
Fix blockchain chain continuity: cross-check previous_integrity_hash against DB predecessor #520

Draft
Copilot wants to merge 2 commits into bolt-optimized-blockchain-and-admin-stats-v2-3885603136094984226 from copilot/sub-pr-516-another-one

Copilot AI commented Mar 8, 2026

verify_blockchain_integrity trusted the previous_integrity_hash stored on the Issue record without verifying it against the actual predecessor in the DB. A tampered or cache-stale previous_integrity_hash could cause the endpoint to report is_valid=True even when the chain was broken.

Changes

  • backend/routers/issues.py — When previous_integrity_hash is non-NULL, perform an additional scalar query for the actual predecessor's integrity_hash (max id < issue_id). A mismatch sets chain_link_valid = False, short-circuiting is_valid before the hash recomputation matters:
actual_prev = await run_in_threadpool(
    lambda: db.query(Issue.integrity_hash).filter(Issue.id < issue_id).order_by(Issue.id.desc()).first()
)
actual_prev_hash = actual_prev[0] if actual_prev and actual_prev[0] else ""
if prev_hash != actual_prev_hash:
    chain_link_valid = False

# ...
is_valid = chain_link_valid and (computed_hash == current_issue.integrity_hash)
  • tests/test_blockchain.py — Added test_blockchain_verification_tampered_previous_hash: creates a record with a forged previous_integrity_hash (correct computed hash, wrong chain link) and asserts is_valid=False.

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📝 Documentation update
  • 🎨 Code style update (formatting, renaming)
  • ♻️ Refactoring (no functional changes)
  • ⚡ Performance improvement
  • ✅ Test update

Testing Done

  • Tested locally
  • Added/updated tests
  • All tests passing

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • Any dependent changes have been merged and published


Summary by cubic

Strengthens blockchain checks by comparing each block’s previous_integrity_hash to the real predecessor in the DB and failing on mismatches. Adds a test for tampered links and fixes admin stats windows to avoid double counting with consistent UTC boundaries.

Written for commit 5b28643. Summary will update on new commits.
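
The failure mode this PR describes, as an added example that is not code from the PR or the project: an in-memory stand-in for the Issue table compares a check that trusts the stored previous_integrity_hash with one that cross-checks it against the actual predecessor. The hashing scheme (SHA-256 over payload and previous hash), the sample rows and all helper names are assumptions made for the illustration.

```python
import hashlib

def block_hash(payload, prev_hash):
    # Assumption: SHA-256 over "payload|prev_hash"; the project's real scheme is not shown in the PR.
    return hashlib.sha256(f"{payload}|{prev_hash}".encode()).hexdigest()

def make_chain(payloads):
    # In-memory stand-in for the Issue table: id -> row dict (constructed sample data).
    rows, prev = {}, ""
    for issue_id, payload in enumerate(payloads, start=1):
        digest = block_hash(payload, prev)
        rows[issue_id] = {"payload": payload,
                          "previous_integrity_hash": prev,
                          "integrity_hash": digest}
        prev = digest
    return rows

def predecessor_hash(rows, issue_id):
    # Same lookup as the PR's query: integrity_hash of the row with max id < issue_id.
    older = [i for i in rows if i < issue_id]
    return (rows[max(older)]["integrity_hash"] or "") if older else ""

def verify_trusting(rows, issue_id):
    # Pre-fix behaviour: recompute the hash from whatever link the row itself stores.
    row = rows[issue_id]
    prev = row["previous_integrity_hash"] or ""
    return block_hash(row["payload"], prev) == row["integrity_hash"]

def verify_cross_checked(rows, issue_id):
    # Post-fix behaviour: the stored link must also equal the real predecessor's hash.
    row = rows[issue_id]
    prev = row["previous_integrity_hash"]
    chain_link_valid = prev is None or prev == predecessor_hash(rows, issue_id)
    computed = block_hash(row["payload"], prev or "")
    return chain_link_valid and computed == row["integrity_hash"]

def with_forged_link(rows, issue_id, fake_prev="0" * 64):
    # Test fixture mirroring the PR's new test: wrong chain link, self-consistent hash.
    forged = {i: dict(r) for i, r in rows.items()}
    forged[issue_id]["previous_integrity_hash"] = fake_prev
    forged[issue_id]["integrity_hash"] = block_hash(forged[issue_id]["payload"], fake_prev)
    return forged

if __name__ == "__main__":
    chain = make_chain(["pothole", "streetlight", "graffiti"])
    forged = with_forged_link(chain, 3)
    print("trusting check:", verify_trusting(forged, 3))
    print("cross-checked:", verify_cross_checked(forged, 3))
```

The cross-check also rejects a row whose stored link points at a predecessor that no longer exists, since the lookup then returns a different row's hash.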

…h against DB predecessor

Co-authored-by: RohanExploit <178623867+RohanExploit@users.noreply.github.com>
Copilot AI changed the title [WIP] WIP address feedback on Blockchain Integrity and Admin Stats Fix blockchain chain continuity: cross-check previous_integrity_hash against DB predecessor Mar 8, 2026