Let write-side OSError propagate during backup creation

[agners]

Proposed change

When a write-side OSError (e.g. ENOSPC, host down) occurs during backup creation, the outer tar file is left in a structurally corrupt state. Securetar's create_tar context manager uses a two-phase header write: it writes a placeholder header on enter and seeks back to rewrite it with the actual size on exit. If an OSError occurs mid-write, the inner tar entry has truncated data and a stale placeholder header.

Previously, _folder_save wrapped OSError as BackupError, which store_folders then caught and swallowed -- allowing the backup to continue writing to an already corrupt tar. Similarly, _create_finalize silently swallowed OSError when writing backup.json, and the finally block in create() could raise a secondary OSError from _close_outer_tarfile that replaced the original exception. This secondary exception is what was captured in Sentry as SUPERVISOR-B53 (18k events, 470 users), SUPERVISOR-1FAJ (5.5k events, 595 users), SUPERVISOR-BJ4 (3.7k events), SUPERVISOR-18KS, and SUPERVISOR-1HE6.

This PR introduces BackupFatalError (a BackupError subclass) for write-side I/O errors. Using a dedicated subclass rather than letting raw OSError propagate avoids the job decorator treating it as an unhandled exception (which would send extra events to Sentry and wrap it as JobException). Since BackupFatalError is a HassioError, the job decorator handles it cleanly, and _do_backup catches it via except BackupError to delete the incomplete backup file.

Changes:

• Add BackupFatalError exception for write-side I/O errors
• In create(), use except/else instead of finally so finalization is skipped on error. On the error path, close the tar suppressing errors) to release the file handle; the file is unlinked by the caller
• In _create_finalize, raise BackupFatalError on OSError instead of swallowing it
• In _folder_save and store_supervisor_config, wrap OSError as BackupFatalError instead of BackupError
• In store_folders and store_addons, re-raise BackupFatalError instead of swallowing it like regular BackupError

Type of change

• Dependency upgrade
• Bugfix (non-breaking change which fixes an issue)
• New feature (which adds functionality to the supervisor)
• Breaking change (fix/feature causing existing functionality to break)
• Code quality improvements to existing code or addition of tests

Additional information

• This PR fixes or closes issue: fixes #
• This PR is related to issue:
• Link to documentation pull request:
• Link to cli pull request:
• Link to client library pull request:

Checklist

• The code change is tested and works locally.
• Local tests pass. Your PR cannot be merged unless tests pass
• There is no commented out code in this PR.
• I have followed the development checklist
• The code has been formatted using Ruff (ruff format supervisor tests)
• Tests have been added to verify that the new code works.

If API endpoints or add-on configuration are added/changed:

• Documentation added/updated for developers.home-assistant.io
• CLI updated (if necessary)
• Client library updated (if necessary)

[mdegat01]

The fact that this doesn't cause a linter error requiring an ignore comment seems like something we need to fix 😆

[mdegat01]

Wait we definitely have a too-broad-except rule or something like that, I've had to disable it before. Is something wrong with our linter? This should require a disable rule comment to pass ci...

[agners]

Hm, just checked, so it seems that when the pattern is:

    except Exception:
        ...
        raise

The rule doesn't apply. Which kinda make sense.

[mdegat01]

Makes sense, good catch. Nitpick on the exception name but looks fine.

[mdegat01]

Maybe BackupFatalIOError? The name seems a bit generic compared to the docstring, might get accidentally re-used for unrelated things in the future.