fix(awooop): make ansible cooldown query asyncpg safe

apps/api/src/services/awooop_ansible_check_mode_service.py

@@ -421,11 +421,11 @@ async def recent_ansible_transport_blockers(
                 FROM automation_operation_log
                 WHERE operation_type = 'ansible_check_mode_executed'
                   AND status = 'failed'
-                  AND created_at >= NOW() - CAST(:cooldown AS interval)
+                  AND created_at >= NOW() - (:cooldown_seconds * INTERVAL '1 second')
                 ORDER BY created_at DESC
                 LIMIT 20
             """),
-            {"cooldown": f"{max(60, cooldown)} seconds"},
+            {"cooldown_seconds": max(60, cooldown)},
         )
         blockers: set[str] = set()
         for row in result.mappings().all():

apps/api/tests/test_awooop_truth_chain_service.py

@@ -15,6 +15,7 @@ from src.services.awooop_ansible_check_mode_service import (
     build_ansible_check_mode_command,
     claim_pending_check_modes,
     detect_ansible_transport_blockers,
+    recent_ansible_transport_blockers,
 )
 from src.services.awooop_truth_chain_service import (
     _ansible_playbook_roots,
@@ -90,6 +91,13 @@ def test_ansible_audit_writes_incident_id_column_for_truth_chain_join() -> None:
     assert "NULLIF(:incident_id, '')" in claim_source
 
 
+def test_ansible_transport_cooldown_uses_asyncpg_safe_interval_parameter() -> None:
+    source = inspect.getsource(recent_ansible_transport_blockers)
+
+    assert ":cooldown_seconds * INTERVAL '1 second'" in source
+    assert "CAST(:cooldown AS interval)" not in source
+
+
 def test_fetch_truth_chain_returns_inbound_redacted_envelope_fields() -> None:
     source = inspect.getsource(fetch_truth_chain)