perf(tag inheritance): batch_mode + per-batch bulk during import + reorganize (#14877)

* perf(tags): batch_mode + per-batch bulk inheritance during import (Phase B Stage 2)

Wraps the import / reimport hot loop in `tag_inheritance.batch_mode()` and
bulk-applies inherited Product tags per batch *before* `post_process_findings_batch`
dispatches, so rules / deduplication see inherited tags on `finding.tags`.

Changes:

- `process_findings` (DefaultImporter + DefaultReImporter) now runs its
  finding-creation loop inside `batch_mode()`. Per batch, right after
  `apply_import_tags_for_batch`, calls a new helper
  `apply_inherited_tags_for_findings(batch_findings)` that bulk-syncs
  inherited tags on the batch's Findings plus the Endpoints (V2) / Locations
  (V3) reachable from them via FK chain. Inheritance is therefore applied to
  the persisted children before the post-process task dispatches.
- `inherit_instance_tags` in `dojo/tags_signals.py` now early-returns when
  `tag_inheritance.is_in_batch_mode()`, so the batch wrap transparently
  suppresses per-row inheritance work for any caller — including
  `bulk_create` cleanup paths that invoke it manually. `inherit_tags_on_instance`
  post_save delegates to that helper, so the gate also covers signal-driven
  fires.
- `EndpointManager.get_or_create_endpoints` replaces its per-row
  `inherit_instance_tags(ep)` cleanup loop with a single
  `apply_inherited_tags_for_endpoints(created)` bulk call. Inside the importer
  the per-batch helper already covers these endpoints via
  `Endpoint.status_endpoint.finding`; the bulk call is kept as a defensive
  hook for any non-importer caller.
- `propagate_tags_on_product_sync` (used by the product-tag-toggle Celery
  task) gains an early-exit when neither system-wide nor per-product
  inheritance is enabled, eliminating ~9 wasted reads per call on
  inheritance-off products. State transitions (toggling either flag) still
  trigger a full sweep through their existing signal handlers.
- `Location` gains `iter_related_products()`: a related-manager
  (`self.products` + `self.findings`) implementation of `all_related_products()`
  that returns `list[Product]`. Callers that pre-issue
  `prefetch_related("products__product__tags",
  "findings__finding__test__engagement__product__tags")` get zero extra
  queries per Location. The existing JOIN'd `all_related_products()` is kept
  for the per-instance signal path where prefetching is not possible.
- `_inherited_tag_names_for_location` (the per-Location callback used to
  compute the inherited target set) switches to `iter_related_products()`;
  both call sites (`propagate_tags_on_product_sync` V3 branch and
  `apply_inherited_tags_for_findings` V3 branch) now prefetch the chain.

Query-count impact on `unittests/test_tag_inheritance_perf.py` (pins updated
in this commit):

| Hot path                                | Before  | After  | Δ     |
|-----------------------------------------|--------:|-------:|------:|
| ZAP scan import V2 (19 findings)        |    1385 |    477 |  -908 |
| ZAP scan import V3                      |    1263 |    945 |  -318 |
| ZAP reimport no-change V2               |      69 |     75 |    +6 |
| ZAP reimport no-change V3               |      87 |    102 |   +15 |
| Product tag add → 100 locations (V3)    |     316 |    125 |  -191 |
| Product tag remove → 100 locations (V3) |     266 |     75 |  -191 |

Small reimport-no-change regressions are the unavoidable per-batch helper
read cost (2 reads × Finding + 2 reads × Endpoint/Location + 1 product tags
read). Real-work imports drop significantly because per-row
`_manage_inherited_tags` work no longer fires inside the loop.

* refactor(tags): centralize inheritance helpers in dojo/tag_inheritance

Move scattered tag-inheritance logic into dojo/tag_inheritance.py without
changing runtime behavior:

- _manage_inherited_tags relocated from dojo/models.py (replaced by a
  lazy-import shim to avoid an import cycle through dojo.utils).
- get_products, inherit_product_tags, get_products_to_inherit_tags_from,
  propagate_inheritance, inherit_instance_tags, inherit_linked_instance_tags
  relocated from dojo/tags_signals.py; receivers there now delegate.
- propagate_tags_on_product_sync, apply_inherited_tags_for_endpoints,
  apply_inherited_tags_for_findings, _sync_inheritance_for_qs and
  _inherited_tag_names_for_location relocated from dojo/product/helpers.py;
  the Celery wrapper propagate_tags_on_product stays in product/helpers.py.

