fix(worker): Wave 2 P1s — BugBash 2026-05-20

Eight cross-confirmed P1s from the BugBash 2026-05-20 master report,
all worker-scoped. Each fix ships a CI-run regression test.

MR-P1-16 — forwarder ledger ordering (claim-after-2xx).
  event_email_forwarder.go: the forwarder_sent ledger was claimed BEFORE
  SendEvent. A crash between claim-commit and send-completion left the
  ledger written with no email actually sent → next tick saw claimed=
  false → cursor advanced → silent permanent loss. Re-ordered to
  isSent() BEFORE the send (dedup), markSent() AFTER a confirmed 2xx
  (claim). Trades a crash-loss for an at-most-once duplicate on
  SIGKILL mid-POST (Brevo X-Mailin-Custom absorbs where honored) —
  a duplicate is strictly safer than a loss. Cross-confirmed by T4
  P1-2 + T22 P1-2.
  Test: TestEventForwarder_CrashAfterSendBeforeClaim_NoLoss.

T22 P1-1 — worker email-provider PII leak.
  brevo_provider.go (9 sites) + ses_provider.go (10 sites) logged
  evt.Recipient raw at INFO/WARN/ERROR. The L1 maskEmail fix in api
  4078ca3 never touched the worker. Added worker/internal/email/
  logsafe.go (mirror of api maskEmail) and applied at every site.
  Test: TestWorkerEmailProviders_NoRawRecipientInLogs (registry-style,
  6 sub-tests across both providers + success/permanent/transient
  paths) + TestMaskEmail_BasicShapes.

T6 P0-1 (worker half) — stack namespace teardown leak + PASS 5.
  ExpireStacksWorker carried nsPrefix="instant-apps-" (from
  cfg.KubeNamespaceApps), but real stack namespaces are
  "instant-stack-<id>". The safety guard refused every real stack
  namespace and returned nil-success → DELETE FROM stacks ran anyway
  → orphan namespace + pods + ingress + TLS forever with no DB
  pointer. Fixed by introducing ExpireStacksNamespacePrefix =
  "instant-stack-" and passing it at the wiring. Added PASS 5 to the
  orphan-sweep reconciler (mirror of the PASS 4 customer-NS sweep)
  to catch pre-fix orphans and guard against recurrence.
  Tests: TestExpireStacksNamespacePrefix_MatchesStackProviderContract,
  TestOrphanSweep_Pass5_ReclaimsOrphanedStackNamespace,
  TestOrphanSweep_Pass5_NoStackNamespaces_NoQuery.

T20 P0-2 / P1-3 — Workers.Stop drain-before-cancel.
  Pre-fix order was `cancel(); client.Stop(ctx)` — cancelling
  workerCtx FIRST aborted every in-flight job, wasting the 30s
  graceful drain. River's Stop() is the graceful contract; the
  pre-fix code reimplemented StopAndCancel by accident. Reordered
  to drain first, cancel after.
  Test: TestWorkers_Stop_DrainBeforeCancel.

T20 P1 — process-wide River JobTimeout.
  River's default JobTimeout is no timeout. A hung job (wedged
  provisioner gRPC / Razorpay TCP black-hole / k8s API stall)
  pinned its worker slot for the lifetime of the pod. Added
  globalJobTimeout = 20 minutes (covers the longest legitimate
  single-tick job — billing reconciler ~17min — without pinning
  runaways).
  Test: TestWorkers_GlobalJobTimeout_HasSensibleValue.

T8 P1-1 / MR-P1-21 — entitlement reconciler uses resource.tier.
  shouldRegrade and both regrade paths resolved caps from
  teams.plan_tier — the team's CURRENT tier — instead of
  resources.tier (the per-row snapshot). A pro→hobby downgrade
  silently shrunk the paid customer's existing pro Postgres
  connection cap (and Redis maxmemory) to the hobby cap on the
  next reconciler tick, contradicting the documented "keep their
  tier" courtesy. Switched the source of truth to resources.tier.
  Test: TestEntitlementReconciler_DowngradedTeam_KeepsResourceTierCap.

