fix: move lock release inside critical section to close TOCTOU window

At two call sites, _release_message_lock was called outside the
async with block, followed by an await (save_query_log). Moving the
pop inside the lock prevents a concurrent coroutine from creating a
new lock for the same msg_id during the yield.

Co-authored-by: Isaac

Author: Rampim

backend/app/api/genie_clone_routes.py

@@ -292,7 +292,7 @@ async def _process_genie_background(
                         "sql_query": sql_query,
                         "result": actual_result,
                     }
-                _release_message_lock(msg_id)
+                    _release_message_lock(msg_id)
 
                 # Save query log
                 try:
@@ -465,7 +465,7 @@ async def _handle_query(
         async with _get_message_lock(msg_id):
             _synthetic_messages[msg_id] = response
             _synthetic_messages[att_id] = {"sql_query": sql_query, "token": token, "space_id": space_id}
-        _release_message_lock(msg_id)
+            _release_message_lock(msg_id)
 
         # Save query log
         try: