triggerdotdev
diff --git a/‎.changeset/trigger-skills-installer.md‎
Lines changed: 11 additions & 0 deletions b/‎.changeset/trigger-skills-installer.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎.server-changes/compute-network-labels.md‎
Lines changed: 6 additions & 0 deletions b/‎.server-changes/compute-network-labels.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.server-changes/mollifier-decision-enrolled-org-labels.md‎
Lines changed: 6 additions & 0 deletions b/‎.server-changes/mollifier-decision-enrolled-org-labels.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎apps/supervisor/src/index.ts‎
Lines changed: 1 addition & 0 deletions b/‎apps/supervisor/src/index.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/supervisor/src/workloadManager/compute.ts‎
Lines changed: 19 additions & 0 deletions b/‎apps/supervisor/src/workloadManager/compute.ts‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎apps/webapp/app/v3/mollifier/mollifierGate.server.ts‎
Lines changed: 32 additions & 24 deletions b/‎apps/webapp/app/v3/mollifier/mollifierGate.server.ts‎
Lines changed: 32 additions & 24 deletions
diff --git a/‎apps/webapp/app/v3/mollifier/mollifierTelemetry.server.ts‎
Lines changed: 32 additions & 4 deletions b/‎apps/webapp/app/v3/mollifier/mollifierTelemetry.server.ts‎
Lines changed: 32 additions & 4 deletions
diff --git a/‎apps/webapp/test/mollifierDecisionLabels.test.ts‎
Lines changed: 54 additions & 0 deletions b/‎apps/webapp/test/mollifierDecisionLabels.test.ts‎
Lines changed: 54 additions & 0 deletions
@@ -0,0 +1,11 @@
+---
+"trigger.dev": patch
+---
+
+`trigger skills` installs Trigger.dev agent skills into your coding agent so it knows how to write tasks, schedules, realtime, and chat.agent code. The skills ship with the CLI and are copied into each tool's native skills directory (Claude Code, Cursor, GitHub Copilot, and Codex / AGENTS.md), and `trigger dev` offers to install them on first run.
+
+```bash
+trigger skills --target claude-code
+```
+
+Replaces the previous `install-rules` command, which stays as an alias.
@@ -0,0 +1,6 @@
+---
+area: supervisor
+type: feature
+---
+
+Forward per-run identity labels to the compute provider on create and restore, letting network policy select runs (e.g. private link).
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: improvement
+---
+
+Add bounded `enrolled` and `org` labels to the `mollifier.decisions` metric so per-enrolled-org pass-through vs mollify is visible (the `org` label is attached only for the enrolled cohort to keep cardinality bounded).
@@ -376,6 +376,7 @@ class ManagedSupervisor {
                     envId: message.environment.id,
                     orgId: message.organization.id,
                     projectId: message.project.id,
+                    hasPrivateLink: message.organization.hasPrivateLink,
                     dequeuedAt: message.dequeuedAt,
                   });
                   recordPhaseSince("restore", restoreStart, undefined);
 
@@ -133,6 +133,14 @@ export class ComputeWorkloadManager implements WorkloadManager {
     // Strip image digest - resolve by tag, not digest
     const imageRef = stripImageDigest(opts.image);
 
+    // Labels forwarded to the compute provider for network-policy selection;
+    // the provider promotes a configured subset to its network layer. Mirrors
+    // the privatelink label the Kubernetes workload manager sets on the run pod.
+    const labels: Record<string, string> = {};
+    if (opts.hasPrivateLink) {
+      labels.privatelink = opts.orgId;
+    }
+
     // Wide event: single canonical log line emitted in finally
     const event: Record<string, unknown> = {
       // High-cardinality identifiers
@@ -173,6 +181,7 @@ export class ComputeWorkloadManager implements WorkloadManager {
             deploymentVersion: opts.deploymentVersion,
             machine: opts.machine.name,
           },
+          ...(Object.keys(labels).length > 0 ? { labels } : {}),
         })
       );
 
@@ -297,6 +306,7 @@ export class ComputeWorkloadManager implements WorkloadManager {
     envId?: string;
     orgId?: string;
     projectId?: string;
+    hasPrivateLink?: boolean;
     dequeuedAt?: Date;
   }): Promise<boolean> {
     const metadata: Record<string, string> = {
@@ -309,6 +319,14 @@ export class ComputeWorkloadManager implements WorkloadManager {
       TRIGGER_WORKER_INSTANCE_NAME: this.opts.runner.instanceName,
     };
 
+    // Resupply the same labels on restore (mirror of the create path); the
+    // provider doesn't persist them across a snapshot, so without this a
+    // restored run would lose its policy-based network selection.
+    const labels: Record<string, string> = {};
+    if (opts.hasPrivateLink && opts.orgId) {
+      labels.privatelink = opts.orgId;
+    }
+
     this.logger.verbose("restore request body", {
       snapshotId: opts.snapshotId,
       runnerId: opts.runnerId,
@@ -322,6 +340,7 @@ export class ComputeWorkloadManager implements WorkloadManager {
         metadata,
         cpu: opts.machine.cpu,
         memory_gb: opts.machine.memory,
+        ...(Object.keys(labels).length > 0 ? { labels } : {}),
       })
     );
 