T8 P1-2 / MR-P1-22 — Mongo arm on the entitlement reconciler.
  The reconciler previously iterated Postgres + Redis only. Mongo
  was silently under-delivered on upgrade (hobby→pro left every
  Mongo resource at hobby caps until re-provision). Added
  sweepMongoEntitlements — iterates active Mongo resources, calls
  RegradeResource with the resource.tier snapshot. The provisioner
  currently returns skip_reason="unsupported resource type for
  regrade" for MONGODB so this is a hooked-up loud no-op (visible
  mongo_skipped counter on .completed), giving a future
  provisioner.regradeMongo implementation an attach point with
  zero worker-side changes (CLAUDE.md rule 22).
  Test: TestEntitlementReconciler_MongoArm_SweepsMongoResources.

T21 P1-1 — remaining idle-tick INFO spam → DEBUG.
  Eight more high-frequency jobs still emitted INFO every 30-60s
  when idle: deploy_status_reconcile, deploy_notify_webhook,
  magic_link_reconciler, pending_deletion_expirer, deployment_expirer,
  provisioner_reconciler, customer_backup_runner, customer_restore_runner.
  Same email-noise fix pattern as 7169493 — idle path → DEBUG, INFO
  only on real work or failures. Cuts ~5,000+ noise lines/day.
  Test: TestIdleTickLogLevel_DemotedToDebug (source-level guard:
  enumerates all 8 files, asserts no `slog.Info(...completed..., 0,`
  shape reappears).

T21 P1-2 — resource bearer tokens logged raw at ~20 sites.
  quota_infra.go (12), quota.go (6), storage.go (3), expire.go (4),
  provisioner_reconciler.go (4), entitlement_reconciler.go (6),
  quota_redis_eviction.go (4), provisioner/client.go (1). Added
  worker/internal/logsafe pkg with Token() (first 8 chars + length
  indicator + ***), applied at every site.
  Test: TestNoRawTokenSlogFields (walks every .go in
  worker/internal/, asserts no `"token", <var>` outside logsafe.Token
  wrap) + TestToken_NoLeakBeyondPrefix.

Build / vet / test all green: `go build ./... && go vet ./... && go
test ./... -count=1` passes locally (worker/internal/jobs 23.4s,
57 packages clean).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mastermanas805

