feat: validate sequences with the temporal model before triangulation (#615)

* feat(sequences): add temporal_model_score and is_validated columns

* feat(temporal): add temporal model API client with circuit breaker

* feat(detections): gate triangulation on risk+temporal validation via background task

* test(temporal): cover temporal service and mark seeded sequences validated

* style(detections): order imports and drop redundant casts

* test(temporal): cover validation pipeline and update sequence fixtures

* fix(temporal): validation-first scheduling, scoreless guard, atomic claim

Address review: schedule validation before fallible notification tasks so a
failing webhook can't skip triangulation; raise on temporal call failure to
distinguish it from a scoreless 200 (no longer fails open on uncalibrated
responses); claim is_validated atomically so concurrent tasks can't
double-triangulate; guard the Slack call defensively.

* build: wire TEMPORAL_API_URL and TEMPORAL_MODEL_THRESHOLD into backend env

* fix(temporal): configurable timeout (default 30s) and log real error

The model infers serially, so concurrent validation calls queue and the old
10s timeout tripped the breaker under bursts. Make the timeout a setting
(TEMPORAL_API_TIMEOUT, default 30s) and log the exception repr so timeouts
aren't masked as an empty message.

* fix(temporal): bound in-flight calls with a semaphore so bursts queue

The model infers serially; many concurrent validation calls were piling up and
timing out, tripping the breaker and losing scores. Bound concurrency with a
configurable semaphore (TEMPORAL_API_MAX_CONCURRENCY, default 1) so bursts queue
and every sequence is scored. Fail-open stays only for genuine unavailability.

* refactor(temporal): never hold a DB session across the temporal call

Split validate_sequence into phases (read+gate / temporal call with no session /
persist+triangulate+notify) so queued calls don't hold a DB connection and
exhaust the pool under bursts. Also re-check the breaker inside the semaphore
(it may open while a call waits in the queue), and document the per-process
concurrency caveat for multi-worker deploys.

* fix(temporal): address review - no fail-open resurrection, isolate task failures

- _temporal_verdict drops sequences past MAX_FRAMES before the availability
  check, so a model-declined sequence can't be resurrected by a later fail-open
- wrap validate_sequence in a catch-all so one task's failure doesn't abort
  sibling validation/notification tasks, and a post-claim failure is logged loudly
- note the temporal API is called without credentials (assumes private network)
- test the append path schedules validation, plus the hard-drop regression

* docs(temporal): record sign-off that sub-MIN_FRAMES sequences are intentionally suppressed

* feat(temporal): send bearer token when TEMPORAL_API_TOKEN is set

The temporal API now guards /predict with a shared bearer token
(pyronear/temporal-model#35). Send Authorization: Bearer when configured;
unset matches a server with auth disabled (open /predict).

* fix(temporal): release the validation claim when alert attachment fails

If _attach_sequence_to_alert raised after claim_validation committed, the
catch-all wrapper swallowed the error and the sequence stayed validated-but-
never-alerted forever (the early is_validated check blocks any retry). Roll
the flag back on failure (fresh session) so a later detection retries the
whole pipeline; attachment is idempotent on retry.

* feat(temporal): drop the sliding window, send all frames (4-10)

Send every distinct frame of the sequence instead of the last 6; the model
accepts up to 10 frames and benefits from the full history.

* feat(temporal): scope /predict to the sequence bbox region via roi_xyxyn

Send the union envelope of the sequence's primary bboxes as roi_xyxyn
(pyronear/temporal-model#41) so the verdict can't be polluted by unrelated
activity elsewhere in the frame. Omitted when no bbox parses (full-frame).

* fix(sequences): wildfire label validates and attaches a rejected sequence

A temporal-rejected sequence stays visible in the platform listings but had no
alert, and labeling it wildfire_smoke returned without creating one - manually
correcting a temporal false negative did nothing. Treat the human confirmation
as validation: claim the sequence and run the usual alert attachment.

* Revert "fix(sequences): wildfire label validates and attaches a rejected sequence"

This reverts commit 0e045a0.

