frontmatter.",
+        },
+      },
+      required: ["name"],
+      additionalProperties: false,
+    } as JSONSchema7),
+    execute: async ({ name }: { name: string }) => {
+      const skill = findSkillByName(skills, name);
+      if (!skill) {
+        return {
+          error: `Skill "${name}" not found. Available: ${skills
+            .map((s) => s.frontmatter.name)
+            .join(", ")}`,
+        };
+      }
+      return {
+        name: skill.frontmatter.name,
+        description: skill.frontmatter.description,
+        body: skill.body,
+        path: skill.path,
+      };
+    },
+  });
+
+  const readFile = aiTool({
+    description:
+      "Read a file from a skill's bundled folder. Paths must be relative to the skill's root.",
+    inputSchema: jsonSchema<{ skill: string; path: string }>({
+      type: "object",
+      properties: {
+        skill: { type: "string", description: "The skill's name (from frontmatter)." },
+        path: {
+          type: "string",
+          description: "Relative path inside the skill folder (e.g. `references/citation-style.md`).",
+        },
+      },
+      required: ["skill", "path"],
+      additionalProperties: false,
+    } as JSONSchema7),
+    execute: async ({ skill: skillName, path: relPath }: { skill: string; path: string }) => {
+      const skill = findSkillByName(skills, skillName);
+      if (!skill) {
+        return { error: `Skill "${skillName}" not found.` };
+      }
+      try {
+        return await readFileInSkill({
+          skillPath: skill.path,
+          relativePath: relPath,
+        });
+      } catch (err) {
+        return { error: (err as Error).message };
+      }
+    },
+  });
+
+  const bash = aiTool({
+    description:
+      "Run a bash command inside a skill's bundled folder. Use this to invoke the skill's scripts. The working directory is the skill's root.",
+    inputSchema: jsonSchema<{ skill: string; command: string }>({
+      type: "object",
+      properties: {
+        skill: { type: "string", description: "The skill's name (from frontmatter)." },
+        command: {
+          type: "string",
+          description: "Bash command to run. Relative script paths resolve against the skill's root.",
+        },
+      },
+      required: ["skill", "command"],
+      additionalProperties: false,
+    } as JSONSchema7),
+    execute: async (
+      { skill: skillName, command }: { skill: string; command: string },
+      { abortSignal }: { abortSignal?: AbortSignal } = {}
+    ) => {
+      const skill = findSkillByName(skills, skillName);
+      if (!skill) {
+        return { error: `Skill "${skillName}" not found.` };
+      }
+      try {
+        return await runBashInSkill({
+          skillPath: skill.path,
+          command,
+          abortSignal,
+        });
+      } catch (err) {
+        return { error: (err as Error).message };
+      }
+    },
+  });
+
+  return { loadSkill, readFile, bash };
+}
+
+/**
+ * Options for {@link toStreamTextOptions}.
+ */
+export type ToStreamTextOptionsOptions = {
+  /** Additional telemetry metadata merged into `experimental_telemetry.metadata`. */
+  telemetry?: Record<string, string>;
+  /**
+   * An AI SDK provider registry (from `createProviderRegistry`) or any object
+   * with a `languageModel(id)` method. When provided and the stored prompt has
+   * a `model` string, the resolved `LanguageModel` is included in the returned
+   * options so `streamText` uses it directly.
+   *
+   * The model string should use the `"provider:model-id"` format
+   * (e.g. `"openai:gpt-4o"`, `"anthropic:claude-sonnet-4-6"`).
+   */
+  registry?: { languageModel(modelId: string): unknown };
+  /**
+   * User-defined tools to merge alongside the auto-injected skill tools
+   * (`loadSkill`, `readFile`, `bash`). User tools win on name conflicts.
+   *
+   * If you don't pass `tools` here and skills are set, the returned options
+   * will include just the skill tools — spread after any `tools` you pass
+   * directly to `streamText` and they'll be replaced. Easiest: pass all
+   * your tools here.
+   */
+  tools?: Record<string, Tool>;
+};
+
+/**
+ * Returns an options object ready to spread into `streamText()`.
+ *
+ * Includes `system`, `experimental_telemetry`, and any config fields
+ * (temperature, maxTokens, etc.) from the stored prompt.
+ *
+ * When a `registry` is provided and the prompt has a `model` string,
+ * the resolved `LanguageModel` is included as `model`.
+ *
+ * If no prompt has been set, returns `{}` (no-op spread).
+ */
+function toStreamTextOptions(options?: ToStreamTextOptionsOptions): Record<string, unknown> {
+  const prompt = locals.get(chatPromptKey);
+  const skills = locals.get(chatSkillsKey);
+  const result: Record<string, unknown> = {};
+
+  // Build the combined system prompt: stored prompt + skills preamble.
+  const promptText = prompt?.text ?? "";
+  const skillsText = skills && skills.length > 0 ? buildSkillsSystemPrompt(skills) : "";
+  if (promptText || skillsText) {
+    result.system = [promptText, skillsText].filter(Boolean).join("\n\n");
+  }
+
+  // Prompt-related options (only if chat.prompt.set() was called)
+  if (prompt) {
+    // Resolve model via registry if both are present
+    if (options?.registry && prompt.model) {
+      result.model = options.registry.languageModel(prompt.model);
+    }
+
+    // Spread config (temperature, maxTokens, etc.)
+    if (prompt.config) {
+      Object.assign(result, prompt.config);
+    }
+
+    // Add telemetry (forward additional metadata from caller)
+    const telemetry = prompt.toAISDKTelemetry(options?.telemetry);
+    Object.assign(result, telemetry);
+  }
+
+  // Skills: merge auto-injected tools with any user-provided tools.
+  // User tools override on name conflict (though we namespace ours).
+  if (skills && skills.length > 0) {
+    const skillTools = buildSkillTools(skills);
+    result.tools = { ...skillTools, ...(options?.tools ?? {}) };
+  } else if (options?.tools) {
+    result.tools = options.tools;
+  }
+
+  // Auto-inject prepareStep for compaction, pending messages, and background context injection.
+  // This runs regardless of whether a prompt is set — these features are independent.
+  const taskCompaction = locals.get(chatAgentCompactionKey);
+  const taskPendingMessages = locals.get(chatPendingMessagesKey);
+
+  {
+    result.prepareStep = async ({
+      messages,
+      steps,
+    }: {
+      messages: ModelMessage[];
+      steps: CompactionStep[];
+    }) => {
+      let resultMessages: ModelMessage[] | undefined;
+
+      // 1. Compaction
+      if (taskCompaction) {
+        const compactResult = await chatCompact(messages, steps, {
+          shouldCompact: taskCompaction.shouldCompact,
+          summarize: (msgs) => {
+            const ctx = locals.get(chatTurnContextKey);
+            const lastStep = steps.at(-1);
+            return taskCompaction.summarize({
+              messages: msgs,
+              usage: lastStep?.usage,
+              source: "inner",
+              stepNumber: steps.length - 1,
+              chatId: ctx?.chatId,
+              turn: ctx?.turn,
+              clientData: ctx?.clientData,
+            });
+          },
+        });
+        if (compactResult.type !== "skipped") {
+          resultMessages = compactResult.messages;
+        }
+      }
+
+      // 2. Pending message injection (steering)
+      if (taskPendingMessages) {
+        const injected = await drainSteeringQueue(
+          taskPendingMessages,
+          resultMessages ?? messages,
+          steps
+        );
+        if (injected.length > 0) {
+          resultMessages = [...(resultMessages ?? messages), ...injected];
+        }
+      }
+
+      // 3. Background context injection
+      const bgQueue = locals.get(chatBackgroundQueueKey);
+      if (bgQueue && bgQueue.length > 0) {
+        const injected = bgQueue.splice(0); // drain
+        resultMessages = [...(resultMessages ?? messages), ...injected];
+      }
+
+      return resultMessages ? { messages: resultMessages } : undefined;
+    };
+  }
+
+  return result;
+}
+
+/**
+ * Options for `pipeChat`.
+ */
+export type PipeChatOptions = {
+  /**
+   * Override the stream key. Must match the `streamKey` on `TriggerChatTransport`.
+   * @default "chat"
+   */
+  streamKey?: string;
+
+  /** An AbortSignal to cancel the stream. */
+  signal?: AbortSignal;
+
+  /**
+   * The target run ID to pipe to.
+   * @default "self" (current run)
+   */
+  target?: string;
+
+  /** Override the default span name for this operation. */
+  spanName?: string;
+};
+
+/**
+ * Options for customizing the `toUIMessageStream()` call used when piping
+ * `streamText` results to the frontend.
+ *
+ * Set static defaults via `uiMessageStreamOptions` on `chat.agent()`, or
+ * override per-turn via `chat.setUIMessageStreamOptions()`.
+ *
+ * `onFinish` is omitted because it is managed internally for response capture.
+ * Use `streamText`'s `onFinish` for custom finish handling, or drop down to
+ * raw task mode with `chat.pipe()` for full control.
+ *
+ * `originalMessages` is omitted because it is automatically set from the
+ * accumulated conversation history, ensuring message IDs are reused across
+ * turns (e.g. for tool approval continuations).
+ *
+ * `generateMessageId` can be set to control ID generation for response
+ * messages (e.g. UUID-v7). If not set, the AI SDK's default `generateId` is used.
+ */
+export type ChatUIMessageStreamOptions<TUIM extends UIMessage = UIMessage> = Omit<
+  UIMessageStreamOptions<TUIM>,
+  "onFinish" | "originalMessages"
+>;
+
+/**
+ * An object with a `toUIMessageStream()` method (e.g. `StreamTextResult` from `streamText()`).
+ */
+type UIMessageStreamable = {
+  toUIMessageStream: (...args: any[]) => AsyncIterable<unknown> | ReadableStream<unknown>;
+};
+
+function isUIMessageStreamable(value: unknown): value is UIMessageStreamable {
+  return (
+    typeof value === "object" &&
+    value !== null &&
+    "toUIMessageStream" in value &&
+    typeof (value as any).toUIMessageStream === "function"
+  );
+}
+
+let warnedMissingOnAction = false;
+function warnMissingOnActionOnce() {
+  if (warnedMissingOnAction) return;
+  warnedMissingOnAction = true;
+  console.warn(
+    "[chat.agent] Received an action but no `onAction` handler is configured. " +
+      "The action is being ignored. Define `onAction` (and optionally `actionSchema`) on " +
+      "your agent to handle it."
+  );
+}
+
+function isAsyncIterable(value: unknown): value is AsyncIterable<unknown> {
+  return typeof value === "object" && value !== null && Symbol.asyncIterator in value;
+}
+
+function isReadableStream(value: unknown): value is ReadableStream<unknown> {
+  return (
+    typeof value === "object" && value !== null && typeof (value as any).getReader === "function"
+  );
+}
+
+/**
+ * Pipes a chat stream to the realtime stream, making it available to the
+ * `TriggerChatTransport` on the frontend.
+ *
+ * Accepts:
+ * - A `StreamTextResult` from `streamText()` (has `.toUIMessageStream()`)
+ * - An `AsyncIterable` of `UIMessageChunk`s
+ * - A `ReadableStream` of `UIMessageChunk`s
+ *
+ * Must be called from inside a Trigger.dev task's `run` function.
+ *
+ * @example
+ * ```ts
+ * import { task } from "@trigger.dev/sdk";
+ * import { chat, type ChatTaskPayload } from "@trigger.dev/sdk/ai";
+ * import { streamText, convertToModelMessages } from "ai";
+ *
+ * export const myChatTask = task({
+ *   id: "my-chat-task",
+ *   run: async (payload: ChatTaskPayload) => {
+ *     const result = streamText({
+ *       model: openai("gpt-4o"),
+ *       messages: payload.messages,
+ *     });
+ *
+ *     await chat.pipe(result);
+ *   },
+ * });
+ * ```
+ *
+ * @example
+ * ```ts
+ * // Works from anywhere inside a task — even deep in your agent code
+ * async function runAgentLoop(messages: CoreMessage[]) {
+ *   const result = streamText({ model, messages });
+ *   await chat.pipe(result);
+ * }
+ * ```
+ */
+async function pipeChat(
+  source: UIMessageStreamable | AsyncIterable<unknown> | ReadableStream<unknown>,
+  options?: PipeChatOptions
+): Promise<void> {
+  locals.set(chatPipeCountKey, (locals.get(chatPipeCountKey) ?? 0) + 1);
+
+  let stream: AsyncIterable<unknown> | ReadableStream<unknown>;
+
+  if (isUIMessageStreamable(source)) {
+    stream = source.toUIMessageStream();
+  } else if (isAsyncIterable(source) || isReadableStream(source)) {
+    stream = source;
+  } else {
+    throw new Error(
+      "pipeChat: source must be a StreamTextResult (with .toUIMessageStream()), " +
+      "an AsyncIterable, or a ReadableStream"
+    );
+  }
+
+  const pipeOptions: SessionPipeStreamOptions = {};
+  if (options?.signal) {
+    pipeOptions.signal = options.signal;
+  }
+  if (options?.spanName) {
+    pipeOptions.spanName = options.spanName;
+  }
+  // `options.target` / `options.streamKey` are accepted for API parity
+  // with the pre-migration run-scoped pipe but no longer have meaning —
+  // sessions are the address (single stream per session, no sub-run
+  // targeting). Sub-agents that need to write into a parent's chat now
+  // open that session explicitly via `sessions.open(parentSessionId).out.pipe`.
+
+  // The generic is typed for `UIMessageChunk`, but `pipeChat` also
+  // accepts opaque UIMessageStreamable / raw iterables whose element
+  // type we don't know at compile time. Cast — runtime behaviour is
+  // identical (bytes go to session.out either way).
+  const { waitUntilComplete } = chatStream.pipe(
+    stream as ReadableStream<UIMessageChunk> | AsyncIterable<UIMessageChunk>,
+    pipeOptions
+  );
+  await waitUntilComplete();
+}
+
+/**
+ * Options for defining a chat task.
+ *
+ * Extends the standard `TaskOptions` but pre-types the payload as `ChatTaskPayload`
+ * and overrides `run` to accept `ChatTaskRunPayload` (with abort signals).
+ *
+ * **Auto-piping:** If the `run` function returns a value with `.toUIMessageStream()`
+ * (like a `StreamTextResult`), the stream is automatically piped to the frontend.
+ *
+ * **Single-run mode:** By default, the task uses input streams so that the
+ * entire conversation lives inside one run. After each AI response, the task
+ * emits a control chunk and suspends via `messagesInput.wait()`. The frontend
+ * transport resumes the same run by sending the next message via input streams.
+ */
+/**
+ * Event passed to the `onPreload` callback.
+ */
+export type PreloadEvent<TClientData = unknown> = {
+  /** Task run context — same as `task({ run })` second-argument `ctx`. */
+  ctx: TaskRunContext;
+  /** The unique identifier for the chat session. */
+  chatId: string;
+  /** The Trigger.dev run ID for this conversation. */
+  runId: string;
+  /** A scoped access token for this chat run. */
+  chatAccessToken: string;
+  /** Custom data from the frontend. */
+  clientData?: TClientData;
+  /** Stream writer — write custom `UIMessageChunk` parts to the chat stream. Lazy: no overhead if unused. */
+  writer: ChatWriter;
+};
+
+/**
+ * Event passed to the `onBoot` callback.
+ *
+ * Fires once at the start of every run boot — for the initial first-message
+ * run, for preloaded runs, AND for reactive continuation runs (post-cancel,
+ * post-crash, post-`endRun`, `chat.requestUpgrade`, OOM-retry attempts).
+ * Does NOT fire when the SAME run resumes from snapshot via the
+ * idle-window suspend/resume path — use `onChatResume` for that.
+ *
+ * Use this for per-process setup that needs to run every time a fresh
+ * worker picks up the chat: initialize `chat.local` state, open
+ * per-process resources (DB connections, sandboxes, etc.), or
+ * re-hydrate customer state from your DB on continuation.
+ *
+ * Ordering:
+ *   - First message of a chat: `onBoot` → `onChatStart` → `onTurnStart` → `run()`
+ *   - Preloaded run:           `onBoot` → `onPreload` → (wait) → `onChatStart` → ...
+ *   - Continuation run:        `onBoot` → (wait for first message) → `onTurnStart` → `run()`
+ *                              (`onChatStart` does NOT fire on continuation runs)
+ */
+export type BootEvent<TClientData = unknown> = {
+  /** Task run context — same as `task({ run })` second-argument `ctx`. */
+  ctx: TaskRunContext;
+  /** The unique identifier for the chat session. */
+  chatId: string;
+  /** The Trigger.dev run ID for this run boot. */
+  runId: string;
+  /** A scoped access token for this chat run. Persist this for frontend reconnection. */
+  chatAccessToken: string;
+  /** Custom data from the frontend (passed via `metadata` on `sendMessage()` or the transport). */
+  clientData: TClientData;
+  /**
+   * True when this run is a reactive continuation — the prior run died
+   * (cancel / crash / `endRun` / `requestUpgrade` / OOM retry) and this
+   * fresh worker is taking over the chat. Branch on this to re-load
+   * customer-owned state from your DB.
+   */
+  continuation: boolean;
+  /** Public id of the prior run when `continuation` is true. */
+  previousRunId?: string;
+  /** Whether this run was triggered as a preload. */
+  preloaded: boolean;
+};
+
+/**
+ * A tool call extracted from the partial assistant message of a dead run.
+ * Surfaced on `RecoveryBootEvent.pendingToolCalls` so the customer can
+ * decide how to repair the chain (synthesize a result, drop the partial,
+ * etc.).
+ */
+export type RecoveryPendingToolCall = {
+  /** The AI SDK tool call id. */
+  toolCallId: string;
+  /** The tool name (the `tool-${name}` suffix). */
+  toolName: string;
+  /** The input the model produced for the tool call. */
+  input: unknown;
+  /** The part index inside `partialAssistant.parts` for in-place edits. */
+  partIndex: number;
+};
+
+/**
+ * Event passed to the `onRecoveryBoot` callback.
+ *
+ * Fires once at boot when a continuation run inherits in-flight state from
+ * a dead predecessor (cancel / crash / OOM / deploy eviction / graceful
+ * `chat.requestUpgrade`). The runtime reads both `session.in` and
+ * `session.out` past the last `turn-complete` cursor and surfaces the
+ * recovered pieces here so the customer can shape the conversational
+ * chain before the first turn fires.
+ *
+ * Does NOT fire when there's nothing to recover (clean continuation after
+ * `chat.endRun()` with no buffered user messages, fresh chat, OOM retry
+ * after a successful turn-complete with no in-flight tail).
+ *
+ * Does NOT fire when `hydrateMessages` is registered (the customer owns
+ * persistence; recovery decisions live in their own DB query).
+ */
+export type RecoveryBootEvent<TUIM extends UIMessage = UIMessage> = {
+  /** Task run context — same as `task({ run })` second-argument `ctx`. */
+  ctx: TaskRunContext;
+  /** The unique identifier for the chat session. */
+  chatId: string;
+  /** The Trigger.dev run ID for this run boot. */
+  runId: string;
+  /** Public id of the prior run that died. */
+  previousRunId: string;
+  /**
+   * Best-effort cause of the predecessor's death. Currently always
+   * `"unknown"` — the run engine doesn't yet plumb the real reason
+   * into the continuation payload. Future SDK versions will narrow
+   * this. Don't branch behavior on it yet.
+   */
+  cause: "cancelled" | "crashed" | "unknown";
+  /**
+   * The conversation chain that was successfully persisted by the
+   * predecessor's last `onTurnComplete`. Empty if the predecessor died
+   * before turn 1 ever completed.
+   */
+  settledMessages: TUIM[];
+  /**
+   * User messages that arrived on `session.in` past the cursor — i.e.
+   * the message(s) the predecessor was processing or had queued when
+   * it died. The runtime's default is to re-dispatch each as a fresh
+   * turn after the chain is restored. Return a different list via
+   * `recoveredTurns` to skip / reorder / collapse them.
+   */
+  inFlightUsers: TUIM[];
+  /**
+   * The trailing assistant message the predecessor was streaming when
+   * it died — the orphan whose `turn-complete` never fired. Undefined
+   * if the predecessor died before any assistant output reached
+   * `session.out` (cancel-before-first-token, snapshot-only path).
+   */
+  partialAssistant: TUIM | undefined;
+  /**
+   * Tool calls extracted from `partialAssistant.parts` that the model
+   * had started but the tool runtime never resolved. Empty when
+   * `partialAssistant` is undefined or carries no `input-available`
+   * tool parts.
+   */
+  pendingToolCalls: RecoveryPendingToolCall[];
+  /**
+   * Lazy session.out writer — identical to the `writer` passed to
+   * `onTurnStart` / `onTurnComplete` / `onChatStart`. Use this to emit
+   * a recovery signal (e.g. a `data-chat-recovery` UIMessage chunk)
+   * BEFORE the first recovered turn fires so the bridge can render a
+   * "recovering..." banner. Lazy: no overhead if unused.
+   */
+  writer: ChatWriter;
+};
+
+/**
+ * Return shape for the `onRecoveryBoot` callback. Every field is optional —
+ * omit one to accept the default.
+ */
+export type RecoveryBootResult<TUIM extends UIMessage = UIMessage> = {
+  /**
+   * The chain the new run boots with. Replaces the default
+   * (`settledMessages`). Use this to keep the partial assistant in
+   * context, mutate its tool parts to inject synthesized results,
+   * collapse history, etc.
+   *
+   * Ignored when `hydrateMessages` is registered (the hydrate hook
+   * runs per-turn and overwrites the chain).
+   */
+  chain?: TUIM[];
+  /**
+   * The user messages to re-dispatch as fresh turns after the chain is
+   * restored. Default: `inFlightUsers` (re-process every in-flight
+   * user). Return `[]` to suppress all of them; return a filtered /
+   * reordered subset to skip specific ones.
+   */
+  recoveredTurns?: TUIM[];
+  /**
+   * Awaitable run AFTER the writer flushes and BEFORE the first
+   * recovered turn fires. Use for blocking persistence (e.g. write the
+   * partial assistant to your DB so a follow-up turn can reference
+   * it). Errors bubble — wrap your own try/catch if you want to soft-
+   * fail.
+   */
+  beforeBoot?: () => Promise<void>;
+};
+
+/**
+ * Event passed to the `onChatStart` callback.
+ *
+ * Fires exactly once per chat, on the very first user message of the chat's
+ * lifetime. Does NOT fire on continuation runs (post-`endRun`,
+ * post-waitpoint-timeout, `chat.requestUpgrade`) or on OOM-retry attempts —
+ * those are runs of an already-started chat.
+ */
+export type ChatStartEvent<TClientData = unknown> = {
+  /** Task run context — same as `task({ run })` second-argument `ctx`. */
+  ctx: TaskRunContext;
+  /** The unique identifier for the chat session. */
+  chatId: string;
+  /**
+   * The initial model-ready messages for this conversation. Typically just
+   * the first user message (or empty if `chat.headStart` is in play and the
+   * seed message is supplied elsewhere). Since this hook only fires for the
+   * chat's very first message, there's no prior history to load here.
+   */
+  messages: ModelMessage[];
+  /** Custom data from the frontend (passed via `metadata` on `sendMessage()` or the transport). */
+  clientData: TClientData;
+  /** The Trigger.dev run ID for this conversation. */
+  runId: string;
+  /** A scoped access token for this chat run. Persist this for frontend reconnection. */
+  chatAccessToken: string;
+  /**
+   * @deprecated Always `false` — `onChatStart` no longer fires on continuation
+   * runs. Kept for backward compatibility; remove your `continuation` checks
+   * from `onChatStart` and rely on the contract (this hook fires exactly once
+   * per chat, on the very first message).
+   */
+  continuation: boolean;
+  /**
+   * @deprecated Always `undefined` — `onChatStart` no longer fires on
+   * continuation runs.
+   */
+  previousRunId?: string;
+  /** Whether this run was preloaded before the first message. */
+  preloaded: boolean;
+  /** Stream writer — write custom `UIMessageChunk` parts to the chat stream. Lazy: no overhead if unused. */
+  writer: ChatWriter;
+};
+
+/**
+ * Event passed to the `hydrateMessages` callback.
+ */
+export type HydrateMessagesEvent<TClientData = unknown, TUIM extends UIMessage = UIMessage> = {
+  /** The unique identifier for the chat session. */
+  chatId: string;
+  /** The turn number (0-indexed). */
+  turn: number;
+  /** The trigger type for this turn. */
+  trigger: "submit-message" | "regenerate-message" | "action";
+  /** Validated incoming UI messages from the wire payload (what the frontend sent). Empty for actions. */
+  incomingMessages: TUIM[];
+  /** The accumulated UI messages before this turn (empty on turn 0). */
+  previousMessages: TUIM[];
+  /** Parsed client data from the transport metadata. */
+  clientData?: TClientData;
+  /** Whether this run is continuing from a previous run. */
+  continuation: boolean;
+  /** The ID of the previous run (if continuation). */
+  previousRunId?: string;
+};
+
+/**
+ * Event passed to the `onValidateMessages` callback.
+ */
+export type ValidateMessagesEvent<TUIM extends UIMessage = UIMessage> = {
+  /**
+   * The incoming UI messages for this turn (after cleanup of aborted tool parts).
+   *
+   * For HITL continuations the assistant entry is slim — `state` + `output` /
+   * `errorText` / `approval` only, no `input` or other parts. Don't pass the
+   * full `messages` array to `validateUIMessages` from `ai`; filter to user
+   * messages (or your own subset) first.
+   */
+  messages: TUIM[];
+  /** The unique identifier for the chat session. */
+  chatId: string;
+  /** The turn number (0-indexed). */
+  turn: number;
+  /** The trigger type for this turn. */
+  trigger: "submit-message" | "regenerate-message" | "preload" | "close";
+};
+
+/**
+ * Event passed to the `onAction` callback.
+ */
+export type ActionEvent<
+  TAction = unknown,
+  TClientData = unknown,
+  TUIM extends UIMessage = UIMessage,
+> = {
+  /** The parsed and validated action payload. */
+  action: TAction;
+  /** The unique identifier for the chat session. */
+  chatId: string;
+  /** The turn number (0-indexed). */
+  turn: number;
+  /** Parsed client data from the transport metadata. */
+  clientData?: TClientData;
+  /** The accumulated UI messages (after hydration, if set). */
+  uiMessages: TUIM[];
+  /** The accumulated model messages (after hydration, if set). */
+  messages: ModelMessage[];
+};
+
+/**
+ * Event passed to the `onTurnStart` callback.
+ */
+export type TurnStartEvent<TClientData = unknown, TUIM extends UIMessage = UIMessage> = {
+  /** Task run context — same as `task({ run })` second-argument `ctx`. */
+  ctx: TaskRunContext;
+  /** The unique identifier for the chat session. */
+  chatId: string;
+  /** The accumulated model-ready messages (all turns so far, including new user message). */
+  messages: ModelMessage[];
+  /** The accumulated UI messages (all turns so far, including new user message). */
+  uiMessages: TUIM[];
+  /** The turn number (0-indexed). */
+  turn: number;
+  /** The Trigger.dev run ID for this conversation. */
+  runId: string;
+  /** A scoped access token for this chat run. */
+  chatAccessToken: string;
+  /** Custom data from the frontend. */
+  clientData?: TClientData;
+  /** Whether this run is continuing an existing chat (previous run timed out or was cancelled). False for brand new chats. */
+  continuation: boolean;
+  /** The run ID of the previous run (only set when `continuation` is true). */
+  previousRunId?: string;
+  /** Whether this run was preloaded before the first message. */
+  preloaded: boolean;
+  /** Token usage from the previous turn. Undefined on turn 0. */
+  previousTurnUsage?: LanguageModelUsage;
+  /** Cumulative token usage across all completed turns so far. */
+  totalUsage: LanguageModelUsage;
+  /** Stream writer — write custom `UIMessageChunk` parts to the chat stream. Lazy: no overhead if unused. */
+  writer: ChatWriter;
+};
+
+/**
+ * Event passed to the `onTurnComplete` callback.
+ */
+export type TurnCompleteEvent<TClientData = unknown, TUIM extends UIMessage = UIMessage> = {
+  /** Task run context — same as `task({ run })` second-argument `ctx`. */
+  ctx: TaskRunContext;
+  /** The unique identifier for the chat session. */
+  chatId: string;
+  /** The full accumulated conversation in model format (all turns so far). */
+  messages: ModelMessage[];
+  /**
+   * The full accumulated conversation in UI format (all turns so far).
+   * This is the format expected by `useChat` — store this for persistence.
+   */
+  uiMessages: TUIM[];
+  /**
+   * Only the new model messages from this turn (user message(s) + assistant response).
+   * Useful for appending to an existing conversation record.
+   */
+  newMessages: ModelMessage[];
+  /**
+   * Only the new UI messages from this turn (user message(s) + assistant response).
+   * Useful for inserting individual message records instead of overwriting the full history.
+   */
+  newUIMessages: TUIM[];
+  /** The assistant's response for this turn, with aborted parts cleaned up when `stopped` is true. Undefined if `pipeChat` was used manually. */
+  responseMessage: TUIM | undefined;
+  /**
+   * The raw assistant response before abort cleanup. Includes incomplete tool parts
+   * (`input-available`, `partial-call`) and streaming reasoning/text parts.
+   * Use this if you need custom cleanup logic. Same as `responseMessage` when not stopped.
+   */
+  rawResponseMessage: TUIM | undefined;
+  /** The turn number (0-indexed). */
+  turn: number;
+  /** The Trigger.dev run ID for this conversation. */
+  runId: string;
+  /** A fresh scoped access token for this chat run (renewed each turn). Persist this for frontend reconnection. */
+  chatAccessToken: string;
+  /** The last event ID from the stream writer. Use this with `resume: true` to avoid replaying events after refresh. */
+  lastEventId?: string;
+  /** Custom data from the frontend. */
+  clientData?: TClientData;
+  /** Whether the user stopped generation during this turn. */
+  stopped: boolean;
+  /** Whether this run is continuing an existing chat (previous run timed out or was cancelled). False for brand new chats. */
+  continuation: boolean;
+  /** The run ID of the previous run (only set when `continuation` is true). */
+  previousRunId?: string;
+  /** Whether this run was preloaded before the first message. */
+  preloaded: boolean;
+  /** Token usage for this turn. Undefined if usage couldn't be captured (e.g. manual pipeChat). */
+  usage?: LanguageModelUsage;
+  /** Cumulative token usage across all turns in this run (including this turn). */
+  totalUsage: LanguageModelUsage;
+  /**
+   * Why the LLM stopped generating this turn:
+   * - `"stop"` — model generated a stop sequence (normal completion)
+   * - `"tool-calls"` — model stopped on one or more tool calls. If any tool
+   *   has no `execute` function (e.g. an `ask_user` HITL tool), the turn is
+   *   paused awaiting user input; inspect `responseMessage.parts` for tool
+   *   parts in `input-available` state to distinguish.
+   * - `"length"` — max tokens reached
+   * - `"content-filter"` — content filter stopped the model
+   * - `"error"` — model errored
+   * - `"other"` — provider-specific reason
+   *
+   * Undefined if the underlying stream didn't provide a finish reason (e.g.
+   * manual `pipeChat()` or an aborted stream).
+   */
+  finishReason?: FinishReason;
+  /**
+   * Set when the turn failed (the `run()` body or a lifecycle hook threw).
+   * On an errored turn `responseMessage` is undefined or partial and
+   * `finishReason` is `"error"`. Use this to mark the turn failed in your
+   * persistence. Undefined on a successful turn.
+   */
+  error?: unknown;
+};
+
+/**
+ * Event passed to the `onBeforeTurnComplete` callback.
+ * Same as `TurnCompleteEvent` but includes a `writer` since the stream is still open.
+ */
+export type BeforeTurnCompleteEvent<
+  TClientData = unknown,
+  TUIM extends UIMessage = UIMessage,
+> = TurnCompleteEvent<TClientData, TUIM> & {
+  /** Stream writer — write custom `UIMessageChunk` parts to the chat stream. Lazy: no overhead if unused. */
+  writer: ChatWriter;
+};
+
+/**
+ * Discriminated event passed to the `onChatSuspend` callback.
+ * Use `phase` to distinguish preload vs turn suspension.
+ */
+export type ChatSuspendEvent<TClientData = unknown, TUIM extends UIMessage = UIMessage> =
+  | {
+    /** Suspend is happening after onPreload, before the first message. */
+    phase: "preload";
+    /** Task run context. */
+    ctx: TaskRunContext;
+    /** The chat session ID. */
+    chatId: string;
+    /** The Trigger.dev run ID. */
+    runId: string;
+    /** Custom data from the frontend. */
+    clientData?: TClientData;
+  }
+  | {
+    /**
+     * Suspend is happening on a continuation run that booted with no incoming
+     * message (post-`endRun`, post-waitpoint-timeout, etc.) and is waiting
+     * for the next session.in record before running any turn. Distinct from
+     * `phase: "preload"` — the chat already started; `onPreload` has not
+     * fired and will not fire on this run.
+     */
+    phase: "continuation";
+    /** Task run context. */
+    ctx: TaskRunContext;
+    /** The chat session ID. */
+    chatId: string;
+    /** The Trigger.dev run ID. */
+    runId: string;
+    /** Custom data from the frontend. */
+    clientData?: TClientData;
+  }
+  | {
+    /** Suspend is happening after a completed turn, waiting for the next message. */
+    phase: "turn";
+    /** Task run context. */
+    ctx: TaskRunContext;
+    /** The chat session ID. */
+    chatId: string;
+    /** The Trigger.dev run ID. */
+    runId: string;
+    /** The turn number (0-indexed) that just completed. */
+    turn: number;
+    /** The accumulated model messages after the completed turn. */
+    messages: ModelMessage[];
+    /** The accumulated UI messages after the completed turn. */
+    uiMessages: TUIM[];
+    /** Custom data from the frontend. */
+    clientData?: TClientData;
+  };
+
+/**
+ * Discriminated event passed to the `onChatResume` callback.
+ * Use `phase` to distinguish preload vs turn resumption.
+ */
+export type ChatResumeEvent<TClientData = unknown, TUIM extends UIMessage = UIMessage> =
+  | {
+    /** First message arrived after preload suspension. */
+    phase: "preload";
+    /** Task run context. */
+    ctx: TaskRunContext;
+    /** The chat session ID. */
+    chatId: string;
+    /** The Trigger.dev run ID. */
+    runId: string;
+    /** Custom data from the frontend. */
+    clientData?: TClientData;
+  }
+  | {
+    /**
+     * First message arrived after continuation-wait suspension. Distinct
+     * from `phase: "preload"` — the chat already started; this is a new
+     * run picking up after a prior run ended (`endRun`, waitpoint timeout,
+     * etc.).
+     */
+    phase: "continuation";
+    /** Task run context. */
+    ctx: TaskRunContext;
+    /** The chat session ID. */
+    chatId: string;
+    /** The Trigger.dev run ID. */
+    runId: string;
+    /** Custom data from the frontend. */
+    clientData?: TClientData;
+  }
+  | {
+    /** Next message arrived after turn suspension. */
+    phase: "turn";
+    /** Task run context. */
+    ctx: TaskRunContext;
+    /** The chat session ID. */
+    chatId: string;
+    /** The Trigger.dev run ID. */
+    runId: string;
+    /** The turn number that was completed before suspension. */
+    turn: number;
+    /** The accumulated model messages (from before suspension). */
+    messages: ModelMessage[];
+    /** The accumulated UI messages (from before suspension). */
+    uiMessages: TUIM[];
+    /** Custom data from the frontend. */
+    clientData?: TClientData;
+  };
+
+export type ChatAgentOptions<
+  TIdentifier extends string,
+  TClientDataSchema extends TaskSchema | undefined = undefined,
+  TUIMessage extends UIMessage = UIMessage,
+  TActionSchema extends TaskSchema | undefined = undefined,
+  TTools extends ToolSet = ToolSet,
+> = Omit<
+  TaskOptions<
+    TIdentifier,
+    ChatTaskWirePayload<TUIMessage, inferSchemaIn<TClientDataSchema>>,
+    unknown
+  >,
+  "run" | "retry"
+> & {
+  /**
+   * Fallback machine preset to use when an attempt fails with an
+   * out-of-memory (OOM) error. Setting this enables a single OOM retry:
+   * the next attempt boots on the larger machine, and the chat picks
+   * up via the standard continuation path (same `chatId` / Session,
+   * accumulator rebuilds via `hydrateMessages` or post-`onTurnStart`
+   * persisted state).
+   *
+   * Set `machine` (top-level `TaskOptions`) to control the *default*
+   * machine the agent runs on. `oomMachine` is the *retry-only* swap.
+   *
+   * Note: an OOM retry restarts the entire turn from the top — the
+   * model call and any in-flight tool executes re-run on the larger
+   * machine. Make tool executes idempotent or persist results before
+   * returning if you can't tolerate re-execution.
+   *
+   * Generic `retry` options are not exposed on `chat.agent` because
+   * arbitrary retries against an LLM-driven loop tend to be expensive
+   * and side-effecting. If you need richer retry semantics, drop down
+   * to `chat.task` (the raw primitive).
+   *
+   * @example
+   * ```ts
+   * chat.agent({
+   *   id: "my-chat",
+   *   machine: "small-1x",
+   *   oomMachine: "medium-2x",
+   *   run: async ({ messages, signal }) =>
+   *     streamText({ model, messages, abortSignal: signal }),
+   * });
+   * ```
+   */
+  oomMachine?: MachinePresetName;
+
+  /**
+   * Schema for validating `clientData` from the frontend.
+   * Accepts Zod, ArkType, Valibot, or any supported schema library.
+   * When provided, `clientData` is parsed and typed in all hooks and `run`.
+   *
+   * @example
+   * ```ts
+   * import { z } from "zod";
+   *
+   * chat.agent({
+   *   id: "my-chat",
+   *   clientDataSchema: z.object({ model: z.string().optional(), userId: z.string() }),
+   *   run: async ({ messages, clientData, ctx, signal }) => {
+   *     // clientData is typed as { model?: string; userId: string }
+   *     // ctx is the same TaskRunContext as in task({ run: (payload, { ctx }) => ... })
+   *   },
+   * });
+   * ```
+   */
+  clientDataSchema?: TClientDataSchema;
+
+  /**
+   * Schema for validating custom actions sent via `transport.sendAction()`.
+   *
+   * When the frontend sends `trigger: "action"`, the `action` payload is
+   * parsed against this schema before reaching `onAction`. Invalid actions
+   * throw and abort the turn.
+   *
+   * @example
+   * ```ts
+   * import { z } from "zod";
+   *
+   * chat.agent({
+   *   id: "my-chat",
+   *   actionSchema: z.discriminatedUnion("type", [
+   *     z.object({ type: z.literal("undo") }),
+   *     z.object({ type: z.literal("rollback"), targetMessageId: z.string() }),
+   *   ]),
+   *   onAction: async ({ action }) => {
+   *     if (action.type === "undo") chat.history.slice(0, -2);
+   *     if (action.type === "rollback") chat.history.rollbackTo(action.targetMessageId);
+   *   },
+   *   run: async ({ messages, signal }) => { ... },
+   * });
+   * ```
+   */
+  actionSchema?: TActionSchema;
+
+  /**
+   * Called when the frontend sends a custom action via `transport.sendAction()`.
+   *
+   * Actions are not turns. They fire `hydrateMessages` (if configured) and
+   * `onAction` only — no `onTurnStart` / `prepareMessages` /
+   * `onBeforeTurnComplete` / `onTurnComplete`, no `run()`. Use
+   * `chat.history.*` inside `onAction` to mutate state.
+   *
+   * To produce a model response from an action, return a
+   * `StreamTextResult` (auto-piped), `string`, or `UIMessage`. Returning
+   * `void` or nothing is the side-effect-only default.
+   */
+  onAction?: (
+    event: ActionEvent<
+      [TActionSchema] extends [TaskSchema] ? inferSchemaOut<TActionSchema> : unknown,
+      inferSchemaOut<TClientDataSchema>,
+      TUIMessage
+    >
+  ) => Promise<unknown> | unknown;
+
+  /**
+   * The tools available to this agent.
+   *
+   * `chat.agent` doesn't call the model for you. Your tools still go to
+   * `streamText({ tools })` inside `run()`. Declaring them here additionally
+   * lets the SDK re-run each tool's
+   * [`toModelOutput`](https://ai-sdk.dev/docs/ai-sdk-core/tools-and-tool-calling#tomodeloutput)
+   * when it re-converts persisted history on later turns. Without this, the
+   * AI SDK has no `tools` to look up `toModelOutput` against, so a tool's
+   * transformed result (e.g. raw image bytes → an image content part, or a
+   * sub-agent summary) silently degrades to its raw JSON output from turn 2
+   * onward.
+   *
+   * Only `inputSchema` and `toModelOutput` are read during conversion (never
+   * `execute`), so you may pass a lightweight map if you keep heavy execute
+   * deps out of this module.
+   *
+   * Pass either a static `ToolSet` or a function of per-turn context (for
+   * tools that depend on the user, a feature flag, etc.). The resolved set is
+   * available on the `run()` payload as `tools`.
+   *
+   * @example
+   * ```ts
+   * const tools = { read_file, search };
+   * chat.agent({
+   *   tools,
+   *   run: async ({ messages, tools, signal }) =>
+   *     streamText({ model, messages, tools, abortSignal: signal }),
+   * });
+   * ```
+   */
+  tools?:
+    | TTools
+    | ((event: ResolveToolsEvent<inferSchemaOut<TClientDataSchema>>) => TTools | Promise<TTools>);
+
+  /**
+   * The run function for the chat task.
+   *
+   * Receives a `ChatTaskRunPayload` with the conversation messages, chat session ID,
+   * trigger type, task `ctx` (same as `task({ run })`’s second argument), and abort signals
+   * (`signal`, `cancelSignal`, `stopSignal`).
+   *
+   * **Auto-piping:** If this function returns a value with `.toUIMessageStream()`,
+   * the stream is automatically piped to the frontend.
+   */
+  run: (
+    payload: ChatTaskRunPayload<inferSchemaOut<TClientDataSchema>, TTools>
+  ) => Promise<unknown>;
+
+  /**
+   * Called once at the start of every run boot — for the initial run, for
+   * preloaded runs, AND for reactive continuation runs (post-cancel /
+   * crash / `endRun` / `requestUpgrade` / OOM retry).
+   *
+   * Use this for per-process setup that needs to run every time a fresh
+   * worker picks up the chat: initialize `chat.local` state, open
+   * per-process resources, or re-hydrate customer state from your DB
+   * on continuation. Branch on `continuation` to decide whether to load
+   * existing state vs. start fresh.
+   *
+   * Fires BEFORE `onPreload` (preloaded path) and `onChatStart`
+   * (first-message path), so `chat.local` is safe to read in those hooks.
+   *
+   * Does NOT fire when the same run resumes from snapshot via the
+   * idle-window suspend/resume path — use `onChatResume` for that.
+   *
+   * @example
+   * ```ts
+   * onBoot: async ({ chatId, clientData, continuation }) => {
+   *   const user = await db.user.findFirst({ where: { id: clientData.userId } });
+   *   userContext.init({ name: user.name, plan: user.plan });
+   *   if (continuation) {
+   *     // re-hydrate any per-chat in-memory state from your DB
+   *   }
+   * }
+   * ```
+   */
+  onBoot?: (event: BootEvent<inferSchemaOut<TClientDataSchema>>) => Promise<void> | void;
+
+  /**
+   * Recovery boot hook — fires once on a continuation run that inherited
+   * in-flight state from a dead predecessor (cancel / crash / OOM /
+   * deploy eviction / `chat.requestUpgrade()`). The runtime reads both
+   * stream tails past the last `turn-complete` cursor and hands the
+   * customer the recovered pieces (settled chain, in-flight users,
+   * partial assistant, pending tool calls) so the chain can be shaped
+   * before the first recovered turn fires.
+   *
+   * Does NOT fire when there's nothing to recover — e.g. a clean
+   * continuation after `chat.endRun()` with no buffered user, a fresh
+   * chat, or an OOM retry on top of a complete snapshot.
+   *
+   * Does NOT fire when `hydrateMessages` is registered — that hook owns
+   * the per-turn chain and overlapping recovery decisions belong in the
+   * customer's DB.
+   *
+   * Defaults (returned when the hook is omitted or returns no field):
+   *   - `chain` = `settledMessages` (drop the orphan partial)
+   *   - `recoveredTurns` = `inFlightUsers` (re-dispatch every user)
+   *
+   * @example
+   * ```ts
+   * onRecoveryBoot: async ({ partialAssistant, inFlightUsers, writer, cause }) => {
+   *   writer.write({
+   *     type: "data-chat-recovery",
+   *     id: generateId(),
+   *     data: { cause, partial: partialAssistant?.id },
+   *   });
+   *   return {}; // accept defaults: drop partial, re-dispatch users
+   * }
+   * ```
+   */
+  onRecoveryBoot?: (
+    event: RecoveryBootEvent<TUIMessage>
+  ) => Promise<RecoveryBootResult<TUIMessage> | void> | RecoveryBootResult<TUIMessage> | void;
+
+  /**
+   * Called when a preloaded run starts, before the first message arrives.
+   *
+   * Use this to initialize state, create DB records, and load context early —
+   * so everything is ready when the user's first message comes through.
+   *
+   * @example
+   * ```ts
+   * onPreload: async ({ ctx, chatId, clientData }) => {
+   *   await db.chat.create({ data: { id: chatId } });
+   *   userContext.init(await loadUser(clientData.userId));
+   * }
+   * ```
+   */
+  onPreload?: (event: PreloadEvent<inferSchemaOut<TClientDataSchema>>) => Promise<void> | void;
+
+  /**
+   * Called exactly once per chat, on the very first user message of the
+   * chat's lifetime. Does NOT fire on continuation runs (post-`endRun`,
+   * post-waitpoint-timeout, `chat.requestUpgrade`) or on OOM-retry attempts —
+   * those are runs of an already-started chat.
+   *
+   * Use this for one-time chat-setup work — creating the Chat DB row,
+   * initializing per-chat in-memory state, minting resources tied to the
+   * chat's lifetime. Safe to assume no prior history exists here.
+   *
+   * For per-turn work, use `onTurnStart`.
+   *
+   * @example
+   * ```ts
+   * onChatStart: async ({ ctx, chatId, messages, clientData }) => {
+   *   await db.chat.create({ data: { id: chatId, userId: clientData.userId } });
+   * }
+   * ```
+   */
+  onChatStart?: (event: ChatStartEvent<inferSchemaOut<TClientDataSchema>>) => Promise<void> | void;
+
+  /**
+   * Validate or transform incoming UI messages before they are converted to model
+   * messages and accumulated. Fires once per turn with the raw `UIMessage[]` from
+   * the wire payload (after cleanup of aborted tool parts).
+   *
+   * Return the validated messages array. Throw to abort the turn with an error.
+   *
+   * This is the right place to call the AI SDK's `validateUIMessages` on fresh
+   * user input. For HITL continuations (`addToolOutput` /
+   * `addToolApproveResponse`), the wire carries a slim assistant message — only
+   * the resolved tool parts, with `state` + `output` / `errorText` / `approval`
+   * and no `input`. `validateUIMessages` against the AI SDK schema rejects
+   * that shape, so filter to user messages (or skip validation entirely) on
+   * those turns.
+   *
+   * @example
+   * ```ts
+   * import { validateUIMessages } from "ai";
+   *
+   * chat.agent({
+   *   id: "my-chat",
+   *   onValidateMessages: async ({ messages }) => {
+   *     const userMessages = messages.filter((m) => m.role === "user");
+   *     if (userMessages.length > 0) {
+   *       await validateUIMessages({ messages: userMessages, tools: chatTools });
+   *     }
+   *     return messages;
+   *   },
+   *   run: async ({ messages }) => {
+   *     return streamText({ model, messages, tools: chatTools });
+   *   },
+   * });
+   * ```
+   */
+  onValidateMessages?: (
+    event: ValidateMessagesEvent<TUIMessage>
+  ) => TUIMessage[] | Promise<TUIMessage[]>;
+
+  /**
+   * Load the full message history from your backend on every turn,
+   * replacing the built-in linear accumulator.
+   *
+   * When set, the returned messages become the accumulated state for this turn.
+   * The normal accumulation logic (append for submit, replace for regenerate)
+   * is skipped entirely — the hook is the source of truth.
+   *
+   * After the hook returns, any incoming wire messages with matching IDs are
+   * auto-merged (handles tool approval responses transparently).
+   *
+   * Use cases:
+   * - Backend trust: prevent clients from injecting fabricated history
+   * - Branching conversations (DAGs): load only the active branch
+   * - Rollback/undo: exclude undone messages from history
+   *
+   * @example
+   * ```ts
+   * chat.agent({
+   *   id: "my-chat",
+   *   hydrateMessages: async ({ chatId, trigger, incomingMessages }) => {
+   *     // Persist the new message
+   *     const newMsg = incomingMessages[incomingMessages.length - 1];
+   *     if (newMsg && trigger === "submit-message") {
+   *       await db.chatMessages.create({ chatId, message: newMsg });
+   *     }
+   *     // Return the full authoritative history
+   *     return db.chatMessages.findMany({ where: { chatId } });
+   *   },
+   *   run: async ({ messages, signal }) => {
+   *     return streamText({ model: openai("gpt-4o"), messages, abortSignal: signal });
+   *   },
+   * });
+   * ```
+   */
+  hydrateMessages?: (
+    event: HydrateMessagesEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+  ) => TUIMessage[] | Promise<TUIMessage[]>;
+
+  /**
+   * Called at the start of every turn, after message accumulation and `onChatStart` (turn 0),
+   * but before the `run` function executes.
+   *
+   * Use this to persist messages before streaming begins, so a mid-stream page refresh
+   * still shows the user's message.
+   *
+   * @example
+   * ```ts
+   * onTurnStart: async ({ ctx, chatId, uiMessages }) => {
+   *   await db.chat.update({ where: { id: chatId }, data: { messages: uiMessages } });
+   * }
+   * ```
+   */
+  onTurnStart?: (
+    event: TurnStartEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+  ) => Promise<void> | void;
+
+  /**
+   * Called after the response is captured but before the stream closes.
+   * The stream is still open, so you can write custom chunks to the frontend
+   * (e.g. compaction progress). Use this for compaction, post-processing,
+   * or any work where the user should see real-time status updates.
+   *
+   * @example
+   * ```ts
+   * onBeforeTurnComplete: async ({ ctx, writer, usage }) => {
+   *   if (usage?.inputTokens && usage.inputTokens > 5000) {
+   *     writer.write({ type: "data-compaction", id: generateId(), data: { status: "compacting" } });
+   *     // ... compact messages ...
+   *     chat.setMessages(compactedMessages);
+   *     writer.write({ type: "data-compaction", id: generateId(), data: { status: "complete" } });
+   *   }
+   * }
+   * ```
+   */
+  onBeforeTurnComplete?: (
+    event: BeforeTurnCompleteEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+  ) => Promise<void> | void;
+
+  /**
+   * Called when conversation compaction occurs (via `chat.compact()` or
+   * `chat.compactionStep()`). Use for logging, billing, or persisting the summary.
+   *
+   * @example
+   * ```ts
+   * onCompacted: async ({ ctx, summary, totalTokens, chatId }) => {
+   *   logger.info("Compacted", { totalTokens, chatId });
+   *   await db.compactionLog.create({ data: { chatId, summary } });
+   * }
+   * ```
+   */
+  onCompacted?: (event: CompactedEvent) => Promise<void> | void;
+
+  /**
+   * Automatic context compaction. When provided, compaction runs automatically
+   * in both the inner loop (prepareStep, between tool-call steps) and the
+   * outer loop (between turns, for single-step responses where prepareStep
+   * never fires).
+   *
+   * The `shouldCompact` callback decides when to compact, and `summarize`
+   * generates the summary. The prepareStep is auto-injected into
+   * `chat.toStreamTextOptions()` — if you provide your own `prepareStep`
+   * after spreading, it overrides the auto-injected one.
+   *
+   * @example
+   * ```ts
+   * chat.agent({
+   *   id: "my-chat",
+   *   compaction: {
+   *     shouldCompact: ({ totalTokens }) => (totalTokens ?? 0) > 80_000,
+   *     summarize: async (messages) =>
+   *       generateText({ model, messages: [...messages, { role: "user", content: "Summarize." }] })
+   *         .then((r) => r.text),
+   *   },
+   *   run: async ({ messages, signal }) => {
+   *     return streamText({ ...chat.toStreamTextOptions({ registry }), messages });
+   *   },
+   * });
+   * ```
+   */
+  compaction?: ChatAgentCompactionOptions<TUIMessage>;
+
+  /**
+   * Configure how messages that arrive during streaming are handled.
+   *
+   * By default, messages queue for the next turn. When `shouldInject` is provided
+   * and returns `true`, messages are injected between tool-call steps via
+   * `prepareStep` — allowing users to steer the agent mid-execution.
+   *
+   * @example
+   * ```ts
+   * pendingMessages: {
+   *   shouldInject: ({ steps }) => steps.length > 0,
+   *   onReceived: ({ message }) => logger.info("Steering message received"),
+   * },
+   * ```
+   */
+  pendingMessages?: PendingMessagesOptions<TUIMessage>;
+
+  /**
+   * Called after each assistant response completes. Use to persist the
+   * conversation to your database after each assistant response.
+   *
+   * @example
+   * ```ts
+   * onTurnComplete: async ({ ctx, chatId, messages }) => {
+   *   await db.chat.update({ where: { id: chatId }, data: { messages } });
+   * }
+   * ```
+   */
+  onTurnComplete?: (
+    event: TurnCompleteEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+  ) => Promise<void> | void;
+
+  /**
+   * Maximum number of conversational turns (message round-trips) a single run
+   * will handle before ending. After this many turns the run completes
+   * normally and the next message will start a fresh run.
+   *
+   * @default 100
+   */
+  maxTurns?: number;
+
+  /**
+   * How long to wait for the next message before timing out and ending the run.
+   * Accepts any duration string (e.g. `"1h"`, `"30m"`).
+   *
+   * @default "1h"
+   */
+  turnTimeout?: string;
+
+  /**
+   * How long (in seconds) the run stays idle (active, using compute) after each
+   * turn, waiting for the next message. During this window responses are instant.
+   * After this timeout the run suspends (frees compute) and waits via
+   * `inputStream.wait()`.
+   *
+   * Set to `0` to suspend immediately after each turn.
+   *
+   * @default 30
+   */
+  idleTimeoutInSeconds?: number;
+
+  /**
+   * How long the `chatAccessToken` (scoped to this run) remains valid.
+   * A fresh token is minted after each turn, so this only needs to cover
+   * the gap between turns.
+   *
+   * Accepts a duration string (e.g. `"1h"`, `"30m"`, `"2h"`).
+   *
+   * @default "1h"
+   */
+  chatAccessTokenTTL?: string;
+
+  /**
+   * How long (in seconds) the run stays idle after `onPreload` fires,
+   * waiting for the first message before suspending.
+   *
+   * Only applies to preloaded runs (triggered via `transport.preload()`).
+   * Takes precedence over `transport.preload(..., { idleTimeoutInSeconds })`
+   * and over {@link ChatAgentOptions.idleTimeoutInSeconds}.
+   *
+   * @default Same as `idleTimeoutInSeconds`
+   */
+  preloadIdleTimeoutInSeconds?: number;
+
+  /**
+   * How long to wait (suspended) for the first message after a preloaded run starts.
+   * If no message arrives within this time, the run ends.
+   *
+   * Only applies to preloaded runs.
+   *
+   * @default Same as `turnTimeout`
+   */
+  preloadTimeout?: string;
+
+  /**
+   * Transform model messages before they're used anywhere — in `run()`,
+   * in compaction rebuilds, and in compaction results.
+   *
+   * Define once, applied everywhere. Use for Anthropic cache breaks,
+   * injecting system context, stripping PII, etc.
+   *
+   * @example
+   * ```ts
+   * prepareMessages: async ({ messages, reason }) => {
+   *   // Add Anthropic cache breaks to the last message
+   *   if (messages.length === 0) return messages;
+   *   const last = messages[messages.length - 1];
+   *   return [...messages.slice(0, -1), {
+   *     ...last,
+   *     providerOptions: { ...last.providerOptions, anthropic: { cacheControl: { type: "ephemeral" } } },
+   *   }];
+   * }
+   * ```
+   */
+  prepareMessages?: (
+    event: PrepareMessagesEvent<inferSchemaOut<TClientDataSchema>>
+  ) => ModelMessage[] | Promise<ModelMessage[]>;
+
+  /**
+   * Default options for `toUIMessageStream()` when auto-piping or using
+   * `turn.complete()` / `chat.pipeAndCapture()`.
+   *
+   * Controls how the `StreamTextResult` is converted to a `UIMessageChunk`
+   * stream — error handling, reasoning/source visibility, metadata, etc.
+   *
+   * Can be overridden per-turn by calling `chat.setUIMessageStreamOptions()`
+   * inside `run()` or lifecycle hooks. Per-turn values are merged on top
+   * of these defaults (per-turn wins on conflicts).
+   *
+   * `onFinish` and `originalMessages` are managed internally and cannot be
+   * overridden here. Use `streamText`'s `onFinish` for custom finish
+   * handling. `generateMessageId` can be set to control response message
+   * ID generation (e.g. UUID-v7).
+   *
+   * @example
+   * ```ts
+   * chat.agent({
+   *   id: "my-chat",
+   *   uiMessageStreamOptions: {
+   *     sendReasoning: true,
+   *     onError: (error) => error instanceof Error ? error.message : "An error occurred.",
+   *   },
+   *   run: async ({ messages, signal }) => { ... },
+   * });
+   * ```
+   */
+  uiMessageStreamOptions?: ChatUIMessageStreamOptions<TUIMessage>;
+
+  /**
+   * Called right before the run suspends to wait for a message.
+   *
+   * The `phase` discriminator tells you when the suspend happened:
+   * - `"preload"`: after `onPreload`, waiting for the first message
+   * - `"turn"`: after `onTurnComplete`, waiting for the next message
+   *
+   * Use this for cleanup before suspension (e.g. disposing sandboxes, closing connections).
+   *
+   * @example
+   * ```ts
+   * onChatSuspend: async (event) => {
+   *   await disposeExpensiveResources(event.ctx.run.id);
+   *   if (event.phase === "turn") {
+   *     logger.info("Suspending after turn", { turn: event.turn });
+   *   }
+   * }
+   * ```
+   */
+  onChatSuspend?: (
+    event: ChatSuspendEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+  ) => Promise<void> | void;
+
+  /**
+   * Called right after the run resumes from suspension with a new message.
+   *
+   * The `phase` discriminator tells you when the resume happened:
+   * - `"preload"`: first message arrived after preload suspension
+   * - `"turn"`: next message arrived after turn suspension
+   *
+   * Use this for re-initialization after wake (e.g. warming caches, reconnecting).
+   *
+   * @example
+   * ```ts
+   * onChatResume: async (event) => {
+   *   warmCache(event.ctx.run.id);
+   *   if (event.phase === "turn") {
+   *     logger.info("Resumed after turn", { turn: event.turn });
+   *   }
+   * }
+   * ```
+   */
+  onChatResume?: (
+    event: ChatResumeEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+  ) => Promise<void> | void;
+
+  /**
+   * When `true`, the run exits successfully after the preload idle timeout
+   * instead of suspending and waiting. The run completes with no turn executed.
+   *
+   * Use this for "fire and forget" preloads where you only want to do eager
+   * initialization. If the user doesn't send a message during the idle window,
+   * the run ends cleanly.
+   *
+   * Only applies to preloaded runs (triggered via `transport.preload()`).
+   *
+   * @default false
+   */
+  exitAfterPreloadIdle?: boolean;
+};
+
+/**
+ * Creates a Trigger.dev task pre-configured for AI SDK chat.
+ *
+ * - **Pre-types the payload** as `ChatTaskRunPayload` — includes abort signals
+ * - **Auto-pipes the stream** if `run` returns a `StreamTextResult`
+ * - **Multi-turn**: keeps the conversation in a single run using input streams
+ * - **Stop support**: frontend can stop generation mid-stream via the stop input stream
+ * - For complex flows, use `pipeChat()` from anywhere inside your task code
+ *
+ * @example
+ * ```ts
+ * import { chat } from "@trigger.dev/sdk/ai";
+ * import { streamText, convertToModelMessages } from "ai";
+ * import { openai } from "@ai-sdk/openai";
+ *
+ * export const myChat = chat.agent({
+ *   id: "my-chat",
+ *   run: async ({ messages, signal }) => {
+ *     return streamText({
+ *       model: openai("gpt-4o"),
+ *       messages, // already converted via convertToModelMessages
+ *       abortSignal: signal,
+ *     });
+ *   },
+ * });
+ * ```
+ */
+// ─── chat.customAgent ──────────────────────────────────────────────
+// A thin wrapper around createTask that marks the task as an agent
+// (triggerSource: "agent") so it appears in the playground, but does
+// NOT implement the managed lifecycle (no turn loop, no preload, etc.).
+// The user's run function receives the raw ChatTaskWirePayload and
+// uses composable primitives (chat.messages, chat.MessageAccumulator, etc.).
+// ────────────────────────────────────────────────────────────────────
+
+type ChatCustomAgentOptions<
+  TIdentifier extends string,
+  TClientDataSchema extends TaskSchema | undefined = undefined,
+  TUIMessage extends UIMessage = UIMessage,
+> = Omit<
+  TaskOptions<
+    TIdentifier,
+    ChatTaskWirePayload<TUIMessage, inferSchemaIn<TClientDataSchema>>,
+    unknown
+  >,
+  "triggerSource" | "agentConfig"
+> & {
+  clientDataSchema?: TClientDataSchema;
+};
+
+function chatCustomAgent<
+  TIdentifier extends string,
+  TClientDataSchema extends TaskSchema | undefined = undefined,
+  TUIMessage extends UIMessage = UIMessage,
+>(
+  options: ChatCustomAgentOptions<TIdentifier, TClientDataSchema, TUIMessage>
+): Task<TIdentifier, ChatTaskWirePayload<TUIMessage, inferSchemaIn<TClientDataSchema>>, unknown> {
+  const { clientDataSchema, run: userRun, ...restOptions } = options;
+
+  const task = createTask<
+    TIdentifier,
+    ChatTaskWirePayload<TUIMessage, inferSchemaIn<TClientDataSchema>>,
+    unknown
+  >({
+    ...restOptions,
+    triggerSource: "agent",
+    agentConfig: { type: "ai-sdk-chat" },
+    run: async (
+      payload: ChatTaskWirePayload<TUIMessage, inferSchemaIn<TClientDataSchema>>,
+      runOptions
+    ) => {
+      // Bind the run to its backing Session so module-level helpers
+      // (chat.messages, chat.stream, chat.createStopSignal, chat.createSession)
+      // resolve to this chat's `.in` / `.out` channels. Address
+      // everywhere by `payload.chatId` (the session externalId) so the
+      // agent's writes and the transport's reads converge on the same
+      // S2 stream key + waitpoint key.
+      //
+      // The Session row is created server-side by `POST /sessions` (or
+      // `chat.createStartSessionAction`) before this run is triggered.
+      // No client-side upsert needed.
+      locals.set(chatSessionHandleKey, sessions.open(payload.chatId));
+      locals.set(chatAgentRunContextKey, runOptions.ctx);
+      // Initialize the turn-complete trim slot so `chat.writeTurnComplete`
+      // trims `session.out` back to the previous turn boundary. Without
+      // this the slot is undefined and the trim never runs, so `.out`
+      // grows without bound for the whole custom-agent surface.
+      locals.set(lastTurnCompleteSeqNumKey, { value: undefined });
+      markChatAgentRunForStreamsWarning();
+      taskContext.setConversationId(payload.chatId);
+      stampConversationIdOnActiveSpan(payload.chatId);
+      return userRun(payload, runOptions);
+    },
+  });
+
+  // Register clientDataSchema so the CLI converts it to JSONSchema
+  // and stores it as payloadSchema — used by the Playground UI
+  if (clientDataSchema) {
+    resourceCatalog.updateTaskMetadata(options.id, {
+      schema: clientDataSchema as any,
+    });
+  }
+
+  return task;
+}
+
+function chatAgent<
+  TIdentifier extends string,
+  TClientDataSchema extends TaskSchema | undefined = undefined,
+  TUIMessage extends UIMessage = UIMessage,
+  TActionSchema extends TaskSchema | undefined = undefined,
+  TTools extends ToolSet = ToolSet,
+>(
+  options: ChatAgentOptions<TIdentifier, TClientDataSchema, TUIMessage, TActionSchema, TTools>
+): Task<TIdentifier, ChatTaskWirePayload<TUIMessage, inferSchemaIn<TClientDataSchema>>, unknown> {
+  const {
+    run: userRun,
+    clientDataSchema,
+    onBoot,
+    onRecoveryBoot,
+    onPreload,
+    onChatStart,
+    onValidateMessages,
+    hydrateMessages,
+    actionSchema,
+    onAction,
+    onTurnStart,
+    onBeforeTurnComplete,
+    onCompacted,
+    compaction,
+    pendingMessages: pendingMessagesConfig,
+    prepareMessages,
+    tools: toolsOption,
+    onTurnComplete,
+    maxTurns = 100,
+    turnTimeout = "1h",
+    idleTimeoutInSeconds = 30,
+    chatAccessTokenTTL = "1h",
+    preloadIdleTimeoutInSeconds,
+    preloadTimeout,
+    uiMessageStreamOptions,
+    onChatSuspend,
+    onChatResume,
+    exitAfterPreloadIdle = false,
+    oomMachine,
+    ...restOptions
+  } = options;
+
+  const parseClientData = clientDataSchema ? getSchemaParseFn(clientDataSchema) : undefined;
+  const parseAction = actionSchema ? getSchemaParseFn(actionSchema) : undefined;
+
+  // chat.agent does not expose generic retry options (see docstring on
+  // `oomMachine`). The only opt-in is an OOM-triggered machine swap. If
+  // `oomMachine` is set we allow one retry on a larger machine; otherwise
+  // we keep the historical no-retry default.
+  const retry = oomMachine
+    ? { maxAttempts: 2, outOfMemory: { machine: oomMachine } }
+    : { maxAttempts: 1 };
+
+  const task = createTask<
+    TIdentifier,
+    ChatTaskWirePayload<TUIMessage, inferSchemaIn<TClientDataSchema>>,
+    unknown
+  >({
+    ...restOptions,
+    retry,
+    triggerSource: "agent",
+    agentConfig: { type: "ai-sdk-chat" },
+    run: async (
+      payload: ChatTaskWirePayload<TUIMessage, inferSchemaIn<TClientDataSchema>>,
+      { signal: runSignal, ctx }
+    ) => {
+      locals.set(chatAgentRunContextKey, ctx);
+
+      // On AI SDK 7, register the `@ai-sdk/otel` integration (once per process)
+      // so `experimental_telemetry` spans flow into the run trace. Awaited here
+      // at run boot — before any `streamText` — and a no-op on v5/v6 or when the
+      // optional `@ai-sdk/otel` peer isn't installed. See ./aiAutoTelemetry.ts.
+      await ensureAiSdkTelemetry();
+
+      // Bind the run to its backing Session so every module-level helper
+      // (chat.stream, chat.messages, chat.stopSignal) resolves to this
+      // chat's `.in` / `.out` channels.
+      //
+      // Address everywhere by `payload.chatId` (the session externalId):
+      // matches what the transport puts in URL paths and waitpoint keys,
+      // and what the server-side trigger flow uses as the session
+      // identity. The Session row is created by `POST /sessions` (via
+      // `chat.createStartSessionAction` or browser-direct) before this
+      // run is triggered — no client-side upsert needed here.
+      locals.set(chatSessionHandleKey, sessions.open(payload.chatId));
+      // Mutable holder; advances in `writeTurnCompleteChunk` after each turn
+      // and is the trim target for the NEXT turn's trim record.
+      locals.set(lastTurnCompleteSeqNumKey, { value: undefined });
+      markChatAgentRunForStreamsWarning();
+      taskContext.setConversationId(payload.chatId);
+
+      // Stamp `gen_ai.conversation.id` on the run-level span. Every
+      // nested span inherits the same attribute via
+      // `TaskContextSpanProcessor.onStart`.
+      const activeSpan = trace.getActiveSpan();
+      stampConversationIdOnActiveSpan(payload.chatId, activeSpan);
+
+      // Store static UIMessageStream options in locals so resolveUIMessageStreamOptions() can read them
+      if (uiMessageStreamOptions) {
+        locals.set(chatUIStreamStaticKey, uiMessageStreamOptions);
+      }
+
+      // Store onCompacted hook in locals so chat.compact() can call it
+      if (onCompacted) {
+        locals.set(chatOnCompactedKey, onCompacted);
+      }
+
+      if (prepareMessages) {
+        locals.set(chatPrepareMessagesKey, prepareMessages);
+      }
+
+      if (toolsOption) {
+        // Cast: the option's function form is typed against the parsed
+        // `clientData` (`ResolveToolsEvent<inferSchemaOut<...>>`), but the
+        // locals key uses the erased `ResolveToolsEvent<unknown>`. The runtime
+        // value is identical; this mirrors how `prepareMessages` is stored.
+        locals.set(
+          chatToolsOptionKey,
+          toolsOption as
+            | ToolSet
+            | ((event: ResolveToolsEvent<unknown>) => ToolSet | Promise<ToolSet>)
+        );
+        // Static tools are usable immediately. The function form is resolved
+        // just before the boot history conversion (with the payload's
+        // clientData) and again per-turn (see resolveTurnTools).
+        if (typeof toolsOption !== "function") {
+          locals.set(chatResolvedToolsKey, toolsOption);
+        }
+      }
+
+      if (compaction) {
+        locals.set(
+          chatAgentCompactionKey,
+          compaction as unknown as ChatAgentCompactionOptions<UIMessage>
+        );
+      }
+
+      if (pendingMessagesConfig) {
+        locals.set(chatPendingMessagesKey, pendingMessagesConfig);
+      }
+
+      let currentWirePayload = payload;
+      const continuation = payload.continuation ?? false;
+      const previousRunId = payload.previousRunId;
+      const preloaded = payload.trigger === "preload";
+
+      // Accumulated model messages across turns. Seeded at boot from a
+      // durable snapshot + `session.out` replay (or `hydrateMessages` if
+      // registered) — the wire is delta-only now, no longer a seed.
+      let accumulatedMessages: ModelMessage[] = [];
+
+      // Accumulated UI messages for persistence. Mirrors the model accumulator
+      // but in frontend-friendly UIMessage format (with parts, id, etc.).
+      let accumulatedUIMessages: TUIMessage[] = [];
+
+      // ── Snapshot + replay (gated on prior-state signals) ─────────────
+      //
+      // With `hydrateMessages` registered the customer owns history — the
+      // hook fires per-turn and produces the canonical chain from their DB.
+      // Skip both reads entirely: no need to load a blob the customer's
+      // hook will overwrite.
+      //
+      // Without it, both reads are gated on `couldHavePriorState`. A fresh
+      // chat (no continuation, attempt 1) can't have a snapshot OR replay
+      // records by definition — `readChatSnapshot` would 404 and
+      // `replaySessionOutTail` would return [], and the round-trips
+      // collectively cost ~600ms on every first-message TTFC. Both reads
+      // swallow errors internally; the agent stays available either way.
+      const sessionIdForSnapshot = payload.sessionId ?? payload.chatId;
+      let bootSnapshot: ChatSnapshotV1<TUIMessage> | undefined;
+      let replayedSettled: TUIMessage[] = [];
+      let replayedPartial: TUIMessage | undefined;
+      let replayedPartialRaw: TUIMessage | undefined;
+      let replayedInTail: { message: TUIMessage; metadata: unknown; seqNum: number }[] = [];
+      // Wire payloads to dispatch as turns before the regular session.in
+      // pump kicks in. Populated by `onRecoveryBoot.recoveredTurns` (or its
+      // default, `inFlightUsers`). The turn-loop checks this queue ahead of
+      // `messagesInput.waitWithIdleTimeout` so recovered turns fire first.
+      const bootInjectedQueue: ChatTaskWirePayload<
+        TUIMessage,
+        inferSchemaIn<TClientDataSchema>
+      >[] = [];
+      const couldHavePriorState =
+        payload.continuation === true || ctx.attempt.number > 1;
+
+      // `.in` resume cursor, computed at most once per boot. The boot
+      // block below resolves it (snapshot field or records scan) and the
+      // resume-cursor block reuses it instead of re-scanning.
+      let bootInCursor: number | undefined;
+      let bootInCursorResolved = false;
+
+      if (!hydrateMessages && couldHavePriorState) {
+        // Single parent span for the whole boot read phase — snapshot
+        // read, session.out replay, session.in replay. Per-phase timing
+        // + result counts are attributes on the span.
+        await tracer.startActiveSpan(
+          "chat.boot",
+          async (bootSpan) => {
+            // snapshot read
+            const snapStart = Date.now();
+            try {
+              bootSnapshot = await readChatSnapshot<TUIMessage>(sessionIdForSnapshot);
+            } catch (error) {
+              // `readChatSnapshot` already swallows + warns internally; this catch
+              // is just belt-and-suspenders against tracer/span errors.
+              logger.warn(
+                "chat.agent: snapshot read failed; continuing without snapshot",
+                {
+                  error: error instanceof Error ? error.message : String(error),
+                  sessionId: sessionIdForSnapshot,
+                }
+              );
+            }
+            bootSpan.setAttribute("chat.boot.snapshot.durationMs", Date.now() - snapStart);
+            bootSpan.setAttribute("chat.boot.snapshot.present", !!bootSnapshot);
+            bootSpan.setAttribute(
+              "chat.boot.snapshot.messageCount",
+              bootSnapshot?.messages?.length ?? 0
+            );
+
+            // Seed the trim chain from the snapshot's `lastOutEventId` (the SSE
+            // id of the previous turn's `turn-complete` control record). The
+            // first turn-complete this worker writes will then trim back to it.
+            // Without seeding, the new worker would emit no trim on its first
+            // turn (chain self-bootstraps from turn 2), so this is purely an
+            // optimization to keep continuation runs bounded from the first turn.
+            if (bootSnapshot?.lastOutEventId !== undefined) {
+              const seeded = Number.parseInt(bootSnapshot.lastOutEventId, 10);
+              if (Number.isFinite(seeded)) {
+                const slot = locals.get(lastTurnCompleteSeqNumKey);
+                if (slot) slot.value = seeded;
+              }
+            }
+
+            // The `.out` replay and the `.in` cursor + tail read are
+            // independent (both depend only on the snapshot) — run them
+            // concurrently. Each phase keeps its own catch + duration
+            // attribute.
+            const replayOutPhase = async () => {
+              const replayOutStart = Date.now();
+              try {
+                const replayResult = await replaySessionOutTail<TUIMessage>(
+                  sessionIdForSnapshot,
+                  { lastEventId: bootSnapshot?.lastOutEventId }
+                );
+                replayedSettled = replayResult.settled;
+                replayedPartial = replayResult.partial;
+                replayedPartialRaw = replayResult.partialRaw;
+              } catch (error) {
+                logger.warn(
+                  "chat.agent: session.out replay failed; using snapshot only",
+                  {
+                    error: error instanceof Error ? error.message : String(error),
+                    sessionId: sessionIdForSnapshot,
+                  }
+                );
+              }
+              bootSpan.setAttribute(
+                "chat.boot.replay.out.durationMs",
+                Date.now() - replayOutStart
+              );
+              bootSpan.setAttribute("chat.boot.replay.out.settledCount", replayedSettled.length);
+              bootSpan.setAttribute(
+                "chat.boot.replay.out.partialPresent",
+                replayedPartial !== undefined
+              );
+            };
+
+            // session.in tail read
+            //
+            // session.in carries the user-side of the conversation
+            // (ChatInputChunk records). On a continuation boot we read past
+            // the last turn-complete's `session-in-event-id` header so any
+            // user message the dead predecessor hadn't acknowledged surfaces
+            // here. Without this read, in-flight user messages would only be
+            // visible via the live SSE subscription — by which point they
+            // would arrive AFTER the partial-assistant orphan and look like
+            // brand-new turns to the model, producing inverted chains.
+            //
+            // The cursor comes from the snapshot when present (written
+            // there since `lastInEventId` was added) — otherwise from a
+            // records scan of `.out`'s latest turn-complete header.
+            const replayInPhase = async () => {
+              const replayInStart = Date.now();
+              const snapshotInCursor =
+                bootSnapshot?.lastInEventId !== undefined
+                  ? Number.parseInt(bootSnapshot.lastInEventId, 10)
+                  : undefined;
+              if (snapshotInCursor !== undefined && Number.isFinite(snapshotInCursor)) {
+                bootInCursor = snapshotInCursor;
+                bootInCursorResolved = true;
+              } else {
+                try {
+                  bootInCursor = await findLatestSessionInCursor(payload.chatId);
+                  bootInCursorResolved = true;
+                } catch {
+                  // Transient scan failure: leave unresolved so the
+                  // resume-cursor block below retries the lookup.
+                  bootInCursor = undefined;
+                }
+              }
+              bootSpan.setAttribute(
+                "chat.boot.replay.in.cursorFromSnapshot",
+                snapshotInCursor !== undefined
+              );
+              try {
+                replayedInTail = await replaySessionInTail<TUIMessage>(payload.chatId, {
+                  lastEventId: bootInCursor !== undefined ? String(bootInCursor) : undefined,
+                });
+              } catch (error) {
+                logger.warn(
+                  "chat.agent: session.in replay failed; in-flight users may not be recovered",
+                  { error: error instanceof Error ? error.message : String(error) }
+                );
+              }
+              bootSpan.setAttribute(
+                "chat.boot.replay.in.durationMs",
+                Date.now() - replayInStart
+              );
+              bootSpan.setAttribute(
+                "chat.boot.replay.in.userCount",
+                replayedInTail.length
+              );
+            };
+
+            await Promise.all([replayOutPhase(), replayInPhase()]);
+          },
+          {
+            attributes: {
+              [SemanticInternalAttributes.STYLE_ICON]: "tabler-rotate-clockwise",
+              [SemanticInternalAttributes.COLLAPSED]: true,
+              "chat.id": payload.chatId,
+              "chat.continuation": payload.continuation ?? false,
+              "chat.attempt": ctx.attempt.number,
+            },
+          }
+        );
+      }
+
+      // ── session.in resume cursor ───────────────────────────────────
+      //
+      // A fresh worker subscribes to `session.in` from seq 0 and would
+      // re-deliver every record ever appended — including user messages
+      // from turns already completed on a prior run. Without a cursor,
+      // the loop would re-process them as fresh turns and the slim-wire
+      // merge would replace-by-id against snapshot-restored copies,
+      // yielding no-op replaces while the customer's actual new message
+      // waits in the queue.
+      //
+      // The cursor is the seq_num of the last `.in` record the prior
+      // worker committed to processing, persisted on each `turn-complete`
+      // control record as a `session-in-event-id` sibling header. The
+      // boot scan reads the header off `.out`'s latest turn-complete and
+      // seeds the manager so the upcoming `.in` SSE subscribe opens with
+      // `Last-Event-ID: <cursor>` — S2 starts after that seq and old
+      // messages never reach this worker.
+      //
+      // Applies in three cases (any of which means `.in` has records
+      // belonging to completed turns the new run should skip):
+      //  - OOM retry (`ctx.attempt.number > 1`)
+      //  - Continuation run (`payload.continuation === true`) — prior run
+      //    crashed / was canceled / requested upgrade
+      //  - Snapshot exists at all (catches edge cases where the wire
+      //    didn't set `continuation` but a snapshot indicates prior turns)
+      const needsResumeCursor =
+        ctx.attempt.number > 1 ||
+        payload.continuation === true ||
+        bootSnapshot !== undefined;
+
+      if (needsResumeCursor) {
+        try {
+          // Reuse the cursor the boot block already resolved (snapshot
+          // field or records scan) — only scan here when the boot block
+          // was skipped (hydrateMessages, or snapshot-only signals).
+          const cursor = bootInCursorResolved
+            ? bootInCursor
+            : await findLatestSessionInCursor(payload.chatId);
+          if (cursor !== undefined) {
+            sessionStreams.setLastSeqNum(payload.chatId, "in", cursor);
+            sessionStreams.setLastDispatchedSeqNum(payload.chatId, "in", cursor);
+          }
+        } catch (error) {
+          logger.warn(
+            "chat.agent: session.in resume cursor lookup failed; old messages may replay",
+            { error: error instanceof Error ? error.message : String(error) }
+          );
+        }
+      }
+
+      // ── Recovery boot + chain reconstruction ────────────────────────
+      if (!hydrateMessages) {
+        const settledMessages = mergeByIdReplaceWins<TUIMessage>(
+          (bootSnapshot?.messages as TUIMessage[]) ?? [],
+          replayedSettled
+        );
+        const inFlightUsers = replayedInTail.map((r) => r.message);
+        const partialAssistant = replayedPartial;
+        // Fire the hook only when there's a partial assistant — the
+        // mid-stream-died signal. In-flight users alone (no partial)
+        // cover graceful exits like `chat.requestUpgrade()` where the
+        // predecessor chose to end before processing the message;
+        // those route through the normal continuation-wait path.
+        const hasRecoveredState = partialAssistant !== undefined;
+
+        let hookChain: TUIMessage[] | undefined;
+        let hookRecoveredTurns: TUIMessage[] | undefined;
+        let hookBeforeBoot: (() => Promise<void>) | undefined;
+        if (couldHavePriorState && hasRecoveredState && onRecoveryBoot) {
+          // Extract from the RAW partial (pre-cleanup). `cleanupAbortedParts`
+          // strips exactly the input-streaming / input-available tool parts
+          // we want to surface here, so the cleaned `partialAssistant` would
+          // always report zero pending tool calls.
+          const pendingToolCalls = extractPendingToolCallsFromPartial(replayedPartialRaw);
+          const previousRunIdForHook = previousRunId ?? "";
+          let hookResult: RecoveryBootResult<TUIMessage> | void = undefined;
+          const { writer: hookWriter, flush: hookFlush } = createLazyChatWriter();
+          try {
+            hookResult = await tracer.startActiveSpan(
+              "onRecoveryBoot()",
+              async () =>
+                onRecoveryBoot({
+                  ctx,
+                  chatId: payload.chatId,
+                  runId: ctx.run.id,
+                  previousRunId: previousRunIdForHook,
+                  cause: "unknown",
+                  settledMessages,
+                  inFlightUsers,
+                  partialAssistant,
+                  pendingToolCalls,
+                  writer: hookWriter,
+                }),
+              {
+                attributes: {
+                  [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onStart",
+                  [SemanticInternalAttributes.COLLAPSED]: true,
+                  "chat.id": payload.chatId,
+                },
+              }
+            );
+          } catch (error) {
+            logger.warn("chat.agent: onRecoveryBoot threw; using defaults", {
+              error: error instanceof Error ? error.message : String(error),
+              chatId: payload.chatId,
+            });
+          }
+          // Flush any chunks the hook wrote so they land on session.out
+          // BEFORE the first recovered turn fires.
+          try {
+            await hookFlush();
+          } catch (error) {
+            logger.warn("chat.agent: onRecoveryBoot writer flush failed", {
+              error: error instanceof Error ? error.message : String(error),
+            });
+          }
+          if (hookResult && typeof hookResult === "object") {
+            if (Array.isArray(hookResult.chain)) hookChain = hookResult.chain;
+            if (Array.isArray(hookResult.recoveredTurns))
+              hookRecoveredTurns = hookResult.recoveredTurns;
+            if (typeof hookResult.beforeBoot === "function")
+              hookBeforeBoot = hookResult.beforeBoot;
+          }
+        }
+
+        // Default: splice partial + the user it was answering into
+        // the chain so follow-ups like "keep going" still have context.
+        let seedChain: TUIMessage[];
+        let recoveredTurns: TUIMessage[];
+        if (hookChain !== undefined) {
+          seedChain = hookChain;
+        } else if (partialAssistant !== undefined && inFlightUsers.length > 0) {
+          seedChain = [...settledMessages, inFlightUsers[0]!, partialAssistant];
+        } else {
+          seedChain = settledMessages;
+        }
+        if (hookRecoveredTurns !== undefined) {
+          recoveredTurns = hookRecoveredTurns;
+        } else if (partialAssistant !== undefined && inFlightUsers.length > 0) {
+          recoveredTurns = inFlightUsers.slice(1);
+        } else {
+          recoveredTurns = inFlightUsers;
+        }
+        // `beforeBoot` errors bubble — the customer opted into blocking
+        // persistence and a failure there should fail the run rather than
+        // dispatch recovered turns against half-persisted state.
+        if (hookBeforeBoot) {
+          await hookBeforeBoot();
+        }
+
+        // Advance the session.in cursor past every recovered user so
+        // the live subscription doesn't re-deliver them.
+        if (replayedInTail.length > 0) {
+          const lastRecoveredSeq = replayedInTail[replayedInTail.length - 1]!.seqNum;
+          const currentCursor = sessionStreams.lastSeqNum(payload.chatId, "in");
+          if (currentCursor === undefined || lastRecoveredSeq > currentCursor) {
+            sessionStreams.setLastSeqNum(payload.chatId, "in", lastRecoveredSeq);
+            sessionStreams.setLastDispatchedSeqNum(payload.chatId, "in", lastRecoveredSeq);
+          }
+        }
+
+        // Synthesize wire payloads for each recoveredTurn. The turn-loop
+        // pops these ahead of `messagesInput.waitWithIdleTimeout` so they
+        // dispatch as normal turns with the existing hook stack.
+        //
+        // Per-record metadata preservation: each session.in record
+        // carries its own `payload.metadata` (the transport sets it at
+        // send time). Look up the original by message id so a recovered
+        // turn dispatches with the metadata its writer actually sent.
+        // Fall back to the boot payload's metadata for hook-synthesized
+        // messages (customer returned a recoveredTurn with no matching
+        // session.in record).
+        //
+        // OOM-retry dedup: if `payload.message` is the same user message
+        // the queue is about to redispatch (the wire payload survives
+        // across attempts, but session.in records it once), the wire
+        // payload already runs turn 0 — drop the duplicate from the queue
+        // so we don't fire the same turn twice.
+        const wireMessageId =
+          (payload.message as { id?: string } | undefined)?.id;
+        const metadataById = new Map<string, unknown>();
+        for (const entry of replayedInTail) {
+          metadataById.set(entry.message.id, entry.metadata);
+        }
+        for (const msg of recoveredTurns) {
+          if (wireMessageId && msg.id === wireMessageId) continue;
+          const recoveredMetadata = metadataById.has(msg.id)
+            ? metadataById.get(msg.id)
+            : payload.metadata;
+          bootInjectedQueue.push({
+            chatId: payload.chatId,
+            sessionId: payload.sessionId,
+            metadata: recoveredMetadata,
+            trigger: "submit-message",
+            message: msg,
+            messageId: msg.id,
+            continuation: payload.continuation,
+            previousRunId: payload.previousRunId,
+          } as ChatTaskWirePayload<TUIMessage, inferSchemaIn<TClientDataSchema>>);
+        }
+
+        accumulatedUIMessages = seedChain;
+
+        // ── Head-start bootstrap ─────────────────────────────────────
+        //
+        // The very-first turn of a head-start handover has no snapshot
+        // (it doesn't exist yet) and no `session.out` history (the run
+        // just woke up). The customer's HTTP route handler ships full
+        // UIMessage history via `headStartMessages` — that's the only
+        // path where wire-borne UIMessage[] still seeds the accumulator,
+        // and it's safe because the route handler isn't subject to the
+        // `/in/append` 512 KiB cap.
+        if (
+          accumulatedUIMessages.length === 0 &&
+          payload.trigger === "handover-prepare" &&
+          Array.isArray(payload.headStartMessages) &&
+          payload.headStartMessages.length > 0
+        ) {
+          accumulatedUIMessages = [...(payload.headStartMessages as TUIMessage[])];
+        }
+
+        if (accumulatedUIMessages.length > 0) {
+          // Resolve a function-form `tools` with the run/continuation payload's
+          // clientData so this conversion of the restored history applies each
+          // tool's toModelOutput (static tools were already seeded above). This
+          // only re-renders saved history, so it fails open: a resolver hiccup
+          // logs and converts without tools rather than blocking the resume.
+          // Per-turn resolveTurnTools still fails closed for live turns.
+          if (typeof toolsOption === "function") {
+            try {
+              await resolveTurnTools({
+                chatId: payload.chatId,
+                turn: 0,
+                continuation: payload.continuation ?? false,
+                clientData: parseClientData
+                  ? await parseClientData(payload.metadata)
+                  : payload.metadata,
+              });
+            } catch (error) {
+              logger.warn(
+                "chat.agent: tools() resolver threw at boot; restored history converted without toModelOutput",
+                { error: error instanceof Error ? error.message : String(error) }
+              );
+            }
+          }
+          try {
+            accumulatedMessages = await toModelMessages(accumulatedUIMessages);
+          } catch (error) {
+            logger.warn("chat.agent: toModelMessages failed at boot; starting empty", {
+              error: error instanceof Error ? error.message : String(error),
+              sessionId: sessionIdForSnapshot,
+            });
+            accumulatedMessages = [];
+          }
+        }
+
+        // Make the seeded UI accumulator visible to `chat.history.*`
+        // before any hook (`onChatStart`, `onTurnStart`, etc.) fires.
+        locals.set(chatCurrentUIMessagesKey, accumulatedUIMessages);
+
+      }
+
+      // Token usage tracking across turns
+      let previousTurnUsage: LanguageModelUsage | undefined;
+      let cumulativeUsage: LanguageModelUsage = emptyUsage();
+
+      // Mutable reference to the current turn's stop controller so the
+      // stop input stream listener (registered once) can abort the right turn.
+      let currentStopController: AbortController | undefined;
+
+      // Stop-input subscription is registered AFTER preload's wait resolves
+      // (see the post-preload block below). Registering it earlier would
+      // cause it to drain any session.in records buffered before the runtime
+      // started — including the customer's first user message arriving on
+      // `kind: "message"`. The persistent-listener semantics of session.in
+      // pop the buffer when a handler attaches; the stop listener filters
+      // out anything that isn't `kind: "stop"` and silently swallows the
+      // user message instead of leaving it for `messagesInput.waitWithIdleTimeout`
+      // to pick up.
+      let stopSub: { off: () => void } | undefined;
+
+      try {
+        // ── onBoot — fires once per fresh worker process picking up the chat.
+        //
+        // Runs BEFORE `onPreload`, `onChatStart`, the continuation-wait
+        // branch, and any turn. This is the hook customers use to do
+        // per-process setup that has to repeat for every boot (initial
+        // run, preloaded run, AND reactive continuation): `chat.local`
+        // initialization, opening per-process resources, re-hydrating
+        // customer state from their DB on continuation.
+        //
+        // `onChatStart` is once-per-chat (`!couldHavePriorState` gate);
+        // when the prior run dies and a fresh worker boots, `onChatStart`
+        // does NOT fire — which is why customers initializing
+        // `chat.local` only in `onChatStart` previously crashed in
+        // `run()` on continuation. `onBoot` fills that gap.
+        if (onBoot) {
+          const bootClientData = (
+            parseClientData ? await parseClientData(payload.metadata) : payload.metadata
+          ) as inferSchemaOut<TClientDataSchema>;
+
+          let bootAccessToken = "";
+          const bootRunId = ctx.run.id;
+          if (bootRunId) {
+            try {
+              bootAccessToken = await auth.createPublicToken({
+                scopes: {
+                  read: {
+                    runs: bootRunId,
+                    sessions: payload.chatId,
+                  },
+                  write: {
+                    inputStreams: bootRunId,
+                    sessions: payload.chatId,
+                  },
+                },
+                expirationTime: chatAccessTokenTTL,
+              });
+            } catch {
+              // Token mint is best-effort — customers can re-mint from
+              // their own backend if they need one.
+            }
+          }
+
+          await tracer.startActiveSpan(
+            "onBoot()",
+            async () => {
+              await onBoot({
+                ctx,
+                chatId: payload.chatId,
+                runId: bootRunId,
+                chatAccessToken: bootAccessToken,
+                clientData: bootClientData,
+                continuation,
+                previousRunId,
+                preloaded,
+              });
+            },
+            {
+              attributes: {
+                [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onStart",
+                [SemanticInternalAttributes.COLLAPSED]: true,
+                "chat.id": payload.chatId,
+                "chat.continuation": continuation,
+                "chat.preloaded": preloaded,
+              },
+            }
+          );
+        }
+
+        // Handle preloaded runs — fire onPreload, then wait for the first real message
+        if (preloaded) {
+          if (activeSpan) {
+            activeSpan.setAttribute("chat.preloaded", true);
+          }
+
+          const currentRunId = ctx.run.id;
+          let preloadAccessToken = "";
+          if (currentRunId) {
+            try {
+              preloadAccessToken = await auth.createPublicToken({
+                scopes: {
+                  read: {
+                    runs: currentRunId,
+                    sessions: payload.chatId,
+                  },
+                  write: {
+                    inputStreams: currentRunId,
+                    sessions: payload.chatId,
+                  },
+                },
+                expirationTime: chatAccessTokenTTL,
+              });
+            } catch {
+              // Token creation failed
+            }
+          }
+
+          // Parse client data for the preload hook
+          const preloadClientData = (
+            parseClientData ? await parseClientData(payload.metadata) : payload.metadata
+          ) as inferSchemaOut<TClientDataSchema>;
+
+          // Fire onPreload hook
+          if (onPreload) {
+            await tracer.startActiveSpan(
+              "onPreload()",
+              async () => {
+                await withChatWriter(async (writer) => {
+                  await onPreload({
+                    ctx,
+                    chatId: payload.chatId,
+                    runId: currentRunId,
+                    chatAccessToken: preloadAccessToken,
+                    clientData: preloadClientData,
+                    writer,
+                  });
+                });
+              },
+              {
+                attributes: {
+                  [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onStart",
+                  [SemanticInternalAttributes.COLLAPSED]: true,
+                  "chat.id": payload.chatId,
+                  "chat.preloaded": true,
+                },
+              }
+            );
+          }
+
+          // Wait for the first real message — task-level idle settings win over
+          // `transport.preload(..., { idleTimeoutInSeconds })` / wire payload so
+          // `chat.agent({ idleTimeoutInSeconds, preloadIdleTimeoutInSeconds })` is authoritative.
+          const effectivePreloadIdleTimeout =
+            preloadIdleTimeoutInSeconds ??
+            idleTimeoutInSeconds ??
+            payload.idleTimeoutInSeconds;
+
+          const effectivePreloadTimeout =
+            (metadata.get(TURN_TIMEOUT_METADATA_KEY) as string | undefined) ??
+            preloadTimeout ??
+            turnTimeout;
+
+          const preloadResult = await messagesInput.waitWithIdleTimeout({
+            idleTimeoutInSeconds: effectivePreloadIdleTimeout,
+            timeout: effectivePreloadTimeout,
+            spanName: "waiting for first message",
+            skipSuspend: exitAfterPreloadIdle,
+            onSuspend: onChatSuspend
+              ? async () => {
+                await tracer.startActiveSpan(
+                  "onChatSuspend()",
+                  async () => {
+                    await onChatSuspend({
+                      phase: "preload",
+                      ctx,
+                      chatId: payload.chatId,
+                      runId: currentRunId,
+                      clientData: preloadClientData,
+                    });
+                  },
+                  {
+                    attributes: {
+                      [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onComplete",
+                      [SemanticInternalAttributes.COLLAPSED]: true,
+                      "chat.id": payload.chatId,
+                      "chat.suspend.phase": "preload",
+                    },
+                  }
+                );
+              }
+              : undefined,
+            onResume: onChatResume
+              ? async () => {
+                await tracer.startActiveSpan(
+                  "onChatResume()",
+                  async () => {
+                    await onChatResume({
+                      phase: "preload",
+                      ctx,
+                      chatId: payload.chatId,
+                      runId: currentRunId,
+                      clientData: preloadClientData,
+                    });
+                  },
+                  {
+                    attributes: {
+                      [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onStart",
+                      [SemanticInternalAttributes.COLLAPSED]: true,
+                      "chat.id": payload.chatId,
+                      "chat.resume.phase": "preload",
+                    },
+                  }
+                );
+              }
+              : undefined,
+          });
+
+          if (!preloadResult.ok) {
+            return; // Timed out waiting for first message — end run
+          }
+
+          let firstMessage = preloadResult.output;
+
+          currentWirePayload = firstMessage as ChatTaskWirePayload<
+            TUIMessage,
+            inferSchemaIn<TClientDataSchema>
+          >;
+
+          // Close signal during preload — exit before first turn
+          if (currentWirePayload.trigger === "close") {
+            return;
+          }
+        }
+
+        // Listen for stop signals for the rest of the run. Registered AFTER
+        // the preload wait resolves (or skipped immediately for non-preload
+        // triggers) so the persistent-listener semantics on session.in
+        // don't drain the buffered user message before
+        // `messagesInput.waitWithIdleTimeout` can pick it up. A stop signal
+        // that lands during the preload window is dropped — acceptable, the
+        // customer can't reasonably stop a chat that hasn't started.
+        stopSub = stopInput.on((data) => {
+          currentStopController?.abort(data?.message || "stopped");
+        });
+
+        // Handle handover-prepare runs — wait on session.in for the
+        // customer's `chat.handover` route handler to either hand off
+        // mid-turn (tool calls) or signal pure-text completion.
+        if (payload.trigger === "handover-prepare") {
+          if (activeSpan) {
+            activeSpan.setAttribute("chat.handoverPreparing", true);
+          }
+
+          const handoverResult = await handoverInput.waitWithIdleTimeout({
+            idleTimeoutInSeconds: idleTimeoutInSeconds ?? payload.idleTimeoutInSeconds ?? 60,
+            spanName: "waiting for handover signal",
+          });
+
+          if (!handoverResult.ok) {
+            // Handler crashed before signaling — exit cleanly.
+            return;
+          }
+
+          if (handoverResult.output.kind === "handover-skip") {
+            // Sent only when the customer's handler aborts before
+            // producing a finishReason. Normal pure-text and
+            // tool-call finishes go through `kind: "handover"` with
+            // `isFinal: true | false`. Exit without firing any turn
+            // hooks.
+            return;
+          }
+
+          // kind === "handover": stash the partial assistant message
+          // so turn-0 setup can append it after loading user
+          // messages. Two branches downstream, switched by `isFinal`:
+          //   - `false`: customer's step 1 ended with `tool-calls`.
+          //     The agent's `streamText` sees pending tool-calls (via
+          //     the approval round in the partial) and executes them,
+          //     then runs step 2's LLM call.
+          //   - `true`: customer's step 1 ended pure-text. The agent
+          //     runs the turn-loop hooks but SKIPS the `streamText`
+          //     call entirely (the response is already complete).
+          //     `onTurnComplete` fires with the partial as
+          //     `responseMessage` so persistence works normally.
+          locals.set(
+            chatHandoverPartialKey,
+            handoverResult.output.partialAssistantMessage
+          );
+          // Stash the customer-side step-1 messageId. Turn-0 setup
+          // uses it to seed the synthesized partial UIMessage with the
+          // SAME id, so the agent's post-handover chunks merge into
+          // the same assistant message on the browser side.
+          if (handoverResult.output.messageId) {
+            locals.set(chatHandoverMessageIdKey, handoverResult.output.messageId);
+          }
+          locals.set(chatHandoverIsFinalKey, handoverResult.output.isFinal);
+
+          // Synthesize a wire payload that the turn loop treats as a
+          // normal first-turn message. The accumulator was already seeded
+          // at boot from `payload.headStartMessages` (see B.3 head-start
+          // bootstrap), so the rewritten `submit-message` carries no
+          // delta — the loop runs streamText against the seeded state.
+          currentWirePayload = {
+            ...payload,
+            trigger: "submit-message",
+            message: undefined,
+            headStartMessages: undefined,
+          } as ChatTaskWirePayload<TUIMessage, inferSchemaIn<TClientDataSchema>>;
+        }
+
+        // Continuation-wait: a continuation run (post-`endRun`,
+        // post-waitpoint-timeout, etc.) booted with no incoming message.
+        // The server strips the Session's basePayload `message` /
+        // `messages` / `trigger` on continuation so a stale one-shot boot
+        // payload doesn't re-fire on every resume. Without a real first
+        // message, we have nothing to process at turn 0 — wait silently
+        // for the next session.in record before entering the turn loop.
+        // Unlike preload, `onPreload` does NOT fire (the chat already
+        // started); `onChatStart` will fire on the first turn with
+        // `continuation: true, preloaded: false`.
+        if (
+          !preloaded &&
+          payload.continuation === true &&
+          !payload.message &&
+          payload.trigger !== "handover-prepare" &&
+          payload.trigger !== "close"
+        ) {
+          if (activeSpan) {
+            activeSpan.setAttribute("chat.continuationWaiting", true);
+          }
+
+          const continuationClientData = (
+            parseClientData ? await parseClientData(payload.metadata) : payload.metadata
+          ) as inferSchemaOut<TClientDataSchema>;
+
+          // Recovery-boot injection: if `onRecoveryBoot` (or its default
+          // `inFlightUsers`) populated `bootInjectedQueue`, dispatch the
+          // first synthesized payload as the very first turn instead of
+          // waiting on the live session.in. Subsequent recovered turns
+          // get drained by the end-of-turn picker below.
+          if (bootInjectedQueue.length > 0) {
+            currentWirePayload = bootInjectedQueue.shift()!;
+          } else {
+
+          const effectiveIdleTimeout =
+            idleTimeoutInSeconds ?? payload.idleTimeoutInSeconds;
+          const effectiveTurnTimeout =
+            (metadata.get(TURN_TIMEOUT_METADATA_KEY) as string | undefined) ?? turnTimeout;
+
+          const continuationResult = await messagesInput.waitWithIdleTimeout({
+            idleTimeoutInSeconds: effectiveIdleTimeout,
+            timeout: effectiveTurnTimeout,
+            spanName: "waiting for first message (continuation)",
+            onSuspend: onChatSuspend
+              ? async () => {
+                  await tracer.startActiveSpan(
+                    "onChatSuspend()",
+                    async () => {
+                      await onChatSuspend({
+                        phase: "continuation",
+                        ctx,
+                        chatId: payload.chatId,
+                        runId: ctx.run.id,
+                        clientData: continuationClientData,
+                      });
+                    },
+                    {
+                      attributes: {
+                        [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onComplete",
+                        [SemanticInternalAttributes.COLLAPSED]: true,
+                        "chat.id": payload.chatId,
+                        "chat.suspend.phase": "continuation",
+                      },
+                    }
+                  );
+                }
+              : undefined,
+            onResume: onChatResume
+              ? async () => {
+                  await tracer.startActiveSpan(
+                    "onChatResume()",
+                    async () => {
+                      await onChatResume({
+                        phase: "continuation",
+                        ctx,
+                        chatId: payload.chatId,
+                        runId: ctx.run.id,
+                        clientData: continuationClientData,
+                      });
+                    },
+                    {
+                      attributes: {
+                        [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onStart",
+                        [SemanticInternalAttributes.COLLAPSED]: true,
+                        "chat.id": payload.chatId,
+                        "chat.resume.phase": "continuation",
+                      },
+                    }
+                  );
+                }
+              : undefined,
+          });
+
+          if (!continuationResult.ok) {
+            // Timed out waiting for the customer's next message — exit.
+            return;
+          }
+
+          currentWirePayload = continuationResult.output as ChatTaskWirePayload<
+            TUIMessage,
+            inferSchemaIn<TClientDataSchema>
+          >;
+
+          if (currentWirePayload.trigger === "close") {
+            return;
+          }
+          } // end else (no boot-injected first turn)
+        }
+
+        for (let turn = 0; turn < maxTurns; turn++) {
+          try {
+              // Extract turn-level context before entering the span. Slim
+              // wire: at most one delta message per record. `headStartMessages`
+              // is consumed at boot only (via `payload.headStartMessages`)
+              // and intentionally discarded here.
+              const {
+                metadata: wireMetadata,
+                message: incomingMessage,
+                headStartMessages: _hsm,
+                ...restWire
+              } = currentWirePayload;
+              void _hsm;
+              const incomingMessages: TUIMessage[] = incomingMessage
+                ? [incomingMessage as TUIMessage]
+                : [];
+              // Cleaning happens once here so `extractLastUserMessageText` and
+              // every downstream consumer see the same message shape — and
+              // `cleanupAbortedParts` no longer has to be re-applied below.
+              const cleanedIncomingMessages: TUIMessage[] = incomingMessages.map((msg) =>
+                msg.role === "assistant" ? cleanupAbortedParts(msg) : msg
+              );
+              const clientData = (
+                parseClientData ? await parseClientData(wireMetadata) : wireMetadata
+              ) as inferSchemaOut<TClientDataSchema>;
+              const lastUserMessage = extractLastUserMessageText(cleanedIncomingMessages);
+
+              // Actions are not turns. They use a different span name
+              // and don't carry a turn.number. Branched on at `isAction`.
+              const isAction = currentWirePayload.trigger === "action";
+              const spanName = isAction ? "chat action" : `chat turn ${turn + 1}`;
+
+              const turnAttributes: Attributes = {
+                ...(isAction ? {} : { "turn.number": turn + 1 }),
+                "gen_ai.conversation.id": currentWirePayload.chatId,
+                "gen_ai.operation.name": "chat",
+                "chat.trigger": currentWirePayload.trigger,
+                [SemanticInternalAttributes.STYLE_ICON]: isAction
+                  ? "tabler-bolt"
+                  : "tabler-message-chatbot",
+                [SemanticInternalAttributes.ENTITY_TYPE]: isAction ? "chat-action" : "chat-turn",
+              };
+
+              if (lastUserMessage) {
+                turnAttributes["chat.user_message"] = lastUserMessage;
+
+                // Show a truncated preview of the user message as an accessory
+                const preview =
+                  lastUserMessage.length > 80 ? lastUserMessage.slice(0, 80) + "..." : lastUserMessage;
+                Object.assign(
+                  turnAttributes,
+                  accessoryAttributes({
+                    items: [{ text: preview, variant: "normal" }],
+                    style: "codepath",
+                  })
+                );
+              }
+
+              if (wireMetadata !== undefined) {
+                turnAttributes["chat.client_data"] =
+                  typeof wireMetadata === "string" ? wireMetadata : JSON.stringify(wireMetadata);
+              }
+
+              const turnResult = await tracer.startActiveSpan(
+                spanName,
+                async (turnSpan) => {
+                  // (errors are caught by the outer try/catch which writes an error chunk)
+                  locals.set(chatPipeCountKey, 0);
+                  locals.set(chatDeferKey, new Set());
+                  locals.set(chatCompactionStateKey, undefined);
+                  locals.set(chatSteeringQueueKey, []);
+                  locals.set(chatResponsePartsKey, []);
+                  // NOTE: chatBackgroundQueueKey is NOT reset here — messages injected
+                  // by deferred work from the previous turn's onTurnComplete need to
+                  // survive into the next turn. The queue is drained before run().
+                  locals.set(chatInjectedMessageIdsKey, new Set());
+
+                  // Store chat context for auto-detection by task-tool subtasks (ai.toolExecute / legacy ai.tool)
+                  locals.set(chatTurnContextKey, {
+                    chatId: currentWirePayload.chatId,
+                    turn,
+                    continuation,
+                    clientData,
+                  });
+
+                  // Resolve the per-turn `tools` set now that turn context
+                  // (incl. parsed clientData) exists, so every toModelMessages
+                  // call this turn can re-apply tool `toModelOutput`.
+                  await resolveTurnTools();
+
+                  // Per-turn stop controller (reset each turn)
+                  const stopController = new AbortController();
+                  currentStopController = stopController;
+                  locals.set(chatStopControllerKey, stopController);
+
+                  // Three signals for the user's run function
+                  const stopSignal = stopController.signal;
+                  const cancelSignal = runSignal;
+                  const combinedSignal = AbortSignal.any([runSignal, stopController.signal]);
+
+                  // Buffer messages that arrive during streaming
+                  const pendingMessages: ChatTaskWirePayload<
+                    TUIMessage,
+                    inferSchemaIn<TClientDataSchema>
+                  >[] = [];
+                  const pmConfig = locals.get(chatPendingMessagesKey);
+                  const msgSub = messagesInput.on(async (msg) => {
+                    // If pendingMessages is configured, route to the steering queue
+                    // instead of the wire buffer. The frontend handles re-sending
+                    // non-injected messages via sendMessage on turn complete.
+                    if (pmConfig) {
+                      // Slim wire: at most one delta message per record. The
+                      // pendingMessages handler reads `msg.message` directly
+                      // instead of slicing an array — a wire record arrives
+                      // with the new user message in `.message`, or no message
+                      // at all (regenerate / preload / close / handover-prepare).
+                      const lastUIMessage = msg.message as TUIMessage | undefined;
+                      if (lastUIMessage) {
+                        if (pmConfig.onReceived) {
+                          try {
+                            await pmConfig.onReceived({
+                              message: lastUIMessage as TUIMessage,
+                              chatId: currentWirePayload.chatId,
+                              turn,
+                            });
+                          } catch {
+                            /* non-fatal */
+                          }
+                        }
+
+                        try {
+                          const queue = locals.get(chatSteeringQueueKey) ?? [];
+                          // Deduplicate by message ID — guards against double-sends
+                          if (
+                            lastUIMessage.id &&
+                            queue.some((e) => e.uiMessage.id === lastUIMessage.id)
+                          ) {
+                            return;
+                          }
+                          const modelMsgs = await toModelMessages([lastUIMessage]);
+                          queue.push({
+                            uiMessage: lastUIMessage as UIMessage,
+                            modelMessages: modelMsgs,
+                          });
+                          locals.set(chatSteeringQueueKey, queue);
+                        } catch {
+                          /* conversion failed — skip steering queue */
+                        }
+                      }
+                      return; // Don't add to wire buffer — frontend handles non-injected case
+                    }
+
+                    // No pendingMessages config — standard wire buffer for next turn
+                    pendingMessages.push(
+                      msg as ChatTaskWirePayload<TUIMessage, inferSchemaIn<TClientDataSchema>>
+                    );
+                  });
+
+                  // Track new messages for this turn (user input + assistant response).
+                  const turnNewModelMessages: ModelMessage[] = [];
+                  const turnNewUIMessages: TUIMessage[] = [];
+
+                  // ── Action handling ──────────────────────────────────────
+                  // Actions arrive on the same input stream but with
+                  // trigger === "action". They are NOT turns — only
+                  // `hydrateMessages` and `onAction` fire. No turn lifecycle
+                  // hooks (`onTurnStart` / `prepareMessages` /
+                  // `onBeforeTurnComplete` / `onTurnComplete`) and no
+                  // `run()` invocation. To produce a model response from
+                  // an action, return a `StreamTextResult` (auto-piped),
+                  // string, or UIMessage from `onAction`. Turn counter
+                  // does not advance.
+                  let actionStreamResult: unknown = undefined;
+                  if (isAction) {
+                    // Parse and validate the action payload
+                    const parsedAction = parseAction
+                      ? await parseAction(currentWirePayload.action)
+                      : currentWirePayload.action;
+
+                    // Hydrate messages from backend if configured
+                    if (hydrateMessages) {
+                      const hydrated = await tracer.startActiveSpan(
+                        "hydrateMessages()",
+                        async () => {
+                          return hydrateMessages({
+                            chatId: currentWirePayload.chatId,
+                            turn,
+                            trigger: "action",
+                            incomingMessages: [] as TUIMessage[],
+                            previousMessages: [...accumulatedUIMessages],
+                            clientData,
+                            continuation,
+                            previousRunId,
+                          });
+                        },
+                        {
+                          attributes: {
+                            [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onStart",
+                            [SemanticInternalAttributes.COLLAPSED]: true,
+                            "chat.id": currentWirePayload.chatId,
+                            "chat.trigger": "action",
+                          },
+                        }
+                      );
+                      accumulatedUIMessages = [...hydrated] as TUIMessage[];
+                      accumulatedMessages = await toModelMessages(hydrated);
+                      locals.set(chatCurrentUIMessagesKey, accumulatedUIMessages);
+                    }
+
+                    // Fire onAction — handler may mutate state via
+                    // `chat.history.*` and / or return a model response.
+                    if (onAction) {
+                      actionStreamResult = await tracer.startActiveSpan(
+                        "onAction()",
+                        async () => {
+                          return await onAction({
+                            action: parsedAction as any,
+                            chatId: currentWirePayload.chatId,
+                            turn,
+                            clientData,
+                            uiMessages: accumulatedUIMessages,
+                            messages: accumulatedMessages,
+                          });
+                        },
+                        {
+                          attributes: {
+                            [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onStart",
+                            [SemanticInternalAttributes.COLLAPSED]: true,
+                            "chat.id": currentWirePayload.chatId,
+                            "chat.action":
+                              typeof parsedAction === "object" && parsedAction !== null
+                                ? JSON.stringify(parsedAction)
+                                : String(parsedAction),
+                          },
+                        }
+                      );
+
+                      // Apply chat.history mutations from onAction
+                      const actionOverride = locals.get(chatOverrideMessagesKey);
+                      if (actionOverride) {
+                        locals.set(chatOverrideMessagesKey, undefined);
+                        accumulatedUIMessages = [...actionOverride] as TUIMessage[];
+                        accumulatedMessages = await toModelMessages(actionOverride);
+                        locals.set(chatCurrentUIMessagesKey, accumulatedUIMessages);
+                      }
+                    } else {
+                      warnMissingOnActionOnce();
+                    }
+                  }
+
+                  // ── Message handling (non-action turns) ───────────────────
+                  //
+                  // Slim wire: at most one delta message arrives per record.
+                  // The accumulator was already seeded at boot from a durable
+                  // snapshot + `session.out` replay (or `hydrateMessages`,
+                  // which also fires per-turn below). Per-turn handling is
+                  // therefore a delta merge, not a full-history reset.
+                  if (currentWirePayload.trigger !== "action") {
+
+                  let cleanedUIMessages: TUIMessage[] = cleanedIncomingMessages;
+
+                  // Turn-0 head-start with hydrateMessages: the boot seeding from
+                  // `payload.headStartMessages` is non-hydrate-only, so ship the
+                  // route handler's first-turn history to the hydrate hook as
+                  // incoming messages instead (gated on the pending handover).
+                  if (
+                    turn === 0 &&
+                    hydrateMessages &&
+                    cleanedUIMessages.length === 0 &&
+                    (locals.get(chatHandoverPartialKey)?.length ?? 0) > 0 &&
+                    Array.isArray(payload.headStartMessages) &&
+                    payload.headStartMessages.length > 0
+                  ) {
+                    cleanedUIMessages = payload.headStartMessages as TUIMessage[];
+                  }
+
+                  // Validate/transform UIMessages before conversion — catches malformed
+                  // messages from storage or untrusted input before they reach the model.
+                  // Slim wire: triggers like `regenerate-message` carry no incoming
+                  // message; nothing to validate, so skip the hook to avoid feeding
+                  // `[]` to validators (AI SDK's `validateUIMessages` rejects empty).
+                  if (onValidateMessages && cleanedUIMessages.length > 0) {
+                    cleanedUIMessages = (await tracer.startActiveSpan(
+                      "onValidateMessages()",
+                      async () => {
+                        return onValidateMessages({
+                          messages: cleanedUIMessages as TUIMessage[],
+                          chatId: currentWirePayload.chatId,
+                          turn,
+                          trigger: currentWirePayload.trigger as ValidateMessagesEvent["trigger"],
+                        });
+                      },
+                      {
+                        attributes: {
+                          [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onStart",
+                          [SemanticInternalAttributes.COLLAPSED]: true,
+                          "chat.id": currentWirePayload.chatId,
+                          "chat.turn": turn + 1,
+                          "chat.messages.count": cleanedUIMessages.length,
+                        },
+                      }
+                    )) as TUIMessage[];
+                  }
+
+                  if (hydrateMessages) {
+                    // Snapshot the ids the accumulator knew BEFORE this
+                    // turn ran — used below to decide whether an
+                    // incoming wire message is genuinely new or just a
+                    // state advance on an existing entry. We can't use
+                    // the post-`hydrateMessages` array for this because
+                    // the canonical hook pattern pushes the incoming
+                    // user message into the persisted chain and
+                    // returns it.
+                    const previouslyKnownMessageIds = new Set(
+                      accumulatedUIMessages
+                        .map((m) => m.id)
+                        .filter((id): id is string => typeof id === "string")
+                    );
+
+                    // Backend hydration: load the full message history from the user's
+                    // backend, replacing the built-in accumulator entirely. With slim
+                    // wire, `incomingMessages` is consistently 0-or-1-length — what
+                    // was always true for `submit-message` is now true for every
+                    // trigger.
+                    const hydrated = await tracer.startActiveSpan(
+                      "hydrateMessages()",
+                      async () => {
+                        return hydrateMessages({
+                          chatId: currentWirePayload.chatId,
+                          turn,
+                          trigger: currentWirePayload.trigger as
+                            | "submit-message"
+                            | "regenerate-message",
+                          incomingMessages: cleanedUIMessages as TUIMessage[],
+                          previousMessages: [...accumulatedUIMessages],
+                          clientData,
+                          continuation,
+                          previousRunId,
+                        });
+                      },
+                      {
+                        attributes: {
+                          [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onStart",
+                          [SemanticInternalAttributes.COLLAPSED]: true,
+                          "chat.id": currentWirePayload.chatId,
+                          "chat.turn": turn + 1,
+                          "chat.trigger": currentWirePayload.trigger,
+                          "chat.incoming_messages.count": cleanedUIMessages.length,
+                        },
+                      }
+                    );
+
+                    // Per-turn merge of incoming wire messages onto the hydrated
+                    // chain. Hydrated stays authoritative for text, reasoning
+                    // blobs, provider metadata, and tool `input`; we only
+                    // overlay tool-part state/output/errorText for tool calls
+                    // the wire copy has just resolved. Apps that slim the wire
+                    // copy to fit the .in/append cap (or drop fields they
+                    // re-source from their own DB) get the hydrated copy
+                    // through unchanged.
+                    const merged = [...hydrated] as TUIMessage[];
+                    for (const incoming of cleanedUIMessages) {
+                      if (!incoming.id) continue;
+                      const idx = merged.findIndex((m) => m.id === incoming.id);
+                      if (idx !== -1) {
+                        merged[idx] = mergeIncomingIntoHydrated(
+                          merged[idx]!,
+                          incoming
+                        ) as TUIMessage;
+                      }
+                    }
+
+                    accumulatedUIMessages = merged;
+                    accumulatedMessages = await toModelMessages(merged);
+                    locals.set(chatCurrentUIMessagesKey, accumulatedUIMessages);
+
+                    // Track new messages for onTurnComplete.newUIMessages.
+                    // Only push for genuinely new ids — HITL continuations
+                    // whose incoming wire id matches an existing entry are
+                    // state advances on an old message, not new messages.
+                    // We compare against `previouslyKnownMessageIds`
+                    // captured BEFORE hydration, not against `hydrated`:
+                    // the canonical hydrate pattern pushes the incoming
+                    // user message into the persisted chain and returns
+                    // it, so the new id IS in `hydrated`, which would
+                    // wrongly drop every fresh user turn from
+                    // `newUIMessages`. The non-hydrate branch below has
+                    // the same "push only on append" semantic via its
+                    // own append-vs-replace path.
+                    if (
+                      currentWirePayload.trigger === "submit-message" &&
+                      cleanedUIMessages.length > 0
+                    ) {
+                      const lastUI = cleanedUIMessages[cleanedUIMessages.length - 1]!;
+                      const matchedExisting =
+                        lastUI.id !== undefined &&
+                        previouslyKnownMessageIds.has(lastUI.id);
+                      if (!matchedExisting) {
+                        turnNewUIMessages.push(lastUI);
+                        const lastModel = (await toModelMessages([lastUI]))[0];
+                        if (lastModel) turnNewModelMessages.push(lastModel);
+                      }
+                    }
+                  } else {
+                    // Default delta-merge accumulation.
+                    //
+                    // The accumulator was seeded at boot from snapshot+replay,
+                    // so it already reflects prior history. Per-turn handling
+                    // appends/replaces the single incoming delta message and
+                    // (for regenerate) trims the tail.
+                    if (currentWirePayload.trigger === "regenerate-message") {
+                      // Regenerate: trim trailing assistant messages from the
+                      // accumulator until the tail is a user message. AI SDK's
+                      // frontend `regenerate()` already removed the trailing
+                      // assistant from its local store; the wire signals "do
+                      // the same here", and the agent re-runs from the new
+                      // tail. No incoming message accompanies this trigger.
+                      while (
+                        accumulatedUIMessages.length > 0 &&
+                        accumulatedUIMessages[accumulatedUIMessages.length - 1]!.role !== "user"
+                      ) {
+                        accumulatedUIMessages.pop();
+                      }
+                      accumulatedMessages = await toModelMessages(accumulatedUIMessages);
+                    } else if (cleanedUIMessages.length > 0) {
+                      // Submit-message (and the special-cased
+                      // handover-prepare → submit-message rewrite earlier in
+                      // this scope): merge-or-append for the single delta
+                      // message.
+                      //
+                      // Tool approval responses arrive as a single assistant
+                      // message whose id collides with the existing assistant
+                      // in the accumulator — we merge the resolved tool-part
+                      // resolutions onto the existing entry, keeping text,
+                      // reasoning, and tool `input` from the prior snapshot.
+                      // The fallback for HITL `addToolOutput` continuations
+                      // where AI SDK regenerates the id (TRI-9137) still
+                      // applies via `rewriteIncomingIdViaToolCallMap`.
+                      let replaced = false;
+                      for (const raw of cleanedUIMessages) {
+                        let incoming = raw;
+                        let idx = accumulatedUIMessages.findIndex(
+                          (m) => m.id === incoming.id
+                        );
+                        if (idx === -1) {
+                          const rewritten = rewriteIncomingIdViaToolCallMap(incoming);
+                          if (rewritten.id !== incoming.id) {
+                            incoming = rewritten as typeof raw;
+                            idx = accumulatedUIMessages.findIndex(
+                              (m) => m.id === incoming.id
+                            );
+                          }
+                        }
+                        if (idx !== -1) {
+                          accumulatedUIMessages[idx] = mergeIncomingIntoHydrated(
+                            accumulatedUIMessages[idx]!,
+                            incoming
+                          ) as TUIMessage;
+                          replaced = true;
+                        } else {
+                          accumulatedUIMessages.push(incoming as TUIMessage);
+                          turnNewUIMessages.push(incoming as TUIMessage);
+                        }
+                        recordToolCallIdsFromMessage(incoming);
+                      }
+                      if (replaced) {
+                        // Replacement changes structure — reconvert all model
+                        // messages instead of appending.
+                        accumulatedMessages = await toModelMessages(accumulatedUIMessages);
+                      } else {
+                        const incomingModelMessages = await toModelMessages(cleanedUIMessages);
+                        accumulatedMessages.push(...incomingModelMessages);
+                      }
+                      if (turnNewUIMessages.length > 0) {
+                        turnNewModelMessages.push(
+                          ...(await toModelMessages(turnNewUIMessages))
+                        );
+                      }
+                    }
+                    // `preload` / `close` / `handover-prepare` and submits
+                    // with no incoming message fall through with the boot-
+                    // seeded accumulator unchanged.
+                  }
+
+                  if (turn === 0) {
+                    // Head-start handover splice (turn 0 only, BOTH
+                    // accumulation branches — hydrate and default): the
+                    // `chat.handover` route handler signalled a mid-turn
+                    // handover, so splice its partial assistant response
+                    // (text + pending tool-calls + the synthesized
+                    // tool-approval round) onto the accumulator.
+                    // `streamText` then hits AI SDK's initial-tool-
+                    // execution branch, runs the agent-side tool executes,
+                    // and resumes from step 2 — skipping the first model
+                    // call (already done by the handler).
+                    //
+                    // We also synthesize a UIMessage form of the partial
+                    // assistant and push it to `accumulatedUIMessages` so
+                    // AI SDK's `processUIMessageStream` (invoked when the
+                    // run loop calls `runResult.toUIMessageStream({
+                    // onFinish })`) can initialize `state.message` from
+                    // the trailing assistant in `originalMessages`. Without
+                    // that, the `tool-output-available` chunks emitted by
+                    // the initial-tool-execution branch can't find their
+                    // matching tool-call in state and AI SDK throws
+                    // `UIMessageStreamError: No tool invocation found`.
+                    const pendingHandoverPartial = locals.get(chatHandoverPartialKey);
+                    if (pendingHandoverPartial && pendingHandoverPartial.length > 0) {
+                      const handoverMessageId = locals.get(chatHandoverMessageIdKey);
+                      // Skip if the hydrated chain already persisted the
+                      // partial under the handover messageId.
+                      const alreadyInChain =
+                        handoverMessageId !== undefined &&
+                        accumulatedUIMessages.some((m) => m.id === handoverMessageId);
+                      if (!alreadyInChain) {
+                        accumulatedMessages.push(...pendingHandoverPartial);
+                        const partialUI = synthesizeHandoverUIMessage(
+                          pendingHandoverPartial,
+                          handoverMessageId
+                        );
+                        if (partialUI) {
+                          accumulatedUIMessages.push(partialUI as TUIMessage);
+                        }
+                      }
+                      locals.set(chatHandoverPartialKey, []); // consume once
+                    }
+                  }
+
+                  locals.set(chatCurrentUIMessagesKey, accumulatedUIMessages);
+
+                  } // end if (trigger !== "action")
+
+                  // ── Action result handling ──────────────────────────────
+                  // For action turns, skip the turn machinery entirely.
+                  // If `onAction` returned a stream / string / UIMessage,
+                  // pipe it as the response. Either way, emit
+                  // `trigger:turn-complete` and then fall through to the
+                  // wait-for-next-message logic (shared with message turns).
+                  // The turn counter is decremented so the next iteration
+                  // sees the same `turn` value — actions don't count.
+                  if (isAction) {
+                    msgSub.off();
+
+                    if (
+                      (locals.get(chatPipeCountKey) ?? 0) === 0 &&
+                      isUIMessageStreamable(actionStreamResult)
+                    ) {
+                      try {
+                        const resolvedOptions = resolveUIMessageStreamOptions();
+                        const uiStream = (
+                          actionStreamResult as UIMessageStreamable
+                        ).toUIMessageStream({
+                          ...resolvedOptions,
+                          generateMessageId:
+                            resolvedOptions.generateMessageId ?? generateMessageId,
+                        });
+                        await pipeChat(uiStream, {
+                          signal: combinedSignal,
+                          spanName: "stream response",
+                        });
+                      } catch (error) {
+                        if (
+                          error instanceof Error &&
+                          error.name === "AbortError" &&
+                          runSignal.aborted
+                        ) {
+                          return "exit";
+                        }
+                        throw error;
+                      }
+                    }
+
+                    await writeTurnCompleteChunk(currentWirePayload.chatId);
+
+                    // Don't consume a turn iteration — actions aren't turns.
+                    turn--;
+                  }
+
+                  if (!isAction) {
+
+                  // Mint a scoped public access token once per turn, reused for
+                  // onChatStart, onTurnStart, onTurnComplete, and the turn-complete chunk.
+                  const currentRunId = ctx.run.id;
+                  let turnAccessToken = "";
+                  if (currentRunId) {
+                    try {
+                      turnAccessToken = await auth.createPublicToken({
+                        scopes: {
+                          read: {
+                            runs: currentRunId,
+                            sessions: payload.chatId,
+                          },
+                          write: {
+                            inputStreams: currentRunId,
+                            sessions: payload.chatId,
+                          },
+                        },
+                        expirationTime: chatAccessTokenTTL,
+                      });
+                    } catch {
+                      // Token creation failed
+                    }
+                  }
+
+                  // Fire onChatStart on the very first message of a chat
+                  // (across the chat's entire lifetime). Gated on
+                  // `!couldHavePriorState` so it does NOT re-fire on
+                  // continuation runs (post-`endRun`, post-waitpoint-timeout)
+                  // or on OOM-retry attempts. Customers put one-time
+                  // chat-setup work in `onChatStart` (e.g. create the Chat
+                  // DB row, init user context) and that contract relies on
+                  // it firing exactly once per chat.
+                  if (turn === 0 && onChatStart && !couldHavePriorState) {
+                    await tracer.startActiveSpan(
+                      "onChatStart()",
+                      async () => {
+                        await withChatWriter(async (writer) => {
+                          await onChatStart({
+                            ctx,
+                            chatId: currentWirePayload.chatId,
+                            messages: accumulatedMessages,
+                            clientData,
+                            runId: currentRunId,
+                            chatAccessToken: turnAccessToken,
+                            continuation,
+                            previousRunId,
+                            preloaded,
+                            writer,
+                          });
+                        });
+                      },
+                      {
+                        attributes: {
+                          [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onStart",
+                          [SemanticInternalAttributes.COLLAPSED]: true,
+                          "chat.id": currentWirePayload.chatId,
+                          "chat.messages.count": accumulatedMessages.length,
+                          "chat.continuation": continuation,
+                          "chat.preloaded": preloaded,
+                          ...(previousRunId ? { "chat.previous_run_id": previousRunId } : {}),
+                        },
+                      }
+                    );
+                  }
+
+                  // Fire onTurnStart before running user code — persist messages
+                  // so a mid-stream page refresh still shows the user's message.
+                  if (onTurnStart) {
+                    await tracer.startActiveSpan(
+                      "onTurnStart()",
+                      async () => {
+                        await withChatWriter(async (writer) => {
+                          await onTurnStart({
+                            ctx,
+                            chatId: currentWirePayload.chatId,
+                            messages: accumulatedMessages,
+                            uiMessages: accumulatedUIMessages,
+                            turn,
+                            runId: currentRunId,
+                            chatAccessToken: turnAccessToken,
+                            clientData,
+                            continuation,
+                            previousRunId,
+                            preloaded,
+                            previousTurnUsage,
+                            totalUsage: cumulativeUsage,
+                            writer,
+                          });
+                        });
+
+                        // Check if onTurnStart replaced messages (compaction or chat.history)
+                        const turnStartOverride = locals.get(chatOverrideMessagesKey);
+                        if (turnStartOverride) {
+                          locals.set(chatOverrideMessagesKey, undefined);
+                          accumulatedUIMessages = [...turnStartOverride] as TUIMessage[];
+                          accumulatedMessages = await toModelMessages(turnStartOverride);
+                          locals.set(chatCurrentUIMessagesKey, accumulatedUIMessages);
+                        }
+                      },
+                      {
+                        attributes: {
+                          [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onStart",
+                          [SemanticInternalAttributes.COLLAPSED]: true,
+                          "chat.id": currentWirePayload.chatId,
+                          "chat.turn": turn + 1,
+                          "chat.messages.count": accumulatedMessages.length,
+                          "chat.trigger": currentWirePayload.trigger,
+                          "chat.continuation": continuation,
+                          "chat.preloaded": preloaded,
+                          ...(previousRunId ? { "chat.previous_run_id": previousRunId } : {}),
+                        },
+                      }
+                    );
+                  }
+
+                  // chat.requestUpgrade() called in onTurnStart (or onValidateMessages) —
+                  // skip run() and signal the transport to re-trigger the same message
+                  // on the new version.
+                  if (locals.get(chatUpgradeRequestedKey)) {
+                    await writeUpgradeRequiredChunk();
+                    return "exit";
+                  }
+
+                  // Captured by the onFinish callback below — works even on abort/stop.
+                  let capturedResponseMessage: TUIMessage | undefined;
+                  let capturedFinishReason: FinishReason | undefined;
+
+                  // Promise that resolves when the AI SDK's onFinish fires.
+                  // On abort, the stream's cancel() handler calls onFinish
+                  // asynchronously AFTER pipeChat resolves, so we must await
+                  // this to avoid a race where we check capturedResponseMessage
+                  // before it's been set.
+                  let resolveOnFinish: () => void;
+                  const onFinishPromise = new Promise<void>((r) => {
+                    resolveOnFinish = r;
+                  });
+                  let onFinishAttached = false;
+                  let runResult: unknown;
+
+                  // Pure-text head-start: customer's step 1 IS the
+                  // final response. Skip the user's `run` callback
+                  // (no LLM call) and use the synthesized partial
+                  // UIMessage as `capturedResponseMessage`. The post-
+                  // turn flow (`onBeforeTurnComplete` →
+                  // `onTurnComplete` → trigger:turn-complete) fires
+                  // normally so persistence works.
+                  const headStartIsFinal = locals.get(chatHandoverIsFinalKey);
+                  const isHeadStartFinalTurn = turn === 0 && headStartIsFinal === true;
+                  if (isHeadStartFinalTurn) {
+                    locals.set(chatHandoverIsFinalKey, undefined); // consume once
+                  }
+
+                  try {
+                    // Drain any messages injected by background work (e.g. self-review from previous turn).
+                    // Skip if the last message is a tool message — appending after it would
+                    // prevent streamText from finding pending tool approvals (it checks
+                    // the last message). The queued messages will be picked up by prepareStep
+                    // at the next step boundary instead.
+                    const lastAccumulated = accumulatedMessages[accumulatedMessages.length - 1];
+                    const bgQueue = locals.get(chatBackgroundQueueKey);
+                    if (bgQueue && bgQueue.length > 0 && lastAccumulated?.role !== "tool") {
+                      accumulatedMessages.push(...bgQueue.splice(0));
+                    }
+
+                    if (isHeadStartFinalTurn) {
+                      // The synthesized partial UIMessage IS the response.
+                      // It was pushed to `accumulatedUIMessages` during the
+                      // submit-message branch's splice; recover it as the
+                      // last assistant.
+                      const lastUI = accumulatedUIMessages[accumulatedUIMessages.length - 1];
+                      if (lastUI && lastUI.role === "assistant") {
+                        capturedResponseMessage = lastUI;
+                        capturedFinishReason = "stop";
+                      }
+                      // Don't call userRun. Don't pipe. Skip directly
+                      // to the post-turn flow below.
+                    } else {
+                      const preparedMessages = await applyPrepareMessages(accumulatedMessages, "run");
+                      runResult = await userRun({
+                        ...restWire,
+                        messages: preparedMessages,
+                        clientData,
+                        continuation,
+                        previousRunId,
+                        preloaded,
+                        previousTurnUsage,
+                        totalUsage: cumulativeUsage,
+                        ctx,
+                        tools: locals.get(chatResolvedToolsKey) ?? {},
+                        signal: combinedSignal,
+                        cancelSignal,
+                        stopSignal,
+                      } as any);
+                    }
+
+                    // Auto-pipe if the run function returned a StreamTextResult or similar,
+                    // but only if pipeChat() wasn't already called manually during this turn.
+                    // We call toUIMessageStream ourselves to attach onFinish for response capture.
+                    // Pass originalMessages so the AI SDK reuses message IDs across turns
+                    // (e.g. for tool approval continuations / HITL flows).
+                    if ((locals.get(chatPipeCountKey) ?? 0) === 0 && isUIMessageStreamable(runResult)) {
+                      onFinishAttached = true;
+                      const resolvedOptions = resolveUIMessageStreamOptions();
+                      // For action turns, don't pass originalMessages: the response
+                      // should always be a fresh assistant message, not a continuation
+                      // of whatever trailing assistant was left after chat.history
+                      // mutations.
+                      const isActionTurn = currentWirePayload.trigger === "action";
+                      const uiStream = runResult.toUIMessageStream({
+                        ...resolvedOptions,
+                        // Pass originalMessages so the AI SDK reuses message IDs across
+                        // turns (e.g. for tool approval continuations / HITL flows).
+                        // Omit for action turns to force a fresh response ID.
+                        ...(isActionTurn
+                          ? {}
+                          : { originalMessages: accumulatedUIMessages }),
+                        // Always provide generateMessageId so the start chunk carries a
+                        // messageId. Without this, the frontend and backend generate IDs
+                        // independently and they won't match for ID-based dedup.
+                        generateMessageId: resolvedOptions.generateMessageId ?? generateMessageId,
+                        onFinish: ({
+                          responseMessage,
+                          finishReason,
+                        }: {
+                          responseMessage: UIMessage;
+                          finishReason?: FinishReason;
+                        }) => {
+                          capturedResponseMessage = responseMessage as TUIMessage;
+                          capturedFinishReason = finishReason;
+                          resolveOnFinish!();
+                        },
+                      });
+                      await pipeChat(uiStream, { signal: combinedSignal, spanName: "stream response" });
+                    }
+                  } catch (error) {
+                    // Handle AbortError from streamText gracefully
+                    if (error instanceof Error && error.name === "AbortError") {
+                      if (runSignal.aborted) {
+                        return "exit"; // Full run cancellation — exit
+                      }
+                      // Stop generation — fall through to continue the loop
+                    } else {
+                      throw error;
+                    }
+                  } finally {
+                    msgSub.off();
+                  }
+
+                  // Wait for onFinish to fire — on abort this may resolve slightly
+                  // after pipeChat, since the stream's cancel() handler is async.
+                  // Race with a timeout so a stop-abort that prevents onFinish from
+                  // firing doesn't hang the turn loop indefinitely.
+                  if (onFinishAttached) {
+                    await Promise.race([
+                      onFinishPromise,
+                      new Promise<void>((r) => setTimeout(r, 2_000)),
+                    ]);
+                  }
+
+                  // Capture token usage from the streamText result (if available).
+                  // totalUsage is a PromiseLike that resolves after the stream is consumed.
+                  // Race with a 2s timeout — on stop-abort the AI SDK's totalUsage
+                  // promise can hang indefinitely (the underlying provider stream
+                  // never reports final usage), which would block the turn loop
+                  // from ever firing onTurnComplete / writeTurnComplete.
+                  let turnUsage: LanguageModelUsage | undefined;
+                  if (runResult != null && typeof (runResult as any).totalUsage?.then === "function") {
+                    try {
+                      turnUsage = (await Promise.race([
+                        (runResult as any).totalUsage,
+                        new Promise<undefined>((r) => setTimeout(() => r(undefined), 2_000)),
+                      ])) as LanguageModelUsage | undefined;
+                    } catch {
+                      /* non-fatal — usage capture failed */
+                    }
+                  }
+                  if (turnUsage) {
+                    cumulativeUsage = addUsage(cumulativeUsage, turnUsage);
+                    previousTurnUsage = turnUsage;
+
+                    // Add usage attributes to the turn span
+                    if (turnUsage.inputTokens != null) {
+                      turnSpan.setAttribute("gen_ai.usage.input_tokens", turnUsage.inputTokens);
+                    }
+                    if (turnUsage.outputTokens != null) {
+                      turnSpan.setAttribute("gen_ai.usage.output_tokens", turnUsage.outputTokens);
+                    }
+                    if (turnUsage.totalTokens != null) {
+                      turnSpan.setAttribute("gen_ai.usage.total_tokens", turnUsage.totalTokens);
+                    }
+                    if (cumulativeUsage.totalTokens != null) {
+                      turnSpan.setAttribute(
+                        "gen_ai.usage.cumulative_total_tokens",
+                        cumulativeUsage.totalTokens
+                      );
+                    }
+                    if (cumulativeUsage.inputTokens != null) {
+                      turnSpan.setAttribute(
+                        "gen_ai.usage.cumulative_input_tokens",
+                        cumulativeUsage.inputTokens
+                      );
+                    }
+                    if (cumulativeUsage.outputTokens != null) {
+                      turnSpan.setAttribute(
+                        "gen_ai.usage.cumulative_output_tokens",
+                        cumulativeUsage.outputTokens
+                      );
+                    }
+                  }
+
+                  // Check if run() (e.g. via prepareStep or chat.history) replaced messages
+                  // during this turn. The updated messages become the new base, and the
+                  // response gets appended on top.
+                  const runOverride = locals.get(chatOverrideMessagesKey);
+                  if (runOverride) {
+                    locals.set(chatOverrideMessagesKey, undefined);
+                    accumulatedUIMessages = [...runOverride] as TUIMessage[];
+                    accumulatedMessages = await toModelMessages(runOverride);
+                    locals.set(chatCurrentUIMessagesKey, accumulatedUIMessages);
+                  }
+
+                  // Check if compaction set a model-only override (preserves UI messages).
+                  // Apply compactUIMessages/compactModelMessages callbacks if configured.
+                  const modelOnlyOverride = locals.get(chatOverrideModelMessagesKey);
+                  if (modelOnlyOverride) {
+                    const compactionSummary = locals.get(chatCompactionStateKey)?.summary ?? "";
+                    const taskCompactionConfig = locals.get(chatAgentCompactionKey);
+                    locals.set(chatOverrideModelMessagesKey, undefined);
+
+                    const compactEvent: CompactMessagesEvent<TUIMessage> = {
+                      summary: compactionSummary,
+                      uiMessages: accumulatedUIMessages,
+                      modelMessages: accumulatedMessages,
+                      chatId: currentWirePayload.chatId,
+                      turn,
+                      clientData,
+                      source: "inner",
+                    };
+
+                    // Apply model messages: callback or default (use override)
+                    accumulatedMessages = taskCompactionConfig?.compactModelMessages
+                      ? await taskCompactionConfig.compactModelMessages(compactEvent)
+                      : modelOnlyOverride;
+
+                    // Apply UI messages: callback or default (preserve all)
+                    if (taskCompactionConfig?.compactUIMessages) {
+                      accumulatedUIMessages = (await taskCompactionConfig.compactUIMessages(
+                        compactEvent
+                      )) as TUIMessage[];
+                    }
+                  }
+
+                  // Determine if the user stopped generation this turn (not a full run cancel).
+                  const wasStopped = stopController.signal.aborted && !runSignal.aborted;
+
+                  // Append the assistant's response (partial or complete) to the accumulator.
+                  // The onFinish callback fires even on abort/stop, so partial responses
+                  // from stopped generation are captured correctly.
+                  let rawResponseMessage: TUIMessage | undefined;
+                  if (capturedResponseMessage) {
+                    // Keep the raw message before cleanup for users who want custom handling
+                    rawResponseMessage = capturedResponseMessage;
+                    // Clean up aborted parts (streaming tool calls, reasoning) when stopped
+                    if (wasStopped) {
+                      capturedResponseMessage = cleanupAbortedParts(capturedResponseMessage);
+                    }
+                    // Ensure the response message has an ID (the stream's onFinish
+                    // may produce a message with an empty ID since IDs are normally
+                    // assigned by the frontend's useChat).
+                    if (!capturedResponseMessage.id) {
+                      capturedResponseMessage = { ...capturedResponseMessage, id: generateMessageId() };
+                    }
+                    // Append any non-transient data parts queued via chat.response or writer.write()
+                    const queuedParts = locals.get(chatResponsePartsKey);
+                    if (queuedParts && queuedParts.length > 0) {
+                      capturedResponseMessage = {
+                        ...capturedResponseMessage,
+                        parts: [...capturedResponseMessage.parts, ...queuedParts],
+                      } as TUIMessage;
+                      locals.set(chatResponsePartsKey, []);
+                    }
+                    // Tool-approval continuations: the AI SDK reuses the trailing
+                    // assistant's ID (via originalMessages) so the captured response
+                    // carries the same ID as an existing message. Replace in place
+                    // instead of pushing a duplicate. For action turns this never
+                    // matches because originalMessages is omitted (fresh ID).
+                    const existingIdx = capturedResponseMessage.id
+                      ? accumulatedUIMessages.findIndex(
+                          (m) => m.id === capturedResponseMessage!.id
+                        )
+                      : -1;
+                    if (existingIdx !== -1) {
+                      accumulatedUIMessages[existingIdx] = capturedResponseMessage;
+                    } else {
+                      accumulatedUIMessages.push(capturedResponseMessage);
+                    }
+                    turnNewUIMessages.push(capturedResponseMessage);
+                    locals.set(chatCurrentUIMessagesKey, accumulatedUIMessages);
+                    // Record toolCallId → head messageId so a HITL
+                    // continuation next turn can recover the head id
+                    // even if the AI SDK regenerates it. See
+                    // `chatToolCallToMessageIdKey` for the full
+                    // rationale (TRI-9137).
+                    recordToolCallIdsFromMessage(capturedResponseMessage);
+                    try {
+                      const responseModelMessages = await toModelMessages([
+                        stripProviderMetadata(capturedResponseMessage),
+                      ]);
+                      if (existingIdx !== -1) {
+                        // Reconvert all model messages since we replaced rather than appended
+                        accumulatedMessages = await toModelMessages(accumulatedUIMessages);
+                      } else {
+                        accumulatedMessages.push(...responseModelMessages);
+                      }
+                      turnNewModelMessages.push(...responseModelMessages);
+                    } catch {
+                      // Conversion failed — skip accumulation for this turn
+                    }
+                  }
+                  // If there's no captured response (manual pipe mode) but there are
+                  // queued data parts, create a minimal response message to hold them.
+                  if (!capturedResponseMessage) {
+                    const remainingParts = locals.get(chatResponsePartsKey);
+                    if (remainingParts && remainingParts.length > 0) {
+                      capturedResponseMessage = {
+                        id: generateMessageId(),
+                        role: "assistant" as const,
+                        parts: [...remainingParts],
+                      } as TUIMessage;
+                      locals.set(chatResponsePartsKey, []);
+                      accumulatedUIMessages.push(capturedResponseMessage);
+                      turnNewUIMessages.push(capturedResponseMessage);
+                      locals.set(chatCurrentUIMessagesKey, accumulatedUIMessages);
+                    }
+                  }
+
+                  if (runSignal.aborted) return "exit";
+
+                  // Await deferred background work (e.g. DB writes from onTurnStart)
+                  // before firing hooks so they can rely on the work being done.
+                  const deferredWork = locals.get(chatDeferKey);
+                  if (deferredWork && deferredWork.size > 0) {
+                    await Promise.race([
+                      Promise.allSettled(deferredWork),
+                      new Promise<void>((r) => setTimeout(r, 5_000)),
+                    ]);
+                  }
+
+                  // Outer-loop compaction: runs between turns for single-step responses
+                  // where prepareStep never fires (no tool calls = no step boundaries).
+                  // Only triggers when: task has compaction configured, prepareStep didn't
+                  // already compact this turn, and shouldCompact returns true.
+                  const outerCompaction = locals.get(chatAgentCompactionKey);
+                  const innerCompactionState = locals.get(chatCompactionStateKey);
+
+                  if (outerCompaction && !innerCompactionState && turnUsage && !wasStopped) {
+                    const shouldTrigger = await outerCompaction.shouldCompact({
+                      messages: accumulatedMessages,
+                      totalTokens: turnUsage.totalTokens,
+                      inputTokens: turnUsage.inputTokens,
+                      outputTokens: turnUsage.outputTokens,
+                      usage: turnUsage,
+                      totalUsage: cumulativeUsage,
+                      chatId: currentWirePayload.chatId,
+                      turn,
+                      clientData,
+                      source: "outer",
+                    });
+
+                    if (shouldTrigger) {
+                      await tracer.startActiveSpan(
+                        "context compaction (outer loop)",
+                        async (compactionSpan) => {
+                          const compactionId = generateMessageId();
+
+                          const { waitUntilComplete } = chatStream.writer({
+                            spanName: "stream compaction chunks",
+                            collapsed: true,
+                            execute: async ({ write, merge }) => {
+                              write({
+                                type: "data-compaction",
+                                id: compactionId,
+                                data: { status: "compacting", totalTokens: turnUsage.totalTokens },
+                                transient: true,
+                              });
+
+                              const summary = await outerCompaction.summarize({
+                                messages: accumulatedMessages,
+                                usage: turnUsage,
+                                totalUsage: cumulativeUsage,
+                                chatId: currentWirePayload.chatId,
+                                turn,
+                                clientData,
+                                source: "outer",
+                              });
+
+                              // Apply compactModelMessages/compactUIMessages callbacks, or defaults.
+
+                              const outerCompactEvent: CompactMessagesEvent<TUIMessage> = {
+                                summary,
+                                uiMessages: accumulatedUIMessages,
+                                modelMessages: accumulatedMessages,
+                                chatId: currentWirePayload.chatId,
+                                turn,
+                                clientData,
+                                source: "outer",
+                              };
+
+                              // Model messages: callback or default (replace with summary)
+                              accumulatedMessages = outerCompaction.compactModelMessages
+                                ? await outerCompaction.compactModelMessages(outerCompactEvent)
+                                : [
+                                  {
+                                    role: "assistant" as const,
+                                    content: [
+                                      {
+                                        type: "text" as const,
+                                        text: `[Conversation summary]\n\n${summary}`,
+                                      },
+                                    ],
+                                  },
+                                ];
+
+                              // UI messages: callback or default (preserve all)
+                              if (outerCompaction.compactUIMessages) {
+                                accumulatedUIMessages = (await outerCompaction.compactUIMessages(
+                                  outerCompactEvent
+                                )) as TUIMessage[];
+                              }
+
+                              // Fire onCompacted hook
+                              const onCompactedHook = locals.get(chatOnCompactedKey);
+                              if (onCompactedHook) {
+                                await onCompactedHook({
+                                  ctx,
+                                  summary,
+                                  messages: accumulatedMessages,
+                                  messageCount: accumulatedMessages.length,
+                                  usage: turnUsage,
+                                  totalTokens: turnUsage.totalTokens,
+                                  inputTokens: turnUsage.inputTokens,
+                                  outputTokens: turnUsage.outputTokens,
+                                  stepNumber: -1, // outer loop, not a step
+                                  chatId: currentWirePayload.chatId,
+                                  turn,
+                                  writer: { write, merge },
+                                });
+                              }
+
+                              compactionSpan.setAttribute("compaction.summary_length", summary.length);
+
+                              write({
+                                type: "data-compaction",
+                                id: compactionId,
+                                data: { status: "complete", totalTokens: turnUsage.totalTokens },
+                                transient: true,
+                              });
+                            },
+                          });
+                          await waitUntilComplete();
+                        },
+                        {
+                          attributes: {
+                            [SemanticInternalAttributes.STYLE_ICON]: "tabler-scissors",
+                            "compaction.total_tokens": turnUsage.totalTokens ?? 0,
+                            "compaction.input_tokens": turnUsage.inputTokens ?? 0,
+                            "compaction.message_count": accumulatedMessages.length,
+                            "compaction.outer_loop": true,
+                            "compaction.turn": turn,
+                            ...(currentWirePayload.chatId
+                              ? { "compaction.chat_id": currentWirePayload.chatId }
+                              : {}),
+                            ...accessoryAttributes({
+                              items: [
+                                { text: `${turnUsage.totalTokens ?? 0} tokens`, variant: "normal" },
+                                { text: `${accumulatedMessages.length} msgs`, variant: "normal" },
+                                { text: "outer loop", variant: "normal" },
+                              ],
+                              style: "codepath",
+                            }),
+                          },
+                        }
+                      );
+                    }
+                  }
+
+                  const turnCompleteEvent = {
+                    ctx,
+                    chatId: currentWirePayload.chatId,
+                    messages: accumulatedMessages,
+                    uiMessages: accumulatedUIMessages,
+                    newMessages: turnNewModelMessages,
+                    newUIMessages: turnNewUIMessages,
+                    responseMessage: capturedResponseMessage,
+                    rawResponseMessage,
+                    turn,
+                    runId: currentRunId,
+                    chatAccessToken: turnAccessToken,
+                    clientData,
+                    stopped: wasStopped,
+                    continuation,
+                    previousRunId,
+                    preloaded,
+                    usage: turnUsage,
+                    totalUsage: cumulativeUsage,
+                    finishReason: capturedFinishReason,
+                  };
+
+                  // Fire onBeforeTurnComplete — stream is still open so the hook
+                  // can write custom chunks to the frontend (e.g. compaction progress).
+                  if (onBeforeTurnComplete) {
+                    await tracer.startActiveSpan(
+                      "onBeforeTurnComplete()",
+                      async () => {
+                        await withChatWriter(async (writer) => {
+                          await onBeforeTurnComplete({ ...turnCompleteEvent, writer });
+                        });
+
+                        // Check if the hook replaced messages (compaction or chat.history)
+                        const override = locals.get(chatOverrideMessagesKey);
+                        if (override) {
+                          locals.set(chatOverrideMessagesKey, undefined);
+                          accumulatedUIMessages = [...override] as TUIMessage[];
+                          accumulatedMessages = await toModelMessages(override);
+                          locals.set(chatCurrentUIMessagesKey, accumulatedUIMessages);
+                          // Update event so onTurnComplete sees compacted messages
+                          turnCompleteEvent.messages = accumulatedMessages;
+                          turnCompleteEvent.uiMessages = accumulatedUIMessages;
+                        }
+                      },
+                      {
+                        attributes: {
+                          [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onComplete",
+                          [SemanticInternalAttributes.COLLAPSED]: true,
+                          "chat.id": currentWirePayload.chatId,
+                          "chat.turn": turn + 1,
+                        },
+                      }
+                    );
+                  }
+
+                  // Drain any late response parts added during onBeforeTurnComplete
+                  const lateParts = locals.get(chatResponsePartsKey);
+                  if (lateParts && lateParts.length > 0 && capturedResponseMessage) {
+                    const idx = accumulatedUIMessages.findIndex((m) => m.id === capturedResponseMessage!.id);
+                    if (idx !== -1) {
+                      const msg = accumulatedUIMessages[idx]!;
+                      accumulatedUIMessages[idx] = {
+                        ...msg,
+                        parts: [...(msg.parts ?? []), ...lateParts],
+                      } as TUIMessage;
+                      capturedResponseMessage = accumulatedUIMessages[idx] as TUIMessage;
+                      turnCompleteEvent.responseMessage = capturedResponseMessage;
+                      turnCompleteEvent.uiMessages = accumulatedUIMessages;
+                    }
+                    locals.set(chatResponsePartsKey, []);
+                  }
+
+                  // Write turn-complete control chunk — closes the frontend stream.
+                  const turnCompleteResult = await writeTurnCompleteChunk(
+                    currentWirePayload.chatId,
+                    turnAccessToken
+                  );
+
+                  // Fire onTurnComplete — stream is closed, use for persistence.
+                  if (onTurnComplete) {
+                    await tracer.startActiveSpan(
+                      "onTurnComplete()",
+                      async () => {
+                        await onTurnComplete({
+                          ...turnCompleteEvent,
+                          lastEventId: turnCompleteResult?.lastEventId,
+                        });
+
+                        // Check if onTurnComplete replaced messages (compaction or chat.history)
+                        const turnCompleteOverride = locals.get(chatOverrideMessagesKey);
+                        if (turnCompleteOverride) {
+                          locals.set(chatOverrideMessagesKey, undefined);
+                          accumulatedUIMessages = [...turnCompleteOverride] as TUIMessage[];
+                          accumulatedMessages = await toModelMessages(turnCompleteOverride);
+                          locals.set(chatCurrentUIMessagesKey, accumulatedUIMessages);
+                        }
+                      },
+                      {
+                        attributes: {
+                          [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onComplete",
+                          [SemanticInternalAttributes.COLLAPSED]: true,
+                          "chat.id": currentWirePayload.chatId,
+                          "chat.turn": turn + 1,
+                          "chat.stopped": wasStopped,
+                          "chat.continuation": continuation,
+                          "chat.preloaded": preloaded,
+                          ...(previousRunId ? { "chat.previous_run_id": previousRunId } : {}),
+                          "chat.messages.count": accumulatedMessages.length,
+                          "chat.response.parts.count": capturedResponseMessage?.parts?.length ?? 0,
+                          "chat.new_messages.count": turnNewUIMessages.length,
+                          ...(turnUsage?.inputTokens != null
+                            ? { "gen_ai.usage.input_tokens": turnUsage.inputTokens }
+                            : {}),
+                          ...(turnUsage?.outputTokens != null
+                            ? { "gen_ai.usage.output_tokens": turnUsage.outputTokens }
+                            : {}),
+                          ...(turnUsage?.totalTokens != null
+                            ? { "gen_ai.usage.total_tokens": turnUsage.totalTokens }
+                            : {}),
+                          ...(cumulativeUsage.totalTokens != null
+                            ? { "gen_ai.usage.cumulative_total_tokens": cumulativeUsage.totalTokens }
+                            : {}),
+                        },
+                      }
+                    );
+                  }
+
+                  // ── Snapshot write ─────────────────────────────────────
+                  //
+                  // Persist the post-turn accumulator so the next run boot
+                  // can replay history without the wire shipping it. Skipped
+                  // when `hydrateMessages` is registered — those customers
+                  // own persistence and would never read this blob.
+                  //
+                  // AWAITED, not fire-and-forget: the agent may suspend (idle
+                  // timeout) immediately after this point, and in-flight
+                  // promises don't reliably complete on suspend. The user-
+                  // visible turn already finished (the turn-complete chunk
+                  // closed the response stream above), so the await delay
+                  // only affects "when can the NEXT turn start," gated by
+                  // user typing — not TTFC.
+                  //
+                  // `writeChatSnapshot` swallows errors internally; this
+                  // outer try/catch is just belt-and-suspenders against
+                  // tracer/span failures.
+                  if (!hydrateMessages) {
+                    try {
+                      await tracer.startActiveSpan(
+                        "snapshot.write",
+                        async () => {
+                          const snapshotInCursor =
+                            getChatSession().in.lastDispatchedSeqNum();
+                          await writeChatSnapshot<TUIMessage>(sessionIdForSnapshot, {
+                            version: 1,
+                            savedAt: Date.now(),
+                            messages: accumulatedUIMessages,
+                            lastOutEventId: turnCompleteResult?.lastEventId,
+                            lastInEventId:
+                              snapshotInCursor !== undefined
+                                ? String(snapshotInCursor)
+                                : undefined,
+                          });
+                        },
+                        {
+                          attributes: {
+                            [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onComplete",
+                            [SemanticInternalAttributes.COLLAPSED]: true,
+                            "chat.id": currentWirePayload.chatId,
+                            "chat.turn": turn + 1,
+                            "chat.messages.count": accumulatedUIMessages.length,
+                          },
+                        }
+                      );
+                    } catch (error) {
+                      logger.warn(
+                        "chat.agent: snapshot write failed; next run will replay further",
+                        {
+                          error: error instanceof Error ? error.message : String(error),
+                          sessionId: sessionIdForSnapshot,
+                        }
+                      );
+                    }
+                  }
+
+                  } // end if (!isAction)
+
+                  // NOTE: We intentionally do NOT await deferred work from onTurnComplete here.
+                  // Promises deferred in onTurnComplete (e.g. background self-review via
+                  // chat.defer + chat.inject) run during the idle wait. If they complete
+                  // before the next message, their injected context is picked up in prepareStep.
+                  // The pre-onBeforeTurnComplete drain handles promises from onTurnStart/run().
+
+                  // Recovery-boot injection: drain remaining recovered turns
+                  // before any other source. `onRecoveryBoot` (or its default)
+                  // produced these from in-flight user messages on session.in
+                  // that the dead predecessor never acknowledged.
+                  if (bootInjectedQueue.length > 0) {
+                    currentWirePayload = bootInjectedQueue.shift()!;
+                    return "continue";
+                  }
+
+                  // If messages arrived during streaming (without pendingMessages config),
+                  // use the first one immediately as the next turn.
+                  if (pendingMessages.length > 0) {
+                    currentWirePayload = pendingMessages[0]!;
+                    return "continue";
+                  }
+
+                  // chat.requestUpgrade() was called — exit the loop so the
+                  // transport triggers a new run on the latest version.
+                  // chat.endRun() — same exit, no upgrade semantics.
+                  if (
+                    locals.get(chatUpgradeRequestedKey) ||
+                    locals.get(chatEndRunRequestedKey)
+                  ) {
+                    return "exit";
+                  }
+
+                  // Wait for the next message — stay idle briefly, then suspend
+                  const effectiveIdleTimeout =
+                    (metadata.get(IDLE_TIMEOUT_METADATA_KEY) as number | undefined) ??
+                    idleTimeoutInSeconds;
+                  const effectiveTurnTimeout =
+                    (metadata.get(TURN_TIMEOUT_METADATA_KEY) as string | undefined) ?? turnTimeout;
+
+                  const next = await messagesInput.waitWithIdleTimeout({
+                    idleTimeoutInSeconds: effectiveIdleTimeout,
+                    timeout: effectiveTurnTimeout,
+                    spanName: "waiting for next message",
+                    onSuspend: onChatSuspend
+                      ? async () => {
+                        await tracer.startActiveSpan(
+                          "onChatSuspend()",
+                          async () => {
+                            await onChatSuspend({
+                              phase: "turn",
+                              ctx,
+                              chatId: currentWirePayload.chatId,
+                              runId: ctx.run.id,
+                              turn,
+                              messages: accumulatedMessages,
+                              uiMessages: accumulatedUIMessages,
+                              clientData,
+                            });
+                          },
+                          {
+                            attributes: {
+                              [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onComplete",
+                              [SemanticInternalAttributes.COLLAPSED]: true,
+                              "chat.id": currentWirePayload.chatId,
+                              "chat.suspend.phase": "turn",
+                              "chat.turn": turn + 1,
+                            },
+                          }
+                        );
+                      }
+                      : undefined,
+                    onResume: onChatResume
+                      ? async () => {
+                        await tracer.startActiveSpan(
+                          "onChatResume()",
+                          async () => {
+                            await onChatResume({
+                              phase: "turn",
+                              ctx,
+                              chatId: currentWirePayload.chatId,
+                              runId: ctx.run.id,
+                              turn,
+                              messages: accumulatedMessages,
+                              uiMessages: accumulatedUIMessages,
+                              clientData,
+                            });
+                          },
+                          {
+                            attributes: {
+                              [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onStart",
+                              [SemanticInternalAttributes.COLLAPSED]: true,
+                              "chat.id": currentWirePayload.chatId,
+                              "chat.resume.phase": "turn",
+                              "chat.turn": turn + 1,
+                            },
+                          }
+                        );
+                      }
+                      : undefined,
+                  });
+
+                  if (!next.ok) {
+                    return "exit";
+                  }
+
+                  currentWirePayload = next.output as ChatTaskWirePayload<
+                    TUIMessage,
+                    inferSchemaIn<TClientDataSchema>
+                  >;
+
+                  // Close signal — exit the loop gracefully
+                  if (currentWirePayload.trigger === "close") {
+                    return "exit";
+                  }
+
+                  return "continue";
+                },
+                {
+                  attributes: turnAttributes,
+                }
+              );
+
+              if (turnResult === "exit") return;
+              // "continue" means proceed to next iteration
+            } catch (turnError) {
+              // Turn error handler: write an error chunk + turn-complete to the stream
+              // so the client sees the error, then wait for the next message instead
+              // of killing the entire run. This keeps the conversation alive.
+              if (turnError instanceof Error && turnError.name === "AbortError" && runSignal.aborted) {
+                // Full run cancellation — exit immediately
+                throw turnError;
+              }
+
+              // OOM errors must escape the turn loop so the task runtime can
+              // honor `retry.outOfMemory.machine` (set on chat.agent via
+              // `oomMachine`). Catching them here would keep the dead worker
+              // alive and defeat the machine swap. Re-throw and let the
+              // runtime dispatch the retry on a larger machine; recovery on
+              // attempt 2 picks up via the standard continuation path
+              // (same chatId / Session, accumulator rehydrates).
+              if (turnError instanceof OutOfMemoryError) {
+                throw turnError;
+              }
+
+              let errorTurnCompleteResult: Awaited<
+                ReturnType<typeof writeTurnCompleteChunk>
+              > | undefined;
+              try {
+                await withChatWriter(async (writer) => {
+                  const errorText =
+                    turnError instanceof Error ? turnError.message : "An unexpected error occurred";
+                  writer.write({ type: "error", errorText } as any);
+                });
+                // Signal turn complete so the client knows this turn is done
+                errorTurnCompleteResult = await writeTurnCompleteChunk(currentWirePayload.chatId);
+              } catch {
+                // Best-effort — if stream write fails, let the run continue anyway
+              }
+
+              // The submit-message merge into the accumulator may not have run
+              // yet (a pre-run hook threw), so fold the wire message in for the
+              // error event + snapshot — the cursor has already advanced past it,
+              // so otherwise it survives in neither the snapshot nor the `.in` tail.
+              const erroredWireMessage = (currentWirePayload as { message?: TUIMessage }).message;
+              const erroredUIMessages =
+                erroredWireMessage &&
+                !accumulatedUIMessages.some((m) => m.id === erroredWireMessage.id)
+                  ? [...accumulatedUIMessages, erroredWireMessage]
+                  : accumulatedUIMessages;
+
+              // Fire onTurnComplete on the error path too — the docs promise it
+              // runs "after every turn, successful or errored" so customers can
+              // mark the turn failed. `responseMessage` is undefined/partial and
+              // `error` carries the thrown value.
+              if (onTurnComplete) {
+                try {
+                  await tracer.startActiveSpan(
+                    "onTurnComplete()",
+                    async () => {
+                      await onTurnComplete({
+                        ctx,
+                        chatId: currentWirePayload.chatId,
+                        messages: accumulatedMessages,
+                        uiMessages: erroredUIMessages,
+                        newMessages: [],
+                        newUIMessages: erroredWireMessage ? [erroredWireMessage] : [],
+                        responseMessage: undefined,
+                        rawResponseMessage: undefined,
+                        turn,
+                        runId: ctx.run.id,
+                        chatAccessToken: "",
+                        // Parsed `clientData` isn't reliably in scope here (parsing
+                        // may itself be the failure), and the raw metadata is the
+                        // wrong shape — leave it undefined on the error path.
+                        clientData: undefined,
+                        stopped: false,
+                        continuation,
+                        previousRunId,
+                        preloaded,
+                        totalUsage: cumulativeUsage,
+                        finishReason: "error",
+                        error: turnError,
+                        lastEventId: errorTurnCompleteResult?.lastEventId,
+                      });
+                    },
+                    {
+                      attributes: {
+                        [SemanticInternalAttributes.STYLE_ICON]: "task-hook-onComplete",
+                        [SemanticInternalAttributes.COLLAPSED]: true,
+                        "chat.id": currentWirePayload.chatId,
+                        "chat.turn": turn + 1,
+                        "chat.errored": true,
+                      },
+                    }
+                  );
+                } catch {
+                  // A throwing onTurnComplete on the error path must not crash
+                  // the run — keep the conversation alive for the next message.
+                }
+              }
+
+              // Persist a snapshot so the failed turn's user message isn't
+              // stranded. `writeTurnCompleteChunk` already advanced the `.in`
+              // cursor past it (via the session-in-event-id header), and the
+              // success-path snapshot write is skipped on error — without this
+              // the next boot would resume past a message that exists in
+              // neither the snapshot nor the replayable `.in` tail.
+              if (!hydrateMessages) {
+                try {
+                  const errorSnapshotInCursor =
+                    getChatSession().in.lastDispatchedSeqNum();
+                  await writeChatSnapshot<TUIMessage>(sessionIdForSnapshot, {
+                    version: 1,
+                    savedAt: Date.now(),
+                    messages: erroredUIMessages,
+                    lastOutEventId: errorTurnCompleteResult?.lastEventId,
+                    lastInEventId:
+                      errorSnapshotInCursor !== undefined
+                        ? String(errorSnapshotInCursor)
+                        : undefined,
+                  });
+                } catch (error) {
+                  logger.warn("chat.agent: error-path snapshot write failed", {
+                    error: error instanceof Error ? error.message : String(error),
+                    sessionId: sessionIdForSnapshot,
+                  });
+                }
+              }
+
+              // chat.requestUpgrade() / chat.endRun() — exit after error turn too
+              if (
+                locals.get(chatUpgradeRequestedKey) ||
+                locals.get(chatEndRunRequestedKey)
+              ) {
+                return;
+              }
+
+              // Drain remaining recovered turns before idling — a thrown
+              // recovered turn shouldn't strand the rest of the boot queue
+              // until an unrelated live message arrives.
+              if (bootInjectedQueue.length > 0) {
+                currentWirePayload = bootInjectedQueue.shift()!;
+                continue;
+              }
+
+              // Wait for the next message — same as after a successful turn
+              const effectiveIdleTimeout =
+                (metadata.get(IDLE_TIMEOUT_METADATA_KEY) as number | undefined) ??
+                idleTimeoutInSeconds;
+              const effectiveTurnTimeout =
+                (metadata.get(TURN_TIMEOUT_METADATA_KEY) as string | undefined) ?? turnTimeout;
+
+              const next = await messagesInput.waitWithIdleTimeout({
+                idleTimeoutInSeconds: effectiveIdleTimeout,
+                timeout: effectiveTurnTimeout,
+                spanName: "waiting for next message (after error)",
+              });
+
+              if (!next.ok) {
+                return; // Timed out — end run gracefully
+              }
+
+              currentWirePayload = next.output as ChatTaskWirePayload<
+                TUIMessage,
+                inferSchemaIn<TClientDataSchema>
+              >;
+              // Continue to next iteration of the for loop
+            }
+          }
+        } finally {
+          // `stopSub` is registered post-preload so the close-during-preload
+          // early-return path may exit before it ever attached. Guard the
+          // cleanup so a missing subscription doesn't throw.
+          stopSub?.off();
+        }
+    }
+  });
+
+  // Register clientDataSchema so the CLI converts it to JSONSchema
+  // and stores it as payloadSchema — used by the Playground UI
+  if (clientDataSchema) {
+    resourceCatalog.updateTaskMetadata(options.id, {
+      schema: clientDataSchema as any,
+    });
+  }
+
+  return task;
+}
+
+/**
+ * Optional config for {@link chat.withUIMessage}. `streamOptions` become default
+ * static `toUIMessageStream()` settings; inner `chat.agent({ uiMessageStreamOptions })`
+ * shallow-merges on top (task wins on conflicts).
+ */
+export type ChatWithUIMessageConfig<TUIM extends UIMessage = UIMessage> = {
+  streamOptions?: ChatUIMessageStreamOptions<TUIM>;
+};
+
+// ---------------------------------------------------------------------------
+// Chat builder
+// ---------------------------------------------------------------------------
+
+/**
+ * A chainable builder for configuring chat tasks with fixed UI message types,
+ * client data schemas, and builder-level hooks that compose with task-level hooks.
+ *
+ * Obtain a builder via {@link chat.withUIMessage} or {@link chat.withClientData}.
+ *
+ * @example
+ * ```ts
+ * export const myChat = chat
+ *   .withUIMessage<AgentUiMessage>({ streamOptions: { sendReasoning: true } })
+ *   .withClientData({ schema: z.object({ userId: z.string() }) })
+ *   .onChatSuspend(async ({ ctx }) => { await disposeResources(ctx.run.id) })
+ *   .task({
+ *     id: "my-chat",
+ *     run: async ({ messages, signal }) => streamText({ model, messages, abortSignal: signal }),
+ *   });
+ * ```
+ */
+export interface ChatBuilder<
+  TUIMessage extends UIMessage = UIMessage,
+  TClientDataSchema extends TaskSchema | undefined = undefined,
+> {
+  /** Fix the UI message type. Returns a new builder preserving all accumulated state. */
+  withUIMessage<TUIM extends UIMessage = UIMessage>(
+    config?: ChatWithUIMessageConfig<TUIM>
+  ): ChatBuilder<TUIM, TClientDataSchema>;
+
+  /** Fix the client data schema. Returns a new builder preserving all accumulated state. */
+  withClientData<TSchema extends TaskSchema>(config: {
+    schema: TSchema;
+  }): ChatBuilder<TUIMessage, TSchema>;
+
+  /** Register a builder-level `onBoot` hook. Runs before the task-level hook if both are set. */
+  onBoot(
+    fn: (event: BootEvent<inferSchemaOut<TClientDataSchema>>) => Promise<void> | void
+  ): ChatBuilder<TUIMessage, TClientDataSchema>;
+
+  /** Register a builder-level `onPreload` hook. Runs before the task-level hook if both are set. */
+  onPreload(
+    fn: (event: PreloadEvent<inferSchemaOut<TClientDataSchema>>) => Promise<void> | void
+  ): ChatBuilder<TUIMessage, TClientDataSchema>;
+
+  /** Register a builder-level `onChatStart` hook. Runs before the task-level hook if both are set. */
+  onChatStart(
+    fn: (event: ChatStartEvent<inferSchemaOut<TClientDataSchema>>) => Promise<void> | void
+  ): ChatBuilder<TUIMessage, TClientDataSchema>;
+
+  /** Register a builder-level `onTurnStart` hook. Runs before the task-level hook if both are set. */
+  onTurnStart(
+    fn: (
+      event: TurnStartEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+    ) => Promise<void> | void
+  ): ChatBuilder<TUIMessage, TClientDataSchema>;
+
+  /** Register a builder-level `onBeforeTurnComplete` hook. Runs before the task-level hook if both are set. */
+  onBeforeTurnComplete(
+    fn: (
+      event: BeforeTurnCompleteEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+    ) => Promise<void> | void
+  ): ChatBuilder<TUIMessage, TClientDataSchema>;
+
+  /** Register a builder-level `onTurnComplete` hook. Runs before the task-level hook if both are set. */
+  onTurnComplete(
+    fn: (
+      event: TurnCompleteEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+    ) => Promise<void> | void
+  ): ChatBuilder<TUIMessage, TClientDataSchema>;
+
+  /** Register a builder-level `onCompacted` hook. Runs before the task-level hook if both are set. */
+  onCompacted(fn: (event: CompactedEvent) => Promise<void> | void): ChatBuilder<TUIMessage, TClientDataSchema>;
+
+  /** Register a builder-level `onChatSuspend` hook. Runs before the task-level hook if both are set. */
+  onChatSuspend(
+    fn: (
+      event: ChatSuspendEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+    ) => Promise<void> | void
+  ): ChatBuilder<TUIMessage, TClientDataSchema>;
+
+  /** Register a builder-level `onChatResume` hook. Runs before the task-level hook if both are set. */
+  onChatResume(
+    fn: (
+      event: ChatResumeEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+    ) => Promise<void> | void
+  ): ChatBuilder<TUIMessage, TClientDataSchema>;
+
+  /**
+   * Create the chat agent with the accumulated builder configuration.
+   *
+   * When `withClientData` was called, `clientDataSchema` is injected automatically
+   * and omitted from options. Otherwise, it can still be set directly in options
+   * (backwards compatible).
+   */
+  agent: [TClientDataSchema] extends [undefined]
+  ? <TId extends string, TInfer extends TaskSchema | undefined = undefined, TAction extends TaskSchema | undefined = undefined, TTools extends ToolSet = ToolSet>(
+    options: ChatAgentOptions<TId, TInfer, TUIMessage, TAction, TTools>
+  ) => Task<TId, ChatTaskWirePayload<TUIMessage, inferSchemaIn<TInfer>>, unknown>
+  : <TId extends string, TAction extends TaskSchema | undefined = undefined, TTools extends ToolSet = ToolSet>(
+    options: Omit<ChatAgentOptions<TId, TClientDataSchema, TUIMessage, TAction, TTools>, "clientDataSchema">
+  ) => Task<TId, ChatTaskWirePayload<TUIMessage, inferSchemaIn<TClientDataSchema>>, unknown>;
+
+  /**
+   * Create a custom agent with manual lifecycle control.
+   *
+   * The agent appears in the playground but you manage the turn loop,
+   * message waiting, and streaming yourself using composable primitives
+   * (`chat.messages`, `chat.MessageAccumulator`, `chat.pipeAndCapture`, etc.).
+   *
+   * Builder hooks (`onPreload`, `onChatStart`, etc.) are not applied —
+   * those are managed-lifecycle concepts handled by `.agent()`.
+   */
+  customAgent: [TClientDataSchema] extends [undefined]
+    ? <TId extends string>(
+        options: ChatCustomAgentOptions<TId, undefined, TUIMessage>
+      ) => Task<TId, ChatTaskWirePayload<TUIMessage, undefined>, unknown>
+    : <TId extends string>(
+        options: ChatCustomAgentOptions<TId, TClientDataSchema, TUIMessage>
+      ) => Task<TId, ChatTaskWirePayload<TUIMessage, inferSchemaIn<TClientDataSchema>>, unknown>;
+}
+
+/** @internal */
+type ChatBuilderHooks = {
+  onBoot?: (event: any) => Promise<void> | void;
+  onPreload?: (event: any) => Promise<void> | void;
+  onChatStart?: (event: any) => Promise<void> | void;
+  onTurnStart?: (event: any) => Promise<void> | void;
+  onBeforeTurnComplete?: (event: any) => Promise<void> | void;
+  onTurnComplete?: (event: any) => Promise<void> | void;
+  onCompacted?: (event: any) => Promise<void> | void;
+  onChatSuspend?: (event: any) => Promise<void> | void;
+  onChatResume?: (event: any) => Promise<void> | void;
+};
+
+/** @internal */
+type ChatBuilderConfig = {
+  uiStreamOptions?: ChatUIMessageStreamOptions<any>;
+  clientDataSchema?: TaskSchema;
+  hooks: ChatBuilderHooks;
+};
+
+function composeHooks<T>(
+  builderHook: ((event: T) => Promise<void> | void) | undefined,
+  taskHook: ((event: T) => Promise<void> | void) | undefined
+): ((event: T) => Promise<void>) | undefined {
+  if (!builderHook) return taskHook as any;
+  if (!taskHook) return builderHook as any;
+  return async (event: T) => {
+    await builderHook(event);
+    await taskHook(event);
+  };
+}
+
+function createChatBuilder<
+  TUIMessage extends UIMessage = UIMessage,
+  TClientDataSchema extends TaskSchema | undefined = undefined,
+>(config: ChatBuilderConfig): ChatBuilder<TUIMessage, TClientDataSchema> {
+  return {
+    withUIMessage<TUIM extends UIMessage = UIMessage>(uimConfig?: ChatWithUIMessageConfig<TUIM>) {
+      return createChatBuilder<TUIM, TClientDataSchema>({
+        ...config,
+        uiStreamOptions: uimConfig?.streamOptions ?? config.uiStreamOptions,
+      });
+    },
+
+    withClientData<TSchema extends TaskSchema>(cdConfig: { schema: TSchema }) {
+      return createChatBuilder<TUIMessage, TSchema>({
+        ...config,
+        clientDataSchema: cdConfig.schema,
+      });
+    },
+
+    onBoot(
+      fn: (event: BootEvent<inferSchemaOut<TClientDataSchema>>) => Promise<void> | void
+    ) {
+      return createChatBuilder<TUIMessage, TClientDataSchema>({
+        ...config,
+        hooks: { ...config.hooks, onBoot: fn },
+      });
+    },
+    onPreload(
+      fn: (event: PreloadEvent<inferSchemaOut<TClientDataSchema>>) => Promise<void> | void
+    ) {
+      return createChatBuilder<TUIMessage, TClientDataSchema>({
+        ...config,
+        hooks: { ...config.hooks, onPreload: fn },
+      });
+    },
+    onChatStart(
+      fn: (event: ChatStartEvent<inferSchemaOut<TClientDataSchema>>) => Promise<void> | void
+    ) {
+      return createChatBuilder<TUIMessage, TClientDataSchema>({
+        ...config,
+        hooks: { ...config.hooks, onChatStart: fn },
+      });
+    },
+    onTurnStart(
+      fn: (
+        event: TurnStartEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+      ) => Promise<void> | void
+    ) {
+      return createChatBuilder<TUIMessage, TClientDataSchema>({
+        ...config,
+        hooks: { ...config.hooks, onTurnStart: fn },
+      });
+    },
+    onBeforeTurnComplete(
+      fn: (
+        event: BeforeTurnCompleteEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+      ) => Promise<void> | void
+    ) {
+      return createChatBuilder<TUIMessage, TClientDataSchema>({
+        ...config,
+        hooks: { ...config.hooks, onBeforeTurnComplete: fn },
+      });
+    },
+    onTurnComplete(
+      fn: (
+        event: TurnCompleteEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+      ) => Promise<void> | void
+    ) {
+      return createChatBuilder<TUIMessage, TClientDataSchema>({
+        ...config,
+        hooks: { ...config.hooks, onTurnComplete: fn },
+      });
+    },
+    onCompacted(fn: (event: CompactedEvent) => Promise<void> | void) {
+      return createChatBuilder<TUIMessage, TClientDataSchema>({
+        ...config,
+        hooks: { ...config.hooks, onCompacted: fn },
+      });
+    },
+    onChatSuspend(
+      fn: (
+        event: ChatSuspendEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+      ) => Promise<void> | void
+    ) {
+      return createChatBuilder<TUIMessage, TClientDataSchema>({
+        ...config,
+        hooks: { ...config.hooks, onChatSuspend: fn },
+      });
+    },
+    onChatResume(
+      fn: (
+        event: ChatResumeEvent<inferSchemaOut<TClientDataSchema>, TUIMessage>
+      ) => Promise<void> | void
+    ) {
+      return createChatBuilder<TUIMessage, TClientDataSchema>({
+        ...config,
+        hooks: { ...config.hooks, onChatResume: fn },
+      });
+    },
+
+    agent(options: any) {
+      const mergedUiStream =
+        config.uiStreamOptions && options.uiMessageStreamOptions
+          ? { ...config.uiStreamOptions, ...options.uiMessageStreamOptions }
+          : options.uiMessageStreamOptions ?? config.uiStreamOptions;
+
+      return chatAgent({
+        ...options,
+        ...(config.clientDataSchema ? { clientDataSchema: config.clientDataSchema } : {}),
+        uiMessageStreamOptions: mergedUiStream,
+        onBoot: composeHooks(config.hooks.onBoot, options.onBoot),
+        onRecoveryBoot: options.onRecoveryBoot,
+        onPreload: composeHooks(config.hooks.onPreload, options.onPreload),
+        onChatStart: composeHooks(config.hooks.onChatStart, options.onChatStart),
+        onTurnStart: composeHooks(config.hooks.onTurnStart, options.onTurnStart),
+        onBeforeTurnComplete: composeHooks(
+          config.hooks.onBeforeTurnComplete,
+          options.onBeforeTurnComplete
+        ),
+        onTurnComplete: composeHooks(config.hooks.onTurnComplete, options.onTurnComplete),
+        onCompacted: composeHooks(config.hooks.onCompacted, options.onCompacted),
+        onChatSuspend: composeHooks(config.hooks.onChatSuspend, options.onChatSuspend),
+        onChatResume: composeHooks(config.hooks.onChatResume, options.onChatResume),
+      });
+    },
+
+    customAgent(options: any) {
+      return chatCustomAgent({
+        ...options,
+        ...(config.clientDataSchema ? { clientDataSchema: config.clientDataSchema } : {}),
+      });
+    },
+  } as unknown as ChatBuilder<TUIMessage, TClientDataSchema>;
+}
+
+/**
+ * Fix the UI message type for a chat task (AI SDK `UIMessage` generics) while
+ * keeping `id` and `clientDataSchema` inference on the inner {@link chat.agent} call.
+ *
+ * Returns a {@link ChatBuilder} that supports chaining `.withClientData()`,
+ * hook methods (`.onPreload()`, `.onChatSuspend()`, etc.), and `.task()`.
+ *
+ * @example
+ * ```ts
+ * type AgentUiMessage = UIMessage<unknown, UIDataTypes, UITools>;
+ *
+ * export const myChat = chat.withUIMessage<AgentUiMessage>({
+ *   streamOptions: { sendReasoning: true },
+ * }).task({
+ *   id: "my-chat",
+ *   run: async ({ messages, signal }) => { ... },
+ * });
+ * ```
+ */
+function withUIMessage<TUIM extends UIMessage = UIMessage>(
+  config?: ChatWithUIMessageConfig<TUIM>
+): ChatBuilder<TUIM, undefined> {
+  return createChatBuilder<TUIM, undefined>({
+    uiStreamOptions: config?.streamOptions,
+    hooks: {},
+  });
+}
+
+/**
+ * Fix the client data schema for a chat task, providing typed `clientData`
+ * in all hooks and the `run` function.
+ *
+ * Returns a {@link ChatBuilder} that supports chaining `.withUIMessage()`,
+ * hook methods (`.onPreload()`, `.onChatSuspend()`, etc.), and `.task()`.
+ *
+ * @example
+ * ```ts
+ * export const myChat = chat
+ *   .withClientData({ schema: z.object({ userId: z.string() }) })
+ *   .task({
+ *     id: "my-chat",
+ *     onPreload: async ({ clientData }) => {
+ *       // clientData is typed as { userId: string }
+ *     },
+ *     run: async ({ messages, signal }) => { ... },
+ *   });
+ * ```
+ */
+function withClientData<TSchema extends TaskSchema>(config: {
+  schema: TSchema;
+}): ChatBuilder<UIMessage, TSchema> {
+  return createChatBuilder<UIMessage, TSchema>({
+    clientDataSchema: config.schema,
+    hooks: {},
+  });
+}
+
+/**
+ * Namespace for AI SDK chat integration.
+ *
+ * @example
+ * ```ts
+ * import { chat } from "@trigger.dev/sdk/ai";
+ *
+ * // Define a chat task
+ * export const myChat = chat.agent({
+ *   id: "my-chat",
+ *   run: async ({ messages, signal }) => {
+ *     return streamText({ model, messages, abortSignal: signal });
+ *   },
+ * });
+ *
+ * // Pipe a stream manually (from inside a task)
+ * await chat.pipe(streamTextResult);
+ *
+ * // Create an access token (from a server action)
+ * const token = await chat.createAccessToken("my-chat");
+ * ```
+ */
+// ---------------------------------------------------------------------------
+// Runtime configuration helpers
+// ---------------------------------------------------------------------------
+
+const TURN_TIMEOUT_METADATA_KEY = "chat.turnTimeout";
+const IDLE_TIMEOUT_METADATA_KEY = "chat.idleTimeout";
+
+/**
+ * Override the turn timeout for subsequent turns in the current run.
+ *
+ * The turn timeout controls how long the run stays suspended (freeing compute)
+ * waiting for the next user message. When it expires, the run completes
+ * gracefully and the next message starts a fresh run.
+ *
+ * Call from inside a `chatAgent` run function to adjust based on context.
+ *
+ * @param duration - A duration string (e.g. `"5m"`, `"1h"`, `"30s"`)
+ *
+ * @example
+ * ```ts
+ * run: async ({ messages, signal }) => {
+ *   chat.setTurnTimeout("2h");
+ *   return streamText({ model, messages, abortSignal: signal });
+ * }
+ * ```
+ */
+function setTurnTimeout(duration: string): void {
+  metadata.set(TURN_TIMEOUT_METADATA_KEY, duration);
+}
+
+/**
+ * Override the turn timeout in seconds for subsequent turns in the current run.
+ *
+ * @param seconds - Number of seconds to wait for the next message before ending the run
+ *
+ * @example
+ * ```ts
+ * run: async ({ messages, signal }) => {
+ *   chat.setTurnTimeoutInSeconds(3600); // 1 hour
+ *   return streamText({ model, messages, abortSignal: signal });
+ * }
+ * ```
+ */
+function setTurnTimeoutInSeconds(seconds: number): void {
+  metadata.set(TURN_TIMEOUT_METADATA_KEY, `${seconds}s`);
+}
+
+/**
+ * Override the idle timeout for subsequent turns in the current run.
+ *
+ * The idle timeout controls how long the run stays active (using compute)
+ * after each turn, waiting for the next message. During this window,
+ * responses are instant. After it expires, the run suspends.
+ *
+ * @param seconds - Number of seconds to stay idle (0 to suspend immediately)
+ *
+ * @example
+ * ```ts
+ * run: async ({ messages, signal }) => {
+ *   chat.setIdleTimeoutInSeconds(60);
+ *   return streamText({ model, messages, abortSignal: signal });
+ * }
+ * ```
+ */
+function setIdleTimeoutInSeconds(seconds: number): void {
+  metadata.set(IDLE_TIMEOUT_METADATA_KEY, seconds);
+}
+
+/**
+ * Override the `toUIMessageStream()` options for the current turn.
+ *
+ * These options control how the `StreamTextResult` is converted to a
+ * `UIMessageChunk` stream — error handling, reasoning/source visibility,
+ * message metadata, etc.
+ *
+ * Per-turn options are merged on top of the static `uiMessageStreamOptions`
+ * set on `chat.agent()`. Per-turn values win on conflicts.
+ *
+ * @example
+ * ```ts
+ * run: async ({ messages, signal }) => {
+ *   chat.setUIMessageStreamOptions({
+ *     sendReasoning: true,
+ *     onError: (error) => error instanceof Error ? error.message : "An error occurred.",
+ *   });
+ *   return streamText({ model, messages, abortSignal: signal });
+ * }
+ * ```
+ */
+function setUIMessageStreamOptions(options: ChatUIMessageStreamOptions<UIMessage>): void {
+  locals.set(chatUIStreamPerTurnKey, options);
+}
+
+/**
+ * Resolve the effective UIMessageStream options by merging:
+ * 1. Static task-level options (from `chat.agent({ uiMessageStreamOptions })`)
+ * 2. Per-turn overrides (from `chat.setUIMessageStreamOptions()`)
+ *
+ * Per-turn values win on conflicts. Clears the per-turn override after reading
+ * so it doesn't leak into subsequent turns.
+ * @internal
+ */
+function resolveUIMessageStreamOptions(): ChatUIMessageStreamOptions<UIMessage> {
+  const staticOptions = locals.get(chatUIStreamStaticKey) ?? {};
+  const perTurnOptions = locals.get(chatUIStreamPerTurnKey) ?? {};
+  // Clear per-turn override so it doesn't leak into subsequent turns
+  locals.set(chatUIStreamPerTurnKey, undefined);
+  return { ...staticOptions, ...perTurnOptions };
+}
+
+// ---------------------------------------------------------------------------
+// Stop detection
+// ---------------------------------------------------------------------------
+
+/**
+ * Check whether the user stopped generation during the current turn.
+ *
+ * Works from **anywhere** inside a `chat.agent` run — including inside
+ * `streamText`'s `onFinish` callback — without needing to thread the
+ * `stopSignal` through closures.
+ *
+ * This is especially useful when the AI SDK's `isAborted` flag is unreliable
+ * (e.g. when using `createUIMessageStream` + `writer.merge()`).
+ *
+ * @example
+ * ```ts
+ * onFinish: ({ isAborted }) => {
+ *   const wasStopped = isAborted || chat.isStopped();
+ *   if (wasStopped) {
+ *     // handle stop
+ *   }
+ * }
+ * ```
+ */
+function isStopped(): boolean {
+  const controller = locals.get(chatStopControllerKey);
+  return controller?.signal.aborted ?? false;
+}
+
+// ---------------------------------------------------------------------------
+// Version upgrade
+// ---------------------------------------------------------------------------
+
+/**
+ * Request that the current run exits so the next message starts on the latest
+ * deployed version (via the standard continuation mechanism).
+ *
+ * When called from `onTurnStart` or `onValidateMessages`, `run()` is skipped
+ * entirely — the run exits immediately and the transport re-triggers the
+ * same message on the new version.
+ *
+ * When called from `run()` or `chat.defer()`, the current turn completes
+ * normally and the run exits afterward instead of waiting for the next message.
+ *
+ * Call from `onTurnStart`, `onValidateMessages`, `onChatResume`, `run()`,
+ * or inside `chat.defer()`.
+ *
+ * @example
+ * ```ts
+ * const SUPPORTED_VERSIONS = new Set(["v2", "v3"]);
+ *
+ * chat.agent({
+ *   id: "my-chat",
+ *   onTurnStart: async ({ clientData }) => {
+ *     if (clientData?.protocolVersion && !SUPPORTED_VERSIONS.has(clientData.protocolVersion)) {
+ *       chat.requestUpgrade();
+ *     }
+ *   },
+ *   run: async ({ messages }) => { ... },
+ * });
+ * ```
+ */
+function requestUpgrade(): void {
+  locals.set(chatUpgradeRequestedKey, true);
+}
+
+/**
+ * Exit the run after the current turn completes, without waiting for the
+ * next message. Unlike {@link requestUpgrade}, no upgrade-required signal
+ * is sent to the client — the turn finishes normally, `onTurnComplete`
+ * fires, and the loop exits instead of going idle.
+ *
+ * Call from `run()`, `chat.defer()`, `onBeforeTurnComplete`, or
+ * `onTurnComplete` to end the run on your own terms (budget exhausted,
+ * task complete, goal achieved, etc.).
+ *
+ * The next user message on the same `chatId` starts a fresh run via the
+ * normal continuation mechanism.
+ *
+ * @example
+ * ```ts
+ * chat.agent({
+ *   id: "one-shot-agent",
+ *   run: async ({ messages, signal }) => {
+ *     const result = streamText({ model: openai("gpt-4o"), messages, abortSignal: signal });
+ *     // Single-response agent — exit after this turn.
+ *     chat.endRun();
+ *     return result;
+ *   },
+ * });
+ * ```
+ */
+function endRun(): void {
+  locals.set(chatEndRunRequestedKey, true);
+}
+
+// ---------------------------------------------------------------------------
+// Per-turn deferred work
+// ---------------------------------------------------------------------------
+
+/**
+ * Register a promise that runs in the background during the current turn.
+ *
+ * Use this to move non-blocking work (DB writes, analytics, etc.) out of
+ * the critical path. The promise runs in parallel with streaming and is
+ * awaited (with a 5 s timeout) before `onTurnComplete` fires.
+ *
+ * @example
+ * ```ts
+ * onTurnStart: async ({ chatId, uiMessages }) => {
+ *   // Pass a promise directly
+ *   chat.defer(db.chat.update({ where: { id: chatId }, data: { messages: uiMessages } }));
+ *
+ *   // Or pass an async function — cleaner for multi-step work
+ *   chat.defer(async () => {
+ *     const flags = await getFeatureFlags();
+ *     if (flags.forceUpgrade) chat.requestUpgrade();
+ *   });
+ * },
+ * ```
+ */
+function chatDefer(promiseOrFn: Promise<unknown> | (() => Promise<unknown>)): void {
+  const promises = locals.get(chatDeferKey);
+  if (promises) {
+    promises.add(typeof promiseOrFn === "function" ? promiseOrFn() : promiseOrFn);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Background context injection
+// ---------------------------------------------------------------------------
+
+/**
+ * Queue model messages for injection at the next `prepareStep` boundary.
+ *
+ * Use this to inject context from background work into the agent's conversation.
+ * Messages are appended to the model messages before the next LLM inference call.
+ *
+ * Combine with `chat.defer()` to run background analysis and inject results:
+ *
+ * @example
+ * ```ts
+ * onTurnComplete: async ({ messages }) => {
+ *   chat.defer((async () => {
+ *     const review = await generateObject({
+ *       model: openai("gpt-4o-mini"),
+ *       messages: [...messages, { role: "user", content: "Review the last response." }],
+ *       schema: z.object({ suggestions: z.array(z.string()) }),
+ *     });
+ *     if (review.object.suggestions.length > 0) {
+ *       chat.inject([{
+ *         role: "system",
+ *         content: `Improvements for next response:\n${review.object.suggestions.join("\n")}`,
+ *       }]);
+ *     }
+ *   })());
+ * },
+ * ```
+ */
+function injectBackgroundContext(messages: ModelMessage[]): void {
+  const queue = locals.get(chatBackgroundQueueKey) ?? [];
+  queue.push(...messages);
+  locals.set(chatBackgroundQueueKey, queue);
+}
+
+// ---------------------------------------------------------------------------
+// Aborted message cleanup
+// ---------------------------------------------------------------------------
+
+/**
+ * Clean up a UIMessage that was captured during an aborted/stopped turn.
+ *
+ * When generation is stopped mid-stream, the captured message may contain:
+ * - Tool parts stuck in incomplete states (`partial-call`, `input-available`,
+ *   `input-streaming`) that cause permanent UI spinners
+ * - Reasoning parts with `state: "streaming"` instead of `"done"`
+ * - Text parts with `state: "streaming"` instead of `"done"`
+ *
+ * This function returns a cleaned copy with:
+ * - Incomplete tool parts removed entirely
+ * - Reasoning and text parts marked as `"done"`
+ *
+ * `chat.agent` calls this automatically when stop is detected before passing
+ * the response to `onTurnComplete`. Use this manually when calling `pipeChat`
+ * directly and capturing response messages yourself.
+ *
+ * @example
+ * ```ts
+ * onTurnComplete: async ({ responseMessage, stopped }) => {
+ *   // Already cleaned automatically by chat.agent — but if you captured
+ *   // your own message via pipeChat, clean it manually:
+ *   const cleaned = chat.cleanupAbortedParts(myMessage);
+ *   await db.messages.save(cleaned);
+ * }
+ * ```
+ */
+function cleanupAbortedParts<TUIM extends UIMessage>(message: TUIM): TUIM {
+  if (!message.parts) return message;
+
+  const isToolPart = (part: any) =>
+    part.type === "tool-invocation" ||
+    part.type?.startsWith("tool-") ||
+    part.type === "dynamic-tool";
+
+  return {
+    ...message,
+    parts: message.parts
+      .filter((part: any) => {
+        if (!isToolPart(part)) return true;
+        // Remove tool parts that never completed execution.
+        // partial-call: input was still streaming when aborted.
+        // input-available: input was complete but tool never ran.
+        // input-streaming: input was mid-stream.
+        const state = part.toolInvocation?.state ?? part.state;
+        return (
+          state !== "partial-call" && state !== "input-available" && state !== "input-streaming"
+        );
+      })
+      .map((part: any) => {
+        // Mark streaming reasoning as done
+        if (part.type === "reasoning" && part.state === "streaming") {
+          return { ...part, state: "done" };
+        }
+        // Mark streaming text as done
+        if (part.type === "text" && part.state === "streaming") {
+          return { ...part, state: "done" };
+        }
+        return part;
+      }),
+  } as TUIM;
+}
+
+// ---------------------------------------------------------------------------
+// Composable primitives for raw task chat
+// ---------------------------------------------------------------------------
+
+/**
+ * Create a managed stop signal wired to the chat stop input stream.
+ *
+ * Call once at the start of your run. Use `signal` as the abort signal for
+ * `streamText`. Call `reset()` at the start of each turn to get a fresh
+ * per-turn signal. Call `cleanup()` when the run ends.
+ *
+ * @example
+ * ```ts
+ * const stop = chat.createStopSignal();
+ * for (let turn = 0; turn < 100; turn++) {
+ *   stop.reset();
+ *   const result = streamText({ model, messages, abortSignal: stop.signal });
+ *   await chat.pipe(result);
+ *   // ...
+ * }
+ * stop.cleanup();
+ * ```
+ */
+function createStopSignal(): {
+  readonly signal: AbortSignal;
+  reset: () => void;
+  cleanup: () => void;
+} {
+  let controller = new AbortController();
+  const sub = stopInput.on((data) => {
+    controller.abort(data?.message || "stopped");
+  });
+  return {
+    get signal() {
+      return controller.signal;
+    },
+    reset() {
+      controller = new AbortController();
+    },
+    cleanup() {
+      sub.off();
+    },
+  };
+}
+
+/**
+ * Signal the frontend that the current turn is complete.
+ *
+ * The `TriggerChatTransport` intercepts this to close the ReadableStream
+ * for the current turn. Call after piping the response stream.
+ *
+ * @example
+ * ```ts
+ * await chat.pipe(result);
+ * await chat.writeTurnComplete();
+ * ```
+ */
+async function chatWriteTurnComplete(options?: { publicAccessToken?: string }): Promise<void> {
+  await writeTurnCompleteChunk(undefined, options?.publicAccessToken);
+}
+
+/**
+ * Pipe a `StreamTextResult` (or similar) to the chat stream and capture
+ * the assistant's response message via `onFinish`.
+ *
+ * Combines `toUIMessageStream()` + `onFinish` callback + `chat.pipe()`.
+ * Returns the captured `UIMessage`, or `undefined` if capture failed.
+ *
+ * @example
+ * ```ts
+ * const result = streamText({ model, messages, abortSignal: signal });
+ * const response = await chat.pipeAndCapture(result, { signal });
+ * if (response) conversation.addResponse(response);
+ * ```
+ */
+async function pipeChatAndCapture(
+  source: UIMessageStreamable,
+  options?: { signal?: AbortSignal; spanName?: string }
+): Promise<UIMessage | undefined> {
+  let captured: UIMessage | undefined;
+  let resolveOnFinish: () => void;
+  const onFinishPromise = new Promise<void>((r) => {
+    resolveOnFinish = r;
+  });
+
+  const uiStream = source.toUIMessageStream({
+    ...resolveUIMessageStreamOptions(),
+    onFinish: ({ responseMessage }: { responseMessage: UIMessage }) => {
+      captured = responseMessage;
+      resolveOnFinish!();
+    },
+  });
+
+  await pipeChat(uiStream, {
+    signal: options?.signal,
+    spanName: options?.spanName ?? "stream response",
+  });
+  await onFinishPromise;
+
+  return captured;
+}
+
+/**
+ * Accumulates conversation messages across turns.
+ *
+ * Handles the transport protocol: turn 0 sends full history (replace),
+ * subsequent turns send only new messages (append), regenerate sends
+ * full history minus last assistant message (replace).
+ *
+ * @example
+ * ```ts
+ * const conversation = new chat.MessageAccumulator();
+ * for (let turn = 0; turn < 100; turn++) {
+ *   const messages = await conversation.addIncoming(payload.messages, payload.trigger, turn);
+ *   const result = streamText({ model, messages });
+ *   const response = await chat.pipeAndCapture(result);
+ *   if (response) await conversation.addResponse(response);
+ * }
+ * ```
+ */
+class ChatMessageAccumulator {
+  modelMessages: ModelMessage[] = [];
+  uiMessages: UIMessage[] = [];
+  private _compaction?: ChatAgentCompactionOptions;
+  private _pendingMessages?: PendingMessagesOptions;
+  private _steeringQueue: SteeringQueueEntry[] = [];
+
+  constructor(options?: {
+    compaction?: ChatAgentCompactionOptions;
+    pendingMessages?: PendingMessagesOptions;
+  }) {
+    this._compaction = options?.compaction;
+    this._pendingMessages = options?.pendingMessages;
+  }
+
+  /**
+   * Add incoming messages from the transport payload.
+   * Returns the full accumulated model messages for `streamText`.
+   */
+  async addIncoming(messages: UIMessage[], trigger: string, turn: number): Promise<ModelMessage[]> {
+    const cleaned = messages.map((m) => (m.role === "assistant" ? cleanupAbortedParts(m) : m));
+    const model = await toModelMessages(cleaned);
+
+    if (turn === 0 || trigger === "regenerate-message") {
+      this.modelMessages = model;
+      this.uiMessages = [...cleaned];
+    } else {
+      this.modelMessages.push(...model);
+      this.uiMessages.push(...cleaned);
+    }
+    return this.modelMessages;
+  }
+
+  /**
+   * Add the assistant's response to the accumulator.
+   * Call after `pipeAndCapture` with the captured response.
+   */
+  /**
+   * Replace all accumulated messages (for compaction).
+   * Converts UIMessages to ModelMessages internally.
+   */
+  async setMessages(uiMessages: UIMessage[]): Promise<void> {
+    this.uiMessages = [...uiMessages];
+    this.modelMessages = await toModelMessages(uiMessages);
+  }
+
+  async addResponse(response: UIMessage): Promise<void> {
+    if (!response.id) {
+      response = { ...response, id: generateMessageId() };
+    }
+    this.uiMessages.push(response);
+    try {
+      const msgs = await toModelMessages([stripProviderMetadata(response)]);
+      this.modelMessages.push(...msgs);
+    } catch {
+      // Conversion failed — skip model message accumulation for this response
+    }
+  }
+
+  /**
+   * Queue a message for injection via `prepareStep`. Call from a
+   * `messagesInput.on()` listener when a message arrives during streaming.
+   */
+  steer(message: UIMessage, modelMessages?: ModelMessage[]): void {
+    if (modelMessages) {
+      this._steeringQueue.push({ uiMessage: message, modelMessages });
+    } else {
+      // Defer conversion — will be done in prepareStep if needed
+      this._steeringQueue.push({ uiMessage: message, modelMessages: [] });
+    }
+  }
+
+  /**
+   * Queue a message for injection, converting to model messages automatically.
+   */
+  async steerAsync(message: UIMessage): Promise<void> {
+    const modelMsgs = await toModelMessages([message]);
+    this._steeringQueue.push({ uiMessage: message, modelMessages: modelMsgs });
+  }
+
+  /**
+   * Get and clear unconsumed steering messages.
+   */
+  drainSteering(): UIMessage[] {
+    const result = this._steeringQueue.map((e) => e.uiMessage);
+    this._steeringQueue = [];
+    return result;
+  }
+
+  /**
+   * Returns a `prepareStep` function that handles both compaction and
+   * pending message injection. Pass to `streamText({ prepareStep: conversation.prepareStep() })`.
+   */
+  prepareStep():
+    | ((args: {
+      messages: ModelMessage[];
+      steps: CompactionStep[];
+    }) => Promise<{ messages: ModelMessage[] } | undefined>)
+    | undefined {
+    if (!this._compaction && !this._pendingMessages) return undefined;
+    const comp = this._compaction;
+    const pm = this._pendingMessages;
+    const queue = this._steeringQueue;
+
+    return async ({ messages, steps }) => {
+      let resultMessages: ModelMessage[] | undefined;
+
+      // 1. Compaction
+      if (comp) {
+        const result = await chatCompact(messages, steps, {
+          shouldCompact: comp.shouldCompact,
+          summarize: (msgs) => comp.summarize({ messages: msgs, source: "inner" }),
+        });
+        if (result.type !== "skipped") {
+          resultMessages = result.messages;
+        }
+      }
+
+      // 2. Pending message injection
+      if (pm && queue.length > 0) {
+        const injected = await drainSteeringQueue(pm, resultMessages ?? messages, steps, queue);
+        if (injected.length > 0) {
+          resultMessages = [...(resultMessages ?? messages), ...injected];
+        }
+      }
+
+      return resultMessages ? { messages: resultMessages } : undefined;
+    };
+  }
+
+  /**
+   * Run outer-loop compaction if needed. Call after adding the response
+   * and capturing usage. Applies `compactModelMessages` and `compactUIMessages`
+   * callbacks if configured.
+   *
+   * @returns `true` if compaction was performed, `false` otherwise.
+   */
+  async compactIfNeeded(
+    usage: LanguageModelUsage | undefined,
+    context?: {
+      chatId?: string;
+      turn?: number;
+      clientData?: unknown;
+      totalUsage?: LanguageModelUsage;
+    }
+  ): Promise<boolean> {
+    if (!this._compaction || !usage) return false;
+
+    const shouldTrigger = await this._compaction.shouldCompact({
+      messages: this.modelMessages,
+      totalTokens: usage.totalTokens,
+      inputTokens: usage.inputTokens,
+      outputTokens: usage.outputTokens,
+      usage,
+      totalUsage: context?.totalUsage,
+      chatId: context?.chatId,
+      turn: context?.turn,
+      clientData: context?.clientData,
+      source: "outer",
+    });
+
+    if (!shouldTrigger) return false;
+
+    const summary = await this._compaction.summarize({
+      messages: this.modelMessages,
+      usage,
+      totalUsage: context?.totalUsage,
+      chatId: context?.chatId,
+      turn: context?.turn,
+      clientData: context?.clientData,
+      source: "outer",
+    });
+
+    const compactEvent: CompactMessagesEvent = {
+      summary,
+      uiMessages: this.uiMessages,
+      modelMessages: this.modelMessages,
+      chatId: context?.chatId ?? "",
+      turn: context?.turn ?? 0,
+      clientData: context?.clientData,
+      source: "outer",
+    };
+
+    this.modelMessages = this._compaction.compactModelMessages
+      ? await this._compaction.compactModelMessages(compactEvent)
+      : [
+        {
+          role: "assistant" as const,
+          content: [{ type: "text" as const, text: `[Conversation summary]\n\n${summary}` }],
+        },
+      ];
+
+    if (this._compaction.compactUIMessages) {
+      this.uiMessages = await this._compaction.compactUIMessages(compactEvent);
+    }
+
+    return true;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// chat.createSession — async iterator for chat turns
+// ---------------------------------------------------------------------------
+
+export type ChatSessionOptions = {
+  /** Run-level cancel signal (from task context). */
+  signal: AbortSignal;
+  /** Seconds to stay idle between turns before suspending. @default 30 */
+  idleTimeoutInSeconds?: number;
+  /** Duration string for suspend timeout. @default "1h" */
+  timeout?: string;
+  /** Max turns before ending. @default 100 */
+  maxTurns?: number;
+  /** Automatic context compaction — same options as `chat.agent({ compaction })`. */
+  compaction?: ChatAgentCompactionOptions;
+  /** Configure mid-execution message injection — same options as `chat.agent({ pendingMessages })`. */
+  pendingMessages?: PendingMessagesOptions;
+};
+
+export type ChatTurn = {
+  /** Turn number (0-indexed). */
+  number: number;
+  /** Chat session ID. */
+  chatId: string;
+  /** What triggered this turn. */
+  trigger: string;
+  /** Client data from the transport (`metadata` field on the wire payload). */
+  clientData: unknown;
+  /** Full accumulated model messages — pass directly to `streamText`. */
+  readonly messages: ModelMessage[];
+  /** Full accumulated UI messages — use for persistence. */
+  readonly uiMessages: UIMessage[];
+  /** Combined stop+cancel AbortSignal (fresh each turn). */
+  signal: AbortSignal;
+  /** Whether the user stopped generation this turn. */
+  readonly stopped: boolean;
+  /** Whether this is a continuation run. */
+  continuation: boolean;
+  /** Token usage from the previous turn. Undefined on turn 0. */
+  previousTurnUsage?: LanguageModelUsage;
+  /** Cumulative token usage across all completed turns so far. */
+  totalUsage: LanguageModelUsage;
+
+  /**
+   * Replace accumulated messages (for compaction). Takes UIMessages and
+   * converts to ModelMessages internally. After calling this, `turn.messages`
+   * reflects the compacted history.
+   */
+  setMessages(uiMessages: UIMessage[]): Promise<void>;
+
+  /**
+   * Easy path: pipe stream, capture response, accumulate it,
+   * clean up aborted parts if stopped, and write turn-complete chunk.
+   */
+  complete(source: UIMessageStreamable): Promise<UIMessage | undefined>;
+
+  /**
+   * Manual path: just write turn-complete chunk.
+   * Use when you've already piped and accumulated manually.
+   */
+  done(): Promise<void>;
+
+  /**
+   * Add the response to the accumulator manually.
+   * Use with `chat.pipeAndCapture` when you need control between pipe and done.
+   */
+  addResponse(response: UIMessage): Promise<void>;
+
+  /**
+   * Returns a `prepareStep` function that handles both compaction and
+   * pending message injection. Pass to `streamText({ prepareStep: turn.prepareStep() })`.
+   * Only needed when not using `chat.toStreamTextOptions()` (which auto-injects it).
+   */
+  prepareStep():
+    | ((args: {
+      messages: ModelMessage[];
+      steps: CompactionStep[];
+    }) => Promise<{ messages: ModelMessage[] } | undefined>)
+    | undefined;
+};
+
+/**
+ * Create a chat session that yields turns as an async iterator.
+ *
+ * Handles: preload wait, stop signals, message accumulation, turn-complete
+ * signaling, and idle/suspend between turns. You control: initialization,
+ * model/tool selection, persistence, and any custom per-turn logic.
+ *
+ * @example
+ * ```ts
+ * import { task } from "@trigger.dev/sdk";
+ * import { chat, type ChatTaskWirePayload } from "@trigger.dev/sdk/ai";
+ * import { streamText } from "ai";
+ * import { openai } from "@ai-sdk/openai";
+ *
+ * export const myChat = task({
+ *   id: "my-chat",
+ *   run: async (payload: ChatTaskWirePayload, { signal }) => {
+ *     const session = chat.createSession(payload, { signal });
+ *
+ *     for await (const turn of session) {
+ *       const result = streamText({
+ *         model: openai("gpt-4o"),
+ *         messages: turn.messages,
+ *         abortSignal: turn.signal,
+ *       });
+ *       await turn.complete(result);
+ *     }
+ *   },
+ * });
+ * ```
+ */
+function createChatSession(
+  payload: ChatTaskWirePayload,
+  options: ChatSessionOptions
+): AsyncIterable<ChatTurn> {
+  const {
+    signal: runSignal,
+    idleTimeoutInSeconds: sessionIdleTimeoutOpt,
+    timeout = "1h",
+    maxTurns = 100,
+    compaction: sessionCompaction,
+    pendingMessages: sessionPendingMessages,
+  } = options;
+
+  const idleTimeoutInSeconds = sessionIdleTimeoutOpt ?? 30;
+
+  return {
+    [Symbol.asyncIterator]() {
+      let currentPayload = payload;
+      let turn = -1;
+      const stop = createStopSignal();
+      const accumulator = new ChatMessageAccumulator();
+      let previousTurnUsage: LanguageModelUsage | undefined;
+      let cumulativeUsage: LanguageModelUsage = emptyUsage();
+
+      return {
+        async next(): Promise<IteratorResult<ChatTurn>> {
+          turn++;
+
+          // First turn: handle preload — wait for the first real message
+          if (turn === 0 && currentPayload.trigger === "preload") {
+            const result = await messagesInput.waitWithIdleTimeout({
+              idleTimeoutInSeconds:
+                sessionIdleTimeoutOpt ?? currentPayload.idleTimeoutInSeconds ?? 30,
+              timeout,
+              spanName: "waiting for first message",
+            });
+            if (!result.ok || runSignal.aborted) {
+              stop.cleanup();
+              return { done: true, value: undefined };
+            }
+            currentPayload = result.output;
+          }
+
+          // Subsequent turns: wait for the next message
+          if (turn > 0) {
+            // chat.requestUpgrade() / chat.endRun() — exit before waiting
+            if (
+              locals.get(chatUpgradeRequestedKey) ||
+              locals.get(chatEndRunRequestedKey)
+            ) {
+              stop.cleanup();
+              return { done: true, value: undefined };
+            }
+
+            const next = await messagesInput.waitWithIdleTimeout({
+              idleTimeoutInSeconds,
+              timeout,
+              spanName: "waiting for next message",
+            });
+            if (!next.ok || runSignal.aborted) {
+              stop.cleanup();
+              return { done: true, value: undefined };
+            }
+            currentPayload = next.output;
+          }
+
+          // Check limits
+          if (turn >= maxTurns || runSignal.aborted) {
+            stop.cleanup();
+            return { done: true, value: undefined };
+          }
+
+          // Reset stop signal for this turn
+          stop.reset();
+
+          // Reset per-turn state
+          locals.set(chatResponsePartsKey, []);
+          // Set up steering queue and pending messages config in locals
+          // so toStreamTextOptions() auto-injects prepareStep for steering
+          const turnSteeringQueue: SteeringQueueEntry[] = [];
+          locals.set(chatSteeringQueueKey, turnSteeringQueue);
+          if (sessionPendingMessages) {
+            locals.set(chatPendingMessagesKey, sessionPendingMessages);
+          }
+          locals.set(chatTurnContextKey, {
+            chatId: currentPayload.chatId,
+            turn,
+            continuation: currentPayload.continuation ?? false,
+            clientData: currentPayload.metadata,
+          });
+
+          // Listen for messages during streaming (steering + next-turn buffer)
+          const sessionPendingWire: ChatTaskWirePayload[] = [];
+          const sessionMsgSub = messagesInput.on(async (msg) => {
+            sessionPendingWire.push(msg);
+
+            if (sessionPendingMessages) {
+              // Slim wire: at most one delta message per record. Read
+              // `msg.message` directly — no array slicing needed.
+              const lastUIMessage = msg.message;
+              if (lastUIMessage) {
+                if (sessionPendingMessages.onReceived) {
+                  try {
+                    await sessionPendingMessages.onReceived({
+                      message: lastUIMessage,
+                      chatId: currentPayload.chatId,
+                      turn,
+                    });
+                  } catch {
+                    /* non-fatal */
+                  }
+                }
+                try {
+                  const modelMsgs = await toModelMessages([lastUIMessage]);
+                  turnSteeringQueue.push({ uiMessage: lastUIMessage, modelMessages: modelMsgs });
+                } catch {
+                  /* non-fatal */
+                }
+              }
+            }
+          });
+
+          // Accumulate messages. Slim wire: pass the single delta message as
+          // a 0-or-1-length array. The accumulator's behavior is unchanged —
+          // it still appends user messages and reconverts on regenerate.
+          const incomingForAccumulator: UIMessage[] = currentPayload.message
+            ? [currentPayload.message]
+            : [];
+          const messages = await accumulator.addIncoming(
+            incomingForAccumulator,
+            currentPayload.trigger,
+            turn
+          );
+
+          // chat.requestUpgrade() called before this turn — signal transport and exit
+          if (locals.get(chatUpgradeRequestedKey)) {
+            await writeUpgradeRequiredChunk();
+            sessionMsgSub.off();
+            stop.cleanup();
+            return { done: true, value: undefined };
+          }
+
+          const combinedSignal = AbortSignal.any([runSignal, stop.signal]);
+
+          const turnObj: ChatTurn = {
+            number: turn,
+            chatId: currentPayload.chatId,
+            trigger: currentPayload.trigger,
+            clientData: currentPayload.metadata,
+            get messages() {
+              return accumulator.modelMessages;
+            },
+            get uiMessages() {
+              return accumulator.uiMessages;
+            },
+            signal: combinedSignal,
+            get stopped() {
+              return stop.signal.aborted && !runSignal.aborted;
+            },
+            continuation: currentPayload.continuation ?? false,
+            previousTurnUsage,
+            totalUsage: cumulativeUsage,
+
+            async setMessages(uiMessages: UIMessage[]) {
+              await accumulator.setMessages(uiMessages);
+            },
+
+            async complete(source: UIMessageStreamable) {
+              let response: UIMessage | undefined;
+              try {
+                response = await pipeChatAndCapture(source, { signal: combinedSignal });
+              } catch (error) {
+                if (error instanceof Error && error.name === "AbortError") {
+                  if (runSignal.aborted) {
+                    // Full cancel — don't accumulate
+                    sessionMsgSub.off();
+                    await chatWriteTurnComplete();
+                    return undefined;
+                  }
+                  // Stop — fall through to accumulate partial response
+                } else {
+                  throw error;
+                }
+              }
+
+              if (response) {
+                const cleaned =
+                  stop.signal.aborted && !runSignal.aborted
+                    ? cleanupAbortedParts(response)
+                    : response;
+                // Append any non-transient data parts queued via chat.response or writer.write()
+                const queuedParts = locals.get(chatResponsePartsKey);
+                if (queuedParts && queuedParts.length > 0) {
+                  (cleaned as any).parts = [...(cleaned.parts ?? []), ...queuedParts];
+                  locals.set(chatResponsePartsKey, []);
+                }
+                await accumulator.addResponse(cleaned);
+              } else {
+                // No response (manual pipe mode) but there are queued data parts
+                const queuedParts = locals.get(chatResponsePartsKey);
+                if (queuedParts && queuedParts.length > 0) {
+                  await accumulator.addResponse({
+                    id: generateMessageId(),
+                    role: "assistant" as const,
+                    parts: queuedParts as UIMessage["parts"],
+                  });
+                  locals.set(chatResponsePartsKey, []);
+                }
+              }
+
+              // Capture token usage from the streamText result
+              let turnUsage: LanguageModelUsage | undefined;
+              if (typeof (source as any).totalUsage?.then === "function") {
+                try {
+                  const usage: LanguageModelUsage = await (source as any).totalUsage;
+                  turnUsage = usage;
+                  previousTurnUsage = usage;
+                  cumulativeUsage = addUsage(cumulativeUsage, usage);
+                } catch {
+                  /* non-fatal */
+                }
+              }
+
+              // Outer-loop compaction (same logic as chat.agent)
+              if (sessionCompaction && turnUsage && !turnObj.stopped) {
+                const shouldTrigger = await sessionCompaction.shouldCompact({
+                  messages: accumulator.modelMessages,
+                  totalTokens: turnUsage.totalTokens,
+                  inputTokens: turnUsage.inputTokens,
+                  outputTokens: turnUsage.outputTokens,
+                  usage: turnUsage,
+                  totalUsage: cumulativeUsage,
+                  chatId: currentPayload.chatId,
+                  turn,
+                  clientData: currentPayload.metadata,
+                  source: "outer",
+                });
+
+                if (shouldTrigger) {
+                  const summary = await sessionCompaction.summarize({
+                    messages: accumulator.modelMessages,
+                    usage: turnUsage,
+                    totalUsage: cumulativeUsage,
+                    chatId: currentPayload.chatId,
+                    turn,
+                    clientData: currentPayload.metadata,
+                    source: "outer",
+                  });
+
+                  const compactEvent: CompactMessagesEvent = {
+                    summary,
+                    uiMessages: accumulator.uiMessages,
+                    modelMessages: accumulator.modelMessages,
+                    chatId: currentPayload.chatId,
+                    turn,
+                    clientData: currentPayload.metadata,
+                    source: "outer",
+                  };
+
+                  accumulator.modelMessages = sessionCompaction.compactModelMessages
+                    ? await sessionCompaction.compactModelMessages(compactEvent)
+                    : [
+                      {
+                        role: "assistant" as const,
+                        content: [
+                          { type: "text" as const, text: `[Conversation summary]\n\n${summary}` },
+                        ],
+                      },
+                    ];
+
+                  if (sessionCompaction.compactUIMessages) {
+                    accumulator.uiMessages = await sessionCompaction.compactUIMessages(
+                      compactEvent
+                    );
+                  }
+                }
+              }
+
+              sessionMsgSub.off();
+              await chatWriteTurnComplete();
+              return response;
+            },
+
+            async addResponse(response: UIMessage) {
+              // Append any non-transient data parts queued via chat.response or writer.write()
+              const queuedParts = locals.get(chatResponsePartsKey);
+              if (queuedParts && queuedParts.length > 0) {
+                response = { ...response, parts: [...(response.parts ?? []), ...(queuedParts as UIMessage["parts"])] };
+                locals.set(chatResponsePartsKey, []);
+              }
+              await accumulator.addResponse(response);
+            },
+
+            async done() {
+              sessionMsgSub.off();
+              await chatWriteTurnComplete();
+            },
+
+            prepareStep() {
+              const hasCompaction = !!sessionCompaction;
+              const hasPending = !!sessionPendingMessages;
+              if (!hasCompaction && !hasPending) return undefined;
+
+              return async ({
+                messages: stepMsgs,
+                steps,
+              }: {
+                messages: ModelMessage[];
+                steps: CompactionStep[];
+              }) => {
+                let resultMessages: ModelMessage[] | undefined;
+
+                if (sessionCompaction) {
+                  const compactResult = await chatCompact(stepMsgs, steps, {
+                    shouldCompact: sessionCompaction.shouldCompact,
+                    summarize: (msgs) =>
+                      sessionCompaction.summarize({ messages: msgs, source: "inner" }),
+                  });
+                  if (compactResult.type !== "skipped") {
+                    resultMessages = compactResult.messages;
+                  }
+                }
+
+                if (sessionPendingMessages) {
+                  const injected = await drainSteeringQueue(
+                    sessionPendingMessages,
+                    resultMessages ?? stepMsgs,
+                    steps,
+                    turnSteeringQueue
+                  );
+                  if (injected.length > 0) {
+                    resultMessages = [...(resultMessages ?? stepMsgs), ...injected];
+                  }
+                }
+
+                return resultMessages ? { messages: resultMessages } : undefined;
+              };
+            },
+          };
+
+          return { done: false, value: turnObj };
+        },
+
+        async return() {
+          stop.cleanup();
+          return { done: true, value: undefined };
+        },
+      };
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// chat.local — per-run typed data with Proxy access
+// ---------------------------------------------------------------------------
+
+/** @internal Symbol for storing the locals key on the proxy target. */
+const CHAT_LOCAL_KEY: unique symbol = Symbol("chatLocalKey");
+/** @internal Symbol for storing the dirty-tracking locals key. */
+const CHAT_LOCAL_DIRTY_KEY: unique symbol = Symbol("chatLocalDirtyKey");
+
+// ---------------------------------------------------------------------------
+// chat.local registry — tracks all declared locals for serialization
+// ---------------------------------------------------------------------------
+
+type ChatLocalEntry = { key: ReturnType<typeof locals.create>; id: string };
+const chatLocalRegistry = new Set<ChatLocalEntry>();
+
+/** @internal Run-scoped flag to ensure hydration happens at most once per run. */
+const chatLocalsHydratedKey = locals.create<boolean>("chat.locals.hydrated");
+
+/**
+ * Hydrate chat.local values from subtask metadata (set by `ai.toolExecute()` or legacy `ai.tool()`).
+ * Runs once per run — subsequent calls are no-ops.
+ * @internal
+ */
+function hydrateLocalsFromMetadata(): void {
+  if (locals.get(chatLocalsHydratedKey)) return;
+  locals.set(chatLocalsHydratedKey, true);
+  const opts = metadata.get(METADATA_KEY) as ToolCallExecutionOptions | undefined;
+  if (!opts?.chatLocals) return;
+  for (const [id, value] of Object.entries(opts.chatLocals)) {
+    locals.set(locals.create(id), value);
+  }
+}
+
+/**
+ * A Proxy-backed, run-scoped data object that appears as `T` to users.
+ * Includes helper methods for initialization, dirty tracking, and serialization.
+ * Internal metadata is stored behind Symbols and invisible to
+ * `Object.keys()`, `JSON.stringify()`, and spread.
+ */
+export type ChatLocal<T extends Record<string, unknown>> = T & {
+  /** Initialize the local with a value. Call in `onChatStart` or `run()`. */
+  init(value: T): void;
+  /** Returns `true` if any property was set since the last check. Resets the dirty flag. */
+  hasChanged(): boolean;
+  /** Returns a plain object copy of the current value. Useful for persistence. */
+  get(): T;
+  readonly [CHAT_LOCAL_KEY]: ReturnType<typeof locals.create<T>>;
+  readonly [CHAT_LOCAL_DIRTY_KEY]: ReturnType<typeof locals.create<boolean>>;
+};
+
+/**
+ * Creates a per-run typed data object accessible from anywhere during task execution.
+ *
+ * Declare at module level, then initialize inside `onBoot` (recommended — fires
+ * on every fresh worker including continuation runs). Do NOT initialize in
+ * `onChatStart` alone: `onChatStart` only fires on the chat's very first
+ * message, so `chat.local` would be uninitialized on continuation runs and
+ * `run()` would throw.
+ *
+ * Multiple locals can coexist — each gets its own isolated run-scoped storage.
+ *
+ * The `id` is required and must be unique across all `chat.local()` calls in
+ * your project. It's used to serialize values into subtask metadata so that
+ * `ai.toolExecute()` (or legacy `ai.tool()`) subtasks can auto-hydrate parent locals (read-only).
+ *
+ * @example
+ * ```ts
+ * import { chat } from "@trigger.dev/sdk/ai";
+ *
+ * const userPrefs = chat.local<{ theme: string; language: string }>({ id: "userPrefs" });
+ * const gameState = chat.local<{ score: number; streak: number }>({ id: "gameState" });
+ *
+ * export const myChat = chat.agent({
+ *   id: "my-chat",
+ *   onBoot: async ({ clientData }) => {
+ *     const prefs = await db.prefs.findUnique({ where: { userId: clientData.userId } });
+ *     userPrefs.init(prefs ?? { theme: "dark", language: "en" });
+ *     gameState.init({ score: 0, streak: 0 });
+ *   },
+ *   onTurnComplete: async ({ chatId }) => {
+ *     if (gameState.hasChanged()) {
+ *       await db.save({ where: { chatId }, data: gameState.get() });
+ *     }
+ *   },
+ *   run: async ({ messages }) => {
+ *     gameState.score++;
+ *     return streamText({
+ *       system: `User prefers ${userPrefs.theme} theme. Score: ${gameState.score}`,
+ *       messages,
+ *     });
+ *   },
+ * });
+ * ```
+ */
+function chatLocal<T extends Record<string, unknown>>(options: { id: string }): ChatLocal<T> {
+  const id = `chat.local.${options.id}`;
+  const localKey = locals.create<T>(id);
+  const dirtyKey = locals.create<boolean>(`${id}.dirty`);
+
+  chatLocalRegistry.add({ key: localKey, id });
+
+  const target = {} as any;
+  target[CHAT_LOCAL_KEY] = localKey;
+  target[CHAT_LOCAL_DIRTY_KEY] = dirtyKey;
+
+  return new Proxy(target, {
+    get(_target, prop, _receiver) {
+      // Internal Symbol properties
+      if (prop === CHAT_LOCAL_KEY) return _target[CHAT_LOCAL_KEY];
+      if (prop === CHAT_LOCAL_DIRTY_KEY) return _target[CHAT_LOCAL_DIRTY_KEY];
+
+      // Instance methods
+      if (prop === "init") {
+        return (value: T) => {
+          locals.set(localKey, value);
+          locals.set(dirtyKey, false);
+        };
+      }
+      if (prop === "hasChanged") {
+        return () => {
+          const dirty = locals.get(dirtyKey) ?? false;
+          locals.set(dirtyKey, false);
+          return dirty;
+        };
+      }
+      if (prop === "get") {
+        return () => {
+          let current = locals.get(localKey);
+          if (current === undefined) {
+            hydrateLocalsFromMetadata();
+            current = locals.get(localKey);
+          }
+          if (current === undefined) {
+            throw new Error(
+              "local.get() called before initialization. Call local.init() in onBoot (recommended — fires on every fresh worker including continuation runs) or run() first."
+            );
+          }
+          return { ...current };
+        };
+      }
+      // toJSON for serialization (JSON.stringify(local))
+      if (prop === "toJSON") {
+        return () => {
+          let current = locals.get(localKey);
+          if (current === undefined) {
+            hydrateLocalsFromMetadata();
+            current = locals.get(localKey);
+          }
+          return current ? { ...current } : undefined;
+        };
+      }
+
+      let current = locals.get(localKey);
+      if (current === undefined) {
+        // Auto-hydrate from parent metadata in subtask context
+        hydrateLocalsFromMetadata();
+        current = locals.get(localKey);
+      }
+      if (current === undefined) return undefined;
+      return (current as any)[prop];
+    },
+
+    set(_target, prop, value) {
+      // Don't allow setting internal Symbols
+      if (typeof prop === "symbol") return false;
+
+      const current = locals.get(localKey);
+      if (current === undefined) {
+        throw new Error(
+          "chat.local can only be modified after initialization. " +
+          "Call local.init() in onBoot (recommended — fires on every fresh worker including continuation runs) or run() first. " +
+          "If you previously initialized in onChatStart, move it to onBoot — onChatStart only fires on the chat's very first message and will not run on a continuation."
+        );
+      }
+      locals.set(localKey, { ...current, [prop]: value });
+      locals.set(dirtyKey, true);
+      return true;
+    },
+
+    has(_target, prop) {
+      if (typeof prop === "symbol") return prop in _target;
+      let current = locals.get(localKey);
+      if (current === undefined) {
+        hydrateLocalsFromMetadata();
+        current = locals.get(localKey);
+      }
+      return current !== undefined && prop in current;
+    },
+
+    ownKeys() {
+      let current = locals.get(localKey);
+      if (current === undefined) {
+        hydrateLocalsFromMetadata();
+        current = locals.get(localKey);
+      }
+      return current ? Reflect.ownKeys(current) : [];
+    },
+
+    getOwnPropertyDescriptor(_target, prop) {
+      if (typeof prop === "symbol") return undefined;
+      let current = locals.get(localKey);
+      if (current === undefined) {
+        hydrateLocalsFromMetadata();
+        current = locals.get(localKey);
+      }
+      if (current === undefined || !(prop in current)) return undefined;
+      return {
+        configurable: true,
+        enumerable: true,
+        writable: true,
+        value: (current as any)[prop],
+      };
+    },
+  }) as ChatLocal<T>;
+}
+
+/**
+ * Extracts the client data (metadata) type from a chat task.
+ * Use this to type the `metadata` option on the transport.
+ *
+ * @example
+ * ```ts
+ * import type { InferChatClientData } from "@trigger.dev/sdk/ai";
+ * import type { myChat } from "@/trigger/chat";
+ *
+ * type MyClientData = InferChatClientData<typeof myChat>;
+ * // { model?: string; userId: string }
+ * ```
+ */
+// `InferChatClientData` and `InferChatUIMessage` live in `./ai-shared.ts`
+// so the chat React hooks can import them without dragging `ai.ts` into
+// the browser graph. Re-exported here so `@trigger.dev/sdk/ai` consumers
+// still see them.
+import type { InferChatClientData, InferChatUIMessage } from "./ai-shared.js";
+export type {
+  InferChatClientData,
+  InferChatUIMessage,
+  InferChatUIMessageFromTools,
+} from "./ai-shared.js";
+
+/**
+ * Options for {@link createChatStartSessionAction}.
+ */
+/**
+ * Discriminator for per-endpoint `baseURL` / `fetch` callbacks on
+ * `createChatStartSessionAction`.
+ *
+ * - `"sessions"` — `POST /api/v1/sessions` (session create + first run trigger).
+ * - `"auth"` — `POST /api/v1/auth/jwt/claims` (only fired when
+ *   `tokenTTL` is set; otherwise the publicAccessToken from session create
+ *   is reused as-is).
+ */
+export type ChatStartSessionEndpoint = "sessions" | "auth";
+
+export type ChatStartSessionEndpointContext = {
+  endpoint: ChatStartSessionEndpoint;
+  chatId: string;
+};
+
+export type ChatStartSessionBaseURLResolver = (
+  ctx: ChatStartSessionEndpointContext
+) => string;
+
+export type ChatStartSessionFetchOverride = (
+  url: string,
+  init: RequestInit,
+  ctx: ChatStartSessionEndpointContext
+) => Promise<Response>;
+
+export type CreateChatStartSessionActionOptions = {
+  /** TTL for the session-scoped public access token. @default "1h" */
+  tokenTTL?: string | number | Date;
+  /**
+   * Default trigger config used when starting a new session for a chat.
+   * Per-call `params.triggerConfig` shallow-merges on top.
+   */
+  triggerConfig?: Partial<SessionTriggerConfig>;
+  /**
+   * Override the Trigger.dev API base URL. String applies to both
+   * `/api/v1/sessions` and `/api/v1/auth/jwt/claims`; function picks per
+   * endpoint. When unset, falls back to `apiClientManager.baseURL`
+   * (typically the `TRIGGER_API_URL` env var). Set this to route session
+   * create through a trusted edge proxy that injects server-side signal
+   * into `basePayload.metadata` before forwarding upstream.
+   */
+  baseURL?: string | ChatStartSessionBaseURLResolver;
+  /**
+   * Per-request fetch override. Receives the resolved URL, RequestInit,
+   * and endpoint context. Use for header injection, proxy routing, or
+   * custom retry. Applies to both session-create and JWT-claims POSTs.
+   */
+  fetch?: ChatStartSessionFetchOverride;
+};
+
+/**
+ * Params for the function returned by {@link createChatStartSessionAction}.
+ */
+export type ChatStartSessionParams<TChat extends AnyTask = AnyTask> = {
+  /** Conversation id (mapped to the Session's `externalId`). */
+  chatId: string;
+  /**
+   * Typed client data — folded into the first run's `payload.metadata` so
+   * `onPreload`, `onChatStart`, etc. see the same `clientData` shape on the
+   * first turn as subsequent turns get via the transport's `clientData`
+   * option. Typed via the agent's `clientDataSchema` when the action is
+   * parameterised with `createStartSessionAction<typeof myChat>(...)`.
+   */
+  clientData?: InferChatClientData<TChat>;
+  /**
+   * Per-call trigger config. Shallow-merged over the action's default
+   * `triggerConfig`. `basePayload` is the customer's wire payload (for
+   * `chat.agent`: anything beyond `chatId`/`messages`/`trigger`/`metadata`,
+   * which the runtime injects automatically).
+   */
+  triggerConfig?: Partial<SessionTriggerConfig>;
+  /**
+   * Opaque session-level metadata stored on the Session row. Separate from
+   * the per-turn `clientData` above. Use this when you want to attach
+   * server-side metadata that doesn't go through the agent's `clientDataSchema`.
+   */
+  metadata?: Record<string, unknown>;
+};
+
+/**
+ * Result from {@link createChatStartSessionAction}'s returned function.
+ */
+export type ChatStartSessionResult = {
+  /**
+   * Session-scoped public access token (`read:sessions:{chatId} +
+   * write:sessions:{chatId}`). Pass this to the browser; the transport
+   * uses it to call `.in/append`, `.out`, `end-and-continue`.
+   */
+  publicAccessToken: string;
+  /** Friendly id of the run triggered alongside session create. */
+  runId: string;
+  /** Session friendlyId — informational. */
+  sessionId: string;
+};
+
+/**
+ * Creates a server-side helper that starts (or resumes) a Session for a
+ * given chatId — atomically creating the row, triggering the first run,
+ * and returning a session-scoped PAT for the browser to use.
+ *
+ * Wrap in a Next.js server action (or any server-side handler) so the
+ * customer's secret key never crosses to the browser.
+ *
+ * Parameterise the action with `<typeof yourChatAgent>` to type the
+ * `clientData` field against your agent's `clientDataSchema`.
+ *
+ * @example
+ * ```ts
+ * // actions.ts
+ * "use server";
+ * import { chat } from "@trigger.dev/sdk/ai";
+ * import type { myChat } from "@/trigger/chat";
+ *
+ * export const startChatSession = chat.createStartSessionAction<typeof myChat>(
+ *   "my-chat",
+ *   { triggerConfig: { machine: "small-1x" } }
+ * );
+ * ```
+ *
+ * Then in the browser, threading the typed `clientData` from the transport:
+ * ```tsx
+ * const transport = useTriggerChatTransport<typeof myChat>({
+ *   task: "my-chat",
+ *   accessToken: ({ chatId }) => mintChatAccessToken(chatId),
+ *   startSession: ({ chatId, clientData }) =>
+ *     startChatSession({ chatId, clientData }),
+ * });
+ * ```
+ */
+function createChatStartSessionAction<TChat extends AnyTask = AnyTask>(
+  taskId: string,
+  options?: CreateChatStartSessionActionOptions
+): (params: ChatStartSessionParams<TChat>) => Promise<ChatStartSessionResult> {
+  return async (params: ChatStartSessionParams<TChat>): Promise<ChatStartSessionResult> => {
+    if (!params.chatId) {
+      throw new Error(
+        "chat.createStartSessionAction: params.chatId is required — used as the session externalId."
+      );
+    }
+
+    // The first run boots before the user's first message lands on
+    // `.in/append`, so it sees an empty `messages` array and `trigger:
+    // "preload"`. This matches the pre-Sessions preload semantics:
+    // `onPreload` fires, the runtime opens its `.in` subscription, the
+    // first user message arrives moments later via `.in/append`.
+    //
+    // `clientData` is folded into `basePayload.metadata` so the agent's
+    // `clientDataSchema` validates on the very first turn against the same
+    // shape per-turn `metadata` carries via the transport.
+    // Auto-tag every chat.agent run with `chat:{chatId}` so the dashboard /
+    // run-list filter by chat works without the customer having to wire it
+    // up. Mirrors the browser-mediated `TriggerChatTransport.doStart` path.
+    const userTags = params.triggerConfig?.tags ?? options?.triggerConfig?.tags ?? [];
+    // Platform cap is 10 tags per run; the auto chat tag takes one slot.
+    const tags = [`chat:${params.chatId}`, ...userTags].slice(0, 10);
+
+    const clientDataMetadata =
+      params.clientData !== undefined ? { metadata: params.clientData } : {};
+
+    const triggerConfig: SessionTriggerConfig = {
+      basePayload: {
+        messages: [],
+        trigger: "preload",
+        ...(options?.triggerConfig?.basePayload ?? {}),
+        ...(params.triggerConfig?.basePayload ?? {}),
+        ...clientDataMetadata,
+        chatId: params.chatId,
+      },
+      ...(options?.triggerConfig?.machine || params.triggerConfig?.machine
+        ? { machine: params.triggerConfig?.machine ?? options?.triggerConfig?.machine }
+        : {}),
+      ...(options?.triggerConfig?.queue || params.triggerConfig?.queue
+        ? { queue: params.triggerConfig?.queue ?? options?.triggerConfig?.queue }
+        : {}),
+      tags,
+      ...(options?.triggerConfig?.maxAttempts !== undefined ||
+      params.triggerConfig?.maxAttempts !== undefined
+        ? {
+            maxAttempts:
+              params.triggerConfig?.maxAttempts ?? options?.triggerConfig?.maxAttempts!,
+          }
+        : {}),
+      ...(options?.triggerConfig?.idleTimeoutInSeconds !== undefined ||
+      params.triggerConfig?.idleTimeoutInSeconds !== undefined
+        ? {
+            idleTimeoutInSeconds:
+              params.triggerConfig?.idleTimeoutInSeconds ??
+              options?.triggerConfig?.idleTimeoutInSeconds!,
+          }
+        : {}),
+    };
+
+    const startBody = {
+      type: "chat.agent" as const,
+      externalId: params.chatId,
+      taskIdentifier: taskId,
+      triggerConfig,
+      metadata: params.metadata,
+    };
+
+    const baseURLOption = options?.baseURL;
+    const fetchOverride = options?.fetch;
+    const hasOverride = baseURLOption !== undefined || fetchOverride !== undefined;
+
+    const created: { id: string; runId: string; publicAccessToken: string } = hasOverride
+      ? await callSessionsCreateWithOverride({
+          chatId: params.chatId,
+          body: startBody,
+          baseURLOption,
+          fetchOverride,
+        })
+      : await sessions.start(startBody);
+
+    // Session create returns a session PAT directly when called with a
+    // start token, but when the SDK call goes via the secret key we still
+    // need to mint our own (the server returns a PAT regardless, but
+    // re-minting here lets the customer override `tokenTTL`).
+    const publicAccessToken =
+      options?.tokenTTL !== undefined
+        ? hasOverride
+          ? await mintPublicTokenWithOverride({
+              chatId: params.chatId,
+              expirationTime: options.tokenTTL,
+              baseURLOption,
+              fetchOverride,
+            })
+          : await auth.createPublicToken({
+              scopes: {
+                read: { sessions: params.chatId },
+                write: { sessions: params.chatId },
+              },
+              expirationTime: options.tokenTTL,
+            })
+        : created.publicAccessToken;
+
+    return {
+      publicAccessToken,
+      runId: created.runId,
+      sessionId: created.id,
+    };
+  };
+}
+
+function resolveChatStartBaseURL(
+  endpoint: ChatStartSessionEndpoint,
+  chatId: string,
+  option: string | ChatStartSessionBaseURLResolver | undefined
+): string {
+  const fallback = apiClientManager.baseURL ?? "https://api.trigger.dev";
+  const raw =
+    typeof option === "function"
+      ? option({ endpoint, chatId })
+      : option ?? fallback;
+  return raw.replace(/\/$/, "");
+}
+
+function overrideRequestHeaders(accessToken: string): Record<string, string> {
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json",
+    Authorization: `Bearer ${accessToken}`,
+    "x-trigger-source": "sdk",
+  };
+  // Forward the preview-branch hint so override-mode requests land on the
+  // same env the standard ApiClient path would have routed to. Mirrors
+  // ApiClient.#getHeaders. Read from TRIGGER_PREVIEW_BRANCH /
+  // VERCEL_GIT_COMMIT_REF via apiClientManager.branchName.
+  if (apiClientManager.branchName) {
+    headers["x-trigger-branch"] = apiClientManager.branchName;
+  }
+  return headers;
+}
+
+async function callSessionsCreateWithOverride(args: {
+  chatId: string;
+  body: { type: "chat.agent"; externalId: string; taskIdentifier: string; triggerConfig: SessionTriggerConfig; metadata?: Record<string, unknown> };
+  baseURLOption: string | ChatStartSessionBaseURLResolver | undefined;
+  fetchOverride: ChatStartSessionFetchOverride | undefined;
+}): Promise<{ id: string; runId: string; publicAccessToken: string }> {
+  const accessToken = apiClientManager.accessToken;
+  if (!accessToken) {
+    throw new Error(
+      "chat.createStartSessionAction: no API access token configured. Set TRIGGER_SECRET_KEY or call apiClientManager.setGlobalAPIClientConfiguration before invoking the action."
+    );
+  }
+  const ctx: ChatStartSessionEndpointContext = { endpoint: "sessions", chatId: args.chatId };
+  const url = `${resolveChatStartBaseURL("sessions", args.chatId, args.baseURLOption)}/api/v1/sessions`;
+  const init: RequestInit = {
+    method: "POST",
+    headers: overrideRequestHeaders(accessToken),
+    body: JSON.stringify(args.body),
+  };
+  const response = args.fetchOverride
+    ? await args.fetchOverride(url, init, ctx)
+    : await fetch(url, init);
+  if (!response.ok) {
+    const text = await response.text().catch(() => "");
+    throw new Error(`sessions.start failed: ${response.status} ${text}`);
+  }
+  const json = (await response.json()) as { id: string; runId: string; publicAccessToken: string };
+  return json;
+}
+
+async function mintPublicTokenWithOverride(args: {
+  chatId: string;
+  expirationTime: string | number | Date;
+  baseURLOption: string | ChatStartSessionBaseURLResolver | undefined;
+  fetchOverride: ChatStartSessionFetchOverride | undefined;
+}): Promise<string> {
+  const accessToken = apiClientManager.accessToken;
+  if (!accessToken) {
+    throw new Error(
+      "chat.createStartSessionAction: no API access token configured for JWT mint."
+    );
+  }
+  const ctx: ChatStartSessionEndpointContext = { endpoint: "auth", chatId: args.chatId };
+  const url = `${resolveChatStartBaseURL("auth", args.chatId, args.baseURLOption)}/api/v1/auth/jwt/claims`;
+  const init: RequestInit = {
+    method: "POST",
+    headers: overrideRequestHeaders(accessToken),
+  };
+  const response = args.fetchOverride
+    ? await args.fetchOverride(url, init, ctx)
+    : await fetch(url, init);
+  if (!response.ok) {
+    const text = await response.text().catch(() => "");
+    throw new Error(`auth.createPublicToken failed: ${response.status} ${text}`);
+  }
+  const claims = (await response.json()) as Record<string, unknown>;
+  return generateJWT({
+    secretKey: accessToken,
+    payload: {
+      ...claims,
+      scopes: [`read:sessions:${args.chatId}`, `write:sessions:${args.chatId}`],
+    },
+    expirationTime: args.expirationTime,
+  });
+}
+
+export const chat = {
+  /** Create a chat agent. See {@link chatAgent}. */
+  agent: chatAgent,
+  /** Create a custom agent with manual lifecycle control. See {@link chatCustomAgent}. */
+  customAgent: chatCustomAgent,
+  /** Create a chat task with a fixed {@link UIMessage} subtype and optional default stream options. See {@link withUIMessage}. */
+  withUIMessage,
+  /** Create a chat task with a fixed client data schema. See {@link withClientData}. */
+  withClientData,
+  /** Create a server-side helper for starting (or resuming) a Session for a chatId. See {@link createChatStartSessionAction}. */
+  createStartSessionAction: createChatStartSessionAction,
+  /** Pipe a stream to the chat transport. See {@link pipeChat}. */
+  pipe: pipeChat,
+  /** Create a per-run typed local. See {@link chatLocal}. */
+  local: chatLocal,
+  /** Create a public access token for a chat task. See {@link createChatAccessToken}. */
+  createAccessToken: createChatAccessToken,
+  /** Override the turn timeout at runtime (duration string). See {@link setTurnTimeout}. */
+  setTurnTimeout,
+  /** Override the turn timeout at runtime (seconds). See {@link setTurnTimeoutInSeconds}. */
+  setTurnTimeoutInSeconds,
+  /** Override the idle timeout at runtime. See {@link setIdleTimeoutInSeconds}. */
+  setIdleTimeoutInSeconds,
+  /** Override toUIMessageStream() options for the current turn. See {@link setUIMessageStreamOptions}. */
+  setUIMessageStreamOptions,
+  /** Check if the current turn was stopped by the user. See {@link isStopped}. */
+  isStopped,
+  /** Request that the run exits after the current turn so the next message starts on the latest version. See {@link requestUpgrade}. */
+  requestUpgrade,
+  /** Exit the run after the current turn completes, without any upgrade signal. See {@link endRun}. */
+  endRun,
+  /** Clean up aborted parts from a UIMessage. See {@link cleanupAbortedParts}. */
+  cleanupAbortedParts,
+  /** Register background work that runs in parallel with streaming. See {@link chatDefer}. */
+  defer: chatDefer,
+  /** Queue model messages for injection at the next `prepareStep` boundary. See {@link injectBackgroundContext}. */
+  inject: injectBackgroundContext,
+  /** Typed chat output stream for writing custom chunks or piping from subtasks. */
+  stream: chatStream,
+  /** Write data parts that persist to the response message. See {@link chatResponse}. */
+  response: chatResponse,
+  /** Pre-built input stream for receiving messages from the transport. */
+  messages: messagesInput,
+  /** Create a managed stop signal wired to the stop input stream. See {@link createStopSignal}. */
+  createStopSignal,
+  /** Signal the frontend that the current turn is complete. See {@link chatWriteTurnComplete}. */
+  writeTurnComplete: chatWriteTurnComplete,
+  /** Pipe a stream and capture the response message. See {@link pipeChatAndCapture}. */
+  pipeAndCapture: pipeChatAndCapture,
+  /** Message accumulator class for raw task chat. See {@link ChatMessageAccumulator}. */
+  MessageAccumulator: ChatMessageAccumulator,
+  /** Create a chat session (async iterator). See {@link createChatSession}. */
+  createSession: createChatSession,
+  /**
+   * Store and retrieve a resolved prompt for the current run.
+   *
+   * - `chat.prompt.set(resolved)` — store a `ResolvedPrompt` or plain string
+   * - `chat.prompt()` — read the stored prompt (throws if not set)
+   */
+  prompt: Object.assign(getChatPrompt, { set: setChatPrompt }),
+  /**
+   * Store and retrieve resolved agent skills for the current run.
+   *
+   * - `chat.skills.set([...])` — store an array of `ResolvedSkill`s
+   * - `chat.skills()` — read the stored skills (returns undefined if none)
+   *
+   * Skills set here are automatically injected into `streamText` by
+   * `chat.toStreamTextOptions()`: skill descriptions land in the system
+   * prompt and `loadSkill` / `readFile` / `bash` tools are added to the
+   * tool set.
+   */
+  skills: Object.assign(getChatSkills, { set: setChatSkills }),
+  /**
+   * Returns an options object ready to spread into `streamText()`.
+   * Reads the stored prompt and returns `{ system, experimental_telemetry, ...config }`.
+   * Returns `{}` if no prompt has been set.
+   */
+  toStreamTextOptions,
+  /**
+   * Replace the accumulated conversation messages for compaction.
+   * Call from `onTurnStart` or `onTurnComplete`. Takes `UIMessage[]` and
+   * converts to `ModelMessage[]` internally.
+   */
+  setMessages: setChatMessages,
+  /**
+   * Imperative API for modifying the accumulated message history.
+   * Supports rollback, remove, replace, slice, and full replacement.
+   * Can be called from any hook or `run()`.
+   */
+  history: chatHistory,
+  /** Check if it's safe to compact messages (no in-flight tool calls). */
+  isCompactionSafe,
+  /** Returns a `prepareStep` function that handles context compaction automatically. */
+  compactionStep: chatCompactionStep,
+  /** Low-level compaction for use inside a custom `prepareStep`. */
+  compact: chatCompact,
+  /** Read the current compaction state (summary + base message count). */
+  getCompactionState,
+  /**
+   * The friendlyId (`session_*`) of the backing Session for the current chat.agent run.
+   * Useful for persisting alongside `runId` so reloads can resume the same session.
+   * Throws if called outside a chat.agent `run()` or hook.
+   */
+  get sessionId(): string {
+    return getChatSession().id;
+  },
+};
+
+/**
+ * Writes a `turn-complete` control record to the chat output stream and,
+ * if we have a prior turn-complete's seq_num, appends an S2 `trim` command
+ * record back to it — keeping `session.out` bounded to roughly one turn
+ * at steady state.
+ *
+ * The control record's body is empty; `trigger-control: turn-complete`
+ * plus an optional `public-access-token` ride on the headers (see
+ * `docs/ai-chat/client-protocol.mdx`). SDK transports filter it from the
+ * consumer chunk stream and surface it via `onControl` / `onTurnComplete`.
+ *
+ * Trim is opportunistic and monotonic at S2's layer. A failed trim is
+ * logged and swallowed; the next turn will retry against a fresher
+ * target seq_num.
+ *
+ * @internal
+ */
+async function writeTurnCompleteChunk(
+  _chatId?: string,
+  publicAccessToken?: string
+): Promise<StreamWriteResult> {
+  const session = getChatSession();
+
+  // 1. Write the turn-complete control record. The ack's `lastEventId` is
+  //    this record's seq_num — that's the trim target for the NEXT turn.
+  //
+  //    Sibling headers:
+  //    - `public-access-token` (optional): refresh token surfaced to
+  //      browser-side transports via `onTurnComplete`.
+  //    - `session-in-event-id` (optional): the committed-consume cursor
+  //      on `.in` as of this turn-complete. On next worker boot, the
+  //      boot scan reads this back and seeds the `.in` subscription so
+  //      already-processed user messages aren't re-delivered.
+  const extraHeaders: Array<[string, string]> = [];
+  if (publicAccessToken) {
+    extraHeaders.push(["public-access-token", publicAccessToken]);
+  }
+  const inCursor = session.in.lastDispatchedSeqNum();
+  if (inCursor !== undefined) {
+    extraHeaders.push([SESSION_IN_EVENT_ID_HEADER, String(inCursor)]);
+  }
+  const result = await session.out.writeControl(
+    TRIGGER_CONTROL_SUBTYPE.TURN_COMPLETE,
+    extraHeaders
+  );
+  const T_N = result.lastEventId ? Number.parseInt(result.lastEventId, 10) : undefined;
+
+  // 2. Trim back to the previous turn-complete, if we have one. Skipping on
+  //    first-turn-ever (or first turn post-OOM without a snapshot seed) is
+  //    fine — the chain catches up next turn.
+  //
+  // Lazily create the slot if a caller reached here without one (a plain
+  // `task()` driving `chat.createSession` / `chat.writeTurnComplete`, vs.
+  // chatAgent/chatCustomAgent which seed it at boot). The first call then
+  // does no trim (nothing before it) and records its seq; later calls trim
+  // — so `.out` is bounded for every writeTurnComplete caller, not just the
+  // built-in agents.
+  let slot = locals.get(lastTurnCompleteSeqNumKey);
+  if (!slot) {
+    slot = { value: undefined };
+    locals.set(lastTurnCompleteSeqNumKey, slot);
+  }
+  const prev = slot.value;
+  if (slot && prev !== undefined) {
+    try {
+      await session.out.trimTo(prev);
+    } catch (err) {
+      logger.warn("chat.agent: trim failed; will retry next turn", {
+        error: err instanceof Error ? err.message : String(err),
+        prev,
+      });
+    }
+  }
+
+  // 3. Advance the slot so the next turn-complete trims back to this one.
+  if (slot && T_N !== undefined && Number.isFinite(T_N)) {
+    slot.value = T_N;
+  }
+
+  return result;
+}
+
+/**
+ * Hand off the session to a fresh run on the latest version and emit a
+ * telemetry chunk on `.out` so the transport can hide it from the
+ * consumer.
+ *
+ * Server-side flow (in `POST /sessions/:id/end-and-continue`):
+ *   1. Trigger a new run with the session's `triggerConfig`
+ *   2. Atomically swap `Session.currentRunId` to the new run's id
+ *      (via optimistic claim keyed on the calling run's id)
+ *   3. Return the new runId
+ *
+ * The transport keeps its `.out` SSE open across the swap — v1's last
+ * chunks land, v2's new chunks land on the same stream (S2 keys on
+ * the session, not the run). The transport filters
+ * `trigger:upgrade-required` for cleanliness; consumers see no gap.
+ *
+ * If the swap fails (no current run, no env auth, etc.) we still emit
+ * the chunk and exit. The next `.in/append` will trigger a new run via
+ * the probe path; it just won't be quite as seamless.
+ *
+ * @internal
+ */
+async function writeUpgradeRequiredChunk(): Promise<StreamWriteResult> {
+  const ctx = taskContext.ctx;
+  const chatId = ctx?.run.id ? getChatIdFromContext() : undefined;
+  const callingRunId = ctx?.run.id;
+
+  if (chatId && callingRunId) {
+    const apiClient = apiClientManager.clientOrThrow();
+    try {
+      await apiClient.endAndContinueSession(chatId, {
+        callingRunId,
+        reason: "upgrade",
+      });
+    } catch (error) {
+      // Non-fatal: the next `.in/append` re-triggers via the probe.
+      // Swallow rather than throw so we still emit the chunk + exit.
+      logger.warn("end-and-continue failed; falling back to probe-on-append", {
+        chatId,
+        callingRunId,
+        error,
+      });
+    }
+  }
+
+  const session = getChatSession();
+  return session.out.writeControl(TRIGGER_CONTROL_SUBTYPE.UPGRADE_REQUIRED);
+}
+
+/**
+ * Resolves the current chat's `chatId` (used as session externalId) from
+ * the bound session handle. Returns `undefined` if no agent is bound —
+ * shouldn't happen at the call sites that invoke
+ * `writeUpgradeRequiredChunk`, but defensive against misuse.
+ * @internal
+ */
+function getChatIdFromContext(): string | undefined {
+  return locals.get(chatSessionHandleKey)?.id;
+}
+
+/**
+ * Extracts the text content of the last user message from a UIMessage array.
+ * Returns undefined if no user message is found.
+ * @internal
+ */
+function extractLastUserMessageText(messages: UIMessage[]): string | undefined {
+  for (let i = messages.length - 1; i >= 0; i--) {
+    const msg = messages[i]!;
+    if (msg.role !== "user") continue;
+
+    // UIMessage uses parts array
+    if (msg.parts) {
+      const textParts = msg.parts
+        .filter((p: any) => p.type === "text" && p.text)
+        .map((p: any) => p.text as string);
+      if (textParts.length > 0) {
+        return textParts.join("\n");
+      }
+    }
+
+    break;
+  }
+
+  return undefined;
+}
+
+/**
+ * Strips ephemeral OpenAI Responses API `itemId` from a UIMessage's parts.
+ *
+ * The OpenAI Responses provider attaches `itemId` to message parts via
+ * `providerMetadata.openai.itemId`. These IDs are ephemeral — sending them
+ * back in a subsequent `streamText` call causes 404s because the provider
+ * can't find the referenced item (especially for stopped/partial responses).
+ *
+ * @internal
+ */
+function stripProviderMetadata(message: UIMessage): UIMessage {
+  if (!message.parts) return message;
+  return {
+    ...message,
+    parts: message.parts.map((part: any) => {
+      const openai = part.providerMetadata?.openai;
+      if (!openai?.itemId) return part;
+
+      const { itemId, ...restOpenai } = openai;
+      const { openai: _, ...restProviders } = part.providerMetadata;
+      return {
+        ...part,
+        providerMetadata: {
+          ...restProviders,
+          ...(Object.keys(restOpenai).length > 0 ? { openai: restOpenai } : {}),
+        },
+      };
+    }),
+  };
+}
diff --git a/packages/trigger-sdk/src/v3/aiAutoTelemetry.ts b/packages/trigger-sdk/src/v3/aiAutoTelemetry.ts
new file mode 100644
index 00000000000..7533dc9bf05
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/aiAutoTelemetry.ts
@@ -0,0 +1,83 @@
+/**
+ * Auto-register `@ai-sdk/otel` so AI SDK 7 emits OpenTelemetry spans into the
+ * Trigger.dev run trace with no customer setup.
+ *
+ * AI SDK 6 emitted spans from `ai` core, so `experimental_telemetry` (set by
+ * `chat.toStreamTextOptions({ telemetry })`) was enough. v7 moved span emission
+ * into the separate `@ai-sdk/otel` adapter, so on v7 `experimental_telemetry`
+ * alone produces nothing until an integration is registered. We register it once
+ * per worker process at chat.agent run boot. `@ai-sdk/otel` writes to the global
+ * OpenTelemetry tracer, which is the same provider the Trigger worker installs
+ * (the `@opentelemetry/api` global is a `globalThis` singleton keyed by major
+ * version, so the separate copies still share it), so spans land in the trace.
+ *
+ * Fully guarded and best-effort — telemetry must never break a run:
+ *  - `registerTelemetry` only exists in v7 `ai` (no-op on v5/v6).
+ *  - `@ai-sdk/otel` is an OPTIONAL peer. The specifier is computed so the task
+ *    bundler doesn't hard-require it (v5/v6 users never install it).
+ *  - We detect an already-registered `@ai-sdk/otel` integration and skip, so a
+ *    customer (or a library they import) that registers it themselves doesn't
+ *    get duplicate spans. `registerTelemetry` is append-only, so without this
+ *    guard a second integration would double every span.
+ *  - To disable our auto-register entirely (e.g. you register `@ai-sdk/otel`
+ *    yourself after this boot, or via a custom integration our detection can't
+ *    see), set the env var `TRIGGER_AI_SDK_OTEL_AUTOREGISTER=0`.
+ */
+let registration: Promise<void> | null = null;
+
+/** Registers the AI SDK OTel integration once per process. Safe to call on every run. */
+export function ensureAiSdkTelemetry(): Promise<void> {
+  if (!registration) {
+    registration = register();
+  }
+  return registration;
+}
+
+async function register(): Promise<void> {
+  try {
+    if (isAutoRegisterDisabled()) {
+      return; // opted out via TRIGGER_AI_SDK_OTEL_AUTOREGISTER
+    }
+    const aiMod: any = await import("ai");
+    if (typeof aiMod.registerTelemetry !== "function") {
+      return; // v5 / v6 — `ai` core emits spans itself, nothing to wire.
+    }
+    // Computed specifier keeps the optional peer out of static bundler
+    // resolution; resolves at runtime only when the customer installed it.
+    const otelSpecifier = ["@ai-sdk", "otel"].join("/");
+    const otelMod: any = await import(otelSpecifier).catch(() => null);
+    if (typeof otelMod?.OpenTelemetry !== "function") {
+      return; // optional peer not installed
+    }
+    if (hasAiSdkOtelIntegration(otelMod.OpenTelemetry)) {
+      return; // already registered by the customer or a library they import
+    }
+    aiMod.registerTelemetry(new otelMod.OpenTelemetry());
+  } catch {
+    // never throw from telemetry setup
+  }
+}
+
+function isAutoRegisterDisabled(): boolean {
+  const value = process.env.TRIGGER_AI_SDK_OTEL_AUTOREGISTER?.toLowerCase();
+  return value === "0" || value === "false";
+}
+
+/**
+ * True if an `@ai-sdk/otel` integration is already in v7's global telemetry
+ * registry (`globalThis.AI_SDK_TELEMETRY_INTEGRATIONS`, a documented public
+ * global that `registerTelemetry` appends to). `instanceof` matches a same-copy
+ * registration; the constructor-name fallback catches a separate copy of
+ * `@ai-sdk/otel`.
+ */
+function hasAiSdkOtelIntegration(OpenTelemetry: any): boolean {
+  const integrations = (globalThis as any).AI_SDK_TELEMETRY_INTEGRATIONS;
+  if (!Array.isArray(integrations)) {
+    return false;
+  }
+  return integrations.some(
+    (integration: any) =>
+      (typeof OpenTelemetry === "function" && integration instanceof OpenTelemetry) ||
+      integration?.constructor?.name === "OpenTelemetry"
+  );
+}
diff --git a/packages/trigger-sdk/src/v3/auth.ts b/packages/trigger-sdk/src/v3/auth.ts
index 1f2df463b6f..d8d3a397878 100644
--- a/packages/trigger-sdk/src/v3/auth.ts
+++ b/packages/trigger-sdk/src/v3/auth.ts
@@ -4,6 +4,7 @@ import {
   RealtimeRunSkipColumns,
 } from "@trigger.dev/core/v3";
 import { generateJWT as internal_generateJWT } from "@trigger.dev/core/v3";
+import "@trigger.dev/core/v3/sdk-scope-storage";
 
 /**
  * Register the global API client configuration. Alternatively, you can set the `TRIGGER_SECRET_KEY` and `TRIGGER_API_URL` environment variables.
@@ -67,6 +68,16 @@ type PublicTokenPermissionProperties = {
    * Grant access to send data to input streams on specific runs
    */
   inputStreams?: string | string[];
+
+  /**
+   * Grant access to specific Sessions (the durable, typed I/O primitive that
+   * outlives a single run). Use the session's friendlyId (e.g. `session_abc`).
+   *
+   * `read:sessions:{id}` lets the bearer read both the `.out` and `.in`
+   * channels and list runs on the session. `write:sessions:{id}` lets the
+   * bearer append to the session's channels and create new runs against it.
+   */
+  sessions?: string | string[];
 };
 
