fix(escalations): atomic claim + self-claim rejection + queue exclusion

Codex review pass on the escalation wedge. Reworks claim_session from read-then-write to a conditional UPDATE so two seniors racing can't both win, blocks the original engineer from claiming their own handoff, and filters self-escalated sessions out of the dashboard escalation queue. Also preassigns the handoff UUID before flush so the compatibility escalation_package payload carries it. Removes legacy frontend pickup state (claiming, handleStartHere) that broke tsc --noEmit. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-30 16:21:20 -04:00
parent ab5e0deaf7
commit f10649abc2
10 changed files with 248 additions and 134 deletions
--- a/backend/app/api/endpoints/ai_sessions.py
+++ b/backend/app/api/endpoints/ai_sessions.py
@@ -689,6 +689,7 @@ async def get_escalation_queue(
        .where(
            scope_filter,
            AISession.status.in_(("requesting_escalation", "escalated")),
+            AISession.user_id != current_user.id,
        )
        .order_by(AISession.created_at.desc())
    )
--- a/backend/app/api/endpoints/session_handoffs.py
+++ b/backend/app/api/endpoints/session_handoffs.py
@@ -144,6 +144,8 @@ async def claim_handoff(
                "claimed_at": e.claimed_at.isoformat(),
            },
        )
+    except PermissionError as e:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=str(e))
    except ValueError as e:
        raise HTTPException(status_code=404, detail=str(e))

--- a/backend/app/services/handoff_manager.py
+++ b/backend/app/services/handoff_manager.py
@@ -18,9 +18,9 @@ import json
 import logging
 from datetime import datetime, timezone
 from typing import Any
-from uuid import UUID
+from uuid import UUID, uuid4

-from sqlalchemy import select
+from sqlalchemy import select, update
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload

@@ -88,6 +88,10 @@ class HandoffManager:
        to produce), and merges the handoff metadata into it. Self-targeting
        is rejected with ValueError, matching legacy behavior.
        """
+        user_id = UUID(str(user_id))
+        if target_user_id:
+            target_user_id = UUID(str(target_user_id))
+
        # Eager-load steps + user — _build_escalation_package_enhanced and
        # finalize_escalation iterate over session.steps to compose the
        # legacy enriched package and the SessionDocumentation, and the
@@ -125,7 +129,9 @@ class HandoffManager:
        # immediately with `ai_assessment=None`; the magic-moment screen
        # shows "Assessment still computing" until enrich_async finishes
        # and the senior refreshes (or, eventually, polls).
+        handoff_id = uuid4()
        handoff = SessionHandoff(
+            id=handoff_id,
            session_id=session_id,
            account_id=session.account_id,
            handed_off_by=user_id,
@@ -159,7 +165,7 @@ class HandoffManager:
            "snapshot": snapshot,
            "intent": intent,
            "engineer_notes": engineer_notes,
-            "handoff_id": str(handoff.id),
+            "handoff_id": str(handoff_id),
        }

        await self.db.flush()
@@ -432,6 +438,21 @@ class HandoffManager:
        the API can return 409 with the data the loser's toast needs. A
        re-claim by the same user is idempotent.
        """
+        claiming_user_id = UUID(str(claiming_user_id))
+        claimed_at = datetime.now(timezone.utc)
+
+        update_result = await self.db.execute(
+            update(SessionHandoff)
+            .where(
+                SessionHandoff.id == handoff_id,
+                SessionHandoff.claimed_by.is_(None),
+                SessionHandoff.handed_off_by != claiming_user_id,
+            )
+            .values(claimed_by=claiming_user_id, claimed_at=claimed_at)
+            .returning(SessionHandoff.id)
+        )
+        claimed_now = update_result.scalar_one_or_none() is not None
+
        result = await self.db.execute(
            select(SessionHandoff)
            .options(
@@ -444,17 +465,22 @@ class HandoffManager:
        if not handoff:
            raise ValueError(f"Handoff {handoff_id} not found")

-        if handoff.claimed_by is not None and handoff.claimed_by != claiming_user_id:
+        handed_off_by = UUID(str(handoff.handed_off_by))
+        claimed_by = (
+            UUID(str(handoff.claimed_by)) if handoff.claimed_by is not None else None
+        )
+
+        if handed_off_by == claiming_user_id:
+            raise PermissionError("Cannot claim your own handoff")
+
+        if not claimed_now and claimed_by != claiming_user_id:
            claimer = handoff.claimed_by_user
            raise HandoffAlreadyClaimedError(
-                claimed_by_id=handoff.claimed_by,
+                claimed_by_id=claimed_by,
                claimed_by_name=claimer.name if claimer else "another engineer",
                claimed_at=handoff.claimed_at or datetime.now(timezone.utc),
            )

-        handoff.claimed_by = claiming_user_id
-        handoff.claimed_at = datetime.now(timezone.utc)
-
        # Reactivate session
        session_result = await self.db.execute(
            select(AISession).where(AISession.id == handoff.session_id)