Backward-compat re-exports preserved at every original import site so
external callers (dojo/location, dojo/importers, unittests, pro/) keep
working unchanged.

Adjusts unittests.test_tag_inheritance mock targets to the new module
path. Bumps EXPECTED_ZAP_IMPORT_V2/V3 baselines (477->470, 945->938) to
the actual query counts; the prior pin was already drifting on this
branch before the move.

* refactor(tags): group tag modules under dojo/tags/

Move the three tag-related top-level modules into a dedicated package:

  dojo/tag_inheritance.py -> dojo/tags/inheritance.py
  dojo/tag_utils.py       -> dojo/tags/utils.py
  dojo/tags_signals.py    -> dojo/tags/signals.py

Update all internal call sites to the new canonical paths (apps,
models, importers, finding, product/helpers, utils_cascade_delete,
settings, unittests). No backward-compat shims left at the old paths.

Also drops the unused dojo/tag/ stub directory that only contained
stale .pyc files.

No logic change. All tag inheritance and tag bulk unit tests pass.

* rename batch_mode to suppressed

* perf(tags): check cached system_setting before per-product flag

Tag inheritance is usually enabled system-wide first, then optionally
overridden per product. The system setting is cached, so check it first
and short-circuit the related-product walk / per-product attribute read
when it's already True.

Sites updated:
- dojo/tags/inheritance.py: inherit_product_tags,
  get_products_to_inherit_tags_from, and the three early-return guards
  inside propagate_tags_on_product_sync / apply_inherited_tags_for_*.
- dojo/location/models.py: Location.products_to_inherit_tags_from.
- dojo/importers/location_manager.py: bulk-inherit early-return.

Also picks up the in-flight rename of batch_mode() -> suppress() /
is_in_batch_mode() -> is_suppressed() in the two importers.

Behavior unchanged. All tag inheritance / perf / bulk unit tests pass
(36 + 20 + 29).

* refactor(tags): simplify is_tag_inheritance_enabled, drop linked-instance wrapper

- is_tag_inheritance_enabled now delegates to get_products_to_inherit_tags_from
  (no products eligible -> not enabled). Centralizes the "which products
  contribute inherited tags" decision in one place; the None-product filter
  moves into get_products_to_inherit_tags_from so both call sites get it.
- Drop the inherit_linked_instance_tags wrapper: single signal caller now
  inlines tag_inheritance.inherit_instance_tags(instance.location).
- Trim dead backward-compat re-exports from dojo/tags/signals.py; reroute
  the test imports to dojo.tags.inheritance directly.

Behavior unchanged. test_tag_inheritance (36) and test_tag_inheritance_perf
(20) pass.

* refactor(tags): merge propagate_inheritance into inherit_instance_tags

Combine the two-step gate (propagate_inheritance returning bool, then
caller writing) into a single inherit_instance_tags() with an optional
force=False kwarg that bypasses the suppress() check. The m2m
make_inherited_tags_sticky receiver now also routes through this single
entry point.

Wrap the inner instance.inherit_tags(tag_list) call in
suppress_tag_inheritance() to short-circuit m2m_changed re-entry. The
re-entrant signal previously did a redundant in-sync check using a
stale get_tag_list() cached value; suppressing it both eliminates the
recursion risk and removes per-row redundant queries:

  - test_baseline_zap_scan_import_v2: 470 -> 463
  - test_baseline_zap_scan_import_v3: 938 -> 931
  - test_create_one_finding_v2/v3: 64 -> 61
  - test_create_100_findings_v2/v3: 4024 -> 3724
  - test_finding_add_user_tag_v2/v3: 17 -> 16
  - test_finding_remove_inherited_v2/v3: 44 -> 40

Also picks up the rename of the context manager
suppress() -> suppress_tag_inheritance(). Unit tests for the early-exit
optimization rewritten against the merged function (still 4 cases).