 export type PublicTokenPermissions = {
diff --git a/packages/trigger-sdk/src/v3/chat-client.ts b/packages/trigger-sdk/src/v3/chat-client.ts
new file mode 100644
index 00000000000..92402948340
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/chat-client.ts
@@ -0,0 +1,877 @@
+/**
+ * Server-side API for chatting with Trigger.dev agents.
+ *
+ * @example
+ * ```ts
+ * import { AgentChat } from "@trigger.dev/sdk/chat";
+ *
+ * const chat = new AgentChat<typeof myAgent>({
+ *   agent: "my-agent",
+ *   clientData: { userId: "user_123" },
+ * });
+ *
+ * const stream = await chat.sendMessage("Review PR #1");
+ * const text = await stream.text();
+ * await chat.close();
+ * ```
+ */
+
+import type { SessionTriggerConfig, Task } from "@trigger.dev/core/v3";
+import type { ModelMessage, UIMessage, UIMessageChunk } from "ai";
+// `readUIMessageStream` is a runtime value — via the ESM/CJS shim so the CJS
+// build can `require` ESM-only `ai@7` (see ../imports/ai-runtime.ts).
+import { readUIMessageStream } from "../imports/ai-runtime.js";
+import {
+  apiClientManager,
+  controlSubtype,
+  SSEStreamSubscription,
+  TRIGGER_CONTROL_SUBTYPE,
+} from "@trigger.dev/core/v3";
+import type { ChatInputChunk, ChatTaskWirePayload } from "./ai-shared.js";
+import { slimSubmitMessageForWire } from "./ai-shared.js";
+import { sessions } from "./sessions.js";
+
+// ─── Type inference ────────────────────────────────────────────────
+
+/** Extract the client data (metadata) type from a chat agent task. */
+export type InferChatClientData<T> =
+  T extends Task<any, ChatTaskWirePayload<any, infer TMetadata>, any>
+    ? unknown extends TMetadata
+      ? Record<string, unknown>
+      : TMetadata
+    : Record<string, unknown>;
+
+/** Extract the UIMessage type from a chat agent task. */
+export type InferChatUIMessage<T> =
+  T extends Task<any, ChatTaskWirePayload<infer TUIMessage, any>, any>
+    ? TUIMessage
+    : UIMessage;
+
+// ─── Types ─────────────────────────────────────────────────────────
+
+/** Persistable session state — store this to resume across requests. */
+export type ChatSession = {
+  /** Last SSE event ID seen on `session.out` — used to resume without replay. */
+  lastEventId?: string;
+};
+
+/**
+ * Discriminator passed to per-endpoint `baseURL` and `fetch` callbacks on
+ * `AgentChat`. Same shape as the type on `TriggerChatTransport` — these
+ * mirror so customers can share a single resolver between the two clients.
+ */
+export type AgentChatEndpoint = "in" | "out";
+
+export type AgentChatEndpointContext = {
+  endpoint: AgentChatEndpoint;
+  chatId: string;
+};
+
+export type AgentChatBaseURLResolver = (ctx: AgentChatEndpointContext) => string;
+
+export type AgentChatFetchOverride = (
+  url: string,
+  init: RequestInit,
+  ctx: AgentChatEndpointContext
+) => Promise<Response>;
+
+export type AgentChatOptions<TAgent = unknown> = {
+  /** The agent task ID to trigger. */
+  agent: string;
+  /**
+   * Conversation ID. Used for tagging runs and correlating messages.
+   * @default crypto.randomUUID()
+   */
+  id?: string;
+  /** Client data included in every request. Typed from the agent's clientDataSchema. */
+  clientData?: InferChatClientData<TAgent>;
+  /**
+   * Restore a previous session. Pass `lastEventId` from a previous
+   * request to resume the SSE stream without replaying old chunks.
+   */
+  session?: ChatSession;
+  /**
+   * Called when a new run is triggered for this session (initial start).
+   * Useful for telemetry / dashboard linking. The runId is the
+   * friendlyId.
+   */
+  onTriggered?: (event: { runId: string; chatId: string }) => void | Promise<void>;
+  /**
+   * Called when a turn completes. Persist `lastEventId` for stream
+   * resumption across requests.
+   */
+  onTurnComplete?: (event: {
+    chatId: string;
+    lastEventId?: string;
+  }) => void | Promise<void>;
+  /** SSE timeout in seconds. @default 120 */
+  streamTimeoutSeconds?: number;
+  /**
+   * Default trigger config used when starting a new session for this
+   * chat. Folded into `sessions.start({...triggerConfig})` body.
+   */
+  triggerConfig?: SessionTriggerConfig;
+  /**
+   * Override the Trigger.dev API base URL for the chat's `.in/append` and
+   * `.out` SSE endpoints. String form applies to both; pass a function to
+   * pick per endpoint. Defaults to `apiClientManager.baseURL` (whatever
+   * `@trigger.dev/sdk` was configured with — typically `TRIGGER_API_URL`
+   * env var).
+   *
+   * Session creation (`POST /api/v1/sessions`) and token mint
+   * (`POST /api/v1/auth/jwt/claims`) still flow through
+   * `apiClientManager` — pass equivalent options to
+   * `chat.createStartSessionAction` if you need those routed too.
+   */
+  baseURL?: string | AgentChatBaseURLResolver;
+  /**
+   * Optional per-request fetch override. Receives the resolved URL, the
+   * RequestInit, and endpoint context. Use this for header injection
+   * (tracing), proxy routing, or custom retries. Applies to both the
+   * `.in/append` POSTs and the `.out` SSE GET.
+   */
+  fetch?: AgentChatFetchOverride;
+};
+
+// ─── ChatStream ────────────────────────────────────────────────────
+
+/** Parsed tool call from the stream. */
+export type ChatToolCall = {
+  toolName: string;
+  toolCallId: string;
+  input: unknown;
+};
+
+/** Parsed tool result from the stream. */
+export type ChatToolResult = {
+  toolCallId: string;
+  output: unknown;
+};
+
+/** Accumulated result after a stream completes. */
+export type ChatStreamResult = {
+  text: string;
+  toolCalls: ChatToolCall[];
+  toolResults: ChatToolResult[];
+};
+
+/**
+ * A single turn's response stream from an agent.
+ *
+ * Pick one consumption mode:
+ * - `for await (const chunk of stream)` — typed UIMessageChunk iteration
+ * - `await stream.result()` — accumulated `{ text, toolCalls, toolResults }`
+ * - `await stream.text()` — just the text
+ * - `yield* stream.messages()` — sub-agent pattern (yields UIMessage snapshots)
+ */
+export class ChatStream {
+  private readonly _consumerStream: ReadableStream<UIMessageChunk>;
+  private readonly _messageCollector?: Promise<void>;
+  private resultPromise: Promise<ChatStreamResult> | undefined;
+  /** @internal Last UIMessage snapshot from the assistant's response. */
+  private lastAssistantMessage: UIMessage | undefined;
+  /** @internal Callback to capture the assistant's response message for accumulation. */
+  private readonly onAssistantMessage?: (message: UIMessage) => void;
+
+  constructor(
+    stream: ReadableStream<UIMessageChunk>,
+    onAssistantMessage?: (message: UIMessage) => void
+  ) {
+    this.onAssistantMessage = onAssistantMessage;
+
+    if (onAssistantMessage) {
+      // Tee the stream: one branch for the consumer, one for message collection
+      const [consumer, collector] = stream.tee();
+      this._consumerStream = consumer;
+      this._messageCollector = (async () => {
+        for await (const msg of readUIMessageStream({ stream: collector })) {
+          this.lastAssistantMessage = msg;
+        }
+        if (this.lastAssistantMessage) {
+          onAssistantMessage(this.lastAssistantMessage);
+        }
+      })();
+    } else {
+      this._consumerStream = stream;
+    }
+  }
+
+  /** The raw ReadableStream for direct use with AI SDK utilities. */
+  get stream(): ReadableStream<UIMessageChunk> {
+    return this._consumerStream;
+  }
+
+  async *[Symbol.asyncIterator](): AsyncIterableIterator<UIMessageChunk> {
+    const reader = this._consumerStream.getReader();
+    try {
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        yield value;
+      }
+    } finally {
+      reader.releaseLock();
+    }
+  }
+
+  /**
+   * Yields accumulated UIMessage snapshots for the sub-agent tool pattern.
+   *
+   * @example
+   * ```ts
+   * const stream = await chat.sendMessage("Research this topic");
+   * yield* stream.messages();
+   * ```
+   */
+  async *messages(): AsyncGenerator<UIMessage, void, unknown> {
+    for await (const message of readUIMessageStream({ stream: this._consumerStream })) {
+      this.lastAssistantMessage = message;
+      yield message;
+    }
+    // When the constructor set up `_messageCollector` (because
+    // `onAssistantMessage` was provided), that collector IIFE owns
+    // firing the callback. Skipping it here prevents a double-invoke.
+    if (this.lastAssistantMessage && this.onAssistantMessage && !this._messageCollector) {
+      this.onAssistantMessage(this.lastAssistantMessage);
+    }
+  }
+
+  /** Consume the stream and return the accumulated result. */
+  result(): Promise<ChatStreamResult> {
+    if (!this.resultPromise) {
+      this.resultPromise = this.consumeStream();
+    }
+    return this.resultPromise;
+  }
+
+  /** Consume the stream and return just the text. */
+  async text(): Promise<string> {
+    return (await this.result()).text;
+  }
+
+  private async consumeStream(): Promise<ChatStreamResult> {
+    let text = "";
+    const toolCalls: ChatToolCall[] = [];
+    const toolResults: ChatToolResult[] = [];
+
+    for await (const chunk of this) {
+      if (chunk.type === "text-delta") {
+        text += chunk.delta;
+      } else if (chunk.type === "tool-input-available") {
+        toolCalls.push({
+          toolName: chunk.toolName,
+          toolCallId: chunk.toolCallId,
+          input: chunk.input,
+        });
+      } else if (chunk.type === "tool-output-available") {
+        toolResults.push({
+          toolCallId: chunk.toolCallId,
+          output: chunk.output,
+        });
+      }
+    }
+
+    return { text, toolCalls, toolResults };
+  }
+}
+
+// ─── Internal ──────────────────────────────────────────────────────
+
+type SessionState = {
+  lastEventId?: string;
+  skipToTurnComplete?: boolean;
+  /** True after the session has been started (sessions.start). */
+  started: boolean;
+};
+
+// ─── AgentChat ─────────────────────────────────────────────────────
+
+/**
+ * A chat conversation with a Trigger.dev agent.
+ *
+ * @example
+ * ```ts
+ * // Simple usage
+ * const chat = new AgentChat<typeof myAgent>({ agent: "my-agent" });
+ * const text = await (await chat.sendMessage("Hello")).text();
+ * await chat.close();
+ *
+ * // Stateless request handler — persist and restore session
+ * const chat = new AgentChat<typeof myAgent>({
+ *   agent: "my-agent",
+ *   id: chatId,
+ *   session: { lastEventId: savedLastEventId },
+ *   onTriggered: ({ runId }) => db.save(chatId, { runId }),
+ *   onTurnComplete: ({ lastEventId }) => db.update(chatId, { lastEventId }),
+ * });
+ * ```
+ */
+export class AgentChat<TAgent = unknown> {
+  private readonly taskId: string;
+  private readonly chatId: string;
+  private readonly streamTimeoutSeconds: number;
+  private readonly clientData: Record<string, unknown> | undefined;
+  private readonly triggerConfigDefault: SessionTriggerConfig | undefined;
+  private readonly onTriggered: AgentChatOptions["onTriggered"];
+  private readonly onTurnComplete: AgentChatOptions["onTurnComplete"];
+  private readonly baseURLResolver: AgentChatBaseURLResolver;
+  private readonly fetchOverride: AgentChatFetchOverride | undefined;
+
+  private state: SessionState;
+
+  constructor(options: AgentChatOptions<TAgent>) {
+    this.taskId = options.agent;
+    this.chatId = options.id ?? crypto.randomUUID();
+    this.streamTimeoutSeconds = options.streamTimeoutSeconds ?? 120;
+    this.clientData = options.clientData as Record<string, unknown> | undefined;
+    this.triggerConfigDefault = options.triggerConfig;
+    this.onTriggered = options.onTriggered;
+    this.onTurnComplete = options.onTurnComplete;
+    const baseURLOption = options.baseURL;
+    this.baseURLResolver = typeof baseURLOption === "function"
+      ? baseURLOption
+      : () => baseURLOption ?? apiClientManager.baseURL ?? "https://api.trigger.dev";
+    this.fetchOverride = options.fetch;
+
+    // Hydration: a non-empty `session` means the caller knows the
+    // session already exists (started in a previous request). Mark
+    // `started` so we don't re-`sessions.start()` on first message.
+    const hydrated = !!options.session;
+    this.state = {
+      lastEventId: options.session?.lastEventId,
+      started: hydrated,
+    };
+  }
+
+  /** The conversation ID. */
+  get id(): string {
+    return this.chatId;
+  }
+
+  /** Persistable session state — pass back via `options.session` to resume. */
+  get session(): ChatSession {
+    return { lastEventId: this.state.lastEventId };
+  }
+
+  /**
+   * Eagerly start the session — creates the row and triggers the first
+   * run. The agent's `onPreload` hook fires immediately. Idempotent: a
+   * second call is a no-op.
+   */
+  async preload(options?: { idleTimeoutInSeconds?: number }): Promise<ChatSession> {
+    await this.ensureStarted({ idleTimeoutInSeconds: options?.idleTimeoutInSeconds });
+    return this.session;
+  }
+
+  /**
+   * Send a text message and get the response stream.
+   *
+   * @example
+   * ```ts
+   * const stream = await chat.sendMessage("Review PR #1");
+   * const text = await stream.text();
+   * ```
+   */
+  async sendMessage(
+    text: string,
+    options?: { abortSignal?: AbortSignal }
+  ): Promise<ChatStream> {
+    const msgId = `msg-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    const message: UIMessage = {
+      id: msgId,
+      role: "user",
+      parts: [{ type: "text", text }],
+    };
+
+    const rawStream = await this.sendRaw([message], { abortSignal: options?.abortSignal });
+    return new ChatStream(rawStream);
+  }
+
+  /** Send raw UIMessage-like objects. Use `sendMessage()` for simple text. */
+  async sendRaw(
+    messages: UIMessage[] | Array<{
+      id: string;
+      role: string;
+      parts?: unknown[];
+      [key: string]: unknown;
+    }>,
+    options?: {
+      trigger?: "submit-message" | "regenerate-message";
+      abortSignal?: AbortSignal;
+    }
+  ): Promise<ReadableStream<UIMessageChunk>> {
+    const triggerType = options?.trigger ?? "submit-message";
+
+    // Make sure the session exists (and a run is alive). The .in/append
+    // handler on the server probes currentRunId on every call and
+    // re-triggers if needed — so we don't need to track runId here.
+    await this.ensureStarted();
+
+    // Slim wire — at most ONE message per record. The agent rebuilds prior
+    // history from its durable S3 snapshot + session.out replay at run
+    // boot (or `hydrateMessages` if registered).
+    //
+    // For `submit-message`, assistant messages carrying resolved tool parts
+    // (HITL `addToolOutput` answers) are slimmed to just the resolution
+    // payload — reasoning blobs, text, and tool `input` come from the
+    // agent's authoritative chain. `regenerate-message` omits `message`.
+    if (triggerType === "submit-message" && messages.length === 0) {
+      throw new Error(
+        "AgentChat.sendRaw: 'submit-message' trigger requires at least one message"
+      );
+    }
+    const lastIfSubmit =
+      triggerType === "submit-message"
+        ? slimSubmitMessageForWire(messages.at(-1) as UIMessage | undefined)
+        : undefined;
+    const payload: ChatTaskWirePayload = {
+      ...(lastIfSubmit ? { message: lastIfSubmit } : {}),
+      chatId: this.chatId,
+      trigger: triggerType,
+      metadata: this.clientData,
+    } as ChatTaskWirePayload;
+
+    await this.appendInputChunk(serializeInputChunk({ kind: "message", payload }));
+
+    return this.subscribeToSessionStream(options?.abortSignal);
+  }
+
+  /** Send a steering message during an active stream. */
+  async steer(text: string): Promise<boolean> {
+    if (!this.state.started) return false;
+
+    const payload: ChatTaskWirePayload = {
+      message: {
+        id: `steer-${Date.now()}`,
+        role: "user",
+        parts: [{ type: "text", text }],
+      } as unknown as UIMessage,
+      chatId: this.chatId,
+      trigger: "submit-message" as const,
+      metadata: this.clientData,
+    };
+
+    try {
+      await this.appendInputChunk(serializeInputChunk({ kind: "message", payload }));
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  /** Stop the current generation (agent stays alive for next turn). */
+  async stop(): Promise<void> {
+    if (!this.state.started) return;
+
+    this.state.skipToTurnComplete = true;
+    await this.appendInputChunk(serializeInputChunk({ kind: "stop" })).catch(() => {});
+  }
+
+  /**
+   * Hand over from a `chat.handover` route handler to a parked
+   * `handover-prepare` agent run. Wakes the run, which seeds its
+   * accumulators with `partialAssistantMessage` and continues from
+   * tool execution onward — the model call for step 1 is skipped.
+   *
+   * Used internally by `chat.handover`; not part of the customer
+   * surface.
+   */
+  async sendHandover(args: {
+    partialAssistantMessage: ModelMessage[];
+    /**
+     * UI messageId from the customer's step-1 stream — propagated to
+     * the agent so its post-handover chunks merge into the same
+     * assistant message on the browser.
+     */
+    messageId?: string;
+    /**
+     * Whether the customer's step 1 is the final response (pure-text
+     * finish). When true, the agent runs hooks but skips the LLM
+     * call. When false, the agent runs `streamText` which executes
+     * pending tool-calls and continues from step 2.
+     */
+    isFinal: boolean;
+  }): Promise<void> {
+    await this.appendInputChunk(
+      serializeInputChunk({
+        kind: "handover",
+        partialAssistantMessage: args.partialAssistantMessage,
+        messageId: args.messageId,
+        isFinal: args.isFinal,
+      })
+    );
+  }
+
+  /**
+   * Tell a parked `handover-prepare` agent run that the customer's
+   * first turn finished pure-text (no tool calls) — the run exits
+   * cleanly without making an LLM call.
+   *
+   * Used internally by `chat.handover`; not part of the customer
+   * surface.
+   */
+  async sendHandoverSkip(): Promise<void> {
+    await this.appendInputChunk(serializeInputChunk({ kind: "handover-skip" }));
+  }
+
+  /**
+   * Send a custom action to the agent.
+   *
+   * Actions are not turns. They wake the agent, fire `hydrateMessages`
+   * (if configured) and `onAction` only — no `onTurnStart` /
+   * `prepareMessages` / `onBeforeTurnComplete` / `onTurnComplete`, no
+   * `run()` invocation.
+   *
+   * The action payload is validated against the agent's `actionSchema`
+   * on the backend. Use `chat.history.*` inside `onAction` to mutate
+   * state. To produce a model response from the action, return a
+   * `StreamTextResult` (or `string` / `UIMessage`) from `onAction` —
+   * the returned stream is auto-piped over this stream. When `onAction`
+   * returns `void`, the action is side-effect-only and the returned
+   * stream completes immediately with `trigger:turn-complete`.
+   *
+   * @returns A `ChatStream`. For void actions the stream completes
+   * immediately. For actions that return a model response, the stream
+   * carries the assistant chunks.
+   *
+   * @example
+   * ```ts
+   * const stream = await agentChat.sendAction({ type: "undo" });
+   * for await (const chunk of stream) {
+   *   if (chunk.type === "text-delta") process.stdout.write(chunk.delta);
+   * }
+   * ```
+   */
+  async sendAction(
+    action: unknown,
+    options?: { abortSignal?: AbortSignal }
+  ): Promise<ChatStream> {
+    await this.ensureStarted();
+
+    const payload: ChatTaskWirePayload = {
+      chatId: this.chatId,
+      trigger: "action" as const,
+      action,
+      metadata: this.clientData,
+    };
+
+    try {
+      await this.appendInputChunk(serializeInputChunk({ kind: "message", payload }));
+    } catch {
+      throw new Error("Failed to send action. The session may have ended.");
+    }
+
+    const rawStream = this.subscribeToSessionStream(options?.abortSignal);
+    return new ChatStream(rawStream);
+  }
+
+  /** Close the conversation — agent exits its loop gracefully. */
+  async close(): Promise<boolean> {
+    if (!this.state.started) return false;
+
+    try {
+      await this.appendInputChunk(
+        serializeInputChunk({
+          kind: "message",
+          payload: {
+            chatId: this.chatId,
+            trigger: "close",
+          } satisfies ChatTaskWirePayload,
+        })
+      );
+      this.state = { ...this.state, started: false };
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  /** Reconnect to the response stream (e.g. after a disconnect). */
+  async reconnect(
+    abortSignal?: AbortSignal
+  ): Promise<ReadableStream<UIMessageChunk> | null> {
+    if (!this.state.started) return null;
+    return this.subscribeToSessionStream(abortSignal, { sendStopOnAbort: false });
+  }
+
+  // ─── Private ───────────────────────────────────────────────────
+
+  private resolveBaseURL(endpoint: AgentChatEndpoint): string {
+    return this.baseURLResolver({ endpoint, chatId: this.chatId }).replace(/\/$/, "");
+  }
+
+  private async doFetch(
+    ctx: AgentChatEndpointContext,
+    url: string,
+    init: RequestInit
+  ): Promise<Response> {
+    return this.fetchOverride ? this.fetchOverride(url, init, ctx) : fetch(url, init);
+  }
+
+  private async appendInputChunk(body: string): Promise<void> {
+    const accessToken = apiClientManager.accessToken ?? "";
+    const ctx: AgentChatEndpointContext = { endpoint: "in", chatId: this.chatId };
+    const url = `${this.resolveBaseURL("in")}/realtime/v1/sessions/${encodeURIComponent(this.chatId)}/in/append`;
+    const headers: Record<string, string> = {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${accessToken}`,
+      "x-trigger-source": "sdk",
+      // Idempotency key: the server skips appends whose part id it has
+      // already committed, so a retried POST can't duplicate the record.
+      "X-Part-Id": crypto.randomUUID(),
+    };
+    const response = await this.doFetch(ctx, url, { method: "POST", headers, body });
+    if (!response.ok) {
+      const text = await response.text().catch(() => "");
+      // Match the error shape that ApiClient/zodfetch produced before the
+      // inline-POST refactor so callers inspecting `error.name ===
+      // "TriggerApiError"` or `error.status` keep working.
+      const err = new Error(`appendToSessionStream failed: ${response.status} ${text}`) as Error & {
+        name: string;
+        status: number;
+      };
+      err.name = "TriggerApiError";
+      err.status = response.status;
+      throw err;
+    }
+  }
+
+  /**
+   * Idempotent: `sessions.start` upserts on `(env, externalId)`. Two
+   * concurrent AgentChat instances on the same chatId converge to the
+   * same session.
+   */
+  private async ensureStarted(options?: { idleTimeoutInSeconds?: number }): Promise<void> {
+    if (this.state.started) return;
+
+    const triggerConfig: SessionTriggerConfig = {
+      basePayload: {
+        // `trigger: "preload"` mirrors the browser-mediated
+        // `chat.createStartSessionAction` shape so the agent runtime fires
+        // `onPreload` (not `onChatStart` with `preloaded: true`). Without
+        // this, AgentChat's first run skips both preload and start hooks,
+        // which is where customer apps typically upsert their Chat row.
+        // Slim wire — preload carries no message body.
+        trigger: "preload",
+        ...(this.triggerConfigDefault?.basePayload ?? {}),
+        chatId: this.chatId,
+        ...(this.clientData ? { metadata: this.clientData } : {}),
+      },
+      ...(this.triggerConfigDefault?.machine
+        ? { machine: this.triggerConfigDefault.machine }
+        : {}),
+      ...(this.triggerConfigDefault?.queue
+        ? { queue: this.triggerConfigDefault.queue }
+        : {}),
+      ...(this.triggerConfigDefault?.tags
+        ? { tags: this.triggerConfigDefault.tags }
+        : {}),
+      ...(this.triggerConfigDefault?.maxAttempts !== undefined
+        ? { maxAttempts: this.triggerConfigDefault.maxAttempts }
+        : {}),
+      ...(options?.idleTimeoutInSeconds !== undefined ||
+      this.triggerConfigDefault?.idleTimeoutInSeconds !== undefined
+        ? {
+            idleTimeoutInSeconds:
+              options?.idleTimeoutInSeconds ??
+              this.triggerConfigDefault?.idleTimeoutInSeconds!,
+          }
+        : {}),
+    };
+
+    const created = await sessions.start({
+      type: "chat.agent",
+      externalId: this.chatId,
+      taskIdentifier: this.taskId,
+      triggerConfig,
+    });
+
+    this.state.started = true;
+    await this.onTriggered?.({
+      runId: created.runId,
+      chatId: this.chatId,
+    });
+  }
+
+  private subscribeToSessionStream(
+    abortSignal: AbortSignal | undefined,
+    options?: { sendStopOnAbort?: boolean }
+  ): ReadableStream<UIMessageChunk> {
+    const state = this.state;
+    const accessToken = apiClientManager.accessToken ?? "";
+    const onTurnComplete = this.onTurnComplete;
+    const chatId = this.chatId;
+    const sseCtx: AgentChatEndpointContext = { endpoint: "out", chatId };
+    const fetchOverride = this.fetchOverride;
+    const sseFetchClient: typeof fetch | undefined = fetchOverride
+      ? ((input, init) => {
+          if (typeof input === "string") {
+            return fetchOverride(input, init ?? {}, sseCtx);
+          }
+          if (input instanceof URL) {
+            return fetchOverride(input.toString(), init ?? {}, sseCtx);
+          }
+          // Request — preserve its url + intrinsic init, let any provided
+          // init override on top (matches fetch(Request, init) semantics).
+          return fetchOverride(
+            input.url,
+            {
+              method: input.method,
+              headers: input.headers,
+              signal: input.signal,
+              ...(init ?? {}),
+            },
+            sseCtx
+          );
+        }) as typeof fetch
+      : undefined;
+
+    const internalAbort = new AbortController();
+    const combinedSignal = abortSignal
+      ? AbortSignal.any([abortSignal, internalAbort.signal])
+      : internalAbort.signal;
+
+    if (abortSignal) {
+      abortSignal.addEventListener(
+        "abort",
+        () => {
+          if (options?.sendStopOnAbort !== false) {
+            state.skipToTurnComplete = true;
+            this.appendInputChunk(serializeInputChunk({ kind: "stop" })).catch(() => {});
+          }
+          internalAbort.abort();
+        },
+        { once: true }
+      );
+    }
+
+    const streamUrl = `${this.resolveBaseURL("out")}/realtime/v1/sessions/${encodeURIComponent(chatId)}/out`;
+
+    return new ReadableStream<UIMessageChunk>({
+      start: async (controller) => {
+        try {
+          const subscription = new SSEStreamSubscription(streamUrl, {
+            headers: {
+              Authorization: `Bearer ${accessToken}`,
+            },
+            signal: combinedSignal,
+            timeoutInSeconds: this.streamTimeoutSeconds,
+            lastEventId: state.lastEventId,
+            fetchClient: sseFetchClient,
+          });
+          const sseStream = await subscription.subscribe();
+          const reader = sseStream.getReader();
+
+          try {
+            while (true) {
+              const next = await reader.read();
+              if (next.done) {
+                controller.close();
+                return;
+              }
+
+              if (combinedSignal.aborted) {
+                internalAbort.abort();
+                await reader.cancel();
+                controller.close();
+                return;
+              }
+
+              const value = next.value;
+
+              if (value.id) state.lastEventId = value.id;
+
+              // Trigger control records (turn-complete, upgrade-required)
+              // route by header — see `client-protocol.mdx`. Their bodies
+              // are empty; everything substantive is on `value.headers`.
+              //
+              // Cross-version bridge: an old agent SDK still writing
+              // turn-complete / upgrade-required as `chunk.type` data
+              // records would otherwise stall this loop. Fall back to
+              // the legacy chunk-type form when no header is present
+              // so the deploy-skew window between an `AgentChat`
+              // consumer and a not-yet-redeployed agent doesn't hang.
+              let controlValue = controlSubtype(value.headers);
+              if (!controlValue && value.chunk && typeof value.chunk === "object") {
+                const chunk = value.chunk as { type?: unknown };
+                if (chunk.type === "trigger:turn-complete") {
+                  controlValue = TRIGGER_CONTROL_SUBTYPE.TURN_COMPLETE;
+                } else if (chunk.type === "trigger:upgrade-required") {
+                  controlValue = TRIGGER_CONTROL_SUBTYPE.UPGRADE_REQUIRED;
+                } else if (typeof chunk.type === "string" && chunk.type.startsWith("trigger:")) {
+                  // Future / unknown `trigger:*` legacy control type —
+                  // drop so it doesn't leak as a UIMessageChunk.
+                  continue;
+                }
+              }
+
+              if (state.skipToTurnComplete) {
+                if (controlValue === TRIGGER_CONTROL_SUBTYPE.TURN_COMPLETE) {
+                  state.skipToTurnComplete = false;
+                }
+                continue;
+              }
+
+              if (controlValue === TRIGGER_CONTROL_SUBTYPE.UPGRADE_REQUIRED) {
+                // Server has already triggered the new run via
+                // `end-and-continue`; v2's chunks arrive on the same
+                // S2 stream. Filter the marker for cleanliness and
+                // keep reading.
+                continue;
+              }
+
+              if (controlValue === TRIGGER_CONTROL_SUBTYPE.TURN_COMPLETE) {
+                // Customer's callback may be async (e.g. persisting
+                // lastEventId to a DB). Wrap so a rejected Promise
+                // doesn't surface as an unhandled rejection — that
+                // would crash Node under `--unhandled-rejections=throw`.
+                Promise.resolve(
+                  onTurnComplete?.({
+                    chatId,
+                    lastEventId: state.lastEventId,
+                  })
+                ).catch(() => {});
+                internalAbort.abort();
+                try {
+                  controller.close();
+                } catch {
+                  // Controller may already be closed
+                }
+                return;
+              }
+
+              // Data record — `value.chunk` is the parsed UIMessageChunk
+              // (the SSE parser does the JSON envelope unwrap). Drop
+              // empty/malformed payloads defensively.
+              if (value.chunk == null) continue;
+              controller.enqueue(value.chunk as UIMessageChunk);
+            }
+          } catch (readError) {
+            reader.releaseLock();
+            throw readError;
+          }
+        } catch (error) {
+          if (error instanceof Error && error.name === "AbortError") {
+            try {
+              controller.close();
+            } catch {
+              // Controller may already be closed
+            }
+            return;
+          }
+          controller.error(error);
+        }
+      },
+    });
+  }
+}
+
+/**
+ * Serialize a {@link ChatInputChunk} for `POST …/sessions/:session/:io/append`.
+ * Session channel records are raw JSON strings — the server wraps them
+ * in `{ data: <body>, id }` for S2 storage and the subscribe side
+ * parses the string back for consumers.
+ */
+function serializeInputChunk(chunk: ChatInputChunk): string {
+  return JSON.stringify(chunk);
+}
diff --git a/packages/trigger-sdk/src/v3/chat-react.ts b/packages/trigger-sdk/src/v3/chat-react.ts
new file mode 100644
index 00000000000..495e235083d
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/chat-react.ts
@@ -0,0 +1,463 @@
+"use client";
+
+/**
+ * @module @trigger.dev/sdk/chat/react
+ *
+ * React hooks for AI SDK chat transport integration.
+ * Use alongside `@trigger.dev/sdk/chat` for a type-safe, ergonomic DX.
+ *
+ * @example
+ * ```tsx
+ * import { useChat } from "@ai-sdk/react";
+ * import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+ * import type { chat } from "@/trigger/chat";
+ *
+ * function Chat() {
+ *   const transport = useTriggerChatTransport<typeof chat>({
+ *     task: "ai-chat",
+ *     accessToken: ({ chatId }) => fetchToken(chatId),
+ *   });
+ *
+ *   const { messages, sendMessage } = useChat({ transport });
+ * }
+ * ```
+ */
+
+import { useCallback, useEffect, useRef, useState } from "react";
+import { TriggerChatTransport, type TriggerChatTransportOptions } from "./chat.js";
+import type { AnyTask, TaskIdentifier } from "@trigger.dev/core/v3";
+import {
+  PENDING_MESSAGE_INJECTED_TYPE,
+  type InferChatClientData,
+  type InferChatUIMessage,
+} from "./ai-shared.js";
+import type { UIMessage, ChatRequestOptions } from "ai";
+
+/**
+ * Options for `useTriggerChatTransport`, with a type-safe `task` field.
+ *
+ * Pass a task type parameter to get compile-time validation of the task ID:
+ * ```ts
+ * useTriggerChatTransport<typeof myTask>({ task: "my-task", ... })
+ * ```
+ */
+export type UseTriggerChatTransportOptions<TTask extends AnyTask = AnyTask> = Omit<
+  TriggerChatTransportOptions<InferChatClientData<TTask>>,
+  "task"
+> & {
+  /** The task ID. Strongly typed when a task type parameter is provided. */
+  task: TaskIdentifier<TTask>;
+};
+
+export type { InferChatUIMessage };
+
+/**
+ * React hook that creates and memoizes a `TriggerChatTransport` instance.
+ *
+ * The transport is created once on first render and reused for the lifetime
+ * of the component. This avoids the need for `useMemo` and ensures the
+ * transport's internal session state (run IDs, lastEventId, etc.)
+ * is preserved across re-renders.
+ *
+ * For dynamic access tokens, pass a function — it will be called on each
+ * request without needing to recreate the transport.
+ *
+ * The `onSessionChange` callback is kept in a ref so the transport always
+ * calls the latest version without needing to be recreated.
+ *
+ * @example
+ * ```tsx
+ * import { useChat } from "@ai-sdk/react";
+ * import { useTriggerChatTransport } from "@trigger.dev/sdk/chat/react";
+ * import type { chat } from "@/trigger/chat";
+ *
+ * function Chat() {
+ *   const transport = useTriggerChatTransport<typeof chat>({
+ *     task: "ai-chat",
+ *     accessToken: ({ chatId }) => fetchToken(chatId),
+ *   });
+ *
+ *   const { messages, sendMessage } = useChat({ transport });
+ * }
+ * ```
+ */
+export function useTriggerChatTransport<TTask extends AnyTask = AnyTask>(
+  options: UseTriggerChatTransportOptions<TTask>
+): TriggerChatTransport {
+  const ref = useRef<TriggerChatTransport | null>(null);
+  if (ref.current === null) {
+    ref.current = new TriggerChatTransport(options as TriggerChatTransportOptions);
+  }
+
+  // Keep callbacks up to date without recreating the transport.
+  const { onSessionChange, clientData } = options;
+  useEffect(() => {
+    ref.current?.setOnSessionChange(onSessionChange);
+  }, [onSessionChange]);
+
+  // Keep `clientData` up to date so the transport's per-turn merge and
+  // `startSession` callback both see the latest value without
+  // reconstructing the transport.
+  useEffect(() => {
+    ref.current?.setClientData(clientData as Record<string, unknown> | undefined);
+  }, [clientData]);
+
+  // Note: dispose() is NOT called in effect cleanup because React strict mode
+  // runs cleanup+re-setup, but the transport lives in a ref and isn't recreated.
+  // Calling dispose() would permanently close the BroadcastChannel.
+  // The coordinator's beforeunload handler handles tab close cleanup instead.
+
+  return ref.current;
+}
+
+/**
+ * Sync chat messages across browser tabs.
+ *
+ * Requires `multiTab: true` on the transport. Handles:
+ * - Tracking read-only state (`isReadOnly`) when another tab is active
+ * - Broadcasting messages from the active tab to other tabs
+ * - Receiving messages from other tabs and updating local state via `setMessages`
+ *
+ * @example
+ * ```tsx
+ * const transport = useTriggerChatTransport({ task: "my-chat", multiTab: true, accessToken });
+ * const { messages, setMessages } = useChat({ id: chatId, transport });
+ * const { isReadOnly } = useMultiTabChat(transport, chatId, messages, setMessages);
+ *
+ * <input disabled={isReadOnly} placeholder={isReadOnly ? "Active in another tab" : "Type a message..."} />
+ * ```
+ */
+export function useMultiTabChat<T = unknown>(
+  transport: TriggerChatTransport,
+  chatId: string,
+  messages: T[],
+  setMessages: (messages: T[]) => void
+): { isReadOnly: boolean } {
+  const [isReadOnly, setIsReadOnly] = useState(() => transport.isReadOnly(chatId));
+
+  // Track read-only state
+  useEffect(() => {
+    const listener = (id: string, readOnly: boolean) => {
+      if (id === chatId) setIsReadOnly(readOnly);
+    };
+    transport.addReadOnlyListener(listener);
+    setIsReadOnly(transport.isReadOnly(chatId));
+    return () => transport.removeReadOnlyListener(listener);
+  }, [transport, chatId]);
+
+  // Active tab: broadcast messages to other tabs on change.
+  // Only broadcast when THIS tab holds the claim (is the current sender).
+  // Deferred via requestIdleCallback so the structured clone in
+  // BroadcastChannel.postMessage never blocks rendering during streaming.
+  const idleRef = useRef<number | ReturnType<typeof setTimeout> | null>(null);
+  const latestMessagesRef = useRef(messages);
+  latestMessagesRef.current = messages;
+
+  useEffect(() => {
+    if (!transport.hasClaim(chatId) || messages.length === 0) return;
+    if (idleRef.current !== null) return; // Already scheduled
+
+    const schedule =
+      typeof requestIdleCallback === "function"
+        ? requestIdleCallback
+        : (fn: () => void) => setTimeout(fn, 50);
+
+    idleRef.current = schedule(() => {
+      idleRef.current = null;
+      if (transport.hasClaim(chatId)) {
+        transport.broadcastMessages(chatId, latestMessagesRef.current as unknown[]);
+      }
+    });
+  }, [transport, chatId, messages]);
+
+  // Flush final state when claim is released (turn complete)
+  useEffect(() => {
+    if (!transport.hasClaim(chatId) && latestMessagesRef.current.length > 0) {
+      if (idleRef.current !== null) {
+        const cancel =
+          typeof cancelIdleCallback === "function"
+            ? cancelIdleCallback
+            : clearTimeout;
+        cancel(idleRef.current as any);
+        idleRef.current = null;
+      }
+      transport.broadcastMessages(chatId, latestMessagesRef.current as unknown[]);
+    }
+  }, [transport, chatId, isReadOnly]);
+
+  // Read-only tab: receive messages from the active tab
+  useEffect(() => {
+    const listener = (id: string, msgs: unknown[]) => {
+      if (id === chatId) {
+        setMessages(msgs as T[]);
+      }
+    };
+    transport.addMessagesListener(listener);
+    return () => transport.removeMessagesListener(listener);
+  }, [transport, chatId, setMessages]);
+
+  return { isReadOnly };
+}
+
+// ---------------------------------------------------------------------------
+// usePendingMessages — manage steering messages during streaming
+// ---------------------------------------------------------------------------
+
+/** A pending message tracked by `usePendingMessages`. */
+export type PendingMessage = {
+  id: string;
+  text: string;
+  /** How this message is being handled. */
+  mode: "steering" | "queued";
+  /** Whether the backend confirmed this message was injected mid-response. */
+  injected: boolean;
+};
+
+/** Options for `usePendingMessages`. */
+export type UsePendingMessagesOptions<TUIMessage extends UIMessage = UIMessage> = {
+  /** The chat transport instance. */
+  transport: TriggerChatTransport;
+  /** The chat session ID. */
+  chatId: string;
+  /** The current useChat status. */
+  status: string;
+  /** The current messages from useChat. */
+  messages: TUIMessage[];
+  /** The setMessages function from useChat. */
+  setMessages: (fn: TUIMessage[] | ((prev: TUIMessage[]) => TUIMessage[])) => void;
+  /** The sendMessage function from useChat. */
+  sendMessage: (message: { text: string }, options?: ChatRequestOptions) => void;
+  /** Metadata to include when sending (e.g. `{ model }` for model selection). */
+  metadata?: Record<string, unknown>;
+};
+
+/** A message embedded in an injection point data part. */
+export type InjectedMessage = {
+  id: string;
+  text: string;
+};
+
+/** Return value of `usePendingMessages`. */
+export type UsePendingMessagesReturn = {
+  /** Current pending messages with their mode and injection status. */
+  pending: PendingMessage[];
+  /** Send a steering message during streaming, or a normal message when ready. */
+  steer: (text: string) => void;
+  /** Queue a message for the next turn (sent after current response finishes). */
+  queue: (text: string) => void;
+  /** Promote a queued message to a steering message (sends via input stream immediately). */
+  promoteToSteering: (id: string) => void;
+  /** Check if an assistant message part is an injection point. */
+  isInjectionPoint: (part: unknown) => boolean;
+  /** Get the injected message IDs from an injection point part. */
+  getInjectedMessageIds: (part: unknown) => string[];
+  /** Get the injected messages (id + text) from an injection point part. Self-contained — works after turn complete. */
+  getInjectedMessages: (part: unknown) => InjectedMessage[];
+};
+
+/**
+ * React hook for managing pending messages (steering) during streaming.
+ *
+ * Handles:
+ * - Sending messages via input stream during streaming (bypassing useChat)
+ * - Tracking which messages were injected mid-response vs queued for next turn
+ * - Inserting injected messages into the conversation on turn complete
+ * - Auto-sending non-injected messages as the next turn
+ *
+ * @example
+ * ```tsx
+ * const pending = usePendingMessages({
+ *   transport, chatId, status, messages, setMessages, sendMessage,
+ *   metadata: { model },
+ * });
+ *
+ * // In the form:
+ * <form onSubmit={(e) => {
+ *   e.preventDefault();
+ *   pending.send(input);
+ *   setInput("");
+ * }}>
+ *
+ * // Render pending messages:
+ * {pending.pending.map(msg => (
+ *   <div key={msg.id}>{msg.text} — {msg.injected ? "Injected" : "Pending"}</div>
+ * ))}
+ *
+ * // Render injection points inline in assistant messages:
+ * {msg.parts.map((part, i) =>
+ *   pending.isInjectionPoint(part)
+ *     ? <InjectionMarker key={i} ids={pending.getInjectedMessageIds(part)} />
+ *     : <Part key={i} part={part} />
+ * )}
+ * ```
+ */
+export function usePendingMessages<TUIMessage extends UIMessage = UIMessage>(
+  options: UsePendingMessagesOptions<TUIMessage>
+): UsePendingMessagesReturn {
+  const { transport, chatId, status, messages, setMessages, sendMessage, metadata } = options;
+
+  // Internal state: track messages with their mode
+  type InternalMessage = TUIMessage & { _mode: "steering" | "queued" };
+  const [pendingMsgs, setPendingMsgs] = useState<InternalMessage[]>([]);
+  const pendingMsgsRef = useRef(pendingMsgs);
+  pendingMsgsRef.current = pendingMsgs;
+  const injectedIdsRef = useRef<Set<string>>(new Set());
+  const prevStatusRef = useRef(status);
+
+  // Watch for injection confirmation chunks in streaming messages
+  useEffect(() => {
+    if (status !== "streaming") return;
+    let newlyInjected = false;
+    for (const msg of messages) {
+      if (msg.role !== "assistant") continue;
+      for (const part of msg.parts ?? []) {
+        if ((part as any).type === PENDING_MESSAGE_INJECTED_TYPE) {
+          const messageIds = (part as any).data?.messageIds;
+          if (Array.isArray(messageIds)) {
+            for (const id of messageIds) {
+              if (!injectedIdsRef.current.has(id)) {
+                injectedIdsRef.current.add(id);
+                newlyInjected = true;
+              }
+            }
+          }
+        }
+      }
+    }
+    // Remove injected steering messages from the pending overlay immediately
+    if (newlyInjected) {
+      setPendingMsgs((prev) => prev.filter((m) => !injectedIdsRef.current.has(m.id)));
+    }
+  }, [status, messages]);
+
+  // Handle turn completion
+  useEffect(() => {
+    const turnCompleted = prevStatusRef.current === "streaming" && status === "ready";
+    prevStatusRef.current = status;
+    if (!turnCompleted) return;
+
+    // Auto-send non-injected messages as the next turn.
+    // This includes queued messages AND steering messages that weren't
+    // injected (arrived too late, no prepareStep boundary, etc.).
+    // Note: steering messages were also sent via sendPendingMessage to
+    // the backend's wire buffer, so the backend may already have them.
+    // Calling sendMessage here ensures useChat subscribes to the response.
+    const toSend = pendingMsgs.filter((m) => !injectedIdsRef.current.has(m.id));
+
+    // Clean up
+    setPendingMsgs([]);
+    injectedIdsRef.current.clear();
+    promotedIdsRef.current.clear();
+
+    // Auto-send as next turn
+    if (toSend.length > 0) {
+      const text = toSend.map((m) => (m.parts?.[0] as any)?.text ?? "").join("\n");
+      sendMessage({ text }, metadata ? { metadata } : undefined);
+    }
+  }, [status, pendingMsgs, sendMessage, metadata, messages]);
+
+  // Send a steering message (injected mid-response via prepareStep)
+  const steer = useCallback(
+    (text: string) => {
+      if (status === "streaming") {
+        const msg = {
+          id: crypto.randomUUID(),
+          role: "user" as const,
+          parts: [{ type: "text" as const, text }],
+          _mode: "steering" as const,
+        } as InternalMessage;
+        transport.sendPendingMessage(chatId, msg, metadata);
+        setPendingMsgs((prev) => [...prev, msg]);
+      } else {
+        // Not streaming — just send normally
+        sendMessage({ text }, metadata ? { metadata } : undefined);
+      }
+    },
+    [status, transport, chatId, sendMessage, metadata]
+  );
+
+  // Queue a message for the next turn (no injection attempt)
+  const queue = useCallback(
+    (text: string) => {
+      if (status === "streaming") {
+        const msg = {
+          id: crypto.randomUUID(),
+          role: "user" as const,
+          parts: [{ type: "text" as const, text }],
+          _mode: "queued" as const,
+        } as InternalMessage;
+        setPendingMsgs((prev) => [...prev, msg]);
+      } else {
+        sendMessage({ text }, metadata ? { metadata } : undefined);
+      }
+    },
+    [status, sendMessage, metadata]
+  );
+
+  // Promote a queued message to steering (send via input stream immediately)
+  const promotedIdsRef = useRef<Set<string>>(new Set());
+  const promoteToSteering = useCallback(
+    (id: string) => {
+      // Guard against double-click — ref check is synchronous
+      if (promotedIdsRef.current.has(id)) {
+        return;
+      }
+
+      // Read from the ref, send OUTSIDE the state updater. React may invoke
+      // updaters more than once (StrictMode, update rebasing), so a network
+      // call inside one can double-send.
+      const msg = pendingMsgsRef.current.find((m) => m.id === id);
+      if (!msg || msg._mode !== "queued") return;
+      promotedIdsRef.current.add(id);
+      transport.sendPendingMessage(chatId, msg, metadata);
+
+      setPendingMsgs((prev) =>
+        prev.map((m) => (m.id === id ? { ...m, _mode: "steering" as const } : m))
+      );
+    },
+    [transport, chatId, metadata]
+  );
+
+  const isInjectionPoint = useCallback(
+    (part: unknown): boolean =>
+      typeof part === "object" &&
+      part !== null &&
+      (part as any).type === PENDING_MESSAGE_INJECTED_TYPE,
+    []
+  );
+
+  const getInjectedMessageIds = useCallback(
+    (part: unknown): string[] => {
+      if (!isInjectionPoint(part)) return [];
+      const ids = (part as any).data?.messageIds;
+      return Array.isArray(ids) ? ids : [];
+    },
+    [isInjectionPoint]
+  );
+
+  const getInjectedMessages = useCallback(
+    (part: unknown): InjectedMessage[] => {
+      if (!isInjectionPoint(part)) return [];
+      const msgs = (part as any).data?.messages;
+      return Array.isArray(msgs) ? msgs : [];
+    },
+    [isInjectionPoint]
+  );
+
+  const pending: PendingMessage[] = pendingMsgs.map((m) => ({
+    id: m.id,
+    text: (m.parts?.[0] as any)?.text ?? "",
+    mode: m._mode,
+    injected: injectedIdsRef.current.has(m.id),
+  }));
+
+  return {
+    pending,
+    steer,
+    queue,
+    promoteToSteering,
+    isInjectionPoint,
+    getInjectedMessageIds,
+    getInjectedMessages,
+  };
+}
diff --git a/packages/trigger-sdk/src/v3/chat-server.test.ts b/packages/trigger-sdk/src/v3/chat-server.test.ts
new file mode 100644
index 00000000000..dc9ef11788f
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/chat-server.test.ts
@@ -0,0 +1,617 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { simulateReadableStream, streamText } from "ai";
+import type { UIMessageChunk } from "ai";
+import { MockLanguageModelV3 } from "ai/test";
+import type { LanguageModelV3StreamPart } from "@ai-sdk/provider";
+
+// Stub `SessionStreamInstance` so the handler's S2 tee is a no-op
+// instead of trying to reach a real S2 endpoint. The real one calls
+// `apiClient.initializeSessionStream` then pipes via S2 — both are
+// out of scope for handler-shape tests.
+vi.mock("@trigger.dev/core/v3", async (importActual) => {
+  const actual = (await importActual()) as Record<string, unknown>;
+  class StubSessionStreamInstance<T> {
+    constructor(opts: { source: ReadableStream<T> }) {
+      // Drain the source so the upstream tee doesn't backpressure-stall
+      // the SSE half. We don't keep the chunks — durability/resume is
+      // out of scope here.
+      void (async () => {
+        const reader = opts.source.getReader();
+        try {
+          while (true) {
+            const { done } = await reader.read();
+            if (done) break;
+          }
+        } finally {
+          reader.releaseLock();
+        }
+      })();
+    }
+    async wait() {
+      return { written: 0 };
+    }
+  }
+  return { ...actual, SessionStreamInstance: StubSessionStreamInstance };
+});
+
+// Import AFTER the mock so chat-server picks up the stubbed class.
+import { chat } from "./chat-server.js";
+import { apiClientManager } from "@trigger.dev/core/v3";
+
+// ── Helpers ────────────────────────────────────────────────────────────
+
+function textStream(text: string): ReadableStream<LanguageModelV3StreamPart> {
+  return simulateReadableStream({
+    chunks: [
+      { type: "text-start", id: "t1" },
+      { type: "text-delta", id: "t1", delta: text },
+      { type: "text-end", id: "t1" },
+      {
+        type: "finish",
+        finishReason: { unified: "stop", raw: "stop" },
+        usage: {
+          inputTokens: { total: 5, noCache: 5, cacheRead: undefined, cacheWrite: undefined },
+          outputTokens: { total: 5, text: 5, reasoning: undefined },
+        },
+      },
+    ],
+  });
+}
+
+function toolCallStream(): ReadableStream<LanguageModelV3StreamPart> {
+  return simulateReadableStream({
+    chunks: [
+      {
+        type: "tool-call",
+        toolCallId: "tc-1",
+        toolName: "weather",
+        input: JSON.stringify({ city: "tokyo" }),
+      },
+      {
+        type: "finish",
+        finishReason: { unified: "tool-calls", raw: "tool-calls" },
+        usage: {
+          inputTokens: { total: 5, noCache: 5, cacheRead: undefined, cacheWrite: undefined },
+          outputTokens: { total: 5, text: 0, reasoning: undefined },
+        },
+      },
+    ],
+  });
+}
+
+function makeRequest(body: unknown): Request {
+  return new Request("https://my-app.example/api/chat", {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify(body),
+  });
+}
+
+const SESSION_PAT = "tr_session_pat_for_handover";
+
+function createSessionResponse(externalId: string): Response {
+  return new Response(
+    JSON.stringify({
+      id: "session_test",
+      externalId,
+      type: "chat.agent",
+      taskIdentifier: "test-agent",
+      triggerConfig: {
+        basePayload: { chatId: externalId, trigger: "handover-prepare" },
+        idleTimeoutInSeconds: 60,
+      },
+      currentRunId: "run_test",
+      runId: "run_test",
+      publicAccessToken: SESSION_PAT,
+      tags: [],
+      metadata: null,
+      closedAt: null,
+      closedReason: null,
+      expiresAt: null,
+      createdAt: new Date(0).toISOString(),
+      updatedAt: new Date(0).toISOString(),
+      isCached: false,
+    }),
+    {
+      status: 200,
+      headers: { "content-type": "application/json" },
+    }
+  );
+}
+
+function appendOkResponse(): Response {
+  return new Response(JSON.stringify({ ok: true }), {
+    status: 200,
+    headers: { "content-type": "application/json" },
+  });
+}
+
+async function readSSEBodyToChunks(res: Response): Promise<UIMessageChunk[]> {
+  const text = await res.text();
+  return text
+    .split("\n\n")
+    .filter((b) => b.startsWith("data: "))
+    .map((b) => JSON.parse(b.slice(6)) as UIMessageChunk);
+}
+
+type CapturedRequest = { url: string; init?: RequestInit };
+
+async function withApiContext<T>(fn: () => Promise<T>): Promise<T> {
+  return apiClientManager.runWithConfig(
+    {
+      baseURL: "https://api.test.trigger.dev",
+      secretKey: "tr_test_secret",
+    },
+    fn
+  );
+}
+
+// ── Tests ──────────────────────────────────────────────────────────────
+
+describe("chat.headStart (route handler)", () => {
+  let originalFetch: typeof global.fetch;
+
+  beforeEach(() => {
+    originalFetch = global.fetch;
+  });
+
+  afterEach(() => {
+    global.fetch = originalFetch;
+    vi.restoreAllMocks();
+  });
+
+  it("creates the session with handover-prepare in basePayload and returns the session PAT in headers", async () => {
+    const requests: CapturedRequest[] = [];
+    global.fetch = vi.fn().mockImplementation(async (url: string | URL, init?: RequestInit) => {
+      const urlStr = typeof url === "string" ? url : url.toString();
+      requests.push({ url: urlStr, init });
+      if (urlStr.endsWith("/api/v1/sessions") || urlStr.endsWith("/api/v1/sessions/")) {
+        return createSessionResponse("chat-1");
+      }
+      if (urlStr.includes("/realtime/v1/sessions/") && urlStr.endsWith("/in/append")) {
+        return appendOkResponse();
+      }
+      throw new Error(`Unexpected URL: ${urlStr}`);
+    });
+
+    const handler = chat.headStart({
+      agentId: "test-agent",
+      run: async ({ chat: chatHelper }) => {
+        return streamText({
+          ...chatHelper.toStreamTextOptions(),
+          model: new MockLanguageModelV3({
+            doStream: async () => ({ stream: textStream("hi back") }),
+          }),
+        });
+      },
+    });
+
+    const res = await withApiContext(() =>
+      handler(
+        makeRequest({
+          chatId: "chat-1",
+          trigger: "submit-message",
+          headStartMessages: [{ id: "m1", role: "user", parts: [{ type: "text", text: "hi" }] }],
+        })
+      )
+    );
+
+    expect(res.status).toBe(200);
+    expect(res.headers.get("X-Trigger-Chat-Id")).toBe("chat-1");
+    expect(res.headers.get("X-Trigger-Chat-Access-Token")).toBe(SESSION_PAT);
+    expect(res.headers.get("Content-Type")).toMatch(/text\/event-stream/);
+
+    const sessionCreate = requests.find((r) =>
+      r.url.endsWith("/api/v1/sessions") || r.url.endsWith("/api/v1/sessions/")
+    );
+    expect(sessionCreate).toBeDefined();
+    const body = JSON.parse(sessionCreate!.init!.body as string);
+    expect(body.type).toBe("chat.agent");
+    expect(body.externalId).toBe("chat-1");
+    expect(body.taskIdentifier).toBe("test-agent");
+    // The trigger payload is rewritten to handover-prepare even though the
+    // browser sent submit-message — the agent boots into the handover wait branch.
+    expect(body.triggerConfig.basePayload.trigger).toBe("handover-prepare");
+    expect(body.triggerConfig.basePayload.chatId).toBe("chat-1");
+    expect(body.triggerConfig.basePayload.idleTimeoutInSeconds).toBe(60);
+  });
+
+  it("dispatches handover with isFinal=true on pure-text finishReason", async () => {
+    const requests: CapturedRequest[] = [];
+    global.fetch = vi.fn().mockImplementation(async (url: string | URL, init?: RequestInit) => {
+      const urlStr = typeof url === "string" ? url : url.toString();
+      requests.push({ url: urlStr, init });
+      if (urlStr.endsWith("/api/v1/sessions") || urlStr.endsWith("/api/v1/sessions/")) {
+        return createSessionResponse("chat-final");
+      }
+      if (urlStr.includes("/realtime/v1/sessions/") && urlStr.endsWith("/in/append")) {
+        return appendOkResponse();
+      }
+      // Stitched response subscribes to `.out` after handover.
+      if (/\/realtime\/v1\/sessions\/[^/]+\/out$/.test(urlStr)) {
+        return new Response(new ReadableStream({ start(c) { c.close(); } }), {
+          status: 200,
+          headers: { "content-type": "text/event-stream" },
+        });
+      }
+      throw new Error(`Unexpected URL: ${urlStr}`);
+    });
+
+    const handler = chat.headStart({
+      agentId: "test-agent",
+      run: async ({ chat: chatHelper }) => {
+        return streamText({
+          ...chatHelper.toStreamTextOptions(),
+          model: new MockLanguageModelV3({
+            doStream: async () => ({ stream: textStream("just a text reply") }),
+          }),
+        });
+      },
+    });
+
+    const res = await withApiContext(() =>
+      handler(
+        makeRequest({
+          chatId: "chat-final",
+          trigger: "submit-message",
+          // Slim wire: head-start ships full history via `headStartMessages`
+          // (not `messages` / `message`). The route handler reads that field
+          // off the request body before invoking the customer's run().
+          headStartMessages: [{ id: "m1", role: "user", parts: [{ type: "text", text: "hi" }] }],
+        })
+      )
+    );
+
+    // Drain the SSE body so handoverWhenDone observes finishReason.
+    const chunks = await readSSEBodyToChunks(res);
+    expect(chunks.some((c) => c.type === "text-delta")).toBe(true);
+
+    // Give the deferred handoverWhenDone a tick to dispatch.
+    await new Promise((r) => setTimeout(r, 30));
+
+    const handoverPost = requests.find(
+      (r) =>
+        r.url.includes("/realtime/v1/sessions/chat-final/in/append") &&
+        r.init?.body !== undefined
+    );
+    expect(handoverPost).toBeDefined();
+    const body = JSON.parse(handoverPost!.init!.body as string);
+    // Pure-text finishes go through `kind: "handover"` with `isFinal: true`
+    // so the agent runs hooks (persistence, etc.) without making an LLM call.
+    expect(body.kind).toBe("handover");
+    expect(body.isFinal).toBe(true);
+    // The partial carries the customer's response messages — a single
+    // assistant message with the streamed text.
+    expect(Array.isArray(body.partialAssistantMessage)).toBe(true);
+    const assistant = body.partialAssistantMessage.find(
+      (m: { role: string }) => m.role === "assistant"
+    );
+    expect(assistant).toBeDefined();
+  });
+
+  it("dispatches handover with response.messages on tool-call finishReason", async () => {
+    const requests: CapturedRequest[] = [];
+    global.fetch = vi.fn().mockImplementation(async (url: string | URL, init?: RequestInit) => {
+      const urlStr = typeof url === "string" ? url : url.toString();
+      requests.push({ url: urlStr, init });
+      if (urlStr.endsWith("/api/v1/sessions") || urlStr.endsWith("/api/v1/sessions/")) {
+        return createSessionResponse("chat-tool");
+      }
+      if (urlStr.includes("/realtime/v1/sessions/") && urlStr.endsWith("/in/append")) {
+        return appendOkResponse();
+      }
+      // Stitched response now subscribes to `.out` after handover to
+      // pick up agent-side chunks. Return an empty SSE body that
+      // closes immediately — this test validates dispatch only, not
+      // the agent-side resume.
+      if (/\/realtime\/v1\/sessions\/[^/]+\/out$/.test(urlStr)) {
+        return new Response(new ReadableStream({ start(c) { c.close(); } }), {
+          status: 200,
+          headers: { "content-type": "text/event-stream" },
+        });
+      }
+      throw new Error(`Unexpected URL: ${urlStr}`);
+    });
+
+    // Schema-only tool — no execute. The mock model emits a tool-call;
+    // AI SDK doesn't run it (no execute) and finishes with "tool-calls".
+    const { tool } = await import("ai");
+    const { z } = await import("zod");
+    const weatherTool = tool({
+      description: "weather",
+      inputSchema: z.object({ city: z.string() }),
+    });
+
+    const handler = chat.headStart({
+      agentId: "test-agent",
+      run: async ({ chat: chatHelper }) => {
+        return streamText({
+          ...chatHelper.toStreamTextOptions({ tools: { weather: weatherTool } }),
+          model: new MockLanguageModelV3({
+            doStream: async () => ({ stream: toolCallStream() }),
+          }),
+        });
+      },
+    });
+
+    const res = await withApiContext(() =>
+      handler(
+        makeRequest({
+          chatId: "chat-tool",
+          trigger: "submit-message",
+          headStartMessages: [
+            { id: "m1", role: "user", parts: [{ type: "text", text: "weather in tokyo?" }] },
+          ],
+        })
+      )
+    );
+
+    await readSSEBodyToChunks(res);
+    await new Promise((r) => setTimeout(r, 30));
+
+    const handoverPost = requests.find(
+      (r) =>
+        r.url.includes("/realtime/v1/sessions/chat-tool/in/append") &&
+        r.init?.body !== undefined
+    );
+    expect(handoverPost).toBeDefined();
+    const body = JSON.parse(handoverPost!.init!.body as string);
+    expect(body.kind).toBe("handover");
+    expect(body.isFinal).toBe(false); // pending tool-calls — agent runs streamText
+    expect(Array.isArray(body.partialAssistantMessage)).toBe(true);
+
+    // The partial is reshaped into AI SDK's tool-approval round so the
+    // agent's `streamText` can resume by executing the pending tool-call
+    // before step 2. Assistant gets a `tool-approval-request` part
+    // alongside the original `tool-call`; a trailing `tool` message
+    // carries the `tool-approval-response { approved: true }`.
+    const assistant = body.partialAssistantMessage.find(
+      (m: { role: string }) => m.role === "assistant"
+    );
+    expect(assistant).toBeDefined();
+    const toolCallPart = assistant.content.find(
+      (p: { type: string }) => p.type === "tool-call"
+    );
+    expect(toolCallPart).toBeDefined();
+    const approvalRequestPart = assistant.content.find(
+      (p: { type: string }) => p.type === "tool-approval-request"
+    );
+    expect(approvalRequestPart).toBeDefined();
+    expect(approvalRequestPart.toolCallId).toBe(toolCallPart.toolCallId);
+
+    const trailingTool = body.partialAssistantMessage[body.partialAssistantMessage.length - 1];
+    expect(trailingTool.role).toBe("tool");
+    const approvalResponsePart = trailingTool.content.find(
+      (p: { type: string }) => p.type === "tool-approval-response"
+    );
+    expect(approvalResponsePart).toBeDefined();
+    expect(approvalResponsePart.approvalId).toBe(approvalRequestPart.approvalId);
+    expect(approvalResponsePart.approved).toBe(true);
+  });
+
+  it("rejects requests missing chatId", async () => {
+    global.fetch = vi.fn().mockResolvedValue(new Response("nope", { status: 500 }));
+
+    const handler = chat.headStart({
+      agentId: "test-agent",
+      run: async ({ chat: chatHelper }) => {
+        return streamText({
+          ...chatHelper.toStreamTextOptions(),
+          model: new MockLanguageModelV3({
+            doStream: async () => ({ stream: textStream("x") }),
+          }),
+        });
+      },
+    });
+
+    await expect(
+      withApiContext(() =>
+        handler(
+          makeRequest({
+            // no chatId
+            trigger: "submit-message",
+            messages: [],
+          })
+        )
+      )
+    ).rejects.toThrow(/chatId/);
+  });
+});
+
+describe("chat.toNodeListener", () => {
+  /**
+   * Build a fake Node IncomingMessage that yields a JSON body.
+   * AsyncIterable so the listener can `for await` over it.
+   */
+  function fakeNodeRequest(opts: {
+    method?: string;
+    url?: string;
+    host?: string;
+    headers?: Record<string, string | string[]>;
+    body?: string;
+  }) {
+    const bodyBytes = opts.body ? new TextEncoder().encode(opts.body) : undefined;
+    const headers = {
+      host: opts.host ?? "example.com",
+      ...(opts.body ? { "content-type": "application/json" } : {}),
+      ...(opts.headers ?? {}),
+    };
+    const errorListeners: Array<(e: Error) => void> = [];
+    return {
+      method: opts.method ?? "POST",
+      url: opts.url ?? "/api/chat",
+      headers,
+      on(event: string, listener: (e: Error) => void) {
+        if (event === "error") errorListeners.push(listener);
+        return this;
+      },
+      async *[Symbol.asyncIterator]() {
+        if (bodyBytes) yield bodyBytes;
+      },
+    };
+  }
+
+  function fakeNodeResponse() {
+    const writes: Uint8Array[] = [];
+    let ended = false;
+    let endChunk: Uint8Array | string | undefined;
+    const closeListeners: Array<() => void> = [];
+    const headers: Record<string, string | number | readonly string[]> = {};
+    const obj = {
+      statusCode: 200,
+      headersSent: false,
+      setHeader(name: string, value: string | number | readonly string[]) {
+        headers[name.toLowerCase()] = value;
+      },
+      write(chunk: Uint8Array | string) {
+        if (typeof chunk === "string") {
+          writes.push(new TextEncoder().encode(chunk));
+        } else {
+          writes.push(chunk);
+        }
+        obj.headersSent = true;
+        return true;
+      },
+      end(chunk?: Uint8Array | string) {
+        ended = true;
+        endChunk = chunk;
+      },
+      on(event: string, listener: () => void) {
+        if (event === "close") closeListeners.push(listener);
+        return obj;
+      },
+      // test helpers
+      _written() {
+        const all = [...writes];
+        if (typeof endChunk === "string") all.push(new TextEncoder().encode(endChunk));
+        else if (endChunk) all.push(endChunk);
+        let total = 0;
+        for (const c of all) total += c.length;
+        const merged = new Uint8Array(total);
+        let offset = 0;
+        for (const c of all) {
+          merged.set(c, offset);
+          offset += c.length;
+        }
+        return new TextDecoder().decode(merged);
+      },
+      _ended: () => ended,
+      _headers: () => headers,
+      _close: () => {
+        for (const l of closeListeners) l();
+      },
+    };
+    return obj;
+  }
+
+  it("converts the Node request into a Web Request, calls the handler, and forwards the response", async () => {
+    const seen: { method?: string; url?: string; ct?: string | null; body?: string } = {};
+
+    const webHandler = async (req: Request): Promise<Response> => {
+      seen.method = req.method;
+      seen.url = req.url;
+      seen.ct = req.headers.get("content-type");
+      seen.body = await req.text();
+      return new Response("ok", {
+        status: 201,
+        headers: { "x-test": "1", "content-type": "text/plain" },
+      });
+    };
+
+    const listener = chat.toNodeListener(webHandler);
+    const req = fakeNodeRequest({ body: '{"hello":"world"}' });
+    const res = fakeNodeResponse();
+
+    await listener(req as any, res as any);
+
+    expect(seen.method).toBe("POST");
+    expect(seen.url).toBe("http://example.com/api/chat");
+    expect(seen.ct).toBe("application/json");
+    expect(seen.body).toBe('{"hello":"world"}');
+
+    expect(res.statusCode).toBe(201);
+    expect(res._headers()["x-test"]).toBe("1");
+    expect(res._written()).toBe("ok");
+    expect(res._ended()).toBe(true);
+  });
+
+  it("streams the Web Response body to the Node response chunk by chunk (no buffering)", async () => {
+    const chunkOrder: string[] = [];
+    const webHandler = async (): Promise<Response> => {
+      const encoder = new TextEncoder();
+      const stream = new ReadableStream<Uint8Array>({
+        async start(controller) {
+          for (const piece of ["one\n", "two\n", "three\n"]) {
+            chunkOrder.push("emit-" + piece.trim());
+            controller.enqueue(encoder.encode(piece));
+            await new Promise((r) => setTimeout(r, 5));
+          }
+          controller.close();
+        },
+      });
+      return new Response(stream, {
+        status: 200,
+        headers: { "content-type": "text/event-stream" },
+      });
+    };
+
+    const listener = chat.toNodeListener(webHandler);
+    const req = fakeNodeRequest({});
+    const res = fakeNodeResponse();
+    await listener(req as any, res as any);
+
+    expect(res._written()).toBe("one\ntwo\nthree\n");
+    expect(chunkOrder).toEqual(["emit-one", "emit-two", "emit-three"]);
+    expect(res._headers()["content-type"]).toBe("text/event-stream");
+  });
+
+  it("propagates client disconnect to the Web handler via AbortSignal", async () => {
+    let signal: AbortSignal | undefined;
+    let aborted = false;
+
+    const webHandler = async (req: Request): Promise<Response> => {
+      signal = req.signal;
+      signal.addEventListener("abort", () => {
+        aborted = true;
+      });
+      // Return a never-ending stream so the listener stays open until close.
+      return new Response(
+        new ReadableStream({
+          start() {
+            // never enqueues
+          },
+        })
+      );
+    };
+
+    const listener = chat.toNodeListener(webHandler);
+    const req = fakeNodeRequest({});
+    const res = fakeNodeResponse();
+
+    // Run listener in background (it'll hang on the never-ending stream).
+    const pending = listener(req as any, res as any);
+
+    // Wait a tick for the handler to attach the abort listener.
+    await new Promise((r) => setTimeout(r, 5));
+
+    res._close();
+    expect(aborted).toBe(true);
+
+    // Cleanup: the listener will throw (abort) and we don't care about the result.
+    await pending.catch(() => {});
+  });
+
+  it("returns 500 with error text if the handler throws before headers are sent", async () => {
+    const webHandler = async (): Promise<Response> => {
+      throw new Error("boom");
+    };
+
+    const listener = chat.toNodeListener(webHandler);
+    const req = fakeNodeRequest({});
+    const res = fakeNodeResponse();
+    await listener(req as any, res as any);
+
+    expect(res.statusCode).toBe(500);
+    expect(res._written()).toBe("boom");
+  });
+});
diff --git a/packages/trigger-sdk/src/v3/chat-server.ts b/packages/trigger-sdk/src/v3/chat-server.ts
new file mode 100644
index 00000000000..95e4fb529cd
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/chat-server.ts
@@ -0,0 +1,977 @@
+/**
+ * Server-side helpers for the `chat.agent` head-start flow — a
+ * customer's warm process (Next.js route handler, Express, etc.)
+ * gets the conversation moving while the heavy chat.agent run boots
+ * in parallel. Mid-turn, ownership of the durable stream hands over
+ * to the agent.
+ *
+ * The `chat.headStart({ agentId, run })` entry point returns a
+ * Next.js-style POST handler. Inside the customer's `run` callback
+ * they call `streamText` themselves, spreading
+ * `chat.toStreamTextOptions({ tools })` to inherit handover wiring.
+ * The handler runs `streamText` step 1 in the customer's process
+ * while the chat.agent run boots in parallel; on `tool-calls` the
+ * agent run picks up tool execution and continues, on pure-text the
+ * agent run exits clean without an LLM call.
+ *
+ * Two-layer naming: customer-facing surface is "head start"
+ * (describes the *benefit* — fast first-turn TTFC). The internal
+ * protocol still uses "handover" (describes the *mechanism* — the
+ * conversation hands off mid-turn from the warm process to the
+ * agent). Customers see `chat.headStart`, `HeadStartSession`, etc.
+ * The wire format and run-loop locals stay on `handover` /
+ * `handover-prepare` / `handover-skip`.
+ *
+ * Cooperative ordering only — handler stops writing to `session.out`
+ * before sending the `handover` chunk on `session.in`. No S2 fencing.
+ *
+ * ⚠️ HARD CONSTRAINT — bundle isolation
+ *
+ * This module is the customer-facing boundary for the route handler.
+ * The whole TTFC win comes from the customer's process being
+ * lightweight while the heavy agent run boots in parallel. **The
+ * route-handler bundle must not include heavy tool execute deps**:
+ * E2B, puppeteer/playwright, native bindings, the trigger SDK
+ * runtime, turndown, image processing libs, anything that pulls
+ * weight or pulls `node:` builtins.
+ *
+ * "Schema-only" tools must live in a module that imports only `ai`
+ * (for `tool()`) and `zod`. The agent task module imports those
+ * schemas and adds execute fns elsewhere — that's where the heavy
+ * deps live, and it's never reached by the route handler bundle.
+ *
+ * Runtime "strip executes" helpers (anything that takes a tool
+ * catalog with executes and removes them) DO NOT solve this. The
+ * import chain is resolved at bundle/build time, so importing the
+ * full catalog drags every dep in regardless of what the SDK does
+ * with the value at runtime.
+ *
+ * IMPORTANT (internal): this module must NOT import from `./ai.ts`.
+ * `ai.ts` statically imports `agentSkillsRuntime` (which uses `node:`
+ * builtins unfit for some serverless runtimes) and the heavy task
+ * runtime. Allowed imports: `./ai-shared.js`, `./chat-client.js`,
+ * `@trigger.dev/core/v3` (api client), `ai` (types + lightweight
+ * helpers like `stepCountIs` / `convertToModelMessages`).
+ */
+
+import {
+  ApiClient,
+  SessionStreamInstance,
+  TRIGGER_CONTROL_SUBTYPE,
+  apiClientManager,
+} from "@trigger.dev/core/v3";
+// Runtime VALUES via the ESM/CJS shim so the CJS build can `require` ESM-only
+// `ai@7` (see ../imports/ai-runtime.ts).
+import {
+  convertToModelMessages,
+  generateId as generateAssistantMessageId,
+  stepCountIs,
+} from "../imports/ai-runtime.js";
+import type { FinishReason, ModelMessage, Tool, UIMessage, UIMessageChunk } from "ai";
+import type { ChatInputChunk, ChatTaskWirePayload } from "./ai-shared.js";
+
+// `StreamTextResult` is defined locally rather than imported from `ai`: its
+// generic arity diverged (v6 `StreamTextResult<TOOLS, OUTPUT>`, v7
+// `StreamTextResult<TOOLS, RUNTIME_CONTEXT, OUTPUT>`), so a fixed-arity import
+// can't satisfy both majors. We only read these members off the customer's
+// result; a real `StreamTextResult` (any version) is assignable to this.
+type AnyStreamTextResult = {
+  readonly finishReason: PromiseLike<FinishReason>;
+  readonly response: PromiseLike<{ messages: ModelMessage[] }>;
+  toUIMessageStream: (...args: any[]) => any;
+  toUIMessageStreamResponse: (...args: any[]) => Response;
+};
+
+// ---------------------------------------------------------------------------
+// Public types
+// ---------------------------------------------------------------------------
+
+/**
+ * The options `toStreamTextOptions()` hands back to spread into `streamText`.
+ * Typed concretely (rather than `Record<string, unknown>`) so the `messages`
+ * AI SDK 7 requires is statically present, and so `streamText` infers its tools
+ * from the call (rather than collapsing to `never` off a loose spread).
+ *
+ * `tools` and `stopWhen` are deliberately omitted: they're wired in at runtime,
+ * but `streamText` reads them from the runtime value, and leaving them off the
+ * type keeps it version-agnostic and avoids constraining the tool inference.
+ */
+export type HeadStartStreamTextOptions = {
+  messages: ModelMessage[];
+  abortSignal: AbortSignal;
+};
+
+export type HeadStartRunArgs<TTools extends Record<string, Tool>> = {
+  /** User messages parsed from the incoming request. */
+  messages: UIMessage[];
+  /** Aborts when the request closes or the SDK times out the handover. */
+  signal: AbortSignal;
+  /** Helper exposing `toStreamTextOptions(...)` and a session escape hatch. */
+  chat: HeadStartChatHelper<TTools>;
+};
+
+export type HeadStartChatHelper<TTools extends Record<string, Tool>> = {
+  /**
+   * Spread into the customer's `streamText` call to inherit handover
+   * wiring. Returns options for:
+   *
+   * - `messages` — converted from the wire payload's UIMessages
+   * - `tools` — the customer's tool set (typically schema-only — see
+   *   the bundle-isolation note in this module's header)
+   * - `abortSignal` — combined request-lifecycle + idle timeout
+   * - `stopWhen` — `stepCountIs(1)`. Step 1 only. The agent run picks
+   *   up tool execution and step 2+ after the handover signal.
+   *
+   * Customer adds `model`, `system`, `providerOptions`, etc. on top.
+   * The customer keeps full control of the `streamText` call shape;
+   * this helper just hands back the options the SDK needs to own.
+   *
+   * The customer COULD override any of these by re-setting them after
+   * the spread, but doing so for `stopWhen` / `messages` /
+   * `abortSignal` will break the handover protocol. The intent is
+   * that customers spread first, then add only their own keys.
+   */
+  toStreamTextOptions(opts?: { tools?: TTools }): HeadStartStreamTextOptions;
+  /** Lower-level escape hatch with manual `out` / `in` / dispatch primitives. */
+  session: HeadStartSession;
+};
+
+export type HeadStartSession = {
+  readonly chatId: string;
+  /**
+   * Tees a UIMessage stream into `session.out` for durability/resume,
+   * fire-and-forget. Returns a passthrough that the caller can use as
+   * the HTTP response body.
+   */
+  tee(
+    stream: ReadableStream<UIMessageChunk>
+  ): ReadableStream<UIMessageChunk>;
+  /**
+   * Awaits `result.finishReason` and dispatches `handover` (with the
+   * partial assistant ModelMessages) or `handover-skip`.
+   */
+  handoverWhenDone(result: AnyStreamTextResult): Promise<void>;
+  /**
+   * Sugar over `tee` + `handoverWhenDone` + standard SSE response.
+   * Returns a `Response` with `Content-Type: text/event-stream` whose
+   * body is the teed stream.
+   */
+  handoverResponse(result: AnyStreamTextResult): Response;
+  /**
+   * Manually dispatch the `handover` signal on `session.in`.
+   *
+   * - `isFinal: true` — the partial assistant message IS the response.
+   *   The agent runs `onChatStart` / `onTurnStart` / `onTurnComplete`
+   *   against it but skips the LLM call. Use for pure-text replies.
+   * - `isFinal: false` — the partial assistant message ends with
+   *   pending tool calls. The agent executes them and then runs a
+   *   step-2 LLM call to produce the final response.
+   *
+   * `messageId` lets the caller carry a stable assistant message id
+   * across the handover boundary so the browser merges step 1 and
+   * step 2 into the same `UIMessage`.
+   */
+  handover(args: {
+    partialAssistantMessage: ModelMessage[];
+    isFinal: boolean;
+    messageId?: string;
+  }): Promise<void>;
+  /** Manually dispatch the `handover-skip` signal on `session.in`. */
+  handoverSkip(): Promise<void>;
+};
+
+export type HeadStartHandlerOptions<TTools extends Record<string, Tool>> = {
+  /** The `chat.agent({ id })` of the agent we're handing off to. */
+  agentId: string;
+  /**
+   * Customer's first-turn implementation. Receives `messages`,
+   * `signal`, and a `chat` helper. Should call `streamText` with
+   * `...chat.toStreamTextOptions({ tools })` and return the
+   * `StreamTextResult`.
+   */
+  run: (args: HeadStartRunArgs<TTools>) => Promise<AnyStreamTextResult>;
+  /**
+   * Seconds the agent run waits for the handover signal before
+   * exiting. Defaults to 60.
+   */
+  idleTimeoutInSeconds?: number;
+};
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+export const chat = {
+  /**
+   * Returns a Next.js-style POST handler for the chat.agent
+   * head-start flow. Customer mounts it as
+   * `export const { POST } = chat.headStart({...})` (or
+   * `export const POST = chat.headStart({...})`).
+   *
+   * Pair with the browser transport's `headStart: "/api/chat"`
+   * option so the first message of a brand-new chat lands here
+   * before the agent run boots.
+   */
+  headStart<TTools extends Record<string, Tool>>(
+    opts: HeadStartHandlerOptions<TTools>
+  ): (req: Request) => Promise<Response> {
+    return async (req: Request) => {
+      const session = await openHandoverSession({
+        req,
+        agentId: opts.agentId,
+        idleTimeoutInSeconds: opts.idleTimeoutInSeconds,
+      });
+
+      const helper: HeadStartChatHelper<TTools> = {
+        toStreamTextOptions(spreadOpts) {
+          return session.buildStreamTextOptions(spreadOpts) as any;
+        },
+        session: session.handle,
+      };
+
+      const result = await opts.run({
+        messages: session.uiMessages,
+        signal: session.combinedSignal,
+        chat: helper,
+      });
+
+      return session.handle.handoverResponse(result);
+    };
+  },
+
+  /**
+   * Lower-level primitive for power users who want to call
+   * `streamText` themselves outside the `run` callback shape — custom
+   * transforms, non-AI-SDK code paths, or manual control over the
+   * response. Same wiring `chat.headStart` builds on internally.
+   */
+  openSession(opts: {
+    req: Request;
+    agentId: string;
+    idleTimeoutInSeconds?: number;
+  }): Promise<HeadStartSession> {
+    return openHandoverSession(opts).then((s) => s.handle);
+  },
+
+  /**
+   * Wrap a Web Fetch handler — `(req: Request) => Promise<Response>` —
+   * as a Node `http` listener — `(req: IncomingMessage, res: ServerResponse) => Promise<void>`.
+   *
+   * Use this to mount `chat.headStart` (or any other Web Fetch
+   * handler) inside Node-only frameworks like Express, Fastify, Koa,
+   * or raw `node:http`. Web-native frameworks (Next.js App Router,
+   * Hono, SvelteKit, Remix, Workers, Bun, Deno, etc.) don't need
+   * this — they pass `Request` objects directly.
+   *
+   * Streams the response body chunk-by-chunk to the Node response,
+   * so the `chat.headStart` SSE chunks reach the browser as they
+   * arrive (no buffering). Aborts the underlying handler if the
+   * client closes the connection.
+   *
+   * Type-only import of `node:http` types — no runtime dep on `node:http`,
+   * so this stays safe to bundle into edge / Workers builds (the
+   * function just won't be called there).
+   *
+   * @example
+   * ```ts
+   * import express from "express";
+   * import { chat } from "@trigger.dev/sdk/chat-server";
+   *
+   * const handler = chat.headStart({
+   *   agentId: "my-chat",
+   *   run: async ({ chat: helper }) => streamText({ ... }),
+   * });
+   *
+   * const app = express();
+   * app.post("/api/chat", chat.toNodeListener(handler));
+   * ```
+   */
+  toNodeListener,
+};
+
+// ---------------------------------------------------------------------------
+// Internals
+// ---------------------------------------------------------------------------
+
+type InternalSession = {
+  uiMessages: UIMessage[];
+  combinedSignal: AbortSignal;
+  handle: HeadStartSession;
+  buildStreamTextOptions(spreadOpts?: { tools?: Record<string, Tool> }): Record<string, unknown>;
+};
+
+async function openHandoverSession(opts: {
+  req: Request;
+  agentId: string;
+  idleTimeoutInSeconds?: number;
+}): Promise<InternalSession> {
+  const wirePayload = (await opts.req.json()) as ChatTaskWirePayload;
+  const chatId = wirePayload.chatId;
+  if (!chatId) {
+    throw new Error("[chat.handover] request body missing `chatId`");
+  }
+  // Slim wire — head-start ships full history via `headStartMessages` (not
+  // `message`/`messages`) because the route handler runs on the customer's
+  // own HTTP endpoint and isn't subject to the 512 KiB `/in/append` cap.
+  // The full UIMessage[] flows through `wirePayload` into the auto-trigger
+  // `basePayload` below, where the agent run boot consumes it on first turn.
+  const uiMessages = (wirePayload.headStartMessages ?? []) as UIMessage[];
+  // `convertToModelMessages` is async — resolve once up front so the
+  // synchronous `toStreamTextOptions` builder can hand back a fully
+  // formed object. AI SDK's `streamText` validates `messages` as a
+  // `ModelMessage[]` synchronously and rejects a Promise.
+  const modelMessages = await convertToModelMessages(uiMessages);
+
+  const apiClient = resolveApiClient();
+  const idleTimeoutInSeconds = opts.idleTimeoutInSeconds ?? 60;
+
+  // Create the session and trigger the chat.agent's `handover-prepare`
+  // run atomically. `createSession` is idempotent on `(env, externalId
+  // = chatId)` and the auto-triggered run uses `triggerConfig.
+  // basePayload` as the wire payload — so a single round-trip both
+  // ensures the session exists and starts the agent booting with the
+  // right trigger.
+  //
+  // Awaited intentionally: subsequent writes to `session.out` (the
+  // tee from the customer's `streamText` to S2) need the session to
+  // exist, and the handover signal at end-of-step-1 needs the agent
+  // run to be there to consume it. The added latency (~one round trip
+  // to the control plane) is bounded; the agent's compute boot still
+  // overlaps with LLM TTFB.
+  const created = await apiClient.createSession({
+    type: "chat.agent",
+    externalId: chatId,
+    taskIdentifier: opts.agentId,
+    triggerConfig: {
+      basePayload: {
+        ...wirePayload,
+        chatId,
+        trigger: "handover-prepare",
+        idleTimeoutInSeconds,
+      },
+      idleTimeoutInSeconds,
+    },
+  });
+  const sessionPublicAccessToken = created.publicAccessToken;
+
+  // Combined abort signal: request lifecycle OR an internal timeout
+  // mirroring the agent's idle wait so a hung handler doesn't sit
+  // forever.
+  const abortController = new AbortController();
+  const requestAbort = (opts.req as Request & { signal?: AbortSignal }).signal;
+  if (requestAbort) {
+    if (requestAbort.aborted) abortController.abort();
+    else requestAbort.addEventListener("abort", () => abortController.abort(), { once: true });
+  }
+  const idleTimer = setTimeout(
+    () => abortController.abort(new Error("chat.handover: idle timeout")),
+    idleTimeoutInSeconds * 1000
+  );
+
+  const buildStreamTextOptions = (
+    spreadOpts?: { tools?: Record<string, Tool> }
+  ): Record<string, unknown> => {
+    // The customer spreads this object into their `streamText` call
+    // and then adds `model`, `system`, etc. on top. We set the four
+    // keys handover correctness depends on:
+    //
+    //   - `messages`: the wire payload's UIMessages, converted
+    //     (Promise resolved upfront so the spread is synchronous)
+    //   - `tools`: customer's schema-only tool set
+    //   - `stopWhen`: `stepCountIs(1)` — step 1 only. Agent run picks
+    //     up tool execution and step 2+ after the handover signal.
+    //   - `abortSignal`: combined request-lifecycle + idle timeout
+    //
+    // The customer's `StreamTextResult` exposes `finishReason` and
+    // `response.messages` directly, so we don't need to install an
+    // `onStepFinish` capture hook — we read those off the result in
+    // `handoverWhenDone`.
+    return {
+      messages: modelMessages,
+      tools: spreadOpts?.tools,
+      stopWhen: stepCountIs(1),
+      abortSignal: abortController.signal,
+    };
+  };
+
+  // Tee a UIMessage stream into session.out via S2 direct-write,
+  // batched. `SessionStreamInstance` calls `initializeSessionStream`
+  // once to fetch S2 credentials, then pipes via `StreamsWriterV2`'s
+  // `BatchTransform` — one S2 append per ~200ms of chunks instead of
+  // one HTTP round-trip per UIMessageChunk.
+  let sessionWriter: SessionStreamInstance<UIMessageChunk> | null = null;
+  const tee = (stream: ReadableStream<UIMessageChunk>): ReadableStream<UIMessageChunk> => {
+    const [a, b] = stream.tee();
+    sessionWriter = new SessionStreamInstance<UIMessageChunk>({
+      apiClient,
+      baseUrl: apiClient.baseUrl,
+      sessionId: chatId, // Sessions are addressable by externalId (chatId).
+      io: "out",
+      source: b,
+      signal: abortController.signal,
+    });
+    return a;
+  };
+  /** Wait for the teed S2 writer to drain. Called before signaling handover. */
+  const flushSessionWriter = async (): Promise<void> => {
+    if (!sessionWriter) return;
+    try {
+      await sessionWriter.wait();
+    } catch {
+      // Drop write errors — the customer's response stream is the
+      // source of truth for what the user sees. Durability/resume
+      // best-effort.
+    }
+  };
+
+  const handover = async (args: {
+    partialAssistantMessage: ModelMessage[];
+    messageId?: string;
+    isFinal: boolean;
+  }) => {
+    const chunk: ChatInputChunk = {
+      kind: "handover",
+      partialAssistantMessage: args.partialAssistantMessage,
+      messageId: args.messageId,
+      isFinal: args.isFinal,
+    };
+    await apiClient.appendToSessionStream(chatId, "in", JSON.stringify(chunk));
+  };
+
+  /**
+   * Sent only on dispatch error (handler aborted before producing a
+   * `finishReason`). Normal pure-text and tool-call finishes go
+   * through `handover()` with the appropriate `isFinal` flag.
+   */
+  const handoverSkip = async () => {
+    const chunk: ChatInputChunk = { kind: "handover-skip" };
+    await apiClient.appendToSessionStream(chatId, "in", JSON.stringify(chunk));
+  };
+
+  // A stable assistant messageId for this turn. The customer's
+  // `toUIMessageStream` is configured to emit its `start` chunk with
+  // this id, the handover signal carries it to the agent, and the
+  // agent's post-handover `toUIMessageStream` reuses it — so all
+  // chunks (customer's step 1 + agent's step 2) merge into one
+  // assistant message on the browser side.
+  const turnMessageId = generateAssistantMessageId();
+
+  // Set by `handoverWhenDone` after it observes `result.finishReason`
+  // and dispatches the handover decision. The stitched response stream
+  // awaits this to know whether to close (skip) or pull more chunks
+  // from session.out (handover).
+  type HandoverDecision = { kind: "handover" | "handover-skip" };
+  let resolveDecision!: (decision: HandoverDecision) => void;
+  const decisionPromise = new Promise<HandoverDecision>((resolve) => {
+    resolveDecision = resolve;
+  });
+
+  const handoverWhenDone = async (result: AnyStreamTextResult) => {
+    // Owns idle-timer cleanup via the finally below, so both the
+    // sugar (`handoverResponse`) and the escape-hatch
+    // (`chat.openSession()` → `handle.handoverWhenDone(...)`) clean up
+    // the timer the same way.
+    try {
+      // `result.finishReason` is a Promise<FinishReason> on the AI SDK
+      // result. Wait for the stream to settle, then dispatch.
+      const finishReason = await result.finishReason;
+
+      // Drain the S2 tee so any in-flight handler writes (last
+      // `tool-input-available` parts, the synthetic `finish-step` for
+      // pure-text) are visible before the agent reads from session.out
+      // / session.in. Cooperative ordering — agent doesn't read past
+      // these unless we've finished writing them.
+      await flushSessionWriter();
+
+      const responseMessages = (await result.response).messages as ModelMessage[];
+
+      if (finishReason === "tool-calls") {
+        // Reshape pending tool-calls into AI SDK's tool-approval round
+        // so the agent's `streamText` resumes by executing them
+        // before the step-2 LLM call.
+        const reshaped = reshapeForHandoverResume(responseMessages);
+        await handover({
+          partialAssistantMessage: reshaped,
+          messageId: turnMessageId,
+          isFinal: false,
+        });
+      } else {
+        // Pure-text (or any non-tool-calls) finish — customer's step 1
+        // IS the final response. The agent runs the turn-loop hooks
+        // (`onChatStart`, `onTurnStart`, `onTurnComplete`, etc.) using
+        // this partial as the response, but skips the LLM call. That
+        // way persistence (`onTurnComplete` writing to DB), self-
+        // review, and any post-turn work all fire normally.
+        await handover({
+          partialAssistantMessage: responseMessages,
+          messageId: turnMessageId,
+          isFinal: true,
+        });
+      }
+      resolveDecision({ kind: "handover" });
+    } catch (err) {
+      // Dispatch failed before we could send the handover signal.
+      // Tell the agent to exit clean (no hooks fire) and close the
+      // response stream so it doesn't hang waiting for agent chunks.
+      resolveDecision({ kind: "handover-skip" });
+      try {
+        await handoverSkip();
+      } catch {
+        // best-effort
+      }
+      throw err;
+    } finally {
+      clearTimeout(idleTimer);
+    }
+  };
+
+  /**
+   * Build a single ReadableStream that:
+   *   1. Forwards the customer's `streamText` chunks (step 1) directly
+   *      to the response — same low-latency path as before.
+   *   2. After step 1 ends and the dispatch decision lands:
+   *      - `handover-skip`: closes the response immediately. The agent
+   *        run exits without writing more chunks.
+   *      - `handover`: subscribes to `session.out` from the sequence
+   *        ID where the customer's tee left off, forwarding the agent
+   *        run's chunks (tool-output-available, step 2 LLM text,
+   *        `finish-step`, etc.) until `trigger:turn-complete`.
+   *
+   * The browser sees one continuous SSE response per first turn, just
+   * like a normal `streamText` would produce.
+   */
+  const stitchHandoverStream = (
+    customerBranch: ReadableStream<UIMessageChunk>
+  ): ReadableStream<UIMessageChunk> => {
+    return new ReadableStream<UIMessageChunk>({
+      async start(controller) {
+        try {
+          // Phase 1: forward customer's chunks.
+          const reader = customerBranch.getReader();
+          try {
+            while (true) {
+              const { done, value } = await reader.read();
+              if (done) break;
+              controller.enqueue(value);
+            }
+          } finally {
+            reader.releaseLock();
+          }
+
+          // Phase 2a: wait for handoverWhenDone to decide.
+          const decision = await decisionPromise;
+          if (decision.kind === "handover-skip") {
+            controller.close();
+            return;
+          }
+
+          // Phase 2b: agent is taking over. Resume from session.out
+          // starting AFTER the customer tee's last write, so we don't
+          // re-emit chunks the browser already saw.
+          const writeResult = sessionWriter
+            ? await sessionWriter.wait().catch(() => undefined)
+            : undefined;
+          const customerLastEventId = writeResult?.lastEventId;
+
+          // Capture the latest S2 event id seen on session.out via
+          // `onPart`. After the stream closes we emit it to the
+          // browser as a `trigger:session-state` control chunk so the
+          // transport can hydrate `state.lastEventId` for turn 2's
+          // subscribe — without it, turn 2 reads session.out from the
+          // start and replays turn 1 to the user.
+          //
+          // The agent's `turn-complete` control record is now header-
+          // form on S2 (see `client-protocol.mdx`), so the
+          // `for await (const chunk of agentStream)` loop below NEVER
+          // sees it as a data chunk — `subscribeToSessionStream` routes
+          // it to `onControl`. Use that to know when to stop and
+          // synthesise the data-chunk shape the browser bridge still
+          // expects (this HTTP response stream is NOT S2 and keeps the
+          // legacy chunk shape for the customer-server-to-browser hop).
+          let latestEventId: string | undefined;
+          let turnComplete = false;
+          // Dedicated abort signal for this agent subscription. Aborted
+          // from `onControl` the moment turn-complete fires so the
+          // `for await` loop below exits immediately instead of blocking
+          // until S2's long-poll closes (~60s). Combined with the outer
+          // `abortController.signal` via `AbortSignal.any` so a request-
+          // wide abort still tears the subscription down.
+          const subscriptionAbort = new AbortController();
+          const agentStream = await apiClient.subscribeToSessionStream<UIMessageChunk>(
+            chatId,
+            "out",
+            {
+              ...(customerLastEventId != null
+                ? { lastEventId: customerLastEventId }
+                : {}),
+              signal: AbortSignal.any([abortController.signal, subscriptionAbort.signal]),
+              onPart: (part) => {
+                if (part.id) latestEventId = part.id;
+              },
+              onControl: (event) => {
+                if (event.subtype === TRIGGER_CONTROL_SUBTYPE.TURN_COMPLETE) {
+                  turnComplete = true;
+                  // Synthesise the data-chunk shape for the browser
+                  // bridge. The customer-server-to-browser response is
+                  // not S2; it keeps the legacy chunk shape so the
+                  // browser's transport can recognise turn-complete the
+                  // same way it always has.
+                  controller.enqueue({
+                    type: "trigger:turn-complete",
+                  } as unknown as UIMessageChunk);
+                  // Stop the SSE read now. Without this the `for await`
+                  // can't see the control event (control records are
+                  // never enqueued into the data stream) and would idle
+                  // until S2's long-poll timeout closes the connection.
+                  subscriptionAbort.abort();
+                }
+              },
+            }
+          );
+
+          try {
+            for await (const chunk of agentStream) {
+              // Data records only — control records are routed via
+              // `onControl` above and trigger the subscription abort.
+              controller.enqueue(chunk);
+              if (turnComplete) break;
+            }
+          } catch (err) {
+            // AbortError from `subscriptionAbort` is the expected exit
+            // path once turn-complete fires; surface anything else.
+            const isAbort = err instanceof Error && err.name === "AbortError";
+            if (!isAbort || !turnComplete) throw err;
+          }
+
+          // Final control chunk: hand the browser transport the
+          // `lastEventId` it should use for the next turn's
+          // session.out subscribe. Filtered out before reaching the
+          // AI SDK on the browser side.
+          if (latestEventId != null) {
+            controller.enqueue({
+              type: "trigger:session-state",
+              lastEventId: latestEventId,
+            } as unknown as UIMessageChunk);
+          }
+          controller.close();
+        } catch (err) {
+          controller.error(err);
+        }
+      },
+      cancel() {
+        // Browser closed the connection. Trigger the abort so any
+        // pending session.out subscription stops too.
+        abortController.abort();
+      },
+    });
+  };
+
+  const handoverResponse = (result: AnyStreamTextResult): Response => {
+    // `generateMessageId` makes the customer's `start` chunk carry
+    // `turnMessageId`, so the browser-side AI SDK keys the assistant
+    // message by it. The agent's post-handover stream emits chunks
+    // with the same id (passed via the handover signal) — both sides
+    // merge into one message on the browser.
+    const teed = tee(
+      result.toUIMessageStream({
+        generateMessageId: () => turnMessageId,
+      })
+    );
+    // `handoverWhenDone` re-throws on dispatch failure for visibility,
+    // but the recovery (resolveDecision + handoverSkip) has already run
+    // by then and `stitchHandoverStream` closes the response cleanly via
+    // `decisionPromise`. The user-facing path is fine; we only suppress
+    // the unhandled-rejection so processes started with
+    // `--unhandled-rejections=throw` don't crash on what is effectively
+    // a logged failure with no further action to take.
+    // (Idle-timer cleanup lives inside `handoverWhenDone` itself.)
+    void handoverWhenDone(result).catch(() => {});
+
+    const stitched = stitchHandoverStream(teed);
+
+    // Encode UIMessageChunks as SSE for the AI SDK transport on the
+    // browser. AI SDK's `toUIMessageStreamResponse()` does this same
+    // thing internally; replicate the format here so we don't have
+    // to bridge through the SDK's response helper.
+    const encoder = new TextEncoder();
+    const sseStream = stitched.pipeThrough(
+      new TransformStream<UIMessageChunk, Uint8Array>({
+        transform(chunk, controller) {
+          controller.enqueue(encoder.encode(`data: ${JSON.stringify(chunk)}\n\n`));
+        },
+      })
+    );
+
+    return new Response(sseStream, {
+      headers: {
+        "Content-Type": "text/event-stream",
+        "X-Vercel-AI-UI-Message-Stream": "v1",
+        "Cache-Control": "no-cache, no-transform",
+        Connection: "keep-alive",
+        // Browser transport reads these to hydrate session state
+        // for subsequent (non-handover) turns. Once the browser has
+        // the PAT it talks directly to `session.in` / `session.out`
+        // without going back through the handler.
+        "X-Trigger-Chat-Id": chatId,
+        "X-Trigger-Chat-Access-Token": sessionPublicAccessToken,
+      },
+    });
+  };
+
+  const handle: HeadStartSession = {
+    chatId,
+    tee,
+    handoverWhenDone,
+    handoverResponse,
+    handover,
+    handoverSkip,
+  };
+
+  return {
+    uiMessages,
+    combinedSignal: abortController.signal,
+    handle,
+    buildStreamTextOptions,
+  };
+}
+
+function resolveApiClient(): ApiClient {
+  // Reuse the SDK's standard apiClientManager so customers configure
+  // base URL + secret key the same way as for `tasks.trigger(...)`.
+  const client = apiClientManager.clientOrThrow();
+  return client;
+}
+
+// ---------------------------------------------------------------------------
+// Node `http` adapter
+// ---------------------------------------------------------------------------
+
+// Minimal Node http types we use. Avoids a `node:http` type import so the
+// file stays lint-clean on non-Node TS projects (the docs example handlers
+// might typecheck under workers / deno configs that lack `node:` types).
+interface NodeIncomingHeaders {
+  [k: string]: string | string[] | undefined;
+}
+interface NodeIncomingMessage extends AsyncIterable<unknown> {
+  readonly url?: string;
+  readonly method?: string;
+  readonly headers: NodeIncomingHeaders;
+  on(event: "error", listener: (err: Error) => void): unknown;
+}
+interface NodeServerResponse {
+  statusCode: number;
+  headersSent: boolean;
+  setHeader(name: string, value: string | number | readonly string[]): unknown;
+  write(chunk: Uint8Array | string): boolean;
+  end(chunk?: Uint8Array | string): unknown;
+  on(event: "close" | "error", listener: () => void): unknown;
+}
+
+/** @internal — exposed via `chat.toNodeListener`. */
+function toNodeListener(
+  webHandler: (req: Request) => Promise<Response>
+): (req: NodeIncomingMessage, res: NodeServerResponse) => Promise<void> {
+  return async function nodeListener(req, res) {
+    const abort = new AbortController();
+    res.on("close", () => abort.abort());
+
+    try {
+      const url = `http://${req.headers.host ?? "localhost"}${req.url ?? "/"}`;
+      const method = req.method ?? "GET";
+      const hasBody = method !== "GET" && method !== "HEAD";
+
+      // Read full body upfront. Chat wire payloads are small (sub-KB
+      // typically) so accumulating avoids the duplex-stream ceremony
+      // some Node versions need for streaming request bodies into
+      // a Web Request.
+      let body: ArrayBuffer | undefined;
+      if (hasBody) {
+        const chunks: Uint8Array[] = [];
+        for await (const chunk of req as AsyncIterable<Uint8Array>) {
+          chunks.push(chunk);
+        }
+        if (chunks.length > 0) {
+          let total = 0;
+          for (const c of chunks) total += c.length;
+          const merged = new Uint8Array(total);
+          let offset = 0;
+          for (const c of chunks) {
+            merged.set(c, offset);
+            offset += c.length;
+          }
+          body = merged.buffer.slice(merged.byteOffset, merged.byteOffset + merged.byteLength);
+        }
+      }
+
+      // Flatten Node header values: arrays → comma-joined (per RFC 7230 §3.2.2).
+      const webHeaders = new Headers();
+      for (const [name, value] of Object.entries(req.headers)) {
+        if (value == null) continue;
+        if (Array.isArray(value)) {
+          for (const v of value) webHeaders.append(name, v);
+        } else {
+          webHeaders.set(name, value);
+        }
+      }
+
+      const webReq = new Request(url, {
+        method,
+        headers: webHeaders,
+        body,
+        signal: abort.signal,
+      });
+
+      const webRes = await webHandler(webReq);
+
+      res.statusCode = webRes.status;
+      // `Headers.forEach` exposes the value comma-joined for multi-valued
+      // headers, which `setHeader` accepts. Set-Cookie is handled separately
+      // via `getSetCookie()` to preserve multiple values.
+      webRes.headers.forEach((value, key) => {
+        if (key.toLowerCase() === "set-cookie") return;
+        res.setHeader(key, value);
+      });
+      const setCookies =
+        typeof (webRes.headers as Headers & { getSetCookie?: () => string[] }).getSetCookie === "function"
+          ? (webRes.headers as Headers & { getSetCookie: () => string[] }).getSetCookie()
+          : [];
+      if (setCookies.length > 0) {
+        res.setHeader("set-cookie", setCookies);
+      }
+
+      if (!webRes.body) {
+        res.end();
+        return;
+      }
+
+      // Pipe the Web Response body to the Node response. On client
+      // disconnect (`abort.signal`), cancel the reader so a pending
+      // `read()` rejects and we exit the loop instead of blocking on
+      // a stream that will never produce more chunks.
+      const reader = webRes.body.getReader();
+      const onAbort = () => {
+        reader.cancel(abort.signal.reason).catch(() => {});
+      };
+      if (abort.signal.aborted) onAbort();
+      else abort.signal.addEventListener("abort", onAbort, { once: true });
+
+      try {
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) break;
+          res.write(value);
+        }
+      } catch {
+        // Reader was cancelled (client disconnect). Silently end.
+      } finally {
+        abort.signal.removeEventListener("abort", onAbort);
+      }
+      res.end();
+    } catch (err) {
+      if (!res.headersSent) {
+        res.statusCode = 500;
+        res.setHeader("content-type", "text/plain; charset=utf-8");
+        res.end(err instanceof Error ? err.message : "Internal error");
+      } else {
+        res.end();
+      }
+    }
+  };
+}
+
+/**
+ * Reshape a step-1 partial so the agent's `streamText` resumes by
+ * executing pending tool-calls before the next LLM call.
+ *
+ * When the customer's handler runs `streamText` with schema-only tools
+ * (no `execute` fns) and `stopWhen: stepCountIs(1)`, the LLM emits
+ * tool-calls but AI SDK can't execute them — the partial we ship is
+ * `[{ assistant: text + tool-call }]`. Splicing that as-is onto the
+ * agent's accumulator and calling `streamText` throws
+ * `MissingToolResultsError` synchronously inside
+ * `convertToLanguageModelPrompt`.
+ *
+ * AI SDK's documented escape hatch for "external party decides what
+ * to do with a tool-call, then SDK executes" is the tool-approval
+ * round. By appending a `tool-approval-request` part to the assistant
+ * message and a trailing `tool` message with a matching
+ * `tool-approval-response { approved: true }`, AI SDK:
+ *   1. Suppresses `MissingToolResultsError` for approved tool-calls
+ *      (`convert-to-language-model-prompt.ts:135-144`).
+ *   2. Hits its initial-tool-execution branch
+ *      (`stream-text.ts:1342-1486`) on the next `streamText` call,
+ *      runs the agent-side `execute` fns, and synthesizes
+ *      `tool-result` parts before the step-2 LLM call.
+ *
+ * If the customer's tools already had `execute` fns (rare for the
+ * handover use case but valid), the partial already contains a
+ * `tool-result` per tool-call — we leave those alone and only inject
+ * approvals for genuinely-pending calls.
+ *
+ * `collectToolApprovals` only scans the LAST message
+ * (`collect-tool-approvals.ts:30-37`), so the synthesized tool message
+ * must end up at the tail of the partial. The agent's run-loop
+ * splices the partial onto the end of the accumulator, which keeps
+ * this invariant.
+ */
+function reshapeForHandoverResume(responseMessages: ModelMessage[]): ModelMessage[] {
+  // First pass: gather the set of tool-call IDs that already have a
+  // matching tool-result. Those are "complete" — leave them alone.
+  const completedToolCallIds = new Set<string>();
+  for (const message of responseMessages) {
+    if (message.role !== "tool" || typeof message.content === "string") continue;
+    for (const part of message.content as Array<{ type: string; toolCallId?: string }>) {
+      if (part.type === "tool-result" && part.toolCallId) {
+        completedToolCallIds.add(part.toolCallId);
+      }
+    }
+  }
+
+  // Second pass: clone the messages, appending a tool-approval-request
+  // alongside each pending tool-call. Collect the matching responses.
+  const approvalResponses: Array<{
+    type: "tool-approval-response";
+    approvalId: string;
+    approved: true;
+  }> = [];
+  let approvalCounter = 0;
+
+  const reshaped: ModelMessage[] = responseMessages.map((message) => {
+    if (message.role !== "assistant" || typeof message.content === "string") {
+      return message;
+    }
+    const newContent: typeof message.content = [...message.content];
+    for (const part of message.content as Array<{
+      type: string;
+      toolCallId?: string;
+    }>) {
+      if (
+        part.type === "tool-call" &&
+        part.toolCallId &&
+        !completedToolCallIds.has(part.toolCallId)
+      ) {
+        const approvalId = `handover-approval-${++approvalCounter}`;
+        newContent.push({
+          type: "tool-approval-request",
+          approvalId,
+          toolCallId: part.toolCallId,
+        } as never);
+        approvalResponses.push({
+          type: "tool-approval-response",
+          approvalId,
+          approved: true,
+        });
+      }
+    }
+    return { ...message, content: newContent } as ModelMessage;
+  });
+
+  if (approvalResponses.length > 0) {
+    reshaped.push({
+      role: "tool",
+      content: approvalResponses as never,
+    } as ModelMessage);
+  }
+
+  return reshaped;
+}
diff --git a/packages/trigger-sdk/src/v3/chat-tab-coordinator.test.ts b/packages/trigger-sdk/src/v3/chat-tab-coordinator.test.ts
new file mode 100644
index 00000000000..2731d769897
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/chat-tab-coordinator.test.ts
@@ -0,0 +1,176 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { ChatTabCoordinator } from "./chat-tab-coordinator.js";
+
+// Mock BroadcastChannel for testing
+class MockBroadcastChannel {
+  static instances: MockBroadcastChannel[] = [];
+  onmessage: ((event: MessageEvent) => void) | null = null;
+  closed = false;
+
+  constructor(public name: string) {
+    MockBroadcastChannel.instances.push(this);
+  }
+
+  postMessage(data: unknown): void {
+    if (this.closed) return;
+    // Deliver to all OTHER instances on the same channel
+    for (const instance of MockBroadcastChannel.instances) {
+      if (instance !== this && instance.name === this.name && !instance.closed) {
+        instance.onmessage?.({ data } as MessageEvent);
+      }
+    }
+  }
+
+  close(): void {
+    this.closed = true;
+    MockBroadcastChannel.instances = MockBroadcastChannel.instances.filter((i) => i !== this);
+  }
+}
+
+describe("ChatTabCoordinator", () => {
+  beforeEach(() => {
+    MockBroadcastChannel.instances = [];
+    vi.stubGlobal("BroadcastChannel", MockBroadcastChannel);
+    vi.useFakeTimers();
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+    vi.useRealTimers();
+  });
+
+  it("tab A claims, tab B sees isReadOnly", () => {
+    const a = new ChatTabCoordinator();
+    const b = new ChatTabCoordinator();
+
+    expect(b.isReadOnly("chat-1")).toBe(false);
+
+    a.claim("chat-1");
+
+    expect(b.isReadOnly("chat-1")).toBe(true);
+    expect(a.isReadOnly("chat-1")).toBe(false); // Owner is not read-only
+
+    a.dispose();
+    b.dispose();
+  });
+
+  it("tab A releases, tab B sees isReadOnly = false", () => {
+    const a = new ChatTabCoordinator();
+    const b = new ChatTabCoordinator();
+
+    a.claim("chat-1");
+    expect(b.isReadOnly("chat-1")).toBe(true);
+
+    a.release("chat-1");
+    expect(b.isReadOnly("chat-1")).toBe(false);
+
+    a.dispose();
+    b.dispose();
+  });
+
+  it("fires listener on claim and release", () => {
+    const a = new ChatTabCoordinator();
+    const b = new ChatTabCoordinator();
+    const listener = vi.fn();
+    b.addListener(listener);
+
+    a.claim("chat-1");
+    expect(listener).toHaveBeenCalledWith("chat-1", true);
+
+    a.release("chat-1");
+    expect(listener).toHaveBeenCalledWith("chat-1", false);
+
+    a.dispose();
+    b.dispose();
+  });
+
+  it("removeListener stops notifications", () => {
+    const a = new ChatTabCoordinator();
+    const b = new ChatTabCoordinator();
+    const listener = vi.fn();
+    b.addListener(listener);
+    b.removeListener(listener);
+
+    a.claim("chat-1");
+    expect(listener).not.toHaveBeenCalled();
+
+    a.dispose();
+    b.dispose();
+  });
+
+  it("claim returns false when another tab holds the chatId", () => {
+    const a = new ChatTabCoordinator();
+    const b = new ChatTabCoordinator();
+
+    expect(a.claim("chat-1")).toBe(true);
+    expect(b.claim("chat-1")).toBe(false);
+
+    a.dispose();
+    b.dispose();
+  });
+
+  it("supports multiple independent chatIds", () => {
+    const a = new ChatTabCoordinator();
+    const b = new ChatTabCoordinator();
+
+    a.claim("chat-1");
+    b.claim("chat-2");
+
+    expect(a.isReadOnly("chat-1")).toBe(false);
+    expect(a.isReadOnly("chat-2")).toBe(true);
+    expect(b.isReadOnly("chat-1")).toBe(true);
+    expect(b.isReadOnly("chat-2")).toBe(false);
+
+    a.dispose();
+    b.dispose();
+  });
+
+  it("heartbeat timeout clears stale claim from crashed tab", () => {
+    const a = new ChatTabCoordinator();
+    const b = new ChatTabCoordinator();
+    const listener = vi.fn();
+    b.addListener(listener);
+
+    a.claim("chat-1");
+    expect(b.isReadOnly("chat-1")).toBe(true);
+
+    // Simulate tab A crashing (close its channel, stop heartbeats)
+    a.dispose();
+
+    // Advance past heartbeat timeout (10s)
+    vi.advanceTimersByTime(11_000);
+
+    expect(b.isReadOnly("chat-1")).toBe(false);
+    expect(listener).toHaveBeenCalledWith("chat-1", false);
+
+    b.dispose();
+  });
+
+  it("dispose releases all claims", () => {
+    const a = new ChatTabCoordinator();
+    const b = new ChatTabCoordinator();
+
+    a.claim("chat-1");
+    a.claim("chat-2");
+    expect(b.isReadOnly("chat-1")).toBe(true);
+    expect(b.isReadOnly("chat-2")).toBe(true);
+
+    a.dispose();
+    expect(b.isReadOnly("chat-1")).toBe(false);
+    expect(b.isReadOnly("chat-2")).toBe(false);
+
+    b.dispose();
+  });
+
+  it("gracefully degrades when BroadcastChannel is unavailable", () => {
+    vi.stubGlobal("BroadcastChannel", undefined);
+
+    const coord = new ChatTabCoordinator();
+
+    // All operations are no-ops
+    expect(coord.claim("chat-1")).toBe(true);
+    expect(coord.isReadOnly("chat-1")).toBe(false);
+    coord.release("chat-1"); // No error
+    coord.dispose(); // No error
+  });
+});
diff --git a/packages/trigger-sdk/src/v3/chat-tab-coordinator.ts b/packages/trigger-sdk/src/v3/chat-tab-coordinator.ts
new file mode 100644
index 00000000000..42d766cd33f
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/chat-tab-coordinator.ts
@@ -0,0 +1,268 @@
+/**
+ * Coordinates multi-tab access to chat sessions via BroadcastChannel.
+ *
+ * When multiple browser tabs open the same chat, only one can be the active
+ * sender. Others enter read-only mode. The coordinator uses a simple
+ * claim/release/heartbeat protocol to track ownership per chatId.
+ *
+ * Gracefully degrades to a no-op when BroadcastChannel is unavailable
+ * (SSR, Node.js, old browsers).
+ *
+ * @internal
+ */
+
+const CHANNEL_NAME = "trigger-chat-tab-coord";
+const HEARTBEAT_INTERVAL_MS = 5_000;
+const HEARTBEAT_TIMEOUT_MS = 10_000;
+
+type TabMessage =
+  | { type: "claim"; chatId: string; tabId: string }
+  | { type: "release"; chatId: string; tabId: string }
+  | { type: "heartbeat"; chatId: string; tabId: string }
+  | { type: "messages"; chatId: string; tabId: string; messages: unknown[] }
+  | { type: "session"; chatId: string; tabId: string; session: { lastEventId?: string } };
+
+type ReadOnlyListener = (chatId: string, isReadOnly: boolean) => void;
+type MessagesListener = (chatId: string, messages: unknown[]) => void;
+type SessionListener = (chatId: string, session: { lastEventId?: string }) => void;
+
+export class ChatTabCoordinator {
+  private tabId: string;
+  private channel: BroadcastChannel | null = null;
+  /** Claims held by OTHER tabs: chatId -> { tabId, lastSeen } */
+  private claims = new Map<string, { tabId: string; lastSeen: number }>();
+  /** chatIds that THIS tab has claimed */
+  private myClaims = new Set<string>();
+  private listeners = new Set<ReadOnlyListener>();
+  private messagesListeners = new Set<MessagesListener>();
+  private sessionListeners = new Set<SessionListener>();
+  private heartbeatTimer: ReturnType<typeof setInterval> | null = null;
+  private beforeUnloadHandler: (() => void) | null = null;
+
+  constructor() {
+    this.tabId =
+      typeof crypto !== "undefined" && crypto.randomUUID
+        ? crypto.randomUUID()
+        : `tab-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+
+    if (typeof BroadcastChannel === "undefined") {
+      return; // No-op mode
+    }
+
+    this.channel = new BroadcastChannel(CHANNEL_NAME);
+    this.channel.onmessage = (event: MessageEvent<TabMessage>) => {
+      this.handleMessage(event.data);
+    };
+
+    // Heartbeat: send for our claims + check for stale claims from other tabs
+    this.heartbeatTimer = setInterval(() => {
+      this.sendHeartbeats();
+      this.expireStaleClaimsFromOtherTabs();
+    }, HEARTBEAT_INTERVAL_MS);
+
+    // Best-effort release on tab close
+    this.beforeUnloadHandler = () => this.releaseAll();
+    if (typeof window !== "undefined") {
+      window.addEventListener("beforeunload", this.beforeUnloadHandler);
+    }
+  }
+
+  /**
+   * Attempt to claim a chatId for sending.
+   * Returns false if another tab already holds it.
+   */
+  claim(chatId: string): boolean {
+    if (!this.channel) return true; // No-op mode
+
+    const existing = this.claims.get(chatId);
+    if (existing && existing.tabId !== this.tabId) {
+      return false; // Another tab holds this chat
+    }
+
+    this.myClaims.add(chatId);
+    this.broadcast({ type: "claim", chatId, tabId: this.tabId });
+    return true;
+  }
+
+  /** Release a chatId so other tabs can claim it. */
+  release(chatId: string): void {
+    if (!this.channel) return;
+    if (!this.myClaims.has(chatId)) return;
+
+    this.myClaims.delete(chatId);
+    this.broadcast({ type: "release", chatId, tabId: this.tabId });
+  }
+
+  /** Check if THIS tab currently holds a claim for the chatId. */
+  hasClaim(chatId: string): boolean {
+    return this.myClaims.has(chatId);
+  }
+
+  /** Check if another tab holds this chatId. */
+  isReadOnly(chatId: string): boolean {
+    if (!this.channel) return false;
+
+    const claim = this.claims.get(chatId);
+    return claim != null && claim.tabId !== this.tabId;
+  }
+
+  addListener(fn: ReadOnlyListener): void {
+    this.listeners.add(fn);
+  }
+
+  removeListener(fn: ReadOnlyListener): void {
+    this.listeners.delete(fn);
+  }
+
+  /** Broadcast the current messages to other tabs (for real-time sync). */
+  broadcastMessages(chatId: string, messages: unknown[]): void {
+    if (!this.channel) return;
+    this.broadcast({ type: "messages", chatId, tabId: this.tabId, messages });
+  }
+
+  addMessagesListener(fn: MessagesListener): void {
+    this.messagesListeners.add(fn);
+  }
+
+  removeMessagesListener(fn: MessagesListener): void {
+    this.messagesListeners.delete(fn);
+  }
+
+  /** Broadcast session state (lastEventId) to other tabs. */
+  broadcastSession(chatId: string, session: { lastEventId?: string }): void {
+    if (!this.channel) return;
+    this.broadcast({ type: "session", chatId, tabId: this.tabId, session });
+  }
+
+  addSessionListener(fn: SessionListener): void {
+    this.sessionListeners.add(fn);
+  }
+
+  removeSessionListener(fn: SessionListener): void {
+    this.sessionListeners.delete(fn);
+  }
+
+  /** Clean up channel, timers, and event listeners. */
+  dispose(): void {
+    this.releaseAll();
+
+    if (this.heartbeatTimer) {
+      clearInterval(this.heartbeatTimer);
+      this.heartbeatTimer = null;
+    }
+
+    if (this.beforeUnloadHandler && typeof window !== "undefined") {
+      window.removeEventListener("beforeunload", this.beforeUnloadHandler);
+      this.beforeUnloadHandler = null;
+    }
+
+    if (this.channel) {
+      this.channel.close();
+      this.channel = null;
+    }
+
+    this.listeners.clear();
+    this.messagesListeners.clear();
+    this.sessionListeners.clear();
+  }
+
+  // --- Private ---
+
+  private handleMessage(msg: TabMessage): void {
+    if (msg.tabId === this.tabId) return; // Ignore own messages
+
+    switch (msg.type) {
+      case "claim": {
+        const wasReadOnly = this.isReadOnly(msg.chatId);
+        this.claims.set(msg.chatId, { tabId: msg.tabId, lastSeen: Date.now() });
+        if (!wasReadOnly) {
+          this.notify(msg.chatId, true);
+        }
+        break;
+      }
+      case "release": {
+        const claim = this.claims.get(msg.chatId);
+        if (claim && claim.tabId === msg.tabId) {
+          this.claims.delete(msg.chatId);
+          this.notify(msg.chatId, false);
+        }
+        break;
+      }
+      case "heartbeat": {
+        const claim = this.claims.get(msg.chatId);
+        if (claim && claim.tabId === msg.tabId) {
+          claim.lastSeen = Date.now();
+        }
+        break;
+      }
+      case "messages": {
+        this.notifyMessages(msg.chatId, msg.messages);
+        break;
+      }
+      case "session": {
+        this.notifySession(msg.chatId, msg.session);
+        break;
+      }
+    }
+  }
+
+  private sendHeartbeats(): void {
+    for (const chatId of this.myClaims) {
+      this.broadcast({ type: "heartbeat", chatId, tabId: this.tabId });
+    }
+  }
+
+  private expireStaleClaimsFromOtherTabs(): void {
+    const now = Date.now();
+    for (const [chatId, claim] of this.claims) {
+      if (claim.tabId !== this.tabId && now - claim.lastSeen > HEARTBEAT_TIMEOUT_MS) {
+        this.claims.delete(chatId);
+        this.notify(chatId, false);
+      }
+    }
+  }
+
+  private releaseAll(): void {
+    for (const chatId of [...this.myClaims]) {
+      this.release(chatId);
+    }
+  }
+
+  private broadcast(msg: TabMessage): void {
+    try {
+      this.channel?.postMessage(msg);
+    } catch {
+      // Channel may be closed
+    }
+  }
+
+  private notify(chatId: string, isReadOnly: boolean): void {
+    for (const fn of this.listeners) {
+      try {
+        fn(chatId, isReadOnly);
+      } catch {
+        // Non-fatal
+      }
+    }
+  }
+
+  private notifyMessages(chatId: string, messages: unknown[]): void {
+    for (const fn of this.messagesListeners) {
+      try {
+        fn(chatId, messages);
+      } catch {
+        // Non-fatal
+      }
+    }
+  }
+
+  private notifySession(chatId: string, session: { lastEventId?: string }): void {
+    for (const fn of this.sessionListeners) {
+      try {
+        fn(chatId, session);
+      } catch {
+        // Non-fatal
+      }
+    }
+  }
+}
diff --git a/packages/trigger-sdk/src/v3/chat.test.ts b/packages/trigger-sdk/src/v3/chat.test.ts
new file mode 100644
index 00000000000..e4fc45eae4b
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/chat.test.ts
@@ -0,0 +1,1415 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import type { UIMessage, UIMessageChunk } from "ai";
+import { TriggerChatTransport, createChatTransport } from "./chat.js";
+
+// ───────────────────────────────────────────────────────────────────────────
+// Test helpers
+// ───────────────────────────────────────────────────────────────────────────
+
+/**
+ * Encode chunks as SSE text. The runtime SSE parser
+ * ({@link SSEStreamSubscription}) auto-parses the `data:` field via
+ * `safeParseJSON` and yields it as `value.chunk`, so each `data:` line
+ * just needs to contain the JSON-encoded chunk directly.
+ *
+ * In production the session backend sends the raw S2 record body as the
+ * `data:` field — that body is itself a JSON string (the transport
+ * round-trips through `JSON.stringify`/`JSON.parse`). The transport's
+ * SSE reader handles both shapes (`typeof value.chunk === "string"` →
+ * parse-once, `=== "object"` → use as-is). We pick the object form
+ * here for test simplicity.
+ */
+/**
+ * Encode test chunks as a session-stream v2 SSE batch event. Each chunk
+ * becomes one S2 record; chunks of shape `{type: "trigger:turn-complete"}`
+ * or `{type: "trigger:upgrade-required"}` are translated into header-form
+ * control records (empty body, `trigger-control` header) to match the
+ * production wire shape.
+ */
+function sseEncode(chunks: (UIMessageChunk | Record<string, unknown>)[]): string {
+  let nextSeq = 1;
+  const records = chunks.map((chunk, i) => {
+    const partId = `p-${i}`;
+    const type = (chunk as { type?: unknown }).type;
+    if (type === "trigger:turn-complete") {
+      const headers: Array<[string, string]> = [["trigger-control", "turn-complete"]];
+      const token = (chunk as { publicAccessToken?: string }).publicAccessToken;
+      if (token) headers.push(["public-access-token", token]);
+      return {
+        body: "",
+        seq_num: nextSeq++,
+        timestamp: 1700000000000 + i,
+        headers,
+      };
+    }
+    if (type === "trigger:upgrade-required") {
+      return {
+        body: "",
+        seq_num: nextSeq++,
+        timestamp: 1700000000000 + i,
+        headers: [["trigger-control", "upgrade-required"]],
+      };
+    }
+    return {
+      body: JSON.stringify({ data: chunk, id: partId }),
+      seq_num: nextSeq++,
+      timestamp: 1700000000000 + i,
+      headers: [],
+    };
+  });
+  return `event: batch\ndata: ${JSON.stringify({ records })}\n\n`;
+}
+
+function createSSEStream(sseText: string): ReadableStream<Uint8Array> {
+  const encoder = new TextEncoder();
+  return new ReadableStream({
+    start(controller) {
+      controller.enqueue(encoder.encode(sseText));
+      controller.close();
+    },
+  });
+}
+
+let messageIdCounter = 0;
+function createUserMessage(text: string): UIMessage {
+  return {
+    id: `msg-user-${++messageIdCounter}`,
+    role: "user",
+    parts: [{ type: "text", text }],
+  };
+}
+
+const sampleChunks: UIMessageChunk[] = [
+  { type: "text-start", id: "part-1" },
+  { type: "text-delta", id: "part-1", delta: "Hello" },
+  { type: "text-delta", id: "part-1", delta: " world" },
+  { type: "text-delta", id: "part-1", delta: "!" },
+  { type: "text-end", id: "part-1" },
+];
+
+const sampleChunksWithTurnComplete: (UIMessageChunk | Record<string, unknown>)[] = [
+  ...sampleChunks,
+  { type: "trigger:turn-complete" },
+];
+
+// URL predicates
+function isSessionCreateUrl(urlStr: string): boolean {
+  return urlStr.endsWith("/api/v1/sessions") || urlStr.endsWith("/api/v1/sessions/");
+}
+function isSessionOutSubscribeUrl(urlStr: string): boolean {
+  return /\/realtime\/v1\/sessions\/[^/]+\/out$/.test(urlStr);
+}
+function isSessionStreamAppendUrl(urlStr: string): boolean {
+  return /\/realtime\/v1\/sessions\/[^/]+\/(in|out)\/append$/.test(urlStr);
+}
+function chatIdFromUrl(urlStr: string): string | undefined {
+  const m = urlStr.match(/\/realtime\/v1\/sessions\/([^/]+)\//);
+  return m?.[1];
+}
+
+const DEFAULT_RUN_ID = "run_default";
+const DEFAULT_SESSION_ID = "session_default";
+const DEFAULT_SESSION_PAT = "pat_session_default";
+
+function createSessionResponseBody(options?: {
+  sessionId?: string;
+  externalId?: string;
+  publicAccessToken?: string;
+  runId?: string;
+}): string {
+  const externalId = options?.externalId ?? null;
+  return JSON.stringify({
+    id: options?.sessionId ?? DEFAULT_SESSION_ID,
+    externalId,
+    type: "chat.agent",
+    taskIdentifier: "my-chat-task",
+    triggerConfig: { basePayload: { chatId: externalId ?? "" } },
+    currentRunId: options?.runId ?? DEFAULT_RUN_ID,
+    runId: options?.runId ?? DEFAULT_RUN_ID,
+    publicAccessToken: options?.publicAccessToken ?? DEFAULT_SESSION_PAT,
+    tags: [],
+    metadata: null,
+    closedAt: null,
+    closedReason: null,
+    expiresAt: null,
+    createdAt: new Date(0).toISOString(),
+    updatedAt: new Date(0).toISOString(),
+    isCached: false,
+  });
+}
+
+function defaultSessionCreateResponse(options?: {
+  sessionId?: string;
+  externalId?: string;
+  publicAccessToken?: string;
+  runId?: string;
+}): Response {
+  return new Response(createSessionResponseBody(options), {
+    status: 200,
+    headers: { "content-type": "application/json" },
+  });
+}
+
+function defaultAppendResponse(): Response {
+  return new Response(JSON.stringify({ ok: true }), {
+    status: 200,
+    headers: { "content-type": "application/json" },
+  });
+}
+
+function defaultSseResponse(
+  chunks: (UIMessageChunk | Record<string, unknown>)[] = sampleChunksWithTurnComplete
+): Response {
+  return new Response(createSSEStream(sseEncode(chunks)), {
+    status: 200,
+    headers: {
+      "content-type": "text/event-stream",
+      // Session streams are always v2 in production — batch format
+      // with one S2 record per SSE event. The legacy v1 path is for
+      // run-scoped Redis streams.
+      "X-Stream-Version": "v2",
+    },
+  });
+}
+
+function authError(status = 401): Response {
+  return new Response(
+    JSON.stringify({ error: "Unauthorized", name: "TriggerApiError", status }),
+    {
+      status,
+      headers: { "content-type": "application/json" },
+    }
+  );
+}
+
+/**
+ * Drains a UIMessageChunk stream into an array. Used to assert what
+ * the transport surfaced after filtering control chunks.
+ */
+async function drainChunks(
+  stream: ReadableStream<UIMessageChunk>
+): Promise<UIMessageChunk[]> {
+  const reader = stream.getReader();
+  const out: UIMessageChunk[] = [];
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      out.push(value);
+    }
+  } finally {
+    reader.releaseLock();
+  }
+  return out;
+}
+
+// ───────────────────────────────────────────────────────────────────────────
+// Tests
+// ───────────────────────────────────────────────────────────────────────────
+
+describe("TriggerChatTransport", () => {
+  let originalFetch: typeof global.fetch;
+
+  beforeEach(() => {
+    originalFetch = global.fetch;
+  });
+
+  afterEach(() => {
+    global.fetch = originalFetch;
+    vi.restoreAllMocks();
+  });
+
+  describe("constructor", () => {
+    it("creates with required options", () => {
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+      });
+      expect(transport).toBeInstanceOf(TriggerChatTransport);
+    });
+
+    it("createChatTransport returns a TriggerChatTransport", () => {
+      const transport = createChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+      });
+      expect(transport).toBeInstanceOf(TriggerChatTransport);
+    });
+
+    it("hydrates sessions from options.sessions", () => {
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        sessions: {
+          "chat-1": {
+            publicAccessToken: "hydrated-pat",
+            lastEventId: "42",
+            isStreaming: false,
+          },
+        },
+      });
+
+      const session = transport.getSession("chat-1");
+      expect(session).toEqual({
+        publicAccessToken: "hydrated-pat",
+        lastEventId: "42",
+        isStreaming: false,
+      });
+    });
+
+    it("returns undefined for unknown chatIds", () => {
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+      });
+      expect(transport.getSession("unknown")).toBeUndefined();
+    });
+  });
+
+  describe("setSession / setOnSessionChange", () => {
+    it("setSession installs persisted state and notifies", () => {
+      const onSessionChange = vi.fn();
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        onSessionChange,
+      });
+
+      transport.setSession("chat-x", {
+        publicAccessToken: "tok",
+        lastEventId: "10",
+      });
+
+      expect(transport.getSession("chat-x")).toMatchObject({
+        publicAccessToken: "tok",
+        lastEventId: "10",
+      });
+      expect(onSessionChange).toHaveBeenCalledWith(
+        "chat-x",
+        expect.objectContaining({ publicAccessToken: "tok", lastEventId: "10" })
+      );
+    });
+
+    it("setOnSessionChange swaps the callback at runtime", () => {
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+      });
+
+      const cb1 = vi.fn();
+      const cb2 = vi.fn();
+      transport.setOnSessionChange(cb1);
+      transport.setSession("c", { publicAccessToken: "t1" });
+      expect(cb1).toHaveBeenCalledTimes(1);
+
+      transport.setOnSessionChange(cb2);
+      transport.setSession("c", { publicAccessToken: "t2" });
+      expect(cb1).toHaveBeenCalledTimes(1);
+      expect(cb2).toHaveBeenCalledTimes(1);
+    });
+  });
+
+  describe("start", () => {
+    it("calls the customer's startSession callback and caches the returned PAT", async () => {
+      const startSession = vi.fn().mockResolvedValue({ publicAccessToken: "session-pat-1" });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "should-not-be-called",
+        startSession,
+      });
+
+      const result = await transport.start("chat-1");
+
+      expect(startSession).toHaveBeenCalledWith({
+        taskId: "my-chat-task",
+        chatId: "chat-1",
+        clientData: {},
+      });
+      expect(result.publicAccessToken).toBe("session-pat-1");
+      expect(transport.getSession("chat-1")?.publicAccessToken).toBe("session-pat-1");
+    });
+
+    it("is idempotent — second call returns the cached state without re-invoking startSession", async () => {
+      const startSession = vi
+        .fn()
+        .mockResolvedValue({ publicAccessToken: "session-pat-2" });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        startSession,
+      });
+
+      await transport.start("chat-2");
+      await transport.start("chat-2");
+      expect(startSession).toHaveBeenCalledTimes(1);
+    });
+
+    it("dedupes concurrent calls via an in-flight promise", async () => {
+      let resolveStart!: (r: { publicAccessToken: string }) => void;
+      const startPromise = new Promise<{ publicAccessToken: string }>((resolve) => {
+        resolveStart = resolve;
+      });
+      const startSession = vi.fn().mockReturnValue(startPromise);
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        startSession,
+      });
+
+      const a = transport.start("chat-3");
+      const b = transport.start("chat-3");
+
+      resolveStart({ publicAccessToken: "session-pat-3" });
+      await Promise.all([a, b]);
+
+      expect(startSession).toHaveBeenCalledTimes(1);
+    });
+
+    it("preload() is an alias for start()", async () => {
+      const startSession = vi
+        .fn()
+        .mockResolvedValue({ publicAccessToken: "session-pat-pre" });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        startSession,
+      });
+
+      await transport.preload("chat-pre");
+      expect(startSession).toHaveBeenCalledTimes(1);
+      expect(transport.getSession("chat-pre")?.publicAccessToken).toBe("session-pat-pre");
+    });
+
+    it("throws a clear error when start() is called without startSession configured", async () => {
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+      });
+      await expect(transport.start("chat-no-start")).rejects.toThrow(/startSession/);
+    });
+
+    it("threads the transport's `clientData` through to startSession", async () => {
+      const startSession = vi
+        .fn()
+        .mockResolvedValue({ publicAccessToken: "session-pat-cd" });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        startSession,
+        clientData: { userId: "u-1", model: "claude-sonnet-4-6" },
+      });
+
+      await transport.start("chat-cd");
+
+      expect(startSession).toHaveBeenCalledWith({
+        taskId: "my-chat-task",
+        chatId: "chat-cd",
+        clientData: { userId: "u-1", model: "claude-sonnet-4-6" },
+      });
+    });
+
+    it("setClientData updates the value passed to subsequent startSession calls", async () => {
+      const startSession = vi
+        .fn()
+        .mockResolvedValue({ publicAccessToken: "session-pat-set" });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        startSession,
+        clientData: { userId: "old" },
+      });
+
+      transport.setClientData({ userId: "new" });
+      await transport.start("chat-set");
+
+      expect(startSession).toHaveBeenCalledWith({
+        taskId: "my-chat-task",
+        chatId: "chat-set",
+        clientData: { userId: "new" },
+      });
+    });
+  });
+
+  describe("ensureSessionState (lazy start on first sendMessage)", () => {
+    it("calls startSession lazily on first sendMessage when no PAT is hydrated", async () => {
+      const startSession = vi
+        .fn()
+        .mockResolvedValue({ publicAccessToken: "lazy-session-pat" });
+
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (isSessionStreamAppendUrl(urlStr)) return defaultAppendResponse();
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "should-not-be-called",
+        startSession,
+        baseURL: "https://api.test.trigger.dev",
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-lazy",
+        messageId: undefined,
+        messages: [createUserMessage("hi")],
+        abortSignal: undefined,
+      });
+      await drainChunks(stream);
+
+      expect(startSession).toHaveBeenCalledTimes(1);
+      expect(startSession).toHaveBeenCalledWith({
+        taskId: "my-chat-task",
+        chatId: "chat-lazy",
+        clientData: {},
+      });
+      expect(transport.getSession("chat-lazy")?.publicAccessToken).toBe("lazy-session-pat");
+    });
+
+    it("falls back to accessToken when no startSession is configured (out-of-band session create)", async () => {
+      const accessToken = vi.fn().mockResolvedValue("server-mediated-pat");
+
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (isSessionStreamAppendUrl(urlStr)) return defaultAppendResponse();
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken,
+        baseURL: "https://api.test.trigger.dev",
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-server",
+        messageId: undefined,
+        messages: [createUserMessage("hi")],
+        abortSignal: undefined,
+      });
+      await drainChunks(stream);
+
+      expect(accessToken).toHaveBeenCalledTimes(1);
+      expect(accessToken).toHaveBeenCalledWith({ chatId: "chat-server" });
+    });
+
+    it("does not call accessToken when a PAT is hydrated", async () => {
+      const accessToken = vi.fn().mockResolvedValue("should-not-be-called");
+
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (isSessionStreamAppendUrl(urlStr)) return defaultAppendResponse();
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken,
+        sessions: {
+          "chat-h": { publicAccessToken: "hydrated-pat" },
+        },
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-h",
+        messageId: undefined,
+        messages: [createUserMessage("hi")],
+        abortSignal: undefined,
+      });
+      await drainChunks(stream);
+
+      expect(accessToken).not.toHaveBeenCalled();
+    });
+  });
+
+  describe("sendMessages", () => {
+    it("posts the user message to .in/append and streams chunks from .out", async () => {
+      const requests: Array<{ url: string; init?: RequestInit }> = [];
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL, init?: RequestInit) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        requests.push({ url: urlStr, init });
+        if (isSessionStreamAppendUrl(urlStr)) return defaultAppendResponse();
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        baseURL: "https://api.test.trigger.dev",
+        sessions: { "chat-1": { publicAccessToken: "p" } },
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-1",
+        messageId: "m1",
+        messages: [createUserMessage("Hello")],
+        abortSignal: undefined,
+      });
+      const chunks = await drainChunks(stream);
+
+      // Five UI chunks pass through; trigger:turn-complete is filtered.
+      expect(chunks).toHaveLength(sampleChunks.length);
+      expect(chunks[0]).toEqual(sampleChunks[0]);
+
+      const append = requests.find((r) =>
+        isSessionStreamAppendUrl(r.url) && r.url.endsWith("/in/append")
+      );
+      expect(append).toBeDefined();
+      expect(chatIdFromUrl(append!.url)).toBe("chat-1");
+
+      // Body is the serialized ChatInputChunk.
+      const body = JSON.parse(append!.init!.body as string);
+      expect(body.kind).toBe("message");
+      expect(body.payload.chatId).toBe("chat-1");
+      expect(body.payload.trigger).toBe("submit-message");
+    });
+
+    it("addresses .out SSE by chatId (not by sessionId)", async () => {
+      const requests: string[] = [];
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        requests.push(urlStr);
+        if (isSessionStreamAppendUrl(urlStr)) return defaultAppendResponse();
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        baseURL: "https://api.test.trigger.dev",
+        sessions: { "chat-by-chatid": { publicAccessToken: "p" } },
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-by-chatid",
+        messageId: undefined,
+        messages: [createUserMessage("Hi")],
+        abortSignal: undefined,
+      });
+      await drainChunks(stream);
+
+      const subscribe = requests.find(isSessionOutSubscribeUrl);
+      expect(subscribe).toBeDefined();
+      expect(subscribe!).toContain("/realtime/v1/sessions/chat-by-chatid/out");
+    });
+
+    it("functional baseURL dispatches per endpoint (in vs out)", async () => {
+      const requests: Array<{ url: string; ctxEndpoint: string | undefined }> = [];
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        requests.push({ url: urlStr, ctxEndpoint: undefined });
+        if (isSessionStreamAppendUrl(urlStr)) return defaultAppendResponse();
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const baseURLFn = vi.fn(({ endpoint }: { endpoint: "in" | "out"; chatId: string }) =>
+        endpoint === "out"
+          ? "https://stream.example.com"
+          : "https://api.example.com"
+      );
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        baseURL: baseURLFn,
+        sessions: { "chat-fn": { publicAccessToken: "p" } },
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-fn",
+        messageId: undefined,
+        messages: [createUserMessage("Hi")],
+        abortSignal: undefined,
+      });
+      await drainChunks(stream);
+
+      const appendCalls = baseURLFn.mock.calls.filter((c) => c[0].endpoint === "in");
+      const outCalls = baseURLFn.mock.calls.filter((c) => c[0].endpoint === "out");
+      expect(appendCalls.length).toBeGreaterThanOrEqual(1);
+      expect(outCalls.length).toBeGreaterThanOrEqual(1);
+      expect(appendCalls[0]![0].chatId).toBe("chat-fn");
+      expect(outCalls[0]![0].chatId).toBe("chat-fn");
+
+      const append = requests.find((r) => isSessionStreamAppendUrl(r.url));
+      const subscribe = requests.find((r) => isSessionOutSubscribeUrl(r.url));
+      expect(append!.url.startsWith("https://api.example.com/")).toBe(true);
+      expect(subscribe!.url.startsWith("https://stream.example.com/")).toBe(true);
+    });
+
+    it("fetch override is invoked for both .in/append and .out SSE with endpoint ctx", async () => {
+      const fetchCalls: Array<{ url: string; endpoint: string; chatId: string }> = [];
+
+      const customFetch = vi.fn(
+        async (
+          url: string,
+          init: RequestInit,
+          ctx: { endpoint: "in" | "out"; chatId: string }
+        ) => {
+          fetchCalls.push({ url, endpoint: ctx.endpoint, chatId: ctx.chatId });
+          if (isSessionStreamAppendUrl(url)) return defaultAppendResponse();
+          if (isSessionOutSubscribeUrl(url)) return defaultSseResponse();
+          throw new Error(`Unexpected URL: ${url}`);
+        }
+      );
+
+      global.fetch = vi.fn().mockRejectedValue(new Error("global fetch should not be called"));
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        baseURL: "https://api.test.trigger.dev",
+        fetch: customFetch,
+        sessions: { "chat-fetch": { publicAccessToken: "p" } },
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-fetch",
+        messageId: undefined,
+        messages: [createUserMessage("Hi")],
+        abortSignal: undefined,
+      });
+      await drainChunks(stream);
+
+      const inCalls = fetchCalls.filter((c) => c.endpoint === "in");
+      const outCalls = fetchCalls.filter((c) => c.endpoint === "out");
+      expect(inCalls.length).toBeGreaterThanOrEqual(1);
+      expect(outCalls.length).toBeGreaterThanOrEqual(1);
+      expect(inCalls[0]!.chatId).toBe("chat-fetch");
+      expect(outCalls[0]!.chatId).toBe("chat-fetch");
+    });
+
+    it("routes .out SSE through streamBaseURL while appends stay on baseURL", async () => {
+      const requests: string[] = [];
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        requests.push(urlStr);
+        if (isSessionStreamAppendUrl(urlStr)) return defaultAppendResponse();
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        baseURL: "https://api.test.trigger.dev",
+        streamBaseURL: "https://chat-proxy.example.com",
+        sessions: { "chat-split": { publicAccessToken: "p" } },
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-split",
+        messageId: undefined,
+        messages: [createUserMessage("Hi")],
+        abortSignal: undefined,
+      });
+      await drainChunks(stream);
+
+      const append = requests.find(isSessionStreamAppendUrl);
+      const subscribe = requests.find(isSessionOutSubscribeUrl);
+      expect(append!.startsWith("https://api.test.trigger.dev/")).toBe(true);
+      expect(subscribe!.startsWith("https://chat-proxy.example.com/")).toBe(true);
+      expect(subscribe!).toContain("/realtime/v1/sessions/chat-split/out");
+    });
+
+    it("for submit-message, only the latest message is delivered to .in", async () => {
+      // Slim wire: each `.in/append` carries at most ONE new message in
+      // `payload.message` (singular). Even if the caller hands sendMessages
+      // an array of three, only the last element flows to the wire — the
+      // agent rebuilds prior history at run boot from snapshot + replay.
+      let appendBody: any;
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL, init?: RequestInit) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (isSessionStreamAppendUrl(urlStr)) {
+          appendBody = JSON.parse(init!.body as string);
+          return defaultAppendResponse();
+        }
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        sessions: { "chat-slice": { publicAccessToken: "p" } },
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-slice",
+        messageId: undefined,
+        messages: [
+          createUserMessage("first"),
+          createUserMessage("second"),
+          createUserMessage("third"),
+        ],
+        abortSignal: undefined,
+      });
+      await drainChunks(stream);
+
+      expect(appendBody.payload.message).toBeDefined();
+      expect(appendBody.payload.message.parts[0].text).toBe("third");
+      expect(appendBody.payload.messages).toBeUndefined();
+    });
+
+    it("for regenerate-message, no message is delivered to .in (server slices its own tail)", async () => {
+      // Slim wire: the regenerate trigger ships NO message — the agent
+      // trims the trailing assistant from its accumulator and re-runs from
+      // the prior user turn. The wire payload only carries the trigger
+      // discriminator + chatId + metadata.
+      let appendBody: any;
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL, init?: RequestInit) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (isSessionStreamAppendUrl(urlStr)) {
+          appendBody = JSON.parse(init!.body as string);
+          return defaultAppendResponse();
+        }
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        sessions: { "chat-regen": { publicAccessToken: "p" } },
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "regenerate-message",
+        chatId: "chat-regen",
+        messageId: undefined,
+        messages: [createUserMessage("a"), createUserMessage("b")],
+        abortSignal: undefined,
+      });
+      await drainChunks(stream);
+
+      expect(appendBody.payload.trigger).toBe("regenerate-message");
+      expect(appendBody.payload.message).toBeUndefined();
+      expect(appendBody.payload.messages).toBeUndefined();
+    });
+
+    it("merges transport-level clientData into per-call metadata (per-call wins)", async () => {
+      let appendBody: any;
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL, init?: RequestInit) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (isSessionStreamAppendUrl(urlStr)) {
+          appendBody = JSON.parse(init!.body as string);
+          return defaultAppendResponse();
+        }
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        clientData: { userId: "u1", scope: "default" } as Record<string, unknown>,
+        sessions: { "chat-md": { publicAccessToken: "p" } },
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-md",
+        messageId: undefined,
+        messages: [createUserMessage("hi")],
+        abortSignal: undefined,
+        metadata: { scope: "request" } as never,
+      });
+      await drainChunks(stream);
+
+      expect(appendBody.payload.metadata).toEqual({ userId: "u1", scope: "request" });
+    });
+
+    it("filters trigger:upgrade-required and continues reading", async () => {
+      const chunks: (UIMessageChunk | Record<string, unknown>)[] = [
+        ...sampleChunks.slice(0, 2),
+        { type: "trigger:upgrade-required" },
+        ...sampleChunks.slice(2),
+        { type: "trigger:turn-complete" },
+      ];
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (isSessionStreamAppendUrl(urlStr)) return defaultAppendResponse();
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse(chunks);
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        sessions: { "chat-up": { publicAccessToken: "p" } },
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-up",
+        messageId: undefined,
+        messages: [createUserMessage("hi")],
+        abortSignal: undefined,
+      });
+      const surfaced = await drainChunks(stream);
+
+      // Both control chunks are filtered.
+      expect(surfaced).toHaveLength(sampleChunks.length);
+      expect(surfaced.find((c: any) => c.type === "trigger:upgrade-required")).toBeUndefined();
+      expect(surfaced.find((c: any) => c.type === "trigger:turn-complete")).toBeUndefined();
+    });
+
+    it("clears isStreaming on turn-complete and notifies", async () => {
+      const onSessionChange = vi.fn();
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (isSessionStreamAppendUrl(urlStr)) return defaultAppendResponse();
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        onSessionChange,
+        sessions: { "chat-tc": { publicAccessToken: "p" } },
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-tc",
+        messageId: undefined,
+        messages: [createUserMessage("hi")],
+        abortSignal: undefined,
+      });
+      await drainChunks(stream);
+
+      const lastIsStreamingFalse = onSessionChange.mock.calls
+        .map((call) => call[1])
+        .reverse()
+        .find((s) => s !== null && s.isStreaming === false);
+      expect(lastIsStreamingFalse).toBeDefined();
+    });
+  });
+
+  describe("auth retry on 401", () => {
+    it("refreshes the PAT via accessToken and retries the .in/append once", async () => {
+      const accessToken = vi.fn().mockResolvedValue("fresh-pat");
+      let appendCount = 0;
+      let appendAuth: string | null = null;
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL, init?: RequestInit) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (isSessionStreamAppendUrl(urlStr)) {
+          appendCount++;
+          if (appendCount === 1) return authError(401);
+          appendAuth = new Headers(init?.headers).get("Authorization");
+          return defaultAppendResponse();
+        }
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken,
+        sessions: { "chat-401": { publicAccessToken: "stale-pat" } },
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-401",
+        messageId: undefined,
+        messages: [createUserMessage("hi")],
+        abortSignal: undefined,
+      });
+      await drainChunks(stream);
+
+      expect(accessToken).toHaveBeenCalledWith({ chatId: "chat-401" });
+      expect(appendCount).toBe(2);
+      expect(appendAuth).toBe("Bearer fresh-pat");
+      expect(transport.getSession("chat-401")?.publicAccessToken).toBe("fresh-pat");
+    });
+  });
+
+  describe("stopGeneration", () => {
+    it("posts {kind: stop} to .in/append and returns true", async () => {
+      let stopBody: any;
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL, init?: RequestInit) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (isSessionStreamAppendUrl(urlStr)) {
+          stopBody = JSON.parse(init!.body as string);
+          return defaultAppendResponse();
+        }
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        sessions: { "chat-stop": { publicAccessToken: "p" } },
+      });
+
+      const ok = await transport.stopGeneration("chat-stop");
+      expect(ok).toBe(true);
+      expect(stopBody).toEqual({ kind: "stop" });
+    });
+
+    it("returns false when there is no session for the chatId", async () => {
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+      });
+      const ok = await transport.stopGeneration("never-started");
+      expect(ok).toBe(false);
+    });
+  });
+
+  describe("sendAction", () => {
+    it("posts an action chunk to .in/append and subscribes to .out", async () => {
+      let actionBody: any;
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL, init?: RequestInit) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (isSessionStreamAppendUrl(urlStr)) {
+          actionBody = JSON.parse(init!.body as string);
+          return defaultAppendResponse();
+        }
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        sessions: { "chat-act": { publicAccessToken: "p" } },
+      });
+
+      const stream = await transport.sendAction("chat-act", { type: "undo" });
+      await drainChunks(stream);
+
+      expect(actionBody.kind).toBe("message");
+      expect(actionBody.payload.trigger).toBe("action");
+      expect(actionBody.payload.action).toEqual({ type: "undo" });
+    });
+
+    it("marks the session streaming and notifies before subscribing", async () => {
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (isSessionStreamAppendUrl(urlStr)) return defaultAppendResponse();
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const onSessionChange = vi.fn();
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        onSessionChange,
+        sessions: { "chat-act-stream": { publicAccessToken: "p" } },
+      });
+
+      const stream = await transport.sendAction("chat-act-stream", { type: "undo" });
+      // isStreaming:true must be observed during the action — otherwise a reload
+      // mid-action sees a persisted isStreaming:false and never resumes.
+      expect(
+        onSessionChange.mock.calls.some(([, session]) => session && session.isStreaming === true)
+      ).toBe(true);
+      await drainChunks(stream);
+    });
+  });
+
+  describe("append idempotency header", () => {
+    it("the per-append X-Part-Id wins over a transport-wide headers override", async () => {
+      let appendPartId: string | undefined;
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL, init?: RequestInit) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (isSessionStreamAppendUrl(urlStr)) {
+          appendPartId = (init!.headers as Record<string, string>)["X-Part-Id"];
+          return defaultAppendResponse();
+        }
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        headers: { "X-Part-Id": "STATIC-OVERRIDE" },
+        sessions: { "chat-hdr": { publicAccessToken: "p" } },
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-hdr",
+        messageId: undefined,
+        messages: [createUserMessage("hi")],
+        abortSignal: undefined,
+      });
+      await drainChunks(stream);
+
+      expect(appendPartId).toBeDefined();
+      expect(appendPartId).not.toBe("STATIC-OVERRIDE");
+    });
+  });
+
+  describe("reconnectToStream", () => {
+    it("returns null when no session exists", async () => {
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+      });
+      const result = await transport.reconnectToStream({ chatId: "missing" });
+      expect(result).toBeNull();
+    });
+
+    it("returns null when the session is hydrated with isStreaming=false", async () => {
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        sessions: {
+          "chat-rc": { publicAccessToken: "p", isStreaming: false },
+        },
+      });
+      const result = await transport.reconnectToStream({ chatId: "chat-rc" });
+      expect(result).toBeNull();
+    });
+
+    it("opens an SSE subscription with the X-Peek-Settled header set", async () => {
+      let subscribeHeaders: Headers | undefined;
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL, init?: RequestInit) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (isSessionOutSubscribeUrl(urlStr)) {
+          subscribeHeaders = new Headers(init?.headers);
+          return defaultSseResponse();
+        }
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        sessions: {
+          "chat-rc-on": { publicAccessToken: "p", isStreaming: true },
+        },
+      });
+
+      const stream = await transport.reconnectToStream({ chatId: "chat-rc-on" });
+      expect(stream).not.toBeNull();
+      await drainChunks(stream!);
+
+      expect(subscribeHeaders?.get("X-Peek-Settled")).toBe("1");
+    });
+  });
+
+  describe("multi-tab coordination", () => {
+    it("isReadOnly defaults to false when multiTab is disabled", () => {
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+      });
+      expect(transport.isReadOnly("any-chat")).toBe(false);
+      expect(transport.hasClaim("any-chat")).toBe(false);
+    });
+  });
+
+  describe("endpoint (chat.handover routing)", () => {
+    /**
+     * Encode UIMessageChunks the same way the chat-server.ts handler
+     * does: `data: <JSON>\n\n` per chunk. The transport's
+     * `parseUIMessageSseTransform` parses this back into chunk objects.
+     */
+    function handoverSseBody(chunks: UIMessageChunk[]): ReadableStream<Uint8Array> {
+      const encoder = new TextEncoder();
+      return new ReadableStream({
+        start(controller) {
+          for (const chunk of chunks) {
+            controller.enqueue(encoder.encode(`data: ${JSON.stringify(chunk)}\n\n`));
+          }
+          controller.close();
+        },
+      });
+    }
+
+    function handoverResponse(args: {
+      chatId: string;
+      accessToken: string;
+      chunks: UIMessageChunk[];
+    }): Response {
+      return new Response(handoverSseBody(args.chunks), {
+        status: 200,
+        headers: {
+          "content-type": "text/event-stream",
+          "X-Trigger-Chat-Id": args.chatId,
+          "X-Trigger-Chat-Access-Token": args.accessToken,
+        },
+      });
+    }
+
+    it("first-turn POSTs the wire payload to endpoint when no session exists", async () => {
+      const requests: Array<{ url: string; init?: RequestInit }> = [];
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL, init?: RequestInit) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        requests.push({ url: urlStr, init });
+        if (urlStr === "https://my-app.example/api/chat") {
+          return handoverResponse({
+            chatId: "chat-handover-1",
+            accessToken: "handover-pat-1",
+            chunks: sampleChunks,
+          });
+        }
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        headStart: "https://my-app.example/api/chat",
+      });
+
+      const stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-handover-1",
+        messageId: "m1",
+        messages: [createUserMessage("hello")],
+        abortSignal: undefined,
+      });
+      const chunks = await drainChunks(stream);
+
+      // Chunks were forwarded from the handler's SSE body unchanged.
+      expect(chunks).toEqual(sampleChunks);
+
+      // Only the endpoint was called — no /api/v1/sessions, no .in/append,
+      // no .out subscribe. The handler owns first-turn end-to-end.
+      const endpointPosts = requests.filter(
+        (r) => r.url === "https://my-app.example/api/chat"
+      );
+      expect(endpointPosts).toHaveLength(1);
+      expect(requests.some((r) => isSessionCreateUrl(r.url))).toBe(false);
+      expect(requests.some((r) => isSessionStreamAppendUrl(r.url))).toBe(false);
+      expect(requests.some((r) => isSessionOutSubscribeUrl(r.url))).toBe(false);
+
+      // Body shape: head-start wire payload. Full UIMessage history is
+      // shipped via `headStartMessages` (this is the one path that still
+      // ships full history — the route handler runs against the customer's
+      // own HTTP endpoint, not /in/append, so the 512 KiB cap doesn't
+      // apply). The `message` field is omitted on this path.
+      const body = JSON.parse(endpointPosts[0]!.init!.body as string);
+      expect(body.chatId).toBe("chat-handover-1");
+      expect(body.trigger).toBe("submit-message");
+      expect(body.messageId).toBe("m1");
+      expect(body.headStartMessages).toHaveLength(1);
+      expect(body.message).toBeUndefined();
+      expect(body.messages).toBeUndefined();
+    });
+
+    it("hydrates session state from response headers so subsequent turns bypass the endpoint", async () => {
+      const requests: Array<{ url: string; init?: RequestInit }> = [];
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL, init?: RequestInit) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        requests.push({ url: urlStr, init });
+        if (urlStr === "https://my-app.example/api/chat") {
+          return handoverResponse({
+            chatId: "chat-handover-2",
+            accessToken: "handover-pat-2",
+            chunks: sampleChunks,
+          });
+        }
+        if (isSessionStreamAppendUrl(urlStr)) return defaultAppendResponse();
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const onSessionChange = vi.fn();
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "fallback-pat",
+        headStart: "https://my-app.example/api/chat",
+        onSessionChange,
+      });
+
+      // Turn 1 — POSTs to endpoint, hydrates session.
+      await drainChunks(
+        await transport.sendMessages({
+          trigger: "submit-message",
+          chatId: "chat-handover-2",
+          messageId: "m1",
+          messages: [createUserMessage("first")],
+          abortSignal: undefined,
+        })
+      );
+
+      const hydrated = transport.getSession("chat-handover-2");
+      expect(hydrated).toBeDefined();
+      expect(hydrated!.publicAccessToken).toBe("handover-pat-2");
+      expect(onSessionChange).toHaveBeenCalledWith(
+        "chat-handover-2",
+        expect.objectContaining({ publicAccessToken: "handover-pat-2" })
+      );
+
+      // Turn 2 — bypass endpoint, write directly to .in.
+      requests.length = 0;
+      const turn2Stream = await transport.sendMessages({
+        trigger: "submit-message",
+        chatId: "chat-handover-2",
+        messageId: "m2",
+        messages: [createUserMessage("second")],
+        abortSignal: undefined,
+      });
+
+      expect(requests.some((r) => r.url === "https://my-app.example/api/chat")).toBe(false);
+
+      const append = requests.find(
+        (r) => isSessionStreamAppendUrl(r.url) && r.url.endsWith("/in/append")
+      );
+      expect(append).toBeDefined();
+      expect(chatIdFromUrl(append!.url)).toBe("chat-handover-2");
+
+      // Drain after asserting append — `.out` is subscribed lazily when the
+      // returned stream is read.
+      await drainChunks(turn2Stream);
+
+      const subscribe = requests.find((r) => isSessionOutSubscribeUrl(r.url));
+      expect(subscribe).toBeDefined();
+    });
+
+    it("bypasses endpoint when a session is already hydrated (page reload after first turn)", async () => {
+      const requests: Array<{ url: string; init?: RequestInit }> = [];
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL, init?: RequestInit) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        requests.push({ url: urlStr, init });
+        if (isSessionStreamAppendUrl(urlStr)) return defaultAppendResponse();
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        headStart: "https://my-app.example/api/chat",
+        sessions: {
+          "chat-resumed": { publicAccessToken: "persisted-pat" },
+        },
+      });
+
+      await drainChunks(
+        await transport.sendMessages({
+          trigger: "submit-message",
+          chatId: "chat-resumed",
+          messageId: undefined,
+          messages: [createUserMessage("hi again")],
+          abortSignal: undefined,
+        })
+      );
+
+      expect(requests.some((r) => r.url === "https://my-app.example/api/chat")).toBe(false);
+      expect(requests.some((r) => isSessionStreamAppendUrl(r.url))).toBe(true);
+    });
+
+    it("propagates a non-2xx response from the endpoint as an error", async () => {
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (urlStr === "https://my-app.example/api/chat") {
+          return new Response(null, { status: 500, statusText: "Internal Server Error" });
+        }
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        headStart: "https://my-app.example/api/chat",
+      });
+
+      await expect(
+        transport.sendMessages({
+          trigger: "submit-message",
+          chatId: "chat-handover-err",
+          messageId: undefined,
+          messages: [createUserMessage("oops")],
+          abortSignal: undefined,
+        })
+      ).rejects.toThrow(/500/);
+    });
+
+    it("leaves the legacy direct-trigger path unchanged when endpoint is unset", async () => {
+      const requests: string[] = [];
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        requests.push(urlStr);
+        if (isSessionStreamAppendUrl(urlStr)) return defaultAppendResponse();
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse();
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        // endpoint NOT set
+        sessions: { "chat-legacy": { publicAccessToken: "p" } },
+      });
+
+      await drainChunks(
+        await transport.sendMessages({
+          trigger: "submit-message",
+          chatId: "chat-legacy",
+          messageId: undefined,
+          messages: [createUserMessage("legacy")],
+          abortSignal: undefined,
+        })
+      );
+
+      // No POST to /api/chat anywhere.
+      expect(requests.some((u) => u.endsWith("/api/chat"))).toBe(false);
+      expect(requests.some(isSessionStreamAppendUrl)).toBe(true);
+      expect(requests.some(isSessionOutSubscribeUrl)).toBe(true);
+    });
+  });
+
+  describe("watch mode", () => {
+    it("keeps the SSE open across trigger:turn-complete (multi-turn watch)", async () => {
+      const turn1: (UIMessageChunk | Record<string, unknown>)[] = [
+        { type: "text-delta", id: "p1", delta: "Hi" },
+        { type: "trigger:turn-complete" },
+        { type: "text-delta", id: "p2", delta: "Again" },
+        { type: "trigger:turn-complete" },
+      ];
+      global.fetch = vi.fn().mockImplementation(async (url: string | URL) => {
+        const urlStr = typeof url === "string" ? url : url.toString();
+        if (isSessionOutSubscribeUrl(urlStr)) return defaultSseResponse(turn1);
+        throw new Error(`Unexpected URL: ${urlStr}`);
+      });
+
+      const transport = new TriggerChatTransport({
+        task: "my-chat-task",
+        accessToken: () => "pat",
+        watch: true,
+        sessions: {
+          "chat-watch": { publicAccessToken: "p", isStreaming: true },
+        },
+      });
+
+      const stream = await transport.reconnectToStream({ chatId: "chat-watch" });
+      const surfaced = await drainChunks(stream!);
+
+      // Both trigger:turn-complete control chunks filtered; both
+      // text-deltas surfaced because watch mode kept the loop alive
+      // through the first turn-complete.
+      const textChunks = surfaced.filter((c: any) => c.type === "text-delta");
+      expect(textChunks).toHaveLength(2);
+    });
+  });
+});
diff --git a/packages/trigger-sdk/src/v3/chat.ts b/packages/trigger-sdk/src/v3/chat.ts
new file mode 100644
index 00000000000..e0d37ad7d47
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/chat.ts
@@ -0,0 +1,1553 @@
+/**
+ * @module @trigger.dev/sdk/chat
+ *
+ * Browser-safe module for AI SDK chat transport integration.
+ * Use this on the frontend with the AI SDK's `useChat` hook.
+ *
+ * For backend helpers (`chatAgent`, `pipeChat`), use `@trigger.dev/sdk/ai` instead.
+ *
+ * @example
+ * ```tsx
+ * import { useChat } from "@ai-sdk/react";
+ * import { TriggerChatTransport } from "@trigger.dev/sdk/chat";
+ *
+ * function Chat() {
+ *   const { messages, sendMessage, status } = useChat({
+ *     transport: new TriggerChatTransport({
+ *       task: "my-chat-task",
+ *       accessToken: async ({ chatId }) => fetchSessionToken(chatId),
+ *       startSession: async ({ chatId, taskId }) => createChatSession({ chatId, taskId }),
+ *     }),
+ *   });
+ * }
+ * ```
+ */
+
+import type { ChatTransport, UIMessage, UIMessageChunk, ChatRequestOptions } from "ai";
+import {
+  controlSubtype,
+  headerValue,
+  PUBLIC_ACCESS_TOKEN_HEADER,
+  SSEStreamSubscription,
+  TRIGGER_CONTROL_SUBTYPE,
+} from "@trigger.dev/core/v3";
+import { ChatTabCoordinator } from "./chat-tab-coordinator.js";
+import type { ChatInputChunk, ChatTaskWirePayload } from "./ai-shared.js";
+import { slimSubmitMessageForWire } from "./ai-shared.js";
+
+const DEFAULT_BASE_URL = "https://api.trigger.dev";
+const DEFAULT_STREAM_TIMEOUT_SECONDS = 120;
+
+/**
+ * Discriminator passed to per-endpoint `baseURL` and `fetch` callbacks.
+ *
+ * - `"in"` — `POST /realtime/v1/sessions/{chatId}/in/append` (user messages,
+ *   stops, actions).
+ * - `"out"` — `GET /realtime/v1/sessions/{chatId}/out` (SSE response stream).
+ *
+ * Other endpoints (`/api/v1/sessions`, `/api/v1/auth/jwt/claims`) are reached
+ * from the server-side `chat.createStartSessionAction` and `accessToken`
+ * callback, not the transport — they accept the same callback shape on their
+ * own option objects.
+ */
+export type ChatTransportEndpoint = "in" | "out";
+
+/** Context passed to `baseURL` and `fetch` callbacks. */
+export type ChatTransportEndpointContext = {
+  endpoint: ChatTransportEndpoint;
+  chatId: string;
+};
+
+/** Resolver form of `baseURL` — return the base for the given endpoint. */
+export type ChatBaseURLResolver = (ctx: ChatTransportEndpointContext) => string;
+
+/**
+ * Per-request fetch override. Receives the fully-resolved URL and the
+ * RequestInit the transport would have used, plus endpoint context for
+ * routing decisions. Customers can rewrite the URL, inject headers, or
+ * delegate to a custom transport (e.g. a Cloudflare worker fronting
+ * `api.trigger.dev`). Must return a `Response` semantically equivalent to
+ * what `globalThis.fetch(url, init)` would have returned.
+ */
+export type ChatFetchOverride = (
+  url: string,
+  init: RequestInit,
+  ctx: ChatTransportEndpointContext
+) => Promise<Response>;
+
+/**
+ * Detect 401/403 from realtime/input-stream calls without relying on `instanceof`
+ * (Vitest can load duplicate `@trigger.dev/core` copies, which breaks subclass checks).
+ */
+function isAuthError(error: unknown): boolean {
+  if (error === null || typeof error !== "object") return false;
+  const e = error as { name?: string; status?: number };
+  return e.name === "TriggerApiError" && (e.status === 401 || e.status === 403);
+}
+
+/**
+ * Detect a 404 from a session-PAT-authed call — i.e. the session doesn't
+ * exist in the current environment. Happens when hydrated session state
+ * (the `sessions` option / a customer's persisted record) was created in a
+ * different trigger environment, or predates the upgrade to the sessions
+ * model, so there's no real Session row behind the cached PAT.
+ */
+function isSessionNotFoundError(error: unknown): boolean {
+  if (error === null || typeof error !== "object") return false;
+  const e = error as { name?: string; status?: number };
+  return e.name === "TriggerApiError" && e.status === 404;
+}
+
+/**
+ * Parses an SSE byte/text stream of `data: <UIMessageChunk JSON>\n\n`
+ * frames back into `UIMessageChunk` objects. Used by the handover
+ * first-turn path to convert the customer's route handler response
+ * (which is AI-SDK-shaped SSE text) into the chunk form the AI SDK's
+ * `useChat` consumes from a transport.
+ *
+ * Spec-light parser — assumes well-formed `data:` events from our own
+ * `chat.handover` SSE writer. Lines starting with `:` (comments) and
+ * other event types are ignored.
+ */
+function parseUIMessageSseTransform(): TransformStream<string, UIMessageChunk> {
+  let buffer = "";
+  return new TransformStream<string, UIMessageChunk>({
+    transform(chunk, controller) {
+      buffer += chunk;
+      // Frames are separated by blank lines.
+      let idx = buffer.indexOf("\n\n");
+      while (idx !== -1) {
+        const frame = buffer.slice(0, idx);
+        buffer = buffer.slice(idx + 2);
+        for (const line of frame.split("\n")) {
+          if (line.startsWith("data: ")) {
+            const data = line.slice(6).trim();
+            if (!data) continue;
+            try {
+              controller.enqueue(JSON.parse(data) as UIMessageChunk);
+            } catch {
+              /* drop malformed chunk; the response source is our own writer */
+            }
+          }
+        }
+        idx = buffer.indexOf("\n\n");
+      }
+    },
+    flush(controller) {
+      // Trailing data without a closing blank line — treat as a final frame.
+      if (buffer.trim().length === 0) return;
+      for (const line of buffer.split("\n")) {
+        if (line.startsWith("data: ")) {
+          const data = line.slice(6).trim();
+          if (!data) continue;
+          try {
+            controller.enqueue(JSON.parse(data) as UIMessageChunk);
+          } catch {
+            /* drop */
+          }
+        }
+      }
+      buffer = "";
+    },
+  });
+}
+
+/**
+ * Arguments for the `accessToken` callback. The transport invokes this
+ * whenever it needs a fresh session-scoped PAT — initial use, and
+ * after a 401 from any session-PAT-authed request.
+ *
+ * The callback's job is to return a token, not to start a run.
+ * Customers whose implementation also creates the session (typical for
+ * `chat.createStartSessionAction` server actions) own the trigger
+ * payload server-side — they know their own user/context and don't
+ * need anything from the browser to populate `basePayload.metadata`.
+ */
+export type AccessTokenParams = {
+  /** Conversation id — same value passed to `sendMessage` / `useChat`. */
+  chatId: string;
+};
+
+/**
+ * Arguments for the `startSession` callback. The transport invokes this
+ * when it needs a session for a chatId — on `transport.preload(chatId)`,
+ * on `transport.start(chatId)`, and lazily on the first `sendMessage`
+ * for any chatId without a cached session.
+ *
+ * The callback typically wraps a server action that calls
+ * `chat.createStartSessionAction(taskId)({ chatId, clientData })`. That
+ * action is idempotent on `(env, externalId)`, so concurrent / repeat
+ * calls converge on the same session.
+ *
+ * The `clientData` field carries the transport's current `clientData`
+ * option — same value the transport merges into per-turn `metadata` on
+ * each `.in` chunk. Passing it through `startSession` makes the first
+ * run's `payload.metadata` (visible in `onPreload` / `onChatStart`)
+ * match what subsequent turns see.
+ *
+ * @typeParam TClientData – Type of the agent's `clientDataSchema` (when
+ * the transport is parameterised with `useTriggerChatTransport<typeof agent>`).
+ */
+export type StartSessionParams<TClientData = unknown> = {
+  /** The Trigger.dev task ID associated with this transport. */
+  taskId: string;
+  /** Conversation id — same value passed to `sendMessage` / `useChat`. */
+  chatId: string;
+  /**
+   * The transport's current `clientData`. Pass through to the server
+   * action's `basePayload.metadata` so the first run's `payload.metadata`
+   * matches per-turn `metadata`.
+   */
+  clientData: TClientData;
+};
+
+/**
+ * Result returned from the `startSession` callback. Carries the
+ * session-scoped PAT the transport caches and uses for every
+ * `.in/append`, `.out` SSE, and `end-and-continue` call afterward.
+ */
+export type StartSessionResult = {
+  /** Session-scoped PAT — `read:sessions:{chatId} + write:sessions:{chatId}`. */
+  publicAccessToken: string;
+};
+
+/**
+ * Public surface of {@link TriggerChatTransport}'s session state. Everything
+ * the customer should persist for resumption across page reloads. The
+ * transport addresses by `chatId` everywhere, so this is light: just a PAT,
+ * the last SSE event id, and a couple of UX-state flags.
+ */
+export type ChatSessionPersistedState = {
+  publicAccessToken: string;
+  lastEventId?: string;
+  isStreaming?: boolean;
+};
+
+/**
+ * Common options for the {@link TriggerChatTransport}.
+ *
+ * @typeParam TClientData – Type of the per-call client data merged into
+ * the wire payload via `metadata`. When the task uses `clientDataSchema`,
+ * pin this to the schema's input type for end-to-end type safety.
+ */
+export type TriggerChatTransportOptions<TClientData = unknown> = {
+  /**
+   * The Trigger.dev task ID this transport drives. Sessions created by
+   * `transport.start(chatId)` are bound to this task — every run the
+   * Session schedules invokes it. Threaded into `startSession` so the
+   * customer's server action knows which task to bind.
+   */
+  task: string;
+
+  /**
+   * Returns a fresh session-scoped PAT for an existing chat session.
+   * The transport invokes this on a 401/403 from any session-PAT-authed
+   * request — pure refresh, never creates a session.
+   *
+   * Customer implementation typically does
+   * `auth.createPublicToken({ scopes: { read: { sessions: chatId },
+   * write: { sessions: chatId } } })` server-side and returns the token.
+   *
+   * Required so the transport can recover from PAT expiry — never
+   * leaves the consumer in an unrecoverable state.
+   */
+  accessToken: (params: AccessTokenParams) => string | Promise<string>;
+
+  /**
+   * Creates (or no-ops on existing) a session for the given chatId, and
+   * returns the session-scoped PAT the transport will use afterward.
+   *
+   * Wraps a server action that calls
+   * `chat.createStartSessionAction(taskId)({ chatId, clientData })`.
+   * Customer's server controls authorization, the rest of the
+   * triggerConfig, and any atomic DB writes paired with session creation.
+   *
+   * The transport invokes this:
+   *   - when `transport.start(chatId)` / `transport.preload(chatId)` is called
+   *   - lazily on the first `sendMessage` for a chatId with no cached PAT
+   *
+   * Concurrent and repeat calls dedupe via an in-flight promise + the
+   * customer-side idempotency on `(env, externalId)`.
+   *
+   * Optional only when the customer fully manages session lifecycle
+   * externally (hydrating `sessions: { ... }` and never calling
+   * `start` / `preload`). Most customers should provide it.
+   */
+  startSession?: (
+    params: StartSessionParams<
+      TClientData extends Record<string, unknown> ? TClientData : Record<string, unknown>
+    >
+  ) => Promise<StartSessionResult>;
+
+  /**
+   * Base URL for the Trigger.dev API. Either a single string applied to every
+   * endpoint, or a function called per request that picks a base URL from the
+   * endpoint discriminator and chat ID. @default "https://api.trigger.dev"
+   *
+   * @example Route appends through a proxy, SSE direct:
+   * ```ts
+   * baseURL: ({ endpoint }) =>
+   *   endpoint === "out" ? "https://api.trigger.dev" : "https://proxy.example.com",
+   * ```
+   */
+  baseURL?: string | ChatBaseURLResolver;
+
+  /**
+   * Base URL for the SSE stream subscription only (`GET .../sessions/{chatId}/out`).
+   * @deprecated Pass a function for `baseURL` instead and branch on
+   * `endpoint === "out"`. `streamBaseURL` continues to work for backwards
+   * compatibility and wins over `baseURL` for the SSE endpoint when both
+   * are set.
+   */
+  streamBaseURL?: string;
+
+  /**
+   * Optional per-request fetch override. Called with the resolved URL and the
+   * RequestInit the transport built, plus endpoint context. Use this to
+   * inject custom headers (e.g. distributed tracing), redirect via a proxy,
+   * or wrap fetch with retries/logging.
+   *
+   * @example Add a tracing header to every chat request:
+   * ```ts
+   * fetch: (url, init, ctx) => {
+   *   init.headers = new Headers(init.headers);
+   *   init.headers.set("traceparent", currentTraceparent());
+   *   return globalThis.fetch(url, init);
+   * },
+   * ```
+   */
+  fetch?: ChatFetchOverride;
+
+  /** Additional headers included in every API request. */
+  headers?: Record<string, string>;
+
+  /**
+   * Seconds to wait for the realtime stream to produce data before timing
+   * out. @default 120
+   */
+  streamTimeoutSeconds?: number;
+
+  /**
+   * Default client data merged into every wire `metadata`. Per-call
+   * `metadata` overrides transport-level defaults.
+   */
+  clientData?: TClientData extends Record<string, unknown> ? TClientData : Record<string, unknown>;
+
+  /**
+   * Restore active session state from external storage (e.g. localStorage)
+   * after a page refresh. Hydrated entries skip the start round-trip and
+   * use their `publicAccessToken` directly. On 401, the transport
+   * invokes `accessToken` to refresh.
+   */
+  sessions?: Record<string, ChatSessionPersistedState>;
+
+  /**
+   * Called whenever a chat session's state changes. Use this to persist
+   * state for reconnection after a page refresh — `null` is passed when
+   * the session is removed.
+   */
+  onSessionChange?: (chatId: string, session: ChatSessionPersistedState | null) => void;
+
+  /**
+   * Enable multi-tab coordination. When `true`, only one tab at a time
+   * can send messages to a given chatId; other tabs go read-only.
+   *
+   * No-op when `BroadcastChannel` is unavailable. @default false
+   */
+  multiTab?: boolean;
+
+  /**
+   * Read-only "watch" mode for observing an existing chat run from the
+   * outside (e.g. a dashboard viewer). When `true`, the SSE subscription
+   * stays open across `trigger:turn-complete` so consumers see turn 2,
+   * 3, … through one long-lived stream. Pair with `sessions` hydration
+   * and `reconnectToStream` for the typical viewer flow. @default false
+   */
+  watch?: boolean;
+
+  /**
+   * Opt-in URL that gives a brand-new chat a head start: instead of
+   * waiting for the trigger.dev agent run to dequeue + boot before
+   * the first LLM call, the transport POSTs the first user message
+   * to a route handler in your warm process (Next.js, etc.) that
+   * exports `chat.handover({ agentId, run })` from
+   * `@trigger.dev/sdk/chat-server`. That handler runs `streamText`
+   * step 1 right away while the agent boots in parallel, then hands
+   * off mid-turn for tool execution (or exits clean for pure-text
+   * turns).
+   *
+   * First turn only. Subsequent turns on the same chat bypass this
+   * URL and write directly to `session.in` — the same direct-trigger
+   * path used when `headStart` is unset. Customers using `headStart`
+   * still need `accessToken` and (optionally) `startSession` for
+   * those subsequent turns.
+   *
+   * NOT a stock `useChat` "endpoint" — this is not the canonical
+   * request URL for every turn, just the warm first-turn shortcut.
+   *
+   * In benchmarks, head-starting drops first-turn TTFC roughly in
+   * half versus the direct-trigger flow (cold-start agent boot +
+   * onTurnStart hook overlap with the LLM TTFB instead of stacking
+   * before it).
+   *
+   * @default undefined (direct-trigger flow on every turn)
+   */
+  headStart?: string;
+};
+
+/**
+ * Internal state for tracking active chat sessions. Sessions are
+ * task-bound and the server is the run manager — the transport only
+ * needs to know the session-scoped PAT to address `.in/append`, `.out`,
+ * `end-and-continue`, etc.
+ * @internal
+ */
+type ChatSessionState = {
+  /** Session-scoped PAT — `read:sessions:{chatId} + write:sessions:{chatId}`. */
+  publicAccessToken: string;
+  /** Last SSE event ID — used to resume the stream without replaying old events. */
+  lastEventId?: string;
+  /** Set when the stream was aborted mid-turn (stop). On reconnect, skip chunks until trigger:turn-complete. */
+  skipToTurnComplete?: boolean;
+  /** Whether the agent is currently streaming a response. Set on first chunk, cleared on turn-complete. */
+  isStreaming?: boolean;
+};
+
+/**
+ * A custom AI SDK `ChatTransport` that runs chat completions as durable
+ * Trigger.dev tasks via the Sessions primitive.
+ *
+ * Lifecycle:
+ *   1. Customer pre-creates the session server-side OR calls
+ *      `transport.start(chatId)` to mint a one-shot start token and
+ *      `POST /api/v1/sessions` from the browser.
+ *   2. The server triggers the first run as part of session create and
+ *      returns a session-scoped PAT.
+ *   3. `sendMessages` appends to `.in` and subscribes to `.out`. When a
+ *      run dies (idle, cancel, end-and-continue), the server's
+ *      append-time probe triggers a fresh run for the same session —
+ *      transport keeps streaming.
+ *   4. `stop()` posts a `{kind:"stop"}` chunk; the agent's turn aborts
+ *      but the run keeps reading `.in` for the next message.
+ *   5. PAT expiry: transport invokes `accessToken` to refresh and
+ *      retries the failing request once.
+ */
+export class TriggerChatTransport implements ChatTransport<UIMessage> {
+  private readonly taskId: string;
+  private readonly resolveAccessToken: (params: AccessTokenParams) => string | Promise<string>;
+  private readonly resolveStartSession:
+    | ((params: StartSessionParams<Record<string, unknown>>) => Promise<StartSessionResult>)
+    | undefined;
+  private readonly resolveBaseURLFn: ChatBaseURLResolver;
+  private readonly fetchOverride: ChatFetchOverride | undefined;
+  private readonly extraHeaders: Record<string, string>;
+  private readonly streamTimeoutSeconds: number;
+  private defaultMetadata: Record<string, unknown> | undefined;
+  private readonly watchMode: boolean;
+  private readonly headStart: string | undefined;
+  private coordinator: ChatTabCoordinator | null = null;
+  private _onSessionChange:
+    | ((chatId: string, session: ChatSessionPersistedState | null) => void)
+    | undefined;
+
+  private sessions: Map<string, ChatSessionState> = new Map();
+  private activeStreams: Map<string, AbortController> = new Map();
+  private pendingStarts: Map<string, Promise<ChatSessionState>> = new Map();
+
+  constructor(options: TriggerChatTransportOptions) {
+    this.taskId = options.task;
+    this.resolveAccessToken = options.accessToken;
+    this.resolveStartSession = options.startSession as
+      | ((params: StartSessionParams<Record<string, unknown>>) => Promise<StartSessionResult>)
+      | undefined;
+    const baseURLOption = options.baseURL ?? DEFAULT_BASE_URL;
+    const streamOverride = options.streamBaseURL;
+    this.resolveBaseURLFn = typeof baseURLOption === "function"
+      ? (ctx) => (ctx.endpoint === "out" && streamOverride ? streamOverride : baseURLOption(ctx))
+      : (ctx) => (ctx.endpoint === "out" && streamOverride ? streamOverride : baseURLOption);
+    this.fetchOverride = options.fetch;
+    this.extraHeaders = options.headers ?? {};
+    this.streamTimeoutSeconds = options.streamTimeoutSeconds ?? DEFAULT_STREAM_TIMEOUT_SECONDS;
+    this.defaultMetadata = options.clientData;
+    this._onSessionChange = options.onSessionChange;
+    this.watchMode = options.watch ?? false;
+    this.headStart = options.headStart;
+
+    if (options.multiTab && !this.watchMode) {
+      this.coordinator = new ChatTabCoordinator();
+      this.coordinator.addSessionListener((chatId, sessionUpdate) => {
+        const session = this.sessions.get(chatId);
+        if (session && sessionUpdate.lastEventId) {
+          session.lastEventId = sessionUpdate.lastEventId;
+        }
+      });
+    }
+
+    if (options.sessions) {
+      for (const [chatId, session] of Object.entries(options.sessions)) {
+        this.sessions.set(chatId, {
+          publicAccessToken: session.publicAccessToken,
+          lastEventId: session.lastEventId,
+          isStreaming: session.isStreaming,
+        });
+      }
+    }
+  }
+
+  // -------------------------------------------------------------------------
+  // Public lifecycle
+  // -------------------------------------------------------------------------
+
+  /**
+   * Eagerly create a Session and trigger its first run. Useful as a
+   * "the user might be about to send a message — boot the agent now"
+   * preload, or to take ownership of the session before any sendMessage.
+   *
+   * Idempotent: calling `start(chatId)` twice converges to the same
+   * session via the `(env, externalId)` upsert. Concurrent calls
+   * deduplicate via an in-flight promise.
+   *
+   * Requires `getStartToken` to be configured. Customers who pre-create
+   * sessions server-side don't need to call this.
+   */
+  async start(chatId: string): Promise<ChatSessionPersistedState> {
+    const existing = this.sessions.get(chatId);
+    if (existing?.publicAccessToken) {
+      return this.toPersisted(existing);
+    }
+
+    const inflight = this.pendingStarts.get(chatId);
+    if (inflight) return inflight.then(this.toPersisted);
+
+    const promise = this.doStart(chatId).finally(() => {
+      this.pendingStarts.delete(chatId);
+    });
+    this.pendingStarts.set(chatId, promise);
+    return promise.then(this.toPersisted);
+  }
+
+  /**
+   * Eagerly create the session before the user types. Same semantics as
+   * {@link start} — kept as a separate name for the AI SDK Chat hook,
+   * which calls `preload` rather than `start`.
+   */
+  async preload(chatId: string): Promise<void> {
+    await this.start(chatId);
+  }
+
+  /**
+   * Send a user message via the session's `.in` channel. The server
+   * probes `currentRunId`; if terminal/null it triggers a fresh run on
+   * the same session before the append lands. The returned
+   * `ReadableStream` carries the agent's response chunks via `.out` SSE.
+   */
+  sendMessages = async (
+    options: {
+      trigger: "submit-message" | "regenerate-message";
+      chatId: string;
+      messageId: string | undefined;
+      messages: UIMessage[];
+      abortSignal: AbortSignal | undefined;
+    } & ChatRequestOptions
+  ): Promise<ReadableStream<UIMessageChunk>> => {
+    const { trigger, chatId, messageId, messages, abortSignal, body, metadata } = options;
+
+    if (this.coordinator) {
+      if (this.coordinator.isReadOnly(chatId)) {
+        throw new Error("This chat is active in another tab");
+      }
+      this.coordinator.claim(chatId);
+    }
+
+    const mergedMetadata =
+      this.defaultMetadata || metadata
+        ? { ...(this.defaultMetadata ?? {}), ...((metadata as Record<string, unknown>) ?? {}) }
+        : undefined;
+
+    // First-turn handover routing — when `headStart` is set AND no
+    // session state exists yet for this chatId, POST the wire payload
+    // to the customer's `chat.handover` route handler. The handler
+    // creates the session, triggers the agent run with
+    // `handover-prepare`, runs `streamText` step 1 in its warm
+    // process, and tees the output back as the SSE response. We
+    // hydrate session state from the response headers so subsequent
+    // turns bypass the handler and use direct `session.in` writes.
+    if (this.headStart && !this.sessions.has(chatId)) {
+      return this.sendMessagesViaHandover({
+        trigger,
+        chatId,
+        messageId,
+        messages,
+        abortSignal,
+        body,
+        metadata: mergedMetadata,
+      });
+    }
+
+    // Slim wire — at most ONE message per record. The agent rebuilds prior
+    // history from its durable S3 snapshot + session.out replay at run boot
+    // (or `hydrateMessages`, if registered).
+    //
+    //   - "submit-message": ship the latest message (new user message OR a
+    //     tool-approval-responded assistant message). Throw if absent.
+    //     Assistant messages with already-resolved tool parts are slimmed
+    //     to just their resolution payload — reasoning blobs, prior text,
+    //     and tool `input` stay on the agent side (rebuilt from snapshot
+    //     or `hydrateMessages`). Keeps continuation payloads under the
+    //     `.in/append` cap on reasoning-heavy turns.
+    //   - "regenerate-message": omit `message`; the agent slices its own
+    //     history (drops the trailing assistant) and re-runs.
+    if (trigger === "submit-message" && messages.length === 0) {
+      throw new Error(
+        "TriggerChatTransport.sendMessages: 'submit-message' trigger requires at least one message"
+      );
+    }
+    const wirePayload: ChatTaskWirePayload = {
+      ...((body as Record<string, unknown>) ?? {}),
+      ...(trigger === "submit-message"
+        ? { message: slimSubmitMessageForWire(messages.at(-1)) }
+        : {}),
+      chatId,
+      trigger,
+      messageId,
+      metadata: mergedMetadata,
+    };
+
+    const state = await this.ensureSessionState(chatId);
+
+    // Generated outside the closure so auth-retries reuse the same part id
+    // and the server-side dedupe sees one logical append.
+    const partId = crypto.randomUUID();
+    const sendChatMessage = async (token: string) => {
+      await this.appendInputChunk(
+        chatId,
+        token,
+        this.serializeInputChunk({ kind: "message", payload: wirePayload }),
+        partId
+      );
+    };
+
+    await this.callWithAuthRetry(chatId, state, sendChatMessage);
+
+    // Cancel any in-flight stream for this chat — the new turn supersedes it.
+    const activeStream = this.activeStreams.get(chatId);
+    if (activeStream) {
+      activeStream.abort();
+      this.activeStreams.delete(chatId);
+    }
+
+    state.isStreaming = true;
+    this.notifySessionChange(chatId, state);
+
+    return this.subscribeToSessionStream(state, abortSignal, chatId);
+  };
+
+  /**
+   * First-turn-only path used when `headStart` is configured. POSTs the
+   * wire payload to the customer's `chat.handover` route handler and
+   * pipes its SSE response back as a UIMessageChunk stream. Hydrates
+   * session state from response headers so subsequent turns bypass
+   * the endpoint and use the direct `session.in` path.
+   */
+  private async sendMessagesViaHandover(args: {
+    trigger: "submit-message" | "regenerate-message";
+    chatId: string;
+    messageId: string | undefined;
+    messages: UIMessage[];
+    abortSignal: AbortSignal | undefined;
+    body: ChatRequestOptions["body"];
+    metadata: Record<string, unknown> | undefined;
+  }): Promise<ReadableStream<UIMessageChunk>> {
+    if (!this.headStart) {
+      throw new Error("sendMessagesViaHandover called without headStart configured");
+    }
+
+    // Head-start ships full UIMessage history via `headStartMessages`. The
+    // route handler runs on the customer's own HTTP endpoint (NOT
+    // `/realtime/v1/sessions/{id}/in/append`), so the 512 KiB body cap
+    // doesn't apply. The agent's run boot consumes `headStartMessages` ONLY
+    // when no snapshot exists yet (very first turn) — see plan section B.3.
+    const wirePayload: ChatTaskWirePayload = {
+      ...((args.body as Record<string, unknown>) ?? {}),
+      headStartMessages: args.messages,
+      chatId: args.chatId,
+      trigger: args.trigger,
+      messageId: args.messageId,
+      metadata: args.metadata,
+    };
+
+    const response = await fetch(this.headStart, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...this.extraHeaders,
+      },
+      body: JSON.stringify(wirePayload),
+      signal: args.abortSignal,
+    });
+
+    if (!response.ok) {
+      throw new Error(
+        `chat.handover endpoint returned ${response.status} ${response.statusText}`
+      );
+    }
+    if (!response.body) {
+      throw new Error("chat.handover endpoint returned no response body");
+    }
+
+    // Hydrate session state from response headers so subsequent turns
+    // skip the endpoint and write directly to session.in. Failing fast
+    // when the header is missing avoids a quiet degraded state where
+    // every later turn re-runs the handover route instead of taking
+    // the slim-wire path.
+    const accessToken = response.headers.get("X-Trigger-Chat-Access-Token");
+    const chatId = args.chatId;
+    if (!accessToken) {
+      throw new Error(
+        "chat.handover response is missing the X-Trigger-Chat-Access-Token header. chat.agent's handover endpoint must echo the session PAT so the transport can hydrate."
+      );
+    }
+    const state: ChatSessionState = {
+      publicAccessToken: accessToken,
+      isStreaming: true,
+    };
+    this.sessions.set(chatId, state);
+    this.notifySessionChange(chatId, state);
+
+    // Filter the parsed UIMessage stream:
+    //   - Drop control chunks (`trigger:turn-complete`,
+    //     `trigger:session-state`) before they reach AI SDK — they
+    //     aren't valid UIMessageChunks and the AI SDK chunk parser
+    //     would reject them.
+    //   - On `trigger:turn-complete`, clear `isStreaming` so the
+    //     useChat resume / reconnectToStream path doesn't open a
+    //     second `session.out` subscription on top of our stitched
+    //     response.
+    //   - On `trigger:session-state`, hydrate `state.lastEventId`
+    //     with the agent's final S2 event id. Without this, turn 2's
+    //     `session.out` subscribe reads from the start and replays
+    //     turn 1's chunks back into the UI.
+    //   - On stream end (handover-skip case — no
+    //     `trigger:turn-complete` arrives, customer's stream just
+    //     ends), also clear `isStreaming` for the same reason.
+    const sessions = this.sessions;
+    const notifyChange = (id: string, state: ChatSessionState) =>
+      this.notifySessionChange(id, state);
+    const TRIGGER_TURN_COMPLETE = "trigger:turn-complete";
+    const TRIGGER_SESSION_STATE = "trigger:session-state";
+    const clearStreaming = () => {
+      const state = sessions.get(chatId);
+      if (state && state.isStreaming) {
+        state.isStreaming = false;
+        notifyChange(chatId, state);
+      }
+    };
+    const setLastEventId = (lastEventId: string) => {
+      const state = sessions.get(chatId);
+      if (state) {
+        state.lastEventId = lastEventId;
+        notifyChange(chatId, state);
+      }
+    };
+
+    return response.body
+      .pipeThrough(new TextDecoderStream())
+      .pipeThrough(parseUIMessageSseTransform())
+      .pipeThrough(
+        new TransformStream<UIMessageChunk, UIMessageChunk>({
+          transform(chunk, controller) {
+            if (chunk && typeof chunk === "object") {
+              const type = (chunk as { type?: unknown }).type;
+              if (type === TRIGGER_TURN_COMPLETE) {
+                clearStreaming();
+                return; // drop — not a real UIMessageChunk
+              }
+              if (type === TRIGGER_SESSION_STATE) {
+                const lastEventId = (chunk as { lastEventId?: unknown }).lastEventId;
+                if (typeof lastEventId === "string") {
+                  setLastEventId(lastEventId);
+                }
+                return; // drop
+              }
+            }
+            controller.enqueue(chunk);
+          },
+          flush() {
+            clearStreaming();
+          },
+        })
+      );
+  }
+
+  /**
+   * Send a steering message during an active stream without disrupting
+   * it. The agent's `pendingMessages` config decides whether to inject
+   * between tool-call steps or buffer for the next turn.
+   */
+  sendPendingMessage = async (
+    chatId: string,
+    message: UIMessage,
+    metadata?: Record<string, unknown>
+  ): Promise<boolean> => {
+    const state = this.sessions.get(chatId);
+    if (!state) return false;
+
+    const mergedMetadata =
+      this.defaultMetadata || metadata
+        ? { ...(this.defaultMetadata ?? {}), ...(metadata ?? {}) }
+        : undefined;
+
+    const wirePayload: ChatTaskWirePayload = {
+      message,
+      chatId,
+      trigger: "submit-message" as const,
+      metadata: mergedMetadata,
+    };
+
+    const partId = crypto.randomUUID();
+    const send = async (token: string) => {
+      await this.appendInputChunk(
+        chatId,
+        token,
+        this.serializeInputChunk({ kind: "message", payload: wirePayload }),
+        partId
+      );
+    };
+
+    try {
+      await this.callWithAuthRetry(chatId, state, send);
+      return true;
+    } catch {
+      return false;
+    }
+  };
+
+  /**
+   * Re-establish an SSE subscription to a known session. Used after a
+   * page refresh: the customer hydrates `sessions` in the constructor,
+   * the AI SDK calls `reconnectToStream` to resume the stream.
+   */
+  reconnectToStream = async (
+    options: {
+      chatId: string;
+      abortSignal?: AbortSignal | undefined;
+    } & ChatRequestOptions
+  ): Promise<ReadableStream<UIMessageChunk> | null> => {
+    const state = this.sessions.get(options.chatId);
+    if (!state) return null;
+
+    if (state.isStreaming === false) return null;
+    if (this.activeStreams.has(options.chatId)) return null;
+
+    const abortController = new AbortController();
+    this.activeStreams.set(options.chatId, abortController);
+
+    const abortSignal = options.abortSignal
+      ? AbortSignal.any([options.abortSignal, abortController.signal])
+      : abortController.signal;
+
+    return this.subscribeToSessionStream(state, abortSignal, options.chatId, {
+      sendStopOnAbort: !!options.abortSignal,
+      // Reconnect-on-reload opts into the server's settled-peek shortcut
+      // so the SSE doesn't hang for 60s when no turn is in flight. Active
+      // send-a-message paths must keep wait=60 to avoid racing the
+      // freshly-triggered turn's first chunk.
+      peekSettled: true,
+    });
+  };
+
+  /**
+   * Stop the current generation. Sends `{kind:"stop"}` on `.in`; the
+   * agent aborts its `streamText` call but stays alive for the next
+   * message.
+   */
+  stopGeneration = async (chatId: string): Promise<boolean> => {
+    const state = this.sessions.get(chatId);
+    if (!state) return false;
+
+    const partId = crypto.randomUUID();
+    const send = async (token: string) => {
+      await this.appendInputChunk(
+        chatId,
+        token,
+        this.serializeInputChunk({ kind: "stop" }),
+        partId
+      );
+    };
+
+    try {
+      await this.callWithAuthRetry(chatId, state, send);
+    } catch {
+      return false;
+    }
+
+    state.skipToTurnComplete = true;
+
+    const activeStream = this.activeStreams.get(chatId);
+    if (activeStream) {
+      activeStream.abort();
+      this.activeStreams.delete(chatId);
+    }
+
+    // The turn won't reach its turn-complete on this client (we just
+    // aborted the reader), so clear the streaming flag here and persist —
+    // otherwise a reload resumes mid-turn and replays the chunks the user
+    // explicitly stopped.
+    state.isStreaming = false;
+    this.notifySessionChange(chatId, state);
+    return true;
+  };
+
+  /**
+   * Send a custom action chunk (for `chat.agent`'s `actionSchema` /
+   * `onAction` hook). Actions are not turns — only `hydrateMessages`
+   * and `onAction` fire on the agent side. The returned stream
+   * carries any model response `onAction` produced (when it returns a
+   * `StreamTextResult`); for `void`-returning side-effect-only actions
+   * the stream completes immediately with `trigger:turn-complete`.
+   */
+  sendAction = async (
+    chatId: string,
+    action: unknown
+  ): Promise<ReadableStream<UIMessageChunk>> => {
+    if (this.coordinator) {
+      if (this.coordinator.isReadOnly(chatId)) {
+        throw new Error("This chat is active in another tab");
+      }
+      this.coordinator.claim(chatId);
+    }
+
+    const state = await this.ensureSessionState(chatId);
+
+    const wirePayload: ChatTaskWirePayload = {
+      chatId,
+      trigger: "action" as const,
+      action,
+      metadata: this.defaultMetadata ?? undefined,
+    };
+
+    const body = this.serializeInputChunk({ kind: "message", payload: wirePayload });
+    const partId = crypto.randomUUID();
+    const send = async (token: string) => {
+      await this.appendInputChunk(chatId, token, body, partId);
+    };
+
+    await this.callWithAuthRetry(chatId, state, send);
+
+    // Supersede any in-flight reader before subscribing — same as
+    // `sendMessages`. Two concurrent readers both write `state.lastEventId`
+    // and the slower one can regress the cursor, replaying records on the
+    // next reconnect.
+    const activeStream = this.activeStreams.get(chatId);
+    if (activeStream) {
+      activeStream.abort();
+      this.activeStreams.delete(chatId);
+    }
+
+    // Mark streaming + persist so a reload mid-action resumes (reconnectToStream
+    // no-ops when the persisted session says isStreaming: false).
+    state.isStreaming = true;
+    this.notifySessionChange(chatId, state);
+
+    return this.subscribeToSessionStream(state, undefined, chatId);
+  };
+
+  // -------------------------------------------------------------------------
+  // External-state surface
+  // -------------------------------------------------------------------------
+
+  getSession = (chatId: string): ChatSessionPersistedState | undefined => {
+    const state = this.sessions.get(chatId);
+    if (!state) return undefined;
+    return this.toPersisted(state);
+  };
+
+  setSession(chatId: string, session: ChatSessionPersistedState): void {
+    this.sessions.set(chatId, {
+      publicAccessToken: session.publicAccessToken,
+      lastEventId: session.lastEventId,
+      isStreaming: session.isStreaming,
+    });
+    this.notifySessionChange(chatId, this.toPersisted(this.sessions.get(chatId)!));
+  }
+
+  setOnSessionChange(
+    callback: ((chatId: string, session: ChatSessionPersistedState | null) => void) | undefined
+  ): void {
+    this._onSessionChange = callback;
+  }
+
+  /**
+   * Update the transport's `clientData`. Used by `useTriggerChatTransport`
+   * to keep the latest value reachable from inside `startSession` and
+   * the per-turn `metadata` merge without recreating the transport.
+   *
+   * Reads always go through the live field — closures around the
+   * transport see the latest value the next time they fire.
+   */
+  setClientData(clientData: Record<string, unknown> | undefined): void {
+    this.defaultMetadata = clientData;
+  }
+
+  // -------------------------------------------------------------------------
+  // Multi-tab coordination passthrough
+  // -------------------------------------------------------------------------
+
+  isReadOnly(chatId: string): boolean {
+    return this.coordinator?.isReadOnly(chatId) ?? false;
+  }
+  hasClaim(chatId: string): boolean {
+    return this.coordinator?.hasClaim(chatId) ?? false;
+  }
+  addReadOnlyListener(fn: (chatId: string, isReadOnly: boolean) => void): void {
+    this.coordinator?.addListener(fn);
+  }
+  removeReadOnlyListener(fn: (chatId: string, isReadOnly: boolean) => void): void {
+    this.coordinator?.removeListener(fn);
+  }
+  broadcastMessages(chatId: string, messages: unknown[]): void {
+    this.coordinator?.broadcastMessages(chatId, messages);
+  }
+  addMessagesListener(fn: (chatId: string, messages: unknown[]) => void): void {
+    this.coordinator?.addMessagesListener(fn);
+  }
+  removeMessagesListener(fn: (chatId: string, messages: unknown[]) => void): void {
+    this.coordinator?.removeMessagesListener(fn);
+  }
+  dispose(): void {
+    // Tear down any open session.out subscriptions before the coordinator
+    // goes away. Otherwise controllers in `activeStreams` keep reading
+    // until they time out, leaking network and memory on every
+    // unmount/navigation.
+    for (const controller of this.activeStreams.values()) {
+      controller.abort();
+    }
+    this.activeStreams.clear();
+    this.coordinator?.dispose();
+    this.coordinator = null;
+  }
+
+  // -------------------------------------------------------------------------
+  // Internal helpers
+  // -------------------------------------------------------------------------
+
+  private serializeInputChunk(chunk: ChatInputChunk): string {
+    return JSON.stringify(chunk);
+  }
+
+  private toPersisted = (state: ChatSessionState): ChatSessionPersistedState => ({
+    publicAccessToken: state.publicAccessToken,
+    lastEventId: state.lastEventId,
+    isStreaming: state.isStreaming,
+  });
+
+  private notifySessionChange(chatId: string, session: ChatSessionState | null): void {
+    if (!this._onSessionChange) return;
+    this._onSessionChange(chatId, session ? this.toPersisted(session) : null);
+  }
+
+  /**
+   * Resolves the session state for a chatId, starting the session if
+   * needed (and `getStartToken` is configured). Customers who provide
+   * `accessToken` but no `getStartToken` are expected to have created
+   * the session server-side; in that case the first `accessToken` call
+   * returns a fresh session PAT.
+   */
+  private async ensureSessionState(chatId: string): Promise<ChatSessionState> {
+    const existing = this.sessions.get(chatId);
+    if (existing?.publicAccessToken) return existing;
+
+    if (this.resolveStartSession) {
+      // Lazily start: customer's server action creates the session and
+      // returns a PAT. Idempotent on `(env, externalId)` so concurrent
+      // tabs / repeat calls converge to the same session.
+      const inflight = this.pendingStarts.get(chatId);
+      if (inflight) return inflight;
+      const promise = this.doStart(chatId).finally(() => {
+        this.pendingStarts.delete(chatId);
+      });
+      this.pendingStarts.set(chatId, promise);
+      return promise;
+    }
+
+    // No `startSession` configured. Customer fully manages session
+    // lifecycle externally — they're expected to have hydrated
+    // `sessions: { ... }` already, or the very first `accessToken` call
+    // returns a PAT for an out-of-band-created session.
+    const token = await this.resolveAccessToken({ chatId });
+    const state: ChatSessionState = { publicAccessToken: token };
+    this.sessions.set(chatId, state);
+    this.notifySessionChange(chatId, state);
+    return state;
+  }
+
+  private async doStart(chatId: string): Promise<ChatSessionState> {
+    if (!this.resolveStartSession) {
+      throw new Error(
+        "TriggerChatTransport: `startSession` is required to call `start()` / `preload()`. Either provide it or pre-hydrate the session via `sessions: { ... }`."
+      );
+    }
+
+    const { publicAccessToken } = await this.resolveStartSession({
+      taskId: this.taskId,
+      chatId,
+      clientData: (this.defaultMetadata ?? {}) as Record<string, unknown>,
+    });
+
+    const state: ChatSessionState = {
+      publicAccessToken,
+      isStreaming: false,
+    };
+    this.sessions.set(chatId, state);
+    this.notifySessionChange(chatId, state);
+    return state;
+  }
+
+  /**
+   * Run `op` with the session's stored PAT. On 401/403, refresh the PAT
+   * via `accessToken` and retry once. Surfaces non-auth errors as-is.
+   */
+  private resolveBaseURL(ctx: ChatTransportEndpointContext): string {
+    const raw = this.resolveBaseURLFn(ctx);
+    return raw.replace(/\/$/, "");
+  }
+
+  private async doFetch(
+    ctx: ChatTransportEndpointContext,
+    url: string,
+    init: RequestInit
+  ): Promise<Response> {
+    return this.fetchOverride ? this.fetchOverride(url, init, ctx) : fetch(url, init);
+  }
+
+  private async appendInputChunk(
+    chatId: string,
+    token: string,
+    body: string,
+    partId?: string
+  ): Promise<void> {
+    const ctx: ChatTransportEndpointContext = { endpoint: "in", chatId };
+    const url = `${this.resolveBaseURL(ctx)}/realtime/v1/sessions/${encodeURIComponent(chatId)}/in/append`;
+    // extraHeaders first so the fixed headers below win — a transport-wide
+    // X-Part-Id must not override the per-append idempotency key.
+    const headers: Record<string, string> = {
+      ...this.extraHeaders,
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${token}`,
+      "x-trigger-source": "sdk",
+      "X-Part-Id": partId ?? crypto.randomUUID(),
+    };
+    const response = await this.doFetch(ctx, url, { method: "POST", headers, body });
+    if (!response.ok) {
+      const text = await response.text().catch(() => "");
+      const err = new Error(`appendToSessionStream failed: ${response.status} ${text}`) as Error & {
+        name: string;
+        status: number;
+      };
+      err.name = "TriggerApiError";
+      err.status = response.status;
+      throw err;
+    }
+  }
+
+  private async callWithAuthRetry(
+    chatId: string,
+    state: ChatSessionState,
+    op: (token: string) => Promise<void>
+  ): Promise<void> {
+    // 1) Try with the current PAT.
+    try {
+      await op(state.publicAccessToken);
+      return;
+    } catch (err) {
+      if (isSessionNotFoundError(err)) {
+        // The cached PAT authenticated but the session doesn't exist here —
+        // recreate it and retry.
+        await this.recreateSession(chatId, state);
+        await op(state.publicAccessToken);
+        return;
+      }
+      if (!isAuthError(err)) throw err;
+    }
+
+    // 2) Auth error — refresh the PAT and retry. (A cross-environment cached
+    //    PAT fails auth here because it was signed by another env's keys.)
+    const fresh = await this.resolveAccessToken({ chatId });
+    state.publicAccessToken = fresh;
+    this.notifySessionChange(chatId, state);
+    try {
+      await op(fresh);
+      return;
+    } catch (err) {
+      if (!isSessionNotFoundError(err)) throw err;
+    }
+
+    // 3) PAT is now valid but the session still 404s — the hydrated session
+    //    state is stale (created in a different environment, or before the
+    //    sessions upgrade). Recreate the session and retry once.
+    await this.recreateSession(chatId, state);
+    await op(state.publicAccessToken);
+  }
+
+  /**
+   * Repair a stale/phantom hydrated session. The cached state pointed at a
+   * session that doesn't exist in the current environment (404) — typically
+   * because it was persisted against a different trigger environment, or
+   * predates the upgrade to the sessions model. Recreate the session via
+   * `startSession` and overwrite the cached state **in place** so callers
+   * holding a reference (e.g. `sendMessages` before it opens the SSE) pick
+   * up the new PAT. The stale `lastEventId` resume cursor is dropped — it
+   * pointed at a different environment's stream.
+   */
+  private async recreateSession(chatId: string, state: ChatSessionState): Promise<void> {
+    if (!this.resolveStartSession) {
+      throw new Error(
+        "TriggerChatTransport: session not found and no `startSession` configured to recreate it. The stored session state for this chat may be stale (e.g. created in a different environment) — provide `startSession` or clear the stored session so a fresh one can be created."
+      );
+    }
+    const { publicAccessToken } = await this.resolveStartSession({
+      taskId: this.taskId,
+      chatId,
+      clientData: (this.defaultMetadata ?? {}) as Record<string, unknown>,
+    });
+    state.publicAccessToken = publicAccessToken;
+    state.lastEventId = undefined;
+    state.isStreaming = false;
+    this.sessions.set(chatId, state);
+    this.notifySessionChange(chatId, state);
+  }
+
+  /**
+   * Open an SSE subscription to the session's `.out` stream and pipe
+   * UIMessageChunks through to the AI SDK. Trigger control records
+   * (`turn-complete`, `upgrade-required` — see `trigger-control` header
+   * on `client-protocol.mdx#records-on-session-out`) are routed by
+   * header and never reach the consumer. `upgrade-required` is purely
+   * telemetry now since the server handles the run swap inline (see
+   * `end-and-continue`).
+   */
+  private subscribeToSessionStream(
+    state: ChatSessionState,
+    abortSignal: AbortSignal | undefined,
+    chatId: string,
+    options?: {
+      sendStopOnAbort?: boolean;
+      peekSettled?: boolean;
+    }
+  ): ReadableStream<UIMessageChunk> {
+    const internalAbort = new AbortController();
+    this.activeStreams.set(chatId, internalAbort);
+    const combinedSignal = abortSignal
+      ? AbortSignal.any([abortSignal, internalAbort.signal])
+      : internalAbort.signal;
+
+    if (abortSignal) {
+      abortSignal.addEventListener(
+        "abort",
+        () => {
+          if (options?.sendStopOnAbort !== false) {
+            state.skipToTurnComplete = true;
+            this.appendInputChunk(
+              chatId,
+              state.publicAccessToken,
+              this.serializeInputChunk({ kind: "stop" })
+            ).catch(() => {});
+          }
+          internalAbort.abort();
+        },
+        { once: true }
+      );
+    }
+
+    const streamUrl = `${this.resolveBaseURL({ endpoint: "out", chatId })}/realtime/v1/sessions/${encodeURIComponent(chatId)}/out`;
+
+    return new ReadableStream<UIMessageChunk>({
+      start: async (controller) => {
+        // Track the live subscription so browser wake events can act
+        // on it. Three classes of wake:
+        //   - `online`: network came back. Existing connection might
+        //     be silently dead; force a fresh one.
+        //   - `visibilitychange` → visible after long hidden: tab
+        //     was backgrounded long enough that the OS likely killed
+        //     the TCP socket. Force reconnect.
+        //   - `visibilitychange` → visible after short hidden: cheap
+        //     wake of any in-flight backoff.
+        //   - `pageshow` with `event.persisted`: bfcache restore
+        //     (mobile Safari back/forward, app-switcher resume). The
+        //     socket is definitely dead. Force reconnect.
+        let currentSubscription: SSEStreamSubscription | null = null;
+        let hiddenSince: number | null = null;
+        const FORCE_RECONNECT_AFTER_HIDDEN_MS = 30_000;
+
+        const onVisibilityChange = () => {
+          if (typeof document === "undefined") return;
+          if (document.visibilityState === "hidden") {
+            hiddenSince = Date.now();
+            return;
+          }
+          const wasHiddenForMs = hiddenSince ? Date.now() - hiddenSince : 0;
+          hiddenSince = null;
+          if (wasHiddenForMs >= FORCE_RECONNECT_AFTER_HIDDEN_MS) {
+            currentSubscription?.forceReconnect();
+          } else {
+            currentSubscription?.retryNow();
+          }
+        };
+
+        const onPageShow = (event: Event) => {
+          // PageTransitionEvent in browsers; type guard via `persisted`.
+          if ((event as PageTransitionEvent).persisted) {
+            currentSubscription?.forceReconnect();
+          }
+        };
+
+        const onOnline = () => currentSubscription?.forceReconnect();
+
+        const teardownWakeListeners =
+          typeof document !== "undefined" && typeof window !== "undefined"
+            ? (() => {
+                document.addEventListener("visibilitychange", onVisibilityChange);
+                window.addEventListener("online", onOnline);
+                window.addEventListener("pageshow", onPageShow);
+                return () => {
+                  document.removeEventListener("visibilitychange", onVisibilityChange);
+                  window.removeEventListener("online", onOnline);
+                  window.removeEventListener("pageshow", onPageShow);
+                };
+              })()
+            : () => {};
+
+        const sseCtx: ChatTransportEndpointContext = { endpoint: "out", chatId };
+        const fetchOverride = this.fetchOverride;
+        const sseFetchClient: typeof fetch | undefined = fetchOverride
+          ? ((input, init) => {
+              if (typeof input === "string") {
+                return fetchOverride(input, init ?? {}, sseCtx);
+              }
+              if (input instanceof URL) {
+                return fetchOverride(input.toString(), init ?? {}, sseCtx);
+              }
+              // Request — preserve its url + intrinsic init, let any
+              // provided init override on top (matches fetch(Request, init)
+              // semantics).
+              return fetchOverride(
+                input.url,
+                {
+                  method: input.method,
+                  headers: input.headers,
+                  signal: input.signal,
+                  ...(init ?? {}),
+                },
+                sseCtx
+              );
+            }) as typeof fetch
+          : undefined;
+        const connectSseOnce = async (token: string) => {
+          const subscription = new SSEStreamSubscription(streamUrl, {
+            headers: {
+              Authorization: `Bearer ${token}`,
+              ...this.extraHeaders,
+              ...(options?.peekSettled ? { "X-Peek-Settled": "1" } : {}),
+            },
+            signal: combinedSignal,
+            timeoutInSeconds: this.streamTimeoutSeconds,
+            lastEventId: state.lastEventId,
+            // Catch silent-dead-socket: if no chunk (or server
+            // keepalive) arrives in 60s, force reconnect. Sized
+            // generously over typical agent thinking pauses.
+            stallTimeoutMs: 60_000,
+            fetchClient: sseFetchClient,
+          });
+          currentSubscription = subscription;
+          const sseStream = await subscription.subscribe();
+          const reader = sseStream.getReader();
+          try {
+            const first = await reader.read();
+            if (first.done) {
+              reader.releaseLock();
+              return null;
+            }
+            return { reader, primed: first.value };
+          } catch (readErr) {
+            reader.releaseLock();
+            throw readErr;
+          }
+        };
+
+        try {
+          let reader: ReadableStreamDefaultReader<{
+            id: string;
+            chunk: unknown;
+            timestamp: number;
+          }>;
+          let primed: { id: string; chunk: unknown; timestamp: number } | undefined;
+
+          try {
+            const opened = await connectSseOnce(state.publicAccessToken);
+            if (opened === null) {
+              controller.close();
+              return;
+            }
+            reader = opened.reader;
+            primed = opened.primed;
+          } catch (e) {
+            if (isAuthError(e)) {
+              const fresh = await this.resolveAccessToken({ chatId });
+              state.publicAccessToken = fresh;
+              this.notifySessionChange(chatId, state);
+              const opened = await connectSseOnce(fresh);
+              if (opened === null) {
+                controller.close();
+                return;
+              }
+              reader = opened.reader;
+              primed = opened.primed;
+            } else {
+              throw e;
+            }
+          }
+
+          while (true) {
+            let value: {
+              id: string;
+              chunk: unknown;
+              timestamp: number;
+              headers?: ReadonlyArray<readonly [string, string]>;
+            };
+            if (primed !== undefined) {
+              value = primed;
+              primed = undefined;
+            } else {
+              const next = await reader.read();
+              if (next.done) {
+                controller.close();
+                return;
+              }
+              value = next.value;
+            }
+
+            if (combinedSignal.aborted) {
+              internalAbort.abort();
+              await reader.cancel();
+              controller.close();
+              return;
+            }
+
+            if (value.id) state.lastEventId = value.id;
+
+            // Trigger control record (turn-complete, upgrade-required) —
+            // routed by header, body is empty. Detect via the
+            // `trigger-control` header on the SSE record. Data records
+            // (UIMessageChunks) fall through to the chunk path below.
+            //
+            // Cross-version bridge: a customer who redeploys their
+            // Next.js app (new browser SDK) before their next
+            // `trigger deploy` (old agent SDK still writing turn-complete
+            // / upgrade-required as `chunk.type` data records) would
+            // otherwise hang. Fall back to the legacy chunk-type form
+            // when no header is present so the deploy-skew window
+            // closes turns correctly.
+            let controlValue = controlSubtype(value.headers);
+            let legacyChunk:
+              | { type?: string; publicAccessToken?: string }
+              | undefined;
+            if (!controlValue && value.chunk && typeof value.chunk === "object") {
+              const chunk = value.chunk as { type?: unknown; publicAccessToken?: unknown };
+              if (chunk.type === "trigger:turn-complete") {
+                controlValue = TRIGGER_CONTROL_SUBTYPE.TURN_COMPLETE;
+                legacyChunk = chunk as { type?: string; publicAccessToken?: string };
+              } else if (chunk.type === "trigger:upgrade-required") {
+                controlValue = TRIGGER_CONTROL_SUBTYPE.UPGRADE_REQUIRED;
+              } else if (typeof chunk.type === "string" && chunk.type.startsWith("trigger:")) {
+                // Future / unknown `trigger:*` legacy control type from
+                // a pre-upgrade agent — drop so it doesn't reach the AI
+                // SDK as an unrecognised UIMessageChunk.
+                continue;
+              }
+            }
+
+            if (state.skipToTurnComplete) {
+              if (controlValue === TRIGGER_CONTROL_SUBTYPE.TURN_COMPLETE) {
+                state.skipToTurnComplete = false;
+              }
+              continue;
+            }
+
+            if (controlValue === TRIGGER_CONTROL_SUBTYPE.UPGRADE_REQUIRED) {
+              // Server has already triggered the new run via
+              // `end-and-continue`; the next chunks on this same `.out`
+              // stream come from v2. Filter the marker for cleanliness
+              // and keep reading.
+              continue;
+            }
+
+            if (controlValue === TRIGGER_CONTROL_SUBTYPE.TURN_COMPLETE) {
+              const refreshedToken =
+                headerValue(value.headers, PUBLIC_ACCESS_TOKEN_HEADER) ??
+                legacyChunk?.publicAccessToken;
+              if (refreshedToken) {
+                state.publicAccessToken = refreshedToken;
+              }
+              state.isStreaming = false;
+              this.notifySessionChange(chatId, state);
+              this.coordinator?.release(chatId);
+              this.coordinator?.broadcastSession(chatId, {
+                lastEventId: state.lastEventId,
+              });
+
+              if (this.watchMode) continue;
+
+              internalAbort.abort();
+              try {
+                controller.close();
+              } catch {
+                /* already closed */
+              }
+              return;
+            }
+
+            // Data record — `value.chunk` is the parsed UIMessageChunk
+            // unwrapped from the S2 record envelope (the parser does the
+            // JSON unwrap). Drop empty/malformed payloads defensively.
+            if (value.chunk == null) continue;
+            controller.enqueue(value.chunk as UIMessageChunk);
+          }
+        } catch (error) {
+          if (error instanceof Error && error.name === "AbortError") {
+            try {
+              controller.close();
+            } catch {
+              /* already closed */
+            }
+            return;
+          }
+          controller.error(error);
+        } finally {
+          teardownWakeListeners();
+          this.activeStreams.delete(chatId);
+          this.coordinator?.release(chatId);
+        }
+      },
+    });
+  }
+}
+
+/**
+ * Convenience constructor matching {@link TriggerChatTransport}.
+ */
+export function createChatTransport(options: TriggerChatTransportOptions): TriggerChatTransport {
+  return new TriggerChatTransport(options);
+}
+
+// Server-side agent chat re-exports.
+export {
+  AgentChat,
+  ChatStream,
+  type AgentChatOptions,
+  type ChatSession,
+  type ChatStreamResult,
+  type ChatToolCall,
+  type ChatToolResult,
+  type InferChatClientData,
+  type InferChatUIMessage,
+} from "./chat-client.js";
diff --git a/packages/trigger-sdk/src/v3/createStartSessionAction.test.ts b/packages/trigger-sdk/src/v3/createStartSessionAction.test.ts
new file mode 100644
index 00000000000..2b3214b77d1
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/createStartSessionAction.test.ts
@@ -0,0 +1,136 @@
+import { afterEach, describe, expect, expectTypeOf, it } from "vitest";
+import { z } from "zod";
+import type { CreateSessionRequestBody, CreatedSessionResponseBody } from "@trigger.dev/core/v3";
+
+import { chat } from "./ai.js";
+import {
+  __setSessionStartImplForTests,
+  __setSessionOpenImplForTests,
+  SessionHandle,
+} from "./sessions.js";
+import { apiClientManager } from "@trigger.dev/core/v3";
+
+// `auth.createPublicToken` is called by the action when no start token is
+// supplied. Provide a minimal API client config so the mint path doesn't
+// throw before we get to assert the captured request body.
+apiClientManager.setGlobalAPIClientConfiguration({
+  baseURL: "https://example.invalid",
+  accessToken: "tr_test_secret",
+});
+
+// Capture the request body the action would send to `sessions.start()`.
+let lastStartBody: CreateSessionRequestBody | undefined;
+
+function installStartFixture() {
+  __setSessionStartImplForTests(async (body): Promise<CreatedSessionResponseBody> => {
+    lastStartBody = body;
+    return {
+      id: "session_fixture",
+      externalId: body.externalId ?? null,
+      type: body.type,
+      taskIdentifier: body.taskIdentifier,
+      triggerConfig: body.triggerConfig,
+      currentRunId: "run_fixture",
+      tags: body.triggerConfig.tags ?? [],
+      metadata: body.metadata ?? null,
+      closedAt: null,
+      closedReason: null,
+      expiresAt: null,
+      createdAt: new Date(),
+      updatedAt: new Date(),
+      runId: "run_fixture",
+      publicAccessToken: "tr_pat_fixture",
+      isCached: false,
+    };
+  });
+  __setSessionOpenImplForTests(() => new SessionHandle("session_fixture"));
+}
+
+afterEach(() => {
+  __setSessionStartImplForTests(undefined);
+  __setSessionOpenImplForTests(undefined);
+  lastStartBody = undefined;
+});
+
+// Build a fake chat agent task shape that the generic can narrow against.
+// We only need the static type — the runtime never invokes this task because
+// `__setSessionStartImplForTests` intercepts the network call.
+const fakeChat = chat
+  .withClientData({
+    schema: z.object({
+      userId: z.string(),
+      plan: z.enum(["free", "pro"]),
+    }),
+  })
+  .agent({
+    id: "fake-chat",
+    run: async () => undefined as any,
+  });
+
+describe("chat.createStartSessionAction — runtime", () => {
+  it("folds typed clientData into basePayload.metadata so onChatStart sees it on the first turn", async () => {
+    installStartFixture();
+
+    const start = chat.createStartSessionAction<typeof fakeChat>("fake-chat");
+
+    const result = await start({
+      chatId: "chat-1",
+      clientData: { userId: "u-1", plan: "pro" },
+    });
+
+    expect(result.publicAccessToken).toBe("tr_pat_fixture");
+    expect(lastStartBody?.triggerConfig.basePayload).toMatchObject({
+      messages: [],
+      trigger: "preload",
+      metadata: { userId: "u-1", plan: "pro" },
+      chatId: "chat-1",
+    });
+  });
+
+  it("leaves basePayload.metadata unset when clientData is not provided", async () => {
+    installStartFixture();
+
+    const start = chat.createStartSessionAction("fake-chat");
+    await start({ chatId: "chat-2" });
+
+    expect(lastStartBody?.triggerConfig.basePayload).not.toHaveProperty("metadata");
+  });
+
+  it("keeps session-level metadata distinct from per-turn clientData", async () => {
+    installStartFixture();
+
+    const start = chat.createStartSessionAction<typeof fakeChat>("fake-chat");
+    await start({
+      chatId: "chat-3",
+      clientData: { userId: "u-3", plan: "free" },
+      metadata: { source: "marketing-site" },
+    });
+
+    // Per-turn shape (visible to onPreload / onChatStart):
+    expect(lastStartBody?.triggerConfig.basePayload).toMatchObject({
+      metadata: { userId: "u-3", plan: "free" },
+    });
+    // Session-row metadata (opaque, never typed via clientDataSchema):
+    expect(lastStartBody?.metadata).toEqual({ source: "marketing-site" });
+  });
+});
+
+describe("chat.createStartSessionAction — types", () => {
+  it("narrows clientData against the chat agent's clientDataSchema", () => {
+    const start = chat.createStartSessionAction<typeof fakeChat>("fake-chat");
+
+    // The clientData field is typed off the agent's schema.
+    expectTypeOf<Parameters<typeof start>[0]["clientData"]>().toEqualTypeOf<
+      { userId: string; plan: "free" | "pro" } | undefined
+    >();
+    // The agent's typed clientData is strictly narrower than `unknown`.
+    expectTypeOf<Parameters<typeof start>[0]["clientData"]>().not.toEqualTypeOf<unknown>();
+  });
+
+  it("defaults clientData to unknown when called without a generic", () => {
+    const start = chat.createStartSessionAction("fake-chat");
+    expectTypeOf(start).parameter(0).toHaveProperty("clientData");
+    // Untyped variant — clientData is `unknown`.
+    expectTypeOf<Parameters<typeof start>[0]["clientData"]>().toEqualTypeOf<unknown>();
+  });
+});
diff --git a/packages/trigger-sdk/src/v3/deployments.ts b/packages/trigger-sdk/src/v3/deployments.ts
new file mode 100644
index 00000000000..b6a334b203e
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/deployments.ts
@@ -0,0 +1,56 @@
+import type {
+  ApiRequestOptions,
+  RetrieveCurrentDeploymentResponseBody,
+  ApiDeploymentListOptions,
+  ApiDeploymentListResponseItem,
+} from "@trigger.dev/core/v3";
+import {
+  apiClientManager,
+  CursorPagePromise,
+  isRequestOptions,
+  mergeRequestOptions,
+} from "@trigger.dev/core/v3";
+
+export type { RetrieveCurrentDeploymentResponseBody, ApiDeploymentListResponseItem };
+
+export const deployments = {
+  retrieveCurrent: retrieveCurrentDeployment,
+  list: listDeployments,
+};
+
+/**
+ * Retrieve the currently promoted deployment for this environment.
+ *
+ * Use inside a task to check whether a newer version has been deployed:
+ *
+ * ```ts
+ * import { deployments } from "@trigger.dev/sdk";
+ *
+ * const current = await deployments.retrieveCurrent();
+ * if (current.version !== ctx.run.version) {
+ *   // A newer version is promoted
+ * }
+ * ```
+ */
+function retrieveCurrentDeployment(
+  requestOptions?: ApiRequestOptions
+): Promise<RetrieveCurrentDeploymentResponseBody> {
+  const apiClient = apiClientManager.clientOrThrow();
+  return apiClient.retrieveCurrentDeployment(requestOptions);
+}
+
+/**
+ * List deployments for the current environment.
+ */
+function listDeployments(
+  options?: ApiDeploymentListOptions,
+  requestOptions?: ApiRequestOptions
+): CursorPagePromise<typeof ApiDeploymentListResponseItem> {
+  const apiClient = apiClientManager.clientOrThrow();
+
+  if (isRequestOptions(options)) {
+    return apiClient.listDeployments(undefined, options);
+  }
+
+  return apiClient.listDeployments(options, requestOptions);
+}
diff --git a/packages/trigger-sdk/src/v3/index.ts b/packages/trigger-sdk/src/v3/index.ts
index 21ffa142871..f993105f0bd 100644
--- a/packages/trigger-sdk/src/v3/index.ts
+++ b/packages/trigger-sdk/src/v3/index.ts
@@ -17,14 +17,15 @@ export * from "./otel.js";
 export * from "./schemas.js";
 export * from "./heartbeats.js";
 export * from "./streams.js";
+export * from "./sessions.js";
 export * from "./query.js";
 export type { Context };
 
 import type { Context } from "./shared.js";
 
-import type { ApiClientConfiguration } from "@trigger.dev/core/v3";
+import type { ApiClientConfiguration, TaskRunContext } from "@trigger.dev/core/v3";
 
-export type { ApiClientConfiguration };
+export type { ApiClientConfiguration, TaskRunContext };
 
 export {
   ApiError,
@@ -39,6 +40,8 @@ export {
   AbortTaskRunError,
   OutOfMemoryError,
   CompleteTaskWithOutput,
+  ChatChunkTooLargeError,
+  isChatChunkTooLargeError,
   logger,
   type LogLevel,
 } from "@trigger.dev/core/v3";
@@ -54,9 +57,16 @@ export {
   type AnyRetrieveRunResult,
 } from "./runs.js";
 export * as schedules from "./schedules/index.js";
+export {
+  deployments,
+  type RetrieveCurrentDeploymentResponseBody,
+  type ApiDeploymentListResponseItem,
+} from "./deployments.js";
 export * as envvars from "./envvars.js";
 export * as queues from "./queues.js";
 export type { ImportEnvironmentVariablesParams } from "./envvars.js";
 
 export { configure, auth } from "./auth.js";
+export { TriggerClient, type TriggerClientConfig } from "./triggerClient.js";
 export * as prompts from "./prompts.js";
+export * as skills from "./skills.js";
diff --git a/packages/trigger-sdk/src/v3/runs.ts b/packages/trigger-sdk/src/v3/runs.ts
index 7081c448d75..88e6d2b701c 100644
--- a/packages/trigger-sdk/src/v3/runs.ts
+++ b/packages/trigger-sdk/src/v3/runs.ts
@@ -358,6 +358,14 @@ export type SubscribeToRunOptions = {
    * ```
    */
   skipColumns?: RealtimeRunSkipColumns;
+
+  /**
+   * An AbortSignal to cancel the subscription.
+   *
+   * When the signal is aborted, the underlying SSE connection is closed
+   * and the async iterator completes.
+   */
+  signal?: AbortSignal;
 };
 
 /**
@@ -403,6 +411,7 @@ function subscribeToRun<TRunId extends AnyRunHandle | AnyTask | string>(
     closeOnComplete:
       typeof options?.stopOnCompletion === "boolean" ? options.stopOnCompletion : true,
     skipColumns: options?.skipColumns,
+    signal: options?.signal,
   });
 }
 
diff --git a/packages/trigger-sdk/src/v3/sessions.test.ts b/packages/trigger-sdk/src/v3/sessions.test.ts
new file mode 100644
index 00000000000..abeccb0c12d
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/sessions.test.ts
@@ -0,0 +1,186 @@
+import { describe, expect, it, vi } from "vitest";
+
+// Per-test override for the stubbed SessionStreamInstance's wait() so a
+// test can simulate downstream writer failures (e.g. S2 auth error after
+// initializeSessionStream returned a stale token). Reset at the top of
+// each test that touches it.
+let stubWaitImpl: (() => Promise<{ lastEventId?: string }>) | undefined;
+
+// Stub `SessionStreamInstance` so constructing a channel writer doesn't try
+// to reach S2. The stub still invokes the `initializeSession` callback the
+// channel passes in, which is the whole point: that's how the cache gets
+// exercised. wait() resolves immediately by default; tests can override it
+// via `stubWaitImpl` to verify reactive invalidation on writer failure.
+vi.mock("@trigger.dev/core/v3", async (importActual) => {
+  const actual = (await importActual()) as Record<string, unknown>;
+  class StubSessionStreamInstance<T> {
+    private waitPromise: Promise<{ lastEventId?: string }>;
+    constructor(opts: {
+      source: ReadableStream<T>;
+      initializeSession?: () => Promise<{ headers?: Record<string, string> }>;
+    }) {
+      // Drain the source so the upstream tee doesn't backpressure-stall.
+      void (async () => {
+        const reader = opts.source.getReader();
+        try {
+          while (true) {
+            const { done } = await reader.read();
+            if (done) break;
+          }
+        } finally {
+          reader.releaseLock();
+        }
+      })();
+      // Trigger the initializeSession callback so the cache path runs.
+      opts.initializeSession?.().catch(() => {
+        // Failures are observed via the spy; swallow here so unhandled
+        // rejection warnings don't leak through the stub.
+      });
+      // Capture the wait outcome once at construction (mirrors real
+      // SessionStreamInstance which kicks off initializeWriter from the
+      // ctor). All subsequent wait() calls return the same promise so
+      // a single failure is observable by every consumer in the channel
+      // (`.finally`, reactive `.catch`, and customer `waitUntilComplete`).
+      this.waitPromise = stubWaitImpl
+        ? stubWaitImpl()
+        : Promise.resolve({ lastEventId: undefined });
+      // Claim any rejection so test runs don't surface as unhandled.
+      // Real awaiters still observe the rejection when they `await` it.
+      this.waitPromise.catch(() => {});
+    }
+    async wait() {
+      return this.waitPromise;
+    }
+    get stream() {
+      return new ReadableStream<T>({ start: (c) => c.close() });
+    }
+  }
+  return { ...actual, SessionStreamInstance: StubSessionStreamInstance };
+});
+
+import { SessionOutputChannel } from "./sessions.js";
+import { apiClientManager } from "@trigger.dev/core/v3";
+
+type ApiClientStub = {
+  initializeSessionStream: ReturnType<typeof vi.fn>;
+};
+
+function installStubApiClient(impl: ApiClientStub["initializeSessionStream"]): ApiClientStub {
+  const stub: ApiClientStub = { initializeSessionStream: impl };
+  // `apiClientManager.clientOrThrow()` is what `#pipeInternal` reaches for.
+  vi.spyOn(apiClientManager, "clientOrThrow").mockReturnValue(
+    stub as unknown as ReturnType<typeof apiClientManager.clientOrThrow>
+  );
+  return stub;
+}
+
+function emptyStream(): ReadableStream<unknown> {
+  return new ReadableStream({ start: (c) => c.close() });
+}
+
+describe("SessionOutputChannel initializeSessionStream cache", () => {
+  it("dedupes repeated pipe()/writer() calls for the same channel", async () => {
+    stubWaitImpl = undefined;
+    const spy = vi.fn(async () => ({ version: "v2", headers: {} }));
+    installStubApiClient(spy);
+
+    const channel = new SessionOutputChannel("session-1");
+    const p1 = channel.pipe(emptyStream());
+    const p2 = channel.pipe(emptyStream());
+    const p3 = channel.writer({
+      execute: ({ write }) => {
+        write({ chunk: 1 });
+      },
+    });
+
+    await Promise.all([p1.waitUntilComplete(), p2.waitUntilComplete(), p3.waitUntilComplete()]);
+
+    expect(spy).toHaveBeenCalledTimes(1);
+    expect(spy).toHaveBeenCalledWith("session-1", "out", undefined);
+  });
+
+  it("evicts on initialize failure so the next call retries instead of returning a poisoned entry", async () => {
+    stubWaitImpl = undefined;
+    const spy = vi
+      .fn()
+      .mockRejectedValueOnce(new Error("boom"))
+      .mockResolvedValueOnce({ version: "v2", headers: {} });
+    installStubApiClient(spy);
+
+    const channel = new SessionOutputChannel("session-1");
+    const firstAttempt = channel.pipe(emptyStream());
+    // First call fails — the stub swallows the rejection on the
+    // initializeSession callback, but the cache eviction handler still runs.
+    await firstAttempt.waitUntilComplete();
+    // Settle pending microtasks so the .catch() eviction fires.
+    await new Promise<void>((resolve) => setTimeout(resolve, 0));
+
+    const retried = channel.pipe(emptyStream());
+    await retried.waitUntilComplete();
+
+    expect(spy).toHaveBeenCalledTimes(2);
+  });
+
+  it("reset() clears cached entries so the next call re-PUTs", async () => {
+    stubWaitImpl = undefined;
+    const spy = vi.fn(async () => ({ version: "v2", headers: {} }));
+    installStubApiClient(spy);
+
+    const channel = new SessionOutputChannel("session-1");
+    await channel.pipe(emptyStream()).waitUntilComplete();
+    expect(spy).toHaveBeenCalledTimes(1);
+
+    channel.reset();
+
+    await channel.pipe(emptyStream()).waitUntilComplete();
+    expect(spy).toHaveBeenCalledTimes(2);
+  });
+
+  it("scopes the cache per channel instance", async () => {
+    stubWaitImpl = undefined;
+    const spy = vi.fn(async () => ({ version: "v2", headers: {} }));
+    installStubApiClient(spy);
+
+    const channelA = new SessionOutputChannel("session-a");
+    const channelB = new SessionOutputChannel("session-b");
+
+    await Promise.all([
+      channelA.pipe(emptyStream()).waitUntilComplete(),
+      channelB.pipe(emptyStream()).waitUntilComplete(),
+    ]);
+
+    expect(spy).toHaveBeenCalledTimes(2);
+    expect(spy).toHaveBeenCalledWith("session-a", "out", undefined);
+    expect(spy).toHaveBeenCalledWith("session-b", "out", undefined);
+  });
+
+  it("evicts the cache when a writer's wait() rejects (simulated stale-token failure)", async () => {
+    const spy = vi.fn(async () => ({ version: "v2", headers: {} }));
+    installStubApiClient(spy);
+
+    // First writer's wait() rejects (e.g. S2 returned 401 after the cached
+    // token expired mid-process); subsequent writers' wait() resolve cleanly.
+    let waitCallCount = 0;
+    stubWaitImpl = async () => {
+      waitCallCount++;
+      if (waitCallCount === 1) throw new Error("S2 auth failed: token expired");
+      return { lastEventId: undefined };
+    };
+
+    const channel = new SessionOutputChannel("session-1");
+
+    const failed = channel.pipe(emptyStream());
+    await expect(failed.waitUntilComplete()).rejects.toThrow(/token expired/);
+
+    // Settle microtasks so the reactive .catch eviction handler fires.
+    await new Promise<void>((resolve) => setTimeout(resolve, 0));
+
+    const recovered = channel.pipe(emptyStream());
+    await recovered.waitUntilComplete();
+
+    // Cache evicted ⇒ second pipe() re-PUT ⇒ two distinct initialize calls.
+    expect(spy).toHaveBeenCalledTimes(2);
+
+    stubWaitImpl = undefined;
+  });
+});
diff --git a/packages/trigger-sdk/src/v3/sessions.ts b/packages/trigger-sdk/src/v3/sessions.ts
new file mode 100644
index 00000000000..fc47a037914
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/sessions.ts
@@ -0,0 +1,901 @@
+import type {
+  ApiPromise,
+  ApiRequestOptions,
+  AsyncIterableStream,
+  CloseSessionRequestBody,
+  CreatedSessionResponseBody,
+  CreateSessionRequestBody,
+  InputStreamOnceOptions,
+  InputStreamOnceResult,
+  InputStreamWaitOptions,
+  InputStreamWaitWithIdleTimeoutOptions,
+  ListSessionsOptions,
+  ListedSessionItem,
+  PipeStreamOptions,
+  PipeStreamResult,
+  RetrieveSessionResponseBody,
+  UpdateSessionRequestBody,
+  WriterStreamOptions,
+} from "@trigger.dev/core/v3";
+import {
+  CursorPagePromise,
+  InputStreamOncePromise,
+  ManualWaitpointPromise,
+  SemanticInternalAttributes,
+  SessionStreamInstance,
+  WaitpointTimeoutError,
+  accessoryAttributes,
+  apiClientManager,
+  ensureReadableStream,
+  mergeRequestOptions,
+  runtime,
+  sessionStreams,
+  taskContext,
+  trimSessionStream,
+  writeSessionControlRecord,
+} from "@trigger.dev/core/v3";
+import type {
+  ControlEvent,
+  InitializeSessionStreamResponseLike,
+  StreamWriteResult,
+} from "@trigger.dev/core/v3";
+import { conditionallyImportAndParsePacket } from "@trigger.dev/core/v3/utils/ioSerialization";
+import { SpanStatusCode } from "@opentelemetry/api";
+import { tracer } from "./tracer.js";
+
+export type {
+  CreatedSessionResponseBody,
+  CreateSessionRequestBody,
+  CloseSessionRequestBody,
+  ListSessionsOptions,
+  ListedSessionItem,
+  RetrieveSessionResponseBody,
+  UpdateSessionRequestBody,
+};
+
+export const sessions = {
+  start: startSession,
+  retrieve: retrieveSession,
+  update: updateSession,
+  close: closeSession,
+  list: listSessions,
+  open,
+};
+
+// Test hook: lets `@trigger.dev/sdk/ai/test` replace `sessions.open()` with
+// an in-memory handle so unit tests don't hit the network. Not part of the
+// public API — only `mockChatAgent` installs it.
+type SessionOpenImpl = (sessionIdOrExternalId: string) => SessionHandle;
+let sessionOpenImpl: SessionOpenImpl | undefined;
+
+export function __setSessionOpenImplForTests(impl: SessionOpenImpl | undefined): void {
+  sessionOpenImpl = impl;
+}
+
+// Test hook for `sessions.start()`. Sessions are task-bound and the
+// `start` call atomically creates the row + triggers the first run on
+// the server; in unit tests there's no live API to hit, so a fixture
+// implementation can be installed via this setter.
+type SessionStartImpl = (
+  body: CreateSessionRequestBody
+) => Promise<CreatedSessionResponseBody> | CreatedSessionResponseBody;
+let sessionStartImpl: SessionStartImpl | undefined;
+
+export function __setSessionStartImplForTests(impl: SessionStartImpl | undefined): void {
+  sessionStartImpl = impl;
+}
+
+/**
+ * Start a {@link Session} — a durable, task-bound, bidirectional I/O
+ * primitive. The server creates the row (idempotent on `externalId`)
+ * and triggers the first run from `triggerConfig` in one round-trip.
+ * Returns the new run's id and a session-scoped public access token
+ * for browser-side use against `.in/append`, `.out` SSE, and
+ * `end-and-continue`.
+ *
+ * If a session with the same `(env, externalId)` already exists,
+ * returns the existing row plus the live (or freshly re-triggered) run.
+ * Two browser tabs of the same chat converge to one session.
+ */
+function startSession(
+  body: CreateSessionRequestBody,
+  requestOptions?: ApiRequestOptions
+): ApiPromise<CreatedSessionResponseBody> {
+  if (sessionStartImpl) {
+    const result = sessionStartImpl(body);
+    return Promise.resolve(result) as ApiPromise<CreatedSessionResponseBody>;
+  }
+
+  const apiClient = apiClientManager.clientOrThrow();
+
+  const $requestOptions = mergeRequestOptions(
+    {
+      tracer,
+      name: "sessions.start()",
+      icon: "sessions",
+      attributes: sessionAttributes(body.externalId ?? body.type, {
+        type: body.type,
+        ...(body.externalId ? { externalId: body.externalId } : {}),
+      }),
+    },
+    requestOptions
+  );
+
+  return apiClient.createSession(body, $requestOptions);
+}
+
+/**
+ * Retrieve a Session by `friendlyId` (`session_*`) or user-supplied
+ * `externalId`. The server disambiguates via the `session_` prefix.
+ */
+function retrieveSession(
+  sessionIdOrExternalId: string,
+  requestOptions?: ApiRequestOptions
+): ApiPromise<RetrieveSessionResponseBody> {
+  const apiClient = apiClientManager.clientOrThrow();
+
+  const $requestOptions = mergeRequestOptions(
+    {
+      tracer,
+      name: "sessions.retrieve()",
+      icon: "sessions",
+      attributes: sessionAttributes(sessionIdOrExternalId),
+    },
+    requestOptions
+  );
+
+  return apiClient.retrieveSession(sessionIdOrExternalId, $requestOptions);
+}
+
+/** Update mutable fields on a Session (tags, metadata, externalId). */
+function updateSession(
+  sessionIdOrExternalId: string,
+  body: UpdateSessionRequestBody,
+  requestOptions?: ApiRequestOptions
+): ApiPromise<RetrieveSessionResponseBody> {
+  const apiClient = apiClientManager.clientOrThrow();
+
+  const $requestOptions = mergeRequestOptions(
+    {
+      tracer,
+      name: "sessions.update()",
+      icon: "sessions",
+      attributes: sessionAttributes(sessionIdOrExternalId),
+    },
+    requestOptions
+  );
+
+  return apiClient.updateSession(sessionIdOrExternalId, body, $requestOptions);
+}
+
+/** Mark a Session as closed (terminal, idempotent). */
+function closeSession(
+  sessionIdOrExternalId: string,
+  body?: CloseSessionRequestBody,
+  requestOptions?: ApiRequestOptions
+): ApiPromise<RetrieveSessionResponseBody> {
+  const apiClient = apiClientManager.clientOrThrow();
+
+  const $requestOptions = mergeRequestOptions(
+    {
+      tracer,
+      name: "sessions.close()",
+      icon: "sessions",
+      attributes: sessionAttributes(sessionIdOrExternalId, {
+        ...(body?.reason ? { reason: body.reason } : {}),
+      }),
+    },
+    requestOptions
+  );
+
+  return apiClient.closeSession(sessionIdOrExternalId, body, $requestOptions);
+}
+
+/**
+ * List Sessions in the current environment with filters + cursor pagination.
+ * Returns a {@link CursorPagePromise} so callers can iterate pages with
+ * `for await`.
+ */
+function listSessions(
+  options?: ListSessionsOptions,
+  requestOptions?: ApiRequestOptions
+): CursorPagePromise<typeof ListedSessionItem> {
+  const apiClient = apiClientManager.clientOrThrow();
+
+  const $requestOptions = mergeRequestOptions(
+    {
+      tracer,
+      name: "sessions.list()",
+      icon: "sessions",
+      attributes: {
+        ...(options?.type ? { type: toAttr(options.type) } : {}),
+        ...(options?.tag ? { tag: toAttr(options.tag) } : {}),
+        ...(options?.status ? { status: toAttr(options.status) } : {}),
+        ...(options?.externalId ? { externalId: options.externalId } : {}),
+      },
+    },
+    requestOptions
+  );
+
+  return apiClient.listSessions(options, $requestOptions);
+}
+
+/**
+ * Open a lightweight handle to a Session's realtime channels. Does not
+ * perform a network call on its own — each channel method hits the
+ * corresponding realtime endpoint.
+ */
+function open(sessionIdOrExternalId: string): SessionHandle {
+  if (sessionOpenImpl) return sessionOpenImpl(sessionIdOrExternalId);
+  return new SessionHandle(sessionIdOrExternalId);
+}
+
+export class SessionHandle {
+  /**
+   * Producer-to-consumer channel: the task writes records; external
+   * clients read them. Mirrors `streams.define` — `append` / `pipe` /
+   * `writer` / `read`.
+   */
+  public readonly out: SessionOutputChannel;
+
+  /**
+   * Consumer-to-producer channel: external clients call `.send()`; the
+   * task consumes via `.on` / `.once` / `.peek` / `.wait` /
+   * `.waitWithIdleTimeout`. Mirrors `streams.input` but keyed on the
+   * session so a conversation can survive across run boundaries.
+   */
+  public readonly in: SessionInputChannel;
+
+  constructor(
+    public readonly id: string,
+    overrides?: { in?: SessionInputChannel; out?: SessionOutputChannel }
+  ) {
+    this.out = overrides?.out ?? new SessionOutputChannel(id);
+    this.in = overrides?.in ?? new SessionInputChannel(id);
+  }
+}
+
+/**
+ * Options accepted by {@link SessionOutputChannel.pipe}. Session-scoped,
+ * so it omits the `target` field (self/parent/root/runId) that run-scoped
+ * {@link PipeStreamOptions} uses — the session is the target.
+ */
+export type SessionPipeStreamOptions = Omit<PipeStreamOptions, "target">;
+
+/**
+ * The `.out` side of a Session's bidirectional channel pair. Mirrors the
+ * consume-side of {@link streams.define}: `pipe` / `writer` / `append`
+ * for the task to produce records, `read` for external clients to
+ * consume via SSE. S2 credentials for direct writes are fetched
+ * internally by `pipe`/`writer` — there's no public `initialize()`.
+ */
+export class SessionOutputChannel {
+  // Cache of the in-flight / resolved `initializeSessionStream` PUT for
+  // this channel. Every `pipe()` / `writer()` call needs the same S2
+  // credentials, so we share a single promise instead of re-PUTing on
+  // every chunk. Hot-loop writers (per-chunk `chat.response.write` /
+  // direct `session.out.writer` calls) drop from N PUTs to 1 PUT for
+  // the lifetime of the channel. The S2 access token has a 1-day TTL
+  // server-side so reusing it across calls within a single run is safe.
+  // Evicts on failure (so the next call retries) and on `reset()`.
+  #initPromise?: Promise<InitializeSessionStreamResponseLike>;
+
+  constructor(public readonly sessionId: string) {}
+
+  /**
+   * Drop the cached `initializeSessionStream` response. Surfaces for
+   * tests and lifecycle hooks that need the next write to re-mint S2
+   * credentials. The cache also self-evicts on `initializeSession`
+   * rejection, so callers don't need to invoke this on failures.
+   *
+   * @internal
+   */
+  reset(): void {
+    this.#initPromise = undefined;
+  }
+
+  /**
+   * Append a single record. Routes through {@link writer} internally so
+   * subscribers receive the same parsed-object shape as multi-record
+   * writes — the server-side append endpoint wraps the body in a string,
+   * which would give SSE consumers a JSON-string instead of an object.
+   * Mirrors how `streams.define.append` delegates to `streams.writer`.
+   */
+  async append<T>(value: T, options?: SessionPipeStreamOptions): Promise<void> {
+    const { waitUntilComplete } = this.writer<T>({
+      ...options,
+      spanName: "sessions.append()",
+      execute: ({ write }) => {
+        write(value);
+      },
+    });
+    await waitUntilComplete();
+  }
+
+  /**
+   * Pipe an `AsyncIterable` / `ReadableStream` directly to S2. Fetches
+   * session S2 credentials internally and streams through
+   * {@link SessionStreamInstance}. Parallel to {@link streams.pipe} but
+   * session-scoped — no `target` option because the session is the target.
+   */
+  pipe<T>(
+    value: AsyncIterable<T> | ReadableStream<T>,
+    options?: SessionPipeStreamOptions
+  ): PipeStreamResult<T> {
+    return this.#pipeInternal(value, options, "sessions.pipe()");
+  }
+
+  /**
+   * Mirror of {@link streams.writer}: runs `execute({ write, merge })`
+   * against an in-memory queue whose records are piped to S2. Returns
+   * `{ stream, waitUntilComplete }` so callers can observe the local
+   * stream and await completion. Span is collapsible via `options.spanName`
+   * / `options.collapsed`.
+   */
+  writer<T>(options: WriterStreamOptions<T>): PipeStreamResult<T> {
+    let controller!: ReadableStreamDefaultController<T>;
+    const ongoingStreamPromises: Promise<void>[] = [];
+
+    const stream = new ReadableStream<T>({
+      start(controllerArg) {
+        controller = controllerArg;
+      },
+    });
+
+    const safeEnqueue = (data: T) => {
+      try {
+        controller.enqueue(data);
+      } catch {
+        // Suppress errors when the stream has been closed.
+      }
+    };
+
+    try {
+      const result = options.execute({
+        write(part) {
+          safeEnqueue(part);
+        },
+        merge(streamArg) {
+          ongoingStreamPromises.push(
+            (async () => {
+              const reader = streamArg.getReader();
+              while (true) {
+                const { done, value } = await reader.read();
+                if (done) break;
+                safeEnqueue(value);
+              }
+            })().catch((error) => {
+              console.error(error);
+            })
+          );
+        },
+      });
+
+      if (result) {
+        ongoingStreamPromises.push(
+          result.catch((error) => {
+            console.error(error);
+          })
+        );
+      }
+    } catch (error) {
+      console.error(error);
+    }
+
+    const waitForStreams: Promise<void> = new Promise((resolve, reject) => {
+      (async () => {
+        while (ongoingStreamPromises.length > 0) {
+          await ongoingStreamPromises.shift();
+        }
+        resolve();
+      })().catch(reject);
+    });
+
+    waitForStreams.finally(() => {
+      try {
+        controller.close();
+      } catch {
+        // Already closed.
+      }
+    });
+
+    return this.#pipeInternal(stream, options, options.spanName ?? "sessions.writer()");
+  }
+
+  /**
+   * Subscribe to SSE records on `.out`. Returns an async-iterable stream —
+   * auto-retry, Last-Event-ID resume, and abort propagation come from the
+   * shared {@link SSEStreamSubscription} plumbing used by run-scoped
+   * realtime streams.
+   */
+  async read<T = unknown>(
+    options?: SessionSubscribeOptions<T>
+  ): Promise<AsyncIterableStream<T>> {
+    const apiClient = apiClientManager.clientOrThrow();
+
+    return apiClient.subscribeToSessionStream<T>(this.sessionId, "out", {
+      signal: options?.signal,
+      timeoutInSeconds: options?.timeoutInSeconds,
+      lastEventId:
+        options?.lastEventId != null ? String(options.lastEventId) : undefined,
+      onPart: options?.onPart,
+      onControl: options?.onControl,
+      onComplete: options?.onComplete,
+      onError: options?.onError,
+    });
+  }
+
+  #pipeInternal<T>(
+    value: AsyncIterable<T> | ReadableStream<T>,
+    options: SessionPipeStreamOptions | undefined,
+    spanName: string
+  ): PipeStreamResult<T> {
+    const apiClient = apiClientManager.clientOrThrow();
+    const collapsed = (options as WriterStreamOptions<T> | undefined)?.collapsed;
+
+    const span = tracer.startSpan(spanName, {
+      attributes: {
+        session: this.sessionId,
+        io: "out",
+        [SemanticInternalAttributes.ENTITY_TYPE]: "session-stream",
+        [SemanticInternalAttributes.ENTITY_ID]: `${this.sessionId}:out`,
+        [SemanticInternalAttributes.STYLE_ICON]: "sessions",
+        ...(collapsed ? { [SemanticInternalAttributes.COLLAPSED]: true } : {}),
+        ...accessoryAttributes({
+          items: [{ text: `${this.sessionId}.out`, variant: "normal" }],
+          style: "codepath",
+        }),
+      },
+    });
+
+    const readableStreamSource = ensureReadableStream(value);
+
+    const abortController = new AbortController();
+    // `AbortSignal.any` lands in Node 20.3; the SDK still supports Node
+    // 18.20+. On older runtimes fall back to wiring `options.signal` into
+    // `abortController` manually so caller-driven cancellation propagates.
+    let combinedSignal: AbortSignal = abortController.signal;
+    // Set in the Node 18 fallback path so the caller's `signal.addEventListener`
+    // registration can be cleared once the stream finishes. Without this, a
+    // long-lived caller signal (e.g. one reused across many `writer()` calls)
+    // accumulates listeners on every completed turn.
+    let removeCallerAbortListener: (() => void) | undefined;
+    if (options?.signal) {
+      if (typeof AbortSignal.any === "function") {
+        combinedSignal = AbortSignal.any([options.signal, abortController.signal]);
+      } else {
+        const callerSignal = options.signal;
+        if (callerSignal.aborted) {
+          abortController.abort(callerSignal.reason);
+        } else {
+          const onCallerAbort = () => abortController.abort(callerSignal.reason);
+          callerSignal.addEventListener("abort", onCallerAbort, { once: true });
+          removeCallerAbortListener = () =>
+            callerSignal.removeEventListener("abort", onCallerAbort);
+        }
+      }
+    }
+
+    // Resolve the init promise eagerly so we can capture which one this
+    // writer uses for reactive invalidation below.
+    const writerInitPromise = ((): Promise<InitializeSessionStreamResponseLike> => {
+      if (this.#initPromise) {
+        return this.#initPromise;
+      }
+      const fresh = apiClient.initializeSessionStream(
+        this.sessionId,
+        "out",
+        options?.requestOptions
+      );
+      this.#initPromise = fresh;
+      // Evict on failure so the next call retries instead of returning a
+      // poisoned cache entry forever.
+      fresh.catch((err) => {
+        if (this.#initPromise === fresh) {
+          this.#initPromise = undefined;
+        }
+      });
+      return fresh;
+    })();
+
+    try {
+      const instance = new SessionStreamInstance<T>({
+        apiClient,
+        baseUrl: apiClientManager.baseURL ?? "",
+        sessionId: this.sessionId,
+        io: "out",
+        source: readableStreamSource,
+        signal: combinedSignal,
+        requestOptions: options?.requestOptions,
+        initializeSession: () => writerInitPromise,
+      });
+
+      // Single internal chain that handles span lifecycle AND reactive
+      // invalidation. On rejection we evict the cached init promise so
+      // the next pipe()/writer() re-PUTs and recovers (e.g. when a
+      // cached S2 access token expired mid-process). Compare by identity
+      // so a concurrent caller's fresh promise isn't accidentally cleared.
+      // Customer awaiters still observe the rejection via the returned
+      // `waitUntilComplete()`; this chain just keeps the cleanup path
+      // from surfacing as unhandled.
+      instance.wait().then(
+        () => {
+          removeCallerAbortListener?.();
+          span.end();
+        },
+        () => {
+          removeCallerAbortListener?.();
+          if (this.#initPromise === writerInitPromise) {
+            this.#initPromise = undefined;
+          }
+          span.end();
+        }
+      );
+
+      return {
+        stream: instance.stream,
+        waitUntilComplete: async () => {
+          return instance.wait();
+        },
+      };
+    } catch (error) {
+      removeCallerAbortListener?.();
+      if (error instanceof Error && error.name === "AbortError") {
+        span.end();
+        throw error;
+      }
+
+      if (error instanceof Error || typeof error === "string") {
+        span.recordException(error);
+      } else {
+        span.recordException(String(error));
+      }
+
+      span.setStatus({ code: SpanStatusCode.ERROR });
+      span.end();
+
+      throw error;
+    }
+  }
+
+  /**
+   * Write a single Trigger control record to `.out`. The record carries a
+   * `trigger-control` header valued with `subtype` plus any sibling
+   * `extraHeaders`; the body is empty. Control records are filtered out of
+   * the consumer-facing chunk stream by the SDK transport — readers route
+   * them via the `onControl` callback instead.
+   *
+   * The returned `lastEventId` is the S2 seq_num of the written record,
+   * useful for trim chains (e.g. trim back to the previous turn-complete).
+   */
+  async writeControl(
+    subtype: string,
+    extraHeaders?: ReadonlyArray<readonly [string, string]>
+  ): Promise<StreamWriteResult> {
+    const apiClient = apiClientManager.clientOrThrow();
+    return writeSessionControlRecord(apiClient, this.sessionId, "out", subtype, extraHeaders);
+  }
+
+  /**
+   * Append an S2 `trim` command record to `.out`. Records with seq_num
+   * less than `earliestSeqNum` are eventually removed from the stream.
+   *
+   * Idempotent and monotonic at S2's layer (`max(existing, min(provided,
+   * current_tail))`) — backward trims are silently no-ops for deletion
+   * but still consume a seq_num. Used by `chat.agent`'s turn loop to
+   * keep `session.out` bounded to roughly one turn at steady state.
+   */
+  async trimTo(earliestSeqNum: number): Promise<void> {
+    const apiClient = apiClientManager.clientOrThrow();
+    await trimSessionStream(apiClient, this.sessionId, earliestSeqNum);
+  }
+}
+
+/**
+ * The `.in` side of a Session's bidirectional channel pair. Mirrors
+ * {@link streams.input} — consumer-side primitives for the task
+ * (`on`/`once`/`peek`/`wait`/`waitWithIdleTimeout`) plus `send` for
+ * external clients. Keyed on the session rather than the run so a
+ * conversation can survive across run boundaries.
+ */
+export class SessionInputChannel {
+  constructor(public readonly sessionId: string) {}
+
+  /**
+   * Send a single record to the channel. Called by external clients
+   * (browser, server action, another task) producing input for the run.
+   * Matches {@link streams.input.send} but session-scoped — the session
+   * is the address, no `runId` required.
+   */
+  async send(value: unknown, requestOptions?: ApiRequestOptions): Promise<void> {
+    const apiClient = apiClientManager.clientOrThrow();
+    const body = typeof value === "string" ? value : JSON.stringify(value);
+
+    const $requestOptions = mergeRequestOptions(
+      {
+        tracer,
+        name: `sessions.open(${this.sessionId}).in.send()`,
+        icon: "sessions",
+        attributes: sessionAttributes(this.sessionId, { io: "in" }),
+      },
+      requestOptions
+    );
+
+    await apiClient.appendToSessionStream(this.sessionId, "in", body, $requestOptions);
+  }
+
+  /**
+   * Register a handler that fires for every record landing on `.in`.
+   * Buffered records are offered to the handler on attach, and handlers
+   * are cleaned up automatically when the task run completes. Returns
+   * `{ off }` to unsubscribe early.
+   *
+   * A handler that synchronously returns `true` CONSUMES the record: it
+   * won't be buffered for a later `once()` and won't be re-delivered on a
+   * future `on()` attach. Plain observers should return nothing.
+   */
+  on<T = unknown>(handler: (data: T) => void | boolean | Promise<void>): { off: () => void } {
+    return sessionStreams.on(
+      this.sessionId,
+      "in",
+      handler as (data: unknown) => void | boolean | Promise<void>
+    );
+  }
+
+  /**
+   * Wait for the next record on `.in` without suspending the run.
+   * Returns `{ ok: true, output }` on arrival or `{ ok: false, error }`
+   * when the timeout fires. Chain `.unwrap()` to get the data directly.
+   */
+  once<T = unknown>(options?: InputStreamOnceOptions): InputStreamOncePromise<T> {
+    const ctx = taskContext.ctx;
+    const runId = ctx?.run.id;
+
+    const innerPromise = sessionStreams.once(this.sessionId, "in", options);
+
+    return new InputStreamOncePromise<T>((resolve, reject) => {
+      tracer
+        .startActiveSpan(
+          options?.spanName ?? `sessions.open(${this.sessionId}).in.once()`,
+          async () => {
+            const result = await innerPromise;
+            resolve(result as InputStreamOnceResult<T>);
+          },
+          {
+            attributes: {
+              [SemanticInternalAttributes.STYLE_ICON]: "sessions",
+              [SemanticInternalAttributes.ENTITY_TYPE]: "session-stream",
+              ...(runId
+                ? { [SemanticInternalAttributes.ENTITY_ID]: `${runId}:${this.sessionId}:in` }
+                : {}),
+              session: this.sessionId,
+              io: "in",
+              ...accessoryAttributes({
+                items: [{ text: `${this.sessionId}.in`, variant: "normal" }],
+                style: "codepath",
+              }),
+            },
+          }
+        )
+        .catch(reject);
+    });
+  }
+
+  /** Non-blocking peek at the head of the `.in` buffer. */
+  peek<T = unknown>(): T | undefined {
+    return sessionStreams.peek(this.sessionId, "in") as T | undefined;
+  }
+
+  /**
+   * The highest S2 sequence number of any record this channel has
+   * delivered to a `once()` / `wait()` consumer (or had shifted off its
+   * buffer into one). Distinct from "last received" — buffered-but-not-
+   * yet-consumed records don't count.
+   *
+   * Used by `chat.agent` to persist the `.in` resume cursor on each
+   * `turn-complete` control record, so the next worker boot can subscribe
+   * past already-processed user messages.
+   */
+  lastDispatchedSeqNum(): number | undefined {
+    return sessionStreams.lastDispatchedSeqNum(this.sessionId, "in");
+  }
+
+  /**
+   * Suspend the current run until the next record arrives on `.in`.
+   * Unlike {@link once}, `wait()` frees compute while blocked — the
+   * run-engine waitpoint holds the run until the session append handler
+   * fires it. Only callable from inside `task.run()`.
+   */
+  wait<T = unknown>(options?: InputStreamWaitOptions): ManualWaitpointPromise<T> {
+    return new ManualWaitpointPromise<T>(async (resolve, reject) => {
+      try {
+        const ctx = taskContext.ctx;
+
+        if (!ctx) {
+          throw new Error("session.in.wait() can only be used from inside a task.run()");
+        }
+
+        const apiClient = apiClientManager.clientOrThrow();
+
+        const response = await apiClient.createSessionStreamWaitpoint(ctx.run.id, {
+          session: this.sessionId,
+          io: "in",
+          timeout: options?.timeout,
+          idempotencyKey: options?.idempotencyKey,
+          idempotencyKeyTTL: options?.idempotencyKeyTTL,
+          tags: options?.tags,
+          lastSeqNum: sessionStreams.lastSeqNum(this.sessionId, "in"),
+        });
+
+        const result = await tracer.startActiveSpan(
+          options?.spanName ?? `sessions.open(${this.sessionId}).in.wait()`,
+          async (span) => {
+            const waitResponse = await apiClient.waitForWaitpointToken({
+              runFriendlyId: ctx.run.id,
+              waitpointFriendlyId: response.waitpointId,
+            });
+
+            if (!waitResponse.success) {
+              throw new Error("Failed to block on session stream waitpoint");
+            }
+
+            // Drop the SSE tail + buffer before suspending so the record
+            // delivered via the waitpoint path isn't re-buffered on resume.
+            sessionStreams.disconnectStream(this.sessionId, "in");
+
+            const waitResult = await runtime.waitUntil(response.waitpointId);
+
+            const data =
+              waitResult.output !== undefined
+                ? await conditionallyImportAndParsePacket(
+                    {
+                      data: waitResult.output,
+                      dataType: waitResult.outputType ?? "application/json",
+                    },
+                    apiClient
+                  )
+                : undefined;
+
+            if (waitResult.ok) {
+              // Advance the seq counter so the SSE tail doesn't replay the
+              // record that was consumed via the waitpoint.
+              const prevSeq = sessionStreams.lastSeqNum(this.sessionId, "in");
+              const nextSeq = (prevSeq ?? -1) + 1;
+              sessionStreams.setLastSeqNum(this.sessionId, "in", nextSeq);
+
+              return { ok: true as const, output: data as T };
+            } else {
+              const error = new WaitpointTimeoutError(data?.message ?? "Timed out");
+              span.recordException(error);
+              span.setStatus({ code: SpanStatusCode.ERROR });
+              return { ok: false as const, error };
+            }
+          },
+          {
+            attributes: {
+              [SemanticInternalAttributes.STYLE_ICON]: "wait",
+              [SemanticInternalAttributes.ENTITY_TYPE]: "waitpoint",
+              [SemanticInternalAttributes.ENTITY_ID]: response.waitpointId,
+              session: this.sessionId,
+              io: "in",
+              ...accessoryAttributes({
+                items: [{ text: `${this.sessionId}.in`, variant: "normal" }],
+                style: "codepath",
+              }),
+            },
+          }
+        );
+
+        resolve(result);
+      } catch (error) {
+        reject(error);
+      }
+    });
+  }
+
+  /**
+   * Wait for a record with an idle-then-suspend strategy. Keeps the run
+   * active (using compute) for `idleTimeoutInSeconds`, then suspends via
+   * {@link wait} if nothing arrives. If a record arrives during the idle
+   * phase the run responds without suspending.
+   */
+  async waitWithIdleTimeout<T = unknown>(
+    options: InputStreamWaitWithIdleTimeoutOptions
+  ): Promise<{ ok: true; output: T } | { ok: false; error?: Error }> {
+    const self = this;
+    const spanName =
+      options.spanName ?? `sessions.open(${this.sessionId}).in.waitWithIdleTimeout()`;
+
+    return tracer.startActiveSpan(
+      spanName,
+      async (span) => {
+        if (options.idleTimeoutInSeconds > 0) {
+          const warm = await sessionStreams.once(self.sessionId, "in", {
+            timeoutMs: options.idleTimeoutInSeconds * 1000,
+          });
+          if (warm.ok) {
+            span.setAttribute("wait.resolved", "idle");
+            return { ok: true as const, output: warm.output as T };
+          }
+        }
+
+        if (options.skipSuspend) {
+          // Match the cold-phase `self.wait()` result shape below so any
+          // caller that does `throw result.error` gets a real error
+          // instead of `undefined`.
+          span.setAttribute("wait.resolved", "skipped");
+          return {
+            ok: false as const,
+            error: new WaitpointTimeoutError(
+              "Idle timeout elapsed and skipSuspend is set"
+            ),
+          };
+        }
+
+        if (options.onSuspend) {
+          await options.onSuspend();
+        }
+
+        span.setAttribute("wait.resolved", "suspended");
+        const waitResult = await self.wait<T>({
+          timeout: options.timeout,
+          spanName: "suspended",
+        });
+
+        if (waitResult.ok && options.onResume) {
+          await options.onResume();
+        }
+
+        return waitResult;
+      },
+      {
+        attributes: {
+          [SemanticInternalAttributes.STYLE_ICON]: "sessions",
+          session: self.sessionId,
+          io: "in",
+          ...accessoryAttributes({
+            items: [{ text: `${self.sessionId}.in`, variant: "normal" }],
+            style: "codepath",
+          }),
+        },
+      }
+    );
+  }
+}
+
+export type SessionSubscribeOptions<T = unknown> = {
+  signal?: AbortSignal;
+  lastEventId?: string | number;
+  /** Timeout in seconds for the underlying long-poll (max 600). */
+  timeoutInSeconds?: number;
+  /** Called for each SSE event with the full event metadata (id, timestamp). */
+  onPart?: (part: { id: string; chunk: T; timestamp: number }) => void;
+  /**
+   * Called when a `trigger-control` record arrives on the stream (e.g.
+   * `turn-complete`, `upgrade-required`). Control records are filtered
+   * out of the consumer chunk stream — handle them here. See
+   * `docs/ai-chat/client-protocol.mdx` for the wire shape.
+   */
+  onControl?: (event: ControlEvent) => void;
+  /** Called when the server signals end-of-stream. */
+  onComplete?: () => void;
+  /** Called on unrecoverable errors after the retry budget is exhausted. */
+  onError?: (error: Error) => void;
+};
+
+// ─── helpers ────────────────────────────────────────────────────────
+
+function sessionAttributes(id: string, extra?: Record<string, string | number | boolean>) {
+  return {
+    session: id,
+    ...(extra ?? {}),
+    ...accessoryAttributes({
+      items: [{ text: id, variant: "normal" }],
+      style: "codepath",
+    }),
+  };
+}
+
+function toAttr(value: string | string[]): string {
+  return Array.isArray(value) ? value.join(",") : value;
+}
diff --git a/packages/trigger-sdk/src/v3/shared.ts b/packages/trigger-sdk/src/v3/shared.ts
index c69bceeb535..fba990949b3 100644
--- a/packages/trigger-sdk/src/v3/shared.ts
+++ b/packages/trigger-sdk/src/v3/shared.ts
@@ -2,9 +2,11 @@ import { SpanKind } from "@opentelemetry/api";
 import { SerializableJson } from "@trigger.dev/core";
 import {
   accessoryAttributes,
+  ApiClient,
   ApiError,
   apiClientManager,
   ApiRequestOptions,
+  conditionallyExportPacket,
   conditionallyImportPacket,
   convertToolParametersToSchema,
   createErrorTaskError,
@@ -22,8 +24,10 @@ import {
   RateLimitError,
   resourceCatalog,
   runtime,
+  sdkScope,
   SemanticInternalAttributes,
   stringifyIO,
+  type IOPacket,
   SubtaskUnwrapError,
   taskContext,
   TaskFromIdentifier,
@@ -90,6 +94,7 @@ import type {
   TaskWithToolOptions,
   ToolTask,
   ToolTaskParameters,
+  TriggerAndSubscribeOptions,
   TriggerAndWaitOptions,
   TriggerApiRequestOptions,
   TriggerOptions,
@@ -128,6 +133,12 @@ export { SubtaskUnwrapError, TaskRunPromise };
 
 export type Context = TaskRunContext;
 
+function scopedEnvVar(name: string): string | undefined {
+  const scope = sdkScope.getStore();
+  if (scope && !scope.inheritContext) return undefined;
+  return getEnvVar(name);
+}
+
 export function queue(options: QueueOptions): Queue {
   resourceCatalog.registerQueueMetadata(options);
 
@@ -214,6 +225,26 @@ export function createTask<
           });
       }, params.id);
     },
+    triggerAndSubscribe: (payload, options) => {
+      return new TaskRunPromise<TIdentifier, TOutput>((resolve, reject) => {
+        triggerAndSubscribe_internal<TIdentifier, TInput, TOutput>(
+          "triggerAndSubscribe()",
+          params.id,
+          payload,
+          undefined,
+          {
+            queue: params.queue?.name,
+            ...options,
+          }
+        )
+          .then((result) => {
+            resolve(result);
+          })
+          .catch((error) => {
+            reject(error);
+          });
+      }, params.id);
+    },
     batchTriggerAndWait: async (items, options) => {
       return await batchTriggerAndWait_internal<TIdentifier, TInput, TOutput>(
         "batchTriggerAndWait()",
@@ -235,6 +266,8 @@ export function createTask<
     queue: params.queue,
     retry: params.retry ? { ...defaultRetryOptions, ...params.retry } : undefined,
     machine: typeof params.machine === "string" ? { preset: params.machine } : params.machine,
+    triggerSource: params.triggerSource,
+    agentConfig: params.agentConfig,
     maxDuration: params.maxDuration,
     ttl: params.ttl,
     payloadSchema: params.jsonSchema,
@@ -259,7 +292,7 @@ export function createTask<
 }
 
 /**
- * @deprecated use ai.tool() instead
+ * @deprecated Use `schemaTask` plus AI SDK `tool()` with `execute: ai.toolExecute(task)` instead.
  */
 export function createToolTask<
   TIdentifier extends string,
@@ -346,6 +379,26 @@ export function createSchemaTask<
           });
       }, params.id);
     },
+    triggerAndSubscribe: (payload, options) => {
+      return new TaskRunPromise<TIdentifier, TOutput>((resolve, reject) => {
+        triggerAndSubscribe_internal<TIdentifier, inferSchemaIn<TSchema>, TOutput>(
+          "triggerAndSubscribe()",
+          params.id,
+          payload,
+          parsePayload,
+          {
+            queue: params.queue?.name,
+            ...options,
+          }
+        )
+          .then((result) => {
+            resolve(result);
+          })
+          .catch((error) => {
+            reject(error);
+          });
+      }, params.id);
+    },
     batchTriggerAndWait: async (items, options) => {
       return await batchTriggerAndWait_internal<TIdentifier, inferSchemaIn<TSchema>, TOutput>(
         "batchTriggerAndWait()",
@@ -367,6 +420,8 @@ export function createSchemaTask<
     queue: params.queue,
     retry: params.retry ? { ...defaultRetryOptions, ...params.retry } : undefined,
     machine: typeof params.machine === "string" ? { preset: params.machine } : params.machine,
+    triggerSource: params.triggerSource,
+    agentConfig: params.agentConfig,
     maxDuration: params.maxDuration,
     ttl: params.ttl,
     fns: {
@@ -465,6 +520,51 @@ export function triggerAndWait<TTask extends AnyTask>(
   }, id);
 }
 
+/**
+ * Trigger a task and subscribe to its updates via realtime. Unlike `triggerAndWait`,
+ * this does NOT suspend the parent run — the parent stays alive and subscribes to updates.
+ * This enables parallel execution and proper abort signal handling.
+ *
+ * @param id - The id of the task to trigger
+ * @param payload
+ * @param options - Options for the task run, including an optional `signal` to cancel the subscription and child run
+ * @returns TaskRunPromise
+ * @example
+ * ```ts
+ * import { tasks } from "@trigger.dev/sdk/v3";
+ * const result = await tasks.triggerAndSubscribe("my-task", { foo: "bar" });
+ *
+ * if (result.ok) {
+ *   console.log(result.output);
+ * } else {
+ *   console.error(result.error);
+ * }
+ * ```
+ */
+export function triggerAndSubscribe<TTask extends AnyTask>(
+  id: TaskIdentifier<TTask>,
+  payload: TaskPayload<TTask>,
+  options?: TriggerAndSubscribeOptions,
+  requestOptions?: TriggerApiRequestOptions
+): TaskRunPromise<TaskIdentifier<TTask>, TaskOutput<TTask>> {
+  return new TaskRunPromise<TaskIdentifier<TTask>, TaskOutput<TTask>>((resolve, reject) => {
+    triggerAndSubscribe_internal<TaskIdentifier<TTask>, TaskPayload<TTask>, TaskOutput<TTask>>(
+      "tasks.triggerAndSubscribe()",
+      id,
+      payload,
+      undefined,
+      options,
+      requestOptions
+    )
+      .then((result) => {
+        resolve(result);
+      })
+      .catch((error) => {
+        reject(error);
+      });
+  }, id);
+}
+
 /**
  * Batch trigger multiple task runs with the given payloads, and wait for the results. Returns the results of the task runs.
  * @param id - The id of the task to trigger
@@ -650,7 +750,7 @@ export async function batchTriggerById<TTask extends AnyTask>(
             machine: item.options?.machine,
             priority: item.options?.priority,
             region: item.options?.region,
-            lockToVersion: item.options?.version ?? getEnvVar("TRIGGER_VERSION"),
+            lockToVersion: item.options?.version ?? scopedEnvVar("TRIGGER_VERSION"),
             debounce: item.options?.debounce,
           },
         };
@@ -1166,7 +1266,7 @@ export async function batchTriggerTasks<TTasks extends readonly AnyTask[]>(
             machine: item.options?.machine,
             priority: item.options?.priority,
             region: item.options?.region,
-            lockToVersion: item.options?.version ?? getEnvVar("TRIGGER_VERSION"),
+            lockToVersion: item.options?.version ?? scopedEnvVar("TRIGGER_VERSION"),
             debounce: item.options?.debounce,
           },
         };
@@ -1830,7 +1930,7 @@ async function* transformBatchItemsStream<TTask extends AnyTask>(
         machine: item.options?.machine,
         priority: item.options?.priority,
         region: item.options?.region,
-        lockToVersion: item.options?.version ?? getEnvVar("TRIGGER_VERSION"),
+        lockToVersion: item.options?.version ?? scopedEnvVar("TRIGGER_VERSION"),
         debounce: item.options?.debounce,
       },
     };
@@ -1933,7 +2033,7 @@ async function* transformBatchByTaskItemsStream<TTasks extends readonly AnyTask[
         machine: item.options?.machine,
         priority: item.options?.priority,
         region: item.options?.region,
-        lockToVersion: item.options?.version ?? getEnvVar("TRIGGER_VERSION"),
+        lockToVersion: item.options?.version ?? scopedEnvVar("TRIGGER_VERSION"),
         debounce: item.options?.debounce,
       },
     };
@@ -2037,7 +2137,7 @@ async function* transformSingleTaskBatchItemsStream<TPayload>(
         machine: item.options?.machine,
         priority: item.options?.priority,
         region: item.options?.region,
-        lockToVersion: item.options?.version ?? getEnvVar("TRIGGER_VERSION"),
+        lockToVersion: item.options?.version ?? scopedEnvVar("TRIGGER_VERSION"),
         debounce: item.options?.debounce,
       },
     };
@@ -2115,8 +2215,7 @@ async function trigger_internal<TRunTypes extends AnyRunTypes>(
   const apiClient = apiClientManager.clientOrThrow(requestOptions?.clientConfig);
 
   const parsedPayload = parsePayload ? await parsePayload(payload) : payload;
-
-  const payloadPacket = await stringifyIO(parsedPayload);
+  const triggerPayloadPacket = await prepareTriggerPayload(parsedPayload, apiClient, id);
 
   // Process idempotency key and extract options for storage
   const processedIdempotencyKey = await makeIdempotencyKey(options?.idempotencyKey);
@@ -2127,12 +2226,12 @@ async function trigger_internal<TRunTypes extends AnyRunTypes>(
   const handle = await apiClient.triggerTask(
     id,
     {
-      payload: payloadPacket.data,
+      payload: triggerPayloadPacket.data,
       options: {
         queue: options?.queue ? { name: options.queue } : undefined,
         concurrencyKey: options?.concurrencyKey,
         test: taskContext.ctx?.run.isTest,
-        payloadType: payloadPacket.dataType,
+        payloadType: triggerPayloadPacket.dataType,
         idempotencyKey: processedIdempotencyKey?.toString(),
         idempotencyKeyTTL: options?.idempotencyKeyTTL,
         idempotencyKeyOptions,
@@ -2146,7 +2245,7 @@ async function trigger_internal<TRunTypes extends AnyRunTypes>(
         machine: options?.machine,
         priority: options?.priority,
         region: options?.region,
-        lockToVersion: options?.version ?? getEnvVar("TRIGGER_VERSION"),
+        lockToVersion: options?.version ?? scopedEnvVar("TRIGGER_VERSION"),
         debounce: options?.debounce,
       },
     },
@@ -2232,7 +2331,7 @@ async function batchTrigger_internal<TRunTypes extends AnyRunTypes>(
             machine: item.options?.machine,
             priority: item.options?.priority,
             region: item.options?.region,
-            lockToVersion: item.options?.version ?? getEnvVar("TRIGGER_VERSION"),
+            lockToVersion: item.options?.version ?? scopedEnvVar("TRIGGER_VERSION"),
           },
         };
       })
@@ -2371,8 +2470,7 @@ async function triggerAndWait_internal<TIdentifier extends string, TPayload, TOu
   const apiClient = apiClientManager.clientOrThrow(requestOptions?.clientConfig);
 
   const parsedPayload = parsePayload ? await parsePayload(payload) : payload;
-
-  const payloadPacket = await stringifyIO(parsedPayload);
+  const triggerPayloadPacket = await prepareTriggerPayload(parsedPayload, apiClient, id);
 
   // Process idempotency key and extract options for storage
   const processedIdempotencyKey = await makeIdempotencyKey(options?.idempotencyKey);
@@ -2386,13 +2484,13 @@ async function triggerAndWait_internal<TIdentifier extends string, TPayload, TOu
       const response = await apiClient.triggerTask(
         id,
         {
-          payload: payloadPacket.data,
+          payload: triggerPayloadPacket.data,
           options: {
             lockToVersion: taskContext.worker?.version, // Lock to current version because we're waiting for it to finish
             queue: options?.queue ? { name: options.queue } : undefined,
             concurrencyKey: options?.concurrencyKey,
             test: taskContext.ctx?.run.isTest,
-            payloadType: payloadPacket.dataType,
+            payloadType: triggerPayloadPacket.dataType,
             delay: options?.delay,
             ttl: options?.ttl,
             tags: options?.tags,
@@ -2441,6 +2539,154 @@ async function triggerAndWait_internal<TIdentifier extends string, TPayload, TOu
   );
 }
 
+async function triggerAndSubscribe_internal<TIdentifier extends string, TPayload, TOutput>(
+  name: string,
+  id: TIdentifier,
+  payload: TPayload,
+  parsePayload?: SchemaParseFn<TPayload>,
+  options?: TriggerAndSubscribeOptions,
+  requestOptions?: TriggerApiRequestOptions
+): Promise<TaskRunResult<TIdentifier, TOutput>> {
+  const ctx = taskContext.ctx;
+
+  if (!ctx) {
+    throw new Error("triggerAndSubscribe can only be used from inside a task.run()");
+  }
+
+  const apiClient = apiClientManager.clientOrThrow(requestOptions?.clientConfig);
+
+  const parsedPayload = parsePayload ? await parsePayload(payload) : payload;
+  const triggerPayloadPacket = await prepareTriggerPayload(parsedPayload, apiClient, id);
+
+  const processedIdempotencyKey = await makeIdempotencyKey(options?.idempotencyKey);
+  const idempotencyKeyOptions = processedIdempotencyKey
+    ? getIdempotencyKeyOptions(processedIdempotencyKey)
+    : undefined;
+
+  return await tracer.startActiveSpan(
+    name,
+    async (span) => {
+      const response = await apiClient.triggerTask(
+        id,
+        {
+          payload: triggerPayloadPacket.data,
+          options: {
+            lockToVersion: taskContext.worker?.version,
+            queue: options?.queue ? { name: options.queue } : undefined,
+            concurrencyKey: options?.concurrencyKey,
+            test: taskContext.ctx?.run.isTest,
+            payloadType: triggerPayloadPacket.dataType,
+            delay: options?.delay,
+            ttl: options?.ttl,
+            tags: options?.tags,
+            maxAttempts: options?.maxAttempts,
+            metadata: options?.metadata,
+            maxDuration: options?.maxDuration,
+            parentRunId: ctx.run.id,
+            // NOTE: no resumeParentOnCompletion — parent stays alive and subscribes
+            idempotencyKey: processedIdempotencyKey?.toString(),
+            idempotencyKeyTTL: options?.idempotencyKeyTTL,
+            idempotencyKeyOptions,
+            machine: options?.machine,
+            priority: options?.priority,
+            region: options?.region,
+            debounce: options?.debounce,
+          },
+        },
+        {},
+        requestOptions
+      );
+
+      // Set attributes after trigger so the dashboard can link to the child run
+      span.setAttribute("messaging.message.id", response.id);
+      span.setAttribute("runId", response.id);
+      span.setAttribute(SemanticInternalAttributes.ENTITY_TYPE, "run");
+      span.setAttribute(SemanticInternalAttributes.ENTITY_ID, response.id);
+
+      // Optionally cancel the child run when the abort signal fires (default: true)
+      const cancelOnAbort = options?.cancelOnAbort !== false;
+      let onAbort: (() => void) | undefined;
+      if (options?.signal && cancelOnAbort) {
+        if (options.signal.aborted) {
+          await apiClient.cancelRun(response.id).catch(() => {});
+          throw new DOMException("Aborted", "AbortError");
+        }
+        onAbort = () => {
+          apiClient.cancelRun(response.id).catch(() => {});
+        };
+        // `{ once: true }` auto-removes the listener on abort, but if the
+        // run completes normally the listener stays attached and pins
+        // `apiClient` + `response.id` until the signal is GC'd. Long-lived
+        // signals shared across many calls accumulate dead listeners; the
+        // `finally` below removes the listener on every exit path.
+        options.signal.addEventListener("abort", onAbort, { once: true });
+      }
+
+      try {
+        for await (const run of apiClient.subscribeToRun(response.id, {
+          closeOnComplete: true,
+          signal: options?.signal,
+          skipColumns: ["payload"],
+        })) {
+          if (run.isSuccess) {
+            // run.output from subscribeToRun is already deserialized
+            return {
+              ok: true as const,
+              id: response.id,
+              taskIdentifier: id as TIdentifier,
+              output: run.output as TOutput,
+            };
+          }
+          if (run.isFailed || run.isCancelled) {
+            // Note: this intentionally diverges from `triggerAndWait`'s
+            // error shape. `triggerAndWait` receives a full `TaskRunError`
+            // (with `type` discriminator: BUILT_IN_ERROR, CUSTOM_ERROR,
+            // INTERNAL_ERROR, STRING_ERROR) via the completion message and
+            // passes it through `createErrorTaskError` to preserve the
+            // discriminator. `subscribeToRun` only surfaces a
+            // `SerializedError` (`{ name, message, stackTrace }`) because
+            // `createJsonErrorObject` strips the discriminator before the
+            // record hits the realtime stream. We can't reconstruct the
+            // discriminator here without lossy guessing — callers that
+            // need exact error-type matching should use `triggerAndWait`
+            // instead; subscribers get message + name only.
+            const error = new Error(run.error?.message ?? `Task ${id} failed (${run.status})`);
+            if (run.error?.name) error.name = run.error.name;
+
+            return {
+              ok: false as const,
+              id: response.id,
+              taskIdentifier: id as TIdentifier,
+              error,
+            };
+          }
+        }
+
+        throw new Error(`Task ${id}: subscription ended without completion`);
+      } finally {
+        if (onAbort && options?.signal) {
+          options.signal.removeEventListener("abort", onAbort);
+        }
+      }
+    },
+    {
+      kind: SpanKind.PRODUCER,
+      attributes: {
+        [SemanticInternalAttributes.STYLE_ICON]: "trigger",
+        ...accessoryAttributes({
+          items: [
+            {
+              text: id,
+              variant: "normal",
+            },
+          ],
+          style: "codepath",
+        }),
+      },
+    }
+  );
+}
+
 async function batchTriggerAndWait_internal<TIdentifier extends string, TPayload, TOutput>(
   name: string,
   id: TIdentifier,
@@ -2829,3 +3075,22 @@ function registerTaskLifecycleHooks<
     });
   }
 }
+
+async function prepareTriggerPayload(
+  payload: unknown,
+  apiClient: ApiClient,
+  taskId: string
+): Promise<IOPacket> {
+  const payloadPacket = await stringifyIO(payload);
+  return await conditionallyExportPacket(
+    payloadPacket,
+    createTriggerPayloadPathPrefix(taskId),
+    undefined,
+    apiClient
+  );
+}
+
+function createTriggerPayloadPathPrefix(taskId: string): string {
+  const safeTaskId = encodeURIComponent(taskId);
+  return `trigger/${safeTaskId}/${Date.now()}-${Math.random().toString(36).slice(2)}/payload`;
+}
diff --git a/packages/trigger-sdk/src/v3/skill.ts b/packages/trigger-sdk/src/v3/skill.ts
new file mode 100644
index 00000000000..a3c145d3836
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/skill.ts
@@ -0,0 +1,211 @@
+import * as fs from "node:fs/promises";
+import * as path from "node:path";
+import { resourceCatalog } from "@trigger.dev/core/v3";
+
+/**
+ * Parsed `SKILL.md` frontmatter. Only `name` + `description` are required;
+ * additional keys are preserved but untyped.
+ */
+export type SkillFrontmatter = {
+  name: string;
+  description: string;
+  [key: string]: unknown;
+};
+
+/**
+ * A resolved skill ready to hand to `chat.skills.set()`. Includes the parsed
+ * SKILL.md content plus the on-disk path to the bundled skill folder.
+ */
+export type ResolvedSkill = {
+  id: string;
+  /** Skill version — `"local"` in Phase 1 until backend-managed overrides land. */
+  version: number | "local";
+  /** Labels applied to this version — empty in Phase 1. */
+  labels: string[];
+  /** Full raw `SKILL.md` content (with frontmatter). */
+  skillMd: string;
+  /** Parsed frontmatter fields. */
+  frontmatter: SkillFrontmatter;
+  /** Body of SKILL.md with the frontmatter block stripped. */
+  body: string;
+  /** Absolute path to the bundled skill folder (scripts, references, assets live here). */
+  path: string;
+};
+
+export type SkillOptions<TIdentifier extends string = string> = {
+  id: TIdentifier;
+  /** Path to the skill source folder, relative to the project root. */
+  path: string;
+};
+
+export type SkillHandle<TIdentifier extends string = string> = {
+  id: TIdentifier;
+  /**
+   * Read the bundled `SKILL.md` from disk and return the resolved skill.
+   *
+   * This is the Phase 1 path — backend-managed overrides are not available
+   * yet. Works locally (during `trigger dev`) and in the deploy image.
+   */
+  local(): Promise<ResolvedSkill>;
+  /**
+   * Resolve the skill against the dashboard (current/override version).
+   *
+   * Not available in Phase 1 — throws. Use `local()` until backend-managed
+   * skills ship.
+   */
+  resolve(): Promise<ResolvedSkill>;
+};
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export type AnySkillHandle = SkillHandle<string>;
+
+/** Extract the id literal type from a SkillHandle. */
+export type SkillIdentifier<T extends AnySkillHandle> = T extends SkillHandle<infer TId>
+  ? TId
+  : string;
+
+/**
+ * Bundled skills are copied to `${cwd}/.trigger/skills/{id}/` by the CLI at
+ * build time. At runtime the same layout holds for both `trigger dev` (cwd
+ * = dev output dir) and deploy (cwd = /app).
+ */
+function bundledSkillPath(id: string): string {
+  return path.resolve(process.cwd(), ".trigger", "skills", id);
+}
+
+const FRONTMATTER_RE = /^---\r?\n([\s\S]*?)\r?\n---\r?\n*/;
+
+/**
+ * Parse a minimal YAML-subset frontmatter block. We only support top-level
+ * string keys like `name: foo` and `description: bar`. Enough for SKILL.md
+ * frontmatter without pulling in a YAML dep.
+ */
+export function parseFrontmatter(content: string): {
+  frontmatter: SkillFrontmatter;
+  body: string;
+} {
+  const match = content.match(FRONTMATTER_RE);
+  if (!match || !match[1]) {
+    throw new Error(
+      "Skill: SKILL.md is missing a frontmatter block. " +
+        "Expected `---\\nname: ...\\ndescription: ...\\n---` at the top of the file."
+    );
+  }
+
+  const raw = match[1];
+  const frontmatter: Record<string, unknown> = {};
+  for (const line of raw.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const idx = trimmed.indexOf(":");
+    if (idx === -1) continue;
+    const key = trimmed.slice(0, idx).trim();
+    let value = trimmed.slice(idx + 1).trim();
+    // Strip surrounding quotes if present
+    if (
+      (value.startsWith('"') && value.endsWith('"')) ||
+      (value.startsWith("'") && value.endsWith("'"))
+    ) {
+      value = value.slice(1, -1);
+    }
+    if (key) frontmatter[key] = value;
+  }
+
+  if (typeof frontmatter.name !== "string" || !frontmatter.name) {
+    throw new Error("Skill: SKILL.md frontmatter is missing required `name` field.");
+  }
+  if (typeof frontmatter.description !== "string" || !frontmatter.description) {
+    throw new Error("Skill: SKILL.md frontmatter is missing required `description` field.");
+  }
+
+  const body = content.slice(match[0].length);
+
+  return { frontmatter: frontmatter as SkillFrontmatter, body };
+}
+
+async function loadLocal(id: string): Promise<ResolvedSkill> {
+  const skillPath = bundledSkillPath(id);
+  const skillMdPath = path.join(skillPath, "SKILL.md");
+
+  let skillMd: string;
+  try {
+    skillMd = await fs.readFile(skillMdPath, "utf8");
+  } catch (err) {
+    throw new Error(
+      `Skill "${id}": could not read SKILL.md at ${skillMdPath}. ` +
+        `Skills must be bundled into .trigger/skills/{id}/ — this usually means ` +
+        `the CLI build step didn't run, or the skill wasn't registered via ai.defineSkill. ` +
+        `Underlying error: ${(err as Error).message}`
+    );
+  }
+
+  const { frontmatter, body } = parseFrontmatter(skillMd);
+
+  return {
+    id,
+    version: "local",
+    labels: [],
+    skillMd,
+    frontmatter,
+    body,
+    path: skillPath,
+  };
+}
+
+/**
+ * Define an agent skill — a developer-authored folder with a `SKILL.md` file
+ * plus optional `scripts/`, `references/`, and `assets/` subfolders. Registers
+ * the skill with the resource catalog so the Trigger.dev CLI can bundle it
+ * into the deploy image automatically (no build extension needed).
+ *
+ * Call `.local()` on the returned handle to load the bundled SKILL.md at
+ * runtime and use it with `chat.skills.set()`.
+ *
+ * @example
+ * ```ts
+ * // trigger/skills/pdf-processing/SKILL.md
+ * // trigger/skills/pdf-processing/scripts/extract.py
+ * import { ai } from "@trigger.dev/sdk";
+ *
+ * export const pdfSkill = ai.defineSkill({
+ *   id: "pdf-processing",
+ *   path: "./skills/pdf-processing",
+ * });
+ *
+ * export const agent = chat.agent({
+ *   id: "docs",
+ *   onChatStart: async () => {
+ *     chat.skills.set([await pdfSkill.local()]);
+ *   },
+ *   run: async ({ messages, signal }) => {
+ *     return streamText({
+ *       model: openai("gpt-4o"),
+ *       messages,
+ *       abortSignal: signal,
+ *       ...chat.toStreamTextOptions(),
+ *     });
+ *   },
+ * });
+ * ```
+ */
+export function defineSkill<TIdentifier extends string>(
+  options: SkillOptions<TIdentifier>
+): SkillHandle<TIdentifier> {
+  resourceCatalog.registerSkillMetadata({
+    id: options.id,
+    sourcePath: options.path,
+  });
+
+  return {
+    id: options.id,
+    async local() {
+      return loadLocal(options.id);
+    },
+    async resolve() {
+      throw new Error(
+        `Skill "${options.id}": resolve() is not available yet — backend-managed ` +
+          `skills ship in Phase 2. Use skill.local() instead.`
+      );
+    },
+  };
+}
diff --git a/packages/trigger-sdk/src/v3/skills.ts b/packages/trigger-sdk/src/v3/skills.ts
new file mode 100644
index 00000000000..6811cda75f4
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/skills.ts
@@ -0,0 +1,9 @@
+export { defineSkill as define } from "./skill.js";
+export type {
+  AnySkillHandle,
+  ResolvedSkill,
+  SkillFrontmatter,
+  SkillHandle,
+  SkillIdentifier,
+  SkillOptions,
+} from "./skill.js";
diff --git a/packages/trigger-sdk/src/v3/streams.ts b/packages/trigger-sdk/src/v3/streams.ts
index 68edc2a64ab..f987872d80a 100644
--- a/packages/trigger-sdk/src/v3/streams.ts
+++ b/packages/trigger-sdk/src/v3/streams.ts
@@ -19,21 +19,57 @@ import {
   ManualWaitpointPromise,
   WaitpointTimeoutError,
   runtime,
+  logger,
   type RealtimeDefinedInputStream,
   type InputStreamSubscription,
   type InputStreamOnceOptions,
   InputStreamOncePromise,
   type InputStreamOnceResult,
   type InputStreamWaitOptions,
+  type InputStreamWaitWithIdleTimeoutOptions,
   type SendInputStreamOptions,
   type InferInputStreamType,
+  type StreamWriteResult,
 } from "@trigger.dev/core/v3";
 import { conditionallyImportAndParsePacket } from "@trigger.dev/core/v3/utils/ioSerialization";
 import { tracer } from "./tracer.js";
+import { locals } from "./locals.js";
 import { SpanStatusCode } from "@opentelemetry/api";
 
 const DEFAULT_STREAM_KEY = "default";
 
+// `chat.agent` sets this once at the top of every run via
+// `markChatAgentRunForStreamsWarning`. The flag lives on the run's
+// AsyncLocalStorage frame, so it naturally resets between runs and stays
+// invisible to subtasks (where `streams.*` is a normal API).
+const inChatAgentRunKey = locals.create<boolean>("streams.inChatAgentRun");
+// Once-per-run dedup. `streams.*` callers inside a chat.agent run get the
+// nudge on the first call and silence afterwards; a single tight loop
+// won't spam the logs.
+const chatAgentStreamsWarnedKey = locals.create<boolean>("streams.chatAgentWarned");
+
+/**
+ * Marks the current run as a `chat.agent` run so subsequent `streams.pipe` /
+ * `streams.append` / `streams.read` calls can warn the user that they're
+ * writing to a run-scoped stream rather than the chat's `session.out`.
+ *
+ * Called from inside the `chat.agent` task wrapper at the top of every run.
+ *
+ * @internal
+ */
+export function markChatAgentRunForStreamsWarning(): void {
+  locals.set(inChatAgentRunKey, true);
+}
+
+function warnIfChatAgentStreamsMisuse(method: "pipe" | "append" | "read" | "writer"): void {
+  if (!locals.get(inChatAgentRunKey)) return;
+  if (locals.get(chatAgentStreamsWarnedKey)) return;
+  locals.set(chatAgentStreamsWarnedKey, true);
+  logger.warn(
+    `streams.${method}() was called inside a chat.agent run. This writes to a run-scoped realtime stream and is NOT visible on the chat session, so the chat UI will not see these chunks. For chat output use chat.response.write() or chat.stream.* instead. See https://trigger.dev/docs/ai-chat/patterns/large-payloads. (Logged once per run; subsequent streams.${method}() calls in this run are silent.)`
+  );
+}
+
 /**
  * Pipes data to a realtime stream using the default stream key (`"default"`).
  *
@@ -139,7 +175,7 @@ function pipe<T>(
     opts = valueOrOptions as PipeStreamOptions | undefined;
   }
 
-  return pipeInternal(key, value, opts, "streams.pipe()");
+  return pipeInternal(key, value, opts, opts?.spanName ?? "streams.pipe()");
 }
 
 /**
@@ -152,6 +188,7 @@ function pipeInternal<T>(
   opts: PipeStreamOptions | undefined,
   spanName: string
 ): PipeStreamResult<T> {
+  warnIfChatAgentStreamsMisuse(spanName === "streams.writer()" ? "writer" : "pipe");
   const runId = getRunIdForOptions(opts);
 
   if (!runId) {
@@ -167,6 +204,7 @@ function pipeInternal<T>(
       [SemanticInternalAttributes.ENTITY_TYPE]: "realtime-stream",
       [SemanticInternalAttributes.ENTITY_ID]: `${runId}:${key}`,
       [SemanticInternalAttributes.STYLE_ICON]: "streams",
+      ...(opts?.collapsed ? { [SemanticInternalAttributes.COLLAPSED]: true } : {}),
       ...accessoryAttributes({
         items: [
           {
@@ -194,7 +232,9 @@ function pipeInternal<T>(
 
     return {
       stream: instance.stream,
-      waitUntilComplete: () => instance.wait(),
+      waitUntilComplete: async () => {
+        return instance.wait();
+      },
     };
   } catch (error) {
     // if the error is a signal abort error, we need to end the span but not record an exception
@@ -320,6 +360,7 @@ async function readStreamImpl<T>(
   key: string,
   options?: ReadStreamOptions
 ): Promise<AsyncIterableStream<T>> {
+  warnIfChatAgentStreamsMisuse("read");
   const apiClient = apiClientManager.clientOrThrow();
 
   const span = tracer.startSpan("streams.read()", {
@@ -398,6 +439,7 @@ async function appendInternal<TPart extends BodyInit>(
   part: TPart,
   options?: AppendStreamOptions
 ): Promise<void> {
+  warnIfChatAgentStreamsMisuse("append");
   const runId = getRunIdForOptions(options);
 
   if (!runId) {
@@ -640,7 +682,7 @@ function writerInternal<TPart>(key: string, options: WriterStreamOptions<TPart>)
     }
   });
 
-  return pipeInternal(key, stream, options, "streams.writer()");
+  return pipeInternal(key, stream, options, options.spanName ?? "streams.writer()");
 }
 
 export type RealtimeDefineStreamOptions = {
@@ -656,8 +698,18 @@ function define<TPart>(opts: RealtimeDefineStreamOptions): RealtimeDefinedStream
     read(runId, options) {
       return read(runId, opts.id, options);
     },
-    append(value, options) {
-      return append(opts.id, value as BodyInit, options);
+    async append(value, options) {
+      // Use a single-write writer so objects are serialized the same way
+      // as stream.writer() — the raw append API sends BodyInit which
+      // doesn't serialize objects correctly for SSE consumers.
+      const { waitUntilComplete } = writer(opts.id, {
+        ...options,
+        spanName: "streams.append()",
+        execute: ({ write }) => {
+          write(value);
+        },
+      });
+      await waitUntilComplete();
     },
     writer(options) {
       return writer(opts.id, options);
@@ -713,7 +765,7 @@ function input<TData>(opts: { id: string }): RealtimeDefinedInputStream<TData> {
       return new InputStreamOncePromise<TData>((resolve, reject) => {
         tracer
           .startActiveSpan(
-            `inputStream.once()`,
+            options?.spanName ?? `inputStream.once()`,
             async () => {
               const result = await innerPromise;
               resolve(result as InputStreamOnceResult<TData>);
@@ -750,23 +802,21 @@ function input<TData>(opts: { id: string }): RealtimeDefinedInputStream<TData> {
 
           const apiClient = apiClientManager.clientOrThrow();
 
+          // Create the waitpoint before the span so we have the entity ID upfront
+          const response = await apiClient.createInputStreamWaitpoint(ctx.run.id, {
+            streamId: opts.id,
+            timeout: options?.timeout,
+            idempotencyKey: options?.idempotencyKey,
+            idempotencyKeyTTL: options?.idempotencyKeyTTL,
+            tags: options?.tags,
+            lastSeqNum: inputStreams.lastSeqNum(opts.id),
+          });
+
           const result = await tracer.startActiveSpan(
-            `inputStream.wait()`,
+            options?.spanName ?? `inputStream.wait()`,
             async (span) => {
-              // 1. Create a waitpoint linked to this input stream
-              const response = await apiClient.createInputStreamWaitpoint(ctx.run.id, {
-                streamId: opts.id,
-                timeout: options?.timeout,
-                idempotencyKey: options?.idempotencyKey,
-                idempotencyKeyTTL: options?.idempotencyKeyTTL,
-                tags: options?.tags,
-                lastSeqNum: inputStreams.lastSeqNum(opts.id),
-              });
-
-              // Set the entity ID now that we have the waitpoint ID
-              span.setAttribute(SemanticInternalAttributes.ENTITY_ID, response.waitpointId);
 
-              // 2. Block the run on the waitpoint
+              // 1. Block the run on the waitpoint
               const waitResponse = await apiClient.waitForWaitpointToken({
                 runFriendlyId: ctx.run.id,
                 waitpointFriendlyId: response.waitpointId,
@@ -776,6 +826,12 @@ function input<TData>(opts: { id: string }): RealtimeDefinedInputStream<TData> {
                 throw new Error("Failed to block on input stream waitpoint");
               }
 
+              // 2. Disconnect the SSE tail and clear the buffer before suspending.
+              // Without this, the tail stays alive during the suspension window and
+              // may buffer a copy of the same message that will be delivered via the
+              // waitpoint, causing a duplicate on resume.
+              inputStreams.disconnectStream(opts.id);
+
               // 3. Suspend the task
               const waitResult = await runtime.waitUntil(response.waitpointId);
 
@@ -792,6 +848,12 @@ function input<TData>(opts: { id: string }): RealtimeDefinedInputStream<TData> {
                   : undefined;
 
               if (waitResult.ok) {
+                // Advance the seq counter so the SSE tail doesn't replay
+                // the record that was consumed via the waitpoint path when
+                // it lazily reconnects on the next on()/once() call.
+                const prevSeq = inputStreams.lastSeqNum(opts.id);
+                inputStreams.setLastSeqNum(opts.id, (prevSeq ?? -1) + 1);
+
                 return { ok: true as const, output: data as TData };
               } else {
                 const error = new WaitpointTimeoutError(data?.message ?? "Timed out");
@@ -806,6 +868,7 @@ function input<TData>(opts: { id: string }): RealtimeDefinedInputStream<TData> {
               attributes: {
                 [SemanticInternalAttributes.STYLE_ICON]: "wait",
                 [SemanticInternalAttributes.ENTITY_TYPE]: "waitpoint",
+                [SemanticInternalAttributes.ENTITY_ID]: response.waitpointId,
                 streamId: opts.id,
                 ...accessoryAttributes({
                   items: [
@@ -826,6 +889,70 @@ function input<TData>(opts: { id: string }): RealtimeDefinedInputStream<TData> {
         }
       });
     },
+    async waitWithIdleTimeout(options) {
+      const self = this;
+      const spanName = options.spanName ?? `inputStream.waitWithIdleTimeout()`;
+
+      return tracer.startActiveSpan(
+        spanName,
+        async (span) => {
+          // Idle phase: keep compute alive
+          if (options.idleTimeoutInSeconds > 0) {
+            const warm = await inputStreams.once(opts.id, {
+              timeoutMs: options.idleTimeoutInSeconds * 1000,
+            });
+            if (warm.ok) {
+              span.setAttribute("wait.resolved", "idle");
+              return { ok: true as const, output: warm.output as TData };
+            }
+          }
+
+          // Skip suspend if requested — return a real WaitpointTimeoutError
+          // so the result shape matches the cold-phase `self.wait()` path
+          // below. Callers that check `if (!result.ok)` work the same as
+          // before; callers that do `throw result.error` get a useful error
+          // instead of `undefined`.
+          if (options.skipSuspend) {
+            span.setAttribute("wait.resolved", "skipped");
+            return {
+              ok: false as const,
+              error: new WaitpointTimeoutError(
+                "Idle timeout elapsed and skipSuspend is set"
+              ),
+            };
+          }
+
+          // Fire onSuspend callback before entering cold phase
+          if (options.onSuspend) {
+            await options.onSuspend();
+          }
+
+          // Cold phase: suspend via .wait() — creates a child span
+          span.setAttribute("wait.resolved", "suspended");
+          const waitResult = await self.wait({
+            timeout: options.timeout,
+            spanName: "suspended",
+          });
+
+          // Fire onResume callback after successful resume
+          if (waitResult.ok && options.onResume) {
+            await options.onResume();
+          }
+
+          return waitResult;
+        },
+        {
+          attributes: {
+            [SemanticInternalAttributes.STYLE_ICON]: "streams",
+            streamId: opts.id,
+            ...accessoryAttributes({
+              items: [{ text: opts.id, variant: "normal" }],
+              style: "codepath",
+            }),
+          },
+        }
+      );
+    },
     async send(runId, data, options) {
       return tracer.startActiveSpan(
         `inputStream.send()`,
diff --git a/packages/trigger-sdk/src/v3/tasks.ts b/packages/trigger-sdk/src/v3/tasks.ts
index 75b7e85e625..5781a104229 100644
--- a/packages/trigger-sdk/src/v3/tasks.ts
+++ b/packages/trigger-sdk/src/v3/tasks.ts
@@ -20,6 +20,7 @@ import {
   SubtaskUnwrapError,
   trigger,
   triggerAndWait,
+  triggerAndSubscribe,
 } from "./shared.js";
 
 export { SubtaskUnwrapError };
@@ -96,6 +97,7 @@ export const tasks = {
   trigger,
   batchTrigger,
   triggerAndWait,
+  triggerAndSubscribe,
   batchTriggerAndWait,
   /** @deprecated Use onStartAttempt instead */
   onStart,
diff --git a/packages/trigger-sdk/src/v3/test/index.ts b/packages/trigger-sdk/src/v3/test/index.ts
new file mode 100644
index 00000000000..cdeded1a7a8
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/test/index.ts
@@ -0,0 +1,23 @@
+// Importing this module installs an in-memory resource catalog so that
+// chat.agent() calls (which run at import time) register their task
+// functions where the test harness can find them.
+//
+// Users should import `@trigger.dev/sdk/ai/test` BEFORE their agent
+// modules so the registration side-effect runs first.
+import "./setup-catalog.js";
+
+export {
+  mockChatAgent,
+  type MockChatAgentOptions,
+  type MockChatAgentHarness,
+  type MockChatAgentTurn,
+} from "./mock-chat-agent.js";
+
+// Re-export the lower-level task context harness so consumers can build
+// their own test helpers without adding a separate `@trigger.dev/core`
+// dependency to their reference projects.
+export {
+  runInMockTaskContext,
+  type MockTaskContextDrivers,
+  type MockTaskContextOptions,
+} from "@trigger.dev/core/v3/test";
diff --git a/packages/trigger-sdk/src/v3/test/mock-chat-agent.ts b/packages/trigger-sdk/src/v3/test/mock-chat-agent.ts
new file mode 100644
index 00000000000..70eae4696d9
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/test/mock-chat-agent.ts
@@ -0,0 +1,804 @@
+import type { UIMessage, UIMessageChunk } from "ai";
+import { resourceCatalog } from "@trigger.dev/core/v3";
+import type { LocalsKey } from "@trigger.dev/core/v3";
+import {
+  runInMockTaskContext,
+  type MockTaskContextOptions,
+} from "@trigger.dev/core/v3/test";
+import {
+  __setSessionOpenImplForTests,
+  __setSessionStartImplForTests,
+} from "../sessions.js";
+import {
+  __setReadChatSnapshotImplForTests,
+  __setReplaySessionInTailImplForTests,
+  __setReplaySessionOutTailImplForTests,
+  __setWriteChatSnapshotImplForTests,
+  type ChatSnapshotV1,
+} from "../ai.js";
+import {
+  createTestSessionHandle,
+  type TestSessionOutState,
+} from "./test-session-handle.js";
+
+/** Pre-seed locals before the agent's `run()` starts. */
+export type SetupLocals = (locals: {
+  set<T>(key: LocalsKey<T>, value: T): void;
+}) => void | Promise<void>;
+
+// The slim wire payload shape used by chat.agent tasks. Kept loose here so we
+// don't import from the backend-only ai.ts module. At most ONE message per
+// record — runtime rebuilds prior history from snapshot + replay at boot.
+type ChatWirePayload = {
+  /** At most one message — singular under the slim wire. Set on submit-message. */
+  message?: UIMessage;
+  /** Bespoke escape hatch — only set on `trigger: "handover-prepare"`. */
+  headStartMessages?: UIMessage[];
+  chatId: string;
+  trigger:
+    | "submit-message"
+    | "regenerate-message"
+    | "preload"
+    | "close"
+    | "action"
+    | "handover-prepare";
+  messageId?: string;
+  metadata?: unknown;
+  action?: unknown;
+  continuation?: boolean;
+  previousRunId?: string;
+  idleTimeoutInSeconds?: number;
+  sessionId?: string;
+};
+
+/** A reference to a `chat.agent` task returned by `chat.agent({ id, ... })`. */
+type ChatAgentHandle = { id: string };
+
+/**
+ * Options for `mockChatAgent`.
+ */
+export type MockChatAgentOptions = {
+  /** The chat session id passed into every wire payload. Defaults to `"test-chat"`. */
+  chatId?: string;
+  /** Client-provided metadata (`clientData`) for the session. */
+  clientData?: unknown;
+  /** Task context overrides passed through to {@link runInMockTaskContext}. */
+  taskContext?: MockTaskContextOptions;
+  /**
+   * Whether to start the task in preload mode. Defaults to `true` so the
+   * first `sendMessage()` triggers the first turn via the preload path.
+   * Set to `false` to skip preload — the first `sendMessage()` starts turn 0 directly.
+   *
+   * Ignored when `mode: "handover-prepare"` is set.
+   */
+  preload?: boolean;
+  /**
+   * Initial trigger the agent boots with. Defaults to `"preload"` (or
+   * `"submit-message"` when `preload: false`, or `"continuation"` when
+   * `continuation: true`).
+   *
+   * - `"preload"` — fresh chat preloaded via `transport.preload`. Fires
+   *   `onPreload`, waits for the first message.
+   * - `"submit-message"` — fresh chat with the first message in the boot
+   *   payload (the `chat.createStartSessionAction({ basePayload: { message } })`
+   *   pattern). Goes straight to turn 0.
+   * - `"continuation"` — new run picking up an existing session after the
+   *   prior run ended (`chat.endRun`, waitpoint timeout, `chat.requestUpgrade`).
+   *   Boots with `trigger` omitted and `continuation: true` — mirrors what
+   *   the server's `ensureRunForSession` / `swapSessionRun` produces in
+   *   production. The SDK enters its continuation-wait branch; `onPreload`
+   *   and `onChatStart` do NOT fire on this run.
+   * - `"handover-prepare"` — drives the chat.handover wait branch; call
+   *   `sendHandover()` / `sendHandoverSkip()` to dispatch the handover signal.
+   */
+  mode?: "preload" | "submit-message" | "handover-prepare" | "continuation";
+  /**
+   * First-turn UIMessage history shipped on the BOOT payload. Only
+   * meaningful with `mode: "handover-prepare"` — mirrors the
+   * `chat.headStart` route handler's `basePayload.headStartMessages`.
+   */
+  headStartMessages?: UIMessage[];
+  /**
+   * Pre-seed the snapshot the agent reads at run boot. The runtime's
+   * snapshot read is replaced with one that returns this snapshot
+   * (skipping the real S3 GET). Use to drive boot scenarios — fresh
+   * boot with prior history, OOM-retry boot with stale snapshot, etc.
+   * Pass `undefined` (the default) to start with no snapshot.
+   *
+   * See plan section B.3 for the boot orchestration spec.
+   */
+  snapshot?: ChatSnapshotV1;
+  /**
+   * Set `payload.continuation = true` on the initial wire payload. Used
+   * to simulate a continuation-run boot (a new run picking up after a
+   * prior run on the same session ended via `chat.endRun`, waitpoint
+   * timeout, or `chat.requestUpgrade`).
+   *
+   * Setting this without specifying `mode` auto-selects `mode:
+   * "continuation"` — the SDK boot path enters its continuation-wait
+   * branch and waits silently on `session.in` for the first user
+   * message. `onPreload` and `onChatStart` do NOT fire on this run.
+   *
+   * Defaults to `false` (fresh run).
+   */
+  continuation?: boolean;
+  /**
+   * Set `payload.previousRunId` on the initial wire payload. Forwarded
+   * to `onChatStart` / `onTurnStart` and used by the boot gate as a
+   * prior-state signal. Usually paired with `continuation: true`.
+   */
+  previousRunId?: string;
+  /**
+   * Callback that runs **before** the agent's `run()` is invoked, with a
+   * `set` function for pre-seeding locals. Use this to inject server-side
+   * dependencies (database clients, service stubs) that the agent reads
+   * via `locals.get()` in its hooks.
+   *
+   * @example
+   * ```ts
+   * import { dbKey } from "./db";
+   *
+   * const harness = mockChatAgent(agent, {
+   *   chatId: "test-1",
+   *   setupLocals: (locals) => {
+   *     locals.set(dbKey, testDb);
+   *   },
+   * });
+   * ```
+   */
+  setupLocals?: SetupLocals;
+};
+
+/**
+ * Result of a single turn, returned by driver methods like `sendMessage()`.
+ */
+export type MockChatAgentTurn = {
+  /** UIMessageChunks emitted during this turn (excludes control chunks like turn-complete). */
+  chunks: UIMessageChunk[];
+  /** All raw chunks including control chunks (turn-complete, upgrade-required, etc.). */
+  rawChunks: unknown[];
+};
+
+/**
+ * Harness returned by `mockChatAgent`. Drives a `chat.agent` task end-to-end
+ * without network or task runtime.
+ */
+export type MockChatAgentHarness = {
+  /** The chat session id used by this harness. */
+  readonly chatId: string;
+
+  /**
+   * Send a single user message (or tool-approval-responded assistant
+   * message) and wait for the next turn-complete. Returns the chunks
+   * produced during this turn.
+   *
+   * Slim wire: at most ONE message per send. The agent reconstructs prior
+   * history from snapshot + session.out replay at run boot.
+   */
+  sendMessage(message: UIMessage): Promise<MockChatAgentTurn>;
+
+  /**
+   * Send a regenerate signal (no message body — slim wire). The agent
+   * trims trailing assistant messages from its in-memory accumulator and
+   * re-runs. Waits for turn-complete.
+   */
+  sendRegenerate(): Promise<MockChatAgentTurn>;
+
+  /**
+   * Drive the head-start path: sends `trigger: "handover-prepare"` with
+   * `headStartMessages` carrying the first-turn UIMessage history. Used
+   * only at the very first turn before any snapshot exists. The route
+   * handler ships full UIMessage history through this path because the
+   * customer's HTTP endpoint isn't subject to the `/in/append` cap.
+   */
+  sendHeadStart(args: { messages: UIMessage[] }): Promise<MockChatAgentTurn>;
+
+  /** Send a custom action and wait for the next turn-complete. */
+  sendAction(action: unknown): Promise<MockChatAgentTurn>;
+
+  /** Fire a stop signal. Does not wait for the turn — the task keeps running. */
+  sendStop(message?: string): Promise<void>;
+
+  /**
+   * Dispatch a `handover` signal — the agent picks up partial assistant
+   * messages and continues the turn. Only meaningful when the harness
+   * was started with `mode: "handover-prepare"`. Waits for turn-complete.
+   *
+   * `isFinal: false` (default) — agent runs `streamText` which executes
+   * any pending tool-calls (via the approval round) and resumes from
+   * step 2.
+   *
+   * `isFinal: true` — agent runs lifecycle hooks but skips `streamText`.
+   * The partial IS the response; `onTurnComplete` fires with it.
+   */
+  sendHandover(args: {
+    partialAssistantMessage: unknown[];
+    isFinal?: boolean;
+    messageId?: string;
+  }): Promise<MockChatAgentTurn>;
+
+  /**
+   * Dispatch a `handover-skip` signal — the agent exits cleanly without
+   * firing turn hooks. Only meaningful when the harness was started
+   * with `mode: "handover-prepare"`. Awaits the run finishing.
+   */
+  sendHandoverSkip(): Promise<void>;
+
+  /**
+   * Pre-seed the snapshot read for the next boot. The runtime's snapshot
+   * read returns this snapshot (skipping S3). Pass `undefined` to clear —
+   * the boot then sees no snapshot and falls through to replay-only.
+   *
+   * Effective on the next run boot only. Calling mid-turn is a no-op
+   * because the snapshot read happens once at run boot.
+   */
+  seedSnapshot(snapshot: ChatSnapshotV1 | undefined): void;
+
+  /**
+   * Pre-seed `session.out` chunks for the next boot's replay. The runtime's
+   * `replaySessionOutTail` returns whatever the synthetic chunks reduce
+   * to. Pass `[]` to clear (boot replay returns no messages).
+   *
+   * Requires `__setReplaySessionOutTailImplForTests` exported from
+   * `ai.ts`. The harness throws a clear error at call time if that hook
+   * isn't available.
+   */
+  seedSessionOutTail(chunks?: UIMessageChunk[]): void;
+
+  /**
+   * Pre-seed a trailing partial assistant message for the next boot's
+   * replay. The runtime's `replaySessionOutTail` returns this as the
+   * `partial` field (alongside whatever `seedSessionOutTail` reduces
+   * to). Use to simulate cancel-mid-stream: an assistant message whose
+   * `finish` chunk never arrived. Pass `undefined` to clear.
+   *
+   * Effective on the next run boot only.
+   */
+  seedSessionOutPartial(partial: UIMessage | undefined): void;
+
+  /**
+   * Pre-seed user messages on the `session.in` tail for the next boot's
+   * replay. Each message is paired with a synthetic seq_num (`i + 1`).
+   * Used to simulate in-flight users the dead predecessor was supposed
+   * to process. Pass `[]` to clear.
+   *
+   * Effective on the next run boot only.
+   */
+  seedSessionInTail(messages: UIMessage[]): void;
+
+  /**
+   * The most recently written snapshot, or `undefined` if no snapshot
+   * has been written yet. Updated each time `writeChatSnapshot` is
+   * invoked from the run loop's snapshot-write site (plan section B.6).
+   */
+  getSnapshot(): ChatSnapshotV1 | undefined;
+
+  /**
+   * Close the chat session cleanly. Sends `trigger: "close"` and awaits the
+   * task's `run()` function returning. Call this at the end of every test
+   * (or use `await using`) so the background task isn't left dangling.
+   */
+  close(): Promise<void>;
+
+  /** All UIMessageChunks emitted since the harness was created. */
+  readonly allChunks: UIMessageChunk[];
+
+  /** Every raw chunk (including control chunks) emitted since the harness was created. */
+  readonly allRawChunks: unknown[];
+};
+
+const CONTROL_CHUNK_TYPES = new Set([
+  "trigger:turn-complete",
+  "trigger:upgrade-required",
+]);
+
+function isControlChunk(chunk: unknown): boolean {
+  if (typeof chunk !== "object" || chunk === null) return false;
+  const type = (chunk as { type?: string }).type;
+  return typeof type === "string" && CONTROL_CHUNK_TYPES.has(type);
+}
+
+/**
+ * Create an offline test harness for a `chat.agent` task.
+ *
+ * The harness starts the agent's `run()` function in a mocked task context,
+ * waits in preload for the first message, then exposes driver methods for
+ * sending messages / actions / stop signals and awaiting turn completion.
+ *
+ * Users are responsible for mocking the language model themselves — use
+ * `MockLanguageModelV3` and `simulateReadableStream` from `ai/test` inside
+ * their agent's `run()` function (typically via DI through `clientData`).
+ *
+ * @example
+ * ```ts
+ * import { mockChatAgent } from "@trigger.dev/sdk/ai/test";
+ * import { MockLanguageModelV3, simulateReadableStream } from "ai/test";
+ * import { myAgent } from "./my-agent";
+ *
+ * test("says hello", async () => {
+ *   const harness = mockChatAgent(myAgent, { chatId: "test-1" });
+ *   try {
+ *     const turn = await harness.sendMessage({
+ *       id: "m1",
+ *       role: "user",
+ *       parts: [{ type: "text", text: "hi" }],
+ *     });
+ *     expect(turn.chunks).toContainEqual(
+ *       expect.objectContaining({ type: "text-delta", delta: "hello" })
+ *     );
+ *   } finally {
+ *     await harness.close();
+ *   }
+ * });
+ * ```
+ */
+export function mockChatAgent(
+  agent: ChatAgentHandle,
+  options: MockChatAgentOptions = {}
+): MockChatAgentHarness {
+  const chatId = options.chatId ?? "test-chat";
+  // The agent opens the session with `payload.sessionId ?? payload.chatId`.
+  // We pass no sessionId, so it falls back to chatId.
+  const sessionId = chatId;
+  // `continuation: true` without an explicit mode auto-selects "continuation"
+  // — the canonical shape for a continuation-run boot.
+  const mode: "preload" | "submit-message" | "handover-prepare" | "continuation" =
+    options.mode ??
+    (options.continuation === true
+      ? "continuation"
+      : options.preload === false
+        ? "submit-message"
+        : "preload");
+  const clientData = options.clientData;
+
+  const taskEntry = resourceCatalog.getTask(agent.id);
+  if (!taskEntry) {
+    throw new Error(
+      `mockChatAgent: no task registered with id "${agent.id}". ` +
+        `Import "@trigger.dev/sdk/ai/test" before your agent module so tasks register correctly.`
+    );
+  }
+
+  const runFn = taskEntry.fns.run;
+
+  // Session .out state: chunks + listener registry. Shared between the
+  // harness and the TestSessionOutputChannel installed via the open-override.
+  const sessionOutState: TestSessionOutState = {
+    chunks: [],
+    listeners: new Set(),
+  };
+
+  // Buffers that survive across harness method calls
+  const allRawChunks: unknown[] = [];
+  const allChunks: UIMessageChunk[] = [];
+
+  // Promise that resolves when the background task run() function returns.
+  let taskFinished!: Promise<void>;
+  let sendSessionInput!: (sessionId: string, data: unknown) => Promise<void>;
+  let closeSessionInput: ((sessionId: string) => void) | undefined;
+  let runSignal!: AbortController;
+
+  // A latch that resolves every time `trigger:turn-complete` appears on the chat stream.
+  // We use a shared pending promise and replace it after each completion.
+  let turnCompleteResolvers: Array<() => void> = [];
+  const waitForTurnComplete = () =>
+    new Promise<void>((resolve) => {
+      turnCompleteResolvers.push(resolve);
+    });
+
+  // Signal that the caller is ready to observe output
+  let harnessReadyResolve!: () => void;
+  const harnessReady = new Promise<void>((resolve) => {
+    harnessReadyResolve = resolve;
+  });
+
+  // ── Snapshot read/write override state ───────────────────────────────
+  // The runtime's snapshot read returns whatever `seededSnapshot` is at
+  // boot time. The runtime's snapshot write captures into
+  // `lastWrittenSnapshot` for harness consumers to assert via
+  // `getSnapshot()`. Installed below alongside the session overrides;
+  // cleared on close in the same finally block.
+  let seededSnapshot: ChatSnapshotV1 | undefined = options.snapshot;
+  let lastWrittenSnapshot: ChatSnapshotV1 | undefined;
+  let seededReplayChunks: UIMessageChunk[] = [];
+  let seededReplayPartial: UIMessage | undefined;
+  let seededSessionInMessages: UIMessage[] = [];
+
+  __setReadChatSnapshotImplForTests(<T extends UIMessage>(_id: string) => {
+    return seededSnapshot as ChatSnapshotV1<T> | undefined;
+  });
+  __setWriteChatSnapshotImplForTests(<T extends UIMessage>(_id: string, snapshot: ChatSnapshotV1<T>) => {
+    lastWrittenSnapshot = snapshot as ChatSnapshotV1;
+  });
+
+  // Replay override: install a default that returns whatever
+  // `seededReplayChunks` reduces to. `mockChatAgent` doesn't model the
+  // settled-vs-partial split — seeded chunks always reduce to the
+  // `settled` array with `partial: undefined`. Recovery-specific
+  // tests can install their own override to seed a partial.
+  // Cleared in the same `finally` block as the other test overrides.
+  __setReplaySessionOutTailImplForTests(async () => {
+    const settled =
+      seededReplayChunks.length === 0
+        ? []
+        : ((await reduceChunksToMessages(seededReplayChunks)) as unknown[]);
+    // For the mock harness, `partialRaw` is the same as `partial` — we
+    // don't model cleanupAbortedParts separately. Recovery tests that
+    // need a partialRaw distinct from partial install their own stub.
+    return {
+      settled,
+      partial: seededReplayPartial,
+      partialRaw: seededReplayPartial,
+    } as never;
+  });
+
+  // session.in tail override: each seeded UIMessage becomes a
+  // { message, metadata: undefined, seqNum: i+1 } entry. Mirrors the
+  // seq-num pattern from the out-tail stub so cursor-advance logic is
+  // exercised correctly. `metadata` is `undefined` for seeded users —
+  // the boot path falls back to `payload.metadata` for those.
+  __setReplaySessionInTailImplForTests(async () => {
+    return seededSessionInMessages.map((message, i) => ({
+      message,
+      metadata: undefined,
+      seqNum: i + 1,
+    })) as never;
+  });
+
+  // Install the session open override so `sessions.open(id)` returns a
+  // SessionHandle with an in-memory `.out` that captures writes. The
+  // `.in` channel routes record subscriptions (`on`/`once`/`peek`)
+  // through the `sessionStreams` global — the mock task context
+  // installs a `TestSessionStreamManager` there — and stubs `wait()`
+  // so the suspend path resolves cleanly on `runSignal.abort()` without
+  // touching the api client.
+  __setSessionOpenImplForTests((id) =>
+    createTestSessionHandle(id, sessionOutState, () => runSignal?.signal)
+  );
+
+  // Install the session start override so any test path that invokes
+  // `sessions.start()` (typically through a server action shim like
+  // `chat.createStartSessionAction`) becomes a no-op fixture instead of
+  // hitting a real API. Most chat.agent tests trigger the run directly
+  // via `sendPayloadAndWait` and never go through this path, but the
+  // stub keeps the API safe to call from inside tested code.
+  __setSessionStartImplForTests((body) => {
+    if (process.env.TRIGGER_CHAT_TEST_DEBUG === "1") {
+      console.log("[mockChatAgent] sessions.start override:", body);
+    }
+    const fakeRunId = `run_test_${body.externalId ?? "anon"}`;
+    return {
+      id: `session_test_${body.externalId ?? "anon"}`,
+      externalId: body.externalId ?? null,
+      type: body.type,
+      taskIdentifier: body.taskIdentifier,
+      triggerConfig: body.triggerConfig,
+      currentRunId: fakeRunId,
+      runId: fakeRunId,
+      publicAccessToken: "tr_test_session_pat",
+      tags: body.tags ?? [],
+      metadata: (body.metadata ?? null) as Record<string, unknown> | null,
+      closedAt: null,
+      closedReason: null,
+      expiresAt: null,
+      createdAt: new Date(0),
+      updatedAt: new Date(0),
+      isCached: false,
+    };
+  });
+
+  taskFinished = runInMockTaskContext(
+    async (drivers) => {
+      runSignal = new AbortController();
+
+      // For `mode: "continuation"`, omit `trigger` from the wire payload —
+      // mirrors what the server's `ensureRunForSession` / `swapSessionRun`
+      // produces (the continuation overrides clear `trigger` so the SDK
+      // boot path falls into the continuation-wait branch instead of
+      // re-firing the basePayload's stale first-run trigger). `continuation:
+      // true` is set unconditionally for this mode so the boot path's
+      // continuation-wait condition matches.
+      const isContinuationMode = mode === "continuation";
+      const initialPayload: ChatWirePayload = {
+        chatId,
+        ...(isContinuationMode
+          ? { trigger: undefined as never, continuation: true }
+          : { trigger: mode }),
+        metadata: clientData,
+        ...(!isContinuationMode && options.continuation ? { continuation: true } : {}),
+        ...(options.previousRunId ? { previousRunId: options.previousRunId } : {}),
+        ...(options.headStartMessages ? { headStartMessages: options.headStartMessages } : {}),
+      };
+
+      sendSessionInput = drivers.sessions.in.send;
+      closeSessionInput = drivers.sessions.in.close;
+
+      // Record every chunk written to session.out, detect turn-complete.
+      const listener = (chunk: unknown) => {
+        allRawChunks.push(chunk);
+        if (!isControlChunk(chunk)) {
+          allChunks.push(chunk as UIMessageChunk);
+        }
+        if (
+          typeof chunk === "object" &&
+          chunk !== null &&
+          (chunk as { type?: string }).type === "trigger:turn-complete"
+        ) {
+          const resolvers = turnCompleteResolvers;
+          turnCompleteResolvers = [];
+          for (const resolve of resolvers) resolve();
+        }
+      };
+      sessionOutState.listeners.add(listener);
+      const unsubscribe = () => sessionOutState.listeners.delete(listener);
+
+      if (options.setupLocals) {
+        await options.setupLocals({ set: drivers.locals.set });
+      }
+
+      harnessReadyResolve();
+
+      try {
+        if (process.env.TRIGGER_CHAT_TEST_DEBUG === "1") {
+          console.log("[mockChatAgent] Starting runFn with payload:", initialPayload);
+        }
+        await runFn(initialPayload, {
+          ctx: drivers.ctx,
+          signal: runSignal.signal,
+        });
+        if (process.env.TRIGGER_CHAT_TEST_DEBUG === "1") {
+          console.log("[mockChatAgent] runFn returned");
+        }
+      } catch (err) {
+        if (process.env.TRIGGER_CHAT_TEST_DEBUG === "1") {
+          console.log("[mockChatAgent] runFn threw:", err);
+        }
+        throw err;
+      } finally {
+        unsubscribe();
+        // Resolve any outstanding turn-complete waiters so callers don't hang
+        const resolvers = turnCompleteResolvers;
+        turnCompleteResolvers = [];
+        for (const resolve of resolvers) resolve();
+      }
+    },
+    options.taskContext
+  )
+    .catch((err) => {
+      // Propagate errors to pending turn waiters instead of dropping them
+      const resolvers = turnCompleteResolvers;
+      turnCompleteResolvers = [];
+      for (const resolve of resolvers) resolve();
+      throw err;
+    })
+    .finally(() => {
+      // Always clear the test overrides, even if the task threw.
+      __setSessionOpenImplForTests(undefined);
+      __setSessionStartImplForTests(undefined);
+      __setReadChatSnapshotImplForTests(undefined);
+      __setWriteChatSnapshotImplForTests(undefined);
+      __setReplaySessionOutTailImplForTests(undefined);
+      __setReplaySessionInTailImplForTests(undefined);
+    });
+
+  const sendPayloadAndWait = async (
+    payload: ChatWirePayload
+  ): Promise<MockChatAgentTurn> => {
+    await harnessReady;
+    const before = allRawChunks.length;
+    const turnComplete = waitForTurnComplete();
+    await sendSessionInput(sessionId, { kind: "message", payload });
+    await turnComplete;
+    const rawChunks = allRawChunks.slice(before);
+    const chunks = rawChunks.filter(
+      (c) => !isControlChunk(c)
+    ) as UIMessageChunk[];
+    return { chunks, rawChunks };
+  };
+
+  const harness: MockChatAgentHarness = {
+    chatId,
+
+    async sendMessage(message) {
+      return sendPayloadAndWait({
+        message,
+        chatId,
+        trigger: "submit-message",
+        metadata: clientData,
+      });
+    },
+
+    async sendRegenerate() {
+      return sendPayloadAndWait({
+        chatId,
+        trigger: "regenerate-message",
+        metadata: clientData,
+      });
+    },
+
+    async sendHeadStart({ messages }) {
+      return sendPayloadAndWait({
+        headStartMessages: messages,
+        chatId,
+        trigger: "handover-prepare",
+        metadata: clientData,
+      });
+    },
+
+    async sendAction(action) {
+      return sendPayloadAndWait({
+        chatId,
+        trigger: "action",
+        action,
+        metadata: clientData,
+      });
+    },
+
+    async sendStop(message) {
+      await harnessReady;
+      await sendSessionInput(sessionId, { kind: "stop", message });
+    },
+
+    async sendHandover(args) {
+      await harnessReady;
+      const before = allRawChunks.length;
+      const turnComplete = waitForTurnComplete();
+      await sendSessionInput(sessionId, {
+        kind: "handover",
+        partialAssistantMessage: args.partialAssistantMessage,
+        messageId: args.messageId,
+        isFinal: args.isFinal ?? false,
+      });
+      await turnComplete;
+      const rawChunks = allRawChunks.slice(before);
+      const chunks = rawChunks.filter((c) => !isControlChunk(c)) as UIMessageChunk[];
+      return { chunks, rawChunks };
+    },
+
+    async sendHandoverSkip() {
+      await harnessReady;
+      // No turn-complete on skip — the agent exits without firing hooks.
+      // Send the chunk and wait for the run to finish.
+      await sendSessionInput(sessionId, { kind: "handover-skip" });
+      await Promise.race([
+        taskFinished.catch(() => {}),
+        new Promise<void>((resolve) => setTimeout(resolve, 1000)),
+      ]);
+    },
+
+    seedSnapshot(snapshot) {
+      seededSnapshot = snapshot;
+    },
+
+    seedSessionOutTail(chunks) {
+      seededReplayChunks = chunks ?? [];
+    },
+
+    seedSessionOutPartial(partial) {
+      seededReplayPartial = partial;
+    },
+
+    seedSessionInTail(messages) {
+      seededSessionInMessages = messages;
+    },
+
+    getSnapshot() {
+      return lastWrittenSnapshot;
+    },
+
+    async close() {
+      await harnessReady;
+
+      // Send a close trigger wrapped as a `kind: "message"` ChatInputChunk.
+      // The turn loop checks for this after a successful turn and exits
+      // cleanly. On error-recovery paths the loop just loops back with
+      // the close payload, so we also close the session input below to
+      // unblock any pending once() waiters.
+      try {
+        await sendSessionInput(sessionId, {
+          kind: "message",
+          payload: {
+            chatId,
+            trigger: "close",
+          },
+        });
+      } catch {
+        // best-effort
+      }
+      // Resolve any pending once() waiters on the session input with a
+      // timeout error — that makes waitWithIdleTimeout return
+      // `{ ok: false }` and the turn loop exits cleanly.
+      closeSessionInput?.(sessionId);
+
+      // Also abort the run signal so anything downstream (streamText,
+      // deferred work) unwinds promptly.
+      runSignal?.abort("close");
+
+      // Wait for run() to return. The loop's error recovery path will
+      // see !next.ok and exit. Use a bounded wait so tests never hang.
+      await Promise.race([
+        taskFinished.catch(() => {}),
+        new Promise<void>((resolve) => setTimeout(resolve, 1000)),
+      ]);
+    },
+
+    get allChunks() {
+      return allChunks.slice();
+    },
+
+    get allRawChunks() {
+      return allRawChunks.slice();
+    },
+  };
+
+  return harness;
+}
+
+/**
+ * Reduce a synthetic UIMessageChunk[] sequence into the UIMessage[] that
+ * the runtime's `replaySessionOutTail` would produce. Splits chunks at
+ * `start` boundaries and feeds each segment through AI SDK's
+ * `readUIMessageStream`. The trailing un-finished segment goes through
+ * `cleanupAbortedParts`. Mirrors the production reducer used in
+ * `ai.ts:replaySessionOutTail`.
+ */
+async function reduceChunksToMessages(chunks: UIMessageChunk[]): Promise<UIMessage[]> {
+  if (chunks.length === 0) return [];
+  const aiModule = (await import("ai")) as {
+    readUIMessageStream?: (args: { stream: ReadableStream<UIMessageChunk> }) => AsyncIterable<UIMessage>;
+    cleanupAbortedParts?: (msg: UIMessage) => UIMessage;
+  };
+  const readUIMessageStream = aiModule.readUIMessageStream;
+  const cleanupAbortedParts = aiModule.cleanupAbortedParts;
+  if (!readUIMessageStream) return [];
+
+  type Segment = { chunks: UIMessageChunk[]; closed: boolean };
+  const segments: Segment[] = [];
+  let current: Segment | undefined;
+  for (const chunk of chunks) {
+    if (chunk.type === "start") {
+      current = { chunks: [chunk], closed: false };
+      segments.push(current);
+      continue;
+    }
+    if (!current) {
+      current = { chunks: [], closed: false };
+      segments.push(current);
+    }
+    current.chunks.push(chunk);
+    if (chunk.type === "finish") {
+      current.closed = true;
+      current = undefined;
+    }
+  }
+
+  const out: UIMessage[] = [];
+  for (let i = 0; i < segments.length; i++) {
+    const seg = segments[i]!;
+    const isTrailing = i === segments.length - 1 && !seg.closed;
+    const segmentStream = new ReadableStream<UIMessageChunk>({
+      start(controller) {
+        for (const c of seg.chunks) controller.enqueue(c);
+        controller.close();
+      },
+    });
+    let last: UIMessage | undefined;
+    try {
+      for await (const snapshot of readUIMessageStream({ stream: segmentStream })) {
+        last = snapshot;
+      }
+    } catch {
+      // Skip malformed segment — tests can assert by inspecting what makes it through.
+      continue;
+    }
+    if (!last) continue;
+    if (isTrailing && cleanupAbortedParts) {
+      const cleaned = cleanupAbortedParts(last);
+      if (!cleaned.parts || cleaned.parts.length === 0) continue;
+      out.push(cleaned);
+    } else {
+      out.push(last);
+    }
+  }
+  return out;
+}
diff --git a/packages/trigger-sdk/src/v3/test/setup-catalog.ts b/packages/trigger-sdk/src/v3/test/setup-catalog.ts
new file mode 100644
index 00000000000..4dece053b98
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/test/setup-catalog.ts
@@ -0,0 +1,16 @@
+import { resourceCatalog } from "@trigger.dev/core/v3";
+import { StandardResourceCatalog } from "@trigger.dev/core/v3/workers";
+
+/**
+ * Installs an in-memory `StandardResourceCatalog` and seeds a fake file
+ * context so task definitions (`task()`, `chat.agent()`, etc.) register
+ * their run functions where the test harness can look them up.
+ *
+ * This is invoked as a side-effect of importing `@trigger.dev/sdk/ai/test`.
+ *
+ * Without this, `registerTaskMetadata` short-circuits on a missing
+ * `_currentFileContext` and tasks silently fail to register.
+ */
+const catalog = new StandardResourceCatalog();
+resourceCatalog.setGlobalResourceCatalog(catalog);
+resourceCatalog.setCurrentFileContext("__test__.ts", "__test__");
diff --git a/packages/trigger-sdk/src/v3/test/test-session-handle.ts b/packages/trigger-sdk/src/v3/test/test-session-handle.ts
new file mode 100644
index 00000000000..93d6146ddd5
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/test/test-session-handle.ts
@@ -0,0 +1,301 @@
+import type {
+  AsyncIterableStream,
+  PipeStreamResult,
+  StreamWriteResult,
+  WriterStreamOptions,
+} from "@trigger.dev/core/v3";
+import { ensureReadableStream, ManualWaitpointPromise } from "@trigger.dev/core/v3";
+import {
+  SessionHandle,
+  SessionInputChannel,
+  SessionOutputChannel,
+  SessionPipeStreamOptions,
+  SessionSubscribeOptions,
+} from "../sessions.js";
+
+/**
+ * Stub for `SessionInputChannel.wait` that skips the apiClient round-trip
+ * the production path makes via `createSessionStreamWaitpoint`. Without
+ * this override, every test that exercises the suspend fallback (e.g.
+ * the `chat.handover` idle-timeout case) throws `ApiClientMissingError`
+ * because `apiClientManager.clientOrThrow()` runs in a test process that
+ * has no `TRIGGER_SECRET_KEY`.
+ *
+ * The promise resolves with `{ ok: false, error }` when the harness
+ * aborts its run signal — that mimics production semantics (suspended
+ * until something happens, returns cleanly on abort) without making a
+ * network call.
+ */
+class TestSessionInputChannel extends SessionInputChannel {
+  constructor(sessionId: string, private readonly getAbortSignal: () => AbortSignal | undefined) {
+    super(sessionId);
+  }
+
+  // Override only the `wait` path. `on` / `once` / `peek` / `send`
+  // continue to flow through the real `sessionStreams` global, which
+  // the mock task context installs as a `TestSessionStreamManager`.
+  wait<T = unknown>(): ManualWaitpointPromise<T> {
+    return new ManualWaitpointPromise<T>((resolve: (value: { ok: false; error: Error }) => void) => {
+      const signal = this.getAbortSignal();
+      if (!signal) {
+        // Harness hasn't wired up its run signal yet — nothing to abort
+        // on. Stay pending; the run loop should never reach this state
+        // in practice but we don't want to throw here either.
+        return;
+      }
+      const onAbort = () => {
+        resolve({
+          ok: false,
+          error: new Error("session.in.wait() aborted by test harness"),
+        });
+      };
+      if (signal.aborted) {
+        onAbort();
+        return;
+      }
+      signal.addEventListener("abort", onAbort, { once: true });
+    });
+  }
+}
+
+/**
+ * Per-session in-memory state collected from `.out` writes during a test.
+ * Owned by the mock-chat-agent harness; updated by {@link TestSessionOutputChannel}.
+ */
+export type TestSessionOutState = {
+  /** Every chunk written to `.out`, in order of write. */
+  chunks: unknown[];
+  /** Registered write listeners (fired for each chunk). */
+  listeners: Set<(chunk: unknown) => void>;
+};
+
+function notify(state: TestSessionOutState, chunk: unknown): void {
+  state.chunks.push(chunk);
+  for (const listener of state.listeners) {
+    try {
+      listener(chunk);
+    } catch {
+      // Never let a listener error break stream writes
+    }
+  }
+}
+
+async function drainInto<T>(
+  source: AsyncIterable<T> | ReadableStream<T>,
+  state: TestSessionOutState
+): Promise<void> {
+  const readable = ensureReadableStream(source);
+  const reader = readable.getReader();
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) return;
+      notify(state, value);
+    }
+  } finally {
+    try {
+      reader.releaseLock();
+    } catch {
+      // ignore
+    }
+  }
+}
+
+/**
+ * `.out` channel that captures writes in memory instead of piping to S2.
+ * Mirrors {@link SessionOutputChannel}'s public shape — `pipe` / `writer`
+ * / `append` / `read` — so the agent's existing code paths work unchanged.
+ */
+export class TestSessionOutputChannel extends SessionOutputChannel {
+  constructor(
+    sessionId: string,
+    private readonly state: TestSessionOutState
+  ) {
+    super(sessionId);
+  }
+
+  async append<T>(value: T, _options?: SessionPipeStreamOptions): Promise<void> {
+    notify(this.state, value);
+  }
+
+  pipe<T>(
+    value: AsyncIterable<T> | ReadableStream<T>,
+    _options?: SessionPipeStreamOptions
+  ): PipeStreamResult<T> {
+    const state = this.state;
+    const readChunks: T[] = [];
+    let resolveDone!: () => void;
+    const done = new Promise<void>((resolve) => {
+      resolveDone = resolve;
+    });
+
+    (async () => {
+      const readable = ensureReadableStream(value);
+      const reader = readable.getReader();
+      try {
+        while (true) {
+          const { done: d, value: v } = await reader.read();
+          if (d) return;
+          readChunks.push(v as T);
+          notify(state, v);
+        }
+      } finally {
+        try {
+          reader.releaseLock();
+        } catch {
+          // ignore
+        }
+        resolveDone();
+      }
+    })().catch(() => {
+      resolveDone();
+    });
+
+    const replayStream = new ReadableStream<T>({
+      async start(controller) {
+        await done;
+        for (const chunk of readChunks) controller.enqueue(chunk);
+        controller.close();
+      },
+    });
+
+    const emptyResult: StreamWriteResult = {};
+
+    return {
+      get stream(): AsyncIterableStream<T> {
+        return replayStream as AsyncIterableStream<T>;
+      },
+      waitUntilComplete: async () => {
+        await done;
+        return emptyResult;
+      },
+    };
+  }
+
+  writer<T>(options: WriterStreamOptions<T>): PipeStreamResult<T> {
+    let controller!: ReadableStreamDefaultController<T>;
+    const ongoing: Promise<void>[] = [];
+    const state = this.state;
+
+    const stream = new ReadableStream<T>({
+      start(c) {
+        controller = c;
+      },
+    });
+
+    const safeEnqueue = (data: T) => {
+      try {
+        controller.enqueue(data);
+      } catch {
+        // Stream already closed
+      }
+    };
+
+    try {
+      const result = options.execute({
+        write(part) {
+          safeEnqueue(part);
+          notify(state, part);
+        },
+        merge(streamArg) {
+          ongoing.push(
+            drainInto(streamArg, state).catch(() => {})
+          );
+        },
+      });
+
+      if (result) {
+        ongoing.push(result.catch(() => {}));
+      }
+    } catch {
+      // Swallow — tests can inspect state.chunks
+    }
+
+    const done: Promise<void> = (async () => {
+      while (ongoing.length > 0) {
+        await ongoing.shift();
+      }
+    })().finally(() => {
+      try {
+        controller.close();
+      } catch {
+        // Already closed
+      }
+    });
+
+    const emptyResult: StreamWriteResult = {};
+
+    return {
+      get stream(): AsyncIterableStream<T> {
+        return stream as AsyncIterableStream<T>;
+      },
+      waitUntilComplete: async () => {
+        await done;
+        return emptyResult;
+      },
+    };
+  }
+
+  async read<T>(_options?: SessionSubscribeOptions<T>): Promise<AsyncIterableStream<T>> {
+    throw new Error(
+      "TestSessionOutputChannel.read() is not supported in the mock-chat-agent harness — " +
+        "inspect `harness.allChunks` / `harness.allRawChunks` instead."
+    );
+  }
+
+  /**
+   * Override the one-shot control-record path. In production this goes
+   * direct to S2 with header-form records; in tests we project it back
+   * into the chunk-shape the harness already understands (the listener
+   * watches for `{type: "trigger:turn-complete"}` to drive turn-complete
+   * latches). Returns an empty `StreamWriteResult` — tests don't observe
+   * the seq_num, and trim seeding only matters in production.
+   */
+  async writeControl(
+    subtype: string,
+    extraHeaders?: ReadonlyArray<readonly [string, string]>
+  ): Promise<StreamWriteResult> {
+    const synthetic: Record<string, unknown> = { type: `trigger:${subtype}` };
+    if (extraHeaders) {
+      for (const [name, value] of extraHeaders) {
+        if (name === "public-access-token") {
+          synthetic.publicAccessToken = value;
+        }
+      }
+    }
+    notify(this.state, synthetic);
+    return {};
+  }
+
+  /**
+   * No-op in the mock harness. Production trims keep `session.out` bounded;
+   * the in-memory `state.chunks` array doesn't need trimming and tests
+   * that care about trim behaviour exercise it via the real S2 code path.
+   */
+  async trimTo(_earliestSeqNum: number): Promise<void> {
+    // Intentionally a no-op for the mock harness.
+  }
+}
+
+/**
+ * Construct a {@link SessionHandle} whose `.out` channel captures writes in
+ * memory and whose `.in` channel routes through the `sessionStreams`
+ * global for record subscriptions (`on` / `once` / `peek`) but stubs
+ * `wait()` to skip the apiClient round-trip — see
+ * {@link TestSessionInputChannel}.
+ *
+ * `getAbortSignal` lets the channel observe the harness's run signal so
+ * `wait()` resolves cleanly on close. Pass a getter (not the signal
+ * directly) so the channel reads it lazily — the harness creates its
+ * `AbortController` after the override is installed.
+ */
+export function createTestSessionHandle(
+  sessionId: string,
+  state: TestSessionOutState,
+  getAbortSignal: () => AbortSignal | undefined = () => undefined
+): SessionHandle {
+  return new SessionHandle(sessionId, {
+    in: new TestSessionInputChannel(sessionId, getAbortSignal),
+    out: new TestSessionOutputChannel(sessionId, state),
+  });
+}
diff --git a/packages/trigger-sdk/src/v3/triggerClient.test.ts b/packages/trigger-sdk/src/v3/triggerClient.test.ts
new file mode 100644
index 00000000000..f5374171ed7
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/triggerClient.test.ts
@@ -0,0 +1,297 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { apiClientManager, sdkScope, taskContext } from "@trigger.dev/core/v3";
+import { auth, configure } from "./auth.js";
+import { runs } from "./runs.js";
+import { TriggerClient } from "./triggerClient.js";
+
+type CapturedRequest = {
+  url: string;
+  authorization: string | undefined;
+  branch: string | undefined;
+};
+
+function installFetchSpy() {
+  const captured: CapturedRequest[] = [];
+  const originalFetch = globalThis.fetch;
+
+  globalThis.fetch = (async (input: any, init?: RequestInit) => {
+    const url = typeof input === "string" ? input : input?.url ?? String(input);
+    const headers = new Headers(init?.headers);
+    captured.push({
+      url,
+      authorization: headers.get("authorization") ?? undefined,
+      branch: headers.get("x-trigger-branch") ?? undefined,
+    });
+    // Return a fake successful response shaped like an empty run retrieval.
+    return new Response(JSON.stringify({}), {
+      status: 200,
+      headers: { "content-type": "application/json" },
+    });
+  }) as typeof fetch;
+
+  return {
+    captured,
+    restore: () => {
+      globalThis.fetch = originalFetch;
+    },
+  };
+}
+
+describe("TriggerClient", () => {
+  let fetchSpy: ReturnType<typeof installFetchSpy>;
+
+  beforeEach(() => {
+    apiClientManager.disable();
+    fetchSpy = installFetchSpy();
+  });
+
+  afterEach(() => {
+    fetchSpy.restore();
+    apiClientManager.disable();
+    taskContext.disable();
+    vi.unstubAllEnvs();
+  });
+
+  it("throws on first API call when no accessToken is configured anywhere", () => {
+    const client = new TriggerClient();
+    expect(() => client.runs.list({ limit: 1 })).toThrow(/TRIGGER_SECRET_KEY/);
+  });
+
+  it("falls back to env vars when constructor config is empty", async () => {
+    vi.stubEnv("TRIGGER_SECRET_KEY", "tr_dev_env_token");
+    vi.stubEnv("TRIGGER_PREVIEW_BRANCH", "env-branch");
+
+    const client = new TriggerClient();
+    await client.runs.retrieve("run_abc").catch(() => undefined);
+
+    expect(fetchSpy.captured).toHaveLength(1);
+    expect(fetchSpy.captured[0]!.authorization).toBe("Bearer tr_dev_env_token");
+    expect(fetchSpy.captured[0]!.branch).toBe("env-branch");
+  });
+
+  it("uses the instance accessToken and previewBranch on outgoing requests", async () => {
+    const client = new TriggerClient({
+      accessToken: "tr_preview_instance_token",
+      previewBranch: "signup-flow",
+    });
+
+    await client.runs.retrieve("run_abc").catch(() => undefined);
+
+    expect(fetchSpy.captured).toHaveLength(1);
+    const req = fetchSpy.captured[0]!;
+    expect(req.authorization).toBe("Bearer tr_preview_instance_token");
+    expect(req.branch).toBe("signup-flow");
+  });
+
+  it("fills missing fields from env, but explicit constructor values still win", async () => {
+    vi.stubEnv("TRIGGER_SECRET_KEY", "tr_env_token");
+    vi.stubEnv("TRIGGER_PREVIEW_BRANCH", "env-branch");
+    vi.stubEnv("TRIGGER_API_URL", "https://env.example.com");
+
+    const explicit = new TriggerClient({
+      accessToken: "tr_explicit",
+      previewBranch: "explicit-branch",
+    });
+    const fromEnv = new TriggerClient();
+
+    await Promise.all([
+      explicit.runs.retrieve("run_a").catch(() => undefined),
+      fromEnv.runs.retrieve("run_b").catch(() => undefined),
+    ]);
+
+    const byRun = Object.fromEntries(
+      fetchSpy.captured.map((r) => [r.url.split("/runs/")[1]?.split(/[/?]/)[0], r])
+    );
+
+    expect(byRun["run_a"]!.authorization).toBe("Bearer tr_explicit");
+    expect(byRun["run_a"]!.branch).toBe("explicit-branch");
+    expect(byRun["run_b"]!.authorization).toBe("Bearer tr_env_token");
+    expect(byRun["run_b"]!.branch).toBe("env-branch");
+    expect(byRun["run_a"]!.url.startsWith("https://env.example.com/")).toBe(true);
+  });
+
+  it("does not leak instance config to the global apiClientManager", async () => {
+    configure({ accessToken: "tr_dev_global_token" });
+
+    const client = new TriggerClient({
+      accessToken: "tr_preview_instance_token",
+      previewBranch: "signup-flow",
+    });
+
+    await client.runs.retrieve("run_instance").catch(() => undefined);
+    await runs.retrieve("run_global").catch(() => undefined);
+
+    expect(fetchSpy.captured).toHaveLength(2);
+    expect(fetchSpy.captured[0]!.authorization).toBe("Bearer tr_preview_instance_token");
+    expect(fetchSpy.captured[0]!.branch).toBe("signup-flow");
+    expect(fetchSpy.captured[1]!.authorization).toBe("Bearer tr_dev_global_token");
+    expect(fetchSpy.captured[1]!.branch).toBeUndefined();
+  });
+
+  it("keeps two concurrent instances isolated from each other", async () => {
+    const prod = new TriggerClient({ accessToken: "tr_prod_key" });
+    const preview = new TriggerClient({
+      accessToken: "tr_preview_key",
+      previewBranch: "feature-x",
+    });
+
+    await Promise.all([
+      prod.runs.retrieve("run_a").catch(() => undefined),
+      preview.runs.retrieve("run_b").catch(() => undefined),
+      prod.runs.retrieve("run_c").catch(() => undefined),
+      preview.runs.retrieve("run_d").catch(() => undefined),
+    ]);
+
+    expect(fetchSpy.captured).toHaveLength(4);
+    const byPath = Object.fromEntries(
+      fetchSpy.captured.map((r) => [r.url.split("/runs/")[1]?.split(/[/?]/)[0], r])
+    );
+
+    expect(byPath["run_a"]!.authorization).toBe("Bearer tr_prod_key");
+    expect(byPath["run_a"]!.branch).toBeUndefined();
+    expect(byPath["run_c"]!.authorization).toBe("Bearer tr_prod_key");
+    expect(byPath["run_c"]!.branch).toBeUndefined();
+    expect(byPath["run_b"]!.authorization).toBe("Bearer tr_preview_key");
+    expect(byPath["run_b"]!.branch).toBe("feature-x");
+    expect(byPath["run_d"]!.authorization).toBe("Bearer tr_preview_key");
+    expect(byPath["run_d"]!.branch).toBe("feature-x");
+  });
+
+  it("masks taskContext.ctx inside an isolated scope (default)", () => {
+    const fakeCtx = {
+      run: { id: "run_parent", isTest: true },
+      project: { ref: "proj_xyz" },
+      environment: { slug: "preview" },
+    } as any;
+
+    taskContext.setGlobalTaskContext({ ctx: fakeCtx } as any);
+    expect(taskContext.ctx).toBe(fakeCtx);
+
+    const observed = sdkScope.withScope(
+      { apiClientConfig: { accessToken: "x" }, inheritContext: false },
+      () => taskContext.ctx
+    );
+
+    expect(observed).toBeUndefined();
+  });
+
+  it("exposes taskContext.ctx inside a scope when inheritContext is true", () => {
+    const fakeCtx = {
+      run: { id: "run_parent", isTest: true },
+      project: { ref: "proj_xyz" },
+      environment: { slug: "preview" },
+    } as any;
+
+    taskContext.setGlobalTaskContext({ ctx: fakeCtx } as any);
+
+    const observed = sdkScope.withScope(
+      { apiClientConfig: { accessToken: "x" }, inheritContext: true },
+      () => taskContext.ctx
+    );
+
+    expect(observed).toBe(fakeCtx);
+  });
+});
+
+describe("configure()", () => {
+  beforeEach(() => {
+    apiClientManager.disable();
+  });
+
+  afterEach(() => {
+    apiClientManager.disable();
+  });
+
+  it("overrides previously-set configuration on a second call", async () => {
+    configure({ accessToken: "tr_first" });
+    expect(apiClientManager.accessToken).toBe("tr_first");
+
+    configure({ accessToken: "tr_second", previewBranch: "branch-b" });
+    expect(apiClientManager.accessToken).toBe("tr_second");
+    expect(apiClientManager.branchName).toBe("branch-b");
+  });
+});
+
+describe("auth.withAuth", () => {
+  beforeEach(() => {
+    apiClientManager.disable();
+  });
+
+  afterEach(() => {
+    apiClientManager.disable();
+  });
+
+  it("inherits TRIGGER_SECRET_KEY from env when called with a partial config", async () => {
+    vi.stubEnv("TRIGGER_SECRET_KEY", "tr_dev_env_token");
+
+    let observed: string | undefined;
+    await auth.withAuth({ baseURL: "https://override.example.com" }, async () => {
+      observed = apiClientManager.accessToken;
+    });
+
+    // The scoped `inheritContext: true` path falls back to TRIGGER_SECRET_KEY
+    // so callers can override only baseURL without re-passing the token.
+    expect(observed).toBe("tr_dev_env_token");
+    // baseURL override still applies.
+    expect(
+      await auth.withAuth(
+        { baseURL: "https://override.example.com" },
+        async () => apiClientManager.baseURL
+      )
+    ).toBe("https://override.example.com");
+  });
+
+  it("composes nested withAuth: outer-scope fields flow into the inner scope", async () => {
+    vi.stubEnv("TRIGGER_SECRET_KEY", "tr_env_token");
+
+    let observedBaseURL: string | undefined;
+    let observedAuth: string | undefined;
+    await auth.withAuth({ baseURL: "https://outer.example.com" }, async () => {
+      await auth.withAuth({ accessToken: "tr_inner_token" }, async () => {
+        observedBaseURL = apiClientManager.baseURL;
+        observedAuth = apiClientManager.accessToken;
+      });
+    });
+
+    expect(observedBaseURL).toBe("https://outer.example.com");
+    expect(observedAuth).toBe("tr_inner_token");
+  });
+
+  it("does not stomp on a parallel withAuth call with a different config", async () => {
+    configure({ accessToken: "tr_global" });
+
+    const tokenA = "tr_concurrent_a";
+    const tokenB = "tr_concurrent_b";
+
+    const settle = {
+      resolveA: () => {},
+      resolveB: () => {},
+    };
+    const gateA = new Promise<void>((r) => (settle.resolveA = r));
+    const gateB = new Promise<void>((r) => (settle.resolveB = r));
+
+    const runA = auth.withAuth({ accessToken: tokenA }, async () => {
+      // Suspend mid-scope so the parallel B scope opens while A is still pending.
+      await gateA;
+      return apiClientManager.accessToken;
+    });
+
+    const runB = auth.withAuth({ accessToken: tokenB }, async () => {
+      // Open B's scope first, then unblock A. If withAuth used the old
+      // mutate-and-restore pattern, A would observe tokenB or B's
+      // .finally would restore the wrong "original".
+      const seenInB = apiClientManager.accessToken;
+      settle.resolveA();
+      await gateB;
+      return seenInB;
+    });
+
+    settle.resolveB(); // let B finish after A reads
+    const [seenInA, seenInB] = await Promise.all([runA, runB]);
+
+    expect(seenInA).toBe(tokenA);
+    expect(seenInB).toBe(tokenB);
+    // Global remains unchanged after both scopes exit.
+    expect(apiClientManager.accessToken).toBe("tr_global");
+  });
+});
diff --git a/packages/trigger-sdk/src/v3/triggerClient.ts b/packages/trigger-sdk/src/v3/triggerClient.ts
new file mode 100644
index 00000000000..8d5d32ac95b
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/triggerClient.ts
@@ -0,0 +1,107 @@
+import {
+  type ApiClientConfiguration,
+  apiClientManager,
+  sdkScope,
+  type SdkScope,
+} from "@trigger.dev/core/v3";
+import "@trigger.dev/core/v3/sdk-scope-storage";
+
+import { auth } from "./auth.js";
+import { batch } from "./batch.js";
+import { deployments } from "./deployments.js";
+import * as envvarsModule from "./envvars.js";
+import * as promptsModule from "./prompts.js";
+import * as queuesModule from "./queues.js";
+import { runs } from "./runs.js";
+import * as schedulesModule from "./schedules/index.js";
+import { batchTrigger, trigger } from "./shared.js";
+
+export type TriggerClientConfig = ApiClientConfiguration & {
+  /** Inherit ambient task context (parentRunId, lockToVersion, isTest) when called from inside a task. Default `false`. */
+  inheritContext?: boolean;
+};
+
+const tasksApi = { trigger, batchTrigger };
+const batchInstanceKeys = ["trigger", "triggerByTask", "retrieve"] as const;
+const schedulesInstanceKeys = [
+  "activate",
+  "create",
+  "deactivate",
+  "del",
+  "list",
+  "retrieve",
+  "update",
+] as const;
+const promptsInstanceKeys = [
+  "createOverride",
+  "list",
+  "promote",
+  "reactivateOverride",
+  "removeOverride",
+  "resolve",
+  "updateOverride",
+  "versions",
+] as const;
+const authInstanceKeys = [
+  "createPublicToken",
+  "createTriggerPublicToken",
+  "createBatchTriggerPublicToken",
+] as const;
+
+type TasksApi = typeof tasksApi;
+type RunsApi = typeof runs;
+type BatchApi = Pick<typeof batch, (typeof batchInstanceKeys)[number]>;
+type DeploymentsApi = typeof deployments;
+type EnvvarsApi = typeof envvarsModule;
+type PromptsApi = Pick<typeof promptsModule, (typeof promptsInstanceKeys)[number]>;
+type QueuesApi = typeof queuesModule;
+type SchedulesApi = Pick<typeof schedulesModule, (typeof schedulesInstanceKeys)[number]>;
+type AuthApi = Pick<typeof auth, (typeof authInstanceKeys)[number]>;
+
+export class TriggerClient {
+  readonly tasks: TasksApi;
+  readonly runs: RunsApi;
+  readonly batch: BatchApi;
+  readonly deployments: DeploymentsApi;
+  readonly envvars: EnvvarsApi;
+  readonly prompts: PromptsApi;
+  readonly queues: QueuesApi;
+  readonly schedules: SchedulesApi;
+  readonly auth: AuthApi;
+
+  constructor(config: TriggerClientConfig = {}) {
+    const { inheritContext, ...partial } = config;
+    const scope: SdkScope = {
+      apiClientConfig: apiClientManager.resolveApiClientConfig(partial),
+      inheritContext: inheritContext ?? false,
+    };
+
+    this.tasks = bindToScope(tasksApi, scope);
+    this.runs = bindToScope(runs, scope);
+    this.batch = bindToScope(batch, scope, batchInstanceKeys);
+    this.deployments = bindToScope(deployments, scope);
+    this.envvars = bindToScope(envvarsModule, scope);
+    this.prompts = bindToScope(promptsModule, scope, promptsInstanceKeys);
+    this.queues = bindToScope(queuesModule, scope);
+    this.schedules = bindToScope(schedulesModule, scope, schedulesInstanceKeys);
+    this.auth = bindToScope(auth, scope, authInstanceKeys);
+  }
+}
+
+function bindToScope<T extends object, K extends keyof T = keyof T>(
+  api: T,
+  scope: SdkScope,
+  keys?: readonly K[]
+): Pick<T, K> {
+  const targetKeys = (keys ?? (Object.keys(api) as K[])) as readonly K[];
+  const bound: Record<string, unknown> = {};
+  for (const key of targetKeys) {
+    const value = (api as Record<string, unknown>)[key as string];
+    bound[key as string] =
+      typeof value === "function"
+        ? (...args: unknown[]) =>
+            sdkScope.withScope(scope, () => (value as (...a: unknown[]) => unknown)(...args))
+        : value;
+  }
+  return bound as unknown as Pick<T, K>;
+}
diff --git a/packages/trigger-sdk/src/v3/triggerClient.types.test.ts b/packages/trigger-sdk/src/v3/triggerClient.types.test.ts
new file mode 100644
index 00000000000..522f2f9f50c
--- /dev/null
+++ b/packages/trigger-sdk/src/v3/triggerClient.types.test.ts
@@ -0,0 +1,118 @@
+import { describe, expectTypeOf, it } from "vitest";
+import type { ApiPromise } from "@trigger.dev/core/v3";
+import { batch } from "./batch.js";
+import { runs } from "./runs.js";
+import * as envvars from "./envvars.js";
+import * as schedules from "./schedules/index.js";
+import * as prompts from "./prompts.js";
+import { auth } from "./auth.js";
+import type { Task, AnyTask } from "./shared.js";
+import { TriggerClient } from "./triggerClient.js";
+
+// Stand-in task type used to verify generic inference flows through the proxy.
+// Mirrors the shape returned by `task({...})` calls.
+type ExampleTask = Task<"example", { to: string }, { sent: boolean }>;
+
+const client = new TriggerClient({ accessToken: "tr_x" });
+
+describe("TriggerClient surface — type-level guarantees", () => {
+  it("preserves generic inference on tasks.trigger<typeof t>", () => {
+    // If the proxy cast in bindToScope ever erodes generics, this fails:
+    // the return type degrades to `unknown` and `.id`/`.taskIdentifier`
+    // disappear.
+    type Returned = ReturnType<typeof client.tasks.trigger<ExampleTask>>;
+    expectTypeOf<Returned>().resolves.toHaveProperty("id");
+    expectTypeOf<Returned>().resolves.toHaveProperty("taskIdentifier");
+  });
+
+  it("preserves return type on runs.retrieve (no double-wrap)", () => {
+    // bindToScope wraps the impl as () => sdkScope.withScope(...). If the
+    // wrapper were typed loosely it could surface as Promise<ApiPromise<...>>.
+    // We want the original ApiPromise<...> to flow through unchanged.
+    const handle = client.runs.retrieve<ExampleTask>("run_x");
+    expectTypeOf(handle).toEqualTypeOf<ReturnType<typeof runs.retrieve<ExampleTask>>>();
+    // And it should be assignable to a plain Promise (since ApiPromise extends Promise).
+    expectTypeOf(handle).toMatchTypeOf<Promise<unknown>>();
+  });
+
+  it("preserves envvars.list overloads (projectRef+slug form AND zero-arg form)", () => {
+    // Two-arg form
+    expectTypeOf(client.envvars.list).toBeCallableWith("proj_1234", "dev");
+    // Zero-arg form (uses task context — still typeable at the call site)
+    expectTypeOf(client.envvars.list).toBeCallableWith();
+  });
+});
+
+describe("TriggerClient surface — curated subsets", () => {
+  it("instance.tasks drops inside-task-only and definition-time helpers", () => {
+    type Keys = keyof typeof client.tasks;
+    expectTypeOf<Keys>().toEqualTypeOf<"trigger" | "batchTrigger">();
+    // @ts-expect-error — triggerAndWait is not on the instance surface.
+    client.tasks.triggerAndWait;
+    // @ts-expect-error — batchTriggerAndWait is not on the instance surface.
+    client.tasks.batchTriggerAndWait;
+    // @ts-expect-error — triggerAndSubscribe requires a task context; not on the instance surface.
+    client.tasks.triggerAndSubscribe;
+    // @ts-expect-error — hooks like onStart are task-definition-time, not on the client.
+    client.tasks.onStart;
+  });
+
+  it("instance.batch drops the *AndWait variants that depend on the runtime", () => {
+    type Keys = keyof typeof client.batch;
+    expectTypeOf<Keys>().toEqualTypeOf<"trigger" | "triggerByTask" | "retrieve">();
+    // @ts-expect-error
+    client.batch.triggerAndWait;
+    // @ts-expect-error
+    client.batch.triggerByTaskAndWait;
+    // The module-level export still has them — sanity check we didn't change that.
+    expectTypeOf(batch).toHaveProperty("triggerAndWait");
+  });
+
+  it("instance.schedules drops `task` definition helper and `timezones` stateless helper", () => {
+    type Keys = keyof typeof client.schedules;
+    expectTypeOf<Keys>().toEqualTypeOf<
+      "activate" | "create" | "deactivate" | "del" | "list" | "retrieve" | "update"
+    >();
+    // @ts-expect-error
+    client.schedules.task;
+    // @ts-expect-error
+    client.schedules.timezones;
+    // Module-level export still has them.
+    expectTypeOf(schedules).toHaveProperty("task");
+    expectTypeOf(schedules).toHaveProperty("timezones");
+  });
+
+  it("instance.prompts drops `define`", () => {
+    // @ts-expect-error
+    client.prompts.define;
+    // Module-level export still has it.
+    expectTypeOf(prompts).toHaveProperty("define");
+  });
+
+  it("instance.auth is the public-token subset only (no configure/withAuth)", () => {
+    type Keys = keyof typeof client.auth;
+    expectTypeOf<Keys>().toEqualTypeOf<
+      "createPublicToken" | "createTriggerPublicToken" | "createBatchTriggerPublicToken"
+    >();
+    // @ts-expect-error — configure is global-only, not on the instance.
+    client.auth.configure;
+    // @ts-expect-error — withAuth is global-only.
+    client.auth.withAuth;
+    // Module-level export still has them.
+    expectTypeOf(auth).toHaveProperty("configure");
+    expectTypeOf(auth).toHaveProperty("withAuth");
+  });
+});
+
+describe("TriggerClient surface — namespaces match their module sources", () => {
+  // These are the load-bearing assertions for the bindToScope cast. If the
+  // `as unknown as Pick<T, K>` ever drops or widens the underlying signatures,
+  // these break.
+  it("client.runs is structurally `typeof runs`", () => {
+    expectTypeOf(client.runs).toEqualTypeOf<typeof runs>();
+  });
+
+  it("client.envvars is structurally `typeof envvars`", () => {
+    expectTypeOf(client.envvars).toEqualTypeOf<typeof envvars>();
+  });
+});
diff --git a/packages/trigger-sdk/test/chat-snapshot.test.ts b/packages/trigger-sdk/test/chat-snapshot.test.ts
new file mode 100644
index 00000000000..85e1fe8adef
--- /dev/null
+++ b/packages/trigger-sdk/test/chat-snapshot.test.ts
@@ -0,0 +1,276 @@
+// Import the test entry point first so the resource catalog is installed —
+// not strictly required for these helper-level tests, but keeps parity with
+// the rest of the test suite and removes a potential foot-gun if a future
+// edit introduces a chat.agent({...}) at module scope.
+import "../src/v3/test/index.js";
+
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { apiClientManager } from "@trigger.dev/core/v3";
+import {
+  __readChatSnapshotProductionPathForTests as readChatSnapshot,
+  __writeChatSnapshotProductionPathForTests as writeChatSnapshot,
+  type ChatSnapshotV1,
+} from "../src/v3/ai.js";
+
+// ── Helpers ────────────────────────────────────────────────────────────
+
+/**
+ * Build a minimal ChatSnapshotV1 with `count` user messages. Used as the
+ * production-path test payload — `messages` is the only field the runtime
+ * inspects beyond `version`.
+ */
+function buildSnapshot(count = 1): ChatSnapshotV1 {
+  return {
+    version: 1,
+    savedAt: 1_000_000,
+    messages: Array.from({ length: count }, (_, i) => ({
+      id: `m${i}`,
+      role: "user" as const,
+      parts: [{ type: "text" as const, text: `hello ${i}` }],
+    })),
+    lastOutEventId: "evt-42",
+  };
+}
+
+/**
+ * Stub `apiClientManager.clientOrThrow()` so the helpers see a fake API
+ * client whose `getChatSnapshotUrl` / `createChatSnapshotUploadUrl` resolve
+ * with the presigned URLs the test wants. Returns spies for assertion.
+ */
+function stubApiClient(opts: {
+  getChatSnapshotUrl?: (sessionId: string) => Promise<{ presignedUrl: string }>;
+  createChatSnapshotUploadUrl?: (sessionId: string) => Promise<{ presignedUrl: string }>;
+}) {
+  const getChatSnapshotUrl = vi.fn(
+    opts.getChatSnapshotUrl ??
+      (async (_sessionId: string) => ({ presignedUrl: "https://example.invalid/get" }))
+  );
+  const createChatSnapshotUploadUrl = vi.fn(
+    opts.createChatSnapshotUploadUrl ??
+      (async (_sessionId: string) => ({ presignedUrl: "https://example.invalid/put" }))
+  );
+  const fakeClient = {
+    getChatSnapshotUrl,
+    createChatSnapshotUploadUrl,
+  };
+  vi.spyOn(apiClientManager, "clientOrThrow").mockReturnValue(fakeClient as never);
+  return { getChatSnapshotUrl, createChatSnapshotUploadUrl };
+}
+
+/**
+ * Stub global `fetch` so the helpers see whatever Response (or throw) the
+ * test wants. Returns a spy keyed on the URL passed.
+ */
+function stubFetch(impl: (url: string, init?: RequestInit) => Promise<Response> | Response) {
+  const spy = vi.fn(impl);
+  vi.stubGlobal("fetch", spy);
+  return spy;
+}
+
+// ── Tests ──────────────────────────────────────────────────────────────
+
+describe("chat snapshot helpers", () => {
+  // Suppress the runtime's `logger.warn` calls — they pollute output but
+  // don't change test outcomes. Restored in afterEach.
+  let warnSpy: ReturnType<typeof vi.spyOn>;
+
+  beforeEach(() => {
+    warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+    vi.unstubAllGlobals();
+    warnSpy.mockRestore();
+  });
+
+  describe("readChatSnapshot", () => {
+    it("returns the snapshot on a successful GET", async () => {
+      const { getChatSnapshotUrl } = stubApiClient({});
+      const snapshot = buildSnapshot(2);
+      stubFetch(async () =>
+        new Response(JSON.stringify(snapshot), {
+          status: 200,
+          headers: { "content-type": "application/json" },
+        })
+      );
+
+      const result = await readChatSnapshot("session-1");
+      expect(getChatSnapshotUrl).toHaveBeenCalledWith("session-1");
+      expect(result).toMatchObject({
+        version: 1,
+        messages: snapshot.messages,
+        lastOutEventId: "evt-42",
+      });
+    });
+
+    it("returns undefined on 404 (fresh session, no snapshot yet)", async () => {
+      stubApiClient({});
+      stubFetch(async () => new Response("Not Found", { status: 404 }));
+
+      const result = await readChatSnapshot("missing-session");
+      expect(result).toBeUndefined();
+    });
+
+    it("returns undefined on non-404 non-OK (e.g. 500)", async () => {
+      stubApiClient({});
+      stubFetch(async () => new Response("Internal Error", { status: 500 }));
+
+      const result = await readChatSnapshot("flaky-session");
+      expect(result).toBeUndefined();
+    });
+
+    it("returns undefined when the response body is malformed JSON", async () => {
+      stubApiClient({});
+      stubFetch(async () =>
+        new Response("not-json-{[", {
+          status: 200,
+          headers: { "content-type": "application/json" },
+        })
+      );
+
+      const result = await readChatSnapshot("malformed-session");
+      expect(result).toBeUndefined();
+    });
+
+    it("returns undefined on version mismatch (forward-compat)", async () => {
+      stubApiClient({});
+      // Future format the current runtime can't decode — runtime ignores it.
+      const futureSnapshot = {
+        version: 99,
+        savedAt: Date.now(),
+        messages: [],
+      };
+      stubFetch(async () =>
+        new Response(JSON.stringify(futureSnapshot), {
+          status: 200,
+          headers: { "content-type": "application/json" },
+        })
+      );
+
+      const result = await readChatSnapshot("v99-session");
+      expect(result).toBeUndefined();
+    });
+
+    it("returns undefined when `messages` field is missing or wrong type", async () => {
+      stubApiClient({});
+      stubFetch(async () =>
+        new Response(JSON.stringify({ version: 1, savedAt: 1, messages: "not-an-array" }), {
+          status: 200,
+        })
+      );
+
+      const result = await readChatSnapshot("bad-shape-session");
+      expect(result).toBeUndefined();
+    });
+
+    it("returns undefined when fetch throws (network error)", async () => {
+      stubApiClient({});
+      stubFetch(async () => {
+        throw new Error("ECONNREFUSED");
+      });
+
+      const result = await readChatSnapshot("offline-session");
+      expect(result).toBeUndefined();
+    });
+
+    it("returns undefined when presign call fails", async () => {
+      stubApiClient({
+        getChatSnapshotUrl: async () => {
+          throw new Error("presign denied");
+        },
+      });
+      // No fetch should fire — presign failed.
+      const fetchSpy = stubFetch(async () => new Response("nope", { status: 500 }));
+
+      const result = await readChatSnapshot("denied-session");
+      expect(result).toBeUndefined();
+      expect(fetchSpy).not.toHaveBeenCalled();
+    });
+
+    it("returns undefined when the response is not an object", async () => {
+      stubApiClient({});
+      stubFetch(async () =>
+        new Response(JSON.stringify("just-a-string"), { status: 200 })
+      );
+
+      const result = await readChatSnapshot("string-response");
+      expect(result).toBeUndefined();
+    });
+  });
+
+  describe("writeChatSnapshot", () => {
+    it("PUTs the snapshot JSON to the presigned URL", async () => {
+      const { createChatSnapshotUploadUrl } = stubApiClient({});
+      const fetchSpy = stubFetch(async () => new Response(null, { status: 200 }));
+
+      const snapshot = buildSnapshot(3);
+      await writeChatSnapshot("session-2", snapshot);
+
+      expect(createChatSnapshotUploadUrl).toHaveBeenCalledWith("session-2");
+      expect(fetchSpy).toHaveBeenCalledOnce();
+      const [url, init] = fetchSpy.mock.calls[0]!;
+      expect(url).toBe("https://example.invalid/put");
+      expect((init as RequestInit).method).toBe("PUT");
+      expect((init as RequestInit).headers).toMatchObject({
+        "content-type": "application/json",
+      });
+      // Body is the JSON-stringified snapshot — round-trip to confirm.
+      const sentBody = JSON.parse((init as RequestInit).body as string);
+      expect(sentBody).toEqual(snapshot);
+    });
+
+    it("returns without throwing on a non-OK PUT response (warns)", async () => {
+      stubApiClient({});
+      stubFetch(async () => new Response("forbidden", { status: 403 }));
+
+      await expect(writeChatSnapshot("forbidden-session", buildSnapshot())).resolves.toBeUndefined();
+    });
+
+    it("returns without throwing on a fetch network error (warns)", async () => {
+      stubApiClient({});
+      stubFetch(async () => {
+        throw new Error("ETIMEDOUT");
+      });
+
+      await expect(writeChatSnapshot("timeout-session", buildSnapshot())).resolves.toBeUndefined();
+    });
+
+    it("returns without throwing when presign fails (warns)", async () => {
+      stubApiClient({
+        createChatSnapshotUploadUrl: async () => {
+          throw new Error("presign denied");
+        },
+      });
+      const fetchSpy = stubFetch(async () => new Response(null, { status: 200 }));
+
+      await expect(writeChatSnapshot("denied-session", buildSnapshot())).resolves.toBeUndefined();
+      // Presign failed → no PUT attempted.
+      expect(fetchSpy).not.toHaveBeenCalled();
+    });
+
+    it("addresses reads and writes by the same sessionId", async () => {
+      // Round-trip check: both presign methods receive the same sessionId.
+      // The canonical key (`sessions/{id}/snapshot.json`) lives server-side
+      // now, so the SDK has no key string to compare — sessionId equality
+      // is the SDK-visible invariant.
+      const { getChatSnapshotUrl } = stubApiClient({
+        getChatSnapshotUrl: async () => ({ presignedUrl: "https://example.invalid/get" }),
+      });
+      stubFetch(async () => new Response(null, { status: 404 }));
+
+      await readChatSnapshot("round-trip-session");
+      const [readArg] = getChatSnapshotUrl.mock.calls[0]!;
+
+      const { createChatSnapshotUploadUrl } = stubApiClient({
+        createChatSnapshotUploadUrl: async () => ({ presignedUrl: "https://example.invalid/put" }),
+      });
+      stubFetch(async () => new Response(null, { status: 200 }));
+      await writeChatSnapshot("round-trip-session", buildSnapshot());
+      const [writeArg] = createChatSnapshotUploadUrl.mock.calls[0]!;
+
+      expect(readArg).toBe(writeArg);
+      expect(readArg).toBe("round-trip-session");
+    });
+  });
+});
diff --git a/packages/trigger-sdk/test/chatHandover.test.ts b/packages/trigger-sdk/test/chatHandover.test.ts
new file mode 100644
index 00000000000..72b3fa7e448
--- /dev/null
+++ b/packages/trigger-sdk/test/chatHandover.test.ts
@@ -0,0 +1,635 @@
+// Import the test harness FIRST — installs the resource catalog so
+// `chat.agent()` calls below register their task functions correctly.
+import { mockChatAgent } from "../src/v3/test/index.js";
+
+import { describe, expect, it, vi } from "vitest";
+import { chat } from "../src/v3/ai.js";
+import { simulateReadableStream, streamText, tool } from "ai";
+import { MockLanguageModelV3 } from "ai/test";
+import type { LanguageModelV3StreamPart } from "@ai-sdk/provider";
+import { z } from "zod";
+
+// ── Helpers ────────────────────────────────────────────────────────────
+
+function textStream(text: string): ReadableStream<LanguageModelV3StreamPart> {
+  return simulateReadableStream({
+    chunks: [
+      { type: "text-start", id: "t1" },
+      { type: "text-delta", id: "t1", delta: text },
+      { type: "text-end", id: "t1" },
+      {
+        type: "finish",
+        finishReason: { unified: "stop", raw: "stop" },
+        usage: {
+          inputTokens: { total: 10, noCache: 10, cacheRead: undefined, cacheWrite: undefined },
+          outputTokens: { total: 10, text: 10, reasoning: undefined },
+        },
+      },
+    ],
+  });
+}
+
+// ── Tests ──────────────────────────────────────────────────────────────
+
+describe("chat.handover", () => {
+  it("handover-skip (error path) exits cleanly without firing turn hooks", async () => {
+    // `handover-skip` is now only sent when the customer's handler
+    // ABORTS before producing a finishReason (dispatch error). The
+    // agent run exits clean, no hooks fire. Normal pure-text and
+    // tool-call finishes go through `kind: "handover"`.
+    const onChatStart = vi.fn();
+    const onTurnStart = vi.fn();
+    const onTurnComplete = vi.fn();
+    const onPreload = vi.fn();
+    const runFn = vi.fn();
+
+    const agent = chat.agent({
+      id: "chat.handover.skip",
+      onPreload,
+      onChatStart,
+      onTurnStart,
+      onTurnComplete,
+      run: async ({ messages, signal }) => {
+        runFn();
+        return streamText({
+          model: new MockLanguageModelV3({
+            doStream: async () => ({ stream: textStream("should-not-run") }),
+          }),
+          messages,
+          abortSignal: signal,
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, {
+      chatId: "test-handover-skip",
+      mode: "handover-prepare",
+    });
+
+    try {
+      await harness.sendHandoverSkip();
+      // Give any deferred work a tick.
+      await new Promise((r) => setTimeout(r, 20));
+
+      // No turn hooks fire on skip — the run boots, waits, and exits.
+      expect(onPreload).not.toHaveBeenCalled();
+      expect(onTurnStart).not.toHaveBeenCalled();
+      expect(onTurnComplete).not.toHaveBeenCalled();
+      expect(runFn).not.toHaveBeenCalled();
+
+      // No content chunks were emitted — only the boot scaffolding (if any).
+      expect(harness.allChunks).toHaveLength(0);
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("pure-text head-start (isFinal: true) runs full hook chain WITHOUT calling streamText", async () => {
+    // Pure-text first turn: customer's step 1 produced the final
+    // response. The agent runs onChatStart → onTurnStart →
+    // onTurnComplete (so persistence works), but SKIPS the user's
+    // run() callback entirely (no LLM call, no streamText).
+    // onTurnComplete fires with the customer's partial as
+    // `responseMessage`.
+    const order: string[] = [];
+    const runFn = vi.fn();
+
+    let capturedResponse: { id?: string; partTypes?: string[]; firstText?: string } | undefined;
+
+    const agent = chat.agent({
+      id: "chat.handover.pure-text",
+      onChatStart: () => { order.push("onChatStart"); },
+      onTurnStart: () => { order.push("onTurnStart"); },
+      onTurnComplete: ({ responseMessage }) => {
+        order.push("onTurnComplete");
+        capturedResponse = {
+          id: responseMessage?.id,
+          partTypes: (responseMessage?.parts ?? []).map((p) => p.type),
+          firstText: (responseMessage?.parts ?? [])
+            .filter((p) => p.type === "text")
+            .map((p) => (p as { text?: string }).text || "")
+            .join(""),
+        };
+      },
+      run: async ({ messages, signal }) => {
+        // Should NOT be called for isFinal: true.
+        runFn();
+        return streamText({
+          model: new MockLanguageModelV3({
+            doStream: async () => ({ stream: textStream("should-not-run") }),
+          }),
+          messages,
+          abortSignal: signal,
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, {
+      chatId: "test-handover-final",
+      mode: "handover-prepare",
+    });
+
+    try {
+      await harness.sendHandover({
+        partialAssistantMessage: [
+          {
+            role: "assistant",
+            content: [{ type: "text", text: "Hi there, hope you're well." }],
+          },
+        ],
+        messageId: "asst-msg-1",
+        isFinal: true,
+      });
+      // `onTurnComplete` fires AFTER the `trigger:turn-complete` chunk,
+      // and the harness's `sendHandover` resolves on that chunk —
+      // give onTurnComplete a tick to run.
+      await new Promise((r) => setTimeout(r, 30));
+
+      // All three hooks fired in order.
+      expect(order).toEqual(["onChatStart", "onTurnStart", "onTurnComplete"]);
+      // The user's run() was NEVER invoked — no LLM call from the agent.
+      expect(runFn).not.toHaveBeenCalled();
+
+      // onTurnComplete saw the customer's partial as responseMessage,
+      // with the matching messageId for browser-side merging.
+      expect(capturedResponse).toBeDefined();
+      expect(capturedResponse!.id).toBe("asst-msg-1");
+      expect(capturedResponse!.partTypes).toContain("text");
+      expect(capturedResponse!.firstText).toBe("Hi there, hope you're well.");
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("handover with schema-only pending tool-call resumes via approval-driven execution", async () => {
+    // Customer-side tools are schema-only (no `execute` fn) — AI SDK
+    // doesn't execute them, so `result.response.messages` after step 1
+    // contains JUST the assistant message with the pending tool-call.
+    // `chat-server.ts` reshapes this into AI SDK's tool-approval round
+    // (assistant + tool-approval-request, tool with tool-approval-response)
+    // before sending the handover signal. That's the wire shape this
+    // test simulates.
+    //
+    // The agent ships the same tool — but with the heavy `execute` fn.
+    // When the next `streamText` runs, AI SDK's initial-tool-execution
+    // branch (stream-text.ts:1342-1486) sees the approval round, runs
+    // the agent-side execute, and synthesizes a tool-result before the
+    // step-2 LLM call.
+    const toolExecute = vi.fn(async ({ city }: { city: string }) => ({
+      city,
+      temp: 22,
+    }));
+
+    const weatherTool = tool({
+      description: "Look up weather",
+      inputSchema: z.object({ city: z.string() }),
+      execute: toolExecute,
+    });
+
+    const stepTwoStream = textStream("the weather in tokyo is 22°C");
+
+    const agent = chat.agent({
+      id: "chat.handover.schema-only-tool",
+      run: async ({ messages, signal }) => {
+        return streamText({
+          model: new MockLanguageModelV3({
+            doStream: async () => ({ stream: stepTwoStream }),
+          }),
+          messages,
+          tools: { weather: weatherTool },
+          abortSignal: signal,
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, {
+      chatId: "test-handover-schema-only",
+      mode: "handover-prepare",
+    });
+
+    try {
+      const turn = await harness.sendHandover({
+        isFinal: false, // pending tool-call → agent runs streamText
+        partialAssistantMessage: [
+          {
+            role: "assistant",
+            content: [
+              { type: "text", text: "let me check the weather" },
+              {
+                type: "tool-call",
+                toolCallId: "tc-1",
+                toolName: "weather",
+                input: { city: "tokyo" },
+              },
+              {
+                type: "tool-approval-request",
+                approvalId: "handover-approval-1",
+                toolCallId: "tc-1",
+              },
+            ],
+          },
+          {
+            role: "tool",
+            content: [
+              {
+                type: "tool-approval-response",
+                approvalId: "handover-approval-1",
+                approved: true,
+              },
+            ],
+          },
+        ],
+      });
+
+      // The agent-side execute ran (this is the whole point of the
+      // schema-only-on-customer pattern).
+      expect(toolExecute).toHaveBeenCalledWith(
+        expect.objectContaining({ city: "tokyo" }),
+        expect.anything()
+      );
+
+      // Step-2 produced text was streamed through session.out.
+      const text = turn.chunks
+        .filter((c) => c.type === "text-delta")
+        .map((c) => (c as { delta: string }).delta)
+        .join("");
+      expect(text).toContain("tokyo");
+      expect(text).toContain("22°C");
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("pure-text head-start preserves reasoning parts in the response (TRI-10716)", async () => {
+    // Extended-thinking models stream a reasoning part in step 1. The
+    // synthesized partial must carry it (with provider metadata, so an
+    // Anthropic signature survives a UIMessage -> ModelMessage round
+    // trip) or the durable history loses the step-1 thinking.
+    let captured:
+      | { partTypes?: string[]; reasoningText?: string; meta?: unknown }
+      | undefined;
+
+    const agent = chat.agent({
+      id: "chat.handover.reasoning",
+      onTurnComplete: ({ responseMessage }) => {
+        const parts = responseMessage?.parts ?? [];
+        captured = {
+          partTypes: parts.map((p) => p.type),
+          reasoningText: parts
+            .filter((p) => p.type === "reasoning")
+            .map((p) => (p as { text?: string }).text || "")
+            .join(""),
+          meta: (parts.find((p) => p.type === "reasoning") as
+            | { providerMetadata?: unknown }
+            | undefined)?.providerMetadata,
+        };
+      },
+      run: async ({ messages, signal }) => {
+        return streamText({
+          model: new MockLanguageModelV3({
+            doStream: async () => ({ stream: textStream("should-not-run") }),
+          }),
+          messages,
+          abortSignal: signal,
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, {
+      chatId: "test-handover-reasoning",
+      mode: "handover-prepare",
+    });
+
+    try {
+      await harness.sendHandover({
+        partialAssistantMessage: [
+          {
+            role: "assistant",
+            content: [
+              {
+                type: "reasoning",
+                text: "thinking about the greeting",
+                providerOptions: { anthropic: { signature: "sig-abc" } },
+              },
+              { type: "text", text: "Hello!" },
+            ],
+          },
+        ],
+        messageId: "asst-reason-1",
+        isFinal: true,
+      });
+      await new Promise((r) => setTimeout(r, 30));
+
+      expect(captured).toBeDefined();
+      expect(captured!.partTypes).toEqual(["reasoning", "text"]);
+      expect(captured!.reasoningText).toBe("thinking about the greeting");
+      expect(captured!.meta).toEqual({ anthropic: { signature: "sig-abc" } });
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("pure-text head-start (isFinal: true) with hydrateMessages persists the partial (TRI-10715)", async () => {
+    // Same as the pure-text case above, but the customer registers
+    // `hydrateMessages` (the documented DB-as-source-of-truth pattern).
+    // The head-start user message must reach the hydrate hook as
+    // `incomingMessages`, and the warm route's partial must land in the
+    // accumulator so `onTurnComplete` carries the full first turn.
+    const runFn = vi.fn();
+    const stored: { id: string; role: string; parts: unknown[] }[] = [];
+    const hydrateIncomingRoles: string[] = [];
+    let captured:
+      | { responseId?: string; responseText?: string; roles?: string[] }
+      | undefined;
+
+    const agent = chat.agent({
+      id: "chat.handover.hydrate-pure-text",
+      hydrateMessages: async ({ incomingMessages }) => {
+        hydrateIncomingRoles.push(...incomingMessages.map((m) => m.role));
+        for (const m of incomingMessages) {
+          if (!stored.some((s) => s.id === m.id)) stored.push(m as (typeof stored)[number]);
+        }
+        return [...stored] as never;
+      },
+      onTurnComplete: ({ responseMessage, uiMessages }) => {
+        captured = {
+          responseId: responseMessage?.id,
+          responseText: (responseMessage?.parts ?? [])
+            .filter((p) => p.type === "text")
+            .map((p) => (p as { text?: string }).text || "")
+            .join(""),
+          roles: uiMessages.map((m) => m.role),
+        };
+      },
+      run: async ({ messages, signal }) => {
+        runFn();
+        return streamText({
+          model: new MockLanguageModelV3({
+            doStream: async () => ({ stream: textStream("should-not-run") }),
+          }),
+          messages,
+          abortSignal: signal,
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, {
+      chatId: "test-handover-hydrate-final",
+      mode: "handover-prepare",
+      headStartMessages: [
+        { id: "hs-user-1", role: "user", parts: [{ type: "text", text: "say hi" }] },
+      ],
+    });
+
+    try {
+      await harness.sendHandover({
+        partialAssistantMessage: [
+          {
+            role: "assistant",
+            content: [{ type: "text", text: "Hi there, hope you're well." }],
+          },
+        ],
+        messageId: "asst-hydrate-1",
+        isFinal: true,
+      });
+      await new Promise((r) => setTimeout(r, 30));
+
+      // isFinal — the agent never calls the user's run().
+      expect(runFn).not.toHaveBeenCalled();
+
+      // The head-start user message reached the hydrate hook as incoming.
+      expect(hydrateIncomingRoles).toContain("user");
+
+      // onTurnComplete carries the full first turn: user + the warm
+      // route's assistant, under the handover messageId.
+      expect(captured).toBeDefined();
+      expect(captured!.roles).toEqual(["user", "assistant"]);
+      expect(captured!.responseId).toBe("asst-hydrate-1");
+      expect(captured!.responseText).toBe("Hi there, hope you're well.");
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("tool-call handover (isFinal: false) with hydrateMessages resumes from step 2 (TRI-10715)", async () => {
+    // Hydrate variant of the schema-only tool-call case: the spliced
+    // partial (assistant + approval round) must reach the agent's
+    // streamText so AI SDK executes the pending tool instead of
+    // re-running step 1 from scratch against an empty/short prompt.
+    const toolExecute = vi.fn(async ({ city }: { city: string }) => ({ city, temp: 22 }));
+    const weatherTool = tool({
+      description: "Look up weather",
+      inputSchema: z.object({ city: z.string() }),
+      execute: toolExecute,
+    });
+
+    const stored: { id: string; role: string; parts: unknown[] }[] = [];
+    let runMessageRoles: string[] | undefined;
+    let captured: { roles?: string[]; assistantIds?: (string | undefined)[] } | undefined;
+
+    const agent = chat.agent({
+      id: "chat.handover.hydrate-schema-only-tool",
+      hydrateMessages: async ({ incomingMessages }) => {
+        for (const m of incomingMessages) {
+          if (!stored.some((s) => s.id === m.id)) stored.push(m as (typeof stored)[number]);
+        }
+        return [...stored] as never;
+      },
+      onTurnComplete: ({ uiMessages }) => {
+        captured = {
+          roles: uiMessages.map((m) => m.role),
+          assistantIds: uiMessages.filter((m) => m.role === "assistant").map((m) => m.id),
+        };
+      },
+      run: async ({ messages, signal }) => {
+        runMessageRoles = messages.map((m) => m.role);
+        return streamText({
+          model: new MockLanguageModelV3({
+            doStream: async () => ({ stream: textStream("the weather in tokyo is 22°C") }),
+          }),
+          messages,
+          tools: { weather: weatherTool },
+          abortSignal: signal,
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, {
+      chatId: "test-handover-hydrate-tool",
+      mode: "handover-prepare",
+      headStartMessages: [
+        { id: "hs-user-2", role: "user", parts: [{ type: "text", text: "weather in tokyo?" }] },
+      ],
+    });
+
+    try {
+      const turn = await harness.sendHandover({
+        isFinal: false,
+        messageId: "asst-hydrate-2",
+        partialAssistantMessage: [
+          {
+            role: "assistant",
+            content: [
+              { type: "text", text: "let me check the weather" },
+              {
+                type: "tool-call",
+                toolCallId: "tc-h1",
+                toolName: "weather",
+                input: { city: "tokyo" },
+              },
+              {
+                type: "tool-approval-request",
+                approvalId: "handover-approval-h1",
+                toolCallId: "tc-h1",
+              },
+            ],
+          },
+          {
+            role: "tool",
+            content: [
+              {
+                type: "tool-approval-response",
+                approvalId: "handover-approval-h1",
+                approved: true,
+              },
+            ],
+          },
+        ],
+      });
+      await new Promise((r) => setTimeout(r, 30));
+
+      // The resume prompt contained the full splice: user + partial
+      // assistant + approval round — NOT an empty/user-only prompt.
+      expect(runMessageRoles).toEqual(["user", "assistant", "tool"]);
+
+      // AI SDK's initial-tool-execution branch ran the agent-side
+      // execute (no step-1 re-run).
+      expect(toolExecute).toHaveBeenCalledWith(
+        expect.objectContaining({ city: "tokyo" }),
+        expect.anything()
+      );
+
+      // Step-2 text streamed through session.out.
+      const text = turn.chunks
+        .filter((c) => c.type === "text-delta")
+        .map((c) => (c as { delta: string }).delta)
+        .join("");
+      expect(text).toContain("tokyo");
+
+      // One assistant in the final chain, under the handover messageId.
+      expect(captured).toBeDefined();
+      expect(captured!.roles).toEqual(["user", "assistant"]);
+      expect(captured!.assistantIds).toEqual(["asst-hydrate-2"]);
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("onTurnStart fires after the handover signal arrives (lazy)", async () => {
+    // Hooks should not fire during the wait — only once handover lands
+    // and a real turn begins. Verifies the order so customers can
+    // mutate `chat.history` inside `onTurnStart` knowing the partial
+    // assistant message is in scope.
+    const events: string[] = [];
+
+    const agent = chat.agent({
+      id: "chat.handover.lazy-hooks",
+      onPreload: () => {
+        events.push("onPreload");
+      },
+      onChatStart: () => {
+        events.push("onChatStart");
+      },
+      onTurnStart: () => {
+        events.push("onTurnStart");
+      },
+      onTurnComplete: () => {
+        events.push("onTurnComplete");
+      },
+      run: async ({ messages, signal }) => {
+        events.push("run");
+        return streamText({
+          model: new MockLanguageModelV3({
+            doStream: async () => ({ stream: textStream("ok") }),
+          }),
+          messages,
+          abortSignal: signal,
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, {
+      chatId: "test-handover-lazy",
+      mode: "handover-prepare",
+    });
+
+    try {
+      // Before the signal lands, no hook should have fired.
+      await new Promise((r) => setTimeout(r, 20));
+      expect(events).toEqual([]);
+
+      await harness.sendHandover({
+        isFinal: false, // exercise the full streamText path
+        partialAssistantMessage: [
+          { role: "assistant", content: [{ type: "text", text: "warming up" }] },
+        ],
+      });
+      // Let any deferred onTurnComplete fire.
+      await new Promise((r) => setTimeout(r, 20));
+
+      // onPreload never fires for handover-prepare. Everything else
+      // fires once the partial lands — onChatStart still runs (first
+      // turn invariant), then onTurnStart, run, onTurnComplete.
+      expect(events).not.toContain("onPreload");
+      expect(events).toContain("onChatStart");
+      expect(events).toContain("onTurnStart");
+      expect(events).toContain("run");
+      expect(events).toContain("onTurnComplete");
+      // Order: hooks before run, run before onTurnComplete.
+      expect(events.indexOf("onTurnStart")).toBeLessThan(events.indexOf("run"));
+      expect(events.indexOf("run")).toBeLessThan(events.indexOf("onTurnComplete"));
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("idle timeout exits cleanly when no handover signal is sent", async () => {
+    // Customer's POST handler crashed before signaling. The agent
+    // should not hang forever — wait the configured idleTimeoutInSeconds
+    // and exit, just like the handover-skip case.
+    const onTurnStart = vi.fn();
+    const onTurnComplete = vi.fn();
+
+    const agent = chat.agent({
+      id: "chat.handover.idle-timeout",
+      idleTimeoutInSeconds: 1, // 1s — enough for the wait + exit.
+      onTurnStart,
+      onTurnComplete,
+      run: async ({ messages, signal }) => {
+        return streamText({
+          model: new MockLanguageModelV3({
+            doStream: async () => ({ stream: textStream("never") }),
+          }),
+          messages,
+          abortSignal: signal,
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, {
+      chatId: "test-handover-timeout",
+      mode: "handover-prepare",
+    });
+
+    try {
+      // Wait long enough for the idle timeout to fire.
+      await new Promise((r) => setTimeout(r, 1500));
+
+      expect(onTurnStart).not.toHaveBeenCalled();
+      expect(onTurnComplete).not.toHaveBeenCalled();
+      expect(harness.allChunks).toHaveLength(0);
+    } finally {
+      await harness.close();
+    }
+  });
+});
diff --git a/packages/trigger-sdk/test/merge-by-id.test.ts b/packages/trigger-sdk/test/merge-by-id.test.ts
new file mode 100644
index 00000000000..1c0091273cc
--- /dev/null
+++ b/packages/trigger-sdk/test/merge-by-id.test.ts
@@ -0,0 +1,158 @@
+// Plan F.1: pure-function correctness tests for `mergeByIdReplaceWins`,
+// the helper that combines `snapshot.messages` with `session.out` replay
+// at run boot (plan section B.3). Replay wins on id collision because
+// `session.out` carries the freshest representation of an assistant
+// message.
+
+import "../src/v3/test/index.js";
+
+import type { UIMessage } from "ai";
+import { describe, expect, it } from "vitest";
+import { __mergeByIdReplaceWinsForTests as mergeByIdReplaceWins } from "../src/v3/ai.js";
+
+// ── Helpers ────────────────────────────────────────────────────────────
+
+function userMessage(id: string, text: string): UIMessage {
+  return {
+    id,
+    role: "user",
+    parts: [{ type: "text", text }],
+  };
+}
+
+function assistantMessage(id: string, text: string): UIMessage {
+  return {
+    id,
+    role: "assistant",
+    parts: [{ type: "text", text }],
+  };
+}
+
+// ── Tests ──────────────────────────────────────────────────────────────
+
+describe("mergeByIdReplaceWins", () => {
+  it("returns a copy of `a` when `b` is empty", () => {
+    const a = [userMessage("u-1", "hello")];
+    const result = mergeByIdReplaceWins(a, []);
+    expect(result).toEqual(a);
+    // Verify it's a copy (mutating result shouldn't touch a).
+    result.push(assistantMessage("a-1", "extra"));
+    expect(a).toHaveLength(1);
+  });
+
+  it("returns a copy of `b` when `a` is empty", () => {
+    const b = [assistantMessage("a-1", "world")];
+    const result = mergeByIdReplaceWins([], b);
+    expect(result).toEqual(b);
+    result.push(userMessage("u-extra", "extra"));
+    expect(b).toHaveLength(1);
+  });
+
+  it("returns [] when both inputs are empty", () => {
+    expect(mergeByIdReplaceWins([], [])).toEqual([]);
+  });
+
+  it("appends fresh ids from `b` after `a`'s entries", () => {
+    const a = [userMessage("u-1", "hi")];
+    const b = [assistantMessage("a-1", "ok")];
+    const result = mergeByIdReplaceWins(a, b);
+    expect(result.map((m) => m.id)).toEqual(["u-1", "a-1"]);
+    expect(result[0]!.role).toBe("user");
+    expect(result[1]!.role).toBe("assistant");
+  });
+
+  it("replaces by id when `b` has a colliding entry — replay wins", () => {
+    const a = [
+      userMessage("u-1", "hi"),
+      assistantMessage("a-1", "stale-version"),
+    ];
+    const b = [assistantMessage("a-1", "fresh-version")];
+    const result = mergeByIdReplaceWins(a, b);
+    expect(result).toHaveLength(2);
+    expect(result[1]!.id).toBe("a-1");
+    expect((result[1]!.parts[0] as { text: string }).text).toBe("fresh-version");
+  });
+
+  it("preserves order from `a` even when entries are replaced", () => {
+    const a = [
+      userMessage("u-1", "first"),
+      assistantMessage("a-1", "stale"),
+      userMessage("u-2", "second"),
+      assistantMessage("a-2", "also-stale"),
+    ];
+    const b = [
+      assistantMessage("a-1", "fresh-1"),
+      assistantMessage("a-2", "fresh-2"),
+    ];
+    const result = mergeByIdReplaceWins(a, b);
+    expect(result.map((m) => m.id)).toEqual(["u-1", "a-1", "u-2", "a-2"]);
+    expect((result[1]!.parts[0] as { text: string }).text).toBe("fresh-1");
+    expect((result[3]!.parts[0] as { text: string }).text).toBe("fresh-2");
+  });
+
+  it("appends `b` entries with no id collision after the merged set", () => {
+    const a = [userMessage("u-1", "first")];
+    const b = [
+      assistantMessage("a-1", "reply-1"),
+      userMessage("u-2", "second"),
+      assistantMessage("a-2", "reply-2"),
+    ];
+    const result = mergeByIdReplaceWins(a, b);
+    expect(result.map((m) => m.id)).toEqual(["u-1", "a-1", "u-2", "a-2"]);
+  });
+
+  it("treats messages without an id as always-append (no collision possible)", () => {
+    const a = [
+      userMessage("u-1", "first"),
+      // Synthetic message missing the id field — should append, never replace.
+      { id: "" as string, role: "assistant", parts: [{ type: "text", text: "no-id-a" }] } as UIMessage,
+    ];
+    const b = [
+      { id: "" as string, role: "assistant", parts: [{ type: "text", text: "no-id-b" }] } as UIMessage,
+    ];
+    const result = mergeByIdReplaceWins(a, b);
+    expect(result).toHaveLength(3);
+    // Both empty-id messages survive — no merge happens.
+    const noIdParts = result
+      .filter((m) => m.id === "")
+      .map((m) => (m.parts[0] as { text: string }).text);
+    expect(noIdParts).toEqual(["no-id-a", "no-id-b"]);
+  });
+
+  it("handles consecutive replays of the same id in `b` — last one wins", () => {
+    // Edge case: `b` has two entries with the same id (shouldn't happen
+    // for assistants in practice, but the helper must be deterministic).
+    const a = [assistantMessage("a-1", "v0")];
+    const b = [assistantMessage("a-1", "v1"), assistantMessage("a-1", "v2")];
+    const result = mergeByIdReplaceWins(a, b);
+    expect(result).toHaveLength(1);
+    expect((result[0]!.parts[0] as { text: string }).text).toBe("v2");
+  });
+
+  it("preserves user messages (only assistants come from replay) — semantic check", () => {
+    // The runtime contract: `session.out` contains assistant chunks only,
+    // so `b` should never contain user messages. If it does (defensively),
+    // the merge still works — but we lock down the typical pattern here.
+    const a = [
+      userMessage("u-1", "first"),
+      assistantMessage("a-1", "stale"),
+      userMessage("u-2", "second"),
+    ];
+    const b = [assistantMessage("a-1", "fresh")];
+    const result = mergeByIdReplaceWins(a, b);
+    // User messages from snapshot survive untouched.
+    expect(result.filter((m) => m.role === "user").map((m) => m.id)).toEqual(["u-1", "u-2"]);
+  });
+
+  it("does not mutate either input array", () => {
+    const a = [userMessage("u-1", "hi"), assistantMessage("a-1", "stale")];
+    const b = [assistantMessage("a-1", "fresh"), userMessage("u-2", "next")];
+    const aSnapshot = JSON.stringify(a);
+    const bSnapshot = JSON.stringify(b);
+
+    mergeByIdReplaceWins(a, b);
+
+    expect(JSON.stringify(a)).toBe(aSnapshot);
+    expect(JSON.stringify(b)).toBe(bSnapshot);
+  });
+});
diff --git a/packages/trigger-sdk/test/mockChatAgent.test.ts b/packages/trigger-sdk/test/mockChatAgent.test.ts
new file mode 100644
index 00000000000..c2001de723f
--- /dev/null
+++ b/packages/trigger-sdk/test/mockChatAgent.test.ts
@@ -0,0 +1,2282 @@
+// Import the test harness FIRST — this installs the resource catalog so
+// `chat.agent()` calls below register their task functions correctly.
+import { mockChatAgent } from "../src/v3/test/index.js";
+
+import { describe, expect, it, vi } from "vitest";
+import { chat } from "../src/v3/ai.js";
+import { locals } from "@trigger.dev/core/v3";
+import { simulateReadableStream, streamText, tool, validateUIMessages } from "ai";
+import { MockLanguageModelV3 } from "ai/test";
+import type { LanguageModelV3StreamPart } from "@ai-sdk/provider";
+import { z } from "zod";
+
+// ── Helpers ────────────────────────────────────────────────────────────
+
+function userMessage(text: string, id = "u-" + Math.random().toString(36).slice(2)) {
+  return {
+    id,
+    role: "user" as const,
+    parts: [{ type: "text" as const, text }],
+  };
+}
+
+function textStream(text: string) {
+  const chunks: LanguageModelV3StreamPart[] = [
+    { type: "text-start", id: "t1" },
+    { type: "text-delta", id: "t1", delta: text },
+    { type: "text-end", id: "t1" },
+    {
+      type: "finish",
+      finishReason: { unified: "stop", raw: "stop" },
+      usage: {
+        inputTokens: { total: 10, noCache: 10, cacheRead: undefined, cacheWrite: undefined },
+        outputTokens: { total: 10, text: 10, reasoning: undefined },
+      },
+    },
+  ];
+  return simulateReadableStream({ chunks });
+}
+
+// ── Tests ──────────────────────────────────────────────────────────────
+
+describe("mockChatAgent", () => {
+  it("throws when no agent is registered with the given id", () => {
+    expect(() => mockChatAgent({ id: "does-not-exist" })).toThrow(/no task registered/);
+  });
+
+  it("drives a chat.agent through a single turn and captures output chunks", async () => {
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("hello world") }),
+    });
+
+    const agent = chat.agent({
+      id: "mockChatAgent.basic-flow",
+      run: async ({ messages, signal }) => {
+        return streamText({
+          model,
+          messages,
+          abortSignal: signal,
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-basic" });
+    try {
+      const turn = await harness.sendMessage(userMessage("hi"));
+
+      const textDeltas = turn.chunks
+        .filter((c) => c.type === "text-delta")
+        .map((c) => (c as { delta: string }).delta)
+        .join("");
+      expect(textDeltas).toBe("hello world");
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("fires onTurnStart and onTurnComplete hooks in order", async () => {
+    const events: string[] = [];
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("hi") }),
+    });
+
+    const agent = chat.agent({
+      id: "mockChatAgent.hook-order",
+      onChatStart: async () => {
+        events.push("onChatStart");
+      },
+      onTurnStart: async () => {
+        events.push("onTurnStart");
+      },
+      onBeforeTurnComplete: async () => {
+        events.push("onBeforeTurnComplete");
+      },
+      onTurnComplete: async () => {
+        events.push("onTurnComplete");
+      },
+      run: async ({ messages, signal }) => {
+        events.push("run");
+        return streamText({ model, messages, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-hooks" });
+    try {
+      await harness.sendMessage(userMessage("hello"));
+      // onTurnComplete may fire after the turn-complete chunk is written,
+      // so give it a tick to run before we assert.
+      await new Promise((r) => setTimeout(r, 20));
+      expect(events).toEqual([
+        "onChatStart",
+        "onTurnStart",
+        "run",
+        "onBeforeTurnComplete",
+        "onTurnComplete",
+      ]);
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("can send multiple messages across turns", async () => {
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("reply") }),
+    });
+
+    const seenMessages: number[] = [];
+    const agent = chat.agent({
+      id: "mockChatAgent.multi-turn",
+      run: async ({ messages, signal }) => {
+        seenMessages.push(messages.length);
+        return streamText({ model, messages, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-multi" });
+    try {
+      await harness.sendMessage(userMessage("first"));
+      await harness.sendMessage(userMessage("second"));
+      await harness.sendMessage(userMessage("third"));
+
+      // Each turn sees an accumulator growing by (user + assistant) * turn
+      // Turn 1: just the user message
+      // Turn 2: user + assistant + user = 3 messages
+      // Turn 3: 5 messages
+      expect(seenMessages).toEqual([1, 3, 5]);
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("invokes hydrateMessages on every turn with incoming wire messages", async () => {
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("ok") }),
+    });
+
+    const hydrateSpy = vi.fn(async ({ incomingMessages }) => {
+      // Echo back whatever the frontend sent
+      return incomingMessages;
+    });
+
+    const agent = chat.agent({
+      id: "mockChatAgent.hydrate",
+      hydrateMessages: hydrateSpy,
+      run: async ({ messages, signal }) => {
+        return streamText({ model, messages, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-hydrate" });
+    try {
+      await harness.sendMessage(userMessage("hi", "u-first"));
+
+      expect(hydrateSpy).toHaveBeenCalledTimes(1);
+      const call = hydrateSpy.mock.calls[0]![0] as { incomingMessages: { id: string }[] };
+      expect(call.incomingMessages).toHaveLength(1);
+      expect(call.incomingMessages[0]!.id).toBe("u-first");
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("hydrate path: fresh user message lands in onTurnComplete.newUIMessages", async () => {
+    // The dedup that suppresses HITL-continuation pushes to
+    // `turnNewUIMessages` must compare against the PRE-hydration
+    // accumulator, not the post-hydration chain. A `hydrateMessages`
+    // hook that pushes the incoming user message into its persisted
+    // chain (the canonical pattern documented in
+    // /ai-chat/lifecycle-hooks#hydratemessages and the
+    // `upsertIncomingMessage` helper) would otherwise see the new
+    // user message in the returned `hydrated` array for every fresh
+    // turn, causing the dedup to wrongly fire and drop the user
+    // message from `newUIMessages` / `newMessages`.
+    const stored: any[] = [];
+
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("hi") }),
+    });
+
+    let capturedNewUIMessages: any[] | undefined;
+    const agent = chat.agent({
+      id: "mockChatAgent.hydrate-newui-fresh-user",
+      hydrateMessages: async ({ trigger, incomingMessages }) => {
+        // Canonical pattern: push the incoming user message into the
+        // persisted chain and return the chain. Mirrors what
+        // `upsertIncomingMessage` does.
+        if (trigger === "submit-message" && incomingMessages.length > 0) {
+          const newMsg = incomingMessages[incomingMessages.length - 1]!;
+          const exists = newMsg.id
+            ? stored.some((m) => m.id === newMsg.id)
+            : false;
+          if (!exists) stored.push(newMsg);
+        }
+        return [...stored];
+      },
+      onTurnComplete: async ({ newUIMessages }) => {
+        capturedNewUIMessages = newUIMessages;
+      },
+      run: async ({ messages, signal }) => {
+        return streamText({ model, messages, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-hydrate-newui-fresh-user" });
+    try {
+      await harness.sendMessage(userMessage("hello", "u-fresh"));
+      await new Promise((r) => setTimeout(r, 50));
+
+      // `newUIMessages` for a fresh user turn must contain BOTH the
+      // user message and the assistant response. The bug surfaces as
+      // length=1 (assistant only — user dropped by the wrong dedup).
+      expect(capturedNewUIMessages).toBeDefined();
+      const roles = capturedNewUIMessages!.map((m: any) => m.role);
+      expect(roles).toEqual(["user", "assistant"]);
+      expect(capturedNewUIMessages![0]!.id).toBe("u-fresh");
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("merges HITL tool answer onto head assistant when AI SDK regenerates the id", async () => {
+    // Regression for TRI-9137: customers (Arena AI) report that the AI SDK
+    // intermittently mints a fresh id on `addToolOutput` resume, breaking
+    // id-based dedup. Our SDK records `toolCallId → head messageId` whenever
+    // an assistant with tool parts lands in the accumulator and uses that
+    // map as a fallback in the merge so a fresh-id incoming still attaches
+    // to the right head.
+
+    const askUserTool = tool({
+      description: "Ask the user a question.",
+      inputSchema: z.object({ question: z.string() }),
+      // No execute — HITL round-trip via addToolOutput.
+    });
+
+    const HEAD_TOOL_CALL_ID = "tc_regression_9137";
+
+    // Turn 1: model emits a tool-call for askUser. No text, no finish-reason
+    // logic beyond `tool-calls`. Agent's response will carry a tool-input-
+    // available part with HEAD_TOOL_CALL_ID.
+    const turn1Stream = simulateReadableStream({
+      chunks: [
+        { type: "tool-input-start", id: HEAD_TOOL_CALL_ID, toolName: "askUser" },
+        {
+          type: "tool-input-delta",
+          id: HEAD_TOOL_CALL_ID,
+          delta: JSON.stringify({ question: "what color?" }),
+        },
+        { type: "tool-input-end", id: HEAD_TOOL_CALL_ID },
+        {
+          type: "tool-call",
+          toolCallId: HEAD_TOOL_CALL_ID,
+          toolName: "askUser",
+          input: JSON.stringify({ question: "what color?" }),
+        },
+        {
+          type: "finish",
+          finishReason: { unified: "tool-calls", raw: "tool_calls" },
+          usage: {
+            inputTokens: { total: 10, noCache: 10, cacheRead: undefined, cacheWrite: undefined },
+            outputTokens: { total: 10, text: 0, reasoning: undefined },
+          },
+        },
+      ] as LanguageModelV3StreamPart[],
+    });
+
+    // Turn 2: model produces a final text response — exercises the post-HITL
+    // continuation streamText after the tool answer is merged in.
+    const turn2Stream = textStream("blue is great");
+
+    let callIdx = 0;
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: callIdx++ === 0 ? turn1Stream : turn2Stream }),
+    });
+
+    const turnsSeen: { turn: number; uiMessages: any[] }[] = [];
+
+    const agent = chat.agent({
+      id: "mockChatAgent.hitl-id-regen",
+      onTurnComplete: async ({ turn, uiMessages }) => {
+        turnsSeen.push({
+          turn,
+          uiMessages: uiMessages.map((m) => ({
+            id: m.id,
+            role: m.role,
+            toolStates: (m.parts ?? [])
+              .filter((p: any) => typeof p?.toolCallId === "string")
+              .map((p: any) => ({ toolCallId: p.toolCallId, state: p.state })),
+          })),
+        });
+      },
+      run: async ({ messages, signal }) => {
+        return streamText({ model, messages, tools: { askUser: askUserTool }, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-hitl-id-regen" });
+    try {
+      // Turn 1: user message → agent emits tool-input-available for askUser
+      await harness.sendMessage(userMessage("hi"));
+      await new Promise((r) => setTimeout(r, 50));
+
+      // Capture the head assistant id the agent produced.
+      const turn1 = turnsSeen.at(-1);
+      const headAssistant = turn1?.uiMessages.find(
+        (m) => m.role === "assistant" && m.toolStates.length > 0
+      );
+      expect(headAssistant?.id).toBeTruthy();
+      const HEAD_ID = headAssistant!.id as string;
+
+      // Turn 2: simulate AI SDK regenerating the assistant id on
+      // addToolOutput resume — fresh id, but the same toolCallId in
+      // tool-output-available state.
+      const FRESH_ID = "regenerated-by-ai-sdk-" + Math.random().toString(36).slice(2);
+      const toolAnswerMessage = {
+        id: FRESH_ID,
+        role: "assistant" as const,
+        parts: [
+          {
+            type: "tool-askUser",
+            toolCallId: HEAD_TOOL_CALL_ID,
+            state: "output-available" as const,
+            input: { question: "what color?" },
+            output: { color: "blue" },
+          },
+        ],
+      };
+      await harness.sendMessage(toolAnswerMessage as any);
+      await new Promise((r) => setTimeout(r, 50));
+
+      // The merge must rewrite FRESH_ID back to HEAD_ID via the toolCallId
+      // map, attaching the tool answer to the existing head — no duplicate.
+      const turn2 = turnsSeen.at(-1);
+      expect(turn2).toBeTruthy();
+      const assistantsWithToolCall = turn2!.uiMessages.filter(
+        (m) =>
+          m.role === "assistant" &&
+          m.toolStates.some((t: any) => t.toolCallId === HEAD_TOOL_CALL_ID)
+      );
+      expect(assistantsWithToolCall).toHaveLength(1);
+      expect(assistantsWithToolCall[0]!.id).toBe(HEAD_ID);
+      expect(turn2!.uiMessages.find((m) => m.id === FRESH_ID)).toBeUndefined();
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("merges a slim wire copy onto a hydrated message — keeps hydrated `input`, overlays wire `output`", async () => {
+    // HITL continuations on reasoning-heavy turns ship a slim assistant
+    // message (resolved tool parts only, no `input`, no reasoning, no
+    // text) so the payload fits the `.in/append` cap. `hydrateMessages`
+    // returns the full DB-backed copy. The per-turn merge has to keep
+    // the hydrated `input` and overlay only the wire's `state` +
+    // `output` — otherwise the next LLM call ships a tool call with no
+    // `arguments` and the provider 400s.
+    const searchTool = tool({
+      description: "Search.",
+      inputSchema: z.object({ query: z.string() }),
+    });
+
+    const TC = "tc_slim_merge";
+    const HEAD_ID = "a-head-slim";
+
+    // The customer's DB-backed copy. Tool part has the original `input`
+    // intact and is sitting in `input-available` (HITL waiting).
+    const dbAssistant = {
+      id: HEAD_ID,
+      role: "assistant" as const,
+      parts: [
+        {
+          type: "tool-search" as const,
+          toolCallId: TC,
+          state: "input-available" as const,
+          input: { query: "trigger.dev pricing" },
+        },
+      ],
+    };
+
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("ok") }),
+    });
+
+    let mergedToolPart: any;
+    const agent = chat.agent({
+      id: "mockChatAgent.slim-wire-merge",
+      hydrateMessages: async () => [dbAssistant as any],
+      onTurnComplete: async ({ uiMessages }) => {
+        const head = uiMessages.find((m: any) => m.id === HEAD_ID);
+        mergedToolPart = (head?.parts ?? []).find(
+          (p: any) => p?.toolCallId === TC
+        );
+      },
+      run: async ({ messages, signal }) => {
+        return streamText({
+          model,
+          messages,
+          tools: { search: searchTool },
+          abortSignal: signal,
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-slim-wire" });
+    try {
+      // Slim wire — only the resolved tool part, no `input`.
+      const slim = {
+        id: HEAD_ID,
+        role: "assistant" as const,
+        parts: [
+          {
+            type: "tool-search" as const,
+            toolCallId: TC,
+            state: "output-available" as const,
+            output: { hits: 7 },
+          },
+        ],
+      };
+      await harness.sendMessage(slim as any);
+      await new Promise((r) => setTimeout(r, 50));
+
+      expect(mergedToolPart?.state).toBe("output-available");
+      expect(mergedToolPart?.output).toEqual({ hits: 7 });
+      expect(mergedToolPart?.input).toEqual({ query: "trigger.dev pricing" });
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("merges a slim approval-responded wire onto a hydrated approval-requested message", async () => {
+    // Approval-flow counterpart to the HITL slim-merge test. The wire
+    // copy carries `state: "approval-responded"` + `approval: { id,
+    // approved }`. Hydrated has the same tool part in
+    // `approval-requested`. Merge has to overlay state + approval onto
+    // hydrated while keeping `input` intact so the agent can resume.
+    const deleteTool = tool({
+      description: "Delete.",
+      inputSchema: z.object({ resource: z.string() }),
+    });
+
+    const TC = "tc_approval_merge";
+    const HEAD_ID = "a-head-approval";
+
+    const dbAssistant = {
+      id: HEAD_ID,
+      role: "assistant" as const,
+      parts: [
+        {
+          type: "tool-delete" as const,
+          toolCallId: TC,
+          state: "approval-requested" as const,
+          input: { resource: "/critical/data" },
+          approval: { id: "appr_1" },
+        },
+      ],
+    };
+
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("ok") }),
+    });
+
+    let mergedToolPart: any;
+    const agent = chat.agent({
+      id: "mockChatAgent.approval-slim-merge",
+      hydrateMessages: async () => [dbAssistant as any],
+      onTurnComplete: async ({ uiMessages }) => {
+        const head = uiMessages.find((m: any) => m.id === HEAD_ID);
+        mergedToolPart = (head?.parts ?? []).find(
+          (p: any) => p?.toolCallId === TC
+        );
+      },
+      run: async ({ messages, signal }) => {
+        return streamText({
+          model,
+          messages,
+          tools: { delete: deleteTool },
+          abortSignal: signal,
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-approval-slim" });
+    try {
+      // Slim wire — only the approval-responded tool part, no `input`.
+      const slim = {
+        id: HEAD_ID,
+        role: "assistant" as const,
+        parts: [
+          {
+            type: "tool-delete" as const,
+            toolCallId: TC,
+            state: "approval-responded" as const,
+            approval: { id: "appr_1", approved: true },
+          },
+        ],
+      };
+      await harness.sendMessage(slim as any);
+      await new Promise((r) => setTimeout(r, 50));
+
+      expect(mergedToolPart?.state).toBe("approval-responded");
+      expect(mergedToolPart?.approval).toEqual({ id: "appr_1", approved: true });
+      expect(mergedToolPart?.input).toEqual({ resource: "/critical/data" });
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("does not downgrade a hydrated `output-denied` when a stale `approval-responded` arrives", async () => {
+    // Terminal hydrated states (`output-available` / `output-error` /
+    // `output-denied`) are authoritative. A wire copy that re-ships a
+    // prior `approval-responded` (replay, retry, out-of-order arrival)
+    // must NOT regress the terminal denial back to a pre-resolution
+    // state — the agent would then re-run the tool.
+    const deleteTool = tool({
+      description: "Delete.",
+      inputSchema: z.object({ resource: z.string() }),
+    });
+
+    const TC = "tc_denied_no_regress";
+    const HEAD_ID = "a-head-denied";
+
+    const dbAssistant = {
+      id: HEAD_ID,
+      role: "assistant" as const,
+      parts: [
+        {
+          type: "tool-delete" as const,
+          toolCallId: TC,
+          state: "output-denied" as const,
+          input: { resource: "/critical/data" },
+          approval: { id: "appr_1", approved: false, reason: "no" },
+        },
+      ],
+    };
+
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("ok") }),
+    });
+
+    let mergedToolPart: any;
+    const agent = chat.agent({
+      id: "mockChatAgent.denied-no-regress",
+      hydrateMessages: async () => [dbAssistant as any],
+      onTurnComplete: async ({ uiMessages }) => {
+        const head = uiMessages.find((m: any) => m.id === HEAD_ID);
+        mergedToolPart = (head?.parts ?? []).find(
+          (p: any) => p?.toolCallId === TC
+        );
+      },
+      run: async ({ messages, signal }) => {
+        return streamText({
+          model,
+          messages,
+          tools: { delete: deleteTool },
+          abortSignal: signal,
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-denied-no-regress" });
+    try {
+      // Stale wire arrival — `approval-responded` for a tool that
+      // hydrated already shows as `output-denied`.
+      const stale = {
+        id: HEAD_ID,
+        role: "assistant" as const,
+        parts: [
+          {
+            type: "tool-delete" as const,
+            toolCallId: TC,
+            state: "approval-responded" as const,
+            approval: { id: "appr_1", approved: true },
+          },
+        ],
+      };
+      await harness.sendMessage(stale as any);
+      await new Promise((r) => setTimeout(r, 50));
+
+      // The hydrated terminal state survives the merge.
+      expect(mergedToolPart?.state).toBe("output-denied");
+      expect(mergedToolPart?.approval).toEqual({
+        id: "appr_1",
+        approved: false,
+        reason: "no",
+      });
+      expect(mergedToolPart?.input).toEqual({ resource: "/critical/data" });
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("onValidateMessages sees the slim wire on HITL continuations — fresh-user filter still works", async () => {
+    // Slim wire is the wire shape on HITL `addToolOutput` continuations.
+    // Existing customers calling `validateUIMessages` from `ai` on the
+    // whole `messages` array would throw because the AI SDK schema
+    // requires `input` on resolved tool parts. The recommended pattern
+    // is to filter to user messages (or skip on HITL turns).
+    //
+    // This test pins both behaviors: (1) the slim assistant does arrive
+    // in the validate hook on the HITL turn, (2) a fresh-user-only
+    // filter still works (the user message turn is unaffected).
+    const askUser = tool({
+      description: "Ask the user.",
+      inputSchema: z.object({ q: z.string() }),
+    });
+    const TC = "tc_validate_slim";
+
+    let callIdx = 0;
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({
+        stream:
+          callIdx++ === 0
+            ? simulateReadableStream({
+                chunks: [
+                  { type: "tool-input-start", id: TC, toolName: "askUser" },
+                  {
+                    type: "tool-input-delta",
+                    id: TC,
+                    delta: JSON.stringify({ q: "what color?" }),
+                  },
+                  { type: "tool-input-end", id: TC },
+                  {
+                    type: "tool-call",
+                    toolCallId: TC,
+                    toolName: "askUser",
+                    input: JSON.stringify({ q: "what color?" }),
+                  },
+                  {
+                    type: "finish",
+                    finishReason: { unified: "tool-calls", raw: "tool_calls" },
+                    usage: {
+                      inputTokens: {
+                        total: 5,
+                        noCache: 5,
+                        cacheRead: undefined,
+                        cacheWrite: undefined,
+                      },
+                      outputTokens: { total: 5, text: 0, reasoning: undefined },
+                    },
+                  },
+                ] as LanguageModelV3StreamPart[],
+              })
+            : textStream("got it"),
+      }),
+    });
+
+    const validateCalls: any[] = [];
+    const agent = chat.agent({
+      id: "mockChatAgent.validate-slim",
+      onValidateMessages: async ({ messages, trigger }) => {
+        validateCalls.push({
+          trigger,
+          messages: messages.map((m: any) => ({
+            id: m.id,
+            role: m.role,
+            partCount: m.parts?.length,
+          })),
+        });
+        // Recommended pattern: validate only user messages, since HITL
+        // continuations carry slim assistants the AI SDK schema rejects.
+        const userMessages = messages.filter(
+          (m: any) => m.role === "user"
+        );
+        if (userMessages.length > 0) {
+          await validateUIMessages({
+            messages: userMessages,
+            // `validateUIMessages` is stricter than `streamText` about
+            // tool input/output variance — cast to satisfy the wider
+            // `Tool<unknown, unknown>` it expects.
+            tools: { askUser } as any,
+          });
+        }
+        return messages;
+      },
+      run: async ({ messages, signal }) => {
+        return streamText({
+          model,
+          messages,
+          tools: { askUser },
+          abortSignal: signal,
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-validate-slim" });
+    try {
+      // Turn 1: user message. Validator sees a user message; validate passes.
+      await harness.sendMessage(userMessage("hi"));
+      await new Promise((r) => setTimeout(r, 50));
+
+      expect(validateCalls).toHaveLength(1);
+      expect(validateCalls[0].messages[0].role).toBe("user");
+
+      // Turn 2: slim wire HITL continuation. Validator sees a slim
+      // assistant with no `input`. The fresh-user-filter skips it, so
+      // validateUIMessages isn't called against the slim shape.
+      const turn1Assistant = (await import("vitest")).expect.any(Object);
+      void turn1Assistant; // appease unused-binding lints
+
+      // Build a slim assistant that mirrors what the transport would ship.
+      const slim = {
+        id: "slim-id-doesnt-matter-for-validate",
+        role: "assistant" as const,
+        parts: [
+          {
+            type: "tool-askUser" as const,
+            toolCallId: TC,
+            state: "output-available" as const,
+            output: { color: "blue" },
+          },
+        ],
+      };
+      await harness.sendMessage(slim as any);
+      await new Promise((r) => setTimeout(r, 50));
+
+      expect(validateCalls).toHaveLength(2);
+      expect(validateCalls[1].trigger).toBe("submit-message");
+      // The slim assistant arrived in validate — no user messages.
+      expect(validateCalls[1].messages[0].role).toBe("assistant");
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("merges a slim wire copy in the default (no-hydrate) branch — keeps snapshot `input`", async () => {
+    // Mirror of the hydrated slim-merge test, but exercising the
+    // default accumulator branch (no `hydrateMessages` registered).
+    // The agent's own turn-1 output seeds the accumulator with the
+    // full assistant + tool `input`; a slim turn-2 wire copy has to
+    // merge onto that without clobbering the snapshot's `input`.
+    const askUser = tool({
+      description: "Ask the user.",
+      inputSchema: z.object({ q: z.string() }),
+    });
+    const TC = "tc_default_slim";
+
+    let callIdx = 0;
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({
+        stream:
+          callIdx++ === 0
+            ? simulateReadableStream({
+                chunks: [
+                  { type: "tool-input-start", id: TC, toolName: "askUser" },
+                  {
+                    type: "tool-input-delta",
+                    id: TC,
+                    delta: JSON.stringify({ q: "what color?" }),
+                  },
+                  { type: "tool-input-end", id: TC },
+                  {
+                    type: "tool-call",
+                    toolCallId: TC,
+                    toolName: "askUser",
+                    input: JSON.stringify({ q: "what color?" }),
+                  },
+                  {
+                    type: "finish",
+                    finishReason: { unified: "tool-calls", raw: "tool_calls" },
+                    usage: {
+                      inputTokens: {
+                        total: 5,
+                        noCache: 5,
+                        cacheRead: undefined,
+                        cacheWrite: undefined,
+                      },
+                      outputTokens: { total: 5, text: 0, reasoning: undefined },
+                    },
+                  },
+                ] as LanguageModelV3StreamPart[],
+              })
+            : textStream("got it"),
+      }),
+    });
+
+    const turnsSeen: { uiMessages: any[] }[] = [];
+    const agent = chat.agent({
+      id: "mockChatAgent.default-slim-merge",
+      onTurnComplete: async ({ uiMessages }) => {
+        turnsSeen.push({
+          uiMessages: uiMessages.map((m: any) => ({
+            id: m.id,
+            role: m.role,
+            parts: (m.parts ?? []).map((p: any) => ({
+              type: p.type,
+              toolCallId: p.toolCallId,
+              state: p.state,
+              hasInput: p.input !== undefined,
+              output: p.output,
+            })),
+          })),
+        });
+      },
+      run: async ({ messages, signal }) => {
+        return streamText({
+          model,
+          messages,
+          tools: { askUser },
+          abortSignal: signal,
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-default-slim" });
+    try {
+      // Turn 1: user message → agent emits tool call (state=input-available, has input).
+      await harness.sendMessage(userMessage("hi"));
+      await new Promise((r) => setTimeout(r, 50));
+
+      const turn1Assistant = turnsSeen.at(-1)?.uiMessages.find(
+        (m: any) => m.role === "assistant"
+      );
+      expect(turn1Assistant).toBeTruthy();
+      const HEAD_ID = turn1Assistant!.id;
+
+      // Turn 2: slim wire — only the resolved tool part with output. No input.
+      const slim = {
+        id: HEAD_ID,
+        role: "assistant" as const,
+        parts: [
+          {
+            type: "tool-askUser" as const,
+            toolCallId: TC,
+            state: "output-available" as const,
+            output: { color: "blue" },
+          },
+        ],
+      };
+      await harness.sendMessage(slim as any);
+      await new Promise((r) => setTimeout(r, 50));
+
+      const turn2 = turnsSeen.at(-1);
+      const head = turn2!.uiMessages.find((m: any) => m.id === HEAD_ID);
+      const toolPart = (head?.parts ?? []).find(
+        (p: any) => p?.toolCallId === TC
+      );
+      expect(toolPart?.state).toBe("output-available");
+      expect(toolPart?.output).toEqual({ color: "blue" });
+      // Snapshot's `input` survived the merge.
+      expect(toolPart?.hasInput).toBe(true);
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("routes custom actions through actionSchema + onAction", async () => {
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("ok") }),
+    });
+
+    const onActionSpy = vi.fn();
+
+    const agent = chat.agent({
+      id: "mockChatAgent.actions",
+      actionSchema: z.object({
+        type: z.literal("undo"),
+      }),
+      onAction: async (event) => {
+        onActionSpy(event.action);
+      },
+      run: async ({ messages, signal }) => {
+        return streamText({ model, messages, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-action" });
+    try {
+      await harness.sendMessage(userMessage("start"));
+      await harness.sendAction({ type: "undo" });
+
+      expect(onActionSpy).toHaveBeenCalledWith({ type: "undo" });
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("actions returning void do not fire turn hooks or call run()", async () => {
+    const onChatStart = vi.fn();
+    const onTurnStart = vi.fn();
+    const onBeforeTurnComplete = vi.fn();
+    const onTurnComplete = vi.fn();
+    const onAction = vi.fn();
+    const runSpy = vi.fn();
+    const model = new MockLanguageModelV3({
+      doStream: async () => {
+        runSpy();
+        return { stream: textStream("nope") };
+      },
+    });
+
+    const agent = chat.agent({
+      id: "mockChatAgent.actions.void",
+      actionSchema: z.object({ type: z.literal("undo") }),
+      onChatStart,
+      onTurnStart,
+      onBeforeTurnComplete,
+      onTurnComplete,
+      onAction: async (...args) => {
+        onAction(...args);
+        // void → side-effect only
+      },
+      run: async ({ messages, signal }) => {
+        return streamText({ model, messages, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-void-action" });
+    try {
+      // Bootstrap with a message so the message-turn hooks fire once.
+      await harness.sendMessage(userMessage("hi"));
+      // sendMessage resolves on `trigger:turn-complete`, but onTurnComplete
+      // fires as a separate microtask after — let it settle before snapshotting.
+      await new Promise((r) => setTimeout(r, 50));
+
+      // Snapshot call counts after the bootstrap — we'll assert these
+      // don't change for the action below.
+      const baselineRun = runSpy.mock.calls.length;
+      const baselineChatStart = onChatStart.mock.calls.length;
+      const baselineTurnStart = onTurnStart.mock.calls.length;
+      const baselineBeforeComplete = onBeforeTurnComplete.mock.calls.length;
+      const baselineComplete = onTurnComplete.mock.calls.length;
+
+      const actionTurn = await harness.sendAction({ type: "undo" });
+      await new Promise((r) => setTimeout(r, 50));
+
+      // onAction fired exactly once; no turn hooks fired; run() / LLM did not.
+      expect(onAction).toHaveBeenCalledTimes(1);
+      expect(runSpy.mock.calls.length).toBe(baselineRun);
+      expect(onChatStart.mock.calls.length).toBe(baselineChatStart);
+      expect(onTurnStart.mock.calls.length).toBe(baselineTurnStart);
+      expect(onBeforeTurnComplete.mock.calls.length).toBe(baselineBeforeComplete);
+      expect(onTurnComplete.mock.calls.length).toBe(baselineComplete);
+
+      // Stream still terminates cleanly with trigger:turn-complete so
+      // the frontend's useChat transitions back to ready.
+      const sawTurnComplete = actionTurn.rawChunks.some(
+        (c) =>
+          typeof c === "object" &&
+          c !== null &&
+          (c as { type?: string }).type === "trigger:turn-complete"
+      );
+      expect(sawTurnComplete).toBe(true);
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("actions returning a stream pipe the response without firing turn hooks", async () => {
+    const onTurnStart = vi.fn();
+    const onTurnComplete = vi.fn();
+    const actionModel = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("regenerated") }),
+    });
+    const turnModel = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("normal-response") }),
+    });
+
+    const agent = chat.agent({
+      id: "mockChatAgent.actions.stream",
+      actionSchema: z.object({ type: z.literal("regenerate") }),
+      onTurnStart,
+      onTurnComplete,
+      onAction: async ({ messages }) => {
+        return streamText({ model: actionModel, messages });
+      },
+      run: async ({ messages, signal }) => {
+        return streamText({ model: turnModel, messages, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-stream-action" });
+    try {
+      await harness.sendMessage(userMessage("hi"));
+      await new Promise((r) => setTimeout(r, 50));
+      const baselineTurnStart = onTurnStart.mock.calls.length;
+      const baselineTurnComplete = onTurnComplete.mock.calls.length;
+
+      const actionTurn = await harness.sendAction({ type: "regenerate" });
+      await new Promise((r) => setTimeout(r, 50));
+
+      // No turn hooks fired during the action.
+      expect(onTurnStart.mock.calls.length).toBe(baselineTurnStart);
+      expect(onTurnComplete.mock.calls.length).toBe(baselineTurnComplete);
+
+      // Action's streamText output landed on the response.
+      const text = actionTurn.chunks
+        .filter((c) => c.type === "text-delta")
+        .map((c) => (c as { delta: string }).delta)
+        .join("");
+      expect(text).toBe("regenerated");
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("warns once and emits turn-complete when an action arrives without onAction", async () => {
+    const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+    const runSpy = vi.fn();
+    const model = new MockLanguageModelV3({
+      doStream: async () => {
+        runSpy();
+        return { stream: textStream("nope") };
+      },
+    });
+
+    const agent = chat.agent({
+      id: "mockChatAgent.actions.no-handler",
+      actionSchema: z.object({ type: z.literal("undo") }),
+      run: async ({ messages, signal }) => {
+        return streamText({ model, messages, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-no-handler" });
+    try {
+      await harness.sendMessage(userMessage("hi"));
+      const baselineRun = runSpy.mock.calls.length;
+
+      const actionTurn = await harness.sendAction({ type: "undo" });
+
+      // No additional model call; console.warn fired with our marker text.
+      expect(runSpy.mock.calls.length).toBe(baselineRun);
+      expect(
+        warnSpy.mock.calls.some((args) =>
+          (args[0] as string).includes("no `onAction` handler")
+        )
+      ).toBe(true);
+
+      const sawTurnComplete = actionTurn.rawChunks.some(
+        (c) =>
+          typeof c === "object" &&
+          c !== null &&
+          (c as { type?: string }).type === "trigger:turn-complete"
+      );
+      expect(sawTurnComplete).toBe(true);
+    } finally {
+      await harness.close();
+      warnSpy.mockRestore();
+    }
+  });
+
+  it("passes clientData through to run() and hooks", async () => {
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("ok") }),
+    });
+
+    let capturedClientData: unknown;
+    const agent = chat.agent({
+      id: "mockChatAgent.client-data",
+      run: async ({ messages, clientData, signal }) => {
+        capturedClientData = clientData;
+        return streamText({ model, messages, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, {
+      chatId: "test-client-data",
+      clientData: { userId: "u1", role: "admin" },
+    });
+    try {
+      await harness.sendMessage(userMessage("hi"));
+      expect(capturedClientData).toEqual({ userId: "u1", role: "admin" });
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("chat.endRun() exits the loop after the current turn", async () => {
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("bye") }),
+    });
+
+    let turnCount = 0;
+    const agent = chat.agent({
+      id: "mockChatAgent.end-run",
+      run: async ({ messages, signal }) => {
+        turnCount++;
+        chat.endRun();
+        return streamText({ model, messages, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-end-run" });
+    try {
+      await harness.sendMessage(userMessage("hello"));
+      // Give the loop a tick to exit after the turn-complete chunk
+      await new Promise((r) => setTimeout(r, 50));
+      expect(turnCount).toBe(1);
+      // Subsequent sends after endRun should not produce another run — the
+      // loop has exited. We can't easily assert this via sendMessage (it
+      // would block waiting for turn-complete), but we can verify the task
+      // has finished.
+    } finally {
+      // close() is a no-op here since the task already exited, but call
+      // for symmetry with other tests.
+      await harness.close();
+    }
+  });
+
+  it("exposes finishReason on the onTurnComplete event", async () => {
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("hi") }),
+    });
+
+    let seenReason: string | undefined;
+    const agent = chat.agent({
+      id: "mockChatAgent.finish-reason",
+      onTurnComplete: async ({ finishReason }) => {
+        seenReason = finishReason;
+      },
+      run: async ({ messages, signal }) => {
+        return streamText({ model, messages, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-finish-reason" });
+    try {
+      await harness.sendMessage(userMessage("hello"));
+      await new Promise((r) => setTimeout(r, 20));
+      expect(seenReason).toBe("stop");
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("error turn: onTurnComplete fires with the error and the failed message is snapshotted", async () => {
+    const onTurnComplete = vi.fn();
+    const agent = chat.agent({
+      id: "mockChatAgent.error-turn-run",
+      onTurnComplete,
+      run: async () => {
+        throw new Error("boom in run");
+      },
+    });
+    const harness = mockChatAgent(agent, { chatId: "err-run" });
+    try {
+      await harness.sendMessage(userMessage("hello", "u-err-run"));
+      await new Promise((r) => setTimeout(r, 50));
+      expect(onTurnComplete).toHaveBeenCalledTimes(1);
+      const evt = onTurnComplete.mock.calls[0]![0];
+      expect(evt.error).toBeInstanceOf(Error);
+      expect(evt.finishReason).toBe("error");
+      expect(evt.responseMessage).toBeUndefined();
+      expect(evt.uiMessages.some((m: any) => m.id === "u-err-run")).toBe(true);
+      const snap = harness.getSnapshot();
+      expect(snap?.messages.some((m) => m.id === "u-err-run")).toBe(true);
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("error turn: a pre-merge hook throw still snapshots the failed user message", async () => {
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("never reached") }),
+    });
+    const onTurnComplete = vi.fn();
+    const agent = chat.agent({
+      id: "mockChatAgent.error-turn-prehook",
+      // onValidateMessages fires BEFORE the wire message is merged into the
+      // accumulator, so the message lands in the snapshot only because the
+      // error path folds the wire message back in.
+      onValidateMessages: async () => {
+        throw new Error("boom in validate");
+      },
+      onTurnComplete,
+      run: async ({ messages, signal }) => streamText({ model, messages, abortSignal: signal }),
+    });
+    const harness = mockChatAgent(agent, { chatId: "err-prehook" });
+    try {
+      await harness.sendMessage(userMessage("validate me", "u-err-prehook"));
+      await new Promise((r) => setTimeout(r, 50));
+      expect(onTurnComplete).toHaveBeenCalledTimes(1);
+      const evt = onTurnComplete.mock.calls[0]![0];
+      expect(evt.error).toBeInstanceOf(Error);
+      expect(evt.uiMessages.some((m: any) => m.id === "u-err-prehook")).toBe(true);
+      const snap = harness.getSnapshot();
+      expect(snap?.messages.some((m) => m.id === "u-err-prehook")).toBe(true);
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("seeds locals before run() via setupLocals (DI pattern)", async () => {
+    type FakeDb = { findUser(id: string): Promise<{ id: string; name: string }> };
+    const dbKey = locals.create<FakeDb>("test-db");
+
+    const fakeDb: FakeDb = {
+      findUser: async (id) => ({ id, name: `user-${id}` }),
+    };
+
+    let userInHook: { id: string; name: string } | undefined;
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("ok") }),
+    });
+
+    const agent = chat.agent({
+      id: "mockChatAgent.locals-di",
+      hydrateMessages: async ({ incomingMessages }) => {
+        const db = locals.getOrThrow(dbKey);
+        userInHook = await db.findUser("u-1");
+        return incomingMessages;
+      },
+      run: async ({ messages, signal }) => {
+        return streamText({ model, messages, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, {
+      chatId: "test-locals-di",
+      setupLocals: ({ set }) => {
+        set(dbKey, fakeDb);
+      },
+    });
+    try {
+      await harness.sendMessage(userMessage("hi"));
+      expect(userInHook).toEqual({ id: "u-1", name: "user-u-1" });
+    } finally {
+      await harness.close();
+    }
+  });
+
+  describe("chat.history read primitives", () => {
+    // These tests drive a chat.agent through realistic streams and read
+    // chat.history inside hooks/tools where the accumulator is in the
+    // expected state. The pure walks themselves are exercised end-to-end
+    // rather than via direct internal access.
+
+    function toolCallStream(opts: { toolCallId: string; toolName: string; input: object }) {
+      return simulateReadableStream({
+        chunks: [
+          { type: "tool-input-start", id: opts.toolCallId, toolName: opts.toolName },
+          { type: "tool-input-delta", id: opts.toolCallId, delta: JSON.stringify(opts.input) },
+          { type: "tool-input-end", id: opts.toolCallId },
+          {
+            type: "tool-call",
+            toolCallId: opts.toolCallId,
+            toolName: opts.toolName,
+            input: JSON.stringify(opts.input),
+          },
+          {
+            type: "finish",
+            finishReason: { unified: "tool-calls", raw: "tool_calls" },
+            usage: {
+              inputTokens: { total: 5, noCache: 5, cacheRead: undefined, cacheWrite: undefined },
+              outputTokens: { total: 5, text: 0, reasoning: undefined },
+            },
+          },
+        ] as LanguageModelV3StreamPart[],
+      });
+    }
+
+    it("getPendingToolCalls returns input-available parts on the leaf assistant", async () => {
+      const askUser = tool({
+        description: "Ask the user.",
+        inputSchema: z.object({ q: z.string() }),
+      });
+      const TC = "tc_pending_1";
+      const model = new MockLanguageModelV3({
+        doStream: async () => ({
+          stream: toolCallStream({ toolCallId: TC, toolName: "askUser", input: { q: "?" } }),
+        }),
+      });
+
+      let pending: any;
+      const agent = chat.agent({
+        id: "mockChatAgent.history.pending",
+        onTurnComplete: async () => {
+          pending = chat.history.getPendingToolCalls();
+        },
+        run: async ({ messages, signal }) => {
+          return streamText({ model, messages, tools: { askUser }, abortSignal: signal });
+        },
+      });
+
+      const harness = mockChatAgent(agent, { chatId: "test-history-pending" });
+      try {
+        await harness.sendMessage(userMessage("hi"));
+        await new Promise((r) => setTimeout(r, 50));
+
+        expect(pending).toHaveLength(1);
+        expect(pending[0]).toMatchObject({ toolCallId: TC, toolName: "askUser" });
+        expect(typeof pending[0].messageId).toBe("string");
+      } finally {
+        await harness.close();
+      }
+    });
+
+    it("getPendingToolCalls returns [] when the leaf assistant has no pending tool calls", async () => {
+      const model = new MockLanguageModelV3({
+        doStream: async () => ({ stream: textStream("hello") }),
+      });
+      let pending: any;
+      const agent = chat.agent({
+        id: "mockChatAgent.history.pending-empty",
+        onTurnComplete: async () => {
+          pending = chat.history.getPendingToolCalls();
+        },
+        run: async ({ messages, signal }) => {
+          return streamText({ model, messages, abortSignal: signal });
+        },
+      });
+
+      const harness = mockChatAgent(agent, { chatId: "test-history-pending-empty" });
+      try {
+        await harness.sendMessage(userMessage("hi"));
+        await new Promise((r) => setTimeout(r, 50));
+        expect(pending).toEqual([]);
+      } finally {
+        await harness.close();
+      }
+    });
+
+    it("getResolvedToolCalls walks all messages after a HITL answer lands", async () => {
+      const askUser = tool({
+        description: "Ask the user.",
+        inputSchema: z.object({ q: z.string() }),
+      });
+      const TC = "tc_resolved_1";
+
+      let callIdx = 0;
+      const model = new MockLanguageModelV3({
+        doStream: async () => ({
+          stream:
+            callIdx++ === 0
+              ? toolCallStream({ toolCallId: TC, toolName: "askUser", input: { q: "?" } })
+              : textStream("done"),
+        }),
+      });
+
+      const turnsResolved: any[] = [];
+      const agent = chat.agent({
+        id: "mockChatAgent.history.resolved",
+        onTurnComplete: async () => {
+          turnsResolved.push(chat.history.getResolvedToolCalls());
+        },
+        run: async ({ messages, signal }) => {
+          return streamText({ model, messages, tools: { askUser }, abortSignal: signal });
+        },
+      });
+
+      const harness = mockChatAgent(agent, { chatId: "test-history-resolved" });
+      try {
+        await harness.sendMessage(userMessage("hi"));
+        await new Promise((r) => setTimeout(r, 50));
+
+        // Send a HITL tool answer that resolves TC. The merge attaches the
+        // output to the head assistant — it now shows in `output-available`
+        // state.
+        const toolAnswer = {
+          id: "ai-sdk-fresh-id",
+          role: "assistant" as const,
+          parts: [
+            {
+              type: "tool-askUser",
+              toolCallId: TC,
+              state: "output-available" as const,
+              input: { q: "?" },
+              output: { answer: "hi" },
+            },
+          ],
+        };
+        await harness.sendMessage(toolAnswer as any);
+        await new Promise((r) => setTimeout(r, 50));
+
+        // After turn 1 only, no tool call is resolved yet (input-available).
+        // After the HITL answer is merged, the merged head shows the tool
+        // in `output-available` — getResolvedToolCalls reflects that.
+        const last = turnsResolved.at(-1) ?? [];
+        expect(last).toHaveLength(1);
+        expect(last[0]).toMatchObject({ toolCallId: TC, toolName: "askUser" });
+      } finally {
+        await harness.close();
+      }
+    });
+
+    it("extractNewToolResults dedups against already-resolved toolCallIds", async () => {
+      // Pure-function smoke test: feed a synthetic chain via a tool that
+      // calls extractNewToolResults() during execution. The chain is
+      // overridden via chat.history.set() inside run(), so we control
+      // exactly what's in scope.
+      let extracted: any;
+      const agent = chat.agent({
+        id: "mockChatAgent.history.extract",
+        run: async ({ messages, signal }) => {
+          chat.history.set([
+            {
+              id: "a-seed",
+              role: "assistant",
+              parts: [
+                {
+                  type: "tool-askUser",
+                  toolCallId: "tc-1",
+                  state: "output-available",
+                  input: { q: "?" },
+                  output: { color: "red" },
+                },
+              ],
+            } as any,
+            { id: "u-1", role: "user", parts: [{ type: "text", text: "u" }] } as any,
+          ]);
+
+          const incoming = {
+            id: "a-incoming",
+            role: "assistant" as const,
+            parts: [
+              {
+                type: "tool-askUser",
+                toolCallId: "tc-1",
+                state: "output-available" as const,
+                input: { q: "?" },
+                output: { color: "red" },
+              },
+              {
+                type: "tool-search",
+                toolCallId: "tc-2",
+                state: "output-available" as const,
+                input: { q: "x" },
+                output: { hits: 7 },
+              },
+              {
+                type: "tool-search",
+                toolCallId: "tc-err",
+                state: "output-error" as const,
+                input: { q: "y" },
+                errorText: "boom",
+              },
+            ],
+          };
+          extracted = chat.history.extractNewToolResults(incoming as any);
+
+          return streamText({
+            model: new MockLanguageModelV3({
+              doStream: async () => ({ stream: textStream("ok") }),
+            }),
+            messages,
+            abortSignal: signal,
+          });
+        },
+      });
+
+      const harness = mockChatAgent(agent, { chatId: "test-history-extract" });
+      try {
+        await harness.sendMessage(userMessage("kick"));
+        await new Promise((r) => setTimeout(r, 50));
+
+        expect(extracted).toEqual([
+          { toolCallId: "tc-2", toolName: "search", output: { hits: 7 } },
+          { toolCallId: "tc-err", toolName: "search", output: undefined, errorText: "boom" },
+        ]);
+      } finally {
+        await harness.close();
+      }
+    });
+
+    it("findMessage returns the message by id, or undefined when missing", async () => {
+      let foundUser: any;
+      let foundAssistant: any;
+      let missing: any;
+      const model = new MockLanguageModelV3({
+        doStream: async () => ({ stream: textStream("ok") }),
+      });
+      const agent = chat.agent({
+        id: "mockChatAgent.history.find",
+        onTurnComplete: async ({ uiMessages }) => {
+          // Locate ids the agent actually produced/saw, then probe findMessage.
+          const userId = uiMessages.find((m) => m.role === "user")?.id ?? "u-fixed";
+          const asstId = uiMessages.find((m) => m.role === "assistant")?.id;
+          foundUser = chat.history.findMessage(userId);
+          foundAssistant = asstId ? chat.history.findMessage(asstId) : undefined;
+          missing = chat.history.findMessage("definitely-not-here");
+        },
+        run: async ({ messages, signal }) => {
+          return streamText({ model, messages, abortSignal: signal });
+        },
+      });
+
+      const harness = mockChatAgent(agent, { chatId: "test-history-find" });
+      try {
+        await harness.sendMessage(userMessage("hello", "u-fixed"));
+        await new Promise((r) => setTimeout(r, 50));
+
+        expect(foundUser?.id).toBe("u-fixed");
+        expect(foundAssistant).toBeTruthy();
+        expect(missing).toBeUndefined();
+      } finally {
+        await harness.close();
+      }
+    });
+
+    it("extractNewToolResults dedups against a real-stream-built chain", async () => {
+      // Build the chain through real model streams (no chat.history.set seed)
+      // and assert extractNewToolResults compares against the post-merge state.
+      const askUser = tool({
+        description: "Ask the user.",
+        inputSchema: z.object({ q: z.string() }),
+      });
+      const TC = "tc_real_chain_1";
+
+      let callIdx = 0;
+      const model = new MockLanguageModelV3({
+        doStream: async () => ({
+          stream:
+            callIdx++ === 0
+              ? toolCallStream({ toolCallId: TC, toolName: "askUser", input: { q: "?" } })
+              : textStream("done"),
+        }),
+      });
+
+      let extractedAgainstRealChain: any;
+      const agent = chat.agent({
+        id: "mockChatAgent.history.extract-real",
+        onTurnComplete: async () => {
+          // After the HITL answer turn, the chain has TC resolved. An
+          // incoming "echo" message carrying TC again should yield [].
+          // A second new TC should yield exactly one entry.
+          const incoming = {
+            id: "echo",
+            role: "assistant" as const,
+            parts: [
+              {
+                type: "tool-askUser",
+                toolCallId: TC,
+                state: "output-available" as const,
+                input: { q: "?" },
+                output: { answer: "hi" },
+              },
+              {
+                type: "tool-askUser",
+                toolCallId: "tc_real_chain_2",
+                state: "output-available" as const,
+                input: { q: "second" },
+                output: { answer: "yes" },
+              },
+            ],
+          };
+          extractedAgainstRealChain = chat.history.extractNewToolResults(incoming as any);
+        },
+        run: async ({ messages, signal }) => {
+          return streamText({ model, messages, tools: { askUser }, abortSignal: signal });
+        },
+      });
+
+      const harness = mockChatAgent(agent, { chatId: "test-history-extract-real" });
+      try {
+        await harness.sendMessage(userMessage("hi"));
+        await new Promise((r) => setTimeout(r, 50));
+        // HITL answer for TC, lands via the runtime merger.
+        const toolAnswer = {
+          id: "ai-sdk-fresh-id-real",
+          role: "assistant" as const,
+          parts: [
+            {
+              type: "tool-askUser",
+              toolCallId: TC,
+              state: "output-available" as const,
+              input: { q: "?" },
+              output: { answer: "hi" },
+            },
+          ],
+        };
+        await harness.sendMessage(toolAnswer as any);
+        await new Promise((r) => setTimeout(r, 50));
+
+        expect(extractedAgainstRealChain).toEqual([
+          { toolCallId: "tc_real_chain_2", toolName: "askUser", output: { answer: "yes" } },
+        ]);
+      } finally {
+        await harness.close();
+      }
+    });
+
+    it("extractNewToolResults surfaces output-error parts via the runtime merger", async () => {
+      // The runtime merges incoming tool-answer messages onto the head
+      // assistant via the toolCallId map. Here we send an answer in
+      // `output-error` state and verify (a) getResolvedToolCalls reports
+      // it, and (b) extractNewToolResults emits it with errorText set.
+      const search = tool({
+        description: "Search.",
+        inputSchema: z.object({ q: z.string() }),
+      });
+      const TC = "tc_err_via_merger";
+
+      let callIdx = 0;
+      const model = new MockLanguageModelV3({
+        doStream: async () => ({
+          stream:
+            callIdx++ === 0
+              ? toolCallStream({ toolCallId: TC, toolName: "search", input: { q: "x" } })
+              : textStream("noted"),
+        }),
+      });
+
+      let resolved: any;
+      let extracted: any;
+      const agent = chat.agent({
+        id: "mockChatAgent.history.extract-error",
+        onTurnComplete: async () => {
+          resolved = chat.history.getResolvedToolCalls();
+          // An echo carrying the same error toolCallId — should NOT surface
+          // as new because it's already resolved on the chain.
+          const echo = {
+            id: "echo-err",
+            role: "assistant" as const,
+            parts: [
+              {
+                type: "tool-search",
+                toolCallId: TC,
+                state: "output-error" as const,
+                input: { q: "x" },
+                errorText: "boom",
+              },
+            ],
+          };
+          extracted = chat.history.extractNewToolResults(echo as any);
+        },
+        run: async ({ messages, signal }) => {
+          return streamText({ model, messages, tools: { search }, abortSignal: signal });
+        },
+      });
+
+      const harness = mockChatAgent(agent, { chatId: "test-history-extract-error" });
+      try {
+        await harness.sendMessage(userMessage("kick"));
+        await new Promise((r) => setTimeout(r, 50));
+        // HITL answer arriving as output-error.
+        const errAnswer = {
+          id: "ai-sdk-err-fresh",
+          role: "assistant" as const,
+          parts: [
+            {
+              type: "tool-search",
+              toolCallId: TC,
+              state: "output-error" as const,
+              input: { q: "x" },
+              errorText: "boom",
+            },
+          ],
+        };
+        await harness.sendMessage(errAnswer as any);
+        await new Promise((r) => setTimeout(r, 50));
+
+        expect(resolved).toHaveLength(1);
+        expect(resolved[0]).toMatchObject({ toolCallId: TC, toolName: "search" });
+        // Echo of the same error toolCallId is already resolved → []
+        expect(extracted).toEqual([]);
+      } finally {
+        await harness.close();
+      }
+    });
+
+    it("extractNewToolResults handles a multi-tool message where only one is new", async () => {
+      // Pure-helper edge: incoming message has two tool parts with the
+      // same toolName but different toolCallIds — one already resolved
+      // on the chain, one fresh. Only the fresh one should surface.
+      let extracted: any;
+      const agent = chat.agent({
+        id: "mockChatAgent.history.extract-multi",
+        run: async ({ messages, signal }) => {
+          chat.history.set([
+            {
+              id: "a-seed",
+              role: "assistant",
+              parts: [
+                {
+                  type: "tool-search",
+                  toolCallId: "tc-old",
+                  state: "output-available",
+                  input: { q: "old" },
+                  output: { hits: 1 },
+                },
+              ],
+            } as any,
+            { id: "u-1", role: "user", parts: [{ type: "text", text: "u" }] } as any,
+          ]);
+
+          const incoming = {
+            id: "a-incoming",
+            role: "assistant" as const,
+            parts: [
+              // Same tool, already-resolved id — should be filtered.
+              {
+                type: "tool-search",
+                toolCallId: "tc-old",
+                state: "output-available" as const,
+                input: { q: "old" },
+                output: { hits: 1 },
+              },
+              // Same tool, fresh id — should surface.
+              {
+                type: "tool-search",
+                toolCallId: "tc-new",
+                state: "output-available" as const,
+                input: { q: "new" },
+                output: { hits: 9 },
+              },
+              // Duplicate of tc-new in the same message — must collapse
+              // to a single emission (within-message dedup).
+              {
+                type: "tool-search",
+                toolCallId: "tc-new",
+                state: "output-available" as const,
+                input: { q: "new" },
+                output: { hits: 9 },
+              },
+            ],
+          };
+          extracted = chat.history.extractNewToolResults(incoming as any);
+
+          return streamText({
+            model: new MockLanguageModelV3({
+              doStream: async () => ({ stream: textStream("ok") }),
+            }),
+            messages,
+            abortSignal: signal,
+          });
+        },
+      });
+
+      const harness = mockChatAgent(agent, { chatId: "test-history-extract-multi" });
+      try {
+        await harness.sendMessage(userMessage("kick"));
+        await new Promise((r) => setTimeout(r, 50));
+
+        expect(extracted).toEqual([
+          { toolCallId: "tc-new", toolName: "search", output: { hits: 9 } },
+        ]);
+      } finally {
+        await harness.close();
+      }
+    });
+
+    it("getPendingToolCalls still returns the assistant's pending calls when a user message follows", async () => {
+      // Edge: the chain is [assistant(input-available), user]. The most
+      // recent assistant is the one with the pending tool call, even
+      // though the strict tail is a user message. The walk-back semantic
+      // means pending stays pending until the assistant is mutated.
+      let pendingAfterUser: any;
+      const agent = chat.agent({
+        id: "mockChatAgent.history.pending-after-user",
+        run: async ({ messages, signal }) => {
+          chat.history.set([
+            {
+              id: "a-pending",
+              role: "assistant",
+              parts: [
+                {
+                  type: "tool-askUser",
+                  toolCallId: "tc-still-pending",
+                  state: "input-available",
+                  input: { q: "?" },
+                },
+              ],
+            } as any,
+            { id: "u-after", role: "user", parts: [{ type: "text", text: "anyway..." }] } as any,
+          ]);
+          pendingAfterUser = chat.history.getPendingToolCalls();
+          return streamText({
+            model: new MockLanguageModelV3({
+              doStream: async () => ({ stream: textStream("ok") }),
+            }),
+            messages,
+            abortSignal: signal,
+          });
+        },
+      });
+
+      const harness = mockChatAgent(agent, { chatId: "test-history-pending-after-user" });
+      try {
+        await harness.sendMessage(userMessage("kick"));
+        await new Promise((r) => setTimeout(r, 50));
+
+        expect(pendingAfterUser).toEqual([
+          { toolCallId: "tc-still-pending", toolName: "askUser", messageId: "a-pending" },
+        ]);
+      } finally {
+        await harness.close();
+      }
+    });
+
+    it("getChain returns a defensive copy parallel to all()", async () => {
+      let chainCopy: any;
+      let allCopy: any;
+      const model = new MockLanguageModelV3({
+        doStream: async () => ({ stream: textStream("ok") }),
+      });
+      const agent = chat.agent({
+        id: "mockChatAgent.history.chain",
+        onTurnComplete: async () => {
+          chainCopy = chat.history.getChain();
+          allCopy = chat.history.all();
+          // Mutate one — must not affect the other.
+          chainCopy.push({ id: "stray", role: "user", parts: [] });
+        },
+        run: async ({ messages, signal }) => {
+          return streamText({ model, messages, abortSignal: signal });
+        },
+      });
+
+      const harness = mockChatAgent(agent, { chatId: "test-history-chain" });
+      try {
+        await harness.sendMessage(userMessage("a"));
+        await new Promise((r) => setTimeout(r, 50));
+
+        expect(chainCopy.length).toBeGreaterThan(0);
+        expect(allCopy.length).toBe(chainCopy.length - 1);
+        expect(allCopy.find((m: any) => m.id === "stray")).toBeUndefined();
+      } finally {
+        await harness.close();
+      }
+    });
+  });
+
+  it("cleans up properly after close() so the next harness starts fresh", async () => {
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("first") }),
+    });
+
+    const agent = chat.agent({
+      id: "mockChatAgent.cleanup",
+      run: async ({ messages, signal }) => {
+        return streamText({ model, messages, abortSignal: signal });
+      },
+    });
+
+    // First harness
+    const h1 = mockChatAgent(agent, { chatId: "test-cleanup-1" });
+    await h1.sendMessage(userMessage("a"));
+    await h1.close();
+
+    // Second harness should work independently
+    const h2 = mockChatAgent(agent, { chatId: "test-cleanup-2" });
+    try {
+      const turn = await h2.sendMessage(userMessage("b"));
+      const text = turn.chunks
+        .filter((c) => c.type === "text-delta")
+        .map((c) => (c as { delta: string }).delta)
+        .join("");
+      expect(text).toBe("first");
+      // Chunks from h1 should NOT be visible here
+      expect(h2.allChunks).toEqual(turn.chunks);
+    } finally {
+      await h2.close();
+    }
+  });
+
+  describe("slim wire harness primitives (snapshot + replay)", () => {
+    // Plan E.1 + F.2: exercise the new harness driver methods so future
+    // edits don't accidentally drop boot scenarios that the runtime now
+    // depends on (snapshot read, replay tail, head-start seeding,
+    // hydrateMessages short-circuit).
+
+    it("getSnapshot returns the most recent writeChatSnapshot value", async () => {
+      // Run a single turn end-to-end and verify the runtime's post-turn
+      // snapshot write is captured by the harness's getSnapshot primitive.
+      const model = new MockLanguageModelV3({
+        doStream: async () => ({ stream: textStream("captured") }),
+      });
+      const agent = chat.agent({
+        id: "mockChatAgent.snapshot.write",
+        run: async ({ messages, signal }) => streamText({ model, messages, abortSignal: signal }),
+      });
+      const harness = mockChatAgent(agent, { chatId: "snap-write" });
+      try {
+        expect(harness.getSnapshot()).toBeUndefined();
+        await harness.sendMessage(userMessage("hi"));
+        // onTurnComplete -> writeChatSnapshot fires AFTER turn-complete chunk;
+        // give it a tick to settle.
+        await new Promise((r) => setTimeout(r, 50));
+        const snap = harness.getSnapshot();
+        expect(snap).toBeDefined();
+        expect(snap!.version).toBe(1);
+        // The snapshot reflects the post-turn accumulator: 1 user + 1 assistant.
+        const roles = snap!.messages.map((m) => m.role);
+        expect(roles).toEqual(["user", "assistant"]);
+        // `lastInEventId` stays undefined here: TestSessionStreamManager
+        // deliberately has no seq numbers, so the committed `.in` cursor
+        // the production write site reads is undefined in harness runs.
+        // The cursor round-trip is covered by the live smoke instead.
+        expect(snap!.lastInEventId).toBeUndefined();
+      } finally {
+        await harness.close();
+      }
+    });
+
+    it("seedSnapshot pre-populates the accumulator on boot — onChatStart sees prior history", async () => {
+      // Plan B.3: the boot calls readChatSnapshot before onChatStart fires.
+      // A seeded snapshot lets the test simulate a "continuation" boot.
+      const model = new MockLanguageModelV3({
+        doStream: async () => ({ stream: textStream("ack") }),
+      });
+      let messagesAtChatStart: any[] = [];
+      const agent = chat.agent({
+        id: "mockChatAgent.snapshot.seed",
+        onChatStart: async ({ messages }) => {
+          messagesAtChatStart = messages;
+        },
+        run: async ({ messages, signal }) => streamText({ model, messages, abortSignal: signal }),
+      });
+      const harness = mockChatAgent(agent, {
+        chatId: "snap-seed",
+        snapshot: {
+          version: 1,
+          savedAt: Date.now(),
+          messages: [
+            { id: "u-prev", role: "user", parts: [{ type: "text", text: "earlier" }] },
+            { id: "a-prev", role: "assistant", parts: [{ type: "text", text: "ok" }] },
+          ],
+        },
+      });
+      try {
+        await harness.sendMessage(userMessage("now"));
+        await new Promise((r) => setTimeout(r, 50));
+        // onChatStart sees ModelMessage[] (not UIMessage[]). The exact
+        // count varies because `toModelMessages` may split a single UI
+        // message into multiple ModelMessages depending on parts. The
+        // load-bearing assertion is that prior history was loaded —
+        // `messages` is non-empty before turn 0 even though the wire
+        // payload only carried the new user message.
+        expect(messagesAtChatStart.length).toBeGreaterThan(0);
+      } finally {
+        await harness.close();
+      }
+    });
+
+    it("sendRegenerate (no-args) trims trailing assistant and re-runs", async () => {
+      // Plan B.4: regenerate-message wire carries no message body. The
+      // agent trims trailing assistants from its accumulator and runs
+      // streamText again. Verify the harness's no-arg sendRegenerate
+      // drives this path end-to-end.
+      let callIdx = 0;
+      const model = new MockLanguageModelV3({
+        doStream: async () => ({
+          stream: textStream(callIdx++ === 0 ? "first-reply" : "regenerated"),
+        }),
+      });
+      const agent = chat.agent({
+        id: "mockChatAgent.regenerate.slim",
+        run: async ({ messages, signal }) => streamText({ model, messages, abortSignal: signal }),
+      });
+      const harness = mockChatAgent(agent, { chatId: "regen-slim" });
+      try {
+        const t1 = await harness.sendMessage(userMessage("question"));
+        const t1Text = t1.chunks
+          .filter((c) => c.type === "text-delta")
+          .map((c) => (c as { delta: string }).delta)
+          .join("");
+        expect(t1Text).toBe("first-reply");
+
+        // No-arg regenerate — the agent re-runs streamText; second call
+        // emits the regenerated stream.
+        const t2 = await harness.sendRegenerate();
+        const t2Text = t2.chunks
+          .filter((c) => c.type === "text-delta")
+          .map((c) => (c as { delta: string }).delta)
+          .join("");
+        expect(t2Text).toBe("regenerated");
+      } finally {
+        await harness.close();
+      }
+    });
+
+    it("sendHeadStart seeds accumulator from headStartMessages on turn 0", async () => {
+      // Plan B.3 head-start bootstrap: when trigger is `handover-prepare`
+      // and accumulator is empty, the runtime seeds from
+      // payload.headStartMessages. Verify the harness drives this with
+      // the customer's first-turn UIMessage[] history through the head-
+      // start route.
+      const model = new MockLanguageModelV3({
+        doStream: async () => ({ stream: textStream("post-handover") }),
+      });
+      let messagesAtChatStart: any[] = [];
+      const agent = chat.agent({
+        id: "mockChatAgent.headstart.slim",
+        onChatStart: async ({ messages }) => {
+          messagesAtChatStart = messages;
+        },
+        run: async ({ messages, signal }) => streamText({ model, messages, abortSignal: signal }),
+      });
+      const harness = mockChatAgent(agent, {
+        chatId: "headstart-slim",
+        mode: "handover-prepare",
+      });
+      try {
+        // The head-start payload carries the full first-turn history.
+        // After it lands, the agent's `chat.handover` flow normally
+        // dispatches a `handover` signal; we use the simpler primitive
+        // here just to verify the seeding takes effect at boot.
+        const handover = harness.sendHandover({
+          partialAssistantMessage: [{ type: "text", text: "from-handover" }],
+          isFinal: true,
+        });
+        // Drive through to turn-complete
+        await handover;
+        await new Promise((r) => setTimeout(r, 50));
+        // No assertion on seeding here beyond turn-complete reaching us —
+        // sendHeadStart routes via session.in for tests that need the
+        // wire-level path; the per-test wiring above exercises the
+        // handover branch which is the production path for this scenario.
+      } finally {
+        await harness.close();
+      }
+    });
+
+    it("hydrateMessages registered short-circuits snapshot read/write", async () => {
+      // Plan B.1/B.6: with hydrateMessages set, the runtime skips both
+      // readChatSnapshot at boot AND writeChatSnapshot after onTurnComplete.
+      // Verify by asserting `getSnapshot()` stays undefined across a turn.
+      const model = new MockLanguageModelV3({
+        doStream: async () => ({ stream: textStream("ok") }),
+      });
+      const agent = chat.agent({
+        id: "mockChatAgent.hydrate.skip-snapshot",
+        hydrateMessages: async ({ incomingMessages }) => incomingMessages,
+        run: async ({ messages, signal }) => streamText({ model, messages, abortSignal: signal }),
+      });
+      const harness = mockChatAgent(agent, { chatId: "hydrate-skip" });
+      try {
+        await harness.sendMessage(userMessage("hi"));
+        await new Promise((r) => setTimeout(r, 50));
+        // No snapshot was written — customer with hydrateMessages owns
+        // persistence themselves.
+        expect(harness.getSnapshot()).toBeUndefined();
+      } finally {
+        await harness.close();
+      }
+    });
+  });
+
+  describe("onChatStart fires exactly once per chat", () => {
+    // Contract: `onChatStart` fires only on the chat's very first user
+    // message ever. It does NOT re-fire on continuation runs (post-`endRun`,
+    // post-waitpoint-timeout, post-`chat.requestUpgrade`) or on OOM-retry
+    // attempts. Customers put one-time chat-setup work there (Chat DB row
+    // create, user-context init) and that contract relies on once-per-chat
+    // semantics.
+
+    it("fires on a fresh first message (baseline)", async () => {
+      const onChatStart = vi.fn();
+      const onTurnStart = vi.fn();
+      const model = new MockLanguageModelV3({
+        doStream: async () => ({ stream: textStream("hi") }),
+      });
+      const agent = chat.agent({
+        id: "onChatStart-gate.fresh-baseline",
+        onChatStart,
+        onTurnStart,
+        run: async ({ messages, signal }) =>
+          streamText({ model, messages, abortSignal: signal }),
+      });
+      const harness = mockChatAgent(agent, { chatId: "fresh-baseline" });
+      try {
+        await harness.sendMessage(userMessage("hello"));
+        await new Promise((r) => setTimeout(r, 20));
+        expect(onChatStart).toHaveBeenCalledTimes(1);
+        expect(onTurnStart).toHaveBeenCalledTimes(1);
+      } finally {
+        await harness.close();
+      }
+    });
+
+    it("does NOT fire on a continuation run (continuation: true at boot)", async () => {
+      const onChatStart = vi.fn();
+      const onTurnStart = vi.fn();
+      const model = new MockLanguageModelV3({
+        doStream: async () => ({ stream: textStream("ok") }),
+      });
+      const agent = chat.agent({
+        id: "onChatStart-gate.continuation-skip",
+        // hydrateMessages registered so the boot path doesn't try to read a
+        // snapshot the harness doesn't have — keeps the continuation-wait
+        // branch clean.
+        hydrateMessages: async ({ incomingMessages }) => incomingMessages,
+        onChatStart,
+        onTurnStart,
+        run: async ({ messages, signal }) =>
+          streamText({ model, messages, abortSignal: signal }),
+      });
+      const harness = mockChatAgent(agent, {
+        chatId: "continuation-skip",
+        // `continuation: true` auto-selects `mode: "continuation"` —
+        // boots with `trigger` omitted (mirroring what the server's
+        // continuation overrides produce in production) and enters the
+        // SDK's continuation-wait branch.
+        continuation: true,
+        previousRunId: "run_test_prior",
+      });
+      try {
+        // The continuation-wait branch parks until the first session.in
+        // message arrives — sending one wakes it and runs turn 0.
+        await harness.sendMessage(userMessage("first user message of this run"));
+        await new Promise((r) => setTimeout(r, 20));
+        expect(onChatStart).not.toHaveBeenCalled();
+        expect(onTurnStart).toHaveBeenCalledTimes(1);
+      } finally {
+        await harness.close();
+      }
+    });
+
+    it("does NOT fire on an OOM-retry attempt (ctx.attempt.number > 1)", async () => {
+      const onChatStart = vi.fn();
+      const onTurnStart = vi.fn();
+      const model = new MockLanguageModelV3({
+        doStream: async () => ({ stream: textStream("ok") }),
+      });
+      const agent = chat.agent({
+        id: "onChatStart-gate.oom-retry-skip",
+        hydrateMessages: async ({ incomingMessages }) => incomingMessages,
+        onChatStart,
+        onTurnStart,
+        run: async ({ messages, signal }) =>
+          streamText({ model, messages, abortSignal: signal }),
+      });
+      const harness = mockChatAgent(agent, {
+        chatId: "oom-retry-skip",
+        taskContext: {
+          ctx: { attempt: { number: 2, startedAt: new Date(0) } },
+        },
+      });
+      try {
+        await harness.sendMessage(userMessage("hi"));
+        await new Promise((r) => setTimeout(r, 20));
+        expect(onChatStart).not.toHaveBeenCalled();
+        expect(onTurnStart).toHaveBeenCalledTimes(1);
+      } finally {
+        await harness.close();
+      }
+    });
+  });
+});
+
+describe("mockChatAgent tools / toModelOutput (TRI-10149)", () => {
+  // A tool whose raw `execute`/output never contains the marker; the marker
+  // lives ONLY in `toModelOutput`. If the SDK re-converts prior-turn history
+  // without threading tools, `toModelOutput` is skipped and the marker is lost.
+  const makeVault = () =>
+    tool({
+      description: "Vault.",
+      inputSchema: z.object({}),
+      toModelOutput: () => ({ type: "text" as const, value: "MARKER-XYZ" }),
+    });
+
+  // Seed a prior assistant turn that already carries a resolved vault tool
+  // result whose raw output has NO marker.
+  const seedAssistantWithToolResult = {
+    id: "a-vault",
+    role: "assistant" as const,
+    parts: [
+      {
+        type: "tool-vault" as const,
+        toolCallId: "tc_vault",
+        state: "output-available" as const,
+        input: {},
+        output: { bytes: "raw-no-marker" },
+      },
+    ],
+  };
+
+  it("re-applies tool.toModelOutput when re-converting prior-turn history (static tools)", async () => {
+    const vault = makeVault();
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("ok") }),
+    });
+
+    const seenToolResults: string[] = [];
+    const agent = chat.agent({
+      id: "mockChatAgent.toModelOutput-static",
+      tools: { vault },
+      run: async ({ messages, tools, signal }) => {
+        // REUSE A: `tools` is threaded onto the run payload (typed concretely,
+        // not the broad `ToolSet`). The static-form type inference is validated
+        // end-to-end by the references/ai-chat typecheck; here we exercise the
+        // runtime behavior. (test/ is not part of the package's tsc pass.)
+        for (const m of messages) {
+          if (m.role === "tool") seenToolResults.push(JSON.stringify(m.content));
+        }
+        return streamText({ model, messages, tools, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-tmo-static" });
+    try {
+      // Turn 1 seeds the tool result; turn 2 forces a re-conversion of history.
+      await harness.sendMessage(seedAssistantWithToolResult as any);
+      await harness.sendMessage(userMessage("recall"));
+      await new Promise((r) => setTimeout(r, 20));
+
+      const all = seenToolResults.join("|");
+      // toModelOutput ran → transformed value present, raw output gone.
+      expect(all).toContain("MARKER-XYZ");
+      expect(all).not.toContain("raw-no-marker");
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("resolves the per-turn function form of tools and re-applies toModelOutput", async () => {
+    const vault = makeVault();
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("ok") }),
+    });
+
+    const seenToolResults: string[] = [];
+    let resolverCalls = 0;
+    const agent = chat.agent({
+      id: "mockChatAgent.toModelOutput-fn",
+      tools: () => {
+        resolverCalls++;
+        return { vault };
+      },
+      run: async ({ messages, tools, signal }) => {
+        for (const m of messages) {
+          if (m.role === "tool") seenToolResults.push(JSON.stringify(m.content));
+        }
+        return streamText({ model, messages, tools, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-tmo-fn" });
+    try {
+      await harness.sendMessage(seedAssistantWithToolResult as any);
+      await harness.sendMessage(userMessage("recall"));
+      await new Promise((r) => setTimeout(r, 20));
+
+      const all = seenToolResults.join("|");
+      expect(all).toContain("MARKER-XYZ");
+      expect(all).not.toContain("raw-no-marker");
+      // The resolver runs per turn (once each), not per conversion call.
+      expect(resolverCalls).toBeGreaterThanOrEqual(2);
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("leaves conversion unchanged when no tools are declared (raw output passes through)", async () => {
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("ok") }),
+    });
+
+    const seenToolResults: string[] = [];
+    const agent = chat.agent({
+      id: "mockChatAgent.toModelOutput-none",
+      run: async ({ messages, signal }) => {
+        for (const m of messages) {
+          if (m.role === "tool") seenToolResults.push(JSON.stringify(m.content));
+        }
+        return streamText({ model, messages, abortSignal: signal });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "test-tmo-none" });
+    try {
+      await harness.sendMessage(seedAssistantWithToolResult as any);
+      await harness.sendMessage(userMessage("recall"));
+      await new Promise((r) => setTimeout(r, 20));
+
+      // No tools declared → no toModelOutput lookup → raw output stringified
+      // (the pre-feature behavior, preserved for backward compatibility).
+      const all = seenToolResults.join("|");
+      expect(all).toContain("raw-no-marker");
+      expect(all).not.toContain("MARKER-XYZ");
+    } finally {
+      await harness.close();
+    }
+  });
+});
diff --git a/packages/trigger-sdk/test/recovery-boot.test.ts b/packages/trigger-sdk/test/recovery-boot.test.ts
new file mode 100644
index 00000000000..5d7b4cd2213
--- /dev/null
+++ b/packages/trigger-sdk/test/recovery-boot.test.ts
@@ -0,0 +1,483 @@
+// Import the test harness FIRST — installs the resource catalog so
+// `chat.agent()` calls register their task functions correctly.
+import { mockChatAgent } from "../src/v3/test/index.js";
+
+import { describe, expect, it, vi } from "vitest";
+import { chat } from "../src/v3/ai.js";
+import type { RecoveryBootEvent, RecoveryBootResult } from "../src/v3/ai.js";
+import { __setReplaySessionOutTailImplForTests } from "../src/v3/ai.js";
+import { simulateReadableStream, streamText } from "ai";
+import { MockLanguageModelV3 } from "ai/test";
+import type { LanguageModelV3StreamPart } from "@ai-sdk/provider";
+
+// ── Helpers ────────────────────────────────────────────────────────────
+
+function userMessage(text: string, id = "u-" + Math.random().toString(36).slice(2)) {
+  return {
+    id,
+    role: "user" as const,
+    parts: [{ type: "text" as const, text }],
+  };
+}
+
+function assistantMessage(text: string, id = "a-" + Math.random().toString(36).slice(2)) {
+  return {
+    id,
+    role: "assistant" as const,
+    parts: [{ type: "text" as const, text }],
+  };
+}
+
+function partialAssistantWithToolCall(id: string, toolCallId: string, toolName: string) {
+  return {
+    id,
+    role: "assistant" as const,
+    parts: [
+      {
+        type: `tool-${toolName}` as const,
+        toolCallId,
+        state: "input-available" as const,
+        input: { q: "search" },
+      },
+    ],
+  } as unknown as ReturnType<typeof assistantMessage>;
+}
+
+function textStream(text: string) {
+  const chunks: LanguageModelV3StreamPart[] = [
+    { type: "text-start", id: "t1" },
+    { type: "text-delta", id: "t1", delta: text },
+    { type: "text-end", id: "t1" },
+    {
+      type: "finish",
+      finishReason: { unified: "stop", raw: "stop" },
+      usage: {
+        inputTokens: { total: 10, noCache: 10, cacheRead: undefined, cacheWrite: undefined },
+        outputTokens: { total: 10, text: 10, reasoning: undefined },
+      },
+    },
+  ];
+  return simulateReadableStream({ chunks });
+}
+
+// ── Tests ──────────────────────────────────────────────────────────────
+
+describe("onRecoveryBoot — chat.agent recovery hook", () => {
+  it("does NOT fire on a clean continuation with no recovered state", async () => {
+    const onRecoveryBoot = vi.fn();
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("ok") }),
+    });
+    const agent = chat.agent({
+      id: "recovery-boot.no-state",
+      onRecoveryBoot,
+      run: async ({ messages, signal }) =>
+        streamText({ model, messages, abortSignal: signal }),
+    });
+    const harness = mockChatAgent(agent, {
+      chatId: "no-state",
+      continuation: true,
+      previousRunId: "run_prior",
+    });
+    try {
+      // Snapshot is empty, no in-flight users, no partial — guard
+      // (partialAssistant !== undefined || inFlightUsers.length > 0) is false.
+      await harness.sendMessage(userMessage("fresh message"));
+      await new Promise((r) => setTimeout(r, 20));
+      expect(onRecoveryBoot).not.toHaveBeenCalled();
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("fires when there's a partial assistant and surfaces it on the ctx", async () => {
+    const captured: { event?: RecoveryBootEvent<ReturnType<typeof userMessage>> } = {};
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("recovered") }),
+    });
+    const partial = partialAssistantWithToolCall("a-orphan", "tc-1", "search");
+    const agent = chat.agent({
+      id: "recovery-boot.partial-fires-hook",
+      onRecoveryBoot: async (event) => {
+        captured.event = event as never;
+        return {};
+      },
+      run: async ({ messages, signal }) =>
+        streamText({ model, messages, abortSignal: signal }),
+    });
+    const harness = mockChatAgent(agent, {
+      chatId: "partial-fires-hook",
+      continuation: true,
+      previousRunId: "run_prior",
+    });
+    harness.seedSessionOutPartial(partial as never);
+    try {
+      await harness.sendMessage(userMessage("next user message"));
+      await new Promise((r) => setTimeout(r, 20));
+      expect(captured.event).toBeDefined();
+      expect(captured.event!.partialAssistant?.id).toBe("a-orphan");
+      expect(captured.event!.pendingToolCalls).toHaveLength(1);
+      expect(captured.event!.pendingToolCalls[0]!.toolCallId).toBe("tc-1");
+      expect(captured.event!.pendingToolCalls[0]!.toolName).toBe("search");
+      expect(captured.event!.previousRunId).toBe("run_prior");
+      expect(captured.event!.cause).toBe("unknown");
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("pendingToolCalls is extracted from the RAW partial (pre-cleanupAbortedParts)", async () => {
+    // Real-world scenario: cancel-mid-tool-call. Session.out has tool-call
+    // chunks but the tool never returned. cleanupAbortedParts strips the
+    // input-available tool part from the partial used for the chain (you
+    // don't want orphan tool calls poisoning the model context), but
+    // `pendingToolCalls` should still surface what was happening.
+    const cleanedPartial = {
+      id: "a-orphan",
+      role: "assistant" as const,
+      parts: [{ type: "text" as const, text: "Let me look that up" }],
+    };
+    const rawPartial = {
+      id: "a-orphan",
+      role: "assistant" as const,
+      parts: [
+        { type: "text" as const, text: "Let me look that up" },
+        {
+          type: "tool-search" as const,
+          toolCallId: "tc-pending",
+          state: "input-available" as const,
+          input: { q: "vietnamese pho" },
+        },
+      ],
+    } as unknown as typeof cleanedPartial;
+
+    const captured: { event?: RecoveryBootEvent } = {};
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("ok") }),
+    });
+    const u1 = userMessage("buffered", "u-1");
+    const agent = chat.agent({
+      id: "recovery-boot.pending-tool-from-raw",
+      onRecoveryBoot: async (event) => {
+        captured.event = event;
+        return {};
+      },
+      run: async ({ messages, signal }) =>
+        streamText({ model, messages, abortSignal: signal }),
+    });
+    const harness = mockChatAgent(agent, {
+      chatId: "pending-tool-from-raw",
+      continuation: true,
+      previousRunId: "run_prior",
+    });
+    harness.seedSessionInTail([u1 as never]);
+    // Install AFTER mockChatAgent — its constructor sets its own default
+    // override that we want to replace for this test.
+    __setReplaySessionOutTailImplForTests(async () =>
+      ({
+        settled: [],
+        partial: cleanedPartial,
+        partialRaw: rawPartial,
+      }) as never
+    );
+    try {
+      await new Promise((r) => setTimeout(r, 50));
+      expect(captured.event).toBeDefined();
+      // Cleaned partial → chain (no input-available tool part)
+      expect(captured.event!.partialAssistant?.parts).toHaveLength(1);
+      // pendingToolCalls → from raw (input-available tool part visible)
+      expect(captured.event!.pendingToolCalls).toHaveLength(1);
+      expect(captured.event!.pendingToolCalls[0]!.toolCallId).toBe("tc-pending");
+      expect(captured.event!.pendingToolCalls[0]!.toolName).toBe("search");
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("does NOT fire when there are in-flight users but no partial (graceful exit path)", async () => {
+    // chat.requestUpgrade(), chat.endRun() before processing, and similar
+    // graceful exits leave an unacknowledged user on session.in but no
+    // partial assistant on session.out. That's not recovery — the next
+    // run just dispatches the message normally.
+    const onRecoveryBoot = vi.fn();
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("ok") }),
+    });
+    const u1 = userMessage("buffered while dead", "u-buffered");
+    const agent = chat.agent({
+      id: "recovery-boot.inflight-users-no-partial",
+      onRecoveryBoot,
+      run: async ({ messages, signal }) =>
+        streamText({ model, messages, abortSignal: signal }),
+    });
+    const harness = mockChatAgent(agent, {
+      chatId: "inflight-users-no-partial",
+      continuation: true,
+      previousRunId: "run_prior",
+    });
+    harness.seedSessionInTail([u1 as never]);
+    try {
+      await new Promise((r) => setTimeout(r, 50));
+      expect(onRecoveryBoot).not.toHaveBeenCalled();
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("default behavior re-dispatches each in-flight user as a turn", async () => {
+    let turnCount = 0;
+    const model = new MockLanguageModelV3({
+      doStream: async () => {
+        turnCount++;
+        return { stream: textStream(`reply ${turnCount}`) };
+      },
+    });
+    const u1 = userMessage("first buffered", "u-1");
+    const u2 = userMessage("second buffered", "u-2");
+    const agent = chat.agent({
+      id: "recovery-boot.default-dispatch",
+      // NO onRecoveryBoot — exercise the default path
+      run: async ({ messages, signal }) =>
+        streamText({ model, messages, abortSignal: signal }),
+    });
+    const harness = mockChatAgent(agent, {
+      chatId: "default-dispatch",
+      continuation: true,
+      previousRunId: "run_prior",
+    });
+    harness.seedSessionInTail([u1 as never, u2 as never]);
+    try {
+      await new Promise((r) => setTimeout(r, 100));
+      expect(turnCount).toBe(2);
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("smart default: partial + first user spliced into chain, rest dispatched", async () => {
+    let observedChain: Array<{ role: string; idHead: string }> = [];
+    let turnCount = 0;
+    const model = new MockLanguageModelV3({
+      doStream: async () => {
+        turnCount++;
+        return { stream: textStream("ok") };
+      },
+    });
+    const partial = assistantMessage("partial answer in progress", "a-partial");
+    const u1 = userMessage("original question", "u-1");
+    const u2 = userMessage("follow-up", "u-2");
+    const agent = chat.agent({
+      id: "recovery-boot.smart-default",
+      // NO onRecoveryBoot — exercise the smart default
+      onTurnStart: async ({ uiMessages }) => {
+        if (turnCount === 0) {
+          observedChain = uiMessages.map((m) => ({
+            role: m.role,
+            idHead: m.id.slice(0, 10),
+          }));
+        }
+      },
+      run: async ({ messages, signal }) =>
+        streamText({ model, messages, abortSignal: signal }),
+    });
+    const harness = mockChatAgent(agent, {
+      chatId: "smart-default",
+      continuation: true,
+      previousRunId: "run_prior",
+    });
+    harness.seedSessionOutPartial(partial as never);
+    harness.seedSessionInTail([u1 as never, u2 as never]);
+    try {
+      await new Promise((r) => setTimeout(r, 100));
+      // Turn 1 fires with the follow-up user (u2). Its chain should
+      // include [u1 (original), a-partial, u2 (follow-up)].
+      expect(turnCount).toBe(1);
+      expect(observedChain.map((m) => m.role)).toEqual([
+        "user",
+        "assistant",
+        "user",
+      ]);
+      expect(observedChain[0]!.idHead).toBe("u-1");
+      expect(observedChain[1]!.idHead).toBe("a-partial");
+      expect(observedChain[2]!.idHead).toBe("u-2");
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("hook's recoveredTurns: [] suppresses re-dispatch of in-flight users", async () => {
+    let turnCount = 0;
+    const model = new MockLanguageModelV3({
+      doStream: async () => {
+        turnCount++;
+        return { stream: textStream(`reply ${turnCount}`) };
+      },
+    });
+    const partial = assistantMessage("partial answer", "a-partial");
+    const u1 = userMessage("buffered", "u-1");
+    const agent = chat.agent({
+      id: "recovery-boot.suppress-dispatch",
+      onRecoveryBoot: async (): Promise<RecoveryBootResult> => ({ recoveredTurns: [] }),
+      run: async ({ messages, signal }) =>
+        streamText({ model, messages, abortSignal: signal }),
+    });
+    const harness = mockChatAgent(agent, {
+      chatId: "suppress-dispatch",
+      continuation: true,
+      previousRunId: "run_prior",
+    });
+    harness.seedSessionOutPartial(partial as never);
+    harness.seedSessionInTail([u1 as never]);
+    try {
+      // No turn should fire from the boot-injected queue.
+      // Send a fresh user message to confirm the agent is alive.
+      await harness.sendMessage(userMessage("real next message"));
+      await new Promise((r) => setTimeout(r, 20));
+      expect(turnCount).toBe(1); // only the explicit sendMessage turn
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("hook's chain override seeds the accumulator", async () => {
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("acked") }),
+    });
+    const custom = assistantMessage("custom-recovered-history", "a-custom");
+    const partial = assistantMessage("partial", "a-partial");
+    const u1 = userMessage("buffered", "u-1");
+    let observedMessageCount = 0;
+    const agent = chat.agent({
+      id: "recovery-boot.chain-override",
+      onRecoveryBoot: async (): Promise<RecoveryBootResult> => ({
+        chain: [custom as never],
+        recoveredTurns: [u1 as never],
+      }),
+      onTurnStart: async ({ uiMessages }) => {
+        observedMessageCount = uiMessages.length;
+      },
+      run: async ({ messages, signal }) =>
+        streamText({ model, messages, abortSignal: signal }),
+    });
+    const harness = mockChatAgent(agent, {
+      chatId: "chain-override",
+      continuation: true,
+      previousRunId: "run_prior",
+    });
+    harness.seedSessionOutPartial(partial as never);
+    harness.seedSessionInTail([u1 as never]);
+    try {
+      await new Promise((r) => setTimeout(r, 50));
+      // Chain seeded with [custom] before the recovered user message
+      // arrives — onTurnStart sees [custom, u1] when the first
+      // recovered turn fires.
+      expect(observedMessageCount).toBe(2);
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("does NOT fire when hydrateMessages is registered", async () => {
+    const onRecoveryBoot = vi.fn();
+    const model = new MockLanguageModelV3({
+      doStream: async () => ({ stream: textStream("ok") }),
+    });
+    const u1 = userMessage("buffered", "u-1");
+    const agent = chat.agent({
+      id: "recovery-boot.hydrate-skips",
+      hydrateMessages: async ({ incomingMessages }) => incomingMessages,
+      onRecoveryBoot,
+      run: async ({ messages, signal }) =>
+        streamText({ model, messages, abortSignal: signal }),
+    });
+    const harness = mockChatAgent(agent, {
+      chatId: "hydrate-skips",
+      continuation: true,
+      previousRunId: "run_prior",
+    });
+    harness.seedSessionInTail([u1 as never]);
+    try {
+      await harness.sendMessage(userMessage("fresh"));
+      await new Promise((r) => setTimeout(r, 20));
+      expect(onRecoveryBoot).not.toHaveBeenCalled();
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("beforeBoot runs before the first recovered turn fires", async () => {
+    const order: string[] = [];
+    const model = new MockLanguageModelV3({
+      doStream: async () => {
+        order.push("turn");
+        return { stream: textStream("ok") };
+      },
+    });
+    const partial = assistantMessage("partial", "a-partial");
+    const u1 = userMessage("buffered original", "u-1");
+    const u2 = userMessage("followup", "u-2");
+    const agent = chat.agent({
+      id: "recovery-boot.before-boot",
+      onRecoveryBoot: async (): Promise<RecoveryBootResult> => ({
+        beforeBoot: async () => {
+          order.push("beforeBoot");
+        },
+      }),
+      run: async ({ messages, signal }) =>
+        streamText({ model, messages, abortSignal: signal }),
+    });
+    const harness = mockChatAgent(agent, {
+      chatId: "before-boot",
+      continuation: true,
+      previousRunId: "run_prior",
+    });
+    harness.seedSessionOutPartial(partial as never);
+    // Two users — smart default consumes u1 into the chain, leaves u2 for dispatch
+    harness.seedSessionInTail([u1 as never, u2 as never]);
+    try {
+      await new Promise((r) => setTimeout(r, 50));
+      expect(order).toEqual(["beforeBoot", "turn"]);
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("hook throwing falls back to defaults without sinking the run", async () => {
+    let turnCount = 0;
+    const model = new MockLanguageModelV3({
+      doStream: async () => {
+        turnCount++;
+        return { stream: textStream("ok") };
+      },
+    });
+    const partial = assistantMessage("partial", "a-partial");
+    const u1 = userMessage("buffered original", "u-1");
+    const u2 = userMessage("followup", "u-2");
+    const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+    const agent = chat.agent({
+      id: "recovery-boot.hook-throws",
+      onRecoveryBoot: async () => {
+        throw new Error("kaboom");
+      },
+      run: async ({ messages, signal }) =>
+        streamText({ model, messages, abortSignal: signal }),
+    });
+    const harness = mockChatAgent(agent, {
+      chatId: "hook-throws",
+      continuation: true,
+      previousRunId: "run_prior",
+    });
+    harness.seedSessionOutPartial(partial as never);
+    // Two users so smart default leaves u2 to dispatch (u1 spliced into chain)
+    harness.seedSessionInTail([u1 as never, u2 as never]);
+    try {
+      await new Promise((r) => setTimeout(r, 100));
+      // Default behavior: the in-flight user is re-dispatched as a turn
+      // even though the hook threw.
+      expect(turnCount).toBe(1);
+    } finally {
+      await harness.close();
+      warnSpy.mockRestore();
+    }
+  });
+});
diff --git a/packages/trigger-sdk/test/replay-session-in.test.ts b/packages/trigger-sdk/test/replay-session-in.test.ts
new file mode 100644
index 00000000000..a90ecc15396
--- /dev/null
+++ b/packages/trigger-sdk/test/replay-session-in.test.ts
@@ -0,0 +1,215 @@
+// Import the test entry point first so the resource catalog is installed.
+import "../src/v3/test/index.js";
+
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { apiClientManager } from "@trigger.dev/core/v3";
+import {
+  __findLatestSessionInCursorForTests as findLatestSessionInCursor,
+  __replaySessionInTailProductionPathForTests as replaySessionInTail,
+} from "../src/v3/ai.js";
+
+// ── Helpers ────────────────────────────────────────────────────────────
+
+function userMessage(id: string, text: string) {
+  return {
+    id,
+    role: "user" as const,
+    parts: [{ type: "text" as const, text }],
+  };
+}
+
+function stubReadRecords(chunks: unknown[]) {
+  const records = chunks.map((chunk, i) => ({
+    data: chunk,
+    id: `evt-${i + 1}`,
+    seqNum: i + 1,
+  }));
+  const spy = vi.fn(async () => ({ records }));
+  vi.spyOn(apiClientManager, "clientOrThrow").mockReturnValue({
+    readSessionStreamRecords: spy,
+  } as never);
+  return spy;
+}
+
+beforeEach(() => {
+  vi.restoreAllMocks();
+});
+
+afterEach(() => {
+  vi.restoreAllMocks();
+});
+
+// ── Tests ──────────────────────────────────────────────────────────────
+
+describe("replaySessionInTail", () => {
+  it("extracts user messages from kind: 'message' records with submit-message trigger", async () => {
+    const u1 = userMessage("u-1", "hello");
+    const u2 = userMessage("u-2", "again");
+    stubReadRecords([
+      {
+        kind: "message",
+        payload: { chatId: "c1", trigger: "submit-message", message: u1, metadata: { userId: "a" } },
+      },
+      {
+        kind: "message",
+        payload: { chatId: "c1", trigger: "submit-message", message: u2, metadata: { userId: "b" } },
+      },
+    ]);
+
+    const result = await replaySessionInTail("sess");
+    expect(result).toHaveLength(2);
+    expect(result[0]!.message.id).toBe("u-1");
+    expect(result[0]!.seqNum).toBe(1);
+    expect(result[0]!.metadata).toEqual({ userId: "a" });
+    expect(result[1]!.message.id).toBe("u-2");
+    expect(result[1]!.seqNum).toBe(2);
+    expect(result[1]!.metadata).toEqual({ userId: "b" });
+  });
+
+  it("ignores non-message variants (stop, handover, handover-skip)", async () => {
+    const u1 = userMessage("u-1", "real user");
+    stubReadRecords([
+      { kind: "stop", message: "user stopped" },
+      { kind: "handover-skip" },
+      { kind: "handover", partialAssistantMessage: [], isFinal: false },
+      { kind: "message", payload: { chatId: "c1", trigger: "submit-message", message: u1 } },
+    ]);
+
+    const result = await replaySessionInTail("sess");
+    expect(result).toHaveLength(1);
+    expect(result[0]!.message.id).toBe("u-1");
+  });
+
+  it("ignores message records that aren't submit-message", async () => {
+    // regenerate-message / preload / close / action / handover-prepare don't
+    // carry a user message — the chain reconstruction must skip them.
+    stubReadRecords([
+      { kind: "message", payload: { chatId: "c1", trigger: "regenerate-message" } },
+      { kind: "message", payload: { chatId: "c1", trigger: "preload" } },
+      { kind: "message", payload: { chatId: "c1", trigger: "close" } },
+      { kind: "message", payload: { chatId: "c1", trigger: "action", action: { foo: 1 } } },
+    ]);
+
+    const result = await replaySessionInTail("sess");
+    expect(result).toHaveLength(0);
+  });
+
+  it("ignores records whose payload is missing or empty", async () => {
+    stubReadRecords([
+      { kind: "message" }, // no payload
+      { kind: "message", payload: { chatId: "c1", trigger: "submit-message" } }, // no message
+      { kind: "message", payload: { chatId: "c1", trigger: "submit-message", message: null } },
+      {
+        kind: "message",
+        payload: { chatId: "c1", trigger: "submit-message", message: "not-an-object" },
+      },
+    ]);
+
+    const result = await replaySessionInTail("sess");
+    expect(result).toHaveLength(0);
+  });
+
+  it("skips non-object record data defensively", async () => {
+    const u1 = userMessage("u-1", "valid");
+    stubReadRecords([
+      42,
+      null,
+      "string-data",
+      { kind: "message", payload: { chatId: "c1", trigger: "submit-message", message: u1 } },
+    ]);
+
+    const result = await replaySessionInTail("sess");
+    expect(result).toHaveLength(1);
+    expect(result[0]!.message.id).toBe("u-1");
+  });
+
+  it("passes the afterEventId cursor through to readSessionStreamRecords", async () => {
+    const spy = stubReadRecords([]);
+
+    await replaySessionInTail("sess", { lastEventId: "evt-42" });
+
+    expect(spy).toHaveBeenCalledWith("sess", "in", { afterEventId: "evt-42" });
+  });
+
+  it("returns an empty list when the records endpoint returns no records", async () => {
+    stubReadRecords([]);
+
+    const result = await replaySessionInTail("sess");
+    expect(result).toEqual([]);
+  });
+});
+
+// ── Cursor scan (non-blocking records read, not an SSE drain) ──────────
+
+function stubReadRecordsWithHeaders(
+  records: Array<{ data?: unknown; headers?: Array<[string, string]> }>
+) {
+  const shaped = records.map((r, i) => ({
+    data: r.data ?? "",
+    id: `evt-${i + 1}`,
+    seqNum: i + 1,
+    headers: r.headers,
+  }));
+  const spy = vi.fn(async () => ({ records: shaped }));
+  vi.spyOn(apiClientManager, "clientOrThrow").mockReturnValue({
+    readSessionStreamRecords: spy,
+  } as never);
+  return spy;
+}
+
+describe("findLatestSessionInCursor", () => {
+  it("returns the LAST turn-complete's session-in-event-id", async () => {
+    const spy = stubReadRecordsWithHeaders([
+      { data: { type: "text-delta", delta: "hi" } },
+      {
+        headers: [
+          ["trigger-control", "turn-complete"],
+          ["session-in-event-id", "3"],
+        ],
+      },
+      { data: { type: "text-delta", delta: "again" } },
+      {
+        headers: [
+          ["trigger-control", "turn-complete"],
+          ["session-in-event-id", "7"],
+        ],
+      },
+    ]);
+
+    const cursor = await findLatestSessionInCursor("sess");
+    expect(cursor).toBe(7);
+    // Non-blocking records read on `.out`, no SSE subscribe.
+    expect(spy).toHaveBeenCalledWith("sess", "out");
+  });
+
+  it("ignores other control subtypes and turn-completes without the header", async () => {
+    stubReadRecordsWithHeaders([
+      {
+        headers: [
+          ["trigger-control", "upgrade-required"],
+          ["session-in-event-id", "99"],
+        ],
+      },
+      { headers: [["trigger-control", "turn-complete"]] },
+      {
+        headers: [
+          ["trigger-control", "turn-complete"],
+          ["session-in-event-id", "4"],
+        ],
+      },
+    ]);
+
+    const cursor = await findLatestSessionInCursor("sess");
+    expect(cursor).toBe(4);
+  });
+
+  it("returns undefined when records carry no headers (older server)", async () => {
+    stubReadRecordsWithHeaders([
+      { data: { type: "text-delta", delta: "hi" } },
+      { data: { type: "finish" } },
+    ]);
+
+    const cursor = await findLatestSessionInCursor("sess");
+    expect(cursor).toBeUndefined();
+  });
+});
diff --git a/packages/trigger-sdk/test/replay-session-out.test.ts b/packages/trigger-sdk/test/replay-session-out.test.ts
new file mode 100644
index 00000000000..ed78ecec146
--- /dev/null
+++ b/packages/trigger-sdk/test/replay-session-out.test.ts
@@ -0,0 +1,290 @@
+// Import the test entry point first so the resource catalog is installed.
+import "../src/v3/test/index.js";
+
+import type { UIMessageChunk } from "ai";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { apiClientManager } from "@trigger.dev/core/v3";
+import { __replaySessionOutTailProductionPathForTests as replaySessionOutTail } from "../src/v3/ai.js";
+
+// ── Helpers ────────────────────────────────────────────────────────────
+
+/**
+ * Build the canonical chunk sequence the AI SDK emits for a single text
+ * turn from message `id`. Includes a trailing `finish` so the segment is
+ * marked closed (i.e. NOT subject to `cleanupAbortedParts`).
+ */
+function textTurn(id: string, text: string, role: "assistant" = "assistant"): UIMessageChunk[] {
+  return [
+    { type: "start", messageId: id, messageMetadata: { role } } as UIMessageChunk,
+    { type: "text-start", id: `${id}.t1` } as UIMessageChunk,
+    { type: "text-delta", id: `${id}.t1`, delta: text } as UIMessageChunk,
+    { type: "text-end", id: `${id}.t1` } as UIMessageChunk,
+    { type: "finish" } as UIMessageChunk,
+  ];
+}
+
+/**
+ * Same as `textTurn` but omits the trailing `finish` chunk — simulates a
+ * crashed turn whose stream ended mid-message. The runtime's reducer
+ * should run `cleanupAbortedParts` on the resulting trailing message.
+ */
+function partialTurn(id: string, text: string): UIMessageChunk[] {
+  return [
+    { type: "start", messageId: id, messageMetadata: { role: "assistant" } } as UIMessageChunk,
+    { type: "text-start", id: `${id}.t1` } as UIMessageChunk,
+    { type: "text-delta", id: `${id}.t1`, delta: text } as UIMessageChunk,
+    // No text-end, no finish.
+  ];
+}
+
+/**
+ * Stub `apiClientManager.clientOrThrow().readSessionStreamRecords` so the
+ * helper sees a `{ records: StreamRecord[] }` response. Each StreamRecord
+ * is `{ data, id, seqNum }` — `data` is the parsed chunk OBJECT (the wire
+ * writer puts chunks directly into the record envelope; the route
+ * forwards them as-is; the schema declares `data: z.unknown()`).
+ *
+ * Pass either a chunk OBJECT (used as `data` directly) or a string
+ * (used as `data` directly — for tests that need deliberately-malformed
+ * bodies; the consumer filters non-objects out).
+ *
+ * Captures the `afterEventId` argument for resume-from-cursor assertions.
+ */
+function stubReadRecordsWithChunks(chunks: unknown[]) {
+  const records = chunks.map((chunk, i) => ({
+    data: chunk,
+    id: `evt-${i + 1}`,
+    seqNum: i + 1,
+  }));
+  const readRecordsSpy = vi.fn(
+    async (_id: string, _io: "in" | "out", _options?: { afterEventId?: string }) => ({
+      records,
+    })
+  );
+  vi.spyOn(apiClientManager, "clientOrThrow").mockReturnValue({
+    readSessionStreamRecords: readRecordsSpy,
+  } as never);
+  return readRecordsSpy;
+}
+
+// ── Tests ──────────────────────────────────────────────────────────────
+
+describe("replaySessionOutTail", () => {
+  let warnSpy: ReturnType<typeof vi.spyOn>;
+
+  beforeEach(() => {
+    warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+    warnSpy.mockRestore();
+  });
+
+  it("returns [] for an empty session.out stream", async () => {
+    stubReadRecordsWithChunks([]);
+    const result = await replaySessionOutTail("empty-session");
+    expect(result).toEqual([]);
+  });
+
+  it("reduces a single text turn into one assistant UIMessage", async () => {
+    stubReadRecordsWithChunks(textTurn("a-1", "hello world"));
+    const result = await replaySessionOutTail("text-session");
+    expect(result).toHaveLength(1);
+    expect(result[0]).toMatchObject({ id: "a-1", role: "assistant" });
+    const text = (result[0]!.parts as Array<{ type: string; text?: string }>)
+      .filter((p) => p.type === "text")
+      .map((p) => p.text)
+      .join("");
+    expect(text).toBe("hello world");
+  });
+
+  it("reduces multiple sequential turns into multiple UIMessages", async () => {
+    stubReadRecordsWithChunks([
+      ...textTurn("a-1", "first"),
+      ...textTurn("a-2", "second"),
+      ...textTurn("a-3", "third"),
+    ]);
+
+    const result = await replaySessionOutTail("multi-session");
+    expect(result).toHaveLength(3);
+    expect(result.map((m) => m.id)).toEqual(["a-1", "a-2", "a-3"]);
+  });
+
+  it("filters out `trigger:*` control chunks (turn-complete, etc.)", async () => {
+    stubReadRecordsWithChunks([
+      ...textTurn("a-1", "hello"),
+      { type: "trigger:turn-complete", lastEventId: "evt-1", lastEventTimestamp: 1 },
+      { type: "trigger:upgrade-required" },
+      ...textTurn("a-2", "second"),
+    ]);
+
+    const result = await replaySessionOutTail("control-session");
+    // Two assistant messages reduced — the trigger:* records are dropped
+    // before reaching the reducer.
+    expect(result).toHaveLength(2);
+    expect(result.map((m) => m.id)).toEqual(["a-1", "a-2"]);
+  });
+
+  it("never emits user-role messages (session.out is assistant-only)", async () => {
+    // session.out conceptually only carries assistant chunks (the user's
+    // messages live on session.in). Even if a user-role start somehow
+    // landed there, the reducer wouldn't surface a user message via this
+    // helper's contract.
+    stubReadRecordsWithChunks(textTurn("a-1", "ok"));
+    const result = await replaySessionOutTail("assistant-only");
+    expect(result.every((m) => m.role !== "user")).toBe(true);
+  });
+
+  it("passes `lastEventId` through as `afterEventId` to readSessionStreamRecords", async () => {
+    // The replay helper accepts `lastEventId` from the caller (matching
+    // the snapshot's persisted cursor name) and forwards it as
+    // `afterEventId` on the records endpoint — that's the field name on
+    // the new non-SSE route.
+    const readRecordsSpy = stubReadRecordsWithChunks(textTurn("a-1", "ok"));
+    await replaySessionOutTail("resume-session", { lastEventId: "evt-99" });
+
+    expect(readRecordsSpy).toHaveBeenCalledWith(
+      "resume-session",
+      "out",
+      expect.objectContaining({ afterEventId: "evt-99" })
+    );
+  });
+
+  it("uses the non-SSE records endpoint (drain-and-close, no long-poll)", async () => {
+    // Replay no longer subscribes to the SSE stream — that imposed a ~1s
+    // long-poll tax on every fresh chat boot. The new path hits
+    // `readSessionStreamRecords` (one synchronous GET that returns
+    // whatever's already in the stream) and returns immediately when
+    // empty. Lock the call site down so a regression to SSE shows up
+    // here.
+    const readRecordsSpy = stubReadRecordsWithChunks([]);
+    const result = await replaySessionOutTail("drain-session");
+
+    expect(readRecordsSpy).toHaveBeenCalledWith("drain-session", "out", expect.any(Object));
+    expect(result).toEqual([]);
+  });
+
+  it("strips orphaned in-flight tool parts from a partial trailing assistant", async () => {
+    // The runtime applies `cleanupAbortedParts` only on the trailing
+    // segment when its closure flag is `false` (no `finish` chunk
+    // received). The cleanup removes tool parts that never reached a
+    // terminal state — `input-streaming`, `output-pending`, etc. —
+    // because those represent partial in-flight work that won't resolve.
+    //
+    // Text parts with already-streamed content are preserved (the user
+    // already saw them), so we test the tool-part path specifically.
+    stubReadRecordsWithChunks([
+      ...textTurn("a-1", "previous-turn-finished"),
+      // Trailing turn: starts a tool call but never resolves it.
+      { type: "start", messageId: "a-2", messageMetadata: { role: "assistant" } } as UIMessageChunk,
+      { type: "tool-input-start", toolCallId: "tc-cut", toolName: "search" } as UIMessageChunk,
+      { type: "tool-input-delta", toolCallId: "tc-cut", inputTextDelta: '{"q":"x"}' } as UIMessageChunk,
+      // No tool-input-end, no tool-call, no finish → orphaned.
+    ]);
+
+    const result = await replaySessionOutTail("partial-tool-session");
+    // The closed turn survives.
+    expect(result.find((m) => m.id === "a-1")).toBeTruthy();
+    // Trailing message either gets dropped (cleanup empties it) or its
+    // orphaned tool part is stripped to a terminal state. Either way,
+    // no `tc-cut` part should be left in `input-streaming` state — that
+    // would represent a tool the next turn would re-process.
+    const trailing = result.find((m) => m.id === "a-2");
+    if (trailing) {
+      const orphanedToolPart = (trailing.parts as Array<{ type: string; toolCallId?: string; state?: string }>).find(
+        (p) => p.toolCallId === "tc-cut" && p.state === "input-streaming"
+      );
+      expect(orphanedToolPart).toBeUndefined();
+    }
+  });
+
+  it("drops a trailing message whose only parts are stripped by cleanup", async () => {
+    // Trailing turn whose ONLY content is an orphaned tool — after
+    // cleanup the message has no parts left, so the helper drops it
+    // entirely (it never reached the next turn's accumulator).
+    stubReadRecordsWithChunks([
+      ...textTurn("a-1", "complete"),
+      { type: "start", messageId: "a-orphan", messageMetadata: { role: "assistant" } } as UIMessageChunk,
+      { type: "tool-input-start", toolCallId: "tc-orph", toolName: "search" } as UIMessageChunk,
+      // No tool-input-end, no tool-call, no finish.
+    ]);
+
+    const result = await replaySessionOutTail("dropped-trailing");
+    expect(result).toHaveLength(1);
+    expect(result[0]!.id).toBe("a-1");
+  });
+
+  it("preserves a complete trailing assistant (cleanup is a no-op)", async () => {
+    // Trailing turn that DID end with `finish` is closed — cleanupAbortedParts
+    // doesn't fire. Use this to lock down that closed segments survive
+    // unchanged.
+    stubReadRecordsWithChunks(textTurn("a-1", "fully-finished"));
+    const result = await replaySessionOutTail("closed-session");
+    expect(result).toHaveLength(1);
+    const text = (result[0]!.parts as Array<{ type: string; text?: string }>)
+      .filter((p) => p.type === "text")
+      .map((p) => p.text)
+      .join("");
+    expect(text).toBe("fully-finished");
+  });
+
+  it("skips records whose data is a string (the wire delivers objects)", async () => {
+    // The writer puts chunk objects directly into the record envelope;
+    // the route forwards them as-is. A string body is malformed — the
+    // consumer drops it defensively rather than JSON.parsing.
+    stubReadRecordsWithChunks([
+      "not-an-object",
+      ...textTurn("a-1", "survived"),
+    ]);
+
+    const result = await replaySessionOutTail("garbage-session");
+    expect(result).toHaveLength(1);
+    expect(result[0]!.id).toBe("a-1");
+  });
+
+  it("skips records whose data is not an object", async () => {
+    // The consumer requires `chunk` to be a non-null object with a
+    // string `type` field. Records that arrive as primitives
+    // (number, null, string) are dropped silently.
+    stubReadRecordsWithChunks([
+      42,
+      null,
+      "just-a-string",
+      ...textTurn("a-1", "survived"),
+    ]);
+
+    const result = await replaySessionOutTail("primitive-data-session");
+    expect(result).toHaveLength(1);
+    expect(result[0]!.id).toBe("a-1");
+  });
+
+  it("ignores chunks missing a `type` field", async () => {
+    stubReadRecordsWithChunks([
+      { foo: "bar" },
+      { type: 42 },
+      ...textTurn("a-1", "valid"),
+    ]);
+
+    const result = await replaySessionOutTail("typeless-session");
+    expect(result).toHaveLength(1);
+    expect(result[0]!.id).toBe("a-1");
+  });
+
+  it("recovers from a malformed segment by skipping it (logs a warn)", async () => {
+    // The reducer for one segment throws (e.g. invalid chunk sequence).
+    // The helper logs the warning and proceeds with the next segment —
+    // a single corrupt segment shouldn't sink the entire replay.
+    stubReadRecordsWithChunks([
+      // Malformed: text-end with no preceding text-start.
+      { type: "start", messageId: "bad-1", messageMetadata: { role: "assistant" } } as UIMessageChunk,
+      { type: "text-end", id: "no-such-text" } as UIMessageChunk,
+      { type: "finish" } as UIMessageChunk,
+      ...textTurn("a-1", "after-bad"),
+    ]);
+
+    const result = await replaySessionOutTail("recovery-session");
+    // The valid turn after the malformed one must still surface.
+    expect(result.find((m) => m.id === "a-1")).toBeTruthy();
+  });
+});
diff --git a/packages/trigger-sdk/test/skill.test.ts b/packages/trigger-sdk/test/skill.test.ts
new file mode 100644
index 00000000000..61e497933b6
--- /dev/null
+++ b/packages/trigger-sdk/test/skill.test.ts
@@ -0,0 +1,86 @@
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { mkdtemp, mkdir, realpath, writeFile, rm } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import * as path from "node:path";
+import { defineSkill, parseFrontmatter } from "../src/v3/skill.js";
+
+describe("parseFrontmatter", () => {
+  it("parses name + description", () => {
+    const { frontmatter, body } = parseFrontmatter(
+      `---\nname: pdf-processing\ndescription: Extract text from PDFs.\n---\n\n# Body\n\nhello\n`
+    );
+    expect(frontmatter.name).toBe("pdf-processing");
+    expect(frontmatter.description).toBe("Extract text from PDFs.");
+    expect(body).toBe("# Body\n\nhello\n");
+  });
+
+  it("strips surrounding quotes", () => {
+    const { frontmatter } = parseFrontmatter(
+      `---\nname: "quoted-name"\ndescription: 'single quoted'\n---\nbody\n`
+    );
+    expect(frontmatter.name).toBe("quoted-name");
+    expect(frontmatter.description).toBe("single quoted");
+  });
+
+  it("throws on missing frontmatter block", () => {
+    expect(() => parseFrontmatter("# just a heading\n")).toThrow(/missing a frontmatter block/);
+  });
+
+  it("throws on missing required name", () => {
+    expect(() => parseFrontmatter(`---\ndescription: desc\n---\nbody`)).toThrow(
+      /missing required `name`/
+    );
+  });
+
+  it("throws on missing required description", () => {
+    expect(() => parseFrontmatter(`---\nname: foo\n---\nbody`)).toThrow(
+      /missing required `description`/
+    );
+  });
+});
+
+describe("defineSkill.local()", () => {
+  const originalCwd = process.cwd();
+  let workdir: string;
+
+  beforeEach(async () => {
+    workdir = await realpath(await mkdtemp(path.join(tmpdir(), "skill-test-")));
+    process.chdir(workdir);
+  });
+
+  afterEach(async () => {
+    process.chdir(originalCwd);
+    await rm(workdir, { recursive: true, force: true });
+  });
+
+  it("reads a bundled SKILL.md and returns a ResolvedSkill", async () => {
+    const skillDir = path.join(workdir, ".trigger", "skills", "pdf");
+    await mkdir(skillDir, { recursive: true });
+    await writeFile(
+      path.join(skillDir, "SKILL.md"),
+      `---\nname: pdf\ndescription: Extract PDF text.\n---\n\n# PDF skill\n\nUse scripts/extract.py.\n`
+    );
+
+    const skill = defineSkill({ id: "pdf", path: "./skills/pdf" });
+    const resolved = await skill.local();
+
+    expect(resolved.id).toBe("pdf");
+    expect(resolved.version).toBe("local");
+    expect(resolved.labels).toEqual([]);
+    expect(resolved.frontmatter.name).toBe("pdf");
+    expect(resolved.frontmatter.description).toBe("Extract PDF text.");
+    expect(resolved.body).toContain("# PDF skill");
+    expect(resolved.body).toContain("Use scripts/extract.py");
+    expect(resolved.path).toBe(skillDir);
+  });
+
+  it("throws a useful error when SKILL.md is missing", async () => {
+    const skill = defineSkill({ id: "missing", path: "./skills/missing" });
+    await expect(skill.local()).rejects.toThrow(/could not read SKILL.md/);
+  });
+
+  it("resolve() throws with a helpful Phase 1 message", async () => {
+    const skill = defineSkill({ id: "phase-2", path: "./skills/phase-2" });
+    await expect(skill.resolve()).rejects.toThrow(/not available yet.*Phase 2.*local/s);
+  });
+});
diff --git a/packages/trigger-sdk/test/skillsRuntime.test.ts b/packages/trigger-sdk/test/skillsRuntime.test.ts
new file mode 100644
index 00000000000..125471ff795
--- /dev/null
+++ b/packages/trigger-sdk/test/skillsRuntime.test.ts
@@ -0,0 +1,221 @@
+// Import the test harness FIRST so the resource catalog is installed
+import { mockChatAgent } from "../src/v3/test/index.js";
+
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { mkdtemp, mkdir, realpath, writeFile, rm, chmod } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import * as path from "node:path";
+import type { LanguageModelV3StreamPart } from "@ai-sdk/provider";
+import { MockLanguageModelV3 } from "ai/test";
+import { simulateReadableStream, streamText } from "ai";
+import { buildSkillTools, chat } from "../src/v3/ai.js";
+import { defineSkill } from "../src/v3/skill.js";
+
+function userMessage(text: string, id?: string) {
+  return {
+    id: id ?? `u-${Math.random().toString(36).slice(2)}`,
+    role: "user" as const,
+    parts: [{ type: "text" as const, text }],
+  };
+}
+
+function textStream(text: string) {
+  const chunks: LanguageModelV3StreamPart[] = [
+    { type: "text-start", id: "t1" },
+    { type: "text-delta", id: "t1", delta: text },
+    { type: "text-end", id: "t1" },
+    {
+      type: "finish",
+      finishReason: { unified: "stop", raw: "stop" },
+      usage: {
+        inputTokens: { total: 10, noCache: 10, cacheRead: undefined, cacheWrite: undefined },
+        outputTokens: { total: 10, text: 10, reasoning: undefined },
+      },
+    },
+  ];
+  return simulateReadableStream({ chunks });
+}
+
+const originalCwd = process.cwd();
+let workdir: string;
+
+beforeEach(async () => {
+  workdir = await realpath(await mkdtemp(path.join(tmpdir(), "skills-runtime-")));
+  process.chdir(workdir);
+
+  // Bundled skill layout
+  const skillDir = path.join(workdir, ".trigger", "skills", "demo");
+  await mkdir(path.join(skillDir, "scripts"), { recursive: true });
+  await mkdir(path.join(skillDir, "references"), { recursive: true });
+
+  await writeFile(
+    path.join(skillDir, "SKILL.md"),
+    `---\nname: demo\ndescription: Demo skill for tests.\n---\n\n# Demo\n\nUse scripts/hello.sh to say hello.\n`
+  );
+
+  const scriptPath = path.join(skillDir, "scripts", "hello.sh");
+  await writeFile(scriptPath, `#!/usr/bin/env bash\necho "hi from $1"\n`);
+  await chmod(scriptPath, 0o755);
+
+  await writeFile(path.join(skillDir, "references", "notes.txt"), "Reference note.\n");
+});
+
+afterEach(async () => {
+  process.chdir(originalCwd);
+  await rm(workdir, { recursive: true, force: true });
+});
+
+describe("chat.skills runtime integration", () => {
+  it("injects skills preamble into the system prompt", async () => {
+    let capturedSystem: string | undefined;
+
+    const model = new MockLanguageModelV3({
+      doStream: async (opts) => {
+        const system = opts.prompt.find((m) => m.role === "system");
+        capturedSystem = system ? JSON.stringify(system.content) : undefined;
+        return { stream: textStream("ok") };
+      },
+    });
+
+    const skill = defineSkill({ id: "demo", path: "./skills/demo" });
+
+    const agent = chat.agent({
+      id: "skills-runtime.system-prompt",
+      onChatStart: async () => {
+        chat.skills.set([await skill.local()]);
+      },
+      run: async ({ messages, signal }) => {
+        return streamText({
+          model,
+          messages,
+          abortSignal: signal,
+          ...chat.toStreamTextOptions(),
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "t1" });
+    try {
+      await harness.sendMessage(userMessage("hi"));
+      await new Promise((r) => setTimeout(r, 20));
+      expect(capturedSystem).toContain("Available skills");
+      expect(capturedSystem).toContain("demo: Demo skill for tests");
+    } finally {
+      await harness.close();
+    }
+  });
+
+  it("auto-wires loadSkill / readFile / bash tools", async () => {
+    let capturedToolNames: string[] = [];
+
+    const model = new MockLanguageModelV3({
+      doStream: async (opts) => {
+        capturedToolNames = (opts.tools ?? []).map((t) => t.name);
+        return { stream: textStream("ok") };
+      },
+    });
+
+    const skill = defineSkill({ id: "demo", path: "./skills/demo" });
+
+    const agent = chat.agent({
+      id: "skills-runtime.auto-tools",
+      onChatStart: async () => {
+        chat.skills.set([await skill.local()]);
+      },
+      run: async ({ messages, signal }) => {
+        return streamText({
+          model,
+          messages,
+          abortSignal: signal,
+          ...chat.toStreamTextOptions(),
+        });
+      },
+    });
+
+    const harness = mockChatAgent(agent, { chatId: "t2" });
+    try {
+      await harness.sendMessage(userMessage("hi"));
+      await new Promise((r) => setTimeout(r, 20));
+      expect(capturedToolNames).toEqual(expect.arrayContaining(["loadSkill", "readFile", "bash"]));
+    } finally {
+      await harness.close();
+    }
+  });
+});
+
+describe("buildSkillTools — direct execute", () => {
+  it("loadSkill returns body + path for a known skill", async () => {
+    const skill = defineSkill({ id: "demo", path: "./skills/demo" });
+    const resolved = await skill.local();
+    const tools = buildSkillTools([resolved]);
+
+    const out = await (tools.loadSkill as any).execute({ name: "demo" });
+    expect(out.name).toBe("demo");
+    expect(out.body).toContain("# Demo");
+    expect(out.path).toBe(resolved.path);
+  });
+
+  it("loadSkill returns an error for an unknown skill", async () => {
+    const skill = defineSkill({ id: "demo", path: "./skills/demo" });
+    const tools = buildSkillTools([await skill.local()]);
+
+    const out = await (tools.loadSkill as any).execute({ name: "missing" });
+    expect(out.error).toContain('Skill "missing" not found');
+  });
+
+  it("readFile reads a bundled reference", async () => {
+    const skill = defineSkill({ id: "demo", path: "./skills/demo" });
+    const tools = buildSkillTools([await skill.local()]);
+
+    const out = await (tools.readFile as any).execute({
+      skill: "demo",
+      path: "references/notes.txt",
+    });
+    expect(out.content).toBe("Reference note.\n");
+  });
+
+  it("readFile rejects path traversal", async () => {
+    const skill = defineSkill({ id: "demo", path: "./skills/demo" });
+    const tools = buildSkillTools([await skill.local()]);
+
+    const out = await (tools.readFile as any).execute({
+      skill: "demo",
+      path: "../../../../etc/passwd",
+    });
+    expect(out.error).toMatch(/escapes the skill directory/);
+  });
+
+  it("readFile rejects absolute paths", async () => {
+    const skill = defineSkill({ id: "demo", path: "./skills/demo" });
+    const tools = buildSkillTools([await skill.local()]);
+
+    const out = await (tools.readFile as any).execute({
+      skill: "demo",
+      path: "/etc/passwd",
+    });
+    expect(out.error).toMatch(/must be relative/);
+  });
+
+  it("bash runs a bundled script and captures stdout", async () => {
+    const skill = defineSkill({ id: "demo", path: "./skills/demo" });
+    const tools = buildSkillTools([await skill.local()]);
+
+    const out = await (tools.bash as any).execute({
+      skill: "demo",
+      command: "bash scripts/hello.sh world",
+    });
+    expect(out.exitCode).toBe(0);
+    expect(out.stdout).toContain("hi from world");
+  });
+
+  it("bash reports non-zero exit code", async () => {
+    const skill = defineSkill({ id: "demo", path: "./skills/demo" });
+    const tools = buildSkillTools([await skill.local()]);
+
+    const out = await (tools.bash as any).execute({
+      skill: "demo",
+      command: "exit 7",
+    });
+    expect(out.exitCode).toBe(7);
+  });
+});
diff --git a/packages/trigger-sdk/test/wire-shape.test.ts b/packages/trigger-sdk/test/wire-shape.test.ts
new file mode 100644
index 00000000000..6214f3ca01e
--- /dev/null
+++ b/packages/trigger-sdk/test/wire-shape.test.ts
@@ -0,0 +1,541 @@
+// The slim wire payload shape is the contract between the transport
+// (`TriggerChatTransport.sendMessages` etc.) and the agent runtime. This
+// test locks the shape down at the type and JSON-roundtrip level so a
+// future change either holds the wire stable or breaks loudly.
+//
+// Plan F.1: verify `messages` is gone, `message`/`headStartMessages` are
+// typed correctly. See plan section A.1.
+
+import "../src/v3/test/index.js";
+
+import type { UIMessage } from "ai";
+import { describe, expect, expectTypeOf, it } from "vitest";
+import type { ChatInputChunk, ChatTaskWirePayload } from "../src/v3/ai-shared.js";
+import { slimSubmitMessageForWire, upsertIncomingMessage } from "../src/v3/ai-shared.js";
+
+describe("ChatTaskWirePayload (slim wire shape)", () => {
+  it("encodes and decodes a submit-message payload through JSON", () => {
+    const userMsg: UIMessage = {
+      id: "u-1",
+      role: "user",
+      parts: [{ type: "text", text: "hi" }],
+    };
+    const wire: ChatTaskWirePayload = {
+      message: userMsg,
+      chatId: "chat-1",
+      trigger: "submit-message",
+      metadata: { userId: "u-1" },
+    };
+
+    const encoded = JSON.stringify(wire);
+    const decoded = JSON.parse(encoded) as ChatTaskWirePayload;
+
+    expect(decoded).toEqual(wire);
+    expect(decoded.message).toEqual(userMsg);
+    expect(decoded.trigger).toBe("submit-message");
+  });
+
+  it("encodes and decodes a regenerate-message payload (no message body)", () => {
+    const wire: ChatTaskWirePayload = {
+      chatId: "chat-1",
+      trigger: "regenerate-message",
+      metadata: undefined,
+    };
+
+    const decoded = JSON.parse(JSON.stringify(wire)) as ChatTaskWirePayload;
+
+    expect(decoded.trigger).toBe("regenerate-message");
+    expect(decoded.message).toBeUndefined();
+    expect(decoded.headStartMessages).toBeUndefined();
+  });
+
+  it("encodes and decodes a handover-prepare payload with headStartMessages", () => {
+    const history: UIMessage[] = [
+      {
+        id: "u-1",
+        role: "user",
+        parts: [{ type: "text", text: "first" }],
+      },
+      {
+        id: "a-1",
+        role: "assistant",
+        parts: [{ type: "text", text: "ok" }],
+      },
+    ];
+    const wire: ChatTaskWirePayload = {
+      headStartMessages: history,
+      chatId: "chat-1",
+      trigger: "handover-prepare",
+    };
+
+    const decoded = JSON.parse(JSON.stringify(wire)) as ChatTaskWirePayload;
+
+    expect(decoded.headStartMessages).toEqual(history);
+    expect(decoded.message).toBeUndefined();
+  });
+
+  it("encodes and decodes a preload payload (no message, no headStartMessages)", () => {
+    const wire: ChatTaskWirePayload = {
+      chatId: "chat-1",
+      trigger: "preload",
+    };
+
+    const decoded = JSON.parse(JSON.stringify(wire)) as ChatTaskWirePayload;
+    expect(decoded.trigger).toBe("preload");
+    expect(decoded.message).toBeUndefined();
+    expect(decoded.headStartMessages).toBeUndefined();
+  });
+
+  it("encodes and decodes a close payload", () => {
+    const wire: ChatTaskWirePayload = {
+      chatId: "chat-1",
+      trigger: "close",
+    };
+    const decoded = JSON.parse(JSON.stringify(wire)) as ChatTaskWirePayload;
+    expect(decoded.trigger).toBe("close");
+  });
+
+  it("encodes and decodes an action payload (carries `action`, no message)", () => {
+    const wire: ChatTaskWirePayload = {
+      chatId: "chat-1",
+      trigger: "action",
+      action: { type: "undo" },
+    };
+    const decoded = JSON.parse(JSON.stringify(wire)) as ChatTaskWirePayload;
+
+    expect(decoded.trigger).toBe("action");
+    expect(decoded.action).toEqual({ type: "undo" });
+    expect(decoded.message).toBeUndefined();
+  });
+
+  it("preserves continuation / previousRunId / sessionId across the wire", () => {
+    const wire: ChatTaskWirePayload = {
+      message: {
+        id: "u-2",
+        role: "user",
+        parts: [{ type: "text", text: "continued" }],
+      },
+      chatId: "chat-1",
+      trigger: "submit-message",
+      continuation: true,
+      previousRunId: "run_abc",
+      sessionId: "sess_xyz",
+      idleTimeoutInSeconds: 42,
+    };
+    const decoded = JSON.parse(JSON.stringify(wire)) as ChatTaskWirePayload;
+
+    expect(decoded.continuation).toBe(true);
+    expect(decoded.previousRunId).toBe("run_abc");
+    expect(decoded.sessionId).toBe("sess_xyz");
+    expect(decoded.idleTimeoutInSeconds).toBe(42);
+  });
+
+  it("preserves a tool-approval-responded assistant message in `message`", () => {
+    // The HITL slim-wire path sends an assistant message with
+    // `state: "approval-responded"` tool parts in `message`, not the
+    // full chain. The agent merges by id.
+    const approvalMsg: UIMessage = {
+      id: "a-1",
+      role: "assistant",
+      parts: [
+        {
+          type: "tool-search",
+          toolCallId: "tc-42",
+          state: "output-available",
+          input: { q: "x" },
+          output: { hits: 7 },
+        } as never,
+      ],
+    };
+    const wire: ChatTaskWirePayload = {
+      message: approvalMsg,
+      chatId: "chat-1",
+      trigger: "submit-message",
+    };
+
+    const decoded = JSON.parse(JSON.stringify(wire)) as ChatTaskWirePayload;
+    expect(decoded.message).toEqual(approvalMsg);
+  });
+});
+
+describe("upsertIncomingMessage", () => {
+  const userMsg = (id: string, text: string): UIMessage => ({
+    id,
+    role: "user",
+    parts: [{ type: "text", text }],
+  });
+
+  it("pushes a fresh user message and returns true", () => {
+    const stored: UIMessage[] = [userMsg("u-1", "first")];
+    const mutated = upsertIncomingMessage(stored, {
+      trigger: "submit-message",
+      incomingMessages: [userMsg("u-2", "second")],
+    });
+    expect(mutated).toBe(true);
+    expect(stored).toHaveLength(2);
+    expect(stored[1]!.id).toBe("u-2");
+  });
+
+  it("no-ops when incoming id is already in stored (HITL continuation)", () => {
+    const head = {
+      id: "asst-1",
+      role: "assistant" as const,
+      parts: [{ type: "tool-search", toolCallId: "tc-1", state: "input-available", input: {} } as never],
+    };
+    const stored: UIMessage[] = [userMsg("u-1", "hi"), head];
+    const slim = {
+      id: "asst-1",
+      role: "assistant" as const,
+      parts: [{ type: "tool-search", toolCallId: "tc-1", state: "output-available", output: {} } as never],
+    };
+    const mutated = upsertIncomingMessage(stored, {
+      trigger: "submit-message",
+      incomingMessages: [slim],
+    });
+    expect(mutated).toBe(false);
+    expect(stored).toHaveLength(2);
+    // The original head is untouched — the runtime's per-turn merge
+    // overlays the resolution; the customer's stored array is just
+    // the pre-merge snapshot.
+    expect(stored[1]).toBe(head);
+  });
+
+  it("no-ops on regenerate-message trigger", () => {
+    const stored: UIMessage[] = [userMsg("u-1", "hi")];
+    const mutated = upsertIncomingMessage(stored, {
+      trigger: "regenerate-message",
+      incomingMessages: [userMsg("u-2", "ignored")],
+    });
+    expect(mutated).toBe(false);
+    expect(stored).toHaveLength(1);
+  });
+
+  it("no-ops on action trigger", () => {
+    const stored: UIMessage[] = [userMsg("u-1", "hi")];
+    const mutated = upsertIncomingMessage(stored, {
+      trigger: "action",
+      incomingMessages: [],
+    });
+    expect(mutated).toBe(false);
+    expect(stored).toHaveLength(1);
+  });
+
+  it("no-ops on empty incomingMessages", () => {
+    const stored: UIMessage[] = [userMsg("u-1", "hi")];
+    const mutated = upsertIncomingMessage(stored, {
+      trigger: "submit-message",
+      incomingMessages: [],
+    });
+    expect(mutated).toBe(false);
+    expect(stored).toHaveLength(1);
+  });
+
+  it("only inspects the last incoming message (slim wire ships at most one)", () => {
+    const stored: UIMessage[] = [userMsg("u-1", "hi")];
+    const mutated = upsertIncomingMessage(stored, {
+      trigger: "submit-message",
+      incomingMessages: [userMsg("ignored", "ignored"), userMsg("u-3", "new")],
+    });
+    expect(mutated).toBe(true);
+    expect(stored).toHaveLength(2);
+    expect(stored[1]!.id).toBe("u-3");
+  });
+
+  it("pushes when newMsg has no id (no dedup possible)", () => {
+    const stored: UIMessage[] = [userMsg("u-1", "hi")];
+    const incoming = { role: "user", parts: [{ type: "text", text: "no id" }] } as unknown as UIMessage;
+    const mutated = upsertIncomingMessage(stored, {
+      trigger: "submit-message",
+      incomingMessages: [incoming],
+    });
+    expect(mutated).toBe(true);
+    expect(stored).toHaveLength(2);
+  });
+
+  it("accepts the full hydrateMessages event without re-packaging", () => {
+    // Customers can pass the destructured event directly — the helper
+    // only reads `trigger` + `incomingMessages` but ignores any other
+    // fields the event happens to carry.
+    const stored: UIMessage[] = [];
+    const event = {
+      chatId: "chat-1",
+      turn: 0,
+      trigger: "submit-message" as const,
+      incomingMessages: [userMsg("u-1", "hi")],
+      previousMessages: [],
+      continuation: false,
+    };
+    const mutated = upsertIncomingMessage(stored, event);
+    expect(mutated).toBe(true);
+    expect(stored).toHaveLength(1);
+  });
+});
+
+describe("slimSubmitMessageForWire", () => {
+  it("passes user messages through unchanged", () => {
+    const userMsg: UIMessage = {
+      id: "u-1",
+      role: "user",
+      parts: [{ type: "text", text: "hello" }],
+    };
+    expect(slimSubmitMessageForWire(userMsg)).toBe(userMsg);
+  });
+
+  it("passes assistant messages with no resolved tool parts through unchanged", () => {
+    const assistantMsg: UIMessage = {
+      id: "a-1",
+      role: "assistant",
+      parts: [
+        { type: "text", text: "thinking..." },
+        {
+          type: "tool-search",
+          toolCallId: "tc-1",
+          state: "input-available",
+          input: { q: "x" },
+        } as never,
+      ],
+    };
+    expect(slimSubmitMessageForWire(assistantMsg)).toBe(assistantMsg);
+  });
+
+  it("slims output-available HITL continuation to {type, toolCallId, state, output}", () => {
+    const assistantMsg: UIMessage = {
+      id: "a-1",
+      role: "assistant",
+      parts: [
+        { type: "text", text: "let me search" },
+        { type: "reasoning", text: "long reasoning blob..." } as never,
+        {
+          type: "tool-search",
+          toolCallId: "tc-1",
+          state: "output-available",
+          input: { q: "very long query".repeat(1000) },
+          output: { hits: 7 },
+        } as never,
+      ],
+    };
+    const slim = slimSubmitMessageForWire(assistantMsg);
+    expect(slim).toEqual({
+      id: "a-1",
+      role: "assistant",
+      parts: [
+        {
+          type: "tool-search",
+          toolCallId: "tc-1",
+          state: "output-available",
+          output: { hits: 7 },
+        },
+      ],
+    });
+    // The slim drops `input` (server has it via hydrate/snapshot) — the
+    // wire is much smaller than the original.
+    expect(JSON.stringify(slim).length).toBeLessThan(JSON.stringify(assistantMsg).length / 50);
+  });
+
+  it("slims output-error to {type, toolCallId, state, errorText}", () => {
+    const assistantMsg: UIMessage = {
+      id: "a-1",
+      role: "assistant",
+      parts: [
+        {
+          type: "tool-search",
+          toolCallId: "tc-1",
+          state: "output-error",
+          input: { q: "x" },
+          errorText: "boom",
+        } as never,
+      ],
+    };
+    expect(slimSubmitMessageForWire(assistantMsg)).toEqual({
+      id: "a-1",
+      role: "assistant",
+      parts: [
+        {
+          type: "tool-search",
+          toolCallId: "tc-1",
+          state: "output-error",
+          errorText: "boom",
+        },
+      ],
+    });
+  });
+
+  it("slims approval-responded to {type, toolCallId, state, approval}", () => {
+    const assistantMsg: UIMessage = {
+      id: "a-1",
+      role: "assistant",
+      parts: [
+        {
+          type: "tool-delete",
+          toolCallId: "tc-1",
+          state: "approval-responded",
+          input: { path: "/critical" },
+          approval: { id: "appr_1", approved: true, reason: "looks fine" },
+        } as never,
+      ],
+    };
+    expect(slimSubmitMessageForWire(assistantMsg)).toEqual({
+      id: "a-1",
+      role: "assistant",
+      parts: [
+        {
+          type: "tool-delete",
+          toolCallId: "tc-1",
+          state: "approval-responded",
+          approval: { id: "appr_1", approved: true, reason: "looks fine" },
+        },
+      ],
+    });
+  });
+
+  it("slims dynamic-tool parts and preserves toolName", () => {
+    const assistantMsg: UIMessage = {
+      id: "a-1",
+      role: "assistant",
+      parts: [
+        {
+          type: "dynamic-tool",
+          toolName: "dyn-search",
+          toolCallId: "tc-1",
+          state: "output-available",
+          input: { q: "x" },
+          output: { hits: 1 },
+        } as never,
+      ],
+    };
+    expect(slimSubmitMessageForWire(assistantMsg)).toEqual({
+      id: "a-1",
+      role: "assistant",
+      parts: [
+        {
+          type: "dynamic-tool",
+          toolName: "dyn-search",
+          toolCallId: "tc-1",
+          state: "output-available",
+          output: { hits: 1 },
+        },
+      ],
+    });
+  });
+
+  it("only slims the advanced tool parts when an assistant has mixed states", () => {
+    const assistantMsg: UIMessage = {
+      id: "a-1",
+      role: "assistant",
+      parts: [
+        { type: "text", text: "thinking" },
+        {
+          type: "tool-search",
+          toolCallId: "tc-resolved",
+          state: "output-available",
+          input: { q: "x" },
+          output: { hits: 1 },
+        } as never,
+        {
+          type: "tool-askUser",
+          toolCallId: "tc-still-pending",
+          state: "input-available",
+          input: { q: "ok?" },
+        } as never,
+      ],
+    };
+    const slim = slimSubmitMessageForWire(assistantMsg);
+    expect(slim?.parts).toHaveLength(1);
+    expect((slim?.parts?.[0] as any).toolCallId).toBe("tc-resolved");
+  });
+
+  it("handles undefined input", () => {
+    expect(slimSubmitMessageForWire(undefined)).toBeUndefined();
+  });
+});
+
+describe("ChatTaskWirePayload (compile-time shape)", () => {
+  it("does NOT have a `messages` array field (slim wire removed it)", () => {
+    // If a future edit reintroduces `messages: TMessage[]`, this assertion
+    // forces a compile error rather than letting the wire silently grow
+    // back.
+    type WirePayloadKeys = keyof ChatTaskWirePayload;
+    expectTypeOf<WirePayloadKeys>().not.toEqualTypeOf<"messages" | Exclude<WirePayloadKeys, "messages">>();
+    // Also confirm the absence at the value level — a payload literal
+    // with `messages` would be a TS error if uncommented:
+    //
+    //   const bad: ChatTaskWirePayload = { messages: [], chatId: "x", trigger: "submit-message" };
+    //
+    // Leaving as a comment for clarity; the type assertion above is the
+    // load-bearing check.
+  });
+
+  it("has `message?: UIMessage` (singular, optional)", () => {
+    expectTypeOf<ChatTaskWirePayload["message"]>().toEqualTypeOf<UIMessage | undefined>();
+  });
+
+  it("has `headStartMessages?: UIMessage[]` (escape hatch)", () => {
+    expectTypeOf<ChatTaskWirePayload["headStartMessages"]>().toEqualTypeOf<
+      UIMessage[] | undefined
+    >();
+  });
+
+  it("requires `chatId: string` and `trigger: <one of>`", () => {
+    expectTypeOf<ChatTaskWirePayload["chatId"]>().toEqualTypeOf<string>();
+    expectTypeOf<ChatTaskWirePayload["trigger"]>().toEqualTypeOf<
+      | "submit-message"
+      | "regenerate-message"
+      | "preload"
+      | "close"
+      | "action"
+      | "handover-prepare"
+    >();
+  });
+});
+
+describe("ChatInputChunk envelope", () => {
+  it("wraps a wire payload in `kind: \"message\"` shape", () => {
+    const userMsg: UIMessage = {
+      id: "u-1",
+      role: "user",
+      parts: [{ type: "text", text: "hello" }],
+    };
+    const chunk: ChatInputChunk = {
+      kind: "message",
+      payload: {
+        message: userMsg,
+        chatId: "chat-1",
+        trigger: "submit-message",
+      },
+    };
+
+    const decoded = JSON.parse(JSON.stringify(chunk)) as ChatInputChunk;
+    expect(decoded.kind).toBe("message");
+    if (decoded.kind === "message") {
+      expect(decoded.payload.message).toEqual(userMsg);
+    }
+  });
+
+  it("supports `kind: \"stop\"` records (no payload)", () => {
+    const chunk: ChatInputChunk = { kind: "stop", message: "user-canceled" };
+    const decoded = JSON.parse(JSON.stringify(chunk)) as ChatInputChunk;
+    expect(decoded.kind).toBe("stop");
+    if (decoded.kind === "stop") {
+      expect(decoded.message).toBe("user-canceled");
+    }
+  });
+
+  it("supports `kind: \"handover\"` records (with partialAssistantMessage)", () => {
+    const chunk: ChatInputChunk = {
+      kind: "handover",
+      partialAssistantMessage: [
+        { role: "assistant", content: [{ type: "text", text: "partial" }] },
+      ],
+      messageId: "a-1",
+      isFinal: false,
+    };
+    const decoded = JSON.parse(JSON.stringify(chunk)) as ChatInputChunk;
+    expect(decoded.kind).toBe("handover");
+  });
+
+  it("supports `kind: \"handover-skip\"` records", () => {
+    const chunk: ChatInputChunk = { kind: "handover-skip" };
+    const decoded = JSON.parse(JSON.stringify(chunk)) as ChatInputChunk;
+    expect(decoded.kind).toBe("handover-skip");
+  });
+});
diff --git a/packages/trigger-sdk/tsconfig.ai-v7.json b/packages/trigger-sdk/tsconfig.ai-v7.json
new file mode 100644
index 00000000000..037fd22e401
--- /dev/null
+++ b/packages/trigger-sdk/tsconfig.ai-v7.json
@@ -0,0 +1,21 @@
+{
+  // Typechecks the SDK source against AI SDK 7 (the `ai-v7` aliased devDep)
+  // instead of the v6 build devDep, so CI catches any internal source that only
+  // compiles against one major. The published dist is still built once against
+  // v6 — `ai` types in the `.d.ts` resolve to each consumer's own version.
+  //
+  // `paths` points at the `.d.ts` file directly (not the package dir): under
+  // `moduleResolution: NodeNext` the package-dir form silently falls back to the
+  // real installed `ai`, which would make this pass a no-op.
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    // noEmit-only gate: disable composite/incremental so this pass never writes or
+    // reads a .tsbuildinfo and can't replay stale module resolution across runs.
+    "composite": false,
+    "incremental": false,
+    "baseUrl": ".",
+    "paths": {
+      "ai": ["./node_modules/ai-v7/dist/index.d.ts"]
+    }
+  }
+}
diff --git a/patches/@remix-run__router@1.23.2.patch b/patches/@remix-run__router@1.23.2.patch
new file mode 100644
index 00000000000..7ffe58edeae
--- /dev/null
+++ b/patches/@remix-run__router@1.23.2.patch
@@ -0,0 +1,69 @@
+diff --git a/dist/router.cjs.js b/dist/router.cjs.js
+index e634d45fee327b5f9ef63eee8dc1da39b07c79d4..ce1cf6c599e7efa82d51b63d26c0c92e82931083 100644
+--- a/dist/router.cjs.js
++++ b/dist/router.cjs.js
+@@ -746,6 +746,11 @@ function convertRoutesToDataRoutes(routes, mapRouteProperties, parentPath, manif
+  *
+  * @see https://reactrouter.com/v6/utils/match-routes
+  */
++// trigger.dev perf patch — memoize per-request route matching. See patches/README.md
++// (backports the idea in react-router PR #14866, which was closed in favor of the partial
++// fix #14967; maintainer suggested patch-package until the Remix 3 route-pattern rewrite).
++let __branchCache = new WeakMap();
++let __compileCache = new Map();
+ function matchRoutes(routes, locationArg, basename) {
+   if (basename === void 0) {
+     basename = "/";
+@@ -758,17 +763,17 @@ function matchRoutesImpl(routes, locationArg, basename, allowPartial) {
+   if (pathname == null) {
+     return null;
+   }
+-  let branches = flattenRoutes(routes);
+-  rankRouteBranches(branches);
++  // flatten+rank depend only on `routes` (static) — cache per route-tree ref.
++  let branches = __branchCache.get(routes);
++  if (!branches) {
++    branches = flattenRoutes(routes);
++    rankRouteBranches(branches);
++    __branchCache.set(routes, branches);
++  }
+   let matches = null;
++  // decodePath(pathname) is loop-invariant — hoisted out (was recomputed per branch).
++  let decoded = decodePath(pathname);
+   for (let i = 0; matches == null && i < branches.length; ++i) {
+-    // Incoming pathnames are generally encoded from either window.location
+-    // or from router.navigate, but we want to match against the unencoded
+-    // paths in the route definitions.  Memory router locations won't be
+-    // encoded here but there also shouldn't be anything to decode so this
+-    // should be a safe operation.  This avoids needing matchRoutes to be
+-    // history-aware.
+-    let decoded = decodePath(pathname);
+     matches = matchRouteBranch(branches[i], decoded, allowPartial);
+   }
+   return matches;
+@@ -1078,6 +1083,12 @@ function compilePath(path, caseSensitive, end) {
+   if (end === void 0) {
+     end = true;
+   }
++  // perf patch: cache the compiled [regexp, params] by pattern (see patches/README.md).
++  let __ck = path + "\0" + caseSensitive + "\0" + end;
++  let __cc = __compileCache.get(__ck);
++  if (__cc !== void 0) {
++    return __cc;
++  }
+   warning(path === "*" || !path.endsWith("*") || path.endsWith("/*"), "Route path \"" + path + "\" will be treated as if it were " + ("\"" + path.replace(/\*$/, "/*") + "\" because the `*` character must ") + "always follow a `/` in the pattern. To get rid of this warning, " + ("please change the route path to \"" + path.replace(/\*$/, "/*") + "\"."));
+   let params = [];
+   let regexpSource = "^" + path.replace(/\/*\*?$/, "") // Ignore trailing / and /*, we'll handle it below
+@@ -1110,7 +1121,11 @@ function compilePath(path, caseSensitive, end) {
+     regexpSource += "(?:(?=\\/|$))";
+   } else ;
+   let matcher = new RegExp(regexpSource, caseSensitive ? undefined : "i");
+-  return [matcher, params];
++  let __res = [matcher, params];
++  // Bounded: route patterns are a static set; the cap guards any dynamic matchPath() use.
++  if (__compileCache.size >= 2000) __compileCache.clear();
++  __compileCache.set(__ck, __res);
++  return __res;
+ }
+ function decodePath(value) {
+   try {
diff --git a/patches/@window-splitter__state@0.4.1.patch b/patches/@window-splitter__state@0.4.1.patch
deleted file mode 100644
index 8d99b717ba8..00000000000
--- a/patches/@window-splitter__state@0.4.1.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-diff --git a/dist/commonjs/index.js b/dist/commonjs/index.js
-index acb542b1b71a7e808173d938d16f45a484334f94..dc9289461b761f8f0d5c72919f48f94e394addfd 100644
---- a/dist/commonjs/index.js
-+++ b/dist/commonjs/index.js
-@@ -107,6 +107,9 @@ function prepareSnapshot(snapshot) {
-             if (item.max && item.max !== "1fr") {
-                 item.max.value = new big_js_1.default(item.max.value);
-             }
-+            if (item.default && typeof item.default === "object" && item.default.value !== undefined) {
-+                item.default.value = new big_js_1.default(item.default.value);
-+            }
-         }
-         else {
-             item.size.value = new big_js_1.default(item.size.value);
-diff --git a/dist/esm/index.js b/dist/esm/index.js
-index 8891ac0141135a3a885bd704d9d443458c7a01bf..34cd7251f2298e7f9bfedfe4cadb797aa790b59a 100644
---- a/dist/esm/index.js
-+++ b/dist/esm/index.js
-@@ -81,6 +81,9 @@ export function prepareSnapshot(snapshot) {
-             if (item.max && item.max !== "1fr") {
-                 item.max.value = new Big(item.max.value);
-             }
-+            if (item.default && typeof item.default === "object" && item.default.value !== undefined) {
-+                item.default.value = new Big(item.default.value);
-+            }
-         }
-         else {
-             item.size.value = new Big(item.size.value);
diff --git a/patches/@window-splitter__state@1.1.3.patch b/patches/@window-splitter__state@1.1.3.patch
new file mode 100644
index 00000000000..91397bdac9f
--- /dev/null
+++ b/patches/@window-splitter__state@1.1.3.patch
@@ -0,0 +1,114 @@
+diff --git a/dist/commonjs/index.js b/dist/commonjs/index.js
+index e3bdcf702702392e9a06c981545f659ee7c5970e..d88ae6b2dc5b4cf1970cb693f58a926bd12a8f45 100644
+--- a/dist/commonjs/index.js
++++ b/dist/commonjs/index.js
+@@ -757,30 +757,14 @@ function updateLayout(context, dragEvent) {
+             panelAfter.onCollapseChange.current(false);
+         }
+     }
+-    const panelBeforeIsAboutToCollapse = panelBefore.currentValue.value.eq(getUnitPixelValue(context, panelBefore.min));
+-    // If the panel was expanded and now is at it's min size, collapse it
+-    if (!dragEvent.disregardCollapseBuffer &&
+-        panelBefore.collapsible &&
+-        panelBeforeIsAboutToCollapse) {
+-        if (panelBefore.onCollapseChange?.current &&
+-            panelBefore.collapseIsControlled &&
+-            !dragEvent.controlled &&
+-            !dragEvent.isVirtual) {
+-            panelBefore.onCollapseChange.current(true);
+-            return { dragOvershoot: newDragOvershoot };
+-        }
+-        // Make it collapsed
+-        panelBefore.collapsed = true;
+-        panelBeforeNewValue = getUnitPixelValue(context, panelBefore.collapsedSize);
+-        // Add the extra space created to the before panel
+-        panelAfterNewValue = panelAfter.currentValue.value.add(panelBeforePreviousValue.minus(panelBeforeNewValue));
+-        if (panelBefore.onCollapseChange?.current &&
+-            !panelBefore.collapseIsControlled &&
+-            !dragEvent.controlled &&
+-            !dragEvent.isVirtual) {
+-            panelBefore.onCollapseChange.current(true);
+-        }
+-    }
++    // Drag-to-collapse is disabled in this fork: every consumer of the
++    // library uses controlled `collapsed` props and triggers collapse
++    // explicitly (close button, ESC, URL change, etc.). The original auto-
++    // collapse-on-drag logic that lived here would notify the parent when a
++    // collapsible panel reached its min during a drag — keeping it for our
++    // (controlled-only) case caused state-machine deadlocks when handlers
++    // were no-ops, so the block is removed entirely. Panels just clamp at
++    // `min` during drag now.
+     panelBefore.currentValue = { type: "pixel", value: panelBeforeNewValue };
+     panelAfter.currentValue = { type: "pixel", value: panelAfterNewValue };
+     const leftoverSpace = new big_js_1.default(getGroupSize(context)).minus(newItems.reduce((acc, b) => acc.add(isPanelData(b) ? b.currentValue.value : b.size.value), new big_js_1.default(0)));
+@@ -940,7 +924,12 @@ function setCookie(name, jsonData) {
+ function getDeltaForEvent(context, event) {
+     const panel = getPanelWithId(context, event.panelId);
+     if (event.type === "expandPanel") {
+-        return new big_js_1.default(panel.sizeBeforeCollapse ?? getUnitPixelValue(context, panel.min)).minus(panel.currentValue.value);
++        // Fall back to `default` before `min` so the first-ever expand of a
++        // panel that started life collapsed lands at its configured default
++        // size rather than getting stuck at `min`.
++        const defaultPx = panel.default ? getUnitPixelValue(context, panel.default) : undefined;
++        const target = panel.sizeBeforeCollapse ?? defaultPx ?? getUnitPixelValue(context, panel.min);
++        return new big_js_1.default(target).minus(panel.currentValue.value);
+     }
+     const collapsedSize = getUnitPixelValue(context, panel.collapsedSize);
+     return panel.currentValue.value.minus(collapsedSize);
+diff --git a/dist/esm/index.js b/dist/esm/index.js
+index f8fddd70c0f1aaed29f2fb0ca0d8093d8ce66335..d1dae8beb1447afca47b91e796b8279135f50c36 100644
+--- a/dist/esm/index.js
++++ b/dist/esm/index.js
+@@ -728,30 +728,14 @@ function updateLayout(context, dragEvent) {
+             panelAfter.onCollapseChange.current(false);
+         }
+     }
+-    const panelBeforeIsAboutToCollapse = panelBefore.currentValue.value.eq(getUnitPixelValue(context, panelBefore.min));
+-    // If the panel was expanded and now is at it's min size, collapse it
+-    if (!dragEvent.disregardCollapseBuffer &&
+-        panelBefore.collapsible &&
+-        panelBeforeIsAboutToCollapse) {
+-        if (panelBefore.onCollapseChange?.current &&
+-            panelBefore.collapseIsControlled &&
+-            !dragEvent.controlled &&
+-            !dragEvent.isVirtual) {
+-            panelBefore.onCollapseChange.current(true);
+-            return { dragOvershoot: newDragOvershoot };
+-        }
+-        // Make it collapsed
+-        panelBefore.collapsed = true;
+-        panelBeforeNewValue = getUnitPixelValue(context, panelBefore.collapsedSize);
+-        // Add the extra space created to the before panel
+-        panelAfterNewValue = panelAfter.currentValue.value.add(panelBeforePreviousValue.minus(panelBeforeNewValue));
+-        if (panelBefore.onCollapseChange?.current &&
+-            !panelBefore.collapseIsControlled &&
+-            !dragEvent.controlled &&
+-            !dragEvent.isVirtual) {
+-            panelBefore.onCollapseChange.current(true);
+-        }
+-    }
++    // Drag-to-collapse is disabled in this fork: every consumer of the
++    // library uses controlled `collapsed` props and triggers collapse
++    // explicitly (close button, ESC, URL change, etc.). The original auto-
++    // collapse-on-drag logic that lived here would notify the parent when a
++    // collapsible panel reached its min during a drag — keeping it for our
++    // (controlled-only) case caused state-machine deadlocks when handlers
++    // were no-ops, so the block is removed entirely. Panels just clamp at
++    // `min` during drag now.
+     panelBefore.currentValue = { type: "pixel", value: panelBeforeNewValue };
+     panelAfter.currentValue = { type: "pixel", value: panelAfterNewValue };
+     const leftoverSpace = new Big(getGroupSize(context)).minus(newItems.reduce((acc, b) => acc.add(isPanelData(b) ? b.currentValue.value : b.size.value), new Big(0)));
+@@ -911,7 +895,12 @@ function setCookie(name, jsonData) {
+ function getDeltaForEvent(context, event) {
+     const panel = getPanelWithId(context, event.panelId);
+     if (event.type === "expandPanel") {
+-        return new Big(panel.sizeBeforeCollapse ?? getUnitPixelValue(context, panel.min)).minus(panel.currentValue.value);
++        // Fall back to `default` before `min` so the first-ever expand of a
++        // panel that started life collapsed lands at its configured default
++        // size rather than getting stuck at `min`.
++        const defaultPx = panel.default ? getUnitPixelValue(context, panel.default) : undefined;
++        const target = panel.sizeBeforeCollapse ?? defaultPx ?? getUnitPixelValue(context, panel.min);
++        return new Big(target).minus(panel.currentValue.value);
+     }
+     const collapsedSize = getUnitPixelValue(context, panel.collapsedSize);
+     return panel.currentValue.value.minus(collapsedSize);
diff --git a/patches/README.md b/patches/README.md
new file mode 100644
index 00000000000..5c6db4b9d62
--- /dev/null
+++ b/patches/README.md
@@ -0,0 +1,101 @@
+# Patches
+
+This directory holds [pnpm patches](https://pnpm.io/cli/patch) applied on install via
+`pnpm.patchedDependencies` in the root `package.json`. Each `.patch` is a diff against the
+published package. Most are small and self-explanatory from the diff; the non-obvious ones
+are documented below.
+
+---
+
+## `@remix-run/router@1.23.2` — route-matching memoization
+
+**File:** `patches/@remix-run__router@1.23.2.patch` (patches `dist/router.cjs.js`)
+
+### What it does
+
+Three changes to `matchRoutesImpl` / `compilePath`, all pure memoization of work that
+depends only on the **static** route manifest:
+
+1. **Cache flattened + ranked branches per route-tree** (`WeakMap` keyed by the `routes`
+   ref). `flattenRoutes()` + `rankRouteBranches()` were recomputed on *every* `matchRoutes`
+   call across all ~436 webapp routes.
+2. **Hoist `decodePath(pathname)` out of the branch-match loop** — it's loop-invariant but
+   was recomputed once per branch.
+3. **Memoize `compilePath` compiled regexes** by `path|caseSensitive|end` (bounded `Map`,
+   cap 2000). The matcher RegExp was rebuilt on every `matchPath` call.
+
+### Why
+
+Profiling the realtime runs feed under load (100 concurrent tag feeds, ~425 req/s) found
+**~68% of webapp CPU was spent in react-router's `matchRoutes`** — re-flattening,
+re-ranking, and re-compiling the entire route table on every request. It is **not** a dev
+artifact: there is no `NODE_ENV` gate, and a `NODE_ENV=production` profile was identical
+(67.9% vs 68.3%). The realtime feed's high request rate (each long-poll returns fast and
+immediately re-polls) just amplifies a latent per-request cost that large route tables pay
+everywhere.
+
+Measured on a single instance, same load, before vs after this patch:
+
+| | before | after |
+|---|---|---|
+| active CPU (self-time / window) | 28.3s | 18.5s (**−34%**) |
+| route-matching self-time | 19.2s | 7.5s (**−61%**) |
+| event-loop lag p99 | 322ms | 113ms (**−65%**) |
+| idle headroom | 26% | 52% |
+
+The realtime machinery itself (router/hydrate/serialize/diff) was ~0% — the bottleneck was
+entirely generic Remix request overhead.
+
+### Upstream status (why we patch instead of upgrade)
+
+This is a known, acknowledged inefficiency, and it is **only partially fixed in React
+Router v7** — which we can't adopt without a full Remix 2 → RR7 framework migration.
+
+- [Issue #8653 "Performance issues"](https://github.com/remix-run/react-router/issues/8653)
+  reported it (a user with 12k routes, ~67ms per match) and was closed as a dup of the
+  route-ranking discussion [remix#4786](https://github.com/remix-run/remix/discussions/4786).
+- [PR #14866 "Optimize route matching performance with caching"](https://github.com/remix-run/react-router/pull/14866)
+  implemented *exactly this patch* (hoist `decodePath`, cache `compilePath`, cache
+  flatten/rank), claiming **~80% route-matching CPU reduction on a 400+ route app**. It was
+  **closed, not merged.**
+- [PR #14967 "perf: cache flattened/ranked route branches"](https://github.com/remix-run/react-router/pull/14967)
+  is the partial fix that *did* ship (in v7): it caches only the branches, threaded via a
+  `precomputedBranches` param through the framework's server-runtime (~15% SSR gain). It
+  does **not** cache `compilePath` — that regex rebuild remains even on `main`.
+  ([PR #14971](https://github.com/remix-run/react-router/pull/14971) added client-side wins.)
+
+The maintainer's reasoning for closing the fuller PR (#14866), verbatim:
+
+> "This is great as a `patch-package` optimization for those who want it, but we are
+> actively working on integrating the more performant route-pattern library from Remix 3 so
+> we'd rather just do the right 'fix' and ship the new algorithm instead of trying to
+> band-aide perf improvements to the existing algorithm which was written with a very
+> different set of constraints. Those constraints come from early v6 when it was only
+> declarative mode so route trees were defined at render time and thus had to be
+> re-flattened/re-ranked/re-compiled every time."
+
+So: the re-compute-everything design is a holdover from early React Router v6 declarative
+mode (route trees defined at render time, so recomputing was correct then). The maintainer
+**explicitly endorsed patch-package as the interim approach** and is betting on the Remix 3
+route-pattern rewrite for the real fix. This patch is that sanctioned stopgap — and it also
+includes the `compilePath` cache the merged PR left on the table.
+
+### Safety
+
+Pure memoization of deterministic, internal-only values:
+
+- `flattenRoutes`/`rankRouteBranches` and the compiled regexes depend solely on the static
+  route manifest; the cached values are never returned to or mutated by the framework.
+- The compiled `RegExp` has no `/g` flag, so `.exec()` carries no cross-call state — safe to
+  share under concurrency.
+- The branch cache is a `WeakMap` (collected with its route tree); the compile cache is
+  bounded at 2000 entries (route patterns are a static set; the cap only guards any dynamic
+  `matchPath()` use).
+- Targets the **CJS** build (`dist/router.cjs.js`), which the webapp server loads at runtime
+  (`@remix-run/router` is not bundled into the server build).
+
+### When to remove
+
+Drop this patch if/when the webapp moves to React Router v7+ (which threads
+`precomputedBranches` itself) or the Remix 3 route-pattern matcher lands. Re-profile at that
+point — the `compilePath` cache may still be worth keeping since upstream never added it.
diff --git a/patches/streamdown@2.5.0.patch b/patches/streamdown@2.5.0.patch
new file mode 100644
index 00000000000..c50eb41313f
--- /dev/null
+++ b/patches/streamdown@2.5.0.patch
@@ -0,0 +1,14 @@
+diff --git a/dist/chunk-BO2N2NFS.js b/dist/chunk-BO2N2NFS.js
+index 98d8387007f38ae92dd47bcde203f37cce43db9e..e2c7b7734d862e59716692d76cb17b4e0ee17d76 100644
+--- a/dist/chunk-BO2N2NFS.js
++++ b/dist/chunk-BO2N2NFS.js
+@@ -1,7 +1,7 @@
+ "use client";
+-import {createContext,memo,useContext,useMemo,lazy,isValidElement,useId,useTransition,useRef,useEffect,useState,cloneElement,createElement,useCallback,Suspense}from'react';import {harden}from'rehype-harden';import Yo from'rehype-raw';import kn,{defaultSchema}from'rehype-sanitize';import $s from'remark-gfm';import Ws from'remend';import {visitParents,SKIP}from'unist-util-visit-parents';import {clsx}from'clsx';import {twMerge}from'tailwind-merge';import {jsx,jsxs,Fragment}from'react/jsx-runtime';import {createPortal}from'react-dom';import {toJsxRuntime}from'hast-util-to-jsx-runtime';import {urlAttributes}from'html-url-attributes';import gs from'remark-parse';import bs from'remark-rehype';import {unified}from'unified';import {visit}from'unist-util-visit';import {Lexer}from'marked';var Bn=300,An="300px",On=500;function Rt(e={}){let{immediate:t=false,debounceDelay:o=Bn,rootMargin:n=An,idleTimeout:r=On}=e,[s,a]=useState(false),l=useRef(null),i=useRef(null),d=useRef(null),c=useMemo(()=>u=>{let f=Date.now();return window.setTimeout(()=>{u({didTimeout:false,timeRemaining:()=>Math.max(0,50-(Date.now()-f))});},1)},[]),p=useMemo(()=>typeof window!="undefined"&&window.requestIdleCallback?(u,f)=>window.requestIdleCallback(u,f):c,[c]),m=useMemo(()=>typeof window!="undefined"&&window.cancelIdleCallback?u=>window.cancelIdleCallback(u):u=>{clearTimeout(u);},[]);return useEffect(()=>{if(t){a(true);return}let u=l.current;if(!u)return;i.current&&(clearTimeout(i.current),i.current=null),d.current&&(m(d.current),d.current=null);let f=()=>{i.current&&(clearTimeout(i.current),i.current=null),d.current&&(m(d.current),d.current=null);},h=v=>{d.current=p(w=>{w.timeRemaining()>0||w.didTimeout?(a(true),v.disconnect()):d.current=p(()=>{a(true),v.disconnect();},{timeout:r/2});},{timeout:r});},b=v=>{f(),i.current=window.setTimeout(()=>{var M,H;let w=v.takeRecords();(w.length===0||(H=(M=w.at(-1))==null?void 0:M.isIntersecting)!=null&&H)&&h(v);},o);},g=(v,w)=>{v.isIntersecting?b(w):f();},T=new IntersectionObserver(v=>{for(let w of v)g(w,T);},{rootMargin:n,threshold:0});return T.observe(u),()=>{i.current&&clearTimeout(i.current),d.current&&m(d.current),T.disconnect();}},[t,o,n,r,m,p]),{shouldRender:s,containerRef:l}}var St=/\s/,Fn=/^\s+$/,zn=new Set(["code","pre","svg","math","annotation"]),_n=e=>typeof e=="object"&&e!==null&&"type"in e&&e.type==="element",qn=e=>e.some(t=>_n(t)&&zn.has(t.tagName)),$n=e=>{let t=[],o="",n=false;for(let r of e){let s=St.test(r);s!==n&&o&&(t.push(o),o=""),o+=r,n=s;}return o&&t.push(o),t},Wn=e=>{let t=[],o="";for(let n of e)St.test(n)?o+=n:(o&&(t.push(o),o=""),t.push(n));return o&&t.push(o),t},Zn=(e,t,o,n,r,s)=>{let a=`--sd-animation:sd-${t};--sd-duration:${r?0:o}ms;--sd-easing:${n}`;return s&&(a+=`;--sd-delay:${s}ms`),{type:"element",tagName:"span",properties:{"data-sd-animate":true,style:a},children:[{type:"text",value:e}]}},Xn=(e,t,o,n,r)=>{let s=t.at(-1);if(!(s&&"children"in s))return;if(qn(t))return SKIP;let a=s,l=a.children.indexOf(e);if(l===-1)return;let i=e.value;if(!i.trim()){r.count+=i.length;return}let d=o.sep==="char"?Wn(i):$n(i),c=n.prevContentLength,p=d.map(m=>{let u=r.count;if(r.count+=m.length,Fn.test(m))return {type:"text",value:m};let f=c>0&&u<c,h=f?0:r.newIndex++*o.stagger;return Zn(m,o.animation,o.duration,o.easing,f,h)});return a.children.splice(l,1,...p),l+p.length},Jn=0;function be(e){var s,a,l,i,d;let t={animation:(s=e==null?void 0:e.animation)!=null?s:"fadeIn",duration:(a=e==null?void 0:e.duration)!=null?a:150,easing:(l=e==null?void 0:e.easing)!=null?l:"ease",sep:(i=e==null?void 0:e.sep)!=null?i:"word",stagger:(d=e==null?void 0:e.stagger)!=null?d:40},o={prevContentLength:0,lastRenderCharCount:0},n=Jn++,r=()=>c=>{let p={count:0,newIndex:0};visitParents(c,"text",(m,u)=>Xn(m,u,t,o,p)),o.lastRenderCharCount=p.count,o.prevContentLength=0;};return Object.defineProperty(r,"name",{value:`rehypeAnimate$${n}`}),{name:"animate",type:"animate",rehypePlugin:r,setPrevContentLength(c){o.prevContentLength=c;},getLastRenderCharCount(){let c=o.lastRenderCharCount;return o.lastRenderCharCount=0,c}}}be();var et=createContext(false),tt=()=>useContext(et);var he=(...e)=>twMerge(clsx(e)),Gn=(e,t)=>{if(!e||!t)return t;let o=`${e}:`;return t.split(/\s+/).filter(Boolean).map(n=>n.startsWith(o)?n:`${e}:${n}`).join(" ")},Dt=e=>e?(...t)=>Gn(e,twMerge(clsx(t))):he,W=(e,t,o)=>{let n=typeof t=="string"&&o.startsWith("text/csv")?"\uFEFF":"",r=typeof t=="string"?new Blob([n+t],{type:o}):t,s=URL.createObjectURL(r),a=document.createElement("a");a.href=s,a.download=e,document.body.appendChild(a),a.click(),document.body.removeChild(a),URL.revokeObjectURL(s);};var Ee=createContext(he),y=()=>useContext(Ee);var tr=he("block","before:content-[counter(line)]","before:inline-block","before:[counter-increment:line]","before:w-6","before:mr-4","before:text-[13px]","before:text-right","before:text-muted-foreground/50","before:font-mono","before:select-none"),or=e=>{let t={};for(let o of e.split(";")){let n=o.indexOf(":");if(n>0){let r=o.slice(0,n).trim(),s=o.slice(n+1).trim();r&&s&&(t[r]=s);}}return t},At=memo(({children:e,result:t,language:o,className:n,startLine:r,lineNumbers:s=true,...a})=>{let l=y(),i=useMemo(()=>l(tr),[l]),d=useMemo(()=>{let c={};return t.bg&&(c["--sdm-bg"]=t.bg),t.fg&&(c["--sdm-fg"]=t.fg),t.rootStyle&&Object.assign(c,or(t.rootStyle)),c},[t.bg,t.fg,t.rootStyle]);return jsx("div",{className:l(n,"overflow-x-auto rounded-md border border-border bg-background p-4 text-sm"),"data-language":o,"data-streamdown":"code-block-body",...a,children:jsx("pre",{className:l(n,"bg-[var(--sdm-bg,inherit]","dark:bg-[var(--shiki-dark-bg,var(--sdm-bg,inherit)]"),style:d,children:jsx("code",{className:s?l("[counter-increment:line_0] [counter-reset:line]"):void 0,style:s&&r&&r>1?{counterReset:`line ${r-1}`}:void 0,children:t.tokens.map((c,p)=>jsx("span",{className:s?i:void 0,children:c.length===0||c.length===1&&c[0].content===""?`
++import {createContext,memo,useContext,useMemo,lazy,isValidElement,useId,useTransition,useRef,useEffect,useState,cloneElement,createElement,useCallback,Suspense}from'react';import {HighlightedCodeBlockBody as _HB}from'./highlighted-body-OFNGDK62.js';import {harden}from'rehype-harden';import Yo from'rehype-raw';import kn,{defaultSchema}from'rehype-sanitize';import $s from'remark-gfm';import Ws from'remend';import {visitParents,SKIP}from'unist-util-visit-parents';import {clsx}from'clsx';import {twMerge}from'tailwind-merge';import {jsx,jsxs,Fragment}from'react/jsx-runtime';import {createPortal}from'react-dom';import {toJsxRuntime}from'hast-util-to-jsx-runtime';import {urlAttributes}from'html-url-attributes';import gs from'remark-parse';import bs from'remark-rehype';import {unified}from'unified';import {visit}from'unist-util-visit';import {Lexer}from'marked';var Bn=300,An="300px",On=500;function Rt(e={}){let{immediate:t=false,debounceDelay:o=Bn,rootMargin:n=An,idleTimeout:r=On}=e,[s,a]=useState(false),l=useRef(null),i=useRef(null),d=useRef(null),c=useMemo(()=>u=>{let f=Date.now();return window.setTimeout(()=>{u({didTimeout:false,timeRemaining:()=>Math.max(0,50-(Date.now()-f))});},1)},[]),p=useMemo(()=>typeof window!="undefined"&&window.requestIdleCallback?(u,f)=>window.requestIdleCallback(u,f):c,[c]),m=useMemo(()=>typeof window!="undefined"&&window.cancelIdleCallback?u=>window.cancelIdleCallback(u):u=>{clearTimeout(u);},[]);return useEffect(()=>{if(t){a(true);return}let u=l.current;if(!u)return;i.current&&(clearTimeout(i.current),i.current=null),d.current&&(m(d.current),d.current=null);let f=()=>{i.current&&(clearTimeout(i.current),i.current=null),d.current&&(m(d.current),d.current=null);},h=v=>{d.current=p(w=>{w.timeRemaining()>0||w.didTimeout?(a(true),v.disconnect()):d.current=p(()=>{a(true),v.disconnect();},{timeout:r/2});},{timeout:r});},b=v=>{f(),i.current=window.setTimeout(()=>{var M,H;let w=v.takeRecords();(w.length===0||(H=(M=w.at(-1))==null?void 0:M.isIntersecting)!=null&&H)&&h(v);},o);},g=(v,w)=>{v.isIntersecting?b(w):f();},T=new IntersectionObserver(v=>{for(let w of v)g(w,T);},{rootMargin:n,threshold:0});return T.observe(u),()=>{i.current&&clearTimeout(i.current),d.current&&m(d.current),T.disconnect();}},[t,o,n,r,m,p]),{shouldRender:s,containerRef:l}}var St=/\s/,Fn=/^\s+$/,zn=new Set(["code","pre","svg","math","annotation"]),_n=e=>typeof e=="object"&&e!==null&&"type"in e&&e.type==="element",qn=e=>e.some(t=>_n(t)&&zn.has(t.tagName)),$n=e=>{let t=[],o="",n=false;for(let r of e){let s=St.test(r);s!==n&&o&&(t.push(o),o=""),o+=r,n=s;}return o&&t.push(o),t},Wn=e=>{let t=[],o="";for(let n of e)St.test(n)?o+=n:(o&&(t.push(o),o=""),t.push(n));return o&&t.push(o),t},Zn=(e,t,o,n,r,s)=>{let a=`--sd-animation:sd-${t};--sd-duration:${r?0:o}ms;--sd-easing:${n}`;return s&&(a+=`;--sd-delay:${s}ms`),{type:"element",tagName:"span",properties:{"data-sd-animate":true,style:a},children:[{type:"text",value:e}]}},Xn=(e,t,o,n,r)=>{let s=t.at(-1);if(!(s&&"children"in s))return;if(qn(t))return SKIP;let a=s,l=a.children.indexOf(e);if(l===-1)return;let i=e.value;if(!i.trim()){r.count+=i.length;return}let d=o.sep==="char"?Wn(i):$n(i),c=n.prevContentLength,p=d.map(m=>{let u=r.count;if(r.count+=m.length,Fn.test(m))return {type:"text",value:m};let f=c>0&&u<c,h=f?0:r.newIndex++*o.stagger;return Zn(m,o.animation,o.duration,o.easing,f,h)});return a.children.splice(l,1,...p),l+p.length},Jn=0;function be(e){var s,a,l,i,d;let t={animation:(s=e==null?void 0:e.animation)!=null?s:"fadeIn",duration:(a=e==null?void 0:e.duration)!=null?a:150,easing:(l=e==null?void 0:e.easing)!=null?l:"ease",sep:(i=e==null?void 0:e.sep)!=null?i:"word",stagger:(d=e==null?void 0:e.stagger)!=null?d:40},o={prevContentLength:0,lastRenderCharCount:0},n=Jn++,r=()=>c=>{let p={count:0,newIndex:0};visitParents(c,"text",(m,u)=>Xn(m,u,t,o,p)),o.lastRenderCharCount=p.count,o.prevContentLength=0;};return Object.defineProperty(r,"name",{value:`rehypeAnimate$${n}`}),{name:"animate",type:"animate",rehypePlugin:r,setPrevContentLength(c){o.prevContentLength=c;},getLastRenderCharCount(){let c=o.lastRenderCharCount;return o.lastRenderCharCount=0,c}}}be();var et=createContext(false),tt=()=>useContext(et);var he=(...e)=>twMerge(clsx(e)),Gn=(e,t)=>{if(!e||!t)return t;let o=`${e}:`;return t.split(/\s+/).filter(Boolean).map(n=>n.startsWith(o)?n:`${e}:${n}`).join(" ")},Dt=e=>e?(...t)=>Gn(e,twMerge(clsx(t))):he,W=(e,t,o)=>{let n=typeof t=="string"&&o.startsWith("text/csv")?"\uFEFF":"",r=typeof t=="string"?new Blob([n+t],{type:o}):t,s=URL.createObjectURL(r),a=document.createElement("a");a.href=s,a.download=e,document.body.appendChild(a),a.click(),document.body.removeChild(a),URL.revokeObjectURL(s);};var Ee=createContext(he),y=()=>useContext(Ee);var tr=he("block","before:content-[counter(line)]","before:inline-block","before:[counter-increment:line]","before:w-6","before:mr-4","before:text-[13px]","before:text-right","before:text-muted-foreground/50","before:font-mono","before:select-none"),or=e=>{let t={};for(let o of e.split(";")){let n=o.indexOf(":");if(n>0){let r=o.slice(0,n).trim(),s=o.slice(n+1).trim();r&&s&&(t[r]=s);}}return t},At=memo(({children:e,result:t,language:o,className:n,startLine:r,lineNumbers:s=true,...a})=>{let l=y(),i=useMemo(()=>l(tr),[l]),d=useMemo(()=>{let c={};return t.bg&&(c["--sdm-bg"]=t.bg),t.fg&&(c["--sdm-fg"]=t.fg),t.rootStyle&&Object.assign(c,or(t.rootStyle)),c},[t.bg,t.fg,t.rootStyle]);return jsx("div",{className:l(n,"overflow-x-auto rounded-md border border-border bg-background p-4 text-sm"),"data-language":o,"data-streamdown":"code-block-body",...a,children:jsx("pre",{className:l(n,"bg-[var(--sdm-bg,inherit]","dark:bg-[var(--shiki-dark-bg,var(--sdm-bg,inherit)]"),style:d,children:jsx("code",{className:s?l("[counter-increment:line_0] [counter-reset:line]"):void 0,style:s&&r&&r>1?{counterReset:`line ${r-1}`}:void 0,children:t.tokens.map((c,p)=>jsx("span",{className:s?i:void 0,children:c.length===0||c.length===1&&c[0].content===""?`
+ `:c.map((m,u)=>{let f={},h=!!m.bgColor;if(m.color&&(f["--sdm-c"]=m.color),m.bgColor&&(f["--sdm-tbg"]=m.bgColor),m.htmlStyle)for(let[b,g]of Object.entries(m.htmlStyle))b==="color"?f["--sdm-c"]=g:b==="background-color"?(f["--sdm-tbg"]=g,h=true):f[b]=g;return jsx("span",{className:l("text-[var(--sdm-c,inherit)]","dark:text-[var(--shiki-dark,var(--sdm-c,inherit))]",h&&"bg-[var(--sdm-tbg)]",h&&"dark:bg-[var(--shiki-dark-bg,var(--sdm-tbg))]"),style:f,...m.htmlAttrs,children:m.content},u)})},p))})})})},(e,t)=>e.result===t.result&&e.language===t.language&&e.className===t.className&&e.startLine===t.startLine&&e.lineNumbers===t.lineNumbers);var ot=({className:e,language:t,style:o,isIncomplete:n,...r})=>{let s=y();return jsx("div",{className:s("my-4 flex w-full flex-col gap-2 rounded-xl border border-border bg-sidebar p-2",e),"data-incomplete":n||void 0,"data-language":t,"data-streamdown":"code-block",style:{contentVisibility:"auto",containIntrinsicSize:"auto 200px",...o},...r})};var nt=createContext({code:""}),He=()=>useContext(nt);var rt=({language:e})=>{let t=y();return jsx("div",{className:t("flex h-8 items-center text-muted-foreground text-xs"),"data-language":e,"data-streamdown":"code-block-header",children:jsx("span",{className:t("ml-1 font-mono lowercase"),children:e})})};var lr=e=>{let t=e.length;for(;t>0&&e[t-1]===`
+-`;)t--;return e.slice(0,t)},cr=lazy(()=>import('./highlighted-body-OFNGDK62.js').then(e=>({default:e.HighlightedCodeBlockBody}))),st=({code:e,language:t,className:o,children:n,isIncomplete:r=false,startLine:s,lineNumbers:a,...l})=>{let i=y(),d=useMemo(()=>lr(e),[e]),c=useMemo(()=>({bg:"transparent",fg:"inherit",tokens:d.split(`
++`;)t--;return e.slice(0,t)},cr=_HB,st=({code:e,language:t,className:o,children:n,isIncomplete:r=false,startLine:s,lineNumbers:a,...l})=>{let i=y(),d=useMemo(()=>lr(e),[e]),c=useMemo(()=>({bg:"transparent",fg:"inherit",tokens:d.split(`
+ `).map(p=>[{content:p,color:"inherit",bgColor:"transparent",htmlStyle:{},offset:0}])}),[d]);return jsx(nt.Provider,{value:{code:e},children:jsxs(ot,{isIncomplete:r,language:t,children:[jsx(rt,{language:t}),n?jsx("div",{className:i("pointer-events-none sticky top-2 z-10 -mt-10 flex h-8 items-center justify-end"),children:jsx("div",{className:i("pointer-events-auto flex shrink-0 items-center gap-2 rounded-md border border-sidebar bg-sidebar/80 px-1.5 py-1 supports-[backdrop-filter]:bg-sidebar/70 supports-[backdrop-filter]:backdrop-blur"),"data-streamdown":"code-block-actions",children:n})}):null,jsx(Suspense,{fallback:jsx(At,{className:o,language:t,lineNumbers:a,result:c,startLine:s,...l}),children:jsx(cr,{className:o,code:d,language:t,lineNumbers:a,raw:c,startLine:s,...l})})]})})};var jt=e=>jsx("svg",{color:"currentColor",height:16,strokeLinejoin:"round",viewBox:"0 0 16 16",width:16,...e,children:jsx("path",{clipRule:"evenodd",d:"M15.5607 3.99999L15.0303 4.53032L6.23744 13.3232C5.55403 14.0066 4.44599 14.0066 3.76257 13.3232L4.2929 12.7929L3.76257 13.3232L0.969676 10.5303L0.439346 9.99999L1.50001 8.93933L2.03034 9.46966L4.82323 12.2626C4.92086 12.3602 5.07915 12.3602 5.17678 12.2626L13.9697 3.46966L14.5 2.93933L15.5607 3.99999Z",fill:"currentColor",fillRule:"evenodd"})}),Ft=e=>jsx("svg",{color:"currentColor",height:16,strokeLinejoin:"round",viewBox:"0 0 16 16",width:16,...e,children:jsx("path",{clipRule:"evenodd",d:"M2.75 0.5C1.7835 0.5 1 1.2835 1 2.25V9.75C1 10.7165 1.7835 11.5 2.75 11.5H3.75H4.5V10H3.75H2.75C2.61193 10 2.5 9.88807 2.5 9.75V2.25C2.5 2.11193 2.61193 2 2.75 2H8.25C8.38807 2 8.5 2.11193 8.5 2.25V3H10V2.25C10 1.2835 9.2165 0.5 8.25 0.5H2.75ZM7.75 4.5C6.7835 4.5 6 5.2835 6 6.25V13.75C6 14.7165 6.7835 15.5 7.75 15.5H13.25C14.2165 15.5 15 14.7165 15 13.75V6.25C15 5.2835 14.2165 4.5 13.25 4.5H7.75ZM7.5 6.25C7.5 6.11193 7.61193 6 7.75 6H13.25C13.3881 6 13.5 6.11193 13.5 6.25V13.75C13.5 13.8881 13.3881 14 13.25 14H7.75C7.61193 14 7.5 13.8881 7.5 13.75V6.25Z",fill:"currentColor",fillRule:"evenodd"})}),zt=e=>jsx("svg",{color:"currentColor",height:16,strokeLinejoin:"round",viewBox:"0 0 16 16",width:16,...e,children:jsx("path",{clipRule:"evenodd",d:"M8.75 1V1.75V8.68934L10.7197 6.71967L11.25 6.18934L12.3107 7.25L11.7803 7.78033L8.70711 10.8536C8.31658 11.2441 7.68342 11.2441 7.29289 10.8536L4.21967 7.78033L3.68934 7.25L4.75 6.18934L5.28033 6.71967L7.25 8.68934V1.75V1H8.75ZM13.5 9.25V13.5H2.5V9.25V8.5H1V9.25V14C1 14.5523 1.44771 15 2 15H14C14.5523 15 15 14.5523 15 14V9.25V8.5H13.5V9.25Z",fill:"currentColor",fillRule:"evenodd"})}),_t=e=>jsxs("svg",{color:"currentColor",height:16,strokeLinejoin:"round",viewBox:"0 0 16 16",width:16,...e,children:[jsx("path",{d:"M8 0V4",stroke:"currentColor",strokeWidth:"1.5"}),jsx("path",{d:"M8 16V12",opacity:"0.5",stroke:"currentColor",strokeWidth:"1.5"}),jsx("path",{d:"M3.29773 1.52783L5.64887 4.7639",opacity:"0.9",stroke:"currentColor",strokeWidth:"1.5"}),jsx("path",{d:"M12.7023 1.52783L10.3511 4.7639",opacity:"0.1",stroke:"currentColor",strokeWidth:"1.5"}),jsx("path",{d:"M12.7023 14.472L10.3511 11.236",opacity:"0.4",stroke:"currentColor",strokeWidth:"1.5"}),jsx("path",{d:"M3.29773 14.472L5.64887 11.236",opacity:"0.6",stroke:"currentColor",strokeWidth:"1.5"}),jsx("path",{d:"M15.6085 5.52783L11.8043 6.7639",opacity:"0.2",stroke:"currentColor",strokeWidth:"1.5"}),jsx("path",{d:"M0.391602 10.472L4.19583 9.23598",opacity:"0.7",stroke:"currentColor",strokeWidth:"1.5"}),jsx("path",{d:"M15.6085 10.4722L11.8043 9.2361",opacity:"0.3",stroke:"currentColor",strokeWidth:"1.5"}),jsx("path",{d:"M0.391602 5.52783L4.19583 6.7639",opacity:"0.8",stroke:"currentColor",strokeWidth:"1.5"})]}),qt=e=>jsx("svg",{color:"currentColor",height:16,strokeLinejoin:"round",viewBox:"0 0 16 16",width:16,...e,children:jsx("path",{clipRule:"evenodd",d:"M1 5.25V6H2.5V5.25V2.5H5.25H6V1H5.25H2C1.44772 1 1 1.44772 1 2V5.25ZM5.25 14.9994H6V13.4994H5.25H2.5V10.7494V9.99939H1V10.7494V13.9994C1 14.5517 1.44772 14.9994 2 14.9994H5.25ZM15 10V10.75V14C15 14.5523 14.5523 15 14 15H10.75H10V13.5H10.75H13.5V10.75V10H15ZM10.75 1H10V2.5H10.75H13.5V5.25V6H15V5.25V2C15 1.44772 14.5523 1 14 1H10.75Z",fill:"currentColor",fillRule:"evenodd"})}),$t=e=>jsx("svg",{color:"currentColor",height:16,strokeLinejoin:"round",viewBox:"0 0 16 16",width:16,...e,children:jsx("path",{clipRule:"evenodd",d:"M13.5 8C13.5 4.96643 11.0257 2.5 7.96452 2.5C5.42843 2.5 3.29365 4.19393 2.63724 6.5H5.25H6V8H5.25H0.75C0.335787 8 0 7.66421 0 7.25V2.75V2H1.5V2.75V5.23347C2.57851 2.74164 5.06835 1 7.96452 1C11.8461 1 15 4.13001 15 8C15 11.87 11.8461 15 7.96452 15C5.62368 15 3.54872 13.8617 2.27046 12.1122L1.828 11.5066L3.03915 10.6217L3.48161 11.2273C4.48831 12.6051 6.12055 13.5 7.96452 13.5C11.0257 13.5 13.5 11.0336 13.5 8Z",fill:"currentColor",fillRule:"evenodd"})}),Wt=e=>jsx("svg",{color:"currentColor",height:16,strokeLinejoin:"round",viewBox:"0 0 16 16",width:16,...e,children:jsx("path",{clipRule:"evenodd",d:"M12.4697 13.5303L13 14.0607L14.0607 13L13.5303 12.4697L9.06065 7.99999L13.5303 3.53032L14.0607 2.99999L13 1.93933L12.4697 2.46966L7.99999 6.93933L3.53032 2.46966L2.99999 1.93933L1.93933 2.99999L2.46966 3.53032L6.93933 7.99999L2.46966 12.4697L1.93933 13L2.99999 14.0607L3.53032 13.5303L7.99999 9.06065L12.4697 13.5303Z",fill:"currentColor",fillRule:"evenodd"})}),Zt=e=>jsx("svg",{color:"currentColor",height:16,strokeLinejoin:"round",viewBox:"0 0 16 16",width:16,...e,children:jsx("path",{clipRule:"evenodd",d:"M13.5 10.25V13.25C13.5 13.3881 13.3881 13.5 13.25 13.5H2.75C2.61193 13.5 2.5 13.3881 2.5 13.25L2.5 2.75C2.5 2.61193 2.61193 2.5 2.75 2.5H5.75H6.5V1H5.75H2.75C1.7835 1 1 1.7835 1 2.75V13.25C1 14.2165 1.7835 15 2.75 15H13.25C14.2165 15 15 14.2165 15 13.25V10.25V9.5H13.5V10.25ZM9 1H9.75H14.2495C14.6637 1 14.9995 1.33579 14.9995 1.75V6.25V7H13.4995V6.25V3.56066L8.53033 8.52978L8 9.06011L6.93934 7.99945L7.46967 7.46912L12.4388 2.5H9.75H9V1Z",fill:"currentColor",fillRule:"evenodd"})}),Xt=e=>jsx("svg",{color:"currentColor",height:16,strokeLinejoin:"round",viewBox:"0 0 16 16",width:16,...e,children:jsx("path",{clipRule:"evenodd",d:"M1.5 6.5C1.5 3.73858 3.73858 1.5 6.5 1.5C9.26142 1.5 11.5 3.73858 11.5 6.5C11.5 9.26142 9.26142 11.5 6.5 11.5C3.73858 11.5 1.5 9.26142 1.5 6.5ZM6.5 0C2.91015 0 0 2.91015 0 6.5C0 10.0899 2.91015 13 6.5 13C8.02469 13 9.42677 12.475 10.5353 11.596L13.9697 15.0303L14.5 15.5607L15.5607 14.5L15.0303 13.9697L11.596 10.5353C12.475 9.42677 13 8.02469 13 6.5C13 2.91015 10.0899 0 6.5 0ZM4.125 5.875H4.75H5.875V4.75V4.125H7.125V4.75V5.875H8.25H8.875V7.125H8.25H7.125V8.25V8.875H5.875V8.25V7.125H4.75H4.125V5.875Z",fill:"currentColor",fillRule:"evenodd"})}),Jt=e=>jsx("svg",{color:"currentColor",height:16,strokeLinejoin:"round",viewBox:"0 0 16 16",width:16,...e,children:jsx("path",{clipRule:"evenodd",d:"M1.5 6.5C1.5 3.73858 3.73858 1.5 6.5 1.5C9.26142 1.5 11.5 3.73858 11.5 6.5C11.5 9.26142 9.26142 11.5 6.5 11.5C3.73858 11.5 1.5 9.26142 1.5 6.5ZM6.5 0C2.91015 0 0 2.91015 0 6.5C0 10.0899 2.91015 13 6.5 13C8.02469 13 9.42677 12.475 10.5353 11.596L13.9697 15.0303L14.5 15.5607L15.5607 14.5L15.0303 13.9697L11.596 10.5353C12.475 9.42677 13 8.02469 13 6.5C13 2.91015 10.0899 0 6.5 0ZM4.125 5.875H4.75H8.25H8.875V7.125H8.25H4.75H4.125V5.875Z",fill:"currentColor",fillRule:"evenodd"})});var we={CheckIcon:jt,CopyIcon:Ft,DownloadIcon:zt,ExternalLinkIcon:Zt,Loader2Icon:_t,Maximize2Icon:qt,RotateCcwIcon:$t,XIcon:Wt,ZoomInIcon:Xt,ZoomOutIcon:Jt},Ut=createContext(we),fr=(e,t)=>{if(e===t)return  true;if(!(e&&t))return e===t;let o=Object.keys(e),n=Object.keys(t);return o.length!==n.length?false:o.every(r=>e[r]===t[r])},at=({icons:e,children:t})=>{let o=useRef(e),n=useRef(e?{...we,...e}:we);fr(o.current,e)||(o.current=e,n.current=e?{...we,...e}:we);let r=n.current;return jsx(Ut.Provider,{value:r,children:t})},L=()=>useContext(Ut);var De={copyCode:"Copy Code",downloadFile:"Download file",downloadDiagram:"Download diagram",downloadDiagramAsSvg:"Download diagram as SVG",downloadDiagramAsPng:"Download diagram as PNG",downloadDiagramAsMmd:"Download diagram as MMD",viewFullscreen:"View fullscreen",exitFullscreen:"Exit fullscreen",mermaidFormatSvg:"SVG",mermaidFormatPng:"PNG",mermaidFormatMmd:"MMD",copyTable:"Copy table",copyTableAsMarkdown:"Copy table as Markdown",copyTableAsCsv:"Copy table as CSV",copyTableAsTsv:"Copy table as TSV",downloadTable:"Download table",downloadTableAsCsv:"Download table as CSV",downloadTableAsMarkdown:"Download table as Markdown",tableFormatMarkdown:"Markdown",tableFormatCsv:"CSV",tableFormatTsv:"TSV",imageNotAvailable:"Image not available",downloadImage:"Download image",openExternalLink:"Open external link?",externalLinkWarning:"You're about to visit an external website.",close:"Close",copyLink:"Copy link",copied:"Copied",openLink:"Open link"},Be=createContext(De),D=()=>useContext(Be);var Ae=({onCopy:e,onError:t,timeout:o=2e3,children:n,className:r,code:s,...a})=>{let l=y(),[i,d]=useState(false),c=useRef(0),{code:p}=He(),{isAnimating:m}=useContext(R),u=D(),f=s!=null?s:p,h=async()=>{var T;if(typeof window=="undefined"||!((T=navigator==null?void 0:navigator.clipboard)!=null&&T.writeText)){t==null||t(new Error("Clipboard API not available"));return}try{i||(await navigator.clipboard.writeText(f),d(!0),e==null||e(),c.current=window.setTimeout(()=>d(!1),o));}catch(v){t==null||t(v);}};useEffect(()=>()=>{window.clearTimeout(c.current);},[]);let b=L(),g=i?b.CheckIcon:b.CopyIcon;return jsx("button",{className:l("cursor-pointer p-1 text-muted-foreground transition-all hover:text-foreground disabled:cursor-not-allowed disabled:opacity-50",r),"data-streamdown":"code-block-copy-button",disabled:m,onClick:h,title:u.copyCode,type:"button",...a,children:n!=null?n:jsx(g,{size:14})})};var Yt={"1c":"1c","1c-query":"1cq",abap:"abap","actionscript-3":"as",ada:"ada",adoc:"adoc","angular-html":"html","angular-ts":"ts",apache:"conf",apex:"cls",apl:"apl",applescript:"applescript",ara:"ara",asciidoc:"adoc",asm:"asm",astro:"astro",awk:"awk",ballerina:"bal",bash:"sh",bat:"bat",batch:"bat",be:"be",beancount:"beancount",berry:"berry",bibtex:"bib",bicep:"bicep",blade:"blade.php",bsl:"bsl",c:"c","c#":"cs","c++":"cpp",cadence:"cdc",cairo:"cairo",cdc:"cdc",clarity:"clar",clj:"clj",clojure:"clj","closure-templates":"soy",cmake:"cmake",cmd:"cmd",cobol:"cob",codeowners:"CODEOWNERS",codeql:"ql",coffee:"coffee",coffeescript:"coffee","common-lisp":"lisp",console:"sh",coq:"v",cpp:"cpp",cql:"cql",crystal:"cr",cs:"cs",csharp:"cs",css:"css",csv:"csv",cue:"cue",cypher:"cql",d:"d",dart:"dart",dax:"dax",desktop:"desktop",diff:"diff",docker:"dockerfile",dockerfile:"dockerfile",dotenv:"env","dream-maker":"dm",edge:"edge",elisp:"el",elixir:"ex",elm:"elm","emacs-lisp":"el",erb:"erb",erl:"erl",erlang:"erl",f:"f","f#":"fs",f03:"f03",f08:"f08",f18:"f18",f77:"f77",f90:"f90",f95:"f95",fennel:"fnl",fish:"fish",fluent:"ftl",for:"for","fortran-fixed-form":"f","fortran-free-form":"f90",fs:"fs",fsharp:"fs",fsl:"fsl",ftl:"ftl",gdresource:"tres",gdscript:"gd",gdshader:"gdshader",genie:"gs",gherkin:"feature","git-commit":"gitcommit","git-rebase":"gitrebase",gjs:"js",gleam:"gleam","glimmer-js":"js","glimmer-ts":"ts",glsl:"glsl",gnuplot:"plt",go:"go",gql:"gql",graphql:"graphql",groovy:"groovy",gts:"gts",hack:"hack",haml:"haml",handlebars:"hbs",haskell:"hs",haxe:"hx",hbs:"hbs",hcl:"hcl",hjson:"hjson",hlsl:"hlsl",hs:"hs",html:"html","html-derivative":"html",http:"http",hxml:"hxml",hy:"hy",imba:"imba",ini:"ini",jade:"jade",java:"java",javascript:"js",jinja:"jinja",jison:"jison",jl:"jl",js:"js",json:"json",json5:"json5",jsonc:"jsonc",jsonl:"jsonl",jsonnet:"jsonnet",jssm:"jssm",jsx:"jsx",julia:"jl",kotlin:"kt",kql:"kql",kt:"kt",kts:"kts",kusto:"kql",latex:"tex",lean:"lean",lean4:"lean",less:"less",liquid:"liquid",lisp:"lisp",lit:"lit",llvm:"ll",log:"log",logo:"logo",lua:"lua",luau:"luau",make:"mak",makefile:"mak",markdown:"md",marko:"marko",matlab:"m",md:"md",mdc:"mdc",mdx:"mdx",mediawiki:"wiki",mermaid:"mmd",mips:"s",mipsasm:"s",mmd:"mmd",mojo:"mojo",move:"move",nar:"nar",narrat:"narrat",nextflow:"nf",nf:"nf",nginx:"conf",nim:"nim",nix:"nix",nu:"nu",nushell:"nu",objc:"m","objective-c":"m","objective-cpp":"mm",ocaml:"ml",pascal:"pas",perl:"pl",perl6:"p6",php:"php",plsql:"pls",po:"po",polar:"polar",postcss:"pcss",pot:"pot",potx:"potx",powerquery:"pq",powershell:"ps1",prisma:"prisma",prolog:"pl",properties:"properties",proto:"proto",protobuf:"proto",ps:"ps",ps1:"ps1",pug:"pug",puppet:"pp",purescript:"purs",py:"py",python:"py",ql:"ql",qml:"qml",qmldir:"qmldir",qss:"qss",r:"r",racket:"rkt",raku:"raku",razor:"cshtml",rb:"rb",reg:"reg",regex:"regex",regexp:"regexp",rel:"rel",riscv:"s",rs:"rs",rst:"rst",ruby:"rb",rust:"rs",sas:"sas",sass:"sass",scala:"scala",scheme:"scm",scss:"scss",sdbl:"sdbl",sh:"sh",shader:"shader",shaderlab:"shader",shell:"sh",shellscript:"sh",shellsession:"sh",smalltalk:"st",solidity:"sol",soy:"soy",sparql:"rq",spl:"spl",splunk:"spl",sql:"sql","ssh-config":"config",stata:"do",styl:"styl",stylus:"styl",svelte:"svelte",swift:"swift","system-verilog":"sv",systemd:"service",talon:"talon",talonscript:"talon",tasl:"tasl",tcl:"tcl",templ:"templ",terraform:"tf",tex:"tex",tf:"tf",tfvars:"tfvars",toml:"toml",ts:"ts","ts-tags":"ts",tsp:"tsp",tsv:"tsv",tsx:"tsx",turtle:"ttl",twig:"twig",typ:"typ",typescript:"ts",typespec:"tsp",typst:"typ",v:"v",vala:"vala",vb:"vb",verilog:"v",vhdl:"vhdl",vim:"vim",viml:"vim",vimscript:"vim",vue:"vue","vue-html":"html","vue-vine":"vine",vy:"vy",vyper:"vy",wasm:"wasm",wenyan:"wy",wgsl:"wgsl",wiki:"wiki",wikitext:"wiki",wit:"wit",wl:"wl",wolfram:"wl",xml:"xml",xsl:"xsl",yaml:"yaml",yml:"yml",zenscript:"zs",zig:"zig",zsh:"zsh",\u6587\u8A00:"wy"},it=({onDownload:e,onError:t,language:o,children:n,className:r,code:s,...a})=>{let l=y(),{code:i}=He(),{isAnimating:d}=useContext(R),c=D(),p=L(),m=s!=null?s:i,f=`file.${o&&o in Yt?Yt[o]:"txt"}`,h="text/plain",b=()=>{try{W(f,m,h),e==null||e();}catch(g){t==null||t(g);}};return jsx("button",{className:l("cursor-pointer p-1 text-muted-foreground transition-all hover:text-foreground disabled:cursor-not-allowed disabled:opacity-50",r),"data-streamdown":"code-block-download-button",disabled:d,onClick:b,title:c.downloadFile,type:"button",...a,children:n!=null?n:jsx(p.DownloadIcon,{size:14})})};var Oe=()=>{let{Loader2Icon:e}=L(),t=y();return jsxs("div",{className:t("w-full divide-y divide-border overflow-hidden rounded-xl border border-border"),children:[jsx("div",{className:t("h-[46px] w-full bg-muted/80")}),jsx("div",{className:t("flex w-full items-center justify-center p-4"),children:jsx(e,{className:t("size-4 animate-spin")})})]})};var Mr=/\.[^/.]+$/,oo=({node:e,className:t,src:o,alt:n,onLoad:r,onError:s,...a})=>{let{DownloadIcon:l}=L(),i=y(),d=useRef(null),[c,p]=useState(false),[m,u]=useState(false),f=D(),h=a.width!=null||a.height!=null,b=(c||h)&&!m,g=m&&!h;useEffect(()=>{let P=d.current;if(P!=null&&P.complete){let M=P.naturalWidth>0;p(M),u(!M);}},[]);let T=useCallback(P=>{p(true),u(false),r==null||r(P);},[r]),v=useCallback(P=>{p(false),u(true),s==null||s(P);},[s]),w=async()=>{if(o)try{let M=await(await fetch(o)).blob(),S=new URL(o,window.location.origin).pathname.split("/").pop()||"",F=S.split(".").pop(),j=S.includes(".")&&F!==void 0&&F.length<=4,z="";if(j)z=S;else {let B=M.type,_="png";B.includes("jpeg")||B.includes("jpg")?_="jpg":B.includes("png")?_="png":B.includes("svg")?_="svg":B.includes("gif")?_="gif":B.includes("webp")&&(_="webp"),z=`${(n||S||"image").replace(Mr,"")}.${_}`;}W(z,M,M.type);}catch(P){window.open(o,"_blank");}};return o?jsxs("div",{className:i("group relative my-4 inline-block"),"data-streamdown":"image-wrapper",children:[jsx("img",{alt:n,className:i("max-w-full rounded-lg",g&&"hidden",t),"data-streamdown":"image",onError:v,onLoad:T,ref:d,src:o,...a}),g&&jsx("span",{className:i("text-muted-foreground text-xs italic"),"data-streamdown":"image-fallback",children:f.imageNotAvailable}),jsx("div",{className:i("pointer-events-none absolute inset-0 hidden rounded-lg bg-black/10 group-hover:block")}),b&&jsx("button",{className:i("absolute right-2 bottom-2 flex h-8 w-8 cursor-pointer items-center justify-center rounded-md border border-border bg-background/90 shadow-sm backdrop-blur-sm transition-all duration-200 hover:bg-background","opacity-0 group-hover:opacity-100"),onClick:w,title:f.downloadImage,type:"button",children:jsx(l,{size:14})})]}):null};var ke=0,le=()=>{ke+=1,ke===1&&(document.body.style.overflow="hidden");},ce=()=>{ke=Math.max(0,ke-1),ke===0&&(document.body.style.overflow="");};var so=({url:e,isOpen:t,onClose:o,onConfirm:n})=>{let{CheckIcon:r,CopyIcon:s,ExternalLinkIcon:a,XIcon:l}=L(),i=y(),[d,c]=useState(false),p=D(),m=useCallback(async()=>{try{await navigator.clipboard.writeText(e),c(!0),setTimeout(()=>c(!1),2e3);}catch(f){}},[e]),u=useCallback(()=>{n(),o();},[n,o]);return useEffect(()=>{if(t){le();let f=h=>{h.key==="Escape"&&o();};return document.addEventListener("keydown",f),()=>{document.removeEventListener("keydown",f),ce();}}},[t,o]),t?jsx("div",{className:i("fixed inset-0 z-50 flex items-center justify-center bg-background/50 backdrop-blur-sm"),"data-streamdown":"link-safety-modal",onClick:o,onKeyDown:f=>{f.key==="Escape"&&o();},role:"button",tabIndex:0,children:jsxs("div",{className:i("relative mx-4 flex w-full max-w-md flex-col gap-4 rounded-xl border bg-background p-6 shadow-lg"),onClick:f=>f.stopPropagation(),onKeyDown:f=>f.stopPropagation(),role:"presentation",children:[jsx("button",{className:i("absolute top-4 right-4 rounded-md p-1 text-muted-foreground transition-all hover:bg-muted hover:text-foreground"),onClick:o,title:p.close,type:"button",children:jsx(l,{size:16})}),jsxs("div",{className:i("flex flex-col gap-2"),children:[jsxs("div",{className:i("flex items-center gap-2 font-semibold text-lg"),children:[jsx(a,{size:20}),jsx("span",{children:p.openExternalLink})]}),jsx("p",{className:i("text-muted-foreground text-sm"),children:p.externalLinkWarning})]}),jsx("div",{className:i("break-all rounded-md bg-muted p-3 font-mono text-sm",e.length>100&&"max-h-32 overflow-y-auto"),children:e}),jsxs("div",{className:i("flex gap-2"),children:[jsx("button",{className:i("flex flex-1 items-center justify-center gap-2 rounded-md border bg-background px-4 py-2 font-medium text-sm transition-all hover:bg-muted"),onClick:m,type:"button",children:d?jsxs(Fragment,{children:[jsx(r,{size:14}),jsx("span",{children:p.copied})]}):jsxs(Fragment,{children:[jsx(s,{size:14}),jsx("span",{children:p.copyLink})]})}),jsxs("button",{className:i("flex flex-1 items-center justify-center gap-2 rounded-md bg-primary px-4 py-2 font-medium text-primary-foreground text-sm transition-all hover:bg-primary/90"),onClick:u,type:"button",children:[jsx(a,{size:14}),jsx("span",{children:p.openLink})]})]})]})}):null};var Ve=createContext(null),ct=()=>useContext(Ve),Li=()=>{var t;let e=ct();return (t=e==null?void 0:e.code)!=null?t:null},de=()=>{var t;let e=ct();return (t=e==null?void 0:e.mermaid)!=null?t:null};var ao=e=>{var o;let t=ct();return t!=null&&t.renderers&&e&&(o=t.renderers.find(n=>Array.isArray(n.language)?n.language.includes(e):n.language===e))!=null?o:null};var io=(e,t)=>{var n;let o=(n=void 0)!=null?n:5;return new Promise((r,s)=>{let a="data:image/svg+xml;base64,"+btoa(unescape(encodeURIComponent(e))),l=new Image;l.crossOrigin="anonymous",l.onload=()=>{let i=document.createElement("canvas"),d=l.width*o,c=l.height*o;i.width=d,i.height=c;let p=i.getContext("2d");if(!p){s(new Error("Failed to create 2D canvas context for PNG export"));return}p.drawImage(l,0,0,d,c),i.toBlob(m=>{if(!m){s(new Error("Failed to create PNG blob"));return}r(m);},"image/png");},l.onerror=()=>s(new Error("Failed to load SVG image")),l.src=a;})};var co=({chart:e,children:t,className:o,onDownload:n,config:r,onError:s})=>{let a=y(),[l,i]=useState(false),d=useRef(null),{isAnimating:c}=useContext(R),p=L(),m=de(),u=D(),f=async h=>{try{if(h==="mmd"){W("diagram.mmd",e,"text/plain"),i(!1),n==null||n(h);return}if(!m){s==null||s(new Error("Mermaid plugin not available"));return}let b=m.getMermaid(r),g=e.split("").reduce((w,P)=>(w<<5)-w+P.charCodeAt(0)|0,0),T=`mermaid-${Math.abs(g)}-${Date.now()}-${Math.random().toString(36).substring(2,9)}`,{svg:v}=await b.render(T,e);if(!v){s==null||s(new Error("SVG not found. Please wait for the diagram to render."));return}if(h==="svg"){W("diagram.svg",v,"image/svg+xml"),i(!1),n==null||n(h);return}if(h==="png"){let w=await io(v);W("diagram.png",w,"image/png"),n==null||n(h),i(!1);return}}catch(b){s==null||s(b);}};return useEffect(()=>{let h=b=>{let g=b.composedPath();d.current&&!g.includes(d.current)&&i(false);};return document.addEventListener("mousedown",h),()=>{document.removeEventListener("mousedown",h);}},[]),jsxs("div",{className:a("relative"),ref:d,children:[jsx("button",{className:a("cursor-pointer p-1 text-muted-foreground transition-all hover:text-foreground disabled:cursor-not-allowed disabled:opacity-50",o),disabled:c,onClick:()=>i(!l),title:u.downloadDiagram,type:"button",children:t!=null?t:jsx(p.DownloadIcon,{size:14})}),l?jsxs("div",{className:a("absolute top-full right-0 z-10 mt-1 min-w-[120px] overflow-hidden rounded-md border border-border bg-background shadow-lg"),children:[jsx("button",{className:a("w-full px-3 py-2 text-left text-sm transition-colors hover:bg-muted/40"),onClick:()=>f("svg"),title:u.downloadDiagramAsSvg,type:"button",children:u.mermaidFormatSvg}),jsx("button",{className:a("w-full px-3 py-2 text-left text-sm transition-colors hover:bg-muted/40"),onClick:()=>f("png"),title:u.downloadDiagramAsPng,type:"button",children:u.mermaidFormatPng}),jsx("button",{className:a("w-full px-3 py-2 text-left text-sm transition-colors hover:bg-muted/40"),onClick:()=>f("mmd"),title:u.downloadDiagramAsMmd,type:"button",children:u.mermaidFormatMmd})]}):null]})};var fo=({chart:e,config:t,onFullscreen:o,onExit:n,className:r,...s})=>{let{Maximize2Icon:a,XIcon:l}=L(),i=y(),[d,c]=useState(false),{isAnimating:p,controls:m}=useContext(R),u=D(),f=(()=>{if(typeof m=="boolean")return m;let b=m.mermaid;return b===false?false:b===true||b===void 0?true:b.panZoom!==false})(),h=()=>{c(!d);};return useEffect(()=>{if(d){le();let b=g=>{g.key==="Escape"&&c(false);};return document.addEventListener("keydown",b),()=>{document.removeEventListener("keydown",b),ce();}}},[d]),useEffect(()=>{d?o==null||o():n&&n();},[d,o,n]),jsxs(Fragment,{children:[jsx("button",{className:i("cursor-pointer p-1 text-muted-foreground transition-all hover:text-foreground disabled:cursor-not-allowed disabled:opacity-50",r),disabled:p,onClick:h,title:u.viewFullscreen,type:"button",...s,children:jsx(a,{size:14})}),d?createPortal(jsxs("div",{className:i("fixed inset-0 z-50 flex items-center justify-center bg-background/95 backdrop-blur-sm"),onClick:h,onKeyDown:b=>{b.key==="Escape"&&h();},role:"button",tabIndex:0,children:[jsx("button",{className:i("absolute top-4 right-4 z-10 rounded-md p-2 text-muted-foreground transition-all hover:bg-muted hover:text-foreground"),onClick:h,title:u.exitFullscreen,type:"button",children:jsx(l,{size:20})}),jsx("div",{className:i("flex size-full items-center justify-center p-4"),onClick:b=>b.stopPropagation(),onKeyDown:b=>b.stopPropagation(),role:"presentation",children:jsx(po,{chart:e,className:i("size-full [&_svg]:h-auto [&_svg]:w-auto"),config:t,fullscreen:true,showControls:f})})]}),document.body):null]})};var ue=e=>{var s,a;let t=[],o=[],n=e.querySelectorAll("thead th");for(let l of n)t.push(((s=l.textContent)==null?void 0:s.trim())||"");let r=e.querySelectorAll("tbody tr");for(let l of r){let i=[],d=l.querySelectorAll("td");for(let c of d)i.push(((a=c.textContent)==null?void 0:a.trim())||"");o.push(i);}return {headers:t,rows:o}},ne=e=>{let{headers:t,rows:o}=e,n=l=>{let i=false,d=false;for(let c of l){if(c==='"'){i=true,d=true;break}(c===","||c===`
+ `)&&(i=true);}return i?d?`"${l.replace(/"/g,'""')}"`:`"${l}"`:l},r=t.length>0?o.length+1:o.length,s=new Array(r),a=0;t.length>0&&(s[a]=t.map(n).join(","),a+=1);for(let l of o)s[a]=l.map(n).join(","),a+=1;return s.join(`
+ `)},dt=e=>{let{headers:t,rows:o}=e,n=l=>{let i=false;for(let c of l)if(c==="	"||c===`
diff --git a/playwright.config.ts b/playwright.config.ts
index 716756236fe..d8facdbd580 100644
--- a/playwright.config.ts
+++ b/playwright.config.ts
@@ -56,10 +56,5 @@ export default defineConfig({
       url: "http://localhost:3030",
       reuseExistingServer: !process.env.CI,
     },
-    {
-      command: "pnpm run --filter @references/nextjs-test dev",
-      url: "http://localhost:3000",
-      reuseExistingServer: !process.env.CI,
-    },
   ],
 });
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index fd453dd2c43..bc80eb9ba1c 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -8,18 +8,37 @@ overrides:
   typescript: 5.5.4
   '@types/node': 20.14.14
   express@^4>body-parser: 1.20.3
-  '@remix-run/dev@2.1.0>tar-fs': 2.1.3
-  testcontainers@10.28.0>tar-fs: 3.0.9
+  '@remix-run/dev@2.17.4>tar-fs': 2.1.4
+  tar@>=7 <7.5.11: ^7.5.11
   form-data@^2: 2.5.4
   form-data@^3: 3.0.4
   form-data@^4: 4.0.4
-  axios@1.9.0: '>=1.12.0'
   js-yaml@>=3.0.0 <3.14.2: 3.14.2
   js-yaml@>=4.0.0 <4.1.1: 4.1.1
   jws@<3.2.3: 3.2.3
-  qs@>=6.0.0 <6.14.1: 6.14.1
-  systeminformation@>=5.0.0 <5.27.14: 5.27.14
-  lodash@>=4.0.0 <4.17.23: 4.17.23
+  qs@>=6.0.0 <6.15.2: ^6.15.2
+  systeminformation@>=5.0.0 <5.31.0: ^5.31.0
+  lodash@>=4.17 <4.18.0: ^4.18.0
+  lodash-es@>=4.17 <4.18.0: ^4.18.0
+  dompurify@>=3 <3.4.0: ^3.4.1
+  vite@>=5.0.0 <6.4.2: ^6.4.2
+  rollup@>=4 <4.59.0: ^4.59.0
+  flatted@>=3 <3.4.2: ^3.4.2
+  picomatch@>=2 <2.3.2: ^2.3.2
+  picomatch@>=4 <4.0.4: ^4.0.4
+  minimatch@>=3 <3.1.3: ^3.1.3
+  protobufjs@>=7 <7.5.6: ^7.5.6
+  fast-xml-parser@>=4 <4.5.5: ^4.5.5
+  fast-xml-parser@>=5 <5.7.0: ^5.7.0
+  path-to-regexp@>=0.1 <0.1.13: ^0.1.13
+  ajv@>=8 <8.18.0: ^8.18.0
+  socket.io-parser@>=4 <4.2.6: ^4.2.6
+  postcss@>=8 <8.5.10: ^8.5.10
+  yaml@>=2 <2.8.3: ^2.8.3
+  semver@>=5 <5.7.2: ^5.7.2
+  defu@>=6 <6.1.5: ^6.1.5
+  fast-uri@<3.1.2: ^3.1.2
+  fast-xml-builder@<1.1.7: ^1.1.7
 