* feat(sequences): DB-backed validation job state (due marker, lease, status)

The validation queue moves into Postgres so it works with any number of
uvicorn workers: validation_due_at is the queue (one entry per sequence,
COALESCE keeps FIFO order), validation_lease_until guards a claimed job
(FOR UPDATE SKIP LOCKED + lease; an expired lease means the worker died
and the job is up for grabs), validation_status traces how validation
concluded (model / fail_open_unavailable / fail_open_stale /
window_exhausted). finish_validation_job only clears the due marker if
the frame set is unchanged, so frames that arrive during scoring trigger
a re-run instead of being lost. Job fields are excluded from API
responses (re-declared on SequenceRead to reset instrumented defaults).

* feat(temporal): breaker with exponential backoff, half-open probe, 4xx exemption

Replaces the fixed 4h blackout: the breaker now opens for 60s doubled on
each re-trip (capped at 1h, with jitter), and once the pause elapses the
next call is a half-open probe — success closes the breaker, failure
re-opens it immediately at the next tier. 4xx responses fail the call
(callers still fail open) but no longer trip the breaker: they signal a
config/input problem, not an outage. The client-side semaphore is gone —
the temporal API serializes inference server-side, and each pyro-api
process runs a single validation worker.

* feat(validation): DB-coordinated worker replaces per-detection background tasks

Each detection now just marks its sequence due (idempotent enqueue); a
per-process worker loop claims due sequences from Postgres and runs the
risk + temporal + triangulation + Slack pipeline. Multi-worker safe by
construction: SKIP LOCKED + lease prevent duplicate model calls, the
queue survives restarts, and a crashed worker's job is reclaimed when
its lease expires.

Frames are read at scoring time, so backlogged sequences are scored with
their freshest frame set. Window rules: past MAX_FRAMES with a prior
score is terminal (window_exhausted, the model declined its chances);
past MAX_FRAMES never scored sends the last 10 — a backlog delays
sequences, never silently drops them. A job queued past
TEMPORAL_VALIDATION_MAX_AGE fails open explicitly (fail_open_stale) to
bound validation latency, and job errors release the lease with a 30s
retry backoff instead of spinning.

New settings: TEMPORAL_VALIDATION_POLL_SECONDS, TEMPORAL_VALIDATION_MAX_AGE,
TEMPORAL_VALIDATION_LEASE_SECONDS; TEMPORAL_API_MAX_CONCURRENCY removed.

* feat(validation): gate webhooks and Telegram behind validation like Slack

All notification channels now sit behind the temporal validation gate
and fire exactly once per sequence (atomic claim), carrying the
sequence's latest detection at validation time. A sequence the model
declines never notifies anyone — no channel bypasses the gate anymore.
create_detection no longer notifies at sequence creation.

* fix(validation): crash-safe post-claim work, score-aware window rule, fresh reads, per-org alert lock

Addresses the final review findings:
- A worker dying after winning the validation claim (deploy cancellation,
  process death) left a validated-but-due row no one would ever reclaim.
  The claim query no longer filters validated rows: a validated sequence
  still due means post-claim work is pending, and the worker resumes it
  (triangulate + notify + finish). The due marker is the completion
  record; notifications become at-least-once (documented).
- A stored above-threshold score could decay into window_exhausted on
  retry past MAX_FRAMES (scored 0.9 -> attach failed -> retried at 11+
  frames -> dropped). The terminal branch now requires the stored score
  to be a decline; an above-threshold score validates without another
  model call.
- The worker re-reads the sequence at the start of the job instead of
  trusting the claim-time snapshot (stale max_conf could mis-apply the
  risk gate; stale score/validated flag broke the rules above).
- Alert attachment is serialized per organization with a Postgres
  advisory lock so two workers validating two sequences of the same
  event can't both create an alert (race pre-existed this PR).
- Doc fixes: at-least-once delivery, risk-gate retry semantics, stale
  overlap.py comment, frame-count-proxy limitation.