* refactor(tags): diff-based _sync_inherited_tags, drop per-model wrappers

Rewrite the per-row inheritance primitive as a pure diff:

  current_inherited = obj.inherited_tags.all()
  target            = incoming_inherited_tags
  remove (current - target), add (target - current)
  + sticky re-add any target name missing from obj.tags

Drops the "rebuild full tag_list, set() everything" approach and removes
the `existing_tags_hint` parameter entirely. Writes are wrapped in
`suppress_tag_inheritance()` so the m2m_changed signal can't dispatch
make_inherited_tags_sticky back into this function.

Other cleanup:

- Rename `_manage_inherited_tags` -> `_sync_inherited_tags`.
- Drop per-model `inherit_tags(self, existing_tags_hint)` methods on
  Endpoint / Engagement / Test / Finding / Location. The signal path
  (`inherit_instance_tags`) and `LocationManager._bulk_inherit_tags` now
  call `_sync_inherited_tags(instance, incoming)` directly.
- Drop the unused `existing_tags_by_location` dict in
  `LocationManager._bulk_inherit_tags` (one fewer through-table read).
- Unit tests rewritten against the diff primitive (4 cases) plus a
  no-products early-exit test for `inherit_instance_tags`.

Perf baselines (test_tag_inheritance_perf):

  EXPECTED_ZAP_IMPORT_V2:            463 -> 422
  EXPECTED_ZAP_IMPORT_V3:            931 -> 809
  EXPECTED_ZAP_REIMPORT_NO_CHANGE_V3:102 -> 101
  EXPECTED_CREATE_ONE_FINDING_V2/V3:  61 -> 55
  EXPECTED_CREATE_100_FINDINGS_V2/V3: 3724 -> 3124  (-600)
  EXPECTED_FINDING_REMOVE_INHERITED_V2/V3: 40 -> 18
  EXPECTED_FINDING_ADD_USER_TAG_V2/V3:     16 -> 17  (+1)

* add comments

* refactor(tags): consolidate location inheritance, drop dojo/product/helpers.py

- New `apply_inherited_tags_for_locations(locations, *, product)` mirrors the
  endpoint/finding helpers. Replaces `LocationManager._bulk_inherit_tags`;
  callsite delegates. Drops the redundant outer `suppress_tag_inheritance()`
  (writes inside `_sync_inherited_tags` are already wrapped) and the bulk
  pre-fetch of existing inherited tags (the through-table primitive does
  this read once already).
- `_inherited_tag_names_for_location` now filters contributing products by
  their own `enable_product_tag_inheritance` flag. Previously tags from
  flag-off products linked to the same Location could leak in via
  `propagate_tags_on_product_sync` / `apply_inherited_tags_for_findings`.
- Move `propagate_tags_on_product` Celery task into `dojo.tags.inheritance`
  alongside its `_sync` counterpart; delete `dojo/product/helpers.py`. Keep
  a `propagate_tags_on_product_deprecated` alias under the old task name so
  in-flight tasks complete after upgrade.
- Rename `_sync_inheritance_for_qs` kwarg `target_names_per_child` ->
  `target_tag_names_per_child` for clarity.
- Update import sites + perf baseline V3 import: 809 -> 445 queries.

* comments

* comments

* refactor(tags): rename inherit_instance_tags -> auto_inherit_product_tags, move to signals

Renames `inherit_instance_tags` to `auto_inherit_product_tags` and relocates
it from `dojo.tags.inheritance` to `dojo.tags.signals`. The function is the
signal-driven entrypoint that applies a Product's tags to a child instance;
moving it next to the signal receivers (and renaming for clarity) makes the
auto-inheritance flow self-contained.

Of all the inheritance helpers it is the only one that early-returns when
`suppress_tag_inheritance()` is active — the other helpers use the context
manager around their writes for reentrancy. That gate semantic is exclusive
to the signal path, so colocation fits.

Also combines `inherit_tags_on_linked_instance` into `inherit_tags_on_instance`
with sender-based target dispatch and a `created=True` gate. Previously the
ref handler fired on every save, including `set_status` updates that don't
change the Location's related-product set; those now correctly no-op.