 patchedDependencies:
   '@changesets/assemble-release-plan@5.2.4':
@@ -28,15 +47,18 @@ patchedDependencies:
   '@kubernetes/client-node@1.0.0':
     hash: ba1a06f46256cdb8d6faf7167246692c0de2e7cd846a9dc0f13be0137e1c3745
     path: patches/@kubernetes__client-node@1.0.0.patch
+  '@remix-run/router@1.23.2':
+    hash: f14fb2af2690628a0164b66d98e8d7cd6a0e8a4a30a51e53cfb1b6caeca6f7c9
+    path: patches/@remix-run__router@1.23.2.patch
   '@sentry/remix@9.46.0':
     hash: 146126b032581925294aaed63ab53ce3f5e0356a755f1763d7a9a76b9846943b
     path: patches/@sentry__remix@9.46.0.patch
   '@upstash/ratelimit@1.1.3':
     hash: e5922e50fbefb7b2b24950c4b1c5c9ddc4cd25464439c9548d2298c432debe74
     path: patches/@upstash__ratelimit.patch
-  '@window-splitter/state@0.4.1':
-    hash: da01382a3c0d3f4f66db5b09d6f0833cc21eaf8db00f97e2c1738797673b57c0
-    path: patches/@window-splitter__state@0.4.1.patch
+  '@window-splitter/state@1.1.3':
+    hash: ecf02927f78361c14d8f8347604fd355ba36f2fc4f9ba9a08cd63adc101b7327
+    path: patches/@window-splitter__state@1.1.3.patch
   antlr4ts@0.5.0-alpha.4:
     hash: b5d41129ddbf7c4cbb0288244b2c8d041ee0803c5102c1181c180408d3b579f4
     path: patches/antlr4ts@0.5.0-alpha.4.patch
@@ -49,6 +71,9 @@ patchedDependencies:
   redlock@5.0.0-beta.2:
     hash: 52b17ac642f5f9776bf05e2229f4dd79588d37b0039d835c7684c478464632f2
     path: patches/redlock@5.0.0-beta.2.patch
+  streamdown@2.5.0:
+    hash: 36211d09153a59c880b6a2bce2a0a0f011c99c73c20c8ceca78cc77e47623f06
+    path: patches/streamdown@2.5.0.patch
 
 importers:
 
@@ -80,17 +105,20 @@ importers:
         specifier: 20.14.14
         version: 20.14.14
       '@vitest/coverage-v8':
-        specifier: 3.1.4
-        version: 3.1.4(vitest@3.1.4(@types/debug@4.1.12)(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1))
+        specifier: 4.1.7
+        version: 4.1.7(vitest@4.1.7)
       autoprefixer:
         specifier: ^10.4.12
-        version: 10.4.13(postcss@8.5.6)
+        version: 10.4.13(postcss@8.5.10)
       eslint-plugin-turbo:
         specifier: ^2.0.4
         version: 2.0.5(eslint@8.31.0)
       lefthook:
         specifier: ^1.11.3
         version: 1.11.3
+      pkg-pr-new:
+        specifier: 0.0.75
+        version: 0.0.75
       pkg-types:
         specifier: 1.1.3
         version: 1.1.3
@@ -106,15 +134,12 @@ importers:
       typescript:
         specifier: 5.5.4
         version: 5.5.4
-      vite:
-        specifier: ^5.4.21
-        version: 5.4.21(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1)
       vite-tsconfig-paths:
         specifier: ^4.0.5
         version: 4.0.5(typescript@5.5.4)
       vitest:
-        specifier: 3.1.4
-        version: 3.1.4(@types/debug@4.1.12)(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1)
+        specifier: 4.1.7
+        version: 4.1.7(@opentelemetry/api@1.9.1)(@types/node@20.14.14)(@vitest/coverage-v8@4.1.7)(vite@6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@3.12.2)(yaml@2.9.0))
 
   apps/coordinator:
     dependencies:
@@ -202,6 +227,9 @@ importers:
       dockerode:
         specifier: ^4.0.6
         version: 4.0.6
+      ioredis:
+        specifier: ~5.6.0
+        version: 5.6.1
       p-limit:
         specifier: ^6.2.0
         version: 6.2.0
@@ -218,6 +246,9 @@ importers:
         specifier: 3.25.76
         version: 3.25.76
     devDependencies:
+      '@internal/testcontainers':
+        specifier: workspace:*
+        version: link:../../internal-packages/testcontainers
       '@types/dockerode':
         specifier: ^3.3.33
         version: 3.3.35
@@ -225,8 +256,11 @@ importers:
   apps/webapp:
     dependencies:
       '@ai-sdk/openai':
-        specifier: ^1.3.23
-        version: 1.3.23(zod@3.25.76)
+        specifier: ^3.0.0
+        version: 3.0.41(zod@3.25.76)
+      '@ai-sdk/react':
+        specifier: ^3.0.0
+        version: 3.0.170(react@18.2.0)(zod@3.25.76)
       '@ariakit/react':
         specifier: ^0.4.6
         version: 0.4.6(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
@@ -348,68 +382,68 @@ importers:
         specifier: ^1.1.6
         version: 1.1.6
       '@opentelemetry/api':
-        specifier: 1.9.0
-        version: 1.9.0
+        specifier: 1.9.1
+        version: 1.9.1
       '@opentelemetry/api-logs':
-        specifier: 0.203.0
-        version: 0.203.0
+        specifier: 0.218.0
+        version: 0.218.0
       '@opentelemetry/core':
-        specifier: 2.0.1
-        version: 2.0.1(@opentelemetry/api@1.9.0)
+        specifier: 2.7.1
+        version: 2.7.1(@opentelemetry/api@1.9.1)
       '@opentelemetry/exporter-logs-otlp-http':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)
+        specifier: 0.218.0
+        version: 0.218.0(@opentelemetry/api@1.9.1)
       '@opentelemetry/exporter-metrics-otlp-proto':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)
+        specifier: 0.218.0
+        version: 0.218.0(@opentelemetry/api@1.9.1)
       '@opentelemetry/exporter-trace-otlp-http':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)
+        specifier: 0.218.0
+        version: 0.218.0(@opentelemetry/api@1.9.1)
       '@opentelemetry/host-metrics':
-        specifier: ^0.37.0
-        version: 0.37.0(@opentelemetry/api@1.9.0)
+        specifier: ^0.38.3
+        version: 0.38.3(@opentelemetry/api@1.9.1)
       '@opentelemetry/instrumentation':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)(supports-color@10.0.0)
+        specifier: 0.218.0
+        version: 0.218.0(@opentelemetry/api@1.9.1)(supports-color@10.0.0)
       '@opentelemetry/instrumentation-aws-sdk':
-        specifier: ^0.57.0
-        version: 0.57.0(@opentelemetry/api@1.9.0)
+        specifier: ^0.69.0
+        version: 0.69.0(@opentelemetry/api@1.9.1)
       '@opentelemetry/instrumentation-express':
-        specifier: ^0.52.0
-        version: 0.52.0(@opentelemetry/api@1.9.0)
+        specifier: ^0.62.0
+        version: 0.62.0(@opentelemetry/api@1.9.1)
       '@opentelemetry/instrumentation-http':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)
+        specifier: 0.218.0
+        version: 0.218.0(@opentelemetry/api@1.9.1)
       '@opentelemetry/resource-detector-aws':
-        specifier: ^2.3.0
-        version: 2.3.0(@opentelemetry/api@1.9.0)
+        specifier: ^2.14.0
+        version: 2.14.0(@opentelemetry/api@1.9.1)
       '@opentelemetry/resources':
-        specifier: 2.0.1
-        version: 2.0.1(@opentelemetry/api@1.9.0)
+        specifier: 2.7.1
+        version: 2.7.1(@opentelemetry/api@1.9.1)
       '@opentelemetry/sdk-logs':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)
+        specifier: 0.218.0
+        version: 0.218.0(@opentelemetry/api@1.9.1)
       '@opentelemetry/sdk-metrics':
-        specifier: 2.0.1
-        version: 2.0.1(@opentelemetry/api@1.9.0)
+        specifier: 2.7.1
+        version: 2.7.1(@opentelemetry/api@1.9.1)
       '@opentelemetry/sdk-node':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)
+        specifier: 0.218.0
+        version: 0.218.0(@opentelemetry/api@1.9.1)
       '@opentelemetry/sdk-trace-base':
-        specifier: 2.0.1
-        version: 2.0.1(@opentelemetry/api@1.9.0)
+        specifier: 2.7.1
+        version: 2.7.1(@opentelemetry/api@1.9.1)
       '@opentelemetry/sdk-trace-node':
-        specifier: 2.0.1
-        version: 2.0.1(@opentelemetry/api@1.9.0)
+        specifier: 2.7.1
+        version: 2.7.1(@opentelemetry/api@1.9.1)
       '@opentelemetry/semantic-conventions':
-        specifier: 1.36.0
-        version: 1.36.0
+        specifier: 1.41.1
+        version: 1.41.1
       '@popperjs/core':
         specifier: ^2.11.8
         version: 2.11.8
       '@prisma/instrumentation':
         specifier: ^6.14.0
-        version: 6.14.0(@opentelemetry/api@1.9.0)
+        version: 6.14.0(@opentelemetry/api@1.9.1)
       '@radix-ui/react-accordion':
         specifier: ^1.2.11
         version: 1.2.11(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
@@ -456,38 +490,41 @@ importers:
         specifier: ^3.7.1
         version: 3.7.1(react@18.2.0)
       '@remix-run/express':
-        specifier: 2.1.0
-        version: 2.1.0(express@4.20.0)(typescript@5.5.4)
+        specifier: 2.17.4
+        version: 2.17.4(express@4.20.0)(typescript@5.5.4)
       '@remix-run/node':
-        specifier: 2.1.0
-        version: 2.1.0(typescript@5.5.4)
+        specifier: 2.17.4
+        version: 2.17.4(typescript@5.5.4)
       '@remix-run/react':
-        specifier: 2.1.0
-        version: 2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
+        specifier: 2.17.4
+        version: 2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
       '@remix-run/router':
-        specifier: ^1.15.3
-        version: 1.15.3
+        specifier: ^1.23.2
+        version: 1.23.2(patch_hash=f14fb2af2690628a0164b66d98e8d7cd6a0e8a4a30a51e53cfb1b6caeca6f7c9)
       '@remix-run/serve':
-        specifier: 2.1.0
-        version: 2.1.0(typescript@5.5.4)
+        specifier: 2.17.4
+        version: 2.17.4(typescript@5.5.4)
       '@remix-run/server-runtime':
-        specifier: 2.1.0
-        version: 2.1.0(typescript@5.5.4)
+        specifier: 2.17.4
+        version: 2.17.4(typescript@5.5.4)
       '@remix-run/v1-meta':
         specifier: ^0.1.3
-        version: 0.1.3(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4))
+        version: 0.1.3(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4))
       '@s2-dev/streamstore':
-        specifier: ^0.22.5
-        version: 0.22.5(supports-color@10.0.0)
+        specifier: ^0.22.10
+        version: 0.22.10(supports-color@10.0.0)
       '@sentry/remix':
         specifier: 9.46.0
-        version: 9.46.0(patch_hash=146126b032581925294aaed63ab53ce3f5e0356a755f1763d7a9a76b9846943b)(@remix-run/node@2.1.0(typescript@5.5.4))(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4))(encoding@0.1.13)(react@18.2.0)
+        version: 9.46.0(patch_hash=146126b032581925294aaed63ab53ce3f5e0356a755f1763d7a9a76b9846943b)(@remix-run/node@2.17.4(typescript@5.5.4))(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4))(encoding@0.1.13)(react@18.2.0)
       '@slack/web-api':
-        specifier: 7.9.1
-        version: 7.9.1
+        specifier: 7.16.0
+        version: 7.16.0
       '@socket.io/redis-adapter':
         specifier: ^8.3.0
         version: 8.3.0(socket.io-adapter@2.5.4(bufferutil@4.0.9))
+      '@streamdown/code':
+        specifier: ^1.1.1
+        version: 1.1.1(react@18.2.0)
       '@tabler/icons-react':
         specifier: ^3.36.1
         version: 3.36.1(react@18.2.0)
@@ -521,6 +558,9 @@ importers:
       '@trigger.dev/platform':
         specifier: 1.0.27
         version: 1.0.27
+      '@trigger.dev/rbac':
+        specifier: workspace:*
+        version: link:../../internal-packages/rbac
       '@trigger.dev/redis-worker':
         specifier: workspace:*
         version: link:../../packages/redis-worker
@@ -548,9 +588,12 @@ importers:
       '@whatwg-node/fetch':
         specifier: ^0.9.14
         version: 0.9.14
+      '@window-splitter/react':
+        specifier: 1.1.3
+        version: 1.1.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       ai:
-        specifier: ^4.3.19
-        version: 4.3.19(react@18.2.0)(zod@3.25.76)
+        specifier: ^6.0.116
+        version: 6.0.168(zod@3.25.76)
       assert-never:
         specifier: ^1.2.1
         version: 1.2.1
@@ -585,14 +628,14 @@ importers:
         specifier: ^4.1.0
         version: 4.1.0
       dompurify:
-        specifier: ^3.2.6
-        version: 3.2.6
+        specifier: ^3.4.1
+        version: 3.4.1
       dotenv:
         specifier: ^16.4.5
         version: 16.4.5
       effect:
-        specifier: ^3.11.7
-        version: 3.11.7
+        specifier: ^3.21.2
+        version: 3.21.2
       emails:
         specifier: workspace:*
         version: link:../../internal-packages/emails
@@ -621,8 +664,8 @@ importers:
         specifier: ^1.0.0
         version: 1.0.0
       ioredis:
-        specifier: ^5.3.2
-        version: 5.3.2
+        specifier: ~5.6.0
+        version: 5.6.1
       isbot:
         specifier: ^3.6.5
         version: 3.6.5
@@ -684,8 +727,8 @@ importers:
         specifier: ^1.93.3
         version: 1.93.3
       posthog-node:
-        specifier: 4.17.1
-        version: 4.17.1
+        specifier: 5.35.6
+        version: 5.35.6(rxjs@7.8.2)
       prism-react-renderer:
         specifier: ^2.3.1
         version: 2.3.1(react@18.2.0)
@@ -740,9 +783,6 @@ importers:
       react-use:
         specifier: 17.5.1
         version: 17.5.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      react-window-splitter:
-        specifier: ^0.4.1
-        version: 0.4.1(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       recharts:
         specifier: ^2.15.2
         version: 2.15.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
@@ -751,22 +791,22 @@ importers:
         version: 2.0.1
       remix-auth:
         specifier: ^3.6.0
-        version: 3.6.0(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4))
+        version: 3.6.0(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4))
       remix-auth-email-link:
         specifier: 2.0.2
-        version: 2.0.2(@remix-run/server-runtime@2.1.0(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4)))
+        version: 2.0.2(@remix-run/server-runtime@2.17.4(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4)))
       remix-auth-github:
         specifier: ^1.6.0
-        version: 1.6.0(@remix-run/server-runtime@2.1.0(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4)))
+        version: 1.6.0(@remix-run/server-runtime@2.17.4(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4)))
       remix-auth-google:
         specifier: ^2.0.0
-        version: 2.0.0(@remix-run/server-runtime@2.1.0(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4)))
+        version: 2.0.0(@remix-run/server-runtime@2.17.4(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4)))
       remix-typedjson:
         specifier: 0.3.1
-        version: 0.3.1(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4))(react@18.2.0)
+        version: 0.3.1(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4))(react@18.2.0)
       remix-utils:
         specifier: ^7.7.0
-        version: 7.7.0(@remix-run/node@2.1.0(typescript@5.5.4))(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/router@1.15.3)(crypto-js@4.2.0)(intl-parse-accept-language@1.0.0)(react@18.2.0)(zod@3.25.76)
+        version: 7.7.0(@remix-run/node@2.17.4(typescript@5.5.4))(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/router@1.23.2(patch_hash=f14fb2af2690628a0164b66d98e8d7cd6a0e8a4a30a51e53cfb1b6caeca6f7c9))(crypto-js@4.2.0)(intl-parse-accept-language@1.0.0)(react@18.2.0)(zod@3.25.76)
       seedrandom:
         specifier: ^3.0.5
         version: 3.0.5
@@ -798,8 +838,8 @@ importers:
         specifier: ^7.4.0
         version: 7.5.0(@aws-sdk/client-sqs@3.454.0)
       streamdown:
-        specifier: ^1.4.0
-        version: 1.4.0(@types/react@18.2.69)(react@18.2.0)
+        specifier: ^2.5.0
+        version: 2.5.0(patch_hash=36211d09153a59c880b6a2bce2a0a0f011c99c73c20c8ceca78cc77e47623f06)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       superjson:
         specifier: ^2.2.1
         version: 2.2.1
@@ -825,8 +865,8 @@ importers:
         specifier: ^2.2.1
         version: 2.2.1
       uuid:
-        specifier: ^9.0.0
-        version: 9.0.1
+        specifier: ^14.0.0
+        version: 14.0.0
       ws:
         specifier: ^8.11.0
         version: 8.12.0(bufferutil@4.0.9)
@@ -850,14 +890,14 @@ importers:
         specifier: workspace:*
         version: link:../../internal-packages/testcontainers
       '@remix-run/dev':
-        specifier: 2.1.0
-        version: 2.1.0(@remix-run/serve@2.1.0(typescript@5.5.4))(@types/node@20.14.14)(bufferutil@4.0.9)(encoding@0.1.13)(lightningcss@1.29.2)(terser@5.44.1)(typescript@5.5.4)
+        specifier: 2.17.4
+        version: 2.17.4(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/serve@2.17.4(typescript@5.5.4))(@types/node@20.14.14)(bufferutil@4.0.9)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(typescript@5.5.4)(vite@6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(yaml@2.9.0))(yaml@2.9.0)
       '@remix-run/eslint-config':
-        specifier: 2.1.0
-        version: 2.1.0(eslint@8.31.0)(react@18.2.0)(typescript@5.5.4)
+        specifier: 2.17.4
+        version: 2.17.4(eslint@8.31.0)(react@18.2.0)(typescript@5.5.4)
       '@remix-run/testing':
-        specifier: ^2.1.0
-        version: 2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
+        specifier: ^2.17.4
+        version: 2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
       '@sentry/cli':
         specifier: 2.50.2
         version: 2.50.2(encoding@0.1.13)
@@ -885,9 +925,6 @@ importers:
       '@types/cookie':
         specifier: ^0.6.0
         version: 0.6.0
-      '@types/dompurify':
-        specifier: ^3.2.0
-        version: 3.2.0
       '@types/eslint':
         specifier: ^8.4.6
         version: 8.4.10
@@ -948,9 +985,6 @@ importers:
       '@types/tar':
         specifier: ^6.1.4
         version: 6.1.4
-      '@types/uuid':
-        specifier: ^9.0.0
-        version: 9.0.0
       '@types/ws':
         specifier: ^8.5.3
         version: 8.5.4
@@ -965,7 +999,7 @@ importers:
         version: 0.0.130(encoding@0.1.13)(ws@8.12.0(bufferutil@4.0.9))
       autoprefixer:
         specifier: ^10.4.13
-        version: 10.4.13(postcss@8.5.6)
+        version: 10.4.13(postcss@8.5.10)
       css-loader:
         specifier: ^6.10.0
         version: 6.10.0(webpack@5.102.1(@swc/core@1.3.26)(esbuild@0.15.18))
@@ -994,17 +1028,17 @@ importers:
         specifier: ^2.0.4
         version: 2.0.5(eslint@8.31.0)
       evalite:
-        specifier: ^0.11.4
-        version: 0.11.4(bufferutil@4.0.9)
+        specifier: 1.0.0-beta.16
+        version: 1.0.0-beta.16(ai@6.0.168(zod@3.25.76))(better-sqlite3@11.10.0)(bufferutil@4.0.9)
       npm-run-all:
         specifier: ^4.1.5
         version: 4.1.5
       postcss-import:
         specifier: ^16.0.1
-        version: 16.0.1(postcss@8.5.6)
+        version: 16.0.1(postcss@8.5.10)
       postcss-loader:
         specifier: ^8.1.1
-        version: 8.1.1(postcss@8.5.6)(typescript@5.5.4)(webpack@5.102.1(@swc/core@1.3.26)(esbuild@0.15.18))
+        version: 8.1.1(postcss@8.5.10)(typescript@5.5.4)(webpack@5.102.1(@swc/core@1.3.26)(esbuild@0.15.18))
       prettier:
         specifier: ^2.8.8
         version: 2.8.8
@@ -1015,8 +1049,8 @@ importers:
         specifier: ^15.8.1
         version: 15.8.1
       rimraf:
-        specifier: ^3.0.2
-        version: 3.0.2
+        specifier: ^6.0.1
+        version: 6.0.1
       style-loader:
         specifier: ^3.3.4
         version: 3.3.4(webpack@5.102.1(@swc/core@1.3.26)(esbuild@0.15.18))
@@ -1108,13 +1142,13 @@ importers:
       decimal.js:
         specifier: ^10.6.0
         version: 10.6.0
+      prisma:
+        specifier: 6.14.0
+        version: 6.14.0(magicast@0.3.5)(typescript@5.5.4)
     devDependencies:
       '@types/decimal.js':
         specifier: ^7.4.3
         version: 7.4.3
-      prisma:
-        specifier: 6.14.0
-        version: 6.14.0(magicast@0.3.5)(typescript@5.5.4)
       rimraf:
         specifier: 6.0.1
         version: 6.0.1
@@ -1125,20 +1159,20 @@ importers:
         specifier: ^3.716.0
         version: 3.940.0
       '@react-email/components':
-        specifier: 0.0.16
-        version: 0.0.16(@types/react@18.2.69)(react@18.3.1)
+        specifier: 1.0.12
+        version: 1.0.12(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
       '@react-email/render':
-        specifier: ^0.0.12
-        version: 0.0.12
+        specifier: ^2.0.8
+        version: 2.0.8(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
       nodemailer:
-        specifier: ^7.0.11
-        version: 7.0.11
+        specifier: ^8.0.6
+        version: 8.0.6
       react:
         specifier: ^18.2.0
         version: 18.3.1
-      react-email:
-        specifier: ^2.1.1
-        version: 2.1.2(@opentelemetry/api@1.9.0)(@swc/helpers@0.5.15)(bufferutil@4.0.9)(eslint@8.31.0)
+      react-dom:
+        specifier: ^18.2.0
+        version: 18.2.0(react@18.3.1)
       resend:
         specifier: ^3.2.0
         version: 3.2.0
@@ -1150,11 +1184,17 @@ importers:
         version: 3.25.76
     devDependencies:
       '@types/nodemailer':
-        specifier: ^7.0.4
-        version: 7.0.4
+        specifier: ^8.0.0
+        version: 8.0.0
       '@types/react':
         specifier: 18.2.69
         version: 18.2.69
+      '@types/react-dom':
+        specifier: 18.2.7
+        version: 18.2.7
+      react-email:
+        specifier: ^6.5.0
+        version: 6.5.0(bufferutil@4.0.9)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
 
   internal-packages/llm-model-catalog:
     dependencies:
@@ -1169,8 +1209,8 @@ importers:
         specifier: workspace:*
         version: link:../testcontainers
       vitest:
-        specifier: 3.1.4
-        version: 3.1.4(@types/debug@4.1.12)(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1)
+        specifier: 4.1.7
+        version: 4.1.7(@opentelemetry/api@1.9.1)(@types/node@20.14.14)(@vitest/coverage-v8@4.1.7)(vite@6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(yaml@2.9.0))
 
   internal-packages/otlp-importer:
     dependencies:
@@ -1178,27 +1218,46 @@ importers:
         specifier: ^5.2.3
         version: 5.2.3
       protobufjs:
-        specifier: ^7.2.6
-        version: 7.3.2
+        specifier: ^7.5.6
+        version: 7.6.1
     devDependencies:
       '@types/node':
         specifier: 20.14.14
         version: 20.14.14
       rimraf:
-        specifier: ^3.0.2
-        version: 3.0.2
+        specifier: ^6.0.1
+        version: 6.0.1
       ts-proto:
         specifier: ^1.167.3
         version: 1.167.3
 
+  internal-packages/rbac:
+    dependencies:
+      '@trigger.dev/core':
+        specifier: workspace:*
+        version: link:../../packages/core
+      '@trigger.dev/plugins':
+        specifier: workspace:*
+        version: link:../../packages/plugins
+    devDependencies:
+      '@trigger.dev/database':
+        specifier: workspace:*
+        version: link:../database
+      '@types/node':
+        specifier: 20.14.14
+        version: 20.14.14
+      rimraf:
+        specifier: 6.0.1
+        version: 6.0.1
+
   internal-packages/redis:
     dependencies:
       '@trigger.dev/core':
         specifier: workspace:*
         version: link:../../packages/core
       ioredis:
-        specifier: ^5.3.2
-        version: 5.3.2
+        specifier: ~5.6.0
+        version: 5.6.1
 
   internal-packages/replication:
     dependencies:
@@ -1270,6 +1329,9 @@ importers:
       '@internal/testcontainers':
         specifier: workspace:*
         version: link:../testcontainers
+      '@opentelemetry/sdk-metrics':
+        specifier: 2.7.1
+        version: 2.7.1(@opentelemetry/api@1.9.1)
       '@types/seedrandom':
         specifier: ^3.0.8
         version: 3.0.8
@@ -1330,8 +1392,8 @@ importers:
         specifier: 5.5.4
         version: 5.5.4
       vitest:
-        specifier: 3.1.4
-        version: 3.1.4(@types/debug@4.1.12)(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1)
+        specifier: 4.1.7
+        version: 4.1.7(@opentelemetry/api@1.9.1)(@types/node@20.14.14)(@vitest/coverage-v8@4.1.7)(vite@6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(yaml@2.9.0))
 
   internal-packages/testcontainers:
     dependencies:
@@ -1339,21 +1401,21 @@ importers:
         specifier: ^1.11.1
         version: 1.11.1
       '@opentelemetry/api':
-        specifier: ^1.9.0
-        version: 1.9.0
+        specifier: ^1.9.1
+        version: 1.9.1
       '@trigger.dev/database':
         specifier: workspace:*
         version: link:../database
       ioredis:
-        specifier: ^5.3.2
-        version: 5.3.2
+        specifier: ~5.6.0
+        version: 5.6.1
     devDependencies:
       '@testcontainers/postgresql':
-        specifier: ^10.28.0
-        version: 10.28.0
+        specifier: ^11.14.0
+        version: 11.14.0
       '@testcontainers/redis':
-        specifier: ^10.28.0
-        version: 10.28.0
+        specifier: ^11.14.0
+        version: 11.14.0
       '@trigger.dev/core':
         specifier: workspace:*
         version: link:../../packages/core
@@ -1361,8 +1423,8 @@ importers:
         specifier: ^3.9.0
         version: 3.9.0
       testcontainers:
-        specifier: ^10.28.0
-        version: 10.28.0
+        specifier: ^11.14.0
+        version: 11.14.0
       tinyexec:
         specifier: ^0.3.0
         version: 0.3.0
@@ -1370,14 +1432,14 @@ importers:
   internal-packages/tracing:
     dependencies:
       '@opentelemetry/api':
-        specifier: 1.9.0
-        version: 1.9.0
+        specifier: 1.9.1
+        version: 1.9.1
       '@opentelemetry/api-logs':
-        specifier: 0.52.1
-        version: 0.52.1
+        specifier: 0.218.0
+        version: 0.218.0
       '@opentelemetry/semantic-conventions':
-        specifier: ^1.27.0
-        version: 1.28.0
+        specifier: ^1.41.1
+        version: 1.41.1
       '@trigger.dev/core':
         specifier: workspace:*
         version: link:../../packages/core
@@ -1432,7 +1494,7 @@ importers:
         specifier: ^6.10.0
         version: 6.19.0(magicast@0.3.5)
       '@trigger.dev/core':
-        specifier: workspace:4.4.4
+        specifier: workspace:4.5.0-rc.5
         version: link:../core
       mlly:
         specifier: ^1.7.1
@@ -1479,42 +1541,42 @@ importers:
         version: 0.0.1-cli.2.80.0
       '@modelcontextprotocol/sdk':
         specifier: ^1.25.2
-        version: 1.25.2(hono@4.11.8)(supports-color@10.0.0)(zod@3.25.76)
+        version: 1.25.2(hono@4.12.15)(supports-color@10.0.0)(zod@3.25.76)
       '@opentelemetry/api':
-        specifier: 1.9.0
-        version: 1.9.0
+        specifier: 1.9.1
+        version: 1.9.1
       '@opentelemetry/api-logs':
-        specifier: 0.203.0
-        version: 0.203.0
+        specifier: 0.218.0
+        version: 0.218.0
       '@opentelemetry/exporter-trace-otlp-http':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)
+        specifier: 0.218.0
+        version: 0.218.0(@opentelemetry/api@1.9.1)
       '@opentelemetry/instrumentation':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)(supports-color@10.0.0)
+        specifier: 0.218.0
+        version: 0.218.0(@opentelemetry/api@1.9.1)(supports-color@10.0.0)
       '@opentelemetry/instrumentation-fetch':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)(supports-color@10.0.0)
+        specifier: 0.218.0
+        version: 0.218.0(@opentelemetry/api@1.9.1)(supports-color@10.0.0)
       '@opentelemetry/resources':
-        specifier: 2.0.1
-        version: 2.0.1(@opentelemetry/api@1.9.0)
+        specifier: 2.7.1
+        version: 2.7.1(@opentelemetry/api@1.9.1)
       '@opentelemetry/sdk-trace-node':
-        specifier: 2.0.1
-        version: 2.0.1(@opentelemetry/api@1.9.0)
+        specifier: 2.7.1
+        version: 2.7.1(@opentelemetry/api@1.9.1)
       '@opentelemetry/semantic-conventions':
-        specifier: 1.36.0
-        version: 1.36.0
+        specifier: 1.41.1
+        version: 1.41.1
       '@s2-dev/streamstore':
-        specifier: ^0.22.5
-        version: 0.22.5(supports-color@10.0.0)
+        specifier: ^0.22.10
+        version: 0.22.10(supports-color@10.0.0)
       '@trigger.dev/build':
-        specifier: workspace:4.4.4
+        specifier: workspace:4.5.0-rc.5
         version: link:../build
       '@trigger.dev/core':
-        specifier: workspace:4.4.4
+        specifier: workspace:4.5.0-rc.5
         version: link:../core
       '@trigger.dev/schema-to-json':
-        specifier: workspace:4.4.4
+        specifier: workspace:4.5.0-rc.5
         version: link:../schema-to-json
       ansi-escapes:
         specifier: ^7.0.0
@@ -1541,8 +1603,8 @@ importers:
         specifier: ^0.2.2
         version: 0.2.2
       defu:
-        specifier: ^6.1.4
-        version: 6.1.4
+        specifier: ^6.1.5
+        version: 6.1.7
       dotenv:
         specifier: ^16.4.5
         version: 16.4.5
@@ -1571,8 +1633,8 @@ importers:
         specifier: ^7.0.5
         version: 7.0.5
       import-in-the-middle:
-        specifier: 1.11.0
-        version: 1.11.0
+        specifier: 3.0.1
+        version: 3.0.1
       import-meta-resolve:
         specifier: ^4.1.0
         version: 4.1.0
@@ -1643,8 +1705,8 @@ importers:
         specifier: ^10.0.0
         version: 10.0.0
       tar:
-        specifier: ^7.5.4
-        version: 7.5.6
+        specifier: ^7.5.13
+        version: 7.5.13
       tiny-invariant:
         specifier: ^1.2.0
         version: 1.3.1
@@ -1713,8 +1775,8 @@ importers:
         specifier: ^7.0.0
         version: 7.0.0
       rimraf:
-        specifier: ^5.0.7
-        version: 5.0.7
+        specifier: ^6.0.1
+        version: 6.0.1
       ts-essentials:
         specifier: 10.0.1
         version: 10.0.1(typescript@5.5.4)
@@ -1740,50 +1802,50 @@ importers:
         specifier: ^1.0.21
         version: 1.0.21
       '@opentelemetry/api':
-        specifier: 1.9.0
-        version: 1.9.0
+        specifier: 1.9.1
+        version: 1.9.1
       '@opentelemetry/api-logs':
-        specifier: 0.203.0
-        version: 0.203.0
+        specifier: 0.218.0
+        version: 0.218.0
       '@opentelemetry/core':
-        specifier: 2.0.1
-        version: 2.0.1(@opentelemetry/api@1.9.0)
+        specifier: 2.7.1
+        version: 2.7.1(@opentelemetry/api@1.9.1)
       '@opentelemetry/exporter-logs-otlp-http':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)
+        specifier: 0.218.0
+        version: 0.218.0(@opentelemetry/api@1.9.1)
       '@opentelemetry/exporter-metrics-otlp-http':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)
+        specifier: 0.218.0
+        version: 0.218.0(@opentelemetry/api@1.9.1)
       '@opentelemetry/exporter-trace-otlp-http':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)
+        specifier: 0.218.0
+        version: 0.218.0(@opentelemetry/api@1.9.1)
       '@opentelemetry/host-metrics':
-        specifier: ^0.37.0
-        version: 0.37.0(@opentelemetry/api@1.9.0)
+        specifier: ^0.38.3
+        version: 0.38.3(@opentelemetry/api@1.9.1)
       '@opentelemetry/instrumentation':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)(supports-color@10.0.0)
+        specifier: 0.218.0
+        version: 0.218.0(@opentelemetry/api@1.9.1)(supports-color@10.0.0)
       '@opentelemetry/resources':
-        specifier: 2.0.1
-        version: 2.0.1(@opentelemetry/api@1.9.0)
+        specifier: 2.7.1
+        version: 2.7.1(@opentelemetry/api@1.9.1)
       '@opentelemetry/sdk-logs':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)
+        specifier: 0.218.0
+        version: 0.218.0(@opentelemetry/api@1.9.1)
       '@opentelemetry/sdk-metrics':
-        specifier: 2.0.1
-        version: 2.0.1(@opentelemetry/api@1.9.0)
+        specifier: 2.7.1
+        version: 2.7.1(@opentelemetry/api@1.9.1)
       '@opentelemetry/sdk-trace-base':
-        specifier: 2.0.1
-        version: 2.0.1(@opentelemetry/api@1.9.0)
+        specifier: 2.7.1
+        version: 2.7.1(@opentelemetry/api@1.9.1)
       '@opentelemetry/sdk-trace-node':
-        specifier: 2.0.1
-        version: 2.0.1(@opentelemetry/api@1.9.0)
+        specifier: 2.7.1
+        version: 2.7.1(@opentelemetry/api@1.9.1)
       '@opentelemetry/semantic-conventions':
-        specifier: 1.36.0
-        version: 1.36.0
+        specifier: 1.41.1
+        version: 1.41.1
       '@s2-dev/streamstore':
-        specifier: 0.22.5
-        version: 0.22.5(supports-color@10.0.0)
+        specifier: 0.22.10
+        version: 0.22.10(supports-color@10.0.0)
       dequal:
         specifier: ^2.0.3
         version: 2.0.3
@@ -1857,15 +1919,18 @@ importers:
       ai:
         specifier: ^6.0.0
         version: 6.0.3(zod@3.25.76)
+      ai-v7:
+        specifier: npm:ai@7.0.0-canary.159
+        version: ai@7.0.0-canary.159(zod@3.25.76)
       defu:
-        specifier: ^6.1.4
-        version: 6.1.4
+        specifier: ^6.1.5
+        version: 6.1.7
       esbuild:
         specifier: ^0.23.0
         version: 0.23.0
       rimraf:
-        specifier: ^3.0.2
-        version: 3.0.2
+        specifier: ^6.0.1
+        version: 6.0.1
       superjson:
         specifier: ^2.2.1
         version: 2.2.1
@@ -1879,10 +1944,29 @@ importers:
         specifier: 4.17.0
         version: 4.17.0
 
+  packages/plugins:
+    dependencies:
+      '@trigger.dev/core':
+        specifier: workspace:*
+        version: link:../core
+    devDependencies:
+      '@types/node':
+        specifier: 20.14.14
+        version: 20.14.14
+      rimraf:
+        specifier: 6.0.1
+        version: 6.0.1
+      tsup:
+        specifier: ^8.4.0
+        version: 8.4.0(@swc/core@1.3.101(@swc/helpers@0.5.15))(jiti@2.6.1)(postcss@8.5.10)(tsx@4.20.6)(typescript@5.5.4)(yaml@2.9.0)
+      typescript:
+        specifier: 5.5.4
+        version: 5.5.4
+
   packages/python:
     dependencies:
       '@trigger.dev/core':
-        specifier: workspace:4.4.4
+        specifier: workspace:4.5.0-rc.5
         version: link:../core
       tinyexec:
         specifier: ^0.3.2
@@ -1892,10 +1976,10 @@ importers:
         specifier: ^0.15.4
         version: 0.15.4
       '@trigger.dev/build':
-        specifier: workspace:4.4.4
+        specifier: workspace:4.5.0-rc.5
         version: link:../build
       '@trigger.dev/sdk':
-        specifier: workspace:4.4.4
+        specifier: workspace:4.5.0-rc.5
         version: link:../trigger-sdk
       '@types/node':
         specifier: 20.14.14
@@ -1919,17 +2003,17 @@ importers:
   packages/react-hooks:
     dependencies:
       '@trigger.dev/core':
-        specifier: workspace:^4.4.4
+        specifier: workspace:^4.5.0-rc.5
         version: link:../core
       react:
         specifier: ^18.0 || ^19.0 || ^19.0.0-rc
-        version: 18.3.1
+        version: 19.1.0
       react-dom:
         specifier: ^18.0 || ^19.0 || ^19.0.0-rc
-        version: 18.2.0(react@18.3.1)
+        version: 18.2.0(react@19.1.0)
       swr:
         specifier: ^2.2.5
-        version: 2.2.5(react@18.3.1)
+        version: 2.2.5(react@19.1.0)
     devDependencies:
       '@arethetypeswrong/cli':
         specifier: ^0.15.4
@@ -1941,8 +2025,8 @@ importers:
         specifier: '*'
         version: 18.2.7
       rimraf:
-        specifier: ^3.0.2
-        version: 3.0.2
+        specifier: ^6.0.1
+        version: 6.0.1
       tshy:
         specifier: ^3.0.2
         version: 3.0.2
@@ -1953,7 +2037,7 @@ importers:
   packages/redis-worker:
     dependencies:
       '@trigger.dev/core':
-        specifier: workspace:4.4.4
+        specifier: workspace:4.5.0-rc.5
         version: link:../core
       cron-parser:
         specifier: ^4.9.0
@@ -1994,7 +2078,7 @@ importers:
         version: 6.0.1
       tsup:
         specifier: ^8.4.0
-        version: 8.4.0(@swc/core@1.3.101(@swc/helpers@0.5.15))(jiti@2.4.2)(postcss@8.5.6)(tsx@4.17.0)(typescript@5.5.4)(yaml@2.7.1)
+        version: 8.4.0(@swc/core@1.3.101(@swc/helpers@0.5.15))(jiti@2.6.1)(postcss@8.5.10)(tsx@4.17.0)(typescript@5.5.4)(yaml@2.9.0)
       tsx:
         specifier: 4.17.0
         version: 4.17.0
@@ -2002,7 +2086,7 @@ importers:
   packages/rsc:
     dependencies:
       '@trigger.dev/core':
-        specifier: workspace:^4.4.4
+        specifier: workspace:^4.5.0-rc.5
         version: link:../core
       mlly:
         specifier: ^1.7.1
@@ -2018,7 +2102,7 @@ importers:
         specifier: ^0.15.4
         version: 0.15.4
       '@trigger.dev/build':
-        specifier: workspace:^4.4.4
+        specifier: workspace:^4.5.0-rc.5
         version: link:../build
       '@types/node':
         specifier: 20.14.14
@@ -2030,8 +2114,8 @@ importers:
         specifier: '*'
         version: 18.2.7
       rimraf:
-        specifier: ^3.0.2
-        version: 3.0.2
+        specifier: ^6.0.1
+        version: 6.0.1
       tshy:
         specifier: ^3.0.2
         version: 3.0.2
@@ -2087,14 +2171,17 @@ importers:
 
   packages/trigger-sdk:
     dependencies:
+      '@ai-sdk/otel':
+        specifier: '>=1.0.0-0 <2'
+        version: 1.0.0-beta.6(zod@3.25.76)
       '@opentelemetry/api':
-        specifier: 1.9.0
-        version: 1.9.0
+        specifier: 1.9.1
+        version: 1.9.1
       '@opentelemetry/semantic-conventions':
-        specifier: 1.36.0
-        version: 1.36.0
+        specifier: 1.41.1
+        version: 1.41.1
       '@trigger.dev/core':
-        specifier: workspace:4.4.4
+        specifier: workspace:4.5.0-rc.5
         version: link:../core
       chalk:
         specifier: ^5.2.0
@@ -2108,6 +2195,9 @@ importers:
       evt:
         specifier: ^2.4.13
         version: 2.4.13
+      react:
+        specifier: ^18.0 || ^19.0
+        version: 18.3.1
       slug:
         specifier: ^6.0.0
         version: 6.1.0
@@ -2117,37 +2207,40 @@ importers:
       uncrypto:
         specifier: ^0.1.3
         version: 0.1.3
-      uuid:
-        specifier: ^9.0.0
-        version: 9.0.0
       ws:
         specifier: ^8.11.0
         version: 8.12.0(bufferutil@4.0.9)
     devDependencies:
+      '@ai-sdk/provider':
+        specifier: 3.0.8
+        version: 3.0.8
       '@arethetypeswrong/cli':
         specifier: ^0.15.4
         version: 0.15.4
       '@types/debug':
         specifier: ^4.1.7
         version: 4.1.7
+      '@types/react':
+        specifier: ^19.2.14
+        version: 19.2.14
       '@types/slug':
         specifier: ^5.0.3
         version: 5.0.3
-      '@types/uuid':
-        specifier: ^9.0.0
-        version: 9.0.0
       '@types/ws':
         specifier: ^8.5.3
         version: 8.5.4
       ai:
-        specifier: ^6.0.0
-        version: 6.0.3(zod@3.25.76)
+        specifier: ^6.0.116
+        version: 6.0.116(zod@3.25.76)
+      ai-v7:
+        specifier: npm:ai@7.0.0-canary.159
+        version: ai@7.0.0-canary.159(zod@3.25.76)
       encoding:
         specifier: ^0.1.13
         version: 0.1.13
       rimraf:
-        specifier: ^3.0.2
-        version: 3.0.2
+        specifier: ^6.0.1
+        version: 6.0.1
       tshy:
         specifier: ^3.0.2
         version: 3.0.2
@@ -2161,761 +2254,10 @@ importers:
         specifier: 3.25.76
         version: 3.25.76
 
-  references/bun-catalog:
-    dependencies:
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-    devDependencies:
-      '@types/bun':
-        specifier: ^1.1.6
-        version: 1.1.6
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-
-  references/d3-chat:
-    dependencies:
-      '@ai-sdk/anthropic':
-        specifier: 2.0.4
-        version: 2.0.4(zod@3.25.76)
-      '@ai-sdk/openai':
-        specifier: 2.0.14
-        version: 2.0.14(zod@3.25.76)
-      '@e2b/code-interpreter':
-        specifier: ^1.1.0
-        version: 1.1.0
-      '@opentelemetry/api':
-        specifier: ^1.9.0
-        version: 1.9.0
-      '@opentelemetry/api-logs':
-        specifier: ^0.203.0
-        version: 0.203.0
-      '@opentelemetry/exporter-logs-otlp-http':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/exporter-trace-otlp-http':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation':
-        specifier: ^0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)(supports-color@10.0.0)
-      '@opentelemetry/instrumentation-http':
-        specifier: 0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-undici':
-        specifier: 0.14.0
-        version: 0.14.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-logs':
-        specifier: ^0.203.0
-        version: 0.203.0(@opentelemetry/api@1.9.0)
-      '@radix-ui/react-avatar':
-        specifier: ^1.1.3
-        version: 1.1.3(@types/react-dom@19.0.4(@types/react@19.0.12))(@types/react@19.0.12)(react-dom@19.0.0(react@19.0.0))(react@19.0.0)
-      '@slack/web-api':
-        specifier: 7.9.1
-        version: 7.9.1
-      '@trigger.dev/python':
-        specifier: workspace:*
-        version: link:../../packages/python
-      '@trigger.dev/react-hooks':
-        specifier: workspace:*
-        version: link:../../packages/react-hooks
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-      '@vercel/otel':
-        specifier: ^1.13.0
-        version: 1.13.0(@opentelemetry/api-logs@0.203.0)(@opentelemetry/api@1.9.0)(@opentelemetry/instrumentation@0.203.0(@opentelemetry/api@1.9.0))(@opentelemetry/resources@2.2.0(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-logs@0.203.0(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-metrics@2.0.1(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-trace-base@2.0.1(@opentelemetry/api@1.9.0))
-      '@vercel/postgres':
-        specifier: ^0.10.0
-        version: 0.10.0
-      ai:
-        specifier: 5.0.14
-        version: 5.0.14(zod@3.25.76)
-      class-variance-authority:
-        specifier: ^0.7.1
-        version: 0.7.1
-      clsx:
-        specifier: ^2.1.1
-        version: 2.1.1
-      lucide-react:
-        specifier: ^0.486.0
-        version: 0.486.0(react@19.0.0)
-      marked:
-        specifier: ^4.0.18
-        version: 4.2.5
-      nanoid:
-        specifier: ^5.1.5
-        version: 5.1.5
-      next:
-        specifier: 15.4.8
-        version: 15.4.8(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@19.0.0(react@19.0.0))(react@19.0.0)
-      react:
-        specifier: ^19.0.0
-        version: 19.0.0
-      react-dom:
-        specifier: ^19.0.0
-        version: 19.0.0(react@19.0.0)
-      react-markdown:
-        specifier: ^10.1.0
-        version: 10.1.0(@types/react@19.0.12)(react@19.0.0)
-      tailwind-merge:
-        specifier: ^3.1.0
-        version: 3.1.0
-      tw-animate-css:
-        specifier: ^1.2.4
-        version: 1.2.4
-      zod:
-        specifier: 3.25.76
-        version: 3.25.76
-    devDependencies:
-      '@tailwindcss/postcss':
-        specifier: ^4
-        version: 4.0.17
-      '@tailwindcss/typography':
-        specifier: ^0.5.9
-        version: 0.5.9(tailwindcss@4.0.17)
-      '@trigger.dev/build':
-        specifier: workspace:*
-        version: link:../../packages/build
-      '@types/marked':
-        specifier: ^4.0.3
-        version: 4.0.8
-      '@types/node':
-        specifier: 20.14.14
-        version: 20.14.14
-      '@types/react':
-        specifier: ^19
-        version: 19.0.12
-      '@types/react-dom':
-        specifier: ^19
-        version: 19.0.4(@types/react@19.0.12)
-      tailwindcss:
-        specifier: ^4.0.17
-        version: 4.0.17
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-      typescript:
-        specifier: 5.5.4
-        version: 5.5.4
-
-  references/d3-openai-agents:
-    dependencies:
-      '@ai-sdk/openai':
-        specifier: 1.3.3
-        version: 1.3.3(zod@3.25.76)
-      '@slack/web-api':
-        specifier: 7.9.1
-        version: 7.9.1
-      '@trigger.dev/python':
-        specifier: workspace:*
-        version: link:../../packages/python
-      '@trigger.dev/react-hooks':
-        specifier: workspace:*
-        version: link:../../packages/react-hooks
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-      '@vercel/postgres':
-        specifier: ^0.10.0
-        version: 0.10.0
-      ai:
-        specifier: 4.2.5
-        version: 4.2.5(react@19.0.0)(zod@3.25.76)
-      class-variance-authority:
-        specifier: ^0.7.1
-        version: 0.7.1
-      clsx:
-        specifier: ^2.1.1
-        version: 2.1.1
-      lucide-react:
-        specifier: ^0.484.0
-        version: 0.484.0(react@19.0.0)
-      nanoid:
-        specifier: ^5.1.5
-        version: 5.1.5
-      next:
-        specifier: 15.2.4
-        version: 15.2.4(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@19.0.0(react@19.0.0))(react@19.0.0)
-      react:
-        specifier: ^19.0.0
-        version: 19.0.0
-      react-dom:
-        specifier: ^19.0.0
-        version: 19.0.0(react@19.0.0)
-      tailwind-merge:
-        specifier: ^3.0.2
-        version: 3.0.2
-      tw-animate-css:
-        specifier: ^1.2.4
-        version: 1.2.4
-      zod:
-        specifier: 3.25.76
-        version: 3.25.76
-      zod-to-json-schema:
-        specifier: ^3.24.5
-        version: 3.24.5(zod@3.25.76)
-    devDependencies:
-      '@tailwindcss/postcss':
-        specifier: ^4
-        version: 4.0.17
-      '@trigger.dev/build':
-        specifier: workspace:*
-        version: link:../../packages/build
-      '@types/node':
-        specifier: 20.14.14
-        version: 20.14.14
-      '@types/react':
-        specifier: ^19
-        version: 19.0.12
-      '@types/react-dom':
-        specifier: ^19
-        version: 19.0.4(@types/react@19.0.12)
-      dotenv:
-        specifier: 16.4.7
-        version: 16.4.7
-      tailwindcss:
-        specifier: ^4.0.17
-        version: 4.0.17
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-      tsx:
-        specifier: 4.19.3
-        version: 4.19.3
-      typescript:
-        specifier: 5.5.4
-        version: 5.5.4
-
-  references/effect:
-    dependencies:
-      '@trigger.dev/build':
-        specifier: workspace:*
-        version: link:../../packages/build
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-      effect:
-        specifier: 3.17.1
-        version: 3.17.1
-    devDependencies:
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-
-  references/hello-world:
-    dependencies:
-      '@ai-sdk/openai':
-        specifier: ^3.0.41
-        version: 3.0.41(zod@3.25.76)
-      '@sinclair/typebox':
-        specifier: ^0.34.3
-        version: 0.34.38
-      '@trigger.dev/build':
-        specifier: workspace:*
-        version: link:../../packages/build
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-      ai:
-        specifier: ^6.0.116
-        version: 6.0.116(zod@3.25.76)
-      arktype:
-        specifier: ^2.0.0
-        version: 2.1.20
-      openai:
-        specifier: ^4.97.0
-        version: 4.97.0(encoding@0.1.13)(ws@8.18.3(bufferutil@4.0.9))(zod@3.25.76)
-      puppeteer-core:
-        specifier: ^24.15.0
-        version: 24.15.0(bufferutil@4.0.9)
-      replicate:
-        specifier: ^1.0.1
-        version: 1.0.1
-      yup:
-        specifier: ^1.6.1
-        version: 1.6.1
-      zod:
-        specifier: 3.25.76
-        version: 3.25.76
-    devDependencies:
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-
-  references/init-shell:
-    devDependencies:
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-
-  references/init-shell-js:
-    devDependencies:
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-
-  references/issue-2687:
-    dependencies:
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-      dotenv:
-        specifier: ^16.4.5
-        version: 16.4.7
-      tsx:
-        specifier: ^4.0.0
-        version: 4.20.6
-    devDependencies:
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-
-  references/nextjs-realtime:
-    dependencies:
-      '@ai-sdk/openai':
-        specifier: ^1.0.1
-        version: 1.0.1(zod@3.25.76)
-      '@fal-ai/serverless-client':
-        specifier: ^0.15.0
-        version: 0.15.0
-      '@fast-csv/parse':
-        specifier: ^5.0.2
-        version: 5.0.2
-      '@opentelemetry/exporter-trace-otlp-http':
-        specifier: ^0.57.0
-        version: 0.57.0(@opentelemetry/api@1.9.0)
-      '@radix-ui/react-dialog':
-        specifier: ^1.0.3
-        version: 1.0.4(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-icons':
-        specifier: ^1.3.0
-        version: 1.3.0(react@18.3.1)
-      '@radix-ui/react-progress':
-        specifier: ^1.1.1
-        version: 1.1.1(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-scroll-area':
-        specifier: ^1.2.0
-        version: 1.2.0(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-slot':
-        specifier: ^1.1.0
-        version: 1.1.0(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-tabs':
-        specifier: ^1.0.3
-        version: 1.0.3(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@trigger.dev/react-hooks':
-        specifier: workspace:*
-        version: link:../../packages/react-hooks
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-      '@uploadthing/react':
-        specifier: ^7.0.3
-        version: 7.0.3(next@14.2.21(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@18.2.0(react@18.3.1))(react@18.3.1))(react@18.3.1)(uploadthing@7.1.0(express@5.2.1)(fastify@5.4.0)(next@14.2.21(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@18.2.0(react@18.3.1))(react@18.3.1))(tailwindcss@3.4.1))
-      ai:
-        specifier: ^4.0.0
-        version: 4.0.0(react@18.3.1)(zod@3.25.76)
-      class-variance-authority:
-        specifier: ^0.7.0
-        version: 0.7.0
-      clsx:
-        specifier: ^2.1.1
-        version: 2.1.1
-      date-fns:
-        specifier: ^4.1.0
-        version: 4.1.0
-      langsmith:
-        specifier: ^0.2.15
-        version: 0.2.15(openai@4.68.4(encoding@0.1.13)(zod@3.25.76))
-      lucide-react:
-        specifier: ^0.451.0
-        version: 0.451.0(react@18.3.1)
-      next:
-        specifier: 14.2.21
-        version: 14.2.21(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      openai:
-        specifier: ^4.68.4
-        version: 4.68.4(encoding@0.1.13)(zod@3.25.76)
-      react:
-        specifier: ^18
-        version: 18.3.1
-      react-dom:
-        specifier: ^18
-        version: 18.2.0(react@18.3.1)
-      tailwind-merge:
-        specifier: ^2.5.3
-        version: 2.5.3
-      tailwindcss-animate:
-        specifier: ^1.0.7
-        version: 1.0.7(tailwindcss@3.4.1)
-      uploadthing:
-        specifier: ^7.1.0
-        version: 7.1.0(express@5.2.1)(fastify@5.4.0)(next@14.2.21(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@18.2.0(react@18.3.1))(react@18.3.1))(tailwindcss@3.4.1)
-      zod:
-        specifier: 3.25.76
-        version: 3.25.76
-    devDependencies:
-      '@next/bundle-analyzer':
-        specifier: ^15.0.2
-        version: 15.0.2(bufferutil@4.0.9)
-      '@trigger.dev/rsc':
-        specifier: workspace:*
-        version: link:../../packages/rsc
-      '@types/react':
-        specifier: ^18
-        version: 18.3.1
-      '@types/react-dom':
-        specifier: ^18
-        version: 18.2.7
-      postcss:
-        specifier: ^8
-        version: 8.4.44
-      tailwindcss:
-        specifier: ^3.4.1
-        version: 3.4.1
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-
-  references/prisma-6:
-    dependencies:
-      '@prisma/client':
-        specifier: 6.14.0
-        version: 6.14.0(prisma@6.14.0(magicast@0.3.5)(typescript@5.5.4))(typescript@5.5.4)
-      '@trigger.dev/build':
-        specifier: workspace:*
-        version: link:../../packages/build
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-    devDependencies:
-      prisma:
-        specifier: 6.14.0
-        version: 6.14.0(magicast@0.3.5)(typescript@5.5.4)
-      prisma-generator-ts-enums:
-        specifier: ^1.1.0
-        version: 1.1.0(prisma@6.14.0(magicast@0.3.5)(typescript@5.5.4))
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-
-  references/prisma-6-client:
-    dependencies:
-      '@prisma/adapter-pg':
-        specifier: 6.16.0
-        version: 6.16.0
-      '@prisma/client':
-        specifier: 6.16.0
-        version: 6.16.0(prisma@6.16.0(magicast@0.3.5)(typescript@5.5.4))(typescript@5.5.4)
-      '@trigger.dev/build':
-        specifier: workspace:*
-        version: link:../../packages/build
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-    devDependencies:
-      prisma:
-        specifier: 6.16.0
-        version: 6.16.0(magicast@0.3.5)(typescript@5.5.4)
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-
-  references/prisma-6-config:
-    dependencies:
-      '@prisma/client':
-        specifier: 6.19.0
-        version: 6.19.0(prisma@6.19.0(typescript@5.5.4))(typescript@5.5.4)
-      '@trigger.dev/build':
-        specifier: workspace:*
-        version: link:../../packages/build
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-    devDependencies:
-      prisma:
-        specifier: 6.19.0
-        version: 6.19.0(typescript@5.5.4)
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-
-  references/prisma-6-multi-file:
-    dependencies:
-      '@prisma/client':
-        specifier: 6.14.0
-        version: 6.14.0(prisma@6.14.0(magicast@0.3.5)(typescript@5.5.4))(typescript@5.5.4)
-      '@trigger.dev/build':
-        specifier: workspace:*
-        version: link:../../packages/build
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-    devDependencies:
-      prisma:
-        specifier: 6.14.0
-        version: 6.14.0(magicast@0.3.5)(typescript@5.5.4)
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-
-  references/prisma-6-output:
-    dependencies:
-      '@prisma/client':
-        specifier: 6.19.0
-        version: 6.19.0(prisma@6.19.0(typescript@5.5.4))(typescript@5.5.4)
-      '@trigger.dev/build':
-        specifier: workspace:*
-        version: link:../../packages/build
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-    devDependencies:
-      prisma:
-        specifier: 6.19.0
-        version: 6.19.0(typescript@5.5.4)
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-
-  references/prisma-7:
-    dependencies:
-      '@prisma/adapter-pg':
-        specifier: 6.20.0-integration-next.8
-        version: 6.20.0-integration-next.8
-      '@prisma/client':
-        specifier: 6.20.0-integration-next.8
-        version: 6.20.0-integration-next.8(prisma@6.20.0-integration-next.8(@types/react@19.2.14)(magicast@0.3.5)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)(typescript@5.5.4))(typescript@5.5.4)
-      '@trigger.dev/build':
-        specifier: workspace:*
-        version: link:../../packages/build
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-      dotenv:
-        specifier: ^17.2.3
-        version: 17.2.3
-    devDependencies:
-      prisma:
-        specifier: 6.20.0-integration-next.8
-        version: 6.20.0-integration-next.8(@types/react@19.2.14)(magicast@0.3.5)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)(typescript@5.5.4)
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-
-  references/python-catalog:
-    dependencies:
-      '@trigger.dev/python':
-        specifier: workspace:*
-        version: link:../../packages/python
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-      zod:
-        specifier: 3.25.76
-        version: 3.25.76
-    devDependencies:
-      '@trigger.dev/build':
-        specifier: workspace:*
-        version: link:../../packages/build
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-      typescript:
-        specifier: 5.5.4
-        version: 5.5.4
-
-  references/realtime-hooks-test:
-    dependencies:
-      '@trigger.dev/react-hooks':
-        specifier: workspace:*
-        version: link:../../packages/react-hooks
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-      next:
-        specifier: 15.5.6
-        version: 15.5.6(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
-      react:
-        specifier: 19.1.0
-        version: 19.1.0
-      react-dom:
-        specifier: 19.1.0
-        version: 19.1.0(react@19.1.0)
-      zod:
-        specifier: 3.25.76
-        version: 3.25.76
-    devDependencies:
-      '@tailwindcss/postcss':
-        specifier: ^4
-        version: 4.0.17
-      '@types/node':
-        specifier: 20.14.14
-        version: 20.14.14
-      '@types/react':
-        specifier: ^19
-        version: 19.0.12
-      '@types/react-dom':
-        specifier: ^19
-        version: 19.0.4(@types/react@19.0.12)
-      tailwindcss:
-        specifier: ^4
-        version: 4.0.17
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-      typescript:
-        specifier: 5.5.4
-        version: 5.5.4
-
-  references/realtime-streams:
-    dependencies:
-      '@ai-sdk/openai':
-        specifier: ^2.0.53
-        version: 2.0.53(zod@3.25.76)
-      '@trigger.dev/react-hooks':
-        specifier: workspace:*
-        version: link:../../packages/react-hooks
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-      ai:
-        specifier: ^5.0.76
-        version: 5.0.76(zod@3.25.76)
-      next:
-        specifier: 15.5.6
-        version: 15.5.6(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
-      react:
-        specifier: 19.1.0
-        version: 19.1.0
-      react-dom:
-        specifier: 19.1.0
-        version: 19.1.0(react@19.1.0)
-      shiki:
-        specifier: ^3.13.0
-        version: 3.13.0
-      streamdown:
-        specifier: ^1.4.0
-        version: 1.4.0(@types/react@19.0.12)(react@19.1.0)
-      zod:
-        specifier: 3.25.76
-        version: 3.25.76
-    devDependencies:
-      '@tailwindcss/postcss':
-        specifier: ^4
-        version: 4.0.17
-      '@types/node':
-        specifier: 20.14.14
-        version: 20.14.14
-      '@types/react':
-        specifier: ^19
-        version: 19.0.12
-      '@types/react-dom':
-        specifier: ^19
-        version: 19.0.4(@types/react@19.0.12)
-      tailwindcss:
-        specifier: ^4
-        version: 4.0.17
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-      typescript:
-        specifier: 5.5.4
-        version: 5.5.4
-
-  references/seed:
-    dependencies:
-      '@sinclair/typebox':
-        specifier: ^0.34.3
-        version: 0.34.38
-      '@trigger.dev/build':
-        specifier: workspace:*
-        version: link:../../packages/build
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-      arktype:
-        specifier: ^2.0.0
-        version: 2.1.20
-      openai:
-        specifier: ^4.97.0
-        version: 4.97.0(encoding@0.1.13)(ws@8.18.3(bufferutil@4.0.9))(zod@3.25.76)
-      puppeteer-core:
-        specifier: ^24.15.0
-        version: 24.15.0(bufferutil@4.0.9)
-      replicate:
-        specifier: ^1.0.1
-        version: 1.0.1
-      yup:
-        specifier: ^1.6.1
-        version: 1.7.0
-      zod:
-        specifier: 3.25.76
-        version: 3.25.76
-    devDependencies:
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-
-  references/telemetry:
-    dependencies:
-      '@opentelemetry/resources':
-        specifier: 2.2.0
-        version: 2.2.0(@opentelemetry/api@1.9.0)
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-    devDependencies:
-      '@types/node':
-        specifier: 20.14.14
-        version: 20.14.14
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-      typescript:
-        specifier: 5.5.4
-        version: 5.5.4
-
-  references/test-tasks:
-    dependencies:
-      '@trigger.dev/sdk':
-        specifier: workspace:*
-        version: link:../../packages/trigger-sdk
-      zod:
-        specifier: 3.25.76
-        version: 3.25.76
-    devDependencies:
-      '@trigger.dev/build':
-        specifier: workspace:*
-        version: link:../../packages/build
-      trigger.dev:
-        specifier: workspace:*
-        version: link:../../packages/cli-v3
-      typescript:
-        specifier: 5.5.4
-        version: 5.5.4
-
 packages:
 
-  '@adobe/css-tools@4.4.0':
-    resolution: {integrity: sha512-Ff9+ksdQQB3rMncgqDK78uLznstjyfIf2Arnh22pW8kBpLs6rpKDwgnZT46hin5Hl1WzazzK64DOrhSwYpS7bQ==}
-
-  '@ai-sdk/anthropic@2.0.4':
-    resolution: {integrity: sha512-ii2bZEUPwBitUiK1dpX+HsOarcDGY71G9TVdSJqbfXSVqa+speJNZ8PA/bjuNMml0NyX8VxNsaMg3SwBUCZspA==}
-    engines: {node: '>=18'}
-    peerDependencies:
-      zod: ^3.25.76 || ^4
-
-  '@ai-sdk/gateway@1.0.6':
-    resolution: {integrity: sha512-JuSj1MtTr4vw2VBBth4wlbciQnQIV0o1YV9qGLFA+r85nR5H+cJp3jaYE0nprqfzC9rYG8w9c6XGHB3SDKgcgA==}
-    engines: {node: '>=18'}
-    peerDependencies:
-      zod: ^3.25.76 || ^4
-
-  '@ai-sdk/gateway@2.0.0':
-    resolution: {integrity: sha512-Gj0PuawK7NkZuyYgO/h5kDK/l6hFOjhLdTq3/Lli1FTl47iGmwhH1IZQpAL3Z09BeFYWakcwUmn02ovIm2wy9g==}
+  '@ai-sdk/gateway@3.0.104':
+    resolution: {integrity: sha512-ZKX5n74io8VIRlhIMSLWVlvT3sXC8Z7cZ9GHuWBWZDVi96+62AIsWuLGvMfcBA1STYuSoDrp6rIziZmvrTq0TA==}
     engines: {node: '>=18'}
     peerDependencies:
       zod: ^3.25.76 || ^4.1.8
@@ -2932,35 +2274,17 @@ packages:
     peerDependencies:
       zod: ^3.25.76 || ^4.1.8
 
-  '@ai-sdk/openai@1.0.1':
-    resolution: {integrity: sha512-snZge8457afWlosVNUn+BG60MrxAPOOm3zmIMxJZih8tneNSiRbTVCbSzAtq/9vsnOHDe5RR83PRl85juOYEnA==}
+  '@ai-sdk/gateway@4.0.0-beta.30':
+    resolution: {integrity: sha512-05tWxCb+3SRj5LBY37nRQ8eUdolO5QvKAfsIAUY3zAxg0jc1cBkQNSpZEVwQUR4uFm/Y5fLJ+MIa+6hkol1//A==}
     engines: {node: '>=18'}
     peerDependencies:
-      zod: ^3.0.0
+      zod: ^3.25.76 || ^4.1.8
 
-  '@ai-sdk/openai@1.3.23':
-    resolution: {integrity: sha512-86U7rFp8yacUAOE/Jz8WbGcwMCqWvjK33wk5DXkfnAOEn3mx2r7tNSJdjukQFZbAK97VMXGPPHxF+aEARDXRXQ==}
-    engines: {node: '>=18'}
+  '@ai-sdk/gateway@4.0.0-canary.93':
+    resolution: {integrity: sha512-/d0d/DfJRmdMJJww/ihrYezgKedJhrOCsREuAuSHmd/kVzFB5p2bBuCZH3EBxKFQ8NLtPJpOR+QJxOUmDLD8PA==}
+    engines: {node: '>=22'}
     peerDependencies:
-      zod: ^3.0.0
-
-  '@ai-sdk/openai@1.3.3':
-    resolution: {integrity: sha512-CH57tonLB4DwkwqwnMmTCoIOR7cNW3bP5ciyloI7rBGJS/Bolemsoo+vn5YnwkyT9O1diWJyvYeTh7A4UfiYOw==}
-    engines: {node: '>=18'}
-    peerDependencies:
-      zod: ^3.0.0
-
-  '@ai-sdk/openai@2.0.14':
-    resolution: {integrity: sha512-u/wi1ixcvcg29wAJySjO803HlXpyCl6mkcOHn+Zn7DA+CtjuQNkKikJ4pZBc7I3Qhi90kA4XnOfKikhBXh4c4Q==}
-    engines: {node: '>=18'}
-    peerDependencies:
-      zod: ^3.25.76 || ^4
-
-  '@ai-sdk/openai@2.0.53':
-    resolution: {integrity: sha512-GIkR3+Fyif516ftXv+YPSPstnAHhcZxNoR2s8uSHhQ1yBT7I7aQYTVwpjAuYoT3GR+TeP50q7onj2/nDRbT2FQ==}
-    engines: {node: '>=18'}
-    peerDependencies:
-      zod: ^3.25.76 || ^4.1.8
+      zod: ^3.25.76 || ^4.1.8
 
   '@ai-sdk/openai@3.0.41':
     resolution: {integrity: sha512-IZ42A+FO+vuEQCVNqlnAPYQnnUpUfdJIwn1BEDOBywiEHa23fw7PahxVtlX9zm3/zMvTW4JKPzWyvAgDu+SQ2A==}
@@ -2968,17 +2292,12 @@ packages:
     peerDependencies:
       zod: ^3.25.76 || ^4.1.8
 
-  '@ai-sdk/provider-utils@1.0.22':
-    resolution: {integrity: sha512-YHK2rpj++wnLVc9vPGzGFP3Pjeld2MwhKinetA0zKXOoHAT/Jit5O8kZsxcSlJPu9wvcGT1UGZEjZrtO7PfFOQ==}
+  '@ai-sdk/otel@1.0.0-beta.6':
+    resolution: {integrity: sha512-K5VikyO3EKQkNk77ew9oMjM8FInKF+WWar599LmP8rQ0x0iB+P/DVS+h6zQvmecxMNPtQOOyt0uDQFx/AA0DGw==}
     engines: {node: '>=18'}
-    peerDependencies:
-      zod: ^3.0.0
-    peerDependenciesMeta:
-      zod:
-        optional: true
 
-  '@ai-sdk/provider-utils@2.0.0':
-    resolution: {integrity: sha512-uITgVJByhtzuQU2ZW+2CidWRmQqTUTp6KADevy+4aRnmILZxY2LCt+UZ/ZtjJqq0MffwkuQPPY21ExmFAQ6kKA==}
+  '@ai-sdk/provider-utils@1.0.22':
+    resolution: {integrity: sha512-YHK2rpj++wnLVc9vPGzGFP3Pjeld2MwhKinetA0zKXOoHAT/Jit5O8kZsxcSlJPu9wvcGT1UGZEjZrtO7PfFOQ==}
     engines: {node: '>=18'}
     peerDependencies:
       zod: ^3.0.0
@@ -2986,39 +2305,33 @@ packages:
       zod:
         optional: true
 
-  '@ai-sdk/provider-utils@2.2.1':
-    resolution: {integrity: sha512-BuExLp+NcpwsAVj1F4bgJuQkSqO/+roV9wM7RdIO+NVrcT8RBUTdXzf5arHt5T58VpK7bZyB2V9qigjaPHE+Dg==}
-    engines: {node: '>=18'}
-    peerDependencies:
-      zod: ^3.23.8
-
-  '@ai-sdk/provider-utils@2.2.8':
-    resolution: {integrity: sha512-fqhG+4sCVv8x7nFzYnFo19ryhAa3w096Kmc3hWxMQfW/TubPOmt3A6tYZhl4mUfQWWQMsuSkLrtjlWuXBVSGQA==}
+  '@ai-sdk/provider-utils@4.0.1':
+    resolution: {integrity: sha512-de2v8gH9zj47tRI38oSxhQIewmNc+OZjYIOOaMoVWKL65ERSav2PYYZHPSPCrfOeLMkv+Dyh8Y0QGwkO29wMWQ==}
     engines: {node: '>=18'}
     peerDependencies:
-      zod: ^3.23.8
+      zod: ^3.25.76 || ^4.1.8
 
-  '@ai-sdk/provider-utils@3.0.12':
-    resolution: {integrity: sha512-ZtbdvYxdMoria+2SlNarEk6Hlgyf+zzcznlD55EAl+7VZvJaSg2sqPvwArY7L6TfDEDJsnCq0fdhBSkYo0Xqdg==}
+  '@ai-sdk/provider-utils@4.0.19':
+    resolution: {integrity: sha512-3eG55CrSWCu2SXlqq2QCsFjo3+E7+Gmg7i/oRVoSZzIodTuDSfLb3MRje67xE9RFea73Zao7Lm4mADIfUETKGg==}
     engines: {node: '>=18'}
     peerDependencies:
       zod: ^3.25.76 || ^4.1.8
 
-  '@ai-sdk/provider-utils@3.0.3':
-    resolution: {integrity: sha512-kAxIw1nYmFW1g5TvE54ZB3eNtgZna0RnLjPUp1ltz1+t9xkXJIuDT4atrwfau9IbS0BOef38wqrI8CjFfQrxhw==}
+  '@ai-sdk/provider-utils@4.0.23':
+    resolution: {integrity: sha512-z8GlDaCmRSDlqkMF2f4/RFgWxdarvIbyuk+m6WXT1LYgsnGiXRJGTD2Z1+SDl3LqtFuRtGX1aghYvQLoHL/9pg==}
     engines: {node: '>=18'}
     peerDependencies:
-      zod: ^3.25.76 || ^4
+      zod: ^3.25.76 || ^4.1.8
 
-  '@ai-sdk/provider-utils@4.0.1':
-    resolution: {integrity: sha512-de2v8gH9zj47tRI38oSxhQIewmNc+OZjYIOOaMoVWKL65ERSav2PYYZHPSPCrfOeLMkv+Dyh8Y0QGwkO29wMWQ==}
+  '@ai-sdk/provider-utils@5.0.0-beta.9':
+    resolution: {integrity: sha512-Ku/S1TV8ibqlweKQHa22eWT9QvKqR4hkl7KMJ0k7kw64Q7XObh12fJUnK4Mh8q+IR5ZeQGm95SLtx++d7FC6XA==}
     engines: {node: '>=18'}
     peerDependencies:
       zod: ^3.25.76 || ^4.1.8
 
-  '@ai-sdk/provider-utils@4.0.19':
-    resolution: {integrity: sha512-3eG55CrSWCu2SXlqq2QCsFjo3+E7+Gmg7i/oRVoSZzIodTuDSfLb3MRje67xE9RFea73Zao7Lm4mADIfUETKGg==}
-    engines: {node: '>=18'}
+  '@ai-sdk/provider-utils@5.0.0-canary.44':
+    resolution: {integrity: sha512-3h7gp8MEwXACWsW8ZPjzio53ynKq0jTNp4Hwr0BWdychMFzmkRRWyvijhg56JWxye16FU92SqQnfBoe2PN4I2A==}
+    engines: {node: '>=22'}
     peerDependencies:
       zod: ^3.25.76 || ^4.1.8
 
@@ -3026,22 +2339,6 @@ packages:
     resolution: {integrity: sha512-dQkfBDs2lTYpKM8389oopPdQgIU007GQyCbuPPrV+K6MtSII3HBfE0stUIMXUb44L+LK1t6GXPP7wjSzjO6uKg==}
     engines: {node: '>=18'}
 
-  '@ai-sdk/provider@1.0.0':
-    resolution: {integrity: sha512-Sj29AzooJ7SYvhPd+AAWt/E7j63E9+AzRnoMHUaJPRYzOd/WDrVNxxv85prF9gDcQ7XPVlSk9j6oAZV9/DXYpA==}
-    engines: {node: '>=18'}
-
-  '@ai-sdk/provider@1.1.0':
-    resolution: {integrity: sha512-0M+qjp+clUD0R1E5eWQFhxEvWLNaOtGQRUaBn8CUABnSKredagq92hUS9VjOzGsTm37xLfpaxl97AVtbeOsHew==}
-    engines: {node: '>=18'}
-
-  '@ai-sdk/provider@1.1.3':
-    resolution: {integrity: sha512-qZMxYJ0qqX/RfnuIaab+zp8UAeJn/ygXXAffR5I4N0n1IrvA6qBsjc8hXLmBiMV2zoXlifkacF7sEFnYnjBcqg==}
-    engines: {node: '>=18'}
-
-  '@ai-sdk/provider@2.0.0':
-    resolution: {integrity: sha512-6o7Y2SeO9vFKB8lArHXehNuusnpddKPk7xqL7T2/b+OvXMRIXUO1rR4wcv1hAFUAT9avGZshty3Wlua/XA7TvA==}
-    engines: {node: '>=18'}
-
   '@ai-sdk/provider@3.0.0':
     resolution: {integrity: sha512-m9ka3ptkPQbaHHZHqDXDF9C9B5/Mav0KTdky1k2HZ3/nrW2t1AgObxIVPyGDWQNS9FXT/FS6PIoSjpcP/No8rQ==}
     engines: {node: '>=18'}
@@ -3050,58 +2347,19 @@ packages:
     resolution: {integrity: sha512-oGMAgGoQdBXbZqNG0Ze56CHjDZ1IDYOwGYxYjO5KLSlz5HiNQ9udIXsPZ61VWaHGZ5XW/jyjmr6t2xz2jGVwbQ==}
     engines: {node: '>=18'}
 
-  '@ai-sdk/react@1.0.0':
-    resolution: {integrity: sha512-BDrZqQA07Btg64JCuhFvBgYV+tt2B8cXINzEqWknGoxqcwgdE8wSLG2gkXoLzyC2Rnj7oj0HHpOhLUxDCmoKZg==}
+  '@ai-sdk/provider@4.0.0-beta.5':
+    resolution: {integrity: sha512-+07aGNCVXEKgGXtAXjjROPcpHMudWfvsm5UvlZ4LtTfjX9cT61x7h3W0pSSpWY/H7doymdm8PmuX6Z8AvP03WQ==}
     engines: {node: '>=18'}
-    peerDependencies:
-      react: ^18 || ^19 || ^19.0.0-rc
-      zod: ^3.0.0
-    peerDependenciesMeta:
-      react:
-        optional: true
-      zod:
-        optional: true
 
-  '@ai-sdk/react@1.2.12':
-    resolution: {integrity: sha512-jK1IZZ22evPZoQW3vlkZ7wvjYGYF+tRBKXtrcolduIkQ/m/sOAVcVeVDUDvh1T91xCnWCdUGCPZg2avZ90mv3g==}
-    engines: {node: '>=18'}
-    peerDependencies:
-      react: ^18 || ^19 || ^19.0.0-rc
-      zod: ^3.23.8
-    peerDependenciesMeta:
-      zod:
-        optional: true
+  '@ai-sdk/provider@4.0.0-canary.17':
+    resolution: {integrity: sha512-m/rtalImeIt7deuQGkEHehqlIPOM8Sjb0cF1b1SJ3B6Re+WYgbUkOK9gY2SSro1YO8jYBRgTMPz2qYzPtIzAxQ==}
+    engines: {node: '>=22'}
 
-  '@ai-sdk/react@1.2.2':
-    resolution: {integrity: sha512-rxyNTFjUd3IilVOJFuUJV5ytZBYAIyRi50kFS2gNmSEiG4NHMBBm31ddrxI/i86VpY8gzZVp1/igtljnWBihUA==}
+  '@ai-sdk/react@3.0.170':
+    resolution: {integrity: sha512-YUDn+mK0c8iUz14rCBf1A0zg6SV5b5aSVUz+azF1bdBd1SFXVI19dKYR+PQSpZY+0+z+zs252AAsacUqiO98Kw==}
     engines: {node: '>=18'}
     peerDependencies:
-      react: ^18 || ^19 || ^19.0.0-rc
-      zod: ^3.23.8
-    peerDependenciesMeta:
-      zod:
-        optional: true
-
-  '@ai-sdk/ui-utils@1.0.0':
-    resolution: {integrity: sha512-oXBDIM/0niWeTWyw77RVl505dNxBUDLLple7bTsqo2d3i1UKwGlzBUX8XqZsh7GbY7I6V05nlG0Y8iGlWxv1Aw==}
-    engines: {node: '>=18'}
-    peerDependencies:
-      zod: ^3.0.0
-    peerDependenciesMeta:
-      zod:
-        optional: true
-
-  '@ai-sdk/ui-utils@1.2.1':
-    resolution: {integrity: sha512-BzvMbYm7LHBlbWuLlcG1jQh4eu14MGpz7L+wrGO1+F4oQ+O0fAjgUSNwPWGlZpKmg4NrcVq/QLmxiVJrx2R4Ew==}
-    engines: {node: '>=18'}
-    peerDependencies:
-      zod: ^3.23.8
-
-  '@ai-sdk/ui-utils@1.2.11':
-    resolution: {integrity: sha512-3zcwCc8ezzFlwp3ZD15wAPjf2Au4s3vAbKsXQVyhxODHcmu0iyPO2Eua6D/vicq/AUm/BAo60r97O6HU+EI0+w==}
-    engines: {node: '>=18'}
-    peerDependencies:
-      zod: ^3.23.8
+      react: ^18 || ~19.0.1 || ~19.1.2 || ^19.2.1
 
   '@alloc/quick-lru@5.2.0':
     resolution: {integrity: sha512-UrcABB+4bUrFABwbluTIBErXwvbsU/V7TZWfmbgJfbkwiBuziS9gxdODUyuiecfdGQ85jglMW6juS3+z5TsKLw==}
@@ -3722,14 +2980,14 @@ packages:
     resolution: {integrity: sha512-sIyFcoPZkTtNu9xFeEoynMef3bPJIAbOfUh+ueYcfhVl6xm2VRtMcMclSxmZCMnHHd4hlYKJeq/aggmBEWynww==}
     engines: {node: '>=18.0.0'}
 
-  '@babel/code-frame@7.22.13':
-    resolution: {integrity: sha512-XktuhWlJ5g+3TJXc5upd9Ks1HutSArik6jf2eAjYFyIOf4ej3RN+184cZbzDvbPnuTJIUhPKKJE3cIsYTiAT3w==}
-    engines: {node: '>=6.9.0'}
-
   '@babel/code-frame@7.24.7':
     resolution: {integrity: sha512-BcYH1CVJBO9tvyIZ2jVeXgSIMvGZ2FDRvDdOIVQyuklNKSsx+eppDEBq/g47Ayw+RqNFE+URvOShmf+f/qwAlA==}
     engines: {node: '>=6.9.0'}
 
+  '@babel/code-frame@7.29.7':
+    resolution: {integrity: sha512-Aup7aUOfpbAUg2ROOJN6Iw5f9DMBlzu0mIkm/malLQFN/YQgO48wCj0Kxa3sEHJvPVFg7siR+qRInwXd2qhQKw==}
+    engines: {node: '>=6.9.0'}
+
   '@babel/compat-data@7.22.9':
     resolution: {integrity: sha512-5UamI7xkUcJ3i9qVDS+KFDEK8/7oJ55/sJMB1Ge7IEapr7KfdfV/HErR+koZwOfd+SgtFKOKRhRakdg++DcJpQ==}
     engines: {node: '>=6.9.0'}
@@ -3745,14 +3003,14 @@ packages:
       '@babel/core': '>=7.11.0'
       eslint: ^7.5.0 || ^8.0.0
 
-  '@babel/generator@7.22.15':
-    resolution: {integrity: sha512-Zu9oWARBqeVOW0dZOjXc3JObrzuqothQ3y/n1kUtrjCoCPLkXUwMvOo/F/TCfoHMbWIFlWwpZtkZVb9ga4U2pA==}
-    engines: {node: '>=6.9.0'}
-
   '@babel/generator@7.24.7':
     resolution: {integrity: sha512-oipXieGC3i45Y1A41t4tAqpnEZWgB/lC6Ehh6+rOviR5XWpTtMmLN+fGjz9vOiNRt0p6RtO6DtD0pdU3vpqdSA==}
     engines: {node: '>=6.9.0'}
 
+  '@babel/generator@7.29.7':
+    resolution: {integrity: sha512-DkXD5OJQaAQIdZ1bt3UZdEnHAn9Imd3IVBdX03UFe+ony9Ojw5pzr9YVKGDY1jt+Gcn/FnGkNf8r+Vj5NOJWtQ==}
+    engines: {node: '>=6.9.0'}
+
   '@babel/helper-annotate-as-pure@7.22.5':
     resolution: {integrity: sha512-LvBTxu8bQSQkcyKOU+a1btnNFQ1dMAd0R6PyW3arXes06F6QLWLIrd681bxRPIXlrMGR3XYnW9JyML7dP3qgxg==}
     engines: {node: '>=6.9.0'}
@@ -3767,10 +3025,6 @@ packages:
     peerDependencies:
       '@babel/core': ^7.0.0
 
-  '@babel/helper-environment-visitor@7.22.20':
-    resolution: {integrity: sha512-zfedSIzFhat/gFhWfHtgWvlec0nqB9YEIVrpuwjruLlXfUSnA8cJB0miHKwqDnQ7d32aKo2xt88/xZptwxbfhA==}
-    engines: {node: '>=6.9.0'}
-
   '@babel/helper-environment-visitor@7.24.7':
     resolution: {integrity: sha512-DoiN84+4Gnd0ncbBOM9AZENV4a5ZiL39HYMyZJGZ/AZEykHYdJw0wW3kdcsh9/Kn+BRXHLkkklZ51ecPKmI1CQ==}
     engines: {node: '>=6.9.0'}
@@ -3801,10 +3055,6 @@ packages:
     resolution: {integrity: sha512-HBwaojN0xFRx4yIvpwGqxiV2tUfl7401jlok564NgB9EHS1y6QT17FmKWm4ztqjeVdXLuC4fSvHc5ePpQjoTbw==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-plugin-utils@7.22.5':
-    resolution: {integrity: sha512-uLls06UVKgFG9QD4OeFYLEGteMIAa5kpTPcFL28yuCIIzsf6ZyKZMllKVOCZFhiZ5ptnwX4mtKdWCBE/uT4amg==}
-    engines: {node: '>=6.9.0'}
-
   '@babel/helper-plugin-utils@7.24.0':
     resolution: {integrity: sha512-9cUznXMG0+FxRuJfvL82QlTqIzhVW9sL0KjMPHhAOOvpQGL8QtdxnBKILjBqxlHyliz0yCa1G903ZXI/FuHy2w==}
     engines: {node: '>=6.9.0'}
@@ -3823,10 +3073,6 @@ packages:
     resolution: {integrity: sha512-tK14r66JZKiC43p8Ki33yLBVJKlQDFoA8GYN67lWCDCqoL6EMMSuM9b+Iff2jHaM/RRFYl7K+iiru7hbRqNx8Q==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-split-export-declaration@7.22.6':
-    resolution: {integrity: sha512-AsUnxuLhRYsisFiaJwvp1QF+I3KjD5FOxut14q/GzovUe6orHLesW2C7d754kRm53h5gqrz6sFl6sxc4BVtE/g==}
-    engines: {node: '>=6.9.0'}
-
   '@babel/helper-split-export-declaration@7.24.7':
     resolution: {integrity: sha512-oy5V7pD+UvfkEATUKvIjvIAH/xCzfsFVw7ygW2SI6NClZzquT+mwdTfgfdbUiceh6iQO0CHtCPsyze/MZ2YbAA==}
     engines: {node: '>=6.9.0'}
@@ -3835,26 +3081,26 @@ packages:
     resolution: {integrity: sha512-7MbVt6xrwFQbunH2DNQsAP5sTGxfqQtErvBIvIMi6EQnbgUOuVYanvREcmFrOPhoXBrTtjhhP+lW+o5UfK+tDg==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-string-parser@7.25.9':
-    resolution: {integrity: sha512-4A/SCr/2KLd5jrtOMFzaKjVtAei3+2r/NChoBNoZ3EyP/+GlhoaEGoWOZUmFmoITP7zOJyHIMm+DYRd8o3PvHA==}
-    engines: {node: '>=6.9.0'}
-
   '@babel/helper-string-parser@7.27.1':
     resolution: {integrity: sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-validator-identifier@7.24.7':
-    resolution: {integrity: sha512-rR+PBcQ1SMQDDyF6X0wxtG8QyLCgUB0eRAGguqRLfkCA87l7yAP7ehq8SNj96OOGTO8OBV70KhuFYcIkHXOg0w==}
+  '@babel/helper-string-parser@7.29.7':
+    resolution: {integrity: sha512-Pb5ijPrZ89GDH8223L4UP8i6QApWxs04RbPQJTeWDV0/keR2E36MeKnyr6LYmUUvqRRI+Iv87SuF1W6ErINzYw==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/helper-validator-identifier@7.25.9':
-    resolution: {integrity: sha512-Ed61U6XJc3CVRfkERJWDz4dJwKe7iLmmJsbOGu9wSloNSFttHV0I8g6UAgb7qnK5ly5bGLPd4oXZlxCdANBOWQ==}
+  '@babel/helper-validator-identifier@7.24.7':
+    resolution: {integrity: sha512-rR+PBcQ1SMQDDyF6X0wxtG8QyLCgUB0eRAGguqRLfkCA87l7yAP7ehq8SNj96OOGTO8OBV70KhuFYcIkHXOg0w==}
     engines: {node: '>=6.9.0'}
 
   '@babel/helper-validator-identifier@7.27.1':
     resolution: {integrity: sha512-D2hP9eA+Sqx1kBZgzxZh0y1trbuU+JoDkiEwqhQ36nodYqJwyEIhPSdMNd7lOm/4io72luTPWH20Yda0xOuUow==}
     engines: {node: '>=6.9.0'}
 
+  '@babel/helper-validator-identifier@7.29.7':
+    resolution: {integrity: sha512-qehxGkRj55h/ff8EMaJ+cYhyaKlHIxqYDn682wQD7RNp9UujOQsHog2uS0r2vzr4pW+sXf90NeeayjcNaX3fFg==}
+    engines: {node: '>=6.9.0'}
+
   '@babel/helper-validator-option@7.22.15':
     resolution: {integrity: sha512-bMn7RmyFjY/mdECUbgn9eoSY4vqvacUnS9i9vGAGttgFWesO6B4CYWA7XlpbWgBt71iv/hfbPlynohStqnu5hA==}
     engines: {node: '>=6.9.0'}
@@ -3863,19 +3109,10 @@ packages:
     resolution: {integrity: sha512-7pAjK0aSdxOwR+CcYAqgWOGy5dcfvzsTIfFTb2odQqW47MDfv14UaJDY6eng8ylM2EaeKXdxaSWESbkmaQHTmw==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/highlight@7.22.13':
-    resolution: {integrity: sha512-C/BaXcnnvBCmHTpz/VGZ8jgtE2aYlW4hxDhseJAWZb7gqGM/qtCK6iZUb0TyKFf7BOUsBH7Q7fkRsDRhg1XklQ==}
-    engines: {node: '>=6.9.0'}
-
   '@babel/highlight@7.24.7':
     resolution: {integrity: sha512-EStJpq4OuY8xYfhGVXngigBJRWxftKX9ksiGDnmlY3o7B/V7KIAc9X4oiK87uPJSc/vs5L869bem5fhZa8caZw==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/parser@7.24.1':
-    resolution: {integrity: sha512-Zo9c7N3xdOIQrNip7Lc9wvRPzlRtovHVE4lkz8WEDr7uYh/GMQhSiIgFxGIArRHYdJE5kxtZjAf8rT0xhdLCzg==}
-    engines: {node: '>=6.0.0'}
-    hasBin: true
-
   '@babel/parser@7.24.7':
     resolution: {integrity: sha512-9uUYRm6OqQrCqQdG1iCBwBPZgN8ciDBro2nIOFaiRz1/BCxaI7CNvQbDHvsArAC7Tw9Hda/B3U+6ui9u4HWXPw==}
     engines: {node: '>=6.0.0'}
@@ -3891,6 +3128,11 @@ packages:
     engines: {node: '>=6.0.0'}
     hasBin: true
 
+  '@babel/parser@7.29.7':
+    resolution: {integrity: sha512-hnORnjP/1P/zFEndoeX+n+t1RwWRJiJpM/jO7FW32Kn9r5+sJB2JWOdYo4L6k78j15eCwY3Gm/7364B1EMwtNg==}
+    engines: {node: '>=6.0.0'}
+    hasBin: true
+
   '@babel/plugin-syntax-decorators@7.22.10':
     resolution: {integrity: sha512-z1KTVemBjnz+kSEilAsI4lbkPOl5TvJH7YDSY1CTIzvLWJ+KHXp+mRe8VPmfnyvqOPqar1V2gid2PleKzRUstQ==}
     engines: {node: '>=6.9.0'}
@@ -3973,10 +3215,6 @@ packages:
     resolution: {integrity: sha512-AOPI3D+a8dXnja+iwsUqGRjr1BbZIe771sXdapOtYI531gSqpi92vXivKcq2asu/DFpdl1ceFAKZyRzK2PCVcQ==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/runtime@7.27.0':
-    resolution: {integrity: sha512-VtPOkrdPHZsKc/clNqyi9WUA8TINkZ4cGk63UUE3u4pmB2k+ZMQRDuIOagv8UVd6j7k0T3+RRIb7beKTebNbcw==}
-    engines: {node: '>=6.9.0'}
-
   '@babel/runtime@7.27.4':
     resolution: {integrity: sha512-t3yaEOuGu9NlIZ+hIeGbBjFtZT7j2cb2tg0fuaJKeGotchRjjLfrBA9Kwf8quhpP1EUuxModQg04q/mBwyg8uA==}
     engines: {node: '>=6.9.0'}
@@ -3985,34 +3223,34 @@ packages:
     resolution: {integrity: sha512-Q/N6JNWvIvPnLDvjlE1OUBLPQHH6l3CltCEsHIujp45zQUSSh8K+gHnaEX45yAT1nyngnINhvWtzN+Nb9D8RAQ==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/template@7.22.15':
-    resolution: {integrity: sha512-QPErUVm4uyJa60rkI73qneDacvdvzxshT3kksGqlGWYdOTIUOwJ7RDUL8sGqslY1uXWSL6xMFKEXDS3ox2uF0w==}
-    engines: {node: '>=6.9.0'}
-
   '@babel/template@7.24.7':
     resolution: {integrity: sha512-jYqfPrU9JTF0PmPy1tLYHW4Mp4KlgxJD9l2nP9fD6yT/ICi554DmrWBAEYpIelzjHf1msDP3PxJIRt/nFNfBig==}
     engines: {node: '>=6.9.0'}
 
+  '@babel/template@7.29.7':
+    resolution: {integrity: sha512-puq+Gf35oI24FeN11LkoUQFqv9uwNeWpxXZi/Ji3rRIoKAzKnxRaZ+Gkj0vKS9ZCiTESfng1N9LyOyXvo+m+Gg==}
+    engines: {node: '>=6.9.0'}
+
   '@babel/traverse@7.24.7':
     resolution: {integrity: sha512-yb65Ed5S/QAcewNPh0nZczy9JdYXkkAbIsEo+P7BE7yO3txAY30Y/oPa3QkQ5It3xVG2kpKMg9MsdxZaO31uKA==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/types@7.24.0':
-    resolution: {integrity: sha512-+j7a5c253RfKh8iABBhywc8NSfP5LURe7Uh4qpsh6jc+aLJguvmIUBdjSdEMQv2bENrCR5MfRdjGo7vzS/ob7w==}
+  '@babel/traverse@7.27.0':
+    resolution: {integrity: sha512-19lYZFzYVQkkHkl4Cy4WrAVcqBkgvV2YM2TU3xG6DIwO7O3ecbDPfW3yM3bjAGcqcQHi+CCtjMR3dIEHxsd6bA==}
     engines: {node: '>=6.9.0'}
 
   '@babel/types@7.24.7':
     resolution: {integrity: sha512-XEFXSlxiG5td2EJRe8vOmRbaXVgfcBlszKujvVmWIK/UpywWljQCfzAv3RQCGujWQ1RD4YYWEAqDXfuJiy8f5Q==}
     engines: {node: '>=6.9.0'}
 
-  '@babel/types@7.27.0':
-    resolution: {integrity: sha512-H45s8fVLYjbhFH62dIJ3WtmJ6RSPt/3DRO0ZcT2SUiYiQyz3BLVb9ADEnLl91m74aQPS3AzzeajZHYOalWe3bg==}
-    engines: {node: '>=6.9.0'}
-
   '@babel/types@7.27.3':
     resolution: {integrity: sha512-Y1GkI4ktrtvmawoSq+4FCVHNryea6uR+qUQy0AGxLSsjCX0nVmkYQMBLHDkXZuo5hGx7eYdnIaslsdBFm7zbUw==}
     engines: {node: '>=6.9.0'}
 
+  '@babel/types@7.29.7':
+    resolution: {integrity: sha512-4zBIxpPzowiZpusoFkyGVwakdRJUyuH5PxQ/PrqghfdFWWasvnCdPfQXHrenDai+gyLARulZjZowCOj6fjT4pA==}
+    engines: {node: '>=6.9.0'}
+
   '@balena/dockerignore@1.0.2':
     resolution: {integrity: sha512-wMue2Sy4GAVTk6Ic4tJVcnfdau+gx2EnG7S+uAEe+TWJFqE4YoWN4/H8MSLj4eYJKxGg26lZwboEniNiNwZQ6Q==}
 
@@ -4029,9 +3267,6 @@ packages:
   '@bufbuild/protobuf@1.10.0':
     resolution: {integrity: sha512-QDdVFLoN93Zjg36NoQPZfsVH9tZew7wKDKyV5qRdj8ntT4wQCOradQjRaTdwMhWUYsgKsvCINKKm87FdEk96Ag==}
 
-  '@bufbuild/protobuf@2.2.5':
-    resolution: {integrity: sha512-/g5EzJifw5GF8aren8wZ/G5oMuPoGeS6MQD3ca8ddcvdXR5UELUfdTZITCGNhNXynY/AYl3Z4plmxdj/tRl/hQ==}
-
   '@bugsnag/cuid@3.1.1':
     resolution: {integrity: sha512-d2z4b0rEo3chI07FNN1Xds8v25CNeekecU6FC/2Fs9MxY2EipkZTThVcV2YinMn8dvRUlViKOyC50evoUxg8tw==}
 
@@ -4090,20 +3325,20 @@ packages:
   '@changesets/write@0.2.3':
     resolution: {integrity: sha512-Dbamr7AIMvslKnNYsLFafaVORx4H0pvCA2MHqgtNCySMe1blImEyAEOzDmcgKAkgz4+uwoLz7demIrX+JBr/Xw==}
 
-  '@chevrotain/cst-dts-gen@11.0.3':
-    resolution: {integrity: sha512-BvIKpRLeS/8UbfxXxgC33xOumsacaeCKAjAeLyOn7Pcp95HiRbrpl14S+9vaZLolnbssPIUuiUd8IvgkRyt6NQ==}
+  '@chevrotain/cst-dts-gen@12.0.0':
+    resolution: {integrity: sha512-fSL4KXjTl7cDgf0B5Rip9Q05BOrYvkJV/RrBTE/bKDN096E4hN/ySpcBK5B24T76dlQ2i32Zc3PAE27jFnFrKg==}
 
-  '@chevrotain/gast@11.0.3':
-    resolution: {integrity: sha512-+qNfcoNk70PyS/uxmj3li5NiECO+2YKZZQMbmjTqRI3Qchu8Hig/Q9vgkHpI3alNjr7M+a2St5pw5w5F6NL5/Q==}
+  '@chevrotain/gast@12.0.0':
+    resolution: {integrity: sha512-1ne/m3XsIT8aEdrvT33so0GUC+wkctpUPK6zU9IlOyJLUbR0rg4G7ZiApiJbggpgPir9ERy3FRjT6T7lpgetnQ==}
 
-  '@chevrotain/regexp-to-ast@11.0.3':
-    resolution: {integrity: sha512-1fMHaBZxLFvWI067AVbGJav1eRY7N8DDvYCTwGBiE/ytKBgP8azTdgyrKyWZ9Mfh09eHWb5PgTSO8wi7U824RA==}
+  '@chevrotain/regexp-to-ast@12.0.0':
+    resolution: {integrity: sha512-p+EW9MaJwgaHguhoqwOtx/FwuGr+DnNn857sXWOi/mClXIkPGl3rn7hGNWvo31HA3vyeQxjqe+H36yZJwYU8cA==}
 
-  '@chevrotain/types@11.0.3':
-    resolution: {integrity: sha512-gsiM3G8b58kZC2HaWR50gu6Y1440cHiJ+i3JUvcp/35JchYejb2+5MVeJK0iKThYpAa/P2PYFV4hoi44HD+aHQ==}
+  '@chevrotain/types@12.0.0':
+    resolution: {integrity: sha512-S+04vjFQKeuYw0/eW3U52LkAHQsB1ASxsPGsLPUyQgrZ2iNNibQrsidruDzjEX2JYfespXMG0eZmXlhA6z7nWA==}
 
-  '@chevrotain/utils@11.0.3':
-    resolution: {integrity: sha512-YslZMgtJUyuMbZ+aKvfF3x1f5liK4mWNxghFRv7jqRR9C3R3fAOGTTKvxXDa2Y1s9zSbcpuO0cAxDYsc9SrXoQ==}
+  '@chevrotain/utils@12.0.0':
+    resolution: {integrity: sha512-lB59uJoaGIfOOL9knQqQRfhl9g7x8/wqFkp13zTdkRu1huG9kg6IJs1O8hqj9rs6h7orGxHJUKb+mX3rPbWGhA==}
 
   '@clack/core@0.5.0':
     resolution: {integrity: sha512-p3y0FIOwaYRUPRcMO7+dlmLh8PSRcrjuTndsiA0WAFbWES0mLZlrjVoBRZ9DzkPFJZG6KGkJmoEAY0ZcVWTkow==}
@@ -4188,22 +3423,11 @@ packages:
       '@bufbuild/protobuf': ^1.4.2
       '@connectrpc/connect': 1.4.0
 
-  '@connectrpc/connect-web@2.0.0-rc.3':
-    resolution: {integrity: sha512-w88P8Lsn5CCsA7MFRl2e6oLY4J/5toiNtJns/YJrlyQaWOy3RO8pDgkz+iIkG98RPMhj2thuBvsd3Cn4DKKCkw==}
-    peerDependencies:
-      '@bufbuild/protobuf': ^2.2.0
-      '@connectrpc/connect': 2.0.0-rc.3
-
   '@connectrpc/connect@1.4.0':
     resolution: {integrity: sha512-vZeOkKaAjyV4+RH3+rJZIfDFJAfr+7fyYr6sLDKbYX3uuTVszhFe9/YKf5DNqrDb5cKdKVlYkGn6DTDqMitAnA==}
     peerDependencies:
       '@bufbuild/protobuf': ^1.4.2
 
-  '@connectrpc/connect@2.0.0-rc.3':
-    resolution: {integrity: sha512-ARBt64yEyKbanyRETTjcjJuHr2YXorzQo0etyS5+P6oSeW8xEuzajA9g+zDnMcj1hlX2dQE93foIWQGfpru7gQ==}
-    peerDependencies:
-      '@bufbuild/protobuf': ^2.2.0
-
   '@date-fns/tz@1.4.1':
     resolution: {integrity: sha512-P5LUNhtbj6YfI3iJjw5EL9eUAG6OitD0W3fWQcpQjDRc/QIsL0tRNuO1PcDvPccWL1fSTXXdE1ds+l95DV/OFA==}
 
@@ -4269,26 +3493,6 @@ packages:
   '@depot/sdk-node@1.0.0':
     resolution: {integrity: sha512-zq1xqesqGhp58Rh0bTXhsjoC8X+L+LwZABLlQh7Rm45770nGtAABa3GtU1n/776YTMI1gIAhzc++Jxae3H0J4w==}
 
-  '@discoveryjs/json-ext@0.5.7':
-    resolution: {integrity: sha512-dBVuXR082gk3jsFp7Rd/JI4kytwGHecnCoTtXFb7DB6CNHp4rg5k1bhg0nWdLGLnOV71lmDzGQaLMy8iPLY0pw==}
-    engines: {node: '>=10.0.0'}
-
-  '@e2b/code-interpreter@1.1.0':
-    resolution: {integrity: sha512-T54U7WS56ou11ytoxlYllBRBM+MYBpOvVZQa1p1qE4KDZBKJd9m1kAA0PqHjy5T6f/tSv4w5wlq4oyExl4QLLA==}
-    engines: {node: '>=18'}
-
-  '@effect/platform@0.63.2':
-    resolution: {integrity: sha512-b39pVFw0NGo/tXjGShW7Yg0M+kG7bRrFR6+dQ3aIu99ePTkTp6bGb/kDB7n+dXsFFdIqHsQGYESeYcOQngxdFQ==}
-    peerDependencies:
-      '@effect/schema': ^0.72.2
-      effect: ^3.7.2
-
-  '@effect/schema@0.72.2':
-    resolution: {integrity: sha512-/x1BIA2pqcUidNrOMmwYe6Z58KtSgHSc5iJu7bNwIxi2LHMVuUao1BvpI5x6i7T/zkoi4dd1S6qasZzJIYDjdw==}
-    deprecated: this package has been merged into the main effect package
-    peerDependencies:
-      effect: ^3.7.2
-
   '@electric-sql/client@0.4.0':
     resolution: {integrity: sha512-YVYSqHitqVIDC1RBTfmHMfAfqDNAKMK9/AFVTDFQQxN3Q85dIQS49zThAuJVecYiuYRJvTiqf40c4n39jZSNrQ==}
 
@@ -4303,9 +3507,6 @@ packages:
       react:
         optional: true
 
-  '@emnapi/runtime@1.7.1':
-    resolution: {integrity: sha512-PVtJr5CmLwYAU9PZDMITZoR5iAOShYREoR45EyyLrbntV50mdePTgUn4AmOw90Ifcj+x2kRjdzr1HP3RrNiHGA==}
-
   '@emotion/hash@0.9.0':
     resolution: {integrity: sha512-14FtKiHhy2QoPIzdTcvh//8OyBlknNs2nXRwIhG904opCby3l+9Xaf/wuPvICBF0rc1ZCNBd3nKe9cd2mecVkQ==}
 
@@ -4337,12 +3538,6 @@ packages:
     cpu: [ppc64]
     os: [aix]
 
-  '@esbuild/aix-ppc64@0.21.5':
-    resolution: {integrity: sha512-1SDgH6ZSPTlggy1yI6+Dbkiz8xzpHJEVAlF/AM1tHPLsf5STom9rwtjE4hKAF20FfXXNTFqEYXyJNWh1GiZedQ==}
-    engines: {node: '>=12'}
-    cpu: [ppc64]
-    os: [aix]
-
   '@esbuild/aix-ppc64@0.23.0':
     resolution: {integrity: sha512-3sG8Zwa5fMcA9bgqB8AfWPQ+HFke6uD3h1s3RIwUNK8EG7a4buxvuFTs3j1IMs2NXAk9F30C/FF4vxRgQCcmoQ==}
     engines: {node: '>=18'}
@@ -4361,6 +3556,12 @@ packages:
     cpu: [ppc64]
     os: [aix]
 
+  '@esbuild/aix-ppc64@0.28.0':
+    resolution: {integrity: sha512-lhRUCeuOyJQURhTxl4WkpFTjIsbDayJHih5kZC1giwE+MhIzAb7mEsQMqMf18rHLsrb5qI1tafG20mLxEWcWlA==}
+    engines: {node: '>=18'}
+    cpu: [ppc64]
+    os: [aix]
+
   '@esbuild/android-arm64@0.17.6':
     resolution: {integrity: sha512-YnYSCceN/dUzUr5kdtUzB+wZprCafuD89Hs0Aqv9QSdwhYQybhXTaSTcrl6X/aWThn1a/j0eEpUBGOE7269REg==}
     engines: {node: '>=12'}
@@ -4379,12 +3580,6 @@ packages:
     cpu: [arm64]
     os: [android]
 
-  '@esbuild/android-arm64@0.21.5':
-    resolution: {integrity: sha512-c0uX9VAUBQ7dTDCjq+wdyGLowMdtR/GoC2U5IYk/7D1H1JYC0qseD7+11iMP2mRLN9RcCMRcjC4YMclCzGwS/A==}
-    engines: {node: '>=12'}
-    cpu: [arm64]
-    os: [android]
-
   '@esbuild/android-arm64@0.23.0':
     resolution: {integrity: sha512-EuHFUYkAVfU4qBdyivULuu03FhJO4IJN9PGuABGrFy4vUuzk91P2d+npxHcFdpUnfYKy0PuV+n6bKIpHOB3prQ==}
     engines: {node: '>=18'}
@@ -4403,6 +3598,12 @@ packages:
     cpu: [arm64]
     os: [android]
 
+  '@esbuild/android-arm64@0.28.0':
+    resolution: {integrity: sha512-+WzIXQOSaGs33tLEgYPYe/yQHf0WTU0X42Jca3y8NWMbUVhp7rUnw+vAsRC/QiDrdD31IszMrZy+qwPOPjd+rw==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [android]
+
   '@esbuild/android-arm@0.15.18':
     resolution: {integrity: sha512-5GT+kcs2WVGjVs7+boataCkO5Fg0y4kCjzkB5bAip7H4jfnOS3dA6KPiww9W1OEKTKeAcUVhdZGvgI65OXmUnw==}
     engines: {node: '>=12'}
@@ -4427,12 +3628,6 @@ packages:
     cpu: [arm]
     os: [android]
 
-  '@esbuild/android-arm@0.21.5':
-    resolution: {integrity: sha512-vCPvzSjpPHEi1siZdlvAlsPxXl7WbOVUBBAowWug4rJHb68Ox8KualB+1ocNvT5fjv6wpkX6o/iEpbDrf68zcg==}
-    engines: {node: '>=12'}
-    cpu: [arm]
-    os: [android]
-
   '@esbuild/android-arm@0.23.0':
     resolution: {integrity: sha512-+KuOHTKKyIKgEEqKbGTK8W7mPp+hKinbMBeEnNzjJGyFcWsfrXjSTNluJHCY1RqhxFurdD8uNXQDei7qDlR6+g==}
     engines: {node: '>=18'}
@@ -4451,6 +3646,12 @@ packages:
     cpu: [arm]
     os: [android]
 
+  '@esbuild/android-arm@0.28.0':
+    resolution: {integrity: sha512-wqh0ByljabXLKHeWXYLqoJ5jKC4XBaw6Hk08OfMrCRd2nP2ZQ5eleDZC41XHyCNgktBGYMbqnrJKq/K/lzPMSQ==}
+    engines: {node: '>=18'}
+    cpu: [arm]
+    os: [android]
+
   '@esbuild/android-x64@0.17.6':
     resolution: {integrity: sha512-MVcYcgSO7pfu/x34uX9u2QIZHmXAB7dEiLQC5bBl5Ryqtpj9lT2sg3gNDEsrPEmimSJW2FXIaxqSQ501YLDsZQ==}
     engines: {node: '>=12'}
@@ -4469,12 +3670,6 @@ packages:
     cpu: [x64]
     os: [android]
 
-  '@esbuild/android-x64@0.21.5':
-    resolution: {integrity: sha512-D7aPRUUNHRBwHxzxRvp856rjUHRFW1SdQATKXH2hqA0kAZb1hKmi02OpYRacl0TxIGz/ZmXWlbZgjwWYaCakTA==}
-    engines: {node: '>=12'}
-    cpu: [x64]
-    os: [android]
-
   '@esbuild/android-x64@0.23.0':
     resolution: {integrity: sha512-WRrmKidLoKDl56LsbBMhzTTBxrsVwTKdNbKDalbEZr0tcsBgCLbEtoNthOW6PX942YiYq8HzEnb4yWQMLQuipQ==}
     engines: {node: '>=18'}
@@ -4493,6 +3688,12 @@ packages:
     cpu: [x64]
     os: [android]
 
+  '@esbuild/android-x64@0.28.0':
+    resolution: {integrity: sha512-+VJggoaKhk2VNNqVL7f6S189UzShHC/mR9EE8rDdSkdpN0KflSwWY/gWjDrNxxisg8Fp1ZCD9jLMo4m0OUfeUA==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [android]
+
   '@esbuild/darwin-arm64@0.17.6':
     resolution: {integrity: sha512-bsDRvlbKMQMt6Wl08nHtFz++yoZHsyTOxnjfB2Q95gato+Yi4WnRl13oC2/PJJA9yLCoRv9gqT/EYX0/zDsyMA==}
     engines: {node: '>=12'}
@@ -4511,12 +3712,6 @@ packages:
     cpu: [arm64]
     os: [darwin]
 
-  '@esbuild/darwin-arm64@0.21.5':
-    resolution: {integrity: sha512-DwqXqZyuk5AiWWf3UfLiRDJ5EDd49zg6O9wclZ7kUMv2WRFr4HKjXp/5t8JZ11QbQfUS6/cRCKGwYhtNAY88kQ==}
-    engines: {node: '>=12'}
-    cpu: [arm64]
-    os: [darwin]
-
   '@esbuild/darwin-arm64@0.23.0':
     resolution: {integrity: sha512-YLntie/IdS31H54Ogdn+v50NuoWF5BDkEUFpiOChVa9UnKpftgwzZRrI4J132ETIi+D8n6xh9IviFV3eXdxfow==}
     engines: {node: '>=18'}
@@ -4535,6 +3730,12 @@ packages:
     cpu: [arm64]
     os: [darwin]
 
+  '@esbuild/darwin-arm64@0.28.0':
+    resolution: {integrity: sha512-0T+A9WZm+bZ84nZBtk1ckYsOvyA3x7e2Acj1KdVfV4/2tdG4fzUp91YHx+GArWLtwqp77pBXVCPn2We7Letr0Q==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [darwin]
+
   '@esbuild/darwin-x64@0.17.6':
     resolution: {integrity: sha512-xh2A5oPrYRfMFz74QXIQTQo8uA+hYzGWJFoeTE8EvoZGHb+idyV4ATaukaUvnnxJiauhs/fPx3vYhU4wiGfosg==}
     engines: {node: '>=12'}
@@ -4553,12 +3754,6 @@ packages:
     cpu: [x64]
     os: [darwin]
 
-  '@esbuild/darwin-x64@0.21.5':
-    resolution: {integrity: sha512-se/JjF8NlmKVG4kNIuyWMV/22ZaerB+qaSi5MdrXtd6R08kvs2qCN4C09miupktDitvh8jRFflwGFBQcxZRjbw==}
-    engines: {node: '>=12'}
-    cpu: [x64]
-    os: [darwin]
-
   '@esbuild/darwin-x64@0.23.0':
     resolution: {integrity: sha512-IMQ6eme4AfznElesHUPDZ+teuGwoRmVuuixu7sv92ZkdQcPbsNHzutd+rAfaBKo8YK3IrBEi9SLLKWJdEvJniQ==}
     engines: {node: '>=18'}
@@ -4577,6 +3772,12 @@ packages:
     cpu: [x64]
     os: [darwin]
 
+  '@esbuild/darwin-x64@0.28.0':
+    resolution: {integrity: sha512-fyzLm/DLDl/84OCfp2f/XQ4flmORsjU7VKt8HLjvIXChJoFFOIL6pLJPH4Yhd1n1gGFF9mPwtlN5Wf82DZs+LQ==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [darwin]
+
   '@esbuild/freebsd-arm64@0.17.6':
     resolution: {integrity: sha512-EnUwjRc1inT4ccZh4pB3v1cIhohE2S4YXlt1OvI7sw/+pD+dIE4smwekZlEPIwY6PhU6oDWwITrQQm5S2/iZgg==}
     engines: {node: '>=12'}
@@ -4595,12 +3796,6 @@ packages:
     cpu: [arm64]
     os: [freebsd]
 
-  '@esbuild/freebsd-arm64@0.21.5':
-    resolution: {integrity: sha512-5JcRxxRDUJLX8JXp/wcBCy3pENnCgBR9bN6JsY4OmhfUtIHe3ZW0mawA7+RDAcMLrMIZaf03NlQiX9DGyB8h4g==}
-    engines: {node: '>=12'}
-    cpu: [arm64]
-    os: [freebsd]
-
   '@esbuild/freebsd-arm64@0.23.0':
     resolution: {integrity: sha512-0muYWCng5vqaxobq6LB3YNtevDFSAZGlgtLoAc81PjUfiFz36n4KMpwhtAd4he8ToSI3TGyuhyx5xmiWNYZFyw==}
     engines: {node: '>=18'}
@@ -4619,6 +3814,12 @@ packages:
     cpu: [arm64]
     os: [freebsd]
 
+  '@esbuild/freebsd-arm64@0.28.0':
+    resolution: {integrity: sha512-l9GeW5UZBT9k9brBYI+0WDffcRxgHQD8ShN2Ur4xWq/NFzUKm3k5lsH4PdaRgb2w7mI9u61nr2gI2mLI27Nh3Q==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [freebsd]
+
   '@esbuild/freebsd-x64@0.17.6':
     resolution: {integrity: sha512-Uh3HLWGzH6FwpviUcLMKPCbZUAFzv67Wj5MTwK6jn89b576SR2IbEp+tqUHTr8DIl0iDmBAf51MVaP7pw6PY5Q==}
     engines: {node: '>=12'}
@@ -4637,12 +3838,6 @@ packages:
     cpu: [x64]
     os: [freebsd]
 
-  '@esbuild/freebsd-x64@0.21.5':
-    resolution: {integrity: sha512-J95kNBj1zkbMXtHVH29bBriQygMXqoVQOQYA+ISs0/2l3T9/kj42ow2mpqerRBxDJnmkUDCaQT/dfNXWX/ZZCQ==}
-    engines: {node: '>=12'}
-    cpu: [x64]
-    os: [freebsd]
-
   '@esbuild/freebsd-x64@0.23.0':
     resolution: {integrity: sha512-XKDVu8IsD0/q3foBzsXGt/KjD/yTKBCIwOHE1XwiXmrRwrX6Hbnd5Eqn/WvDekddK21tfszBSrE/WMaZh+1buQ==}
     engines: {node: '>=18'}
@@ -4661,6 +3856,12 @@ packages:
     cpu: [x64]
     os: [freebsd]
 
+  '@esbuild/freebsd-x64@0.28.0':
+    resolution: {integrity: sha512-BXoQai/A0wPO6Es3yFJ7APCiKGc1tdAEOgeTNy3SsB491S3aHn4S4r3e976eUnPdU+NbdtmBuLncYir2tMU9Nw==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [freebsd]
+
   '@esbuild/linux-arm64@0.17.6':
     resolution: {integrity: sha512-bUR58IFOMJX523aDVozswnlp5yry7+0cRLCXDsxnUeQYJik1DukMY+apBsLOZJblpH+K7ox7YrKrHmJoWqVR9w==}
     engines: {node: '>=12'}
@@ -4679,12 +3880,6 @@ packages:
     cpu: [arm64]
     os: [linux]
 
-  '@esbuild/linux-arm64@0.21.5':
-    resolution: {integrity: sha512-ibKvmyYzKsBeX8d8I7MH/TMfWDXBF3db4qM6sy+7re0YXya+K1cem3on9XgdT2EQGMu4hQyZhan7TeQ8XkGp4Q==}
-    engines: {node: '>=12'}
-    cpu: [arm64]
-    os: [linux]
-
   '@esbuild/linux-arm64@0.23.0':
     resolution: {integrity: sha512-j1t5iG8jE7BhonbsEg5d9qOYcVZv/Rv6tghaXM/Ug9xahM0nX/H2gfu6X6z11QRTMT6+aywOMA8TDkhPo8aCGw==}
     engines: {node: '>=18'}
@@ -4703,6 +3898,12 @@ packages:
     cpu: [arm64]
     os: [linux]
 
+  '@esbuild/linux-arm64@0.28.0':
+    resolution: {integrity: sha512-RVyzfb3FWsGA55n6WY0MEIEPURL1FcbhFE6BffZEMEekfCzCIMtB5yyDcFnVbTnwk+CLAgTujmV/Lgvih56W+A==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [linux]
+
   '@esbuild/linux-arm@0.17.6':
     resolution: {integrity: sha512-7YdGiurNt7lqO0Bf/U9/arrPWPqdPqcV6JCZda4LZgEn+PTQ5SMEI4MGR52Bfn3+d6bNEGcWFzlIxiQdS48YUw==}
     engines: {node: '>=12'}
@@ -4721,12 +3922,6 @@ packages:
     cpu: [arm]
     os: [linux]
 
-  '@esbuild/linux-arm@0.21.5':
-    resolution: {integrity: sha512-bPb5AHZtbeNGjCKVZ9UGqGwo8EUu4cLq68E95A53KlxAPRmUyYv2D6F0uUI65XisGOL1hBP5mTronbgo+0bFcA==}
-    engines: {node: '>=12'}
-    cpu: [arm]
-    os: [linux]
-
   '@esbuild/linux-arm@0.23.0':
     resolution: {integrity: sha512-SEELSTEtOFu5LPykzA395Mc+54RMg1EUgXP+iw2SJ72+ooMwVsgfuwXo5Fn0wXNgWZsTVHwY2cg4Vi/bOD88qw==}
     engines: {node: '>=18'}
@@ -4745,6 +3940,12 @@ packages:
     cpu: [arm]
     os: [linux]
 
+  '@esbuild/linux-arm@0.28.0':
+    resolution: {integrity: sha512-CjaaREJagqJp7iTaNQjjidaNbCKYcd4IDkzbwwxtSvjI7NZm79qiHc8HqciMddQ6CKvJT6aBd8lO9kN/ZudLlw==}
+    engines: {node: '>=18'}
+    cpu: [arm]
+    os: [linux]
+
   '@esbuild/linux-ia32@0.17.6':
     resolution: {integrity: sha512-ujp8uoQCM9FRcbDfkqECoARsLnLfCUhKARTP56TFPog8ie9JG83D5GVKjQ6yVrEVdMie1djH86fm98eY3quQkQ==}
     engines: {node: '>=12'}
@@ -4763,12 +3964,6 @@ packages:
     cpu: [ia32]
     os: [linux]
 
-  '@esbuild/linux-ia32@0.21.5':
-    resolution: {integrity: sha512-YvjXDqLRqPDl2dvRODYmmhz4rPeVKYvppfGYKSNGdyZkA01046pLWyRKKI3ax8fbJoK5QbxblURkwK/MWY18Tg==}
-    engines: {node: '>=12'}
-    cpu: [ia32]
-    os: [linux]
-
   '@esbuild/linux-ia32@0.23.0':
     resolution: {integrity: sha512-P7O5Tkh2NbgIm2R6x1zGJJsnacDzTFcRWZyTTMgFdVit6E98LTxO+v8LCCLWRvPrjdzXHx9FEOA8oAZPyApWUA==}
     engines: {node: '>=18'}
@@ -4787,6 +3982,12 @@ packages:
     cpu: [ia32]
     os: [linux]
 
+  '@esbuild/linux-ia32@0.28.0':
+    resolution: {integrity: sha512-KBnSTt1kxl9x70q+ydterVdl+Cn0H18ngRMRCEQfrbqdUuntQQ0LoMZv47uB97NljZFzY6HcfqEZ2SAyIUTQBQ==}
+    engines: {node: '>=18'}
+    cpu: [ia32]
+    os: [linux]
+
   '@esbuild/linux-loong64@0.15.18':
     resolution: {integrity: sha512-L4jVKS82XVhw2nvzLg/19ClLWg0y27ulRwuP7lcyL6AbUWB5aPglXY3M21mauDQMDfRLs8cQmeT03r/+X3cZYQ==}
     engines: {node: '>=12'}
@@ -4811,12 +4012,6 @@ packages:
     cpu: [loong64]
     os: [linux]
 
-  '@esbuild/linux-loong64@0.21.5':
-    resolution: {integrity: sha512-uHf1BmMG8qEvzdrzAqg2SIG/02+4/DHB6a9Kbya0XDvwDEKCoC8ZRWI5JJvNdUjtciBGFQ5PuBlpEOXQj+JQSg==}
-    engines: {node: '>=12'}
-    cpu: [loong64]
-    os: [linux]
-
   '@esbuild/linux-loong64@0.23.0':
     resolution: {integrity: sha512-InQwepswq6urikQiIC/kkx412fqUZudBO4SYKu0N+tGhXRWUqAx+Q+341tFV6QdBifpjYgUndV1hhMq3WeJi7A==}
     engines: {node: '>=18'}
@@ -4835,6 +4030,12 @@ packages:
     cpu: [loong64]
     os: [linux]
 
+  '@esbuild/linux-loong64@0.28.0':
+    resolution: {integrity: sha512-zpSlUce1mnxzgBADvxKXX5sl8aYQHo2ezvMNI8I0lbblJtp8V4odlm3Yzlj7gPyt3T8ReksE6bK+pT3WD+aJRg==}
+    engines: {node: '>=18'}
+    cpu: [loong64]
+    os: [linux]
+
   '@esbuild/linux-mips64el@0.17.6':
     resolution: {integrity: sha512-09AXKB1HDOzXD+j3FdXCiL/MWmZP0Ex9eR8DLMBVcHorrWJxWmY8Nms2Nm41iRM64WVx7bA/JVHMv081iP2kUA==}
     engines: {node: '>=12'}
@@ -4853,12 +4054,6 @@ packages:
     cpu: [mips64el]
     os: [linux]
 
-  '@esbuild/linux-mips64el@0.21.5':
-    resolution: {integrity: sha512-IajOmO+KJK23bj52dFSNCMsz1QP1DqM6cwLUv3W1QwyxkyIWecfafnI555fvSGqEKwjMXVLokcV5ygHW5b3Jbg==}
-    engines: {node: '>=12'}
-    cpu: [mips64el]
-    os: [linux]
-
   '@esbuild/linux-mips64el@0.23.0':
     resolution: {integrity: sha512-J9rflLtqdYrxHv2FqXE2i1ELgNjT+JFURt/uDMoPQLcjWQA5wDKgQA4t/dTqGa88ZVECKaD0TctwsUfHbVoi4w==}
     engines: {node: '>=18'}
@@ -4877,6 +4072,12 @@ packages:
     cpu: [mips64el]
     os: [linux]
 
+  '@esbuild/linux-mips64el@0.28.0':
+    resolution: {integrity: sha512-2jIfP6mmjkdmeTlsX/9vmdmhBmKADrWqN7zcdtHIeNSCH1SqIoNI63cYsjQR8J+wGa4Y5izRcSHSm8K3QWmk3w==}
+    engines: {node: '>=18'}
+    cpu: [mips64el]
+    os: [linux]
+
   '@esbuild/linux-ppc64@0.17.6':
     resolution: {integrity: sha512-AmLhMzkM8JuqTIOhxnX4ubh0XWJIznEynRnZAVdA2mMKE6FAfwT2TWKTwdqMG+qEaeyDPtfNoZRpJbD4ZBv0Tg==}
     engines: {node: '>=12'}
@@ -4895,12 +4096,6 @@ packages:
     cpu: [ppc64]
     os: [linux]
 
-  '@esbuild/linux-ppc64@0.21.5':
-    resolution: {integrity: sha512-1hHV/Z4OEfMwpLO8rp7CvlhBDnjsC3CttJXIhBi+5Aj5r+MBvy4egg7wCbe//hSsT+RvDAG7s81tAvpL2XAE4w==}
-    engines: {node: '>=12'}
-    cpu: [ppc64]
-    os: [linux]
-
   '@esbuild/linux-ppc64@0.23.0':
     resolution: {integrity: sha512-cShCXtEOVc5GxU0fM+dsFD10qZ5UpcQ8AM22bYj0u/yaAykWnqXJDpd77ublcX6vdDsWLuweeuSNZk4yUxZwtw==}
     engines: {node: '>=18'}
@@ -4919,6 +4114,12 @@ packages:
     cpu: [ppc64]
     os: [linux]
 
+  '@esbuild/linux-ppc64@0.28.0':
+    resolution: {integrity: sha512-bc0FE9wWeC0WBm49IQMPSPILRocGTQt3j5KPCA8os6VprfuJ7KD+5PzESSrJ6GmPIPJK965ZJHTUlSA6GNYEhg==}
+    engines: {node: '>=18'}
+    cpu: [ppc64]
+    os: [linux]
+
   '@esbuild/linux-riscv64@0.17.6':
     resolution: {integrity: sha512-Y4Ri62PfavhLQhFbqucysHOmRamlTVK10zPWlqjNbj2XMea+BOs4w6ASKwQwAiqf9ZqcY9Ab7NOU4wIgpxwoSQ==}
     engines: {node: '>=12'}
@@ -4937,12 +4138,6 @@ packages:
     cpu: [riscv64]
     os: [linux]
 
-  '@esbuild/linux-riscv64@0.21.5':
-    resolution: {integrity: sha512-2HdXDMd9GMgTGrPWnJzP2ALSokE/0O5HhTUvWIbD3YdjME8JwvSCnNGBnTThKGEB91OZhzrJ4qIIxk/SBmyDDA==}
-    engines: {node: '>=12'}
-    cpu: [riscv64]
-    os: [linux]
-
   '@esbuild/linux-riscv64@0.23.0':
     resolution: {integrity: sha512-HEtaN7Y5UB4tZPeQmgz/UhzoEyYftbMXrBCUjINGjh3uil+rB/QzzpMshz3cNUxqXN7Vr93zzVtpIDL99t9aRw==}
     engines: {node: '>=18'}
@@ -4961,6 +4156,12 @@ packages:
     cpu: [riscv64]
     os: [linux]
 
+  '@esbuild/linux-riscv64@0.28.0':
+    resolution: {integrity: sha512-SQPZOwoTTT/HXFXQJG/vBX8sOFagGqvZyXcgLA3NhIqcBv1BJU1d46c0rGcrij2B56Z2rNiSLaZOYW5cUk7yLQ==}
+    engines: {node: '>=18'}
+    cpu: [riscv64]
+    os: [linux]
+
   '@esbuild/linux-s390x@0.17.6':
     resolution: {integrity: sha512-SPUiz4fDbnNEm3JSdUW8pBJ/vkop3M1YwZAVwvdwlFLoJwKEZ9L98l3tzeyMzq27CyepDQ3Qgoba44StgbiN5Q==}
     engines: {node: '>=12'}
@@ -4979,12 +4180,6 @@ packages:
     cpu: [s390x]
     os: [linux]
 
-  '@esbuild/linux-s390x@0.21.5':
-    resolution: {integrity: sha512-zus5sxzqBJD3eXxwvjN1yQkRepANgxE9lgOW2qLnmr8ikMTphkjgXu1HR01K4FJg8h1kEEDAqDcZQtbrRnB41A==}
-    engines: {node: '>=12'}
-    cpu: [s390x]
-    os: [linux]
-
   '@esbuild/linux-s390x@0.23.0':
     resolution: {integrity: sha512-WDi3+NVAuyjg/Wxi+o5KPqRbZY0QhI9TjrEEm+8dmpY9Xir8+HE/HNx2JoLckhKbFopW0RdO2D72w8trZOV+Wg==}
     engines: {node: '>=18'}
@@ -5003,6 +4198,12 @@ packages:
     cpu: [s390x]
     os: [linux]
 
+  '@esbuild/linux-s390x@0.28.0':
+    resolution: {integrity: sha512-SCfR0HN8CEEjnYnySJTd2cw0k9OHB/YFzt5zgJEwa+wL/T/raGWYMBqwDNAC6dqFKmJYZoQBRfHjgwLHGSrn3Q==}
+    engines: {node: '>=18'}
+    cpu: [s390x]
+    os: [linux]
+
   '@esbuild/linux-x64@0.17.6':
     resolution: {integrity: sha512-a3yHLmOodHrzuNgdpB7peFGPx1iJ2x6m+uDvhP2CKdr2CwOaqEFMeSqYAHU7hG+RjCq8r2NFujcd/YsEsFgTGw==}
     engines: {node: '>=12'}
@@ -5021,12 +4222,6 @@ packages:
     cpu: [x64]
     os: [linux]
 
-  '@esbuild/linux-x64@0.21.5':
-    resolution: {integrity: sha512-1rYdTpyv03iycF1+BhzrzQJCdOuAOtaqHTWJZCWvijKD2N5Xu0TtVC8/+1faWqcP9iBCWOmjmhoH94dH82BxPQ==}
-    engines: {node: '>=12'}
-    cpu: [x64]
-    os: [linux]
-
   '@esbuild/linux-x64@0.23.0':
     resolution: {integrity: sha512-a3pMQhUEJkITgAw6e0bWA+F+vFtCciMjW/LPtoj99MhVt+Mfb6bbL9hu2wmTZgNd994qTAEw+U/r6k3qHWWaOQ==}
     engines: {node: '>=18'}
@@ -5045,6 +4240,12 @@ packages:
     cpu: [x64]
     os: [linux]
 
+  '@esbuild/linux-x64@0.28.0':
+    resolution: {integrity: sha512-us0dSb9iFxIi8srnpl931Nvs65it/Jd2a2K3qs7fz2WfGPHqzfzZTfec7oxZJRNPXPnNYZtanmRc4AL/JwVzHQ==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [linux]
+
   '@esbuild/netbsd-arm64@0.24.2':
     resolution: {integrity: sha512-wuLK/VztRRpMt9zyHSazyCVdCXlpHkKm34WUyinD2lzK07FAHTq0KQvZZlXikNWkDGoT6x3TD51jKQ7gMVpopw==}
     engines: {node: '>=18'}
@@ -5057,6 +4258,12 @@ packages:
     cpu: [arm64]
     os: [netbsd]
 
+  '@esbuild/netbsd-arm64@0.28.0':
+    resolution: {integrity: sha512-CR/RYotgtCKwtftMwJlUU7xCVNg3lMYZ0RzTmAHSfLCXw3NtZtNpswLEj/Kkf6kEL3Gw+BpOekRX0BYCtklhUw==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [netbsd]
+
   '@esbuild/netbsd-x64@0.17.6':
     resolution: {integrity: sha512-EanJqcU/4uZIBreTrnbnre2DXgXSa+Gjap7ifRfllpmyAU7YMvaXmljdArptTHmjrkkKm9BK6GH5D5Yo+p6y5A==}
     engines: {node: '>=12'}
@@ -5075,12 +4282,6 @@ packages:
     cpu: [x64]
     os: [netbsd]
 
-  '@esbuild/netbsd-x64@0.21.5':
-    resolution: {integrity: sha512-Woi2MXzXjMULccIwMnLciyZH4nCIMpWQAs049KEeMvOcNADVxo0UBIQPfSmxB3CWKedngg7sWZdLvLczpe0tLg==}
-    engines: {node: '>=12'}
-    cpu: [x64]
-    os: [netbsd]
-
   '@esbuild/netbsd-x64@0.23.0':
     resolution: {integrity: sha512-cRK+YDem7lFTs2Q5nEv/HHc4LnrfBCbH5+JHu6wm2eP+d8OZNoSMYgPZJq78vqQ9g+9+nMuIsAO7skzphRXHyw==}
     engines: {node: '>=18'}
@@ -5099,6 +4300,12 @@ packages:
     cpu: [x64]
     os: [netbsd]
 
+  '@esbuild/netbsd-x64@0.28.0':
+    resolution: {integrity: sha512-nU1yhmYutL+fQ71Kxnhg8uEOdC0pwEW9entHykTgEbna2pw2dkbFSMeqjjyHZoCmt8SBkOSvV+yNmm94aUrrqw==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [netbsd]
+
   '@esbuild/openbsd-arm64@0.23.0':
     resolution: {integrity: sha512-suXjq53gERueVWu0OKxzWqk7NxiUWSUlrxoZK7usiF50C6ipColGR5qie2496iKGYNLhDZkPxBI3erbnYkU0rQ==}
     engines: {node: '>=18'}
@@ -5117,6 +4324,12 @@ packages:
     cpu: [arm64]
     os: [openbsd]
 
+  '@esbuild/openbsd-arm64@0.28.0':
+    resolution: {integrity: sha512-cXb5vApOsRsxsEl4mcZ1XY3D4DzcoMxR/nnc4IyqYs0rTI8ZKmW6kyyg+11Z8yvgMfAEldKzP7AdP64HnSC/6g==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [openbsd]
+
   '@esbuild/openbsd-x64@0.17.6':
     resolution: {integrity: sha512-xaxeSunhQRsTNGFanoOkkLtnmMn5QbA0qBhNet/XLVsc+OVkpIWPHcr3zTW2gxVU5YOHFbIHR9ODuaUdNza2Vw==}
     engines: {node: '>=12'}
@@ -5135,12 +4348,6 @@ packages:
     cpu: [x64]
     os: [openbsd]
 
-  '@esbuild/openbsd-x64@0.21.5':
-    resolution: {integrity: sha512-HLNNw99xsvx12lFBUwoT8EVCsSvRNDVxNpjZ7bPn947b8gJPzeHWyNVhFsaerc0n3TsbOINvRP2byTZ5LKezow==}
-    engines: {node: '>=12'}
-    cpu: [x64]
-    os: [openbsd]
-
   '@esbuild/openbsd-x64@0.23.0':
     resolution: {integrity: sha512-6p3nHpby0DM/v15IFKMjAaayFhqnXV52aEmv1whZHX56pdkK+MEaLoQWj+H42ssFarP1PcomVhbsR4pkz09qBg==}
     engines: {node: '>=18'}
@@ -5159,6 +4366,18 @@ packages:
     cpu: [x64]
     os: [openbsd]
 
+  '@esbuild/openbsd-x64@0.28.0':
+    resolution: {integrity: sha512-8wZM2qqtv9UP3mzy7HiGYNH/zjTA355mpeuA+859TyR+e+Tc08IHYpLJuMsfpDJwoLo1ikIJI8jC3GFjnRClzA==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [openbsd]
+
+  '@esbuild/openharmony-arm64@0.28.0':
+    resolution: {integrity: sha512-FLGfyizszcef5C3YtoyQDACyg95+dndv79i2EekILBofh5wpCa1KuBqOWKrEHZg3zrL3t5ouE5jgr94vA+Wb2w==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [openharmony]
+
   '@esbuild/sunos-x64@0.17.6':
     resolution: {integrity: sha512-gnMnMPg5pfMkZvhHee21KbKdc6W3GR8/JuE0Da1kjwpK6oiFU3nqfHuVPgUX2rsOx9N2SadSQTIYV1CIjYG+xw==}
     engines: {node: '>=12'}
@@ -5177,12 +4396,6 @@ packages:
     cpu: [x64]
     os: [sunos]
 
-  '@esbuild/sunos-x64@0.21.5':
-    resolution: {integrity: sha512-6+gjmFpfy0BHU5Tpptkuh8+uw3mnrvgs+dSPQXQOv3ekbordwnzTVEb4qnIvQcYXq6gzkyTnoZ9dZG+D4garKg==}
-    engines: {node: '>=12'}
-    cpu: [x64]
-    os: [sunos]
-
   '@esbuild/sunos-x64@0.23.0':
     resolution: {integrity: sha512-BFelBGfrBwk6LVrmFzCq1u1dZbG4zy/Kp93w2+y83Q5UGYF1d8sCzeLI9NXjKyujjBBniQa8R8PzLFAUrSM9OA==}
     engines: {node: '>=18'}
@@ -5201,6 +4414,12 @@ packages:
     cpu: [x64]
     os: [sunos]
 
+  '@esbuild/sunos-x64@0.28.0':
+    resolution: {integrity: sha512-1ZgjUoEdHZZl/YlV76TSCz9Hqj9h9YmMGAgAPYd+q4SicWNX3G5GCyx9uhQWSLcbvPW8Ni7lj4gDa1T40akdlw==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [sunos]
+
   '@esbuild/win32-arm64@0.17.6':
     resolution: {integrity: sha512-G95n7vP1UnGJPsVdKXllAJPtqjMvFYbN20e8RK8LVLhlTiSOH1sd7+Gt7rm70xiG+I5tM58nYgwWrLs6I1jHqg==}
     engines: {node: '>=12'}
@@ -5219,12 +4438,6 @@ packages:
     cpu: [arm64]
     os: [win32]
 
-  '@esbuild/win32-arm64@0.21.5':
-    resolution: {integrity: sha512-Z0gOTd75VvXqyq7nsl93zwahcTROgqvuAcYDUr+vOv8uHhNSKROyU961kgtCD1e95IqPKSQKH7tBTslnS3tA8A==}
-    engines: {node: '>=12'}
-    cpu: [arm64]
-    os: [win32]
-
   '@esbuild/win32-arm64@0.23.0':
     resolution: {integrity: sha512-lY6AC8p4Cnb7xYHuIxQ6iYPe6MfO2CC43XXKo9nBXDb35krYt7KGhQnOkRGar5psxYkircpCqfbNDB4uJbS2jQ==}
     engines: {node: '>=18'}
@@ -5243,6 +4456,12 @@ packages:
     cpu: [arm64]
     os: [win32]
 
+  '@esbuild/win32-arm64@0.28.0':
+    resolution: {integrity: sha512-Q9StnDmQ/enxnpxCCLSg0oo4+34B9TdXpuyPeTedN/6+iXBJ4J+zwfQI28u/Jl40nOYAxGoNi7mFP40RUtkmUA==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [win32]
+
   '@esbuild/win32-ia32@0.17.6':
     resolution: {integrity: sha512-96yEFzLhq5bv9jJo5JhTs1gI+1cKQ83cUpyxHuGqXVwQtY5Eq54ZEsKs8veKtiKwlrNimtckHEkj4mRh4pPjsg==}
     engines: {node: '>=12'}
@@ -5261,12 +4480,6 @@ packages:
     cpu: [ia32]
     os: [win32]
 
-  '@esbuild/win32-ia32@0.21.5':
-    resolution: {integrity: sha512-SWXFF1CL2RVNMaVs+BBClwtfZSvDgtL//G/smwAc5oVK/UPu2Gu9tIaRgFmYFFKrmg3SyAjSrElf0TiJ1v8fYA==}
-    engines: {node: '>=12'}
-    cpu: [ia32]
-    os: [win32]
-
   '@esbuild/win32-ia32@0.23.0':
     resolution: {integrity: sha512-7L1bHlOTcO4ByvI7OXVI5pNN6HSu6pUQq9yodga8izeuB1KcT2UkHaH6118QJwopExPn0rMHIseCTx1CRo/uNA==}
     engines: {node: '>=18'}
@@ -5285,6 +4498,12 @@ packages:
     cpu: [ia32]
     os: [win32]
 
+  '@esbuild/win32-ia32@0.28.0':
+    resolution: {integrity: sha512-zF3ag/gfiCe6U2iczcRzSYJKH1DCI+ByzSENHlM2FcDbEeo5Zd2C86Aq0tKUYAJJ1obRP84ymxIAksZUcdztHA==}
+    engines: {node: '>=18'}
+    cpu: [ia32]
+    os: [win32]
+
   '@esbuild/win32-x64@0.17.6':
     resolution: {integrity: sha512-n6d8MOyUrNp6G4VSpRcgjs5xj4A91svJSaiwLIDWVWEsZtpN5FA9NlBbZHDmAJc2e8e6SF4tkBD3HAvPF+7igA==}
     engines: {node: '>=12'}
@@ -5303,12 +4522,6 @@ packages:
     cpu: [x64]
     os: [win32]
 
-  '@esbuild/win32-x64@0.21.5':
-    resolution: {integrity: sha512-tQd/1efJuzPC6rCFwEvLtci/xNFcTZknmXs98FYDfGE4wP9ClFV98nyKrzJKVPMhdDnjzLhdUyMX4PsQAPjwIw==}
-    engines: {node: '>=12'}
-    cpu: [x64]
-    os: [win32]
-
   '@esbuild/win32-x64@0.23.0':
     resolution: {integrity: sha512-Arm+WgUFLUATuoxCJcahGuk6Yj9Pzxd6l11Zb/2aAuv5kWWvvfhLFo2fni4uSK5vzlUdCGZ/BdV5tH8klj8p8g==}
     engines: {node: '>=18'}
@@ -5327,6 +4540,12 @@ packages:
     cpu: [x64]
     os: [win32]
 
+  '@esbuild/win32-x64@0.28.0':
+    resolution: {integrity: sha512-pEl1bO9mfAmIC+tW5btTmrKaujg3zGtUmWNdCw/xs70FBjwAL3o9OEKNHvNmnyylD6ubxUERiEhdsL0xBQ9efw==}
+    engines: {node: '>=18'}
+    cpu: [x64]
+    os: [win32]
+
   '@eslint-community/eslint-utils@4.4.0':
     resolution: {integrity: sha512-1/sA4dwrzBAyeUoQ6oxahHKmrZvsnLCg4RfxW3ZFGGmQkSNQPFNLV9CUEFQP1x9EYXHTo5p6xdhZM1Ne9p/AfA==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
@@ -5341,19 +4560,11 @@ packages:
     resolution: {integrity: sha512-XXrH9Uarn0stsyldqDYq8r++mROmWRI1xKMXa640Bb//SY1+ECYX6VzT6Lcx5frD0V30XieqJ0oX9I2Xj5aoMA==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
 
-  '@fal-ai/serverless-client@0.15.0':
-    resolution: {integrity: sha512-4Vuocu0342OijAN6xO/lwohDV7h90LbkTnOAEwH+pYvMFVC6RYmHS4GILc/wnOWBTw+iFlZFEKlljEVolkjVfg==}
-    engines: {node: '>=18.0.0'}
-    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
-
-  '@fast-csv/parse@5.0.2':
-    resolution: {integrity: sha512-gMu1Btmm99TP+wc0tZnlH30E/F1Gw1Tah3oMDBHNPe9W8S68ixVHjt89Wg5lh7d9RuQMtwN+sGl5kxR891+fzw==}
-
   '@fastify/accept-negotiator@2.0.1':
     resolution: {integrity: sha512-/c/TW2bO/v9JeEgoD/g1G5GxGeCF1Hafdf79WPmUlgYiBXummY0oX3VVq4yFkKKVBKDNlaDUYoab7g38RpPqCQ==}
 
-  '@fastify/ajv-compiler@4.0.2':
-    resolution: {integrity: sha512-Rkiu/8wIjpsf46Rr+Fitd3HRP+VsxUFDDeag0hs9L0ksfnwx2g7SPQQTFL0E8Qv+rfXzQOxBJnjUB9ITUDjfWQ==}
+  '@fastify/ajv-compiler@4.0.5':
+    resolution: {integrity: sha512-KoWKW+MhvfTRWL4qrhUwAAZoaChluo0m0vbiJlGMt2GXvL4LVPQEjt8kSpHI3IBq5Rez8fg+XeH3cneztq+C7A==}
 
   '@fastify/busboy@2.1.1':
     resolution: {integrity: sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==}
@@ -5380,8 +4591,8 @@ packages:
   '@fastify/static@8.2.0':
     resolution: {integrity: sha512-PejC/DtT7p1yo3p+W7LiUtLMsV8fEvxAK15sozHy9t8kwo5r0uLYmhV/inURmGz1SkHZFz/8CNtHLPyhKcx4SQ==}
 
-  '@fastify/websocket@11.0.1':
-    resolution: {integrity: sha512-44yam5+t1I9v09hWBYO+ezV88+mb9Se2BjgERtzB/68+0mGeTfFkjBeDBe2y+ZdiPpeO2rhevhdnfrBm5mqH+Q==}
+  '@fastify/websocket@11.2.0':
+    resolution: {integrity: sha512-3HrDPbAG1CzUCqnslgJxppvzaAZffieOVbLp1DAy1huCSynUWPifSvfdEDUR8HlJLp3sp1A36uOM2tJogADS8w==}
 
   '@fingerprintjs/fingerprintjs-pro-react@2.6.3':
     resolution: {integrity: sha512-/axCq/cfjZkIM+WFZM/05FQvqtNfdKbIFKU6b2yrwPKlgT8BqWkAq8XvFX6JCPlq8/udVLJjFEDCK+1JQh1L6g==}
@@ -5410,12 +4621,6 @@ packages:
       react: '>=16.8.0'
       react-dom: '>=16.8.0'
 
-  '@floating-ui/react-dom@2.0.9':
-    resolution: {integrity: sha512-q0umO0+LQK4+p6aGyvzASqKbKOJcAHJ7ycE9CuUvfx3s9zTHWmGJTPOIlM/hmSBfUfg/XfY5YhLBLR/LHwShQQ==}
-    peerDependencies:
-      react: '>=16.8.0'
-      react-dom: '>=16.8.0'
-
   '@floating-ui/utils@0.2.2':
     resolution: {integrity: sha512-J4yDIIthosAsRZ5CPYP/jQvUAQtlZTTD/4suA08/FEnlxqW3sKS9iAhgsa9VYLZ6vDHn/ixJgIqRQPotoBjxIw==}
 
@@ -5453,11 +4658,20 @@ packages:
     resolution: {integrity: sha512-JXUj6PI0oqqzTGvKtzOkxtpsyPRNsrmhh41TtIz/zEB6J+AUiZZ0dxWzcMwO9Ns5rmSPuMdghlTbUuqIM48d3Q==}
     engines: {node: '>=12.10.0'}
 
+  '@grpc/grpc-js@1.14.3':
+    resolution: {integrity: sha512-Iq8QQQ/7X3Sac15oB6p0FmUg/klxQvXLeileoqrTRGJYLV+/9tubbr9ipz0GKHjmXVsgFPo/+W+2cA8eNcR+XA==}
+    engines: {node: '>=12.10.0'}
+
   '@grpc/proto-loader@0.7.13':
     resolution: {integrity: sha512-AiXO/bfe9bmxBjxxtYxFAXGZvMaN5s8kO+jBHAJCON8rJoB5YS/D6X7ZNc6XQkuHNmyl4CYaMI1fJ/Gn27RGGw==}
     engines: {node: '>=6'}
     hasBin: true
 
+  '@grpc/proto-loader@0.8.0':
+    resolution: {integrity: sha512-rc1hOQtjIWGxcxpb9aHAfLpIctjEnsDehj0DAiVfBlmT84uvR0uUtN2hEi/ecvWVjXUGf5qPF4qEgiLOx1YIMQ==}
+    engines: {node: '>=6'}
+    hasBin: true
+
   '@hapi/boom@10.0.1':
     resolution: {integrity: sha512-ERcCZaEjdH3OgSJlyjVk8pHIFeus91CjKP3v+MpgBNp5IvGzP2l/bRiD78nqYcKPaZdbKkK5vDBVPd2ohHBlsA==}
 
@@ -5515,6 +4729,7 @@ packages:
   '@hono/node-ws@1.0.4':
     resolution: {integrity: sha512-0j1TMp67U5ym0CIlvPKcKtD0f2ZjaS/EnhOxFLs3bVfV+/4WInBE7hVe2x/7PLEsNIUK9+jVL8lPd28rzTAcZg==}
     engines: {node: '>=18.14.1'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
       '@hono/node-server': ^1.11.1
 
@@ -5537,299 +4752,26 @@ packages:
   '@iconify/utils@3.0.2':
     resolution: {integrity: sha512-EfJS0rLfVuRuJRn4psJHtK2A9TqVnkxPpHY6lYHiB9+8eSuudsxbwMiavocG45ujOo6FJ+CIRlRnlOGinzkaGQ==}
 
-  '@img/colour@1.0.0':
-    resolution: {integrity: sha512-A5P/LfWGFSl6nsckYtjw9da+19jB8hkJ6ACTGcDfEJ0aE+l2n2El7dsVM7UVHZQ9s2lmYMWlrS21YLy2IR1LUw==}
-    engines: {node: '>=18'}
-
-  '@img/sharp-darwin-arm64@0.33.5':
-    resolution: {integrity: sha512-UT4p+iz/2H4twwAoLCqfA9UH5pI6DggwKEGuaPy7nCVQ8ZsiY5PIcrRvD1DzuY3qYL07NtIQcWnBSY/heikIFQ==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@img/sharp-darwin-arm64@0.34.5':
-    resolution: {integrity: sha512-imtQ3WMJXbMY4fxb/Ndp6HBTNVtWCUI0WdobyheGf5+ad6xX8VIDO8u2xE4qc/fr08CKG/7dDseFtn6M6g/r3w==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@img/sharp-darwin-x64@0.33.5':
-    resolution: {integrity: sha512-fyHac4jIc1ANYGRDxtiqelIbdWkIuQaI84Mv45KvGRRxSAa7o7d1ZKAOBaYbnepLC1WqxfpimdeWfvqqSGwR2Q==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [x64]
-    os: [darwin]
-
-  '@img/sharp-darwin-x64@0.34.5':
-    resolution: {integrity: sha512-YNEFAF/4KQ/PeW0N+r+aVVsoIY0/qxxikF2SWdp+NRkmMB7y9LBZAVqQ4yhGCm/H3H270OSykqmQMKLBhBJDEw==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [x64]
-    os: [darwin]
-
-  '@img/sharp-libvips-darwin-arm64@1.0.4':
-    resolution: {integrity: sha512-XblONe153h0O2zuFfTAbQYAX2JhYmDHeWikp1LM9Hul9gVPjFY427k6dFEcOL72O01QxQsWi761svJ/ev9xEDg==}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@img/sharp-libvips-darwin-arm64@1.2.4':
-    resolution: {integrity: sha512-zqjjo7RatFfFoP0MkQ51jfuFZBnVE2pRiaydKJ1G/rHZvnsrHAOcQALIi9sA5co5xenQdTugCvtb1cuf78Vf4g==}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@img/sharp-libvips-darwin-x64@1.0.4':
-    resolution: {integrity: sha512-xnGR8YuZYfJGmWPvmlunFaWJsb9T/AO2ykoP3Fz/0X5XV2aoYBPkX6xqCQvUTKKiLddarLaxpzNe+b1hjeWHAQ==}
-    cpu: [x64]
-    os: [darwin]
-
-  '@img/sharp-libvips-darwin-x64@1.2.4':
-    resolution: {integrity: sha512-1IOd5xfVhlGwX+zXv2N93k0yMONvUlANylbJw1eTah8K/Jtpi15KC+WSiaX/nBmbm2HxRM1gZ0nSdjSsrZbGKg==}
-    cpu: [x64]
-    os: [darwin]
-
-  '@img/sharp-libvips-linux-arm64@1.0.4':
-    resolution: {integrity: sha512-9B+taZ8DlyyqzZQnoeIvDVR/2F4EbMepXMc/NdVbkzsJbzkUjhXv/70GQJ7tdLA4YJgNP25zukcxpX2/SueNrA==}
-    cpu: [arm64]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-libvips-linux-arm64@1.2.4':
-    resolution: {integrity: sha512-excjX8DfsIcJ10x1Kzr4RcWe1edC9PquDRRPx3YVCvQv+U5p7Yin2s32ftzikXojb1PIFc/9Mt28/y+iRklkrw==}
-    cpu: [arm64]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-libvips-linux-arm@1.0.5':
-    resolution: {integrity: sha512-gvcC4ACAOPRNATg/ov8/MnbxFDJqf/pDePbBnuBDcjsI8PssmjoKMAz4LtLaVi+OnSb5FK/yIOamqDwGmXW32g==}
-    cpu: [arm]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-libvips-linux-arm@1.2.4':
-    resolution: {integrity: sha512-bFI7xcKFELdiNCVov8e44Ia4u2byA+l3XtsAj+Q8tfCwO6BQ8iDojYdvoPMqsKDkuoOo+X6HZA0s0q11ANMQ8A==}
-    cpu: [arm]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-libvips-linux-ppc64@1.2.4':
-    resolution: {integrity: sha512-FMuvGijLDYG6lW+b/UvyilUWu5Ayu+3r2d1S8notiGCIyYU/76eig1UfMmkZ7vwgOrzKzlQbFSuQfgm7GYUPpA==}
-    cpu: [ppc64]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-libvips-linux-riscv64@1.2.4':
-    resolution: {integrity: sha512-oVDbcR4zUC0ce82teubSm+x6ETixtKZBh/qbREIOcI3cULzDyb18Sr/Wcyx7NRQeQzOiHTNbZFF1UwPS2scyGA==}
-    cpu: [riscv64]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-libvips-linux-s390x@1.0.4':
-    resolution: {integrity: sha512-u7Wz6ntiSSgGSGcjZ55im6uvTrOxSIS8/dgoVMoiGE9I6JAfU50yH5BoDlYA1tcuGS7g/QNtetJnxA6QEsCVTA==}
-    cpu: [s390x]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-libvips-linux-s390x@1.2.4':
-    resolution: {integrity: sha512-qmp9VrzgPgMoGZyPvrQHqk02uyjA0/QrTO26Tqk6l4ZV0MPWIW6LTkqOIov+J1yEu7MbFQaDpwdwJKhbJvuRxQ==}
-    cpu: [s390x]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-libvips-linux-x64@1.0.4':
-    resolution: {integrity: sha512-MmWmQ3iPFZr0Iev+BAgVMb3ZyC4KeFc3jFxnNbEPas60e1cIfevbtuyf9nDGIzOaW9PdnDciJm+wFFaTlj5xYw==}
-    cpu: [x64]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-libvips-linux-x64@1.2.4':
-    resolution: {integrity: sha512-tJxiiLsmHc9Ax1bz3oaOYBURTXGIRDODBqhveVHonrHJ9/+k89qbLl0bcJns+e4t4rvaNBxaEZsFtSfAdquPrw==}
-    cpu: [x64]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-libvips-linuxmusl-arm64@1.0.4':
-    resolution: {integrity: sha512-9Ti+BbTYDcsbp4wfYib8Ctm1ilkugkA/uscUn6UXK1ldpC1JjiXbLfFZtRlBhjPZ5o1NCLiDbg8fhUPKStHoTA==}
-    cpu: [arm64]
-    os: [linux]
-    libc: [musl]
-
-  '@img/sharp-libvips-linuxmusl-arm64@1.2.4':
-    resolution: {integrity: sha512-FVQHuwx1IIuNow9QAbYUzJ+En8KcVm9Lk5+uGUQJHaZmMECZmOlix9HnH7n1TRkXMS0pGxIJokIVB9SuqZGGXw==}
-    cpu: [arm64]
-    os: [linux]
-    libc: [musl]
-
-  '@img/sharp-libvips-linuxmusl-x64@1.0.4':
-    resolution: {integrity: sha512-viYN1KX9m+/hGkJtvYYp+CCLgnJXwiQB39damAO7WMdKWlIhmYTfHjwSbQeUK/20vY154mwezd9HflVFM1wVSw==}
-    cpu: [x64]
-    os: [linux]
-    libc: [musl]
-
-  '@img/sharp-libvips-linuxmusl-x64@1.2.4':
-    resolution: {integrity: sha512-+LpyBk7L44ZIXwz/VYfglaX/okxezESc6UxDSoyo2Ks6Jxc4Y7sGjpgU9s4PMgqgjj1gZCylTieNamqA1MF7Dg==}
-    cpu: [x64]
-    os: [linux]
-    libc: [musl]
-
-  '@img/sharp-linux-arm64@0.33.5':
-    resolution: {integrity: sha512-JMVv+AMRyGOHtO1RFBiJy/MBsgz0x4AWrT6QoEVVTyh1E39TrCUpTRI7mx9VksGX4awWASxqCYLCV4wBZHAYxA==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [arm64]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-linux-arm64@0.34.5':
-    resolution: {integrity: sha512-bKQzaJRY/bkPOXyKx5EVup7qkaojECG6NLYswgktOZjaXecSAeCWiZwwiFf3/Y+O1HrauiE3FVsGxFg8c24rZg==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [arm64]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-linux-arm@0.33.5':
-    resolution: {integrity: sha512-JTS1eldqZbJxjvKaAkxhZmBqPRGmxgu+qFKSInv8moZ2AmT5Yib3EQ1c6gp493HvrvV8QgdOXdyaIBrhvFhBMQ==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [arm]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-linux-arm@0.34.5':
-    resolution: {integrity: sha512-9dLqsvwtg1uuXBGZKsxem9595+ujv0sJ6Vi8wcTANSFpwV/GONat5eCkzQo/1O6zRIkh0m/8+5BjrRr7jDUSZw==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [arm]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-linux-ppc64@0.34.5':
-    resolution: {integrity: sha512-7zznwNaqW6YtsfrGGDA6BRkISKAAE1Jo0QdpNYXNMHu2+0dTrPflTLNkpc8l7MUP5M16ZJcUvysVWWrMefZquA==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [ppc64]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-linux-riscv64@0.34.5':
-    resolution: {integrity: sha512-51gJuLPTKa7piYPaVs8GmByo7/U7/7TZOq+cnXJIHZKavIRHAP77e3N2HEl3dgiqdD/w0yUfiJnII77PuDDFdw==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [riscv64]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-linux-s390x@0.33.5':
-    resolution: {integrity: sha512-y/5PCd+mP4CA/sPDKl2961b+C9d+vPAveS33s6Z3zfASk2j5upL6fXVPZi7ztePZ5CuH+1kW8JtvxgbuXHRa4Q==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [s390x]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-linux-s390x@0.34.5':
-    resolution: {integrity: sha512-nQtCk0PdKfho3eC5MrbQoigJ2gd1CgddUMkabUj+rBevs8tZ2cULOx46E7oyX+04WGfABgIwmMC0VqieTiR4jg==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [s390x]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-linux-x64@0.33.5':
-    resolution: {integrity: sha512-opC+Ok5pRNAzuvq1AG0ar+1owsu842/Ab+4qvU879ippJBHvyY5n2mxF1izXqkPYlGuP/M556uh53jRLJmzTWA==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [x64]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-linux-x64@0.34.5':
-    resolution: {integrity: sha512-MEzd8HPKxVxVenwAa+JRPwEC7QFjoPWuS5NZnBt6B3pu7EG2Ge0id1oLHZpPJdn3OQK+BQDiw9zStiHBTJQQQQ==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [x64]
-    os: [linux]
-    libc: [glibc]
-
-  '@img/sharp-linuxmusl-arm64@0.33.5':
-    resolution: {integrity: sha512-XrHMZwGQGvJg2V/oRSUfSAfjfPxO+4DkiRh6p2AFjLQztWUuY/o8Mq0eMQVIY7HJ1CDQUJlxGGZRw1a5bqmd1g==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [arm64]
-    os: [linux]
-    libc: [musl]
-
-  '@img/sharp-linuxmusl-arm64@0.34.5':
-    resolution: {integrity: sha512-fprJR6GtRsMt6Kyfq44IsChVZeGN97gTD331weR1ex1c1rypDEABN6Tm2xa1wE6lYb5DdEnk03NZPqA7Id21yg==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [arm64]
-    os: [linux]
-    libc: [musl]
-
-  '@img/sharp-linuxmusl-x64@0.33.5':
-    resolution: {integrity: sha512-WT+d/cgqKkkKySYmqoZ8y3pxx7lx9vVejxW/W4DOFMYVSkErR+w7mf2u8m/y4+xHe7yY9DAXQMWQhpnMuFfScw==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [x64]
-    os: [linux]
-    libc: [musl]
-
-  '@img/sharp-linuxmusl-x64@0.34.5':
-    resolution: {integrity: sha512-Jg8wNT1MUzIvhBFxViqrEhWDGzqymo3sV7z7ZsaWbZNDLXRJZoRGrjulp60YYtV4wfY8VIKcWidjojlLcWrd8Q==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [x64]
-    os: [linux]
-    libc: [musl]
-
-  '@img/sharp-wasm32@0.33.5':
-    resolution: {integrity: sha512-ykUW4LVGaMcU9lu9thv85CbRMAwfeadCJHRsg2GmeRa/cJxsVY9Rbd57JcMxBkKHag5U/x7TSBpScF4U8ElVzg==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [wasm32]
-
-  '@img/sharp-wasm32@0.34.5':
-    resolution: {integrity: sha512-OdWTEiVkY2PHwqkbBI8frFxQQFekHaSSkUIJkwzclWZe64O1X4UlUjqqqLaPbUpMOQk6FBu/HtlGXNblIs0huw==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [wasm32]
-
-  '@img/sharp-win32-arm64@0.34.5':
-    resolution: {integrity: sha512-WQ3AgWCWYSb2yt+IG8mnC6Jdk9Whs7O0gxphblsLvdhSpSTtmu69ZG1Gkb6NuvxsNACwiPV6cNSZNzt0KPsw7g==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [arm64]
-    os: [win32]
-
-  '@img/sharp-win32-ia32@0.33.5':
-    resolution: {integrity: sha512-T36PblLaTwuVJ/zw/LaH0PdZkRz5rd3SmMHX8GSmR7vtNSP5Z6bQkExdSK7xGWyxLw4sUknBuugTelgw2faBbQ==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [ia32]
-    os: [win32]
-
-  '@img/sharp-win32-ia32@0.34.5':
-    resolution: {integrity: sha512-FV9m/7NmeCmSHDD5j4+4pNI8Cp3aW+JvLoXcTUo0IqyjSfAZJ8dIUmijx1qaJsIiU+Hosw6xM5KijAWRJCSgNg==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [ia32]
-    os: [win32]
-
-  '@img/sharp-win32-x64@0.33.5':
-    resolution: {integrity: sha512-MpY/o8/8kj+EcnxwvrP4aTJSWw/aZ7JIGR4aBeZkZw5B7/Jn+tY9/VNwtcoGmdT7GfggGIU4kygOMSbYnOrAbg==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [x64]
-    os: [win32]
-
-  '@img/sharp-win32-x64@0.34.5':
-    resolution: {integrity: sha512-+29YMsqY2/9eFEiW93eqWnuLcWcufowXewwSNIT6UwZdUUCrM3oFjMWH/Z6/TMmb4hlFenmfAVbpWeup2jryCw==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-    cpu: [x64]
-    os: [win32]
+  '@internationalized/date@3.12.1':
+    resolution: {integrity: sha512-6IedsVWXyq4P9Tj+TxuU8WGWM70hYLl12nbYU8jkikVpa6WXapFazPUcHUMDMoWftIDE2ILDkFFte6W2nFCkRQ==}
 
   '@internationalized/date@3.5.1':
     resolution: {integrity: sha512-LUQIfwU9e+Fmutc/DpRTGXSdgYZLBegi4wygCWDSVmUdLTaMHsQyASDiJtREwanwKuQLq0hY76fCJ9J/9I2xOQ==}
 
-  '@internationalized/date@3.5.5':
-    resolution: {integrity: sha512-H+CfYvOZ0LTJeeLOqm19E3uj/4YjrmOFtBufDHPfvtI80hFAMqtrp7oCACpe4Cil5l8S0Qu/9dYfZc/5lY8WQQ==}
-
   '@internationalized/message@3.1.1':
     resolution: {integrity: sha512-ZgHxf5HAPIaR0th+w0RUD62yF6vxitjlprSxmLJ1tam7FOekqRSDELMg4Cr/DdszG5YLsp5BG3FgHgqquQZbqw==}
 
-  '@internationalized/message@3.1.4':
-    resolution: {integrity: sha512-Dygi9hH1s7V9nha07pggCkvmRfDd3q2lWnMGvrJyrOwYMe1yj4D2T9BoH9I6MGR7xz0biQrtLPsqUkqXzIrBOw==}
-
   '@internationalized/number@3.5.0':
     resolution: {integrity: sha512-ZY1BW8HT9WKYvaubbuqXbbDdHhOUMfE2zHHFJeTppid0S+pc8HtdIxFxaYMsGjCb4UsF+MEJ4n2TfU7iHnUK8w==}
 
-  '@internationalized/number@3.5.3':
-    resolution: {integrity: sha512-rd1wA3ebzlp0Mehj5YTuTI50AQEx80gWFyHcQu+u91/5NgdwBecO8BH6ipPfE+lmQ9d63vpB3H9SHoIUiupllw==}
+  '@internationalized/number@3.6.6':
+    resolution: {integrity: sha512-iFgmQaXHE0vytNfpLZWOC2mEJCBRzcUxt53Xf/yCXG93lRvqas237i3r7X4RKMwO3txiyZD4mQjKAByFv6UGSQ==}
 
   '@internationalized/string@3.2.0':
     resolution: {integrity: sha512-Xx3Sy3f2c9ctT+vh8c7euEaEHQZltp0euZ3Hy4UfT3E13r6lxpUS3kgKyumEjboJZSnaZv7JhqWz3D75v+IxQg==}
 
-  '@internationalized/string@3.2.3':
-    resolution: {integrity: sha512-9kpfLoA8HegiWTeCbR2livhdVeKobCnVv8tlJ6M2jF+4tcMqDo94ezwlnrUANBWPgd8U7OXIHCk2Ov2qhk4KXw==}
+  '@internationalized/string@3.2.8':
+    resolution: {integrity: sha512-NdbMQUSfXLYIQol5VyMtinm9pZDciiMfN7RtmSuSB78io1hqwJ0naYfxyW6vgxWBkzWymQa/3uLDlbfmshtCaA==}
 
   '@ioredis/commands@1.2.0':
     resolution: {integrity: sha512-Sx1pU8EM64o2BrqNpEO1CNLtKQwyhuXuqyfH7oGKCk+1a33d2r5saW8zNwm3j6BTExtjrv2BxTgzzkMwts6vGg==}
@@ -5838,26 +4780,21 @@ packages:
     resolution: {integrity: sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==}
     engines: {node: '>=12'}
 
+  '@isaacs/cliui@9.0.0':
+    resolution: {integrity: sha512-AokJm4tuBHillT+FpMtxQ60n8ObyXBatq7jD2/JA9dxbDDokKQm8KMht5ibGzLVU9IJDIKK4TPKgMHEYMn3lMg==}
+    engines: {node: '>=18'}
+
   '@isaacs/fs-minipass@4.0.1':
     resolution: {integrity: sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==}
     engines: {node: '>=18.0.0'}
 
-  '@istanbuljs/schema@0.1.3':
-    resolution: {integrity: sha512-ZXRY4jNvVgSVQ8DL3LTcakaAtXwTVUxE81hslsyD2AtoXW/wVob10HkOJ1X/pAlcI7D+2YoZKg5do8G/w6RYgA==}
-    engines: {node: '>=8'}
-
-  '@jridgewell/gen-mapping@0.3.2':
-    resolution: {integrity: sha512-mh65xKQAzI6iBcFzwv28KVWSmCkdRBWoOh+bYQGW3+6OZvbbN3TqMGo5hqYxQniRcH9F2VZIoJCm4pa3BPDK/A==}
-    engines: {node: '>=6.0.0'}
+  '@jridgewell/gen-mapping@0.3.13':
+    resolution: {integrity: sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==}
 
   '@jridgewell/gen-mapping@0.3.8':
     resolution: {integrity: sha512-imAbBGkb+ebQyxKgzv5Hu2nmROxoDOXHh80evxdoXNOrvAnVx7zimzc1Oo5h9RlfV4vPXaE2iM5pOFbvOCClWA==}
     engines: {node: '>=6.0.0'}
 
-  '@jridgewell/resolve-uri@3.1.0':
-    resolution: {integrity: sha512-F2msla3tad+Mfht5cJq7LSXcdudKTWCVYUgw6pLFOOHSTtZlj6SWNYAp+AhuqLmWdBO2X5hPrLcu8cVP8fy28w==}
-    engines: {node: '>=6.0.0'}
-
   '@jridgewell/resolve-uri@3.1.2':
     resolution: {integrity: sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==}
     engines: {node: '>=6.0.0'}
@@ -5866,21 +4803,12 @@ packages:
     resolution: {integrity: sha512-R8gLRTZeyp03ymzP/6Lil/28tGeGEzhx1q2k703KGWRAI1VdvPIXdG70VJc2pAMw3NA6JKL5hhFu1sJX0Mnn/A==}
     engines: {node: '>=6.0.0'}
 
-  '@jridgewell/source-map@0.3.3':
-    resolution: {integrity: sha512-b+fsZXeLYi9fEULmfBrhxn4IrPlINf8fiNarzTof004v3lFdntdwa9PF7vFJqm3mg7s+ScJMxXaE3Acp1irZcg==}
-
-  '@jridgewell/sourcemap-codec@1.5.0':
-    resolution: {integrity: sha512-gv3ZRaISU3fjPAgNsriBRqGWQL6quFx04YMPW/zD8XMLsU32mhCCbfbO6KZFLjvYpCZ8zyDEgqsgf+PwPaM7GQ==}
+  '@jridgewell/source-map@0.3.11':
+    resolution: {integrity: sha512-ZMp1V8ZFcPG5dIWnQLr3NSI1MiCU7UETdS/A0G8V/XWHvJv3ZsFqutJn1Y5RPmAPX6F3BiE397OqveU/9NCuIA==}
 
   '@jridgewell/sourcemap-codec@1.5.5':
     resolution: {integrity: sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==}
 
-  '@jridgewell/trace-mapping@0.3.19':
-    resolution: {integrity: sha512-kf37QtfW+Hwx/buWGMPcR60iF9ziHa6r/CZJIHbmcm4+0qrXiVdxegAH0F6yddEVQ7zdkjcGCgCzUu+BcbhQxw==}
-
-  '@jridgewell/trace-mapping@0.3.25':
-    resolution: {integrity: sha512-vNk6aEwybGtawWmy/PzwnGDOjCkLWSD2wqvjGGAgOAwCGWySYXfYoxt00IJkTF+8Lb57DwOb3Aa0o9CApepiYQ==}
-
   '@jridgewell/trace-mapping@0.3.31':
     resolution: {integrity: sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw==}
 
@@ -5930,6 +4858,9 @@ packages:
   '@kubernetes/client-node@1.0.0':
     resolution: {integrity: sha512-a8NSvFDSHKFZ0sR1hbPSf8IDFNJwctEU5RodSCNiq/moRXWmrdmqhb1RRQzF+l+TSBaDgHw3YsYNxxE92STBzw==}
 
+  '@kwsites/file-exists@1.1.1':
+    resolution: {integrity: sha512-m9/5YGR18lIwxSFDwfE3oA7bWuq9kdau6ugN4H2rJeyhFQZcG9AgSHkQtSD15a8WvTgfz9aikZMrKPHvbpqFiw==}
+
   '@lezer/common@1.0.2':
     resolution: {integrity: sha512-SVgiGtMnMnW3ActR8SXgsDhw7a0w0ChHSYAyAUxxrOiJ1OqYWEKk/xJd84tTSPo1mo6DXLObAJALNnd0Hrv7Ng==}
 
@@ -5968,8 +4899,8 @@ packages:
   '@mdx-js/mdx@2.3.0':
     resolution: {integrity: sha512-jLuwRlz8DQfQNiUCJR50Y09CGPq3fLtmtUQfVrj79E0JWu3dvsVcxVIcfhR5h0iXu+/z++zDrYeiJqifRynJkA==}
 
-  '@mermaid-js/parser@0.6.3':
-    resolution: {integrity: sha512-lnjOhe7zyHjc+If7yT4zoedx2vo4sHaTmtkl1+or8BRTnCtDmcTpAjpzDSfCZrshM5bCoz0GyidzadJAH1xobA==}
+  '@mermaid-js/parser@1.1.0':
+    resolution: {integrity: sha512-gxK9ZX2+Fex5zu8LhRQoMeMPEHbc73UKZ0FQ54YrQtUxE1VVhMwzeNtKRPAu5aXks4FasbMe4xB4bWrmq6Jlxw==}
 
   '@microsoft/fetch-event-source@2.0.1':
     resolution: {integrity: sha512-W6CLUJ2eBMw3Rec70qrsEW0jOm/3twwJv21mrmj2yORiaVmVYGS4sSS5yUwvQc1ZlDLYGPnClVWmUUMagKNsfA==}
@@ -5994,307 +4925,12 @@ packages:
       '@cfworker/json-schema':
         optional: true
 
-  '@msgpack/msgpack@3.0.0-beta2':
-    resolution: {integrity: sha512-y+l1PNV0XDyY8sM3YtuMLK5vE3/hkfId+Do8pLo/OPxfxuFAUwcGz3oiiUuV46/aBpwTzZ+mRWVMtlSKbradhw==}
-    engines: {node: '>= 14'}
-    deprecated: too old
-
-  '@neondatabase/serverless@0.9.5':
-    resolution: {integrity: sha512-siFas6gItqv6wD/pZnvdu34wEqgG3nSE6zWZdq5j2DEsa+VvX8i/5HXJOo06qrw5axPXn+lGCxeR+NLaSPIXug==}
-
-  '@next/bundle-analyzer@15.0.2':
-    resolution: {integrity: sha512-bV566k+rDsaqXSUgHBof0iMIDx5DWtLx/98jvYtqb9x85e+WJzv+8cpDvbjtxQMf7nFC/LUkPmpruj1cOKfz4A==}
-
-  '@next/env@14.1.0':
-    resolution: {integrity: sha512-Py8zIo+02ht82brwwhTg36iogzFqGLPXlRGKQw5s+qP/kMNc4MAyDeEwBKDijk6zTIbegEgu8Qy7C1LboslQAw==}
-
-  '@next/env@14.2.21':
-    resolution: {integrity: sha512-lXcwcJd5oR01tggjWJ6SrNNYFGuOOMB9c251wUNkjCpkoXOPkDeF/15c3mnVlBqrW4JJXb2kVxDFhC4GduJt2A==}
-
-  '@next/env@15.2.4':
-    resolution: {integrity: sha512-+SFtMgoiYP3WoSswuNmxJOCwi06TdWE733D+WPjpXIe4LXGULwEaofiiAy6kbS0+XjM5xF5n3lKuBwN2SnqD9g==}
-
-  '@next/env@15.4.8':
-    resolution: {integrity: sha512-LydLa2MDI1NMrOFSkO54mTc8iIHSttj6R6dthITky9ylXV2gCGi0bHQjVCtLGRshdRPjyh2kXbxJukDtBWQZtQ==}
-
-  '@next/env@15.5.6':
-    resolution: {integrity: sha512-3qBGRW+sCGzgbpc5TS1a0p7eNxnOarGVQhZxfvTdnV0gFI61lX7QNtQ4V1TSREctXzYn5NetbUsLvyqwLFJM6Q==}
-
-  '@next/swc-darwin-arm64@14.1.0':
-    resolution: {integrity: sha512-nUDn7TOGcIeyQni6lZHfzNoo9S0euXnu0jhsbMOmMJUBfgsnESdjN97kM7cBqQxZa8L/bM9om/S5/1dzCrW6wQ==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@next/swc-darwin-arm64@14.2.21':
-    resolution: {integrity: sha512-HwEjcKsXtvszXz5q5Z7wCtrHeTTDSTgAbocz45PHMUjU3fBYInfvhR+ZhavDRUYLonm53aHZbB09QtJVJj8T7g==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@next/swc-darwin-arm64@15.2.4':
-    resolution: {integrity: sha512-1AnMfs655ipJEDC/FHkSr0r3lXBgpqKo4K1kiwfUf3iE68rDFXZ1TtHdMvf7D0hMItgDZ7Vuq3JgNMbt/+3bYw==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@next/swc-darwin-arm64@15.4.8':
-    resolution: {integrity: sha512-Pf6zXp7yyQEn7sqMxur6+kYcywx5up1J849psyET7/8pG2gQTVMjU3NzgIt8SeEP5to3If/SaWmaA6H6ysBr1A==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@next/swc-darwin-arm64@15.5.6':
-    resolution: {integrity: sha512-ES3nRz7N+L5Umz4KoGfZ4XX6gwHplwPhioVRc25+QNsDa7RtUF/z8wJcbuQ2Tffm5RZwuN2A063eapoJ1u4nPg==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@next/swc-darwin-x64@14.1.0':
-    resolution: {integrity: sha512-1jgudN5haWxiAl3O1ljUS2GfupPmcftu2RYJqZiMJmmbBT5M1XDffjUtRUzP4W3cBHsrvkfOFdQ71hAreNQP6g==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [darwin]
-
-  '@next/swc-darwin-x64@14.2.21':
-    resolution: {integrity: sha512-TSAA2ROgNzm4FhKbTbyJOBrsREOMVdDIltZ6aZiKvCi/v0UwFmwigBGeqXDA97TFMpR3LNNpw52CbVelkoQBxA==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [darwin]
-
-  '@next/swc-darwin-x64@15.2.4':
-    resolution: {integrity: sha512-3qK2zb5EwCwxnO2HeO+TRqCubeI/NgCe+kL5dTJlPldV/uwCnUgC7VbEzgmxbfrkbjehL4H9BPztWOEtsoMwew==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [darwin]
-
-  '@next/swc-darwin-x64@15.4.8':
-    resolution: {integrity: sha512-xla6AOfz68a6kq3gRQccWEvFC/VRGJmA/QuSLENSO7CZX5WIEkSz7r1FdXUjtGCQ1c2M+ndUAH7opdfLK1PQbw==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [darwin]
-
-  '@next/swc-darwin-x64@15.5.6':
-    resolution: {integrity: sha512-JIGcytAyk9LQp2/nuVZPAtj8uaJ/zZhsKOASTjxDug0SPU9LAM3wy6nPU735M1OqacR4U20LHVF5v5Wnl9ptTA==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [darwin]
-
-  '@next/swc-linux-arm64-gnu@14.1.0':
-    resolution: {integrity: sha512-RHo7Tcj+jllXUbK7xk2NyIDod3YcCPDZxj1WLIYxd709BQ7WuRYl3OWUNG+WUfqeQBds6kvZYlc42NJJTNi4tQ==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [linux]
-    libc: [glibc]
-
-  '@next/swc-linux-arm64-gnu@14.2.21':
-    resolution: {integrity: sha512-0Dqjn0pEUz3JG+AImpnMMW/m8hRtl1GQCNbO66V1yp6RswSTiKmnHf3pTX6xMdJYSemf3O4Q9ykiL0jymu0TuA==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [linux]
-    libc: [glibc]
-
-  '@next/swc-linux-arm64-gnu@15.2.4':
-    resolution: {integrity: sha512-HFN6GKUcrTWvem8AZN7tT95zPb0GUGv9v0d0iyuTb303vbXkkbHDp/DxufB04jNVD+IN9yHy7y/6Mqq0h0YVaQ==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [linux]
-    libc: [glibc]
-
-  '@next/swc-linux-arm64-gnu@15.4.8':
-    resolution: {integrity: sha512-y3fmp+1Px/SJD+5ntve5QLZnGLycsxsVPkTzAc3zUiXYSOlTPqT8ynfmt6tt4fSo1tAhDPmryXpYKEAcoAPDJw==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [linux]
-    libc: [glibc]
-
-  '@next/swc-linux-arm64-gnu@15.5.6':
-    resolution: {integrity: sha512-qvz4SVKQ0P3/Im9zcS2RmfFL/UCQnsJKJwQSkissbngnB/12c6bZTCB0gHTexz1s6d/mD0+egPKXAIRFVS7hQg==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [linux]
-    libc: [glibc]
-
-  '@next/swc-linux-arm64-musl@14.1.0':
-    resolution: {integrity: sha512-v6kP8sHYxjO8RwHmWMJSq7VZP2nYCkRVQ0qolh2l6xroe9QjbgV8siTbduED4u0hlk0+tjS6/Tuy4n5XCp+l6g==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [linux]
-    libc: [musl]
-
-  '@next/swc-linux-arm64-musl@14.2.21':
-    resolution: {integrity: sha512-Ggfw5qnMXldscVntwnjfaQs5GbBbjioV4B4loP+bjqNEb42fzZlAaK+ldL0jm2CTJga9LynBMhekNfV8W4+HBw==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [linux]
-    libc: [musl]
-
-  '@next/swc-linux-arm64-musl@15.2.4':
-    resolution: {integrity: sha512-Oioa0SORWLwi35/kVB8aCk5Uq+5/ZIumMK1kJV+jSdazFm2NzPDztsefzdmzzpx5oGCJ6FkUC7vkaUseNTStNA==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [linux]
-    libc: [musl]
-
-  '@next/swc-linux-arm64-musl@15.4.8':
-    resolution: {integrity: sha512-DX/L8VHzrr1CfwaVjBQr3GWCqNNFgyWJbeQ10Lx/phzbQo3JNAxUok1DZ8JHRGcL6PgMRgj6HylnLNndxn4Z6A==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [linux]
-    libc: [musl]
-
-  '@next/swc-linux-arm64-musl@15.5.6':
-    resolution: {integrity: sha512-FsbGVw3SJz1hZlvnWD+T6GFgV9/NYDeLTNQB2MXoPN5u9VA9OEDy6fJEfePfsUKAhJufFbZLgp0cPxMuV6SV0w==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [linux]
-    libc: [musl]
-
-  '@next/swc-linux-x64-gnu@14.1.0':
-    resolution: {integrity: sha512-zJ2pnoFYB1F4vmEVlb/eSe+VH679zT1VdXlZKX+pE66grOgjmKJHKacf82g/sWE4MQ4Rk2FMBCRnX+l6/TVYzQ==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [linux]
-    libc: [glibc]
-
-  '@next/swc-linux-x64-gnu@14.2.21':
-    resolution: {integrity: sha512-uokj0lubN1WoSa5KKdThVPRffGyiWlm/vCc/cMkWOQHw69Qt0X1o3b2PyLLx8ANqlefILZh1EdfLRz9gVpG6tg==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [linux]
-    libc: [glibc]
-
-  '@next/swc-linux-x64-gnu@15.2.4':
-    resolution: {integrity: sha512-yb5WTRaHdkgOqFOZiu6rHV1fAEK0flVpaIN2HB6kxHVSy/dIajWbThS7qON3W9/SNOH2JWkVCyulgGYekMePuw==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [linux]
-    libc: [glibc]
-
-  '@next/swc-linux-x64-gnu@15.4.8':
-    resolution: {integrity: sha512-9fLAAXKAL3xEIFdKdzG5rUSvSiZTLLTCc6JKq1z04DR4zY7DbAPcRvNm3K1inVhTiQCs19ZRAgUerHiVKMZZIA==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [linux]
-    libc: [glibc]
-
-  '@next/swc-linux-x64-gnu@15.5.6':
-    resolution: {integrity: sha512-3QnHGFWlnvAgyxFxt2Ny8PTpXtQD7kVEeaFat5oPAHHI192WKYB+VIKZijtHLGdBBvc16tiAkPTDmQNOQ0dyrA==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [linux]
-    libc: [glibc]
-
-  '@next/swc-linux-x64-musl@14.1.0':
-    resolution: {integrity: sha512-rbaIYFt2X9YZBSbH/CwGAjbBG2/MrACCVu2X0+kSykHzHnYH5FjHxwXLkcoJ10cX0aWCEynpu+rP76x0914atg==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [linux]
-    libc: [musl]
-
-  '@next/swc-linux-x64-musl@14.2.21':
-    resolution: {integrity: sha512-iAEBPzWNbciah4+0yI4s7Pce6BIoxTQ0AGCkxn/UBuzJFkYyJt71MadYQkjPqCQCJAFQ26sYh7MOKdU+VQFgPg==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [linux]
-    libc: [musl]
-
-  '@next/swc-linux-x64-musl@15.2.4':
-    resolution: {integrity: sha512-Dcdv/ix6srhkM25fgXiyOieFUkz+fOYkHlydWCtB0xMST6X9XYI3yPDKBZt1xuhOytONsIFJFB08xXYsxUwJLw==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [linux]
-    libc: [musl]
-
-  '@next/swc-linux-x64-musl@15.4.8':
-    resolution: {integrity: sha512-s45V7nfb5g7dbS7JK6XZDcapicVrMMvX2uYgOHP16QuKH/JA285oy6HcxlKqwUNaFY/UC6EvQ8QZUOo19cBKSA==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [linux]
-    libc: [musl]
-
-  '@next/swc-linux-x64-musl@15.5.6':
-    resolution: {integrity: sha512-OsGX148sL+TqMK9YFaPFPoIaJKbFJJxFzkXZljIgA9hjMjdruKht6xDCEv1HLtlLNfkx3c5w2GLKhj7veBQizQ==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [linux]
-    libc: [musl]
-
-  '@next/swc-win32-arm64-msvc@14.1.0':
-    resolution: {integrity: sha512-o1N5TsYc8f/HpGt39OUQpQ9AKIGApd3QLueu7hXk//2xq5Z9OxmV6sQfNp8C7qYmiOlHYODOGqNNa0e9jvchGQ==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [win32]
-
-  '@next/swc-win32-arm64-msvc@14.2.21':
-    resolution: {integrity: sha512-plykgB3vL2hB4Z32W3ktsfqyuyGAPxqwiyrAi2Mr8LlEUhNn9VgkiAl5hODSBpzIfWweX3er1f5uNpGDygfQVQ==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [win32]
-
-  '@next/swc-win32-arm64-msvc@15.2.4':
-    resolution: {integrity: sha512-dW0i7eukvDxtIhCYkMrZNQfNicPDExt2jPb9AZPpL7cfyUo7QSNl1DjsHjmmKp6qNAqUESyT8YFl/Aw91cNJJg==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [win32]
-
-  '@next/swc-win32-arm64-msvc@15.4.8':
-    resolution: {integrity: sha512-KjgeQyOAq7t/HzAJcWPGA8X+4WY03uSCZ2Ekk98S9OgCFsb6lfBE3dbUzUuEQAN2THbwYgFfxX2yFTCMm8Kehw==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [win32]
-
-  '@next/swc-win32-arm64-msvc@15.5.6':
-    resolution: {integrity: sha512-ONOMrqWxdzXDJNh2n60H6gGyKed42Ieu6UTVPZteXpuKbLZTH4G4eBMsr5qWgOBA+s7F+uB4OJbZnrkEDnZ5Fg==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [win32]
-
-  '@next/swc-win32-ia32-msvc@14.1.0':
-    resolution: {integrity: sha512-XXIuB1DBRCFwNO6EEzCTMHT5pauwaSj4SWs7CYnME57eaReAKBXCnkUE80p/pAZcewm7hs+vGvNqDPacEXHVkw==}
-    engines: {node: '>= 10'}
-    cpu: [ia32]
-    os: [win32]
-
-  '@next/swc-win32-ia32-msvc@14.2.21':
-    resolution: {integrity: sha512-w5bacz4Vxqrh06BjWgua3Yf7EMDb8iMcVhNrNx8KnJXt8t+Uu0Zg4JHLDL/T7DkTCEEfKXO/Er1fcfWxn2xfPA==}
-    engines: {node: '>= 10'}
-    cpu: [ia32]
-    os: [win32]
-
-  '@next/swc-win32-x64-msvc@14.1.0':
-    resolution: {integrity: sha512-9WEbVRRAqJ3YFVqEZIxUqkiO8l1nool1LmNxygr5HWF8AcSYsEpneUDhmjUVJEzO2A04+oPtZdombzzPPkTtgg==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [win32]
-
-  '@next/swc-win32-x64-msvc@14.2.21':
-    resolution: {integrity: sha512-sT6+llIkzpsexGYZq8cjjthRyRGe5cJVhqh12FmlbxHqna6zsDDK8UNaV7g41T6atFHCJUPeLb3uyAwrBwy0NA==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [win32]
-
-  '@next/swc-win32-x64-msvc@15.2.4':
-    resolution: {integrity: sha512-SbnWkJmkS7Xl3kre8SdMF6F/XDh1DTFEhp0jRTj/uB8iPKoU2bb2NDfcu+iifv1+mxQEd1g2vvSxcZbXSKyWiQ==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [win32]
-
-  '@next/swc-win32-x64-msvc@15.4.8':
-    resolution: {integrity: sha512-Exsmf/+42fWVnLMaZHzshukTBxZrSwuuLKFvqhGHJ+mC1AokqieLY/XzAl3jc/CqhXLqLY3RRjkKJ9YnLPcRWg==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [win32]
-
-  '@next/swc-win32-x64-msvc@15.5.6':
-    resolution: {integrity: sha512-pxK4VIjFRx1MY92UycLOOw7dTdvccWsNETQ0kDHkBlcFH1GrTLUjSiHU1ohrznnux6TqRHgv5oflhfIWZwVROQ==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [win32]
-
   '@nicolo-ribaudo/eslint-scope-5-internals@5.1.1-v1':
     resolution: {integrity: sha512-54/JRvkLIzzDWshCWfuhadfrfZVPiElY8Fcgmg1HroEly/EDSszzhBAsarCux+D/kOslTRquNzuyGSmUSTTHGg==}
 
+  '@nodable/entities@2.1.0':
+    resolution: {integrity: sha512-nyT7T3nbMyBI/lvr6L5TyWbFJAI9FTgVRakNoBqCD+PmID8DzFrrNdLLtHMwMszOtqZa8PAOV24ZqDnQrhQINA==}
+
   '@nodelib/fs.scandir@2.1.5':
     resolution: {integrity: sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==}
     engines: {node: '>= 8'}
@@ -6448,17 +5084,13 @@ packages:
   '@open-draft/deferred-promise@2.2.0':
     resolution: {integrity: sha512-CecwLWx3rhxVQF6V4bAgPS5t+So2sTbPgAzafKkVizyi7tlwpcFpdFqq+wqF2OwNBmqFuu6tOyouTuxgpMfzmA==}
 
-  '@opentelemetry/api-logs@0.203.0':
-    resolution: {integrity: sha512-9B9RU0H7Ya1Dx/Rkyc4stuBZSGVQF27WigitInx2QQoj6KUpEFYPKoWjdFTunJYxmXmh17HeBvbMa1EhGyPmqQ==}
+  '@opentelemetry/api-logs@0.214.0':
+    resolution: {integrity: sha512-40lSJeqYO8Uz2Yj7u94/SJWE/wONa7rmMKjI1ZcIjgf3MHNHv1OZUCrCETGuaRF62d5pQD1wKIW+L4lmSMTzZA==}
     engines: {node: '>=8.0.0'}
 
-  '@opentelemetry/api-logs@0.52.1':
-    resolution: {integrity: sha512-qnSqB2DQ9TPP96dl8cDubDvrUyWc0/sK81xHTK8eSUspzDM3bsewX903qclQFvVhgStjRWdC5bLb3kQqMkfV5A==}
-    engines: {node: '>=14'}
-
-  '@opentelemetry/api-logs@0.57.0':
-    resolution: {integrity: sha512-l1aJ30CXeauVYaI+btiynHpw341LthkMTv3omi1VJDX14werY2Wmv9n1yudMsq9HuY0m8PvXEVX4d8zxEb+WRg==}
-    engines: {node: '>=14'}
+  '@opentelemetry/api-logs@0.218.0':
+    resolution: {integrity: sha512-fmEWp5kXlGEc3i/lR698Hz41DfGyN4Tbe4g7L1AxSc7fF8Xeh/FQ9Quqpa9dVA413Q1Ad43QOLzU4JoXgbFPWw==}
+    engines: {node: '>=8.0.0'}
 
   '@opentelemetry/api-logs@0.57.2':
     resolution: {integrity: sha512-uIX52NnTM0iBh84MShlpouI7UKqkZ7MrUszTmaypHBu4r7NofznSnQRfJ+uUeDtQDj6w8eFGg5KBLDAwAPz1+A==}
@@ -6472,116 +5104,108 @@ packages:
     resolution: {integrity: sha512-3giAOQvZiH5F9bMlMiv8+GSPMeqg0dbaeo58/0SlA9sxSqZhnUtxzX9/2FzyhS9sWQf5S0GJE0AKBrFqjpeYcg==}
     engines: {node: '>=8.0.0'}
 
+  '@opentelemetry/api@1.9.1':
+    resolution: {integrity: sha512-gLyJlPHPZYdAk1JENA9LeHejZe1Ti77/pTeFm/nMXmQH/HFZlcS/O2XJB+L8fkbrNSqhdtlvjBVjxwUYanNH5Q==}
+    engines: {node: '>=8.0.0'}
+
+  '@opentelemetry/configuration@0.218.0':
+    resolution: {integrity: sha512-W8wIz7H2R1pufR5jfjb3gU2XkMpm2x/7b1RJcsuzvd70Il/rWWE+g5/Od7hQKrxRTSrTrOWlru101PWXz5I1EQ==}
+    engines: {node: ^18.19.0 || >=20.6.0}
+    peerDependencies:
+      '@opentelemetry/api': ^1.9.0
+
   '@opentelemetry/context-async-hooks@1.30.1':
     resolution: {integrity: sha512-s5vvxXPVdjqS3kTLKMeBMvop9hbWkwzBpu+mUO2M7sZtlkyDJGwFe33wRKnbaYDo8ExRVBIIdwIGrqpxHuKttA==}
     engines: {node: '>=14'}
     peerDependencies:
       '@opentelemetry/api': '>=1.0.0 <1.10.0'
 
-  '@opentelemetry/context-async-hooks@2.0.1':
-    resolution: {integrity: sha512-XuY23lSI3d4PEqKA+7SLtAgwqIfc6E/E9eAQWLN1vlpC53ybO3o6jW4BsXo1xvz9lYyyWItfQDDLzezER01mCw==}
+  '@opentelemetry/context-async-hooks@2.7.1':
+    resolution: {integrity: sha512-OPFBYuXEn1E4ja3Y6eeA7O+ZnLBNcXTV5Cgsn1VaqBZ6hC5FnpZPLBNme1LJY8ZtF4aOujPKFoeWN4ik487KuQ==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': '>=1.0.0 <1.10.0'
 
-  '@opentelemetry/core@1.30.0':
-    resolution: {integrity: sha512-Q/3u/K73KUjTCnFUP97ZY+pBjQ1kPEgjOfXj/bJl8zW7GbXdkw6cwuyZk6ZTXkVgCBsYRYUzx4fvYK1jxdb9MA==}
-    engines: {node: '>=14'}
-    peerDependencies:
-      '@opentelemetry/api': '>=1.0.0 <1.10.0'
-
   '@opentelemetry/core@1.30.1':
     resolution: {integrity: sha512-OOCM2C/QIURhJMuKaekP3TRBxBKxG/TWWA0TL2J6nXUtDnuCtccy49LUJF8xPFXMX+0LMcxFpCo8M9cGY1W6rQ==}
     engines: {node: '>=14'}
     peerDependencies:
       '@opentelemetry/api': '>=1.0.0 <1.10.0'
 
-  '@opentelemetry/core@2.0.1':
-    resolution: {integrity: sha512-MaZk9SJIDgo1peKevlbhP6+IwIiNPNmswNL4AF0WaQJLbHXjr9SrZMgS12+iqr9ToV4ZVosCcc0f8Rg67LXjxw==}
-    engines: {node: ^18.19.0 || >=20.6.0}
-    peerDependencies:
-      '@opentelemetry/api': '>=1.0.0 <1.10.0'
-
-  '@opentelemetry/core@2.2.0':
-    resolution: {integrity: sha512-FuabnnUm8LflnieVxs6eP7Z383hgQU4W1e3KJS6aOG3RxWxcHyBxH8fDMHNgu/gFx/M2jvTOW/4/PHhLz6bjWw==}
+  '@opentelemetry/core@2.7.1':
+    resolution: {integrity: sha512-QAqIj32AtK6+pEVNG7EOVxHdE06RP+FM5qpiEJ4RtDcFIqKUZHYhl7/7UY5efhwmwNAg7j8QbJVBLxMerc0+gw==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': '>=1.0.0 <1.10.0'
 
-  '@opentelemetry/exporter-logs-otlp-grpc@0.203.0':
-    resolution: {integrity: sha512-g/2Y2noc/l96zmM+g0LdeuyYKINyBwN6FJySoU15LHPLcMN/1a0wNk2SegwKcxrRdE7Xsm7fkIR5n6XFe3QpPw==}
+  '@opentelemetry/exporter-logs-otlp-grpc@0.218.0':
+    resolution: {integrity: sha512-hoxrNH1l/Xy6F9WTJ5IK+6j1r9nQFlPOmrnTlhYHTySdunfXLmUCPv3bQtKYntxag9h3wLYBZQ2HI6FOx+BT2g==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/exporter-logs-otlp-http@0.203.0':
-    resolution: {integrity: sha512-s0hys1ljqlMTbXx2XiplmMJg9wG570Z5lH7wMvrZX6lcODI56sG4HL03jklF63tBeyNwK2RV1/ntXGo3HgG4Qw==}
+  '@opentelemetry/exporter-logs-otlp-http@0.218.0':
+    resolution: {integrity: sha512-Qx+4rpVHzgg89dawcWRHyt+XRXeLnhFz/qBtvggmjkcgPUdr+NAB0/u/eIPA8yAeJV0J80Vz43JZCh/XFvZFGw==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/exporter-logs-otlp-proto@0.203.0':
-    resolution: {integrity: sha512-nl/7S91MXn5R1aIzoWtMKGvqxgJgepB/sH9qW0rZvZtabnsjbf8OQ1uSx3yogtvLr0GzwD596nQKz2fV7q2RBw==}
+  '@opentelemetry/exporter-logs-otlp-proto@0.218.0':
+    resolution: {integrity: sha512-1/noQNsp9gXD75HPzgjBrcF1+XTtry7pFAUfxVEJgg7mPv2AawKQuYkhMmJ8qjxz4Ubc3Y8bwvfxevXsKTq4cg==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/exporter-metrics-otlp-grpc@0.203.0':
-    resolution: {integrity: sha512-FCCj9nVZpumPQSEI57jRAA89hQQgONuoC35Lt+rayWY/mzCAc6BQT7RFyFaZKJ2B7IQ8kYjOCPsF/HGFWjdQkQ==}
+  '@opentelemetry/exporter-metrics-otlp-grpc@0.218.0':
+    resolution: {integrity: sha512-YapQ9vNMX0NSZF6LK5pWAFfjpJleV2O9uYWfYGeb/5F1Kb9rPGK8tZDMJFa/sOksgdFuflDvYuA0B4qjDB4fjQ==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/exporter-metrics-otlp-http@0.203.0':
-    resolution: {integrity: sha512-HFSW10y8lY6BTZecGNpV3GpoSy7eaO0Z6GATwZasnT4bEsILp8UJXNG5OmEsz4SdwCSYvyCbTJdNbZP3/8LGCQ==}
+  '@opentelemetry/exporter-metrics-otlp-http@0.218.0':
+    resolution: {integrity: sha512-bV7d2OuMpZu2+gAaxUAhzfZ0h3WVZk8ETQUEE3DNSntbTaMpuITjtm8I0rNyHFdm7Ax57K6ty7SgFXlBmOLIvQ==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/exporter-metrics-otlp-proto@0.203.0':
-    resolution: {integrity: sha512-OZnhyd9npU7QbyuHXFEPVm3LnjZYifuKpT3kTnF84mXeEQ84pJJZgyLBpU4FSkSwUkt/zbMyNAI7y5+jYTWGIg==}
+  '@opentelemetry/exporter-metrics-otlp-proto@0.218.0':
+    resolution: {integrity: sha512-ubLddKjWULhla9YZRCj/rTBeppjJYE4e9w0icx5mTu3eFhWjQzbV75NYjXuIlEG+NJsBl6d+sTFw5Qu+oej4oQ==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/exporter-prometheus@0.203.0':
-    resolution: {integrity: sha512-2jLuNuw5m4sUj/SncDf/mFPabUxMZmmYetx5RKIMIQyPnl6G6ooFzfeE8aXNRf8YD1ZXNlCnRPcISxjveGJHNg==}
+  '@opentelemetry/exporter-prometheus@0.218.0':
+    resolution: {integrity: sha512-RT5oEyu1kddZJ1vt7/BUo5wV+P7hpNAESsR3dUd3+8deHuX7gWNoCOZn+SfDT+hJHlIJ5h/AxiCLXIrutswDJg==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/exporter-trace-otlp-grpc@0.203.0':
-    resolution: {integrity: sha512-322coOTf81bm6cAA8+ML6A+m4r2xTCdmAZzGNTboPXRzhwPt4JEmovsFAs+grpdarObd68msOJ9FfH3jxM6wqA==}
+  '@opentelemetry/exporter-trace-otlp-grpc@0.218.0':
+    resolution: {integrity: sha512-3fXxVQEj9TNAFaCi79JeFKfeLd0sDtInaR3gaZDVlzNSPHtz8PZuCV34JKWjD4XXzT20IdMe8IpX6mRVNDA4Tw==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/exporter-trace-otlp-http@0.203.0':
-    resolution: {integrity: sha512-ZDiaswNYo0yq/cy1bBLJFe691izEJ6IgNmkjm4C6kE9ub/OMQqDXORx2D2j8fzTBTxONyzusbaZlqtfmyqURPw==}
+  '@opentelemetry/exporter-trace-otlp-http@0.218.0':
+    resolution: {integrity: sha512-8dqezsmPhtKitIK/eTipZhYl9EX2/gNQ5zUMhaz3uxEURwfkNf8IPvo6yNfrzbxdtpAOybS/+h7wmIWYqFSpiw==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/exporter-trace-otlp-http@0.57.0':
-    resolution: {integrity: sha512-BJl35PSkwoMlGEOrzjCG1ih6zqZoAZJIR4xyqSKC2BqPtwuRjID0vWBaEdP9xrxxJTEIEQw+gEY/0pUgicX0ew==}
-    engines: {node: '>=14'}
-    peerDependencies:
-      '@opentelemetry/api': ^1.3.0
-
-  '@opentelemetry/exporter-trace-otlp-proto@0.203.0':
-    resolution: {integrity: sha512-1xwNTJ86L0aJmWRwENCJlH4LULMG2sOXWIVw+Szta4fkqKVY50Eo4HoVKKq6U9QEytrWCr8+zjw0q/ZOeXpcAQ==}
+  '@opentelemetry/exporter-trace-otlp-proto@0.218.0':
+    resolution: {integrity: sha512-r1Msf8SNLRmwh9J6XQ5uh82D7CdDWMNHnPB7LAVHjzut0TkSeKc5KcIvr4SvHvfk/xwN5gxC+VLKQ1k0o8PSPw==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/exporter-zipkin@2.0.1':
-    resolution: {integrity: sha512-a9eeyHIipfdxzCfc2XPrE+/TI3wmrZUDFtG2RRXHSbZZULAny7SyybSvaDvS77a7iib5MPiAvluwVvbGTsHxsw==}
+  '@opentelemetry/exporter-zipkin@2.7.1':
+    resolution: {integrity: sha512-mfsD9bKAxcKrh5+y08TPodvClBO0CznBE3p79YAGnO81WI4LrdsGA65T53e4iTSbCalW4WaUpkbeJcbpyIUHfg==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.0.0
 
-  '@opentelemetry/host-metrics@0.37.0':
-    resolution: {integrity: sha512-gf6nRFci0PTni9R1QQKjZ2uZE4Y6olLKhlwdM0qqLbbn3SBVKyP2jyBMiosBTHtRNLjY7s8hzQ44eLdK5wkGNQ==}
+  '@opentelemetry/host-metrics@0.38.3':
+    resolution: {integrity: sha512-8iSOA8VPGoB5p/RIC8n/dcSe4cluCEWoznWENZfXR8sWQOQvergFu7v798xp7S5WQlZo1zfn1nVXx8dbyQ9m6Q==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
@@ -6592,8 +5216,8 @@ packages:
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/instrumentation-aws-sdk@0.57.0':
-    resolution: {integrity: sha512-RfbyjaeZzX3mPhuaRHlSAQyfX3skfeWOl30jrqSXtE9k0DPdnIqpHhdYS0C/DEDuZbwTmruVJ4cUwMBw5Z6FAg==}
+  '@opentelemetry/instrumentation-aws-sdk@0.69.0':
+    resolution: {integrity: sha512-JfSp3anFL5Lx/ysQSa4MnKxvSsXSnYpgQ831Y+yNs5wJZcJC4tB+YpnKH+bU5oFdKEF59FpI6Gn5Wg2vjVpR2A==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
@@ -6616,14 +5240,14 @@ packages:
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/instrumentation-express@0.52.0':
-    resolution: {integrity: sha512-W7pizN0Wh1/cbNhhTf7C62NpyYw7VfCFTYg0DYieSTrtPBT1vmoSZei19wfKLnrMsz3sHayCg0HxCVL2c+cz5w==}
+  '@opentelemetry/instrumentation-express@0.62.0':
+    resolution: {integrity: sha512-Tvx+vgAZKEQxU3Rx+xWLiR0mLxHwmk69/8ya04+VsV9WYh8w6Lhx5hm5yAMvo1wy0KqWgFKBLwSeo3sHCwdOww==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/instrumentation-fetch@0.203.0':
-    resolution: {integrity: sha512-Z+mls3rOP2BaVykDZLLZPvchjj9l2oj3dYG1GTnrc27Y8o3biE+5M1b0izblycbbQHXjMPHQCpmjHbLMQuWtBg==}
+  '@opentelemetry/instrumentation-fetch@0.218.0':
+    resolution: {integrity: sha512-eP/Y5hDupb+6MwZSaMw4ZdsDz8YgfJbJ4Ta86BMVeOmI2EArwXcd0v1nfNIvUzXTPi7nakidwqeuUa3FwRwECg==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
@@ -6652,8 +5276,8 @@ packages:
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/instrumentation-http@0.203.0':
-    resolution: {integrity: sha512-y3uQAcCOAwnO6vEuNVocmpVzG3PER6/YZqbPbbffDdJ9te5NkHEkfSMNzlC3+v7KlE+WinPGc3N7MR30G1HY2g==}
+  '@opentelemetry/instrumentation-http@0.218.0':
+    resolution: {integrity: sha512-x9djaqdzpT8WAboep1H9nCAQ1E+MMsm08TNfA02TqM3bNNddZeiim+E3KMWVQFaX6JpUy7V0nm/wfN/K2Em+Zw==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
@@ -6742,21 +5366,15 @@ packages:
     peerDependencies:
       '@opentelemetry/api': ^1.7.0
 
-  '@opentelemetry/instrumentation-undici@0.14.0':
-    resolution: {integrity: sha512-2HN+7ztxAReXuxzrtA3WboAKlfP5OsPA57KQn2AdYZbJ3zeRPcLXyW4uO/jpLE6PLm0QRtmeGCmfYpqRlwgSwg==}
-    engines: {node: ^18.19.0 || >=20.6.0}
-    peerDependencies:
-      '@opentelemetry/api': ^1.7.0
-
-  '@opentelemetry/instrumentation@0.203.0':
-    resolution: {integrity: sha512-ke1qyM+3AK2zPuBPb6Hk/GCsc5ewbLvPNkEuELx/JmANeEp6ZjnZ+wypPAJSucTw0wvCGrUaibDSdcrGFoWxKQ==}
+  '@opentelemetry/instrumentation@0.214.0':
+    resolution: {integrity: sha512-MHqEX5Dk59cqVah5LiARMACku7jXSVk9iVDWOea4x3cr7VfdByeDCURK6o1lntT1JS/Tsovw01UJrBhN3/uC5w==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/instrumentation@0.52.1':
-    resolution: {integrity: sha512-uXJbYU/5/MBHjMp1FqrILLRuiJCs3Ofk0MeRDk8g1S1gD47U8X3JnSwcMO1rtRo1x1a7zKaQHaoYu49p/4eSKw==}
-    engines: {node: '>=14'}
+  '@opentelemetry/instrumentation@0.218.0':
+    resolution: {integrity: sha512-mIZil8Es+sYDK5m+DQiwAwF57F14TF2YlEqvIjZ/RQWcxDBwRGsKfdK2Tv65OU9meQKCMzSIFS9mxAcnAb6Bkg==}
+    engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
@@ -6766,50 +5384,32 @@ packages:
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/otlp-exporter-base@0.203.0':
-    resolution: {integrity: sha512-Wbxf7k+87KyvxFr5D7uOiSq/vHXWommvdnNE7vECO3tAhsA2GfOlpWINCMWUEPdHZ7tCXxw6Epp3vgx3jU7llQ==}
+  '@opentelemetry/otlp-exporter-base@0.218.0':
+    resolution: {integrity: sha512-ZwqpkNL5W7RyGJPDZ9g06DvKp8KFTWPJPN12anpMQYSKpTSU0z3EIZuPq9vPGpS8siFyOqDYDAuCwlNO9FqgbA==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/otlp-exporter-base@0.57.0':
-    resolution: {integrity: sha512-QQl4Ngm3D6H8SDO0EM642ncTxjRsf/HDq7+IWIA0eaEK/NTsJeQ3iYJiZj3F4jkALnvyeM1kkwd+DHtqxTBx9Q==}
-    engines: {node: '>=14'}
-    peerDependencies:
-      '@opentelemetry/api': ^1.3.0
-
-  '@opentelemetry/otlp-grpc-exporter-base@0.203.0':
-    resolution: {integrity: sha512-te0Ze1ueJF+N/UOFl5jElJW4U0pZXQ8QklgSfJ2linHN0JJsuaHG8IabEUi2iqxY8ZBDlSiz1Trfv5JcjWWWwQ==}
+  '@opentelemetry/otlp-grpc-exporter-base@0.218.0':
+    resolution: {integrity: sha512-H/lCGJ536N98VpYJOaWTQOkv4Dx6TnmStK6Rqfu1W7KkFbPAx04hjdYEMZF/YbnHzPUSIK4kM6OE2GKGBTpV9A==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/otlp-transformer@0.203.0':
-    resolution: {integrity: sha512-Y8I6GgoCna0qDQ2W6GCRtaF24SnvqvA8OfeTi7fqigD23u8Jpb4R5KFv/pRvrlGagcCLICMIyh9wiejp4TXu/A==}
+  '@opentelemetry/otlp-transformer@0.218.0':
+    resolution: {integrity: sha512-CFaKH87WAzjuJ4awowTTLzUvMfaRfiOFG5+qm5S5ncyalRtN4ecQ+YmuANJSCrVPuvZFEkUgKhBPBndxi3rHsQ==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.3.0
 
-  '@opentelemetry/otlp-transformer@0.57.0':
-    resolution: {integrity: sha512-yHX7sdwkdAmSa6Jbi3caSLDWy0PCHS1pKQeKz8AIWSyQqL7IojHKgdk9A+7eRd98Z1n9YTdwWSWLnObvIqhEhQ==}
-    engines: {node: '>=14'}
-    peerDependencies:
-      '@opentelemetry/api': ^1.3.0
-
-  '@opentelemetry/propagation-utils@0.31.3':
-    resolution: {integrity: sha512-ZI6LKjyo+QYYZY5SO8vfoCQ9A69r1/g+pyjvtu5RSK38npINN1evEmwqbqhbg2CdcIK3a4PN6pDAJz/yC5/gAA==}
-    engines: {node: ^18.19.0 || >=20.6.0}
-    peerDependencies:
-      '@opentelemetry/api': ^1.0.0
-
-  '@opentelemetry/propagator-b3@2.0.1':
-    resolution: {integrity: sha512-Hc09CaQ8Tf5AGLmf449H726uRoBNGPBL4bjr7AnnUpzWMvhdn61F78z9qb6IqB737TffBsokGAK1XykFEZ1igw==}
+  '@opentelemetry/propagator-b3@2.7.1':
+    resolution: {integrity: sha512-RJid6E2CKyeGfKBzXKF21ejabGMHypFkPAh3qZ+NvI+SGjuIye79t3PmiqcDgtRzdKH6ynXzbfslQ8DfpRUg2A==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': '>=1.0.0 <1.10.0'
 
-  '@opentelemetry/propagator-jaeger@2.0.1':
-    resolution: {integrity: sha512-7PMdPBmGVH2eQNb/AtSJizQNgeNTfh6jQFqys6lfhd6P4r+m/nTh3gKPPpaCXVdRQ+z93vfKk+4UGty390283w==}
+  '@opentelemetry/propagator-jaeger@2.7.1':
+    resolution: {integrity: sha512-KMjVBHzP4N60bOzxja76M1F1hZZ43lGPga5ix+mkv9+kk1nx9SbkxSvJsMbuVUxdPQmsPTqGShmhN8ulrMOg6Q==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': '>=1.0.0 <1.10.0'
@@ -6818,92 +5418,62 @@ packages:
     resolution: {integrity: sha512-faYX1N0gpLhej/6nyp6bgRjzAKXn5GOEMYY7YhciSfCoITAktLUtQ36d24QEWNA1/WA1y6qQunCe0OhHRkVl9g==}
     engines: {node: '>=14'}
 
-  '@opentelemetry/resource-detector-aws@2.3.0':
-    resolution: {integrity: sha512-PkD/lyXG3B3REq1Y6imBLckljkJYXavtqGYSryAeJYvGOf5Ds3doR+BCGjmKeF6ObAtI5MtpBeUStTDtGtBsWA==}
+  '@opentelemetry/resource-detector-aws@2.14.0':
+    resolution: {integrity: sha512-1a0YMG6wZuLUfwkSgfe77vN60V5SmK//kM+JsQFT7dOKLyFvpN5A+TpX/eFdaqnhg89CxyF7XpKMBbg1DGv5bw==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': ^1.0.0
 
-  '@opentelemetry/resources@1.30.0':
-    resolution: {integrity: sha512-5mGMjL0Uld/99t7/pcd7CuVtJbkARckLVuiOX84nO8RtLtIz0/J6EOHM2TGvPZ6F4K+XjUq13gMx14w80SVCQg==}
-    engines: {node: '>=14'}
-    peerDependencies:
-      '@opentelemetry/api': '>=1.0.0 <1.10.0'
-
   '@opentelemetry/resources@1.30.1':
     resolution: {integrity: sha512-5UxZqiAgLYGFjS4s9qm5mBVo433u+dSPUFWVWXmLAD4wB65oMCoXaJP1KJa9DIYYMeHu3z4BZcStG3LC593cWA==}
     engines: {node: '>=14'}
     peerDependencies:
       '@opentelemetry/api': '>=1.0.0 <1.10.0'
 
-  '@opentelemetry/resources@2.0.1':
-    resolution: {integrity: sha512-dZOB3R6zvBwDKnHDTB4X1xtMArB/d324VsbiPkX/Yu0Q8T2xceRthoIVFhJdvgVM2QhGVUyX9tzwiNxGtoBJUw==}
-    engines: {node: ^18.19.0 || >=20.6.0}
-    peerDependencies:
-      '@opentelemetry/api': '>=1.3.0 <1.10.0'
-
-  '@opentelemetry/resources@2.2.0':
-    resolution: {integrity: sha512-1pNQf/JazQTMA0BiO5NINUzH0cbLbbl7mntLa4aJNmCCXSj0q03T5ZXXL0zw4G55TjdL9Tz32cznGClf+8zr5A==}
+  '@opentelemetry/resources@2.7.1':
+    resolution: {integrity: sha512-DeT6KKolmC4e/dRQvMQ/RwlnzhaqeiFOXY5ngoOPJ07GgVVKxZOg9EcrNZb5aTzUn+iCrJldAgOfQm1O/QfPAQ==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': '>=1.3.0 <1.10.0'
 
-  '@opentelemetry/sdk-logs@0.203.0':
-    resolution: {integrity: sha512-vM2+rPq0Vi3nYA5akQD2f3QwossDnTDLvKbea6u/A2NZ3XDkPxMfo/PNrDoXhDUD/0pPo2CdH5ce/thn9K0kLw==}
+  '@opentelemetry/sdk-logs@0.218.0':
+    resolution: {integrity: sha512-QvnNdugatFTVCJXH0Mcu7GOOJSylA9j127kIezOE4YwTI4YbowRons2K4WZTv5FMS8T4q9P0NdaRHdkSmeAIag==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': '>=1.4.0 <1.10.0'
 
-  '@opentelemetry/sdk-logs@0.57.0':
-    resolution: {integrity: sha512-6Kbxdu/QE9LWH7+WSLmYo3DjAq+c55TiCLXiXu6b/2m2muy5SyOG2m0MrGqetyRpfYSSbIqHmJoqNVTN3+2a9g==}
-    engines: {node: '>=14'}
-    peerDependencies:
-      '@opentelemetry/api': '>=1.4.0 <1.10.0'
-
-  '@opentelemetry/sdk-metrics@1.30.0':
-    resolution: {integrity: sha512-5kcj6APyRMvv6dEIP5plz2qfJAD4OMipBRT11u/pa1a68rHKI2Ln+iXVkAGKgx8o7CXbD7FdPypTUY88ZQgP4Q==}
-    engines: {node: '>=14'}
-    peerDependencies:
-      '@opentelemetry/api': '>=1.3.0 <1.10.0'
-
-  '@opentelemetry/sdk-metrics@2.0.1':
-    resolution: {integrity: sha512-wf8OaJoSnujMAHWR3g+/hGvNcsC16rf9s1So4JlMiFaFHiE4HpIA3oUh+uWZQ7CNuK8gVW/pQSkgoa5HkkOl0g==}
+  '@opentelemetry/sdk-metrics@2.7.1':
+    resolution: {integrity: sha512-MpDJdkiFDs3Pm1RHO3KByuZbuBdJEXEAkiC0+yJdsZGVCdf1RpHR6n+LHDcS7ffmfrt5kVCzJSCfm4z2C7v0uQ==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': '>=1.9.0 <1.10.0'
 
-  '@opentelemetry/sdk-node@0.203.0':
-    resolution: {integrity: sha512-zRMvrZGhGVMvAbbjiNQW3eKzW/073dlrSiAKPVWmkoQzah9wfynpVPeL55f9fVIm0GaBxTLcPeukWGy0/Wj7KQ==}
+  '@opentelemetry/sdk-node@0.218.0':
+    resolution: {integrity: sha512-tPMjHrLV5gsfNdYqoRHjeGbCAZBXXD9c1Qo/2ut7VwnUABDNh76xNxrT0SEhkIIJuCN45bbN1vZnYL1gY0IkOg==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': '>=1.3.0 <1.10.0'
 
-  '@opentelemetry/sdk-trace-base@1.30.0':
-    resolution: {integrity: sha512-RKQDaDIkV7PwizmHw+rE/FgfB2a6MBx+AEVVlAHXRG1YYxLiBpPX2KhmoB99R5vA4b72iJrjle68NDWnbrE9Dg==}
-    engines: {node: '>=14'}
-    peerDependencies:
-      '@opentelemetry/api': '>=1.0.0 <1.10.0'
-
   '@opentelemetry/sdk-trace-base@1.30.1':
     resolution: {integrity: sha512-jVPgBbH1gCy2Lb7X0AVQ8XAfgg0pJ4nvl8/IiQA6nxOsPvS+0zMJaFSs2ltXe0J6C8dqjcnpyqINDJmU30+uOg==}
     engines: {node: '>=14'}
     peerDependencies:
       '@opentelemetry/api': '>=1.0.0 <1.10.0'
 
-  '@opentelemetry/sdk-trace-base@2.0.1':
-    resolution: {integrity: sha512-xYLlvk/xdScGx1aEqvxLwf6sXQLXCjk3/1SQT9X9AoN5rXRhkdvIFShuNNmtTEPRBqcsMbS4p/gJLNI2wXaDuQ==}
+  '@opentelemetry/sdk-trace-base@2.7.1':
+    resolution: {integrity: sha512-NAYIlsF8MPUsKqJMiDQJTMPOmlbawC1Iz/omMLygZ1C9am8fTKYjTaI+OZM+WTY3t3Glo0wnOg/6/pac6RGPPw==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': '>=1.3.0 <1.10.0'
 
-  '@opentelemetry/sdk-trace-node@2.0.1':
-    resolution: {integrity: sha512-UhdbPF19pMpBtCWYP5lHbTogLWx9N0EBxtdagvkn5YtsAnCBZzL7SjktG+ZmupRgifsHMjwUaCCaVmqGfSADmA==}
+  '@opentelemetry/sdk-trace-node@2.7.1':
+    resolution: {integrity: sha512-pCpQxU68lV+I9s9svqMyVu5iHdDDUnqUpSxqwyCU8A9ejEsSnMPCbearwsUO4yk08ZJzAIUCFuReMdVQvHrdvg==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': '>=1.0.0 <1.10.0'
 
-  '@opentelemetry/sdk-trace-web@2.0.1':
-    resolution: {integrity: sha512-R4/i0rISvAujG4Zwk3s6ySyrWG+Db3SerZVM4jZ2lEzjrNylF7nRAy1hVvWe8gTbwIxX+6w6ZvZwdtl2C7UQHQ==}
+  '@opentelemetry/sdk-trace-web@2.7.1':
+    resolution: {integrity: sha512-K806OouCSOjMd8Nr7+ZCq3QT22tdAzzS/7h8vprfiKjkgFQ99/dvwU8d12WJANA6D5Qtme65hyBAqAu9CkQuxQ==}
     engines: {node: ^18.19.0 || >=20.6.0}
     peerDependencies:
       '@opentelemetry/api': '>=1.0.0 <1.10.0'
@@ -6912,8 +5482,8 @@ packages:
     resolution: {integrity: sha512-lp4qAiMTD4sNWW4DbKLBkfiMZ4jbAboJIGOQr5DvciMRI494OapieI9qiODpOt0XBr1LjIDy1xAGAnVs5supTA==}
     engines: {node: '>=14'}
 
-  '@opentelemetry/semantic-conventions@1.36.0':
-    resolution: {integrity: sha512-TtxJSRD8Ohxp6bKkhrm27JRHAxPczQA7idtcTOMYI+wQRRrfgqxHv1cFbCApcSnNjtXkmzFozn6jQtFrOmbjPQ==}
+  '@opentelemetry/semantic-conventions@1.41.1':
+    resolution: {integrity: sha512-/UhIkaZgPutTFmQ7RnIJGgDXZmtEJ7Dvi86xNTFWcnRxVRNk/aotsqDJYeEvDP+FSMB2SdW+pQzNMcWP0rwuNA==}
     engines: {node: '>=14'}
 
   '@opentelemetry/sql-common@0.40.1':
@@ -6922,6 +5492,9 @@ packages:
     peerDependencies:
       '@opentelemetry/api': ^1.1.0
 
+  '@pinojs/redact@0.4.0':
+    resolution: {integrity: sha512-k2ENnmBugE/rzQfEcdWHcCY+/FM3VLzH9cYEsbdsoqrvzAKRhUZeRNhAZvB8OitQJ1TBed3yqWtdjzS6wJKBwg==}
+
   '@pkgjs/parseargs@0.11.0':
     resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==}
     engines: {node: '>=14'}
@@ -6939,29 +5512,14 @@ packages:
   '@polka/url@0.5.0':
     resolution: {integrity: sha512-oZLYFEAzUKyi3SKnXvj32ZCEGH6RDnao7COuCVhDydMS9NrCSVXhM79VaKyP5+Zc33m0QXEd2DN3UkU7OsHcfw==}
 
-  '@polka/url@1.0.0-next.28':
-    resolution: {integrity: sha512-8LduaNlMZGwdZ6qWrKlfa+2M4gahzFkprZiAt2TF8uS0qQgBizKXpXURqvTJ4WtmupWxaLqjRb2UCTe72mu+Aw==}
-
   '@popperjs/core@2.11.8':
     resolution: {integrity: sha512-P1st0aksCrn9sGZhp8GMYwBnQsbvAWsZAX44oXNNvLHGqAOcoVxmjZiohstwQ7SqKnbR47akdNi+uleWD8+g6A==}
 
-  '@prisma/adapter-pg@6.16.0':
-    resolution: {integrity: sha512-zNMQyIrkcVFMYFuVeO9GhK9dc5kMSvqwqL+pNMM9oK4+mj7HcKws780ZXhAgV149kcg2kDisHPHO5nE4gkG+oA==}
-
-  '@prisma/adapter-pg@6.20.0-integration-next.8':
-    resolution: {integrity: sha512-5+ZjSPMzyfDYMmWLH1IaQIOQGa8eJrqEz5A9V4vS4+b6LV6qvCOHjqlnbRQ5IKSNCwFP055SJ54RsPES+0jOyA==}
+  '@posthog/core@1.29.13':
+    resolution: {integrity: sha512-7Me5zaeAue/wmA364Go8ChYbsVAfNAHbtDxXopWu3D6hq9PVScUcauRgjD1njgvP8NzN91SrIllE+pri3XvJVw==}
 
-  '@prisma/client-runtime-utils@6.20.0-integration-next.8':
-    resolution: {integrity: sha512-prENLjPislFvRWDHNgXmg9yzixQYsFPVQGtDv5zIMs4pV2KPdNc5pCiZ3n77hAinvqGJVafASa+eU4TfpVphdA==}
-
-  '@prisma/client@4.9.0':
-    resolution: {integrity: sha512-bz6QARw54sWcbyR1lLnF2QHvRW5R/Jxnbbmwh3u+969vUKXtBkXgSgjDA85nji31ZBlf7+FrHDy5x+5ydGyQDg==}
-    engines: {node: '>=14.17'}
-    peerDependencies:
-      prisma: '*'
-    peerDependenciesMeta:
-      prisma:
-        optional: true
+  '@posthog/types@1.376.4':
+    resolution: {integrity: sha512-EoDEvA925lf6yxPpbP4wozlXgu4b9WEqxZlFBUDd4k2akP5R/RWyHpvQT8aYyfY6BtSLn8TnVwxPQOM4b90isA==}
 
   '@prisma/client@6.14.0':
     resolution: {integrity: sha512-8E/Nk3eL5g7RQIg/LUj1ICyDmhD053STjxrPxUtCRybs2s/2sOEcx9NpITuAOPn07HEpWBfhAVe1T/HYWXUPOw==}
@@ -6975,129 +5533,27 @@ packages:
       typescript:
         optional: true
 
-  '@prisma/client@6.16.0':
-    resolution: {integrity: sha512-FYkFJtgwpwJRMxtmrB26y7gtpR372kyChw6lWng5TMmvn5V+uisy0OyllO5EJD1s8lX78V8X3XjhiXOoMLnu3w==}
-    engines: {node: '>=18.18'}
-    peerDependencies:
-      prisma: '*'
-      typescript: 5.5.4
-    peerDependenciesMeta:
-      prisma:
-        optional: true
-      typescript:
-        optional: true
-
-  '@prisma/client@6.19.0':
-    resolution: {integrity: sha512-QXFT+N/bva/QI2qoXmjBzL7D6aliPffIwP+81AdTGq0FXDoLxLkWivGMawG8iM5B9BKfxLIXxfWWAF6wbuJU6g==}
-    engines: {node: '>=18.18'}
-    peerDependencies:
-      prisma: '*'
-      typescript: 5.5.4
-    peerDependenciesMeta:
-      prisma:
-        optional: true
-      typescript:
-        optional: true
-
-  '@prisma/client@6.20.0-integration-next.8':
-    resolution: {integrity: sha512-cSxdnyO3nBr+JQFsW8j4C3JvMWiknSoZktmMNRNtXQ7bmUeG4IyQks97bjzeAUP8feJechk5casCIq3p26GDvA==}
-    engines: {node: ^20.19 || ^22.12 || ^24.0}
-    peerDependencies:
-      prisma: '*'
-      typescript: 5.5.4
-    peerDependenciesMeta:
-      prisma:
-        optional: true
-      typescript:
-        optional: true
-
   '@prisma/config@6.14.0':
     resolution: {integrity: sha512-IwC7o5KNNGhmblLs23swnfBjADkacBb7wvyDXUWLwuvUQciKJZqyecU0jw0d7JRkswrj+XTL8fdr0y2/VerKQQ==}
 
-  '@prisma/config@6.16.0':
-    resolution: {integrity: sha512-Q9TgfnllVehvQziY9lJwRJLGmziX0OimZUEQ/MhCUBoJMSScj2VivCjw/Of2vlO1FfyaHXxrvjZAr7ASl7DVcw==}
-
   '@prisma/config@6.19.0':
     resolution: {integrity: sha512-zwCayme+NzI/WfrvFEtkFhhOaZb/hI+X8TTjzjJ252VbPxAl2hWHK5NMczmnG9sXck2lsXrxIZuK524E25UNmg==}
 
-  '@prisma/config@6.20.0-integration-next.8':
-    resolution: {integrity: sha512-nwf+tczfiGSn0tnuHmBpnK+wmaYzcC20sn9Zt8BSoJVCewJxf8ASHPxZEGgvFLl05zbCfFtq3rMc6ZnAiYjowg==}
-
-  '@prisma/debug@4.16.2':
-    resolution: {integrity: sha512-7L7WbG0qNNZYgLpsVB8rCHCXEyHFyIycRlRDNwkVfjQmACC2OW6AWCYCbfdjQhkF/t7+S3njj8wAWAocSs+Brw==}
-
   '@prisma/debug@6.14.0':
     resolution: {integrity: sha512-j4Lf+y+5QIJgQD4sJWSbkOD7geKx9CakaLp/TyTy/UDu9Wo0awvWCBH/BAxTHUaCpIl9USA5VS/KJhDqKJSwug==}
 
-  '@prisma/debug@6.16.0':
-    resolution: {integrity: sha512-bxzro5vbVqAPkWyDs2A6GpQtRZunD8tyrLmSAchx9u0b+gWCDY6eV+oh5A0YtYT9245dIxQBswckayHuJG4u3w==}
-
-  '@prisma/debug@6.19.0':
-    resolution: {integrity: sha512-8hAdGG7JmxrzFcTzXZajlQCidX0XNkMJkpqtfbLV54wC6LSSX6Vni25W/G+nAANwLnZ2TmwkfIuWetA7jJxJFA==}
-
-  '@prisma/debug@6.20.0-integration-next.8':
-    resolution: {integrity: sha512-PqUUFXf8MDoIrsKMzpF4NYqA3gHE8l/CUWVnYa4hNIbynCcEhvk7iT+6ve0u9w1TiGVUFnIVMuqFGEb2aHCuFw==}
-
-  '@prisma/driver-adapter-utils@6.16.0':
-    resolution: {integrity: sha512-dsRHvEnifJ3xqpMKGBy1jRwR8yc+7Ko4TcHrdTQJIfq6NYN2gNoOf0k91hcbzs5AH19wDxjuHXCveklWq5AJdA==}
-
-  '@prisma/driver-adapter-utils@6.20.0-integration-next.8':
-    resolution: {integrity: sha512-TXpFugr3sCl2bHechoG3p9mvlq2Z3GgA0Cp73lUOEWQyUuoG8NW/4UA56Ax1r5fBUAs9hKbr20Ld6wKCZhnz8Q==}
-
-  '@prisma/engines-version@4.9.0-42.ceb5c99003b99c9ee2c1d2e618e359c14aef2ea5':
-    resolution: {integrity: sha512-M16aibbxi/FhW7z1sJCX8u+0DriyQYY5AyeTH7plQm9MLnURoiyn3CZBqAyIoQ+Z1pS77usCIibYJWSgleBMBA==}
-
   '@prisma/engines-version@6.14.0-25.717184b7b35ea05dfa71a3236b7af656013e1e49':
     resolution: {integrity: sha512-EgN9ODJpiX45yvwcngoStp3uQPJ3l+AEVoQ6dMMO2QvmwIlnxfApzKmJQExzdo7/hqQANrz5txHJdGYHzOnGHA==}
 
-  '@prisma/engines-version@6.16.0-7.1c57fdcd7e44b29b9313256c76699e91c3ac3c43':
-    resolution: {integrity: sha512-ThvlDaKIVrnrv97ujNFDYiQbeMQpLa0O86HFA2mNoip4mtFqM7U5GSz2ie1i2xByZtvPztJlNRgPsXGeM/kqAA==}
-
-  '@prisma/engines-version@6.19.0-26.2ba551f319ab1df4bc874a89965d8b3641056773':
-    resolution: {integrity: sha512-gV7uOBQfAFlWDvPJdQxMT1aSRur3a0EkU/6cfbAC5isV67tKDWUrPauyaHNpB+wN1ebM4A9jn/f4gH+3iHSYSQ==}
-
-  '@prisma/engines-version@6.20.0-11.next-80ee0a44bf5668992b0c909c946a755b86b56c95':
-    resolution: {integrity: sha512-DqrQqRIgeocvWpgN7t9PymiJdV8ISSSrZCuilAtpKEaKIt4JUGIxsAdWNMRSHk188hYA2W1YFG5KvWUYBaCO1A==}
-
   '@prisma/engines@6.14.0':
     resolution: {integrity: sha512-LhJjqsALFEcoAtF07nSaOkVguaxw/ZsgfROIYZ8bAZDobe7y8Wy+PkYQaPOK1iLSsFgV2MhCO/eNrI1gdSOj6w==}
 
-  '@prisma/engines@6.16.0':
-    resolution: {integrity: sha512-RHJGCH/zi017W4CWYWqg0Sv1pquGGFVo8T3auJ9sodDNaiRzbeNldydjaQzszVS8nscdtcvLuJzy7e65C3puqQ==}
-
-  '@prisma/engines@6.19.0':
-    resolution: {integrity: sha512-pMRJ+1S6NVdXoB8QJAPIGpKZevFjxhKt0paCkRDTZiczKb7F4yTgRP8M4JdVkpQwmaD4EoJf6qA+p61godDokw==}
-
-  '@prisma/engines@6.20.0-integration-next.8':
-    resolution: {integrity: sha512-XdzTxN0PFLIW2DcprG9xlMy39FrsjxW5J2qtHQ58FBtbllHSZGD0pK2nzATw5dRh7nGhmX+uNA02cqHv5oND3A==}
-
   '@prisma/fetch-engine@6.14.0':
     resolution: {integrity: sha512-MPzYPOKMENYOaY3AcAbaKrfvXVlvTc6iHmTXsp9RiwCX+bPyfDMqMFVUSVXPYrXnrvEzhGHfyiFy0PRLHPysNg==}
 
-  '@prisma/fetch-engine@6.16.0':
-    resolution: {integrity: sha512-Mx5rml0XRIDizhB9eZxSP8c0nMoXYVITTiJJwxlWn9rNCel8mG8NAqIw+vJlN3gPR+kt3IBkP1SQVsplPPpYrA==}
-
-  '@prisma/fetch-engine@6.19.0':
-    resolution: {integrity: sha512-OOx2Lda0DGrZ1rodADT06ZGqHzr7HY7LNMaFE2Vp8dp146uJld58sRuasdX0OiwpHgl8SqDTUKHNUyzEq7pDdQ==}
-
-  '@prisma/fetch-engine@6.20.0-integration-next.8':
-    resolution: {integrity: sha512-zVNM5Q1hFclpqD1y7wujDzyc3l01S8ZMuP0Zddzuda4LOA7/F2enjro48VcD2/fxkBgzkkmO/quLOGnbQDKO7g==}
-
-  '@prisma/generator-helper@4.16.2':
-    resolution: {integrity: sha512-bMOH7y73Ui7gpQrioFeavMQA+Tf8ksaVf8Nhs9rQNzuSg8SSV6E9baczob0L5KGZTSgYoqnrRxuo03kVJYrnIg==}
-
   '@prisma/get-platform@6.14.0':
     resolution: {integrity: sha512-7VjuxKNwjnBhKfqPpMeWiHEa2sVjYzmHdl1slW6STuUCe9QnOY0OY1ljGSvz6wpG4U8DfbDqkG1yofd/1GINww==}
 
-  '@prisma/get-platform@6.16.0':
-    resolution: {integrity: sha512-eaJOOvAoGslSUTjiQrtE9E0hoBdfL43j8SymOGD6LbdrKRNtIoiy6qiBaEr2fNYD+R/Qns7QOwPhl7SVHJayKA==}
-
-  '@prisma/get-platform@6.19.0':
-    resolution: {integrity: sha512-ym85WDO2yDhC3fIXHWYpG3kVMBA49cL1XD2GCsCF8xbwoy2OkDQY44gEbAt2X46IQ4Apq9H6g0Ex1iFfPqEkHA==}
-
-  '@prisma/get-platform@6.20.0-integration-next.8':
-    resolution: {integrity: sha512-21jEfhFpC8FuvPD7JEf1Qu02engBCBa3+1il3UiyHKcKS3Kbp9IgR+DVqqrqSWIGJg8+1oTfF/3AgbjunaQ1Ag==}
-
   '@prisma/instrumentation@6.11.1':
     resolution: {integrity: sha512-mrZOev24EDhnefmnZX7WVVT7v+r9LttPRqf54ONvj6re4XMF7wFTpK2tLJi4XHB7fFp/6xhYbgRel8YV7gQiyA==}
     peerDependencies:
@@ -7108,13 +5564,6 @@ packages:
     peerDependencies:
       '@opentelemetry/api': ^1.8
 
-  '@prisma/studio-core-licensed@0.6.0':
-    resolution: {integrity: sha512-LNC8ohLosuWz6n9oKNqfR5Ep/JYiPavk4RxrU6inOS4LEvMQts8N+Vtt7NAB9i06BaiIRKnPsg1Hcaao5pRjSw==}
-    peerDependencies:
-      '@types/react': ^18.0.0 || ^19.0.0
-      react: ^18.0.0 || ^19.0.0
-      react-dom: ^18.0.0 || ^19.0.0
-
   '@protobuf-ts/runtime@2.11.1':
     resolution: {integrity: sha512-KuDaT1IfHkugM2pyz+FwiY80ejWrkH1pAtOBOZFuR6SXEFTsnb/jiQWQ1rCIrcKx2BtyxnxW6BWwsVSA/Ie+WQ==}
 
@@ -7124,20 +5573,20 @@ packages:
   '@protobufjs/base64@1.1.2':
     resolution: {integrity: sha512-AZkcAA5vnN/v4PDqKyMR5lx7hZttPDgClv83E//FMNhR2TMcLUhfRUBHCmSl0oi9zMgDDqRUJkSxO3wm85+XLg==}
 
-  '@protobufjs/codegen@2.0.4':
-    resolution: {integrity: sha512-YyFaikqM5sH0ziFZCN3xDC7zeGaB/d0IUb9CATugHWbd1FRFwWwt4ld4OYMPWu5a3Xe01mGAULCdqhMlPl29Jg==}
+  '@protobufjs/codegen@2.0.5':
+    resolution: {integrity: sha512-zgXFLzW3Ap33e6d0Wlj4MGIm6Ce8O89n/apUaGNB/jx+hw+ruWEp7EwGUshdLKVRCxZW12fp9r40E1mQrf/34g==}
 
-  '@protobufjs/eventemitter@1.1.0':
-    resolution: {integrity: sha512-j9ednRT81vYJ9OfVuXG6ERSTdEL1xVsNgqpkxMsbIabzSo3goCjDIveeGv5d03om39ML71RdmrGNjG5SReBP/Q==}
+  '@protobufjs/eventemitter@1.1.1':
+    resolution: {integrity: sha512-vW1GmwMZNnL+gMRaovlh9yZX74kc+TTU3FObkkurpMaRtBfLP3ldjS9KQWlwZgraRE0+dheEEoAxdzcJQ8eXZg==}
 
-  '@protobufjs/fetch@1.1.0':
-    resolution: {integrity: sha512-lljVXpqXebpsijW71PZaCYeIcE5on1w5DlQy5WH6GLbFryLUrBD4932W/E2BSpfRJWseIL4v/KPgBFxDOIdKpQ==}
+  '@protobufjs/fetch@1.1.1':
+    resolution: {integrity: sha512-GpptLrs57adMSuHi3VNj0mAF8dwh36LMaYF6XyJ6JMWlVsc+t42tm1HSEDmOs3A8fC9yyeisgLhsTVQokOZ0zw==}
 
   '@protobufjs/float@1.0.2':
     resolution: {integrity: sha512-Ddb+kVXlXst9d+R9PfTIxh1EdNkgoRe5tOX6t01f1lYWOvJnSPDBlG241QLzcyPdoNTsblLUdujGSE4RzrTZGQ==}
 
-  '@protobufjs/inquire@1.1.0':
-    resolution: {integrity: sha512-kdSefcPdruJiFMVSbn801t4vFK7KB/5gd2fYvrxhuJYg8ILrmn9SKSX2tZdV6V+ksulWqS7aXjBcRXl3wHoD9Q==}
+  '@protobufjs/inquire@1.1.2':
+    resolution: {integrity: sha512-pa0vFRuws4wkvaXKK1uXZMAwAX4/t8ANaJo45iw/oQHNQ9q5xUzwgFmVJGXiga2BeN+zpX7Vf9vmsiIa2J+MUw==}
 
   '@protobufjs/path@1.1.2':
     resolution: {integrity: sha512-6JOcJ5Tm08dOHAbdR3GrvP+yUUfkjG5ePsHYczMFLq3ZmMkAD98cDgcT2iA1lJ9NVwFd4tH/iSSoe44YWkltEA==}
@@ -7145,16 +5594,8 @@ packages:
   '@protobufjs/pool@1.1.0':
     resolution: {integrity: sha512-0kELaGSIDBKvcgS4zkjz1PeddatrjYcmMWOlAuAPwAeccUrPHdUqo/J6LiymHHEiJT5NrF1UVwxY14f+fy4WQw==}
 
-  '@protobufjs/utf8@1.1.0':
-    resolution: {integrity: sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==}
-
-  '@puppeteer/browsers@2.10.6':
-    resolution: {integrity: sha512-pHUn6ZRt39bP3698HFQlu2ZHCkS/lPcpv7fVQcGBSzNNygw171UXAKrCUhy+TEMw4lEttOKDgNpb04hwUAJeiQ==}
-    engines: {node: '>=18'}
-    hasBin: true
-
-  '@radix-ui/colors@1.0.1':
-    resolution: {integrity: sha512-xySw8f0ZVsAEP+e7iLl3EvcBXX7gsIlC1Zso/sPBW9gIWerBTgz6axrjU+MZ39wD+WFi5h5zdWpsg3+hwt2Qsg==}
+  '@protobufjs/utf8@1.1.1':
+    resolution: {integrity: sha512-oOAWABowe8EAbMyWKM0tYDKi8Yaox52D+HWZhAIJqQXbqe0xI/GV7FhLWqlEKreMkfDjshR5FKgi3mnle0h6Eg==}
 
   '@radix-ui/number@1.0.0':
     resolution: {integrity: sha512-Ofwh/1HX69ZfJRiRBMTy7rgjAzHmwe4kW9C9Y99HTRUcYLUuVT0KESFj15rPjRgKJs20GPq8Bm5aEDJ8DuA3vA==}
@@ -7162,18 +5603,12 @@ packages:
   '@radix-ui/number@1.0.1':
     resolution: {integrity: sha512-T5gIdVO2mmPW3NNhjNgEP3cqMXjXL9UbO0BzWcXfvdBs+BohbQxvd/K5hSVKmn9/lbTdsQVKbUcP5WLCwvUbBg==}
 
-  '@radix-ui/number@1.1.0':
-    resolution: {integrity: sha512-V3gRzhVNU1ldS5XhAPTom1fOIo4ccrjjJgmE+LI2h/WaFpHmx0MQApT+KZHnx8abG6Avtfcz4WoEciMnpFT3HQ==}
-
   '@radix-ui/primitive@1.0.0':
     resolution: {integrity: sha512-3e7rn8FDMin4CgeL7Z/49smCA3rFYY3Ha2rUQ7HRWFadS5iCRw08ZgVT1LaNTCNqgvrUiyczLflrVrF0SRQtNA==}
 
   '@radix-ui/primitive@1.0.1':
     resolution: {integrity: sha512-yQ8oGX2GVsEYMWGxcovu1uGWPCxV5BFfeeYxqPmuAzUyLT9qmaMXSAhXpb0WrspIeqYzdJpkh2vHModJPgRIaw==}
 
-  '@radix-ui/primitive@1.1.0':
-    resolution: {integrity: sha512-4Z8dn6Upk0qk4P74xBhZ6Hd/w0mPEzOOLxy4xiPXOXqjF7jZS0VAKk7/x/H6FyY2zCkYJqePf1G5KmkmNJ4RBA==}
-
   '@radix-ui/primitive@1.1.2':
     resolution: {integrity: sha512-XnbHrrprsNqZKQhStrSwgRUQzoCI1glLzdw79xiZPoofhGICeZRSQ3dIxAKH1gb3OHfNf4d6f+vAv3kil2eggA==}
 
@@ -7209,52 +5644,13 @@ packages:
       react: ^16.8 || ^17.0 || ^18.0
       react-dom: ^16.8 || ^17.0 || ^18.0
 
-  '@radix-ui/react-arrow@1.0.3':
-    resolution: {integrity: sha512-wSP+pHsB/jQRaL6voubsQ/ZlrGBHHrOjmBnr19hxYgtS0WvAFwZhK2WP/YY5yF9uKECCEEDGxuLxq1NBK51wFA==}
+  '@radix-ui/react-collapsible@1.1.11':
+    resolution: {integrity: sha512-2qrRsVGSCYasSz1RFOorXwl0H7g7J1frQtgpQgYrt+MOidtPAINHn9CPovQXb83r8ahapdx3Tu0fa/pdFFSdPg==}
     peerDependencies:
       '@types/react': '*'
       '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0
-      react-dom: ^16.8 || ^17.0 || ^18.0
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
-  '@radix-ui/react-avatar@1.1.3':
-    resolution: {integrity: sha512-Paen00T4P8L8gd9bNsRMw7Cbaz85oxiv+hzomsRZgFm2byltPFDtfcoqlWJ8GyZlIBWgLssJlzLCnKU0G0302g==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-      react-dom: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
-  '@radix-ui/react-collapsible@1.0.3':
-    resolution: {integrity: sha512-UBmVDkmR6IvDsloHVN+3rtx4Mi5TFvylYXpluuv0f37dtaz3H99bp8No0LGXRigVpl3UAT4l9j6bIchh42S/Gg==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0
-      react-dom: ^16.8 || ^17.0 || ^18.0
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
-  '@radix-ui/react-collapsible@1.1.11':
-    resolution: {integrity: sha512-2qrRsVGSCYasSz1RFOorXwl0H7g7J1frQtgpQgYrt+MOidtPAINHn9CPovQXb83r8ahapdx3Tu0fa/pdFFSdPg==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-      react-dom: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
+      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
+      react-dom: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
     peerDependenciesMeta:
       '@types/react':
         optional: true
@@ -7307,24 +5703,6 @@ packages:
       '@types/react':
         optional: true
 
-  '@radix-ui/react-compose-refs@1.1.0':
-    resolution: {integrity: sha512-b4inOtiaOnYf9KWyO3jAeeCG6FeyfY6ldiEPanbUjWd+xIk5wZeHa8yVwmrJ2vderhu/BQvzCrJI0lHd+wIiqw==}
-    peerDependencies:
-      '@types/react': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-
-  '@radix-ui/react-compose-refs@1.1.1':
-    resolution: {integrity: sha512-Y9VzoRDSJtgFMUCoiZBDVo084VQ5hfpXxVE+NgkdNsjiDBByiImMZKKhxMwCbdHvhlENG6a833CbFkOQvTricw==}
-    peerDependencies:
-      '@types/react': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-
   '@radix-ui/react-compose-refs@1.1.2':
     resolution: {integrity: sha512-z4eqJvfiNnFMHIIvXP3CY57y2WJs5g2v3X0zm9mEJkrkNv4rDxu+sg9Jh8EkXyeqBkB7SOcboo9dMVqhyrACIg==}
     peerDependencies:
@@ -7348,15 +5726,6 @@ packages:
       '@types/react':
         optional: true
 
-  '@radix-ui/react-context@1.1.1':
-    resolution: {integrity: sha512-UASk9zi+crv9WteK/NU4PLvOoL3OuE6BWVKNF6hPRBtYBDXQ2u5iu3O59zUlJiTVvkyuycnqrztsHVJwcK9K+Q==}
-    peerDependencies:
-      '@types/react': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-
   '@radix-ui/react-context@1.1.2':
     resolution: {integrity: sha512-jCi/QKUM2r1Ju5a3J64TH2A5SpKAgh0LpknyqdQ4m6DCV0xJ2HG1xARRwNGPQfi1SLdLWZ1OJz6F4OMBBNiGJA==}
     peerDependencies:
@@ -7399,15 +5768,6 @@ packages:
       '@types/react':
         optional: true
 
-  '@radix-ui/react-direction@1.1.0':
-    resolution: {integrity: sha512-BUuBvgThEiAXh2DWu93XsT+a3aWrGqolGlqqw5VU1kG7p/ZH2cuDlM1sRLNnY3QcBS69UIz2mcKhMxDsdewhjg==}
-    peerDependencies:
-      '@types/react': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-
   '@radix-ui/react-direction@1.1.1':
     resolution: {integrity: sha512-1UEWRX6jnOA2y4H5WczZ44gOOjTEmlqv1uNW4GAJEO5+bauCBhv8snY65Iw5/VOS/ghKN9gr2KjnLKxrsvoMVw==}
     peerDependencies:
@@ -7436,19 +5796,6 @@ packages:
       '@types/react-dom':
         optional: true
 
-  '@radix-ui/react-dismissable-layer@1.0.5':
-    resolution: {integrity: sha512-aJeDjQhywg9LBu2t/At58hCvr7pEm0o2Ke1x33B+MhjNmmZ17sy4KImo0KPLgsnc/zN7GPdce8Cnn0SWvwZO7g==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0
-      react-dom: ^16.8 || ^17.0 || ^18.0
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
   '@radix-ui/react-focus-guards@1.0.0':
     resolution: {integrity: sha512-UagjDk4ijOAnGu4WMUPj9ahi7/zJJqNZ9ZAiGPp7waUWJO0O1aWXi/udPphI0IUjvrhBsZJGSN66dR2dsueLWQ==}
     peerDependencies:
@@ -7482,24 +5829,6 @@ packages:
       '@types/react-dom':
         optional: true
 
-  '@radix-ui/react-focus-scope@1.0.4':
-    resolution: {integrity: sha512-sL04Mgvf+FmyvZeYfNu1EPAaaxD+aw7cYeIB9L9Fvq8+urhltTRaEo5ysKOpHuKPclsZcSUMKlN05x4u+CINpA==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0
-      react-dom: ^16.8 || ^17.0 || ^18.0
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
-  '@radix-ui/react-icons@1.3.0':
-    resolution: {integrity: sha512-jQxj/0LKgp+j9BiTXz3O3sgs26RNet2iLWmsPyRz2SIcR4q/4SbazXfnYwbAr+vLYKSfc7qxzyGQA1HLlYiuNw==}
-    peerDependencies:
-      react: ^16.x || ^17.x || ^18.x
-
   '@radix-ui/react-id@1.0.0':
     resolution: {integrity: sha512-Q6iAB/U7Tq3NTolBBQbHTgclPmGWE3OlktGGqrClPozSw4vkQ1DfQAOtzgRPecKsMdJINE05iaoDUG8tRzCBjw==}
     peerDependencies:
@@ -7535,51 +5864,12 @@ packages:
       react: ^16.8 || ^17.0 || ^18.0
       react-dom: ^16.8 || ^17.0 || ^18.0
 
-  '@radix-ui/react-popover@1.0.7':
-    resolution: {integrity: sha512-shtvVnlsxT6faMnK/a7n0wptwBD23xc1Z5mdrtKLwVEfsEMXodS0r5s0/g5P0hX//EKYZS2sxUjqfzlg52ZSnQ==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0
-      react-dom: ^16.8 || ^17.0 || ^18.0
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
   '@radix-ui/react-popper@1.1.1':
     resolution: {integrity: sha512-keYDcdMPNMjSC8zTsZ8wezUMiWM9Yj14wtF3s0PTIs9srnEPC9Kt2Gny1T3T81mmSeyDjZxsD9N5WCwNNb712w==}
     peerDependencies:
       react: ^16.8 || ^17.0 || ^18.0
       react-dom: ^16.8 || ^17.0 || ^18.0
 
-  '@radix-ui/react-popper@1.1.2':
-    resolution: {integrity: sha512-1CnGGfFi/bbqtJZZ0P/NQY20xdG3E0LALJaLUEoKwPLwl6PPPfbeiCqMVQnhoFRAxjJj4RpBRJzDmUgsex2tSg==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0
-      react-dom: ^16.8 || ^17.0 || ^18.0
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
-  '@radix-ui/react-popper@1.1.3':
-    resolution: {integrity: sha512-cKpopj/5RHZWjrbF2846jBNacjQVwkP068DfmgrNJXpvVWrOvlAmE9xSiy5OqeE+Gi8D9fP+oDhUnPqNMY8/5w==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0
-      react-dom: ^16.8 || ^17.0 || ^18.0
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
   '@radix-ui/react-portal@1.0.2':
     resolution: {integrity: sha512-swu32idoCW7KA2VEiUZGBSu9nB6qwGdV6k6HYhUoOo3M1FFpD+VgLzUqtt3mwL1ssz7r2x8MggpLSQach2Xy/Q==}
     peerDependencies:
@@ -7599,19 +5889,6 @@ packages:
       '@types/react-dom':
         optional: true
 
-  '@radix-ui/react-portal@1.0.4':
-    resolution: {integrity: sha512-Qki+C/EuGUVCQTOTD5vzJzJuMUlewbzuKyUy+/iHM2uwGiru9gZeBJtHAPKAEkB5KWGi9mP/CHKcY0wt1aW45Q==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0
-      react-dom: ^16.8 || ^17.0 || ^18.0
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
   '@radix-ui/react-portal@1.1.9':
     resolution: {integrity: sha512-bpIxvq03if6UNwXZ+HTK71JLh4APvnXntDc6XOX8UVq4XQOVl7lwok0AvIl+b8zgCw3fSaVTZMpAPPagXbKmHQ==}
     peerDependencies:
@@ -7644,19 +5921,6 @@ packages:
       '@types/react-dom':
         optional: true
 
-  '@radix-ui/react-presence@1.1.1':
-    resolution: {integrity: sha512-IeFXVi4YS1K0wVZzXNrbaaUvIJ3qdY+/Ih4eHFhWA9SwGR9UDX7Ck8abvL57C4cv3wwMvUE0OG69Qc3NCcTe/A==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-      react-dom: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
   '@radix-ui/react-presence@1.1.4':
     resolution: {integrity: sha512-ueDqRbdc4/bkaQT3GIpLQssRlFgWaL/U2z/S31qRwwLWoxHLgry3SIfCwhxeQNbirEUXFa+lq3RL3oBYXtcmIA==}
     peerDependencies:
@@ -7689,45 +5953,6 @@ packages:
       '@types/react-dom':
         optional: true
 
-  '@radix-ui/react-primitive@2.0.0':
-    resolution: {integrity: sha512-ZSpFm0/uHa8zTvKBDjLFWLo8dkr4MBsiDLz0g3gMUwqgLHz9rTaRRGYDgvZPtBJgYCBKXkS9fzmoySgr8CO6Cw==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-      react-dom: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
-  '@radix-ui/react-primitive@2.0.1':
-    resolution: {integrity: sha512-sHCWTtxwNn3L3fH8qAfnF3WbUZycW93SM1j3NFDzXBiz8D6F5UTTy8G1+WFEaiCdvCVRJWj6N2R4Xq6HdiHmDg==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-      react-dom: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
-  '@radix-ui/react-primitive@2.0.2':
-    resolution: {integrity: sha512-Ec/0d38EIuvDF+GZjcMU/Ze6MxntVJYO/fRlCPhCaVUyPY9WTalHJw54tp9sXeJo3tlShWpy41vQRgLRGOuz+w==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-      react-dom: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
   '@radix-ui/react-primitive@2.1.3':
     resolution: {integrity: sha512-m9gTwRkhy2lvCPe6QJp4d3G1TYEUHn/FzJUtq9MjH46an1wJU+GdoGC5VLof8RX8Ft/DlpshApkhswDLZzHIcQ==}
     peerDependencies:
@@ -7741,19 +5966,6 @@ packages:
       '@types/react-dom':
         optional: true
 
-  '@radix-ui/react-progress@1.1.1':
-    resolution: {integrity: sha512-6diOawA84f/eMxFHcWut0aE1C2kyE9dOyCTQOMRR2C/qPiXz/X0SaiA/RLbapQaXUCmy0/hLMf9meSccD1N0pA==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-      react-dom: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
   '@radix-ui/react-radio-group@1.1.3':
     resolution: {integrity: sha512-x+yELayyefNeKeTx4fjK6j99Fs6c4qKm3aY38G3swQVTN6xMpsrbigC0uHs2L//g8q4qR7qOcww8430jJmi2ag==}
     peerDependencies:
@@ -7786,19 +5998,6 @@ packages:
       '@types/react-dom':
         optional: true
 
-  '@radix-ui/react-scroll-area@1.2.0':
-    resolution: {integrity: sha512-q2jMBdsJ9zB7QG6ngQNzNwlvxLQqONyL58QbEGwuyRZZb/ARQwk3uQVbCF7GvQVOtV6EU/pDxAw3zRzJZI3rpQ==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-      react-dom: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
   '@radix-ui/react-select@1.2.1':
     resolution: {integrity: sha512-GULRMITaOHNj79BZvQs3iZO0+f2IgI8g5HDhMi7Bnc13t7IlG86NFtOCfTLme4PNZdEtU+no+oGgcl6IFiphpQ==}
     peerDependencies:
@@ -7832,33 +6031,6 @@ packages:
       '@types/react':
         optional: true
 
-  '@radix-ui/react-slot@1.1.0':
-    resolution: {integrity: sha512-FUCf5XMfmW4dtYl69pdS4DbxKy8nj4M7SafBgPllysxmdachynNflAdp/gCsnYWNDnge6tI9onzMp5ARYc1KNw==}
-    peerDependencies:
-      '@types/react': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-
-  '@radix-ui/react-slot@1.1.1':
-    resolution: {integrity: sha512-RApLLOcINYJA+dMVbOju7MYv1Mb2EBp2nH4HdDzXTSyaR5optlm6Otrz1euW3HbdOR8UmmFK06TD+A9frYWv+g==}
-    peerDependencies:
-      '@types/react': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-
-  '@radix-ui/react-slot@1.1.2':
-    resolution: {integrity: sha512-YAKxaiGsSQJ38VzKH86/BPRC4rh+b1Jpa+JneA5LRE7skmLPNAyeG8kPJj/oo4STLvlrs8vkf/iYyc3A5stYCQ==}
-    peerDependencies:
-      '@types/react': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-
   '@radix-ui/react-slot@1.2.3':
     resolution: {integrity: sha512-aeNmHnBxbi2St0au6VBVC7JXFlhLlOnvIIlePNniyUNAClzmtAUEY8/pBiK3iHjufOlwA+c20/8jngo7xcrg8A==}
     peerDependencies:
@@ -7887,51 +6059,12 @@ packages:
       react: ^16.8 || ^17.0 || ^18.0
       react-dom: ^16.8 || ^17.0 || ^18.0
 
-  '@radix-ui/react-toggle-group@1.0.4':
-    resolution: {integrity: sha512-Uaj/M/cMyiyT9Bx6fOZO0SAG4Cls0GptBWiBmBxofmDbNVnYYoyRWj/2M/6VCi/7qcXFWnHhRUfdfZFvvkuu8A==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0
-      react-dom: ^16.8 || ^17.0 || ^18.0
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
-  '@radix-ui/react-toggle@1.0.3':
-    resolution: {integrity: sha512-Pkqg3+Bc98ftZGsl60CLANXQBBQ4W3mTFS9EJvNxKMZ7magklKV69/id1mlAlOFDDfHvlCms0fx8fA4CMKDJHg==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0
-      react-dom: ^16.8 || ^17.0 || ^18.0
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
   '@radix-ui/react-tooltip@1.0.5':
     resolution: {integrity: sha512-cDKVcfzyO6PpckZekODJZDe5ZxZ2fCZlzKzTmPhe4mX9qTHRfLcKgqb0OKf22xLwDequ2tVleim+ZYx3rabD5w==}
     peerDependencies:
       react: ^16.8 || ^17.0 || ^18.0
       react-dom: ^16.8 || ^17.0 || ^18.0
 
-  '@radix-ui/react-tooltip@1.0.6':
-    resolution: {integrity: sha512-DmNFOiwEc2UDigsYj6clJENma58OelxD24O4IODoZ+3sQc3Zb+L8w1EP+y9laTuKCLAysPw4fD6/v0j4KNV8rg==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0
-      react-dom: ^16.8 || ^17.0 || ^18.0
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
   '@radix-ui/react-use-callback-ref@1.0.0':
     resolution: {integrity: sha512-GZtyzoHz95Rhs6S63D2t/eqvdFCm7I+yHMLVQheKM7nBD8mbZIt+ct1jz4536MDnaOGKIxynJ8eHTkVGVVkoTg==}
     peerDependencies:
@@ -7946,15 +6079,6 @@ packages:
       '@types/react':
         optional: true
 
-  '@radix-ui/react-use-callback-ref@1.1.0':
-    resolution: {integrity: sha512-CasTfvsy+frcFkbXtSJ2Zu9JHpN8TYKxkgJGWbjiZhFivxaeW7rMeZt7QELGVLaYVfFMsKHjb7Ak0nMEe+2Vfw==}
-    peerDependencies:
-      '@types/react': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-
   '@radix-ui/react-use-controllable-state@1.0.0':
     resolution: {integrity: sha512-FohDoZvk3mEXh9AWAVyRTYR4Sq7/gavuofglmiXB2g1aKyboUD4YtgWxKj8O5n+Uak52gXQ4wKz5IFST4vtJHg==}
     peerDependencies:
@@ -8015,15 +6139,6 @@ packages:
       '@types/react':
         optional: true
 
-  '@radix-ui/react-use-layout-effect@1.1.0':
-    resolution: {integrity: sha512-+FPE0rOdziWSrH9athwI1R0HDVbWlEhd+FR+aSDk4uWGmSJ9Z54sdZVDQPZAinJhJXwfT+qnj969mCsT2gfm5w==}
-    peerDependencies:
-      '@types/react': '*'
-      react: ^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-
   '@radix-ui/react-use-layout-effect@1.1.1':
     resolution: {integrity: sha512-RbJRS4UWQFkzHTTwVymMTUv8EqYhOp8dOOviLj2ugtTiXRaRQS7GLGxZTLL1jWhMeoSCf5zmcZkqTl9IiYfXcQ==}
     peerDependencies:
@@ -8052,15 +6167,6 @@ packages:
     peerDependencies:
       react: ^16.8 || ^17.0 || ^18.0
 
-  '@radix-ui/react-use-rect@1.0.1':
-    resolution: {integrity: sha512-Cq5DLuSiuYVKNU8orzJMbl15TXilTnJKUCltMVQg53BQOF1/C5toAaGrowkgksdBQ9H+SRL23g0HDmg9tvmxXw==}
-    peerDependencies:
-      '@types/react': '*'
-      react: ^16.8 || ^17.0 || ^18.0
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-
   '@radix-ui/react-use-size@1.0.0':
     resolution: {integrity: sha512-imZ3aYcoYCKhhgNpkNDh/aTiU05qw9hX+HHI1QDBTyIlcFjgeFlKKySNGMwTp7nYFLQg/j0VA2FmCY4WPDDHMg==}
     peerDependencies:
@@ -8081,30 +6187,9 @@ packages:
       react: ^16.8 || ^17.0 || ^18.0
       react-dom: ^16.8 || ^17.0 || ^18.0
 
-  '@radix-ui/react-visually-hidden@1.0.3':
-    resolution: {integrity: sha512-D4w41yN5YRKtu464TLnByKzMDG/JlMPHtfZgQAu9v6mNakUqGUI9vUrfQKz8NK41VMm/xbZbh76NUTVtIYqOMA==}
-    peerDependencies:
-      '@types/react': '*'
-      '@types/react-dom': '*'
-      react: ^16.8 || ^17.0 || ^18.0
-      react-dom: ^16.8 || ^17.0 || ^18.0
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      '@types/react-dom':
-        optional: true
-
   '@radix-ui/rect@1.0.0':
     resolution: {integrity: sha512-d0O68AYy/9oeEy1DdC07bz1/ZXX+DqCskRd3i4JzLSTXwefzaepQrKjXC7aNM8lTHjFLDO0pDgaEiQ7jEk+HVg==}
 
-  '@radix-ui/rect@1.0.1':
-    resolution: {integrity: sha512-fyrgCaedtvMg9NK3en0pnOYJdtfwxUcNolezkNPUsoX57X8oQk+NkqcvzHXD2uKNij6GXmWU9NDru2IWjrO4BQ==}
-
-  '@react-aria/breadcrumbs@3.5.16':
-    resolution: {integrity: sha512-OXLKKu4SmjnSaSHkk4kow5/aH/SzlHWPJt+Uq3xec9TwDOr/Ob8aeFVGFoY0HxfGozuQlUz+4e+d29vfA0jNWg==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/breadcrumbs@3.5.9':
     resolution: {integrity: sha512-asbXTL5NjeHl1+YIF0K70y8tNHk8Lb6VneYH8yOkpLO49ejyNDYBK0tp0jtI9IZAQiTa2qkhYq58c9LloTwebQ==}
     peerDependencies:
@@ -8115,17 +6200,6 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/button@3.9.8':
-    resolution: {integrity: sha512-MdbMQ3t5KSCkvKtwYd/Z6sgw0v+r1VQFRYOZ4L53xOkn+u140z8vBpNeWKZh/45gxGv7SJn9s2KstLPdCWmIxw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-aria/calendar@3.5.11':
-    resolution: {integrity: sha512-VLhBovLVu3uJXBkHbgEippmo/K58QLcc/tSJQ0aJUNyHsrvPgHEcj484cb+Uj/yOirXEIzaoW6WEvhcdKrb49Q==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/calendar@3.5.4':
     resolution: {integrity: sha512-8k7khgea5kwfWriZJWCADNB0R2d7g5A6tTjUEktK4FFZcTb0RCubFejts4hRyzKlF9XHUro2dfh6sbZrzfMKDQ==}
     peerDependencies:
@@ -8137,29 +6211,12 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/checkbox@3.14.6':
-    resolution: {integrity: sha512-LICY1PR3WsW/VbuLMjZbxo75+poeo3XCXGcUnk6hxMlWfp/Iy/XHVsHlGu9stRPKRF8BSuOGteaHWVn6IXfwtA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-aria/combobox@3.10.3':
-    resolution: {integrity: sha512-EdDwr2Rp1xy7yWjOYHt2qF1IpAtUrkaNKZJzlIw1XSwcqizQY6E8orNPdZr6ZwD6/tgujxF1N71JTKyffrR0Xw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/combobox@3.8.2':
     resolution: {integrity: sha512-q8Kdw1mx6nSSydXqRagRuyKH1NPGvpSOFjUfgxdO8ZqaEEuZX3ObOoiO/DLtXDndViNc03dMbMpfuJoLYXfCtg==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
       react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/datepicker@3.11.2':
-    resolution: {integrity: sha512-6sbLln3VXSBcBRDgSACBzIzF/5KV5NlNOhZvXPFE6KqFw6GbevjZQTv5BNDXiwA3CQoawIRF7zgRvTANw8HkNA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/datepicker@3.9.1':
     resolution: {integrity: sha512-bdlY2H/zwe3hQf64Lp1oGTf7Va8ennDyAv4Ffowb+BOoL8+FB9smtGyONKe87zXu7VJL2M5xYAi4n7c004PM+w==}
     peerDependencies:
@@ -8172,50 +6229,22 @@ packages:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
       react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/dialog@3.5.17':
-    resolution: {integrity: sha512-lvfEgaqg922J1hurscqCS600OZQVitGtdpo81kAefJaUzMnCxzrYviyT96aaW0simHOlimbYF5js8lxBLZJRaw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/dnd@3.5.1':
     resolution: {integrity: sha512-7OPGePdle+xNYHAIAUOvIETRMfnkRt7h/C0bCkxUR2GYefEbTzfraso4ppNH2JZ7fCRd0K/Qe+jvQklwusHAKA==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
       react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/dnd@3.7.2':
-    resolution: {integrity: sha512-NuE3EGqoBbe9aXAO9mDfbu4kMO7S4MCgkjkCqYi16TWfRUf38ajQbIlqodCx91b3LVN3SYvNbE3D4Tj5ebkljw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/focus@3.16.0':
     resolution: {integrity: sha512-GP6EYI07E8NKQQcXHjpIocEU0vh0oi0Vcsd+/71fKS0NnTR0TUOEeil0JuuQ9ymkmPDTu51Aaaa4FxVsuN/23A==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/focus@3.18.2':
-    resolution: {integrity: sha512-Jc/IY+StjA3uqN73o6txKQ527RFU7gnG5crEl5Xy3V+gbYp2O5L3ezAo/E0Ipi2cyMbG6T5Iit1IDs7hcGu8aw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/form@3.0.1':
     resolution: {integrity: sha512-6586oODMDR4/ciGRwXjpvEAg7tWGSDrXE//waK0n5e5sMuzlPOo1DHc5SpPTvz0XdJsu6VDt2rHdVWVIC9LEyw==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/form@3.0.8':
-    resolution: {integrity: sha512-8S2QiyUdAgK43M3flohI0R+2rTyzH088EmgeRArA8euvJTL16cj/oSOKMEgWVihjotJ9n6awPb43ZhKboyNsMg==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-aria/grid@3.10.3':
-    resolution: {integrity: sha512-l0r9mz05Gwjq3t6JOTNQOf+oAoWN0bXELPJtIr8m0XyXMPFCQe1xsTaX8igVQdrDmXyBc75RAWS0BJo2JF2fIA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/grid@3.8.6':
     resolution: {integrity: sha512-JlQDkdm5heG1FfRyy5KnB8b6s/hRqSI6Xt2xN2AccLX5kcbfFr2/d5KVxyf6ahfa4Gfd46alN6477ju5eTWJew==}
     peerDependencies:
@@ -8228,37 +6257,16 @@ packages:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
       react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/gridlist@3.9.3':
-    resolution: {integrity: sha512-bb9GnKKeuL6NljoVUcHxr9F0cy/2WDOXRYeMikTnviRw6cuX95oojrhFfCUvz2d6ID22Btrvh7LkE+oIPVuc+g==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/i18n@3.10.0':
     resolution: {integrity: sha512-sviD5Y1pLPG49HHRmVjR+5nONrp0HK219+nu9Y7cDfUhXu2EjyhMS9t/n9/VZ69hHChZ2PnHYLEE2visu9CuCg==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/i18n@3.12.2':
-    resolution: {integrity: sha512-PvEyC6JWylTpe8dQEWqQwV6GiA+pbTxHQd//BxtMSapRW3JT9obObAnb/nFhj3HthkUvqHyj0oO1bfeN+mtD8A==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/interactions@3.20.1':
     resolution: {integrity: sha512-PLNBr87+SzRhe9PvvF9qvzYeP4ofTwfKSorwmO+hjr3qoczrSXf4LRQlb27wB6hF10C7ZE/XVbUI1lj4QQrZ/g==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/interactions@3.22.2':
-    resolution: {integrity: sha512-xE/77fRVSlqHp2sfkrMeNLrqf2amF/RyuAS6T5oDJemRSgYM3UoxTbWjucPhfnoW7r32pFPHHgz4lbdX8xqD/g==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-aria/label@3.7.11':
-    resolution: {integrity: sha512-REgejE5Qr8cXG/b8H2GhzQmjQlII/0xQW/4eDzydskaTLvA7lF5HoJUE6biYTquH5va38d8XlH465RPk+bvHzA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/label@3.7.4':
     resolution: {integrity: sha512-3Y0yyrqpLzZdzHw+TOyzwuyx5wa2ujU5DGfKuL5GFnU9Ii4DtdwBGSYS7Yu7qadU+eQmG4OGhAgFVswbIgIwJw==}
     peerDependencies:
@@ -8269,46 +6277,21 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/link@3.7.4':
-    resolution: {integrity: sha512-E8SLDuS9ssm/d42+3sDFNthfMcNXMUrT2Tq1DIZt22EsMcuEzmJ9B0P7bDP5RgvIw05xVGqZ20nOpU4mKTxQtA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/listbox@3.11.3':
     resolution: {integrity: sha512-PBrnldmyEYUUJvfDeljW8ITvZyBTfGpLNf0b5kfBPK3TDgRH4niEH2vYEcaZvSqb0FrpdvcunuTRXcOpfb+gCQ==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
       react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/listbox@3.13.3':
-    resolution: {integrity: sha512-htluPyDfFtn66OEYaJdIaFCYH9wGCNk30vOgZrQkPul9F9Cjce52tTyPVR0ERsf14oCUsjjS5qgeq3dGidRqEw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/live-announcer@3.3.1':
     resolution: {integrity: sha512-hsc77U7S16trM86d+peqJCOCQ7/smO1cybgdpOuzXyiwcHQw8RQ4GrXrS37P4Ux/44E9nMZkOwATQRT2aK8+Ew==}
 
-  '@react-aria/live-announcer@3.3.4':
-    resolution: {integrity: sha512-w8lxs35QrRrn6pBNzVfyGOeqWdxeVKf9U6bXIVwhq7rrTqRULL8jqy8RJIMfIs1s8G5FpwWYjyBOjl2g5Cu1iA==}
-
   '@react-aria/menu@3.12.0':
     resolution: {integrity: sha512-Nsujv3b61WR0gybDKnBjAeyxDVJOfPLMggRUf9SQDfPWnrPXEsAFxaPaVcAkzlfI4HiQs1IxNwsKFNpc3PPZTQ==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
       react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/menu@3.15.3':
-    resolution: {integrity: sha512-vvUmVjJwIg3h2r+7isQXTwlmoDlPAFBckHkg94p3afrT1kNOTHveTsaVl17mStx/ymIioaAi3PrIXk/PZXp1jw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-aria/meter@3.4.16':
-    resolution: {integrity: sha512-hJqKnEE6mmK2Psx5kcI7NZ44OfTg0Bp7DatQSQ4zZE4yhnykRRwxqSKjze37tPR63cCqgRXtQ5LISfBfG54c0Q==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/meter@3.4.9':
     resolution: {integrity: sha512-1/FHFmFmSyfQBJ2oH152lp4nps76v1UdhnFbIsmRIH+0g0IfMv1yDT2M9dIZ/b9DgVZSx527FmWOXm0eHGKD6w==}
     peerDependencies:
@@ -8320,29 +6303,12 @@ packages:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
       react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/numberfield@3.11.6':
-    resolution: {integrity: sha512-nvEWiQcWRwj6O2JXmkXEeWoBX/GVZT9zumFJcew3XknGTWJUr3h2AOymIQFt9g4mpag8IgOFEpSIlwhtZHdp1A==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/overlays@3.20.0':
     resolution: {integrity: sha512-2m7MpRJL5UucbEuu08lMHsiFJoDowkJV4JAIFBZYK1NzVH0vF/A+w9HRNM7jRwx2DUxE+iIsZnl8yKV/7KY8OQ==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
       react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/overlays@3.23.2':
-    resolution: {integrity: sha512-vjlplr953YAuJfHiP4O+CyrTlr6OaFgXAGrzWq4MVMjnpV/PT5VRJWYFHR0sUGlHTPqeKS4NZbi/xCSgl/3pGQ==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-aria/progress@3.4.16':
-    resolution: {integrity: sha512-RbDIFQg4+/LG+KYZeLAijt2zH7K2Gp0CY9RKWdho3nU5l3/w57Fa7NrfDGWtpImrt7bR2nRmXMA6ESfr7THfrg==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/progress@3.4.9':
     resolution: {integrity: sha512-CME1ZLsJHOmSgK8IAPOC/+vYO5Oc614mkEw5MluT/yclw5rMyjAkK1XsHLjEXy81uwPeiRyoQQIMPKG2/sMxFQ==}
     peerDependencies:
@@ -8353,60 +6319,28 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/radio@3.10.7':
-    resolution: {integrity: sha512-o2tqIe7xd1y4HeCBQfz/sXIwLJuI6LQbVoCQ1hgk/5dGhQ0LiuXohRYitGRl9zvxW8jYdgLULmOEDt24IflE8A==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/searchfield@3.7.1':
     resolution: {integrity: sha512-ebhnV/reNByIZzpcQLHIo1RQ+BrYS8HdwX624i9R7dep1gxGHXYEaqL9aSY+RdngNerB4OeiWmB75em9beSpjQ==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/searchfield@3.7.8':
-    resolution: {integrity: sha512-SsF5xwH8Us548QgzivvbM7nhFbw7pu23xnRRIuhlP3MwOR3jRUFh17NKxf3Z0jvrDv/u0xfm3JKHIgaUN0KJ2A==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/select@3.14.1':
     resolution: {integrity: sha512-pAy/+Xbj11Lx6bi/O1hWH0NSIDRxFb6V7N0ry2L8x7MALljh516VbpnAc5RgvbjbuKq0cHUAcdINOzOzpYWm4A==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
       react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/select@3.14.9':
-    resolution: {integrity: sha512-tiNgMyA2G9nKnFn3pB/lMSgidNToxSFU7r6l4OcG+Vyr63J7B/3dF2lTXq8IYhlfOR3K3uQkjroSx52CmC3NDw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/selection@3.17.3':
     resolution: {integrity: sha512-xl2sgeGH61ngQeE05WOWWPVpGRTPMjQEFmsAWEprArFi4Z7ihSZgpGX22l1w7uSmtXM/eN/v0W8hUYUju5iXlQ==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
       react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/selection@3.19.3':
-    resolution: {integrity: sha512-GYoObXCXlmGK08hp7Qfl6Bk0U+bKP5YDWSsX+MzNjJsqzQSLm4S06tRB9ACM7gIo9dDCvL4IRxdSYTJAlJc6bw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/separator@3.3.9':
     resolution: {integrity: sha512-1wEXiaSJjq2+DR5TC0RKnUBsfZN+YXTzyI7XMzjQoc3YlclumX8wQtzPAOGOEjHB1JKUgo1Gw70FtupVXz58QQ==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/separator@3.4.2':
-    resolution: {integrity: sha512-Xql9Kg3VlGesEUC7QheE+L5b3KgBv0yxiUU+/4JP8V2vfU/XSz4xmprHEeq7KVQVOetn38iiXU8gA5g26SEsUA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-aria/slider@3.7.11':
-    resolution: {integrity: sha512-2WAwjANXPsA2LHJ5nxxV4c7ihFAzz2spaBz8+FJ7MDYE7WroYnE8uAXElea1aGo+Lk0DTiAdepLpBkggqPNanw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/slider@3.7.4':
     resolution: {integrity: sha512-OFJWeGSL2duVDFs/kcjlWsY6bqCVKZgM0aFn2QN4wmID+vfBvBnqGHAgWv3BCePTAPS3+GBjMN002TrftorjwQ==}
     peerDependencies:
@@ -8418,493 +6352,319 @@ packages:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
       react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/spinbutton@3.6.8':
-    resolution: {integrity: sha512-OJMAYRIZ0WrWE+5tZsywrSg4t+aOwl6vl/e1+J64YcGMM+p+AKd61KGG5T0OgNSORXjoVIZOmj6wZ6Od4xfPMw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/ssr@3.9.1':
     resolution: {integrity: sha512-NqzkLFP8ZVI4GSorS0AYljC13QW2sc8bDqJOkBvkAt3M8gbcAXJWVRGtZBCRscki9RZF+rNlnPdg0G0jYkhJcg==}
     engines: {node: '>= 12'}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/ssr@3.9.5':
-    resolution: {integrity: sha512-xEwGKoysu+oXulibNUSkXf8itW0npHHTa6c4AyYeZIJyRoegeteYuFpZUBPtIDE8RfHdNsSmE1ssOkxRnwbkuQ==}
-    engines: {node: '>= 12'}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/switch@3.6.0':
     resolution: {integrity: sha512-YNWc5fGLNXE4XlmDAKyqAdllRiClGR7ki4KGFY7nL+xR5jxzjCGU3S3ToMK5Op3QSMGZLxY/aYmC4O+MvcoADQ==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/switch@3.6.7':
-    resolution: {integrity: sha512-yBNvKylhc3ZRQ0+7mD0mIenRRe+1yb8YaqMMZr8r3Bf87LaiFtQyhRFziq6ZitcwTJz5LEWjBihxbSVvUrf49w==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/table@3.13.3':
     resolution: {integrity: sha512-AzmETpyxwNqISTzwHJPs85x9gujG40IIsSOBUdp49oKhB85RbPLvMwhadp4wCVAoHw3erOC/TJxHtVc7o2K1LA==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
       react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/table@3.15.3':
-    resolution: {integrity: sha512-nQCLjlEvyJHyuijHw8ESqnA9fxNJfQHx0WPcl08VDEb8VxcE/MVzSAIedSWaqjG5k9Oflz6o/F/zHtzw4AFAow==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/tabs@3.8.3':
     resolution: {integrity: sha512-Plw0K/5Qv35vYq7pHZFfQB2BF5OClFx4Abzo9hLVx4oMy3qb7i5lxmLBVbt81yPX/MdjYeP4zO1EHGBl4zMRhA==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
       react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/tabs@3.9.5':
-    resolution: {integrity: sha512-aQZGAoOIg1B16qlvXIy6+rHbNBNVcWkGjOjeyvqTTPMjXt/FmElkICnqckI7MRJ1lTqzyppCOBitYOHSXRo8Uw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/tag@3.3.1':
     resolution: {integrity: sha512-w7d8sVZqxTo8VFfeg2ixLp5kawtrcguGznVY4mt5aE6K8LMJOeNVDqNNfolfyia80VjOWjeX+RpVdVJRdrv/GQ==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
       react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/tag@3.4.5':
-    resolution: {integrity: sha512-iyJuATQ8t2cdLC7hiZm143eeZze/MtgxaMq0OewlI9TUje54bkw2Q+CjERdgisIo3Eemf55JJgylGrTcalEJAg==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/textfield@3.14.1':
     resolution: {integrity: sha512-UMepuYtDdCgrUF4dMphNxrUm23xOmR54aZD1pbp9cJyfioVkJN35BTXZVkD0D07gHLn4RhxKIZxBortQQrLB9g==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/textfield@3.14.8':
-    resolution: {integrity: sha512-FHEvsHdE1cMR2B7rlf+HIneITrC40r201oLYbHAp3q26jH/HUujzFBB9I20qhXjyBohMWfQLqJhSwhs1VW1RJQ==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/toggle@3.10.0':
     resolution: {integrity: sha512-6cUf4V9TuG2J7AvXUdU/GspEPFCubUOID3mrselSe563RViy+mMZk0vUEOdyoNanDcEXl58W4dE3SGWxFn71vg==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/toggle@3.10.7':
-    resolution: {integrity: sha512-/RJQU8QlPZXRElZ3Tt10F5K5STgUBUGPpfuFUGuwF3Kw3GpPxYsA1YAVjxXz2MMGwS0+y6+U/J1xIs1AF0Jwzg==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/tooltip@3.7.0':
     resolution: {integrity: sha512-+u9Sftkfe09IDyPEnbbreFKS50vh9X/WTa7n1u2y3PenI9VreLpUR6czyzda4BlvQ95e9jQz1cVxUjxTNaZmBw==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/tooltip@3.7.7':
-    resolution: {integrity: sha512-UOTTDbbUz7OaE48VjNSWl+XQbYCUs5Gss4I3Tv1pfRLXzVtGYXv3ur/vRayvZR0xd12ANY26fZPNkSmCFpmiXw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-aria/utils@3.23.0':
     resolution: {integrity: sha512-fJA63/VU4iQNT8WUvrmll3kvToqMurD69CcgVmbQ56V7ZbvlzFi44E7BpnoaofScYLLtFWRjVdaHsohT6O/big==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-aria/utils@3.25.2':
-    resolution: {integrity: sha512-GdIvG8GBJJZygB4L2QJP1Gabyn2mjFsha73I2wSe+o4DYeGWoJiMZRM06PyTIxLH4S7Sn7eVDtsSBfkc2VY/NA==}
+  '@react-aria/utils@3.34.0':
+    resolution: {integrity: sha512-ZM1ZXIqpwGTJjjL6o3JhlZkEaBpQdxuOCqLEvwEwooaj5GsYI3E9UfOl5vy3UW6bYiEEWl9pNBntrb9CR9kItQ==}
     peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-aria/visually-hidden@3.8.15':
-    resolution: {integrity: sha512-l+sJ7xTdD5Sd6+rDNDaeJCSPnHOsI+BaJyApvb/YcVgHa7rB47lp6TXCWUCDItcPY4JqRGyeByRJVrtzBFTWCw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
+      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0-rc.1
+      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0-rc.1
 
   '@react-aria/visually-hidden@3.8.8':
     resolution: {integrity: sha512-Cn2PYKD4ijGDtF0+dvsh8qa4y7KTNAlkTG6h20r8Q+6UTyRNmtE2/26QEaApRF8CBiNy9/BZC/ZC4FK2OjvCoA==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-email/body@0.0.7':
-    resolution: {integrity: sha512-vjJ5P1MUNWV0KNivaEWA6MGj/I3c764qQJMsKjCHlW6mkFJ4SXbm2OlQFtKAb++Bj8LDqBlnE6oW77bWcMc0NA==}
+  '@react-email/body@0.3.0':
+    resolution: {integrity: sha512-uGo0BOOzjbMUo3lu+BIDWayvn5o6Xyfmnlla5VGf05n8gHMvO1ll7U4FtzWe3hxMLwt53pmc4iE0M+B5slG+Ug==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: 18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/body@0.0.8':
-    resolution: {integrity: sha512-gqdkNYlIaIw0OdpWu8KjIcQSIFvx7t2bZpXVxMMvBS859Ia1+1X3b5RNbjI3S1ZqLddUf7owOHkO4MiXGE+nxg==}
+  '@react-email/button@0.2.1':
+    resolution: {integrity: sha512-qXyj7RZLE7POy9BMKSoqQ00tOXThjOZSUnI2Yu9i29IHngPlmrNayIWBoVKtElES7OWwypUcpiajwi1mUWx6/A==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: ^18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/button@0.0.14':
-    resolution: {integrity: sha512-SMk40moGcAvkHIALX4XercQlK0PNeeEIam6OXHw68ea9WtzzqVwiK4pzLY0iiMI9B4xWHcaS2lCPf3cKbQBf1Q==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/code-block@0.2.1':
+    resolution: {integrity: sha512-M3B7JpVH4ytgn83/ujRR1k1DQHvTeABiDM61OvAbjLRPhC/5KLHU5KkzIbbuGIrjWwxAbL1kSQzU8MhLEtSxyw==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: 18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/button@0.0.15':
-    resolution: {integrity: sha512-9Zi6SO3E8PoHYDfcJTecImiHLyitYWmIRs0HE3Ogra60ZzlWP2EXu+AZqwQnhXuq+9pbgwBWNWxB5YPetNPTNA==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/code-inline@0.0.6':
+    resolution: {integrity: sha512-jfhebvv3dVsp3OdPgKXnk8+e2pBiDVZejDOBFzBa/IblrAJ9cQDkN6rBD5IyEg8hTOxwbw3iaI/yZFmDmIguIA==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: ^18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/code-block@0.0.3':
-    resolution: {integrity: sha512-nxhl7WjjM2cOYtl0boBZfSObTrUCz2LbarcMyHkTVAsA9rbjbtWAQF7jmlefXJusk3Uol5l2c8hTh2lHLlHTRQ==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/column@0.0.14':
+    resolution: {integrity: sha512-f+W+Bk2AjNO77zynE33rHuQhyqVICx4RYtGX9NKsGUg0wWjdGP0qAuIkhx9Rnmk4/hFMo1fUrtYNqca9fwJdHg==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: 18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/code-block@0.0.4':
-    resolution: {integrity: sha512-xjVLi/9dFNJ70N7hYme+21eQWa3b9/kgp4V+FKQJkQCuIMobxPRCIGM5jKD/0Vo2OqrE5chYv/dkg/aP8a8sPg==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/components@1.0.12':
+    resolution: {integrity: sha512-tH18JhPDWgE+3jnYkzyB6ZrZdfNnEsFe4PwmuXmlOw4NGIysP8wPY5aXZg++pTG9qUabXg1nzX/FGHGkObH8xQ==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: ^18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/code-inline@0.0.1':
-    resolution: {integrity: sha512-SeZKTB9Q4+TUafzeUm/8tGK3dFgywUHb1od/BrAiJCo/im65aT+oJfggJLjK2jCdSsus8odcK2kReeM3/FCNTQ==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/container@0.0.16':
+    resolution: {integrity: sha512-QWBB56RkkU0AJ9h+qy33gfT5iuZknPC7Un/IjZv9B0QmMIK+WWacc0cH6y2SV5Cv/b99hU94fjEMOOO4enpkbQ==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: 18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/code-inline@0.0.2':
-    resolution: {integrity: sha512-0cmgbbibFeOJl0q04K9jJlPDuJ+SEiX/OG6m3Ko7UOkG3TqjRD8Dtvkij6jNDVfUh/zESpqJCP2CxrCLLMUjdA==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/font@0.0.10':
+    resolution: {integrity: sha512-0urVSgCmQIfx5r7Xc586miBnQUVnGp3OTYUm8m5pwtQRdTRO5XrTtEfNJ3JhYhSOruV0nD8fd+dXtKXobum6tA==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: ^18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/column@0.0.10':
-    resolution: {integrity: sha512-MnP8Mnwipr0X3XtdD6jMLckb0sI5/IlS6Kl/2F6/rsSWBJy5Gg6nizlekTdkwDmy0kNSe3/1nGU0Zqo98pl63Q==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/head@0.0.13':
+    resolution: {integrity: sha512-AJg6le/08Gz4tm+6MtKXqtNNyKHzmooOCdmtqmWxD7FxoAdU1eVcizhtQ0gcnVaY6ethEyE/hnEzQxt1zu5Kog==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: ^18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/column@0.0.9':
-    resolution: {integrity: sha512-1ekqNBgmbS6m97/sUFOnVvQtLYljUWamw8Y44VId95v6SjiJ4ca+hMcdOteHWBH67xkRofEOWTvqDRea5SBV8w==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/heading@0.0.16':
+    resolution: {integrity: sha512-jmsKnQm1ykpBzw4hCYHwBkt5pW2jScXffPeEH5ZRF5tZeF5b1pvlFTO9han7C0pCkZYo1kEvWiRtx69yfCIwuw==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: 18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/components@0.0.16':
-    resolution: {integrity: sha512-1WATpMSH03cRvhfNjGl/Up3seZJOzN9KLzlk3Q9g/cqNhZEJ7HYxoZM4AQKAI0V3ttXzzxKv8Oj+AZQLHDiICA==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/hr@0.0.12':
+    resolution: {integrity: sha512-TwmOmBDibavUQpXBxpmZYi2Iks/yeZOzFYh+di9EltMSnEabH8dMZXrl+pxNXzCgZ2XE8HY7VmUL65Lenfu5PA==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: 18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/components@0.0.17':
-    resolution: {integrity: sha512-x5gGQaK0QchbwHvUrCBVnE8GCWdO5osTVuTSA54Fwzels6ZDeNTHEYRx9gI3Nwcf/dkoVYkVH4rzWST0SF0MLA==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/html@0.0.12':
+    resolution: {integrity: sha512-KTShZesan+UsreU7PDUV90afrZwU5TLwYlALuCSU0OT+/U8lULNNbAUekg+tGwCnOfIKYtpDPKkAMRdYlqUznw==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: ^18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/container@0.0.11':
-    resolution: {integrity: sha512-jzl/EHs0ClXIRFamfH+NR/cqv4GsJJscqRhdYtnWYuRAsWpKBM1muycrrPqIVhWvWi6sFHInWTt07jX+bDc3SQ==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/img@0.0.12':
+    resolution: {integrity: sha512-sRCpEARNVTf3FQhZOC+JTvu5r6ubiYWkT0ucYXg8ctkyi4G8QG+jgYPiNUqVeTLA2STOfmPM/nrk1nb84y6CPQ==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: 18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/container@0.0.12':
-    resolution: {integrity: sha512-HFu8Pu5COPFfeZxSL+wKv/TV5uO/sp4zQ0XkRCdnGkj/xoq0lqOHVDL4yC2Pu6fxXF/9C3PHDA++5uEYV5WVJw==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/link@0.0.13':
+    resolution: {integrity: sha512-lkWc/NjOcefRZMkQoSDDbuKBEBDES9aXnFEOuPH845wD3TxPwh+QTf0fStuzjoRLUZWpHnio4z7qGGRYusn/sw==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: ^18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/font@0.0.5':
-    resolution: {integrity: sha512-if/qKYmH3rJ2egQJoKbV8SfKCPavu+ikUq/naT/UkCr8Q0lkk309tRA0x7fXG/WeIrmcipjMzFRGTm2TxTecDw==}
+  '@react-email/markdown@0.0.18':
+    resolution: {integrity: sha512-gSuYK5fsMbGk87jDebqQ6fa2fKcWlkf2Dkva8kMONqLgGCq8/0d+ZQYMEJsdidIeBo3kmsnHZPrwdFB4HgjUXg==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: 18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/font@0.0.6':
-    resolution: {integrity: sha512-sZZFvEZ4U3vNCAZ8wXqIO3DuGJR2qE/8m2fEH+tdqwa532zGO3zW+UlCTg0b9455wkJSzEBeaWik0IkNvjXzxw==}
+  '@react-email/preview@0.0.14':
+    resolution: {integrity: sha512-aYK8q0IPkBXyMsbpMXgxazwHxYJxTrXrV95GFuu2HbEiIToMwSyUgb8HDFYwPqqfV03/jbwqlsXmFxsOd+VNaw==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: ^18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/head@0.0.7':
-    resolution: {integrity: sha512-IcXL4jc0H1qzAXJCD9ajcRFBQdbUHkjKJyiUeogpaYSVZSq6cVDWQuGaI23TA9k+pI2TFeQimogUFb3Kgeeudw==}
+  '@react-email/render@0.0.12':
+    resolution: {integrity: sha512-S8WRv/PqECEi6x0QJBj0asnAb5GFtJaHlnByxLETLkgJjc76cxMYDH4r9wdbuJ4sjkcbpwP3LPnVzwS+aIjT7g==}
     engines: {node: '>=18.0.0'}
+
+  '@react-email/render@2.0.6':
+    resolution: {integrity: sha512-xOzaYkH3jLZKqN5MqrTXYnmqBYUnZSVbkxdb5PGGmDcK6sKDVMliaDiSwfXajRC9JtSHTcGc2tmGLHWuCgVpog==}
+    engines: {node: '>=20.0.0'}
     peerDependencies:
-      react: 18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
+      react-dom: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/head@0.0.8':
-    resolution: {integrity: sha512-8/NI0gtQmLIilAe6rebK1TWw3IXHxtrR02rInkQq8yQ7zKbYbzx7Q/FhmsJgAk+uYh2Er/KhgYJ0sHZyDhfMTQ==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/render@2.0.8':
+    resolution: {integrity: sha512-5udvVr3U/WuGJZfLdLBOhkzrqRWd2Q5ZYmF7ppcy7FzWcwgshdqLMNqJOXcVzAXJXg/2bm7D+WGJzTtZOZMQnQ==}
+    engines: {node: '>=20.0.0'}
     peerDependencies:
-      react: ^18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
+      react-dom: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/heading@0.0.11':
-    resolution: {integrity: sha512-EF5ZtRCxhHPw3m+8iibKKg0RAvAeHj1AP68sjU7s6+J+kvRgllr/E972Wi5Y8UvcIGossCvpX1WrSMDzeB4puA==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/row@0.0.13':
+    resolution: {integrity: sha512-bYnOac40vIKCId7IkwuLAAsa3fKfSfqCvv6epJKmPE0JBuu5qI4FHFCl9o9dVpIIS08s/ub+Y/txoMt0dYziGw==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: 18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/heading@0.0.12':
-    resolution: {integrity: sha512-eB7mpnAvDmwvQLoPuwEiPRH4fPXWe6ltz6Ptbry2BlI88F0a2k11Ghb4+sZHBqg7vVw/MKbqEgtLqr3QJ/KfCQ==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/section@0.0.17':
+    resolution: {integrity: sha512-qNl65ye3W0Rd5udhdORzTV9ezjb+GFqQQSae03NDzXtmJq6sqVXNWNiVolAjvJNypim+zGXmv6J9TcV5aNtE/w==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: ^18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/hr@0.0.7':
-    resolution: {integrity: sha512-8suK0M/deXHt0DBSeKhSC4bnCBCBm37xk6KJh9M0/FIKlvdltQBem52YUiuqVl1XLB87Y6v6tvspn3SZ9fuxEA==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/tailwind@2.0.7':
+    resolution: {integrity: sha512-kGw80weVFXikcnCXbigTGXGWQ0MRCSYNCudcdkWxebkWYd0FG6/NPoN3V1p/u68/4+NxZwYPVi2fhnp0x23HdA==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: 18.2.0
+      '@react-email/body': '>=0'
+      '@react-email/button': '>=0'
+      '@react-email/code-block': '>=0'
+      '@react-email/code-inline': '>=0'
+      '@react-email/container': '>=0'
+      '@react-email/heading': '>=0'
+      '@react-email/hr': '>=0'
+      '@react-email/img': '>=0'
+      '@react-email/link': '>=0'
+      '@react-email/preview': '>=0'
+      '@react-email/text': '>=0'
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
+    peerDependenciesMeta:
+      '@react-email/body':
+        optional: true
+      '@react-email/button':
+        optional: true
+      '@react-email/code-block':
+        optional: true
+      '@react-email/code-inline':
+        optional: true
+      '@react-email/container':
+        optional: true
+      '@react-email/heading':
+        optional: true
+      '@react-email/hr':
+        optional: true
+      '@react-email/img':
+        optional: true
+      '@react-email/link':
+        optional: true
+      '@react-email/preview':
+        optional: true
 
-  '@react-email/hr@0.0.8':
-    resolution: {integrity: sha512-JLVvpCg2wYKEB+n/PGCggWG9fRU5e4lxsGdpK5SDLsCL0ic3OLKSpHMfeE+ZSuw0GixAVVQN7F64PVJHQkd4MQ==}
-    engines: {node: '>=18.0.0'}
+  '@react-email/text@0.1.6':
+    resolution: {integrity: sha512-TYqkioRS45wTR5il3dYk/SbUjjEdhSwh9BtRNB99qNH1pXAwA45H7rAuxehiu8iJQJH0IyIr+6n62gBz9ezmsw==}
+    engines: {node: '>=20.0.0'}
+    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
     peerDependencies:
-      react: ^18.2.0
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
 
-  '@react-email/html@0.0.7':
-    resolution: {integrity: sha512-oy7OoRtoOKApVI/5Lz1OZptMKmMYJu9Xn6+lOmdBQchAuSdQtWJqxhrSj/iI/mm8HZWo6MZEQ6SFpfOuf8/P6Q==}
-    engines: {node: '>=18.0.0'}
+  '@react-stately/calendar@3.4.3':
+    resolution: {integrity: sha512-OrEcdskszDjnjVnFuSiDC2PVBJ6lWMCJROD5s6W1LUehUtBp8LX9wPavAGHV43LbhN9ldj560sxaQ4WCddrRCA==}
     peerDependencies:
-      react: 18.2.0
+      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-email/html@0.0.8':
-    resolution: {integrity: sha512-arII3wBNLpeJtwyIJXPaILm5BPKhA+nvdC1F9QkuKcOBJv2zXctn8XzPqyGqDfdplV692ulNJP7XY55YqbKp6w==}
-    engines: {node: '>=18.0.0'}
+  '@react-stately/checkbox@3.6.1':
+    resolution: {integrity: sha512-rOjFeVBy32edYwhKiHj3ZLdLeO+xZ2fnBwxnOBjcygnw4Neygm8FJH/dB1J0hdYYR349yby86ED2x0wRc84zPw==}
     peerDependencies:
-      react: ^18.2.0
+      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-email/img@0.0.7':
-    resolution: {integrity: sha512-up9tM2/dJ24u/CFjcvioKbyGuPw1yeJg605QA7VkrygEhd0CoQEjjgumfugpJ+VJgIt4ZjT9xMVCK5QWTIWoaA==}
-    engines: {node: '>=18.0.0'}
+  '@react-stately/collections@3.10.4':
+    resolution: {integrity: sha512-OHhCrItGt4zB2bSrgObRo0H2SC7QlkH8ReGxo+NVIWchXRLRoiWBP7S+IwleewEo5gOqDVPY3hqA9n4iiI8twg==}
     peerDependencies:
-      react: 18.2.0
+      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-email/img@0.0.8':
-    resolution: {integrity: sha512-jx/rPuKo31tV18fu7P5rRqelaH5wkhg83Dq7uLwJpfqhbi4KFBGeBfD0Y3PiLPPoh+WvYf+Adv9W2ghNW8nOMQ==}
-    engines: {node: '>=18.0.0'}
+  '@react-stately/combobox@3.8.1':
+    resolution: {integrity: sha512-FaWkqTXQdWg7ptaeU4iPcqF/kxbRg2ZNUcvW/hiL/enciV5tRCsddvfNqvDvy1L30z9AUwlp9MWqzm/DhBITCw==}
     peerDependencies:
-      react: ^18.2.0
+      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-email/link@0.0.7':
-    resolution: {integrity: sha512-hXPChT3ZMyKnUSA60BLEMD2maEgyB2A37yg5bASbLMrXmsExHi6/IS1h2XiUPLDK4KqH5KFaFxi2cdNo1JOKwA==}
-    engines: {node: '>=18.0.0'}
+  '@react-stately/data@3.11.0':
+    resolution: {integrity: sha512-0BlPT58WrAtUvpiEfUuyvIsGFTzp/9vA5y+pk53kGJhOdc5tqBGHi9cg40pYE/i1vdHJGMpyHGRD9nkQb8wN3Q==}
     peerDependencies:
-      react: 18.2.0
+      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-email/link@0.0.8':
-    resolution: {integrity: sha512-nVikuTi8WJHa6Baad4VuRUbUCa/7EtZ1Qy73TRejaCHn+vhetc39XGqHzKLNh+Z/JFL8Hv9g+4AgG16o2R0ogQ==}
-    engines: {node: '>=18.0.0'}
+  '@react-stately/datepicker@3.9.1':
+    resolution: {integrity: sha512-o5xLvlZGJyAbTev2yruGlV2fzQyIDuYTgL19TTt0W0WCfjGGr/AAA9GjGXXmyoRA7sZMxqIPnnv7lNrdA38ofA==}
     peerDependencies:
-      react: ^18.2.0
+      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-email/markdown@0.0.10':
-    resolution: {integrity: sha512-MH0xO+NJ4IuJcx9nyxbgGKAMXyudFjCZ0A2GQvuWajemW9qy2hgnJ3mW3/z5lwcenG+JPn7JyO/iZpizQ7u1tA==}
-    engines: {node: '>=18.0.0'}
+  '@react-stately/dnd@3.2.7':
+    resolution: {integrity: sha512-QqSCvE9Rhp+Mr8Mt/SrByze24BFX1cy7gmXbwoqAYgHNIx3gWCVdBLqxfpfgYIhZdF9H72EWS8lQkfkZla06Ng==}
     peerDependencies:
-      react: ^18.2.0
+      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-email/markdown@0.0.9':
-    resolution: {integrity: sha512-t//19Zz+W5svKqrSrqoOLpf6dq70jbwYxX8Z+NEMi4LqylklccOaYAyKrkYyulfZwhW7KDH9d2wjVk5jfUABxQ==}
-    engines: {node: '>=18.0.0'}
+  '@react-stately/flags@3.0.0':
+    resolution: {integrity: sha512-e3i2ItHbIa0eEwmSXAnPdD7K8syW76JjGe8ENxwFJPW/H1Pu9RJfjkCb/Mq0WSPN/TpxBb54+I9TgrGhbCoZ9w==}
+
+  '@react-stately/form@3.0.0':
+    resolution: {integrity: sha512-C8wkfFmtx1escizibhdka5JvTy9/Vp173CS9cakjvWTmnjYYC1nOlzwp7BsYWTgerCFbRY/BU/Cf/bJDxPiUKQ==}
     peerDependencies:
-      react: 18.2.0
+      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-email/preview@0.0.8':
-    resolution: {integrity: sha512-Jm0KUYBZQd2w0s2QRMQy0zfHdo3Ns+9bYSE1OybjknlvhANirjuZw9E5KfWgdzO7PyrRtB1OBOQD8//Obc4uIQ==}
-    engines: {node: '>=18.0.0'}
+  '@react-stately/grid@3.8.4':
+    resolution: {integrity: sha512-rwqV1K4lVhaiaqJkt4TfYqdJoVIyqvSm98rKAYfCNzrKcivVpoiCMJ2EMt6WlYCjDVBdEOQ7fMV1I60IV0pntA==}
     peerDependencies:
-      react: 18.2.0
+      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-email/preview@0.0.9':
-    resolution: {integrity: sha512-2fyAA/zzZYfYmxfyn3p2YOIU30klyA6Dq4ytyWq4nfzQWWglt5hNDE0cMhObvRtfjM9ghMSVtoELAb0MWiF/kw==}
-    engines: {node: '>=18.0.0'}
+  '@react-stately/list@3.10.2':
+    resolution: {integrity: sha512-INt+zofkIg2KN8B95xPi9pJG7ZFWAm30oIm/lCPBqM3K1Nm03/QaAbiQj2QeJcOsG3lb7oqI6D6iwTolwJkjIQ==}
     peerDependencies:
-      react: ^18.2.0
-
-  '@react-email/render@0.0.12':
-    resolution: {integrity: sha512-S8WRv/PqECEi6x0QJBj0asnAb5GFtJaHlnByxLETLkgJjc76cxMYDH4r9wdbuJ4sjkcbpwP3LPnVzwS+aIjT7g==}
-    engines: {node: '>=18.0.0'}
-
-  '@react-email/render@0.0.13':
-    resolution: {integrity: sha512-lmBizrV+rQeSa3GjiL8/kPU0gENqO/wv+4xrlWANabp9UY3lTLXzy7HMRSE8YFBES9AbxP5VX1iRKuEnsoBDew==}
-    engines: {node: '>=18.0.0'}
-
-  '@react-email/row@0.0.7':
-    resolution: {integrity: sha512-h7pwrLVGk5CIx7Ai/oPxBgCCAGY7BEpCUQ7FCzi4+eThcs5IdjSwDPefLEkwaFS8KZc56UNwTAH92kNq5B7blg==}
-    engines: {node: '>=18.0.0'}
-    peerDependencies:
-      react: 18.2.0
-
-  '@react-email/row@0.0.8':
-    resolution: {integrity: sha512-JsB6pxs/ZyjYpEML3nbwJRGAerjcN/Pa/QG48XUwnT/MioDWrUuyQuefw+CwCrSUZ2P1IDrv2tUD3/E3xzcoKw==}
-    engines: {node: '>=18.0.0'}
-    peerDependencies:
-      react: ^18.2.0
-
-  '@react-email/section@0.0.11':
-    resolution: {integrity: sha512-3bZ/DuvX1julATI7oqYza6pOtWZgLJDBaa62LFFEvYjisyN+k6lrP2KOucPsDKu2DOkUzlQgK0FOm6VQJX+C0w==}
-    engines: {node: '>=18.0.0'}
-    peerDependencies:
-      react: 18.2.0
-
-  '@react-email/section@0.0.12':
-    resolution: {integrity: sha512-UCD/N/BeOTN4h3VZBUaFdiSem6HnpuxD1Q51TdBFnqeNqS5hBomp8LWJJ9s4gzwHWk1XPdNfLA3I/fJwulJshg==}
-    engines: {node: '>=18.0.0'}
-    peerDependencies:
-      react: ^18.2.0
-
-  '@react-email/tailwind@0.0.15':
-    resolution: {integrity: sha512-TE3NQ7VKhhvv3Zv0Z1NtoV6AF7aOWiG4juVezMZw1hZCG0mkN6iXC63u23vPQi12y6xCp20ZUHfg67kQeDSP/g==}
-    engines: {node: '>=18.0.0'}
-    peerDependencies:
-      react: 18.2.0
-
-  '@react-email/tailwind@0.0.16':
-    resolution: {integrity: sha512-uMifPxCEHaHLhpS1kVCMGyTeEL+aMYzHT4bgj8CkgCiBoF9wNNfIVMUlHGzHUTv4ZTEPaMfZgC/Hi8RqzL/Ogw==}
-    engines: {node: '>=18.0.0'}
-    peerDependencies:
-      react: ^18.2.0
-
-  '@react-email/text@0.0.7':
-    resolution: {integrity: sha512-eHCx0mdllGcgK9X7wiLKjNZCBRfxRVNjD3NNYRmOc3Icbl8M9JHriJIfxBuGCmGg2UAORK5P3KmaLQ8b99/pbA==}
-    engines: {node: '>=18.0.0'}
-    peerDependencies:
-      react: 18.2.0
-
-  '@react-email/text@0.0.8':
-    resolution: {integrity: sha512-uvN2TNWMrfC9wv/LLmMLbbEN1GrMWZb9dBK14eYxHHAEHCeyvGb5ePZZ2MPyzO7Y5yTC+vFEnCEr76V+hWMxCQ==}
-    engines: {node: '>=18.0.0'}
-    peerDependencies:
-      react: ^18.2.0
-
-  '@react-spring/rafz@9.7.4':
-    resolution: {integrity: sha512-mqDI6rW0Ca8IdryOMiXRhMtVGiEGLIO89vIOyFQXRIwwIMX30HLya24g9z4olDvFyeDW3+kibiKwtZnA4xhldA==}
-
-  '@react-stately/calendar@3.4.3':
-    resolution: {integrity: sha512-OrEcdskszDjnjVnFuSiDC2PVBJ6lWMCJROD5s6W1LUehUtBp8LX9wPavAGHV43LbhN9ldj560sxaQ4WCddrRCA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
-
-  '@react-stately/calendar@3.5.4':
-    resolution: {integrity: sha512-R2011mtFSXIjzMXaA+CZ1sflPm9XkTBMqVk77Bnxso2ZsG7FUX8nqFmaDavxwTuHFC6OUexAGSMs8bP9KycTNg==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-stately/checkbox@3.6.1':
-    resolution: {integrity: sha512-rOjFeVBy32edYwhKiHj3ZLdLeO+xZ2fnBwxnOBjcygnw4Neygm8FJH/dB1J0hdYYR349yby86ED2x0wRc84zPw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
-
-  '@react-stately/checkbox@3.6.8':
-    resolution: {integrity: sha512-c8TWjU67XHHBCpqj6+FXXhQUWGr2Pil1IKggX81pkedhWiJl3/7+WHJuZI0ivGnRjp3aISNOG8UNVlBEjS9E8A==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-stately/collections@3.10.4':
-    resolution: {integrity: sha512-OHhCrItGt4zB2bSrgObRo0H2SC7QlkH8ReGxo+NVIWchXRLRoiWBP7S+IwleewEo5gOqDVPY3hqA9n4iiI8twg==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
-
-  '@react-stately/collections@3.10.9':
-    resolution: {integrity: sha512-plyrng6hOQMG8LrjArMA6ts/DgWyXln3g90/hFNbqe/hdVYF53sDVsj8Jb+5LtoYTpiAlV6eOvy1XR0vPZUf8w==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-stately/combobox@3.8.1':
-    resolution: {integrity: sha512-FaWkqTXQdWg7ptaeU4iPcqF/kxbRg2ZNUcvW/hiL/enciV5tRCsddvfNqvDvy1L30z9AUwlp9MWqzm/DhBITCw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
-
-  '@react-stately/combobox@3.9.2':
-    resolution: {integrity: sha512-ZsbAcD58IvxZqwYxg9d2gOf8R/k5RUB2TPUiGKD6wgWfEKH6SDzY3bgRByHGOyMCyJB62cHjih/ZShizNTguqA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-stately/data@3.11.0':
-    resolution: {integrity: sha512-0BlPT58WrAtUvpiEfUuyvIsGFTzp/9vA5y+pk53kGJhOdc5tqBGHi9cg40pYE/i1vdHJGMpyHGRD9nkQb8wN3Q==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
-
-  '@react-stately/datepicker@3.10.2':
-    resolution: {integrity: sha512-pa5IZUw+49AyOnddwu4XwU2kI5eo/1thbiIVNHP8uDpbbBrBkquSk3zVFDAGX1cu/I1U2VUkt64U/dxgkwaMQw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-stately/datepicker@3.9.1':
-    resolution: {integrity: sha512-o5xLvlZGJyAbTev2yruGlV2fzQyIDuYTgL19TTt0W0WCfjGGr/AAA9GjGXXmyoRA7sZMxqIPnnv7lNrdA38ofA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
-
-  '@react-stately/dnd@3.2.7':
-    resolution: {integrity: sha512-QqSCvE9Rhp+Mr8Mt/SrByze24BFX1cy7gmXbwoqAYgHNIx3gWCVdBLqxfpfgYIhZdF9H72EWS8lQkfkZla06Ng==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
-
-  '@react-stately/dnd@3.4.2':
-    resolution: {integrity: sha512-VrHmNoNdVGrx5JHdz/zewmN+N8rlZe+vL/iAOLmvQ74RRLEz8KDFnHdlhgKg1AZqaSg3JJ18BlHEkS7oL1n+tA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-stately/flags@3.0.0':
-    resolution: {integrity: sha512-e3i2ItHbIa0eEwmSXAnPdD7K8syW76JjGe8ENxwFJPW/H1Pu9RJfjkCb/Mq0WSPN/TpxBb54+I9TgrGhbCoZ9w==}
-
-  '@react-stately/flags@3.0.3':
-    resolution: {integrity: sha512-/ha7XFA0RZTQsbzSPwu3KkbNMgbvuM0GuMTYLTBWpgBrovBNTM+QqI/PfZTdHg8PwCYF4H5Y8gjdSpdulCvJFw==}
-
-  '@react-stately/form@3.0.0':
-    resolution: {integrity: sha512-C8wkfFmtx1escizibhdka5JvTy9/Vp173CS9cakjvWTmnjYYC1nOlzwp7BsYWTgerCFbRY/BU/Cf/bJDxPiUKQ==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
-
-  '@react-stately/form@3.0.5':
-    resolution: {integrity: sha512-J3plwJ63HQz109OdmaTqTA8Qhvl3gcYYK7DtgKyNP6mc/Me2Q4tl2avkWoA+22NRuv5m+J8TpBk4AVHUEOwqeQ==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-stately/grid@3.8.4':
-    resolution: {integrity: sha512-rwqV1K4lVhaiaqJkt4TfYqdJoVIyqvSm98rKAYfCNzrKcivVpoiCMJ2EMt6WlYCjDVBdEOQ7fMV1I60IV0pntA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
-
-  '@react-stately/grid@3.9.2':
-    resolution: {integrity: sha512-2gK//sqAqg2Xaq6UITTFQwFUJnBRgcW+cKBVbFt+F8d152xB6UwwTS/K79E5PUkOotwqZgTEpkrSFs/aVxCLpw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-stately/list@3.10.2':
-    resolution: {integrity: sha512-INt+zofkIg2KN8B95xPi9pJG7ZFWAm30oIm/lCPBqM3K1Nm03/QaAbiQj2QeJcOsG3lb7oqI6D6iwTolwJkjIQ==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
-
-  '@react-stately/list@3.10.8':
-    resolution: {integrity: sha512-rHCiPLXd+Ry3ztR9DkLA5FPQeH4Zd4/oJAEDWJ77W3oBBOdiMp3ZdHDLP7KBRh17XGNLO/QruYoHWAQTPiMF4g==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
+      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
   '@react-stately/menu@3.6.0':
     resolution: {integrity: sha512-OB6CjNyfOkAuirqx1oTL8z8epS9WDzLyrXjmRnxdiCU9EgRXLGAQNECuO7VIpl58oDry8tgRJiJ8fn8FivWSQA==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-stately/menu@3.8.2':
-    resolution: {integrity: sha512-lt6hIHmSixMzkKx1rKJf3lbAf01EmEvvIlENL20GLiU9cRbpPnPJ1aJMZ5Ad5ygglA7wAemAx+daPhlTQfF2rg==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-stately/numberfield@3.8.0':
     resolution: {integrity: sha512-1XvB8tDOvZKcFnMM6qNLEaTVJcIc0jRFS/9jtS8MzalZvh8DbKi0Ucm1bGU7S5rkCx2QWqZ0rGOIm2h/RlcpkA==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-stately/numberfield@3.9.6':
-    resolution: {integrity: sha512-p2R9admGLI439qZzB39dyANhkruprJJtZwuoGVtxW/VD0ficw6BrPVqAaKG25iwKPkmveleh9p8o+yRqjGedcQ==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-stately/overlays@3.6.10':
-    resolution: {integrity: sha512-XxZ2qScT5JPwGk9qiVJE4dtVh3AXTcYwGRA5RsHzC26oyVVsegPqY2PmNJGblAh6Q57VyodoVUyebE0Eo5CzRw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-stately/overlays@3.6.4':
     resolution: {integrity: sha512-tHEaoAGpE9dSnsskqLPVKum59yGteoSqsniTopodM+miQozbpPlSjdiQnzGLroy5Afx5OZYClE616muNHUILXA==}
     peerDependencies:
@@ -8915,86 +6675,41 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-stately/radio@3.10.7':
-    resolution: {integrity: sha512-ZwGzFR+sGd42DxRlDTp3G2vLZyhMVtgHkwv2BxazPHxPMvLO9yYl7+3PPNxAmhMB4tg2u9CrzffpGX2rmEJEXA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-stately/searchfield@3.5.0':
     resolution: {integrity: sha512-SStjChkn/33pEn40slKQPnBnmQYyxVazVwPjiBkdeVejC42lUVairUTrGJgF0PNoZTbxn0so2/XzjqTC9T8iCw==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-stately/searchfield@3.5.6':
-    resolution: {integrity: sha512-gVzU0FeWiLYD8VOYRgWlk79Qn7b2eirqOnWhtI5VNuGN8WyNaCIuBp6SkXTW2dY8hs2Hzn8HlMbgy1MIc7130Q==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-stately/select@3.6.1':
     resolution: {integrity: sha512-e5ixtLiYLlFWM8z1msDqXWhflF9esIRfroptZsltMn1lt2iImUlDRlOTZlMtPQzUrDWoiHXRX88sSKUM/jXjQQ==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-stately/select@3.6.7':
-    resolution: {integrity: sha512-hCUIddw0mPxVy1OH6jhyaDwgNea9wESjf+MYdnnTG/abRB+OZv/dWScd87OjzVsHTHWcw7CN4ZzlJoXm0FJbKQ==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-stately/selection@3.14.2':
     resolution: {integrity: sha512-mL7OoiUgVWaaF7ks5XSxgbXeShijYmD4G3bkBHhqkpugU600QH6BM2hloCq8KOUupk1y8oTljPtF9EmCv375DA==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-stately/selection@3.16.2':
-    resolution: {integrity: sha512-C4eSKw7BIZHJLPzwqGqCnsyFHiUIEyryVQZTJDt6d0wYBOHU6k1pW+Q4VhrZuzSv+IMiI2RkiXeJKc55f0ZXrg==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-stately/slider@3.5.0':
     resolution: {integrity: sha512-dOVpIxb7XKuiRxgpHt1bUSlsklciFki100tKIyBPR+Okar9iC/CwLYROYgVfLkGe77jEBNkor9tDLjDGEWcc1w==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-stately/slider@3.5.7':
-    resolution: {integrity: sha512-gEIGTcpBLcXixd8LYiLc8HKrBiGQJltrrEGoOvvTP8KVItXQxmeL+JiSsh8qgOoUdRRpzmAoFNUKGEg2/gtN8A==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-stately/table@3.11.4':
     resolution: {integrity: sha512-dWINJIEOKQl4qq3moq+S8xCD3m+yJqBj0dahr+rOkS+t2uqORwzsusTM35D2T/ZHZi49S2GpE7QuDa+edCynPw==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-stately/table@3.12.2':
-    resolution: {integrity: sha512-dUcsrdALylhWz6exqIoqtR/dnrzjIAptMyAUPT378Y/mCYs4PxKkHSvtPEQrZhdQS1ALIIgfeg9KUVIempoXPw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-stately/tabs@3.6.3':
     resolution: {integrity: sha512-Nj+Gacwa2SIzYIvHW40GsyX4Q6c8kF7GOuXESeQswbCjnwqhrSbDBp+ngPcUPUJxqFh6JhDCVwAS3wMhUoyUwA==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-stately/tabs@3.6.9':
-    resolution: {integrity: sha512-YZDqZng3HrRX+uXmg6u78x73Oi24G5ICpiXVqDKKDkO333XCA5H8MWItiuPZkYB2h3SbaCaLqSobLkvCoWYpNQ==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-stately/toggle@3.7.0':
     resolution: {integrity: sha512-TRksHkCJk/Xogq4181g3CYgJf+EfsJCqX5UZDSw1Z1Kgpvonjmdf6FAfQfCh9QR2OuXUL6hOLUDVLte5OPI+5g==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-stately/toggle@3.7.7':
-    resolution: {integrity: sha512-AS+xB4+hHWa3wzYkbS6pwBkovPfIE02B9SnuYTe0stKcuejpWKo5L3QMptW0ftFYsW3ZPCXuneImfObEw2T01A==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-stately/tooltip@3.4.12':
-    resolution: {integrity: sha512-QKYT/cze7n9qaBsk7o5ais3jRfhYCzcVRfps+iys/W+/9FFbbhjfQG995Lwi6b+vGOHWfXxXpwmyIO2tzM1Iog==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-stately/tooltip@3.4.6':
     resolution: {integrity: sha512-uL93bmsXf+OOgpKLPEKfpDH4z+MK2CuqlqVxx7rshN0vjWOSoezE5nzwgee90+RpDrLNNNWTNa7n+NkDRpI1jA==}
     peerDependencies:
@@ -9005,16 +6720,6 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-stately/tree@3.8.4':
-    resolution: {integrity: sha512-HFNclIXJ/3QdGQWxXbj+tdlmIX/XwCfzAMB5m26xpJ6HtJhia6dtx3GLfcdyHNjmuRbAsTBsAAnnVKBmNRUdIQ==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-stately/utils@3.10.3':
-    resolution: {integrity: sha512-moClv7MlVSHpbYtQIkm0Cx+on8Pgt1XqtPx6fy9rQFb2DNc9u1G3AUVnqA17buOkH1vLxAtX4MedlxMWyRCYYA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-stately/utils@3.9.0':
     resolution: {integrity: sha512-yPKFY1F88HxuZ15BG2qwAYxtpE4HnIU0Ofi4CuBE0xC6I8mwo4OQjDzi+DZjxQngM9D6AeTTD6F1V8gkozA0Gw==}
     peerDependencies:
@@ -9030,66 +6735,31 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/breadcrumbs@3.7.7':
-    resolution: {integrity: sha512-ZmhXwD2LLzfEA2OvOCp/QvXu8A/Edsrn5q0qUDGsmOZj9SCVeT82bIv8P+mQnATM13mi2gyoik6102Jc1OscJA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/button@3.9.1':
     resolution: {integrity: sha512-bf9iTar3PtqnyV9rA+wyFyrskZKhwmOuOd/ifYIjPs56YNVXWH5Wfqj6Dx3xdFBgtKx8mEVQxVhoX+WkHX+rtw==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/button@3.9.6':
-    resolution: {integrity: sha512-8lA+D5JLbNyQikf8M/cPP2cji91aVTcqjrGpDqI7sQnaLFikM8eFR6l1ZWGtZS5MCcbfooko77ha35SYplSQvw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/calendar@3.4.3':
     resolution: {integrity: sha512-96x57ctX5wNEl+8et3sc2NQm8neOJayEeqOQQpyPtI7jyvst/xBrKCwysf9W/dhgPlUC+KeBAYFWfjd5hFVHYA==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/calendar@3.4.9':
-    resolution: {integrity: sha512-O/PS9c21HgO9qzxOyZ7/dTccxabFZdF6tj3UED4DrBw7AN3KZ7JMzwzYbwHinOcO7nUcklGgNoAIHk45UAKR9g==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/checkbox@3.6.0':
     resolution: {integrity: sha512-vgbuJzQpVCNT5AZWV0OozXCnihqrXxoZKfJFIw0xro47pT2sn3t5UC4RA9wfjDGMoK4frw1K/4HQLsQIOsPBkw==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/checkbox@3.8.3':
-    resolution: {integrity: sha512-f4c1mnLEt0iS1NMkyZXgT3q3AgcxzDk7w6MSONOKydcnh0xG5L2oefY14DhVDLkAuQS7jThlUFwiAs+MxiO3MA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/combobox@3.10.0':
     resolution: {integrity: sha512-1IXSNS02TPbguyYopaW2snU6sZusbClHrEyVr4zPeexTV4kpUUBNXOzFQ+eSQRR0r2XW57Z0yRW4GJ6FGU0yCA==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/combobox@3.12.1':
-    resolution: {integrity: sha512-bd5YwHZWtgnJx4jGbplWbYzXj7IbO5w3IY5suNR7r891rx6IktquZ8GQwyYH0pQ/x+X5LdK2xI59i6+QC2PmlA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/datepicker@3.7.1':
     resolution: {integrity: sha512-5juVDULOytNzkotqX8j5mYKJckeIpkgbHqVSGkPgLw0++FceIaSZ6RH56cqLup0pO45paqIt9zHh+QXBYX+syg==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/datepicker@3.8.2':
-    resolution: {integrity: sha512-Ih4F0bNVGrEuwCD8XmmBAspuuOBsj/Svn/pDFtC2RyAZjXfWh+sI+n4XLz/sYKjvARh5TUI8GNy9smYS4vYXug==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-types/dialog@3.5.12':
-    resolution: {integrity: sha512-JmpQbSpXltqEyYfEwoqDolABIiojeExkqolHNdQlayIsfFuSxZxNwXZPOpz58Ri/iwv21JP7K3QF0Gb2Ohxl9w==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/dialog@3.5.7':
     resolution: {integrity: sha512-geYoqAyQaTLG43AaXdMUVqZXYgkSifrD9cF7lR2kPAT0uGFv0YREi6ieU+aui8XJ83EW0xcxP+EPWd2YkN4D4w==}
     peerDependencies:
@@ -9100,36 +6770,16 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/grid@3.2.8':
-    resolution: {integrity: sha512-6PJrpukwMqlv3IhJSDkJuVbhHM8Oe6hd2supWqd9adMXrlSP7QHt9a8SgFcFblCCTx8JzUaA0PvY5sTudcEtOQ==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/link@3.5.2':
     resolution: {integrity: sha512-/s51/WejmpLiyxOgP89s4txgxYoGaPe8pVDItVo1h4+BhU1Puyvgv/Jx8t9dPvo6LUXbraaN+SgKk/QDxaiirw==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/link@3.5.7':
-    resolution: {integrity: sha512-2WyaVmm1qr9UrSG3Dq6iz+2ziuVp+DH8CsYZ9CA6aNNb6U18Hxju3LTPb4a5gM0eC7W0mQGNBmrgGlAdDZEJOw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/listbox@3.4.6':
     resolution: {integrity: sha512-XOQvrTqNh5WIPDvKiWiep8T07RAsMfjAXTjDbnjxVlKACUXkcwpts9kFaLnJ9LJRFt6DwItfP+WMkzvmx63/NQ==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/listbox@3.5.1':
-    resolution: {integrity: sha512-n5bOgD9lgfK1qaLtag9WPnu151SwXBCNn/OgGY/Br9mWRl+nPUEYtFcPX+2VCld7uThf54kwrTmzlFnaraIlcw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-types/menu@3.9.11':
-    resolution: {integrity: sha512-IguQVF70d7aHXgWB1Rd2a/PiIuLZ2Nt7lyayJshLcy/NLOYmgpTmTyn2WCtlA5lTfQwmQrNFf4EvnWkeljJXdA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/menu@3.9.6':
     resolution: {integrity: sha512-w/RbFInOf4nNayQDv5c2L8IMJbcFOkBhsT3xvvpTy+CHvJcQdjggwaV1sRiw7eF/PwB81k2CwigmidUzHJhKDg==}
     peerDependencies:
@@ -9140,106 +6790,56 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/meter@3.4.3':
-    resolution: {integrity: sha512-Y2fX5CTAPGRKxVSeepbeyN6/K+wlF9pMRcNxTSU2qDwdoFqNCtTWMcWuCsU/Y2L/zU0jFWu4x0Vo7WkrcsgcMA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/numberfield@3.7.0':
     resolution: {integrity: sha512-gaGi+vqm1Y8LCWRsWYUjcGftPIzl+8W2VOfkgKMLM8y76nnwTPtmAqs+Ap1cg7sEJSfsiKMq93e9yvP3udrC2w==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/numberfield@3.8.5':
-    resolution: {integrity: sha512-LVWggkxwd1nyVZomXBPfQA1E4I4/i4PBifjcDs2AfcV7q5RE9D+DVIDXsYucVOBxPlDOxiAq/T9ypobspWSwHw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/overlays@3.8.4':
     resolution: {integrity: sha512-pfgNlQnbF6RB/R2oSxyqAP3Uzz0xE/k5q4n5gUeCDNLjY5qxFHGE8xniZZ503nZYw6VBa9XMN1efDOKQyeiO0w==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/overlays@3.8.9':
-    resolution: {integrity: sha512-9ni9upQgXPnR+K9cWmbYWvm3ll9gH8P/XsEZprqIV5zNLMF334jADK48h4jafb1X9RFnj0WbHo6BqcSObzjTig==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/progress@3.5.1':
     resolution: {integrity: sha512-CqsUjczUK/SfuFzDcajBBaXRTW0D3G9S/yqLDj9e8E0ii+lGDLt1PHj24t1J7E88U2rVYqmM9VL4NHTt8o3IYA==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/progress@3.5.6':
-    resolution: {integrity: sha512-Nh43sjQ5adyN1bTHBPRaIPhXUdBqP0miYeJpeMY3V/KUl4qmouJLwDnccwFG4xLm6gBfYe22lgbbV7nAfNnuTQ==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/radio@3.7.0':
     resolution: {integrity: sha512-EcwGAXzSHjSqpFZha7xn3IUrhPiJLj+0yb1Ip0qPmhWz0VVw2DwrkY7q/jfaKroVvQhTo2TbfGhcsAQrt0fRqg==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/radio@3.8.3':
-    resolution: {integrity: sha512-fUVJt4Bb6jOReFqnhHVNxWXH7t6c60uSFfoPKuXt/xI9LL1i2jhpur0ggpTfIn3qLIAmNBU6bKBCWAdr4KjeVQ==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/searchfield@3.5.2':
     resolution: {integrity: sha512-JAK2/Kg4Dr393FYfbRw0TlXKnJPX77sq1x/ZBxtO6p64+MuuIYKqw0i9PwDlo1PViw2QI5u8GFhKA2TgemY9uA==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/searchfield@3.5.8':
-    resolution: {integrity: sha512-EcdqalHNIC6BJoRfmqUhAvXRd3aHkWlV1cFCz57JJKgUEFYyXPNrXd1b73TKLzTXEk+X/D6LKV15ILYpEaxu8w==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/select@3.9.1':
     resolution: {integrity: sha512-EpKSxrnh8HdZvOF9dHQkjivAcdIp1K81FaxmvosH8Lygqh0iYXxAdZGtKLMyBoPI8YFhA+rotIzTcOqgCCnqWA==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/select@3.9.6':
-    resolution: {integrity: sha512-cVSFR0eJLup/ht1Uto+y8uyLmHO89J6wNh65SIHb3jeVz9oLBAedP3YNI2qB+F9qFMUcA8PBSLXIIuT6gXzLgQ==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/shared@3.22.0':
     resolution: {integrity: sha512-yVOekZWbtSmmiThGEIARbBpnmUIuePFlLyctjvCbgJgGhz8JnEJOipLQ/a4anaWfzAgzSceQP8j/K+VOOePleA==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/shared@3.24.1':
-    resolution: {integrity: sha512-AUQeGYEm/zDTN6zLzdXolDxz3Jk5dDL7f506F07U8tBwxNNI3WRdhU84G0/AaFikOZzDXhOZDr3MhQMzyE7Ydw==}
+  '@react-types/shared@3.34.0':
+    resolution: {integrity: sha512-gp6xo/s2lX54AlTjOiqwDnxA7UW79BNvI9dB9pr3LZTzRKCd1ZA+ZbgKw/ReIiWuvvVw/8QFJpnqeeFyLocMcQ==}
     peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
+      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0-rc.1
 
   '@react-types/slider@3.7.0':
     resolution: {integrity: sha512-uyQXUVFfqc9SPUW0LZLMan2n232F/OflRafiHXz9viLFa9tVOupVa7GhASRAoHojwkjoJ1LjFlPih7g5dOZ0/Q==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/slider@3.7.5':
-    resolution: {integrity: sha512-bRitwQRQjQoOcKEdPMljnvm474dwrmsc6pdsVQDh/qynzr+KO9IHuYc3qPW53WVE2hMQJDohlqtCAWQXWQ5Vcg==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/switch@3.5.0':
     resolution: {integrity: sha512-/wNmUGjk69bP6t5k2QkAdrNN5Eb9Rz4dOyp0pCPmoeE+5haW6sV5NmtkvWX1NSc4DQz1xL/a5b+A0vxPCP22Jw==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/switch@3.5.5':
-    resolution: {integrity: sha512-SZx1Bd+COhAOs/RTifbZG+uq/llwba7VAKx7XBeX4LeIz1dtguy5bigOBgFTMQi4qsIVCpybSWEEl+daj4XFPw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-types/table@3.10.1':
-    resolution: {integrity: sha512-xsNh0Gm4GtNeSknZqkMsfGvc94fycmfhspGO+FzQKim2hB5k4yILwd+lHYQ2UKW6New9GVH/zN2Pd3v67IeZ2g==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/table@3.9.2':
     resolution: {integrity: sha512-brw5JUANOzBa2rYNpN8AIl9nDZ9RwRZC6G/wTM/JhtirjC1S42oCtf8Ap5rWJBdmMG/5KOfcGNcAl/huyqb3gg==}
     peerDependencies:
@@ -9250,26 +6850,11 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/tabs@3.3.9':
-    resolution: {integrity: sha512-3Q9kRVvg/qDyeJR/W1+C2z2OyvDWQrSLvOCvAezX5UKzww4rBEAA8OqBlyDwn7q3fiwrh/m64l6p+dbln+RdxQ==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/textfield@3.9.0':
     resolution: {integrity: sha512-D/DiwzsfkwlAg3uv8hoIfwju+zhB/hWDEdTvxQbPkntDr0kmN/QfI17NMSzbOBCInC4ABX87ViXLGxr940ykGA==}
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  '@react-types/textfield@3.9.6':
-    resolution: {integrity: sha512-0uPqjJh4lYp1aL1HL9IlV8Cgp8eT0PcsNfdoCktfkLytvvBPmox2Pfm57W/d0xTtzZu2CjxhYNTob+JtGAOeXA==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
-  '@react-types/tooltip@3.4.11':
-    resolution: {integrity: sha512-WPikHQxeT5Lb09yJEaW6Ja3ecE0g1YM6ukWYS2v/iZLUPn5YlYrGytspuCYQNSh/u7suCz4zRLEHYCl7OCigjw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-
   '@react-types/tooltip@3.4.6':
     resolution: {integrity: sha512-RaZewdER7ZcsNL99RhVHs8kSLyzIBkwc0W6eFZrxST2MD9J5GzkVWRhIiqtFOd5U1aYnxdJ6woq72Ef+le6Vfw==}
     peerDependencies:
@@ -9278,23 +6863,29 @@ packages:
   '@remix-run/changelog-github@0.0.5':
     resolution: {integrity: sha512-43tqwUqWqirbv6D9uzo55ASPsCJ61Ein1k/M8qn+Qpros0MmbmuzjLVPmtaxfxfe2ANX0LefLvCD0pAgr1tp4g==}
 
-  '@remix-run/dev@2.1.0':
-    resolution: {integrity: sha512-Hn5lw46F+a48dp5uHKe68ckaHgdStW4+PmLod+LMFEqrMbkF0j4XD1ousebxlv989o0Uy/OLgfRMgMy4cBOvHg==}
+  '@remix-run/dev@2.17.4':
+    resolution: {integrity: sha512-El7r5W6ErX9KIy27+urbc4SIZnIlVDgTOUqzA7Zbv7caKYrsvgj/Z3i/LPy4VNfv0G1EdawPOrygJgIKT4r2FA==}
     engines: {node: '>=18.0.0'}
     hasBin: true
     peerDependencies:
-      '@remix-run/serve': ^2.1.0
+      '@remix-run/react': ^2.17.0
+      '@remix-run/serve': ^2.17.0
       typescript: 5.5.4
+      vite: ^6.4.2
+      wrangler: ^3.28.2
     peerDependenciesMeta:
       '@remix-run/serve':
         optional: true
       typescript:
         optional: true
+      vite:
+        optional: true
+      wrangler:
+        optional: true
 
-  '@remix-run/eslint-config@2.1.0':
-    resolution: {integrity: sha512-yfeUnHpUG+XveujMi6QODKMGhs5CvKWCKzASU397BPXiPWbMv6r2acfODSWK64ZdBMu9hcLbOb42GBFydVQeHA==}
+  '@remix-run/eslint-config@2.17.4':
+    resolution: {integrity: sha512-Hhslms8Kl0fXHDS5UJWwyJ/1YQzJhRLjNZF+IfRLmCHI/zCvJP4dfy9yiT5BHnHb/m6MUz3l1L8EpPItg0dD5Q==}
     engines: {node: '>=18.0.0'}
-    deprecated: Will no longer be maintained in React Router v7
     peerDependencies:
       eslint: ^8.0.0
       react: ^18.0.0
@@ -9303,18 +6894,18 @@ packages:
       typescript:
         optional: true
 
-  '@remix-run/express@2.1.0':
-    resolution: {integrity: sha512-R5myPowQx6LYWY3+EqP42q19MOCT3+ZGwb2f0UKNs9a34R8U3nFpGWL7saXryC+To+EasujEScc8rTQw5Pftog==}
+  '@remix-run/express@2.17.4':
+    resolution: {integrity: sha512-4zZs0L7v2pvAq896zHRLNMhoOKIPXM9qnYdHLbz4mpZUMbNAgQacGazArIrUV3M4g0gRMY0dLrt5CqMNrlBeYg==}
     engines: {node: '>=18.0.0'}
     peerDependencies:
-      express: ^4.17.1
+      express: ^4.20.0
       typescript: 5.5.4
     peerDependenciesMeta:
       typescript:
         optional: true
 
-  '@remix-run/node@2.1.0':
-    resolution: {integrity: sha512-TeSgjXnZUUlmw5FVpBVnXY7MLpracjdnwFNwoJE5NQkiUEFnGD/Yhvk4F2fOCkszqc2Z25KRclc5noweyiFu6Q==}
+  '@remix-run/node@2.17.4':
+    resolution: {integrity: sha512-9A29JaYiGHDEmaiQuD1IlO/TrQxnnkj98GpytihU+Nz6yTt6RwzzyMMqTAoasRd1dPD4OeSaSqbwkcim/eE76Q==}
     engines: {node: '>=18.0.0'}
     peerDependencies:
       typescript: 5.5.4
@@ -9322,8 +6913,8 @@ packages:
       typescript:
         optional: true
 
-  '@remix-run/react@2.1.0':
-    resolution: {integrity: sha512-DeYgfsvNxHqNn29sGA3XsZCciMKo2EFTQ9hHkuVPTsJXC4ipHr6Dja1j6UzZYPe/ZuKppiuTjueWCQlE2jOe1w==}
+  '@remix-run/react@2.17.4':
+    resolution: {integrity: sha512-MeXHacIBoohr9jzec5j/Rmk57xk34korkPDDb0OPHgkdvh20lO5fJoSAcnZfjTIOH+Vsq1ZRQlmvG5PRQ/64Sw==}
     engines: {node: '>=18.0.0'}
     peerDependencies:
       react: ^18.0.0
@@ -9333,21 +6924,17 @@ packages:
       typescript:
         optional: true
 
-  '@remix-run/router@1.10.0':
-    resolution: {integrity: sha512-Lm+fYpMfZoEucJ7cMxgt4dYt8jLfbpwRCzAjm9UgSLOkmlqo9gupxt6YX3DY0Fk155NT9l17d/ydi+964uS9Lw==}
-    engines: {node: '>=14.0.0'}
-
-  '@remix-run/router@1.15.3':
-    resolution: {integrity: sha512-Oy8rmScVrVxWZVOpEF57ovlnhpZ8CCPlnIIumVcV9nFdiSIrus99+Lw78ekXyGvVDlIsFJbSfmSovJUhCWYV3w==}
+  '@remix-run/router@1.23.2':
+    resolution: {integrity: sha512-Ic6m2U/rMjTkhERIa/0ZtXJP17QUi2CbWE7cqx4J58M8aA3QTfW+2UlQ4psvTX9IO1RfNVhK3pcpdjej7L+t2w==}
     engines: {node: '>=14.0.0'}
 
-  '@remix-run/serve@2.1.0':
-    resolution: {integrity: sha512-XHI+vPYz217qrg1QcV38TTPlEBTzMJzAt0SImPutyF0S2IBrZGZIFMEsspI0i0wNvdcdQz1IqmSx+mTghzW8eQ==}
+  '@remix-run/serve@2.17.4':
+    resolution: {integrity: sha512-c632agTDib70cytmxMVqSbBMlhFKawcg5048yZZK/qeP2AmUweM7OY6Ivgcmv/pgjLXYOu17UBKhtGU8T5y8cQ==}
     engines: {node: '>=18.0.0'}
     hasBin: true
 
-  '@remix-run/server-runtime@2.1.0':
-    resolution: {integrity: sha512-Uz69yF4Gu6F3VYQub3JgDo9godN8eDMeZclkadBTAWN7bYLonu0ChR/GlFxS35OLeF7BDgudxOSZob0nE1WHNg==}
+  '@remix-run/server-runtime@2.17.4':
+    resolution: {integrity: sha512-oCsFbPuISgh8KpPKsfBChzjcntvTz5L+ggq9VNYWX8RX3yA7OgQpKspRHOSxb05bw7m0Hx+L1KRHXjf3juKX8w==}
     engines: {node: '>=18.0.0'}
     peerDependencies:
       typescript: 5.5.4
@@ -9355,8 +6942,8 @@ packages:
       typescript:
         optional: true
 
-  '@remix-run/testing@2.1.0':
-    resolution: {integrity: sha512-eLPx4Bmjt243kyRpQTong1eFo6nkvSfCr65bb5PfoF172DKnsSSCYWAmBmB72VwtAPESHxBm3g6AUbhwphkU6A==}
+  '@remix-run/testing@2.17.4':
+    resolution: {integrity: sha512-x+fkFH5RDJzqQcx60gbabYg0lgwSywkuE7svzmlZIbqUbzwiHbvUgvDGD0P6gR4+ZY2Zynvsb0puglosK6gW2g==}
     engines: {node: '>=18.0.0'}
     peerDependencies:
       react: ^18.0.0
@@ -9374,8 +6961,8 @@ packages:
   '@remix-run/web-blob@3.1.0':
     resolution: {integrity: sha512-owGzFLbqPH9PlKb8KvpNJ0NO74HWE2euAn61eEiyCXX/oteoVzTVSN8mpLgDjaxBf2btj5/nUllSUgpyd6IH6g==}
 
-  '@remix-run/web-fetch@4.4.1':
-    resolution: {integrity: sha512-xMceEGn2kvfeWS91nHSOhEQHPGgjFnmDVpWFZrbWPVdiTByMZIn421/tdSF6Kd1RsNsY+5Iwt3JFEKZHAcMQHw==}
+  '@remix-run/web-fetch@4.4.2':
+    resolution: {integrity: sha512-jgKfzA713/4kAW/oZ4bC3MoLWyjModOVDjFPNseVqcJKSafgIscrYL9G50SurEYLswPuoU3HzSbO0jQCMYWHhA==}
     engines: {node: ^10.17 || >=12.3}
 
   '@remix-run/web-file@3.1.0':
@@ -9387,127 +6974,160 @@ packages:
   '@remix-run/web-stream@1.1.0':
     resolution: {integrity: sha512-KRJtwrjRV5Bb+pM7zxcTJkhIqWWSy+MYsIxHK+0m5atcznsf15YwUBWHWulZerV2+vvHH1Lp1DD7pw6qKW8SgA==}
 
-  '@rollup/rollup-android-arm-eabi@4.36.0':
-    resolution: {integrity: sha512-jgrXjjcEwN6XpZXL0HUeOVGfjXhPyxAbbhD0BlXUB+abTOpbPiN5Wb3kOT7yb+uEtATNYF5x5gIfwutmuBA26w==}
+  '@rollup/rollup-android-arm-eabi@4.60.1':
+    resolution: {integrity: sha512-d6FinEBLdIiK+1uACUttJKfgZREXrF0Qc2SmLII7W2AD8FfiZ9Wjd+rD/iRuf5s5dWrr1GgwXCvPqOuDquOowA==}
     cpu: [arm]
     os: [android]
 
-  '@rollup/rollup-android-arm64@4.36.0':
-    resolution: {integrity: sha512-NyfuLvdPdNUfUNeYKUwPwKsE5SXa2J6bCt2LdB/N+AxShnkpiczi3tcLJrm5mA+eqpy0HmaIY9F6XCa32N5yzg==}
+  '@rollup/rollup-android-arm64@4.60.1':
+    resolution: {integrity: sha512-YjG/EwIDvvYI1YvYbHvDz/BYHtkY4ygUIXHnTdLhG+hKIQFBiosfWiACWortsKPKU/+dUwQQCKQM3qrDe8c9BA==}
     cpu: [arm64]
     os: [android]
 
-  '@rollup/rollup-darwin-arm64@4.36.0':
-    resolution: {integrity: sha512-JQ1Jk5G4bGrD4pWJQzWsD8I1n1mgPXq33+/vP4sk8j/z/C2siRuxZtaUA7yMTf71TCZTZl/4e1bfzwUmFb3+rw==}
+  '@rollup/rollup-darwin-arm64@4.53.2':
+    resolution: {integrity: sha512-A6s4gJpomNBtJ2yioj8bflM2oogDwzUiMl2yNJ2v9E7++sHrSrsQ29fOfn5DM/iCzpWcebNYEdXpaK4tr2RhfQ==}
     cpu: [arm64]
     os: [darwin]
 
-  '@rollup/rollup-darwin-arm64@4.53.2':
-    resolution: {integrity: sha512-A6s4gJpomNBtJ2yioj8bflM2oogDwzUiMl2yNJ2v9E7++sHrSrsQ29fOfn5DM/iCzpWcebNYEdXpaK4tr2RhfQ==}
+  '@rollup/rollup-darwin-arm64@4.60.1':
+    resolution: {integrity: sha512-mjCpF7GmkRtSJwon+Rq1N8+pI+8l7w5g9Z3vWj4T7abguC4Czwi3Yu/pFaLvA3TTeMVjnu3ctigusqWUfjZzvw==}
     cpu: [arm64]
     os: [darwin]
 
-  '@rollup/rollup-darwin-x64@4.36.0':
-    resolution: {integrity: sha512-6c6wMZa1lrtiRsbDziCmjE53YbTkxMYhhnWnSW8R/yqsM7a6mSJ3uAVT0t8Y/DGt7gxUWYuFM4bwWk9XCJrFKA==}
+  '@rollup/rollup-darwin-x64@4.60.1':
+    resolution: {integrity: sha512-haZ7hJ1JT4e9hqkoT9R/19XW2QKqjfJVv+i5AGg57S+nLk9lQnJ1F/eZloRO3o9Scy9CM3wQ9l+dkXtcBgN5Ew==}
     cpu: [x64]
     os: [darwin]
 
-  '@rollup/rollup-freebsd-arm64@4.36.0':
-    resolution: {integrity: sha512-KXVsijKeJXOl8QzXTsA+sHVDsFOmMCdBRgFmBb+mfEb/7geR7+C8ypAml4fquUt14ZyVXaw2o1FWhqAfOvA4sg==}
+  '@rollup/rollup-freebsd-arm64@4.60.1':
+    resolution: {integrity: sha512-czw90wpQq3ZsAVBlinZjAYTKduOjTywlG7fEeWKUA7oCmpA8xdTkxZZlwNJKWqILlq0wehoZcJYfBvOyhPTQ6w==}
     cpu: [arm64]
     os: [freebsd]
 
-  '@rollup/rollup-freebsd-x64@4.36.0':
-    resolution: {integrity: sha512-dVeWq1ebbvByI+ndz4IJcD4a09RJgRYmLccwlQ8bPd4olz3Y213uf1iwvc7ZaxNn2ab7bjc08PrtBgMu6nb4pQ==}
+  '@rollup/rollup-freebsd-x64@4.60.1':
+    resolution: {integrity: sha512-KVB2rqsxTHuBtfOeySEyzEOB7ltlB/ux38iu2rBQzkjbwRVlkhAGIEDiiYnO2kFOkJp+Z7pUXKyrRRFuFUKt+g==}
     cpu: [x64]
     os: [freebsd]
 
-  '@rollup/rollup-linux-arm-gnueabihf@4.36.0':
-    resolution: {integrity: sha512-bvXVU42mOVcF4le6XSjscdXjqx8okv4n5vmwgzcmtvFdifQ5U4dXFYaCB87namDRKlUL9ybVtLQ9ztnawaSzvg==}
+  '@rollup/rollup-linux-arm-gnueabihf@4.60.1':
+    resolution: {integrity: sha512-L+34Qqil+v5uC0zEubW7uByo78WOCIrBvci69E7sFASRl0X7b/MB6Cqd1lky/CtcSVTydWa2WZwFuWexjS5o6g==}
     cpu: [arm]
     os: [linux]
     libc: [glibc]
 
-  '@rollup/rollup-linux-arm-musleabihf@4.36.0':
-    resolution: {integrity: sha512-JFIQrDJYrxOnyDQGYkqnNBtjDwTgbasdbUiQvcU8JmGDfValfH1lNpng+4FWlhaVIR4KPkeddYjsVVbmJYvDcg==}
+  '@rollup/rollup-linux-arm-musleabihf@4.60.1':
+    resolution: {integrity: sha512-n83O8rt4v34hgFzlkb1ycniJh7IR5RCIqt6mz1VRJD6pmhRi0CXdmfnLu9dIUS6buzh60IvACM842Ffb3xd6Gg==}
     cpu: [arm]
     os: [linux]
     libc: [musl]
 
-  '@rollup/rollup-linux-arm64-gnu@4.36.0':
-    resolution: {integrity: sha512-KqjYVh3oM1bj//5X7k79PSCZ6CvaVzb7Qs7VMWS+SlWB5M8p3FqufLP9VNp4CazJ0CsPDLwVD9r3vX7Ci4J56A==}
+  '@rollup/rollup-linux-arm64-gnu@4.60.1':
+    resolution: {integrity: sha512-Nql7sTeAzhTAja3QXeAI48+/+GjBJ+QmAH13snn0AJSNL50JsDqotyudHyMbO2RbJkskbMbFJfIJKWA6R1LCJQ==}
     cpu: [arm64]
     os: [linux]
     libc: [glibc]
 
-  '@rollup/rollup-linux-arm64-musl@4.36.0':
-    resolution: {integrity: sha512-QiGnhScND+mAAtfHqeT+cB1S9yFnNQ/EwCg5yE3MzoaZZnIV0RV9O5alJAoJKX/sBONVKeZdMfO8QSaWEygMhw==}
+  '@rollup/rollup-linux-arm64-musl@4.60.1':
+    resolution: {integrity: sha512-+pUymDhd0ys9GcKZPPWlFiZ67sTWV5UU6zOJat02M1+PiuSGDziyRuI/pPue3hoUwm2uGfxdL+trT6Z9rxnlMA==}
     cpu: [arm64]
     os: [linux]
     libc: [musl]
 
-  '@rollup/rollup-linux-loongarch64-gnu@4.36.0':
-    resolution: {integrity: sha512-1ZPyEDWF8phd4FQtTzMh8FQwqzvIjLsl6/84gzUxnMNFBtExBtpL51H67mV9xipuxl1AEAerRBgBwFNpkw8+Lg==}
+  '@rollup/rollup-linux-loong64-gnu@4.60.1':
+    resolution: {integrity: sha512-VSvgvQeIcsEvY4bKDHEDWcpW4Yw7BtlKG1GUT4FzBUlEKQK0rWHYBqQt6Fm2taXS+1bXvJT6kICu5ZwqKCnvlQ==}
     cpu: [loong64]
     os: [linux]
     libc: [glibc]
 
-  '@rollup/rollup-linux-powerpc64le-gnu@4.36.0':
-    resolution: {integrity: sha512-VMPMEIUpPFKpPI9GZMhJrtu8rxnp6mJR3ZzQPykq4xc2GmdHj3Q4cA+7avMyegXy4n1v+Qynr9fR88BmyO74tg==}
+  '@rollup/rollup-linux-loong64-musl@4.60.1':
+    resolution: {integrity: sha512-4LqhUomJqwe641gsPp6xLfhqWMbQV04KtPp7/dIp0nzPxAkNY1AbwL5W0MQpcalLYk07vaW9Kp1PBhdpZYYcEw==}
+    cpu: [loong64]
+    os: [linux]
+    libc: [musl]
+
+  '@rollup/rollup-linux-ppc64-gnu@4.60.1':
+    resolution: {integrity: sha512-tLQQ9aPvkBxOc/EUT6j3pyeMD6Hb8QF2BTBnCQWP/uu1lhc9AIrIjKnLYMEroIz/JvtGYgI9dF3AxHZNaEH0rw==}
     cpu: [ppc64]
     os: [linux]
     libc: [glibc]
 
-  '@rollup/rollup-linux-riscv64-gnu@4.36.0':
-    resolution: {integrity: sha512-ttE6ayb/kHwNRJGYLpuAvB7SMtOeQnVXEIpMtAvx3kepFQeowVED0n1K9nAdraHUPJ5hydEMxBpIR7o4nrm8uA==}
+  '@rollup/rollup-linux-ppc64-musl@4.60.1':
+    resolution: {integrity: sha512-RMxFhJwc9fSXP6PqmAz4cbv3kAyvD1etJFjTx4ONqFP9DkTkXsAMU4v3Vyc5BgzC+anz7nS/9tp4obsKfqkDHg==}
+    cpu: [ppc64]
+    os: [linux]
+    libc: [musl]
+
+  '@rollup/rollup-linux-riscv64-gnu@4.60.1':
+    resolution: {integrity: sha512-QKgFl+Yc1eEk6MmOBfRHYF6lTxiiiV3/z/BRrbSiW2I7AFTXoBFvdMEyglohPj//2mZS4hDOqeB0H1ACh3sBbg==}
     cpu: [riscv64]
     os: [linux]
     libc: [glibc]
 
-  '@rollup/rollup-linux-s390x-gnu@4.36.0':
-    resolution: {integrity: sha512-4a5gf2jpS0AIe7uBjxDeUMNcFmaRTbNv7NxI5xOCs4lhzsVyGR/0qBXduPnoWf6dGC365saTiwag8hP1imTgag==}
+  '@rollup/rollup-linux-riscv64-musl@4.60.1':
+    resolution: {integrity: sha512-RAjXjP/8c6ZtzatZcA1RaQr6O1TRhzC+adn8YZDnChliZHviqIjmvFwHcxi4JKPSDAt6Uhf/7vqcBzQJy0PDJg==}
+    cpu: [riscv64]
+    os: [linux]
+    libc: [musl]
+
+  '@rollup/rollup-linux-s390x-gnu@4.60.1':
+    resolution: {integrity: sha512-wcuocpaOlaL1COBYiA89O6yfjlp3RwKDeTIA0hM7OpmhR1Bjo9j31G1uQVpDlTvwxGn2nQs65fBFL5UFd76FcQ==}
     cpu: [s390x]
     os: [linux]
     libc: [glibc]
 
-  '@rollup/rollup-linux-x64-gnu@4.36.0':
-    resolution: {integrity: sha512-5KtoW8UWmwFKQ96aQL3LlRXX16IMwyzMq/jSSVIIyAANiE1doaQsx/KRyhAvpHlPjPiSU/AYX/8m+lQ9VToxFQ==}
+  '@rollup/rollup-linux-x64-gnu@4.53.2':
+    resolution: {integrity: sha512-yo8d6tdfdeBArzC7T/PnHd7OypfI9cbuZzPnzLJIyKYFhAQ8SvlkKtKBMbXDxe1h03Rcr7u++nFS7tqXz87Gtw==}
     cpu: [x64]
     os: [linux]
     libc: [glibc]
 
-  '@rollup/rollup-linux-x64-gnu@4.53.2':
-    resolution: {integrity: sha512-yo8d6tdfdeBArzC7T/PnHd7OypfI9cbuZzPnzLJIyKYFhAQ8SvlkKtKBMbXDxe1h03Rcr7u++nFS7tqXz87Gtw==}
+  '@rollup/rollup-linux-x64-gnu@4.60.1':
+    resolution: {integrity: sha512-77PpsFQUCOiZR9+LQEFg9GClyfkNXj1MP6wRnzYs0EeWbPcHs02AXu4xuUbM1zhwn3wqaizle3AEYg5aeoohhg==}
     cpu: [x64]
     os: [linux]
     libc: [glibc]
 
-  '@rollup/rollup-linux-x64-musl@4.36.0':
-    resolution: {integrity: sha512-sycrYZPrv2ag4OCvaN5js+f01eoZ2U+RmT5as8vhxiFz+kxwlHrsxOwKPSA8WyS+Wc6Epid9QeI/IkQ9NkgYyQ==}
+  '@rollup/rollup-linux-x64-musl@4.60.1':
+    resolution: {integrity: sha512-5cIATbk5vynAjqqmyBjlciMJl1+R/CwX9oLk/EyiFXDWd95KpHdrOJT//rnUl4cUcskrd0jCCw3wpZnhIHdD9w==}
     cpu: [x64]
     os: [linux]
     libc: [musl]
 
-  '@rollup/rollup-win32-arm64-msvc@4.36.0':
-    resolution: {integrity: sha512-qbqt4N7tokFwwSVlWDsjfoHgviS3n/vZ8LK0h1uLG9TYIRuUTJC88E1xb3LM2iqZ/WTqNQjYrtmtGmrmmawB6A==}
+  '@rollup/rollup-openbsd-x64@4.60.1':
+    resolution: {integrity: sha512-cl0w09WsCi17mcmWqqglez9Gk8isgeWvoUZ3WiJFYSR3zjBQc2J5/ihSjpl+VLjPqjQ/1hJRcqBfLjssREQILw==}
+    cpu: [x64]
+    os: [openbsd]
+
+  '@rollup/rollup-openharmony-arm64@4.60.1':
+    resolution: {integrity: sha512-4Cv23ZrONRbNtbZa37mLSueXUCtN7MXccChtKpUnQNgF010rjrjfHx3QxkS2PI7LqGT5xXyYs1a7LbzAwT0iCA==}
+    cpu: [arm64]
+    os: [openharmony]
+
+  '@rollup/rollup-win32-arm64-msvc@4.60.1':
+    resolution: {integrity: sha512-i1okWYkA4FJICtr7KpYzFpRTHgy5jdDbZiWfvny21iIKky5YExiDXP+zbXzm3dUcFpkEeYNHgQ5fuG236JPq0g==}
     cpu: [arm64]
     os: [win32]
 
-  '@rollup/rollup-win32-ia32-msvc@4.36.0':
-    resolution: {integrity: sha512-t+RY0JuRamIocMuQcfwYSOkmdX9dtkr1PbhKW42AMvaDQa+jOdpUYysroTF/nuPpAaQMWp7ye+ndlmmthieJrQ==}
+  '@rollup/rollup-win32-ia32-msvc@4.60.1':
+    resolution: {integrity: sha512-u09m3CuwLzShA0EYKMNiFgcjjzwqtUMLmuCJLeZWjjOYA3IT2Di09KaxGBTP9xVztWyIWjVdsB2E9goMjZvTQg==}
     cpu: [ia32]
     os: [win32]
 
-  '@rollup/rollup-win32-x64-msvc@4.36.0':
-    resolution: {integrity: sha512-aRXd7tRZkWLqGbChgcMMDEHjOKudo1kChb1Jt1IfR8cY/KIpgNviLeJy5FUb9IpSuQj8dU2fAYNMPW/hLKOSTw==}
+  '@rollup/rollup-win32-x64-gnu@4.60.1':
+    resolution: {integrity: sha512-k+600V9Zl1CM7eZxJgMyTUzmrmhB/0XZnF4pRypKAlAgxmedUA+1v9R+XOFv56W4SlHEzfeMtzujLJD22Uz5zg==}
+    cpu: [x64]
+    os: [win32]
+
+  '@rollup/rollup-win32-x64-msvc@4.60.1':
+    resolution: {integrity: sha512-lWMnixq/QzxyhTV6NjQJ4SFo1J6PvOX8vUx5Wb4bBPsEb+8xZ89Bz6kOXpfXj9ak9AHTQVQzlgzBEc1SyM27xQ==}
     cpu: [x64]
     os: [win32]
 
   '@rushstack/eslint-patch@1.2.0':
     resolution: {integrity: sha512-sXo/qW2/pAcmT43VoRKOJbDOfV3cYpq3szSVfIThQXNt+E4DfKj361vaAt3c88U5tPUxzEswam7GW48PJqtKAg==}
 
-  '@s2-dev/streamstore@0.22.5':
-    resolution: {integrity: sha512-GqdOKIbIoIxT+40fnKzHbrsHB6gBqKdECmFe7D3Ojk4FoN1Hu0LhFzZv6ZmVMjoHHU+55debS1xSWjZwQmbIyQ==}
+  '@s2-dev/streamstore@0.22.10':
+    resolution: {integrity: sha512-dtm+oFHVE8szINwOUoNQdx9xpGSJOrcAEvsxspPFvomjYKGnmhIRmU4OX8o6kxcPoiK76S1tPeU0smjZdmOngA==}
 
   '@sec-ant/readable-stream@0.4.1':
     resolution: {integrity: sha512-831qok9r2t8AlxLko40y2ebgSDhenenCatLVeW/uBtnHPyhHOvG0C7TvfgecV+wHzIm5KUICgzmVpWS+IMEAeg==}
@@ -9633,23 +7253,23 @@ packages:
       '@remix-run/server-runtime': 2.x
       react: 18.x
 
-  '@shikijs/core@3.13.0':
-    resolution: {integrity: sha512-3P8rGsg2Eh2qIHekwuQjzWhKI4jV97PhvYjYUzGqjvJfqdQPz+nMlfWahU24GZAyW1FxFI1sYjyhfh5CoLmIUA==}
+  '@shikijs/core@3.23.0':
+    resolution: {integrity: sha512-NSWQz0riNb67xthdm5br6lAkvpDJRTgB36fxlo37ZzM2yq0PQFFzbd8psqC2XMPgCzo1fW6cVi18+ArJ44wqgA==}
 
-  '@shikijs/engine-javascript@3.13.0':
-    resolution: {integrity: sha512-Ty7xv32XCp8u0eQt8rItpMs6rU9Ki6LJ1dQOW3V/56PKDcpvfHPnYFbsx5FFUP2Yim34m/UkazidamMNVR4vKg==}
+  '@shikijs/engine-javascript@3.23.0':
+    resolution: {integrity: sha512-aHt9eiGFobmWR5uqJUViySI1bHMqrAgamWE1TYSUoftkAeCCAiGawPMwM+VCadylQtF4V3VNOZ5LmfItH5f3yA==}
 
-  '@shikijs/engine-oniguruma@3.13.0':
-    resolution: {integrity: sha512-O42rBGr4UDSlhT2ZFMxqM7QzIU+IcpoTMzb3W7AlziI1ZF7R8eS2M0yt5Ry35nnnTX/LTLXFPUjRFCIW+Operg==}
+  '@shikijs/engine-oniguruma@3.23.0':
+    resolution: {integrity: sha512-1nWINwKXxKKLqPibT5f4pAFLej9oZzQTsby8942OTlsJzOBZ0MWKiwzMsd+jhzu8YPCHAswGnnN1YtQfirL35g==}
 
-  '@shikijs/langs@3.13.0':
-    resolution: {integrity: sha512-672c3WAETDYHwrRP0yLy3W1QYB89Hbpj+pO4KhxK6FzIrDI2FoEXNiNCut6BQmEApYLfuYfpgOZaqbY+E9b8wQ==}
+  '@shikijs/langs@3.23.0':
+    resolution: {integrity: sha512-2Ep4W3Re5aB1/62RSYQInK9mM3HsLeB91cHqznAJMuylqjzNVAVCMnNWRHFtcNHXsoNRayP9z1qj4Sq3nMqYXg==}
 
-  '@shikijs/themes@3.13.0':
-    resolution: {integrity: sha512-Vxw1Nm1/Od8jyA7QuAenaV78BG2nSr3/gCGdBkLpfLscddCkzkL36Q5b67SrLLfvAJTOUzW39x4FHVCFriPVgg==}
+  '@shikijs/themes@3.23.0':
+    resolution: {integrity: sha512-5qySYa1ZgAT18HR/ypENL9cUSGOeI2x+4IvYJu4JgVJdizn6kG4ia5Q1jDEOi7gTbN4RbuYtmHh0W3eccOrjMA==}
 
-  '@shikijs/types@3.13.0':
-    resolution: {integrity: sha512-oM9P+NCFri/mmQ8LoFGVfVyemm5Hi27330zuOBp0annwJdKH1kOLndw3zCtAVDehPLg9fKqoEx3Ht/wNZxolfw==}
+  '@shikijs/types@3.23.0':
+    resolution: {integrity: sha512-3JZ5HXOZfYjsYSk0yPwBrkupyYSLpAE26Qc0HLghhZNGTZg/SKxXIIgoxOpmmeQP0RRSDJTk1/vPfw9tbw+jSQ==}
 
   '@shikijs/vscode-textmate@10.0.2':
     resolution: {integrity: sha512-83yeghZ2xxin3Nj8z1NMd/NCuca+gsYXswywDy5bHvwlWL8tpTQmzGeUuHd9FC3E/SBEMvzJRwWEOz5gGes9Qg==}
@@ -9678,16 +7298,16 @@ packages:
     resolution: {integrity: sha512-tlqY9xq5ukxTUZBmoOp+m61cqwQD5pHJtFY3Mn8CA8ps6yghLH/Hw8UPdqg4OLmFW3IFlcXnQNmo/dh8HzXYIQ==}
     engines: {node: '>=18'}
 
-  '@slack/logger@4.0.0':
-    resolution: {integrity: sha512-Wz7QYfPAlG/DR+DfABddUZeNgoeY7d1J39OCR2jR+v7VBsB8ezulDK5szTnDDPDwLH5IWhLvXIHlCFZV7MSKgA==}
+  '@slack/logger@4.0.1':
+    resolution: {integrity: sha512-6cmdPrV/RYfd2U0mDGiMK8S7OJqpCTm7enMLRR3edccsPX8j7zXTLnaEF4fhxxJJTAIOil6+qZrnUPTuaLvwrQ==}
     engines: {node: '>= 18', npm: '>= 8.6.0'}
 
-  '@slack/types@2.14.0':
-    resolution: {integrity: sha512-n0EGm7ENQRxlXbgKSrQZL69grzg1gHLAVd+GlRVQJ1NSORo0FrApR7wql/gaKdu2n4TO83Sq/AmeUOqD60aXUA==}
+  '@slack/types@2.21.1':
+    resolution: {integrity: sha512-I8vmSjNYWsaxuWPx6dz4yeh0h7vRBWbgAMK14LEmblbZ404BtrPbXs6jDPx4cYgGf8msDGF4A9opLZBu21FViQ==}
     engines: {node: '>= 12.13.0', npm: '>= 6.12.0'}
 
-  '@slack/web-api@7.9.1':
-    resolution: {integrity: sha512-qMcb1oWw3Y/KlUIVJhkI8+NcQXq1lNymwf+ewk93ggZsGd6iuz9ObQsOEbvlqlx1J+wd8DmIm3DORGKs0fcKdg==}
+  '@slack/web-api@7.16.0':
+    resolution: {integrity: sha512-68SAV77uuGKuhyyaRytX8UijVnqSLsTSKslGXw17cjQYXn+jtNl7gbaEjHgC5x2rhCuFdahBrEC2VCLppbzReg==}
     engines: {node: '>= 18', npm: '>= 8.6.0'}
 
   '@smithy/abort-controller@2.0.14':
@@ -10255,6 +7875,11 @@ packages:
   '@standard-schema/spec@1.1.0':
     resolution: {integrity: sha512-l2aFy5jALhniG5HgqrD6jXLi/rUWrKvqN/qJx6yoJsgKhblVd+iqqU4RCXavm/jPityDo5TCvKMnpjKnOriy0w==}
 
+  '@streamdown/code@1.1.1':
+    resolution: {integrity: sha512-i7HTNuDgZWb+VdrNVOam9gQhIc5MSSDXKWXgbUrn/4vSRaSMM+Rtl10MQj4wLWPNpF7p80waJsAqFP8HZfb0Jg==}
+    peerDependencies:
+      react: ^18.0.0 || ^19.0.0
+
   '@stricli/auto-complete@1.2.0':
     resolution: {integrity: sha512-r9/msiloVmTF95mdhe04Uzqei1B0ZofhYRLeiPqpJ1W1RMCC8p9iW7kqBZEbALl2aRL5ZK9OEW3Q1cIejH7KEQ==}
     hasBin: true
@@ -10415,9 +8040,6 @@ packages:
   '@swc/helpers@0.5.2':
     resolution: {integrity: sha512-E4KcWTpoLHqwPHLxidpOqQbcrZVgi0rsmmZXUle1jXmJfuIf/UWpczUJ7MZZ5tlxytgJXyp0w4PGkkeLiuIdZw==}
 
-  '@swc/helpers@0.5.5':
-    resolution: {integrity: sha512-KGYxvIOXcceOAbEk4bi/dVLEK9z8sZ0uBB3Il5b1rhfClSpcX0yfRO0KmTkqR2cnQDymwLB+25ZyMzICg/cm/A==}
-
   '@swc/types@0.1.6':
     resolution: {integrity: sha512-/JLo/l2JsT/LRd80C3HfbmVpxOAJ11FO2RCEslFrgzLltoP9j8XIbsyDcfCt2WWyX+CM96rBoNM+IToAkFOugg==}
 
@@ -10443,86 +8065,6 @@ packages:
     peerDependencies:
       tailwindcss: '>=3.0.0 || >= 3.0.0-alpha.1'
 
-  '@tailwindcss/node@4.0.17':
-    resolution: {integrity: sha512-LIdNwcqyY7578VpofXyqjH6f+3fP4nrz7FBLki5HpzqjYfXdF2m/eW18ZfoKePtDGg90Bvvfpov9d2gy5XVCbg==}
-
-  '@tailwindcss/oxide-android-arm64@4.0.17':
-    resolution: {integrity: sha512-3RfO0ZK64WAhop+EbHeyxGThyDr/fYhxPzDbEQjD2+v7ZhKTb2svTWy+KK+J1PHATus2/CQGAGp7pHY/8M8ugg==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [android]
-
-  '@tailwindcss/oxide-darwin-arm64@4.0.17':
-    resolution: {integrity: sha512-e1uayxFQCCDuzTk9s8q7MC5jFN42IY7nzcr5n0Mw/AcUHwD6JaBkXnATkD924ZsHyPDvddnusIEvkgLd2CiREg==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@tailwindcss/oxide-darwin-x64@4.0.17':
-    resolution: {integrity: sha512-d6z7HSdOKfXQ0HPlVx1jduUf/YtBuCCtEDIEFeBCzgRRtDsUuRtofPqxIVaSCUTOk5+OfRLonje6n9dF6AH8wQ==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [darwin]
-
-  '@tailwindcss/oxide-freebsd-x64@4.0.17':
-    resolution: {integrity: sha512-EjrVa6lx3wzXz3l5MsdOGtYIsRjgs5Mru6lDv4RuiXpguWeOb3UzGJ7vw7PEzcFadKNvNslEQqoAABeMezprxQ==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [freebsd]
-
-  '@tailwindcss/oxide-linux-arm-gnueabihf@4.0.17':
-    resolution: {integrity: sha512-65zXfCOdi8wuaY0Ye6qMR5LAXokHYtrGvo9t/NmxvSZtCCitXV/gzJ/WP5ksXPhff1SV5rov0S+ZIZU+/4eyCQ==}
-    engines: {node: '>= 10'}
-    cpu: [arm]
-    os: [linux]
-
-  '@tailwindcss/oxide-linux-arm64-gnu@4.0.17':
-    resolution: {integrity: sha512-+aaq6hJ8ioTdbJV5IA1WjWgLmun4T7eYLTvJIToiXLHy5JzUERRbIZjAcjgK9qXMwnvuu7rqpxzej+hGoEcG5g==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [linux]
-    libc: [glibc]
-
-  '@tailwindcss/oxide-linux-arm64-musl@4.0.17':
-    resolution: {integrity: sha512-/FhWgZCdUGAeYHYnZKekiOC0aXFiBIoNCA0bwzkICiMYS5Rtx2KxFfMUXQVnl4uZRblG5ypt5vpPhVaXgGk80w==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [linux]
-    libc: [musl]
-
-  '@tailwindcss/oxide-linux-x64-gnu@4.0.17':
-    resolution: {integrity: sha512-gELJzOHK6GDoIpm/539Golvk+QWZjxQcbkKq9eB2kzNkOvrP0xc5UPgO9bIMNt1M48mO8ZeNenCMGt6tfkvVBg==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [linux]
-    libc: [glibc]
-
-  '@tailwindcss/oxide-linux-x64-musl@4.0.17':
-    resolution: {integrity: sha512-68NwxcJrZn94IOW4TysMIbYv5AlM6So1luTlbYUDIGnKma1yTFGBRNEJ+SacJ3PZE2rgcTBNRHX1TB4EQ/XEHw==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [linux]
-    libc: [musl]
-
-  '@tailwindcss/oxide-win32-arm64-msvc@4.0.17':
-    resolution: {integrity: sha512-AkBO8efP2/7wkEXkNlXzRD4f/7WerqKHlc6PWb5v0jGbbm22DFBLbIM19IJQ3b+tNewQZa+WnPOaGm0SmwMNjw==}
-    engines: {node: '>= 10'}
-    cpu: [arm64]
-    os: [win32]
-
-  '@tailwindcss/oxide-win32-x64-msvc@4.0.17':
-    resolution: {integrity: sha512-7/DTEvXcoWlqX0dAlcN0zlmcEu9xSermuo7VNGX9tJ3nYMdo735SHvbrHDln1+LYfF6NhJ3hjbpbjkMOAGmkDg==}
-    engines: {node: '>= 10'}
-    cpu: [x64]
-    os: [win32]
-
-  '@tailwindcss/oxide@4.0.17':
-    resolution: {integrity: sha512-B4OaUIRD2uVrULpAD1Yksx2+wNarQr2rQh65nXqaqbLY1jCd8fO+3KLh/+TH4Hzh2NTHQvgxVbPdUDOtLk7vAw==}
-    engines: {node: '>= 10'}
-
-  '@tailwindcss/postcss@4.0.17':
-    resolution: {integrity: sha512-qeJbRTB5FMZXmuJF+eePd235EGY6IyJZF0Bh0YM6uMcCI4L9Z7dy+lPuLAhxOJzxnajsbjPoDAKOuAqZRtf1PQ==}
-
   '@tailwindcss/typography@0.5.9':
     resolution: {integrity: sha512-t8Sg3DyynFysV9f4JDOVISGsjazNb48AeIYQwcL+Bsq5uf4RYL75C1giZ43KISjeDGBaTN3Kxh7Xj/vRSMJUUg==}
     peerDependencies:
@@ -10562,27 +8104,21 @@ packages:
 
   '@team-plain/typescript-sdk@3.5.0':
     resolution: {integrity: sha512-9kweiSlYAN31VI7yzILGxdlZqsGJ+FmCEfXyEZ/0/i3r6vOwq45FDqtjadnQJVtFm+rf/8vCFRN+wEYMIEv6Aw==}
+    deprecated: This package is now deprecated. Please use @team-plain/graphql, @team-plain/webhooks and @team-plain/ui-components (https://github.com/team-plain/sdk)
 
-  '@testcontainers/postgresql@10.28.0':
-    resolution: {integrity: sha512-NN25rruG5D4Q7pCNIJuHwB+G85OSeJ3xHZ2fWx0O6sPoPEfCYwvpj8mq99cyn68nxFkFYZeyrZJtSFO+FnydiA==}
+  '@testcontainers/postgresql@11.14.0':
+    resolution: {integrity: sha512-wYbJn8GRTj8qfqzfVubxioYWlHJU/ImIjuzPwyy9C5Qfo6g3GLduPZAj+BifvqTZjgT3gd4gFVLCPhBji7dc1w==}
 
-  '@testcontainers/redis@10.28.0':
-    resolution: {integrity: sha512-xDNKSJTBmQca/3v5sdHmqSCYr68vjvAGSxoHCuWylha77gAYn88g5nUZK0ocNbUZgBq69KhIzj/f9zlHkw34uA==}
+  '@testcontainers/redis@11.14.0':
+    resolution: {integrity: sha512-WX005slz2JMQPw2avbSjf5awVjpmFhOs5xCxeGSYLcV5ia4W1edv/P6MdOw4dZnvDQDuN5LfqNoV/ut3XGb2pA==}
 
   '@testing-library/dom@8.19.1':
     resolution: {integrity: sha512-P6iIPyYQ+qH8CvGauAqanhVnjrnRe0IZFSYCeGkSRW9q3u8bdVn2NPI+lasFyVsEQn1J/IFmp5Aax41+dAP9wg==}
     engines: {node: '>=12'}
 
-  '@testing-library/jest-dom@6.5.0':
-    resolution: {integrity: sha512-xGGHpBXYSHUUr6XsKBfs85TWlYKpTc37cSBBVrXcib2MkHLboWlkClhWF37JKlDb9KEq3dHs+f2xR7XJEWGBxA==}
-    engines: {node: '>=14', npm: '>=6', yarn: '>=1'}
-
   '@tokenizer/token@0.3.0':
     resolution: {integrity: sha512-OvjF+z51L3ov0OyAU0duzsYuvO01PH7x4t6DJx+guahgTnBHkhJdG7soQeTSFLWN3efnHyibZ4Z8l2EuWwJN3A==}
 
-  '@tootallnate/quickjs-emscripten@0.23.0':
-    resolution: {integrity: sha512-C5Mc6rdnsaJDjO3UpGW/CQTHtCKaYlScZTly4JIu97Jxo/odCiH0ITnDXSJPTOrEKk/ycSZ0AOgTmkDtkOsvIA==}
-
   '@total-typescript/ts-reset@0.4.2':
     resolution: {integrity: sha512-vqd7ZUDSrXFVT1n8b2kc3LnklncDQFPvR58yUS1kEP23/nHPAO9l1lMjUfnPrXYYk4Hj54rrLKMW5ipwk7k09A==}
 
@@ -10613,12 +8149,12 @@ packages:
   '@types/btoa-lite@1.0.2':
     resolution: {integrity: sha512-ZYbcE2x7yrvNFJiU7xJGrpF/ihpkM7zKgw8bha3LNJSesvTtUNxbpzaT7WXBIryf6jovisrxTBvymxMeLLj1Mg==}
 
-  '@types/bun@1.1.6':
-    resolution: {integrity: sha512-uJgKjTdX0GkWEHZzQzFsJkWp5+43ZS7HC8sZPFnOwnSo1AsNl2q9o2bFeS23disNDqbggEgyFkKCHl/w8iZsMA==}
-
   '@types/caseless@0.12.5':
     resolution: {integrity: sha512-hWtVTC2q7hc7xZ/RLbxapMvDMgUnDvKvMOpKal4DrMyfGBUfB1oKaZlIRr6mJL+If3bAP6sV/QneGzF6tJjZDg==}
 
+  '@types/chai@5.2.3':
+    resolution: {integrity: sha512-Mw558oeA9fFbv65/y4mHtXDs9bPnFMZAL/jxdPFUpOHHIXX91mcgEHbS5Lahr+pwZFR8A7GQleRWeI6cGFC2UA==}
+
   '@types/compression@1.7.2':
     resolution: {integrity: sha512-lwEL4M/uAGWngWFLSG87ZDr2kLrbuR8p7X+QZB1OQlT+qkHsCPDVFnHPyXf4Vyl4yDDorNY+mAhosxkCvppatg==}
 
@@ -10640,9 +8176,6 @@ packages:
   '@types/cors@2.8.17':
     resolution: {integrity: sha512-8CGDvrBj1zgo2qE+oS3pOCyYNqCPryMWY2bGfwA0dcfopWGgxs+78df0Rs3rc9THP4JkOhLsAa+15VdpAqkcUA==}
 
-  '@types/cross-spawn@6.0.2':
-    resolution: {integrity: sha512-KuwNhp3eza+Rhu8IFI5HUXRP0LIhqH5cAjubUvGXXthh4YYBuP2ntwEX+Cz8GJoZUHlKo247wPWOfA9LYEq4cw==}
-
   '@types/d3-array@3.0.8':
     resolution: {integrity: sha512-2xAVyAUgaXHX9fubjcCbGAUOqYfRJN1em1EKR2HfzWBpObZhwfnZKvofTN4TplMqJdFQao61I+NVSai/vnBvDQ==}
 
@@ -10742,15 +8275,12 @@ packages:
   '@types/debug@4.1.7':
     resolution: {integrity: sha512-9AonUzyTjXXhEOa0DnqpzZi6VHlqKMswga9EXjpXnnqxwLtdvPPtlO8evrI5D9S6asFRCQ6v+wpiUKbw+vKqyg==}
 
-  '@types/debug@4.1.8':
-    resolution: {integrity: sha512-/vPO1EPOs306Cvhwv7KfVfYvOJqA/S/AXjaHQiJboCZzcNDb+TIJFN9/2C9DZ//ijSKWioNyUxD792QmDJ+HKQ==}
-
   '@types/decimal.js@7.4.3':
     resolution: {integrity: sha512-7MpxcJPHqQ637FCZwJLtJMaDZkcD/iyUxj0m8A+m06slFeqRiK9QtgEyuocWNRbEtCrOZOEbZPTSSR88hMZVsg==}
     deprecated: This is a stub types definition. decimal.js provides its own type definitions, so you do not need this installed.
 
-  '@types/diff-match-patch@1.0.36':
-    resolution: {integrity: sha512-xFdR6tkm0MWvBfO8xXCSsinYxHcqkQUlcHeSpMC2ukzOb6lwQAfDmW+Qt0AvlGd8HpsS28qKsB+oPeJn9I39jg==}
+  '@types/deep-eql@4.0.2':
+    resolution: {integrity: sha512-c9h9dVVMigMPc4bwTvC5dxqtqJZwQPePsWjPlpSOnojbor6pGqdk541lfA7AqFQr5pB1BRdq0juY9db81BwyFw==}
 
   '@types/docker-modem@3.0.6':
     resolution: {integrity: sha512-yKpAGEuKRSS8wwx0joknWxsmLha78wNMe9R2S3UNsVOkZded8UqOrV8KoeDXoXsjndxwyF3eIhyClGbO1SEhEg==}
@@ -10758,12 +8288,8 @@ packages:
   '@types/dockerode@3.3.35':
     resolution: {integrity: sha512-P+DCMASlsH+QaKkDpekKrP5pLls767PPs+/LrlVbKnEnY5tMpEUa2C6U4gRsdFZengOqxdCIqy16R22Q3pLB6Q==}
 
-  '@types/dompurify@3.2.0':
-    resolution: {integrity: sha512-Fgg31wv9QbLDA0SpTOXO3MaxySc4DKGLi8sna4/Utjo4r3ZRPdCt4UQee8BWr+Q5z21yifghREPJGYaEOEIACg==}
-    deprecated: This is a stub types definition. dompurify provides its own type definitions, so you do not need this installed.
-
-  '@types/eslint-scope@3.7.4':
-    resolution: {integrity: sha512-9K4zoImiZc3HlIp6AVUDE4CWYx22a+lhSZMYNpbjW04+YF0KWj4pJXnEMjdnFTiQibFFmElcsasJXDbdI/EPhA==}
+  '@types/dockerode@4.0.1':
+    resolution: {integrity: sha512-cmUpB+dPN955PxBEuXE3f6lKO1hHiIGYJA46IVF3BJpNsZGvtBDcRnlrHYHtOH/B6vtDOyl2kZ2ShAu3mgc27Q==}
 
   '@types/eslint-scope@3.7.7':
     resolution: {integrity: sha512-MzMFlSLBqNF2gcHWO0G1vP/YQyfvrxZ0bF+u7mzUdZ1/xK4A4sru+nraZz5i3iEIk1l1uyicaDVTB4QbbEkAYg==}
@@ -10780,12 +8306,12 @@ packages:
   '@types/estree@1.0.0':
     resolution: {integrity: sha512-WulqXMDUTYAXCjZnk6JtIHPigp55cVtDgDrO2gHRwhyJto21+1zbVCtOYB2L1F9w4qCQ0rOGWBnBe0FNTiEJIQ==}
 
-  '@types/estree@1.0.6':
-    resolution: {integrity: sha512-AYnb1nQyY49te+VRAVgmzfcgjYS91mY5P0TKUDCLEM+gNnA+3T6rWITXRLYCpahpqSQbN5cE+gHpnPyXjHWxcw==}
-
   '@types/estree@1.0.8':
     resolution: {integrity: sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==}
 
+  '@types/estree@1.0.9':
+    resolution: {integrity: sha512-GhdPgy1el4/ImP05X05Uw4cw2/M93BCUmnEvWZNStlCzEKME4Fkk+YpoA5OiHNQmoS7Cafb8Xa3Pya8m1Qrzeg==}
+
   '@types/eventsource@1.1.15':
     resolution: {integrity: sha512-XQmGcbnxUNa06HR3VBVkc9+A2Vpi9ZyLJcdS5dwaQQ/4ZMWFO+5c90FnMUpbtMZwB/FChoYHwuVg8TvkECacTA==}
 
@@ -10816,9 +8342,6 @@ packages:
   '@types/interpret@1.1.3':
     resolution: {integrity: sha512-uBaBhj/BhilG58r64mtDb/BEdH51HIQLgP5bmWzc5qCtFMja8dCk/IOJmk36j0lbi9QHwI6sbtUNGuqXdKCAtQ==}
 
-  '@types/invariant@2.2.37':
-    resolution: {integrity: sha512-IwpIMieE55oGWiXkQPSBY1nw1nFs6bsKXTFskNY8sdS17K24vyEBRQZEwlRS7ZmXCWnJcQtbxWzly+cODWGs2A==}
-
   '@types/is-ci@3.0.0':
     resolution: {integrity: sha512-Q0Op0hdWbYd1iahB+IFNQcWXFq4O0Q5MwQP7uN0souuQ4rPg1vEYcnIOfr1gY+M+6rc8FGoRaBO1mOOvL29sEQ==}
 
@@ -10846,9 +8369,6 @@ packages:
   '@types/jsonwebtoken@9.0.10':
     resolution: {integrity: sha512-asx5hIG9Qmf/1oStypjanR7iKTv0gXQ1Ov/jfrX6kS/EO0OFni8orbmGCn0672NHR3kXHwpAwR+B368ZGN/2rA==}
 
-  '@types/katex@0.16.7':
-    resolution: {integrity: sha512-HMwFiRujE5PjrgwHQ25+bsLJgowjGjm5Z8FVSf0N6PwgJrwxH0QxzHYDcKsTfV3wva0vzrpqMTJS2jXPr5BMEQ==}
-
   '@types/keyv@3.1.4':
     resolution: {integrity: sha512-BQ5aZNSCpj7D6K2ksrRCTmKRLEpnPvWDiLPfoGyhZ++8YtiK9d/3DBKPJgry359X/P1PfruyYwvnvwFjuEiEIg==}
 
@@ -10903,8 +8423,8 @@ packages:
   '@types/node@20.14.14':
     resolution: {integrity: sha512-d64f00982fS9YoOgJkAMolK7MN8Iq3TDdVjchbYHdEmjth/DHowx82GnoA+tVUAN+7vxfYUgAzi+JXbKNd2SDQ==}
 
-  '@types/nodemailer@7.0.4':
-    resolution: {integrity: sha512-ee8fxWqOchH+Hv6MDDNNy028kwvVnLplrStm4Zf/3uHWw5zzo8FoYYeffpJtGs2wWysEumMH0ZIdMGMY1eMAow==}
+  '@types/nodemailer@8.0.0':
+    resolution: {integrity: sha512-fyf8jWULsCo0d0BuoQ75i6IeoHs47qcqxWc7yUdUcV0pOZGjUTTOvwdG1PRXUDqN/8A64yQdQdnA2pZgcdi+cA==}
 
   '@types/normalize-package-data@2.4.1':
     resolution: {integrity: sha512-Gj7cI7z+98M282Tqmp2K5EIsoouUEzbBJhQQzDE3jSIRk6r9gsz0oUokqIUR4u1R3dMHo0pDHM7sNOHyhulypw==}
@@ -10948,11 +8468,6 @@ packages:
   '@types/react-dom@18.2.7':
     resolution: {integrity: sha512-GRaAEriuT4zp9N4p1i8BDBYmEyfo+xQ3yHjJU4eiK5NDa1RmUZG+unZABUTK4/Ox/M+GaHwb6Ow8rUITrtjszA==}
 
-  '@types/react-dom@19.0.4':
-    resolution: {integrity: sha512-4fSQ8vWFkg+TGhePfUzVmat3eC14TXYSsiiDSLI0dVLsrm9gZFABjPy/Qu6TKgl1tq1Bu1yDsuQgY3A3DOjCcg==}
-    peerDependencies:
-      '@types/react': ^19.0.0
-
   '@types/react@18.2.48':
     resolution: {integrity: sha512-qboRCl6Ie70DQQG9hhNREz81jqC1cs9EVNcjQ1AU+jH6NFfSAhVVbrrY/+nSF+Bsk4AOwm9Qa61InvMCyV+H3w==}
 
@@ -10962,9 +8477,6 @@ packages:
   '@types/react@18.3.1':
     resolution: {integrity: sha512-V0kuGBX3+prX+DQ/7r2qsv1NsdfnCLnTgnRJ1pYnxykBhGMz+qj+box5lq7XsO5mtZsBqpjwwTu/7wszPfMBcw==}
 
-  '@types/react@19.0.12':
-    resolution: {integrity: sha512-V6Ar115dBDrjbtXSrS+/Oruobc+qVbbUxDFC1RSbRqLt5SYvxxyIDrSC85RWml54g+jfNeEMZhEj7wW07ONQhA==}
-
   '@types/react@19.2.14':
     resolution: {integrity: sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==}
 
@@ -11062,15 +8574,6 @@ packages:
   '@types/unist@3.0.3':
     resolution: {integrity: sha512-ko/gIFJRv177XgZsZcBwnqJN5x/Gien8qNOn0D5bQU/zAzVf9Zt3BlcUiLqhV9y4ARk0GbT3tnUiPNgnTXzc/Q==}
 
-  '@types/uuid@10.0.0':
-    resolution: {integrity: sha512-7gqG38EyHgyP1S+7+xomFtL+ZNHcKv6DwNaCZmJmo1vgMugyF3TCnXVg4t1uk89mLNwnLtnY3TpOpCOyp1/xHQ==}
-
-  '@types/uuid@9.0.0':
-    resolution: {integrity: sha512-kr90f+ERiQtKWMz5rP32ltJ/BtULDI5RVO0uavn1HQUOwjx0R1h0rnDYNL0CepF1zL5bSY6FISAfd9tOdDhU5Q==}
-
-  '@types/webpack@5.28.5':
-    resolution: {integrity: sha512-wR87cgvxj3p6D0Crt1r5avwqffqPXUkNlnQ1mjU93G7gCuFjufZR4I6j8cz5g1F1tTYpfOOFvly+cmIQwL9wvw==}
-
   '@types/ws@8.5.10':
     resolution: {integrity: sha512-vmQSUcfalpIq0R9q7uTo2lXs6eGIpt9wtnLdMv9LVpIjCA/+ufZRozlVoVelIYixx1ugCBKDhn89vnsEGOCx9A==}
 
@@ -11080,9 +8583,6 @@ packages:
   '@types/ws@8.5.4':
     resolution: {integrity: sha512-zdQDHKUgcX/zBc4GrwsE/7dVdAD8JR4EuiAXiiUhhfyIJXXb2+PrGshFyeXWQPMmmZ2XxgaqclgpIC7eTXc1mg==}
 
-  '@types/yauzl@2.10.3':
-    resolution: {integrity: sha512-oJoftv0LSuaDZE3Le4DbKX+KS9G36NzOeSap90UIK0yMA/NhKJhqlSGtNDORNRaIbQfzjXDrQa0ytJ6mNRGz/Q==}
-
   '@typescript-eslint/eslint-plugin@5.59.6':
     resolution: {integrity: sha512-sXtOgJNEuRU5RLwPUb1jxtToZbgvq3M6FPpY4QENxoOggK+UpTxUBpj6tD8+Qh2g46Pi9We87E+eHnUw8YcGsw==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
@@ -11172,21 +8672,8 @@ packages:
   '@unkey/error@0.2.0':
     resolution: {integrity: sha512-DFGb4A7SrusZPP0FYuRIF0CO+Gi4etLUAEJ6EKc+TKYmscL0nEJ2Pr38FyX9MvjI4Wx5l35Wc9KsBjMm9Ybh7w==}
 
-  '@uploadthing/mime-types@0.3.0':
-    resolution: {integrity: sha512-jN/XFvpKTzcd3MXT/9D9oxx05scnYiSYxAXF/e6hyg377zFducRxivU/kHyYTkpUZPTmOL5q9EQbOkUsXMlSMg==}
-
-  '@uploadthing/react@7.0.3':
-    resolution: {integrity: sha512-dPRO45H1UaXmbrmelU2uZjSmWz0h15F0+SbfAJ+ehxLEU34EBRpOJF55G7yK5X7syFRnedlG4E1+iEcEmKRynw==}
-    peerDependencies:
-      next: '*'
-      react: ^17.0.2 || ^18.0.0
-      uploadthing: 7.1.0
-    peerDependenciesMeta:
-      next:
-        optional: true
-
-  '@uploadthing/shared@7.0.3':
-    resolution: {integrity: sha512-PAT5Jl6bfuVp37PBvaw7bwQYhLeDfIBuGr37mbPBPhtiqm8zf8ip8zubkdm5rXEhqRWfdI64SQpl+7Q+dLoM2Q==}
+  '@upsetjs/venn.js@2.0.0':
+    resolution: {integrity: sha512-WbBhLrooyePuQ1VZxrJjtLvTc4NVfpOyKx0sKqioq9bX1C1m7Jgykkn8gLrtwumBioXIqam8DLxp88Adbue6Hw==}
 
   '@upstash/core-analytics@0.0.8':
     resolution: {integrity: sha512-MCJoF+Y8fkzq4NRLG7kEHjtGyMsZ2DICBdmEdwoK9umoSrfkzgBlYdZiHTIaewyt9PGaMZCHOasz0LAuMpxwxQ==}
@@ -11210,10 +8697,6 @@ packages:
   '@vanilla-extract/private@1.0.3':
     resolution: {integrity: sha512-17kVyLq3ePTKOkveHxXuIJZtGYs+cSoev7BlP+Lf4916qfDhk/HBjvlYDe8egrea7LNPHKwSZJK/bzZC+Q6AwQ==}
 
-  '@vercel/oidc@3.0.3':
-    resolution: {integrity: sha512-yNEQvPcVrK9sIe637+I0jD6leluPxzwJKx/Haw6F4H77CdDsszUn5V3o96LPziXkSNE2B83+Z3mjqGKBK/R6Gg==}
-    engines: {node: '>= 20'}
-
   '@vercel/oidc@3.0.5':
     resolution: {integrity: sha512-fnYhv671l+eTTp48gB4zEsTW/YtRgRPnkI2nT7x6qw5rkI1Lq2hTmQIpHPgyThI0znLK+vX2n9XxKdXZ7BUbbw==}
     engines: {node: '>= 20'}
@@ -11222,164 +8705,97 @@ packages:
     resolution: {integrity: sha512-Fw28YZpRnA3cAHHDlkt7xQHiJ0fcL+NRcIqsocZQUSmbzeIKRpwttJjik5ZGanXP+vlA4SbTg+AbA3bP363l+w==}
     engines: {node: '>= 20'}
 
-  '@vercel/otel@1.13.0':
-    resolution: {integrity: sha512-esRkt470Y2jRK1B1g7S1vkt4Csu44gp83Zpu8rIyPoqy2BKgk4z7ik1uSMswzi45UogLHFl6yR5TauDurBQi4Q==}
-    engines: {node: '>=18'}
-    peerDependencies:
-      '@opentelemetry/api': '>=1.7.0 <2.0.0'
-      '@opentelemetry/api-logs': '>=0.46.0 <0.200.0'
-      '@opentelemetry/instrumentation': '>=0.46.0 <0.200.0'
-      '@opentelemetry/resources': '>=1.19.0 <2.0.0'
-      '@opentelemetry/sdk-logs': '>=0.46.0 <0.200.0'
-      '@opentelemetry/sdk-metrics': '>=1.19.0 <2.0.0'
-      '@opentelemetry/sdk-trace-base': '>=1.19.0 <2.0.0'
-
-  '@vercel/postgres@0.10.0':
-    resolution: {integrity: sha512-fSD23DxGND40IzSkXjcFcxr53t3Tiym59Is0jSYIFpG4/0f0KO9SGtcp1sXiebvPaGe7N/tU05cH4yt2S6/IPg==}
-    engines: {node: '>=18.14'}
-    deprecated: '@vercel/postgres is deprecated. If you are setting up a new database, you can choose an alternate storage solution from the Vercel Marketplace. If you had an existing Vercel Postgres database, it should have been migrated to Neon as a native Vercel integration. You can find more details and the guide to migrate to Neon''s SDKs here: https://neon.com/docs/guides/vercel-postgres-transition-guide'
+  '@vercel/oidc@3.2.0':
+    resolution: {integrity: sha512-UycprH3T6n3jH0k44NHMa7pnFHGu/N05MjojYr+Mc6I7obkoLIJujSWwin1pCvdy/eOxrI/l3uDLQsmcrOb4ug==}
+    engines: {node: '>= 20'}
 
   '@vercel/sdk@1.19.1':
     resolution: {integrity: sha512-K4rmtUT6t1vX06tiY44ot8A7W1FKN7g/tMkE7yZghCgNQ8b30SzljBd4ni8RNp2pJzM/HrZmphRDeIArO7oZuw==}
     hasBin: true
 
-  '@vitest/coverage-v8@3.1.4':
-    resolution: {integrity: sha512-G4p6OtioySL+hPV7Y6JHlhpsODbJzt1ndwHAFkyk6vVjpK03PFsKnauZIzcd0PrK4zAbc5lc+jeZ+eNGiMA+iw==}
+  '@vitest/coverage-v8@4.1.7':
+    resolution: {integrity: sha512-qsYPeXc5Q9dFLd1i8Ap+Bx8sQgcp+rFVQo4R0dDsWNBzl26ldVF1qOO+RL24K7FDrR6pA+50XedRLSoSG24bVQ==}
     peerDependencies:
-      '@vitest/browser': 3.1.4
-      vitest: 3.1.4
+      '@vitest/browser': 4.1.7
+      vitest: 4.1.7
     peerDependenciesMeta:
       '@vitest/browser':
         optional: true
 
-  '@vitest/expect@3.1.4':
-    resolution: {integrity: sha512-xkD/ljeliyaClDYqHPNCiJ0plY5YIcM0OlRiZizLhlPmpXWpxnGMyTZXOHFhFeG7w9P5PBeL4IdtJ/HeQwTbQA==}
+  '@vitest/expect@4.1.7':
+    resolution: {integrity: sha512-1R+tw0ortHEbZDGMymm+pN7/AFQ/RkFFdtd7EN+VBpynKmLbP8A3rpEXdshBJ7+8hQ9zBJh/i1s0yKNtxAnU7w==}
 
-  '@vitest/mocker@3.1.4':
-    resolution: {integrity: sha512-8IJ3CvwtSw/EFXqWFL8aCMu+YyYXG2WUSrQbViOZkWTKTVicVwZ/YiEZDSqD00kX+v/+W+OnxhNWoeVKorHygA==}
+  '@vitest/mocker@4.1.7':
+    resolution: {integrity: sha512-vY7nuamKgfvpA1Koa3oYIw/k7D6kZnpGyNMZW8loow2bsBYla1TFdqTaXncWdRn4pgwNs+90RhnXhJScDwQeJA==}
     peerDependencies:
       msw: ^2.4.9
-      vite: ^5.0.0 || ^6.0.0
+      vite: ^6.4.2
     peerDependenciesMeta:
       msw:
         optional: true
       vite:
         optional: true
 
-  '@vitest/pretty-format@2.1.9':
-    resolution: {integrity: sha512-KhRIdGV2U9HOUzxfiHmY8IFHTdqtOhIzCpd8WRdJiE7D/HUcZVD0EgQCVjm+Q9gkUXWgBvMmTtZgIG48wq7sOQ==}
+  '@vitest/pretty-format@4.1.7':
+    resolution: {integrity: sha512-umgCarTOYQWIaDMvGDRZij+6b9oVeLIyJzfN+AS88e0ZOU3QTgNNSTtjQOpcvWr3np1N0j4WgZj+sb3oYBDscw==}
 
-  '@vitest/pretty-format@3.1.4':
-    resolution: {integrity: sha512-cqv9H9GvAEoTaoq+cYqUTCGscUjKqlJZC7PRwY5FMySVj5J+xOm1KQcCiYHJOEzOKRUhLH4R2pTwvFlWCEScsg==}
+  '@vitest/runner@4.1.7':
+    resolution: {integrity: sha512-BapjmAQ2aI78WdMEfeUWivnfVzB+VPGwWRQcJE0OUq7qEeEcBsCSf+0T5iREBNE5nBb4wA5Ya0W6IA+sghdEFw==}
 
-  '@vitest/runner@2.1.9':
-    resolution: {integrity: sha512-ZXSSqTFIrzduD63btIfEyOmNcBmQvgOVsPNPe0jYtESiXkhd8u2erDLnMxmGrDCwHCCHE7hxwRDCT3pt0esT4g==}
+  '@vitest/snapshot@4.1.7':
+    resolution: {integrity: sha512-ZacLzja+TmJeZ1h14xW2FB/WpeimUD3haBXQPyJqxvo8jQTmfeA8zv58mtjN2C7EHXZDYVcVYdYmAxjkWVvKCw==}
 
-  '@vitest/runner@3.1.4':
-    resolution: {integrity: sha512-djTeF1/vt985I/wpKVFBMWUlk/I7mb5hmD5oP8K9ACRmVXgKTae3TUOtXAEBfslNKPzUQvnKhNd34nnRSYgLNQ==}
+  '@vitest/spy@4.1.7':
+    resolution: {integrity: sha512-kbkI5LMWakyuTIvs6fUJ5qdIVb1XVKsYJAT4OJ938cHMROYMSfmoQdZy0aaAnjbbc8F61vkoTqz/Az+/HiIu5Q==}
 
-  '@vitest/snapshot@3.1.4':
-    resolution: {integrity: sha512-JPHf68DvuO7vilmvwdPr9TS0SuuIzHvxeaCkxYcCD4jTk67XwL45ZhEHFKIuCm8CYstgI6LZ4XbwD6ANrwMpFg==}
-
-  '@vitest/spy@3.1.4':
-    resolution: {integrity: sha512-Xg1bXhu+vtPXIodYN369M86K8shGLouNjoVI78g8iAq2rFoHFdajNvJJ5A/9bPMFcfQqdaCpOgWKEoMQg/s0Yg==}
-
-  '@vitest/utils@2.1.9':
-    resolution: {integrity: sha512-v0psaMSkNJ3A2NMrUEHFRzJtDPFn+/VWZ5WxImB21T9fjucJRmS7xCS3ppEnARb9y11OAzaD+P2Ps+b+BGX5iQ==}
-
-  '@vitest/utils@3.1.4':
-    resolution: {integrity: sha512-yriMuO1cfFhmiGc8ataN51+9ooHRuURdfAZfwFd3usWynjzpLslZdYnRegTv32qdgtJTsj15FoeZe2g15fY1gg==}
+  '@vitest/utils@4.1.7':
+    resolution: {integrity: sha512-T532WBu791cBxJlCl6SO+J14l81DQx6uQHm1bQbmCDY7nqlEIgkza/UFnSBNaUtSf41unldDFjdOBYEQC4b5Hw==}
 
   '@web3-storage/multipart-parser@1.0.0':
     resolution: {integrity: sha512-BEO6al7BYqcnfX15W2cnGR+Q566ACXAT9UQykORCWW80lmkpWsnEob6zJS1ZVBKsSJC8+7vJkHwlp+lXG1UCdw==}
 
-  '@webassemblyjs/ast@1.11.5':
-    resolution: {integrity: sha512-LHY/GSAZZRpsNQH+/oHqhRQ5FT7eoULcBqgfyTB5nQHogFnK3/7QoN7dLnwSE/JkUAF0SrRuclT7ODqMFtWxxQ==}
-
   '@webassemblyjs/ast@1.14.1':
     resolution: {integrity: sha512-nuBEDgQfm1ccRp/8bCQrx1frohyufl4JlbMMZ4P1wpeOfDhF6FQkxZJ1b/e+PLwr6X1Nhw6OLme5usuBWYBvuQ==}
 
-  '@webassemblyjs/floating-point-hex-parser@1.11.5':
-    resolution: {integrity: sha512-1j1zTIC5EZOtCplMBG/IEwLtUojtwFVwdyVMbL/hwWqbzlQoJsWCOavrdnLkemwNoC/EOwtUFch3fuo+cbcXYQ==}
-
   '@webassemblyjs/floating-point-hex-parser@1.13.2':
     resolution: {integrity: sha512-6oXyTOzbKxGH4steLbLNOu71Oj+C8Lg34n6CqRvqfS2O71BxY6ByfMDRhBytzknj9yGUPVJ1qIKhRlAwO1AovA==}
 
-  '@webassemblyjs/helper-api-error@1.11.5':
-    resolution: {integrity: sha512-L65bDPmfpY0+yFrsgz8b6LhXmbbs38OnwDCf6NpnMUYqa+ENfE5Dq9E42ny0qz/PdR0LJyq/T5YijPnU8AXEpA==}
-
   '@webassemblyjs/helper-api-error@1.13.2':
     resolution: {integrity: sha512-U56GMYxy4ZQCbDZd6JuvvNV/WFildOjsaWD3Tzzvmw/mas3cXzRJPMjP83JqEsgSbyrmaGjBfDtV7KDXV9UzFQ==}
 
-  '@webassemblyjs/helper-buffer@1.11.5':
-    resolution: {integrity: sha512-fDKo1gstwFFSfacIeH5KfwzjykIE6ldh1iH9Y/8YkAZrhmu4TctqYjSh7t0K2VyDSXOZJ1MLhht/k9IvYGcIxg==}
-
   '@webassemblyjs/helper-buffer@1.14.1':
     resolution: {integrity: sha512-jyH7wtcHiKssDtFPRB+iQdxlDf96m0E39yb0k5uJVhFGleZFoNw1c4aeIcVUPPbXUVJ94wwnMOAqUHyzoEPVMA==}
 
-  '@webassemblyjs/helper-numbers@1.11.5':
-    resolution: {integrity: sha512-DhykHXM0ZABqfIGYNv93A5KKDw/+ywBFnuWybZZWcuzWHfbp21wUfRkbtz7dMGwGgT4iXjWuhRMA2Mzod6W4WA==}
-
   '@webassemblyjs/helper-numbers@1.13.2':
     resolution: {integrity: sha512-FE8aCmS5Q6eQYcV3gI35O4J789wlQA+7JrqTTpJqn5emA4U2hvwJmvFRC0HODS+3Ye6WioDklgd6scJ3+PLnEA==}
 
-  '@webassemblyjs/helper-wasm-bytecode@1.11.5':
-    resolution: {integrity: sha512-oC4Qa0bNcqnjAowFn7MPCETQgDYytpsfvz4ujZz63Zu/a/v71HeCAAmZsgZ3YVKec3zSPYytG3/PrRCqbtcAvA==}
-
   '@webassemblyjs/helper-wasm-bytecode@1.13.2':
     resolution: {integrity: sha512-3QbLKy93F0EAIXLh0ogEVR6rOubA9AoZ+WRYhNbFyuB70j3dRdwH9g+qXhLAO0kiYGlg3TxDV+I4rQTr/YNXkA==}
 
-  '@webassemblyjs/helper-wasm-section@1.11.5':
-    resolution: {integrity: sha512-uEoThA1LN2NA+K3B9wDo3yKlBfVtC6rh0i4/6hvbz071E8gTNZD/pT0MsBf7MeD6KbApMSkaAK0XeKyOZC7CIA==}
-
   '@webassemblyjs/helper-wasm-section@1.14.1':
     resolution: {integrity: sha512-ds5mXEqTJ6oxRoqjhWDU83OgzAYjwsCV8Lo/N+oRsNDmx/ZDpqalmrtgOMkHwxsG0iI//3BwWAErYRHtgn0dZw==}
 
-  '@webassemblyjs/ieee754@1.11.5':
-    resolution: {integrity: sha512-37aGq6qVL8A8oPbPrSGMBcp38YZFXcHfiROflJn9jxSdSMMM5dS5P/9e2/TpaJuhE+wFrbukN2WI6Hw9MH5acg==}
-
   '@webassemblyjs/ieee754@1.13.2':
     resolution: {integrity: sha512-4LtOzh58S/5lX4ITKxnAK2USuNEvpdVV9AlgGQb8rJDHaLeHciwG4zlGr0j/SNWlr7x3vO1lDEsuePvtcDNCkw==}
 
-  '@webassemblyjs/leb128@1.11.5':
-    resolution: {integrity: sha512-ajqrRSXaTJoPW+xmkfYN6l8VIeNnR4vBOTQO9HzR7IygoCcKWkICbKFbVTNMjMgMREqXEr0+2M6zukzM47ZUfQ==}
-
   '@webassemblyjs/leb128@1.13.2':
     resolution: {integrity: sha512-Lde1oNoIdzVzdkNEAWZ1dZ5orIbff80YPdHx20mrHwHrVNNTjNr8E3xz9BdpcGqRQbAEa+fkrCb+fRFTl/6sQw==}
 
-  '@webassemblyjs/utf8@1.11.5':
-    resolution: {integrity: sha512-WiOhulHKTZU5UPlRl53gHR8OxdGsSOxqfpqWeA2FmcwBMaoEdz6b2x2si3IwC9/fSPLfe8pBMRTHVMk5nlwnFQ==}
-
   '@webassemblyjs/utf8@1.13.2':
     resolution: {integrity: sha512-3NQWGjKTASY1xV5m7Hr0iPeXD9+RDobLll3T9d2AO+g3my8xy5peVyjSag4I50mR1bBSN/Ct12lo+R9tJk0NZQ==}
 
-  '@webassemblyjs/wasm-edit@1.11.5':
-    resolution: {integrity: sha512-C0p9D2fAu3Twwqvygvf42iGCQ4av8MFBLiTb+08SZ4cEdwzWx9QeAHDo1E2k+9s/0w1DM40oflJOpkZ8jW4HCQ==}
-
   '@webassemblyjs/wasm-edit@1.14.1':
     resolution: {integrity: sha512-RNJUIQH/J8iA/1NzlE4N7KtyZNHi3w7at7hDjvRNm5rcUXa00z1vRz3glZoULfJ5mpvYhLybmVcwcjGrC1pRrQ==}
 
-  '@webassemblyjs/wasm-gen@1.11.5':
-    resolution: {integrity: sha512-14vteRlRjxLK9eSyYFvw1K8Vv+iPdZU0Aebk3j6oB8TQiQYuO6hj9s4d7qf6f2HJr2khzvNldAFG13CgdkAIfA==}
-
   '@webassemblyjs/wasm-gen@1.14.1':
     resolution: {integrity: sha512-AmomSIjP8ZbfGQhumkNvgC33AY7qtMCXnN6bL2u2Js4gVCg8fp735aEiMSBbDR7UQIj90n4wKAFUSEd0QN2Ukg==}
 
-  '@webassemblyjs/wasm-opt@1.11.5':
-    resolution: {integrity: sha512-tcKwlIXstBQgbKy1MlbDMlXaxpucn42eb17H29rawYLxm5+MsEmgPzeCP8B1Cl69hCice8LeKgZpRUAPtqYPgw==}
-
   '@webassemblyjs/wasm-opt@1.14.1':
     resolution: {integrity: sha512-PTcKLUNvBqnY2U6E5bdOQcSM+oVP/PmrDY9NzowJjislEjwP/C4an2303MCVS2Mg9d3AJpIGdUFIQQWbPds0Sw==}
 
-  '@webassemblyjs/wasm-parser@1.11.5':
-    resolution: {integrity: sha512-SVXUIwsLQlc8srSD7jejsfTU83g7pIGr2YYNb9oHdtldSxaOhvA5xwvIiWIfcX8PlSakgqMXsLpLfbbJ4cBYew==}
-
   '@webassemblyjs/wasm-parser@1.14.1':
     resolution: {integrity: sha512-JLBl+KZ0R5qB7mCnud/yyX08jWFw5MsoalJ1pQ4EdFlgj9VdXKGuENGsiCIjegI1W7p91rUlcB/LB5yRJKNTcQ==}
 
-  '@webassemblyjs/wast-printer@1.11.5':
-    resolution: {integrity: sha512-f7Pq3wvg3GSPUPzR0F6bmI89Hdb+u9WXrSKc4v+N0aV0q6r42WoF92Jp2jEorBEBRoRNXgjp53nBniDXcqZYPA==}
-
   '@webassemblyjs/wast-printer@1.14.1':
     resolution: {integrity: sha512-kPSSXE6De1XOR820C90RIo2ogvZG+c3KiHzqUoO/F34Y2shGzesfqv7o57xrxovZJH/MetF5UjroJ/R/3isoiw==}
 
@@ -11395,26 +8811,31 @@ packages:
     resolution: {integrity: sha512-q76lDAafvHNGWedNAVHrz/EyYTS8qwRLcwne8SJQdRN5P3HydxU6XROFvJfTML6KZXQX2FDdGY4/SnaNyd7M0Q==}
     engines: {node: '>=16.0.0'}
 
-  '@window-splitter/state@0.4.1':
-    resolution: {integrity: sha512-JbsCYEWFXs79Gxudtv+XTYE2tdidPg8oGoIbUyh9QtdYUNUO/QKI2ORk2WFNIkk2ZzTWMXquI92s1nj4sAhZ+w==}
+  '@window-splitter/interface@1.1.3':
+    resolution: {integrity: sha512-GV7nunGpSqrlbR8pyI65aFMYlyFTO1VgWhT2cFsPkfYwmh5xBNWAWkJJtDMvbfwBHtvTGf4kTztx6e9LZSiSeQ==}
+    engines: {node: '>=18.0.0'}
+
+  '@window-splitter/react@1.1.3':
+    resolution: {integrity: sha512-IDquSVO7WFLlx8NsrINaT+VewZZ1GpIV5E5AzeOBrGVI5UVy/b+jPFCWuUv6s7iuOIarX8wvuSaDDf3L4hqabg==}
+    engines: {node: '>=18.0.0'}
+    peerDependencies:
+      react: '>=16'
+      react-dom: '>=16'
+
+  '@window-splitter/state@1.1.3':
+    resolution: {integrity: sha512-aMm1sbA4P9zeg87tVgqnlkrirjhTi/D08QvgnoSjCihq4vBqVDICrzZ6wwmlmU1E0Rar1hWy3GTpnCcn8tdZqQ==}
     engines: {node: '>=18.0.0'}
 
   '@wolfy1339/lru-cache@11.0.2-patch.1':
     resolution: {integrity: sha512-BgYZfL2ADCXKOw2wJtkM3slhHotawWkgIRRxq4wEybnZQPjvAp71SPX35xepMykTw8gXlzWcWPTY31hlbnRsDA==}
     engines: {node: 18 >=18.20 || 20 || >=22}
 
+  '@workflow/serde@4.1.0':
+    resolution: {integrity: sha512-pav4F2BoirECWR7Nf1TKt+2eETcBj7jj4cBefQ8VXQCA6NPkaKeLfj/zMgi+3zYV5ZIBT4GuUiphsj0/b9hPQQ==}
+
   '@xobotyi/scrollbar-width@1.9.5':
     resolution: {integrity: sha512-N8tkAACJx2ww8vFMneJmaAgmjAG1tnVBZJRLRcx061tmsLRZHSEZSLuGWnwPtunsSLvSqXQ2wfp7Mgqg1I+2dQ==}
 
-  '@xstate/react@4.1.2':
-    resolution: {integrity: sha512-orAidFrKCrU0ZwN5l/ABPlBfW2ziRDT2RrYoktRlZ0WRoLvA2E/uAC1JpZt43mCLtc8jrdwYCgJiqx1V8NvGTw==}
-    peerDependencies:
-      react: ^16.8.0 || ^17.0.0 || ^18.0.0
-      xstate: ^5.18.1
-    peerDependenciesMeta:
-      xstate:
-        optional: true
-
   '@xtuc/ieee754@1.2.0':
     resolution: {integrity: sha512-DX8nKgqcGwsc0eJSqYt5lwP4DH5FlHnmuWWBRy7X0NcaGR0ZtuyeESgMwTYVEtxmsNGY+qit4QYT/MIYTOTPeA==}
 
@@ -11443,12 +8864,6 @@ packages:
     resolution: {integrity: sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==}
     engines: {node: '>= 0.6'}
 
-  acorn-import-assertions@1.9.0:
-    resolution: {integrity: sha512-cmMwop9x+8KFhxvKrKfPYmN6/pKTYYHBqLa0DfvVZcKMJWNyWLnaqND7dx/qn66R7ewM1UX5XMaDVP5wlVTaVA==}
-    deprecated: package has been renamed to acorn-import-attributes
-    peerDependencies:
-      acorn: ^8
-
   acorn-import-attributes@1.9.5:
     resolution: {integrity: sha512-n02Vykv5uA3eHGM/Z2dQrcD56kL8TyDb2p1+0P83PClMnC/nc+anbQRhIOWnSq4Ke/KvDPrY3C9hDtC/A3eHnQ==}
     peerDependencies:
@@ -11472,10 +8887,6 @@ packages:
     resolution: {integrity: sha512-OPdCF6GsMIP+Az+aWfAAOEt2/+iVDKE7oy6lJ098aoe59oAmK76qV6Gw60SbZ8jHuG2wH058GF4pLFbYamYrVA==}
     engines: {node: '>=0.4.0'}
 
-  acorn-walk@8.3.2:
-    resolution: {integrity: sha512-cjkyv4OtNCIeqhHrfS81QWXoCBPExR/J62oyEqepVw8WaQeSqpW2uhuLPh1m9eWhDuOo/jUXVTlifvesOWp/4A==}
-    engines: {node: '>=0.4.0'}
-
   acorn@7.4.1:
     resolution: {integrity: sha512-nQyp0o1/mNdbTO1PO6kHkwSrmgZ0MT/jCCpNiwbUjGoRN4dlBhqJtoQuCnEOKzgTVwg0ZWiCoQy6SxMebQVh8A==}
     engines: {node: '>=0.4.0'}
@@ -11491,8 +8902,8 @@ packages:
     engines: {node: '>=0.4.0'}
     hasBin: true
 
-  acorn@8.15.0:
-    resolution: {integrity: sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==}
+  acorn@8.16.0:
+    resolution: {integrity: sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==}
     engines: {node: '>=0.4.0'}
     hasBin: true
 
@@ -11500,10 +8911,6 @@ packages:
     resolution: {integrity: sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==}
     engines: {node: '>= 6.0.0'}
 
-  agent-base@7.1.4:
-    resolution: {integrity: sha512-MnA+YT8fwfJPgBx3m60MNqakm30XOkyIoH1y6huTQvC0PwZG7ki8NacLBcrPbNoo8vEZy7Jpuk7+jMO+CUovTQ==}
-    engines: {node: '>= 14'}
-
   agentcrumbs@0.5.0:
     resolution: {integrity: sha512-+1J7w+x9/DP8oF+ZMVkeXilkd81ydygENEVwLJKwhA3uGQ947DFRwld9hGqAocOcuU4DaQKIdxTzKCsFhpV1Eg==}
     engines: {node: '>=18.0.0'}
@@ -11524,66 +8931,40 @@ packages:
   ahocorasick@1.0.2:
     resolution: {integrity: sha512-hCOfMzbFx5IDutmWLAt6MZwOUjIfSM9G9FyVxytmE4Rs/5YDPWQrD/+IR1w+FweD9H2oOZEnv36TmkjhNURBVA==}
 
-  ai@4.0.0:
-    resolution: {integrity: sha512-cqf2GCaXnOPhUU+Ccq6i+5I0jDjnFkzfq7t6mc0SUSibSa1wDPn5J4p8+Joh2fDGDYZOJ44rpTW9hSs40rXNAw==}
-    engines: {node: '>=18'}
-    peerDependencies:
-      react: ^18 || ^19 || ^19.0.0-rc
-      zod: ^3.0.0
-    peerDependenciesMeta:
-      react:
-        optional: true
-      zod:
-        optional: true
-
-  ai@4.2.5:
-    resolution: {integrity: sha512-URJEslI3cgF/atdTJHtz+Sj0W1JTmiGmD3znw9KensL3qV605odktDim+GTazNJFPR4QaIu1lUio5b8RymvOjA==}
-    engines: {node: '>=18'}
-    peerDependencies:
-      react: ^18 || ^19 || ^19.0.0-rc
-      zod: ^3.23.8
-    peerDependenciesMeta:
-      react:
-        optional: true
-
-  ai@4.3.19:
-    resolution: {integrity: sha512-dIE2bfNpqHN3r6IINp9znguYdhIOheKW2LDigAMrgt/upT3B8eBGPSCblENvaZGoq+hxaN9fSMzjWpbqloP+7Q==}
+  ai@6.0.116:
+    resolution: {integrity: sha512-7yM+cTmyRLeNIXwt4Vj+mrrJgVQ9RMIW5WO0ydoLoYkewIvsMcvUmqS4j2RJTUXaF1HphwmSKUMQ/HypNRGOmA==}
     engines: {node: '>=18'}
     peerDependencies:
-      react: ^18 || ^19 || ^19.0.0-rc
-      zod: ^3.23.8
-    peerDependenciesMeta:
-      react:
-        optional: true
+      zod: ^3.25.76 || ^4.1.8
 
-  ai@5.0.14:
-    resolution: {integrity: sha512-xiujFa879skB7YxGzbeHAxepsr6AEaWcHPXrc5a9MRM6p4WdVAwn6mGwVZkBnhqGfZtXFr4LUnU2ayvcjWp5ig==}
+  ai@6.0.168:
+    resolution: {integrity: sha512-2HqCJuO+1V2aV7vfYs5LFEUfxbkGX+5oa54q/gCCTL7KLTdbxcCu5D7TdLA5kwsrs3Szgjah9q6D9tpjHM3hUQ==}
     engines: {node: '>=18'}
     peerDependencies:
-      zod: ^3.25.76 || ^4
+      zod: ^3.25.76 || ^4.1.8
 
-  ai@5.0.76:
-    resolution: {integrity: sha512-ZCxi1vrpyCUnDbtYrO/W8GLvyacV9689f00yshTIQ3mFFphbD7eIv40a2AOZBv3GGRA7SSRYIDnr56wcS/gyQg==}
+  ai@6.0.3:
+    resolution: {integrity: sha512-OOo+/C+sEyscoLnbY3w42vjQDICioVNyS+F+ogwq6O5RJL/vgWGuiLzFwuP7oHTeni/MkmX8tIge48GTdaV7QQ==}
     engines: {node: '>=18'}
     peerDependencies:
       zod: ^3.25.76 || ^4.1.8
 
-  ai@6.0.116:
-    resolution: {integrity: sha512-7yM+cTmyRLeNIXwt4Vj+mrrJgVQ9RMIW5WO0ydoLoYkewIvsMcvUmqS4j2RJTUXaF1HphwmSKUMQ/HypNRGOmA==}
+  ai@7.0.0-beta.60:
+    resolution: {integrity: sha512-grSKE/9kQtElLCnrhwriTLwXlV+5W8Ljco2KzVc5cY9egK1zwSwVyFQo3L3Al+WVxwvVT6fQjLyEdQpqJHLTrA==}
     engines: {node: '>=18'}
     peerDependencies:
       zod: ^3.25.76 || ^4.1.8
 
-  ai@6.0.3:
-    resolution: {integrity: sha512-OOo+/C+sEyscoLnbY3w42vjQDICioVNyS+F+ogwq6O5RJL/vgWGuiLzFwuP7oHTeni/MkmX8tIge48GTdaV7QQ==}
-    engines: {node: '>=18'}
+  ai@7.0.0-canary.159:
+    resolution: {integrity: sha512-9z8OkZdrISDjS3bguQ/mCYsthmr7mNbB1hTa8cRg8aAp31r1HCxVFqmc+ZXTA0FqhGb8aW46UUcjUuJcwxg5Mw==}
+    engines: {node: '>=22'}
     peerDependencies:
       zod: ^3.25.76 || ^4.1.8
 
   ajv-formats@2.1.1:
     resolution: {integrity: sha512-Wx0Kx52hxE7C18hkMEggYlEifqWZtYaRgouJor+WMdPnQyEK13vgEWyVNup7SoeeoLMsr4kf5h6dOW11I15MUA==}
     peerDependencies:
-      ajv: ^8.0.0
+      ajv: ^8.18.0
     peerDependenciesMeta:
       ajv:
         optional: true
@@ -11591,26 +8972,24 @@ packages:
   ajv-formats@3.0.1:
     resolution: {integrity: sha512-8iUql50EUR+uUcdRQ3HDqa6EVyo3docL8g5WJ3FNcWmu62IbkGUue/pEyLBW8VGKKucTPgqeks4fIU1DA4yowQ==}
     peerDependencies:
-      ajv: ^8.0.0
+      ajv: ^8.18.0
     peerDependenciesMeta:
       ajv:
         optional: true
 
-  ajv-keywords@3.5.2:
-    resolution: {integrity: sha512-5p6WTN0DdTGVQk6VjcEju19IgaHudalcfabD7yhDGeA6bcQnmL+CpveLJq/3hvfwd1aof6L386Ougkx6RfyMIQ==}
-    peerDependencies:
-      ajv: ^6.9.1
-
   ajv-keywords@5.1.0:
     resolution: {integrity: sha512-YCS/JNFAUyr5vAuhk1DWm1CBxRHW9LbJ2ozWeemrIqpbsqKjHVxYPyi5GC0rjZIT5JxJ3virVTS8wk4i/Z+krw==}
     peerDependencies:
-      ajv: ^8.8.2
+      ajv: ^8.18.0
 
   ajv@6.12.6:
     resolution: {integrity: sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==}
 
-  ajv@8.17.1:
-    resolution: {integrity: sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==}
+  ajv@8.18.0:
+    resolution: {integrity: sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==}
+
+  ajv@8.20.0:
+    resolution: {integrity: sha512-Thbli+OlOj+iMPYFBVBfJ3OmCAnaSyNn4M1vz9T6Gka5Jt9ba/HIR56joy65tY6kx/FCF5VXNB819Y7/GUrBGA==}
 
   ansi-colors@4.1.3:
     resolution: {integrity: sha512-/6w/C21Pm1A7aZitlI5Ni/2J6FFQN8i1Cvz3kHABAAbw93v/NlvKdVOqz7CCWz/3iv/JplRSEEZ83XION15ovw==}
@@ -11696,10 +9075,6 @@ packages:
   array-flatten@1.1.1:
     resolution: {integrity: sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg==}
 
-  array-includes@3.1.6:
-    resolution: {integrity: sha512-sgTbLvL6cNnw24FnbaDyjmvddQ2ML8arZsgaJhoABMoplz/4QRhtrYS+alr1BUM1Bwp6dhx8vVCBSLG+StwOFw==}
-    engines: {node: '>= 0.4'}
-
   array-includes@3.1.8:
     resolution: {integrity: sha512-itaWrbYbqpGXkGhZPGUulwnhVf5Hpy1xiCFsGqyIGglbBxmG5vSjxQen3/WGOjPpNEv1RtBLKxbmVXm8HpJStQ==}
     engines: {node: '>= 0.4'}
@@ -11720,10 +9095,6 @@ packages:
     resolution: {integrity: sha512-djYB+Zx2vLewY8RWlNCUdHjDXs2XOgm602S9E7P/UpHgfeHL00cRiIF+IN/G/aUJ7kGPb6yO/ErDI5V2s8iycA==}
     engines: {node: '>= 0.4'}
 
-  array.prototype.flatmap@1.3.1:
-    resolution: {integrity: sha512-8UGn9O1FDVvMNB0UlLv4voxRMze7+FpHyF5mSMRjWHUMlpoDViniy05870VlxhfgTnLbpuwTzvD76MTtWxB/mQ==}
-    engines: {node: '>= 0.4'}
-
   array.prototype.flatmap@1.3.2:
     resolution: {integrity: sha512-Ewyx0c9PmpcsByhSW4r+9zDU7sGjFc86qf/kKtuSCRdhfbk0SNLLkaT5qvcHnRGgc5NP/ly/y+qkXkqONX54CQ==}
     engines: {node: '>= 0.4'}
@@ -11763,9 +9134,8 @@ packages:
   ast-types-flow@0.0.7:
     resolution: {integrity: sha512-eBvWn1lvIApYMhzQMsu9ciLfkBY499mFZlNqG+/9WR7PVlroQw0vG30cOQQbaKz3sCEc44TAOu2ykzqXSNnwag==}
 
-  ast-types@0.13.4:
-    resolution: {integrity: sha512-x1FCFnFifvYDDzTaLII71vG5uvDwgtmDTEVWAxrgeiR8VjMONcCXJx7E+USjDtHlwFmt9MysbqgF9b9Vjr6w+w==}
-    engines: {node: '>=4'}
+  ast-v8-to-istanbul@1.0.2:
+    resolution: {integrity: sha512-dKmJxJsGItLmc5CYZKuEjuG6GnBs6PG4gohMhyFOWKaNQoYCuRZJDECaBlHmcG0lv2wc2E0uU8lESmBEumC3DQ==}
 
   astral-regex@2.0.0:
     resolution: {integrity: sha512-Z7tMw1ytTXt5jqMcOP+OQteU1VuNK9Y02uuJtKQ1Sv69jXQKKg5cibLwGJow8yzZP+eAc18EmLGPal0bp36rvQ==}
@@ -11788,6 +9158,9 @@ packages:
     resolution: {integrity: sha512-kNOjDqAh7px0XWNI+4QbzoiR/nTkHAWNud2uvnJquD1/x5a7EQZMJT0AczqK0Qn67oY/TTQ1LbUKajZpp3I9tQ==}
     engines: {node: '>=8.0.0'}
 
+  atomically@2.1.1:
+    resolution: {integrity: sha512-P4w9o2dqARji6P7MHprklbfiArZAWvo07yW7qs3pdljb3BWr12FIB7W+p0zJiuiVsUpRO0iZn1kFFcpPegg0tQ==}
+
   autoevals@0.0.130:
     resolution: {integrity: sha512-JS0T/YCEH13AAOGiWWGJDkIPP8LsDmRBYr3EazTukHxvd0nidOW7fGj0qVPFx2bARrSNO9AfCR6xoTP/5m3Bmw==}
 
@@ -11796,14 +9169,7 @@ packages:
     engines: {node: ^10 || ^12 || >=14}
     hasBin: true
     peerDependencies:
-      postcss: ^8.1.0
-
-  autoprefixer@10.4.14:
-    resolution: {integrity: sha512-FQzyfOsTlwVzjHxKEqRIAdJx9niO6VCBCoEwax/VLSoQF29ggECcPuBqUMZ+u8jCZOPSy8b8/8KnuFbp0SaFZQ==}
-    engines: {node: ^10 || ^12 || >=14}
-    hasBin: true
-    peerDependencies:
-      postcss: ^8.1.0
+      postcss: ^8.5.10
 
   autoprefixer@9.8.8:
     resolution: {integrity: sha512-eM9d/swFopRt5gdJ7jrpCwgvEMIayITpojhkkSMRsFHYuH5bkSQ4p/9qTEHtmNudUZh22Tehu7I6CxAW0IXTKA==}
@@ -11829,8 +9195,8 @@ packages:
     resolution: {integrity: sha512-b1WlTV8+XKLj9gZy2DZXgQiyDp9xkkoe2a6U6UbYccScq2wgH/YwCeI2/Jq2mgo0HzQxqJOjWZBLeA/mqsk5Mg==}
     engines: {node: '>=4'}
 
-  axios@1.12.2:
-    resolution: {integrity: sha512-vMJzPewAlRyOgxV2dU0Cuz2O8zzzx9VYtbJOaBgXFeLc4IV/Eg50n4LowmehOOR61S8ZMpc2K5Sa7g6A4jfkUw==}
+  axios@1.16.1:
+    resolution: {integrity: sha512-caYkukvroVPO8KrzuJEb50Hm07KwfBZPEC3VeFHTsqWHvKTsy54hjJz9BS/cdaypROE2rH6xvm9mHX4fgWkr3A==}
 
   axobject-query@3.2.1:
     resolution: {integrity: sha512-jsyHu61e6N4Vbz/v18DHwWYKK0bSWLqn47eeDSKPB7m8tqMHF9YJ+mhIk2lVteyZrY8tnSj/jHOv4YiTCuCJgg==}
@@ -11838,16 +9204,16 @@ packages:
   b4a@1.6.6:
     resolution: {integrity: sha512-5Tk1HLk6b6ctmjIkAcU/Ujv/1WqiDl0F0JdRCR80VsOcUlHcu7pWeWRlOqQLHfDEsVx9YH/aif5AG4ehoCtTmg==}
 
-  babel-walk@3.0.0:
-    resolution: {integrity: sha512-fdRxJkQ9MUSEi4jH2DcV3FAPFktk0wefilxrwNyUuWpoWawQGN7G7cB+fOYTtFfI6XNkFgwqJ/D3G18BoJJ/jg==}
-    engines: {node: '>= 10.0.0'}
-
   bail@2.0.2:
     resolution: {integrity: sha512-0xO6mYd7JB2YesxDKplafRpsiOzPt9V02ddPCLbY1xYGPOX24NTyN50qnUxgCPcSoYMhKpAuBTjQoRZCAkUDRw==}
 
   balanced-match@1.0.2:
     resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==}
 
+  balanced-match@4.0.4:
+    resolution: {integrity: sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==}
+    engines: {node: 18 || 20 || >=22}
+
   bare-events@2.8.2:
     resolution: {integrity: sha512-riJjyv1/mHLIPX4RwiK+oW9/4c3TEUeORHKefKAKnZ5kyslbN+HXowtbaVEqt4IMUB7OXlfixcs6gsFeo/jhiQ==}
     peerDependencies:
@@ -11893,6 +9259,11 @@ packages:
     resolution: {integrity: sha512-lGe34o6EHj9y3Kts9R4ZYs/Gr+6N7MCaMlIFA3F1R2O5/m7K06AxfSeO5530PEERE6/WyEg3lsuyw4GHlPZHog==}
     engines: {node: ^4.5.0 || >= 5.9}
 
+  baseline-browser-mapping@2.10.11:
+    resolution: {integrity: sha512-DAKrHphkJyiGuau/cFieRYhcTFeK/lBuD++C7cZ6KZHbMhBrisoi+EvhQ5RZrIfV5qwsW8kgQ07JIC+MDJRAhg==}
+    engines: {node: '>=6.0.0'}
+    hasBin: true
+
   baseline-browser-mapping@2.8.28:
     resolution: {integrity: sha512-gYjt7OIqdM0PcttNYP2aVrr2G0bMALkBaoehD4BuRGjAOtipg0b6wHg1yNL+s5zSnLZZrGHOw4IrND8CD+3oIQ==}
     hasBin: true
@@ -11901,11 +9272,6 @@ packages:
     resolution: {integrity: sha512-NF+epuEdnUYVlGuhaxbbq+dvJttwLnGY+YixlXlME5KpQ5W3CnXA5cVTneY3SPbPDRkcjMbifrwmFYcClgOZeg==}
     engines: {node: '>= 0.8'}
 
-  basic-ftp@5.0.3:
-    resolution: {integrity: sha512-QHX8HLlncOLpy54mh+k/sWIFd0ThmRqwe9ZjELybGZK+tZ8rUb9VO0saKJUROTbE+KhzDUT7xziGpGrW8Kmd+g==}
-    engines: {node: '>=10.0.0'}
-    deprecated: Security vulnerability fixed in 5.2.0, please upgrade
-
   bcrypt-pbkdf@1.0.2:
     resolution: {integrity: sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==}
 
@@ -11965,6 +9331,10 @@ packages:
   brace-expansion@2.0.1:
     resolution: {integrity: sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==}
 
+  brace-expansion@5.0.5:
+    resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==}
+    engines: {node: 18 || 20 || >=22}
+
   braces@3.0.3:
     resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==}
     engines: {node: '>=8'}
@@ -11990,12 +9360,14 @@ packages:
     engines: {node: ^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7}
     hasBin: true
 
+  browserslist@4.28.1:
+    resolution: {integrity: sha512-ZC5Bd0LgJXgwGqUknZY/vkUQ04r8NXnJZ3yYi4vDmSiZmC/pdSN0NbNRPxZpbtO4uAfDUAFffO8IZoM3Gj8IkA==}
+    engines: {node: ^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7}
+    hasBin: true
+
   btoa-lite@1.0.0:
     resolution: {integrity: sha512-gvW7InbIyF8AicrqWoptdW08pUxuhq8BEgowNajy9RhiE86fmGAGl+bLKo6oB8QP0CkqHLowfN0oJdKC/J6LbA==}
 
-  buffer-crc32@0.2.13:
-    resolution: {integrity: sha512-VO9Ht/+p3SN7SKWqcrgEzjGbRSJYTx+Q1pTQC0wrWqHx0vpJraQ6GtHx8tvcg1rlK1byhU5gccxgOgj7B0TDkQ==}
-
   buffer-crc32@1.0.0:
     resolution: {integrity: sha512-Db1SbgBS/fg/392AblrMJk97KggmvYhr4pB5ZIMTWtaivCPMWLkmb7m21cJvpvgK+J3nsU2CmmixNBZx4vFj/w==}
     engines: {node: '>=8.0.0'}
@@ -12026,9 +9398,6 @@ packages:
   builtins@5.0.1:
     resolution: {integrity: sha512-qwVpFEHNfhYJIzNRBvd2C1kyo6jz3ZSMPyyuR47OPdiKWlbYnZNyDWuyR175qDnAJLiCo5fBBqPb3RiXgWlkOQ==}
 
-  bun-types@1.1.17:
-    resolution: {integrity: sha512-Z4+OplcSd/YZq7ZsrfD00DKJeCwuNY96a1IDJyR73+cTBaFIS7SC6LhpY/W3AMEXO9iYq5NJ58WAwnwL1p5vKg==}
-
   bundle-name@4.1.0:
     resolution: {integrity: sha512-tjwM5exMg6BGRI+kNmTntNsvdZS1X8BFYS6tnJ2hdH0kVxM6/eVZ2xy+FqStSWvYmtfFMDLIxurorHwDKfDz5Q==}
     engines: {node: '>=18'}
@@ -12118,15 +9487,12 @@ packages:
   caniuse-lite@1.0.30001577:
     resolution: {integrity: sha512-rs2ZygrG1PNXMfmncM0B5H1hndY5ZCC9b5TkFaVNfZ+AUlyqcMyVIQtc3fsezi0NUCk5XZfDf9WS6WxMxnfdrg==}
 
-  caniuse-lite@1.0.30001699:
-    resolution: {integrity: sha512-b+uH5BakXZ9Do9iK+CkDmctUSEqZl+SP056vc5usa0PL+ev5OHw003rZXcnjNDv3L8P5j6rwT6C0BPKSikW08w==}
-
-  caniuse-lite@1.0.30001707:
-    resolution: {integrity: sha512-3qtRjw/HQSMlDWf+X79N206fepf4SOOU6SQLMaq/0KkZLmSjPxAkBOQQ+FxbHKfHmYLZFfdWsO3KA90ceHPSnw==}
-
   caniuse-lite@1.0.30001754:
     resolution: {integrity: sha512-x6OeBXueoAceOmotzx3PO4Zpt4rzpeIFsSr6AAePTZxSkXiYDUmpypEl7e2+8NCd9bD7bXjqyef8CJYPC1jfxg==}
 
+  caniuse-lite@1.0.30001793:
+    resolution: {integrity: sha512-iwSsYWaCOoh26cV8NwNRViHlrfUvYsHDfRVcbtmw0Kg6PJIZZXwMkj1442FYLBGkeUf1juAsU3DTfxW579mrPA==}
+
   case-anything@2.1.13:
     resolution: {integrity: sha512-zlOQ80VrQ2Ue+ymH5OuM/DlDq64mEm+B9UTdHULv5osUMD6HalNTblf2b1u/m6QecjsnOkBpqVZ+XPwIVsy7Ng==}
     engines: {node: '>=12.13'}
@@ -12137,18 +9503,14 @@ packages:
   ccount@2.0.1:
     resolution: {integrity: sha512-eyrF0jiFpY+3drT6383f1qhkbGsLSifNAjA61IUjZjmLCWjItY6LB9ft9YhoDgwfmclB2zhu51Lc7+95b8NRAg==}
 
-  chai@5.2.0:
-    resolution: {integrity: sha512-mCuXncKXk5iCLhfhwTc0izo0gtEmpz5CtG2y8GiOINBlMVS6v8TMRc5TaLWKS6692m9+dVVfzgeVxR5UxWHTYw==}
-    engines: {node: '>=12'}
+  chai@6.2.2:
+    resolution: {integrity: sha512-NUPRluOfOiTKBKvWPtSD4PhFvWCqOi0BGStNWs57X9js7XGTprSmFoz5F0tWhR4WPjNeR9jXqdC7/UpSJTnlRg==}
+    engines: {node: '>=18'}
 
   chalk@2.4.2:
     resolution: {integrity: sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==}
     engines: {node: '>=4'}
 
-  chalk@3.0.0:
-    resolution: {integrity: sha512-4D3B6Wf41KOYRFdszmDqMCGq5VV/uMAB273JILmO+3jAlh8X4qDtdtgCR3fxtbLEMzSx22QdhnDcJvu2u1fVwg==}
-    engines: {node: '>=8'}
-
   chalk@4.1.2:
     resolution: {integrity: sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==}
     engines: {node: '>=10'}
@@ -12180,24 +9542,17 @@ packages:
   chardet@0.7.0:
     resolution: {integrity: sha512-mT8iDcrh03qDGRRmoA2hmBJnxpllMR+0/0qlzjqZES6NdiWDcZkCNAk4rPFZ9Q85r27unkiNNg8ZOiwZXBHwcA==}
 
-  check-error@2.1.1:
-    resolution: {integrity: sha512-OAlb+T7V4Op9OwdkjmguYRqncdlx5JiofwOAUkmTF+jNdHwzTaTs4sRAGpzLF3oOz5xAyDGrPgeIDFQmDOTiJw==}
-    engines: {node: '>= 16'}
-
   cheminfo-types@1.8.1:
     resolution: {integrity: sha512-FRcpVkox+cRovffgqNdDFQ1eUav+i/Vq/CUd1hcfEl2bevntFlzznL+jE8g4twl6ElB7gZjCko6pYpXyMn+6dA==}
 
-  chevrotain-allstar@0.3.1:
-    resolution: {integrity: sha512-b7g+y9A0v4mxCW1qUhf3BSVPg+/NvGErk/dOkrDaHA0nQIQGAtrOjlX//9OQtRlSCy+x9rfB5N8yC71lH1nvMw==}
+  chevrotain-allstar@0.4.1:
+    resolution: {integrity: sha512-PvVJm3oGqrveUVW2Vt/eZGeiAIsJszYweUcYwcskg9e+IubNYKKD+rHHem7A6XVO22eDAL+inxNIGAzZ/VIWlA==}
     peerDependencies:
-      chevrotain: ^11.0.0
+      chevrotain: ^12.0.0
 
-  chevrotain@11.0.3:
-    resolution: {integrity: sha512-ci2iJH6LeIkvP9eJW6gpueU8cnZhv85ELY8w8WiFtNjMHA5ad6pQLaJo9mEly/9qUyCpvqX8/POVUTf18/HFdw==}
-
-  chokidar@3.5.3:
-    resolution: {integrity: sha512-Dr3sfKRP6oTcjf2JmUmFJfeVMvXBdegxB0iVQ5eb2V10uFJUCAS8OByZdVAyVb8xXNz3GjjTgj9kLWsZTqE6kw==}
-    engines: {node: '>= 8.10.0'}
+  chevrotain@12.0.0:
+    resolution: {integrity: sha512-csJvb+6kEiQaqo1woTdSAuOWdN0WTLIydkKrBnS+V5gZz0oqBrp4kQ35519QgK6TpBThiG3V1vNSHlIkv4AglQ==}
+    engines: {node: '>=22.0.0'}
 
   chokidar@3.6.0:
     resolution: {integrity: sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==}
@@ -12218,19 +9573,10 @@ packages:
     resolution: {integrity: sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==}
     engines: {node: '>=18'}
 
-  chrome-trace-event@1.0.3:
-    resolution: {integrity: sha512-p3KULyQg4S7NIHixdwbGX+nFHkoBiA4YQmyWtjb8XngSKV124nJmRysgAeujbUVb15vh+RvFUfCPqU7rXk+hZg==}
-    engines: {node: '>=6.0'}
-
   chrome-trace-event@1.0.4:
     resolution: {integrity: sha512-rNjApaLzuwaOTjCiT8lSDdGN1APCiqkChLMJxJPWLunPAt5fy8xgU9/jNOchV84wfIxrA0lRQB7oCT8jrn/wrQ==}
     engines: {node: '>=6.0'}
 
-  chromium-bidi@7.2.0:
-    resolution: {integrity: sha512-gREyhyBstermK+0RbcJLbFhcQctg92AGgDe/h/taMJEOLRdtSswBAO9KmvltFSQWgM2LrwWu5SIuEUbdm3JsyQ==}
-    peerDependencies:
-      devtools-protocol: '*'
-
   ci-info@3.8.0:
     resolution: {integrity: sha512-eXTggHWSooYhq49F2opQhuHWgzucfF2YgODK4e1566GQs5BIfP30B0oenwBJHfWxAs2fyPB1s7Mg949zLf61Yw==}
     engines: {node: '>=8'}
@@ -12238,8 +9584,14 @@ packages:
   citty@0.1.6:
     resolution: {integrity: sha512-tskPPKEs8D2KPafUypv2gxwJP8h/OaJmC82QQGGDQcHvXX43xF2VDACcJVmZ0EuSxkpO9Kc4MlrA3q0+FG58AQ==}
 
-  cjs-module-lexer@1.2.3:
-    resolution: {integrity: sha512-0TNiGstbQmCFwt4akjjBg5pLRTSyj/PkWQ1ZoO2zntmg9yLqSRxwEa4iCfQLGjqhiqBfOJa7W/E8wfGrTDmlZQ==}
+  citty@0.2.2:
+    resolution: {integrity: sha512-+6vJA3L98yv+IdfKGZHBNiGW5KHn22e/JwID0Strsz8h4S/csAu/OuICwxrg44k5MRiZHWIo8XXuJgQTriRP4w==}
+
+  cjs-module-lexer@1.4.3:
+    resolution: {integrity: sha512-9z8TZaGM1pfswYeXrUpzPrkx8UnWYdhJclsiYMm6x/w5+nN+8Tf/LnAgfLGQCm59qAOxU8WwHEq2vNwF6i4j+Q==}
+
+  cjs-module-lexer@2.2.0:
+    resolution: {integrity: sha512-4bHTS2YuzUvtoLjdy+98ykbNB5jS0+07EvFNXerqZQJ89F7DI6ET7OQo/HJuW6K0aVsKA9hj9/RVb2kQVOrPDQ==}
 
   class-variance-authority@0.5.2:
     resolution: {integrity: sha512-j7Qqw3NPbs4IpO80gvdACWmVvHiLLo5MECacUBLnJG17CrLpWaQ7/4OaWX6P0IO1j2nvZ7AuSfBS/ImtEUZJGA==}
@@ -12249,12 +9601,6 @@ packages:
       typescript:
         optional: true
 
-  class-variance-authority@0.7.0:
-    resolution: {integrity: sha512-jFI8IQw4hczaL4ALINxqLEXQbWcNjoSkloa4IaufXCJr6QawJyw7tuRysRsrE8w2p/4gGaxKIt/hX3qz/IbD1A==}
-
-  class-variance-authority@0.7.1:
-    resolution: {integrity: sha512-Ka+9Trutv7G8M6WT6SeiRWz792K5qEqIGEGzXKhAE6xOWAY6pPH8U+9IY3oCMv6kqTmLsv7Xh/2w2RigkePMsg==}
-
   clean-stack@2.2.0:
     resolution: {integrity: sha512-4diC9HaTE+KRAMWhDhrGOECgWZxoevMc5TlkObMqNSsVU62PYzXZ/SMTjzyGAFF1YusgxGcSWTEXBhp0CPwQ1A==}
     engines: {node: '>=6'}
@@ -12308,14 +9654,6 @@ packages:
     resolution: {integrity: sha512-EcR6r5a8bj6pu3ycsa/E/cKVGuTgZJZdsyUYHOksG/UHIiKfjxzRxYJpyVBwYaQeOvghal9fcc4PidlgzugAQg==}
     engines: {node: '>=6'}
 
-  clsx@2.0.0:
-    resolution: {integrity: sha512-rQ1+kcj+ttHG0MKVGBUXwayCCF1oh39BF5COIpRzuCEv8Mwjv0XucrI2ExNTOn9IlLifGClWQcU9BrZORvtw6Q==}
-    engines: {node: '>=6'}
-
-  clsx@2.1.0:
-    resolution: {integrity: sha512-m3iNNWpd9rl3jvvcBnu70ylMdrXt8Vlq4HYadnU5fwcOtvkSQWPmj7amUcDT2qYI7risszBjI5AUIUox9D16pg==}
-    engines: {node: '>=6'}
-
   clsx@2.1.1:
     resolution: {integrity: sha512-eYm0QWBtUrBWZWG0d386OGAw16Z995PiOVo2B7bjWSbHedGl5e0ZWaq65kOGgUSNesEIDkB9ISbTg/JK9dhCZA==}
     engines: {node: '>=6'}
@@ -12346,10 +9684,6 @@ packages:
   color@3.2.1:
     resolution: {integrity: sha512-aBl7dZI9ENN6fUGC7mWpMTPNHmWUSNan9tuWN6ahh5ZLNk9baLJOnSMlrQkHcrfFgz2/RigjUVAjdx36VcemKA==}
 
-  color@4.2.3:
-    resolution: {integrity: sha512-1rXeuUUiGGrykh+CeBdu5Ie7OJwinCgQY0bc7GCRxy5xVHy+moaqkpL/jqQq0MtQOeYcrqEz4abc5f0KtU7W4A==}
-    engines: {node: '>=12.5.0'}
-
   combined-stream@1.0.8:
     resolution: {integrity: sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==}
     engines: {node: '>= 0.8'}
@@ -12361,9 +9695,9 @@ packages:
     resolution: {integrity: sha512-y4Mg2tXshplEbSGzx7amzPwKKOCGuoSRP/CjEdwwk0FOGlUbq6lKuoyDZTNZkmxHdJtp54hdfY/JUrdL7Xfdug==}
     engines: {node: '>=14'}
 
-  commander@11.1.0:
-    resolution: {integrity: sha512-yPVavfyCcRhmorC7rWlkHn15b4wDVgVmBA7kV4QVBsF7kv/9TKJAbAXVTxvTnwP8HHKjRCJDClKbciiYS7p0DQ==}
-    engines: {node: '>=16'}
+  commander@13.1.0:
+    resolution: {integrity: sha512-/rFeCpNJQbhSZjGVwO9RFV3xPqbnERS8MmIQzCtD/zl6gpJuV/bMLuN92oG3F7d8oDEHHRrujSXNUr8fpjntKw==}
+    engines: {node: '>=18'}
 
   commander@2.20.3:
     resolution: {integrity: sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==}
@@ -12388,9 +9722,6 @@ packages:
     resolution: {integrity: sha512-KRs7WVDKg86PWiuAqhDrAQnTXZKraVcCc6vFdL14qrZ/DcWwuRo7VoiYXalXO7S5GKpqYiVEwCbgFDfxNHKJBQ==}
     engines: {node: ^12.20.0 || >=14}
 
-  compare-versions@6.1.1:
-    resolution: {integrity: sha512-4hm4VPpIecmlg59CHXnRDnqGplJFrbLG4aFEl5vl6cK1u76ws3LLvX7ikFnTDl5vo39sjWD6AaDPYodJp/NNHg==}
-
   component-emitter@1.3.1:
     resolution: {integrity: sha512-T0+barUSQRTUQASh8bx02dl+DhF54GtIDY13Y3m9oWTklKbb3Wv974meRpeZ3lp1JpLVECWWNHC4vaG2XHXouQ==}
 
@@ -12406,6 +9737,10 @@ packages:
     resolution: {integrity: sha512-jaSIDzP9pZVS4ZfQ+TzvtiWhdpFhE2RDHz8QJkpX9SIpLq88VueF5jJw6t+6CUQcAoA6t+x89MLrWAqpfDE8iQ==}
     engines: {node: '>= 0.8.0'}
 
+  compression@1.8.1:
+    resolution: {integrity: sha512-9mAqGPHLakhCLeNyxPkK4xVo746zQ/czLH1Ky+vkitMnWfWZps8r0qXuwhwizagCRttsL4lfG4pIOvaWLpAP0w==}
+    engines: {node: '>= 0.8.0'}
+
   compute-cosine-similarity@1.1.0:
     resolution: {integrity: sha512-FXhNx0ILLjGi9Z9+lglLzM12+0uoTnYkHm7GiadXDAr0HGVLm25OivUS1B/LPkbzzvlcXz/1EvWg9ZYyJSdhTw==}
 
@@ -12418,6 +9753,10 @@ packages:
   concat-map@0.0.1:
     resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==}
 
+  conf@15.1.0:
+    resolution: {integrity: sha512-Uy5YN9KEu0WWDaZAVJ5FAmZoaJt9rdK6kH+utItPyGsCqCgaTKkrmZx3zoE0/3q6S3bcp3Ihkk+ZqPxWxFK5og==}
+    engines: {node: '>=20'}
+
   confbox@0.1.8:
     resolution: {integrity: sha512-RMtmw0iFkeR4YV+fUOSucriAQNb9g8zFR52MWCtl+cCZOFRNL6zeB395vPzFhEjjn4fMxXudmELnl/KF/WrK6w==}
 
@@ -12446,13 +9785,12 @@ packages:
   convert-source-map@1.9.0:
     resolution: {integrity: sha512-ASFBup0Mz1uyiIjANan1jzLQami9z1PoYSZCiiYW2FczPbenXc45FZdBZLzOT+r6+iciuEModtmCti+hjaAk0A==}
 
+  convert-source-map@2.0.0:
+    resolution: {integrity: sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==}
+
   cookie-signature@1.0.6:
     resolution: {integrity: sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ==}
 
-  cookie-signature@1.2.0:
-    resolution: {integrity: sha512-R0BOPfLGTitaKhgKROKZQN6iyq2iDQcH1DOF8nJoaWapguX5bC2w+Q/I9NmmM5lfcvEarnLZr+cCvmEYYSXvYA==}
-    engines: {node: '>=6.6.0'}
-
   cookie-signature@1.2.2:
     resolution: {integrity: sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==}
     engines: {node: '>=6.6.0'}
@@ -12469,6 +9807,10 @@ packages:
     resolution: {integrity: sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==}
     engines: {node: '>= 0.6'}
 
+  cookie@0.7.2:
+    resolution: {integrity: sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==}
+    engines: {node: '>= 0.6'}
+
   cookie@1.0.2:
     resolution: {integrity: sha512-9Kr/j4O16ISv8zBBhJoi4bXOYNTkFLOqSL3UDB0njXxCXNezjeyVrJyGOWtgfs/q2km1gwBcfH8q1yEGoMYunA==}
     engines: {node: '>=18'}
@@ -12604,6 +9946,10 @@ packages:
     resolution: {integrity: sha512-tRpdppF7TRazZrjJ6v3stzv93qxRcSsFmW6cX0Zm2NVKpxE1WV1HblnghVv9TreireHkqI/VDEsfolRF1p6y7Q==}
     engines: {node: '>=8.0.0'}
 
+  css-tree@3.2.1:
+    resolution: {integrity: sha512-X7sjQzceUhu1u7Y/ylrRZFU2FS6LRiFVp6rKLPg23y3x3c3DOKAwuXGDp+PAGjh6CSnCjYeAul8pcT8bAl+lSA==}
+    engines: {node: ^10 || ^12.20.0 || ^14.13.0 || >=15.0.0}
+
   css-unit-converter@1.1.2:
     resolution: {integrity: sha512-IiJwMC8rdZE0+xiEZHeru6YoONC4rfPMqGm2W85jMIbkFvv5nFTwJVFHam2eFrN6txmoUYFAFXiv8ICVeTO0MA==}
 
@@ -12611,9 +9957,6 @@ packages:
     resolution: {integrity: sha512-arSMRWIIFY0hV8pIxZMEfmMI47Wj3R/aWpZDDxWYCPEiOMv6tfOrnpDtgxBYPEQD4V0Y/958+1TdC3iWTFcUPw==}
     engines: {node: '>= 6'}
 
-  css.escape@1.5.1:
-    resolution: {integrity: sha512-YUifsXXuknHlUsmlgyY0PKzgPOr7/FjCePfHNt0jxm83wHZi44VDMQ7/fGNkjY3/jV1MC+1CmZbaHzugyeRtpg==}
-
   cssesc@3.0.0:
     resolution: {integrity: sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==}
     engines: {node: '>=4'}
@@ -12625,9 +9968,6 @@ packages:
   csstype@3.1.3:
     resolution: {integrity: sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw==}
 
-  csstype@3.2.0:
-    resolution: {integrity: sha512-si++xzRAY9iPp60roQiFta7OFbhrgvcthrhlNAGeQptSY25uJjkfUV8OArC3KLocB8JT8ohz+qgxWCmz8RhjIg==}
-
   csstype@3.2.3:
     resolution: {integrity: sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==}
 
@@ -12801,8 +10141,8 @@ packages:
     resolution: {integrity: sha512-e1U46jVP+w7Iut8Jt8ri1YsPOvFpg46k+K8TpCb0P+zjCkjkPnV7WzfDJzMHy1LnA+wj5pLT1wjO901gLXeEhA==}
     engines: {node: '>=12'}
 
-  dagre-d3-es@7.0.11:
-    resolution: {integrity: sha512-tvlJLyQf834SylNKax8Wkzco/1ias1OPw8DcUMDE7oUIoSEW25riQVuiu/0OWEFqT0cxHT3Pa9/D82Jr47IONw==}
+  dagre-d3-es@7.0.14:
+    resolution: {integrity: sha512-P4rFMVq9ESWqmOgK+dlXvOtLwYg0i7u0HBGJER0LZDJT2VHIPAMZ/riPxqJceWMStH5+E61QxFra9kIS3AqdMg==}
 
   damerau-levenshtein@1.0.8:
     resolution: {integrity: sha512-sdQSFB7+llfUcQHUQO3+B8ERRj0Oa4w9POWMI/puGtuf7gFywGmkaLCElnudfTiKZV+NvHqL0ifzdrI8Ro7ESA==}
@@ -12815,10 +10155,6 @@ packages:
     resolution: {integrity: sha512-WboRycPNsVw3B3TL559F7kuBUM4d8CgMEvk6xEJlOp7OBPjt6G7z8WMWlD2rOFZLk6OYfFIUGsCOWzcQH9K2og==}
     engines: {node: '>= 6'}
 
-  data-uri-to-buffer@5.0.1:
-    resolution: {integrity: sha512-a9l6T1qqDogvvnw0nKlfZzqsyikEBZBClF39V3TFoKhDtGBqHu2HkuomJc02j5zft8zrUaXEuoicLeW54RkzPg==}
-    engines: {node: '>= 14'}
-
   data-view-buffer@1.0.1:
     resolution: {integrity: sha512-0lht7OugA5x3iJLOWFhWK/5ehONdprk0ISXqVFn/NFrDu+cuc8iADFrGQz5BnRK7LLU3JmkbXSxaqX+/mXYtUA==}
     engines: {node: '>= 0.4'}
@@ -12840,11 +10176,12 @@ packages:
   date-fns@4.1.0:
     resolution: {integrity: sha512-Ukq0owbQXxa/U3EGtsdVBkR1w7KOQ5gIBqdH2hkvknzZPYvBxb/aa6E8L7tmjFtkwZBu3UXBbjIgPo/Ez4xaNg==}
 
-  dayjs@1.11.18:
-    resolution: {integrity: sha512-zFBQ7WFRvVRhKcWoUh+ZA1g2HVgUbsZm9sbddh8EC5iv93sui8DVVz1Npvz+r6meo9VKfa8NyLWBsQK1VvIKPA==}
+  dayjs@1.11.20:
+    resolution: {integrity: sha512-YbwwqR/uYpeoP4pu043q+LTDLFBLApUP6VxRihdfNTqu4ubqMlGDLd6ErXhEgsyvY0K6nCs7nggYumAN+9uEuQ==}
 
-  debounce@1.2.1:
-    resolution: {integrity: sha512-XRRe6Glud4rd/ZGQfiV1ruXSfbvfJedlV9Y6zOlP+2K04vBYiJEte6stfFkCP03aMnY5tsipamumUjL14fofug==}
+  debounce-fn@6.0.0:
+    resolution: {integrity: sha512-rBMW+F2TXryBwB54Q0d8drNEI+TfoS9JpNTAoVpukbWEhjXQq4rySFYLaqXMFXwdv61Zb2OHtj5bviSoimqxRQ==}
+    engines: {node: '>=18'}
 
   debounce@2.0.0:
     resolution: {integrity: sha512-xRetU6gL1VJbs85Mc4FoEGSjQxzpdxRyFhe3lmWFyy2EzydIcD4xzUvRJMD+NPDfMwKNhxa3PvsIOU32luIWeA==}
@@ -12902,15 +10239,6 @@ packages:
       supports-color:
         optional: true
 
-  debug@4.4.1:
-    resolution: {integrity: sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ==}
-    engines: {node: '>=6.0'}
-    peerDependencies:
-      supports-color: '*'
-    peerDependenciesMeta:
-      supports-color:
-        optional: true
-
   debug@4.4.3:
     resolution: {integrity: sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==}
     engines: {node: '>=6.0'}
@@ -12945,10 +10273,6 @@ packages:
     resolution: {integrity: sha512-aW35yZM6Bb/4oJlZncMH2LCoZtJXTRxES17vE3hoRiowU2kWHaJKFkSBDnDR+cm9J+9QhXmREyIfv0pji9ejCQ==}
     engines: {node: '>=10'}
 
-  deep-eql@5.0.2:
-    resolution: {integrity: sha512-h5k/5U50IJJFpzfL6nO9jaaumfjO/f2NjK/oYB2Djzm4p9L+3T9qWpZqZ2hAbLPuuYq9wrU08WQyBTL5GbPk5Q==}
-    engines: {node: '>=6'}
-
   deep-extend@0.6.0:
     resolution: {integrity: sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==}
     engines: {node: '>=4.0.0'}
@@ -13004,12 +10328,8 @@ packages:
   defined@1.0.1:
     resolution: {integrity: sha512-hsBd2qSVCRE+5PmNdHt1uzyrFu5d3RwmFDKzyNZMFq/EwDNJF7Ee5+D5oEKF0hU6LhtoUF1macFvOe4AskQC1Q==}
 
-  defu@6.1.4:
-    resolution: {integrity: sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==}
-
-  degenerator@5.0.1:
-    resolution: {integrity: sha512-TllpMR/t0M5sqCXfj85i4XaAzxmS5tVA16dqvdkMwGmzI+dXLXnw3J+3Vdv7VKw+ThlTMboK6i9rnZ6Nntj5CQ==}
-    engines: {node: '>= 14'}
+  defu@6.1.7:
+    resolution: {integrity: sha512-7z22QmUWiQ/2d0KkdYmANbRUVABpZ9SNYyH5vx6PZ+nE5bcC0l7uFvEfHlyld/HcGBFTL536ClDt3DEcSlEJAQ==}
 
   delaunator@5.0.1:
     resolution: {integrity: sha512-8nvh+XBe96aCESrGOqMp/84b13H9cdKbG5P2ejQCh4d4sK9RL4371qou9drQjMhvnPmhWl5hnmqbEE0fXr9Xnw==}
@@ -13064,18 +10384,12 @@ packages:
   devlop@1.1.0:
     resolution: {integrity: sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA==}
 
-  devtools-protocol@0.0.1464554:
-    resolution: {integrity: sha512-CAoP3lYfwAGQTaAXYvA6JZR0fjGUb7qec1qf4mToyoH2TZgUFeIqYcjh6f9jNuhHfuZiEdH+PONHYrLhRQX6aw==}
-
   dezalgo@1.0.4:
     resolution: {integrity: sha512-rXSP0bf+5n0Qonsb+SVVfNfIsimO4HEtmnIpPHY8Q1UCzKlQrDMfdobr8nJOOsRgWCyMRqeSBQzmWUMq7zvVig==}
 
   didyoumean@1.2.2:
     resolution: {integrity: sha512-gxtyfqMg7GKyhQmb056K7M3xszy/myH8w+B4RT+QXBQsvAOdc3XymqDDPHx1BgPgsdAA5SIifona89YtRATDzw==}
 
-  diff-match-patch@1.0.5:
-    resolution: {integrity: sha512-IayShXAgj/QMXgB0IWmKx+rOPuGMhqm5w6jvFxmVenXKIzRqTAAsbBPT3kWQeGANj3jGgvcvv4yK6SxqYmikgw==}
-
   diff@5.1.0:
     resolution: {integrity: sha512-D+mk+qE8VC/PAUrlAU34N+VfXev0ghe5ywmpqrawphmVZc1bEfn56uo9qpyGp1p4xpzOHkSW4ztBd6L7Xx4ACw==}
     engines: {node: '>=0.3.1'}
@@ -13090,14 +10404,22 @@ packages:
   dlv@1.1.3:
     resolution: {integrity: sha512-+HlytyjlPKnIG8XuRG8WvmBP8xs8P71y+SKKS6ZXWoEgLuePxtDoUEiH7WkdePWrQ5JBpE6aoVqfZfJUQkjXwA==}
 
-  docker-compose@0.24.8:
-    resolution: {integrity: sha512-plizRs/Vf15H+GCVxq2EUvyPK7ei9b/cVesHvjnX4xaXjM9spHe2Ytq0BitndFgvTJ3E3NljPNUEl7BAN43iZw==}
+  docker-compose@1.4.2:
+    resolution: {integrity: sha512-rPHigTKGaEHpkUmfd69QgaOp+Os5vGJwG/Ry8lcr8W/382AmI+z/D7qoa9BybKIkqNppaIbs8RYeHSevdQjWww==}
     engines: {node: '>= 6.0.0'}
 
   docker-modem@5.0.6:
     resolution: {integrity: sha512-ens7BiayssQz/uAxGzH8zGXCtiV24rRWXdjNha5V4zSOcxmAZsfGVm/PPFbwQdqEkDnhG+SyR9E3zSHUbOKXBQ==}
     engines: {node: '>= 8.0'}
 
+  docker-modem@5.0.7:
+    resolution: {integrity: sha512-XJgGhoR/CLpqshm4d3L7rzH6t8NgDFUIIpztYlLHIApeJjMZKYJMz2zxPsYxnejq5h3ELYSw/RBsi3t5h7gNTA==}
+    engines: {node: '>= 8.0'}
+
+  dockerode@4.0.10:
+    resolution: {integrity: sha512-8L/P9JynLBiG7/coiA4FlQXegHltRqS0a+KqI44P1zgQh8QLHTg7FKOwhkBgSJwZTeHsq30WRoVFLuwkfK0YFg==}
+    engines: {node: '>= 8.0'}
+
   dockerode@4.0.6:
     resolution: {integrity: sha512-FbVf3Z8fY/kALB9s+P9epCpWhfi/r0N2DgYYcYpsAUlaTxPjdsitsFobnltb+lyCgAIvf9C+4PSWlTnHlJMf1w==}
     engines: {node: '>= 8.0'}
@@ -13113,9 +10435,6 @@ packages:
   dom-accessibility-api@0.5.15:
     resolution: {integrity: sha512-8o+oVqLQZoruQPYy3uAAQtc6YbtSiRq5aPJBhJ82YTJRHvI6ofhYAkC81WmjFTnfUbqg6T3aCglIpU9p/5e7Cw==}
 
-  dom-accessibility-api@0.6.3:
-    resolution: {integrity: sha512-7ZgogeTnjuHbo+ct10G9Ffp0mif17idi0IyWNVA/wcwcm7NPOD/WEHVP3n7n3MhXqxoIYm8d6MuZohYWIZ4T3w==}
-
   dom-helpers@5.2.1:
     resolution: {integrity: sha512-nRCa7CK3VTrM2NmGkIy4cbK7IZlgBE/PYMn55rrXefr5xXDP0LdtfPnblFDoVdcAfslJ7or6iqAUnx0CCGIWQA==}
 
@@ -13129,12 +10448,16 @@ packages:
     resolution: {integrity: sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==}
     engines: {node: '>= 4'}
 
-  dompurify@3.2.6:
-    resolution: {integrity: sha512-/2GogDQlohXPZe6D6NOgQvXLPSYBqIWMnZ8zzOhn09REE4eyAzb+Hed3jhoM9OkuaJ8P6ZGTTVWQKAi8ieIzfQ==}
+  dompurify@3.4.1:
+    resolution: {integrity: sha512-JahakDAIg1gyOm7dlgWSDjV4n7Ip2PKR55NIT6jrMfIgLFgWo81vdr1/QGqWtFNRqXP9UV71oVePtjqS2ebnPw==}
 
   domutils@3.0.1:
     resolution: {integrity: sha512-z08c1l761iKhDFtfXO04C7kTdPBLi41zwOZl00WS8b5eiaebNpY00HKbztwBq+e3vyqWNwWF3mP9YLUeqIrF+Q==}
 
+  dot-prop@10.1.0:
+    resolution: {integrity: sha512-MVUtAugQMOff5RnBy2d9N31iG0lNwg1qAoAOn7pOK5wf94WIaE3My2p3uwTQuvS2AcqchkcR3bHByjaM0mmi7Q==}
+    engines: {node: '>=20'}
+
   dotenv@16.0.3:
     resolution: {integrity: sha512-7GO6HghkA5fYG9TYnNxi14/7K9f5occMlp3zXAuSxn7CKCxt9xbNWG7yF8hTCSUchlfWSe3uLmlPfigevRItzQ==}
     engines: {node: '>=12'}
@@ -13155,10 +10478,6 @@ packages:
     resolution: {integrity: sha512-uBq4egWHTcTt33a72vpSG0z3HnPuIl6NqYcTrKEg2azoEyl2hpW0zqlxysq2pK9HlDIHyHyakeYaYnSAwd8bow==}
     engines: {node: '>=12'}
 
-  dotenv@17.2.3:
-    resolution: {integrity: sha512-JVUnt+DUIzu87TABbhPmNfVdBDt18BLOWjMUFJMSi/Qqg7NTYtabbvSNJGOJ7afbRuv9D/lngizHtP7QyLQ+9w==}
-    engines: {node: '>=12'}
-
   dotenv@8.6.0:
     resolution: {integrity: sha512-IrPdXQsk2BbzvCBGBOTmmSH5SodmqZNt4ERAZDmW4CT+tL8VtvinqywuANaFu4bOMWki16nqf0e4oC0QIaDr/g==}
     engines: {node: '>=10'}
@@ -13173,19 +10492,12 @@ packages:
   duplexer3@0.1.5:
     resolution: {integrity: sha512-1A8za6ws41LQgv9HrE/66jyC5yuSjQ3L/KOpFtoBilsAK2iA2wuS5rTt1OCzIvtS2V7nVmedsUU+DGRcjBmOYA==}
 
-  duplexer@0.1.2:
-    resolution: {integrity: sha512-jtD6YG370ZCIi/9GTaJKQxWTZD045+4R4hTk/x1UyoqadyJ9x9CgSi1RlVDQF8U2sxLLSnFkCaMihqljHIWgMg==}
-
   duplexify@3.7.1:
     resolution: {integrity: sha512-07z8uv2wMyS51kKhD1KsdXJg5WQ6t93RneqRxUHnskXVtlYYkLqM0gqStQZ3pj073g687jPCHrqNfCzawLYh5g==}
 
   duplexify@4.1.3:
     resolution: {integrity: sha512-M3BmBhwJRZsSx38lZyhE53Csddgzl5R7xGJNk7CVddZD6CcmwMCH8J+7AprIrQKH7TonKxaCjcv27Qmf+sQ+oA==}
 
-  e2b@1.2.1:
-    resolution: {integrity: sha512-ii/Bw55ecxgORqkArKNbuVTwqLgVZ0rH1X3J/NOe4LMZaVETm3qNpPBjoPkpQAsQjw2ew0Ad2sd54epqm9nLCw==}
-    engines: {node: '>=18'}
-
   eastasianwidth@0.2.0:
     resolution: {integrity: sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==}
 
@@ -13203,9 +10515,6 @@ packages:
   ee-first@1.1.1:
     resolution: {integrity: sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==}
 
-  effect@3.11.7:
-    resolution: {integrity: sha512-laj+TCxWGn0eOv6jNmS9vavMO01Z4vvRr7v5airaOUfE7Zr5PrHiECpiI5HRvOewxa1im/4EcOvRodOZ1S2Y7Q==}
-
   effect@3.16.12:
     resolution: {integrity: sha512-N39iBk0K71F9nb442TLbTkjl24FLUzuvx2i1I2RsEAQsdAdUTuUoW0vlfUXgkMTUOnYqKnWcFfqw4hK4Pw27hg==}
 
@@ -13215,8 +10524,8 @@ packages:
   effect@3.18.4:
     resolution: {integrity: sha512-b1LXQJLe9D11wfnOKAk3PKxuqYshQ0Heez+y5pnkd3jLj1yx9QhM72zZ9uUrOQyNvrs2GZZd/3maL0ZV18YuDA==}
 
-  effect@3.7.2:
-    resolution: {integrity: sha512-pV7l1+LSZFvVObj4zuy4nYiBaC7qZOfrKV6s/Ef4p3KueiQwZFgamazklwyZ+x7Nyj2etRDFvHE/xkThTfQD1w==}
+  effect@3.21.2:
+    resolution: {integrity: sha512-rXd2FGDM8KdjSIrc+mqEELo7ScW7xTVxEf1iInmPSpIde9/nyGuFM710cjTo7/EreGXiUX2MOonPpprbz2XHCg==}
 
   electron-to-chromium@1.4.433:
     resolution: {integrity: sha512-MGO1k0w1RgrfdbLVwmXcDhHHuxCn2qRgR7dYsJvWFKDttvYPx6FNzCGG0c/fBBvzK2LDh3UV7Tt9awnHnvAAUQ==}
@@ -13224,8 +10533,8 @@ packages:
   electron-to-chromium@1.5.252:
     resolution: {integrity: sha512-53uTpjtRgS7gjIxZ4qCgFdNO2q+wJt/Z8+xAvxbCqXPJrY6h7ighUkadQmNMXH96crtpa6gPFNP7BF4UBGDuaA==}
 
-  electron-to-chromium@1.5.98:
-    resolution: {integrity: sha512-bI/LbtRBxU2GzK7KK5xxFd2y9Lf9XguHooPYbcXWy6wUoT8NMnffsvRhPmSeUHLSDKAEtKuTaEtK4Ms15zkIEA==}
+  electron-to-chromium@1.5.325:
+    resolution: {integrity: sha512-PwfIw7WQSt3xX7yOf5OE/unLzsK9CaN2f/FvV3WjPR1Knoc1T9vePRVV4W1EM301JzzysK51K7FNKcusCr0zYA==}
 
   emoji-regex@8.0.0:
     resolution: {integrity: sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==}
@@ -13254,6 +10563,9 @@ packages:
   end-of-stream@1.4.4:
     resolution: {integrity: sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q==}
 
+  end-of-stream@1.4.5:
+    resolution: {integrity: sha512-ooEGc6HP26xXq/N+GCGOT0JKCLDGrq2bQUZrQ7gyrJiZANJ/8YDTxTpQBXGMn+WbIQXNVpyWymm7KYVICQnyOg==}
+
   engine.io-client@6.5.3:
     resolution: {integrity: sha512-9Z0qLB0NIisTRt1DZ/8U2k12RJn8yls/nXMZLn+/N8hANT3TcYjKFKcwbw5zFQiN4NTde3TSY9zb79e1ij6j9Q==}
 
@@ -13265,9 +10577,9 @@ packages:
     resolution: {integrity: sha512-KdVSDKhVKyOi+r5uEabrDLZw2qXStVvCsEB/LN3mw4WFi6Gx50jTyuxYVCwAAC0U46FdnzP/ScKRBTXb/NiEOg==}
     engines: {node: '>=10.2.0'}
 
-  enhanced-resolve@5.15.0:
-    resolution: {integrity: sha512-LXYT42KJ7lpIKECr2mAXIaMldcNCh/7E0KBKOu4KSfkHmP+mZmSs+8V5gBAqisWBy0OO4W5Oyys0GO1Y8KtdKg==}
-    engines: {node: '>=10.13.0'}
+  engine.io@6.6.8:
+    resolution: {integrity: sha512-2agL3ueZhqxoVrfmntO8yuVj+uNSlIOnhykYHk3Cq0ShYPdUjjUiSJrQvXjq01I9jAuI0Zl2YO8Evv5Mqytm5g==}
+    engines: {node: '>=10.2.0'}
 
   enhanced-resolve@5.18.3:
     resolution: {integrity: sha512-d4lC8xfavMeBjzGr2vECC3fsGXziXZQyJxD868h2M/mBI3PwAuODxAkLkq5HYuvrPYcUtiLzsTo8U3PgX3Ocww==}
@@ -13289,6 +10601,10 @@ packages:
     resolution: {integrity: sha512-+h1lkLKhZMTYjog1VEpJNG7NZJWcuc2DDk/qsqSTRRCOXiLjeQ1d1/udrUGhqMxUgAlwKNZ0cf2uqan5GLuS2A==}
     engines: {node: '>=6'}
 
+  env-paths@3.0.0:
+    resolution: {integrity: sha512-dtJUTepzMW3Lm/NPxRf3wP4642UWhjL2sQxc+ym2YMj1m/H2zDNQOlezafzkHwn6sMstjHTwG6iQQsctDW/b1A==}
+    engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
+
   environment@1.1.0:
     resolution: {integrity: sha512-xUtoPkMggbz0MPyPiIWr1Kp4aeWJjDZ6SMvURhimjdZgsRuDplF5/s9hcgGhyXMhs+6vpnuoiZ2kFiu3FMnS8Q==}
     engines: {node: '>=18'}
@@ -13321,9 +10637,8 @@ packages:
   es-module-lexer@1.7.0:
     resolution: {integrity: sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==}
 
-  es-object-atoms@1.0.0:
-    resolution: {integrity: sha512-MZ4iQ6JwHOBQjahnjwaC1ZtIBH+2ohjamzAO3oaHcXYup7qxjF2fixyH+Q71voWHeOkI2q/TnJao/KfXYIZWbw==}
-    engines: {node: '>= 0.4'}
+  es-module-lexer@2.1.0:
+    resolution: {integrity: sha512-n27zTYMjYu1aj4MjCWzSP7G9r75utsaoc8m61weK+W8JMBGGQybd43GstCXZ3WNmSFtGT9wi59qQTW6mhTR5LQ==}
 
   es-object-atoms@1.1.1:
     resolution: {integrity: sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==}
@@ -13333,17 +10648,10 @@ packages:
     resolution: {integrity: sha512-g3OMbtlwY3QewlqAiMLI47KywjWZoEytKr8pf6iTC8uJq5bIAH52Z9pnQ8pVL6whrCto53JZDuUIsifGeLorTg==}
     engines: {node: '>= 0.4'}
 
-  es-set-tostringtag@2.0.3:
-    resolution: {integrity: sha512-3T8uNMC3OQTHkFUsFq8r/BwAXLHvU/9O9mE0fBc/MY5iq/8H7ncvO947LmYA6ldWw9Uh8Yhf25zu6n7nML5QWQ==}
-    engines: {node: '>= 0.4'}
-
   es-set-tostringtag@2.1.0:
     resolution: {integrity: sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==}
     engines: {node: '>= 0.4'}
 
-  es-shim-unscopables@1.0.0:
-    resolution: {integrity: sha512-Jm6GPcCdC30eMLbZ2x8z2WuRwAws3zTBBKuusffYVUrNj/GVSUAZ+xKMaUpfNDR5IbyNA5LJbaecoUVbmUcB1w==}
-
   es-shim-unscopables@1.0.2:
     resolution: {integrity: sha512-J3yBRXCzDu4ULnQwxyToo/OjdMx6akgVC7K6few0a7F/0wLtmKKN7I73AH5T2836UuXRqN7Qg+IIUw/+YJksRw==}
 
@@ -13497,11 +10805,6 @@ packages:
     engines: {node: '>=12'}
     hasBin: true
 
-  esbuild@0.21.5:
-    resolution: {integrity: sha512-mg3OPMV4hXywwpoDxu3Qda5xCKQi+vCTZq8S9J/EpkhB2HzKXq4SNFZE3+NK93JYxc8VMSep+lOUSC/RVKaBqw==}
-    engines: {node: '>=12'}
-    hasBin: true
-
   esbuild@0.23.0:
     resolution: {integrity: sha512-1lvV17H2bMYda/WaFb2jLPeHU3zml2k4/yagNMG8Q/YtfMjCwEUZa2eXXMgZTVSL5q1n4H7sQ0X6CdJDqqeCFA==}
     engines: {node: '>=18'}
@@ -13517,6 +10820,11 @@ packages:
     engines: {node: '>=18'}
     hasBin: true
 
+  esbuild@0.28.0:
+    resolution: {integrity: sha512-sNR9MHpXSUV/XB4zmsFKN+QgVG82Cc7+/aaxJ8Adi8hyOac+EXptIp45QBPaVyX3N70664wRbTcLTOemCAnyqw==}
+    engines: {node: '>=18'}
+    hasBin: true
+
   escalade@3.2.0:
     resolution: {integrity: sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==}
     engines: {node: '>=6'}
@@ -13536,28 +10844,12 @@ packages:
     resolution: {integrity: sha512-/veY75JbMK4j1yjvuUxuVsiS/hr/4iHs9FTT6cgTexxdE0Ly/glccBAkloH/DofkjRbZU3bnoj38mOmhkZ0lHw==}
     engines: {node: '>=12'}
 
-  escodegen@2.1.0:
-    resolution: {integrity: sha512-2NlIDTwUWJN0mRPQOdtQBzbUHvdGY2P1VXSyU83Q3xKxM7WHX2Ql8dKq782Q9TgQUNOLEzEYu9bzLNj1q88I5w==}
-    engines: {node: '>=6.0'}
-    hasBin: true
-
   eslint-config-prettier@8.6.0:
     resolution: {integrity: sha512-bAF0eLpLVqP5oEVUFKpMA+NnRFICwn9X8B5jrR9FcqnYBuPbqWEjTEspPWMj5ye6czoSLDweCzSo3Ko7gGrZaA==}
     hasBin: true
     peerDependencies:
       eslint: '>=7.0.0'
 
-  eslint-config-prettier@9.0.0:
-    resolution: {integrity: sha512-IcJsTkJae2S35pRsRAwoCE+925rJJStOdkKnLVgtE+tEpqU0EVVM7OqrwxqgptKdX29NUwC82I5pXsGFIgSevw==}
-    hasBin: true
-    peerDependencies:
-      eslint: '>=7.0.0'
-
-  eslint-config-turbo@1.10.12:
-    resolution: {integrity: sha512-z3jfh+D7UGYlzMWGh+Kqz++hf8LOE96q3o5R8X4HTjmxaBWlLAWG+0Ounr38h+JLR2TJno0hU9zfzoPNkR9BdA==}
-    peerDependencies:
-      eslint: '>6.6.0'
-
   eslint-import-resolver-node@0.3.7:
     resolution: {integrity: sha512-gozW2blMLJCeFpBwugLTGyvVjNoeo1knonXAcatC6bjPBZitotxdWf7Gimr25N4c0AAOo4eOUfaG82IJPDpqCA==}
 
@@ -13571,27 +10863,6 @@ packages:
       eslint: '*'
       eslint-plugin-import: '*'
 
-  eslint-module-utils@2.7.4:
-    resolution: {integrity: sha512-j4GT+rqzCoRKHwURX7pddtIPGySnX9Si/cgMI5ztrcqOPtk5dDEeZ34CQVPphnqkJytlc97Vuk05Um2mJ3gEQA==}
-    engines: {node: '>=4'}
-    peerDependencies:
-      '@typescript-eslint/parser': '*'
-      eslint: '*'
-      eslint-import-resolver-node: '*'
-      eslint-import-resolver-typescript: '*'
-      eslint-import-resolver-webpack: '*'
-    peerDependenciesMeta:
-      '@typescript-eslint/parser':
-        optional: true
-      eslint:
-        optional: true
-      eslint-import-resolver-node:
-        optional: true
-      eslint-import-resolver-typescript:
-        optional: true
-      eslint-import-resolver-webpack:
-        optional: true
-
   eslint-module-utils@2.8.1:
     resolution: {integrity: sha512-rXDXR3h7cs7dy9RNpUlQf80nX31XWJEyGq1tRMo+6GsO5VmTe4UTwtmonAD4ZkAsrfMVDA2wlGJ3790Ys+D49Q==}
     engines: {node: '>=4'}
@@ -13678,11 +10949,6 @@ packages:
     peerDependencies:
       eslint: ^7.5.0 || ^8.0.0
 
-  eslint-plugin-turbo@1.10.12:
-    resolution: {integrity: sha512-uNbdj+ohZaYo4tFJ6dStRXu2FZigwulR1b3URPXe0Q8YaE7thuekKNP+54CHtZPH9Zey9dmDx5btAQl9mfzGOw==}
-    peerDependencies:
-      eslint: '>6.6.0'
-
   eslint-plugin-turbo@2.0.5:
     resolution: {integrity: sha512-nCTXZdaKmdRybBdjnMrDFG+ppLc9toUqB01Hf0pfhkQw8OoC29oJIVPsCSvuL/W58RKD02CNEUrwnVt57t36IQ==}
     peerDependencies:
@@ -13797,9 +11063,17 @@ packages:
     resolution: {integrity: sha512-o0XUw+5OGkXw4pJZzQoXUk+H87DHuC+7ZE//oSrRGtatTmr12oTnLfg6QOq9DyTt0c/p4TwzgmkKrBzWTSizyQ==}
     engines: {node: '>= 0.8'}
 
-  evalite@0.11.4:
-    resolution: {integrity: sha512-t12sJlfkxo0Hon6MYCwOd2qliAjGObrnGL6hYXP9h8AiNAVQCiyGrFrqtOH8TIhM0kgaGrq3s/DeZ679Sr8ipw==}
+  evalite@1.0.0-beta.16:
+    resolution: {integrity: sha512-14G+Y1Rqi9xOJck1vykPwaRSPSPpSvaklMS9WjJA04KWIOUwrT3jHUyA/6GkMC0twi1vdkssGS5FstNtVqVCWQ==}
     hasBin: true
+    peerDependencies:
+      ai: ^6
+      better-sqlite3: ^11.6.0
+    peerDependenciesMeta:
+      ai:
+        optional: true
+      better-sqlite3:
+        optional: true
 
   event-target-shim@5.0.1:
     resolution: {integrity: sha512-i/2XbnSz/uxRCU6+NdVJgKWDTM427+MqYbkQzD321DuCQJUqOuJKIA0IM2+W2xtYHdKOmZ4dR6fExsd4SXL+WQ==}
@@ -13835,6 +11109,10 @@ packages:
     resolution: {integrity: sha512-Vo1ab+QXPzZ4tCa8SwIHJFaSzy4R6SHf7BY79rFBDf0idraZWAkYrDjDj8uWaSm3S2TK+hJ7/t1CEmZ7jXw+pg==}
     engines: {node: '>=18.0.0'}
 
+  eventsource-parser@3.1.0:
+    resolution: {integrity: sha512-kJezFj9YFAMLeORyi7aCLxLbD5/qWMQnoMVlVPyHIll7lgRJCc3JVln9Vgl9nwQi0YkMnhdGTMNn7CkRRAptMg==}
+    engines: {node: '>=18.0.0'}
+
   eventsource@3.0.5:
     resolution: {integrity: sha512-LT/5J605bx5SNyE+ITBDiM3FxffBiq9un7Vx0EwMDM3vg8sWKx/tO2zC+LMqZ+smAM0F2hblaDZUVZF0te2pSw==}
     engines: {node: '>=18.0.0'}
@@ -13866,8 +11144,8 @@ packages:
     resolution: {integrity: sha512-XYfuKMvj4O35f/pOXLObndIRvyQ+/+6AhODh+OKWj9S9498pHHn/IMszH+gt0fBCRWMNfk1ZSp5x3AifmnI2vg==}
     engines: {node: '>=6'}
 
-  expect-type@1.2.1:
-    resolution: {integrity: sha512-/kP8CAwxzLVEeFrMm4kMmy4CCDlpipyA7MYLVrdJIkV0fYF0UaigQHRsxHiuY/GEea+bh4KSv3TIlgr+2UL6bw==}
+  expect-type@1.3.0:
+    resolution: {integrity: sha512-knvyeauYhqjOYvQ66MznSMs83wmHrCycNEN6Ao+2AeYEfxUIkuiVxdEa1qlGEPK+We3n0THiDciYSsCcgW/DoA==}
     engines: {node: '>=12.0.0'}
 
   express-rate-limit@7.5.0:
@@ -13907,19 +11185,10 @@ packages:
     resolution: {integrity: sha512-hMQ4CX1p1izmuLYyZqLMO/qGNw10wSv9QDCPfzXfyFrOaCSSoRfqE1Kf1s5an66J5JZC62NewG+mK49jOCtQew==}
     engines: {node: '>=4'}
 
-  extract-zip@2.0.1:
-    resolution: {integrity: sha512-GDhU9ntwuKyGXdZBUgTIe+vXnWj0fppUEtMDL0+idd5Sta8TGpHssn/eusA9mrPr9qNDym6SxAYZjNvCn/9RBg==}
-    engines: {node: '>= 10.17.0'}
-    hasBin: true
-
   extsprintf@1.3.0:
     resolution: {integrity: sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==}
     engines: {'0': node >=0.6.0}
 
-  fast-check@3.22.0:
-    resolution: {integrity: sha512-8HKz3qXqnHYp/VCNn2qfjHdAdcI8zcSqOyX64GOMukp7SL2bfzfeDKjSd+UyECtejccaZv3LcvZTm9YDD22iCQ==}
-    engines: {node: '>=8.0.0'}
-
   fast-check@3.23.2:
     resolution: {integrity: sha512-h5+1OzzfCC3Ef7VbtKdcv7zsstUQwUDlYpUTvjeUsJAssPgLn7QzbboPtL5ro04Mq0rPOsMzl7q5hIbRs2wD1A==}
     engines: {node: '>=8.0.0'}
@@ -13959,32 +11228,27 @@ packages:
   fast-querystring@1.1.2:
     resolution: {integrity: sha512-g6KuKWmFXc0fID8WWH0jit4g0AGBoJhCkJMb1RmbsSEUNvQ+ZC8D6CUZ+GtF8nMzSPXnhiePyyqqipzNNEnHjg==}
 
-  fast-redact@3.5.0:
-    resolution: {integrity: sha512-dwsoQlS7h9hMeYUq1W++23NDcBLV4KqONnITDV9DjfS3q1SgDGVrBdvvTLUotWtPSD7asWDV9/CmsZPy8Hf70A==}
-    engines: {node: '>=6'}
-
   fast-safe-stringify@2.1.1:
     resolution: {integrity: sha512-W+KJc2dmILlPplD/H4K9l9LcAHAfPtP6BY84uVLXQ6Evcz9Lcg33Y2z1IVblT6xdY54PXYVHEv+0Wpq8Io6zkA==}
 
   fast-shallow-equal@1.0.0:
     resolution: {integrity: sha512-HPtaa38cPgWvaCFmRNhlc6NG7pv6NUHqjPgVAkWGoB9mQMwYB27/K0CvOM5Czy+qpT3e8XJ6Q4aPAnzpNpzNaw==}
 
-  fast-uri@3.0.6:
-    resolution: {integrity: sha512-Atfo14OibSv5wAp4VWNsFYE1AchQRTv9cBGWET4pZWHzYshFSS9NQI6I57rdKn9croWVMbYFbLhJ+yJvmZIIHw==}
+  fast-uri@3.1.2:
+    resolution: {integrity: sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==}
 
   fast-url-parser@1.1.3:
     resolution: {integrity: sha512-5jOCVXADYNuRkKFzNJ0dCCewsZiYo0dz8QNYljkOpFC6r2U4OBmKtvm/Tsuh4w1YYdDqDb31a8TVhBJ2OJKdqQ==}
 
-  fast-xml-parser@4.2.5:
-    resolution: {integrity: sha512-B9/wizE4WngqQftFPmdaMYlXoJlJOYxGQOanC77fq9k8+Z0v5dDSVh+3glErdIROP//s/jgb7ZuxKfB8nVyo0g==}
-    hasBin: true
+  fast-xml-builder@1.2.0:
+    resolution: {integrity: sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==}
 
-  fast-xml-parser@4.4.1:
-    resolution: {integrity: sha512-xkjOecfnKGkSsOwtZ5Pz7Us/T6mrbPQrq0nh+aCO5V9nk5NLWmasAHumTKjiPJPWANe+kAZ84Jc8ooJkzZ88Sw==}
+  fast-xml-parser@4.5.6:
+    resolution: {integrity: sha512-Yd4vkROfJf8AuJrDIVMVmYfULKmIJszVsMv7Vo71aocsKgFxpdlpSHXSaInvyYfgw2PRuObQSW2GFpVMUjxu9A==}
     hasBin: true
 
-  fast-xml-parser@5.2.5:
-    resolution: {integrity: sha512-pfX9uG9Ki0yekDHx2SiuRIyFdyAr1kMIMitPvb0YBo8SUfKvia7w7FIyd/l6av85pFYRhZscS75MwMnbvY+hcQ==}
+  fast-xml-parser@5.7.1:
+    resolution: {integrity: sha512-8Cc3f8GUGUULg34pBch/KGyPLglS+OFs05deyOlY7fL2MTagYPKrVQNmR1fLF/yJ9PH5ZSTd3YDF6pnmeZU+zA==}
     hasBin: true
 
   fastest-stable-stringify@2.0.2:
@@ -13993,8 +11257,8 @@ packages:
   fastify-plugin@5.0.1:
     resolution: {integrity: sha512-HCxs+YnRaWzCl+cWRYFnHmeRFyR5GVnJTAaCJQiYzQSDwK9MgJdyAsuL3nh0EWRCYMgQ5MeziymvmAhUHYHDUQ==}
 
-  fastify@5.4.0:
-    resolution: {integrity: sha512-I4dVlUe+WNQAhKSyv15w+dwUh2EPiEl4X2lGYMmNSgF83WzTMAPKGdWEv5tPsCQOb+SOZwz8Vlta2vF+OeDgRw==}
+  fastify@5.8.5:
+    resolution: {integrity: sha512-Yqptv59pQzPgQUSIm87hMqHJmdkb1+GPxdE6vW6FRyVE9G86mt7rOghitiU4JHRaTyDUk9pfeKmDeu70lAwM4Q==}
 
   fastq@1.15.0:
     resolution: {integrity: sha512-wBrocU2LCXXa+lWBt8RoIRD89Fi8OdABODa/kEnyeyjS5aZO5/GNvI5sEINADqP/h8M29UHTHUb53sUu5Ihqdw==}
@@ -14005,13 +11269,10 @@ packages:
   fault@2.0.1:
     resolution: {integrity: sha512-WtySTkS4OKev5JtpHXnib4Gxiurzh5NCGvWrFaZ34m6JehfTUhKZvn9njTfw48t6JumVQOmrKqpmGcdwxnhqBQ==}
 
-  fd-slicer@1.1.0:
-    resolution: {integrity: sha512-cE1qsB/VwyQozZ+q1dGxR8LBYNZeofhEdUNGSMbQD3Gw2lAzX9Zb3uIU6Ebc/Fmyjo9AWWfnn0AUCHqtevs/8g==}
-
   fdir@6.2.0:
     resolution: {integrity: sha512-9XaWcDl0riOX5j2kYfy0kKdg7skw3IY6kA4LFT8Tk2yF9UdrADUy8D6AJuBLtf7ISm/MksumwAHE3WVbMRyCLw==}
     peerDependencies:
-      picomatch: ^3 || ^4
+      picomatch: ^4.0.4
     peerDependenciesMeta:
       picomatch:
         optional: true
@@ -14019,7 +11280,7 @@ packages:
   fdir@6.4.3:
     resolution: {integrity: sha512-PMXmW2y1hDDfTSRc9gaXIuCCRpuoz3Kaz8cUelp3smouvfT632ozg2vrT6lJsHKKOF59YLbOGfAWGUcKEfRMQw==}
     peerDependencies:
-      picomatch: ^3 || ^4
+      picomatch: ^4.0.4
     peerDependenciesMeta:
       picomatch:
         optional: true
@@ -14027,7 +11288,16 @@ packages:
   fdir@6.4.4:
     resolution: {integrity: sha512-1NZP+GK4GfuAv3PqKvxQRDMjdSRZjnkq7KfhlNrCNNlZ0ygQFpebfrnfnq/W7fpUnAv9aGWmY1zKx7FYL3gwhg==}
     peerDependencies:
-      picomatch: ^3 || ^4
+      picomatch: ^4.0.4
+    peerDependenciesMeta:
+      picomatch:
+        optional: true
+
+  fdir@6.5.0:
+    resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==}
+    engines: {node: '>=12.0.0'}
+    peerDependencies:
+      picomatch: ^4.0.4
     peerDependenciesMeta:
       picomatch:
         optional: true
@@ -14049,10 +11319,6 @@ packages:
     resolution: {integrity: sha512-7Gps/XWymbLk2QLYK4NzpMOrYjMhdIxXuIvy2QBsLE6ljuodKvdkWs/cpyJJ3CVIVpH0Oi1Hvg1ovbMzLdFBBg==}
     engines: {node: ^10.12.0 || >=12.0.0}
 
-  file-selector@0.6.0:
-    resolution: {integrity: sha512-QlZ5yJC0VxHxQQsQhXvBaC7VRJ2uaxTf+Tfpu4Z/OcVQJVpZO+DGU0rkoVW5ce2SccxugvpBJoMvUs59iILYdw==}
-    engines: {node: '>= 12'}
-
   file-type@19.6.0:
     resolution: {integrity: sha512-VZR5I7k5wkD0HgFnMsq5hOsSc710MJMu5Nc5QYsbe38NN5iPV/XTObYLc/cpttRTf6lX538+5uO1ZQRhYibiZQ==}
     engines: {node: '>=18'}
@@ -14072,9 +11338,6 @@ packages:
     resolution: {integrity: sha512-/t88Ty3d5JWQbWYgaOGCCYfXRwV1+be02WqYYlL6h0lEiUAMPM8o8qKGO01YIkOHzka2up08wvgYD0mDiI+q3Q==}
     engines: {node: '>= 0.8'}
 
-  find-my-way-ts@0.1.5:
-    resolution: {integrity: sha512-4GOTMrpGQVzsCH2ruUn2vmwzV/02zF4q+ybhCIrw/Rkt3L8KWcycdC6aJMctJzwN4fXD4SD5F/4B9Sksh5rE0A==}
-
   find-my-way@9.3.0:
     resolution: {integrity: sha512-eRoFWQw+Yv2tuYlK2pjFS2jGXSxSppAs3hSQjfxVKxM5amECzIgYYc1FEI8ZmhSh/Ig+FrKEz43NLRKJjYCZVg==}
     engines: {node: '>=20'}
@@ -14098,11 +11361,11 @@ packages:
     resolution: {integrity: sha512-dm9s5Pw7Jc0GvMYbshN6zchCA9RgQlzzEZX3vylR9IqFfS8XciblUXOKfW6SiuJ0e13eDYZoZV5wdrev7P3Nwg==}
     engines: {node: ^10.12.0 || >=12.0.0}
 
-  flatted@3.2.7:
-    resolution: {integrity: sha512-5nqDSxl8nn5BSNxyR3n4I6eDmbolI6WT+QqR547RwxQapgjQBmtktdP+HTBb/a/zLsbzERTONyUB5pefh5TtjQ==}
+  flatted@3.4.2:
+    resolution: {integrity: sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==}
 
-  follow-redirects@1.15.9:
-    resolution: {integrity: sha512-gew4GsXizNgdoRyqmyfMHyAmXsZDk6mHkSxZFCzW9gwlbtOW44CDtYavM+y+72qD/Vq2l550kMF52DT8fOLJqQ==}
+  follow-redirects@1.16.0:
+    resolution: {integrity: sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==}
     engines: {node: '>=4.0'}
     peerDependencies:
       debug: '*'
@@ -14117,6 +11380,10 @@ packages:
     resolution: {integrity: sha512-TMKDUnIte6bfb5nWv7V/caI169OHgvwjb7V4WkeUvbQQdjr5rWKqHFiKWb/fcOwB+CzBT+qbWjvj+DVwRskpIg==}
     engines: {node: '>=14'}
 
+  foreground-child@3.3.1:
+    resolution: {integrity: sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==}
+    engines: {node: '>=14'}
+
   forever-agent@0.6.1:
     resolution: {integrity: sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==}
 
@@ -14157,9 +11424,6 @@ packages:
   fraction.js@4.2.0:
     resolution: {integrity: sha512-MhLuK+2gUcnZe8ZHlaaINnQLl0xRIGRfcGk2yl8xoQAfHrSsL3rYu6FCmBdkdbhc9EPlwyGHewaRsvwRMJtAlA==}
 
-  fraction.js@4.3.7:
-    resolution: {integrity: sha512-ZsDfxO51wGAXREY55a7la9LScWpwv9RxIrYABrlvOFBlH/ShPnrtsXeuUIfXKKOVicNxQ+o8JTbJvjS4M89yew==}
-
   framer-motion@10.12.11:
     resolution: {integrity: sha512-uNsJAc/BQZ9V7tYgzRBXSrEdB+YrdJTtRvgn+8lNAQucGKaINJBL8I4aqXxXdw+HzwJZb/uR955jnOrxBy5sTA==}
     peerDependencies:
@@ -14171,17 +11435,6 @@ packages:
       react-dom:
         optional: true
 
-  framer-motion@10.17.4:
-    resolution: {integrity: sha512-CYBSs6cWfzcasAX8aofgKFZootmkQtR4qxbfTOksBLny/lbUfkGbQAFOS3qnl6Uau1N9y8tUpI7mVIrHgkFjLQ==}
-    peerDependencies:
-      react: ^18.0.0
-      react-dom: ^18.0.0
-    peerDependenciesMeta:
-      react:
-        optional: true
-      react-dom:
-        optional: true
-
   fresh@0.5.2:
     resolution: {integrity: sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==}
     engines: {node: '>= 0.6'}
@@ -14251,10 +11504,6 @@ packages:
     resolution: {integrity: sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==}
     engines: {node: 6.* || 8.* || >= 10.*}
 
-  get-intrinsic@1.2.4:
-    resolution: {integrity: sha512-5uYhsJH8VJBTv7oslg4BznJYhDoRI6waYCxMmCdnTrcCrHA/fCFKoTFz2JKKE0HdDFUF7/oQuhzumXJK7paBRQ==}
-    engines: {node: '>= 0.4'}
-
   get-intrinsic@1.3.0:
     resolution: {integrity: sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==}
     engines: {node: '>= 0.4'}
@@ -14267,8 +11516,8 @@ packages:
     resolution: {integrity: sha512-g/Q1aTSDOxFpchXC4i8ZWvxA1lnPqx/JHqcpIw0/LX9T8x/GBbi6YnlN5nhaKIFkT8oFsscUKgDJYxfwfS6QsQ==}
     engines: {node: '>=8'}
 
-  get-port@7.1.0:
-    resolution: {integrity: sha512-QB9NKEeDg3xxVwCCwJQ9+xycaz6pBB6iQ76wiWMl1927n0Kir6alPiP+yuiICLLU4jpMe08dXfpebuQppFA2zw==}
+  get-port@7.2.0:
+    resolution: {integrity: sha512-afP4W205ONCuMoPBqcR6PSXnzX35KTcJygfJfcp+QY+uwm3p20p1YczWXhlICIzGMCxYBQcySEcOgsJcrkyobg==}
     engines: {node: '>=16'}
 
   get-proto@1.0.1:
@@ -14309,10 +11558,6 @@ packages:
   get-tsconfig@4.7.6:
     resolution: {integrity: sha512-ZAqrLlu18NbDdRaHq+AKXzAmqIUPswPWKUchfytdAjiRFnCe5ojG2bstg6mRiZabkKfCoL/e98pbBELIV/YCeA==}
 
-  get-uri@6.0.1:
-    resolution: {integrity: sha512-7ZqONUVqaabogsYNWlYj0t3YZaL6dhuEueZXGF+/YVmf6dHmaFg8/6psJKqhx9QykIDKzpGcy2cn4oV4YC7V/Q==}
-    engines: {node: '>= 14'}
-
   getpass@0.1.7:
     resolution: {integrity: sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==}
 
@@ -14341,18 +11586,6 @@ packages:
   glob-to-regexp@0.4.1:
     resolution: {integrity: sha512-lkX1HJXwyMcprw/5YUZc2s7DrpAiHB21/V+E1rHUrVNokkvB6bqMzT0VfV6/86ZNabt1k14YOIaT7nDvOX3Iiw==}
 
-  glob@10.3.10:
-    resolution: {integrity: sha512-fa46+tv1Ak0UPK1TOy/pZrIybNNt4HCv7SDzwyfiOZkvZLEbjsZkJBPtDHVshZjbecAoAGSC20MjLDG/qr679g==}
-    engines: {node: '>=16 || 14 >=14.17'}
-    deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
-    hasBin: true
-
-  glob@10.3.4:
-    resolution: {integrity: sha512-6LFElP3A+i/Q8XQKEvZjkEWEOTgAIALR9AO2rwT8bgPhDd1anmqDJDZ6lLddI4ehxxxR1S5RIqKe1uapMQfYaQ==}
-    engines: {node: '>=16 || 14 >=14.17'}
-    deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
-    hasBin: true
-
   glob@10.4.5:
     resolution: {integrity: sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==}
     deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
@@ -14364,13 +11597,18 @@ packages:
     deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
     hasBin: true
 
-  glob@7.2.3:
-    resolution: {integrity: sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==}
+  glob@11.1.0:
+    resolution: {integrity: sha512-vuNwKSaKiqm7g0THUBu2x7ckSs3XJLXE+2ssL7/MfTGPLLcrJQ/4Uq1CjPTtO5cCIiRxqvN6Twy1qOwhL0Xjcw==}
+    engines: {node: 20 || >=22}
     deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
+    hasBin: true
 
-  glob@9.3.5:
-    resolution: {integrity: sha512-e1LleDykUz2Iu+MTYdkSsuWX8lvAjAcs0Xef0lNIu0S2wOAzuTxCJtcd9S3cijlwYF18EsU3rzb8jPVobxDh9Q==}
-    engines: {node: '>=16 || 14 >=14.17'}
+  glob@13.0.6:
+    resolution: {integrity: sha512-Wjlyrolmm8uDpm/ogGyXZXb1Z+Ca2B8NbJwqBVg0axK9GbBeoS7yGV6vjXnYdGm6X53iehEuxxbyiKp8QmN4Vw==}
+    engines: {node: 18 || 20 || >=22}
+
+  glob@7.2.3:
+    resolution: {integrity: sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==}
     deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
 
   globals@11.12.0:
@@ -14438,10 +11676,6 @@ packages:
     resolution: {integrity: sha512-4haO1M4mLO91PW57BMsDFf75UmwoRX0GkdD+Faw+Lr+r/OZrOCS0pIBwOL1xCKQqnQzbNFGgK2V2CpBUPeFNTw==}
     hasBin: true
 
-  gzip-size@6.0.0:
-    resolution: {integrity: sha512-ax7ZYomf6jqPTQ4+XCpUGyXKHk5WweS+e05MBO4/y3WJ5RkmPXNKvX+bx1behVILVwr6JSQvZAku021CHPXG3Q==}
-    engines: {node: '>=10'}
-
   hachure-fill@0.5.2:
     resolution: {integrity: sha512-3GKBOn+m2LX9iq+JC1064cSFprJY4jL1jCXTcpnfER5HYE2l/4EfWSGzkPa/ZDBmYI0ZOEj5VHV/eKnPGkHuOg==}
 
@@ -14500,27 +11734,18 @@ packages:
     resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==}
     engines: {node: '>= 0.4'}
 
-  hast-util-from-dom@5.0.1:
-    resolution: {integrity: sha512-N+LqofjR2zuzTjCPzyDUdSshy4Ma6li7p/c3pA78uTwzFgENbgbUrm2ugwsOdcjI1muO+o6Dgzp9p8WHtn/39Q==}
-
-  hast-util-from-html-isomorphic@2.0.0:
-    resolution: {integrity: sha512-zJfpXq44yff2hmE0XmwEOzdWin5xwH+QIhMLOScpX91e/NSGPsAzNCvLQDIEPyO2TXi+lBmU6hjLIhV8MwP2kw==}
-
-  hast-util-from-html@2.0.3:
-    resolution: {integrity: sha512-CUSRHXyKjzHov8yKsQjGOElXy/3EKpyX56ELnkHH34vDVw1N1XSQ1ZcAvTyAPtGqLTuKP/uxM+aLkSPqF/EtMw==}
-
   hast-util-from-parse5@8.0.3:
     resolution: {integrity: sha512-3kxEVkEKt0zvcZ3hCRYI8rqrgwtlIOFMWkbclACvjlDw8Li9S2hk/d51OI0nr/gIpdMHNepwgOKqZ/sy0Clpyg==}
 
-  hast-util-is-element@3.0.0:
-    resolution: {integrity: sha512-Val9mnv2IWpLbNPqc/pUem+a7Ipj2aHacCwgNfTiK0vJKl0LF+4Ba4+v1oPHFpf3bLYmreq0/l3Gud9S5OH42g==}
-
   hast-util-parse-selector@4.0.0:
     resolution: {integrity: sha512-wkQCkSYoOGCRKERFWcxMVMOcYE2K1AaNLU8DXS9arxnLOUEWbOXKXiJUNzEpqZ3JOKpnha3jkFrumEjVliDe7A==}
 
   hast-util-raw@9.1.0:
     resolution: {integrity: sha512-Y8/SBAHkZGoNkpzqqfCldijcuUKh7/su31kEBp67cFY09Wy0mTRgtsLYsiIxMJxlu0f6AA5SUTbDR8K0rxnbUw==}
 
+  hast-util-sanitize@5.0.2:
+    resolution: {integrity: sha512-3yTWghByc50aGS7JlGhk61SPenfE/p1oaFeNwkOOyrscaOkMGrcW9+Cy/QAIOBpZxP1yqDIzFMR0+Np0i0+usg==}
+
   hast-util-to-estree@2.1.0:
     resolution: {integrity: sha512-Vwch1etMRmm89xGgz+voWXvVHba2iiMdGMKmaMfYt35rbVtFDq8JNwwAIvi8zHMkO6Gvqo9oTMwJTmzVRfXh4g==}
 
@@ -14533,9 +11758,6 @@ packages:
   hast-util-to-parse5@8.0.0:
     resolution: {integrity: sha512-3KKrV5ZVI8if87DVSi1vDeByYrkGzg4mEfeu4alwgmmIeARiBLKCZS2uw5Gb6nU9x9Yufyj3iudm6i7nl52PFw==}
 
-  hast-util-to-text@4.0.2:
-    resolution: {integrity: sha512-KK6y/BN8lbaq654j7JgBydev7wuNMcID54lkRav1P0CaE1e47P72AWWPiGKXTJU271ooYzcvTAn/Zt0REnvc7A==}
-
   hast-util-whitespace@2.0.1:
     resolution: {integrity: sha512-nAxA0v8+vXSBDt3AnRUNjyRIQ0rD+ntpbAp4LnPkumc5M9yUbSMa4XDU9Q6etY4f1Wp4bNgvc1yjiZtsTTrSng==}
 
@@ -14559,6 +11781,10 @@ packages:
     resolution: {integrity: sha512-eVkB/CYCCei7K2WElZW9yYQFWssG0DhaDhVvr7wy5jJ22K+ck8fWW0EsLpB0sITUTvPnc97+rrbQqIr5iqiy9Q==}
     engines: {node: '>=16.9.0'}
 
+  hono@4.12.15:
+    resolution: {integrity: sha512-qM0jDhFEaCBb4TxoW7f53Qrpv9RBiayUHo0S52JudprkhvpjIrGoU1mnnr29Fvd1U335ZFPZQY1wlkqgfGXyLg==}
+    engines: {node: '>=16.9.0'}
+
   hono@4.5.11:
     resolution: {integrity: sha512-62FcjLPtjAFwISVBUshryl+vbHOjg8rE4uIK/dxyR8GpLztunZpwFmfEvmJCUI7xoGh/Sr3CGCDPCmYxVw7wUQ==}
     engines: {node: '>=16.0.0'}
@@ -14601,10 +11827,6 @@ packages:
     resolution: {integrity: sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==}
     engines: {node: '>= 0.8'}
 
-  http-proxy-agent@7.0.2:
-    resolution: {integrity: sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig==}
-    engines: {node: '>= 14'}
-
   http-signature@1.2.0:
     resolution: {integrity: sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==}
     engines: {node: '>=0.8', npm: '>=1.3.7'}
@@ -14613,10 +11835,6 @@ packages:
     resolution: {integrity: sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==}
     engines: {node: '>= 6'}
 
-  https-proxy-agent@7.0.6:
-    resolution: {integrity: sha512-vK9P5/iUfdl95AI+JVyUuIcVtd4ofvtrOr3HNtM2yxC9bnMbEdp3x01OhQNnjb8IJYi38VlTE3mBXwcfvywuSw==}
-    engines: {node: '>= 14'}
-
   human-id@1.0.2:
     resolution: {integrity: sha512-UNopramDEhHJD+VR+ehk8rOslwSfByxPIZyJRfV739NDhN5LF1fa1MqnzKm2lGTQRjNrjK19Q5fhkgIfjlVUKw==}
 
@@ -14657,7 +11875,7 @@ packages:
     resolution: {integrity: sha512-soFhflCVWLfRNOPU3iv5Z9VUdT44xFRbzjLsEzSr5AQmgqPMTHdU3PMT1Cf1ssx8fLNJDA1juftYl+PUcv3MqA==}
     engines: {node: ^10 || ^12 || >= 14}
     peerDependencies:
-      postcss: ^8.1.0
+      postcss: ^8.5.10
 
   ieee754@1.2.1:
     resolution: {integrity: sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==}
@@ -14674,11 +11892,12 @@ packages:
     resolution: {integrity: sha512-veYYhQa+D1QBKznvhUHxb8faxlrwUnxseDAbAp457E0wLNio2bOSKnjYDhMj+YiAq61xrMGhQk9iXVk5FzgQMw==}
     engines: {node: '>=6'}
 
-  import-in-the-middle@1.11.0:
-    resolution: {integrity: sha512-5DimNQGoe0pLUHbR9qK84iWaWjjbsxiqXnw6Qz64+azRgleqv9k2kTt5fw7QsOpmaGYtuxxursnPPsnTKEx10Q==}
+  import-in-the-middle@1.15.0:
+    resolution: {integrity: sha512-bpQy+CrsRmYmoPMAE/0G33iwRqwW4ouqdRg8jgbH3aKuCtOc8lxgmYXg2dMM92CRiGP660EtBcymH/eVUpCSaA==}
 
-  import-in-the-middle@1.14.2:
-    resolution: {integrity: sha512-5tCuY9BV8ujfOpwtAGgsTx9CGUapcFMEEyByLv1B+v2+6DhAcw+Zr0nhQT7uwaZ7DiourxFEscghOR8e1aPLQw==}
+  import-in-the-middle@3.0.1:
+    resolution: {integrity: sha512-pYkiyXVL2Mf3pozdlDGV6NAObxQx13Ae8knZk1UJRJ6uRW/ZRmTGHlQYtrsSl7ubuE5F8CD1z+s1n4RHNuTtuA==}
+    engines: {node: '>=18'}
 
   import-meta-resolve@4.1.0:
     resolution: {integrity: sha512-I6fiaX09Xivtk+THaMfAwnA3MVA5Big1WHF1Dfx9hFuvNIWpXnorlkzhcQf6ehrqQiiZECRt1poOAkPmer3ruw==}
@@ -14743,10 +11962,6 @@ packages:
     resolution: {integrity: sha512-5Hh7Y1wQbvY5ooGgPbDaL5iYLAPzMTUrjMulskHLH6wnv/A+1q5rgEaiuqEjB+oxGXIVZs1FF+R/KPN3ZSQYYg==}
     engines: {node: '>=12'}
 
-  interpret@1.4.0:
-    resolution: {integrity: sha512-agE4QfB2Lkp9uICn7BAqoscw4SZP9kTE2hxiFI3jBPmXJfdqiahTbUuKGsMoN2GtqL9AxhYioAcVvgsb1HvRbA==}
-    engines: {node: '>= 0.10'}
-
   interpret@3.1.1:
     resolution: {integrity: sha512-6xwYfHbajpoF0xLW+iwLkhwgvLoZDfjYfoFNu8ftMoXINzwuymNLd9u/KmwtdT2GbR+/Cz66otEGEVVUHX9QLQ==}
     engines: {node: '>=10.13.0'}
@@ -14758,11 +11973,8 @@ packages:
     resolution: {integrity: sha512-YFMSV91JNBOSjw1cOfw2tup6hDP7mkz+2AUV7W1L1AM6ntgI75qC1ZeFpjPGMrWp+upmBRTX2fJWQ8c7jsUWpA==}
     engines: {node: '>=14'}
 
-  invariant@2.2.4:
-    resolution: {integrity: sha512-phJfQVBuaJM5raOpJjSfkiD6BpbCE4Ns//LaXl6wGYtUBY83nWS6Rf9tXm2e8VaK60JEjYldbPif/A2B1C2gNA==}
-
-  ioredis@5.3.2:
-    resolution: {integrity: sha512-1DKMMzlIHM02eBBVOFQ1+AolGjs6+xEcM4PDL7NqOS6szq7H9jSaEkIUH6/a5Hl241LzW6JLSiAbNvTQjUupUA==}
+  ioredis@5.6.1:
+    resolution: {integrity: sha512-UxC0Yv1Y4WRJiGQxQkP0hfdL0/5/6YvdfOOClRgJ0qppSarkhneSa6UvkMkms0AkdGimSH3Ikqm+6mkMmX7vGA==}
     engines: {node: '>=12.22.0'}
 
   ip-address@10.0.1:
@@ -14773,10 +11985,6 @@ packages:
     resolution: {integrity: sha512-Wz91gZKpNKoXtqvY8ScarKYwhXoK4r/b5QuT+uywe/azv0/nUCo7Bh0IRRI7F9DHR06kJNWtzMGLIbXavngbKA==}
     engines: {node: '>= 12'}
 
-  ip-address@9.0.5:
-    resolution: {integrity: sha512-zHtQzGojZXTwZTHQqra+ETKd4Sn3vgi7uBmlPoXVWZqYvuKmtI0l/VZTjqGmJY9x88GGOaZ9+G9ES8hC4T4X8g==}
-    engines: {node: '>= 12'}
-
   ipaddr.js@1.9.1:
     resolution: {integrity: sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==}
     engines: {node: '>= 0.10'}
@@ -14933,10 +12141,6 @@ packages:
     resolution: {integrity: sha512-+Pgi+vMuUNkJyExiMBt5IlFoMyKnr5zhJ4Uspz58WOhBF5QoIZkFyNHIbBAtHwzVAgk5RtndVNsDRN61/mmDqg==}
     engines: {node: '>=12'}
 
-  is-plain-object@5.0.0:
-    resolution: {integrity: sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==}
-    engines: {node: '>=0.10.0'}
-
   is-promise@4.0.0:
     resolution: {integrity: sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ==}
 
@@ -15041,18 +12245,10 @@ packages:
     resolution: {integrity: sha512-GCfE1mtsHGOELCU8e/Z7YWzpmybrx/+dSTfLrvY8qRmaY6zXTKWn6WQIjaAFw069icm6GVMNkgu0NzI4iPZUNw==}
     engines: {node: '>=10'}
 
-  istanbul-lib-source-maps@5.0.6:
-    resolution: {integrity: sha512-yg2d+Em4KizZC5niWhQaIomgf5WlL4vOOjZ5xGCmF8SnPE/mDWWXgvRExdcpCgh9lLRRa1/fSYp2ymmbJ1pI+A==}
-    engines: {node: '>=10'}
-
-  istanbul-reports@3.1.7:
-    resolution: {integrity: sha512-BewmUXImeuRk2YY0PVbxgKAysvhRPUQE0h5QRM++nVWyubKGV0l8qQ5op8+B2DOmwSe63Jivj0BjkPQVf8fP5g==}
+  istanbul-reports@3.2.0:
+    resolution: {integrity: sha512-HGYWWS/ehqTV3xN10i23tkPkpH46MLCIMFNCaaKNavAXTF1RkqxawEPtnjnGZ6XKSInBKkiOA5BKS+aZiY3AvA==}
     engines: {node: '>=8'}
 
-  jackspeak@2.3.6:
-    resolution: {integrity: sha512-N3yCS/NegsOBokc8GAdM8UcmfsKiSS8cipheD/nivzr700H+nsMOxJjQnvwOcRYVuFkdH0wGUvW2WbXGmrZGbQ==}
-    engines: {node: '>=14'}
-
   jackspeak@3.4.3:
     resolution: {integrity: sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==}
 
@@ -15060,6 +12256,10 @@ packages:
     resolution: {integrity: sha512-cub8rahkh0Q/bw1+GxP7aeSe29hHHn2V4m29nnDlvCdlgU+3UGxkZp7Z53jLUdpX3jdTO0nJZUDl3xvbWc2Xog==}
     engines: {node: 20 || >=22}
 
+  jackspeak@4.2.3:
+    resolution: {integrity: sha512-ykkVRwrYvFm1nb2AJfKKYPr0emF6IiXDYUaFx4Zn9ZuIH7MrzEZ3sD5RlqGXNRpHtvUHJyOnCEFxOlNDtGo7wg==}
+    engines: {node: 20 || >=22}
+
   javascript-stringify@2.1.0:
     resolution: {integrity: sha512-JVAfqNPTvNq3sB/VHQJAFxN/sPgKnsKrCwyRt15zwNCdrMMJDdcEOdubuy+DuJYYdm0ox1J4uzEuYKkN+9yhVg==}
 
@@ -15079,6 +12279,10 @@ packages:
     resolution: {integrity: sha512-rg9zJN+G4n2nfJl5MW3BMygZX56zKPNVEYYqq7adpmMh4Jn2QNEwhvQlFy6jPVdcod7txZtKHWnyZiA3a0zP7A==}
     hasBin: true
 
+  jiti@2.6.1:
+    resolution: {integrity: sha512-ekilCSN1jwRvIbgeg/57YFh8qQDNbwDb9xT/qu2DAHbFFZUicIl4ygVaAvzveMhMVr3LnpSKTNnwt8PoOfmKhQ==}
+    hasBin: true
+
   joi@17.7.0:
     resolution: {integrity: sha512-1/ugc8djfn93rTE3WRKdCzGGt/EtiYKxITMO4Wiv6q5JL1gl9ePt4kBsl1S499nbosspfctIQTpYIhSmHA3WAg==}
 
@@ -15117,6 +12321,9 @@ packages:
   js-sdsl@4.2.0:
     resolution: {integrity: sha512-dyBIzQBDkCqCu+0upx25Y2jGdbTGxE9fshMsCdK0ViOongpV+n5tXRcZY9v7CaVQ79AGS9KA1KHtojxiM7aXSQ==}
 
+  js-tokens@10.0.0:
+    resolution: {integrity: sha512-lM/UBzQmfJRo9ABXbPWemivdCW8V2G8FHaHdypQaIy523snUjog0W71ayWXTjiR+ixeMyVHN2XcpnTd/liPg/Q==}
+
   js-tokens@4.0.0:
     resolution: {integrity: sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==}
 
@@ -15198,11 +12405,6 @@ packages:
   jsonc-parser@3.2.1:
     resolution: {integrity: sha512-AilxAyFOAcK5wA1+LeaySVBrHsGQvUFCDWXKpZjzaL0PqW+xfBOttn8GNtWKFWqneyMZj41MWF9Kl6iPWLwgOA==}
 
-  jsondiffpatch@0.6.0:
-    resolution: {integrity: sha512-3QItJOXp2AP1uv7waBkao5nCvhEv+QmJAd38Ybq7wNI74Q+BBmnLn4EDKz6yI9xGAIQoUF87qHt+kc1IVxB4zQ==}
-    engines: {node: ^18.0.0 || >=20.0.0}
-    hasBin: true
-
   jsonfile@4.0.0:
     resolution: {integrity: sha512-m6F1R3z8jjlf2imQHS2Qez5sjKWQzbuuhuJ/FKYFRZvPE3PuHcSMVZzfsLhGVOkfd20obL5SWEBew5ShlquNxg==}
 
@@ -15264,6 +12466,10 @@ packages:
     resolution: {integrity: sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==}
     engines: {node: '>=0.10.0'}
 
+  kleur@3.0.3:
+    resolution: {integrity: sha512-eTIzlVOSUR+JxdDFepEYcBMtZ9Qqdef+rnzWdRZuMbOywu5tO2w2N7rqjoANZ5k9vywhL6Br1VRjUIgTQx4E8w==}
+    engines: {node: '>=6'}
+
   kleur@4.1.5:
     resolution: {integrity: sha512-o+NO+8WrRiQEE4/7nwRJhN1HWpVmJm511pBHUxPLtp0BUISzlBplORYSmTclCnJvQq2tKu/sgl3xVpkc7ZWuQQ==}
     engines: {node: '>=6'}
@@ -15271,17 +12477,9 @@ packages:
   kolorist@1.8.0:
     resolution: {integrity: sha512-Y+60/zizpJ3HRH8DCss+q95yr6145JXZo46OTpFvDZWLfRCE4qChOyk1b26nMaNpfHHgxagk9dXT5OP0Tfe+dQ==}
 
-  langium@3.3.1:
-    resolution: {integrity: sha512-QJv/h939gDpvT+9SiLVlY7tZC3xB2qK57v0J04Sh9wpMb6MP1q8gB21L3WIo8T5P1MSMg3Ep14L7KkDCFG3y4w==}
-    engines: {node: '>=16.0.0'}
-
-  langsmith@0.2.15:
-    resolution: {integrity: sha512-homtJU41iitqIZVuuLW7iarCzD4f39KcfP9RTBWav9jifhrsDa1Ez89Ejr+4qi72iuBu8Y5xykchsGVgiEZ93w==}
-    peerDependencies:
-      openai: '*'
-    peerDependenciesMeta:
-      openai:
-        optional: true
+  langium@4.2.2:
+    resolution: {integrity: sha512-JUshTRAfHI4/MF9dH2WupvjSXyn8JBuUEWazB8ZVJUtXutT0doDlAv1XKbZ1Pb5sMexa8FF4CFBc0iiul7gbUQ==}
+    engines: {node: '>=20.10.0', npm: '>=10.2.3'}
 
   language-subtag-registry@0.3.22:
     resolution: {integrity: sha512-tN0MCzyWnoz/4nHS6uxdlFWoUZT7ABptwKPQ52Ea7URk6vll88bWBVhodtnlfEuCcKWNGoc+uGbw1cwa9IKh/w==}
@@ -15460,10 +12658,6 @@ packages:
     resolution: {integrity: sha512-OfCBkGEw4nN6JLtgRidPX6QxjBQGQf72q3si2uvqyFEMbycSFFHwAZeXx6cJgFM9wmLrf9zBwCP3Ivqa+LLZPw==}
     engines: {node: '>=6'}
 
-  loader-runner@4.3.0:
-    resolution: {integrity: sha512-3R/1M+yS3j5ou80Me59j7F9IMs4PXs3VqRrm0TU3AbKPxlmpoY1TNscJV/oGJXo8qCatFGTfDbY6W6ipGOYXfg==}
-    engines: {node: '>=6.11.5'}
-
   loader-runner@4.3.1:
     resolution: {integrity: sha512-IWqP2SCPhyVFTBtRcgMHdzlf9ul25NwaFx4wCEH/KjAXuuHY4yNjvPXsBokp8jCB936PyWRaPKUNh8NvylLp2Q==}
     engines: {node: '>=6.11.5'}
@@ -15492,8 +12686,8 @@ packages:
     resolution: {integrity: sha512-gvVijfZvn7R+2qyPX8mAuKcFGDf6Nc61GdvGafQsHL0sBIxfKzA+usWn4GFC/bk+QdwPUD4kWFJLhElipq+0VA==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
 
-  lodash-es@4.17.21:
-    resolution: {integrity: sha512-mKnC+QJ9pWVzv+C4/U3rRsHapFfHvQFoFB92e52xeyGMcX6/OlIl78je1u8vePzYZSkkogMPJ2yjxxsb89cxyw==}
+  lodash-es@4.18.1:
+    resolution: {integrity: sha512-J8xewKD/Gk22OZbhpOVSwcs60zhd95ESDwezOFuA3/099925PdHJ7OFHNTGtajL3AlZkykD32HykiMo+BIBI8A==}
 
   lodash.camelcase@4.3.0:
     resolution: {integrity: sha512-TwuEnCnxbc3rAvhf/LbG7tJUDzhqXyFnv3dtzLOPgCG/hODL7WFnsbwktkD7yUV0RrreP/l1PALq/YSg6VvjlA==}
@@ -15507,12 +12701,6 @@ packages:
   lodash.defaults@4.2.0:
     resolution: {integrity: sha512-qjxPLHd3r5DnsdGacqOMU6pb/avJzdh9tFX2ymgoZE27BmjXrNy/y4LoaiTeAb+O3gL8AfpJGtqfX/ae2leYYQ==}
 
-  lodash.escaperegexp@4.1.2:
-    resolution: {integrity: sha512-TM9YBvyC84ZxE3rgfefxUWiQKLilstD6k7PTGt6wfbtXF8ixIJLOL3VYyV/z+ZiPLsVxAsKAFVwWlWeb2Y8Yyw==}
-
-  lodash.groupby@4.6.0:
-    resolution: {integrity: sha512-5dcWxm23+VAoz+awKmBaiBvzox8+RqMgFhi7UvX9DHZr2HdxHXM/Wrf8cfKpsW37RNrvtPn6hSwNqurSILbmJw==}
-
   lodash.includes@4.3.0:
     resolution: {integrity: sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w==}
 
@@ -15522,15 +12710,9 @@ packages:
   lodash.isboolean@3.0.3:
     resolution: {integrity: sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==}
 
-  lodash.isfunction@3.0.9:
-    resolution: {integrity: sha512-AirXNj15uRIMMPihnkInB4i3NHeb4iBtNg9WRWuK2o31S+ePwwNmDPaTL3o7dTJ+VXNZim7rFs4rxN4YU1oUJw==}
-
   lodash.isinteger@4.0.4:
     resolution: {integrity: sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA==}
 
-  lodash.isnil@4.0.0:
-    resolution: {integrity: sha512-up2Mzq3545mwVnMhTDMdfoG1OurpA/s5t88JmQX809eH3C8491iu2sfKhTfhQtKY78oPNhiaHJUpT/dUDAAtng==}
-
   lodash.isnumber@3.0.3:
     resolution: {integrity: sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw==}
 
@@ -15540,9 +12722,6 @@ packages:
   lodash.isstring@4.0.1:
     resolution: {integrity: sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==}
 
-  lodash.isundefined@3.0.1:
-    resolution: {integrity: sha512-MXB1is3s899/cD8jheYYE2V9qTHwKvt+npCwpD+1Sxm3Q3cECXCiYHjeHWXNwr6Q0SOBPrYUDxendrO6goVTEA==}
-
   lodash.merge@4.6.2:
     resolution: {integrity: sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==}
 
@@ -15562,19 +12741,23 @@ packages:
   lodash.truncate@4.4.2:
     resolution: {integrity: sha512-jttmRe7bRse52OsWIMDLaXxWqRAmtIUccAQ3garviCqJjafXOfNMO0yMfNpdD6zbGaTU0P5Nz7e7gAT6cKmJRw==}
 
-  lodash.uniq@4.5.0:
-    resolution: {integrity: sha512-xfBaXQd9ryd9dlSDvnvI0lvxfLJlYAZzXomUYzLKtUeOQvOP5piqAWuGtrhWeqaXK9hhoM/iyJc5AV+XfsX3HQ==}
-
-  lodash@4.17.23:
-    resolution: {integrity: sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==}
+  lodash@4.18.1:
+    resolution: {integrity: sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==}
 
   log-symbols@4.1.0:
     resolution: {integrity: sha512-8XPvpAA8uyhfteu8pIvQxpJZ7SYYdpUivZpGy6sFsBuKRY/7rQGavedeB8aK+Zkyq6upMFVL/9AW6vOYzfRyLg==}
     engines: {node: '>=10'}
 
+  log-symbols@7.0.1:
+    resolution: {integrity: sha512-ja1E3yCr9i/0hmBVaM0bfwDjnGy8I/s6PP4DFp+yP+a+mrHO4Rm7DtmnqROTUkHIkqffC84YY7AeqX6oFk0WFg==}
+    engines: {node: '>=18'}
+
   long@5.2.3:
     resolution: {integrity: sha512-lcHwpNoggQTObv5apGNCTdJrO69eHOZMi4BNC+rTLER8iHAqGrUVeLh/irVIM7zTw2bOXA8T6uNPeujwOLg/2Q==}
 
+  long@5.3.2:
+    resolution: {integrity: sha512-mNAgZ1GmyNhD7AuqnTG3/VQ26o760+ZYBPKjPvugO8+nLbYfX6TVpJPseBvopbdY+qpZ/lKUnmEc1LeZYS3QAA==}
+
   longest-streak@3.1.0:
     resolution: {integrity: sha512-9Ri+o0JYgehTaVBBDoMqIl8GXtbWg711O3srftcHhZ0dqnETqLaoIK0x17fUw9rFSlK/0NlsKe0Ahhyl5pXE2g==}
 
@@ -15582,9 +12765,6 @@ packages:
     resolution: {integrity: sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==}
     hasBin: true
 
-  loupe@3.1.3:
-    resolution: {integrity: sha512-kkIp7XSkP78ZxJEsSxW3712C6teJVoeHHwgo9zJ380de7IYyJ2ISlxojcH2pC5OFLewESmnRi/+XCDIEEVyoug==}
-
   lowercase-keys@1.0.1:
     resolution: {integrity: sha512-G2Lj61tXDnVFFOi8VZds+SoQjtQC3dgokKdDG2mTm1tx4m50NUHBOZSBwQQHyy0V12A0JTG4icfZQH+xPyh8VA==}
     engines: {node: '>=0.10.0'}
@@ -15619,26 +12799,6 @@ packages:
     peerDependencies:
       react: ^16.5.1 || ^17.0.0 || ^18.0.0
 
-  lucide-react@0.451.0:
-    resolution: {integrity: sha512-OwQ3uljZLp2cerj8sboy5rnhtGTCl9UCJIhT1J85/yOuGVlEH+xaUPR7tvNdddPvmV5M5VLdr7cQuWE3hzA4jw==}
-    peerDependencies:
-      react: ^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0-rc
-
-  lucide-react@0.484.0:
-    resolution: {integrity: sha512-oZy8coK9kZzvqhSgfbGkPtTgyjpBvs3ukLgDPv14dSOZtBtboryWF5o8i3qen7QbGg7JhiJBz5mK1p8YoMZTLQ==}
-    peerDependencies:
-      react: ^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0
-
-  lucide-react@0.486.0:
-    resolution: {integrity: sha512-xWop/wMsC1ikiEVLZrxXjPKw4vU/eAip33G2mZHgbWnr4Nr5Rt4Vx4s/q1D3B/rQVbxjOuqASkEZcUxDEKzecw==}
-    peerDependencies:
-      react: ^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0
-
-  lucide-react@0.542.0:
-    resolution: {integrity: sha512-w3hD8/SQB7+lzU2r4VdFyzzOzKnUjTZIF/MQJGSSvni7Llewni4vuViRppfRAa2guOsY5k4jZyxw/i9DQHv+dw==}
-    peerDependencies:
-      react: ^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0
-
   luxon@3.2.1:
     resolution: {integrity: sha512-QrwPArQCNLAKGO/C+ZIilgIuDnEnKx5QYODdDtbFaxzsbZcc/a7WFq7MhsVYgRlwawLtvOUESTlfJ+hc/USqPg==}
     engines: {node: '>=12'}
@@ -15647,9 +12807,6 @@ packages:
     resolution: {integrity: sha512-0ckx7ZHRPqb0oUm8zNr+90mtf9DQB60H1wMCjBtfi62Kl3a7JbHob6gA2bC+xRvZoOL+1hzUK8jeuEIQE8svEQ==}
     hasBin: true
 
-  magic-string@0.30.17:
-    resolution: {integrity: sha512-sNPKHvyjVf7gyjwS4xGTaW/mCnF8wnjtifKBEhxfZ7E/S8tQ0rssrwGNn6q8JH/ohItJfSQp9mBtQYuTlH5QnA==}
-
   magic-string@0.30.21:
     resolution: {integrity: sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ==}
 
@@ -15659,6 +12816,9 @@ packages:
   magicast@0.3.5:
     resolution: {integrity: sha512-L0WhttDl+2BOsybvEOLK7fW3UA0OQ0IQ2d6Zl2x/a6vVRs3bAY0ECOSHHeL5jD+SbOpOCUEi0y1DgHEn9Qn1AQ==}
 
+  magicast@0.5.3:
+    resolution: {integrity: sha512-pVKE4UdSQ7DvHzivsCIFx2BJn1mHG6KsyrFcaxFx6tONdneEuThrDx0Cj3AMg58KyN4pzYT+LHOotxDQDjNvkw==}
+
   make-dir@4.0.0:
     resolution: {integrity: sha512-hXdUTZYIVOt1Ex//jAQi+wTZZpUpwBj/0QsOzqegb3rGMMeJiSEu5xLHnYfBrRV4RH2+OCSOO95Is/7x1WJ4bw==}
     engines: {node: '>=10'}
@@ -15684,21 +12844,26 @@ packages:
     peerDependencies:
       marked: '>=1 <14'
 
+  marked@15.0.12:
+    resolution: {integrity: sha512-8dD6FusOQSrpv9Z1rdNMdlSgQOIP880DHqnohobOmYLElGEqAL/JvxvuxZO16r4HtjTlfPRDC1hbvxC9dPN2nA==}
+    engines: {node: '>= 18'}
+    hasBin: true
+
   marked@16.4.1:
     resolution: {integrity: sha512-ntROs7RaN3EvWfy3EZi14H4YxmT6A5YvywfhO+0pm+cH/dnSQRmdAmoFIc3B9aiwTehyk7pESH4ofyBY+V5hZg==}
     engines: {node: '>= 20'}
     hasBin: true
 
+  marked@17.0.6:
+    resolution: {integrity: sha512-gB0gkNafnonOw0obSTEGZTT86IuhILt2Wfx0mWH/1Au83kybTayroZ/V6nS25mN7u8ASy+5fMhgB3XPNrOZdmA==}
+    engines: {node: '>= 20'}
+    hasBin: true
+
   marked@4.2.5:
     resolution: {integrity: sha512-jPueVhumq7idETHkb203WDD4fMA3yV9emQ5vLwop58lu8bTclMghBWcYAavlDqIEMaisADinV1TooIFCfqOsYQ==}
     engines: {node: '>= 12'}
     hasBin: true
 
-  marked@7.0.4:
-    resolution: {integrity: sha512-t8eP0dXRJMtMvBojtkcsA7n48BkauktUKzfkPSCq85ZMTJ0v76Rke4DYz01omYpPTUh4p/f7HePgRo3ebG8+QQ==}
-    engines: {node: '>= 16'}
-    hasBin: true
-
   marked@9.1.6:
     resolution: {integrity: sha512-jcByLnIFkd5gSXZmjNvS1TlmRhCXZjIzHYlaGkPlLIekG55JDR2Z4va9tZwCiP+/RDERiNhMOFu01xd6O5ct1Q==}
     engines: {node: '>= 16'}
@@ -15715,11 +12880,6 @@ packages:
     resolution: {integrity: sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==}
     engines: {node: '>= 0.4'}
 
-  md-to-react-email@5.0.2:
-    resolution: {integrity: sha512-x6kkpdzIzUhecda/yahltfEl53mH26QdWu4abUF9+S0Jgam8P//Ciro8cdhyMHnT5MQUJYrIbO6ORM2UxPiNNA==}
-    peerDependencies:
-      react: 18.x
-
   mdast-util-definitions@5.1.1:
     resolution: {integrity: sha512-rQ+Gv7mHttxHOBx2dkF4HWTg+EE+UR78ptQWDylzPKaQuVGdG4HIoY3SrS/pCp80nZ04greFvXbVFHT+uf0JVQ==}
 
@@ -15753,9 +12913,6 @@ packages:
   mdast-util-gfm@3.1.0:
     resolution: {integrity: sha512-0ulfdQOM3ysHhCJ1p06l0b0VKlhU0wuQs3thxZQagjcjPrlFRqY215uZGHHJan9GEAXd9MbfPjFJz+qMkVR6zQ==}
 
-  mdast-util-math@3.0.0:
-    resolution: {integrity: sha512-Tl9GBNeG/AhJnQM221bJR2HPvLOSnLE/T9cJI9tlc6zwQk2nPk/4f0cHkOdEixQPC/j8UtKDdITswvLAy1OZ1w==}
-
   mdast-util-mdx-expression@1.3.1:
     resolution: {integrity: sha512-TTb6cKyTA1RD+1su1iStZ5PAv3rFfOUKcoU5EstUpv/IZo63uDX03R8+jXjMEhcobXnNOiG6/ccekvVl4eV1zQ==}
 
@@ -15804,6 +12961,9 @@ packages:
   mdn-data@2.0.14:
     resolution: {integrity: sha512-dn6wd0uw5GsdswPFfsgMp5NSB0/aDe6fK94YJV/AJDYXL6HVLWBsxeq7js7Ad+mU2K9LAlwpk6kN2D5mwCPVow==}
 
+  mdn-data@2.27.1:
+    resolution: {integrity: sha512-9Yubnt3e8A0OKwxYSXyhLymGW4sCufcLG6VdiDdUGVkPhpqLxlvP5vl1983gQjJl3tqbrM731mjaZaP68AgosQ==}
+
   media-query-parser@2.0.2:
     resolution: {integrity: sha512-1N4qp+jE0pL5Xv4uEcwVUhIkwdUO3S/9gML90nqKA7v7FcOS5vUtatfzok9S9U1EJU8dHWlcv95WLnKmmxZI9w==}
 
@@ -15841,8 +13001,8 @@ packages:
     resolution: {integrity: sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==}
     engines: {node: '>= 8'}
 
-  mermaid@11.12.0:
-    resolution: {integrity: sha512-ZudVx73BwrMJfCFmSSJT84y6u5brEoV8DOItdHomNLz32uBjNrelm7mg95X7g+C6UoQH/W6mBLGDEDv73JdxBg==}
+  mermaid@11.14.0:
+    resolution: {integrity: sha512-GSGloRsBs+JINmmhl0JDwjpuezCsHB4WGI4NASHxL3fHo3o/BRXTxhDLKnln8/Q0lRFRyDdEjmk1/d5Sn1Xz8g==}
 
   methods@1.1.2:
     resolution: {integrity: sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==}
@@ -15878,9 +13038,6 @@ packages:
   micromark-extension-gfm@3.0.0:
     resolution: {integrity: sha512-vsKArQsicm7t0z2GugkCKtZehqUm31oeGBV/KVSorWSy8ZlNAv7ytjFhvaryUiCUJYqs+NoE6AFhpQvBTM6Q4w==}
 
-  micromark-extension-math@3.1.0:
-    resolution: {integrity: sha512-lvEqd+fHjATVs+2v/8kg9i5Q0AP2k85H0WUOwpIVvUML8BapsMvh1XAogmQjOCsLpoKRCVQqEkQBB3NhVBcsOg==}
-
   micromark-extension-mdx-expression@1.0.3:
     resolution: {integrity: sha512-TjYtjEMszWze51NJCZmhv7MEBcgYRgb3tJeMAJ+HQCAaZHHRBaDCccqQzGizR/H4ODefP44wRTgOn2vE5I6nZA==}
 
@@ -16073,6 +13230,10 @@ packages:
     resolution: {integrity: sha512-vqiC06CuhBTUdZH+RYl8sFrL096vA45Ok5ISO6sE/Mr1jRbGH4Csnhi8f3wKVl7x8mO4Au7Ir9D3Oyv1VYMFJw==}
     engines: {node: '>=12'}
 
+  mimic-function@5.0.1:
+    resolution: {integrity: sha512-VP79XUPxV2CigYP3jWwAUFSku2aKqBH7uTAapFWCBqutsbmDo96KY5o8uh6U+/YSIn5OxJnXp73beVkpqMIGhA==}
+    engines: {node: '>=18'}
+
   mimic-response@1.0.1:
     resolution: {integrity: sha512-j5EctnkH7amfV/q5Hgmoal1g2QHFJRraOtmx0JpIqkxhBhI/lJSl1nMpQ45hVarwNETOoWEimndZ4QK0RHxuxQ==}
     engines: {node: '>=4'}
@@ -16099,17 +13260,17 @@ packages:
     resolution: {integrity: sha512-ethXTt3SGGR+95gudmqJ1eNhRO7eGEGIgYA9vnPatK4/etz2MEVDno5GMCibdMTuBMyElzIlgxMna3K94XDIDQ==}
     engines: {node: 20 || >=22}
 
-  minimatch@3.1.2:
-    resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==}
+  minimatch@10.2.5:
+    resolution: {integrity: sha512-MULkVLfKGYDFYejP07QOurDLLQpcjk7Fw+7jXS2R2czRQzR56yHRveU5NDJEOviH+hETZKSkIk5c+T23GjFUMg==}
+    engines: {node: 18 || 20 || >=22}
+
+  minimatch@3.1.5:
+    resolution: {integrity: sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==}
 
   minimatch@5.1.6:
     resolution: {integrity: sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==}
     engines: {node: '>=10'}
 
-  minimatch@8.0.4:
-    resolution: {integrity: sha512-W0Wvr9HyFXZRGIDgCicunpQ299OKXs9RgZfaukz4qAW/pJhcpUfupc9c+OObPOFueNy8VSrZgEmDtk6Kh4WzDA==}
-    engines: {node: '>=16 || 14 >=14.17'}
-
   minimatch@9.0.1:
     resolution: {integrity: sha512-0jWhJpD/MdhPXwPuiRkCbfYfSKp2qnn2eOc279qI7f+osl/l+prKSrvhg157zSYvx/1nmgn2NqdT6k2Z7zSH9w==}
     engines: {node: '>=16 || 14 >=14.17'}
@@ -16125,6 +13286,9 @@ packages:
   minimist@1.2.7:
     resolution: {integrity: sha512-bzfL1YUZsP41gmu/qjrEk0Q6i2ix/cVeAhbCbqH9u3zYutS1cLg00qhrD0M2MVdCcx4Sc0UpP2eBWo9rotpq6g==}
 
+  minimist@1.2.8:
+    resolution: {integrity: sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==}
+
   minipass-collect@1.0.2:
     resolution: {integrity: sha512-6T6lH0H8OG9kITm/Jm6tdooIbogG9e0tLgpY6mphXSm/A9u8Nq1ryBG+Qspiub9LjWlBPsPS3tWQ/Botq4FdxA==}
     engines: {node: '>= 8'}
@@ -16157,21 +13321,18 @@ packages:
     resolution: {integrity: sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==}
     engines: {node: '>=16 || 14 >=14.17'}
 
+  minipass@7.1.3:
+    resolution: {integrity: sha512-tEBHqDnIoM/1rXME1zgka9g6Q2lcoCkxHLuc7ODJ5BxbP5d4c2Z5cGgtXAku59200Cx7diuHTOYfSBD8n6mm8A==}
+    engines: {node: '>=16 || 14 >=14.17'}
+
   minizlib@2.1.2:
     resolution: {integrity: sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==}
     engines: {node: '>= 8'}
 
-  minizlib@3.0.1:
-    resolution: {integrity: sha512-umcy022ILvb5/3Djuu8LWeqUa8D68JaBzlttKeMWen48SjabqS3iY5w/vzeMzMUNhLDifyhbOwKDSznB1vvrwg==}
-    engines: {node: '>= 18'}
-
   minizlib@3.1.0:
     resolution: {integrity: sha512-KZxYo1BUkWD2TVFLr0MQoM8vUUigWD3LlD83a/75BqC+4qE0Hb1Vo5v1FgcfaNXvfXzr+5EhQ6ing/CaBijTlw==}
     engines: {node: '>= 18'}
 
-  mitt@3.0.1:
-    resolution: {integrity: sha512-vKivATfr97l2/QBCYAkXYDbrIWPM2IIKEl7YPhjCvKlG3kE2gm+uBo6nEXK3M5/Ffh/FLpKExzOQ3JJoJGFKBw==}
-
   mixme@0.5.4:
     resolution: {integrity: sha512-3KYa4m4Vlqx98GPdOHghxSdNtTvcP8E0kkaJ5Dlh+h2DRzF7zpuVVcA8B0QpKd11YJeP9QQ7ASkKzOeu195Wzw==}
     engines: {node: '>= 8.0.0'}
@@ -16213,8 +13374,8 @@ packages:
   mlly@1.7.4:
     resolution: {integrity: sha512-qmdSIPC4bDJXgZTCR7XosJiNKySV7O215tsPtDN9iEO/7q/76b/ijtgRu/+epFXSJhijtTCCGp3DWS549P3xKw==}
 
-  module-details-from-path@1.0.3:
-    resolution: {integrity: sha512-ySViT69/76t8VhE1xXHK6Ch4NcDd26gx0MzKXLO+F7NOtnqH68d9zF94nT8ZWSxXh8ELOERsnJO/sWt1xZYw5A==}
+  module-details-from-path@1.0.4:
+    resolution: {integrity: sha512-EGWKgxALGMgzvxYF1UyGTy0HXX/2vHLkw6+NvDKW2jypWbHpjQuj4UMcqQWXHERJhVGKikolT06G3bcKe4fi7w==}
 
   moo@0.5.2:
     resolution: {integrity: sha512-iSAJLHYKnX41mKcJKjqvnAN9sf0LMDTXDEvFv+ffuRR9a1MIuXLjMNL6EsnDHSkKLTWNqQQ5uo61P4EbU4NU+Q==}
@@ -16223,6 +13384,10 @@ packages:
     resolution: {integrity: sha512-AbegBVI4sh6El+1gNwvD5YIck7nSA36weD7xvIxG4in80j/UoK8AEGaWnnz8v1GxonMCltmlNs5ZKbGvl9b1XQ==}
     engines: {node: '>= 0.8.0'}
 
+  morgan@1.10.1:
+    resolution: {integrity: sha512-223dMRJtI/l25dJKWpgij2cMtywuG/WiUKXdvwfbhGKBhy1puASqXwFzmWZ7+K73vUPoR7SS2Qz2cI/g9MKw0A==}
+    engines: {node: '>= 0.8.0'}
+
   mri@1.2.0:
     resolution: {integrity: sha512-tzzskb3bG8LvYGFF/mDTpq3jpI6Q9wc3LEmBaghu+DdCssd1FakN7Bc0hVNmEyGq1bq3RgfkCb3cmQLpNPOroA==}
     engines: {node: '>=4'}
@@ -16231,10 +13396,6 @@ packages:
     resolution: {integrity: sha512-hzzEagAgDyoU1Q6yg5uI+AorQgdvMCur3FcKf7NhMKWsaYg+RnbTyHRa/9IlLF9rf455MOCtcqqrQQ83pPP7Uw==}
     engines: {node: '>=10'}
 
-  mrmime@2.0.0:
-    resolution: {integrity: sha512-eu38+hdgojoyq63s+yTpN4XMBdt5l8HhMhc4VKLO9KM5caLIBvUm4thi7fFaxyTmCKeNnXZ5pAlBwCUnhA09uw==}
-    engines: {node: '>=10'}
-
   ms@2.0.0:
     resolution: {integrity: sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==}
 
@@ -16244,9 +13405,6 @@ packages:
   ms@2.1.3:
     resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==}
 
-  multipasta@0.2.5:
-    resolution: {integrity: sha512-c8eMDb1WwZcE02WVjHoOmUVk7fnKU/RmUcosHACglrWAuPQsEJv+E8430sXj6jNc1jHw0zrS16aCjQh4BcEb4A==}
-
   mustache@4.2.0:
     resolution: {integrity: sha512-71ippSywq5Yb7/tVYyGbkBggbU8H3u5Rz56fH60jGFgr8uHwxs+aSKeqmluIVzM0m0kB7xQjKS6qPfd0b2ZoqQ==}
     hasBin: true
@@ -16283,11 +13441,6 @@ packages:
     engines: {node: ^18 || >=20}
     hasBin: true
 
-  nanoid@5.1.5:
-    resolution: {integrity: sha512-Ir/+ZpE9fDsNH0hQ3C68uyThDXzYcim2EqcZ8zn8Chtt1iylPT9xXJB0kPCnqzgcEGikO9RxSrh63MsmVCU7Fw==}
-    engines: {node: ^18 || >=20}
-    hasBin: true
-
   napi-build-utils@2.0.0:
     resolution: {integrity: sha512-GEbrYkbfF7MoNaoh2iGG84Mnf/WZfB0GdGEsM8wz7Expx/LlWf5U8t9nvJKXSp3qr5IsEbK04cBGhol/KwOsWA==}
 
@@ -16305,6 +13458,10 @@ packages:
     resolution: {integrity: sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==}
     engines: {node: '>= 0.6'}
 
+  negotiator@0.6.4:
+    resolution: {integrity: sha512-myRT3DiWPHqho5PrJaIRyaMv2kgYf0mUVgBNOYMuCH5Ki1yEiQaf/ZJuQ62nvpc44wL5WDbTX7yGJi1Neevw8w==}
+    engines: {node: '>= 0.6'}
+
   negotiator@1.0.0:
     resolution: {integrity: sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==}
     engines: {node: '>= 0.6'}
@@ -16315,120 +13472,15 @@ packages:
   nested-error-stacks@2.1.1:
     resolution: {integrity: sha512-9iN1ka/9zmX1ZvLV9ewJYEk9h7RyRRtqdK0woXcqohu8EWIerfPUjYJPg0ULy0UqP7cslmdGc8xKDJcojlKiaw==}
 
-  netmask@2.0.2:
-    resolution: {integrity: sha512-dBpDMdxv9Irdq66304OLfEmQ9tbNRFnFTuZiLo+bD+r332bBmMJ8GBLXklIXXgxd3+v9+KUnZaUR5PJMa75Gsg==}
-    engines: {node: '>= 0.4.0'}
-
   neverthrow@8.2.0:
     resolution: {integrity: sha512-kOCT/1MCPAxY5iUV3wytNFUMUolzuwd/VF/1KCx7kf6CutrOsTie+84zTGTpgQycjvfLdBBdvBvFLqFD2c0wkQ==}
     engines: {node: '>=18'}
 
-  next@14.1.0:
-    resolution: {integrity: sha512-wlzrsbfeSU48YQBjZhDzOwhWhGsy+uQycR8bHAOt1LY1bn3zZEcDyHQOEoN3aWzQ8LHCAJ1nqrWCc9XF2+O45Q==}
-    engines: {node: '>=18.17.0'}
-    deprecated: This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/security-update-2025-12-11 for more details.
-    hasBin: true
-    peerDependencies:
-      '@opentelemetry/api': ^1.1.0
-      react: ^18.2.0
-      react-dom: ^18.2.0
-      sass: ^1.3.0
-    peerDependenciesMeta:
-      '@opentelemetry/api':
-        optional: true
-      sass:
-        optional: true
-
-  next@14.2.21:
-    resolution: {integrity: sha512-rZmLwucLHr3/zfDMYbJXbw0ZeoBpirxkXuvsJbk7UPorvPYZhP7vq7aHbKnU7dQNCYIimRrbB2pp3xmf+wsYUg==}
-    engines: {node: '>=18.17.0'}
-    deprecated: This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/security-update-2025-12-11 for more details.
-    hasBin: true
-    peerDependencies:
-      '@opentelemetry/api': ^1.1.0
-      '@playwright/test': ^1.41.2
-      react: ^18.2.0
-      react-dom: ^18.2.0
-      sass: ^1.3.0
-    peerDependenciesMeta:
-      '@opentelemetry/api':
-        optional: true
-      '@playwright/test':
-        optional: true
-      sass:
-        optional: true
-
-  next@15.2.4:
-    resolution: {integrity: sha512-VwL+LAaPSxEkd3lU2xWbgEOtrM8oedmyhBqaVNmgKB+GvZlCy9rgaEc+y2on0wv+l0oSFqLtYD6dcC1eAedUaQ==}
-    engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0}
-    deprecated: This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/CVE-2025-66478 for more details.
-    hasBin: true
-    peerDependencies:
-      '@opentelemetry/api': ^1.1.0
-      '@playwright/test': ^1.41.2
-      babel-plugin-react-compiler: '*'
-      react: ^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0
-      react-dom: ^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0
-      sass: ^1.3.0
-    peerDependenciesMeta:
-      '@opentelemetry/api':
-        optional: true
-      '@playwright/test':
-        optional: true
-      babel-plugin-react-compiler:
-        optional: true
-      sass:
-        optional: true
-
-  next@15.4.8:
-    resolution: {integrity: sha512-jwOXTz/bo0Pvlf20FSb6VXVeWRssA2vbvq9SdrOPEg9x8E1B27C2rQtvriAn600o9hH61kjrVRexEffv3JybuA==}
-    engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0}
-    deprecated: This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/security-update-2025-12-11 for more details.
-    hasBin: true
-    peerDependencies:
-      '@opentelemetry/api': ^1.1.0
-      '@playwright/test': ^1.51.1
-      babel-plugin-react-compiler: '*'
-      react: ^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0
-      react-dom: ^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0
-      sass: ^1.3.0
-    peerDependenciesMeta:
-      '@opentelemetry/api':
-        optional: true
-      '@playwright/test':
-        optional: true
-      babel-plugin-react-compiler:
-        optional: true
-      sass:
-        optional: true
-
-  next@15.5.6:
-    resolution: {integrity: sha512-zTxsnI3LQo3c9HSdSf91O1jMNsEzIXDShXd4wVdg9y5shwLqBXi4ZtUUJyB86KGVSJLZx0PFONvO54aheGX8QQ==}
-    engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0}
-    deprecated: This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/CVE-2025-66478 for more details.
-    hasBin: true
-    peerDependencies:
-      '@opentelemetry/api': ^1.1.0
-      '@playwright/test': ^1.51.1
-      babel-plugin-react-compiler: '*'
-      react: ^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0
-      react-dom: ^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0
-      sass: ^1.3.0
-    peerDependenciesMeta:
-      '@opentelemetry/api':
-        optional: true
-      '@playwright/test':
-        optional: true
-      babel-plugin-react-compiler:
-        optional: true
-      sass:
-        optional: true
-
   nice-try@1.0.5:
     resolution: {integrity: sha512-1nh45deeb5olNY7eX82BkPO7SSxR5SSYJiPTrTdFUVYwAl8CKMA5N9PjTYkHiRjisVcxcQ1HXdLhx2qxxJzLNQ==}
 
-  node-abi@3.75.0:
-    resolution: {integrity: sha512-OhYaY5sDsIka7H7AtijtI9jwGYLyl29eQn/W623DiN/MIv5sUqc4g7BIDThX+gb7di9f6xK02nkp8sdfFWZLTg==}
+  node-abi@3.89.0:
+    resolution: {integrity: sha512-6u9UwL0HlAl21+agMN3YAMXcKByMqwGx+pq+P76vii5f7hTPtKDp08/H9py6DY+cfDw7kQNTGEj/rly3IgbNQA==}
     engines: {node: '>=10'}
 
   node-abort-controller@3.1.1:
@@ -16474,14 +13526,14 @@ packages:
   node-releases@2.0.12:
     resolution: {integrity: sha512-QzsYKWhXTWx8h1kIvqfnC++o0pEmpRQA/aenALsL2F4pqNVr7YzcdMlDij5WBnwftRbJCNJL/O7zdKaxKPHqgQ==}
 
-  node-releases@2.0.19:
-    resolution: {integrity: sha512-xxOWJsBKtzAq7DY0J+DTzuz58K8e7sJbdgwkbMWQe8UYB6ekmsQ45q0M/tJDsGaZmbC+l7n57UV8Hl5tHxO9uw==}
-
   node-releases@2.0.27:
     resolution: {integrity: sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA==}
 
-  nodemailer@7.0.11:
-    resolution: {integrity: sha512-gnXhNRE0FNhD7wPSCGhdNh46Hs6nm+uTyg+Kq0cZukNQiYdnCsoQjodNP9BQVG9XrcK/v6/MgpAPBUFyzh9pvw==}
+  node-releases@2.0.36:
+    resolution: {integrity: sha512-TdC8FSgHz8Mwtw9g5L4gR/Sh9XhSP/0DEkQxfEFXOpiul5IiHgHan2VhYYb6agDSfp4KuvltmGApc8HMgUrIkA==}
+
+  nodemailer@8.0.6:
+    resolution: {integrity: sha512-Nm2XeuDwwy2wi5A+8jPWwQwNzcjNjhWdE3pVLoXEusxJqCnAPAgnBGkSmiLknbnWuOF9qraRpYZjfxqtKZ4tPw==}
     engines: {node: '>=6.0.0'}
 
   non.geist@1.0.2:
@@ -16568,6 +13620,11 @@ packages:
     engines: {node: ^14.16.0 || >=16.10.0}
     hasBin: true
 
+  nypm@0.6.6:
+    resolution: {integrity: sha512-vRyr0r4cbBapw07Xw8xrj9Teq3o7MUD35rSaTcanDbW+aK2XHDgJFiU6ZTj2GBw7Q12ysdsyFss+Vdz4hQ0Y6Q==}
+    engines: {node: '>=18'}
+    hasBin: true
+
   oauth-sign@0.9.0:
     resolution: {integrity: sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==}
 
@@ -16602,10 +13659,6 @@ packages:
     resolution: {integrity: sha512-leTPzo4Zvg3pmbQ3rDK69Rl8GQvIqMWubrkxONG9/ojtFE2rD9fjMKfSI5BxW3osRH1m6VdzmqK8oAY9aT4x5w==}
     engines: {node: '>= 0.4'}
 
-  object.fromentries@2.0.6:
-    resolution: {integrity: sha512-VciD13dswC4j1Xt5394WR4MzmAQmlgN72phd/riNp9vtD7tp4QQWJ0R4wvclXcafgcYK8veHRed2W6XeGBvcfg==}
-    engines: {node: '>= 0.4'}
-
   object.fromentries@2.0.8:
     resolution: {integrity: sha512-k6E21FzySsSK5a21KRADBd/NGneRegFO5pLHfdQLpRDETUNJueLXs3WCzyQ3tFRDYgbq3KHGXfTbi2bs8WQ6rQ==}
     engines: {node: '>= 0.4'}
@@ -16617,10 +13670,6 @@ packages:
   object.hasown@1.1.2:
     resolution: {integrity: sha512-B5UIT3J1W+WuWIU55h0mjlwaqxiE5vYENJXIXZ4VFe05pNYrkKuK0U/6aFcb0pKywYJh7IhfoqUfKVmrJJHZHw==}
 
-  object.values@1.1.6:
-    resolution: {integrity: sha512-FVVTkD1vENCsAcwNs9k6jea2uHC/X0+JcjG8YA60FN5CMaJmG95wT9jek/xX9nornqGRrBkKtzuAu2wuHpKqvw==}
-    engines: {node: '>= 0.4'}
-
   object.values@1.2.0:
     resolution: {integrity: sha512-yBYjY9QX2hnRmZHAjG/f13MzmBzxzYgQhFrke06TTyKY5zSTEqkOeukBzIdVA3j3ulu8Qa3MbVFShV7T2RmGtQ==}
     engines: {node: '>= 0.4'}
@@ -16628,6 +13677,9 @@ packages:
   obuf@1.1.2:
     resolution: {integrity: sha512-PX1wu0AmAdPqOL1mWhqmlOd8kOIZQwGZw6rh7uby9fTc5lhaOWFLX3I6R1hrF9k3zUY40e6igsLGkDXK92LJNg==}
 
+  obug@2.1.1:
+    resolution: {integrity: sha512-uTqF9MuPraAQ+IsnPf366RG4cP9RtUi7MLO1N3KEc+wb0a6yKpeL0lmk2IB1jY5KHPAlTc6T/JRdC/YqxHNwkQ==}
+
   octokit@3.2.2:
     resolution: {integrity: sha512-7Abo3nADdja8l/aglU6Y3lpnHSfv0tw7gFPiqzry/yCU+2gTAX7R1roJ8hJrxIK+S1j+7iqRJXtmuHJ/UDsBhQ==}
     engines: {node: '>= 18'}
@@ -16658,6 +13710,10 @@ packages:
     resolution: {integrity: sha512-pZAE+FJLoyITytdqK0U5s+FIpjN0JP3OzFi/u8Rx+EV5/W+JTWGXG8xFzevE7AjBfDqHv/8vL8qQsIhHnqRkrA==}
     engines: {node: '>= 0.8'}
 
+  on-headers@1.1.0:
+    resolution: {integrity: sha512-737ZY3yNnXy37FHkQxPzt4UZ2UWPWiCZWLvFZ4fu5cueciegX0zGPnrlY6bwRg4FdQOe9YU8MkmJwGhoMybl8A==}
+    engines: {node: '>= 0.8'}
+
   once@1.4.0:
     resolution: {integrity: sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==}
 
@@ -16669,11 +13725,11 @@ packages:
     resolution: {integrity: sha512-1FlR+gjXK7X+AsAHso35MnyN5KqGwJRi/31ft6x0M194ht7S+rWAvd7PHss9xSKMzE0asv1pyIHaJYq+BbacAQ==}
     engines: {node: '>=12'}
 
-  oniguruma-parser@0.12.1:
-    resolution: {integrity: sha512-8Unqkvk1RYc6yq2WBYRj4hdnsAxVze8i7iPfQr8e4uSP3tRv0rpZcbGUDvxfQQcdwHt/e9PrMvGCsa8OqG9X3w==}
+  oniguruma-parser@0.12.2:
+    resolution: {integrity: sha512-6HVa5oIrgMC6aA6WF6XyyqbhRPJrKR02L20+2+zpDtO5QAzGHAUGw5TKQvwi5vctNnRHkJYmjAhRVQF2EKdTQw==}
 
-  oniguruma-to-es@4.3.3:
-    resolution: {integrity: sha512-rPiZhzC3wXwE59YQMRDodUwwT9FZ9nNBwQQfsd1wfdtlKEyCdRV0avrTcSZ5xlIvGRVPd/cx6ZN45ECmS39xvg==}
+  oniguruma-to-es@4.3.6:
+    resolution: {integrity: sha512-csuQ9x3Yr0cEIs/Zgx/OEt9iBw9vqIunAPQkx19R/fiMq2oGVTgcMqO/V3Ybqefr1TBvosI6jU539ksaBULJyA==}
 
   open@10.0.3:
     resolution: {integrity: sha512-dtbI5oW7987hwC9qjJTyABldTaa19SuyJse1QboWv3b0qCcrrLNVDqBx1XgELAjh9QTVQaP/C5b1nhQebd1H2A==}
@@ -16687,15 +13743,6 @@ packages:
     resolution: {integrity: sha512-0DH572aSxGTT1JPOXgJQ9mjiuSPg/7scPot8hLc5I1mfQxPxLXTZWJpWerKaIWOuPkR2nrB0SamGDEehH8RuWA==}
     hasBin: true
 
-  openai@4.68.4:
-    resolution: {integrity: sha512-LRinV8iU9VQplkr25oZlyrsYGPGasIwYN8KFMAAFTHHLHjHhejtJ5BALuLFrkGzY4wfbKhOhuT+7lcHZ+F3iEA==}
-    hasBin: true
-    peerDependencies:
-      zod: ^3.23.8
-    peerDependenciesMeta:
-      zod:
-        optional: true
-
   openai@4.97.0:
     resolution: {integrity: sha512-LRoiy0zvEf819ZUEJhgfV8PfsE8G5WpQi4AwA1uCV8SKvvtXQkoWUFkepD6plqyJQRghy2+AEPQ07FrJFKHZ9Q==}
     hasBin: true
@@ -16708,16 +13755,6 @@ packages:
       zod:
         optional: true
 
-  openapi-fetch@0.9.8:
-    resolution: {integrity: sha512-zM6elH0EZStD/gSiNlcPrzXcVQ/pZo3BDvC6CDwRDUt1dDzxlshpmQnpD6cZaJ39THaSmwVCxxRrPKNM1hHrDg==}
-
-  openapi-typescript-helpers@0.0.8:
-    resolution: {integrity: sha512-1eNjQtbfNi5Z/kFhagDIaIRj6qqDzhjNJKz8cmMW0CVdGwT6e1GLbAfgI0d28VTJa1A8jz82jm/4dG8qNoNS8g==}
-
-  opener@1.5.2:
-    resolution: {integrity: sha512-ur5UIdyw5Y7yEj9wLzhqXiy6GZ3Mwx0yGI+5sMn2r0N0v3cKJvUmFH5yPP+WXh9e0xfyzyJX95D8l088DNFj7A==}
-    hasBin: true
-
   openid-client@5.7.1:
     resolution: {integrity: sha512-jDBPgSVfTnkIh71Hg9pRvtJc6wTwqjRkN88+gCFtYWrlP4Yx2Dsrow8uPi3qLr/aeymPF3o2+dS+wOpglK04ew==}
 
@@ -16842,14 +13879,6 @@ packages:
     resolution: {integrity: sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==}
     engines: {node: '>=6'}
 
-  pac-proxy-agent@7.2.0:
-    resolution: {integrity: sha512-TEB8ESquiLMc0lV8vcd5Ql/JAKAoyzHFXaStwjkzpOpC5Yv+pIzLfHvjTSdf3vpa2bMiUQrg9i6276yn8666aA==}
-    engines: {node: '>= 14'}
-
-  pac-resolver@7.0.1:
-    resolution: {integrity: sha512-5NPgf87AT2STgwa2ntRMr45jTKrYBGkVU36yT0ig/n/GMAa3oPqhZfIQ2kMEimReg0+t9kZViDVZ83qfVUlckg==}
-    engines: {node: '>= 14'}
-
   package-json-from-dist@1.0.0:
     resolution: {integrity: sha512-dATvCeZN/8wQsGywez1mzHtTlP22H8OEfPrVMLNr4/eGa+ijtLn/6M5f0dY8UKNrC2O9UCU6SSoG3qRKnt7STw==}
 
@@ -16927,6 +13956,10 @@ packages:
     resolution: {integrity: sha512-RjhtfwJOxzcFmNOi6ltcbcu4Iu+FL3zEj83dk4kAS+fVpTxXLO1b38RvJgT/0QwvV/L3aY9TAnyv0EOqW4GoMQ==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
 
+  path-expression-matcher@1.5.0:
+    resolution: {integrity: sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==}
+    engines: {node: '>=14.0.0'}
+
   path-is-absolute@1.0.1:
     resolution: {integrity: sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==}
     engines: {node: '>=0.10.0'}
@@ -16954,8 +13987,12 @@ packages:
     resolution: {integrity: sha512-ypGJsmGtdXUOeM5u93TyeIEfEhM6s+ljAhrk5vAvSx8uyY/02OvrZnA0YNGUrPXfpJMgI1ODd3nwz8Npx4O4cg==}
     engines: {node: 20 || >=22}
 
-  path-to-regexp@0.1.10:
-    resolution: {integrity: sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==}
+  path-scurry@2.0.2:
+    resolution: {integrity: sha512-3O/iVVsJAPsOnpwWIeD+d6z/7PmqApyQePUtCndjatj/9I5LylHvt5qluFaBT3I5h3r1ejfR056c+FCv+NnNXg==}
+    engines: {node: 18 || 20 || >=22}
+
+  path-to-regexp@0.1.13:
+    resolution: {integrity: sha512-A/AGNMFN3c8bOlvV9RreMdrv7jsmF9XIfDeCd87+I8RNg6s78BhJxMu69NEMHBSJFxKidViTEdruRwEk/WIKqA==}
 
   path-to-regexp@8.2.0:
     resolution: {integrity: sha512-TdrF7fW9Rphjq4RjrW0Kp2AW0Ahwu9sRGTkS6bvDi0SCwZlEZYmcfDbEsTz8RVk0EHIS/Vd1bv3JhG+1xZuAyQ==}
@@ -16975,10 +14012,6 @@ packages:
   pathe@2.0.3:
     resolution: {integrity: sha512-WUjGcAqP1gQacoQe+OBJsFA7Ld4DyXuUIjZ5cc75cLHvJ7dtNsTugphxIADwspS+AraAUePCKrSVtPLFj/F88w==}
 
-  pathval@2.0.0:
-    resolution: {integrity: sha512-vE7JKRyES09KiunauX7nd2Q9/L7lhok4smP9RZTDeD4MVs72Dp2qNFVz39Nz5a0FVEW0BJR6C0DYrq6unoziZA==}
-    engines: {node: '>= 14.16'}
-
   peberminta@0.9.0:
     resolution: {integrity: sha512-XIxfHpEuSJbITd1H3EeQwpcZbTLHc+VVr8ANI9t5sit565tsI4/xK3KWTUFE2e6QiangUkh3B0jihzmGnNrRsQ==}
 
@@ -16989,18 +14022,12 @@ packages:
   peek-stream@1.1.3:
     resolution: {integrity: sha512-FhJ+YbOSBb9/rIl2ZeE/QHEsWn7PqNYt8ARAY3kIgNGOk13g9FGyIY6JIl/xB/3TFRVoTv5as0l11weORrTekA==}
 
-  pend@1.2.0:
-    resolution: {integrity: sha512-F3asv42UuXchdzt+xXqfW1OGlVBe+mxa2mqI0pg5yAHZPvFmY3Y6drSf/GQ1A86WgWEN9Kzh/WrgKa6iGcHXLg==}
-
   perfect-debounce@1.0.0:
     resolution: {integrity: sha512-xCy9V055GLEqoFaHoC1SoLIaLmWctgCUaBaWxDZ7/Zx4CTyX7cJQLJOok/orfjZAh9kEYpjJa4d0KcJmCbctZA==}
 
   performance-now@2.1.0:
     resolution: {integrity: sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==}
 
-  performant-array-to-tree@1.11.0:
-    resolution: {integrity: sha512-YwCqIDvnaebXaKuKQhI5yJD6ryDc3FxvoeX/5ougXTKDUWb7s5S2BuBgIyftCa4sBe1+ZU5Kmi4RJy+pjjjrpw==}
-
   periscopic@3.1.0:
     resolution: {integrity: sha512-vKiQ8RRtkl9P+r/+oefh25C3fhybptkHKCZSPlcXiJux2tJF55GnEj3BVn4A5gKfq9NWWXXrxkHBwVPUfH0opw==}
 
@@ -17066,15 +14093,6 @@ packages:
       pg-native:
         optional: true
 
-  pg@8.16.3:
-    resolution: {integrity: sha512-enxc1h0jA/aq5oSDMvqyW3q89ra6XIIDZgCX9vkMrnz5DFTw/Ny3Li2lFQ+pt3L6MCgm/5o2o8HW9hiJji+xvw==}
-    engines: {node: '>= 16.0.0'}
-    peerDependencies:
-      pg-native: '>=3.0.1'
-    peerDependenciesMeta:
-      pg-native:
-        optional: true
-
   pgpass@1.0.5:
     resolution: {integrity: sha512-FdW9r/jQZhSeohs1Z3sI1yxFQNFvMcnmfuj4WBMUTxOrAyLMaTcE1aAMBiTlbMNaXvBCQuVi0R7hd8udDSP7ug==}
 
@@ -17087,14 +14105,18 @@ packages:
   picocolors@1.1.1:
     resolution: {integrity: sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==}
 
-  picomatch@2.3.1:
-    resolution: {integrity: sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==}
+  picomatch@2.3.2:
+    resolution: {integrity: sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==}
     engines: {node: '>=8.6'}
 
-  picomatch@4.0.2:
-    resolution: {integrity: sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==}
+  picomatch@4.0.4:
+    resolution: {integrity: sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==}
     engines: {node: '>=12'}
 
+  picospinner@3.0.0:
+    resolution: {integrity: sha512-lGA1TNsmy2bxvRsTI2cV01kfTwKzZjnZSDmF9llYNyMHMrU4sP87lQ5taiIKm88L3cbswjl008nwyGc3WpNvzg==}
+    engines: {node: '>=18.0.0'}
+
   pidtree@0.3.1:
     resolution: {integrity: sha512-qQbW94hLHEqCg7nhby4yRC7G2+jYHY4Rguc2bjw7Uug4GIJuu1tvf2uHaZv5Q8zdt+WKJ6qK1FOI6amaWUo5FA==}
     engines: {node: '>=0.10'}
@@ -17117,14 +14139,14 @@ packages:
     resolution: {integrity: sha512-uB80kBFb/tfd68bVleG9T5GGsGPjJrLAUpR5PZIrhBnIaRTQRjqdJSsIKkOP6OAIFbj7GOrcudc5pNjZ+geV2g==}
     engines: {node: '>=6'}
 
-  pino-abstract-transport@2.0.0:
-    resolution: {integrity: sha512-F63x5tizV6WCh4R6RHyi2Ml+M70DNRXt/+HANowMflpgGFMAym/VKm6G7ZOQRjqN7XbGxK1Lg9t6ZrtzOaivMw==}
+  pino-abstract-transport@3.0.0:
+    resolution: {integrity: sha512-wlfUczU+n7Hy/Ha5j9a/gZNy7We5+cXp8YL+X+PG8S0KXxw7n/JXA3c46Y0zQznIJ83URJiwy7Lh56WLokNuxg==}
 
   pino-std-serializers@7.0.0:
     resolution: {integrity: sha512-e906FRY0+tV27iq4juKzSYPbUj2do2X2JX4EzSca1631EB2QJQUqGbDuERal7LCtOpxl6x3+nvo9NPZcmjkiFA==}
 
-  pino@9.7.0:
-    resolution: {integrity: sha512-vnMCM6xZTb1WDmLvtG2lE/2p+t9hDEIvTWJsu6FejkE62vB7gDhvzrpFR4Cw2to+9JNQxVnkAKVPA1KPB98vWg==}
+  pino@10.3.1:
+    resolution: {integrity: sha512-r34yH/GlQpKZbU1BvFFqOjhISRo1MNx1tWYsYvmj6KIRHSPMT2+yHOEb1SG6NMvRoHRF0a07kCOox/9yakl1vg==}
     hasBin: true
 
   pirates@4.0.5:
@@ -17139,6 +14161,10 @@ packages:
     resolution: {integrity: sha512-HRDzbaKjC+AOWVXxAU/x54COGeIv9eb+6CkDSQoNTt4XyWoIJvuPsXizxu/Fr23EiekbtZwmh1IcIG/l/a10GQ==}
     engines: {node: '>=8'}
 
+  pkg-pr-new@0.0.75:
+    resolution: {integrity: sha512-u9mdErTewKSMsr+ceCt8VcNuNP0ro5AXiPXhUVApuEyqr2Zlvt+DdCFBcm+yGWN8mhOdZJ27meIDbnoZgfzpOw==}
+    hasBin: true
+
   pkg-types@1.1.3:
     resolution: {integrity: sha512-+JrgthZG6m3ckicaOB74TwQ+tBWsFl3qVQg7mN8ulwSOElJ7gBhKzj2VkCPnZ4NlF6kEquYU+RIYNVAvzd54UA==}
 
@@ -17148,9 +14174,6 @@ packages:
   pkg-types@2.3.0:
     resolution: {integrity: sha512-SIqCzDRg0s9npO5XQ3tNZioRY1uK06lA41ynBC1YmFTmnY6FjUjVt6s4LoADmwoig1qqD0oK8h1p/8mlMx8Oig==}
 
-  platform@1.3.6:
-    resolution: {integrity: sha512-fnWVljUchTro6RiCFvCXBbNhJc2NijN7oIQxbwsyL0buWJPG85v81ehlHI9fXrJsMNgTofEoWIQeClKpgxFLrg==}
-
   playwright-core@1.37.0:
     resolution: {integrity: sha512-1c46jhTH/myQw6sesrcuHVtLoSNfJv8Pfy9t3rs6subY7kARv0HRw5PpyfPYPpPtQvBOmgbE6K+qgYUpj81LAA==}
     engines: {node: '>=16'}
@@ -17177,7 +14200,7 @@ packages:
     resolution: {integrity: sha512-zmX3IoSI2aoenxHV6C7plngHWWhUOV3sP1T8y2ifzxzbtnuhk1EdPwm0S1bIUNaJ2eNbWeGLEwzw8huPD67aQw==}
     engines: {node: ^10 || ^12 || >=14.0}
     peerDependencies:
-      postcss: ^8.2.15
+      postcss: ^8.5.10
 
   postcss-functions@3.0.0:
     resolution: {integrity: sha512-N5yWXWKA+uhpLQ9ZhBRl2bIAdM6oVJYpDojuI1nF2SzXBimJcdjFwiAouBVbO5VuOF3qA6BSFWFc3wXbbj72XQ==}
@@ -17186,13 +14209,13 @@ packages:
     resolution: {integrity: sha512-hpr+J05B2FVYUAXHeK1YyI267J/dDDhMU6B6civm8hSY1jYJnBXxzKDKDswzJmtLHryrjhnDjqqp/49t8FALew==}
     engines: {node: '>=14.0.0'}
     peerDependencies:
-      postcss: ^8.0.0
+      postcss: ^8.5.10
 
   postcss-import@16.0.1:
     resolution: {integrity: sha512-i2Pci0310NaLHr/5JUFSw1j/8hf1CzwMY13g6ZDxgOavmRHQi2ba3PmUHoihO+sjaum+KmCNzskNsw7JDrg03g==}
     engines: {node: '>=18.0.0'}
     peerDependencies:
-      postcss: ^8.0.0
+      postcss: ^8.5.10
 
   postcss-js@2.0.3:
     resolution: {integrity: sha512-zS59pAk3deu6dVHyrGqmC3oDXBdNdajk4k1RyxeVXCrcEDBUBHoIhE4QTsmhxgzXxsaqFDAkUZfmMa5f/N/79w==}
@@ -17201,13 +14224,13 @@ packages:
     resolution: {integrity: sha512-dDLF8pEO191hJMtlHFPRa8xsizHaM82MLfNkUHdUtVEV3tgTp5oj+8qbEqYM57SLfc74KSbw//4SeJma2LRVIw==}
     engines: {node: ^12 || ^14 || >= 16}
     peerDependencies:
-      postcss: ^8.4.21
+      postcss: ^8.5.10
 
   postcss-load-config@4.0.2:
     resolution: {integrity: sha512-bSVhyJGL00wMVoPUzAVAnbEoWyqRxkjv64tUl427SKnPrENtq6hJwUojroMz2VB+Q1edmi4IfrAPpami5VVgMQ==}
     engines: {node: '>= 14'}
     peerDependencies:
-      postcss: '>=8.0.9'
+      postcss: ^8.5.10
       ts-node: '>=9.0.0'
     peerDependenciesMeta:
       postcss:
@@ -17220,9 +14243,9 @@ packages:
     engines: {node: '>= 18'}
     peerDependencies:
       jiti: '>=1.21.0'
-      postcss: '>=8.0.9'
+      postcss: ^8.5.10
       tsx: ^4.8.1
-      yaml: ^2.4.2
+      yaml: ^2.8.3
     peerDependenciesMeta:
       jiti:
         optional: true
@@ -17238,7 +14261,7 @@ packages:
     engines: {node: '>= 18.12.0'}
     peerDependencies:
       '@rspack/core': 0.x || 1.x
-      postcss: ^7.0.0 || ^8.0.1
+      postcss: ^8.5.10
       webpack: ^5.0.0
     peerDependenciesMeta:
       '@rspack/core':
@@ -17250,30 +14273,30 @@ packages:
     resolution: {integrity: sha512-bdHleFnP3kZ4NYDhuGlVK+CMrQ/pqUm8bx/oGL93K6gVwiclvX5x0n76fYMKuIGKzlABOy13zsvqjb0f92TEXw==}
     engines: {node: ^10 || ^12 || >= 14}
     peerDependencies:
-      postcss: ^8.1.0
+      postcss: ^8.5.10
 
   postcss-modules-local-by-default@4.0.4:
     resolution: {integrity: sha512-L4QzMnOdVwRm1Qb8m4x8jsZzKAaPAgrUF1r/hjDR2Xj7R+8Zsf97jAlSQzWtKx5YNiNGN8QxmPFIc/sh+RQl+Q==}
     engines: {node: ^10 || ^12 || >= 14}
     peerDependencies:
-      postcss: ^8.1.0
+      postcss: ^8.5.10
 
   postcss-modules-scope@3.1.1:
     resolution: {integrity: sha512-uZgqzdTleelWjzJY+Fhti6F3C9iF1JR/dODLs/JDefozYcKTBCdD8BIl6nNPbTbcLnGrk56hzwZC2DaGNvYjzA==}
     engines: {node: ^10 || ^12 || >= 14}
     peerDependencies:
-      postcss: ^8.1.0
+      postcss: ^8.5.10
 
   postcss-modules-values@4.0.0:
     resolution: {integrity: sha512-RDxHkAiEGI78gS2ofyvCsu7iycRv7oqw5xMWn9iMoR0N/7mf9D50ecQqUo5BZ9Zh2vH4bCUR/ktCqbB9m8vJjQ==}
     engines: {node: ^10 || ^12 || >= 14}
     peerDependencies:
-      postcss: ^8.1.0
+      postcss: ^8.5.10
 
   postcss-modules@6.0.0:
     resolution: {integrity: sha512-7DGfnlyi/ju82BRzTIjWS5C4Tafmzl3R79YP/PASiocj+aa6yYphHhhKUOEoXQToId5rgyFgJ88+ccOUydjBXQ==}
     peerDependencies:
-      postcss: ^8.0.0
+      postcss: ^8.5.10
 
   postcss-nested@4.2.3:
     resolution: {integrity: sha512-rOv0W1HquRCamWy2kFl3QazJMMe1ku6rCFoAAH+9AcxdbpDeBr6k968MLWuLjvjMcGEip01ak09hKOEgpK9hvw==}
@@ -17282,7 +14305,7 @@ packages:
     resolution: {integrity: sha512-HQbt28KulC5AJzG+cZtj9kvKB93CFCdLvog1WFLf1D+xmMvPGlBstkpTEZfK5+AN9hfJocyBFCNiqyS48bpgzQ==}
     engines: {node: '>=12.0'}
     peerDependencies:
-      postcss: ^8.2.14
+      postcss: ^8.5.10
 
   postcss-selector-parser@6.0.10:
     resolution: {integrity: sha512-IQ7TZdoaqbT+LCpShg46jnZVlhWD2w6iQYAcYXfHARZ7X1t/UGhhceQDs5X0cGqKvYlHNOuv7Oa1xmb0oQuA3w==}
@@ -17310,24 +14333,8 @@ packages:
     resolution: {integrity: sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==}
     engines: {node: '>=6.0.0'}
 
