fix(db): replace FirstOrCreate+Assign with explicit Find→Create/Save in UpsertAlert

mrz1836 · mrz1836 · commit 4c1b2cd0d2ec · 2026-03-02T08:06:07.000-05:00
Root cause: GORM v2's FirstOrCreate+Assign does not reliably update existing
records — Assign attaches attributes before the query but the actual UPDATE is
inconsistently applied. Dismissed/fixed alerts fetched from GitHub were silently
dropped, leaving DB records permanently stuck as state='open'.

Symptom: security_alerts rows had state='open' with dismissed_at or fixed_at
populated — an impossible combination from GitHub's API that indicated the DB
state was never updated after initial creation.

Fix: explicit lookup + create-or-save:
  1. Find by (repository_id, alert_type, alert_number)
  2. If not found: Create (new record)
  3. If found: Save (full UPDATE with current GitHub state, preserving ID/CreatedAt)

Verified: bsv-blockchain/arcade and bsv-blockchain/go-wallet-toolbox now show
0 alerts after sync (were showing 3 and 8 respectively — all dismissed/fixed).
diff --git a/internal/db/repository_analytics.go b/internal/db/repository_analytics.go
@@ -3,6 +3,7 @@ package db
 import (
 	"context"
 	"errors"
+	"fmt"
 	"time"
 
 	"gorm.io/gorm"
@@ -258,12 +259,25 @@ func (r *analyticsRepo) GetSnapshotHistory(ctx context.Context, repoID uint, sin
 // UpsertAlert creates or updates a security alert
 // Matches by repository_id, alert_type, and alert_number
 func (r *analyticsRepo) UpsertAlert(ctx context.Context, alert *SecurityAlert) error {
-	result := r.db.WithContext(ctx).
+	// NOTE: FirstOrCreate+Assign does not reliably update existing records in GORM v2
+	// (Assign only assigns on create in some versions). Use explicit Find→Create/Save instead.
+	var existing SecurityAlert
+	err := r.db.WithContext(ctx).
 		Where("repository_id = ? AND alert_type = ? AND alert_number = ?",
 			alert.RepositoryID, alert.AlertType, alert.AlertNumber).
-		Assign(alert).
-		FirstOrCreate(alert)
-	return result.Error
+		First(&existing).Error
+
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		return r.db.WithContext(ctx).Create(alert).Error
+	}
+	if err != nil {
+		return fmt.Errorf("lookup alert: %w", err)
+	}
+
+	// Preserve DB-managed fields; overwrite all others with current GitHub state
+	alert.ID = existing.ID
+	alert.CreatedAt = existing.CreatedAt
+	return r.db.WithContext(ctx).Save(alert).Error
 }
 
 // GetOpenAlerts retrieves open alerts for a repository, optionally filtered by severity