* refactor(validation): simplify worker plumbing

- The job pipeline takes only the sequence id and reads ALL state fresh
  from the DB, making the stale-snapshot class of bug impossible by
  construction (the claim-time object is no longer passed around).
- validation_status merges into finish_validation_job (one UPDATE
  instead of two); set_validation_status and _conclude_terminal removed.
- A 4xx from the temporal API now closes the breaker outright (the API
  answered, it is reachable) instead of only skipping the failure count.
- enqueue guard uses IS DISTINCT FROM instead of OR/IS NULL.

* fix(validation): attach failure keeps the verdict; status written at claim

A failed alert attachment no longer flips is_validated back: now that
validated-but-due rows are resumed, releasing the claim could erase a
reached verdict (a fail-open or positive-score validation retried later
could be re-decided differently and dropped). The verdict and its
validation_status are written atomically by claim_validation; a failure
in the post-claim work releases only the lease and the retry resumes
attach + notify with the verdict intact. release_validation removed.

Also documents (comment + test) that the stale fail-open deliberately
does not apply below MIN_FRAMES: a short sequence isn't waiting on the
model — if its job went stale, the sequence stopped emitting (noise).

* test(validation): cover failure paths and edge cases (100% on validation.py)

- notification channel failures (webhook, Telegram, Slack) never abort
  the job; no-detection sequences notify nothing
- vanished sequence/camera at processing time complete the job quietly
- in-flight TemporalUnavailableError fails open
- lost claim (concurrent validation) completes without double attach
- unparseable bbox and degenerate (zero-area) ROI fall back to full-frame
- worker loop survives errors, idles between polls, stops on cancellation

* fix(validation): detached notifications, dead-letter cap, shared status constants

Addresses the second review round:
- Notifications (webhooks, Telegram, Slack) now fire as a detached task
  AFTER job completion, off the worker's critical path: a slow or hanging
  channel no longer delays the next sequence's scoring nor eats into the
  lease. Accepted flip side (documented): a crash between completion and
  delivery loses the notification — consistent with the channels being
  best-effort, the durable artifact is the alert row.
- Errored jobs no longer retry forever: validation_attempts counts
  consecutive errors (reset on every completed job) and at
  MAX_VALIDATION_ATTEMPTS (5) the job dead-letters as
  validation_status='failed' (terminal, never re-enqueued) so a poison
  job can't starve the serial worker. The staleness fail-open could not
  bound this since each retry refreshes the due time.
- validation_status values now have a single source of truth in
  app.models (worker and CRUD queue guards import the same constants)
  and are enforced by a DB CHECK constraint.

* fix(validation): close three state-machine races found in final review

- A loser of the validation claim no longer completes the job: the
  winner may have died right after the flip (lease expired mid-model-
  call, sibling reprocessed and crashed), and the due marker is the only
  thing that resumes its attach/notify work. Leaving the row due is
  always safe: a finished winner already cleared it.
- A never-scored sequence past MAX_FRAMES whose first (truncated) score
  declines now lands in window_exhausted immediately, consistent with
  the stored-score rule, instead of lingering unlabeled.
- The risk-gate finish is now conditional on the frame count (read
  before the gate): a max_conf bump landing mid-job keeps the job due
  so the gate re-evaluates immediately instead of losing the bump until
  the next detection.

* feat(validation): store model and serving-code versions with the temporal score

The temporal API now reports a version block ({api, model}) in /predict
responses (pyronear/temporal-model#48). Persist both next to
temporal_model_score so every stored score stays attributable to the
exact model release and serving image after redeploys: combined with
the is_wildfire annotations this enables per-version offline evaluation
and threshold tuning on production traffic.

The triple is written in a single UPDATE (it moves together by
construction); columns are NULL for never-scored sequences and for
unstamped (non-release) serving builds, and older servers without the
version block degrade to NULL.