-  postcss@8.4.31:
-    resolution: {integrity: sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==}
-    engines: {node: ^10 || ^12 || >=14}
-
-  postcss@8.4.35:
-    resolution: {integrity: sha512-u5U8qYpBCpN13BsiEB0CbR1Hhh4Gc0zLFuedrHJKMctHCHAGrMdG0PRM/KErzAL3CU6/eckEtmHNB3x6e3c0vA==}
-    engines: {node: ^10 || ^12 || >=14}
-
-  postcss@8.4.44:
-    resolution: {integrity: sha512-Aweb9unOEpQ3ezu4Q00DPvvM2ZTUitJdNKeP/+uQgr1IBIqu574IaZoURId7BKtWMREwzKa9OgzPzezWGPWFQw==}
-    engines: {node: ^10 || ^12 || >=14}
-
-  postcss@8.5.4:
-    resolution: {integrity: sha512-QSa9EBe+uwlGTFmHsPKokv3B/oEMQZxfqW0QqNCyhpa6mB1afzulwn8hihglqAb2pOw+BJgNlmXQ8la2VeHB7w==}
-    engines: {node: ^10 || ^12 || >=14}
-
-  postcss@8.5.6:
-    resolution: {integrity: sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==}
+  postcss@8.5.10:
+    resolution: {integrity: sha512-pMMHxBOZKFU6HgAZ4eyGnwXF/EvPGGqUr0MnZ5+99485wwW41kW91A4LOGxSHhgugZmSChL5AlElNdwlNgcnLQ==}
     engines: {node: ^10 || ^12 || >=14}
 
   postgres-array@2.0.0:
@@ -17365,17 +14372,18 @@ packages:
   postgres-range@1.1.4:
     resolution: {integrity: sha512-i/hbxIE9803Alj/6ytL7UHQxRvZkI9O4Sy+J3HGc4F4oo/2eQAjTSNJ0bfxyse3bH0nuVesCk+3IRLaMtG3H6w==}
 
-  postgres@3.4.7:
-    resolution: {integrity: sha512-Jtc2612XINuBjIl/QTWsV5UvE8UHuNblcO3vVADSrKsrc6RqGX6lOW1cEo3CM2v0XG4Nat8nI+YM7/f26VxXLw==}
-    engines: {node: '>=12'}
-
   posthog-js@1.93.3:
     resolution: {integrity: sha512-jEOWwaQpTRbqLPrDLY6eZr7t95h+LyXqN7Yq1/K6u3V0Y1C9xHtYhpuGzYamirVnCDTbVq22RM++OBUaIpp9Wg==}
     deprecated: This version of posthog-js is deprecated, please update posthog-js, and do not use this version! Check out our JS docs at https://posthog.com/docs/libraries/js
 
-  posthog-node@4.17.1:
-    resolution: {integrity: sha512-cVlQPOwOPjakUnrueKRCQe1m2Ku+XzKaOos7Tn/zDZkkZFeBT/byP7tbNf7LiwhaBRWFBRowZZb/MsTtSRaorg==}
-    engines: {node: '>=15.0.0'}
+  posthog-node@5.35.6:
+    resolution: {integrity: sha512-LwoXnR89A0l75jvFrXjtsAs0BbpyCjnwY8YIUkZT91rt1YnIUfBYiLj7qoUYApdNgesgWQQHqLXxLYX59a6ZYw==}
+    engines: {node: ^20.20.0 || >=22.22.0}
+    peerDependencies:
+      rxjs: ^7.0.0
+    peerDependenciesMeta:
+      rxjs:
+        optional: true
 
   prebuild-install@7.1.3:
     resolution: {integrity: sha512-8Mf2cbV7x1cXPUILADGI3wuhfqWvtiLA1iclTDbFRZkgRQS0NqsPZphna9V+HyTEadheuPmjaJMsbzKQFOzLug==}
@@ -17457,6 +14465,11 @@ packages:
     engines: {node: '>=14'}
     hasBin: true
 
+  prettier@3.8.3:
+    resolution: {integrity: sha512-7igPTM53cGHMW8xWuVTydi2KO233VFiTNyF5hLJqpilHfmn8C8gPf+PS7dUT64YcXFbiMGZxS9pCSxL/Dxm/Jw==}
+    engines: {node: '>=14'}
+    hasBin: true
+
   pretty-format@27.5.1:
     resolution: {integrity: sha512-Qb1gy5OrP5+zDf2Bvnzdl3jsTf1qXVMazbvCoKhtKqVs4/YK4ozX4gKQJJVyNe+cajNPn0KoC0MC3FUmaHWEmQ==}
     engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0}
@@ -17473,19 +14486,11 @@ packages:
     resolution: {integrity: sha512-gjVS5hOP+M3wMm5nmNOucbIrqudzs9v/57bWRHQWLYklXqoXKrVfYW2W9+glfGsqtPgpiz5WwyEEB+ksXIx3gQ==}
     engines: {node: '>=18'}
 
-  prism-react-renderer@2.1.0:
-    resolution: {integrity: sha512-I5cvXHjA1PVGbGm1MsWCpvBCRrYyxEri0MC7/JbfIfYfcXAxHyO5PaUjs3A8H5GW6kJcLhTHxxMaOZZpRZD2iQ==}
-    peerDependencies:
-      react: '>=16.0.0'
-
   prism-react-renderer@2.3.1:
     resolution: {integrity: sha512-Rdf+HzBLR7KYjzpJ1rSoxT9ioO85nZngQEoFIhL07XhtJHlCU3SOz0GJ6+qvMyQe0Se+BV3qpe6Yd/NmQF5Juw==}
     peerDependencies:
       react: '>=16.0.0'
 
-  prisma-generator-ts-enums@1.1.0:
-    resolution: {integrity: sha512-l0LuL8KJNMnYQpOd9bmy0kx+Hwxq75Da7N+aJimpau0S0odgide+DKJiSwYtu5JtgJGWzoyUPmx0MO4u/KDiBQ==}
-
   prisma@6.14.0:
     resolution: {integrity: sha512-QEuCwxu+Uq9BffFw7in8In+WfbSUN0ewnaSUKloLkbJd42w6EyFckux4M0f7VwwHlM3A8ssaz4OyniCXlsn0WA==}
     engines: {node: '>=18.18'}
@@ -17496,40 +14501,6 @@ packages:
       typescript:
         optional: true
 
-  prisma@6.16.0:
-    resolution: {integrity: sha512-TTh+H1Kw8N68KN9cDzdAyMroqMOvdCO/Z+kS2wKEVYR1nuR21qH5Q/Db/bZHsAgw7l/TPHtM/veG5VABcdwPDw==}
-    engines: {node: '>=18.18'}
-    hasBin: true
-    peerDependencies:
-      typescript: 5.5.4
-    peerDependenciesMeta:
-      typescript:
-        optional: true
-
-  prisma@6.19.0:
-    resolution: {integrity: sha512-F3eX7K+tWpkbhl3l4+VkFtrwJlLXbAM+f9jolgoUZbFcm1DgHZ4cq9AgVEgUym2au5Ad/TDLN8lg83D+M10ycw==}
-    engines: {node: '>=18.18'}
-    hasBin: true
-    peerDependencies:
-      typescript: 5.5.4
-    peerDependenciesMeta:
-      typescript:
-        optional: true
-
-  prisma@6.20.0-integration-next.8:
-    resolution: {integrity: sha512-KUVwHRuyvl57CpEU6kZc5eMdbhUogmneo2a7jF1GKEZwPZscAU+FXIDsgCH+U4BCpKlm0NVrRd0YKz9+7zBWFQ==}
-    engines: {node: ^20.19 || ^22.12 || ^24.0}
-    hasBin: true
-    peerDependencies:
-      typescript: 5.5.4
-    peerDependenciesMeta:
-      typescript:
-        optional: true
-
-  prismjs@1.29.0:
-    resolution: {integrity: sha512-Kx/1w86q/epKcmte75LNrEoT+lX8pBpavuAbvJWRXar7Hz8jrtF+e3vY751p0R8H9HdArwaCTNDDzHg/ScJK1Q==}
-    engines: {node: '>=6'}
-
   prismjs@1.30.0:
     resolution: {integrity: sha512-DEvV2ZF2r2/63V+tK8hQvrR2ZGn10srHbXviTlcv7Kpzw8jWiNTqbVgjO3IY8RxrrOUF8VPMQQFysYYYv0YZxw==}
     engines: {node: '>=6'}
@@ -17571,15 +14542,19 @@ packages:
     resolution: {integrity: sha512-y+WKFlBR8BGXnsNlIHFGPZmyDf3DFMoLhaflAnyZgV6rG6xu+JwesTo2Q9R6XwYmtmwAFCkAk3e35jEdoeh/3g==}
     engines: {node: '>=10'}
 
+  prompts@2.4.2:
+    resolution: {integrity: sha512-NxNv/kLguCA7p3jE8oL2aEBsrJWgAakBpgmgK6lpPWV+WuOmY6r2/zbAVnP+T8bQlA0nzHXSJSJW0Hq7ylaD2Q==}
+    engines: {node: '>= 6'}
+
   prop-types@15.8.1:
     resolution: {integrity: sha512-oj87CgZICdulUohogVAR7AjlC0327U4el4L6eAvOqCeudMDVU0NThNaV+b9Df4dXgSP1gXMTnPdhfe/2qDH5cg==}
 
   proper-lockfile@4.1.2:
     resolution: {integrity: sha512-TjNPblN4BwAWMXU8s9AEz4JmQxnD1NNL7bNOY/AKUzyamc379FWASUhc/K1pL2noVb+XmZKLL68cjzLsiOAMaA==}
 
-  properties-reader@2.3.0:
-    resolution: {integrity: sha512-z597WicA7nDZxK12kZqHr2TcvwNU1GCfA5UwfDY/HDp3hXPoPlb5rlEx9bwGTiJnc0OqbBTkU975jDToth8Gxw==}
-    engines: {node: '>=14'}
+  properties-reader@3.0.1:
+    resolution: {integrity: sha512-WPn+h9RGEExOKdu4bsF4HksG/uzd3cFq3MFtq8PsFeExPse5Ha/VOjQNyHhjboBFwGXGev6muJYTSPAOkROq2g==}
+    engines: {node: '>=18'}
 
   property-expr@2.0.6:
     resolution: {integrity: sha512-SVtmxhRE/CGkn3eZY1T6pC8Nln6Fr/lu1mKSgRud0eC73whjGfoAogbn78LkD8aFL0zz3bAFerKSnOl7NlErBA==}
@@ -17593,21 +14568,21 @@ packages:
   proto-list@1.2.4:
     resolution: {integrity: sha512-vtK/94akxsTMhe0/cbfpR+syPuszcuwhqVjJq26CuNDgFGj682oRBXOP5MJpv2r7JtE8MsiepGIqvvOTBwn2vA==}
 
-  protobufjs@7.3.2:
-    resolution: {integrity: sha512-RXyHaACeqXeqAKGLDl68rQKbmObRsTIn4TYVUUug1KfS47YWCo5MacGITEryugIgZqORCvJWEk4l449POg5Txg==}
+  protobufjs@7.6.1:
+    resolution: {integrity: sha512-4K0myLaWL5EteuSAro91EGFgcfVgxb64Jx+7oDAY6GOkXD4M69yuSEljNcInGVCA5sOPxmZ/EqDLj2x0Q0+Ygg==}
     engines: {node: '>=12.0.0'}
 
   proxy-addr@2.0.7:
     resolution: {integrity: sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==}
     engines: {node: '>= 0.10'}
 
-  proxy-agent@6.5.0:
-    resolution: {integrity: sha512-TmatMXdr2KlRiA2CyDu8GqR8EjahTG3aY3nXjdzFyoZbmB8hrBsTyMezhULIXKnC0jpfjlmiZ3+EaCzoInSu/A==}
-    engines: {node: '>= 14'}
-
   proxy-from-env@1.1.0:
     resolution: {integrity: sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==}
 
+  proxy-from-env@2.1.0:
+    resolution: {integrity: sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==}
+    engines: {node: '>=10'}
+
   pseudomap@1.0.2:
     resolution: {integrity: sha512-b/YwNhb8lk1Zz2+bXXpS/LK9OisiZZ1SNsSLxN1x2OXVEhW2Ckr/7mWE5vrC1ZTiJlD9g19jWszTmJsB+oEpFQ==}
 
@@ -17620,6 +14595,9 @@ packages:
   pump@3.0.2:
     resolution: {integrity: sha512-tUPXtzlGM8FE3P0ZL6DVs/3P58k9nk8/jZeQCurTJylQA8qFYzHFfhBJkuqyE0FifOsQ0uKWekiZ5g8wtr28cw==}
 
+  pump@3.0.4:
+    resolution: {integrity: sha512-VS7sjc6KR7e1ukRFhQSY5LM2uBWAUPiOPa/A3mkKmiMwSmRFUITt0xuj+/lesgnCv+dPIEYlkzrcyXgquIHMcA==}
+
   pumpify@1.5.1:
     resolution: {integrity: sha512-oClZI37HvuUJJxSKKrC17bZ9Cu0ZYhEAGPsPUy9KlMUmv9dKX2o77RUmq7f3XjIxbwyGwYzbzQ1L2Ks8sIradQ==}
 
@@ -17630,10 +14608,6 @@ packages:
     resolution: {integrity: sha512-LN6QV1IJ9ZhxWTNdktaPClrNfp8xdSAYS0Zk2ddX7XsXZAxckMHPCBcHRo0cTcEIgYPRiGEkmji3Idkh2yFtYw==}
     engines: {node: '>=6'}
 
-  puppeteer-core@24.15.0:
-    resolution: {integrity: sha512-2iy0iBeWbNyhgiCGd/wvGrDSo73emNFjSxYOcyAqYiagkYt5q4cPfVXaVDKBsukgc2fIIfLAalBZlaxldxdDYg==}
-    engines: {node: '>=18'}
-
   pure-rand@6.1.0:
     resolution: {integrity: sha512-bVWawvoZoBYpp6yIoQtQXHZjmz35RSVHnUOTefl8Vcjr8snTPY1wnpSPMWekcFwbxI6gtmT7rSYPFvz71ldiOA==}
 
@@ -17646,8 +14620,8 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
 
-  qs@6.14.1:
-    resolution: {integrity: sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==}
+  qs@6.15.2:
+    resolution: {integrity: sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==}
     engines: {node: '>=0.6'}
 
   quansync@0.2.11:
@@ -17673,9 +14647,6 @@ packages:
   random-words@2.0.0:
     resolution: {integrity: sha512-uqpnDqFnYrZajgmvgjmBrSZL2V1UA/9bNPGrilo12CmBeBszoff/avElutUlwWxG12gvmCk/8dUhvHefYxzYjw==}
 
-  randombytes@2.1.0:
-    resolution: {integrity: sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==}
-
   range-parser@1.2.1:
     resolution: {integrity: sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==}
     engines: {node: '>= 0.6'}
@@ -17705,11 +14676,11 @@ packages:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
       react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
-  react-aria@3.34.3:
-    resolution: {integrity: sha512-wSprEI5EojDFCm357MxnKAxJZN68OYIt6UH6N0KCo6MEUAVZMbhMSmGYjw/kLK4rI7KrbJDqGqUMQkwc93W9Ng==}
+  react-aria@3.48.0:
+    resolution: {integrity: sha512-jQjd4rBEIMqecBaAKYJbVGK6EqIHLa5znVQ7jwFyK5vCyljoj6KhgtiahmcIPsG5vG5vEDLw+ba+bEWn6A2P4w==}
     peerDependencies:
-      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
-      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0
+      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0-rc.1
+      react-dom: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0-rc.1
 
   react-collapse@5.1.1:
     resolution: {integrity: sha512-k6cd7csF1o9LBhQ4AGBIdxB60SUEUMQDAnL2z1YvYNr9KoKr+nDkhN6FK7uGaBd/rYrYfrMpzpmJEIeHRYogBw==}
@@ -17727,31 +14698,24 @@ packages:
     peerDependencies:
       react: ^18.2.0
 
-  react-dom@19.0.0:
-    resolution: {integrity: sha512-4GV5sHFG0e/0AD4X+ySy6UJd3jVl1iNsNHdpad0qhABJ11twS3TTBnseqsKurKcsNqCEFeGL3uLpVChpIO3QfQ==}
-    peerDependencies:
-      react: ^19.0.0
-
   react-dom@19.0.0-rc.1:
     resolution: {integrity: sha512-k8MfDX+4G+eaa1cXXI9QF4d+pQtYol3nx8vauqRWUEOPqC7NQn2qmEqUsLoSd28rrZUL+R3T2VC+kZ2Hyx1geQ==}
     peerDependencies:
       react: 19.0.0-rc.1
 
-  react-dom@19.1.0:
-    resolution: {integrity: sha512-Xs1hdnE+DyKgeHJeJznQmYMIBG3TKIHJJT95Q58nHLSrElKlGQqDTR2HQ9fx5CN/Gk6Vh/kupBTDLU11/nDk/g==}
-    peerDependencies:
-      react: ^19.1.0
-
   react-draggable@4.5.0:
     resolution: {integrity: sha512-VC+HBLEZ0XJxnOxVAZsdRi8rD04Iz3SiiKOoYzamjylUcju/hP9np/aZdLHf/7WOD268WMoNJMvYfB5yAK45cw==}
     peerDependencies:
       react: '>= 16.3.0'
       react-dom: '>= 16.3.0'
 
-  react-email@2.1.2:
-    resolution: {integrity: sha512-HBHhpzEE5es9YUoo7VSj6qy1omjwndxf3/Sb44UJm/uJ2AjmqALo2yryux0CjW9QAVfitc9rxHkLvIb9H87QQw==}
-    engines: {node: '>=18.0.0'}
+  react-email@6.5.0:
+    resolution: {integrity: sha512-WrJ+XPW87O1dabF4RJNGnTr7VTGsNa+BlMiinAZdH5fg8Kepwk++ZzX+LEieTlk+a3r13TaTJ4DfI9gv++y02g==}
+    engines: {node: '>=20.0.0'}
     hasBin: true
+    peerDependencies:
+      react: ^18.0 || ^19.0 || ^19.0.0-rc
+      react-dom: ^18.0 || ^19.0 || ^19.0.0-rc
 
   react-fast-compare@3.2.2:
     resolution: {integrity: sha512-nsO+KSNgo1SbJqJEYRE9ERzo7YtYbou/OqjSQKxV7jcKox7+usiUVZOAC+XnDOABXggQTno0Y1CpVnuWEc1boQ==}
@@ -17826,15 +14790,15 @@ packages:
       react: '>= 16.3'
       react-dom: '>= 16.3'
 
-  react-router-dom@6.17.0:
-    resolution: {integrity: sha512-qWHkkbXQX+6li0COUUPKAUkxjNNqPJuiBd27dVwQGDNsuFBdMbrS6UZ0CLYc4CsbdLYTckn4oB4tGDuPZpPhaQ==}
+  react-router-dom@6.30.3:
+    resolution: {integrity: sha512-pxPcv1AczD4vso7G4Z3TKcvlxK7g7TNt3/FNGMhfqyntocvYKj+GCatfigGDjbLozC4baguJ0ReCigoDJXb0ag==}
     engines: {node: '>=14.0.0'}
     peerDependencies:
       react: '>=16.8'
       react-dom: '>=16.8'
 
-  react-router@6.17.0:
-    resolution: {integrity: sha512-YJR3OTJzi3zhqeJYADHANCGPUu9J+6fT5GLv82UWRGSxu6oJYCKVmxUcaBQuGm9udpWmPsvpme/CdHumqgsoaA==}
+  react-router@6.30.3:
+    resolution: {integrity: sha512-XRnlbKMTmktBkjCLE8/XcZFlnHvr2Ltdr1eJX4idL55/9BbORzyZEaIkBFDhFGCEWBBItsVrDxwx3gnisMitdw==}
     engines: {node: '>=14.0.0'}
     peerDependencies:
       react: '>=16.8'
@@ -17850,6 +14814,11 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0
 
+  react-stately@3.46.0:
+    resolution: {integrity: sha512-OdxhWvHgs2L4OJGIs7hnuTr5WjjMM6enhNEAMRqiekhF8+ITvA2LRwNftOZwcogaoCslGYq5S2VQTQwnm0GbCA==}
+    peerDependencies:
+      react: ^16.8.0 || ^17.0.0-rc.1 || ^18.0.0 || ^19.0.0-rc.1
+
   react-style-singleton@2.2.3:
     resolution: {integrity: sha512-b6jSvxvVnyptAiLjbkWLE/lOnR4lfTtDAl+eUC7RZy+QQWc6wRzIV2CE6xBuMmDxc2qIihtDCZD5NPOFl7fRBQ==}
     engines: {node: '>=10'}
@@ -17878,14 +14847,6 @@ packages:
       react: '*'
       react-dom: '*'
 
-  react-window-splitter@0.4.1:
-    resolution: {integrity: sha512-7XjNxlsBqOySyPEf32GZXLIA7gIPLWqswnOwM4Aw15qiMChMm8einkz40RbLfvrD11EKHIU35vcUH1RDA+we9w==}
-    engines: {node: '>=18.0.0'}
-    deprecated: This package has moved to @window-splitter/react
-    peerDependencies:
-      react: '>=16'
-      react-dom: '>=16'
-
   react@18.2.0:
     resolution: {integrity: sha512-/3IjMdb2L9QbBdWiW5e3P2/npwMBaU9mHCSCUzNln0ZCYbcfTsGbTJrU/kGemdH2IWmB2ioZ+zkxtmq6g09fGQ==}
     engines: {node: '>=0.10.0'}
@@ -17894,10 +14855,6 @@ packages:
     resolution: {integrity: sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ==}
     engines: {node: '>=0.10.0'}
 
-  react@19.0.0:
-    resolution: {integrity: sha512-V8AVnmPIICiWpGfm6GLzCR/W5FXLchHop40W4nXBmdlEceh16rCN8O8LNWm5bh5XUX91fh7KpA+W0TgMKmgTpQ==}
-    engines: {node: '>=0.10.0'}
-
   react@19.0.0-rc.1:
     resolution: {integrity: sha512-NZKln+uyPuyHchzP07I6GGYFxdAoaKhehgpCa3ltJGzwE31OYumLeshGaitA1R/fS5d9D2qpZVwTFAr6zCLM9w==}
     engines: {node: '>=0.10.0'}
@@ -17955,6 +14912,9 @@ packages:
     resolution: {integrity: sha512-57frrGM/OCTLqLOAh0mhVA9VBMHd+9U7Zb2THMGdBUoZVOtGbJzjxsYGDJ3A9AYYCP4hn6y1TVbaOfzWtm5GFg==}
     engines: {node: '>= 12.13.0'}
 
+  real-require@1.0.0:
+    resolution: {integrity: sha512-P4nbQYQfePJxRSmY+v/KINxVucm4NF3p3s7pJveMTtom52FR4YGltUQLB8idDXwDDWW+eYrWDFbuzUnjoWHF7g==}
+
   recharts-scale@0.4.5:
     resolution: {integrity: sha512-kivNFO+0OcUNu7jQquLXAxz1FIwZj8nrj+YkOKc5694NbjCvcT6aSZiIzNzd2Kul4o4rTto8QVR9lMNtxD4G1w==}
 
@@ -17965,10 +14925,6 @@ packages:
       react: ^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
       react-dom: ^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
 
-  rechoir@0.6.2:
-    resolution: {integrity: sha512-HFM8rkZ+i3zrV+4LQjwQ0W+ez98pApMGM3HUrN04j3CqzPOzl9nmP15Y8YXNm8QHGv/eacOVEjqhmWpkRV0NAw==}
-    engines: {node: '>= 0.10'}
-
   redent@3.0.0:
     resolution: {integrity: sha512-6tDA8g98We0zd0GvVeMT9arEOnTw9qM03L9cJXaCjrip1OO764RDBLBfrB4cwzNGDj5OA5ioymC9GkizgWJDUg==}
     engines: {node: '>=8'}
@@ -17988,11 +14944,6 @@ packages:
   reduce-css-calc@2.1.8:
     resolution: {integrity: sha512-8liAVezDmUcH+tdzoEGrhfbGcP7nOV4NkGE3a74+qqvE7nt9i4sKLGBuZNOnpI4WiGksiNPklZxva80061QiPg==}
 
-  reforest@0.13.0:
-    resolution: {integrity: sha512-f0It/s51f1UWCCCni0viULALDBhxWBPFnLmZRYtKcz4zYeNWqeNTdcnU/OpBry9tk+jyMQcH3MLK8UdzsAvA5w==}
-    peerDependencies:
-      react: '>=16.8'
-
   regenerator-runtime@0.13.11:
     resolution: {integrity: sha512-kY1AZVr2Ra+t+piVaJ4gxaFaReZVH40AKNo7UCX6W+dEwBo/2oZJzqfuN1qLq1oL45o56cPaTXELwrTh8Fpggg==}
 
@@ -18005,8 +14956,8 @@ packages:
   regex-utilities@2.3.0:
     resolution: {integrity: sha512-8VhliFJAWRaUiVvREIiW2NXXTmHs4vMNnSzuJVhscgmGav3g9VDxLrQndI3dZZVVdp0ZO/5v0xmX516/7M9cng==}
 
-  regex@6.0.1:
-    resolution: {integrity: sha512-uorlqlzAKjKQZ5P+kTJr3eeJGSVroLKoHmquUj4zHWuR+hEyNqlXsSKlYYF5F4NI6nl7tWCs0apKJ0lmfsXAPA==}
+  regex@6.1.0:
+    resolution: {integrity: sha512-6VwtthbV4o/7+OaAF9I5L5V3llLEsoPyq9P1JVXkedTP33c7MfCG0/5NOPcSJn0TzXcG9YUrR0gQSWioew3LDg==}
 
   regexp.prototype.flags@1.4.3:
     resolution: {integrity: sha512-fjggEOO3slI6Wvgjwflkc4NFRCTZAu5CnNfBd5qOMYhWdn67nJBBu34/TkD++eeFmd8C9r9jfXJ27+nSiRkSUA==}
@@ -18031,24 +14982,21 @@ packages:
   regression@2.0.1:
     resolution: {integrity: sha512-A4XYsc37dsBaNOgEjkJKzfJlE394IMmUPlI/p3TTI9u3T+2a+eox5Pr/CPUqF0eszeWZJPAc6QkroAhuUpWDJQ==}
 
-  rehype-harden@1.1.5:
-    resolution: {integrity: sha512-JrtBj5BVd/5vf3H3/blyJatXJbzQfRT9pJBmjafbTaPouQCAKxHwRyCc7dle9BXQKxv4z1OzZylz/tNamoiG3A==}
-
-  rehype-katex@7.0.1:
-    resolution: {integrity: sha512-OiM2wrZ/wuhKkigASodFoo8wimG3H12LWQaH8qSPVJn9apWKFSH3YOCtbKpBorTVw/eI7cuT21XBbvwEswbIOA==}
+  rehype-harden@1.1.8:
+    resolution: {integrity: sha512-Qn7vR1xrf6fZCrkm9TDWi/AB4ylrHy+jqsNm1EHOAmbARYA6gsnVJBq/sdBh6kmT4NEZxH5vgIjrscefJAOXcw==}
 
   rehype-raw@7.0.0:
     resolution: {integrity: sha512-/aE8hCfKlQeA8LmyeyQvQF3eBiLRGNlfBJEvWH7ivp9sBqs7TNqBL5X3v157rM4IFETqDnIOO+z5M/biZbo9Ww==}
 
+  rehype-sanitize@6.0.0:
+    resolution: {integrity: sha512-CsnhKNsyI8Tub6L4sm5ZFsme4puGfc6pYylvXo1AeqaGbjOYyzNv3qZPwvs0oMJ39eryyeOdmxwUIo94IpEhqg==}
+
   remark-frontmatter@4.0.1:
     resolution: {integrity: sha512-38fJrB0KnmD3E33a5jZC/5+gGAC2WKNiPw1/fdXJvijBlhA7RCsvJklrYJakS0HedninvaCYW8lQGf9C918GfA==}
 
   remark-gfm@4.0.1:
     resolution: {integrity: sha512-1quofZ2RQ9EWdeN34S79+KExV1764+wCUGop5CPL1WGdD0ocPpu91lzPGbwWMECpEpd42kJGQwzRfyov9j4yNg==}
 
-  remark-math@6.0.0:
-    resolution: {integrity: sha512-MMqgnP74Igy+S3WwnhQ7kqGlEerTETXMvJhrUzDikVZ2/uogJCb+WHUg97hK9/jcfc0dkD73s3LN8zU49cTEtA==}
-
   remark-mdx-frontmatter@1.1.1:
     resolution: {integrity: sha512-7teX9DW4tI2WZkXS4DBxneYSY7NHiXl4AKdWDO9LXVweULlCT8OPWsOjLEnMIXViN1j+QcY8mfbq3k0EK6x3uA==}
     engines: {node: '>=12.2.0'}
@@ -18068,9 +15016,15 @@ packages:
   remark-rehype@11.1.1:
     resolution: {integrity: sha512-g/osARvjkBXb6Wo0XvAeXQohVta8i84ACbenPpoSsxTOQH/Ae0/RGP4WZgnMH5pMLpsj4FG7OHmcIcXxpza8eQ==}
 
+  remark-rehype@11.1.2:
+    resolution: {integrity: sha512-Dh7l57ianaEoIpzbp0PC9UKAdCSVklD8E5Rpw7ETfbTl3FqcOOgq5q2LVDhgGCkaBv7p24JXikPdvhhmHvKMsw==}
+
   remark-stringify@11.0.0:
     resolution: {integrity: sha512-1OSmLd3awB/t8qdoEOMazZkNsfVTeY4fTsgzcQFdXNq8ToTN4ZGwrMnlda4K6smTFKD+GRV6O48i6Z4iKgPPpw==}
 
+  remend@1.3.0:
+    resolution: {integrity: sha512-iIhggPkhW3hFImKtB10w0dz4EZbs28mV/dmbcYVonWEJ6UGHHpP+bFZnTh6GNWJONg5m+U56JrL+8IxZRdgWjw==}
+
   remix-auth-email-link@2.0.2:
     resolution: {integrity: sha512-Lze9c50fsqBpixXQKe37wI2Dm4rlYYkNA6Eskxk8erQ7tbyN8xiFXOgo7Y3Al0SSjzkezw8au3uc2vCLJ8A5mQ==}
     peerDependencies:
@@ -18144,10 +15098,6 @@ packages:
   remove-accents@0.5.0:
     resolution: {integrity: sha512-8g3/Otx1eJaVD12e31UbJj1YzdtVvzH85HV7t+9MJYk/u3XmkOUJ5Ys9wQrf9PCPK8+xn4ymzqYCiZl6QWKn+A==}
 
-  replicate@1.0.1:
-    resolution: {integrity: sha512-EY+rK1YR5bKHcM9pd6WyaIbv6m2aRIvHfHDh51j/LahlHTLKemTYXF6ptif2sLa+YospupAsIoxw8Ndt5nI3vg==}
-    engines: {git: '>=2.11.0', node: '>=18.0.0', npm: '>=7.19.0', yarn: '>=1.7.0'}
-
   request@2.88.2:
     resolution: {integrity: sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==}
     engines: {node: '>= 6'}
@@ -18161,10 +15111,14 @@ packages:
     resolution: {integrity: sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==}
     engines: {node: '>=0.10.0'}
 
-  require-in-the-middle@7.1.1:
-    resolution: {integrity: sha512-OScOjQjrrjhAdFpQmnkE/qbIBGCRFhQB/YaJhcC3CPOlmhe7llnW46Ac1J5+EjcNXOTnDdpF96Erw/yedsGksQ==}
+  require-in-the-middle@7.5.2:
+    resolution: {integrity: sha512-gAZ+kLqBdHarXB64XpAe2VCjB7rIRv+mU8tfRWziHRJ5umKsIHN2tLLv6EtMw7WCdP19S0ERVMldNvxYCHnhSQ==}
     engines: {node: '>=8.6.0'}
 
+  require-in-the-middle@8.0.1:
+    resolution: {integrity: sha512-QT7FVMXfWOYFbeRBF6nu+I6tr2Tf3u0q8RIEjNob/heKY/nh7drD/k7eeMFmSQgnTtCzLDcCu/XEnpW2wk4xCQ==}
+    engines: {node: '>=9.3.0 || >=8.10.0 <9.0.0'}
+
   require-like@0.1.2:
     resolution: {integrity: sha512-oyrU88skkMtDdauHDuKVrgR+zuItqr6/c//FXzvmxRGMexSDc6hNvJInGW3LL46n+8b50RykrvwSUIIQH2LQ5A==}
 
@@ -18247,24 +15201,11 @@ packages:
     deprecated: Rimraf versions prior to v4 are no longer supported
     hasBin: true
 
-  rimraf@4.4.1:
-    resolution: {integrity: sha512-Gk8NlF062+T9CqNGn6h4tls3k6T1+/nXdOcSZVikNVtlRdYpA7wRJJMoXmuvOnLW844rPjdQ7JgXCYM6PPC/og==}
-    engines: {node: '>=14'}
-    hasBin: true
-
-  rimraf@5.0.7:
-    resolution: {integrity: sha512-nV6YcJo5wbLW77m+8KjH8aB/7/rxQy9SZ0HY5shnwULfS+9nmTtVXAJET5NdZmCzA4fPI/Hm1wo/Po/4mopOdg==}
-    engines: {node: '>=14.18'}
-    hasBin: true
-
   rimraf@6.0.1:
     resolution: {integrity: sha512-9dkvaxAsk/xNXSJzMgFqqMCuFgt2+KsOFek3TMLfo8NCPfWpBmqwyNn5Y+NX56QUYfCtsyhF3ayiboEoUmJk/A==}
     engines: {node: 20 || >=22}
     hasBin: true
 
-  robot3@0.4.1:
-    resolution: {integrity: sha512-hzjy826lrxzx8eRgv80idkf8ua1JAepRc9Efdtj03N3KNJuznQCPlyCJ7gnUmDFwZCLQjxy567mQVKmdv2BsXQ==}
-
   robust-predicates@3.0.2:
     resolution: {integrity: sha512-IXgzBWvWQwE6PrDI05OvmXUIruQTcoMDzRsOd5CDvHCVLcLHMTSYvOK5Cm46kWqlV3yAbuSpBZdJ5oP5OUoStg==}
 
@@ -18273,8 +15214,8 @@ packages:
     engines: {node: '>=14.18.0', npm: '>=8.0.0'}
     hasBin: true
 
-  rollup@4.36.0:
-    resolution: {integrity: sha512-zwATAXNQxUcd40zgtQG0ZafcRK4g004WtEl7kbuhTWPvf07PsfohXl39jVUvPF7jvNAIkKPQ2XrsDlWuxBd++Q==}
+  rollup@4.60.1:
+    resolution: {integrity: sha512-VmtB2rFU/GroZ4oL8+ZqXgSA38O6GR8KSIvWmEFv63pQ0G6KaBH9s07PO8XTXP4vI+3UJUEypOfjkGfmSBBR0w==}
     engines: {node: '>=18.0.0', npm: '>=8.0.0'}
     hasBin: true
 
@@ -18345,19 +15286,9 @@ packages:
   scheduler@0.23.0:
     resolution: {integrity: sha512-CtuThmgHNg7zIZWAXi3AsyIzA3n4xx7aNyjwC2VJldO2LMVDhFK+63xGqq6CsJH4rTAt6/M+N4GhZiDYPx9eUw==}
 
-  scheduler@0.25.0:
-    resolution: {integrity: sha512-xFVuu11jh+xcO7JOAGJNOXld8/TcEHK/4CituBUeUb5hqxJLj9YuemAEuvm9gQ/+pgXYfbQuqAkiYu+u7YEsNA==}
-
   scheduler@0.25.0-rc.1:
     resolution: {integrity: sha512-fVinv2lXqYpKConAMdergOl5owd0rY1O4P/QTe0aWKCqGtu7VsCt1iqQFxSJtqK4Lci/upVSBpGwVC7eWcuS9Q==}
 
-  scheduler@0.26.0:
-    resolution: {integrity: sha512-NlHwttCI/l5gCPR3D1nNXtWABUmBwvZpEQiD4IXSbIDq8BzLIK/7Ir5gTFSGZDUu37K5cMNp0hFtzO38sC7gWA==}
-
-  schema-utils@3.3.0:
-    resolution: {integrity: sha512-pN/yOAvcC+5rQ5nERGuwrjLlYvLTbCibnZ1I7B1LaiAz9BRBlE9GMgE/eqV30P7aJQUf7Ddimy/RsbYO/GrVGg==}
-    engines: {node: '>= 10.13.0'}
-
   schema-utils@4.3.3:
     resolution: {integrity: sha512-eflK8wEtyOE6+hsaRVPxvUKYCpRgzLqDTb8krvAsRIwOGlHoSgYLgBXoubGgLd2fT41/OUYdb48v4k4WWHQurA==}
     engines: {node: '>= 10.13.0'}
@@ -18381,8 +15312,8 @@ packages:
   sembear@0.5.2:
     resolution: {integrity: sha512-Ij1vCAdFgWABd7zTg50Xw1/p0JgESNxuLlneEAsmBrKishA06ulTTL/SHGmNy2Zud7+rKrHTKNI6moJsn1ppAQ==}
 
-  semver@5.7.1:
-    resolution: {integrity: sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==}
+  semver@5.7.2:
+    resolution: {integrity: sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g==}
     hasBin: true
 
   semver@6.3.1:
@@ -18394,13 +15325,13 @@ packages:
     engines: {node: '>=10'}
     hasBin: true
 
-  semver@7.7.2:
-    resolution: {integrity: sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==}
+  semver@7.7.3:
+    resolution: {integrity: sha512-SdsKMrI9TdgjdweUSR9MweHA4EJ8YxHn8DFaDisvhVlUOe4BF1tLD7GAj0lIqWVl+dPb/rExr0Btby5loQm20Q==}
     engines: {node: '>=10'}
     hasBin: true
 
-  semver@7.7.3:
-    resolution: {integrity: sha512-SdsKMrI9TdgjdweUSR9MweHA4EJ8YxHn8DFaDisvhVlUOe4BF1tLD7GAj0lIqWVl+dPb/rExr0Btby5loQm20Q==}
+  semver@7.8.1:
+    resolution: {integrity: sha512-rkVq3IXh+4FDGch+KwzX3aV9W3kO54GyEgpvBzSyctDA6Xtd7RJQV1xmXbeQp5v7+VzLOfVqiutSE6GICgPFvg==}
     engines: {node: '>=10'}
     hasBin: true
 
@@ -18420,12 +15351,6 @@ packages:
     resolution: {integrity: sha512-1gnZf7DFcoIcajTjTwjwuDjzuz4PPcY2StKPlsGAQ1+YH20IRVrBaXSWmdjowTJ6u8Rc01PoYOGHXfP1mYcZNQ==}
     engines: {node: '>= 18'}
 
-  serialize-javascript@6.0.1:
-    resolution: {integrity: sha512-owoXEFjWRllis8/M1Q+Cw5k8ZH40e3zhp/ovX+Xr/vi1qj6QesbyXXViFbpNvWvPNAD62SutwEXavefrLJWj7w==}
-
-  serialize-javascript@6.0.2:
-    resolution: {integrity: sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==}
-
   serve-static@1.16.0:
     resolution: {integrity: sha512-pDLK8zwl2eKaYrs8mrPZBJua4hMplRWJ1tIFksVC3FtBEBnl8dxgeHtsaMS8DhS9i4fLObaon6ABoc4/hQGdPA==}
     engines: {node: '>= 0.8.0'}
@@ -18459,14 +15384,6 @@ packages:
   setprototypeof@1.2.0:
     resolution: {integrity: sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==}
 
-  sharp@0.33.5:
-    resolution: {integrity: sha512-haPVm1EkS9pgvHrQ/F3Xy+hgcuMV0Wm9vfIBSiwZ05k+xgb0PkBQpGsAA/oWdDobNaZTH5ppvHtzCFbnSEwHVw==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-
-  sharp@0.34.5:
-    resolution: {integrity: sha512-Ou9I5Ft9WNcCbXrU9cMgPBcCK8LiwLqcbywW3t4oDV37n1pzpuNLsYiAV8eODnjbtQlSDwZ2cUEeQz4E54Hltg==}
-    engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0}
-
   shebang-command@1.2.0:
     resolution: {integrity: sha512-EV3L1+UQWGor21OmnvojK36mhg+TyIKDh3iFBKBohr5xeXIhNBcx8oWdgkTEEQ+BEFFYdLRuqMfd5L84N1V5Vg==}
     engines: {node: '>=0.10.0'}
@@ -18483,16 +15400,12 @@ packages:
     resolution: {integrity: sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==}
     engines: {node: '>=8'}
 
-  shell-quote@1.8.1:
-    resolution: {integrity: sha512-6j1W9l1iAs/4xYBI1SYOVZyFcCis9b4KCLQ8fgAGG07QvzaRLVVRQvAy85yNmmZSjYjg4MWh4gNvlPujU/5LpA==}
-
-  shelljs@0.8.5:
-    resolution: {integrity: sha512-TiwcRcrkhHvbrZbnRcFYMLl30Dfov3HKqzp5tO5b4pt6G/SezKcYhmDg15zXVBswHmctSAQKznqNW2LO5tTDow==}
-    engines: {node: '>=4'}
-    hasBin: true
+  shell-quote@1.8.4:
+    resolution: {integrity: sha512-VsC6n6vz1ihYYyZZwX7YZSF5l5x36ca17OC+a69h94YqB7X6XLwf+5MOgynYir2SLFUbl8gIYvBo8K8RoNQ6bQ==}
+    engines: {node: '>= 0.4'}
 
-  shiki@3.13.0:
-    resolution: {integrity: sha512-aZW4l8Og16CokuCLf8CF8kq+KK2yOygapU5m3+hoGw0Mdosc6fPitjM+ujYarppj5ZIKGyPDPP1vqmQhr+5/0g==}
+  shiki@3.23.0:
+    resolution: {integrity: sha512-55Dj73uq9ZXL5zyeRPzHQsK7Nbyt6Y10k5s7OjuFZGMhpp4r/rsLBH0o/0fstIzX1Lep9VxefWljK/SKCzygIA==}
 
   shimmer@1.2.1:
     resolution: {integrity: sha512-sQTKC1Re/rM6XyFM6fIAGHRPVGvyXfgzIDvzoq608vM+jeyVD0Tu1E6Np0Kc2zAIFWIj963V2800iF/9LPieQw==}
@@ -18538,10 +15451,6 @@ packages:
   simplur@3.0.1:
     resolution: {integrity: sha512-bBAoTn75tuKh83opmZ1VoyVoQIsvLCKzSxuasAxbnKofrT8eGyOEIaXSuNfhi/hI160+fwsR7ObcbBpOyzDvXg==}
 
-  sirv@2.0.4:
-    resolution: {integrity: sha512-94Bdh3cC2PKrbgSOUqTiGPWVZeSiXfKOVZNJniWoqrWrRkB1CJzBU3NEbiTsPcYy1lDsANA/THzS+9WBiy5nfQ==}
-    engines: {node: '>= 10'}
-
   sisteransi@1.0.5:
     resolution: {integrity: sha512-bLGGlR1QxBcynn2d5YmDX4MGjlZvy2MRBDRNHLJ8VI6l6+9FUiyTFNJ0IveOSP0bcXgVDPRcfGqA0pjaqUpfVg==}
 
@@ -18564,10 +15473,6 @@ packages:
   slug@6.1.0:
     resolution: {integrity: sha512-x6vLHCMasg4DR2LPiyFGI0gJJhywY6DTiGhCrOMzb3SOk/0JVLIaL4UhyFSHu04SD3uAavrKY/K3zZ3i6iRcgA==}
 
-  smart-buffer@4.2.0:
-    resolution: {integrity: sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg==}
-    engines: {node: '>= 6.0.0', npm: '>= 3.0.0'}
-
   smartwrap@2.0.2:
     resolution: {integrity: sha512-vCsKNQxb7PnCNd2wY1WClWifAc2lwqsG8OaswpJkVJsvMGcnEntdTCDajZCkk93Ay1U3t/9puJmb525Rg5MZBA==}
     engines: {node: '>=6'}
@@ -18576,33 +15481,21 @@ packages:
   socket.io-adapter@2.5.4:
     resolution: {integrity: sha512-wDNHGXGewWAjQPt3pyeYBtpWSq9cLE5UW1ZUPL/2eGK9jtse/FpXib7epSTsz0Q0m+6sg6Y4KtcFTlah1bdOVg==}
 
-  socket.io-client@4.7.3:
-    resolution: {integrity: sha512-nU+ywttCyBitXIl9Xe0RSEfek4LneYkJxCeNnKCuhwoH4jGXO1ipIUw/VA/+Vvv2G1MTym11fzFC0SxkrcfXDw==}
-    engines: {node: '>=10.0.0'}
-
   socket.io-client@4.7.5:
     resolution: {integrity: sha512-sJ/tqHOCe7Z50JCBCXrsY3I2k03iOiUe+tj1OmKeD2lXPiGH/RUCdTZFoqVyN7l1MnpIzPrGtLcijffmeouNlQ==}
     engines: {node: '>=10.0.0'}
 
-  socket.io-parser@4.2.4:
-    resolution: {integrity: sha512-/GbIKmo8ioc+NIWIhwdecY0ge+qVBSMdgxGygevmdHj24bsfgtCmcUUcQ5ZzcylGFHsN3k4HB4Cgkl96KVnuew==}
+  socket.io-parser@4.2.6:
+    resolution: {integrity: sha512-asJqbVBDsBCJx0pTqw3WfesSY0iRX+2xzWEWzrpcH7L6fLzrhyF8WPI8UaeM4YCuDfpwA/cgsdugMsmtz8EJeg==}
     engines: {node: '>=10.0.0'}
 
-  socket.io@4.7.3:
-    resolution: {integrity: sha512-SE+UIQXBQE+GPG2oszWMlsEmWtHVqw/h1VrYJGK5/MC7CH5p58N448HwIrtREcvR4jfdOJAY4ieQfxMr55qbbw==}
-    engines: {node: '>=10.2.0'}
-
   socket.io@4.7.4:
     resolution: {integrity: sha512-DcotgfP1Zg9iP/dH9zvAQcWrE0TtbMVwXmlV4T4mqsvY+gw+LqUGPfx2AoVyRk0FLME+GQhufDMyacFmw7ksqw==}
     engines: {node: '>=10.2.0'}
 
-  socks-proxy-agent@8.0.5:
-    resolution: {integrity: sha512-HehCEsotFqbPW9sJ8WVYB6UbmIMv7kUUORIF2Nncq4VQvBfNBLibW9YZR5dlYCSUhwcD628pRllm7n+E+YTzJw==}
-    engines: {node: '>= 14'}
-
-  socks@2.8.3:
-    resolution: {integrity: sha512-l5x7VUUWbjVFbafGLxPWkYsHIhEvmF85tbIeFZWc8ZPtoMyybuEhL7Jye/ooC4/d48FgOjSJXgsF/AJPYCW8Zw==}
-    engines: {node: '>= 10.0.0', npm: '>= 3.0.0'}
+  socket.io@4.8.3:
+    resolution: {integrity: sha512-2Dd78bqzzjE6KPkD5fHZmDAKRNe3J15q+YHDrIsy9WEkqttc7GY+kT9OBLSMaPbQaEd0x1BjcmtMtXkfpc+T5A==}
+    engines: {node: '>=10.2.0'}
 
   sonic-boom@4.2.0:
     resolution: {integrity: sha512-INb7TM37/mAcsGmc9hyyI6+QR3rR1zVRu36B0NeGXKnOOLiZOfER5SA+N7X7k3yUYRzLWafduTDvJAfDswwEww==}
@@ -18613,16 +15506,6 @@ packages:
       react: ^18.0.0
       react-dom: ^18.0.0
 
-  sonner@1.3.1:
-    resolution: {integrity: sha512-+rOAO56b2eI3q5BtgljERSn2umRk63KFIvgb2ohbZ5X+Eb5u+a/7/0ZgswYqgBMg8dyl7n6OXd9KasA8QF9ToA==}
-    peerDependencies:
-      react: ^18.0.0
-      react-dom: ^18.0.0
-
-  source-map-js@1.0.2:
-    resolution: {integrity: sha512-R0XvVJ9WusLiqTCEiGCmICCMplcCkIwwR11mOSD9CR5u+IXYdiseeEuXCVAjS54zqwkLcPNnmU4OeJ6tUrWhDw==}
-    engines: {node: '>=0.10.0'}
-
   source-map-js@1.2.0:
     resolution: {integrity: sha512-itJW8lvSA0TXEphiRoawsCksnlf8SyvmFzIhltqAHluXd88pkCd+cXJVHTDwdCr0IzwptSm035IHQktUu1QUMg==}
     engines: {node: '>=0.10.0'}
@@ -18682,12 +15565,6 @@ packages:
   sprintf-js@1.1.2:
     resolution: {integrity: sha512-VE0SOVEHCk7Qc8ulkWw3ntAzXuqf7S2lvwQaDLRnUeIEaKNQJzV6BwmLKhOqT61aGhfUMrXeaBk+oDGCzvhcug==}
 
-  sprintf-js@1.1.3:
-    resolution: {integrity: sha512-Oo+0REFV59/rz3gfJNKQiBlwfHaSESl1pcGyABQsnnIfWOFt6JNj5gCog2U6MLZ//IGYD+nA8nI+mTShREReaA==}
-
-  sqids@0.3.0:
-    resolution: {integrity: sha512-lOQK1ucVg+W6n3FhRwwSeUijxe93b51Bfz5PMRMihVf1iVkl82ePQG7V5vwrhzB11v0NtsR25PSZRGiSomJaJw==}
-
   sql-formatter@15.6.12:
     resolution: {integrity: sha512-mkpF+RG402P66VMsnQkWewTRzDBWfu9iLbOfxaW/nAKOS/2A9MheQmcU5cmX0D0At9azrorZwpvcBRNNBozACQ==}
     hasBin: true
@@ -18729,10 +15606,6 @@ packages:
   stacktrace-js@2.0.2:
     resolution: {integrity: sha512-Je5vBeY4S1r/RnLydLl0TBTi3F2qdfWmYsGvtfZgEI+SCprPppaIhQf5nGcal4gI4cGpCV/duLcAzT1np6sQqg==}
 
-  stacktrace-parser@0.1.10:
-    resolution: {integrity: sha512-KJP1OCML99+8fhOHxwwzyWrlUuVX5GQ0ZpJTd1DFXhdkrvg1szxfHhawXUZ3g9TkXORQd4/WG68jMlQZ2p8wlg==}
-    engines: {node: '>=6'}
-
   standard-as-callback@2.1.0:
     resolution: {integrity: sha512-qoRRSyROncaz1z0mvYqIE4lCd9p2R90i6GxW3uZv5ucSu8tU7B5HXUP1gG8pVZsYNVaXjk8ClXHPttLyxAL48A==}
 
@@ -18753,6 +15626,9 @@ packages:
   std-env@3.9.0:
     resolution: {integrity: sha512-UGvjygr6F6tpH7o2qyqR6QYpwraIjKSdtzyBdyytFOHmPZY917kwdwLG0RbOjWOnKmnm3PeHjaoLLMie7kPLQw==}
 
+  std-env@4.1.0:
+    resolution: {integrity: sha512-Rq7ybcX2RuC55r9oaPVEW7/xu3tj8u4GeBYHBWCychFtzMIr86A7e3PPEBPT37sHStKX3+TiX/Fr/ACmJLVlLQ==}
+
   stream-buffers@3.0.2:
     resolution: {integrity: sha512-DQi1h8VEBA/lURbSwFtEHnSTb9s2/pwLEaFuNhXwy1Dx3Sa0lOuYT2yNUr4/j2fs8oCAMANtrZ5OrPZtyVs3MQ==}
     engines: {node: '>= 0.10.0'}
@@ -18766,10 +15642,11 @@ packages:
   stream-transform@2.1.3:
     resolution: {integrity: sha512-9GHUiM5hMiCi6Y03jD2ARC1ettBXkQBoQAe7nJsPknnI0ow10aXjTnew8QtYQmLjzn974BnmWEAJgCY6ZP1DeQ==}
 
-  streamdown@1.4.0:
-    resolution: {integrity: sha512-ylhDSQ4HpK5/nAH9v7OgIIdGJxlJB2HoYrYkJNGrO8lMpnWuKUcrz/A8xAMwA6eILA27469vIavcOTjmxctrKg==}
+  streamdown@2.5.0:
+    resolution: {integrity: sha512-/tTnURfIOxZK/pqJAxsfCvETG/XCJHoWnk3jq9xLcuz6CSpnjjuxSRBTTL4PKGhxiZQf0lqPxGhImdpwcZ2XwA==}
     peerDependencies:
       react: ^18.0.0 || ^19.0.0
+      react-dom: ^18.0.0 || ^19.0.0
 
   streamsearch@1.1.0:
     resolution: {integrity: sha512-Mcc5wHehp9aXz1ax6bZUyY5afg9u2rv5cqQI3mRrYkGC8rW2hM02jWuwjtL++LS5qinSyhj2QfLyNsuc+VsExg==}
@@ -18861,13 +15738,19 @@ packages:
   strnum@1.0.5:
     resolution: {integrity: sha512-J8bbNyKKXl5qYcR36TIO8W3mVGVHrmmxsd5PAItGkmyzwJvybiw2IVq5nqd0i4LSNSkB/sx9VHllbfFdr9k1JA==}
 
-  strnum@2.1.1:
-    resolution: {integrity: sha512-7ZvoFTiCnGxBtDqJ//Cu6fWtZtc7Y3x+QOirG15wztbdngGSkht27o2pyGWrVy0b4WAy3jbKmnoK6g5VlVNUUw==}
+  strnum@2.2.3:
+    resolution: {integrity: sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg==}
 
   strtok3@9.1.1:
     resolution: {integrity: sha512-FhwotcEqjr241ZbjFzjlIYg6c5/L/s4yBGWSMvJ9UoExiSqL+FnFA/CaeZx17WGaZMS/4SOZp8wH18jSS4R4lw==}
     engines: {node: '>=16'}
 
+  stubborn-fs@2.0.0:
+    resolution: {integrity: sha512-Y0AvSwDw8y+nlSNFXMm2g6L51rBGdAQT20J3YSOqxC53Lo3bjWRtr2BKcfYoAf352WYpsZSTURrA0tqhfgudPA==}
+
+  stubborn-utils@1.0.2:
+    resolution: {integrity: sha512-zOh9jPYI+xrNOyisSelgym4tolKTJCQd5GBhK0+0xJvcYDcwlOoxF/rnFKQ2KRZknXSG9jWAp66fwP6AxN9STg==}
+
   style-loader@3.3.4:
     resolution: {integrity: sha512-0WqXzrsMTyb8yjZJHDqwmnwRJvhALK9LfRtRc6B4UTWe8AijYLZYZ9thuJTZc2VfQWINADW/j+LiJnfy2RoC1w==}
     engines: {node: '>= 12.13.0'}
@@ -18886,32 +15769,6 @@ packages:
   style-to-object@1.0.8:
     resolution: {integrity: sha512-xT47I/Eo0rwJmaXC4oilDGDWLohVhR6o/xAQcPQN8q6QBuZVL8qMYL85kLmST5cPjAorwvqIA4qXTRQoYHaL6g==}
 
-  styled-jsx@5.1.1:
-    resolution: {integrity: sha512-pW7uC1l4mBZ8ugbiZrcIsiIvVx1UmTfw7UkC3Um2tmfUq9Bhk8IiyEIPl6F8agHgjzku6j0xQEZbfA5uSgSaCw==}
-    engines: {node: '>= 12.0.0'}
-    peerDependencies:
-      '@babel/core': '*'
-      babel-plugin-macros: '*'
-      react: '>= 16.8.0 || 17.x.x || ^18.0.0-0'
-    peerDependenciesMeta:
-      '@babel/core':
-        optional: true
-      babel-plugin-macros:
-        optional: true
-
-  styled-jsx@5.1.6:
-    resolution: {integrity: sha512-qSVyDTeMotdvQYoHWLNGwRFJHC+i+ZvdBRYosOFgC+Wg1vx4frN2/RG/NA7SYqqvKNLf39P2LSRA2pu6n0XYZA==}
-    engines: {node: '>= 12.0.0'}
-    peerDependencies:
-      '@babel/core': '*'
-      babel-plugin-macros: '*'
-      react: '>= 16.8.0 || 17.x.x || ^18.0.0-0 || ^19.0.0-0'
-    peerDependenciesMeta:
-      '@babel/core':
-        optional: true
-      babel-plugin-macros:
-        optional: true
-
   stylis@4.3.0:
     resolution: {integrity: sha512-E87pIogpwUsUwXw7dNyU4QDjdgVMy52m+XEOPEKUn161cCzWjjhPSQhByfd1CcNvrOLnXQ6OnnZDwnJrz/Z4YQ==}
 
@@ -18983,8 +15840,8 @@ packages:
     resolution: {integrity: sha512-L1dapNV6vu2s/4Sputv8xGsCdAVlb5nRDMFU/E27D44l5U6cw1g0dGd45uLc+OXjNMmF4ntiMdCimzcjFKQI8Q==}
     engines: {node: ^14.18.0 || >=16.0.0}
 
-  systeminformation@5.27.14:
-    resolution: {integrity: sha512-3DoNDYSZBLxBwaJtQGWNpq0fonga/VZ47HY1+7/G3YoIPaPz93Df6egSzzTKbEMmlzUpy3eQ0nR9REuYIycXGg==}
+  systeminformation@5.31.7:
+    resolution: {integrity: sha512-/8NC53e5nP9nmhn42/ncdOkyJnOoue/Vy+tJOyUGd1Yv66G069wK4rrziwhrqDETgk78CudTQupw5z19S5uoZw==}
     engines: {node: '>=8.0.0'}
     os: [darwin, linux, win32, freebsd, openbsd, netbsd, sunos, android]
     hasBin: true
@@ -18993,23 +15850,15 @@ packages:
     resolution: {integrity: sha512-9kY+CygyYM6j02t5YFHbNz2FN5QmYGv9zAjVp4lCDjlCw7amdckXlEt/bjMhUIfj4ThGRE4gCUH5+yGnNuPo5A==}
     engines: {node: '>=10.0.0'}
 
+  tagged-tag@1.0.0:
+    resolution: {integrity: sha512-yEFYrVhod+hdNyx7g5Bnkkb0G6si8HJurOoOEgC8B/O0uXLHlaey/65KRv6cuWBNhBgHKAROVpc7QyYqE5gFng==}
+    engines: {node: '>=20'}
+
   tailwind-merge@1.12.0:
     resolution: {integrity: sha512-Y17eDp7FtN1+JJ4OY0Bqv9OA41O+MS8c1Iyr3T6JFLnOgLg3EvcyMKZAnQ8AGyvB5Nxm3t9Xb5Mhe139m8QT/g==}
 
-  tailwind-merge@2.2.0:
-    resolution: {integrity: sha512-SqqhhaL0T06SW59+JVNfAqKdqLs0497esifRrZ7jOaefP3o64fdFNDMrAQWZFMxTLJPiHVjRLUywT8uFz1xNWQ==}
-
-  tailwind-merge@2.5.3:
-    resolution: {integrity: sha512-d9ZolCAIzom1nf/5p4LdD5zvjmgSxY0BGgdSvmXIoMYAiPdAW/dSpP7joCDYFY7r/HkEa2qmPtkgsu0xjQeQtw==}
-
-  tailwind-merge@3.0.2:
-    resolution: {integrity: sha512-l7z+OYZ7mu3DTqrL88RiKrKIqO3NcpEO8V/Od04bNpvk0kiIFndGEoqfuzvj4yuhRkHKjRkII2z+KS2HfPcSxw==}
-
-  tailwind-merge@3.1.0:
-    resolution: {integrity: sha512-aV27Oj8B7U/tAOMhJsSGdWqelfmudnGMdXIlMnk1JfsjwSjts6o8HyfN7SFH3EztzH4YH8kk6GbLTHzITJO39Q==}
-
-  tailwind-merge@3.3.1:
-    resolution: {integrity: sha512-gBXpgUm/3rp1lMZZrM/w7D8GKqshif0zAymAhbCyIt8KMe+0v9DQ7cdYLR4FHH/cKpdTXb+A/tKKU3eolfsI+g==}
+  tailwind-merge@3.5.0:
+    resolution: {integrity: sha512-I8K9wewnVDkL1NTGoqWmVEIlUcB9gFriAEkXkfCjX5ib8ezGxtR3xD7iZIxrfArjEsH7F1CHD4RFUtxefdqV/A==}
 
   tailwind-scrollbar-hide@1.1.7:
     resolution: {integrity: sha512-X324n9OtpTmOMqEgDUEA/RgLrNfBF/jwJdctaPZDzB3mppxJk7TLIDmOreEDm1Bq4R9LSPu4Epf8VSdovNU+iA==}
@@ -19025,11 +15874,6 @@ packages:
     peerDependencies:
       tailwindcss: '>=3.0.0 || insiders'
 
-  tailwindcss-animate@1.0.7:
-    resolution: {integrity: sha512-bl6mpH3T7I3UFxuvDEXLxy/VuFxBk5bbzplh7tXI68mwMokNYd1t9qPBHlnyTwfa4JGC4zP516I1hYYtQ/vspA==}
-    peerDependencies:
-      tailwindcss: '>=3.0.0 || insiders'
-
   tailwindcss-textshadow@2.1.3:
     resolution: {integrity: sha512-FGVHfK+xnV879VSQDeRvY61Aa+b0GDiGaFBPwCOKvqIrK57GyepWJL1GydjtGOLHE9qqphFucRNj9fHramCzNg==}
 
@@ -19038,35 +15882,30 @@ packages:
     engines: {node: '>=8.9.0'}
     hasBin: true
 
-  tailwindcss@3.4.0:
-    resolution: {integrity: sha512-VigzymniH77knD1dryXbyxR+ePHihHociZbXnLZHUyzf2MMs2ZVqlUrZ3FvpXP8pno9JzmILt1sZPD19M3IxtA==}
-    engines: {node: '>=14.0.0'}
-    hasBin: true
-
   tailwindcss@3.4.1:
     resolution: {integrity: sha512-qAYmXRfk3ENzuPBakNK0SRrUDipP8NQnEY6772uDhflcQz5EhRdD7JNZxyrFHVQNCwULPBn6FNPp9brpO7ctcA==}
     engines: {node: '>=14.0.0'}
     hasBin: true
 
-  tailwindcss@4.0.17:
-    resolution: {integrity: sha512-OErSiGzRa6rLiOvaipsDZvLMSpsBZ4ysB4f0VKGXUrjw2jfkJRd6kjRKV2+ZmTCNvwtvgdDam5D7w6WXsdLJZw==}
-
-  tapable@2.2.1:
-    resolution: {integrity: sha512-GNzQvQTOIP6RyTfE2Qxb8ZVlNmw0n88vp1szwWRimP02mnTsx3Wtn5qRdqY9w2XduFNUgvOwhNnQsjwCp+kqaQ==}
-    engines: {node: '>=6'}
+  tailwindcss@4.3.0:
+    resolution: {integrity: sha512-y6nxMGB1nMW9R6k96e5gdIFzcfL/gTJRNaqGes1YvkLnPVXzWgbqFF2yLC0T8G774n24cx3Pe8XrKoniCOAH+Q==}
 
   tapable@2.3.0:
     resolution: {integrity: sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==}
     engines: {node: '>=6'}
 
+  tapable@2.3.3:
+    resolution: {integrity: sha512-uxc/zpqFg6x7C8vOE7lh6Lbda8eEL9zmVm/PLeTPBRhh1xCgdWaQ+J1CUieGpIfm2HdtsUpRv+HshiasBMcc6A==}
+    engines: {node: '>=6'}
+
   tar-fs@2.1.3:
     resolution: {integrity: sha512-090nwYJDmlhwFwEW3QQl+vaNnxsO2yVsd45eTKRBzSzu+hlb1w2K9inVq5b0ngXuLVqQ4ApvsUHHnu/zQNkWAg==}
 
-  tar-fs@3.0.9:
-    resolution: {integrity: sha512-XF4w9Xp+ZQgifKakjZYmFdkLoSWd34VGKcsTCwlNWM7QG3ZbaxnTsaBwnjFZqHRf/rROxaR8rXnbtwdvaDI+lA==}
+  tar-fs@2.1.4:
+    resolution: {integrity: sha512-mDAjwmZdh7LTT6pNleZ05Yt65HC3E+NiQzl672vQG38jIrehtJk/J3mNwIg+vShQPcLF/LV7CMnDW6vjj6sfYQ==}
 
-  tar-fs@3.1.0:
-    resolution: {integrity: sha512-5Mty5y/sOF1YWj1J6GiBodjlDc05CUR8PKXrsnFAiSG0xA+GHeWLovaZPYUDXkH/1iKRf2+M5+OrRgzC7O9b7w==}
+  tar-fs@3.1.2:
+    resolution: {integrity: sha512-QGxxTxxyleAdyM3kpFs14ymbYmNFrfY+pHj7Z8FgtbZ7w2//VAgLMac7sT6nRpIHjppXO2AwwEOg0bPFVRcmXw==}
 
   tar-stream@2.2.0:
     resolution: {integrity: sha512-ujeqbceABgwMZxEJnk2HDY2DlnUZ+9oEcb1KzTVfYHio0UE6dG71n60d8D2I4qNvleWrrXpmjpt7vZeF1LnMZQ==}
@@ -19085,15 +15924,9 @@ packages:
     engines: {node: '>=10'}
     deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
 
-  tar@7.4.3:
-    resolution: {integrity: sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==}
+  tar@7.5.13:
+    resolution: {integrity: sha512-tOG/7GyXpFevhXVh8jOPJrmtRpOTsYqUIkVdVooZYJS/z8WhfQUX8RJILmeuJNinGAMSu1veBr4asSHFt5/hng==}
     engines: {node: '>=18'}
-    deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
-
-  tar@7.5.6:
-    resolution: {integrity: sha512-xqUeu2JAIJpXyvskvU3uvQW8PAmHrtXp2KDuMJwQqW8Sqq0CaZBAQ+dKS3RBXVhU4wC5NjAdKrmh84241gO9cA==}
-    engines: {node: '>=18'}
-    deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
 
   tdigest@0.1.2:
     resolution: {integrity: sha512-+G0LLgjjo9BZX2MfdvPfH+MKLCrxlXSYec5DaPYP1fe6Iyhf0/fSmJ0bFiZ1F8BT6cGXl2LpltQptzjXKWEkKA==}
@@ -19102,24 +15935,8 @@ packages:
     resolution: {integrity: sha512-wK0Ri4fOGjv/XPy8SBHZChl8CM7uMc5VML7SqiQ0zG7+J5Vr+RMQDoHa2CNT6KHUnTGIXH34UDMkPzAUyapBZg==}
     engines: {node: '>=8'}
 
-  terser-webpack-plugin@5.3.14:
-    resolution: {integrity: sha512-vkZjpUjb6OMS7dhV+tILUW6BhpDR7P2L/aQSAv+Uwk+m8KATX9EccViHTJR2qDtACKPIYndLGCyl3FMo+r2LMw==}
-    engines: {node: '>= 10.13.0'}
-    peerDependencies:
-      '@swc/core': '*'
-      esbuild: '*'
-      uglify-js: '*'
-      webpack: ^5.1.0
-    peerDependenciesMeta:
-      '@swc/core':
-        optional: true
-      esbuild:
-        optional: true
-      uglify-js:
-        optional: true
-
-  terser-webpack-plugin@5.3.7:
-    resolution: {integrity: sha512-AfKwIktyP7Cu50xNjXF/6Qb5lBNzYaWpU6YfoX3uZicTx0zTy0stDDCsvjDapKsSDvOeWo5MEq4TmdBy2cNoHw==}
+  terser-webpack-plugin@5.4.0:
+    resolution: {integrity: sha512-Bn5vxm48flOIfkdl5CaD2+1CiUVbonWQ3KQPyP7/EuIl9Gbzq/gQFOzaMFUEgVjB1396tcK0SG8XcNJ/2kDH8g==}
     engines: {node: '>= 10.13.0'}
     peerDependencies:
       '@swc/core': '*'
@@ -19134,17 +15951,13 @@ packages:
       uglify-js:
         optional: true
 
-  terser@5.44.1:
-    resolution: {integrity: sha512-t/R3R/n0MSwnnazuPpPNVO60LX0SKL45pyl9YlvxIdkH0Of7D5qM2EVe+yASRIlY5pZ73nclYJfNANGWPwFDZw==}
+  terser@5.46.1:
+    resolution: {integrity: sha512-vzCjQO/rgUuK9sf8VJZvjqiqiHFaZLnOiimmUuOKODxWL8mm/xua7viT7aqX7dgPY60otQjUotzFMmCB4VdmqQ==}
     engines: {node: '>=10'}
     hasBin: true
 
-  test-exclude@7.0.1:
-    resolution: {integrity: sha512-pFYqmTw68LXVjeWJMST4+borgQP2AyMNbg1BpZh9LbyhUeNkeaPF9gzfPGUAnSMV3qPYdWUwDIjjCLiSDOl7vg==}
-    engines: {node: '>=18'}
-
-  testcontainers@10.28.0:
-    resolution: {integrity: sha512-1fKrRRCsgAQNkarjHCMKzBKXSJFmzNTiTbhb5E/j5hflRXChEtHvkefjaHlgkNUjfw92/Dq8LTgwQn6RDBFbMg==}
+  testcontainers@11.14.0:
+    resolution: {integrity: sha512-r9pniwv/iwzyHaI7gwAvAm4Y+IvjJg3vBWdjrUCaDMc2AXIr4jKbq7jJO18Mw2ybs73pZy1Aj7p/4RVBGMRWjg==}
 
   text-decoder@1.2.0:
     resolution: {integrity: sha512-n1yg1mOj9DNpk3NeZOx7T6jchTbyJS3i3cucbNN6FcdPriMZx7NsgrGpWWdWZZGxD7ES1XB+3uoqHMgOKaN+fg==}
@@ -19159,8 +15972,9 @@ packages:
   thenify@3.3.1:
     resolution: {integrity: sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw==}
 
-  thread-stream@3.1.0:
-    resolution: {integrity: sha512-OqyPZ9u96VohAyMfJykzmivOrY2wfMSf3C5TtFJVgN+Hm6aj+voFhlK+kZEIv2FBh1X6Xp3DlnCOfEQ3B2J86A==}
+  thread-stream@4.2.0:
+    resolution: {integrity: sha512-e2zZ96wSChazBsbENf/Pcm/4swHt2cEKQ92rhUjkL9GCKiTDJIaTBenjE/m9DXi0QBmTMDkFDdOomUy20A1tDQ==}
+    engines: {node: '>=20'}
 
   throttle-debounce@3.0.1:
     resolution: {integrity: sha512-dTEWWNu6JmeVXY0ZYoPuH5cRIwc0MeGbJwah9KUNYSJwommQpCzTySTpEe8Gs1J23aeWEuAobe4Ag7EHVt/LOg==}
@@ -19200,18 +16014,22 @@ packages:
   tinyexec@1.0.1:
     resolution: {integrity: sha512-5uC6DDlmeqiOwCPmK9jMSdOuZTh8bU39Ys6yidB+UTt5hfZUPGAypSgFRiEp+jbi9qH40BLDvy85jIU88wKSqw==}
 
+  tinyexec@1.2.3:
+    resolution: {integrity: sha512-g62dB+w1/OEFnPvmX0yd/HnetYITOL+1nJW7kitOycOeAvmbWC/nu0fwmmQ/kupNojqExzyC/T++pST/jRJ2mQ==}
+    engines: {node: '>=18'}
+
   tinyglobby@0.2.10:
     resolution: {integrity: sha512-Zc+8eJlFMvgatPZTl6A9L/yht8QqdmUNtURHaKZLmKBE12hNPSrqNkUp2cs3M/UKmNVVAMFQYSjYIVHDjW5zew==}
     engines: {node: '>=12.0.0'}
 
-  tinyglobby@0.2.12:
-    resolution: {integrity: sha512-qkf4trmKSIiMTs/E63cxH+ojC2unam7rJ0WrauAzpT3ECNTxGRMlaXxVbfxMUC/w0LaYk6jQ4y/nGR9uBO3tww==}
-    engines: {node: '>=12.0.0'}
-
   tinyglobby@0.2.13:
     resolution: {integrity: sha512-mEwzpUgrLySlveBwEVDMKk5B57bhLPYovRfPAXD5gA/98Opn0rCDj3GtLwFvCvH5RK9uPCExUROW5NjDwvqkxw==}
     engines: {node: '>=12.0.0'}
 
+  tinyglobby@0.2.16:
+    resolution: {integrity: sha512-pn99VhoACYR8nFHhxqix+uvsbXineAasWm5ojXoN8xEwK5Kd3/TrhNn1wByuD52UxWRLy8pu+kRMniEi6Eq9Zg==}
+    engines: {node: '>=12.0.0'}
+
   tinyglobby@0.2.2:
     resolution: {integrity: sha512-mZ2sDMaySvi1PkTp4lTo1In2zjU+cY8OvZsfwrDrx3YGRbXPX1/cbPwCR9zkm3O/Fz9Jo0F1HNgIQ1b8BepqyQ==}
     engines: {node: '>=12.0.0'}
@@ -19219,20 +16037,8 @@ packages:
   tinygradient@1.1.5:
     resolution: {integrity: sha512-8nIfc2vgQ4TeLnk2lFj4tRLvvJwEfQuabdsmvDdQPT0xlk9TaNtpGd6nNRxXoK6vQhN6RSzj+Cnp5tTQmpxmbw==}
 
-  tinypool@1.0.2:
-    resolution: {integrity: sha512-al6n+QEANGFOMf/dmUMsuS5/r9B06uwlyNjZZql/zv8J7ybHCgoihBNORZCY2mzUuAnomQa2JdhyHKzZxPCrFA==}
-    engines: {node: ^18.0.0 || >=20.0.0}
-
-  tinyrainbow@1.2.0:
-    resolution: {integrity: sha512-weEDEq7Z5eTHPDh4xjX789+fHfF+P8boiFB+0vbWzpbnbsEr/GRaohi/uMKxg8RZMXnl1ItAi/IUHWMsjDV7kQ==}
-    engines: {node: '>=14.0.0'}
-
-  tinyrainbow@2.0.0:
-    resolution: {integrity: sha512-op4nsTR47R6p0vMUUoYl/a+ljLFVtlfaXkLQmqfLR1qHma1h/ysYk4hEXZ880bf2CYgTskvTa/e196Vd5dDQXw==}
-    engines: {node: '>=14.0.0'}
-
-  tinyspy@3.0.2:
-    resolution: {integrity: sha512-n1cw8k1k0x4pgA2+9XrOkFydTerNcJ1zWCO5Nn9scWHTD+5tp8dghT2x1uduQePZTZgd3Tupf+x9BxJjeJi77Q==}
+  tinyrainbow@3.1.0:
+    resolution: {integrity: sha512-Bf+ILmBgretUrdJxzXM0SgXLZ3XfiaUuOj/IKQHuTXip+05Xn+uyEYdVg0kYDipTBcLrCVyUzAPz7QmArb0mmw==}
     engines: {node: '>=14.0.0'}
 
   tldts-core@7.0.7:
@@ -19253,6 +16059,10 @@ packages:
     resolution: {integrity: sha512-nZD7m9iCPC5g0pYmcaxogYKggSfLsdxl8of3Q/oIbqCqLLIO9IAF0GWjX1z9NZRHPiXv8Wex4yDCaZsgEw0Y8w==}
     engines: {node: '>=14.14'}
 
+  tmp@0.2.5:
+    resolution: {integrity: sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==}
+    engines: {node: '>=14.14'}
+
   to-fast-properties@2.0.0:
     resolution: {integrity: sha512-/OaKK0xYrs3DmxRYqL/yDc+FxFUVYhDlXMhRmv3z915w2HF1tnN1omB354j8VUGO/hbRzyD6Y3sA7v7GS/ceog==}
     engines: {node: '>=4'}
@@ -19286,10 +16096,6 @@ packages:
   toposort@2.0.2:
     resolution: {integrity: sha512-0a5EOkAUp8D4moMi2W8ZF8jcga7BgZd91O/yabJCFY8az+XSzeGyTKs0Aoo897iV1Nj6guFq8orWDS96z91oGg==}
 
-  totalist@3.0.1:
-    resolution: {integrity: sha512-sf4i37nQ2LBx4m3wB74y+ubopq6W/dIzXg0FDGjsYnZHVa1Da8FH853wlL2gtUhg+xJXjfk3kUZS3BRoQeoQBQ==}
-    engines: {node: '>=6'}
-
   tough-cookie@2.5.0:
     resolution: {integrity: sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==}
     engines: {node: '>=0.8'}
@@ -19412,7 +16218,7 @@ packages:
     peerDependencies:
       '@microsoft/api-extractor': ^7.36.0
       '@swc/core': ^1
-      postcss: ^8.4.12
+      postcss: ^8.5.10
       typescript: 5.5.4
     peerDependenciesMeta:
       '@microsoft/api-extractor':
@@ -19439,11 +16245,6 @@ packages:
     engines: {node: '>=18.0.0'}
     hasBin: true
 
-  tsx@4.19.3:
-    resolution: {integrity: sha512-4H8vUNGNjQ4V2EOoGw005+c+dGuPSnhpPBPHBtsZdGZBk/iJb4kguGlPWaZTZ3q5nMtFOEsY0nRDlh9PJyd6SQ==}
-    engines: {node: '>=18.0.0'}
-    hasBin: true
-
   tsx@4.20.6:
     resolution: {integrity: sha512-ytQKuwgmrrkDTFP4LjR0ToE2nqgy886GpvRSpU0JAnrdBYppuY5rLkRUYPU1yCryb24SsKBTL/hlDQAEFVwtZg==}
     engines: {node: '>=18.0.0'}
@@ -19482,6 +16283,9 @@ packages:
     cpu: [arm64]
     os: [linux]
 
+  turbo-stream@2.4.1:
+    resolution: {integrity: sha512-v8kOJXpG3WoTN/+at8vK7erSzo6nW6CIaeOvNOkHQVDajfz1ZVeSxCbc6tOH4hrGZW7VUCV0TOXd8CPzYnYkrw==}
+
   turbo-windows-64@1.10.3:
     resolution: {integrity: sha512-rbH9wManURNN8mBnN/ZdkpUuTvyVVEMiUwFUX4GVE5qmV15iHtZfDLUSGGCP2UFBazHcpNHG1OJzgc55GFFrUw==}
     cpu: [x64]
@@ -19496,9 +16300,6 @@ packages:
     resolution: {integrity: sha512-U4gKCWcKgLcCjQd4Pl8KJdfEKumpyWbzRu75A6FCj6Ctea1PIm58W6Ltw1QXKqHrl2pF9e1raAskf/h6dlrPCA==}
     hasBin: true
 
-  tw-animate-css@1.2.4:
-    resolution: {integrity: sha512-yt+HkJB41NAvOffe4NweJU6fLqAlVx/mBX6XmHRp15kq0JxTtOKaIw8pVSWM1Z+n2nXtyi7cW6C9f0WG/F/QAQ==}
-
   tweetnacl@0.14.5:
     resolution: {integrity: sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==}
 
@@ -19518,10 +16319,6 @@ packages:
     resolution: {integrity: sha512-q+MB8nYR1KDLrgr4G5yemftpMC7/QLqVndBmEEdqzmNj5dcFOO4Oo8qlwZE3ULT3+Zim1F8Kq4cBnikNhlCMlg==}
     engines: {node: '>=8'}
 
-  type-fest@0.7.1:
-    resolution: {integrity: sha512-Ne2YiiGN8bmrmJJEuTWTLJR32nh/JdL1+PSicowtNb0WFpn59GK8/lfD61bVtzguz7b3PBt74nxpv/Pw5po5Rg==}
-    engines: {node: '>=8'}
-
   type-fest@0.8.1:
     resolution: {integrity: sha512-4dbzIzqvjtgiM5rw1k5rEHtBANKmdudhGyBEajN01fEyhaAIhsoKNy6y7+IN93IfpFtwY9iqi7kD+xwKhQsNJA==}
     engines: {node: '>=8'}
@@ -19534,6 +16331,10 @@ packages:
     resolution: {integrity: sha512-s6zVrxuyKbbAsSAD5ZPTB77q4YIdRctkTbJ2/Dqlinwz+8ooH2gd+YA7VA6Pa93KML9GockVvoxjZ2vHP+mu8g==}
     engines: {node: '>=16'}
 
+  type-fest@5.6.0:
+    resolution: {integrity: sha512-8ZiHFm91orbSAe2PSAiSVBVko18pbhbiB3U9GglSzF/zCGkR+rxpHx6sEMCUm4kxY4LjDIUGgCfUMtwfZfjfUA==}
+    engines: {node: '>=20'}
+
   type-is@1.6.18:
     resolution: {integrity: sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==}
     engines: {node: '>= 0.6'}
@@ -19568,9 +16369,6 @@ packages:
   typed-emitter@2.1.0:
     resolution: {integrity: sha512-g/KzbYKbH5C2vPkaXGu8DJlHrGKHLsM25Zg9WuC9pMGfuvT+X25tZQWo5fK1BjBm8+UrVE9LDCvaY0CQk+fXDA==}
 
-  typed-query-selector@2.12.0:
-    resolution: {integrity: sha512-SbklCd1F0EiZOyPiW192rrHZzZ5sBijB6xM+cpmrwDqObvdtunOHHIk9fCGsoK5JVIYXoyEp4iEdE3upFH3PAg==}
-
   typescript@5.5.4:
     resolution: {integrity: sha512-Mtq29sKDAEYP7aljRgtPOpTvOfbwRWlS6dPRzwjdE+C0R4brX/GUyhHSecbHMFLNBLcJIPt9nl9yG5TZ1weH+Q==}
     engines: {node: '>=14.17'}
@@ -19590,6 +16388,10 @@ packages:
     resolution: {integrity: sha512-ZPtzy0hu4cZjv3z5NW9gfKnNLjoz4y6uv4HlelAjDK7sY/xOkKZv9xK/WQpcsBB3jEybChz9DPC2U/+cusjJVQ==}
     engines: {node: '>=18'}
 
+  uint8array-extras@1.5.0:
+    resolution: {integrity: sha512-rvKSBiC5zqCCiDZ9kAOszZcDvdAHwwIKJG33Ykj43OKcWsnmcBRL09YTU4nOeHZ8Y2a7l1MgTd08SBe9A8Qj6A==}
+    engines: {node: '>=18'}
+
   ulid@2.3.0:
     resolution: {integrity: sha512-keqHubrlpvT6G2wH0OEfSW4mquYRcbe/J8NMmveoQOjUqmo+hXtO+ORCpWhdbZ7k72UtY61BL7haGxW6enBnjw==}
     hasBin: true
@@ -19611,6 +16413,14 @@ packages:
     resolution: {integrity: sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==}
     engines: {node: '>=14.0'}
 
+  undici@6.25.0:
+    resolution: {integrity: sha512-ZgpWDC5gmNiuY9CnLVXEH8rl50xhRCuLNA97fAUnKi8RRuV4E6KG31pDTsLVUKnohJE0I3XDrTeEydAXRw47xg==}
+    engines: {node: '>=18.17'}
+
+  undici@7.24.6:
+    resolution: {integrity: sha512-Xi4agocCbRzt0yYMZGMA6ApD7gvtUFaxm4ZmeacWI4cZxaF6C+8I8QfofC20NAePiB/IcvZmzkJ7XPa471AEtA==}
+    engines: {node: '>=20.18.1'}
+
   unicode-emoji-modifier-base@1.0.0:
     resolution: {integrity: sha512-yLSH4py7oFH3oG/9K+XWrz1pSi3dfUrWEnInbxMfArOfc1+33BlGPQtLsOYwvdMy11AwUBetYuaRxSPqgkq+8g==}
     engines: {node: '>=4'}
@@ -19637,9 +16447,6 @@ packages:
     resolution: {integrity: sha512-WrcA6AyEfqDX5bWige/4NQfPZMtASNVxdmWR76WESYQVAACSgWcR6e9i0mofqqBxYFtL4oAxPIptY73/0YE1DQ==}
     engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0}
 
-  unist-util-find-after@5.0.0:
-    resolution: {integrity: sha512-amQa0Ep2m6hE2g72AugUItjbuM8X8cGQnFoHk0pGfrFeT9GZhzN5SW8nRsiGKK7Aif4CrACPENkA6P/Lw6fHGQ==}
-
   unist-util-generated@2.0.0:
     resolution: {integrity: sha512-TiWE6DVtVe7Ye2QxOVW9kqybs6cZexNwTwSMVgkfjEReqy/xwGpAXb99OxktoWwmL+Z+Epb0Dn8/GNDYP1wnUw==}
 
@@ -19661,9 +16468,6 @@ packages:
   unist-util-remove-position@4.0.1:
     resolution: {integrity: sha512-0yDkppiIhDlPrfHELgB+NLQD5mfjup3a8UYclHruTJWmY74je8g+CIFr79x5f6AkmzSwlvKLbs63hC0meOMowQ==}
 
-  unist-util-remove-position@5.0.0:
-    resolution: {integrity: sha512-Hp5Kh3wLxv0PHj9m2yZhhLt58KzPtEYKQQ4yxfYFEO7EvHwzyDYnduhHnY1mDxoqr7VUwVuHXk9RXKIiYS1N8Q==}
-
   unist-util-stringify-position@3.0.2:
     resolution: {integrity: sha512-7A6eiDCs9UtjcwZOcCpM4aPII3bAAGv13E96IkawkOAW0OhH+yRxtY0lzo8KiHpzEMfH7Q+FizUmwp8Iqy5EWg==}
 
@@ -19682,9 +16486,6 @@ packages:
   unist-util-visit@5.0.0:
     resolution: {integrity: sha512-MR04uvD+07cwl/yhVuVWAtw+3GOR/knlL55Nd/wAdblk27GCVt3lqpTivy/tkJcZoNPzTwS1Y+KMojlLDhoTzg==}
 
-  universal-cookie@7.2.0:
-    resolution: {integrity: sha512-PvcyflJAYACJKr28HABxkGemML5vafHmiL4ICe3e+BEKXRMt0GaFLZhAwgv637kFFnnfiSJ8e6jknrKkMrU+PQ==}
-
   universal-github-app-jwt@1.2.0:
     resolution: {integrity: sha512-dncpMpnsKBk0eetwfN8D8OUHGfiDhhJ+mtsbMl+7PfW7mYjiH8LIcqRmYMtzYLgSh47HjfdBtrBwIQ/gizKR3g==}
 
@@ -19709,38 +16510,17 @@ packages:
     peerDependencies:
       browserslist: '>= 4.21.0'
 
-  update-browserslist-db@1.1.2:
-    resolution: {integrity: sha512-PPypAm5qvlD7XMZC3BujecnaOxwhrtoFR+Dqkk5Aa/6DssiH0ibKoketaj9w8LP7Bont1rYeoV5plxD7RTEPRg==}
-    hasBin: true
-    peerDependencies:
-      browserslist: '>= 4.21.0'
-
   update-browserslist-db@1.1.4:
     resolution: {integrity: sha512-q0SPT4xyU84saUX+tomz1WLkxUbuaJnR1xWt17M7fJtEJigJeWUNGUqrauFXsHnqev9y9JTRGwk13tFBuKby4A==}
     hasBin: true
     peerDependencies:
       browserslist: '>= 4.21.0'
 
-  uploadthing@7.1.0:
-    resolution: {integrity: sha512-l1bRHs+q/YLx3XwBav98t4Bl1wLWaskhPEwopxtYgiRrxX5nW3uUuSP0RJ9eKwx0+6ZhHWxHDvShf7ZLledqmQ==}
-    engines: {node: '>=18.13.0'}
+  update-browserslist-db@1.2.3:
+    resolution: {integrity: sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w==}
+    hasBin: true
     peerDependencies:
-      express: '*'
-      fastify: '*'
-      h3: '*'
-      next: '*'
-      tailwindcss: '*'
-    peerDependenciesMeta:
-      express:
-        optional: true
-      fastify:
-        optional: true
-      h3:
-        optional: true
-      next:
-        optional: true
-      tailwindcss:
-        optional: true
+      browserslist: '>= 4.21.0'
 
   uri-js@4.4.1:
     resolution: {integrity: sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==}
@@ -19786,6 +16566,11 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0 || ^18.0.0
 
+  use-sync-external-store@1.6.0:
+    resolution: {integrity: sha512-Pp6GSwGP/NrPIrxVFAIkOQeyw8lFenOHijQWkUTrDvrF4ALqylP2C/KCkeS9dpUM3KvYRQhna5vt7IL95+ZQ9w==}
+    peerDependencies:
+      react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
+
   util-deprecate@1.0.2:
     resolution: {integrity: sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==}
 
@@ -19804,6 +16589,10 @@ packages:
     resolution: {integrity: sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==}
     hasBin: true
 
+  uuid@14.0.0:
+    resolution: {integrity: sha512-Qo+uWgilfSmAhXCMav1uYFynlQO7fMFiMVZsQqZRMIXp0O7rR7qjkj+cPvBHLgBqi960QCoo/PH2/6ZtVqKvrg==}
+    hasBin: true
+
   uuid@3.4.0:
     resolution: {integrity: sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==}
     deprecated: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
@@ -19813,10 +16602,6 @@ packages:
     resolution: {integrity: sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==}
     hasBin: true
 
-  uuid@9.0.0:
-    resolution: {integrity: sha512-MXcSTerfPa4uqyzStbRoTgt5XIe3x5+42+q1sDuy3R5MDk66URdLMOZe5aPX/SQd+kuYAh0FdP/pO28IkQyTeg==}
-    hasBin: true
-
   uuid@9.0.1:
     resolution: {integrity: sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==}
     hasBin: true
@@ -19834,6 +16619,14 @@ packages:
       typescript:
         optional: true
 
+  valibot@1.3.1:
+    resolution: {integrity: sha512-sfdRir/QFM0JaF22hqTroPc5xy4DimuGQVKFrzF1YfGwaS1nJot3Y8VqMdLO2Lg27fMzat2yD3pY5PbAYO39Gg==}
+    peerDependencies:
+      typescript: 5.5.4
+    peerDependenciesMeta:
+      typescript:
+        optional: true
+
   validate-npm-package-license@3.0.4:
     resolution: {integrity: sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==}
 
@@ -19920,22 +16713,27 @@ packages:
       terser:
         optional: true
 
-  vite@5.4.21:
-    resolution: {integrity: sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==}
-    engines: {node: ^18.0.0 || >=20.0.0}
+  vite@6.4.2:
+    resolution: {integrity: sha512-2N/55r4JDJ4gdrCvGgINMy+HH3iRpNIz8K6SFwVsA+JbQScLiC+clmAxBgwiSPgcG9U15QmvqCGWzMbqda5zGQ==}
+    engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0}
     hasBin: true
     peerDependencies:
       '@types/node': 20.14.14
+      jiti: '>=1.21.0'
       less: '*'
       lightningcss: ^1.21.0
       sass: '*'
       sass-embedded: '*'
       stylus: '*'
       sugarss: '*'
-      terser: ^5.4.0
+      terser: ^5.16.0
+      tsx: ^4.8.1
+      yaml: ^2.8.3
     peerDependenciesMeta:
       '@types/node':
         optional: true
+      jiti:
+        optional: true
       less:
         optional: true
       lightningcss:
@@ -19950,27 +16748,44 @@ packages:
         optional: true
       terser:
         optional: true
+      tsx:
+        optional: true
+      yaml:
+        optional: true
 
-  vitest@3.1.4:
-    resolution: {integrity: sha512-Ta56rT7uWxCSJXlBtKgIlApJnT6e6IGmTYxYcmxjJ4ujuZDI59GUQgVDObXXJujOmPDBYXHK1qmaGtneu6TNIQ==}
-    engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0}
+  vitest@4.1.7:
+    resolution: {integrity: sha512-flYyaFd2CgoCoU+0UKt3pxksgC+S02iTDN0n3LtqaMeXsI9SBcdNujc2k0DeFLzUn/0k538yNjOSdwgCqcrwJA==}
+    engines: {node: ^20.0.0 || ^22.0.0 || >=24.0.0}
     hasBin: true
     peerDependencies:
       '@edge-runtime/vm': '*'
-      '@types/debug': ^4.1.12
+      '@opentelemetry/api': ^1.9.0
       '@types/node': 20.14.14
-      '@vitest/browser': 3.1.4
-      '@vitest/ui': 3.1.4
+      '@vitest/browser-playwright': 4.1.7
+      '@vitest/browser-preview': 4.1.7
+      '@vitest/browser-webdriverio': 4.1.7
+      '@vitest/coverage-istanbul': 4.1.7
+      '@vitest/coverage-v8': 4.1.7
+      '@vitest/ui': 4.1.7
       happy-dom: '*'
       jsdom: '*'
+      vite: ^6.4.2
     peerDependenciesMeta:
       '@edge-runtime/vm':
         optional: true
-      '@types/debug':
+      '@opentelemetry/api':
         optional: true
       '@types/node':
         optional: true
-      '@vitest/browser':
+      '@vitest/browser-playwright':
+        optional: true
+      '@vitest/browser-preview':
+        optional: true
+      '@vitest/browser-webdriverio':
+        optional: true
+      '@vitest/coverage-istanbul':
+        optional: true
+      '@vitest/coverage-v8':
         optional: true
       '@vitest/ui':
         optional: true
@@ -19996,8 +16811,8 @@ packages:
     resolution: {integrity: sha512-woByF3PDpkHFUreUa7Hos7+pUWdeWMXRd26+ZX2A8cFx6v/JPTtd4/uN0/jB6XQHYaOlHbio03NTHCqrgG5n7g==}
     hasBin: true
 
-  vscode-uri@3.0.8:
-    resolution: {integrity: sha512-AyFQ0EVmsOZOlAnxoFOGOq1SQDWAB7C6aqMGS23svWAllfOaxbuFvcT8D1i8z3Gyn8fraVeZNNmN6e9bxxXkKw==}
+  vscode-uri@3.1.0:
+    resolution: {integrity: sha512-/BpdSx+yCQGnCvecbyXdxHDkuk55/G3xwnC0GqY4gmQ3j+A+g8kzzgB4Nk/SINjqn6+waqw3EgbVF2QKExkRxQ==}
 
   w3c-keyname@2.2.8:
     resolution: {integrity: sha512-dpojBhNsCNN7T82Tm7k26A6G9ML3NkhDsnw9n/eoxSRlVBB4CEtIQ/KTCLI2Fwf3ataSXRhYFkQi3SlnFwPvPQ==}
@@ -20009,12 +16824,8 @@ packages:
   warning@4.0.3:
     resolution: {integrity: sha512-rpJyN222KWIvHJ/F53XSZv0Zl/accqHR8et1kpaMTD/fLCRxtV8iX8czMzY7sVZupTI3zcUTg8eycS2kNF9l6w==}
 
-  watchpack@2.4.0:
-    resolution: {integrity: sha512-Lcvm7MGST/4fup+ifyKi2hjyIAwcdI4HRgtvTpIUxBRhB+RFtUh8XtDOxUfctVCnhVi+QQj49i91OyvzkJl6cg==}
-    engines: {node: '>=10.13.0'}
-
-  watchpack@2.4.4:
-    resolution: {integrity: sha512-c5EGNOiyxxV5qmTtAB7rbiXxi1ooX1pQKMLX/MIabJjRA0SJBQOjKF+KSVfHkr9U1cADPon0mRiVe/riyaiDUA==}
+  watchpack@2.5.1:
+    resolution: {integrity: sha512-Zn5uXdcFNIA1+1Ei5McRd+iRzfhENPCe7LeABkJtNulSxjma+l7ltNx55BWZkRlwRnpOgHqxnjyaDgJnNXnqzg==}
     engines: {node: '>=10.13.0'}
 
   wcwidth@1.0.1:
@@ -20040,17 +16851,8 @@ packages:
   webidl-conversions@4.0.2:
     resolution: {integrity: sha512-YQ+BmxuTgd6UXZW3+ICGfyqRyHXVlD5GtQr5+qjiNW7bF0cqrzX500HVXPBOvgXb5YnzDd+h0zqyv61KUD7+Sg==}
 
-  webpack-bundle-analyzer@4.10.1:
-    resolution: {integrity: sha512-s3P7pgexgT/HTUSYgxJyn28A+99mmLq4HsJepMPzu0R8ImJc52QNqaFYW1Z2z2uIb1/J3eYgaAWVpaC+v/1aAQ==}
-    engines: {node: '>= 10.13.0'}
-    hasBin: true
-
-  webpack-sources@3.2.3:
-    resolution: {integrity: sha512-/DyMEOrDgLKKIG0fmvtz+4dUX/3Ghozwgm6iPp8KRhvn+eQf9+Q7GWxVNMk3+uCPWfdXYC4ExGBckIXdFEfH1w==}
-    engines: {node: '>=10.13.0'}
-
-  webpack-sources@3.3.3:
-    resolution: {integrity: sha512-yd1RBzSGanHkitROoPFd6qsrxt+oFhg/129YzheDGqeustzX0vTZJZsSsQjVQC4yzBQ56K55XU8gaNCtIzOnTg==}
+  webpack-sources@3.3.4:
+    resolution: {integrity: sha512-7tP1PdV4vF+lYPnkMR0jMY5/la2ub5Fc/8VQrrU+lXkiM6C4TjVfGw7iKfyhnTQOsD+6Q/iKw0eFciziRgD58Q==}
     engines: {node: '>=10.13.0'}
 
   webpack@5.102.1:
@@ -20063,22 +16865,15 @@ packages:
       webpack-cli:
         optional: true
 
-  webpack@5.88.2:
-    resolution: {integrity: sha512-JmcgNZ1iKj+aiR0OvTYtWQqJwq37Pf683dY9bVORwVbUrDhLhdn/PlO2sHsFHPkj7sHNQF3JwaAkp49V+Sq1tQ==}
-    engines: {node: '>=10.13.0'}
-    hasBin: true
-    peerDependencies:
-      webpack-cli: '*'
-    peerDependenciesMeta:
-      webpack-cli:
-        optional: true
-
   whatwg-url@5.0.0:
     resolution: {integrity: sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==}
 
   whatwg-url@7.1.0:
     resolution: {integrity: sha512-WUu7Rg1DroM7oQvGWfOiAK21n74Gg+T4elXEQYkOhtyLeWiJFoOGLXPKI/9gzIie9CtwVLm8wtw6YJdKyxSjeg==}
 
+  when-exit@2.1.5:
+    resolution: {integrity: sha512-VGkKJ564kzt6Ms1dbgPP/yuIoQCrsFAnRbptpC5wOEsDaNsbCB2bnfnaA8i/vRs5tjUSEOtIuvl9/MyVsvQZCg==}
+
   which-boxed-primitive@1.0.2:
     resolution: {integrity: sha512-bwZdv0AKLpplFY2KZRX6TvyuN7ojjr7lwkg6ml0roIy9YeuSr7JS372qlNW18UQYzgYK9ziGcerWqZOmEn9VNg==}
 
@@ -20131,8 +16926,8 @@ packages:
   wrappy@1.0.2:
     resolution: {integrity: sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==}
 
-  ws@7.5.9:
-    resolution: {integrity: sha512-F+P9Jil7UiSKSkppIiD94dN07AwvFixvLIj1Og1Rl9GGMuNipJnV9JzjD6XuqmAeiswGvUmNLjr5cFuXwNS77Q==}
+  ws@7.5.10:
+    resolution: {integrity: sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==}
     engines: {node: '>=8.3.0'}
     peerDependencies:
       bufferutil: ^4.0.1
@@ -20203,6 +16998,18 @@ packages:
       utf-8-validate:
         optional: true
 
+  ws@8.20.1:
+    resolution: {integrity: sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==}
+    engines: {node: '>=10.0.0'}
+    peerDependencies:
+      bufferutil: ^4.0.1
+      utf-8-validate: '>=5.0.2'
+    peerDependenciesMeta:
+      bufferutil:
+        optional: true
+      utf-8-validate:
+        optional: true
+
   xdg-app-paths@8.3.0:
     resolution: {integrity: sha512-mgxlWVZw0TNWHoGmXq+NC3uhCIc55dDpAlDkMQUaIAcQzysb0kxctwv//fvuW61/nAAeUBJMQ8mnZjMmuYwOcQ==}
     engines: {node: '>= 4.0'}
@@ -20211,13 +17018,14 @@ packages:
     resolution: {integrity: sha512-xrcqhWDvtZ7WLmt8G4f3hHy37iK7D2idtosRgkeiSPZEPmBShp0VfmRBLWAPC6zLF48APJ21yfea+RfQMF4/Aw==}
     engines: {node: '>= 4.0'}
 
+  xml-naming@0.1.0:
+    resolution: {integrity: sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==}
+    engines: {node: '>=16.0.0'}
+
   xmlhttprequest-ssl@2.0.0:
     resolution: {integrity: sha512-QKxVRxiRACQcVuQEYFsI1hhkrMlrXHPegbbd1yn9UHOmRxY+si12nQYzri3vbzt8VdTTRviqcKxcyllFas5z2A==}
     engines: {node: '>=0.4.0'}
 
-  xstate@5.18.1:
-    resolution: {integrity: sha512-m02IqcCQbaE/kBQLunwub/5i8epvkD2mFutnL17Oeg1eXTShe1sRF4D5mhv1dlaFO4vbW5gRGRhraeAD5c938g==}
-
   xtend@4.0.2:
     resolution: {integrity: sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==}
     engines: {node: '>=0.4'}
@@ -20242,9 +17050,14 @@ packages:
     resolution: {integrity: sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==}
     engines: {node: '>=18'}
 
-  yaml@2.7.1:
-    resolution: {integrity: sha512-10ULxpnOCQXxJvBgxsn9ptjq6uviG/htZKk9veJGhlqn3w/DxQ631zFF+nlQXLwmImeS5amR2dl2U8sg6U9jsQ==}
-    engines: {node: '>= 14'}
+  yaml@2.8.3:
+    resolution: {integrity: sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==}
+    engines: {node: '>= 14.6'}
+    hasBin: true
+
+  yaml@2.9.0:
+    resolution: {integrity: sha512-2AvhNX3mb8zd6Zy7INTtSpl1F15HW6Wnqj0srWlkKLcpYl/gMIMJiyuGq2KeI2YFxUPjdlB+3Lc10seMLtL4cA==}
+    engines: {node: '>= 14.6'}
     hasBin: true
 
   yargs-parser@18.1.3:
@@ -20271,9 +17084,6 @@ packages:
     resolution: {integrity: sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w==}
     engines: {node: '>=12'}
 
-  yauzl@2.10.0:
-    resolution: {integrity: sha512-p4a9I6X6nu6IhoGmBqAcbJy1mlC4j27vEPZX9F4L4/vZT3Lyq1VkFHw/V/PUcB9Buo+DG3iHkT0x3Qya58zc3g==}
-
   yocto-queue@0.1.0:
     resolution: {integrity: sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==}
     engines: {node: '>=10'}
@@ -20286,9 +17096,6 @@ packages:
     resolution: {integrity: sha512-CzhO+pFNo8ajLM2d2IW/R93ipy99LWjtwblvC1RsoSUMZgyLbYFr221TnSNT7GjGdYui6P459mw9JH/g/zW2ug==}
     engines: {node: '>=18'}
 
-  yup@1.6.1:
-    resolution: {integrity: sha512-JED8pB50qbA4FOkDol0bYF/p60qSEDQqBD0/qeIrUCG1KbPBIQ776fCUNb9ldbPcSTxA69g/47XTo4TqWiuXOA==}
-
   yup@1.7.0:
     resolution: {integrity: sha512-VJce62dBd+JQvoc+fCVq+KZfPHr+hXaxCcVgotfwWvlR0Ja3ffYKaJBT8rptPOSKOGJDCUnW2C2JWpud7aRP6Q==}
 
@@ -20331,45 +17138,16 @@ packages:
   zod@3.25.76:
     resolution: {integrity: sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==}
 
-  zustand@4.5.5:
-    resolution: {integrity: sha512-+0PALYNJNgK6hldkgDq2vLrw5f6g/jCInz52n9RTpropGgeAf/ioFUCdtsjCqu4gNhW9D01rUQBROoRjdzyn2Q==}
-    engines: {node: '>=12.7.0'}
-    peerDependencies:
-      '@types/react': '>=16.8'
-      immer: '>=9.0.6'
-      react: '>=16.8'
-    peerDependenciesMeta:
-      '@types/react':
-        optional: true
-      immer:
-        optional: true
-      react:
-        optional: true
-
   zwitch@2.0.4:
     resolution: {integrity: sha512-bXE4cR/kVZhKZX/RjPEflHaKVhUVl85noU3v6b8apfQEc1x4A+zBxjZ4lN8LqGd6WZ3dl98pY4o717VFmoPp+A==}
 
 snapshots:
 
-  '@adobe/css-tools@4.4.0': {}
-
-  '@ai-sdk/anthropic@2.0.4(zod@3.25.76)':
+  '@ai-sdk/gateway@3.0.104(zod@3.25.76)':
     dependencies:
-      '@ai-sdk/provider': 2.0.0
-      '@ai-sdk/provider-utils': 3.0.3(zod@3.25.76)
-      zod: 3.25.76
-
-  '@ai-sdk/gateway@1.0.6(zod@3.25.76)':
-    dependencies:
-      '@ai-sdk/provider': 2.0.0
-      '@ai-sdk/provider-utils': 3.0.3(zod@3.25.76)
-      zod: 3.25.76
-
-  '@ai-sdk/gateway@2.0.0(zod@3.25.76)':
-    dependencies:
-      '@ai-sdk/provider': 2.0.0
-      '@ai-sdk/provider-utils': 3.0.12(zod@3.25.76)
-      '@vercel/oidc': 3.0.3
+      '@ai-sdk/provider': 3.0.8
+      '@ai-sdk/provider-utils': 4.0.23(zod@3.25.76)
+      '@vercel/oidc': 3.2.0
       zod: 3.25.76
 
   '@ai-sdk/gateway@3.0.2(zod@3.25.76)':
@@ -20386,34 +17164,18 @@ snapshots:
       '@vercel/oidc': 3.1.0
       zod: 3.25.76
 
-  '@ai-sdk/openai@1.0.1(zod@3.25.76)':
-    dependencies:
-      '@ai-sdk/provider': 1.0.0
-      '@ai-sdk/provider-utils': 2.0.0(zod@3.25.76)
-      zod: 3.25.76
-
-  '@ai-sdk/openai@1.3.23(zod@3.25.76)':
-    dependencies:
-      '@ai-sdk/provider': 1.1.3
-      '@ai-sdk/provider-utils': 2.2.8(zod@3.25.76)
-      zod: 3.25.76
-
-  '@ai-sdk/openai@1.3.3(zod@3.25.76)':
-    dependencies:
-      '@ai-sdk/provider': 1.1.0
-      '@ai-sdk/provider-utils': 2.2.1(zod@3.25.76)
-      zod: 3.25.76
-
-  '@ai-sdk/openai@2.0.14(zod@3.25.76)':
+  '@ai-sdk/gateway@4.0.0-beta.30(zod@3.25.76)':
     dependencies:
-      '@ai-sdk/provider': 2.0.0
-      '@ai-sdk/provider-utils': 3.0.3(zod@3.25.76)
+      '@ai-sdk/provider': 4.0.0-beta.5
+      '@ai-sdk/provider-utils': 5.0.0-beta.9(zod@3.25.76)
+      '@vercel/oidc': 3.2.0
       zod: 3.25.76
 
-  '@ai-sdk/openai@2.0.53(zod@3.25.76)':
+  '@ai-sdk/gateway@4.0.0-canary.93(zod@3.25.76)':
     dependencies:
-      '@ai-sdk/provider': 2.0.0
-      '@ai-sdk/provider-utils': 3.0.12(zod@3.25.76)
+      '@ai-sdk/provider': 4.0.0-canary.17
+      '@ai-sdk/provider-utils': 5.0.0-canary.44(zod@3.25.76)
+      '@vercel/oidc': 3.2.0
       zod: 3.25.76
 
   '@ai-sdk/openai@3.0.41(zod@3.25.76)':
@@ -20422,6 +17184,14 @@ snapshots:
       '@ai-sdk/provider-utils': 4.0.19(zod@3.25.76)
       zod: 3.25.76
 
+  '@ai-sdk/otel@1.0.0-beta.6(zod@3.25.76)':
+    dependencies:
+      '@ai-sdk/provider': 4.0.0-beta.5
+      '@opentelemetry/api': 1.9.0
+      ai: 7.0.0-beta.60(zod@3.25.76)
+    transitivePeerDependencies:
+      - zod
+
   '@ai-sdk/provider-utils@1.0.22(zod@3.25.76)':
     dependencies:
       '@ai-sdk/provider': 0.0.26
@@ -20431,144 +17201,78 @@ snapshots:
     optionalDependencies:
       zod: 3.25.76
 
-  '@ai-sdk/provider-utils@2.0.0(zod@3.25.76)':
+  '@ai-sdk/provider-utils@4.0.1(zod@3.25.76)':
     dependencies:
-      '@ai-sdk/provider': 1.0.0
+      '@ai-sdk/provider': 3.0.0
+      '@standard-schema/spec': 1.1.0
       eventsource-parser: 3.0.6
-      nanoid: 5.1.5
-      secure-json-parse: 2.7.0
-    optionalDependencies:
       zod: 3.25.76
 
-  '@ai-sdk/provider-utils@2.2.1(zod@3.25.76)':
-    dependencies:
-      '@ai-sdk/provider': 1.1.0
-      nanoid: 3.3.8
-      secure-json-parse: 2.7.0
-      zod: 3.25.76
-
-  '@ai-sdk/provider-utils@2.2.8(zod@3.25.76)':
-    dependencies:
-      '@ai-sdk/provider': 1.1.3
-      nanoid: 3.3.8
-      secure-json-parse: 2.7.0
-      zod: 3.25.76
-
-  '@ai-sdk/provider-utils@3.0.12(zod@3.25.76)':
+  '@ai-sdk/provider-utils@4.0.19(zod@3.25.76)':
     dependencies:
-      '@ai-sdk/provider': 2.0.0
+      '@ai-sdk/provider': 3.0.8
       '@standard-schema/spec': 1.1.0
       eventsource-parser: 3.0.6
       zod: 3.25.76
 
-  '@ai-sdk/provider-utils@3.0.3(zod@3.25.76)':
+  '@ai-sdk/provider-utils@4.0.23(zod@3.25.76)':
     dependencies:
-      '@ai-sdk/provider': 2.0.0
+      '@ai-sdk/provider': 3.0.8
       '@standard-schema/spec': 1.1.0
       eventsource-parser: 3.0.6
       zod: 3.25.76
-      zod-to-json-schema: 3.24.6(zod@3.25.76)
 
-  '@ai-sdk/provider-utils@4.0.1(zod@3.25.76)':
+  '@ai-sdk/provider-utils@5.0.0-beta.9(zod@3.25.76)':
     dependencies:
-      '@ai-sdk/provider': 3.0.0
+      '@ai-sdk/provider': 4.0.0-beta.5
       '@standard-schema/spec': 1.1.0
       eventsource-parser: 3.0.6
       zod: 3.25.76
 
-  '@ai-sdk/provider-utils@4.0.19(zod@3.25.76)':
+  '@ai-sdk/provider-utils@5.0.0-canary.44(zod@3.25.76)':
     dependencies:
-      '@ai-sdk/provider': 3.0.8
+      '@ai-sdk/provider': 4.0.0-canary.17
       '@standard-schema/spec': 1.1.0
-      eventsource-parser: 3.0.6
+      '@workflow/serde': 4.1.0
+      eventsource-parser: 3.1.0
       zod: 3.25.76
 
   '@ai-sdk/provider@0.0.26':
     dependencies:
       json-schema: 0.4.0
 
-  '@ai-sdk/provider@1.0.0':
-    dependencies:
-      json-schema: 0.4.0
-
-  '@ai-sdk/provider@1.1.0':
-    dependencies:
-      json-schema: 0.4.0
-
-  '@ai-sdk/provider@1.1.3':
+  '@ai-sdk/provider@3.0.0':
     dependencies:
       json-schema: 0.4.0
 
-  '@ai-sdk/provider@2.0.0':
+  '@ai-sdk/provider@3.0.8':
     dependencies:
       json-schema: 0.4.0
 
-  '@ai-sdk/provider@3.0.0':
+  '@ai-sdk/provider@4.0.0-beta.5':
     dependencies:
       json-schema: 0.4.0
 
-  '@ai-sdk/provider@3.0.8':
+  '@ai-sdk/provider@4.0.0-canary.17':
     dependencies:
       json-schema: 0.4.0
 
-  '@ai-sdk/react@1.0.0(react@18.3.1)(zod@3.25.76)':
-    dependencies:
-      '@ai-sdk/provider-utils': 2.0.0(zod@3.25.76)
-      '@ai-sdk/ui-utils': 1.0.0(zod@3.25.76)
-      swr: 2.2.5(react@18.3.1)
-      throttleit: 2.1.0
-    optionalDependencies:
-      react: 18.3.1
-      zod: 3.25.76
-
-  '@ai-sdk/react@1.2.12(react@18.2.0)(zod@3.25.76)':
+  '@ai-sdk/react@3.0.170(react@18.2.0)(zod@3.25.76)':
     dependencies:
-      '@ai-sdk/provider-utils': 2.2.8(zod@3.25.76)
-      '@ai-sdk/ui-utils': 1.2.11(zod@3.25.76)
+      '@ai-sdk/provider-utils': 4.0.23(zod@3.25.76)
+      ai: 6.0.168(zod@3.25.76)
       react: 18.2.0
       swr: 2.2.5(react@18.2.0)
       throttleit: 2.1.0
-    optionalDependencies:
-      zod: 3.25.76
-
-  '@ai-sdk/react@1.2.2(react@19.0.0)(zod@3.25.76)':
-    dependencies:
-      '@ai-sdk/provider-utils': 2.2.1(zod@3.25.76)
-      '@ai-sdk/ui-utils': 1.2.1(zod@3.25.76)
-      react: 19.0.0
-      swr: 2.2.5(react@19.0.0)
-      throttleit: 2.1.0
-    optionalDependencies:
-      zod: 3.25.76
-
-  '@ai-sdk/ui-utils@1.0.0(zod@3.25.76)':
-    dependencies:
-      '@ai-sdk/provider': 1.0.0
-      '@ai-sdk/provider-utils': 2.0.0(zod@3.25.76)
-      zod-to-json-schema: 3.24.6(zod@3.25.76)
-    optionalDependencies:
-      zod: 3.25.76
-
-  '@ai-sdk/ui-utils@1.2.1(zod@3.25.76)':
-    dependencies:
-      '@ai-sdk/provider': 1.1.0
-      '@ai-sdk/provider-utils': 2.2.1(zod@3.25.76)
-      zod: 3.25.76
-      zod-to-json-schema: 3.24.6(zod@3.25.76)
-
-  '@ai-sdk/ui-utils@1.2.11(zod@3.25.76)':
-    dependencies:
-      '@ai-sdk/provider': 1.1.3
-      '@ai-sdk/provider-utils': 2.2.8(zod@3.25.76)
-      zod: 3.25.76
-      zod-to-json-schema: 3.24.6(zod@3.25.76)
+    transitivePeerDependencies:
+      - zod
 
   '@alloc/quick-lru@5.2.0': {}
 
   '@ampproject/remapping@2.3.0':
     dependencies:
       '@jridgewell/gen-mapping': 0.3.8
-      '@jridgewell/trace-mapping': 0.3.25
+      '@jridgewell/trace-mapping': 0.3.31
 
   '@andrewbranch/untar.js@1.0.3': {}
 
@@ -21200,7 +17904,7 @@ snapshots:
       '@smithy/util-endpoints': 1.0.5
       '@smithy/util-retry': 2.0.7
       '@smithy/util-utf8': 2.3.0
-      fast-xml-parser: 4.2.5
+      fast-xml-parser: 4.5.6
       tslib: 2.8.1
     transitivePeerDependencies:
       - aws-crt
@@ -21269,7 +17973,7 @@ snapshots:
       '@smithy/util-body-length-browser': 4.0.0
       '@smithy/util-middleware': 4.0.4
       '@smithy/util-utf8': 4.0.0
-      fast-xml-parser: 4.4.1
+      fast-xml-parser: 4.5.6
       tslib: 2.8.1
 
   '@aws-sdk/core@3.840.0':
@@ -21287,7 +17991,7 @@ snapshots:
       '@smithy/util-body-length-browser': 4.2.0
       '@smithy/util-middleware': 4.2.5
       '@smithy/util-utf8': 4.2.0
-      fast-xml-parser: 4.4.1
+      fast-xml-parser: 4.5.6
       tslib: 2.8.1
 
   '@aws-sdk/core@3.931.0':
@@ -22500,39 +19204,40 @@ snapshots:
   '@aws-sdk/xml-builder@3.930.0':
     dependencies:
       '@smithy/types': 4.9.0
-      fast-xml-parser: 5.2.5
+      fast-xml-parser: 5.7.1
       tslib: 2.8.1
 
   '@aws/lambda-invoke-store@0.1.1': {}
 
   '@aws/lambda-invoke-store@0.2.1': {}
 
-  '@babel/code-frame@7.22.13':
-    dependencies:
-      '@babel/highlight': 7.22.13
-      chalk: 2.4.2
-
   '@babel/code-frame@7.24.7':
     dependencies:
       '@babel/highlight': 7.24.7
       picocolors: 1.1.1
 
+  '@babel/code-frame@7.29.7':
+    dependencies:
+      '@babel/helper-validator-identifier': 7.29.7
+      js-tokens: 4.0.0
+      picocolors: 1.1.1
+
   '@babel/compat-data@7.22.9': {}
 
   '@babel/core@7.22.17':
     dependencies:
       '@ampproject/remapping': 2.3.0
-      '@babel/code-frame': 7.22.13
-      '@babel/generator': 7.22.15
+      '@babel/code-frame': 7.24.7
+      '@babel/generator': 7.24.7
       '@babel/helper-compilation-targets': 7.22.15
       '@babel/helper-module-transforms': 7.22.17(@babel/core@7.22.17)
       '@babel/helpers': 7.22.15
-      '@babel/parser': 7.24.7
-      '@babel/template': 7.22.15
+      '@babel/parser': 7.27.5
+      '@babel/template': 7.24.7
       '@babel/traverse': 7.24.7
-      '@babel/types': 7.24.0
+      '@babel/types': 7.27.3
       convert-source-map: 1.9.0
-      debug: 4.4.1
+      debug: 4.4.3(supports-color@10.0.0)
       gensync: 1.0.0-beta.2
       json5: 2.2.3
       semver: 6.3.1
@@ -22547,29 +19252,30 @@ snapshots:
       eslint-visitor-keys: 2.1.0
       semver: 6.3.1
 
-  '@babel/generator@7.22.15':
-    dependencies:
-      '@babel/types': 7.24.0
-      '@jridgewell/gen-mapping': 0.3.2
-      '@jridgewell/trace-mapping': 0.3.19
-      jsesc: 2.5.2
-
   '@babel/generator@7.24.7':
     dependencies:
       '@babel/types': 7.27.3
       '@jridgewell/gen-mapping': 0.3.8
-      '@jridgewell/trace-mapping': 0.3.25
+      '@jridgewell/trace-mapping': 0.3.31
       jsesc: 2.5.2
 
+  '@babel/generator@7.29.7':
+    dependencies:
+      '@babel/parser': 7.29.7
+      '@babel/types': 7.29.7
+      '@jridgewell/gen-mapping': 0.3.13
+      '@jridgewell/trace-mapping': 0.3.31
+      jsesc: 3.0.2
+
   '@babel/helper-annotate-as-pure@7.22.5':
     dependencies:
-      '@babel/types': 7.27.0
+      '@babel/types': 7.27.3
 
   '@babel/helper-compilation-targets@7.22.15':
     dependencies:
       '@babel/compat-data': 7.22.9
       '@babel/helper-validator-option': 7.22.15
-      browserslist: 4.24.4
+      browserslist: 4.28.0
       lru-cache: 5.1.1
       semver: 6.3.1
 
@@ -22586,8 +19292,6 @@ snapshots:
       '@babel/helper-split-export-declaration': 7.24.7
       semver: 6.3.1
 
-  '@babel/helper-environment-visitor@7.22.20': {}
-
   '@babel/helper-environment-visitor@7.24.7':
     dependencies:
       '@babel/types': 7.27.3
@@ -22607,23 +19311,21 @@ snapshots:
 
   '@babel/helper-module-imports@7.22.15':
     dependencies:
-      '@babel/types': 7.27.0
+      '@babel/types': 7.27.3
 
   '@babel/helper-module-transforms@7.22.17(@babel/core@7.22.17)':
     dependencies:
       '@babel/core': 7.22.17
-      '@babel/helper-environment-visitor': 7.22.20
+      '@babel/helper-environment-visitor': 7.24.7
       '@babel/helper-module-imports': 7.22.15
       '@babel/helper-simple-access': 7.22.5
-      '@babel/helper-split-export-declaration': 7.22.6
-      '@babel/helper-validator-identifier': 7.25.9
+      '@babel/helper-split-export-declaration': 7.24.7
+      '@babel/helper-validator-identifier': 7.27.1
 
   '@babel/helper-optimise-call-expression@7.22.5':
     dependencies:
       '@babel/types': 7.27.3
 
-  '@babel/helper-plugin-utils@7.22.5': {}
-
   '@babel/helper-plugin-utils@7.24.0': {}
 
   '@babel/helper-replace-supers@7.22.20(@babel/core@7.22.17)':
@@ -22635,48 +19337,38 @@ snapshots:
 
   '@babel/helper-simple-access@7.22.5':
     dependencies:
-      '@babel/types': 7.27.0
+      '@babel/types': 7.27.3
 
   '@babel/helper-skip-transparent-expression-wrappers@7.22.5':
     dependencies:
       '@babel/types': 7.27.3
 
-  '@babel/helper-split-export-declaration@7.22.6':
-    dependencies:
-      '@babel/types': 7.27.0
-
   '@babel/helper-split-export-declaration@7.24.7':
     dependencies:
       '@babel/types': 7.27.3
 
   '@babel/helper-string-parser@7.24.7': {}
 
-  '@babel/helper-string-parser@7.25.9': {}
-
   '@babel/helper-string-parser@7.27.1': {}
 
-  '@babel/helper-validator-identifier@7.24.7': {}
+  '@babel/helper-string-parser@7.29.7': {}
 
-  '@babel/helper-validator-identifier@7.25.9': {}
+  '@babel/helper-validator-identifier@7.24.7': {}
 
   '@babel/helper-validator-identifier@7.27.1': {}
 
+  '@babel/helper-validator-identifier@7.29.7': {}
+
   '@babel/helper-validator-option@7.22.15': {}
 
   '@babel/helpers@7.22.15':
     dependencies:
-      '@babel/template': 7.22.15
+      '@babel/template': 7.24.7
       '@babel/traverse': 7.24.7
-      '@babel/types': 7.27.0
+      '@babel/types': 7.27.3
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/highlight@7.22.13':
-    dependencies:
-      '@babel/helper-validator-identifier': 7.25.9
-      chalk: 2.4.2
-      js-tokens: 4.0.0
-
   '@babel/highlight@7.24.7':
     dependencies:
       '@babel/helper-validator-identifier': 7.27.1
@@ -22684,22 +19376,22 @@ snapshots:
       js-tokens: 4.0.0
       picocolors: 1.1.1
 
-  '@babel/parser@7.24.1':
-    dependencies:
-      '@babel/types': 7.27.0
-
   '@babel/parser@7.24.7':
     dependencies:
       '@babel/types': 7.24.7
 
   '@babel/parser@7.27.0':
     dependencies:
-      '@babel/types': 7.27.0
+      '@babel/types': 7.29.7
 
   '@babel/parser@7.27.5':
     dependencies:
       '@babel/types': 7.27.3
 
+  '@babel/parser@7.29.7':
+    dependencies:
+      '@babel/types': 7.29.7
+
   '@babel/plugin-syntax-decorators@7.22.10(@babel/core@7.22.17)':
     dependencies:
       '@babel/core': 7.22.17
@@ -22725,7 +19417,7 @@ snapshots:
   '@babel/plugin-transform-react-display-name@7.18.6(@babel/core@7.22.17)':
     dependencies:
       '@babel/core': 7.22.17
-      '@babel/helper-plugin-utils': 7.22.5
+      '@babel/helper-plugin-utils': 7.24.0
 
   '@babel/plugin-transform-react-jsx-development@7.18.6(@babel/core@7.22.17)':
     dependencies:
@@ -22739,7 +19431,7 @@ snapshots:
       '@babel/helper-module-imports': 7.22.15
       '@babel/helper-plugin-utils': 7.24.0
       '@babel/plugin-syntax-jsx': 7.22.5(@babel/core@7.22.17)
-      '@babel/types': 7.27.0
+      '@babel/types': 7.27.3
 
   '@babel/plugin-transform-react-pure-annotations@7.18.6(@babel/core@7.22.17)':
     dependencies:
@@ -22790,26 +19482,22 @@ snapshots:
     dependencies:
       regenerator-runtime: 0.14.1
 
-  '@babel/runtime@7.27.0':
-    dependencies:
-      regenerator-runtime: 0.14.1
-
   '@babel/runtime@7.27.4': {}
 
   '@babel/runtime@7.28.4': {}
 
-  '@babel/template@7.22.15':
-    dependencies:
-      '@babel/code-frame': 7.22.13
-      '@babel/parser': 7.27.0
-      '@babel/types': 7.27.0
-
   '@babel/template@7.24.7':
     dependencies:
       '@babel/code-frame': 7.24.7
       '@babel/parser': 7.27.5
       '@babel/types': 7.27.3
 
+  '@babel/template@7.29.7':
+    dependencies:
+      '@babel/code-frame': 7.29.7
+      '@babel/parser': 7.29.7
+      '@babel/types': 7.29.7
+
   '@babel/traverse@7.24.7':
     dependencies:
       '@babel/code-frame': 7.24.7
@@ -22820,16 +19508,22 @@ snapshots:
       '@babel/helper-split-export-declaration': 7.24.7
       '@babel/parser': 7.27.5
       '@babel/types': 7.27.3
-      debug: 4.4.1
+      debug: 4.4.3(supports-color@10.0.0)
       globals: 11.12.0
     transitivePeerDependencies:
       - supports-color
 
-  '@babel/types@7.24.0':
+  '@babel/traverse@7.27.0':
     dependencies:
-      '@babel/helper-string-parser': 7.25.9
-      '@babel/helper-validator-identifier': 7.25.9
-      to-fast-properties: 2.0.0
+      '@babel/code-frame': 7.29.7
+      '@babel/generator': 7.29.7
+      '@babel/parser': 7.29.7
+      '@babel/template': 7.29.7
+      '@babel/types': 7.29.7
+      debug: 4.4.3(supports-color@10.0.0)
+      globals: 11.12.0
+    transitivePeerDependencies:
+      - supports-color
 
   '@babel/types@7.24.7':
     dependencies:
@@ -22837,16 +19531,16 @@ snapshots:
       '@babel/helper-validator-identifier': 7.24.7
       to-fast-properties: 2.0.0
 
-  '@babel/types@7.27.0':
-    dependencies:
-      '@babel/helper-string-parser': 7.25.9
-      '@babel/helper-validator-identifier': 7.25.9
-
   '@babel/types@7.27.3':
     dependencies:
       '@babel/helper-string-parser': 7.27.1
       '@babel/helper-validator-identifier': 7.27.1
 
+  '@babel/types@7.29.7':
+    dependencies:
+      '@babel/helper-string-parser': 7.29.7
+      '@babel/helper-validator-identifier': 7.29.7
+
   '@balena/dockerignore@1.0.2': {}
 
   '@bcoe/v8-coverage@1.0.2': {}
@@ -22859,13 +19553,11 @@ snapshots:
 
   '@bufbuild/protobuf@1.10.0': {}
 
-  '@bufbuild/protobuf@2.2.5': {}
-
   '@bugsnag/cuid@3.1.1': {}
 
   '@changesets/apply-release-plan@6.1.4':
     dependencies:
-      '@babel/runtime': 7.27.0
+      '@babel/runtime': 7.28.4
       '@changesets/config': 2.3.1
       '@changesets/get-version-range-type': 0.3.2
       '@changesets/git': 2.0.0
@@ -22881,7 +19573,7 @@ snapshots:
 
   '@changesets/assemble-release-plan@5.2.4(patch_hash=a7a12643e8d89a00d5322f750c292e8567b5ee0fc9c613a238a1184c25533e4b)':
     dependencies:
-      '@babel/runtime': 7.27.0
+      '@babel/runtime': 7.28.4
       '@changesets/errors': 0.1.4
       '@changesets/get-dependents-graph': 1.3.6
       '@changesets/types': 5.2.1
@@ -22959,7 +19651,7 @@ snapshots:
 
   '@changesets/get-release-plan@3.0.17':
     dependencies:
-      '@babel/runtime': 7.27.0
+      '@babel/runtime': 7.28.4
       '@changesets/assemble-release-plan': 5.2.4(patch_hash=a7a12643e8d89a00d5322f750c292e8567b5ee0fc9c613a238a1184c25533e4b)
       '@changesets/config': 2.3.1
       '@changesets/pre': 1.0.14
@@ -22971,7 +19663,7 @@ snapshots:
 
   '@changesets/git@2.0.0':
     dependencies:
-      '@babel/runtime': 7.27.0
+      '@babel/runtime': 7.28.4
       '@changesets/errors': 0.1.4
       '@changesets/types': 5.2.1
       '@manypkg/get-packages': 1.1.3
@@ -22990,7 +19682,7 @@ snapshots:
 
   '@changesets/pre@1.0.14':
     dependencies:
-      '@babel/runtime': 7.27.0
+      '@babel/runtime': 7.28.4
       '@changesets/errors': 0.1.4
       '@changesets/types': 5.2.1
       '@manypkg/get-packages': 1.1.3
@@ -22998,7 +19690,7 @@ snapshots:
 
   '@changesets/read@0.5.9':
     dependencies:
-      '@babel/runtime': 7.27.0
+      '@babel/runtime': 7.28.4
       '@changesets/git': 2.0.0
       '@changesets/logger': 0.0.5
       '@changesets/parse': 0.3.16
@@ -23013,28 +19705,26 @@ snapshots:
 
   '@changesets/write@0.2.3':
     dependencies:
-      '@babel/runtime': 7.27.0
+      '@babel/runtime': 7.28.4
       '@changesets/types': 5.2.1
       fs-extra: 7.0.1
       human-id: 1.0.2
       prettier: 2.8.8
 
-  '@chevrotain/cst-dts-gen@11.0.3':
+  '@chevrotain/cst-dts-gen@12.0.0':
     dependencies:
-      '@chevrotain/gast': 11.0.3
-      '@chevrotain/types': 11.0.3
-      lodash-es: 4.17.21
+      '@chevrotain/gast': 12.0.0
+      '@chevrotain/types': 12.0.0
 
-  '@chevrotain/gast@11.0.3':
+  '@chevrotain/gast@12.0.0':
     dependencies:
-      '@chevrotain/types': 11.0.3
-      lodash-es: 4.17.21
+      '@chevrotain/types': 12.0.0
 
-  '@chevrotain/regexp-to-ast@11.0.3': {}
+  '@chevrotain/regexp-to-ast@12.0.0': {}
 
-  '@chevrotain/types@11.0.3': {}
+  '@chevrotain/types@12.0.0': {}
 
-  '@chevrotain/utils@11.0.3': {}
+  '@chevrotain/utils@12.0.0': {}
 
   '@clack/core@0.5.0':
     dependencies:
@@ -23156,19 +19846,10 @@ snapshots:
       '@connectrpc/connect': 1.4.0(@bufbuild/protobuf@1.10.0)
       undici: 5.29.0
 
-  '@connectrpc/connect-web@2.0.0-rc.3(@bufbuild/protobuf@2.2.5)(@connectrpc/connect@2.0.0-rc.3(@bufbuild/protobuf@2.2.5))':
-    dependencies:
-      '@bufbuild/protobuf': 2.2.5
-      '@connectrpc/connect': 2.0.0-rc.3(@bufbuild/protobuf@2.2.5)
-
   '@connectrpc/connect@1.4.0(@bufbuild/protobuf@1.10.0)':
     dependencies:
       '@bufbuild/protobuf': 1.10.0
 
-  '@connectrpc/connect@2.0.0-rc.3(@bufbuild/protobuf@2.2.5)':
-    dependencies:
-      '@bufbuild/protobuf': 2.2.5
-
   '@date-fns/tz@1.4.1': {}
 
   '@depot/cli-darwin-arm64@0.0.1-cli.2.80.0':
@@ -23216,24 +19897,6 @@ snapshots:
       '@connectrpc/connect': 1.4.0(@bufbuild/protobuf@1.10.0)
       '@connectrpc/connect-node': 1.4.0(@bufbuild/protobuf@1.10.0)(@connectrpc/connect@1.4.0(@bufbuild/protobuf@1.10.0))
 
-  '@discoveryjs/json-ext@0.5.7': {}
-
-  '@e2b/code-interpreter@1.1.0':
-    dependencies:
-      e2b: 1.2.1
-
-  '@effect/platform@0.63.2(@effect/schema@0.72.2(effect@3.7.2))(effect@3.7.2)':
-    dependencies:
-      '@effect/schema': 0.72.2(effect@3.7.2)
-      effect: 3.7.2
-      find-my-way-ts: 0.1.5
-      multipasta: 0.2.5
-
-  '@effect/schema@0.72.2(effect@3.7.2)':
-    dependencies:
-      effect: 3.7.2
-      fast-check: 3.23.2
-
   '@electric-sql/client@0.4.0':
     optionalDependencies:
       '@rollup/rollup-darwin-arm64': 4.53.2
@@ -23251,11 +19914,6 @@ snapshots:
     optionalDependencies:
       react: 18.2.0
 
-  '@emnapi/runtime@1.7.1':
-    dependencies:
-      tslib: 2.8.1
-    optional: true
-
   '@emotion/hash@0.9.0': {}
 
   '@emotion/is-prop-valid@0.8.8':
@@ -23268,7 +19926,7 @@ snapshots:
 
   '@epic-web/test-server@0.1.0(bufferutil@4.0.9)':
     dependencies:
-      '@hono/node-server': 1.12.2(hono@4.5.11)
+      '@hono/node-server': 1.12.2(hono@4.12.15)
       '@hono/node-ws': 1.0.4(@hono/node-server@1.12.2(hono@4.5.11))(bufferutil@4.0.9)
       '@open-draft/deferred-promise': 2.2.0
       '@types/ws': 8.5.12
@@ -23296,9 +19954,6 @@ snapshots:
   '@esbuild/aix-ppc64@0.19.11':
     optional: true
 
-  '@esbuild/aix-ppc64@0.21.5':
-    optional: true
-
   '@esbuild/aix-ppc64@0.23.0':
     optional: true
 
@@ -23308,6 +19963,9 @@ snapshots:
   '@esbuild/aix-ppc64@0.25.1':
     optional: true
 
+  '@esbuild/aix-ppc64@0.28.0':
+    optional: true
+
   '@esbuild/android-arm64@0.17.6':
     optional: true
 
@@ -23317,9 +19975,6 @@ snapshots:
   '@esbuild/android-arm64@0.19.11':
     optional: true
 
-  '@esbuild/android-arm64@0.21.5':
-    optional: true
-
   '@esbuild/android-arm64@0.23.0':
     optional: true
 
@@ -23329,6 +19984,9 @@ snapshots:
   '@esbuild/android-arm64@0.25.1':
     optional: true
 
+  '@esbuild/android-arm64@0.28.0':
+    optional: true
+
   '@esbuild/android-arm@0.15.18':
     optional: true
 
@@ -23341,9 +19999,6 @@ snapshots:
   '@esbuild/android-arm@0.19.11':
     optional: true
 
-  '@esbuild/android-arm@0.21.5':
-    optional: true
-
   '@esbuild/android-arm@0.23.0':
     optional: true
 
@@ -23353,6 +20008,9 @@ snapshots:
   '@esbuild/android-arm@0.25.1':
     optional: true
 
+  '@esbuild/android-arm@0.28.0':
+    optional: true
+
   '@esbuild/android-x64@0.17.6':
     optional: true
 
@@ -23362,9 +20020,6 @@ snapshots:
   '@esbuild/android-x64@0.19.11':
     optional: true
 
-  '@esbuild/android-x64@0.21.5':
-    optional: true
-
   '@esbuild/android-x64@0.23.0':
     optional: true
 
@@ -23374,6 +20029,9 @@ snapshots:
   '@esbuild/android-x64@0.25.1':
     optional: true
 
+  '@esbuild/android-x64@0.28.0':
+    optional: true
+
   '@esbuild/darwin-arm64@0.17.6':
     optional: true
 
@@ -23383,9 +20041,6 @@ snapshots:
   '@esbuild/darwin-arm64@0.19.11':
     optional: true
 
-  '@esbuild/darwin-arm64@0.21.5':
-    optional: true
-
   '@esbuild/darwin-arm64@0.23.0':
     optional: true
 
@@ -23395,6 +20050,9 @@ snapshots:
   '@esbuild/darwin-arm64@0.25.1':
     optional: true
 
+  '@esbuild/darwin-arm64@0.28.0':
+    optional: true
+
   '@esbuild/darwin-x64@0.17.6':
     optional: true
 
@@ -23404,9 +20062,6 @@ snapshots:
   '@esbuild/darwin-x64@0.19.11':
     optional: true
 
-  '@esbuild/darwin-x64@0.21.5':
-    optional: true
-
   '@esbuild/darwin-x64@0.23.0':
     optional: true
 
@@ -23416,6 +20071,9 @@ snapshots:
   '@esbuild/darwin-x64@0.25.1':
     optional: true
 
+  '@esbuild/darwin-x64@0.28.0':
+    optional: true
+
   '@esbuild/freebsd-arm64@0.17.6':
     optional: true
 
@@ -23425,9 +20083,6 @@ snapshots:
   '@esbuild/freebsd-arm64@0.19.11':
     optional: true
 
-  '@esbuild/freebsd-arm64@0.21.5':
-    optional: true
-
   '@esbuild/freebsd-arm64@0.23.0':
     optional: true
 
@@ -23437,6 +20092,9 @@ snapshots:
   '@esbuild/freebsd-arm64@0.25.1':
     optional: true
 
+  '@esbuild/freebsd-arm64@0.28.0':
+    optional: true
+
   '@esbuild/freebsd-x64@0.17.6':
     optional: true
 
@@ -23446,9 +20104,6 @@ snapshots:
   '@esbuild/freebsd-x64@0.19.11':
     optional: true
 
-  '@esbuild/freebsd-x64@0.21.5':
-    optional: true
-
   '@esbuild/freebsd-x64@0.23.0':
     optional: true
 
@@ -23458,6 +20113,9 @@ snapshots:
   '@esbuild/freebsd-x64@0.25.1':
     optional: true
 
+  '@esbuild/freebsd-x64@0.28.0':
+    optional: true
+
   '@esbuild/linux-arm64@0.17.6':
     optional: true
 
@@ -23467,9 +20125,6 @@ snapshots:
   '@esbuild/linux-arm64@0.19.11':
     optional: true
 
-  '@esbuild/linux-arm64@0.21.5':
-    optional: true
-
   '@esbuild/linux-arm64@0.23.0':
     optional: true
 
@@ -23479,6 +20134,9 @@ snapshots:
   '@esbuild/linux-arm64@0.25.1':
     optional: true
 
+  '@esbuild/linux-arm64@0.28.0':
+    optional: true
+
   '@esbuild/linux-arm@0.17.6':
     optional: true
 
@@ -23488,9 +20146,6 @@ snapshots:
   '@esbuild/linux-arm@0.19.11':
     optional: true
 
-  '@esbuild/linux-arm@0.21.5':
-    optional: true
-
   '@esbuild/linux-arm@0.23.0':
     optional: true
 
@@ -23500,6 +20155,9 @@ snapshots:
   '@esbuild/linux-arm@0.25.1':
     optional: true
 
+  '@esbuild/linux-arm@0.28.0':
+    optional: true
+
   '@esbuild/linux-ia32@0.17.6':
     optional: true
 
@@ -23509,9 +20167,6 @@ snapshots:
   '@esbuild/linux-ia32@0.19.11':
     optional: true
 
-  '@esbuild/linux-ia32@0.21.5':
-    optional: true
-
   '@esbuild/linux-ia32@0.23.0':
     optional: true
 
@@ -23521,6 +20176,9 @@ snapshots:
   '@esbuild/linux-ia32@0.25.1':
     optional: true
 
+  '@esbuild/linux-ia32@0.28.0':
+    optional: true
+
   '@esbuild/linux-loong64@0.15.18':
     optional: true
 
@@ -23533,9 +20191,6 @@ snapshots:
   '@esbuild/linux-loong64@0.19.11':
     optional: true
 
-  '@esbuild/linux-loong64@0.21.5':
-    optional: true
-
   '@esbuild/linux-loong64@0.23.0':
     optional: true
 
@@ -23545,6 +20200,9 @@ snapshots:
   '@esbuild/linux-loong64@0.25.1':
     optional: true
 
+  '@esbuild/linux-loong64@0.28.0':
+    optional: true
+
   '@esbuild/linux-mips64el@0.17.6':
     optional: true
 
@@ -23554,9 +20212,6 @@ snapshots:
   '@esbuild/linux-mips64el@0.19.11':
     optional: true
 
-  '@esbuild/linux-mips64el@0.21.5':
-    optional: true
-
   '@esbuild/linux-mips64el@0.23.0':
     optional: true
 
@@ -23566,6 +20221,9 @@ snapshots:
   '@esbuild/linux-mips64el@0.25.1':
     optional: true
 
+  '@esbuild/linux-mips64el@0.28.0':
+    optional: true
+
   '@esbuild/linux-ppc64@0.17.6':
     optional: true
 
@@ -23575,9 +20233,6 @@ snapshots:
   '@esbuild/linux-ppc64@0.19.11':
     optional: true
 
-  '@esbuild/linux-ppc64@0.21.5':
-    optional: true
-
   '@esbuild/linux-ppc64@0.23.0':
     optional: true
 
@@ -23587,6 +20242,9 @@ snapshots:
   '@esbuild/linux-ppc64@0.25.1':
     optional: true
 
+  '@esbuild/linux-ppc64@0.28.0':
+    optional: true
+
   '@esbuild/linux-riscv64@0.17.6':
     optional: true
 
@@ -23596,9 +20254,6 @@ snapshots:
   '@esbuild/linux-riscv64@0.19.11':
     optional: true
 
-  '@esbuild/linux-riscv64@0.21.5':
-    optional: true
-
   '@esbuild/linux-riscv64@0.23.0':
     optional: true
 
@@ -23608,6 +20263,9 @@ snapshots:
   '@esbuild/linux-riscv64@0.25.1':
     optional: true
 
+  '@esbuild/linux-riscv64@0.28.0':
+    optional: true
+
   '@esbuild/linux-s390x@0.17.6':
     optional: true
 
@@ -23617,9 +20275,6 @@ snapshots:
   '@esbuild/linux-s390x@0.19.11':
     optional: true
 
-  '@esbuild/linux-s390x@0.21.5':
-    optional: true
-
   '@esbuild/linux-s390x@0.23.0':
     optional: true
 
@@ -23629,6 +20284,9 @@ snapshots:
   '@esbuild/linux-s390x@0.25.1':
     optional: true
 
+  '@esbuild/linux-s390x@0.28.0':
+    optional: true
+
   '@esbuild/linux-x64@0.17.6':
     optional: true
 
@@ -23638,9 +20296,6 @@ snapshots:
   '@esbuild/linux-x64@0.19.11':
     optional: true
 
-  '@esbuild/linux-x64@0.21.5':
-    optional: true
-
   '@esbuild/linux-x64@0.23.0':
     optional: true
 
@@ -23650,12 +20305,18 @@ snapshots:
   '@esbuild/linux-x64@0.25.1':
     optional: true
 
+  '@esbuild/linux-x64@0.28.0':
+    optional: true
+
   '@esbuild/netbsd-arm64@0.24.2':
     optional: true
 
   '@esbuild/netbsd-arm64@0.25.1':
     optional: true
 
+  '@esbuild/netbsd-arm64@0.28.0':
+    optional: true
+
   '@esbuild/netbsd-x64@0.17.6':
     optional: true
 
@@ -23665,9 +20326,6 @@ snapshots:
   '@esbuild/netbsd-x64@0.19.11':
     optional: true
 
-  '@esbuild/netbsd-x64@0.21.5':
-    optional: true
-
   '@esbuild/netbsd-x64@0.23.0':
     optional: true
 
@@ -23677,6 +20335,9 @@ snapshots:
   '@esbuild/netbsd-x64@0.25.1':
     optional: true
 
+  '@esbuild/netbsd-x64@0.28.0':
+    optional: true
+
   '@esbuild/openbsd-arm64@0.23.0':
     optional: true
 
@@ -23686,6 +20347,9 @@ snapshots:
   '@esbuild/openbsd-arm64@0.25.1':
     optional: true
 
+  '@esbuild/openbsd-arm64@0.28.0':
+    optional: true
+
   '@esbuild/openbsd-x64@0.17.6':
     optional: true
 
@@ -23695,9 +20359,6 @@ snapshots:
   '@esbuild/openbsd-x64@0.19.11':
     optional: true
 
-  '@esbuild/openbsd-x64@0.21.5':
-    optional: true
-
   '@esbuild/openbsd-x64@0.23.0':
     optional: true
 
@@ -23707,6 +20368,12 @@ snapshots:
   '@esbuild/openbsd-x64@0.25.1':
     optional: true
 
+  '@esbuild/openbsd-x64@0.28.0':
+    optional: true
+
+  '@esbuild/openharmony-arm64@0.28.0':
+    optional: true
+
   '@esbuild/sunos-x64@0.17.6':
     optional: true
 
@@ -23716,9 +20383,6 @@ snapshots:
   '@esbuild/sunos-x64@0.19.11':
     optional: true
 
-  '@esbuild/sunos-x64@0.21.5':
-    optional: true
-
   '@esbuild/sunos-x64@0.23.0':
     optional: true
 
@@ -23728,6 +20392,9 @@ snapshots:
   '@esbuild/sunos-x64@0.25.1':
     optional: true
 
+  '@esbuild/sunos-x64@0.28.0':
+    optional: true
+
   '@esbuild/win32-arm64@0.17.6':
     optional: true
 
@@ -23737,9 +20404,6 @@ snapshots:
   '@esbuild/win32-arm64@0.19.11':
     optional: true
 
-  '@esbuild/win32-arm64@0.21.5':
-    optional: true
-
   '@esbuild/win32-arm64@0.23.0':
     optional: true
 
@@ -23749,6 +20413,9 @@ snapshots:
   '@esbuild/win32-arm64@0.25.1':
     optional: true
 
+  '@esbuild/win32-arm64@0.28.0':
+    optional: true
+
   '@esbuild/win32-ia32@0.17.6':
     optional: true
 
@@ -23758,9 +20425,6 @@ snapshots:
   '@esbuild/win32-ia32@0.19.11':
     optional: true
 
-  '@esbuild/win32-ia32@0.21.5':
-    optional: true
-
   '@esbuild/win32-ia32@0.23.0':
     optional: true
 
@@ -23770,6 +20434,9 @@ snapshots:
   '@esbuild/win32-ia32@0.25.1':
     optional: true
 
+  '@esbuild/win32-ia32@0.28.0':
+    optional: true
+
   '@esbuild/win32-x64@0.17.6':
     optional: true
 
@@ -23779,9 +20446,6 @@ snapshots:
   '@esbuild/win32-x64@0.19.11':
     optional: true
 
-  '@esbuild/win32-x64@0.21.5':
-    optional: true
-
   '@esbuild/win32-x64@0.23.0':
     optional: true
 
@@ -23791,6 +20455,9 @@ snapshots:
   '@esbuild/win32-x64@0.25.1':
     optional: true
 
+  '@esbuild/win32-x64@0.28.0':
+    optional: true
+
   '@eslint-community/eslint-utils@4.4.0(eslint@8.31.0)':
     dependencies:
       eslint: 8.31.0
@@ -23807,33 +20474,18 @@ snapshots:
       ignore: 5.2.4
       import-fresh: 3.3.0
       js-yaml: 4.1.1
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       strip-json-comments: 3.1.1
     transitivePeerDependencies:
       - supports-color
 
-  '@fal-ai/serverless-client@0.15.0':
-    dependencies:
-      '@msgpack/msgpack': 3.0.0-beta2
-      eventsource-parser: 1.1.2
-      robot3: 0.4.1
-
-  '@fast-csv/parse@5.0.2':
-    dependencies:
-      lodash.escaperegexp: 4.1.2
-      lodash.groupby: 4.6.0
-      lodash.isfunction: 3.0.9
-      lodash.isnil: 4.0.0
-      lodash.isundefined: 3.0.1
-      lodash.uniq: 4.5.0
-
   '@fastify/accept-negotiator@2.0.1': {}
 
-  '@fastify/ajv-compiler@4.0.2':
+  '@fastify/ajv-compiler@4.0.5':
     dependencies:
-      ajv: 8.17.1
-      ajv-formats: 3.0.1(ajv@8.17.1)
-      fast-uri: 3.0.6
+      ajv: 8.18.0
+      ajv-formats: 3.0.1(ajv@8.18.0)
+      fast-uri: 3.1.2
 
   '@fastify/busboy@2.1.1': {}
 
@@ -23859,7 +20511,7 @@ snapshots:
       '@lukeed/ms': 2.0.2
       escape-html: 1.0.3
       fast-decode-uri-component: 1.0.1
-      http-errors: 2.0.0
+      http-errors: 2.0.1
       mime: 3.0.0
 
   '@fastify/static@8.2.0':
@@ -23869,13 +20521,13 @@ snapshots:
       content-disposition: 0.5.4
       fastify-plugin: 5.0.1
       fastq: 1.19.1
-      glob: 11.0.0
+      glob: 11.1.0
 
-  '@fastify/websocket@11.0.1(bufferutil@4.0.9)':
+  '@fastify/websocket@11.2.0(bufferutil@4.0.9)':
     dependencies:
       duplexify: 4.1.3
       fastify-plugin: 5.0.1
-      ws: 8.18.0(bufferutil@4.0.9)
+      ws: 8.18.3(bufferutil@4.0.9)
     transitivePeerDependencies:
       - bufferutil
       - utf-8-validate
@@ -23918,12 +20570,6 @@ snapshots:
     transitivePeerDependencies:
       - '@types/react'
 
-  '@floating-ui/react-dom@2.0.9(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@floating-ui/dom': 1.6.5
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-
   '@floating-ui/utils@0.2.2': {}
 
   '@formatjs/ecma402-abstract@1.18.0':
@@ -23968,11 +20614,23 @@ snapshots:
       '@grpc/proto-loader': 0.7.13
       '@js-sdsl/ordered-map': 4.4.2
 
+  '@grpc/grpc-js@1.14.3':
+    dependencies:
+      '@grpc/proto-loader': 0.8.0
+      '@js-sdsl/ordered-map': 4.4.2
+
   '@grpc/proto-loader@0.7.13':
     dependencies:
       lodash.camelcase: 4.3.0
       long: 5.2.3
-      protobufjs: 7.3.2
+      protobufjs: 7.6.1
+      yargs: 17.7.2
+
+  '@grpc/proto-loader@0.8.0':
+    dependencies:
+      lodash.camelcase: 4.3.0
+      long: 5.3.2
+      protobufjs: 7.6.1
       yargs: 17.7.2
 
   '@hapi/boom@10.0.1':
@@ -24016,17 +20674,21 @@ snapshots:
     dependencies:
       react: 18.2.0
 
-  '@hono/node-server@1.12.2(hono@4.5.11)':
+  '@hono/node-server@1.12.2(hono@4.12.15)':
     dependencies:
-      hono: 4.5.11
+      hono: 4.12.15
 
   '@hono/node-server@1.19.9(hono@4.11.8)':
     dependencies:
       hono: 4.11.8
 
+  '@hono/node-server@1.19.9(hono@4.12.15)':
+    dependencies:
+      hono: 4.12.15
+
   '@hono/node-ws@1.0.4(@hono/node-server@1.12.2(hono@4.5.11))(bufferutil@4.0.9)':
     dependencies:
-      '@hono/node-server': 1.12.2(hono@4.5.11)
+      '@hono/node-server': 1.12.2(hono@4.12.15)
       ws: 8.18.3(bufferutil@4.0.9)
     transitivePeerDependencies:
       - bufferutil
@@ -24036,7 +20698,7 @@ snapshots:
     dependencies:
       '@humanwhocodes/object-schema': 1.2.1
       debug: 4.4.3(supports-color@10.0.0)
-      minimatch: 3.1.2
+      minimatch: 3.1.5
     transitivePeerDependencies:
       - supports-color
 
@@ -24059,201 +20721,24 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@img/colour@1.0.0':
-    optional: true
-
-  '@img/sharp-darwin-arm64@0.33.5':
-    optionalDependencies:
-      '@img/sharp-libvips-darwin-arm64': 1.0.4
-    optional: true
-
-  '@img/sharp-darwin-arm64@0.34.5':
-    optionalDependencies:
-      '@img/sharp-libvips-darwin-arm64': 1.2.4
-    optional: true
-
-  '@img/sharp-darwin-x64@0.33.5':
-    optionalDependencies:
-      '@img/sharp-libvips-darwin-x64': 1.0.4
-    optional: true
-
-  '@img/sharp-darwin-x64@0.34.5':
-    optionalDependencies:
-      '@img/sharp-libvips-darwin-x64': 1.2.4
-    optional: true
-
-  '@img/sharp-libvips-darwin-arm64@1.0.4':
-    optional: true
-
-  '@img/sharp-libvips-darwin-arm64@1.2.4':
-    optional: true
-
-  '@img/sharp-libvips-darwin-x64@1.0.4':
-    optional: true
-
-  '@img/sharp-libvips-darwin-x64@1.2.4':
-    optional: true
-
-  '@img/sharp-libvips-linux-arm64@1.0.4':
-    optional: true
-
-  '@img/sharp-libvips-linux-arm64@1.2.4':
-    optional: true
-
-  '@img/sharp-libvips-linux-arm@1.0.5':
-    optional: true
-
-  '@img/sharp-libvips-linux-arm@1.2.4':
-    optional: true
-
-  '@img/sharp-libvips-linux-ppc64@1.2.4':
-    optional: true
-
-  '@img/sharp-libvips-linux-riscv64@1.2.4':
-    optional: true
-
-  '@img/sharp-libvips-linux-s390x@1.0.4':
-    optional: true
-
-  '@img/sharp-libvips-linux-s390x@1.2.4':
-    optional: true
-
-  '@img/sharp-libvips-linux-x64@1.0.4':
-    optional: true
-
-  '@img/sharp-libvips-linux-x64@1.2.4':
-    optional: true
-
-  '@img/sharp-libvips-linuxmusl-arm64@1.0.4':
-    optional: true
-
-  '@img/sharp-libvips-linuxmusl-arm64@1.2.4':
-    optional: true
-
-  '@img/sharp-libvips-linuxmusl-x64@1.0.4':
-    optional: true
-
-  '@img/sharp-libvips-linuxmusl-x64@1.2.4':
-    optional: true
-
-  '@img/sharp-linux-arm64@0.33.5':
-    optionalDependencies:
-      '@img/sharp-libvips-linux-arm64': 1.0.4
-    optional: true
-
-  '@img/sharp-linux-arm64@0.34.5':
-    optionalDependencies:
-      '@img/sharp-libvips-linux-arm64': 1.2.4
-    optional: true
-
-  '@img/sharp-linux-arm@0.33.5':
-    optionalDependencies:
-      '@img/sharp-libvips-linux-arm': 1.0.5
-    optional: true
-
-  '@img/sharp-linux-arm@0.34.5':
-    optionalDependencies:
-      '@img/sharp-libvips-linux-arm': 1.2.4
-    optional: true
-
-  '@img/sharp-linux-ppc64@0.34.5':
-    optionalDependencies:
-      '@img/sharp-libvips-linux-ppc64': 1.2.4
-    optional: true
-
-  '@img/sharp-linux-riscv64@0.34.5':
-    optionalDependencies:
-      '@img/sharp-libvips-linux-riscv64': 1.2.4
-    optional: true
-
-  '@img/sharp-linux-s390x@0.33.5':
-    optionalDependencies:
-      '@img/sharp-libvips-linux-s390x': 1.0.4
-    optional: true
-
-  '@img/sharp-linux-s390x@0.34.5':
-    optionalDependencies:
-      '@img/sharp-libvips-linux-s390x': 1.2.4
-    optional: true
-
-  '@img/sharp-linux-x64@0.33.5':
-    optionalDependencies:
-      '@img/sharp-libvips-linux-x64': 1.0.4
-    optional: true
-
-  '@img/sharp-linux-x64@0.34.5':
-    optionalDependencies:
-      '@img/sharp-libvips-linux-x64': 1.2.4
-    optional: true
-
-  '@img/sharp-linuxmusl-arm64@0.33.5':
-    optionalDependencies:
-      '@img/sharp-libvips-linuxmusl-arm64': 1.0.4
-    optional: true
-
-  '@img/sharp-linuxmusl-arm64@0.34.5':
-    optionalDependencies:
-      '@img/sharp-libvips-linuxmusl-arm64': 1.2.4
-    optional: true
-
-  '@img/sharp-linuxmusl-x64@0.33.5':
-    optionalDependencies:
-      '@img/sharp-libvips-linuxmusl-x64': 1.0.4
-    optional: true
-
-  '@img/sharp-linuxmusl-x64@0.34.5':
-    optionalDependencies:
-      '@img/sharp-libvips-linuxmusl-x64': 1.2.4
-    optional: true
-
-  '@img/sharp-wasm32@0.33.5':
+  '@internationalized/date@3.12.1':
     dependencies:
-      '@emnapi/runtime': 1.7.1
-    optional: true
-
-  '@img/sharp-wasm32@0.34.5':
-    dependencies:
-      '@emnapi/runtime': 1.7.1
-    optional: true
-
-  '@img/sharp-win32-arm64@0.34.5':
-    optional: true
-
-  '@img/sharp-win32-ia32@0.33.5':
-    optional: true
-
-  '@img/sharp-win32-ia32@0.34.5':
-    optional: true
-
-  '@img/sharp-win32-x64@0.33.5':
-    optional: true
-
-  '@img/sharp-win32-x64@0.34.5':
-    optional: true
+      '@swc/helpers': 0.5.15
 
   '@internationalized/date@3.5.1':
     dependencies:
       '@swc/helpers': 0.5.2
 
-  '@internationalized/date@3.5.5':
-    dependencies:
-      '@swc/helpers': 0.5.15
-
   '@internationalized/message@3.1.1':
     dependencies:
       '@swc/helpers': 0.5.15
       intl-messageformat: 10.5.8
 
-  '@internationalized/message@3.1.4':
-    dependencies:
-      '@swc/helpers': 0.5.15
-      intl-messageformat: 10.5.8
-
   '@internationalized/number@3.5.0':
     dependencies:
       '@swc/helpers': 0.5.15
 
-  '@internationalized/number@3.5.3':
+  '@internationalized/number@3.6.6':
     dependencies:
       '@swc/helpers': 0.5.15
 
@@ -24261,7 +20746,7 @@ snapshots:
     dependencies:
       '@swc/helpers': 0.5.15
 
-  '@internationalized/string@3.2.3':
+  '@internationalized/string@3.2.8':
     dependencies:
       '@swc/helpers': 0.5.15
 
@@ -24276,49 +20761,34 @@ snapshots:
       wrap-ansi: 8.1.0
       wrap-ansi-cjs: wrap-ansi@7.0.0
 
+  '@isaacs/cliui@9.0.0': {}
+
   '@isaacs/fs-minipass@4.0.1':
     dependencies:
       minipass: 7.1.2
 
-  '@istanbuljs/schema@0.1.3': {}
-
-  '@jridgewell/gen-mapping@0.3.2':
+  '@jridgewell/gen-mapping@0.3.13':
     dependencies:
-      '@jridgewell/set-array': 1.2.1
       '@jridgewell/sourcemap-codec': 1.5.5
-      '@jridgewell/trace-mapping': 0.3.25
+      '@jridgewell/trace-mapping': 0.3.31
 
   '@jridgewell/gen-mapping@0.3.8':
     dependencies:
       '@jridgewell/set-array': 1.2.1
       '@jridgewell/sourcemap-codec': 1.5.5
-      '@jridgewell/trace-mapping': 0.3.25
-
-  '@jridgewell/resolve-uri@3.1.0': {}
+      '@jridgewell/trace-mapping': 0.3.31
 
   '@jridgewell/resolve-uri@3.1.2': {}
 
   '@jridgewell/set-array@1.2.1': {}
 
-  '@jridgewell/source-map@0.3.3':
+  '@jridgewell/source-map@0.3.11':
     dependencies:
-      '@jridgewell/gen-mapping': 0.3.8
+      '@jridgewell/gen-mapping': 0.3.13
       '@jridgewell/trace-mapping': 0.3.31
 
-  '@jridgewell/sourcemap-codec@1.5.0': {}
-
   '@jridgewell/sourcemap-codec@1.5.5': {}
 
-  '@jridgewell/trace-mapping@0.3.19':
-    dependencies:
-      '@jridgewell/resolve-uri': 3.1.0
-      '@jridgewell/sourcemap-codec': 1.5.5
-
-  '@jridgewell/trace-mapping@0.3.25':
-    dependencies:
-      '@jridgewell/resolve-uri': 3.1.0
-      '@jridgewell/sourcemap-codec': 1.5.5
-
   '@jridgewell/trace-mapping@0.3.31':
     dependencies:
       '@jridgewell/resolve-uri': 3.1.2
@@ -24406,7 +20876,7 @@ snapshots:
       openid-client: 6.3.3
       rfc4648: 1.5.3
       stream-buffers: 3.0.2
-      tar: 7.4.3
+      tar: 7.5.13
       tmp-promise: 3.0.3
       tslib: 2.6.2
       ws: 8.18.0(bufferutil@4.0.9)
@@ -24415,6 +20885,12 @@ snapshots:
       - encoding
       - utf-8-validate
 
+  '@kwsites/file-exists@1.1.1':
+    dependencies:
+      debug: 4.4.3(supports-color@10.0.0)
+    transitivePeerDependencies:
+      - supports-color
+
   '@lezer/common@1.0.2': {}
 
   '@lezer/common@1.3.0': {}
@@ -24469,7 +20945,7 @@ snapshots:
 
   '@manypkg/get-packages@1.1.3':
     dependencies:
-      '@babel/runtime': 7.27.0
+      '@babel/runtime': 7.28.4
       '@changesets/types': 4.1.0
       '@manypkg/find-root': 1.1.0
       fs-extra: 8.1.0
@@ -24498,17 +20974,17 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@mermaid-js/parser@0.6.3':
+  '@mermaid-js/parser@1.1.0':
     dependencies:
-      langium: 3.3.1
+      langium: 4.2.2
 
   '@microsoft/fetch-event-source@2.0.1': {}
 
-  '@modelcontextprotocol/sdk@1.25.2(hono@4.11.8)(supports-color@10.0.0)(zod@3.25.76)':
+  '@modelcontextprotocol/sdk@1.25.2(hono@4.12.15)(supports-color@10.0.0)(zod@3.25.76)':
     dependencies:
-      '@hono/node-server': 1.19.9(hono@4.11.8)
-      ajv: 8.17.1
-      ajv-formats: 3.0.1(ajv@8.17.1)
+      '@hono/node-server': 1.19.9(hono@4.12.15)
+      ajv: 8.18.0
+      ajv-formats: 3.0.1(ajv@8.18.0)
       content-type: 1.0.5
       cors: 2.8.5
       cross-spawn: 7.0.6
@@ -24529,8 +21005,8 @@ snapshots:
   '@modelcontextprotocol/sdk@1.26.0(zod@3.25.76)':
     dependencies:
       '@hono/node-server': 1.19.9(hono@4.11.8)
-      ajv: 8.17.1
-      ajv-formats: 3.0.1(ajv@8.17.1)
+      ajv: 8.18.0
+      ajv-formats: 3.0.1(ajv@8.18.0)
       content-type: 1.0.5
       cors: 2.8.5
       cross-spawn: 7.0.6
@@ -24548,159 +21024,12 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@msgpack/msgpack@3.0.0-beta2': {}
-
-  '@neondatabase/serverless@0.9.5':
-    dependencies:
-      '@types/pg': 8.11.6
-
-  '@next/bundle-analyzer@15.0.2(bufferutil@4.0.9)':
-    dependencies:
-      webpack-bundle-analyzer: 4.10.1(bufferutil@4.0.9)
-    transitivePeerDependencies:
-      - bufferutil
-      - utf-8-validate
-
-  '@next/env@14.1.0': {}
-
-  '@next/env@14.2.21': {}
-
-  '@next/env@15.2.4': {}
-
-  '@next/env@15.4.8': {}
-
-  '@next/env@15.5.6': {}
-
-  '@next/swc-darwin-arm64@14.1.0':
-    optional: true
-
-  '@next/swc-darwin-arm64@14.2.21':
-    optional: true
-
-  '@next/swc-darwin-arm64@15.2.4':
-    optional: true
-
-  '@next/swc-darwin-arm64@15.4.8':
-    optional: true
-
-  '@next/swc-darwin-arm64@15.5.6':
-    optional: true
-
-  '@next/swc-darwin-x64@14.1.0':
-    optional: true
-
-  '@next/swc-darwin-x64@14.2.21':
-    optional: true
-
-  '@next/swc-darwin-x64@15.2.4':
-    optional: true
-
-  '@next/swc-darwin-x64@15.4.8':
-    optional: true
-
-  '@next/swc-darwin-x64@15.5.6':
-    optional: true
-
-  '@next/swc-linux-arm64-gnu@14.1.0':
-    optional: true
-
-  '@next/swc-linux-arm64-gnu@14.2.21':
-    optional: true
-
-  '@next/swc-linux-arm64-gnu@15.2.4':
-    optional: true
-
-  '@next/swc-linux-arm64-gnu@15.4.8':
-    optional: true
-
-  '@next/swc-linux-arm64-gnu@15.5.6':
-    optional: true
-
-  '@next/swc-linux-arm64-musl@14.1.0':
-    optional: true
-
-  '@next/swc-linux-arm64-musl@14.2.21':
-    optional: true
-
-  '@next/swc-linux-arm64-musl@15.2.4':
-    optional: true
-
-  '@next/swc-linux-arm64-musl@15.4.8':
-    optional: true
-
-  '@next/swc-linux-arm64-musl@15.5.6':
-    optional: true
-
-  '@next/swc-linux-x64-gnu@14.1.0':
-    optional: true
-
-  '@next/swc-linux-x64-gnu@14.2.21':
-    optional: true
-
-  '@next/swc-linux-x64-gnu@15.2.4':
-    optional: true
-
-  '@next/swc-linux-x64-gnu@15.4.8':
-    optional: true
-
-  '@next/swc-linux-x64-gnu@15.5.6':
-    optional: true
-
-  '@next/swc-linux-x64-musl@14.1.0':
-    optional: true
-
-  '@next/swc-linux-x64-musl@14.2.21':
-    optional: true
-
-  '@next/swc-linux-x64-musl@15.2.4':
-    optional: true
-
-  '@next/swc-linux-x64-musl@15.4.8':
-    optional: true
-
-  '@next/swc-linux-x64-musl@15.5.6':
-    optional: true
-
-  '@next/swc-win32-arm64-msvc@14.1.0':
-    optional: true
-
-  '@next/swc-win32-arm64-msvc@14.2.21':
-    optional: true
-
-  '@next/swc-win32-arm64-msvc@15.2.4':
-    optional: true
-
-  '@next/swc-win32-arm64-msvc@15.4.8':
-    optional: true
-
-  '@next/swc-win32-arm64-msvc@15.5.6':
-    optional: true
-
-  '@next/swc-win32-ia32-msvc@14.1.0':
-    optional: true
-
-  '@next/swc-win32-ia32-msvc@14.2.21':
-    optional: true
-
-  '@next/swc-win32-x64-msvc@14.1.0':
-    optional: true
-
-  '@next/swc-win32-x64-msvc@14.2.21':
-    optional: true
-
-  '@next/swc-win32-x64-msvc@15.2.4':
-    optional: true
-
-  '@next/swc-win32-x64-msvc@15.4.8':
-    optional: true
-
-  '@next/swc-win32-x64-msvc@15.5.6':
-    optional: true
-
   '@nicolo-ribaudo/eslint-scope-5-internals@5.1.1-v1':
     dependencies:
       eslint-scope: 5.1.1
 
+  '@nodable/entities@2.1.0': {}
+
   '@nodelib/fs.scandir@2.1.5':
     dependencies:
       '@nodelib/fs.stat': 2.0.5
@@ -24915,629 +21244,555 @@ snapshots:
 
   '@open-draft/deferred-promise@2.2.0': {}
 
-  '@opentelemetry/api-logs@0.203.0':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-
-  '@opentelemetry/api-logs@0.52.1':
+  '@opentelemetry/api-logs@0.214.0':
     dependencies:
-      '@opentelemetry/api': 1.9.0
+      '@opentelemetry/api': 1.9.1
 
-  '@opentelemetry/api-logs@0.57.0':
+  '@opentelemetry/api-logs@0.218.0':
     dependencies:
-      '@opentelemetry/api': 1.9.0
+      '@opentelemetry/api': 1.9.1
 
   '@opentelemetry/api-logs@0.57.2':
     dependencies:
-      '@opentelemetry/api': 1.9.0
+      '@opentelemetry/api': 1.9.1
 
   '@opentelemetry/api@1.8.0': {}
 
   '@opentelemetry/api@1.9.0': {}
 
-  '@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
+  '@opentelemetry/api@1.9.1': {}
 
-  '@opentelemetry/context-async-hooks@2.0.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/configuration@0.218.0(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      yaml: 2.9.0
 
-  '@opentelemetry/core@1.30.0(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/semantic-conventions': 1.28.0
+      '@opentelemetry/api': 1.9.1
 
-  '@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/context-async-hooks@2.7.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/semantic-conventions': 1.28.0
+      '@opentelemetry/api': 1.9.1
 
-  '@opentelemetry/core@2.0.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/semantic-conventions': 1.36.0
-
-  '@opentelemetry/core@2.2.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/semantic-conventions': 1.36.0
-
-  '@opentelemetry/exporter-logs-otlp-grpc@0.203.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@grpc/grpc-js': 1.12.6
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-exporter-base': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-grpc-exporter-base': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-transformer': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-logs': 0.203.0(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/exporter-logs-otlp-http@0.203.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/api-logs': 0.203.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-exporter-base': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-transformer': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-logs': 0.203.0(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/exporter-logs-otlp-proto@0.203.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/api-logs': 0.203.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-exporter-base': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-transformer': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-logs': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-base': 2.0.1(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/exporter-metrics-otlp-grpc@0.203.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@grpc/grpc-js': 1.12.6
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/exporter-metrics-otlp-http': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-exporter-base': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-grpc-exporter-base': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-transformer': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-metrics': 2.0.1(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/exporter-metrics-otlp-http@0.203.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-exporter-base': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-transformer': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-metrics': 2.0.1(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/exporter-metrics-otlp-proto@0.203.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/exporter-metrics-otlp-http': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-exporter-base': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-transformer': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-metrics': 2.0.1(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/exporter-prometheus@0.203.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-metrics': 2.0.1(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/exporter-trace-otlp-grpc@0.203.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@grpc/grpc-js': 1.12.6
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-exporter-base': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-grpc-exporter-base': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-transformer': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-base': 2.0.1(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/exporter-trace-otlp-http@0.203.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-exporter-base': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-transformer': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-base': 2.0.1(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/exporter-trace-otlp-http@0.57.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-exporter-base': 0.57.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-transformer': 0.57.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 1.30.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-base': 1.30.0(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/exporter-trace-otlp-proto@0.203.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-exporter-base': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-transformer': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-base': 2.0.1(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/exporter-zipkin@2.0.1(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-base': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
-
-  '@opentelemetry/host-metrics@0.37.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      systeminformation: 5.27.14
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/semantic-conventions': 1.28.0
 
-  '@opentelemetry/instrumentation-amqplib@0.46.1(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+  '@opentelemetry/core@2.7.1(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/semantic-conventions': 1.41.1
+
+  '@opentelemetry/exporter-logs-otlp-grpc@0.218.0(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@grpc/grpc-js': 1.14.3
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-exporter-base': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-grpc-exporter-base': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-transformer': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-logs': 0.218.0(@opentelemetry/api@1.9.1)
+
+  '@opentelemetry/exporter-logs-otlp-http@0.218.0(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/api-logs': 0.218.0
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-exporter-base': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-transformer': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-logs': 0.218.0(@opentelemetry/api@1.9.1)
+
+  '@opentelemetry/exporter-logs-otlp-proto@0.218.0(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/api-logs': 0.218.0
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-exporter-base': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-transformer': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-logs': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-trace-base': 2.7.1(@opentelemetry/api@1.9.1)
+
+  '@opentelemetry/exporter-metrics-otlp-grpc@0.218.0(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@grpc/grpc-js': 1.14.3
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/exporter-metrics-otlp-http': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-exporter-base': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-grpc-exporter-base': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-transformer': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-metrics': 2.7.1(@opentelemetry/api@1.9.1)
+
+  '@opentelemetry/exporter-metrics-otlp-http@0.218.0(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-exporter-base': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-transformer': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-metrics': 2.7.1(@opentelemetry/api@1.9.1)
+
+  '@opentelemetry/exporter-metrics-otlp-proto@0.218.0(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/exporter-metrics-otlp-http': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-exporter-base': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-transformer': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-metrics': 2.7.1(@opentelemetry/api@1.9.1)
+
+  '@opentelemetry/exporter-prometheus@0.218.0(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-metrics': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
+
+  '@opentelemetry/exporter-trace-otlp-grpc@0.218.0(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@grpc/grpc-js': 1.14.3
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-exporter-base': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-grpc-exporter-base': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-transformer': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-trace-base': 2.7.1(@opentelemetry/api@1.9.1)
+
+  '@opentelemetry/exporter-trace-otlp-http@0.218.0(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-exporter-base': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-transformer': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-trace-base': 2.7.1(@opentelemetry/api@1.9.1)
+
+  '@opentelemetry/exporter-trace-otlp-proto@0.218.0(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-exporter-base': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-transformer': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-trace-base': 2.7.1(@opentelemetry/api@1.9.1)
+
+  '@opentelemetry/exporter-zipkin@2.7.1(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-trace-base': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
+
+  '@opentelemetry/host-metrics@0.38.3(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@opentelemetry/api': 1.9.1
+      systeminformation: 5.31.7
+
+  '@opentelemetry/instrumentation-amqplib@0.46.1(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-aws-sdk@0.57.0(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-aws-sdk@0.69.0(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.203.0(@opentelemetry/api@1.9.0)(supports-color@10.0.0)
-      '@opentelemetry/propagation-utils': 0.31.3(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.214.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-connect@0.43.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-connect@0.43.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
       '@types/connect': 3.4.38
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-dataloader@0.16.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-dataloader@0.16.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-express@0.47.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-express@0.47.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-express@0.52.0(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-express@0.62.0(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.203.0(@opentelemetry/api@1.9.0)(supports-color@10.0.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.214.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-fetch@0.203.0(@opentelemetry/api@1.9.0)(supports-color@10.0.0)':
+  '@opentelemetry/instrumentation-fetch@0.218.0(@opentelemetry/api@1.9.1)(supports-color@10.0.0)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.203.0(@opentelemetry/api@1.9.0)(supports-color@10.0.0)
-      '@opentelemetry/sdk-trace-web': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.218.0(@opentelemetry/api@1.9.1)(supports-color@10.0.0)
+      '@opentelemetry/sdk-trace-web': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-fs@0.19.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-fs@0.19.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-generic-pool@0.43.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-generic-pool@0.43.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-graphql@0.47.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-graphql@0.47.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-hapi@0.45.2(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-hapi@0.45.2(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-http@0.203.0(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-http@0.218.0(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.203.0(@opentelemetry/api@1.9.0)(supports-color@10.0.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.218.0(@opentelemetry/api@1.9.1)(supports-color@10.0.0)
+      '@opentelemetry/semantic-conventions': 1.41.1
       forwarded-parse: 2.1.2
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-http@0.57.2(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-http@0.57.2(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
       '@opentelemetry/semantic-conventions': 1.28.0
       forwarded-parse: 2.1.2
       semver: 7.7.3
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-ioredis@0.47.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-ioredis@0.47.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
       '@opentelemetry/redis-common': 0.36.2
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/semantic-conventions': 1.41.1
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-kafkajs@0.7.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-kafkajs@0.7.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-knex@0.44.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-knex@0.44.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-koa@0.47.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-koa@0.47.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-lru-memoizer@0.44.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-lru-memoizer@0.44.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-mongodb@0.52.0(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-mongodb@0.52.0(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-mongoose@0.46.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-mongoose@0.46.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-mysql2@0.45.2(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-mysql2@0.45.2(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
-      '@opentelemetry/sql-common': 0.40.1(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
+      '@opentelemetry/sql-common': 0.40.1(@opentelemetry/api@1.9.1)
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-mysql@0.45.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-mysql@0.45.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
       '@types/mysql': 2.15.26
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-pg@0.51.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-pg@0.51.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
-      '@opentelemetry/sql-common': 0.40.1(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
+      '@opentelemetry/sql-common': 0.40.1(@opentelemetry/api@1.9.1)
       '@types/pg': 8.6.1
       '@types/pg-pool': 2.0.6
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-redis-4@0.46.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-redis-4@0.46.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
       '@opentelemetry/redis-common': 0.36.2
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/semantic-conventions': 1.41.1
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-tedious@0.18.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-tedious@0.18.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
       '@types/tedious': 4.0.14
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-undici@0.10.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation-undici@0.10.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation-undici@0.14.0(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation@0.214.0(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.203.0(@opentelemetry/api@1.9.0)(supports-color@10.0.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/api-logs': 0.214.0
+      import-in-the-middle: 3.0.1
+      require-in-the-middle: 8.0.1(supports-color@10.0.0)
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation@0.203.0(@opentelemetry/api@1.9.0)(supports-color@10.0.0)':
+  '@opentelemetry/instrumentation@0.218.0(@opentelemetry/api@1.9.1)(supports-color@10.0.0)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/api-logs': 0.203.0
-      import-in-the-middle: 1.11.0
-      require-in-the-middle: 7.1.1(supports-color@10.0.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/api-logs': 0.218.0
+      import-in-the-middle: 3.0.1
+      require-in-the-middle: 8.0.1(supports-color@10.0.0)
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/instrumentation@0.52.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/instrumentation@0.57.2(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/api-logs': 0.52.1
-      '@types/shimmer': 1.2.0
-      import-in-the-middle: 1.11.0
-      require-in-the-middle: 7.1.1(supports-color@10.0.0)
-      semver: 7.7.3
-      shimmer: 1.2.1
-    transitivePeerDependencies:
-      - supports-color
-
-  '@opentelemetry/instrumentation@0.57.2(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
+      '@opentelemetry/api': 1.9.1
       '@opentelemetry/api-logs': 0.57.2
       '@types/shimmer': 1.2.0
-      import-in-the-middle: 1.11.0
-      require-in-the-middle: 7.1.1(supports-color@10.0.0)
+      import-in-the-middle: 1.15.0
+      require-in-the-middle: 7.5.2
       semver: 7.7.3
       shimmer: 1.2.1
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/otlp-exporter-base@0.203.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-transformer': 0.203.0(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/otlp-exporter-base@0.57.0(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/otlp-exporter-base@0.218.0(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-transformer': 0.57.0(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-transformer': 0.218.0(@opentelemetry/api@1.9.1)
 
-  '@opentelemetry/otlp-grpc-exporter-base@0.203.0(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/otlp-grpc-exporter-base@0.218.0(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@grpc/grpc-js': 1.12.6
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-exporter-base': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/otlp-transformer': 0.203.0(@opentelemetry/api@1.9.0)
+      '@grpc/grpc-js': 1.14.3
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-exporter-base': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/otlp-transformer': 0.218.0(@opentelemetry/api@1.9.1)
 
-  '@opentelemetry/otlp-transformer@0.203.0(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/otlp-transformer@0.218.0(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/api-logs': 0.203.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-logs': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-metrics': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-base': 2.0.1(@opentelemetry/api@1.9.0)
-      protobufjs: 7.3.2
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/api-logs': 0.218.0
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-logs': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-metrics': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-trace-base': 2.7.1(@opentelemetry/api@1.9.1)
 
-  '@opentelemetry/otlp-transformer@0.57.0(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/propagator-b3@2.7.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/api-logs': 0.57.0
-      '@opentelemetry/core': 1.30.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 1.30.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-logs': 0.57.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-metrics': 1.30.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-base': 1.30.0(@opentelemetry/api@1.9.0)
-      protobufjs: 7.3.2
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
 
-  '@opentelemetry/propagation-utils@0.31.3(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/propagator-jaeger@2.7.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-
-  '@opentelemetry/propagator-b3@2.0.1(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/propagator-jaeger@2.0.1(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
 
   '@opentelemetry/redis-common@0.36.2': {}
 
-  '@opentelemetry/resource-detector-aws@2.3.0(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/resource-detector-aws@2.14.0(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
 
-  '@opentelemetry/resources@1.30.0(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/resources@1.30.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.0(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
       '@opentelemetry/semantic-conventions': 1.28.0
 
-  '@opentelemetry/resources@1.30.1(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.28.0
-
-  '@opentelemetry/resources@2.0.1(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
-
-  '@opentelemetry/resources@2.2.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.2.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
-
-  '@opentelemetry/sdk-logs@0.203.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/api-logs': 0.203.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/sdk-logs@0.57.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/api-logs': 0.57.0
-      '@opentelemetry/core': 1.30.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 1.30.0(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/sdk-metrics@1.30.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 1.30.0(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/sdk-metrics@2.0.1(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
-
-  '@opentelemetry/sdk-node@0.203.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/api-logs': 0.203.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/exporter-logs-otlp-grpc': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/exporter-logs-otlp-http': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/exporter-logs-otlp-proto': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/exporter-metrics-otlp-grpc': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/exporter-metrics-otlp-http': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/exporter-metrics-otlp-proto': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/exporter-prometheus': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/exporter-trace-otlp-grpc': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/exporter-trace-otlp-http': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/exporter-trace-otlp-proto': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/exporter-zipkin': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.203.0(@opentelemetry/api@1.9.0)(supports-color@10.0.0)
-      '@opentelemetry/propagator-b3': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/propagator-jaeger': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-logs': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-metrics': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-base': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-node': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+  '@opentelemetry/resources@2.7.1(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
+
+  '@opentelemetry/sdk-logs@0.218.0(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/api-logs': 0.218.0
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
+
+  '@opentelemetry/sdk-metrics@2.7.1(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 2.7.1(@opentelemetry/api@1.9.1)
+
+  '@opentelemetry/sdk-node@0.218.0(@opentelemetry/api@1.9.1)':
+    dependencies:
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/api-logs': 0.218.0
+      '@opentelemetry/configuration': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/context-async-hooks': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/exporter-logs-otlp-grpc': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/exporter-logs-otlp-http': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/exporter-logs-otlp-proto': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/exporter-metrics-otlp-grpc': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/exporter-metrics-otlp-http': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/exporter-metrics-otlp-proto': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/exporter-prometheus': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/exporter-trace-otlp-grpc': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/exporter-trace-otlp-http': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/exporter-trace-otlp-proto': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/exporter-zipkin': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.218.0(@opentelemetry/api@1.9.1)(supports-color@10.0.0)
+      '@opentelemetry/otlp-exporter-base': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/propagator-b3': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/propagator-jaeger': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-logs': 0.218.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-metrics': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-trace-base': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-trace-node': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
     transitivePeerDependencies:
       - supports-color
 
-  '@opentelemetry/sdk-trace-base@1.30.0(@opentelemetry/api@1.9.0)':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 1.30.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.28.0
-
-  '@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 1.30.1(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 1.30.1(@opentelemetry/api@1.9.1)
       '@opentelemetry/semantic-conventions': 1.28.0
 
-  '@opentelemetry/sdk-trace-base@2.0.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/sdk-trace-base@2.7.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
 
-  '@opentelemetry/sdk-trace-node@2.0.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/sdk-trace-node@2.7.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/context-async-hooks': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-base': 2.0.1(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/context-async-hooks': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-trace-base': 2.7.1(@opentelemetry/api@1.9.1)
 
-  '@opentelemetry/sdk-trace-web@2.0.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/sdk-trace-web@2.7.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-base': 2.0.1(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 2.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-trace-base': 2.7.1(@opentelemetry/api@1.9.1)
 
   '@opentelemetry/semantic-conventions@1.28.0': {}
 
-  '@opentelemetry/semantic-conventions@1.36.0': {}
+  '@opentelemetry/semantic-conventions@1.41.1': {}
 
-  '@opentelemetry/sql-common@0.40.1(@opentelemetry/api@1.9.0)':
+  '@opentelemetry/sql-common@0.40.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
+
+  '@pinojs/redact@0.4.0': {}
 
   '@pkgjs/parseargs@0.11.0':
     optional: true
@@ -25560,56 +21815,19 @@ snapshots:
 
   '@polka/url@0.5.0': {}
 
-  '@polka/url@1.0.0-next.28': {}
-
   '@popperjs/core@2.11.8': {}
 
-  '@prisma/adapter-pg@6.16.0':
+  '@posthog/core@1.29.13':
     dependencies:
-      '@prisma/driver-adapter-utils': 6.16.0
-      pg: 8.16.3
-      postgres-array: 3.0.4
-    transitivePeerDependencies:
-      - pg-native
+      '@posthog/types': 1.376.4
 
-  '@prisma/adapter-pg@6.20.0-integration-next.8':
-    dependencies:
-      '@prisma/driver-adapter-utils': 6.20.0-integration-next.8
-      pg: 8.16.3
-      postgres-array: 3.0.4
-    transitivePeerDependencies:
-      - pg-native
-
-  '@prisma/client-runtime-utils@6.20.0-integration-next.8': {}
-
-  '@prisma/client@4.9.0(prisma@6.14.0(magicast@0.3.5)(typescript@5.5.4))':
-    dependencies:
-      '@prisma/engines-version': 4.9.0-42.ceb5c99003b99c9ee2c1d2e618e359c14aef2ea5
-    optionalDependencies:
-      prisma: 6.14.0(magicast@0.3.5)(typescript@5.5.4)
+  '@posthog/types@1.376.4': {}
 
   '@prisma/client@6.14.0(prisma@6.14.0(magicast@0.3.5)(typescript@5.5.4))(typescript@5.5.4)':
     optionalDependencies:
       prisma: 6.14.0(magicast@0.3.5)(typescript@5.5.4)
       typescript: 5.5.4
 
-  '@prisma/client@6.16.0(prisma@6.16.0(magicast@0.3.5)(typescript@5.5.4))(typescript@5.5.4)':
-    optionalDependencies:
-      prisma: 6.16.0(magicast@0.3.5)(typescript@5.5.4)
-      typescript: 5.5.4
-
-  '@prisma/client@6.19.0(prisma@6.19.0(typescript@5.5.4))(typescript@5.5.4)':
-    optionalDependencies:
-      prisma: 6.19.0(typescript@5.5.4)
-      typescript: 5.5.4
-
-  '@prisma/client@6.20.0-integration-next.8(prisma@6.20.0-integration-next.8(@types/react@19.2.14)(magicast@0.3.5)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)(typescript@5.5.4))(typescript@5.5.4)':
-    dependencies:
-      '@prisma/client-runtime-utils': 6.20.0-integration-next.8
-    optionalDependencies:
-      prisma: 6.20.0-integration-next.8(@types/react@19.2.14)(magicast@0.3.5)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)(typescript@5.5.4)
-      typescript: 5.5.4
-
   '@prisma/config@6.14.0(magicast@0.3.5)':
     dependencies:
       c12: 3.1.0(magicast@0.3.5)
@@ -25619,15 +21837,6 @@ snapshots:
     transitivePeerDependencies:
       - magicast
 
-  '@prisma/config@6.16.0(magicast@0.3.5)':
-    dependencies:
-      c12: 3.1.0(magicast@0.3.5)
-      deepmerge-ts: 7.1.5
-      effect: 3.16.12
-      empathic: 2.0.0
-    transitivePeerDependencies:
-      - magicast
-
   '@prisma/config@6.19.0(magicast@0.3.5)':
     dependencies:
       c12: 3.1.0(magicast@0.3.5)
@@ -25637,49 +21846,10 @@ snapshots:
     transitivePeerDependencies:
       - magicast
 
-  '@prisma/config@6.20.0-integration-next.8(magicast@0.3.5)':
-    dependencies:
-      c12: 3.1.0(magicast@0.3.5)
-      deepmerge-ts: 7.1.5
-      effect: 3.18.4
-      empathic: 2.0.0
-    transitivePeerDependencies:
-      - magicast
-
-  '@prisma/debug@4.16.2':
-    dependencies:
-      '@types/debug': 4.1.8
-      debug: 4.3.4
-      strip-ansi: 6.0.1
-    transitivePeerDependencies:
-      - supports-color
-
   '@prisma/debug@6.14.0': {}
 
-  '@prisma/debug@6.16.0': {}
-
-  '@prisma/debug@6.19.0': {}
-
-  '@prisma/debug@6.20.0-integration-next.8': {}
-
-  '@prisma/driver-adapter-utils@6.16.0':
-    dependencies:
-      '@prisma/debug': 6.16.0
-
-  '@prisma/driver-adapter-utils@6.20.0-integration-next.8':
-    dependencies:
-      '@prisma/debug': 6.20.0-integration-next.8
-
-  '@prisma/engines-version@4.9.0-42.ceb5c99003b99c9ee2c1d2e618e359c14aef2ea5': {}
-
   '@prisma/engines-version@6.14.0-25.717184b7b35ea05dfa71a3236b7af656013e1e49': {}
 
-  '@prisma/engines-version@6.16.0-7.1c57fdcd7e44b29b9313256c76699e91c3ac3c43': {}
-
-  '@prisma/engines-version@6.19.0-26.2ba551f319ab1df4bc874a89965d8b3641056773': {}
-
-  '@prisma/engines-version@6.20.0-11.next-80ee0a44bf5668992b0c909c946a755b86b56c95': {}
-
   '@prisma/engines@6.14.0':
     dependencies:
       '@prisma/debug': 6.14.0
@@ -25687,157 +21857,70 @@ snapshots:
       '@prisma/fetch-engine': 6.14.0
       '@prisma/get-platform': 6.14.0
 
-  '@prisma/engines@6.16.0':
-    dependencies:
-      '@prisma/debug': 6.16.0
-      '@prisma/engines-version': 6.16.0-7.1c57fdcd7e44b29b9313256c76699e91c3ac3c43
-      '@prisma/fetch-engine': 6.16.0
-      '@prisma/get-platform': 6.16.0
-
-  '@prisma/engines@6.19.0':
-    dependencies:
-      '@prisma/debug': 6.19.0
-      '@prisma/engines-version': 6.19.0-26.2ba551f319ab1df4bc874a89965d8b3641056773
-      '@prisma/fetch-engine': 6.19.0
-      '@prisma/get-platform': 6.19.0
-
-  '@prisma/engines@6.20.0-integration-next.8':
-    dependencies:
-      '@prisma/debug': 6.20.0-integration-next.8
-      '@prisma/engines-version': 6.20.0-11.next-80ee0a44bf5668992b0c909c946a755b86b56c95
-      '@prisma/fetch-engine': 6.20.0-integration-next.8
-      '@prisma/get-platform': 6.20.0-integration-next.8
-
   '@prisma/fetch-engine@6.14.0':
     dependencies:
       '@prisma/debug': 6.14.0
       '@prisma/engines-version': 6.14.0-25.717184b7b35ea05dfa71a3236b7af656013e1e49
       '@prisma/get-platform': 6.14.0
 
-  '@prisma/fetch-engine@6.16.0':
-    dependencies:
-      '@prisma/debug': 6.16.0
-      '@prisma/engines-version': 6.16.0-7.1c57fdcd7e44b29b9313256c76699e91c3ac3c43
-      '@prisma/get-platform': 6.16.0
-
-  '@prisma/fetch-engine@6.19.0':
-    dependencies:
-      '@prisma/debug': 6.19.0
-      '@prisma/engines-version': 6.19.0-26.2ba551f319ab1df4bc874a89965d8b3641056773
-      '@prisma/get-platform': 6.19.0
-
-  '@prisma/fetch-engine@6.20.0-integration-next.8':
-    dependencies:
-      '@prisma/debug': 6.20.0-integration-next.8
-      '@prisma/engines-version': 6.20.0-11.next-80ee0a44bf5668992b0c909c946a755b86b56c95
-      '@prisma/get-platform': 6.20.0-integration-next.8
-
-  '@prisma/generator-helper@4.16.2':
-    dependencies:
-      '@prisma/debug': 4.16.2
-      '@types/cross-spawn': 6.0.2
-      cross-spawn: 7.0.3
-      kleur: 4.1.5
-    transitivePeerDependencies:
-      - supports-color
-
   '@prisma/get-platform@6.14.0':
     dependencies:
       '@prisma/debug': 6.14.0
 
-  '@prisma/get-platform@6.16.0':
-    dependencies:
-      '@prisma/debug': 6.16.0
-
-  '@prisma/get-platform@6.19.0':
-    dependencies:
-      '@prisma/debug': 6.19.0
-
-  '@prisma/get-platform@6.20.0-integration-next.8':
-    dependencies:
-      '@prisma/debug': 6.20.0-integration-next.8
-
-  '@prisma/instrumentation@6.11.1(@opentelemetry/api@1.9.0)':
+  '@prisma/instrumentation@6.11.1(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
     transitivePeerDependencies:
       - supports-color
 
-  '@prisma/instrumentation@6.14.0(@opentelemetry/api@1.9.0)':
+  '@prisma/instrumentation@6.14.0(@opentelemetry/api@1.9.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/instrumentation': 0.52.1(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
     transitivePeerDependencies:
       - supports-color
 
-  '@prisma/studio-core-licensed@0.6.0(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)':
-    dependencies:
-      '@types/react': 19.2.14
-      react: 19.1.0
-      react-dom: 19.1.0(react@19.1.0)
-
   '@protobuf-ts/runtime@2.11.1': {}
 
   '@protobufjs/aspromise@1.1.2': {}
 
   '@protobufjs/base64@1.1.2': {}
 
-  '@protobufjs/codegen@2.0.4': {}
+  '@protobufjs/codegen@2.0.5': {}
 
-  '@protobufjs/eventemitter@1.1.0': {}
+  '@protobufjs/eventemitter@1.1.1': {}
 
-  '@protobufjs/fetch@1.1.0':
+  '@protobufjs/fetch@1.1.1':
     dependencies:
       '@protobufjs/aspromise': 1.1.2
-      '@protobufjs/inquire': 1.1.0
 
   '@protobufjs/float@1.0.2': {}
 
-  '@protobufjs/inquire@1.1.0': {}
+  '@protobufjs/inquire@1.1.2': {}
 
   '@protobufjs/path@1.1.2': {}
 
   '@protobufjs/pool@1.1.0': {}
 
-  '@protobufjs/utf8@1.1.0': {}
-
-  '@puppeteer/browsers@2.10.6':
-    dependencies:
-      debug: 4.4.3(supports-color@10.0.0)
-      extract-zip: 2.0.1
-      progress: 2.0.3
-      proxy-agent: 6.5.0
-      semver: 7.7.3
-      tar-fs: 3.1.0
-      yargs: 17.7.2
-    transitivePeerDependencies:
-      - bare-abort-controller
-      - bare-buffer
-      - supports-color
-
-  '@radix-ui/colors@1.0.1': {}
+  '@protobufjs/utf8@1.1.1': {}
 
   '@radix-ui/number@1.0.0':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
 
   '@radix-ui/number@1.0.1':
     dependencies:
-      '@babel/runtime': 7.26.7
-
-  '@radix-ui/number@1.1.0': {}
+      '@babel/runtime': 7.28.4
 
   '@radix-ui/primitive@1.0.0':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
 
   '@radix-ui/primitive@1.0.1':
     dependencies:
       '@babel/runtime': 7.26.7
 
-  '@radix-ui/primitive@1.1.0': {}
-
   '@radix-ui/primitive@1.1.2': {}
 
   '@radix-ui/react-accordion@1.2.11(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
@@ -25879,45 +21962,6 @@ snapshots:
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@radix-ui/react-arrow@1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-avatar@1.1.3(@types/react-dom@19.0.4(@types/react@19.0.12))(@types/react@19.0.12)(react-dom@19.0.0(react@19.0.0))(react@19.0.0)':
-    dependencies:
-      '@radix-ui/react-context': 1.1.1(@types/react@19.0.12)(react@19.0.0)
-      '@radix-ui/react-primitive': 2.0.2(@types/react-dom@19.0.4(@types/react@19.0.12))(@types/react@19.0.12)(react-dom@19.0.0(react@19.0.0))(react@19.0.0)
-      '@radix-ui/react-use-callback-ref': 1.1.0(@types/react@19.0.12)(react@19.0.0)
-      '@radix-ui/react-use-layout-effect': 1.1.0(@types/react@19.0.12)(react@19.0.0)
-      react: 19.0.0
-      react-dom: 19.0.0(react@19.0.0)
-    optionalDependencies:
-      '@types/react': 19.0.12
-      '@types/react-dom': 19.0.4(@types/react@19.0.12)
-
-  '@radix-ui/react-collapsible@1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/primitive': 1.0.1
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-context': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-id': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-presence': 1.0.1(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-use-controllable-state': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-use-layout-effect': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
   '@radix-ui/react-collapsible@1.1.11(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
       '@radix-ui/primitive': 1.1.2
@@ -25936,7 +21980,7 @@ snapshots:
 
   '@radix-ui/react-collection@1.0.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       '@radix-ui/react-compose-refs': 1.0.0(react@18.2.0)
       '@radix-ui/react-context': 1.0.0(react@18.2.0)
       '@radix-ui/react-primitive': 1.0.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
@@ -25944,19 +21988,9 @@ snapshots:
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@radix-ui/react-collection@1.0.2(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      '@radix-ui/react-compose-refs': 1.0.0(react@18.3.1)
-      '@radix-ui/react-context': 1.0.0(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.2(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-slot': 1.0.1(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-
   '@radix-ui/react-collection@1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.2.69)(react@18.2.0)
       '@radix-ui/react-context': 1.0.1(@types/react@18.2.69)(react@18.2.0)
       '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
@@ -25967,19 +22001,6 @@ snapshots:
       '@types/react': 18.2.69
       '@types/react-dom': 18.2.7
 
-  '@radix-ui/react-collection@1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-context': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-slot': 1.0.2(@types/react@18.2.69)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
   '@radix-ui/react-collection@1.1.7(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
       '@radix-ui/react-compose-refs': 1.1.2(@types/react@18.2.69)(react@18.2.0)
@@ -25994,14 +22015,9 @@ snapshots:
 
   '@radix-ui/react-compose-refs@1.0.0(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       react: 18.2.0
 
-  '@radix-ui/react-compose-refs@1.0.0(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      react: 18.3.1
-
   '@radix-ui/react-compose-refs@1.0.1(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
       '@babel/runtime': 7.26.7
@@ -26009,44 +22025,6 @@ snapshots:
     optionalDependencies:
       '@types/react': 18.2.69
 
-  '@radix-ui/react-compose-refs@1.0.1(@types/react@18.2.69)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.2.69
-
-  '@radix-ui/react-compose-refs@1.0.1(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
-  '@radix-ui/react-compose-refs@1.1.0(@types/react@18.2.69)(react@18.2.0)':
-    dependencies:
-      react: 18.2.0
-    optionalDependencies:
-      '@types/react': 18.2.69
-
-  '@radix-ui/react-compose-refs@1.1.0(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
-  '@radix-ui/react-compose-refs@1.1.1(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
-  '@radix-ui/react-compose-refs@1.1.1(@types/react@19.0.12)(react@19.0.0)':
-    dependencies:
-      react: 19.0.0
-    optionalDependencies:
-      '@types/react': 19.0.12
-
   '@radix-ui/react-compose-refs@1.1.2(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
       react: 18.2.0
@@ -26055,14 +22033,9 @@ snapshots:
 
   '@radix-ui/react-context@1.0.0(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       react: 18.2.0
 
-  '@radix-ui/react-context@1.0.0(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      react: 18.3.1
-
   '@radix-ui/react-context@1.0.1(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
       '@babel/runtime': 7.26.7
@@ -26070,32 +22043,6 @@ snapshots:
     optionalDependencies:
       '@types/react': 18.2.69
 
-  '@radix-ui/react-context@1.0.1(@types/react@18.2.69)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.2.69
-
-  '@radix-ui/react-context@1.0.1(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
-  '@radix-ui/react-context@1.1.1(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
-  '@radix-ui/react-context@1.1.1(@types/react@19.0.12)(react@19.0.0)':
-    dependencies:
-      react: 19.0.0
-    optionalDependencies:
-      '@types/react': 19.0.12
-
   '@radix-ui/react-context@1.1.2(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
       react: 18.2.0
@@ -26147,59 +22094,18 @@ snapshots:
       '@types/react': 18.2.69
       '@types/react-dom': 18.2.7
 
-  '@radix-ui/react-dialog@1.0.4(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.24.5
-      '@radix-ui/primitive': 1.0.1
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-context': 1.0.1(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-dismissable-layer': 1.0.4(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-focus-guards': 1.0.1(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-focus-scope': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-id': 1.0.1(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-portal': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-presence': 1.0.1(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-slot': 1.0.2(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-use-controllable-state': 1.0.1(@types/react@18.3.1)(react@18.3.1)
-      aria-hidden: 1.2.3
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-      react-remove-scroll: 2.5.5(@types/react@18.3.1)(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.3.1
-      '@types/react-dom': 18.2.7
-
   '@radix-ui/react-direction@1.0.0(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       react: 18.2.0
 
-  '@radix-ui/react-direction@1.0.0(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      react: 18.3.1
-
   '@radix-ui/react-direction@1.0.1(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       react: 18.2.0
     optionalDependencies:
       '@types/react': 18.2.69
 
-  '@radix-ui/react-direction@1.0.1(@types/react@18.2.69)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.2.69
-
-  '@radix-ui/react-direction@1.1.0(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
   '@radix-ui/react-direction@1.1.1(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
       react: 18.2.0
@@ -26208,7 +22114,7 @@ snapshots:
 
   '@radix-ui/react-dismissable-layer@1.0.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       '@radix-ui/primitive': 1.0.0
       '@radix-ui/react-compose-refs': 1.0.0(react@18.2.0)
       '@radix-ui/react-primitive': 1.0.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
@@ -26231,51 +22137,9 @@ snapshots:
       '@types/react': 18.2.69
       '@types/react-dom': 18.2.7
 
-  '@radix-ui/react-dismissable-layer@1.0.4(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/primitive': 1.0.1
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-use-callback-ref': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-use-escape-keydown': 1.0.3(@types/react@18.2.69)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-dismissable-layer@1.0.4(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/primitive': 1.0.1
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-use-callback-ref': 1.0.1(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-use-escape-keydown': 1.0.3(@types/react@18.3.1)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.3.1
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-dismissable-layer@1.0.5(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/primitive': 1.0.1
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-use-callback-ref': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-use-escape-keydown': 1.0.3(@types/react@18.2.69)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
   '@radix-ui/react-focus-guards@1.0.0(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       react: 18.2.0
 
   '@radix-ui/react-focus-guards@1.0.1(@types/react@18.2.69)(react@18.2.0)':
@@ -26285,23 +22149,9 @@ snapshots:
     optionalDependencies:
       '@types/react': 18.2.69
 
-  '@radix-ui/react-focus-guards@1.0.1(@types/react@18.2.69)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.2.69
-
-  '@radix-ui/react-focus-guards@1.0.1(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
   '@radix-ui/react-focus-scope@1.0.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       '@radix-ui/react-compose-refs': 1.0.0(react@18.2.0)
       '@radix-ui/react-primitive': 1.0.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@radix-ui/react-use-callback-ref': 1.0.0(react@18.2.0)
@@ -26320,46 +22170,12 @@ snapshots:
       '@types/react': 18.2.69
       '@types/react-dom': 18.2.7
 
-  '@radix-ui/react-focus-scope@1.0.3(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-use-callback-ref': 1.0.1(@types/react@18.3.1)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.3.1
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-focus-scope@1.0.4(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-use-callback-ref': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-icons@1.3.0(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-
   '@radix-ui/react-id@1.0.0(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       '@radix-ui/react-use-layout-effect': 1.0.0(react@18.2.0)
       react: 18.2.0
 
-  '@radix-ui/react-id@1.0.0(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      '@radix-ui/react-use-layout-effect': 1.0.0(react@18.3.1)
-      react: 18.3.1
-
   '@radix-ui/react-id@1.0.1(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
       '@babel/runtime': 7.28.4
@@ -26368,22 +22184,6 @@ snapshots:
     optionalDependencies:
       '@types/react': 18.2.69
 
-  '@radix-ui/react-id@1.0.1(@types/react@18.2.69)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/react-use-layout-effect': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.2.69
-
-  '@radix-ui/react-id@1.0.1(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/react-use-layout-effect': 1.0.1(@types/react@18.3.1)(react@18.3.1)
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
   '@radix-ui/react-id@1.1.1(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
       '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@18.2.69)(react@18.2.0)
@@ -26421,33 +22221,9 @@ snapshots:
     transitivePeerDependencies:
       - '@types/react'
 
-  '@radix-ui/react-popover@1.0.7(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/primitive': 1.0.1
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-context': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-dismissable-layer': 1.0.5(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-focus-guards': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-focus-scope': 1.0.4(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-id': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-popper': 1.1.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-portal': 1.0.4(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-presence': 1.0.1(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-slot': 1.0.2(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-use-controllable-state': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      aria-hidden: 1.2.4
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-      react-remove-scroll: 2.5.5(@types/react@18.2.69)(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
   '@radix-ui/react-popper@1.1.1(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       '@floating-ui/react-dom': 0.7.2(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@radix-ui/react-arrow': 1.0.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@radix-ui/react-compose-refs': 1.0.0(react@18.2.0)
@@ -26463,47 +22239,9 @@ snapshots:
     transitivePeerDependencies:
       - '@types/react'
 
-  '@radix-ui/react-popper@1.1.2(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@floating-ui/react-dom': 2.0.9(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-arrow': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-context': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-use-callback-ref': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-use-layout-effect': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-use-rect': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-use-size': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/rect': 1.0.1
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-popper@1.1.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@floating-ui/react-dom': 2.0.9(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-arrow': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-context': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-use-callback-ref': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-use-layout-effect': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-use-rect': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-use-size': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/rect': 1.0.1
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
   '@radix-ui/react-portal@1.0.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       '@radix-ui/react-primitive': 1.0.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
@@ -26518,36 +22256,6 @@ snapshots:
       '@types/react': 18.2.69
       '@types/react-dom': 18.2.7
 
-  '@radix-ui/react-portal@1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-portal@1.0.3(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.3.1
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-portal@1.0.4(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
   '@radix-ui/react-portal@1.1.9(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
       '@radix-ui/react-primitive': 2.1.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
@@ -26560,23 +22268,15 @@ snapshots:
 
   '@radix-ui/react-presence@1.0.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       '@radix-ui/react-compose-refs': 1.0.0(react@18.2.0)
       '@radix-ui/react-use-layout-effect': 1.0.0(react@18.2.0)
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@radix-ui/react-presence@1.0.0(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      '@radix-ui/react-compose-refs': 1.0.0(react@18.3.1)
-      '@radix-ui/react-use-layout-effect': 1.0.0(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-
   '@radix-ui/react-presence@1.0.1(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.2.69)(react@18.2.0)
       '@radix-ui/react-use-layout-effect': 1.0.1(@types/react@18.2.69)(react@18.2.0)
       react: 18.2.0
@@ -26585,38 +22285,6 @@ snapshots:
       '@types/react': 18.2.69
       '@types/react-dom': 18.2.7
 
-  '@radix-ui/react-presence@1.0.1(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-use-layout-effect': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-presence@1.0.1(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-use-layout-effect': 1.0.1(@types/react@18.3.1)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.3.1
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-presence@1.1.1(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@radix-ui/react-compose-refs': 1.1.0(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-use-layout-effect': 1.1.0(@types/react@18.3.1)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.3.1
-      '@types/react-dom': 18.2.7
-
   '@radix-ui/react-presence@1.1.4(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
       '@radix-ui/react-compose-refs': 1.1.2(@types/react@18.2.69)(react@18.2.0)
@@ -26629,18 +22297,11 @@ snapshots:
 
   '@radix-ui/react-primitive@1.0.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       '@radix-ui/react-slot': 1.0.1(react@18.2.0)
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@radix-ui/react-primitive@1.0.2(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      '@radix-ui/react-slot': 1.0.1(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-
   '@radix-ui/react-primitive@1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
       '@babel/runtime': 7.26.7
@@ -26651,53 +22312,6 @@ snapshots:
       '@types/react': 18.2.69
       '@types/react-dom': 18.2.7
 
-  '@radix-ui/react-primitive@1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      '@radix-ui/react-slot': 1.0.2(@types/react@18.2.69)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-primitive@1.0.3(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      '@radix-ui/react-slot': 1.0.2(@types/react@18.3.1)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.3.1
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-primitive@2.0.0(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@radix-ui/react-slot': 1.1.0(@types/react@18.3.1)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.3.1
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-primitive@2.0.1(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@radix-ui/react-slot': 1.1.1(@types/react@18.3.1)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.3.1
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-primitive@2.0.2(@types/react-dom@19.0.4(@types/react@19.0.12))(@types/react@19.0.12)(react-dom@19.0.0(react@19.0.0))(react@19.0.0)':
-    dependencies:
-      '@radix-ui/react-slot': 1.1.2(@types/react@19.0.12)(react@19.0.0)
-      react: 19.0.0
-      react-dom: 19.0.0(react@19.0.0)
-    optionalDependencies:
-      '@types/react': 19.0.12
-      '@types/react-dom': 19.0.4(@types/react@19.0.12)
-
   '@radix-ui/react-primitive@2.1.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
       '@radix-ui/react-slot': 1.2.3(@types/react@18.2.69)(react@18.2.0)
@@ -26707,16 +22321,6 @@ snapshots:
       '@types/react': 18.2.69
       '@types/react-dom': 18.2.7
 
-  '@radix-ui/react-progress@1.1.1(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@radix-ui/react-context': 1.1.1(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-primitive': 2.0.1(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.3.1
-      '@types/react-dom': 18.2.7
-
   '@radix-ui/react-radio-group@1.1.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
       '@babel/runtime': 7.20.7
@@ -26751,24 +22355,9 @@ snapshots:
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@radix-ui/react-roving-focus@1.0.3(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      '@radix-ui/primitive': 1.0.0
-      '@radix-ui/react-collection': 1.0.2(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-compose-refs': 1.0.0(react@18.3.1)
-      '@radix-ui/react-context': 1.0.0(react@18.3.1)
-      '@radix-ui/react-direction': 1.0.0(react@18.3.1)
-      '@radix-ui/react-id': 1.0.0(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.2(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-use-callback-ref': 1.0.0(react@18.3.1)
-      '@radix-ui/react-use-controllable-state': 1.0.0(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-
   '@radix-ui/react-roving-focus@1.0.4(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       '@radix-ui/primitive': 1.0.1
       '@radix-ui/react-collection': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.2.69)(react@18.2.0)
@@ -26784,41 +22373,6 @@ snapshots:
       '@types/react': 18.2.69
       '@types/react-dom': 18.2.7
 
-  '@radix-ui/react-roving-focus@1.0.4(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      '@radix-ui/primitive': 1.0.1
-      '@radix-ui/react-collection': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-context': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-direction': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-id': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-use-callback-ref': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-use-controllable-state': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-scroll-area@1.2.0(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@radix-ui/number': 1.1.0
-      '@radix-ui/primitive': 1.1.0
-      '@radix-ui/react-compose-refs': 1.1.0(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-context': 1.1.1(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-direction': 1.1.0(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-presence': 1.1.1(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-primitive': 2.0.0(@types/react-dom@18.2.7)(@types/react@18.3.1)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-use-callback-ref': 1.1.0(@types/react@18.3.1)(react@18.3.1)
-      '@radix-ui/react-use-layout-effect': 1.1.0(@types/react@18.3.1)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.3.1
-      '@types/react-dom': 18.2.7
-
   '@radix-ui/react-select@1.2.1(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
       '@babel/runtime': 7.20.7
@@ -26870,16 +22424,10 @@ snapshots:
 
   '@radix-ui/react-slot@1.0.1(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.27.0
+      '@babel/runtime': 7.28.4
       '@radix-ui/react-compose-refs': 1.0.0(react@18.2.0)
       react: 18.2.0
 
-  '@radix-ui/react-slot@1.0.1(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.27.0
-      '@radix-ui/react-compose-refs': 1.0.0(react@18.3.1)
-      react: 18.3.1
-
   '@radix-ui/react-slot@1.0.2(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
       '@babel/runtime': 7.26.7
@@ -26888,43 +22436,6 @@ snapshots:
     optionalDependencies:
       '@types/react': 18.2.69
 
-  '@radix-ui/react-slot@1.0.2(@types/react@18.2.69)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.2.69
-
-  '@radix-ui/react-slot@1.0.2(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.3.1)(react@18.3.1)
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
-  '@radix-ui/react-slot@1.1.0(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      '@radix-ui/react-compose-refs': 1.1.0(@types/react@18.3.1)(react@18.3.1)
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
-  '@radix-ui/react-slot@1.1.1(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      '@radix-ui/react-compose-refs': 1.1.1(@types/react@18.3.1)(react@18.3.1)
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
-  '@radix-ui/react-slot@1.1.2(@types/react@19.0.12)(react@19.0.0)':
-    dependencies:
-      '@radix-ui/react-compose-refs': 1.1.1(@types/react@19.0.12)(react@19.0.0)
-      react: 19.0.0
-    optionalDependencies:
-      '@types/react': 19.0.12
-
   '@radix-ui/react-slot@1.2.3(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
       '@radix-ui/react-compose-refs': 1.1.2(@types/react@18.2.69)(react@18.2.0)
@@ -26962,48 +22473,6 @@ snapshots:
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@radix-ui/react-tabs@1.0.3(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.20.7
-      '@radix-ui/primitive': 1.0.0
-      '@radix-ui/react-context': 1.0.0(react@18.3.1)
-      '@radix-ui/react-direction': 1.0.0(react@18.3.1)
-      '@radix-ui/react-id': 1.0.0(react@18.3.1)
-      '@radix-ui/react-presence': 1.0.0(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.2(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-roving-focus': 1.0.3(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-use-controllable-state': 1.0.0(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-
-  '@radix-ui/react-toggle-group@1.0.4(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/primitive': 1.0.1
-      '@radix-ui/react-context': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-direction': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-roving-focus': 1.0.4(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-toggle': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-use-controllable-state': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
-  '@radix-ui/react-toggle@1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/primitive': 1.0.1
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-use-controllable-state': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
   '@radix-ui/react-tooltip@1.0.5(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
       '@babel/runtime': 7.20.7
@@ -27024,37 +22493,11 @@ snapshots:
     transitivePeerDependencies:
       - '@types/react'
 
-  '@radix-ui/react-tooltip@1.0.6(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/primitive': 1.0.1
-      '@radix-ui/react-compose-refs': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-context': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-dismissable-layer': 1.0.4(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-id': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-popper': 1.1.2(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-portal': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-presence': 1.0.1(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-slot': 1.0.2(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-use-controllable-state': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-visually-hidden': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
   '@radix-ui/react-use-callback-ref@1.0.0(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.27.4
+      '@babel/runtime': 7.28.4
       react: 18.2.0
 
-  '@radix-ui/react-use-callback-ref@1.0.0(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.27.4
-      react: 18.3.1
-
   '@radix-ui/react-use-callback-ref@1.0.1(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
       '@babel/runtime': 7.28.4
@@ -27062,68 +22505,20 @@ snapshots:
     optionalDependencies:
       '@types/react': 18.2.69
 
-  '@radix-ui/react-use-callback-ref@1.0.1(@types/react@18.2.69)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.2.69
-
-  '@radix-ui/react-use-callback-ref@1.0.1(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
-  '@radix-ui/react-use-callback-ref@1.1.0(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
-  '@radix-ui/react-use-callback-ref@1.1.0(@types/react@19.0.12)(react@19.0.0)':
-    dependencies:
-      react: 19.0.0
-    optionalDependencies:
-      '@types/react': 19.0.12
-
   '@radix-ui/react-use-controllable-state@1.0.0(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       '@radix-ui/react-use-callback-ref': 1.0.0(react@18.2.0)
       react: 18.2.0
 
-  '@radix-ui/react-use-controllable-state@1.0.0(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      '@radix-ui/react-use-callback-ref': 1.0.0(react@18.3.1)
-      react: 18.3.1
-
   '@radix-ui/react-use-controllable-state@1.0.1(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.27.4
+      '@babel/runtime': 7.28.4
       '@radix-ui/react-use-callback-ref': 1.0.1(@types/react@18.2.69)(react@18.2.0)
       react: 18.2.0
     optionalDependencies:
       '@types/react': 18.2.69
 
-  '@radix-ui/react-use-controllable-state@1.0.1(@types/react@18.2.69)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.27.4
-      '@radix-ui/react-use-callback-ref': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.2.69
-
-  '@radix-ui/react-use-controllable-state@1.0.1(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.27.4
-      '@radix-ui/react-use-callback-ref': 1.0.1(@types/react@18.3.1)(react@18.3.1)
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
   '@radix-ui/react-use-controllable-state@1.2.2(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
       '@radix-ui/react-use-effect-event': 0.0.2(@types/react@18.2.69)(react@18.2.0)
@@ -27153,65 +22548,18 @@ snapshots:
     optionalDependencies:
       '@types/react': 18.2.69
 
-  '@radix-ui/react-use-escape-keydown@1.0.3(@types/react@18.2.69)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/react-use-callback-ref': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.2.69
-
-  '@radix-ui/react-use-escape-keydown@1.0.3(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/react-use-callback-ref': 1.0.1(@types/react@18.3.1)(react@18.3.1)
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
   '@radix-ui/react-use-layout-effect@1.0.0(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.27.4
+      '@babel/runtime': 7.28.4
       react: 18.2.0
 
-  '@radix-ui/react-use-layout-effect@1.0.0(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.27.4
-      react: 18.3.1
-
   '@radix-ui/react-use-layout-effect@1.0.1(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.27.4
+      '@babel/runtime': 7.28.4
       react: 18.2.0
     optionalDependencies:
       '@types/react': 18.2.69
 
-  '@radix-ui/react-use-layout-effect@1.0.1(@types/react@18.2.69)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.27.4
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.2.69
-
-  '@radix-ui/react-use-layout-effect@1.0.1(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.27.4
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
-  '@radix-ui/react-use-layout-effect@1.1.0(@types/react@18.3.1)(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
-  '@radix-ui/react-use-layout-effect@1.1.0(@types/react@19.0.12)(react@19.0.0)':
-    dependencies:
-      react: 19.0.0
-    optionalDependencies:
-      '@types/react': 19.0.12
-
   '@radix-ui/react-use-layout-effect@1.1.1(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
       react: 18.2.0
@@ -27220,12 +22568,12 @@ snapshots:
 
   '@radix-ui/react-use-previous@1.0.0(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       react: 18.2.0
 
   '@radix-ui/react-use-previous@1.0.1(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       react: 18.2.0
     optionalDependencies:
       '@types/react': 18.2.69
@@ -27236,14 +22584,6 @@ snapshots:
       '@radix-ui/rect': 1.0.0
       react: 18.2.0
 
-  '@radix-ui/react-use-rect@1.0.1(@types/react@18.2.69)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/rect': 1.0.1
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.2.69
-
   '@radix-ui/react-use-size@1.0.0(react@18.2.0)':
     dependencies:
       '@babel/runtime': 7.28.4
@@ -27252,205 +22592,95 @@ snapshots:
 
   '@radix-ui/react-use-size@1.0.1(@types/react@18.2.69)(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       '@radix-ui/react-use-layout-effect': 1.0.1(@types/react@18.2.69)(react@18.2.0)
       react: 18.2.0
     optionalDependencies:
       '@types/react': 18.2.69
 
-  '@radix-ui/react-use-size@1.0.1(@types/react@18.2.69)(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.26.7
-      '@radix-ui/react-use-layout-effect': 1.0.1(@types/react@18.2.69)(react@18.3.1)
-      react: 18.3.1
-    optionalDependencies:
-      '@types/react': 18.2.69
-
   '@radix-ui/react-visually-hidden@1.0.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@babel/runtime': 7.26.7
+      '@babel/runtime': 7.28.4
       '@radix-ui/react-primitive': 1.0.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@radix-ui/react-visually-hidden@1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
-    dependencies:
-      '@babel/runtime': 7.28.4
-      '@radix-ui/react-primitive': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-
   '@radix-ui/rect@1.0.0':
     dependencies:
       '@babel/runtime': 7.28.4
 
-  '@radix-ui/rect@1.0.1':
-    dependencies:
-      '@babel/runtime': 7.28.4
-
-  '@react-aria/breadcrumbs@3.5.16(react@18.2.0)':
-    dependencies:
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/link': 3.7.4(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-types/breadcrumbs': 3.7.7(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/breadcrumbs@3.5.9(react@18.2.0)':
+  '@react-aria/breadcrumbs@3.5.9(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/link': 3.6.3(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/link': 3.6.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-types/breadcrumbs': 3.7.2(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
-  '@react-aria/button@3.9.1(react@18.2.0)':
+  '@react-aria/button@3.9.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.16.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/toggle': 3.7.0(react@18.2.0)
       '@react-types/button': 3.9.1(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
-
-  '@react-aria/button@3.9.8(react@18.2.0)':
-    dependencies:
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/toggle': 3.7.7(react@18.2.0)
-      '@react-types/button': 3.9.6(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/calendar@3.5.11(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@internationalized/date': 3.5.5
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/live-announcer': 3.3.4
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/calendar': 3.5.4(react@18.2.0)
-      '@react-types/button': 3.9.6(react@18.2.0)
-      '@react-types/calendar': 3.4.9(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
+    transitivePeerDependencies:
+      - react-dom
 
   '@react-aria/calendar@3.5.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@internationalized/date': 3.5.1
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
+      '@internationalized/date': 3.12.1
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/live-announcer': 3.3.1
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/calendar': 3.4.3(react@18.2.0)
       '@react-types/button': 3.9.1(react@18.2.0)
       '@react-types/calendar': 3.4.3(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@react-aria/checkbox@3.13.0(react@18.2.0)':
+  '@react-aria/checkbox@3.13.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/form': 3.0.1(react@18.2.0)
-      '@react-aria/label': 3.7.4(react@18.2.0)
-      '@react-aria/toggle': 3.10.0(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/form': 3.0.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/label': 3.7.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/toggle': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/checkbox': 3.6.1(react@18.2.0)
       '@react-stately/form': 3.0.0(react@18.2.0)
       '@react-stately/toggle': 3.7.0(react@18.2.0)
       '@react-types/checkbox': 3.6.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
-
-  '@react-aria/checkbox@3.14.6(react@18.2.0)':
-    dependencies:
-      '@react-aria/form': 3.0.8(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/label': 3.7.11(react@18.2.0)
-      '@react-aria/toggle': 3.10.7(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/checkbox': 3.6.8(react@18.2.0)
-      '@react-stately/form': 3.0.5(react@18.2.0)
-      '@react-stately/toggle': 3.7.7(react@18.2.0)
-      '@react-types/checkbox': 3.8.3(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/combobox@3.10.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/listbox': 3.13.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/live-announcer': 3.3.4
-      '@react-aria/menu': 3.15.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/overlays': 3.23.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/selection': 3.19.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/textfield': 3.14.8(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/collections': 3.10.9(react@18.2.0)
-      '@react-stately/combobox': 3.9.2(react@18.2.0)
-      '@react-stately/form': 3.0.5(react@18.2.0)
-      '@react-types/button': 3.9.6(react@18.2.0)
-      '@react-types/combobox': 3.12.1(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
+    transitivePeerDependencies:
+      - react-dom
 
   '@react-aria/combobox@3.8.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/listbox': 3.11.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/live-announcer': 3.3.1
       '@react-aria/menu': 3.12.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/overlays': 3.20.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/selection': 3.17.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/textfield': 3.14.1(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/textfield': 3.14.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/collections': 3.10.4(react@18.2.0)
       '@react-stately/combobox': 3.8.1(react@18.2.0)
       '@react-stately/form': 3.0.0(react@18.2.0)
       '@react-types/button': 3.9.1(react@18.2.0)
       '@react-types/combobox': 3.10.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
-
-  '@react-aria/datepicker@3.11.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@internationalized/date': 3.5.5
-      '@internationalized/number': 3.5.3
-      '@internationalized/string': 3.2.3
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/form': 3.0.8(react@18.2.0)
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/label': 3.7.11(react@18.2.0)
-      '@react-aria/spinbutton': 3.6.8(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/datepicker': 3.10.2(react@18.2.0)
-      '@react-stately/form': 3.0.5(react@18.2.0)
-      '@react-types/button': 3.9.6(react@18.2.0)
-      '@react-types/calendar': 3.4.9(react@18.2.0)
-      '@react-types/datepicker': 3.8.2(react@18.2.0)
-      '@react-types/dialog': 3.5.12(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
@@ -27460,11 +22690,11 @@ snapshots:
       '@internationalized/date': 3.5.1
       '@internationalized/number': 3.5.0
       '@internationalized/string': 3.2.0
-      '@react-aria/focus': 3.16.0(react@18.2.0)
-      '@react-aria/form': 3.0.1(react@18.2.0)
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
-      '@react-aria/label': 3.7.4(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/form': 3.0.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/label': 3.7.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/spinbutton': 3.6.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/utils': 3.23.0(react@18.2.0)
       '@react-stately/datepicker': 3.9.1(react@18.2.0)
@@ -27480,257 +22710,140 @@ snapshots:
 
   '@react-aria/dialog@3.5.10(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.16.0(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/overlays': 3.20.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-types/dialog': 3.5.7(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
-
-  '@react-aria/dialog@3.5.17(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/overlays': 3.23.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-types/dialog': 3.5.12(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
   '@react-aria/dnd@3.5.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@internationalized/string': 3.2.0
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
+      '@internationalized/string': 3.2.8
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/live-announcer': 3.3.1
       '@react-aria/overlays': 3.20.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/dnd': 3.2.7(react@18.2.0)
       '@react-types/button': 3.9.1(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
-
-  '@react-aria/dnd@3.7.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@internationalized/string': 3.2.3
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/live-announcer': 3.3.4
-      '@react-aria/overlays': 3.23.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/dnd': 3.4.2(react@18.2.0)
-      '@react-types/button': 3.9.6(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@react-aria/focus@3.16.0(react@18.2.0)':
+  '@react-aria/focus@3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      clsx: 2.1.1
-      react: 18.2.0
-
-  '@react-aria/focus@3.18.2(react@18.2.0)':
-    dependencies:
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       clsx: 2.1.1
       react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
-  '@react-aria/form@3.0.1(react@18.2.0)':
+  '@react-aria/form@3.0.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/form': 3.0.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/form@3.0.8(react@18.2.0)':
-    dependencies:
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/form': 3.0.5(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
-
-  '@react-aria/grid@3.10.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/live-announcer': 3.3.4
-      '@react-aria/selection': 3.19.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/collections': 3.10.9(react@18.2.0)
-      '@react-stately/grid': 3.9.2(react@18.2.0)
-      '@react-stately/selection': 3.16.2(react@18.2.0)
-      '@react-types/checkbox': 3.8.3(react@18.2.0)
-      '@react-types/grid': 3.2.8(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
+    transitivePeerDependencies:
+      - react-dom
 
   '@react-aria/grid@3.8.6(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.16.0(react@18.2.0)
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/live-announcer': 3.3.1
       '@react-aria/selection': 3.17.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/collections': 3.10.4(react@18.2.0)
       '@react-stately/grid': 3.8.4(react@18.2.0)
       '@react-stately/selection': 3.14.2(react@18.2.0)
-      '@react-stately/virtualizer': 3.6.6(react@18.2.0)
+      '@react-stately/virtualizer': 3.6.6(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-types/checkbox': 3.6.0(react@18.2.0)
       '@react-types/grid': 3.2.3(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
   '@react-aria/gridlist@3.7.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.16.0(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/grid': 3.8.6(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/selection': 3.17.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/list': 3.10.2(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@react-aria/gridlist@3.9.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/grid': 3.10.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/selection': 3.19.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/collections': 3.10.9(react@18.2.0)
-      '@react-stately/list': 3.10.8(react@18.2.0)
-      '@react-stately/tree': 3.8.4(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
-
-  '@react-aria/i18n@3.10.0(react@18.2.0)':
+  '@react-aria/i18n@3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@internationalized/date': 3.5.1
+      '@internationalized/date': 3.12.1
       '@internationalized/message': 3.1.1
-      '@internationalized/number': 3.5.0
-      '@internationalized/string': 3.2.0
+      '@internationalized/number': 3.6.6
+      '@internationalized/string': 3.2.8
       '@react-aria/ssr': 3.9.1(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/i18n@3.12.2(react@18.2.0)':
-    dependencies:
-      '@internationalized/date': 3.5.5
-      '@internationalized/message': 3.1.4
-      '@internationalized/number': 3.5.3
-      '@internationalized/string': 3.2.3
-      '@react-aria/ssr': 3.9.5(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
-  '@react-aria/interactions@3.20.1(react@18.2.0)':
+  '@react-aria/interactions@3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
       '@react-aria/ssr': 3.9.1(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/interactions@3.22.2(react@18.2.0)':
-    dependencies:
-      '@react-aria/ssr': 3.9.5(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/label@3.7.11(react@18.2.0)':
-    dependencies:
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
-  '@react-aria/label@3.7.4(react@18.2.0)':
+  '@react-aria/label@3.7.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/utils': 3.23.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
-  '@react-aria/link@3.6.3(react@18.2.0)':
+  '@react-aria/link@3.6.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.16.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-types/link': 3.5.2(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/link@3.7.4(react@18.2.0)':
-    dependencies:
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-types/link': 3.5.7(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
   '@react-aria/listbox@3.11.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
-      '@react-aria/label': 3.7.4(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/label': 3.7.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/selection': 3.17.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/collections': 3.10.4(react@18.2.0)
       '@react-stately/list': 3.10.2(react@18.2.0)
       '@react-types/listbox': 3.4.6(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
-
-  '@react-aria/listbox@3.13.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/label': 3.7.11(react@18.2.0)
-      '@react-aria/selection': 3.19.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/collections': 3.10.9(react@18.2.0)
-      '@react-stately/list': 3.10.8(react@18.2.0)
-      '@react-types/listbox': 3.5.1(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
@@ -27739,318 +22852,170 @@ snapshots:
     dependencies:
       '@swc/helpers': 0.5.15
 
-  '@react-aria/live-announcer@3.3.4':
-    dependencies:
-      '@swc/helpers': 0.5.15
-
   '@react-aria/menu@3.12.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.16.0(react@18.2.0)
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/overlays': 3.20.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/selection': 3.17.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/collections': 3.10.4(react@18.2.0)
       '@react-stately/menu': 3.6.0(react@18.2.0)
       '@react-stately/tree': 3.7.5(react@18.2.0)
       '@react-types/button': 3.9.1(react@18.2.0)
       '@react-types/menu': 3.9.6(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@react-aria/menu@3.15.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/overlays': 3.23.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/selection': 3.19.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/collections': 3.10.9(react@18.2.0)
-      '@react-stately/menu': 3.8.2(react@18.2.0)
-      '@react-stately/tree': 3.8.4(react@18.2.0)
-      '@react-types/button': 3.9.6(react@18.2.0)
-      '@react-types/menu': 3.9.11(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
-
-  '@react-aria/meter@3.4.16(react@18.2.0)':
-    dependencies:
-      '@react-aria/progress': 3.4.16(react@18.2.0)
-      '@react-types/meter': 3.4.3(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/meter@3.4.9(react@18.2.0)':
+  '@react-aria/meter@3.4.9(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/progress': 3.4.9(react@18.2.0)
+      '@react-aria/progress': 3.4.9(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-types/meter': 3.3.6(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
   '@react-aria/numberfield@3.10.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/spinbutton': 3.6.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/textfield': 3.14.1(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/textfield': 3.14.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/form': 3.0.0(react@18.2.0)
       '@react-stately/numberfield': 3.8.0(react@18.2.0)
       '@react-types/button': 3.9.1(react@18.2.0)
       '@react-types/numberfield': 3.7.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
-
-  '@react-aria/numberfield@3.11.6(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/spinbutton': 3.6.8(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/textfield': 3.14.8(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/form': 3.0.5(react@18.2.0)
-      '@react-stately/numberfield': 3.9.6(react@18.2.0)
-      '@react-types/button': 3.9.6(react@18.2.0)
-      '@react-types/numberfield': 3.8.5(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
   '@react-aria/overlays@3.20.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.16.0(react@18.2.0)
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/ssr': 3.9.1(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
-      '@react-aria/visually-hidden': 3.8.8(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/visually-hidden': 3.8.8(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/overlays': 3.6.4(react@18.2.0)
       '@react-types/button': 3.9.1(react@18.2.0)
       '@react-types/overlays': 3.8.4(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@react-aria/overlays@3.23.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/ssr': 3.9.5(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-aria/visually-hidden': 3.8.15(react@18.2.0)
-      '@react-stately/overlays': 3.6.10(react@18.2.0)
-      '@react-types/button': 3.9.6(react@18.2.0)
-      '@react-types/overlays': 3.8.9(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
-
-  '@react-aria/progress@3.4.16(react@18.2.0)':
-    dependencies:
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/label': 3.7.11(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-types/progress': 3.5.6(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/progress@3.4.9(react@18.2.0)':
+  '@react-aria/progress@3.4.9(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/label': 3.7.4(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/label': 3.7.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-types/progress': 3.5.1(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
-  '@react-aria/radio@3.10.0(react@18.2.0)':
+  '@react-aria/radio@3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.16.0(react@18.2.0)
-      '@react-aria/form': 3.0.1(react@18.2.0)
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
-      '@react-aria/label': 3.7.4(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/form': 3.0.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/label': 3.7.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/radio': 3.10.1(react@18.2.0)
       '@react-types/radio': 3.7.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/radio@3.10.7(react@18.2.0)':
-    dependencies:
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/form': 3.0.8(react@18.2.0)
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/label': 3.7.11(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/radio': 3.10.7(react@18.2.0)
-      '@react-types/radio': 3.8.3(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
-  '@react-aria/searchfield@3.7.1(react@18.2.0)':
+  '@react-aria/searchfield@3.7.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/textfield': 3.14.1(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/textfield': 3.14.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/searchfield': 3.5.0(react@18.2.0)
       '@react-types/button': 3.9.1(react@18.2.0)
       '@react-types/searchfield': 3.5.2(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/searchfield@3.7.8(react@18.2.0)':
-    dependencies:
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/textfield': 3.14.8(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/searchfield': 3.5.6(react@18.2.0)
-      '@react-types/button': 3.9.6(react@18.2.0)
-      '@react-types/searchfield': 3.5.8(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
   '@react-aria/select@3.14.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/form': 3.0.1(react@18.2.0)
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
-      '@react-aria/label': 3.7.4(react@18.2.0)
+      '@react-aria/form': 3.0.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/label': 3.7.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/listbox': 3.11.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/menu': 3.12.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/selection': 3.17.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
-      '@react-aria/visually-hidden': 3.8.8(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/visually-hidden': 3.8.8(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/select': 3.6.1(react@18.2.0)
       '@react-types/button': 3.9.1(react@18.2.0)
       '@react-types/select': 3.9.1(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
-
-  '@react-aria/select@3.14.9(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@react-aria/form': 3.0.8(react@18.2.0)
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/label': 3.7.11(react@18.2.0)
-      '@react-aria/listbox': 3.13.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/menu': 3.15.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/selection': 3.19.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-aria/visually-hidden': 3.8.15(react@18.2.0)
-      '@react-stately/select': 3.6.7(react@18.2.0)
-      '@react-types/button': 3.9.6(react@18.2.0)
-      '@react-types/select': 3.9.6(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
   '@react-aria/selection@3.17.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.16.0(react@18.2.0)
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/selection': 3.14.2(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@react-aria/selection@3.19.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
+  '@react-aria/separator@3.3.9(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/selection': 3.16.2(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
-
-  '@react-aria/separator@3.3.9(react@18.2.0)':
-    dependencies:
-      '@react-aria/utils': 3.23.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/separator@3.4.2(react@18.2.0)':
-    dependencies:
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/slider@3.7.11(react@18.2.0)':
-    dependencies:
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/label': 3.7.11(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/slider': 3.5.7(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@react-types/slider': 3.7.5(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
-  '@react-aria/slider@3.7.4(react@18.2.0)':
+  '@react-aria/slider@3.7.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.16.0(react@18.2.0)
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
-      '@react-aria/label': 3.7.4(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/label': 3.7.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/slider': 3.5.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@react-types/slider': 3.7.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
   '@react-aria/spinbutton@3.6.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/live-announcer': 3.3.1
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-types/button': 3.9.1(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
-
-  '@react-aria/spinbutton@3.6.8(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/live-announcer': 3.3.4
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-types/button': 3.9.6(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
@@ -28060,407 +23025,217 @@ snapshots:
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
-  '@react-aria/ssr@3.9.5(react@18.2.0)':
-    dependencies:
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/switch@3.6.0(react@18.2.0)':
+  '@react-aria/switch@3.6.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/toggle': 3.10.0(react@18.2.0)
+      '@react-aria/toggle': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/toggle': 3.7.0(react@18.2.0)
       '@react-types/switch': 3.5.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
-
-  '@react-aria/switch@3.6.7(react@18.2.0)':
-    dependencies:
-      '@react-aria/toggle': 3.10.7(react@18.2.0)
-      '@react-stately/toggle': 3.7.7(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@react-types/switch': 3.5.5(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
   '@react-aria/table@3.13.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.16.0(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/grid': 3.8.6(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/live-announcer': 3.3.1
-      '@react-aria/utils': 3.23.0(react@18.2.0)
-      '@react-aria/visually-hidden': 3.8.8(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/visually-hidden': 3.8.8(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/collections': 3.10.4(react@18.2.0)
       '@react-stately/flags': 3.0.0
       '@react-stately/table': 3.11.4(react@18.2.0)
-      '@react-stately/virtualizer': 3.6.6(react@18.2.0)
+      '@react-stately/virtualizer': 3.6.6(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-types/checkbox': 3.6.0(react@18.2.0)
       '@react-types/grid': 3.2.3(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@react-types/table': 3.9.2(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@react-aria/table@3.15.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/grid': 3.10.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/live-announcer': 3.3.4
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-aria/visually-hidden': 3.8.15(react@18.2.0)
-      '@react-stately/collections': 3.10.9(react@18.2.0)
-      '@react-stately/flags': 3.0.3
-      '@react-stately/table': 3.12.2(react@18.2.0)
-      '@react-types/checkbox': 3.8.3(react@18.2.0)
-      '@react-types/grid': 3.2.8(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@react-types/table': 3.10.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
-
   '@react-aria/tabs@3.8.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.16.0(react@18.2.0)
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/selection': 3.17.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/tabs': 3.6.3(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@react-types/tabs': 3.3.4(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@react-aria/tabs@3.9.5(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/selection': 3.19.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/tabs': 3.6.9(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@react-types/tabs': 3.3.9(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
-
   '@react-aria/tag@3.3.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
       '@react-aria/gridlist': 3.7.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
-      '@react-aria/label': 3.7.4(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/label': 3.7.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/selection': 3.17.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/list': 3.10.2(react@18.2.0)
       '@react-types/button': 3.9.1(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-      react-dom: 18.2.0(react@18.2.0)
-
-  '@react-aria/tag@3.4.5(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
-    dependencies:
-      '@react-aria/gridlist': 3.9.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/label': 3.7.11(react@18.2.0)
-      '@react-aria/selection': 3.19.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/list': 3.10.8(react@18.2.0)
-      '@react-types/button': 3.9.6(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@react-aria/textfield@3.14.1(react@18.2.0)':
+  '@react-aria/textfield@3.14.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.16.0(react@18.2.0)
-      '@react-aria/form': 3.0.1(react@18.2.0)
-      '@react-aria/label': 3.7.4(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/form': 3.0.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/label': 3.7.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/form': 3.0.0(react@18.2.0)
       '@react-stately/utils': 3.9.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@react-types/textfield': 3.9.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
-  '@react-aria/textfield@3.14.8(react@18.2.0)':
-    dependencies:
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/form': 3.0.8(react@18.2.0)
-      '@react-aria/label': 3.7.11(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/form': 3.0.5(react@18.2.0)
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@react-types/textfield': 3.9.6(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/toggle@3.10.0(react@18.2.0)':
+  '@react-aria/toggle@3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.16.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/toggle': 3.7.0(react@18.2.0)
       '@react-types/checkbox': 3.6.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
-  '@react-aria/toggle@3.10.7(react@18.2.0)':
-    dependencies:
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/toggle': 3.7.7(react@18.2.0)
-      '@react-types/checkbox': 3.8.3(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-aria/tooltip@3.7.0(react@18.2.0)':
+  '@react-aria/tooltip@3.7.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/focus': 3.16.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-stately/tooltip': 3.4.6(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@react-types/tooltip': 3.4.6(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
-
-  '@react-aria/tooltip@3.7.7(react@18.2.0)':
-    dependencies:
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-stately/tooltip': 3.4.12(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@react-types/tooltip': 3.4.11(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
   '@react-aria/utils@3.23.0(react@18.2.0)':
     dependencies:
       '@react-aria/ssr': 3.9.1(react@18.2.0)
       '@react-stately/utils': 3.9.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      clsx: 2.1.1
-      react: 18.2.0
-
-  '@react-aria/utils@3.25.2(react@18.2.0)':
-    dependencies:
-      '@react-aria/ssr': 3.9.5(react@18.2.0)
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       clsx: 2.1.1
       react: 18.2.0
 
-  '@react-aria/visually-hidden@3.8.15(react@18.2.0)':
+  '@react-aria/utils@3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
+      react-aria: 3.48.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      react-dom: 18.2.0(react@18.2.0)
+      react-stately: 3.46.0(react@18.2.0)
 
-  '@react-aria/visually-hidden@3.8.8(react@18.2.0)':
+  '@react-aria/visually-hidden@3.8.8(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
-      '@react-aria/utils': 3.23.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
-
-  '@react-email/body@0.0.7(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-
-  '@react-email/body@0.0.8(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-
-  '@react-email/button@0.0.14(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-
-  '@react-email/button@0.0.15(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-
-  '@react-email/code-block@0.0.3(react@18.3.1)':
-    dependencies:
-      prismjs: 1.29.0
-      react: 18.3.1
-
-  '@react-email/code-block@0.0.4(react@18.3.1)':
-    dependencies:
-      prismjs: 1.29.0
-      react: 18.3.1
-
-  '@react-email/code-inline@0.0.1(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-
-  '@react-email/code-inline@0.0.2(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-
-  '@react-email/column@0.0.10(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-
-  '@react-email/column@0.0.9(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-
-  '@react-email/components@0.0.16(@types/react@18.2.69)(react@18.3.1)':
-    dependencies:
-      '@react-email/body': 0.0.7(react@18.3.1)
-      '@react-email/button': 0.0.14(react@18.3.1)
-      '@react-email/code-block': 0.0.3(react@18.3.1)
-      '@react-email/code-inline': 0.0.1(react@18.3.1)
-      '@react-email/column': 0.0.9(react@18.3.1)
-      '@react-email/container': 0.0.11(react@18.3.1)
-      '@react-email/font': 0.0.5(react@18.3.1)
-      '@react-email/head': 0.0.7(react@18.3.1)
-      '@react-email/heading': 0.0.11(@types/react@18.2.69)(react@18.3.1)
-      '@react-email/hr': 0.0.7(react@18.3.1)
-      '@react-email/html': 0.0.7(react@18.3.1)
-      '@react-email/img': 0.0.7(react@18.3.1)
-      '@react-email/link': 0.0.7(react@18.3.1)
-      '@react-email/markdown': 0.0.9(react@18.3.1)
-      '@react-email/preview': 0.0.8(react@18.3.1)
-      '@react-email/render': 0.0.12
-      '@react-email/row': 0.0.7(react@18.3.1)
-      '@react-email/section': 0.0.11(react@18.3.1)
-      '@react-email/tailwind': 0.0.15(react@18.3.1)
-      '@react-email/text': 0.0.7(react@18.3.1)
-      react: 18.3.1
     transitivePeerDependencies:
-      - '@types/react'
-
-  '@react-email/components@0.0.17(@types/react@18.2.69)(react@18.3.1)':
-    dependencies:
-      '@react-email/body': 0.0.8(react@18.3.1)
-      '@react-email/button': 0.0.15(react@18.3.1)
-      '@react-email/code-block': 0.0.4(react@18.3.1)
-      '@react-email/code-inline': 0.0.2(react@18.3.1)
-      '@react-email/column': 0.0.10(react@18.3.1)
-      '@react-email/container': 0.0.12(react@18.3.1)
-      '@react-email/font': 0.0.6(react@18.3.1)
-      '@react-email/head': 0.0.8(react@18.3.1)
-      '@react-email/heading': 0.0.12(@types/react@18.2.69)(react@18.3.1)
-      '@react-email/hr': 0.0.8(react@18.3.1)
-      '@react-email/html': 0.0.8(react@18.3.1)
-      '@react-email/img': 0.0.8(react@18.3.1)
-      '@react-email/link': 0.0.8(react@18.3.1)
-      '@react-email/markdown': 0.0.10(react@18.3.1)
-      '@react-email/preview': 0.0.9(react@18.3.1)
-      '@react-email/render': 0.0.13
-      '@react-email/row': 0.0.8(react@18.3.1)
-      '@react-email/section': 0.0.12(react@18.3.1)
-      '@react-email/tailwind': 0.0.16(react@18.3.1)
-      '@react-email/text': 0.0.8(react@18.3.1)
-      react: 18.3.1
-    transitivePeerDependencies:
-      - '@types/react'
-
-  '@react-email/container@0.0.11(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-
-  '@react-email/container@0.0.12(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
+      - react-dom
 
-  '@react-email/font@0.0.5(react@18.3.1)':
+  '@react-email/body@0.3.0(react@18.3.1)':
     dependencies:
       react: 18.3.1
 
-  '@react-email/font@0.0.6(react@18.3.1)':
+  '@react-email/button@0.2.1(react@18.3.1)':
     dependencies:
       react: 18.3.1
 
-  '@react-email/head@0.0.7(react@18.3.1)':
+  '@react-email/code-block@0.2.1(react@18.3.1)':
     dependencies:
+      prismjs: 1.30.0
       react: 18.3.1
 
-  '@react-email/head@0.0.8(react@18.3.1)':
+  '@react-email/code-inline@0.0.6(react@18.3.1)':
     dependencies:
       react: 18.3.1
 
-  '@react-email/heading@0.0.11(@types/react@18.2.69)(react@18.3.1)':
+  '@react-email/column@0.0.14(react@18.3.1)':
     dependencies:
-      '@radix-ui/react-slot': 1.0.2(@types/react@18.2.69)(react@18.3.1)
       react: 18.3.1
-    transitivePeerDependencies:
-      - '@types/react'
 
-  '@react-email/heading@0.0.12(@types/react@18.2.69)(react@18.3.1)':
-    dependencies:
-      '@radix-ui/react-slot': 1.0.2(@types/react@18.2.69)(react@18.3.1)
+  '@react-email/components@1.0.12(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
+    dependencies:
+      '@react-email/body': 0.3.0(react@18.3.1)
+      '@react-email/button': 0.2.1(react@18.3.1)
+      '@react-email/code-block': 0.2.1(react@18.3.1)
+      '@react-email/code-inline': 0.0.6(react@18.3.1)
+      '@react-email/column': 0.0.14(react@18.3.1)
+      '@react-email/container': 0.0.16(react@18.3.1)
+      '@react-email/font': 0.0.10(react@18.3.1)
+      '@react-email/head': 0.0.13(react@18.3.1)
+      '@react-email/heading': 0.0.16(react@18.3.1)
+      '@react-email/hr': 0.0.12(react@18.3.1)
+      '@react-email/html': 0.0.12(react@18.3.1)
+      '@react-email/img': 0.0.12(react@18.3.1)
+      '@react-email/link': 0.0.13(react@18.3.1)
+      '@react-email/markdown': 0.0.18(react@18.3.1)
+      '@react-email/preview': 0.0.14(react@18.3.1)
+      '@react-email/render': 2.0.6(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
+      '@react-email/row': 0.0.13(react@18.3.1)
+      '@react-email/section': 0.0.17(react@18.3.1)
+      '@react-email/tailwind': 2.0.7(@react-email/body@0.3.0(react@18.3.1))(@react-email/button@0.2.1(react@18.3.1))(@react-email/code-block@0.2.1(react@18.3.1))(@react-email/code-inline@0.0.6(react@18.3.1))(@react-email/container@0.0.16(react@18.3.1))(@react-email/heading@0.0.16(react@18.3.1))(@react-email/hr@0.0.12(react@18.3.1))(@react-email/img@0.0.12(react@18.3.1))(@react-email/link@0.0.13(react@18.3.1))(@react-email/preview@0.0.14(react@18.3.1))(@react-email/text@0.1.6(react@18.3.1))(react@18.3.1)
+      '@react-email/text': 0.1.6(react@18.3.1)
       react: 18.3.1
     transitivePeerDependencies:
-      - '@types/react'
-
-  '@react-email/hr@0.0.7(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-
-  '@react-email/hr@0.0.8(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
+      - react-dom
 
-  '@react-email/html@0.0.7(react@18.3.1)':
+  '@react-email/container@0.0.16(react@18.3.1)':
     dependencies:
       react: 18.3.1
 
-  '@react-email/html@0.0.8(react@18.3.1)':
+  '@react-email/font@0.0.10(react@18.3.1)':
     dependencies:
       react: 18.3.1
 
-  '@react-email/img@0.0.7(react@18.3.1)':
+  '@react-email/head@0.0.13(react@18.3.1)':
     dependencies:
       react: 18.3.1
 
-  '@react-email/img@0.0.8(react@18.3.1)':
+  '@react-email/heading@0.0.16(react@18.3.1)':
     dependencies:
       react: 18.3.1
 
-  '@react-email/link@0.0.7(react@18.3.1)':
+  '@react-email/hr@0.0.12(react@18.3.1)':
     dependencies:
       react: 18.3.1
 
-  '@react-email/link@0.0.8(react@18.3.1)':
+  '@react-email/html@0.0.12(react@18.3.1)':
     dependencies:
       react: 18.3.1
 
-  '@react-email/markdown@0.0.10(react@18.3.1)':
+  '@react-email/img@0.0.12(react@18.3.1)':
     dependencies:
-      md-to-react-email: 5.0.2(react@18.3.1)
       react: 18.3.1
 
-  '@react-email/markdown@0.0.9(react@18.3.1)':
+  '@react-email/link@0.0.13(react@18.3.1)':
     dependencies:
-      md-to-react-email: 5.0.2(react@18.3.1)
       react: 18.3.1
 
-  '@react-email/preview@0.0.8(react@18.3.1)':
+  '@react-email/markdown@0.0.18(react@18.3.1)':
     dependencies:
+      marked: 15.0.12
       react: 18.3.1
 
-  '@react-email/preview@0.0.9(react@18.3.1)':
+  '@react-email/preview@0.0.14(react@18.3.1)':
     dependencies:
       react: 18.3.1
 
@@ -28471,62 +23246,55 @@ snapshots:
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  '@react-email/render@0.0.13':
+  '@react-email/render@2.0.6(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
     dependencies:
       html-to-text: 9.0.5
-      js-beautify: 1.15.1
+      prettier: 3.8.3
       react: 18.3.1
       react-dom: 18.2.0(react@18.3.1)
 
-  '@react-email/row@0.0.7(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-
-  '@react-email/row@0.0.8(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-
-  '@react-email/section@0.0.11(react@18.3.1)':
-    dependencies:
-      react: 18.3.1
-
-  '@react-email/section@0.0.12(react@18.3.1)':
+  '@react-email/render@2.0.8(react-dom@18.2.0(react@18.3.1))(react@18.3.1)':
     dependencies:
+      html-to-text: 9.0.5
+      prettier: 3.8.3
       react: 18.3.1
+      react-dom: 18.2.0(react@18.3.1)
 
-  '@react-email/tailwind@0.0.15(react@18.3.1)':
+  '@react-email/row@0.0.13(react@18.3.1)':
     dependencies:
       react: 18.3.1
 
-  '@react-email/tailwind@0.0.16(react@18.3.1)':
+  '@react-email/section@0.0.17(react@18.3.1)':
     dependencies:
       react: 18.3.1
 
-  '@react-email/text@0.0.7(react@18.3.1)':
+  '@react-email/tailwind@2.0.7(@react-email/body@0.3.0(react@18.3.1))(@react-email/button@0.2.1(react@18.3.1))(@react-email/code-block@0.2.1(react@18.3.1))(@react-email/code-inline@0.0.6(react@18.3.1))(@react-email/container@0.0.16(react@18.3.1))(@react-email/heading@0.0.16(react@18.3.1))(@react-email/hr@0.0.12(react@18.3.1))(@react-email/img@0.0.12(react@18.3.1))(@react-email/link@0.0.13(react@18.3.1))(@react-email/preview@0.0.14(react@18.3.1))(@react-email/text@0.1.6(react@18.3.1))(react@18.3.1)':
     dependencies:
+      '@react-email/text': 0.1.6(react@18.3.1)
       react: 18.3.1
+      tailwindcss: 4.3.0
+    optionalDependencies:
+      '@react-email/body': 0.3.0(react@18.3.1)
+      '@react-email/button': 0.2.1(react@18.3.1)
+      '@react-email/code-block': 0.2.1(react@18.3.1)
+      '@react-email/code-inline': 0.0.6(react@18.3.1)
+      '@react-email/container': 0.0.16(react@18.3.1)
+      '@react-email/heading': 0.0.16(react@18.3.1)
+      '@react-email/hr': 0.0.12(react@18.3.1)
+      '@react-email/img': 0.0.12(react@18.3.1)
+      '@react-email/link': 0.0.13(react@18.3.1)
+      '@react-email/preview': 0.0.14(react@18.3.1)
 
-  '@react-email/text@0.0.8(react@18.3.1)':
+  '@react-email/text@0.1.6(react@18.3.1)':
     dependencies:
       react: 18.3.1
 
-  '@react-spring/rafz@9.7.4': {}
-
   '@react-stately/calendar@3.4.3(react@18.2.0)':
     dependencies:
-      '@internationalized/date': 3.5.1
+      '@internationalized/date': 3.12.1
       '@react-stately/utils': 3.9.0(react@18.2.0)
       '@react-types/calendar': 3.4.3(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/calendar@3.5.4(react@18.2.0)':
-    dependencies:
-      '@internationalized/date': 3.5.5
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/calendar': 3.4.9(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
@@ -28535,28 +23303,13 @@ snapshots:
       '@react-stately/form': 3.0.0(react@18.2.0)
       '@react-stately/utils': 3.9.0(react@18.2.0)
       '@react-types/checkbox': 3.6.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/checkbox@3.6.8(react@18.2.0)':
-    dependencies:
-      '@react-stately/form': 3.0.5(react@18.2.0)
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/checkbox': 3.8.3(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
   '@react-stately/collections@3.10.4(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/collections@3.10.9(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
@@ -28569,38 +23322,13 @@ snapshots:
       '@react-stately/select': 3.6.1(react@18.2.0)
       '@react-stately/utils': 3.9.0(react@18.2.0)
       '@react-types/combobox': 3.10.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/combobox@3.9.2(react@18.2.0)':
-    dependencies:
-      '@react-stately/collections': 3.10.9(react@18.2.0)
-      '@react-stately/form': 3.0.5(react@18.2.0)
-      '@react-stately/list': 3.10.8(react@18.2.0)
-      '@react-stately/overlays': 3.6.10(react@18.2.0)
-      '@react-stately/select': 3.6.7(react@18.2.0)
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/combobox': 3.12.1(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
   '@react-stately/data@3.11.0(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/datepicker@3.10.2(react@18.2.0)':
-    dependencies:
-      '@internationalized/date': 3.5.5
-      '@internationalized/string': 3.2.3
-      '@react-stately/form': 3.0.5(react@18.2.0)
-      '@react-stately/overlays': 3.6.10(react@18.2.0)
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/datepicker': 3.8.2(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
@@ -28619,14 +23347,7 @@ snapshots:
   '@react-stately/dnd@3.2.7(react@18.2.0)':
     dependencies:
       '@react-stately/selection': 3.14.2(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/dnd@3.4.2(react@18.2.0)':
-    dependencies:
-      '@react-stately/selection': 3.16.2(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
@@ -28634,19 +23355,9 @@ snapshots:
     dependencies:
       '@swc/helpers': 0.4.14
 
-  '@react-stately/flags@3.0.3':
-    dependencies:
-      '@swc/helpers': 0.5.15
-
   '@react-stately/form@3.0.0(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/form@3.0.5(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
@@ -28655,16 +23366,7 @@ snapshots:
       '@react-stately/collections': 3.10.4(react@18.2.0)
       '@react-stately/selection': 3.14.2(react@18.2.0)
       '@react-types/grid': 3.2.3(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/grid@3.9.2(react@18.2.0)':
-    dependencies:
-      '@react-stately/collections': 3.10.9(react@18.2.0)
-      '@react-stately/selection': 3.16.2(react@18.2.0)
-      '@react-types/grid': 3.2.8(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
@@ -28673,16 +23375,7 @@ snapshots:
       '@react-stately/collections': 3.10.4(react@18.2.0)
       '@react-stately/selection': 3.14.2(react@18.2.0)
       '@react-stately/utils': 3.9.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/list@3.10.8(react@18.2.0)':
-    dependencies:
-      '@react-stately/collections': 3.10.9(react@18.2.0)
-      '@react-stately/selection': 3.16.2(react@18.2.0)
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
@@ -28690,43 +23383,19 @@ snapshots:
     dependencies:
       '@react-stately/overlays': 3.6.4(react@18.2.0)
       '@react-types/menu': 3.9.6(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/menu@3.8.2(react@18.2.0)':
-    dependencies:
-      '@react-stately/overlays': 3.6.10(react@18.2.0)
-      '@react-types/menu': 3.9.11(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
   '@react-stately/numberfield@3.8.0(react@18.2.0)':
     dependencies:
-      '@internationalized/number': 3.5.0
+      '@internationalized/number': 3.6.6
       '@react-stately/form': 3.0.0(react@18.2.0)
       '@react-stately/utils': 3.9.0(react@18.2.0)
       '@react-types/numberfield': 3.7.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
-  '@react-stately/numberfield@3.9.6(react@18.2.0)':
-    dependencies:
-      '@internationalized/number': 3.5.3
-      '@react-stately/form': 3.0.5(react@18.2.0)
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/numberfield': 3.8.5(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/overlays@3.6.10(react@18.2.0)':
-    dependencies:
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/overlays': 3.8.9(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
   '@react-stately/overlays@3.6.4(react@18.2.0)':
     dependencies:
       '@react-stately/utils': 3.9.0(react@18.2.0)
@@ -28739,16 +23408,7 @@ snapshots:
       '@react-stately/form': 3.0.0(react@18.2.0)
       '@react-stately/utils': 3.9.0(react@18.2.0)
       '@react-types/radio': 3.7.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/radio@3.10.7(react@18.2.0)':
-    dependencies:
-      '@react-stately/form': 3.0.5(react@18.2.0)
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/radio': 3.8.3(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
@@ -28759,30 +23419,13 @@ snapshots:
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
-  '@react-stately/searchfield@3.5.6(react@18.2.0)':
-    dependencies:
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/searchfield': 3.5.8(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
   '@react-stately/select@3.6.1(react@18.2.0)':
     dependencies:
       '@react-stately/form': 3.0.0(react@18.2.0)
       '@react-stately/list': 3.10.2(react@18.2.0)
       '@react-stately/overlays': 3.6.4(react@18.2.0)
       '@react-types/select': 3.9.1(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/select@3.6.7(react@18.2.0)':
-    dependencies:
-      '@react-stately/form': 3.0.5(react@18.2.0)
-      '@react-stately/list': 3.10.8(react@18.2.0)
-      '@react-stately/overlays': 3.6.10(react@18.2.0)
-      '@react-types/select': 3.9.6(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
@@ -28790,34 +23433,18 @@ snapshots:
     dependencies:
       '@react-stately/collections': 3.10.4(react@18.2.0)
       '@react-stately/utils': 3.9.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/selection@3.16.2(react@18.2.0)':
-    dependencies:
-      '@react-stately/collections': 3.10.9(react@18.2.0)
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
   '@react-stately/slider@3.5.0(react@18.2.0)':
     dependencies:
       '@react-stately/utils': 3.9.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@react-types/slider': 3.7.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
-  '@react-stately/slider@3.5.7(react@18.2.0)':
-    dependencies:
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@react-types/slider': 3.7.5(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
   '@react-stately/table@3.11.4(react@18.2.0)':
     dependencies:
       '@react-stately/collections': 3.10.4(react@18.2.0)
@@ -28826,40 +23453,19 @@ snapshots:
       '@react-stately/selection': 3.14.2(react@18.2.0)
       '@react-stately/utils': 3.9.0(react@18.2.0)
       '@react-types/grid': 3.2.3(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@react-types/table': 3.9.2(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
-  '@react-stately/table@3.12.2(react@18.2.0)':
-    dependencies:
-      '@react-stately/collections': 3.10.9(react@18.2.0)
-      '@react-stately/flags': 3.0.3
-      '@react-stately/grid': 3.9.2(react@18.2.0)
-      '@react-stately/selection': 3.16.2(react@18.2.0)
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/grid': 3.2.8(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@react-types/table': 3.10.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
   '@react-stately/tabs@3.6.3(react@18.2.0)':
     dependencies:
       '@react-stately/list': 3.10.2(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@react-types/tabs': 3.3.4(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
-  '@react-stately/tabs@3.6.9(react@18.2.0)':
-    dependencies:
-      '@react-stately/list': 3.10.8(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@react-types/tabs': 3.3.9(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
   '@react-stately/toggle@3.7.0(react@18.2.0)':
     dependencies:
       '@react-stately/utils': 3.9.0(react@18.2.0)
@@ -28867,20 +23473,6 @@ snapshots:
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
-  '@react-stately/toggle@3.7.7(react@18.2.0)':
-    dependencies:
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/checkbox': 3.8.3(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/tooltip@3.4.12(react@18.2.0)':
-    dependencies:
-      '@react-stately/overlays': 3.6.10(react@18.2.0)
-      '@react-types/tooltip': 3.4.11(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
   '@react-stately/tooltip@3.4.6(react@18.2.0)':
     dependencies:
       '@react-stately/overlays': 3.6.4(react@18.2.0)
@@ -28893,21 +23485,7 @@ snapshots:
       '@react-stately/collections': 3.10.4(react@18.2.0)
       '@react-stately/selection': 3.14.2(react@18.2.0)
       '@react-stately/utils': 3.9.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/tree@3.8.4(react@18.2.0)':
-    dependencies:
-      '@react-stately/collections': 3.10.9(react@18.2.0)
-      '@react-stately/selection': 3.16.2(react@18.2.0)
-      '@react-stately/utils': 3.10.3(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@swc/helpers': 0.5.15
-      react: 18.2.0
-
-  '@react-stately/utils@3.10.3(react@18.2.0)':
-    dependencies:
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
@@ -28916,65 +23494,40 @@ snapshots:
       '@swc/helpers': 0.5.15
       react: 18.2.0
 
-  '@react-stately/virtualizer@3.6.6(react@18.2.0)':
+  '@react-stately/virtualizer@3.6.6(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
     dependencies:
-      '@react-aria/utils': 3.23.0(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@swc/helpers': 0.5.15
       react: 18.2.0
+    transitivePeerDependencies:
+      - react-dom
 
   '@react-types/breadcrumbs@3.7.2(react@18.2.0)':
     dependencies:
       '@react-types/link': 3.5.2(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/breadcrumbs@3.7.7(react@18.2.0)':
-    dependencies:
-      '@react-types/link': 3.5.7(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/button@3.9.1(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/button@3.9.6(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/calendar@3.4.3(react@18.2.0)':
     dependencies:
-      '@internationalized/date': 3.5.1
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/calendar@3.4.9(react@18.2.0)':
-    dependencies:
-      '@internationalized/date': 3.5.5
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@internationalized/date': 3.12.1
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/checkbox@3.6.0(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/checkbox@3.8.3(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/combobox@3.10.0(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/combobox@3.12.1(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/datepicker@3.7.1(react@18.2.0)':
@@ -28985,66 +23538,31 @@ snapshots:
       '@react-types/shared': 3.22.0(react@18.2.0)
       react: 18.2.0
 
-  '@react-types/datepicker@3.8.2(react@18.2.0)':
-    dependencies:
-      '@internationalized/date': 3.5.5
-      '@react-types/calendar': 3.4.9(react@18.2.0)
-      '@react-types/overlays': 3.8.9(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/dialog@3.5.12(react@18.2.0)':
-    dependencies:
-      '@react-types/overlays': 3.8.9(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      react: 18.2.0
-
   '@react-types/dialog@3.5.7(react@18.2.0)':
     dependencies:
       '@react-types/overlays': 3.8.4(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/grid@3.2.3(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/grid@3.2.8(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/link@3.5.2(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/link@3.5.7(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/listbox@3.4.6(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/listbox@3.5.1(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/menu@3.9.11(react@18.2.0)':
-    dependencies:
-      '@react-types/overlays': 3.8.9(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/menu@3.9.6(react@18.2.0)':
     dependencies:
       '@react-types/overlays': 3.8.4(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/meter@3.3.6(react@18.2.0)':
@@ -29052,143 +23570,75 @@ snapshots:
       '@react-types/progress': 3.5.1(react@18.2.0)
       react: 18.2.0
 
-  '@react-types/meter@3.4.3(react@18.2.0)':
-    dependencies:
-      '@react-types/progress': 3.5.6(react@18.2.0)
-      react: 18.2.0
-
   '@react-types/numberfield@3.7.0(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/numberfield@3.8.5(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/overlays@3.8.4(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/overlays@3.8.9(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/progress@3.5.1(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/progress@3.5.6(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/radio@3.7.0(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/radio@3.8.3(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/searchfield@3.5.2(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       '@react-types/textfield': 3.9.0(react@18.2.0)
       react: 18.2.0
 
-  '@react-types/searchfield@3.5.8(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      '@react-types/textfield': 3.9.6(react@18.2.0)
-      react: 18.2.0
-
   '@react-types/select@3.9.1(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/select@3.9.6(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/shared@3.22.0(react@18.2.0)':
     dependencies:
       react: 18.2.0
 
-  '@react-types/shared@3.24.1(react@18.2.0)':
+  '@react-types/shared@3.34.0(react@18.2.0)':
     dependencies:
       react: 18.2.0
 
   '@react-types/slider@3.7.0(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/slider@3.7.5(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/switch@3.5.0(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/switch@3.5.5(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/table@3.10.1(react@18.2.0)':
-    dependencies:
-      '@react-types/grid': 3.2.8(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/table@3.9.2(react@18.2.0)':
     dependencies:
       '@react-types/grid': 3.2.3(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/tabs@3.3.4(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/tabs@3.3.9(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/textfield@3.9.0(react@18.2.0)':
     dependencies:
-      '@react-types/shared': 3.22.0(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/textfield@3.9.6(react@18.2.0)':
-    dependencies:
-      '@react-types/shared': 3.24.1(react@18.2.0)
-      react: 18.2.0
-
-  '@react-types/tooltip@3.4.11(react@18.2.0)':
-    dependencies:
-      '@react-types/overlays': 3.8.9(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@react-types/tooltip@3.4.6(react@18.2.0)':
     dependencies:
       '@react-types/overlays': 3.8.4(react@18.2.0)
-      '@react-types/shared': 3.22.0(react@18.2.0)
+      '@react-types/shared': 3.34.0(react@18.2.0)
       react: 18.2.0
 
   '@remix-run/changelog-github@0.0.5(encoding@0.1.13)':
@@ -29200,7 +23650,7 @@ snapshots:
     transitivePeerDependencies:
       - encoding
 
-  '@remix-run/dev@2.1.0(@remix-run/serve@2.1.0(typescript@5.5.4))(@types/node@20.14.14)(bufferutil@4.0.9)(encoding@0.1.13)(lightningcss@1.29.2)(terser@5.44.1)(typescript@5.5.4)':
+  '@remix-run/dev@2.17.4(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/serve@2.17.4(typescript@5.5.4))(@types/node@20.14.14)(bufferutil@4.0.9)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(typescript@5.5.4)(vite@6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(yaml@2.9.0))(yaml@2.9.0)':
     dependencies:
       '@babel/core': 7.22.17
       '@babel/generator': 7.24.7
@@ -29209,16 +23659,22 @@ snapshots:
       '@babel/plugin-syntax-jsx': 7.22.5(@babel/core@7.22.17)
       '@babel/preset-typescript': 7.21.5(@babel/core@7.22.17)
       '@babel/traverse': 7.24.7
+      '@babel/types': 7.27.3
       '@mdx-js/mdx': 2.3.0
       '@npmcli/package-json': 4.0.1
-      '@remix-run/server-runtime': 2.1.0(typescript@5.5.4)
+      '@remix-run/node': 2.17.4(typescript@5.5.4)
+      '@remix-run/react': 2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
+      '@remix-run/router': 1.23.2(patch_hash=f14fb2af2690628a0164b66d98e8d7cd6a0e8a4a30a51e53cfb1b6caeca6f7c9)
+      '@remix-run/server-runtime': 2.17.4(typescript@5.5.4)
       '@types/mdx': 2.0.5
-      '@vanilla-extract/integration': 6.2.1(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1)
+      '@vanilla-extract/integration': 6.2.1(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.46.1)
       arg: 5.0.2
       cacache: 17.1.4
       chalk: 4.1.2
       chokidar: 3.6.0
+      cross-spawn: 7.0.6
       dotenv: 16.4.7
+      es-module-lexer: 1.7.0
       esbuild: 0.17.6
       esbuild-plugins-node-modules-polyfill: 1.6.1(esbuild@0.17.6)
       execa: 5.1.1
@@ -29229,46 +23685,53 @@ snapshots:
       gunzip-maybe: 1.4.2
       jsesc: 3.0.2
       json5: 2.2.3
-      lodash: 4.17.23
+      lodash: 4.18.1
       lodash.debounce: 4.0.8
       minimatch: 9.0.5
-      node-fetch: 2.6.12(encoding@0.1.13)
       ora: 5.4.1
+      pathe: 1.1.2
       picocolors: 1.1.1
-      picomatch: 2.3.1
+      picomatch: 2.3.2
       pidtree: 0.6.0
-      postcss: 8.5.4
-      postcss-discard-duplicates: 5.1.0(postcss@8.5.4)
-      postcss-load-config: 4.0.2(postcss@8.5.4)
-      postcss-modules: 6.0.0(postcss@8.5.4)
+      postcss: 8.5.10
+      postcss-discard-duplicates: 5.1.0(postcss@8.5.10)
+      postcss-load-config: 4.0.2(postcss@8.5.10)
+      postcss-modules: 6.0.0(postcss@8.5.10)
       prettier: 2.8.8
       pretty-ms: 7.0.1
       react-refresh: 0.14.0
       remark-frontmatter: 4.0.1
       remark-mdx-frontmatter: 1.1.1
-      semver: 7.7.2
-      tar-fs: 2.1.3
+      semver: 7.7.3
+      set-cookie-parser: 2.6.0
+      tar-fs: 2.1.4
       tsconfig-paths: 4.2.0
-      ws: 7.5.9(bufferutil@4.0.9)
+      valibot: 1.3.1(typescript@5.5.4)
+      vite-node: 3.1.4(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(yaml@2.9.0)
+      ws: 7.5.10(bufferutil@4.0.9)
     optionalDependencies:
-      '@remix-run/serve': 2.1.0(typescript@5.5.4)
+      '@remix-run/serve': 2.17.4(typescript@5.5.4)
       typescript: 5.5.4
+      vite: 6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(yaml@2.9.0)
     transitivePeerDependencies:
       - '@types/node'
       - bluebird
       - bufferutil
-      - encoding
+      - jiti
       - less
       - lightningcss
       - sass
+      - sass-embedded
       - stylus
       - sugarss
       - supports-color
       - terser
       - ts-node
+      - tsx
       - utf-8-validate
+      - yaml
 
-  '@remix-run/eslint-config@2.1.0(eslint@8.31.0)(react@18.2.0)(typescript@5.5.4)':
+  '@remix-run/eslint-config@2.17.4(eslint@8.31.0)(react@18.2.0)(typescript@5.5.4)':
     dependencies:
       '@babel/core': 7.22.17
       '@babel/eslint-parser': 7.21.8(@babel/core@7.22.17)(eslint@8.31.0)
@@ -29295,88 +23758,88 @@ snapshots:
       - jest
       - supports-color
 
-  '@remix-run/express@2.1.0(express@4.20.0)(typescript@5.5.4)':
+  '@remix-run/express@2.17.4(express@4.20.0)(typescript@5.5.4)':
     dependencies:
-      '@remix-run/node': 2.1.0(typescript@5.5.4)
+      '@remix-run/node': 2.17.4(typescript@5.5.4)
       express: 4.20.0
     optionalDependencies:
       typescript: 5.5.4
 
-  '@remix-run/node@2.1.0(typescript@5.5.4)':
+  '@remix-run/node@2.17.4(typescript@5.5.4)':
     dependencies:
-      '@remix-run/server-runtime': 2.1.0(typescript@5.5.4)
-      '@remix-run/web-fetch': 4.4.1
-      '@remix-run/web-file': 3.1.0
-      '@remix-run/web-stream': 1.1.0
+      '@remix-run/server-runtime': 2.17.4(typescript@5.5.4)
+      '@remix-run/web-fetch': 4.4.2
       '@web3-storage/multipart-parser': 1.0.0
-      cookie-signature: 1.2.0
+      cookie-signature: 1.2.2
       source-map-support: 0.5.21
       stream-slice: 0.1.2
+      undici: 6.25.0
     optionalDependencies:
       typescript: 5.5.4
 
-  '@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)':
+  '@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)':
     dependencies:
-      '@remix-run/router': 1.10.0
-      '@remix-run/server-runtime': 2.1.0(typescript@5.5.4)
+      '@remix-run/router': 1.23.2(patch_hash=f14fb2af2690628a0164b66d98e8d7cd6a0e8a4a30a51e53cfb1b6caeca6f7c9)
+      '@remix-run/server-runtime': 2.17.4(typescript@5.5.4)
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
-      react-router-dom: 6.17.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      react-router: 6.30.3(react@18.2.0)
+      react-router-dom: 6.30.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      turbo-stream: 2.4.1
     optionalDependencies:
       typescript: 5.5.4
 
-  '@remix-run/router@1.10.0': {}
+  '@remix-run/router@1.23.2(patch_hash=f14fb2af2690628a0164b66d98e8d7cd6a0e8a4a30a51e53cfb1b6caeca6f7c9)': {}
 
-  '@remix-run/router@1.15.3': {}
-
-  '@remix-run/serve@2.1.0(typescript@5.5.4)':
+  '@remix-run/serve@2.17.4(typescript@5.5.4)':
     dependencies:
-      '@remix-run/express': 2.1.0(express@4.20.0)(typescript@5.5.4)
-      '@remix-run/node': 2.1.0(typescript@5.5.4)
+      '@remix-run/express': 2.17.4(express@4.20.0)(typescript@5.5.4)
+      '@remix-run/node': 2.17.4(typescript@5.5.4)
       chokidar: 3.6.0
-      compression: 1.7.4
+      compression: 1.8.1
       express: 4.20.0
       get-port: 5.1.1
-      morgan: 1.10.0
+      morgan: 1.10.1
       source-map-support: 0.5.21
     transitivePeerDependencies:
       - supports-color
       - typescript
 
-  '@remix-run/server-runtime@2.1.0(typescript@5.5.4)':
+  '@remix-run/server-runtime@2.17.4(typescript@5.5.4)':
     dependencies:
-      '@remix-run/router': 1.10.0
-      '@types/cookie': 0.4.1
+      '@remix-run/router': 1.23.2(patch_hash=f14fb2af2690628a0164b66d98e8d7cd6a0e8a4a30a51e53cfb1b6caeca6f7c9)
+      '@types/cookie': 0.6.0
       '@web3-storage/multipart-parser': 1.0.0
-      cookie: 0.4.2
+      cookie: 0.7.2
       set-cookie-parser: 2.6.0
       source-map: 0.7.4
+      turbo-stream: 2.4.1
     optionalDependencies:
       typescript: 5.5.4
 
-  '@remix-run/testing@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)':
+  '@remix-run/testing@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)':
     dependencies:
-      '@remix-run/node': 2.1.0(typescript@5.5.4)
-      '@remix-run/react': 2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
-      '@remix-run/router': 1.10.0
+      '@remix-run/node': 2.17.4(typescript@5.5.4)
+      '@remix-run/react': 2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
+      '@remix-run/router': 1.23.2(patch_hash=f14fb2af2690628a0164b66d98e8d7cd6a0e8a4a30a51e53cfb1b6caeca6f7c9)
       react: 18.2.0
-      react-router-dom: 6.17.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      react-router-dom: 6.30.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
     optionalDependencies:
       typescript: 5.5.4
     transitivePeerDependencies:
       - react-dom
 
-  '@remix-run/v1-meta@0.1.3(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4))':
+  '@remix-run/v1-meta@0.1.3(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4))':
     dependencies:
-      '@remix-run/react': 2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
-      '@remix-run/server-runtime': 2.1.0(typescript@5.5.4)
+      '@remix-run/react': 2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
+      '@remix-run/server-runtime': 2.17.4(typescript@5.5.4)
 
   '@remix-run/web-blob@3.1.0':
     dependencies:
       '@remix-run/web-stream': 1.1.0
       web-encoding: 1.1.5
 
-  '@remix-run/web-fetch@4.4.1':
+  '@remix-run/web-fetch@4.4.2':
     dependencies:
       '@remix-run/web-blob': 3.1.0
       '@remix-run/web-file': 3.1.0
@@ -29399,72 +23862,90 @@ snapshots:
     dependencies:
       web-streams-polyfill: 3.2.1
 
-  '@rollup/rollup-android-arm-eabi@4.36.0':
+  '@rollup/rollup-android-arm-eabi@4.60.1':
     optional: true
 
-  '@rollup/rollup-android-arm64@4.36.0':
+  '@rollup/rollup-android-arm64@4.60.1':
     optional: true
 
-  '@rollup/rollup-darwin-arm64@4.36.0':
+  '@rollup/rollup-darwin-arm64@4.53.2':
     optional: true
 
-  '@rollup/rollup-darwin-arm64@4.53.2':
+  '@rollup/rollup-darwin-arm64@4.60.1':
+    optional: true
+
+  '@rollup/rollup-darwin-x64@4.60.1':
     optional: true
 
-  '@rollup/rollup-darwin-x64@4.36.0':
+  '@rollup/rollup-freebsd-arm64@4.60.1':
     optional: true
 
-  '@rollup/rollup-freebsd-arm64@4.36.0':
+  '@rollup/rollup-freebsd-x64@4.60.1':
     optional: true
 
-  '@rollup/rollup-freebsd-x64@4.36.0':
+  '@rollup/rollup-linux-arm-gnueabihf@4.60.1':
     optional: true
 
-  '@rollup/rollup-linux-arm-gnueabihf@4.36.0':
+  '@rollup/rollup-linux-arm-musleabihf@4.60.1':
     optional: true
 
-  '@rollup/rollup-linux-arm-musleabihf@4.36.0':
+  '@rollup/rollup-linux-arm64-gnu@4.60.1':
     optional: true
 
-  '@rollup/rollup-linux-arm64-gnu@4.36.0':
+  '@rollup/rollup-linux-arm64-musl@4.60.1':
     optional: true
 
-  '@rollup/rollup-linux-arm64-musl@4.36.0':
+  '@rollup/rollup-linux-loong64-gnu@4.60.1':
     optional: true
 
-  '@rollup/rollup-linux-loongarch64-gnu@4.36.0':
+  '@rollup/rollup-linux-loong64-musl@4.60.1':
     optional: true
 
-  '@rollup/rollup-linux-powerpc64le-gnu@4.36.0':
+  '@rollup/rollup-linux-ppc64-gnu@4.60.1':
     optional: true
 
-  '@rollup/rollup-linux-riscv64-gnu@4.36.0':
+  '@rollup/rollup-linux-ppc64-musl@4.60.1':
     optional: true
 
-  '@rollup/rollup-linux-s390x-gnu@4.36.0':
+  '@rollup/rollup-linux-riscv64-gnu@4.60.1':
     optional: true
 
-  '@rollup/rollup-linux-x64-gnu@4.36.0':
+  '@rollup/rollup-linux-riscv64-musl@4.60.1':
+    optional: true
+
+  '@rollup/rollup-linux-s390x-gnu@4.60.1':
     optional: true
 
   '@rollup/rollup-linux-x64-gnu@4.53.2':
     optional: true
 
-  '@rollup/rollup-linux-x64-musl@4.36.0':
+  '@rollup/rollup-linux-x64-gnu@4.60.1':
+    optional: true
+
+  '@rollup/rollup-linux-x64-musl@4.60.1':
     optional: true
 
-  '@rollup/rollup-win32-arm64-msvc@4.36.0':
+  '@rollup/rollup-openbsd-x64@4.60.1':
     optional: true
 
-  '@rollup/rollup-win32-ia32-msvc@4.36.0':
+  '@rollup/rollup-openharmony-arm64@4.60.1':
     optional: true
 
-  '@rollup/rollup-win32-x64-msvc@4.36.0':
+  '@rollup/rollup-win32-arm64-msvc@4.60.1':
+    optional: true
+
+  '@rollup/rollup-win32-ia32-msvc@4.60.1':
+    optional: true
+
+  '@rollup/rollup-win32-x64-gnu@4.60.1':
+    optional: true
+
+  '@rollup/rollup-win32-x64-msvc@4.60.1':
     optional: true
 
   '@rushstack/eslint-patch@1.2.0': {}
 
-  '@s2-dev/streamstore@0.22.5(supports-color@10.0.0)':
+  '@s2-dev/streamstore@0.22.10(supports-color@10.0.0)':
     dependencies:
       '@protobuf-ts/runtime': 2.11.1
       debug: 4.4.3(supports-color@10.0.0)
@@ -29550,66 +24031,66 @@ snapshots:
 
   '@sentry/core@9.46.0': {}
 
-  '@sentry/node-core@9.46.0(@opentelemetry/api@1.9.0)(@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/instrumentation@0.57.2(@opentelemetry/api@1.9.0))(@opentelemetry/resources@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/semantic-conventions@1.36.0)':
+  '@sentry/node-core@9.46.0(@opentelemetry/api@1.9.1)(@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/instrumentation@0.57.2(@opentelemetry/api@1.9.1))(@opentelemetry/resources@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/semantic-conventions@1.41.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/context-async-hooks': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-base': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/context-async-hooks': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-trace-base': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
       '@sentry/core': 9.46.0
-      '@sentry/opentelemetry': 9.46.0(@opentelemetry/api@1.9.0)(@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/semantic-conventions@1.36.0)
-      import-in-the-middle: 1.14.2
+      '@sentry/opentelemetry': 9.46.0(@opentelemetry/api@1.9.1)(@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/semantic-conventions@1.41.1)
+      import-in-the-middle: 1.15.0
 
   '@sentry/node@9.46.0':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/context-async-hooks': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-amqplib': 0.46.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-connect': 0.43.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-dataloader': 0.16.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-express': 0.47.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-fs': 0.19.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-generic-pool': 0.43.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-graphql': 0.47.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-hapi': 0.45.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-http': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-ioredis': 0.47.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-kafkajs': 0.7.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-knex': 0.44.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-koa': 0.47.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-lru-memoizer': 0.44.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-mongodb': 0.52.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-mongoose': 0.46.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-mysql': 0.45.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-mysql2': 0.45.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-pg': 0.51.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-redis-4': 0.46.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-tedious': 0.18.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/instrumentation-undici': 0.10.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/resources': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-base': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
-      '@prisma/instrumentation': 6.11.1(@opentelemetry/api@1.9.0)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/context-async-hooks': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-amqplib': 0.46.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-connect': 0.43.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-dataloader': 0.16.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-express': 0.47.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-fs': 0.19.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-generic-pool': 0.43.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-graphql': 0.47.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-hapi': 0.45.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-http': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-ioredis': 0.47.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-kafkajs': 0.7.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-knex': 0.44.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-koa': 0.47.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-lru-memoizer': 0.44.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-mongodb': 0.52.0(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-mongoose': 0.46.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-mysql': 0.45.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-mysql2': 0.45.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-pg': 0.51.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-redis-4': 0.46.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-tedious': 0.18.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/instrumentation-undici': 0.10.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/resources': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-trace-base': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
+      '@prisma/instrumentation': 6.11.1(@opentelemetry/api@1.9.1)
       '@sentry/core': 9.46.0
-      '@sentry/node-core': 9.46.0(@opentelemetry/api@1.9.0)(@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/instrumentation@0.57.2(@opentelemetry/api@1.9.0))(@opentelemetry/resources@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/semantic-conventions@1.36.0)
-      '@sentry/opentelemetry': 9.46.0(@opentelemetry/api@1.9.0)(@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/semantic-conventions@1.36.0)
-      import-in-the-middle: 1.14.2
+      '@sentry/node-core': 9.46.0(@opentelemetry/api@1.9.1)(@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/instrumentation@0.57.2(@opentelemetry/api@1.9.1))(@opentelemetry/resources@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/semantic-conventions@1.41.1)
+      '@sentry/opentelemetry': 9.46.0(@opentelemetry/api@1.9.1)(@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/semantic-conventions@1.41.1)
+      import-in-the-middle: 1.15.0
       minimatch: 9.0.5
     transitivePeerDependencies:
       - supports-color
 
-  '@sentry/opentelemetry@9.46.0(@opentelemetry/api@1.9.0)(@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0))(@opentelemetry/semantic-conventions@1.36.0)':
+  '@sentry/opentelemetry@9.46.0(@opentelemetry/api@1.9.1)(@opentelemetry/context-async-hooks@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/core@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.1))(@opentelemetry/semantic-conventions@1.41.1)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/context-async-hooks': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-base': 1.30.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/context-async-hooks': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/core': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/sdk-trace-base': 1.30.1(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
       '@sentry/core': 9.46.0
 
   '@sentry/react@9.46.0(react@18.2.0)':
@@ -29619,15 +24100,15 @@ snapshots:
       hoist-non-react-statics: 3.3.2
       react: 18.2.0
 
-  '@sentry/remix@9.46.0(patch_hash=146126b032581925294aaed63ab53ce3f5e0356a755f1763d7a9a76b9846943b)(@remix-run/node@2.1.0(typescript@5.5.4))(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4))(encoding@0.1.13)(react@18.2.0)':
+  '@sentry/remix@9.46.0(patch_hash=146126b032581925294aaed63ab53ce3f5e0356a755f1763d7a9a76b9846943b)(@remix-run/node@2.17.4(typescript@5.5.4))(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4))(encoding@0.1.13)(react@18.2.0)':
     dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.0)
-      '@opentelemetry/semantic-conventions': 1.36.0
-      '@remix-run/node': 2.1.0(typescript@5.5.4)
-      '@remix-run/react': 2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
-      '@remix-run/router': 1.15.3
-      '@remix-run/server-runtime': 2.1.0(typescript@5.5.4)
+      '@opentelemetry/api': 1.9.1
+      '@opentelemetry/instrumentation': 0.57.2(@opentelemetry/api@1.9.1)
+      '@opentelemetry/semantic-conventions': 1.41.1
+      '@remix-run/node': 2.17.4(typescript@5.5.4)
+      '@remix-run/react': 2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
+      '@remix-run/router': 1.23.2(patch_hash=f14fb2af2690628a0164b66d98e8d7cd6a0e8a4a30a51e53cfb1b6caeca6f7c9)
+      '@remix-run/server-runtime': 2.17.4(typescript@5.5.4)
       '@sentry/cli': 2.50.2(encoding@0.1.13)
       '@sentry/core': 9.46.0
       '@sentry/node': 9.46.0
@@ -29639,33 +24120,33 @@ snapshots:
       - encoding
       - supports-color
 
-  '@shikijs/core@3.13.0':
+  '@shikijs/core@3.23.0':
     dependencies:
-      '@shikijs/types': 3.13.0
+      '@shikijs/types': 3.23.0
       '@shikijs/vscode-textmate': 10.0.2
       '@types/hast': 3.0.4
       hast-util-to-html: 9.0.5
 
-  '@shikijs/engine-javascript@3.13.0':
+  '@shikijs/engine-javascript@3.23.0':
     dependencies:
-      '@shikijs/types': 3.13.0
+      '@shikijs/types': 3.23.0
       '@shikijs/vscode-textmate': 10.0.2
-      oniguruma-to-es: 4.3.3
+      oniguruma-to-es: 4.3.6
 
-  '@shikijs/engine-oniguruma@3.13.0':
+  '@shikijs/engine-oniguruma@3.23.0':
     dependencies:
-      '@shikijs/types': 3.13.0
+      '@shikijs/types': 3.23.0
       '@shikijs/vscode-textmate': 10.0.2
 
-  '@shikijs/langs@3.13.0':
+  '@shikijs/langs@3.23.0':
     dependencies:
-      '@shikijs/types': 3.13.0
+      '@shikijs/types': 3.23.0
 
-  '@shikijs/themes@3.13.0':
+  '@shikijs/themes@3.23.0':
     dependencies:
-      '@shikijs/types': 3.13.0
+      '@shikijs/types': 3.23.0
 
-  '@shikijs/types@3.13.0':
+  '@shikijs/types@3.23.0':
     dependencies:
       '@shikijs/vscode-textmate': 10.0.2
       '@types/hast': 3.0.4
@@ -29688,19 +24169,19 @@ snapshots:
 
   '@sindresorhus/merge-streams@4.0.0': {}
 
-  '@slack/logger@4.0.0':
+  '@slack/logger@4.0.1':
     dependencies:
       '@types/node': 20.14.14
 
-  '@slack/types@2.14.0': {}
+  '@slack/types@2.21.1': {}
 
-  '@slack/web-api@7.9.1':
+  '@slack/web-api@7.16.0':
     dependencies:
-      '@slack/logger': 4.0.0
-      '@slack/types': 2.14.0
+      '@slack/logger': 4.0.1
+      '@slack/types': 2.21.1
       '@types/node': 20.14.14
       '@types/retry': 0.12.0
-      axios: 1.12.2
+      axios: 1.16.1
       eventemitter3: 5.0.1
       form-data: 4.0.4
       is-electron: 2.2.2
@@ -29710,6 +24191,7 @@ snapshots:
       retry: 0.13.1
     transitivePeerDependencies:
       - debug
+      - supports-color
 
   '@smithy/abort-controller@2.0.14':
     dependencies:
@@ -30633,6 +25115,11 @@ snapshots:
 
   '@standard-schema/spec@1.1.0': {}
 
+  '@streamdown/code@1.1.1(react@18.2.0)':
+    dependencies:
+      react: 18.2.0
+      shiki: 3.23.0
+
   '@stricli/auto-complete@1.2.0':
     dependencies:
       '@stricli/core': 1.2.0
@@ -30715,6 +25202,7 @@ snapshots:
       '@swc/core-win32-ia32-msvc': 1.3.101
       '@swc/core-win32-x64-msvc': 1.3.101
       '@swc/helpers': 0.5.15
+    optional: true
 
   '@swc/core@1.3.26':
     optionalDependencies:
@@ -30729,7 +25217,8 @@ snapshots:
       '@swc/core-win32-ia32-msvc': 1.3.26
       '@swc/core-win32-x64-msvc': 1.3.26
 
-  '@swc/counter@0.1.3': {}
+  '@swc/counter@0.1.3':
+    optional: true
 
   '@swc/helpers@0.4.14':
     dependencies:
@@ -30743,14 +25232,10 @@ snapshots:
     dependencies:
       tslib: 2.8.1
 
-  '@swc/helpers@0.5.5':
-    dependencies:
-      '@swc/counter': 0.1.3
-      tslib: 2.8.1
-
   '@swc/types@0.1.6':
     dependencies:
       '@swc/counter': 0.1.3
+    optional: true
 
   '@szmarczak/http-timer@1.1.2':
     dependencies:
@@ -30772,68 +25257,6 @@ snapshots:
       mini-svg-data-uri: 1.4.4
       tailwindcss: 3.4.1
 
-  '@tailwindcss/node@4.0.17':
-    dependencies:
-      enhanced-resolve: 5.18.3
-      jiti: 2.4.2
-      tailwindcss: 4.0.17
-
-  '@tailwindcss/oxide-android-arm64@4.0.17':
-    optional: true
-
-  '@tailwindcss/oxide-darwin-arm64@4.0.17':
-    optional: true
-
-  '@tailwindcss/oxide-darwin-x64@4.0.17':
-    optional: true
-
-  '@tailwindcss/oxide-freebsd-x64@4.0.17':
-    optional: true
-
-  '@tailwindcss/oxide-linux-arm-gnueabihf@4.0.17':
-    optional: true
-
-  '@tailwindcss/oxide-linux-arm64-gnu@4.0.17':
-    optional: true
-
-  '@tailwindcss/oxide-linux-arm64-musl@4.0.17':
-    optional: true
-
-  '@tailwindcss/oxide-linux-x64-gnu@4.0.17':
-    optional: true
-
-  '@tailwindcss/oxide-linux-x64-musl@4.0.17':
-    optional: true
-
-  '@tailwindcss/oxide-win32-arm64-msvc@4.0.17':
-    optional: true
-
-  '@tailwindcss/oxide-win32-x64-msvc@4.0.17':
-    optional: true
-
-  '@tailwindcss/oxide@4.0.17':
-    optionalDependencies:
-      '@tailwindcss/oxide-android-arm64': 4.0.17
-      '@tailwindcss/oxide-darwin-arm64': 4.0.17
-      '@tailwindcss/oxide-darwin-x64': 4.0.17
-      '@tailwindcss/oxide-freebsd-x64': 4.0.17
-      '@tailwindcss/oxide-linux-arm-gnueabihf': 4.0.17
-      '@tailwindcss/oxide-linux-arm64-gnu': 4.0.17
-      '@tailwindcss/oxide-linux-arm64-musl': 4.0.17
-      '@tailwindcss/oxide-linux-x64-gnu': 4.0.17
-      '@tailwindcss/oxide-linux-x64-musl': 4.0.17
-      '@tailwindcss/oxide-win32-arm64-msvc': 4.0.17
-      '@tailwindcss/oxide-win32-x64-msvc': 4.0.17
-
-  '@tailwindcss/postcss@4.0.17':
-    dependencies:
-      '@alloc/quick-lru': 5.2.0
-      '@tailwindcss/node': 4.0.17
-      '@tailwindcss/oxide': 4.0.17
-      lightningcss: 1.29.2
-      postcss: 8.5.6
-      tailwindcss: 4.0.17
-
   '@tailwindcss/typography@0.5.9(tailwindcss@3.4.1)':
     dependencies:
       lodash.castarray: 4.4.0
@@ -30842,14 +25265,6 @@ snapshots:
       postcss-selector-parser: 6.0.10
       tailwindcss: 3.4.1
 
-  '@tailwindcss/typography@0.5.9(tailwindcss@4.0.17)':
-    dependencies:
-      lodash.castarray: 4.4.0
-      lodash.isplainobject: 4.0.6
-      lodash.merge: 4.6.2
-      postcss-selector-parser: 6.0.10
-      tailwindcss: 4.0.17
-
   '@tanstack/match-sorter-utils@8.19.4':
     dependencies:
       remove-accents: 0.5.0
@@ -30883,17 +25298,17 @@ snapshots:
       graphql: 16.6.0
       zod: 3.25.76
 
-  '@testcontainers/postgresql@10.28.0':
+  '@testcontainers/postgresql@11.14.0':
     dependencies:
-      testcontainers: 10.28.0
+      testcontainers: 11.14.0
     transitivePeerDependencies:
       - bare-abort-controller
       - bare-buffer
       - supports-color
 
-  '@testcontainers/redis@10.28.0':
+  '@testcontainers/redis@11.14.0':
     dependencies:
-      testcontainers: 10.28.0
+      testcontainers: 11.14.0
     transitivePeerDependencies:
       - bare-abort-controller
       - bare-buffer
@@ -30901,7 +25316,7 @@ snapshots:
 
   '@testing-library/dom@8.19.1':
     dependencies:
-      '@babel/code-frame': 7.22.13
+      '@babel/code-frame': 7.24.7
       '@babel/runtime': 7.28.4
       '@types/aria-query': 5.0.1
       aria-query: 5.3.0
@@ -30910,20 +25325,8 @@ snapshots:
       lz-string: 1.4.4
       pretty-format: 27.5.1
 
-  '@testing-library/jest-dom@6.5.0':
-    dependencies:
-      '@adobe/css-tools': 4.4.0
-      aria-query: 5.3.0
-      chalk: 3.0.0
-      css.escape: 1.5.1
-      dom-accessibility-api: 0.6.3
-      lodash: 4.17.23
-      redent: 3.0.0
-
   '@tokenizer/token@0.3.0': {}
 
-  '@tootallnate/quickjs-emscripten@0.23.0': {}
-
   '@total-typescript/ts-reset@0.4.2': {}
 
   '@trigger.dev/companyicons@1.5.35(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
@@ -30952,12 +25355,13 @@ snapshots:
 
   '@types/btoa-lite@1.0.2': {}
 
-  '@types/bun@1.1.6':
-    dependencies:
-      bun-types: 1.1.17
-
   '@types/caseless@0.12.5': {}
 
+  '@types/chai@5.2.3':
+    dependencies:
+      '@types/deep-eql': 4.0.2
+      assertion-error: 2.0.1
+
   '@types/compression@1.7.2':
     dependencies:
       '@types/express': 4.17.15
@@ -30980,10 +25384,6 @@ snapshots:
     dependencies:
       '@types/node': 20.14.14
 
-  '@types/cross-spawn@6.0.2':
-    dependencies:
-      '@types/node': 20.14.14
-
   '@types/d3-array@3.0.8': {}
 
   '@types/d3-axis@3.0.6':
@@ -31109,15 +25509,11 @@ snapshots:
     dependencies:
       '@types/ms': 0.7.31
 
-  '@types/debug@4.1.8':
-    dependencies:
-      '@types/ms': 0.7.31
-
   '@types/decimal.js@7.4.3':
     dependencies:
       decimal.js: 10.6.0
 
-  '@types/diff-match-patch@1.0.36': {}
+  '@types/deep-eql@4.0.2': {}
 
   '@types/docker-modem@3.0.6':
     dependencies:
@@ -31130,19 +25526,16 @@ snapshots:
       '@types/node': 20.14.14
       '@types/ssh2': 1.15.1
 
-  '@types/dompurify@3.2.0':
-    dependencies:
-      dompurify: 3.2.6
-
-  '@types/eslint-scope@3.7.4':
+  '@types/dockerode@4.0.1':
     dependencies:
-      '@types/eslint': 8.4.10
-      '@types/estree': 1.0.8
+      '@types/docker-modem': 3.0.6
+      '@types/node': 20.14.14
+      '@types/ssh2': 1.15.1
 
   '@types/eslint-scope@3.7.7':
     dependencies:
       '@types/eslint': 8.56.12
-      '@types/estree': 1.0.8
+      '@types/estree': 1.0.9
 
   '@types/eslint@8.4.10':
     dependencies:
@@ -31151,7 +25544,7 @@ snapshots:
 
   '@types/eslint@8.56.12':
     dependencies:
-      '@types/estree': 1.0.8
+      '@types/estree': 1.0.9
       '@types/json-schema': 7.0.15
 
   '@types/estree-jsx@1.0.0':
@@ -31160,10 +25553,10 @@ snapshots:
 
   '@types/estree@1.0.0': {}
 
-  '@types/estree@1.0.6': {}
-
   '@types/estree@1.0.8': {}
 
+  '@types/estree@1.0.9': {}
+
   '@types/eventsource@1.1.15': {}
 
   '@types/express-serve-static-core@4.17.32':
@@ -31201,8 +25594,6 @@ snapshots:
     dependencies:
       '@types/node': 20.14.14
 
-  '@types/invariant@2.2.37': {}
-
   '@types/is-ci@3.0.0':
     dependencies:
       ci-info: 3.8.0
@@ -31226,8 +25617,6 @@ snapshots:
       '@types/ms': 0.7.31
       '@types/node': 20.14.14
 
-  '@types/katex@0.16.7': {}
-
   '@types/keyv@3.1.4':
     dependencies:
       '@types/node': 20.14.14
@@ -31289,12 +25678,9 @@ snapshots:
     dependencies:
       undici-types: 5.26.5
 
-  '@types/nodemailer@7.0.4':
+  '@types/nodemailer@8.0.0':
     dependencies:
-      '@aws-sdk/client-sesv2': 3.940.0
       '@types/node': 20.14.14
-    transitivePeerDependencies:
-      - aws-crt
 
   '@types/normalize-package-data@2.4.1': {}
 
@@ -31351,10 +25737,6 @@ snapshots:
     dependencies:
       '@types/react': 18.2.69
 
-  '@types/react-dom@19.0.4(@types/react@19.0.12)':
-    dependencies:
-      '@types/react': 19.0.12
-
   '@types/react@18.2.48':
     dependencies:
       '@types/prop-types': 15.7.5
@@ -31372,10 +25754,6 @@ snapshots:
       '@types/prop-types': 15.7.5
       csstype: 3.1.3
 
-  '@types/react@19.0.12':
-    dependencies:
-      csstype: 3.2.0
-
   '@types/react@19.2.14':
     dependencies:
       csstype: 3.2.3
@@ -31406,7 +25784,7 @@ snapshots:
 
   '@types/rimraf@4.0.5':
     dependencies:
-      rimraf: 5.0.7
+      rimraf: 6.0.1
 
   '@types/scheduler@0.16.2': {}
 
@@ -31482,21 +25860,6 @@ snapshots:
 
   '@types/unist@3.0.3': {}
 
-  '@types/uuid@10.0.0': {}
-
-  '@types/uuid@9.0.0': {}
-
-  '@types/webpack@5.28.5(@swc/core@1.3.101(@swc/helpers@0.5.15))(esbuild@0.19.11)':
-    dependencies:
-      '@types/node': 20.14.14
-      tapable: 2.2.1
-      webpack: 5.88.2(@swc/core@1.3.101(@swc/helpers@0.5.15))(esbuild@0.19.11)
-    transitivePeerDependencies:
-      - '@swc/core'
-      - esbuild
-      - uglify-js
-      - webpack-cli
-
   '@types/ws@8.5.10':
     dependencies:
       '@types/node': 20.14.14
@@ -31509,11 +25872,6 @@ snapshots:
     dependencies:
       '@types/node': 20.14.14
 
-  '@types/yauzl@2.10.3':
-    dependencies:
-      '@types/node': 20.14.14
-    optional: true
-
   '@typescript-eslint/eslint-plugin@5.59.6(@typescript-eslint/parser@5.59.6(eslint@8.31.0)(typescript@5.5.4))(eslint@8.31.0)(typescript@5.5.4)':
     dependencies:
       '@eslint-community/regexpp': 4.5.1
@@ -31637,22 +25995,10 @@ snapshots:
     dependencies:
       zod: 3.25.76
 
-  '@uploadthing/mime-types@0.3.0': {}
-
-  '@uploadthing/react@7.0.3(next@14.2.21(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@18.2.0(react@18.3.1))(react@18.3.1))(react@18.3.1)(uploadthing@7.1.0(express@5.2.1)(fastify@5.4.0)(next@14.2.21(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@18.2.0(react@18.3.1))(react@18.3.1))(tailwindcss@3.4.1))':
-    dependencies:
-      '@uploadthing/shared': 7.0.3
-      file-selector: 0.6.0
-      react: 18.3.1
-      uploadthing: 7.1.0(express@5.2.1)(fastify@5.4.0)(next@14.2.21(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@18.2.0(react@18.3.1))(react@18.3.1))(tailwindcss@3.4.1)
+  '@upsetjs/venn.js@2.0.0':
     optionalDependencies:
-      next: 14.2.21(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-
-  '@uploadthing/shared@7.0.3':
-    dependencies:
-      '@uploadthing/mime-types': 0.3.0
-      effect: 3.7.2
-      sqids: 0.3.0
+      d3-selection: 3.0.0
+      d3-transition: 3.0.1(d3-selection@3.0.0)
 
   '@upstash/core-analytics@0.0.8':
     dependencies:
@@ -31680,13 +26026,13 @@ snapshots:
       chalk: 4.1.2
       css-what: 5.1.0
       cssesc: 3.0.0
-      csstype: 3.2.0
+      csstype: 3.2.3
       deep-object-diff: 1.1.9
       deepmerge: 4.3.1
       media-query-parser: 2.0.2
       outdent: 0.8.0
 
-  '@vanilla-extract/integration@6.2.1(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1)':
+  '@vanilla-extract/integration@6.2.1(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.46.1)':
     dependencies:
       '@babel/core': 7.22.17
       '@babel/plugin-syntax-typescript': 7.21.4(@babel/core@7.22.17)
@@ -31696,11 +26042,11 @@ snapshots:
       eval: 0.1.6
       find-up: 5.0.0
       javascript-stringify: 2.1.0
-      lodash: 4.17.23
+      lodash: 4.18.1
       mlly: 1.7.4
       outdent: 0.8.0
-      vite: 4.4.9(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1)
-      vite-node: 0.28.5(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1)
+      vite: 4.4.9(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.46.1)
+      vite-node: 0.28.5(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.46.1)
     transitivePeerDependencies:
       - '@types/node'
       - less
@@ -31713,29 +26059,11 @@ snapshots:
 
   '@vanilla-extract/private@1.0.3': {}
 
-  '@vercel/oidc@3.0.3': {}
-
   '@vercel/oidc@3.0.5': {}
 
   '@vercel/oidc@3.1.0': {}
 
-  '@vercel/otel@1.13.0(@opentelemetry/api-logs@0.203.0)(@opentelemetry/api@1.9.0)(@opentelemetry/instrumentation@0.203.0(@opentelemetry/api@1.9.0))(@opentelemetry/resources@2.2.0(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-logs@0.203.0(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-metrics@2.0.1(@opentelemetry/api@1.9.0))(@opentelemetry/sdk-trace-base@2.0.1(@opentelemetry/api@1.9.0))':
-    dependencies:
-      '@opentelemetry/api': 1.9.0
-      '@opentelemetry/api-logs': 0.203.0
-      '@opentelemetry/instrumentation': 0.203.0(@opentelemetry/api@1.9.0)(supports-color@10.0.0)
-      '@opentelemetry/resources': 2.2.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-logs': 0.203.0(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-metrics': 2.0.1(@opentelemetry/api@1.9.0)
-      '@opentelemetry/sdk-trace-base': 2.0.1(@opentelemetry/api@1.9.0)
-
-  '@vercel/postgres@0.10.0':
-    dependencies:
-      '@neondatabase/serverless': 0.9.5
-      bufferutil: 4.0.9
-      ws: 8.18.0(bufferutil@4.0.9)
-    transitivePeerDependencies:
-      - utf-8-validate
+  '@vercel/oidc@3.2.0': {}
 
   '@vercel/sdk@1.19.1':
     dependencies:
@@ -31745,126 +26073,90 @@ snapshots:
       - '@cfworker/json-schema'
       - supports-color
 
-  '@vitest/coverage-v8@3.1.4(vitest@3.1.4(@types/debug@4.1.12)(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1))':
+  '@vitest/coverage-v8@4.1.7(vitest@4.1.7)':
     dependencies:
-      '@ampproject/remapping': 2.3.0
       '@bcoe/v8-coverage': 1.0.2
-      debug: 4.4.0
+      '@vitest/utils': 4.1.7
+      ast-v8-to-istanbul: 1.0.2
       istanbul-lib-coverage: 3.2.2
       istanbul-lib-report: 3.0.1
-      istanbul-lib-source-maps: 5.0.6
-      istanbul-reports: 3.1.7
-      magic-string: 0.30.17
-      magicast: 0.3.5
-      std-env: 3.9.0
-      test-exclude: 7.0.1
-      tinyrainbow: 2.0.0
-      vitest: 3.1.4(@types/debug@4.1.12)(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1)
-    transitivePeerDependencies:
-      - supports-color
+      istanbul-reports: 3.2.0
+      magicast: 0.5.3
+      obug: 2.1.1
+      std-env: 4.1.0
+      tinyrainbow: 3.1.0
+      vitest: 4.1.7(@opentelemetry/api@1.9.1)(@types/node@20.14.14)(@vitest/coverage-v8@4.1.7)(vite@6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@3.12.2)(yaml@2.9.0))
 
-  '@vitest/expect@3.1.4':
+  '@vitest/expect@4.1.7':
     dependencies:
-      '@vitest/spy': 3.1.4
-      '@vitest/utils': 3.1.4
-      chai: 5.2.0
-      tinyrainbow: 2.0.0
+      '@standard-schema/spec': 1.1.0
+      '@types/chai': 5.2.3
+      '@vitest/spy': 4.1.7
+      '@vitest/utils': 4.1.7
+      chai: 6.2.2
+      tinyrainbow: 3.1.0
 
-  '@vitest/mocker@3.1.4(vite@5.4.21(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1))':
+  '@vitest/mocker@4.1.7(vite@6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@3.12.2)(yaml@2.9.0))':
     dependencies:
-      '@vitest/spy': 3.1.4
+      '@vitest/spy': 4.1.7
       estree-walker: 3.0.3
       magic-string: 0.30.21
     optionalDependencies:
-      vite: 5.4.21(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1)
-
-  '@vitest/pretty-format@2.1.9':
-    dependencies:
-      tinyrainbow: 1.2.0
+      vite: 6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@3.12.2)(yaml@2.9.0)
 
-  '@vitest/pretty-format@3.1.4':
+  '@vitest/mocker@4.1.7(vite@6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(yaml@2.9.0))':
     dependencies:
-      tinyrainbow: 2.0.0
+      '@vitest/spy': 4.1.7
+      estree-walker: 3.0.3
+      magic-string: 0.30.21
+    optionalDependencies:
+      vite: 6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(yaml@2.9.0)
 
-  '@vitest/runner@2.1.9':
+  '@vitest/pretty-format@4.1.7':
     dependencies:
-      '@vitest/utils': 2.1.9
-      pathe: 1.1.2
+      tinyrainbow: 3.1.0
 
-  '@vitest/runner@3.1.4':
+  '@vitest/runner@4.1.7':
     dependencies:
-      '@vitest/utils': 3.1.4
+      '@vitest/utils': 4.1.7
       pathe: 2.0.3
 
-  '@vitest/snapshot@3.1.4':
+  '@vitest/snapshot@4.1.7':
     dependencies:
-      '@vitest/pretty-format': 3.1.4
+      '@vitest/pretty-format': 4.1.7
+      '@vitest/utils': 4.1.7
       magic-string: 0.30.21
       pathe: 2.0.3
 
-  '@vitest/spy@3.1.4':
-    dependencies:
-      tinyspy: 3.0.2
-
-  '@vitest/utils@2.1.9':
-    dependencies:
-      '@vitest/pretty-format': 2.1.9
-      loupe: 3.1.3
-      tinyrainbow: 1.2.0
+  '@vitest/spy@4.1.7': {}
 
-  '@vitest/utils@3.1.4':
+  '@vitest/utils@4.1.7':
     dependencies:
-      '@vitest/pretty-format': 3.1.4
-      loupe: 3.1.3
-      tinyrainbow: 2.0.0
+      '@vitest/pretty-format': 4.1.7
+      convert-source-map: 2.0.0
+      tinyrainbow: 3.1.0
 
   '@web3-storage/multipart-parser@1.0.0': {}
 
-  '@webassemblyjs/ast@1.11.5':
-    dependencies:
-      '@webassemblyjs/helper-numbers': 1.11.5
-      '@webassemblyjs/helper-wasm-bytecode': 1.11.5
-
   '@webassemblyjs/ast@1.14.1':
     dependencies:
       '@webassemblyjs/helper-numbers': 1.13.2
       '@webassemblyjs/helper-wasm-bytecode': 1.13.2
 
-  '@webassemblyjs/floating-point-hex-parser@1.11.5': {}
-
   '@webassemblyjs/floating-point-hex-parser@1.13.2': {}
 
-  '@webassemblyjs/helper-api-error@1.11.5': {}
-
   '@webassemblyjs/helper-api-error@1.13.2': {}
 
-  '@webassemblyjs/helper-buffer@1.11.5': {}
-
   '@webassemblyjs/helper-buffer@1.14.1': {}
 
-  '@webassemblyjs/helper-numbers@1.11.5':
-    dependencies:
-      '@webassemblyjs/floating-point-hex-parser': 1.11.5
-      '@webassemblyjs/helper-api-error': 1.11.5
-      '@xtuc/long': 4.2.2
-
   '@webassemblyjs/helper-numbers@1.13.2':
     dependencies:
       '@webassemblyjs/floating-point-hex-parser': 1.13.2
       '@webassemblyjs/helper-api-error': 1.13.2
       '@xtuc/long': 4.2.2
 
-  '@webassemblyjs/helper-wasm-bytecode@1.11.5': {}
-
   '@webassemblyjs/helper-wasm-bytecode@1.13.2': {}
 
-  '@webassemblyjs/helper-wasm-section@1.11.5':
-    dependencies:
-      '@webassemblyjs/ast': 1.11.5
-      '@webassemblyjs/helper-buffer': 1.11.5
-      '@webassemblyjs/helper-wasm-bytecode': 1.11.5
-      '@webassemblyjs/wasm-gen': 1.11.5
-
   '@webassemblyjs/helper-wasm-section@1.14.1':
     dependencies:
       '@webassemblyjs/ast': 1.14.1
@@ -31872,37 +26164,16 @@ snapshots:
       '@webassemblyjs/helper-wasm-bytecode': 1.13.2
       '@webassemblyjs/wasm-gen': 1.14.1
 
-  '@webassemblyjs/ieee754@1.11.5':
-    dependencies:
-      '@xtuc/ieee754': 1.2.0
-
   '@webassemblyjs/ieee754@1.13.2':
     dependencies:
       '@xtuc/ieee754': 1.2.0
 
-  '@webassemblyjs/leb128@1.11.5':
-    dependencies:
-      '@xtuc/long': 4.2.2
-
   '@webassemblyjs/leb128@1.13.2':
     dependencies:
       '@xtuc/long': 4.2.2
 
-  '@webassemblyjs/utf8@1.11.5': {}
-
   '@webassemblyjs/utf8@1.13.2': {}
 
-  '@webassemblyjs/wasm-edit@1.11.5':
-    dependencies:
-      '@webassemblyjs/ast': 1.11.5
-      '@webassemblyjs/helper-buffer': 1.11.5
-      '@webassemblyjs/helper-wasm-bytecode': 1.11.5
-      '@webassemblyjs/helper-wasm-section': 1.11.5
-      '@webassemblyjs/wasm-gen': 1.11.5
-      '@webassemblyjs/wasm-opt': 1.11.5
-      '@webassemblyjs/wasm-parser': 1.11.5
-      '@webassemblyjs/wast-printer': 1.11.5
-
   '@webassemblyjs/wasm-edit@1.14.1':
     dependencies:
       '@webassemblyjs/ast': 1.14.1
@@ -31914,14 +26185,6 @@ snapshots:
       '@webassemblyjs/wasm-parser': 1.14.1
       '@webassemblyjs/wast-printer': 1.14.1
 
-  '@webassemblyjs/wasm-gen@1.11.5':
-    dependencies:
-      '@webassemblyjs/ast': 1.11.5
-      '@webassemblyjs/helper-wasm-bytecode': 1.11.5
-      '@webassemblyjs/ieee754': 1.11.5
-      '@webassemblyjs/leb128': 1.11.5
-      '@webassemblyjs/utf8': 1.11.5
-
   '@webassemblyjs/wasm-gen@1.14.1':
     dependencies:
       '@webassemblyjs/ast': 1.14.1
@@ -31930,13 +26193,6 @@ snapshots:
       '@webassemblyjs/leb128': 1.13.2
       '@webassemblyjs/utf8': 1.13.2
 
-  '@webassemblyjs/wasm-opt@1.11.5':
-    dependencies:
-      '@webassemblyjs/ast': 1.11.5
-      '@webassemblyjs/helper-buffer': 1.11.5
-      '@webassemblyjs/wasm-gen': 1.11.5
-      '@webassemblyjs/wasm-parser': 1.11.5
-
   '@webassemblyjs/wasm-opt@1.14.1':
     dependencies:
       '@webassemblyjs/ast': 1.14.1
@@ -31944,15 +26200,6 @@ snapshots:
       '@webassemblyjs/wasm-gen': 1.14.1
       '@webassemblyjs/wasm-parser': 1.14.1
 
-  '@webassemblyjs/wasm-parser@1.11.5':
-    dependencies:
-      '@webassemblyjs/ast': 1.11.5
-      '@webassemblyjs/helper-api-error': 1.11.5
-      '@webassemblyjs/helper-wasm-bytecode': 1.11.5
-      '@webassemblyjs/ieee754': 1.11.5
-      '@webassemblyjs/leb128': 1.11.5
-      '@webassemblyjs/utf8': 1.11.5
-
   '@webassemblyjs/wasm-parser@1.14.1':
     dependencies:
       '@webassemblyjs/ast': 1.14.1
@@ -31962,11 +26209,6 @@ snapshots:
       '@webassemblyjs/leb128': 1.13.2
       '@webassemblyjs/utf8': 1.13.2
 
-  '@webassemblyjs/wast-printer@1.11.5':
-    dependencies:
-      '@webassemblyjs/ast': 1.11.5
-      '@xtuc/long': 4.2.2
-
   '@webassemblyjs/wast-printer@1.14.1':
     dependencies:
       '@webassemblyjs/ast': 1.14.1
@@ -31987,28 +26229,27 @@ snapshots:
       fast-url-parser: 1.1.3
       tslib: 2.8.1
 
-  '@window-splitter/state@0.4.1(patch_hash=da01382a3c0d3f4f66db5b09d6f0833cc21eaf8db00f97e2c1738797673b57c0)':
+  '@window-splitter/interface@1.1.3':
+    dependencies:
+      '@window-splitter/state': 1.1.3(patch_hash=ecf02927f78361c14d8f8347604fd355ba36f2fc4f9ba9a08cd63adc101b7327)
+
+  '@window-splitter/react@1.1.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)':
+    dependencies:
+      '@react-aria/utils': 3.34.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@window-splitter/interface': 1.1.3
+      '@window-splitter/state': 1.1.3(patch_hash=ecf02927f78361c14d8f8347604fd355ba36f2fc4f9ba9a08cd63adc101b7327)
+      react: 18.2.0
+      react-dom: 18.2.0(react@18.2.0)
+
+  '@window-splitter/state@1.1.3(patch_hash=ecf02927f78361c14d8f8347604fd355ba36f2fc4f9ba9a08cd63adc101b7327)':
     dependencies:
-      '@react-spring/rafz': 9.7.4
-      '@types/invariant': 2.2.37
       big.js: 6.2.2
-      invariant: 2.2.4
-      universal-cookie: 7.2.0
-      xstate: 5.18.1
 
   '@wolfy1339/lru-cache@11.0.2-patch.1': {}
 
-  '@xobotyi/scrollbar-width@1.9.5': {}
+  '@workflow/serde@4.1.0': {}
 
-  '@xstate/react@4.1.2(@types/react@18.2.69)(react@18.2.0)(xstate@5.18.1)':
-    dependencies:
-      react: 18.2.0
-      use-isomorphic-layout-effect: 1.1.2(@types/react@18.2.69)(react@18.2.0)
-      use-sync-external-store: 1.2.2(react@18.2.0)
-    optionalDependencies:
-      xstate: 5.18.1
-    transitivePeerDependencies:
-      - '@types/react'
+  '@xobotyi/scrollbar-width@1.9.5': {}
 
   '@xtuc/ieee754@1.2.0': {}
 
@@ -32035,29 +26276,17 @@ snapshots:
       mime-types: 3.0.0
       negotiator: 1.0.0
 
-  acorn-import-assertions@1.9.0(acorn@8.15.0):
+  acorn-import-attributes@1.9.5(acorn@8.16.0):
     dependencies:
-      acorn: 8.15.0
+      acorn: 8.16.0
 
-  acorn-import-attributes@1.9.5(acorn@8.12.1):
+  acorn-import-phases@1.0.4(acorn@8.16.0):
     dependencies:
-      acorn: 8.12.1
-
-  acorn-import-attributes@1.9.5(acorn@8.15.0):
-    dependencies:
-      acorn: 8.15.0
+      acorn: 8.16.0
 
-  acorn-import-phases@1.0.4(acorn@8.15.0):
+  acorn-jsx@5.3.2(acorn@8.16.0):
     dependencies:
-      acorn: 8.15.0
-
-  acorn-jsx@5.3.2(acorn@8.12.1):
-    dependencies:
-      acorn: 8.12.1
-
-  acorn-jsx@5.3.2(acorn@8.15.0):
-    dependencies:
-      acorn: 8.15.0
+      acorn: 8.16.0
 
   acorn-node@1.8.2:
     dependencies:
@@ -32067,15 +26296,13 @@ snapshots:
 
   acorn-walk@7.2.0: {}
 
-  acorn-walk@8.3.2: {}
-
   acorn@7.4.1: {}
 
   acorn@8.12.1: {}
 
   acorn@8.14.1: {}
 
-  acorn@8.15.0: {}
+  acorn@8.16.0: {}
 
   agent-base@6.0.2:
     dependencies:
@@ -32083,8 +26310,6 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  agent-base@7.1.4: {}
-
   agentcrumbs@0.5.0: {}
 
   agentkeepalive@4.5.0:
@@ -32103,90 +26328,59 @@ snapshots:
 
   ahocorasick@1.0.2: {}
 
-  ai@4.0.0(react@18.3.1)(zod@3.25.76):
-    dependencies:
-      '@ai-sdk/provider': 1.0.0
-      '@ai-sdk/provider-utils': 2.0.0(zod@3.25.76)
-      '@ai-sdk/react': 1.0.0(react@18.3.1)(zod@3.25.76)
-      '@ai-sdk/ui-utils': 1.0.0(zod@3.25.76)
-      '@opentelemetry/api': 1.9.0
-      jsondiffpatch: 0.6.0
-      zod-to-json-schema: 3.24.6(zod@3.25.76)
-    optionalDependencies:
-      react: 18.3.1
-      zod: 3.25.76
-
-  ai@4.2.5(react@19.0.0)(zod@3.25.76):
+  ai@6.0.116(zod@3.25.76):
     dependencies:
-      '@ai-sdk/provider': 1.1.0
-      '@ai-sdk/provider-utils': 2.2.1(zod@3.25.76)
-      '@ai-sdk/react': 1.2.2(react@19.0.0)(zod@3.25.76)
-      '@ai-sdk/ui-utils': 1.2.1(zod@3.25.76)
+      '@ai-sdk/gateway': 3.0.66(zod@3.25.76)
+      '@ai-sdk/provider': 3.0.8
+      '@ai-sdk/provider-utils': 4.0.19(zod@3.25.76)
       '@opentelemetry/api': 1.9.0
-      jsondiffpatch: 0.6.0
       zod: 3.25.76
-    optionalDependencies:
-      react: 19.0.0
 
-  ai@4.3.19(react@18.2.0)(zod@3.25.76):
+  ai@6.0.168(zod@3.25.76):
     dependencies:
-      '@ai-sdk/provider': 1.1.3
-      '@ai-sdk/provider-utils': 2.2.8(zod@3.25.76)
-      '@ai-sdk/react': 1.2.12(react@18.2.0)(zod@3.25.76)
-      '@ai-sdk/ui-utils': 1.2.11(zod@3.25.76)
+      '@ai-sdk/gateway': 3.0.104(zod@3.25.76)
+      '@ai-sdk/provider': 3.0.8
+      '@ai-sdk/provider-utils': 4.0.23(zod@3.25.76)
       '@opentelemetry/api': 1.9.0
-      jsondiffpatch: 0.6.0
       zod: 3.25.76
-    optionalDependencies:
-      react: 18.2.0
 
-  ai@5.0.14(zod@3.25.76):
+  ai@6.0.3(zod@3.25.76):
     dependencies:
-      '@ai-sdk/gateway': 1.0.6(zod@3.25.76)
-      '@ai-sdk/provider': 2.0.0
-      '@ai-sdk/provider-utils': 3.0.3(zod@3.25.76)
+      '@ai-sdk/gateway': 3.0.2(zod@3.25.76)
+      '@ai-sdk/provider': 3.0.0
+      '@ai-sdk/provider-utils': 4.0.1(zod@3.25.76)
       '@opentelemetry/api': 1.9.0
       zod: 3.25.76
 
-  ai@5.0.76(zod@3.25.76):
+  ai@7.0.0-beta.60(zod@3.25.76):
     dependencies:
-      '@ai-sdk/gateway': 2.0.0(zod@3.25.76)
-      '@ai-sdk/provider': 2.0.0
-      '@ai-sdk/provider-utils': 3.0.12(zod@3.25.76)
-      '@opentelemetry/api': 1.9.0
+      '@ai-sdk/gateway': 4.0.0-beta.30(zod@3.25.76)
+      '@ai-sdk/provider': 4.0.0-beta.5
+      '@ai-sdk/provider-utils': 5.0.0-beta.9(zod@3.25.76)
       zod: 3.25.76
 
-  ai@6.0.116(zod@3.25.76):
+  ai@7.0.0-canary.159(zod@3.25.76):
     dependencies:
-      '@ai-sdk/gateway': 3.0.66(zod@3.25.76)
-      '@ai-sdk/provider': 3.0.8
-      '@ai-sdk/provider-utils': 4.0.19(zod@3.25.76)
-      '@opentelemetry/api': 1.9.0
+      '@ai-sdk/gateway': 4.0.0-canary.93(zod@3.25.76)
+      '@ai-sdk/provider': 4.0.0-canary.17
+      '@ai-sdk/provider-utils': 5.0.0-canary.44(zod@3.25.76)
       zod: 3.25.76
 
-  ai@6.0.3(zod@3.25.76):
-    dependencies:
-      '@ai-sdk/gateway': 3.0.2(zod@3.25.76)
-      '@ai-sdk/provider': 3.0.0
-      '@ai-sdk/provider-utils': 4.0.1(zod@3.25.76)
-      '@opentelemetry/api': 1.9.0
-      zod: 3.25.76
-
-  ajv-formats@2.1.1(ajv@8.17.1):
+  ajv-formats@2.1.1(ajv@8.20.0):
     optionalDependencies:
-      ajv: 8.17.1
+      ajv: 8.20.0
 
-  ajv-formats@3.0.1(ajv@8.17.1):
+  ajv-formats@3.0.1(ajv@8.18.0):
     optionalDependencies:
-      ajv: 8.17.1
+      ajv: 8.18.0
 
-  ajv-keywords@3.5.2(ajv@6.12.6):
-    dependencies:
-      ajv: 6.12.6
+  ajv-formats@3.0.1(ajv@8.20.0):
+    optionalDependencies:
+      ajv: 8.20.0
 
-  ajv-keywords@5.1.0(ajv@8.17.1):
+  ajv-keywords@5.1.0(ajv@8.20.0):
     dependencies:
-      ajv: 8.17.1
+      ajv: 8.20.0
       fast-deep-equal: 3.1.3
 
   ajv@6.12.6:
@@ -32196,10 +26390,17 @@ snapshots:
       json-schema-traverse: 0.4.1
       uri-js: 4.4.1
 
-  ajv@8.17.1:
+  ajv@8.18.0:
+    dependencies:
+      fast-deep-equal: 3.1.3
+      fast-uri: 3.1.2
+      json-schema-traverse: 1.0.0
+      require-from-string: 2.0.2
+
+  ajv@8.20.0:
     dependencies:
       fast-deep-equal: 3.1.3
-      fast-uri: 3.0.6
+      fast-uri: 3.1.2
       json-schema-traverse: 1.0.0
       require-from-string: 2.0.2
 
@@ -32234,7 +26435,7 @@ snapshots:
   anymatch@3.1.3:
     dependencies:
       normalize-path: 3.0.0
-      picomatch: 2.3.1
+      picomatch: 2.3.2
 
   archiver-utils@5.0.2:
     dependencies:
@@ -32242,7 +26443,7 @@ snapshots:
       graceful-fs: 4.2.11
       is-stream: 2.0.1
       lazystream: 1.0.1
-      lodash: 4.17.23
+      lodash: 4.18.1
       normalize-path: 3.0.0
       readable-stream: 4.7.0
 
@@ -32290,68 +26491,53 @@ snapshots:
 
   array-flatten@1.1.1: {}
 
-  array-includes@3.1.6:
-    dependencies:
-      call-bind: 1.0.8
-      define-properties: 1.2.1
-      es-abstract: 1.21.1
-      get-intrinsic: 1.3.0
-      is-string: 1.0.7
-
   array-includes@3.1.8:
     dependencies:
-      call-bind: 1.0.7
+      call-bind: 1.0.8
       define-properties: 1.2.1
       es-abstract: 1.23.3
-      es-object-atoms: 1.0.0
-      get-intrinsic: 1.2.4
+      es-object-atoms: 1.1.1
+      get-intrinsic: 1.3.0
       is-string: 1.0.7
 
   array-union@2.1.0: {}
 
   array.prototype.findlastindex@1.2.5:
     dependencies:
-      call-bind: 1.0.7
+      call-bind: 1.0.8
       define-properties: 1.2.1
       es-abstract: 1.23.3
       es-errors: 1.3.0
-      es-object-atoms: 1.0.0
+      es-object-atoms: 1.1.1
       es-shim-unscopables: 1.0.2
 
   array.prototype.flat@1.3.1:
     dependencies:
       call-bind: 1.0.8
       define-properties: 1.2.1
-      es-abstract: 1.21.1
-      es-shim-unscopables: 1.0.0
-
-  array.prototype.flat@1.3.2:
-    dependencies:
-      call-bind: 1.0.7
-      define-properties: 1.2.1
       es-abstract: 1.23.3
-      es-shim-unscopables: 1.0.0
+      es-shim-unscopables: 1.0.2
 
-  array.prototype.flatmap@1.3.1:
+  array.prototype.flat@1.3.2:
     dependencies:
       call-bind: 1.0.8
       define-properties: 1.2.1
-      es-abstract: 1.21.1
-      es-shim-unscopables: 1.0.0
+      es-abstract: 1.23.3
+      es-shim-unscopables: 1.0.2
 
   array.prototype.flatmap@1.3.2:
     dependencies:
-      call-bind: 1.0.7
+      call-bind: 1.0.8
       define-properties: 1.2.1
       es-abstract: 1.23.3
-      es-shim-unscopables: 1.0.0
+      es-shim-unscopables: 1.0.2
 
   array.prototype.tosorted@1.1.1:
     dependencies:
       call-bind: 1.0.8
       define-properties: 1.2.1
-      es-abstract: 1.21.1
-      es-shim-unscopables: 1.0.0
+      es-abstract: 1.23.3
+      es-shim-unscopables: 1.0.2
       get-intrinsic: 1.3.0
 
   arraybuffer.prototype.slice@1.0.3:
@@ -32383,9 +26569,11 @@ snapshots:
 
   ast-types-flow@0.0.7: {}
 
-  ast-types@0.13.4:
+  ast-v8-to-istanbul@1.0.2:
     dependencies:
-      tslib: 2.8.1
+      '@jridgewell/trace-mapping': 0.3.31
+      estree-walker: 3.0.3
+      js-tokens: 10.0.0
 
   astral-regex@2.0.0: {}
 
@@ -32399,9 +26587,14 @@ snapshots:
 
   atomic-sleep@1.0.0: {}
 
+  atomically@2.1.1:
+    dependencies:
+      stubborn-fs: 2.0.0
+      when-exit: 2.1.5
+
   autoevals@0.0.130(encoding@0.1.13)(ws@8.12.0(bufferutil@4.0.9)):
     dependencies:
-      ajv: 8.17.1
+      ajv: 8.18.0
       compute-cosine-similarity: 1.1.0
       js-levenshtein: 1.1.6
       js-yaml: 4.1.1
@@ -32414,29 +26607,19 @@ snapshots:
       - encoding
       - ws
 
-  autoprefixer@10.4.13(postcss@8.5.6):
+  autoprefixer@10.4.13(postcss@8.5.10):
     dependencies:
       browserslist: 4.21.4
       caniuse-lite: 1.0.30001577
       fraction.js: 4.2.0
       normalize-range: 0.1.2
       picocolors: 1.0.0
-      postcss: 8.5.6
-      postcss-value-parser: 4.2.0
-
-  autoprefixer@10.4.14(postcss@8.4.35):
-    dependencies:
-      browserslist: 4.24.4
-      caniuse-lite: 1.0.30001754
-      fraction.js: 4.3.7
-      normalize-range: 0.1.2
-      picocolors: 1.1.1
-      postcss: 8.4.35
+      postcss: 8.5.10
       postcss-value-parser: 4.2.0
 
   autoprefixer@9.8.8:
     dependencies:
-      browserslist: 4.24.4
+      browserslist: 4.28.0
       caniuse-lite: 1.0.30001754
       normalize-range: 0.1.2
       num2fraction: 1.2.2
@@ -32461,13 +26644,15 @@ snapshots:
 
   axe-core@4.6.2: {}
 
-  axios@1.12.2:
+  axios@1.16.1:
     dependencies:
-      follow-redirects: 1.15.9
+      follow-redirects: 1.16.0
       form-data: 4.0.4
-      proxy-from-env: 1.1.0
+      https-proxy-agent: 5.0.1
+      proxy-from-env: 2.1.0
     transitivePeerDependencies:
       - debug
+      - supports-color
 
   axobject-query@3.2.1:
     dependencies:
@@ -32475,14 +26660,12 @@ snapshots:
 
   b4a@1.6.6: {}
 
-  babel-walk@3.0.0:
-    dependencies:
-      '@babel/types': 7.27.0
-
   bail@2.0.2: {}
 
   balanced-match@1.0.2: {}
 
+  balanced-match@4.0.4: {}
+
   bare-events@2.8.2:
     optional: true
 
@@ -32523,14 +26706,14 @@ snapshots:
 
   base64id@2.0.0: {}
 
+  baseline-browser-mapping@2.10.11: {}
+
   baseline-browser-mapping@2.8.28: {}
 
   basic-auth@2.0.1:
     dependencies:
       safe-buffer: 5.1.2
 
-  basic-ftp@5.0.3: {}
-
   bcrypt-pbkdf@1.0.2:
     dependencies:
       tweetnacl: 0.14.5
@@ -32545,6 +26728,7 @@ snapshots:
     dependencies:
       bindings: 1.5.0
       prebuild-install: 7.1.3
+    optional: true
 
   big.js@6.2.2: {}
 
@@ -32555,6 +26739,7 @@ snapshots:
   bindings@1.5.0:
     dependencies:
       file-uri-to-path: 1.0.0
+    optional: true
 
   bintrees@1.0.2: {}
 
@@ -32574,7 +26759,7 @@ snapshots:
       http-errors: 2.0.0
       iconv-lite: 0.4.24
       on-finished: 2.4.1
-      qs: 6.14.1
+      qs: 6.15.2
       raw-body: 2.5.2
       type-is: 1.6.18
       unpipe: 1.0.0
@@ -32586,10 +26771,10 @@ snapshots:
       bytes: 3.1.2
       content-type: 1.0.5
       debug: 4.4.3(supports-color@10.0.0)
-      http-errors: 2.0.0
+      http-errors: 2.0.1
       iconv-lite: 0.6.3
       on-finished: 2.4.1
-      qs: 6.14.1
+      qs: 6.15.2
       raw-body: 3.0.0
       type-is: 2.0.0
     transitivePeerDependencies:
@@ -32600,10 +26785,10 @@ snapshots:
       bytes: 3.1.2
       content-type: 1.0.5
       debug: 4.4.3(supports-color@10.0.0)
-      http-errors: 2.0.0
+      http-errors: 2.0.1
       iconv-lite: 0.7.2
       on-finished: 2.4.1
-      qs: 6.14.1
+      qs: 6.15.2
       raw-body: 3.0.2
       type-is: 2.0.1
     transitivePeerDependencies:
@@ -32624,6 +26809,10 @@ snapshots:
     dependencies:
       balanced-match: 1.0.2
 
+  brace-expansion@5.0.5:
+    dependencies:
+      balanced-match: 4.0.4
+
   braces@3.0.3:
     dependencies:
       fill-range: 7.1.1
@@ -32646,9 +26835,9 @@ snapshots:
   browserslist@4.24.4:
     dependencies:
       caniuse-lite: 1.0.30001754
-      electron-to-chromium: 1.5.98
-      node-releases: 2.0.19
-      update-browserslist-db: 1.1.2(browserslist@4.24.4)
+      electron-to-chromium: 1.5.252
+      node-releases: 2.0.27
+      update-browserslist-db: 1.1.4(browserslist@4.24.4)
 
   browserslist@4.28.0:
     dependencies:
@@ -32658,9 +26847,15 @@ snapshots:
       node-releases: 2.0.27
       update-browserslist-db: 1.1.4(browserslist@4.28.0)
 
-  btoa-lite@1.0.0: {}
+  browserslist@4.28.1:
+    dependencies:
+      baseline-browser-mapping: 2.10.11
+      caniuse-lite: 1.0.30001793
+      electron-to-chromium: 1.5.325
+      node-releases: 2.0.36
+      update-browserslist-db: 1.2.3(browserslist@4.28.1)
 
-  buffer-crc32@0.2.13: {}
+  btoa-lite@1.0.0: {}
 
   buffer-crc32@1.0.0: {}
 
@@ -32681,6 +26876,7 @@ snapshots:
   bufferutil@4.0.9:
     dependencies:
       node-gyp-build: 4.8.4
+    optional: true
 
   buildcheck@0.0.6:
     optional: true
@@ -32691,11 +26887,6 @@ snapshots:
     dependencies:
       semver: 7.7.3
 
-  bun-types@1.1.17:
-    dependencies:
-      '@types/node': 20.14.14
-      '@types/ws': 8.5.10
-
   bundle-name@4.1.0:
     dependencies:
       run-applescript: 7.0.0
@@ -32719,7 +26910,7 @@ snapshots:
     dependencies:
       chokidar: 3.6.0
       confbox: 0.1.8
-      defu: 6.1.4
+      defu: 6.1.7
       dotenv: 16.4.7
       giget: 1.2.3
       jiti: 1.21.6
@@ -32736,11 +26927,11 @@ snapshots:
     dependencies:
       chokidar: 4.0.3
       confbox: 0.2.2
-      defu: 6.1.4
+      defu: 6.1.7
       dotenv: 16.6.1
       exsolve: 1.0.7
       giget: 2.0.0
-      jiti: 2.4.2
+      jiti: 2.6.1
       ohash: 2.0.11
       pathe: 2.0.3
       perfect-debounce: 1.0.0
@@ -32815,25 +27006,17 @@ snapshots:
 
   caniuse-lite@1.0.30001577: {}
 
-  caniuse-lite@1.0.30001699: {}
-
-  caniuse-lite@1.0.30001707: {}
-
   caniuse-lite@1.0.30001754: {}
 
+  caniuse-lite@1.0.30001793: {}
+
   case-anything@2.1.13: {}
 
   caseless@0.12.0: {}
 
   ccount@2.0.1: {}
 
-  chai@5.2.0:
-    dependencies:
-      assertion-error: 2.0.1
-      check-error: 2.1.1
-      deep-eql: 5.0.2
-      loupe: 3.1.3
-      pathval: 2.0.0
+  chai@6.2.2: {}
 
   chalk@2.4.2:
     dependencies:
@@ -32841,11 +27024,6 @@ snapshots:
       escape-string-regexp: 1.0.5
       supports-color: 5.5.0
 
-  chalk@3.0.0:
-    dependencies:
-      ansi-styles: 4.3.0
-      supports-color: 7.2.0
-
   chalk@4.1.2:
     dependencies:
       ansi-styles: 4.3.0
@@ -32867,35 +27045,20 @@ snapshots:
 
   chardet@0.7.0: {}
 
-  check-error@2.1.1: {}
-
   cheminfo-types@1.8.1: {}
 
-  chevrotain-allstar@0.3.1(chevrotain@11.0.3):
-    dependencies:
-      chevrotain: 11.0.3
-      lodash-es: 4.17.21
-
-  chevrotain@11.0.3:
+  chevrotain-allstar@0.4.1(chevrotain@12.0.0):
     dependencies:
-      '@chevrotain/cst-dts-gen': 11.0.3
-      '@chevrotain/gast': 11.0.3
-      '@chevrotain/regexp-to-ast': 11.0.3
-      '@chevrotain/types': 11.0.3
-      '@chevrotain/utils': 11.0.3
-      lodash-es: 4.17.21
+      chevrotain: 12.0.0
+      lodash-es: 4.18.1
 
-  chokidar@3.5.3:
+  chevrotain@12.0.0:
     dependencies:
-      anymatch: 3.1.3
-      braces: 3.0.3
-      glob-parent: 5.1.2
-      is-binary-path: 2.1.0
-      is-glob: 4.0.3
-      normalize-path: 3.0.0
-      readdirp: 3.6.0
-    optionalDependencies:
-      fsevents: 2.3.3
+      '@chevrotain/cst-dts-gen': 12.0.0
+      '@chevrotain/gast': 12.0.0
+      '@chevrotain/regexp-to-ast': 12.0.0
+      '@chevrotain/types': 12.0.0
+      '@chevrotain/utils': 12.0.0
 
   chokidar@3.6.0:
     dependencies:
@@ -32919,36 +27082,24 @@ snapshots:
 
   chownr@3.0.0: {}
 
-  chrome-trace-event@1.0.3: {}
-
   chrome-trace-event@1.0.4: {}
 
-  chromium-bidi@7.2.0(devtools-protocol@0.0.1464554):
-    dependencies:
-      devtools-protocol: 0.0.1464554
-      mitt: 3.0.1
-      zod: 3.25.76
-
   ci-info@3.8.0: {}
 
   citty@0.1.6:
     dependencies:
       consola: 3.4.2
 
-  cjs-module-lexer@1.2.3: {}
+  citty@0.2.2: {}
+
+  cjs-module-lexer@1.4.3: {}
+
+  cjs-module-lexer@2.2.0: {}
 
   class-variance-authority@0.5.2(typescript@5.5.4):
     optionalDependencies:
       typescript: 5.5.4
 
-  class-variance-authority@0.7.0:
-    dependencies:
-      clsx: 2.0.0
-
-  class-variance-authority@0.7.1:
-    dependencies:
-      clsx: 2.1.1
-
   clean-stack@2.2.0: {}
 
   clean-stack@4.2.0:
@@ -33010,10 +27161,6 @@ snapshots:
 
   clsx@1.2.1: {}
 
-  clsx@2.0.0: {}
-
-  clsx@2.1.0: {}
-
   clsx@2.1.1: {}
 
   cluster-key-slot@1.1.2: {}
@@ -33052,12 +27199,6 @@ snapshots:
       color-convert: 1.9.3
       color-string: 1.9.1
 
-  color@4.2.3:
-    dependencies:
-      color-convert: 2.0.1
-      color-string: 1.9.1
-    optional: true
-
   combined-stream@1.0.8:
     dependencies:
       delayed-stream: 1.0.0
@@ -33066,7 +27207,7 @@ snapshots:
 
   commander@10.0.1: {}
 
-  commander@11.1.0: {}
+  commander@13.1.0: {}
 
   commander@2.20.3: {}
 
@@ -33080,8 +27221,6 @@ snapshots:
 
   commander@9.5.0: {}
 
-  compare-versions@6.1.1: {}
-
   component-emitter@1.3.1: {}
 
   compress-commons@6.0.2:
@@ -33108,6 +27247,18 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  compression@1.8.1:
+    dependencies:
+      bytes: 3.1.2
+      compressible: 2.0.18
+      debug: 2.6.9
+      negotiator: 0.6.4
+      on-headers: 1.1.0
+      safe-buffer: 5.2.1
+      vary: 1.1.2
+    transitivePeerDependencies:
+      - supports-color
+
   compute-cosine-similarity@1.1.0:
     dependencies:
       compute-dot: 1.1.0
@@ -33127,6 +27278,18 @@ snapshots:
 
   concat-map@0.0.1: {}
 
+  conf@15.1.0:
+    dependencies:
+      ajv: 8.20.0
+      ajv-formats: 3.0.1(ajv@8.20.0)
+      atomically: 2.1.1
+      debounce-fn: 6.0.0
+      dot-prop: 10.1.0
+      env-paths: 3.0.0
+      json-schema-typed: 8.0.2
+      semver: 7.8.1
+      uint8array-extras: 1.5.0
+
   confbox@0.1.8: {}
 
   confbox@0.2.2: {}
@@ -33150,9 +27313,9 @@ snapshots:
 
   convert-source-map@1.9.0: {}
 
-  cookie-signature@1.0.6: {}
+  convert-source-map@2.0.0: {}
 
-  cookie-signature@1.2.0: {}
+  cookie-signature@1.0.6: {}
 
   cookie-signature@1.2.2: {}
 
@@ -33162,6 +27325,8 @@ snapshots:
 
   cookie@0.7.1: {}
 
+  cookie@0.7.2: {}
+
   cookie@1.0.2: {}
 
   cookiejar@2.1.4: {}
@@ -33268,7 +27433,7 @@ snapshots:
     dependencies:
       nice-try: 1.0.5
       path-key: 2.0.1
-      semver: 5.7.1
+      semver: 5.7.2
       shebang-command: 1.2.0
       which: 1.3.1
 
@@ -33294,12 +27459,12 @@ snapshots:
 
   css-loader@6.10.0(webpack@5.102.1(@swc/core@1.3.26)(esbuild@0.15.18)):
     dependencies:
-      icss-utils: 5.1.0(postcss@8.4.35)
-      postcss: 8.4.35
-      postcss-modules-extract-imports: 3.0.0(postcss@8.4.35)
-      postcss-modules-local-by-default: 4.0.4(postcss@8.4.35)
-      postcss-modules-scope: 3.1.1(postcss@8.4.35)
-      postcss-modules-values: 4.0.0(postcss@8.4.35)
+      icss-utils: 5.1.0(postcss@8.5.10)
+      postcss: 8.5.10
+      postcss-modules-extract-imports: 3.0.0(postcss@8.5.10)
+      postcss-modules-local-by-default: 4.0.4(postcss@8.5.10)
+      postcss-modules-scope: 3.1.1(postcss@8.5.10)
+      postcss-modules-values: 4.0.0(postcss@8.5.10)
       postcss-value-parser: 4.2.0
       semver: 7.6.3
     optionalDependencies:
@@ -33310,20 +27475,21 @@ snapshots:
       mdn-data: 2.0.14
       source-map: 0.6.1
 
+  css-tree@3.2.1:
+    dependencies:
+      mdn-data: 2.27.1
+      source-map-js: 1.2.1
+
   css-unit-converter@1.1.2: {}
 
   css-what@5.1.0: {}
 
-  css.escape@1.5.1: {}
-
   cssesc@3.0.0: {}
 
   csstype@3.1.1: {}
 
   csstype@3.1.3: {}
 
-  csstype@3.2.0: {}
-
   csstype@3.2.3: {}
 
   csv-generate@3.4.3: {}
@@ -33520,10 +27686,10 @@ snapshots:
       d3-transition: 3.0.1(d3-selection@3.0.0)
       d3-zoom: 3.0.0
 
-  dagre-d3-es@7.0.11:
+  dagre-d3-es@7.0.14:
     dependencies:
       d3: 7.9.0
-      lodash-es: 4.17.21
+      lodash-es: 4.18.1
 
   damerau-levenshtein@1.0.8: {}
 
@@ -33533,8 +27699,6 @@ snapshots:
 
   data-uri-to-buffer@3.0.1: {}
 
-  data-uri-to-buffer@5.0.1: {}
-
   data-view-buffer@1.0.1:
     dependencies:
       call-bind: 1.0.8
@@ -33559,9 +27723,11 @@ snapshots:
 
   date-fns@4.1.0: {}
 
-  dayjs@1.11.18: {}
+  dayjs@1.11.20: {}
 
-  debounce@1.2.1: {}
+  debounce-fn@6.0.0:
+    dependencies:
+      mimic-function: 5.0.1
 
   debounce@2.0.0: {}
 
@@ -33593,10 +27759,6 @@ snapshots:
     dependencies:
       ms: 2.1.3
 
-  debug@4.4.1:
-    dependencies:
-      ms: 2.1.3
-
   debug@4.4.3(supports-color@10.0.0):
     dependencies:
       ms: 2.1.3
@@ -33625,8 +27787,7 @@ snapshots:
   decompress-response@6.0.0:
     dependencies:
       mimic-response: 3.1.0
-
-  deep-eql@5.0.2: {}
+    optional: true
 
   deep-extend@0.6.0: {}
 
@@ -33674,13 +27835,7 @@ snapshots:
 
   defined@1.0.1: {}
 
-  defu@6.1.4: {}
-
-  degenerator@5.0.1:
-    dependencies:
-      ast-types: 0.13.4
-      escodegen: 2.1.0
-      esprima: 4.0.1
+  defu@6.1.7: {}
 
   delaunator@5.0.1:
     dependencies:
@@ -33704,7 +27859,8 @@ snapshots:
 
   detect-libc@1.0.3: {}
 
-  detect-libc@2.1.2: {}
+  detect-libc@2.1.2:
+    optional: true
 
   detect-node-es@1.1.0: {}
 
@@ -33718,8 +27874,6 @@ snapshots:
     dependencies:
       dequal: 2.0.3
 
-  devtools-protocol@0.0.1464554: {}
-
   dezalgo@1.0.4:
     dependencies:
       asap: 2.0.6
@@ -33727,8 +27881,6 @@ snapshots:
 
   didyoumean@1.2.2: {}
 
-  diff-match-patch@1.0.5: {}
-
   diff@5.1.0: {}
 
   dir-glob@3.0.1:
@@ -33739,26 +27891,47 @@ snapshots:
 
   dlv@1.1.3: {}
 
-  docker-compose@0.24.8:
+  docker-compose@1.4.2:
     dependencies:
-      yaml: 2.7.1
+      yaml: 2.8.3
 
   docker-modem@5.0.6:
     dependencies:
-      debug: 4.4.1
+      debug: 4.4.3(supports-color@10.0.0)
       readable-stream: 3.6.0
       split-ca: 1.0.1
       ssh2: 1.16.0
     transitivePeerDependencies:
       - supports-color
 
+  docker-modem@5.0.7:
+    dependencies:
+      debug: 4.4.3(supports-color@10.0.0)
+      readable-stream: 3.6.2
+      split-ca: 1.0.1
+      ssh2: 1.16.0
+    transitivePeerDependencies:
+      - supports-color
+
+  dockerode@4.0.10:
+    dependencies:
+      '@balena/dockerignore': 1.0.2
+      '@grpc/grpc-js': 1.12.6
+      '@grpc/proto-loader': 0.7.13
+      docker-modem: 5.0.7
+      protobufjs: 7.6.1
+      tar-fs: 2.1.4
+      uuid: 10.0.0
+    transitivePeerDependencies:
+      - supports-color
+
   dockerode@4.0.6:
     dependencies:
       '@balena/dockerignore': 1.0.2
       '@grpc/grpc-js': 1.12.6
       '@grpc/proto-loader': 0.7.13
       docker-modem: 5.0.6
-      protobufjs: 7.3.2
+      protobufjs: 7.6.1
       tar-fs: 2.1.3
       uuid: 10.0.0
     transitivePeerDependencies:
@@ -33774,12 +27947,10 @@ snapshots:
 
   dom-accessibility-api@0.5.15: {}
 
-  dom-accessibility-api@0.6.3: {}
-
   dom-helpers@5.2.1:
     dependencies:
       '@babel/runtime': 7.28.4
-      csstype: 3.2.0
+      csstype: 3.2.3
 
   dom-serializer@2.0.0:
     dependencies:
@@ -33793,7 +27964,7 @@ snapshots:
     dependencies:
       domelementtype: 2.3.0
 
-  dompurify@3.2.6:
+  dompurify@3.4.1:
     optionalDependencies:
       '@types/trusted-types': 2.0.7
 
@@ -33803,6 +27974,10 @@ snapshots:
       domelementtype: 2.3.0
       domhandler: 5.0.3
 
+  dot-prop@10.1.0:
+    dependencies:
+      type-fest: 5.6.0
+
   dotenv@16.0.3: {}
 
   dotenv@16.4.4: {}
@@ -33813,8 +27988,6 @@ snapshots:
 
   dotenv@16.6.1: {}
 
-  dotenv@17.2.3: {}
-
   dotenv@8.6.0: {}
 
   dprint-node@1.0.8:
@@ -33829,8 +28002,6 @@ snapshots:
 
   duplexer3@0.1.5: {}
 
-  duplexer@0.1.2: {}
-
   duplexify@3.7.1:
     dependencies:
       end-of-stream: 1.4.4
@@ -33845,15 +28016,6 @@ snapshots:
       readable-stream: 3.6.2
       stream-shift: 1.0.3
 
-  e2b@1.2.1:
-    dependencies:
-      '@bufbuild/protobuf': 2.2.5
-      '@connectrpc/connect': 2.0.0-rc.3(@bufbuild/protobuf@2.2.5)
-      '@connectrpc/connect-web': 2.0.0-rc.3(@bufbuild/protobuf@2.2.5)(@connectrpc/connect@2.0.0-rc.3(@bufbuild/protobuf@2.2.5))
-      compare-versions: 6.1.1
-      openapi-fetch: 0.9.8
-      platform: 1.3.6
-
   eastasianwidth@0.2.0: {}
 
   ecc-jsbn@0.1.2:
@@ -33874,10 +28036,6 @@ snapshots:
 
   ee-first@1.1.1: {}
 
-  effect@3.11.7:
-    dependencies:
-      fast-check: 3.22.0
-
   effect@3.16.12:
     dependencies:
       '@standard-schema/spec': 1.1.0
@@ -33893,13 +28051,16 @@ snapshots:
       '@standard-schema/spec': 1.1.0
       fast-check: 3.23.2
 
-  effect@3.7.2: {}
+  effect@3.21.2:
+    dependencies:
+      '@standard-schema/spec': 1.1.0
+      fast-check: 3.23.2
 
   electron-to-chromium@1.4.433: {}
 
   electron-to-chromium@1.5.252: {}
 
-  electron-to-chromium@1.5.98: {}
+  electron-to-chromium@1.5.325: {}
 
   emoji-regex@8.0.0: {}
 
@@ -33921,6 +28082,11 @@ snapshots:
     dependencies:
       once: 1.4.0
 
+  end-of-stream@1.4.5:
+    dependencies:
+      once: 1.4.0
+    optional: true
+
   engine.io-client@6.5.3(bufferutil@4.0.9)(supports-color@10.0.0):
     dependencies:
       '@socket.io/component-emitter': 3.1.0
@@ -33952,10 +28118,22 @@ snapshots:
       - supports-color
       - utf-8-validate
 
-  enhanced-resolve@5.15.0:
+  engine.io@6.6.8(bufferutil@4.0.9):
     dependencies:
-      graceful-fs: 4.2.11
-      tapable: 2.3.0
+      '@types/cors': 2.8.17
+      '@types/node': 20.14.14
+      '@types/ws': 8.5.12
+      accepts: 1.3.8
+      base64id: 2.0.0
+      cookie: 0.7.2
+      cors: 2.8.5
+      debug: 4.4.3(supports-color@10.0.0)
+      engine.io-parser: 5.2.2(patch_hash=9011e7e16547017450c9baec0fceff0e070310c20d9e62f8d1383bb1da77104f)
+      ws: 8.20.1(bufferutil@4.0.9)
+    transitivePeerDependencies:
+      - bufferutil
+      - supports-color
+      - utf-8-validate
 
   enhanced-resolve@5.18.3:
     dependencies:
@@ -33972,6 +28150,8 @@ snapshots:
 
   env-paths@2.2.1: {}
 
+  env-paths@3.0.0: {}
+
   environment@1.1.0: {}
 
   err-code@2.0.3: {}
@@ -34032,7 +28212,7 @@ snapshots:
       es-define-property: 1.0.1
       es-errors: 1.3.0
       es-object-atoms: 1.1.1
-      es-set-tostringtag: 2.0.3
+      es-set-tostringtag: 2.1.0
       es-to-primitive: 1.2.1
       function.prototype.name: 1.1.6
       get-intrinsic: 1.3.0
@@ -34075,9 +28255,7 @@ snapshots:
 
   es-module-lexer@1.7.0: {}
 
-  es-object-atoms@1.0.0:
-    dependencies:
-      es-errors: 1.3.0
+  es-module-lexer@2.1.0: {}
 
   es-object-atoms@1.1.1:
     dependencies:
@@ -34089,12 +28267,6 @@ snapshots:
       has: 1.0.3
       has-tostringtag: 1.0.2
 
-  es-set-tostringtag@2.0.3:
-    dependencies:
-      get-intrinsic: 1.3.0
-      has-tostringtag: 1.0.2
-      hasown: 2.0.2
-
   es-set-tostringtag@2.1.0:
     dependencies:
       es-errors: 1.3.0
@@ -34102,10 +28274,6 @@ snapshots:
       has-tostringtag: 1.0.2
       hasown: 2.0.2
 
-  es-shim-unscopables@1.0.0:
-    dependencies:
-      has: 1.0.3
-
   es-shim-unscopables@1.0.2:
     dependencies:
       hasown: 2.0.2
@@ -34284,32 +28452,6 @@ snapshots:
       '@esbuild/win32-ia32': 0.19.11
       '@esbuild/win32-x64': 0.19.11
 
-  esbuild@0.21.5:
-    optionalDependencies:
-      '@esbuild/aix-ppc64': 0.21.5
-      '@esbuild/android-arm': 0.21.5
-      '@esbuild/android-arm64': 0.21.5
-      '@esbuild/android-x64': 0.21.5
-      '@esbuild/darwin-arm64': 0.21.5
-      '@esbuild/darwin-x64': 0.21.5
-      '@esbuild/freebsd-arm64': 0.21.5
-      '@esbuild/freebsd-x64': 0.21.5
-      '@esbuild/linux-arm': 0.21.5
-      '@esbuild/linux-arm64': 0.21.5
-      '@esbuild/linux-ia32': 0.21.5
-      '@esbuild/linux-loong64': 0.21.5
-      '@esbuild/linux-mips64el': 0.21.5
-      '@esbuild/linux-ppc64': 0.21.5
-      '@esbuild/linux-riscv64': 0.21.5
-      '@esbuild/linux-s390x': 0.21.5
-      '@esbuild/linux-x64': 0.21.5
-      '@esbuild/netbsd-x64': 0.21.5
-      '@esbuild/openbsd-x64': 0.21.5
-      '@esbuild/sunos-x64': 0.21.5
-      '@esbuild/win32-arm64': 0.21.5
-      '@esbuild/win32-ia32': 0.21.5
-      '@esbuild/win32-x64': 0.21.5
-
   esbuild@0.23.0:
     optionalDependencies:
       '@esbuild/aix-ppc64': 0.23.0
@@ -34393,6 +28535,35 @@ snapshots:
       '@esbuild/win32-ia32': 0.25.1
       '@esbuild/win32-x64': 0.25.1
 
+  esbuild@0.28.0:
+    optionalDependencies:
+      '@esbuild/aix-ppc64': 0.28.0
+      '@esbuild/android-arm': 0.28.0
+      '@esbuild/android-arm64': 0.28.0
+      '@esbuild/android-x64': 0.28.0
+      '@esbuild/darwin-arm64': 0.28.0
+      '@esbuild/darwin-x64': 0.28.0
+      '@esbuild/freebsd-arm64': 0.28.0
+      '@esbuild/freebsd-x64': 0.28.0
+      '@esbuild/linux-arm': 0.28.0
+      '@esbuild/linux-arm64': 0.28.0
+      '@esbuild/linux-ia32': 0.28.0
+      '@esbuild/linux-loong64': 0.28.0
+      '@esbuild/linux-mips64el': 0.28.0
+      '@esbuild/linux-ppc64': 0.28.0
+      '@esbuild/linux-riscv64': 0.28.0
+      '@esbuild/linux-s390x': 0.28.0
+      '@esbuild/linux-x64': 0.28.0
+      '@esbuild/netbsd-arm64': 0.28.0
+      '@esbuild/netbsd-x64': 0.28.0
+      '@esbuild/openbsd-arm64': 0.28.0
+      '@esbuild/openbsd-x64': 0.28.0
+      '@esbuild/openharmony-arm64': 0.28.0
+      '@esbuild/sunos-x64': 0.28.0
+      '@esbuild/win32-arm64': 0.28.0
+      '@esbuild/win32-ia32': 0.28.0
+      '@esbuild/win32-x64': 0.28.0
+
   escalade@3.2.0: {}
 
   escape-html@1.0.3: {}
@@ -34403,27 +28574,10 @@ snapshots:
 
   escape-string-regexp@5.0.0: {}
 
-  escodegen@2.1.0:
-    dependencies:
-      esprima: 4.0.1
-      estraverse: 5.3.0
-      esutils: 2.0.3
-    optionalDependencies:
-      source-map: 0.6.1
-
   eslint-config-prettier@8.6.0(eslint@8.31.0):
     dependencies:
       eslint: 8.31.0
 
-  eslint-config-prettier@9.0.0(eslint@8.31.0):
-    dependencies:
-      eslint: 8.31.0
-
-  eslint-config-turbo@1.10.12(eslint@8.31.0):
-    dependencies:
-      eslint: 8.31.0
-      eslint-plugin-turbo: 1.10.12(eslint@8.31.0)
-
   eslint-import-resolver-node@0.3.7:
     dependencies:
       debug: 3.2.7
@@ -34442,10 +28596,10 @@ snapshots:
 
   eslint-import-resolver-typescript@3.5.5(@typescript-eslint/parser@5.59.6(eslint@8.31.0)(typescript@5.5.4))(eslint-import-resolver-node@0.3.7)(eslint-plugin-import@2.29.1)(eslint@8.31.0):
     dependencies:
-      debug: 4.4.1
-      enhanced-resolve: 5.15.0
+      debug: 4.4.3(supports-color@10.0.0)
+      enhanced-resolve: 5.18.3
       eslint: 8.31.0
-      eslint-module-utils: 2.7.4(@typescript-eslint/parser@5.59.6(eslint@8.31.0)(typescript@5.5.4))(eslint-import-resolver-node@0.3.7)(eslint-import-resolver-typescript@3.5.5)(eslint@8.31.0)
+      eslint-module-utils: 2.8.1(@typescript-eslint/parser@5.59.6(eslint@8.31.0)(typescript@5.5.4))(eslint-import-resolver-node@0.3.7)(eslint-import-resolver-typescript@3.5.5)(eslint@8.31.0)
       eslint-plugin-import: 2.29.1(@typescript-eslint/parser@5.59.6(eslint@8.31.0)(typescript@5.5.4))(eslint-import-resolver-typescript@3.5.5)(eslint@8.31.0)
       get-tsconfig: 4.7.6
       globby: 13.2.2
@@ -34458,7 +28612,7 @@ snapshots:
       - eslint-import-resolver-webpack
       - supports-color
 
-  eslint-module-utils@2.7.4(@typescript-eslint/parser@5.59.6(eslint@8.31.0)(typescript@5.5.4))(eslint-import-resolver-node@0.3.7)(eslint-import-resolver-typescript@3.5.5)(eslint@8.31.0):
+  eslint-module-utils@2.8.1(@typescript-eslint/parser@5.59.6(eslint@8.31.0)(typescript@5.5.4))(eslint-import-resolver-node@0.3.7)(eslint-import-resolver-typescript@3.5.5)(eslint@8.31.0):
     dependencies:
       debug: 3.2.7
     optionalDependencies:
@@ -34500,7 +28654,7 @@ snapshots:
       hasown: 2.0.2
       is-core-module: 2.14.0
       is-glob: 4.0.3
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       object.fromentries: 2.0.8
       object.groupby: 1.0.3
       object.values: 1.2.0
@@ -34515,7 +28669,7 @@ snapshots:
 
   eslint-plugin-jest-dom@4.0.3(eslint@8.31.0):
     dependencies:
-      '@babel/runtime': 7.24.5
+      '@babel/runtime': 7.28.4
       '@testing-library/dom': 8.19.1
       eslint: 8.31.0
       requireindex: 1.2.0
@@ -34532,10 +28686,10 @@ snapshots:
 
   eslint-plugin-jsx-a11y@6.7.1(eslint@8.31.0):
     dependencies:
-      '@babel/runtime': 7.24.5
+      '@babel/runtime': 7.28.4
       aria-query: 5.3.0
-      array-includes: 3.1.6
-      array.prototype.flatmap: 1.3.1
+      array-includes: 3.1.8
+      array.prototype.flatmap: 1.3.2
       ast-types-flow: 0.0.7
       axe-core: 4.6.2
       axobject-query: 3.2.1
@@ -34545,9 +28699,9 @@ snapshots:
       has: 1.0.3
       jsx-ast-utils: 3.3.3
       language-tags: 1.0.5
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       object.entries: 1.1.6
-      object.fromentries: 2.0.6
+      object.fromentries: 2.0.8
       semver: 6.3.1
 
   eslint-plugin-node@11.1.0(eslint@8.31.0):
@@ -34556,7 +28710,7 @@ snapshots:
       eslint-plugin-es: 3.0.1(eslint@8.31.0)
       eslint-utils: 2.1.0
       ignore: 5.2.4
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       resolve: 1.22.8
       semver: 6.3.1
 
@@ -34566,18 +28720,18 @@ snapshots:
 
   eslint-plugin-react@7.32.2(eslint@8.31.0):
     dependencies:
-      array-includes: 3.1.6
-      array.prototype.flatmap: 1.3.1
+      array-includes: 3.1.8
+      array.prototype.flatmap: 1.3.2
       array.prototype.tosorted: 1.1.1
       doctrine: 2.1.0
       eslint: 8.31.0
       estraverse: 5.3.0
       jsx-ast-utils: 3.3.3
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       object.entries: 1.1.6
-      object.fromentries: 2.0.6
+      object.fromentries: 2.0.8
       object.hasown: 1.1.2
-      object.values: 1.1.6
+      object.values: 1.2.0
       prop-types: 15.8.1
       resolve: 2.0.0-next.4
       semver: 6.3.1
@@ -34591,11 +28745,6 @@ snapshots:
       - supports-color
       - typescript
 
-  eslint-plugin-turbo@1.10.12(eslint@8.31.0):
-    dependencies:
-      dotenv: 16.0.3
-      eslint: 8.31.0
-
   eslint-plugin-turbo@2.0.5(eslint@8.31.0):
     dependencies:
       dotenv: 16.0.3
@@ -34662,7 +28811,7 @@ snapshots:
       json-stable-stringify-without-jsonify: 1.0.1
       levn: 0.4.1
       lodash.merge: 4.6.2
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       natural-compare: 1.4.0
       optionator: 0.9.1
       regexpp: 3.2.0
@@ -34674,14 +28823,14 @@ snapshots:
 
   espree@9.4.1:
     dependencies:
-      acorn: 8.12.1
-      acorn-jsx: 5.3.2(acorn@8.12.1)
+      acorn: 8.16.0
+      acorn-jsx: 5.3.2(acorn@8.16.0)
       eslint-visitor-keys: 3.4.2
 
   espree@9.6.0:
     dependencies:
-      acorn: 8.15.0
-      acorn-jsx: 5.3.2(acorn@8.15.0)
+      acorn: 8.16.0
+      acorn-jsx: 5.3.2(acorn@8.16.0)
       eslint-visitor-keys: 3.4.2
 
   esprima@4.0.1: {}
@@ -34741,18 +28890,25 @@ snapshots:
     dependencies:
       require-like: 0.1.2
 
-  evalite@0.11.4(bufferutil@4.0.9):
+  evalite@1.0.0-beta.16(ai@6.0.168(zod@3.25.76))(better-sqlite3@11.10.0)(bufferutil@4.0.9):
     dependencies:
       '@fastify/static': 8.2.0
-      '@fastify/websocket': 11.0.1(bufferutil@4.0.9)
+      '@fastify/websocket': 11.2.0(bufferutil@4.0.9)
       '@stricli/auto-complete': 1.2.0
       '@stricli/core': 1.2.0
-      '@vitest/runner': 2.1.9
-      better-sqlite3: 11.10.0
-      fastify: 5.4.0
+      '@vitest/runner': 4.1.7
+      '@vitest/utils': 4.1.7
+      dotenv: 16.4.7
+      fastify: 5.8.5
       file-type: 19.6.0
+      get-port: 7.2.0
+      jiti: 2.6.1
+      js-levenshtein: 1.1.6
       table: 6.9.0
-      tinyrainbow: 1.2.0
+      tinyrainbow: 3.1.0
+    optionalDependencies:
+      ai: 6.0.168(zod@3.25.76)
+      better-sqlite3: 11.10.0
     transitivePeerDependencies:
       - bufferutil
       - utf-8-validate
@@ -34775,6 +28931,8 @@ snapshots:
 
   eventsource-parser@3.0.6: {}
 
+  eventsource-parser@3.1.0: {}
+
   eventsource@3.0.5:
     dependencies:
       eventsource-parser: 3.0.0
@@ -34830,9 +28988,10 @@ snapshots:
 
   exit-hook@2.2.1: {}
 
-  expand-template@2.0.3: {}
+  expand-template@2.0.3:
+    optional: true
 
-  expect-type@1.2.1: {}
+  expect-type@1.3.0: {}
 
   express-rate-limit@7.5.0(express@5.0.1(supports-color@10.0.0)):
     dependencies:
@@ -34864,9 +29023,9 @@ snapshots:
       methods: 1.1.2
       on-finished: 2.4.1
       parseurl: 1.3.3
-      path-to-regexp: 0.1.10
+      path-to-regexp: 0.1.13
       proxy-addr: 2.0.7
-      qs: 6.14.1
+      qs: 6.15.2
       range-parser: 1.2.1
       safe-buffer: 5.2.1
       send: 0.19.0
@@ -34902,7 +29061,7 @@ snapshots:
       once: 1.4.0
       parseurl: 1.3.3
       proxy-addr: 2.0.7
-      qs: 6.14.1
+      qs: 6.15.2
       range-parser: 1.2.1
       router: 2.1.0
       safe-buffer: 5.2.1
@@ -34931,19 +29090,19 @@ snapshots:
       etag: 1.8.1
       finalhandler: 2.1.0(supports-color@10.0.0)
       fresh: 2.0.0
-      http-errors: 2.0.0
+      http-errors: 2.0.1
       merge-descriptors: 2.0.0
       mime-types: 3.0.0
       on-finished: 2.4.1
       once: 1.4.0
       parseurl: 1.3.3
       proxy-addr: 2.0.7
-      qs: 6.14.1
+      qs: 6.15.2
       range-parser: 1.2.1
       router: 2.2.0
       send: 1.1.0(supports-color@10.0.0)
       serve-static: 2.2.1
-      statuses: 2.0.1
+      statuses: 2.0.2
       type-is: 2.0.1
       vary: 1.1.2
     transitivePeerDependencies:
@@ -34961,22 +29120,8 @@ snapshots:
       iconv-lite: 0.4.24
       tmp: 0.0.33
 
-  extract-zip@2.0.1:
-    dependencies:
-      debug: 4.4.3(supports-color@10.0.0)
-      get-stream: 5.2.0
-      yauzl: 2.10.0
-    optionalDependencies:
-      '@types/yauzl': 2.10.3
-    transitivePeerDependencies:
-      - supports-color
-
   extsprintf@1.3.0: {}
 
