fix: DB readonly-rollback recovery + cooperative import cancellation (#255)

* fix(db): recover readonly-rollback databases on startup

A user who cancelled a large dive-computer import could no longer
launch the app: every startup failed with `SqliteException(776):
attempt to write a readonly database` on `PRAGMA user_version`.

Root cause: `getStoredSchemaVersion` opened the db with
`OpenMode.readOnly`. When a crashed/cancelled transaction had left a
hot journal behind, SQLite's automatic rollback needs write access;
a read-only open throws SQLITE_READONLY_ROLLBACK (extended code 776)
before the first PRAGMA can run.

Fix:
- Open RW in `getStoredSchemaVersion` so SQLite can auto-recover the
  journal during the existence probe.
- Add `recoverHotJournal` + `isRecoverableReadonlyError` helpers as
  defense-in-depth, and an explicit recovery screen on the startup
  page ("Database needs recovery" → "Recover database" button) so
  users who still hit a readonly-family exception get a one-tap path
  instead of the actively-harmful "reinstall or contact support"
  copy.
- Generic-error copy updated to make clear the data is still on disk.

Adds unit tests for the new DatabaseService helpers and widget tests
for all three recovery-UI states (required, recovering, failed).

* fix(import): cooperative cancellation via ImportCancellationToken

Previously, cancelling a large import (e.g. 300-dive Perdix download) showed
a "cannot be cancelled" dialog and the only option was to force-kill the app.
Killing mid-transaction left SQLite with a hot rollback journal, which caused
the next launch to hit SQLITE_READONLY_ROLLBACK (776) on PRAGMA user_version.

The wizard now offers a real Cancel button. Cancellation is polled cooperatively
at per-dive boundaries in DiveComputerAdapter, UddfEntityImporter, and
HealthKitAdapter, so the current dive finishes writing to its own transaction
before the loop breaks. Already-imported dives are kept. The fingerprint
advances only for dives that were actually processed, so the remainder can be
re-imported next session.

* fix(import): address PR #255 review feedback

- Remove dead importedDives variable in DiveComputerAdapter that was
  only appended to, never read.
- Reset isCancellationRequested in the wizard's finally block so a
  second import starts fresh instead of inheriting the stale flag.
- Localize "Cancel import" and "Cancelling..." on the progress step
  via two new l10n keys (settings_import_cancelButton,
  settings_import_cancelling) across all 11 supported locales.

* test: cover import cancel dialog + DB recovery-failed UI

Raise PR #255 patch coverage from 66% toward 85% by adding tests for
the branches introduced by the cancel/recovery work:

- UnifiedImportWizard cancel dialog (4 tests): confirm dialog opens,
  Keep importing dismisses without cancelImport, Cancel import fires
  cancelImport, already-cancelling notice renders instead of the
  confirm dialog.
- ImportProgressStep cancel button wires through to cancelImport.
- StartupPage recoveryFailed UI: catch-block routing, Try again
  re-invokes _runRecovery, Close invokes closeAppOverride.

Adds two @VisibleForTesting hooks to UnifiedImportWizard
(initialPageOverride, notifierFactoryOverride) so tests can jump to
the import-progress page and inject a spy notifier into the widget's
inner ProviderScope without driving the full bundle/import pipeline.

* fix: clear stale error in _runRecovery and show specific message on recover failure

When `DatabaseService.recoverHotJournal` returns false, the recoveryFailed
UI now surfaces a concrete message ("SQLite could not reopen the database
to roll back the interrupted transaction.") instead of leaving whatever
text `_errorMessage` last held. Also clears `_errorMessage` on entry to
the `recovering` state so a second attempt cannot leak text from the
previous failure into the next UI.

Adds a test that writes invalid SQLite bytes (0xAB) to exercise the
!recovered branch: the handle opens but `PRAGMA user_version` throws
SQLITE_NOTADB inside recoverHotJournal, which catches and returns false.

Addresses Copilot review comment on PR #255.

