refactor: Migrate Allocation API handlers to WithTx transaction helper

[chet]

Applies WithTx (from #462) to the Create/Update/Delete allocation handlers. Used WithTx across the board (and not WithTxResult) since each handler needs multiple values out, which is the case in other handlers too. We could probably change to WithTxResult by putting all values into its own struct, or making a new WithTxResults? That can happen later though. Might be a nice single PR to sweep through cases doing this to introduce multi-value behavior/support?

Also includes using the TerminateWorkflowOnTimeOut helper.

@coderabbitai feedback addressed in advance (I just ran coderabbit CLI locally to save back/forth):

• Log the correct error variable on the GetAllAllocationConstraintsForInstanceType failure path.
• Defensive nil check on ac.DerivedResourceID before dereferencing it.

Signed-off-by: Chet Nichols III chetn@nvidia.com

Description

Type of Change

• Feature - New feature or functionality (feat:)
• Fix - Bug fixes (fix:)
• Chore - Modification or removal of existing functionality (chore:)
• Refactor - Refactoring of existing functionality (refactor:)
• Docs - Changes in documentation or OpenAPI schema (docs:)
• CI - Changes in GitHub workflows. Requires additional scrutiny (ci:)
• Version - Issuing a new release version (version:)

Services Affected

• API - API models or endpoints updated
• Workflow - Workflow service updated
• DB - DB DAOs or migrations updated
• Site Manager - Site Manager updated
• Cert Manager - Cert Manager updated
• Site Agent - Site Agent updated
• RLA - RLA service updated
• Powershelf Manager - Powershelf Manager updated
• NVSwitch Manager - NVSwitch Manager updated

Related Issues (Optional)

Breaking Changes

• This PR contains breaking changes

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• No testing required (docs, internal refactor, etc.)

Additional Notes

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 75ce4585-2705-45d7-bebd-f7acbf761c4f

📥 Commits

Reviewing files that changed from the base of the PR and between ffb1077 and c65188c.

📒 Files selected for processing (2)

• api/pkg/api/handler/allocation.go
• api/pkg/api/handler/instance.go

🚧 Files skipped from review as they are similar to previous changes (1)

• api/pkg/api/handler/allocation.go

---

Summary by CodeRabbit

• Refactor
  • Improved transaction handling for allocation create/update/delete to ensure atomic, consistent operations and predictable response behavior.
  • Centralized post-transaction timeout handling for instance workflows so cleanup/termination runs reliably after DB work completes.
• Bug Fix
  • Avoided erroneous deletion/cleanup when related parent resources are missing, reducing accidental removals and failures.

Walkthrough

Replaces manual SQL transaction management in Allocation create/update/delete with cdb.WithTx callbacks, moving locks, validations, IPAM/derived-IPBlock handling, constraint persistence/cleanup, and Tenant/Site association workflows into transaction closures. Defers Temporal workflow termination for Instance create/reboot/update/delete until after DB transactions unwind.

Changes

Allocation Handler Transaction Refactor

Layer / File(s)	Summary
Import / Dependencies api/pkg/api/handler/allocation.go	Removed database/sql import; transaction lifecycle now uses cdb.WithTx callbacks.
Create — Transaction Closure api/pkg/api/handler/allocation.go	Replaced manual Begin/Commit/Rollback with cdb.WithTx; advisory lock, locked name-uniqueness recheck, instance-type availability checks under lock, IPBlock child-prefix IPAM allocation and derived IPBlock/status creation, Allocation + status creation, AllocationConstraint persistence, and conditional Tenant/Site association + Temporal workflow trigger executed inside the transaction; response objects populated from closure-scoped variables.
Update — Transaction Closure api/pkg/api/handler/allocation.go	Moved allocation fetch, org/provider validation, optional advisory-lock name conflict check, allocation update, derived IPBlock name update (for IPBlock allocations), and re-fetch of status details and constraints into cdb.WithTx; response built from closure-scoped results.
Delete — Transaction Closure & Safety Guard api/pkg/api/handler/allocation.go	Moved existence/provider validation, advisory locking, dependency checks, constraint cleanup, Allocation deletion, and conditional Tenant/Site association deletion into cdb.WithTx. During IPBlock deletion, IPAM child cleanup is skipped when parent IPBlock is missing to avoid invalid cleanup attempts.
Error Handling / Rollback Behavior api/pkg/api/handler/allocation.go	Handlers now return errors from the WithTx closure (via cutil.NewAPIError(...)); explicit deferred rollback/commit removed and transaction lifecycle is controlled by WithTx.

