ci(railway): address PR review (idempotency, merge intent, robustness)

- railway_call: classify 'up' and 'redeploy' as non-idempotent so an
  ambiguous transient timeout is NOT blind-retried (avoids triggering a
  duplicate/racing deployment). Rate-limit retries still apply. (Two
  reviewers flagged this.)
- railway_call + _railway_graphql: floor RAILWAY_RETRY_MAX at 1 so a '0'
  override can't silently return success without making the call.
- upsert_service_vars: set 'replace: false' explicitly on variableCollection
  Upsert. Verified the API already defaults to merge (set_vars then
  set_optional_vars on the same service rely on accumulation), but pinning it
  guards against a future default change wiping earlier variables. Confirmed
  the field is accepted by the schema.
- upsert_service_vars: if a service name can't be resolved to an id, fall
  back to the CLI variable set instead of hard-failing the deploy.

All verified against a live preview project (references still resolve, '='
in values preserved) and unit/regression suites still pass.

Author: mmabrouk

hosting/railway/oss/scripts/configure.sh

@@ -110,10 +110,18 @@ upsert_service_vars() {
     local svc_id
     svc_id="$(_service_id "$service")"
     if [ -z "$svc_id" ]; then
-        printf "Could not resolve service id for '%s' in environment '%s'\n" "$service" "$ENV_NAME" >&2
-        return 1
+        # Name didn't match the cached status JSON (e.g. unexpected casing). Don't
+        # hard-fail the deploy where the CLI's --service would have worked; fall
+        # back to it.
+        printf "Could not resolve service id for '%s'; falling back to CLI variable set.\n" "$service" >&2
+        railway_call variable set --service "$service" --environment "$ENV_NAME" --skip-deploys "$@" >/dev/null
+        return 0
     fi
 
+    # replace:false makes the merge intent explicit: configure.sh calls set_vars
+    # then set_optional_vars for the same service and relies on accumulation.
+    # (Verified the API already defaults to merge, but pinning it avoids any
+    # future default change silently wiping earlier variables.)
     local vars_json payload
     vars_json="$(_vars_to_json "$@")"
     payload="$(jq -nc \
@@ -122,7 +130,7 @@ upsert_service_vars() {
         --arg s "$svc_id" \
         --argjson vars "$vars_json" \
         '{query: "mutation($input: VariableCollectionUpsertInput!){ variableCollectionUpsert(input: $input) }",
-          variables: {input: {projectId: $p, environmentId: $e, serviceId: $s, skipDeploys: true, variables: $vars}}}')"
+          variables: {input: {projectId: $p, environmentId: $e, serviceId: $s, skipDeploys: true, replace: false, variables: $vars}}}')"
 
     _railway_graphql "$payload" >/dev/null
 }

hosting/railway/oss/scripts/lib.sh

@@ -134,17 +134,21 @@ _railway_redact() {
 #   RAILWAY_RETRY_DELAY   Initial backoff delay in seconds (default: 10)
 railway_call() {
     local max_attempts="${RAILWAY_RETRY_MAX:-5}"
+    [ "$max_attempts" -ge 1 ] 2>/dev/null || max_attempts=1
     local delay="${RAILWAY_RETRY_DELAY:-10}"
     local attempt=1
     local output
     local exit_code
 
-    # Is this a non-idempotent create? If so, an ambiguous timeout must not be
-    # blind-retried (the resource may already exist). Rate-limit retries are
-    # still safe because a 429 is rejected before any work is done.
+    # Is this a non-idempotent / side-effecting command? If so, an ambiguous
+    # timeout must not be blind-retried: the server may have already accepted
+    # the request, so a retry could duplicate the resource (`init`/`add`/
+    # `environment new`/`volume add`) or trigger a second deployment (`up`/
+    # `redeploy`). Rate-limit retries stay safe for all commands because a 429
+    # is rejected before any work is done.
     local idempotent=1
     case "$1" in
-        init | add) idempotent=0 ;;
+        init | add | up | redeploy) idempotent=0 ;;
         environment) [ "${2:-}" = "new" ] && idempotent=0 ;;
         volume) [ "${2:-}" = "add" ] && idempotent=0 ;;
     esac
@@ -217,6 +221,7 @@ _railway_graphql() {
     local endpoint="${RAILWAY_GRAPHQL_URL:-https://backboard.railway.com/graphql/v2}"
     local token="${RAILWAY_API_TOKEN:-${RAILWAY_TOKEN:-}}"
     local max_attempts="${RAILWAY_RETRY_MAX:-5}"
+    [ "$max_attempts" -ge 1 ] 2>/dev/null || max_attempts=1
     local delay="${RAILWAY_RETRY_DELAY:-10}"
     local timeout_s="${RAILWAY_GRAPHQL_TIMEOUT:-90}"
     local attempt=1