refactor: move SyncOrchestrator off Dispatchers.Main onto a dedicated IO scope (#220)

* refactor: move SyncOrchestrator off Dispatchers.Main onto a dedicated IO scope

Previously `SyncOrchestrator` inherited the foreground service's Main scope. Two
problems with that:
- A slow Room query or HTTP retry inside a `scope.launch` block runs on Main
  and blocks the UI.
- Any exception escaping a network/DB catch hits Android's default Main-thread
  uncaught handler and kills the foreground service. The fix in #218 widened
  every leaf catch in the network clients, but the underlying architectural
  smell — sync work running on Main — remained.

`SyncOrchestrator` now owns its own `CoroutineScope(SupervisorJob() +
Dispatchers.IO + handler)`, mirroring the pattern in `NightscoutPusher` and
`TidepoolUploader`. The `start()` signature loses its `scope` parameter; the
service no longer leaks its Main scope into background work. `stop()` cancels
the internal scope so a service shutdown propagates correctly.

A `CoroutineExceptionHandler` is installed on the new scope as defense in
depth — independent from the per-scope handlers in #218 (which protect
StrimmaService/Pusher/Uploader scopes; this one protects the new sync scope).

Test plan:
- `./gradlew testDebugUnitTest` — full suite green
- `./gradlew detekt` — clean
- `./gradlew assembleRelease` — clean

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* refactor: extract scopeCrashHandler factory + idempotence guard + tests

Address review feedback for #220 (now that #218 is merged to main):

- Extract `scopeCrashHandler(name)` factory in `receiver/`. Replaces 4
  near-identical `CoroutineExceptionHandler { _, t -> DebugLog.log(...) }`
  blocks across StrimmaService, NightscoutPusher, TidepoolUploader, and
  SyncOrchestrator. One log format, one truncation length, one source.
- Add idempotence guard to `SyncOrchestrator.start()` (mirrors UpdateChecker's
  `if (checkJob != null) return` pattern). Stray double-call no longer
  duplicates the periodic loops or stacks two DataStore collectors. `started`
  is `@VisibleForTesting`-exposed for the new test class.
- Reorder `SyncOrchestrator.stop()` and add a comment explaining why
  `updateChecker.stop()` MUST be called explicitly (its internal `checkJob`
  field needs nulling — `scope.cancel()` cancels the launched coroutine but
  leaves the Job reference live, which breaks the next `start()`).
- Trim redundant `treatmentSyncJob?.cancel()` / `exerciseSyncJob?.cancel()` in
  `stop()` — they're children of `scope` and get cancelled transitively.
  Keep the `= null` reassignments for clarity.
- Add `@Volatile` to `var scope` and `var job` so a future cross-thread caller
  can't observe a torn write.
- Rewrite KDoc to stop overselling — CalendarPoller still runs on Main scope.
  Comment the asymmetry at the call site in StrimmaService.
- Update `@Suppress("LongParameterList")` rationale to acknowledge the
  dispatcher param is plumbing, not a collaborator.

New `SyncOrchestratorTest` covers: idempotent start, scope-rebuild re-entry
after stop, stop-without-start safety. Uses real collaborators across the
graph; `SilentNightscoutClient` returns null/empty so launches exit cleanly
without real HTTP.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Author: psjostrom

app/src/main/java/com/psjostrom/strimma/network/NightscoutPusher.kt

@@ -6,6 +6,7 @@ import com.psjostrom.strimma.data.SettingsRepository
 import com.psjostrom.strimma.di.IoDispatcher
 import com.psjostrom.strimma.notification.AlertManager
 import com.psjostrom.strimma.receiver.DebugLog
+import com.psjostrom.strimma.receiver.scopeCrashHandler
 import kotlinx.coroutines.*
 import kotlinx.coroutines.flow.MutableStateFlow
 import kotlinx.coroutines.flow.StateFlow
@@ -29,12 +30,8 @@ class NightscoutPusher @Inject constructor(
         private const val PUSH_FAIL_ALERT_MS = 15 * 60 * 1000L // 15 minutes
     }
 