Instance Workflow Timeout Termination

Layer / File(s)	Summary
Timeout scaffolding addition api/pkg/api/handler/instance.go	Added a per-request timeoutResp closure variable in Create, Reboot, Update, and Delete handlers to defer workflow-termination actions until after the DB transaction completes.
Synchronous workflow timeout detection api/pkg/api/handler/instance.go	On Temporal synchronous call timeout or context deadline exceeded, handlers now capture the timeout cause and set timeoutResp to a closure invoking common.TerminateWorkflowOnTimeOut(...); handlers return a consistent HTTP 500 indicating the specific Instance workflow timed out.
Post-Transaction termination invocation api/pkg/api/handler/instance.go	After the DB transaction returns (outside the transaction closure), handlers invoke timeoutResp() when set so Temporal workflow termination runs after transaction rollback/commit.
Behavioral intent api/pkg/api/handler/instance.go	Ensure Temporal Site workflows are terminated only after DB transactions have been resolved to avoid trying to terminate workflows while DB state was rolled back.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant API_Handler
    participant Database
    participant Temporal
    participant Site_Workflow

    Client->>API_Handler: Create/Update/Delete/Reboot request
    API_Handler->>Database: Start transaction (cdb.WithTx)
    API_Handler->>Temporal: Start synchronous workflow call
    alt Temporal times out or ctx deadline exceeded
        Temporal-->>API_Handler: Timeout error
        API_Handler->>API_Handler: set timeoutResp (terminate closure)
        API_Handler->>Database: return from WithTx (transaction ends/rolled back)
        API_Handler->>Site_Workflow: invoke timeoutResp -> terminate workflow
        API_Handler-->>Client: HTTP 500 "workflow timed out"
    else Temporal completes
        Temporal-->>API_Handler: Workflow accepted / ID
        API_Handler->>Database: commit transaction (within WithTx)
        API_Handler-->>Client: Success response
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main refactoring work: migrating Allocation API handlers to use the WithTx transaction helper, which is the primary change across both modified files.
Description check	✅ Passed	The description directly addresses the changeset by explaining the WithTx migration for allocation handlers, discusses the rationale for using WithTx over WithTxResult, mentions the TerminateWorkflowOnTimeOut helper integration, and documents pre-addressed coderabbit feedback.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔐 TruffleHog Secret Scan

✅ No secrets or credentials found!

Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉

🔗 View scan details

_{🕐 Last updated: 2026-05-04 17:24:35 UTC | Commit: 6e8f66e}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@api/pkg/api/handler/allocation.go`:
- Around line 1327-1398: The code can call ipam.DeleteChildIpamEntryFromCidr
with a nil parentIPBlock when ipbDAO.GetByID returned cdb.ErrDoesNotExist; add
an explicit guard after the parentIPBlock lookup (and before any IPAM cleanup)
to check parentIPBlock != nil (or return a clear API error) so
DeleteChildIpamEntryFromCidr is never invoked with a nil parent; locate the
logic around parentIPBlock, childIPBlock, ipbDAO.GetByID and the call to
ipam.DeleteChildIpamEntryFromCidr and either return cutil.NewAPIError(...) or
skip IPAM cleanup when parentIPBlock is nil.
- Around line 1015-1032: The rename check is raceable because aDAO.GetAll()
followed by Update can be interleaved; either wrap the uniqueness check and the
subsequent update in the same tenant/site lock (use a mutex keyed by
existingA.TenantID+existingA.SiteID so both the GetAll and the call to
aDAO.Update happen while holding that lock) or remove the pre-check and instead
detect a DB unique-constraint error returned by aDAO.Update and translate it to
a 409 via cutil.NewAPIError (include the conflicting allocation ID in
validation.Errors like the current code does). Ensure you update the code paths
that call aDAO.Update to map the DB unique-violation error to an HTTP 409 and
keep aDAO.GetAll only for non-racy read-only use.
- Around line 180-188: After acquiring the advisory lock in the cdb.WithTx block
(inside the function using cah.dbSession and tx.TryAcquireAdvisoryLock with
cdb.GetAdvisoryLockIDFromString), re-run the uniqueness/conflict check for an
Allocation with the same tenant, site and name inside this transaction (using
the same repository/query used earlier for the preflight check) and if a record
is found return a 409 Conflict (e.g. return
cutil.NewAPIError(http.StatusConflict, "Allocation with this name already
exists", nil)) instead of proceeding to create; this ensures concurrent requests
that passed the preflight are rejected correctly rather than creating duplicates
or surfacing a 500.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3ef95bc4-90df-43a8-8000-c7cb2bf436cb

📥 Commits

Reviewing files that changed from the base of the PR and between e02c20b and 6e8f66e.