Drops the unused `force=` parameter on the function while renaming.

* make tag accumulator mandatory param

* resolve duplicate task name

* perf(tags): pk-based _sync_inheritance_for_ids; skip full-row fetch

Replaces `_sync_inheritance_for_qs(queryset, target_tag_names_per_child=callable)`
with `_sync_inheritance_for_ids(model_class, child_ids, target_tag_names)`.

The previous implementation called `list(queryset)` to materialize every child
as a full model instance just so the bulk helpers (`bulk_add_tag_mapping`,
`bulk_remove_tags_from_instances`) had an `instance.pk` and `instance.__class__`
to work with. For Finding (70+ columns) this dominated wall-clock time on big
products — a real-world product with ~14000 findings took ~22s for a single
`propagate_tags_on_product_sync`.

The new path:
- Accepts an iterable of pks; constant-target callers pass
  `values_list("pk", flat=True)` directly, skipping all ORM hydration.
- Builds bare `model_class(pk=pid)` stubs (cached per pk) only for the rows
  whose inherited set actually needs to change, not for every row scanned.
- Accepts `target_tag_names` as either a `set[str]` (constant target, hoisted
  out of the loop — no per-row function call for the
  product → engagement/test/finding/endpoint propagation paths) or a
  `Callable[[int], set[str]]` for the Location case, where each row's target
  is the per-row union of its linked Products' tags.
- For Locations, callers materialize the prefetched instances into a
  `{pk: location}` dict and close over it in the callback — the prefetch
  chain still runs once upfront, but the primitive itself only sees pks.
- Adds an `add_map`/`remove_map` skip when `target == old` so rows already
  in sync don't even allocate a stub.

Also adds direct query-count baselines for `propagate_tags_on_product_sync`
in `test_tag_inheritance_perf.py` so future regressions on the sweep path
fail loudly (V2 = 9 queries, V3 = 18 queries on a product with 100 findings
plus 100 endpoints or locations).

ZAP baselines drop slightly as a side effect of the early `target == old`
skip (V2 import 422 → 420, V3 import 445 → 444, V2 reimport-no-change 75 →
74, V3 reimport-no-change 101 → 100). The major wall-clock win is invisible
to query counters — it's the avoided Finding ORM hydration on large
products.

* rename

* perf(tags): skip redundant inheritance on no-change reimport

Two gates eliminate ~14 wasted queries on a reimport that creates no new
findings or location refs (the common "scheduled rescan, nothing changed"
path):

1. `DefaultReImporter.process_findings` now tracks newly-created findings
   in `new_findings_in_batch` (populated in the else branch of the
   matched/unmatched dispatch) and passes ONLY those to
   `apply_inherited_tags_for_findings`. Matched/existing findings already
   had inheritance applied at their original creation, so re-running the
   through-table read + Location prefetch chain on them is pure overhead.

2. `LocationManager._persist_locations` now skips
   `apply_inherited_tags_for_locations` when no new `LocationProductReference`
   rows were created. New `LocationFindingReference`s only add findings
   within `self._product`, so they can't change a Location's Product
   membership; only a new product ref can. When `all_product_refs` is empty,
   the Location's inherited target set is unchanged and the helper would do
   a costly no-op read for nothing.

Net effect on the pinned ZAP reimport-no-change baselines:
- V2: 75 → 69 (matches the pre-Phase-A baseline of 69)
- V3: 101 → 81 (beats the pre-Phase-A baseline of 87)

* test(tags): add reimport-with-new-findings perf baseline

Imports the 10-finding ZAP subset first, then reimports the 19-finding full
report so 9 findings are created during reimport while 10 are matched.
Pins V2 = 169 queries, V3 = 198 queries. Captures the realistic "scheduled
rescan with drift" path that the no-change baseline doesn't exercise.