Author: MateoLostanlen

.env.example

@@ -29,6 +29,15 @@ RISK_API_LOGIN=
 RISK_API_PWD=
 RISK_REFRESH_HOUR_UTC=4
 
+# Temporal model API (validates sequences before triangulation)
+TEMPORAL_API_URL=
+TEMPORAL_API_TOKEN=
+TEMPORAL_MODEL_THRESHOLD=0.45
+TEMPORAL_API_TIMEOUT=30
+TEMPORAL_VALIDATION_POLL_SECONDS=2
+TEMPORAL_VALIDATION_MAX_AGE=300
+TEMPORAL_VALIDATION_LEASE_SECONDS=120
+
 # Production-only
 ACME_EMAIL=
 BACKEND_HOST=

docker-compose.yml

@@ -71,6 +71,13 @@ services:
       - RISK_API_LOGIN=${RISK_API_LOGIN}
       - RISK_API_PWD=${RISK_API_PWD}
       - RISK_REFRESH_HOUR_UTC=${RISK_REFRESH_HOUR_UTC:-4}
+      - TEMPORAL_API_URL=${TEMPORAL_API_URL}
+      - TEMPORAL_API_TOKEN=${TEMPORAL_API_TOKEN}
+      - TEMPORAL_MODEL_THRESHOLD=${TEMPORAL_MODEL_THRESHOLD:-0.45}
+      - TEMPORAL_API_TIMEOUT=${TEMPORAL_API_TIMEOUT:-30}
+      - TEMPORAL_VALIDATION_POLL_SECONDS=${TEMPORAL_VALIDATION_POLL_SECONDS:-2}
+      - TEMPORAL_VALIDATION_MAX_AGE=${TEMPORAL_VALIDATION_MAX_AGE:-300}
+      - TEMPORAL_VALIDATION_LEASE_SECONDS=${TEMPORAL_VALIDATION_LEASE_SECONDS:-120}
     volumes:
       - ./src/:/app/
     command: "sh -c 'alembic upgrade head && python app/db.py && uvicorn app.main:app --reload --host 0.0.0.0 --port 5050 --proxy-headers'"

src/app/api/api_v1/endpoints/detections.py

@@ -4,7 +4,6 @@
 # See LICENSE or go to <https://www.apache.org/licenses/LICENSE-2.0> for full license details.
 
 
-import json
 import logging
 import re
 from ast import literal_eval
@@ -14,7 +13,6 @@
 import pandas as pd
 from fastapi import (
     APIRouter,
-    BackgroundTasks,
     Depends,
     File,
     Form,
@@ -24,25 +22,20 @@
     UploadFile,
     status,
 )
-from fastapi.encoders import jsonable_encoder
 from sqlmodel import select
 from sqlmodel.ext.asyncio.session import AsyncSession
 
 from app.api.dependencies import (
-    dispatch_webhook,
-    get_alert_crud,
     get_camera_crud,
     get_detection_crud,
     get_jwt,
-    get_organization_crud,
     get_pose_crud,
     get_sequence_crud,
-    get_webhook_crud,
 )
 from app.core.config import settings
 from app.core.time import utcnow
-from app.crud import AlertCRUD, CameraCRUD, DetectionCRUD, OrganizationCRUD, PoseCRUD, SequenceCRUD, WebhookCRUD
-from app.models import Alert, AlertSequence, Camera, Detection, Organization, Pose, Role, Sequence, UserRole
+from app.crud import AlertCRUD, CameraCRUD, DetectionCRUD, PoseCRUD, SequenceCRUD
+from app.models import Alert, AlertSequence, Camera, Detection, Pose, Role, Sequence, UserRole
 from app.schemas.alerts import AlertCreate, AlertUpdate
 from app.schemas.detections import (
     BOX_PATTERN,
@@ -57,11 +50,8 @@
 from app.schemas.sequences import SequenceUpdate
 from app.services.cones import resolve_cone
 from app.services.overlap import compute_overlap, haversine_km
-from app.services.risk import risk_service
 from app.services.sequence_confidence import max_conf_from_bboxes
-from app.services.slack import slack_client
 from app.services.storage import s3_service, upload_file
-from app.services.telegram import telegram_client
 from app.services.telemetry import telemetry_client
 
 logger = logging.getLogger("uvicorn.error")
@@ -155,6 +145,9 @@ def _build_overlap_records(
         cam = camera_by_id.get(seq.camera_id)
         if cam is None or seq.sequence_azimuth is None or seq.cone_angle is None:
             continue
+        # Only validated sequences are eligible for triangulation (as target or partner).
+        if not seq.is_validated:
+            continue
         records.append({
             "id": int(seq.id),
             "pose_id": seq.pose_id,
@@ -349,7 +342,6 @@ async def _attach_sequence_to_alert(
 
