fix(security-agent): make finding upserts race-safe when toggling agent enabled

[jeanduplessis]

Summary

Why this change

A user could trigger duplicate requests from the UI which resulted in a race condition for the upsert statement.

How this is addressed

• Made Security Agent finding upserts deterministic under concurrent first inserts by returning the committed row instead of throwing on empty same-statement snapshots.
• Add a synchronous client-side in-flight guard to reduce duplicate enable/disable mutations from rapid UI events.

Verification

• pnpm --filter web test -- src/lib/security-agent/db/security-findings.test.ts — passed, 19 tests.
• pnpm --filter web test -- src/lib/security-agent/services/sync-service.test.ts — passed, 3 tests.

Visual Changes

N/A

Reviewer Notes

Code review notes

• The SQL intentionally updates only conflicts visible to the statement snapshot; conflicts from concurrent first inserts fall through to a second-statement read to avoid stale overwrites.
• Owner/repo-level cross-instance sync locking is still deferred; the persistence path is race-safe and duplicate UI submissions are reduced.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (4 files)

• apps/web/src/components/security-agent/SecurityAgentContext.tsx
• apps/web/src/components/security-agent/SecurityAgentPageClient.tsx
• apps/web/src/lib/security-agent/db/security-findings.test.ts
• apps/web/src/lib/security-agent/db/security-findings.ts

---

_{Reviewed by gpt-5.4-20260305 · 751,071 tokens}