feat: batch B — data-loss guards, query timeout, banner mutex

Confirmed-broken behaviors from the deep audit:

- **F5 mid-edit data loss**: refresh on a dirty tab silently dropped
  every pending edit. on_refresh_active_tab now opens a destructive
  AlertDialog (Cancel | Discard and refresh) when the tab tracker
  has pending changes, mirroring the close-with-pending pattern.
- **Disconnect with pending no warn**: clicking Disconnect with any
  tracker dirty silently destroyed the work. on_disconnect now
  prompts; "Discard and disconnect" routes through a new
  AppMsg::ForceDisconnect that calls do_disconnect (the previous
  body, factored out).
- **Query timeout**: editor's Run had no wall-clock cap; runaway
  queries pinned the UI. New `query_timeout_secs` preference
  (default 60s, 0 disables); editor's tokio::select! arm races
  against the timeout and emits ShowTimedOut on expiry. Surfaced
  in Preferences → Editor as a SpinRow with subtitle.
- **Banner stacking**: read-only / no-PK / pending-changes banners
  could all reveal at once, wasting vertical space and dulling user
  attention. New `refresh_banner_visibility` enforces single-banner
  mutual exclusion in priority order (read-only > no-PK > pending);
  every toggle site routes through it.

Triaged as already-fixed and skipped: MySQL tinyint(1) bool
detection (grid.rs:596), Postgres multi-attribute alter
(structure_tracker materialize collapses), hourly history-prune
timer (correct GTK pattern, no leak). ComboBoxText kept
intentionally for free-text type entry.

Author: datlechin

linux/crates/app/src/services/preferences.rs

@@ -9,19 +9,32 @@ pub struct Preferences {
     pub editor_font_size: u32,
     #[serde(default = "default_history_retention_days")]
     pub history_retention_days: u32,
+    /// Wall-clock seconds before the editor's Run cancels a query
+    /// the driver hasn't returned from. `0` disables the timeout.
+    /// Defaults to 60s — long enough for typical OLTP work and
+    /// catalog browsing, short enough that a runaway DDL or
+    /// cross-join doesn't pin the GTK main thread waiting on
+    /// shutdown.
+    #[serde(default = "default_query_timeout_secs")]
+    pub query_timeout_secs: u32,
 }
 
 fn default_history_retention_days() -> u32 {
     30
 }
 
+fn default_query_timeout_secs() -> u32 {
+    60
+}
+
 impl Default for Preferences {
     fn default() -> Self {
         Self {
             default_page_size: 1_000,
             confirm_destructive: true,
             editor_font_size: 12,
             history_retention_days: default_history_retention_days(),
+            query_timeout_secs: default_query_timeout_secs(),
         }
     }
 }

linux/crates/app/src/ui/app/browse.rs

@@ -1,6 +1,6 @@
 use relm4::adw::prelude::*;
 use relm4::gtk::gio;
-use relm4::{ComponentController, ComponentSender, gtk};
+use relm4::{ComponentController, ComponentSender, adw, gtk};
 
 use tablepro_core::{ColumnInfo, QueryResult};
 use uuid::Uuid;
@@ -268,8 +268,39 @@ impl App {
     }
 
     pub(super) fn on_refresh_active_tab(&self) {
-        if let Some(id) = self.selected_browse_tab_id() {
+        let Some(id) = self.selected_browse_tab_id() else {
+            return;
+        };
+        let dirty = crate::services::change_tracker::with_tab_ref(id, |tr| tr.has_pending()).unwrap_or(false);
+        if !dirty {
             self.dispatch_to_tab(id, BrowseTabInput::Refresh);
+            return;
         }
+        // F5 mid-edit: a refetch overwrites the model and silently
+        // drops every pending row edit / insert / delete. Confirm
+        // with a destructive AlertDialog mirroring the close-with-
+        // pending path so the user has to opt in to the data loss.
+        let dialog = adw::AlertDialog::new(
+            Some(&crate::tr!("Discard pending changes?")),
+            Some(&crate::tr!(
+                "Refreshing reloads the table from the database and drops every unsaved edit on this tab."
+            )),
+        );
+        dialog.add_response("cancel", &crate::tr!("Cancel"));
+        dialog.add_response("discard", &crate::tr!("Discard and refresh"));
+        dialog.set_response_appearance("discard", adw::ResponseAppearance::Destructive);
+        dialog.set_default_response(Some("cancel"));
+        dialog.set_close_response("cancel");
+        let workspace_tabs = self.workspace_tabs.clone();
+        dialog.connect_response(None, move |dlg: &adw::AlertDialog, response: &str| {
+            dlg.close();
+            if response == "discard" {
+                crate::services::change_tracker::with_tab(id, |t| t.clear());
+                if let Some(controller) = workspace_tabs.borrow().get(&id).and_then(|t| t.browse_controller()) {
+                    let _ = controller.sender().send(BrowseTabInput::Refresh);
+                }
+            }
+        });
+        dialog.present(Some(&self.window));
     }
 }