Author: valentijnscholten

dojo/apps.py

@@ -94,7 +94,7 @@ def ready(self):
         import dojo.product_type.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady
         import dojo.risk_acceptance.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady
         import dojo.sla_config.helpers  # noqa: PLC0415, F401 raised: AppRegistryNotReady
-        import dojo.tags_signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady
+        import dojo.tags.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady
         import dojo.test.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady
         import dojo.tool_product.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady
         import dojo.url.signals  # noqa: PLC0415, F401 raised: AppRegistryNotReady

dojo/finding/helper.py

@@ -742,7 +742,7 @@ def bulk_clear_finding_m2m(finding_qs):
     FileUpload.delete() fires and removes files from disk storage.
     Tags are handled via bulk_remove_all_tags to maintain tag counts.
     """
-    from dojo.tag_utils import bulk_remove_all_tags  # noqa: PLC0415 circular import
+    from dojo.tags.utils import bulk_remove_all_tags  # noqa: PLC0415 circular import
 
     finding_ids = finding_qs.values_list("id", flat=True)
 

dojo/finding/views.py

@@ -94,7 +94,7 @@
     User,
 )
 from dojo.notifications.helper import create_notification
-from dojo.tag_utils import bulk_add_tags_to_instances
+from dojo.tags.utils import bulk_add_tags_to_instances
 from dojo.test.queries import get_authorized_tests
 from dojo.tools import tool_issue_updater
 from dojo.utils import (

dojo/importers/base_importer.py

@@ -33,7 +33,7 @@
     Test_Type,
 )
 from dojo.notifications.helper import create_notification
-from dojo.tag_utils import bulk_add_tags_to_instances
+from dojo.tags.utils import bulk_add_tags_to_instances
 from dojo.tools.factory import get_parser
 from dojo.tools.parser_test import ParserTest
 from dojo.utils import max_safe

dojo/importers/default_importer.py

@@ -18,7 +18,9 @@
     Test_Import,
 )
 from dojo.notifications.helper import async_create_notification
-from dojo.tag_utils import bulk_apply_parser_tags
+from dojo.tags import inheritance as tag_inheritance
+from dojo.tags.inheritance import apply_inherited_tags_for_findings
+from dojo.tags.utils import bulk_apply_parser_tags
 from dojo.utils import get_full_url, perform_product_grading
 from dojo.validators import clean_tags
 
@@ -161,6 +163,19 @@ def process_findings(
         self,
         parsed_findings: list[Finding],
         **kwargs: dict,
+    ) -> list[Finding]:
+        # Whole hot loop runs under `batch_mode()`: per-row inheritance signals
+        # for the findings/endpoints/locations created below are suppressed.
+        # Inheritance is then applied in bulk per-batch (right before
+        # `post_process_findings_batch` dispatch) so rules/dedup see inherited
+        # tags on `finding.tags`.
+        with tag_inheritance.suppress_tag_inheritance():
+            return self._process_findings_internal(parsed_findings, **kwargs)
+
+    def _process_findings_internal(
+        self,
+        parsed_findings: list[Finding],
+        **kwargs: dict,
     ) -> list[Finding]:
         # Batched post-processing (no chord): dispatch a task per 1000 findings or on final finding
         batch_finding_ids: list[int] = []
@@ -266,6 +281,10 @@ def process_findings(
                 findings_with_parser_tags.clear()
                 # Apply import-time tags before post-processing so rules/deduplication see them.
                 self.apply_import_tags_for_batch(batch_findings)
+                # Apply inherited Product tags to this batch's findings (and
+                # their endpoints/locations) BEFORE post_process_findings_batch
+                # dispatches, so rules/dedup see inherited tags on .tags.
+                apply_inherited_tags_for_findings(batch_findings)
                 batch_findings.clear()
                 finding_ids_batch = list(batch_finding_ids)
                 batch_finding_ids.clear()

dojo/importers/default_reimporter.py

@@ -24,7 +24,9 @@
     Test,
     Test_Import,
 )
-from dojo.tag_utils import bulk_apply_parser_tags
+from dojo.tags import inheritance as tag_inheritance
+from dojo.tags.inheritance import apply_inherited_tags_for_findings
+from dojo.tags.utils import bulk_apply_parser_tags
 from dojo.utils import perform_product_grading
 from dojo.validators import clean_tags
 
