fix: close monitoring + deploy gaps from post-incident audit

[buremba]

Why

Post-incident audit after #771 + #772 landed. Prod is healthy but three real gaps remained that would let the next similar incident slip past monitoring or extend its blast radius:

Gap	Observed today	Risk
Sentry has zero coverage of logger errors	1,914 errors / 5 min in stdout, 0 Sentry issues in 24h	Background-job failures invisible to monitoring; today's noise masks tomorrow's signal
'website' connector orphan feeds	~380 error logs/min from CheckDueFeeds	Log spam, hides real errors; not user-facing
Single-replica Recreate strategy	every deploy = ~30s "no available server"	Cloudflare 502s on every rollout

What

1. pino → Sentry forwarding (utils/logger.ts)

Adds a pino destination that mirrors stdout AND forwards level >= error to Sentry. In-process dedupe by (msg, err.type, top stack frame) with a 60s window — Sentry has its own grouping but every captureException still costs an HTTP call, and a repeating error at 380/min would saturate the budget.

2. Orphan-feed cleanup (queue-helpers.ts + 20260517020000_softdelete_orphan_feeds.sql)

• Code: createSyncRunWithClient now warns + skips when no active connector_definition exists for (connector_key, organization_id). Pre-fix it threw, producing the error stream.
• Migration: one-shot soft-delete of feeds matching the orphan criteria (no pinned_version, active connection, no active definition in the org). Conservative criteria — only touches feeds that the current code would also fail on.

3. Graceful drain (charts/lobu/templates/deployment.yaml + values.yaml)

• preStop lifecycle hook: 15s sleep (configurable via app.preStopDelaySeconds). When k8s decides to terminate, this lets Service endpoint deregistration propagate through kube-proxy + Cloudflare LB before the process gets SIGTERM. In-flight requests routed during the deregistration lag still hit a live process.
• terminationGracePeriodSeconds: 45 (configurable). Covers preStop + the graceful shutdown in server.ts (~5s for HTTP server close, task scheduler stop, DB pool drain).
• Strategy stays Recreate (workspaces PVC is RWO). Comment explains the path to RollingUpdate: needs RWX storage or workspaces split off the gateway deployment. Not done here because it's an ops-repo storage-class decision, not in-tree code.

Validation

• make typecheck clean
• make build-packages builds
• Migration applies on a fresh PG (validated locally via docker pgvector/pgvector:pg18)
• db/schema.sql diff is intent-only (one new schema_migrations row)
• Manual: after deploy, send a logger.error(new Error('test'), ...) from a debug endpoint, confirm a Sentry issue appears
• Manual: trigger a rollout, observe whether the "no available server" window shrinks below the prior ~30s

Out of scope (acknowledged)

• True elimination of the deploy gap needs RWX storage for workspaces or moving workspaces off the gateway pod entirely. That's an ops-repo decision (storage class, cost). Current commit reduces the gap but doesn't close it. Tracked for follow-up.
• The orphan-feed migration uses conservative criteria; it should be safe but operators with non-standard feed setups may want to inspect SELECT count(*) FROM feeds WHERE ... before/after.

Summary by CodeRabbit

• New Features

  • Enhanced error monitoring with deduplication to reduce duplicate reports.
  • Improved graceful pod shutdown with optional pre-stop delay and configurable termination timeout.

• Bug Fixes

  • Automatic cleanup (soft-delete) of orphaned feeds when connectors are missing.

• Chores

  • Added a one‑time DB migration and schema update to apply the orphan-feed cleanup.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 3f1ca546-7afa-4e9a-a38e-bf73df7e78d8

📥 Commits

Reviewing files that changed from the base of the PR and between 1636fb0 and 34a977d.

📒 Files selected for processing (1)

• packages/web

---

📝 Walkthrough

Walkthrough

Adds configurable Helm pod termination timing and optional preStop hook, forwards error/fatal logs to Sentry with in-process deduplication and a marker to avoid duplicate reports, and soft-deletes orphan feeds with a migration and runtime orphan-handling change.

Changes

Graceful pod shutdown configuration

Layer / File(s)	Summary
Pod shutdown lifecycle and Helm values charts/lobu/templates/deployment.yaml, charts/lobu/values.yaml	Deployment template emits terminationGracePeriodSeconds templated from Values.app.terminationGracePeriodSeconds and conditionally renders a lifecycle.preStop.exec sleep when app.preStopDelaySeconds > 0. Helm values add app.preStopDelaySeconds (default 0) and app.terminationGracePeriodSeconds (default 45) with explanatory comments.

Sentry error observability

Layer / File(s)	Summary
Sentry forwarding, deduplication, and stream packages/server/src/utils/logger.ts, packages/server/src/server.ts	Logger imports @sentry/node, enforces Pino err serializer, implements an in-memory dedupe map and capture path for parsed error/fatal records via a custom destination stream that still writes to stdout. server.ts marks errors with sentryReported: true when already sent to Sentry.