📒 Files selected for processing (1)

• api/pkg/api/handler/allocation.go

[github-actions]

🔍 Container Scan Summary

Service	Total	Critical	High	Medium	Low	Other
nico-nsm	64	2	20	33	9	0
nico-psm	56	4	29	13	2	8
nico-rest-api	57	4	30	13	2	8
nico-rest-cert-manager	54	4	28	13	1	8
nico-rest-db	55	4	28	13	2	8
nico-rest-site-agent	54	4	28	13	1	8
nico-rest-site-manager	54	4	28	13	1	8
nico-rest-workflow	56	4	29	13	2	8
nico-rla	55	4	28	13	2	8
TOTAL	505	34	248	137	22	64

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.

[coderabbitai]

🧹 Nitpick comments (4)

api/pkg/api/handler/allocation.go (4)

206-209: 💤 Low value

Discarded return values indicate potential dead code.

The call to GetAllAllocationConstraintsForInstanceType discards both the constraints slice and the count. If this invocation serves a side-effect purpose (e.g., cache warming or implicit validation), a brief comment would clarify intent. Otherwise, consider removing this call to reduce unnecessary database round-trips.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/pkg/api/handler/allocation.go` around lines 206 - 209, The call to
GetAllAllocationConstraintsForInstanceType currently discards the returned
constraints and count (call located near the allocation handling using variables
tx, cah.dbSession, ip, site, tenant), which looks like dead work; either use the
returned values (constraints slice and count) where needed or remove the call
entirely to avoid an unnecessary DB round-trip—if the call is intentional for
side-effects (validation/cache warming), add a one-line comment above the
GetAllAllocationConstraintsForInstanceType invocation explaining that intent and
why the return values are ignored so future readers know it’s deliberate.

---

1253-1254: ⚡ Quick win

Unused variables imAcDel and imAcUpd constitute dead code.

Similar to the Create handler, these slices are populated but never consumed after the transaction. If post-commit IM interaction was intended, the implementation is incomplete. Otherwise, remove these declarations.

🧹 Proposed cleanup

-		imAcDel := []cdbm.AllocationConstraint{}
-		imAcUpd := []cdbm.AllocationConstraint{}
 
 		ipamStorage := ipam.NewIpamStorage(dah.dbSession.DB, tx.GetBunTx())
 
@@ ... inside the loop ...
-				if acCnt > 1 {
-					imAcUpd = append(imAcUpd, ac)
-				} else if acCnt == 1 {
-					imAcDel = append(imAcDel, ac)
-				}

Also applies to: 1345-1349

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/pkg/api/handler/allocation.go` around lines 1253 - 1254, The local slices
imAcDel and imAcUpd in the allocation handler are declared and populated but
never used after the transaction (dead code); either remove their declarations
and any code that appends to them, or implement the missing post-commit IM
interaction that consumes them (mirror the pattern used in the Create handler:
collect constraints during processing, then after tx commit invoke the IM/update
function with imAcDel and imAcUpd). Update or remove all occurrences of imAcDel
and imAcUpd so there are no unused variables left.

---

372-390: ⚡ Quick win

Unused variables imAcAdd and imAcUpd constitute dead code.

These slices are populated within the closure but are never referenced after the transaction commits. If Instance Manager (IM) interaction was intended post-commit, the logic is missing. Otherwise, remove these allocations to improve clarity.

🧹 Proposed cleanup

-		imAcAdd := []cdbm.AllocationConstraint{}
-		imAcUpd := []cdbm.AllocationConstraint{}
 		for _, ac := range dbacs {
 			retac, serr := acDAO.CreateFromParams(ctx, tx, a.ID, ac.ResourceType, ac.ResourceTypeID, ac.ConstraintType, ac.ConstraintValue, ac.DerivedResourceID, dbUser.ID)
 			if serr != nil {
 				logger.Error().Err(serr).Msg("error creating Allocation Constraint DB entry")
 				return cutil.NewAPIError(http.StatusInternalServerError, "Failed to create Allocation Constraint entry for Allocation", nil)
 			}
 			dbacsRet = append(dbacsRet, *retac)
-			_, cnt, derr := common.GetAllAllocationConstraintsForInstanceType(ctx, tx, cah.dbSession, ip, site, tenant, &ac.ResourceTypeID)
-			if derr != nil {
-				logger.Error().Err(derr).Msg("error getting Allocation Constraints")
-				return cutil.NewAPIError(http.StatusInternalServerError, "Failed to create Allocation, db error", nil)
-			}
-			if cnt > 1 {
-				imAcUpd = append(imAcUpd, *retac)
-			} else if cnt == 1 {
-				imAcAdd = append(imAcAdd, *retac)
-			}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/pkg/api/handler/allocation.go` around lines 372 - 390, The slices imAcAdd
and imAcUpd are allocated and appended to inside the dbacs loop but never used
after commit (dead code); either remove their declarations and the append logic
around imAcAdd/imAcUpd in the loop, or (if IM interaction was intended) move the
IM-update logic to run after the transaction commits and replace the current
appends with code that enqueues or executes the required IM calls using the
populated slices; locate the loop that iterates over dbacs in allocation.go and
update the code paths around imAcAdd, imAcUpd, and the cnt checks to implement
one of these two fixes.

