Segment update race condition causes unexpected evaluations #6946
Description
When a segment is updated, there is a brief window during which the /api/v1/identities endpoint returns true for flags that should be disabled — regardless of the flag's default value. This affects both the Core API and the Edge API, and is triggered by both PATCH and PUT operations on segments.
Root cause
The segment update endpoint in segments/serializers.py deletes and recreates nested rules and conditions one-by-one rather than atomically. During this window, the database contains a top-level rule with no conditions and no child rules. In context_matches_rule (flag_engine/segments/evaluator.py), a rule with an empty conditions list defaults matches_conditions = True (since all([]) evaluates to True in Python). As a result, every identity briefly matches the segment unconditionally, and any associated flag override is applied — even for identities whose traits don't satisfy the segment rules.
Observed behaviour
/api/v1/identities intermittently returns true for a flag during or shortly after a segment update, for identities that should not match the segment.
Expected behaviour
Segment rule updates should be atomic; partial/intermediate rule states should never be visible to flag evaluation.