Orphan feed cleanup and handling

Layer / File(s)	Summary
Soft-delete orphan feeds and record migration db/migrations/20260517020000_softdelete_orphan_feeds.sql, db/schema.sql	New migration sets deleted_at = now() for active, unpinned feeds whose connection exists but which lack an active connector_definitions entry for (organization_id, connector_key). schema.sql records the new migration version; down migration is a no-op with manual recovery notes.
Queue-helpers graceful orphan treatment packages/server/src/utils/queue-helpers.ts	createSyncRunWithClient now soft-deletes feeds detected as orphans, logs a structured warning including feedId, connector_key, and organization_id, and returns null (skip) instead of throwing.

Sequence Diagram(s)

sequenceDiagram
  participant App as Application (server.ts)
  participant Logger as Pino (sentryAwareStream)
  participant Stdout as Stdout
  participant Sentry as `@sentry/node`
  App->>Logger: log(error/fatal, {err|error, msg}) (may set sentryReported)
  Logger->>Stdout: write JSON line
  Logger->>Logger: parse JSON -> dedupe check
  Logger->>Sentry: captureException / captureMessage (if not deduped && not sentryReported)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• fix(reliability): gate boot on schema, surface err, split readiness #767

Poem

🐰 In charts and logs the small changes creep,

Pods nap before they fall to sleep,
Errors hop to Sentry, once, not twice,
Orphan feeds tuck in, soft-deleted nice,
A rabbit hums: "All systems rest and keep."

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: close monitoring + deploy gaps from post-incident audit' is concise, clear, and accurately summarizes the main objectives of the changeset: addressing monitoring and deployment gaps identified in a post-incident audit.
Description check	✅ Passed	The pull request description provides comprehensive coverage of all required sections: clear why/what/validation structure, specific test plan checkboxes marked as run, and detailed notes including follow-up considerations and out-of-scope items.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/monitoring-and-deploy-gaps

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b3aefea639

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Sanitize log metadata before sending it to Sentry

When an error log includes application payloads, this forwards the entire parsed log line to Sentry as extra. For example, packages/server/src/tools/admin/manage_classifiers.ts:901 logs { error, args }, where args includes user-provided classification values/reasoning; with this change any failure in that path now exports those fields to Sentry instead of only stdout. Please redact or whitelist metadata before attaching it to Sentry events.

Useful? React with 👍 / 👎.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/server/src/utils/logger.ts (1)

83-88: ⚡ Quick win

Preserve error type for better Sentry grouping.

The reconstructed Error loses its original type (e.g., TypeError, SyntaxError). Sentry uses error.name for grouping, so different error types with similar messages will be incorrectly grouped together.

♻️ Proposed fix

       // Reconstruct an Error so Sentry's grouping works on the stack.
       const reconstructed = new Error(errObj.message);
       if (errObj.stack) reconstructed.stack = errObj.stack;
+      if (errObj.type) reconstructed.name = errObj.type;
       Sentry.captureException(reconstructed, {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/server/src/utils/logger.ts` around lines 83 - 88, The reconstructed
Error currently loses the original error type/name used by Sentry for grouping;
when building the synthetic error before calling Sentry.captureException (using
variables errObj, reconstructed, parsed, level), set the reconstructed error's
name to the original type (e.g., reconstructed.name = errObj.name ||
reconstructed.name) so Sentry preserves error.name/grouping and include the same
reconstructed.stack and extra/tags as before.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/lobu/templates/deployment.yaml`:
- Line 50: The current use of Helm's default() treats 0 as empty and overrides
explicit zeros; change both occurrences (preStopDelaySeconds and
terminationGracePeriodSeconds) to check presence instead of using default(),
e.g. replace {{ .Values.app.terminationGracePeriodSeconds | default 45 }} and {{
.Values.app.preStopDelaySeconds | default 15 }} with an explicit conditional
using hasKey/.Values.app presence (for example: if hasKey .Values.app
"terminationGracePeriodSeconds" then render
.Values.app.terminationGracePeriodSeconds else render 45) so that a
user-provided 0 is honored.

---

Nitpick comments:
In `@packages/server/src/utils/logger.ts`:
- Around line 83-88: The reconstructed Error currently loses the original error
type/name used by Sentry for grouping; when building the synthetic error before
calling Sentry.captureException (using variables errObj, reconstructed, parsed,
level), set the reconstructed error's name to the original type (e.g.,
reconstructed.name = errObj.name || reconstructed.name) so Sentry preserves
error.name/grouping and include the same reconstructed.stack and extra/tags as
before.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: e8f6fe82-8615-4ea0-84f2-8113bb28f282

📥 Commits

Reviewing files that changed from the base of the PR and between 653566f and b3aefea.