 @router.post("/", status_code=status.HTTP_201_CREATED, summary="Register a new wildfire detection")
 async def create_detection(
-    background_tasks: BackgroundTasks,
     bboxes: str = Form(
         ...,
         description="string representation of list of detection localizations, each represented as a tuple of relative coords (max 3 decimals) in order: xmin, ymin, xmax, ymax, conf",
@@ -361,10 +353,7 @@ async def create_detection(
     file: UploadFile = File(..., alias="file"),
     crop_file: Optional[UploadFile] = File(None, alias="crop"),
     detections: DetectionCRUD = Depends(get_detection_crud),
-    webhooks: WebhookCRUD = Depends(get_webhook_crud),
-    organizations: OrganizationCRUD = Depends(get_organization_crud),
     sequences: SequenceCRUD = Depends(get_sequence_crud),
-    alerts: AlertCRUD = Depends(get_alert_crud),
     cameras: CameraCRUD = Depends(get_camera_crud),
     poses: PoseCRUD = Depends(get_pose_crud),
     token_payload: TokenPayload = Security(get_jwt, scopes=[Role.CAMERA]),
@@ -399,6 +388,8 @@ async def create_detection(
 
     created: List[Detection] = []
     camera = cast(Camera, await cameras.get(token_payload.sub, strict=True))
+    # sequences touched by this request, to mark due for validation (DB-backed queue).
+    affected_sequences: Set[int] = set()
 
     for idx, bbox_str in enumerate(bbox_strings):
         single_bboxes = _bbox_list_to_str([bbox_str])
@@ -444,6 +435,7 @@ async def create_detection(
             det_max_conf = max_conf_from_bboxes(det.bbox)
             if det_max_conf is not None:
                 await sequences.bump_max_conf(matched_sequence.id, det_max_conf)
+            affected_sequences.add(matched_sequence.id)
         else:
             det_filters: List[tuple[str, Any]] = [
                 ("camera_id", token_payload.sub),
@@ -489,43 +481,17 @@ async def create_detection(
                     updated = await detections.update(det_.id, DetectionSequence(sequence_id=sequence_.id))
                     if det_.id == det.id:
                         det = updated
-
-                alert_id = await _attach_sequence_to_alert(sequence_, camera, cameras, sequences, alerts)
-
-                # Webhooks
-                whs = await webhooks.fetch_all()
-                if any(whs):
-                    for webhook in await webhooks.fetch_all():
-                        background_tasks.add_task(dispatch_webhook, webhook.url, det)
-
-                org = None
-                # Telegram notifications
-                if telegram_client.is_enabled:
-                    org = cast(Organization, await organizations.get(token_payload.organization_id, strict=True))
-                    if org.telegram_id:
-                        background_tasks.add_task(telegram_client.notify, org.telegram_id, det.model_dump_json())
-
-                if slack_client.is_enabled:
-                    if org is None:
-                        org = cast(Organization, await organizations.get(token_payload.organization_id, strict=True))
-                    if org.slack_hook:
-                        min_conf = risk_service.min_confidence(camera.id)
-                        if min_conf is None or sequence_.max_conf is None or sequence_.max_conf >= min_conf:
-                            slack_payload = jsonable_encoder(det)
-                            slack_payload["sequence_azimuth"] = sequence_.sequence_azimuth
-                            background_tasks.add_task(
-                                slack_client.notify, org.slack_hook, json.dumps(slack_payload), camera.name, alert_id
-                            )
-                        else:
-                            logger.info(
-                                "Skipping Slack notification for camera %s: max conf %.3f < threshold %.3f",
-                                camera.name,
-                                sequence_.max_conf,
-                                min_conf,
-                            )
+                affected_sequences.add(sequence_.id)
 
         created.append(det)
 