internal/email/brevo_provider.go

@@ -260,7 +260,7 @@ func (p *BrevoProvider) SendEvent(ctx context.Context, evt EventEmail) error {
 		// the row instead of looping on a programmer bug.
 		slog.Error("email.brevo.marshal_failed",
 			"kind", evt.Kind,
-			"recipient", evt.Recipient,
+			"recipient", maskEmail(evt.Recipient),
 			"error", err,
 		)
 		return &SendError{Class: SendClassPermanent, Cause: err, Message: "brevo: marshal payload"}
@@ -310,7 +310,7 @@ func (p *BrevoProvider) sendRaw(ctx context.Context, evt EventEmail) error {
 		// past the row; the caller is supposed to render a subject.
 		slog.Error("email.brevo.raw_missing_subject",
 			"kind", evt.Kind,
-			"recipient", evt.Recipient,
+			"recipient", maskEmail(evt.Recipient),
 		)
 		return &SendError{
 			Class:   SendClassPermanent,
@@ -327,7 +327,7 @@ func (p *BrevoProvider) sendRaw(ctx context.Context, evt EventEmail) error {
 	if err != nil {
 		slog.Error("email.brevo.raw_marshal_failed",
 			"kind", evt.Kind,
-			"recipient", evt.Recipient,
+			"recipient", maskEmail(evt.Recipient),
 			"error", err,
 		)
 		return &SendError{Class: SendClassPermanent, Cause: err, Message: "brevo: raw marshal"}
@@ -363,7 +363,7 @@ func (p *BrevoProvider) doRequest(ctx context.Context, evt EventEmail, body []by
 		// Network error, timeout, dns failure. Transient by definition.
 		slog.Warn("email.brevo.http_failed",
 			"kind", evt.Kind,
-			"recipient", evt.Recipient,
+			"recipient", maskEmail(evt.Recipient),
 			"path", string(path),
 			"error", err,
 		)
@@ -376,7 +376,7 @@ func (p *BrevoProvider) doRequest(ctx context.Context, evt EventEmail, body []by
 	case resp.StatusCode >= 200 && resp.StatusCode < 300:
 		slog.Info("email.brevo.event_sent",
 			"kind", evt.Kind,
-			"recipient", evt.Recipient,
+			"recipient", maskEmail(evt.Recipient),
 			"status", resp.StatusCode,
 			"path", string(path),
 			"template_id", tmplID,
@@ -399,7 +399,7 @@ func (p *BrevoProvider) doRequest(ctx context.Context, evt EventEmail, body []by
 		// payload rejects, not account auth failure.
 		slog.Error("email.brevo.auth_wall",
 			"kind", evt.Kind,
-			"recipient", evt.Recipient,
+			"recipient", maskEmail(evt.Recipient),
 			"status", resp.StatusCode,
 			"path", string(path),
 			"body", string(respBody),
@@ -416,7 +416,7 @@ func (p *BrevoProvider) doRequest(ctx context.Context, evt EventEmail, body []by
 		// the cursor holds and the row retries next tick.
 		slog.Warn("email.brevo.rate_limited",
 			"kind", evt.Kind,
-			"recipient", evt.Recipient,
+			"recipient", maskEmail(evt.Recipient),
 			"status", resp.StatusCode,
 			"path", string(path),
 			"body", string(respBody),
@@ -432,7 +432,7 @@ func (p *BrevoProvider) doRequest(ctx context.Context, evt EventEmail, body []by
 		// correct: holding it pins the whole queue on one bad row.
 		slog.Error("email.brevo.permanent_4xx",
 			"kind", evt.Kind,
-			"recipient", evt.Recipient,
+			"recipient", maskEmail(evt.Recipient),
 			"status", resp.StatusCode,
 			"path", string(path),
 			"body", string(respBody),
@@ -446,7 +446,7 @@ func (p *BrevoProvider) doRequest(ctx context.Context, evt EventEmail, body []by
 		// 5xx — Brevo upstream issue. Hold cursor; retry next tick.
 		slog.Warn("email.brevo.transient_5xx",
 			"kind", evt.Kind,
-			"recipient", evt.Recipient,
+			"recipient", maskEmail(evt.Recipient),
 			"status", resp.StatusCode,
 			"path", string(path),
 			"body", string(respBody),

internal/email/logsafe.go

@@ -0,0 +1,39 @@
+package email
+
+// logsafe.go — privacy-preserving helpers for slog lines in the worker
+// email providers.
+//
+// MR-P1-46 / T22 P1-1 (BugBash 2026-05-20): the L1 PII-masking fix
+// shipped in api `4078ca3` (commit "email.go:maskEmail") masked recipient
+// addresses in api-side slog lines but did NOT touch the worker email
+// providers (brevo_provider.go, ses_provider.go) — which are the
+// higher-volume emitters because every audit-driven lifecycle / quota /
+// expiry email flows through them. Prod logs (worker pod
+// `instant-worker-7f6d77699d-tt7gr`, commit_id=7169493) showed full
+// recipient addresses in cleartext at INFO/WARN/ERROR on every send —
+// PII shipped to New Relic. This file closes that gap with the same
+// algorithm the api uses.
+
+import "strings"
+
+// maskEmail returns a privacy-preserving rendering of a recipient
+// address for slog lines. Mirrors api/internal/email/email.go:maskEmail
+// and api/internal/models/MaskEmail.
+//
+//	"alice@example.com"            → "a***@example.com"
+//	"a@example.com"                → "a@example.com" (1-char local kept)
+//	"" / "no-at-sign" / "@only"    → returned unchanged (defensive)
+//
+// CLAUDE.md feedback memory: "no PII/tokens/secrets in any log line".
+func maskEmail(addr string) string {
+	at := strings.LastIndex(addr, "@")
+	if at <= 0 {
+		return addr
+	}
+	local := addr[:at]
+	domain := addr[at:]
+	if len(local) == 1 {
+		return local + domain
+	}
+	return local[:1] + "***" + domain
+}