@@ -263,6 +265,19 @@ def process_findings(
         the finding may be appended to a new or existing group based upon user selection
         at import time
         """
+        # Whole hot loop runs under `batch_mode()`: per-row inheritance signals
+        # for the findings/endpoints/locations created below are suppressed.
+        # Inheritance is then applied in bulk per-batch (right before
+        # `post_process_findings_batch` dispatch) so rules/dedup see inherited
+        # tags on `finding.tags`.
+        with tag_inheritance.suppress_tag_inheritance():
+            return self._process_findings_internal(parsed_findings, **kwargs)
+
+    def _process_findings_internal(
+        self,
+        parsed_findings: list[Finding],
+        **kwargs: dict,
+    ) -> tuple[list[Finding], list[Finding], list[Finding], list[Finding]]:
         self.deduplication_algorithm = self.determine_deduplication_algorithm()
         # Only process findings with the same service value (or None)
         # Even though the service values is used in the hash_code calculation,
@@ -302,6 +317,11 @@ def process_findings(
 
         batch_finding_ids: list[int] = []
         batch_findings: list[Finding] = []
+        # Findings that were newly created (else branch below) — pass these to
+        # `apply_inherited_tags_for_findings` instead of `batch_findings` so
+        # matched/existing findings (which already have correct inherited tags)
+        # don't trigger a redundant through-table read on no-change reimports.
+        new_findings_in_batch: list[Finding] = []
         findings_with_parser_tags: list[tuple] = []
         # Batch size for deduplication/post-processing (only new findings)
         dedupe_batch_max_size = getattr(settings, "IMPORT_REIMPORT_DEDUPE_BATCH_SIZE", 1000)
@@ -384,6 +404,8 @@ def process_findings(
                         candidates_by_uid,
                         candidates_by_key,
                     )
+                    if finding:
+                        new_findings_in_batch.append(finding)
 
                 # This condition __appears__ to always be true, but am afraid to remove it
                 if finding:
@@ -422,6 +444,14 @@ def process_findings(
                         findings_with_parser_tags.clear()
                         # Apply import-time tags before post-processing so rules/deduplication see them.
                         self.apply_import_tags_for_batch(batch_findings)
+                        # Apply inherited Product tags to NEWLY CREATED findings only
+                        # (and their endpoints/locations) BEFORE post_process_findings_batch
+                        # dispatches, so rules/dedup see inherited tags on .tags.
+                        # Matched/existing findings already have inheritance applied from
+                        # their original creation; re-running it on no-change reimports
+                        # would be ~8 wasted queries per batch.
+                        apply_inherited_tags_for_findings(new_findings_in_batch)
+                        new_findings_in_batch.clear()
                         batch_findings.clear()
                         finding_ids_batch = list(batch_finding_ids)
                         batch_finding_ids.clear()
@@ -949,7 +979,7 @@ def finding_post_processing(
         finding_from_report: Finding,
         *,
         is_matched_finding: bool = False,
-        tag_accumulator: list | None = None,
+        tag_accumulator: list,
     ) -> Finding:
         """
         Save all associated objects to the finding after it has been saved
@@ -971,15 +1001,10 @@ def finding_post_processing(
                 finding_from_report.unsaved_tags = merged_tags
             if finding_from_report.unsaved_tags:
                 cleaned_tags = clean_tags(finding_from_report.unsaved_tags)
-                if tag_accumulator is not None:
-                    if isinstance(cleaned_tags, list):
-                        tag_accumulator.append((finding, cleaned_tags))
-                    elif isinstance(cleaned_tags, str):
-                        tag_accumulator.append((finding, [cleaned_tags]))
-                elif isinstance(cleaned_tags, list):
-                    finding.tags.add(*cleaned_tags)
+                if isinstance(cleaned_tags, list):
+                    tag_accumulator.append((finding, cleaned_tags))
                 elif isinstance(cleaned_tags, str):
-                    finding.tags.add(cleaned_tags)
+                    tag_accumulator.append((finding, [cleaned_tags]))
         # Process any files
         if finding_from_report.unsaved_files:
             finding.unsaved_files = finding_from_report.unsaved_files

dojo/importers/endpoint_manager.py

@@ -14,7 +14,7 @@
     Finding,
     Product,
 )
-from dojo.tags_signals import inherit_instance_tags
+from dojo.tags.inheritance import apply_inherited_tags_for_endpoints
 
 logger = logging.getLogger(__name__)
 