+    # Mark touched sequences due for validation (idempotent: one queue entry per sequence,
+    # whichever uvicorn worker received the detection). The per-process validation worker
+    # claims due sequences from the DB and runs the gated pipeline: triangulation and ALL
+    # notification channels (webhooks, Telegram, Slack) fire only once validated.
+    for seq_id in affected_sequences:
+        await sequences.enqueue_validation(seq_id)
+
     first_det = cast(Detection, await detections.get(created[0].id, strict=True))
     return DetectionRead(**first_det.model_dump())
 

src/app/core/config.py

@@ -77,6 +77,24 @@ def sqlachmey_uri(cls, v: str) -> str:
     TELEGRAM_TOKEN: Union[str, None] = os.environ.get("TELEGRAM_TOKEN")
     PLATFORM_URL: str = os.environ.get("PLATFORM_URL", "")
 
+    # Temporal model API (validates sequences from their frames)
+    TEMPORAL_API_URL: Union[str, None] = os.environ.get("TEMPORAL_API_URL")
+    # Shared bearer token for /predict; empty = server has auth disabled, send no header.
+    TEMPORAL_API_TOKEN: Union[str, None] = os.environ.get("TEMPORAL_API_TOKEN") or None
+    TEMPORAL_MODEL_THRESHOLD: float = float(os.environ.get("TEMPORAL_MODEL_THRESHOLD") or 0.45)
+    # Generous timeout: the temporal API serializes inference server-side, so with N uvicorn
+    # workers a call can wait behind N-1 others; keep N * model latency under this value.
+    TEMPORAL_API_TIMEOUT: float = float(os.environ.get("TEMPORAL_API_TIMEOUT") or 30.0)
+    # Validation worker (one loop per uvicorn process, coordinated through the DB):
+    # idle poll interval for due sequences,
+    TEMPORAL_VALIDATION_POLL_SECONDS: float = float(os.environ.get("TEMPORAL_VALIDATION_POLL_SECONDS") or 2.0)
+    # max time a sequence may wait in the queue before failing open on the risk gate alone
+    # (bounds validation latency under a backlog; traced as validation_status=fail_open_stale),
+    TEMPORAL_VALIDATION_MAX_AGE: float = float(os.environ.get("TEMPORAL_VALIDATION_MAX_AGE") or 300.0)
+    # and how long a claimed job is leased before a sibling worker may retry it (must exceed
+    # TEMPORAL_API_TIMEOUT plus the DB phases).
+    TEMPORAL_VALIDATION_LEASE_SECONDS: float = float(os.environ.get("TEMPORAL_VALIDATION_LEASE_SECONDS") or 120.0)
+
     # Risk API (daily fire-weather index per camera)
     RISK_API_URL: Union[str, None] = os.environ.get("RISK_API_URL")
     RISK_API_LOGIN: Union[str, None] = os.environ.get("RISK_API_LOGIN")

src/app/crud/crud_sequence.py

@@ -4,17 +4,23 @@
 # See LICENSE or go to <https://www.apache.org/licenses/LICENSE-2.0> for full license details.
 
 
+import logging
+from datetime import timedelta
 from typing import Any, Union, cast
 
-from sqlalchemy import case, or_, update
+from sqlalchemy import case, distinct, func, null, or_, select, update
+from sqlmodel import select as select_model
 from sqlmodel.ext.asyncio.session import AsyncSession
 
+from app.core.time import utcnow
 from app.crud.base import BaseCRUD
-from app.models import Sequence
+from app.models import TERMINAL_VALIDATION_STATUSES, VALIDATION_FAILED, Detection, Sequence
 from app.schemas.sequences import SequenceLabel, SequenceUpdate
 
