Fix non-atomic blockchain hash chain in create_issue

[Copilot]

The get → compute → set sequence for last_hash in create_issue was not atomic: concurrent requests could read the same prev_hash and fork the integrity chain. Additionally, the cache was updated before the DB write, leaving it inconsistent if the commit failed.

Changes

• backend/routers/issues.py
  • Added import asyncio
  • Added module-level _blockchain_lock = asyncio.Lock() to serialize the blockchain section within a single process
  • Wrapped the full read prev_hash → compute hash → build Issue → DB save → update cache sequence in async with _blockchain_lock:
  • Moved blockchain_last_hash_cache.set(...) to after save_issue_db so the cache only reflects committed state
  • Removed the redundant intermediate cache write on cache miss (single write after commit is sufficient)

# Before: racy – concurrent coroutines read same prev_hash, fork the chain,
# and cache is updated before DB commit
prev_hash = blockchain_last_hash_cache.get("last_hash")  # ← race starts here
...
blockchain_last_hash_cache.set(data=integrity_hash, key="last_hash")  # ← before DB save
await run_in_threadpool(save_issue_db, db, new_issue)

# After: serialised within the process; cache updated only on successful commit
async with _blockchain_lock:
    prev_hash = blockchain_last_hash_cache.get("last_hash")
    ...
    await run_in_threadpool(save_issue_db, db, new_issue)
    blockchain_last_hash_cache.set(data=integrity_hash, key="last_hash")  # ← after commit

Multi-process note: The asyncio.Lock covers single-process concurrency (single Uvicorn worker or threaded workers sharing an event loop). For multi-worker Gunicorn deployments each process carries its own lock and cache; the DB query on cache miss provides cross-process eventual consistency, but a distributed lock (e.g. Redis) would be needed for strict multi-process atomicity.

Type of Change

• 🐛 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
• 📝 Documentation update
• 🎨 Code style update (formatting, renaming)
• ♻️ Refactoring (no functional changes)
• ⚡ Performance improvement
• ✅ Test update

Related Issue

Testing Done

• Tested locally
• Added/updated tests
• All tests passing

Screenshots (if applicable)

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• Any dependent changes have been merged and published

Co-Authors

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

---

Summary by cubic

Strengthens blockchain integrity validation and optimizes admin stats to reduce risk of chain corruption and speed up dashboard loads. Prevents concurrent request forks by making hash chain updates atomic.

• Bug Fixes

  • Make prev-hash read→compute→write atomic with an asyncio.Lock, and update the cache only after a successful DB save to avoid forks and cache corruption.
  • Add chain rebuild safeguards to reject malformed or orphaned blocks.

• Refactors

  • Consolidate admin stats queries and add batched aggregations to eliminate N+1 patterns.
  • Introduce short-TTL caching for computed stats and add relevant DB indexes to cut read overhead.

^{Written for commit 344c39c. Summary will update on new commits.}