fix: address Copilot review findings

- Fix migration comments: status values now match adapter code
  ('unsent', 'sending', 'completed', 'failed')
- Fix poll query example in migration to reflect actual query shape
- Use :timestamptz for locked_at/created_at/updated_at (matches
  pending_since pattern from migration 004)
- Make start() check-and-set atomic under mutex (prevents TOCTOU
  double-spawn)
- Guard from_beef_hex deserialization — corrupt jobs fail immediately
  instead of retrying in a tight loop

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: sgbett

gem/bsv-wallet-postgres/lib/bsv/wallet_postgres/migrations/006_create_broadcast_jobs.rb

@@ -12,7 +12,7 @@
 #                         for the same transaction.
 #
 # * +status+            — TEXT NOT NULL DEFAULT 'unsent'. State machine values:
-#                         'unsent', 'broadcasting', 'sent', 'failed'.
+#                         'unsent', 'sending', 'completed', 'failed'.
 #
 # * +beef_hex+          — TEXT NOT NULL. Serialised BEEF payload to broadcast.
 #
@@ -42,8 +42,11 @@
 # A composite index on +(status, locked_at)+ (named +broadcast_jobs_poll_idx+)
 # supports the hot-path poll query:
 #
-#   WHERE status = 'unsent' AND locked_at IS NULL
+#   WHERE status = 'unsent'
+#      OR (status = 'sending' AND locked_at < NOW() - interval '300 seconds'
+#          AND attempts < 5)
 #   ORDER BY created_at
+#   FOR UPDATE SKIP LOCKED
 Sequel.migration do
   change do
     create_table(:wallet_broadcast_jobs) do
@@ -56,9 +59,9 @@
       String   :fund_ref
       Integer  :attempts,         null: false, default: 0
       String   :last_error,       text: true
-      DateTime :locked_at
-      DateTime :created_at,       null: false, default: Sequel::CURRENT_TIMESTAMP
-      DateTime :updated_at,       null: false, default: Sequel::CURRENT_TIMESTAMP
+      column :locked_at,   :timestamptz
+      column :created_at,  :timestamptz, null: false, default: Sequel::CURRENT_TIMESTAMP
+      column :updated_at,  :timestamptz, null: false, default: Sequel::CURRENT_TIMESTAMP
       index %i[status locked_at], name: :broadcast_jobs_poll_idx
     end
   end

gem/bsv-wallet-postgres/lib/bsv/wallet_postgres/solid_queue_adapter.rb

@@ -131,12 +131,16 @@ def status(txid)
       # Spawns the background worker thread.
       #
       # Safe to call multiple times — returns immediately if already running.
+      # The check-and-set is atomic under the mutex to prevent two concurrent
+      # +start+ calls from spawning duplicate worker threads.
       #
       # @return [void]
       def start
-        return if running?
+        @mutex.synchronize do
+          return if @running || @worker_thread&.alive?
 
-        @mutex.synchronize { @running = true }
+          @running = true
+        end
         @worker_thread = Thread.new { worker_loop }
       end
 
@@ -221,6 +225,9 @@ def poll_once
       # Marks a job as +sending+, broadcasts the transaction, and promotes or
       # rolls back wallet state based on the outcome.
       #
+      # Deserialization failures (corrupt +beef_hex+) are caught and mark the
+      # job as +failed+ immediately to prevent infinite retry loops.
+      #
       # @param job [Hash] row from +wallet_broadcast_jobs+
       # @return [void]
       def process_job(job)
@@ -231,7 +238,16 @@ def process_job(job)
           updated_at: Sequel.lit('NOW()')
         )
 
-        tx = BSV::Transaction::Transaction.from_beef_hex(job[:beef_hex])
+        begin
+          tx = BSV::Transaction::Transaction.from_beef_hex(job[:beef_hex])
+        rescue StandardError => e
+          @db[:wallet_broadcast_jobs].where(id: job[:id]).update(
+            status: 'failed',
+            last_error: "Deserialization failed: #{e.message}",
+            updated_at: Sequel.lit('NOW()')
+          )
+          return
+        end
 
         input_outpoints  = job[:input_outpoints]&.to_a
         change_outpoints = job[:change_outpoints]&.to_a