fix: race condition hardening across auth, counters, and data fetching (#102)

* fix: prevent race conditions in token operations and auth flows

Backend:
- Refresh token rotation: use atomic UPDATE...WHERE revoked_at IS NULL
  to prevent concurrent refresh requests from both succeeding
- Account invite codes: SELECT FOR UPDATE to prevent double-spend
- Platform invite codes: SELECT FOR UPDATE to prevent double-spend
- Password reset tokens: SELECT FOR UPDATE to prevent double-use
- Email verification tokens: SELECT FOR UPDATE to prevent double-use

Frontend:
- Token refresh subscriber arrays: swap before iterating so a throwing
  callback doesn't leave the queue in a dirty state

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: atomic counters, plan limit re-check, and double-submit guard

Backend:
- Tree usage_count: use SQL-level UPDATE (Tree.usage_count + 1) instead
  of Python-level increment to prevent lost updates under concurrency
- Tag usage_count: same SQL-level atomic increment/decrement in both
  create_tree and update_tree (delete_tree already used this pattern)
- Plan tree limit: re-check count after db.flush() to close the TOCTOU
  window where two concurrent creates could both pass the pre-check

Frontend:
- TreeEditorPage: add isSaving early-return guard inside handleSaveDraft
  and handlePublish callbacks so Ctrl+S can't bypass the button disabled
  prop and fire duplicate save requests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: prevent stale API responses from overwriting newer data

- SessionHistoryPage: move loadSessions into effect with cancelled flag
  so rapid filter/tab changes discard outdated responses
- TreeLibraryPage: add request ID ref to loadTrees so stale responses
  from previous filter selections are discarded
- QuickStartPage: add request ID ref to debounced search so out-of-order
  responses don't overwrite newer search results

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: add flexible intake design — deferred variables + prepared sessions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

backend/app/api/endpoints/trees.py

@@ -25,7 +25,7 @@ from app.models.user_pinned_tree import UserPinnedTree
 from app.api.deps import get_current_active_user, require_engineer_or_admin, require_admin, get_service_account_id
 from app.core.permissions import can_edit_tree, can_access_tree
 from app.core.filters import build_tree_access_filter
-from app.core.subscriptions import check_tree_limit
+from app.core.subscriptions import check_tree_limit, get_account_subscription, get_plan_limits
 from app.core.audit import log_audit
 from app.core.config import settings
 from app.core.tree_validation import can_publish_tree
@@ -487,6 +487,26 @@ async def create_tree(
     db.add(new_tree)
     await db.flush()  # Get the ID
 
+    # Re-check tree limit after flush to close the TOCTOU race window:
+    # two concurrent creates could both pass the pre-check, but only one
+    # should succeed when the limit is exactly reached.
+    if not is_default and current_user.account_id:
+        post_count = await db.scalar(
+            select(func.count(Tree.id)).where(
+                Tree.account_id == current_user.account_id,
+                Tree.deleted_at.is_(None),
+            )
+        )
+        sub = await get_account_subscription(current_user.account_id, db)
+        if sub:
+            limits = await get_plan_limits(sub.plan, db)
+            if limits and limits.max_trees and (post_count or 0) > limits.max_trees:
+                await db.rollback()
+                raise HTTPException(
+                    status_code=status.HTTP_402_PAYMENT_REQUIRED,
+                    detail=f"Tree limit reached ({limits.max_trees}/{limits.max_trees}). Upgrade your plan to create more trees."
+                )
+
     # Handle tags
     if tree_data.tags:
         tree_account_id = new_tree.account_id or (current_user.account_id if not current_user.is_super_admin else None)
@@ -519,7 +539,6 @@ async def create_tree(
                 await db.flush()
 
             tags_to_add.append(tag)
-            tag.usage_count += 1
 
         # Use direct SQL insert for the junction table to avoid lazy load issues
         from app.models.tag import tree_tag_assignments
@@ -531,6 +550,10 @@ async def create_tree(
                     assigned_by=current_user.id
                 )
             )
+            # Atomically increment (SQL-level to avoid lost updates from concurrent requests)
+            await db.execute(
+                update(TreeTag).where(TreeTag.id == tag.id).values(usage_count=TreeTag.usage_count + 1)
+            )
 
     await db.commit()
 
@@ -673,9 +696,14 @@ async def update_tree(
     if tags_data is not None:
         from app.models.tag import tree_tag_assignments
 
-        # Decrement usage count for old tags (already eagerly loaded)
-        for tag in tree.tags:
-            tag.usage_count = max(0, tag.usage_count - 1)
+        # Atomically decrement usage count for old tags
+        old_tag_ids = [tag.id for tag in tree.tags]
+        if old_tag_ids:
+            await db.execute(
+                update(TreeTag)
+                .where(TreeTag.id.in_(old_tag_ids))
+                .values(usage_count=func.greatest(TreeTag.usage_count - 1, 0))
+            )
 
         # Delete existing tag assignments using direct SQL
         await db.execute(
@@ -720,7 +748,10 @@ async def update_tree(
                     )
                 )
                 added_tag_ids.add(tag.id)
-                tag.usage_count += 1
+                # Atomically increment (SQL-level to avoid lost updates)
+                await db.execute(
+                    update(TreeTag).where(TreeTag.id == tag.id).values(usage_count=TreeTag.usage_count + 1)
+                )
 
     await db.commit()