 __all__ = ["SequenceCRUD"]
 
+logger = logging.getLogger("uvicorn.error")
+
 
 class SequenceCRUD(BaseCRUD[Sequence, Sequence, Union[SequenceUpdate, SequenceLabel]]):
     def __init__(self, session: AsyncSession) -> None:
@@ -33,3 +39,162 @@ async def bump_max_conf(self, sequence_id: int, candidate: float) -> None:
         stmt: Any = update(Sequence).where(cast(Any, Sequence.id) == sequence_id).values(max_conf=bumped)
         await self.session.exec(stmt)
         await self.session.commit()
+
+    async def set_temporal_score(
+        self,
+        sequence_id: int,
+        score: float,
+        model_version: Union[str, None] = None,
+        api_version: Union[str, None] = None,
+    ) -> None:
+        """Persist the latest temporal-model score with its provenance.
+
+        The versions are written unconditionally in the same UPDATE: they describe the
+        stored score, so the triple always moves together (a re-score by a newer release
+        overwrites all three).
+        """
+        stmt: Any = (
+            update(Sequence)
+            .where(cast(Any, Sequence.id) == sequence_id)
+            .values(
+                temporal_model_score=score,
+                temporal_model_version=model_version,
+                temporal_api_version=api_version,
+            )
+        )
+        await self.session.exec(stmt)
+        await self.session.commit()
+
+    async def claim_validation(self, sequence_id: int, validation_status: Union[str, None] = None) -> bool:
+        """Atomically flip ``is_validated`` from False to True, recording how it concluded.
+
+        Returns True only for the caller that won the flip, so concurrent workers for the
+        same sequence don't both triangulate and notify. ``validation_status`` is written in
+        the same UPDATE so the verdict and its label are durable together: post-claim work
+        (triangulation, notifications) that fails or dies is resumed without re-deciding.
+        """
+        id_col = cast(Any, Sequence.id)
+        validated_col = cast(Any, Sequence.is_validated)
+        values: dict = {"is_validated": True}
+        if validation_status is not None:
+            values["validation_status"] = validation_status
+        stmt: Any = update(Sequence).where(id_col == sequence_id).where(validated_col.is_(False)).values(**values)
+        result = await self.session.exec(stmt)
+        await self.session.commit()
+        return bool(getattr(result, "rowcount", 0))
+
+    async def enqueue_validation(self, sequence_id: int) -> None:
+        """Mark the sequence as due for temporal validation (the DB-backed queue).
+
+        Idempotent and FIFO-preserving: ``COALESCE`` keeps the oldest due timestamp, so a
+        sequence already queued is NOT re-queued (one entry per sequence, whichever worker
+        receives the detection). No-op for validated sequences and terminal states
+        (window-exhausted, failed).
+        """
+        status_col = cast(Any, Sequence.validation_status)
+        due_col = cast(Any, Sequence.validation_due_at)
+        stmt: Any = (
+            update(Sequence)
+            .where(cast(Any, Sequence.id) == sequence_id)
+            .where(cast(Any, Sequence.is_validated).is_(False))
+            .where(or_(status_col.is_(None), status_col.not_in(TERMINAL_VALIDATION_STATUSES)))
+            .values(validation_due_at=func.coalesce(due_col, utcnow()))
+        )
+        await self.session.exec(stmt)
+        await self.session.commit()
+
+    async def claim_due_validation(self, lease_seconds: float) -> Union[Sequence, None]:
+        """Claim the oldest due sequence for validation, or None when nothing is due.
+
+        ``FOR UPDATE SKIP LOCKED`` keeps concurrent workers (multi-worker uvicorn) off the
+        same row; the lease keeps them off for the duration of the model call, which runs
+        long after this transaction commits. ``validation_due_at`` is intentionally NOT
+        cleared here: a worker dying mid-job leaves a due row whose lease expires, so the
+        job is picked up again instead of being lost. Validated rows are NOT filtered out:
+        a still-due validated row means a worker died after winning the validation claim
+        but before triangulating/notifying, and the job must be resumed.
+        """
+        now = utcnow()
+        due_col = cast(Any, Sequence.validation_due_at)
