Guard the cancel and signal-handler job-status writes too (fast-follow on #1338)

[mihow]

Summary

A focused fast-follow on #1338 (now merged). #1338 made the result handler's terminal status write safe under concurrency, but the job's status is written from several places. This PR routes the other lock-free terminal writers — cancel() and the two Celery task-signal handlers — through one shared guarded transition, so a stale writer can't resurrect a job another writer already finished.

The motivation is the same lost-update race as #1337: a plain save() of the whole Job row from an out-of-date snapshot can overwrite a status another worker just set. #1338 stopped the result handler; this stops cancel() and the signal handlers doing it from the other direction (e.g. a late task-success signal flipping a just-cancelled job back to SUCCESS).

On main (no longer stacked — #1338 is merged).

List of Changes

1. One guarded helper for the lock-free terminal writers. Added Job._guarded_status_update(to_status, from_statuses, *, set_finished=False): a statement-scope UPDATE ... WHERE status IN (from_statuses) that holds no row lock (so it doesn't reintroduce the contention fix(jobs): fixes for concurrent ML processing jobs #1261 removed) and advances the in-memory instance only when a row actually changes. Default from-set is JobState.finalizable_states().
2. cancel() no longer clobbers a finished job, and async cancel no longer SIGTERMs the bootstrap. CANCELING/REVOKED now go through the guarded helper, so cancelling an already-finished job leaves its terminal status intact. Additionally — folding the one useful change from Improve celery task dispatch and cancellation to prevent stuck jobs #1324 — an ASYNC_API cancel now revokes the local run_job without terminate: that task only queues images and has usually finished, and the remote ADC work is stopped by the NATS/Redis teardown, not by killing the bootstrap. Sync/internal jobs still terminate (that task is the work). Teardown (cleanup_async_job_if_needed) runs unconditionally.
3. The task-success and task-failure signal handlers can no longer resurrect a terminal job. The terminal SUCCESS write in update_job_status and the FAILURE write in update_job_failure go through the guarded helper; their existing pre-checks are unchanged. Minor behaviour change: a FAILURE set via the task-failure signal now also records finished_at, matching _fail_job and the result handler.
4. Tests. TestTerminalTransitionChokepoint covers the guard for each writer; TestCancelCompletionRace reproduces the real concurrent interleave between a cancel and a completing result batch in both directions (mirrors Stop a finished job from being pulled back to running by a slower worker #1338's TestConcurrentStatusRace). 107 pass. Also validated on a dev deployment: cancelling a job mid-flight leaves it REVOKED with no resurrection and full NATS/Redis teardown.

Detailed Description

There are six terminal-status writers (the earlier "five" count missed the reaper). This PR brings the three lock-free ones onto the guarded transition; the two lock-based ones are already safe; the reaper is intentionally left broader:

Writer	Discipline
_update_job_progress (result handler)	guarded conditional UPDATE (#1338)
Job.cancel()	guarded conditional UPDATE (this PR)
update_job_status (task_postrun)	guarded conditional UPDATE (this PR)
update_job_failure (task_failure)	guarded conditional UPDATE (this PR)
_fail_job	select_for_update + terminal/CANCELING precondition (already safe)
check_stale_jobs (reaper)	select_for_update; intentionally keeps a broader from-set so it can force a genuinely stuck CANCELING/UNKNOWN job terminal as last resort

So _guarded_status_update is the chokepoint for the lock-free writers — not a literal "single chokepoint" for all status writes; the two lock-based writers enforce the same no-resurrect invariant under their row lock. (An earlier docstring overclaimed this; corrected here.)

cancel()'s REVOKED transition includes CANCELING in its from-set, since cancel sets CANCELING itself and must complete that progression.

Supersedes the cancel() rewrite in #1324 (its skip-terminate idea is folded in here). #1324's other parts — a no-op CELERY_WORKER_POOL_OPTIMIZATION="fair" setting and a consumer_timeout-sensitive acks_late change — are tracked separately; see the note on #1324.

How to Test the Changes

• pytest ami/jobs/tests/test_tasks.py::TestTerminalTransitionChokepoint
• pytest ami/jobs/tests/test_tasks.py::TestCancelCompletionRace
• Full ami/jobs/tests/test_tasks.py and ami/jobs/tests/test_jobs.py pass locally (107 passed).

Checklist

• I have tested these changes appropriately.
• I have added and/or modified relevant tests.
• I updated relevant documentation or comments.
• I have verified that this PR follows the project's coding standards.
• Any dependent changes have already been merged to main.

Refs #1337. Supersedes the cancel rewrite in #1324.

Summary by CodeRabbit

• Bug Fixes

  • Hardened job status transitions so late completion/failure updates can’t overwrite already-terminal outcomes.
  • Improved job cancellation reliability, including safer revocation behavior for async jobs and ensuring cleanup runs as expected.
  • Completion/failure handlers now only finalize jobs when they’re in a valid pre-terminal state.

• Tests

  • Added regression tests covering terminal transition race conditions and cancellation/completion interleavings to verify terminal states can’t be resurrected.

[netlify]

✅ Deploy Preview for antenna-preview canceled.

