feat(replay-vision): add SweepScannerWorkflow for Phase 2 schedule fires

[TueHaulund]

Stacked on #60617.

Problem

Phase 2 needs a Temporal workflow that fires every 5 minutes per scanner, runs ScannerCandidateQuery, dispatches one ApplyScannerWorkflow per candidate, and advances the watermark. The per-scanner schedule lands in the next stacked PR — this is just the workflow.

Changes

• SweepScannerWorkflow: find candidates → ABANDONed children → advance watermark. On full-batch failure raises AllChildStartsFailed and skips the watermark advance so the next fire retries the window.
• find_scanner_candidates_activity: returns candidates + saturated flag (len == DEFAULT_CANDIDATE_LIMIT). Non-retryable on malformed saved query.
• advance_scanner_watermark_activity: bumps last_swept_at and last_seen_session_id via .update() — no scanner_version bump, idempotent.
• Migration 0008: adds last_seen_session_id to ReplayScanner.

How did you test this code?

I'm an agent. 15 new tests pass; 78 existing tests still pass. No manual testing.

Automatic notifications

• Publish to changelog?
• Alert Sales and Marketing teams?

🤖 Agent context

Agent: Claude (Claude Code). Used ALLOW_DUPLICATE for the child reuse policy to match the existing rasterize-recording dispatch — UNIQUE(scanner_id, session_id) is the durable dedup.

[github-actions]

Migration SQL Changes

Hey 👋, we've detected some migrations on this PR. Here's the SQL output for each migration, make sure they make sense:

products/replay_vision/backend/migrations/0010_replayscanner_last_seen_session_id.py

BEGIN;
--
-- Add field last_seen_session_id to replayscanner
--
ALTER TABLE "replay_vision_replayscanner" ADD COLUMN "last_seen_session_id" varchar(200) DEFAULT '' NOT NULL;
COMMIT;

Last updated: 2026-06-01 20:37 UTC (bc5dcea)

[github-actions]

🔍 Migration Risk Analysis

We've analyzed your migrations for potential risks.

Summary: 1 Safe | 0 Needs Review | 0 Blocked

✅ Safe

Brief or no lock, backwards compatible

replay_vision.0010_replayscanner_last_seen_session_id
  └─ #1 ✅ AddField
     Adding NOT NULL field with constant default (safe in PG11+)
     model: replayscanner, field: last_seen_session_id

Last updated: 2026-06-01 20:38 UTC (bc5dcea)

[greptile-apps]

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
products/replay_vision/backend/tests/test_sweep.py:339-342
Redundant duplicate assertion — the same list-comprehension check appears twice in a row. The inline assert on line 339 and the `advance_calls` assertion on lines 341-342 are identical; one should be removed.

```suggestion
    advance_calls = [call for fn, call in mocks.activity_calls if fn == advance_scanner_watermark_activity]
    assert advance_calls == []
```

### Issue 2 of 2
products/replay_vision/backend/temporal/sweep_workflow.py:56-59
`asyncio.gather` with `return_exceptions=False` (the default) propagates on the **first** non-`WorkflowAlreadyStartedError` failure, not only when every dispatch fails. The comment "if every dispatch fails" misrepresents the actual semantics — even a single unexpected failure in a 100-candidate batch will skip the watermark advance. The behaviour itself is intentional and safe (the next sweep retries, already-started children get `WorkflowAlreadyStartedError`), but the comment makes it sound like partial failures are tolerated.

```suggestion
        # `return_exceptions=False`: if *any* dispatch fails with an error other
        # than WorkflowAlreadyStartedError, the first such exception propagates
        # and the watermark advance is skipped — next sweep retries the same
        # window. Already-started children are deduplicated by Temporal's
        # workflow_id and by `UNIQUE(scanner_id, session_id)` on the row.
```

_{Reviews (1): Last reviewed commit: "refactor(replay-vision): simplify SweepS..." | Re-trigger Greptile}

[veria-ai]

PR overview

This pull request adds the SweepScannerWorkflow for replay-vision Phase 2 scheduled scanner runs, dispatching candidate sweep work through Temporal child workflows. The touched workflow code coordinates scanner-enabled batch execution for observation creation.

There is one open security concern around quota enforcement during sweep fan-out: a user with scanner configuration access could trigger concurrent child workflows that each see available quota and collectively exceed the intended monthly observation limit. Two prior issues have already been addressed, so the remaining risk is focused on bounding or atomically reserving quota before dispatch. The impact appears limited to quota/resource abuse rather than direct data exposure or authorization bypass.

Open issues (1)

• Medium: Observation quota bypass — products/replay_vision/backend/temporal/sweep_workflow.py:49

Fixed/addressed: 2 · PR risk: 5/10

[fasyy612]

LGTM 🙆‍♀️

[veria-ai]

Medium: Observation quota bypass

An authenticated user who can configure a broad enabled scanner can cause a sweep to start up to DEFAULT_CANDIDATE_LIMIT child workflows at once. Each child checks compute_quota_snapshot() independently in create_observation_activity, so concurrent children can all observe quota headroom before any pending rows are visible and create more observations than the monthly quota allows. Reserve quota atomically before dispatching, or cap the dispatch batch to the current remaining quota using a DB-side lock/claim so the sweep cannot fan out past the organization’s remaining allowance.

[deployment-status-posthog]

Deploy status

Environment	Status	Deployed At	Workflow
dev	✅ Deployed	2026-06-01 21:28 UTC	Run
prod-us	✅ Deployed	2026-06-02 10:18 UTC	Run
prod-eu	✅ Deployed	2026-06-01 21:53 UTC	Run