Fix bootstrapping wizard cancellation leaving system in bad state

When a user cancels a bootstrapping wizard part-way through (e.g. the account setup or workspace creation wizard), the system records the wizard as completed. On the next login the wizard does not re-appear, leaving the database in a partially-bootstrapped state with no supported recovery path other than dropping and recreating the entire database. We need to investigate what "bootstrapping complete" state is tracked, how cancellation interacts with it, and design a recovery path — whether that is re-triggering the wizard, a repair CLI command, or a dedicated admin screen.

Partially-bootstrapped databases are practically unrecoverable by end users: the only workaround today is to recreate the database from scratch, which loses all data. Even in development this is disruptive. A sensible cancellation model (e.g. only marking bootstrapping complete when the wizard commits successfully, or providing a "resume bootstrap" entry point) would make the system significantly more robust during initial setup.