📒 Files selected for processing (6)

• charts/lobu/templates/deployment.yaml
• charts/lobu/values.yaml
• db/migrations/20260517020000_softdelete_orphan_feeds.sql
• db/schema.sql
• packages/server/src/utils/logger.ts
• packages/server/src/utils/queue-helpers.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Does Helm's defaultfunction treat numeric0 as empty (therefore returning the fallback value)?

💡 Result:

Yes. Helm’s default function treats the numeric value 0 as “empty”, so it will return the fallback value instead of 0. This comes from Sprig’s default semantics: the definition of “empty” includes numeric 0, and for “non-empty” values the given value is used, otherwise the default is returned [1]. Helm documents default as default DEFAULT_VALUE GIVEN_VALUE and that it returns the default “if [the given value] is empty” [2]. Helm issues report that when a value is set to 0 (integer), default behaves as if it were unset/empty and the fallback is used [3][4]. Practical implication: if 0 is a valid value in your chart, don’t use default directly; instead use an explicit check (for example, distinguish “not set” vs “set to 0”) as suggested by Helm community discussions [3][4].

Citations:

• 1: http://masterminds.github.io/sprig/defaults.html
• 2: https://helm.sh/pt/docs/chart_template_guide/functions_and_pipelines
• 3: default template function treats 0 value as unspecified helm/helm#13036
• 4: Wrong interpretation of Zero in templates files when having a default value helm/helm#3164

---

🏁 Script executed:

fd -type f -name 'values.yaml' charts/

Repository: lobu-ai/lobu

Length of output: 227

---

🏁 Script executed:

# Read the values.yaml to check for terminationGracePeriodSeconds and preStopDelaySeconds
cat -n charts/lobu/values.yaml | grep -A 5 -B 5 "terminationGracePeriodSeconds\|preStopDelaySeconds"

Repository: lobu-ai/lobu

Length of output: 857

---

🏁 Script executed:

cat -n charts/lobu/templates/deployment.yaml | sed -n '45,55p; 118,125p'

Repository: lobu-ai/lobu

Length of output: 1255

---

default here overrides explicit 0 and breaks configurability.

On Line 50 and Line 122, Helm default will treat 0 as empty and fall back to 45/15. That means operators cannot intentionally set preStopDelaySeconds: 0 (disable delay) or terminationGracePeriodSeconds: 0.

Suggested fix

-      terminationGracePeriodSeconds: {{ .Values.app.terminationGracePeriodSeconds | default 45 }}
+      terminationGracePeriodSeconds: {{ .Values.app.terminationGracePeriodSeconds }}
...
-                command: ["sh", "-c", "sleep {{ .Values.app.preStopDelaySeconds | default 15 }}"]
+                command: ["sh", "-c", "sleep {{ .Values.app.preStopDelaySeconds }}"]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/lobu/templates/deployment.yaml` at line 50, The current use of Helm's
default() treats 0 as empty and overrides explicit zeros; change both
occurrences (preStopDelaySeconds and terminationGracePeriodSeconds) to check
presence instead of using default(), e.g. replace {{
.Values.app.terminationGracePeriodSeconds | default 45 }} and {{
.Values.app.preStopDelaySeconds | default 15 }} with an explicit conditional
using hasKey/.Values.app presence (for example: if hasKey .Values.app
"terminationGracePeriodSeconds" then render
.Values.app.terminationGracePeriodSeconds else render 45) so that a
user-provided 0 is honored.

[buremba]

pi review — 6 findings, all addressed

1636fb0:

1. preStop on Recreate would make the gap WORSE. Pi caught a real reversal. Under `strategy: Recreate` the new pod waits for the old one to terminate, so adding a preStop sleep EXTENDS the no-available-server window. Default `preStopDelaySeconds` is now 0; the lifecycle hook is only emitted when > 0. Operators only set it with RollingUpdate (which needs RWX storage on workspaces — separate ops decision).
2. Migration too broad. Tightened WHERE to require `feeds.status='active' AND connections.status='active'`, matching exactly the set CheckDueFeeds processes. Paused / pending_auth / error feeds untouched.
3. Sentry double-report. `server.ts onError` captures the exception then logs it; the new forwarder would re-send. Added `sentryReported: true` marker on those log lines; forwarder skips when seen.
4. Dedupe fingerprint too coarse. Added `err.message` to the fingerprint so distinct messages from the same catch site don't suppress each other within the 60s window.
5. Existing call sites with stringified errors (`logger.error({ error: errorMessage(err) }, ...)`): pre-existing tech debt, not regressed by this PR. The forwarder handles Error-object payloads cleanly; the string-error sites lose stack/type info but still produce captureMessage events that Sentry can group. Tracked as a follow-up cleanup pass.
6. Warn-skip would leave orphans being polled forever. `createSyncRunWithClient` now soft-deletes the feed in-place when no active definition is found, so CheckDueFeeds stops selecting it. Operators recover by clearing `deleted_at` after reinstalling the definition.

Build + typecheck clean.