+        lease_col = cast(Any, Sequence.validation_lease_until)
+        stmt: Any = (
+            select_model(Sequence)
+            .where(due_col.is_not(None))
+            .where(due_col <= now)
+            .where(or_(lease_col.is_(None), lease_col < now))
+            .order_by(due_col)
+            .limit(1)
+            .with_for_update(skip_locked=True)
+        )
+        res = await self.session.exec(stmt)
+        sequence_ = res.first()
+        if sequence_ is None:
+            await self.session.commit()
+            return None
+        sequence_.validation_lease_until = now + timedelta(seconds=lease_seconds)
+        self.session.add(sequence_)
+        await self.session.commit()
+        await self.session.refresh(sequence_)
+        return sequence_
+
+    async def finish_validation_job(
+        self,
+        sequence_id: int,
+        frame_count: Union[int, None] = None,
+        validation_status: Union[str, None] = None,
+    ) -> None:
+        """Release the lease and clear the due marker, completing the job.
+
+        With ``frame_count`` set, the due marker is only cleared if the sequence still has
+        exactly that many distinct frames — frames that arrived while the model was scoring
+        keep the job due, so the worker re-runs it with the fresh frame set instead of
+        waiting for (or losing, if the sequence just ended) the next detection. The
+        comparison runs inside the UPDATE so it can't race a concurrent enqueue.
+        ``validation_status`` records how validation concluded (observability, incl.
+        explicit fail-open reasons) in the same UPDATE.
+
+        Known limitation: the count is a frame-set *proxy*. A detection landing on an
+        already-seen bucket_key (changing the ROI but not the count) is not detected; the
+        next detection re-enqueues within the camera cadence, which is good enough at the
+        expected volume.
+        """
+        due_col = cast(Any, Sequence.validation_due_at)
+        if frame_count is None:
+            new_due: Any = null()
+        else:
+            count_select: Any = select(func.count(distinct(cast(Any, Detection.bucket_key)))).where(
+                cast(Any, Detection.sequence_id) == sequence_id
+            )
+            count_sq = count_select.scalar_subquery()
+            new_due = cast(Any, case)((count_sq == frame_count, null()), else_=due_col)
+        # Completing a job also resets the consecutive-error counter, so the dead-letter
+        # cap counts consecutive failures, not lifetime ones.
+        values: dict = {"validation_due_at": new_due, "validation_lease_until": None, "validation_attempts": 0}
+        if validation_status is not None:
+            values["validation_status"] = validation_status
+        stmt: Any = update(Sequence).where(cast(Any, Sequence.id) == sequence_id).values(**values)
+        await self.session.exec(stmt)
+        await self.session.commit()
+
+    async def fail_or_retry_validation(self, sequence_id: int, *, max_attempts: int, retry_in_seconds: float) -> None:
+        """Error path: release the lease and either back off the retry or dead-letter.
+
+        Increments the consecutive-error counter; below ``max_attempts`` the job stays due,
+        pushed ``retry_in_seconds`` into the future (no tight retry loop). At the cap the
+        job dead-letters: terminal ``validation_status='failed'``, due cleared, never
+        retried nor re-enqueued — a poison job must not starve the serial worker forever.
+        Note the staleness fail-open can't bound this (each retry refreshes the due time),
+        hence the explicit attempts cap.
+        """
+        sequence_ = cast(Sequence, await self.get(sequence_id, strict=True))
+        attempts = (sequence_.validation_attempts or 0) + 1
+        values: dict = {"validation_attempts": attempts, "validation_lease_until": None}
+        if attempts >= max_attempts:
+            values["validation_status"] = VALIDATION_FAILED
+            values["validation_due_at"] = None
+            logger.error("Sequence %s failed validation %d times; giving up", sequence_id, attempts)
+        else:
+            values["validation_due_at"] = utcnow() + timedelta(seconds=retry_in_seconds)
+        stmt: Any = update(Sequence).where(cast(Any, Sequence.id) == sequence_id).values(**values)
+        await self.session.exec(stmt)
+        await self.session.commit()