---

1107-1108: 💤 Low value

Redundant acDAO declaration shadows earlier variable.

acDAO is already declared at line 1070 within the same closure scope. The second declaration with := at line 1107 shadows it. While functionally harmless, using assignment (=) or reusing the existing variable would be cleaner.

♻️ Suggested fix

-		acDAO := cdbm.NewAllocationConstraintDAO(uah.dbSession)
-		retAcs, _, derr := acDAO.GetAll(ctx, tx, []uuid.UUID{a.ID}, nil, nil, nil, nil, nil, nil, nil, nil)
+		retAcs, _, derr := acDAO.GetAll(ctx, tx, []uuid.UUID{a.ID}, nil, nil, nil, nil, nil, nil, nil, nil)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/pkg/api/handler/allocation.go` around lines 1107 - 1108, The code
re-declares acDAO with := causing a shadow of the earlier acDAO; change the
second declaration to an assignment so the existing acDAO is reused (replace the
:= with =) where you call NewAllocationConstraintDAO(uah.dbSession) and then
call acDAO.GetAll(ctx, tx, []uuid.UUID{a.ID}, ...), keeping retAcs and derr
handling the same; ensure you reference the already-declared acDAO variable
(used around NewAllocationConstraintDAO and GetAll) rather than creating a new
scoped variable.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@api/pkg/api/handler/allocation.go`:
- Around line 206-209: The call to GetAllAllocationConstraintsForInstanceType
currently discards the returned constraints and count (call located near the
allocation handling using variables tx, cah.dbSession, ip, site, tenant), which
looks like dead work; either use the returned values (constraints slice and
count) where needed or remove the call entirely to avoid an unnecessary DB
round-trip—if the call is intentional for side-effects (validation/cache
warming), add a one-line comment above the
GetAllAllocationConstraintsForInstanceType invocation explaining that intent and
why the return values are ignored so future readers know it’s deliberate.
- Around line 1253-1254: The local slices imAcDel and imAcUpd in the allocation
handler are declared and populated but never used after the transaction (dead
code); either remove their declarations and any code that appends to them, or
implement the missing post-commit IM interaction that consumes them (mirror the
pattern used in the Create handler: collect constraints during processing, then
after tx commit invoke the IM/update function with imAcDel and imAcUpd). Update
or remove all occurrences of imAcDel and imAcUpd so there are no unused
variables left.
- Around line 372-390: The slices imAcAdd and imAcUpd are allocated and appended
to inside the dbacs loop but never used after commit (dead code); either remove
their declarations and the append logic around imAcAdd/imAcUpd in the loop, or
(if IM interaction was intended) move the IM-update logic to run after the
transaction commits and replace the current appends with code that enqueues or
executes the required IM calls using the populated slices; locate the loop that
iterates over dbacs in allocation.go and update the code paths around imAcAdd,
imAcUpd, and the cnt checks to implement one of these two fixes.
- Around line 1107-1108: The code re-declares acDAO with := causing a shadow of
the earlier acDAO; change the second declaration to an assignment so the
existing acDAO is reused (replace the := with =) where you call
NewAllocationConstraintDAO(uah.dbSession) and then call acDAO.GetAll(ctx, tx,
[]uuid.UUID{a.ID}, ...), keeping retAcs and derr handling the same; ensure you
reference the already-declared acDAO variable (used around
NewAllocationConstraintDAO and GetAll) rather than creating a new scoped
variable.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c8708791-d04c-4bca-b5f5-6191433c0952

📥 Commits

Reviewing files that changed from the base of the PR and between 6e8f66e and f096543.

📒 Files selected for processing (1)

• api/pkg/api/handler/allocation.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@api/pkg/api/handler/instance.go`:
- Around line 1597-1602: The timeout branch closes over the outer err which
later gets reassigned by cdb.WithTx, so capture the original workflow timeout
error into a new local variable before assigning timeoutResp; e.g., store the
current err into something like workflowTimeoutErr and have timeoutResp call
common.TerminateWorkflowOnTimeOut with workflowTimeoutErr (referencing
timeoutResp, err, cdb.WithTx, and common.TerminateWorkflowOnTimeOut to locate
the code).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8624ae5a-d353-4ffb-b044-1f0f7c7d4166

📥 Commits

Reviewing files that changed from the base of the PR and between f096543 and ffb1077.

📒 Files selected for processing (2)

• api/pkg/api/handler/allocation.go
• api/pkg/api/handler/instance.go