SMB: Fix wrong-password message and stale connection dot

QA follow-ups on the login-flow fix:
- A rejected sign-in now says "Invalid username or password" instead of "Authentication required": the new `classify_authenticated_error` maps auth-class rejections of explicit credentials to `AuthFailed` (`SigningRequired` deliberately stays untouched).
- The volume picker dot now flips to green (direct) right after a sign-in upgrades the connection: `register_replacing_predecessor` emits `volumes-changed` after registering, since the after-sign-in and already-mounted upgrade paths have no FSEvents mount event to ride.

Author: vdavid

apps/desktop/src-tauri/src/network/CLAUDE.md

@@ -172,7 +172,7 @@ When the user mounts an SMB share, we establish a parallel smb2 connection along
 
 Every `NSWorkspaceDidMountNotification` on an SMB share triggers a fresh `register_smb_volume` cycle, and the user can re-trigger the same path via manual "Connect directly" after an unmount/remount cycle. Without explicit cleanup, the new `SmbVolume` simply overwrites the old one's `Arc` slot in `VolumeManager`. The old volume's watcher would still exit eventually — its `watcher_cancel: Mutex<Option<oneshot::Sender<()>>>` drops with the `Arc`, the `Sender` drops, the watcher's `cancel_rx` resolves to `Err(Closed)` and the `select!` branch fires — but timing is non-deterministic ("whenever the last `Arc` ref goes away") and an in-flight `do_attempt_reconnect` on the displaced volume could install a fresh session into a volume that's no longer in the manager.
 
-`register_replacing_predecessor` (in `smb_upgrade.rs`) closes both gaps: it looks up the predecessor via `manager.get(volume_id)`, calls `on_unmount` on it (which sets the `unmounted` flag, transitions state, pings the watcher cancel, and drops the smb2 session), then `register`s the new volume. Both `register_smb_volume` and `try_smb_upgrade` route through this helper.
+`register_replacing_predecessor` (in `smb_upgrade.rs`) closes both gaps: it looks up the predecessor via `manager.get(volume_id)`, calls `on_unmount` on it (which sets the `unmounted` flag, transitions state, pings the watcher cancel, and drops the smb2 session), then `register`s the new volume. Both `register_smb_volume` and `try_smb_upgrade` route through this helper. It also emits `volumes-changed` after registering: the after-sign-in and already-mounted upgrade paths have no FSEvents mount event to ride, so without the explicit broadcast the frontend keeps the stale `os_mount` dot on a volume that's already `direct`.
 
 **Gotcha**: `SmbVolume::on_unmount` uses `blocking_write()` / `blocking_lock()` because the FSEvents-thread call site (`volumes::watcher::handle_volume_unmounted`) is sync. Inside `register_replacing_predecessor` we're in an async context, so calling `on_unmount` directly would panic ("cannot block_on within a runtime"). The helper wraps the call in `tokio::task::spawn_blocking(...).await` so the lock acquisition runs on the blocking-thread pool. Don't switch back to a direct call.
 

apps/desktop/src-tauri/src/network/smb_client.rs

@@ -18,6 +18,10 @@ use super::smb_smbutil::{list_shares_smbutil, list_shares_smbutil_authenticated_
 // argv); only the non-macOS authed fallback (smbclient `-A` authfile) still uses this.
 #[cfg(not(target_os = "macos"))]
 use super::smb_smbutil::list_shares_smbutil_with_auth;
+// Only the macOS arm classifies the raw smb2 failure of an authenticated listing
+// (Linux retries via the smbclient authfile fallback instead).
+#[cfg(target_os = "macos")]
+use super::smb_util::classify_authenticated_error;
 use super::smb_util::{classify_error, convert_shares, is_auth_error};
 
 /// Lists shares on a network host.
@@ -168,7 +172,9 @@ async fn list_shares_smb2(
                                 }),
                                 Err(e) => {
                                     debug!("smb2 authenticated list failed: {}", e);
-                                    Err(classify_error(&e))
+                                    // Authenticated context: a rejected session means
+                                    // wrong credentials, not "authentication required".
+                                    Err(classify_authenticated_error(&e))
                                 }
                             };
                         }

apps/desktop/src-tauri/src/network/smb_upgrade.rs

@@ -89,6 +89,12 @@ async fn register_replacing_predecessor(
         let _ = tokio::task::spawn_blocking(move || prev.on_unmount()).await;
     }
     manager.register(volume_id, new_volume);
+
+    // Tell the frontend the volume's connection state changed (os_mount → direct).
+    // The auto-upgrade paths often coincide with an FSEvents mount event that triggers
+    // a broadcast anyway, but the after-sign-in and already-mounted paths have no
+    // mount event at all: without this, the picker keeps the stale os_mount dot.
+    crate::volume_broadcast::emit_volumes_changed();
 }
 
 /// Tries to establish a direct smb2 connection and register as `SmbVolume`.

apps/desktop/src-tauri/src/network/smb_util.rs

@@ -27,6 +27,25 @@ pub fn classify_error(err: &smb2::Error) -> ShareListError {
     }
 }
 
+/// Classifies an error from an *authenticated* listing attempt.
+///
+/// The caller supplied explicit credentials, so an auth-class rejection
+/// (`AuthRequired` / `AccessDenied`, for example `STATUS_LOGON_FAILURE`) means the
+/// credentials are wrong (`AuthFailed`), not that authentication is required.
+/// `SigningRequired` is deliberately NOT remapped: it's a protocol capability mismatch,
+/// not a credential problem. Everything else falls through to [`classify_error`].
+// Consumed by the macOS arm of `smb_client` today (Linux's authenticated fallback goes
+// through smbclient); the classifier itself is platform-agnostic.
+#[cfg_attr(not(target_os = "macos"), allow(dead_code))]
+pub fn classify_authenticated_error(err: &smb2::Error) -> ShareListError {
+    match err.kind() {
+        ErrorKind::AuthRequired | ErrorKind::AccessDenied => ShareListError::AuthFailed {
+            message: "Invalid username or password".to_string(),
+        },
+        _ => classify_error(err),
+    }
+}
+
 /// Converts smb2 share info to Cmdr's ShareInfo type.
 /// smb2's `list_shares()` already filters to disk shares and strips `$` shares.
 pub fn convert_shares(shares: Vec<smb2::ShareInfo>) -> Vec<ShareInfo> {
@@ -57,6 +76,27 @@ mod tests {
         assert!(!is_auth_error(&smb2::Error::Disconnected));
     }
 
+    /// When the caller supplied explicit credentials, an auth-class rejection means the
+    /// credentials are WRONG, not that authentication is required. Without the
+    /// context-aware classifier, a wrong password surfaced as "Authentication required.
+    /// Please enter your credentials." in the login form (observed in QA against the
+    /// Naspolya NAS) instead of "Invalid username or password."
+    #[test]
+    fn test_classify_authenticated_error_maps_rejection_to_auth_failed() {
+        match classify_authenticated_error(&smb2::Error::Auth {
+            message: "STATUS_LOGON_FAILURE during SessionSetup".to_string(),
+        }) {
+            ShareListError::AuthFailed { .. } => {}
+            e => panic!("Expected AuthFailed for a rejected authenticated session, got {:?}", e),
+        }
+
+        // Non-auth errors keep their regular classification.
+        match classify_authenticated_error(&smb2::Error::Timeout) {
+            ShareListError::Timeout { .. } => {}
+            e => panic!("Expected Timeout, got {:?}", e),
+        }
+    }
+
     #[test]
     fn test_classify_error_timeout() {
         match classify_error(&smb2::Error::Timeout) {