Fix blockchain hash chain race conditions and integrity verification gaps #521

Draft
Copilot wants to merge 2 commits into bolt-optimized-blockchain-and-admin-stats-v2-3885603136094984226 from copilot/sub-pr-516-yet-again

Copilot AI commented Mar 8, 2026

Description

Three correctness bugs in the blockchain integrity feature: the in-process cache was used as the source of truth for prev_hash (broken under multi-worker deployments), the cache was advanced before the DB commit (stale hash persisted on failure), and verify_blockchain_integrity trusted the stored previous_integrity_hash without cross-checking the actual DB predecessor.

Changes

  • Atomic prev_hash derivation: Remove the cache lookup from the issue creation path entirely. Always query the DB for the last integrity_hash within the same transaction — every Gunicorn/Uvicorn worker now sees the same chain tail.

  • Cache updated post-commit only: blockchain_last_hash_cache.set() moved to after save_issue_db succeeds. Exception handler calls blockchain_last_hash_cache.invalidate() so a failed commit never leaves a hash in cache that future issues chain off.

  • Verification cross-checks DB predecessor: verify_blockchain_integrity now always fetches the actual predecessor from DB and compares it against the stored previous_integrity_hash. A mismatch returns is_valid=False immediately with the computed hash (using the authoritative DB predecessor) so callers can see the expected value.

# Before: trusted stored field, never validated against DB
prev_hash = current_issue.previous_integrity_hash  # could be stale/tampered

# After: DB is authoritative; stored field is validated against it
prev_record = await run_in_threadpool(lambda: db.query(...).filter(Issue.id < issue_id).order_by(Issue.id.desc()).first())
db_prev_hash = prev_record[0] if prev_record and prev_record[0] else ""
if stored_prev_hash is not None and stored_prev_hash != db_prev_hash:
    return BlockchainVerificationResponse(is_valid=False, computed_hash=computed_hash, ...)

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)

Related Issue

Closes #

Testing Done

  • Tested locally
  • Added/updated tests
  • All tests passing

Screenshots (if applicable)

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

Co-Authors


Summary by cubic

Fixes multi-worker race conditions in blockchain hashing and strengthens integrity checks, while keeping admin stats fast. Follows up on #516 feedback to improve correctness and responsiveness.

  • Bug Fixes
    • Always read previous hash from the DB within the transaction; remove per-process cache as source of truth.
    • Update blockchain_last_hash_cache only after a successful commit; invalidate on error to prevent stale chaining.
    • In verify_blockchain_integrity, always fetch the predecessor from the DB and flag mismatches with the stored previous_integrity_hash to detect tampering or creation races.

Written for commit bb24abb. Summary will update on new commits.

- Always query DB for prev_hash within the transaction (eliminates
  the per-process cache as source-of-truth, fixing multi-worker race)
- Update blockchain_last_hash_cache only after save_issue_db succeeds;
  invalidate it on failure so stale hashes are never chained off
- verify_blockchain_integrity now always fetches the predecessor from
  DB and rejects records whose previous_integrity_hash disagrees with
  the actual DB predecessor, detecting chain tampering or creation races

Co-authored-by: RohanExploit <178623867+RohanExploit@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Optimize blockchain verification and admin stats" to "Fix blockchain hash chain race conditions and integrity verification gaps" on Mar 8, 2026
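
An added example, not the project's code or part of this pull request: a minimal hash chain that reads the chain tail inside the writing transaction and verifies each record against its actual DB predecessor, as the description above outlines. SQLite, the `issues` table, the `sha256("description|prev_hash")` recipe and the function names are assumptions; the column names come from the PR description, and the cache step is left out.

```python
import hashlib
import sqlite3

# Assumptions (not from the PR): SQLite, an `issues` table, and a hash recipe
# of sha256("description|prev_hash"). Column names follow the PR description.
def open_db(path=":memory:"):
    db = sqlite3.connect(path, isolation_level=None)  # transactions are explicit
    db.execute("CREATE TABLE IF NOT EXISTS issues (id INTEGER PRIMARY KEY,"
               " description TEXT, integrity_hash TEXT, previous_integrity_hash TEXT)")
    return db

def chain_hash(description, prev_hash):
    return hashlib.sha256(f"{description}|{prev_hash}".encode()).hexdigest()

def create_issue(db, description):
    # Take the write lock before reading the chain tail, so concurrent writers
    # serialize and cannot both chain off the same predecessor.
    db.execute("BEGIN IMMEDIATE")
    try:
        row = db.execute(
            "SELECT integrity_hash FROM issues ORDER BY id DESC LIMIT 1").fetchone()
        prev_hash = row[0] if row and row[0] else ""
        cur = db.execute(
            "INSERT INTO issues (description, integrity_hash, previous_integrity_hash)"
            " VALUES (?, ?, ?)",
            (description, chain_hash(description, prev_hash), prev_hash))
        db.execute("COMMIT")
        return cur.lastrowid
    except Exception:
        db.execute("ROLLBACK")
        raise

def verify_issue(db, issue_id):
    rec = db.execute("SELECT description, integrity_hash, previous_integrity_hash"
                     " FROM issues WHERE id = ?", (issue_id,)).fetchone()
    if rec is None:
        return {"is_valid": False, "reason": "not found", "computed_hash": None}
    description, stored_hash, stored_prev = rec
    # The DB predecessor is authoritative; the stored field is only checked against it.
    pred = db.execute("SELECT integrity_hash FROM issues WHERE id < ?"
                      " ORDER BY id DESC LIMIT 1", (issue_id,)).fetchone()
    db_prev = pred[0] if pred and pred[0] else ""
    computed = chain_hash(description, db_prev)
    if stored_prev is not None and stored_prev != db_prev:
        return {"is_valid": False, "reason": "predecessor mismatch", "computed_hash": computed}
    ok = computed == stored_hash
    return {"is_valid": ok, "reason": "ok" if ok else "hash mismatch", "computed_hash": computed}
```

A record whose `integrity_hash` and `previous_integrity_hash` agree with each other but not with the row before it passes a check that trusts the stored field, and fails here with `predecessor mismatch`.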