 
@@ -7,6 +7,7 @@ import {
   recordDecision,
   type DecisionOutcome,
   type DecisionReason,
+  type RecordDecisionOptions,
 } from "./mollifierTelemetry.server";
 
 // `count` is the fleet-wide fixed-window counter for the env (INCR with a
@@ -80,7 +81,7 @@ export type GateDependencies = {
     inputs: GateInputs,
     decision: Extract<TripDecision, { divert: true }>,
   ) => void;
-  recordDecision: (outcome: DecisionOutcome, reason?: DecisionReason) => void;
+  recordDecision: (outcome: DecisionOutcome, opts: RecordDecisionOptions) => void;
 };
 
 // `options` is a thunk so env reads happen per-evaluation, not at module load.
@@ -152,52 +153,59 @@ export async function evaluateGate(
 ): Promise<GateOutcome> {
   const d = { ...defaultGateDependencies, ...deps };
 
+  // Resolve the per-org flag up front so every decision below — including
+  // the bypasses — can be labelled enrolled vs not on the
+  // `mollifier.decisions` counter. Fail open: a transient error must not
+  // block triggers. The resolver is purely in-memory (reads
+  // `Organization.featureFlags`); it adds no DB round-trip to the hot path.
+  let orgFlagEnabled: boolean;
+  try {
+    orgFlagEnabled = await d.resolveOrgFlag(inputs);
+  } catch (error) {
+    logger.warn("mollifier.resolve_org_flag_failed", {
+      envId: inputs.envId,
+      orgId: inputs.orgId,
+      taskId: inputs.taskId,
+      error: error instanceof Error ? error.message : String(error),
+    });
+    orgFlagEnabled = false;
+  }
+  // Passed to every `recordDecision`. `org` only becomes a label for the
+  // (operationally capped) enrolled cohort — the guard is in
+  // `decisionLabels`, so passing orgId unconditionally here is safe.
+  const labels: RecordDecisionOptions = { enrolled: orgFlagEnabled, orgId: inputs.orgId };
+
   // Debounce bypass. onDebounced is a closure over webapp state and
   // can't be snapshotted into the buffer for drainer replay. Skip before the
   // trip evaluator so debounce traffic is never counted against the rate.
   if (inputs.options?.debounce) {
-    d.recordDecision("pass_through");
+    d.recordDecision("pass_through", labels);
     return { action: "pass_through" };
   }
   // OneTimeUseToken bypass. OTU is a security feature on the PUBLIC_JWT
   // auth path; its synchronous-rejection contract is materially worse to
   // break than the idempotency-key contract.
   if (inputs.options?.oneTimeUseToken) {
-    d.recordDecision("pass_through");
+    d.recordDecision("pass_through", labels);
     return { action: "pass_through" };
   }
   // Single triggerAndWait bypass. batchTriggerAndWait still funnels
   // through TriggerTaskService.call per item so the dominant burst pattern
   // remains covered.
   if (inputs.options?.parentTaskRunId && inputs.options?.resumeParentOnCompletion) {
-    d.recordDecision("pass_through");
+    d.recordDecision("pass_through", labels);
     return { action: "pass_through" };
   }
 
   if (!d.isMollifierEnabled()) {
-    d.recordDecision("pass_through");
+    d.recordDecision("pass_through", labels);
     return { action: "pass_through" };
   }
 
-  // Fail open: a transient DB error resolving the per-org flag must not
-  // block triggers. Mirror the evaluator's fail-open posture in
-  // `mollifierTripEvaluator.server.ts`.
-  let orgFlagEnabled: boolean;
-  try {
-    orgFlagEnabled = await d.resolveOrgFlag(inputs);
-  } catch (error) {
-    logger.warn("mollifier.resolve_org_flag_failed", {
-      envId: inputs.envId,
-      orgId: inputs.orgId,
-      taskId: inputs.taskId,
-      error: error instanceof Error ? error.message : String(error),
-    });
-    orgFlagEnabled = false;
-  }
   const shadowOn = d.isShadowModeOn();
 
   if (!orgFlagEnabled && !shadowOn) {
-    d.recordDecision("pass_through");
+    d.recordDecision("pass_through", labels);
     return { action: "pass_through" };
   }
 