-    // Last-resort safety net for anything that escapes the leaf catches in NightscoutClient.
-    // Without this, an uncaught throwable on the IO scope still kills the process via the
-    // JVM default handler. The leaf catches are still the primary mechanism; this is the belt.
-    private val crashHandler = CoroutineExceptionHandler { _, t ->
-        DebugLog.log("Pusher scope uncaught: ${t.javaClass.simpleName}: ${t.message?.take(80)}")
-    }
+    // Belt for anything that escapes the leaf catches in NightscoutClient.
+    private val crashHandler = scopeCrashHandler("Pusher")
     private var job = SupervisorJob()
     private var scope = CoroutineScope(job + dispatcher + crashHandler)
 

app/src/main/java/com/psjostrom/strimma/receiver/ScopeCrashHandler.kt

@@ -0,0 +1,24 @@
+package com.psjostrom.strimma.receiver
+
+import kotlinx.coroutines.CoroutineExceptionHandler
+
+private const val SCOPE_CRASH_LOG_LENGTH = 80
+
+/**
+ * Coroutine exception handler factory for service-owned scopes. Logs uncaught
+ * throwables to [DebugLog] instead of letting them propagate to the JVM /
+ * Android default uncaught handler — which on Main = process death and a
+ * foreground-service restart loop.
+ *
+ * Use as a context element on every scope a service owns:
+ * ```
+ * CoroutineScope(SupervisorJob() + dispatcher + scopeCrashHandler("Service"))
+ * ```
+ *
+ * The leaf catches in network / DB code remain the primary mechanism — this
+ * is the belt against future code added without one.
+ */
+internal fun scopeCrashHandler(scopeName: String): CoroutineExceptionHandler =
+    CoroutineExceptionHandler { _, t ->
+        DebugLog.log("$scopeName scope uncaught: ${t.javaClass.simpleName}: ${t.message?.take(SCOPE_CRASH_LOG_LENGTH)}")
+    }

app/src/main/java/com/psjostrom/strimma/service/StrimmaService.kt

@@ -31,6 +31,7 @@ import com.psjostrom.strimma.notification.NotificationHelper
 import com.psjostrom.strimma.receiver.DebugLog
 import com.psjostrom.strimma.receiver.GlucoseNotificationListener
 import com.psjostrom.strimma.receiver.XdripBroadcastReceiver
+import com.psjostrom.strimma.receiver.scopeCrashHandler
 import com.psjostrom.strimma.data.calendar.CalendarPoller
 import com.psjostrom.strimma.data.calendar.WorkoutEvent
 import com.psjostrom.strimma.data.workout.WorkoutMode
@@ -96,14 +97,9 @@ class StrimmaService : Service() {
     @Inject lateinit var syncOrchestrator: SyncOrchestrator
     @Inject lateinit var workoutModeManager: WorkoutModeManager
 
-    // Last-resort safety net: if anything escapes the leaf catches in network clients
-    // (or future code added without one), log it instead of letting it propagate to the
-    // Android default handler — which on Main = process death and a foreground-service
-    // restart loop. The leaf catches are still the primary mechanism; this is the belt.
-    private val crashHandler = CoroutineExceptionHandler { _, t ->
-        DebugLog.log("Service scope uncaught: ${t.javaClass.simpleName}: ${t.message?.take(80)}")
-    }
-    private val scope = CoroutineScope(SupervisorJob() + Dispatchers.Main + crashHandler)
+    // Belt for anything that escapes the leaf catches in network clients (or future
+    // code added without one). On Main an uncaught throwable is process death.
+    private val scope = CoroutineScope(SupervisorJob() + Dispatchers.Main + scopeCrashHandler("Service"))
     private var xdripReceiver: XdripBroadcastReceiver? = null
     private var followerJob: Job? = null
     private var lluFollowerJob: Job? = null
@@ -189,7 +185,9 @@ class StrimmaService : Service() {
 
         scope.launch { updateNotification() }
         startStaleCheckLoop()
-        syncOrchestrator.start(scope)
+        syncOrchestrator.start()
+        // CalendarPoller stays on Main scope — its blocking ContentResolver work
+        // uses `withContext(IO)` internally, so the poll loop itself can stay on Main.
         calendarPollJob = calendarPoller.start(scope)
         observeCalendarForAlarms()
         observeWorkoutModeForNotificationRefresh()