@@ -231,10 +231,16 @@ def get_or_create_endpoints(self) -> tuple[dict[EndpointUniqueKey, Endpoint], li
             if to_create:
                 created = Endpoint.objects.bulk_create(to_create, batch_size=1000)
                 endpoints_by_key.update(zip(to_create_keys, created, strict=True))
-                # bulk_create bypasses post_save signals, so manually trigger tag inheritance
-                # this is not ideal, but we need to take a separate look at the tag inheritance feature itself later
-                for ep in created:
-                    inherit_instance_tags(ep)
+                # bulk_create bypasses post_save so per-row inheritance signals never
+                # fire here. The importer hot path already covers these endpoints via
+                # the per-batch `apply_inherited_tags_for_findings` sweep (it picks
+                # them up through `Endpoint.status_finding.finding`), so this call is
+                # redundant for the importer. We keep a bulk call anyway as a defensive
+                # measure: if anything outside the importer ever bulk-creates endpoints
+                # through this manager, they still receive their inherited Product tags
+                # instead of silently missing them. The bulk helper costs ~2 queries
+                # when there's nothing to apply, vs N per-row signal fires.
+                apply_inherited_tags_for_endpoints(created)
 
         self._endpoints_to_create.clear()
         return endpoints_by_key, created

dojo/importers/location_manager.py

@@ -9,19 +9,15 @@
 from django.db import transaction
 from django.utils import timezone
 
-from dojo import tag_inheritance
 from dojo.importers.base_location_manager import BaseLocationManager
 from dojo.location.models import AbstractLocation, Location, LocationFindingReference, LocationProductReference
 from dojo.location.status import FindingLocationStatus, ProductLocationStatus
-from dojo.models import Product, _manage_inherited_tags
+from dojo.tags import inheritance as tag_inheritance
 from dojo.tools.locations import LocationData
 from dojo.url.models import URL
-from dojo.utils import get_system_setting
 
 if TYPE_CHECKING:
-    from tagulous.models import TagField
-
-    from dojo.models import Dojo_User, Finding
+    from dojo.models import Dojo_User, Finding, Product
 
 logger = logging.getLogger(__name__)
 
@@ -214,8 +210,18 @@ def _persist_locations(self) -> None:
                 all_product_refs, batch_size=1000, ignore_conflicts=True,
             )
 
-        # Trigger bulk tag inheritance
-        self._bulk_inherit_tags(loc.location for loc in saved)
+        # Trigger bulk tag inheritance only when the Location's product
+        # membership actually changed. New product refs are the only thing
+        # that can add a Product to a Location's inherited-tags target set
+        # (new finding refs are always to findings in `self._product`, so
+        # they don't introduce a new Product); skipping when `all_product_refs`
+        # is empty avoids the through-table read on no-change reimports.
+        if all_product_refs:
+            new_ref_location_ids = {ref.location_id for ref in all_product_refs}
+            tag_inheritance.apply_inherited_tags_for_locations(
+                [loc.location for loc in saved if loc.location_id in new_ref_location_ids],
+                product=self._product,
+            )
 