internal/email/logsafe_test.go

@@ -0,0 +1,182 @@
+package email
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	sestypes "github.com/aws/aws-sdk-go-v2/service/sesv2/types"
+	"github.com/aws/aws-sdk-go-v2/aws"
+)
+
+// TestMaskEmail_BasicShapes pins the masking algorithm — must match the
+// api maskEmail behaviour exactly.
+func TestMaskEmail_BasicShapes(t *testing.T) {
+	cases := []struct {
+		in, want string
+	}{
+		{"alice@example.com", "a***@example.com"},
+		{"a@example.com", "a@example.com"}, // 1-char local preserved
+		{"bb20-t7-1779218881@instanode-test.dev", "b***@instanode-test.dev"},
+		{"mastermanas805@gmail.com", "m***@gmail.com"},
+		{"@onlydomain.com", "@onlydomain.com"}, // empty local — return unchanged (defensive)
+		{"no-at-sign", "no-at-sign"},
+		{"", ""},
+	}
+	for _, c := range cases {
+		if got := maskEmail(c.in); got != c.want {
+			t.Errorf("maskEmail(%q) = %q; want %q", c.in, got, c.want)
+		}
+	}
+}
+
+// captureSlog redirects the default slog logger into the returned buffer
+// for the duration of fn. Returns the captured text. Used by the provider
+// regression tests so they don't have to plumb a logger through.
+func captureSlog(t *testing.T, fn func()) string {
+	t.Helper()
+	var buf bytes.Buffer
+	h := slog.NewTextHandler(&buf, &slog.HandlerOptions{Level: slog.LevelDebug})
+	orig := slog.Default()
+	slog.SetDefault(slog.New(h))
+	defer slog.SetDefault(orig)
+	fn()
+	return buf.String()
+}
+
+// TestWorkerEmailProviders_NoRawRecipientInLogs is the T22 P1-1 / MR-P1-46
+// regression test.
+//
+// BUG (pre-fix): worker brevo_provider.go and ses_provider.go logged
+// `"recipient", evt.Recipient` raw at INFO/WARN/ERROR on every send. The
+// L1 PII-masking fix in api `4078ca3` masked api-side logs but did NOT
+// touch the worker providers — verified live in prod
+// (instant-worker pod commit_id=7169493 emitted full recipient strings
+// into NR Logs on every send).
+//
+// FIX: maskEmail applied at every `"recipient"` slog site in both
+// providers. This test stamps a unique recipient address, drives each
+// provider through a real send path that produces a `"recipient"` slog
+// field, and asserts the raw local part NEVER appears in the captured
+// log output — only the masked form. Registry-style: covers BOTH worker
+// providers in one table, so a future third provider that ships without
+// the maskEmail wrap fails this test.
+func TestWorkerEmailProviders_NoRawRecipientInLogs(t *testing.T) {
+	const (
+		rawRecipient = "regressioncanary12345@instanode-test.dev"
+		rawLocal     = "regressioncanary12345"
+		wantMasked   = "r***@instanode-test.dev"
+		kind         = "subscription.upgraded"
+	)
+
+	t.Run("brevo_success_2xx_sent", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			_, _ = io.ReadAll(r.Body)
+			w.WriteHeader(http.StatusCreated)
+			_, _ = w.Write([]byte(`{"messageId":"x"}`))
+		}))
+		defer srv.Close()
+		p, err := NewBrevoProvider(BrevoConfig{APIKey: "k", TemplateIDs: map[string]int{kind: 42}})
+		if err != nil {
+			t.Fatalf("NewBrevoProvider: %v", err)
+		}
+		p.url = srv.URL
+		out := captureSlog(t, func() {
+			_ = p.SendEvent(context.Background(), EventEmail{Kind: kind, Recipient: rawRecipient})
+		})
+		assertNoRawRecipient(t, "brevo:2xx", out, rawLocal, wantMasked)