Author: ericgriffin

lib/core/presentation/pages/startup_page.dart

@@ -4,6 +4,7 @@ import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:package_info_plus/package_info_plus.dart';
 import 'package:shared_preferences/shared_preferences.dart';
+import 'package:sqlite3/sqlite3.dart' as sqlite3;
 
 import 'package:submersion/core/database/database.dart';
 import 'package:submersion/core/database/database_version_exception.dart';
@@ -43,6 +44,9 @@ enum _StartupState {
   backingUp,
   migrating,
   backupFailed,
+  recoveryRequired,
+  recovering,
+  recoveryFailed,
   ready,
   error,
 }
@@ -99,6 +103,7 @@ class _StartupWrapperState extends State<StartupWrapper>
   int _dbVersion = 0;
   int _appVersion = 0;
   BackupFailedException? _backupError;
+  sqlite3.SqliteException? _readonlyError;
 
   /// Drives the dissolve of the splash layer over the mounted app beneath.
   /// Forward-only; starts when _state first reaches ready.
@@ -199,6 +204,27 @@ class _StartupWrapperState extends State<StartupWrapper>
           _appVersion = e.appVersion;
         });
       }
+    } on sqlite3.SqliteException catch (e) {
+      if (DatabaseService.isRecoverableReadonlyError(e)) {
+        debugPrint(
+          'Startup hit SQLITE_READONLY (code ${e.extendedResultCode}); '
+          'offering hot-journal recovery.',
+        );
+        if (mounted) {
+          setState(() {
+            _state = _StartupState.recoveryRequired;
+            _readonlyError = e;
+          });
+        }
+      } else {
+        debugPrint('FATAL: App initialization failed: $e');
+        if (mounted) {
+          setState(() {
+            _state = _StartupState.error;
+            _errorMessage = '$e';
+          });
+        }
+      }
     } catch (e) {
       debugPrint('FATAL: App initialization failed: $e');
       if (mounted) {
@@ -210,6 +236,42 @@ class _StartupWrapperState extends State<StartupWrapper>
     }
   }
 
+  /// Attempt to recover the database from a hot-journal-readonly error by
+  /// reopening in read-write mode (which forces SQLite to finish the
+  /// rollback), then retry initialization from the top.
+  Future<void> _runRecovery() async {
+    if (!mounted) return;
+    setState(() {
+      _state = _StartupState.recovering;
+      // Clear any stale text from a prior failed attempt so the
+      // recoveryFailed UI reflects only the current reason.
+      _errorMessage = '';
+    });
+    try {
+      final dbPath = await widget.locationService.getDatabasePath();
+      final recovered = DatabaseService.recoverHotJournal(dbPath);
+      if (!recovered) {
+        if (mounted) {
+          setState(() {
+            _state = _StartupState.recoveryFailed;
+            _errorMessage =
+                'SQLite could not reopen the database to roll back the '
+                'interrupted transaction.';
+          });
+        }
+        return;
+      }
+      await _runInitialization();
+    } catch (e) {
+      if (mounted) {
+        setState(() {
+          _state = _StartupState.recoveryFailed;
+          _errorMessage = '$e';
+        });
+      }
+    }
+  }
+
   Future<void> _initializeServices() async {
     void onProgress(int currentStep, int totalSteps) {
       if (mounted) {
@@ -390,7 +452,10 @@ class _StartupWrapperState extends State<StartupWrapper>
                 debugShowCheckedModeBanner: false,
                 home:
                     (_state == _StartupState.error ||
-                        _state == _StartupState.backupFailed)
+                        _state == _StartupState.backupFailed ||
+                        _state == _StartupState.recoveryRequired ||
+                        _state == _StartupState.recovering ||
+                        _state == _StartupState.recoveryFailed)
                     ? Scaffold(
                         key: const ValueKey('error'),
                         backgroundColor: backgroundColor,
@@ -497,6 +562,12 @@ class _StartupWrapperState extends State<StartupWrapper>
       );
     }
 