@@ -226,17 +234,17 @@ export async function evaluateGate(
     decision = { divert: false };
   }
   if (!decision.divert) {
-    d.recordDecision("pass_through");
+    d.recordDecision("pass_through", labels);
     return { action: "pass_through" };
   }
 
   if (orgFlagEnabled) {
     d.logMollified(inputs, decision);
-    d.recordDecision("mollify", decision.reason);
+    d.recordDecision("mollify", { ...labels, reason: decision.reason });
     return { action: "mollify", decision };
   }
 
   d.logShadow(inputs, decision);
-  d.recordDecision("shadow_log", decision.reason);
+  d.recordDecision("shadow_log", { ...labels, reason: decision.reason });
   return { action: "shadow_log", decision };
 }
@@ -9,11 +9,39 @@ export const mollifierDecisionsCounter = meter.createCounter("mollifier.decision
 export type DecisionOutcome = "pass_through" | "shadow_log" | "mollify";
 export type DecisionReason = "per_env_rate";
 
-export function recordDecision(outcome: DecisionOutcome, reason?: DecisionReason): void {
-  mollifierDecisionsCounter.add(1, {
+export type RecordDecisionOptions = {
+  reason?: DecisionReason;
+  // Whether the org has the per-org mollifier flag enabled. Emitted as the
+  // bounded `enrolled` label so we can see how often enrolled orgs pass
+  // through instead of mollifying — the whole point of this instrumentation.
+  enrolled: boolean;
+  // Org id, attached as the `org` label ONLY when `enrolled` is true. The
+  // enrolled cohort is capped operationally (<= 10 orgs), so this stays
+  // low-cardinality. It must NEVER be attached for non-enrolled orgs — that
+  // would fan the metric out across every org id in production (unbounded;
+  // the same high-cardinality ban that keeps envId/orgId off the other
+  // mollifier metrics). The guard lives in `decisionLabels`, so callers can
+  // pass orgId unconditionally.
+  orgId?: string;
+};
+
+// Pure: builds the metric label set for a gate decision. Extracted from
+// `recordDecision` so the org-only-when-enrolled cardinality guard is
+// unit-testable without standing up an OTel meter.
+export function decisionLabels(
+  outcome: DecisionOutcome,
+  opts: RecordDecisionOptions,
+): Record<string, string> {
+  return {
     outcome,
-    ...(reason ? { reason } : {}),
-  });
+    enrolled: opts.enrolled ? "true" : "false",
+    ...(opts.reason ? { reason: opts.reason } : {}),
+    ...(opts.enrolled && opts.orgId ? { org: opts.orgId } : {}),
+  };
+}
+
+export function recordDecision(outcome: DecisionOutcome, opts: RecordDecisionOptions): void {
+  mollifierDecisionsCounter.add(1, decisionLabels(outcome, opts));
 }
 
 // Counts subscriptions hitting `/realtime/v1/runs/<id>` for a run that
 
@@ -0,0 +1,54 @@
+import { describe, expect, it } from "vitest";
+
+import { decisionLabels } from "~/v3/mollifier/mollifierTelemetry.server";
+
+// The cardinality guard. `org` is a bounded label (enrolled cohort is capped
+// at <= 10 orgs operationally), so it may ONLY be attached when the org is
+// enrolled. Attaching it for non-enrolled orgs would fan `mollifier.decisions`
+// out across every org id in production — the high-cardinality blow-up these
+// labels are explicitly designed to avoid.
+describe("decisionLabels", () => {
+  it("always emits a bounded `enrolled` label (true/false)", () => {
+    expect(decisionLabels("pass_through", { enrolled: false })).toEqual({
+      outcome: "pass_through",
+      enrolled: "false",
+    });
+    expect(decisionLabels("pass_through", { enrolled: true, orgId: "org_1" })).toMatchObject({
+      enrolled: "true",
+    });
+  });
+
+  it("attaches the `org` label ONLY when enrolled — never for non-enrolled, even if orgId is passed", () => {
+    // Non-enrolled: orgId passed but MUST be dropped (cardinality guard).
+    expect(decisionLabels("pass_through", { enrolled: false, orgId: "org_unbounded" })).toEqual({
+      outcome: "pass_through",
+      enrolled: "false",
+    });
+
+    // Enrolled: org label present.
+    expect(
+      decisionLabels("mollify", { enrolled: true, orgId: "org_1", reason: "per_env_rate" }),
+    ).toEqual({
+      outcome: "mollify",
+      enrolled: "true",
+      reason: "per_env_rate",
+      org: "org_1",
+    });
+  });
+
+  it("omits `org` when enrolled but no orgId is supplied", () => {
+    expect(decisionLabels("pass_through", { enrolled: true })).toEqual({
+      outcome: "pass_through",
+      enrolled: "true",
+    });
+  });
+
+  it("includes `reason` only when supplied", () => {
+    expect(decisionLabels("pass_through", { enrolled: true, orgId: "org_1" })).not.toHaveProperty(
+      "reason",
+    );
+    expect(
+      decisionLabels("shadow_log", { enrolled: false, reason: "per_env_rate" }),
+    ).toMatchObject({ reason: "per_env_rate" });
+  });
+});