         # Clear accumulators
         self._locations_by_finding.clear()
@@ -477,105 +483,3 @@ def type_id(x: tuple[int, AbstractLocation]) -> int:
         # Restore the original input ordering
         saved.sort(key=itemgetter(0))
         return [loc for _, loc in saved]
-
-    # ------------------------------------------------------------------
-    # Tag inheritance
-    # ------------------------------------------------------------------
-
-    def _bulk_inherit_tags(self, locations):
-        """
-        Bulk equivalent of calling inherit_instance_tags(loc) for many Locations. Actually persisting updates is handled
-        by a per-location call to _manage_inherited_tags(), but at least determining what the tags are is more efficient
-        (plus we can skip locations that don't need an update at all).
-
-        When tag inheritance is enabled, computes the target inherited tags for each location from all related products
-        and updates only locations that are out of sync.
-        """
-        locations = list(locations)
-        if not locations:
-            return
-
-        # Check whether tag inheritance is enabled at either the product level or system-wide; quit early if neither
-        product_inherit = getattr(self._product, "enable_product_tag_inheritance", False)
-        system_wide_inherit = bool(get_system_setting("enable_product_tag_inheritance"))
-        if not system_wide_inherit and not product_inherit:
-            return
-
-        # A location can be shared across multiple products. Its inherited tags should be the union of
-        # tags from ALL contributing products, not just the one running this import.
-        location_ids = [loc.id for loc in locations]
-        product_ids_by_location: dict[int, set[int]] = {loc.id: set() for loc in locations}
-
-        # Find associations through LocationProductReference entries
-        for loc_id, prod_id in LocationProductReference.objects.filter(
-            location_id__in=location_ids,
-        ).values_list("location_id", "product_id"):
-            product_ids_by_location[loc_id].add(prod_id)
-
-        # Find associations through LocationFindingReference entries and the finding.test.engagement.product chain.
-        # This shouldn't add anything new, but just in case.
-        for loc_id, prod_id in (
-            LocationFindingReference.objects
-            .filter(location_id__in=location_ids)
-            .values_list("location_id", "finding__test__engagement__product_id")
-        ):
-            product_ids_by_location[loc_id].add(prod_id)
-
-        # Fetch all products that will contribute to tag inheritance, and their tags
-        all_product_ids = {pid for pids in product_ids_by_location.values() for pid in pids}
-        product_qs = Product.objects.filter(id__in=all_product_ids).prefetch_related("tags")
-        if not system_wide_inherit:
-            # Product-level inheritance only
-            product_qs = product_qs.filter(enable_product_tag_inheritance=True)
-        # Materialize into a dict for ease of use
-        products: dict[int, Product] = {p.id: p for p in product_qs}
-        # Get distinct tags, per-product
-        tags_by_product: dict[int, set[str]] = {
-            pid: {t.name for t in p.tags.all()}
-            for pid, p in products.items()
-        }
-
-        # Helper method for getting all tags from the given TagField
-        def _get_tags(tags_field: TagField) -> dict[int, set[str]]:
-            through_model = tags_field.through
-            fk_name = tags_field.field.m2m_reverse_field_name()
-            tags_by_location: dict[int, set[str]] = {loc.id: set() for loc in locations}
-            for l_id, t_name in through_model.objects.filter(
-                location_id__in=location_ids,
-            ).values_list("location_id", f"{fk_name}__name"):
-                tags_by_location[l_id].add(t_name)
-            return tags_by_location
-
-        # Gather inherited and 'regular' tags per location
-        existing_inherited_by_location: dict[int, set[str]] = _get_tags(Location.inherited_tags)
-        existing_tags_by_location: dict[int, set[str]] = _get_tags(Location.tags)
-
-        # Perform the bulk updates inside a `tag_inheritance.batch()` context.
-        # While the batch is active, signal handlers in `dojo/tags_signals.py`
-        # short-circuit per-row inheritance work that would otherwise fire on
-        # every `(inherited_)tags.set()` and defeat the bulk update.
-        #
-        # This replaces a previous `signals.m2m_changed.disconnect(...)` /
-        # `connect(...)` dance which was process-global and therefore unsafe
-        # under threaded gunicorn / Celery thread pools / ASGI threadpools:
-        # while disconnected, every thread in the process lost sticky
-        # enforcement. Thread-local batch state avoids that hazard.
-        with tag_inheritance.batch_mode():
-            for location in locations:
-                target_tag_names: set[str] = set()
-                for pid in product_ids_by_location[location.id]:
-                    # product_ids_by_location may contain products that shouldn't to contribute to tag inheritance (we
-                    # didn't filter either location ref lookups to check), so do a last-minute check here
-                    if pid in products:
-                        target_tag_names |= tags_by_product[pid]
-
-                if target_tag_names == existing_inherited_by_location[location.id]:
-                    # The existing set matches the expected set, so nothing more to do for this location
-                    continue
-
-                # Update tags for this location
-                _manage_inherited_tags(
-                    location,
-                    list(target_tag_names),
-                    potentially_existing_tags=existing_tags_by_location[location.id],
-                )