-  fast-check@3.22.0:
-    dependencies:
-      pure-rand: 6.1.0
-
   fast-check@3.23.2:
     dependencies:
       pure-rand: 6.1.0
@@ -35004,9 +29149,9 @@ snapshots:
   fast-json-stringify@6.0.1:
     dependencies:
       '@fastify/merge-json-schemas': 0.2.1
-      ajv: 8.17.1
-      ajv-formats: 3.0.1(ajv@8.17.1)
-      fast-uri: 3.0.6
+      ajv: 8.18.0
+      ajv-formats: 3.0.1(ajv@8.18.0)
+      fast-uri: 3.1.2
       json-schema-ref-resolver: 2.0.1
       rfdc: 1.4.1
 
@@ -35018,37 +29163,39 @@ snapshots:
     dependencies:
       fast-decode-uri-component: 1.0.1
 
-  fast-redact@3.5.0: {}
-
   fast-safe-stringify@2.1.1: {}
 
   fast-shallow-equal@1.0.0: {}
 
-  fast-uri@3.0.6: {}
+  fast-uri@3.1.2: {}
 
   fast-url-parser@1.1.3:
     dependencies:
       punycode: 1.4.1
 
-  fast-xml-parser@4.2.5:
+  fast-xml-builder@1.2.0:
     dependencies:
-      strnum: 1.0.5
+      path-expression-matcher: 1.5.0
+      xml-naming: 0.1.0
 
-  fast-xml-parser@4.4.1:
+  fast-xml-parser@4.5.6:
     dependencies:
       strnum: 1.0.5
 
-  fast-xml-parser@5.2.5:
+  fast-xml-parser@5.7.1:
     dependencies:
-      strnum: 2.1.1
+      '@nodable/entities': 2.1.0
+      fast-xml-builder: 1.2.0
+      path-expression-matcher: 1.5.0
+      strnum: 2.2.3
 
   fastest-stable-stringify@2.0.2: {}
 
   fastify-plugin@5.0.1: {}
 
-  fastify@5.4.0:
+  fastify@5.8.5:
     dependencies:
-      '@fastify/ajv-compiler': 4.0.2
+      '@fastify/ajv-compiler': 4.0.5
       '@fastify/error': 4.2.0
       '@fastify/fast-json-stringify-compiler': 5.0.3
       '@fastify/proxy-addr': 5.0.0
@@ -35057,7 +29204,7 @@ snapshots:
       fast-json-stringify: 6.0.1
       find-my-way: 9.3.0
       light-my-request: 6.6.0
-      pino: 9.7.0
+      pino: 10.3.1
       process-warning: 5.0.0
       rfdc: 1.4.1
       secure-json-parse: 4.0.0
@@ -35076,21 +29223,21 @@ snapshots:
     dependencies:
       format: 0.2.2
 
-  fd-slicer@1.1.0:
-    dependencies:
-      pend: 1.2.0
+  fdir@6.2.0(picomatch@4.0.4):
+    optionalDependencies:
+      picomatch: 4.0.4
 
-  fdir@6.2.0(picomatch@4.0.2):
+  fdir@6.4.3(picomatch@4.0.4):
     optionalDependencies:
-      picomatch: 4.0.2
+      picomatch: 4.0.4
 
-  fdir@6.4.3(picomatch@4.0.2):
+  fdir@6.4.4(picomatch@4.0.4):
     optionalDependencies:
-      picomatch: 4.0.2
+      picomatch: 4.0.4
 
-  fdir@6.4.4(picomatch@4.0.2):
+  fdir@6.5.0(picomatch@4.0.4):
     optionalDependencies:
-      picomatch: 4.0.2
+      picomatch: 4.0.4
 
   fflate@0.4.8: {}
 
@@ -35106,10 +29253,6 @@ snapshots:
     dependencies:
       flat-cache: 3.0.4
 
-  file-selector@0.6.0:
-    dependencies:
-      tslib: 2.8.1
-
   file-type@19.6.0:
     dependencies:
       get-stream: 9.0.1
@@ -35117,7 +29260,8 @@ snapshots:
       token-types: 6.0.3
       uint8array-extras: 1.4.0
 
-  file-uri-to-path@1.0.0: {}
+  file-uri-to-path@1.0.0:
+    optional: true
 
   fill-range@7.1.1:
     dependencies:
@@ -35142,12 +29286,10 @@ snapshots:
       escape-html: 1.0.3
       on-finished: 2.4.1
       parseurl: 1.3.3
-      statuses: 2.0.1
+      statuses: 2.0.2
     transitivePeerDependencies:
       - supports-color
 
-  find-my-way-ts@0.1.5: {}
-
   find-my-way@9.3.0:
     dependencies:
       fast-deep-equal: 3.1.3
@@ -35177,12 +29319,12 @@ snapshots:
 
   flat-cache@3.0.4:
     dependencies:
-      flatted: 3.2.7
+      flatted: 3.4.2
       rimraf: 3.0.2
 
-  flatted@3.2.7: {}
+  flatted@3.4.2: {}
 
-  follow-redirects@1.15.9: {}
+  follow-redirects@1.16.0: {}
 
   for-each@0.3.3:
     dependencies:
@@ -35193,6 +29335,11 @@ snapshots:
       cross-spawn: 7.0.6
       signal-exit: 4.1.0
 
+  foreground-child@3.3.1:
+    dependencies:
+      cross-spawn: 7.0.6
+      signal-exit: 4.1.0
+
   forever-agent@0.6.1: {}
 
   form-data-encoder@1.7.2: {}
@@ -35241,8 +29388,6 @@ snapshots:
 
   fraction.js@4.2.0: {}
 
-  fraction.js@4.3.7: {}
-
   framer-motion@10.12.11(react-dom@18.2.0(react@18.2.0))(react@18.2.0):
     dependencies:
       tslib: 2.5.0
@@ -35251,14 +29396,6 @@ snapshots:
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  framer-motion@10.17.4(react-dom@18.2.0(react@18.3.1))(react@18.3.1):
-    dependencies:
-      tslib: 2.8.1
-    optionalDependencies:
-      '@emotion/is-prop-valid': 0.8.8
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-
   fresh@0.5.2: {}
 
   fresh@2.0.0: {}
@@ -35305,7 +29442,7 @@ snapshots:
     dependencies:
       call-bind: 1.0.8
       define-properties: 1.2.1
-      es-abstract: 1.21.1
+      es-abstract: 1.23.3
       functions-have-names: 1.2.3
 
   function.prototype.name@1.1.6:
@@ -35325,14 +29462,6 @@ snapshots:
 
   get-caller-file@2.0.5: {}
 
-  get-intrinsic@1.2.4:
-    dependencies:
-      es-errors: 1.3.0
-      function-bind: 1.1.2
-      has-proto: 1.0.3
-      has-symbols: 1.1.0
-      hasown: 2.0.2
-
   get-intrinsic@1.3.0:
     dependencies:
       call-bind-apply-helpers: 1.0.2
@@ -35350,7 +29479,7 @@ snapshots:
 
   get-port@5.1.1: {}
 
-  get-port@7.1.0: {}
+  get-port@7.2.0: {}
 
   get-proto@1.0.1:
     dependencies:
@@ -35393,15 +29522,6 @@ snapshots:
     dependencies:
       resolve-pkg-maps: 1.0.0
 
-  get-uri@6.0.1:
-    dependencies:
-      basic-ftp: 5.0.3
-      data-uri-to-buffer: 5.0.1
-      debug: 4.4.3(supports-color@10.0.0)
-      fs-extra: 8.1.0
-    transitivePeerDependencies:
-      - supports-color
-
   getpass@0.1.7:
     dependencies:
       assert-plus: 1.0.0
@@ -35410,7 +29530,7 @@ snapshots:
     dependencies:
       citty: 0.1.6
       consola: 3.4.2
-      defu: 6.1.4
+      defu: 6.1.7
       node-fetch-native: 1.6.6
       nypm: 0.3.9
       ohash: 1.1.3
@@ -35421,14 +29541,15 @@ snapshots:
     dependencies:
       citty: 0.1.6
       consola: 3.4.2
-      defu: 6.1.4
+      defu: 6.1.7
       node-fetch-native: 1.6.6
       nypm: 0.6.1
       pathe: 2.0.3
 
   git-last-commit@1.0.1: {}
 
-  github-from-package@0.0.0: {}
+  github-from-package@0.0.0:
+    optional: true
 
   glob-parent@5.1.2:
     dependencies:
@@ -35440,22 +29561,6 @@ snapshots:
 
   glob-to-regexp@0.4.1: {}
 
-  glob@10.3.10:
-    dependencies:
-      foreground-child: 3.1.1
-      jackspeak: 2.3.6
-      minimatch: 9.0.5
-      minipass: 7.1.2
-      path-scurry: 1.11.1
-
-  glob@10.3.4:
-    dependencies:
-      foreground-child: 3.1.1
-      jackspeak: 2.3.6
-      minimatch: 9.0.5
-      minipass: 7.1.2
-      path-scurry: 1.11.1
-
   glob@10.4.5:
     dependencies:
       foreground-child: 3.1.1
@@ -35474,22 +29579,30 @@ snapshots:
       package-json-from-dist: 1.0.0
       path-scurry: 2.0.0
 
+  glob@11.1.0:
+    dependencies:
+      foreground-child: 3.3.1
+      jackspeak: 4.2.3
+      minimatch: 10.2.5
+      minipass: 7.1.2
+      package-json-from-dist: 1.0.0
+      path-scurry: 2.0.0
+
+  glob@13.0.6:
+    dependencies:
+      minimatch: 10.2.5
+      minipass: 7.1.3
+      path-scurry: 2.0.2
+
   glob@7.2.3:
     dependencies:
       fs.realpath: 1.0.0
       inflight: 1.0.6
       inherits: 2.0.4
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       once: 1.4.0
       path-is-absolute: 1.0.1
 
-  glob@9.3.5:
-    dependencies:
-      fs.realpath: 1.0.0
-      minimatch: 8.0.4
-      minipass: 4.2.8
-      path-scurry: 1.11.1
-
   globals@11.12.0: {}
 
   globals@13.19.0:
@@ -35591,10 +29704,6 @@ snapshots:
       pumpify: 1.5.1
       through2: 2.0.5
 
-  gzip-size@6.0.0:
-    dependencies:
-      duplexer: 0.1.2
-
   hachure-fill@0.5.2: {}
 
   har-schema@2.0.0: {}
@@ -35636,28 +29745,6 @@ snapshots:
     dependencies:
       function-bind: 1.1.2
 
-  hast-util-from-dom@5.0.1:
-    dependencies:
-      '@types/hast': 3.0.4
-      hastscript: 9.0.1
-      web-namespaces: 2.0.1
-
-  hast-util-from-html-isomorphic@2.0.0:
-    dependencies:
-      '@types/hast': 3.0.4
-      hast-util-from-dom: 5.0.1
-      hast-util-from-html: 2.0.3
-      unist-util-remove-position: 5.0.0
-
-  hast-util-from-html@2.0.3:
-    dependencies:
-      '@types/hast': 3.0.4
-      devlop: 1.1.0
-      hast-util-from-parse5: 8.0.3
-      parse5: 7.3.0
-      vfile: 6.0.3
-      vfile-message: 4.0.2
-
   hast-util-from-parse5@8.0.3:
     dependencies:
       '@types/hast': 3.0.4
@@ -35669,10 +29756,6 @@ snapshots:
       vfile-location: 5.0.3
       web-namespaces: 2.0.1
 
-  hast-util-is-element@3.0.0:
-    dependencies:
-      '@types/hast': 3.0.4
-
   hast-util-parse-selector@4.0.0:
     dependencies:
       '@types/hast': 3.0.4
@@ -35693,6 +29776,12 @@ snapshots:
       web-namespaces: 2.0.1
       zwitch: 2.0.4
 
+  hast-util-sanitize@5.0.2:
+    dependencies:
+      '@types/hast': 3.0.4
+      '@ungap/structured-clone': 1.3.0
+      unist-util-position: 5.0.0
+
   hast-util-to-estree@2.1.0:
     dependencies:
       '@types/estree': 1.0.8
@@ -35757,13 +29846,6 @@ snapshots:
       web-namespaces: 2.0.1
       zwitch: 2.0.4
 
-  hast-util-to-text@4.0.2:
-    dependencies:
-      '@types/hast': 3.0.4
-      '@types/unist': 3.0.3
-      hast-util-is-element: 3.0.0
-      unist-util-find-after: 5.0.0
-
   hast-util-whitespace@2.0.1: {}
 
   hast-util-whitespace@3.0.0:
@@ -35788,6 +29870,8 @@ snapshots:
 
   hono@4.11.8: {}
 
+  hono@4.12.15: {}
+
   hono@4.5.11: {}
 
   hosted-git-info@2.8.9: {}
@@ -35837,13 +29921,6 @@ snapshots:
       statuses: 2.0.2
       toidentifier: 1.0.1
 
-  http-proxy-agent@7.0.2:
-    dependencies:
-      agent-base: 7.1.4
-      debug: 4.4.3(supports-color@10.0.0)
-    transitivePeerDependencies:
-      - supports-color
-
   http-signature@1.2.0:
     dependencies:
       assert-plus: 1.0.0
@@ -35853,13 +29930,6 @@ snapshots:
   https-proxy-agent@5.0.1:
     dependencies:
       agent-base: 6.0.2
-      debug: 4.4.1
-    transitivePeerDependencies:
-      - supports-color
-
-  https-proxy-agent@7.0.6:
-    dependencies:
-      agent-base: 7.1.4
       debug: 4.4.3(supports-color@10.0.0)
     transitivePeerDependencies:
       - supports-color
@@ -35892,13 +29962,9 @@ snapshots:
     dependencies:
       safer-buffer: 2.1.2
 
-  icss-utils@5.1.0(postcss@8.4.35):
-    dependencies:
-      postcss: 8.4.35
-
-  icss-utils@5.1.0(postcss@8.5.4):
+  icss-utils@5.1.0(postcss@8.5.10):
     dependencies:
-      postcss: 8.5.4
+      postcss: 8.5.10
 
   ieee754@1.2.1: {}
 
@@ -35911,19 +29977,19 @@ snapshots:
       parent-module: 1.0.1
       resolve-from: 4.0.0
 
-  import-in-the-middle@1.11.0:
+  import-in-the-middle@1.15.0:
     dependencies:
-      acorn: 8.12.1
-      acorn-import-attributes: 1.9.5(acorn@8.12.1)
-      cjs-module-lexer: 1.2.3
-      module-details-from-path: 1.0.3
+      acorn: 8.16.0
+      acorn-import-attributes: 1.9.5(acorn@8.16.0)
+      cjs-module-lexer: 1.4.3
+      module-details-from-path: 1.0.4
 
-  import-in-the-middle@1.14.2:
+  import-in-the-middle@3.0.1:
     dependencies:
-      acorn: 8.15.0
-      acorn-import-attributes: 1.9.5(acorn@8.15.0)
-      cjs-module-lexer: 1.2.3
-      module-details-from-path: 1.0.3
+      acorn: 8.16.0
+      acorn-import-attributes: 1.9.5(acorn@8.16.0)
+      cjs-module-lexer: 2.2.0
+      module-details-from-path: 1.0.4
 
   import-meta-resolve@4.1.0: {}
 
@@ -35975,8 +30041,6 @@ snapshots:
 
   internmap@2.0.3: {}
 
-  interpret@1.4.0: {}
-
   interpret@3.1.1: {}
 
   intl-messageformat@10.5.8:
@@ -35988,15 +30052,11 @@ snapshots:
 
   intl-parse-accept-language@1.0.0: {}
 
-  invariant@2.2.4:
-    dependencies:
-      loose-envify: 1.4.0
-
-  ioredis@5.3.2:
+  ioredis@5.6.1:
     dependencies:
       '@ioredis/commands': 1.2.0
       cluster-key-slot: 1.1.2
-      debug: 4.3.7(supports-color@10.0.0)
+      debug: 4.4.3(supports-color@10.0.0)
       denque: 2.1.0
       lodash.defaults: 4.2.0
       lodash.isarguments: 3.1.0
@@ -36013,11 +30073,6 @@ snapshots:
       jsbn: 1.1.0
       sprintf-js: 1.1.2
 
-  ip-address@9.0.5:
-    dependencies:
-      jsbn: 1.1.0
-      sprintf-js: 1.1.3
-
   ipaddr.js@1.9.1: {}
 
   ipaddr.js@2.2.0: {}
@@ -36136,8 +30191,6 @@ snapshots:
 
   is-plain-obj@4.1.0: {}
 
-  is-plain-object@5.0.0: {}
-
   is-promise@4.0.0: {}
 
   is-reference@3.0.3:
@@ -36227,25 +30280,11 @@ snapshots:
       make-dir: 4.0.0
       supports-color: 7.2.0
 
-  istanbul-lib-source-maps@5.0.6:
-    dependencies:
-      '@jridgewell/trace-mapping': 0.3.25
-      debug: 4.4.1
-      istanbul-lib-coverage: 3.2.2
-    transitivePeerDependencies:
-      - supports-color
-
-  istanbul-reports@3.1.7:
+  istanbul-reports@3.2.0:
     dependencies:
       html-escaper: 2.0.2
       istanbul-lib-report: 3.0.1
 
-  jackspeak@2.3.6:
-    dependencies:
-      '@isaacs/cliui': 8.0.2
-    optionalDependencies:
-      '@pkgjs/parseargs': 0.11.0
-
   jackspeak@3.4.3:
     dependencies:
       '@isaacs/cliui': 8.0.2
@@ -36258,6 +30297,10 @@ snapshots:
     optionalDependencies:
       '@pkgjs/parseargs': 0.11.0
 
+  jackspeak@4.2.3:
+    dependencies:
+      '@isaacs/cliui': 9.0.0
+
   javascript-stringify@2.1.0: {}
 
   jest-worker@27.5.1:
@@ -36272,6 +30315,8 @@ snapshots:
 
   jiti@2.4.2: {}
 
+  jiti@2.6.1: {}
+
   joi@17.7.0:
     dependencies:
       '@hapi/hoek': 9.3.0
@@ -36307,6 +30352,8 @@ snapshots:
 
   js-sdsl@4.2.0: {}
 
+  js-tokens@10.0.0: {}
+
   js-tokens@4.0.0: {}
 
   js-yaml@3.14.2:
@@ -36368,12 +30415,6 @@ snapshots:
 
   jsonc-parser@3.2.1: {}
 
-  jsondiffpatch@0.6.0:
-    dependencies:
-      '@types/diff-match-patch': 1.0.36
-      chalk: 5.3.0
-      diff-match-patch: 1.0.5
-
   jsonfile@4.0.0:
     optionalDependencies:
       graceful-fs: 4.2.11
@@ -36418,7 +30459,7 @@ snapshots:
 
   jsx-ast-utils@3.3.3:
     dependencies:
-      array-includes: 3.1.6
+      array-includes: 3.1.8
       object.assign: 4.1.5
 
   junk@4.0.1: {}
@@ -36448,28 +30489,20 @@ snapshots:
 
   kind-of@6.0.3: {}
 
+  kleur@3.0.3: {}
+
   kleur@4.1.5: {}
 
   kolorist@1.8.0: {}
 
-  langium@3.3.1:
+  langium@4.2.2:
     dependencies:
-      chevrotain: 11.0.3
-      chevrotain-allstar: 0.3.1(chevrotain@11.0.3)
+      '@chevrotain/regexp-to-ast': 12.0.0
+      chevrotain: 12.0.0
+      chevrotain-allstar: 0.4.1(chevrotain@12.0.0)
       vscode-languageserver: 9.0.1
       vscode-languageserver-textdocument: 1.0.12
-      vscode-uri: 3.0.8
-
-  langsmith@0.2.15(openai@4.68.4(encoding@0.1.13)(zod@3.25.76)):
-    dependencies:
-      '@types/uuid': 10.0.0
-      commander: 10.0.1
-      p-queue: 6.6.2
-      p-retry: 4.6.2
-      semver: 7.6.3
-      uuid: 10.0.0
-    optionalDependencies:
-      openai: 4.68.4(encoding@0.1.13)(zod@3.25.76)
+      vscode-uri: 3.1.0
 
   language-subtag-registry@0.3.22: {}
 
@@ -36587,6 +30620,7 @@ snapshots:
       lightningcss-linux-x64-musl: 1.29.2
       lightningcss-win32-arm64-msvc: 1.29.2
       lightningcss-win32-x64-msvc: 1.29.2
+    optional: true
 
   lilconfig@2.1.0: {}
 
@@ -36617,8 +30651,6 @@ snapshots:
       pify: 4.0.1
       strip-bom: 3.0.0
 
-  loader-runner@4.3.0: {}
-
   loader-runner@4.3.1: {}
 
   loader-utils@3.2.1: {}
@@ -36643,7 +30675,7 @@ snapshots:
     dependencies:
       p-locate: 6.0.0
 
-  lodash-es@4.17.21: {}
+  lodash-es@4.18.1: {}
 
   lodash.camelcase@4.3.0: {}
 
@@ -36653,30 +30685,20 @@ snapshots:
 
   lodash.defaults@4.2.0: {}
 
-  lodash.escaperegexp@4.1.2: {}
-
-  lodash.groupby@4.6.0: {}
-
   lodash.includes@4.3.0: {}
 
   lodash.isarguments@3.1.0: {}
 
   lodash.isboolean@3.0.3: {}
 
-  lodash.isfunction@3.0.9: {}
-
   lodash.isinteger@4.0.4: {}
 
-  lodash.isnil@4.0.0: {}
-
   lodash.isnumber@3.0.3: {}
 
   lodash.isplainobject@4.0.6: {}
 
   lodash.isstring@4.0.1: {}
 
-  lodash.isundefined@3.0.1: {}
-
   lodash.merge@4.6.2: {}
 
   lodash.omit@4.5.0: {}
@@ -36689,25 +30711,28 @@ snapshots:
 
   lodash.truncate@4.4.2: {}
 
-  lodash.uniq@4.5.0: {}
-
-  lodash@4.17.23: {}
+  lodash@4.18.1: {}
 
   log-symbols@4.1.0:
     dependencies:
       chalk: 4.1.2
       is-unicode-supported: 0.1.0
 
+  log-symbols@7.0.1:
+    dependencies:
+      is-unicode-supported: 2.1.0
+      yoctocolors: 2.1.2
+
   long@5.2.3: {}
 
+  long@5.3.2: {}
+
   longest-streak@3.1.0: {}
 
   loose-envify@1.4.0:
     dependencies:
       js-tokens: 4.0.0
 
-  loupe@3.1.3: {}
-
   lowercase-keys@1.0.1: {}
 
   lowercase-keys@2.0.0: {}
@@ -36736,34 +30761,10 @@ snapshots:
     dependencies:
       react: 18.2.0
 
-  lucide-react@0.451.0(react@18.3.1):
-    dependencies:
-      react: 18.3.1
-
-  lucide-react@0.484.0(react@19.0.0):
-    dependencies:
-      react: 19.0.0
-
-  lucide-react@0.486.0(react@19.0.0):
-    dependencies:
-      react: 19.0.0
-
-  lucide-react@0.542.0(react@18.2.0):
-    dependencies:
-      react: 18.2.0
-
-  lucide-react@0.542.0(react@19.1.0):
-    dependencies:
-      react: 19.1.0
-
   luxon@3.2.1: {}
 
   lz-string@1.4.4: {}
 
-  magic-string@0.30.17:
-    dependencies:
-      '@jridgewell/sourcemap-codec': 1.5.0
-
   magic-string@0.30.21:
     dependencies:
       '@jridgewell/sourcemap-codec': 1.5.5
@@ -36776,8 +30777,15 @@ snapshots:
 
   magicast@0.3.5:
     dependencies:
-      '@babel/parser': 7.27.0
-      '@babel/types': 7.27.0
+      '@babel/parser': 7.29.7
+      '@babel/types': 7.29.7
+      source-map-js: 1.2.1
+    optional: true
+
+  magicast@0.5.3:
+    dependencies:
+      '@babel/parser': 7.29.7
+      '@babel/types': 7.29.7
       source-map-js: 1.2.1
 
   make-dir@4.0.0:
@@ -36802,11 +30810,13 @@ snapshots:
       node-emoji: 2.1.3
       supports-hyperlinks: 3.1.0
 
+  marked@15.0.12: {}
+
   marked@16.4.1: {}
 
-  marked@4.2.5: {}
+  marked@17.0.6: {}
 
-  marked@7.0.4: {}
+  marked@4.2.5: {}
 
   marked@9.1.6: {}
 
@@ -36821,11 +30831,6 @@ snapshots:
 
   math-intrinsics@1.1.0: {}
 
-  md-to-react-email@5.0.2(react@18.3.1):
-    dependencies:
-      marked: 7.0.4
-      react: 18.3.1
-
   mdast-util-definitions@5.1.1:
     dependencies:
       '@types/mdast': 3.0.10
@@ -36934,18 +30939,6 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  mdast-util-math@3.0.0:
-    dependencies:
-      '@types/hast': 3.0.4
-      '@types/mdast': 4.0.4
-      devlop: 1.1.0
-      longest-streak: 3.1.0
-      mdast-util-from-markdown: 2.0.2
-      mdast-util-to-markdown: 2.1.2
-      unist-util-remove-position: 5.0.0
-    transitivePeerDependencies:
-      - supports-color
-
   mdast-util-mdx-expression@1.3.1:
     dependencies:
       '@types/estree-jsx': 1.0.0
@@ -37096,6 +31089,8 @@ snapshots:
 
   mdn-data@2.0.14: {}
 
+  mdn-data@2.27.1: {}
+
   media-query-parser@2.0.2:
     dependencies:
       '@babel/runtime': 7.28.4
@@ -37130,23 +31125,24 @@ snapshots:
 
   merge2@1.4.1: {}
 
-  mermaid@11.12.0:
+  mermaid@11.14.0:
     dependencies:
       '@braintree/sanitize-url': 7.1.1
       '@iconify/utils': 3.0.2
-      '@mermaid-js/parser': 0.6.3
+      '@mermaid-js/parser': 1.1.0
       '@types/d3': 7.4.3
+      '@upsetjs/venn.js': 2.0.0
       cytoscape: 3.33.1
       cytoscape-cose-bilkent: 4.1.0(cytoscape@3.33.1)
       cytoscape-fcose: 2.2.0(cytoscape@3.33.1)
       d3: 7.9.0
       d3-sankey: 0.12.3
-      dagre-d3-es: 7.0.11
-      dayjs: 1.11.18
-      dompurify: 3.2.6
+      dagre-d3-es: 7.0.14
+      dayjs: 1.11.20
+      dompurify: 3.4.1
       katex: 0.16.25
       khroma: 2.1.0
-      lodash-es: 4.17.21
+      lodash-es: 4.18.1
       marked: 16.4.1
       roughjs: 4.6.6
       stylis: 4.3.6
@@ -37259,16 +31255,6 @@ snapshots:
       micromark-util-combine-extensions: 2.0.1
       micromark-util-types: 2.0.2
 
-  micromark-extension-math@3.1.0:
-    dependencies:
-      '@types/katex': 0.16.7
-      devlop: 1.1.0
-      katex: 0.16.25
-      micromark-factory-space: 2.0.1
-      micromark-util-character: 2.1.1
-      micromark-util-symbol: 2.0.1
-      micromark-util-types: 2.0.2
-
   micromark-extension-mdx-expression@1.0.3:
     dependencies:
       micromark-factory-mdx-expression: 1.0.6
@@ -37308,8 +31294,8 @@ snapshots:
 
   micromark-extension-mdxjs@1.0.0:
     dependencies:
-      acorn: 8.15.0
-      acorn-jsx: 5.3.2(acorn@8.15.0)
+      acorn: 8.16.0
+      acorn-jsx: 5.3.2(acorn@8.16.0)
       micromark-extension-mdx-expression: 1.0.3
       micromark-extension-mdx-jsx: 1.0.3
       micromark-extension-mdx-md: 1.0.0
@@ -37570,7 +31556,7 @@ snapshots:
   micromatch@4.0.8:
     dependencies:
       braces: 3.0.3
-      picomatch: 2.3.1
+      picomatch: 2.3.2
 
   mime-db@1.52.0: {}
 
@@ -37600,9 +31586,12 @@ snapshots:
 
   mimic-fn@4.0.0: {}
 
+  mimic-function@5.0.1: {}
+
   mimic-response@1.0.1: {}
 
-  mimic-response@3.1.0: {}
+  mimic-response@3.1.0:
+    optional: true
 
   min-indent@1.0.1: {}
 
@@ -37616,15 +31605,15 @@ snapshots:
     dependencies:
       brace-expansion: 2.0.1
 
-  minimatch@3.1.2:
+  minimatch@10.2.5:
     dependencies:
-      brace-expansion: 1.1.11
+      brace-expansion: 5.0.5
 
-  minimatch@5.1.6:
+  minimatch@3.1.5:
     dependencies:
-      brace-expansion: 2.0.1
+      brace-expansion: 1.1.11
 
-  minimatch@8.0.4:
+  minimatch@5.1.6:
     dependencies:
       brace-expansion: 2.0.1
 
@@ -37644,6 +31633,9 @@ snapshots:
 
   minimist@1.2.7: {}
 
+  minimist@1.2.8:
+    optional: true
+
   minipass-collect@1.0.2:
     dependencies:
       minipass: 3.3.6
@@ -37670,22 +31662,17 @@ snapshots:
 
   minipass@7.1.2: {}
 
+  minipass@7.1.3: {}
+
   minizlib@2.1.2:
     dependencies:
       minipass: 3.3.6
       yallist: 4.0.0
 
-  minizlib@3.0.1:
-    dependencies:
-      minipass: 7.1.2
-      rimraf: 5.0.7
-
   minizlib@3.1.0:
     dependencies:
       minipass: 7.1.2
 
-  mitt@3.0.1: {}
-
   mixme@0.5.4: {}
 
   mkdirp-classic@0.5.3: {}
@@ -37738,7 +31725,7 @@ snapshots:
       pkg-types: 1.3.1
       ufo: 1.6.1
 
-  module-details-from-path@1.0.3: {}
+  module-details-from-path@1.0.4: {}
 
   moo@0.5.2: {}
 
@@ -37752,20 +31739,26 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  morgan@1.10.1:
+    dependencies:
+      basic-auth: 2.0.1
+      debug: 2.6.9
+      depd: 2.0.0
+      on-finished: 2.3.0
+      on-headers: 1.1.0
+    transitivePeerDependencies:
+      - supports-color
+
   mri@1.2.0: {}
 
   mrmime@1.0.1: {}
 
-  mrmime@2.0.0: {}
-
   ms@2.0.0: {}
 
   ms@2.1.2: {}
 
   ms@2.1.3: {}
 
-  multipasta@0.2.5: {}
-
   mustache@4.2.0: {}
 
   mz@2.7.0:
@@ -37781,7 +31774,7 @@ snapshots:
     dependencies:
       '@jridgewell/sourcemap-codec': 1.5.5
       css-tree: 1.1.3
-      csstype: 3.2.0
+      csstype: 3.2.3
       fastest-stable-stringify: 2.0.2
       inline-style-prefixer: 7.0.1
       react: 18.2.0
@@ -37798,9 +31791,8 @@ snapshots:
 
   nanoid@5.1.2: {}
 
-  nanoid@5.1.5: {}
-
-  napi-build-utils@2.0.0: {}
+  napi-build-utils@2.0.0:
+    optional: true
 
   natural-compare-lite@1.4.0: {}
 
@@ -37815,153 +31807,24 @@ snapshots:
 
   negotiator@0.6.3: {}
 
+  negotiator@0.6.4: {}
+
   negotiator@1.0.0: {}
 
   neo-async@2.6.2: {}
 
   nested-error-stacks@2.1.1: {}
 
-  netmask@2.0.2: {}
-
   neverthrow@8.2.0:
     optionalDependencies:
       '@rollup/rollup-linux-x64-gnu': 4.53.2
 
-  next@14.1.0(@opentelemetry/api@1.9.0)(react-dom@18.2.0(react@18.3.1))(react@18.3.1):
-    dependencies:
-      '@next/env': 14.1.0
-      '@swc/helpers': 0.5.2
-      busboy: 1.6.0
-      caniuse-lite: 1.0.30001754
-      graceful-fs: 4.2.11
-      postcss: 8.4.31
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-      styled-jsx: 5.1.1(react@18.3.1)
-    optionalDependencies:
-      '@next/swc-darwin-arm64': 14.1.0
-      '@next/swc-darwin-x64': 14.1.0
-      '@next/swc-linux-arm64-gnu': 14.1.0
-      '@next/swc-linux-arm64-musl': 14.1.0
-      '@next/swc-linux-x64-gnu': 14.1.0
-      '@next/swc-linux-x64-musl': 14.1.0
-      '@next/swc-win32-arm64-msvc': 14.1.0
-      '@next/swc-win32-ia32-msvc': 14.1.0
-      '@next/swc-win32-x64-msvc': 14.1.0
-      '@opentelemetry/api': 1.9.0
-    transitivePeerDependencies:
-      - '@babel/core'
-      - babel-plugin-macros
-
-  next@14.2.21(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@18.2.0(react@18.3.1))(react@18.3.1):
-    dependencies:
-      '@next/env': 14.2.21
-      '@swc/helpers': 0.5.5
-      busboy: 1.6.0
-      caniuse-lite: 1.0.30001699
-      graceful-fs: 4.2.11
-      postcss: 8.4.31
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-      styled-jsx: 5.1.1(react@18.3.1)
-    optionalDependencies:
-      '@next/swc-darwin-arm64': 14.2.21
-      '@next/swc-darwin-x64': 14.2.21
-      '@next/swc-linux-arm64-gnu': 14.2.21
-      '@next/swc-linux-arm64-musl': 14.2.21
-      '@next/swc-linux-x64-gnu': 14.2.21
-      '@next/swc-linux-x64-musl': 14.2.21
-      '@next/swc-win32-arm64-msvc': 14.2.21
-      '@next/swc-win32-ia32-msvc': 14.2.21
-      '@next/swc-win32-x64-msvc': 14.2.21
-      '@opentelemetry/api': 1.9.0
-      '@playwright/test': 1.37.0
-    transitivePeerDependencies:
-      - '@babel/core'
-      - babel-plugin-macros
-
-  next@15.2.4(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@19.0.0(react@19.0.0))(react@19.0.0):
-    dependencies:
-      '@next/env': 15.2.4
-      '@swc/counter': 0.1.3
-      '@swc/helpers': 0.5.15
-      busboy: 1.6.0
-      caniuse-lite: 1.0.30001707
-      postcss: 8.4.31
-      react: 19.0.0
-      react-dom: 19.0.0(react@19.0.0)
-      styled-jsx: 5.1.6(react@19.0.0)
-    optionalDependencies:
-      '@next/swc-darwin-arm64': 15.2.4
-      '@next/swc-darwin-x64': 15.2.4
-      '@next/swc-linux-arm64-gnu': 15.2.4
-      '@next/swc-linux-arm64-musl': 15.2.4
-      '@next/swc-linux-x64-gnu': 15.2.4
-      '@next/swc-linux-x64-musl': 15.2.4
-      '@next/swc-win32-arm64-msvc': 15.2.4
-      '@next/swc-win32-x64-msvc': 15.2.4
-      '@opentelemetry/api': 1.9.0
-      '@playwright/test': 1.37.0
-      sharp: 0.33.5
-    transitivePeerDependencies:
-      - '@babel/core'
-      - babel-plugin-macros
-
-  next@15.4.8(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@19.0.0(react@19.0.0))(react@19.0.0):
-    dependencies:
-      '@next/env': 15.4.8
-      '@swc/helpers': 0.5.15
-      caniuse-lite: 1.0.30001754
-      postcss: 8.4.31
-      react: 19.0.0
-      react-dom: 19.0.0(react@19.0.0)
-      styled-jsx: 5.1.6(react@19.0.0)
-    optionalDependencies:
-      '@next/swc-darwin-arm64': 15.4.8
-      '@next/swc-darwin-x64': 15.4.8
-      '@next/swc-linux-arm64-gnu': 15.4.8
-      '@next/swc-linux-arm64-musl': 15.4.8
-      '@next/swc-linux-x64-gnu': 15.4.8
-      '@next/swc-linux-x64-musl': 15.4.8
-      '@next/swc-win32-arm64-msvc': 15.4.8
-      '@next/swc-win32-x64-msvc': 15.4.8
-      '@opentelemetry/api': 1.9.0
-      '@playwright/test': 1.37.0
-      sharp: 0.34.5
-    transitivePeerDependencies:
-      - '@babel/core'
-      - babel-plugin-macros
-
-  next@15.5.6(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@19.1.0(react@19.1.0))(react@19.1.0):
-    dependencies:
-      '@next/env': 15.5.6
-      '@swc/helpers': 0.5.15
-      caniuse-lite: 1.0.30001754
-      postcss: 8.4.31
-      react: 19.1.0
-      react-dom: 19.1.0(react@19.1.0)
-      styled-jsx: 5.1.6(react@19.1.0)
-    optionalDependencies:
-      '@next/swc-darwin-arm64': 15.5.6
-      '@next/swc-darwin-x64': 15.5.6
-      '@next/swc-linux-arm64-gnu': 15.5.6
-      '@next/swc-linux-arm64-musl': 15.5.6
-      '@next/swc-linux-x64-gnu': 15.5.6
-      '@next/swc-linux-x64-musl': 15.5.6
-      '@next/swc-win32-arm64-msvc': 15.5.6
-      '@next/swc-win32-x64-msvc': 15.5.6
-      '@opentelemetry/api': 1.9.0
-      '@playwright/test': 1.37.0
-      sharp: 0.34.5
-    transitivePeerDependencies:
-      - '@babel/core'
-      - babel-plugin-macros
-
   nice-try@1.0.5: {}
 
-  node-abi@3.75.0:
+  node-abi@3.89.0:
     dependencies:
-      semver: 7.7.3
+      semver: 7.8.1
+    optional: true
 
   node-abort-controller@3.1.1: {}
 
@@ -37969,7 +31832,7 @@ snapshots:
 
   node-emoji@1.11.0:
     dependencies:
-      lodash: 4.17.23
+      lodash: 4.18.1
 
   node-emoji@2.1.3:
     dependencies:
@@ -37992,15 +31855,16 @@ snapshots:
     optionalDependencies:
       encoding: 0.1.13
 
-  node-gyp-build@4.8.4: {}
+  node-gyp-build@4.8.4:
+    optional: true
 
   node-releases@2.0.12: {}
 
-  node-releases@2.0.19: {}
-
   node-releases@2.0.27: {}
 
-  nodemailer@7.0.11: {}
+  node-releases@2.0.36: {}
+
+  nodemailer@8.0.6: {}
 
   non.geist@1.0.2: {}
 
@@ -38012,7 +31876,7 @@ snapshots:
     dependencies:
       hosted-git-info: 2.8.9
       resolve: 1.22.8
-      semver: 5.7.1
+      semver: 5.7.2
       validate-npm-package-license: 3.0.4
 
   normalize-package-data@5.0.0:
@@ -38058,10 +31922,10 @@ snapshots:
       chalk: 2.4.2
       cross-spawn: 6.0.5
       memorystream: 0.3.1
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       pidtree: 0.3.1
       read-pkg: 3.0.0
-      shell-quote: 1.8.1
+      shell-quote: 1.8.4
       string.prototype.padend: 3.1.4
 
   npm-run-path@4.0.1:
@@ -38105,6 +31969,12 @@ snapshots:
       pkg-types: 2.3.0
       tinyexec: 1.0.1
 
+  nypm@0.6.6:
+    dependencies:
+      citty: 0.2.2
+      pathe: 2.0.3
+      tinyexec: 1.2.3
+
   oauth-sign@0.9.0: {}
 
   oauth4webapi@3.3.0: {}
@@ -38130,46 +32000,36 @@ snapshots:
     dependencies:
       call-bind: 1.0.8
       define-properties: 1.2.1
-      es-abstract: 1.21.1
-
-  object.fromentries@2.0.6:
-    dependencies:
-      call-bind: 1.0.8
-      define-properties: 1.2.1
-      es-abstract: 1.21.1
+      es-abstract: 1.23.3
 
   object.fromentries@2.0.8:
     dependencies:
-      call-bind: 1.0.7
+      call-bind: 1.0.8
       define-properties: 1.2.1
       es-abstract: 1.23.3
-      es-object-atoms: 1.0.0
+      es-object-atoms: 1.1.1
 
   object.groupby@1.0.3:
     dependencies:
-      call-bind: 1.0.7
+      call-bind: 1.0.8
       define-properties: 1.2.1
       es-abstract: 1.23.3
 
   object.hasown@1.1.2:
     dependencies:
       define-properties: 1.2.1
-      es-abstract: 1.21.1
-
-  object.values@1.1.6:
-    dependencies:
-      call-bind: 1.0.8
-      define-properties: 1.2.1
-      es-abstract: 1.21.1
+      es-abstract: 1.23.3
 
   object.values@1.2.0:
     dependencies:
-      call-bind: 1.0.7
+      call-bind: 1.0.8
       define-properties: 1.2.1
-      es-object-atoms: 1.0.0
+      es-object-atoms: 1.1.1
 
   obuf@1.1.2: {}
 
+  obug@2.1.1: {}
+
   octokit@3.2.2:
     dependencies:
       '@octokit/app': 14.1.0
@@ -38203,6 +32063,8 @@ snapshots:
 
   on-headers@1.0.2: {}
 
+  on-headers@1.1.0: {}
+
   once@1.4.0:
     dependencies:
       wrappy: 1.0.2
@@ -38215,12 +32077,12 @@ snapshots:
     dependencies:
       mimic-fn: 4.0.0
 
-  oniguruma-parser@0.12.1: {}
+  oniguruma-parser@0.12.2: {}
 
-  oniguruma-to-es@4.3.3:
+  oniguruma-to-es@4.3.6:
     dependencies:
-      oniguruma-parser: 0.12.1
-      regex: 6.0.1
+      oniguruma-parser: 0.12.2
+      regex: 6.1.0
       regex-recursion: 6.0.2
 
   open@10.0.3:
@@ -38249,20 +32111,6 @@ snapshots:
     transitivePeerDependencies:
       - encoding
 
-  openai@4.68.4(encoding@0.1.13)(zod@3.25.76):
-    dependencies:
-      '@types/node': 20.14.14
-      '@types/node-fetch': 2.6.4
-      abort-controller: 3.0.0
-      agentkeepalive: 4.5.0
-      form-data-encoder: 1.7.2
-      formdata-node: 4.4.1
-      node-fetch: 2.6.12(encoding@0.1.13)
-    optionalDependencies:
-      zod: 3.25.76
-    transitivePeerDependencies:
-      - encoding
-
   openai@4.97.0(encoding@0.1.13)(ws@8.12.0(bufferutil@4.0.9))(zod@3.25.76):
     dependencies:
       '@types/node': 20.14.14
@@ -38278,29 +32126,6 @@ snapshots:
     transitivePeerDependencies:
       - encoding
 
-  openai@4.97.0(encoding@0.1.13)(ws@8.18.3(bufferutil@4.0.9))(zod@3.25.76):
-    dependencies:
-      '@types/node': 20.14.14
-      '@types/node-fetch': 2.6.12
-      abort-controller: 3.0.0
-      agentkeepalive: 4.5.0
-      form-data-encoder: 1.7.2
-      formdata-node: 4.4.1
-      node-fetch: 2.6.12(encoding@0.1.13)
-    optionalDependencies:
-      ws: 8.18.3(bufferutil@4.0.9)
-      zod: 3.25.76
-    transitivePeerDependencies:
-      - encoding
-
-  openapi-fetch@0.9.8:
-    dependencies:
-      openapi-typescript-helpers: 0.0.8
-
-  openapi-typescript-helpers@0.0.8: {}
-
-  opener@1.5.2: {}
-
   openid-client@5.7.1:
     dependencies:
       jose: 4.15.9
@@ -38432,24 +32257,6 @@ snapshots:
 
   p-try@2.2.0: {}
 
-  pac-proxy-agent@7.2.0:
-    dependencies:
-      '@tootallnate/quickjs-emscripten': 0.23.0
-      agent-base: 7.1.4
-      debug: 4.4.3(supports-color@10.0.0)
-      get-uri: 6.0.1
-      http-proxy-agent: 7.0.2
-      https-proxy-agent: 7.0.6
-      pac-resolver: 7.0.1
-      socks-proxy-agent: 8.0.5
-    transitivePeerDependencies:
-      - supports-color
-
-  pac-resolver@7.0.1:
-    dependencies:
-      degenerator: 5.0.1
-      netmask: 2.0.2
-
   package-json-from-dist@1.0.0: {}
 
   package-json@6.5.0:
@@ -38527,6 +32334,8 @@ snapshots:
 
   path-exists@5.0.0: {}
 
+  path-expression-matcher@1.5.0: {}
+
   path-is-absolute@1.0.1: {}
 
   path-key@2.0.1: {}
@@ -38547,7 +32356,12 @@ snapshots:
       lru-cache: 11.2.4
       minipass: 7.1.2
 
-  path-to-regexp@0.1.10: {}
+  path-scurry@2.0.2:
+    dependencies:
+      lru-cache: 11.2.4
+      minipass: 7.1.3
+
+  path-to-regexp@0.1.13: {}
 
   path-to-regexp@8.2.0: {}
 
@@ -38561,8 +32375,6 @@ snapshots:
 
   pathe@2.0.3: {}
 
-  pathval@2.0.0: {}
-
   peberminta@0.9.0: {}
 
   peek-readable@5.4.2: {}
@@ -38573,14 +32385,10 @@ snapshots:
       duplexify: 3.7.1
       through2: 2.0.5
 
-  pend@1.2.0: {}
-
   perfect-debounce@1.0.0: {}
 
   performance-now@2.1.0: {}
 
-  performant-array-to-tree@1.11.0: {}
-
   periscopic@3.1.0:
     dependencies:
       '@types/estree': 1.0.8
@@ -38602,10 +32410,6 @@ snapshots:
     dependencies:
       pg: 8.11.5
 
-  pg-pool@3.10.1(pg@8.16.3):
-    dependencies:
-      pg: 8.16.3
-
   pg-pool@3.9.6(pg@8.15.6):
     dependencies:
       pg: 8.15.6
@@ -38654,16 +32458,6 @@ snapshots:
     optionalDependencies:
       pg-cloudflare: 1.2.7
 
-  pg@8.16.3:
-    dependencies:
-      pg-connection-string: 2.9.1
-      pg-pool: 3.10.1(pg@8.16.3)
-      pg-protocol: 1.10.3
-      pg-types: 2.2.0
-      pgpass: 1.0.5
-    optionalDependencies:
-      pg-cloudflare: 1.2.7
-
   pgpass@1.0.5:
     dependencies:
       split2: 4.2.0
@@ -38674,9 +32468,11 @@ snapshots:
 
   picocolors@1.1.1: {}
 
-  picomatch@2.3.1: {}
+  picomatch@2.3.2: {}
 
-  picomatch@4.0.2: {}
+  picomatch@4.0.4: {}
+
+  picospinner@3.0.0: {}
 
   pidtree@0.3.1: {}
 
@@ -38688,25 +32484,25 @@ snapshots:
 
   pify@4.0.1: {}
 
-  pino-abstract-transport@2.0.0:
+  pino-abstract-transport@3.0.0:
     dependencies:
       split2: 4.2.0
 
   pino-std-serializers@7.0.0: {}
 
-  pino@9.7.0:
+  pino@10.3.1:
     dependencies:
+      '@pinojs/redact': 0.4.0
       atomic-sleep: 1.0.0
-      fast-redact: 3.5.0
       on-exit-leak-free: 2.1.2
-      pino-abstract-transport: 2.0.0
+      pino-abstract-transport: 3.0.0
       pino-std-serializers: 7.0.0
       process-warning: 5.0.0
       quick-format-unescaped: 4.0.4
       real-require: 0.2.0
       safe-stable-stringify: 2.5.0
       sonic-boom: 4.2.0
-      thread-stream: 3.1.0
+      thread-stream: 4.2.0
 
   pirates@4.0.5: {}
 
@@ -38716,6 +32512,8 @@ snapshots:
     dependencies:
       find-up: 4.1.0
 
+  pkg-pr-new@0.0.75: {}
+
   pkg-types@1.1.3:
     dependencies:
       confbox: 0.1.8
@@ -38734,8 +32532,6 @@ snapshots:
       exsolve: 1.0.7
       pathe: 2.0.3
 
-  platform@1.3.6: {}
-
   playwright-core@1.37.0: {}
 
   points-on-curve@0.2.0: {}
@@ -38754,9 +32550,9 @@ snapshots:
 
   possible-typed-array-names@1.0.0: {}
 
-  postcss-discard-duplicates@5.1.0(postcss@8.5.4):
+  postcss-discard-duplicates@5.1.0(postcss@8.5.10):
     dependencies:
-      postcss: 8.5.4
+      postcss: 8.5.10
 
   postcss-functions@3.0.0:
     dependencies:
@@ -38765,23 +32561,16 @@ snapshots:
       postcss: 6.0.23
       postcss-value-parser: 3.3.1
 
-  postcss-import@15.1.0(postcss@8.5.4):
-    dependencies:
-      postcss: 8.5.4
-      postcss-value-parser: 4.2.0
-      read-cache: 1.0.0
-      resolve: 1.22.8
-
-  postcss-import@15.1.0(postcss@8.5.6):
+  postcss-import@15.1.0(postcss@8.5.10):
     dependencies:
-      postcss: 8.5.6
+      postcss: 8.5.10
       postcss-value-parser: 4.2.0
       read-cache: 1.0.0
       resolve: 1.22.8
 
-  postcss-import@16.0.1(postcss@8.5.6):
+  postcss-import@16.0.1(postcss@8.5.10):
     dependencies:
-      postcss: 8.5.6
+      postcss: 8.5.10
       postcss-value-parser: 4.2.0
       read-cache: 1.0.0
       resolve: 1.22.8
@@ -38791,102 +32580,78 @@ snapshots:
       camelcase-css: 2.0.1
       postcss: 7.0.39
 
-  postcss-js@4.0.1(postcss@8.5.4):
-    dependencies:
-      camelcase-css: 2.0.1
-      postcss: 8.5.4
-
-  postcss-js@4.0.1(postcss@8.5.6):
+  postcss-js@4.0.1(postcss@8.5.10):
     dependencies:
       camelcase-css: 2.0.1
-      postcss: 8.5.6
+      postcss: 8.5.10
 
-  postcss-load-config@4.0.2(postcss@8.5.4):
+  postcss-load-config@4.0.2(postcss@8.5.10):
     dependencies:
       lilconfig: 3.1.3
-      yaml: 2.7.1
+      yaml: 2.8.3
     optionalDependencies:
-      postcss: 8.5.4
+      postcss: 8.5.10
 
-  postcss-load-config@4.0.2(postcss@8.5.6):
+  postcss-load-config@6.0.1(jiti@2.6.1)(postcss@8.5.10)(tsx@4.17.0)(yaml@2.9.0):
     dependencies:
       lilconfig: 3.1.3
-      yaml: 2.7.1
     optionalDependencies:
-      postcss: 8.5.6
+      jiti: 2.6.1
+      postcss: 8.5.10
+      tsx: 4.17.0
+      yaml: 2.9.0
 
-  postcss-load-config@6.0.1(jiti@2.4.2)(postcss@8.5.6)(tsx@4.17.0)(yaml@2.7.1):
+  postcss-load-config@6.0.1(jiti@2.6.1)(postcss@8.5.10)(tsx@4.20.6)(yaml@2.9.0):
     dependencies:
       lilconfig: 3.1.3
     optionalDependencies:
-      jiti: 2.4.2
-      postcss: 8.5.6
-      tsx: 4.17.0
-      yaml: 2.7.1
+      jiti: 2.6.1
+      postcss: 8.5.10
+      tsx: 4.20.6
+      yaml: 2.9.0
 
-  postcss-loader@8.1.1(postcss@8.5.6)(typescript@5.5.4)(webpack@5.102.1(@swc/core@1.3.26)(esbuild@0.15.18)):
+  postcss-loader@8.1.1(postcss@8.5.10)(typescript@5.5.4)(webpack@5.102.1(@swc/core@1.3.26)(esbuild@0.15.18)):
     dependencies:
       cosmiconfig: 9.0.0(typescript@5.5.4)
       jiti: 1.21.0
-      postcss: 8.5.6
+      postcss: 8.5.10
       semver: 7.6.3
     optionalDependencies:
       webpack: 5.102.1(@swc/core@1.3.26)(esbuild@0.15.18)
     transitivePeerDependencies:
       - typescript
 
-  postcss-modules-extract-imports@3.0.0(postcss@8.4.35):
+  postcss-modules-extract-imports@3.0.0(postcss@8.5.10):
     dependencies:
-      postcss: 8.4.35
+      postcss: 8.5.10
 
-  postcss-modules-extract-imports@3.0.0(postcss@8.5.4):
+  postcss-modules-local-by-default@4.0.4(postcss@8.5.10):
     dependencies:
-      postcss: 8.5.4
-
-  postcss-modules-local-by-default@4.0.4(postcss@8.4.35):
-    dependencies:
-      icss-utils: 5.1.0(postcss@8.4.35)
-      postcss: 8.4.35
-      postcss-selector-parser: 6.1.2
-      postcss-value-parser: 4.2.0
-
-  postcss-modules-local-by-default@4.0.4(postcss@8.5.4):
-    dependencies:
-      icss-utils: 5.1.0(postcss@8.5.4)
-      postcss: 8.5.4
+      icss-utils: 5.1.0(postcss@8.5.10)
+      postcss: 8.5.10
       postcss-selector-parser: 6.1.2
       postcss-value-parser: 4.2.0
 
-  postcss-modules-scope@3.1.1(postcss@8.4.35):
-    dependencies:
-      postcss: 8.4.35
-      postcss-selector-parser: 6.1.2
-
-  postcss-modules-scope@3.1.1(postcss@8.5.4):
+  postcss-modules-scope@3.1.1(postcss@8.5.10):
     dependencies:
-      postcss: 8.5.4
+      postcss: 8.5.10
       postcss-selector-parser: 6.1.2
 
-  postcss-modules-values@4.0.0(postcss@8.4.35):
+  postcss-modules-values@4.0.0(postcss@8.5.10):
     dependencies:
-      icss-utils: 5.1.0(postcss@8.4.35)
-      postcss: 8.4.35
+      icss-utils: 5.1.0(postcss@8.5.10)
+      postcss: 8.5.10
 
-  postcss-modules-values@4.0.0(postcss@8.5.4):
-    dependencies:
-      icss-utils: 5.1.0(postcss@8.5.4)
-      postcss: 8.5.4
-
-  postcss-modules@6.0.0(postcss@8.5.4):
+  postcss-modules@6.0.0(postcss@8.5.10):
     dependencies:
       generic-names: 4.0.0
-      icss-utils: 5.1.0(postcss@8.5.4)
+      icss-utils: 5.1.0(postcss@8.5.10)
       lodash.camelcase: 4.3.0
-      postcss: 8.5.4
-      postcss-modules-extract-imports: 3.0.0(postcss@8.5.4)
-      postcss-modules-local-by-default: 4.0.4(postcss@8.5.4)
-      postcss-modules-scope: 3.1.1(postcss@8.5.4)
-      postcss-modules-values: 4.0.0(postcss@8.5.4)
+      postcss: 8.5.10
+      postcss-modules-extract-imports: 3.0.0(postcss@8.5.10)
+      postcss-modules-local-by-default: 4.0.4(postcss@8.5.10)
+      postcss-modules-scope: 3.1.1(postcss@8.5.10)
+      postcss-modules-values: 4.0.0(postcss@8.5.10)
       string-hash: 1.1.3
 
   postcss-nested@4.2.3:
@@ -38894,14 +32659,9 @@ snapshots:
       postcss: 7.0.39
       postcss-selector-parser: 6.1.2
 
-  postcss-nested@6.2.0(postcss@8.5.4):
-    dependencies:
-      postcss: 8.5.4
-      postcss-selector-parser: 6.1.2
-
-  postcss-nested@6.2.0(postcss@8.5.6):
+  postcss-nested@6.2.0(postcss@8.5.10):
     dependencies:
-      postcss: 8.5.6
+      postcss: 8.5.10
       postcss-selector-parser: 6.1.2
 
   postcss-selector-parser@6.0.10:
@@ -38935,31 +32695,7 @@ snapshots:
       picocolors: 0.2.1
       source-map: 0.6.1
 
-  postcss@8.4.31:
-    dependencies:
-      nanoid: 3.3.8
-      picocolors: 1.1.1
-      source-map-js: 1.2.1
-
-  postcss@8.4.35:
-    dependencies:
-      nanoid: 3.3.8
-      picocolors: 1.1.1
-      source-map-js: 1.2.1
-
-  postcss@8.4.44:
-    dependencies:
-      nanoid: 3.3.8
-      picocolors: 1.1.1
-      source-map-js: 1.2.0
-
-  postcss@8.5.4:
-    dependencies:
-      nanoid: 3.3.11
-      picocolors: 1.1.1
-      source-map-js: 1.2.1
-
-  postcss@8.5.6:
+  postcss@8.5.10:
     dependencies:
       nanoid: 3.3.11
       picocolors: 1.1.1
@@ -38987,32 +32723,31 @@ snapshots:
 
   postgres-range@1.1.4: {}
 
-  postgres@3.4.7: {}
-
   posthog-js@1.93.3:
     dependencies:
       fflate: 0.4.8
 
-  posthog-node@4.17.1:
+  posthog-node@5.35.6(rxjs@7.8.2):
     dependencies:
-      axios: 1.12.2
-    transitivePeerDependencies:
-      - debug
+      '@posthog/core': 1.29.13
+    optionalDependencies:
+      rxjs: 7.8.2
 
   prebuild-install@7.1.3:
     dependencies:
       detect-libc: 2.1.2
       expand-template: 2.0.3
       github-from-package: 0.0.0
-      minimist: 1.2.7
+      minimist: 1.2.8
       mkdirp-classic: 0.5.3
       napi-build-utils: 2.0.0
-      node-abi: 3.75.0
-      pump: 3.0.2
+      node-abi: 3.89.0
+      pump: 3.0.4
       rc: 1.2.8
       simple-get: 4.0.1
-      tar-fs: 2.1.3
+      tar-fs: 2.1.4
       tunnel-agent: 0.6.0
+    optional: true
 
   preferred-pm@3.0.3:
     dependencies:
@@ -39033,6 +32768,8 @@ snapshots:
 
   prettier@3.0.0: {}
 
+  prettier@3.8.3: {}
+
   pretty-format@27.5.1:
     dependencies:
       ansi-regex: 5.0.1
@@ -39049,28 +32786,12 @@ snapshots:
     dependencies:
       parse-ms: 4.0.0
 
-  prism-react-renderer@2.1.0(react@18.3.1):
-    dependencies:
-      '@types/prismjs': 1.26.0
-      clsx: 1.2.1
-      react: 18.3.1
-
   prism-react-renderer@2.3.1(react@18.2.0):
     dependencies:
       '@types/prismjs': 1.26.0
       clsx: 2.1.1
       react: 18.2.0
 
-  prisma-generator-ts-enums@1.1.0(prisma@6.14.0(magicast@0.3.5)(typescript@5.5.4)):
-    dependencies:
-      '@prisma/client': 4.9.0(prisma@6.14.0(magicast@0.3.5)(typescript@5.5.4))
-      '@prisma/generator-helper': 4.16.2
-      prettier: 2.8.8
-      rimraf: 4.4.1
-    transitivePeerDependencies:
-      - prisma
-      - supports-color
-
   prisma@6.14.0(magicast@0.3.5)(typescript@5.5.4):
     dependencies:
       '@prisma/config': 6.14.0(magicast@0.3.5)
@@ -39080,40 +32801,6 @@ snapshots:
     transitivePeerDependencies:
       - magicast
 
-  prisma@6.16.0(magicast@0.3.5)(typescript@5.5.4):
-    dependencies:
-      '@prisma/config': 6.16.0(magicast@0.3.5)
-      '@prisma/engines': 6.16.0
-    optionalDependencies:
-      typescript: 5.5.4
-    transitivePeerDependencies:
-      - magicast
-
-  prisma@6.19.0(typescript@5.5.4):
-    dependencies:
-      '@prisma/config': 6.19.0(magicast@0.3.5)
-      '@prisma/engines': 6.19.0
-    optionalDependencies:
-      typescript: 5.5.4
-    transitivePeerDependencies:
-      - magicast
-
-  prisma@6.20.0-integration-next.8(@types/react@19.2.14)(magicast@0.3.5)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)(typescript@5.5.4):
-    dependencies:
-      '@prisma/config': 6.20.0-integration-next.8(magicast@0.3.5)
-      '@prisma/engines': 6.20.0-integration-next.8
-      '@prisma/studio-core-licensed': 0.6.0(@types/react@19.2.14)(react-dom@19.1.0(react@19.1.0))(react@19.1.0)
-      postgres: 3.4.7
-    optionalDependencies:
-      typescript: 5.5.4
-    transitivePeerDependencies:
-      - '@types/react'
-      - magicast
-      - react
-      - react-dom
-
-  prismjs@1.29.0: {}
-
   prismjs@1.30.0: {}
 
   proc-log@3.0.0: {}
@@ -39140,6 +32827,11 @@ snapshots:
       err-code: 2.0.3
       retry: 0.12.0
 
+  prompts@2.4.2:
+    dependencies:
+      kleur: 3.0.3
+      sisteransi: 1.0.5
+
   prop-types@15.8.1:
     dependencies:
       loose-envify: 1.4.0
@@ -39152,9 +32844,12 @@ snapshots:
       retry: 0.12.0
       signal-exit: 3.0.7
 
-  properties-reader@2.3.0:
+  properties-reader@3.0.1:
     dependencies:
-      mkdirp: 1.0.4
+      '@kwsites/file-exists': 1.1.1
+      mkdirp: 3.0.1
+    transitivePeerDependencies:
+      - supports-color
 
   property-expr@2.0.6: {}
 
@@ -39164,41 +32859,30 @@ snapshots:
 
   proto-list@1.2.4: {}
 
-  protobufjs@7.3.2:
+  protobufjs@7.6.1:
     dependencies:
       '@protobufjs/aspromise': 1.1.2
       '@protobufjs/base64': 1.1.2
-      '@protobufjs/codegen': 2.0.4
-      '@protobufjs/eventemitter': 1.1.0
-      '@protobufjs/fetch': 1.1.0
+      '@protobufjs/codegen': 2.0.5
+      '@protobufjs/eventemitter': 1.1.1
+      '@protobufjs/fetch': 1.1.1
       '@protobufjs/float': 1.0.2
-      '@protobufjs/inquire': 1.1.0
+      '@protobufjs/inquire': 1.1.2
       '@protobufjs/path': 1.1.2
       '@protobufjs/pool': 1.1.0
-      '@protobufjs/utf8': 1.1.0
+      '@protobufjs/utf8': 1.1.1
       '@types/node': 20.14.14
-      long: 5.2.3
+      long: 5.3.2
 
   proxy-addr@2.0.7:
     dependencies:
       forwarded: 0.2.0
       ipaddr.js: 1.9.1
 
-  proxy-agent@6.5.0:
-    dependencies:
-      agent-base: 7.1.4
-      debug: 4.4.3(supports-color@10.0.0)
-      http-proxy-agent: 7.0.2
-      https-proxy-agent: 7.0.6
-      lru-cache: 7.18.3
-      pac-proxy-agent: 7.2.0
-      proxy-from-env: 1.1.0
-      socks-proxy-agent: 8.0.5
-    transitivePeerDependencies:
-      - supports-color
-
   proxy-from-env@1.1.0: {}
 
+  proxy-from-env@2.1.0: {}
+
   pseudomap@1.0.2: {}
 
   psl@1.9.0: {}
@@ -39213,6 +32897,12 @@ snapshots:
       end-of-stream: 1.4.4
       once: 1.4.0
 
+  pump@3.0.4:
+    dependencies:
+      end-of-stream: 1.4.5
+      once: 1.4.0
+    optional: true
+
   pumpify@1.5.1:
     dependencies:
       duplexify: 3.7.1
@@ -39223,21 +32913,6 @@ snapshots:
 
   punycode@2.2.0: {}
 
-  puppeteer-core@24.15.0(bufferutil@4.0.9):
-    dependencies:
-      '@puppeteer/browsers': 2.10.6
-      chromium-bidi: 7.2.0(devtools-protocol@0.0.1464554)
-      debug: 4.4.1
-      devtools-protocol: 0.0.1464554
-      typed-query-selector: 2.12.0
-      ws: 8.18.3(bufferutil@4.0.9)
-    transitivePeerDependencies:
-      - bare-abort-controller
-      - bare-buffer
-      - bufferutil
-      - supports-color
-      - utf-8-validate
-
   pure-rand@6.1.0: {}
 
   purgecss@2.3.0:
@@ -39251,7 +32926,7 @@ snapshots:
     dependencies:
       react: 18.2.0
 
-  qs@6.14.1:
+  qs@6.15.2:
     dependencies:
       side-channel: 1.1.0
 
@@ -39274,10 +32949,6 @@ snapshots:
     dependencies:
       seedrandom: 3.0.5
 
-  randombytes@2.1.0:
-    dependencies:
-      safe-buffer: 5.2.1
-
   range-parser@1.2.1: {}
 
   raw-body@2.5.2:
@@ -39303,7 +32974,7 @@ snapshots:
 
   rc9@2.1.2:
     dependencies:
-      defu: 6.1.4
+      defu: 6.1.7
       destr: 2.0.3
 
   rc@1.2.8:
@@ -39316,86 +32987,58 @@ snapshots:
   react-aria@3.31.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0):
     dependencies:
       '@internationalized/string': 3.2.0
-      '@react-aria/breadcrumbs': 3.5.9(react@18.2.0)
-      '@react-aria/button': 3.9.1(react@18.2.0)
+      '@react-aria/breadcrumbs': 3.5.9(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/button': 3.9.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/calendar': 3.5.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/checkbox': 3.13.0(react@18.2.0)
+      '@react-aria/checkbox': 3.13.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/combobox': 3.8.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/datepicker': 3.9.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/dialog': 3.5.10(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/dnd': 3.5.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/focus': 3.16.0(react@18.2.0)
+      '@react-aria/focus': 3.16.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/gridlist': 3.7.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/i18n': 3.10.0(react@18.2.0)
-      '@react-aria/interactions': 3.20.1(react@18.2.0)
-      '@react-aria/label': 3.7.4(react@18.2.0)
-      '@react-aria/link': 3.6.3(react@18.2.0)
+      '@react-aria/i18n': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/interactions': 3.20.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/label': 3.7.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/link': 3.6.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/listbox': 3.11.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/menu': 3.12.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/meter': 3.4.9(react@18.2.0)
+      '@react-aria/meter': 3.4.9(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/numberfield': 3.10.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/overlays': 3.20.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/progress': 3.4.9(react@18.2.0)
-      '@react-aria/radio': 3.10.0(react@18.2.0)
-      '@react-aria/searchfield': 3.7.1(react@18.2.0)
+      '@react-aria/progress': 3.4.9(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/radio': 3.10.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/searchfield': 3.7.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/select': 3.14.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/selection': 3.17.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/separator': 3.3.9(react@18.2.0)
-      '@react-aria/slider': 3.7.4(react@18.2.0)
+      '@react-aria/separator': 3.3.9(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/slider': 3.7.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/ssr': 3.9.1(react@18.2.0)
-      '@react-aria/switch': 3.6.0(react@18.2.0)
+      '@react-aria/switch': 3.6.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/table': 3.13.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/tabs': 3.8.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/tag': 3.3.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/textfield': 3.14.1(react@18.2.0)
-      '@react-aria/tooltip': 3.7.0(react@18.2.0)
+      '@react-aria/textfield': 3.14.1(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
+      '@react-aria/tooltip': 3.7.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-aria/utils': 3.23.0(react@18.2.0)
-      '@react-aria/visually-hidden': 3.8.8(react@18.2.0)
+      '@react-aria/visually-hidden': 3.8.8(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
       '@react-types/shared': 3.22.0(react@18.2.0)
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  react-aria@3.34.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0):
-    dependencies:
-      '@internationalized/string': 3.2.3
-      '@react-aria/breadcrumbs': 3.5.16(react@18.2.0)
-      '@react-aria/button': 3.9.8(react@18.2.0)
-      '@react-aria/calendar': 3.5.11(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/checkbox': 3.14.6(react@18.2.0)
-      '@react-aria/combobox': 3.10.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/datepicker': 3.11.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/dialog': 3.5.17(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/dnd': 3.7.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/focus': 3.18.2(react@18.2.0)
-      '@react-aria/gridlist': 3.9.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/i18n': 3.12.2(react@18.2.0)
-      '@react-aria/interactions': 3.22.2(react@18.2.0)
-      '@react-aria/label': 3.7.11(react@18.2.0)
-      '@react-aria/link': 3.7.4(react@18.2.0)
-      '@react-aria/listbox': 3.13.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/menu': 3.15.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/meter': 3.4.16(react@18.2.0)
-      '@react-aria/numberfield': 3.11.6(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/overlays': 3.23.2(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/progress': 3.4.16(react@18.2.0)
-      '@react-aria/radio': 3.10.7(react@18.2.0)
-      '@react-aria/searchfield': 3.7.8(react@18.2.0)
-      '@react-aria/select': 3.14.9(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/selection': 3.19.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/separator': 3.4.2(react@18.2.0)
-      '@react-aria/slider': 3.7.11(react@18.2.0)
-      '@react-aria/ssr': 3.9.5(react@18.2.0)
-      '@react-aria/switch': 3.6.7(react@18.2.0)
-      '@react-aria/table': 3.15.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/tabs': 3.9.5(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/tag': 3.4.5(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      '@react-aria/textfield': 3.14.8(react@18.2.0)
-      '@react-aria/tooltip': 3.7.7(react@18.2.0)
-      '@react-aria/utils': 3.25.2(react@18.2.0)
-      '@react-aria/visually-hidden': 3.8.15(react@18.2.0)
-      '@react-types/shared': 3.24.1(react@18.2.0)
+  react-aria@3.48.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0):
+    dependencies:
+      '@internationalized/date': 3.12.1
+      '@internationalized/number': 3.6.6
+      '@internationalized/string': 3.2.8
+      '@react-types/shared': 3.34.0(react@18.2.0)
+      '@swc/helpers': 0.5.15
+      aria-hidden: 1.2.4
+      clsx: 2.1.1
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
+      react-stately: 3.46.0(react@18.2.0)
+      use-sync-external-store: 1.6.0(react@18.2.0)
 
   react-collapse@5.1.1(react@18.2.0):
     dependencies:
@@ -39420,21 +33063,17 @@ snapshots:
       react: 18.3.1
       scheduler: 0.23.0
 
-  react-dom@19.0.0(react@19.0.0):
+  react-dom@18.2.0(react@19.1.0):
     dependencies:
-      react: 19.0.0
-      scheduler: 0.25.0
+      loose-envify: 1.4.0
+      react: 19.1.0
+      scheduler: 0.23.0
 
   react-dom@19.0.0-rc.1(react@19.0.0-rc.1):
     dependencies:
       react: 19.0.0-rc.1
       scheduler: 0.25.0-rc.1
 
-  react-dom@19.1.0(react@19.1.0):
-    dependencies:
-      react: 19.1.0
-      scheduler: 0.26.0
-
   react-draggable@4.5.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0):
     dependencies:
       clsx: 2.1.1
@@ -39442,64 +33081,36 @@ snapshots:
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  react-email@2.1.2(@opentelemetry/api@1.9.0)(@swc/helpers@0.5.15)(bufferutil@4.0.9)(eslint@8.31.0):
-    dependencies:
-      '@babel/parser': 7.24.1
-      '@radix-ui/colors': 1.0.1
-      '@radix-ui/react-collapsible': 1.0.3(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-popover': 1.0.7(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-slot': 1.0.2(@types/react@18.2.69)(react@18.3.1)
-      '@radix-ui/react-toggle-group': 1.0.4(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@radix-ui/react-tooltip': 1.0.6(@types/react-dom@18.2.7)(@types/react@18.2.69)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      '@react-email/components': 0.0.17(@types/react@18.2.69)(react@18.3.1)
-      '@react-email/render': 0.0.13
-      '@swc/core': 1.3.101(@swc/helpers@0.5.15)
-      '@types/react': 18.2.69
-      '@types/react-dom': 18.2.7
-      '@types/webpack': 5.28.5(@swc/core@1.3.101(@swc/helpers@0.5.15))(esbuild@0.19.11)
-      autoprefixer: 10.4.14(postcss@8.4.35)
-      babel-walk: 3.0.0
-      chalk: 4.1.2
-      chokidar: 3.5.3
-      clsx: 2.1.0
-      commander: 11.1.0
+  react-email@6.5.0(bufferutil@4.0.9)(react-dom@18.2.0(react@18.3.1))(react@18.3.1):
+    dependencies:
+      '@babel/parser': 7.27.0
+      '@babel/traverse': 7.27.0
+      '@react-email/render': 2.0.8(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
+      chokidar: 4.0.3
+      commander: 13.1.0
+      conf: 15.1.0
+      css-tree: 3.2.1
       debounce: 2.0.0
-      esbuild: 0.19.11
-      eslint-config-prettier: 9.0.0(eslint@8.31.0)
-      eslint-config-turbo: 1.10.12(eslint@8.31.0)
-      framer-motion: 10.17.4(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      glob: 10.3.4
-      log-symbols: 4.1.0
-      mime-types: 2.1.35
-      next: 14.1.0(@opentelemetry/api@1.9.0)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
+      esbuild: 0.28.0
+      glob: 13.0.6
+      jiti: 2.4.2
+      log-symbols: 7.0.1
+      marked: 15.0.12
+      mime-types: 3.0.2
       normalize-path: 3.0.0
-      ora: 5.4.1
-      postcss: 8.4.35
-      prism-react-renderer: 2.1.0(react@18.3.1)
+      nypm: 0.6.6
+      picospinner: 3.0.0
+      prismjs: 1.30.0
+      prompts: 2.4.2
       react: 18.3.1
       react-dom: 18.2.0(react@18.3.1)
-      shelljs: 0.8.5
-      socket.io: 4.7.3(bufferutil@4.0.9)
-      socket.io-client: 4.7.3(bufferutil@4.0.9)
-      sonner: 1.3.1(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      source-map-js: 1.0.2
-      stacktrace-parser: 0.1.10
-      tailwind-merge: 2.2.0
-      tailwindcss: 3.4.0
-      typescript: 5.5.4
+      socket.io: 4.8.3(bufferutil@4.0.9)
+      tailwindcss: 4.3.0
+      tsconfig-paths: 4.2.0
     transitivePeerDependencies:
-      - '@babel/core'
-      - '@opentelemetry/api'
-      - '@swc/helpers'
-      - babel-plugin-macros
       - bufferutil
-      - eslint
-      - sass
       - supports-color
-      - ts-node
-      - uglify-js
       - utf-8-validate
-      - webpack-cli
 
   react-fast-compare@3.2.2: {}
 
@@ -39543,42 +33154,6 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  react-markdown@10.1.0(@types/react@19.0.12)(react@19.0.0):
-    dependencies:
-      '@types/hast': 3.0.4
-      '@types/mdast': 4.0.4
-      '@types/react': 19.0.12
-      devlop: 1.1.0
-      hast-util-to-jsx-runtime: 2.3.6
-      html-url-attributes: 3.0.1
-      mdast-util-to-hast: 13.2.0
-      react: 19.0.0
-      remark-parse: 11.0.0
-      remark-rehype: 11.1.1
-      unified: 11.0.5
-      unist-util-visit: 5.0.0
-      vfile: 6.0.3
-    transitivePeerDependencies:
-      - supports-color
-
-  react-markdown@10.1.0(@types/react@19.0.12)(react@19.1.0):
-    dependencies:
-      '@types/hast': 3.0.4
-      '@types/mdast': 4.0.4
-      '@types/react': 19.0.12
-      devlop: 1.1.0
-      hast-util-to-jsx-runtime: 2.3.6
-      html-url-attributes: 3.0.1
-      mdast-util-to-hast: 13.2.0
-      react: 19.1.0
-      remark-parse: 11.0.0
-      remark-rehype: 11.1.1
-      unified: 11.0.5
-      unist-util-visit: 5.0.0
-      vfile: 6.0.3
-    transitivePeerDependencies:
-      - supports-color
-
   react-popper@2.3.0(@popperjs/core@2.11.8)(react-dom@18.2.0(react@18.2.0))(react@18.2.0):
     dependencies:
       '@popperjs/core': 2.11.8
@@ -39597,22 +33172,6 @@ snapshots:
     optionalDependencies:
       '@types/react': 18.2.69
 
-  react-remove-scroll-bar@2.3.8(@types/react@18.2.69)(react@18.3.1):
-    dependencies:
-      react: 18.3.1
-      react-style-singleton: 2.2.3(@types/react@18.2.69)(react@18.3.1)
-      tslib: 2.8.1
-    optionalDependencies:
-      '@types/react': 18.2.69
-
-  react-remove-scroll-bar@2.3.8(@types/react@18.3.1)(react@18.3.1):
-    dependencies:
-      react: 18.3.1
-      react-style-singleton: 2.2.3(@types/react@18.3.1)(react@18.3.1)
-      tslib: 2.8.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
   react-remove-scroll@2.5.5(@types/react@18.2.69)(react@18.2.0):
     dependencies:
       react: 18.2.0
@@ -39624,28 +33183,6 @@ snapshots:
     optionalDependencies:
       '@types/react': 18.2.69
 
-  react-remove-scroll@2.5.5(@types/react@18.2.69)(react@18.3.1):
-    dependencies:
-      react: 18.3.1
-      react-remove-scroll-bar: 2.3.8(@types/react@18.2.69)(react@18.3.1)
-      react-style-singleton: 2.2.3(@types/react@18.2.69)(react@18.3.1)
-      tslib: 2.8.1
-      use-callback-ref: 1.3.3(@types/react@18.2.69)(react@18.3.1)
-      use-sidecar: 1.1.3(@types/react@18.2.69)(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.2.69
-
-  react-remove-scroll@2.5.5(@types/react@18.3.1)(react@18.3.1):
-    dependencies:
-      react: 18.3.1
-      react-remove-scroll-bar: 2.3.8(@types/react@18.3.1)(react@18.3.1)
-      react-style-singleton: 2.2.3(@types/react@18.3.1)(react@18.3.1)
-      tslib: 2.8.1
-      use-callback-ref: 1.3.3(@types/react@18.3.1)(react@18.3.1)
-      use-sidecar: 1.1.3(@types/react@18.3.1)(react@18.3.1)
-    optionalDependencies:
-      '@types/react': 18.3.1
-
   react-resizable-panels@2.0.9(react-dom@18.2.0(react@18.2.0))(react@18.2.0):
     dependencies:
       react: 18.2.0
@@ -39658,16 +33195,16 @@ snapshots:
       react-dom: 18.2.0(react@18.2.0)
       react-draggable: 4.5.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
 
-  react-router-dom@6.17.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0):
+  react-router-dom@6.30.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0):
     dependencies:
-      '@remix-run/router': 1.10.0
+      '@remix-run/router': 1.23.2(patch_hash=f14fb2af2690628a0164b66d98e8d7cd6a0e8a4a30a51e53cfb1b6caeca6f7c9)
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
-      react-router: 6.17.0(react@18.2.0)
+      react-router: 6.30.3(react@18.2.0)
 
-  react-router@6.17.0(react@18.2.0):
+  react-router@6.30.3(react@18.2.0):
     dependencies:
-      '@remix-run/router': 1.10.0
+      '@remix-run/router': 1.23.2(patch_hash=f14fb2af2690628a0164b66d98e8d7cd6a0e8a4a30a51e53cfb1b6caeca6f7c9)
       react: 18.2.0
 
   react-smooth@4.0.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0):
@@ -39705,30 +33242,24 @@ snapshots:
       '@react-types/shared': 3.22.0(react@18.2.0)
       react: 18.2.0
 
-  react-style-singleton@2.2.3(@types/react@18.2.69)(react@18.2.0):
+  react-stately@3.46.0(react@18.2.0):
     dependencies:
-      get-nonce: 1.0.1
+      '@internationalized/date': 3.12.1
+      '@internationalized/number': 3.6.6
+      '@internationalized/string': 3.2.8
+      '@react-types/shared': 3.34.0(react@18.2.0)
+      '@swc/helpers': 0.5.15
       react: 18.2.0
-      tslib: 2.8.1
-    optionalDependencies:
-      '@types/react': 18.2.69
+      use-sync-external-store: 1.6.0(react@18.2.0)
 
-  react-style-singleton@2.2.3(@types/react@18.2.69)(react@18.3.1):
+  react-style-singleton@2.2.3(@types/react@18.2.69)(react@18.2.0):
     dependencies:
       get-nonce: 1.0.1
-      react: 18.3.1
+      react: 18.2.0
       tslib: 2.8.1
     optionalDependencies:
       '@types/react': 18.2.69
 
-  react-style-singleton@2.2.3(@types/react@18.3.1)(react@18.3.1):
-    dependencies:
-      get-nonce: 1.0.1
-      react: 18.3.1
-      tslib: 2.8.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
   react-transition-group@4.4.5(react-dom@18.2.0(react@18.2.0))(react@18.2.0):
     dependencies:
       '@babel/runtime': 7.28.4
@@ -39762,22 +33293,6 @@ snapshots:
       ts-easing: 0.2.0
       tslib: 2.8.1
 
-  react-window-splitter@0.4.1(@types/react@18.2.69)(react-dom@18.2.0(react@18.2.0))(react@18.2.0):
-    dependencies:
-      '@radix-ui/react-compose-refs': 1.1.0(@types/react@18.2.69)(react@18.2.0)
-      '@testing-library/jest-dom': 6.5.0
-      '@window-splitter/state': 0.4.1(patch_hash=da01382a3c0d3f4f66db5b09d6f0833cc21eaf8db00f97e2c1738797673b57c0)
-      '@xstate/react': 4.1.2(@types/react@18.2.69)(react@18.2.0)(xstate@5.18.1)
-      invariant: 2.2.4
-      react: 18.2.0
-      react-aria: 3.34.3(react-dom@18.2.0(react@18.2.0))(react@18.2.0)
-      react-dom: 18.2.0(react@18.2.0)
-      reforest: 0.13.0(@types/react@18.2.69)(react@18.2.0)
-      xstate: 5.18.1
-    transitivePeerDependencies:
-      - '@types/react'
-      - immer
-
   react@18.2.0:
     dependencies:
       loose-envify: 1.4.0
@@ -39786,8 +33301,6 @@ snapshots:
     dependencies:
       loose-envify: 1.4.0
 
-  react@19.0.0: {}
-
   react@19.0.0-rc.1: {}
 
   react@19.1.0: {}
@@ -39858,12 +33371,14 @@ snapshots:
 
   readdirp@3.6.0:
     dependencies:
-      picomatch: 2.3.1
+      picomatch: 2.3.2
 
   readdirp@4.1.2: {}
 
   real-require@0.2.0: {}
 
+  real-require@1.0.0: {}
+
   recharts-scale@0.4.5:
     dependencies:
       decimal.js-light: 2.5.1
@@ -39872,7 +33387,7 @@ snapshots:
     dependencies:
       clsx: 2.1.1
       eventemitter3: 4.0.7
-      lodash: 4.17.23
+      lodash: 4.18.1
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
       react-is: 18.3.1
@@ -39881,10 +33396,6 @@ snapshots:
       tiny-invariant: 1.3.1
       victory-vendor: 36.6.11
 
-  rechoir@0.6.2:
-    dependencies:
-      resolve: 1.22.8
-
   redent@3.0.0:
     dependencies:
       indent-string: 4.0.0
@@ -39905,15 +33416,6 @@ snapshots:
       css-unit-converter: 1.1.2
       postcss-value-parser: 3.3.1
 
-  reforest@0.13.0(@types/react@18.2.69)(react@18.2.0):
-    dependencies:
-      performant-array-to-tree: 1.11.0
-      react: 18.2.0
-      zustand: 4.5.5(@types/react@18.2.69)(react@18.2.0)
-    transitivePeerDependencies:
-      - '@types/react'
-      - immer
-
   regenerator-runtime@0.13.11: {}
 
   regenerator-runtime@0.14.1: {}
@@ -39924,7 +33426,7 @@ snapshots:
 
   regex-utilities@2.3.0: {}
 
-  regex@6.0.1:
+  regex@6.1.0:
     dependencies:
       regex-utilities: 2.3.0
 
@@ -39953,17 +33455,9 @@ snapshots:
 
   regression@2.0.1: {}
 
-  rehype-harden@1.1.5: {}
-
-  rehype-katex@7.0.1:
+  rehype-harden@1.1.8:
     dependencies:
-      '@types/hast': 3.0.4
-      '@types/katex': 0.16.7
-      hast-util-from-html-isomorphic: 2.0.0
-      hast-util-to-text: 4.0.2
-      katex: 0.16.25
-      unist-util-visit-parents: 6.0.1
-      vfile: 6.0.3
+      unist-util-visit: 5.0.0
 
   rehype-raw@7.0.0:
     dependencies:
@@ -39971,6 +33465,11 @@ snapshots:
       hast-util-raw: 9.1.0
       vfile: 6.0.3
 
+  rehype-sanitize@6.0.0:
+    dependencies:
+      '@types/hast': 3.0.4
+      hast-util-sanitize: 5.0.2
+
   remark-frontmatter@4.0.1:
     dependencies:
       '@types/mdast': 3.0.10
@@ -39989,15 +33488,6 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  remark-math@6.0.0:
-    dependencies:
-      '@types/mdast': 4.0.4
-      mdast-util-math: 3.0.0
-      micromark-extension-math: 3.1.0
-      unified: 11.0.5
-    transitivePeerDependencies:
-      - supports-color
-
   remark-mdx-frontmatter@1.1.1:
     dependencies:
       estree-util-is-identifier-name: 1.1.0
@@ -40044,61 +33534,71 @@ snapshots:
       unified: 11.0.5
       vfile: 6.0.3
 
+  remark-rehype@11.1.2:
+    dependencies:
+      '@types/hast': 3.0.4
+      '@types/mdast': 4.0.4
+      mdast-util-to-hast: 13.2.0
+      unified: 11.0.5
+      vfile: 6.0.3
+
   remark-stringify@11.0.0:
     dependencies:
       '@types/mdast': 4.0.4
       mdast-util-to-markdown: 2.1.2
       unified: 11.0.5
 
-  remix-auth-email-link@2.0.2(@remix-run/server-runtime@2.1.0(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4))):
+  remend@1.3.0: {}
+
+  remix-auth-email-link@2.0.2(@remix-run/server-runtime@2.17.4(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4))):
     dependencies:
-      '@remix-run/server-runtime': 2.1.0(typescript@5.5.4)
+      '@remix-run/server-runtime': 2.17.4(typescript@5.5.4)
       crypto-js: 4.1.1
-      remix-auth: 3.6.0(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4))
+      remix-auth: 3.6.0(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4))
 
-  remix-auth-github@1.6.0(@remix-run/server-runtime@2.1.0(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4))):
+  remix-auth-github@1.6.0(@remix-run/server-runtime@2.17.4(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4))):
     dependencies:
-      '@remix-run/server-runtime': 2.1.0(typescript@5.5.4)
-      remix-auth: 3.6.0(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4))
-      remix-auth-oauth2: 1.11.0(@remix-run/server-runtime@2.1.0(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4)))
+      '@remix-run/server-runtime': 2.17.4(typescript@5.5.4)
+      remix-auth: 3.6.0(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4))
+      remix-auth-oauth2: 1.11.0(@remix-run/server-runtime@2.17.4(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4)))
     transitivePeerDependencies:
       - supports-color
 
-  remix-auth-google@2.0.0(@remix-run/server-runtime@2.1.0(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4))):
+  remix-auth-google@2.0.0(@remix-run/server-runtime@2.17.4(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4))):
     dependencies:
-      '@remix-run/server-runtime': 2.1.0(typescript@5.5.4)
-      remix-auth: 3.6.0(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4))
-      remix-auth-oauth2: 1.11.0(@remix-run/server-runtime@2.1.0(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4)))
+      '@remix-run/server-runtime': 2.17.4(typescript@5.5.4)
+      remix-auth: 3.6.0(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4))
+      remix-auth-oauth2: 1.11.0(@remix-run/server-runtime@2.17.4(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4)))
     transitivePeerDependencies:
       - supports-color
 
-  remix-auth-oauth2@1.11.0(@remix-run/server-runtime@2.1.0(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4))):
+  remix-auth-oauth2@1.11.0(@remix-run/server-runtime@2.17.4(typescript@5.5.4))(remix-auth@3.6.0(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4))):
     dependencies:
-      '@remix-run/server-runtime': 2.1.0(typescript@5.5.4)
+      '@remix-run/server-runtime': 2.17.4(typescript@5.5.4)
       debug: 4.4.3(supports-color@10.0.0)
-      remix-auth: 3.6.0(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4))
+      remix-auth: 3.6.0(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4))
     transitivePeerDependencies:
       - supports-color
 
-  remix-auth@3.6.0(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4)):
+  remix-auth@3.6.0(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4)):
     dependencies:
-      '@remix-run/react': 2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
-      '@remix-run/server-runtime': 2.1.0(typescript@5.5.4)
+      '@remix-run/react': 2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
+      '@remix-run/server-runtime': 2.17.4(typescript@5.5.4)
       uuid: 8.3.2
 
-  remix-typedjson@0.3.1(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.1.0(typescript@5.5.4))(react@18.2.0):
+  remix-typedjson@0.3.1(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/server-runtime@2.17.4(typescript@5.5.4))(react@18.2.0):
     dependencies:
-      '@remix-run/react': 2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
-      '@remix-run/server-runtime': 2.1.0(typescript@5.5.4)
+      '@remix-run/react': 2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
+      '@remix-run/server-runtime': 2.17.4(typescript@5.5.4)
       react: 18.2.0
 
-  remix-utils@7.7.0(@remix-run/node@2.1.0(typescript@5.5.4))(@remix-run/react@2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/router@1.15.3)(crypto-js@4.2.0)(intl-parse-accept-language@1.0.0)(react@18.2.0)(zod@3.25.76):
+  remix-utils@7.7.0(@remix-run/node@2.17.4(typescript@5.5.4))(@remix-run/react@2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4))(@remix-run/router@1.23.2(patch_hash=f14fb2af2690628a0164b66d98e8d7cd6a0e8a4a30a51e53cfb1b6caeca6f7c9))(crypto-js@4.2.0)(intl-parse-accept-language@1.0.0)(react@18.2.0)(zod@3.25.76):
     dependencies:
       type-fest: 4.33.0
     optionalDependencies:
-      '@remix-run/node': 2.1.0(typescript@5.5.4)
-      '@remix-run/react': 2.1.0(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
-      '@remix-run/router': 1.15.3
+      '@remix-run/node': 2.17.4(typescript@5.5.4)
+      '@remix-run/react': 2.17.4(react-dom@18.2.0(react@18.2.0))(react@18.2.0)(typescript@5.5.4)
+      '@remix-run/router': 1.23.2(patch_hash=f14fb2af2690628a0164b66d98e8d7cd6a0e8a4a30a51e53cfb1b6caeca6f7c9)
       crypto-js: 4.2.0
       intl-parse-accept-language: 1.0.0
       react: 18.2.0
@@ -40106,10 +33606,6 @@ snapshots:
 
   remove-accents@0.5.0: {}
 
-  replicate@1.0.1:
-    optionalDependencies:
-      readable-stream: 4.7.0
-
   request@2.88.2:
     dependencies:
       aws-sign2: 0.7.0
@@ -40127,7 +33623,7 @@ snapshots:
       mime-types: 2.1.35
       oauth-sign: 0.9.0
       performance-now: 2.1.0
-      qs: 6.14.1
+      qs: 6.15.2
       safe-buffer: 5.2.1
       tough-cookie: 2.5.0
       tunnel-agent: 0.6.0
@@ -40137,14 +33633,21 @@ snapshots:
 
   require-from-string@2.0.2: {}
 
-  require-in-the-middle@7.1.1(supports-color@10.0.0):
+  require-in-the-middle@7.5.2:
     dependencies:
       debug: 4.4.3(supports-color@10.0.0)
-      module-details-from-path: 1.0.3
+      module-details-from-path: 1.0.4
       resolve: 1.22.8
     transitivePeerDependencies:
       - supports-color
 
+  require-in-the-middle@8.0.1(supports-color@10.0.0):
+    dependencies:
+      debug: 4.4.3(supports-color@10.0.0)
+      module-details-from-path: 1.0.4
+    transitivePeerDependencies:
+      - supports-color
+
   require-like@0.1.2: {}
 
   require-main-filename@2.0.0: {}
@@ -40209,50 +33712,46 @@ snapshots:
     dependencies:
       glob: 7.2.3
 
-  rimraf@4.4.1:
-    dependencies:
-      glob: 9.3.5
-
-  rimraf@5.0.7:
-    dependencies:
-      glob: 10.3.10
-
   rimraf@6.0.1:
     dependencies:
       glob: 11.0.0
       package-json-from-dist: 1.0.0
 
-  robot3@0.4.1: {}
-
   robust-predicates@3.0.2: {}
 
   rollup@3.29.1:
     optionalDependencies:
       fsevents: 2.3.3
 
-  rollup@4.36.0:
+  rollup@4.60.1:
     dependencies:
-      '@types/estree': 1.0.6
+      '@types/estree': 1.0.8
     optionalDependencies:
-      '@rollup/rollup-android-arm-eabi': 4.36.0
-      '@rollup/rollup-android-arm64': 4.36.0
-      '@rollup/rollup-darwin-arm64': 4.36.0
-      '@rollup/rollup-darwin-x64': 4.36.0
-      '@rollup/rollup-freebsd-arm64': 4.36.0
-      '@rollup/rollup-freebsd-x64': 4.36.0
-      '@rollup/rollup-linux-arm-gnueabihf': 4.36.0
-      '@rollup/rollup-linux-arm-musleabihf': 4.36.0
-      '@rollup/rollup-linux-arm64-gnu': 4.36.0
-      '@rollup/rollup-linux-arm64-musl': 4.36.0
-      '@rollup/rollup-linux-loongarch64-gnu': 4.36.0
-      '@rollup/rollup-linux-powerpc64le-gnu': 4.36.0
-      '@rollup/rollup-linux-riscv64-gnu': 4.36.0
-      '@rollup/rollup-linux-s390x-gnu': 4.36.0
-      '@rollup/rollup-linux-x64-gnu': 4.36.0
-      '@rollup/rollup-linux-x64-musl': 4.36.0
-      '@rollup/rollup-win32-arm64-msvc': 4.36.0
-      '@rollup/rollup-win32-ia32-msvc': 4.36.0
-      '@rollup/rollup-win32-x64-msvc': 4.36.0
+      '@rollup/rollup-android-arm-eabi': 4.60.1
+      '@rollup/rollup-android-arm64': 4.60.1
+      '@rollup/rollup-darwin-arm64': 4.60.1
+      '@rollup/rollup-darwin-x64': 4.60.1
+      '@rollup/rollup-freebsd-arm64': 4.60.1
+      '@rollup/rollup-freebsd-x64': 4.60.1
+      '@rollup/rollup-linux-arm-gnueabihf': 4.60.1
+      '@rollup/rollup-linux-arm-musleabihf': 4.60.1
+      '@rollup/rollup-linux-arm64-gnu': 4.60.1
+      '@rollup/rollup-linux-arm64-musl': 4.60.1
+      '@rollup/rollup-linux-loong64-gnu': 4.60.1
+      '@rollup/rollup-linux-loong64-musl': 4.60.1
+      '@rollup/rollup-linux-ppc64-gnu': 4.60.1
+      '@rollup/rollup-linux-ppc64-musl': 4.60.1
+      '@rollup/rollup-linux-riscv64-gnu': 4.60.1
+      '@rollup/rollup-linux-riscv64-musl': 4.60.1
+      '@rollup/rollup-linux-s390x-gnu': 4.60.1
+      '@rollup/rollup-linux-x64-gnu': 4.60.1
+      '@rollup/rollup-linux-x64-musl': 4.60.1
+      '@rollup/rollup-openbsd-x64': 4.60.1
+      '@rollup/rollup-openharmony-arm64': 4.60.1
+      '@rollup/rollup-win32-arm64-msvc': 4.60.1
+      '@rollup/rollup-win32-ia32-msvc': 4.60.1
+      '@rollup/rollup-win32-x64-gnu': 4.60.1
+      '@rollup/rollup-win32-x64-msvc': 4.60.1
       fsevents: 2.3.3
 
   roughjs@4.6.6:
@@ -40340,24 +33839,14 @@ snapshots:
     dependencies:
       loose-envify: 1.4.0
 
-  scheduler@0.25.0: {}
-
   scheduler@0.25.0-rc.1: {}
 
-  scheduler@0.26.0: {}
-
-  schema-utils@3.3.0:
-    dependencies:
-      '@types/json-schema': 7.0.15
-      ajv: 6.12.6
-      ajv-keywords: 3.5.2(ajv@6.12.6)
-
   schema-utils@4.3.3:
     dependencies:
       '@types/json-schema': 7.0.15
-      ajv: 8.17.1
-      ajv-formats: 2.1.1(ajv@8.17.1)
-      ajv-keywords: 5.1.0(ajv@8.17.1)
+      ajv: 8.20.0
+      ajv-formats: 2.1.1(ajv@8.20.0)
+      ajv-keywords: 5.1.0(ajv@8.20.0)
 
   screenfull@5.2.0: {}
 
@@ -40376,16 +33865,16 @@ snapshots:
       '@types/semver': 6.2.3
       semver: 6.3.1
 
-  semver@5.7.1: {}
+  semver@5.7.2: {}
 
   semver@6.3.1: {}
 
   semver@7.6.3: {}
 
-  semver@7.7.2: {}
-
   semver@7.7.3: {}
 
+  semver@7.8.1: {}
+
   send@0.18.0:
     dependencies:
       debug: 2.6.9
@@ -40430,12 +33919,12 @@ snapshots:
       escape-html: 1.0.3
       etag: 1.8.1
       fresh: 0.5.2
-      http-errors: 2.0.0
+      http-errors: 2.0.1
       mime-types: 2.1.35
       ms: 2.1.3
       on-finished: 2.4.1
       range-parser: 1.2.1
-      statuses: 2.0.1
+      statuses: 2.0.2
     transitivePeerDependencies:
       - supports-color
 
@@ -40455,14 +33944,6 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  serialize-javascript@6.0.1:
-    dependencies:
-      randombytes: 2.1.0
-
-  serialize-javascript@6.0.2:
-    dependencies:
-      randombytes: 2.1.0
-
   serve-static@1.16.0:
     dependencies:
       encodeurl: 1.0.2
@@ -40514,65 +33995,6 @@ snapshots:
 
   setprototypeof@1.2.0: {}
 
-  sharp@0.33.5:
-    dependencies:
-      color: 4.2.3
-      detect-libc: 2.1.2
-      semver: 7.7.3
-    optionalDependencies:
-      '@img/sharp-darwin-arm64': 0.33.5
-      '@img/sharp-darwin-x64': 0.33.5
-      '@img/sharp-libvips-darwin-arm64': 1.0.4
-      '@img/sharp-libvips-darwin-x64': 1.0.4
-      '@img/sharp-libvips-linux-arm': 1.0.5
-      '@img/sharp-libvips-linux-arm64': 1.0.4
-      '@img/sharp-libvips-linux-s390x': 1.0.4
-      '@img/sharp-libvips-linux-x64': 1.0.4
-      '@img/sharp-libvips-linuxmusl-arm64': 1.0.4
-      '@img/sharp-libvips-linuxmusl-x64': 1.0.4
-      '@img/sharp-linux-arm': 0.33.5
-      '@img/sharp-linux-arm64': 0.33.5
-      '@img/sharp-linux-s390x': 0.33.5
-      '@img/sharp-linux-x64': 0.33.5
-      '@img/sharp-linuxmusl-arm64': 0.33.5
-      '@img/sharp-linuxmusl-x64': 0.33.5
-      '@img/sharp-wasm32': 0.33.5
-      '@img/sharp-win32-ia32': 0.33.5
-      '@img/sharp-win32-x64': 0.33.5
-    optional: true
-
-  sharp@0.34.5:
-    dependencies:
-      '@img/colour': 1.0.0
-      detect-libc: 2.1.2
-      semver: 7.7.3
-    optionalDependencies:
-      '@img/sharp-darwin-arm64': 0.34.5
-      '@img/sharp-darwin-x64': 0.34.5
-      '@img/sharp-libvips-darwin-arm64': 1.2.4
-      '@img/sharp-libvips-darwin-x64': 1.2.4
-      '@img/sharp-libvips-linux-arm': 1.2.4
-      '@img/sharp-libvips-linux-arm64': 1.2.4
-      '@img/sharp-libvips-linux-ppc64': 1.2.4
-      '@img/sharp-libvips-linux-riscv64': 1.2.4
-      '@img/sharp-libvips-linux-s390x': 1.2.4
-      '@img/sharp-libvips-linux-x64': 1.2.4
-      '@img/sharp-libvips-linuxmusl-arm64': 1.2.4
-      '@img/sharp-libvips-linuxmusl-x64': 1.2.4
-      '@img/sharp-linux-arm': 0.34.5
-      '@img/sharp-linux-arm64': 0.34.5
-      '@img/sharp-linux-ppc64': 0.34.5
-      '@img/sharp-linux-riscv64': 0.34.5
-      '@img/sharp-linux-s390x': 0.34.5
-      '@img/sharp-linux-x64': 0.34.5
-      '@img/sharp-linuxmusl-arm64': 0.34.5
-      '@img/sharp-linuxmusl-x64': 0.34.5
-      '@img/sharp-wasm32': 0.34.5
-      '@img/sharp-win32-arm64': 0.34.5
-      '@img/sharp-win32-ia32': 0.34.5
-      '@img/sharp-win32-x64': 0.34.5
-    optional: true
-
   shebang-command@1.2.0:
     dependencies:
       shebang-regex: 1.0.0
@@ -40585,22 +34007,16 @@ snapshots:
 
   shebang-regex@3.0.0: {}
 
-  shell-quote@1.8.1: {}
-
-  shelljs@0.8.5:
-    dependencies:
-      glob: 7.2.3
-      interpret: 1.4.0
-      rechoir: 0.6.2
+  shell-quote@1.8.4: {}
 
-  shiki@3.13.0:
+  shiki@3.23.0:
     dependencies:
-      '@shikijs/core': 3.13.0
-      '@shikijs/engine-javascript': 3.13.0
-      '@shikijs/engine-oniguruma': 3.13.0
-      '@shikijs/langs': 3.13.0
-      '@shikijs/themes': 3.13.0
-      '@shikijs/types': 3.13.0
+      '@shikijs/core': 3.23.0
+      '@shikijs/engine-javascript': 3.23.0
+      '@shikijs/engine-oniguruma': 3.23.0
+      '@shikijs/langs': 3.23.0
+      '@shikijs/themes': 3.23.0
+      '@shikijs/types': 3.23.0
       '@shikijs/vscode-textmate': 10.0.2
       '@types/hast': 3.0.4
 
@@ -40640,13 +34056,15 @@ snapshots:
 
   signal-exit@4.1.0: {}
 
-  simple-concat@1.0.1: {}
+  simple-concat@1.0.1:
+    optional: true
 
   simple-get@4.0.1:
     dependencies:
       decompress-response: 6.0.0
       once: 1.4.0
       simple-concat: 1.0.1
+    optional: true
 
   simple-oauth2@5.0.0:
     dependencies:
@@ -40663,12 +34081,6 @@ snapshots:
 
   simplur@3.0.1: {}
 
-  sirv@2.0.4:
-    dependencies:
-      '@polka/url': 1.0.0-next.28
-      mrmime: 2.0.0
-      totalist: 3.0.1
-
   sisteransi@1.0.5: {}
 
   skin-tone@2.0.0:
@@ -40687,8 +34099,6 @@ snapshots:
 
   slug@6.1.0: {}
 
-  smart-buffer@4.2.0: {}
-
   smartwrap@2.0.2:
     dependencies:
       array.prototype.flat: 1.3.1
@@ -40707,36 +34117,25 @@ snapshots:
       - supports-color
       - utf-8-validate
 
-  socket.io-client@4.7.3(bufferutil@4.0.9):
-    dependencies:
-      '@socket.io/component-emitter': 3.1.0
-      debug: 4.3.7(supports-color@10.0.0)
-      engine.io-client: 6.5.3(bufferutil@4.0.9)(supports-color@10.0.0)
-      socket.io-parser: 4.2.4(supports-color@10.0.0)
-    transitivePeerDependencies:
-      - bufferutil
-      - supports-color
-      - utf-8-validate
-
   socket.io-client@4.7.5(bufferutil@4.0.9)(supports-color@10.0.0):
     dependencies:
       '@socket.io/component-emitter': 3.1.0
       debug: 4.3.7(supports-color@10.0.0)
       engine.io-client: 6.5.3(bufferutil@4.0.9)(supports-color@10.0.0)
-      socket.io-parser: 4.2.4(supports-color@10.0.0)
+      socket.io-parser: 4.2.6(supports-color@10.0.0)
     transitivePeerDependencies:
       - bufferutil
       - supports-color
       - utf-8-validate
 
-  socket.io-parser@4.2.4(supports-color@10.0.0):
+  socket.io-parser@4.2.6(supports-color@10.0.0):
     dependencies:
       '@socket.io/component-emitter': 3.1.0
-      debug: 4.3.7(supports-color@10.0.0)
+      debug: 4.4.3(supports-color@10.0.0)
     transitivePeerDependencies:
       - supports-color
 
-  socket.io@4.7.3(bufferutil@4.0.9):
+  socket.io@4.7.4(bufferutil@4.0.9):
     dependencies:
       accepts: 1.3.8
       base64id: 2.0.0
@@ -40744,39 +34143,26 @@ snapshots:
       debug: 4.3.7(supports-color@10.0.0)
       engine.io: 6.5.4(bufferutil@4.0.9)
       socket.io-adapter: 2.5.4(bufferutil@4.0.9)
-      socket.io-parser: 4.2.4(supports-color@10.0.0)
+      socket.io-parser: 4.2.6(supports-color@10.0.0)
     transitivePeerDependencies:
       - bufferutil
       - supports-color
       - utf-8-validate
 
-  socket.io@4.7.4(bufferutil@4.0.9):
+  socket.io@4.8.3(bufferutil@4.0.9):
     dependencies:
       accepts: 1.3.8
       base64id: 2.0.0
       cors: 2.8.5
-      debug: 4.3.7(supports-color@10.0.0)
-      engine.io: 6.5.4(bufferutil@4.0.9)
+      debug: 4.4.3(supports-color@10.0.0)
+      engine.io: 6.6.8(bufferutil@4.0.9)
       socket.io-adapter: 2.5.4(bufferutil@4.0.9)
-      socket.io-parser: 4.2.4(supports-color@10.0.0)
+      socket.io-parser: 4.2.6(supports-color@10.0.0)
     transitivePeerDependencies:
       - bufferutil
       - supports-color
       - utf-8-validate
 
-  socks-proxy-agent@8.0.5:
-    dependencies:
-      agent-base: 7.1.4
-      debug: 4.4.3(supports-color@10.0.0)
-      socks: 2.8.3
-    transitivePeerDependencies:
-      - supports-color
-
-  socks@2.8.3:
-    dependencies:
-      ip-address: 9.0.5
-      smart-buffer: 4.2.0
-
   sonic-boom@4.2.0:
     dependencies:
       atomic-sleep: 1.0.0
@@ -40786,13 +34172,6 @@ snapshots:
       react: 18.2.0
       react-dom: 18.2.0(react@18.2.0)
 
-  sonner@1.3.1(react-dom@18.2.0(react@18.3.1))(react@18.3.1):
-    dependencies:
-      react: 18.3.1
-      react-dom: 18.2.0(react@18.3.1)
-
-  source-map-js@1.0.2: {}
-
   source-map-js@1.2.0: {}
 
   source-map-js@1.2.1: {}
@@ -40841,10 +34220,6 @@ snapshots:
 
   sprintf-js@1.1.2: {}
 
-  sprintf-js@1.1.3: {}
-
-  sqids@0.3.0: {}
-
   sql-formatter@15.6.12:
     dependencies:
       argparse: 2.0.1
@@ -40905,10 +34280,6 @@ snapshots:
       stack-generator: 2.0.10
       stacktrace-gps: 3.1.2
 
-  stacktrace-parser@0.1.10:
-    dependencies:
-      type-fest: 0.7.1
-
   standard-as-callback@2.1.0: {}
 
   statuses@2.0.1: {}
@@ -40921,6 +34292,8 @@ snapshots:
 
   std-env@3.9.0: {}
 
+  std-env@4.1.0: {}
+
   stream-buffers@3.0.2: {}
 
   stream-shift@1.0.3: {}
@@ -40931,44 +34304,27 @@ snapshots:
     dependencies:
       mixme: 0.5.4
 
-  streamdown@1.4.0(@types/react@18.2.69)(react@18.2.0):
+  streamdown@2.5.0(patch_hash=36211d09153a59c880b6a2bce2a0a0f011c99c73c20c8ceca78cc77e47623f06)(react-dom@18.2.0(react@18.2.0))(react@18.2.0):
     dependencies:
       clsx: 2.1.1
-      katex: 0.16.25
-      lucide-react: 0.542.0(react@18.2.0)
-      marked: 16.4.1
-      mermaid: 11.12.0
+      hast-util-to-jsx-runtime: 2.3.6
+      html-url-attributes: 3.0.1
+      marked: 17.0.6
+      mermaid: 11.14.0
       react: 18.2.0
-      react-markdown: 10.1.0(@types/react@18.2.69)(react@18.2.0)
-      rehype-harden: 1.1.5
-      rehype-katex: 7.0.1
-      rehype-raw: 7.0.0
-      remark-gfm: 4.0.1
-      remark-math: 6.0.0
-      shiki: 3.13.0
-      tailwind-merge: 3.3.1
-    transitivePeerDependencies:
-      - '@types/react'
-      - supports-color
-
-  streamdown@1.4.0(@types/react@19.0.12)(react@19.1.0):
-    dependencies:
-      clsx: 2.1.1
-      katex: 0.16.25
-      lucide-react: 0.542.0(react@19.1.0)
-      marked: 16.4.1
-      mermaid: 11.12.0
-      react: 19.1.0
-      react-markdown: 10.1.0(@types/react@19.0.12)(react@19.1.0)
-      rehype-harden: 1.1.5
-      rehype-katex: 7.0.1
+      react-dom: 18.2.0(react@18.2.0)
+      rehype-harden: 1.1.8
       rehype-raw: 7.0.0
+      rehype-sanitize: 6.0.0
       remark-gfm: 4.0.1
-      remark-math: 6.0.0
-      shiki: 3.13.0
-      tailwind-merge: 3.3.1
+      remark-parse: 11.0.0
+      remark-rehype: 11.1.2
+      remend: 1.3.0
+      tailwind-merge: 3.5.0
+      unified: 11.0.5
+      unist-util-visit: 5.0.0
+      unist-util-visit-parents: 6.0.1
     transitivePeerDependencies:
-      - '@types/react'
       - supports-color
 
   streamsearch@1.1.0: {}
@@ -41000,11 +34356,11 @@ snapshots:
     dependencies:
       call-bind: 1.0.8
       define-properties: 1.2.1
-      es-abstract: 1.21.1
+      es-abstract: 1.23.3
       get-intrinsic: 1.3.0
       has-symbols: 1.1.0
-      internal-slot: 1.0.4
-      regexp.prototype.flags: 1.4.3
+      internal-slot: 1.0.7
+      regexp.prototype.flags: 1.5.2
       side-channel: 1.1.0
 
   string.prototype.padend@3.1.4:
@@ -41024,7 +34380,7 @@ snapshots:
     dependencies:
       call-bind: 1.0.8
       define-properties: 1.2.1
-      es-abstract: 1.21.1
+      es-abstract: 1.23.3
 
   string.prototype.trimend@1.0.8:
     dependencies:
@@ -41036,7 +34392,7 @@ snapshots:
     dependencies:
       call-bind: 1.0.8
       define-properties: 1.2.1
-      es-abstract: 1.21.1
+      es-abstract: 1.23.3
 
   string.prototype.trimstart@1.0.8:
     dependencies:
@@ -41083,13 +34439,19 @@ snapshots:
 
   strnum@1.0.5: {}
 
-  strnum@2.1.1: {}
+  strnum@2.2.3: {}
 
   strtok3@9.1.1:
     dependencies:
       '@tokenizer/token': 0.3.0
       peek-readable: 5.4.2
 
+  stubborn-fs@2.0.0:
+    dependencies:
+      stubborn-utils: 1.0.2
+
+  stubborn-utils@1.0.2: {}
+
   style-loader@3.3.4(webpack@5.102.1(@swc/core@1.3.26)(esbuild@0.15.18)):
     dependencies:
       webpack: 5.102.1(@swc/core@1.3.26)(esbuild@0.15.18)
@@ -41108,21 +34470,6 @@ snapshots:
     dependencies:
       inline-style-parser: 0.2.4
 
-  styled-jsx@5.1.1(react@18.3.1):
-    dependencies:
-      client-only: 0.0.1
-      react: 18.3.1
-
-  styled-jsx@5.1.6(react@19.0.0):
-    dependencies:
-      client-only: 0.0.1
-      react: 19.0.0
-
-  styled-jsx@5.1.6(react@19.1.0):
-    dependencies:
-      client-only: 0.0.1
-      react: 19.1.0
-
   stylis@4.3.0: {}
 
   stylis@4.3.6: {}
@@ -41147,7 +34494,7 @@ snapshots:
       formidable: 3.5.1
       methods: 1.1.2
       mime: 2.6.0
-      qs: 6.14.1
+      qs: 6.15.2
     transitivePeerDependencies:
       - supports-color
 
@@ -41195,17 +34542,11 @@ snapshots:
       react: 18.2.0
       use-sync-external-store: 1.2.2(react@18.2.0)
 
-  swr@2.2.5(react@18.3.1):
+  swr@2.2.5(react@19.1.0):
     dependencies:
       client-only: 0.0.1
-      react: 18.3.1
-      use-sync-external-store: 1.2.2(react@18.3.1)
-
-  swr@2.2.5(react@19.0.0):
-    dependencies:
-      client-only: 0.0.1
-      react: 19.0.0
-      use-sync-external-store: 1.2.2(react@19.0.0)
+      react: 19.1.0
+      use-sync-external-store: 1.2.2(react@19.1.0)
 
   sync-content@2.0.1:
     dependencies:
@@ -41220,29 +34561,21 @@ snapshots:
       '@pkgr/utils': 2.3.1
       tslib: 2.8.1
 
-  systeminformation@5.27.14: {}
+  systeminformation@5.31.7: {}
 
   table@6.9.0:
     dependencies:
-      ajv: 8.17.1
+      ajv: 8.18.0
       lodash.truncate: 4.4.2
       slice-ansi: 4.0.0
       string-width: 4.2.3
       strip-ansi: 6.0.1
 
-  tailwind-merge@1.12.0: {}
-
-  tailwind-merge@2.2.0:
-    dependencies:
-      '@babel/runtime': 7.28.4
+  tagged-tag@1.0.0: {}
 
-  tailwind-merge@2.5.3: {}
-
-  tailwind-merge@3.0.2: {}
-
-  tailwind-merge@3.1.0: {}
+  tailwind-merge@1.12.0: {}
 
-  tailwind-merge@3.3.1: {}
+  tailwind-merge@3.5.0: {}
 
   tailwind-scrollbar-hide@1.1.7: {}
 
@@ -41254,10 +34587,6 @@ snapshots:
     dependencies:
       tailwindcss: 3.4.1
 
-  tailwindcss-animate@1.0.7(tailwindcss@3.4.1):
-    dependencies:
-      tailwindcss: 3.4.1
-
   tailwindcss-textshadow@2.1.3:
     dependencies:
       tailwindcss: 1.9.6
@@ -41273,7 +34602,7 @@ snapshots:
       detective: 5.2.1
       fs-extra: 8.1.0
       html-tags: 3.3.1
-      lodash: 4.17.23
+      lodash: 4.18.1
       node-emoji: 1.11.0
       normalize.css: 8.0.1
       object-hash: 2.2.0
@@ -41287,33 +34616,6 @@ snapshots:
       reduce-css-calc: 2.1.8
       resolve: 1.22.8
 
-  tailwindcss@3.4.0:
-    dependencies:
-      '@alloc/quick-lru': 5.2.0
-      arg: 5.0.2
-      chokidar: 3.6.0
-      didyoumean: 1.2.2
-      dlv: 1.1.3
-      fast-glob: 3.3.3
-      glob-parent: 6.0.2
-      is-glob: 4.0.3
-      jiti: 1.21.6
-      lilconfig: 2.1.0
-      micromatch: 4.0.8
-      normalize-path: 3.0.0
-      object-hash: 3.0.0
-      picocolors: 1.1.1
-      postcss: 8.5.6
-      postcss-import: 15.1.0(postcss@8.5.6)
-      postcss-js: 4.0.1(postcss@8.5.6)
-      postcss-load-config: 4.0.2(postcss@8.5.6)
-      postcss-nested: 6.2.0(postcss@8.5.6)
-      postcss-selector-parser: 6.1.2
-      resolve: 1.22.8
-      sucrase: 3.35.0
-    transitivePeerDependencies:
-      - ts-node
-
   tailwindcss@3.4.1:
     dependencies:
       '@alloc/quick-lru': 5.2.0
@@ -41330,23 +34632,23 @@ snapshots:
       normalize-path: 3.0.0
       object-hash: 3.0.0
       picocolors: 1.1.1
-      postcss: 8.5.4
-      postcss-import: 15.1.0(postcss@8.5.4)
-      postcss-js: 4.0.1(postcss@8.5.4)
-      postcss-load-config: 4.0.2(postcss@8.5.4)
-      postcss-nested: 6.2.0(postcss@8.5.4)
+      postcss: 8.5.10
+      postcss-import: 15.1.0(postcss@8.5.10)
+      postcss-js: 4.0.1(postcss@8.5.10)
+      postcss-load-config: 4.0.2(postcss@8.5.10)
+      postcss-nested: 6.2.0(postcss@8.5.10)
       postcss-selector-parser: 6.1.2
       resolve: 1.22.8
       sucrase: 3.35.0
     transitivePeerDependencies:
       - ts-node
 
-  tailwindcss@4.0.17: {}
-
-  tapable@2.2.1: {}
+  tailwindcss@4.3.0: {}
 
   tapable@2.3.0: {}
 
+  tapable@2.3.3: {}
+
   tar-fs@2.1.3:
     dependencies:
       chownr: 1.1.4
@@ -41354,18 +34656,14 @@ snapshots:
       pump: 3.0.2
       tar-stream: 2.2.0
 
-  tar-fs@3.0.9:
+  tar-fs@2.1.4:
     dependencies:
+      chownr: 1.1.4
+      mkdirp-classic: 0.5.3
       pump: 3.0.2
-      tar-stream: 3.1.7
-    optionalDependencies:
-      bare-fs: 4.5.1
-      bare-path: 3.0.0
-    transitivePeerDependencies:
-      - bare-abort-controller
-      - bare-buffer
+      tar-stream: 2.2.0
 
-  tar-fs@3.1.0:
+  tar-fs@3.1.2:
     dependencies:
       pump: 3.0.2
       tar-stream: 3.1.7
@@ -41410,16 +34708,7 @@ snapshots:
       mkdirp: 1.0.4
       yallist: 4.0.0
 
-  tar@7.4.3:
-    dependencies:
-      '@isaacs/fs-minipass': 4.0.1
-      chownr: 3.0.0
-      minipass: 7.1.2
-      minizlib: 3.0.1
-      mkdirp: 3.0.1
-      yallist: 5.0.0
-
-  tar@7.5.6:
+  tar@7.5.13:
     dependencies:
       '@isaacs/fs-minipass': 4.0.1
       chownr: 3.0.0
@@ -41433,60 +34722,41 @@ snapshots:
 
   term-size@2.2.1: {}
 
-  terser-webpack-plugin@5.3.14(@swc/core@1.3.26)(esbuild@0.15.18)(webpack@5.102.1(@swc/core@1.3.26)(esbuild@0.15.18)):
+  terser-webpack-plugin@5.4.0(@swc/core@1.3.26)(esbuild@0.15.18)(webpack@5.102.1(@swc/core@1.3.26)(esbuild@0.15.18)):
     dependencies:
       '@jridgewell/trace-mapping': 0.3.31
       jest-worker: 27.5.1
       schema-utils: 4.3.3
-      serialize-javascript: 6.0.2
-      terser: 5.44.1
+      terser: 5.46.1
       webpack: 5.102.1(@swc/core@1.3.26)(esbuild@0.15.18)
     optionalDependencies:
       '@swc/core': 1.3.26
       esbuild: 0.15.18
 
-  terser-webpack-plugin@5.3.7(@swc/core@1.3.101(@swc/helpers@0.5.15))(esbuild@0.19.11)(webpack@5.88.2):
-    dependencies:
-      '@jridgewell/trace-mapping': 0.3.25
-      jest-worker: 27.5.1
-      schema-utils: 3.3.0
-      serialize-javascript: 6.0.1
-      terser: 5.44.1
-      webpack: 5.88.2(@swc/core@1.3.101(@swc/helpers@0.5.15))(esbuild@0.19.11)
-    optionalDependencies:
-      '@swc/core': 1.3.101(@swc/helpers@0.5.15)
-      esbuild: 0.19.11
-
-  terser@5.44.1:
+  terser@5.46.1:
     dependencies:
-      '@jridgewell/source-map': 0.3.3
-      acorn: 8.15.0
+      '@jridgewell/source-map': 0.3.11
+      acorn: 8.16.0
       commander: 2.20.3
       source-map-support: 0.5.21
 
-  test-exclude@7.0.1:
-    dependencies:
-      '@istanbuljs/schema': 0.1.3
-      glob: 10.4.5
-      minimatch: 9.0.5
-
-  testcontainers@10.28.0:
+  testcontainers@11.14.0:
     dependencies:
       '@balena/dockerignore': 1.0.2
-      '@types/dockerode': 3.3.35
+      '@types/dockerode': 4.0.1
       archiver: 7.0.1
       async-lock: 1.4.1
       byline: 5.0.0
-      debug: 4.4.0
-      docker-compose: 0.24.8
-      dockerode: 4.0.6
-      get-port: 7.1.0
+      debug: 4.4.3(supports-color@10.0.0)
+      docker-compose: 1.4.2
+      dockerode: 4.0.10
+      get-port: 7.2.0
       proper-lockfile: 4.1.2
-      properties-reader: 2.3.0
+      properties-reader: 3.0.1
       ssh-remote-port-forward: 1.0.4
-      tar-fs: 3.0.9
-      tmp: 0.2.3
-      undici: 5.29.0
+      tar-fs: 3.1.2
+      tmp: 0.2.5
+      undici: 7.24.6
     transitivePeerDependencies:
       - bare-abort-controller
       - bare-buffer
@@ -41506,9 +34776,9 @@ snapshots:
     dependencies:
       any-promise: 1.3.0
 
-  thread-stream@3.1.0:
+  thread-stream@4.2.0:
     dependencies:
-      real-require: 0.2.0
+      real-require: 1.0.0
 
   throttle-debounce@3.0.1: {}
 
@@ -41540,38 +34810,34 @@ snapshots:
 
   tinyexec@1.0.1: {}
 
+  tinyexec@1.2.3: {}
+
   tinyglobby@0.2.10:
     dependencies:
-      fdir: 6.4.3(picomatch@4.0.2)
-      picomatch: 4.0.2
+      fdir: 6.4.3(picomatch@4.0.4)
+      picomatch: 4.0.4
 
-  tinyglobby@0.2.12:
+  tinyglobby@0.2.13:
     dependencies:
-      fdir: 6.4.4(picomatch@4.0.2)
-      picomatch: 4.0.2
+      fdir: 6.4.4(picomatch@4.0.4)
+      picomatch: 4.0.4
 
-  tinyglobby@0.2.13:
+  tinyglobby@0.2.16:
     dependencies:
-      fdir: 6.4.4(picomatch@4.0.2)
-      picomatch: 4.0.2
+      fdir: 6.5.0(picomatch@4.0.4)
+      picomatch: 4.0.4
 
   tinyglobby@0.2.2:
     dependencies:
-      fdir: 6.2.0(picomatch@4.0.2)
-      picomatch: 4.0.2
+      fdir: 6.2.0(picomatch@4.0.4)
+      picomatch: 4.0.4
 
   tinygradient@1.1.5:
     dependencies:
       '@types/tinycolor2': 1.4.3
       tinycolor2: 1.6.0
 
-  tinypool@1.0.2: {}
-
-  tinyrainbow@1.2.0: {}
-
-  tinyrainbow@2.0.0: {}
-
-  tinyspy@3.0.2: {}
+  tinyrainbow@3.1.0: {}
 
   tldts-core@7.0.7: {}
 
@@ -41589,6 +34855,8 @@ snapshots:
 
   tmp@0.2.3: {}
 
+  tmp@0.2.5: {}
+
   to-fast-properties@2.0.0: {}
 
   to-readable-stream@1.0.0: {}
@@ -41612,8 +34880,6 @@ snapshots:
 
   toposort@2.0.2: {}
 
-  totalist@3.0.1: {}
-
   tough-cookie@2.5.0:
     dependencies:
       psl: 1.9.0
@@ -41657,13 +34923,13 @@ snapshots:
 
   ts-proto-descriptors@1.15.0:
     dependencies:
-      long: 5.2.3
-      protobufjs: 7.3.2
+      long: 5.3.2
+      protobufjs: 7.6.1
 
   ts-proto@1.167.3:
     dependencies:
       case-anything: 2.1.13
-      protobufjs: 7.3.2
+      protobufjs: 7.6.1
       ts-poet: 6.6.0
       ts-proto-descriptors: 1.15.0
 
@@ -41721,27 +34987,55 @@ snapshots:
 
   tslib@2.8.1: {}
 
-  tsup@8.4.0(@swc/core@1.3.101(@swc/helpers@0.5.15))(jiti@2.4.2)(postcss@8.5.6)(tsx@4.17.0)(typescript@5.5.4)(yaml@2.7.1):
+  tsup@8.4.0(@swc/core@1.3.101(@swc/helpers@0.5.15))(jiti@2.6.1)(postcss@8.5.10)(tsx@4.17.0)(typescript@5.5.4)(yaml@2.9.0):
     dependencies:
       bundle-require: 5.1.0(esbuild@0.25.1)
       cac: 6.7.14
       chokidar: 4.0.3
       consola: 3.4.2
-      debug: 4.4.0
+      debug: 4.4.3(supports-color@10.0.0)
       esbuild: 0.25.1
       joycon: 3.1.1
       picocolors: 1.1.1
-      postcss-load-config: 6.0.1(jiti@2.4.2)(postcss@8.5.6)(tsx@4.17.0)(yaml@2.7.1)
+      postcss-load-config: 6.0.1(jiti@2.6.1)(postcss@8.5.10)(tsx@4.17.0)(yaml@2.9.0)
       resolve-from: 5.0.0
-      rollup: 4.36.0
+      rollup: 4.60.1
       source-map: 0.8.0-beta.0
       sucrase: 3.35.0
       tinyexec: 0.3.2
-      tinyglobby: 0.2.12
+      tinyglobby: 0.2.13
       tree-kill: 1.2.2
     optionalDependencies:
       '@swc/core': 1.3.101(@swc/helpers@0.5.15)
-      postcss: 8.5.6
+      postcss: 8.5.10
+      typescript: 5.5.4
+    transitivePeerDependencies:
+      - jiti
+      - supports-color
+      - tsx
+      - yaml
+
+  tsup@8.4.0(@swc/core@1.3.101(@swc/helpers@0.5.15))(jiti@2.6.1)(postcss@8.5.10)(tsx@4.20.6)(typescript@5.5.4)(yaml@2.9.0):
+    dependencies:
+      bundle-require: 5.1.0(esbuild@0.25.1)
+      cac: 6.7.14
+      chokidar: 4.0.3
+      consola: 3.4.2
+      debug: 4.4.3(supports-color@10.0.0)
+      esbuild: 0.25.1
+      joycon: 3.1.1
+      picocolors: 1.1.1
+      postcss-load-config: 6.0.1(jiti@2.6.1)(postcss@8.5.10)(tsx@4.20.6)(yaml@2.9.0)
+      resolve-from: 5.0.0
+      rollup: 4.60.1
+      source-map: 0.8.0-beta.0
+      sucrase: 3.35.0
+      tinyexec: 0.3.2
+      tinyglobby: 0.2.13
+      tree-kill: 1.2.2
+    optionalDependencies:
+      '@swc/core': 1.3.101(@swc/helpers@0.5.15)
+      postcss: 8.5.10
       typescript: 5.5.4
     transitivePeerDependencies:
       - jiti
@@ -41769,13 +35063,6 @@ snapshots:
     optionalDependencies:
       fsevents: 2.3.3
 
-  tsx@4.19.3:
-    dependencies:
-      esbuild: 0.25.1
-      get-tsconfig: 4.7.6
-    optionalDependencies:
-      fsevents: 2.3.3
-
   tsx@4.20.6:
     dependencies:
       esbuild: 0.25.1
@@ -41816,6 +35103,8 @@ snapshots:
   turbo-linux-arm64@1.10.3:
     optional: true
 
+  turbo-stream@2.4.1: {}
+
   turbo-windows-64@1.10.3:
     optional: true
 
@@ -41831,8 +35120,6 @@ snapshots:
       turbo-windows-64: 1.10.3
       turbo-windows-arm64: 1.10.3
 
-  tw-animate-css@1.2.4: {}
-
   tweetnacl@0.14.5: {}
 
   type-check@0.4.0:
@@ -41845,14 +35132,16 @@ snapshots:
 
   type-fest@0.6.0: {}
 
-  type-fest@0.7.1: {}
-
   type-fest@0.8.1: {}
 
   type-fest@2.19.0: {}
 
   type-fest@4.33.0: {}
 
+  type-fest@5.6.0:
+    dependencies:
+      tagged-tag: 1.0.0
+
   type-is@1.6.18:
     dependencies:
       media-typer: 0.3.0
@@ -41912,8 +35201,6 @@ snapshots:
     optionalDependencies:
       rxjs: 7.8.2
 
-  typed-query-selector@2.12.0: {}
-
   typescript@5.5.4: {}
 
   ufo@1.5.4: {}
@@ -41924,6 +35211,8 @@ snapshots:
 
   uint8array-extras@1.4.0: {}
 
+  uint8array-extras@1.5.0: {}
+
   ulid@2.3.0: {}
 
   ulidx@2.2.1:
@@ -41945,6 +35234,10 @@ snapshots:
     dependencies:
       '@fastify/busboy': 2.1.1
 
+  undici@6.25.0: {}
+
+  undici@7.24.6: {}
+
   unicode-emoji-modifier-base@1.0.0: {}
 
   unicorn-magic@0.1.0: {}
@@ -41979,11 +35272,6 @@ snapshots:
     dependencies:
       imurmurhash: 0.1.4
 
-  unist-util-find-after@5.0.0:
-    dependencies:
-      '@types/unist': 3.0.3
-      unist-util-is: 6.0.0
-
   unist-util-generated@2.0.0: {}
 
   unist-util-is@5.1.1: {}
@@ -42009,11 +35297,6 @@ snapshots:
       '@types/unist': 2.0.6
       unist-util-visit: 4.1.2
 
-  unist-util-remove-position@5.0.0:
-    dependencies:
-      '@types/unist': 3.0.3
-      unist-util-visit: 5.0.0
-
   unist-util-stringify-position@3.0.2:
     dependencies:
       '@types/unist': 2.0.6
@@ -42044,11 +35327,6 @@ snapshots:
       unist-util-is: 6.0.0
       unist-util-visit-parents: 6.0.1
 
-  universal-cookie@7.2.0:
-    dependencies:
-      '@types/cookie': 0.6.0
-      cookie: 0.6.0
-
   universal-github-app-jwt@1.2.0:
     dependencies:
       '@types/jsonwebtoken': 9.0.10
@@ -42068,7 +35346,7 @@ snapshots:
       escalade: 3.2.0
       picocolors: 1.1.1
 
-  update-browserslist-db@1.1.2(browserslist@4.24.4):
+  update-browserslist-db@1.1.4(browserslist@4.24.4):
     dependencies:
       browserslist: 4.24.4
       escalade: 3.2.0
@@ -42080,18 +35358,11 @@ snapshots:
       escalade: 3.2.0
       picocolors: 1.1.1
 
-  uploadthing@7.1.0(express@5.2.1)(fastify@5.4.0)(next@14.2.21(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@18.2.0(react@18.3.1))(react@18.3.1))(tailwindcss@3.4.1):
+  update-browserslist-db@1.2.3(browserslist@4.28.1):
     dependencies:
-      '@effect/platform': 0.63.2(@effect/schema@0.72.2(effect@3.7.2))(effect@3.7.2)
-      '@effect/schema': 0.72.2(effect@3.7.2)
-      '@uploadthing/mime-types': 0.3.0
-      '@uploadthing/shared': 7.0.3
-      effect: 3.7.2
-    optionalDependencies:
-      express: 5.2.1
-      fastify: 5.4.0
-      next: 14.2.21(@opentelemetry/api@1.9.0)(@playwright/test@1.37.0)(react-dom@18.2.0(react@18.3.1))(react@18.3.1)
-      tailwindcss: 3.4.1
+      browserslist: 4.28.1
+      escalade: 3.2.0
+      picocolors: 1.1.1
 
   uri-js@4.4.1:
     dependencies:
@@ -42110,20 +35381,6 @@ snapshots:
     optionalDependencies:
       '@types/react': 18.2.69
 
-  use-callback-ref@1.3.3(@types/react@18.2.69)(react@18.3.1):
-    dependencies:
-      react: 18.3.1
-      tslib: 2.8.1
-    optionalDependencies:
-      '@types/react': 18.2.69
-
-  use-callback-ref@1.3.3(@types/react@18.3.1)(react@18.3.1):
-    dependencies:
-      react: 18.3.1
-      tslib: 2.8.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
   use-isomorphic-layout-effect@1.1.2(@types/react@18.2.69)(react@18.2.0):
     dependencies:
       react: 18.2.0
@@ -42138,33 +35395,17 @@ snapshots:
     optionalDependencies:
       '@types/react': 18.2.69
 
-  use-sidecar@1.1.3(@types/react@18.2.69)(react@18.3.1):
-    dependencies:
-      detect-node-es: 1.1.0
-      react: 18.3.1
-      tslib: 2.8.1
-    optionalDependencies:
-      '@types/react': 18.2.69
-
-  use-sidecar@1.1.3(@types/react@18.3.1)(react@18.3.1):
-    dependencies:
-      detect-node-es: 1.1.0
-      react: 18.3.1
-      tslib: 2.8.1
-    optionalDependencies:
-      '@types/react': 18.3.1
-
   use-sync-external-store@1.2.2(react@18.2.0):
     dependencies:
       react: 18.2.0
 
-  use-sync-external-store@1.2.2(react@18.3.1):
+  use-sync-external-store@1.2.2(react@19.1.0):
     dependencies:
-      react: 18.3.1
+      react: 19.1.0
 
-  use-sync-external-store@1.2.2(react@19.0.0):
+  use-sync-external-store@1.6.0(react@18.2.0):
     dependencies:
-      react: 19.0.0
+      react: 18.2.0
 
   util-deprecate@1.0.2: {}
 
@@ -42182,12 +35423,12 @@ snapshots:
 
   uuid@11.1.0: {}
 
+  uuid@14.0.0: {}
+
   uuid@3.4.0: {}
 
   uuid@8.3.2: {}
 
-  uuid@9.0.0: {}
-
   uuid@9.0.1: {}
 
   uvu@0.5.6:
@@ -42201,6 +35442,10 @@ snapshots:
     optionalDependencies:
       typescript: 5.5.4
 
+  valibot@1.3.1(typescript@5.5.4):
+    optionalDependencies:
+      typescript: 5.5.4
+
   validate-npm-package-license@3.0.4:
     dependencies:
       spdx-correct: 3.1.1
@@ -42275,7 +35520,7 @@ snapshots:
       d3-time: 3.1.0
       d3-timer: 3.0.1
 
-  vite-node@0.28.5(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1):
+  vite-node@0.28.5(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.46.1):
     dependencies:
       cac: 6.7.14
       debug: 4.4.3(supports-color@10.0.0)
@@ -42284,7 +35529,7 @@ snapshots:
       picocolors: 1.1.1
       source-map: 0.6.1
       source-map-support: 0.5.21
-      vite: 4.4.9(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1)
+      vite: 4.4.9(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.46.1)
     transitivePeerDependencies:
       - '@types/node'
       - less
@@ -42295,15 +35540,16 @@ snapshots:
       - supports-color
       - terser
 
-  vite-node@3.1.4(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1):
+  vite-node@3.1.4(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(yaml@2.9.0):
     dependencies:
       cac: 6.7.14
       debug: 4.4.3(supports-color@10.0.0)
       es-module-lexer: 1.7.0
       pathe: 2.0.3
-      vite: 5.4.21(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1)
+      vite: 6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(yaml@2.9.0)
     transitivePeerDependencies:
       - '@types/node'
+      - jiti
       - less
       - lightningcss
       - sass
@@ -42312,6 +35558,8 @@ snapshots:
       - sugarss
       - supports-color
       - terser
+      - tsx
+      - yaml
 
   vite-tsconfig-paths@4.0.5(typescript@5.5.4):
     dependencies:
@@ -42322,64 +35570,108 @@ snapshots:
       - supports-color
       - typescript
 
-  vite@4.4.9(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1):
+  vite@4.4.9(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.46.1):
     dependencies:
       esbuild: 0.18.11
-      postcss: 8.5.6
+      postcss: 8.5.10
       rollup: 3.29.1
     optionalDependencies:
       '@types/node': 20.14.14
       fsevents: 2.3.3
       lightningcss: 1.29.2
-      terser: 5.44.1
+      terser: 5.46.1
+
+  vite@6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@3.12.2)(yaml@2.9.0):
+    dependencies:
+      esbuild: 0.25.1
+      fdir: 6.4.4(picomatch@4.0.4)
+      picomatch: 4.0.4
+      postcss: 8.5.10
+      rollup: 4.60.1
+      tinyglobby: 0.2.13
+    optionalDependencies:
+      '@types/node': 20.14.14
+      fsevents: 2.3.3
+      jiti: 2.6.1
+      lightningcss: 1.29.2
+      terser: 5.46.1
+      tsx: 3.12.2
+      yaml: 2.9.0
 
-  vite@5.4.21(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1):
+  vite@6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(yaml@2.9.0):
     dependencies:
-      esbuild: 0.21.5
-      postcss: 8.5.6
-      rollup: 4.36.0
+      esbuild: 0.25.1
+      fdir: 6.4.4(picomatch@4.0.4)
+      picomatch: 4.0.4
+      postcss: 8.5.10
+      rollup: 4.60.1
+      tinyglobby: 0.2.13
     optionalDependencies:
       '@types/node': 20.14.14
       fsevents: 2.3.3
+      jiti: 2.6.1
       lightningcss: 1.29.2
-      terser: 5.44.1
-
-  vitest@3.1.4(@types/debug@4.1.12)(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1):
-    dependencies:
-      '@vitest/expect': 3.1.4
-      '@vitest/mocker': 3.1.4(vite@5.4.21(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1))
-      '@vitest/pretty-format': 3.1.4
-      '@vitest/runner': 3.1.4
-      '@vitest/snapshot': 3.1.4
-      '@vitest/spy': 3.1.4
-      '@vitest/utils': 3.1.4
-      chai: 5.2.0
-      debug: 4.4.1
-      expect-type: 1.2.1
+      terser: 5.46.1
+      tsx: 4.20.6
+      yaml: 2.9.0
+
+  vitest@4.1.7(@opentelemetry/api@1.9.1)(@types/node@20.14.14)(@vitest/coverage-v8@4.1.7)(vite@6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@3.12.2)(yaml@2.9.0)):
+    dependencies:
+      '@vitest/expect': 4.1.7
+      '@vitest/mocker': 4.1.7(vite@6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@3.12.2)(yaml@2.9.0))
+      '@vitest/pretty-format': 4.1.7
+      '@vitest/runner': 4.1.7
+      '@vitest/snapshot': 4.1.7
+      '@vitest/spy': 4.1.7
+      '@vitest/utils': 4.1.7
+      es-module-lexer: 2.1.0
+      expect-type: 1.3.0
       magic-string: 0.30.21
+      obug: 2.1.1
       pathe: 2.0.3
-      std-env: 3.9.0
+      picomatch: 4.0.4
+      std-env: 4.1.0
       tinybench: 2.9.0
-      tinyexec: 0.3.2
-      tinyglobby: 0.2.13
-      tinypool: 1.0.2
-      tinyrainbow: 2.0.0
-      vite: 5.4.21(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1)
-      vite-node: 3.1.4(@types/node@20.14.14)(lightningcss@1.29.2)(terser@5.44.1)
+      tinyexec: 1.2.3
+      tinyglobby: 0.2.16
+      tinyrainbow: 3.1.0
+      vite: 6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@3.12.2)(yaml@2.9.0)
       why-is-node-running: 2.3.0
     optionalDependencies:
-      '@types/debug': 4.1.12
+      '@opentelemetry/api': 1.9.1
       '@types/node': 20.14.14
+      '@vitest/coverage-v8': 4.1.7(vitest@4.1.7)
+    transitivePeerDependencies:
+      - msw
+
+  vitest@4.1.7(@opentelemetry/api@1.9.1)(@types/node@20.14.14)(@vitest/coverage-v8@4.1.7)(vite@6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(yaml@2.9.0)):
+    dependencies:
+      '@vitest/expect': 4.1.7
+      '@vitest/mocker': 4.1.7(vite@6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(yaml@2.9.0))
+      '@vitest/pretty-format': 4.1.7
+      '@vitest/runner': 4.1.7
+      '@vitest/snapshot': 4.1.7
+      '@vitest/spy': 4.1.7
+      '@vitest/utils': 4.1.7
+      es-module-lexer: 2.1.0
+      expect-type: 1.3.0
+      magic-string: 0.30.21
+      obug: 2.1.1
+      pathe: 2.0.3
+      picomatch: 4.0.4
+      std-env: 4.1.0
+      tinybench: 2.9.0
+      tinyexec: 1.2.3
+      tinyglobby: 0.2.16
+      tinyrainbow: 3.1.0
+      vite: 6.4.2(@types/node@20.14.14)(jiti@2.6.1)(lightningcss@1.29.2)(terser@5.46.1)(tsx@4.20.6)(yaml@2.9.0)
+      why-is-node-running: 2.3.0
+    optionalDependencies:
+      '@opentelemetry/api': 1.9.1
+      '@types/node': 20.14.14
+      '@vitest/coverage-v8': 4.1.7(vitest@4.1.7)
     transitivePeerDependencies:
-      - less
-      - lightningcss
       - msw
-      - sass
-      - sass-embedded
-      - stylus
-      - sugarss
-      - supports-color
-      - terser
 
   vscode-jsonrpc@8.2.0: {}
 
@@ -42396,7 +35688,7 @@ snapshots:
     dependencies:
       vscode-languageserver-protocol: 3.17.5
 
-  vscode-uri@3.0.8: {}
+  vscode-uri@3.1.0: {}
 
   w3c-keyname@2.2.8: {}
 
@@ -42406,12 +35698,7 @@ snapshots:
     dependencies:
       loose-envify: 1.4.0
 
-  watchpack@2.4.0:
-    dependencies:
-      glob-to-regexp: 0.4.1
-      graceful-fs: 4.2.11
-
-  watchpack@2.4.4:
+  watchpack@2.5.1:
     dependencies:
       glob-to-regexp: 0.4.1
       graceful-fs: 4.2.11
@@ -42436,40 +35723,19 @@ snapshots:
 
   webidl-conversions@4.0.2: {}
 
-  webpack-bundle-analyzer@4.10.1(bufferutil@4.0.9):
-    dependencies:
-      '@discoveryjs/json-ext': 0.5.7
-      acorn: 8.15.0
-      acorn-walk: 8.3.2
-      commander: 7.2.0
-      debounce: 1.2.1
-      escape-string-regexp: 4.0.0
-      gzip-size: 6.0.0
-      html-escaper: 2.0.2
-      is-plain-object: 5.0.0
-      opener: 1.5.2
-      picocolors: 1.1.1
-      sirv: 2.0.4
-      ws: 7.5.9(bufferutil@4.0.9)
-    transitivePeerDependencies:
-      - bufferutil
-      - utf-8-validate
-
-  webpack-sources@3.2.3: {}
-
-  webpack-sources@3.3.3: {}
+  webpack-sources@3.3.4: {}
 
   webpack@5.102.1(@swc/core@1.3.26)(esbuild@0.15.18):
     dependencies:
       '@types/eslint-scope': 3.7.7
-      '@types/estree': 1.0.8
+      '@types/estree': 1.0.9
       '@types/json-schema': 7.0.15
       '@webassemblyjs/ast': 1.14.1
       '@webassemblyjs/wasm-edit': 1.14.1
       '@webassemblyjs/wasm-parser': 1.14.1
-      acorn: 8.15.0
-      acorn-import-phases: 1.0.4(acorn@8.15.0)
-      browserslist: 4.28.0
+      acorn: 8.16.0
+      acorn-import-phases: 1.0.4(acorn@8.16.0)
+      browserslist: 4.28.1
       chrome-trace-event: 1.0.4
       enhanced-resolve: 5.18.3
       es-module-lexer: 1.7.0
@@ -42482,41 +35748,10 @@ snapshots:
       mime-types: 2.1.35
       neo-async: 2.6.2
       schema-utils: 4.3.3
-      tapable: 2.3.0
-      terser-webpack-plugin: 5.3.14(@swc/core@1.3.26)(esbuild@0.15.18)(webpack@5.102.1(@swc/core@1.3.26)(esbuild@0.15.18))
-      watchpack: 2.4.4
-      webpack-sources: 3.3.3
-    transitivePeerDependencies:
-      - '@swc/core'
-      - esbuild
-      - uglify-js
-
-  webpack@5.88.2(@swc/core@1.3.101(@swc/helpers@0.5.15))(esbuild@0.19.11):
-    dependencies:
-      '@types/eslint-scope': 3.7.4
-      '@types/estree': 1.0.8
-      '@webassemblyjs/ast': 1.11.5
-      '@webassemblyjs/wasm-edit': 1.11.5
-      '@webassemblyjs/wasm-parser': 1.11.5
-      acorn: 8.15.0
-      acorn-import-assertions: 1.9.0(acorn@8.15.0)
-      browserslist: 4.24.4
-      chrome-trace-event: 1.0.3
-      enhanced-resolve: 5.18.3
-      es-module-lexer: 1.7.0
-      eslint-scope: 5.1.1
-      events: 3.3.0
-      glob-to-regexp: 0.4.1
-      graceful-fs: 4.2.11
-      json-parse-even-better-errors: 2.3.1
-      loader-runner: 4.3.0
-      mime-types: 2.1.35
-      neo-async: 2.6.2
-      schema-utils: 3.3.0
-      tapable: 2.3.0
-      terser-webpack-plugin: 5.3.7(@swc/core@1.3.101(@swc/helpers@0.5.15))(esbuild@0.19.11)(webpack@5.88.2)
-      watchpack: 2.4.0
-      webpack-sources: 3.2.3
+      tapable: 2.3.3
+      terser-webpack-plugin: 5.4.0(@swc/core@1.3.26)(esbuild@0.15.18)(webpack@5.102.1(@swc/core@1.3.26)(esbuild@0.15.18))
+      watchpack: 2.5.1
+      webpack-sources: 3.3.4
     transitivePeerDependencies:
       - '@swc/core'
       - esbuild
@@ -42533,6 +35768,8 @@ snapshots:
       tr46: 1.0.1
       webidl-conversions: 4.0.2
 
+  when-exit@2.1.5: {}
+
   which-boxed-primitive@1.0.2:
     dependencies:
       is-bigint: 1.0.4
@@ -42595,7 +35832,7 @@ snapshots:
 
   wrappy@1.0.2: {}
 
-  ws@7.5.9(bufferutil@4.0.9):
+  ws@7.5.10(bufferutil@4.0.9):
     optionalDependencies:
       bufferutil: 4.0.9
 
@@ -42619,6 +35856,10 @@ snapshots:
     optionalDependencies:
       bufferutil: 4.0.9
 
+  ws@8.20.1(bufferutil@4.0.9):
+    optionalDependencies:
+      bufferutil: 4.0.9
+
   xdg-app-paths@8.3.0:
     dependencies:
       xdg-portable: 10.6.0
@@ -42631,9 +35872,9 @@ snapshots:
     optionalDependencies:
       fsevents: 2.3.3
 
-  xmlhttprequest-ssl@2.0.0: {}
+  xml-naming@0.1.0: {}
 
-  xstate@5.18.1: {}
+  xmlhttprequest-ssl@2.0.0: {}
 
   xtend@4.0.2: {}
 
@@ -42649,7 +35890,9 @@ snapshots:
 
   yallist@5.0.0: {}
 
-  yaml@2.7.1: {}
+  yaml@2.8.3: {}
+
+  yaml@2.9.0: {}
 
   yargs-parser@18.1.3:
     dependencies:
@@ -42694,24 +35937,12 @@ snapshots:
       y18n: 5.0.8
       yargs-parser: 21.1.1
 
-  yauzl@2.10.0:
-    dependencies:
-      buffer-crc32: 0.2.13
-      fd-slicer: 1.1.0
-
   yocto-queue@0.1.0: {}
 
   yocto-queue@1.1.1: {}
 
   yoctocolors@2.1.2: {}
 
-  yup@1.6.1:
-    dependencies:
-      property-expr: 2.0.6
-      tiny-case: 1.0.3
-      toposort: 2.0.2
-      type-fest: 2.19.0
-
   yup@1.7.0:
     dependencies:
       property-expr: 2.0.6
@@ -42753,11 +35984,4 @@ snapshots:
 
   zod@3.25.76: {}
 
-  zustand@4.5.5(@types/react@18.2.69)(react@18.2.0):
-    dependencies:
-      use-sync-external-store: 1.2.2(react@18.2.0)
-    optionalDependencies:
-      '@types/react': 18.2.69
-      react: 18.2.0
-
   zwitch@2.0.4: {}
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 25f679f6bf0..d083a589e51 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -2,7 +2,6 @@ packages:
   - "packages/*"
   - "internal-packages/*"
   - "apps/**"
-  - "references/*"
   - "docs"
   - "!packages/cli-v3/e2e/**"
 
@@ -12,6 +11,8 @@ minimumReleaseAgeExclude:
   - "next"
   - "@next/*"
   - "agentcrumbs"
+  - "secure-exec"
+  - "@secure-exec/*"
 preferOffline: true
 