app/src/main/java/com/psjostrom/strimma/service/SyncOrchestrator.kt

@@ -4,16 +4,22 @@ import com.psjostrom.strimma.data.MS_PER_HOUR
 import com.psjostrom.strimma.data.MS_PER_MINUTE
 import com.psjostrom.strimma.data.ReadingDao
 import com.psjostrom.strimma.data.SettingsRepository
+import androidx.annotation.VisibleForTesting
 import com.psjostrom.strimma.data.health.ExerciseSyncer
+import com.psjostrom.strimma.di.IoDispatcher
 import com.psjostrom.strimma.network.NightscoutPuller
 import com.psjostrom.strimma.network.NightscoutPusher
 import com.psjostrom.strimma.network.TreatmentSyncer
 import com.psjostrom.strimma.receiver.DebugLog
+import com.psjostrom.strimma.receiver.scopeCrashHandler
 import com.psjostrom.strimma.tidepool.TidepoolUploader
 import com.psjostrom.strimma.update.UpdateChecker
 import com.psjostrom.strimma.webserver.LocalWebServer
+import kotlinx.coroutines.CoroutineDispatcher
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.Job
+import kotlinx.coroutines.SupervisorJob
+import kotlinx.coroutines.cancel
 import kotlinx.coroutines.delay
 import kotlinx.coroutines.flow.combine
 import kotlinx.coroutines.isActive
@@ -24,8 +30,12 @@ import javax.inject.Singleton
 /**
  * Manages periodic background jobs: push/upload retry, data pruning, treatment sync,
  * web server lifecycle, exercise sync, update checker, and initial push/pull.
+ *
+ * Owns its own IO-backed scope so the orchestrated jobs run off the main thread.
+ * `CalendarPoller` is owned by `StrimmaService` and stays on Main — its blocking
+ * work uses `withContext(IO)` internally — and so is not covered by this scope.
  */
-@Suppress("LongParameterList") // DI constructor — each dependency is a distinct background concern
+@Suppress("LongParameterList") // 9 distinct background collaborators + 1 dispatcher for scope ownership
 @Singleton
 class SyncOrchestrator @Inject constructor(
     private val pusher: NightscoutPusher,
@@ -36,7 +46,8 @@ class SyncOrchestrator @Inject constructor(
     private val localWebServer: LocalWebServer,
     private val exerciseSyncer: ExerciseSyncer,
     private val nightscoutPuller: NightscoutPuller,
-    private val updateChecker: UpdateChecker
+    private val updateChecker: UpdateChecker,
+    @IoDispatcher private val dispatcher: CoroutineDispatcher,
 ) {
     companion object {
         private const val RETRY_INTERVAL_MINUTES = 5
@@ -45,14 +56,34 @@ class SyncOrchestrator @Inject constructor(
         private const val HOURS_PER_DAY = 24
     }
 
+    // Belt for anything that escapes the network/DB catches in this scope's launches.
+    private val crashHandler = scopeCrashHandler("Sync")
+
+    // @Volatile because `start()` and `stop()` are invoked from the service
+    // lifecycle (today: Main thread only), but the scope reference is read from
+    // inside coroutines running on the IO dispatcher. Adds a memory barrier so
+    // a future caller from another thread can't observe a torn write.
+    @Volatile private var job = SupervisorJob()
+    @Volatile private var scope = CoroutineScope(job + dispatcher + crashHandler)
+
     private var treatmentSyncJob: Job? = null
     private var exerciseSyncJob: Job? = null
 
-    fun start(scope: CoroutineScope) {
-        startRetryLoop(scope)
-        startPruneLoop(scope)
-        startTreatmentSyncLifecycle(scope)
-        startWebServerLifecycle(scope)
+    @VisibleForTesting
+    internal var started: Boolean = false
+        private set
+
+    fun start() {
+        // Idempotent: a stray double-call must not duplicate the periodic loops
+        // or stack two DataStore collectors. Mirrors UpdateChecker.start()'s
+        // `if (checkJob != null) return` guard.
+        if (started) return
+        started = true
+
+        startRetryLoop()
+        startPruneLoop()
+        startTreatmentSyncLifecycle()
+        startWebServerLifecycle()
         exerciseSyncJob = exerciseSyncer.start(scope)
         updateChecker.start(scope)
 