linux/crates/app/src/ui/app/connection.rs

@@ -54,6 +54,43 @@ impl App {
     }
 
     pub(super) fn on_disconnect(&mut self, sender: ComponentSender<Self>) {
+        // Block disconnect when any tab has pending changes. The
+        // teardown below clears all tracker registries, so dropping
+        // the connection mid-edit silently destroys the user's work.
+        // Confirm via an AlertDialog mirroring the window-close-with-
+        // pending and F5-with-pending paths.
+        let has_pending = crate::services::change_tracker::any_pending_globally()
+            || crate::services::structure_tracker::any_pending_globally();
+        if has_pending {
+            let dialog = adw::AlertDialog::new(
+                Some(&crate::tr!("Discard pending changes?")),
+                Some(&crate::tr!(
+                    "Disconnecting will close every tab and drop every unsaved row edit and DDL change."
+                )),
+            );
+            dialog.add_response("cancel", &crate::tr!("Cancel"));
+            dialog.add_response("discard", &crate::tr!("Discard and disconnect"));
+            dialog.set_response_appearance("discard", adw::ResponseAppearance::Destructive);
+            dialog.set_default_response(Some("cancel"));
+            dialog.set_close_response("cancel");
+            let sender_for_resp = sender.clone();
+            dialog.connect_response(None, move |dlg, response| {
+                dlg.close();
+                if response == "discard" {
+                    sender_for_resp.input(AppMsg::ForceDisconnect);
+                }
+            });
+            dialog.present(Some(&self.window));
+            return;
+        }
+        self.do_disconnect(sender);
+    }
+
+    /// Skip the dirty check and tear the connection down. Reachable
+    /// either from the AlertDialog "Discard and disconnect" branch
+    /// or from a clean `Disconnect` when no tracker has pending
+    /// changes.
+    pub(super) fn do_disconnect(&mut self, sender: ComponentSender<Self>) {
         // Persist + tear down workspace tabs before dropping the
         // connection (persist needs the active connection_id).
         self.teardown_workspace_tabs();

linux/crates/app/src/ui/app/mod.rs

@@ -289,6 +289,10 @@ pub enum AppMsg {
     OpenHistoryQuery(String),
     ReplaceActiveTabQuery(String),
     Disconnect,
+    /// Skip the dirty-state confirmation and tear the connection
+    /// down immediately. Fired from the disconnect-with-pending
+    /// AlertDialog's "Discard and disconnect" response.
+    ForceDisconnect,
     PollHealth,
     RefreshPage,
     ShowShortcuts,
@@ -1201,6 +1205,7 @@ impl SimpleComponent for App {
             AppMsg::OpenConnect => self.on_open_connect(sender),
             AppMsg::Connected { tables, driver_id } => self.on_connected(tables, driver_id, sender),
             AppMsg::Disconnect => self.on_disconnect(sender),
+            AppMsg::ForceDisconnect => self.do_disconnect(sender),
             AppMsg::DialogClosed => self.dialog = None,
             AppMsg::SelectTable {
                 schema,