+	})
+
+	t.Run("brevo_permanent_4xx_logs_recipient", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			_, _ = io.ReadAll(r.Body)
+			w.WriteHeader(http.StatusBadRequest)
+			_, _ = w.Write([]byte(`{"code":"bad_request"}`))
+		}))
+		defer srv.Close()
+		p, err := NewBrevoProvider(BrevoConfig{APIKey: "k", TemplateIDs: map[string]int{kind: 42}})
+		if err != nil {
+			t.Fatalf("NewBrevoProvider: %v", err)
+		}
+		p.url = srv.URL
+		out := captureSlog(t, func() {
+			_ = p.SendEvent(context.Background(), EventEmail{Kind: kind, Recipient: rawRecipient})
+		})
+		assertNoRawRecipient(t, "brevo:4xx", out, rawLocal, wantMasked)
+	})
+
+	t.Run("brevo_auth_wall_401", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			_, _ = io.ReadAll(r.Body)
+			w.WriteHeader(http.StatusUnauthorized)
+			_, _ = w.Write([]byte(`{"code":"unauthorized"}`))
+		}))
+		defer srv.Close()
+		p, err := NewBrevoProvider(BrevoConfig{APIKey: "k", TemplateIDs: map[string]int{kind: 42}})
+		if err != nil {
+			t.Fatalf("NewBrevoProvider: %v", err)
+		}
+		p.url = srv.URL
+		out := captureSlog(t, func() {
+			_ = p.SendEvent(context.Background(), EventEmail{Kind: kind, Recipient: rawRecipient})
+		})
+		assertNoRawRecipient(t, "brevo:auth_wall", out, rawLocal, wantMasked)
+	})
+
+	t.Run("ses_success_sent", func(t *testing.T) {
+		fake := &fakeSESClient{}
+		p := &SESProvider{
+			client:    fake,
+			fromEmail: "noreply@example.com",
+			templates: map[string]string{kind: "tmpl-1"},
+		}
+		out := captureSlog(t, func() {
+			_ = p.SendEvent(context.Background(), EventEmail{Kind: kind, Recipient: rawRecipient})
+		})
+		assertNoRawRecipient(t, "ses:success", out, rawLocal, wantMasked)
+	})
+
+	t.Run("ses_permanent_rejected", func(t *testing.T) {
+		fake := &fakeSESClient{err: &sestypes.MessageRejected{Message: aws.String("rejected")}}
+		p := &SESProvider{
+			client:    fake,
+			fromEmail: "noreply@example.com",
+			templates: map[string]string{kind: "tmpl-1"},
+		}
+		out := captureSlog(t, func() {
+			_ = p.SendEvent(context.Background(), EventEmail{Kind: kind, Recipient: rawRecipient})
+		})
+		assertNoRawRecipient(t, "ses:rejected", out, rawLocal, wantMasked)
+	})
+
+	t.Run("ses_transient_throttling", func(t *testing.T) {
+		fake := &fakeSESClient{err: &sestypes.TooManyRequestsException{Message: aws.String("rate")}}
+		p := &SESProvider{
+			client:    fake,
+			fromEmail: "noreply@example.com",
+			templates: map[string]string{kind: "tmpl-1"},
+		}
+		out := captureSlog(t, func() {
+			_ = p.SendEvent(context.Background(), EventEmail{Kind: kind, Recipient: rawRecipient})
+		})
+		assertNoRawRecipient(t, "ses:transient", out, rawLocal, wantMasked)
+	})
+}
+
+func assertNoRawRecipient(t *testing.T, label, out, rawLocal, wantMasked string) {
+	t.Helper()
+	if out == "" {
+		t.Fatalf("%s: provider emitted no log output — cannot verify masking; update the harness so the recipient slog field still fires", label)
+	}
+	if strings.Contains(out, rawLocal) {
+		t.Errorf("%s: provider log contains raw recipient local-part %q — PII leak.\nFull output:\n%s", label, rawLocal, out)
+	}
+	if !strings.Contains(out, wantMasked) {
+		t.Errorf("%s: provider log does not contain masked form %q — masking was not applied.\nFull output:\n%s", label, wantMasked, out)
+	}
+}