+    if (_state == _StartupState.recoveryRequired ||
+        _state == _StartupState.recovering ||
+        _state == _StartupState.recoveryFailed) {
+      return _buildRecoveryContent(textColor, subtitleColor);
+    }
+
     if (_isVersionMismatch) {
       return Padding(
         padding: const EdgeInsets.all(24),
@@ -561,7 +632,8 @@ class _StartupWrapperState extends State<StartupWrapper>
           const SizedBox(height: 16),
           Text(
             'Try restarting the app. If this persists, '
-            'reinstall or contact support.',
+            'contact support — your data is still on disk and does not '
+            'require a reinstall.',
             style: TextStyle(fontSize: 14, color: subtitleColor),
             textAlign: TextAlign.center,
           ),
@@ -571,4 +643,147 @@ class _StartupWrapperState extends State<StartupWrapper>
       ),
     );
   }
+
+  Widget _buildRecoveryContent(Color textColor, Color subtitleColor) {
+    if (_state == _StartupState.recovering) {
+      return Padding(
+        padding: const EdgeInsets.all(24),
+        child: Column(
+          mainAxisSize: MainAxisSize.min,
+          children: [
+            const SizedBox(
+              width: 64,
+              height: 64,
+              child: CircularProgressIndicator(),
+            ),
+            const SizedBox(height: 24),
+            Text(
+              'Recovering database...',
+              style: TextStyle(
+                fontSize: 20,
+                fontWeight: FontWeight.bold,
+                color: textColor,
+              ),
+              textAlign: TextAlign.center,
+            ),
+            const SizedBox(height: 16),
+            Text(
+              'Rolling back the interrupted transaction. This usually '
+              'takes a few seconds.',
+              style: TextStyle(fontSize: 14, color: subtitleColor),
+              textAlign: TextAlign.center,
+            ),
+          ],
+        ),
+      );
+    }
+
+    if (_state == _StartupState.recoveryFailed) {
+      final details = _errorMessage.isNotEmpty
+          ? _errorMessage
+          : (_readonlyError?.toString() ?? '');
+      return Padding(
+        padding: const EdgeInsets.all(24),
+        child: Column(
+          mainAxisSize: MainAxisSize.min,
+          children: [
+            const Icon(Icons.error_outline, size: 64, color: Colors.orange),
+            const SizedBox(height: 24),
+            Text(
+              'Recovery did not complete',
+              style: TextStyle(
+                fontSize: 20,
+                fontWeight: FontWeight.bold,
+                color: textColor,
+              ),
+              textAlign: TextAlign.center,
+            ),
+            const SizedBox(height: 16),
+            Text(
+              'The database could not be rolled back automatically. Your '
+              'data is still on disk; contact support before reinstalling '
+              'so we can help you recover it.',
+              style: TextStyle(fontSize: 14, color: subtitleColor),
+              textAlign: TextAlign.center,
+            ),
+            if (details.isNotEmpty) ...[
+              const SizedBox(height: 12),
+              Text(
+                details,
+                style: TextStyle(
+                  fontSize: 12,
+                  color: subtitleColor,
+                  fontFamily: 'monospace',
+                ),
+                textAlign: TextAlign.center,
+              ),
+            ],
+            const SizedBox(height: 24),
+            Wrap(
+              spacing: 12,
+              children: [
+                OutlinedButton(
+                  onPressed: _runRecovery,
+                  child: const Text('Try again'),
+                ),
+                FilledButton(onPressed: _closeApp, child: const Text('Close')),
+              ],
+            ),
+          ],
+        ),
+      );
+    }
+
+    // recoveryRequired
+    final code = _readonlyError?.extendedResultCode;
+    return Padding(
+      padding: const EdgeInsets.all(24),
+      child: Column(
+        mainAxisSize: MainAxisSize.min,
+        children: [
+          const Icon(Icons.build_circle_outlined, size: 64, color: Colors.blue),
+          const SizedBox(height: 24),
+          Text(
+            'Database needs recovery',
+            style: TextStyle(
+              fontSize: 20,
+              fontWeight: FontWeight.bold,
+              color: textColor,
+            ),
+            textAlign: TextAlign.center,
+          ),
+          const SizedBox(height: 16),
+          Text(
+            'A previous session was interrupted while writing to the '
+            'database. Your data is still on disk; we just need to finish '
+            'rolling back the cancelled change before the app can open.',
+            style: TextStyle(fontSize: 14, color: subtitleColor),
+            textAlign: TextAlign.center,
+          ),
+          if (code != null) ...[
+            const SizedBox(height: 12),
+            Text(
+              'SQLite code $code',
+              style: TextStyle(
+                fontSize: 12,
+                color: subtitleColor,
+                fontFamily: 'monospace',
+              ),
+              textAlign: TextAlign.center,
+            ),
+          ],
+          const SizedBox(height: 24),
+          FilledButton(
+            onPressed: _runRecovery,
+            child: const Text('Recover database'),
+          ),
+          const SizedBox(height: 8),
+          TextButton(
+            onPressed: _closeApp,
+            child: const Text('Close without recovering'),
+          ),
+        ],
+      ),
+    );
+  }
 }

lib/core/services/database_service.dart

@@ -196,11 +196,16 @@ class DatabaseService {
   /// Reads the stored schema version from a database file without opening it
   /// through Drift. Returns null if the file does not exist, or the integer
   /// PRAGMA user_version value otherwise.
+  ///
+  /// Opens in read-write mode (not read-only) so SQLite can automatically
+  /// roll back any hot journal left behind by a previous crash. A read-only
+  /// open on a db with a pending rollback throws SQLITE_READONLY_ROLLBACK
+  /// (extended code 776) before even the first PRAGMA can execute.
   static int? getStoredSchemaVersion(String dbPath) {
     final file = File(dbPath);
     if (!file.existsSync()) return null;
 