linux/crates/app/src/ui/browse_tab.rs

@@ -472,7 +472,31 @@ impl BrowseTab {
             };
             self.pending_banner.set_title(&banner_title);
         }
-        self.pending_banner.set_revealed(visible);
+        self.refresh_banner_visibility(visible);
+    }
+
+    /// Reveal at most ONE banner at a time. Stacking three banners
+    /// (read-only + no-PK + pending) wastes vertical space and
+    /// creates a wall-of-warnings aesthetic that desensitises the
+    /// user to actual problems. Priority order, most-blocking first:
+    ///
+    /// 1. Read-only — every other state is moot if edits are off.
+    /// 2. No primary key — edits are blocked at row-identity level.
+    /// 3. Pending unsaved changes — informational, only meaningful
+    ///    when the previous two are clear.
+    ///
+    /// `pending_visible` is the caller's intended pending-banner
+    /// state (it carries the per-tab pending-count so this helper
+    /// doesn't need to recompute it).
+    fn refresh_banner_visibility(&self, pending_visible: bool) {
+        let read_only = self.read_only;
+        let no_pk = self.current_columns.iter().any(|c| !c.primary_key)
+            && !self.current_columns.is_empty()
+            && !self.current_columns.iter().any(|c| c.primary_key);
+        self.read_only_banner.set_revealed(read_only);
+        self.no_pk_banner.set_revealed(!read_only && no_pk);
+        self.pending_banner
+            .set_revealed(!read_only && !no_pk && pending_visible);
     }
 
     /// Walk the selection → FilterListModel → ListStore chain to
@@ -931,7 +955,15 @@ impl BrowseTab {
             self.delete_button
                 .set_tooltip_text(Some(&crate::tr!("Delete selected row")));
         }
-        self.no_pk_banner.set_revealed(has_columns && !has_pk);
+        // Banner mutual exclusion lives in `refresh_banner_visibility`;
+        // forward the current pending-banner intent so the no-PK
+        // toggle doesn't override it. The pending banner reveals
+        // when there's an actual count > 0.
+        let pending_visible =
+            crate::services::change_tracker::with_tab_ref(self.tab_id, |tr| tr.pending_count() > 0).unwrap_or(false);
+        self.refresh_banner_visibility(pending_visible);
+        let _ = has_columns;
+        let _ = has_pk;
     }
 
     fn update_paginator_label(&self) {
@@ -1479,7 +1511,10 @@ impl SimpleComponent for BrowseTab {
             }
             BrowseTabInput::SetReadOnly(read_only) => {
                 self.read_only = read_only;
-                self.read_only_banner.set_revealed(read_only);
+                let pending_visible =
+                    crate::services::change_tracker::with_tab_ref(self.tab_id, |tr| tr.pending_count() > 0)
+                        .unwrap_or(false);
+                self.refresh_banner_visibility(pending_visible);
                 self.refresh_crud_buttons();
                 // Force a full grid rebuild so editable labels turn into
                 // read-only labels (or vice versa) without waiting for the

linux/crates/app/src/ui/editor.rs

@@ -67,6 +67,10 @@ pub enum SqlEditorInput {
     /// vs. sub-tabs) based on Vec length.
     ShowOutcomes(Vec<StatementOutcome>),
     ShowCancelled,
+    /// Query exceeded the configured wall-clock timeout. Treated
+    /// like a manual cancel from the user's perspective but with
+    /// a different status / history-record reason.
+    ShowTimedOut(u32),
     ReplaceQuery(String),
 }
 
@@ -311,14 +315,28 @@ impl SimpleComponent for SqlEditor {
                 self.executing_metadata = database_service::instance().active_metadata();
                 self.executing_started_at = Some(SystemTime::now());
 