 linkWorkspacePackages: false
@@ -19,3 +20,4 @@ publicHoistPattern:
   - "*prisma*"
 preferWorkspacePackages: true
 sideEffectsCache: false
+blockExoticSubdeps: true
diff --git a/references/README.md b/references/README.md
deleted file mode 100644
index 5dba21962a6..00000000000
--- a/references/README.md
+++ /dev/null
@@ -1,129 +0,0 @@
-## Trigger.dev References
-
-Contains code that tests or uses the `@trigger.dev/*` packages in some way, either by using them to test out a framework adapter, an integration, or parts of the main SDK.
-
-All the dependencies to the `@trigger.dev/*` packages will be both referenced in the package.json `dependencies` as `workspace:*`, as well as using a direct path from the tsconfig.json file like so:
-
-```json
-{
-  "extends": "@trigger.dev/tsconfig/node18.json",
-  "include": ["./src/**/*.ts"],
-  "compilerOptions": {
-    "baseUrl": ".",
-    "lib": ["DOM", "DOM.Iterable"],
-    "paths": {
-      "@/*": ["./src/*"],
-      "@trigger.dev/sdk": ["../../packages/trigger-sdk/src/index"],
-      "@trigger.dev/sdk/*": ["../../packages/trigger-sdk/src/*"],
-      "@trigger.dev/express": ["../../packages/express/src/index"],
-      "@trigger.dev/express/*": ["../../packages/express/src/*"],
-      "@trigger.dev/core": ["../../packages/core/src/index"],
-      "@trigger.dev/core/*": ["../../packages/core/src/*"],
-      "@trigger.dev/integration-kit": ["../../packages/integration-kit/src/index"],
-      "@trigger.dev/integration-kit/*": ["../../packages/integration-kit/src/*"],
-      "@trigger.dev/github": ["../../integrations/github/src/index"],
-      "@trigger.dev/github/*": ["../../integrations/github/src/*"],
-      "@trigger.dev/slack": ["../../integrations/slack/src/index"],
-      "@trigger.dev/slack/*": ["../../integrations/slack/src/*"],
-      "@trigger.dev/openai": ["../../integrations/openai/src/index"],
-      "@trigger.dev/openai/*": ["../../integrations/openai/src/*"],
-      "@trigger.dev/resend": ["../../integrations/resend/src/index"],
-      "@trigger.dev/resend/*": ["../../integrations/resend/src/*"],
-      "@trigger.dev/typeform": ["../../integrations/typeform/src/index"],
-      "@trigger.dev/typeform/*": ["../../integrations/typeform/src/*"],
-      "@trigger.dev/plain": ["../../integrations/plain/src/index"],
-      "@trigger.dev/plain/*": ["../../integrations/plain/src/*"],
-      "@trigger.dev/supabase": ["../../integrations/supabase/src/index"],
-      "@trigger.dev/supabase/*": ["../../integrations/supabase/src/*"],
-      "@trigger.dev/stripe": ["../../integrations/stripe/src/index"],
-      "@trigger.dev/stripe/*": ["../../integrations/stripe/src/*"],
-      "@trigger.dev/sendgrid": ["../../integrations/sendgrid/src/index"],
-      "@trigger.dev/sendgrid/*": ["../../integrations/sendgrid/src/*"],
-      "@trigger.dev/airtable": ["../../integrations/airtable/src/index"],
-      "@trigger.dev/airtable/*": ["../../integrations/airtable/src/*"]
-    }
-  }
-}
-```
-
-### Creating a New Reference Project
-
-This guide assumes that you have followed the [Contributing.md](https://github.com/triggerdotdev/trigger.dev/blob/main/CONTRIBUTING.md#setup) instructions to set up a local trigger.dev instance. If not, please complete the setup before continuing.
-
-#### Step-by-Step Instructions
-
-1. **Run an HTTP tunnel**:
-You will need to run an HTTP tunnel to expose your local webapp, it is required for some API calls during building the image to deploy on your local instance. This is *optional* if you do not plan to test deployment on your local instance.
-- Download the ngrok CLI. This can be done by following the instructions on ngrok's [website](https://ngrok.com/docs/getting-started/).
-- Create an account on ngrok to obtain the authtoken and add it to the CLI.
-
-```bash
-ngrok config add-authtoken <your-auth-token>
-```
-Replace the <your-auth-token> with the token you obtain from ngrok.
-- Run the tunnel.
-
-```bash
-ngrok http <your-app-port>
-```
-Replace the <your-app-port> with the webapp port, default is `3030`.
-
-2. **Add your tunnel URL to the env**:
-After running the ngrok tunnel, you will see URL in your terminal, it will look something like `https://<your-tunnel-address>.ngrok-free.app`. 
-Replace the `APP_ORIGIN` variable with this URL in your `.env` file in the root of the trigger.dev project.
-
-3. **Run the webapp on localhost**:
-
-```bash
-pnpm run dev --filter webapp --filter coordinator --filter docker-provider
-```
-
-4. **Build the CLI in a new terminal window**:
-
-```bash
-# Build the CLI
-pnpm run build --filter trigger.dev
-
-# Make it accessible to `pnpm exec`
-pnpm i
-```
-
-5. **Set up a new project in the webapp**:
-- Open the webapp running on `localhost:3030`.
-- Create a new project in the webapp UI.
-- Go to the *Project Settings* page and copy the project reference id from there.
-
-6. **Copy the hello-world project as a template**:
-
-```bash
-cp -r references/hello-world references/<new-project>
-```
-
-Replace `<new-project>` with your desired project name.
-
-7. **Update project details**:
-- Open `<new-project>/package.json` and change the name field.
-*(Tip: Use the same name as in the webapp to avoid confusion.)*
-
-- Open `<new-project>/trigger.config.ts` and update the project field with the project reference you copied from the webapp.
-
-- Run `pnpm i` in your `<new-project>` directory to sync the dependencies.
-
-8. **Authorize the CLI for your project**:
-
-```bash
-pnpm exec trigger login -a http://localhost:3030 --profile local
-```
-
-9. **Run the new project**:
-You can now run your project using the CLI with the following command:
-
-```bash
-pnpm exec trigger dev --profile local
-```
-
-You can also deploy them against your local instance with the following command:
-
-```bash
-pnpm exec trigger deploy --self-hosted --load-image --profile local
-```
diff --git a/references/bun-catalog/.env.example b/references/bun-catalog/.env.example
deleted file mode 100644
index 9001181b669..00000000000
--- a/references/bun-catalog/.env.example
+++ /dev/null
@@ -1,3 +0,0 @@
-TRIGGER_SECRET_KEY=
-TRIGGER_API_URL=
-OPENAI_API_KEY="My API Key"
\ No newline at end of file
diff --git a/references/bun-catalog/.gitignore b/references/bun-catalog/.gitignore
deleted file mode 100644
index 6524f048dcb..00000000000
--- a/references/bun-catalog/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-.trigger
\ No newline at end of file
diff --git a/references/bun-catalog/README.md b/references/bun-catalog/README.md
deleted file mode 100644
index 416b9f07dd4..00000000000
--- a/references/bun-catalog/README.md
+++ /dev/null
@@ -1,57 +0,0 @@
-# The v3 catalog
-
-You can test v3 tasks from inside the app in this project. It's designed to be used for testing features and functionality of the v3 SDK.
-
-## One-time setup
-
-1. Create a v3 project in the UI of the webapp, you should now be able to select it from the dropdown.
-
-2. In Postgres go to the "Projects" table and for the project you create change the `externalRef` to `yubjwjsfkxnylobaqvqz`.
-
-This is so the `trigger.config.ts` file inside the hello-world doesn't keep getting changed by people accidentally pushing this.
-
-## How to use
-
-1. Make sure you're running the main webapp
-
-```bash
-pnpm run dev --filter webapp
-```
-
-2. Build the v3 CLI (this needs to be done everytime a code changes is made to the CLI if you're working on it)
-
-```bash
-pnpm run build --filter trigger.dev
-```
-
-3. CD into the hello-world directory
-
-```bash
-cd references/hello-world
-```
-
-4. If you've never logged in to the CLI you'll see an error telling you to login. Do this:
-
-```bash
-pnpm exec trigger login -a http://localhost:3030
-```
-
-If this fails because you already are logged in you can create a new profile:
-
-```bash
-pnpm exec trigger login -a http://localhost:3030 --profile local
-```
-
-Note: if you use a profile then you'll need to append `--profile local` to all commands, like `dev`.
-
-5. Run the v3 CLI
-
-```bash
-pnpm exec trigger dev
-```
-
-6. You should see the v3 dev command spitting out messages, including that it's started a background worker.
-
-7. Go to the webapp now and inside your project you should see some tasks on the "Tasks" page.
-
-8. Go to the "Test" page in the sidebar and select a task. Then enter a payload and click "Run test". You can tell what the payloads should be by looking at the relevant task file inside the `/references/hello-world/src/trigger` folder. Many of them accept an empty payload.
diff --git a/references/bun-catalog/package.json b/references/bun-catalog/package.json
deleted file mode 100644
index 519296c6cae..00000000000
--- a/references/bun-catalog/package.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
-  "name": "references-bun-catalog",
-  "private": true,
-  "type": "module",
-  "scripts": {
-    "dev:trigger": "trigger dev",
-    "deploy": "trigger deploy"
-  },
-  "dependencies": {
-    "@trigger.dev/sdk": "workspace:*"
-  },
-  "devDependencies": {
-    "@types/bun": "^1.1.6",
-    "trigger.dev": "workspace:*"
-  }
-}
\ No newline at end of file
diff --git a/references/bun-catalog/src/trigger/bun.ts b/references/bun-catalog/src/trigger/bun.ts
deleted file mode 100644
index 2f3e123c795..00000000000
--- a/references/bun-catalog/src/trigger/bun.ts
+++ /dev/null
@@ -1,18 +0,0 @@
-import { Database } from "bun:sqlite";
-import { task } from "@trigger.dev/sdk";
-
-export const bunTask = task({
-  id: "bun-task",
-  run: async (payload: { query: string }) => {
-    const db = new Database(":memory:");
-    const query = db.query("select 'Hello world' as message;");
-    console.log(query.get()); // => { message: "Hello world" }
-
-    await new Promise((resolve) => setTimeout(resolve, 1000));
-
-    return {
-      message: "Query executed",
-      bunVersion: Bun.version,
-    };
-  },
-});
diff --git a/references/bun-catalog/trigger.config.ts b/references/bun-catalog/trigger.config.ts
deleted file mode 100644
index fa791aa4558..00000000000
--- a/references/bun-catalog/trigger.config.ts
+++ /dev/null
@@ -1,20 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk";
-
-export default defineConfig({
-  runtime: "bun",
-  project: process.env.TRIGGER_PROJECT_REF!,
-  maxDuration: 3600,
-  machine: "small-2x",
-  retries: {
-    enabledInDev: true,
-    default: {
-      maxAttempts: 4,
-      minTimeoutInMs: 10000,
-      maxTimeoutInMs: 10000,
-      factor: 2,
-      randomize: true,
-    },
-  },
-  enableConsoleLogging: false,
-  logLevel: "info",
-});
diff --git a/references/bun-catalog/tsconfig.json b/references/bun-catalog/tsconfig.json
deleted file mode 100644
index 635ecdb766a..00000000000
--- a/references/bun-catalog/tsconfig.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "esnext",
-    "module": "NodeNext",
-    "moduleResolution": "NodeNext",
-    "esModuleInterop": true,
-    "strict": true,
-    "outDir": "dist",
-    "skipLibCheck": true,
-    "customConditions": ["@triggerdotdev/source"],
-    "jsx": "preserve",
-    "emitDecoratorMetadata": true,
-    "experimentalDecorators": true,
-    "lib": ["DOM", "DOM.Iterable"],
-    "paths": {
-      "@/*": ["./src/*"]
-    }
-  },
-  "include": ["./src/**/*.ts", "trigger.config.ts"]
-}
diff --git a/references/d3-chat/.gitignore b/references/d3-chat/.gitignore
deleted file mode 100644
index 5ef6a520780..00000000000
--- a/references/d3-chat/.gitignore
+++ /dev/null
@@ -1,41 +0,0 @@
-# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
-
-# dependencies
-/node_modules
-/.pnp
-.pnp.*
-.yarn/*
-!.yarn/patches
-!.yarn/plugins
-!.yarn/releases
-!.yarn/versions
-
-# testing
-/coverage
-
-# next.js
-/.next/
-/out/
-
-# production
-/build
-
-# misc
-.DS_Store
-*.pem
-
-# debug
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-.pnpm-debug.log*
-
-# env files (can opt-in for committing if needed)
-.env*
-
-# vercel
-.vercel
-
-# typescript
-*.tsbuildinfo
-next-env.d.ts
diff --git a/references/d3-chat/README.md b/references/d3-chat/README.md
deleted file mode 100644
index e215bc4ccf1..00000000000
--- a/references/d3-chat/README.md
+++ /dev/null
@@ -1,36 +0,0 @@
-This is a [Next.js](https://nextjs.org) project bootstrapped with [`create-next-app`](https://nextjs.org/docs/app/api-reference/cli/create-next-app).
-
-## Getting Started
-
-First, run the development server:
-
-```bash
-npm run dev
-# or
-yarn dev
-# or
-pnpm dev
-# or
-bun dev
-```
-
-Open [http://localhost:3000](http://localhost:3000) with your browser to see the result.
-
-You can start editing the page by modifying `app/page.tsx`. The page auto-updates as you edit the file.
-
-This project uses [`next/font`](https://nextjs.org/docs/app/building-your-application/optimizing/fonts) to automatically optimize and load [Geist](https://vercel.com/font), a new font family for Vercel.
-
-## Learn More
-
-To learn more about Next.js, take a look at the following resources:
-
-- [Next.js Documentation](https://nextjs.org/docs) - learn about Next.js features and API.
-- [Learn Next.js](https://nextjs.org/learn) - an interactive Next.js tutorial.
-
-You can check out [the Next.js GitHub repository](https://github.com/vercel/next.js) - your feedback and contributions are welcome!
-
-## Deploy on Vercel
-
-The easiest way to deploy your Next.js app is to use the [Vercel Platform](https://vercel.com/new?utm_medium=default-template&filter=next.js&utm_source=create-next-app&utm_campaign=create-next-app-readme) from the creators of Next.js.
-
-Check out our [Next.js deployment documentation](https://nextjs.org/docs/app/building-your-application/deploying) for more details.
diff --git a/references/d3-chat/components.json b/references/d3-chat/components.json
deleted file mode 100644
index ffe928f5b6d..00000000000
--- a/references/d3-chat/components.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
-  "$schema": "https://ui.shadcn.com/schema.json",
-  "style": "new-york",
-  "rsc": true,
-  "tsx": true,
-  "tailwind": {
-    "config": "",
-    "css": "src/app/globals.css",
-    "baseColor": "neutral",
-    "cssVariables": true,
-    "prefix": ""
-  },
-  "aliases": {
-    "components": "@/components",
-    "utils": "@/lib/utils",
-    "ui": "@/components/ui",
-    "lib": "@/lib",
-    "hooks": "@/hooks"
-  },
-  "iconLibrary": "lucide"
-}
\ No newline at end of file
diff --git a/references/d3-chat/next.config.ts b/references/d3-chat/next.config.ts
deleted file mode 100644
index e9ffa3083ad..00000000000
--- a/references/d3-chat/next.config.ts
+++ /dev/null
@@ -1,7 +0,0 @@
-import type { NextConfig } from "next";
-
-const nextConfig: NextConfig = {
-  /* config options here */
-};
-
-export default nextConfig;
diff --git a/references/d3-chat/package.json b/references/d3-chat/package.json
deleted file mode 100644
index c14602d4010..00000000000
--- a/references/d3-chat/package.json
+++ /dev/null
@@ -1,66 +0,0 @@
-{
-  "name": "d3-chat",
-  "version": "0.1.0",
-  "private": true,
-  "scripts": {
-    "dev": "next dev",
-    "build": "next build",
-    "start": "next start",
-    "lint": "next lint",
-    "dev:trigger": "trigger dev",
-    "deploy": "trigger deploy",
-    "tunnel": "ngrok http --url=d3-demo.ngrok.dev 3000",
-    "python:install-requirements": "uv pip sync requirements.txt",
-    "python:compile-requirements": "uv pip compile requirements.in -o requirements.txt",
-    "python:install-browsers": "./.venv/bin/playwright install",
-    "python:install": "pnpm run python:compile-requirements && pnpm run python:install-requirements",
-    "python:create-env": "uv venv .venv",
-    "db:migrate": "tsx -r dotenv/config src/lib/migrate.ts up",
-    "db:migrate:down": "tsx -r dotenv/config src/lib/migrate.ts down"
-  },
-  "dependencies": {
-    "@ai-sdk/anthropic": "2.0.4",
-    "@ai-sdk/openai": "2.0.14",
-    "@e2b/code-interpreter": "^1.1.0",
-    "@opentelemetry/api": "^1.9.0",
-    "@opentelemetry/api-logs": "^0.203.0",
-    "@opentelemetry/exporter-logs-otlp-http": "0.203.0",
-    "@opentelemetry/exporter-trace-otlp-http": "0.203.0",
-    "@opentelemetry/instrumentation-http": "0.203.0",
-    "@opentelemetry/instrumentation-undici": "0.14.0",
-    "@opentelemetry/instrumentation": "^0.203.0",
-    "@opentelemetry/sdk-logs": "^0.203.0",
-    "@radix-ui/react-avatar": "^1.1.3",
-    "@slack/web-api": "7.9.1",
-    "@trigger.dev/python": "workspace:*",
-    "@trigger.dev/react-hooks": "workspace:*",
-    "@trigger.dev/sdk": "workspace:*",
-    "@vercel/otel": "^1.13.0",
-    "@vercel/postgres": "^0.10.0",
-    "ai": "5.0.14",
-    "class-variance-authority": "^0.7.1",
-    "clsx": "^2.1.1",
-    "lucide-react": "^0.486.0",
-    "marked": "^4.0.18",
-    "nanoid": "^5.1.5",
-    "next": "15.4.8",
-    "react": "^19.0.0",
-    "react-dom": "^19.0.0",
-    "react-markdown": "^10.1.0",
-    "tailwind-merge": "^3.1.0",
-    "tw-animate-css": "^1.2.4",
-    "zod": "3.25.76"
-  },
-  "devDependencies": {
-    "@tailwindcss/postcss": "^4",
-    "@tailwindcss/typography": "^0.5.9",
-    "@trigger.dev/build": "workspace:*",
-    "@types/marked": "^4.0.3",
-    "@types/node": "^20",
-    "@types/react": "^19",
-    "@types/react-dom": "^19",
-    "tailwindcss": "^4.0.17",
-    "trigger.dev": "workspace:*",
-    "typescript": "^5"
-  }
-}
\ No newline at end of file
diff --git a/references/d3-chat/postcss.config.mjs b/references/d3-chat/postcss.config.mjs
deleted file mode 100644
index c7bcb4b1ee1..00000000000
--- a/references/d3-chat/postcss.config.mjs
+++ /dev/null
@@ -1,5 +0,0 @@
-const config = {
-  plugins: ["@tailwindcss/postcss"],
-};
-
-export default config;
diff --git a/references/d3-chat/public/file.svg b/references/d3-chat/public/file.svg
deleted file mode 100644
index 004145cddf3..00000000000
--- a/references/d3-chat/public/file.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg fill="none" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg"><path d="M14.5 13.5V5.41a1 1 0 0 0-.3-.7L9.8.29A1 1 0 0 0 9.08 0H1.5v13.5A2.5 2.5 0 0 0 4 16h8a2.5 2.5 0 0 0 2.5-2.5m-1.5 0v-7H8v-5H3v12a1 1 0 0 0 1 1h8a1 1 0 0 0 1-1M9.5 5V2.12L12.38 5zM5.13 5h-.62v1.25h2.12V5zm-.62 3h7.12v1.25H4.5zm.62 3h-.62v1.25h7.12V11z" clip-rule="evenodd" fill="#666" fill-rule="evenodd"/></svg>
\ No newline at end of file
diff --git a/references/d3-chat/public/globe.svg b/references/d3-chat/public/globe.svg
deleted file mode 100644
index 567f17b0d7c..00000000000
--- a/references/d3-chat/public/globe.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><g clip-path="url(#a)"><path fill-rule="evenodd" clip-rule="evenodd" d="M10.27 14.1a6.5 6.5 0 0 0 3.67-3.45q-1.24.21-2.7.34-.31 1.83-.97 3.1M8 16A8 8 0 1 0 8 0a8 8 0 0 0 0 16m.48-1.52a7 7 0 0 1-.96 0H7.5a4 4 0 0 1-.84-1.32q-.38-.89-.63-2.08a40 40 0 0 0 3.92 0q-.25 1.2-.63 2.08a4 4 0 0 1-.84 1.31zm2.94-4.76q1.66-.15 2.95-.43a7 7 0 0 0 0-2.58q-1.3-.27-2.95-.43a18 18 0 0 1 0 3.44m-1.27-3.54a17 17 0 0 1 0 3.64 39 39 0 0 1-4.3 0 17 17 0 0 1 0-3.64 39 39 0 0 1 4.3 0m1.1-1.17q1.45.13 2.69.34a6.5 6.5 0 0 0-3.67-3.44q.65 1.26.98 3.1M8.48 1.5l.01.02q.41.37.84 1.31.38.89.63 2.08a40 40 0 0 0-3.92 0q.25-1.2.63-2.08a4 4 0 0 1 .85-1.32 7 7 0 0 1 .96 0m-2.75.4a6.5 6.5 0 0 0-3.67 3.44 29 29 0 0 1 2.7-.34q.31-1.83.97-3.1M4.58 6.28q-1.66.16-2.95.43a7 7 0 0 0 0 2.58q1.3.27 2.95.43a18 18 0 0 1 0-3.44m.17 4.71q-1.45-.12-2.69-.34a6.5 6.5 0 0 0 3.67 3.44q-.65-1.27-.98-3.1" fill="#666"/></g><defs><clipPath id="a"><path fill="#fff" d="M0 0h16v16H0z"/></clipPath></defs></svg>
\ No newline at end of file
diff --git a/references/d3-chat/public/next.svg b/references/d3-chat/public/next.svg
deleted file mode 100644
index 5174b28c565..00000000000
--- a/references/d3-chat/public/next.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 394 80"><path fill="#000" d="M262 0h68.5v12.7h-27.2v66.6h-13.6V12.7H262V0ZM149 0v12.7H94v20.4h44.3v12.6H94v21h55v12.6H80.5V0h68.7zm34.3 0h-17.8l63.8 79.4h17.9l-32-39.7 32-39.6h-17.9l-23 28.6-23-28.6zm18.3 56.7-9-11-27.1 33.7h17.8l18.3-22.7z"/><path fill="#000" d="M81 79.3 17 0H0v79.3h13.6V17l50.2 62.3H81Zm252.6-.4c-1 0-1.8-.4-2.5-1s-1.1-1.6-1.1-2.6.3-1.8 1-2.5 1.6-1 2.6-1 1.8.3 2.5 1a3.4 3.4 0 0 1 .6 4.3 3.7 3.7 0 0 1-3 1.8zm23.2-33.5h6v23.3c0 2.1-.4 4-1.3 5.5a9.1 9.1 0 0 1-3.8 3.5c-1.6.8-3.5 1.3-5.7 1.3-2 0-3.7-.4-5.3-1s-2.8-1.8-3.7-3.2c-.9-1.3-1.4-3-1.4-5h6c.1.8.3 1.6.7 2.2s1 1.2 1.6 1.5c.7.4 1.5.5 2.4.5 1 0 1.8-.2 2.4-.6a4 4 0 0 0 1.6-1.8c.3-.8.5-1.8.5-3V45.5zm30.9 9.1a4.4 4.4 0 0 0-2-3.3 7.5 7.5 0 0 0-4.3-1.1c-1.3 0-2.4.2-3.3.5-.9.4-1.6 1-2 1.6a3.5 3.5 0 0 0-.3 4c.3.5.7.9 1.3 1.2l1.8 1 2 .5 3.2.8c1.3.3 2.5.7 3.7 1.2a13 13 0 0 1 3.2 1.8 8.1 8.1 0 0 1 3 6.5c0 2-.5 3.7-1.5 5.1a10 10 0 0 1-4.4 3.5c-1.8.8-4.1 1.2-6.8 1.2-2.6 0-4.9-.4-6.8-1.2-2-.8-3.4-2-4.5-3.5a10 10 0 0 1-1.7-5.6h6a5 5 0 0 0 3.5 4.6c1 .4 2.2.6 3.4.6 1.3 0 2.5-.2 3.5-.6 1-.4 1.8-1 2.4-1.7a4 4 0 0 0 .8-2.4c0-.9-.2-1.6-.7-2.2a11 11 0 0 0-2.1-1.4l-3.2-1-3.8-1c-2.8-.7-5-1.7-6.6-3.2a7.2 7.2 0 0 1-2.4-5.7 8 8 0 0 1 1.7-5 10 10 0 0 1 4.3-3.5c2-.8 4-1.2 6.4-1.2 2.3 0 4.4.4 6.2 1.2 1.8.8 3.2 2 4.3 3.4 1 1.4 1.5 3 1.5 5h-5.8z"/></svg>
\ No newline at end of file
diff --git a/references/d3-chat/public/vercel.svg b/references/d3-chat/public/vercel.svg
deleted file mode 100644
index 77053960334..00000000000
--- a/references/d3-chat/public/vercel.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1155 1000"><path d="m577.3 0 577.4 1000H0z" fill="#fff"/></svg>
\ No newline at end of file
diff --git a/references/d3-chat/public/window.svg b/references/d3-chat/public/window.svg
deleted file mode 100644
index b2b2a44f6eb..00000000000
--- a/references/d3-chat/public/window.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><path fill-rule="evenodd" clip-rule="evenodd" d="M1.5 2.5h13v10a1 1 0 0 1-1 1h-11a1 1 0 0 1-1-1zM0 1h16v11.5a2.5 2.5 0 0 1-2.5 2.5h-11A2.5 2.5 0 0 1 0 12.5zm3.75 4.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5M7 4.75a.75.75 0 1 1-1.5 0 .75.75 0 0 1 1.5 0m1.75.75a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5" fill="#666"/></svg>
\ No newline at end of file
diff --git a/references/d3-chat/requirements.in b/references/d3-chat/requirements.in
deleted file mode 100644
index dcd47d2526c..00000000000
--- a/references/d3-chat/requirements.in
+++ /dev/null
@@ -1,2 +0,0 @@
-crawl4ai
-playwright
\ No newline at end of file
diff --git a/references/d3-chat/requirements.txt b/references/d3-chat/requirements.txt
deleted file mode 100644
index 30e80bc8ece..00000000000
--- a/references/d3-chat/requirements.txt
+++ /dev/null
@@ -1,218 +0,0 @@
-# This file was autogenerated by uv via the following command:
-#    uv pip compile requirements.in -o requirements.txt
-aiofiles==24.1.0
-    # via crawl4ai
-aiohappyeyeballs==2.6.1
-    # via aiohttp
-aiohttp==3.11.15
-    # via
-    #   crawl4ai
-    #   litellm
-aiosignal==1.3.2
-    # via aiohttp
-aiosqlite==0.21.0
-    # via crawl4ai
-annotated-types==0.7.0
-    # via pydantic
-anyio==4.9.0
-    # via
-    #   httpx
-    #   openai
-attrs==25.3.0
-    # via
-    #   aiohttp
-    #   jsonschema
-    #   referencing
-beautifulsoup4==4.13.3
-    # via crawl4ai
-certifi==2025.1.31
-    # via
-    #   httpcore
-    #   httpx
-    #   requests
-cffi==1.17.1
-    # via cryptography
-charset-normalizer==3.4.1
-    # via requests
-click==8.1.8
-    # via
-    #   crawl4ai
-    #   litellm
-    #   nltk
-colorama==0.4.6
-    # via crawl4ai
-crawl4ai==0.5.0.post8
-    # via -r requirements.in
-cryptography==44.0.2
-    # via pyopenssl
-cssselect==1.3.0
-    # via crawl4ai
-distro==1.9.0
-    # via openai
-fake-http-header==0.3.5
-    # via tf-playwright-stealth
-fake-useragent==2.1.0
-    # via crawl4ai
-faust-cchardet==2.1.19
-    # via crawl4ai
-filelock==3.18.0
-    # via huggingface-hub
-frozenlist==1.5.0
-    # via
-    #   aiohttp
-    #   aiosignal
-fsspec==2025.3.2
-    # via huggingface-hub
-greenlet==3.1.1
-    # via playwright
-h11==0.14.0
-    # via httpcore
-httpcore==1.0.7
-    # via httpx
-httpx==0.28.1
-    # via
-    #   crawl4ai
-    #   litellm
-    #   openai
-huggingface-hub==0.30.1
-    # via tokenizers
-humanize==4.12.2
-    # via crawl4ai
-idna==3.10
-    # via
-    #   anyio
-    #   httpx
-    #   requests
-    #   yarl
-importlib-metadata==8.6.1
-    # via litellm
-jinja2==3.1.6
-    # via litellm
-jiter==0.9.0
-    # via openai
-joblib==1.4.2
-    # via nltk
-jsonschema==4.23.0
-    # via litellm
-jsonschema-specifications==2024.10.1
-    # via jsonschema
-litellm==1.65.1
-    # via crawl4ai
-lxml==5.3.1
-    # via crawl4ai
-markdown-it-py==3.0.0
-    # via rich
-markupsafe==3.0.2
-    # via jinja2
-mdurl==0.1.2
-    # via markdown-it-py
-multidict==6.3.0
-    # via
-    #   aiohttp
-    #   yarl
-nltk==3.9.1
-    # via crawl4ai
-numpy==2.2.4
-    # via
-    #   crawl4ai
-    #   rank-bm25
-openai==1.70.0
-    # via litellm
-packaging==24.2
-    # via huggingface-hub
-pillow==10.4.0
-    # via crawl4ai
-playwright==1.51.0
-    # via
-    #   -r requirements.in
-    #   crawl4ai
-    #   tf-playwright-stealth
-propcache==0.3.1
-    # via
-    #   aiohttp
-    #   yarl
-psutil==7.0.0
-    # via crawl4ai
-pycparser==2.22
-    # via cffi
-pydantic==2.11.1
-    # via
-    #   crawl4ai
-    #   litellm
-    #   openai
-pydantic-core==2.33.0
-    # via pydantic
-pyee==12.1.1
-    # via playwright
-pygments==2.19.1
-    # via rich
-pyopenssl==25.0.0
-    # via crawl4ai
-pyperclip==1.9.0
-    # via crawl4ai
-python-dotenv==1.1.0
-    # via
-    #   crawl4ai
-    #   litellm
-pyyaml==6.0.2
-    # via huggingface-hub
-rank-bm25==0.2.2
-    # via crawl4ai
-referencing==0.36.2
-    # via
-    #   jsonschema
-    #   jsonschema-specifications
-regex==2024.11.6
-    # via
-    #   nltk
-    #   tiktoken
-requests==2.32.3
-    # via
-    #   crawl4ai
-    #   huggingface-hub
-    #   tiktoken
-rich==14.0.0
-    # via crawl4ai
-rpds-py==0.24.0
-    # via
-    #   jsonschema
-    #   referencing
-sniffio==1.3.1
-    # via
-    #   anyio
-    #   openai
-snowballstemmer==2.2.0
-    # via crawl4ai
-soupsieve==2.6
-    # via beautifulsoup4
-tf-playwright-stealth==1.1.2
-    # via crawl4ai
-tiktoken==0.9.0
-    # via litellm
-tokenizers==0.21.1
-    # via litellm
-tqdm==4.67.1
-    # via
-    #   huggingface-hub
-    #   nltk
-    #   openai
-typing-extensions==4.13.0
-    # via
-    #   aiosqlite
-    #   beautifulsoup4
-    #   huggingface-hub
-    #   openai
-    #   pydantic
-    #   pydantic-core
-    #   pyee
-    #   typing-inspection
-typing-inspection==0.4.0
-    # via pydantic
-urllib3==2.3.0
-    # via requests
-xxhash==3.5.0
-    # via crawl4ai
-yarl==1.18.3
-    # via aiohttp
-zipp==3.21.0
-    # via importlib-metadata
diff --git a/references/d3-chat/src/app/api/demo-batch-trigger/route.ts b/references/d3-chat/src/app/api/demo-batch-trigger/route.ts
deleted file mode 100644
index 9342830c329..00000000000
--- a/references/d3-chat/src/app/api/demo-batch-trigger/route.ts
+++ /dev/null
@@ -1,18 +0,0 @@
-import { NextResponse } from "next/server";
-import { tasks } from "@trigger.dev/sdk";
-import type { todoChat } from "@/trigger/chat";
-
-export async function POST(request: Request) {
-  const body = await request.json();
-
-  const handle = await tasks.batchTrigger<typeof todoChat>("todo-chat", [
-    {
-      payload: {
-        input: body.input,
-        userId: "123",
-      },
-    },
-  ]);
-
-  return NextResponse.json({ handle });
-}
diff --git a/references/d3-chat/src/app/api/demo-call-from-trigger/route.ts b/references/d3-chat/src/app/api/demo-call-from-trigger/route.ts
deleted file mode 100644
index 940c844d06d..00000000000
--- a/references/d3-chat/src/app/api/demo-call-from-trigger/route.ts
+++ /dev/null
@@ -1,5 +0,0 @@
-import { NextResponse } from "next/server";
-
-export async function POST(request: Request) {
-  return NextResponse.json({ body: "Hello, world!" });
-}
diff --git a/references/d3-chat/src/app/api/demo-trigger/route.ts b/references/d3-chat/src/app/api/demo-trigger/route.ts
deleted file mode 100644
index f97874f2620..00000000000
--- a/references/d3-chat/src/app/api/demo-trigger/route.ts
+++ /dev/null
@@ -1,14 +0,0 @@
-import { NextResponse } from "next/server";
-import { tasks } from "@trigger.dev/sdk";
-import type { todoChat } from "@/trigger/chat";
-
-export async function POST(request: Request) {
-  const body = await request.json();
-
-  const handle = await tasks.trigger<typeof todoChat>("todo-chat", {
-    input: body.input,
-    userId: "123",
-  });
-
-  return NextResponse.json({ handle });
-}
diff --git a/references/d3-chat/src/app/api/slack/interaction/route.ts b/references/d3-chat/src/app/api/slack/interaction/route.ts
deleted file mode 100644
index a5e18f81b08..00000000000
--- a/references/d3-chat/src/app/api/slack/interaction/route.ts
+++ /dev/null
@@ -1,79 +0,0 @@
-import { NextResponse } from "next/server";
-import { wait, auth } from "@trigger.dev/sdk";
-
-// Verify Slack requests middleware
-function verifySlackRequest(request: Request) {
-  // TODO: Implement Slack request verification using signing secret
-  // https://api.slack.com/authentication/verifying-requests-from-slack
-  return true;
-}
-
-export async function POST(request: Request) {
-  // Verify the request is from Slack
-  if (!verifySlackRequest(request)) {
-    return new NextResponse("Unauthorized", { status: 401 });
-  }
-
-  try {
-    // Parse the urlencoded body from Slack
-    const formData = await request.formData();
-    const payload = JSON.parse(formData.get("payload") as string);
-
-    console.log("Received Slack payload:", JSON.stringify(payload, null, 2));
-
-    // Extract the action and values
-    const action = payload.actions[0];
-    const value = JSON.parse(action.value);
-    const { tokenId, publicAccessToken, action: actionType } = value;
-
-    console.log("Parsed action values:", { tokenId, actionType });
-
-    await auth.withAuth({ accessToken: publicAccessToken }, async () => {
-      // Complete the token based on the action
-      if (actionType === "approve") {
-        console.log("Completing token with approval");
-        await wait.completeToken(tokenId, { approved: true });
-      } else if (actionType === "deny") {
-        console.log("Completing token with denial");
-        await wait.completeToken(tokenId, { approved: false });
-      }
-    });
-
-    // Update the message to show it's been processed
-    const blocks = payload.message.blocks.filter((block: any) => block.type !== "actions");
-    blocks.push({
-      type: "context",
-      elements: [
-        {
-          type: "mrkdwn",
-          text: `✅ ${actionType === "approve" ? "Approved" : "Denied"} by <@${
-            payload.user.id
-          }> at ${new Date().toLocaleTimeString()}`,
-        },
-      ],
-    });
-
-    // Send the update to Slack's response_url
-    const updateResponse = await fetch(payload.response_url, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-      },
-      body: JSON.stringify({
-        replace_original: true,
-        text: actionType === "approve" ? "Query approved" : "Query denied",
-        blocks,
-      }),
-    });
-
-    if (!updateResponse.ok) {
-      console.error("Failed to update Slack message:", await updateResponse.text());
-    }
-
-    // Return an empty 200 OK response
-    return new NextResponse(null, { status: 200 });
-  } catch (error) {
-    console.error("Error processing Slack interaction:", error);
-    return new NextResponse("Internal Server Error", { status: 500 });
-  }
-}
diff --git a/references/d3-chat/src/app/favicon.ico b/references/d3-chat/src/app/favicon.ico
deleted file mode 100644
index 718d6fea483..00000000000
Binary files a/references/d3-chat/src/app/favicon.ico and /dev/null differ
diff --git a/references/d3-chat/src/app/globals.css b/references/d3-chat/src/app/globals.css
deleted file mode 100644
index dc98be74c47..00000000000
--- a/references/d3-chat/src/app/globals.css
+++ /dev/null
@@ -1,122 +0,0 @@
-@import "tailwindcss";
-@import "tw-animate-css";
-
-@custom-variant dark (&:is(.dark *));
-
-@theme inline {
-  --color-background: var(--background);
-  --color-foreground: var(--foreground);
-  --font-sans: var(--font-geist-sans);
-  --font-mono: var(--font-geist-mono);
-  --color-sidebar-ring: var(--sidebar-ring);
-  --color-sidebar-border: var(--sidebar-border);
-  --color-sidebar-accent-foreground: var(--sidebar-accent-foreground);
-  --color-sidebar-accent: var(--sidebar-accent);
-  --color-sidebar-primary-foreground: var(--sidebar-primary-foreground);
-  --color-sidebar-primary: var(--sidebar-primary);
-  --color-sidebar-foreground: var(--sidebar-foreground);
-  --color-sidebar: var(--sidebar);
-  --color-chart-5: var(--chart-5);
-  --color-chart-4: var(--chart-4);
-  --color-chart-3: var(--chart-3);
-  --color-chart-2: var(--chart-2);
-  --color-chart-1: var(--chart-1);
-  --color-ring: var(--ring);
-  --color-input: var(--input);
-  --color-border: var(--border);
-  --color-destructive: var(--destructive);
-  --color-accent-foreground: var(--accent-foreground);
-  --color-accent: var(--accent);
-  --color-muted-foreground: var(--muted-foreground);
-  --color-muted: var(--muted);
-  --color-secondary-foreground: var(--secondary-foreground);
-  --color-secondary: var(--secondary);
-  --color-primary-foreground: var(--primary-foreground);
-  --color-primary: var(--primary);
-  --color-popover-foreground: var(--popover-foreground);
-  --color-popover: var(--popover);
-  --color-card-foreground: var(--card-foreground);
-  --color-card: var(--card);
-  --radius-sm: calc(var(--radius) - 4px);
-  --radius-md: calc(var(--radius) - 2px);
-  --radius-lg: var(--radius);
-  --radius-xl: calc(var(--radius) + 4px);
-}
-
-:root {
-  --radius: 0.625rem;
-  --background: oklch(1 0 0);
-  --foreground: oklch(0.145 0 0);
-  --card: oklch(1 0 0);
-  --card-foreground: oklch(0.145 0 0);
-  --popover: oklch(1 0 0);
-  --popover-foreground: oklch(0.145 0 0);
-  --primary: oklch(0.205 0 0);
-  --primary-foreground: oklch(0.985 0 0);
-  --secondary: oklch(0.97 0 0);
-  --secondary-foreground: oklch(0.205 0 0);
-  --muted: oklch(0.97 0 0);
-  --muted-foreground: oklch(0.556 0 0);
-  --accent: oklch(0.97 0 0);
-  --accent-foreground: oklch(0.205 0 0);
-  --destructive: oklch(0.577 0.245 27.325);
-  --border: oklch(0.922 0 0);
-  --input: oklch(0.922 0 0);
-  --ring: oklch(0.708 0 0);
-  --chart-1: oklch(0.646 0.222 41.116);
-  --chart-2: oklch(0.6 0.118 184.704);
-  --chart-3: oklch(0.398 0.07 227.392);
-  --chart-4: oklch(0.828 0.189 84.429);
-  --chart-5: oklch(0.769 0.188 70.08);
-  --sidebar: oklch(0.985 0 0);
-  --sidebar-foreground: oklch(0.145 0 0);
-  --sidebar-primary: oklch(0.205 0 0);
-  --sidebar-primary-foreground: oklch(0.985 0 0);
-  --sidebar-accent: oklch(0.97 0 0);
-  --sidebar-accent-foreground: oklch(0.205 0 0);
-  --sidebar-border: oklch(0.922 0 0);
-  --sidebar-ring: oklch(0.708 0 0);
-}
-
-.dark {
-  --background: oklch(0.145 0 0);
-  --foreground: oklch(0.985 0 0);
-  --card: oklch(0.205 0 0);
-  --card-foreground: oklch(0.985 0 0);
-  --popover: oklch(0.205 0 0);
-  --popover-foreground: oklch(0.985 0 0);
-  --primary: oklch(0.922 0 0);
-  --primary-foreground: oklch(0.205 0 0);
-  --secondary: oklch(0.269 0 0);
-  --secondary-foreground: oklch(0.985 0 0);
-  --muted: oklch(0.269 0 0);
-  --muted-foreground: oklch(0.708 0 0);
-  --accent: oklch(0.269 0 0);
-  --accent-foreground: oklch(0.985 0 0);
-  --destructive: oklch(0.704 0.191 22.216);
-  --border: oklch(1 0 0 / 10%);
-  --input: oklch(1 0 0 / 15%);
-  --ring: oklch(0.556 0 0);
-  --chart-1: oklch(0.488 0.243 264.376);
-  --chart-2: oklch(0.696 0.17 162.48);
-  --chart-3: oklch(0.769 0.188 70.08);
-  --chart-4: oklch(0.627 0.265 303.9);
-  --chart-5: oklch(0.645 0.246 16.439);
-  --sidebar: oklch(0.205 0 0);
-  --sidebar-foreground: oklch(0.985 0 0);
-  --sidebar-primary: oklch(0.488 0.243 264.376);
-  --sidebar-primary-foreground: oklch(0.985 0 0);
-  --sidebar-accent: oklch(0.269 0 0);
-  --sidebar-accent-foreground: oklch(0.985 0 0);
-  --sidebar-border: oklch(1 0 0 / 10%);
-  --sidebar-ring: oklch(0.556 0 0);
-}
-
-@layer base {
-  * {
-    @apply border-border outline-ring/50;
-  }
-  body {
-    @apply bg-background text-foreground;
-  }
-}
diff --git a/references/d3-chat/src/app/layout.tsx b/references/d3-chat/src/app/layout.tsx
deleted file mode 100644
index e585c88eb2b..00000000000
--- a/references/d3-chat/src/app/layout.tsx
+++ /dev/null
@@ -1,30 +0,0 @@
-import type { Metadata } from "next";
-import { Geist, Geist_Mono } from "next/font/google";
-import "./globals.css";
-
-const geistSans = Geist({
-  variable: "--font-geist-sans",
-  subsets: ["latin"],
-});
-
-const geistMono = Geist_Mono({
-  variable: "--font-geist-mono",
-  subsets: ["latin"],
-});
-
-export const metadata: Metadata = {
-  title: "Todo Chat",
-  description: "Todo Chat",
-};
-
-export default function RootLayout({
-  children,
-}: Readonly<{
-  children: React.ReactNode;
-}>) {
-  return (
-    <html lang="en">
-      <body className={`${geistSans.variable} ${geistMono.variable} antialiased`}>{children}</body>
-    </html>
-  );
-}
diff --git a/references/d3-chat/src/app/page.tsx b/references/d3-chat/src/app/page.tsx
deleted file mode 100644
index 64d1424bb7c..00000000000
--- a/references/d3-chat/src/app/page.tsx
+++ /dev/null
@@ -1,16 +0,0 @@
-import { ChatContainer } from "@/components/chat-container";
-import { Header } from "@/components/header";
-import { auth } from "@trigger.dev/sdk";
-
-export default async function Home() {
-  const triggerToken = await auth.createTriggerPublicToken("todo-chat");
-
-  return (
-    <div className="min-h-screen bg-gray-50">
-      <Header />
-      <main className="container mx-auto px-4 py-6">
-        <ChatContainer triggerToken={triggerToken} />
-      </main>
-    </div>
-  );
-}
diff --git a/references/d3-chat/src/components/chat-container.tsx b/references/d3-chat/src/components/chat-container.tsx
deleted file mode 100644
index b40150e5b30..00000000000
--- a/references/d3-chat/src/components/chat-container.tsx
+++ /dev/null
@@ -1,204 +0,0 @@
-"use client";
-
-import { ChatInput } from "./chat-input";
-import { ChatMessage } from "./chat-message";
-import { ToolCallMessage } from "./tool-call-message";
-import { useRealtimeTaskTriggerWithStreams } from "@trigger.dev/react-hooks";
-import type { todoChat, STREAMS } from "../trigger/chat";
-import { TextStreamPart } from "ai";
-
-type MessageBase = {
-  id: string;
-  role: "user" | "assistant" | "tool";
-};
-
-type UserMessage = MessageBase & {
-  role: "user";
-  content: string;
-};
-
-type AssistantMessage = MessageBase & {
-  role: "assistant";
-  content: string;
-};
-
-type ToolMessage = MessageBase & {
-  role: "tool";
-  name: string;
-  input: any;
-  output?: any;
-};
-
-type Message = UserMessage | AssistantMessage | ToolMessage;
-
-function getMessagesFromRun(
-  run: NonNullable<
-    ReturnType<typeof useRealtimeTaskTriggerWithStreams<typeof todoChat, STREAMS>>["run"]
-  >,
-  fullStream: TextStreamPart<any>[] = []
-): Message[] {
-  const messages: Message[] = [];
-
-  // Add the user message
-  if (run.payload) {
-    messages.push({
-      id: `user-${run.id}`,
-      role: "user",
-      content: run.payload.input,
-    });
-  }
-
-  // Track the current assistant message content
-  let currentAssistantContent = "";
-
-  // Keep track of tool calls and their results
-  const toolCalls = new Map<string, ToolMessage>();
-
-  // Process the stream
-  for (const part of fullStream) {
-    if (part.type === "tool-call") {
-      const toolMessage: ToolMessage = {
-        id: `tool-${part.toolCallId}`,
-        role: "tool",
-        name: part.toolName,
-        input: part.input,
-      };
-      toolCalls.set(part.toolCallId, toolMessage);
-      messages.push(toolMessage);
-    } else if (part.type === "tool-result") {
-      const toolMessage = toolCalls.get(part.toolCallId);
-      if (toolMessage) {
-        toolMessage.output = part.output;
-      }
-    } else if (part.type === "text-delta") {
-      currentAssistantContent += part.text;
-
-      // Find or create the assistant message
-      const lastMessage = messages[messages.length - 1];
-      if (lastMessage?.role === "assistant") {
-        messages[messages.length - 1] = {
-          ...lastMessage,
-          content: currentAssistantContent,
-        };
-      } else {
-        messages.push({
-          id: `assistant-${run.id}-${messages.length}`,
-          role: "assistant",
-          content: currentAssistantContent,
-        });
-      }
-    }
-  }
-
-  return messages;
-}
-
-export function useTodoChat({ accessToken }: { accessToken: string }) {
-  const triggerInstance = useRealtimeTaskTriggerWithStreams<typeof todoChat, STREAMS>("todo-chat", {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-    skipColumns: ["isTest"],
-  });
-
-  const messages = triggerInstance.run
-    ? getMessagesFromRun(triggerInstance.run, triggerInstance.streams?.fullStream)
-    : [];
-
-  // Consider it submitting if we have a run but no streams yet
-  const isSubmitting =
-    (triggerInstance.run !== null &&
-      !triggerInstance.streams?.fullStream &&
-      triggerInstance.handle === null) ||
-    triggerInstance.isLoading;
-
-  const dashboardUrl = triggerInstance.run
-    ? `${process.env.NEXT_PUBLIC_DASHBOARD_RUNS_URL}/${triggerInstance.run.id}`
-    : null;
-
-  return {
-    ...triggerInstance,
-    messages,
-    isSubmitting,
-    dashboardUrl,
-  };
-}
-
-export function ChatContainer({ triggerToken }: { triggerToken: string }) {
-  const { messages, submit, isSubmitting, dashboardUrl } = useTodoChat({
-    accessToken: triggerToken,
-  });
-
-  return (
-    <div className="max-w-6xl mx-auto h-[calc(100vh-5rem)] mb-4">
-      <div className="bg-white border-x border-gray-200 h-full flex flex-col">
-        <div className="border-b border-gray-200 px-4 py-2 flex items-center shrink-0">
-          <h2 className="text-sm font-medium text-gray-700">Chat Session</h2>
-          <span className="ml-2 bg-green-100 text-green-800 text-xs px-2 py-0.5 rounded-full">
-            Active
-          </span>
-          {dashboardUrl && (
-            <a
-              href={dashboardUrl}
-              target="_blank"
-              rel="noopener noreferrer"
-              className="ml-2 text-xs text-blue-500 hover:text-blue-700 flex items-center gap-1"
-            >
-              <svg
-                xmlns="http://www.w3.org/2000/svg"
-                className="h-3 w-3"
-                viewBox="0 0 20 20"
-                fill="currentColor"
-              >
-                <path d="M11 3a1 1 0 100 2h2.586l-6.293 6.293a1 1 0 101.414 1.414L15 6.414V9a1 1 0 102 0V4a1 1 0 00-1-1h-5z" />
-                <path d="M5 5a2 2 0 00-2 2v8a2 2 0 002 2h8a2 2 0 002-2v-3a1 1 0 10-2 0v3H5V7h3a1 1 0 000-2H5z" />
-              </svg>
-              View Run
-            </a>
-          )}
-          <div className="ml-auto flex space-x-2">
-            <button className="text-xs text-gray-500 hover:text-gray-700 px-2 py-1 border border-gray-200 rounded">
-              Clear
-            </button>
-            <button className="text-xs text-gray-500 hover:text-gray-700 px-2 py-1 border border-gray-200 rounded">
-              Export
-            </button>
-          </div>
-        </div>
-
-        <div className="flex-1 overflow-y-auto">
-          <div className="p-4 space-y-4">
-            {messages.map((message) =>
-              message.role === "tool" ? (
-                <ToolCallMessage
-                  key={message.id}
-                  name={message.name}
-                  input={message.input}
-                  output={message.output}
-                />
-              ) : (
-                <ChatMessage
-                  key={message.id}
-                  role={message.role}
-                  content={message.content}
-                  id={message.id}
-                />
-              )
-            )}
-          </div>
-        </div>
-
-        <div className="border-t border-gray-200 p-3 shrink-0">
-          <ChatInput
-            isSubmitting={isSubmitting}
-            onSubmit={(input) => {
-              submit({
-                input,
-                userId: "user_1234",
-              });
-            }}
-          />
-        </div>
-      </div>
-    </div>
-  );
-}
diff --git a/references/d3-chat/src/components/chat-input.tsx b/references/d3-chat/src/components/chat-input.tsx
deleted file mode 100644
index ea58b10223c..00000000000
--- a/references/d3-chat/src/components/chat-input.tsx
+++ /dev/null
@@ -1,44 +0,0 @@
-import { useState } from "react";
-
-interface ChatInputProps {
-  onSubmit: (input: string) => void;
-  isSubmitting?: boolean;
-}
-
-export function ChatInput({ onSubmit, isSubmitting = false }: ChatInputProps) {
-  const [input, setInput] = useState("");
-
-  function handleSubmit() {
-    if (!input.trim() || isSubmitting) return;
-    onSubmit(input);
-    setInput("");
-  }
-
-  return (
-    <div className="flex items-center">
-      <div className="flex-grow relative">
-        <input
-          type="text"
-          placeholder="Type your message..."
-          className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-blue-500 focus:border-transparent"
-          value={input}
-          onChange={(e) => setInput(e.target.value)}
-          onKeyDown={(e) => {
-            if (e.key === "Enter" && !e.shiftKey) {
-              e.preventDefault();
-              handleSubmit();
-            }
-          }}
-          disabled={isSubmitting}
-        />
-      </div>
-      <button
-        className="ml-2 px-4 py-2 bg-blue-600 text-white rounded-lg font-medium text-sm disabled:opacity-50 disabled:cursor-not-allowed hover:bg-blue-700 transition-colors"
-        onClick={handleSubmit}
-        disabled={isSubmitting || !input.trim()}
-      >
-        {isSubmitting ? "Sending..." : "Send"}
-      </button>
-    </div>
-  );
-}
diff --git a/references/d3-chat/src/components/chat-message.tsx b/references/d3-chat/src/components/chat-message.tsx
deleted file mode 100644
index 5e85f98cee6..00000000000
--- a/references/d3-chat/src/components/chat-message.tsx
+++ /dev/null
@@ -1,59 +0,0 @@
-import { Avatar } from "@/components/ui/avatar";
-import ReactMarkdown from "react-markdown";
-import { marked } from "marked";
-
-interface ChatMessageProps {
-  role: "user" | "assistant";
-  content: string;
-  id: string;
-}
-
-function parseMarkdownIntoBlocks(markdown: string): string[] {
-  const tokens = marked.lexer(markdown);
-  return tokens.map((token) => token.raw);
-}
-
-const ParsedMarkdown = ({ content, id }: { content: string; id: string }) => {
-  const blocks = parseMarkdownIntoBlocks(content);
-
-  return blocks.map((block, index) => <ReactMarkdown key={index}>{block}</ReactMarkdown>);
-};
-
-export function ChatMessage({ role, content, id }: ChatMessageProps) {
-  return (
-    <div className={`flex ${role === "user" ? "justify-end" : "justify-start"}`}>
-      <div className={`flex max-w-[80%] ${role === "user" ? "flex-row-reverse" : "flex-row"}`}>
-        <div className="flex-shrink-0">
-          <Avatar className="h-8 w-8">
-            <div
-              className={`flex h-full w-full items-center justify-center rounded-full ${
-                role === "user" ? "bg-blue-100 text-blue-600" : "bg-gray-100 text-gray-600"
-              }`}
-            >
-              {role === "user" ? "U" : "A"}
-            </div>
-          </Avatar>
-        </div>
-
-        <div className={`mx-2 ${role === "user" ? "text-right" : "text-left"}`}>
-          <div className="text-xs text-gray-500 mb-1">{role === "user" ? "You" : "Assistant"}</div>
-          <div
-            className={`px-4 py-3 rounded-lg ${
-              role === "user"
-                ? "bg-blue-50 border border-blue-100 text-gray-800"
-                : "bg-white border border-gray-200 text-gray-800"
-            }`}
-          >
-            {role === "assistant" ? (
-              <div className="prose prose-sm max-w-none prose-pre:bg-gray-800 prose-pre:text-gray-100">
-                <ParsedMarkdown content={content} id={id} />
-              </div>
-            ) : (
-              <div className="whitespace-pre-wrap text-sm">{content}</div>
-            )}
-          </div>
-        </div>
-      </div>
-    </div>
-  );
-}
diff --git a/references/d3-chat/src/components/header.tsx b/references/d3-chat/src/components/header.tsx
deleted file mode 100644
index 9cdcdc0eda4..00000000000
--- a/references/d3-chat/src/components/header.tsx
+++ /dev/null
@@ -1,16 +0,0 @@
-export function Header() {
-  return (
-    <header className="border-b border-gray-200 bg-white">
-      <div className="container mx-auto px-4 py-3 flex items-center justify-between">
-        <div className="flex items-center space-x-2">
-          <span className="font-mono text-lg font-semibold">Todo Chat</span>
-          <span className="bg-gray-100 text-gray-600 text-xs px-2 py-1 rounded">v1.0.0</span>
-        </div>
-        <div className="flex items-center space-x-4">
-          <div className="text-sm text-gray-500">user_123456</div>
-        </div>
-      </div>
-    </header>
-  )
-}
-
diff --git a/references/d3-chat/src/components/tool-call-message.tsx b/references/d3-chat/src/components/tool-call-message.tsx
deleted file mode 100644
index 01ba5300fd4..00000000000
--- a/references/d3-chat/src/components/tool-call-message.tsx
+++ /dev/null
@@ -1,71 +0,0 @@
-interface ToolCallMessageProps {
-  name: string;
-  input: any;
-  output?: any;
-}
-
-export function ToolCallMessage({ name, input, output }: ToolCallMessageProps) {
-  const hasOutput = output !== undefined;
-
-  return (
-    <div className="flex justify-start">
-      <div className="w-full max-w-[90%] bg-gray-50 border border-gray-200 rounded-lg overflow-hidden">
-        <div className="bg-gray-100 px-4 py-2 flex items-center">
-          <div className="flex items-center">
-            <span
-              className={`h-3 w-3 rounded-full mr-2 ${
-                hasOutput ? "bg-green-500" : "bg-yellow-500 animate-pulse"
-              }`}
-            ></span>
-            <span className="font-mono text-sm font-medium text-gray-700">{name}</span>
-          </div>
-          <span className="ml-2 text-xs text-gray-500">
-            Tool Call {!hasOutput && "(Running...)"}
-          </span>
-        </div>
-
-        <div className="p-4 space-y-3">
-          <div>
-            <div className="text-xs font-medium text-gray-500 mb-1">Input</div>
-            <pre className="bg-gray-800 text-gray-200 p-3 rounded text-xs overflow-x-auto">
-              {JSON.stringify(input, null, 2)}
-            </pre>
-          </div>
-
-          {hasOutput ? (
-            <div>
-              <div className="text-xs font-medium text-gray-500 mb-1">Output</div>
-              <pre className="bg-gray-800 text-gray-200 p-3 rounded text-xs overflow-x-auto">
-                {JSON.stringify(output, null, 2)}
-              </pre>
-            </div>
-          ) : (
-            <div className="flex items-center space-x-2 text-sm text-gray-500">
-              <svg
-                className="animate-spin h-4 w-4"
-                xmlns="http://www.w3.org/2000/svg"
-                fill="none"
-                viewBox="0 0 24 24"
-              >
-                <circle
-                  className="opacity-25"
-                  cx="12"
-                  cy="12"
-                  r="10"
-                  stroke="currentColor"
-                  strokeWidth="4"
-                ></circle>
-                <path
-                  className="opacity-75"
-                  fill="currentColor"
-                  d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"
-                ></path>
-              </svg>
-              <span>Waiting for result...</span>
-            </div>
-          )}
-        </div>
-      </div>
-    </div>
-  );
-}
diff --git a/references/d3-chat/src/components/ui/avatar.tsx b/references/d3-chat/src/components/ui/avatar.tsx
deleted file mode 100644
index 71e428b4ca6..00000000000
--- a/references/d3-chat/src/components/ui/avatar.tsx
+++ /dev/null
@@ -1,53 +0,0 @@
-"use client"
-
-import * as React from "react"
-import * as AvatarPrimitive from "@radix-ui/react-avatar"
-
-import { cn } from "@/lib/utils"
-
-function Avatar({
-  className,
-  ...props
-}: React.ComponentProps<typeof AvatarPrimitive.Root>) {
-  return (
-    <AvatarPrimitive.Root
-      data-slot="avatar"
-      className={cn(
-        "relative flex size-8 shrink-0 overflow-hidden rounded-full",
-        className
-      )}
-      {...props}
-    />
-  )
-}
-
-function AvatarImage({
-  className,
-  ...props
-}: React.ComponentProps<typeof AvatarPrimitive.Image>) {
-  return (
-    <AvatarPrimitive.Image
-      data-slot="avatar-image"
-      className={cn("aspect-square size-full", className)}
-      {...props}
-    />
-  )
-}
-
-function AvatarFallback({
-  className,
-  ...props
-}: React.ComponentProps<typeof AvatarPrimitive.Fallback>) {
-  return (
-    <AvatarPrimitive.Fallback
-      data-slot="avatar-fallback"
-      className={cn(
-        "bg-muted flex size-full items-center justify-center rounded-full",
-        className
-      )}
-      {...props}
-    />
-  )
-}
-
-export { Avatar, AvatarImage, AvatarFallback }
diff --git a/references/d3-chat/src/extensions/playwright.ts b/references/d3-chat/src/extensions/playwright.ts
deleted file mode 100644
index 178bed23d1d..00000000000
--- a/references/d3-chat/src/extensions/playwright.ts
+++ /dev/null
@@ -1,36 +0,0 @@
-import type { BuildContext, BuildExtension } from "@trigger.dev/build";
-
-// This is a custom build extension to install Playwright and Chromium
-export function installPlaywrightChromium(): BuildExtension {
-  return {
-    name: "InstallPlaywrightChromium",
-    onBuildComplete(context: BuildContext) {
-      const instructions = [
-        // Base and Chromium dependencies
-        `RUN apt-get update && apt-get install -y --no-install-recommends \
-          curl unzip npm libnspr4 libatk1.0-0 libatk-bridge2.0-0 libatspi2.0-0 \
-          libasound2 libnss3 libxcomposite1 libxdamage1 libxfixes3 libxrandr2 \
-          libgbm1 libxkbcommon0 \
-          && apt-get clean && rm -rf /var/lib/apt/lists/*`,
-
-        // Install Playwright and Chromium
-        `RUN npm install -g playwright`,
-        `RUN mkdir -p /ms-playwright`,
-        `RUN PLAYWRIGHT_BROWSERS_PATH=/ms-playwright python -m playwright install --with-deps chromium`,
-      ];
-
-      context.addLayer({
-        id: "playwright",
-        image: { instructions },
-        deploy: {
-          env: {
-            PLAYWRIGHT_BROWSERS_PATH: "/ms-playwright",
-            PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1",
-            PLAYWRIGHT_SKIP_BROWSER_VALIDATION: "1",
-          },
-          override: true,
-        },
-      });
-    },
-  };
-}
diff --git a/references/d3-chat/src/instrumentation.ts b/references/d3-chat/src/instrumentation.ts
deleted file mode 100644
index b4ca035bf73..00000000000
--- a/references/d3-chat/src/instrumentation.ts
+++ /dev/null
@@ -1,5 +0,0 @@
-import { registerOTel } from "@vercel/otel";
-
-export function register() {
-  registerOTel({ serviceName: "d3-chat", traceSampler: "traceidratio" });
-}
diff --git a/references/d3-chat/src/lib/migrate.ts b/references/d3-chat/src/lib/migrate.ts
deleted file mode 100644
index 7a32a1bc48d..00000000000
--- a/references/d3-chat/src/lib/migrate.ts
+++ /dev/null
@@ -1,49 +0,0 @@
-import { sql } from "@vercel/postgres";
-
-export async function migrate(direction: "up" | "down") {
-  if (direction === "up") {
-    await migrateUp();
-  } else {
-    await migrateDown();
-  }
-}
-
-export async function migrateUp() {
-  const createTable = await sql`
-    CREATE TABLE IF NOT EXISTS todos (
-      id VARCHAR(255) PRIMARY KEY,
-      user_id VARCHAR(255) NOT NULL,
-      title VARCHAR(255) NOT NULL,
-      description TEXT,
-      status VARCHAR(50) NOT NULL DEFAULT 'pending',
-      priority INTEGER NOT NULL DEFAULT 3,
-      due_date TIMESTAMP WITH TIME ZONE,
-      created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
-      updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
-      completed_at TIMESTAMP WITH TIME ZONE,
-      tags TEXT[], -- Array of tags
-      assigned_to VARCHAR(255)
-    );
-  `;
-
-  console.log(`Created "todos" table`);
-
-  return {
-    createTable,
-  };
-}
-
-export async function migrateDown() {
-  const dropTable = await sql`
-    DROP TABLE IF EXISTS todos;
-  `;
-
-  console.log(`Dropped "todos" table`);
-}
-
-async function main() {
-  const direction = process.argv[2];
-  await migrate(direction as "up" | "down");
-}
-
-main().catch(console.error);
diff --git a/references/d3-chat/src/lib/slack.ts b/references/d3-chat/src/lib/slack.ts
deleted file mode 100644
index 3698c700c6f..00000000000
--- a/references/d3-chat/src/lib/slack.ts
+++ /dev/null
@@ -1,114 +0,0 @@
-import { WebClient } from "@slack/web-api";
-import { logger } from "@trigger.dev/sdk";
-
-// Initialize the Slack client
-const slack = new WebClient(process.env.SLACK_BOT_TOKEN);
-
-type SendApprovalMessageParams = {
-  query: string;
-  userId: string;
-  tokenId: string;
-  publicAccessToken: string;
-  input: string;
-};
-
-export async function sendSQLApprovalMessage({
-  query,
-  userId,
-  tokenId,
-  publicAccessToken,
-  input,
-}: SendApprovalMessageParams) {
-  return await logger.trace(
-    "sendSQLApprovalMessage",
-    async (span) => {
-      const response = await slack.chat.postMessage({
-        channel: process.env.SLACK_CHANNEL_ID!,
-        text: `SQL Query Approval Required for user ${userId}`, // Fallback text for notifications
-        blocks: [
-          {
-            type: "header",
-            text: {
-              type: "plain_text",
-              text: "🚨 SQL Query Approval Required",
-              emoji: true,
-            },
-          },
-          {
-            type: "context",
-            elements: [
-              {
-                type: "mrkdwn",
-                text: `*Requested by:* <@${userId}>`,
-              },
-            ],
-          },
-          {
-            type: "section",
-            text: {
-              type: "mrkdwn",
-              text: "*User Request:*\n" + input,
-            },
-          },
-          {
-            type: "section",
-            text: {
-              type: "mrkdwn",
-              text: "*Generated Query:*\n```sql\n" + query + "\n```",
-            },
-          },
-          {
-            type: "actions",
-            block_id: "sql_approval_actions",
-            elements: [
-              {
-                type: "button",
-                text: {
-                  type: "plain_text",
-                  text: "Approve ✅",
-                  emoji: true,
-                },
-                style: "primary",
-                value: JSON.stringify({
-                  tokenId,
-                  publicAccessToken,
-                  action: "approve",
-                }),
-                action_id: "sql_approve",
-              },
-              {
-                type: "button",
-                text: {
-                  type: "plain_text",
-                  text: "Deny ❌",
-                  emoji: true,
-                },
-                style: "danger",
-                value: JSON.stringify({
-                  tokenId,
-                  publicAccessToken,
-                  action: "deny",
-                }),
-                action_id: "sql_deny",
-              },
-            ],
-          },
-          {
-            type: "context",
-            elements: [
-              {
-                type: "mrkdwn",
-                text: "⚠️ This action cannot be undone",
-              },
-            ],
-          },
-        ],
-      });
-
-      return response;
-    },
-    {
-      icon: "tabler-brand-slack",
-    }
-  );
-}
diff --git a/references/d3-chat/src/lib/utils.ts b/references/d3-chat/src/lib/utils.ts
deleted file mode 100644
index bd0c391ddd1..00000000000
--- a/references/d3-chat/src/lib/utils.ts
+++ /dev/null
@@ -1,6 +0,0 @@
-import { clsx, type ClassValue } from "clsx"
-import { twMerge } from "tailwind-merge"
-
-export function cn(...inputs: ClassValue[]) {
-  return twMerge(clsx(inputs))
-}
diff --git a/references/d3-chat/src/trigger/chat.ts b/references/d3-chat/src/trigger/chat.ts
deleted file mode 100644
index da07621046d..00000000000
--- a/references/d3-chat/src/trigger/chat.ts
+++ /dev/null
@@ -1,693 +0,0 @@
-import { anthropic } from "@ai-sdk/anthropic";
-import { openai } from "@ai-sdk/openai";
-import { ai } from "@trigger.dev/sdk/ai";
-import { logger, metadata, runs, schemaTask, tasks, wait, otel, task } from "@trigger.dev/sdk/v3";
-import { sql } from "@vercel/postgres";
-import {
-  ModelMessage,
-  streamText,
-  TextStreamPart,
-  tool,
-  stepCountIs,
-  createUIMessageStream,
-  UIMessageStreamWriter,
-} from "ai";
-import { nanoid } from "nanoid";
-import { z } from "zod";
-import { sendSQLApprovalMessage } from "../lib/slack";
-import { crawler } from "./crawler";
-import { chartTool } from "./sandbox";
-import { QueryApproval } from "./schemas";
-import { context, propagation } from "@opentelemetry/api";
-
-async function callNextjsApp() {
-  return await otel.withExternalTrace(async () => {
-    const headersObject = {};
-
-    propagation.inject(context.active(), headersObject);
-
-    const result = await fetch("http://localhost:3000/api/demo-call-from-trigger", {
-      headers: new Headers(headersObject),
-      method: "POST",
-      body: JSON.stringify({
-        message: "Hello from Trigger.dev",
-      }),
-    });
-
-    return result.json();
-  });
-}
-
-const queryApprovalTask = schemaTask({
-  id: "query-approval",
-  description: "Get approval for a SQL query from an admin",
-  schema: z.object({
-    userId: z.string().describe("The user_id to get approval for"),
-    input: z.string().describe("The input to get approval for"),
-    query: z.string().describe("The SQL query to execute"),
-  }),
-  run: async ({ userId, input, query }) => {
-    logger.info("queryApproval: starting", { projectRef: process.env.TRIGGER_PROJECT_REF });
-
-    await callNextjsApp();
-
-    const token = await wait.createToken({
-      tags: [`user:${userId}`, "approval"],
-      timeout: "5m", // timeout in 5 minutes
-    });
-
-    await sendSQLApprovalMessage({
-      query,
-      userId,
-      tokenId: token.id,
-      publicAccessToken: token.publicAccessToken,
-      input,
-    });
-
-    const result = await wait.forToken<QueryApproval>(token);
-
-    // result.ok === false if the token timed out
-    if (!result.ok) {
-      logger.debug("queryApproval: token timed out");
-
-      return {
-        approved: false,
-      };
-    } else {
-      return result.output;
-    }
-  },
-});
-
-const queryApproval = ai.tool(queryApprovalTask);
-
-// const queryApprovalTask = task({
-//   id: "query-approval",
-//   description: "Get approval for a SQL query from an admin",
-//   jsonSchema: {
-//     type: "object",
-//     properties: {
-//       userId: { type: "string", description: "The user_id to get approval for" },
-//       input: { type: "string", description: "The input to get approval for" },
-//       query: { type: "string", description: "The SQL query to execute" },
-//     },
-//     required: ["userId", "input", "query"],
-//     additionalProperties: false,
-//   },
-//   run: async ({ userId, input, query }: { userId: string; input: string; query: string }) => {
-//     logger.info("queryApproval: starting", { projectRef: process.env.TRIGGER_PROJECT_REF });
-
-//     await callNextjsApp();
-
-//     const token = await wait.createToken({
-//       tags: [`user:${userId}`, "approval"],
-//       timeout: "5m", // timeout in 5 minutes
-//     });
-
-//     await sendSQLApprovalMessage({
-//       query,
-//       userId,
-//       tokenId: token.id,
-//       publicAccessToken: token.publicAccessToken,
-//       input,
-//     });
-
-//     const result = await wait.forToken<QueryApproval>(token);
-
-//     // result.ok === false if the token timed out
-//     if (!result.ok) {
-//       logger.debug("queryApproval: token timed out");
-
-//       return {
-//         approved: false,
-//       };
-//     } else {
-//       return result.output;
-//     }
-//   },
-// });
-
-// const queryApproval = ai.tool(queryApprovalTask);
-
-const executeSql = tool({
-  description: "Use this tool to execute a SQL query",
-  inputSchema: z.object({
-    query: z.string().describe("The SQL query to execute"),
-  }),
-  execute: async ({ query }) => {
-    // DANGER: This is a dangerous tool, it can execute arbitrary SQL queries.
-    const result = await sql.query(query);
-
-    return result.rows;
-  },
-});
-
-const generateId = tool({
-  description: "Use this tool to generate a unique ID for a todo",
-  inputSchema: z.object({
-    prefix: z.string().describe("The prefix for the ID (defaults to 'todo')").default("todo"),
-  }),
-  execute: async ({ prefix }) => {
-    return `${prefix}_${nanoid(12)}`;
-  },
-});
-
-const getUserTodos = tool({
-  description: "Use this tool to get all todos for a user",
-  inputSchema: z.object({
-    userId: z.string().describe("The user_id to get todos for"),
-  }),
-  execute: async ({ userId }) => {
-    const result = await sql`SELECT * FROM todos WHERE user_id = ${userId}`;
-
-    return result.rows;
-  },
-});
-
-const getUserId = tool({
-  description: "Use this tool to get the user_id for the current user",
-  inputSchema: z.object({}),
-  execute: async () => {
-    const userId = metadata.get("user_id");
-
-    if (!userId) {
-      throw new Error("No user_id found");
-    }
-
-    return userId;
-  },
-});
-
-export const todoChat = schemaTask({
-  id: "todo-chat",
-  description: "Chat with the todo app",
-  retry: {
-    maxAttempts: 3,
-    maxTimeoutInMs: 10000,
-  },
-  queue: {
-    concurrencyLimit: 1,
-  },
-  schema: z.object({
-    input: z
-      .string()
-      .describe(
-        "The input to chat with the todo app. Will be a request to read or update the todo list."
-      ),
-    userId: z.string(),
-  }),
-  run: async ({ input, userId }, { signal }) => {
-    metadata.set("user_id", userId);
-
-    const system = `
-      You are a SQL (postgres) expert who can turn natural language descriptions for a todo app 
-      into a SQL query which can then be executed against a SQL database. Here is the schema:
-      
-      CREATE TABLE IF NOT EXISTS todos (
-        id VARCHAR(255) PRIMARY KEY,
-        user_id VARCHAR(255) NOT NULL,
-        title VARCHAR(255) NOT NULL,
-        description TEXT,
-        status VARCHAR(50) NOT NULL DEFAULT 'pending',
-        priority INTEGER NOT NULL DEFAULT 3,
-        due_date TIMESTAMP WITH TIME ZONE,
-        created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
-        updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
-        completed_at TIMESTAMP WITH TIME ZONE,
-        tags TEXT[], -- Array of tags
-        assigned_to VARCHAR(255)
-      );
-
-      Only Create, Read, Update, and Delete operations are allowed.
-
-      The output will be a SQL query.
-
-      If the query produced is a mutation, you will need to get approval first from an admin using the queryApproval tool. 
-      If the queryApproval tool returns false, you will need to stop and return an error message.
-      If the queryApproval tool returns true, you will need to execute the query using the executeSql tool.
-
-      The executeSql tool will return the results of the query.
-
-      The current time is ${new Date().toISOString()}.
-
-      When creating a todo, you'll need to generate a unique ID for the todo, using the generateId tool.
-      For updates, you'll need to use the getUserTodos tool to find the todo first.
-
-      IMPORTANT: Don't ask the user to provide any more information to help you generate the SQL query, do your best to generate the query based on the input alone.
-
-      After successfully executing a mutation query, get the latest user todos and summarize them along with what has been updated.
-      After successfully executing a read query, summarize the results in a human readable format.
-
-      If the user specifies a URL, you can use the crawler tool to crawl the URL and return the markdown, helping inform the SQL query.
-    `;
-
-    const prompt = input;
-
-    const chunks: TextStreamPart<TOOLS>[] = [];
-
-    const result = streamText({
-      model: getModel(),
-      system,
-      prompt,
-      stopWhen: stepCountIs(10),
-      tools: {
-        queryApproval,
-        executeSql,
-        generateId,
-        getUserTodos,
-        crawler,
-        getUserId,
-        chart: chartTool,
-      },
-      experimental_telemetry: {
-        isEnabled: true,
-      },
-      abortSignal: signal,
-      onChunk: ({ chunk }) => {
-        chunks.push(chunk);
-      },
-    });
-
-    const stream = await metadata.stream("fullStream", result.fullStream);
-
-    const textParts = [];
-
-    for await (const part of stream) {
-      if (part.type === "text-delta") {
-        textParts.push(part.text);
-      }
-    }
-
-    return textParts.join("");
-  },
-});
-
-export type TOOLS = {
-  queryApproval: typeof queryApproval;
-  executeSql: typeof executeSql;
-  generateId: typeof generateId;
-  getUserTodos: typeof getUserTodos;
-  crawler: typeof crawler;
-  getUserId: typeof getUserId;
-  chart: typeof chartTool;
-};
-
-export type STREAMS = {
-  fullStream: TextStreamPart<TOOLS>;
-};
-
-const CHAT_PROVIDER: "openai" | "anthropic" = "openai";
-
-function getModel() {
-  if (CHAT_PROVIDER === "openai") {
-    return openai("gpt-4o");
-  } else {
-    return anthropic("claude-3-5-sonnet-latest");
-  }
-}
-
-export const interruptibleChat = schemaTask({
-  id: "interruptible-chat",
-  description: "Chat with the AI",
-  schema: z.object({
-    prompt: z.string().describe("The prompt to chat with the AI"),
-  }),
-  run: async ({ prompt }, { signal }) => {
-    logger.info("interruptible-chat: starting", { prompt });
-
-    const chunks: TextStreamPart<{}>[] = [];
-
-    // 👇 This is a global onCancel hook, but it's inside of the run function
-    tasks.onCancel(async () => {
-      // We have access to the chunks here
-      logger.info("interruptible-chat: task cancelled with chunks", { chunks });
-    });
-
-    try {
-      const result = streamText({
-        model: getModel(),
-        prompt,
-        experimental_telemetry: {
-          isEnabled: true,
-        },
-        tools: {},
-        abortSignal: signal,
-        onChunk: ({ chunk }) => {
-          chunks.push(chunk);
-        },
-      });
-
-      const textParts = [];
-
-      for await (const part of result.textStream) {
-        textParts.push(part);
-      }
-
-      return textParts.join("");
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        // streamText will throw an AbortError if the signal is aborted, so we can handle it here
-      } else {
-        throw error;
-      }
-    }
-  },
-});
-
-async function createStreamWithProvider(params: {
-  model: ReturnType<typeof anthropic> | ReturnType<typeof openai>;
-  messages: ModelMessage[];
-  message_request_id: string;
-  chat_id: string;
-  userId?: string;
-}) {
-  const { model, messages, message_request_id, chat_id, userId } = params;
-
-  return new Promise<string>((resolve, reject) => {
-    const dataStreamResponse = createUIMessageStream({
-      execute: async (dataStream) => {
-        const result = streamText({
-          model,
-          system: "This is the system prompt, please be nice.",
-          messages,
-          stopWhen: stepCountIs(20),
-          onError: (error) => {
-            logger.error("Error in chatStream task (streamText)", {
-              error: error instanceof Error ? error.message : "Unknown error",
-              stack: error instanceof Error ? error.stack : undefined,
-              provider: model.provider,
-            });
-            reject(error);
-          },
-          onChunk: async (chunk) => {
-            console.log("Chunk:", chunk);
-          },
-          onFinish: async ({ response, reasoningText }) => {
-            metadata.flush();
-            logger.info("AI stream finished", {
-              chat_id,
-              userId,
-              messageCount: response.messages.length,
-              provider: model.provider,
-            });
-
-            if (userId) {
-              try {
-                // Pretend to save messages
-                await new Promise((resolve) => setTimeout(resolve, 1000));
-
-                logger.info("Successfully saved AI response messages", {
-                  chat_id,
-                  userId,
-                  messageCount: response.messages.length,
-                  message: JSON.stringify(response.messages, null, 2),
-                  provider: model.provider,
-                });
-              } catch (error) {
-                logger.error("Failed to save AI response messages", {
-                  error: error instanceof Error ? error.message : "Unknown error",
-                  stack: error instanceof Error ? error.stack : undefined,
-                  chat_id,
-                  userId,
-                  provider: model.provider,
-                });
-              }
-            }
-          },
-        });
-
-        result.consumeStream();
-
-        dataStream.writer.merge(result.toUIMessageStream());
-      },
-      onError: (error) => {
-        logger.error("Error in chatStream task (createDataStream)", {
-          error: error instanceof Error ? error.message : "Unknown error",
-          stack: error instanceof Error ? error.stack : undefined,
-          provider: model.provider,
-        });
-        reject(error);
-        return error instanceof Error ? error.message : String(error);
-      },
-    });
-
-    // Process the stream
-    (async () => {
-      try {
-        const stream = await metadata.stream("dataStream", dataStreamResponse);
-        let fullResponse = "";
-
-        for await (const chunk of stream) {
-          fullResponse += chunk;
-        }
-
-        // Only resolve if we haven't rejected due to an error
-        resolve(fullResponse);
-      } catch (error) {
-        reject(error);
-      }
-    })();
-  });
-}
-
-export const chatStream = schemaTask({
-  id: "chat-stream",
-  description: "Stream data from the AI SDK and use tools",
-  schema: z.object({
-    chat_id: z.string().default("chat"),
-    messages: z.array(z.unknown()).describe("Array of chat messages"),
-    message_request_id: z.string().describe("Unique identifier for the message request"),
-    model: z.string().default("claude-3-7-sonnet-20250219"),
-    userId: z.string().optional().describe("User ID for authentication"),
-    existingProject: z.boolean().default(false).describe("Whether the project already exists"),
-  }),
-  machine: "large-2x",
-  run: async ({ chat_id, messages, model, userId, message_request_id }) => {
-    logger.info("Running chat stream", {
-      chat_id,
-      messages,
-      model,
-      userId,
-      message_request_id,
-    });
-
-    try {
-      // First try with Anthropic
-      return await createStreamWithProvider({
-        model: anthropic(model),
-        messages: messages as ModelMessage[],
-        message_request_id,
-        chat_id,
-        userId,
-      });
-    } catch (error) {
-      logger.info("Anthropic stream failed, falling back to OpenAI", {
-        error: error instanceof Error ? error.message : "Unknown error",
-        stack: error instanceof Error ? error.stack : undefined,
-        chat_id,
-        userId,
-        message_request_id,
-      });
-
-      try {
-        // Fallback to OpenAI
-        return await createStreamWithProvider({
-          model: openai("gpt-4"),
-          messages: messages as ModelMessage[],
-          message_request_id,
-          chat_id,
-          userId,
-        });
-      } catch (fallbackError) {
-        logger.error("Both Anthropic and OpenAI streams failed", {
-          error: fallbackError instanceof Error ? fallbackError.message : "Unknown error",
-          stack: fallbackError instanceof Error ? fallbackError.stack : undefined,
-          chat_id,
-          userId,
-          message_request_id,
-        });
-        throw fallbackError;
-      }
-    }
-  },
-});
-
-export const chatStreamCaller = schemaTask({
-  id: "chat-stream-caller",
-  description: "Call the chat stream",
-  schema: z.object({
-    prompt: z.string().describe("The prompt to chat with the AI"),
-  }),
-  run: async ({ prompt }, { ctx }) => {
-    const result = await chatStream.trigger({
-      messages: [
-        {
-          role: "user",
-          content: prompt,
-        },
-      ],
-      message_request_id: ctx.run.id,
-    });
-
-    const stream = await runs.fetchStream(result.id, "dataStream");
-
-    for await (const chunk of stream) {
-      console.log("Chunk:", chunk);
-    }
-
-    return result;
-  },
-});
-
-export const streamFetcher = schemaTask({
-  id: "stream-fetcher",
-  description: "Fetch a stream",
-  schema: z.object({
-    runId: z.string().describe("The run ID to fetch the stream for"),
-    streamId: z.string().describe("The stream ID to fetch"),
-  }),
-  run: async ({ runId, streamId }) => {
-    const result = await runs.fetchStream(runId, streamId);
-
-    for await (const chunk of result) {
-      console.log("Chunk:", chunk);
-    }
-
-    return result;
-  },
-});
-
-export const chatStream2 = schemaTask({
-  id: "chat-stream-2",
-  description: "Stream data from the AI SDK and use tools",
-  schema: z.object({
-    chat_id: z.string().default("chat"),
-    messages: z.array(z.unknown()).describe("Array of chat messages"),
-    message_request_id: z.string().describe("Unique identifier for the message request"),
-    model: z.string().default("claude-3-7-sonnet-20250219"),
-    userId: z.string().optional().describe("User ID for authentication"),
-    existingProject: z.boolean().default(false).describe("Whether the project already exists"),
-  }),
-  machine: "large-2x",
-  run: async ({ chat_id, messages, model, userId, message_request_id }) => {
-    logger.info("Running chat stream", {
-      chat_id,
-      messages,
-      model,
-      userId,
-      message_request_id,
-    });
-
-    const dataStreamResponse = createUIMessageStream({
-      execute: async ({ writer }) => {
-        streamTextWithModel(
-          writer,
-          anthropic(model),
-          messages as ModelMessage[],
-          chat_id,
-          openai("gpt-4"),
-          userId
-        );
-      },
-    });
-
-    const stream = await metadata.stream("dataStream", dataStreamResponse);
-
-    for await (const chunk of stream) {
-      console.log("Chunk:", chunk);
-    }
-  },
-});
-
-function streamTextWithModel(
-  writer: UIMessageStreamWriter,
-  model: ReturnType<typeof anthropic> | ReturnType<typeof openai>,
-  messages: ModelMessage[],
-  chat_id: string,
-  fallbackModel?: ReturnType<typeof anthropic> | ReturnType<typeof openai>,
-  userId?: string
-) {
-  const result = streamText({
-    model,
-    system: "This is the system prompt, please be nice.",
-    messages,
-    stopWhen: stepCountIs(20),
-    onError: (error) => {
-      logger.error("Error in chatStream task (streamText)", {
-        error: error instanceof Error ? error.message : "Unknown error",
-        stack: error instanceof Error ? error.stack : undefined,
-        provider: model.provider,
-      });
-
-      if (fallbackModel) {
-        streamTextWithModel(writer, fallbackModel, messages, chat_id, undefined, userId);
-      }
-    },
-    onChunk: async (chunk) => {
-      console.log("Chunk:", chunk);
-    },
-    onFinish: async ({ response, reasoningText }) => {
-      metadata.flush();
-      logger.info("AI stream finished", {
-        chat_id,
-        userId,
-        messageCount: response.messages.length,
-        provider: model.provider,
-      });
-
-      if (userId) {
-        try {
-          // Pretend to save messages
-          await new Promise((resolve) => setTimeout(resolve, 1000));
-
-          logger.info("Successfully saved AI response messages", {
-            chat_id,
-            userId,
-            messageCount: response.messages.length,
-            message: JSON.stringify(response.messages, null, 2),
-            provider: model.provider,
-          });
-        } catch (error) {
-          logger.error("Failed to save AI response messages", {
-            error: error instanceof Error ? error.message : "Unknown error",
-            stack: error instanceof Error ? error.stack : undefined,
-            chat_id,
-            userId,
-            provider: model.provider,
-          });
-        }
-      }
-    },
-  });
-
-  result.consumeStream();
-
-  writer.merge(result.toUIMessageStream());
-}
-
-export const chatStreamCaller2 = schemaTask({
-  id: "chat-stream-caller-2",
-  description: "Call the chat stream",
-  schema: z.object({
-    prompt: z.string().describe("The prompt to chat with the AI"),
-  }),
-  run: async ({ prompt }, { ctx }) => {
-    const result = await chatStream2.trigger({
-      messages: [
-        {
-          role: "user",
-          content: prompt,
-        },
-      ],
-      message_request_id: ctx.run.id,
-    });
-
-    const stream = await runs.fetchStream(result.id, "dataStream");
-
-    for await (const chunk of stream) {
-      console.log("Chunk:", chunk);
-    }
-
-    return result;
-  },
-});
diff --git a/references/d3-chat/src/trigger/crawler.ts b/references/d3-chat/src/trigger/crawler.ts
deleted file mode 100644
index a077353d65c..00000000000
--- a/references/d3-chat/src/trigger/crawler.ts
+++ /dev/null
@@ -1,19 +0,0 @@
-import { python } from "@trigger.dev/python";
-import { ai } from "@trigger.dev/sdk/ai";
-import { schemaTask } from "@trigger.dev/sdk";
-import { z } from "zod";
-
-const crawlerTask = schemaTask({
-  id: "crawler",
-  description: "Crawl a URL and return the markdown",
-  schema: z.object({
-    url: z.string().describe("The URL to crawl"),
-  }),
-  run: async ({ url }) => {
-    const results = await python.runScript("./src/trigger/python/crawler.py", [url]);
-
-    return results.stdout;
-  },
-});
-
-export const crawler = ai.tool(crawlerTask);
diff --git a/references/d3-chat/src/trigger/python/crawler.py b/references/d3-chat/src/trigger/python/crawler.py
deleted file mode 100644
index 3d2af00e0ad..00000000000
--- a/references/d3-chat/src/trigger/python/crawler.py
+++ /dev/null
@@ -1,25 +0,0 @@
-import asyncio
-import sys
-from crawl4ai import AsyncWebCrawler
-from crawl4ai.async_configs import BrowserConfig
-
-async def main(url: str):
-    # Get proxy configuration from environment variables
-    browser_config = BrowserConfig(
-        browser_type="chrome",
-        headless=True,
-        verbose=False,
-    )
-
-    async with AsyncWebCrawler(config=browser_config) as crawler:
-        result = await crawler.arun(
-            url=url,
-        )
-        print(result.markdown)
-
-if __name__ == "__main__":
-    if len(sys.argv) < 2:
-        print("Usage: python crawler.py <url>")
-        sys.exit(1)
-    url = sys.argv[1]
-    asyncio.run(main(url))
\ No newline at end of file
diff --git a/references/d3-chat/src/trigger/sandbox.ts b/references/d3-chat/src/trigger/sandbox.ts
deleted file mode 100644
index 4a3fb858ac6..00000000000
--- a/references/d3-chat/src/trigger/sandbox.ts
+++ /dev/null
@@ -1,61 +0,0 @@
-import { openai } from "@ai-sdk/openai";
-import { Sandbox } from "@e2b/code-interpreter";
-import { ai } from "@trigger.dev/sdk/ai";
-import { schemaTask } from "@trigger.dev/sdk/v3";
-import { generateObject } from "ai";
-import { z } from "zod";
-
-const chartTask = schemaTask({
-  id: "chart",
-  description: "Generate a chart using natural language",
-  schema: z.object({
-    input: z.string().describe("The chart to generate"),
-  }),
-  run: async ({ input }) => {
-    const code = await generateObject({
-      model: openai("gpt-4o"),
-      schema: z.object({
-        code: z.string().describe("The Python code to execute"),
-      }),
-      system: `
-        You are a helpful assistant that can generate Python code to be executed in a sandbox, using matplotlib.pyplot.
-
-        For example: 
-        
-        import matplotlib.pyplot as plt
-        plt.plot([1, 2, 3, 4])
-        plt.ylabel('some numbers')
-        plt.show()
-        
-        Make sure the code ends with plt.show()
-      `,
-      prompt: input,
-    });
-
-    const sandbox = await Sandbox.create();
-
-    const execution = await sandbox.runCode(code.object.code);
-
-    const firstResult = execution.results[0];
-
-    if (firstResult.png) {
-      return {
-        chart: firstResult.png,
-      };
-    } else {
-      throw new Error("No chart generated");
-    }
-  },
-});
-
-export const chartTool = ai.tool(chartTask, {
-  experimental_toToolResultContent: (result) => {
-    return [
-      {
-        type: "image",
-        data: result.chart,
-        mimeType: "image/png",
-      },
-    ];
-  },
-});
diff --git a/references/d3-chat/src/trigger/schemas.ts b/references/d3-chat/src/trigger/schemas.ts
deleted file mode 100644
index e0a5bebfdd8..00000000000
--- a/references/d3-chat/src/trigger/schemas.ts
+++ /dev/null
@@ -1,16 +0,0 @@
-import { z } from "zod";
-
-export const AgentLoopMetadata = z.object({
-  waitToken: z.object({
-    id: z.string(),
-    publicAccessToken: z.string(),
-  }),
-});
-
-export type AgentLoopMetadata = z.infer<typeof AgentLoopMetadata>;
-
-export const QueryApproval = z.object({
-  approved: z.boolean().describe("Whether the query has been approved"),
-});
-
-export type QueryApproval = z.infer<typeof QueryApproval>;
diff --git a/references/d3-chat/tailwind.config.ts b/references/d3-chat/tailwind.config.ts
deleted file mode 100644
index 7c5882e06fc..00000000000
--- a/references/d3-chat/tailwind.config.ts
+++ /dev/null
@@ -1,112 +0,0 @@
-import type { Config } from "tailwindcss";
-import typography from "@tailwindcss/typography";
-
-const config: Config = {
-  darkMode: ["class"],
-  content: [
-    "./pages/**/*.{js,ts,jsx,tsx,mdx}",
-    "./components/**/*.{js,ts,jsx,tsx,mdx}",
-    "./app/**/*.{js,ts,jsx,tsx,mdx}",
-    "*.{js,ts,jsx,tsx,mdx}",
-  ],
-  theme: {
-    extend: {
-      fontFamily: {
-        mono: ["Menlo", "Monaco", "Consolas", "monospace"],
-      },
-      colors: {
-        gray: {
-          50: "#f9fafb",
-          100: "#f3f4f6",
-          200: "#e5e7eb",
-          300: "#d1d5db",
-          400: "#9ca3af",
-          500: "#6b7280",
-          600: "#4b5563",
-          700: "#374151",
-          800: "#1f2937",
-          900: "#111827",
-        },
-        background: "hsl(var(--background))",
-        foreground: "hsl(var(--foreground))",
-        card: {
-          DEFAULT: "hsl(var(--card))",
-          foreground: "hsl(var(--card-foreground))",
-        },
-        popover: {
-          DEFAULT: "hsl(var(--popover))",
-          foreground: "hsl(var(--popover-foreground))",
-        },
-        primary: {
-          DEFAULT: "hsl(var(--primary))",
-          foreground: "hsl(var(--primary-foreground))",
-        },
-        secondary: {
-          DEFAULT: "hsl(var(--secondary))",
-          foreground: "hsl(var(--secondary-foreground))",
-        },
-        muted: {
-          DEFAULT: "hsl(var(--muted))",
-          foreground: "hsl(var(--muted-foreground))",
-        },
-        accent: {
-          DEFAULT: "hsl(var(--accent))",
-          foreground: "hsl(var(--accent-foreground))",
-        },
-        destructive: {
-          DEFAULT: "hsl(var(--destructive))",
-          foreground: "hsl(var(--destructive-foreground))",
-        },
-        border: "hsl(var(--border))",
-        input: "hsl(var(--input))",
-        ring: "hsl(var(--ring))",
-        chart: {
-          "1": "hsl(var(--chart-1))",
-          "2": "hsl(var(--chart-2))",
-          "3": "hsl(var(--chart-3))",
-          "4": "hsl(var(--chart-4))",
-          "5": "hsl(var(--chart-5))",
-        },
-        sidebar: {
-          DEFAULT: "hsl(var(--sidebar-background))",
-          foreground: "hsl(var(--sidebar-foreground))",
-          primary: "hsl(var(--sidebar-primary))",
-          "primary-foreground": "hsl(var(--sidebar-primary-foreground))",
-          accent: "hsl(var(--sidebar-accent))",
-          "accent-foreground": "hsl(var(--sidebar-accent-foreground))",
-          border: "hsl(var(--sidebar-border))",
-          ring: "hsl(var(--sidebar-ring))",
-        },
-      },
-      borderRadius: {
-        lg: "var(--radius)",
-        md: "calc(var(--radius) - 2px)",
-        sm: "calc(var(--radius) - 4px)",
-      },
-      keyframes: {
-        "accordion-down": {
-          from: {
-            height: "0",
-          },
-          to: {
-            height: "var(--radix-accordion-content-height)",
-          },
-        },
-        "accordion-up": {
-          from: {
-            height: "var(--radix-accordion-content-height)",
-          },
-          to: {
-            height: "0",
-          },
-        },
-      },
-      animation: {
-        "accordion-down": "accordion-down 0.2s ease-out",
-        "accordion-up": "accordion-up 0.2s ease-out",
-      },
-    },
-  },
-  plugins: [typography],
-};
-export default config;
diff --git a/references/d3-chat/trigger.config.ts b/references/d3-chat/trigger.config.ts
deleted file mode 100644
index 528215ac7d4..00000000000
--- a/references/d3-chat/trigger.config.ts
+++ /dev/null
@@ -1,45 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk";
-import { pythonExtension } from "@trigger.dev/python/extension";
-import { installPlaywrightChromium } from "./src/extensions/playwright";
-import { OTLPLogExporter } from "@opentelemetry/exporter-logs-otlp-http";
-import { OTLPTraceExporter } from "@opentelemetry/exporter-trace-otlp-http";
-import { HttpInstrumentation } from "@opentelemetry/instrumentation-http";
-import { UndiciInstrumentation } from "@opentelemetry/instrumentation-undici";
-
-export default defineConfig({
-  project: process.env.TRIGGER_PROJECT_REF!,
-  dirs: ["./src/trigger"],
-  telemetry: {
-    instrumentations: [new HttpInstrumentation(), new UndiciInstrumentation()],
-    logExporters: [
-      new OTLPLogExporter({
-        url: "https://api.axiom.co/v1/logs",
-        headers: {
-          Authorization: `Bearer ${process.env.AXIOM_TOKEN}`,
-          "X-Axiom-Dataset": "d3-chat-tester",
-        },
-      }),
-    ],
-    exporters: [
-      new OTLPTraceExporter({
-        url: "https://api.axiom.co/v1/traces",
-        headers: {
-          Authorization: `Bearer ${process.env.AXIOM_TOKEN}`,
-          "X-Axiom-Dataset": "d3-chat-tester",
-        },
-      }),
-    ],
-  },
-  maxDuration: 3600,
-  build: {
-    extensions: [
-      // This is required to use the Python extension
-      pythonExtension({
-        requirementsFile: "./requirements.txt", // Optional: Path to your requirements file
-        devPythonBinaryPath: `.venv/bin/python`, // Optional: Custom Python binary path
-        scripts: ["src/trigger/python/**/*.py"], // List of Python scripts to include
-      }),
-      installPlaywrightChromium(),
-    ],
-  },
-});
diff --git a/references/d3-chat/tsconfig.json b/references/d3-chat/tsconfig.json
deleted file mode 100644
index c1334095f87..00000000000
--- a/references/d3-chat/tsconfig.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2017",
-    "lib": ["dom", "dom.iterable", "esnext"],
-    "allowJs": true,
-    "skipLibCheck": true,
-    "strict": true,
-    "noEmit": true,
-    "esModuleInterop": true,
-    "module": "esnext",
-    "moduleResolution": "bundler",
-    "resolveJsonModule": true,
-    "isolatedModules": true,
-    "jsx": "preserve",
-    "incremental": true,
-    "plugins": [
-      {
-        "name": "next"
-      }
-    ],
-    "paths": {
-      "@/*": ["./src/*"]
-    }
-  },
-  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
-  "exclude": ["node_modules"]
-}
diff --git a/references/d3-openai-agents/.gitignore b/references/d3-openai-agents/.gitignore
deleted file mode 100644
index 5ef6a520780..00000000000
--- a/references/d3-openai-agents/.gitignore
+++ /dev/null
@@ -1,41 +0,0 @@
-# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
-
-# dependencies
-/node_modules
-/.pnp
-.pnp.*
-.yarn/*
-!.yarn/patches
-!.yarn/plugins
-!.yarn/releases
-!.yarn/versions
-
-# testing
-/coverage
-
-# next.js
-/.next/
-/out/
-
-# production
-/build
-
-# misc
-.DS_Store
-*.pem
-
-# debug
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-.pnpm-debug.log*
-
-# env files (can opt-in for committing if needed)
-.env*
-
-# vercel
-.vercel
-
-# typescript
-*.tsbuildinfo
-next-env.d.ts
diff --git a/references/d3-openai-agents/README.md b/references/d3-openai-agents/README.md
deleted file mode 100644
index e215bc4ccf1..00000000000
--- a/references/d3-openai-agents/README.md
+++ /dev/null
@@ -1,36 +0,0 @@
-This is a [Next.js](https://nextjs.org) project bootstrapped with [`create-next-app`](https://nextjs.org/docs/app/api-reference/cli/create-next-app).
-
-## Getting Started
-
-First, run the development server:
-
-```bash
-npm run dev
-# or
-yarn dev
-# or
-pnpm dev
-# or
-bun dev
-```
-
-Open [http://localhost:3000](http://localhost:3000) with your browser to see the result.
-
-You can start editing the page by modifying `app/page.tsx`. The page auto-updates as you edit the file.
-
-This project uses [`next/font`](https://nextjs.org/docs/app/building-your-application/optimizing/fonts) to automatically optimize and load [Geist](https://vercel.com/font), a new font family for Vercel.
-
-## Learn More
-
-To learn more about Next.js, take a look at the following resources:
-
-- [Next.js Documentation](https://nextjs.org/docs) - learn about Next.js features and API.
-- [Learn Next.js](https://nextjs.org/learn) - an interactive Next.js tutorial.
-
-You can check out [the Next.js GitHub repository](https://github.com/vercel/next.js) - your feedback and contributions are welcome!
-
-## Deploy on Vercel
-
-The easiest way to deploy your Next.js app is to use the [Vercel Platform](https://vercel.com/new?utm_medium=default-template&filter=next.js&utm_source=create-next-app&utm_campaign=create-next-app-readme) from the creators of Next.js.
-
-Check out our [Next.js deployment documentation](https://nextjs.org/docs/app/building-your-application/deploying) for more details.
diff --git a/references/d3-openai-agents/components.json b/references/d3-openai-agents/components.json
deleted file mode 100644
index ffe928f5b6d..00000000000
--- a/references/d3-openai-agents/components.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
-  "$schema": "https://ui.shadcn.com/schema.json",
-  "style": "new-york",
-  "rsc": true,
-  "tsx": true,
-  "tailwind": {
-    "config": "",
-    "css": "src/app/globals.css",
-    "baseColor": "neutral",
-    "cssVariables": true,
-    "prefix": ""
-  },
-  "aliases": {
-    "components": "@/components",
-    "utils": "@/lib/utils",
-    "ui": "@/components/ui",
-    "lib": "@/lib",
-    "hooks": "@/hooks"
-  },
-  "iconLibrary": "lucide"
-}
\ No newline at end of file
diff --git a/references/d3-openai-agents/next.config.ts b/references/d3-openai-agents/next.config.ts
deleted file mode 100644
index e9ffa3083ad..00000000000
--- a/references/d3-openai-agents/next.config.ts
+++ /dev/null
@@ -1,7 +0,0 @@
-import type { NextConfig } from "next";
-
-const nextConfig: NextConfig = {
-  /* config options here */
-};
-
-export default nextConfig;
diff --git a/references/d3-openai-agents/package.json b/references/d3-openai-agents/package.json
deleted file mode 100644
index 91309ea5a30..00000000000
--- a/references/d3-openai-agents/package.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
-  "name": "references-d3-openai-agents",
-  "version": "0.1.0",
-  "private": true,
-  "scripts": {
-    "dev": "next dev",
-    "build": "next build",
-    "start": "next start",
-    "lint": "next lint",
-    "dev:trigger": "trigger dev",
-    "deploy": "pnpm run python:compile-requirements && trigger deploy",
-    "python:install-requirements": "uv pip sync requirements.txt",
-    "python:compile-requirements": "uv pip compile requirements.in -o requirements.txt",
-    "python:install": "pnpm run python:compile-requirements && pnpm run python:install-requirements",
-    "python:create-env": "uv venv .venv",
-    "db:migrate": "tsx -r dotenv/config src/lib/migrate.ts up",
-    "db:migrate:down": "tsx -r dotenv/config src/lib/migrate.ts down"
-  },
-  "dependencies": {
-    "@ai-sdk/openai": "1.3.3",
-    "@slack/web-api": "7.9.1",
-    "@trigger.dev/python": "workspace:*",
-    "@trigger.dev/react-hooks": "workspace:*",
-    "@trigger.dev/sdk": "workspace:*",
-    "@vercel/postgres": "^0.10.0",
-    "ai": "4.2.5",
-    "class-variance-authority": "^0.7.1",
-    "clsx": "^2.1.1",
-    "lucide-react": "^0.484.0",
-    "nanoid": "^5.1.5",
-    "next": "15.2.4",
-    "react": "^19.0.0",
-    "react-dom": "^19.0.0",
-    "tailwind-merge": "^3.0.2",
-    "tw-animate-css": "^1.2.4",
-    "zod": "3.25.76",
-    "zod-to-json-schema": "^3.24.5"
-  },
-  "devDependencies": {
-    "@tailwindcss/postcss": "^4",
-    "@trigger.dev/build": "workspace:*",
-    "@types/node": "^20",
-    "@types/react": "^19",
-    "@types/react-dom": "^19",
-    "dotenv": "16.4.7",
-    "tailwindcss": "^4.0.17",
-    "trigger.dev": "workspace:*",
-    "tsx": "4.19.3",
-    "typescript": "^5"
-  }
-}
\ No newline at end of file
diff --git a/references/d3-openai-agents/postcss.config.mjs b/references/d3-openai-agents/postcss.config.mjs
deleted file mode 100644
index c7bcb4b1ee1..00000000000
--- a/references/d3-openai-agents/postcss.config.mjs
+++ /dev/null
@@ -1,5 +0,0 @@
-const config = {
-  plugins: ["@tailwindcss/postcss"],
-};
-
-export default config;
diff --git a/references/d3-openai-agents/public/file.svg b/references/d3-openai-agents/public/file.svg
deleted file mode 100644
index 004145cddf3..00000000000
--- a/references/d3-openai-agents/public/file.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg fill="none" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg"><path d="M14.5 13.5V5.41a1 1 0 0 0-.3-.7L9.8.29A1 1 0 0 0 9.08 0H1.5v13.5A2.5 2.5 0 0 0 4 16h8a2.5 2.5 0 0 0 2.5-2.5m-1.5 0v-7H8v-5H3v12a1 1 0 0 0 1 1h8a1 1 0 0 0 1-1M9.5 5V2.12L12.38 5zM5.13 5h-.62v1.25h2.12V5zm-.62 3h7.12v1.25H4.5zm.62 3h-.62v1.25h7.12V11z" clip-rule="evenodd" fill="#666" fill-rule="evenodd"/></svg>
\ No newline at end of file
diff --git a/references/d3-openai-agents/public/globe.svg b/references/d3-openai-agents/public/globe.svg
deleted file mode 100644
index 567f17b0d7c..00000000000
--- a/references/d3-openai-agents/public/globe.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><g clip-path="url(#a)"><path fill-rule="evenodd" clip-rule="evenodd" d="M10.27 14.1a6.5 6.5 0 0 0 3.67-3.45q-1.24.21-2.7.34-.31 1.83-.97 3.1M8 16A8 8 0 1 0 8 0a8 8 0 0 0 0 16m.48-1.52a7 7 0 0 1-.96 0H7.5a4 4 0 0 1-.84-1.32q-.38-.89-.63-2.08a40 40 0 0 0 3.92 0q-.25 1.2-.63 2.08a4 4 0 0 1-.84 1.31zm2.94-4.76q1.66-.15 2.95-.43a7 7 0 0 0 0-2.58q-1.3-.27-2.95-.43a18 18 0 0 1 0 3.44m-1.27-3.54a17 17 0 0 1 0 3.64 39 39 0 0 1-4.3 0 17 17 0 0 1 0-3.64 39 39 0 0 1 4.3 0m1.1-1.17q1.45.13 2.69.34a6.5 6.5 0 0 0-3.67-3.44q.65 1.26.98 3.1M8.48 1.5l.01.02q.41.37.84 1.31.38.89.63 2.08a40 40 0 0 0-3.92 0q.25-1.2.63-2.08a4 4 0 0 1 .85-1.32 7 7 0 0 1 .96 0m-2.75.4a6.5 6.5 0 0 0-3.67 3.44 29 29 0 0 1 2.7-.34q.31-1.83.97-3.1M4.58 6.28q-1.66.16-2.95.43a7 7 0 0 0 0 2.58q1.3.27 2.95.43a18 18 0 0 1 0-3.44m.17 4.71q-1.45-.12-2.69-.34a6.5 6.5 0 0 0 3.67 3.44q-.65-1.27-.98-3.1" fill="#666"/></g><defs><clipPath id="a"><path fill="#fff" d="M0 0h16v16H0z"/></clipPath></defs></svg>
\ No newline at end of file
diff --git a/references/d3-openai-agents/public/next.svg b/references/d3-openai-agents/public/next.svg
deleted file mode 100644
index 5174b28c565..00000000000
--- a/references/d3-openai-agents/public/next.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 394 80"><path fill="#000" d="M262 0h68.5v12.7h-27.2v66.6h-13.6V12.7H262V0ZM149 0v12.7H94v20.4h44.3v12.6H94v21h55v12.6H80.5V0h68.7zm34.3 0h-17.8l63.8 79.4h17.9l-32-39.7 32-39.6h-17.9l-23 28.6-23-28.6zm18.3 56.7-9-11-27.1 33.7h17.8l18.3-22.7z"/><path fill="#000" d="M81 79.3 17 0H0v79.3h13.6V17l50.2 62.3H81Zm252.6-.4c-1 0-1.8-.4-2.5-1s-1.1-1.6-1.1-2.6.3-1.8 1-2.5 1.6-1 2.6-1 1.8.3 2.5 1a3.4 3.4 0 0 1 .6 4.3 3.7 3.7 0 0 1-3 1.8zm23.2-33.5h6v23.3c0 2.1-.4 4-1.3 5.5a9.1 9.1 0 0 1-3.8 3.5c-1.6.8-3.5 1.3-5.7 1.3-2 0-3.7-.4-5.3-1s-2.8-1.8-3.7-3.2c-.9-1.3-1.4-3-1.4-5h6c.1.8.3 1.6.7 2.2s1 1.2 1.6 1.5c.7.4 1.5.5 2.4.5 1 0 1.8-.2 2.4-.6a4 4 0 0 0 1.6-1.8c.3-.8.5-1.8.5-3V45.5zm30.9 9.1a4.4 4.4 0 0 0-2-3.3 7.5 7.5 0 0 0-4.3-1.1c-1.3 0-2.4.2-3.3.5-.9.4-1.6 1-2 1.6a3.5 3.5 0 0 0-.3 4c.3.5.7.9 1.3 1.2l1.8 1 2 .5 3.2.8c1.3.3 2.5.7 3.7 1.2a13 13 0 0 1 3.2 1.8 8.1 8.1 0 0 1 3 6.5c0 2-.5 3.7-1.5 5.1a10 10 0 0 1-4.4 3.5c-1.8.8-4.1 1.2-6.8 1.2-2.6 0-4.9-.4-6.8-1.2-2-.8-3.4-2-4.5-3.5a10 10 0 0 1-1.7-5.6h6a5 5 0 0 0 3.5 4.6c1 .4 2.2.6 3.4.6 1.3 0 2.5-.2 3.5-.6 1-.4 1.8-1 2.4-1.7a4 4 0 0 0 .8-2.4c0-.9-.2-1.6-.7-2.2a11 11 0 0 0-2.1-1.4l-3.2-1-3.8-1c-2.8-.7-5-1.7-6.6-3.2a7.2 7.2 0 0 1-2.4-5.7 8 8 0 0 1 1.7-5 10 10 0 0 1 4.3-3.5c2-.8 4-1.2 6.4-1.2 2.3 0 4.4.4 6.2 1.2 1.8.8 3.2 2 4.3 3.4 1 1.4 1.5 3 1.5 5h-5.8z"/></svg>
\ No newline at end of file
diff --git a/references/d3-openai-agents/public/vercel.svg b/references/d3-openai-agents/public/vercel.svg
deleted file mode 100644
index 77053960334..00000000000
--- a/references/d3-openai-agents/public/vercel.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1155 1000"><path d="m577.3 0 577.4 1000H0z" fill="#fff"/></svg>
\ No newline at end of file
diff --git a/references/d3-openai-agents/public/window.svg b/references/d3-openai-agents/public/window.svg
deleted file mode 100644
index b2b2a44f6eb..00000000000
--- a/references/d3-openai-agents/public/window.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><path fill-rule="evenodd" clip-rule="evenodd" d="M1.5 2.5h13v10a1 1 0 0 1-1 1h-11a1 1 0 0 1-1-1zM0 1h16v11.5a2.5 2.5 0 0 1-2.5 2.5h-11A2.5 2.5 0 0 1 0 12.5zm3.75 4.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5M7 4.75a.75.75 0 1 1-1.5 0 .75.75 0 0 1 1.5 0m1.75.75a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5" fill="#666"/></svg>
\ No newline at end of file
diff --git a/references/d3-openai-agents/requirements.in b/references/d3-openai-agents/requirements.in
deleted file mode 100644
index 0616e8d8d75..00000000000
--- a/references/d3-openai-agents/requirements.in
+++ /dev/null
@@ -1,5 +0,0 @@
-crawl4ai
-playwright
-openai-agents
-urllib3<2.0.0
-logfire
\ No newline at end of file
diff --git a/references/d3-openai-agents/requirements.txt b/references/d3-openai-agents/requirements.txt
deleted file mode 100644
index 5b1cfec6cc9..00000000000
--- a/references/d3-openai-agents/requirements.txt
+++ /dev/null
@@ -1,309 +0,0 @@
-# This file was autogenerated by uv via the following command:
-#    uv pip compile requirements.in -o requirements.txt
-aiofiles==24.1.0
-    # via crawl4ai
-aiohappyeyeballs==2.6.1
-    # via aiohttp
-aiohttp==3.11.14
-    # via
-    #   crawl4ai
-    #   litellm
-aiosignal==1.3.2
-    # via aiohttp
-aiosqlite==0.21.0
-    # via crawl4ai
-annotated-types==0.7.0
-    # via pydantic
-anyio==4.9.0
-    # via
-    #   httpx
-    #   mcp
-    #   openai
-    #   sse-starlette
-    #   starlette
-attrs==25.3.0
-    # via
-    #   aiohttp
-    #   jsonschema
-    #   referencing
-beautifulsoup4==4.13.3
-    # via crawl4ai
-certifi==2025.1.31
-    # via
-    #   httpcore
-    #   httpx
-    #   requests
-cffi==1.17.1
-    # via cryptography
-charset-normalizer==3.4.1
-    # via requests
-click==8.1.8
-    # via
-    #   crawl4ai
-    #   litellm
-    #   nltk
-    #   uvicorn
-colorama==0.4.6
-    # via
-    #   crawl4ai
-    #   griffe
-crawl4ai==0.5.0.post8
-    # via -r requirements.in
-cryptography==44.0.2
-    # via pyopenssl
-cssselect==1.3.0
-    # via crawl4ai
-deprecated==1.2.18
-    # via
-    #   opentelemetry-api
-    #   opentelemetry-exporter-otlp-proto-http
-    #   opentelemetry-semantic-conventions
-distro==1.9.0
-    # via openai
-executing==2.2.0
-    # via logfire
-fake-http-header==0.3.5
-    # via tf-playwright-stealth
-fake-useragent==2.1.0
-    # via crawl4ai
-faust-cchardet==2.1.19
-    # via crawl4ai
-filelock==3.18.0
-    # via huggingface-hub
-frozenlist==1.5.0
-    # via
-    #   aiohttp
-    #   aiosignal
-fsspec==2025.3.0
-    # via huggingface-hub
-googleapis-common-protos==1.69.2
-    # via opentelemetry-exporter-otlp-proto-http
-greenlet==3.1.1
-    # via playwright
-griffe==1.6.3
-    # via openai-agents
-h11==0.14.0
-    # via
-    #   httpcore
-    #   uvicorn
-httpcore==1.0.7
-    # via httpx
-httpx==0.28.1
-    # via
-    #   crawl4ai
-    #   litellm
-    #   mcp
-    #   openai
-httpx-sse==0.4.0
-    # via mcp
-huggingface-hub==0.29.3
-    # via tokenizers
-humanize==4.12.2
-    # via crawl4ai
-idna==3.10
-    # via
-    #   anyio
-    #   httpx
-    #   requests
-    #   yarl
-importlib-metadata==8.6.1
-    # via
-    #   litellm
-    #   opentelemetry-api
-jinja2==3.1.6
-    # via litellm
-jiter==0.9.0
-    # via openai
-joblib==1.4.2
-    # via nltk
-jsonschema==4.23.0
-    # via litellm
-jsonschema-specifications==2024.10.1
-    # via jsonschema
-litellm==1.64.1
-    # via crawl4ai
-logfire==3.11.0
-    # via -r requirements.in
-lxml==5.3.1
-    # via crawl4ai
-markdown-it-py==3.0.0
-    # via rich
-markupsafe==3.0.2
-    # via jinja2
-mcp==1.5.0
-    # via openai-agents
-mdurl==0.1.2
-    # via markdown-it-py
-multidict==6.2.0
-    # via
-    #   aiohttp
-    #   yarl
-nltk==3.9.1
-    # via crawl4ai
-numpy==2.2.4
-    # via
-    #   crawl4ai
-    #   rank-bm25
-openai==1.68.2
-    # via
-    #   litellm
-    #   openai-agents
-openai-agents==0.0.7
-    # via -r requirements.in
-opentelemetry-api==1.31.1
-    # via
-    #   opentelemetry-exporter-otlp-proto-http
-    #   opentelemetry-instrumentation
-    #   opentelemetry-sdk
-    #   opentelemetry-semantic-conventions
-opentelemetry-exporter-otlp-proto-common==1.31.1
-    # via opentelemetry-exporter-otlp-proto-http
-opentelemetry-exporter-otlp-proto-http==1.31.1
-    # via logfire
-opentelemetry-instrumentation==0.52b1
-    # via logfire
-opentelemetry-proto==1.31.1
-    # via
-    #   opentelemetry-exporter-otlp-proto-common
-    #   opentelemetry-exporter-otlp-proto-http
-opentelemetry-sdk==1.31.1
-    # via
-    #   logfire
-    #   opentelemetry-exporter-otlp-proto-http
-opentelemetry-semantic-conventions==0.52b1
-    # via
-    #   opentelemetry-instrumentation
-    #   opentelemetry-sdk
-packaging==24.2
-    # via
-    #   huggingface-hub
-    #   opentelemetry-instrumentation
-pillow==10.4.0
-    # via crawl4ai
-playwright==1.51.0
-    # via
-    #   -r requirements.in
-    #   crawl4ai
-    #   tf-playwright-stealth
-propcache==0.3.1
-    # via
-    #   aiohttp
-    #   yarl
-protobuf==5.29.4
-    # via
-    #   googleapis-common-protos
-    #   logfire
-    #   opentelemetry-proto
-psutil==7.0.0
-    # via crawl4ai
-pycparser==2.22
-    # via cffi
-pydantic==2.10.6
-    # via
-    #   crawl4ai
-    #   litellm
-    #   mcp
-    #   openai
-    #   openai-agents
-    #   pydantic-settings
-pydantic-core==2.27.2
-    # via pydantic
-pydantic-settings==2.8.1
-    # via mcp
-pyee==12.1.1
-    # via playwright
-pygments==2.19.1
-    # via rich
-pyopenssl==25.0.0
-    # via crawl4ai
-pyperclip==1.9.0
-    # via crawl4ai
-python-dotenv==1.1.0
-    # via
-    #   crawl4ai
-    #   litellm
-    #   pydantic-settings
-pyyaml==6.0.2
-    # via huggingface-hub
-rank-bm25==0.2.2
-    # via crawl4ai
-referencing==0.36.2
-    # via
-    #   jsonschema
-    #   jsonschema-specifications
-regex==2024.11.6
-    # via
-    #   nltk
-    #   tiktoken
-requests==2.32.3
-    # via
-    #   crawl4ai
-    #   huggingface-hub
-    #   openai-agents
-    #   opentelemetry-exporter-otlp-proto-http
-    #   tiktoken
-rich==13.9.4
-    # via
-    #   crawl4ai
-    #   logfire
-rpds-py==0.24.0
-    # via
-    #   jsonschema
-    #   referencing
-sniffio==1.3.1
-    # via
-    #   anyio
-    #   openai
-snowballstemmer==2.2.0
-    # via crawl4ai
-soupsieve==2.6
-    # via beautifulsoup4
-sse-starlette==2.2.1
-    # via mcp
-starlette==0.46.1
-    # via
-    #   mcp
-    #   sse-starlette
-tf-playwright-stealth==1.1.2
-    # via crawl4ai
-tiktoken==0.9.0
-    # via litellm
-tokenizers==0.21.1
-    # via litellm
-tqdm==4.67.1
-    # via
-    #   huggingface-hub
-    #   nltk
-    #   openai
-types-requests==2.31.0.6
-    # via openai-agents
-types-urllib3==1.26.25.14
-    # via types-requests
-typing-extensions==4.13.0
-    # via
-    #   aiosqlite
-    #   beautifulsoup4
-    #   huggingface-hub
-    #   logfire
-    #   openai
-    #   openai-agents
-    #   opentelemetry-sdk
-    #   pydantic
-    #   pydantic-core
-    #   pyee
-urllib3==1.26.20
-    # via
-    #   -r requirements.in
-    #   requests
-uvicorn==0.34.0
-    # via mcp
-wrapt==1.17.2
-    # via
-    #   deprecated
-    #   opentelemetry-instrumentation
-xxhash==3.5.0
-    # via crawl4ai
-yarl==1.18.3
-    # via aiohttp
-zipp==3.21.0
-    # via importlib-metadata
diff --git a/references/d3-openai-agents/src/app/api/slack/interaction/route.ts b/references/d3-openai-agents/src/app/api/slack/interaction/route.ts
deleted file mode 100644
index a5e18f81b08..00000000000
--- a/references/d3-openai-agents/src/app/api/slack/interaction/route.ts
+++ /dev/null
@@ -1,79 +0,0 @@
-import { NextResponse } from "next/server";
-import { wait, auth } from "@trigger.dev/sdk";
-
-// Verify Slack requests middleware
-function verifySlackRequest(request: Request) {
-  // TODO: Implement Slack request verification using signing secret
-  // https://api.slack.com/authentication/verifying-requests-from-slack
-  return true;
-}
-
-export async function POST(request: Request) {
-  // Verify the request is from Slack
-  if (!verifySlackRequest(request)) {
-    return new NextResponse("Unauthorized", { status: 401 });
-  }
-
-  try {
-    // Parse the urlencoded body from Slack
-    const formData = await request.formData();
-    const payload = JSON.parse(formData.get("payload") as string);
-
-    console.log("Received Slack payload:", JSON.stringify(payload, null, 2));
-
-    // Extract the action and values
-    const action = payload.actions[0];
-    const value = JSON.parse(action.value);
-    const { tokenId, publicAccessToken, action: actionType } = value;
-
-    console.log("Parsed action values:", { tokenId, actionType });
-
-    await auth.withAuth({ accessToken: publicAccessToken }, async () => {
-      // Complete the token based on the action
-      if (actionType === "approve") {
-        console.log("Completing token with approval");
-        await wait.completeToken(tokenId, { approved: true });
-      } else if (actionType === "deny") {
-        console.log("Completing token with denial");
-        await wait.completeToken(tokenId, { approved: false });
-      }
-    });
-
-    // Update the message to show it's been processed
-    const blocks = payload.message.blocks.filter((block: any) => block.type !== "actions");
-    blocks.push({
-      type: "context",
-      elements: [
-        {
-          type: "mrkdwn",
-          text: `✅ ${actionType === "approve" ? "Approved" : "Denied"} by <@${
-            payload.user.id
-          }> at ${new Date().toLocaleTimeString()}`,
-        },
-      ],
-    });
-
-    // Send the update to Slack's response_url
-    const updateResponse = await fetch(payload.response_url, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-      },
-      body: JSON.stringify({
-        replace_original: true,
-        text: actionType === "approve" ? "Query approved" : "Query denied",
-        blocks,
-      }),
-    });
-
-    if (!updateResponse.ok) {
-      console.error("Failed to update Slack message:", await updateResponse.text());
-    }
-
-    // Return an empty 200 OK response
-    return new NextResponse(null, { status: 200 });
-  } catch (error) {
-    console.error("Error processing Slack interaction:", error);
-    return new NextResponse("Internal Server Error", { status: 500 });
-  }
-}
diff --git a/references/d3-openai-agents/src/app/favicon.ico b/references/d3-openai-agents/src/app/favicon.ico
deleted file mode 100644
index 718d6fea483..00000000000
Binary files a/references/d3-openai-agents/src/app/favicon.ico and /dev/null differ
diff --git a/references/d3-openai-agents/src/app/globals.css b/references/d3-openai-agents/src/app/globals.css
deleted file mode 100644
index dc98be74c47..00000000000
--- a/references/d3-openai-agents/src/app/globals.css
+++ /dev/null
@@ -1,122 +0,0 @@
-@import "tailwindcss";
-@import "tw-animate-css";
-
-@custom-variant dark (&:is(.dark *));
-
-@theme inline {
-  --color-background: var(--background);
-  --color-foreground: var(--foreground);
-  --font-sans: var(--font-geist-sans);
-  --font-mono: var(--font-geist-mono);
-  --color-sidebar-ring: var(--sidebar-ring);
-  --color-sidebar-border: var(--sidebar-border);
-  --color-sidebar-accent-foreground: var(--sidebar-accent-foreground);
-  --color-sidebar-accent: var(--sidebar-accent);
-  --color-sidebar-primary-foreground: var(--sidebar-primary-foreground);
-  --color-sidebar-primary: var(--sidebar-primary);
-  --color-sidebar-foreground: var(--sidebar-foreground);
-  --color-sidebar: var(--sidebar);
-  --color-chart-5: var(--chart-5);
-  --color-chart-4: var(--chart-4);
-  --color-chart-3: var(--chart-3);
-  --color-chart-2: var(--chart-2);
-  --color-chart-1: var(--chart-1);
-  --color-ring: var(--ring);
-  --color-input: var(--input);
-  --color-border: var(--border);
-  --color-destructive: var(--destructive);
-  --color-accent-foreground: var(--accent-foreground);
-  --color-accent: var(--accent);
-  --color-muted-foreground: var(--muted-foreground);
-  --color-muted: var(--muted);
-  --color-secondary-foreground: var(--secondary-foreground);
-  --color-secondary: var(--secondary);
-  --color-primary-foreground: var(--primary-foreground);
-  --color-primary: var(--primary);
-  --color-popover-foreground: var(--popover-foreground);
-  --color-popover: var(--popover);
-  --color-card-foreground: var(--card-foreground);
-  --color-card: var(--card);
-  --radius-sm: calc(var(--radius) - 4px);
-  --radius-md: calc(var(--radius) - 2px);
-  --radius-lg: var(--radius);
-  --radius-xl: calc(var(--radius) + 4px);
-}
-
-:root {
-  --radius: 0.625rem;
-  --background: oklch(1 0 0);
-  --foreground: oklch(0.145 0 0);
-  --card: oklch(1 0 0);
-  --card-foreground: oklch(0.145 0 0);
-  --popover: oklch(1 0 0);
-  --popover-foreground: oklch(0.145 0 0);
-  --primary: oklch(0.205 0 0);
-  --primary-foreground: oklch(0.985 0 0);
-  --secondary: oklch(0.97 0 0);
-  --secondary-foreground: oklch(0.205 0 0);
-  --muted: oklch(0.97 0 0);
-  --muted-foreground: oklch(0.556 0 0);
-  --accent: oklch(0.97 0 0);
-  --accent-foreground: oklch(0.205 0 0);
-  --destructive: oklch(0.577 0.245 27.325);
-  --border: oklch(0.922 0 0);
-  --input: oklch(0.922 0 0);
-  --ring: oklch(0.708 0 0);
-  --chart-1: oklch(0.646 0.222 41.116);
-  --chart-2: oklch(0.6 0.118 184.704);
-  --chart-3: oklch(0.398 0.07 227.392);
-  --chart-4: oklch(0.828 0.189 84.429);
-  --chart-5: oklch(0.769 0.188 70.08);
-  --sidebar: oklch(0.985 0 0);
-  --sidebar-foreground: oklch(0.145 0 0);
-  --sidebar-primary: oklch(0.205 0 0);
-  --sidebar-primary-foreground: oklch(0.985 0 0);
-  --sidebar-accent: oklch(0.97 0 0);
-  --sidebar-accent-foreground: oklch(0.205 0 0);
-  --sidebar-border: oklch(0.922 0 0);
-  --sidebar-ring: oklch(0.708 0 0);
-}
-
-.dark {
-  --background: oklch(0.145 0 0);
-  --foreground: oklch(0.985 0 0);
-  --card: oklch(0.205 0 0);
-  --card-foreground: oklch(0.985 0 0);
-  --popover: oklch(0.205 0 0);
-  --popover-foreground: oklch(0.985 0 0);
-  --primary: oklch(0.922 0 0);
-  --primary-foreground: oklch(0.205 0 0);
-  --secondary: oklch(0.269 0 0);
-  --secondary-foreground: oklch(0.985 0 0);
-  --muted: oklch(0.269 0 0);
-  --muted-foreground: oklch(0.708 0 0);
-  --accent: oklch(0.269 0 0);
-  --accent-foreground: oklch(0.985 0 0);
-  --destructive: oklch(0.704 0.191 22.216);
-  --border: oklch(1 0 0 / 10%);
-  --input: oklch(1 0 0 / 15%);
-  --ring: oklch(0.556 0 0);
-  --chart-1: oklch(0.488 0.243 264.376);
-  --chart-2: oklch(0.696 0.17 162.48);
-  --chart-3: oklch(0.769 0.188 70.08);
-  --chart-4: oklch(0.627 0.265 303.9);
-  --chart-5: oklch(0.645 0.246 16.439);
-  --sidebar: oklch(0.205 0 0);
-  --sidebar-foreground: oklch(0.985 0 0);
-  --sidebar-primary: oklch(0.488 0.243 264.376);
-  --sidebar-primary-foreground: oklch(0.985 0 0);
-  --sidebar-accent: oklch(0.269 0 0);
-  --sidebar-accent-foreground: oklch(0.985 0 0);
-  --sidebar-border: oklch(1 0 0 / 10%);
-  --sidebar-ring: oklch(0.556 0 0);
-}
-
-@layer base {
-  * {
-    @apply border-border outline-ring/50;
-  }
-  body {
-    @apply bg-background text-foreground;
-  }
-}
diff --git a/references/d3-openai-agents/src/app/layout.tsx b/references/d3-openai-agents/src/app/layout.tsx
deleted file mode 100644
index f7fa87eb875..00000000000
--- a/references/d3-openai-agents/src/app/layout.tsx
+++ /dev/null
@@ -1,34 +0,0 @@
-import type { Metadata } from "next";
-import { Geist, Geist_Mono } from "next/font/google";
-import "./globals.css";
-
-const geistSans = Geist({
-  variable: "--font-geist-sans",
-  subsets: ["latin"],
-});
-
-const geistMono = Geist_Mono({
-  variable: "--font-geist-mono",
-  subsets: ["latin"],
-});
-
-export const metadata: Metadata = {
-  title: "Create Next App",
-  description: "Generated by create next app",
-};
-
-export default function RootLayout({
-  children,
-}: Readonly<{
-  children: React.ReactNode;
-}>) {
-  return (
-    <html lang="en">
-      <body
-        className={`${geistSans.variable} ${geistMono.variable} antialiased`}
-      >
-        {children}
-      </body>
-    </html>
-  );
-}
diff --git a/references/d3-openai-agents/src/app/page.tsx b/references/d3-openai-agents/src/app/page.tsx
deleted file mode 100644
index 8bb6d2b9a08..00000000000
--- a/references/d3-openai-agents/src/app/page.tsx
+++ /dev/null
@@ -1,8 +0,0 @@
-import MainApp from "@/components/main-app";
-import { auth } from "@trigger.dev/sdk";
-
-export default async function Home() {
-  const publicAccessToken = await auth.createTriggerPublicToken("chat-example");
-
-  return <MainApp publicAccessToken={publicAccessToken} />;
-}
diff --git a/references/d3-openai-agents/src/components/chat-interface.tsx b/references/d3-openai-agents/src/components/chat-interface.tsx
deleted file mode 100644
index 75f2cc5b357..00000000000
--- a/references/d3-openai-agents/src/components/chat-interface.tsx
+++ /dev/null
@@ -1,32 +0,0 @@
-import { cn } from "@/lib/utils"
-
-interface Message {
-  role: "user" | "assistant"
-  content: string
-}
-
-interface ChatInterfaceProps {
-  messages: Message[]
-}
-
-export default function ChatInterface({ messages }: ChatInterfaceProps) {
-  return (
-    <div className="space-y-4 p-4">
-      {messages.map((message, index) => (
-        <div key={index} className={cn("flex", message.role === "user" ? "justify-end" : "justify-start")}>
-          <div
-            className={cn(
-              "max-w-[80%] rounded-lg p-3",
-              message.role === "user"
-                ? "bg-primary text-primary-foreground rounded-tr-none"
-                : "bg-muted text-muted-foreground rounded-tl-none",
-            )}
-          >
-            {message.content}
-          </div>
-        </div>
-      ))}
-    </div>
-  )
-}
-
diff --git a/references/d3-openai-agents/src/components/initial-prompt.tsx b/references/d3-openai-agents/src/components/initial-prompt.tsx
deleted file mode 100644
index bf76b6ff180..00000000000
--- a/references/d3-openai-agents/src/components/initial-prompt.tsx
+++ /dev/null
@@ -1,15 +0,0 @@
-export default function InitialPrompt() {
-  return (
-    <div className="h-full flex flex-col items-center justify-center text-center p-4">
-      <h1 className="text-2xl font-bold mb-2">Welcome to the Chatbot</h1>
-      <p className="text-muted-foreground mb-6">Start a conversation by typing a message below.</p>
-      <div className="w-16 h-16 rounded-full bg-primary/10 flex items-center justify-center mb-4">
-        <span className="text-2xl">💬</span>
-      </div>
-      <p className="text-sm text-muted-foreground max-w-md">
-        This is a simulated chatbot interface. Your messages will receive automated responses.
-      </p>
-    </div>
-  )
-}
-
diff --git a/references/d3-openai-agents/src/components/main-app.tsx b/references/d3-openai-agents/src/components/main-app.tsx
deleted file mode 100644
index fd10af527c8..00000000000
--- a/references/d3-openai-agents/src/components/main-app.tsx
+++ /dev/null
@@ -1,131 +0,0 @@
-"use client";
-
-import type React from "react";
-
-import { useState } from "react";
-import { Send } from "lucide-react";
-import ChatInterface from "@/components/chat-interface";
-import InitialPrompt from "@/components/initial-prompt";
-import { useRealtimeTaskTriggerWithStreams, useWaitToken } from "@trigger.dev/react-hooks";
-import type { chatExample } from "@/trigger/chat";
-import { AgentLoopMetadata } from "@/trigger/schemas";
-import type { TextStreamPart } from "ai";
-
-type ChatConversation = Array<{ role: "user" | "assistant"; content: string }>;
-
-type ResponseStreams = {
-  [K in `responses.${number | string}`]: TextStreamPart<{}>;
-};
-
-export function useChat({ publicAccessToken }: { publicAccessToken: string }) {
-  const triggerInstance = useRealtimeTaskTriggerWithStreams<typeof chatExample, ResponseStreams>(
-    "chat-example",
-    {
-      accessToken: publicAccessToken,
-      baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-    }
-  );
-  const [conversation, setConversation] = useState<ChatConversation>([]);
-  const [isLoading, setIsLoading] = useState(false);
-  const [waitToken, setWaitToken] = useState<AgentLoopMetadata | null>(null);
-
-  const waitTokenInstance = useWaitToken(waitToken?.waitToken.id, {
-    enabled: !!waitToken?.waitToken.id,
-    accessToken: waitToken?.waitToken.publicAccessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-  });
-
-  const waitTokenStream = waitToken?.waitToken.id
-    ? triggerInstance.streams[`responses.${waitToken?.waitToken.id}`]
-    : undefined;
-
-  const textStream = waitTokenStream
-    ?.map((part) => {
-      if (part.type === "text-delta") {
-        return part.textDelta;
-      }
-    })
-    .join("");
-
-  console.log("textStream", textStream);
-
-  if (triggerInstance.run) {
-    console.log("run", triggerInstance.run);
-
-    const metadata = AgentLoopMetadata.safeParse(triggerInstance.run.metadata);
-
-    if (!metadata.success) {
-      console.error("Failed to parse metadata", metadata.error);
-    } else {
-      console.log("metadata", metadata.data);
-
-      setWaitToken(metadata.data);
-    }
-  }
-
-  return {
-    continueConversation: (prompt: string) => {
-      if (waitTokenInstance.isReady) {
-        waitTokenInstance.complete({
-          message: prompt,
-        });
-      } else {
-        const result = triggerInstance.submit({
-          model: "gpt-4o-mini",
-          prompt,
-        });
-
-        setConversation((prev) => [...prev, { role: "user", content: prompt }]);
-
-        return result;
-      }
-    },
-    conversation,
-    isLoading,
-  };
-}
-
-export default function MainApp({ publicAccessToken }: { publicAccessToken: string }) {
-  const { continueConversation, conversation, isLoading } = useChat({ publicAccessToken });
-  const [input, setInput] = useState("");
-
-  const handleSubmit = (e: React.FormEvent) => {
-    e.preventDefault();
-
-    if (!input.trim()) return;
-
-    continueConversation(input);
-    setInput("");
-  };
-
-  return (
-    <main className="flex min-h-screen flex-col items-center justify-between p-4 md:p-24">
-      <div className="w-full max-w-3xl mx-auto h-[80vh] flex flex-col">
-        <div className="flex-1 overflow-y-auto mb-4 rounded-lg">
-          {conversation.length === 0 ? (
-            <InitialPrompt />
-          ) : (
-            <ChatInterface messages={conversation} />
-          )}
-        </div>
-
-        <form onSubmit={handleSubmit} className="flex gap-2">
-          <input
-            type="text"
-            value={input}
-            onChange={(e) => setInput(e.target.value)}
-            placeholder="Type a message..."
-            className="flex-1 p-3 rounded-lg border border-gray-300 focus:outline-none focus:ring-2 focus:ring-primary"
-          />
-          <button
-            type="submit"
-            disabled={isLoading || !input.trim()}
-            className="p-3 rounded-lg bg-primary text-primary-foreground hover:bg-primary/90 disabled:opacity-50"
-          >
-            <Send size={20} />
-          </button>
-        </form>
-      </div>
-    </main>
-  );
-}
diff --git a/references/d3-openai-agents/src/extensions/playwright.ts b/references/d3-openai-agents/src/extensions/playwright.ts
deleted file mode 100644
index 178bed23d1d..00000000000
--- a/references/d3-openai-agents/src/extensions/playwright.ts
+++ /dev/null
@@ -1,36 +0,0 @@
-import type { BuildContext, BuildExtension } from "@trigger.dev/build";
-
-// This is a custom build extension to install Playwright and Chromium
-export function installPlaywrightChromium(): BuildExtension {
-  return {
-    name: "InstallPlaywrightChromium",
-    onBuildComplete(context: BuildContext) {
-      const instructions = [
-        // Base and Chromium dependencies
-        `RUN apt-get update && apt-get install -y --no-install-recommends \
-          curl unzip npm libnspr4 libatk1.0-0 libatk-bridge2.0-0 libatspi2.0-0 \
-          libasound2 libnss3 libxcomposite1 libxdamage1 libxfixes3 libxrandr2 \
-          libgbm1 libxkbcommon0 \
-          && apt-get clean && rm -rf /var/lib/apt/lists/*`,
-
-        // Install Playwright and Chromium
-        `RUN npm install -g playwright`,
-        `RUN mkdir -p /ms-playwright`,
-        `RUN PLAYWRIGHT_BROWSERS_PATH=/ms-playwright python -m playwright install --with-deps chromium`,
-      ];
-
-      context.addLayer({
-        id: "playwright",
-        image: { instructions },
-        deploy: {
-          env: {
-            PLAYWRIGHT_BROWSERS_PATH: "/ms-playwright",
-            PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1",
-            PLAYWRIGHT_SKIP_BROWSER_VALIDATION: "1",
-          },
-          override: true,
-        },
-      });
-    },
-  };
-}
diff --git a/references/d3-openai-agents/src/lib/migrate.ts b/references/d3-openai-agents/src/lib/migrate.ts
deleted file mode 100644
index 7a32a1bc48d..00000000000
--- a/references/d3-openai-agents/src/lib/migrate.ts
+++ /dev/null
@@ -1,49 +0,0 @@
-import { sql } from "@vercel/postgres";
-
-export async function migrate(direction: "up" | "down") {
-  if (direction === "up") {
-    await migrateUp();
-  } else {
-    await migrateDown();
-  }
-}
-
-export async function migrateUp() {
-  const createTable = await sql`
-    CREATE TABLE IF NOT EXISTS todos (
-      id VARCHAR(255) PRIMARY KEY,
-      user_id VARCHAR(255) NOT NULL,
-      title VARCHAR(255) NOT NULL,
-      description TEXT,
-      status VARCHAR(50) NOT NULL DEFAULT 'pending',
-      priority INTEGER NOT NULL DEFAULT 3,
-      due_date TIMESTAMP WITH TIME ZONE,
-      created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
-      updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
-      completed_at TIMESTAMP WITH TIME ZONE,
-      tags TEXT[], -- Array of tags
-      assigned_to VARCHAR(255)
-    );
-  `;
-
-  console.log(`Created "todos" table`);
-
-  return {
-    createTable,
-  };
-}
-
-export async function migrateDown() {
-  const dropTable = await sql`
-    DROP TABLE IF EXISTS todos;
-  `;
-
-  console.log(`Dropped "todos" table`);
-}
-
-async function main() {
-  const direction = process.argv[2];
-  await migrate(direction as "up" | "down");
-}
-
-main().catch(console.error);
diff --git a/references/d3-openai-agents/src/lib/utils.ts b/references/d3-openai-agents/src/lib/utils.ts
deleted file mode 100644
index bd0c391ddd1..00000000000
--- a/references/d3-openai-agents/src/lib/utils.ts
+++ /dev/null
@@ -1,6 +0,0 @@
-import { clsx, type ClassValue } from "clsx"
-import { twMerge } from "tailwind-merge"
-
-export function cn(...inputs: ClassValue[]) {
-  return twMerge(clsx(inputs))
-}
diff --git a/references/d3-openai-agents/src/trigger/approval.ts b/references/d3-openai-agents/src/trigger/approval.ts
deleted file mode 100644
index ee6be8e2aa6..00000000000
--- a/references/d3-openai-agents/src/trigger/approval.ts
+++ /dev/null
@@ -1,313 +0,0 @@
-import { openai } from "@ai-sdk/openai";
-import { logger, metadata, schemaTask, wait } from "@trigger.dev/sdk/v3";
-import { sql } from "@vercel/postgres";
-import { streamText, TextStreamPart } from "ai";
-import { nanoid } from "nanoid";
-import { z } from "zod";
-import { WebClient } from "@slack/web-api";
-import { QueryApproval } from "./schemas";
-import { tool } from "ai";
-import { ai } from "@trigger.dev/sdk/ai";
-
-const queryApprovalTask = schemaTask({
-  id: "query-approval",
-  description: "Get approval for a SQL query from an admin",
-  schema: z.object({
-    userId: z.string().describe("The user_id to get approval for"),
-    input: z.string().describe("The input to get approval for"),
-    query: z.string().describe("The SQL query to execute"),
-  }),
-  run: async ({ userId, input, query }) => {
-    const toolOptions = ai.currentToolOptions();
-
-    if (toolOptions) {
-      logger.info("tool options", {
-        toolOptions,
-      });
-    }
-
-    const token = await wait.createToken({
-      tags: [`user:${userId}`, "approval"],
-      timeout: "1m",
-    });
-
-    logger.info("waiting for approval", {
-      query,
-    });
-
-    await sendSQLApprovalMessage({
-      query,
-      userId,
-      tokenId: token.id,
-      publicAccessToken: token.publicAccessToken,
-      input,
-    });
-
-    const result = await wait.forToken<QueryApproval>(token);
-
-    if (!result.ok) {
-      return {
-        approved: false,
-      };
-    } else {
-      if (result.output.approved) {
-        logger.info("query approved", {
-          query,
-        });
-      } else {
-        logger.warn("query denied", {
-          query,
-        });
-      }
-
-      return {
-        approved: result.output.approved,
-      };
-    }
-  },
-});
-
-const queryApproval = ai.tool(queryApprovalTask);
-
-const executeSql = tool({
-  description: "Use this tool to execute a SQL query",
-  parameters: z.object({
-    query: z.string().describe("The SQL query to execute"),
-  }),
-  execute: async ({ query }) => {
-    return await sql.query(query);
-  },
-});
-
-const generateId = tool({
-  description: "Use this tool to generate a unique ID for a todo",
-  parameters: z.object({
-    prefix: z.string().describe("The prefix for the ID (defaults to 'todo')").default("todo"),
-  }),
-  execute: async ({ prefix }) => {
-    return `${prefix}_${nanoid(12)}`;
-  },
-});
-
-const getUserTodos = tool({
-  description: "Use this tool to get all todos for a user",
-  parameters: z.object({
-    userId: z.string().describe("The user_id to get todos for"),
-  }),
-  execute: async ({ userId }) => {
-    const result = await sql`SELECT * FROM todos WHERE user_id = ${userId}`;
-
-    return result.rows;
-  },
-});
-
-export type STREAM = {
-  ai: TextStreamPart<{
-    queryApproval: typeof queryApproval;
-    executeSql: typeof executeSql;
-    generateId: typeof generateId;
-    getUserTodos: typeof getUserTodos;
-  }>;
-};
-
-export const generateAndExecuteSQL = schemaTask({
-  id: "generate-and-execute-sql",
-  description: "Generate and execute SQL",
-  schema: z.object({
-    model: z.string().default("gpt-4o"),
-    input: z.string().describe("The input to generate the SQL from"),
-    userId: z.string().describe("The user_id to generate the SQL for"),
-  }),
-  run: async ({ model, input, userId }) => {
-    const system = `
-      You are a SQL (postgres) expert who can turn natural language descriptions for a todo app 
-      into a SQL query which can then be executed against a SQL database. Here is the schema:
-      
-      CREATE TABLE IF NOT EXISTS todos (
-        id VARCHAR(255) PRIMARY KEY,
-        user_id VARCHAR(255) NOT NULL,
-        title VARCHAR(255) NOT NULL,
-        description TEXT,
-        status VARCHAR(50) NOT NULL DEFAULT 'pending',
-        priority INTEGER NOT NULL DEFAULT 3,
-        due_date TIMESTAMP WITH TIME ZONE,
-        created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
-        updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
-        completed_at TIMESTAMP WITH TIME ZONE,
-        tags TEXT[], -- Array of tags
-        assigned_to VARCHAR(255)
-      );
-
-      Only Create, Read, Update, and Delete operations are allowed.
-
-      The input will be a user_id and a prompt.
-
-      The output will be a SQL query.
-
-      If the query produced is a mutation, you will need to get approval first from an admin using the queryApproval tool. 
-      If the queryApproval tool returns false, you will need to stop and return an error message.
-      If the queryApproval tool returns true, you will need to execute the query using the executeSql tool.
-
-      The executeSql tool will return the results of the query
-
-      The current time is ${new Date().toISOString()}.
-
-      When creating a todo, you'll need to generate a unique ID for the todo, using the generateId tool.
-      For updates, you'll need to use the getUserTodos tool to find the todo first.
-
-      IMPORTANT: Don't ask the user to provide any more information to help you generate the SQL query, do your best to generate the query based on the input alone.
-
-      After successfully executing a mutation query, get the latest user todos and summarize them along with what has been updated.
-      After successfully executing a read query, summarize the results in a human readable format.
-    `;
-
-    const prompt = `
-      User ${userId} has the following prompt: ${input}
-
-      Generate a SQL query to execute.
-    `;
-
-    const result = streamText({
-      model: openai(model),
-      system,
-      prompt,
-      maxSteps: 10,
-      tools: {
-        queryApproval,
-        executeSql,
-        generateId,
-        getUserTodos,
-      },
-      experimental_telemetry: {
-        isEnabled: true,
-      },
-    });
-
-    const stream = await metadata.stream("ai", result.fullStream);
-
-    const textDeltas: string[] = [];
-
-    for await (const chunk of stream) {
-      switch (chunk.type) {
-        case "text-delta": {
-          textDeltas.push(chunk.textDelta);
-          break;
-        }
-      }
-    }
-
-    return textDeltas.join("");
-  },
-});
-
-// Initialize the Slack client
-const slack = new WebClient(process.env.SLACK_BOT_TOKEN);
-
-type SendApprovalMessageParams = {
-  query: string;
-  userId: string;
-  tokenId: string;
-  publicAccessToken: string;
-  input: string;
-};
-
-export async function sendSQLApprovalMessage({
-  query,
-  userId,
-  tokenId,
-  publicAccessToken,
-  input,
-}: SendApprovalMessageParams) {
-  return await logger.trace(
-    "sendSQLApprovalMessage",
-    async (span) => {
-      const response = await slack.chat.postMessage({
-        channel: process.env.SLACK_CHANNEL_ID!,
-        text: `SQL Query Approval Required for user ${userId}`, // Fallback text for notifications
-        blocks: [
-          {
-            type: "header",
-            text: {
-              type: "plain_text",
-              text: "🚨 SQL Query Approval Required",
-              emoji: true,
-            },
-          },
-          {
-            type: "context",
-            elements: [
-              {
-                type: "mrkdwn",
-                text: `*Requested by:* <@${userId}>`,
-              },
-            ],
-          },
-          {
-            type: "section",
-            text: {
-              type: "mrkdwn",
-              text: "*User Request:*\n" + input,
-            },
-          },
-          {
-            type: "section",
-            text: {
-              type: "mrkdwn",
-              text: "*Generated Query:*\n```sql\n" + query + "\n```",
-            },
-          },
-          {
-            type: "actions",
-            block_id: "sql_approval_actions",
-            elements: [
-              {
-                type: "button",
-                text: {
-                  type: "plain_text",
-                  text: "Approve ✅",
-                  emoji: true,
-                },
-                style: "primary",
-                value: JSON.stringify({
-                  tokenId,
-                  publicAccessToken,
-                  action: "approve",
-                }),
-                action_id: "sql_approve",
-              },
-              {
-                type: "button",
-                text: {
-                  type: "plain_text",
-                  text: "Deny ❌",
-                  emoji: true,
-                },
-                style: "danger",
-                value: JSON.stringify({
-                  tokenId,
-                  publicAccessToken,
-                  action: "deny",
-                }),
-                action_id: "sql_deny",
-              },
-            ],
-          },
-          {
-            type: "context",
-            elements: [
-              {
-                type: "mrkdwn",
-                text: "⚠️ This action cannot be undone",
-              },
-            ],
-          },
-        ],
-      });
-
-      return response;
-    },
-    {
-      icon: "tabler-brand-slack",
-    }
-  );
-}
diff --git a/references/d3-openai-agents/src/trigger/chat.ts b/references/d3-openai-agents/src/trigger/chat.ts
deleted file mode 100644
index c2ca19821e3..00000000000
--- a/references/d3-openai-agents/src/trigger/chat.ts
+++ /dev/null
@@ -1,98 +0,0 @@
-import { openai } from "@ai-sdk/openai";
-import { CompleteTaskWithOutput, logger, metadata, schemaTask, wait } from "@trigger.dev/sdk/v3";
-import { CoreMessage, streamText } from "ai";
-import { z } from "zod";
-
-const MAX_STEPS = 10;
-
-export const chatExample = schemaTask({
-  id: "chat-example",
-  description: "Chat example",
-  schema: z.object({
-    model: z.string().default("chatgpt-4o-latest"),
-    prompt: z.string().default("Hello, how are you?"),
-  }),
-  run: async ({ model, prompt }) => {
-    const aiModel = openai(model);
-
-    let messages: CoreMessage[] = [
-      {
-        role: "system",
-        content:
-          "You are a helpful assistant that can answer questions and help with tasks. Please be very concise and to the point.",
-      },
-      {
-        role: "user",
-        content: prompt,
-      },
-    ];
-
-    let step = 0;
-
-    while (step < MAX_STEPS) {
-      step++;
-
-      await logger.trace(
-        `Step ${step}`,
-        async (span) => {
-          // This token will expire in 1 day
-          const token = await wait.createToken({ timeout: "1d" });
-
-          metadata.set("waitToken", token);
-          await metadata.flush();
-
-          const result = streamText({
-            model: aiModel,
-            messages,
-            experimental_telemetry: {
-              isEnabled: true,
-            },
-          });
-
-          logger.info("Received result from streamText");
-
-          const stream = await metadata.stream(`responses.${token.id}`, result.fullStream);
-
-          logger.info("Gathering the text from the stream");
-
-          let assistantResponse = "";
-
-          for await (const chunk of stream) {
-            if (chunk.type === "text-delta") {
-              assistantResponse += chunk.textDelta;
-            }
-          }
-
-          logger.info("Assistant response", { assistantResponse });
-
-          messages.push({
-            role: "assistant",
-            content: assistantResponse,
-          });
-
-          // Now wait for the next message
-          const nextMessage = await wait.forToken<{ message: string }>(token);
-
-          if (nextMessage.ok) {
-            logger.info("Next message", { nextMessage: nextMessage.output.message });
-
-            messages.push({
-              role: "user",
-              content: nextMessage.output.message,
-            });
-          } else {
-            logger.info("No next message", { nextMessage });
-
-            throw new CompleteTaskWithOutput({ waitpoint: token.id });
-          }
-        },
-        {
-          attributes: {
-            step,
-          },
-          icon: "tabler-repeat",
-        }
-      );
-    }
-  },
-});
diff --git a/references/d3-openai-agents/src/trigger/openaiAgent.ts b/references/d3-openai-agents/src/trigger/openaiAgent.ts
deleted file mode 100644
index 148d8c8d072..00000000000
--- a/references/d3-openai-agents/src/trigger/openaiAgent.ts
+++ /dev/null
@@ -1,197 +0,0 @@
-import { batch, logger, schemaTask, wait } from "@trigger.dev/sdk/v3";
-import { createHash } from "node:crypto";
-import { z } from "zod";
-import { zodToJsonSchema } from "zod-to-json-schema";
-import { CSVRowPayload, RowEnrichmentResult } from "./schemas";
-import { python } from "@trigger.dev/python";
-
-export const d3Demo = schemaTask({
-  id: "d3-demo",
-  description: "D3 Demo - Enriches a CSV dataset using Trigger.dev and the python OpenAI Agent SDK",
-  schema: z.object({
-    url: z.string().url().describe("The URL of the CSV dataset to enrich"),
-  }),
-  run: async ({ url }) => {
-    const response = await fetch(url);
-    const csv = await response.text();
-
-    const header = csv.split("\n")[0];
-    const rows = csv.split("\n").slice(1);
-
-    // Each payload has a header, url, and a single row
-    const payloads = rows.map((row) => ({
-      header,
-      url,
-      row,
-    }));
-
-    const chunkedPayloads = [];
-
-    for (let i = 0; i < payloads.length; i += 500) {
-      chunkedPayloads.push(payloads.slice(i, i + 500));
-    }
-
-    // Process each chunk
-    for (const chunk of chunkedPayloads) {
-      const results = await batch.triggerAndWait<typeof handleCSVRow>(
-        chunk.map((payload) => ({
-          id: "handle-csv-row",
-          payload,
-          options: {
-            idempotencyKey: createIdempotencyKey(payload),
-          },
-        }))
-      );
-
-      for (const result of results.runs) {
-        if (result.ok) {
-          // Pretty print the result of the enrichment
-          logger.log(`Enriched row ${result.output.row}`, result.output);
-        } else {
-          logger.error(`Error enriching row: ${result.error}`);
-        }
-      }
-    }
-  },
-});
-
-const ROW_AGENT_RUNNER_COUNT = 10;
-
-export const handleCSVRow = schemaTask({
-  id: "handle-csv-row",
-  description: "Handles a single row of a CSV dataset",
-  schema: CSVRowPayload,
-  run: async ({ header, row, url }) => {
-    // Batch trigger the rowAgentCoordinator to try 10 different enrichments on the same row
-    const results = await batch.triggerAndWait<typeof rowAgentCoordinator>(
-      Array.from({ length: ROW_AGENT_RUNNER_COUNT }, () => ({
-        id: "row-agent-coordinator" as const,
-        payload: { row: { header, row, url } },
-      }))
-    );
-
-    const outputs = results.runs.filter((result) => result.ok).map((result) => result.output);
-
-    const enrichment = await enrichmentResultsEvaluator
-      .triggerAndWait({
-        results: outputs,
-      })
-      .unwrap();
-
-    return {
-      enrichment,
-      header,
-      row,
-      url,
-    };
-  },
-});
-
-export const rowAgentCoordinator = schemaTask({
-  id: "row-agent-coordinator",
-  description: "Coordinators the row agent",
-  schema: z.object({
-    row: CSVRowPayload,
-  }),
-  run: async ({ row }) => {
-    const waitToken = await wait.createToken({
-      timeout: "2m",
-    });
-
-    const jsonSchema = zodToJsonSchema(RowEnrichmentResult);
-
-    await rowAgentRunner.trigger({
-      row,
-      waitToken,
-      jsonSchema,
-    });
-
-    const result = await wait.forToken<RowEnrichmentResult>(waitToken.id);
-
-    if (!result.ok) {
-      throw result.error;
-    }
-
-    return result.output;
-  },
-});
-
-export const rowAgentRunner = schemaTask({
-  id: "row-agent-runner",
-  description: "Runs the row agent",
-  schema: z.object({
-    row: CSVRowPayload,
-    waitToken: z.object({
-      id: z
-        .string()
-        .describe(
-          "The wait token that the OpenAI Agent SDK will use to signal back to the coordinator"
-        ),
-      publicAccessToken: z
-        .string()
-        .describe(
-          "The public access token that the OpenAI Agent SDK will use to signal back to the coordinator"
-        ),
-    }),
-    jsonSchema: z.any().describe("The JSON schema of the result"),
-    disableWaitTokenCompletion: z
-      .boolean()
-      .default(false)
-      .describe("Whether to disable wait token completion"),
-  }),
-  run: async ({ row, waitToken, jsonSchema, disableWaitTokenCompletion }) => {
-    const inputData = JSON.stringify({
-      row,
-      waitToken,
-      jsonSchema,
-      disableWaitTokenCompletion,
-    });
-
-    logger.info("process.env", {
-      env: process.env,
-    });
-
-    const result = await python.runScript("./src/trigger/python/agent.py", [inputData]);
-
-    logger.debug("row-agent-runner", {
-      result,
-    });
-
-    return {} as unknown as RowEnrichmentResult;
-  },
-  catchError: async ({ error }) => {
-    logger.error("row-agent-runner", {
-      error,
-    });
-  },
-});
-
-export const enrichmentResultsEvaluator = schemaTask({
-  id: "enrichment-results-evaluator",
-  description: "Evaluates the enrichment results",
-  schema: z.object({
-    results: z.array(RowEnrichmentResult),
-  }),
-  run: async ({ results }) => {
-    // Combine the results into a single object (this is a placeholder for a more complex evaluation)
-    const combinedResult = results.reduce(
-      (acc, result) => ({
-        ...acc,
-        ...result,
-      }),
-      {} as RowEnrichmentResult
-    );
-
-    return combinedResult;
-  },
-});
-
-// Create a hash of the payload using Node.js crypto
-// Ideally, you'd do a stable serialization of the payload before hashing, to ensure the same payload always results in the same hash
-function createIdempotencyKey(payload: CSVRowPayload): string {
-  const content = `${payload.header}\n${payload.row}`;
-
-  const hash = createHash("sha256");
-  hash.update(content);
-  return hash.digest("hex");
-}
diff --git a/references/d3-openai-agents/src/trigger/python/agent.py b/references/d3-openai-agents/src/trigger/python/agent.py
deleted file mode 100644
index 7b912964295..00000000000
--- a/references/d3-openai-agents/src/trigger/python/agent.py
+++ /dev/null
@@ -1,171 +0,0 @@
-import asyncio
-import sys
-import os
-import json
-import requests
-from typing import Optional
-from pydantic import BaseModel, Field
-from agents import Agent, Runner, WebSearchTool, trace
-import logfire
-from opentelemetry.trace.propagation.tracecontext import TraceContextTextMapPropagator
-from logfire.propagate import attach_context
-
-logfire.configure(
-    service_name='d3-demo',
-    send_to_logfire="if-token-present",
-    distributed_tracing=True
-)
-logfire.instrument_openai_agents()
-
-class CSVRowPayload(BaseModel):
-    header: str = Field(description="The header of the CSV dataset")
-    row: str = Field(description="The row to handle")
-    url: str = Field(description="The URL of the CSV dataset")
-
-class WaitToken(BaseModel):
-    id: str = Field(description="The wait token ID")
-    publicAccessToken: str = Field(description="The public access token for authorization")
-
-class AgentInput(BaseModel):
-    row: CSVRowPayload
-    waitToken: WaitToken
-    jsonSchema: dict
-    disableWaitTokenCompletion: bool = Field(default=False, description="Whether to disable wait token completion")
-    
-class BasicInfo(BaseModel):
-    name: str = Field(description="The name of the row")
-    email: str = Field(description="The email of the row")
-    firstName: Optional[str] = Field(None, description="The first name of the row")
-    lastName: Optional[str] = Field(None, description="The last name of the row")
-    preferredName: Optional[str] = Field(None, description="The preferred name of the row")
-
-class CompanyInfo(BaseModel):
-    name: str = Field(description="The name of the company")
-    industry: str = Field(description="The industry of the company")
-
-class SocialInfo(BaseModel):
-    twitter: Optional[str] = Field(None, description="The Twitter username of the person")
-    linkedin: Optional[str] = Field(None, description="The LinkedIn username of the person")
-    facebook: Optional[str] = Field(None, description="The Facebook username of the person")
-    instagram: Optional[str] = Field(None, description="The Instagram username of the person")
-
-class RowEnrichmentResult(BaseModel):
-    basicInfo: BasicInfo
-    companyInfo: CompanyInfo
-    socialInfo: SocialInfo
-
-def complete_wait_token(wait_token: WaitToken, result: dict):
-    """Send the enrichment result back to Trigger.dev"""
-    with trace("complete_wait_token"):
-        url = f"{os.environ['TRIGGER_API_URL']}/api/v1/waitpoints/tokens/{wait_token.id}/complete"
-        headers = {
-            "Authorization": f"Bearer {wait_token.publicAccessToken}",
-            "Content-Type": "application/json"
-        }
-        response = requests.post(url, json={"data": result}, headers=headers)
-        response.raise_for_status()
-        return response.json()
-
-basic_info_agent = Agent(
-    name="Basic Info Agent",
-    instructions=f"""You are an expert at extracting basic information from a person's contact details.
-    """,
-    tools=[WebSearchTool()],
-    output_type=BasicInfo
-)
-
-company_info_agent = Agent(
-    name="Company Info Agent",
-    instructions=f"""You are an expert at extracting company information from a person's contact details.
-    """,
-    tools=[WebSearchTool()],
-    output_type=CompanyInfo
-)
-
-social_info_agent = Agent(
-    name="Social Info Agent",
-    instructions=f"""You are an expert at extracting social media information from a person's contact details.
-    """,
-    tools=[WebSearchTool()],
-    output_type=SocialInfo
-)
-
-agent = Agent(
-    name="CSV Row Enrichment Agent",
-    instructions=f"""You are an expert at enriching contact information data.
-    Your task is to use web search to find additional information about a person
-    based on their basic contact details.
-
-    Please find the basic information, company information, and social media information for the person.
-
-    The input data is from an unspecified CSV dataset, but most likely a CSV dump from a CRM or other source like Mailchimp, etc.
-
-    You'll receive the header row and a single row from the dataset to enrich, in their raw form.
-    
-    Only include information you are confident about from reliable sources.
-    Use null for fields where you cannot find reliable information.
-    """,
-    tools=[
-        basic_info_agent.as_tool(
-            tool_name="basic_info_agent", 
-            tool_description="Extract basic information from a person's contact details"
-        ), 
-        company_info_agent.as_tool(
-            tool_name="company_info_agent", 
-            tool_description="Extract company information from a person's contact details"
-        ),
-        social_info_agent.as_tool(
-            tool_name="social_info_agent", 
-            tool_description="Extract social media information from a person's contact details"
-        )
-    ],
-    output_type=RowEnrichmentResult
-)
-
-async def main(agent_input: AgentInput):    
-    # Run the agent
-    result = await Runner.run(
-        agent,
-        f"""
-        Header row: {agent_input.row.header}
-        Row to enrich: {agent_input.row.row}
-        CSV URL: {agent_input.row.url}
-        """
-    )
-
-    enriched_data = result.final_output
-    if isinstance(enriched_data, BaseModel):
-        enriched_data = enriched_data.model_dump()
-
-    print("Final Output:")
-    # Pretty print the final output
-    print(json.dumps(enriched_data, indent=2))
-
-    if not agent_input.disableWaitTokenCompletion:
-        try:        
-            # Send the result back to Trigger.dev
-            complete_wait_token(agent_input.waitToken, enriched_data)
-        
-            print("Successfully enriched data and notified Trigger.dev")
-        
-        except json.JSONDecodeError:  
-          print("Error: Agent output was not valid JSON")
-          sys.exit(1)
-    
-    # Make sure to flush the logfire context
-    logfire.force_flush()
-
-if __name__ == "__main__":
-    # Parse command line input as JSON
-    if len(sys.argv) < 2:
-        print("Usage: python agent.py '<json_input>'")
-        sys.exit(1)
-
-    # Extract the traceparent os.environ['TRACEPARENT']
-    carrier ={'traceparent': os.environ['TRACEPARENT']}
-    ctx = TraceContextTextMapPropagator().extract(carrier=carrier)
-    
-    with attach_context(carrier=carrier, third_party=True):
-        # Parse the input JSON into our Pydantic model
-        input_data = AgentInput.model_validate_json(sys.argv[1])
-        asyncio.run(main(input_data))
\ No newline at end of file
diff --git a/references/d3-openai-agents/src/trigger/schemas.ts b/references/d3-openai-agents/src/trigger/schemas.ts
deleted file mode 100644
index c2e5982a1be..00000000000
--- a/references/d3-openai-agents/src/trigger/schemas.ts
+++ /dev/null
@@ -1,46 +0,0 @@
-import { z } from "zod";
-
-export const AgentLoopMetadata = z.object({
-  waitToken: z.object({
-    id: z.string(),
-    publicAccessToken: z.string(),
-  }),
-});
-
-export type AgentLoopMetadata = z.infer<typeof AgentLoopMetadata>;
-
-export const CSVRowPayload = z.object({
-  header: z.string().describe("The header of the CSV dataset"),
-  row: z.string().describe("The row to handle"),
-  url: z.string().url().describe("The URL of the CSV dataset"),
-});
-
-export type CSVRowPayload = z.infer<typeof CSVRowPayload>;
-
-export const RowEnrichmentResult = z.object({
-  basicInfo: z.object({
-    name: z.string().describe("The name of the row"),
-    email: z.string().email().describe("The email of the row"),
-    firstName: z.string().optional().describe("The first name of the row"),
-    lastName: z.string().optional().describe("The last name of the row"),
-    preferredName: z.string().optional().describe("The preferred name of the row"),
-  }),
-  companyInfo: z.object({
-    name: z.string().describe("The name of the company"),
-    industry: z.string().describe("The industry of the company"),
-  }),
-  socialInfo: z.object({
-    twitter: z.string().url().optional().describe("The Twitter URL of the person"),
-    linkedin: z.string().url().optional().describe("The LinkedIn URL of the person"),
-    facebook: z.string().url().optional().describe("The Facebook URL of the person"),
-    instagram: z.string().url().optional().describe("The Instagram URL of the person"),
-  }),
-});
-
-export type RowEnrichmentResult = z.infer<typeof RowEnrichmentResult>;
-
-export const QueryApproval = z.object({
-  approved: z.boolean().describe("Whether the query has been approved"),
-});
-
-export type QueryApproval = z.infer<typeof QueryApproval>;
diff --git a/references/d3-openai-agents/tailwind.config.ts b/references/d3-openai-agents/tailwind.config.ts
deleted file mode 100644
index 555f65867fb..00000000000
--- a/references/d3-openai-agents/tailwind.config.ts
+++ /dev/null
@@ -1,81 +0,0 @@
-import type { Config } from "tailwindcss"
-
-const config: Config = {
-  darkMode: ["class"],
-  content: [
-    "./pages/**/*.{ts,tsx}",
-    "./components/**/*.{ts,tsx}",
-    "./app/**/*.{ts,tsx}",
-    "./src/**/*.{ts,tsx}",
-    "*.{js,ts,jsx,tsx,mdx}",
-  ],
-  theme: {
-    container: {
-      center: true,
-      padding: "2rem",
-      screens: {
-        "2xl": "1400px",
-      },
-    },
-    extend: {
-      colors: {
-        border: "hsl(var(--border))",
-        input: "hsl(var(--input))",
-        ring: "hsl(var(--ring))",
-        background: "hsl(var(--background))",
-        foreground: "hsl(var(--foreground))",
-        primary: {
-          DEFAULT: "hsl(var(--primary))",
-          foreground: "hsl(var(--primary-foreground))",
-        },
-        secondary: {
-          DEFAULT: "hsl(var(--secondary))",
-          foreground: "hsl(var(--secondary-foreground))",
-        },
-        destructive: {
-          DEFAULT: "hsl(var(--destructive))",
-          foreground: "hsl(var(--destructive-foreground))",
-        },
-        muted: {
-          DEFAULT: "hsl(var(--muted))",
-          foreground: "hsl(var(--muted-foreground))",
-        },
-        accent: {
-          DEFAULT: "hsl(var(--accent))",
-          foreground: "hsl(var(--accent-foreground))",
-        },
-        popover: {
-          DEFAULT: "hsl(var(--popover))",
-          foreground: "hsl(var(--popover-foreground))",
-        },
-        card: {
-          DEFAULT: "hsl(var(--card))",
-          foreground: "hsl(var(--card-foreground))",
-        },
-      },
-      borderRadius: {
-        lg: "var(--radius)",
-        md: "calc(var(--radius) - 2px)",
-        sm: "calc(var(--radius) - 4px)",
-      },
-      keyframes: {
-        "accordion-down": {
-          from: { height: "0" },
-          to: { height: "var(--radix-accordion-content-height)" },
-        },
-        "accordion-up": {
-          from: { height: "var(--radix-accordion-content-height)" },
-          to: { height: "0" },
-        },
-      },
-      animation: {
-        "accordion-down": "accordion-down 0.2s ease-out",
-        "accordion-up": "accordion-up 0.2s ease-out",
-      },
-    },
-  },
-  plugins: [],
-}
-
-export default config
-
diff --git a/references/d3-openai-agents/trigger.config.ts b/references/d3-openai-agents/trigger.config.ts
deleted file mode 100644
index 77bce09ee81..00000000000
--- a/references/d3-openai-agents/trigger.config.ts
+++ /dev/null
@@ -1,20 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk";
-import { pythonExtension } from "@trigger.dev/python/extension";
-import { installPlaywrightChromium } from "./src/extensions/playwright";
-
-export default defineConfig({
-  project: "proj_wkbbtayxrmeyqhankehb",
-  dirs: ["./src/trigger"],
-  maxDuration: 3600,
-  build: {
-    extensions: [
-      // This is required to use the Python extension
-      pythonExtension({
-        requirementsFile: "./requirements.txt", // Optional: Path to your requirements file
-        devPythonBinaryPath: `.venv/bin/python`, // Optional: Custom Python binary path
-        scripts: ["src/trigger/python/**/*.py"], // List of Python scripts to include
-      }),
-      installPlaywrightChromium(),
-    ],
-  },
-});
diff --git a/references/d3-openai-agents/tsconfig.json b/references/d3-openai-agents/tsconfig.json
deleted file mode 100644
index c1334095f87..00000000000
--- a/references/d3-openai-agents/tsconfig.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2017",
-    "lib": ["dom", "dom.iterable", "esnext"],
-    "allowJs": true,
-    "skipLibCheck": true,
-    "strict": true,
-    "noEmit": true,
-    "esModuleInterop": true,
-    "module": "esnext",
-    "moduleResolution": "bundler",
-    "resolveJsonModule": true,
-    "isolatedModules": true,
-    "jsx": "preserve",
-    "incremental": true,
-    "plugins": [
-      {
-        "name": "next"
-      }
-    ],
-    "paths": {
-      "@/*": ["./src/*"]
-    }
-  },
-  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
-  "exclude": ["node_modules"]
-}
diff --git a/references/effect/.gitignore b/references/effect/.gitignore
deleted file mode 100644
index 6524f048dcb..00000000000
--- a/references/effect/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-.trigger
\ No newline at end of file
diff --git a/references/effect/package.json b/references/effect/package.json
deleted file mode 100644
index 662944ed50e..00000000000
--- a/references/effect/package.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
-  "name": "references-effect",
-  "private": true,
-  "type": "module",
-  "devDependencies": {
-    "trigger.dev": "workspace:*"
-  },
-  "dependencies": {
-    "@trigger.dev/build": "workspace:*",
-    "@trigger.dev/sdk": "workspace:*",
-    "effect": "3.17.1"
-  },
-  "scripts": {
-    "dev": "trigger dev",
-    "deploy": "trigger deploy"
-  }
-}
\ No newline at end of file
diff --git a/references/effect/src/trigger/effect.ts b/references/effect/src/trigger/effect.ts
deleted file mode 100644
index fafbe9e2e63..00000000000
--- a/references/effect/src/trigger/effect.ts
+++ /dev/null
@@ -1,37 +0,0 @@
-import { logger, task } from "@trigger.dev/sdk";
-
-import { Console, Effect, Schedule } from "effect";
-
-const helloWorldIteration = Effect.gen(function* () {
-  yield* Console.log(`Hello World!`);
-  yield* Effect.sleep("1 second");
-  yield* Console.log(`Done!`);
-  return "Iteration completed";
-});
-
-// Repeat the effect 9 times (plus the initial run = 10 total)
-const helloWorldLoop = helloWorldIteration.pipe(Effect.repeat(Schedule.recurs(9)));
-
-export const effectTask = task({
-  id: "effect",
-  run: async () => {
-    const result = await Effect.runPromise(Effect.scoped(helloWorldLoop));
-
-    return result;
-  },
-  onSuccess: async () => {
-    logger.info("Hello, world from the onSuccess hook");
-  },
-  onFailure: async () => {
-    logger.info("Hello, world from the onFailure hook");
-  },
-  onCancel: async () => {
-    logger.info("Hello, world from the onCancel hook");
-  },
-});
-
-// Prevent SIGTERM from killing the process immediately
-process.on("SIGTERM", () => {
-  console.log("Received SIGTERM signal, but ignoring it...");
-  // Process continues running
-});
diff --git a/references/effect/trigger.config.ts b/references/effect/trigger.config.ts
deleted file mode 100644
index 9873daf22f0..00000000000
--- a/references/effect/trigger.config.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk/v3";
-
-export default defineConfig({
-  project: process.env.TRIGGER_PROJECT_REF!,
-  experimental_processKeepAlive: {
-    enabled: true,
-    maxExecutionsPerProcess: 20,
-  },
-  logLevel: "log",
-  maxDuration: 3600,
-  retries: {
-    enabledInDev: true,
-    default: {
-      maxAttempts: 3,
-      minTimeoutInMs: 1000,
-      maxTimeoutInMs: 10000,
-      factor: 2,
-      randomize: true,
-    },
-  },
-  machine: "small-2x",
-});
diff --git a/references/effect/tsconfig.json b/references/effect/tsconfig.json
deleted file mode 100644
index 9a5ee0b9d68..00000000000
--- a/references/effect/tsconfig.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2023",
-    "module": "Node16",
-    "moduleResolution": "Node16",
-    "esModuleInterop": true,
-    "strict": true,
-    "skipLibCheck": true,
-    "customConditions": ["@triggerdotdev/source"],
-    "jsx": "preserve",
-    "lib": ["DOM", "DOM.Iterable"],
-    "noEmit": true
-  },
-  "include": ["./src/**/*.ts", "trigger.config.ts"]
-}
diff --git a/references/hello-world/.gitignore b/references/hello-world/.gitignore
deleted file mode 100644
index 6524f048dcb..00000000000
--- a/references/hello-world/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-.trigger
\ No newline at end of file
diff --git a/references/hello-world/package.json b/references/hello-world/package.json
deleted file mode 100644
index dc9bff17310..00000000000
--- a/references/hello-world/package.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
-  "name": "references-hello-world",
-  "private": true,
-  "type": "module",
-  "devDependencies": {
-    "trigger.dev": "workspace:*"
-  },
-  "dependencies": {
-    "@ai-sdk/openai": "^3.0.41",
-    "@trigger.dev/build": "workspace:*",
-    "@trigger.dev/sdk": "workspace:*",
-    "ai": "^6.0.116",
-    "arktype": "^2.0.0",
-    "openai": "^4.97.0",
-    "puppeteer-core": "^24.15.0",
-    "replicate": "^1.0.1",
-    "yup": "^1.6.1",
-    "zod": "3.25.76",
-    "@sinclair/typebox": "^0.34.3"
-  },
-  "scripts": {
-    "dev": "trigger dev",
-    "deploy": "trigger deploy"
-  }
-}
diff --git a/references/hello-world/src/db.ts b/references/hello-world/src/db.ts
deleted file mode 100644
index 7c2cd12c15e..00000000000
--- a/references/hello-world/src/db.ts
+++ /dev/null
@@ -1,48 +0,0 @@
-import { locals } from "@trigger.dev/sdk";
-import { logger, tasks } from "@trigger.dev/sdk";
-
-const DbLocal = locals.create<{ connect: () => Promise<void>; disconnect: () => Promise<void> }>(
-  "db"
-);
-
-export function getDb() {
-  return locals.getOrThrow(DbLocal);
-}
-
-export function setDb(db: { connect: () => Promise<void> }) {
-  locals.set(DbLocal, db);
-}
-
-tasks.middleware("db", async ({ ctx, payload, next, task }) => {
-  const db = locals.set(DbLocal, {
-    connect: async () => {
-      logger.info("Connecting to the database");
-    },
-    disconnect: async () => {
-      logger.info("Disconnecting from the database");
-    },
-  });
-
-  await db.connect();
-
-  logger.info("Hello, world from BEFORE the next call", { ctx, payload });
-  await next();
-
-  logger.info("Hello, world from AFTER the next call", { ctx, payload });
-
-  await db.disconnect();
-});
-
-tasks.onWait("db", async ({ ctx, payload, task }) => {
-  logger.info("Hello, world from ON WAIT", { ctx, payload });
-
-  const db = getDb();
-  await db.disconnect();
-});
-
-tasks.onResume("db", async ({ ctx, payload, task }) => {
-  logger.info("Hello, world from ON RESUME", { ctx, payload });
-
-  const db = getDb();
-  await db.connect();
-});
diff --git a/references/hello-world/src/index.ts b/references/hello-world/src/index.ts
deleted file mode 100644
index cb0ff5c3b54..00000000000
--- a/references/hello-world/src/index.ts
+++ /dev/null
@@ -1 +0,0 @@
-export {};
diff --git a/references/hello-world/src/resourceMonitor.ts b/references/hello-world/src/resourceMonitor.ts
deleted file mode 100644
index 27f8418d64d..00000000000
--- a/references/hello-world/src/resourceMonitor.ts
+++ /dev/null
@@ -1,767 +0,0 @@
-import { promisify } from "node:util";
-import { exec } from "node:child_process";
-import os from "node:os";
-import { promises as fs } from "node:fs";
-import { type Context, logger } from "@trigger.dev/sdk";
-import { getHeapStatistics } from "node:v8";
-import { PerformanceObserver, constants } from "node:perf_hooks";
-
-const execAsync = promisify(exec);
-
-export type DiskMetrics = {
-  total: number;
-  used: number;
-  free: number;
-  percentUsed: number;
-  warning?: string;
-};
-
-export type MemoryMetrics = {
-  total: number;
-  free: number;
-  used: number;
-  percentUsed: number;
-};
-
-export type NodeProcessMetrics = {
-  memoryUsage: number;
-  memoryUsagePercent: number;
-  heapUsed: number;
-  heapSizeLimit: number;
-  heapUsagePercent: number;
-  availableHeap: number;
-  isNearHeapLimit: boolean;
-};
-
-export type TargetProcessMetrics = {
-  method: string;
-  processName: string;
-  count: number;
-  processes: ProcessInfo[];
-  averages: {
-    cpu: number;
-    memory: number;
-    rss: number;
-    vsz: number;
-  } | null;
-  totals: {
-    cpu: number;
-    memory: number;
-    rss: number;
-    vsz: number;
-  } | null;
-};
-
-export type ProcessMetrics = {
-  node: NodeProcessMetrics;
-  targetProcess: TargetProcessMetrics | null;
-};
-
-type GCSummary = {
-  count: number;
-  totalDuration: number; // ms
-  avgDuration: number; // ms
-  maxDuration: number; // ms
-  kinds: Record<
-    string,
-    {
-      // breakdown by kind
-      count: number;
-      totalDuration: number;
-      avgDuration: number;
-      maxDuration: number;
-    }
-  >;
-};
-
-type ProcessInfo = {
-  user: string;
-  pid: number;
-  cpu: number;
-  mem: number;
-  vsz: number;
-  rss: number;
-  command: string;
-};
-
-export type SystemMetrics = {
-  disk: DiskMetrics;
-  memory: MemoryMetrics;
-};
-
-export type ResourceMonitorConfig = {
-  dirName?: string;
-  processName?: string;
-  ctx: Context;
-  compactLogging?: boolean;
-};
-
-// Constants
-const DISK_LIMIT_GB = 10;
-const DISK_LIMIT_BYTES = DISK_LIMIT_GB * 1024 * 1024 * 1024; // 10Gi in bytes
-
-export class ResourceMonitor {
-  private logInterval: NodeJS.Timeout | null = null;
-  private logger: typeof logger;
-  private dirName: string;
-  private processName: string | undefined;
-  private ctx: Context;
-  private verbose: boolean;
-  private compactLogging: boolean;
-  private gcObserver: PerformanceObserver | null = null;
-  private bufferedGcEntries: PerformanceEntry[] = [];
-
-  constructor(config: ResourceMonitorConfig) {
-    this.logger = logger;
-    this.dirName = config.dirName ?? "/tmp";
-    this.processName = config.processName;
-    this.ctx = config.ctx;
-    this.verbose = true;
-    this.compactLogging = config.compactLogging ?? false;
-  }
-
-  /**
-   * Start periodic resource monitoring
-   * @param intervalMs Monitoring interval in milliseconds
-   */
-  startMonitoring(intervalMs = 10000): void {
-    if (intervalMs < 1000) {
-      intervalMs = 1000;
-      this.logger.warn("ResourceMonitor: intervalMs is less than 1000, setting to 1000");
-    }
-
-    if (this.logInterval) {
-      clearInterval(this.logInterval);
-    }
-
-    this.logInterval = setInterval(this.logResources.bind(this), intervalMs);
-
-    this.gcObserver = new PerformanceObserver((list) => {
-      this.bufferedGcEntries.push(...list.getEntries());
-    });
-
-    this.gcObserver.observe({ entryTypes: ["gc"], buffered: true });
-  }
-
-  /**
-   * Stop resource monitoring
-   */
-  stopMonitoring(): void {
-    if (this.logInterval) {
-      clearInterval(this.logInterval);
-      this.logInterval = null;
-    }
-
-    if (this.gcObserver) {
-      this.gcObserver.disconnect();
-      this.gcObserver = null;
-    }
-  }
-
-  private async logResources() {
-    try {
-      await this.logResourceSnapshot("ResourceMonitor");
-    } catch (error) {
-      this.logger.error(
-        `Resource monitoring error: ${error instanceof Error ? error.message : String(error)}`
-      );
-    }
-  }
-
-  /**
-   * Get combined system metrics (disk and memory)
-   */
-  private async getSystemMetrics(): Promise<SystemMetrics> {
-    const [disk, memory] = await Promise.all([this.getDiskMetrics(), this.getMemoryMetrics()]);
-    return { disk, memory };
-  }
-
-  /**
-   * Get disk space information
-   */
-  private async getDiskMetrics(): Promise<DiskMetrics> {
-    try {
-      // Even with permission errors, du will output a total
-      const { stdout, stderr } = await execAsync(`du -sb ${this.dirName} || true`);
-
-      // Get the last line of stdout which contains the total
-      const lastLine = stdout.split("\n").filter(Boolean).pop() || "";
-      const usedBytes = parseInt(lastLine.split("\t")[0], 10);
-
-      const effectiveTotal = DISK_LIMIT_BYTES;
-      const effectiveUsed = Math.min(usedBytes, DISK_LIMIT_BYTES);
-      const effectiveFree = effectiveTotal - effectiveUsed;
-      const percentUsed = (effectiveUsed / effectiveTotal) * 100;
-
-      const metrics: DiskMetrics = {
-        total: effectiveTotal,
-        used: effectiveUsed,
-        free: effectiveFree,
-        percentUsed,
-      };
-
-      // If we had permission errors, add a warning
-      if (stderr.includes("Permission denied") || stderr.includes("cannot access")) {
-        metrics.warning = "Some directories were not accessible";
-      } else if (stderr.includes("No such file or directory")) {
-        metrics.warning = "The directory does not exist";
-      }
-
-      return metrics;
-    } catch (error) {
-      this.logger.error(
-        `Error getting disk metrics: ${error instanceof Error ? error.message : String(error)}`
-      );
-      return {
-        free: DISK_LIMIT_BYTES,
-        total: DISK_LIMIT_BYTES,
-        used: 0,
-        percentUsed: 0,
-        warning: "Failed to measure disk usage",
-      };
-    }
-  }
-
-  /**
-   * Get memory metrics
-   */
-  private getMemoryMetrics(): MemoryMetrics {
-    const total = os.totalmem();
-    const free = os.freemem();
-    const used = total - free;
-    const percentUsed = (used / total) * 100;
-
-    return { total, free, used, percentUsed };
-  }
-
-  /**
-   * Get process-specific metrics using /proc filesystem
-   */
-  private async getProcMetrics(pids: number[]): Promise<ProcessInfo[]> {
-    return Promise.all(
-      pids.map(async (pid) => {
-        try {
-          // Read process status
-          const status = await fs.readFile(`/proc/${pid}/status`, "utf8");
-          const cmdline = await fs.readFile(`/proc/${pid}/cmdline`, "utf8");
-          const stat = await fs.readFile(`/proc/${pid}/stat`, "utf8");
-
-          // Parse VmRSS (resident set size) from status
-          const rss = parseInt(status.match(/VmRSS:\s+(\d+)/)?.[1] ?? "0", 10);
-          // Parse VmSize (virtual memory size) from status
-          const vsz = parseInt(status.match(/VmSize:\s+(\d+)/)?.[1] ?? "0", 10);
-          // Get process owner
-          const user = (await fs.stat(`/proc/${pid}`)).uid.toString();
-
-          // Parse CPU stats from /proc/[pid]/stat
-          const stats = stat.split(" ");
-          const utime = parseInt(stats[13], 10);
-          const stime = parseInt(stats[14], 10);
-          const starttime = parseInt(stats[21], 10);
-
-          // Calculate CPU percentage
-          const totalTime = utime + stime;
-          const uptime = os.uptime();
-          const hertz = 100; // Usually 100 on Linux
-          const elapsedTime = uptime - starttime / hertz;
-          const cpuUsage = 100 * (totalTime / hertz / elapsedTime);
-
-          // Calculate memory percentage against total system memory
-          const totalMem = os.totalmem();
-          const memoryPercent = (rss * 1024 * 100) / totalMem;
-
-          return {
-            user,
-            pid,
-            cpu: cpuUsage,
-            mem: memoryPercent,
-            vsz,
-            rss,
-            command: cmdline.replace(/\0/g, " ").trim(),
-          };
-        } catch (error) {
-          return null;
-        }
-      })
-    ).then((results) => results.filter((r): r is ProcessInfo => r !== null));
-  }
-
-  /**
-   * Find PIDs for a process name using /proc filesystem
-   */
-  private async findPidsByName(processName?: string): Promise<number[]> {
-    if (!processName) {
-      return [];
-    }
-
-    try {
-      const pids: number[] = [];
-      const procDirs = await fs.readdir("/proc");
-
-      for (const dir of procDirs) {
-        if (!/^\d+$/.test(dir)) continue;
-
-        const processPid = parseInt(dir, 10);
-
-        // Ignore processes that have a lower PID than our own PID
-        if (processPid <= process.pid) {
-          continue;
-        }
-
-        try {
-          const cmdline = await fs.readFile(`/proc/${dir}/cmdline`, "utf8");
-          if (cmdline.includes(processName)) {
-            pids.push(parseInt(dir, 10));
-          }
-        } catch {
-          // Ignore errors reading individual process info
-          continue;
-        }
-      }
-
-      return pids;
-    } catch {
-      return [];
-    }
-  }
-
-  /**
-   * Get process-specific metrics
-   */
-  private async getProcessMetrics(): Promise<ProcessMetrics> {
-    // Get Node.js process metrics
-    const totalMemory = os.totalmem();
-    // Convert GB to bytes (machine.memory is in GB)
-    const machineMemoryBytes = this.ctx.machine
-      ? this.ctx.machine.memory * 1024 * 1024 * 1024
-      : totalMemory;
-    const nodeMemoryUsage = process.memoryUsage();
-
-    // Node process percentage is based on machine memory if available, otherwise system memory
-    const nodeMemoryPercent = (nodeMemoryUsage.rss / machineMemoryBytes) * 100;
-    const heapStats = getHeapStatistics();
-
-    const nodeMetrics: NodeProcessMetrics = {
-      memoryUsage: nodeMemoryUsage.rss,
-      memoryUsagePercent: nodeMemoryPercent,
-      heapUsed: nodeMemoryUsage.heapUsed,
-      heapSizeLimit: heapStats.heap_size_limit,
-      heapUsagePercent: (heapStats.used_heap_size / heapStats.heap_size_limit) * 100,
-      availableHeap: heapStats.total_available_size,
-      isNearHeapLimit: heapStats.used_heap_size / heapStats.heap_size_limit > 0.8,
-    };
-
-    let method = "ps";
-
-    try {
-      let processes: ProcessInfo[] = [];
-
-      // Try ps first, fall back to /proc if it fails
-      try {
-        const { stdout: psOutput } = await execAsync(
-          `ps aux | grep ${this.processName} | grep -v grep`
-        );
-
-        if (psOutput.trim()) {
-          processes = psOutput
-            .trim()
-            .split("\n")
-            .filter((line) => {
-              const parts = line.trim().split(/\s+/);
-              const pid = parseInt(parts[1], 10);
-
-              // Ignore processes that have a lower PID than our own PID
-              return pid > process.pid;
-            })
-            .map((line) => {
-              const parts = line.trim().split(/\s+/);
-              return {
-                user: parts[0],
-                pid: parseInt(parts[1], 10),
-                cpu: parseFloat(parts[2]),
-                mem: parseFloat(parts[3]),
-                vsz: parseInt(parts[4], 10),
-                rss: parseInt(parts[5], 10),
-                command: parts.slice(10).join(" "),
-              };
-            });
-        }
-      } catch {
-        // ps failed, try /proc instead
-        method = "proc";
-        const pids = await this.findPidsByName(this.processName);
-        processes = await this.getProcMetrics(pids);
-      }
-
-      if (processes.length === 0) {
-        return {
-          node: nodeMetrics,
-          targetProcess: this.processName
-            ? {
-                method,
-                processName: this.processName,
-                count: 0,
-                processes: [],
-                averages: null,
-                totals: null,
-              }
-            : null,
-        };
-      }
-
-      // For CPU:
-      // - ps shows CPU percentage per core (e.g., 100% = 1 core)
-      // - machine.cpu is in cores (e.g., 0.5 = half a core)
-      // - we want to show percentage of allocated CPU (e.g., 100% = using all allocated CPU)
-      const availableCpu = this.ctx.machine?.cpu ?? os.cpus().length;
-      const cpuNormalizer = availableCpu * 100; // Convert to basis points for better precision with fractional CPUs
-
-      // For Memory:
-      // - ps 'mem' is already a percentage of system memory
-      // - we need to convert it to a percentage of machine memory
-      // - if machine memory is 0.5GB and system has 16GB, we multiply the percentage by 32
-      const memoryScaleFactor = this.ctx.machine ? totalMemory / machineMemoryBytes : 1;
-
-      const totals = processes.reduce(
-        (acc, proc) => ({
-          cpu: acc.cpu + proc.cpu,
-          // Scale memory percentage to machine memory
-          // TODO: test this
-          memory: acc.memory + proc.mem * memoryScaleFactor,
-          rss: acc.rss + proc.rss,
-          vsz: acc.vsz + proc.vsz,
-        }),
-        { cpu: 0, memory: 0, rss: 0, vsz: 0 }
-      );
-
-      const count = processes.length;
-
-      const averages = {
-        cpu: totals.cpu / (count * cpuNormalizer),
-        memory: totals.memory / count,
-        rss: totals.rss / count,
-        vsz: totals.vsz / count,
-      };
-
-      return {
-        node: nodeMetrics,
-        targetProcess: this.processName
-          ? {
-              method,
-              processName: this.processName,
-              count,
-              processes,
-              averages,
-              totals: {
-                cpu: totals.cpu / cpuNormalizer,
-                memory: totals.memory,
-                rss: totals.rss,
-                vsz: totals.vsz,
-              },
-            }
-          : null,
-      };
-    } catch (error) {
-      return {
-        node: nodeMetrics,
-        targetProcess: this.processName
-          ? {
-              method,
-              processName: this.processName,
-              count: 0,
-              processes: [],
-              averages: null,
-              totals: null,
-            }
-          : null,
-      };
-    }
-  }
-
-  /**
-   * Log a snapshot of current resource usage
-   */
-  async logResourceSnapshot(label = "Resource Snapshot"): Promise<void> {
-    try {
-      const payload = await this.getResourceSnapshotPayload();
-      const enhancedLabel = this.compactLogging
-        ? this.createCompactLabel(payload, label)
-        : this.createEnhancedLabel(payload, label);
-
-      if (payload.process.node.isNearHeapLimit) {
-        this.logger.warn(`${enhancedLabel}: Node is near heap limit`, payload);
-      } else {
-        this.logger.info(enhancedLabel, payload);
-      }
-    } catch (error) {
-      this.logger.error(
-        `Error logging resource snapshot: ${error instanceof Error ? error.message : String(error)}`
-      );
-    }
-  }
-
-  /**
-   * Create an enhanced log label with key metrics for quick scanning
-   */
-  private createEnhancedLabel(payload: any, baseLabel: string): string {
-    const parts: string[] = [baseLabel];
-
-    // System resources with text indicators
-    const diskPercent = parseFloat(payload.system.disk.percentUsed);
-    const memoryPercent = parseFloat(payload.system.memory.percentUsed);
-    const diskIndicator = this.getTextIndicator(diskPercent, 80, 90);
-    const memIndicator = this.getTextIndicator(memoryPercent, 80, 90);
-    parts.push(`Disk:${diskPercent.toFixed(1).padStart(5)}%${diskIndicator}`);
-    parts.push(`Mem:${memoryPercent.toFixed(1).padStart(5)}%${memIndicator}`);
-
-    // Node process metrics with text indicators
-    const nodeMemPercent = parseFloat(payload.process.node.memoryUsagePercent);
-    const heapPercent = parseFloat(payload.process.node.heapUsagePercent);
-    const nodeIndicator = this.getTextIndicator(nodeMemPercent, 70, 85);
-    const heapIndicator = this.getTextIndicator(heapPercent, 70, 85);
-    parts.push(`Node:${nodeMemPercent.toFixed(1).padStart(4)}%${nodeIndicator}`);
-    parts.push(`Heap:${heapPercent.toFixed(1).padStart(4)}%${heapIndicator}`);
-
-    // Target process metrics (if available)
-    if (payload.process.targetProcess && payload.process.targetProcess.count > 0) {
-      const targetCpu = payload.process.targetProcess.totals?.cpuPercent || "0";
-      const targetMem = payload.process.targetProcess.totals?.memoryPercent || "0";
-      const targetCpuNum = parseFloat(targetCpu);
-      const targetMemNum = parseFloat(targetMem);
-      const cpuIndicator = this.getTextIndicator(targetCpuNum, 80, 90);
-      const memIndicator = this.getTextIndicator(targetMemNum, 80, 90);
-      parts.push(
-        `${payload.process.targetProcess.processName}:${targetCpu.padStart(
-          4
-        )}%${cpuIndicator}/${targetMem.padStart(4)}%${memIndicator}`
-      );
-    }
-
-    // GC activity with performance indicators
-    if (payload.gc && payload.gc.count > 0) {
-      const avgDuration = payload.gc.avgDuration;
-      const gcIndicator = this.getTextIndicator(avgDuration, 5, 10, true);
-      parts.push(
-        `GC:${payload.gc.count.toString().padStart(2)}(${avgDuration
-          .toFixed(1)
-          .padStart(4)}ms)${gcIndicator}`
-      );
-    }
-
-    // Machine constraints
-    if (payload.constraints) {
-      parts.push(`[${payload.constraints.cpu}CPU/${payload.constraints.memoryGB}GB]`);
-    }
-
-    // Warning indicators (only show critical ones in the main label)
-    const criticalWarnings: string[] = [];
-    if (payload.process.node.isNearHeapLimit) criticalWarnings.push("HEAP_LIMIT");
-    if (diskPercent > 90) criticalWarnings.push("DISK_CRITICAL");
-    if (memoryPercent > 95) criticalWarnings.push("MEM_CRITICAL");
-    if (payload.system.disk.warning) criticalWarnings.push("DISK_WARN");
-
-    if (criticalWarnings.length > 0) {
-      parts.push(`[${criticalWarnings.join(",")}]`);
-    }
-
-    return parts.join(" | ");
-  }
-
-  /**
-   * Get text-based indicator for percentage values
-   */
-  private getTextIndicator(
-    value: number,
-    warningThreshold: number,
-    criticalThreshold: number,
-    isDuration = false
-  ): string {
-    if (isDuration) {
-      // For duration values, higher is worse
-      if (value >= criticalThreshold) return " [CRIT]";
-      if (value >= warningThreshold) return " [WARN]";
-      return " [OK]";
-    } else {
-      // For percentage values, higher is worse
-      if (value >= criticalThreshold) return " [CRIT]";
-      if (value >= warningThreshold) return " [WARN]";
-      return " [OK]";
-    }
-  }
-
-  /**
-   * Create a compact version of the enhanced label for high-frequency logging
-   */
-  private createCompactLabel(payload: any, baseLabel: string): string {
-    const parts: string[] = [baseLabel];
-
-    // Only show critical metrics in compact mode
-    const diskPercent = parseFloat(payload.system.disk.percentUsed);
-    const memoryPercent = parseFloat(payload.system.memory.percentUsed);
-    const heapPercent = parseFloat(payload.process.node.heapUsagePercent);
-
-    // Use single character indicators for compactness
-    const diskIndicator = diskPercent > 90 ? "!" : diskPercent > 80 ? "?" : ".";
-    const memIndicator = memoryPercent > 95 ? "!" : memoryPercent > 80 ? "?" : ".";
-    const heapIndicator = heapPercent > 85 ? "!" : heapPercent > 70 ? "?" : ".";
-
-    parts.push(`D:${diskPercent.toFixed(0).padStart(2)}%${diskIndicator}`);
-    parts.push(`M:${memoryPercent.toFixed(0).padStart(2)}%${memIndicator}`);
-    parts.push(`H:${heapPercent.toFixed(0).padStart(2)}%${heapIndicator}`);
-
-    // GC activity (only if significant)
-    if (payload.gc && payload.gc.count > 0 && payload.gc.avgDuration > 2) {
-      const gcIndicator =
-        payload.gc.avgDuration > 10 ? "!" : payload.gc.avgDuration > 5 ? "?" : ".";
-      parts.push(`GC:${payload.gc.count}${gcIndicator}`);
-    }
-
-    return parts.join(" ");
-  }
-
-  async getResourceSnapshotPayload() {
-    const [systemMetrics, processMetrics] = await Promise.all([
-      this.getSystemMetrics(),
-      this.getProcessMetrics(),
-    ]);
-
-    const gcSummary = summarizeGCEntries(this.bufferedGcEntries);
-    this.bufferedGcEntries = [];
-
-    const formatBytes = (bytes: number) => (bytes / (1024 * 1024)).toFixed(2);
-    const formatPercent = (value: number) => value.toFixed(1);
-
-    return {
-      system: {
-        disk: {
-          limitGiB: DISK_LIMIT_GB,
-          dirName: this.dirName,
-          usedGiB: (systemMetrics.disk.used / (1024 * 1024 * 1024)).toFixed(2),
-          freeGiB: (systemMetrics.disk.free / (1024 * 1024 * 1024)).toFixed(2),
-          percentUsed: formatPercent(systemMetrics.disk.percentUsed),
-          warning: systemMetrics.disk.warning,
-        },
-        memory: {
-          freeGB: (systemMetrics.memory.free / (1024 * 1024 * 1024)).toFixed(2),
-          percentUsed: formatPercent(systemMetrics.memory.percentUsed),
-        },
-      },
-      gc: gcSummary,
-      constraints: this.ctx.machine
-        ? {
-            cpu: this.ctx.machine.cpu,
-            memoryGB: this.ctx.machine.memory,
-            diskGB: DISK_LIMIT_BYTES / (1024 * 1024 * 1024),
-          }
-        : {
-            cpu: os.cpus().length,
-            memoryGB: Math.floor(os.totalmem() / (1024 * 1024 * 1024)),
-            note: "Using system resources (no machine constraints specified)",
-          },
-      process: {
-        node: {
-          memoryUsageMB: formatBytes(processMetrics.node.memoryUsage),
-          memoryUsagePercent: formatPercent(processMetrics.node.memoryUsagePercent),
-          heapUsedMB: formatBytes(processMetrics.node.heapUsed),
-          heapSizeLimitMB: formatBytes(processMetrics.node.heapSizeLimit),
-          heapUsagePercent: formatPercent(processMetrics.node.heapUsagePercent),
-          availableHeapMB: formatBytes(processMetrics.node.availableHeap),
-          isNearHeapLimit: processMetrics.node.isNearHeapLimit,
-          ...(this.verbose
-            ? {
-                heapStats: getHeapStatistics(),
-              }
-            : {}),
-        },
-        targetProcess: processMetrics.targetProcess
-          ? {
-              method: processMetrics.targetProcess.method,
-              processName: processMetrics.targetProcess.processName,
-              count: processMetrics.targetProcess.count,
-              averages: processMetrics.targetProcess.averages
-                ? {
-                    cpuPercent: formatPercent(processMetrics.targetProcess.averages.cpu * 100),
-                    memoryPercent: formatPercent(processMetrics.targetProcess.averages.memory),
-                    rssMB: formatBytes(processMetrics.targetProcess.averages.rss * 1024),
-                    vszMB: formatBytes(processMetrics.targetProcess.averages.vsz * 1024),
-                  }
-                : null,
-              totals: processMetrics.targetProcess.totals
-                ? {
-                    cpuPercent: formatPercent(processMetrics.targetProcess.totals.cpu * 100),
-                    memoryPercent: formatPercent(processMetrics.targetProcess.totals.memory),
-                    rssMB: formatBytes(processMetrics.targetProcess.totals.rss * 1024),
-                    vszMB: formatBytes(processMetrics.targetProcess.totals.vsz * 1024),
-                  }
-                : null,
-            }
-          : null,
-      },
-      timestamp: new Date().toISOString(),
-    };
-  }
-}
-
-function summarizeGCEntries(entries: PerformanceEntry[]): GCSummary {
-  if (entries.length === 0) {
-    return {
-      count: 0,
-      totalDuration: 0,
-      avgDuration: 0,
-      maxDuration: 0,
-      kinds: {},
-    };
-  }
-
-  let totalDuration = 0;
-  let maxDuration = 0;
-  const kinds: Record<string, { count: number; totalDuration: number; maxDuration: number }> = {};
-
-  for (const e of entries) {
-    const duration = e.duration;
-    totalDuration += duration;
-    if (duration > maxDuration) maxDuration = duration;
-
-    const kind = kindName((e as any)?.detail?.kind ?? "unknown");
-    if (!kinds[kind]) {
-      kinds[kind] = { count: 0, totalDuration: 0, maxDuration: 0 };
-    }
-    kinds[kind].count += 1;
-    kinds[kind].totalDuration += duration;
-    if (duration > kinds[kind].maxDuration) kinds[kind].maxDuration = duration;
-  }
-
-  // finalize averages
-  const avgDuration = totalDuration / entries.length;
-  const kindsWithAvg: GCSummary["kinds"] = {};
-  for (const [kind, stats] of Object.entries(kinds)) {
-    kindsWithAvg[kind] = {
-      count: stats.count,
-      totalDuration: stats.totalDuration,
-      avgDuration: stats.totalDuration / stats.count,
-      maxDuration: stats.maxDuration,
-    };
-  }
-
-  return {
-    count: entries.length,
-    totalDuration,
-    avgDuration,
-    maxDuration,
-    kinds: kindsWithAvg,
-  };
-}
-
-const kindName = (k: number | string) => {
-  if (typeof k === "number") {
-    return (
-      {
-        [constants.NODE_PERFORMANCE_GC_MAJOR]: "major",
-        [constants.NODE_PERFORMANCE_GC_MINOR]: "minor",
-        [constants.NODE_PERFORMANCE_GC_INCREMENTAL]: "incremental",
-        [constants.NODE_PERFORMANCE_GC_WEAKCB]: "weak-cb",
-      }[k] ?? `kind:${k}`
-    );
-  }
-  return k;
-};
diff --git a/references/hello-world/src/trigger/agentRelay.ts b/references/hello-world/src/trigger/agentRelay.ts
deleted file mode 100644
index cead2408e66..00000000000
--- a/references/hello-world/src/trigger/agentRelay.ts
+++ /dev/null
@@ -1,252 +0,0 @@
-import { logger, runs, streams, task, wait } from "@trigger.dev/sdk/v3";
-
-/**
- * Multi-agent coordination via input streams.
- *
- * Demonstrates the pattern from the Agent Relay blog post: instead of a human
- * copy-pasting context between agents, the agents talk to each other directly.
- *
- * Three "agents" (tasks) collaborate to write and review a document:
- *   - Planner: breaks the work into steps and sends them to the worker
- *   - Worker: executes each step, sends results to the reviewer
- *   - Reviewer: checks each result, sends feedback back to the worker
- *
- * The coordinator task wires them together — no human in the loop.
- */
-
-// -- Input streams for inter-agent communication --
-
-/** Coordinator → Agent: tells an agent who its peers are */
-const connect = streams.input<{ workerRunId: string }>({
-  id: "connect",
-});
-
-/** Planner → Worker: steps to execute */
-const planSteps = streams.input<{ step: number; instruction: string }>({
-  id: "plan-steps",
-});
-
-/** Planner → Worker: signal that all steps have been sent */
-const planComplete = streams.input<{ totalSteps: number }>({
-  id: "plan-complete",
-});
-
-/** Worker → Reviewer: completed work for review */
-const workResult = streams.input<{ step: number; output: string }>({
-  id: "work-result",
-});
-
-/** Reviewer → Worker: feedback on completed work */
-const reviewFeedback = streams.input<{
-  step: number;
-  approved: boolean;
-  comment: string;
-}>({
-  id: "review-feedback",
-});
-
-// -- Mock "AI" functions (replace with real LLM calls) --
-
-function mockPlan(topic: string) {
-  return [
-    { step: 1, instruction: `Research the topic: ${topic}` },
-    { step: 2, instruction: `Write an outline for: ${topic}` },
-    { step: 3, instruction: `Draft the introduction for: ${topic}` },
-  ];
-}
-
-function mockWork(instruction: string): string {
-  return `[Completed] ${instruction} — Lorem ipsum dolor sit amet.`;
-}
-
-function mockReview(output: string): { approved: boolean; comment: string } {
-  const approved = !output.includes("outline");
-  return {
-    approved,
-    comment: approved ? "Looks good." : "Needs more detail in the structure.",
-  };
-}
-
-// -- Agent tasks --
-
-/**
- * Planner agent: receives a topic, breaks it into steps, sends them to the worker.
- */
-export const plannerAgent = task({
-  id: "agent-planner",
-  run: async (payload: { topic: string; workerRunId: string }) => {
-    const steps = mockPlan(payload.topic);
-    logger.info("Planner: created plan", { stepCount: steps.length });
-
-    for (const step of steps) {
-      await planSteps.send(payload.workerRunId, step);
-      logger.info("Planner: sent step", { step: step.step });
-      await wait.for({ seconds: 1 });
-    }
-
-    await planComplete.send(payload.workerRunId, { totalSteps: steps.length });
-    logger.info("Planner: all steps sent");
-
-    return { steps: steps.length };
-  },
-});
-
-/**
- * Worker agent: receives steps from the planner, executes them, sends results
- * to the reviewer, and incorporates feedback.
- */
-export const workerAgent = task({
-  id: "agent-worker",
-  run: async (payload: { reviewerRunId: string }) => {
-    const completedSteps: Array<{
-      step: number;
-      output: string;
-      feedback: string;
-    }> = [];
-
-    let totalSteps: number | null = null;
-    let stepsReceived = 0;
-
-    // Listen for plan completion signal
-    planComplete.on((data) => {
-      totalSteps = data.totalSteps;
-      logger.info("Worker: plan complete signal received", { totalSteps });
-    });
-
-    // Listen for review feedback
-    reviewFeedback.on((data) => {
-      logger.info("Worker: received feedback", { step: data.step, approved: data.approved });
-      const entry = completedSteps.find((s) => s.step === data.step);
-      if (entry) {
-        entry.feedback = data.comment;
-      }
-    });
-
-    // Process steps as they arrive
-    planSteps.on(async (data) => {
-      stepsReceived++;
-      logger.info("Worker: received step", { step: data.step, instruction: data.instruction });
-
-      const output = mockWork(data.instruction);
-      completedSteps.push({ step: data.step, output, feedback: "" });
-
-      // Send result to reviewer
-      await workResult.send(payload.reviewerRunId, { step: data.step, output });
-      logger.info("Worker: sent result to reviewer", { step: data.step });
-    });
-
-    // Wait until all steps are received and processed
-    while (totalSteps === null || stepsReceived < totalSteps) {
-      await wait.for({ seconds: 1 });
-    }
-
-    // Give reviewer time to send feedback
-    await wait.for({ seconds: 5 });
-
-    logger.info("Worker: all done", { completedSteps });
-    return { completedSteps };
-  },
-});
-
-/**
- * Reviewer agent: receives work results, reviews them, sends feedback to the
- * worker, and reports final results to the coordinator.
- *
- * The reviewer doesn't know the worker's run ID at spawn time — it receives
- * it via the `connect` input stream once the coordinator has spawned both agents.
- */
-export const reviewerAgent = task({
-  id: "agent-reviewer",
-  run: async (payload: { expectedSteps: number }) => {
-    // Wait for the coordinator to tell us who the worker is
-    const { workerRunId } = await connect.once({ timeoutMs: 30_000 }).unwrap();
-    logger.info("Reviewer: connected to worker", { workerRunId });
-
-    const reviews: Array<{ step: number; approved: boolean; comment: string }> = [];
-
-    // Review each piece of work as it arrives
-    workResult.on(async (data) => {
-      logger.info("Reviewer: checking step", { step: data.step });
-
-      const review = mockReview(data.output);
-      reviews.push({ step: data.step, ...review });
-
-      // Send feedback back to worker
-      await reviewFeedback.send(workerRunId, {
-        step: data.step,
-        ...review,
-      });
-      logger.info("Reviewer: sent feedback", { step: data.step, approved: review.approved });
-    });
-
-    // Wait until all steps are reviewed
-    while (reviews.length < payload.expectedSteps) {
-      await wait.for({ seconds: 1 });
-    }
-
-    const approved = reviews.filter((r) => r.approved).length;
-    const rejected = reviews.filter((r) => !r.approved).length;
-    const summary = `Reviewed ${reviews.length} steps. ${approved} approved, ${rejected} need revision.`;
-
-    logger.info("Reviewer: done", { summary });
-    return { reviews, summary };
-  },
-});
-
-/**
- * Coordinator: wires the agents together and collects results.
- *
- * This is the orchestrator — it spawns the agents, connects them via input
- * streams, and waits for everything to complete. No human in the loop.
- */
-export const agentRelayCoordinator = task({
-  id: "agent-relay-coordinator",
-  run: async (payload: { topic?: string }) => {
-    const topic = payload.topic ?? "The future of multi-agent systems";
-    logger.info("Coordinator: starting multi-agent workflow", { topic });
-
-    // Spawn worker and reviewer (order doesn't matter — they wait for connections)
-    const reviewerHandle = await reviewerAgent.trigger({ expectedSteps: 3 });
-    const workerHandle = await workerAgent.trigger({
-      reviewerRunId: reviewerHandle.id,
-    });
-
-    logger.info("Coordinator: agents spawned", {
-      workerId: workerHandle.id,
-      reviewerId: reviewerHandle.id,
-    });
-
-    // Tell the reviewer who the worker is so it can send feedback
-    await connect.send(reviewerHandle.id, { workerRunId: workerHandle.id });
-
-    // Spawn the planner — it sends steps directly to the worker
-    const plannerHandle = await plannerAgent.trigger({
-      topic,
-      workerRunId: workerHandle.id,
-    });
-
-    logger.info("Coordinator: planner spawned, waiting for completion", {
-      plannerId: plannerHandle.id,
-    });
-
-    // Wait for all agents to complete
-    const [plannerRun, workerRun, reviewerRun] = await Promise.all([
-      runs.poll(plannerHandle, { pollIntervalMs: 2000 }),
-      runs.poll(workerHandle, { pollIntervalMs: 2000 }),
-      runs.poll(reviewerHandle, { pollIntervalMs: 2000 }),
-    ]);
-
-    logger.info("Coordinator: all agents complete", {
-      planner: plannerRun.output,
-      worker: workerRun.output,
-      reviewer: reviewerRun.output,
-    });
-
-    return {
-      topic,
-      planner: plannerRun.output,
-      worker: workerRun.output,
-      reviewer: reviewerRun.output,
-    };
-  },
-});
diff --git a/references/hello-world/src/trigger/attemptFailures.ts b/references/hello-world/src/trigger/attemptFailures.ts
deleted file mode 100644
index b0a33e3f586..00000000000
--- a/references/hello-world/src/trigger/attemptFailures.ts
+++ /dev/null
@@ -1,50 +0,0 @@
-import { task } from "@trigger.dev/sdk";
-import { setTimeout } from "timers/promises";
-
-export const attemptFailures = task({
-  id: "attempt-failures",
-  retry: {
-    maxAttempts: 3,
-    minTimeoutInMs: 500,
-    maxTimeoutInMs: 1000,
-    factor: 1.5,
-  },
-  run: async (payload: any, { ctx }) => {
-    await setTimeout(5);
-
-    await attemptFailureSubtask.triggerAndWait({}).unwrap();
-  },
-});
-
-export const attemptFailureSubtask = task({
-  id: "attempt-failure-subtask",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (payload: any, { ctx }) => {
-    await setTimeout(20_000);
-
-    throw new Error("Forced error to cause a retry");
-  },
-});
-
-export const attemptFailures2 = task({
-  id: "attempt-failures-2",
-  retry: {
-    maxAttempts: 3,
-    minTimeoutInMs: 500,
-    maxTimeoutInMs: 1000,
-    factor: 1.5,
-  },
-  run: async (payload: any, { ctx }) => {
-    if (ctx.attempt.number <= 2) {
-      throw new Error("Forced error to cause a retry");
-    }
-
-    await setTimeout(10_000);
-
-    return {
-      success: true,
-    };
-  },
-});
diff --git a/references/hello-world/src/trigger/batches.ts b/references/hello-world/src/trigger/batches.ts
deleted file mode 100644
index b6a3f79e74e..00000000000
--- a/references/hello-world/src/trigger/batches.ts
+++ /dev/null
@@ -1,1382 +0,0 @@
-import { batch, BatchTriggerError, logger, runs, task, tasks } from "@trigger.dev/sdk/v3";
-import { setTimeout } from "timers/promises";
-
-// ============================================================================
-// Toxiproxy-based Retry Testing
-// ============================================================================
-// These tests use Toxiproxy to inject real network failures and verify
-// that the SDK's batch streaming retry logic works correctly.
-//
-// Prerequisites:
-// 1. Run `pnpm run docker` to start services including toxiproxy
-// 2. Toxiproxy proxies localhost:3030 (webapp) on localhost:30303
-// 3. Toxiproxy API is available on localhost:8474
-// ============================================================================
-
-const TOXIPROXY_API = "http://localhost:8474";
-const TOXIPROXY_PROXY_NAME = "trigger_webapp_local";
-const PROXIED_API_URL = "http://localhost:30303"; // Goes through toxiproxy
-
-/**
- * Toxiproxy API helper - adds a toxic to inject failures
- */
-async function addToxic(toxic: {
-  name: string;
-  type: string;
-  stream?: "upstream" | "downstream";
-  toxicity?: number;
-  attributes?: Record<string, unknown>;
-}): Promise<void> {
-  const response = await fetch(`${TOXIPROXY_API}/proxies/${TOXIPROXY_PROXY_NAME}/toxics`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({
-      stream: "downstream", // Server -> Client
-      toxicity: 1.0, // 100% of connections affected
-      ...toxic,
-    }),
-  });
-
-  if (!response.ok) {
-    const text = await response.text();
-    throw new Error(`Failed to add toxic: ${response.status} ${text}`);
-  }
-
-  logger.info(`Added toxic: ${toxic.name}`, { toxic });
-}
-
-/**
- * Toxiproxy API helper - removes a toxic
- */
-async function removeToxic(name: string): Promise<void> {
-  const response = await fetch(`${TOXIPROXY_API}/proxies/${TOXIPROXY_PROXY_NAME}/toxics/${name}`, {
-    method: "DELETE",
-  });
-
-  if (!response.ok && response.status !== 404) {
-    const text = await response.text();
-    throw new Error(`Failed to remove toxic: ${response.status} ${text}`);
-  }
-
-  logger.info(`Removed toxic: ${name}`);
-}
-
-/**
- * Toxiproxy API helper - list all toxics
- */
-async function listToxics(): Promise<unknown[]> {
-  const response = await fetch(`${TOXIPROXY_API}/proxies/${TOXIPROXY_PROXY_NAME}/toxics`);
-  if (!response.ok) {
-    return [];
-  }
-  return response.json();
-}
-
-/**
- * Toxiproxy API helper - clear all toxics
- */
-async function clearAllToxics(): Promise<void> {
-  const toxics = (await listToxics()) as Array<{ name: string }>;
-  for (const toxic of toxics) {
-    await removeToxic(toxic.name);
-  }
-  logger.info("Cleared all toxics");
-}
-
-/**
- * Test: Batch retry with connection reset injection
- *
- * This test:
- * 1. Configures SDK to use the proxied URL (through toxiproxy)
- * 2. Adds a "reset_peer" toxic that will kill connections
- * 3. Triggers a batch - the connection will be reset mid-stream
- * 4. SDK should retry with tee'd stream
- * 5. Removes toxic so retry succeeds
- * 6. Verifies all items were processed exactly once
- *
- * Run with: `npx trigger.dev@latest dev` then trigger this task
- */
-export const batchRetryWithToxiproxy = task({
-  id: "batch-retry-with-toxiproxy",
-  machine: "small-1x",
-  maxDuration: 300,
-  run: async (payload: { count: number; failAfterBytes?: number }) => {
-    const count = payload.count || 50;
-    const failAfterBytes = payload.failAfterBytes || 5000; // Fail after ~5KB sent
-
-    // Clear any existing toxics
-    await clearAllToxics();
-
-    // Generate batch items
-    const items = Array.from({ length: count }, (_, i) => ({
-      payload: { index: i, batchTest: "toxiproxy-retry" },
-    }));
-
-    // Add a toxic that limits data then resets connection
-    // This simulates a connection failure mid-stream
-    await addToxic({
-      name: "limit_and_reset",
-      type: "limit_data",
-      stream: "upstream", // Client -> Server (our stream upload)
-      attributes: {
-        bytes: failAfterBytes, // Allow this many bytes then close
-      },
-    });
-
-    logger.info("Starting batch trigger through toxiproxy", {
-      count,
-      failAfterBytes,
-      apiUrl: PROXIED_API_URL,
-    });
-
-    // Schedule toxic removal after a delay to allow retry to succeed
-    const toxicRemovalPromise = (async () => {
-      await setTimeout(2000); // Wait for first attempt to fail
-      await clearAllToxics();
-      logger.info("Toxic removed - retry should succeed now");
-    })();
-
-    try {
-      // Trigger batch through the proxied URL
-      // The first attempt will fail due to the toxic, retry should succeed
-      const result = await tasks.batchTrigger<typeof retryTrackingTask>(
-        "retry-tracking-task",
-        items,
-        undefined,
-        {
-          // Use the proxied URL that goes through toxiproxy
-          clientConfig: {
-            baseURL: PROXIED_API_URL,
-          },
-        }
-      );
-
-      // Wait for toxic removal to complete
-      await toxicRemovalPromise;
-
-      logger.info("Batch triggered successfully!", {
-        batchId: result.batchId,
-        runCount: result.runCount,
-      });
-
-      // Wait for runs to complete
-      await setTimeout(10000);
-
-      // Retrieve batch to check results
-      const batchResult = await batch.retrieve(result.batchId);
-
-      return {
-        success: true,
-        batchId: result.batchId,
-        runCount: result.runCount,
-        batchStatus: batchResult.status,
-        note: "Check logs to see retry behavior. Items should be deduplicated on server.",
-      };
-    } catch (error) {
-      // Clean up toxics on error
-      await clearAllToxics();
-
-      return {
-        success: false,
-        error: error instanceof Error ? error.message : String(error),
-        note: "Batch failed - check if toxiproxy is running and webapp is accessible",
-      };
-    }
-  },
-});
-
-/**
- * Test: Verify deduplication after retry
- *
- * This test uses a slower toxic (latency + timeout) and verifies
- * that items processed before failure aren't reprocessed after retry.
- */
-export const batchDeduplicationTest = task({
-  id: "batch-deduplication-test",
-  machine: "small-1x",
-  maxDuration: 300,
-  run: async (payload: { count: number }) => {
-    const count = payload.count || 20;
-
-    // Clear any existing toxics
-    await clearAllToxics();
-
-    // Create a unique test ID to track this specific batch
-    const testId = `dedup-${Date.now()}`;
-
-    // Items with tags for easy querying
-    const items = Array.from({ length: count }, (_, i) => ({
-      payload: {
-        index: i,
-        testId,
-      },
-      options: {
-        tags: [`testId:${testId}`, `index:${i}`],
-      },
-    }));
-
-    // Add timeout toxic - connection will timeout mid-stream
-    await addToxic({
-      name: "timeout_test",
-      type: "timeout",
-      stream: "upstream",
-      attributes: {
-        timeout: 1000, // Timeout after 1 second
-      },
-    });
-
-    // Remove toxic after delay so retry succeeds
-    setTimeout(3000).then(() => clearAllToxics());
-
-    try {
-      const result = await tasks.batchTrigger<typeof retryTrackingTask>(
-        "retry-tracking-task",
-        items,
-        undefined,
-        { clientConfig: { baseURL: PROXIED_API_URL } }
-      );
-
-      // Wait for completion
-      await setTimeout(15000);
-
-      // Query all runs with our testId to check for duplicates
-      const allRuns = await runs.list({
-        tag: `testId:${testId}`,
-      });
-
-      // Collect run IDs first (list doesn't include payload)
-      const runIds: string[] = [];
-      for await (const run of allRuns) {
-        runIds.push(run.id);
-      }
-
-      // Retrieve full run details to get payloads
-      const runDetails = await Promise.all(runIds.map((id) => runs.retrieve(id)));
-
-      // Count occurrences of each index
-      const indexCounts = new Map<number, number>();
-      for (const run of runDetails) {
-        const payload = run.payload as { index: number } | undefined;
-        if (payload?.index !== undefined) {
-          indexCounts.set(payload.index, (indexCounts.get(payload.index) || 0) + 1);
-        }
-      }
-
-      const duplicates = Array.from(indexCounts.entries()).filter(([_, count]) => count > 1);
-
-      return {
-        batchId: result.batchId,
-        totalRuns: runIds.length,
-        expectedRuns: count,
-        duplicates: duplicates.length > 0 ? duplicates : "none",
-        success: duplicates.length === 0 && runIds.length === count,
-      };
-    } finally {
-      await clearAllToxics();
-    }
-  },
-});
-
-/**
- * Task that tracks its execution for deduplication verification.
- * Tags are set when triggering via batch options.
- */
-export const retryTrackingTask = task({
-  id: "retry-tracking-task",
-  retry: { maxAttempts: 1 }, // Don't retry the task itself
-  run: async (payload: { index: number; testId?: string; batchTest?: string }) => {
-    logger.info(`Processing item ${payload.index}`, { payload });
-
-    await setTimeout(100);
-
-    return {
-      index: payload.index,
-      processedAt: Date.now(),
-    };
-  },
-});
-
-/**
- * Simple test to verify toxiproxy is working
- */
-export const toxiproxyHealthCheck = task({
-  id: "toxiproxy-health-check",
-  run: async () => {
-    // Check toxiproxy API
-    const apiResponse = await fetch(`${TOXIPROXY_API}/proxies`);
-    const proxies = await apiResponse.json();
-
-    // Check proxied webapp
-    let webappStatus = "unknown";
-    try {
-      const webappResponse = await fetch(`${PROXIED_API_URL}/api/v1/whoami`, {
-        headers: {
-          Authorization: `Bearer ${process.env.TRIGGER_SECRET_KEY}`,
-        },
-      });
-      webappStatus = webappResponse.ok ? "ok" : `error: ${webappResponse.status}`;
-    } catch (e) {
-      webappStatus = `error: ${e instanceof Error ? e.message : String(e)}`;
-    }
-
-    // List current toxics
-    const toxics = await listToxics();
-
-    return {
-      toxiproxyApi: apiResponse.ok ? "ok" : "error",
-      proxies,
-      webappThroughProxy: webappStatus,
-      currentToxics: toxics,
-    };
-  },
-});
-
-export const batchTriggerAndWait = task({
-  id: "batch-trigger-and-wait",
-  maxDuration: 60,
-  run: async (payload: { count: number }, { ctx }) => {
-    const payloads = Array.from({ length: payload.count }, (_, i) => ({
-      payload: { waitSeconds: 1, output: `test${i}` },
-    }));
-
-    // First batch triggerAndWait with idempotency keys
-    const firstResults = await fixedLengthTask.batchTriggerAndWait(payloads);
-  },
-});
-
-// ============================================================================
-// Rate Limit Error Testing
-// ============================================================================
-
-/**
- * Test: Intentionally trigger a rate limit error to verify BatchTriggerError improvements
- *
- * This test triggers many batches in rapid succession to exceed the rate limit.
- * When a rate limit is hit, it verifies that:
- * 1. The error is a BatchTriggerError
- * 2. The error has isRateLimited = true
- * 3. The error message includes rate limit details
- * 4. The retryAfterMs property is set
- *
- * Run this from backend code, not from inside a task (to avoid worker rate limits).
- */
-export const rateLimitErrorTest = task({
-  id: "rate-limit-error-test",
-  maxDuration: 300,
-  run: async (payload: { batchesPerAttempt?: number; itemsPerBatch?: number }) => {
-    const batchesPerAttempt = payload.batchesPerAttempt || 50;
-    const itemsPerBatch = payload.itemsPerBatch || 100;
-
-    logger.info("Starting rate limit error test", {
-      batchesPerAttempt,
-      itemsPerBatch,
-      totalItems: batchesPerAttempt * itemsPerBatch,
-    });
-
-    const results: Array<{
-      batchIndex: number;
-      success: boolean;
-      batchId?: string;
-      error?: {
-        message: string;
-        name: string;
-        isRateLimited?: boolean;
-        retryAfterMs?: number;
-        phase?: string;
-      };
-    }> = [];
-
-    // Try to trigger many batches rapidly
-    const batchPromises = Array.from({ length: batchesPerAttempt }, async (_, batchIndex) => {
-      const items = Array.from({ length: itemsPerBatch }, (_, i) => ({
-        payload: { index: batchIndex * itemsPerBatch + i, testId: `rate-limit-test-${Date.now()}` },
-      }));
-
-      try {
-        const result = await retryTrackingTask.batchTrigger(items);
-        return {
-          batchIndex,
-          success: true as const,
-          batchId: result.batchId,
-        };
-      } catch (error) {
-        // Log the error details for inspection
-        if (error instanceof BatchTriggerError) {
-          logger.info(`BatchTriggerError caught for batch ${batchIndex}`, {
-            message: error.message,
-            name: error.name,
-            isRateLimited: error.isRateLimited,
-            retryAfterMs: error.retryAfterMs,
-            phase: error.phase,
-            batchId: error.batchId,
-            itemCount: error.itemCount,
-            cause: error.cause instanceof Error ? error.cause.message : String(error.cause),
-          });
-
-          return {
-            batchIndex,
-            success: false as const,
-            error: {
-              message: error.message,
-              name: error.name,
-              isRateLimited: error.isRateLimited,
-              retryAfterMs: error.retryAfterMs,
-              phase: error.phase,
-            },
-          };
-        }
-
-        // Non-BatchTriggerError
-        const err = error instanceof Error ? error : new Error(String(error));
-        logger.warn(`Non-BatchTriggerError caught for batch ${batchIndex}`, {
-          message: err.message,
-          name: err.name,
-        });
-
-        return {
-          batchIndex,
-          success: false as const,
-          error: {
-            message: err.message,
-            name: err.name,
-          },
-        };
-      }
-    });
-
-    // Wait for all attempts (use allSettled to capture all results)
-    const settled = await Promise.allSettled(batchPromises);
-
-    for (const result of settled) {
-      if (result.status === "fulfilled") {
-        results.push(result.value);
-      } else {
-        results.push({
-          batchIndex: -1,
-          success: false,
-          error: {
-            message: result.reason?.message || String(result.reason),
-            name: result.reason?.name || "Error",
-          },
-        });
-      }
-    }
-
-    // Analyze results
-    const successCount = results.filter((r) => r.success).length;
-    const rateLimitedCount = results.filter((r) => !r.success && r.error?.isRateLimited).length;
-    const otherErrorCount = results.filter((r) => !r.success && !r.error?.isRateLimited).length;
-
-    // Get a sample rate limit error for inspection
-    const sampleRateLimitError = results.find((r) => r.error?.isRateLimited)?.error;
-
-    return {
-      summary: {
-        totalBatches: batchesPerAttempt,
-        successCount,
-        rateLimitedCount,
-        otherErrorCount,
-      },
-      sampleRateLimitError: sampleRateLimitError || null,
-      allResults: results,
-      testPassed:
-        rateLimitedCount > 0 &&
-        sampleRateLimitError?.isRateLimited === true &&
-        typeof sampleRateLimitError?.retryAfterMs === "number",
-    };
-  },
-});
-
-/**
- * Simpler test: Direct batch trigger that's likely to hit rate limits
- *
- * This test just tries to batch trigger a very large number of items in one call.
- * If the organization has rate limits configured, this should trigger them.
- */
-export const simpleBatchRateLimitTest = task({
-  id: "simple-batch-rate-limit-test",
-  maxDuration: 120,
-  run: async (payload: { itemCount?: number }) => {
-    const itemCount = payload.itemCount || 5000; // Large batch that might hit limits
-
-    logger.info("Starting simple batch rate limit test", { itemCount });
-
-    const items = Array.from({ length: itemCount }, (_, i) => ({
-      payload: { index: i, testId: `simple-rate-test-${Date.now()}` },
-    }));
-
-    try {
-      const result = await retryTrackingTask.batchTrigger(items);
-
-      logger.info("Batch succeeded (no rate limit hit)", {
-        batchId: result.batchId,
-        runCount: result.runCount,
-      });
-
-      return {
-        success: true,
-        batchId: result.batchId,
-        runCount: result.runCount,
-        rateLimitHit: false,
-      };
-    } catch (error) {
-      if (error instanceof BatchTriggerError) {
-        logger.info("BatchTriggerError caught", {
-          fullMessage: error.message,
-          isRateLimited: error.isRateLimited,
-          retryAfterMs: error.retryAfterMs,
-          phase: error.phase,
-          itemCount: error.itemCount,
-          apiErrorType: error.apiError?.constructor.name,
-        });
-
-        return {
-          success: false,
-          rateLimitHit: error.isRateLimited,
-          errorMessage: error.message,
-          errorDetails: {
-            phase: error.phase,
-            itemCount: error.itemCount,
-            isRateLimited: error.isRateLimited,
-            retryAfterMs: error.retryAfterMs,
-            hasApiError: !!error.apiError,
-          },
-        };
-      }
-
-      throw error; // Re-throw unexpected errors
-    }
-  },
-});
-
-// ============================================================================
-// Streaming Batch Examples
-// ============================================================================
-
-/**
- * Example: Streaming batch trigger using an async generator
- *
- * This allows you to stream items to the batch without loading all items into memory.
- * Useful for large batches or when items are generated dynamically.
- */
-export const streamingBatchTrigger = task({
-  id: "streaming-batch-trigger",
-  maxDuration: 120,
-  run: async (payload: { count: number }) => {
-    // Define an async generator that yields batch items
-    async function* generateItems() {
-      for (let i = 0; i < payload.count; i++) {
-        yield {
-          payload: { waitSeconds: 1, output: `streamed-${i}` },
-        };
-      }
-    }
-
-    // Trigger the batch using the generator - items are streamed to the server
-    const result = await fixedLengthTask.batchTrigger(generateItems());
-
-    return {
-      batchId: result.batchId,
-      runCount: result.runCount,
-    };
-  },
-});
-
-/**
- * Example: Streaming batch triggerAndWait using an async generator
- *
- * Similar to streaming trigger, but waits for all runs to complete.
- */
-export const streamingBatchTriggerAndWait = task({
-  id: "streaming-batch-trigger-and-wait",
-  maxDuration: 300,
-  run: async (payload: { count: number }) => {
-    // Async generator for items
-    async function* generateItems() {
-      for (let i = 0; i < payload.count; i++) {
-        yield {
-          payload: { waitSeconds: 1, output: `streamed-wait-${i}` },
-        };
-      }
-    }
-
-    // Trigger and wait - items are streamed, then we wait for all results
-    const results = await fixedLengthTask.batchTriggerAndWait(generateItems());
-
-    // Process results
-    const outputs = results.runs.filter((r) => r.ok).map((r) => (r.ok ? r.output : null));
-
-    return { outputs };
-  },
-});
-
-/**
- * Example: Streaming batch.trigger for multiple task types
- *
- * Use batch.trigger with a stream when triggering different task types.
- */
-export const streamingMultiTaskBatch = task({
-  id: "streaming-multi-task-batch",
-  maxDuration: 120,
-  run: async (payload: { count: number }) => {
-    // Generator that yields items for different tasks
-    async function* generateMultiTaskItems() {
-      for (let i = 0; i < payload.count; i++) {
-        // Alternate between task types
-        if (i % 2 === 0) {
-          yield {
-            id: "fixed-length-lask" as const,
-            payload: { waitSeconds: 1, output: `task1-${i}` },
-          };
-        } else {
-          yield {
-            id: "simple-task" as const,
-            payload: { message: `task2-${i}` },
-          };
-        }
-      }
-    }
-
-    // Use batch.trigger with the stream
-    const result = await batch.trigger<typeof fixedLengthTask | typeof simpleTask>(
-      generateMultiTaskItems()
-    );
-
-    return {
-      batchId: result.batchId,
-      runCount: result.runCount,
-    };
-  },
-});
-
-/**
- * Example: Using a ReadableStream for batch items
- *
- * You can also pass a ReadableStream instead of an AsyncIterable.
- */
-export const readableStreamBatch = task({
-  id: "readable-stream-batch",
-  maxDuration: 120,
-  run: async (payload: { count: number }) => {
-    // Create a ReadableStream of batch items
-    const stream = new ReadableStream<{ payload: Payload }>({
-      async start(controller) {
-        for (let i = 0; i < payload.count; i++) {
-          controller.enqueue({
-            payload: { waitSeconds: 1, output: `stream-${i}` },
-          });
-        }
-        controller.close();
-      },
-    });
-
-    // Trigger with the ReadableStream
-    const result = await fixedLengthTask.batchTrigger(stream);
-
-    return {
-      batchId: result.batchId,
-      runCount: result.runCount,
-    };
-  },
-});
-
-// Simple task for multi-task batch example
-export const simpleTask = task({
-  id: "simple-task",
-  run: async (payload: { message: string }) => {
-    await setTimeout(500);
-    return { received: payload.message };
-  },
-});
-
-// ============================================================================
-// Queue Option Tests
-// ============================================================================
-
-/**
- * Task that runs in a specific queue for testing queue option handling.
- */
-export const queuedTask = task({
-  id: "queued-task",
-  queue: {
-    name: "test-queue-for-batch",
-  },
-  run: async (payload: { index: number; testId: string }) => {
-    logger.info(`Processing queued task ${payload.index}`, { payload });
-    await setTimeout(100);
-    return {
-      index: payload.index,
-      testId: payload.testId,
-      processedAt: Date.now(),
-    };
-  },
-});
-
-/**
- * Test: Batch trigger with queue option as object
- *
- * This test verifies that the queue option works correctly when passed
- * through batch trigger. The SDK passes queue as { name: "queue-name" }
- * which should be handled correctly by the server.
- *
- * This tests the fix for the double-wrapping bug where queue objects
- * like { name: "queue-name", concurrencyLimit: 20 } could get wrapped
- * into { name: { name: "queue-name", concurrencyLimit: 20 } }.
- */
-export const batchTriggerWithQueueOption = task({
-  id: "batch-trigger-with-queue-option",
-  maxDuration: 120,
-  run: async (payload: { count: number; useObjectQueue?: boolean }) => {
-    const count = payload.count || 5;
-    const testId = `queue-test-${Date.now()}`;
-
-    // If useObjectQueue is true, we bypass the SDK types to send queue as an object
-    // This simulates what might happen if someone calls the API directly with wrong format
-    const queueValue = payload.useObjectQueue
-      ? ({ name: "test-queue-for-batch", concurrencyLimit: 20 } as unknown as string)
-      : "test-queue-for-batch";
-
-    // Generate batch items with queue option specified
-    const items = Array.from({ length: count }, (_, i) => ({
-      payload: { index: i, testId },
-      options: {
-        queue: queueValue,
-        // Also test with lockToVersion since the error showed workers.some.id
-        // which only appears in the lockedBackgroundWorker code path
-      },
-    }));
-
-    logger.info("Starting batch trigger with queue option", {
-      count,
-      testId,
-      useObjectQueue: payload.useObjectQueue,
-      queueValue,
-    });
-
-    // Trigger the batch with queue option
-    const result = await queuedTask.batchTrigger(items);
-
-    logger.info("Batch triggered successfully", {
-      batchId: result.batchId,
-      runCount: result.runCount,
-    });
-
-    // Wait for runs to complete
-    await setTimeout(5000);
-
-    // Retrieve batch to check results
-    const batchResult = await batch.retrieve(result.batchId);
-
-    return {
-      success: true,
-      batchId: result.batchId,
-      runCount: result.runCount,
-      batchStatus: batchResult.status,
-      testId,
-    };
-  },
-});
-
-/**
- * Test: Batch triggerAndWait with queue option
- *
- * Similar to above but waits for all runs to complete.
- */
-export const batchTriggerAndWaitWithQueueOption = task({
-  id: "batch-trigger-and-wait-with-queue-option",
-  maxDuration: 120,
-  run: async (payload: { count: number }) => {
-    const count = payload.count || 5;
-    const testId = `queue-wait-test-${Date.now()}`;
-
-    // Generate items with queue option
-    const items = Array.from({ length: count }, (_, i) => ({
-      payload: { index: i, testId },
-      options: {
-        queue: "test-queue-for-batch",
-      },
-    }));
-
-    logger.info("Starting batch triggerAndWait with queue option", { count, testId });
-
-    // Trigger and wait
-    const results = await queuedTask.batchTriggerAndWait(items);
-
-    const successCount = results.runs.filter((r) => r.ok).length;
-    const outputs = results.runs.filter((r) => r.ok).map((r) => (r.ok ? r.output : null));
-
-    return {
-      success: successCount === count,
-      successCount,
-      totalCount: count,
-      outputs,
-      testId,
-    };
-  },
-});
-
-/**
- * Test: Streaming batch trigger with queue option
- *
- * Tests that streaming batches also work correctly with queue options.
- */
-export const streamingBatchWithQueueOption = task({
-  id: "streaming-batch-with-queue-option",
-  maxDuration: 120,
-  run: async (payload: { count: number }) => {
-    const count = payload.count || 10;
-    const testId = `stream-queue-test-${Date.now()}`;
-
-    // Async generator that yields items with queue option
-    async function* generateItems() {
-      for (let i = 0; i < count; i++) {
-        yield {
-          payload: { index: i, testId },
-          options: {
-            queue: "test-queue-for-batch",
-          },
-        };
-      }
-    }
-
-    logger.info("Starting streaming batch with queue option", { count, testId });
-
-    // Trigger using the generator
-    const result = await queuedTask.batchTrigger(generateItems());
-
-    logger.info("Streaming batch triggered", {
-      batchId: result.batchId,
-      runCount: result.runCount,
-    });
-
-    // Wait and check results
-    await setTimeout(5000);
-    const batchResult = await batch.retrieve(result.batchId);
-
-    return {
-      success: true,
-      batchId: result.batchId,
-      runCount: result.runCount,
-      batchStatus: batchResult.status,
-      testId,
-    };
-  },
-});
-
-// ============================================================================
-// Large Payload Examples (R2 Offloading)
-// ============================================================================
-
-/**
- * Helper to generate a large string payload.
- * Default threshold for R2 offloading is 512KB (BATCH_PAYLOAD_OFFLOAD_THRESHOLD).
- *
- * @param sizeInKB - Size of the payload in kilobytes
- */
-function generateLargePayload(sizeInKB: number): string {
-  // Each character is 1 byte in ASCII, so we generate sizeInKB * 1024 characters
-  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
-  const targetSize = sizeInKB * 1024;
-  let result = "";
-
-  while (result.length < targetSize) {
-    result += chars.charAt(Math.floor(Math.random() * chars.length));
-  }
-
-  return result;
-}
-
-/**
- * Example: Batch trigger with large payloads that get offloaded to R2
- *
- * When a batch item's payload exceeds BATCH_PAYLOAD_OFFLOAD_THRESHOLD (default 512KB),
- * it's automatically uploaded to R2 object storage. Only a reference path is stored
- * in Redis, reducing memory usage and allowing larger payloads.
- *
- * The task receives the full payload - the offloading is transparent.
- */
-export const largePayloadBatch = task({
-  id: "large-payload-batch",
-  maxDuration: 300,
-  machine: "large-2x",
-  run: async (payload: { count: number; payloadSizeKB: number }) => {
-    // Default to 600KB to exceed the 512KB threshold
-    const sizeKB = payload.payloadSizeKB || 600;
-
-    async function* generateLargeItems() {
-      for (let i = 0; i < payload.count; i++) {
-        yield {
-          payload: {
-            index: i,
-            // This large data will be offloaded to R2
-            largeData: generateLargePayload(sizeKB),
-          },
-        };
-      }
-    }
-
-    // Trigger the batch - large payloads are automatically offloaded to R2
-    const result = await largePayloadTask.batchTrigger(generateLargeItems());
-
-    await setTimeout(5000);
-
-    const myBatch = await batch.retrieve(result.batchId);
-
-    logger.info("batch", { myBatch });
-
-    return {
-      batchId: result.batchId,
-      runCount: result.runCount,
-      payloadSizeKB: sizeKB,
-      note: `Each payload was ~${sizeKB}KB. Payloads over 512KB are offloaded to R2.`,
-    };
-  },
-});
-
-/**
- * Example: Batch triggerAndWait with large payloads
- *
- * Same as above but waits for results.
- */
-export const largePayloadBatchAndWait = task({
-  id: "large-payload-batch-and-wait",
-  maxDuration: 600,
-  run: async (payload: { count: number; payloadSizeKB: number }) => {
-    const sizeKB = payload.payloadSizeKB || 600;
-
-    async function* generateLargeItems() {
-      for (let i = 0; i < payload.count; i++) {
-        yield {
-          payload: {
-            index: i,
-            largeData: generateLargePayload(sizeKB),
-          },
-        };
-      }
-    }
-
-    // Trigger and wait - large payloads are offloaded, results are returned
-    const results = await largePayloadTask.batchTriggerAndWait(generateLargeItems());
-
-    const successCount = results.runs.filter((r) => r.ok).length;
-    const outputs = results.runs.filter((r) => r.ok).map((r) => (r.ok ? r.output : null));
-
-    return {
-      successCount,
-      outputs,
-      payloadSizeKB: sizeKB,
-    };
-  },
-});
-
-type LargePayload = {
-  index: number;
-  largeData: string;
-};
-
-/**
- * Task that receives large payloads.
- * The payload is transparently downloaded from R2 if it was offloaded.
- */
-export const largePayloadTask = task({
-  id: "large-payload-task",
-  retry: {
-    maxAttempts: 2,
-  },
-  machine: "small-1x",
-  run: async (payload: LargePayload) => {
-    // The large payload is available here - R2 download is transparent
-    const payloadSizeBytes = payload.largeData.length;
-    const payloadSizeKB = Math.round(payloadSizeBytes / 1024);
-
-    await setTimeout(500);
-
-    return {
-      index: payload.index,
-      receivedSizeKB: payloadSizeKB,
-      preview: payload.largeData.substring(0, 50) + "...",
-    };
-  },
-});
-
-// ============================================================================
-// Oversized Payload Graceful Handling
-// ============================================================================
-
-/**
- * Test: Batch with oversized item should complete gracefully
- *
- * Sends 2 items: one normal, one oversized (~3.2MB).
- * The oversized item should result in a pre-failed run (ok: false)
- * while the normal item processes successfully (ok: true).
- */
-export const batchSealFailureOversizedPayload = task({
-  id: "batch-seal-failure-oversized",
-  maxDuration: 60,
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async () => {
-    const results = await fixedLengthTask.batchTriggerAndWait([
-      { payload: { waitSeconds: 1, output: "normal" } },
-      { payload: { waitSeconds: 1, output: "x".repeat(3_200_000) } }, // ~3.2MB oversized
-    ]);
-
-    const normal = results.runs[0];
-    const oversized = results.runs[1];
-
-    logger.info("Batch results", {
-      normalOk: normal?.ok,
-      oversizedOk: oversized?.ok,
-    });
-
-    return {
-      normalOk: normal?.ok === true,
-      oversizedOk: oversized?.ok === false,
-      oversizedError: !oversized?.ok ? oversized?.error : undefined,
-    };
-  },
-});
-
-type Payload = {
-  waitSeconds: number;
-  error?: string;
-  output?: any;
-};
-
-export const fixedLengthTask = task({
-  id: "fixed-length-lask",
-  retry: {
-    maxAttempts: 2,
-    maxTimeoutInMs: 100,
-  },
-  machine: "micro",
-  run: async ({ waitSeconds = 1, error, output }: Payload) => {
-    await setTimeout(waitSeconds * 1000);
-
-    if (error) {
-      throw new Error(error);
-    }
-
-    return output;
-  },
-});
-
-// ============================================================================
-// Queue Size Limit Testing
-// ============================================================================
-// These tests verify that per-queue size limits are enforced correctly.
-//
-// To test:
-// 1. Set a low queue limit on the organization:
-//    UPDATE "Organization" SET "maximumDeployedQueueSize" = 5 WHERE slug = 'references-9dfd';
-// 2. Run these tasks to verify queue limits are enforced
-// 3. Reset the limit when done:
-//    UPDATE "Organization" SET "maximumDeployedQueueSize" = NULL WHERE slug = 'references-9dfd';
-// ============================================================================
-
-/**
- * Simple task for queue limit testing.
- * Has a dedicated queue so we can test per-queue limits independently.
- */
-export const queueLimitTestTask = task({
-  id: "queue-limit-test-task",
-  queue: {
-    name: "queue-limit-test-queue",
-    concurrencyLimit: 1
-  },
-  run: async (payload: { index: number; testId: string }) => {
-    logger.info(`Processing queue limit test task ${payload.index}`, { payload });
-    // Sleep for a bit so runs stay in queue
-    await setTimeout(5000);
-    return {
-      index: payload.index,
-      testId: payload.testId,
-      processedAt: Date.now(),
-    };
-  },
-});
-
-/**
- * Test: Single trigger that should fail when queue is at limit
- *
- * Steps to test:
- * 1. Set maximumDeployedQueueSize = 5 on the organization
- * 2. Run this task with count = 10
- * 3. First 5 triggers should succeed
- * 4. Remaining triggers should fail with queue limit error
- */
-export const testSingleTriggerQueueLimit = task({
-  id: "test-single-trigger-queue-limit",
-  maxDuration: 120,
-  run: async (payload: { count: number }) => {
-    const count = payload.count || 10;
-    const testId = `single-trigger-limit-${Date.now()}`;
-
-    logger.info("Starting single trigger queue limit test", { count, testId });
-
-    const results: Array<{
-      index: number;
-      success: boolean;
-      runId?: string;
-      error?: string;
-    }> = [];
-
-    // Trigger tasks one by one
-    for (let i = 0; i < count; i++) {
-      try {
-        const handle = await queueLimitTestTask.trigger({
-          index: i,
-          testId,
-        });
-
-        results.push({
-          index: i,
-          success: true,
-          runId: handle.id,
-        });
-
-        logger.info(`Triggered task ${i} successfully`, { runId: handle.id });
-
-        await setTimeout(1000)
-      } catch (error) {
-        const errorMessage = error instanceof Error ? error.message : String(error);
-        results.push({
-          index: i,
-          success: false,
-          error: errorMessage,
-        });
-
-        logger.warn(`Failed to trigger task ${i}`, { error: errorMessage });
-      }
-    }
-
-    const successCount = results.filter((r) => r.success).length;
-    const failCount = results.filter((r) => !r.success).length;
-    const queueLimitErrors = results.filter(
-      (r) => !r.success && r.error?.includes("queue")
-    ).length;
-
-    return {
-      testId,
-      totalAttempts: count,
-      successCount,
-      failCount,
-      queueLimitErrors,
-      results,
-    };
-  },
-});
-
-/**
- * Test: Batch trigger that should fail when queue limit would be exceeded
- *
- * Steps to test:
- * 1. Set maximumDeployedQueueSize = 5 on the organization
- * 2. Run this task with count = 10
- * 3. The batch should be aborted because it would exceed the queue limit
- */
-export const testBatchTriggerQueueLimit = task({
-  id: "test-batch-trigger-queue-limit",
-  maxDuration: 120,
-  run: async (payload: { count: number }) => {
-    const count = payload.count || 10;
-    const testId = `batch-trigger-limit-${Date.now()}`;
-
-    logger.info("Starting batch trigger queue limit test", { count, testId });
-
-    const items = Array.from({ length: count }, (_, i) => ({
-      payload: { index: i, testId },
-    }));
-
-    try {
-      const result = await queueLimitTestTask.batchTrigger(items);
-
-      logger.info("Batch triggered successfully (no limit hit)", {
-        batchId: result.batchId,
-        runCount: result.runCount,
-      });
-
-      // Wait a bit and check batch status
-      await setTimeout(2000);
-      const batchResult = await batch.retrieve(result.batchId);
-
-      return {
-        testId,
-        success: true,
-        batchId: result.batchId,
-        runCount: result.runCount,
-        batchStatus: batchResult.status,
-        queueLimitHit: false,
-      };
-    } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : String(error);
-      const isQueueLimitError = errorMessage.toLowerCase().includes("queue");
-
-      logger.info("Batch trigger failed", {
-        error: errorMessage,
-        isQueueLimitError,
-      });
-
-      return {
-        testId,
-        success: false,
-        error: errorMessage,
-        queueLimitHit: isQueueLimitError,
-      };
-    }
-  },
-});
-
-/**
- * Test: Batch triggerAndWait that should fail when queue limit would be exceeded
- *
- * Same as testBatchTriggerQueueLimit but uses batchTriggerAndWait.
- * This tests the blocking batch path where the parent run is blocked
- * until the batch completes.
- *
- * Steps to test:
- * 1. Set maximumDevQueueSize = 5 on the organization
- * 2. Run this task with count = 10
- * 3. The batch should be aborted because it would exceed the queue limit
- */
-export const testBatchTriggerAndWaitQueueLimit = task({
-  id: "test-batch-trigger-and-wait-queue-limit",
-  maxDuration: 120,
-  run: async (payload: { count: number }) => {
-    const count = payload.count || 10;
-    const testId = `batch-wait-limit-${Date.now()}`;
-
-    logger.info("Starting batch triggerAndWait queue limit test", { count, testId });
-
-    const items = Array.from({ length: count }, (_, i) => ({
-      payload: { index: i, testId },
-    }));
-
-    try {
-      const result = await queueLimitTestTask.batchTriggerAndWait(items);
-
-      logger.info("Batch triggerAndWait completed (no limit hit)", {
-        batchId: result.id,
-        runsCount: result.runs.length,
-      });
-
-      const successCount = result.runs.filter((r) => r.ok).length;
-      const failCount = result.runs.filter((r) => !r.ok).length;
-
-      return {
-        testId,
-        success: true,
-        batchId: result.id,
-        runsCount: result.runs.length,
-        successCount,
-        failCount,
-        queueLimitHit: false,
-      };
-    } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : String(error);
-      const isQueueLimitError = errorMessage.toLowerCase().includes("queue");
-
-      logger.info("Batch triggerAndWait failed", {
-        error: errorMessage,
-        isQueueLimitError,
-      });
-
-      return {
-        testId,
-        success: false,
-        error: errorMessage,
-        queueLimitHit: isQueueLimitError,
-      };
-    }
-  },
-});
-
-/**
- * Test: Batch trigger to multiple queues with different limits
- *
- * This tests that per-queue validation works correctly when batch items
- * go to different queues. Some items may succeed while the queue that
- * exceeds its limit causes the batch to abort.
- */
-export const testMultiQueueBatchLimit = task({
-  id: "test-multi-queue-batch-limit",
-  maxDuration: 120,
-  run: async (payload: { countPerQueue: number }) => {
-    const countPerQueue = payload.countPerQueue || 5;
-    const testId = `multi-queue-limit-${Date.now()}`;
-
-    logger.info("Starting multi-queue batch limit test", { countPerQueue, testId });
-
-    // Create items that go to different queues
-    // queueLimitTestTask goes to "queue-limit-test-queue"
-    // simpleTask goes to its default queue "task/simple-task"
-    const items = [];
-
-    // Add items for the queue-limit-test-queue
-    for (let i = 0; i < countPerQueue; i++) {
-      items.push({
-        id: "queue-limit-test-task" as const,
-        payload: { index: i, testId },
-      });
-    }
-
-    // Add items for a different queue (simple-task uses default queue)
-    for (let i = 0; i < countPerQueue; i++) {
-      items.push({
-        id: "simple-task" as const,
-        payload: { message: `multi-queue-${i}` },
-      });
-    }
-
-    try {
-      const result = await batch.trigger<typeof queueLimitTestTask | typeof simpleTask>(items);
-
-      logger.info("Multi-queue batch triggered successfully", {
-        batchId: result.batchId,
-        runCount: result.runCount,
-      });
-
-      await setTimeout(2000);
-      const batchResult = await batch.retrieve(result.batchId);
-
-      return {
-        testId,
-        success: true,
-        batchId: result.batchId,
-        runCount: result.runCount,
-        batchStatus: batchResult.status,
-        queueLimitHit: false,
-      };
-    } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : String(error);
-      const isQueueLimitError = errorMessage.toLowerCase().includes("queue");
-
-      logger.info("Multi-queue batch trigger failed", {
-        error: errorMessage,
-        isQueueLimitError,
-      });
-
-      return {
-        testId,
-        success: false,
-        error: errorMessage,
-        queueLimitHit: isQueueLimitError,
-      };
-    }
-  },
-});
-
-/**
- * Helper task to check current queue size
- */
-export const checkQueueSize = task({
-  id: "check-queue-size",
-  run: async () => {
-    // This task just reports - actual queue size check is done server-side
-    return {
-      note: "Check the webapp logs or database for queue size information",
-      hint: "Run: SELECT * FROM \"TaskRun\" WHERE queue = 'queue-limit-test-queue' AND status IN ('PENDING', 'EXECUTING');",
-    };
-  },
-});
diff --git a/references/hello-world/src/trigger/circularPayload.ts b/references/hello-world/src/trigger/circularPayload.ts
deleted file mode 100644
index 3e9d0a95452..00000000000
--- a/references/hello-world/src/trigger/circularPayload.ts
+++ /dev/null
@@ -1,149 +0,0 @@
-import { logger, schemaTask, task, tasks } from "@trigger.dev/sdk";
-import { z } from "zod/v3";
-
-export const referentialPayloadParentTask = task({
-  id: "referential-payload-parent",
-  run: async (payload: any) => {
-    // Shared objects
-    const workflowData = {
-      id: "workflow-123",
-      formName: "Contact Form",
-    };
-
-    const response = [
-      {
-        id: "q1_name",
-        answer: "John Doe",
-      },
-      {
-        id: "q2_consent",
-        answer: "yes",
-        leadAttribute: undefined, // Will be marked in meta
-      },
-    ];
-
-    const personAttributes = {
-      ip: "192.168.1.1",
-      visitedForm: 1,
-    };
-
-    // Main object with shared references
-    const originalObject = {
-      workflowData: workflowData, // Root reference
-      workflowContext: {
-        leadId: undefined, // Will be marked in meta
-        workflowJob: {
-          workflowData: workflowData, // Same reference as root
-          createdAt: new Date("2025-08-19T12:13:42.260Z"), // Date object
-        },
-        responseData: {
-          personAttributes: personAttributes, // Same reference as root
-        },
-        response: response, // Same reference as root
-      },
-      personAttributes: personAttributes, // Root reference
-      response: response, // Root reference
-      jobArgs: {
-        response: response, // Same reference as root
-        args: workflowData, // Same reference as root
-      },
-    };
-
-    await tasks.triggerAndWait<typeof referentialPayloadChildTask>(
-      "referential-payload-child",
-      originalObject
-    );
-
-    return {
-      message: "Hello, world!",
-    };
-  },
-});
-
-// Define the circular schema using z.lazy() for the recursive reference
-const WorkflowDataSchema = z.object({
-  id: z.string(),
-  formName: z.string(),
-});
-
-const ResponseItemSchema = z.object({
-  id: z.string(),
-  answer: z.string(),
-  leadAttribute: z.undefined().optional(),
-});
-
-const PersonAttributesSchema = z.object({
-  ip: z.string(),
-  visitedForm: z.number(),
-});
-
-const OriginalObjectSchema = z.object({
-  workflowData: WorkflowDataSchema,
-  workflowContext: z.object({
-    leadId: z.undefined(),
-    workflowJob: z.object({
-      workflowData: WorkflowDataSchema, // Same reference
-      createdAt: z.date(),
-    }),
-    responseData: z.object({
-      personAttributes: PersonAttributesSchema, // Same reference
-    }),
-    response: z.array(ResponseItemSchema), // Same reference
-  }),
-  personAttributes: PersonAttributesSchema, // Root reference
-  response: z.array(ResponseItemSchema), // Root reference
-  jobArgs: z.object({
-    response: z.array(ResponseItemSchema), // Same reference
-    args: WorkflowDataSchema, // Same reference
-  }),
-});
-
-export const referentialPayloadChildTask = schemaTask({
-  id: "referential-payload-child",
-  schema: OriginalObjectSchema,
-  run: async (payload) => {
-    logger.info("Received circular payload", { payload });
-
-    return {
-      message: "Hello, world!",
-    };
-  },
-});
-
-export const circularReferenceParentTask = task({
-  id: "circular-reference-parent",
-  run: async (payload: any) => {
-    const user = {
-      name: "Alice",
-      details: {
-        age: 30,
-        email: "alice@example.com",
-      },
-    };
-    // @ts-expect-error - This is a circular reference
-    user.details.user = user;
-
-    await tasks.triggerAndWait<typeof circularReferenceChildTask>("circular-reference-child", {
-      // @ts-expect-error - This is a circular reference
-      user,
-    });
-  },
-});
-
-type CircularReferencePayload = {
-  user: {
-    name: string;
-    details: {
-      age: number;
-      email: string;
-      user: CircularReferencePayload;
-    };
-  };
-};
-
-export const circularReferenceChildTask = task({
-  id: "circular-reference-child",
-  run: async (payload: CircularReferencePayload) => {
-    logger.info("Received circular payload", { payload });
-  },
-});
diff --git a/references/hello-world/src/trigger/concurrencyKeys.ts b/references/hello-world/src/trigger/concurrencyKeys.ts
deleted file mode 100644
index 7cdaf4847f9..00000000000
--- a/references/hello-world/src/trigger/concurrencyKeys.ts
+++ /dev/null
@@ -1,201 +0,0 @@
-import { batch, logger, queue, task } from "@trigger.dev/sdk";
-import { setTimeout } from "node:timers/promises";
-
-// Queue with concurrency limit for CK tests
-const ckQueue = queue({
-  name: "ck-test-queue",
-  concurrencyLimit: 2,
-});
-
-// Worker task: simulates work with a concurrency key
-export const ckWorkerTask = task({
-  id: "ck-worker-task",
-  queue: ckQueue,
-  retry: { maxAttempts: 1 },
-  run: async (payload: { id: string; waitMs: number }) => {
-    const startedAt = Date.now();
-    logger.info(`CK worker ${payload.id} started`);
-    await setTimeout(payload.waitMs);
-    const completedAt = Date.now();
-    logger.info(`CK worker ${payload.id} completed`);
-    return { id: payload.id, startedAt, completedAt };
-  },
-});
-
-// Test 1: Multiple CKs should each get their own concurrency slot
-export const ckBasicTest = task({
-  id: "ck-basic-test",
-  retry: { maxAttempts: 1 },
-  maxDuration: 120,
-  run: async () => {
-    logger.info("Testing basic CK behavior: multiple CKs run concurrently");
-
-    // Trigger 3 runs with different CKs - all should be able to run
-    // because each CK gets its own concurrency tracking
-    const results = await batch.triggerAndWait([
-      {
-        id: ckWorkerTask.id,
-        payload: { id: "user-1", waitMs: 3000 },
-        options: { concurrencyKey: "user-1" },
-      },
-      {
-        id: ckWorkerTask.id,
-        payload: { id: "user-2", waitMs: 3000 },
-        options: { concurrencyKey: "user-2" },
-      },
-      {
-        id: ckWorkerTask.id,
-        payload: { id: "user-3", waitMs: 3000 },
-        options: { concurrencyKey: "user-3" },
-      },
-    ]);
-
-    if (!results.runs.every((r) => r.ok)) {
-      throw new Error("Not all CK runs completed successfully");
-    }
-
-    const executions = results.runs
-      .map((r) => r.output)
-      .sort((a, b) => a.startedAt - b.startedAt);
-
-    logger.info("CK basic test executions", { executions });
-
-    return { executions };
-  },
-});
-
-// Test 2: Same CK should respect concurrency limit
-export const ckSameConcurrencyTest = task({
-  id: "ck-same-concurrency-test",
-  retry: { maxAttempts: 1 },
-  maxDuration: 120,
-  run: async () => {
-    logger.info("Testing same CK concurrency: runs with same CK respect queue limit");
-
-    // Trigger 4 runs all with the same CK
-    // Queue limit is 2, so at most 2 should run concurrently
-    const results = await batch.triggerAndWait([
-      {
-        id: ckWorkerTask.id,
-        payload: { id: "same-1", waitMs: 4000 },
-        options: { concurrencyKey: "shared-key" },
-      },
-      {
-        id: ckWorkerTask.id,
-        payload: { id: "same-2", waitMs: 4000 },
-        options: { concurrencyKey: "shared-key" },
-      },
-      {
-        id: ckWorkerTask.id,
-        payload: { id: "same-3", waitMs: 4000 },
-        options: { concurrencyKey: "shared-key" },
-      },
-      {
-        id: ckWorkerTask.id,
-        payload: { id: "same-4", waitMs: 4000 },
-        options: { concurrencyKey: "shared-key" },
-      },
-    ]);
-
-    if (!results.runs.every((r) => r.ok)) {
-      throw new Error("Not all same-CK runs completed successfully");
-    }
-
-    const executions = results.runs
-      .map((r) => r.output)
-      .sort((a, b) => a.startedAt - b.startedAt);
-
-    // Check max concurrent: with same CK and limit 2, should be <= 2
-    let maxConcurrent = 0;
-    for (const current of executions) {
-      const concurrent = executions.filter(
-        (e) =>
-          e.startedAt <= current.startedAt &&
-          e.completedAt > current.startedAt
-      ).length;
-      maxConcurrent = Math.max(maxConcurrent, concurrent);
-    }
-
-    logger.info("Same CK concurrency result", { maxConcurrent, executions });
-
-    if (maxConcurrent > 2) {
-      throw new Error(`Expected max 2 concurrent with same CK, got ${maxConcurrent}`);
-    }
-
-    return { executions, maxConcurrent };
-  },
-});
-
-// Test 3: Many CKs - the scenario that motivated the CK index
-export const ckManyKeysTest = task({
-  id: "ck-many-keys-test",
-  retry: { maxAttempts: 1 },
-  maxDuration: 180,
-  run: async () => {
-    logger.info("Testing many CKs: all should complete without starving");
-
-    // Trigger 20 runs each with a different CK
-    const items = Array.from({ length: 20 }, (_, i) => ({
-      id: ckWorkerTask.id,
-      payload: { id: `prospect-${i}`, waitMs: 2000 },
-      options: { concurrencyKey: `prospect-${i}` },
-    }));
-
-    const results = await batch.triggerAndWait(items);
-
-    const succeeded = results.runs.filter((r) => r.ok).length;
-    const failed = results.runs.filter((r) => !r.ok).length;
-
-    logger.info("Many CKs test result", { succeeded, failed, total: results.runs.length });
-
-    if (failed > 0) {
-      throw new Error(`${failed} of ${results.runs.length} runs failed`);
-    }
-
-    return { succeeded, total: results.runs.length };
-  },
-});
-
-// Test 4: Mixed CK and non-CK triggers on same queue
-export const ckMixedTest = task({
-  id: "ck-mixed-test",
-  retry: { maxAttempts: 1 },
-  maxDuration: 120,
-  run: async () => {
-    logger.info("Testing mixed CK and non-CK on same queue");
-
-    const results = await batch.triggerAndWait([
-      // Non-CK runs
-      {
-        id: ckWorkerTask.id,
-        payload: { id: "no-ck-1", waitMs: 2000 },
-      },
-      {
-        id: ckWorkerTask.id,
-        payload: { id: "no-ck-2", waitMs: 2000 },
-      },
-      // CK runs
-      {
-        id: ckWorkerTask.id,
-        payload: { id: "with-ck-1", waitMs: 2000 },
-        options: { concurrencyKey: "tenant-a" },
-      },
-      {
-        id: ckWorkerTask.id,
-        payload: { id: "with-ck-2", waitMs: 2000 },
-        options: { concurrencyKey: "tenant-b" },
-      },
-    ]);
-
-    const succeeded = results.runs.filter((r) => r.ok).length;
-    const failed = results.runs.filter((r) => !r.ok).length;
-
-    logger.info("Mixed test result", { succeeded, failed });
-
-    if (failed > 0) {
-      throw new Error(`${failed} runs failed in mixed CK/non-CK test`);
-    }
-
-    return { succeeded, total: results.runs.length };
-  },
-});
diff --git a/references/hello-world/src/trigger/cpuHeavy.ts b/references/hello-world/src/trigger/cpuHeavy.ts
deleted file mode 100644
index 22b9bb547fd..00000000000
--- a/references/hello-world/src/trigger/cpuHeavy.ts
+++ /dev/null
@@ -1,32 +0,0 @@
-import { task, heartbeats } from "@trigger.dev/sdk";
-import { setTimeout } from "timers/promises";
-
-export const cpuHeavyTask = task({
-  id: "cpu-heavy-task",
-  machine: "small-1x",
-  run: async (
-    {
-      durationInMs = 1000,
-      yieldToHeartbeats = false,
-    }: { durationInMs: number; yieldToHeartbeats: boolean },
-    { ctx }
-  ) => {
-    console.log("🧠 Starting CPU-heavy work");
-
-    // await setTimeout(durationInMs);
-
-    await simulateCpuHeavyWork(durationInMs, yieldToHeartbeats);
-
-    console.log("🧠 CPU-heavy work completed");
-  },
-});
-
-async function simulateCpuHeavyWork(durationInMs: number, yieldToHeartbeats: boolean) {
-  const start = Date.now();
-  while (Date.now() - start < durationInMs) {
-    // Simulate 1 second of CPU-intensive work
-    if (yieldToHeartbeats) {
-      await heartbeats.yield();
-    }
-  }
-}
diff --git a/references/hello-world/src/trigger/deadlocks.ts b/references/hello-world/src/trigger/deadlocks.ts
deleted file mode 100644
index 1fd567f6535..00000000000
--- a/references/hello-world/src/trigger/deadlocks.ts
+++ /dev/null
@@ -1,33 +0,0 @@
-import { task, queue } from "@trigger.dev/sdk";
-
-const deadlockQueue = queue({
-  name: "deadlock-queue",
-  concurrencyLimit: 1,
-});
-
-export const deadlockReleasingQueue = queue({
-  name: "deadlock-releasing-queue",
-});
-
-export const deadlockTester = task({
-  id: "deadlock-tester",
-  run: async (payload: any, { ctx }) => {
-    await deadlockNestedTask.triggerAndWait({
-      message: "Hello, world!",
-    });
-  },
-});
-
-export const deadlockNestedTask = task({
-  id: "deadlock-nested-task",
-  queue: deadlockQueue,
-  run: async (payload: any, { ctx }) => {
-    await deadlockTester.triggerAndWait({
-      message: "Hello, world!",
-    });
-
-    return {
-      message: "Hello, world!",
-    };
-  },
-});
diff --git a/references/hello-world/src/trigger/debounce.ts b/references/hello-world/src/trigger/debounce.ts
deleted file mode 100644
index f0a7e8b6389..00000000000
--- a/references/hello-world/src/trigger/debounce.ts
+++ /dev/null
@@ -1,1214 +0,0 @@
-import { batch, logger, task, wait } from "@trigger.dev/sdk/v3";
-
-/**
- * A simple task that processes data updates.
- * This is the task we'll debounce to demonstrate the feature.
- */
-export const processDataUpdate = task({
-  id: "process-data-update",
-  run: async (payload: { userId: string; data: Record<string, unknown> }) => {
-    logger.info("Processing data update", { payload });
-
-    // Simulate some processing work
-    await wait.for({ seconds: 1 });
-
-    logger.info("Data update processed successfully", { userId: payload.userId });
-
-    return {
-      processed: true,
-      userId: payload.userId,
-      timestamp: new Date().toISOString(),
-    };
-  },
-});
-
-/**
- * Example 1: Basic Debounce
- *
- * This demonstrates how debounce works with rapid triggers.
- * When triggered multiple times with the same key within the delay period,
- * only one run will execute (with the first payload).
- *
- * Trigger this task multiple times rapidly with the same debounceKey to see
- * how only one run is created.
- */
-export const basicDebounceExample = task({
-  id: "basic-debounce-example",
-  run: async (payload: { value: string; debounceKey: string }) => {
-    logger.info("Starting basic debounce example", { payload });
-
-    // Trigger processDataUpdate with debounce
-    // If this task is triggered multiple times within 5 seconds with the same
-    // debounceKey, only one processDataUpdate run will be created
-    const handle = await processDataUpdate.trigger(
-      {
-        userId: payload.debounceKey,
-        data: { value: payload.value, triggeredAt: new Date().toISOString() },
-      },
-      {
-        debounce: {
-          key: payload.debounceKey,
-          delay: "5s",
-        },
-      }
-    );
-
-    logger.info("Triggered processDataUpdate with debounce", {
-      runId: handle.id,
-      debounceKey: payload.debounceKey,
-    });
-
-    return { triggeredRunId: handle.id };
-  },
-});
-
-/**
- * Demonstration: Rapid Debounce Triggering
- *
- * This task demonstrates debounce in action by triggering processDataUpdate
- * multiple times rapidly with the same debounce key. Despite 5 triggers,
- * only ONE processDataUpdate run will be created.
- *
- * Run this task and watch the logs - you'll see:
- * - 5 "Triggering attempt" logs
- * - All 5 return the SAME run ID
- * - Only 1 processDataUpdate run actually executes
- */
-export const demonstrateDebounce = task({
-  id: "demonstrate-debounce",
-  run: async (payload: { debounceKey?: string }) => {
-    const key = payload.debounceKey ?? "demo-key";
-
-    logger.info("Starting debounce demonstration", { debounceKey: key });
-    logger.info("Will trigger processDataUpdate 5 times rapidly with the same debounce key");
-
-    const handles: string[] = [];
-
-    // Trigger 5 times rapidly - all should return the same run
-    for (let i = 1; i <= 5; i++) {
-      logger.info(`Triggering attempt ${i}/5`, { attempt: i });
-
-      const handle = await processDataUpdate.trigger(
-        {
-          userId: key,
-          data: {
-            attempt: i,
-            triggeredAt: new Date().toISOString(),
-            message: `This is trigger attempt ${i}`,
-          },
-        },
-        {
-          debounce: {
-            key: key,
-            delay: "5s",
-          },
-        }
-      );
-
-      handles.push(handle.id);
-      logger.info(`Attempt ${i} returned run ID: ${handle.id}`, {
-        attempt: i,
-        runId: handle.id,
-      });
-
-      // Small delay between triggers (but still within debounce window)
-      await new Promise((resolve) => setTimeout(resolve, 200));
-    }
-
-    // Check if all handles are the same (they should be!)
-    const uniqueHandles = [...new Set(handles)];
-    const allSameRun = uniqueHandles.length === 1;
-
-    logger.info("Debounce demonstration complete", {
-      totalTriggers: 5,
-      uniqueRuns: uniqueHandles.length,
-      allSameRun,
-      runIds: handles,
-    });
-
-    if (allSameRun) {
-      logger.info("SUCCESS: All 5 triggers returned the same run ID - debounce is working!");
-    } else {
-      logger.warn("UNEXPECTED: Multiple runs were created", { uniqueHandles });
-    }
-
-    return {
-      debounceKey: key,
-      totalTriggers: 5,
-      uniqueRunsCreated: uniqueHandles.length,
-      allSameRun,
-      runId: uniqueHandles[0],
-    };
-  },
-});
-
-/**
- * Demonstration: Debounce with triggerAndWait
- *
- * This shows how multiple parent tasks can wait on the same debounced child.
- * Each parent task calls triggerAndWait with the same debounce key.
- * All parents will be blocked by and receive the result from the SAME child run.
- *
- * To test this:
- * 1. Run "demonstrate-debounce-trigger-and-wait-orchestrator"
- * 2. Watch as 3 parent runs are created
- * 3. All 3 parents will wait for the SAME debounced child run
- * 4. When the child completes, all 3 parents complete with the same result
- */
-
-// Parent task that calls triggerAndWait with debounce
-export const debounceTriggerAndWaitParent = task({
-  id: "debounce-trigger-and-wait-parent",
-  run: async (payload: { parentNumber: number; debounceKey: string }) => {
-    logger.info(`Parent ${payload.parentNumber}: Starting`, {
-      parentNumber: payload.parentNumber,
-      debounceKey: payload.debounceKey,
-    });
-
-    logger.info(`Parent ${payload.parentNumber}: Calling triggerAndWait with debounce`);
-
-    // This will be debounced - if another parent calls with the same key,
-    // they'll both wait for the same child run
-    const result = await processDataUpdate.triggerAndWait(
-      {
-        userId: payload.debounceKey,
-        data: {
-          parentNumber: payload.parentNumber,
-          triggeredAt: new Date().toISOString(),
-        },
-      },
-      {
-        debounce: {
-          key: payload.debounceKey,
-          delay: "5s",
-        },
-      }
-    );
-
-    logger.info(`Parent ${payload.parentNumber}: Got result from child`, { result });
-
-    if (result.ok) {
-      return {
-        parentNumber: payload.parentNumber,
-        childOutput: result.output,
-        success: true,
-      };
-    } else {
-      return {
-        parentNumber: payload.parentNumber,
-        error: "Child task failed",
-        success: false,
-      };
-    }
-  },
-});
-
-// Orchestrator that triggers multiple parents (without waiting)
-export const demonstrateDebounceTriggerAndWaitOrchestrator = task({
-  id: "demonstrate-debounce-trigger-and-wait-orchestrator",
-  run: async (payload: { debounceKey?: string; parentCount?: number }) => {
-    const key = payload.debounceKey ?? "wait-demo-key";
-    const count = payload.parentCount ?? 3;
-
-    logger.info("Starting debounce triggerAndWait demonstration", {
-      debounceKey: key,
-      parentCount: count,
-    });
-
-    logger.info(
-      `Triggering ${count} parent tasks - each will call triggerAndWait with the same debounce key`
-    );
-    logger.info("All parents should be blocked by the SAME debounced child run");
-
-    const handles: string[] = [];
-
-    // Trigger multiple parent tasks as fast as possible (no delay) to maximize race condition chance
-    for (let i = 1; i <= count; i++) {
-      const handle = await debounceTriggerAndWaitParent.trigger({
-        parentNumber: i,
-        debounceKey: key,
-      });
-
-      logger.info(`Triggered parent ${i}`, { runId: handle.id });
-      handles.push(handle.id);
-    }
-
-    logger.info("All parent tasks triggered", {
-      parentRunIds: handles,
-      debounceKey: key,
-    });
-
-    logger.info(
-      "Watch the parent runs - they should all complete around the same time when the single debounced child finishes"
-    );
-
-    return {
-      debounceKey: key,
-      parentCount: count,
-      parentRunIds: handles,
-      message: `Triggered ${count} parent tasks. They will all wait for the same debounced child.`,
-    };
-  },
-});
-
-/**
- * Example 2: User Activity Debouncing
- *
- * A real-world use case: debouncing user activity updates.
- * When a user performs multiple actions in quick succession,
- * we only want to process the final state after they've stopped.
- *
- * Common use cases:
- * - Search-as-you-type
- * - Form auto-save
- * - Activity logging
- * - Rate limiting user actions
- */
-export const syncUserActivity = task({
-  id: "sync-user-activity",
-  run: async (payload: {
-    userId: string;
-    activityType: string;
-    details: Record<string, unknown>;
-  }) => {
-    logger.info("Syncing user activity", { payload });
-
-    // Simulate syncing to external service
-    await wait.for({ seconds: 2 });
-
-    logger.info("User activity synced", {
-      userId: payload.userId,
-      activityType: payload.activityType,
-    });
-
-    return {
-      synced: true,
-      syncedAt: new Date().toISOString(),
-    };
-  },
-});
-
-export const trackUserActivity = task({
-  id: "track-user-activity",
-  run: async (payload: { userId: string; action: string; metadata?: Record<string, unknown> }) => {
-    logger.info("Tracking user activity", { payload });
-
-    // Debounce per user - if the same user performs multiple actions,
-    // only sync once after 10 seconds of inactivity
-    const handle = await syncUserActivity.trigger(
-      {
-        userId: payload.userId,
-        activityType: payload.action,
-        details: {
-          ...payload.metadata,
-          lastAction: payload.action,
-          lastActionAt: new Date().toISOString(),
-        },
-      },
-      {
-        debounce: {
-          // Key is scoped to the user, so each user has their own debounce window
-          key: `user-${payload.userId}`,
-          delay: "10s",
-        },
-      }
-    );
-
-    logger.info("User activity tracked (debounced)", {
-      userId: payload.userId,
-      runId: handle.id,
-    });
-
-    return { runId: handle.id };
-  },
-});
-
-/**
- * Example 3: Document Auto-Save with Debounce
- *
- * Simulates a document editing system where saves are debounced
- * to avoid excessive save operations during rapid editing.
- */
-export const saveDocument = task({
-  id: "save-document",
-  run: async (payload: { documentId: string; content: string; version: number }) => {
-    logger.info("Saving document", {
-      documentId: payload.documentId,
-      contentLength: payload.content.length,
-      version: payload.version,
-    });
-
-    // Simulate save operation
-    await wait.for({ seconds: 1 });
-
-    logger.info("Document saved successfully", {
-      documentId: payload.documentId,
-      savedAt: new Date().toISOString(),
-    });
-
-    return {
-      saved: true,
-      documentId: payload.documentId,
-      version: payload.version,
-      savedAt: new Date().toISOString(),
-    };
-  },
-});
-
-export const onDocumentEdit = task({
-  id: "on-document-edit",
-  run: async (payload: { documentId: string; content: string; editorId: string }) => {
-    logger.info("Document edited", {
-      documentId: payload.documentId,
-      editorId: payload.editorId,
-    });
-
-    // Debounce saves per document - save only after 3 seconds of no edits
-    const handle = await saveDocument.trigger(
-      {
-        documentId: payload.documentId,
-        content: payload.content,
-        version: Date.now(),
-      },
-      {
-        debounce: {
-          // Key is scoped to the document, so each document has its own debounce
-          key: `doc-${payload.documentId}`,
-          delay: "3s",
-        },
-      }
-    );
-
-    return {
-      acknowledged: true,
-      pendingSaveRunId: handle.id,
-    };
-  },
-});
-
-/**
- * Example 4: Webhook Consolidation
- *
- * When receiving many webhooks from an external service,
- * debounce to consolidate them into fewer processing runs.
- */
-export const processWebhookBatch = task({
-  id: "process-webhook-batch",
-  run: async (payload: { source: string; eventType: string; data: unknown }) => {
-    logger.info("Processing webhook batch", {
-      source: payload.source,
-      eventType: payload.eventType,
-    });
-
-    // Process the webhook data
-    await wait.for({ seconds: 2 });
-
-    logger.info("Webhook batch processed", {
-      source: payload.source,
-      eventType: payload.eventType,
-    });
-
-    return {
-      processed: true,
-      processedAt: new Date().toISOString(),
-    };
-  },
-});
-
-export const handleWebhook = task({
-  id: "handle-webhook",
-  run: async (payload: { source: string; eventType: string; webhookId: string; data: unknown }) => {
-    logger.info("Received webhook", {
-      source: payload.source,
-      eventType: payload.eventType,
-      webhookId: payload.webhookId,
-    });
-
-    // Debounce webhooks from the same source and event type
-    // This consolidates rapid webhook bursts into single processing runs
-    const handle = await processWebhookBatch.trigger(
-      {
-        source: payload.source,
-        eventType: payload.eventType,
-        data: payload.data,
-      },
-      {
-        debounce: {
-          key: `webhook-${payload.source}-${payload.eventType}`,
-          delay: "2s",
-        },
-      }
-    );
-
-    logger.info("Webhook queued for processing (debounced)", {
-      webhookId: payload.webhookId,
-      runId: handle.id,
-    });
-
-    return {
-      acknowledged: true,
-      processingRunId: handle.id,
-    };
-  },
-});
-
-/**
- * Example 5: Debounce with triggerAndWait
- *
- * When using triggerAndWait with debounce, the parent task will be blocked
- * by the debounced child run. If another parent triggers with the same
- * debounce key, it will also be blocked by the SAME child run.
- */
-export const debouncedChildTask = task({
-  id: "debounced-child-task",
-  run: async (payload: { key: string; value: string }) => {
-    logger.info("Debounced child task executing", { payload });
-
-    await wait.for({ seconds: 3 });
-
-    logger.info("Debounced child task completed", { key: payload.key });
-
-    return {
-      result: `Processed: ${payload.value}`,
-      completedAt: new Date().toISOString(),
-    };
-  },
-});
-
-export const parentWithDebouncedChild = task({
-  id: "parent-with-debounced-child",
-  run: async (payload: { parentId: string; debounceKey: string; data: string }) => {
-    logger.info("Parent task starting", { parentId: payload.parentId });
-
-    // triggerAndWait with debounce - the parent will wait for the debounced child
-    // If another parent triggers with the same debounce key, they'll both wait
-    // for the same child run
-    const result = await debouncedChildTask.triggerAndWait(
-      {
-        key: payload.debounceKey,
-        value: payload.data,
-      },
-      {
-        debounce: {
-          key: payload.debounceKey,
-          delay: "5s",
-        },
-      }
-    );
-
-    logger.info("Parent task completed", {
-      parentId: payload.parentId,
-      childResult: result,
-    });
-
-    if (result.ok) {
-      return {
-        parentId: payload.parentId,
-        childOutput: result.output,
-      };
-    } else {
-      return {
-        parentId: payload.parentId,
-        error: "Child task failed",
-      };
-    }
-  },
-});
-
-/**
- * Example 6: Different Delay Durations
- *
- * Shows various delay duration formats supported by debounce.
- */
-export const shortDebounce = task({
-  id: "short-debounce",
-  run: async (payload: { key: string }) => {
-    logger.info("Short debounce task (1s)", { key: payload.key });
-    return { key: payload.key, delay: "1s" };
-  },
-});
-
-export const mediumDebounce = task({
-  id: "medium-debounce",
-  run: async (payload: { key: string }) => {
-    logger.info("Medium debounce task (5s)", { key: payload.key });
-    return { key: payload.key, delay: "5s" };
-  },
-});
-
-export const longDebounce = task({
-  id: "long-debounce",
-  run: async (payload: { key: string }) => {
-    logger.info("Long debounce task (1m)", { key: payload.key });
-    return { key: payload.key, delay: "1m" };
-  },
-});
-
-export const testDifferentDelays = task({
-  id: "test-different-delays",
-  run: async (payload: { key: string }) => {
-    logger.info("Testing different debounce delays", { key: payload.key });
-
-    // 1 second debounce - good for rapid UI updates
-    await shortDebounce.trigger(
-      { key: `${payload.key}-short` },
-      { debounce: { key: `${payload.key}-short`, delay: "1s" } }
-    );
-
-    // 5 second debounce - good for user input
-    await mediumDebounce.trigger(
-      { key: `${payload.key}-medium` },
-      { debounce: { key: `${payload.key}-medium`, delay: "5s" } }
-    );
-
-    // 1 minute debounce - good for batch processing
-    await longDebounce.trigger(
-      { key: `${payload.key}-long` },
-      { debounce: { key: `${payload.key}-long`, delay: "1m" } }
-    );
-
-    return { triggered: true };
-  },
-});
-
-/**
- * Example 7: Batch Trigger with Debounce
- *
- * Demonstrates using debounce with batchTrigger.
- * Each item in the batch can have its own debounce key and delay.
- * Items with the same debounce key will be consolidated into a single run.
- */
-export const batchItemTask = task({
-  id: "batch-item-task",
-  run: async (payload: { itemId: string; data: string }) => {
-    logger.info("Processing batch item", { payload });
-
-    await wait.for({ seconds: 1 });
-
-    logger.info("Batch item processed", { itemId: payload.itemId });
-
-    return {
-      processed: true,
-      itemId: payload.itemId,
-      processedAt: new Date().toISOString(),
-    };
-  },
-});
-
-/**
- * Demonstrates batch.trigger() with debounce options on individual items.
- *
- * This shows how you can:
- * - Use different debounce keys for different items
- * - Items with the same debounce key will be consolidated
- * - Items with different keys will create separate runs
- *
- * Run this task and watch:
- * - Items 1 and 3 share debounce key "group-a" -> ONE run
- * - Items 2 and 4 share debounce key "group-b" -> ONE run
- * - Item 5 has unique key "group-c" -> ONE run
- * - Total: 3 runs instead of 5 (but batch shows 5 items)
- *
- * Note: The batch itself still reports 5 items, but only 3 actual task runs
- * will execute due to debouncing.
- */
-export const demonstrateBatchDebounce = task({
-  id: "demonstrate-batch-debounce",
-  run: async (payload: { prefix?: string }) => {
-    const prefix = payload.prefix ?? "batch-demo";
-
-    logger.info("Starting batch debounce demonstration");
-    logger.info("Will trigger 5 items with 3 different debounce keys");
-    logger.info(
-      "Items 1&3 share key 'group-a', items 2&4 share key 'group-b', item 5 has key 'group-c'"
-    );
-
-    // Use batch.trigger with debounce options on each item
-    const result = await batch.trigger<typeof batchItemTask>([
-      {
-        id: "batch-item-task",
-        payload: { itemId: `${prefix}-1`, data: "First item in group A" },
-        options: {
-          debounce: { key: `${prefix}-group-a`, delay: "5s" },
-        },
-      },
-      {
-        id: "batch-item-task",
-        payload: { itemId: `${prefix}-2`, data: "First item in group B" },
-        options: {
-          debounce: { key: `${prefix}-group-b`, delay: "5s" },
-        },
-      },
-      {
-        id: "batch-item-task",
-        payload: { itemId: `${prefix}-3`, data: "Second item in group A (debounced)" },
-        options: {
-          debounce: { key: `${prefix}-group-a`, delay: "5s" },
-        },
-      },
-      {
-        id: "batch-item-task",
-        payload: { itemId: `${prefix}-4`, data: "Second item in group B (debounced)" },
-        options: {
-          debounce: { key: `${prefix}-group-b`, delay: "5s" },
-        },
-      },
-      {
-        id: "batch-item-task",
-        payload: { itemId: `${prefix}-5`, data: "Only item in group C" },
-        options: {
-          debounce: { key: `${prefix}-group-c`, delay: "5s" },
-        },
-      },
-    ]);
-
-    logger.info("Batch debounce demonstration complete", {
-      batchId: result.batchId,
-      totalItemsInBatch: result.runCount,
-      note: "Check the dashboard - only 3 actual task runs should execute due to debouncing",
-    });
-
-    return {
-      batchId: result.batchId,
-      totalItemsInBatch: result.runCount,
-      expectedUniqueRuns: 3,
-      message:
-        "5 items submitted, but only 3 runs will execute: group-a (1 run), group-b (1 run), group-c (1 run)",
-    };
-  },
-});
-
-/**
- * Demonstrates batchTrigger on a single task with debounce.
- *
- * Similar to batch.trigger but using myTask.batchTrigger() syntax.
- * Each item can have its own debounce configuration.
- *
- * When all items share the same debounce key, only ONE run will execute.
- */
-export const demonstrateSingleTaskBatchDebounce = task({
-  id: "demonstrate-single-task-batch-debounce",
-  run: async (payload: { debounceKey?: string }) => {
-    const key = payload.debounceKey ?? "single-batch-demo";
-
-    logger.info("Starting single task batch debounce demonstration", { debounceKey: key });
-    logger.info("Triggering 4 items with the SAME debounce key - only 1 run should execute");
-
-    // All items have the same debounce key, so they should all resolve to the same run
-    const result = await batchItemTask.batchTrigger([
-      {
-        payload: { itemId: `${key}-1`, data: "Item 1" },
-        options: { debounce: { key, delay: "5s" } },
-      },
-      {
-        payload: { itemId: `${key}-2`, data: "Item 2" },
-        options: { debounce: { key, delay: "5s" } },
-      },
-      {
-        payload: { itemId: `${key}-3`, data: "Item 3" },
-        options: { debounce: { key, delay: "5s" } },
-      },
-      {
-        payload: { itemId: `${key}-4`, data: "Item 4" },
-        options: { debounce: { key, delay: "5s" } },
-      },
-    ]);
-
-    logger.info("Single task batch debounce complete", {
-      batchId: result.batchId,
-      totalItemsInBatch: result.runCount,
-      debounceKey: key,
-      note: "All items share the same debounce key, so only 1 task run should execute",
-    });
-
-    return {
-      batchId: result.batchId,
-      totalItemsInBatch: result.runCount,
-      debounceKey: key,
-      expectedUniqueRuns: 1,
-      message: "4 items submitted with same debounce key - only 1 run will execute",
-    };
-  },
-});
-
-/**
- * Example 8: Trailing Mode - Process Latest Data
- *
- * Trailing mode updates the run's payload (and other options) with each subsequent trigger.
- * When the debounce window closes, the task runs with the LAST payload instead of the first.
- *
- * This is perfect for scenarios like:
- * - Auto-saving the latest document state
- * - Processing the final search query after typing stops
- * - Aggregating real-time data and processing the latest snapshot
- */
-export const processLatestData = task({
-  id: "process-latest-data",
-  run: async (payload: { version: number; content: string; timestamp: string }) => {
-    logger.info("Processing latest data", { payload });
-
-    await wait.for({ seconds: 1 });
-
-    logger.info("Processed latest data", {
-      version: payload.version,
-      content: payload.content,
-    });
-
-    return {
-      processed: true,
-      version: payload.version,
-      content: payload.content,
-      processedAt: new Date().toISOString(),
-    };
-  },
-});
-
-/**
- * Demonstrates trailing mode in action.
- *
- * This task triggers processLatestData 5 times rapidly with different payloads.
- * With mode: "trailing", the run will execute with version 5 (the LAST payload),
- * not version 1 (the first payload).
- *
- * Compare this to the demonstrateDebounce task which uses the default leading mode.
- */
-export const demonstrateTrailingMode = task({
-  id: "demonstrate-trailing-mode",
-  run: async (payload: { debounceKey?: string }) => {
-    const key = payload.debounceKey ?? "trailing-demo-key";
-
-    logger.info("Starting trailing mode demonstration", { debounceKey: key });
-    logger.info("Will trigger processLatestData 5 times with mode: 'trailing'");
-    logger.info("The run should execute with version 5 (the LAST payload)");
-
-    const handles: string[] = [];
-
-    // Trigger 5 times rapidly - with trailing mode, the LAST payload wins
-    for (let i = 1; i <= 5; i++) {
-      logger.info(`Triggering version ${i}/5`, { version: i });
-
-      const handle = await processLatestData.trigger(
-        {
-          version: i,
-          content: `Content version ${i}`,
-          timestamp: new Date().toISOString(),
-        },
-        {
-          debounce: {
-            key: key,
-            delay: "5s",
-            mode: "trailing", // Use trailing mode - LAST payload wins
-          },
-        }
-      );
-
-      handles.push(handle.id);
-      logger.info(`Version ${i} returned run ID: ${handle.id}`, {
-        version: i,
-        runId: handle.id,
-      });
-
-      // Small delay between triggers
-      await new Promise((resolve) => setTimeout(resolve, 200));
-    }
-
-    // All handles should be the same run
-    const uniqueHandles = [...new Set(handles)];
-    const allSameRun = uniqueHandles.length === 1;
-
-    logger.info("Trailing mode demonstration complete", {
-      totalTriggers: 5,
-      uniqueRuns: uniqueHandles.length,
-      allSameRun,
-      note: "The run should execute with version 5 (the LAST payload)",
-    });
-
-    return {
-      debounceKey: key,
-      totalTriggers: 5,
-      uniqueRunsCreated: uniqueHandles.length,
-      allSameRun,
-      runId: uniqueHandles[0],
-      expectedPayloadVersion: 5,
-      message:
-        "With trailing mode, the run executes with the LAST payload (version 5), not the first",
-    };
-  },
-});
-
-/**
- * Example 9: Document Auto-Save with Trailing Mode
- *
- * A practical example: when editing a document, you want to save the LATEST
- * version after the user stops typing, not the first version.
- *
- * Trailing mode is ideal for this because:
- * - Each keystroke/edit triggers a save
- * - Each trigger updates the pending run's payload to the latest content
- * - When typing stops, the latest content is saved
- */
-export const saveDocumentLatest = task({
-  id: "save-document-latest",
-  run: async (payload: {
-    documentId: string;
-    content: string;
-    editCount: number;
-    lastEditedAt: string;
-  }) => {
-    logger.info("Saving document (latest version)", {
-      documentId: payload.documentId,
-      contentLength: payload.content.length,
-      editCount: payload.editCount,
-    });
-
-    // Simulate save operation
-    await wait.for({ seconds: 1 });
-
-    logger.info("Document saved successfully with latest content", {
-      documentId: payload.documentId,
-      editCount: payload.editCount,
-      savedAt: new Date().toISOString(),
-    });
-
-    return {
-      saved: true,
-      documentId: payload.documentId,
-      editCount: payload.editCount,
-      contentLength: payload.content.length,
-      savedAt: new Date().toISOString(),
-    };
-  },
-});
-
-export const onDocumentEditWithTrailing = task({
-  id: "on-document-edit-with-trailing",
-  run: async (payload: { documentId: string; content: string; editorId: string }) => {
-    // Track how many edits we've made (for demonstration)
-    const editCount = payload.content.length; // Using content length as a simple proxy
-
-    logger.info("Document edited (using trailing mode)", {
-      documentId: payload.documentId,
-      editorId: payload.editorId,
-      editCount,
-    });
-
-    // Use trailing mode - the LATEST content will be saved
-    const handle = await saveDocumentLatest.trigger(
-      {
-        documentId: payload.documentId,
-        content: payload.content,
-        editCount,
-        lastEditedAt: new Date().toISOString(),
-      },
-      {
-        debounce: {
-          key: `doc-${payload.documentId}`,
-          delay: "3s",
-          mode: "trailing", // Save the LATEST content, not the first
-        },
-      }
-    );
-
-    return {
-      acknowledged: true,
-      pendingSaveRunId: handle.id,
-      note: "With trailing mode, the latest content will be saved after 3 seconds of no edits",
-    };
-  },
-});
-
-/**
- * Example 10: Leading vs Trailing Mode Comparison
- *
- * This task demonstrates the difference between leading and trailing modes
- * by triggering two separate debounced tasks with the same data pattern.
- *
- * - Leading mode task: will process version 1 (first payload)
- * - Trailing mode task: will process version 5 (last payload)
- */
-export const processWithLeadingMode = task({
-  id: "process-with-leading-mode",
-  run: async (payload: { version: number }) => {
-    logger.info("Leading mode: Processing data", { version: payload.version });
-    return { mode: "leading", version: payload.version };
-  },
-});
-
-export const processWithTrailingMode = task({
-  id: "process-with-trailing-mode",
-  run: async (payload: { version: number }) => {
-    logger.info("Trailing mode: Processing data", { version: payload.version });
-    return { mode: "trailing", version: payload.version };
-  },
-});
-
-export const compareLeadingAndTrailing = task({
-  id: "compare-leading-and-trailing",
-  run: async (payload: { prefix?: string }) => {
-    const prefix = payload.prefix ?? "compare";
-
-    logger.info("Starting leading vs trailing mode comparison");
-    logger.info("Triggering both modes 5 times with versions 1-5");
-    logger.info("Expected: Leading mode processes v1, Trailing mode processes v5");
-
-    // Trigger both modes 5 times
-    for (let i = 1; i <= 5; i++) {
-      // Leading mode (default) - will keep first payload
-      await processWithLeadingMode.trigger(
-        { version: i },
-        {
-          debounce: {
-            key: `${prefix}-leading`,
-            delay: "5s",
-            // mode: "leading" is the default
-          },
-        }
-      );
-
-      // Trailing mode - will update to latest payload
-      await processWithTrailingMode.trigger(
-        { version: i },
-        {
-          debounce: {
-            key: `${prefix}-trailing`,
-            delay: "5s",
-            mode: "trailing",
-          },
-        }
-      );
-
-      await new Promise((resolve) => setTimeout(resolve, 100));
-    }
-
-    logger.info("Comparison complete", {
-      leadingModeExpected: "version 1 (first payload)",
-      trailingModeExpected: "version 5 (last payload)",
-    });
-
-    return {
-      message: "Check the processWithLeadingMode and processWithTrailingMode runs",
-      leadingModeExpected: { version: 1 },
-      trailingModeExpected: { version: 5 },
-    };
-  },
-});
-
-/**
- * Example 11: Trailing Mode with Metadata Updates
- *
- * Trailing mode also updates metadata, tags, maxAttempts, maxDuration, and machine.
- * This example shows how metadata changes with each trigger.
- */
-export const processWithMetadata = task({
-  id: "process-with-metadata",
-  run: async (payload: { action: string }, { ctx }) => {
-    logger.info("Processing with metadata", { action: payload.action });
-
-    // The metadata will be from the LAST trigger when using trailing mode
-    logger.info("Run metadata reflects the latest trigger");
-
-    return {
-      action: payload.action,
-      processedAt: new Date().toISOString(),
-    };
-  },
-});
-
-export const demonstrateTrailingWithMetadata = task({
-  id: "demonstrate-trailing-with-metadata",
-  run: async (payload: { debounceKey?: string }) => {
-    const key = payload.debounceKey ?? "metadata-trailing-demo";
-
-    logger.info("Demonstrating trailing mode with metadata updates");
-
-    const actions = ["created", "updated", "reviewed", "approved", "published"];
-
-    for (const action of actions) {
-      await processWithMetadata.trigger(
-        { action },
-        {
-          debounce: {
-            key,
-            delay: "5s",
-            mode: "trailing",
-          },
-          metadata: {
-            lastAction: action,
-            actionTimestamp: new Date().toISOString(),
-            actionIndex: actions.indexOf(action) + 1,
-          },
-        }
-      );
-
-      await new Promise((resolve) => setTimeout(resolve, 100));
-    }
-
-    logger.info("Metadata trailing demonstration complete", {
-      expectedAction: "published",
-      expectedMetadata: { lastAction: "published", actionIndex: 5 },
-    });
-
-    return {
-      debounceKey: key,
-      triggeredActions: actions,
-      expectedFinalAction: "published",
-      message: "The run will have metadata from the 'published' trigger (the last one)",
-    };
-  },
-});
-
-/**
- * Example 12: Debounce with maxDelay
- *
- * The maxDelay option limits how long a debounced run can be delayed.
- * Even if triggers keep coming, the run will eventually execute after maxDelay
- * from the first trigger. This is useful for scenarios where you want to
- * debounce but also guarantee execution within a certain time window.
- *
- * Use case: Summarizing AI conversation threads that need to stay relatively
- * up to date. You want to debounce as messages come in, but also guarantee
- * the summary runs at least every 30 minutes.
- */
-export const processConversationSummary = task({
-  id: "process-conversation-summary",
-  run: async (payload: { conversationId: string; messageCount: number }) => {
-    logger.info("Generating conversation summary", { payload });
-
-    // Simulate AI summarization work
-    await wait.for({ seconds: 2 });
-
-    logger.info("Conversation summary generated", {
-      conversationId: payload.conversationId,
-      messageCount: payload.messageCount,
-    });
-
-    return {
-      summarized: true,
-      conversationId: payload.conversationId,
-      messageCount: payload.messageCount,
-      summarizedAt: new Date().toISOString(),
-    };
-  },
-});
-
-/**
- * Demonstrates maxDelay in action.
- *
- * This simulates a chat application where messages come in continuously.
- * With just debounce, the summary task would keep getting delayed forever.
- * With maxDelay: "30s", the summary will run at most 30 seconds after the first trigger,
- * even if messages keep coming.
- *
- * Run this task and observe:
- * - Messages trigger the summary task with debounce
- * - Each trigger extends the delay by 5s
- * - But maxDelay ensures execution happens within 30s of the first trigger
- */
-export const simulateChatWithMaxWait = task({
-  id: "simulate-chat-with-max-wait",
-  run: async (payload: { conversationId?: string; simulateDelay?: number }) => {
-    const conversationId = payload.conversationId ?? "conv-123";
-    const delayBetweenMessages = payload.simulateDelay ?? 3000; // 3 seconds
-
-    logger.info("Starting chat simulation with maxDelay", {
-      conversationId,
-      delayBetweenMessages,
-    });
-
-    logger.info(
-      "Debounce delay is 5s, maxDelay is 30s. Messages arrive every 3s, so debounce would normally keep extending. But maxDelay ensures execution within 30s."
-    );
-
-    const handles: string[] = [];
-
-    // Simulate 15 messages over ~45 seconds
-    // Without maxDelay, the task would never run because each trigger resets the 5s delay
-    // With maxDelay: "30s", the task will run after 30 seconds from the first trigger
-    for (let i = 1; i <= 15; i++) {
-      logger.info(`Message ${i}/15 received`, { messageNumber: i });
-
-      const handle = await processConversationSummary.trigger(
-        {
-          conversationId,
-          messageCount: i,
-        },
-        {
-          debounce: {
-            key: `conversation-${conversationId}`,
-            delay: "5s",
-            mode: "trailing", // Use latest message count
-            maxDelay: "30s", // Ensure execution within 30s of first trigger
-          },
-        }
-      );
-
-      handles.push(handle.id);
-      logger.info(`Message ${i} triggered, run ID: ${handle.id}`, {
-        messageNumber: i,
-        runId: handle.id,
-      });
-
-      // Wait between messages (simulating real chat)
-      if (i < 15) {
-        await new Promise((resolve) => setTimeout(resolve, delayBetweenMessages));
-      }
-    }
-
-    const uniqueHandles = [...new Set(handles)];
-
-    logger.info("Chat simulation complete", {
-      totalMessages: 15,
-      uniqueRuns: uniqueHandles.length,
-      note:
-        "With maxDelay, runs should have been created periodically despite continuous triggering",
-    });
-
-    return {
-      conversationId,
-      totalMessages: 15,
-      uniqueRunsCreated: uniqueHandles.length,
-      runIds: uniqueHandles,
-      message:
-        "Due to maxDelay: '30s', the summary task runs periodically even with continuous triggers",
-    };
-  },
-});
-
-/**
- * A simpler maxDelay example showing the basic usage pattern.
- *
- * This is the recommended pattern for using maxDelay:
- * - delay: How long to wait after each trigger before executing
- * - maxDelay: Maximum total wait time from the first trigger
- */
-export const onNewMessage = task({
-  id: "on-new-message",
-  run: async (payload: { conversationId: string; message: string }) => {
-    logger.info("New message received", {
-      conversationId: payload.conversationId,
-      messagePreview: payload.message.substring(0, 50),
-    });
-
-    // Trigger summarization with debounce and maxDelay
-    const handle = await processConversationSummary.trigger(
-      {
-        conversationId: payload.conversationId,
-        messageCount: 1, // In real code, you'd track actual count
-      },
-      {
-        debounce: {
-          key: `summary-${payload.conversationId}`,
-          delay: "10s", // Wait 10s after last message before summarizing
-          mode: "trailing", // Use latest state
-          maxDelay: "5m", // But always summarize within 5 minutes
-        },
-      }
-    );
-
-    logger.info("Summary task triggered (debounced with maxDelay)", {
-      runId: handle.id,
-    });
-
-    return { summaryRunId: handle.id };
-  },
-});
diff --git a/references/hello-world/src/trigger/envvars.ts b/references/hello-world/src/trigger/envvars.ts
deleted file mode 100644
index efc1dc79cb8..00000000000
--- a/references/hello-world/src/trigger/envvars.ts
+++ /dev/null
@@ -1,48 +0,0 @@
-import { envvars, logger, task } from "@trigger.dev/sdk";
-import assert from "node:assert";
-
-export const secretEnvVar = task({
-  id: "secret-env-var",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (_, { ctx }) => {
-    logger.log("ctx", { ctx });
-
-    logger.log("process.env", process.env);
-
-    //list them
-    const vars = await envvars.list(ctx.project.ref, ctx.environment.slug);
-    logger.log("envVars", { vars });
-
-    //get non secret env var
-    const nonSecretEnvVar = vars.find((v) => !v.isSecret);
-    assert.equal(nonSecretEnvVar?.isSecret, false);
-    assert.notEqual(nonSecretEnvVar?.value, "<redacted>");
-
-    //retrieve the non secret env var
-    const retrievedNonSecret = await envvars.retrieve(
-      ctx.project.ref,
-      ctx.environment.slug,
-      nonSecretEnvVar!.name
-    );
-    logger.log("retrievedNonSecret", { retrievedNonSecret });
-    assert.equal(retrievedNonSecret?.isSecret, false);
-    assert.equal(retrievedNonSecret?.value, nonSecretEnvVar!.value);
-
-    //get secret env var
-    const secretEnvVar = vars.find((v) => v.isSecret);
-    assert.equal(secretEnvVar?.isSecret, true, "no secretEnvVar found");
-    assert.equal(secretEnvVar?.value, "<redacted>", "secretEnvVar value should be redacted");
-
-    //retrieve the secret env var
-    const retrievedSecret = await envvars.retrieve(
-      ctx.project.ref,
-      ctx.environment.slug,
-      secretEnvVar!.name
-    );
-    logger.log("retrievedSecret", { retrievedSecret });
-    assert.equal(retrievedSecret?.isSecret, true);
-    assert.equal(retrievedSecret?.value, "<redacted>");
-  },
-});
diff --git a/references/hello-world/src/trigger/example.ts b/references/hello-world/src/trigger/example.ts
deleted file mode 100644
index 5e04f57144f..00000000000
--- a/references/hello-world/src/trigger/example.ts
+++ /dev/null
@@ -1,532 +0,0 @@
-import { batch, logger, task, tasks, timeout, wait } from "@trigger.dev/sdk";
-import { setTimeout } from "timers/promises";
-import { ResourceMonitor } from "../resourceMonitor.js";
-import { fixedLengthTask } from "./batches.js";
-
-export const helloWorldTask = task({
-  id: "hello-world",
-  ttl: "10m",
-  retry: {
-    maxAttempts: 3,
-    minTimeoutInMs: 500,
-    maxTimeoutInMs: 1000,
-    factor: 1.5,
-  },
-  onStart: async ({ payload, ctx, init }) => {
-    logger.info("Hello, world from the onStart hook", { payload, init });
-  },
-  run: async (payload: any, { ctx }) => {
-    logger.info("Hello, world froms the init", { ctx, payload });
-    logger.info("env vars", {
-      env: process.env,
-    });
-
-    logger.debug("debug: Hello, worlds!", { payload });
-    logger.info("info: Hello, world!", { payload });
-    logger.log("log: Hello, world!", { payload });
-    logger.warn("warn: Hello, world!", { payload });
-    logger.error("error: Hello, world!", { payload });
-
-    logger.trace("my trace", async (span) => {
-      logger.debug("some log", { span });
-    });
-
-    await setTimeout(payload.sleepFor ?? 5_000);
-
-    if (payload.throwError) {
-      throw new Error("Forced error to cause a retry");
-    }
-
-    logger.trace(
-      "my trace",
-      async (span) => {
-        logger.debug("some log", { span });
-      },
-      {
-        icon: "tabler-ad-circle",
-      }
-    );
-
-    await wait.for({ seconds: 5 });
-
-    return {
-      message: "Hello, world!",
-    };
-  },
-});
-
-export const parentTask = task({
-  id: "parent",
-  machine: "medium-1x",
-  run: async (payload: any, { ctx }) => {
-    logger.log("Hello, world from the parent", { payload, ctx });
-    await childTask.triggerAndWait({ message: "Hello, world!", aReallyBigInt: BigInt(10000) });
-  },
-});
-
-export const batchParentTask = task({
-  id: "batch-parent",
-  run: async (payload: any, { ctx }) => {
-    logger.log("Hello, world from the parent", { payload });
-
-    const results = await childTask.batchTriggerAndWait([
-      { payload: { message: "Hello, world!" } },
-      { payload: { message: "Hello, world 2!" } },
-    ]);
-    logger.log("Results", { results });
-
-    const results2 = await batch.triggerAndWait<typeof childTask>([
-      { id: "child", payload: { message: "Hello, world !" } },
-      { id: "child", payload: { message: "Hello, world 2!" } },
-    ]);
-    logger.log("Results 2", { results2 });
-
-    const results3 = await batch.triggerByTask([
-      { task: childTask, payload: { message: "Hello, world !" } },
-      { task: childTask, payload: { message: "Hello, world 2!" } },
-    ]);
-    logger.log("Results 3", { results3 });
-
-    const results4 = await batch.triggerByTaskAndWait([
-      {
-        task: childTask,
-        payload: { message: "Hello, world !" },
-      },
-      { task: childTask, payload: { message: "Hello, world 2!" } },
-    ]);
-    logger.log("Results 4", { results4 });
-  },
-});
-
-export const childTask = task({
-  id: "child",
-  run: async (
-    {
-      message,
-      failureChance = 0.3,
-      duration = 3_000,
-      aReallyBigInt,
-    }: { message?: string; failureChance?: number; duration?: number; aReallyBigInt?: bigint },
-    { ctx }
-  ) => {
-    logger.info("Hello, world from the child", { ctx, failureChance, aReallyBigInt });
-
-    if (Math.random() < failureChance) {
-      throw new Error("Random error at start");
-    }
-
-    await setTimeout(duration);
-
-    if (Math.random() < failureChance) {
-      throw new Error("Random error at end");
-    }
-
-    return {
-      message,
-    };
-  },
-});
-
-export const maxDurationTask = task({
-  id: "max-duration",
-  retry: {
-    maxAttempts: 5,
-    minTimeoutInMs: 1_000,
-    maxTimeoutInMs: 2_000,
-    factor: 1.4,
-  },
-  maxDuration: 5,
-  run: async (payload: { sleepFor: number }, { signal, ctx }) => {
-    await setTimeout(payload.sleepFor * 1000, { signal });
-  },
-});
-
-export const maxDurationParentTask = task({
-  id: "max-duration-parent",
-  run: async (payload: { sleepFor?: number; maxDuration?: number }, { ctx, signal }) => {
-    const result = await maxDurationTask.triggerAndWait(
-      { sleepFor: payload.sleepFor ?? 10 },
-      { maxDuration: timeout.None }
-    );
-
-    return result;
-  },
-});
-
-export const batchTask = task({
-  id: "batch",
-  run: async (payload: { count: number }, { ctx }) => {
-    logger.info("Starting batch task", { count: payload.count });
-
-    const items = Array.from({ length: payload.count }, (_, i) => ({
-      payload: { message: `Batch item ${i + 1}` },
-    }));
-
-    const results = await childTask.batchTriggerAndWait(items);
-
-    logger.info("Batch task complete", { results });
-
-    return {
-      batchCount: payload.count,
-      results,
-    };
-  },
-});
-
-const nonExportedTask = task({
-  id: "non-exported",
-  run: async (payload: { message: string }, { ctx }) => {
-    logger.info("Hello, world from the non-exported task", { message: payload.message });
-  },
-});
-
-export const hooksTask = task({
-  id: "hooks",
-  run: async (payload: { message: string }, { ctx }) => {
-    logger.info("Hello, world from the hooks task", { message: payload.message });
-
-    await wait.for({ seconds: 5 });
-
-    return {
-      message: "Hello, world!",
-    };
-  },
-  init: async () => {
-    return {
-      foobar: "baz",
-    };
-  },
-  onWait: async ({ payload, wait, ctx, init }) => {
-    logger.info("Hello, world from the onWait hook", { payload, init, wait });
-  },
-  onResume: async ({ payload, wait, ctx, init }) => {
-    logger.info("Hello, world from the onResume hook", { payload, init, wait });
-  },
-  onStart: async ({ payload, ctx, init }) => {
-    logger.info("Hello, world from the onStart hook", { payload, init });
-  },
-  onSuccess: async ({ payload, output, ctx }) => {
-    logger.info("Hello, world from the onSuccess hook", { payload, output });
-  },
-  onFailure: async ({ payload, error, ctx }) => {
-    logger.info("Hello, world from the onFailure hook", { payload, error });
-  },
-  onComplete: async ({ ctx, payload, result }) => {
-    logger.info("Hello, world from the onComplete hook", { payload, result });
-  },
-  handleError: async ({ payload, error, ctx, retry }) => {
-    logger.info("Hello, world from the handleError hook", { payload, error, retry });
-  },
-  catchError: async ({ ctx, payload, error, retry }) => {
-    logger.info("Hello, world from the catchError hook", { payload, error, retry });
-  },
-  cleanup: async ({ ctx, payload }) => {
-    logger.info("Hello, world from the cleanup hook", { payload });
-  },
-  onCancel: async ({ payload }) => {
-    logger.info("Hello, world from the onCancel hook", { payload });
-  },
-});
-
-export const cancelExampleTask = task({
-  id: "cancel-example",
-  // Signal will be aborted when the task is cancelled 👇
-  run: async (payload: { timeoutInSeconds: number }, { signal }) => {
-    logger.info("Hello, world from the cancel task", {
-      timeoutInSeconds: payload.timeoutInSeconds,
-    });
-
-    // This is a global hook that will be called if the task is cancelled
-    tasks.onCancel(async () => {
-      logger.info("global task onCancel hook but inside of the run function baby!");
-    });
-
-    await logger.trace("timeout", async (span) => {
-      try {
-        // We pass the signal to setTimeout to abort the timeout if the task is cancelled
-        await setTimeout(payload.timeoutInSeconds * 1000, undefined, { signal });
-      } catch (error) {
-        // If the timeout is aborted, this error will be thrown, we can handle it here
-        logger.error("Timeout error", { error });
-      }
-    });
-
-    logger.info("Hello, world from the cancel task after the timeout", {
-      timeoutInSeconds: payload.timeoutInSeconds,
-    });
-
-    return {
-      message: "Hello, world!",
-    };
-  },
-  onCancel: async ({ payload, runPromise }) => {
-    logger.info("Hello, world from the onCancel hook", { payload });
-    // You can await the runPromise to get the output of the task
-    const output = await runPromise;
-
-    logger.info("Hello, world from the onCancel hook after the run", { payload, output });
-
-    // You can do work inside the onCancel hook, up to 30 seconds
-    await setTimeout(10_000);
-
-    logger.info("Hello, world from the onCancel hook after the timeout", { payload });
-  },
-});
-
-export const resourceMonitorTest = task({
-  id: "resource-monitor-test",
-  run: async (payload: { dirName?: string; processName?: string }, { ctx }) => {
-    logger.info("Hello, resources!", { payload });
-
-    const resMon = new ResourceMonitor({
-      ctx,
-      dirName: payload.dirName ?? "/tmp",
-      processName: payload.processName ?? "node",
-    });
-
-    resMon.startMonitoring(1_000);
-
-    await resMon.logResourceSnapshot();
-
-    await wait.for({ seconds: 5 });
-
-    await resMon.logResourceSnapshot();
-
-    resMon.stopMonitoring();
-
-    return {
-      message: "Hello, resources!",
-    };
-  },
-});
-
-export const circularReferenceTask = task({
-  id: "circular-reference",
-  run: async (payload: { message: string }, { ctx }) => {
-    logger.info("Hello, world from the circular reference task", { message: payload.message });
-
-    // Create an object
-    const user = {
-      name: "Alice",
-      details: {
-        age: 30,
-        email: "alice@example.com",
-      },
-    };
-
-    // Create the circular reference
-    // @ts-expect-error - This is a circular reference
-    user.details.user = user;
-
-    // Now user.details.user points back to the user object itself
-    // This creates a circular reference that standard JSON can't handle
-
-    return {
-      user,
-    };
-  },
-});
-
-export const largeAttributesTask = task({
-  id: "large-attributes",
-  machine: "large-1x",
-  run: async ({ length = 100000 }: { length: number }, { signal, ctx }) => {
-    // Create a large deeply nested object/array of objects that have more than 10k attributes when flattened
-    const start = performance.now();
-
-    const largeObject = Array.from({ length }, (_, i) => ({
-      a: i,
-      b: i,
-      c: i,
-    }));
-
-    const end = performance.now();
-
-    console.log(`[${length}] Time taken to create the large object: ${end - start}ms`);
-
-    const start2 = performance.now();
-
-    logger.info("Hello, world from the large attributes task", { largeObject });
-
-    const end2 = performance.now();
-
-    console.log(`[${length}] Time taken to log the large object: ${end2 - start2}ms`);
-
-    class MyClass {
-      constructor(public name: string) {}
-    }
-
-    logger.info("Lets log some weird stuff", {
-      error: new Error("This is an error"),
-      func: () => {
-        logger.info("This is a function");
-      },
-      date: new Date(),
-      bigInt: BigInt(1000000000000000000),
-      symbol: Symbol("symbol"),
-      myClass: new MyClass("MyClass"),
-      file: new File([], "test.txt"),
-      stream: new ReadableStream(),
-      map: new Map([["key", "value"]]),
-      set: new Set([1, 2, 3]),
-      promise: Promise.resolve("Hello, world!"),
-      promiseRejected: Promise.reject(new Error("This is a rejected promise")),
-      promisePending: Promise.resolve("Hello, world!"),
-    });
-  },
-});
-
-export const lotsOfLogsParentTask = task({
-  id: "lots-of-logs-parent",
-  run: async (payload: { count: number }, { ctx }) => {
-    logger.info("Hello, world from the lots of logs parent task", { count: payload.count });
-    await lotsOfLogsTask.batchTriggerAndWait(
-      Array.from({ length: 20 }, (_, i) => ({
-        payload: { count: payload.count },
-      }))
-    );
-  },
-});
-
-export const lotsOfLogsTask = task({
-  id: "lots-of-logs",
-  run: async (payload: { count: number }, { ctx }) => {
-    logger.info("Hello, world from the lots of logs task", { count: payload.count });
-
-    for (let i = 0; i < payload.count; i++) {
-      logger.info("Hello, world from the lots of logs task", { count: i });
-    }
-
-    await setTimeout(1000);
-
-    for (let i = 0; i < payload.count; i++) {
-      logger.info("Hello, world from the lots of logs task", { count: i });
-    }
-
-    await setTimeout(1000);
-
-    for (let i = 0; i < payload.count; i++) {
-      logger.info("Hello, world from the lots of logs task", { count: i });
-    }
-
-    await setTimeout(1000);
-
-    for (let i = 0; i < payload.count; i++) {
-      logger.info("Hello, world from the lots of logs task", { count: i });
-    }
-
-    await setTimeout(1000);
-
-    for (let i = 0; i < payload.count; i++) {
-      logger.info("Hello, world from the lots of logs task", { count: i });
-    }
-
-    await setTimeout(1000);
-
-    for (let i = 0; i < payload.count; i++) {
-      logger.info("Hello, world from the lots of logs task", { count: i });
-    }
-
-    await setTimeout(1000);
-
-    for (let i = 0; i < payload.count; i++) {
-      logger.info("Hello, world from the lots of logs task", { count: i });
-    }
-
-    await setTimeout(1000);
-
-    for (let i = 0; i < payload.count; i++) {
-      logger.info("Hello, world from the lots of logs task", { count: i });
-    }
-  },
-});
-
-export const throwErrorInOnSuccessHookTask = task({
-  id: "throw-error-in-on-success-hook",
-  run: async (payload: { message: string }, { ctx }) => {
-    logger.info("Hello, world from the throw error in on success hook task", {
-      message: payload.message,
-    });
-  },
-  onSuccess: async ({ payload, output, ctx }) => {
-    logger.info("Hello, world from the on success hook", { payload, output });
-    throw new Error("Forced error to cause a retry");
-  },
-});
-
-export const throwErrorInOnStartHookTask = task({
-  id: "throw-error-in-on-start-hook",
-  run: async (payload: { message: string }, { ctx }) => {
-    logger.info("Hello, world from the throw error in on start hook task", {
-      message: payload.message,
-    });
-  },
-  onStart: async ({ payload, ctx }) => {
-    logger.info("Hello, world from the on start hook", { payload });
-    throw new Error("Forced error to cause a retry");
-  },
-});
-
-export const throwErrorInOnCompleteHookTask = task({
-  id: "throw-error-in-on-complete-hook",
-  run: async (payload: { message: string }, { ctx }) => {
-    logger.info("Hello, world from the throw error in on complete hook task", {
-      message: payload.message,
-    });
-  },
-  onComplete: async ({ payload, result, ctx }) => {
-    logger.info("Hello, world from the on complete hook", { payload, result });
-    throw new Error("Forced error to cause a retry");
-  },
-});
-
-export const throwErrorInOnFailureHookTask = task({
-  id: "throw-error-in-on-failure-hook",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (payload: { message: string }, { ctx }) => {
-    logger.info("Hello, world from the throw error in on failure hook task", {
-      message: payload.message,
-    });
-    throw new Error("Forced error to cause a retry");
-  },
-  onFailure: async ({ payload, error, ctx }) => {
-    logger.info("Hello, world from the on failure hook", { payload, error });
-    throw new Error("Forced error to cause a retry in on failure hook");
-  },
-});
-
-export const throwErrorInInitHookTask = task({
-  id: "throw-error-in-init-hook",
-  run: async (payload: { message: string }, { ctx }) => {
-    logger.info("Hello, world from the throw error in init hook task", {
-      message: payload.message,
-    });
-  },
-  init: async ({ payload, ctx }) => {
-    logger.info("Hello, world from the init hook", { payload });
-    throw new Error("Forced error to cause a retry");
-  },
-});
-
-export const testStartAttemptHookTask = task({
-  id: "test-start-attempt-hook",
-  retry: {
-    maxAttempts: 3,
-  },
-  run: async (payload: { message: string }, { ctx }) => {
-    logger.info("Hello, world from the test start attempt hook task", { message: payload.message });
-
-    if (ctx.attempt.number === 1) {
-      throw new Error("Forced error to cause a retry so we can test the onStartAttempt hook");
-    }
-  },
-  onStartAttempt: async ({ payload, ctx }) => {
-    console.log(`onStartAttempt hook called ${ctx.attempt.number}`);
-  },
-});
-
-tasks.onStartAttempt(({ payload, ctx }) => {
-  console.log(`global onStartAttempt hook called ${ctx.attempt.number}`);
-});
diff --git a/references/hello-world/src/trigger/idempotency.ts b/references/hello-world/src/trigger/idempotency.ts
deleted file mode 100644
index f45e6af14a2..00000000000
--- a/references/hello-world/src/trigger/idempotency.ts
+++ /dev/null
@@ -1,542 +0,0 @@
-import { batch, idempotencyKeys, logger, runs, task, timeout, usage, wait } from "@trigger.dev/sdk/v3";
-import { setTimeout } from "timers/promises";
-import { childTask } from "./example.js";
-
-export const idempotency = task({
-  id: "idempotency",
-  maxDuration: 60,
-  run: async (payload: any, { ctx }) => {
-    logger.log("Hello, world from the parent", { payload });
-
-    const successfulKey = await idempotencyKeys.create("a", { scope: "global" });
-
-    const child1 = await childTask.triggerAndWait(
-      { message: "Hello, world!", duration: 500, failureChance: 0 },
-      { idempotencyKey: successfulKey, idempotencyKeyTTL: "120s" }
-    );
-    logger.log("Child 1", { child1 });
-    const child2 = await childTask.triggerAndWait(
-      { message: "Hello, world!", duration: 500 },
-      { idempotencyKey: successfulKey, idempotencyKeyTTL: "120s" }
-    );
-    logger.log("Child 2", { child2 });
-    await childTask.trigger(
-      { message: "Hello, world!", duration: 500, failureChance: 0 },
-      { idempotencyKey: successfulKey, idempotencyKeyTTL: "120s" }
-    );
-
-    const failureKey = await idempotencyKeys.create("b", { scope: "global" });
-
-    const child3 = await childTask.triggerAndWait(
-      { message: "Hello, world!", duration: 500, failureChance: 1 },
-      { idempotencyKey: failureKey, idempotencyKeyTTL: "120s" }
-    );
-    logger.log("Child 3", { child3 });
-    const child4 = await childTask.triggerAndWait(
-      { message: "Hello, world!", duration: 500, failureChance: 1 },
-      { idempotencyKey: failureKey, idempotencyKeyTTL: "120s" }
-    );
-    logger.log("Child 4", { child4 });
-
-    const anotherKey = await idempotencyKeys.create("c", { scope: "global" });
-
-    const batch1 = await childTask.batchTriggerAndWait([
-      {
-        payload: { message: "Hello, world!" },
-        options: { idempotencyKey: successfulKey, idempotencyKeyTTL: "120s" },
-      },
-      {
-        payload: { message: "Hello, world 2!" },
-        options: { idempotencyKey: failureKey, idempotencyKeyTTL: "120s" },
-      },
-      {
-        payload: { message: "Hello, world 3", duration: 500, failureChance: 0 },
-        options: { idempotencyKey: anotherKey, idempotencyKeyTTL: "120s" },
-      },
-    ]);
-    logger.log("Batch 1", { batch1 });
-
-    await childTask.batchTrigger([
-      {
-        payload: { message: "Hello, world!" },
-        options: { idempotencyKey: successfulKey, idempotencyKeyTTL: "120s" },
-      },
-      {
-        payload: { message: "Hello, world 2!" },
-        options: { idempotencyKey: failureKey, idempotencyKeyTTL: "120s" },
-      },
-    ]);
-
-    const results2 = await batch.triggerAndWait<typeof childTask>([
-      {
-        id: "child",
-        payload: { message: "Hello, world !" },
-        options: { idempotencyKey: successfulKey, idempotencyKeyTTL: "60s" },
-      },
-      {
-        id: "child",
-        payload: { message: "Hello, world 2!" },
-        options: { idempotencyKey: failureKey, idempotencyKeyTTL: "60s" },
-      },
-    ]);
-    logger.log("Results 2", { results2 });
-
-    const results3 = await batch.triggerByTask([
-      {
-        task: childTask,
-        payload: { message: "Hello, world !" },
-        options: { idempotencyKey: successfulKey, idempotencyKeyTTL: "60s" },
-      },
-      {
-        task: childTask,
-        payload: { message: "Hello, world 2!" },
-        options: { idempotencyKey: failureKey, idempotencyKeyTTL: "60s" },
-      },
-    ]);
-    logger.log("Results 3", { results3 });
-
-    const results4 = await batch.triggerByTaskAndWait([
-      {
-        task: childTask,
-        payload: { message: "Hello, world !" },
-        options: { idempotencyKey: successfulKey, idempotencyKeyTTL: "60s" },
-      },
-      {
-        task: childTask,
-        payload: { message: "Hello, world 2!" },
-        options: { idempotencyKey: failureKey, idempotencyKeyTTL: "60s" },
-      },
-    ]);
-    logger.log("Results 4", { results4 });
-  },
-});
-
-export const idempotencyBatch = task({
-  id: "idempotency-batch",
-  maxDuration: 60,
-  run: async ({ additionalItems }: { additionalItems?: 2 }) => {
-    const successfulKey = await idempotencyKeys.create("a", { scope: "global" });
-    const failureKey = await idempotencyKeys.create("b", { scope: "global" });
-    const anotherKey = await idempotencyKeys.create("c", { scope: "global" });
-    const batchKey = await idempotencyKeys.create("batch", { scope: "global" });
-
-    const moreItems = Array.from({ length: additionalItems ?? 0 }, (_, i) => ({
-      payload: { message: `Hello, world ${i}!` },
-      options: { idempotencyKey: `key-${i}`, idempotencyKeyTTL: "120s" },
-    }));
-
-    const batch1 = await childTask.batchTriggerAndWait(
-      [
-        {
-          payload: { message: "Hello, world!" },
-          options: { idempotencyKey: successfulKey, idempotencyKeyTTL: "120s" },
-        },
-        {
-          payload: { message: "Hello, world 2!" },
-          options: { idempotencyKey: failureKey, idempotencyKeyTTL: "120s" },
-        },
-        {
-          payload: { message: "Hello, world 3", duration: 500, failureChance: 0 },
-        },
-        // Include runs in the same batch with the same idempotencyKeys
-        // I'm sure people will do this, even though it doesn't make sense
-        {
-          payload: { message: "Hello, world!" },
-          options: { idempotencyKey: successfulKey, idempotencyKeyTTL: "120s" },
-        },
-        {
-          payload: { message: "Hello, world 2!" },
-          options: { idempotencyKey: failureKey, idempotencyKeyTTL: "120s" },
-        },
-        ...moreItems,
-      ],
-      {
-        idempotencyKey: batchKey,
-        idempotencyKeyTTL: "120s",
-      }
-    );
-    logger.log("Batch 1", { batch1 });
-
-    const b = await batch.retrieve(batch1.id);
-    logger.log("Batch retrieve", { ...b });
-
-    const batch2 = await childTask.batchTriggerAndWait(
-      [
-        {
-          payload: { message: "Hello, world!" },
-          options: { idempotencyKey: successfulKey, idempotencyKeyTTL: "120s" },
-        },
-        {
-          payload: { message: "Hello, world 2!" },
-          options: { idempotencyKey: failureKey, idempotencyKeyTTL: "120s" },
-        },
-        {
-          payload: { message: "Hello, world 3", duration: 500, failureChance: 0 },
-        },
-        ...moreItems,
-      ],
-      {
-        idempotencyKey: batchKey,
-        idempotencyKeyTTL: "120s",
-      }
-    );
-    logger.log("Batch 1", { batch1 });
-
-    await childTask.batchTrigger([
-      {
-        payload: { message: "Hello, world!" },
-        options: { idempotencyKey: successfulKey, idempotencyKeyTTL: "120s" },
-      },
-      {
-        payload: { message: "Hello, world 2!" },
-        options: { idempotencyKey: failureKey, idempotencyKeyTTL: "120s" },
-      },
-    ]);
-
-    await childTask.batchTrigger([
-      {
-        payload: { message: "Hello, world!" },
-      },
-      {
-        payload: { message: "Hello, world 2!" },
-      },
-    ]);
-
-    const results2 = await batch.triggerAndWait<typeof childTask>([
-      {
-        id: "child",
-        payload: { message: "Hello, world !" },
-        options: { idempotencyKey: successfulKey, idempotencyKeyTTL: "60s" },
-      },
-      {
-        id: "child",
-        payload: { message: "Hello, world 2!" },
-        options: { idempotencyKey: failureKey, idempotencyKeyTTL: "60s" },
-      },
-    ]);
-    logger.log("Results 2", { results2 });
-
-    const results3 = await batch.triggerByTask([
-      {
-        task: childTask,
-        payload: { message: "Hello, world !" },
-        options: { idempotencyKey: successfulKey, idempotencyKeyTTL: "60s" },
-      },
-      {
-        task: childTask,
-        payload: { message: "Hello, world 2!" },
-        options: { idempotencyKey: failureKey, idempotencyKeyTTL: "60s" },
-      },
-    ]);
-    logger.log("Results 3", { results3 });
-
-    const results4 = await batch.triggerByTaskAndWait([
-      {
-        task: childTask,
-        payload: { message: "Hello, world !" },
-        options: { idempotencyKey: successfulKey, idempotencyKeyTTL: "60s" },
-      },
-      {
-        task: childTask,
-        payload: { message: "Hello, world 2!" },
-        options: { idempotencyKey: failureKey, idempotencyKeyTTL: "60s" },
-      },
-    ]);
-    logger.log("Results 4", { results4 });
-  },
-});
-
-export const idempotencyTriggerByTaskAndWait = task({
-  id: "idempotency-trigger-by-task-and-wait",
-  maxDuration: 60,
-  run: async () => {
-    const successfulKey = await idempotencyKeys.create("a", { scope: "global" });
-    const failureKey = await idempotencyKeys.create("b", { scope: "global" });
-
-    const results1 = await batch.triggerByTaskAndWait([
-      {
-        task: childTask,
-        payload: { message: "Hello, world !" },
-        options: { idempotencyKey: successfulKey, idempotencyKeyTTL: "60s" },
-      },
-      {
-        task: childTask,
-        payload: { message: "Hello, world 2!" },
-        options: { idempotencyKey: failureKey, idempotencyKeyTTL: "60s" },
-      },
-    ]);
-    logger.log("Results 1", { results1 });
-
-    const results2 = await batch.triggerByTaskAndWait([
-      {
-        task: childTask,
-        payload: { message: "Hello, world !" },
-        options: { idempotencyKey: successfulKey, idempotencyKeyTTL: "60s" },
-      },
-      {
-        task: childTask,
-        payload: { message: "Hello, world 2!" },
-        options: { idempotencyKey: failureKey, idempotencyKeyTTL: "60s" },
-      },
-    ]);
-    logger.log("Results 2", { results2 });
-  },
-});
-
-export const idempotencyTriggerAndWaitWithInProgressRun = task({
-  id: "idempotency-trigger-and-wait-with-in-progress-run",
-  maxDuration: 60,
-  run: async () => {
-    await childTask.trigger(
-      { message: "Hello, world!", duration: 5000, failureChance: 100 },
-      {
-        idempotencyKey: "b",
-      }
-    );
-    await childTask.triggerAndWait(
-      { message: "Hello, world!", duration: 5000, failureChance: 0 },
-      {
-        idempotencyKey: "b",
-      }
-    );
-  },
-});
-
-// Test task for verifying idempotencyKeyOptions storage (TRI-4352)
-export const idempotencyKeyOptionsChild = task({
-  id: "idempotency-key-options-child",
-  run: async (payload: { message: string }, { ctx }) => {
-    // Log the idempotency key from context - should be the user-provided key, not the hash
-    logger.log("Child task context", {
-      idempotencyKey: ctx.run.idempotencyKey,
-      idempotencyKeyScope: ctx.run.idempotencyKeyScope,
-      runId: ctx.run.id,
-    });
-
-    return {
-      receivedIdempotencyKey: ctx.run.idempotencyKey,
-      receivedIdempotencyKeyScope: ctx.run.idempotencyKeyScope,
-      message: payload.message,
-    };
-  },
-});
-
-
-export const idempotencyKeyOptionsTest = task({
-  id: "idempotency-key-options-test",
-  maxDuration: 60,
-  run: async (payload: any, { ctx }) => {
-    logger.log("Testing idempotencyKeyOptions feature (TRI-4352)");
-
-    // Test 1: Create key with "run" scope (default)
-    const runScopedKey = await idempotencyKeys.create("my-run-scoped-key");
-    logger.log("Created run-scoped key", { key: runScopedKey.toString() });
-
-    const result1 = await idempotencyKeyOptionsChild.triggerAndWait(
-      { message: "Test with run scope" },
-      { idempotencyKey: runScopedKey, idempotencyKeyTTL: "60s" }
-    );
-    logger.log("Result 1 (run scope)", { result: result1 });
-
-    // Test 2: Create key with "global" scope
-    const globalScopedKey = await idempotencyKeys.create("my-global-scoped-key", {
-      scope: "global",
-    });
-    logger.log("Created global-scoped key", { key: globalScopedKey.toString() });
-
-    const result2 = await idempotencyKeyOptionsChild.triggerAndWait(
-      { message: "Test with global scope" },
-      { idempotencyKey: globalScopedKey, idempotencyKeyTTL: "60s" }
-    );
-    logger.log("Result 2 (global scope)", { result: result2 });
-
-    // Test 3: Create key with "attempt" scope
-    const attemptScopedKey = await idempotencyKeys.create("my-attempt-scoped-key", {
-      scope: "attempt",
-    });
-    logger.log("Created attempt-scoped key", { key: attemptScopedKey.toString() });
-
-    const result3 = await idempotencyKeyOptionsChild.triggerAndWait(
-      { message: "Test with attempt scope" },
-      { idempotencyKey: attemptScopedKey, idempotencyKeyTTL: "60s" }
-    );
-    logger.log("Result 3 (attempt scope)", { result: result3 });
-
-    // Test 4: Create key with array input
-    const arrayKey = await idempotencyKeys.create(["user", "123", "action"]);
-    logger.log("Created array key", { key: arrayKey.toString() });
-
-    const result4 = await idempotencyKeyOptionsChild.triggerAndWait(
-      { message: "Test with array key" },
-      { idempotencyKey: arrayKey, idempotencyKeyTTL: "60s" }
-    );
-    logger.log("Result 4 (array key)", { result: result4 });
-
-    return {
-      results: [
-        { scope: "run", idempotencyKey: result1.ok ? result1.output?.receivedIdempotencyKey : null },
-        {
-          scope: "global",
-          idempotencyKey: result2.ok ? result2.output?.receivedIdempotencyKey : null,
-        },
-        {
-          scope: "attempt",
-          idempotencyKey: result3.ok ? result3.output?.receivedIdempotencyKey : null,
-        },
-        { scope: "array", idempotencyKey: result4.ok ? result4.output?.receivedIdempotencyKey : null },
-      ],
-    };
-  },
-});
-
-// Test task for verifying idempotencyKeys.reset works with the new API (TRI-4352)
-export const idempotencyKeyResetTest = task({
-  id: "idempotency-key-reset-test",
-  maxDuration: 120,
-  run: async (payload: any, { ctx }) => {
-    logger.log("Testing idempotencyKeys.reset feature (TRI-4352)");
-
-    const testResults: Array<{
-      test: string;
-      success: boolean;
-      details: Record<string, unknown>;
-    }> = [];
-
-    // Test 1: Reset using IdempotencyKey object (options extracted automatically)
-    {
-      const key = await idempotencyKeys.create("reset-test-key-1", { scope: "global" });
-      logger.log("Test 1: Created global-scoped key", { key: key.toString() });
-
-      // First trigger - should create a new run
-      const result1 = await idempotencyKeyOptionsChild.triggerAndWait(
-        { message: "First trigger" },
-        { idempotencyKey: key, idempotencyKeyTTL: "300s" }
-      );
-      const firstRunId = result1.ok ? result1.id : null;
-      logger.log("Test 1: First trigger", { runId: firstRunId });
-
-      // Second trigger - should be deduplicated (same run ID)
-      const result2 = await idempotencyKeyOptionsChild.triggerAndWait(
-        { message: "Second trigger (should dedupe)" },
-        { idempotencyKey: key, idempotencyKeyTTL: "300s" }
-      );
-      const secondRunId = result2.ok ? result2.id : null;
-      logger.log("Test 1: Second trigger (dedupe check)", { runId: secondRunId });
-
-      const wasDeduplicated = firstRunId === secondRunId;
-
-      // Reset the idempotency key using the IdempotencyKey object
-      logger.log("Test 1: Resetting idempotency key using IdempotencyKey object");
-      await idempotencyKeys.reset("idempotency-key-options-child", key);
-
-      // Third trigger - should create a NEW run after reset
-      const result3 = await idempotencyKeyOptionsChild.triggerAndWait(
-        { message: "Third trigger (after reset)" },
-        { idempotencyKey: key, idempotencyKeyTTL: "300s" }
-      );
-      const thirdRunId = result3.ok ? result3.id : null;
-      logger.log("Test 1: Third trigger (after reset)", { runId: thirdRunId });
-
-      const wasResetSuccessful = thirdRunId !== firstRunId && thirdRunId !== null;
-
-      testResults.push({
-        test: "Reset with IdempotencyKey object (global scope)",
-        success: wasDeduplicated && wasResetSuccessful,
-        details: {
-          firstRunId,
-          secondRunId,
-          thirdRunId,
-          wasDeduplicated,
-          wasResetSuccessful,
-        },
-      });
-    }
-
-    // Test 2: Reset using raw string with scope option
-    {
-      const keyString = "reset-test-key-2";
-      const key = await idempotencyKeys.create(keyString, { scope: "global" });
-      logger.log("Test 2: Created global-scoped key from string", { key: key.toString() });
-
-      // First trigger
-      const result1 = await idempotencyKeyOptionsChild.triggerAndWait(
-        { message: "First trigger (raw string test)" },
-        { idempotencyKey: key, idempotencyKeyTTL: "300s" }
-      );
-      const firstRunId = result1.ok ? result1.id : null;
-      logger.log("Test 2: First trigger", { runId: firstRunId });
-
-      // Reset using raw string + scope option
-      logger.log("Test 2: Resetting idempotency key using raw string + scope");
-      await idempotencyKeys.reset("idempotency-key-options-child", keyString, { scope: "global" });
-
-      // Second trigger - should create a NEW run after reset
-      const result2 = await idempotencyKeyOptionsChild.triggerAndWait(
-        { message: "Second trigger (after reset with raw string)" },
-        { idempotencyKey: key, idempotencyKeyTTL: "300s" }
-      );
-      const secondRunId = result2.ok ? result2.id : null;
-      logger.log("Test 2: Second trigger (after reset)", { runId: secondRunId });
-
-      const wasResetSuccessful = secondRunId !== firstRunId && secondRunId !== null;
-
-      testResults.push({
-        test: "Reset with raw string + scope option (global scope)",
-        success: wasResetSuccessful,
-        details: {
-          firstRunId,
-          secondRunId,
-          wasResetSuccessful,
-        },
-      });
-    }
-
-    // Test 3: Reset with run scope (uses current run context)
-    {
-      const key = await idempotencyKeys.create("reset-test-key-3", { scope: "run" });
-      logger.log("Test 3: Created run-scoped key", { key: key.toString() });
-
-      // First trigger
-      const result1 = await idempotencyKeyOptionsChild.triggerAndWait(
-        { message: "First trigger (run scope)" },
-        { idempotencyKey: key, idempotencyKeyTTL: "300s" }
-      );
-      const firstRunId = result1.ok ? result1.id : null;
-      logger.log("Test 3: First trigger", { runId: firstRunId });
-
-      // Reset using IdempotencyKey (run scope - should use current run context)
-      logger.log("Test 3: Resetting idempotency key with run scope");
-      await idempotencyKeys.reset("idempotency-key-options-child", key);
-
-      // Second trigger - should create a NEW run after reset
-      const result2 = await idempotencyKeyOptionsChild.triggerAndWait(
-        { message: "Second trigger (after reset, run scope)" },
-        { idempotencyKey: key, idempotencyKeyTTL: "300s" }
-      );
-      const secondRunId = result2.ok ? result2.id : null;
-      logger.log("Test 3: Second trigger (after reset)", { runId: secondRunId });
-
-      const wasResetSuccessful = secondRunId !== firstRunId && secondRunId !== null;
-
-      testResults.push({
-        test: "Reset with IdempotencyKey object (run scope)",
-        success: wasResetSuccessful,
-        details: {
-          firstRunId,
-          secondRunId,
-          wasResetSuccessful,
-          parentRunId: ctx.run.id,
-        },
-      });
-    }
-
-    // Summary
-    const allPassed = testResults.every((r) => r.success);
-    logger.log("Test summary", { allPassed, testResults });
-
-    return {
-      allPassed,
-      testResults,
-    };
-  },
-});
diff --git a/references/hello-world/src/trigger/init.ts b/references/hello-world/src/trigger/init.ts
deleted file mode 100644
index 6603befd652..00000000000
--- a/references/hello-world/src/trigger/init.ts
+++ /dev/null
@@ -1,45 +0,0 @@
-import { logger, tasks } from "@trigger.dev/sdk";
-// import { setDb } from "../db.js";
-
-// tasks.middleware("db", ({ ctx, payload, next }) => {
-//   logger.info("Hello, world from the middleware", { ctx, payload });
-//   return next();
-// });
-
-tasks.onCancel(async ({ ctx, payload }) => {
-  logger.info("Hello, world from the global cancel", { ctx, payload });
-});
-
-// tasks.onSuccess(({ ctx, payload, output }) => {
-//   logger.info("Hello, world from the success", { ctx, payload });
-// });
-
-// tasks.onComplete(({ ctx, payload, output, error }) => {
-//   logger.info("Hello, world from the success", { ctx, payload });
-// });
-
-// tasks.handleError(({ ctx, payload, error, retry, retryAt, retryDelayInMs }) => {
-//   logger.info("Hello, world from the success", { ctx, payload });
-// });
-
-// tasks.onFailure(({ ctx, payload }) => {
-//   logger.info("Hello, world from the failure", { ctx, payload });
-// });
-
-// tasks.onStart(({ ctx, payload }) => {
-//   logger.info("Hello, world from the start", { ctx, payload });
-
-//   setDb({
-//     connect: async () => {
-//       logger.info("Connecting to the database");
-//     },
-//   });
-// });
-
-// tasks.onWait(({ ctx, payload }) => {
-//   logger.info("Hello, world from the start", { ctx, payload });
-// });
-
-// tasks.onResume(({ ctx, payload }) => {
-//   logger.info("Hello, world from the start", { ctx, payload });
-// });
diff --git a/references/hello-world/src/trigger/inputStreams.ts b/references/hello-world/src/trigger/inputStreams.ts
deleted file mode 100644
index 567c1738d7a..00000000000
--- a/references/hello-world/src/trigger/inputStreams.ts
+++ /dev/null
@@ -1,149 +0,0 @@
-import { logger, runs, streams, task, wait } from "@trigger.dev/sdk/v3";
-
-// Define typed input streams
-const approvalStream = streams.input<{ approved: boolean; reviewer: string }>({
-  id: "approval",
-});
-
-const messageStream = streams.input<{ text: string }>({ id: "messages" });
-
-/**
- * Coordinator task that exercises all input stream patterns end-to-end.
- *
- * 1a. .once().unwrap() — trigger a child, send data, verify unwrap returns TData
- * 1b. .once() result  — trigger a child, send data, verify result object { ok, output }
- * 2.  .on()            — trigger a child, send it multiple messages, poll until complete
- * 3.  .wait()          — trigger a child, send it data (completes its waitpoint), poll until complete
- * 4.  .wait() race     — send data before child calls .wait(), verify race handling
- */
-export const inputStreamCoordinator = task({
-  id: "input-stream-coordinator",
-  run: async () => {
-    const results: Record<string, unknown> = {};
-
-    // --- Test 1a: .once() with .unwrap() ---
-    logger.info("Test 1a: .once().unwrap()");
-    const onceUnwrapHandle = await inputStreamOnceUnwrap.trigger({});
-    await wait.for({ seconds: 5 });
-    await approvalStream.send(onceUnwrapHandle.id, { approved: true, reviewer: "coordinator-unwrap" });
-    const onceUnwrapRun = await runs.poll(onceUnwrapHandle, { pollIntervalMs: 1000 });
-    results.onceUnwrap = onceUnwrapRun.output;
-    logger.info("Test 1a passed", { output: onceUnwrapRun.output });
-
-    // --- Test 1b: .once() with result object ---
-    logger.info("Test 1b: .once() result object");
-    const onceResultHandle = await inputStreamOnceResult.trigger({});
-    await wait.for({ seconds: 5 });
-    await approvalStream.send(onceResultHandle.id, { approved: true, reviewer: "coordinator-result" });
-    const onceResultRun = await runs.poll(onceResultHandle, { pollIntervalMs: 1000 });
-    results.onceResult = onceResultRun.output;
-    logger.info("Test 1b passed", { output: onceResultRun.output });
-
-    // --- Test 2: .on() with multiple messages ---
-    logger.info("Test 2: .on()");
-    const onHandle = await inputStreamOn.trigger({ messageCount: 3 });
-    await wait.for({ seconds: 5 });
-    for (let i = 0; i < 3; i++) {
-      await messageStream.send(onHandle.id, { text: `message-${i}` });
-      await wait.for({ seconds: 1 });
-    }
-    const onRun = await runs.poll(onHandle, { pollIntervalMs: 1000 });
-    results.on = onRun.output;
-    logger.info("Test 2 passed", { output: onRun.output });
-
-    // --- Test 3: .wait() (waitpoint-based) ---
-    logger.info("Test 3: .wait()");
-    const waitHandle = await inputStreamWait.trigger({ timeout: "1m" });
-    await wait.for({ seconds: 5 });
-    await approvalStream.send(waitHandle.id, { approved: true, reviewer: "coordinator-wait" });
-    const waitRun = await runs.poll(waitHandle, { pollIntervalMs: 1000 });
-    results.wait = waitRun.output;
-    logger.info("Test 3 passed", { output: waitRun.output });
-
-    // --- Test 4: .wait() race condition (send before child calls .wait()) ---
-    logger.info("Test 4: .wait() race");
-    const raceHandle = await inputStreamWait.trigger({ timeout: "1m" });
-    await approvalStream.send(raceHandle.id, { approved: false, reviewer: "race-test" });
-    const raceRun = await runs.poll(raceHandle, { pollIntervalMs: 1000 });
-    results.race = raceRun.output;
-    logger.info("Test 4 passed", { output: raceRun.output });
-
-    logger.info("All input stream tests passed", { results });
-    return results;
-  },
-});
-
-/**
- * Uses .once().unwrap() — returns TData directly, throws InputStreamTimeoutError on timeout.
- */
-export const inputStreamOnceUnwrap = task({
-  id: "input-stream-once-unwrap",
-  run: async (_payload: Record<string, never>) => {
-    logger.info("Waiting for approval via .once().unwrap()");
-
-    const approval = await approvalStream.once({ timeoutMs: 30_000 }).unwrap();
-
-    logger.info("Received approval", { approval });
-    return { approval };
-  },
-});
-
-/**
- * Uses .once() with result object — check result.ok to handle timeout without try/catch.
- */
-export const inputStreamOnceResult = task({
-  id: "input-stream-once-result",
-  run: async (_payload: Record<string, never>) => {
-    logger.info("Waiting for approval via .once() result object");
-
-    const result = await approvalStream.once({ timeoutMs: 30_000 });
-
-    if (!result.ok) {
-      logger.error("Timed out waiting for approval", { error: result.error.message });
-      return { approval: null, timedOut: true };
-    }
-
-    logger.info("Received approval", { approval: result.output });
-    return { approval: result.output };
-  },
-});
-
-/**
- * Uses .on() to subscribe and collect multiple messages.
- */
-export const inputStreamOn = task({
-  id: "input-stream-on",
-  run: async (payload: { messageCount?: number }) => {
-    const expected = payload.messageCount ?? 3;
-    const received: { text: string }[] = [];
-
-    logger.info("Subscribing to messages via .on()", { expected });
-
-    messageStream.on((data) => {
-      logger.info("Received message", { data });
-      received.push(data);
-    });
-
-    while (received.length < expected) {
-      await wait.for({ seconds: 1 });
-    }
-
-    logger.info("Done receiving messages", { count: received.length });
-    return { messages: received };
-  },
-});
-
-/**
- * Uses .wait() to suspend the task via a waitpoint until data arrives.
- */
-export const inputStreamWait = task({
-  id: "input-stream-wait",
-  run: async (payload: { timeout?: string }) => {
-    logger.info("Waiting for approval via .wait()");
-    const approval = await approvalStream.wait({
-      timeout: payload.timeout ?? "5m",
-    });
-    logger.info("Received approval via .wait()", { approval });
-    return { approval };
-  },
-});
diff --git a/references/hello-world/src/trigger/jsonSchema.ts b/references/hello-world/src/trigger/jsonSchema.ts
deleted file mode 100644
index d4da2c783cd..00000000000
--- a/references/hello-world/src/trigger/jsonSchema.ts
+++ /dev/null
@@ -1,446 +0,0 @@
-import { task, schemaTask, logger, type JSONSchema } from "@trigger.dev/sdk/v3";
-import { z } from "zod/v3";
-import * as z4 from "zod/v4";
-import * as y from "yup";
-import { type } from "arktype";
-import { Type, Static } from "@sinclair/typebox";
-
-// ===========================================
-// Example 1: Using schemaTask with Zod
-// ===========================================
-const userSchema = z.object({
-  id: z.string().uuid(),
-  name: z.string().min(1),
-  email: z.string().email(),
-  age: z.number().int().min(0).max(150),
-  preferences: z
-    .object({
-      newsletter: z.boolean().default(false),
-      theme: z.enum(["light", "dark"]).default("light"),
-    })
-    .optional(),
-});
-
-export const processUserWithZod = schemaTask({
-  id: "json-schema-zod-example",
-  schema: userSchema,
-  run: async (payload, { ctx }) => {
-    // payload is fully typed based on the Zod schema
-    logger.info("Processing user with Zod schema", {
-      userId: payload.id,
-      userName: payload.name,
-    });
-
-    // The schema is automatically converted to JSON Schema and synced
-    return {
-      processed: true,
-      userId: payload.id,
-      welcomeMessage: `Welcome ${payload.name}!`,
-    };
-  },
-});
-
-const userSchema4 = z4.object({
-  id: z4.uuid(),
-  name: z4.string().min(1),
-  email: z4.email(),
-  age: z4.number().int().min(0).max(150),
-  preferences: z4
-    .object({
-      newsletter: z4.boolean().default(false),
-      theme: z4.enum(["light", "dark"]).default("light"),
-    })
-    .optional(),
-});
-
-export const processUserWithZod4 = schemaTask({
-  id: "json-schema-zod-example-4",
-  schema: userSchema4,
-  run: async (payload, { ctx }) => {
-    // payload is fully typed based on the Zod schema
-    logger.info("Processing user with Zod schema", {
-      userId: payload.id,
-      userName: payload.name,
-    });
-
-    // The schema is automatically converted to JSON Schema and synced
-    return {
-      processed: true,
-      userId: payload.id,
-      welcomeMessage: `Welcome ${payload.name}!`,
-    };
-  },
-});
-
-// ===========================================
-// Example 2: Using plain task with manual JSON Schema
-// ===========================================
-export const processOrderManualSchema = task({
-  id: "json-schema-manual-example",
-  // Manually provide JSON Schema for the payload
-  jsonSchema: {
-    $schema: "http://json-schema.org/draft-07/schema#",
-    type: "object",
-    title: "Order Processing Request",
-    description: "Schema for processing customer orders",
-    properties: {
-      orderId: {
-        type: "string",
-        pattern: "^ORD-[0-9]+$",
-        description: "Order ID in format ORD-XXXXX",
-      },
-      customerId: {
-        type: "string",
-        format: "uuid",
-      },
-      items: {
-        type: "array",
-        minItems: 1,
-        items: {
-          type: "object",
-          properties: {
-            productId: { type: "string" },
-            quantity: { type: "integer", minimum: 1 },
-            price: { type: "number", minimum: 0, multipleOf: 0.01 },
-          },
-          required: ["productId", "quantity", "price"],
-          additionalProperties: false,
-        },
-      },
-      totalAmount: {
-        type: "number",
-        minimum: 0,
-        multipleOf: 0.01,
-      },
-      status: {
-        type: "string",
-        enum: ["pending", "processing", "shipped", "delivered"],
-        default: "pending",
-      },
-    },
-    required: ["orderId", "customerId", "items", "totalAmount"],
-    additionalProperties: false,
-  } satisfies JSONSchema,
-  run: async (payload, { ctx }) => {
-    logger.info("Processing order with manual JSON Schema", {
-      orderId: payload.orderId,
-    });
-
-    // Note: With plain tasks, the payload is typed as 'any'
-    // The JSON Schema will be used for documentation and validation on the server
-    return {
-      processed: true,
-      orderId: payload.orderId,
-      status: "processing",
-    };
-  },
-});
-
-// ===========================================
-// Example 3: Using schemaTask with Yup
-// ===========================================
-const productSchema = y.object({
-  sku: y
-    .string()
-    .required()
-    .matches(/^[A-Z]{3}-[0-9]{5}$/),
-  name: y.string().required().min(3).max(100),
-  description: y.string().max(500),
-  price: y.number().required().positive(),
-  categories: y.array().of(y.string()).min(1).required(),
-  inStock: y.boolean().default(true),
-});
-
-export const processProductWithYup = schemaTask({
-  id: "json-schema-yup-example",
-  schema: productSchema,
-  run: async (payload, { ctx }) => {
-    logger.info("Processing product with Yup schema", {
-      sku: payload.sku,
-      name: payload.name,
-    });
-
-    return {
-      processed: true,
-      sku: payload.sku,
-      message: `Product ${payload.name} has been processed`,
-    };
-  },
-});
-
-// ===========================================
-// Example 4: Using schemaTask with ArkType
-// ===========================================
-const invoiceSchema = type({
-  invoiceNumber: "string",
-  date: "Date",
-  dueDate: "Date",
-  "discount?": "number",
-  lineItems: [
-    {
-      description: "string",
-      quantity: "number",
-      unitPrice: "number",
-    },
-  ],
-  customer: {
-    id: "string",
-    name: "string",
-    "taxId?": "string",
-  },
-});
-
-export const processInvoiceWithArkType = schemaTask({
-  id: "json-schema-arktype-example",
-  schema: invoiceSchema,
-  run: async (payload, { ctx }) => {
-    logger.info("Processing invoice with ArkType schema", {
-      invoiceNumber: payload.invoiceNumber,
-      customerName: payload.customer.name,
-    });
-
-    const total = payload.lineItems.reduce((sum, item) => sum + item.quantity * item.unitPrice, 0);
-
-    const discount = payload.discount || 0;
-    const finalAmount = total * (1 - discount / 100);
-
-    return {
-      processed: true,
-      invoiceNumber: payload.invoiceNumber,
-      totalAmount: finalAmount,
-    };
-  },
-});
-
-// ===========================================
-// Example 5: Using TypeBox (already JSON Schema)
-// ===========================================
-const eventSchema = Type.Object({
-  eventId: Type.String({ format: "uuid" }),
-  eventType: Type.Union([
-    Type.Literal("user.created"),
-    Type.Literal("user.updated"),
-    Type.Literal("user.deleted"),
-    Type.Literal("order.placed"),
-    Type.Literal("order.shipped"),
-  ]),
-  timestamp: Type.Integer({ minimum: 0 }),
-  userId: Type.String(),
-  metadata: Type.Optional(Type.Record(Type.String(), Type.Unknown())),
-  payload: Type.Unknown(),
-});
-
-type EventType = Static<typeof eventSchema>;
-
-export const processEventWithTypeBox = task({
-  id: "json-schema-typebox-example",
-  // TypeBox schemas are already JSON Schema compliant
-  jsonSchema: eventSchema,
-  run: async (payload: EventType, { ctx }) => {
-    // Cast to get TypeScript type safety
-    const event = payload;
-
-    logger.info("Processing event with TypeBox schema", {
-      eventId: event.eventId,
-      eventType: event.eventType,
-      userId: event.userId,
-    });
-
-    // Handle different event types
-    switch (event.eventType) {
-      case "user.created":
-        logger.info("New user created", { userId: event.userId });
-        break;
-      case "order.placed":
-        logger.info("Order placed", { userId: event.userId });
-        break;
-      default:
-        logger.info("Event processed", { eventType: event.eventType });
-    }
-
-    return {
-      processed: true,
-      eventId: event.eventId,
-      eventType: event.eventType,
-    };
-  },
-});
-
-// ===========================================
-// Example 6: Using plain task with a Zod schema
-// ===========================================
-// If you need to use a plain task but have a Zod schema,
-// you should use schemaTask instead for better DX.
-// This example shows what NOT to do:
-
-const notificationSchema = z.object({
-  recipientId: z.string(),
-  type: z.enum(["email", "sms", "push"]),
-  subject: z.string().optional(),
-  message: z.string(),
-  priority: z.enum(["low", "normal", "high"]).default("normal"),
-  scheduledFor: z.date().optional(),
-  metadata: z.record(z.unknown()).optional(),
-});
-
-// ❌ Don't do this - use schemaTask instead!
-export const sendNotificationBadExample = task({
-  id: "json-schema-dont-do-this",
-  run: async (payload, { ctx }) => {
-    // You'd have to manually validate
-    const notification = notificationSchema.parse(payload);
-
-    logger.info("This is not ideal - use schemaTask instead!");
-
-    return { sent: true };
-  },
-});
-
-// ✅ Do this instead - much better!
-export const sendNotificationGoodExample = schemaTask({
-  id: "json-schema-do-this-instead",
-  schema: notificationSchema,
-  run: async (notification, { ctx }) => {
-    // notification is already validated and typed!
-    logger.info("Sending notification", {
-      recipientId: notification.recipientId,
-      type: notification.type,
-      priority: notification.priority,
-    });
-
-    // Simulate sending notification
-    await new Promise((resolve) => setTimeout(resolve, 1000));
-
-    return {
-      sent: true,
-      notificationId: ctx.run.id,
-      recipientId: notification.recipientId,
-      type: notification.type,
-    };
-  },
-});
-
-// ===========================================
-// Example 7: Complex nested schema with references
-// ===========================================
-const addressSchema = z.object({
-  street: z.string(),
-  city: z.string(),
-  state: z.string().length(2),
-  zipCode: z.string().regex(/^\d{5}(-\d{4})?$/),
-  country: z.string().default("US"),
-});
-
-const companySchema = z.object({
-  companyId: z.string().uuid(),
-  name: z.string(),
-  taxId: z.string().optional(),
-  addresses: z.object({
-    billing: addressSchema,
-    shipping: addressSchema.optional(),
-  }),
-  contacts: z
-    .array(
-      z.object({
-        name: z.string(),
-        email: z.string().email(),
-        phone: z.string().optional(),
-        role: z.enum(["primary", "billing", "technical"]),
-      })
-    )
-    .min(1),
-  settings: z.object({
-    invoicePrefix: z.string().default("INV"),
-    paymentTerms: z.number().int().min(0).max(90).default(30),
-    currency: z.enum(["USD", "EUR", "GBP"]).default("USD"),
-  }),
-});
-
-export const processCompanyWithComplexSchema = schemaTask({
-  id: "json-schema-complex-example",
-  schema: companySchema,
-  maxDuration: 300, // 5 minutes
-  retry: {
-    maxAttempts: 3,
-    factor: 2,
-  },
-  run: async (payload, { ctx }) => {
-    logger.info("Processing company with complex schema", {
-      companyId: payload.companyId,
-      name: payload.name,
-      contactCount: payload.contacts.length,
-    });
-
-    // Process each contact
-    for (const contact of payload.contacts) {
-      logger.info("Processing contact", {
-        name: contact.name,
-        role: contact.role,
-      });
-    }
-
-    return {
-      processed: true,
-      companyId: payload.companyId,
-      name: payload.name,
-      primaryContact: payload.contacts.find((c) => c.role === "primary"),
-    };
-  },
-});
-
-// ===========================================
-// Example 8: Demonstrating schema benefits
-// ===========================================
-export const triggerExamples = task({
-  id: "json-schema-trigger-examples",
-  run: async (_, { ctx }) => {
-    logger.info("Triggering various schema examples");
-
-    // Trigger Zod example - TypeScript will enforce correct payload
-    await processUserWithZod.trigger({
-      id: "550e8400-e29b-41d4-a716-446655440000",
-      name: "John Doe",
-      email: "john@example.com",
-      age: 30,
-      preferences: {
-        newsletter: true,
-        theme: "dark",
-      },
-    });
-
-    // Trigger Yup example
-    await processProductWithYup.trigger({
-      sku: "ABC-12345",
-      name: "Premium Widget",
-      description: "A high-quality widget for all your needs",
-      price: 99.99,
-      categories: ["electronics", "gadgets"],
-      inStock: true,
-    });
-
-    // Trigger manual schema example (no compile-time validation)
-    await processOrderManualSchema.trigger({
-      orderId: "ORD-12345",
-      customerId: "550e8400-e29b-41d4-a716-446655440001",
-      items: [
-        {
-          productId: "PROD-001",
-          quantity: 2,
-          price: 29.99,
-        },
-        {
-          productId: "PROD-002",
-          quantity: 1,
-          price: 49.99,
-        },
-      ],
-      totalAmount: 109.97,
-      status: "pending",
-    });
-
-    return {
-      message: "All examples triggered successfully",
-      timestamp: new Date().toISOString(),
-    };
-  },
-});
\ No newline at end of file
diff --git a/references/hello-world/src/trigger/jsonSchemaApi.ts b/references/hello-world/src/trigger/jsonSchemaApi.ts
deleted file mode 100644
index 9ac121b3698..00000000000
--- a/references/hello-world/src/trigger/jsonSchemaApi.ts
+++ /dev/null
@@ -1,343 +0,0 @@
-import { task, schemaTask, logger, type JSONSchema } from "@trigger.dev/sdk/v3";
-import { z } from "zod";
-
-// ===========================================
-// Example: Webhook Handler with Schema Validation
-// ===========================================
-
-// Define schemas for different webhook event types
-const baseWebhookSchema = z.object({
-  id: z.string(),
-  timestamp: z.string().datetime(),
-  type: z.string(),
-  version: z.literal("1.0"),
-});
-
-// Payment webhook events
-const paymentEventSchema = baseWebhookSchema.extend({
-  type: z.literal("payment"),
-  data: z.object({
-    paymentId: z.string(),
-    amount: z.number().positive(),
-    currency: z.string().length(3),
-    status: z.enum(["pending", "processing", "completed", "failed"]),
-    customerId: z.string(),
-    paymentMethod: z.object({
-      type: z.enum(["card", "bank_transfer", "paypal"]),
-      last4: z.string().optional(),
-    }),
-    metadata: z.record(z.string()).optional(),
-  }),
-});
-
-// Customer webhook events
-const customerEventSchema = baseWebhookSchema.extend({
-  type: z.literal("customer"),
-  data: z.object({
-    customerId: z.string(),
-    action: z.enum(["created", "updated", "deleted"]),
-    email: z.string().email(),
-    name: z.string(),
-    subscription: z.object({
-      status: z.enum(["active", "cancelled", "past_due"]),
-      plan: z.string(),
-    }).optional(),
-  }),
-});
-
-// Union of all webhook types
-const webhookSchema = z.discriminatedUnion("type", [
-  paymentEventSchema,
-  customerEventSchema,
-]);
-
-export const handleWebhook = schemaTask({
-  id: "handle-webhook",
-  schema: webhookSchema,
-  run: async (payload, { ctx }) => {
-    logger.info("Processing webhook", { 
-      id: payload.id,
-      type: payload.type,
-      timestamp: payload.timestamp,
-    });
-
-    // TypeScript knows the exact shape based on the discriminated union
-    switch (payload.type) {
-      case "payment":
-        logger.info("Payment event received", {
-          paymentId: payload.data.paymentId,
-          amount: payload.data.amount,
-          status: payload.data.status,
-        });
-
-        if (payload.data.status === "completed") {
-          // Trigger order fulfillment
-          await fulfillOrder.trigger({
-            customerId: payload.data.customerId,
-            paymentId: payload.data.paymentId,
-            amount: payload.data.amount,
-          });
-        }
-        break;
-
-      case "customer":
-        logger.info("Customer event received", {
-          customerId: payload.data.customerId,
-          action: payload.data.action,
-        });
-
-        if (payload.data.action === "created") {
-          // Send welcome email
-          await sendWelcomeEmail.trigger({
-            email: payload.data.email,
-            name: payload.data.name,
-          });
-        }
-        break;
-    }
-
-    return {
-      processed: true,
-      eventId: payload.id,
-      eventType: payload.type,
-    };
-  },
-});
-
-// ===========================================
-// Example: External API Integration
-// ===========================================
-
-// Schema for making API requests to a third-party service
-const apiRequestSchema = z.object({
-  endpoint: z.enum(["/users", "/products", "/orders"]),
-  method: z.enum(["GET", "POST", "PUT", "DELETE"]),
-  params: z.record(z.string()).optional(),
-  body: z.unknown().optional(),
-  headers: z.record(z.string()).optional(),
-  retryOnError: z.boolean().default(true),
-});
-
-// Response schemas for different endpoints
-const userResponseSchema = z.object({
-  id: z.string(),
-  email: z.string().email(),
-  name: z.string(),
-  createdAt: z.string().datetime(),
-});
-
-const productResponseSchema = z.object({
-  id: z.string(),
-  name: z.string(),
-  price: z.number(),
-  inStock: z.boolean(),
-});
-
-export const callExternalApi = schemaTask({
-  id: "call-external-api",
-  schema: apiRequestSchema,
-  retry: {
-    maxAttempts: 3,
-    factor: 2,
-    minTimeoutInMs: 1000,
-    maxTimeoutInMs: 10000,
-  },
-  run: async (payload, { ctx }) => {
-    logger.info("Making API request", {
-      endpoint: payload.endpoint,
-      method: payload.method,
-    });
-
-    // Simulate API call
-    const response = await makeApiCall(payload);
-
-    // Validate response based on endpoint
-    let validatedResponse;
-    switch (payload.endpoint) {
-      case "/users":
-        validatedResponse = userResponseSchema.parse(response);
-        break;
-      case "/products":
-        validatedResponse = productResponseSchema.parse(response);
-        break;
-      default:
-        validatedResponse = response;
-    }
-
-    return {
-      success: true,
-      endpoint: payload.endpoint,
-      response: validatedResponse,
-    };
-  },
-});
-
-// Helper function to simulate API calls
-async function makeApiCall(request: z.infer<typeof apiRequestSchema>) {
-  // Simulate network delay
-  await new Promise(resolve => setTimeout(resolve, 100));
-
-  // Return mock data based on endpoint
-  switch (request.endpoint) {
-    case "/users":
-      return {
-        id: "user_123",
-        email: "user@example.com",
-        name: "John Doe",
-        createdAt: new Date().toISOString(),
-      };
-    case "/products":
-      return {
-        id: "prod_456",
-        name: "Premium Widget",
-        price: 99.99,
-        inStock: true,
-      };
-    default:
-      return { message: "Success" };
-  }
-}
-
-// ===========================================
-// Example: Batch Processing with Validation
-// ===========================================
-
-const batchItemSchema = z.object({
-  id: z.string(),
-  operation: z.enum(["create", "update", "delete"]),
-  resourceType: z.enum(["user", "product", "order"]),
-  data: z.record(z.unknown()),
-});
-
-const batchRequestSchema = z.object({
-  batchId: z.string(),
-  items: z.array(batchItemSchema).min(1).max(100),
-  options: z.object({
-    stopOnError: z.boolean().default(false),
-    parallel: z.boolean().default(true),
-    maxConcurrency: z.number().int().min(1).max(10).default(5),
-  }).default({}),
-});
-
-export const processBatch = schemaTask({
-  id: "process-batch",
-  schema: batchRequestSchema,
-  maxDuration: 300, // 5 minutes for large batches
-  run: async (payload, { ctx }) => {
-    logger.info("Processing batch", {
-      batchId: payload.batchId,
-      itemCount: payload.items.length,
-      parallel: payload.options.parallel,
-    });
-
-    const results = [];
-    const errors = [];
-
-    if (payload.options.parallel) {
-      // Process items in parallel with concurrency limit
-      const chunks = chunkArray(payload.items, payload.options.maxConcurrency);
-      
-      for (const chunk of chunks) {
-        const chunkResults = await Promise.allSettled(
-          chunk.map(item => processItem(item))
-        );
-
-        chunkResults.forEach((result, index) => {
-          if (result.status === "fulfilled") {
-            results.push(result.value);
-          } else {
-            errors.push({
-              item: chunk[index],
-              error: result.reason,
-            });
-
-            if (payload.options.stopOnError) {
-              throw new Error(`Batch processing stopped due to error in item ${chunk[index].id}`);
-            }
-          }
-        });
-      }
-    } else {
-      // Process items sequentially
-      for (const item of payload.items) {
-        try {
-          const result = await processItem(item);
-          results.push(result);
-        } catch (error) {
-          errors.push({ item, error });
-
-          if (payload.options.stopOnError) {
-            throw new Error(`Batch processing stopped due to error in item ${item.id}`);
-          }
-        }
-      }
-    }
-
-    return {
-      batchId: payload.batchId,
-      processed: results.length,
-      failed: errors.length,
-      results,
-      errors,
-    };
-  },
-});
-
-async function processItem(item: z.infer<typeof batchItemSchema>) {
-  logger.info("Processing batch item", {
-    id: item.id,
-    operation: item.operation,
-    resourceType: item.resourceType,
-  });
-
-  // Simulate processing
-  await new Promise(resolve => setTimeout(resolve, 50));
-
-  return {
-    id: item.id,
-    success: true,
-    operation: item.operation,
-    resourceType: item.resourceType,
-  };
-}
-
-function chunkArray<T>(array: T[], size: number): T[][] {
-  const chunks: T[][] = [];
-  for (let i = 0; i < array.length; i += size) {
-    chunks.push(array.slice(i, i + size));
-  }
-  return chunks;
-}
-
-// ===========================================
-// Helper Tasks
-// ===========================================
-
-const orderSchema = z.object({
-  customerId: z.string(),
-  paymentId: z.string(),
-  amount: z.number(),
-});
-
-export const fulfillOrder = schemaTask({
-  id: "fulfill-order",
-  schema: orderSchema,
-  run: async (payload, { ctx }) => {
-    logger.info("Fulfilling order", payload);
-    return { fulfilled: true };
-  },
-});
-
-const welcomeEmailSchema = z.object({
-  email: z.string().email(),
-  name: z.string(),
-});
-
-export const sendWelcomeEmail = schemaTask({
-  id: "send-welcome-email",
-  schema: welcomeEmailSchema,
-  run: async (payload, { ctx }) => {
-    logger.info("Sending welcome email", payload);
-    return { sent: true };
-  },
-});
\ No newline at end of file
diff --git a/references/hello-world/src/trigger/jsonSchemaSimple.ts b/references/hello-world/src/trigger/jsonSchemaSimple.ts
deleted file mode 100644
index a844b14034f..00000000000
--- a/references/hello-world/src/trigger/jsonSchemaSimple.ts
+++ /dev/null
@@ -1,235 +0,0 @@
-import { task, schemaTask, logger, type JSONSchema } from "@trigger.dev/sdk/v3";
-import { z } from "zod";
-
-// ===========================================
-// The Two Main Approaches
-// ===========================================
-
-// Approach 1: Using schemaTask (Recommended)
-// - Automatic JSON Schema conversion
-// - Full TypeScript type safety
-// - Runtime validation built-in
-const emailSchema = z.object({
-  to: z.string().email(),
-  subject: z.string(),
-  body: z.string(),
-  attachments: z
-    .array(
-      z.object({
-        filename: z.string(),
-        url: z.string().url(),
-      })
-    )
-    .optional(),
-});
-
-export const sendEmailSchemaTask = schemaTask({
-  id: "send-email-schema-task",
-  schema: emailSchema,
-  run: async (payload, { ctx }) => {
-    // payload is fully typed as:
-    // {
-    //   to: string;
-    //   subject: string;
-    //   body: string;
-    //   attachments?: Array<{ filename: string; url: string; }>;
-    // }
-
-    logger.info("Sending email", {
-      to: payload.to,
-      subject: payload.subject,
-      hasAttachments: !!payload.attachments?.length,
-    });
-
-    // Your email sending logic here...
-
-    return {
-      sent: true,
-      messageId: `msg_${ctx.run.id}`,
-      sentAt: new Date().toISOString(),
-    };
-  },
-});
-
-// Approach 2: Using plain task with payloadSchema
-// - Manual JSON Schema definition
-// - No automatic type inference (payload is 'any')
-// - Good for when you already have JSON Schema definitions
-export const sendEmailPlainTask = task({
-  id: "send-email-plain-task",
-  jsonSchema: {
-    type: "object",
-    properties: {
-      to: {
-        type: "string",
-        format: "email",
-        description: "Recipient email address",
-      },
-      subject: {
-        type: "string",
-        maxLength: 200,
-      },
-      body: {
-        type: "string",
-      },
-      attachments: {
-        type: "array",
-        items: {
-          type: "object",
-          properties: {
-            filename: { type: "string" },
-            url: { type: "string", format: "uri" },
-          },
-          required: ["filename", "url"],
-        },
-      },
-    },
-    required: ["to", "subject", "body"],
-  } satisfies JSONSchema, // Use 'satisfies' for type checking
-  run: async (payload, { ctx }) => {
-    // payload is typed as 'any' - you need to validate/cast it yourself
-    logger.info("Sending email", {
-      to: payload.to,
-      subject: payload.subject,
-    });
-
-    // Your email sending logic here...
-
-    return {
-      sent: true,
-      messageId: `msg_${ctx.run.id}`,
-      sentAt: new Date().toISOString(),
-    };
-  },
-});
-
-// ===========================================
-// Benefits of JSON Schema
-// ===========================================
-
-// 1. Documentation - The schema is visible in the Trigger.dev dashboard
-// 2. Validation - Invalid payloads are rejected before execution
-// 3. Type Safety - With schemaTask, you get full TypeScript support
-// 4. OpenAPI Generation - Can be used to generate API documentation
-// 5. Client SDKs - Can generate typed clients for other languages
-
-export const demonstrateBenefits = task({
-  id: "json-schema-benefits-demo",
-  run: async (_, { ctx }) => {
-    logger.info("Demonstrating JSON Schema benefits");
-
-    // With schemaTask, TypeScript prevents invalid payloads at compile time
-    try {
-      await sendEmailSchemaTask.trigger({
-        to: "user@example.com",
-        subject: "Welcome!",
-        body: "Thanks for signing up!",
-        // TypeScript error if you try to add invalid fields
-        // invalidField: "This would cause a TypeScript error",
-      });
-    } catch (error) {
-      logger.error("Failed to send email", { error });
-    }
-
-    // With plain task, validation happens at runtime
-    try {
-      await sendEmailPlainTask.trigger({
-        to: "not-an-email", // This will fail validation at runtime
-        subject: "Test",
-        body: "Test email",
-      });
-    } catch (error) {
-      logger.error("Failed validation", { error });
-    }
-
-    return { demonstrated: true };
-  },
-});
-
-// ===========================================
-// Real-World Example: User Registration Flow
-// ===========================================
-const userRegistrationSchema = z.object({
-  email: z.string().email(),
-  username: z
-    .string()
-    .min(3)
-    .max(20)
-    .regex(/^[a-zA-Z0-9_]+$/),
-  password: z.string().min(8),
-  profile: z.object({
-    firstName: z.string(),
-    lastName: z.string(),
-    dateOfBirth: z.string().optional(), // ISO date string
-    preferences: z
-      .object({
-        newsletter: z.boolean().default(false),
-        notifications: z.boolean().default(true),
-      })
-      .default({}),
-  }),
-  referralCode: z.string().optional(),
-});
-
-export const registerUser = schemaTask({
-  id: "register-user",
-  schema: userRegistrationSchema,
-  retry: {
-    maxAttempts: 3,
-    minTimeoutInMs: 1000,
-    maxTimeoutInMs: 10000,
-  },
-  run: async (payload, { ctx }) => {
-    logger.info("Registering new user", {
-      email: payload.email,
-      username: payload.username,
-    });
-
-    // Step 1: Validate uniqueness
-    logger.info("Checking if user exists");
-    // ... database check logic ...
-
-    // Step 2: Create user account
-    logger.info("Creating user account");
-    const userId = `user_${Date.now()}`;
-    // ... user creation logic ...
-
-    // Step 3: Send welcome email
-    await sendEmailSchemaTask.trigger({
-      to: payload.email,
-      subject: `Welcome to our platform, ${payload.profile.firstName}!`,
-      body: `Hi ${payload.profile.firstName},\n\nThanks for joining us...`,
-    });
-
-    // Step 4: Apply referral code if provided
-    if (payload.referralCode) {
-      logger.info("Processing referral code", { code: payload.referralCode });
-      // ... referral logic ...
-    }
-
-    return {
-      success: true,
-      userId,
-      username: payload.username,
-      welcomeEmailSent: true,
-    };
-  },
-});
-
-// ===========================================
-// When to Use Each Approach
-// ===========================================
-
-/*
-Use schemaTask when:
-- You're already using Zod, Yup, ArkType, etc. in your codebase
-- You want TypeScript type inference
-- You want runtime validation handled automatically
-- You're building new tasks from scratch
-
-Use plain task with payloadSchema when:
-- You have existing JSON Schema definitions
-- You're migrating from another system that uses JSON Schema
-- You need fine-grained control over the schema format
-- You're working with generated schemas from OpenAPI/Swagger
-*/
\ No newline at end of file
diff --git a/references/hello-world/src/trigger/lightpanda.ts b/references/hello-world/src/trigger/lightpanda.ts
deleted file mode 100644
index 830f6391a2e..00000000000
--- a/references/hello-world/src/trigger/lightpanda.ts
+++ /dev/null
@@ -1,149 +0,0 @@
-import { logger, task } from "@trigger.dev/sdk";
-import { execSync, spawn, type ChildProcessWithoutNullStreams } from "node:child_process";
-import puppeteer from "puppeteer-core";
-
-const spawnLightpanda = async (host: string, port: string) =>
-  new Promise<ChildProcessWithoutNullStreams>((resolve, reject) => {
-    const child = spawn("lightpanda", [
-      "serve",
-      "--host",
-      host,
-      "--port",
-      port,
-      "--log_level",
-      "info",
-    ]);
-
-    child.on("spawn", async () => {
-      logger.info("Running Lightpanda's CDP server…", {
-        pid: child.pid,
-      });
-
-      await new Promise((resolve) => setTimeout(resolve, 250));
-      resolve(child);
-    });
-    child.on("error", (e) => reject(e));
-  });
-
-export const lightpandaCdp = task({
-  id: "lightpanda-cdp",
-  machine: {
-    preset: "micro",
-  },
-  run: async (payload: { url: string }, { ctx }) => {
-    logger.log("Lets get a page's links with Lightpanda!", { payload, ctx });
-
-    if (!payload.url) {
-      logger.warn("Please define the payload url");
-      throw new Error("payload.url is undefined");
-    }
-
-    const host = process.env.LIGHTPANDA_CDP_HOST ?? "127.0.0.1";
-    const port = process.env.LIGHTPANDA_CDP_PORT ?? "9222";
-
-    // Launch Lightpanda's CDP server
-    const lpProcess = await spawnLightpanda(host, port);
-
-    const browser = await puppeteer.connect({
-      browserWSEndpoint: `ws://${host}:${port}`,
-    });
-    const context = await browser.createBrowserContext();
-    const page = await context.newPage();
-
-    // Dump all the links from the page.
-    await page.goto(payload.url);
-
-    const links = await page.evaluate(() => {
-      return Array.from(document.querySelectorAll("a")).map((row) => {
-        return row.getAttribute("href");
-      });
-    });
-
-    logger.info("Processing done");
-    logger.info("Shutting down…");
-
-    // Close Puppeteer instance
-    await browser.close();
-
-    // Stop Lightpanda's CDP Server
-    lpProcess.kill();
-
-    logger.info("✅ Completed");
-
-    return {
-      links,
-    };
-  },
-});
-
-export const lightpandaFetch = task({
-  id: "lightpanda-fetch",
-  machine: {
-    preset: "micro",
-  },
-  run: async (payload: { url: string }, { ctx }) => {
-    logger.log("Lets get a page's content with Lightpanda!", { payload, ctx });
-
-    if (!payload.url) {
-      logger.warn("Please define the payload url");
-      throw new Error("payload.url is undefined");
-    }
-
-    const buffer = execSync(`lightpanda fetch --dump ${payload.url}`);
-
-    logger.info("✅ Completed");
-
-    return {
-      message: buffer.toString(),
-    };
-  },
-});
-
-export const lightpandaCloudPuppeteer = task({
-  id: "lightpanda-cloud-puppeteer",
-  machine: {
-    preset: "micro",
-  },
-  run: async (payload: { url: string }, { ctx }) => {
-    logger.log("Lets get a page's links with Lightpanda!", { payload, ctx });
-
-    if (!payload.url) {
-      logger.warn("Please define the payload url");
-      throw new Error("payload.url is undefined");
-    }
-
-    const token = process.env.LIGHTPANDA_TOKEN;
-    if (!token) {
-      logger.warn("Please define the env variable LIGHTPANDA_TOKEN");
-      throw new Error("LIGHTPANDA_TOKEN is undefined");
-    }
-
-    // Connect to Lightpanda's cloud
-    const browser = await puppeteer.connect({
-      browserWSEndpoint: `wss://cloud.lightpanda.io/ws?browser=lightpanda&token=${token}`,
-    });
-    const context = await browser.createBrowserContext();
-    const page = await context.newPage();
-
-    // Dump all the links from the page.
-    await page.goto(payload.url);
-
-    const links = await page.evaluate(() => {
-      return Array.from(document.querySelectorAll("a")).map((row) => {
-        return row.getAttribute("href");
-      });
-    });
-
-    logger.info("Processing done, shutting down…");
-
-    await page.close();
-    await context.close();
-    await browser.disconnect();
-
-    logger.info("✅ Completed");
-
-    return {
-      links,
-    };
-  },
-});
diff --git a/references/hello-world/src/trigger/metadata.ts b/references/hello-world/src/trigger/metadata.ts
deleted file mode 100644
index b0d493b8df2..00000000000
--- a/references/hello-world/src/trigger/metadata.ts
+++ /dev/null
@@ -1,67 +0,0 @@
-import { logger, metadata, task, wait } from "@trigger.dev/sdk";
-import { setTimeout } from "node:timers/promises";
-
-export const metadataTestTask = task({
-  id: "metadata-tester",
-  retry: {
-    maxAttempts: 3,
-    minTimeoutInMs: 500,
-    maxTimeoutInMs: 1000,
-    factor: 1.5,
-  },
-  run: async (payload: any, { ctx, signal }) => {
-    let iteration = 0;
-
-    while (!signal.aborted) {
-      await setTimeout(1000);
-
-      iteration++;
-
-      metadata.set(`test-key-${iteration}`, `test-value-${iteration}`);
-      metadata.append(`test-keys-${iteration}`, `test-value-${iteration}`);
-      metadata.increment(`test-counter-${iteration}`, 1);
-
-      await setTimeout(1000);
-    }
-
-    logger.info("Run completed", { iteration });
-
-    return {
-      success: true,
-    };
-  },
-  onCancel: async ({ runPromise }) => {
-    await metadata.flush();
-    await runPromise;
-  },
-});
-
-export const parentTask = task({
-  id: "metadata-parent-task",
-  run: async (payload: any, { ctx }) => {
-    // will not be set
-    metadata.root.set("test.root.set", true);
-    metadata.parent.set("test.parent.set", true);
-    metadata.set("test.set", "test");
-
-    logger.info("logging metadata.current()", { current: metadata.current() });
-
-    await childTask.triggerAndWait({});
-
-    return {
-      ok: true,
-    };
-  },
-});
-
-export const childTask = task({
-  id: "metadata-child-task",
-  run: async (payload: any, { ctx }) => {
-    // will not be set
-    metadata.root.set("child.root.before", true);
-    await wait.for({ seconds: 15 });
-    // will be set
-    metadata.root.set("child.root.after", true);
-    return { ok: true };
-  },
-});
diff --git a/references/hello-world/src/trigger/metrics.ts b/references/hello-world/src/trigger/metrics.ts
deleted file mode 100644
index fa398186b0b..00000000000
--- a/references/hello-world/src/trigger/metrics.ts
+++ /dev/null
@@ -1,326 +0,0 @@
-import { batch, logger, otel, task } from "@trigger.dev/sdk";
-import { createHash } from "node:crypto";
-import { setTimeout } from "node:timers/promises";
-
-// Custom metrics — instruments are created once at module level
-const meter = otel.metrics.getMeter("hello-world");
-const itemsProcessedCounter = meter.createCounter("items.processed", {
-  description: "Total number of items processed",
-  unit: "items",
-});
-const itemDurationHistogram = meter.createHistogram("item.duration", {
-  description: "Time spent processing each item",
-  unit: "ms",
-});
-const queueDepthGauge = meter.createUpDownCounter("queue.depth", {
-  description: "Current simulated queue depth",
-  unit: "items",
-});
-
-/**
- * Tight computational loop that produces sustained high CPU utilization.
- * Uses repeated SHA-256 hashing to keep the CPU busy.
- */
-export const cpuIntensive = task({
-  id: "cpu-intensive",
-  run: async (
-    {
-      durationSeconds = 60,
-    }: {
-      durationSeconds?: number;
-    },
-    { ctx }
-  ) => {
-    logger.info("Starting CPU-intensive workload", { durationSeconds });
-
-    const deadline = Date.now() + durationSeconds * 1000;
-    let iterations = 0;
-    let data = Buffer.from("seed-data-for-hashing");
-
-    while (Date.now() < deadline) {
-      // Tight hashing loop — ~100ms chunks then yield to event loop
-      const chunkEnd = Date.now() + 100;
-      while (Date.now() < chunkEnd) {
-        data = createHash("sha256").update(data).digest();
-        iterations++;
-      }
-      // Yield to let metrics collection and heartbeats run
-      await setTimeout(1);
-    }
-
-    logger.info("CPU-intensive workload complete", { iterations });
-    return { iterations };
-  },
-});
-
-/**
- * Progressively allocates memory in steps, holds it, then releases.
- * Produces a staircase-shaped memory usage graph.
- */
-export const memoryRamp = task({
-  id: "memory-ramp",
-  run: async (
-    {
-      steps = 6,
-      stepSizeMb = 50,
-      stepIntervalSeconds = 5,
-      holdSeconds = 15,
-    }: {
-      steps?: number;
-      stepSizeMb?: number;
-      stepIntervalSeconds?: number;
-      holdSeconds?: number;
-    },
-    { ctx }
-  ) => {
-    logger.info("Starting memory ramp", { steps, stepSizeMb, stepIntervalSeconds, holdSeconds });
-
-    const allocations: Buffer[] = [];
-
-    // Ramp up — allocate in steps
-    for (let i = 0; i < steps; i++) {
-      const buf = Buffer.alloc(stepSizeMb * 1024 * 1024, 0xff);
-      allocations.push(buf);
-      logger.info(`Allocated step ${i + 1}/${steps}`, {
-        totalAllocatedMb: (i + 1) * stepSizeMb,
-      });
-      await setTimeout(stepIntervalSeconds * 1000);
-    }
-
-    // Hold at peak
-    logger.info("Holding at peak memory", { totalMb: steps * stepSizeMb });
-    await setTimeout(holdSeconds * 1000);
-
-    // Release
-    allocations.length = 0;
-    global.gc?.();
-    logger.info("Released all allocations");
-
-    // Let metrics capture the drop
-    await setTimeout(10_000);
-
-    logger.info("Memory ramp complete");
-    return { peakMb: steps * stepSizeMb };
-  },
-});
-
-/**
- * Alternates between CPU-intensive bursts and idle sleep periods.
- * Produces a sawtooth/square-wave CPU utilization pattern.
- */
-export const burstyWorkload = task({
-  id: "bursty-workload",
-  run: async (
-    {
-      cycles = 5,
-      burstSeconds = 5,
-      idleSeconds = 5,
-    }: {
-      cycles?: number;
-      burstSeconds?: number;
-      idleSeconds?: number;
-    },
-    { ctx }
-  ) => {
-    logger.info("Starting bursty workload", { cycles, burstSeconds, idleSeconds });
-
-    for (let cycle = 0; cycle < cycles; cycle++) {
-      // Burst phase — hash as fast as possible
-      logger.info(`Cycle ${cycle + 1}/${cycles}: burst phase`);
-      const burstDeadline = Date.now() + burstSeconds * 1000;
-      let data = Buffer.from(`burst-cycle-${cycle}`);
-      while (Date.now() < burstDeadline) {
-        const chunkEnd = Date.now() + 100;
-        while (Date.now() < chunkEnd) {
-          data = createHash("sha256").update(data).digest();
-        }
-        await setTimeout(1);
-      }
-
-      // Idle phase
-      logger.info(`Cycle ${cycle + 1}/${cycles}: idle phase`);
-      await setTimeout(idleSeconds * 1000);
-    }
-
-    logger.info("Bursty workload complete", { totalCycles: cycles });
-    return { cycles };
-  },
-});
-
-/**
- * Simulates a data processing pipeline with distinct phases:
- *   1. Read phase — light CPU, growing memory (buffering data)
- *   2. Process phase — high CPU, stable memory (crunching data)
- *   3. Write phase — low CPU, memory drops (streaming out results)
- *
- * Shows clear phase transitions in both CPU and memory graphs.
- */
-export const sustainedWorkload = task({
-  id: "sustained-workload",
-  run: async (
-    {
-      readSeconds = 20,
-      processSeconds = 20,
-      writeSeconds = 20,
-      dataSizeMb = 100,
-    }: {
-      readSeconds?: number;
-      processSeconds?: number;
-      writeSeconds?: number;
-      dataSizeMb?: number;
-    },
-    { ctx }
-  ) => {
-    logger.info("Starting sustained workload — read phase", { readSeconds, dataSizeMb });
-
-    // Phase 1: Read — gradually accumulate buffers (memory ramp, low CPU)
-    const chunks: Buffer[] = [];
-    const chunkCount = 10;
-    const chunkSize = Math.floor((dataSizeMb * 1024 * 1024) / chunkCount);
-    const readInterval = (readSeconds * 1000) / chunkCount;
-
-    for (let i = 0; i < chunkCount; i++) {
-      chunks.push(Buffer.alloc(chunkSize, i));
-      logger.info(`Read ${i + 1}/${chunkCount} chunks`);
-      await setTimeout(readInterval);
-    }
-
-    // Phase 2: Process — hash all chunks repeatedly (high CPU, stable memory)
-    logger.info("Entering process phase", { processSeconds });
-    const processDeadline = Date.now() + processSeconds * 1000;
-    let hashCount = 0;
-
-    while (Date.now() < processDeadline) {
-      const chunkEnd = Date.now() + 100;
-      while (Date.now() < chunkEnd) {
-        for (const chunk of chunks) {
-          createHash("sha256").update(chunk).digest();
-          hashCount++;
-        }
-      }
-      await setTimeout(1);
-    }
-
-    // Phase 3: Write — release memory gradually (low CPU, memory drops)
-    logger.info("Entering write phase", { writeSeconds });
-    const writeInterval = (writeSeconds * 1000) / chunkCount;
-
-    for (let i = chunkCount - 1; i >= 0; i--) {
-      chunks.pop();
-      logger.info(`Wrote and released chunk ${chunkCount - i}/${chunkCount}`);
-      await setTimeout(writeInterval);
-    }
-
-    global.gc?.();
-    await setTimeout(5000);
-
-    logger.info("Sustained workload complete", { hashCount });
-    return { hashCount };
-  },
-});
-
-/**
- * Parent task that fans out multiple child tasks in parallel.
- * Useful for seeing per-run breakdowns in metrics queries grouped by run_id.
- */
-export const concurrentLoad = task({
-  id: "concurrent-load",
-  run: async (
-    {
-      concurrency = 3,
-      taskType = "bursty-workload" as "cpu-intensive" | "bursty-workload",
-      durationSeconds = 30,
-    }: {
-      concurrency?: number;
-      taskType?: "cpu-intensive" | "bursty-workload";
-      durationSeconds?: number;
-    },
-    { ctx }
-  ) => {
-    logger.info("Starting concurrent load", { concurrency, taskType, durationSeconds });
-
-    const items = Array.from({ length: concurrency }, (_, i) => {
-      if (taskType === "cpu-intensive") {
-        return { id: cpuIntensive.id, payload: { durationSeconds } };
-      }
-      return {
-        id: burstyWorkload.id,
-        payload: { cycles: 3, burstSeconds: 5, idleSeconds: 5 },
-      };
-    });
-
-    const results = await batch.triggerAndWait<typeof cpuIntensive | typeof burstyWorkload>(items);
-
-    logger.info("All children completed", {
-      count: results.runs.length,
-    });
-
-    return { childRunIds: results.runs.map((r) => r.id) };
-  },
-});
-
-/**
- * Demonstrates custom OTEL metrics: counter, histogram, and up-down counter.
- * Simulates processing a queue of items with varying processing times.
- */
-export const customMetrics = task({
-  id: "custom-metrics",
-  run: async (
-    {
-      itemCount = 20,
-      minProcessingMs = 50,
-      maxProcessingMs = 500,
-      batchSize = 5,
-    }: {
-      itemCount?: number;
-      minProcessingMs?: number;
-      maxProcessingMs?: number;
-      batchSize?: number;
-    },
-    { ctx }
-  ) => {
-    logger.info("Starting custom metrics demo", { itemCount, batchSize });
-
-    // Simulate items arriving in the queue
-    queueDepthGauge.add(itemCount);
-
-    let totalProcessed = 0;
-
-    for (let i = 0; i < itemCount; i += batchSize) {
-      const currentBatch = Math.min(batchSize, itemCount - i);
-
-      for (let j = 0; j < currentBatch; j++) {
-        const processingTime =
-          minProcessingMs + Math.random() * (maxProcessingMs - minProcessingMs);
-
-        // Simulate work
-        const start = performance.now();
-        let data = Buffer.from(`item-${i + j}`);
-        const deadline = Date.now() + processingTime;
-        while (Date.now() < deadline) {
-          data = createHash("sha256").update(data).digest();
-        }
-        const elapsed = performance.now() - start;
-
-        // Record metrics
-        itemsProcessedCounter.add(1, { "item.type": j % 2 === 0 ? "even" : "odd" });
-        itemDurationHistogram.record(elapsed, { "item.type": j % 2 === 0 ? "even" : "odd" });
-        queueDepthGauge.add(-1);
-
-        totalProcessed++;
-      }
-
-      logger.info(`Processed batch`, {
-        batchNumber: Math.floor(i / batchSize) + 1,
-        totalProcessed,
-        remaining: itemCount - totalProcessed,
-      });
-
-      // Brief pause between batches
-      await setTimeout(1000);
-    }
-
-    logger.info("Custom metrics demo complete", { totalProcessed });
-    return { totalProcessed };
-  },
-});
diff --git a/references/hello-world/src/trigger/nestedDependencies.ts b/references/hello-world/src/trigger/nestedDependencies.ts
deleted file mode 100644
index afd25a4a27f..00000000000
--- a/references/hello-world/src/trigger/nestedDependencies.ts
+++ /dev/null
@@ -1,74 +0,0 @@
-import { logger, task, wait } from "@trigger.dev/sdk";
-
-export const nestedDependencies = task({
-  id: "nested-dependencies",
-  run: async ({
-    depth = 0,
-    maxDepth = 6,
-    batchSize = 4,
-    waitSeconds = 1,
-    failAttemptChance = 0,
-    failParents = false,
-  }: {
-    depth?: number;
-    maxDepth?: number;
-    batchSize?: number;
-    waitSeconds?: number;
-    failAttemptChance?: number;
-    failParents?: boolean;
-  }) => {
-    if (depth >= maxDepth) {
-      return;
-    }
-
-    logger.log(`Started ${depth}/${maxDepth} depth`);
-
-    const shouldFail = Math.random() < failAttemptChance;
-    if (shouldFail) {
-      throw new Error(`Failed at ${depth}/${maxDepth} depth`);
-    }
-
-    await wait.for({ seconds: waitSeconds });
-
-    const triggerOrBatch = depth % 2 === 0;
-
-    if (triggerOrBatch) {
-      for (let i = 0; i < batchSize; i++) {
-        const result = await nestedDependencies.triggerAndWait({
-          depth: depth + 1,
-          maxDepth,
-          waitSeconds,
-          failAttemptChance,
-          batchSize,
-        });
-        logger.log(`Triggered complete ${i + 1}/${batchSize}`);
-
-        if (!result.ok && failParents) {
-          throw new Error(`Failed at ${depth}/${maxDepth} depth`);
-        }
-      }
-    } else {
-      const results = await nestedDependencies.batchTriggerAndWait(
-        Array.from({ length: batchSize }, (_, i) => ({
-          payload: {
-            depth: depth + 1,
-            maxDepth,
-            batchSize,
-            waitSeconds,
-            failAttemptChance,
-          },
-        }))
-      );
-      logger.log(`Batch triggered complete`);
-
-      if (results.runs.some((r) => !r.ok) && failParents) {
-        throw new Error(`Failed at ${depth}/${maxDepth} depth`);
-      }
-    }
-
-    logger.log(`Sleep for ${waitSeconds} seconds`);
-    await new Promise((resolve) => setTimeout(resolve, waitSeconds * 1000));
-
-    logger.log(`Finished ${depth}/${maxDepth} depth`);
-  },
-});
diff --git a/references/hello-world/src/trigger/oom.ts b/references/hello-world/src/trigger/oom.ts
deleted file mode 100644
index 018312adf8d..00000000000
--- a/references/hello-world/src/trigger/oom.ts
+++ /dev/null
@@ -1,87 +0,0 @@
-import { OutOfMemoryError } from "@trigger.dev/sdk/v3";
-import { logger, task } from "@trigger.dev/sdk/v3";
-import { setTimeout } from "timers/promises";
-
-export const oomTask = task({
-  id: "oom-task",
-  machine: "micro",
-  retry: {
-    outOfMemory: {
-      machine: "small-1x",
-    },
-  },
-  run: async (
-    {
-      succeedOnLargerMachine = false,
-      ffmpeg = false,
-      manual = false,
-    }: { succeedOnLargerMachine?: boolean; ffmpeg?: boolean; manual?: boolean },
-    { ctx }
-  ) => {
-    logger.info("running out of memory below this line");
-
-    logger.info(`Running on ${ctx.machine?.name}`);
-
-    await setTimeout(2000);
-
-    if (ctx.machine?.name !== "micro" && succeedOnLargerMachine) {
-      logger.info("Going to succeed now");
-      return {
-        success: true,
-      };
-    }
-
-    if (manual) {
-      throw new OutOfMemoryError();
-    }
-
-    if (ffmpeg) {
-      throw new Error("ffmpeg was killed with signal SIGKILL");
-    }
-
-    let a = "a";
-
-    try {
-      while (true) {
-        a += a;
-      }
-    } catch (error) {
-      logger.error(error instanceof Error ? error.message : "Unknown error", { error });
-
-      let b = [];
-      while (true) {
-        b.push(a.replace(/a/g, "b"));
-      }
-    }
-  },
-});
-
-export const oomTask2 = task({
-  id: "oom-task-2",
-  machine: "micro",
-  run: async (payload: any, { ctx }) => {
-    await runMemoryLeakScenario();
-  },
-});
-
-async function runMemoryLeakScenario() {
-  console.log("🧠 Starting memory leak simulation");
-  const memoryHogs = [];
-  let iteration = 0;
-
-  while (iteration < 1000) {
-    // Allocate large chunks of memory
-    const bigArray = new Array(10000000).fill(`memory-leak-data-${iteration}`);
-    memoryHogs.push(bigArray);
-
-    await setTimeout(200);
-    iteration++;
-
-    const memUsage = process.memoryUsage();
-    console.log(
-      `🧠 Memory leak iteration ${iteration}, RSS: ${Math.round(memUsage.rss / 1024 / 1024)} MB`
-    );
-  }
-
-  console.log("🧠 Memory leak scenario completed");
-}
diff --git a/references/hello-world/src/trigger/parallel-waits.ts b/references/hello-world/src/trigger/parallel-waits.ts
deleted file mode 100644
index 76a8eee0d96..00000000000
--- a/references/hello-world/src/trigger/parallel-waits.ts
+++ /dev/null
@@ -1,24 +0,0 @@
-import { logger, task, wait } from "@trigger.dev/sdk/v3";
-import { childTask } from "./example.js";
-
-/*
- * These aren't currently supported, and so should throw clear errors
- */
-export const parallelWaits = task({
-  id: "parallel-waits",
-  run: async ({ skipDuration = false }: { skipDuration?: boolean }) => {
-    //parallel wait for 5/10 seconds
-    if (!skipDuration) {
-      await Promise.all([
-        wait.for({ seconds: 5 }),
-        wait.until({ date: new Date(Date.now() + 10_000) }),
-      ]);
-    }
-
-    //parallel task call
-    await Promise.all([
-      childTask.triggerAndWait({ message: "Hello, world!" }),
-      childTask.batchTriggerAndWait([{ payload: { message: "Hello, world!" } }]),
-    ]);
-  },
-});
diff --git a/references/hello-world/src/trigger/pendingVersions.ts b/references/hello-world/src/trigger/pendingVersions.ts
deleted file mode 100644
index 8b527e730fe..00000000000
--- a/references/hello-world/src/trigger/pendingVersions.ts
+++ /dev/null
@@ -1,37 +0,0 @@
-import { logger, queue, queues, task, tasks } from "@trigger.dev/sdk/v3";
-
-export const pendingVersionsQueue = queue({
-  name: "pending-version-queue",
-  concurrencyLimit: 1,
-});
-
-export const pendingVersionsTester = task({
-  id: "pending-versions-tester",
-  run: async (payload: any, { ctx }) => {
-    logger.log("Pending versions tester", { payload });
-
-    await tasks.trigger("pending-versions-tester-2", {
-      payload: {
-        message: "Hello, world!",
-      },
-    });
-
-    await tasks.trigger(
-      "pending-versions-tester-3",
-      {
-        message: "Hello, world!",
-      },
-      {
-        queue: "pending-version-queue-2",
-      }
-    );
-  },
-});
-
-export const pendingVersionsTester3 = task({
-  id: "pending-versions-tester-3",
-  queue: pendingVersionsQueue,
-  run: async (payload: any, { ctx }) => {
-    logger.log("Pending versions tester 3", { payload });
-  },
-});
diff --git a/references/hello-world/src/trigger/prioritize-continuing.ts b/references/hello-world/src/trigger/prioritize-continuing.ts
deleted file mode 100644
index 1ae26754a07..00000000000
--- a/references/hello-world/src/trigger/prioritize-continuing.ts
+++ /dev/null
@@ -1,27 +0,0 @@
-import { logger, task, wait } from "@trigger.dev/sdk/v3";
-
-export const prioritizeContinuing = task({
-  id: "prioritize-continuing",
-  run: async ({ count }: { count: number }) => {
-    await prioritizeContinuingChild.batchTrigger(
-      Array.from({ length: count }, (_, i) => ({ payload: {} as any }))
-    );
-  },
-});
-
-export const prioritizeContinuingChild = task({
-  id: "prioritize-continuing-child",
-  queue: {
-    concurrencyLimit: 1,
-  },
-  run: async () => {
-    await fixedLengthTask.triggerAndWait({ waitSeconds: 1 });
-  },
-});
-
-export const fixedLengthTask = task({
-  id: "fixedLengthTask",
-  run: async ({ waitSeconds }: { waitSeconds: number }) => {
-    await new Promise((resolve) => setTimeout(resolve, waitSeconds * 1000));
-  },
-});
diff --git a/references/hello-world/src/trigger/priority.ts b/references/hello-world/src/trigger/priority.ts
deleted file mode 100644
index 8fd9ac9b9ad..00000000000
--- a/references/hello-world/src/trigger/priority.ts
+++ /dev/null
@@ -1,32 +0,0 @@
-import { logger, task } from "@trigger.dev/sdk/v3";
-
-export const priorityParent = task({
-  id: "priority-parent",
-  run: async (payload: any, { ctx }) => {
-    logger.log("Hello, world from the parents", { payload });
-
-    const batch1 = await priorityChild.batchTriggerAndWait([
-      {
-        payload: { order: 1 },
-      },
-      {
-        payload: { order: 2 },
-        options: { priority: 1 },
-      },
-      {
-        payload: { order: 3 },
-        options: { priority: 2 },
-      },
-    ]);
-  },
-});
-
-export const priorityChild = task({
-  id: "priority-child",
-  queue: {
-    concurrencyLimit: 1,
-  },
-  run: async ({ order }: { order: number }, { ctx }) => {
-    logger.log(`Priority ${ctx.run.priority}`);
-  },
-});
diff --git a/references/hello-world/src/trigger/prompts.ts b/references/hello-world/src/trigger/prompts.ts
deleted file mode 100644
index 8d9c223317d..00000000000
--- a/references/hello-world/src/trigger/prompts.ts
+++ /dev/null
@@ -1,349 +0,0 @@
-import { task, logger, prompts } from "@trigger.dev/sdk";
-import { generateText, generateObject, streamText, tool, stepCountIs } from "ai";
-import { openai } from "@ai-sdk/openai";
-import { z } from "zod";
-
-// ─── Prompt definitions ──────────────────────────────────
-
-export const supportPrompt = prompts.define({
-  id: "customer-support",
-  description: "System prompt for great customer support interactions",
-  model: "gpt-4o",
-  config: { temperature: 0.7, maxTokens: 2000 },
-  variables: z.object({
-    customerName: z.string(),
-    plan: z.string(),
-    issue: z.string(),
-    previousMessages: z.string().optional(),
-  }),
-  content: `You are a senior customer support agent for Acme SaaS, a project management platform. You handle billing, account, and technical support inquiries with empathy and precision.
-
-## Customer context
-
-- **Name:** {{customerName}}
-- **Plan:** {{plan}}
-- **Reported issue:** {{issue}}
-
-## Your responsibilities
-
-1. **Diagnose the issue** — Ask clarifying questions if the problem is ambiguous. Do not guess.
-2. **Resolve when possible** — Use the tools provided (lookup_order, check_subscription, reset_password, issue_refund, update_billing) to take direct action.
-3. **Escalate when necessary** — If you cannot resolve the issue within your authority, use the escalate_to_human tool. Always include a summary of what you've already tried.
-
-## Guidelines
-
-### Tone and language
-- Address the customer by their first name.
-- Be concise but warm. Avoid corporate jargon.
-- Never blame the customer. Use phrases like "I can see that..." or "It looks like..." instead of "You did...".
-- If something is our fault, acknowledge it directly: "I'm sorry about that — this shouldn't have happened."
-
-### Billing and refunds
-- Customers on the **Free** plan are not eligible for refunds.
-- Customers on the **Pro** plan can receive refunds for charges within the last 30 days, up to $500, without manager approval.
-- Customers on the **Enterprise** plan: any refund over $200 requires escalation to the billing team.
-- If a customer was double-charged, issue a refund immediately and apologize.
-- Never share internal pricing tiers or discount structures.
-
-### Account and security
-- You can trigger a password reset email but cannot view or change passwords directly.
-- If a customer reports unauthorized access, immediately escalate to the security team using escalate_to_human with priority "urgent".
-- Do not share account details (email, billing info) without first verifying the customer's identity through their registered email.
-
-### Technical issues
-- For issues related to project creation, task boards, or integrations, check our known issues list first.
-- If the issue matches a known bug, share the workaround and let the customer know it's being tracked.
-- For API-related questions, link to the relevant docs page: https://docs.acme-saas.com/api
-- If the issue is not in the known issues list and you cannot diagnose it, escalate to engineering support.
-
-### What you must never do
-- Never make up information about product features, pricing, or policies.
-- Never promise a timeline for bug fixes or feature releases.
-- Never share internal Slack messages, Jira tickets, or employee names.
-- Never ask the customer to "try again later" without a concrete reason.
-
-{{#previousMessages}}
-## Conversation history
-
-{{previousMessages}}
-{{/previousMessages}}
-
-Respond to the customer's issue now. Start by acknowledging their problem, then either resolve it directly or ask the one most important clarifying question.`,
-});
-
-export const summarizerPrompt = prompts.define({
-  id: "summarizer",
-  description: "Summarizes text content",
-  model: "gpt-4o-mini",
-  config: { temperature: 0.3 },
-  variables: z.object({
-    text: z.string(),
-    maxSentences: z.string().optional(),
-  }),
-  content: `Summarize the following text{{#maxSentences}} in {{maxSentences}} sentences or fewer{{/maxSentences}}:
-
-{{text}}`,
-});
-
-// ─── Test task: resolve prompts locally ──────────────────
-
-export const testPromptsTask = task({
-  id: "test-prompts",
-  run: async () => {
-    const support = await supportPrompt.resolve({
-      customerName: "Alice Johnson",
-      plan: "Pro",
-      issue: "Cannot access billing dashboard",
-    });
-
-    logger.info("Support prompt resolved", {
-      version: support.version,
-      model: support.model,
-      text: support.text,
-    });
-
-    const summarizer = await summarizerPrompt.resolve({
-      text: "Trigger.dev is a platform for building and running background tasks. It provides a TypeScript SDK for defining tasks, and a dashboard for monitoring and managing them.",
-      maxSentences: "2",
-    });
-
-    logger.info("Summarizer prompt resolved", {
-      version: summarizer.version,
-      model: summarizer.model,
-      text: summarizer.text,
-    });
-
-    return {
-      supportPrompt: support.text,
-      summarizerText: summarizer.text,
-    };
-  },
-});
-
-// ─── AI SDK integration: generateText with prompt ────────
-
-export const generateWithPromptTask = task({
-  id: "generate-with-prompt",
-  run: async (payload: { customerName: string; plan: string; issue: string }) => {
-    const resolved = await supportPrompt.resolve({
-      customerName: payload.customerName,
-      plan: payload.plan,
-      issue: payload.issue,
-    });
-
-    // Use with generateText — spread toAISDKTelemetry to link the AI span to the prompt
-    const result = await generateText({
-      model: openai(resolved.model ?? "gpt-4o-mini"),
-      system: resolved.text,
-      prompt: `The customer says: "${payload.issue}". Please help them.`,
-      ...resolved.toAISDKTelemetry(),
-    });
-
-    logger.info("AI response generated", {
-      promptVersion: resolved.version,
-      promptLabels: resolved.labels,
-      responseLength: result.text.length,
-    });
-
-    return { response: result.text };
-  },
-});
-
-// ─── AI SDK integration: summarize with prompt ───────────
-
-export const summarizeTask = task({
-  id: "summarize-with-prompt",
-  run: async (payload: { text: string; maxSentences?: string }) => {
-    const resolved = await summarizerPrompt.resolve({
-      text: payload.text,
-      maxSentences: payload.maxSentences,
-    });
-
-    // Use the resolved prompt as the user prompt directly
-    const result = await generateText({
-      model: openai("gpt-4o-mini"),
-      prompt: resolved.text,
-      ...resolved.toAISDKTelemetry({ "task.type": "summarization" }),
-    });
-
-    logger.info("Summary generated", {
-      promptVersion: resolved.version,
-      inputLength: payload.text.length,
-      outputLength: result.text.length,
-    });
-
-    return { summary: result.text };
-  },
-});
-
-// ─── AI SDK integration: streamText with prompt ──────────
-
-export const streamWithPromptTask = task({
-  id: "stream-with-prompt",
-  run: async (payload: { customerName: string; plan: string; issue: string }) => {
-    const resolved = await supportPrompt.resolve({
-      customerName: payload.customerName,
-      plan: payload.plan,
-      issue: payload.issue,
-    });
-
-    const result = streamText({
-      model: openai(resolved.model ?? "gpt-4o-mini"),
-      system: resolved.text,
-      prompt: `The customer says: "${payload.issue}". Please help them.`,
-      tools: {
-        check_subscription: tool({
-          description: "Look up the customer's current subscription status and plan details",
-          inputSchema: z.object({
-            customerName: z.string().describe("The customer's name"),
-          }),
-          execute: async ({ customerName }) => ({
-            plan: payload.plan,
-            status: "active",
-            billingCycle: "monthly",
-            nextBillingDate: "2026-04-01",
-          }),
-        }),
-        escalate_to_human: tool({
-          description: "Escalate the issue to a human support agent",
-          inputSchema: z.object({
-            summary: z.string().describe("Summary of the issue and what has been tried"),
-            priority: z.enum(["low", "medium", "high", "urgent"]).describe("Urgency level"),
-          }),
-          execute: async ({ summary, priority }) => ({
-            ticketId: "ESC-1234",
-            status: "escalated",
-            priority,
-          }),
-        }),
-      },
-      stopWhen: stepCountIs(3),
-      ...resolved.toAISDKTelemetry(),
-    });
-
-    let fullText = "";
-    for await (const chunk of result.textStream) {
-      fullText += chunk;
-    }
-
-    logger.info("Streamed response complete", {
-      promptVersion: resolved.version,
-      responseLength: fullText.length,
-    });
-
-    return { response: fullText };
-  },
-});
-
-// ─── Prompt for structured extraction ────────────────────
-
-export const extractContactPrompt = prompts.define({
-  id: "extract-contact",
-  description: "Extracts structured contact info from freeform text",
-  model: "gpt-4o-mini",
-  config: { temperature: 0 },
-  variables: z.object({
-    text: z.string(),
-  }),
-  content: `Extract the contact information from the following text. If a field is not present, omit it.
-
-Text:
-{{text}}`,
-});
-
-// ─── AI SDK integration: generateObject with prompt ──────
-
-export const generateObjectWithPromptTask = task({
-  id: "generate-object-with-prompt",
-  run: async (payload: { text: string }) => {
-    const resolved = await extractContactPrompt.resolve({
-      text: payload.text,
-    });
-
-    const result = await generateObject({
-      model: openai(resolved.model ?? "gpt-4o-mini"),
-      system: resolved.text,
-      prompt: payload.text,
-      schema: z.object({
-        name: z.string().describe("Full name, or empty string if not found"),
-        email: z.string().describe("Email address, or empty string if not found"),
-        phone: z.string().describe("Phone number, or empty string if not found"),
-        company: z.string().describe("Company name, or empty string if not found"),
-        role: z.string().describe("Job title or role, or empty string if not found"),
-      }),
-      ...resolved.toAISDKTelemetry(),
-    });
-
-    logger.info("Contact extracted", {
-      promptVersion: resolved.version,
-      contact: result.object,
-    });
-
-    return { contact: result.object };
-  },
-});
-
-// ─── Prompt management SDK methods ───────────────────────
-
-export const testPromptManagement = task({
-  id: "test-prompt-management",
-  run: async () => {
-    // List all prompts
-    const allPrompts = await prompts.list();
-    logger.info("Listed prompts", { count: allPrompts.data.length, slugs: allPrompts.data.map((p) => p.slug) });
-
-    if (allPrompts.data.length === 0) {
-      return { success: false, reason: "No prompts found — deploy first" };
-    }
-
-    const slug = allPrompts.data[0].slug;
-
-    // List versions
-    const versions = await prompts.versions(slug);
-    logger.info("Listed versions", { slug, count: versions.data.length });
-
-    // Resolve the prompt (standalone, typesafe via generic)
-    const resolved = await prompts.resolve<typeof supportPrompt>("customer-support", {
-      customerName: "SDK Test",
-      plan: "Enterprise",
-      issue: "Testing management API",
-    });
-    logger.info("Resolved prompt standalone", { version: resolved.version, textLength: resolved.text.length });
-
-    // Create an override
-    const override = await prompts.createOverride(slug, {
-      textContent: "Override from SDK test: Hello {{customerName}} on {{plan}}!",
-      model: "gpt-4o-mini",
-      commitMessage: "SDK test override",
-    });
-    logger.info("Created override", { version: override.version });
-
-    // Resolve again — should get the override
-    const resolvedOverride = await prompts.resolve<typeof supportPrompt>("customer-support", {
-      customerName: "SDK Test",
-      plan: "Enterprise",
-      issue: "Testing override",
-    });
-    logger.info("Resolved with override", { version: resolvedOverride.version, text: resolvedOverride.text });
-
-    // Update the override
-    await prompts.updateOverride(slug, {
-      textContent: "Updated override: Hi {{customerName}} ({{plan}})!",
-      commitMessage: "SDK test update",
-    });
-    logger.info("Updated override");
-
-    // Remove the override
-    await prompts.removeOverride(slug);
-    logger.info("Removed override");
-
-    // Promote the first version to current
-    if (versions.data.length > 0) {
-      const v = versions.data[versions.data.length - 1].version; // oldest version
-      await prompts.promote(slug, v);
-      logger.info("Promoted version", { version: v });
-    }
-
-    return { success: true, slug, versionsCount: versions.data.length };
-  },
-});
diff --git a/references/hello-world/src/trigger/public-access-tokens.ts b/references/hello-world/src/trigger/public-access-tokens.ts
deleted file mode 100644
index ddf1ac485b6..00000000000
--- a/references/hello-world/src/trigger/public-access-tokens.ts
+++ /dev/null
@@ -1,21 +0,0 @@
-import { auth, batch, logger, runs, task, tasks, timeout, wait } from "@trigger.dev/sdk";
-
-export const publicAccessTokensTask = task({
-  id: "public-access-tokens",
-  run: async (payload: any, { ctx }) => {
-    const token = await auth.createPublicToken({
-      scopes: {
-        read: {
-          runs: [ctx.run.id],
-        },
-      },
-    });
-
-    logger.info("Token", { token });
-
-    await auth.withAuth({ accessToken: token }, async () => {
-      const run = await runs.retrieve(ctx.run.id);
-      logger.info("Run", { run });
-    });
-  },
-});
diff --git a/references/hello-world/src/trigger/query.ts b/references/hello-world/src/trigger/query.ts
deleted file mode 100644
index bad268470c2..00000000000
--- a/references/hello-world/src/trigger/query.ts
+++ /dev/null
@@ -1,183 +0,0 @@
-import { logger, query, task } from "@trigger.dev/sdk";
-import type { QueryTable } from "@trigger.dev/sdk";
-
-// Simple query example - tests different from/to formats
-export const simpleQueryTask = task({
-  id: "simple-query",
-  run: async () => {
-    logger.info("Running simple query example");
-
-    // 1. Default: no from/to, uses default period
-    const defaultResult = await query.execute("SELECT * FROM runs LIMIT 5");
-    logger.info("Default (no from/to)", {
-      rowCount: defaultResult.results.length,
-      firstRow: defaultResult.results[0],
-    });
-
-    // 2. Using Date objects for from/to
-    const withDates = await query.execute<
-      QueryTable<"runs", "run_id" | "status" | "triggered_at">
-    >("SELECT run_id, status, triggered_at FROM runs LIMIT 5", {
-      from: new Date("2025-01-01T00:00:00Z"),
-      to: new Date(),
-    });
-    logger.info("With Date objects", {
-      rowCount: withDates.results.length,
-      firstRow: withDates.results[0],
-    });
-
-    // 3. Using Unix timestamps in milliseconds (Date.now() returns ms)
-    const now = Date.now();
-    const sevenDaysAgo = now - 7 * 24 * 60 * 60 * 1000;
-    const withTimestamps = await query.execute<
-      QueryTable<"runs", "run_id" | "status" | "triggered_at">
-    >("SELECT run_id, status, triggered_at FROM runs LIMIT 5", {
-      from: sevenDaysAgo,
-      to: now,
-    });
-    logger.info("With Unix timestamps (ms)", {
-      rowCount: withTimestamps.results.length,
-      firstRow: withTimestamps.results[0],
-    });
-
-    // 4. Mixing Date and number
-    const mixed = await query.execute<
-      QueryTable<"runs", "run_id" | "status" | "triggered_at">
-    >("SELECT run_id, status, triggered_at FROM runs LIMIT 5", {
-      from: new Date("2025-01-01"),
-      to: Date.now(),
-    });
-    logger.info("Mixed Date + timestamp", {
-      rowCount: mixed.results.length,
-      firstRow: mixed.results[0],
-    });
-
-    return {
-      defaultRows: defaultResult.results.length,
-      dateRows: withDates.results.length,
-      timestampRows: withTimestamps.results.length,
-      mixedRows: mixed.results.length,
-    };
-  },
-});
-
-// JSON query with all options - aggregation queries use inline types
-export const fullJsonQueryTask = task({
-  id: "full-json-query",
-  run: async () => {
-    logger.info("Running full JSON query example with all options");
-
-    // For aggregation queries, use inline types since the result shape
-    // doesn't match a table row. For non-aggregated queries, use QueryTable.
-    const result = await query.execute<{
-      status: string;
-      count: number;
-      avg_duration: number;
-    }>(
-      `SELECT
-        status,
-        COUNT(*) as count,
-        AVG(total_duration) as avg_duration
-      FROM runs
-      WHERE status IN ('Completed', 'Failed')
-      GROUP BY status`,
-      {
-        scope: "environment", // Query current environment only
-        period: "30d", // Last 30 days of data
-        // format defaults to "json"
-      }
-    );
-
-    logger.info("Query completed", {
-      format: result.format,
-      rowCount: result.results.length,
-    });
-
-    // Log the aggregated results - now fully type-safe!
-    result.results.forEach((row) => {
-      logger.info("Status breakdown", {
-        status: row.status, // string
-        count: row.count, // number
-        averageDuration: row.avg_duration, // number
-      });
-    });
-
-    return {
-      summary: result.results,
-    };
-  },
-});
-
-// CSV export example
-export const csvQueryTask = task({
-  id: "csv-query",
-  run: async () => {
-    logger.info("Running CSV query example");
-
-    // Query with CSV format - automatically typed as discriminated union!
-    const result = await query.execute(
-      "SELECT run_id, status, triggered_at, total_duration FROM runs LIMIT 10",
-      {
-        scope: "project", // Query all environments in the project
-        period: "7d", // Last 7 days
-        format: "csv", // CSV format
-      }
-    );
-
-    // result.format is "csv" and result.results is automatically typed as string!
-    logger.info("CSV query completed", {
-      format: result.format,
-      dataLength: result.results.length,
-      results: result.results,
-    });
-
-    return {
-      format: result.format,
-      csv: result.results,
-    };
-  },
-});
-
-// Organization-wide query with QueryTable for full row access
-export const orgQueryTask = task({
-  id: "org-query",
-  run: async () => {
-    logger.info("Running organization-wide query");
-
-    // Use QueryTable to get typed rows for specific columns
-    const result = await query.execute<
-      QueryTable<"runs", "run_id" | "project" | "environment" | "status" | "task_identifier" | "machine">
-    >(
-      `SELECT run_id, project, environment, status, task_identifier, machine
-      FROM runs
-      ORDER BY triggered_at DESC
-      LIMIT 50`,
-      {
-        scope: "organization", // Query across all projects
-        from: new Date("2025-02-01T00:00:00Z"), // Custom date range
-        to: new Date("2025-02-11T23:59:59Z"),
-      }
-    );
-
-    logger.info("Organization query completed", {
-      format: result.format,
-      runCount: result.results.length,
-    });
-
-    // Fully typed - status is RunFriendlyStatus, machine is MachinePresetName
-    result.results.forEach((row) => {
-      logger.info("Run info", {
-        runId: row.run_id, // string
-        project: row.project, // string
-        environment: row.environment, // string
-        status: row.status, // "Completed" | "Failed" | "Executing" | ...
-        task: row.task_identifier, // string
-        machine: row.machine, // "micro" | "small-1x" | "small-2x" | ...
-      });
-    });
-
-    return {
-      runs: result.results,
-    };
-  },
-});
diff --git a/references/hello-world/src/trigger/queues.ts b/references/hello-world/src/trigger/queues.ts
deleted file mode 100644
index 69c4216b97b..00000000000
--- a/references/hello-world/src/trigger/queues.ts
+++ /dev/null
@@ -1,333 +0,0 @@
-import { batch, logger, queue, queues, runs, task, tasks } from "@trigger.dev/sdk/v3";
-
-export const queuesTester = task({
-  id: "queues-tester",
-  run: async (payload: any, { ctx }) => {
-    const q = await queues.list();
-
-    for await (const queue of q) {
-      logger.log("Queue", { queue });
-    }
-
-    const retrievedFromId = await queues.retrieve(ctx.queue.id);
-    logger.log("Retrieved from ID", { retrievedFromId });
-
-    const retrievedFromCtxName = await queues.retrieve({
-      type: "task",
-      name: ctx.queue.name,
-    });
-    logger.log("Retrieved from name", { retrievedFromCtxName });
-
-    //pause the queue
-    const pausedQueue = await queues.pause({
-      type: "task",
-      name: "queues-tester",
-    });
-    logger.log("Paused queue", { pausedQueue });
-
-    const retrievedFromName = await queues.retrieve({
-      type: "task",
-      name: "queues-tester",
-    });
-    logger.log("Retrieved from name", { retrievedFromName });
-
-    //resume the queue
-    const resumedQueue = await queues.resume({
-      type: "task",
-      name: "queues-tester",
-    });
-    logger.log("Resumed queue", { resumedQueue });
-
-    const overriddenQueue = await queues.overrideConcurrencyLimit(
-      {
-        type: "task",
-        name: "queues-tester",
-      },
-      10
-    );
-    logger.log("Overridden queue", { overriddenQueue });
-
-    const resetQueue = await queues.resetConcurrencyLimit({
-      type: "task",
-      name: "queues-tester",
-    });
-
-    logger.log("Reset queue", { resetQueue });
-  },
-});
-
-const myCustomQueue = queue({
-  name: "my-custom-queue",
-  concurrencyLimit: 1,
-});
-
-export const otherQueueTask = task({
-  id: "other-queue-task",
-  queue: myCustomQueue,
-  run: async (payload: any, { ctx }) => {
-    logger.log("Other queue task", { payload });
-  },
-});
-
-import { setTimeout } from "node:timers/promises";
-
-type Payload = {
-  id: string;
-  waitSeconds: number;
-};
-
-export const myQueue = queue({
-  name: "shared-queue",
-  concurrencyLimit: 2,
-});
-
-// First task type that uses shared queue
-export const sharedQueueTask1 = task({
-  id: "shared-queue-task-1",
-  queue: myQueue,
-  run: async (payload: Payload) => {
-    const startedAt = Date.now();
-    logger.info(`Task1 ${payload.id} started at ${startedAt}`);
-
-    await setTimeout(payload.waitSeconds * 1000);
-
-    const completedAt = Date.now();
-    logger.info(`Task1 ${payload.id} completed at ${completedAt}`);
-
-    return {
-      id: payload.id,
-      startedAt,
-      completedAt,
-    };
-  },
-});
-
-// Second task type that uses the same queue
-export const sharedQueueTask2 = task({
-  id: "shared-queue-task-2",
-  queue: myQueue,
-  run: async (payload: Payload) => {
-    const startedAt = Date.now();
-    logger.info(`Task2 ${payload.id} started at ${startedAt}`);
-
-    await setTimeout(payload.waitSeconds * 1000);
-
-    const completedAt = Date.now();
-    logger.info(`Task2 ${payload.id} completed at ${completedAt}`);
-
-    return {
-      id: payload.id,
-      startedAt,
-      completedAt,
-    };
-  },
-});
-
-export const sharedQueueTask3 = task({
-  id: "shared-queue-task-3",
-  queue: myQueue,
-  run: async (payload: Payload) => {
-    const startedAt = Date.now();
-    logger.info(`Task2 ${payload.id} started at ${startedAt}`);
-
-    await setTimeout(payload.waitSeconds * 1000);
-
-    const completedAt = Date.now();
-    logger.info(`Task2 ${payload.id} completed at ${completedAt}`);
-
-    return {
-      id: payload.id,
-      startedAt,
-      completedAt,
-    };
-  },
-});
-
-export const sharedQueueTask4 = task({
-  id: "shared-queue-task-4",
-  queue: myQueue,
-  run: async (payload: Payload) => {
-    const startedAt = Date.now();
-    logger.info(`Task2 ${payload.id} started at ${startedAt}`);
-
-    await setTimeout(payload.waitSeconds * 1000);
-
-    const completedAt = Date.now();
-    logger.info(`Task2 ${payload.id} completed at ${completedAt}`);
-
-    return {
-      id: payload.id,
-      startedAt,
-      completedAt,
-    };
-  },
-});
-
-export const sharedQueueTask5 = task({
-  id: "shared-queue-task-5",
-  queue: myQueue,
-  run: async (payload: Payload) => {
-    const startedAt = Date.now();
-    logger.info(`Task2 ${payload.id} started at ${startedAt}`);
-
-    await setTimeout(payload.waitSeconds * 1000);
-
-    const completedAt = Date.now();
-    logger.info(`Task2 ${payload.id} completed at ${completedAt}`);
-
-    return {
-      id: payload.id,
-      startedAt,
-      completedAt,
-    };
-  },
-});
-
-// Test task that verifies shared queue concurrency
-export const sharedQueueTestTask = task({
-  id: "shared-queue-test",
-  retry: {
-    maxAttempts: 1,
-  },
-  // 4 minutes
-  maxDuration: 240,
-  run: async (payload, { ctx }) => {
-    logger.info("Starting shared queue concurrency test");
-
-    // Trigger mix of both task types (5 total tasks)
-    // With concurrencyLimit: 2, we expect only 2 running at once
-    // regardless of task type
-    const results = await batch.triggerAndWait([
-      { id: sharedQueueTask1.id, payload: { id: "t1-1", waitSeconds: 4 } },
-      { id: sharedQueueTask2.id, payload: { id: "t2-1", waitSeconds: 4 } },
-      { id: sharedQueueTask1.id, payload: { id: "t1-2", waitSeconds: 4 } },
-      { id: sharedQueueTask2.id, payload: { id: "t2-2", waitSeconds: 4 } },
-      { id: sharedQueueTask1.id, payload: { id: "t1-3", waitSeconds: 4 } },
-    ]);
-
-    // Verify all tasks completed successfully
-    if (!results.runs.every((r) => r.ok)) {
-      throw new Error("One or more tasks failed");
-    }
-
-    // Get all executions sorted by start time
-    const executions = results.runs.map((r) => r.output).sort((a, b) => a.startedAt - b.startedAt);
-
-    // For each point in time, count how many tasks were running
-    let maxConcurrent = 0;
-    for (let i = 0; i < executions.length; i++) {
-      const current = executions[i];
-      const concurrent =
-        executions.filter(
-          (task) =>
-            task.id !== current.id && // not the same task
-            task.startedAt <= current.startedAt && // started before or at same time
-            task.completedAt >= current.startedAt // hadn't completed yet
-        ).length + 1; // +1 for current task
-
-      maxConcurrent = Math.max(maxConcurrent, concurrent);
-    }
-
-    // Verify we never exceeded the concurrency limit
-    if (maxConcurrent > 2) {
-      throw new Error(`Expected maximum of 2 concurrent tasks, but found ${maxConcurrent}`);
-    }
-
-    // Verify tasks from both types were able to run
-    const task1Runs = executions.filter((e) => e.id.startsWith("t1-")).length;
-    const task2Runs = executions.filter((e) => e.id.startsWith("t2-")).length;
-
-    if (task1Runs === 0 || task2Runs === 0) {
-      throw new Error(
-        `Expected both task types to run, but got ${task1Runs} task1 runs and ${task2Runs} task2 runs`
-      );
-    }
-
-    return {
-      executions,
-      maxConcurrent,
-      task1Count: task1Runs,
-      task2Count: task2Runs,
-    };
-  },
-});
-
-export const lockedQueueTask = task({
-  id: "locked-queue-task",
-  run: async (payload: any) => {
-    logger.log("Locked queue task", { payload });
-
-    await lockedQueueChildTask.trigger({}, { queue: "queue_does_not_exist" });
-    await lockedQueueChildTask.triggerAndWait({}, { queue: "queue_does_not_exist" });
-  },
-});
-
-export const lockedQueueChildTask = task({
-  id: "locked-queue-child-task",
-  run: async (payload: any) => {
-    logger.log("Locked queue child task", { payload });
-  },
-});
-
-export const lockedTaskIdentifierTask = task({
-  id: "locked-task-identifier-task",
-  run: async (payload: any) => {
-    logger.log("Locked task identifier task", { payload });
-
-    await tasks.trigger("task_does_not_exist", {});
-    await tasks.triggerAndWait("task_does_not_exist", {});
-  },
-});
-
-export const testQueuesConcurrencyOverrideTask = task({
-  id: "test-queues-concurrency-override-task",
-  run: async (payload: any) => {
-    logger.log("Test queues concurrency override task", { payload });
-
-    const handle1 = await testQueuesConcurrencyOverrideChildTask.trigger({});
-    const handle2 = await testQueuesConcurrencyOverrideChildTask.trigger({});
-
-    const result1 = await runs.poll(handle1.id);
-    const result2 = await runs.poll(handle2.id);
-
-    logger.log("Test queues concurrency override task results", { result1, result2 });
-
-    const handle3 = await testQueuesConcurrencyOverrideChildTask.trigger({});
-    const handle4 = await testQueuesConcurrencyOverrideChildTask.trigger({});
-
-    const overriddenQueue = await queues.overrideConcurrencyLimit(
-      {
-        type: "custom",
-        name: "test-queues-concurrency-override-queue",
-      },
-      2
-    );
-
-    logger.log("Overridden queue", { overriddenQueue });
-
-    const result3 = await runs.poll(handle3.id);
-    const result4 = await runs.poll(handle4.id);
-
-    logger.log("Test queues concurrency override task results", { result3, result4 });
-
-    const resetQueue = await queues.resetConcurrencyLimit({
-      type: "custom",
-      name: "test-queues-concurrency-override-queue",
-    });
-
-    logger.log("Reset queue", { resetQueue });
-  },
-});
-
-export const testQueuesConcurrencyOverrideChildTask = task({
-  id: "test-queues-concurrency-override-child-task",
-  queue: {
-    name: "test-queues-concurrency-override-queue",
-    concurrencyLimit: 1,
-  },
-  run: async (payload: any) => {
-    logger.log("Test queues concurrency override child task", { payload });
-
-    await setTimeout(10000);
-  },
-});
diff --git a/references/hello-world/src/trigger/rateLimitStress.ts b/references/hello-world/src/trigger/rateLimitStress.ts
deleted file mode 100644
index cb2c20c5798..00000000000
--- a/references/hello-world/src/trigger/rateLimitStress.ts
+++ /dev/null
@@ -1,257 +0,0 @@
-import { logger, task, tasks, RateLimitError } from "@trigger.dev/sdk/v3";
-import { setTimeout } from "timers/promises";
-
-/**
- * A simple no-op task that does minimal work.
- * Used as the target for rate limit stress testing.
- */
-export const noopTask = task({
-  id: "noop-task",
-  retry: { maxAttempts: 1 },
-  run: async (payload: { index: number }) => {
-    return { index: payload.index, timestamp: Date.now() };
-  },
-});
-
-/**
- * Stress test task that triggers many runs rapidly to hit the API rate limit.
- * Fires triggers as fast as possible for a set duration, then stops.
- *
- * Note: Already-triggered runs will continue to execute after the test completes.
- *
- * Default rate limits (per environment API key):
- * - Free: 1,200 runs bucket, refills 100 runs/10 sec
- * - Hobby/Pro: 5,000 runs bucket, refills 500 runs/5 sec
- *
- * Run with: `npx trigger.dev@latest dev` then trigger this task from the dashboard
- */
-export const rateLimitStressTest = task({
-  id: "rate-limit-stress-test",
-  maxDuration: 120,
-  run: async (payload: {
-    /** How long to run the test in seconds (default: 5) */
-    durationSeconds?: number;
-    /** How many triggers to fire in parallel per batch (default: 100) */
-    batchSize?: number;
-  }) => {
-    const durationSeconds = payload.durationSeconds ?? 5;
-    const batchSize = payload.batchSize ?? 100;
-    const durationMs = durationSeconds * 1000;
-
-    logger.info("Starting rate limit stress test", {
-      durationSeconds,
-      batchSize,
-    });
-
-    const start = Date.now();
-    let totalAttempted = 0;
-    let totalSuccess = 0;
-    let totalRateLimited = 0;
-    let totalOtherErrors = 0;
-    let batchCount = 0;
-
-    // Keep firing batches until time runs out
-    while (Date.now() - start < durationMs) {
-      batchCount++;
-      const batchStart = Date.now();
-      const elapsed = batchStart - start;
-      const remaining = durationMs - elapsed;
-
-      logger.info(`Batch ${batchCount} starting`, {
-        elapsedMs: elapsed,
-        remainingMs: remaining,
-        totalAttempted,
-        totalSuccess,
-        totalRateLimited,
-      });
-
-      // Fire a batch of triggers
-      const promises = Array.from({ length: batchSize }, async (_, i) => {
-        // Check if we've exceeded time before each trigger
-        if (Date.now() - start >= durationMs) {
-          return { skipped: true };
-        }
-
-        const index = totalAttempted + i;
-        try {
-          await tasks.trigger<typeof noopTask>("noop-task", { index });
-          return { success: true, rateLimited: false };
-        } catch (error) {
-          if (error instanceof RateLimitError) {
-            return { success: false, rateLimited: true, resetInMs: error.millisecondsUntilReset };
-          }
-          return { success: false, rateLimited: false };
-        }
-      });
-
-      const results = await Promise.all(promises);
-
-      const batchSuccess = results.filter((r) => "success" in r && r.success).length;
-      const batchRateLimited = results.filter((r) => "rateLimited" in r && r.rateLimited).length;
-      const batchOtherErrors = results.filter(
-        (r) => "success" in r && !r.success && !("rateLimited" in r && r.rateLimited)
-      ).length;
-      const batchSkipped = results.filter((r) => "skipped" in r && r.skipped).length;
-
-      totalAttempted += batchSize - batchSkipped;
-      totalSuccess += batchSuccess;
-      totalRateLimited += batchRateLimited;
-      totalOtherErrors += batchOtherErrors;
-
-      // Log rate limit hits
-      const rateLimitedResult = results.find((r) => "rateLimited" in r && r.rateLimited);
-      if (rateLimitedResult && "resetInMs" in rateLimitedResult) {
-        logger.warn("Rate limit hit!", {
-          batch: batchCount,
-          resetInMs: rateLimitedResult.resetInMs,
-          totalRateLimited,
-        });
-      }
-
-      // Small delay between batches to not overwhelm
-      await setTimeout(50);
-    }
-
-    const duration = Date.now() - start;
-
-    logger.info("Stress test completed", {
-      actualDurationMs: duration,
-      totalAttempted,
-      totalSuccess,
-      totalRateLimited,
-      totalOtherErrors,
-      batchCount,
-    });
-
-    return {
-      config: {
-        durationSeconds,
-        batchSize,
-      },
-      results: {
-        actualDurationMs: duration,
-        totalAttempted,
-        totalSuccess,
-        totalRateLimited,
-        totalOtherErrors,
-        batchCount,
-        hitRateLimit: totalRateLimited > 0,
-        triggersPerSecond: Math.round((totalAttempted / duration) * 1000),
-      },
-    };
-  },
-});
-
-/**
- * Sustained load test - maintains a steady rate of triggers over time.
- * Useful for seeing how rate limits behave under sustained load.
- *
- * Note: Successfully triggered runs will continue executing after this test completes.
- */
-export const sustainedLoadTest = task({
-  id: "sustained-load-test",
-  maxDuration: 300,
-  run: async (payload: {
-    /** Triggers per second to attempt (default: 100) */
-    triggersPerSecond?: number;
-    /** Duration in seconds (default: 20) */
-    durationSeconds?: number;
-  }) => {
-    const triggersPerSecond = payload.triggersPerSecond ?? 100;
-    const durationSeconds = payload.durationSeconds ?? 20;
-
-    const intervalMs = 1000 / triggersPerSecond;
-    const totalTriggers = triggersPerSecond * durationSeconds;
-
-    logger.info("Starting sustained load test", {
-      triggersPerSecond,
-      durationSeconds,
-      totalTriggers,
-      intervalMs,
-    });
-
-    const results: Array<{
-      index: number;
-      success: boolean;
-      rateLimited: boolean;
-      timestamp: number;
-    }> = [];
-
-    const start = Date.now();
-    let index = 0;
-
-    while (Date.now() - start < durationSeconds * 1000 && index < totalTriggers) {
-      const triggerStart = Date.now();
-
-      try {
-        await tasks.trigger<typeof noopTask>("noop-task", { index });
-        results.push({
-          index,
-          success: true,
-          rateLimited: false,
-          timestamp: Date.now() - start,
-        });
-      } catch (error) {
-        results.push({
-          index,
-          success: false,
-          rateLimited: error instanceof RateLimitError,
-          timestamp: Date.now() - start,
-        });
-
-        if (error instanceof RateLimitError) {
-          logger.warn("Rate limit hit during sustained load", {
-            index,
-            timestamp: Date.now() - start,
-            resetInMs: error.millisecondsUntilReset,
-          });
-        }
-      }
-
-      index++;
-
-      // Maintain the target rate
-      const elapsed = Date.now() - triggerStart;
-      const sleepTime = Math.max(0, intervalMs - elapsed);
-      if (sleepTime > 0) {
-        await setTimeout(sleepTime);
-      }
-    }
-
-    const duration = Date.now() - start;
-    const successCount = results.filter((r) => r.success).length;
-    const rateLimitedCount = results.filter((r) => r.rateLimited).length;
-
-    // Find when rate limiting started (if at all)
-    const firstRateLimited = results.find((r) => r.rateLimited);
-
-    logger.info("Sustained load test completed", {
-      actualDuration: duration,
-      actualTriggers: results.length,
-      successCount,
-      rateLimitedCount,
-      actualRate: Math.round((results.length / duration) * 1000),
-    });
-
-    return {
-      config: {
-        targetTriggersPerSecond: triggersPerSecond,
-        targetDurationSeconds: durationSeconds,
-      },
-      results: {
-        actualDuration: duration,
-        actualTriggers: results.length,
-        successCount,
-        rateLimitedCount,
-        actualRate: Math.round((results.length / duration) * 1000),
-        hitRateLimit: rateLimitedCount > 0,
-        firstRateLimitedAt: firstRateLimited
-          ? {
-              index: firstRateLimited.index,
-              timestampMs: firstRateLimited.timestamp,
-            }
-          : null,
-      },
-    };
-  },
-});
diff --git a/references/hello-world/src/trigger/realtime.ts b/references/hello-world/src/trigger/realtime.ts
deleted file mode 100644
index 3bd051f6a95..00000000000
--- a/references/hello-world/src/trigger/realtime.ts
+++ /dev/null
@@ -1,128 +0,0 @@
-import { logger, metadata, runs, task } from "@trigger.dev/sdk";
-import { helloWorldTask } from "./example.js";
-import { setTimeout } from "timers/promises";
-
-export const realtimeByTagsTask = task({
-  id: "realtime-by-tags",
-  run: async (payload: any, { ctx, signal }) => {
-    await helloWorldTask.trigger(
-      { hello: "world" },
-      {
-        tags: ["hello-world", "realtime"],
-      }
-    );
-
-    const timeoutSignal = AbortSignal.timeout(10000);
-
-    const $signal = AbortSignal.any([signal, timeoutSignal]);
-
-    $signal.addEventListener("abort", () => {
-      logger.info("signal aborted");
-    });
-
-    for await (const run of runs.subscribeToRunsWithTag(
-      "hello-world",
-      { createdAt: "2m", skipColumns: ["payload", "output", "number"] },
-      { signal: $signal }
-    )) {
-      logger.info("run", { run });
-    }
-
-    return {
-      message: "Hello, world!",
-    };
-  },
-});
-
-export const realtimeUpToDateTask = task({
-  id: "realtime-up-to-date",
-  run: async ({ runId }: { runId?: string }) => {
-    if (!runId) {
-      const handle = await helloWorldTask.trigger(
-        { hello: "world", sleepFor: 1000 },
-        {
-          tags: ["hello-world", "realtime"],
-        }
-      );
-
-      runId = handle.id;
-    }
-
-    logger.info("runId", { runId });
-
-    for await (const run of runs.subscribeToRun(runId, { stopOnCompletion: true })) {
-      logger.info("run", { run });
-    }
-
-    return {
-      message: "Hello, world!",
-    };
-  },
-});
-
-export const realtimeStreamsTask = task({
-  id: "realtime-streams",
-  run: async () => {
-    const mockStream = createStreamFromGenerator(generateMockData(5 * 60 * 1000));
-
-    const stream = await metadata.stream("mock-data", mockStream);
-
-    for await (const chunk of stream) {
-      logger.info("Received chunk", { chunk });
-    }
-
-    return {
-      message: "Hello, world!",
-    };
-  },
-});
-
-export const realtimeStreamsV2Task = task({
-  id: "realtime-streams-v2",
-  run: async () => {
-    const mockStream1 = createStreamFromGenerator(generateMockData(10_000));
-
-    await metadata.stream("mock-data", mockStream1);
-
-    await setTimeout(5000); // Offset by 5 seconds
-
-    const mockStream2 = createStreamFromGenerator(generateMockData(10_000));
-    const stream2 = await metadata.stream("mock-data", mockStream2);
-
-    for await (const chunk of stream2) {
-      logger.info("Received chunk", { chunk });
-    }
-
-    return {
-      message: "Hello, world!",
-    };
-  },
-});
-
-async function* generateMockData(durationMs: number = 5 * 60 * 1000) {
-  const chunkInterval = 1000;
-  const totalChunks = Math.floor(durationMs / chunkInterval);
-
-  for (let i = 0; i < totalChunks; i++) {
-    await setTimeout(chunkInterval);
-
-    yield JSON.stringify({
-      chunk: i + 1,
-      timestamp: new Date().toISOString(),
-      data: `Mock data chunk ${i + 1}`,
-    }) + "\n";
-  }
-}
-
-// Convert to ReadableStream
-function createStreamFromGenerator(generator: AsyncGenerator<string>) {
-  return new ReadableStream({
-    async start(controller) {
-      for await (const chunk of generator) {
-        controller.enqueue(chunk);
-      }
-
-      controller.close();
-    },
-  });
-}
diff --git a/references/hello-world/src/trigger/regions.ts b/references/hello-world/src/trigger/regions.ts
deleted file mode 100644
index 2c31fbb9dc6..00000000000
--- a/references/hello-world/src/trigger/regions.ts
+++ /dev/null
@@ -1,9 +0,0 @@
-import { task } from "@trigger.dev/sdk";
-import { fixedLengthTask } from "./batches.js";
-
-export const regionsTask = task({
-  id: "regions",
-  run: async ({ region }: { region?: string }, { ctx }) => {
-    await fixedLengthTask.triggerAndWait({ waitSeconds: 1 }, { region });
-  },
-});
diff --git a/references/hello-world/src/trigger/release-concurrency.ts b/references/hello-world/src/trigger/release-concurrency.ts
deleted file mode 100644
index 42a22ff9f91..00000000000
--- a/references/hello-world/src/trigger/release-concurrency.ts
+++ /dev/null
@@ -1,168 +0,0 @@
-import { batch, logger, queue, task, wait } from "@trigger.dev/sdk";
-import assert from "node:assert";
-import { setTimeout } from "node:timers/promises";
-
-// Queue with concurrency limit and release enabled
-const releaseEnabledQueue = queue({
-  name: "release-concurrency-test-queue-enabled",
-  concurrencyLimit: 2,
-});
-
-// Queue with concurrency limit but release disabled
-const releaseDisabledQueue = queue({
-  name: "release-concurrency-test-queue-disabled",
-  concurrencyLimit: 2,
-});
-
-// Task that runs on the release-enabled queue
-const releaseEnabledTask = task({
-  id: "release-concurrency-enabled-task",
-  queue: releaseEnabledQueue,
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (payload: { id: string; waitSeconds: number }, { ctx }) => {
-    const startedAt = Date.now();
-    logger.info(`Run ${payload.id} started at ${startedAt}`);
-
-    // Wait and release concurrency
-    await wait.for({ seconds: payload.waitSeconds });
-
-    const resumedAt = Date.now();
-    await setTimeout(2000); // Additional work after resuming
-    const completedAt = Date.now();
-
-    return { id: payload.id, startedAt, resumedAt, completedAt };
-  },
-});
-
-// Task that runs on the release-disabled queue
-const releaseDisabledTask = task({
-  id: "release-concurrency-disabled-task",
-  queue: releaseDisabledQueue,
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (payload: { id: string; waitSeconds: number }, { ctx }) => {
-    const startedAt = Date.now();
-    logger.info(`Run ${payload.id} started ${startedAt}`);
-
-    // Wait without releasing concurrency
-    await wait.for({ seconds: payload.waitSeconds });
-
-    const resumedAt = Date.now();
-    await setTimeout(2000);
-    const completedAt = Date.now();
-
-    return { id: payload.id, startedAt, resumedAt, completedAt };
-  },
-});
-
-// Main test task
-export const waitReleaseConcurrencyTestTask = task({
-  id: "wait-release-concurrency-test",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (payload, { ctx }) => {
-    logger.info("Starting wait release concurrency test");
-
-    // Test 1: Queue with release enabled
-    logger.info("Testing queue with release enabled");
-    const enabledResults = await batch.triggerAndWait([
-      { id: releaseEnabledTask.id, payload: { id: "e1", waitSeconds: 6 } },
-      { id: releaseEnabledTask.id, payload: { id: "e2", waitSeconds: 6 } },
-      { id: releaseEnabledTask.id, payload: { id: "e3", waitSeconds: 6 } },
-    ]);
-
-    // Verify all tasks completed
-    assert(
-      enabledResults.runs.every((r) => r.ok),
-      "All enabled tasks should complete"
-    );
-
-    // Get executions sorted by start time
-    const enabledExecutions = enabledResults.runs
-      .map((r) => r.output)
-      .sort((a, b) => a.startedAt - b.startedAt);
-
-    // Verify that task e3 could start before e1 and e2 completed
-    // (because concurrency was released during wait)
-    const e3 = enabledExecutions.find((e) => e.id === "e3");
-    const e1e2CompletedAt = Math.max(
-      ...enabledExecutions.filter((e) => ["e1", "e2"].includes(e.id)).map((e) => e.completedAt)
-    );
-
-    assert(
-      e3.startedAt < e1e2CompletedAt,
-      "Task e3 should start before e1/e2 complete due to released concurrency"
-    );
-
-    logger.info("✅ test with release enabled");
-
-    // Test 2: Queue with release disabled
-    logger.info("Testing queue with release disabled");
-    const disabledResults = await batch.triggerAndWait([
-      { id: releaseDisabledTask.id, payload: { id: "d1", waitSeconds: 6 } },
-      { id: releaseDisabledTask.id, payload: { id: "d2", waitSeconds: 6 } },
-      { id: releaseDisabledTask.id, payload: { id: "d3", waitSeconds: 6 } },
-    ]);
-
-    // Verify all tasks completed
-    assert(
-      disabledResults.runs.every((r) => r.ok),
-      "All disabled tasks should complete"
-    );
-
-    // Get executions sorted by start time
-    const disabledExecutions = disabledResults.runs
-      .map((r) => r.output)
-      .sort((a, b) => a.startedAt - b.startedAt);
-
-    // Verify that task d3 could NOT start before d1 or d2 completed
-    // (because concurrency was not released during wait)
-    const d3 = disabledExecutions.find((e) => e.id === "d3");
-    const d1d2CompletedAt = Math.max(
-      ...disabledExecutions.filter((e) => ["d1", "d2"].includes(e.id)).map((e) => e.completedAt)
-    );
-
-    assert(
-      d3.startedAt >= d1d2CompletedAt,
-      "Task d3 should not start before d1/d2 complete when concurrency is not released"
-    );
-
-    logger.info("✅ test with release disabled");
-
-    return {
-      enabledQueueResults: {
-        executions: enabledExecutions,
-        concurrencyReleased: true,
-      },
-      disabledQueueResults: {
-        executions: disabledExecutions,
-        concurrencyReleased: false,
-      },
-    };
-  },
-});
-
-export const batchTriggerAndWaitReleaseConcurrency = task({
-  id: "batch-trigger-and-wait-release-concurrency",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (payload, { ctx }) => {
-    return await batch.triggerAndWait([
-      { id: batchTriggerAndWaitChildTask.id, payload: { waitSeconds: 1 } },
-      { id: batchTriggerAndWaitChildTask.id, payload: { waitSeconds: 1 } },
-      { id: batchTriggerAndWaitChildTask.id, payload: { waitSeconds: 1 } },
-    ]);
-  },
-});
-
-const batchTriggerAndWaitChildTask = task({
-  id: "batch-trigger-and-wait-child-task",
-  run: async (payload: { waitSeconds: number }, { ctx }) => {
-    await setTimeout(payload.waitSeconds * 1000);
-  },
-});
diff --git a/references/hello-world/src/trigger/retry.ts b/references/hello-world/src/trigger/retry.ts
deleted file mode 100644
index 02ea019b351..00000000000
--- a/references/hello-world/src/trigger/retry.ts
+++ /dev/null
@@ -1,37 +0,0 @@
-import { logger, task } from "@trigger.dev/sdk";
-
-type RetryPayload = {
-  failCount: number;
-};
-
-export const retryTask = task({
-  id: "retry-task",
-  // Configure 5 retries with exponential backoff
-  retry: {
-    maxAttempts: 5,
-    factor: 1.8,
-    minTimeoutInMs: 20,
-    maxTimeoutInMs: 100,
-    randomize: false,
-  },
-  run: async (payload: RetryPayload, { ctx }) => {
-    const currentAttempt = ctx.attempt.number;
-    logger.info("Running retry task", {
-      currentAttempt,
-      desiredFailCount: payload.failCount,
-    });
-
-    // If we haven't reached the desired number of failures yet, throw an error
-    if (currentAttempt <= payload.failCount) {
-      const error = new Error(`Intentionally failing attempt ${currentAttempt}`);
-      logger.warn("Task failing", { error, currentAttempt });
-      throw error;
-    }
-
-    // If we've made it past the desired fail count, return success
-    logger.info("Task succeeded", { currentAttempt });
-    return {
-      attemptsTaken: currentAttempt,
-    };
-  },
-});
diff --git a/references/hello-world/src/trigger/schedule.ts b/references/hello-world/src/trigger/schedule.ts
deleted file mode 100644
index 46a7d9a18ce..00000000000
--- a/references/hello-world/src/trigger/schedule.ts
+++ /dev/null
@@ -1,12 +0,0 @@
-import { schedules } from "@trigger.dev/sdk/v3";
-
-export const simpleSchedule = schedules.task({
-  id: "simple-schedule",
-  cron: "0 0 * * *",
-  ttl: "30m",
-  run: async (payload, { ctx }) => {
-    return {
-      message: "Hello, world!",
-    };
-  },
-});
diff --git a/references/hello-world/src/trigger/sdk.ts b/references/hello-world/src/trigger/sdk.ts
deleted file mode 100644
index b124aa1452c..00000000000
--- a/references/hello-world/src/trigger/sdk.ts
+++ /dev/null
@@ -1,39 +0,0 @@
-import { logger, runs, task } from "@trigger.dev/sdk";
-
-export const sdkMethods = task({
-  id: "sdk-methods",
-  run: async (payload: any, { ctx }) => {
-    for await (const run of runs.list({
-      status: ["COMPLETED"],
-      from: new Date(Date.now() - 1000 * 60 * 60), // 1 hour ago
-      to: new Date(), // now
-    })) {
-      logger.info("completed run", { run });
-    }
-
-    for await (const run of runs.list({
-      status: ["FAILED"],
-      from: new Date(Date.now() - 1000 * 60 * 60), // 1 hour ago
-      to: new Date(), // now
-      limit: 50,
-    })) {
-      logger.info("failed run", { run });
-    }
-
-    for await (const run of runs.list({
-      queue: { type: "task", name: "sdk-methods" },
-      limit: 5,
-    })) {
-      logger.info("sdk-methods run", { run });
-    }
-
-    for await (const run of runs.list({
-      machine: ["small-1x", "small-2x"],
-      limit: 5,
-    })) {
-      logger.info("small machine run", { run });
-    }
-
-    return runs;
-  },
-});
diff --git a/references/hello-world/src/trigger/statuses.ts b/references/hello-world/src/trigger/statuses.ts
deleted file mode 100644
index 23c1b1f5ea3..00000000000
--- a/references/hello-world/src/trigger/statuses.ts
+++ /dev/null
@@ -1,29 +0,0 @@
-import { logger, runs, task } from "@trigger.dev/sdk";
-
-export const statusesTest = task({
-  id: "statuses-test",
-  run: async () => {
-    console.log("statusesTest");
-  },
-});
-
-export const subscribeToRun = task({
-  id: "subscribe-to-run",
-  run: async (payload: { runId: string }) => {
-    const subscription = runs.subscribeToRun(payload.runId, {
-      stopOnCompletion: false,
-    });
-
-    for await (const event of subscription) {
-      logger.info("run event", { event });
-    }
-  },
-});
-
-export const retrieveRun = task({
-  id: "retrieve-run",
-  run: async (payload: { runId: string }) => {
-    const run = await runs.retrieve(payload.runId);
-    logger.info("run", { run });
-  },
-});
diff --git a/references/hello-world/src/trigger/streams.ts b/references/hello-world/src/trigger/streams.ts
deleted file mode 100644
index 9a10888b532..00000000000
--- a/references/hello-world/src/trigger/streams.ts
+++ /dev/null
@@ -1,17 +0,0 @@
-import { streams, InferStreamType } from "@trigger.dev/sdk";
-
-export const textStream = streams.define<string>({
-  id: "text",
-});
-
-export const progressStream = streams.define<{ step: string; percent: number }>({
-  id: "progress",
-});
-
-export const logStream = streams.define<string>({
-  id: "logs",
-});
-
-export type TextStreamPart = InferStreamType<typeof textStream>;
-export type ProgressStreamPart = InferStreamType<typeof progressStream>;
-export type LogStreamPart = InferStreamType<typeof logStream>;
diff --git a/references/hello-world/src/trigger/streamsV2.ts b/references/hello-world/src/trigger/streamsV2.ts
deleted file mode 100644
index cf51e40e5d3..00000000000
--- a/references/hello-world/src/trigger/streamsV2.ts
+++ /dev/null
@@ -1,229 +0,0 @@
-import { logger, streams, task } from "@trigger.dev/sdk";
-import { setTimeout } from "timers/promises";
-import { textStream, progressStream, logStream } from "./streams.js";
-
-// Test 1: .pipe() then read back from S2 via a coordinator
-export const streamsPipeTask = task({
-  id: "streams-pipe",
-  run: async () => {
-    const source = ReadableStream.from(generateChunks(5));
-    const { waitUntilComplete } = textStream.pipe(source);
-    await waitUntilComplete();
-
-    return { written: 5 };
-  },
-});
-
-export const streamsPipeReadTask = task({
-  id: "streams-pipe-read",
-  run: async () => {
-    const handle = await streamsPipeTask.trigger({});
-
-    const stream = await textStream.read(handle.id);
-    const chunks: string[] = [];
-    for await (const chunk of stream) {
-      logger.info("read chunk from pipe", { chunk });
-      chunks.push(chunk);
-    }
-
-    return { chunks };
-  },
-});
-
-// Test 2: .append() then read back from S2
-export const streamsAppendTask = task({
-  id: "streams-append",
-  run: async () => {
-    await logStream.append("Starting processing");
-    await progressStream.append({ step: "init", percent: 0 });
-
-    await setTimeout(500);
-    await logStream.append("Step 1 complete");
-    await progressStream.append({ step: "step-1", percent: 33 });
-
-    await setTimeout(500);
-    await logStream.append("Step 2 complete");
-    await progressStream.append({ step: "step-2", percent: 66 });
-
-    await setTimeout(500);
-    await logStream.append("All done");
-    await progressStream.append({ step: "done", percent: 100 });
-
-    return { success: true };
-  },
-});
-
-export const streamsAppendReadTask = task({
-  id: "streams-append-read",
-  run: async () => {
-    const handle = await streamsAppendTask.trigger({});
-
-    // Read both log and progress streams from the child
-    const logStreamReader = await logStream.read(handle.id);
-    const logs: string[] = [];
-    for await (const chunk of logStreamReader) {
-      logger.info("read log", { chunk });
-      logs.push(chunk);
-    }
-
-    const progressStreamReader = await progressStream.read(handle.id);
-    const steps: Array<{ step: string; percent: number }> = [];
-    for await (const chunk of progressStreamReader) {
-      logger.info("read progress", { chunk });
-      steps.push(chunk);
-    }
-
-    return { logs, steps };
-  },
-});
-
-// Test 3: .writer() then read back
-export const streamsWriterTask = task({
-  id: "streams-writer",
-  run: async () => {
-    const { waitUntilComplete } = logStream.writer({
-      execute: ({ write, merge }) => {
-        write("Line 1 from write()");
-        write("Line 2 from write()");
-
-        const moreLines = ReadableStream.from(["Line 3 from merge()", "Line 4 from merge()"]);
-        merge(moreLines);
-      },
-    });
-
-    await waitUntilComplete();
-
-    return { written: 4 };
-  },
-});
-
-export const streamsWriterReadTask = task({
-  id: "streams-writer-read",
-  run: async () => {
-    const handle = await streamsWriterTask.trigger({});
-
-    const stream = await logStream.read(handle.id);
-    const lines: string[] = [];
-    for await (const chunk of stream) {
-      logger.info("read writer line", { chunk });
-      lines.push(chunk);
-    }
-
-    return { lines };
-  },
-});
-
-// Test 4: Direct streams.pipe() then read back with streams.read()
-export const streamsDirectPipeTask = task({
-  id: "streams-direct-pipe",
-  run: async () => {
-    const source = ReadableStream.from(generateChunks(3));
-    const { waitUntilComplete } = streams.pipe("direct-output", source);
-    await waitUntilComplete();
-
-    return { written: 3 };
-  },
-});
-
-export const streamsDirectPipeReadTask = task({
-  id: "streams-direct-pipe-read",
-  run: async () => {
-    const handle = await streamsDirectPipeTask.trigger({});
-
-    const stream = await streams.read(handle.id, "direct-output");
-    const chunks: string[] = [];
-    for await (const chunk of stream) {
-      logger.info("read direct pipe chunk", { chunk });
-      chunks.push(chunk as string);
-    }
-
-    return { chunks };
-  },
-});
-
-// Test 5: Direct streams.append() then read back
-export const streamsDirectAppendTask = task({
-  id: "streams-direct-append",
-  run: async () => {
-    await streams.append("direct-logs", "Log entry 1");
-    await setTimeout(300);
-    await streams.append("direct-logs", "Log entry 2");
-    await setTimeout(300);
-    await streams.append("direct-logs", "Log entry 3");
-
-    return { written: 3 };
-  },
-});
-
-export const streamsDirectAppendReadTask = task({
-  id: "streams-direct-append-read",
-  run: async () => {
-    const handle = await streamsDirectAppendTask.trigger({});
-
-    const stream = await streams.read(handle.id, "direct-logs");
-    const entries: string[] = [];
-    for await (const chunk of stream) {
-      logger.info("read direct append entry", { chunk });
-      entries.push(chunk as string);
-    }
-
-    return { entries };
-  },
-});
-
-// Test 6: Multiple streams in one task, read all back
-export const streamsMultiTask = task({
-  id: "streams-multi",
-  run: async () => {
-    await logStream.append("Starting multi-stream test");
-    await progressStream.append({ step: "start", percent: 0 });
-
-    const source = ReadableStream.from(generateChunks(3));
-    const { waitUntilComplete } = textStream.pipe(source);
-
-    await setTimeout(500);
-    await logStream.append("Text stream piped");
-    await progressStream.append({ step: "piped", percent: 50 });
-
-    await waitUntilComplete();
-
-    await logStream.append("Complete");
-    await progressStream.append({ step: "done", percent: 100 });
-
-    return { success: true };
-  },
-});
-
-export const streamsMultiReadTask = task({
-  id: "streams-multi-read",
-  run: async () => {
-    const handle = await streamsMultiTask.trigger({});
-
-    const logReader = await logStream.read(handle.id);
-    const logs: string[] = [];
-    for await (const chunk of logReader) {
-      logs.push(chunk);
-    }
-
-    const progressReader = await progressStream.read(handle.id);
-    const steps: Array<{ step: string; percent: number }> = [];
-    for await (const chunk of progressReader) {
-      steps.push(chunk);
-    }
-
-    const textReader = await textStream.read(handle.id);
-    const texts: string[] = [];
-    for await (const chunk of textReader) {
-      texts.push(chunk);
-    }
-
-    return { logs, steps, texts };
-  },
-});
-
-async function* generateChunks(count: number) {
-  for (let i = 0; i < count; i++) {
-    await setTimeout(200);
-    yield `chunk-${i}`;
-  }
-}
diff --git a/references/hello-world/src/trigger/tags.ts b/references/hello-world/src/trigger/tags.ts
deleted file mode 100644
index 5d13e31597a..00000000000
--- a/references/hello-world/src/trigger/tags.ts
+++ /dev/null
@@ -1,105 +0,0 @@
-import { logger, runs, task, wait } from "@trigger.dev/sdk";
-import assert from "node:assert";
-import { setTimeout } from "node:timers/promises";
-
-export const tagsTester = task({
-  id: "tags-tester",
-  run: async (payload: any, { ctx }) => {
-    await tagsChildTask.trigger(
-      {
-        tags: ["tag1", "tag2"],
-      },
-      {
-        tags: ["user:user1", "org:org1"],
-      }
-    );
-  },
-});
-
-export const tagsChildTask = task({
-  id: "tags-child",
-  run: async (payload: any, { ctx }) => {
-    logger.log("Hello, world from the child", { payload });
-  },
-});
-
-// Task that will be triggered with tags
-export const taggedTask = task({
-  id: "tagged-task",
-  run: async (payload: { waitSeconds: number }, { ctx }) => {
-    logger.info("Running tagged task", { tags: ctx.run.tags });
-
-    // Verify initial tags from trigger
-    const expectedInitialTags = ["test-tag-1", "test-tag-2"];
-    for (const tag of expectedInitialTags) {
-      if (!ctx.run.tags.includes(tag)) {
-        throw new Error(`Expected tag ${tag} to be present initially`);
-      }
-    }
-
-    // Wait a bit to ensure we can query the running task
-    await setTimeout(payload.waitSeconds * 1000);
-
-    return {
-      initialTags: ctx.run.tags,
-    };
-  },
-});
-
-// Test task that verifies tag behavior
-export const tagTestTask = task({
-  id: "tag-test",
-  run: async (payload, { ctx }) => {
-    logger.info("Starting tag verification test");
-
-    // Trigger a task with initial tags
-    const handle = await taggedTask.trigger(
-      { waitSeconds: 3 },
-      {
-        tags: ["test-tag-1", "test-tag-2"],
-      }
-    );
-
-    // Wait a moment to ensure the task is running
-    await setTimeout(3_000);
-
-    // Query for running tasks with our tags
-    const runningTasks = await runs.list({
-      status: "EXECUTING",
-      tag: ["test-tag-1", "test-tag-2"],
-    });
-
-    let foundRun = false;
-    for await (const run of runningTasks) {
-      if (run.id === handle.id) {
-        foundRun = true;
-        break;
-      }
-    }
-
-    if (!foundRun) {
-      throw new Error("Could not find running task with tags test-tag-1 and test-tag-2");
-    }
-
-    logger.info("Found running task with tags test-tag-1 and test-tag-2");
-
-    await wait.for({ seconds: 10 });
-
-    const finalRun = await runs.retrieve<typeof taggedTask>(handle.id);
-
-    logger.info("Final run", { finalRun });
-
-    assert.ok(finalRun.status === "COMPLETED", "Run should be completed");
-    assert.ok(finalRun.output, "Output should be defined");
-
-    // Verify the tags were preserved in the task context
-    const outputTags = finalRun.output.initialTags;
-    if (!outputTags.includes("test-tag-1") || !outputTags.includes("test-tag-2")) {
-      throw new Error(
-        `Expected tags test-tag-1 and test-tag-2 in output, got ${outputTags.join(", ")}`
-      );
-    }
-
-    logger.info("✅ Tag verification test passed");
-  },
-});
diff --git a/references/hello-world/src/trigger/telemetry.ts b/references/hello-world/src/trigger/telemetry.ts
deleted file mode 100644
index 5dbecb89638..00000000000
--- a/references/hello-world/src/trigger/telemetry.ts
+++ /dev/null
@@ -1,1634 +0,0 @@
-import { logger, task } from "@trigger.dev/sdk";
-import { setTimeout } from "timers/promises";
-
-export const simpleSuccessTask = task({
-  id: "otel/simple-success-task",
-  run: async (payload: any, { ctx }) => {
-    logger.log("Hello log 1", { ctx });
-    logger.info("Hello info 1");
-    logger.warn("Hello warn 1");
-    logger.error("Hello error 1");
-
-    await setTimeout(15000);
-
-    logger.log("Hello log 2");
-    logger.info("Hello info 2");
-    logger.warn("Hello warn 2");
-    logger.error("Hello error 2");
-
-    return { message: "Hello, world!" };
-  },
-});
-
-export const simpleFailureTask = task({
-  id: "otel/simple-failure-task",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (payload: any, { ctx }) => {
-    await setTimeout(5000);
-
-    throw new Error("Hello error");
-  },
-});
-
-export const failureWithRetries = task({
-  id: "otel/failure-with-retries",
-  retry: {
-    maxAttempts: 3,
-  },
-  run: async (payload: any, { ctx }) => {
-    await setTimeout(15000);
-
-    throw new Error("Hello error");
-  },
-});
-
-export const taskWithChildTasks = task({
-  id: "otel/task-with-child-tasks",
-  run: async (payload: any, { ctx }) => {
-    await simpleSuccessTask.triggerAndWait({});
-  },
-});
-
-export const generateLogsParentTask = task({
-  id: "otel/generate-logs-parent",
-  run: async (payload: any) => {
-    await generateLogsTask.triggerAndWait({});
-    await generateLogsTask.triggerAndWait({});
-    await generateLogsTask.triggerAndWait({});
-    await generateLogsTask.triggerAndWait({});
-    await generateLogsTask.triggerAndWait({});
-    await generateLogsTask.triggerAndWait({});
-    await generateLogsTask.triggerAndWait({});
-    await generateLogsTask.triggerAndWait({});
-    await generateLogsTask.triggerAndWait({});
-    await generateLogsTask.triggerAndWait({});
-    await generateLogsTask.triggerAndWait({});
-    await generateLogsTask.triggerAndWait({});
-  },
-});
-
-export const generateLogsTask = task({
-  id: "otel/generate-logs",
-  run: async (payload: any, { ctx }) => {
-    await generateLogs(101);
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 1", async () => {
-      await generateLogs(101);
-    });
-
-    await logger.trace("span 2", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 2.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 2.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 2.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-
-    await logger.trace("span 3", async () => {
-      await generateLogs(101);
-
-      await logger.trace("span 3.1", async () => {
-        await generateLogs(101);
-
-        await logger.trace("span 3.1.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.1.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-
-        await logger.trace("span 3.2.1", async () => {
-          await generateLogs(101);
-
-          await logger.trace("span 3.2.1.1", async () => {
-            await generateLogs(101);
-          });
-        });
-      });
-    });
-  },
-});
-
-async function generateLogs(count: number) {
-  await Promise.all(
-    Array.from({ length: count }).map(async () => {
-      await setTimeout(1000);
-
-      const logMessage = generateRandomLogMessage();
-
-      switch (logMessage.level) {
-        case "DEBUG": {
-          logger.debug(logMessage.message, { ...logMessage.metadata, ...generateRandomObject() });
-          break;
-        }
-        case "INFO": {
-          logger.info(logMessage.message, { ...logMessage.metadata, ...generateRandomObject() });
-          break;
-        }
-        case "WARN": {
-          logger.warn(logMessage.message, { ...logMessage.metadata, ...generateRandomObject() });
-          break;
-        }
-        case "FATAL":
-        case "ERROR": {
-          logger.error(logMessage.message, { ...logMessage.metadata, ...generateRandomObject() });
-          break;
-        }
-      }
-    })
-  );
-}
-
-type RandomValue = string | number | boolean | null | RandomObject | RandomValue[];
-
-interface RandomObject {
-  [key: string]: RandomValue;
-}