@@ -62,17 +93,29 @@ class SyncOrchestrator @Inject constructor(
     }
 
     fun stop() {
-        treatmentSyncJob?.cancel()
-        treatmentSyncJob = null
-        exerciseSyncJob?.cancel()
-        exerciseSyncJob = null
-        localWebServer.stop()
+        started = false
+
+        // updateChecker.stop() MUST be called explicitly — `scope.cancel()` cancels
+        // the launched coroutine but leaves UpdateChecker's internal `checkJob`
+        // reference live (just cancelled). The next `start()` would then early-return
+        // on its `if (checkJob != null) return` guard.
+        updateChecker.stop()
         pusher.stop()
         tidepoolUploader.stop()
-        updateChecker.stop()
+        localWebServer.stop()
+
+        // `treatmentSyncJob` and `exerciseSyncJob` are children of `scope` —
+        // `scope.cancel()` below cancels them transitively. Just null the
+        // references so a re-start() doesn't observe stale Jobs.
+        treatmentSyncJob = null
+        exerciseSyncJob = null
+
+        scope.cancel()
+        job = SupervisorJob()
+        scope = CoroutineScope(job + dispatcher + crashHandler)
     }
 
-    private fun startRetryLoop(scope: CoroutineScope) {
+    private fun startRetryLoop() {
         scope.launch {
             while (isActive) {
                 delay(RETRY_INTERVAL_MINUTES * MS_PER_MINUTE)
@@ -82,7 +125,7 @@ class SyncOrchestrator @Inject constructor(
         }
     }
 
-    private fun startPruneLoop(scope: CoroutineScope) {
+    private fun startPruneLoop() {
         scope.launch {
             while (isActive) {
                 val thirtyDaysAgo = System.currentTimeMillis() - PRUNE_RETENTION_DAYS * HOURS_PER_DAY * MS_PER_HOUR
@@ -92,7 +135,7 @@ class SyncOrchestrator @Inject constructor(
         }
     }
 
-    private fun startTreatmentSyncLifecycle(scope: CoroutineScope) {
+    private fun startTreatmentSyncLifecycle() {
         scope.launch {
             combine(
                 settings.treatmentsSyncEnabled,
@@ -119,7 +162,7 @@ class SyncOrchestrator @Inject constructor(
         }
     }
 
-    private fun startWebServerLifecycle(scope: CoroutineScope) {
+    private fun startWebServerLifecycle() {
         scope.launch {
             settings.webServerEnabled.collect { enabled ->
                 if (enabled) {

app/src/main/java/com/psjostrom/strimma/tidepool/TidepoolUploader.kt

@@ -9,8 +9,8 @@ import androidx.annotation.VisibleForTesting
 import com.psjostrom.strimma.data.ReadingDao
 import com.psjostrom.strimma.data.SettingsRepository
 import com.psjostrom.strimma.receiver.DebugLog
+import com.psjostrom.strimma.receiver.scopeCrashHandler
 import dagger.hilt.android.qualifiers.ApplicationContext
-import kotlinx.coroutines.CoroutineExceptionHandler
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.NonCancellable
@@ -67,12 +67,9 @@ class TidepoolUploader @Inject constructor(
         }
     }
 
-    // Last-resort safety net for anything that escapes the leaf catches in TidepoolClient
-    // and the executeUpload outer catch. The leaf catches are still the primary mechanism;
-    // this is the belt against future code added without one.
-    private val crashHandler = CoroutineExceptionHandler { _, t ->
-        DebugLog.log("Uploader scope uncaught: ${t.javaClass.simpleName}: ${t.message?.take(MAX_LOG_ERROR_LENGTH)}")
-    }
+    // Belt for anything that escapes the leaf catches in TidepoolClient and the
+    // executeUpload outer catch.
+    private val crashHandler = scopeCrashHandler("Uploader")
     private var job = SupervisorJob()
     private var scope = CoroutineScope(job + Dispatchers.IO + crashHandler)
     private val uploadMutex = Mutex()