+                let timeout_secs = crate::services::preferences::load().query_timeout_secs;
                 let sender_clone = sender.clone();
                 sender.command(move |_, shutdown| {
                     shutdown
                         .register(async move {
                             let statements = split_sql_statements(&trimmed);
+                            // A `query_timeout_secs == 0` user opt-out
+                            // turns the timeout branch off by holding a
+                            // future that never resolves. Otherwise the
+                            // tokio sleep races against `cancelled()`
+                            // and `run_statements()`; first to finish
+                            // wins.
+                            let timeout: std::pin::Pin<Box<dyn std::future::Future<Output = ()> + Send>> =
+                                if timeout_secs > 0 {
+                                    Box::pin(tokio::time::sleep(std::time::Duration::from_secs(timeout_secs as u64)))
+                                } else {
+                                    Box::pin(std::future::pending::<()>())
+                                };
                             let msg = tokio::select! {
                                 biased;
                                 _ = token.cancelled() => SqlEditorInput::ShowCancelled,
+                                _ = timeout => SqlEditorInput::ShowTimedOut(timeout_secs),
                                 outcomes = run_statements(conn, statements) => {
                                     let total_ms: u128 = outcomes.iter().map(|o| o.elapsed_ms).sum();
                                     let n_ok = outcomes
@@ -409,6 +427,32 @@ impl SimpleComponent for SqlEditor {
                 self.results_holder.append(&cancelled_page);
             }
 
+            SqlEditorInput::ShowTimedOut(secs) => {
+                self.cancel_token = None;
+                self.run_button.set_sensitive(true);
+                self.cancel_button.set_visible(false);
+                self.running_spinner.set_visible(false);
+                let _ = sender.output(SqlEditorOutput::RunStateChanged(false));
+                let elapsed = self
+                    .executing_started_at
+                    .and_then(|t| SystemTime::now().duration_since(t).ok())
+                    .map(|d| d.as_millis() as i64)
+                    .unwrap_or(0);
+                let secs_str = secs.to_string();
+                let reason =
+                    crate::tr!("Query exceeded the {n}s timeout configured in Preferences.").replace("{n}", &secs_str);
+                self.record_history(elapsed, None, Outcome::Error(reason.clone()));
+                self.status.set_label(&crate::tr!("timed out"));
+                clear_box(&self.results_holder);
+                let page = adw::StatusPage::builder()
+                    .title(crate::tr!("Query timed out"))
+                    .description(&reason)
+                    .icon_name("appointment-soon-symbolic")
+                    .vexpand(true)
+                    .build();
+                self.results_holder.append(&page);
+            }
+
             SqlEditorInput::ReplaceQuery(text) => {
                 self.source_view.buffer().set_text(&text);
             }

linux/crates/app/src/ui/preferences.rs

@@ -126,8 +126,19 @@ pub fn present(parent: &impl IsA<gtk::Widget>) {
     let font_size_row = adw::SpinRow::with_range(8.0, 32.0, 1.0);
     font_size_row.set_title(&crate::tr!("Editor font size"));
     font_size_row.set_value(current.editor_font_size as f64);
-
     editor_group.add(&font_size_row);
+
+    // 0 disables, 1..=3600s allowed range. Subtitle exposes the
+    // disable-via-zero contract so power users editing long-running
+    // analytical queries can opt out without spelunking the JSON.
+    let timeout_row = adw::SpinRow::with_range(0.0, 3600.0, 5.0);
+    timeout_row.set_title(&crate::tr!("Query timeout (seconds)"));
+    timeout_row.set_subtitle(&crate::tr!(
+        "Cancel long-running queries automatically. Set to 0 to disable."
+    ));
+    timeout_row.set_value(current.query_timeout_secs as f64);
+    editor_group.add(&timeout_row);
+
     editor.add(&editor_group);
 
     window.add(&general);
@@ -142,12 +153,14 @@ pub fn present(parent: &impl IsA<gtk::Widget>) {
         let confirm = confirm_row.clone();
         let font = font_size_row.clone();
         let retention = retention_row.clone();
+        let timeout = timeout_row.clone();
         std::rc::Rc::new(move || {
             preferences::save(&Preferences {
                 default_page_size: page_size.value() as u64,
                 confirm_destructive: confirm.is_active(),
                 editor_font_size: font.value() as u32,
                 history_retention_days: retention.value() as u32,
+                query_timeout_secs: timeout.value() as u32,
             });
         })
     };
@@ -163,6 +176,10 @@ pub fn present(parent: &impl IsA<gtk::Widget>) {
         let s = save_all.clone();
         move |_| s()
     });
+    timeout_row.connect_value_notify({
+        let s = save_all.clone();
+        move |_| s()
+    });
     confirm_row.connect_active_notify({
         let s = save_all.clone();
         move |_| s()