Fix invalid data: Multiple default tracked contexts per project in Security::ProjectTrackedContext
Summary
While the immediate ingestion errors have been stopped by removing the is_default uniqueness validation in !214197 (merged), we still need to identify and fix the root cause of invalid data where multiple default tracked contexts exist per project.
Background
The validation error "Validation failed: Is default There is already a default tracked context" was introduced in !213720 (merged) and started failing in production approximately 10 hours after deployment (around 2025-11-26 00:00 UTC).
The validation was added to Security::ProjectTrackedContext to ensure only one default tracked context exists per project:
    validates :is_default,
      uniqueness: { scope: [:project_id], message: 'There is already a default tracked context' },
      if: :is_default?
Problem
The ingestion process in !210505 (merged) was supposed to check for an existing default context before attempting to create one, but this check appears to have failed in some cases, resulting in multiple default contexts being created for the same project.
Hypothesis: The default branch may have changed for affected projects, causing the ingestion process to create a new default tracked context instead of updating the existing one.
Impact
- SBOM ingestion was breaking for affected projects
- Invalid data now exists in production with multiple default tracked contexts per project
- This data will need to be cleaned up as part of the larger data migration planned for when all services are set up
Tasks
- Identify projects with multiple default tracked contexts
- Validate the hypothesis that default branch changes are the root cause
- Determine the scope of affected projects and data
- Implement proper handling for default branch changes:
  - Update ingestion logic to select records with is_default: true and update them if the ref name is mismatched
  - Hook into default branch change events to update the security tracked context if it exists
- Create data repair script to consolidate duplicate default contexts
- Reintroduce the is_default uniqueness validation with proper safeguards
Related
- Validation introduced: !213720 (merged)
- Ingestion process updated: !210505 (merged)
- Temporary fix (validation removed): !214197 (merged)
- Parent issue: #555981
- Slack thread: threat_insights_sbom_ingest_report_workers (2025-11-26)
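
The hypothesis and the proposed ingestion change from the Problem and Tasks sections, modelled in plain Ruby as an added example (not GitLab's code and not part of the original issue). The in-memory `TrackedContext` struct, the `ref_name` field name and the `ingest_*` helpers are assumptions made for illustration; only `is_default` and `project_id` come from the issue.

```ruby
# Added illustration: in-memory stand-in for Security::ProjectTrackedContext.
# The `ref_name` field and both ingest_* helpers are hypothetical names.
TrackedContext = Struct.new(:project_id, :ref_name, :is_default)

# Lookup keyed on the ref name, the behaviour the issue's hypothesis describes:
# after a default-branch change no row matches, so a second default is created.
def ingest_by_ref_name(store, project_id, default_branch)
  found = store.find { |c| c.project_id == project_id && c.ref_name == default_branch }
  return found if found

  TrackedContext.new(project_id, default_branch, true).tap { |c| store << c }
end

# Lookup keyed on is_default: true, updating the ref name when it is mismatched.
def ingest_by_default_flag(store, project_id, default_branch)
  found = store.find { |c| c.project_id == project_id && c.is_default }
  if found
    found.ref_name = default_branch unless found.ref_name == default_branch
    return found
  end

  TrackedContext.new(project_id, default_branch, true).tap { |c| store << c }
end

# Project ids that hold more than one default tracked context.
def projects_with_multiple_defaults(store)
  store.select(&:is_default)
       .group_by(&:project_id)
       .select { |_, rows| rows.size > 1 }
       .keys
end

# Constructed scenario: project 1 changes its default branch from master to main.
def simulate(ingest)
  store = []
  send(ingest, store, 1, 'master')
  send(ingest, store, 1, 'main')
  send(ingest, store, 2, 'main')
  store
end

if __FILE__ == $PROGRAM_NAME
  p projects_with_multiple_defaults(simulate(:ingest_by_ref_name))
  p projects_with_multiple_defaults(simulate(:ingest_by_default_flag))
end
```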