-    final db = sqlite3.sqlite3.open(dbPath, mode: sqlite3.OpenMode.readOnly);
+    final db = sqlite3.sqlite3.open(dbPath, mode: sqlite3.OpenMode.readWrite);
     try {
       final result = db.select('PRAGMA user_version');
       if (result.isEmpty) return null;
@@ -210,6 +215,38 @@ class DatabaseService {
     }
   }
 
+  /// Force SQLite to complete any pending hot-journal rollback on [dbPath].
+  ///
+  /// Opens the file in read-write mode — the very act of opening triggers
+  /// SQLite's automatic recovery of a hot journal. Returns true if the file
+  /// opened cleanly (recovery either wasn't needed or succeeded), false if
+  /// the journal could not be rolled back (file still read-only, on a
+  /// read-only volume, etc.).
+  ///
+  /// Safe to call on a file without a hot journal: it simply no-ops.
+  static bool recoverHotJournal(String dbPath) {
+    final file = File(dbPath);
+    if (!file.existsSync()) return true;
+    try {
+      final db = sqlite3.sqlite3.open(dbPath, mode: sqlite3.OpenMode.readWrite);
+      try {
+        db.select('PRAGMA user_version');
+      } finally {
+        db.dispose();
+      }
+      return true;
+    } on sqlite3.SqliteException {
+      return false;
+    }
+  }
+
+  /// True if [error] is a [sqlite3.SqliteException] in the SQLITE_READONLY
+  /// family (primary result code 8) — typically SQLITE_READONLY_ROLLBACK
+  /// (776) after a cancelled transaction left a hot journal behind.
+  static bool isRecoverableReadonlyError(Object error) {
+    return error is sqlite3.SqliteException && error.resultCode == 8;
+  }
+
   /// Resolve the database path using location service or default
   Future<String> _resolveDatabasePath() async {
     if (_locationService != null) {

lib/features/dive_import/data/services/uddf_entity_importer.dart

@@ -28,6 +28,7 @@ import 'package:submersion/features/equipment/data/repositories/equipment_reposi
 import 'package:submersion/features/equipment/data/repositories/equipment_set_repository_impl.dart';
 import 'package:submersion/features/equipment/domain/entities/equipment_item.dart';
 import 'package:submersion/features/equipment/domain/entities/equipment_set.dart';
+import 'package:submersion/features/import_wizard/domain/models/import_cancellation_token.dart';
 import 'package:submersion/features/import_wizard/domain/models/import_phase.dart';
 import 'package:submersion/features/tags/data/repositories/tag_repository.dart';
 import 'package:submersion/features/tags/domain/entities/tag.dart';
@@ -216,13 +217,18 @@ class UddfEntityImporter {
   ///
   /// Only entities at indices present in [selections] are imported.
   /// Reports progress via [onProgress] callback.
+  ///
+  /// If [cancelToken] is non-null, the dive-import loop polls
+  /// [ImportCancellationToken.isCancelled] between each dive and returns the
+  /// partial result already persisted when cancellation is observed.
   Future<UddfEntityImportResult> import({
     required UddfImportResult data,
     required UddfImportSelections selections,
     required ImportRepositories repositories,
     required String diverId,
     bool retainSourceDiveNumbers = false,
     ImportProgressCallback? onProgress,
+    ImportCancellationToken? cancelToken,
   }) async {
     final now = DateTime.now();
 
@@ -350,6 +356,7 @@ class UddfEntityImporter {
       retainSourceDiveNumbers: retainSourceDiveNumbers,
       now: now,
       onProgress: onProgress,
+      cancelToken: cancelToken,
     );
 
     return UddfEntityImportResult(
@@ -943,6 +950,7 @@ class UddfEntityImporter {
     bool retainSourceDiveNumbers = false,
     required DateTime now,
     ImportProgressCallback? onProgress,
+    ImportCancellationToken? cancelToken,
   }) async {
     if (selected.isEmpty) return const _DiveImportResult(0, 0);
     onProgress?.call(ImportPhase.dives, 0, selected.length);
@@ -965,6 +973,8 @@ class UddfEntityImporter {
         : await repos.diveRepository.getNextDiveNumber(diverId: diverId);
 
     for (final i in sortedSelected) {
+      if (cancelToken?.isCancelled ?? false) break;
+
       final diveData = items[i];
 
       // Build profile (include setpoint/ppO2 sensor readings)