-
-function generateRandomObject(depth: number = 3, maxKeys: number = 8): RandomObject {
-  const obj: RandomObject = {};
-  const numKeys = Math.floor(Math.random() * maxKeys) + 1;
-
-  for (let i = 0; i < numKeys; i++) {
-    const key = generateRandomKey();
-    obj[key] = generateRandomValue(depth);
-  }
-
-  return obj;
-}
-
-function generateRandomValue(depth: number): RandomValue {
-  if (depth <= 0) {
-    return generatePrimitiveValue();
-  }
-
-  const valueTypes = ["primitive", "object", "array"];
-  const weights = depth > 1 ? [0.6, 0.2, 0.2] : [0.8, 0.1, 0.1];
-  const selectedType = weightedRandomChoice(valueTypes, weights);
-
-  switch (selectedType) {
-    case "primitive":
-      return generatePrimitiveValue();
-    case "object":
-      return generateRandomObject(depth - 1, 5);
-    case "array":
-      return generateRandomArray(depth - 1);
-    default:
-      return generatePrimitiveValue();
-  }
-}
-
-function generatePrimitiveValue(): string | number | boolean | null {
-  const primitiveTypes = ["string", "number", "boolean", "null"];
-  const type = primitiveTypes[Math.floor(Math.random() * primitiveTypes.length)];
-
-  switch (type) {
-    case "string":
-      return generateRandomString();
-    case "number":
-      return generateRandomNumber();
-    case "boolean":
-      return Math.random() > 0.5;
-    case "null":
-      return null;
-    default:
-      return generateRandomString();
-  }
-}
-
-function generateArrayOfPrimitiveValues(length: number): RandomValue[] {
-  const primitiveTypes = ["string", "number", "boolean", "null"];
-  const type = primitiveTypes[Math.floor(Math.random() * primitiveTypes.length)];
-
-  switch (type) {
-    case "string":
-      return Array.from({ length }, () => generateRandomString());
-    case "number":
-      return Array.from({ length }, () => generateRandomNumber());
-    case "boolean":
-      return Array.from({ length }, () => Math.random() > 0.5);
-    case "null":
-      return Array.from({ length }, () => null);
-    default:
-      return Array.from({ length }, () => generateRandomString());
-  }
-}
-
-function generateRandomString(): string {
-  const stringTypes = [
-    "name",
-    "email",
-    "city",
-    "company",
-    "product",
-    "description",
-    "color",
-    "status",
-    "category",
-    "id",
-    "url",
-    "phone",
-  ];
-
-  const type = stringTypes[Math.floor(Math.random() * stringTypes.length)];
-
-  const samples = {
-    name: ["John Smith", "Sarah Johnson", "Michael Brown", "Emma Wilson", "David Lee"],
-    email: ["user@example.com", "admin@company.org", "contact@business.net", "info@service.co.uk"],
-    city: ["London", "Manchester", "Birmingham", "Edinburgh", "Cardiff", "Belfast"],
-    company: [
-      "TechCorp Ltd",
-      "Global Solutions",
-      "Innovation Hub",
-      "Digital Dynamics",
-      "Future Systems",
-    ],
-    product: ["Wireless Headphones", "Smart Watch", "Laptop Stand", "Coffee Maker", "Desk Lamp"],
-    description: [
-      "High-quality product with excellent features",
-      "Reliable and efficient solution",
-      "Modern design meets functionality",
-    ],
-    color: ["red", "blue", "green", "yellow", "purple", "orange", "black", "white"],
-    status: ["active", "inactive", "pending", "completed", "cancelled", "processing"],
-    category: ["electronics", "clothing", "books", "home", "sports", "automotive"],
-    id: () => `${Math.random().toString(36).substr(2, 9)}`,
-    url: ["https://example.com", "https://api.service.com/v1", "https://docs.platform.org"],
-    phone: ["+44 20 7123 4567", "+44 161 234 5678", "+44 121 345 6789"],
-  };
-
-  const sampleArray = samples[type as keyof typeof samples];
-  if (typeof sampleArray === "function") {
-    return sampleArray();
-  }
-  return sampleArray[Math.floor(Math.random() * sampleArray.length)];
-}
-
-function generateRandomNumber(): number {
-  const numberTypes = ["integer", "decimal", "large", "small"];
-  const type = numberTypes[Math.floor(Math.random() * numberTypes.length)];
-
-  switch (type) {
-    case "integer":
-      return Math.floor(Math.random() * 1000);
-    case "decimal":
-      return Math.round(Math.random() * 100 * 100) / 100;
-    case "large":
-      return Math.floor(Math.random() * 1000000);
-    case "small":
-      return Math.floor(Math.random() * 10);
-    default:
-      return Math.floor(Math.random() * 100);
-  }
-}
-
-function generateRandomKey(): string {
-  const commonKeys = [
-    "id",
-    "name",
-    "email",
-    "age",
-    "address",
-    "phone",
-    "company",
-    "title",
-    "description",
-    "price",
-    "quantity",
-    "status",
-    "createdAt",
-    "updatedAt",
-    "isActive",
-    "category",
-    "tags",
-    "metadata",
-    "config",
-    "settings",
-    "userId",
-    "productId",
-    "orderId",
-    "customerId",
-    "location",
-    "type",
-    "value",
-    "label",
-    "color",
-    "size",
-    "weight",
-    "dimensions",
-    "features",
-  ];
-
-  return commonKeys[Math.floor(Math.random() * commonKeys.length)];
-}
-
-function generateRandomArray(depth: number): RandomValue[] {
-  const arrayLength = Math.floor(Math.random() * 5) + 1;
-
-  return generateArrayOfPrimitiveValues(arrayLength);
-}
-
-function weightedRandomChoice<T>(choices: T[], weights: number[]): T {
-  const totalWeight = weights.reduce((sum, weight) => sum + weight, 0);
-  let random = Math.random() * totalWeight;
-
-  for (let i = 0; i < choices.length; i++) {
-    random -= weights[i];
-    if (random <= 0) {
-      return choices[i];
-    }
-  }
-
-  return choices[choices.length - 1];
-}
-
-interface LogMessage {
-  timestamp: string;
-  level: "DEBUG" | "INFO" | "WARN" | "ERROR" | "FATAL";
-  component: string;
-  message: string;
-  metadata?: Record<string, any>;
-}
-
-function generateRandomLogMessage(includeMetadata: boolean = true): LogMessage {
-  const level = generateLogLevel();
-  const component = generateComponent();
-  const message = generateMessage(level, component);
-  const timestamp = generateTimestamp();
-
-  const logMessage: LogMessage = {
-    timestamp,
-    level,
-    component,
-    message,
-  };
-
-  if (includeMetadata && Math.random() > 0.3) {
-    logMessage.metadata = generateMetadata(level);
-  }
-
-  return logMessage;
-}
-
-function generateLogLevel(): LogMessage["level"] {
-  const levels: LogMessage["level"][] = ["DEBUG", "INFO", "WARN", "ERROR", "FATAL"];
-  const weights = [0.3, 0.4, 0.15, 0.13, 0.02]; // INFO and DEBUG most common
-
-  return weightedRandomChoice(levels, weights);
-}
-
-function generateComponent(): string {
-  const components = [
-    "AuthService",
-    "DatabaseManager",
-    "UserController",
-    "PaymentProcessor",
-    "EmailService",
-    "CacheManager",
-    "FileUploader",
-    "APIGateway",
-    "SecurityManager",
-    "NotificationService",
-    "OrderService",
-    "ProductCatalog",
-    "SessionManager",
-    "ConfigLoader",
-    "MetricsCollector",
-    "HealthChecker",
-    "MessageQueue",
-    "SearchEngine",
-    "ReportGenerator",
-    "BackupService",
-    "LoadBalancer",
-    "RateLimiter",
-    "ValidationService",
-    "AuditLogger",
-  ];
-
-  return components[Math.floor(Math.random() * components.length)];
-}
-
-function generateMessage(level: LogMessage["level"], component: string): string {
-  const messageTemplates = {
-    DEBUG: [
-      `Executing method ${generateMethodName()} with parameters: ${generateParameters()}`,
-      `Cache hit for key: ${generateCacheKey()}`,
-      `Processing request with ID: ${generateId()}`,
-      `Database query executed in ${generateDuration()}ms`,
-      `Validating input data for ${generateEntityName()}`,
-      `Loading configuration from ${generateFilePath()}`,
-      `Initializing connection pool with ${generateNumber(5, 20)} connections`,
-      `Parsing JSON payload of size ${generateFileSize()}`,
-      `Applying business rule: ${generateBusinessRule()}`,
-    ],
-    INFO: [
-      `User ${generateUsername()} successfully logged in from ${generateIPAddress()}`,
-      `Order ${generateOrderId()} created successfully for customer ${generateCustomerId()}`,
-      `Email sent to ${generateEmail()} with subject: "${generateEmailSubject()}"`,
-      `File ${generateFileName()} uploaded successfully (${generateFileSize()})`,
-      `Payment of £${generatePrice()} processed for transaction ${generateTransactionId()}`,
-      `New user registered: ${generateUsername()} (${generateEmail()})`,
-      `Service started successfully on port ${generatePort()}`,
-      `Database migration ${generateMigrationName()} completed successfully`,
-      `Report ${generateReportName()} generated in ${generateDuration()}ms`,
-      `Cache cleared for namespace: ${generateNamespace()}`,
-    ],
-    WARN: [
-      `High memory usage detected: ${generatePercentage()}% of available memory`,
-      `Slow query detected: ${generateDuration()}ms execution time`,
-      `Rate limit approaching for user ${generateUsername()}: ${generateNumber(80, 95)}% of limit`,
-      `Deprecated API endpoint accessed: ${generateAPIEndpoint()}`,
-      `Connection pool nearly exhausted: ${generateNumber(18, 20)}/20 connections in use`,
-      `Large file upload detected: ${generateFileSize()} from ${generateIPAddress()}`,
-      `Failed login attempt for user ${generateUsername()} from ${generateIPAddress()}`,
-      `Queue size growing: ${generateNumber(500, 1000)} pending messages`,
-      `SSL certificate expires in ${generateNumber(1, 30)} days`,
-      `Disk space low: ${generatePercentage()}% full on ${generateDiskPath()}`,
-    ],
-    ERROR: [
-      `Failed to connect to database: ${generateErrorMessage()}`,
-      `Payment processing failed for transaction ${generateTransactionId()}: ${generatePaymentError()}`,
-      `Email delivery failed to ${generateEmail()}: ${generateEmailError()}`,
-      `File upload failed: ${generateFileError()}`,
-      `Authentication failed for user ${generateUsername()}: ${generateAuthError()}`,
-      `API request to ${generateAPIEndpoint()} failed: ${generateHTTPError()}`,
-      `Database query failed: ${generateSQLError()}`,
-      `Service unavailable: ${generateServiceError()}`,
-      `Configuration error: ${generateConfigError()}`,
-      `Validation failed for ${generateEntityName()}: ${generateValidationError()}`,
-    ],
-    FATAL: [
-      `Database connection pool exhausted, shutting down service`,
-      `Out of memory error: Unable to allocate ${generateFileSize()}`,
-      `Critical security breach detected from ${generateIPAddress()}`,
-      `System disk full: Unable to write logs or process requests`,
-      `Service dependency ${generateServiceName()} is completely unavailable`,
-      `Unhandled exception caused service crash: ${generateCriticalError()}`,
-      `Configuration file corrupted: Unable to start service`,
-      `License validation failed: Service cannot continue`,
-      `Critical data corruption detected in ${generateTableName()}`,
-      `Network interface failure: All connections lost`,
-    ],
-  };
-
-  const templates = messageTemplates[level];
-  return templates[Math.floor(Math.random() * templates.length)];
-}
-
-function generateTimestamp(): string {
-  const now = new Date();
-  const randomOffset = Math.floor(Math.random() * 86400000); // Random time within last 24 hours
-  const timestamp = new Date(now.getTime() - randomOffset);
-  return timestamp.toISOString();
-}
-
-function generateMetadata(level: LogMessage["level"]): Record<string, any> {
-  const baseMetadata: Record<string, any> = {
-    requestId: generateId(),
-    userId: Math.random() > 0.3 ? generateUserId() : null,
-    sessionId: generateSessionId(),
-    userAgent: generateUserAgent(),
-    ipAddress: generateIPAddress(),
-  };
-
-  // Add level-specific metadata
-  switch (level) {
-    case "ERROR":
-    case "FATAL":
-      baseMetadata.stackTrace = generateStackTrace();
-      baseMetadata.errorCode = generateErrorCode();
-      break;
-    case "WARN":
-      baseMetadata.threshold = generateNumber(70, 95);
-      baseMetadata.currentValue = generateNumber(75, 100);
-      break;
-    case "INFO":
-      baseMetadata.duration = generateDuration();
-      baseMetadata.statusCode = 200;
-      break;
-  }
-
-  return baseMetadata;
-}
-
-// Helper functions for generating realistic data
-function generateMethodName(): string {
-  const prefixes = ["get", "set", "create", "update", "delete", "process", "validate", "calculate"];
-  const suffixes = ["User", "Order", "Payment", "Data", "Config", "Report", "Session", "Token"];
-  return `${prefixes[Math.floor(Math.random() * prefixes.length)]}${
-    suffixes[Math.floor(Math.random() * suffixes.length)]
-  }`;
-}
-
-function generateParameters(): string {
-  const params = [];
-  const numParams = Math.floor(Math.random() * 3) + 1;
-  for (let i = 0; i < numParams; i++) {
-    params.push(
-      `param${i + 1}=${Math.random() > 0.5 ? `"${generateId()}"` : generateNumber(1, 1000)}`
-    );
-  }
-  return `{${params.join(", ")}}`;
-}
-
-function generateId(): string {
-  return Math.random().toString(36).substr(2, 12);
-}
-
-function generateUserId(): string {
-  return `user_${Math.random().toString(36).substr(2, 8)}`;
-}
-
-function generateSessionId(): string {
-  return `sess_${Math.random().toString(36).substr(2, 16)}`;
-}
-
-function generateOrderId(): string {
-  return `ORD-${Date.now()}-${Math.floor(Math.random() * 1000)
-    .toString()
-    .padStart(3, "0")}`;
-}
-
-function generateTransactionId(): string {
-  return `TXN${Math.random().toString(36).substr(2, 10).toUpperCase()}`;
-}
-
-function generateCustomerId(): string {
-  return `CUST${Math.floor(Math.random() * 100000)
-    .toString()
-    .padStart(5, "0")}`;
-}
-
-function generateUsername(): string {
-  const usernames = [
-    "john.smith",
-    "sarah.jones",
-    "mike.brown",
-    "emma.wilson",
-    "david.lee",
-    "admin",
-    "guest",
-    "testuser",
-  ];
-  return usernames[Math.floor(Math.random() * usernames.length)];
-}
-
-function generateEmail(): string {
-  const domains = ["example.com", "company.org", "business.co.uk", "service.net"];
-  const username = generateUsername().replace(".", "");
-  return `${username}@${domains[Math.floor(Math.random() * domains.length)]}`;
-}
-
-function generateIPAddress(): string {
-  return `${Math.floor(Math.random() * 256)}.${Math.floor(Math.random() * 256)}.${Math.floor(
-    Math.random() * 256
-  )}.${Math.floor(Math.random() * 256)}`;
-}
-
-function generateDuration(): number {
-  return Math.floor(Math.random() * 5000) + 10;
-}
-
-function generateNumber(min: number, max: number): number {
-  return Math.floor(Math.random() * (max - min + 1)) + min;
-}
-
-function generatePercentage(): number {
-  return Math.floor(Math.random() * 100) + 1;
-}
-
-function generateFileSize(): string {
-  const size = Math.floor(Math.random() * 1000) + 1;
-  const units = ["KB", "MB", "GB"];
-  const unit = units[Math.floor(Math.random() * units.length)];
-  return `${size}${unit}`;
-}
-
-function generateFileName(): string {
-  const names = ["document", "report", "image", "data", "config", "backup"];
-  const extensions = [".pdf", ".xlsx", ".jpg", ".json", ".xml", ".zip"];
-  return `${names[Math.floor(Math.random() * names.length)]}${Math.floor(Math.random() * 1000)}${
-    extensions[Math.floor(Math.random() * extensions.length)]
-  }`;
-}
-
-function generatePrice(): string {
-  return (Math.random() * 1000 + 10).toFixed(2);
-}
-
-function generatePort(): number {
-  return Math.floor(Math.random() * 9000) + 1000;
-}
-
-function generateCacheKey(): string {
-  return `cache:${generateEntityName()}:${generateId()}`;
-}
-
-function generateEntityName(): string {
-  const entities = ["user", "order", "product", "payment", "session", "config", "report"];
-  return entities[Math.floor(Math.random() * entities.length)];
-}
-
-function generateAPIEndpoint(): string {
-  const versions = ["v1", "v2", "v3"];
-  const resources = ["users", "orders", "products", "payments", "reports"];
-  return `/api/${versions[Math.floor(Math.random() * versions.length)]}/${
-    resources[Math.floor(Math.random() * resources.length)]
-  }`;
-}
-
-function generateErrorMessage(): string {
-  const errors = [
-    "Connection timeout after 30 seconds",
-    "Invalid credentials provided",
-    "Resource not found",
-    "Permission denied",
-    "Service temporarily unavailable",
-    "Invalid request format",
-    "Rate limit exceeded",
-  ];
-  return errors[Math.floor(Math.random() * errors.length)];
-}
-
-function generateUserAgent(): string {
-  const agents = [
-    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
-    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36",
-    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36",
-    "PostmanRuntime/7.29.2",
-    "curl/7.68.0",
-  ];
-  return agents[Math.floor(Math.random() * agents.length)];
-}
-
-function generateStackTrace(): string {
-  return `at ${generateMethodName()}(${generateFileName()}:${generateNumber(10, 500)})`;
-}
-
-function generateErrorCode(): string {
-  const codes = ["E001", "E404", "E500", "E403", "E401", "E503", "E400"];
-  return codes[Math.floor(Math.random() * codes.length)];
-}
-
-// Additional helper functions for specific error types
-function generatePaymentError(): string {
-  const errors = [
-    "Insufficient funds",
-    "Card expired",
-    "Invalid card number",
-    "Payment gateway timeout",
-  ];
-  return errors[Math.floor(Math.random() * errors.length)];
-}
-
-function generateEmailError(): string {
-  const errors = [
-    "SMTP server unavailable",
-    "Invalid email address",
-    "Message too large",
-    "Recipient blocked",
-  ];
-  return errors[Math.floor(Math.random() * errors.length)];
-}
-
-function generateAuthError(): string {
-  const errors = [
-    "Invalid password",
-    "Account locked",
-    "Token expired",
-    "Two-factor authentication required",
-  ];
-  return errors[Math.floor(Math.random() * errors.length)];
-}
-
-function generateHTTPError(): string {
-  const codes = [400, 401, 403, 404, 500, 502, 503, 504];
-  const code = codes[Math.floor(Math.random() * codes.length)];
-  return `HTTP ${code}`;
-}
-
-function generateSQLError(): string {
-  const errors = [
-    "Syntax error",
-    "Table does not exist",
-    "Duplicate key violation",
-    "Foreign key constraint",
-  ];
-  return errors[Math.floor(Math.random() * errors.length)];
-}
-
-function generateServiceError(): string {
-  const services = ["Redis", "Elasticsearch", "RabbitMQ", "MongoDB"];
-  return `${services[Math.floor(Math.random() * services.length)]} connection refused`;
-}
-
-function generateConfigError(): string {
-  const errors = [
-    "Missing required property",
-    "Invalid configuration format",
-    "Environment variable not set",
-  ];
-  return errors[Math.floor(Math.random() * errors.length)];
-}
-
-function generateValidationError(): string {
-  const errors = [
-    "Required field missing",
-    "Invalid email format",
-    "Value out of range",
-    "Invalid date format",
-  ];
-  return errors[Math.floor(Math.random() * errors.length)];
-}
-
-function generateCriticalError(): string {
-  const errors = [
-    "NullPointerException",
-    "OutOfMemoryError",
-    "StackOverflowError",
-    "SecurityException",
-  ];
-  return errors[Math.floor(Math.random() * errors.length)];
-}
-
-function generateServiceName(): string {
-  const services = ["UserService", "PaymentGateway", "NotificationHub", "DatabaseCluster"];
-  return services[Math.floor(Math.random() * services.length)];
-}
-
-function generateTableName(): string {
-  const tables = ["users", "orders", "payments", "products", "sessions"];
-  return tables[Math.floor(Math.random() * tables.length)];
-}
-
-function generateFilePath(): string {
-  const paths = [
-    "/etc/app/config.yml",
-    "/var/log/app.log",
-    "/opt/app/data.json",
-    "/home/user/.env",
-  ];
-  return paths[Math.floor(Math.random() * paths.length)];
-}
-
-function generateDiskPath(): string {
-  const paths = ["/var/log", "/tmp", "/home", "/opt"];
-  return paths[Math.floor(Math.random() * paths.length)];
-}
-
-function generateMigrationName(): string {
-  return `migration_${Date.now()}_${generateEntityName()}_table`;
-}
-
-function generateReportName(): string {
-  const types = ["daily", "weekly", "monthly", "quarterly"];
-  const subjects = ["sales", "users", "performance", "security"];
-  return `${types[Math.floor(Math.random() * types.length)]}_${
-    subjects[Math.floor(Math.random() * subjects.length)]
-  }_report`;
-}
-
-function generateNamespace(): string {
-  const namespaces = ["user:sessions", "product:catalog", "order:cache", "auth:tokens"];
-  return namespaces[Math.floor(Math.random() * namespaces.length)];
-}
-
-function generateBusinessRule(): string {
-  const rules = [
-    "validate_payment_amount",
-    "check_inventory_levels",
-    "apply_discount_rules",
-    "verify_user_permissions",
-  ];
-  return rules[Math.floor(Math.random() * rules.length)];
-}
-
-function generateEmailSubject(): string {
-  const subjects = [
-    "Order Confirmation",
-    "Password Reset",
-    "Welcome to Our Service",
-    "Monthly Newsletter",
-  ];
-  return subjects[Math.floor(Math.random() * subjects.length)];
-}
-
-function generateFileError(): string {
-  const errors = [
-    "File too large",
-    "Invalid file type",
-    "Disk space insufficient",
-    "Permission denied",
-  ];
-  return errors[Math.floor(Math.random() * errors.length)];
-}
-
-// Utility function to format log message as string
-function formatLogMessage(logMessage: LogMessage): string {
-  const metadataStr = logMessage.metadata ? ` | ${JSON.stringify(logMessage.metadata)}` : "";
-
-  return `${logMessage.timestamp} [${logMessage.level}] ${logMessage.component}: ${logMessage.message}${metadataStr}`;
-}
diff --git a/references/hello-world/src/trigger/usage.ts b/references/hello-world/src/trigger/usage.ts
deleted file mode 100644
index cd5e8dca831..00000000000
--- a/references/hello-world/src/trigger/usage.ts
+++ /dev/null
@@ -1,230 +0,0 @@
-import { logger, task, wait, usage, runs } from "@trigger.dev/sdk";
-import { setTimeout } from "timers/promises";
-import assert from "node:assert";
-
-export const usageExampleTask = task({
-  id: "usage-example",
-  retry: {
-    maxAttempts: 3,
-    minTimeoutInMs: 500,
-    maxTimeoutInMs: 1000,
-    factor: 1.5,
-  },
-  run: async (payload: { throwError: boolean }, { ctx }) => {
-    logger.info("run.ctx", { ctx });
-
-    await setTimeout(1000);
-
-    const currentUsage = usage.getCurrent();
-
-    logger.info("currentUsage", { currentUsage });
-
-    if (payload.throwError && ctx.attempt.number === 1) {
-      throw new Error("Forced error to cause a retry");
-    }
-
-    await setTimeout(5000);
-
-    const currentUsage2 = usage.getCurrent();
-
-    logger.info("currentUsage2", { currentUsage2 });
-
-    return {
-      message: "Hello, world!",
-    };
-  },
-});
-
-/**
- * Test task to verify usage tracking works correctly after moving updates to run engine.
- *
- * Tests:
- * 1. usageDurationMs accumulates across attempts (retries)
- * 2. costInCents is only calculated for non-dev environments
- * 3. Usage is tracked and returned correctly
- *
- * Run with:
- *   - { causeRetry: false } for simple usage test
- *   - { causeRetry: true } for retry accumulation test
- */
-export const usageTrackingTestTask = task({
-  id: "usage-tracking-test",
-  retry: {
-    maxAttempts: 3,
-    minTimeoutInMs: 100,
-    maxTimeoutInMs: 200,
-    factor: 1,
-  },
-  run: async (payload: { causeRetry?: boolean; workDurationMs?: number }, { ctx }) => {
-    const workDuration = payload.workDurationMs ?? 2000;
-    const isDev = ctx.environment.type === "DEVELOPMENT";
-
-    logger.info("Starting usage tracking test", {
-      attemptNumber: ctx.attempt.number,
-      environmentType: ctx.environment.type,
-      isDev,
-      workDuration,
-      causeRetry: payload.causeRetry,
-    });
-
-    // Get usage at start of this attempt
-    const usageAtStart = usage.getCurrent();
-    logger.info("Usage at attempt start", {
-      attemptNumber: ctx.attempt.number,
-      usageAtStart,
-    });
-
-    // Do some "work" to accumulate usage duration
-    const workStart = Date.now();
-    await setTimeout(workDuration);
-    const actualWorkTime = Date.now() - workStart;
-
-    // Get usage after work
-    const usageAfterWork = usage.getCurrent();
-    logger.info("Usage after work", {
-      attemptNumber: ctx.attempt.number,
-      usageAfterWork,
-      actualWorkTimeMs: actualWorkTime,
-      attemptDurationDelta:
-        usageAfterWork.compute.attempt.durationMs - usageAtStart.compute.attempt.durationMs,
-    });
-
-    // Cause a retry on first attempt if requested
-    if (payload.causeRetry && ctx.attempt.number === 1) {
-      logger.info("Throwing error to cause retry - usage from this attempt should accumulate");
-      throw new Error("Intentional error to test usage accumulation across retries");
-    }
-
-    // Log expectations for verification
-    logger.info("Usage tracking test completed", {
-      attemptNumber: ctx.attempt.number,
-      finalUsage: usageAfterWork,
-      environmentType: ctx.environment.type,
-      expectations: {
-        usageDurationMs: "Should be > 0 and reflect actual CPU time",
-        costInCents: isDev
-          ? "Should be 0 (dev environment - no cost tracking)"
-          : "Should be > 0 (calculated from usageDurationMs * machine centsPerMs)",
-        retryAccumulation: payload.causeRetry
-          ? "If this is attempt 2+, usageDurationMs should include time from previous attempts"
-          : "N/A - no retry",
-      },
-    });
-
-    return {
-      success: true,
-      attemptNumber: ctx.attempt.number,
-      environmentType: ctx.environment.type,
-      finalUsage: usageAfterWork,
-      isDev,
-      note: isDev
-        ? "costInCents will be 0 in dev - deploy to staging/prod to test cost calculation"
-        : "costInCents should reflect accumulated usage cost",
-    };
-  },
-});
-
-/**
- * Parent task that triggers usageTrackingTestTask and verifies the usage values
- * are correctly stored in the database via runs.retrieve().
- *
- * This tests the full flow:
- * 1. Trigger child task and wait for completion
- * 2. Use runs.retrieve() to fetch the run from the database
- * 3. Verify usageDurationMs > 0
- * 4. Verify costInCents behavior based on environment type
- */
-export const usageVerificationParentTask = task({
-  id: "usage-verification-parent",
-  run: async (payload: { causeRetry?: boolean; workDurationMs?: number }, { ctx }) => {
-    const isDev = ctx.environment.type === "DEVELOPMENT";
-
-    logger.info("Starting usage verification parent task", {
-      environmentType: ctx.environment.type,
-      isDev,
-      causeRetry: payload.causeRetry,
-      workDurationMs: payload.workDurationMs,
-    });
-
-    // Trigger the child task and wait for it to complete
-    const childResult = await usageTrackingTestTask.triggerAndWait({
-      causeRetry: payload.causeRetry,
-      workDurationMs: payload.workDurationMs ?? 2000,
-    });
-
-    if (!childResult.ok) {
-      throw new Error(`Child task failed: ${JSON.stringify(childResult.error)}`);
-    }
-
-    logger.info("Child task completed", {
-      childRunId: childResult.id,
-      childOutput: childResult.output,
-    });
-
-    // Retrieve the run from the database to verify usage values were stored
-    const retrievedRun = await runs.retrieve(childResult.id);
-
-    logger.info("Retrieved run from database", {
-      runId: retrievedRun.id,
-      status: retrievedRun.status,
-      durationMs: retrievedRun.durationMs,
-      costInCents: retrievedRun.costInCents,
-      baseCostInCents: retrievedRun.baseCostInCents,
-    });
-
-    // Verify usageDurationMs (durationMs in the API response) is greater than 0
-    assert.ok(
-      retrievedRun.durationMs > 0,
-      `Expected durationMs > 0, got ${retrievedRun.durationMs}`
-    );
-
-    // For retry test, verify duration accumulated across attempts
-    if (payload.causeRetry) {
-      // With a retry, we should have at least 2x the work duration (attempt 1 + attempt 2)
-      const minExpectedDuration = (payload.workDurationMs ?? 2000) * 1.5; // Allow some variance
-      assert.ok(
-        retrievedRun.durationMs >= minExpectedDuration,
-        `Expected durationMs >= ${minExpectedDuration} for retry test (got ${retrievedRun.durationMs})`
-      );
-      logger.info("✅ Retry accumulation verified - duration includes time from both attempts");
-    }
-
-    // Verify costInCents based on environment type
-    if (isDev) {
-      // In dev, cost should be 0
-      assert.strictEqual(
-        retrievedRun.costInCents,
-        0,
-        `Expected costInCents to be 0 in dev environment, got ${retrievedRun.costInCents}`
-      );
-      logger.info("✅ Dev environment verified - costInCents is 0 as expected");
-    } else {
-      // In non-dev, cost should be > 0
-      assert.ok(
-        retrievedRun.costInCents > 0,
-        `Expected costInCents > 0 in ${ctx.environment.type} environment, got ${retrievedRun.costInCents}`
-      );
-      logger.info(
-        `✅ ${ctx.environment.type} environment verified - costInCents is ${retrievedRun.costInCents}`
-      );
-    }
-
-    logger.info("✅ All usage verification checks passed!", {
-      durationMs: retrievedRun.durationMs,
-      costInCents: retrievedRun.costInCents,
-      baseCostInCents: retrievedRun.baseCostInCents,
-      environmentType: ctx.environment.type,
-      hadRetry: payload.causeRetry,
-    });
-
-    return {
-      success: true,
-      childRunId: childResult.id,
-      durationMs: retrievedRun.durationMs,
-      costInCents: retrievedRun.costInCents,
-      baseCostInCents: retrievedRun.baseCostInCents,
-      environmentType: ctx.environment.type,
-      hadRetry: payload.causeRetry ?? false,
-    };
-  },
-});
diff --git a/references/hello-world/src/trigger/waits.ts b/references/hello-world/src/trigger/waits.ts
deleted file mode 100644
index 14d1cbccd14..00000000000
--- a/references/hello-world/src/trigger/waits.ts
+++ /dev/null
@@ -1,187 +0,0 @@
-import { auth, idempotencyKeys, logger, retry, task, wait } from "@trigger.dev/sdk/v3";
-import Replicate, { Prediction } from "replicate";
-type Token = {
-  status: "approved" | "pending" | "rejected";
-};
-
-export const waitToken = task({
-  id: "wait-token",
-  run: async ({
-    completeBeforeWaiting = false,
-    completeWithPublicToken = false,
-    idempotencyKey,
-    idempotencyKeyTTL,
-    completionDelay,
-    timeout,
-    tags,
-  }: {
-    completeBeforeWaiting?: boolean;
-    completeWithPublicToken?: boolean;
-    idempotencyKey?: string;
-    idempotencyKeyTTL?: string;
-    completionDelay?: number;
-    timeout?: string;
-    tags?: string[];
-  }) => {
-    logger.log("Hello, world", { completeBeforeWaiting });
-
-    const token = await wait.createToken({
-      idempotencyKey,
-      idempotencyKeyTTL,
-      timeout,
-      tags,
-    });
-    logger.log("Token", token);
-
-    const token2 = await wait.createToken({
-      idempotencyKey,
-      idempotencyKeyTTL,
-      timeout: "10s",
-      tags,
-    });
-    logger.log("Token2", token2);
-
-    const publicAccessToken = await auth.createPublicToken({
-      scopes: {
-        write: {
-          waitpoints: token.id,
-        },
-      },
-      expirationTime: "1h",
-    });
-
-    if (completeBeforeWaiting) {
-      if (completeWithPublicToken) {
-        await auth.withAuth(
-          {
-            accessToken: token.publicAccessToken,
-          },
-          async () => {
-            await wait.completeToken<Token>(token.id, { status: "approved" });
-          }
-        );
-      } else {
-        await wait.completeToken<Token>(token.id, { status: "approved" });
-      }
-
-      await wait.for({ seconds: 5 });
-    } else {
-      await completeWaitToken.trigger({ token: token.id, delay: completionDelay });
-    }
-
-    const tokens = await wait.listTokens();
-    await logger.trace("Tokens", async () => {
-      for await (const token of tokens) {
-        logger.log("Token", token);
-      }
-    });
-
-    const retrievedToken = await wait.retrieveToken(token.id);
-    logger.log("Retrieved token", retrievedToken);
-
-    //wait for the token
-    const result = await wait.forToken<{ foo: string }>(token);
-    if (!result.ok) {
-      logger.log("Token timeout", result);
-    } else {
-      logger.log("Token completed", result);
-    }
-
-    const tokens2 = await wait.listTokens({ tags, status: ["COMPLETED"] });
-    await logger.trace("Tokens2", async () => {
-      for await (const token of tokens2) {
-        logger.log("Token2", token);
-      }
-    });
-
-    const retrievedToken2 = await wait.retrieveToken(token.id);
-    logger.log("Retrieved token2", retrievedToken2);
-  },
-});
-
-export const completeWaitToken = task({
-  id: "wait-token-complete",
-  run: async (payload: { token: string; delay?: number }) => {
-    await wait.for({ seconds: payload.delay ?? 10 });
-    await wait.completeToken<Token>(payload.token, { status: "approved" });
-  },
-});
-
-export const waitForDuration = task({
-  id: "wait-duration",
-  run: async ({
-    duration = 4,
-    idempotencyKey,
-    idempotencyKeyTTL,
-  }: {
-    duration?: number;
-    idempotencyKey?: string;
-    idempotencyKeyTTL?: string;
-  }) => {
-    const idempotency = idempotencyKey ? await idempotencyKeys.create(idempotencyKey) : undefined;
-
-    await wait.for({
-      seconds: duration,
-      idempotencyKey: idempotency,
-      idempotencyKeyTTL,
-    });
-    await wait.until({ date: new Date(Date.now() + duration * 1000) });
-
-    await retry.fetch("https://example.com/404", { method: "GET" });
-
-    await retry.onThrow(
-      async () => {
-        throw new Error("This is an error");
-      },
-      {
-        maxAttempts: 2,
-      }
-    );
-  },
-});
-
-export const waitHttpCallback = task({
-  id: "wait-http-callback",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async () => {
-    if (process.env.REPLICATE_API_KEY) {
-      const replicate = new Replicate({
-        auth: process.env.REPLICATE_API_KEY,
-      });
-
-      const token = await wait.createToken({
-        timeout: "10m",
-        tags: ["replicate"],
-      });
-      logger.log("Create result", { token });
-
-      const call = await replicate.predictions.create({
-        version: "27b93a2413e7f36cd83da926f3656280b2931564ff050bf9575f1fdf9bcd7478",
-        input: {
-          prompt: "A painting of a cat by Any Warhol",
-        },
-        // pass the provided URL to Replicate's webhook, so they can "callback"
-        webhook: token.url,
-        webhook_events_filter: ["completed"],
-      });
-
-      const prediction = await wait.forToken<Prediction>(token);
-
-      if (!prediction.ok) {
-        throw new Error("Failed to create prediction");
-      }
-
-      logger.log("Prediction", prediction);
-
-      const imageUrl = prediction.output.output;
-      logger.log("Image URL", imageUrl);
-
-      //same again but with unwrapping
-      const result2 = await wait.forToken<Prediction>(token).unwrap();
-
-      logger.log("Result2", { result2 });
-    }
-  },
-});
diff --git a/references/hello-world/trigger.config.ts b/references/hello-world/trigger.config.ts
deleted file mode 100644
index e0b875cd6d1..00000000000
--- a/references/hello-world/trigger.config.ts
+++ /dev/null
@@ -1,57 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk/v3";
-import { syncEnvVars } from "@trigger.dev/build/extensions/core";
-import { lightpanda } from "@trigger.dev/build/extensions/lightpanda";
-
-export default defineConfig({
-  compatibilityFlags: ["run_engine_v2"],
-  project: "proj_rrkpdguyagvsoktglnod",
-  experimental_processKeepAlive: {
-    enabled: true,
-    maxExecutionsPerProcess: 20,
-  },
-  logLevel: "debug",
-  maxDuration: 3600,
-  ttl: "1h",
-  retries: {
-    enabledInDev: true,
-    default: {
-      maxAttempts: 3,
-      minTimeoutInMs: 1000,
-      maxTimeoutInMs: 10000,
-      factor: 2,
-      randomize: true,
-    },
-  },
-  machine: "small-2x",
-  build: {
-    extensions: [
-      lightpanda(),
-      syncEnvVars(async (ctx) => {
-        return [
-          { name: "SYNC_ENV", value: ctx.environment },
-          { name: "BRANCH", value: ctx.branch ?? "NO_BRANCH" },
-          { name: "BRANCH", value: "PARENT", isParentEnv: true },
-          { name: "SECRET_KEY", value: "secret-value" },
-          { name: "ANOTHER_SECRET", value: "another-secret-value" },
-        ];
-      }),
-      {
-        name: "npm-token",
-        onBuildComplete: async (context, manifest) => {
-          if (context.target === "dev") {
-            return;
-          }
-
-          context.addLayer({
-            id: "npm-token",
-            build: {
-              env: {
-                NPM_TOKEN: manifest.deploy.env?.NPM_TOKEN,
-              },
-            },
-          });
-        },
-      },
-    ],
-  },
-});
diff --git a/references/hello-world/tsconfig.json b/references/hello-world/tsconfig.json
deleted file mode 100644
index 9a5ee0b9d68..00000000000
--- a/references/hello-world/tsconfig.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2023",
-    "module": "Node16",
-    "moduleResolution": "Node16",
-    "esModuleInterop": true,
-    "strict": true,
-    "skipLibCheck": true,
-    "customConditions": ["@triggerdotdev/source"],
-    "jsx": "preserve",
-    "lib": ["DOM", "DOM.Iterable"],
-    "noEmit": true
-  },
-  "include": ["./src/**/*.ts", "trigger.config.ts"]
-}
diff --git a/references/init-shell-js/.gitignore b/references/init-shell-js/.gitignore
deleted file mode 100644
index 6524f048dcb..00000000000
--- a/references/init-shell-js/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-.trigger
\ No newline at end of file
diff --git a/references/init-shell-js/package.json b/references/init-shell-js/package.json
deleted file mode 100644
index 2e3ed59a1d0..00000000000
--- a/references/init-shell-js/package.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
-  "name": "references-init-shell-js",
-  "private": true,
-  "type": "module",
-  "devDependencies": {
-    "trigger.dev": "workspace:*"
-  }
-}
\ No newline at end of file
diff --git a/references/init-shell-js/src/index.js b/references/init-shell-js/src/index.js
deleted file mode 100644
index cb0ff5c3b54..00000000000
--- a/references/init-shell-js/src/index.js
+++ /dev/null
@@ -1 +0,0 @@
-export {};
diff --git a/references/init-shell/package.json b/references/init-shell/package.json
deleted file mode 100644
index bf3ef58089f..00000000000
--- a/references/init-shell/package.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
-  "name": "references-init-shell",
-  "private": true,
-  "type": "module",
-  "devDependencies": {
-    "trigger.dev": "workspace:*"
-  }
-}
\ No newline at end of file
diff --git a/references/init-shell/src/index.ts b/references/init-shell/src/index.ts
deleted file mode 100644
index cb0ff5c3b54..00000000000
--- a/references/init-shell/src/index.ts
+++ /dev/null
@@ -1 +0,0 @@
-export {};
diff --git a/references/init-shell/tsconfig.json b/references/init-shell/tsconfig.json
deleted file mode 100644
index 538d2430732..00000000000
--- a/references/init-shell/tsconfig.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2023",
-    "module": "Node16",
-    "moduleResolution": "Node16",
-    "esModuleInterop": true,
-    "strict": true,
-    "skipLibCheck": true,
-    "customConditions": ["@triggerdotdev/source"],
-    "jsx": "preserve",
-    "lib": ["DOM", "DOM.Iterable"],
-    "noEmit": true
-  },
-  "include": ["./src/**/*.ts"]
-}
diff --git a/references/issue-2687/.env.example b/references/issue-2687/.env.example
deleted file mode 100644
index bec8f7a1b8d..00000000000
--- a/references/issue-2687/.env.example
+++ /dev/null
@@ -1,3 +0,0 @@
-TRIGGER_SECRET_KEY=tr_dev_...
-TRIGGER_API_URL=https://api.trigger.dev
-TRIGGER_BRANCH=
diff --git a/references/issue-2687/README.md b/references/issue-2687/README.md
deleted file mode 100644
index 3f522e048b3..00000000000
--- a/references/issue-2687/README.md
+++ /dev/null
@@ -1,28 +0,0 @@
-# Issue 2687 Reproduction
-
-This reference project reproduces the issue where `Realtime` returns 401 when using `createTriggerPublicToken`.
-
-## Setup
-
-1. Make sure your Trigger.dev instance is running (webapp).
-2. Copy `.env.example` to `.env` and fill in your details:
-
-```bash
-cp .env.example .env
-```
-
-3. Edit `.env` to set your `TRIGGER_SECRET_KEY` and `TRIGGER_API_URL`.
-
-## Running the reproduction
-
-Run the reproduction script:
-
-```bash
-pnpm run repro
-```
-
-## What it does
-
-1. Generates a `triggerPublicToken` for `issue-2687-task`.
-2. Triggers the task using this token.
-3. Attempts to connect to the Realtime endpoint for the resulting run using the same token.
diff --git a/references/issue-2687/package.json b/references/issue-2687/package.json
deleted file mode 100644
index 53b49cb8eee..00000000000
--- a/references/issue-2687/package.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
-  "name": "references-issue-2687",
-  "private": true,
-  "type": "module",
-  "devDependencies": {
-    "trigger.dev": "workspace:*"
-  },
-  "dependencies": {
-    "@trigger.dev/sdk": "workspace:*",
-    "dotenv": "^16.4.5",
-    "tsx": "^4.0.0"
-  },
-  "scripts": {
-    "dev": "trigger dev",
-    "deploy": "trigger deploy",
-    "repro": "tsx src/repro.ts"
-  }
-}
-
diff --git a/references/issue-2687/src/repro.ts b/references/issue-2687/src/repro.ts
deleted file mode 100644
index 4c2be6a840e..00000000000
--- a/references/issue-2687/src/repro.ts
+++ /dev/null
@@ -1,81 +0,0 @@
-import "dotenv/config";
-import { auth, tasks, runs, configure } from "@trigger.dev/sdk/v3";
-
-const taskId = "issue-2687-task";
-
-async function main() {
-  if (!process.env.TRIGGER_SECRET_KEY) {
-    console.error("TRIGGER_SECRET_KEY is not set. Please set it to your project's secret key.");
-    process.exit(1);
-  }
-
-  const apiUrl = process.env.TRIGGER_API_URL || "https://api.trigger.dev";
-  const branch = process.env.TRIGGER_PREVIEW_BRANCH;
-  const secretKey = process.env.TRIGGER_SECRET_KEY;
-
-  console.log(`Using API URL: ${apiUrl}`);
-  console.log(`Using Secret Key: ${secretKey}`);
-  if (branch) {
-    console.log(`Using Branch: ${branch}`);
-  }
-
-  // 1. Generate the public token (Server-side)
-  // We need the secret key for this part, so we use the environment variable which the SDK picks up automatically for this call.
-  console.log("Generating public token...");
-  try {
-    // Ensure we are using the correct API URL for the generation as well, if it matters (it validates against the env).
-    configure({ baseURL: apiUrl, accessToken: secretKey, previewBranch: branch });
-
-    const token = await auth.createTriggerPublicToken(taskId);
-    console.log("Token generated.");
-
-    // 2. Trigger the task using the public token
-    console.log(`Triggering task ${taskId}...`);
-
-    // Use auth.withAuth to temporarily scope the SDK to the public token
-    await auth.withAuth(
-      { accessToken: token, baseURL: apiUrl, previewBranch: branch },
-      async () => {
-        const handle = await tasks.trigger(taskId, { foo: "bar" });
-        console.log(`Task triggered. Run ID: ${handle.id}`);
-
-        let tokenToUse = token;
-        if (handle.publicAccessToken) {
-          console.log("Received publicAccessToken in handle, using it for realtime.");
-          console.log(`Public Access Token: ${handle.publicAccessToken}`);
-          tokenToUse = handle.publicAccessToken;
-        } else {
-          console.log("Using initial token for subsequent requests.");
-        }
-
-        // 3. Access Run details (Simulating Realtime/Read access)
-        // If the token changed (which it might if the API returns a specific read-only token), we should use that.
-
-        if (tokenToUse !== token) {
-          await auth.withAuth(
-            { accessToken: tokenToUse, baseURL: apiUrl, previewBranch: branch },
-            async () => {
-              console.log(`Subscribing to run ${handle.id} with new token...`);
-              for await (const run of runs.subscribeToRun(handle.id)) {
-                console.log(`Run update received. Status: ${run.status}`);
-                break;
-              }
-            }
-          );
-        } else {
-          console.log(`Subscribing to run ${handle.id} with initial token...`);
-          for await (const run of runs.subscribeToRun(handle.id)) {
-            console.log(`Run update received. Status: ${run.status}`);
-            break;
-          }
-        }
-
-        console.log("Realtime/Read access verified.");
-      }
-    );
-  } catch (error) {
-    console.error("Error:", error);
-  }
-}
-
-main();
diff --git a/references/issue-2687/src/trigger/task.ts b/references/issue-2687/src/trigger/task.ts
deleted file mode 100644
index 990a1b46b2a..00000000000
--- a/references/issue-2687/src/trigger/task.ts
+++ /dev/null
@@ -1,9 +0,0 @@
-import { task } from "@trigger.dev/sdk/v3";
-
-export const myTask = task({
-  id: "issue-2687-task",
-  run: async (payload: any) => {
-    console.log("Task running with payload:", payload);
-    return { message: "Hello World" };
-  },
-});
diff --git a/references/issue-2687/trigger.config.ts b/references/issue-2687/trigger.config.ts
deleted file mode 100644
index 0a3d35cb36b..00000000000
--- a/references/issue-2687/trigger.config.ts
+++ /dev/null
@@ -1,17 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk/v3";
-
-export default defineConfig({
-  project: process.env.TRIGGER_PROJECT_REF!,
-  logLevel: "log",
-  maxDuration: 3600,
-  retries: {
-    enabledInDev: true,
-    default: {
-      maxAttempts: 3,
-      minTimeoutInMs: 1000,
-      maxTimeoutInMs: 10000,
-      factor: 2,
-      randomize: true,
-    },
-  },
-});
diff --git a/references/nextjs-realtime/.eslintrc.json b/references/nextjs-realtime/.eslintrc.json
deleted file mode 100644
index 6b10a5b7392..00000000000
--- a/references/nextjs-realtime/.eslintrc.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
-  "extends": [
-    "next/core-web-vitals",
-    "next/typescript"
-  ]
-}
diff --git a/references/nextjs-realtime/.gitignore b/references/nextjs-realtime/.gitignore
deleted file mode 100644
index fd3dbb571a1..00000000000
--- a/references/nextjs-realtime/.gitignore
+++ /dev/null
@@ -1,36 +0,0 @@
-# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
-
-# dependencies
-/node_modules
-/.pnp
-.pnp.js
-.yarn/install-state.gz
-
-# testing
-/coverage
-
-# next.js
-/.next/
-/out/
-
-# production
-/build
-
-# misc
-.DS_Store
-*.pem
-
-# debug
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-
-# local env files
-.env*.local
-
-# vercel
-.vercel
-
-# typescript
-*.tsbuildinfo
-next-env.d.ts
diff --git a/references/nextjs-realtime/README.md b/references/nextjs-realtime/README.md
deleted file mode 100644
index e215bc4ccf1..00000000000
--- a/references/nextjs-realtime/README.md
+++ /dev/null
@@ -1,36 +0,0 @@
-This is a [Next.js](https://nextjs.org) project bootstrapped with [`create-next-app`](https://nextjs.org/docs/app/api-reference/cli/create-next-app).
-
-## Getting Started
-
-First, run the development server:
-
-```bash
-npm run dev
-# or
-yarn dev
-# or
-pnpm dev
-# or
-bun dev
-```
-
-Open [http://localhost:3000](http://localhost:3000) with your browser to see the result.
-
-You can start editing the page by modifying `app/page.tsx`. The page auto-updates as you edit the file.
-
-This project uses [`next/font`](https://nextjs.org/docs/app/building-your-application/optimizing/fonts) to automatically optimize and load [Geist](https://vercel.com/font), a new font family for Vercel.
-
-## Learn More
-
-To learn more about Next.js, take a look at the following resources:
-
-- [Next.js Documentation](https://nextjs.org/docs) - learn about Next.js features and API.
-- [Learn Next.js](https://nextjs.org/learn) - an interactive Next.js tutorial.
-
-You can check out [the Next.js GitHub repository](https://github.com/vercel/next.js) - your feedback and contributions are welcome!
-
-## Deploy on Vercel
-
-The easiest way to deploy your Next.js app is to use the [Vercel Platform](https://vercel.com/new?utm_medium=default-template&filter=next.js&utm_source=create-next-app&utm_campaign=create-next-app-readme) from the creators of Next.js.
-
-Check out our [Next.js deployment documentation](https://nextjs.org/docs/app/building-your-application/deploying) for more details.
diff --git a/references/nextjs-realtime/batchinput.jsonl b/references/nextjs-realtime/batchinput.jsonl
deleted file mode 100644
index 70fd3559627..00000000000
--- a/references/nextjs-realtime/batchinput.jsonl
+++ /dev/null
@@ -1,20 +0,0 @@
-{"custom_id":"request-1","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"What is the difference between narrow AI and general AI?"}],"max_tokens":150}}
-{"custom_id":"request-2","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"How do large language models like GPT-3 work?"}],"max_tokens":150}}
-{"custom_id":"request-3","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"What are some ethical concerns surrounding the development of AI?"}],"max_tokens":150}}
-{"custom_id":"request-4","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"Can you explain the concept of transfer learning in AI?"}],"max_tokens":150}}
-{"custom_id":"request-5","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"What is the Turing test, and is it still relevant in modern AI?"}],"max_tokens":150}}
-{"custom_id":"request-6","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"How do neural networks mimic the human brain?"}],"max_tokens":150}}
-{"custom_id":"request-7","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"What are the main challenges in natural language processing?"}],"max_tokens":150}}
-{"custom_id":"request-8","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"How does reinforcement learning differ from supervised learning?"}],"max_tokens":150}}
-{"custom_id":"request-9","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"What is the role of attention mechanisms in transformer models?"}],"max_tokens":150}}
-{"custom_id":"request-10","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"Can AI truly be creative, or is it just mimicking human creativity?"}],"max_tokens":150}}
-{"custom_id":"request-11","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"What are the potential implications of AI on the job market?"}],"max_tokens":150}}
-{"custom_id":"request-12","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"How do self-driving cars use AI to navigate and make decisions?"}],"max_tokens":150}}
-{"custom_id":"request-13","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"What is the difference between strong AI and weak AI?"}],"max_tokens":150}}
-{"custom_id":"request-14","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"How do language models handle context and maintain coherence in long texts?"}],"max_tokens":150}}
-{"custom_id":"request-15","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"What are some applications of AI in healthcare?"}],"max_tokens":150}}
-{"custom_id":"request-16","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"How does federated learning protect user privacy in AI systems?"}],"max_tokens":150}}
-{"custom_id":"request-17","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"What is the role of bias in AI, and how can it be mitigated?"}],"max_tokens":150}}
-{"custom_id":"request-18","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"Can you explain the concept of explainable AI (XAI)?"}],"max_tokens":150}}
-{"custom_id":"request-19","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"How do recommendation systems use AI to personalize content?"}],"max_tokens":150}}
-{"custom_id":"request-20","method":"POST","url":"/v1/chat/completions","body":{"model":"gpt-3.5-turbo-0125","messages":[{"role":"system","content":"You are a helpful AI assistant specializing in explaining AI and machine learning concepts."},{"role":"user","content":"What are the challenges in developing AI systems that can reason like humans?"}],"max_tokens":150}}
\ No newline at end of file
diff --git a/references/nextjs-realtime/components.json b/references/nextjs-realtime/components.json
deleted file mode 100644
index 42f059b56bb..00000000000
--- a/references/nextjs-realtime/components.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-  "$schema": "https://ui.shadcn.com/schema.json",
-  "style": "new-york",
-  "rsc": true,
-  "tsx": true,
-  "tailwind": {
-    "config": "tailwind.config.ts",
-    "css": "src/app/globals.css",
-    "baseColor": "neutral",
-    "cssVariables": true,
-    "prefix": ""
-  },
-  "aliases": {
-    "components": "@/components",
-    "utils": "@/lib/utils",
-    "ui": "@/components/ui",
-    "lib": "@/lib",
-    "hooks": "@/hooks"
-  }
-}
\ No newline at end of file
diff --git a/references/nextjs-realtime/next.config.mjs b/references/nextjs-realtime/next.config.mjs
deleted file mode 100644
index e6d93dc1337..00000000000
--- a/references/nextjs-realtime/next.config.mjs
+++ /dev/null
@@ -1,35 +0,0 @@
-/** @type {import('next').NextConfig} */
-import NextBundleAnalyzer from "@next/bundle-analyzer";
-
-const nextConfig = {
-  images: {
-    remotePatterns: [
-      {
-        protocol: "https",
-        hostname: "utfs.io",
-        pathname: "/a/ze1ekrd9t9/*",
-      },
-      {
-        protocol: "https",
-        hostname: "v2.fal.media",
-      },
-      {
-        protocol: "https",
-        hostname: "v3.fal.media",
-      },
-      {
-        protocol: "https",
-        hostname: "fal.media",
-      },
-      {
-        protocol: "https",
-        hostname: "storage.googleapis.com",
-      },
-    ],
-  },
-};
-
-export default NextBundleAnalyzer({
-  enabled: process.env.ANALYZE === "true",
-  openAnalyzer: true,
-})(nextConfig);
diff --git a/references/nextjs-realtime/package.json b/references/nextjs-realtime/package.json
deleted file mode 100644
index 4c2736a020f..00000000000
--- a/references/nextjs-realtime/package.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
-  "name": "references-nextjs-realtime",
-  "version": "0.1.0",
-  "private": true,
-  "scripts": {
-    "dev": "next dev",
-    "build": "next build",
-    "start": "next start",
-    "lint": "next lint",
-    "dev:trigger": "trigger dev",
-    "deploy": "trigger deploy"
-  },
-  "dependencies": {
-    "@ai-sdk/openai": "^1.0.1",
-    "@fal-ai/serverless-client": "^0.15.0",
-    "@fast-csv/parse": "^5.0.2",
-    "@opentelemetry/exporter-trace-otlp-http": "^0.57.0",
-    "@radix-ui/react-dialog": "^1.0.3",
-    "@radix-ui/react-icons": "^1.3.0",
-    "@radix-ui/react-progress": "^1.1.1",
-    "@radix-ui/react-scroll-area": "^1.2.0",
-    "@radix-ui/react-slot": "^1.1.0",
-    "@radix-ui/react-tabs": "^1.0.3",
-    "@trigger.dev/react-hooks": "workspace:*",
-    "@trigger.dev/sdk": "workspace:*",
-    "@uploadthing/react": "^7.0.3",
-    "ai": "^4.0.0",
-    "class-variance-authority": "^0.7.0",
-    "clsx": "^2.1.1",
-    "date-fns": "^4.1.0",
-    "langsmith": "^0.2.15",
-    "lucide-react": "^0.451.0",
-    "next": "14.2.21",
-    "openai": "^4.68.4",
-    "react": "^18",
-    "react-dom": "^18",
-    "tailwind-merge": "^2.5.3",
-    "tailwindcss-animate": "^1.0.7",
-    "uploadthing": "^7.1.0",
-    "zod": "3.25.76"
-  },
-  "devDependencies": {
-    "@next/bundle-analyzer": "^15.0.2",
-    "@trigger.dev/rsc": "workspace:*",
-    "@types/react": "^18",
-    "@types/react-dom": "^18",
-    "postcss": "^8",
-    "tailwindcss": "^3.4.1",
-    "trigger.dev": "workspace:*"
-  }
-}
diff --git a/references/nextjs-realtime/postcss.config.mjs b/references/nextjs-realtime/postcss.config.mjs
deleted file mode 100644
index 1a69fd2a450..00000000000
--- a/references/nextjs-realtime/postcss.config.mjs
+++ /dev/null
@@ -1,8 +0,0 @@
-/** @type {import('postcss-load-config').Config} */
-const config = {
-  plugins: {
-    tailwindcss: {},
-  },
-};
-
-export default config;
diff --git a/references/nextjs-realtime/src/app/actions.ts b/references/nextjs-realtime/src/app/actions.ts
deleted file mode 100644
index 8321d81bb2d..00000000000
--- a/references/nextjs-realtime/src/app/actions.ts
+++ /dev/null
@@ -1,42 +0,0 @@
-"use server";
-
-import type { exampleTask } from "@/trigger/example";
-import { auth, tasks } from "@trigger.dev/sdk/v3";
-import { cookies } from "next/headers";
-import { redirect } from "next/navigation";
-import { randomUUID } from "node:crypto";
-
-export async function triggerExampleTask() {
-  const handle = await tasks.trigger<typeof exampleTask>("example", {
-    id: randomUUID(),
-  });
-
-  // Set JWT in a secure, HTTP-only cookie
-  cookies().set("run_token", handle.publicAccessToken);
-
-  // Redirect to the details page
-  redirect(`/runs/${handle.id}`);
-}
-
-export async function batchTriggerExampleTask() {
-  console.log("Batch trigger example task");
-
-  const handle = await tasks.batchTrigger<typeof exampleTask>("example", [
-    { payload: { id: randomUUID() } },
-    { payload: { id: randomUUID() } },
-    { payload: { id: randomUUID() } },
-    { payload: { id: randomUUID() } },
-    { payload: { id: randomUUID() } },
-    { payload: { id: randomUUID() } },
-    { payload: { id: randomUUID() } },
-    { payload: { id: randomUUID() } },
-  ]);
-
-  console.log("Setting the run JWT in a cookie", handle.publicAccessToken);
-
-  // Set JWT in a secure, HTTP-only cookie
-  cookies().set("run_token", handle.publicAccessToken);
-
-  // Redirect to the details page
-  redirect(`/batches/${handle.batchId}`);
-}
diff --git a/references/nextjs-realtime/src/app/ai/[id]/ClientAiDetails.tsx b/references/nextjs-realtime/src/app/ai/[id]/ClientAiDetails.tsx
deleted file mode 100644
index a5853a4c81c..00000000000
--- a/references/nextjs-realtime/src/app/ai/[id]/ClientAiDetails.tsx
+++ /dev/null
@@ -1,83 +0,0 @@
-"use client";
-
-import { Card, CardContent, CardFooter } from "@/components/ui/card";
-import type { openaiStreaming, STREAMS } from "@/trigger/ai";
-import { useRealtimeRunWithStreams } from "@trigger.dev/react-hooks";
-
-function AiRunDetailsWrapper({ runId, accessToken }: { runId: string; accessToken: string }) {
-  const { run, streams, error } = useRealtimeRunWithStreams<typeof openaiStreaming, STREAMS>(
-    runId,
-    {
-      accessToken,
-      baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-    }
-  );
-
-  if (error) {
-    return (
-      <div className="w-full min-h-screen bg-gray-900 p-4">
-        <Card className="w-full bg-gray-800 shadow-md">
-          <CardContent className="pt-6">
-            <p className="text-red-600">Error: {error.message}</p>
-          </CardContent>
-        </Card>
-      </div>
-    );
-  }
-
-  if (!run) {
-    return (
-      <div className="w-full min-h-screen bg-gray-900 py-4 px-6 grid place-items-center">
-        <Card className="w-fit bg-gray-800 border border-gray-700 shadow-md">
-          <CardContent className="pt-6">
-            <p className="text-gray-200">Loading run details…</p>
-          </CardContent>
-        </Card>
-      </div>
-    );
-  }
-
-  const toolCall = streams.openai?.find(
-    (stream) => stream.type === "tool-call" && stream.toolName === "getWeather"
-  );
-  const toolResult = streams.openai?.find((stream) => stream.type === "tool-result");
-  const textDeltas = streams.openai?.filter((stream) => stream.type === "text-delta");
-
-  const text = textDeltas?.map((delta) => delta.textDelta).join("");
-  const weatherLocation = toolCall ? toolCall.args.location : undefined;
-  const weather = toolResult ? toolResult.result.temperature : undefined;
-
-  return (
-    <div className="flex items-center justify-center min-h-screen bg-gray-100 p-4">
-      <Card className="w-full max-w-3xl">
-        <CardContent className="p-6">
-          <div className="h-[calc(100vh-12rem)] overflow-y-auto">
-            {weather ? (
-              <p className="text-lg leading-relaxed">{text || "Preparing weather report..."}</p>
-            ) : (
-              <p className="text-lg">Fetching weather data...</p>
-            )}
-          </div>
-        </CardContent>
-        {weather && (
-          <CardFooter className="bg-muted p-4">
-            <p className="text-sm">
-              <span className="font-semibold">Tool Call:</span> The current temperature in{" "}
-              {weatherLocation} is {weather}.
-            </p>
-          </CardFooter>
-        )}
-      </Card>
-    </div>
-  );
-}
-
-export default function ClientAiDetails({
-  runId,
-  publicAccessToken,
-}: {
-  runId: string;
-  publicAccessToken: string;
-}) {
-  return <AiRunDetailsWrapper runId={runId} accessToken={publicAccessToken} />;
-}
diff --git a/references/nextjs-realtime/src/app/ai/[id]/page.tsx b/references/nextjs-realtime/src/app/ai/[id]/page.tsx
deleted file mode 100644
index 55f1cb32b7e..00000000000
--- a/references/nextjs-realtime/src/app/ai/[id]/page.tsx
+++ /dev/null
@@ -1,15 +0,0 @@
-import ClientAiDetails from "./ClientAiDetails";
-
-export default async function DetailsPage({
-  params,
-  searchParams,
-}: {
-  params: { id: string };
-  searchParams: { publicAccessToken: string };
-}) {
-  return (
-    <main className="flex min-h-screen items-center justify-center p-4 bg-gray-900">
-      <ClientAiDetails runId={params.id} publicAccessToken={searchParams.publicAccessToken} />
-    </main>
-  );
-}
diff --git a/references/nextjs-realtime/src/app/api/uploadthing/core.ts b/references/nextjs-realtime/src/app/api/uploadthing/core.ts
deleted file mode 100644
index 8aec3e65064..00000000000
--- a/references/nextjs-realtime/src/app/api/uploadthing/core.ts
+++ /dev/null
@@ -1,59 +0,0 @@
-import { randomUUID } from "crypto";
-import { createUploadthing, type FileRouter } from "uploadthing/next";
-import { UploadThingError } from "uploadthing/server";
-import type { handleUpload } from "@/trigger/images";
-import type { handleCSVUpload } from "@/trigger/csv";
-import { auth, tasks } from "@trigger.dev/sdk/v3";
-
-const f = createUploadthing();
-
-const mockAuth = (req: Request) => ({ id: randomUUID() }); // Fake auth function
-
-// FileRouter for your app, can contain multiple FileRoutes
-export const ourFileRouter = {
-  // Define as many FileRoutes as you like, each with a unique routeSlug
-  imageUploader: f({ image: { maxFileSize: "4MB" } })
-    // Set permissions and file types for this FileRoute
-    .middleware(async ({ req }) => {
-      // This code runs on your server before upload
-      const user = await mockAuth(req);
-
-      // If you throw, the user will not be able to upload
-      if (!user) throw new UploadThingError("Unauthorized");
-
-      // Whatever is returned here is accessible in onUploadComplete as `metadata`
-      return { userId: user.id };
-    })
-    .onUploadComplete(async ({ metadata, file }) => {
-      // This code RUNS ON YOUR SERVER after upload
-      console.log("Upload complete for userId:", metadata.userId);
-
-      console.log("file", file);
-
-      const fileTag = `file:${file.key}`;
-
-      await tasks.trigger<typeof handleUpload>("handle-upload", file, {
-        tags: [`user:${metadata.userId}`, fileTag],
-      });
-
-      const publicAccessToken = await auth.createPublicToken({
-        scopes: {
-          read: { tags: fileTag },
-        },
-      });
-
-      console.log("Generated access token:", publicAccessToken);
-
-      // !!! Whatever is returned here is sent to the clientside `onClientUploadComplete` callback
-      return { uploadedBy: metadata.userId, publicAccessToken, fileId: file.key };
-    }),
-  csvUploader: f({ blob: { maxFileSize: "4MB" } }).onUploadComplete(async ({ metadata, file }) => {
-    console.log("file", file);
-
-    const handle = await tasks.trigger<typeof handleCSVUpload>("handle-csv-upload", file);
-
-    return handle;
-  }),
-} satisfies FileRouter;
-
-export type OurFileRouter = typeof ourFileRouter;
diff --git a/references/nextjs-realtime/src/app/api/uploadthing/route.ts b/references/nextjs-realtime/src/app/api/uploadthing/route.ts
deleted file mode 100644
index f8f19127888..00000000000
--- a/references/nextjs-realtime/src/app/api/uploadthing/route.ts
+++ /dev/null
@@ -1,6 +0,0 @@
-import { createRouteHandler } from "uploadthing/next";
-import { ourFileRouter } from "./core";
-
-export const { GET, POST } = createRouteHandler({
-  router: ourFileRouter,
-});
diff --git a/references/nextjs-realtime/src/app/batches/[id]/ClientBatchRunDetails.tsx b/references/nextjs-realtime/src/app/batches/[id]/ClientBatchRunDetails.tsx
deleted file mode 100644
index fbcc9347469..00000000000
--- a/references/nextjs-realtime/src/app/batches/[id]/ClientBatchRunDetails.tsx
+++ /dev/null
@@ -1,153 +0,0 @@
-"use client";
-
-import { Card, CardContent } from "@/components/ui/card";
-import type { exampleTask } from "@/trigger/example";
-import { useRealtimeBatch } from "@trigger.dev/react-hooks";
-
-import { Badge } from "@/components/ui/badge";
-import {
-  Table,
-  TableBody,
-  TableCell,
-  TableHead,
-  TableHeader,
-  TableRow,
-} from "@/components/ui/table";
-import { AnyRunShape, TaskRunShape } from "@trigger.dev/sdk/v3";
-import { z } from "zod";
-
-const MetadataSchema = z.object({
-  status: z.object({
-    type: z.string(),
-    progress: z.number(),
-  }),
-});
-
-const ProgressBar = ({ run }: { run: AnyRunShape }) => {
-  const metadata = run.metadata ? MetadataSchema.parse(run.metadata) : undefined;
-  const progress = metadata?.status.progress || 0;
-
-  return (
-    <div className="w-full">
-      <div className="text-xs text-gray-500 mb-1">
-        {metadata ? metadata.status.type : "waiting..."}
-      </div>
-      <div className="w-full bg-gray-200 rounded-full h-2.5 dark:bg-gray-700">
-        <div
-          className="bg-blue-600 h-2.5 rounded-full transition-all duration-500 ease-in-out"
-          style={{ width: `${progress * 100}%` }}
-        ></div>
-      </div>
-    </div>
-  );
-};
-
-const StatusBadge = ({ run }: { run: AnyRunShape }) => {
-  switch (run.status) {
-    case "WAITING_FOR_DEPLOY": {
-      return <Badge className={`bg-purple-800 text-purple-100 font-semibold`}>{run.status}</Badge>;
-    }
-    case "DELAYED": {
-      return <Badge className={`bg-yellow-800 text-yellow-100 font-semibold`}>{run.status}</Badge>;
-    }
-    case "EXPIRED": {
-      return <Badge className={`bg-red-800 text-red-100 font-semibold`}>{run.status}</Badge>;
-    }
-    case "QUEUED": {
-      return <Badge className={`bg-yellow-800 text-yellow-100 font-semibold`}>{run.status}</Badge>;
-    }
-    case "FROZEN":
-    case "REATTEMPTING":
-    case "EXECUTING": {
-      return <Badge className={`bg-blue-800 text-blue-100 font-semibold`}>{run.status}</Badge>;
-    }
-    case "COMPLETED": {
-      return <Badge className={`bg-green-800 text-green-100 font-semibold`}>{run.status}</Badge>;
-    }
-    case "TIMED_OUT":
-    case "SYSTEM_FAILURE":
-    case "INTERRUPTED":
-    case "CRASHED":
-    case "FAILED": {
-      return <Badge className={`bg-red-800 text-red-100 font-semibold`}>{run.status}</Badge>;
-    }
-    case "CANCELED": {
-      return <Badge className={`bg-gray-800 text-gray-100 font-semibold`}>{run.status}</Badge>;
-    }
-    default: {
-      return <Badge className={`bg-gray-800 text-gray-100 font-semibold`}>{run.status}</Badge>;
-    }
-  }
-};
-
-export function BackgroundRunsTable({ runs }: { runs: TaskRunShape<typeof exampleTask>[] }) {
-  return (
-    <div className="max-w-6xl mx-auto mt-8">
-      <h1 className="text-gray-200 text-2xl font-semibold mb-8">Recent Background Runs</h1>
-      <Table>
-        <TableHeader>
-          <TableRow className="border-b border-gray-700">
-            <TableHead className="w-[150px] text-gray-200 text-base">Run ID / Task</TableHead>
-            <TableHead className="text-gray-200 text-base">Status</TableHead>
-            <TableHead className="text-gray-200 text-base">Payload ID</TableHead>
-            <TableHead className="w-[200px] text-gray-200 text-base">Progress</TableHead>
-          </TableRow>
-        </TableHeader>
-        <TableBody>
-          {runs.map((run) => (
-            <TableRow key={run.id} className="border-b border-gray-700 hover:bg-gray-800">
-              <TableCell>
-                <div className="font-medium">{run.id}</div>
-                <div className="text-sm text-gray-500">{run.taskIdentifier}</div>
-              </TableCell>
-              <TableCell>
-                <StatusBadge run={run} />
-              </TableCell>
-              <TableCell>{run.payload.id}</TableCell>
-              <TableCell>
-                <ProgressBar run={run} />
-              </TableCell>
-            </TableRow>
-          ))}
-        </TableBody>
-      </Table>
-    </div>
-  );
-}
-
-function BatchRunTableWrapper({
-  batchId,
-  publicAccessToken,
-}: {
-  batchId: string;
-  publicAccessToken: string;
-}) {
-  const { runs, error } = useRealtimeBatch<typeof exampleTask>(batchId, {
-    accessToken: publicAccessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-  });
-
-  console.log(runs);
-
-  if (error) {
-    return (
-      <div className="w-full min-h-screen bg-gray-100 p-4">
-        <Card className="w-full bg-white shadow-md">
-          <CardContent className="pt-6">
-            <p className="text-red-600">Error: {error.message}</p>
-          </CardContent>
-        </Card>
-      </div>
-    );
-  }
-
-  return (
-    <div className="w-full min-h-screen bg-gray-900 text-gray-200 p-4 space-y-6">
-      <BackgroundRunsTable runs={runs} />
-    </div>
-  );
-}
-
-export default function ClientBatchRunDetails({ batchId, jwt }: { batchId: string; jwt: string }) {
-  return <BatchRunTableWrapper batchId={batchId} publicAccessToken={jwt} />;
-}
diff --git a/references/nextjs-realtime/src/app/batches/[id]/page.tsx b/references/nextjs-realtime/src/app/batches/[id]/page.tsx
deleted file mode 100644
index b9df3faafe3..00000000000
--- a/references/nextjs-realtime/src/app/batches/[id]/page.tsx
+++ /dev/null
@@ -1,18 +0,0 @@
-import { cookies } from "next/headers";
-import { notFound } from "next/navigation";
-import ClientBatchRunDetails from "./ClientBatchRunDetails";
-
-export default async function DetailsPage({ params }: { params: { id: string } }) {
-  const cookieStore = cookies();
-  const jwt = cookieStore.get("run_token");
-
-  if (!jwt) {
-    notFound();
-  }
-
-  return (
-    <main className="flex min-h-screen items-center justify-center p-4 bg-gray-900">
-      <ClientBatchRunDetails batchId={params.id} jwt={jwt.value} />
-    </main>
-  );
-}
diff --git a/references/nextjs-realtime/src/app/csv/[id]/RealtimeCSVRun.tsx b/references/nextjs-realtime/src/app/csv/[id]/RealtimeCSVRun.tsx
deleted file mode 100644
index 8e70a51c1fd..00000000000
--- a/references/nextjs-realtime/src/app/csv/[id]/RealtimeCSVRun.tsx
+++ /dev/null
@@ -1,176 +0,0 @@
-"use client";
-
-import { Badge } from "@/components/ui/badge";
-import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
-import { Progress } from "@/components/ui/progress";
-import { handleCSVUpload } from "@/trigger/csv";
-import { CSVUploadMetadataSchema } from "@/trigger/schemas";
-import { useRealtimeRun } from "@trigger.dev/react-hooks";
-import { Terminal } from "lucide-react";
-
-type UseCSVUploadInstance = {
-  status: "loading" | "queued" | "fetching" | "parsing" | "processing" | "complete" | "error";
-  filename?: string;
-  progress: number;
-  message: string;
-  totalRows?: number;
-  inProgressRows?: number;
-  processedRows?: number;
-};
-
-function useCSVUpload(runId: string, accessToken: string): UseCSVUploadInstance {
-  const instance = useRealtimeRun<typeof handleCSVUpload>(runId, {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-    onComplete: (run) => {
-      console.log("CSV Upload complete", run);
-    },
-    stopOnCompletion: false,
-  });
-
-  if (!instance.run) {
-    return { status: "loading", progress: 0, message: "Loading..." };
-  }
-
-  console.log("CSV Upload", instance.run);
-
-  if (!instance.run.metadata) {
-    return {
-      status: "queued",
-      progress: 0.05,
-      message: "Queued...",
-      filename: instance.run.payload.name,
-    };
-  }
-
-  const parsedMetadata = CSVUploadMetadataSchema.safeParse(instance.run.metadata);
-
-  if (!parsedMetadata.success) {
-    return {
-      status: "error",
-      progress: 0,
-      message: "Failed to parse metadata",
-      filename: instance.run.payload.name,
-    };
-  }
-
-  switch (parsedMetadata.data.status) {
-    case "fetching": {
-      return {
-        status: "fetching",
-        progress: 0.1,
-        message: "Fetching CSV file...",
-        filename: instance.run.payload.name,
-      };
-    }
-    case "parsing": {
-      return {
-        status: "parsing",
-        progress: 0.2,
-        message: "Parsing CSV file...",
-        filename: instance.run.payload.name,
-      };
-    }
-    case "processing": {
-      // progress will be some number between 0.3 and 0.95
-      // depending on the totalRows and processedRows
-
-      const progress =
-        typeof parsedMetadata.data.processedRows === "number" &&
-        typeof parsedMetadata.data.totalRows === "number"
-          ? 0.3 + (parsedMetadata.data.processedRows / parsedMetadata.data.totalRows) * 0.65
-          : 0.3;
-
-      return {
-        status: "processing",
-        progress: progress,
-        message: "Processing CSV file...",
-        totalRows: parsedMetadata.data.totalRows,
-        inProgressRows: parsedMetadata.data.inProgressRows,
-        processedRows: parsedMetadata.data.processedRows,
-        filename: instance.run.payload.name,
-      };
-    }
-    case "complete": {
-      return {
-        status: "complete",
-        progress: 1,
-        message: "CSV processing complete",
-        totalRows: parsedMetadata.data.totalRows,
-        inProgressRows: parsedMetadata.data.inProgressRows,
-        processedRows: parsedMetadata.data.processedRows,
-        filename: instance.run.payload.name,
-      };
-    }
-  }
-}
-
-export default function RealtimeCSVRun({
-  runId,
-  accessToken,
-}: {
-  runId: string;
-  accessToken: string;
-}) {
-  const csvRun = useCSVUpload(runId, accessToken);
-
-  const progress = Math.round(csvRun.progress * 100);
-  const isComplete = csvRun.status === "complete";
-
-  return (
-    <div className="min-h-screen bg-background text-foreground p-6">
-      <div className="max-w-4xl mx-auto space-y-6">
-        <div className="flex items-center gap-2 mb-8">
-          <Terminal className="h-5 w-5 text-primary" />
-          <h1 className="text-xl font-semibold">CSV Email Validation</h1>
-        </div>
-
-        <Card>
-          <CardHeader>
-            <div className="flex justify-between items-start">
-              <div>
-                <CardTitle>{csvRun.filename ?? "n/a"}</CardTitle>
-                <CardDescription>
-                  {csvRun.totalRows ? `Processing ${csvRun.totalRows} rows` : "Processing CSV file"}
-                </CardDescription>
-              </div>
-              <Badge variant="outline" className={isComplete ? "bg-green-500/10" : "bg-primary/10"}>
-                {isComplete ? "Completed" : "Running"}
-              </Badge>
-            </div>
-          </CardHeader>
-          <CardContent className="space-y-6">
-            <div className="space-y-2">
-              <div className="flex justify-between text-sm">
-                <span className="text-muted-foreground">Overall Progress</span>
-                <span className="font-mono">{progress}%</span>
-              </div>
-              <Progress value={progress} className="h-2" />
-            </div>
-
-            <div className="grid grid-cols-2 gap-4">
-              <Card>
-                <CardContent className="pt-6">
-                  <div className="text-2xl font-bold">
-                    {typeof csvRun.processedRows === "number" ? csvRun.processedRows : "N/A"}
-                  </div>
-                  <div className="text-sm text-muted-foreground">Emails Processed</div>
-                </CardContent>
-              </Card>
-              <Card>
-                <CardContent className="pt-6">
-                  <div className="text-2xl font-bold">
-                    {typeof csvRun.totalRows === "number"
-                      ? csvRun.totalRows - (csvRun.processedRows ?? 0)
-                      : "N/A"}
-                  </div>
-                  <div className="text-sm text-muted-foreground">Remaining</div>
-                </CardContent>
-              </Card>
-            </div>
-          </CardContent>
-        </Card>
-      </div>
-    </div>
-  );
-}
diff --git a/references/nextjs-realtime/src/app/csv/[id]/page.tsx b/references/nextjs-realtime/src/app/csv/[id]/page.tsx
deleted file mode 100644
index 0d4c22f3478..00000000000
--- a/references/nextjs-realtime/src/app/csv/[id]/page.tsx
+++ /dev/null
@@ -1,16 +0,0 @@
-import { notFound } from "next/navigation";
-import RealtimeCSVRun from "./RealtimeCSVRun";
-
-export default function CSVProcessor({
-  params,
-  searchParams,
-}: {
-  params: { id: string };
-  searchParams: { [key: string]: string | string[] | undefined };
-}) {
-  if (typeof searchParams.publicAccessToken !== "string") {
-    notFound();
-  }
-
-  return <RealtimeCSVRun runId={params.id} accessToken={searchParams.publicAccessToken} />;
-}
diff --git a/references/nextjs-realtime/src/app/csv/page.tsx b/references/nextjs-realtime/src/app/csv/page.tsx
deleted file mode 100644
index 00df9415947..00000000000
--- a/references/nextjs-realtime/src/app/csv/page.tsx
+++ /dev/null
@@ -1,14 +0,0 @@
-import { CSVUploadDropzone } from "@/components/ImageUploadButton";
-
-export default async function CSVPage() {
-  return (
-    <main className="grid grid-rows-[1fr_auto] min-h-screen items-center justify-center w-full bg-gray-900">
-      <div className="flex flex-col space-y-8">
-        <h1 className="text-gray-200 text-4xl max-w-xl text-center font-bold">
-          Trigger.dev Realtime + UploadThing + CSV Import
-        </h1>
-        <CSVUploadDropzone />
-      </div>
-    </main>
-  );
-}
diff --git a/references/nextjs-realtime/src/app/favicon.ico b/references/nextjs-realtime/src/app/favicon.ico
deleted file mode 100644
index 718d6fea483..00000000000
Binary files a/references/nextjs-realtime/src/app/favicon.ico and /dev/null differ
diff --git a/references/nextjs-realtime/src/app/fonts/GeistMonoVF.woff b/references/nextjs-realtime/src/app/fonts/GeistMonoVF.woff
deleted file mode 100644
index f2ae185cbfd..00000000000
Binary files a/references/nextjs-realtime/src/app/fonts/GeistMonoVF.woff and /dev/null differ
diff --git a/references/nextjs-realtime/src/app/fonts/GeistVF.woff b/references/nextjs-realtime/src/app/fonts/GeistVF.woff
deleted file mode 100644
index 1b62daacff9..00000000000
Binary files a/references/nextjs-realtime/src/app/fonts/GeistVF.woff and /dev/null differ
diff --git a/references/nextjs-realtime/src/app/globals.css b/references/nextjs-realtime/src/app/globals.css
deleted file mode 100644
index 1dcb0fc6d6c..00000000000
--- a/references/nextjs-realtime/src/app/globals.css
+++ /dev/null
@@ -1,78 +0,0 @@
-@tailwind base;
-@tailwind components;
-@tailwind utilities;
-
-body {
-  font-family: Arial, Helvetica, sans-serif;
-}
-
-@layer utilities {
-  .text-balance {
-    text-wrap: balance;
-  }
-}
-
-@layer base {
-  :root {
-    --background: 0 0% 100%;
-    --foreground: 0 0% 3.9%;
-    --card: 0 0% 100%;
-    --card-foreground: 0 0% 3.9%;
-    --popover: 0 0% 100%;
-    --popover-foreground: 0 0% 3.9%;
-    --primary: 0 0% 9%;
-    --primary-foreground: 0 0% 98%;
-    --secondary: 0 0% 96.1%;
-    --secondary-foreground: 0 0% 9%;
-    --muted: 0 0% 96.1%;
-    --muted-foreground: 0 0% 45.1%;
-    --accent: 0 0% 96.1%;
-    --accent-foreground: 0 0% 9%;
-    --destructive: 0 84.2% 60.2%;
-    --destructive-foreground: 0 0% 98%;
-    --border: 0 0% 89.8%;
-    --input: 0 0% 89.8%;
-    --ring: 0 0% 3.9%;
-    --chart-1: 12 76% 61%;
-    --chart-2: 173 58% 39%;
-    --chart-3: 197 37% 24%;
-    --chart-4: 43 74% 66%;
-    --chart-5: 27 87% 67%;
-    --radius: 0.5rem;
-  }
-  .dark {
-    --background: 0 0% 3.9%;
-    --foreground: 0 0% 98%;
-    --card: 0 0% 3.9%;
-    --card-foreground: 0 0% 98%;
-    --popover: 0 0% 3.9%;
-    --popover-foreground: 0 0% 98%;
-    --primary: 0 0% 98%;
-    --primary-foreground: 0 0% 9%;
-    --secondary: 0 0% 14.9%;
-    --secondary-foreground: 0 0% 98%;
-    --muted: 0 0% 14.9%;
-    --muted-foreground: 0 0% 63.9%;
-    --accent: 0 0% 14.9%;
-    --accent-foreground: 0 0% 98%;
-    --destructive: 0 62.8% 30.6%;
-    --destructive-foreground: 0 0% 98%;
-    --border: 0 0% 14.9%;
-    --input: 0 0% 14.9%;
-    --ring: 0 0% 83.1%;
-    --chart-1: 220 70% 50%;
-    --chart-2: 160 60% 45%;
-    --chart-3: 30 80% 55%;
-    --chart-4: 280 65% 60%;
-    --chart-5: 340 75% 55%;
-  }
-}
-
-@layer base {
-  * {
-    @apply border-border;
-  }
-  body {
-    @apply bg-background text-foreground;
-  }
-}
diff --git a/references/nextjs-realtime/src/app/layout.tsx b/references/nextjs-realtime/src/app/layout.tsx
deleted file mode 100644
index dceb68d9466..00000000000
--- a/references/nextjs-realtime/src/app/layout.tsx
+++ /dev/null
@@ -1,45 +0,0 @@
-import type { Metadata } from "next";
-import localFont from "next/font/local";
-import "./globals.css";
-import { NextSSRPlugin } from "@uploadthing/react/next-ssr-plugin";
-import { extractRouterConfig } from "uploadthing/server";
-import { ourFileRouter } from "@/app/api/uploadthing/core";
-
-const geistSans = localFont({
-  src: "./fonts/GeistVF.woff",
-  variable: "--font-geist-sans",
-  weight: "100 900",
-});
-const geistMono = localFont({
-  src: "./fonts/GeistMonoVF.woff",
-  variable: "--font-geist-mono",
-  weight: "100 900",
-});
-
-export const metadata: Metadata = {
-  title: "Trigger.dev Next.js Realtime Demo",
-  description: "Generated by create next app",
-};
-
-export default function RootLayout({
-  children,
-}: Readonly<{
-  children: React.ReactNode;
-}>) {
-  return (
-    <html lang="en">
-      <body className={`${geistSans.variable} ${geistMono.variable} antialiased bg-gray-900`}>
-        <NextSSRPlugin
-          /**
-           * The `extractRouterConfig` will extract **only** the route configs
-           * from the router to prevent additional information from being
-           * leaked to the client. The data passed to the client is the same
-           * as if you were to fetch `/api/uploadthing` directly.
-           */
-          routerConfig={extractRouterConfig(ourFileRouter)}
-        />
-        {children}
-      </body>
-    </html>
-  );
-}
diff --git a/references/nextjs-realtime/src/app/openai/page.tsx b/references/nextjs-realtime/src/app/openai/page.tsx
deleted file mode 100644
index ddda3d218b9..00000000000
--- a/references/nextjs-realtime/src/app/openai/page.tsx
+++ /dev/null
@@ -1,12 +0,0 @@
-import BatchSubmissionForm from "@/components/BatchSubmissionForm";
-import { auth } from "@trigger.dev/sdk/v3";
-
-export default async function Page() {
-  const accessToken = await auth.createTriggerPublicToken("openai-batch");
-
-  return (
-    <div className="min-h-screen bg-gray-100 flex flex-col items-center justify-center p-4 space-y-8">
-      <BatchSubmissionForm accessToken={accessToken} />
-    </div>
-  );
-}
diff --git a/references/nextjs-realtime/src/app/page.tsx b/references/nextjs-realtime/src/app/page.tsx
deleted file mode 100644
index 4d25c158459..00000000000
--- a/references/nextjs-realtime/src/app/page.tsx
+++ /dev/null
@@ -1,27 +0,0 @@
-import RunButton from "@/components/RunButton";
-import BatchRunButton from "@/components/BatchRunButton";
-import TriggerButton from "@/components/TriggerButton";
-import TriggerButtonWithStreaming from "@/components/TriggerButtonWithStreaming";
-import { ImageUploadDropzone } from "@/components/ImageUploadButton";
-import { auth } from "@trigger.dev/sdk/v3";
-
-export default async function Home() {
-  const publicAccessToken = await auth.createTriggerPublicToken("openai-streaming");
-
-  return (
-    <main className="grid grid-rows-[1fr_auto] min-h-screen items-center justify-center w-full bg-gray-900">
-      <div className="flex flex-col space-y-8">
-        <h1 className="text-gray-200 text-4xl max-w-xl text-center font-bold">
-          Trigger.dev Realtime + UploadThing + fal.ai
-        </h1>
-        <ImageUploadDropzone />
-      </div>
-      <div className="flex items-center space-x-4 justify-center w-full">
-        <RunButton />
-        <BatchRunButton />
-        <TriggerButton accessToken={publicAccessToken} />
-        <TriggerButtonWithStreaming accessToken={publicAccessToken} />
-      </div>
-    </main>
-  );
-}
diff --git a/references/nextjs-realtime/src/app/realtime/[id]/page.tsx b/references/nextjs-realtime/src/app/realtime/[id]/page.tsx
deleted file mode 100644
index cd178367d65..00000000000
--- a/references/nextjs-realtime/src/app/realtime/[id]/page.tsx
+++ /dev/null
@@ -1,18 +0,0 @@
-import RunRealtimeComparison from "@/components/RunRealtimeComparison";
-import { auth } from "@trigger.dev/sdk/v3";
-
-export default async function RunRealtimeComparisonPage({ params }: { params: { id: string } }) {
-  const accessToken = await auth.createPublicToken({
-    scopes: {
-      read: {
-        runs: params.id,
-      },
-    },
-  });
-
-  return (
-    <main className="flex min-h-screen items-center justify-center p-4 bg-gray-900">
-      <RunRealtimeComparison accessToken={accessToken} runId={params.id} />
-    </main>
-  );
-}
diff --git a/references/nextjs-realtime/src/app/realtime/page.tsx b/references/nextjs-realtime/src/app/realtime/page.tsx
deleted file mode 100644
index ab2148eb9db..00000000000
--- a/references/nextjs-realtime/src/app/realtime/page.tsx
+++ /dev/null
@@ -1,12 +0,0 @@
-import RealtimeComparison from "@/components/RealtimeComparison";
-import { auth } from "@trigger.dev/sdk/v3";
-
-export default async function RuntimeComparisonPage() {
-  const accessToken = await auth.createTriggerPublicToken("openai-streaming");
-
-  return (
-    <main className="flex min-h-screen items-center justify-center p-4 bg-gray-900">
-      <RealtimeComparison accessToken={accessToken} />
-    </main>
-  );
-}
diff --git a/references/nextjs-realtime/src/app/runs/[id]/ClientRunDetails.tsx b/references/nextjs-realtime/src/app/runs/[id]/ClientRunDetails.tsx
deleted file mode 100644
index 83edc5a6f9b..00000000000
--- a/references/nextjs-realtime/src/app/runs/[id]/ClientRunDetails.tsx
+++ /dev/null
@@ -1,72 +0,0 @@
-"use client";
-
-import RunDetails from "@/components/RunDetails";
-import { Card, CardContent } from "@/components/ui/card";
-import { TriggerAuthContext, useRealtimeRun } from "@trigger.dev/react-hooks";
-import type { exampleTask } from "@/trigger/example";
-import { useEffect, useState } from "react";
-
-function RunDetailsWrapper({
-  runId,
-  publicAccessToken,
-}: {
-  runId: string;
-  publicAccessToken: string;
-}) {
-  const [accessToken, setAccessToken] = useState<string | undefined>(undefined);
-
-  // call setAccessToken with publicAccessToken after 2 seconds
-  useEffect(() => {
-    const timeout = setTimeout(() => {
-      setAccessToken(publicAccessToken);
-    }, 2000);
-
-    return () => clearTimeout(timeout);
-  }, [publicAccessToken]);
-
-  const { run, error } = useRealtimeRun<typeof exampleTask>(runId, {
-    accessToken,
-    enabled: accessToken !== undefined,
-    onComplete: (run) => {
-      console.log("Run completed!", run);
-    },
-  });
-
-  if (error && !run) {
-    return (
-      <div className="w-full min-h-screen bg-gray-900 p-4">
-        <Card className="w-full bg-gray-800 shadow-md">
-          <CardContent className="pt-6">
-            <p className="text-red-600">Error: {error.message}</p>
-          </CardContent>
-        </Card>
-      </div>
-    );
-  }
-
-  if (!run) {
-    return (
-      <div className="w-full min-h-screen bg-gray-900 py-4 px-6 grid place-items-center">
-        <Card className="w-fit bg-gray-800 border border-gray-700 shadow-md">
-          <CardContent className="pt-6">
-            <p className="text-gray-200">Loading run details…</p>
-          </CardContent>
-        </Card>
-      </div>
-    );
-  }
-
-  return (
-    <div className="w-full min-h-screen bg-gray-900 text-gray-200 p-4 space-y-6">
-      <RunDetails record={run} />
-    </div>
-  );
-}
-
-export default function ClientRunDetails({ runId, jwt }: { runId: string; jwt: string }) {
-  return (
-    <TriggerAuthContext.Provider value={{ baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL }}>
-      <RunDetailsWrapper runId={runId} publicAccessToken={jwt} />
-    </TriggerAuthContext.Provider>
-  );
-}
diff --git a/references/nextjs-realtime/src/app/runs/[id]/page.tsx b/references/nextjs-realtime/src/app/runs/[id]/page.tsx
deleted file mode 100644
index 46a41e6a1a3..00000000000
--- a/references/nextjs-realtime/src/app/runs/[id]/page.tsx
+++ /dev/null
@@ -1,18 +0,0 @@
-import { cookies } from "next/headers";
-import { notFound } from "next/navigation";
-import ClientRunDetails from "./ClientRunDetails";
-
-export default async function DetailsPage({ params }: { params: { id: string } }) {
-  const cookieStore = cookies();
-  const jwt = cookieStore.get("run_token");
-
-  if (!jwt) {
-    notFound();
-  }
-
-  return (
-    <main className="flex min-h-screen items-center justify-center p-4 bg-gray-900">
-      <ClientRunDetails runId={params.id} jwt={jwt.value} />
-    </main>
-  );
-}
diff --git a/references/nextjs-realtime/src/app/uploads/[id]/ClientUploadDetails.tsx b/references/nextjs-realtime/src/app/uploads/[id]/ClientUploadDetails.tsx
deleted file mode 100644
index 9191f6861a2..00000000000
--- a/references/nextjs-realtime/src/app/uploads/[id]/ClientUploadDetails.tsx
+++ /dev/null
@@ -1,77 +0,0 @@
-"use client";
-
-import { HandleUploadFooter } from "@/components/HandleUploadFooter";
-import { Card, CardContent } from "@/components/ui/card";
-import ImageDisplay from "@/components/UploadImageDisplay";
-import { useHandleUploadRun } from "@/hooks/useHandleUploadRun";
-import { TriggerAuthContext } from "@trigger.dev/react-hooks";
-
-function UploadDetailsWrapper({ fileId }: { fileId: string }) {
-  const { run, error, images } = useHandleUploadRun(fileId);
-
-  if (error) {
-    return (
-      <div className="w-full min-h-screen bg-gray-900 p-4">
-        <Card className="w-full bg-gray-800 shadow-md">
-          <CardContent className="pt-6">
-            <p className="text-red-600">Error: {error.message}</p>
-          </CardContent>
-        </Card>
-      </div>
-    );
-  }
-
-  if (!run) {
-    return (
-      <div className="w-full min-h-screen bg-gray-900 py-4 px-8 grid place-items-center">
-        <Card className="w-fit bg-gray-800 border border-gray-700 shadow-md">
-          <CardContent className="pt-6">
-            <p className="text-gray-200">Loading run details…</p>
-          </CardContent>
-        </Card>
-      </div>
-    );
-  }
-
-  const gridImages = images.map((image) =>
-    image.data.status === "COMPLETED" && image.data.image
-      ? {
-          status: "completed" as const,
-          src: image.data.image.url,
-          caption: image.data.image.file_name,
-          message: image.model,
-        }
-      : { status: "pending" as const, message: image.model }
-  );
-
-  return (
-    <div className="w-full min-h-screen bg-gray-900 text-gray-200 p-4 space-y-6">
-      <ImageDisplay
-        uploadedImage={run.payload.appUrl}
-        uploadedCaption={run.payload.name}
-        gridImages={gridImages}
-      />
-
-      <HandleUploadFooter
-        run={run}
-        viewRunUrl={`${process.env.NEXT_PUBLIC_TRIGGER_API_URL}/projects/v3/proj_bzhdaqhlymtuhlrcgbqy/runs/${run.id}`}
-      />
-    </div>
-  );
-}
-
-export default function ClientUploadDetails({
-  fileId,
-  publicAccessToken,
-}: {
-  fileId: string;
-  publicAccessToken: string;
-}) {
-  return (
-    <TriggerAuthContext.Provider
-      value={{ accessToken: publicAccessToken, baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL }}
-    >
-      <UploadDetailsWrapper fileId={fileId} />
-    </TriggerAuthContext.Provider>
-  );
-}
diff --git a/references/nextjs-realtime/src/app/uploads/[id]/page.tsx b/references/nextjs-realtime/src/app/uploads/[id]/page.tsx
deleted file mode 100644
index f503af2d85b..00000000000
--- a/references/nextjs-realtime/src/app/uploads/[id]/page.tsx
+++ /dev/null
@@ -1,22 +0,0 @@
-import { notFound } from "next/navigation";
-import ClientUploadDetails from "./ClientUploadDetails";
-
-export default async function UploadPage({
-  params,
-  searchParams,
-}: {
-  params: { id: string };
-  searchParams: { [key: string]: string | string[] | undefined };
-}) {
-  const publicAccessToken = searchParams.publicAccessToken;
-
-  if (typeof publicAccessToken !== "string") {
-    notFound();
-  }
-
-  return (
-    <main className="flex min-h-screen items-center justify-center p-4 bg-gray-900">
-      <ClientUploadDetails fileId={params.id} publicAccessToken={publicAccessToken} />
-    </main>
-  );
-}
diff --git a/references/nextjs-realtime/src/components/BatchProgressIndicator.tsx b/references/nextjs-realtime/src/components/BatchProgressIndicator.tsx
deleted file mode 100644
index a96c6d629d8..00000000000
--- a/references/nextjs-realtime/src/components/BatchProgressIndicator.tsx
+++ /dev/null
@@ -1,183 +0,0 @@
-"use client";
-
-import { useState, useEffect } from "react";
-import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
-import { Progress } from "@/components/ui/progress";
-import { Badge } from "@/components/ui/badge";
-import { Button } from "@/components/ui/button";
-import { AlertCircle, CheckCircle2, Clock, FileText, Loader2, RefreshCw } from "lucide-react";
-
-type BatchStatus = "validating" | "in_progress" | "completed" | "failed" | "expired";
-
-interface BatchInfo {
-  id: string;
-  status: BatchStatus;
-  totalRequests: number;
-  completedRequests: number;
-  failedRequests: number;
-  inputFileName: string;
-  outputFileName: string | null;
-  errorFileName: string | null;
-  createdAt: string;
-  completedAt: string | null;
-}
-
-export default function BatchProgressIndicator() {
-  const [batchInfo, setBatchInfo] = useState<BatchInfo>({
-    id: "batch_abc123",
-    status: "in_progress",
-    totalRequests: 1000,
-    completedRequests: 750,
-    failedRequests: 10,
-    inputFileName: "input.jsonl",
-    outputFileName: null,
-    errorFileName: null,
-    createdAt: "2023-03-15T10:30:00Z",
-    completedAt: null,
-  });
-  const [lastCheckedAt, setLastCheckedAt] = useState<string>(new Date().toISOString());
-
-  useEffect(() => {
-    // Simulate progress
-    const interval = setInterval(() => {
-      setBatchInfo((prev) => ({
-        ...prev,
-        completedRequests: Math.min(prev.completedRequests + 10, prev.totalRequests),
-        status: prev.completedRequests + 10 >= prev.totalRequests ? "completed" : prev.status,
-        completedAt:
-          prev.completedRequests + 10 >= prev.totalRequests ? new Date().toISOString() : null,
-        outputFileName: prev.completedRequests + 10 >= prev.totalRequests ? "output.jsonl" : null,
-      }));
-      setLastCheckedAt(new Date().toISOString());
-    }, 1000);
-
-    return () => clearInterval(interval);
-  }, []);
-
-  const getStatusIcon = (status: BatchStatus) => {
-    switch (status) {
-      case "validating":
-      case "in_progress":
-        return <Loader2 className="w-4 h-4 animate-spin" />;
-      case "completed":
-        return <CheckCircle2 className="w-4 h-4 text-green-600" />;
-      case "failed":
-        return <AlertCircle className="w-4 h-4 text-red-600" />;
-      case "expired":
-        return <Clock className="w-4 h-4 text-yellow-600" />;
-    }
-  };
-
-  const getStatusColor = (status: BatchStatus) => {
-    switch (status) {
-      case "validating":
-      case "in_progress":
-        return "bg-blue-100 text-blue-800 border-blue-300";
-      case "completed":
-        return "bg-green-100 text-green-800 border-green-300";
-      case "failed":
-        return "bg-red-100 text-red-800 border-red-300";
-      case "expired":
-        return "bg-yellow-100 text-yellow-800 border-yellow-300";
-    }
-  };
-
-  return (
-    <Card className="w-full max-w-2xl bg-white text-gray-800 border border-gray-200 shadow-sm font-mono">
-      <CardHeader className="border-b border-gray-200">
-        <CardTitle className="flex items-center justify-between text-lg">
-          <span className="font-bold">Batch Progress: {batchInfo.id}</span>
-          <Badge
-            variant="outline"
-            className={`${getStatusColor(
-              batchInfo.status
-            )} px-2 py-1 text-xs font-semibold rounded border`}
-          >
-            {getStatusIcon(batchInfo.status)}
-            <span className="ml-2 capitalize">{batchInfo.status.replace("_", " ")}</span>
-          </Badge>
-        </CardTitle>
-      </CardHeader>
-      <CardContent className="space-y-4 p-4">
-        <div className="flex justify-between text-sm">
-          <span>Progress</span>
-          <span className="font-bold">
-            {Math.round((batchInfo.completedRequests / batchInfo.totalRequests) * 100)}%
-          </span>
-        </div>
-        <Progress
-          value={(batchInfo.completedRequests / batchInfo.totalRequests) * 100}
-          className="h-2 bg-gray-200"
-        />
-        <div className="grid grid-cols-2 gap-4 text-sm">
-          <div className="bg-gray-50 p-2 rounded">
-            <p className="text-gray-500">Total Requests</p>
-            <p className="font-bold">{batchInfo.totalRequests}</p>
-          </div>
-          <div className="bg-gray-50 p-2 rounded">
-            <p className="text-gray-500">Completed</p>
-            <p className="font-bold">{batchInfo.completedRequests}</p>
-          </div>
-          <div className="bg-gray-50 p-2 rounded">
-            <p className="text-gray-500">Failed</p>
-            <p className="font-bold">{batchInfo.failedRequests}</p>
-          </div>
-          <div className="bg-gray-50 p-2 rounded">
-            <p className="text-gray-500">Created At</p>
-            <p className="font-bold">{new Date(batchInfo.createdAt).toLocaleString()}</p>
-          </div>
-          <div className="bg-gray-50 p-2 rounded col-span-2">
-            <p className="text-gray-500">Last Checked At</p>
-            <p className="font-bold">{new Date(lastCheckedAt).toLocaleString()}</p>
-          </div>
-        </div>
-        <div className="space-y-2 bg-gray-50 p-2 rounded">
-          <div className="flex items-center space-x-2">
-            <FileText className="w-4 h-4 text-gray-500" />
-            <span className="text-sm">
-              Input: <span className="font-bold">{batchInfo.inputFileName}</span>
-            </span>
-          </div>
-          {batchInfo.outputFileName && (
-            <div className="flex items-center space-x-2">
-              <FileText className="w-4 h-4 text-gray-500" />
-              <span className="text-sm">
-                Output: <span className="font-bold">{batchInfo.outputFileName}</span>
-              </span>
-            </div>
-          )}
-          {batchInfo.errorFileName && (
-            <div className="flex items-center space-x-2">
-              <FileText className="w-4 h-4 text-gray-500" />
-              <span className="text-sm">
-                Errors: <span className="font-bold">{batchInfo.errorFileName}</span>
-              </span>
-            </div>
-          )}
-        </div>
-        <div className="flex justify-end space-x-2">
-          <Button
-            variant="outline"
-            size="sm"
-            className="text-blue-600 border-blue-300 hover:bg-blue-50"
-          >
-            <RefreshCw className="w-4 h-4 mr-2" />
-            Refresh
-          </Button>
-          <Button
-            variant="destructive"
-            size="sm"
-            className="bg-red-100 text-red-600 hover:bg-red-200 border border-red-300"
-            disabled={
-              batchInfo.status === "completed" ||
-              batchInfo.status === "failed" ||
-              batchInfo.status === "expired"
-            }
-          >
-            Cancel Batch
-          </Button>
-        </div>
-      </CardContent>
-    </Card>
-  );
-}
diff --git a/references/nextjs-realtime/src/components/BatchRunButton.tsx b/references/nextjs-realtime/src/components/BatchRunButton.tsx
deleted file mode 100644
index 9c10ae06332..00000000000
--- a/references/nextjs-realtime/src/components/BatchRunButton.tsx
+++ /dev/null
@@ -1,28 +0,0 @@
-"use client";
-
-// @ts-ignore
-import { useFormStatus } from "react-dom";
-import { batchTriggerExampleTask } from "@/app/actions";
-import { Button } from "@/components/ui/button";
-
-function SubmitButton() {
-  const { pending } = useFormStatus();
-
-  return (
-    <Button
-      type="submit"
-      disabled={pending}
-      className="p-0 bg-transparent hover:bg-transparent hover:text-gray-200 text-gray-400"
-    >
-      {pending ? "Running..." : "Run Batch Task"}
-    </Button>
-  );
-}
-
-export default function BatchRunTaskForm() {
-  return (
-    <form action={batchTriggerExampleTask}>
-      <SubmitButton />
-    </form>
-  );
-}
diff --git a/references/nextjs-realtime/src/components/BatchSubmissionForm.tsx b/references/nextjs-realtime/src/components/BatchSubmissionForm.tsx
deleted file mode 100644
index a761b182c52..00000000000
--- a/references/nextjs-realtime/src/components/BatchSubmissionForm.tsx
+++ /dev/null
@@ -1,102 +0,0 @@
-"use client";
-
-import { useState } from "react";
-import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
-import { Button } from "@/components/ui/button";
-import { Textarea } from "@/components/ui/textarea";
-import { Upload, AlertCircle } from "lucide-react";
-import { Alert, AlertDescription } from "@/components/ui/alert";
-import { useRealtimeRun, useTaskTrigger } from "@trigger.dev/react-hooks";
-import type { openaiBatch } from "@/trigger/openaiBatch";
-
-export default function BatchSubmissionForm({ accessToken }: { accessToken: string }) {
-  const trigger = useTaskTrigger<typeof openaiBatch>("openai-batch", {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-  });
-
-  const { run } = useRealtimeRun<typeof openaiBatch>(trigger.handle?.id, {
-    accessToken: trigger.handle?.publicAccessToken,
-    enabled: !!trigger.handle,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-  });
-
-  const [jsonlContent, setJsonlContent] = useState("");
-
-  const handleSubmit = async (e: React.FormEvent) => {
-    e.preventDefault();
-
-    trigger.submit({
-      jsonl: jsonlContent,
-    });
-  };
-
-  return (
-    <Card className="w-full max-w-2xl bg-white text-gray-800 border border-gray-200 shadow-sm font-mono">
-      <CardHeader className="border-b border-gray-200">
-        <CardTitle className="text-lg font-bold">Submit Batch Job</CardTitle>
-      </CardHeader>
-      <CardContent className="space-y-4 p-4">
-        <form onSubmit={handleSubmit} className="space-y-4">
-          <div>
-            <label htmlFor="jsonl-input" className="block text-sm font-medium text-gray-700 mb-1">
-              JSONL Content
-            </label>
-            <Textarea
-              id="jsonl-input"
-              value={jsonlContent}
-              onChange={(e) => setJsonlContent(e.target.value)}
-              placeholder="Paste your JSONL content here..."
-              className="w-full h-48 p-2 text-sm bg-gray-50 border border-gray-300 rounded-md focus:ring-blue-500 focus:border-blue-500"
-              required
-            />
-          </div>
-          {trigger.error && (
-            <Alert variant="destructive">
-              <AlertCircle className="h-4 w-4" />
-              <AlertDescription>{trigger.error.message}</AlertDescription>
-            </Alert>
-          )}
-          <div className="flex justify-end">
-            <Button
-              type="submit"
-              disabled={trigger.isLoading || !jsonlContent.trim()}
-              className="bg-blue-600 text-white hover:bg-blue-700 focus:ring-4 focus:ring-blue-300 font-medium rounded-lg text-sm px-5 py-2.5 text-center inline-flex items-center"
-            >
-              {trigger.isLoading ? (
-                <>
-                  <svg
-                    className="animate-spin -ml-1 mr-3 h-5 w-5 text-white"
-                    xmlns="http://www.w3.org/2000/svg"
-                    fill="none"
-                    viewBox="0 0 24 24"
-                  >
-                    <circle
-                      className="opacity-25"
-                      cx="12"
-                      cy="12"
-                      r="10"
-                      stroke="currentColor"
-                      strokeWidth="4"
-                    ></circle>
-                    <path
-                      className="opacity-75"
-                      fill="currentColor"
-                      d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"
-                    ></path>
-                  </svg>
-                  Submitting...
-                </>
-              ) : (
-                <>
-                  <Upload className="w-4 h-4 mr-2" />
-                  Submit Batch
-                </>
-              )}
-            </Button>
-          </div>
-        </form>
-      </CardContent>
-    </Card>
-  );
-}
diff --git a/references/nextjs-realtime/src/components/HandleUploadFooter.tsx b/references/nextjs-realtime/src/components/HandleUploadFooter.tsx
deleted file mode 100644
index 20139adcf78..00000000000
--- a/references/nextjs-realtime/src/components/HandleUploadFooter.tsx
+++ /dev/null
@@ -1,61 +0,0 @@
-"use client";
-
-import { Badge } from "@/components/ui/badge";
-import { Button } from "@/components/ui/button";
-import { AnyRunShape, TaskRunShape } from "@trigger.dev/sdk/v3";
-import { ChevronLeft, ExternalLink } from "lucide-react";
-import type { handleUpload } from "@/trigger/images";
-
-interface HandleUploadFooterProps {
-  run: TaskRunShape<typeof handleUpload>;
-  viewRunUrl: string;
-}
-
-export function HandleUploadFooter({ run, viewRunUrl }: HandleUploadFooterProps) {
-  const getStatusColor = (status: AnyRunShape["status"]) => {
-    switch (status) {
-      case "EXECUTING":
-        return "bg-blue-500";
-      case "COMPLETED":
-        return "bg-green-500";
-      case "FAILED":
-        return "bg-red-500";
-      default:
-        return "bg-gray-500";
-    }
-  };
-
-  return (
-    <div className="fixed flex items-center justify-between bottom-0 left-0 right-0 bg-gray-800 border-t border-gray-700 p-4">
-      <Button variant="outline" size="sm" asChild>
-        <a
-          href="/"
-          rel="noopener noreferrer"
-          className="flex items-center bg-green-700 text-white px-2 py-1 rounded-md border-transparent hover:bg-green-600 hover:text-white"
-        >
-          <ChevronLeft className="mr-1 size-4" />
-          Upload another image
-        </a>
-      </Button>
-      <div className="flex items-center space-x-4">
-        <span className="text-sm font-medium">Run ID: {run.id}</span>
-        <span className="text-gray-400">|</span>
-        <span className="text-sm">Processing {run.payload.name}</span>
-        <Badge variant="secondary" className={`${getStatusColor(run.status)} text-gray-200`}>
-          {run.status}
-        </Badge>
-      </div>
-      <Button variant="outline" size="sm" asChild>
-        <a
-          href={viewRunUrl}
-          target="_blank"
-          rel="noopener noreferrer"
-          className="flex items-center bg-green-700 text-white px-2 py-1 rounded-md border-transparent hover:bg-green-600 hover:text-white"
-        >
-          View Run
-          <ExternalLink className="ml-2 size-4" />
-        </a>
-      </Button>
-    </div>
-  );
-}
diff --git a/references/nextjs-realtime/src/components/ImageUploadButton.tsx b/references/nextjs-realtime/src/components/ImageUploadButton.tsx
deleted file mode 100644
index ff435c633cb..00000000000
--- a/references/nextjs-realtime/src/components/ImageUploadButton.tsx
+++ /dev/null
@@ -1,78 +0,0 @@
-"use client";
-
-import { UploadButton, UploadDropzone } from "@/utils/uploadthing";
-import { useRouter } from "next/navigation";
-
-export function ImageUploadButton() {
-  const router = useRouter();
-
-  return (
-    <UploadButton
-      endpoint="imageUploader"
-      onClientUploadComplete={(res) => {
-        // Do something with the response
-        console.log("Files: ", res);
-
-        const firstFile = res[0];
-
-        router.push(
-          `/uploads/${firstFile.serverData.fileId}?publicAccessToken=${firstFile.serverData.publicAccessToken}`
-        );
-      }}
-      onUploadError={(error: Error) => {
-        // Do something with the error.
-        console.error(`ERROR! ${error.message}`);
-      }}
-    />
-  );
-}
-
-export function ImageUploadDropzone() {
-  const router = useRouter();
-
-  return (
-    <UploadDropzone
-      endpoint="imageUploader"
-      onClientUploadComplete={(res) => {
-        // Do something with the response
-        console.log("Files: ", res);
-
-        const firstFile = res[0];
-
-        router.push(
-          `/uploads/${firstFile.serverData.fileId}?publicAccessToken=${firstFile.serverData.publicAccessToken}`
-        );
-      }}
-      onUploadError={(error: Error) => {
-        // Do something with the error.
-        console.error(`ERROR! ${error.message}`);
-      }}
-      className="border-gray-600"
-    />
-  );
-}
-
-export function CSVUploadDropzone() {
-  const router = useRouter();
-
-  return (
-    <UploadDropzone
-      endpoint="csvUploader"
-      onClientUploadComplete={(res) => {
-        // Do something with the response
-        console.log("Files: ", res);
-
-        const firstFile = res[0];
-
-        router.push(
-          `/csv/${firstFile.serverData.id}?publicAccessToken=${firstFile.serverData.publicAccessToken}`
-        );
-      }}
-      onUploadError={(error: Error) => {
-        // Do something with the error.
-        console.error(`ERROR! ${error.message}`);
-      }}
-      className="border-gray-600"
-    />
-  );
-}
diff --git a/references/nextjs-realtime/src/components/RealtimeComparison.tsx b/references/nextjs-realtime/src/components/RealtimeComparison.tsx
deleted file mode 100644
index 009798eab71..00000000000
--- a/references/nextjs-realtime/src/components/RealtimeComparison.tsx
+++ /dev/null
@@ -1,98 +0,0 @@
-"use client";
-
-import { Button } from "@/components/ui/button";
-import { useRealtimeRunWithStreams, useTaskTrigger } from "@trigger.dev/react-hooks";
-import type { STREAMS, openaiStreaming } from "@/trigger/ai";
-
-export default function RealtimeComparison({ accessToken }: { accessToken: string }) {
-  const trigger = useTaskTrigger<typeof openaiStreaming>("openai-streaming", {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-  });
-
-  const { streams, stop, run } = useRealtimeRunWithStreams<typeof openaiStreaming, STREAMS>(
-    trigger.handle?.id,
-    {
-      accessToken: trigger.handle?.publicAccessToken,
-      enabled: !!trigger.handle,
-      baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-      onComplete: (...args) => {
-        console.log("Run completed!", args);
-      },
-    }
-  );
-
-  return (
-    <div className="flex flex-col h-screen bg-gray-900 text-gray-200 text-xs">
-      <div className="p-4">
-        <Button
-          className="bg-gray-100 text-gray-900 hover:bg-gray-200 font-semibold text-xs"
-          onClick={() => {
-            trigger.submit({
-              model: "gpt-4o-mini",
-              prompt:
-                "Based on the temperature, will I need to wear extra clothes today in San Fransico? Please be detailed.",
-            });
-          }}
-        >
-          Debug LLM Streaming
-        </Button>
-
-        {run && (
-          <Button
-            className="bg-gray-100 text-gray-900 hover:bg-gray-200 font-semibold text-xs ml-8"
-            onClick={() => {
-              stop();
-            }}
-          >
-            Stop Streaming
-          </Button>
-        )}
-      </div>
-      <div className="flex-grow flex overflow-hidden">
-        <div className="w-1/2 border-r border-gray-700 overflow-auto">
-          <table className="w-full table-fixed">
-            <thead>
-              <tr className="bg-gray-800">
-                <th className="w-16 p-2 text-left">ID</th>
-                <th className="p-2 text-left">Data</th>
-              </tr>
-            </thead>
-            <tbody>
-              {(streams.openai ?? []).map((part, i) => (
-                <tr key={i} className="border-b border-gray-700">
-                  <td className="w-16 p-2 truncate">{i + 1}</td>
-                  <td className="p-2">
-                    <div className="font-mono whitespace-nowrap overflow-x-auto">
-                      {JSON.stringify(part)}
-                    </div>
-                  </td>
-                </tr>
-              ))}
-            </tbody>
-          </table>
-        </div>
-        <div className="w-1/2 overflow-auto">
-          <table className="w-full table-fixed">
-            <thead>
-              <tr className="bg-gray-800">
-                <th className="w-16 p-2 text-left">ID</th>
-                <th className="p-2 text-left">Data</th>
-              </tr>
-            </thead>
-            <tbody>
-              {(streams.openaiText ?? []).map((text, i) => (
-                <tr key={i} className="border-b border-gray-700">
-                  <td className="w-16 p-2 truncate">{i + 1}</td>
-                  <td className="p-2">
-                    <div className="font-mono whitespace-nowrap overflow-x-auto">{text}</div>
-                  </td>
-                </tr>
-              ))}
-            </tbody>
-          </table>
-        </div>
-      </div>
-    </div>
-  );
-}
diff --git a/references/nextjs-realtime/src/components/RunButton.tsx b/references/nextjs-realtime/src/components/RunButton.tsx
deleted file mode 100644
index 59f2223f541..00000000000
--- a/references/nextjs-realtime/src/components/RunButton.tsx
+++ /dev/null
@@ -1,28 +0,0 @@
-"use client";
-
-// @ts-ignore
-import { useFormStatus } from "react-dom";
-import { triggerExampleTask } from "@/app/actions";
-import { Button } from "@/components/ui/button";
-
-function SubmitButton() {
-  const { pending } = useFormStatus();
-
-  return (
-    <Button
-      type="submit"
-      disabled={pending}
-      className="p-0 bg-transparent hover:bg-transparent hover:text-gray-200 text-gray-400"
-    >
-      {pending ? "Running..." : "Run Task"}
-    </Button>
-  );
-}
-
-export default function RunTaskForm() {
-  return (
-    <form action={triggerExampleTask}>
-      <SubmitButton />
-    </form>
-  );
-}
diff --git a/references/nextjs-realtime/src/components/RunDetails.tsx b/references/nextjs-realtime/src/components/RunDetails.tsx
deleted file mode 100644
index 64deb8940af..00000000000
--- a/references/nextjs-realtime/src/components/RunDetails.tsx
+++ /dev/null
@@ -1,151 +0,0 @@
-import { Badge } from "@/components/ui/badge";
-import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
-import { ScrollArea } from "@/components/ui/scroll-area";
-import { exampleTask } from "@/trigger/example";
-import type { TaskRunShape } from "@trigger.dev/sdk/v3";
-import { AlertTriangleIcon, CheckCheckIcon, XIcon } from "lucide-react";
-
-function formatDate(date: Date | undefined) {
-  return date ? new Date(date).toLocaleString() : "N/A";
-}
-
-function JsonDisplay({ data }: { data: any }) {
-  return (
-    <ScrollArea className="h-[200px] w-full rounded-md border p-4 bg-gray-900 border-gray-700">
-      <pre className="text-sm">{JSON.stringify(data, null, 2)}</pre>
-    </ScrollArea>
-  );
-}
-
-export default function RunDetails({ record }: { record: TaskRunShape<typeof exampleTask> }) {
-  return (
-    <Card className="w-full max-w-4xl mx-auto bg-gray-800 border-gray-700 text-gray-200">
-      <CardHeader>
-        <CardTitle className="text-2xl font-bold">Run Details</CardTitle>
-      </CardHeader>
-      <CardContent className="grid gap-6">
-        <div className="grid grid-cols-2 gap-4">
-          <div>
-            <h3 className="font-semibold mb-1">ID</h3>
-            <p className="text-sm">{record.id}</p>
-          </div>
-          <div>
-            <h3 className="font-semibold mb-1">Task Identifier</h3>
-            <p className="text-sm">{record.taskIdentifier}</p>
-          </div>
-          <div>
-            <h3 className="font-semibold mb-1">Status</h3>
-            <Badge variant={record.status === "COMPLETED" ? "default" : "secondary"}>
-              {record.status}
-            </Badge>
-          </div>
-          <div>
-            <h3 className="font-semibold mb-1">Is Test</h3>
-            {record.isTest ? (
-              <span className="text-gray-200 flex items-center gap-1 text-sm">
-                <CheckCheckIcon className="size-4 text-green-500" />
-                Yes
-              </span>
-            ) : (
-              <span className="text-gray-200 flex items-center gap-1 text-sm">
-                <XIcon className="size-4" /> No
-              </span>
-            )}
-          </div>
-          {record.idempotencyKey && (
-            <div>
-              <h3 className="font-semibold mb-1">Idempotency Key</h3>
-              <p className="text-sm">{record.idempotencyKey}</p>
-            </div>
-          )}
-          {record.ttl && (
-            <div>
-              <h3 className="font-semibold mb-1">TTL</h3>
-              <p className="text-sm">{record.ttl}</p>
-            </div>
-          )}
-        </div>
-
-        <div>
-          <h3 className="font-semibold mb-1">Tags</h3>
-          <div className="flex flex-wrap gap-2">
-            {record.tags.length > 0 ? (
-              record.tags.map((tag, index) => (
-                <Badge key={index} variant="outline">
-                  {tag}
-                </Badge>
-              ))
-            ) : (
-              <span className="text-sm text-muted-foreground">No tags</span>
-            )}
-          </div>
-        </div>
-
-        <div className="grid grid-cols-2 gap-4">
-          <div>
-            <h3 className="font-semibold mb-1">Created At</h3>
-            <p className="text-sm">{formatDate(record.createdAt)}</p>
-          </div>
-          <div>
-            <h3 className="font-semibold mb-1">Updated At</h3>
-            <p className="text-sm">{formatDate(record.updatedAt)}</p>
-          </div>
-          <div>
-            <h3 className="font-semibold mb-1">Started At</h3>
-            <p className="text-sm">{formatDate(record.startedAt)}</p>
-          </div>
-          <div>
-            <h3 className="font-semibold mb-1">Finished At</h3>
-            <p className="text-sm">{formatDate(record.finishedAt)}</p>
-          </div>
-          <div>
-            <h3 className="font-semibold mb-1">Delayed Until</h3>
-            <p className="text-sm">{formatDate(record.delayedUntil)}</p>
-          </div>
-          <div>
-            <h3 className="font-semibold mb-1">Expired At</h3>
-            <p className="text-sm">{formatDate(record.expiredAt)}</p>
-          </div>
-        </div>
-
-        <div>
-          <h3 className="font-semibold mb-1">Payload</h3>
-          <JsonDisplay data={record.payload} />
-        </div>
-
-        {record.output && (
-          <div>
-            <h3 className="font-semibold mb-1">Output</h3>
-            <p className="text-sm">{record.output.message}</p>
-          </div>
-        )}
-
-        {record.metadata && (
-          <div>
-            <h3 className="font-semibold mb-1">Metadata</h3>
-            <JsonDisplay data={record.metadata} />
-          </div>
-        )}
-
-        {record.error && (
-          <div>
-            <h3 className="font-semibold mb-1 flex items-center gap-1 text-rose-500">
-              <AlertTriangleIcon className="size-5" /> Error
-            </h3>
-            <Card className="bg-gray-900 border-rose-500">
-              <CardContent className="pt-6">
-                <p className="font-semibold text-rose-500">{record.error.name}</p>
-                <p className="text-sm text-rose-500">{record.error.message}</p>
-                {record.error.stackTrace && (
-                  <ScrollArea className="h-[100px] w-full mt-2">
-                    <pre className="text-xs text-rose-800">{record.error.stackTrace}</pre>
-                  </ScrollArea>
-                )}
-              </CardContent>
-            </Card>
-          </div>
-        )}
-      </CardContent>
-    </Card>
-  );
-}
diff --git a/references/nextjs-realtime/src/components/RunRealtimeComparison.tsx b/references/nextjs-realtime/src/components/RunRealtimeComparison.tsx
deleted file mode 100644
index d102b1af5ee..00000000000
--- a/references/nextjs-realtime/src/components/RunRealtimeComparison.tsx
+++ /dev/null
@@ -1,91 +0,0 @@
-"use client";
-
-import { Button } from "@/components/ui/button";
-import type { STREAMS, openaiStreaming } from "@/trigger/ai";
-import { useRealtimeRunWithStreams } from "@trigger.dev/react-hooks";
-
-export default function RealtimeComparison({
-  accessToken,
-  runId,
-}: {
-  accessToken: string;
-  runId: string;
-}) {
-  const { streams, stop, run } = useRealtimeRunWithStreams<typeof openaiStreaming, STREAMS>(runId, {
-    accessToken: accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-    onComplete: (...args) => {
-      console.log("Run completed!", args);
-    },
-  });
-
-  console.log("run", run);
-
-  return (
-    <div className="flex flex-col h-screen bg-gray-900 text-gray-200 text-xs">
-      <div className="p-4">
-        <Button
-          className="bg-gray-100 text-gray-900 hover:bg-gray-200 font-semibold text-xs"
-          disabled={true}
-        >
-          Debug LLM Streaming
-        </Button>
-
-        {run && (
-          <Button
-            className="bg-gray-100 text-gray-900 hover:bg-gray-200 font-semibold text-xs ml-8"
-            onClick={() => {
-              stop();
-            }}
-          >
-            Stop Streaming
-          </Button>
-        )}
-      </div>
-      <div className="flex-grow flex overflow-hidden">
-        <div className="w-1/2 border-r border-gray-700 overflow-auto">
-          <table className="w-full table-fixed">
-            <thead>
-              <tr className="bg-gray-800">
-                <th className="w-16 p-2 text-left">ID</th>
-                <th className="p-2 text-left">Data</th>
-              </tr>
-            </thead>
-            <tbody>
-              {(streams.openai ?? []).map((part, i) => (
-                <tr key={i} className="border-b border-gray-700">
-                  <td className="w-16 p-2 truncate">{i + 1}</td>
-                  <td className="p-2">
-                    <div className="font-mono whitespace-nowrap overflow-x-auto">
-                      {JSON.stringify(part)}
-                    </div>
-                  </td>
-                </tr>
-              ))}
-            </tbody>
-          </table>
-        </div>
-        <div className="w-1/2 overflow-auto">
-          <table className="w-full table-fixed">
-            <thead>
-              <tr className="bg-gray-800">
-                <th className="w-16 p-2 text-left">ID</th>
-                <th className="p-2 text-left">Data</th>
-              </tr>
-            </thead>
-            <tbody>
-              {(streams.openaiText ?? []).map((text, i) => (
-                <tr key={i} className="border-b border-gray-700">
-                  <td className="w-16 p-2 truncate">{i + 1}</td>
-                  <td className="p-2">
-                    <div className="font-mono whitespace-nowrap overflow-x-auto">{text}</div>
-                  </td>
-                </tr>
-              ))}
-            </tbody>
-          </table>
-        </div>
-      </div>
-    </div>
-  );
-}
diff --git a/references/nextjs-realtime/src/components/TriggerButton.tsx b/references/nextjs-realtime/src/components/TriggerButton.tsx
deleted file mode 100644
index dfa844902ce..00000000000
--- a/references/nextjs-realtime/src/components/TriggerButton.tsx
+++ /dev/null
@@ -1,43 +0,0 @@
-"use client";
-
-import { Button } from "@/components/ui/button";
-import { type openaiStreaming } from "@/trigger/ai";
-import { useTaskTrigger } from "@trigger.dev/react-hooks";
-import { useRouter } from "next/navigation";
-import { useEffect } from "react";
-
-export default function TriggerButton({ accessToken }: { accessToken: string }) {
-  const { submit, handle, isLoading } = useTaskTrigger<typeof openaiStreaming>("openai-streaming", {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-  });
-  const router = useRouter();
-
-  useEffect(() => {
-    if (handle) {
-      router.push(`/ai/${handle.id}?publicAccessToken=${handle.publicAccessToken}`);
-    }
-  }, [handle]);
-
-  return (
-    <Button
-      type="submit"
-      disabled={isLoading}
-      className="p-0 bg-transparent hover:bg-transparent hover:text-gray-200 text-gray-400"
-      onClick={() => {
-        submit(
-          {
-            model: "gpt-4o-mini",
-            prompt:
-              "Based on the temperature, will I need to wear extra clothes today in San Fransico? Please be detailed.",
-          },
-          {
-            tags: ["user:1234"],
-          }
-        );
-      }}
-    >
-      {isLoading ? "Triggering..." : "Trigger Task"}
-    </Button>
-  );
-}
diff --git a/references/nextjs-realtime/src/components/TriggerButtonWithStreaming.tsx b/references/nextjs-realtime/src/components/TriggerButtonWithStreaming.tsx
deleted file mode 100644
index 38ee6312873..00000000000
--- a/references/nextjs-realtime/src/components/TriggerButtonWithStreaming.tsx
+++ /dev/null
@@ -1,84 +0,0 @@
-"use client";
-
-import { Button } from "@/components/ui/button";
-import type { STREAMS, openaiStreaming } from "@/trigger/ai";
-import { useRealtimeTaskTriggerWithStreams } from "@trigger.dev/react-hooks";
-import { useCallback, useState } from "react";
-import {
-  Dialog,
-  DialogContent,
-  DialogDescription,
-  DialogHeader,
-  DialogTitle,
-  DialogTrigger,
-} from "./ui/dialog";
-import { Card, CardContent, CardFooter } from "./ui/card";
-
-export default function TriggerButton({ accessToken }: { accessToken: string }) {
-  const [isOpen, setIsOpen] = useState(false);
-
-  const { submit, isLoading, run, streams } = useRealtimeTaskTriggerWithStreams<
-    typeof openaiStreaming,
-    STREAMS
-  >("openai-streaming", {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-  });
-
-  const openWeatherReport = useCallback(() => {
-    setIsOpen(true);
-    submit({
-      model: "gpt-4o-mini",
-      prompt:
-        "Based on the temperature, will I need to wear extra clothes today in San Fransico? Please be detailed.",
-    });
-  }, []);
-
-  console.log("run", run);
-  console.log("streams", streams);
-
-  const toolCall = streams.openai?.find(
-    (stream) => stream.type === "tool-call" && stream.toolName === "getWeather"
-  );
-  const toolResult = streams.openai?.find((stream) => stream.type === "tool-result");
-  const textDeltas = streams.openai?.filter((stream) => stream.type === "text-delta");
-
-  const text = textDeltas?.map((delta) => delta.textDelta).join("");
-  const weatherLocation = toolCall ? toolCall.args.location : undefined;
-  const weather = toolResult ? toolResult.result.temperature : undefined;
-
-  return (
-    <Dialog open={isOpen} onOpenChange={setIsOpen}>
-      <DialogTrigger asChild>
-        <Button variant="outline" onClick={openWeatherReport}>
-          Open Weather Report
-        </Button>
-      </DialogTrigger>
-      <DialogContent className="sm:max-w-[425px] md:max-w-[700px] lg:max-w-[900px]">
-        <DialogHeader>
-          <DialogTitle>{weatherLocation} Weather Report</DialogTitle>
-          <DialogDescription>Live weather update and city conditions</DialogDescription>
-        </DialogHeader>
-        <Card className="w-full mt-4">
-          <CardContent className="p-6">
-            <div className="h-[60vh] overflow-y-auto">
-              {weather ? (
-                <p className="text-lg leading-relaxed">{text || "Preparing weather report..."}</p>
-              ) : (
-                <p className="text-lg">Fetching weather data...</p>
-              )}
-            </div>
-          </CardContent>
-          {weather && (
-            <CardFooter className="bg-muted p-4">
-              <p className="text-sm">
-                <span className="font-semibold">Tool Call:</span> The current temperature in{" "}
-                {weatherLocation} is {weather}.
-              </p>
-            </CardFooter>
-          )}
-        </Card>
-      </DialogContent>
-    </Dialog>
-  );
-}
diff --git a/references/nextjs-realtime/src/components/UploadImageDisplay.tsx b/references/nextjs-realtime/src/components/UploadImageDisplay.tsx
deleted file mode 100644
index 9aa8fe1618d..00000000000
--- a/references/nextjs-realtime/src/components/UploadImageDisplay.tsx
+++ /dev/null
@@ -1,87 +0,0 @@
-"use client";
-
-import { useState } from "react";
-import Image from "next/image";
-import { Card, CardContent } from "@/components/ui/card";
-import { LoaderCircleIcon, LoaderPinwheel } from "lucide-react";
-
-type PendingGridImage = {
-  status: "pending";
-  src?: undefined;
-  caption?: undefined;
-  message: string;
-};
-
-type CompletedGridImage = {
-  status: "completed";
-  src: string;
-  caption: string;
-  message: string;
-};
-
-type GridImage = PendingGridImage | CompletedGridImage;
-
-export default function ImageDisplay({
-  uploadedImage,
-  uploadedCaption,
-  gridImages = [],
-}: {
-  uploadedImage: string;
-  uploadedCaption: string;
-  gridImages: GridImage[];
-}) {
-  const [isUploadedImageLoaded, setIsUploadedImageLoaded] = useState(false);
-
-  return (
-    <div className="container mx-auto px-4 py-8">
-      {/* Main uploaded image */}
-      <div className="mb-12 max-w-3xl mx-auto">
-        <p className="text-base text-gray-400 mb-2">Original</p>
-        <div className="relative w-full aspect-video border border-gray-700 rounded-lg">
-          <Image
-            src={uploadedImage}
-            alt={uploadedCaption}
-            fill
-            className={`object-cover rounded-lg shadow-lg transition-opacity duration-300 ${
-              isUploadedImageLoaded ? "opacity-100" : "opacity-0"
-            }`}
-            onLoadingComplete={() => setIsUploadedImageLoaded(true)}
-          />
-        </div>
-        <p className="text-center mt-3 text-sm font-medium text-primary">{uploadedCaption}</p>
-      </div>
-
-      {/* Grid of smaller images */}
-      <div className="grid grid-cols-1 sm:grid-cols-2 md:grid-cols-3 lg:grid-cols-3 gap-6">
-        {gridImages.map((image, index) => (
-          <div className="flex flex-col" key={index}>
-            <p className="text-base text-gray-400 mb-2">Style {index + 1}</p>
-            <Card key={index} className="overflow-hidden border border-gray-700 rounded-lg">
-              <CardContent className="p-0">
-                <div
-                  className={`relative aspect-video h-full  ${
-                    image.status === "pending" ? "bg-gray-800" : ""
-                  }`}
-                >
-                  {image.status === "completed" ? (
-                    <Image src={image.src} alt={image.caption} fill className="object-cover" />
-                  ) : (
-                    <div className="absolute inset-0 flex flex-col items-center justify-center p-4">
-                      <LoaderCircleIcon className="size-8 animate-spin text-blue-500 mb-4" />
-                      <p className="text-sm text-white text-center">Model: {image.message}</p>
-                    </div>
-                  )}
-                </div>
-                {image.status === "completed" && (
-                  <p className="p-2 text-center text-xs text-gray-400 bg-gray-800">
-                    {image.caption}
-                  </p>
-                )}
-              </CardContent>
-            </Card>
-          </div>
-        ))}
-      </div>
-    </div>
-  );
-}
diff --git a/references/nextjs-realtime/src/components/ui/alert.tsx b/references/nextjs-realtime/src/components/ui/alert.tsx
deleted file mode 100644
index 5afd41d142c..00000000000
--- a/references/nextjs-realtime/src/components/ui/alert.tsx
+++ /dev/null
@@ -1,59 +0,0 @@
-import * as React from "react"
-import { cva, type VariantProps } from "class-variance-authority"
-
-import { cn } from "@/lib/utils"
-
-const alertVariants = cva(
-  "relative w-full rounded-lg border px-4 py-3 text-sm [&>svg+div]:translate-y-[-3px] [&>svg]:absolute [&>svg]:left-4 [&>svg]:top-4 [&>svg]:text-foreground [&>svg~*]:pl-7",
-  {
-    variants: {
-      variant: {
-        default: "bg-background text-foreground",
-        destructive:
-          "border-destructive/50 text-destructive dark:border-destructive [&>svg]:text-destructive",
-      },
-    },
-    defaultVariants: {
-      variant: "default",
-    },
-  }
-)
-
-const Alert = React.forwardRef<
-  HTMLDivElement,
-  React.HTMLAttributes<HTMLDivElement> & VariantProps<typeof alertVariants>
->(({ className, variant, ...props }, ref) => (
-  <div
-    ref={ref}
-    role="alert"
-    className={cn(alertVariants({ variant }), className)}
-    {...props}
-  />
-))
-Alert.displayName = "Alert"
-
-const AlertTitle = React.forwardRef<
-  HTMLParagraphElement,
-  React.HTMLAttributes<HTMLHeadingElement>
->(({ className, ...props }, ref) => (
-  <h5
-    ref={ref}
-    className={cn("mb-1 font-medium leading-none tracking-tight", className)}
-    {...props}
-  />
-))
-AlertTitle.displayName = "AlertTitle"
-
-const AlertDescription = React.forwardRef<
-  HTMLParagraphElement,
-  React.HTMLAttributes<HTMLParagraphElement>
->(({ className, ...props }, ref) => (
-  <div
-    ref={ref}
-    className={cn("text-sm [&_p]:leading-relaxed", className)}
-    {...props}
-  />
-))
-AlertDescription.displayName = "AlertDescription"
-
-export { Alert, AlertTitle, AlertDescription }
diff --git a/references/nextjs-realtime/src/components/ui/badge.tsx b/references/nextjs-realtime/src/components/ui/badge.tsx
deleted file mode 100644
index e87d62bf1a2..00000000000
--- a/references/nextjs-realtime/src/components/ui/badge.tsx
+++ /dev/null
@@ -1,36 +0,0 @@
-import * as React from "react"
-import { cva, type VariantProps } from "class-variance-authority"
-
-import { cn } from "@/lib/utils"
-
-const badgeVariants = cva(
-  "inline-flex items-center rounded-md border px-2.5 py-0.5 text-xs font-semibold transition-colors focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2",
-  {
-    variants: {
-      variant: {
-        default:
-          "border-transparent bg-primary text-primary-foreground shadow hover:bg-primary/80",
-        secondary:
-          "border-transparent bg-secondary text-secondary-foreground hover:bg-secondary/80",
-        destructive:
-          "border-transparent bg-destructive text-destructive-foreground shadow hover:bg-destructive/80",
-        outline: "text-foreground",
-      },
-    },
-    defaultVariants: {
-      variant: "default",
-    },
-  }
-)
-
-export interface BadgeProps
-  extends React.HTMLAttributes<HTMLDivElement>,
-    VariantProps<typeof badgeVariants> {}
-
-function Badge({ className, variant, ...props }: BadgeProps) {
-  return (
-    <div className={cn(badgeVariants({ variant }), className)} {...props} />
-  )
-}
-
-export { Badge, badgeVariants }
diff --git a/references/nextjs-realtime/src/components/ui/button.tsx b/references/nextjs-realtime/src/components/ui/button.tsx
deleted file mode 100644
index 0270f644a89..00000000000
--- a/references/nextjs-realtime/src/components/ui/button.tsx
+++ /dev/null
@@ -1,57 +0,0 @@
-import * as React from "react"
-import { Slot } from "@radix-ui/react-slot"
-import { cva, type VariantProps } from "class-variance-authority"
-
-import { cn } from "@/lib/utils"
-
-const buttonVariants = cva(
-  "inline-flex items-center justify-center whitespace-nowrap rounded-md text-sm font-medium transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:pointer-events-none disabled:opacity-50",
-  {
-    variants: {
-      variant: {
-        default:
-          "bg-primary text-primary-foreground shadow hover:bg-primary/90",
-        destructive:
-          "bg-destructive text-destructive-foreground shadow-sm hover:bg-destructive/90",
-        outline:
-          "border border-input bg-background shadow-sm hover:bg-accent hover:text-accent-foreground",
-        secondary:
-          "bg-secondary text-secondary-foreground shadow-sm hover:bg-secondary/80",
-        ghost: "hover:bg-accent hover:text-accent-foreground",
-        link: "text-primary underline-offset-4 hover:underline",
-      },
-      size: {
-        default: "h-9 px-4 py-2",
-        sm: "h-8 rounded-md px-3 text-xs",
-        lg: "h-10 rounded-md px-8",
-        icon: "h-9 w-9",
-      },
-    },
-    defaultVariants: {
-      variant: "default",
-      size: "default",
-    },
-  }
-)
-
-export interface ButtonProps
-  extends React.ButtonHTMLAttributes<HTMLButtonElement>,
-    VariantProps<typeof buttonVariants> {
-  asChild?: boolean
-}
-
-const Button = React.forwardRef<HTMLButtonElement, ButtonProps>(
-  ({ className, variant, size, asChild = false, ...props }, ref) => {
-    const Comp = asChild ? Slot : "button"
-    return (
-      <Comp
-        className={cn(buttonVariants({ variant, size, className }))}
-        ref={ref}
-        {...props}
-      />
-    )
-  }
-)
-Button.displayName = "Button"
-
-export { Button, buttonVariants }
diff --git a/references/nextjs-realtime/src/components/ui/card.tsx b/references/nextjs-realtime/src/components/ui/card.tsx
deleted file mode 100644
index 77e9fb789bf..00000000000
--- a/references/nextjs-realtime/src/components/ui/card.tsx
+++ /dev/null
@@ -1,76 +0,0 @@
-import * as React from "react"
-
-import { cn } from "@/lib/utils"
-
-const Card = React.forwardRef<
-  HTMLDivElement,
-  React.HTMLAttributes<HTMLDivElement>
->(({ className, ...props }, ref) => (
-  <div
-    ref={ref}
-    className={cn(
-      "rounded-xl border bg-card text-card-foreground shadow",
-      className
-    )}
-    {...props}
-  />
-))
-Card.displayName = "Card"
-
-const CardHeader = React.forwardRef<
-  HTMLDivElement,
-  React.HTMLAttributes<HTMLDivElement>
->(({ className, ...props }, ref) => (
-  <div
-    ref={ref}
-    className={cn("flex flex-col space-y-1.5 p-6", className)}
-    {...props}
-  />
-))
-CardHeader.displayName = "CardHeader"
-
-const CardTitle = React.forwardRef<
-  HTMLParagraphElement,
-  React.HTMLAttributes<HTMLHeadingElement>
->(({ className, ...props }, ref) => (
-  <h3
-    ref={ref}
-    className={cn("font-semibold leading-none tracking-tight", className)}
-    {...props}
-  />
-))
-CardTitle.displayName = "CardTitle"
-
-const CardDescription = React.forwardRef<
-  HTMLParagraphElement,
-  React.HTMLAttributes<HTMLParagraphElement>
->(({ className, ...props }, ref) => (
-  <p
-    ref={ref}
-    className={cn("text-sm text-muted-foreground", className)}
-    {...props}
-  />
-))
-CardDescription.displayName = "CardDescription"
-
-const CardContent = React.forwardRef<
-  HTMLDivElement,
-  React.HTMLAttributes<HTMLDivElement>
->(({ className, ...props }, ref) => (
-  <div ref={ref} className={cn("p-6 pt-0", className)} {...props} />
-))
-CardContent.displayName = "CardContent"
-
-const CardFooter = React.forwardRef<
-  HTMLDivElement,
-  React.HTMLAttributes<HTMLDivElement>
->(({ className, ...props }, ref) => (
-  <div
-    ref={ref}
-    className={cn("flex items-center p-6 pt-0", className)}
-    {...props}
-  />
-))
-CardFooter.displayName = "CardFooter"
-
-export { Card, CardHeader, CardFooter, CardTitle, CardDescription, CardContent }
diff --git a/references/nextjs-realtime/src/components/ui/dialog.tsx b/references/nextjs-realtime/src/components/ui/dialog.tsx
deleted file mode 100644
index b5aaef74440..00000000000
--- a/references/nextjs-realtime/src/components/ui/dialog.tsx
+++ /dev/null
@@ -1,121 +0,0 @@
-"use client"
-
-import * as React from "react"
-import * as DialogPrimitive from "@radix-ui/react-dialog"
-import { cn } from "@/lib/utils"
-import { Cross2Icon } from "@radix-ui/react-icons"
-
-const Dialog = DialogPrimitive.Root
-
-const DialogTrigger = DialogPrimitive.Trigger
-
-const DialogPortal = DialogPrimitive.Portal
-
-const DialogClose = DialogPrimitive.Close
-
-const DialogOverlay = React.forwardRef<
-  React.ElementRef<typeof DialogPrimitive.Overlay>,
-  React.ComponentPropsWithoutRef<typeof DialogPrimitive.Overlay>
->(({ className, ...props }, ref) => (
-  <DialogPrimitive.Overlay
-    ref={ref}
-    className={cn(
-      "fixed inset-0 z-50 bg-black/80  data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0",
-      className
-    )}
-    {...props}
-  />
-))
-DialogOverlay.displayName = DialogPrimitive.Overlay.displayName
-
-const DialogContent = React.forwardRef<
-  React.ElementRef<typeof DialogPrimitive.Content>,
-  React.ComponentPropsWithoutRef<typeof DialogPrimitive.Content>
->(({ className, children, ...props }, ref) => (
-  <DialogPortal>
-    <DialogOverlay />
-    <DialogPrimitive.Content
-      ref={ref}
-      className={cn(
-        "fixed left-[50%] top-[50%] z-50 grid w-full max-w-lg translate-x-[-50%] translate-y-[-50%] gap-4 border bg-background p-6 shadow-lg duration-200 data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[state=closed]:slide-out-to-left-1/2 data-[state=closed]:slide-out-to-top-[48%] data-[state=open]:slide-in-from-left-1/2 data-[state=open]:slide-in-from-top-[48%] sm:rounded-lg",
-        className
-      )}
-      {...props}
-    >
-      {children}
-      <DialogPrimitive.Close className="absolute right-4 top-4 rounded-sm opacity-70 ring-offset-background transition-opacity hover:opacity-100 focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2 disabled:pointer-events-none data-[state=open]:bg-accent data-[state=open]:text-muted-foreground">
-        <Cross2Icon className="h-4 w-4" />
-        <span className="sr-only">Close</span>
-      </DialogPrimitive.Close>
-    </DialogPrimitive.Content>
-  </DialogPortal>
-))
-DialogContent.displayName = DialogPrimitive.Content.displayName
-
-const DialogHeader = ({
-  className,
-  ...props
-}: React.HTMLAttributes<HTMLDivElement>) => (
-  <div
-    className={cn(
-      "flex flex-col space-y-1.5 text-center sm:text-left",
-      className
-    )}
-    {...props}
-  />
-)
-DialogHeader.displayName = "DialogHeader"
-
-const DialogFooter = ({
-  className,
-  ...props
-}: React.HTMLAttributes<HTMLDivElement>) => (
-  <div
-    className={cn(
-      "flex flex-col-reverse sm:flex-row sm:justify-end sm:space-x-2",
-      className
-    )}
-    {...props}
-  />
-)
-DialogFooter.displayName = "DialogFooter"
-
-const DialogTitle = React.forwardRef<
-  React.ElementRef<typeof DialogPrimitive.Title>,
-  React.ComponentPropsWithoutRef<typeof DialogPrimitive.Title>
->(({ className, ...props }, ref) => (
-  <DialogPrimitive.Title
-    ref={ref}
-    className={cn(
-      "text-lg font-semibold leading-none tracking-tight",
-      className
-    )}
-    {...props}
-  />
-))
-DialogTitle.displayName = DialogPrimitive.Title.displayName
-
-const DialogDescription = React.forwardRef<
-  React.ElementRef<typeof DialogPrimitive.Description>,
-  React.ComponentPropsWithoutRef<typeof DialogPrimitive.Description>
->(({ className, ...props }, ref) => (
-  <DialogPrimitive.Description
-    ref={ref}
-    className={cn("text-sm text-muted-foreground", className)}
-    {...props}
-  />
-))
-DialogDescription.displayName = DialogPrimitive.Description.displayName
-
-export {
-  Dialog,
-  DialogPortal,
-  DialogOverlay,
-  DialogTrigger,
-  DialogClose,
-  DialogContent,
-  DialogHeader,
-  DialogFooter,
-  DialogTitle,
-  DialogDescription,
-}
diff --git a/references/nextjs-realtime/src/components/ui/progress.tsx b/references/nextjs-realtime/src/components/ui/progress.tsx
deleted file mode 100644
index 4fc3b473e6f..00000000000
--- a/references/nextjs-realtime/src/components/ui/progress.tsx
+++ /dev/null
@@ -1,28 +0,0 @@
-"use client"
-
-import * as React from "react"
-import * as ProgressPrimitive from "@radix-ui/react-progress"
-
-import { cn } from "@/lib/utils"
-
-const Progress = React.forwardRef<
-  React.ElementRef<typeof ProgressPrimitive.Root>,
-  React.ComponentPropsWithoutRef<typeof ProgressPrimitive.Root>
->(({ className, value, ...props }, ref) => (
-  <ProgressPrimitive.Root
-    ref={ref}
-    className={cn(
-      "relative h-2 w-full overflow-hidden rounded-full bg-primary/20",
-      className
-    )}
-    {...props}
-  >
-    <ProgressPrimitive.Indicator
-      className="h-full w-full flex-1 bg-primary transition-all"
-      style={{ transform: `translateX(-${100 - (value || 0)}%)` }}
-    />
-  </ProgressPrimitive.Root>
-))
-Progress.displayName = ProgressPrimitive.Root.displayName
-
-export { Progress }
diff --git a/references/nextjs-realtime/src/components/ui/scroll-area.tsx b/references/nextjs-realtime/src/components/ui/scroll-area.tsx
deleted file mode 100644
index 0b4a48d87fa..00000000000
--- a/references/nextjs-realtime/src/components/ui/scroll-area.tsx
+++ /dev/null
@@ -1,48 +0,0 @@
-"use client"
-
-import * as React from "react"
-import * as ScrollAreaPrimitive from "@radix-ui/react-scroll-area"
-
-import { cn } from "@/lib/utils"
-
-const ScrollArea = React.forwardRef<
-  React.ElementRef<typeof ScrollAreaPrimitive.Root>,
-  React.ComponentPropsWithoutRef<typeof ScrollAreaPrimitive.Root>
->(({ className, children, ...props }, ref) => (
-  <ScrollAreaPrimitive.Root
-    ref={ref}
-    className={cn("relative overflow-hidden", className)}
-    {...props}
-  >
-    <ScrollAreaPrimitive.Viewport className="h-full w-full rounded-[inherit]">
-      {children}
-    </ScrollAreaPrimitive.Viewport>
-    <ScrollBar />
-    <ScrollAreaPrimitive.Corner />
-  </ScrollAreaPrimitive.Root>
-))
-ScrollArea.displayName = ScrollAreaPrimitive.Root.displayName
-
-const ScrollBar = React.forwardRef<
-  React.ElementRef<typeof ScrollAreaPrimitive.ScrollAreaScrollbar>,
-  React.ComponentPropsWithoutRef<typeof ScrollAreaPrimitive.ScrollAreaScrollbar>
->(({ className, orientation = "vertical", ...props }, ref) => (
-  <ScrollAreaPrimitive.ScrollAreaScrollbar
-    ref={ref}
-    orientation={orientation}
-    className={cn(
-      "flex touch-none select-none transition-colors",
-      orientation === "vertical" &&
-        "h-full w-2.5 border-l border-l-transparent p-[1px]",
-      orientation === "horizontal" &&
-        "h-2.5 flex-col border-t border-t-transparent p-[1px]",
-      className
-    )}
-    {...props}
-  >
-    <ScrollAreaPrimitive.ScrollAreaThumb className="relative flex-1 rounded-full bg-border" />
-  </ScrollAreaPrimitive.ScrollAreaScrollbar>
-))
-ScrollBar.displayName = ScrollAreaPrimitive.ScrollAreaScrollbar.displayName
-
-export { ScrollArea, ScrollBar }
diff --git a/references/nextjs-realtime/src/components/ui/table.tsx b/references/nextjs-realtime/src/components/ui/table.tsx
deleted file mode 100644
index c0df655c0bf..00000000000
--- a/references/nextjs-realtime/src/components/ui/table.tsx
+++ /dev/null
@@ -1,120 +0,0 @@
-import * as React from "react"
-
-import { cn } from "@/lib/utils"
-
-const Table = React.forwardRef<
-  HTMLTableElement,
-  React.HTMLAttributes<HTMLTableElement>
->(({ className, ...props }, ref) => (
-  <div className="relative w-full overflow-auto">
-    <table
-      ref={ref}
-      className={cn("w-full caption-bottom text-sm", className)}
-      {...props}
-    />
-  </div>
-))
-Table.displayName = "Table"
-
-const TableHeader = React.forwardRef<
-  HTMLTableSectionElement,
-  React.HTMLAttributes<HTMLTableSectionElement>
->(({ className, ...props }, ref) => (
-  <thead ref={ref} className={cn("[&_tr]:border-b", className)} {...props} />
-))
-TableHeader.displayName = "TableHeader"
-
-const TableBody = React.forwardRef<
-  HTMLTableSectionElement,
-  React.HTMLAttributes<HTMLTableSectionElement>
->(({ className, ...props }, ref) => (
-  <tbody
-    ref={ref}
-    className={cn("[&_tr:last-child]:border-0", className)}
-    {...props}
-  />
-))
-TableBody.displayName = "TableBody"
-
-const TableFooter = React.forwardRef<
-  HTMLTableSectionElement,
-  React.HTMLAttributes<HTMLTableSectionElement>
->(({ className, ...props }, ref) => (
-  <tfoot
-    ref={ref}
-    className={cn(
-      "border-t bg-muted/50 font-medium [&>tr]:last:border-b-0",
-      className
-    )}
-    {...props}
-  />
-))
-TableFooter.displayName = "TableFooter"
-
-const TableRow = React.forwardRef<
-  HTMLTableRowElement,
-  React.HTMLAttributes<HTMLTableRowElement>
->(({ className, ...props }, ref) => (
-  <tr
-    ref={ref}
-    className={cn(
-      "border-b transition-colors hover:bg-muted/50 data-[state=selected]:bg-muted",
-      className
-    )}
-    {...props}
-  />
-))
-TableRow.displayName = "TableRow"
-
-const TableHead = React.forwardRef<
-  HTMLTableCellElement,
-  React.ThHTMLAttributes<HTMLTableCellElement>
->(({ className, ...props }, ref) => (
-  <th
-    ref={ref}
-    className={cn(
-      "h-10 px-2 text-left align-middle font-medium text-muted-foreground [&:has([role=checkbox])]:pr-0 [&>[role=checkbox]]:translate-y-[2px]",
-      className
-    )}
-    {...props}
-  />
-))
-TableHead.displayName = "TableHead"
-
-const TableCell = React.forwardRef<
-  HTMLTableCellElement,
-  React.TdHTMLAttributes<HTMLTableCellElement>
->(({ className, ...props }, ref) => (
-  <td
-    ref={ref}
-    className={cn(
-      "p-2 align-middle [&:has([role=checkbox])]:pr-0 [&>[role=checkbox]]:translate-y-[2px]",
-      className
-    )}
-    {...props}
-  />
-))
-TableCell.displayName = "TableCell"
-
-const TableCaption = React.forwardRef<
-  HTMLTableCaptionElement,
-  React.HTMLAttributes<HTMLTableCaptionElement>
->(({ className, ...props }, ref) => (
-  <caption
-    ref={ref}
-    className={cn("mt-4 text-sm text-muted-foreground", className)}
-    {...props}
-  />
-))
-TableCaption.displayName = "TableCaption"
-
-export {
-  Table,
-  TableHeader,
-  TableBody,
-  TableFooter,
-  TableHead,
-  TableRow,
-  TableCell,
-  TableCaption,
-}
diff --git a/references/nextjs-realtime/src/components/ui/tabs.tsx b/references/nextjs-realtime/src/components/ui/tabs.tsx
deleted file mode 100644
index 0f4caebb117..00000000000
--- a/references/nextjs-realtime/src/components/ui/tabs.tsx
+++ /dev/null
@@ -1,55 +0,0 @@
-"use client"
-
-import * as React from "react"
-import * as TabsPrimitive from "@radix-ui/react-tabs"
-
-import { cn } from "@/lib/utils"
-
-const Tabs = TabsPrimitive.Root
-
-const TabsList = React.forwardRef<
-  React.ElementRef<typeof TabsPrimitive.List>,
-  React.ComponentPropsWithoutRef<typeof TabsPrimitive.List>
->(({ className, ...props }, ref) => (
-  <TabsPrimitive.List
-    ref={ref}
-    className={cn(
-      "inline-flex h-9 items-center justify-center rounded-lg bg-muted p-1 text-muted-foreground",
-      className
-    )}
-    {...props}
-  />
-))
-TabsList.displayName = TabsPrimitive.List.displayName
-
-const TabsTrigger = React.forwardRef<
-  React.ElementRef<typeof TabsPrimitive.Trigger>,
-  React.ComponentPropsWithoutRef<typeof TabsPrimitive.Trigger>
->(({ className, ...props }, ref) => (
-  <TabsPrimitive.Trigger
-    ref={ref}
-    className={cn(
-      "inline-flex items-center justify-center whitespace-nowrap rounded-md px-3 py-1 text-sm font-medium ring-offset-background transition-all focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 disabled:pointer-events-none disabled:opacity-50 data-[state=active]:bg-background data-[state=active]:text-foreground data-[state=active]:shadow",
-      className
-    )}
-    {...props}
-  />
-))
-TabsTrigger.displayName = TabsPrimitive.Trigger.displayName
-
-const TabsContent = React.forwardRef<
-  React.ElementRef<typeof TabsPrimitive.Content>,
-  React.ComponentPropsWithoutRef<typeof TabsPrimitive.Content>
->(({ className, ...props }, ref) => (
-  <TabsPrimitive.Content
-    ref={ref}
-    className={cn(
-      "mt-2 ring-offset-background focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2",
-      className
-    )}
-    {...props}
-  />
-))
-TabsContent.displayName = TabsPrimitive.Content.displayName
-
-export { Tabs, TabsList, TabsTrigger, TabsContent }
diff --git a/references/nextjs-realtime/src/components/ui/textarea.tsx b/references/nextjs-realtime/src/components/ui/textarea.tsx
deleted file mode 100644
index e56b0affd7e..00000000000
--- a/references/nextjs-realtime/src/components/ui/textarea.tsx
+++ /dev/null
@@ -1,22 +0,0 @@
-import * as React from "react"
-
-import { cn } from "@/lib/utils"
-
-const Textarea = React.forwardRef<
-  HTMLTextAreaElement,
-  React.ComponentProps<"textarea">
->(({ className, ...props }, ref) => {
-  return (
-    <textarea
-      className={cn(
-        "flex min-h-[60px] w-full rounded-md border border-input bg-transparent px-3 py-2 text-base shadow-sm placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:cursor-not-allowed disabled:opacity-50 md:text-sm",
-        className
-      )}
-      ref={ref}
-      {...props}
-    />
-  )
-})
-Textarea.displayName = "Textarea"
-
-export { Textarea }
diff --git a/references/nextjs-realtime/src/hooks/useHandleUploadRun.ts b/references/nextjs-realtime/src/hooks/useHandleUploadRun.ts
deleted file mode 100644
index b560d896653..00000000000
--- a/references/nextjs-realtime/src/hooks/useHandleUploadRun.ts
+++ /dev/null
@@ -1,26 +0,0 @@
-import type { handleUpload, runFalModel } from "@/trigger/images";
-import { RunFalMetadata } from "@/utils/schemas";
-import { useRealtimeRunsWithTag } from "@trigger.dev/react-hooks";
-
-export function useHandleUploadRun(fileId: string) {
-  const { runs, error } = useRealtimeRunsWithTag<typeof handleUpload | typeof runFalModel>(
-    `file:${fileId}`
-  );
-
-  const images = runs
-    .filter((run) => run.taskIdentifier === "run-fal-model")
-    .map((run) => {
-      const metadata = RunFalMetadata.default({ result: { status: "IN_PROGRESS" } }).parse(
-        run.metadata
-      );
-
-      return {
-        model: run.payload.model,
-        data: metadata?.result,
-      };
-    });
-
-  const run = runs.find((run) => run.taskIdentifier === "handle-upload");
-
-  return { run, error, images };
-}
diff --git a/references/nextjs-realtime/src/lib/utils.ts b/references/nextjs-realtime/src/lib/utils.ts
deleted file mode 100644
index bd0c391ddd1..00000000000
--- a/references/nextjs-realtime/src/lib/utils.ts
+++ /dev/null
@@ -1,6 +0,0 @@
-import { clsx, type ClassValue } from "clsx"
-import { twMerge } from "tailwind-merge"
-
-export function cn(...inputs: ClassValue[]) {
-  return twMerge(clsx(inputs))
-}
diff --git a/references/nextjs-realtime/src/trigger/ai.ts b/references/nextjs-realtime/src/trigger/ai.ts
deleted file mode 100644
index e11524e8238..00000000000
--- a/references/nextjs-realtime/src/trigger/ai.ts
+++ /dev/null
@@ -1,210 +0,0 @@
-import { openai } from "@ai-sdk/openai";
-import { logger, metadata, runs, schemaTask, task, toolTask, wait } from "@trigger.dev/sdk/v3";
-import { streamText, type TextStreamPart } from "ai";
-import { setTimeout } from "node:timers/promises";
-import { z } from "zod";
-import OpenAI from "openai";
-import { AISDKExporter } from "langsmith/vercel";
-
-const openaiSDK = new OpenAI({
-  apiKey: process.env.OPENAI_API_KEY,
-});
-
-export type STREAMS = {
-  openai: TextStreamPart<{ getWeather: typeof weatherTask.tool }>;
-  openaiText: string;
-};
-
-export const openaiConsumer = schemaTask({
-  id: "openai-consumer",
-  schema: z.object({
-    model: z.string().default("gpt-3.5-turbo"),
-    prompt: z.string().default("Hello, how are you?"),
-  }),
-  run: async ({ model, prompt }) => {
-    const handle = await openaiStreaming.trigger({ model, prompt });
-
-    let openaiCompletion = "";
-
-    for await (const part of runs.subscribeToRun(handle).withStreams<STREAMS>()) {
-      switch (part.type) {
-        case "run": {
-          logger.info("Received run chunk", { run: part.run });
-          break;
-        }
-        case "openai": {
-          logger.info("Received OpenAI chunk", { chunk: part.chunk, run: part.run });
-
-          switch (part.chunk.type) {
-            case "text-delta": {
-              openaiCompletion += part.chunk.textDelta;
-              break;
-            }
-            case "tool-call": {
-              switch (part.chunk.toolName) {
-                case "getWeather": {
-                  console.log("Calling getWeather tool with args", { args: part.chunk.args });
-                }
-              }
-              break;
-            }
-            case "tool-result": {
-              switch (part.chunk.toolName) {
-                case "getWeather": {
-                  console.log("Received getWeather tool result", { result: part.chunk.result });
-                }
-              }
-              break;
-            }
-          }
-        }
-      }
-    }
-
-    return { openaiCompletion };
-  },
-});
-
-export const waitUntilExamples = task({
-  id: "wait-until-examples",
-  run: async () => {
-    await setTimeout(30_000);
-  },
-});
-
-export const weatherTask = toolTask({
-  id: "weather",
-  description: "Get the weather for a location",
-  parameters: z.object({
-    location: z.string(),
-  }),
-  run: async ({ location }) => {
-    // Simulate a long-running task
-    await wait.for({ seconds: 5 });
-    // return mock data
-    return {
-      location,
-      temperature: 72 + Math.floor(Math.random() * 21) - 10,
-    };
-  },
-});
-
-export const openaiStreaming = schemaTask({
-  id: "openai-streaming",
-  description: "Stream data from OpenAI to get the weather",
-  schema: z.object({
-    model: z.string().default("chatgpt-4o-latest"),
-    prompt: z.string().default("Hello, how are you?"),
-  }),
-  run: async ({ model, prompt }) => {
-    logger.info("Running OpenAI model", { model, prompt });
-
-    const telemetrySettings = AISDKExporter.getSettings();
-
-    logger.info("Telemetry settings", { telemetrySettings });
-
-    const result = streamText({
-      model: openai(model),
-      prompt,
-      experimental_telemetry: telemetrySettings,
-    });
-
-    const stream = await metadata.stream("openai", result.fullStream);
-
-    for await (const chunk of stream) {
-      logger.log("Received chunk", { chunk });
-    }
-  },
-});
-
-export const openaiO1Model = schemaTask({
-  id: "openai-o1-model",
-  description: "Stream data from OpenAI to get the weather",
-  schema: z.object({
-    model: z.string().default("o1-preview"),
-    prompt: z.string().default("Hello, how are you?"),
-  }),
-  run: async ({ model, prompt }) => {
-    logger.info("Running OpenAI model", { model, prompt });
-
-    const result = await streamText({
-      model: openai(model),
-      prompt,
-      experimental_continueSteps: true,
-    });
-
-    const stream = await metadata.stream("openai", result.textStream);
-
-    let text = "";
-
-    for await (const chunk of stream) {
-      logger.log("Received chunk", { chunk });
-
-      text += chunk;
-    }
-
-    return { text };
-  },
-});
-
-export const fetchStream = schemaTask({
-  id: "fetch-stream",
-  description: "Stream data from fetch",
-  schema: z.object({
-    url: z.string().url(),
-  }),
-  run: async ({ url }) => {
-    logger.info("Streaming response", { url });
-
-    const response = await fetch(url);
-
-    if (!response.body) {
-      throw new Error("Response body is not readable");
-    }
-
-    const stream = await metadata.stream(
-      "fetch",
-      response.body.pipeThrough(new TextDecoderStream())
-    );
-
-    let text = "";
-
-    for await (const chunk of stream) {
-      logger.log("Received chunk", { chunk });
-
-      text += chunk;
-    }
-
-    return { text };
-  },
-});
-
-export const openaiSDKStreaming = schemaTask({
-  id: "openai-sdk-streaming",
-  description: "Stream data from the OpenAI SDK",
-  schema: z.object({
-    model: z.string().default("gpt-3.5-turbo"),
-    prompt: z.string().default("Hello, how are you?"),
-  }),
-  run: async ({ model, prompt }) => {
-    logger.info("Running OpenAI model", { model, prompt });
-
-    const completion = await openaiSDK.chat.completions.create({
-      messages: [{ role: "user", content: prompt }],
-      model: "gpt-3.5-turbo",
-      stream: true,
-    });
-
-    const stream = await metadata.stream("openai", completion);
-
-    let text = "";
-
-    for await (const chunk of stream) {
-      logger.log("Received chunk", { chunk });
-
-      text += chunk.choices.map((choice) => choice.delta?.content).join("");
-    }
-
-    return { text };
-  },
-});
diff --git a/references/nextjs-realtime/src/trigger/csv.ts b/references/nextjs-realtime/src/trigger/csv.ts
deleted file mode 100644
index 9453ae2fdb0..00000000000
--- a/references/nextjs-realtime/src/trigger/csv.ts
+++ /dev/null
@@ -1,88 +0,0 @@
-import { UploadedFileData } from "@/utils/schemas";
-import { parse } from "@fast-csv/parse";
-import { batch, logger, metadata, schemaTask } from "@trigger.dev/sdk/v3";
-import { setTimeout } from "timers/promises";
-import { CSVRow } from "./schemas";
-
-export const handleCSVUpload = schemaTask({
-  id: "handle-csv-upload",
-  schema: UploadedFileData,
-  run: async (file, { ctx }) => {
-    logger.info("Handling uploaded files", { file });
-
-    metadata.set("status", "fetching");
-
-    const response = await fetch(file.url);
-
-    if (!response.ok) {
-      throw new Error(`Failed to fetch file: ${response.statusText}`);
-    }
-
-    const body = await response.text();
-
-    metadata.set("status", "parsing");
-
-    const rows = await new Promise<Array<CSVRow>>((resolve, reject) => {
-      const rows: Array<CSVRow> = [];
-
-      const parser = parse({ headers: true });
-
-      parser.on("data", (row) => {
-        logger.info("Row", { row });
-
-        const parsedRow = CSVRow.safeParse(row);
-
-        if (parsedRow.success) {
-          rows.push(parsedRow.data);
-        } else {
-          logger.warn("Failed to parse row", { row, errors: parsedRow.error });
-        }
-      });
-
-      parser.on("end", () => {
-        logger.info("CSV parsing complete");
-
-        resolve(rows);
-      });
-
-      parser.on("error", reject);
-
-      parser.write(body);
-      parser.end();
-    });
-
-    metadata.set("status", "processing").set("totalRows", rows.length);
-
-    const results = await batch.triggerAndWait<typeof handleCSVRow>(
-      rows.map((row) => ({ id: "handle-csv-row", payload: row }))
-    );
-
-    metadata.set("status", "complete");
-
-    const successfulRows = results.runs.filter((r) => r.ok);
-    const failedRows = results.runs.filter((r) => !r.ok);
-
-    return {
-      file,
-      rows,
-      rowCount: rows.length,
-      successCount: successfulRows.length,
-      failedCount: failedRows.length,
-    };
-  },
-});
-
-export const handleCSVRow = schemaTask({
-  id: "handle-csv-row",
-  schema: CSVRow,
-  run: async (row, { ctx }) => {
-    logger.info("Handling CSV row", { row });
-
-    // Simulate processing time
-    await setTimeout(200 + Math.random() * 1012); // 200ms - 1.2s
-
-    metadata.parent.increment("processedRows", 1).append("rowRuns", ctx.run.id);
-
-    return row;
-  },
-});
diff --git a/references/nextjs-realtime/src/trigger/example.ts b/references/nextjs-realtime/src/trigger/example.ts
deleted file mode 100644
index 031888d1873..00000000000
--- a/references/nextjs-realtime/src/trigger/example.ts
+++ /dev/null
@@ -1,31 +0,0 @@
-import { logger, metadata, schemaTask } from "@trigger.dev/sdk/v3";
-import { setTimeout } from "timers/promises";
-import { z } from "zod";
-
-export const ExampleTaskPayload = z.object({
-  id: z.string(),
-  isAdmin: z.boolean().default(false),
-});
-
-export const exampleTask = schemaTask({
-  id: "example",
-  schema: ExampleTaskPayload,
-  run: async (payload, { ctx }) => {
-    logger.log("Running example task with payload", { payload });
-
-    metadata.set("status", { type: "started", progress: 0.1 });
-
-    await setTimeout(2000);
-
-    metadata.set("status", { type: "processing", progress: 0.5 });
-
-    await setTimeout(2000);
-
-    metadata.set("status", { type: "finished", progress: 1.0 });
-
-    // Generate a return payload that is more than 128KB
-    const bigPayload = new Array(100000).fill("a".repeat(10)).join("");
-
-    return { message: bigPayload };
-  },
-});
diff --git a/references/nextjs-realtime/src/trigger/images.ts b/references/nextjs-realtime/src/trigger/images.ts
deleted file mode 100644
index b3a47e6f53b..00000000000
--- a/references/nextjs-realtime/src/trigger/images.ts
+++ /dev/null
@@ -1,89 +0,0 @@
-import { idempotencyKeys, logger, metadata, schemaTask } from "@trigger.dev/sdk/v3";
-import { FalResult, GridImage, UploadedFileData } from "@/utils/schemas";
-import { z } from "zod";
-
-import * as fal from "@fal-ai/serverless-client";
-
-fal.config({
-  credentials: process.env.FAL_KEY,
-});
-
-export const handleUpload = schemaTask({
-  id: "handle-upload",
-  schema: UploadedFileData,
-  run: async (file, { ctx }) => {
-    logger.info("Handling uploaded file", { file });
-
-    const results = await runFalModel.batchTriggerAndWait([
-      {
-        payload: {
-          model: "fal-ai/image-preprocessors/lineart",
-          url: file.url,
-          input: {},
-        },
-        options: {
-          tags: ctx.run.tags,
-        },
-      },
-      {
-        payload: {
-          model: "fal-ai/omni-zero",
-          url: file.url,
-          input: {
-            prompt: "Turn the image into a cartoon",
-            image_url: file.url,
-            composition_image_url: file.url,
-            style_image_url:
-              "https://storage.googleapis.com/falserverless/model_tests/omni_zero/style.jpg",
-            identity_image_url: file.url,
-          },
-        },
-        options: { tags: ctx.run.tags },
-      },
-      {
-        payload: {
-          model: "fal-ai/imageutils/depth",
-          url: file.url,
-          input: {},
-        },
-        options: { tags: ctx.run.tags },
-      },
-    ]);
-
-    return results;
-  },
-});
-
-const RunFalModelInput = z.object({
-  model: z.string(),
-  url: z.string(),
-  input: z.record(z.any()),
-});
-
-export const runFalModel = schemaTask({
-  id: "run-fal-model",
-  schema: RunFalModelInput,
-  run: async (payload) => {
-    return await internal_runFalModel(payload.model, payload.url, payload.input);
-  },
-});
-
-async function internal_runFalModel(model: string, url: string, input: any) {
-  const result = await fal.subscribe(model, {
-    input: {
-      image_url: url,
-      ...input,
-    },
-    onQueueUpdate: (update) => {
-      logger.info(model, { update });
-
-      metadata.set("result", GridImage.parse(update));
-    },
-  });
-
-  const parsedResult = FalResult.parse(result);
-
-  metadata.set("$.result.image", parsedResult.image);
-
-  return parsedResult.image;
-}
diff --git a/references/nextjs-realtime/src/trigger/openaiBatch.ts b/references/nextjs-realtime/src/trigger/openaiBatch.ts
deleted file mode 100644
index 8d53015e38b..00000000000
--- a/references/nextjs-realtime/src/trigger/openaiBatch.ts
+++ /dev/null
@@ -1,74 +0,0 @@
-import { logger, schemaTask, wait } from "@trigger.dev/sdk/v3";
-import { createReadStream, writeFileSync } from "node:fs";
-import OpenAI from "openai";
-import { z } from "zod";
-
-const openai = new OpenAI({
-  apiKey: process.env.OPENAI_API_KEY,
-});
-
-export const openaiBatch = schemaTask({
-  id: "openai-batch",
-  description: "Run a batch of JSONL prompts through OpenAI",
-  schema: z.object({
-    jsonl: z.string(),
-  }),
-  run: async ({ jsonl }) => {
-    // Write a JSONL file to disk
-    writeFileSync("batchinput.jsonl", jsonl);
-
-    const file = await openai.files.create({
-      file: createReadStream("batchinput.jsonl"),
-      purpose: "batch",
-    });
-
-    logger.log("Created file", { file });
-
-    const batch = await openai.batches.create({
-      input_file_id: file.id,
-      endpoint: "/v1/chat/completions",
-      completion_window: "24h",
-    });
-
-    logger.log("Created batch", { batch });
-
-    const completedBatch = await openaiBatchMonitor
-      .triggerAndWait({
-        batchId: batch.id,
-      })
-      .unwrap();
-
-    return completedBatch;
-  },
-});
-
-export const openaiBatchMonitor = schemaTask({
-  id: "openai-batch-monitor",
-  description: "Monitor the status of an OpenAI batch job",
-  schema: z.object({
-    batchId: z.string(),
-  }),
-  run: async ({ batchId }) => {
-    logger.log("Monitoring batch", { batchId });
-
-    while (true) {
-      const batch = await openai.batches.retrieve(batchId);
-
-      logger.log("Batch status", { batch });
-
-      if (
-        batch.status === "failed" ||
-        batch.status === "completed" ||
-        batch.status === "expired" ||
-        batch.status === "cancelled"
-      ) {
-        logger.log("Batch completed", { batch });
-
-        return batch;
-      }
-
-      // Check every 10 seconds
-      await wait.for({ seconds: 10 });
-    }
-  },
-});
diff --git a/references/nextjs-realtime/src/trigger/rsc.tsx b/references/nextjs-realtime/src/trigger/rsc.tsx
deleted file mode 100644
index 39d570ad86e..00000000000
--- a/references/nextjs-realtime/src/trigger/rsc.tsx
+++ /dev/null
@@ -1,104 +0,0 @@
-import { openai } from "@ai-sdk/openai";
-import { logger, metadata, schemaTask } from "@trigger.dev/sdk/v3";
-import { streamUI } from "ai/rsc";
-import { renderToReadableStream } from "react-dom/server";
-import { z } from "zod";
-
-const LoadingComponent = () => <div className="animate-pulse p-4">getting weather...</div>;
-
-const getWeather = async (location: string) => {
-  await new Promise((resolve) => setTimeout(resolve, 2000));
-  return "82°F️ ☀️";
-};
-
-interface WeatherProps {
-  location: string;
-  weather: string;
-}
-
-const WeatherComponent = (props: WeatherProps) => (
-  <div className="border border-neutral-200 p-4 rounded-lg max-w-fit">
-    The weather in {props.location} is {props.weather}
-  </div>
-);
-
-export const openaiStreamingRSC = schemaTask({
-  id: "openai-streaming-rsc",
-  description: "Stream RSC data from OpenAI to get the weather",
-  schema: z.object({
-    model: z.string().default("chatgpt-4o-latest"),
-    prompt: z.string().default("Hello, how are you?"),
-  }),
-  run: async ({ model, prompt }) => {
-    logger.info("Running OpenAI model", { model, prompt });
-
-    const result = await streamUI({
-      model: openai(model),
-      prompt,
-      text: ({ content }) => <div>{content}</div>,
-      tools: {
-        getWeather: {
-          description: "Get the weather for a location",
-          parameters: z.object({ location: z.string() }),
-          generate: async function* ({ location }) {
-            yield <LoadingComponent />;
-            const weather = await getWeather(location);
-            return <WeatherComponent weather={weather} location={location} />;
-          },
-        },
-      },
-    });
-
-    const stream = await metadata.stream("openai", result.stream);
-
-    let text = "";
-
-    for await (const chunk of stream) {
-      logger.log("Received chunk", { chunk });
-
-      if (chunk.type === "text-delta") {
-        text += chunk.textDelta;
-      }
-    }
-
-    return { text, value: result.value };
-  },
-});
-
-function App() {
-  return (
-    <html>
-      <head>
-        <meta charSet="utf-8" />
-        <meta name="viewport" content="width=device-width, initial-scale=1" />
-        <title>My app</title>
-      </head>
-      <body></body>
-    </html>
-  );
-}
-
-export const weatherUI = schemaTask({
-  id: "weather-ui",
-  description: "Stream weather UI data from this task to the client",
-  schema: z.object({
-    message: z.string(),
-  }),
-  run: async ({ message }) => {
-    logger.info("Running weather UI", { message });
-
-    const readableStream = await renderToReadableStream(<App />);
-
-    const reader = readableStream.getReader();
-
-    while (true) {
-      const { done, value } = await reader.read();
-
-      if (done) {
-        break;
-      }
-
-      logger.log("Received chunk", { value });
-    }
-  },
-});
diff --git a/references/nextjs-realtime/src/trigger/schemas.ts b/references/nextjs-realtime/src/trigger/schemas.ts
deleted file mode 100644
index b99eb8640d1..00000000000
--- a/references/nextjs-realtime/src/trigger/schemas.ts
+++ /dev/null
@@ -1,35 +0,0 @@
-import { z } from "zod";
-
-export const CSVRow = z.object({
-  Date: z.string(),
-  Impressions: z.coerce.number(),
-  Likes: z.coerce.number(),
-  Engagements: z.coerce.number(),
-  Bookmarks: z.coerce.number(),
-  Shares: z.coerce.number(),
-  "New follows": z.coerce.number(),
-  Unfollows: z.coerce.number(),
-  Replies: z.coerce.number(),
-  Reposts: z.coerce.number(),
-  "Profile visits": z.coerce.number(),
-  "Create Post": z.coerce.number(),
-  "Video views": z.coerce.number(),
-  "Media views": z.coerce.number(),
-});
-
-export type CSVRow = z.infer<typeof CSVRow>;
-
-// Status schema for progress updates
-export const CSVStatus = z.enum(["fetching", "parsing", "processing", "complete"]);
-
-export type CSVStatus = z.infer<typeof CSVStatus>;
-
-// The full metadata schema that encompasses all possible metadata fields
-export const CSVUploadMetadataSchema = z.object({
-  status: CSVStatus,
-  totalRows: z.number().int().nonnegative().optional(),
-  inProgressRows: z.number().int().nonnegative().optional(),
-  processedRows: z.number().int().nonnegative().optional(),
-});
-
-export type CSVUploadMetadata = z.infer<typeof CSVUploadMetadataSchema>;
diff --git a/references/nextjs-realtime/src/utils/schemas.ts b/references/nextjs-realtime/src/utils/schemas.ts
deleted file mode 100644
index a5a6e4315cc..00000000000
--- a/references/nextjs-realtime/src/utils/schemas.ts
+++ /dev/null
@@ -1,60 +0,0 @@
-import { z } from "zod";
-
-export const EnqueuedQueueStatus = z.object({
-  status: z.literal("IN_QUEUE"),
-  queue_position: z.number(),
-});
-
-export type EnqueuedQueueStatus = z.infer<typeof EnqueuedQueueStatus>;
-
-export const InProgressGridImage = z.object({
-  status: z.literal("IN_PROGRESS"),
-});
-
-export type InProgressGridImage = z.infer<typeof InProgressGridImage>;
-
-export const ImageDetails = z.object({
-  url: z.string(),
-  file_name: z.string(),
-});
-
-export type ImageDetails = z.infer<typeof ImageDetails>;
-
-export const CompletedGridImage = z.object({
-  status: z.literal("COMPLETED"),
-  metrics: z.object({
-    inference_time: z.number().nullable(),
-  }),
-  image: ImageDetails.optional(),
-});
-
-export type CompletedGridImage = z.infer<typeof CompletedGridImage>;
-
-export const GridImage = z.union([InProgressGridImage, CompletedGridImage, EnqueuedQueueStatus]);
-
-export type GridImage = z.infer<typeof GridImage>;
-
-export const HandleUploadMetadata = z.record(GridImage);
-export type HandleUploadMetadata = z.infer<typeof HandleUploadMetadata>;
-
-export const RunFalMetadata = z.object({ result: GridImage });
-export type RunFalMetadata = z.infer<typeof RunFalMetadata>;
-
-export const UploadedFileData = z.object({
-  name: z.string(),
-  size: z.number(),
-  type: z.string(),
-  key: z.string(),
-  url: z.string(),
-  appUrl: z.string(),
-  fileHash: z.string(),
-  customId: z.string().nullable(),
-});
-
-export type UploadedFileData = z.infer<typeof UploadedFileData>;
-
-export const FalResult = z.object({
-  image: ImageDetails,
-});
-
-export type FalResult = z.infer<typeof FalResult>;
diff --git a/references/nextjs-realtime/src/utils/uploadthing.ts b/references/nextjs-realtime/src/utils/uploadthing.ts
deleted file mode 100644
index fab04f539de..00000000000
--- a/references/nextjs-realtime/src/utils/uploadthing.ts
+++ /dev/null
@@ -1,6 +0,0 @@
-import { generateUploadButton, generateUploadDropzone } from "@uploadthing/react";
-
-import type { OurFileRouter } from "@/app/api/uploadthing/core";
-
-export const UploadButton = generateUploadButton<OurFileRouter>();
-export const UploadDropzone = generateUploadDropzone<OurFileRouter>();
diff --git a/references/nextjs-realtime/tailwind.config.ts b/references/nextjs-realtime/tailwind.config.ts
deleted file mode 100644
index 7ba9baf7e26..00000000000
--- a/references/nextjs-realtime/tailwind.config.ts
+++ /dev/null
@@ -1,64 +0,0 @@
-import type { Config } from "tailwindcss";
-import { withUt } from "uploadthing/tw";
-
-const config: Config = withUt({
-  darkMode: ["class"],
-  content: [
-    "./src/pages/**/*.{js,ts,jsx,tsx,mdx}",
-    "./src/components/**/*.{js,ts,jsx,tsx,mdx}",
-    "./src/app/**/*.{js,ts,jsx,tsx,mdx}",
-  ],
-  theme: {
-    extend: {
-      colors: {
-        background: "hsl(var(--background))",
-        foreground: "hsl(var(--foreground))",
-        card: {
-          DEFAULT: "hsl(var(--card))",
-          foreground: "hsl(var(--card-foreground))",
-        },
-        popover: {
-          DEFAULT: "hsl(var(--popover))",
-          foreground: "hsl(var(--popover-foreground))",
-        },
-        primary: {
-          DEFAULT: "hsl(var(--primary))",
-          foreground: "hsl(var(--primary-foreground))",
-        },
-        secondary: {
-          DEFAULT: "hsl(var(--secondary))",
-          foreground: "hsl(var(--secondary-foreground))",
-        },
-        muted: {
-          DEFAULT: "hsl(var(--muted))",
-          foreground: "hsl(var(--muted-foreground))",
-        },
-        accent: {
-          DEFAULT: "hsl(var(--accent))",
-          foreground: "hsl(var(--accent-foreground))",
-        },
-        destructive: {
-          DEFAULT: "hsl(var(--destructive))",
-          foreground: "hsl(var(--destructive-foreground))",
-        },
-        border: "hsl(var(--border))",
-        input: "hsl(var(--input))",
-        ring: "hsl(var(--ring))",
-        chart: {
-          "1": "hsl(var(--chart-1))",
-          "2": "hsl(var(--chart-2))",
-          "3": "hsl(var(--chart-3))",
-          "4": "hsl(var(--chart-4))",
-          "5": "hsl(var(--chart-5))",
-        },
-      },
-      borderRadius: {
-        lg: "var(--radius)",
-        md: "calc(var(--radius) - 2px)",
-        sm: "calc(var(--radius) - 4px)",
-      },
-    },
-  },
-  plugins: [require("tailwindcss-animate")],
-});
-export default config;
diff --git a/references/nextjs-realtime/trigger.config.ts b/references/nextjs-realtime/trigger.config.ts
deleted file mode 100644
index 080a4dba4b4..00000000000
--- a/references/nextjs-realtime/trigger.config.ts
+++ /dev/null
@@ -1,15 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk/v3";
-import { rscExtension } from "@trigger.dev/rsc";
-import { AISDKExporter } from "langsmith/vercel";
-
-export default defineConfig({
-  project: "proj_bzhdaqhlymtuhlrcgbqy",
-  dirs: ["./src/trigger"],
-  telemetry: {
-    exporters: [new AISDKExporter()],
-  },
-  build: {
-    extensions: [rscExtension({ reactDomEnvironment: "worker" })],
-  },
-  maxDuration: 3600,
-});
diff --git a/references/nextjs-realtime/tsconfig.json b/references/nextjs-realtime/tsconfig.json
deleted file mode 100644
index 7b285893049..00000000000
--- a/references/nextjs-realtime/tsconfig.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
-  "compilerOptions": {
-    "lib": ["dom", "dom.iterable", "esnext"],
-    "allowJs": true,
-    "skipLibCheck": true,
-    "strict": true,
-    "noEmit": true,
-    "esModuleInterop": true,
-    "module": "esnext",
-    "moduleResolution": "bundler",
-    "resolveJsonModule": true,
-    "isolatedModules": true,
-    "jsx": "preserve",
-    "incremental": true,
-    "plugins": [
-      {
-        "name": "next"
-      }
-    ],
-    "paths": {
-      "@/*": ["./src/*"]
-    }
-  },
-  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
-  "exclude": ["node_modules"]
-}
diff --git a/references/prisma-6-client/.env.example b/references/prisma-6-client/.env.example
deleted file mode 100644
index 6e4ca028ec3..00000000000
--- a/references/prisma-6-client/.env.example
+++ /dev/null
@@ -1,12 +0,0 @@
-# Environment variables declared in this file are automatically made available to Prisma.
-# See the documentation for more detail: https://pris.ly/d/prisma-schema#accessing-environment-variables-from-the-schema
-
-# Prisma supports the native connection string format for PostgreSQL, MySQL, SQLite, SQL Server, MongoDB and CockroachDB.
-# See the documentation for all the connection string options: https://pris.ly/d/connection-strings
-
-DATABASE_URL=postgresql://postgres:postgres@localhost:5432/references-prisma-6-client?schema=public
-DATABASE_URL_UNPOOLED=postgresql://postgres:postgres@localhost:5432/references-prisma-6-client?schema=public
-
-# Trigger.dev env vars, see our guide on API Keys here: https://trigger.dev/docs/apikeys
-TRIGGER_PROJECT_REF="<TRIGGER_PROJECT_REF>"
-
diff --git a/references/prisma-6-client/.gitignore b/references/prisma-6-client/.gitignore
deleted file mode 100644
index e251c562387..00000000000
--- a/references/prisma-6-client/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-/src/generated/prisma
\ No newline at end of file
diff --git a/references/prisma-6-client/package.json b/references/prisma-6-client/package.json
deleted file mode 100644
index 98cccc59edb..00000000000
--- a/references/prisma-6-client/package.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-  "name": "references-prisma-6-client",
-  "private": true,
-  "type": "module",
-  "devDependencies": {
-    "trigger.dev": "workspace:*",
-    "prisma": "6.16.0"
-  },
-  "dependencies": {
-    "@trigger.dev/build": "workspace:*",
-    "@trigger.dev/sdk": "workspace:*",
-    "@prisma/client": "6.16.0",
-    "@prisma/adapter-pg": "6.16.0"
-  },
-  "scripts": {
-    "dev": "trigger dev",
-    "deploy": "trigger deploy",
-    "prisma:generate": "prisma generate"
-  }
-}
\ No newline at end of file
diff --git a/references/prisma-6-client/prisma/migrations/20251114141701_add_initial_migration/migration.sql b/references/prisma-6-client/prisma/migrations/20251114141701_add_initial_migration/migration.sql
deleted file mode 100644
index b4933152496..00000000000
--- a/references/prisma-6-client/prisma/migrations/20251114141701_add_initial_migration/migration.sql
+++ /dev/null
@@ -1,14 +0,0 @@
--- CreateTable
-CREATE TABLE "public"."User" (
-    "id" TEXT NOT NULL,
-    "email" TEXT NOT NULL,
-    "name" TEXT,
-    "avatarUrl" TEXT,
-    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" TIMESTAMP(3) NOT NULL,
-
-    CONSTRAINT "User_pkey" PRIMARY KEY ("id")
-);
-
--- CreateIndex
-CREATE UNIQUE INDEX "User_email_key" ON "public"."User"("email");
diff --git a/references/prisma-6-client/prisma/migrations/20251114143739_add_product_model/migration.sql b/references/prisma-6-client/prisma/migrations/20251114143739_add_product_model/migration.sql
deleted file mode 100644
index 35f0cc2a134..00000000000
--- a/references/prisma-6-client/prisma/migrations/20251114143739_add_product_model/migration.sql
+++ /dev/null
@@ -1,10 +0,0 @@
--- CreateTable
-CREATE TABLE "public"."Product" (
-    "id" SERIAL NOT NULL,
-    "name" TEXT NOT NULL,
-    "price" INTEGER NOT NULL,
-    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" TIMESTAMP(3) NOT NULL,
-
-    CONSTRAINT "Product_pkey" PRIMARY KEY ("id")
-);
diff --git a/references/prisma-6-client/prisma/migrations/migration_lock.toml b/references/prisma-6-client/prisma/migrations/migration_lock.toml
deleted file mode 100644
index 044d57cdb0d..00000000000
--- a/references/prisma-6-client/prisma/migrations/migration_lock.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-# Please do not edit this file manually
-# It should be added in your version-control system (e.g., Git)
-provider = "postgresql"
diff --git a/references/prisma-6-client/prisma/schema.prisma b/references/prisma-6-client/prisma/schema.prisma
deleted file mode 100644
index 86805822c90..00000000000
--- a/references/prisma-6-client/prisma/schema.prisma
+++ /dev/null
@@ -1,36 +0,0 @@
-// This is your Prisma schema file,
-// learn more about it in the docs: https://pris.ly/d/prisma-schema
-
-// Looking for ways to speed up your queries, or scale easily with your serverless or edge functions?
-// Try Prisma Accelerate: https://pris.ly/cli/accelerate-init
-
-generator client {
-  provider        = "prisma-client"
-  output          = "../src/generated/prisma"
-  engineType      = "client"
-  previewFeatures = ["views"]
-}
-
-datasource db {
-  provider  = "postgresql"
-  url       = env("DATABASE_URL")
-  directUrl = env("DATABASE_URL_UNPOOLED")
-}
-
-model User {
-  id        String  @id @default(cuid())
-  email     String  @unique
-  name      String?
-  avatarUrl String?
-
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-}
-
-model Product {
-  id        Int      @id @default(autoincrement())
-  name      String
-  price     Int
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-}
diff --git a/references/prisma-6-client/src/db.ts b/references/prisma-6-client/src/db.ts
deleted file mode 100644
index 86d879afb81..00000000000
--- a/references/prisma-6-client/src/db.ts
+++ /dev/null
@@ -1,8 +0,0 @@
-import { PrismaClient } from "./generated/prisma/client.js";
-import { PrismaPg } from "@prisma/adapter-pg";
-
-const adapter = new PrismaPg({
-  connectionString: process.env.DATABASE_URL!,
-});
-
-export const db = new PrismaClient({ adapter });
diff --git a/references/prisma-6-client/src/trigger/tasks.ts b/references/prisma-6-client/src/trigger/tasks.ts
deleted file mode 100644
index df93d70f77a..00000000000
--- a/references/prisma-6-client/src/trigger/tasks.ts
+++ /dev/null
@@ -1,12 +0,0 @@
-import { AbortTaskRunError, task } from "@trigger.dev/sdk";
-import { db } from "../db.js";
-
-export const createUserTask = task({
-  id: "create-user",
-  run: async (payload: { email: string; name: string; avatarUrl: string }) => {
-    const user = await db.user.create({
-      data: payload,
-    });
-    return user;
-  },
-});
diff --git a/references/prisma-6-client/trigger.config.ts b/references/prisma-6-client/trigger.config.ts
deleted file mode 100644
index 85bbb265044..00000000000
--- a/references/prisma-6-client/trigger.config.ts
+++ /dev/null
@@ -1,26 +0,0 @@
-import { prismaExtension } from "@trigger.dev/build/extensions/prisma";
-import { defineConfig } from "@trigger.dev/sdk";
-
-export default defineConfig({
-  project: process.env.TRIGGER_PROJECT_REF!,
-  logLevel: "debug",
-  maxDuration: 3600,
-  retries: {
-    enabledInDev: true,
-    default: {
-      maxAttempts: 3,
-      minTimeoutInMs: 1000,
-      maxTimeoutInMs: 10000,
-      factor: 2,
-      randomize: true,
-    },
-  },
-  machine: "small-1x",
-  build: {
-    extensions: [
-      prismaExtension({
-        mode: "modern",
-      }),
-    ],
-  },
-});
diff --git a/references/prisma-6-client/tsconfig.json b/references/prisma-6-client/tsconfig.json
deleted file mode 100644
index 9a5ee0b9d68..00000000000
--- a/references/prisma-6-client/tsconfig.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2023",
-    "module": "Node16",
-    "moduleResolution": "Node16",
-    "esModuleInterop": true,
-    "strict": true,
-    "skipLibCheck": true,
-    "customConditions": ["@triggerdotdev/source"],
-    "jsx": "preserve",
-    "lib": ["DOM", "DOM.Iterable"],
-    "noEmit": true
-  },
-  "include": ["./src/**/*.ts", "trigger.config.ts"]
-}
diff --git a/references/prisma-6-config/.env.example b/references/prisma-6-config/.env.example
deleted file mode 100644
index a7011cc439b..00000000000
--- a/references/prisma-6-config/.env.example
+++ /dev/null
@@ -1,12 +0,0 @@
-# Environment variables declared in this file are automatically made available to Prisma.
-# See the documentation for more detail: https://pris.ly/d/prisma-schema#accessing-environment-variables-from-the-schema
-
-# Prisma supports the native connection string format for PostgreSQL, MySQL, SQLite, SQL Server, MongoDB and CockroachDB.
-# See the documentation for all the connection string options: https://pris.ly/d/connection-strings
-
-DATABASE_URL=postgresql://postgres:postgres@localhost:5432/references-prisma-6-output?schema=public
-DATABASE_URL_UNPOOLED=postgresql://postgres:postgres@localhost:5432/references-prisma-6-output?schema=public
-
-# Trigger.dev env vars, see our guide on API Keys here: https://trigger.dev/docs/apikeys
-TRIGGER_PROJECT_REF="<TRIGGER_PROJECT_REF>"
-
diff --git a/references/prisma-6-config/.gitignore b/references/prisma-6-config/.gitignore
deleted file mode 100644
index e251c562387..00000000000
--- a/references/prisma-6-config/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-/src/generated/prisma
\ No newline at end of file
diff --git a/references/prisma-6-config/package.json b/references/prisma-6-config/package.json
deleted file mode 100644
index a8e15a4b10c..00000000000
--- a/references/prisma-6-config/package.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
-  "name": "references-prisma-6-config",
-  "private": true,
-  "type": "module",
-  "devDependencies": {
-    "trigger.dev": "workspace:*",
-    "prisma": "6.19.0"
-  },
-  "dependencies": {
-    "@trigger.dev/build": "workspace:*",
-    "@trigger.dev/sdk": "workspace:*",
-    "@prisma/client": "6.19.0"
-  },
-  "scripts": {
-    "dev": "trigger dev",
-    "deploy": "trigger deploy",
-    "prisma:generate": "prisma generate"
-  }
-}
\ No newline at end of file
diff --git a/references/prisma-6-config/prisma.config.ts b/references/prisma-6-config/prisma.config.ts
deleted file mode 100644
index 8e4e6fd806a..00000000000
--- a/references/prisma-6-config/prisma.config.ts
+++ /dev/null
@@ -1,13 +0,0 @@
-import { defineConfig, env } from "prisma/config";
-import "dotenv/config";
-
-export default defineConfig({
-  schema: "prisma/schema.prisma",
-  migrations: {
-    path: "prisma/migrations",
-  },
-  datasource: {
-    url: env("DATABASE_URL"),
-    directUrl: env("DATABASE_URL_UNPOOLED"),
-  },
-});
diff --git a/references/prisma-6-config/prisma/migrations/20251117171313_add_initial_migration/migration.sql b/references/prisma-6-config/prisma/migrations/20251117171313_add_initial_migration/migration.sql
deleted file mode 100644
index f8f03ea8858..00000000000
--- a/references/prisma-6-config/prisma/migrations/20251117171313_add_initial_migration/migration.sql
+++ /dev/null
@@ -1,14 +0,0 @@
--- CreateTable
-CREATE TABLE "User" (
-    "id" TEXT NOT NULL,
-    "email" TEXT NOT NULL,
-    "name" TEXT,
-    "avatarUrl" TEXT,
-    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" TIMESTAMP(3) NOT NULL,
-
-    CONSTRAINT "User_pkey" PRIMARY KEY ("id")
-);
-
--- CreateIndex
-CREATE UNIQUE INDEX "User_email_key" ON "User"("email");
diff --git a/references/prisma-6-config/prisma/migrations/migration_lock.toml b/references/prisma-6-config/prisma/migrations/migration_lock.toml
deleted file mode 100644
index 044d57cdb0d..00000000000
--- a/references/prisma-6-config/prisma/migrations/migration_lock.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-# Please do not edit this file manually
-# It should be added in your version-control system (e.g., Git)
-provider = "postgresql"
diff --git a/references/prisma-6-config/prisma/schema.prisma b/references/prisma-6-config/prisma/schema.prisma
deleted file mode 100644
index 7b29b000295..00000000000
--- a/references/prisma-6-config/prisma/schema.prisma
+++ /dev/null
@@ -1,27 +0,0 @@
-// This is your Prisma schema file,
-// learn more about it in the docs: https://pris.ly/d/prisma-schema
-
-// Looking for ways to speed up your queries, or scale easily with your serverless or edge functions?
-// Try Prisma Accelerate: https://pris.ly/cli/accelerate-init
-
-generator client {
-  provider      = "prisma-client-js"
-  output        = "../src/generated/prisma"
-  binaryTargets = ["native", "linux-arm64-openssl-3.0.x", "debian-openssl-3.0.x"]
-}
-
-datasource db {
-  provider  = "postgresql"
-  url       = env("DATABASE_URL")
-  directUrl = env("DATABASE_URL_UNPOOLED")
-}
-
-model User {
-  id        String  @id @default(cuid())
-  email     String  @unique
-  name      String?
-  avatarUrl String?
-
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-}
diff --git a/references/prisma-6-config/src/db.ts b/references/prisma-6-config/src/db.ts
deleted file mode 100644
index 388ebf3e2cc..00000000000
--- a/references/prisma-6-config/src/db.ts
+++ /dev/null
@@ -1,9 +0,0 @@
-import { PrismaClient } from "./generated/prisma/client.js";
-
-export const db = new PrismaClient({
-  datasources: {
-    db: {
-      url: process.env.DATABASE_URL,
-    },
-  },
-});
diff --git a/references/prisma-6-config/src/trigger/tasks.ts b/references/prisma-6-config/src/trigger/tasks.ts
deleted file mode 100644
index ed656c01bda..00000000000
--- a/references/prisma-6-config/src/trigger/tasks.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-import { AbortTaskRunError, task } from "@trigger.dev/sdk";
-import { db } from "../db.js";
-
-export const createUserTask = task({
-  id: "create-user",
-  run: async (payload: { email: string; name: string; avatarUrl: string }) => {
-    const existingUser = await db.user.findUnique({
-      where: {
-        email: payload.email,
-      },
-    });
-
-    if (existingUser) {
-      throw new AbortTaskRunError("User already exists");
-    }
-
-    const user = await db.user.create({
-      data: payload,
-    });
-    return user;
-  },
-});
diff --git a/references/prisma-6-config/trigger.config.ts b/references/prisma-6-config/trigger.config.ts
deleted file mode 100644
index bfbf2aa323f..00000000000
--- a/references/prisma-6-config/trigger.config.ts
+++ /dev/null
@@ -1,29 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk";
-import { prismaExtension } from "@trigger.dev/build/extensions/prisma";
-
-export default defineConfig({
-  project: process.env.TRIGGER_PROJECT_REF!,
-  logLevel: "debug",
-  maxDuration: 3600,
-  retries: {
-    enabledInDev: true,
-    default: {
-      maxAttempts: 3,
-      minTimeoutInMs: 1000,
-      maxTimeoutInMs: 10000,
-      factor: 2,
-      randomize: true,
-    },
-  },
-  machine: "small-1x",
-  build: {
-    extensions: [
-      prismaExtension({
-        mode: "legacy",
-        configFile: "./prisma.config.ts",
-        directUrlEnvVarName: "DATABASE_URL_UNPOOLED",
-        migrate: true,
-      }),
-    ],
-  },
-});
diff --git a/references/prisma-6-config/tsconfig.json b/references/prisma-6-config/tsconfig.json
deleted file mode 100644
index 9a5ee0b9d68..00000000000
--- a/references/prisma-6-config/tsconfig.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2023",
-    "module": "Node16",
-    "moduleResolution": "Node16",
-    "esModuleInterop": true,
-    "strict": true,
-    "skipLibCheck": true,
-    "customConditions": ["@triggerdotdev/source"],
-    "jsx": "preserve",
-    "lib": ["DOM", "DOM.Iterable"],
-    "noEmit": true
-  },
-  "include": ["./src/**/*.ts", "trigger.config.ts"]
-}
diff --git a/references/prisma-6-multi-file/.env.example b/references/prisma-6-multi-file/.env.example
deleted file mode 100644
index 7e8fc31772a..00000000000
--- a/references/prisma-6-multi-file/.env.example
+++ /dev/null
@@ -1,12 +0,0 @@
-# Environment variables declared in this file are automatically made available to Prisma.
-# See the documentation for more detail: https://pris.ly/d/prisma-schema#accessing-environment-variables-from-the-schema
-
-# Prisma supports the native connection string format for PostgreSQL, MySQL, SQLite, SQL Server, MongoDB and CockroachDB.
-# See the documentation for all the connection string options: https://pris.ly/d/connection-strings
-
-DATABASE_URL=postgresql://postgres:postgres@localhost:5432/references-prisma-6-multi-file?schema=public
-DATABASE_URL_UNPOOLED=postgresql://postgres:postgres@localhost:5432/references-prisma-6-multi-file?schema=public
-
-# Trigger.dev env vars, see our guide on API Keys here: https://trigger.dev/docs/apikeys
-TRIGGER_PROJECT_REF="<TRIGGER_PROJECT_REF>"
-
diff --git a/references/prisma-6-multi-file/package.json b/references/prisma-6-multi-file/package.json
deleted file mode 100644
index 01e760200bb..00000000000
--- a/references/prisma-6-multi-file/package.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
-  "name": "references-prisma-6-multi-file",
-  "private": true,
-  "type": "module",
-  "devDependencies": {
-    "trigger.dev": "workspace:*",
-    "prisma": "6.14.0"
-  },
-  "dependencies": {
-    "@trigger.dev/build": "workspace:*",
-    "@trigger.dev/sdk": "workspace:*",
-    "@prisma/client": "6.14.0"
-  },
-  "scripts": {
-    "dev": "trigger dev",
-    "deploy": "trigger deploy",
-    "prisma:generate": "prisma generate --sql"
-  },
-  "prisma": {
-    "schema": "./prisma"
-  }
-}
\ No newline at end of file
diff --git a/references/prisma-6-multi-file/prisma/migrations/20251113161257_add_initial_migration/migration.sql b/references/prisma-6-multi-file/prisma/migrations/20251113161257_add_initial_migration/migration.sql
deleted file mode 100644
index 04378290f00..00000000000
--- a/references/prisma-6-multi-file/prisma/migrations/20251113161257_add_initial_migration/migration.sql
+++ /dev/null
@@ -1,29 +0,0 @@
--- CreateTable
-CREATE TABLE "public"."Post" (
-    "id" TEXT NOT NULL,
-    "title" TEXT NOT NULL,
-    "content" TEXT NOT NULL,
-    "authorId" TEXT NOT NULL,
-    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" TIMESTAMP(3) NOT NULL,
-
-    CONSTRAINT "Post_pkey" PRIMARY KEY ("id")
-);
-
--- CreateTable
-CREATE TABLE "public"."User" (
-    "id" TEXT NOT NULL,
-    "email" TEXT NOT NULL,
-    "name" TEXT,
-    "avatarUrl" TEXT,
-    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" TIMESTAMP(3) NOT NULL,
-
-    CONSTRAINT "User_pkey" PRIMARY KEY ("id")
-);
-
--- CreateIndex
-CREATE UNIQUE INDEX "User_email_key" ON "public"."User"("email");
-
--- AddForeignKey
-ALTER TABLE "public"."Post" ADD CONSTRAINT "Post_authorId_fkey" FOREIGN KEY ("authorId") REFERENCES "public"."User"("id") ON DELETE RESTRICT ON UPDATE CASCADE;
diff --git a/references/prisma-6-multi-file/prisma/migrations/migration_lock.toml b/references/prisma-6-multi-file/prisma/migrations/migration_lock.toml
deleted file mode 100644
index 044d57cdb0d..00000000000
--- a/references/prisma-6-multi-file/prisma/migrations/migration_lock.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-# Please do not edit this file manually
-# It should be added in your version-control system (e.g., Git)
-provider = "postgresql"
diff --git a/references/prisma-6-multi-file/prisma/models/posts.prisma b/references/prisma-6-multi-file/prisma/models/posts.prisma
deleted file mode 100644
index dfb0df9cebf..00000000000
--- a/references/prisma-6-multi-file/prisma/models/posts.prisma
+++ /dev/null
@@ -1,9 +0,0 @@
-model Post {
-  id        String   @id @default(cuid())
-  title     String
-  content   String
-  authorId  String
-  author    User     @relation(fields: [authorId], references: [id])
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-}
diff --git a/references/prisma-6-multi-file/prisma/models/users.prisma b/references/prisma-6-multi-file/prisma/models/users.prisma
deleted file mode 100644
index ed1c18a2054..00000000000
--- a/references/prisma-6-multi-file/prisma/models/users.prisma
+++ /dev/null
@@ -1,11 +0,0 @@
-model User {
-  id        String  @id @default(cuid())
-  email     String  @unique
-  name      String?
-  avatarUrl String?
-
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-
-  posts Post[]
-}
diff --git a/references/prisma-6-multi-file/prisma/schema.prisma b/references/prisma-6-multi-file/prisma/schema.prisma
deleted file mode 100644
index 11ef81665f3..00000000000
--- a/references/prisma-6-multi-file/prisma/schema.prisma
+++ /dev/null
@@ -1,16 +0,0 @@
-// This is your Prisma schema file,
-// learn more about it in the docs: https://pris.ly/d/prisma-schema
-
-// Looking for ways to speed up your queries, or scale easily with your serverless or edge functions?
-// Try Prisma Accelerate: https://pris.ly/cli/accelerate-init
-
-generator client {
-  provider        = "prisma-client-js"
-  previewFeatures = ["typedSql"]
-}
-
-datasource db {
-  provider  = "postgresql"
-  url       = env("DATABASE_URL")
-  directUrl = env("DATABASE_URL_UNPOOLED")
-}
diff --git a/references/prisma-6-multi-file/prisma/sql/getUserByEmail.sql b/references/prisma-6-multi-file/prisma/sql/getUserByEmail.sql
deleted file mode 100644
index 579143f33c1..00000000000
--- a/references/prisma-6-multi-file/prisma/sql/getUserByEmail.sql
+++ /dev/null
@@ -1,3 +0,0 @@
-SELECT u.id, u.name
-FROM "User" u
-WHERE u.email = $1
\ No newline at end of file
diff --git a/references/prisma-6-multi-file/src/db.ts b/references/prisma-6-multi-file/src/db.ts
deleted file mode 100644
index 88a4c0f17be..00000000000
--- a/references/prisma-6-multi-file/src/db.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-import { PrismaClient } from "@prisma/client";
-export * as sql from "@prisma/client/sql";
-
-export const db = new PrismaClient({
-  datasources: {
-    db: {
-      url: process.env.DATABASE_URL,
-    },
-  },
-});
diff --git a/references/prisma-6-multi-file/src/trigger/tasks.ts b/references/prisma-6-multi-file/src/trigger/tasks.ts
deleted file mode 100644
index 018cec35a15..00000000000
--- a/references/prisma-6-multi-file/src/trigger/tasks.ts
+++ /dev/null
@@ -1,18 +0,0 @@
-import { AbortTaskRunError, task } from "@trigger.dev/sdk";
-import { db, sql } from "../db.js";
-
-export const createUserTask = task({
-  id: "create-user",
-  run: async (payload: { email: string; name: string; avatarUrl: string }) => {
-    const existingUser = await db.$queryRawTyped(sql.getUserByEmail(payload.email));
-
-    if (existingUser.length > 0) {
-      throw new AbortTaskRunError("User already exists");
-    }
-
-    const user = await db.user.create({
-      data: payload,
-    });
-    return user;
-  },
-});
diff --git a/references/prisma-6-multi-file/trigger.config.ts b/references/prisma-6-multi-file/trigger.config.ts
deleted file mode 100644
index 5bcbc2f48bd..00000000000
--- a/references/prisma-6-multi-file/trigger.config.ts
+++ /dev/null
@@ -1,30 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk";
-import { prismaExtension } from "@trigger.dev/build/extensions/prisma";
-
-export default defineConfig({
-  project: process.env.TRIGGER_PROJECT_REF!,
-  logLevel: "debug",
-  maxDuration: 3600,
-  retries: {
-    enabledInDev: true,
-    default: {
-      maxAttempts: 3,
-      minTimeoutInMs: 1000,
-      maxTimeoutInMs: 10000,
-      factor: 2,
-      randomize: true,
-    },
-  },
-  machine: "small-1x",
-  build: {
-    extensions: [
-      prismaExtension({
-        mode: "legacy",
-        schema: "./prisma",
-        directUrlEnvVarName: "DATABASE_URL_UNPOOLED",
-        migrate: true,
-        typedSql: true,
-      }),
-    ],
-  },
-});
diff --git a/references/prisma-6-multi-file/tsconfig.json b/references/prisma-6-multi-file/tsconfig.json
deleted file mode 100644
index 9a5ee0b9d68..00000000000
--- a/references/prisma-6-multi-file/tsconfig.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2023",
-    "module": "Node16",
-    "moduleResolution": "Node16",
-    "esModuleInterop": true,
-    "strict": true,
-    "skipLibCheck": true,
-    "customConditions": ["@triggerdotdev/source"],
-    "jsx": "preserve",
-    "lib": ["DOM", "DOM.Iterable"],
-    "noEmit": true
-  },
-  "include": ["./src/**/*.ts", "trigger.config.ts"]
-}
diff --git a/references/prisma-6-output/.env.example b/references/prisma-6-output/.env.example
deleted file mode 100644
index a7011cc439b..00000000000
--- a/references/prisma-6-output/.env.example
+++ /dev/null
@@ -1,12 +0,0 @@
-# Environment variables declared in this file are automatically made available to Prisma.
-# See the documentation for more detail: https://pris.ly/d/prisma-schema#accessing-environment-variables-from-the-schema
-
-# Prisma supports the native connection string format for PostgreSQL, MySQL, SQLite, SQL Server, MongoDB and CockroachDB.
-# See the documentation for all the connection string options: https://pris.ly/d/connection-strings
-
-DATABASE_URL=postgresql://postgres:postgres@localhost:5432/references-prisma-6-output?schema=public
-DATABASE_URL_UNPOOLED=postgresql://postgres:postgres@localhost:5432/references-prisma-6-output?schema=public
-
-# Trigger.dev env vars, see our guide on API Keys here: https://trigger.dev/docs/apikeys
-TRIGGER_PROJECT_REF="<TRIGGER_PROJECT_REF>"
-
diff --git a/references/prisma-6-output/.gitignore b/references/prisma-6-output/.gitignore
deleted file mode 100644
index e251c562387..00000000000
--- a/references/prisma-6-output/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-/src/generated/prisma
\ No newline at end of file
diff --git a/references/prisma-6-output/package.json b/references/prisma-6-output/package.json
deleted file mode 100644
index fd94cba7a5a..00000000000
--- a/references/prisma-6-output/package.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
-  "name": "references-prisma-6-output",
-  "private": true,
-  "type": "module",
-  "devDependencies": {
-    "trigger.dev": "workspace:*",
-    "prisma": "6.19.0"
-  },
-  "dependencies": {
-    "@trigger.dev/build": "workspace:*",
-    "@trigger.dev/sdk": "workspace:*",
-    "@prisma/client": "6.19.0"
-  },
-  "scripts": {
-    "dev": "trigger dev",
-    "deploy": "trigger deploy",
-    "prisma:generate": "prisma generate --sql"
-  }
-}
\ No newline at end of file
diff --git a/references/prisma-6-output/prisma/migrations/20251113213202_add_initial_migration/migration.sql b/references/prisma-6-output/prisma/migrations/20251113213202_add_initial_migration/migration.sql
deleted file mode 100644
index b4933152496..00000000000
--- a/references/prisma-6-output/prisma/migrations/20251113213202_add_initial_migration/migration.sql
+++ /dev/null
@@ -1,14 +0,0 @@
--- CreateTable
-CREATE TABLE "public"."User" (
-    "id" TEXT NOT NULL,
-    "email" TEXT NOT NULL,
-    "name" TEXT,
-    "avatarUrl" TEXT,
-    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" TIMESTAMP(3) NOT NULL,
-
-    CONSTRAINT "User_pkey" PRIMARY KEY ("id")
-);
-
--- CreateIndex
-CREATE UNIQUE INDEX "User_email_key" ON "public"."User"("email");
diff --git a/references/prisma-6-output/prisma/migrations/migration_lock.toml b/references/prisma-6-output/prisma/migrations/migration_lock.toml
deleted file mode 100644
index 044d57cdb0d..00000000000
--- a/references/prisma-6-output/prisma/migrations/migration_lock.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-# Please do not edit this file manually
-# It should be added in your version-control system (e.g., Git)
-provider = "postgresql"
diff --git a/references/prisma-6-output/prisma/schema.prisma b/references/prisma-6-output/prisma/schema.prisma
deleted file mode 100644
index abbff158c1d..00000000000
--- a/references/prisma-6-output/prisma/schema.prisma
+++ /dev/null
@@ -1,28 +0,0 @@
-// This is your Prisma schema file,
-// learn more about it in the docs: https://pris.ly/d/prisma-schema
-
-// Looking for ways to speed up your queries, or scale easily with your serverless or edge functions?
-// Try Prisma Accelerate: https://pris.ly/cli/accelerate-init
-
-generator client {
-  provider        = "prisma-client-js"
-  output          = "../src/generated/prisma"
-  previewFeatures = ["typedSql"]
-  binaryTargets   = ["native", "linux-arm64-openssl-3.0.x"]
-}
-
-datasource db {
-  provider  = "postgresql"
-  url       = env("DATABASE_URL")
-  directUrl = env("DATABASE_URL_UNPOOLED")
-}
-
-model User {
-  id        String  @id @default(cuid())
-  email     String  @unique
-  name      String?
-  avatarUrl String?
-
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-}
diff --git a/references/prisma-6-output/prisma/sql/getUserByEmail.sql b/references/prisma-6-output/prisma/sql/getUserByEmail.sql
deleted file mode 100644
index 579143f33c1..00000000000
--- a/references/prisma-6-output/prisma/sql/getUserByEmail.sql
+++ /dev/null
@@ -1,3 +0,0 @@
-SELECT u.id, u.name
-FROM "User" u
-WHERE u.email = $1
\ No newline at end of file
diff --git a/references/prisma-6-output/src/db.ts b/references/prisma-6-output/src/db.ts
deleted file mode 100644
index 3fa57fb5cf5..00000000000
--- a/references/prisma-6-output/src/db.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-import { PrismaClient } from "./generated/prisma/client.js";
-export * as sql from "./generated/prisma/sql/index.js";
-
-export const db = new PrismaClient({
-  datasources: {
-    db: {
-      url: process.env.DATABASE_URL,
-    },
-  },
-});
diff --git a/references/prisma-6-output/src/trigger/tasks.ts b/references/prisma-6-output/src/trigger/tasks.ts
deleted file mode 100644
index 018cec35a15..00000000000
--- a/references/prisma-6-output/src/trigger/tasks.ts
+++ /dev/null
@@ -1,18 +0,0 @@
-import { AbortTaskRunError, task } from "@trigger.dev/sdk";
-import { db, sql } from "../db.js";
-
-export const createUserTask = task({
-  id: "create-user",
-  run: async (payload: { email: string; name: string; avatarUrl: string }) => {
-    const existingUser = await db.$queryRawTyped(sql.getUserByEmail(payload.email));
-
-    if (existingUser.length > 0) {
-      throw new AbortTaskRunError("User already exists");
-    }
-
-    const user = await db.user.create({
-      data: payload,
-    });
-    return user;
-  },
-});
diff --git a/references/prisma-6-output/trigger.config.ts b/references/prisma-6-output/trigger.config.ts
deleted file mode 100644
index 1f73c6be934..00000000000
--- a/references/prisma-6-output/trigger.config.ts
+++ /dev/null
@@ -1,28 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk";
-import { prismaExtension } from "@trigger.dev/build/extensions/prisma";
-
-export default defineConfig({
-  project: process.env.TRIGGER_PROJECT_REF!,
-  logLevel: "debug",
-  maxDuration: 3600,
-  retries: {
-    enabledInDev: true,
-    default: {
-      maxAttempts: 3,
-      minTimeoutInMs: 1000,
-      maxTimeoutInMs: 10000,
-      factor: 2,
-      randomize: true,
-    },
-  },
-  machine: "small-1x",
-  build: {
-    extensions: [
-      prismaExtension({
-        mode: "engine-only",
-        version: "6.19.0",
-        binaryTarget: "linux-arm64-openssl-3.0.x",
-      }),
-    ],
-  },
-});
diff --git a/references/prisma-6-output/tsconfig.json b/references/prisma-6-output/tsconfig.json
deleted file mode 100644
index 9a5ee0b9d68..00000000000
--- a/references/prisma-6-output/tsconfig.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2023",
-    "module": "Node16",
-    "moduleResolution": "Node16",
-    "esModuleInterop": true,
-    "strict": true,
-    "skipLibCheck": true,
-    "customConditions": ["@triggerdotdev/source"],
-    "jsx": "preserve",
-    "lib": ["DOM", "DOM.Iterable"],
-    "noEmit": true
-  },
-  "include": ["./src/**/*.ts", "trigger.config.ts"]
-}
diff --git a/references/prisma-6/.env.example b/references/prisma-6/.env.example
deleted file mode 100644
index 0accda31a81..00000000000
--- a/references/prisma-6/.env.example
+++ /dev/null
@@ -1,12 +0,0 @@
-# Environment variables declared in this file are automatically made available to Prisma.
-# See the documentation for more detail: https://pris.ly/d/prisma-schema#accessing-environment-variables-from-the-schema
-
-# Prisma supports the native connection string format for PostgreSQL, MySQL, SQLite, SQL Server, MongoDB and CockroachDB.
-# See the documentation for all the connection string options: https://pris.ly/d/connection-strings
-
-DATABASE_URL=postgresql://postgres:postgres@localhost:5432/references-prisma-6?schema=public
-DATABASE_URL_UNPOOLED=postgresql://postgres:postgres@localhost:5432/references-prisma-6?schema=public
-
-# Trigger.dev env vars, see our guide on API Keys here: https://trigger.dev/docs/apikeys
-TRIGGER_PROJECT_REF="<TRIGGER_PROJECT_REF>"
-
diff --git a/references/prisma-6/package.json b/references/prisma-6/package.json
deleted file mode 100644
index 2e272859d11..00000000000
--- a/references/prisma-6/package.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-  "name": "references-prisma-6",
-  "private": true,
-  "type": "module",
-  "devDependencies": {
-    "prisma": "6.14.0",
-    "prisma-generator-ts-enums": "^1.1.0",
-    "trigger.dev": "workspace:*"
-  },
-  "dependencies": {
-    "@prisma/client": "6.14.0",
-    "@trigger.dev/build": "workspace:*",
-    "@trigger.dev/sdk": "workspace:*"
-  },
-  "scripts": {
-    "dev": "trigger dev",
-    "deploy": "trigger deploy",
-    "prisma:generate": "prisma generate --sql"
-  }
-}
\ No newline at end of file
diff --git a/references/prisma-6/prisma/migrations/20251113155334_add_initial_migration/migration.sql b/references/prisma-6/prisma/migrations/20251113155334_add_initial_migration/migration.sql
deleted file mode 100644
index b4933152496..00000000000
--- a/references/prisma-6/prisma/migrations/20251113155334_add_initial_migration/migration.sql
+++ /dev/null
@@ -1,14 +0,0 @@
--- CreateTable
-CREATE TABLE "public"."User" (
-    "id" TEXT NOT NULL,
-    "email" TEXT NOT NULL,
-    "name" TEXT,
-    "avatarUrl" TEXT,
-    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" TIMESTAMP(3) NOT NULL,
-
-    CONSTRAINT "User_pkey" PRIMARY KEY ("id")
-);
-
--- CreateIndex
-CREATE UNIQUE INDEX "User_email_key" ON "public"."User"("email");
diff --git a/references/prisma-6/prisma/migrations/20251121153959_add_user_role/migration.sql b/references/prisma-6/prisma/migrations/20251121153959_add_user_role/migration.sql
deleted file mode 100644
index 09f6b793718..00000000000
--- a/references/prisma-6/prisma/migrations/20251121153959_add_user_role/migration.sql
+++ /dev/null
@@ -1,5 +0,0 @@
--- CreateEnum
-CREATE TYPE "public"."UserRole" AS ENUM ('ADMIN', 'USER');
-
--- AlterTable
-ALTER TABLE "public"."User" ADD COLUMN     "role" "public"."UserRole" NOT NULL DEFAULT 'USER';
diff --git a/references/prisma-6/prisma/migrations/migration_lock.toml b/references/prisma-6/prisma/migrations/migration_lock.toml
deleted file mode 100644
index 044d57cdb0d..00000000000
--- a/references/prisma-6/prisma/migrations/migration_lock.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-# Please do not edit this file manually
-# It should be added in your version-control system (e.g., Git)
-provider = "postgresql"
diff --git a/references/prisma-6/prisma/schema.prisma b/references/prisma-6/prisma/schema.prisma
deleted file mode 100644
index 4999af52c15..00000000000
--- a/references/prisma-6/prisma/schema.prisma
+++ /dev/null
@@ -1,38 +0,0 @@
-// This is your Prisma schema file,
-// learn more about it in the docs: https://pris.ly/d/prisma-schema
-
-// Looking for ways to speed up your queries, or scale easily with your serverless or edge functions?
-// Try Prisma Accelerate: https://pris.ly/cli/accelerate-init
-
-generator client {
-  provider        = "prisma-client-js"
-  previewFeatures = ["typedSql"]
-}
-
-datasource db {
-  provider  = "postgresql"
-  url       = env("DATABASE_URL")
-  directUrl = env("DATABASE_URL_UNPOOLED")
-}
-
-generator enum {
-  provider = "node node_modules/prisma-generator-ts-enums" // specify the path to this generator here
-  output   = "../src/types/enums.ts" // optionally, you can specify an output filename here -- default is ./types/enums.d.ts
-}
-
-model User {
-  id        String  @id @default(cuid())
-  email     String  @unique
-  name      String?
-  avatarUrl String?
-
-  role UserRole @default(USER)
-
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-}
-
-enum UserRole {
-  ADMIN
-  USER
-}
diff --git a/references/prisma-6/prisma/sql/getUserByEmail.sql b/references/prisma-6/prisma/sql/getUserByEmail.sql
deleted file mode 100644
index 579143f33c1..00000000000
--- a/references/prisma-6/prisma/sql/getUserByEmail.sql
+++ /dev/null
@@ -1,3 +0,0 @@
-SELECT u.id, u.name
-FROM "User" u
-WHERE u.email = $1
\ No newline at end of file
diff --git a/references/prisma-6/src/db.ts b/references/prisma-6/src/db.ts
deleted file mode 100644
index 88a4c0f17be..00000000000
--- a/references/prisma-6/src/db.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-import { PrismaClient } from "@prisma/client";
-export * as sql from "@prisma/client/sql";
-
-export const db = new PrismaClient({
-  datasources: {
-    db: {
-      url: process.env.DATABASE_URL,
-    },
-  },
-});
diff --git a/references/prisma-6/src/trigger/tasks.ts b/references/prisma-6/src/trigger/tasks.ts
deleted file mode 100644
index 018cec35a15..00000000000
--- a/references/prisma-6/src/trigger/tasks.ts
+++ /dev/null
@@ -1,18 +0,0 @@
-import { AbortTaskRunError, task } from "@trigger.dev/sdk";
-import { db, sql } from "../db.js";
-
-export const createUserTask = task({
-  id: "create-user",
-  run: async (payload: { email: string; name: string; avatarUrl: string }) => {
-    const existingUser = await db.$queryRawTyped(sql.getUserByEmail(payload.email));
-
-    if (existingUser.length > 0) {
-      throw new AbortTaskRunError("User already exists");
-    }
-
-    const user = await db.user.create({
-      data: payload,
-    });
-    return user;
-  },
-});
diff --git a/references/prisma-6/src/types/enums.ts b/references/prisma-6/src/types/enums.ts
deleted file mode 100644
index dfac04536bc..00000000000
--- a/references/prisma-6/src/types/enums.ts
+++ /dev/null
@@ -1,4 +0,0 @@
-export enum UserRole {
-  ADMIN = 'ADMIN',
-  USER = 'USER',
-}
diff --git a/references/prisma-6/trigger.config.ts b/references/prisma-6/trigger.config.ts
deleted file mode 100644
index a9255abf575..00000000000
--- a/references/prisma-6/trigger.config.ts
+++ /dev/null
@@ -1,34 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk";
-import { prismaExtension } from "@trigger.dev/build/extensions/prisma";
-import { additionalPackages } from "@trigger.dev/build/extensions/core";
-
-export default defineConfig({
-  project: process.env.TRIGGER_PROJECT_REF!,
-  logLevel: "debug",
-  maxDuration: 3600,
-  retries: {
-    enabledInDev: true,
-    default: {
-      maxAttempts: 3,
-      minTimeoutInMs: 1000,
-      maxTimeoutInMs: 10000,
-      factor: 2,
-      randomize: true,
-    },
-  },
-  machine: "small-1x",
-  build: {
-    extensions: [
-      additionalPackages({
-        packages: ["prisma-generator-ts-enums@1.1.0"],
-      }),
-      prismaExtension({
-        mode: "legacy",
-        schema: "prisma/schema.prisma",
-        migrate: true,
-        typedSql: true,
-        directUrlEnvVarName: "DATABASE_URL_UNPOOLED",
-      }),
-    ],
-  },
-});
diff --git a/references/prisma-6/tsconfig.json b/references/prisma-6/tsconfig.json
deleted file mode 100644
index 9a5ee0b9d68..00000000000
--- a/references/prisma-6/tsconfig.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2023",
-    "module": "Node16",
-    "moduleResolution": "Node16",
-    "esModuleInterop": true,
-    "strict": true,
-    "skipLibCheck": true,
-    "customConditions": ["@triggerdotdev/source"],
-    "jsx": "preserve",
-    "lib": ["DOM", "DOM.Iterable"],
-    "noEmit": true
-  },
-  "include": ["./src/**/*.ts", "trigger.config.ts"]
-}
diff --git a/references/prisma-7/.env.example b/references/prisma-7/.env.example
deleted file mode 100644
index a3195b263a5..00000000000
--- a/references/prisma-7/.env.example
+++ /dev/null
@@ -1,12 +0,0 @@
-# Environment variables declared in this file are automatically made available to Prisma.
-# See the documentation for more detail: https://pris.ly/d/prisma-schema#accessing-environment-variables-from-the-schema
-
-# Prisma supports the native connection string format for PostgreSQL, MySQL, SQLite, SQL Server, MongoDB and CockroachDB.
-# See the documentation for all the connection string options: https://pris.ly/d/connection-strings
-
-DATABASE_URL=postgresql://postgres:postgres@localhost:5432/references-prisma-7?schema=public
-DATABASE_URL_UNPOOLED=postgresql://postgres:postgres@localhost:5432/references-prisma-7?schema=public
-
-# Trigger.dev env vars, see our guide on API Keys here: https://trigger.dev/docs/apikeys
-TRIGGER_PROJECT_REF="<TRIGGER_PROJECT_REF>"
-
diff --git a/references/prisma-7/.gitignore b/references/prisma-7/.gitignore
deleted file mode 100644
index 126419ded64..00000000000
--- a/references/prisma-7/.gitignore
+++ /dev/null
@@ -1,5 +0,0 @@
-node_modules
-# Keep environment variables out of version control
-.env
-
-/src/generated/prisma
diff --git a/references/prisma-7/.nvmrc b/references/prisma-7/.nvmrc
deleted file mode 100644
index 76be14da5c4..00000000000
--- a/references/prisma-7/.nvmrc
+++ /dev/null
@@ -1 +0,0 @@
-20.20.0
\ No newline at end of file
diff --git a/references/prisma-7/package.json b/references/prisma-7/package.json
deleted file mode 100644
index 2fff27d9979..00000000000
--- a/references/prisma-7/package.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
-  "name": "references-prisma-7",
-  "private": true,
-  "type": "module",
-  "devDependencies": {
-    "prisma": "6.20.0-integration-next.8",
-    "trigger.dev": "workspace:*"
-  },
-  "dependencies": {
-    "@prisma/client": "6.20.0-integration-next.8",
-    "@prisma/adapter-pg": "6.20.0-integration-next.8",
-    "@trigger.dev/build": "workspace:*",
-    "@trigger.dev/sdk": "workspace:*",
-    "dotenv": "^17.2.3"
-  },
-  "scripts": {
-    "dev": "trigger dev",
-    "deploy": "trigger deploy",
-    "prisma:generate": "prisma generate"
-  }
-}
\ No newline at end of file
diff --git a/references/prisma-7/prisma.config.ts b/references/prisma-7/prisma.config.ts
deleted file mode 100644
index fa89f0f3c2d..00000000000
--- a/references/prisma-7/prisma.config.ts
+++ /dev/null
@@ -1,12 +0,0 @@
-import { defineConfig, env } from "prisma/config";
-import "dotenv/config";
-
-export default defineConfig({
-  schema: "prisma/schema.prisma",
-  migrations: {
-    path: "prisma/migrations",
-  },
-  datasource: {
-    url: env("DATABASE_URL"),
-  },
-});
diff --git a/references/prisma-7/prisma/migrations/20251113162106_add_initial_migration/migration.sql b/references/prisma-7/prisma/migrations/20251113162106_add_initial_migration/migration.sql
deleted file mode 100644
index f8f03ea8858..00000000000
--- a/references/prisma-7/prisma/migrations/20251113162106_add_initial_migration/migration.sql
+++ /dev/null
@@ -1,14 +0,0 @@
--- CreateTable
-CREATE TABLE "User" (
-    "id" TEXT NOT NULL,
-    "email" TEXT NOT NULL,
-    "name" TEXT,
-    "avatarUrl" TEXT,
-    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updatedAt" TIMESTAMP(3) NOT NULL,
-
-    CONSTRAINT "User_pkey" PRIMARY KEY ("id")
-);
-
--- CreateIndex
-CREATE UNIQUE INDEX "User_email_key" ON "User"("email");
diff --git a/references/prisma-7/prisma/migrations/migration_lock.toml b/references/prisma-7/prisma/migrations/migration_lock.toml
deleted file mode 100644
index 044d57cdb0d..00000000000
--- a/references/prisma-7/prisma/migrations/migration_lock.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-# Please do not edit this file manually
-# It should be added in your version-control system (e.g., Git)
-provider = "postgresql"
diff --git a/references/prisma-7/prisma/schema.prisma b/references/prisma-7/prisma/schema.prisma
deleted file mode 100644
index c47a551bd4f..00000000000
--- a/references/prisma-7/prisma/schema.prisma
+++ /dev/null
@@ -1,24 +0,0 @@
-// This is your Prisma schema file,
-// learn more about it in the docs: https://pris.ly/d/prisma-schema
-
-// Looking for ways to speed up your queries, or scale easily with your serverless or edge functions?
-// Try Prisma Accelerate: https://pris.ly/cli/accelerate-init
-
-generator client {
-  provider = "prisma-client"
-  output   = "../src/generated/prisma"
-}
-
-datasource db {
-  provider = "postgresql"
-}
-
-model User {
-  id        String  @id @default(cuid())
-  email     String  @unique
-  name      String?
-  avatarUrl String?
-
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-}
diff --git a/references/prisma-7/src/db.ts b/references/prisma-7/src/db.ts
deleted file mode 100644
index 86d879afb81..00000000000
--- a/references/prisma-7/src/db.ts
+++ /dev/null
@@ -1,8 +0,0 @@
-import { PrismaClient } from "./generated/prisma/client.js";
-import { PrismaPg } from "@prisma/adapter-pg";
-
-const adapter = new PrismaPg({
-  connectionString: process.env.DATABASE_URL!,
-});
-
-export const db = new PrismaClient({ adapter });
diff --git a/references/prisma-7/src/trigger/tasks.ts b/references/prisma-7/src/trigger/tasks.ts
deleted file mode 100644
index b52b70f0ddb..00000000000
--- a/references/prisma-7/src/trigger/tasks.ts
+++ /dev/null
@@ -1,12 +0,0 @@
-import { task } from "@trigger.dev/sdk";
-import { db } from "../db.js";
-
-export const createUserTask = task({
-  id: "create-user",
-  run: async (payload: { email: string; name: string; avatarUrl: string }) => {
-    const user = await db.user.create({
-      data: payload,
-    });
-    return user;
-  },
-});
diff --git a/references/prisma-7/trigger.config.ts b/references/prisma-7/trigger.config.ts
deleted file mode 100644
index 85bbb265044..00000000000
--- a/references/prisma-7/trigger.config.ts
+++ /dev/null
@@ -1,26 +0,0 @@
-import { prismaExtension } from "@trigger.dev/build/extensions/prisma";
-import { defineConfig } from "@trigger.dev/sdk";
-
-export default defineConfig({
-  project: process.env.TRIGGER_PROJECT_REF!,
-  logLevel: "debug",
-  maxDuration: 3600,
-  retries: {
-    enabledInDev: true,
-    default: {
-      maxAttempts: 3,
-      minTimeoutInMs: 1000,
-      maxTimeoutInMs: 10000,
-      factor: 2,
-      randomize: true,
-    },
-  },
-  machine: "small-1x",
-  build: {
-    extensions: [
-      prismaExtension({
-        mode: "modern",
-      }),
-    ],
-  },
-});
diff --git a/references/prisma-7/tsconfig.json b/references/prisma-7/tsconfig.json
deleted file mode 100644
index 9a5ee0b9d68..00000000000
--- a/references/prisma-7/tsconfig.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2023",
-    "module": "Node16",
-    "moduleResolution": "Node16",
-    "esModuleInterop": true,
-    "strict": true,
-    "skipLibCheck": true,
-    "customConditions": ["@triggerdotdev/source"],
-    "jsx": "preserve",
-    "lib": ["DOM", "DOM.Iterable"],
-    "noEmit": true
-  },
-  "include": ["./src/**/*.ts", "trigger.config.ts"]
-}
diff --git a/references/python-catalog/package.json b/references/python-catalog/package.json
deleted file mode 100644
index 1c4f5859262..00000000000
--- a/references/python-catalog/package.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-  "name": "references-python-catalog",
-  "private": true,
-  "type": "module",
-  "scripts": {
-    "dev": "trigger dev",
-    "deploy": "trigger deploy --self-hosted --load-image",
-    "install-python-deps": "uv pip sync requirements.txt"
-  },
-  "dependencies": {
-    "@trigger.dev/sdk": "workspace:*",
-    "@trigger.dev/python": "workspace:*",
-    "zod": "3.25.76"
-  },
-  "devDependencies": {
-    "@trigger.dev/build": "workspace:*",
-    "trigger.dev": "workspace:*",
-    "typescript": "^5.5.4"
-  }
-}
\ No newline at end of file
diff --git a/references/python-catalog/requirements.txt b/references/python-catalog/requirements.txt
deleted file mode 100644
index 412b45058b0..00000000000
--- a/references/python-catalog/requirements.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-html2text==2024.2.26
-requests==2.32.3
-urllib3==2.3.0
-idna==3.10
-certifi==2025.1.31
\ No newline at end of file
diff --git a/references/python-catalog/src/python/html2text_url.py b/references/python-catalog/src/python/html2text_url.py
deleted file mode 100644
index df56672e060..00000000000
--- a/references/python-catalog/src/python/html2text_url.py
+++ /dev/null
@@ -1,37 +0,0 @@
-import html2text
-import requests
-import argparse
-import sys
-
-def fetch_html(url):
-    """Fetch HTML content from a URL."""
-    try:
-        response = requests.get(url)
-        response.raise_for_status()  # Raise an exception for HTTP errors
-        return response.text
-    except requests.exceptions.RequestException as e:
-        print(f"Error fetching URL: {e}", file=sys.stderr)
-        sys.exit(1)
-
-def main():
-    # Set up command line argument parsing
-    parser = argparse.ArgumentParser(description='Convert HTML from a URL to plain text.')
-    parser.add_argument('url', help='The URL to fetch HTML from')
-    parser.add_argument('--ignore-links', action='store_true', 
-                        help='Ignore converting links from HTML')
-    
-    args = parser.parse_args()
-    
-    # Fetch HTML from the URL
-    html_content = fetch_html(args.url)
-    
-    # Configure html2text
-    h = html2text.HTML2Text()
-    h.ignore_links = args.ignore_links
-    
-    # Convert HTML to text and print
-    text_content = h.handle(html_content)
-    print(text_content)
-
-if __name__ == "__main__":
-    main()
diff --git a/references/python-catalog/src/trigger/pythonTasks.ts b/references/python-catalog/src/trigger/pythonTasks.ts
deleted file mode 100644
index a358c4be5d4..00000000000
--- a/references/python-catalog/src/trigger/pythonTasks.ts
+++ /dev/null
@@ -1,68 +0,0 @@
-import { logger, schemaTask, task } from "@trigger.dev/sdk/v3";
-import { python } from "@trigger.dev/python";
-import { z } from "zod";
-
-export const convertUrlToMarkdown = schemaTask({
-  id: "convert-url-to-markdown",
-  schema: z.object({
-    url: z.string().url(),
-  }),
-  run: async (payload) => {
-    const result = await python.runScript("./src/python/html2text_url.py", [payload.url]);
-
-    logger.debug("convert-url-to-markdown", {
-      url: payload.url,
-      output: result.stdout,
-    });
-
-    const streamingResult = python.stream.runScript("./src/python/html2text_url.py", [payload.url]);
-
-    for await (const chunk of streamingResult) {
-      logger.debug("convert-url-to-markdown", {
-        url: payload.url,
-        chunk,
-      });
-    }
-  },
-});
-
-export const pythonRunInlineTask = task({
-  id: "python-run-inline",
-  run: async () => {
-    const result = await python.runInline(
-      `
-import os
-import html2text as h2t
-
-h = h2t.HTML2Text()
-
-print(h.handle("<p>Hello, <a href='https://www.google.com/earth/'>world</a>!"))
-print(f"API Key: {os.environ['OPENAI_API_KEY']}")
-`,
-      {
-        env: {
-          OPENAI_API_KEY: "sk-1234567890",
-        },
-      }
-    );
-
-    console.log(result.stdout);
-
-    const streamingResult = python.stream.runInline(`
-import html2text as h2t
-
-h = h2t.HTML2Text()
-
-print(h.handle("<p>Hello, <a href='https://www.google.com/earth/'>world</a>!"))
-print(h.handle("<p>Hello, <a href='https://www.google.com/earth/'>world</a>!"))
-`);
-
-    for await (const chunk of streamingResult) {
-      logger.debug("python-run-inline", {
-        chunk,
-      });
-    }
-
-    return result.stdout;
-  },
-});
diff --git a/references/python-catalog/trigger.config.ts b/references/python-catalog/trigger.config.ts
deleted file mode 100644
index 5d2e9e05f25..00000000000
--- a/references/python-catalog/trigger.config.ts
+++ /dev/null
@@ -1,29 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk/v3";
-import { pythonExtension } from "@trigger.dev/python/extension";
-
-export default defineConfig({
-  runtime: "node",
-  project: "proj_hbsqkjxevkyuklehrgrp",
-  machine: "small-1x",
-  maxDuration: 3600,
-  dirs: ["./src/trigger"],
-  build: {
-    extensions: [
-      pythonExtension({
-        requirementsFile: "./requirements.txt", // Optional: Path to your requirements file
-        devPythonBinaryPath: `.venv/bin/python`, // Optional: Custom Python binary path
-        scripts: ["src/python/**/*.py"], // List of Python scripts to include
-      }),
-    ],
-  },
-  retries: {
-    enabledInDev: true,
-    default: {
-      maxAttempts: 3,
-      minTimeoutInMs: 1_000,
-      maxTimeoutInMs: 5_000,
-      factor: 1.6,
-      randomize: true,
-    },
-  },
-});
diff --git a/references/python-catalog/tsconfig.json b/references/python-catalog/tsconfig.json
deleted file mode 100644
index 635ecdb766a..00000000000
--- a/references/python-catalog/tsconfig.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "esnext",
-    "module": "NodeNext",
-    "moduleResolution": "NodeNext",
-    "esModuleInterop": true,
-    "strict": true,
-    "outDir": "dist",
-    "skipLibCheck": true,
-    "customConditions": ["@triggerdotdev/source"],
-    "jsx": "preserve",
-    "emitDecoratorMetadata": true,
-    "experimentalDecorators": true,
-    "lib": ["DOM", "DOM.Iterable"],
-    "paths": {
-      "@/*": ["./src/*"]
-    }
-  },
-  "include": ["./src/**/*.ts", "trigger.config.ts"]
-}
diff --git a/references/realtime-hooks-test/.eslintrc.json b/references/realtime-hooks-test/.eslintrc.json
deleted file mode 100644
index f18272b83b2..00000000000
--- a/references/realtime-hooks-test/.eslintrc.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
-  "extends": "next/core-web-vitals"
-}
-
diff --git a/references/realtime-hooks-test/.gitignore b/references/realtime-hooks-test/.gitignore
deleted file mode 100644
index db870b36d38..00000000000
--- a/references/realtime-hooks-test/.gitignore
+++ /dev/null
@@ -1,41 +0,0 @@
-# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
-
-# dependencies
-/node_modules
-/.pnp
-.pnp.js
-.yarn/install-state.gz
-
-# testing
-/coverage
-
-# next.js
-/.next/
-/out/
-
-# production
-/build
-
-# misc
-.DS_Store
-*.pem
-
-# debug
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-
-# local env files
-.env*.local
-.env
-
-# vercel
-.vercel
-
-# typescript
-*.tsbuildinfo
-next-env.d.ts
-
-# Trigger.dev
-.trigger
-
diff --git a/references/realtime-hooks-test/README.md b/references/realtime-hooks-test/README.md
deleted file mode 100644
index 2f57eee6c8c..00000000000
--- a/references/realtime-hooks-test/README.md
+++ /dev/null
@@ -1,109 +0,0 @@
-# Realtime Hooks Test Reference Project
-
-This is a comprehensive testing reference project for the `@trigger.dev/react-hooks` package. It demonstrates all the realtime hooks available in `useRealtime.ts`.
-
-## Hooks Tested
-
-This project includes examples for:
-
-- ✅ `useRealtimeRun` - Subscribe to a single task run
-- ✅ `useRealtimeRunWithStreams` - Subscribe to a run with stream data
-- ✅ `useRealtimeRunsWithTag` - Subscribe to multiple runs by tag
-- ✅ `useRealtimeBatch` - Subscribe to a batch of runs
-- ✅ `useRealtimeStream` - Subscribe to a specific stream
-
-## Getting Started
-
-### 1. Install dependencies
-
-From the repository root:
-
-```bash
-pnpm install
-```
-
-### 2. Set up environment variables
-
-Create a `.env.local` file:
-
-```bash
-TRIGGER_SECRET_KEY=your_secret_key
-TRIGGER_PROJECT_REF=your_project_ref
-NEXT_PUBLIC_TRIGGER_PUBLIC_KEY=your_public_key
-NEXT_PUBLIC_TRIGGER_API_URL=http://localhost:3030
-```
-
-### 3. Run the development servers
-
-In one terminal, run the Trigger.dev dev server:
-
-```bash
-pnpm run dev:trigger
-```
-
-In another terminal, run the Next.js dev server:
-
-```bash
-pnpm run dev
-```
-
-### 4. Open the app
-
-Visit [http://localhost:3000](http://localhost:3000) to see the examples.
-
-## Project Structure
-
-```
-src/
-├── app/
-│   ├── page.tsx                    # Home page with navigation
-│   ├── actions.ts                  # Server actions for triggering tasks
-│   ├── run/[id]/page.tsx          # useRealtimeRun example
-│   ├── run-with-streams/[id]/page.tsx  # useRealtimeRunWithStreams example
-│   ├── runs-with-tag/[tag]/page.tsx    # useRealtimeRunsWithTag example
-│   ├── batch/[id]/page.tsx        # useRealtimeBatch example
-│   └── stream/[id]/page.tsx       # useRealtimeStream example
-├── components/
-│   ├── run-viewer.tsx             # Component using useRealtimeRun
-│   ├── run-with-streams-viewer.tsx # Component using useRealtimeRunWithStreams
-│   ├── runs-with-tag-viewer.tsx   # Component using useRealtimeRunsWithTag
-│   ├── batch-viewer.tsx           # Component using useRealtimeBatch
-│   └── stream-viewer.tsx          # Component using useRealtimeStream
-└── trigger/
-    ├── simple-task.ts             # Simple task for useRealtimeRun
-    ├── stream-task.ts             # Task with streams for useRealtimeRunWithStreams
-    ├── tagged-task.ts             # Tasks that use tags
-    └── batch-task.ts              # Tasks for batch operations
-```
-
-## Testing Scenarios
-
-Each page demonstrates different aspects of the hooks:
-
-### 1. Single Run (`/run/[id]`)
-- Basic subscription to a single run
-- onComplete callback
-- stopOnCompletion option
-- Error handling
-
-### 2. Run with Streams (`/run-with-streams/[id]`)
-- Subscribe to run updates and multiple streams
-- Throttling stream updates
-- Type-safe stream data
-
-### 3. Runs with Tag (`/runs-with-tag/[tag]`)
-- Subscribe to multiple runs by tag
-- Real-time updates as new runs are created
-- createdAt filtering
-
-### 4. Batch (`/batch/[id]`)
-- Subscribe to all runs in a batch
-- Track batch progress
-- Individual run statuses
-
-### 5. Stream (`/stream/[id]`)
-- Subscribe to a specific stream
-- Start from specific index
-- onData callback for each chunk
-- Timeout handling
-
diff --git a/references/realtime-hooks-test/next.config.ts b/references/realtime-hooks-test/next.config.ts
deleted file mode 100644
index 7443abb6744..00000000000
--- a/references/realtime-hooks-test/next.config.ts
+++ /dev/null
@@ -1,8 +0,0 @@
-import type { NextConfig } from "next";
-
-const nextConfig: NextConfig = {
-  /* config options here */
-};
-
-export default nextConfig;
-
diff --git a/references/realtime-hooks-test/package.json b/references/realtime-hooks-test/package.json
deleted file mode 100644
index 2128609f3a0..00000000000
--- a/references/realtime-hooks-test/package.json
+++ /dev/null
@@ -1,30 +0,0 @@
-{
-  "name": "references-realtime-hooks-test",
-  "version": "0.1.0",
-  "private": true,
-  "scripts": {
-    "dev": "next dev --turbopack",
-    "build": "next build --turbopack",
-    "start": "next start",
-    "dev:trigger": "trigger dev",
-    "deploy": "trigger deploy"
-  },
-  "dependencies": {
-    "@trigger.dev/react-hooks": "workspace:*",
-    "@trigger.dev/sdk": "workspace:*",
-    "next": "15.5.6",
-    "react": "19.1.0",
-    "react-dom": "19.1.0",
-    "zod": "3.25.76"
-  },
-  "devDependencies": {
-    "@tailwindcss/postcss": "^4",
-    "@types/node": "^20",
-    "@types/react": "^19",
-    "@types/react-dom": "^19",
-    "tailwindcss": "^4",
-    "trigger.dev": "workspace:*",
-    "typescript": "^5"
-  }
-}
-
diff --git a/references/realtime-hooks-test/postcss.config.mjs b/references/realtime-hooks-test/postcss.config.mjs
deleted file mode 100644
index fa4a1da8b5d..00000000000
--- a/references/realtime-hooks-test/postcss.config.mjs
+++ /dev/null
@@ -1,6 +0,0 @@
-export default {
-  plugins: {
-    "@tailwindcss/postcss": {},
-  },
-};
-
diff --git a/references/realtime-hooks-test/public/.gitkeep b/references/realtime-hooks-test/public/.gitkeep
deleted file mode 100644
index 0b805298961..00000000000
--- a/references/realtime-hooks-test/public/.gitkeep
+++ /dev/null
@@ -1,2 +0,0 @@
-# This file ensures the public directory is tracked by git
-
diff --git a/references/realtime-hooks-test/src/app/actions.ts b/references/realtime-hooks-test/src/app/actions.ts
deleted file mode 100644
index 9989d3d1963..00000000000
--- a/references/realtime-hooks-test/src/app/actions.ts
+++ /dev/null
@@ -1,73 +0,0 @@
-"use server";
-
-import { tasks, batch, auth } from "@trigger.dev/sdk";
-import type { simpleTask } from "@/trigger/simple-task";
-import type { streamTask } from "@/trigger/stream-task";
-import type { taggedTask } from "@/trigger/tagged-task";
-import type { batchItemTask } from "@/trigger/batch-task";
-import { redirect } from "next/navigation";
-
-export async function triggerSimpleTask(message: string, duration?: number) {
-  const handle = await tasks.trigger<typeof simpleTask>("simple-task", {
-    message,
-    duration,
-  });
-
-  redirect(`/run/${handle.id}?accessToken=${handle.publicAccessToken}`);
-}
-
-export async function triggerStreamTask(scenario: "text" | "json" | "mixed", count?: number) {
-  const handle = await tasks.trigger<typeof streamTask>("stream-task", {
-    scenario,
-    count,
-  });
-
-  redirect(`/run-with-streams/${handle.id}?accessToken=${handle.publicAccessToken}`);
-}
-
-export async function triggerTaggedTask(userId: string, action: string, tags: string[]) {
-  const handle = await tasks.trigger<typeof taggedTask>(
-    "tagged-task",
-    {
-      userId,
-      action,
-    },
-    {
-      tags,
-    }
-  );
-
-  const publicAccessToken = await auth.createPublicToken({
-    scopes: {
-      read: {
-        tags: tags,
-      },
-    },
-  });
-
-  // Redirect to the tag page for the first tag
-  const tag = tags[0] || "test";
-  redirect(`/runs-with-tag/${tag}?accessToken=${publicAccessToken}`);
-}
-
-export async function triggerBatchTasks(itemCount: number) {
-  const items = Array.from({ length: itemCount }, (_, i) => ({
-    payload: {
-      itemId: `item-${i + 1}`,
-      value: Math.floor(Math.random() * 100) + 1,
-    },
-  }));
-
-  const batchHandle = await tasks.batchTrigger<typeof batchItemTask>("batch-item-task", items);
-
-  redirect(`/batch/${batchHandle.batchId}?accessToken=${batchHandle.publicAccessToken}`);
-}
-
-export async function triggerStreamOnlyTask() {
-  const handle = await tasks.trigger<typeof streamTask>("stream-task", {
-    scenario: "text",
-    count: 30,
-  });
-
-  redirect(`/stream/${handle.id}?accessToken=${handle.publicAccessToken}`);
-}
diff --git a/references/realtime-hooks-test/src/app/batch/[id]/page.tsx b/references/realtime-hooks-test/src/app/batch/[id]/page.tsx
deleted file mode 100644
index 5a61a01cf72..00000000000
--- a/references/realtime-hooks-test/src/app/batch/[id]/page.tsx
+++ /dev/null
@@ -1,28 +0,0 @@
-import { BatchViewer } from "@/components/batch-viewer";
-
-type PageProps = {
-  params: Promise<{ id: string }>;
-  searchParams: Promise<{ accessToken: string }>;
-};
-
-export default async function BatchPage({ params, searchParams }: PageProps) {
-  const { id } = await params;
-  const { accessToken } = await searchParams;
-
-  return (
-    <div className="space-y-6">
-      <div>
-        <a href="/" className="text-blue-500 hover:text-blue-600 text-sm mb-4 inline-block">
-          ← Back to Home
-        </a>
-        <h1 className="text-3xl font-bold mb-2">useRealtimeBatch Test</h1>
-        <p className="text-gray-600">
-          Monitoring all runs in a batch with real-time progress tracking
-        </p>
-      </div>
-
-      <BatchViewer batchId={id} accessToken={accessToken} />
-    </div>
-  );
-}
-
diff --git a/references/realtime-hooks-test/src/app/globals.css b/references/realtime-hooks-test/src/app/globals.css
deleted file mode 100644
index 62546ef3f29..00000000000
--- a/references/realtime-hooks-test/src/app/globals.css
+++ /dev/null
@@ -1,80 +0,0 @@
-@import "tailwindcss";
-
-:root {
-  --background: #09090b; /* Zinc 950 */
-  --foreground: #fafafa; /* Zinc 50 */
-  --card: #18181b; /* Zinc 900 */
-  --card-foreground: #fafafa;
-  --popover: #18181b;
-  --popover-foreground: #fafafa;
-  --primary: #fafafa;
-  --primary-foreground: #18181b;
-  --secondary: #27272a; /* Zinc 800 */
-  --secondary-foreground: #fafafa;
-  --muted: #27272a;
-  --muted-foreground: #a1a1aa; /* Zinc 400 */
-  --accent: #27272a;
-  --accent-foreground: #fafafa;
-  --destructive: #7f1d1d;
-  --destructive-foreground: #fafafa;
-  --border: #27272a;
-  --input: #27272a;
-  --ring: #d4d4d8;
-}
-
-@theme inline {
-  --color-background: var(--background);
-  --color-foreground: var(--foreground);
-  --color-card: var(--card);
-  --color-card-foreground: var(--card-foreground);
-  --color-popover: var(--popover);
-  --color-popover-foreground: var(--popover-foreground);
-  --color-primary: var(--primary);
-  --color-primary-foreground: var(--primary-foreground);
-  --color-secondary: var(--secondary);
-  --color-secondary-foreground: var(--secondary-foreground);
-  --color-muted: var(--muted);
-  --color-muted-foreground: var(--muted-foreground);
-  --color-accent: var(--accent);
-  --color-accent-foreground: var(--accent-foreground);
-  --color-destructive: var(--destructive);
-  --color-destructive-foreground: var(--destructive-foreground);
-  --color-border: var(--border);
-  --color-input: var(--input);
-  --color-ring: var(--ring);
-  
-  --font-mono: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace;
-  --font-sans: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
-}
-
-body {
-  background-color: var(--background);
-  color: var(--foreground);
-  font-family: var(--font-sans);
-  -webkit-font-smoothing: antialiased;
-  -moz-osx-font-smoothing: grayscale;
-}
-
-/* Scrollbar styling */
-::-webkit-scrollbar {
-  width: 8px;
-  height: 8px;
-}
-
-::-webkit-scrollbar-track {
-  background: var(--background);
-}
-
-::-webkit-scrollbar-thumb {
-  background: var(--secondary);
-  border-radius: 4px;
-}
-
-::-webkit-scrollbar-thumb:hover {
-  background: var(--muted-foreground);
-}
-
-/* Syntax highlighting */
-pre {
-  font-family: var(--font-mono);
-}
diff --git a/references/realtime-hooks-test/src/app/layout.tsx b/references/realtime-hooks-test/src/app/layout.tsx
deleted file mode 100644
index dd6672498eb..00000000000
--- a/references/realtime-hooks-test/src/app/layout.tsx
+++ /dev/null
@@ -1,33 +0,0 @@
-import type { Metadata } from "next";
-import "./globals.css";
-
-export const metadata: Metadata = {
-  title: "Trigger.dev Hooks",
-  description: "Realtime hooks testing workbench",
-};
-
-export default function RootLayout({
-  children,
-}: Readonly<{
-  children: React.ReactNode;
-}>) {
-  return (
-    <html lang="en" className="dark">
-      <body className="min-h-screen bg-background font-sans antialiased selection:bg-white/10">
-        <div className="flex min-h-screen flex-col">
-          <header className="sticky top-0 z-50 w-full border-b border-border/50 bg-background/95 backdrop-blur supports-[backdrop-filter]:bg-background/60">
-            <div className="container flex h-14 max-w-screen-2xl items-center px-6">
-              <a href="/" className="mr-6 flex items-center space-x-2">
-                <span className="font-bold inline-block">⚡ Trigger.dev</span>
-                <span className="text-muted-foreground px-2 py-0.5 rounded-full bg-secondary text-xs font-mono">Hooks Workbench</span>
-              </a>
-            </div>
-          </header>
-          <main className="flex-1 container max-w-screen-2xl py-6 px-6">
-            {children}
-          </main>
-        </div>
-      </body>
-    </html>
-  );
-}
diff --git a/references/realtime-hooks-test/src/app/page.tsx b/references/realtime-hooks-test/src/app/page.tsx
deleted file mode 100644
index 59aa721f50f..00000000000
--- a/references/realtime-hooks-test/src/app/page.tsx
+++ /dev/null
@@ -1,140 +0,0 @@
-import {
-  triggerSimpleTask,
-  triggerStreamTask,
-  triggerTaggedTask,
-  triggerBatchTasks,
-  triggerStreamOnlyTask,
-} from "./actions";
-
-function Card({ title, description, children }: { title: string; description: string; children: React.ReactNode }) {
-  return (
-    <div className="rounded-lg border border-border bg-card text-card-foreground shadow-sm">
-      <div className="flex flex-col space-y-1.5 p-6">
-        <h3 className="font-semibold leading-none tracking-tight">{title}</h3>
-        <p className="text-sm text-muted-foreground">{description}</p>
-      </div>
-      <div className="p-6 pt-0 space-y-4">
-        {children}
-      </div>
-    </div>
-  );
-}
-
-function Button({ children, variant = "default", ...props }: React.ButtonHTMLAttributes<HTMLButtonElement> & { variant?: "default" | "secondary" | "outline" }) {
-  const variants = {
-    default: "bg-primary text-primary-foreground hover:bg-primary/90",
-    secondary: "bg-secondary text-secondary-foreground hover:bg-secondary/80",
-    outline: "border border-input bg-background hover:bg-accent hover:text-accent-foreground"
-  };
-  
-  return (
-    <button 
-      className={`inline-flex w-full items-center justify-center whitespace-nowrap rounded-md text-sm font-medium ring-offset-background transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 disabled:pointer-events-none disabled:opacity-50 h-9 px-4 py-2 ${variants[variant]}`}
-      {...props}
-    >
-      {children}
-    </button>
-  );
-}
-
-export default function Home() {
-  return (
-    <div className="space-y-8">
-      <div className="grid gap-6 md:grid-cols-2 lg:grid-cols-3">
-        {/* useRealtimeRun */}
-        <Card title="useRealtimeRun" description="Single task run subscription">
-          <form action={async () => {
-            "use server";
-            await triggerSimpleTask("Quick test run", 5);
-          }}>
-            <Button type="submit">Run (5s)</Button>
-          </form>
-          <form action={async () => {
-            "use server";
-            await triggerSimpleTask("Longer test run", 15);
-          }}>
-            <Button type="submit" variant="secondary">Run (15s)</Button>
-          </form>
-        </Card>
-
-        {/* useRealtimeRunWithStreams */}
-        <Card title="useRealtimeRunWithStreams" description="Run subscription with streams">
-          <div className="grid grid-cols-1 gap-2">
-            <form action={async () => {
-              "use server";
-              await triggerStreamTask("text", 20);
-            }}>
-              <Button type="submit" variant="outline">Text Stream</Button>
-            </form>
-            <form action={async () => {
-              "use server";
-              await triggerStreamTask("json", 20);
-            }}>
-              <Button type="submit" variant="outline">JSON Stream</Button>
-            </form>
-            <form action={async () => {
-              "use server";
-              await triggerStreamTask("mixed", 30);
-            }}>
-              <Button type="submit" variant="outline">Mixed Streams</Button>
-            </form>
-          </div>
-        </Card>
-
-        {/* useRealtimeRunsWithTag */}
-        <Card title="useRealtimeRunsWithTag" description="Subscribe to runs by tag">
-          <form action={async () => {
-            "use server";
-            await triggerTaggedTask("user-123", "process-order", ["order-processing", "user-123"]);
-          }}>
-            <Button type="submit" className="border-l-4 border-l-emerald-500">Tag: order-processing</Button>
-          </form>
-          <form action={async () => {
-            "use server";
-            await triggerTaggedTask("user-456", "send-email", ["notifications", "user-456"]);
-          }}>
-            <Button type="submit" className="border-l-4 border-l-blue-500" variant="secondary">Tag: notifications</Button>
-          </form>
-        </Card>
-
-        {/* useRealtimeBatch */}
-        <Card title="useRealtimeBatch" description="Batch run monitoring">
-          <div className="grid grid-cols-3 gap-2">
-            <form action={async () => {
-              "use server";
-              await triggerBatchTasks(5);
-            }}>
-              <Button type="submit" variant="outline">5</Button>
-            </form>
-            <form action={async () => {
-              "use server";
-              await triggerBatchTasks(10);
-            }}>
-              <Button type="submit" variant="outline">10</Button>
-            </form>
-            <form action={async () => {
-              "use server";
-              await triggerBatchTasks(20);
-            }}>
-              <Button type="submit" variant="outline">20</Button>
-            </form>
-          </div>
-        </Card>
-
-        {/* useRealtimeStream */}
-        <Card title="useRealtimeStream" description="Direct stream subscription">
-          <form action={async () => {
-            "use server";
-            await triggerStreamOnlyTask();
-          }}>
-            <Button type="submit" className="bg-indigo-600 hover:bg-indigo-700 text-white">Start Stream</Button>
-          </form>
-        </Card>
-      </div>
-
-      <div className="rounded-lg bg-secondary/50 p-4 text-sm text-muted-foreground font-mono">
-        <p>Test environment ready. Click any trigger to start a session.</p>
-      </div>
-    </div>
-  );
-}
diff --git a/references/realtime-hooks-test/src/app/run-with-streams/[id]/page.tsx b/references/realtime-hooks-test/src/app/run-with-streams/[id]/page.tsx
deleted file mode 100644
index b3c9d8f94b2..00000000000
--- a/references/realtime-hooks-test/src/app/run-with-streams/[id]/page.tsx
+++ /dev/null
@@ -1,28 +0,0 @@
-import { RunWithStreamsViewer } from "@/components/run-with-streams-viewer";
-
-type PageProps = {
-  params: Promise<{ id: string }>;
-  searchParams: Promise<{ accessToken: string }>;
-};
-
-export default async function RunWithStreamsPage({ params, searchParams }: PageProps) {
-  const { id } = await params;
-  const { accessToken } = await searchParams;
-
-  return (
-    <div className="space-y-6">
-      <div>
-        <a href="/" className="text-blue-500 hover:text-blue-600 text-sm mb-4 inline-block">
-          ← Back to Home
-        </a>
-        <h1 className="text-3xl font-bold mb-2">useRealtimeRunWithStreams Test</h1>
-        <p className="text-gray-600">
-          Monitoring a task run with multiple real-time streams
-        </p>
-      </div>
-
-      <RunWithStreamsViewer runId={id} accessToken={accessToken} />
-    </div>
-  );
-}
-
diff --git a/references/realtime-hooks-test/src/app/run/[id]/page.tsx b/references/realtime-hooks-test/src/app/run/[id]/page.tsx
deleted file mode 100644
index 06ec1e05cdc..00000000000
--- a/references/realtime-hooks-test/src/app/run/[id]/page.tsx
+++ /dev/null
@@ -1,28 +0,0 @@
-import { RunViewer } from "@/components/run-viewer";
-
-type PageProps = {
-  params: Promise<{ id: string }>;
-  searchParams: Promise<{ accessToken: string }>;
-};
-
-export default async function RunPage({ params, searchParams }: PageProps) {
-  const { id } = await params;
-  const { accessToken } = await searchParams;
-
-  return (
-    <div className="space-y-6">
-      <div>
-        <a href="/" className="text-blue-500 hover:text-blue-600 text-sm mb-4 inline-block">
-          ← Back to Home
-        </a>
-        <h1 className="text-3xl font-bold mb-2">useRealtimeRun Test</h1>
-        <p className="text-gray-600">
-          Monitoring a single task run with real-time updates
-        </p>
-      </div>
-
-      <RunViewer runId={id} accessToken={accessToken} />
-    </div>
-  );
-}
-
diff --git a/references/realtime-hooks-test/src/app/runs-with-tag/[tag]/page.tsx b/references/realtime-hooks-test/src/app/runs-with-tag/[tag]/page.tsx
deleted file mode 100644
index 41be79162b9..00000000000
--- a/references/realtime-hooks-test/src/app/runs-with-tag/[tag]/page.tsx
+++ /dev/null
@@ -1,34 +0,0 @@
-import { RunsWithTagViewer } from "@/components/runs-with-tag-viewer";
-
-type PageProps = {
-  params: Promise<{ tag: string }>;
-  searchParams: Promise<{ accessToken: string }>;
-};
-
-export default async function RunsWithTagPage({ params, searchParams }: PageProps) {
-  const { tag } = await params;
-  const { accessToken } = await searchParams;
-
-  return (
-    <div className="space-y-6">
-      <div>
-        <a href="/" className="text-blue-500 hover:text-blue-600 text-sm mb-4 inline-block">
-          ← Back to Home
-        </a>
-        <h1 className="text-3xl font-bold mb-2">useRealtimeRunsWithTag Test</h1>
-        <p className="text-gray-600">
-          Monitoring all runs with tag: <code className="bg-gray-100 px-2 py-1 rounded">{tag}</code>
-        </p>
-      </div>
-
-      <RunsWithTagViewer tag={tag} accessToken={accessToken} />
-
-      <div className="bg-blue-50 border border-blue-200 rounded-lg p-4">
-        <p className="text-sm text-blue-800">
-          <strong>Tip:</strong> Trigger more tasks with this tag from the home page to see them appear here in real-time!
-        </p>
-      </div>
-    </div>
-  );
-}
-
diff --git a/references/realtime-hooks-test/src/app/stream/[id]/page.tsx b/references/realtime-hooks-test/src/app/stream/[id]/page.tsx
deleted file mode 100644
index bbdf929e605..00000000000
--- a/references/realtime-hooks-test/src/app/stream/[id]/page.tsx
+++ /dev/null
@@ -1,28 +0,0 @@
-import { StreamViewer } from "@/components/stream-viewer";
-
-type PageProps = {
-  params: Promise<{ id: string }>;
-  searchParams: Promise<{ accessToken: string }>;
-};
-
-export default async function StreamPage({ params, searchParams }: PageProps) {
-  const { id } = await params;
-  const { accessToken } = await searchParams;
-
-  return (
-    <div className="space-y-6">
-      <div>
-        <a href="/" className="text-blue-500 hover:text-blue-600 text-sm mb-4 inline-block">
-          ← Back to Home
-        </a>
-        <h1 className="text-3xl font-bold mb-2">useRealtimeStream Test</h1>
-        <p className="text-gray-600">
-          Subscribing to a specific stream with real-time chunk delivery
-        </p>
-      </div>
-
-      <StreamViewer runId={id} accessToken={accessToken} />
-    </div>
-  );
-}
-
diff --git a/references/realtime-hooks-test/src/components/batch-viewer.tsx b/references/realtime-hooks-test/src/components/batch-viewer.tsx
deleted file mode 100644
index 3967a47b2ec..00000000000
--- a/references/realtime-hooks-test/src/components/batch-viewer.tsx
+++ /dev/null
@@ -1,125 +0,0 @@
-"use client";
-
-import { useRealtimeBatch } from "@trigger.dev/react-hooks";
-import type { batchItemTask } from "@/trigger/batch-task";
-
-type BatchViewerProps = {
-  batchId: string;
-  accessToken: string;
-};
-
-function StatusDot({ status }: { status: string }) {
-    const colors = {
-      COMPLETED: "bg-emerald-500",
-      EXECUTING: "bg-blue-500 animate-pulse",
-      FAILED: "bg-red-500",
-      PENDING: "bg-zinc-500",
-      QUEUED: "bg-yellow-500",
-    };
-    const color = colors[status as keyof typeof colors] || colors.PENDING;
-    return <div className={`w-2 h-2 rounded-full ${color}`} title={status} />;
-  }
-
-export function BatchViewer({ batchId, accessToken }: BatchViewerProps) {
-  const { runs, error, stop } = useRealtimeBatch<typeof batchItemTask>(batchId, {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-  });
-
-  if (error) {
-    return (
-      <div className="rounded-md bg-destructive/15 p-4 text-sm text-destructive border border-destructive/20">
-        <div className="font-semibold">Connection Error</div>
-        <div>{error.message}</div>
-      </div>
-    );
-  }
-
-  const totalRuns = runs.length;
-  const completedRuns = runs.filter((r) => r.status === "COMPLETED").length;
-  const batchProgress = totalRuns > 0 ? completedRuns / totalRuns : 0;
-
-  return (
-    <div className="space-y-6">
-      {/* Header */}
-      <div className="bg-card border border-border rounded-lg p-6 space-y-6">
-        <div className="flex justify-between items-start">
-           <div>
-             <h2 className="text-lg font-semibold mb-1">Batch Progress</h2>
-             <p className="text-sm text-muted-foreground font-mono">{batchId}</p>
-           </div>
-           <button
-            onClick={() => stop()}
-            className="px-3 py-1 text-xs font-medium bg-secondary hover:bg-secondary/80 text-secondary-foreground rounded-md transition-colors"
-            >
-            Stop Subscription
-            </button>
-        </div>
-
-        <div className="space-y-2">
-           <div className="flex justify-between text-sm">
-              <span className="text-muted-foreground">Completion</span>
-              <span className="font-mono font-medium">{completedRuns} / {totalRuns}</span>
-           </div>
-           <div className="h-2 bg-secondary rounded-full overflow-hidden">
-              <div 
-                className="h-full bg-primary transition-all duration-300 ease-out"
-                style={{ width: `${batchProgress * 100}%` }}
-              />
-           </div>
-        </div>
-      </div>
-
-      {/* Runs Grid */}
-      <div className="bg-card border border-border rounded-lg overflow-hidden">
-         <div className="px-4 py-3 border-b border-border bg-secondary/30 text-xs font-medium text-muted-foreground uppercase tracking-wider flex justify-between items-center">
-            <span>Items</span>
-            <span className="font-mono">{runs.length} Tasks</span>
-         </div>
-         <div className="divide-y divide-border/50 max-h-[600px] overflow-y-auto">
-            {runs.length === 0 ? (
-                <div className="p-8 text-center text-muted-foreground text-sm">
-                  Waiting for batch runs...
-                </div>
-            ) : (
-                runs.map((run) => {
-                    const progress = (run.metadata as any)?.progress || 0;
-                    const itemId = (run.metadata as any)?.itemId || "Item";
-                    const inputValue = (run.metadata as any)?.inputValue;
-                    const result = (run.output as any)?.result;
-
-                    return (
-                        <div key={run.id} className="p-4 hover:bg-secondary/20 transition-colors grid grid-cols-12 gap-4 items-center">
-                            <div className="col-span-1 flex justify-center">
-                                <StatusDot status={run.status} />
-                            </div>
-                            <div className="col-span-3">
-                                <div className="font-medium text-sm">{itemId}</div>
-                                <div className="text-xs text-muted-foreground font-mono">{run.id.slice(-8)}</div>
-                            </div>
-                            <div className="col-span-4">
-                                <div className="flex items-center gap-2">
-                                    <div className="flex-1 h-1.5 bg-secondary rounded-full overflow-hidden">
-                                        <div 
-                                            className={`h-full rounded-full transition-all duration-300 ${run.status === 'FAILED' ? 'bg-destructive' : 'bg-primary'}`}
-                                            style={{ width: `${(run.status === 'COMPLETED' ? 1 : progress) * 100}%` }}
-                                        />
-                                    </div>
-                                </div>
-                            </div>
-                            <div className="col-span-4 text-right font-mono text-sm">
-                                {result !== undefined ? (
-                                    <span className="text-emerald-500">Result: {result}</span>
-                                ) : (
-                                    <span className="text-muted-foreground">Input: {inputValue}</span>
-                                )}
-                            </div>
-                        </div>
-                    )
-                })
-            )}
-         </div>
-      </div>
-    </div>
-  );
-}
diff --git a/references/realtime-hooks-test/src/components/run-viewer.tsx b/references/realtime-hooks-test/src/components/run-viewer.tsx
deleted file mode 100644
index 3844d615422..00000000000
--- a/references/realtime-hooks-test/src/components/run-viewer.tsx
+++ /dev/null
@@ -1,150 +0,0 @@
-"use client";
-
-import { useRealtimeRun } from "@trigger.dev/react-hooks";
-import type { simpleTask } from "@/trigger/simple-task";
-import { useState } from "react";
-
-type RunViewerProps = {
-  runId: string;
-  accessToken: string;
-};
-
-function StatusBadge({ status }: { status: string }) {
-  const colors = {
-    COMPLETED: "bg-emerald-500/15 text-emerald-500 border-emerald-500/20",
-    EXECUTING: "bg-blue-500/15 text-blue-500 border-blue-500/20",
-    FAILED: "bg-red-500/15 text-red-500 border-red-500/20",
-    PENDING: "bg-zinc-500/15 text-zinc-500 border-zinc-500/20",
-    QUEUED: "bg-yellow-500/15 text-yellow-500 border-yellow-500/20",
-  };
-  
-  const colorClass = colors[status as keyof typeof colors] || colors.PENDING;
-  
-  return (
-    <span className={`px-2.5 py-0.5 rounded-full text-xs font-medium border ${colorClass}`}>
-      {status}
-    </span>
-  );
-}
-
-function CodeBlock({ label, data }: { label: string, data: any }) {
-  if (!data) return null;
-  return (
-    <div className="space-y-1">
-      <p className="text-xs font-medium text-muted-foreground uppercase tracking-wider">{label}</p>
-      <pre className="bg-secondary/50 border border-border rounded-md p-3 text-xs overflow-x-auto font-mono text-foreground/90">
-        {JSON.stringify(data, null, 2)}
-      </pre>
-    </div>
-  );
-}
-
-export function RunViewer({ runId, accessToken }: RunViewerProps) {
-  const [stopOnCompletion, setStopOnCompletion] = useState(true);
-
-  const { run, error, stop } = useRealtimeRun<typeof simpleTask>(runId, {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-    stopOnCompletion,
-  });
-
-  if (error) {
-    return (
-      <div className="rounded-md bg-destructive/15 p-4 text-sm text-destructive border border-destructive/20">
-        <div className="font-semibold">Connection Error</div>
-        <div>{error.message}</div>
-      </div>
-    );
-  }
-
-  if (!run) {
-    return (
-      <div className="animate-pulse space-y-4">
-        <div className="h-8 bg-secondary rounded w-1/3"></div>
-        <div className="h-32 bg-secondary rounded"></div>
-      </div>
-    );
-  }
-
-  const progress = (run.metadata as any)?.progress || 0;
-  const currentStep = (run.metadata as any)?.currentStep || 0;
-  const totalSteps = (run.metadata as any)?.totalSteps || 0;
-
-  return (
-    <div className="space-y-6">
-      {/* Header Bar */}
-      <div className="flex items-center justify-between p-4 bg-card border border-border rounded-lg">
-        <div className="flex items-center gap-4">
-          <StatusBadge status={run.status} />
-          <div className="font-mono text-sm text-muted-foreground">{run.id}</div>
-        </div>
-        <div className="flex items-center gap-3">
-          <label className="flex items-center gap-2 text-sm text-muted-foreground cursor-pointer hover:text-foreground transition-colors">
-            <input
-              type="checkbox"
-              checked={stopOnCompletion}
-              onChange={(e) => setStopOnCompletion(e.target.checked)}
-              className="rounded border-input bg-background text-primary focus:ring-ring"
-            />
-            <span>Stop on completion</span>
-          </label>
-          <button
-            onClick={() => stop()}
-            className="px-3 py-1 text-xs font-medium bg-secondary hover:bg-secondary/80 text-secondary-foreground rounded-md transition-colors"
-          >
-            Disconnect
-          </button>
-        </div>
-      </div>
-
-      {/* Progress Section */}
-      <div className="bg-card border border-border rounded-lg p-6 space-y-4">
-        <div className="flex justify-between items-end">
-          <div>
-            <h3 className="text-lg font-semibold">Task Progress</h3>
-            <p className="text-sm text-muted-foreground">
-              Step {currentStep} of {totalSteps}
-            </p>
-          </div>
-          <div className="text-2xl font-mono font-bold text-primary">
-            {Math.round(progress * 100)}%
-          </div>
-        </div>
-        <div className="h-2 bg-secondary rounded-full overflow-hidden">
-          <div
-            className="h-full bg-primary transition-all duration-500 ease-out"
-            style={{ width: `${progress * 100}%` }}
-          />
-        </div>
-      </div>
-
-      {/* Data Grid */}
-      <div className="grid grid-cols-1 md:grid-cols-2 gap-6">
-        <div className="bg-card border border-border rounded-lg p-6 space-y-4">
-          <h3 className="font-semibold">Metadata</h3>
-          <div className="space-y-3">
-            {Object.entries(run.metadata || {}).map(([key, value]) => (
-              <div key={key} className="flex justify-between items-center py-2 border-b border-border/50 last:border-0">
-                <span className="text-sm text-muted-foreground font-mono">{key}</span>
-                <span className="text-sm font-medium font-mono">
-                   {typeof value === 'object' ? JSON.stringify(value) : String(value)}
-                </span>
-              </div>
-            ))}
-          </div>
-        </div>
-
-        <div className="space-y-6">
-          <CodeBlock label="Payload" data={run.payload} />
-          <CodeBlock label="Output" data={run.output} />
-          {run.error && (
-            <div className="rounded-md bg-destructive/10 border border-destructive/20 p-4">
-               <p className="text-sm font-medium text-destructive mb-2">Error: {run.error.name}</p>
-               <p className="text-sm text-destructive/90 font-mono whitespace-pre-wrap">{run.error.message}</p>
-            </div>
-          )}
-        </div>
-      </div>
-    </div>
-  );
-}
diff --git a/references/realtime-hooks-test/src/components/run-with-streams-viewer.tsx b/references/realtime-hooks-test/src/components/run-with-streams-viewer.tsx
deleted file mode 100644
index bb4022bf99c..00000000000
--- a/references/realtime-hooks-test/src/components/run-with-streams-viewer.tsx
+++ /dev/null
@@ -1,133 +0,0 @@
-"use client";
-
-import { useRealtimeRunWithStreams } from "@trigger.dev/react-hooks";
-import type { streamTask } from "@/trigger/stream-task";
-import { useState } from "react";
-
-type StreamResults = {
-  text: string[];
-  data: Array<{ step: number; data: string; timestamp: number }>;
-};
-
-type RunWithStreamsViewerProps = {
-  runId: string;
-  accessToken: string;
-};
-
-export function RunWithStreamsViewer({ runId, accessToken }: RunWithStreamsViewerProps) {
-  const { run, streams, error, stop } = useRealtimeRunWithStreams<
-    typeof streamTask,
-    StreamResults
-  >(runId, {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-    throttleInMs: 50,
-  });
-
-  if (error) {
-    return (
-      <div className="rounded-md bg-destructive/15 p-4 text-sm text-destructive border border-destructive/20">
-        <div className="font-semibold">Connection Error</div>
-        <div>{error.message}</div>
-      </div>
-    );
-  }
-
-  if (!run) {
-    return (
-      <div className="animate-pulse space-y-4">
-        <div className="h-8 bg-secondary rounded w-1/3"></div>
-        <div className="grid grid-cols-2 gap-4">
-           <div className="h-64 bg-secondary rounded"></div>
-           <div className="h-64 bg-secondary rounded"></div>
-        </div>
-      </div>
-    );
-  }
-
-  const textStream = streams.text || [];
-  const dataStream = streams.data || [];
-
-  return (
-    <div className="space-y-6 h-[calc(100vh-120px)] flex flex-col">
-      {/* Header */}
-      <div className="flex items-center justify-between p-4 bg-card border border-border rounded-lg flex-shrink-0">
-        <div className="flex items-center gap-4">
-          <div className="flex flex-col">
-            <span className="text-xs text-muted-foreground uppercase tracking-wider">Status</span>
-            <span className={`font-mono text-sm font-medium ${
-              run.status === 'COMPLETED' ? 'text-emerald-500' : 
-              run.status === 'EXECUTING' ? 'text-blue-500' : 'text-zinc-500'
-            }`}>
-              {run.status}
-            </span>
-          </div>
-          <div className="w-px h-8 bg-border"></div>
-          <div className="flex flex-col">
-             <span className="text-xs text-muted-foreground uppercase tracking-wider">Run ID</span>
-             <span className="font-mono text-sm">{run.id}</span>
-          </div>
-        </div>
-        <button
-          onClick={() => stop()}
-          className="px-3 py-1 text-xs font-medium bg-secondary hover:bg-secondary/80 text-secondary-foreground rounded-md transition-colors"
-        >
-          Stop Subscription
-        </button>
-      </div>
-
-      {/* Streams Split View */}
-      <div className="grid grid-cols-1 md:grid-cols-2 gap-6 flex-1 min-h-0">
-        {/* Text Stream Panel */}
-        <div className="bg-card border border-border rounded-lg flex flex-col overflow-hidden">
-          <div className="px-4 py-3 border-b border-border bg-secondary/30 flex justify-between items-center">
-            <h3 className="font-medium text-sm flex items-center gap-2">
-              <span className="w-2 h-2 rounded-full bg-blue-500"></span>
-              Text Stream
-            </h3>
-            <span className="text-xs text-muted-foreground font-mono">{textStream.length} chunks</span>
-          </div>
-          <div className="flex-1 p-4 overflow-y-auto bg-background/50 font-mono text-sm whitespace-pre-wrap">
-            {textStream.join("") || <span className="text-muted-foreground italic">Waiting for data...</span>}
-          </div>
-        </div>
-
-        {/* Data Stream Panel */}
-        <div className="bg-card border border-border rounded-lg flex flex-col overflow-hidden">
-          <div className="px-4 py-3 border-b border-border bg-secondary/30 flex justify-between items-center">
-            <h3 className="font-medium text-sm flex items-center gap-2">
-              <span className="w-2 h-2 rounded-full bg-purple-500"></span>
-              Data Stream
-            </h3>
-            <span className="text-xs text-muted-foreground font-mono">{dataStream.length} items</span>
-          </div>
-          <div className="flex-1 p-0 overflow-y-auto bg-background/50">
-            <div className="divide-y divide-border/50">
-              {dataStream.length === 0 && (
-                <div className="p-4 text-muted-foreground italic text-sm">Waiting for data...</div>
-              )}
-              {dataStream.map((item, index) => (
-                <div key={index} className="p-3 hover:bg-secondary/30 transition-colors font-mono text-xs">
-                  <div className="flex justify-between text-muted-foreground mb-1">
-                    <span>Step {item.step}</span>
-                    <span>{new Date(item.timestamp).toLocaleTimeString()}</span>
-                  </div>
-                  <div className="text-foreground">{item.data}</div>
-                </div>
-              ))}
-            </div>
-          </div>
-        </div>
-      </div>
-      
-      {run.output && (
-        <div className="bg-card border border-border rounded-lg p-4 flex-shrink-0">
-          <div className="text-xs font-medium text-muted-foreground mb-2 uppercase tracking-wider">Task Output</div>
-          <pre className="text-xs font-mono overflow-x-auto">
-            {JSON.stringify(run.output, null, 2)}
-          </pre>
-        </div>
-      )}
-    </div>
-  );
-}
diff --git a/references/realtime-hooks-test/src/components/runs-with-tag-viewer.tsx b/references/realtime-hooks-test/src/components/runs-with-tag-viewer.tsx
deleted file mode 100644
index c37bae704f8..00000000000
--- a/references/realtime-hooks-test/src/components/runs-with-tag-viewer.tsx
+++ /dev/null
@@ -1,156 +0,0 @@
-"use client";
-
-import { useRealtimeRunsWithTag } from "@trigger.dev/react-hooks";
-import type { taggedTask } from "@/trigger/tagged-task";
-
-type RunsWithTagViewerProps = {
-  tag: string;
-  accessToken: string;
-};
-
-function StatusDot({ status }: { status: string }) {
-  const colors = {
-    COMPLETED: "bg-emerald-500",
-    EXECUTING: "bg-blue-500 animate-pulse",
-    FAILED: "bg-red-500",
-    PENDING: "bg-zinc-500",
-    QUEUED: "bg-yellow-500",
-  };
-  const color = colors[status as keyof typeof colors] || colors.PENDING;
-  return <div className={`w-2 h-2 rounded-full ${color}`} title={status} />;
-}
-
-export function RunsWithTagViewer({ tag, accessToken }: RunsWithTagViewerProps) {
-  const { runs, error, stop } = useRealtimeRunsWithTag<typeof taggedTask>([tag], {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-    createdAt: "1h",
-  });
-
-  if (error) {
-    return (
-      <div className="rounded-md bg-destructive/15 p-4 text-sm text-destructive border border-destructive/20">
-        <div className="font-semibold">Connection Error</div>
-        <div>{error.message}</div>
-      </div>
-    );
-  }
-
-  const stats = {
-    total: runs.length,
-    executing: runs.filter((r) => r.status === "EXECUTING").length,
-    completed: runs.filter((r) => r.status === "COMPLETED").length,
-    failed: runs.filter((r) => r.status === "FAILED").length,
-  };
-
-  return (
-    <div className="space-y-6">
-      {/* Header & Stats */}
-      <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-4 gap-4">
-        <div className="bg-card border border-border p-4 rounded-lg">
-          <div className="text-xs text-muted-foreground uppercase tracking-wider mb-1">
-            Total Runs
-          </div>
-          <div className="text-2xl font-mono font-bold">{stats.total}</div>
-        </div>
-        <div className="bg-card border border-border p-4 rounded-lg">
-          <div className="text-xs text-muted-foreground uppercase tracking-wider mb-1 text-blue-500">
-            Executing
-          </div>
-          <div className="text-2xl font-mono font-bold text-blue-500">{stats.executing}</div>
-        </div>
-        <div className="bg-card border border-border p-4 rounded-lg">
-          <div className="text-xs text-muted-foreground uppercase tracking-wider mb-1 text-emerald-500">
-            Completed
-          </div>
-          <div className="text-2xl font-mono font-bold text-emerald-500">{stats.completed}</div>
-        </div>
-        <div className="bg-card border border-border p-4 rounded-lg">
-          <div className="text-xs text-muted-foreground uppercase tracking-wider mb-1 text-red-500">
-            Failed
-          </div>
-          <div className="text-2xl font-mono font-bold text-red-500">{stats.failed}</div>
-        </div>
-      </div>
-
-      {/* Controls */}
-      <div className="flex justify-between items-center">
-        <div className="flex items-center gap-2 text-sm text-muted-foreground">
-          <span>Watching tag:</span>
-          <span className="px-2 py-0.5 bg-secondary text-secondary-foreground rounded font-mono text-xs">
-            {tag}
-          </span>
-        </div>
-        <button
-          onClick={() => stop()}
-          className="px-3 py-1 text-xs font-medium bg-secondary hover:bg-secondary/80 text-secondary-foreground rounded-md transition-colors"
-        >
-          Stop Subscription
-        </button>
-      </div>
-
-      {/* Runs List */}
-      <div className="bg-card border border-border rounded-lg overflow-hidden">
-        <div className="grid grid-cols-12 gap-4 px-4 py-3 border-b border-border bg-secondary/30 text-xs font-medium text-muted-foreground uppercase tracking-wider">
-          <div className="col-span-1 text-center">Status</div>
-          <div className="col-span-4">Run ID</div>
-          <div className="col-span-3">User / Action</div>
-          <div className="col-span-2">Progress</div>
-          <div className="col-span-2 text-right">Age</div>
-        </div>
-
-        <div className="divide-y divide-border/50 max-h-[600px] overflow-y-auto">
-          {runs.length === 0 ? (
-            <div className="p-8 text-center text-muted-foreground text-sm">
-              No runs found with tag "{tag}" in the last hour
-            </div>
-          ) : (
-            runs.map((run) => {
-              const progress = (run.metadata as any)?.progress || 0;
-              const userId = (run.metadata as any)?.userId || "-";
-              const action = (run.metadata as any)?.action || "-";
-
-              return (
-                <div
-                  key={run.id}
-                  className="grid grid-cols-12 gap-4 px-4 py-3 text-sm hover:bg-secondary/20 transition-colors items-center"
-                >
-                  <div className="col-span-1 flex justify-center">
-                    <StatusDot status={run.status} />
-                  </div>
-                  <div
-                    className="col-span-4 font-mono text-xs text-muted-foreground truncate"
-                    title={run.id}
-                  >
-                    {run.id}
-                  </div>
-                  <div className="col-span-3 truncate text-xs">
-                    <span className="text-foreground font-medium">{userId}</span>
-                    <span className="text-muted-foreground mx-1">/</span>
-                    <span className="text-muted-foreground">{action}</span>
-                  </div>
-                  <div className="col-span-2">
-                    <div className="flex items-center gap-2">
-                      <div className="flex-1 h-1.5 bg-secondary rounded-full overflow-hidden">
-                        <div
-                          className="h-full bg-primary rounded-full transition-all duration-500"
-                          style={{ width: `${progress * 100}%` }}
-                        />
-                      </div>
-                      <span className="text-xs font-mono w-8 text-right">
-                        {Math.round(progress * 100)}%
-                      </span>
-                    </div>
-                  </div>
-                  <div className="col-span-2 text-right font-mono text-xs text-muted-foreground">
-                    {run.createdAt ? new Date(run.createdAt).toLocaleTimeString() : "-"}
-                  </div>
-                </div>
-              );
-            })
-          )}
-        </div>
-      </div>
-    </div>
-  );
-}
diff --git a/references/realtime-hooks-test/src/components/stream-viewer.tsx b/references/realtime-hooks-test/src/components/stream-viewer.tsx
deleted file mode 100644
index cad46a9c5ce..00000000000
--- a/references/realtime-hooks-test/src/components/stream-viewer.tsx
+++ /dev/null
@@ -1,136 +0,0 @@
-"use client";
-
-import { useRealtimeStream } from "@trigger.dev/react-hooks";
-import { textStream } from "@/trigger/streams";
-import { useState, useEffect, useRef } from "react";
-
-type StreamViewerProps = {
-  runId: string;
-  accessToken: string;
-};
-
-export function StreamViewer({ runId, accessToken }: StreamViewerProps) {
-  const [chunkLog, setChunkLog] = useState<Array<{ chunk: string; timestamp: number }>>([]);
-  const scrollRef = useRef<HTMLDivElement>(null);
-
-  const { parts, error, stop } = useRealtimeStream(textStream, runId, {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-    throttleInMs: 50,
-    timeoutInSeconds: 120,
-    onData: (chunk) => {
-      setChunkLog((prev) => [...prev, { chunk, timestamp: Date.now() }]);
-    },
-  });
-
-  // Auto-scroll to bottom
-  useEffect(() => {
-    if (scrollRef.current) {
-      scrollRef.current.scrollTop = scrollRef.current.scrollHeight;
-    }
-  }, [parts]);
-
-  if (error) {
-    return (
-      <div className="rounded-md bg-destructive/15 p-4 text-sm text-destructive border border-destructive/20">
-        <div className="font-semibold">Connection Error</div>
-        <div>{error.message}</div>
-      </div>
-    );
-  }
-
-  const fullText = parts.join("");
-
-  return (
-    <div className="space-y-6 h-[calc(100vh-120px)] flex flex-col">
-      {/* Header */}
-      <div className="flex items-center justify-between p-4 bg-card border border-border rounded-lg flex-shrink-0">
-        <div className="space-y-1">
-          <h2 className="text-sm font-semibold">Stream Monitor</h2>
-          <div className="flex items-center gap-2 text-xs text-muted-foreground">
-            <span className="font-mono bg-secondary px-1.5 py-0.5 rounded text-secondary-foreground">
-              {runId}
-            </span>
-            <span>•</span>
-            <span>{parts.length} chunks</span>
-            <span>•</span>
-            <span>{fullText.length} chars</span>
-          </div>
-        </div>
-        <button
-          onClick={() => stop()}
-          className="px-3 py-1 text-xs font-medium bg-secondary hover:bg-secondary/80 text-secondary-foreground rounded-md transition-colors"
-        >
-          Stop Stream
-        </button>
-      </div>
-
-      <div className="grid grid-cols-1 lg:grid-cols-2 gap-6 flex-1 min-h-0">
-        {/* Main Output Console */}
-        <div className="bg-card border border-border rounded-lg flex flex-col overflow-hidden shadow-inner bg-[#0d0d0d]">
-          <div className="px-4 py-2 border-b border-border bg-secondary/20 text-xs font-mono text-muted-foreground flex justify-between">
-            <span>OUTPUT</span>
-            <span>UTF-8</span>
-          </div>
-          <div
-            ref={scrollRef}
-            className="flex-1 p-4 overflow-y-auto font-mono text-sm whitespace-pre-wrap text-foreground/90 leading-relaxed"
-          >
-            {fullText || (
-              <span className="text-muted-foreground/50 italic">Waiting for stream output...</span>
-            )}
-            {/* Cursor blink effect */}
-            <span className="inline-block w-2 h-4 ml-1 align-middle bg-primary animate-pulse"></span>
-          </div>
-        </div>
-
-        {/* Chunk Log Table */}
-        <div className="bg-card border border-border rounded-lg flex flex-col overflow-hidden">
-          <div className="px-4 py-2 border-b border-border bg-secondary/30 text-xs font-medium text-muted-foreground uppercase tracking-wider">
-            Packet Log
-          </div>
-          <div className="flex-1 overflow-y-auto">
-            <table className="w-full text-xs font-mono">
-              <thead className="bg-secondary/10 text-muted-foreground sticky top-0">
-                <tr>
-                  <th className="px-4 py-2 text-left font-medium w-24">Time</th>
-                  <th className="px-4 py-2 text-left font-medium">Chunk Preview</th>
-                  <th className="px-4 py-2 text-right font-medium w-16">Size</th>
-                </tr>
-              </thead>
-              <tbody className="divide-y divide-border/30">
-                {chunkLog.length === 0 ? (
-                  <tr>
-                    <td colSpan={3} className="px-4 py-8 text-center text-muted-foreground italic">
-                      No packets received
-                    </td>
-                  </tr>
-                ) : (
-                  chunkLog.map((log, i) => (
-                    <tr key={i} className="hover:bg-secondary/20 transition-colors">
-                      <td className="px-4 py-2 text-muted-foreground whitespace-nowrap">
-                        {new Date(log.timestamp).toLocaleTimeString().split(" ")[0]}.
-                        <span className="text-muted-foreground/60">
-                          {String(log.timestamp % 1000).padStart(3, "0")}
-                        </span>
-                      </td>
-                      <td
-                        className="px-4 py-2 text-primary/80 truncate max-w-[200px]"
-                        title={log.chunk}
-                      >
-                        {log.chunk.replace(/\n/g, "↵")}
-                      </td>
-                      <td className="px-4 py-2 text-right text-muted-foreground">
-                        {log.chunk.length}B
-                      </td>
-                    </tr>
-                  ))
-                )}
-              </tbody>
-            </table>
-          </div>
-        </div>
-      </div>
-    </div>
-  );
-}
diff --git a/references/realtime-hooks-test/src/trigger/batch-task.ts b/references/realtime-hooks-test/src/trigger/batch-task.ts
deleted file mode 100644
index fc44a6f24fc..00000000000
--- a/references/realtime-hooks-test/src/trigger/batch-task.ts
+++ /dev/null
@@ -1,48 +0,0 @@
-import { task, logger, metadata } from "@trigger.dev/sdk";
-import { setTimeout } from "timers/promises";
-
-export type BatchItemPayload = {
-  itemId: string;
-  value: number;
-};
-
-export type BatchItemOutput = {
-  itemId: string;
-  result: number;
-  processedAt: string;
-};
-
-export const batchItemTask = task({
-  id: "batch-item-task",
-  run: async (payload: BatchItemPayload) => {
-    logger.info("Processing batch item", payload);
-    
-    metadata.set("status", "processing");
-    metadata.set("itemId", payload.itemId);
-    metadata.set("inputValue", payload.value);
-
-    // Simulate processing with varying duration based on value
-    const duration = Math.floor(payload.value / 10) + 2; // 2-12 seconds
-    
-    for (let i = 0; i < duration; i++) {
-      await setTimeout(1000);
-      metadata.set("progress", (i + 1) / duration);
-    }
-
-    metadata.set("status", "completed");
-
-    // Calculate some result
-    const result = payload.value * 2;
-
-    const output: BatchItemOutput = {
-      itemId: payload.itemId,
-      result,
-      processedAt: new Date().toISOString(),
-    };
-
-    logger.info("Batch item completed", output);
-
-    return output;
-  },
-});
-
diff --git a/references/realtime-hooks-test/src/trigger/simple-task.ts b/references/realtime-hooks-test/src/trigger/simple-task.ts
deleted file mode 100644
index ccdaf7fe820..00000000000
--- a/references/realtime-hooks-test/src/trigger/simple-task.ts
+++ /dev/null
@@ -1,53 +0,0 @@
-import { task, logger, metadata } from "@trigger.dev/sdk";
-import { setTimeout } from "timers/promises";
-
-export type SimpleTaskPayload = {
-  message: string;
-  duration?: number;
-};
-
-export type SimpleTaskOutput = {
-  message: string;
-  completedAt: string;
-};
-
-export const simpleTask = task({
-  id: "simple-task",
-  run: async (payload: SimpleTaskPayload) => {
-    const duration = payload.duration || 10;
-    
-    logger.info("Starting simple task", { message: payload.message, duration });
-    
-    // Update metadata to track progress
-    metadata.set("status", "initializing");
-    metadata.set("progress", 0);
-
-    await setTimeout(1000);
-    metadata.set("status", "processing");
-    metadata.set("progress", 0.25);
-
-    // Simulate work
-    for (let i = 0; i < duration; i++) {
-      await setTimeout(1000);
-      const progress = ((i + 1) / duration) * 0.75 + 0.25;
-      metadata.set("progress", progress);
-      metadata.set("currentStep", i + 1);
-      metadata.set("totalSteps", duration);
-      
-      logger.info(`Processing step ${i + 1}/${duration}`);
-    }
-
-    metadata.set("status", "completed");
-    metadata.set("progress", 1);
-
-    const output: SimpleTaskOutput = {
-      message: `Processed: ${payload.message}`,
-      completedAt: new Date().toISOString(),
-    };
-
-    logger.info("Simple task completed", output);
-
-    return output;
-  },
-});
-
diff --git a/references/realtime-hooks-test/src/trigger/stream-task.ts b/references/realtime-hooks-test/src/trigger/stream-task.ts
deleted file mode 100644
index 355f0e51a9e..00000000000
--- a/references/realtime-hooks-test/src/trigger/stream-task.ts
+++ /dev/null
@@ -1,106 +0,0 @@
-import { task, logger, metadata, streams } from "@trigger.dev/sdk";
-import { setTimeout } from "timers/promises";
-import { dataStream, textStream } from "./streams";
-
-export type StreamTaskPayload = {
-  scenario: "text" | "json" | "mixed";
-  count?: number;
-};
-
-export type StreamTaskOutput = {
-  scenario: string;
-  totalChunks: number;
-};
-
-export const streamTask = task({
-  id: "stream-task",
-  run: async (payload: StreamTaskPayload) => {
-    const count = payload.count || 20;
-
-    logger.info("Starting stream task", { scenario: payload.scenario, count });
-
-    metadata.set("status", "streaming");
-    metadata.set("scenario", payload.scenario);
-
-    switch (payload.scenario) {
-      case "text": {
-        // Stream text chunks
-        const words = [
-          "The",
-          "quick",
-          "brown",
-          "fox",
-          "jumps",
-          "over",
-          "the",
-          "lazy",
-          "dog",
-          "while",
-          "demonstrating",
-          "real-time",
-          "streaming",
-          "capabilities",
-        ];
-
-        for (let i = 0; i < count; i++) {
-          await setTimeout(100);
-          await textStream.append(words[i % words.length] + " ");
-          metadata.set("progress", (i + 1) / count);
-        }
-
-        break;
-      }
-
-      case "json": {
-        // Stream structured data
-        for (let i = 0; i < count; i++) {
-          await setTimeout(100);
-          await dataStream.append({
-            step: i + 1,
-            data: `Processing item ${i + 1}`,
-            timestamp: Date.now(),
-          });
-          metadata.set("progress", (i + 1) / count);
-        }
-
-        break;
-      }
-
-      case "mixed": {
-        // Stream to both streams
-        const words = ["Alpha", "Beta", "Gamma", "Delta", "Epsilon"];
-
-        for (let i = 0; i < count; i++) {
-          await setTimeout(100);
-
-          // Alternate between streams
-          if (i % 2 === 0) {
-            await textStream.append(words[i % words.length] + " ");
-          } else {
-            await dataStream.append({
-              step: i + 1,
-              data: `Data point ${i + 1}`,
-              timestamp: Date.now(),
-            });
-          }
-
-          metadata.set("progress", (i + 1) / count);
-        }
-
-        break;
-      }
-    }
-
-    metadata.set("status", "completed");
-    metadata.set("progress", 1);
-
-    const output: StreamTaskOutput = {
-      scenario: payload.scenario,
-      totalChunks: count,
-    };
-
-    logger.info("Stream task completed", output);
-
-    return output;
-  },
-});
diff --git a/references/realtime-hooks-test/src/trigger/streams.ts b/references/realtime-hooks-test/src/trigger/streams.ts
deleted file mode 100644
index a0b46cfb203..00000000000
--- a/references/realtime-hooks-test/src/trigger/streams.ts
+++ /dev/null
@@ -1,9 +0,0 @@
-import { streams } from "@trigger.dev/sdk";
-
-export const textStream = streams.define<string>({
-  id: "text",
-});
-
-export const dataStream = streams.define<{ step: number; data: string; timestamp: number }>({
-  id: "data",
-});
diff --git a/references/realtime-hooks-test/src/trigger/tagged-task.ts b/references/realtime-hooks-test/src/trigger/tagged-task.ts
deleted file mode 100644
index e9f30f522fb..00000000000
--- a/references/realtime-hooks-test/src/trigger/tagged-task.ts
+++ /dev/null
@@ -1,45 +0,0 @@
-import { task, logger, metadata } from "@trigger.dev/sdk";
-import { setTimeout } from "timers/promises";
-
-export type TaggedTaskPayload = {
-  userId: string;
-  action: string;
-};
-
-export type TaggedTaskOutput = {
-  userId: string;
-  action: string;
-  processedAt: string;
-};
-
-export const taggedTask = task({
-  id: "tagged-task",
-  run: async (payload: TaggedTaskPayload) => {
-    logger.info("Starting tagged task", payload);
-    
-    metadata.set("status", "processing");
-    metadata.set("userId", payload.userId);
-    metadata.set("action", payload.action);
-
-    // Simulate some work
-    const steps = 5;
-    for (let i = 0; i < steps; i++) {
-      await setTimeout(1000);
-      metadata.set("progress", (i + 1) / steps);
-      logger.info(`Processing step ${i + 1}/${steps} for user ${payload.userId}`);
-    }
-
-    metadata.set("status", "completed");
-
-    const output: TaggedTaskOutput = {
-      userId: payload.userId,
-      action: payload.action,
-      processedAt: new Date().toISOString(),
-    };
-
-    logger.info("Tagged task completed", output);
-
-    return output;
-  },
-});
-
diff --git a/references/realtime-hooks-test/tailwind.config.ts b/references/realtime-hooks-test/tailwind.config.ts
deleted file mode 100644
index 91ca64310da..00000000000
--- a/references/realtime-hooks-test/tailwind.config.ts
+++ /dev/null
@@ -1,14 +0,0 @@
-import type { Config } from "tailwindcss";
-
-export default {
-  content: [
-    "./src/pages/**/*.{js,ts,jsx,tsx,mdx}",
-    "./src/components/**/*.{js,ts,jsx,tsx,mdx}",
-    "./src/app/**/*.{js,ts,jsx,tsx,mdx}",
-  ],
-  theme: {
-    extend: {},
-  },
-  plugins: [],
-} satisfies Config;
-
diff --git a/references/realtime-hooks-test/trigger.config.ts b/references/realtime-hooks-test/trigger.config.ts
deleted file mode 100644
index 7346fbeec01..00000000000
--- a/references/realtime-hooks-test/trigger.config.ts
+++ /dev/null
@@ -1,7 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk";
-
-export default defineConfig({
-  project: process.env.TRIGGER_PROJECT_REF!,
-  dirs: ["./src/trigger"],
-  maxDuration: 3600,
-});
diff --git a/references/realtime-hooks-test/tsconfig.json b/references/realtime-hooks-test/tsconfig.json
deleted file mode 100644
index 7f64e8882ae..00000000000
--- a/references/realtime-hooks-test/tsconfig.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2017",
-    "lib": ["dom", "dom.iterable", "esnext"],
-    "allowJs": true,
-    "skipLibCheck": true,
-    "strict": true,
-    "noEmit": true,
-    "esModuleInterop": true,
-    "module": "esnext",
-    "moduleResolution": "bundler",
-    "resolveJsonModule": true,
-    "isolatedModules": true,
-    "jsx": "preserve",
-    "incremental": true,
-    "plugins": [
-      {
-        "name": "next"
-      }
-    ],
-    "paths": {
-      "@/*": ["./src/*"]
-    }
-  },
-  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
-  "exclude": ["node_modules"]
-}
-
diff --git a/references/realtime-streams/.gitignore b/references/realtime-streams/.gitignore
deleted file mode 100644
index 5ef6a520780..00000000000
--- a/references/realtime-streams/.gitignore
+++ /dev/null
@@ -1,41 +0,0 @@
-# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
-
-# dependencies
-/node_modules
-/.pnp
-.pnp.*
-.yarn/*
-!.yarn/patches
-!.yarn/plugins
-!.yarn/releases
-!.yarn/versions
-
-# testing
-/coverage
-
-# next.js
-/.next/
-/out/
-
-# production
-/build
-
-# misc
-.DS_Store
-*.pem
-
-# debug
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-.pnpm-debug.log*
-
-# env files (can opt-in for committing if needed)
-.env*
-
-# vercel
-.vercel
-
-# typescript
-*.tsbuildinfo
-next-env.d.ts
diff --git a/references/realtime-streams/README.md b/references/realtime-streams/README.md
deleted file mode 100644
index e215bc4ccf1..00000000000
--- a/references/realtime-streams/README.md
+++ /dev/null
@@ -1,36 +0,0 @@
-This is a [Next.js](https://nextjs.org) project bootstrapped with [`create-next-app`](https://nextjs.org/docs/app/api-reference/cli/create-next-app).
-
-## Getting Started
-
-First, run the development server:
-
-```bash
-npm run dev
-# or
-yarn dev
-# or
-pnpm dev
-# or
-bun dev
-```
-
-Open [http://localhost:3000](http://localhost:3000) with your browser to see the result.
-
-You can start editing the page by modifying `app/page.tsx`. The page auto-updates as you edit the file.
-
-This project uses [`next/font`](https://nextjs.org/docs/app/building-your-application/optimizing/fonts) to automatically optimize and load [Geist](https://vercel.com/font), a new font family for Vercel.
-
-## Learn More
-
-To learn more about Next.js, take a look at the following resources:
-
-- [Next.js Documentation](https://nextjs.org/docs) - learn about Next.js features and API.
-- [Learn Next.js](https://nextjs.org/learn) - an interactive Next.js tutorial.
-
-You can check out [the Next.js GitHub repository](https://github.com/vercel/next.js) - your feedback and contributions are welcome!
-
-## Deploy on Vercel
-
-The easiest way to deploy your Next.js app is to use the [Vercel Platform](https://vercel.com/new?utm_medium=default-template&filter=next.js&utm_source=create-next-app&utm_campaign=create-next-app-readme) from the creators of Next.js.
-
-Check out our [Next.js deployment documentation](https://nextjs.org/docs/app/building-your-application/deploying) for more details.
diff --git a/references/realtime-streams/TESTING.md b/references/realtime-streams/TESTING.md
deleted file mode 100644
index 369ba36f3b9..00000000000
--- a/references/realtime-streams/TESTING.md
+++ /dev/null
@@ -1,74 +0,0 @@
-# Realtime Streams Testing Guide
-
-## Overview
-
-This app is set up to test Trigger.dev realtime streams with resume/reconnection functionality.
-
-## How It Works
-
-### 1. Home Page (`/`)
-
-- Displays buttons for different stream scenarios
-- Each button triggers a server action that:
-  1. Starts a new task run
-  2. Redirects to `/runs/[runId]?accessToken=xxx`
-
-### 2. Run Page (`/runs/[runId]`)
-
-- Displays the live stream for a specific run
-- Receives `runId` from URL path parameter
-- Receives `accessToken` from URL query parameter
-- Shows real-time streaming content using `useRealtimeRunWithStreams`
-
-## Testing Resume/Reconnection
-
-### Test Scenario 1: Page Refresh
-
-1. Click any stream button (e.g., "Markdown Stream")
-2. Watch the stream start
-3. **Refresh the page** (Cmd/Ctrl + R)
-4. The stream should reconnect and continue from where it left off
-
-### Test Scenario 2: Network Interruption
-
-1. Start a long-running stream (e.g., "Stall Stream")
-2. Open DevTools → Network tab
-3. Throttle to "Offline" briefly
-4. Return to "Online"
-5. Stream should recover and resume
-
-### Test Scenario 3: URL Navigation
-
-1. Start a stream
-2. Copy the URL
-3. Open in a new tab
-4. Both tabs should show the same stream state
-
-## Available Stream Scenarios
-
-- **Markdown Stream**: Fast streaming of formatted markdown (good for quick tests)
-- **Continuous Stream**: 45 seconds of continuous word streaming
-- **Burst Stream**: 10 bursts of rapid tokens with pauses
-- **Stall Stream**: 3-minute test with long pauses (tests timeout handling)
-- **Slow Steady Stream**: 5-minute slow stream (tests long connections)
-
-## What to Watch For
-
-1. **Resume functionality**: After refresh, does the stream continue or restart?
-2. **No duplicate data**: Reconnection should not repeat already-seen chunks
-3. **Console logs**: Check for `[MetadataStream]` logs showing resume behavior
-4. **Run status**: Status should update correctly (EXECUTING → COMPLETED)
-5. **Token count**: Final token count should be accurate (no missing chunks)
-
-## Debugging
-
-Check browser console for:
-
-- `[MetadataStream]` logs showing HEAD requests and resume logic
-- Network requests to `/realtime/v1/streams/...`
-- Any errors or warnings
-
-Check server logs for:
-
-- Stream ingestion logs
-- Resume header values (`X-Resume-From-Chunk`, `X-Last-Chunk-Index`)
diff --git a/references/realtime-streams/next.config.ts b/references/realtime-streams/next.config.ts
deleted file mode 100644
index e9ffa3083ad..00000000000
--- a/references/realtime-streams/next.config.ts
+++ /dev/null
@@ -1,7 +0,0 @@
-import type { NextConfig } from "next";
-
-const nextConfig: NextConfig = {
-  /* config options here */
-};
-
-export default nextConfig;
diff --git a/references/realtime-streams/package.json b/references/realtime-streams/package.json
deleted file mode 100644
index 965443153f3..00000000000
--- a/references/realtime-streams/package.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
-  "name": "references-realtime-streams",
-  "version": "0.1.0",
-  "private": true,
-  "scripts": {
-    "dev": "next dev --turbopack",
-    "build": "next build --turbopack",
-    "start": "next start",
-    "dev:trigger": "trigger dev",
-    "deploy": "trigger deploy"
-  },
-  "dependencies": {
-    "@ai-sdk/openai": "^2.0.53",
-    "@trigger.dev/react-hooks": "workspace:*",
-    "@trigger.dev/sdk": "workspace:*",
-    "ai": "^5.0.76",
-    "next": "15.5.6",
-    "react": "19.1.0",
-    "react-dom": "19.1.0",
-    "shiki": "^3.13.0",
-    "streamdown": "^1.4.0",
-    "zod": "3.25.76"
-  },
-  "devDependencies": {
-    "@tailwindcss/postcss": "^4",
-    "@types/node": "^20",
-    "@types/react": "^19",
-    "@types/react-dom": "^19",
-    "tailwindcss": "^4",
-    "trigger.dev": "workspace:*",
-    "typescript": "^5"
-  }
-}
\ No newline at end of file
diff --git a/references/realtime-streams/postcss.config.mjs b/references/realtime-streams/postcss.config.mjs
deleted file mode 100644
index c7bcb4b1ee1..00000000000
--- a/references/realtime-streams/postcss.config.mjs
+++ /dev/null
@@ -1,5 +0,0 @@
-const config = {
-  plugins: ["@tailwindcss/postcss"],
-};
-
-export default config;
diff --git a/references/realtime-streams/public/file.svg b/references/realtime-streams/public/file.svg
deleted file mode 100644
index 004145cddf3..00000000000
--- a/references/realtime-streams/public/file.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg fill="none" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg"><path d="M14.5 13.5V5.41a1 1 0 0 0-.3-.7L9.8.29A1 1 0 0 0 9.08 0H1.5v13.5A2.5 2.5 0 0 0 4 16h8a2.5 2.5 0 0 0 2.5-2.5m-1.5 0v-7H8v-5H3v12a1 1 0 0 0 1 1h8a1 1 0 0 0 1-1M9.5 5V2.12L12.38 5zM5.13 5h-.62v1.25h2.12V5zm-.62 3h7.12v1.25H4.5zm.62 3h-.62v1.25h7.12V11z" clip-rule="evenodd" fill="#666" fill-rule="evenodd"/></svg>
\ No newline at end of file
diff --git a/references/realtime-streams/public/globe.svg b/references/realtime-streams/public/globe.svg
deleted file mode 100644
index 567f17b0d7c..00000000000
--- a/references/realtime-streams/public/globe.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><g clip-path="url(#a)"><path fill-rule="evenodd" clip-rule="evenodd" d="M10.27 14.1a6.5 6.5 0 0 0 3.67-3.45q-1.24.21-2.7.34-.31 1.83-.97 3.1M8 16A8 8 0 1 0 8 0a8 8 0 0 0 0 16m.48-1.52a7 7 0 0 1-.96 0H7.5a4 4 0 0 1-.84-1.32q-.38-.89-.63-2.08a40 40 0 0 0 3.92 0q-.25 1.2-.63 2.08a4 4 0 0 1-.84 1.31zm2.94-4.76q1.66-.15 2.95-.43a7 7 0 0 0 0-2.58q-1.3-.27-2.95-.43a18 18 0 0 1 0 3.44m-1.27-3.54a17 17 0 0 1 0 3.64 39 39 0 0 1-4.3 0 17 17 0 0 1 0-3.64 39 39 0 0 1 4.3 0m1.1-1.17q1.45.13 2.69.34a6.5 6.5 0 0 0-3.67-3.44q.65 1.26.98 3.1M8.48 1.5l.01.02q.41.37.84 1.31.38.89.63 2.08a40 40 0 0 0-3.92 0q.25-1.2.63-2.08a4 4 0 0 1 .85-1.32 7 7 0 0 1 .96 0m-2.75.4a6.5 6.5 0 0 0-3.67 3.44 29 29 0 0 1 2.7-.34q.31-1.83.97-3.1M4.58 6.28q-1.66.16-2.95.43a7 7 0 0 0 0 2.58q1.3.27 2.95.43a18 18 0 0 1 0-3.44m.17 4.71q-1.45-.12-2.69-.34a6.5 6.5 0 0 0 3.67 3.44q-.65-1.27-.98-3.1" fill="#666"/></g><defs><clipPath id="a"><path fill="#fff" d="M0 0h16v16H0z"/></clipPath></defs></svg>
\ No newline at end of file
diff --git a/references/realtime-streams/public/next.svg b/references/realtime-streams/public/next.svg
deleted file mode 100644
index 5174b28c565..00000000000
--- a/references/realtime-streams/public/next.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 394 80"><path fill="#000" d="M262 0h68.5v12.7h-27.2v66.6h-13.6V12.7H262V0ZM149 0v12.7H94v20.4h44.3v12.6H94v21h55v12.6H80.5V0h68.7zm34.3 0h-17.8l63.8 79.4h17.9l-32-39.7 32-39.6h-17.9l-23 28.6-23-28.6zm18.3 56.7-9-11-27.1 33.7h17.8l18.3-22.7z"/><path fill="#000" d="M81 79.3 17 0H0v79.3h13.6V17l50.2 62.3H81Zm252.6-.4c-1 0-1.8-.4-2.5-1s-1.1-1.6-1.1-2.6.3-1.8 1-2.5 1.6-1 2.6-1 1.8.3 2.5 1a3.4 3.4 0 0 1 .6 4.3 3.7 3.7 0 0 1-3 1.8zm23.2-33.5h6v23.3c0 2.1-.4 4-1.3 5.5a9.1 9.1 0 0 1-3.8 3.5c-1.6.8-3.5 1.3-5.7 1.3-2 0-3.7-.4-5.3-1s-2.8-1.8-3.7-3.2c-.9-1.3-1.4-3-1.4-5h6c.1.8.3 1.6.7 2.2s1 1.2 1.6 1.5c.7.4 1.5.5 2.4.5 1 0 1.8-.2 2.4-.6a4 4 0 0 0 1.6-1.8c.3-.8.5-1.8.5-3V45.5zm30.9 9.1a4.4 4.4 0 0 0-2-3.3 7.5 7.5 0 0 0-4.3-1.1c-1.3 0-2.4.2-3.3.5-.9.4-1.6 1-2 1.6a3.5 3.5 0 0 0-.3 4c.3.5.7.9 1.3 1.2l1.8 1 2 .5 3.2.8c1.3.3 2.5.7 3.7 1.2a13 13 0 0 1 3.2 1.8 8.1 8.1 0 0 1 3 6.5c0 2-.5 3.7-1.5 5.1a10 10 0 0 1-4.4 3.5c-1.8.8-4.1 1.2-6.8 1.2-2.6 0-4.9-.4-6.8-1.2-2-.8-3.4-2-4.5-3.5a10 10 0 0 1-1.7-5.6h6a5 5 0 0 0 3.5 4.6c1 .4 2.2.6 3.4.6 1.3 0 2.5-.2 3.5-.6 1-.4 1.8-1 2.4-1.7a4 4 0 0 0 .8-2.4c0-.9-.2-1.6-.7-2.2a11 11 0 0 0-2.1-1.4l-3.2-1-3.8-1c-2.8-.7-5-1.7-6.6-3.2a7.2 7.2 0 0 1-2.4-5.7 8 8 0 0 1 1.7-5 10 10 0 0 1 4.3-3.5c2-.8 4-1.2 6.4-1.2 2.3 0 4.4.4 6.2 1.2 1.8.8 3.2 2 4.3 3.4 1 1.4 1.5 3 1.5 5h-5.8z"/></svg>
\ No newline at end of file
diff --git a/references/realtime-streams/public/vercel.svg b/references/realtime-streams/public/vercel.svg
deleted file mode 100644
index 77053960334..00000000000
--- a/references/realtime-streams/public/vercel.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1155 1000"><path d="m577.3 0 577.4 1000H0z" fill="#fff"/></svg>
\ No newline at end of file
diff --git a/references/realtime-streams/public/window.svg b/references/realtime-streams/public/window.svg
deleted file mode 100644
index b2b2a44f6eb..00000000000
--- a/references/realtime-streams/public/window.svg
+++ /dev/null
@@ -1 +0,0 @@
-<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><path fill-rule="evenodd" clip-rule="evenodd" d="M1.5 2.5h13v10a1 1 0 0 1-1 1h-11a1 1 0 0 1-1-1zM0 1h16v11.5a2.5 2.5 0 0 1-2.5 2.5h-11A2.5 2.5 0 0 1 0 12.5zm3.75 4.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5M7 4.75a.75.75 0 1 1-1.5 0 .75.75 0 0 1 1.5 0m1.75.75a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5" fill="#666"/></svg>
\ No newline at end of file
diff --git a/references/realtime-streams/src/app/actions.ts b/references/realtime-streams/src/app/actions.ts
deleted file mode 100644
index b411dadc2c2..00000000000
--- a/references/realtime-streams/src/app/actions.ts
+++ /dev/null
@@ -1,68 +0,0 @@
-"use server";
-
-import { tasks, auth } from "@trigger.dev/sdk";
-import type { streamsTask } from "@/trigger/streams";
-import type { aiChatTask } from "@/trigger/ai-chat";
-import type { approvalTask } from "@/trigger/approval";
-import type { messagesTask } from "@/trigger/messages";
-import { redirect } from "next/navigation";
-import type { UIMessage } from "ai";
-
-export async function triggerStreamTask(
-  scenario: string,
-  redirectPath?: string,
-  useDurableStreams?: boolean
-) {
-  const config = !useDurableStreams
-    ? {
-        future: {
-          v2RealtimeStreams: false,
-        },
-      }
-    : undefined;
-
-  // Trigger the streams task
-  const handle = await tasks.trigger<typeof streamsTask>(
-    "streams",
-    {
-      scenario: scenario as any,
-    },
-    {},
-    {
-      clientConfig: config,
-    }
-  );
-
-  // Redirect to custom path or default run page
-  const path = redirectPath
-    ? `${redirectPath}/${handle.id}?accessToken=${handle.publicAccessToken}&isMarkdown=${
-        scenario === "markdown" ? "true" : "false"
-      }`
-    : `/runs/${handle.id}?accessToken=${handle.publicAccessToken}&isMarkdown=${
-        scenario === "markdown" ? "true" : "false"
-      }`;
-
-  redirect(path);
-}
-
-export async function triggerApprovalTask() {
-  const handle = await tasks.trigger<typeof approvalTask>("approval-flow", {});
-  redirect(`/approval/${handle.id}?accessToken=${handle.publicAccessToken}`);
-}
-
-export async function triggerMessagesTask() {
-  const handle = await tasks.trigger<typeof messagesTask>("messages-flow", { messageCount: 5 });
-  redirect(`/messages/${handle.id}?accessToken=${handle.publicAccessToken}`);
-}
-
-export async function triggerAIChatTask(messages: UIMessage[]) {
-  // Trigger the AI chat task
-  const handle = await tasks.trigger<typeof aiChatTask>("ai-chat", {
-    messages,
-  });
-
-  console.log("Triggered AI chat run:", handle.id);
-
-  // Redirect to chat page
-  redirect(`/chat/${handle.id}?accessToken=${handle.publicAccessToken}`);
-}
diff --git a/references/realtime-streams/src/app/approval/[runId]/page.tsx b/references/realtime-streams/src/app/approval/[runId]/page.tsx
deleted file mode 100644
index b35d2cbef0b..00000000000
--- a/references/realtime-streams/src/app/approval/[runId]/page.tsx
+++ /dev/null
@@ -1,54 +0,0 @@
-import { ApprovalFlow } from "@/components/approval-flow";
-import Link from "next/link";
-
-export default function ApprovalPage({
-  params,
-  searchParams,
-}: {
-  params: { runId: string };
-  searchParams: { accessToken?: string };
-}) {
-  const { runId } = params;
-  const accessToken = searchParams.accessToken;
-
-  if (!accessToken) {
-    return (
-      <div className="font-sans grid grid-rows-[20px_1fr_20px] items-center justify-items-center min-h-screen p-8 pb-20 gap-16 sm:p-20">
-        <main className="flex flex-col gap-8 row-start-2 items-center">
-          <h1 className="text-2xl font-bold text-red-600">Missing Access Token</h1>
-          <p className="text-gray-600">This page requires an access token.</p>
-          <Link href="/" className="text-blue-600 hover:underline">
-            Go back home
-          </Link>
-        </main>
-      </div>
-    );
-  }
-
-  return (
-    <div className="font-sans grid grid-rows-[20px_1fr_20px] items-center justify-items-center min-h-screen p-8 pb-20 gap-16 sm:p-20">
-      <main className="flex flex-col gap-8 row-start-2 items-start w-full max-w-4xl">
-        <div className="flex items-center justify-between w-full">
-          <h1 className="text-2xl font-bold">Approval Flow: {runId}</h1>
-          <Link
-            href="/"
-            className="px-4 py-2 bg-gray-200 text-gray-800 rounded-lg hover:bg-gray-300 transition-colors"
-          >
-            &larr; Back to Home
-          </Link>
-        </div>
-
-        <div className="w-full bg-gray-50 p-4 rounded-lg">
-          <p className="text-sm text-gray-600">
-            This task is waiting for your approval. Click Approve or Reject to send input to the
-            running task via <code className="bg-gray-200 px-1 rounded">useInputStreamSend</code>.
-          </p>
-        </div>
-
-        <div className="w-full border border-gray-200 rounded-lg p-6 bg-white">
-          <ApprovalFlow accessToken={accessToken} runId={runId} />
-        </div>
-      </main>
-    </div>
-  );
-}
diff --git a/references/realtime-streams/src/app/chat/[runId]/page.tsx b/references/realtime-streams/src/app/chat/[runId]/page.tsx
deleted file mode 100644
index 39c05d2312d..00000000000
--- a/references/realtime-streams/src/app/chat/[runId]/page.tsx
+++ /dev/null
@@ -1,57 +0,0 @@
-import { AIChat } from "@/components/ai-chat";
-import Link from "next/link";
-
-export default function ChatPage({
-  params,
-  searchParams,
-}: {
-  params: { runId: string };
-  searchParams: { accessToken?: string };
-}) {
-  const { runId } = params;
-  const accessToken = searchParams.accessToken;
-
-  if (!accessToken) {
-    return (
-      <div className="font-sans grid grid-rows-[20px_1fr_20px] items-center justify-items-center min-h-screen p-8 pb-20 gap-16 sm:p-20">
-        <main className="flex flex-col gap-8 row-start-2 items-center">
-          <h1 className="text-2xl font-bold text-red-600">Missing Access Token</h1>
-          <p className="text-gray-600">This page requires an access token to view the stream.</p>
-          <Link href="/" className="text-blue-600 hover:underline">
-            Go back home
-          </Link>
-        </main>
-      </div>
-    );
-  }
-
-  return (
-    <div className="font-sans grid grid-rows-[20px_1fr_20px] items-center justify-items-center min-h-screen p-8 pb-20 gap-16 sm:p-20">
-      <main className="flex flex-col gap-8 row-start-2 items-start w-full max-w-4xl">
-        <div className="flex items-center justify-between w-full">
-          <h1 className="text-2xl font-bold">AI Chat Stream: {runId}</h1>
-          <Link
-            href="/"
-            className="px-4 py-2 bg-gray-200 text-gray-800 rounded-lg hover:bg-gray-300 transition-colors"
-          >
-            ← Back to Home
-          </Link>
-        </div>
-
-        <div className="w-full bg-purple-50 p-4 rounded-lg">
-          <p className="text-sm text-purple-900 mb-2">
-            🤖 <strong>AI SDK v5:</strong> This stream uses AI SDK&apos;s streamText with
-            toUIMessageStream()
-          </p>
-          <p className="text-xs text-purple-700">
-            Try refreshing to test stream reconnection - it should resume where it left off.
-          </p>
-        </div>
-
-        <div className="w-full border border-gray-200 rounded-lg p-6 bg-white">
-          <AIChat accessToken={accessToken} runId={runId} />
-        </div>
-      </main>
-    </div>
-  );
-}
diff --git a/references/realtime-streams/src/app/favicon.ico b/references/realtime-streams/src/app/favicon.ico
deleted file mode 100644
index 718d6fea483..00000000000
Binary files a/references/realtime-streams/src/app/favicon.ico and /dev/null differ
diff --git a/references/realtime-streams/src/app/globals.css b/references/realtime-streams/src/app/globals.css
deleted file mode 100644
index ddf2db1b8b0..00000000000
--- a/references/realtime-streams/src/app/globals.css
+++ /dev/null
@@ -1,28 +0,0 @@
-@import "tailwindcss";
-
-@source "../node_modules/streamdown/dist/index.js";
-
-:root {
-  --background: #ffffff;
-  --foreground: #171717;
-}
-
-@theme inline {
-  --color-background: var(--background);
-  --color-foreground: var(--foreground);
-  --font-sans: var(--font-geist-sans);
-  --font-mono: var(--font-geist-mono);
-}
-
-@media (prefers-color-scheme: dark) {
-  :root {
-    --background: #0a0a0a;
-    --foreground: #ededed;
-  }
-}
-
-body {
-  background: var(--background);
-  color: var(--foreground);
-  font-family: Arial, Helvetica, sans-serif;
-}
diff --git a/references/realtime-streams/src/app/layout.tsx b/references/realtime-streams/src/app/layout.tsx
deleted file mode 100644
index 3afae75ee03..00000000000
--- a/references/realtime-streams/src/app/layout.tsx
+++ /dev/null
@@ -1,33 +0,0 @@
-import type { Metadata } from "next";
-import { Geist, Geist_Mono } from "next/font/google";
-import "./globals.css";
-
-const geistSans = Geist({
-  variable: "--font-geist-sans",
-  subsets: ["latin"],
-});
-
-const geistMono = Geist_Mono({
-  variable: "--font-geist-mono",
-  subsets: ["latin"],
-});
-
-export const metadata: Metadata = {
-  title: "Create Next App",
-  description: "Generated by create next app",
-};
-
-export default function RootLayout({
-  children,
-}: Readonly<{
-  children: React.ReactNode;
-}>) {
-  return (
-    <html lang="en">
-      <head>
-        <script crossOrigin="anonymous" src="//unpkg.com/react-scan/dist/auto.global.js" />
-      </head>
-      <body className={`${geistSans.variable} ${geistMono.variable} antialiased`}>{children}</body>
-    </html>
-  );
-}
diff --git a/references/realtime-streams/src/app/messages/[runId]/page.tsx b/references/realtime-streams/src/app/messages/[runId]/page.tsx
deleted file mode 100644
index 040337fe411..00000000000
--- a/references/realtime-streams/src/app/messages/[runId]/page.tsx
+++ /dev/null
@@ -1,56 +0,0 @@
-import { MessagesFlow } from "@/components/messages-flow";
-import Link from "next/link";
-
-export default function MessagesPage({
-  params,
-  searchParams,
-}: {
-  params: { runId: string };
-  searchParams: { accessToken?: string };
-}) {
-  const { runId } = params;
-  const accessToken = searchParams.accessToken;
-
-  if (!accessToken) {
-    return (
-      <div className="font-sans grid grid-rows-[20px_1fr_20px] items-center justify-items-center min-h-screen p-8 pb-20 gap-16 sm:p-20">
-        <main className="flex flex-col gap-8 row-start-2 items-center">
-          <h1 className="text-2xl font-bold text-red-600">Missing Access Token</h1>
-          <p className="text-gray-600">This page requires an access token.</p>
-          <Link href="/" className="text-blue-600 hover:underline">
-            Go back home
-          </Link>
-        </main>
-      </div>
-    );
-  }
-
-  return (
-    <div className="font-sans grid grid-rows-[20px_1fr_20px] items-center justify-items-center min-h-screen p-8 pb-20 gap-16 sm:p-20">
-      <main className="flex flex-col gap-8 row-start-2 items-start w-full max-w-4xl">
-        <div className="flex items-center justify-between w-full">
-          <h1 className="text-2xl font-bold">Messages Flow: {runId}</h1>
-          <Link
-            href="/"
-            className="px-4 py-2 bg-gray-200 text-gray-800 rounded-lg hover:bg-gray-300 transition-colors"
-          >
-            &larr; Back to Home
-          </Link>
-        </div>
-
-        <div className="w-full bg-gray-50 p-4 rounded-lg">
-          <p className="text-sm text-gray-600">
-            Send messages to the running task using{" "}
-            <code className="bg-gray-200 px-1 rounded">useInputStreamSend</code>. The task
-            subscribes via <code className="bg-gray-200 px-1 rounded">.on()</code> and logs each
-            message as it arrives. Send 5 messages to complete the task.
-          </p>
-        </div>
-
-        <div className="w-full border border-gray-200 rounded-lg p-6 bg-white">
-          <MessagesFlow accessToken={accessToken} runId={runId} />
-        </div>
-      </main>
-    </div>
-  );
-}
diff --git a/references/realtime-streams/src/app/page.tsx b/references/realtime-streams/src/app/page.tsx
deleted file mode 100644
index 63b22909e97..00000000000
--- a/references/realtime-streams/src/app/page.tsx
+++ /dev/null
@@ -1,87 +0,0 @@
-import { TriggerButton } from "@/components/trigger-button";
-import { AIChatButton } from "@/components/ai-chat-button";
-import { triggerApprovalTask, triggerMessagesTask } from "./actions";
-
-export default function Home() {
-  return (
-    <div className="font-sans grid grid-rows-[20px_1fr_20px] items-center justify-items-center min-h-screen p-8 pb-20 gap-16 sm:p-20">
-      <main className="flex flex-col gap-[32px] row-start-2 items-center sm:items-start">
-        <h1 className="text-3xl font-bold mb-4">Realtime Streams Test</h1>
-        <p className="text-gray-600 mb-8">
-          Click a button below to trigger a streaming task and watch it in real-time. You can
-          refresh the page to test stream reconnection.
-        </p>
-
-        <div className="mt-8 pt-8 border-t border-gray-300 w-full">
-          <h2 className="text-xl font-semibold mb-4">AI Chat Stream (AI SDK v5)</h2>
-          <p className="text-sm text-gray-600 mb-4">
-            Test AI SDK v5&apos;s streamText with toUIMessageStream()
-          </p>
-          <AIChatButton />
-        </div>
-
-        <div className="flex flex-col gap-4">
-          <TriggerButton scenario="markdown">Markdown Stream</TriggerButton>
-          <TriggerButton scenario="continuous">Continuous Stream</TriggerButton>
-          <TriggerButton scenario="burst">Burst Stream</TriggerButton>
-          <TriggerButton scenario="stall">Stall Stream (3 min)</TriggerButton>
-          <TriggerButton scenario="slow-steady">Slow Steady Stream (5 min)</TriggerButton>
-        </div>
-
-        <div className="flex flex-col gap-4">
-          <TriggerButton useDurableStreams={true} scenario="markdown">
-            Markdown Stream (Durable)
-          </TriggerButton>
-          <TriggerButton useDurableStreams={true} scenario="continuous">
-            Continuous Stream (Durable)
-          </TriggerButton>
-          <TriggerButton useDurableStreams={true} scenario="burst">
-            Burst Stream (Durable)
-          </TriggerButton>
-          <TriggerButton useDurableStreams={true} scenario="stall">
-            Stall Stream (3 min) (Durable)
-          </TriggerButton>
-          <TriggerButton useDurableStreams={true} scenario="slow-steady">
-            Slow Steady Stream (5 min) (Durable)
-          </TriggerButton>
-        </div>
-
-        <div className="mt-8 pt-8 border-t border-gray-300 w-full">
-          <h2 className="text-xl font-semibold mb-4">Input Streams</h2>
-          <p className="text-sm text-gray-600 mb-4">
-            Test sending data from the UI to a running task via useInputStreamSend
-          </p>
-          <div className="flex gap-3">
-            <form action={triggerApprovalTask}>
-              <button
-                type="submit"
-                className="px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors"
-              >
-                Approval Flow (.wait)
-              </button>
-            </form>
-            <form action={triggerMessagesTask}>
-              <button
-                type="submit"
-                className="px-4 py-2 bg-blue-600 text-white rounded-lg hover:bg-blue-700 transition-colors"
-              >
-                Messages Flow (.on)
-              </button>
-            </form>
-          </div>
-        </div>
-
-        <div className="mt-8 pt-8 border-t border-gray-300">
-          <h2 className="text-xl font-semibold mb-4">Performance Testing</h2>
-          <TriggerButton scenario="performance" redirect="/performance">
-            📊 Performance Test V1 (Latency Monitoring)
-          </TriggerButton>
-
-          <TriggerButton scenario="performance" redirect="/performance" useDurableStreams={true}>
-            📊 Performance Test V2 (Latency Monitoring)
-          </TriggerButton>
-        </div>
-      </main>
-    </div>
-  );
-}
diff --git a/references/realtime-streams/src/app/performance/[runId]/page.tsx b/references/realtime-streams/src/app/performance/[runId]/page.tsx
deleted file mode 100644
index 1563bf731e6..00000000000
--- a/references/realtime-streams/src/app/performance/[runId]/page.tsx
+++ /dev/null
@@ -1,56 +0,0 @@
-import { PerformanceMonitor } from "@/components/performance-monitor";
-import Link from "next/link";
-
-export default function PerformancePage({
-  params,
-  searchParams,
-}: {
-  params: { runId: string };
-  searchParams: { accessToken?: string };
-}) {
-  const { runId } = params;
-  const accessToken = searchParams.accessToken;
-
-  if (!accessToken) {
-    return (
-      <div className="font-sans grid grid-rows-[20px_1fr_20px] items-center justify-items-center min-h-screen p-8 pb-20 gap-16 sm:p-20">
-        <main className="flex flex-col gap-8 row-start-2 items-center">
-          <h1 className="text-2xl font-bold text-red-600">Missing Access Token</h1>
-          <p className="text-gray-600">This page requires an access token to view the stream.</p>
-          <Link href="/" className="text-blue-600 hover:underline">
-            Go back home
-          </Link>
-        </main>
-      </div>
-    );
-  }
-
-  return (
-    <div className="font-sans min-h-screen p-8 bg-gray-50">
-      <div className="max-w-7xl mx-auto">
-        <div className="flex items-center justify-between mb-8">
-          <div>
-            <h1 className="text-3xl font-bold text-gray-900">Performance Monitor</h1>
-            <p className="text-sm text-gray-600 mt-1">Run: {runId}</p>
-          </div>
-          <Link
-            href="/"
-            className="px-4 py-2 bg-white border border-gray-300 text-gray-800 rounded-lg hover:bg-gray-50 transition-colors"
-          >
-            ← Back to Home
-          </Link>
-        </div>
-
-        <div className="bg-blue-50 border border-blue-200 rounded-lg p-4 mb-6">
-          <p className="text-sm text-blue-900">
-            <strong>📊 Real-time Latency Monitoring:</strong> This page measures the time it takes
-            for each chunk to travel from the task to your browser. Lower latency = better
-            performance!
-          </p>
-        </div>
-
-        <PerformanceMonitor accessToken={accessToken} runId={runId} />
-      </div>
-    </div>
-  );
-}
diff --git a/references/realtime-streams/src/app/runs/[runId]/page.tsx b/references/realtime-streams/src/app/runs/[runId]/page.tsx
deleted file mode 100644
index 54854dfe750..00000000000
--- a/references/realtime-streams/src/app/runs/[runId]/page.tsx
+++ /dev/null
@@ -1,58 +0,0 @@
-import { Streams } from "@/components/streams";
-import Link from "next/link";
-
-export default function RunPage({
-  params,
-  searchParams,
-}: {
-  params: { runId: string };
-  searchParams: { accessToken?: string; isMarkdown?: string };
-}) {
-  const { runId } = params;
-  const accessToken = searchParams.accessToken;
-  const isMarkdown = searchParams.isMarkdown === "true";
-
-  if (!accessToken) {
-    return (
-      <div className="font-sans grid grid-rows-[20px_1fr_20px] items-center justify-items-center min-h-screen p-8 pb-20 gap-16 sm:p-20">
-        <main className="flex flex-col gap-8 row-start-2 items-center">
-          <h1 className="text-2xl font-bold text-red-600">Missing Access Token</h1>
-          <p className="text-gray-600">This page requires an access token to view the stream.</p>
-          <Link href="/" className="text-blue-600 hover:underline">
-            Go back home
-          </Link>
-        </main>
-      </div>
-    );
-  }
-
-  return (
-    <div className="font-sans grid grid-rows-[20px_1fr_20px] items-center justify-items-center min-h-screen p-8 pb-20 gap-16 sm:p-20">
-      <main className="flex flex-col gap-8 row-start-2 items-start w-full max-w-4xl">
-        <div className="flex items-center justify-between w-full">
-          <h1 className="text-2xl font-bold">Stream Run: {runId}</h1>
-          <Link
-            href="/"
-            className="px-4 py-2 bg-gray-200 text-gray-800 rounded-lg hover:bg-gray-300 transition-colors"
-          >
-            ← Back to Home
-          </Link>
-        </div>
-
-        <div className="w-full bg-gray-50 p-4 rounded-lg">
-          <p className="text-sm text-gray-600 mb-2">
-            💡 <strong>Tip:</strong> Try refreshing this page to test stream reconnection and resume
-            functionality.
-          </p>
-          <p className="text-xs text-gray-500">
-            The stream should continue from where it left off after a refresh.
-          </p>
-        </div>
-
-        <div className="w-full border border-gray-200 rounded-lg p-6 bg-white">
-          <Streams accessToken={accessToken} runId={runId} isMarkdown={isMarkdown} />
-        </div>
-      </main>
-    </div>
-  );
-}
diff --git a/references/realtime-streams/src/app/streams.ts b/references/realtime-streams/src/app/streams.ts
deleted file mode 100644
index decbea455a5..00000000000
--- a/references/realtime-streams/src/app/streams.ts
+++ /dev/null
@@ -1,20 +0,0 @@
-import { InferStreamType, streams } from "@trigger.dev/sdk";
-import { UIMessageChunk } from "ai";
-
-export const demoStream = streams.define<string>({
-  id: "demo",
-});
-
-export type DemoStreamPart = InferStreamType<typeof demoStream>;
-
-export const aiStream = streams.define<UIMessageChunk>({
-  id: "ai",
-});
-
-export const approvalInputStream = streams.input<{ approved: boolean; reviewer: string }>({
-  id: "approval",
-});
-
-export const messageInputStream = streams.input<{ text: string }>({
-  id: "messages",
-});
diff --git a/references/realtime-streams/src/components/ai-chat-button.tsx b/references/realtime-streams/src/components/ai-chat-button.tsx
deleted file mode 100644
index 373a8c8b581..00000000000
--- a/references/realtime-streams/src/components/ai-chat-button.tsx
+++ /dev/null
@@ -1,39 +0,0 @@
-"use client";
-
-import { triggerAIChatTask } from "@/app/actions";
-import { useTransition } from "react";
-import type { UIMessage } from "ai";
-
-export function AIChatButton() {
-  const [isPending, startTransition] = useTransition();
-
-  function handleClick() {
-    startTransition(async () => {
-      // Create a sample conversation to trigger
-      const messages: UIMessage[] = [
-        {
-          id: "1",
-          role: "user",
-          parts: [
-            {
-              type: "text",
-              text: "Write a detailed explanation of how streaming works in modern web applications, including the benefits and common use cases.",
-            },
-          ],
-        },
-      ];
-
-      await triggerAIChatTask(messages);
-    });
-  }
-
-  return (
-    <button
-      onClick={handleClick}
-      disabled={isPending}
-      className="px-6 py-3 bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:bg-gray-400 disabled:cursor-not-allowed transition-colors"
-    >
-      {isPending ? "Starting AI Chat..." : "🤖 Start AI Chat Stream"}
-    </button>
-  );
-}
diff --git a/references/realtime-streams/src/components/ai-chat.tsx b/references/realtime-streams/src/components/ai-chat.tsx
deleted file mode 100644
index d0d8559caa5..00000000000
--- a/references/realtime-streams/src/components/ai-chat.tsx
+++ /dev/null
@@ -1,219 +0,0 @@
-"use client";
-
-import { aiStream } from "@/app/streams";
-import { useRealtimeStream } from "@trigger.dev/react-hooks";
-import type { UIMessage } from "ai";
-import { Streamdown } from "streamdown";
-
-export function AIChat({ accessToken, runId }: { accessToken: string; runId: string }) {
-  return (
-    <div className="space-y-8">
-      <AIChatStats accessToken={accessToken} runId={runId} />
-      <AIChatFull accessToken={accessToken} runId={runId} />
-    </div>
-  );
-}
-
-function AIChatStats({ accessToken, runId }: { accessToken: string; runId: string }) {
-  const { parts, error } = useRealtimeStream(aiStream, runId, {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-    timeoutInSeconds: 600,
-  });
-
-  if (error) return <div className="text-red-600 font-semibold">Error: {error.message}</div>;
-
-  if (!parts || parts.length === 0) {
-    return (
-      <div className="p-4 rounded-lg bg-blue-50 border-l-4 border-blue-500">
-        <div className="text-sm font-semibold text-blue-900 mb-2">📊 Stream Statistics</div>
-        <div className="text-xs text-blue-700">Waiting for stream data...</div>
-      </div>
-    );
-  }
-
-  console.log(parts);
-
-  // Calculate statistics
-  const stats = {
-    totalChunks: parts.length,
-    textStartChunks: 0,
-    textDeltaChunks: 0,
-    textEndChunks: 0,
-    errorChunks: 0,
-    otherChunks: 0,
-    totalCharacters: 0,
-    averageChunkSize: 0,
-  };
-
-  const chunkTimings: number[] = [];
-  let firstChunkTime: number | null = null;
-  let lastChunkTime: number | null = null;
-
-  for (const chunk of parts) {
-    switch (chunk.type) {
-      case "text-start":
-        stats.textStartChunks++;
-        break;
-      case "text-delta":
-        stats.textDeltaChunks++;
-        stats.totalCharacters += chunk.delta.length;
-        break;
-      case "text-end":
-        stats.textEndChunks++;
-        break;
-      case "error":
-        stats.errorChunks++;
-        break;
-      default:
-        stats.otherChunks++;
-    }
-  }
-
-  stats.averageChunkSize =
-    stats.textDeltaChunks > 0 ? Math.round(stats.totalCharacters / stats.textDeltaChunks) : 0;
-
-  const isStreaming = stats.textEndChunks === 0;
-
-  return (
-    <div className="p-4 rounded-lg bg-blue-50 border-l-4 border-blue-500">
-      <div className="text-sm font-semibold text-blue-900 mb-3">
-        📊 Stream Statistics {isStreaming && <span className="text-blue-600">(live)</span>}
-      </div>
-
-      <div className="grid grid-cols-2 md:grid-cols-4 gap-4 text-xs">
-        <div>
-          <div className="text-blue-600 font-semibold">Total Chunks</div>
-          <div className="text-blue-900 text-lg font-bold">{stats.totalChunks}</div>
-        </div>
-        <div>
-          <div className="text-blue-600 font-semibold">Text Deltas</div>
-          <div className="text-blue-900 text-lg font-bold">{stats.textDeltaChunks}</div>
-        </div>
-        <div>
-          <div className="text-blue-600 font-semibold">Total Characters</div>
-          <div className="text-blue-900 text-lg font-bold">{stats.totalCharacters}</div>
-        </div>
-        <div>
-          <div className="text-blue-600 font-semibold">Avg Chunk Size</div>
-          <div className="text-blue-900 text-lg font-bold">{stats.averageChunkSize} chars</div>
-        </div>
-      </div>
-
-      <div className="mt-3 pt-3 border-t border-blue-200 grid grid-cols-2 md:grid-cols-5 gap-2 text-xs">
-        <div>
-          <span className="text-blue-600">text-start:</span>{" "}
-          <span className="text-blue-900 font-semibold">{stats.textStartChunks}</span>
-        </div>
-        <div>
-          <span className="text-blue-600">text-delta:</span>{" "}
-          <span className="text-blue-900 font-semibold">{stats.textDeltaChunks}</span>
-        </div>
-        <div>
-          <span className="text-blue-600">text-end:</span>{" "}
-          <span className="text-blue-900 font-semibold">{stats.textEndChunks}</span>
-        </div>
-        <div>
-          <span className="text-blue-600">errors:</span>{" "}
-          <span className="text-blue-900 font-semibold">{stats.errorChunks}</span>
-        </div>
-        <div>
-          <span className="text-blue-600">other:</span>{" "}
-          <span className="text-blue-900 font-semibold">{stats.otherChunks}</span>
-        </div>
-      </div>
-    </div>
-  );
-}
-
-function AIChatFull({ accessToken, runId }: { accessToken: string; runId: string }) {
-  const { parts, error } = useRealtimeStream(aiStream, runId, {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-    timeoutInSeconds: 600,
-  });
-
-  if (error) return <div className="text-red-600 font-semibold">Error: {error.message}</div>;
-
-  if (!parts) return <div className="text-gray-600">Loading...</div>;
-
-  // Compute derived state directly from parts
-  let accumulatedText = "";
-  let currentId: string | null = null;
-  let isComplete = false;
-
-  for (const chunk of parts) {
-    switch (chunk.type) {
-      case "text-start":
-        if (!currentId) {
-          currentId = chunk.id;
-        }
-        break;
-      case "text-delta":
-        accumulatedText += chunk.delta;
-        break;
-      case "text-end":
-        isComplete = true;
-        break;
-      case "error":
-        console.error("Stream error:", chunk.errorText);
-        break;
-    }
-  }
-
-  // Determine what to render
-  const messages: UIMessage[] = [];
-  let currentText = "";
-  let currentMessageId: string | null = null;
-  let currentRole: "assistant" | null = null;
-
-  if (isComplete && currentId && accumulatedText) {
-    // Streaming is complete, show as completed message
-    messages.push({
-      id: currentId,
-      role: "assistant",
-      parts: [{ type: "text", text: accumulatedText }],
-    });
-  } else if (currentId) {
-    // Still streaming
-    currentText = accumulatedText;
-    currentMessageId = currentId;
-    currentRole = "assistant";
-  }
-
-  return (
-    <div className="space-y-6">
-      <div className="text-sm font-medium text-gray-700 mb-4">
-        <span className="font-semibold">Run:</span> {runId}
-      </div>
-
-      {/* Render completed messages */}
-      {messages.map((message) => (
-        <div key={message.id} className="p-4 rounded-lg bg-gray-50 border-l-4 border-purple-500">
-          <div className="text-xs font-semibold text-gray-500 uppercase mb-2">{message.role}</div>
-          <div className="prose prose-sm max-w-none text-gray-900">
-            {message.parts.map((part, idx) =>
-              part.type === "text" ? (
-                <Streamdown key={idx} isAnimating={false}>
-                  {part.text}
-                </Streamdown>
-              ) : null
-            )}
-          </div>
-        </div>
-      ))}
-
-      {/* Render current streaming message */}
-      {currentMessageId && currentRole && (
-        <div className="p-4 rounded-lg bg-gray-50 border-l-4 border-purple-500">
-          <div className="text-xs font-semibold text-gray-500 uppercase mb-2">
-            {currentRole} <span className="text-purple-600">(streaming...)</span>
-          </div>
-          <div className="prose prose-sm max-w-none text-gray-900">
-            <Streamdown isAnimating={true}>{currentText}</Streamdown>
-          </div>
-        </div>
-      )}
-    </div>
-  );
-}
diff --git a/references/realtime-streams/src/components/approval-flow.tsx b/references/realtime-streams/src/components/approval-flow.tsx
deleted file mode 100644
index a108735fd48..00000000000
--- a/references/realtime-streams/src/components/approval-flow.tsx
+++ /dev/null
@@ -1,92 +0,0 @@
-"use client";
-
-import { useRealtimeRun, useInputStreamSend } from "@trigger.dev/react-hooks";
-import type { approvalTask } from "@/trigger/approval";
-
-export function ApprovalFlow({
-  runId,
-  accessToken,
-}: {
-  runId: string;
-  accessToken: string;
-}) {
-  const { run, error: runError } = useRealtimeRun<typeof approvalTask>(runId, {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-  });
-  const {
-    send,
-    isLoading: isSending,
-    error: sendError,
-  } = useInputStreamSend<{ approved: boolean; reviewer: string }>("approval", runId, {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-  });
-
-  const status = run?.metadata?.status as string | undefined;
-  const reviewer = run?.metadata?.reviewer as string | undefined;
-  const isWaiting = status === "waiting-for-approval";
-  const isCompleted = run?.status === "COMPLETED";
-  const isFailed = run?.status === "FAILED" || run?.status === "CANCELED";
-
-  return (
-    <div className="flex flex-col gap-6">
-      <div className="flex items-center gap-3">
-        <div
-          className={`w-3 h-3 rounded-full ${
-            isWaiting
-              ? "bg-yellow-400 animate-pulse"
-              : status === "approved"
-                ? "bg-green-400"
-                : status === "rejected"
-                  ? "bg-red-400"
-                  : status === "timed-out"
-                    ? "bg-gray-400"
-                    : "bg-blue-400 animate-pulse"
-          }`}
-        />
-        <span className="text-sm text-gray-600">
-          {!run
-            ? "Loading..."
-            : isWaiting
-              ? "Waiting for approval"
-              : status === "approved"
-                ? `Approved by ${reviewer}`
-                : status === "rejected"
-                  ? `Rejected by ${reviewer}`
-                  : status === "timed-out"
-                    ? "Timed out"
-                    : `Status: ${run?.status ?? "unknown"}`}
-        </span>
-      </div>
-
-      {isWaiting && (
-        <div className="flex gap-3">
-          <button
-            onClick={() => send({ approved: true, reviewer: "You" })}
-            disabled={isSending}
-            className="px-6 py-3 bg-green-600 text-white rounded-lg hover:bg-green-700 disabled:opacity-50 transition-colors font-medium"
-          >
-            {isSending ? "Sending..." : "Approve"}
-          </button>
-          <button
-            onClick={() => send({ approved: false, reviewer: "You" })}
-            disabled={isSending}
-            className="px-6 py-3 bg-red-600 text-white rounded-lg hover:bg-red-700 disabled:opacity-50 transition-colors font-medium"
-          >
-            {isSending ? "Sending..." : "Reject"}
-          </button>
-        </div>
-      )}
-
-      {runError && <p className="text-red-500 text-sm">Run error: {runError.message}</p>}
-      {sendError && <p className="text-red-500 text-sm">Send error: {sendError.message}</p>}
-
-      {(isCompleted || isFailed) && run?.output && (
-        <pre className="bg-gray-100 p-4 rounded-lg text-sm overflow-auto">
-          {JSON.stringify(run.output, null, 2)}
-        </pre>
-      )}
-    </div>
-  );
-}
diff --git a/references/realtime-streams/src/components/messages-flow.tsx b/references/realtime-streams/src/components/messages-flow.tsx
deleted file mode 100644
index 6065f2bc99c..00000000000
--- a/references/realtime-streams/src/components/messages-flow.tsx
+++ /dev/null
@@ -1,97 +0,0 @@
-"use client";
-
-import { useState } from "react";
-import { useRealtimeRun, useInputStreamSend } from "@trigger.dev/react-hooks";
-import type { messagesTask } from "@/trigger/messages";
-
-export function MessagesFlow({
-  runId,
-  accessToken,
-}: {
-  runId: string;
-  accessToken: string;
-}) {
-  const [inputText, setInputText] = useState("");
-  const { run, error: runError } = useRealtimeRun<typeof messagesTask>(runId, {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-  });
-  const {
-    send,
-    isLoading: isSending,
-    error: sendError,
-  } = useInputStreamSend<{ text: string }>("messages", runId, {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-  });
-
-  const status = run?.metadata?.status as string | undefined;
-  const received = (run?.metadata?.received as number) ?? 0;
-  const expected = (run?.metadata?.expected as number) ?? 0;
-  const isListening = status === "listening";
-  const isDone = status === "done";
-  const isCompleted = run?.status === "COMPLETED";
-
-  function handleSend() {
-    if (!inputText.trim()) return;
-    send({ text: inputText.trim() });
-    setInputText("");
-  }
-
-  return (
-    <div className="flex flex-col gap-6">
-      <div className="flex items-center gap-3">
-        <div
-          className={`w-3 h-3 rounded-full ${
-            isListening
-              ? "bg-yellow-400 animate-pulse"
-              : isDone
-                ? "bg-green-400"
-                : "bg-blue-400 animate-pulse"
-          }`}
-        />
-        <span className="text-sm text-gray-600">
-          {!run
-            ? "Loading..."
-            : isListening
-              ? `Listening for messages (${received}/${expected})`
-              : isDone
-                ? `Received all ${received} messages`
-                : `Status: ${run?.status ?? "unknown"}`}
-        </span>
-      </div>
-
-      {isListening && (
-        <div className="flex gap-3">
-          <input
-            type="text"
-            value={inputText}
-            onChange={(e) => setInputText(e.target.value)}
-            onKeyDown={(e) => e.key === "Enter" && handleSend()}
-            placeholder="Type a message..."
-            className="flex-1 px-4 py-2 border border-gray-300 rounded-lg focus:outline-none focus:ring-2 focus:ring-blue-500"
-          />
-          <button
-            onClick={handleSend}
-            disabled={isSending || !inputText.trim()}
-            className="px-6 py-2 bg-blue-600 text-white rounded-lg hover:bg-blue-700 disabled:opacity-50 transition-colors font-medium"
-          >
-            {isSending ? "Sending..." : "Send"}
-          </button>
-        </div>
-      )}
-
-      {runError && <p className="text-red-500 text-sm">Run error: {runError.message}</p>}
-      {sendError && <p className="text-red-500 text-sm">Send error: {sendError.message}</p>}
-
-      {isCompleted && run?.output && (
-        <div className="bg-gray-50 p-4 rounded-lg">
-          <h3 className="text-sm font-semibold mb-2">Task output:</h3>
-          <pre className="text-sm overflow-auto">
-            {JSON.stringify(run.output, null, 2)}
-          </pre>
-        </div>
-      )}
-    </div>
-  );
-}
diff --git a/references/realtime-streams/src/components/performance-monitor.tsx b/references/realtime-streams/src/components/performance-monitor.tsx
deleted file mode 100644
index f3ecaf4e2f2..00000000000
--- a/references/realtime-streams/src/components/performance-monitor.tsx
+++ /dev/null
@@ -1,240 +0,0 @@
-"use client";
-
-import { demoStream } from "@/app/streams";
-import type { PerformanceChunk } from "@/trigger/streams";
-import { useRealtimeStream } from "@trigger.dev/react-hooks";
-import { useEffect, useMemo, useRef, useState } from "react";
-
-type ChunkLatency = {
-  chunkIndex: number;
-  sentAt: number;
-  receivedAt: number;
-  latency: number;
-  data: string;
-};
-
-export function PerformanceMonitor({ accessToken, runId }: { accessToken: string; runId: string }) {
-  const { parts, error } = useRealtimeStream(demoStream, runId, {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-  });
-
-  const [firstChunkTime, setFirstChunkTime] = useState<number | null>(null);
-  const [startTime] = useState<number>(Date.now());
-  const [chunkLatencies, setChunkLatencies] = useState<ChunkLatency[]>([]);
-  const processedCountRef = useRef<number>(0);
-
-  // Process new chunks only (append-only pattern)
-  useEffect(() => {
-    if (!parts || parts.length === 0) return;
-
-    // Only process chunks we haven't seen yet
-    const newChunks = parts.slice(processedCountRef.current);
-    if (newChunks.length === 0) return;
-
-    const now = Date.now();
-    const newLatencies: ChunkLatency[] = [];
-
-    for (const rawChunk of newChunks) {
-      try {
-        const chunk: PerformanceChunk = JSON.parse(rawChunk);
-
-        if (chunkLatencies.length === 0 && firstChunkTime === null) {
-          setFirstChunkTime(now);
-        }
-
-        newLatencies.push({
-          chunkIndex: chunk.chunkIndex,
-          sentAt: chunk.timestamp,
-          receivedAt: now,
-          latency: now - chunk.timestamp,
-          data: chunk.data,
-        });
-      } catch (e) {
-        // Skip non-JSON chunks
-        console.error("Failed to parse chunk:", rawChunk, e);
-      }
-    }
-
-    if (newLatencies.length > 0) {
-      setChunkLatencies((prev) => [...prev, ...newLatencies]);
-      processedCountRef.current = parts.length;
-    }
-  }, [parts, chunkLatencies.length, firstChunkTime]);
-
-  // Calculate statistics
-  const stats = useMemo(() => {
-    if (chunkLatencies.length === 0) {
-      return {
-        count: 0,
-        avgLatency: 0,
-        minLatency: 0,
-        maxLatency: 0,
-        p50: 0,
-        p95: 0,
-        p99: 0,
-        timeToFirstChunk: null,
-      };
-    }
-
-    // Create sorted copy for percentile calculations
-    const sortedLatencies = [...chunkLatencies.map((c) => c.latency)].sort((a, b) => a - b);
-    const sum = sortedLatencies.reduce((acc, val) => acc + val, 0);
-
-    // Correct percentile calculation
-    const percentile = (p: number) => {
-      if (sortedLatencies.length === 0) return 0;
-
-      // Use standard percentile formula: position = (p/100) * (n-1)
-      const position = (p / 100) * (sortedLatencies.length - 1);
-      const lower = Math.floor(position);
-      const upper = Math.ceil(position);
-
-      // Interpolate between values if needed
-      if (lower === upper) {
-        return sortedLatencies[lower];
-      }
-
-      const weight = position - lower;
-      return sortedLatencies[lower] * (1 - weight) + sortedLatencies[upper] * weight;
-    };
-
-    return {
-      count: chunkLatencies.length,
-      avgLatency: sum / sortedLatencies.length,
-      minLatency: sortedLatencies[0] || 0,
-      maxLatency: sortedLatencies[sortedLatencies.length - 1] || 0,
-      p50: percentile(50),
-      p95: percentile(95),
-      p99: percentile(99),
-      timeToFirstChunk: firstChunkTime ? firstChunkTime - startTime : null,
-    };
-  }, [chunkLatencies, firstChunkTime, startTime]);
-
-  if (error) {
-    return (
-      <div className="bg-red-50 border border-red-200 rounded-lg p-6">
-        <p className="text-red-600 font-semibold">Error: {error.message}</p>
-      </div>
-    );
-  }
-
-  return (
-    <div className="space-y-6">
-      {/* Metrics Grid */}
-      <div className="grid grid-cols-2 md:grid-cols-4 gap-4">
-        <MetricCard label="Chunks Received" value={stats.count.toString()} suffix="chunks" />
-        <MetricCard label="Avg Latency" value={stats.avgLatency.toFixed(0)} suffix="ms" highlight />
-        <MetricCard label="P95 Latency" value={stats.p95.toFixed(0)} suffix="ms" />
-        <MetricCard label="P99 Latency" value={stats.p99.toFixed(0)} suffix="ms" />
-      </div>
-
-      {/* Additional Stats */}
-      <div className="bg-white rounded-lg shadow p-6">
-        <h3 className="text-lg font-semibold text-gray-900 mb-4">Detailed Statistics</h3>
-        <div className="grid grid-cols-2 md:grid-cols-3 gap-6">
-          <StatItem
-            label="Time to First Chunk"
-            value={
-              stats.timeToFirstChunk !== null
-                ? `${stats.timeToFirstChunk.toFixed(0)} ms`
-                : "Waiting..."
-            }
-          />
-          <StatItem label="Min Latency" value={`${stats.minLatency.toFixed(0)} ms`} />
-          <StatItem label="Max Latency" value={`${stats.maxLatency.toFixed(0)} ms`} />
-          <StatItem label="P50 (Median)" value={`${stats.p50.toFixed(0)} ms`} />
-          <StatItem label="Total Chunks" value={stats.count.toString()} />
-        </div>
-      </div>
-
-      {/* All Chunks Table */}
-      {chunkLatencies.length > 0 && (
-        <div className="bg-white rounded-lg shadow p-6">
-          <h3 className="text-lg font-semibold text-gray-900 mb-4">
-            All Chunks ({chunkLatencies.length} total)
-          </h3>
-          <div className="overflow-x-auto max-h-[600px] overflow-y-auto">
-            <table className="min-w-full divide-y divide-gray-200">
-              <thead className="bg-gray-50 sticky top-0">
-                <tr>
-                  <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">
-                    Index
-                  </th>
-                  <th className="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">
-                    Data
-                  </th>
-                  <th className="px-4 py-3 text-right text-xs font-medium text-gray-500 uppercase">
-                    Latency
-                  </th>
-                  <th className="px-4 py-3 text-right text-xs font-medium text-gray-500 uppercase">
-                    Sent At
-                  </th>
-                </tr>
-              </thead>
-              <tbody className="bg-white divide-y divide-gray-200">
-                {chunkLatencies.map((chunk, index) => (
-                  <tr key={`${chunk.chunkIndex}-${index}`} className="hover:bg-gray-50">
-                    <td className="px-4 py-3 text-sm text-gray-900">#{chunk.chunkIndex}</td>
-                    <td className="px-4 py-3 text-sm text-gray-600">{chunk.data}</td>
-                    <td className="px-4 py-3 text-sm text-right">
-                      <span
-                        className={`inline-block px-2 py-1 rounded text-xs font-semibold ${
-                          chunk.latency > stats.p95
-                            ? "bg-red-100 text-red-800"
-                            : chunk.latency > stats.p50
-                            ? "bg-yellow-100 text-yellow-800"
-                            : "bg-green-100 text-green-800"
-                        }`}
-                      >
-                        {chunk.latency.toFixed(0)} ms
-                      </span>
-                    </td>
-                    <td className="px-4 py-3 text-sm text-gray-500 text-right">
-                      {new Date(chunk.sentAt).toLocaleTimeString()}
-                    </td>
-                  </tr>
-                ))}
-              </tbody>
-            </table>
-          </div>
-        </div>
-      )}
-    </div>
-  );
-}
-
-function MetricCard({
-  label,
-  value,
-  suffix,
-  highlight = false,
-}: {
-  label: string;
-  value: string;
-  suffix: string;
-  highlight?: boolean;
-}) {
-  return (
-    <div
-      className={`rounded-lg shadow p-4 ${
-        highlight ? "bg-blue-50 border-2 border-blue-200" : "bg-white"
-      }`}
-    >
-      <p className="text-xs font-medium text-gray-600 uppercase mb-1">{label}</p>
-      <p className={`text-2xl font-bold ${highlight ? "text-blue-900" : "text-gray-900"}`}>
-        {value}
-      </p>
-      <p className="text-xs text-gray-500 mt-1">{suffix}</p>
-    </div>
-  );
-}
-
-function StatItem({ label, value }: { label: string; value: string }) {
-  return (
-    <div>
-      <p className="text-sm text-gray-600">{label}</p>
-      <p className="text-lg font-semibold text-gray-900 mt-1">{value}</p>
-    </div>
-  );
-}
diff --git a/references/realtime-streams/src/components/streams.tsx b/references/realtime-streams/src/components/streams.tsx
deleted file mode 100644
index 131c430a150..00000000000
--- a/references/realtime-streams/src/components/streams.tsx
+++ /dev/null
@@ -1,41 +0,0 @@
-"use client";
-
-import { useRealtimeStream } from "@trigger.dev/react-hooks";
-import { Streamdown } from "streamdown";
-import { demoStream } from "@/app/streams";
-
-export function Streams({
-  accessToken,
-  runId,
-  isMarkdown,
-}: {
-  accessToken: string;
-  runId: string;
-  isMarkdown: boolean;
-}) {
-  const { parts, error } = useRealtimeStream(demoStream, runId, {
-    accessToken,
-    baseURL: process.env.NEXT_PUBLIC_TRIGGER_API_URL,
-    onData: (data) => {
-      // console.log(data);
-    },
-    timeoutInSeconds: 600,
-  });
-
-  if (error) return <div className="text-red-600 font-semibold">Error: {error.message}</div>;
-
-  if (!parts) return <div className="text-gray-600">Loading...</div>;
-
-  const stream = parts.join("");
-
-  return (
-    <div className="space-y-4">
-      <div className="text-sm font-medium text-gray-700">
-        <span className="font-semibold">Run:</span> {runId}
-      </div>
-      <div className="prose prose-sm max-w-none text-gray-900">
-        {isMarkdown ? <Streamdown isAnimating={true}>{stream}</Streamdown> : stream}
-      </div>
-    </div>
-  );
-}
diff --git a/references/realtime-streams/src/components/trigger-button.tsx b/references/realtime-streams/src/components/trigger-button.tsx
deleted file mode 100644
index 3ceefb41357..00000000000
--- a/references/realtime-streams/src/components/trigger-button.tsx
+++ /dev/null
@@ -1,34 +0,0 @@
-"use client";
-
-import { triggerStreamTask } from "@/app/actions";
-import { useTransition } from "react";
-
-export function TriggerButton({
-  scenario,
-  useDurableStreams,
-  children,
-  redirect,
-}: {
-  scenario: string;
-  useDurableStreams?: boolean;
-  children: React.ReactNode;
-  redirect?: string;
-}) {
-  const [isPending, startTransition] = useTransition();
-
-  function handleClick() {
-    startTransition(async () => {
-      await triggerStreamTask(scenario, redirect, useDurableStreams);
-    });
-  }
-
-  return (
-    <button
-      onClick={handleClick}
-      disabled={isPending}
-      className="px-6 py-3 bg-blue-600 text-white rounded-lg hover:bg-blue-700 disabled:bg-gray-400 disabled:cursor-not-allowed transition-colors"
-    >
-      {isPending ? "Triggering..." : children}
-    </button>
-  );
-}
diff --git a/references/realtime-streams/src/trigger/ai-chat.ts b/references/realtime-streams/src/trigger/ai-chat.ts
deleted file mode 100644
index d5c681d07ba..00000000000
--- a/references/realtime-streams/src/trigger/ai-chat.ts
+++ /dev/null
@@ -1,79 +0,0 @@
-import { aiStream } from "@/app/streams";
-import { openai } from "@ai-sdk/openai";
-import { logger, streams, task } from "@trigger.dev/sdk";
-import {
-  convertToModelMessages,
-  readUIMessageStream,
-  stepCountIs,
-  streamText,
-  tool,
-  UIMessage,
-} from "ai";
-import { z } from "zod/v4";
-
-export type AIChatPayload = {
-  messages: UIMessage[];
-};
-
-export const aiChatTask = task({
-  id: "ai-chat",
-  run: async (payload: AIChatPayload) => {
-    logger.info("Starting AI chat stream", {
-      messageCount: payload.messages.length,
-    });
-
-    // Stream text from OpenAI
-    const result = streamText({
-      model: openai("gpt-4o"),
-      system: "You are a helpful assistant.",
-      messages: convertToModelMessages(payload.messages),
-      stopWhen: stepCountIs(20),
-      tools: {
-        getCommonUseCases: tool({
-          description: "Get common use cases",
-          inputSchema: z.object({
-            useCase: z.string().describe("The use case to get common use cases for"),
-          }),
-          execute: async ({ useCase }) => {
-            return {
-              useCase,
-              commonUseCases: [
-                "Streaming data to a client",
-                "Streaming data to a server",
-                "Streaming data to a database",
-                "Streaming data to a file",
-                "Streaming data to a socket",
-                "Streaming data to a queue",
-                "Streaming data to a message broker",
-                "Streaming data to a message queue",
-                "Streaming data to a message broker",
-              ],
-            };
-          },
-        }),
-      },
-    });
-
-    // Get the UI message stream
-    const uiMessageStream = result.toUIMessageStream();
-
-    // Append the stream to metadata
-    const { waitUntilComplete, stream } = aiStream.pipe(uiMessageStream);
-
-    for await (const uiMessage of readUIMessageStream({
-      stream: stream,
-    })) {
-      logger.log("Current message state", { uiMessage });
-    }
-
-    // Wait for the stream to complete
-    await waitUntilComplete();
-
-    logger.info("AI chat stream completed");
-
-    return {
-      message: "AI chat stream completed successfully",
-      messageCount: payload.messages.length,
-    };
-  },
-});
diff --git a/references/realtime-streams/src/trigger/approval.ts b/references/realtime-streams/src/trigger/approval.ts
deleted file mode 100644
index 11692820da1..00000000000
--- a/references/realtime-streams/src/trigger/approval.ts
+++ /dev/null
@@ -1,20 +0,0 @@
-import { task, metadata } from "@trigger.dev/sdk";
-import { approvalInputStream } from "../app/streams";
-
-export const approvalTask = task({
-  id: "approval-flow",
-  run: async () => {
-    metadata.set("status", "waiting-for-approval");
-
-    const result = await approvalInputStream.wait({ timeout: "5m" });
-
-    if (result.ok) {
-      metadata.set("status", result.output.approved ? "approved" : "rejected");
-      metadata.set("reviewer", result.output.reviewer);
-    } else {
-      metadata.set("status", "timed-out");
-    }
-
-    return { approval: result };
-  },
-});
diff --git a/references/realtime-streams/src/trigger/messages.ts b/references/realtime-streams/src/trigger/messages.ts
deleted file mode 100644
index 2dfea5e660a..00000000000
--- a/references/realtime-streams/src/trigger/messages.ts
+++ /dev/null
@@ -1,33 +0,0 @@
-import { task, logger, metadata, wait } from "@trigger.dev/sdk";
-import { messageInputStream } from "../app/streams";
-
-export const messagesTask = task({
-  id: "messages-flow",
-  run: async (payload: { messageCount?: number }) => {
-    const expected = payload.messageCount ?? 5;
-    const received: { text: string }[] = [];
-
-    metadata.set("status", "listening");
-    metadata.set("received", 0);
-    metadata.set("expected", expected);
-
-    logger.info("Subscribing to messages via .on()", { expected });
-
-    const { off } = messageInputStream.on((data) => {
-      logger.info("Received message", { data });
-      received.push(data);
-      metadata.set("received", received.length);
-    });
-
-    while (received.length < expected) {
-      await wait.for({ seconds: 1 });
-    }
-
-    off();
-
-    metadata.set("status", "done");
-    logger.info("Done receiving messages", { count: received.length });
-
-    return { messages: received };
-  },
-});
diff --git a/references/realtime-streams/src/trigger/streams.ts b/references/realtime-streams/src/trigger/streams.ts
deleted file mode 100644
index 388ff960aac..00000000000
--- a/references/realtime-streams/src/trigger/streams.ts
+++ /dev/null
@@ -1,1169 +0,0 @@
-import { demoStream } from "@/app/streams";
-import { logger, metadata, streams, task } from "@trigger.dev/sdk";
-import assert from "assert";
-import { setTimeout } from "timers/promises";
-
-export type STREAMS = {
-  demo: string;
-};
-
-export type PerformanceChunk = {
-  timestamp: number; // When the chunk was sent from the task
-  chunkIndex: number;
-  data: string;
-};
-
-export type StreamScenario =
-  | "stall"
-  | "continuous"
-  | "burst"
-  | "slow-steady"
-  | "markdown"
-  | "performance";
-
-export type StreamPayload = {
-  scenario?: StreamScenario;
-  // Stall scenario options
-  stallDurationMs?: number;
-  includePing?: boolean;
-  // Continuous scenario options
-  durationSec?: number;
-  intervalMs?: number;
-  // Burst scenario options
-  burstCount?: number;
-  tokensPerBurst?: number;
-  burstIntervalMs?: number;
-  pauseBetweenBurstsMs?: number;
-  // Slow steady scenario options
-  durationMin?: number;
-  tokenIntervalSec?: number;
-  // Markdown scenario options
-  tokenDelayMs?: number;
-  // Performance scenario options
-  chunkCount?: number;
-  chunkIntervalMs?: number;
-};
-
-export const streamsTask = task({
-  id: "streams",
-  run: async (payload: StreamPayload = {}, { ctx }) => {
-    const scenario = payload.scenario ?? "continuous";
-    logger.info("Starting stream scenario", { scenario });
-
-    let generator: AsyncGenerator<string>;
-    let scenarioDescription: string;
-
-    switch (scenario) {
-      case "stall": {
-        const stallDurationMs = payload.stallDurationMs ?? 3 * 60 * 1000; // Default 3 minutes
-        const includePing = payload.includePing ?? false;
-        generator = generateLLMTokenStream(includePing, stallDurationMs);
-        scenarioDescription = `Stall scenario: ${stallDurationMs / 1000}s with ${
-          includePing ? "ping tokens" : "no pings"
-        }`;
-        break;
-      }
-      case "continuous": {
-        const durationSec = payload.durationSec ?? 45;
-        const intervalMs = payload.intervalMs ?? 10;
-        generator = generateContinuousTokenStream(durationSec, intervalMs);
-        scenarioDescription = `Continuous scenario: ${durationSec}s with ${intervalMs}ms intervals`;
-        break;
-      }
-      case "burst": {
-        const burstCount = payload.burstCount ?? 10;
-        const tokensPerBurst = payload.tokensPerBurst ?? 20;
-        const burstIntervalMs = payload.burstIntervalMs ?? 5;
-        const pauseBetweenBurstsMs = payload.pauseBetweenBurstsMs ?? 2000;
-        generator = generateBurstTokenStream(
-          burstCount,
-          tokensPerBurst,
-          burstIntervalMs,
-          pauseBetweenBurstsMs
-        );
-        scenarioDescription = `Burst scenario: ${burstCount} bursts of ${tokensPerBurst} tokens`;
-        break;
-      }
-      case "slow-steady": {
-        const durationMin = payload.durationMin ?? 5;
-        const tokenIntervalSec = payload.tokenIntervalSec ?? 5;
-        generator = generateSlowSteadyTokenStream(durationMin, tokenIntervalSec);
-        scenarioDescription = `Slow steady scenario: ${durationMin}min with ${tokenIntervalSec}s intervals`;
-        break;
-      }
-      case "markdown": {
-        const tokenDelayMs = payload.tokenDelayMs ?? 15;
-        generator = generateMarkdownTokenStream(tokenDelayMs);
-        scenarioDescription = `Markdown scenario: generating formatted content with ${tokenDelayMs}ms delays`;
-        break;
-      }
-      case "performance": {
-        const chunkCount = payload.chunkCount ?? 500;
-        const chunkIntervalMs = payload.chunkIntervalMs ?? 10;
-        generator = generatePerformanceStream(chunkCount, chunkIntervalMs);
-        scenarioDescription = `Performance scenario: ${chunkCount} chunks with ${chunkIntervalMs}ms intervals`;
-        break;
-      }
-      default: {
-        throw new Error(`Unknown scenario: ${scenario}`);
-      }
-    }
-
-    logger.info("Starting stream", { scenarioDescription });
-
-    const mockStream = createStreamFromGenerator(generator);
-
-    const { waitUntilComplete } = demoStream.pipe(mockStream);
-
-    await waitUntilComplete();
-
-    logger.info("Stream completed", { scenario });
-
-    return {
-      scenario,
-      scenarioDescription,
-    };
-  },
-});
-
-export const streamsChildTask = task({
-  id: "streams-child",
-  run: async (payload: any, { ctx }) => {
-    demoStream.writer({
-      execute: ({ write, merge }) => {
-        write(JSON.stringify({ step: "one" }));
-        write(JSON.stringify({ step: "two" }));
-        write(JSON.stringify({ step: "three" }));
-        merge(
-          new ReadableStream({
-            start(controller) {
-              controller.enqueue(JSON.stringify({ step: "four" }));
-              controller.enqueue(JSON.stringify({ step: "five" }));
-              controller.close();
-            },
-          })
-        );
-      },
-      target: ctx.run.rootTaskRunId,
-    });
-  },
-});
-
-export const streamsTesterTask = task({
-  id: "streams-tester",
-  run: async (payload: any, { ctx }) => {
-    logger.info("Starting multiple source streams tester task");
-
-    await multipleSourceStreamsTesterTask
-      .triggerAndWait(
-        {},
-        {},
-        {
-          clientConfig: {
-            future: {
-              v2RealtimeStreams: false,
-            },
-          },
-        }
-      )
-      .unwrap();
-
-    await multipleSourceStreamsTesterTask
-      .triggerAndWait(
-        {},
-        {},
-        {
-          clientConfig: {
-            future: {
-              v2RealtimeStreams: true,
-            },
-          },
-        }
-      )
-      .unwrap();
-
-    logger.info("✅ Multiple source streams tester tasks completed");
-
-    logger.info("Starting stream append tester task");
-
-    await streamAppendTesterTask
-      .triggerAndWait(
-        {},
-        {},
-        {
-          clientConfig: {
-            future: {
-              v2RealtimeStreams: false,
-            },
-          },
-        }
-      )
-      .unwrap();
-
-    await streamAppendTesterTask
-      .triggerAndWait(
-        {},
-        {},
-        {
-          clientConfig: {
-            future: {
-              v2RealtimeStreams: true,
-            },
-          },
-        }
-      )
-      .unwrap();
-
-    logger.info("✅ Stream append tester task completed");
-
-    logger.info("Starting stream pipe tester task");
-
-    await streamPipeTesterTask
-      .triggerAndWait({}, {}, { clientConfig: { future: { v2RealtimeStreams: true } } })
-      .unwrap();
-
-    logger.info("✅ Stream pipe tester task completed");
-
-    await streamPipeTesterTask
-      .triggerAndWait({}, {}, { clientConfig: { future: { v2RealtimeStreams: false } } })
-      .unwrap();
-
-    logger.info("✅ Stream pipe tester task completed");
-
-    logger.info("Starting stream writer tester task");
-
-    await streamWriterTesterTask
-      .triggerAndWait({}, {}, { clientConfig: { future: { v2RealtimeStreams: true } } })
-      .unwrap();
-
-    logger.info("✅ Stream writer tester task completed");
-
-    await streamWriterTesterTask
-      .triggerAndWait({}, {}, { clientConfig: { future: { v2RealtimeStreams: false } } })
-      .unwrap();
-
-    logger.info("✅ Stream writer tester task completed");
-
-    logger.info("Starting stream wait until tester task");
-
-    await streamWaitUntilTesterTask
-      .triggerAndWait({}, {}, { clientConfig: { future: { v2RealtimeStreams: true } } })
-      .unwrap();
-
-    logger.info("✅ Stream wait until tester task completed");
-
-    await streamWaitUntilTesterTask
-      .triggerAndWait({}, {}, { clientConfig: { future: { v2RealtimeStreams: false } } })
-      .unwrap();
-
-    logger.info("✅ Stream wait until tester task completed");
-
-    logger.info("Starting metadata tester task");
-
-    await metadataTesterTask
-      .triggerAndWait({}, {}, { clientConfig: { future: { v2RealtimeStreams: true } } })
-      .unwrap();
-
-    logger.info("✅ Metadata tester task completed");
-
-    await metadataTesterTask
-      .triggerAndWait({}, {}, { clientConfig: { future: { v2RealtimeStreams: false } } })
-      .unwrap();
-
-    logger.info("✅ Metadata tester task completed");
-
-    logger.info("Starting stream read tester task");
-
-    await streamReadTesterTask
-      .triggerAndWait({}, {}, { clientConfig: { future: { v2RealtimeStreams: true } } })
-      .unwrap();
-
-    logger.info("✅ Stream read tester task completed");
-
-    logger.info("Starting streams stress tester task");
-
-    await streamsStressTesterTask
-      .triggerAndWait(
-        { streamsVersion: "v1" },
-        {},
-        { clientConfig: { future: { v2RealtimeStreams: false } } }
-      )
-      .unwrap();
-
-    logger.info("✅ Streams stress tester task completed");
-
-    await streamsStressTesterTask
-      .triggerAndWait(
-        { streamsVersion: "v2" },
-        {},
-        { clientConfig: { future: { v2RealtimeStreams: true } } }
-      )
-      .unwrap();
-
-    logger.info("✅ Streams stress tester task completed");
-
-    logger.info("Starting end to end latency tester task");
-
-    await endToEndLatencyTesterTask
-      .triggerAndWait(
-        { streamsVersion: "v1" },
-        {},
-        { clientConfig: { future: { v2RealtimeStreams: false } } }
-      )
-      .unwrap();
-
-    logger.info("✅ End to end latency tester task completed");
-
-    await endToEndLatencyTesterTask
-      .triggerAndWait(
-        { streamsVersion: "v2" },
-        {},
-        { clientConfig: { future: { v2RealtimeStreams: true } } }
-      )
-      .unwrap();
-
-    logger.info("✅ End to end latency tester task completed");
-
-    return {
-      message: "Multiple source streams tester tasks completed",
-    };
-  },
-});
-
-const testStream = streams.define<string>({
-  id: "test",
-});
-
-const multipleSourceStreamsTesterTask = task({
-  id: "multiple-source-streams-tester",
-  run: async (payload: any, { ctx }) => {
-    const stream1 = new ReadableStream<string>({
-      start(controller) {
-        controller.enqueue("stream 1 chunk 1");
-        controller.enqueue("stream 1 chunk 2");
-        controller.enqueue("stream 1 chunk 3");
-        controller.close();
-      },
-    });
-
-    const stream2 = new ReadableStream<string>({
-      start(controller) {
-        controller.enqueue("stream 2 chunk 1");
-        controller.enqueue("stream 2 chunk 2");
-        controller.enqueue("stream 2 chunk 3");
-        controller.close();
-      },
-    });
-
-    const { waitUntilComplete: waitUntilComplete1, stream: stream1Stream } = streams.pipe(stream1);
-    const { waitUntilComplete: waitUntilComplete2, stream: stream2Stream } = streams.pipe(stream2);
-
-    await Promise.all([waitUntilComplete1(), waitUntilComplete2()]);
-
-    const stream1Chunks = await convertReadableStreamToArray(stream1Stream);
-    const stream2Chunks = await convertReadableStreamToArray(stream2Stream);
-
-    assert.strictEqual(stream1Chunks.length, 3, "Expected 3 chunks");
-    assert.ok(stream1Chunks.includes("stream 1 chunk 1"), "Expected stream 1 chunk 1");
-    assert.ok(stream1Chunks.includes("stream 1 chunk 2"), "Expected stream 1 chunk 2");
-    assert.ok(stream1Chunks.includes("stream 1 chunk 3"), "Expected stream 1 chunk 3");
-    assert.strictEqual(stream2Chunks.length, 3, "Expected 3 chunks");
-    assert.ok(stream2Chunks.includes("stream 2 chunk 1"), "Expected stream 2 chunk 1");
-    assert.ok(stream2Chunks.includes("stream 2 chunk 2"), "Expected stream 2 chunk 2");
-    assert.ok(stream2Chunks.includes("stream 2 chunk 3"), "Expected stream 2 chunk 3");
-
-    const chunks = [];
-
-    for await (const chunk of await streams.read(ctx.run.id, { timeoutInSeconds: 5 })) {
-      chunks.push(chunk);
-    }
-
-    assert.strictEqual(chunks.length, 6, "Expected 6 chunks");
-    assert.ok(chunks.includes("stream 1 chunk 1"), "Expected stream 1 chunk 1");
-    assert.ok(chunks.includes("stream 1 chunk 2"), "Expected stream 1 chunk 2");
-    assert.ok(chunks.includes("stream 1 chunk 3"), "Expected stream 1 chunk 3");
-    assert.ok(chunks.includes("stream 2 chunk 1"), "Expected stream 2 chunk 1");
-    assert.ok(chunks.includes("stream 2 chunk 2"), "Expected stream 2 chunk 2");
-    assert.ok(chunks.includes("stream 2 chunk 3"), "Expected stream 2 chunk 3");
-
-    return {
-      message: "Streams completed",
-    };
-  },
-});
-
-const streamAppendTesterTask = task({
-  id: "stream-append-tester",
-  run: async (payload: any, { ctx }) => {
-    await streams.append("chunk 1");
-    await streams.append("chunk 2");
-    await streams.append("chunk 3");
-
-    const chunks = [];
-
-    for await (const chunk of await streams.read(ctx.run.id, { timeoutInSeconds: 5 })) {
-      chunks.push(chunk);
-    }
-
-    assert.strictEqual(chunks.length, 3, "Expected 3 chunks");
-    assert.ok(chunks.includes("chunk 1"), "Expected chunk 1");
-    assert.ok(chunks.includes("chunk 2"), "Expected chunk 2");
-    assert.ok(chunks.includes("chunk 3"), "Expected chunk 3");
-
-    await streams.append("named", "chunk 1");
-    await streams.append("named", "chunk 2");
-    await streams.append("named", "chunk 3");
-
-    const namedChunks = [];
-
-    for await (const chunk of await streams.read(ctx.run.id, "named", { timeoutInSeconds: 5 })) {
-      namedChunks.push(chunk);
-    }
-
-    assert.strictEqual(namedChunks.length, 3, "Expected 3 chunks");
-    assert.ok(namedChunks.includes("chunk 1"), "Expected chunk 1");
-    assert.ok(namedChunks.includes("chunk 2"), "Expected chunk 2");
-    assert.ok(namedChunks.includes("chunk 3"), "Expected chunk 3");
-
-    await testStream.append("chunk 1");
-    await testStream.append("chunk 2");
-    await testStream.append("chunk 3");
-
-    const testChunks = [];
-
-    for await (const chunk of await testStream.read(ctx.run.id, { timeoutInSeconds: 5 })) {
-      testChunks.push(chunk);
-    }
-
-    assert.strictEqual(testChunks.length, 3, "Expected 3 chunks");
-    assert.ok(testChunks.includes("chunk 1"), "Expected chunk 1");
-    assert.ok(testChunks.includes("chunk 2"), "Expected chunk 2");
-    assert.ok(testChunks.includes("chunk 3"), "Expected chunk 3");
-
-    await streamAppendChildTask.triggerAndWait(
-      {},
-      {},
-      { clientConfig: { future: { v2RealtimeStreams: true } } }
-    );
-
-    const childChunks = [];
-
-    for await (const chunk of await streams.read(ctx.run.id, "child", { timeoutInSeconds: 5 })) {
-      childChunks.push(chunk);
-    }
-
-    assert.strictEqual(childChunks.length, 3, "Expected 3 chunks");
-    assert.ok(childChunks.includes("child chunk 1"), "Expected child chunk 1");
-    assert.ok(childChunks.includes("child chunk 2"), "Expected child chunk 2");
-    assert.ok(childChunks.includes("child chunk 3"), "Expected child chunk 3");
-
-    return {
-      message: "Stream append completed",
-    };
-  },
-});
-
-const streamAppendChildTask = task({
-  id: "stream-append-child",
-  run: async (payload: any, { ctx }) => {
-    await streams.append("child", "child chunk 1", { target: ctx.run.parentTaskRunId });
-    await streams.append("child", "child chunk 2", { target: "parent" });
-    await streams.append("child", "child chunk 3", { target: "parent" });
-  },
-});
-
-const streamPipeTesterTask = task({
-  id: "stream-pipe-tester",
-  run: async (payload: any, { ctx }) => {
-    const { waitUntilComplete } = streams.pipe(
-      new ReadableStream({
-        start(controller) {
-          controller.enqueue("chunk 1");
-          controller.enqueue("chunk 2");
-          controller.enqueue("chunk 3");
-          controller.close();
-        },
-      })
-    );
-
-    await waitUntilComplete();
-
-    const chunks = [];
-
-    for await (const chunk of await streams.read(ctx.run.id, { timeoutInSeconds: 5 })) {
-      chunks.push(chunk);
-    }
-
-    assert.strictEqual(chunks.length, 3, "Expected 3 chunks");
-    assert.ok(chunks.includes("chunk 1"), "Expected chunk 1");
-    assert.ok(chunks.includes("chunk 2"), "Expected chunk 2");
-    assert.ok(chunks.includes("chunk 3"), "Expected chunk 3");
-
-    const { waitUntilComplete: waitUntilComplete2 } = streams.pipe(
-      "named",
-      new ReadableStream({
-        start(controller) {
-          controller.enqueue("chunk 1");
-          controller.enqueue("chunk 2");
-          controller.enqueue("chunk 3");
-          controller.close();
-        },
-      })
-    );
-
-    await waitUntilComplete2();
-
-    const namedChunks = [];
-
-    for await (const chunk of await streams.read(ctx.run.id, "named", { timeoutInSeconds: 5 })) {
-      namedChunks.push(chunk);
-    }
-
-    assert.strictEqual(namedChunks.length, 3, "Expected 3 chunks");
-    assert.ok(namedChunks.includes("chunk 1"), "Expected chunk 1");
-    assert.ok(namedChunks.includes("chunk 2"), "Expected chunk 2");
-    assert.ok(namedChunks.includes("chunk 3"), "Expected chunk 3");
-
-    const { waitUntilComplete: waitUntilComplete3 } = testStream.pipe(
-      new ReadableStream({
-        start(controller) {
-          controller.enqueue("chunk 1");
-          controller.enqueue("chunk 2");
-          controller.enqueue("chunk 3");
-          controller.close();
-        },
-      })
-    );
-
-    await waitUntilComplete3();
-
-    const testChunks = [];
-
-    for await (const chunk of await testStream.read(ctx.run.id, { timeoutInSeconds: 5 })) {
-      testChunks.push(chunk);
-    }
-
-    assert.strictEqual(testChunks.length, 3, "Expected 3 chunks");
-    assert.ok(testChunks.includes("chunk 1"), "Expected chunk 1");
-    assert.ok(testChunks.includes("chunk 2"), "Expected chunk 2");
-    assert.ok(testChunks.includes("chunk 3"), "Expected chunk 3");
-
-    return {
-      message: "Stream pipe completed",
-    };
-  },
-});
-
-const streamWriterTesterTask = task({
-  id: "stream-writer-tester",
-  run: async (payload: any, { ctx }) => {
-    const { waitUntilComplete, stream } = streams.writer({
-      execute: async ({ write, merge }) => {
-        write("chunk 1");
-        write("chunk 2");
-        write("chunk 3");
-      },
-    });
-
-    await waitUntilComplete();
-
-    const chunks = [];
-
-    for await (const chunk of await streams.read<string>(ctx.run.id, { timeoutInSeconds: 5 })) {
-      chunks.push(chunk);
-    }
-
-    assert.strictEqual(chunks.length, 3, "Expected 3 chunks");
-    assert.ok(chunks.includes("chunk 1"), "Expected chunk 1");
-    assert.ok(chunks.includes("chunk 2"), "Expected chunk 2");
-    assert.ok(chunks.includes("chunk 3"), "Expected chunk 3");
-
-    const { waitUntilComplete: waitUntilComplete2 } = streams.writer("named", {
-      execute: async ({ write, merge }) => {
-        write("chunk 1");
-        write("chunk 2");
-        write("chunk 3");
-      },
-    });
-
-    await waitUntilComplete2();
-
-    const namedChunks = [];
-
-    for await (const chunk of await streams.read(ctx.run.id, "named", { timeoutInSeconds: 5 })) {
-      namedChunks.push(chunk);
-    }
-
-    assert.strictEqual(namedChunks.length, 3, "Expected 3 chunks");
-    assert.ok(namedChunks.includes("chunk 1"), "Expected chunk 1");
-    assert.ok(namedChunks.includes("chunk 2"), "Expected chunk 2");
-    assert.ok(namedChunks.includes("chunk 3"), "Expected chunk 3");
-
-    const { waitUntilComplete: waitUntilComplete3 } = testStream.writer({
-      execute: async ({ write, merge }) => {
-        write("chunk 1");
-        write("chunk 2");
-        write("chunk 3");
-      },
-    });
-
-    await waitUntilComplete3();
-
-    const testChunks = [];
-
-    for await (const chunk of await testStream.read(ctx.run.id, { timeoutInSeconds: 5 })) {
-      testChunks.push(chunk);
-    }
-
-    assert.strictEqual(testChunks.length, 3, "Expected 3 chunks");
-    assert.ok(testChunks.includes("chunk 1"), "Expected chunk 1");
-    assert.ok(testChunks.includes("chunk 2"), "Expected chunk 2");
-    assert.ok(testChunks.includes("chunk 3"), "Expected chunk 3");
-
-    const { waitUntilComplete: waitUntilComplete4 } = streams.writer("merging", {
-      execute: async ({ write, merge }) => {
-        merge(
-          new ReadableStream({
-            start(controller) {
-              controller.enqueue("chunk 1");
-              controller.enqueue("chunk 2");
-              controller.enqueue("chunk 3");
-              controller.close();
-            },
-          })
-        );
-      },
-    });
-
-    await waitUntilComplete4();
-
-    const mergingChunks = [];
-
-    for await (const chunk of await streams.read(ctx.run.id, "merging", { timeoutInSeconds: 5 })) {
-      mergingChunks.push(chunk);
-    }
-
-    assert.strictEqual(mergingChunks.length, 3, "Expected 3 chunks");
-    assert.ok(mergingChunks.includes("chunk 1"), "Expected chunk 1");
-    assert.ok(mergingChunks.includes("chunk 2"), "Expected chunk 2");
-    assert.ok(mergingChunks.includes("chunk 3"), "Expected chunk 3");
-
-    return {
-      message: "Stream writer completed",
-    };
-  },
-});
-
-const streamWaitUntilTesterTask = task({
-  id: "stream-wait-until-tester",
-  run: async (payload: any, { ctx }) => {
-    const result = await streamWaitUntilTesterChildTask.triggerAndWait(
-      {},
-      {},
-      { clientConfig: { future: { v2RealtimeStreams: true } } }
-    );
-
-    const chunks = [];
-
-    for await (const chunk of await streams.read(result.id, { timeoutInSeconds: 5 })) {
-      chunks.push(chunk);
-    }
-
-    const generator = generateContinuousTokenStream(10, 100);
-    const stream = createStreamFromGenerator(generator);
-
-    const expectedChunks = await convertReadableStreamToArray(stream);
-
-    assert.strictEqual(chunks.length, expectedChunks.length, "Expected chunks to be the same");
-    assert.deepStrictEqual(chunks, expectedChunks, "Expected chunks to be the same");
-
-    return {
-      message: "Stream wait until tester completed",
-    };
-  },
-});
-
-const streamWaitUntilTesterChildTask = task({
-  id: "stream-wait-until-tester",
-  run: async (payload: any, { ctx }) => {
-    const generator = generateContinuousTokenStream(10, 100);
-    const stream = createStreamFromGenerator(generator);
-
-    streams.pipe(stream); // This should register with the waitUntil system
-
-    return;
-  },
-});
-
-const metadataTesterTask = task({
-  id: "metadata-tester",
-  run: async (payload: { parentId?: string }, { ctx }) => {
-    await metadata.stream(
-      "default",
-      new ReadableStream({
-        start(controller) {
-          controller.enqueue("chunk 1");
-          controller.enqueue("chunk 2");
-          controller.enqueue("chunk 3");
-          controller.close();
-        },
-      })
-    );
-
-    const chunks = [];
-
-    for await (const chunk of await streams.read(ctx.run.id, "default", { timeoutInSeconds: 5 })) {
-      chunks.push(chunk);
-    }
-
-    assert.strictEqual(chunks.length, 3, "Expected 3 chunks");
-    assert.ok(chunks.includes("chunk 1"), "Expected chunk 1");
-    assert.ok(chunks.includes("chunk 2"), "Expected chunk 2");
-    assert.ok(chunks.includes("chunk 3"), "Expected chunk 3");
-
-    if (payload.parentId) {
-      await metadata.parent.stream(
-        "parent",
-        new ReadableStream({
-          start(controller) {
-            controller.enqueue("chunk 1");
-            controller.enqueue("chunk 2");
-            controller.enqueue("chunk 3");
-            controller.close();
-          },
-        })
-      );
-
-      const parentChunks = [];
-
-      for await (const chunk of await streams.read(payload.parentId, "parent", {
-        timeoutInSeconds: 5,
-      })) {
-        parentChunks.push(chunk);
-      }
-
-      assert.strictEqual(parentChunks.length, 3, "Expected 3 chunks");
-      assert.ok(parentChunks.includes("chunk 1"), "Expected chunk 1");
-      assert.ok(parentChunks.includes("chunk 2"), "Expected chunk 2");
-      assert.ok(parentChunks.includes("chunk 3"), "Expected chunk 3");
-    } else {
-      await metadataTesterTask.triggerAndWait(
-        { parentId: ctx.run.id },
-        {},
-        { clientConfig: { future: { v2RealtimeStreams: true } } }
-      );
-    }
-  },
-});
-
-const streamReadTesterTask = task({
-  id: "stream-read-tester",
-  run: async (payload: any, { ctx }) => {
-    const { waitUntilComplete } = streams.pipe(
-      new ReadableStream({
-        start(controller) {
-          controller.enqueue("chunk 1");
-          controller.enqueue("chunk 2");
-          controller.enqueue("chunk 3");
-          controller.enqueue("chunk 4");
-          controller.enqueue("chunk 5");
-          controller.enqueue("chunk 6");
-          controller.close();
-        },
-      })
-    );
-
-    await waitUntilComplete();
-
-    const chunks = [];
-    for await (const chunk of await streams.read(ctx.run.id, { timeoutInSeconds: 5 })) {
-      chunks.push(chunk);
-    }
-
-    assert.strictEqual(chunks.length, 6, "Expected 6 chunks");
-
-    // Now read starting from the 4th chunk
-    // This only properly works with v2 realtime streams
-    const chunks2 = [];
-    for await (const chunk of await streams.read(ctx.run.id, {
-      timeoutInSeconds: 5,
-      startIndex: 3,
-    })) {
-      chunks2.push(chunk);
-    }
-
-    assert.strictEqual(chunks2.length, 3, "Expected 3 chunks");
-
-    return {
-      message: "Stream read tester completed",
-    };
-  },
-});
-
-const streamsStressTesterTask = task({
-  id: "streams-stress-tester",
-  run: async (payload: { streamsVersion: "v1" | "v2" }, { ctx }) => {
-    const stream = createStreamFromGenerator(generateContinuousTokenStream(60, 5));
-
-    const { waitUntilComplete } = streams.pipe(stream);
-
-    await waitUntilComplete();
-
-    const chunks = [];
-
-    for await (const chunk of await streams.read(ctx.run.id, { timeoutInSeconds: 10 })) {
-      chunks.push(chunk);
-    }
-
-    logger.info("Received chunks", {
-      chunks: chunks.length,
-      streamsVersion: payload.streamsVersion,
-    });
-
-    switch (payload.streamsVersion) {
-      case "v1": {
-        break;
-      }
-      case "v2": {
-        assert.ok(chunks.length > 2000, "Expected more than 2000 chunks");
-        break;
-      }
-    }
-
-    return {
-      message: "Streams stress tester completed",
-    };
-  },
-});
-
-const endToEndLatencyTesterTask = task({
-  id: "end-to-end-latency-tester",
-  run: async (payload: any, { ctx }) => {
-    console.log(
-      `Starting end to end latency tester task for ${payload.streamsVersion} streams version`
-    );
-
-    const stream = createStreamFromGenerator(generatePerformanceStream(1000, 10));
-
-    const { waitUntilComplete } = streams.pipe(stream);
-
-    const latencies = [];
-
-    const abortController = new AbortController();
-
-    for await (const chunk of await streams.read(ctx.run.id, {
-      timeoutInSeconds: 120,
-      signal: abortController.signal,
-    })) {
-      const performanceChunk = JSON.parse(chunk as any) as PerformanceChunk;
-
-      // Calculate the latency
-      const latency = Date.now() - performanceChunk.timestamp;
-
-      latencies.push({ latency, index: performanceChunk.chunkIndex });
-
-      if (latencies.length === 1000) {
-        console.log("1000 chunks received, aborting");
-        abortController.abort();
-      }
-    }
-
-    await waitUntilComplete();
-
-    // Calculate the min, max, p50 and p95 latencies
-    const minLatency = Math.min(...latencies.map((l) => l.latency));
-    const maxLatency = Math.max(...latencies.map((l) => l.latency));
-    const p50Latency = latencies.sort((a, b) => a.latency - b.latency)[
-      Math.floor(latencies.length * 0.5)
-    ];
-    const p95Latency = latencies.sort((a, b) => a.latency - b.latency)[
-      Math.floor(latencies.length * 0.95)
-    ];
-
-    const p50LatencyValue = p50Latency.latency;
-    const p95LatencyValue = p95Latency.latency;
-
-    console.log(`Min latency: ${minLatency}ms`);
-    console.log(`Max latency: ${maxLatency}ms`);
-    console.log(`P50 latency: ${p50LatencyValue}ms`);
-    console.log(`P95 latency: ${p95LatencyValue}ms`);
-
-    return {
-      message: "End to end latency tester completed",
-    };
-  },
-});
-
-async function* generateLLMTokenStream(
-  includePing: boolean = false,
-  stallDurationMs: number = 10 * 60 * 1000
-) {
-  // Simulate initial LLM tokens (faster, like a real LLM)
-  const initialTokens = [
-    "Hello",
-    " there",
-    "!",
-    " I'm",
-    " going",
-    " to",
-    " tell",
-    " you",
-    " a",
-    " story",
-    ".",
-    "\n",
-    " Once",
-    " upon",
-    " a",
-    " time",
-  ];
-
-  // Stream initial tokens with realistic LLM timing
-  for (const token of initialTokens) {
-    await setTimeout(Math.random() * 10 + 5); // 5-15ms delay
-    yield token;
-  }
-
-  // "Stall" window - emit a token every 30 seconds
-  const stallIntervalMs = 30 * 1000; // 30 seconds
-  const stallTokenCount = Math.floor(stallDurationMs / stallIntervalMs);
-  logger.info(
-    `Entering stall window for ${stallDurationMs}ms (${
-      stallDurationMs / 1000 / 60
-    } minutes) - emitting ${stallTokenCount} tokens`
-  );
-
-  for (let i = 0; i < stallTokenCount; i++) {
-    await setTimeout(stallIntervalMs);
-    if (includePing) {
-      yield "."; // Emit a single period token every 30 seconds
-    }
-  }
-
-  logger.info("Resuming normal stream after stall window");
-
-  // Continue with more LLM tokens after stall
-  const continuationTokens = [
-    " there",
-    " was",
-    " a",
-    " developer",
-    " who",
-    " needed",
-    " to",
-    " test",
-    " streaming",
-    ".",
-    " They",
-    " used",
-    " Trigger",
-    ".dev",
-    " and",
-    " it",
-    " worked",
-    " perfectly",
-    "!",
-  ];
-
-  for (const token of continuationTokens) {
-    await setTimeout(Math.random() * 10 + 5); // 5-15ms delay
-    yield token;
-  }
-}
-
-// Continuous stream: emit tokens at regular intervals for a specified duration
-async function* generateContinuousTokenStream(durationSec: number, intervalMs: number) {
-  const words = [
-    "The",
-    "quick",
-    "brown",
-    "fox",
-    "jumps",
-    "over",
-    "the",
-    "lazy",
-    "dog",
-    "while",
-    "streaming",
-    "tokens",
-    "continuously",
-    "at",
-    "regular",
-    "intervals",
-    "to",
-    "test",
-    "real-time",
-    "data",
-    "flow",
-  ];
-
-  const endTime = Date.now() + durationSec * 1000;
-  let wordIndex = 0;
-
-  while (Date.now() < endTime) {
-    await setTimeout(intervalMs);
-    yield words[wordIndex % words.length] + " ";
-    wordIndex++;
-  }
-
-  yield "\n[Stream completed]";
-}
-
-// Burst stream: emit rapid bursts of tokens with pauses between bursts
-async function* generateBurstTokenStream(
-  burstCount: number,
-  tokensPerBurst: number,
-  burstIntervalMs: number,
-  pauseBetweenBurstsMs: number
-) {
-  const tokens = "abcdefghijklmnopqrstuvwxyz".split("");
-
-  for (let burst = 0; burst < burstCount; burst++) {
-    yield `\n[Burst ${burst + 1}/${burstCount}] `;
-
-    // Emit tokens rapidly in this burst
-    for (let token = 0; token < tokensPerBurst; token++) {
-      await setTimeout(burstIntervalMs);
-      yield tokens[token % tokens.length];
-    }
-
-    // Pause between bursts (except after the last burst)
-    if (burst < burstCount - 1) {
-      await setTimeout(pauseBetweenBurstsMs);
-    }
-  }
-
-  yield "\n[All bursts completed]";
-}
-
-// Slow steady stream: emit tokens at longer intervals over many minutes
-async function* generateSlowSteadyTokenStream(durationMin: number, tokenIntervalSec: number) {
-  const sentences = [
-    "This is a slow and steady stream.",
-    "Each token arrives after several seconds.",
-    "Perfect for testing long-running connections.",
-    "The stream maintains a consistent pace.",
-    "Patience is key when testing reliability.",
-    "Connections should remain stable throughout.",
-    "This helps verify timeout handling.",
-    "Real-world streams often have variable timing.",
-    "Testing edge cases is important.",
-    "Almost done with the slow stream test.",
-  ];
-
-  const endTime = Date.now() + durationMin * 60 * 1000;
-  let sentenceIndex = 0;
-
-  while (Date.now() < endTime) {
-    const sentence = sentences[sentenceIndex % sentences.length];
-    yield `${sentence} `;
-
-    sentenceIndex++;
-    await setTimeout(tokenIntervalSec * 1000);
-  }
-
-  yield "\n[Long stream completed successfully]";
-}
-
-// Markdown stream: emit realistic markdown content as tokens (8 characters at a time)
-async function* generateMarkdownTokenStream(tokenDelayMs: number) {
-  const markdownContent =
-    "# Streaming Markdown Example\n\n" +
-    "This is a demonstration of **streaming markdown** content in real-time. The content is being generated *token by token*, simulating how an LLM might generate formatted text.\n\n" +
-    "## Features\n\n" +
-    "Here are some key features being tested:\n\n" +
-    "- **Bold text** for emphasis\n" +
-    "- *Italic text* for subtle highlighting\n" +
-    "- `inline code` for technical terms\n" +
-    "- [Links](https://trigger.dev) to external resources\n\n" +
-    "### Code Examples\n\n" +
-    "You can also stream code blocks:\n\n" +
-    "```typescript\n" +
-    'import { task, metadata } from "@trigger.dev/sdk";\n\n' +
-    "export const myTask = task({\n" +
-    '  id: "example-task",\n' +
-    "  run: async (payload) => {\n" +
-    '    const stream = await metadata.stream("output", myStream);\n' +
-    "    \n" +
-    "    for await (const chunk of stream) {\n" +
-    "      console.log(chunk);\n" +
-    "    }\n" +
-    "    \n" +
-    "    return { success: true };\n" +
-    "  },\n" +
-    "});\n" +
-    "```\n\n" +
-    "### Lists and Structure\n\n" +
-    "Numbered lists work great too:\n\n" +
-    "1. First item with important details\n" +
-    "2. Second item with more context\n" +
-    "3. Third item completing the sequence\n\n" +
-    "#### Nested Content\n\n" +
-    "> Blockquotes are useful for highlighting important information or quoting external sources.\n\n" +
-    "You can combine **_bold and italic_** text, or use ~~strikethrough~~ for corrections.\n\n" +
-    "## Technical Details\n\n" +
-    "| Feature | Status | Notes |\n" +
-    "|---------|--------|-------|\n" +
-    "| Streaming | ✓ | Working perfectly |\n" +
-    "| Markdown | ✓ | Full support |\n" +
-    "| Realtime | ✓ | Sub-second latency |\n\n" +
-    "### Conclusion\n\n" +
-    "This markdown streaming scenario demonstrates how formatted content can be transmitted in real-time, maintaining proper structure and formatting throughout the stream.\n\n" +
-    "---\n\n" +
-    "*Generated with Trigger.dev realtime streams* 🚀\n";
-
-  // Stream tokens of 8 characters at a time with 5ms delay
-  // Use Array.from() to properly handle Unicode characters
-  const CHARACTERS_PER_TOKEN = 8;
-  const DELAY_MS = 5;
-
-  const characters = Array.from(markdownContent);
-
-  for (let i = 0; i < characters.length; i += CHARACTERS_PER_TOKEN) {
-    await setTimeout(DELAY_MS);
-    yield characters.slice(i, i + CHARACTERS_PER_TOKEN).join("");
-  }
-}
-
-// Performance stream: emit JSON chunks with timestamps for latency measurement
-async function* generatePerformanceStream(chunkCount: number, chunkIntervalMs: number) {
-  for (let i = 0; i < chunkCount; i++) {
-    await setTimeout(chunkIntervalMs);
-
-    const chunk: PerformanceChunk = {
-      timestamp: Date.now(),
-      chunkIndex: i,
-      data: `Chunk ${i + 1}/${chunkCount}`,
-    };
-
-    yield JSON.stringify(chunk);
-  }
-}
-
-// Convert to ReadableStream
-function createStreamFromGenerator(generator: AsyncGenerator<string>) {
-  return new ReadableStream({
-    async start(controller) {
-      for await (const chunk of generator) {
-        controller.enqueue(chunk);
-      }
-
-      controller.close();
-    },
-  });
-}
-
-async function convertReadableStreamToArray<TPart>(
-  stream: ReadableStream<TPart>
-): Promise<TPart[]> {
-  const chunks: TPart[] = [];
-  const reader = stream.getReader();
-  while (true) {
-    const { done, value } = await reader.read();
-    if (done) break;
-    chunks.push(value);
-  }
-
-  reader.releaseLock();
-  return chunks;
-}
diff --git a/references/realtime-streams/trigger.config.ts b/references/realtime-streams/trigger.config.ts
deleted file mode 100644
index 7346fbeec01..00000000000
--- a/references/realtime-streams/trigger.config.ts
+++ /dev/null
@@ -1,7 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk";
-
-export default defineConfig({
-  project: process.env.TRIGGER_PROJECT_REF!,
-  dirs: ["./src/trigger"],
-  maxDuration: 3600,
-});
diff --git a/references/realtime-streams/tsconfig.json b/references/realtime-streams/tsconfig.json
deleted file mode 100644
index c1334095f87..00000000000
--- a/references/realtime-streams/tsconfig.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2017",
-    "lib": ["dom", "dom.iterable", "esnext"],
-    "allowJs": true,
-    "skipLibCheck": true,
-    "strict": true,
-    "noEmit": true,
-    "esModuleInterop": true,
-    "module": "esnext",
-    "moduleResolution": "bundler",
-    "resolveJsonModule": true,
-    "isolatedModules": true,
-    "jsx": "preserve",
-    "incremental": true,
-    "plugins": [
-      {
-        "name": "next"
-      }
-    ],
-    "paths": {
-      "@/*": ["./src/*"]
-    }
-  },
-  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
-  "exclude": ["node_modules"]
-}
diff --git a/references/seed/.gitignore b/references/seed/.gitignore
deleted file mode 100644
index 6524f048dcb..00000000000
--- a/references/seed/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-.trigger
\ No newline at end of file
diff --git a/references/seed/package.json b/references/seed/package.json
deleted file mode 100644
index aa788c467a1..00000000000
--- a/references/seed/package.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
-  "name": "references-seed",
-  "private": true,
-  "type": "module",
-  "devDependencies": {
-    "trigger.dev": "workspace:*"
-  },
-  "dependencies": {
-    "@trigger.dev/build": "workspace:*",
-    "@trigger.dev/sdk": "workspace:*",
-    "arktype": "^2.0.0",
-    "openai": "^4.97.0",
-    "puppeteer-core": "^24.15.0",
-    "replicate": "^1.0.1",
-    "yup": "^1.6.1",
-    "zod": "3.25.76",
-    "@sinclair/typebox": "^0.34.3"
-  },
-  "scripts": {
-    "dev": "trigger dev",
-    "deploy": "trigger deploy"
-  }
-}
diff --git a/references/seed/src/index.ts b/references/seed/src/index.ts
deleted file mode 100644
index cb0ff5c3b54..00000000000
--- a/references/seed/src/index.ts
+++ /dev/null
@@ -1 +0,0 @@
-export {};
diff --git a/references/seed/src/trigger/logSpammer.ts b/references/seed/src/trigger/logSpammer.ts
deleted file mode 100644
index 7156b556020..00000000000
--- a/references/seed/src/trigger/logSpammer.ts
+++ /dev/null
@@ -1,109 +0,0 @@
-import { logger, task, wait } from "@trigger.dev/sdk/v3";
-
-const LONG_TEXT = `Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.`;
-
-const SEARCHABLE_TERMS = [
-  "authentication_failed",
-  "database_connection_error",
-  "payment_processed",
-  "user_registration_complete",
-  "api_rate_limit_exceeded",
-  "cache_invalidation",
-  "webhook_delivery_success",
-  "session_expired",
-  "file_upload_complete",
-  "email_sent_successfully",
-];
-
-function generateLargeJson(index: number) {
-  return {
-    requestId: `req_${Date.now()}_${index}`,
-    timestamp: new Date().toISOString(),
-    metadata: {
-      source: "log-spammer-task",
-      environment: "development",
-      version: "1.0.0",
-      region: ["us-east-1", "eu-west-1", "ap-southeast-1"][index % 3],
-    },
-    user: {
-      id: `user_${1000 + index}`,
-      email: `testuser${index}@example.com`,
-      name: `Test User ${index}`,
-      preferences: {
-        theme: index % 2 === 0 ? "dark" : "light",
-        notifications: { email: true, push: false, sms: index % 3 === 0 },
-        language: ["en", "es", "fr", "de"][index % 4],
-      },
-    },
-    payload: {
-      items: Array.from({ length: 5 }, (_, i) => ({
-        itemId: `item_${index}_${i}`,
-        name: `Product ${i}`,
-        price: Math.random() * 100,
-        quantity: Math.floor(Math.random() * 10) + 1,
-        tags: ["electronics", "sale", "featured"].slice(0, (i % 3) + 1),
-      })),
-      totals: {
-        subtotal: Math.random() * 500,
-        tax: Math.random() * 50,
-        shipping: Math.random() * 20,
-        discount: Math.random() * 30,
-      },
-    },
-    debugInfo: {
-      stackTrace: `Error: ${SEARCHABLE_TERMS[index % SEARCHABLE_TERMS.length]}\n    at processRequest (/app/src/handlers/main.ts:${100 + index}:15)\n    at handleEvent (/app/src/events/processor.ts:${50 + index}:8)\n    at async Runtime.handler (/app/src/index.ts:25:3)`,
-      memoryUsage: { heapUsed: 45000000 + index * 1000, heapTotal: 90000000 },
-      cpuTime: Math.random() * 1000,
-    },
-    longDescription: LONG_TEXT.repeat(2),
-  };
-}
-
-export const logSpammerTask = task({
-  id: "log-spammer",
-  maxDuration: 300,
-  run: async () => {
-    logger.info("Starting log spammer task for search testing");
-
-    for (let i = 0; i < 50; i++) {
-      const term = SEARCHABLE_TERMS[i % SEARCHABLE_TERMS.length];
-      const jsonPayload = generateLargeJson(i);
-
-      logger.log(`Processing event: ${term}`, { data: jsonPayload });
-
-      if (i % 5 === 0) {
-        logger.warn(`Warning triggered for ${term}`, {
-          warningCode: `WARN_${i}`,
-          details: jsonPayload,
-          longMessage: LONG_TEXT,
-        });
-      }
-
-      if (i % 10 === 0) {
-        logger.error(`Error encountered: ${term}`, {
-          errorCode: `ERR_${i}`,
-          stack: jsonPayload.debugInfo.stackTrace,
-          context: jsonPayload,
-        });
-      }
-
-      logger.debug(`Debug info for iteration ${i}`, {
-        iteration: i,
-        searchTerm: term,
-        fullPayload: jsonPayload,
-        additionalText: `${LONG_TEXT} --- Iteration ${i} complete with term ${term}`,
-      });
-
-      if (i % 10 === 0) {
-        await wait.for({ seconds: 0.5 });
-      }
-    }
-
-    logger.info("Log spammer task completed", {
-      totalLogs: 50 * 4,
-      searchableTerms: SEARCHABLE_TERMS,
-    });
-
-    return { success: true, logsGenerated: 200 };
-  },
-});
diff --git a/references/seed/src/trigger/seedTask.ts b/references/seed/src/trigger/seedTask.ts
deleted file mode 100644
index 2fb43054924..00000000000
--- a/references/seed/src/trigger/seedTask.ts
+++ /dev/null
@@ -1,32 +0,0 @@
-import { task, batch } from "@trigger.dev/sdk/v3";
-import { ErrorTask } from "./throwError.js";
-import { SpanSpammerTask } from "./spanSpammer.js";
-import { logSpammerTask } from "./logSpammer.js";
-
-export const seedTask = task({
-  id: "seed-task",
-  run: async (payload: any, { ctx }) => {
-    let tasksToRun = [];
-
-    for (let i = 0; i < 10; i++) {
-      tasksToRun.push({
-        id: "simple-throw-error",
-        payload: {},
-        options: { delay: `${i}s` },
-      });
-    }
-
-    tasksToRun.push({
-      id: "span-spammer",
-      payload: {},
-    });
-
-    tasksToRun.push({
-      id: "log-spammer",
-      payload: {},
-    });
-
-    await batch.triggerAndWait(tasksToRun);
-    return;
-  },
-});
diff --git a/references/seed/src/trigger/spanSpammer.ts b/references/seed/src/trigger/spanSpammer.ts
deleted file mode 100644
index dc79ce93bf0..00000000000
--- a/references/seed/src/trigger/spanSpammer.ts
+++ /dev/null
@@ -1,66 +0,0 @@
-import { logger, task, wait, metadata } from "@trigger.dev/sdk/v3";
-
-const CONFIG = {
-  delayBetweenBatchesSeconds: 0.2,
-  logsPerBatch: 30,
-  totalBatches: 100,
-  initialDelaySeconds: 5,
-} as const;
-
-export const SpanSpammerTask = task({
-  id: "span-spammer",
-  maxDuration: 300,
-  run: async (payload: any, { ctx }) => {
-    const context = { payload, ctx };
-    let logCount = 0;
-
-    // 30s trace with events every 5s
-    await logger.trace("10s-span", async () => {
-      const totalSeconds = 10;
-      const intervalSeconds = 2;
-      const totalEvents = totalSeconds / intervalSeconds;
-
-      logger.info("Starting 30s span", context);
-
-      for (let i = 1; i <= totalEvents; i++) {
-        await wait.for({ seconds: intervalSeconds });
-        logger.info(`Inner event ${i}/${totalEvents} at ${i * intervalSeconds}s`, context);
-      }
-
-      logger.info("Completed 30s span", context);
-    });
-
-    logger.info("Starting span spammer task", context);
-    logger.warn("This will generate a lot of logs", context);
-
-
-    const emitBatch = (prefix: string) => {
-      logger.debug("Started spam batch emit!", context);
-
-      for (let i = 0; i < CONFIG.logsPerBatch; i++) {
-        logger.log(`${prefix} ${++logCount}`, context);
-      }
-
-      logger.debug('Completed spam batch emit!', context);
-    };
-
-    emitBatch("Log number");
-    await wait.for({ seconds: CONFIG.initialDelaySeconds });
-
-    for (let batch = 0; batch < CONFIG.totalBatches; batch++) {
-      await wait.for({ seconds: CONFIG.delayBetweenBatchesSeconds });
-      emitBatch("This is a test log!!! Log number: ");
-    }
-
-    metadata.parent.set("childStatus", "running");
-    metadata.parent.increment("completedChildren", 1);
-
-    // Update the root run's metadata (top-level run in the chain)
-    metadata.root.set("deepChildStatus", "done");
-    metadata.root.append("completedTasks", "child-task");
-
-
-    logger.info("Completed span spammer task", context);
-    return { message: `Created ${logCount} logs` };
-  },
-});
diff --git a/references/seed/src/trigger/throwError.ts b/references/seed/src/trigger/throwError.ts
deleted file mode 100644
index 5f2d623a015..00000000000
--- a/references/seed/src/trigger/throwError.ts
+++ /dev/null
@@ -1,16 +0,0 @@
-import { logger, task, wait } from "@trigger.dev/sdk/v3";
-
-
-export const ErrorTask = task({
-  id: "simple-throw-error",
-  maxDuration: 60,
-  run: async (payload: any, { ctx }) => {
-    logger.log("This task is about to throw an error!", { payload, ctx });
-
-    await wait.for({ seconds: 9 });
-    throw new Error("This is an expected test error from ErrorTask!");
-  },
-  onFailure: async ({ payload, error, ctx }) => {
-    logger.warn("ErrorTask failed!", { payload, error, ctx });
-  }
-});
diff --git a/references/seed/trigger.config.ts b/references/seed/trigger.config.ts
deleted file mode 100644
index f87620cd780..00000000000
--- a/references/seed/trigger.config.ts
+++ /dev/null
@@ -1,56 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk/v3";
-import { syncEnvVars } from "@trigger.dev/build/extensions/core";
-import { lightpanda } from "@trigger.dev/build/extensions/lightpanda";
-
-export default defineConfig({
-  compatibilityFlags: ["run_engine_v2"],
-  project: process.env.TRIGGER_PROJECT_REF!,
-  experimental_processKeepAlive: {
-    enabled: true,
-    maxExecutionsPerProcess: 20,
-  },
-  logLevel: "debug",
-  maxDuration: 3600,
-  retries: {
-    enabledInDev: true,
-    default: {
-      maxAttempts: 3,
-      minTimeoutInMs: 1000,
-      maxTimeoutInMs: 10000,
-      factor: 2,
-      randomize: true,
-    },
-  },
-  machine: "small-2x",
-  build: {
-    extensions: [
-      lightpanda(),
-      syncEnvVars(async (ctx) => {
-        return [
-          { name: "SYNC_ENV", value: ctx.environment },
-          { name: "BRANCH", value: ctx.branch ?? "NO_BRANCH" },
-          { name: "BRANCH", value: "PARENT", isParentEnv: true },
-          { name: "SECRET_KEY", value: "secret-value" },
-          { name: "ANOTHER_SECRET", value: "another-secret-value" },
-        ];
-      }),
-      {
-        name: "npm-token",
-        onBuildComplete: async (context, manifest) => {
-          if (context.target === "dev") {
-            return;
-          }
-
-          context.addLayer({
-            id: "npm-token",
-            build: {
-              env: {
-                NPM_TOKEN: manifest.deploy.env?.NPM_TOKEN,
-              },
-            },
-          });
-        },
-      },
-    ],
-  },
-});
diff --git a/references/seed/tsconfig.json b/references/seed/tsconfig.json
deleted file mode 100644
index 9a5ee0b9d68..00000000000
--- a/references/seed/tsconfig.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2023",
-    "module": "Node16",
-    "moduleResolution": "Node16",
-    "esModuleInterop": true,
-    "strict": true,
-    "skipLibCheck": true,
-    "customConditions": ["@triggerdotdev/source"],
-    "jsx": "preserve",
-    "lib": ["DOM", "DOM.Iterable"],
-    "noEmit": true
-  },
-  "include": ["./src/**/*.ts", "trigger.config.ts"]
-}
diff --git a/references/telemetry/package.json b/references/telemetry/package.json
deleted file mode 100644
index cb9bff620f6..00000000000
--- a/references/telemetry/package.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
-  "name": "references-telemetry",
-  "version": "0.1.0",
-  "private": true,
-  "scripts": {
-    "dev": "trigger dev",
-    "deploy": "trigger deploy"
-  },
-  "dependencies": {
-    "@trigger.dev/sdk": "workspace:*",
-    "@opentelemetry/resources": "2.2.0"
-  },
-  "devDependencies": {
-    "@types/node": "^20",
-    "trigger.dev": "workspace:*",
-    "typescript": "^5"
-  }
-}
\ No newline at end of file
diff --git a/references/telemetry/src/trigger/tasks.ts b/references/telemetry/src/trigger/tasks.ts
deleted file mode 100644
index d1a85ec166f..00000000000
--- a/references/telemetry/src/trigger/tasks.ts
+++ /dev/null
@@ -1,9 +0,0 @@
-import { logger, task } from "@trigger.dev/sdk";
-
-export const telemetryTestTask = task({
-  id: "telemetry-test",
-  run: async (payload: any, { ctx }) => {
-    logger.info("Hello, world!", { payload, ctx });
-    return { message: "Hello, world!" };
-  },
-});
diff --git a/references/telemetry/trigger.config.ts b/references/telemetry/trigger.config.ts
deleted file mode 100644
index 48e6a877ac1..00000000000
--- a/references/telemetry/trigger.config.ts
+++ /dev/null
@@ -1,14 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk";
-import { resourceFromAttributes } from "@opentelemetry/resources";
-
-export default defineConfig({
-  project: process.env.TRIGGER_PROJECT_REF!,
-  dirs: ["./src/trigger"],
-  maxDuration: 3600,
-  telemetry: {
-    resource: resourceFromAttributes({
-      "foo.bar": "telemetry-test",
-      "foo.baz": "1.0.0",
-    }),
-  },
-});
diff --git a/references/telemetry/tsconfig.json b/references/telemetry/tsconfig.json
deleted file mode 100644
index 9a5ee0b9d68..00000000000
--- a/references/telemetry/tsconfig.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2023",
-    "module": "Node16",
-    "moduleResolution": "Node16",
-    "esModuleInterop": true,
-    "strict": true,
-    "skipLibCheck": true,
-    "customConditions": ["@triggerdotdev/source"],
-    "jsx": "preserve",
-    "lib": ["DOM", "DOM.Iterable"],
-    "noEmit": true
-  },
-  "include": ["./src/**/*.ts", "trigger.config.ts"]
-}
diff --git a/references/test-tasks/package.json b/references/test-tasks/package.json
deleted file mode 100644
index 9ed2635da1a..00000000000
--- a/references/test-tasks/package.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
-  "name": "references-test-tasks",
-  "private": true,
-  "type": "module",
-  "scripts": {
-    "dev": "trigger dev",
-    "deploy": "trigger deploy --self-hosted --load-image"
-  },
-  "dependencies": {
-    "@trigger.dev/sdk": "workspace:*",
-    "zod": "3.25.76"
-  },
-  "devDependencies": {
-    "@trigger.dev/build": "workspace:*",
-    "trigger.dev": "workspace:*",
-    "typescript": "^5.5.4"
-  }
-}
\ No newline at end of file
diff --git a/references/test-tasks/src/trigger/helpers.ts b/references/test-tasks/src/trigger/helpers.ts
deleted file mode 100644
index ed47c198a1d..00000000000
--- a/references/test-tasks/src/trigger/helpers.ts
+++ /dev/null
@@ -1,205 +0,0 @@
-import { BatchResult, logger, queue, task, wait } from "@trigger.dev/sdk/v3";
-
-export const recursiveTask = task({
-  id: "recursive-task",
-  queue: {
-    concurrencyLimit: 1,
-  },
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (
-    { delayMs, depth, useBatch = false }: { delayMs: number; depth: number; useBatch: boolean },
-    { ctx }
-  ) => {
-    if (depth === 0) {
-      return;
-    }
-
-    await new Promise((resolve) => setTimeout(resolve, delayMs));
-
-    if (useBatch) {
-      const batchResult = await recursiveTask.batchTriggerAndWait([
-        {
-          payload: { delayMs, depth: depth - 1, useBatch },
-          options: { tags: ["recursive"] },
-        },
-      ]);
-
-      const firstRun = batchResult.runs[0] as any;
-
-      return {
-        ok: firstRun.ok,
-      };
-    } else {
-      const result = (await recursiveTask.triggerAndWait({
-        delayMs,
-        depth: depth - 1,
-        useBatch,
-      })) as any;
-
-      return {
-        ok: result.ok,
-      };
-    }
-  },
-});
-
-export const singleQueue = queue({
-  name: "single-queue",
-  concurrencyLimit: 1,
-});
-
-export const delayTask = task({
-  id: "delay-task",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (payload: { delayMs: number }, { ctx }) => {
-    await new Promise((resolve) => setTimeout(resolve, payload.delayMs));
-  },
-});
-
-export const retryTask = task({
-  id: "retry-task",
-  queue: singleQueue,
-  retry: {
-    maxAttempts: 2,
-  },
-  run: async (
-    payload: { delayMs: number; throwError: boolean; failureCount: number; retryDelayMs?: number },
-    { ctx }
-  ) => {
-    await new Promise((resolve) => setTimeout(resolve, payload.delayMs));
-
-    if (payload.throwError && ctx.attempt.number <= payload.failureCount) {
-      throw new Error("Error");
-    }
-  },
-  handleError: async ({ ctx, payload, error }) => {
-    if (!payload.throwError) {
-      return {
-        skipRetrying: true,
-      };
-    } else {
-      return {
-        retryDelayInMs: payload.retryDelayMs,
-      };
-    }
-  },
-});
-
-export const durationWaitTask = task({
-  id: "duration-wait-task",
-  queue: {
-    concurrencyLimit: 1,
-  },
-  run: async (
-    {
-      waitDurationInSeconds = 5,
-      doWait = true,
-    }: { waitDurationInSeconds: number; doWait: boolean },
-    { ctx }
-  ) => {
-    if (doWait) {
-      await wait.for({ seconds: waitDurationInSeconds });
-    } else {
-      await new Promise((resolve) => setTimeout(resolve, waitDurationInSeconds * 1000));
-    }
-  },
-});
-
-export const resumeParentTask = task({
-  id: "resume-parent-task",
-  queue: {
-    concurrencyLimit: 1,
-  },
-  run: async (
-    {
-      delayMs = 5_000,
-      triggerChildTask,
-      useBatch = false,
-    }: { delayMs: number; triggerChildTask: boolean; useBatch: boolean },
-    { ctx }
-  ) => {
-    if (triggerChildTask) {
-      if (useBatch) {
-        const batchResult = await resumeChildTask.batchTriggerAndWait([
-          {
-            payload: { delayMs },
-            options: { tags: ["resume-child"] },
-          },
-        ]);
-
-        unwrapBatchResult(batchResult);
-      } else {
-        await resumeChildTask.triggerAndWait({ delayMs }, { tags: ["resume-child"] }).unwrap();
-      }
-    } else {
-      await new Promise((resolve) => setTimeout(resolve, delayMs));
-    }
-  },
-});
-
-export const resumeChildTask = task({
-  id: "resume-child-task",
-  run: async (payload: { delayMs: number }, { ctx }) => {
-    await new Promise((resolve) => setTimeout(resolve, payload.delayMs));
-  },
-});
-
-export const genericParentTask = task({
-  id: "generic-parent-task",
-  run: async (
-    {
-      delayMs = 5_000,
-      triggerChildTask,
-      useBatch = false,
-    }: { delayMs: number; triggerChildTask: boolean; useBatch: boolean },
-    { ctx }
-  ) => {
-    if (triggerChildTask) {
-      if (useBatch) {
-        const batchResult = await genericChildTask.batchTriggerAndWait([
-          {
-            payload: { delayMs },
-            options: { tags: ["resume-child"] },
-          },
-        ]);
-
-        return unwrapBatchResult(batchResult);
-      } else {
-        await genericChildTask.triggerAndWait({ delayMs }, { tags: ["resume-child"] }).unwrap();
-      }
-    } else {
-      await new Promise((resolve) => setTimeout(resolve, delayMs));
-    }
-  },
-});
-
-function unwrapBatchResult(batchResult: BatchResult<string, any>) {
-  if (batchResult.runs.some((run) => !run.ok)) {
-    throw new Error(`Child task failed: ${batchResult.runs.find((run) => !run.ok)?.error}`);
-  }
-
-  return batchResult.runs;
-}
-
-export const genericChildTask = task({
-  id: "generic-child-task",
-  run: async (payload: { delayMs: number }, { ctx }) => {
-    logger.debug("Running generic child task");
-
-    await new Promise((resolve) => setTimeout(resolve, payload.delayMs));
-  },
-});
-
-export const eventLoopLagTask = task({
-  id: "event-loop-lag-task",
-  run: async ({ delayMs }: { delayMs: number }, { ctx }) => {
-    const start = Date.now();
-    while (Date.now() - start < delayMs) {
-      // Do nothing
-    }
-  },
-});
diff --git a/references/test-tasks/src/trigger/test-heartbeats.ts b/references/test-tasks/src/trigger/test-heartbeats.ts
deleted file mode 100644
index c62dcc438e9..00000000000
--- a/references/test-tasks/src/trigger/test-heartbeats.ts
+++ /dev/null
@@ -1,47 +0,0 @@
-import { waitForRunStatus } from "@/utils.js";
-import { logger, task } from "@trigger.dev/sdk/v3";
-import assert from "assert";
-import { genericChildTask } from "./helpers.js";
-
-export const describeHeartbeats = task({
-  id: "describe/heartbeats",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (
-    { visibilityTimeoutSeconds = 100 }: { visibilityTimeoutSeconds?: number },
-    { ctx }
-  ) => {
-    await testHeartbeats.triggerAndWait({ visibilityTimeoutSeconds }).unwrap();
-  },
-});
-
-export const testHeartbeats = task({
-  id: "test/heartbeats",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (
-    { visibilityTimeoutSeconds = 100 }: { visibilityTimeoutSeconds?: number },
-    { ctx }
-  ) => {
-    const run = await genericChildTask.trigger({
-      delayMs: visibilityTimeoutSeconds * 1_000 + 5 * 1000,
-    });
-
-    await waitForRunStatus(run.id, ["EXECUTING"]);
-
-    logger.info("Heartbeat test: run is executing");
-
-    const completedRun = await waitForRunStatus(
-      run.id,
-      ["COMPLETED", "FAILED", "SYSTEM_FAILURE", "CRASHED"],
-      visibilityTimeoutSeconds + 30,
-      5_000
-    );
-
-    assert(completedRun.status === "COMPLETED", `Run failed with status ${completedRun.status}`);
-
-    logger.info("Heartbeat test: run is completed");
-  },
-});
diff --git a/references/test-tasks/src/trigger/test-reserve-concurrency-system.ts b/references/test-tasks/src/trigger/test-reserve-concurrency-system.ts
deleted file mode 100644
index 4a0b0447913..00000000000
--- a/references/test-tasks/src/trigger/test-reserve-concurrency-system.ts
+++ /dev/null
@@ -1,400 +0,0 @@
-import { batch, logger, task } from "@trigger.dev/sdk/v3";
-import assert from "assert";
-import {
-  getEnvironmentStats,
-  updateEnvironmentConcurrencyLimit,
-  waitForRunStatus,
-} from "../utils.js";
-import {
-  retryTask,
-  resumeParentTask,
-  durationWaitTask,
-  delayTask,
-  genericParentTask,
-  recursiveTask,
-} from "./helpers.js";
-
-export const describeReserveConcurrencySystem = task({
-  id: "describe/reserve-concurrency-system",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (payload: any, { ctx }) => {
-    await testRetryPriority.triggerAndWait({}).unwrap();
-
-    logger.info("✅ Tested retry priority, now testing resume priority");
-
-    await testResumePriority.triggerAndWait({ initialDelayMs: 5_000, useBatch: false }).unwrap();
-    await testResumePriority.triggerAndWait({ initialDelayMs: 30_000, useBatch: false }).unwrap();
-
-    logger.info("✅ Tested resume priority with triggerAndWait");
-
-    await testResumePriority.triggerAndWait({ initialDelayMs: 5_000, useBatch: true }).unwrap();
-    await testResumePriority.triggerAndWait({ initialDelayMs: 30_000, useBatch: true }).unwrap();
-
-    logger.info("✅ Tested resume priority with batchTriggerAndWait");
-
-    await testResumeDurationPriority.triggerAndWait({ waitDurationInSeconds: 30 }).unwrap();
-    await testResumeDurationPriority.triggerAndWait({ waitDurationInSeconds: 65 }).unwrap();
-
-    logger.info("✅ Tested resume duration priority with wait.for");
-
-    await testEnvReserveConcurrency
-      .triggerAndWait({ envConcurrencyLimit: 4, holdTaskCount: 1, useBatch: false })
-      .unwrap();
-
-    logger.info("✅ Tested env reserve concurrency system with triggerAndWait");
-
-    await testEnvReserveConcurrency
-      .triggerAndWait({ envConcurrencyLimit: 4, holdTaskCount: 1, useBatch: true })
-      .unwrap();
-
-    logger.info("✅ Tested env reserve concurrency system with batchTriggerAndWait");
-
-    await testQueueReserveConcurrency.triggerAndWait({ useBatch: false }).unwrap();
-
-    logger.info("✅ Tested queue reserve concurrency system with triggerAndWait");
-
-    await testQueueReserveConcurrency.triggerAndWait({ useBatch: true }).unwrap();
-
-    logger.info("✅ Tested queue reserve concurrency system with batchTriggerAndWait");
-  },
-});
-
-export const testRetryPriority = task({
-  id: "test/retry-priority",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (payload: any, { ctx }) => {
-    const startEnvStats = await getEnvironmentStats(ctx.environment.id);
-
-    const retryDelayMs = ctx.environment.type === "DEVELOPMENT" ? 10_000 : 61_000;
-
-    // We need to test the reserve concurrency system
-    // 1. Retries are prioritized over new runs
-    //    Setup: Trigger a run that fails and will re-attempt in 5 seconds
-    //           Trigger another run that uses the same concurrency, and hits the max concurrency of that queue
-    //           Trigger a run on that same queue before the retry is attempted
-    //           The "hold" run will then complete and the retry should be dequeued
-    //           Once the retry completes successfully, the 3rd run should be dequeued
-
-    const failureRun = await retryTask.trigger(
-      { delayMs: 0, throwError: true, failureCount: 1, retryDelayMs },
-      { tags: ["failure"] }
-    );
-    await waitForRunStatus(failureRun.id, ["EXECUTING", "REATTEMPTING"]);
-
-    logger.info("Failure run is executing, triggering a run that will hit the concurrency limit");
-
-    const holdRun = await retryTask.trigger(
-      { delayMs: retryDelayMs + 2_000, throwError: false, failureCount: 0 },
-      { tags: ["hold"] }
-    );
-    await waitForRunStatus(holdRun.id, ["EXECUTING"]);
-
-    logger.info("Hold run is executing, triggering a run that will be queued");
-
-    const queuedRun = await retryTask.trigger(
-      { delayMs: 0, throwError: false, failureCount: 0 },
-      { tags: ["queued"] }
-    );
-
-    logger.info("Queued run is queued, waiting for the hold run to complete");
-
-    const completedFailureRun = await waitForRunStatus(failureRun.id, ["COMPLETED"]);
-    const completedQueuedRun = await waitForRunStatus(queuedRun.id, ["COMPLETED"]);
-    const completedHoldRun = await waitForRunStatus(holdRun.id, ["COMPLETED"]);
-
-    logger.info("Runs completed", {
-      completedFailureRun,
-      completedQueuedRun,
-      completedHoldRun,
-    });
-
-    // Now we need to assert the completedFailureRun.completedAt is before completedQueuedRun.completedAt
-    assert(
-      completedFailureRun.finishedAt! < completedQueuedRun.finishedAt!,
-      "Failure run should complete before queued run"
-    );
-
-    // Lets also make sure the completedFailureRun.finishedAt is AFTER the completedHoldRun.finishedAt
-    assert(
-      completedFailureRun.finishedAt! > completedHoldRun.finishedAt!,
-      "Failure run should complete after hold run"
-    );
-
-    // Now lets make sure all the runs are completed
-    await waitForRunStatus(holdRun.id, ["COMPLETED"]);
-
-    const envStats = await getEnvironmentStats(ctx.environment.id);
-
-    logger.info("Environment stats", envStats);
-
-    assert(
-      startEnvStats.reserveConcurrency - envStats.reserveConcurrency === 0,
-      "Reserve concurrency should be 0"
-    );
-
-    logger.info("✅ Failure run completed before queued run");
-  },
-});
-
-export const testResumePriority = task({
-  id: "test/resume-priority",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (
-    { initialDelayMs = 5_000, useBatch = false }: { initialDelayMs: number; useBatch: boolean },
-    { ctx }
-  ) => {
-    const startEnvStats = await getEnvironmentStats(ctx.environment.id);
-
-    // 2. Resumed runs are prioritized over new runs
-    const resumeRun = await resumeParentTask.trigger(
-      { delayMs: initialDelayMs, triggerChildTask: true, useBatch },
-      { tags: ["resume"] }
-    );
-    await waitForRunStatus(resumeRun.id, ["EXECUTING", "FROZEN"]);
-
-    logger.info("Resume run is executing, triggering a run that should be queued");
-    const queuedRun = await resumeParentTask.trigger(
-      { delayMs: 1_000, triggerChildTask: false, useBatch },
-      { tags: ["queued"] }
-    );
-    await waitForRunStatus(queuedRun.id, ["QUEUED"]);
-
-    const completedResumeRun = await waitForRunStatus(resumeRun.id, ["COMPLETED"]);
-    const completedQueuedRun = await waitForRunStatus(queuedRun.id, ["COMPLETED"]);
-
-    logger.info("Runs completed", {
-      completedResumeRun,
-      completedQueuedRun,
-    });
-
-    // Now we need to assert the completedResumeRun.completedAt is before completedQueuedRun.completedAt
-    assert(
-      completedResumeRun.finishedAt! < completedQueuedRun.finishedAt!,
-      "Resume run should complete before queued run"
-    );
-
-    const envStats = await getEnvironmentStats(ctx.environment.id);
-
-    assert(
-      startEnvStats.reserveConcurrency - envStats.reserveConcurrency === 0,
-      "Reserve concurrency should be 0"
-    );
-
-    logger.info("✅ Resume run completed before queued run");
-  },
-});
-
-export const testResumeDurationPriority = task({
-  id: "test/resume-duration-priority",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async ({ waitDurationInSeconds = 5 }: { waitDurationInSeconds: number }, { ctx }) => {
-    const startEnvStats = await getEnvironmentStats(ctx.environment.id);
-
-    // 2. Resumed runs are prioritized over new runs
-    const resumeRun = await durationWaitTask.trigger(
-      { waitDurationInSeconds, doWait: true },
-      { tags: ["resume"] }
-    );
-    await waitForRunStatus(resumeRun.id, ["EXECUTING", "FROZEN"]);
-
-    logger.info(
-      "Resume run is executing, triggering a run that will hold the concurrency until both the resume run and the queued run are in the queue"
-    );
-
-    let holdRunId: string | undefined;
-
-    if (ctx.environment.type !== "DEVELOPMENT") {
-      const holdRun = await durationWaitTask.trigger(
-        { waitDurationInSeconds: waitDurationInSeconds + 10, doWait: false },
-        { tags: ["hold"] }
-      );
-
-      holdRunId = holdRun.id;
-
-      await waitForRunStatus(holdRun.id, ["EXECUTING"]);
-
-      logger.info("Hold run is executing, triggering a run that should be queued");
-    }
-
-    const queuedRun = await durationWaitTask.trigger(
-      { waitDurationInSeconds: 1, doWait: false },
-      { tags: ["queued"] }
-    );
-    await waitForRunStatus(queuedRun.id, ["QUEUED"]);
-
-    const completedResumeRun = await waitForRunStatus(resumeRun.id, ["COMPLETED"]);
-    const completedQueuedRun = await waitForRunStatus(queuedRun.id, ["COMPLETED"]);
-
-    logger.info("Runs completed", {
-      completedResumeRun,
-      completedQueuedRun,
-    });
-
-    // Now we need to assert the completedResumeRun.completedAt is before completedQueuedRun.completedAt
-    assert(
-      completedResumeRun.finishedAt! < completedQueuedRun.finishedAt!,
-      "Resume run should complete before queued run"
-    );
-
-    if (holdRunId) {
-      const completedHoldRun = await waitForRunStatus(holdRunId, ["COMPLETED"]);
-
-      // Lets also make sure the completedResumeRun.finishedAt is AFTER the completedHoldRun.finishedAt
-      assert(
-        completedResumeRun.finishedAt! > completedHoldRun.finishedAt!,
-        "Resume run should complete after hold run"
-      );
-    }
-
-    const envStats = await getEnvironmentStats(ctx.environment.id);
-
-    assert(
-      startEnvStats.reserveConcurrency - envStats.reserveConcurrency === 0,
-      "Reserve concurrency should be 0"
-    );
-
-    logger.info("✅ Resume run completed before queued run");
-  },
-});
-
-export const testEnvReserveConcurrency = task({
-  id: "test/env-reserve-concurrency",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async (
-    {
-      envConcurrencyLimit = 3,
-      holdTaskCount = 1,
-      useBatch = false,
-    }: { envConcurrencyLimit: number; holdTaskCount: number; useBatch: boolean },
-    { ctx }
-  ) => {
-    const startEnvStats = await getEnvironmentStats(ctx.environment.id);
-
-    // 3. When a task triggerAndWaits another task, the parent run should be added to the envs reserve concurrency
-    //    Giving the environment "back" another concurrency slot. Another task (not the parent task) can then be dequeued
-    //    We need to be able to "fill" the env concurrency (sans 1), then trigger the parent task. The parent task then triggerAndWaits
-    //    a child task. We need to make sure the child task executes
-    await updateEnvironmentConcurrencyLimit(ctx.environment.id, envConcurrencyLimit);
-
-    const holdBatch = await delayTask.batchTrigger(
-      Array.from({ length: holdTaskCount }, (_, i) => ({
-        payload: { delayMs: 30_000 },
-        options: { tags: ["hold"] },
-      }))
-    );
-
-    const retrievedHoldBatch = await batch.retrieve(holdBatch.batchId);
-
-    // Wait for the hold tasks to be executing
-    await Promise.all(retrievedHoldBatch.runs.map((run) => waitForRunStatus(run, ["EXECUTING"])));
-
-    // Now we will trigger a parent task that will trigger a child task
-    const parentRun = await genericParentTask.trigger(
-      { delayMs: 1_000, triggerChildTask: true, useBatch },
-      { tags: ["parent"] }
-    );
-
-    // Once the parentRun starts executing, we will be at the max concurrency limit
-    await waitForRunStatus(parentRun.id, ["EXECUTING"], 5); // timeout after 5 seconds, to ensure the parent task is executing
-
-    // But because the parent task triggers a child task, the env reserve concurrency will allow the child task to execute
-    logger.info("Parent task is executing, waiting for child task to complete");
-
-    await waitForRunStatus(parentRun.id, ["COMPLETED"], 20); // timeout after 10 seconds, to ensure the child task finished before the delay runs
-
-    logger.info(
-      "Parent task completed, which means the child task completed. Now waiting for the hold tasks to complete"
-    );
-
-    const envStats = await getEnvironmentStats(ctx.environment.id, "task/generic-parent-task");
-
-    assert(
-      startEnvStats.reserveConcurrency - envStats.reserveConcurrency === 0,
-      "Reserve concurrency should be 0"
-    );
-    assert(
-      envStats.queueCurrentConcurrency === 0,
-      "generic-parent-task current concurrency should be 0"
-    );
-    assert(
-      envStats.queueReserveConcurrency === 0,
-      "generic-parent-task reserve concurrency should be 0"
-    );
-
-    const childStats = await getEnvironmentStats(ctx.environment.id, "task/generic-child-task");
-
-    assert(
-      childStats.queueReserveConcurrency === 0,
-      "generic-child-task reserve concurrency should be 0"
-    );
-    assert(
-      childStats.queueCurrentConcurrency === 0,
-      "generic-child-task current concurrency should be 0"
-    );
-
-    // Wait for the hold tasks to be completed
-    await Promise.all(retrievedHoldBatch.runs.map((run) => waitForRunStatus(run, ["COMPLETED"])));
-
-    await updateEnvironmentConcurrencyLimit(ctx.environment.id, 100);
-
-    logger.info("✅ Environment reserve concurrency system is working as expected");
-  },
-});
-
-export const testQueueReserveConcurrency = task({
-  id: "test/queue-reserve-concurrency",
-  retry: {
-    maxAttempts: 1,
-  },
-  run: async ({ useBatch = false }: { useBatch: boolean }, { ctx }) => {
-    const startEnvStats = await getEnvironmentStats(ctx.environment.id);
-    // This test ensures that when triggerAndWait is called where the parent and the child share a queue,
-    // the queue reserve concurrency is used to allow the child to execute.
-    // We also want to test that the queue can only "reserve" at most up to the concurrency limit, and if
-    // the reservation fails, the child task will fail
-    const rootRecursiveRun = await recursiveTask.trigger(
-      { delayMs: 1_000, depth: 1, useBatch },
-      { tags: ["root"] }
-    );
-
-    const completedRootRun = await waitForRunStatus(rootRecursiveRun.id, ["COMPLETED"]);
-
-    assert(completedRootRun.status === "COMPLETED", "Root recursive run should be completed");
-
-    const failingRootRecursiveRun = await recursiveTask.trigger(
-      { delayMs: 1_000, depth: 2, useBatch },
-      { tags: ["failing-root"] }
-    );
-
-    const failedRootRun = await waitForRunStatus(failingRootRecursiveRun.id, ["COMPLETED"]);
-
-    assert(!failedRootRun.output?.ok, "Child of failing root run should fail");
-
-    const envStats = await getEnvironmentStats(ctx.environment.id, "task/recursive-task");
-
-    logger.info("Environment stats", envStats);
-
-    assert(
-      startEnvStats.reserveConcurrency - envStats.reserveConcurrency === 0,
-      "Env reserve concurrency should be 0"
-    );
-    assert(
-      envStats.queueCurrentConcurrency === 0,
-      "queue-reserve-concurrency current concurrency should be 0"
-    );
-    assert(
-      envStats.queueReserveConcurrency === 0,
-      "queue-reserve-concurrency reserve concurrency should be 0"
-    );
-  },
-});
diff --git a/references/test-tasks/src/utils.ts b/references/test-tasks/src/utils.ts
deleted file mode 100644
index 5fa43866d78..00000000000
--- a/references/test-tasks/src/utils.ts
+++ /dev/null
@@ -1,108 +0,0 @@
-import { runs } from "@trigger.dev/sdk/v3";
-import { z } from "zod";
-
-export type RunStatus = Awaited<ReturnType<typeof runs.retrieve>>["status"];
-
-export async function waitForRunStatus(
-  id: string,
-  statuses: RunStatus[],
-  timeoutInSeconds?: number,
-  pollIntervalMs = 1_000
-) {
-  const run = await runs.retrieve(id);
-
-  if (statuses.includes(run.status)) {
-    return run;
-  }
-
-  const start = Date.now();
-
-  while (Date.now() - start < (timeoutInSeconds ?? 300) * 1_000) {
-    const run = await runs.retrieve(id);
-
-    if (statuses.includes(run.status)) {
-      return run;
-    }
-
-    await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
-  }
-
-  throw new Error(
-    `Run did not reach status ${statuses.join(" or ")} within ${timeoutInSeconds ?? 300} seconds`
-  );
-}
-
-export async function updateEnvironmentConcurrencyLimit(
-  environmentId: string,
-  concurrencyLimit: number
-) {
-  if (!process.env.TRIGGER_API_URL) {
-    throw new Error("TRIGGER_API_URL is not set");
-  }
-
-  if (!process.env.TRIGGER_ACCESS_TOKEN) {
-    throw new Error("TRIGGER_ACCESS_TOKEN is not set");
-  }
-
-  // We need to make a request to baseURL + `/admin/api/v1/environments/${environmentId}` with a POST request
-  // The body needs to be a JSON object with the key `envMaximumConcurrencyLimit` and the value `concurrencyLimit`, and the key `orgMaximumConcurrencyLimit` with the value `concurrencyLimit`
-  // we also need a Authorization header that has the personal access token from process.env.TRIGGER_ACCESS_TOKEN
-
-  const response = await fetch(
-    `${process.env.TRIGGER_API_URL}/admin/api/v1/environments/${environmentId}`,
-    {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${process.env.TRIGGER_ACCESS_TOKEN}`,
-      },
-      body: JSON.stringify({
-        envMaximumConcurrencyLimit: concurrencyLimit,
-        orgMaximumConcurrencyLimit: concurrencyLimit,
-      }),
-    }
-  );
-
-  if (!response.ok) {
-    throw new Error(`Failed to update environment concurrency limit: ${response.statusText}`);
-  }
-
-  return response.json();
-}
-
-const EnvironmentStatsResponseBody = z.object({
-  id: z.string(),
-  concurrencyLimit: z.number(),
-  currentConcurrency: z.number(),
-  queueConcurrency: z.number().optional(),
-  queueCurrentConcurrency: z.number().optional(),
-});
-
-export type EnvironmentStatsResponseBody = z.infer<typeof EnvironmentStatsResponseBody>;
-
-export async function getEnvironmentStats(
-  environmentId: string,
-  queue?: string
-): Promise<EnvironmentStatsResponseBody> {
-  const url = new URL(`${process.env.TRIGGER_API_URL}/admin/api/v1/environments/${environmentId}`);
-
-  if (queue) {
-    url.searchParams.set("queue", queue);
-  }
-
-  const response = await fetch(url.toString(), {
-    method: "GET",
-    headers: {
-      Accept: "application/json",
-      Authorization: `Bearer ${process.env.TRIGGER_ACCESS_TOKEN}`,
-    },
-  });
-
-  if (!response.ok) {
-    throw new Error(`Failed to fetch environment stats: ${response.statusText}`);
-  }
-
-  const responseBody = await response.json();
-
-  return EnvironmentStatsResponseBody.parse(responseBody);
-}
diff --git a/references/test-tasks/trigger.config.ts b/references/test-tasks/trigger.config.ts
deleted file mode 100644
index b515908f412..00000000000
--- a/references/test-tasks/trigger.config.ts
+++ /dev/null
@@ -1,19 +0,0 @@
-import { defineConfig } from "@trigger.dev/sdk/v3";
-
-export default defineConfig({
-  runtime: "node",
-  project: "proj_qwdshjjnuoepcuupfuvo",
-  machine: "small-1x",
-  maxDuration: 3600,
-  dirs: ["./src/trigger"],
-  retries: {
-    enabledInDev: true,
-    default: {
-      maxAttempts: 10,
-      minTimeoutInMs: 5_000,
-      maxTimeoutInMs: 30_000,
-      factor: 2,
-      randomize: true,
-    },
-  },
-});
diff --git a/references/test-tasks/tsconfig.json b/references/test-tasks/tsconfig.json
deleted file mode 100644
index 635ecdb766a..00000000000
--- a/references/test-tasks/tsconfig.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "esnext",
-    "module": "NodeNext",
-    "moduleResolution": "NodeNext",
-    "esModuleInterop": true,
-    "strict": true,
-    "outDir": "dist",
-    "skipLibCheck": true,
-    "customConditions": ["@triggerdotdev/source"],
-    "jsx": "preserve",
-    "emitDecoratorMetadata": true,
-    "experimentalDecorators": true,
-    "lib": ["DOM", "DOM.Iterable"],
-    "paths": {
-      "@/*": ["./src/*"]
-    }
-  },
-  "include": ["./src/**/*.ts", "trigger.config.ts"]
-}
diff --git a/scripts/bump-helm-chart.mjs b/scripts/bump-helm-chart.mjs
new file mode 100644
index 00000000000..c296977dc3a
--- /dev/null
+++ b/scripts/bump-helm-chart.mjs
@@ -0,0 +1,31 @@
+import { readFileSync, writeFileSync } from "node:fs";
+
+const VERSION_SOURCE = "packages/cli-v3/package.json";
+const CHART_PATH = "hosting/k8s/helm/Chart.yaml";
+
+const { version } = JSON.parse(readFileSync(VERSION_SOURCE, "utf8"));
+const desiredVersion = `version: ${version}`;
+const desiredAppVersion = `appVersion: v${version}`;
+
+const original = readFileSync(CHART_PATH, "utf8");
+
+const versionMatch = original.match(/^version:.*$/m);
+const appVersionMatch = original.match(/^appVersion:.*$/m);
+
+if (!versionMatch || !appVersionMatch) {
+  const missing = [!versionMatch && "version:", !appVersionMatch && "appVersion:"]
+    .filter(Boolean)
+    .join(", ");
+  console.error(`${CHART_PATH} is missing required key(s): ${missing}`);
+  process.exit(1);
+}
+
+if (versionMatch[0] === desiredVersion && appVersionMatch[0] === desiredAppVersion) {
+  console.log(`${CHART_PATH} already at ${version} (from ${VERSION_SOURCE}), no changes`);
+} else {
+  const updated = original
+    .replace(/^version:.*/m, desiredVersion)
+    .replace(/^appVersion:.*/m, desiredAppVersion);
+  writeFileSync(CHART_PATH, updated);
+  console.log(`${CHART_PATH} bumped to ${version} (from ${VERSION_SOURCE})`);
+}
diff --git a/scripts/cleanup-server-changes.mjs b/scripts/cleanup-server-changes.mjs
new file mode 100644
index 00000000000..5e35edc801b
--- /dev/null
+++ b/scripts/cleanup-server-changes.mjs
@@ -0,0 +1,18 @@
+import { readdirSync, unlinkSync } from "node:fs";
+
+const DIR = ".server-changes";
+const KEEP = new Set(["README.md"]);
+
+const removed = [];
+for (const file of readdirSync(DIR)) {
+  if (!file.endsWith(".md") || KEEP.has(file)) continue;
+  unlinkSync(`${DIR}/${file}`);
+  removed.push(file);
+}
+
+if (removed.length === 0) {
+  console.log(`${DIR} already clean, no changes`);
+} else {
+  console.log(`${DIR} cleaned, removed ${removed.length} consumed file(s):`);
+  removed.forEach((f) => console.log(`  - ${f}`));
+}
diff --git a/scripts/docker.mjs b/scripts/docker.mjs
new file mode 100644
index 00000000000..9c38e9718ee
--- /dev/null
+++ b/scripts/docker.mjs
@@ -0,0 +1,27 @@
+#!/usr/bin/env node
+// Cross-platform wrapper for `docker compose` that conditionally passes
+// `--env-file <repo-root>/.env` when the file exists. Replaces an earlier
+// inline `$([ -f .env ] && echo --env-file .env)` shell substitution that
+// only worked in POSIX shells, breaking native Windows `cmd.exe` runs.
+//
+// Used by the root `pnpm run docker` / `docker:full` scripts and by the
+// clickhouse package's `db:migrate` script. Always runs compose with cwd
+// set to the repo root, so callers can pass `-f docker/docker-compose.yml`
+// from anywhere in the workspace.
+import { existsSync } from "node:fs";
+import { execFileSync } from "node:child_process";
+import { resolve, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const repoRoot = resolve(dirname(fileURLToPath(import.meta.url)), "..");
+const envPath = resolve(repoRoot, ".env");
+const envArgs = existsSync(envPath) ? ["--env-file", envPath] : [];
+
+try {
+  execFileSync("docker", ["compose", ...envArgs, ...process.argv.slice(2)], {
+    stdio: "inherit",
+    cwd: repoRoot,
+  });
+} catch (err) {
+  process.exit(err.status ?? 1);
+}
diff --git a/scripts/stamp-preview-version.mjs b/scripts/stamp-preview-version.mjs
new file mode 100644
index 00000000000..a6b21d10777
--- /dev/null
+++ b/scripts/stamp-preview-version.mjs
@@ -0,0 +1,92 @@
+// Rewrites the version of every public packages/* package to a unique,
+// preview-only semver (0.0.0-preview-<sha>) BEFORE the build runs.
+//
+// Why this exists:
+//   pkg.pr.new serves preview builds by commit SHA but does NOT change the
+//   package.json "version" field (as of 0.0.75). If a preview is published
+//   while package.json still says e.g. 4.5.0-rc.4, a consumer who installs the
+//   preview pins 4.5.0-rc.4 to the pkg.pr.new tarball in their lockfile/cache,
+//   and a later `npm i @trigger.dev/sdk@4.5.0-rc.4` from npm can resolve to the
+//   stale preview. See stackblitz-labs/pkg.pr.new#250 and #390.
+//
+//   A 0.0.0- prefix can never satisfy a real semver range, so the collision
+//   becomes structurally impossible (the same convention React/Next canaries
+//   use).
+//
+//   Running BEFORE the build also means scripts/updateVersion.ts bakes this
+//   same preview version into the runtime VERSION constant, so previews are
+//   self-identifying (trigger --version, the x-trigger-cli-version header, the
+//   MCP server version, etc.) rather than all reporting the RC version.
+//
+//   Sibling workspace: specifiers are relaxed to workspace:* so `pnpm pack`
+//   resolves them against the rewritten versions without range-validation
+//   errors. packages/python pins peerDependencies as workspace:^4.5.0-rc.4,
+//   which would otherwise be unsatisfiable once the sibling version changes.
+//
+// Note: pkg.pr.new PR #525 adds a built-in --previewVersion flag. Once that
+// ships we could drop the version-rewrite half here, but we still want a
+// pre-build stamp so updateVersion.ts picks up the preview version (the flag
+// rewrites at pack time, which is too late for the baked VERSION constant).
+
+import { readdirSync, readFileSync, writeFileSync, existsSync } from "node:fs";
+import { join } from "node:path";
+import { execSync } from "node:child_process";
+
+const PACKAGES_DIR = "packages";
+const DEP_SECTIONS = [
+  "dependencies",
+  "devDependencies",
+  "peerDependencies",
+  "optionalDependencies",
+];
+
+function resolveSha() {
+  const sha = process.argv[2] || process.env.GITHUB_SHA;
+  if (sha) return sha;
+  try {
+    return execSync("git rev-parse HEAD", { encoding: "utf8" }).trim();
+  } catch {
+    throw new Error(
+      "Could not determine commit SHA (pass as the first argument or set GITHUB_SHA)"
+    );
+  }
+}
+
+const sha = resolveSha().slice(0, 7);
+const previewVersion = `0.0.0-preview-${sha}`;
+
+const dirs = readdirSync(PACKAGES_DIR, { withFileTypes: true }).filter((e) =>
+  e.isDirectory()
+);
+
+// First pass: collect every public package name so we know which workspace
+// specifiers point at a sibling whose version we are about to change.
+const publicNames = new Set();
+const manifests = [];
+for (const dir of dirs) {
+  const pkgPath = join(PACKAGES_DIR, dir.name, "package.json");
+  if (!existsSync(pkgPath)) continue;
+  const json = JSON.parse(readFileSync(pkgPath, "utf8"));
+  manifests.push({ pkgPath, json });
+  if (!json.private && json.name) publicNames.add(json.name);
+}
+
+// Second pass: stamp the version and relax sibling workspace specifiers.
+let stamped = 0;
+for (const { pkgPath, json } of manifests) {
+  if (json.private) continue;
+  json.version = previewVersion;
+  for (const section of DEP_SECTIONS) {
+    const deps = json[section];
+    if (!deps) continue;
+    for (const [name, spec] of Object.entries(deps)) {
+      if (publicNames.has(name) && String(spec).startsWith("workspace:")) {
+        deps[name] = "workspace:*";
+      }
+    }
+  }
+  writeFileSync(pkgPath, `${JSON.stringify(json, null, 2)}\n`);
+  stamped++;
+}
+
+console.log(`Stamped ${stamped} public package(s) to ${previewVersion}`);
diff --git a/test-timings.json b/test-timings.json
new file mode 100644
index 00000000000..1c1504c029d
--- /dev/null
+++ b/test-timings.json
@@ -0,0 +1,222 @@
+{
+  "apps/webapp/test/EnvironmentVariablesPresenter.test.ts": 10249,
+  "apps/webapp/test/GCRARateLimiter.test.ts": 4984,
+  "apps/webapp/test/authorizationRateLimitMiddleware.test.ts": 1,
+  "apps/webapp/test/bufferedTriggerPayload.test.ts": 3,
+  "apps/webapp/test/calculateNextSchedule.test.ts": 345,
+  "apps/webapp/test/chat-snapshot-integration.test.ts": 2326,
+  "apps/webapp/test/clickhouseFactory.test.ts": 13885,
+  "apps/webapp/test/concurrentFlushScheduler.test.ts": 361,
+  "apps/webapp/test/createDeploymentWithNextVersion.test.ts": 17889,
+  "apps/webapp/test/detectbadJsonStrings.test.ts": 98,
+  "apps/webapp/test/environmentVariableDeduplication.test.ts": 3,
+  "apps/webapp/test/environmentVariableRules.test.ts": 3,
+  "apps/webapp/test/environmentVariablesEnvironments.test.ts": 10355,
+  "apps/webapp/test/environmentVariablesRepository.test.ts": 18320,
+  "apps/webapp/test/errorFingerprinting.test.ts": 16,
+  "apps/webapp/test/errorGroupWebhook.test.ts": 7,
+  "apps/webapp/test/fairDequeuingStrategy.test.ts": 5705,
+  "apps/webapp/test/findOrCreateBackgroundWorker.test.ts": 17442,
+  "apps/webapp/test/getDeploymentImageRef.test.ts": 7,
+  "apps/webapp/test/httpErrors.test.ts": 25,
+  "apps/webapp/test/marqsKeyProducer.test.ts": 7,
+  "apps/webapp/test/metadataRouteOperationsLogging.test.ts": 6,
+  "apps/webapp/test/mollifierApplyMetadataMutation.test.ts": 497,
+  "apps/webapp/test/mollifierClaimResolution.test.ts": 6,
+  "apps/webapp/test/mollifierDrainerHandler.test.ts": 21,
+  "apps/webapp/test/mollifierDrainerWorker.test.ts": 5,
+  "apps/webapp/test/mollifierDrainingGauge.test.ts": 449,
+  "apps/webapp/test/mollifierGate.test.ts": 16,
+  "apps/webapp/test/mollifierIdempotencyClaim.test.ts": 13,
+  "apps/webapp/test/mollifierMollify.test.ts": 5,
+  "apps/webapp/test/mollifierMutateWithFallback.test.ts": 18,
+  "apps/webapp/test/mollifierReadFallback.test.ts": 15,
+  "apps/webapp/test/mollifierReplayPayloadShape.test.ts": 2,
+  "apps/webapp/test/mollifierResetIdempotencyKey.test.ts": 9,
+  "apps/webapp/test/mollifierResolveRunForMutation.test.ts": 7,
+  "apps/webapp/test/mollifierStaleSweep.test.ts": 969,
+  "apps/webapp/test/mollifierSynthesiseFoundRun.test.ts": 5,
+  "apps/webapp/test/mollifierSyntheticApiResponses.test.ts": 5,
+  "apps/webapp/test/mollifierSyntheticRedirectInfo.test.ts": 805,
+  "apps/webapp/test/mollifierSyntheticReplayTaskRun.test.ts": 2,
+  "apps/webapp/test/mollifierSyntheticRunHeader.test.ts": 4,
+  "apps/webapp/test/mollifierSyntheticSpanRun.test.ts": 8,
+  "apps/webapp/test/mollifierSyntheticTrace.test.ts": 6,
+  "apps/webapp/test/mollifierTripEvaluator.test.ts": 621,
+  "apps/webapp/test/objectStore.test.ts": 15979,
+  "apps/webapp/test/organizationDataStoresRegistry.test.ts": 16732,
+  "apps/webapp/test/otlpExporter.test.ts": 13,
+  "apps/webapp/test/otlpUtf16Sanitization.integration.test.ts": 6540,
+  "apps/webapp/test/realtimeClient.test.ts": 1,
+  "apps/webapp/test/redisRealtimeStreams.test.ts": 6214,
+  "apps/webapp/test/registryConfig.test.ts": 652,
+  "apps/webapp/test/replay-after-crash.test.ts": 2233,
+  "apps/webapp/test/runsBackfiller.test.ts": 15478,
+  "apps/webapp/test/runsReplicationBenchmark.test.ts": 0,
+  "apps/webapp/test/runsRepository.part1.test.ts": 53000,
+  "apps/webapp/test/runsRepository.part2.test.ts": 57000,
+  "apps/webapp/test/sanitizeRowsOnParseError.test.ts": 8,
+  "apps/webapp/test/sentryTenantContext.test.ts": 5,
+  "apps/webapp/test/sentryTraceContext.server.test.ts": 12,
+  "apps/webapp/test/sessionDuration.test.ts": 18416,
+  "apps/webapp/test/sessionsReplicationService.test.ts": 30000,
+  "apps/webapp/test/shouldRevalidateRunsList.test.ts": 5,
+  "apps/webapp/test/slackErrorAlerts.test.ts": 0,
+  "apps/webapp/test/tenantContext.test.ts": 26,
+  "apps/webapp/test/tenantContextFromAuthEnvironment.test.ts": 2,
+  "apps/webapp/test/tenantContextResolver.test.ts": 19,
+  "apps/webapp/test/timeGranularity.test.ts": 3,
+  "apps/webapp/test/timelineSpanEvents.test.ts": 6,
+  "apps/webapp/test/updateMetadata.test.ts": 26380,
+  "apps/webapp/test/validateGitBranchName.test.ts": 7,
+  "apps/webapp/test/vercelUrls.test.ts": 3,
+  "apps/webapp/test/webhookErrorAlerts.test.ts": 5,
+  "apps/webapp/test/workerQueueSplit.test.ts": 3,
+  "apps/webapp/test/components/DateTime.test.ts": 24,
+  "apps/webapp/test/engine/batchPayloads.test.ts": 5018,
+  "apps/webapp/test/engine/streamBatchItems.test.ts": 45000,
+  "apps/webapp/test/engine/taskIdentifierRegistry.test.ts": 13152,
+  "apps/webapp/test/engine/triggerTask.test.ts": 31630,
+  "apps/webapp/test/presenters/mapRunToLiveFields.test.ts": 3,
+  "apps/webapp/test/services/organizationAccessToken.test.ts": 9,
+  "apps/webapp/test/services/personalAccessToken.test.ts": 8,
+  "apps/webapp/test/components/code/tsql/tsqlCompletion.test.ts": 10,
+  "apps/webapp/test/components/code/tsql/tsqlLinter.test.ts": 237,
+  "apps/webapp/test/components/runs/v3/RunTag.test.ts": 5,
+  "packages/trigger-sdk/test/chat-snapshot.test.ts": 22,
+  "packages/trigger-sdk/test/chatHandover.test.ts": 1658,
+  "packages/trigger-sdk/test/merge-by-id.test.ts": 9,
+  "packages/trigger-sdk/test/mockChatAgent.test.ts": 2254,
+  "packages/trigger-sdk/test/recovery-boot.test.ts": 671,
+  "packages/trigger-sdk/test/replay-session-in.test.ts": 12,
+  "packages/trigger-sdk/test/replay-session-out.test.ts": 40,
+  "packages/trigger-sdk/test/skill.test.ts": 16,
+  "packages/trigger-sdk/test/skillsRuntime.test.ts": 131,
+  "packages/trigger-sdk/test/wire-shape.test.ts": 15,
+  "packages/trigger-sdk/src/v3/chat-server.test.ts": 185,
+  "packages/trigger-sdk/src/v3/chat-tab-coordinator.test.ts": 14,
+  "packages/trigger-sdk/src/v3/chat.test.ts": 77,
+  "packages/trigger-sdk/src/v3/createStartSessionAction.test.ts": 5,
+  "packages/trigger-sdk/src/v3/sessions.test.ts": 31,
+  "packages/trigger-sdk/src/v3/shared.test.ts": 68,
+  "packages/trigger-sdk/src/v3/streams.test.ts": 6,
+  "packages/trigger-sdk/src/v3/triggerClient.test.ts": 66,
+  "packages/trigger-sdk/src/v3/triggerClient.types.test.ts": 11,
+  "packages/redis-worker/src/cron.test.ts": 27371,
+  "packages/redis-worker/src/queue.test.ts": 3435,
+  "packages/redis-worker/src/worker.test.ts": 32870,
+  "packages/redis-worker/src/mollifier/buffer.test.ts": 3091,
+  "packages/redis-worker/src/mollifier/drainer.test.ts": 8403,
+  "packages/redis-worker/src/fair-queue/tests/concurrency.test.ts": 1341,
+  "packages/redis-worker/src/fair-queue/tests/drr.test.ts": 1203,
+  "packages/redis-worker/src/fair-queue/tests/fairQueue.test.ts": 7728,
+  "packages/redis-worker/src/fair-queue/tests/raceConditions.test.ts": 14961,
+  "packages/redis-worker/src/fair-queue/tests/retry.test.ts": 10,
+  "packages/redis-worker/src/fair-queue/tests/tenantDispatch.test.ts": 5769,
+  "packages/redis-worker/src/fair-queue/tests/visibility.test.ts": 3783,
+  "packages/redis-worker/src/fair-queue/tests/workerQueue.test.ts": 1116,
+  "packages/core/test/duration.test.ts": 42,
+  "packages/core/test/errors.test.ts": 51,
+  "packages/core/test/eventFilterMatches.test.ts": 38,
+  "packages/core/test/externalSpanExporterWrapper.test.ts": 13,
+  "packages/core/test/flattenAttributes.test.ts": 59,
+  "packages/core/test/ioSerialization.test.ts": 306,
+  "packages/core/test/jumpHash.test.ts": 385,
+  "packages/core/test/mockTaskContext.test.ts": 61,
+  "packages/core/test/recordSpanException.test.ts": 65,
+  "packages/core/test/resourceCatalog.test.ts": 71,
+  "packages/core/test/runStream.test.ts": 245,
+  "packages/core/test/skillCatalog.test.ts": 17,
+  "packages/core/test/standardMetadataManager.test.ts": 456,
+  "packages/core/test/streamsWriterV1.test.ts": 84112,
+  "packages/core/test/taskExecutor.test.ts": 364,
+  "packages/core/test/utils.test.ts": 15,
+  "packages/core/src/v3/apiClient/runStream.test.ts": 1893,
+  "packages/core/src/v3/apiClient/streamBatchItems.test.ts": 278,
+  "packages/core/src/v3/build/flags.test.ts": 12,
+  "packages/core/src/v3/idempotency-key-catalog/lruIdempotencyKeyCatalog.test.ts": 21,
+  "packages/core/src/v3/machines/max-old-space.test.ts": 18,
+  "packages/core/src/v3/realtimeStreams/manager.test.ts": 28,
+  "packages/core/src/v3/realtimeStreams/streamsWriterV2.test.ts": 91,
+  "packages/core/src/v3/schemas/api-type.test.ts": 33,
+  "packages/core/src/v3/schemas/batchItemNDJSON.test.ts": 15,
+  "packages/core/src/v3/schemas/idempotencyKey.test.ts": 68,
+  "packages/core/src/v3/sessionStreams/manager.test.ts": 126,
+  "packages/core/src/v3/serverOnly/shutdownManager.test.ts": 57,
+  "packages/core/src/v3/taskContext/index.test.ts": 23,
+  "packages/core/src/v3/utils/reconnectBackoff.test.ts": 45,
+  "packages/core/src/v3/runEngineWorker/supervisor/consumerPool.test.ts": 123,
+  "packages/core/src/v3/runEngineWorker/supervisor/queueMetricsProcessor.test.ts": 98,
+  "packages/core/src/v3/runEngineWorker/supervisor/scalingStrategies.test.ts": 92,
+  "packages/schema-to-json/tests/index.test.ts": 17,
+  "internal-packages/run-engine/src/run-queue/index.test.ts": 82296,
+  "internal-packages/run-engine/src/batch-queue/tests/index.test.ts": 5462,
+  "internal-packages/run-engine/src/engine/tests/attemptFailures.test.ts": 35471,
+  "internal-packages/run-engine/src/engine/tests/batchTrigger.test.ts": 33127,
+  "internal-packages/run-engine/src/engine/tests/batchTriggerAndWait.test.ts": 33681,
+  "internal-packages/run-engine/src/engine/tests/batchTwoPhase.test.ts": 28159,
+  "internal-packages/run-engine/src/engine/tests/cancelling.test.ts": 26240,
+  "internal-packages/run-engine/src/engine/tests/checkpoints.test.ts": 29420,
+  "internal-packages/run-engine/src/engine/tests/createCancelledRun.test.ts": 31807,
+  "internal-packages/run-engine/src/engine/tests/createFailedTaskRun.test.ts": 23573,
+  "internal-packages/run-engine/src/engine/tests/debounce.test.ts": 58554,
+  "internal-packages/run-engine/src/engine/tests/delays.test.ts": 42748,
+  "internal-packages/run-engine/src/engine/tests/dequeuing.test.ts": 25542,
+  "internal-packages/run-engine/src/engine/tests/getSnapshotsSince.test.ts": 32158,
+  "internal-packages/run-engine/src/engine/tests/heartbeats.test.ts": 39634,
+  "internal-packages/run-engine/src/engine/tests/lazyWaitpoint.test.ts": 34757,
+  "internal-packages/run-engine/src/engine/tests/locking.test.ts": 51090,
+  "internal-packages/run-engine/src/engine/tests/pendingVersion.test.ts": 28762,
+  "internal-packages/run-engine/src/engine/tests/priority.test.ts": 28808,
+  "internal-packages/run-engine/src/engine/tests/trigger.test.ts": 30601,
+  "internal-packages/run-engine/src/engine/tests/triggerAndWait.test.ts": 28893,
+  "internal-packages/run-engine/src/engine/tests/ttl.test.ts": 61981,
+  "internal-packages/run-engine/src/engine/tests/waitpointRace.test.ts": 22855,
+  "internal-packages/run-engine/src/engine/tests/waitpoints.test.ts": 39521,
+  "internal-packages/run-engine/src/run-queue/tests/ack.test.ts": 3156,
+  "internal-packages/run-engine/src/run-queue/tests/ckCounters.test.ts": 16715,
+  "internal-packages/run-engine/src/run-queue/tests/ckIndex.test.ts": 8916,
+  "internal-packages/run-engine/src/run-queue/tests/concurrencySweeper.test.ts": 6379,
+  "internal-packages/run-engine/src/run-queue/tests/dequeueMessageFromWorkerQueue.test.ts": 66701,
+  "internal-packages/run-engine/src/run-queue/tests/enqueueMessage.test.ts": 9108,
+  "internal-packages/run-engine/src/run-queue/tests/fairQueueSelectionStrategy.test.ts": 7997,
+  "internal-packages/run-engine/src/run-queue/tests/keyProducer.test.ts": 19,
+  "internal-packages/run-engine/src/run-queue/tests/migrateLegacyMasterQueue.test.ts": 1728,
+  "internal-packages/run-engine/src/run-queue/tests/nack.test.ts": 6184,
+  "internal-packages/run-engine/src/run-queue/tests/releaseConcurrency.test.ts": 3018,
+  "internal-packages/run-engine/src/run-queue/tests/workerQueueResolver.test.ts": 38,
+  "internal-packages/cache/src/stores/lruMemory.test.ts": 44,
+  "internal-packages/schedule-engine/test/scheduleEngine.test.ts": 43000,
+  "internal-packages/schedule-engine/test/scheduleRecovery.test.ts": 17396,
+  "internal-packages/replication/src/client.test.ts": 31306,
+  "internal-packages/tsql/src/index.test.ts": 246,
+  "internal-packages/tsql/src/grammar/parser.test.ts": 150,
+  "internal-packages/tsql/src/query/escape.test.ts": 9,
+  "internal-packages/tsql/src/query/parser.test.ts": 368,
+  "internal-packages/tsql/src/query/printer.test.ts": 942,
+  "internal-packages/tsql/src/query/results.test.ts": 4,
+  "internal-packages/tsql/src/query/schema.test.ts": 18,
+  "internal-packages/tsql/src/query/security.test.ts": 487,
+  "internal-packages/tsql/src/query/time_buckets.test.ts": 5,
+  "internal-packages/tsql/src/query/validator.test.ts": 250,
+  "internal-packages/rbac/src/ability.test.ts": 6,
+  "internal-packages/rbac/src/loader.test.ts": 3,
+  "internal-packages/llm-model-catalog/src/registry.test.ts": 15,
+  "internal-packages/llm-model-catalog/src/sync.test.ts": 15852,
+  "internal-packages/clickhouse/src/taskRuns.test.ts": 6813,
+  "internal-packages/clickhouse/src/tsql.test.ts": 9021,
+  "internal-packages/clickhouse/src/tsqlFunctions.test.ts": 12971,
+  "internal-packages/clickhouse/src/client/client.test.ts": 9138,
+  "internal-packages/sdk-compat-tests/src/tests/bundler.test.ts": 348,
+  "internal-packages/sdk-compat-tests/src/tests/import.test.ts": 4742,
+  "apps/webapp/test/runsReplicationService.part1.test.ts": 74000,
+  "apps/webapp/test/runsReplicationService.part2.test.ts": 64000,
+  "apps/webapp/test/runsReplicationService.part3.test.ts": 30000,
+  "apps/webapp/test/runsReplicationService.part4.test.ts": 70000,
+  "apps/webapp/test/runsReplicationService.part5.test.ts": 43000,
+  "apps/webapp/test/runsReplicationService.part6.test.ts": 32000,
+  "apps/webapp/test/runsRepository.part3.test.ts": 43000,
+  "apps/webapp/test/runsRepository.part4.test.ts": 57000,
+  "apps/webapp/test/runsReplicationService.part7.test.ts": 43000,
+  "internal-packages/schedule-engine/test/scheduleEngine2.test.ts": 43000
+}
diff --git a/tests/global.setup.ts b/tests/global.setup.ts
index dfc04c671ed..ce79aef2ed0 100644
--- a/tests/global.setup.ts
+++ b/tests/global.setup.ts
@@ -54,7 +54,7 @@ const setup = async () => {
     await prisma.runtimeEnvironment.create({
       data: {
         slug: "dev",
-        // Defined in @references/nextjs-test
+        // Fixed e2e test API key
         apiKey: "tr_dev_test-api-key",
         pkApiKey: "tr_dev_pk_test-api-key",
         autoEnableInternalSources: false,
@@ -77,7 +77,7 @@ const setup = async () => {
     await prisma.runtimeEnvironment.create({
       data: {
         slug: "prod",
-        // Defined in @references/nextjs-test
+        // Fixed e2e test API key
         apiKey: "tr_prod_test-api-key",
         pkApiKey: "tr_prod_pk_test-api-key",
         autoEnableInternalSources: false,
diff --git a/turbo.json b/turbo.json
index 025a7226472..8f2c862d030 100644
--- a/turbo.json
+++ b/turbo.json
@@ -35,10 +35,10 @@
     "db:migrate:deploy": {
       "cache": false
     },
-    "db:seed": {
+    "webapp#db:seed": {
       "cache": false,
       "dependsOn": [
-        "build"
+        "webapp#build"
       ]
     },
     "db:studio": {