internal/email/ses_provider.go

@@ -157,7 +157,7 @@ func (p *SESProvider) SendEvent(ctx context.Context, evt EventEmail) error {
 		// instead of looping forever on a programmer bug.
 		slog.Error("email.ses.marshal_failed",
 			"kind", evt.Kind,
-			"recipient", evt.Recipient,
+			"recipient", maskEmail(evt.Recipient),
 			"error", err,
 		)
 		return &SendError{Class: SendClassPermanent, Cause: err, Message: "ses: marshal params"}
@@ -183,7 +183,7 @@ func (p *SESProvider) SendEvent(ctx context.Context, evt EventEmail) error {
 
 	slog.Info("email.ses.event_sent",
 		"kind", evt.Kind,
-		"recipient", evt.Recipient,
+		"recipient", maskEmail(evt.Recipient),
 		"template", tmplName,
 	)
 	return nil
@@ -212,7 +212,7 @@ func classifySESError(err error, evt EventEmail, tmplName string) error {
 	if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
 		slog.Warn("email.ses.context_canceled",
 			"kind", evt.Kind,
-			"recipient", evt.Recipient,
+			"recipient", maskEmail(evt.Recipient),
 			"error", err,
 		)
 		return &SendError{Class: SendClassTransient, Cause: err, Message: "ses: context canceled"}
@@ -234,7 +234,7 @@ func classifySESError(err error, evt EventEmail, tmplName string) error {
 			"SendingPausedException":
 			slog.Warn("email.ses.transient_throttle",
 				"kind", evt.Kind,
-				"recipient", evt.Recipient,
+				"recipient", maskEmail(evt.Recipient),
 				"code", code,
 				"message", apiErr.ErrorMessage(),
 			)
@@ -253,7 +253,7 @@ func classifySESError(err error, evt EventEmail, tmplName string) error {
 			"SignatureDoesNotMatch", "AccessDeniedException":
 			slog.Error("email.ses.permanent",
 				"kind", evt.Kind,
-				"recipient", evt.Recipient,
+				"recipient", maskEmail(evt.Recipient),
 				"code", code,
 				"template", tmplName,
 				"message", apiErr.ErrorMessage(),
@@ -268,7 +268,7 @@ func classifySESError(err error, evt EventEmail, tmplName string) error {
 		case "InternalServiceErrorException", "ServiceUnavailableException":
 			slog.Warn("email.ses.transient_5xx",
 				"kind", evt.Kind,
-				"recipient", evt.Recipient,
+				"recipient", maskEmail(evt.Recipient),
 				"code", code,
 				"message", apiErr.ErrorMessage(),
 			)
@@ -285,7 +285,7 @@ func classifySESError(err error, evt EventEmail, tmplName string) error {
 		case smithy.FaultServer:
 			slog.Warn("email.ses.transient_server_fault",
 				"kind", evt.Kind,
-				"recipient", evt.Recipient,
+				"recipient", maskEmail(evt.Recipient),
 				"code", code,
 				"message", apiErr.ErrorMessage(),
 			)
@@ -299,7 +299,7 @@ func classifySESError(err error, evt EventEmail, tmplName string) error {
 			// row can't pin the queue forever.
 			slog.Error("email.ses.permanent_client_fault",
 				"kind", evt.Kind,
-				"recipient", evt.Recipient,
+				"recipient", maskEmail(evt.Recipient),
 				"code", code,
 				"template", tmplName,
 				"message", apiErr.ErrorMessage(),
@@ -318,7 +318,7 @@ func classifySESError(err error, evt EventEmail, tmplName string) error {
 	if errors.As(err, &netErr) {
 		slog.Warn("email.ses.network",
 			"kind", evt.Kind,
-			"recipient", evt.Recipient,
+			"recipient", maskEmail(evt.Recipient),
 			"error", err,
 		)
 		return &SendError{Class: SendClassTransient, Cause: err, Message: "ses: network"}
@@ -328,7 +328,7 @@ func classifySESError(err error, evt EventEmail, tmplName string) error {
 	// cursor (mirrors the package-level ClassOf default).
 	slog.Warn("email.ses.unknown_error",
 		"kind", evt.Kind,
-		"recipient", evt.Recipient,
+		"recipient", maskEmail(evt.Recipient),
 		"error", err,
 	)
 	return &SendError{Class: SendClassTransient, Cause: err, Message: "ses: unknown error"}