Name	Link
🔨 Latest commit	a8bce8d
🔍 Latest deploy log	https://app.netlify.com/projects/antenna-preview/deploys/6a349762e518b20007c62536

[netlify]

✅ Deploy Preview for antenna-preview canceled.

Name	Link
🔨 Latest commit	51b8ec7
🔍 Latest deploy log	https://app.netlify.com/projects/antenna-preview/deploys/6a39c5905fc148000894025c

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 16719398-9696-4c22-aae9-cad5967a4931

📥 Commits

Reviewing files that changed from the base of the PR and between f3cf90a and 51b8ec7.

📒 Files selected for processing (1)

• ami/jobs/models.py

🚧 Files skipped from review as they are similar to previous changes (1)

• ami/jobs/models.py

---

📝 Walkthrough

Walkthrough

Adds Job._guarded_status_update(), a filter-based ORM helper that transitions job status only from an allowed source set and returns whether the transition fired. Job.cancel() and the Celery task_postrun/task_failure signal handlers are rewired to use this helper, preventing concurrent terminal state resurrection or clobbering. New tests cover both static terminal-state protection and synchronized cancel/completion race interleavings.

Changes

Terminal Transition Hardening

Layer / File(s)	Summary
Guarded status update helper ami/jobs/models.py	Adds _guarded_status_update() which performs a conditional ORM filter-based UPDATE guarded by status__in=from_statuses, updates in-memory status, optionally finished_at, and progress.summary.status, and returns the row count (0 or 1) to signal whether the transition fired.
Job.cancel() with guarded transitions ami/jobs/models.py	Rewires Job.cancel() to advance through CANCELING then REVOKED only via guarded transitions, uses termination-free revocation for ASYNC_API jobs, and guarantees cleanup_async_job_if_needed teardown after guarded status updates, preventing resurrection of already-terminal states.
Celery signal handlers with guarded terminal transitions ami/jobs/tasks.py	Routes terminal SUCCESS in update_job_status and terminal FAILURE in update_job_failure through _guarded_status_update constrained to finalizable_states, with conditional field saves only when the guarded update indicates a transition, replacing unconditional update_status + save calls.
Regression and race-condition tests ami/jobs/tests/test_tasks.py	Adds TestTerminalTransitionChokepoint for static scenarios and TestCancelCompletionRace for synchronized thread interleavings, asserting first-writer-wins semantics and that no terminal state can be resurrected or clobbered by a late cancel or completion signal.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

• Saving job progress concurrently is the root of multiple issues related to incorrect job statuses #1337: This PR directly implements the atomic filter-based status__in guarded update pattern proposed in that issue to prevent concurrent terminal state clobbering across cancel, SUCCESS, and FAILURE paths.

Possibly related PRs

• RolnickLab/antenna#1062: Modifies the same update_job_status and update_job_failure Celery signal handlers in ami/jobs/tasks.py that this PR now hardens with guarded transitions.
• RolnickLab/antenna#1114: Adds an earlier guard in update_job_status for premature SUCCESS, directly related to the same terminal SUCCESS handling surface this PR now locks via _guarded_status_update.
• RolnickLab/antenna#1338: Changes the same files (ami/jobs/tasks.py, ami/jobs/tests/test_tasks.py) with the same goal of preventing terminal job state resurrection via conditional update guards.

Suggested labels

PSv2

🐇 Hoppity hop, the states won't collide,
A guarded UPDATE keeps the winners inside.
No REVOKED resurrected by a late SUCCESS ghost,
The first terminal writer wins — that's what matters most!
🌿 Two races now tested, synchronized with care,
The rabbit says: concurrent bugs, beware! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 45.45% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the PR's main change: guarding job-status writes in cancel() and signal handlers as a fast-follow to #1338.
Description check	✅ Passed	The description covers all required sections: summary, list of changes, detailed explanation, testing instructions, and completed checklist items matching the repository template.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/1337-terminal-transition-chokepoint

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[netlify]

✅ Deploy Preview for antenna-ssec canceled.

Name	Link
🔨 Latest commit	51b8ec7
🔍 Latest deploy log	https://app.netlify.com/projects/antenna-ssec/deploys/6a39c5902003a100083ef2dc

[Copilot]

Pull request overview

This PR hardens terminal job-status writes against lost-update races by routing previously lock-free terminal writers (job cancel path and Celery task signal handlers) through a shared guarded, conditional UPDATE ... WHERE status IN (...) transition so stale writers can’t resurrect already-finished jobs.

Changes:

• Added Job._guarded_status_update(...) and updated Job.cancel() to use guarded transitions for CANCELING/REVOKED while still performing async resource teardown.
• Updated Celery task_postrun (SUCCESS) and task_failure (FAILURE) handlers to use the guarded transition and set finished_at on FAILURE when the transition fires.
• Added regression and concurrency-interleaving tests covering the guarded chokepoint and cancel-vs-complete races.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
ami/jobs/models.py	Introduces _guarded_status_update and updates cancel() to prevent terminal-status clobbering while preserving teardown behavior.
ami/jobs/tasks.py	Routes terminal SUCCESS/FAILURE writes in Celery signal handlers through the guarded transition to prevent resurrection/clobber.
ami/jobs/tests/test_tasks.py	Adds regression tests for the guarded terminal-writer chokepoint and reproduces the real cancel/completion race via threaded interleavings.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.