vdavid
diff --git a/‎apps/desktop/src-tauri/src/commands/CLAUDE.md‎
Lines changed: 1 addition & 0 deletions b/‎apps/desktop/src-tauri/src/commands/CLAUDE.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/desktop/src-tauri/src/commands/favorites.rs‎
Lines changed: 69 additions & 0 deletions b/‎apps/desktop/src-tauri/src/commands/favorites.rs‎
Lines changed: 69 additions & 0 deletions
diff --git a/‎apps/desktop/src-tauri/src/commands/mod.rs‎
Lines changed: 1 addition & 0 deletions b/‎apps/desktop/src-tauri/src/commands/mod.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/desktop/src-tauri/src/favorites/CLAUDE.md‎
Lines changed: 40 additions & 0 deletions b/‎apps/desktop/src-tauri/src/favorites/CLAUDE.md‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎apps/desktop/src-tauri/src/favorites/DETAILS.md‎
Lines changed: 123 additions & 0 deletions b/‎apps/desktop/src-tauri/src/favorites/DETAILS.md‎
Lines changed: 123 additions & 0 deletions
diff --git a/‎apps/desktop/src-tauri/src/favorites/mod.rs‎
Lines changed: 12 additions & 0 deletions b/‎apps/desktop/src-tauri/src/favorites/mod.rs‎
Lines changed: 12 additions & 0 deletions
@@ -15,6 +15,7 @@ immediately to business-logic modules. No significant logic lives here.
 | `mtp.rs` | MTP devices | Full MTP command surface (connect, disconnect, list, download, upload, delete, rename, move, scan) |
 | `network.rs` | SMB/network shares | Discovery, share listing, keychain, mounting, direct-connection upgrade, in-place reconnect (`reconnect_smb_volume`: backend single-flighted via `Volume::attempt_reconnect`; `reconnect_smb_volume_with_credentials`: the "Sign in" path after an auth-failure reconnect give-up, via `Volume::reconnect_with_credentials`), per-volume disconnect (`disconnect_smb_volume`: macOS shells out to `diskutil unmount`, Linux drops the smb2 session). Borrow Finder's saved password (macOS): `system_has_saved_smb_password` (prompt-free probe — does the login keychain hold a password Finder saved for this server?, drives the "Use saved password" offer) and `upgrade_to_smb_volume_using_saved_password` (consent-gated read via `secrets::system_keychain_smb` → direct smb2 → copies the password into Cmdr's own store so future reconnects are silent → `CredentialsNeeded` fallback if absent/denied). User-initiated only. Lazy-startup hooks: `ensure_network_discovery_started` (idempotent: kicks off mDNS + manual-server load + smb-mount upgrade on first user network action) and `set_network_enabled` (live-applies the `network.enabled` toggle: stops mDNS and clears discovered hosts when off). Upgrade business logic (address resolution, credential lookup, smb2 connection) lives in `network::smb_upgrade`; commands here are thin wrappers. |
 | `eject.rs` | Volume eject | `eject_volume(volume_id)`: dispatches by kind. MTP → `mtp::connection_manager().disconnect`; SMB → `diskutil unmount` (FSEvents handles smb2 teardown via `on_unmount`); physical/DMG → `diskutil eject`. Pure `decide_eject_action` (unit-tested) keeps the dispatch logic separate from the impure shell-out. Guards against ejecting a volume with an in-flight write op (`busy_volume_ids().contains(...)` → error) so a transfer can't be truncated. `get_busy_volume_ids()`: bootstrap for the picker's busy set (see `write_operations/DETAILS.md` § "Busy-volumes set"). |
+| `favorites.rs` | User-editable favorites | `add_favorite`, `remove_favorite`, `rename_favorite`, `reorder_favorites`. Thin pass-throughs over `crate::favorites::store`; each persists `favorites.json` (5s write timeout) then re-emits `volumes-changed`. No `list_favorites` (listing rides `list_volumes` / `volumes-changed`). See `favorites/CLAUDE.md`. |
 | `font_metrics.rs` | Font metrics cache | `store_font_metrics`, `has_font_metrics` |
 | `icons.rs` | File icons | `get_icons`, `get_custom_folder_icon_ids` (visible-range custom-folder detection), `refresh_directory_icons`, cache clear |
 | `rename.rs` | Rename / trash | `move_to_trash` (delegates to `write_operations::trash::move_to_trash_sync`), `check_rename_permission`, `check_rename_validity`, `rename_file`. `rename_file` calls `notify_mutation` after success to update the listing cache (both local and volume-aware paths). |
 
@@ -0,0 +1,69 @@
+//! IPC commands for user-editable favorites.
+//!
+//! Thin pass-throughs over the `favorites::store` module. Each mutation persists `favorites.json`
+//! (a filesystem write, so it runs on the blocking pool with a timeout) and then re-emits
+//! `volumes-changed` so both panes' switchers refresh live (subscribe-don't-poll). Listing rides
+//! the existing `list_volumes` / `volumes-changed` path, so there's no `list_favorites` command.
+
+use tokio::time::Duration;
+
+use crate::commands::util::{IpcError, blocking_result_with_timeout};
+use crate::favorites::store;
+
+/// 5s matches the write timeout other persisting commands use. The store write is local-only, but a
+/// hung data-dir mount must never freeze the IPC thread.
+const PERSIST_TIMEOUT: Duration = Duration::from_secs(5);
+
+/// Adds a favorite for `path`, deduping by normalized path. When `name` is omitted, the label
+/// defaults to the path's file name.
+#[tauri::command]
+#[specta::specta]
+pub async fn add_favorite(path: String, name: Option<String>) -> Result<(), IpcError> {
+    blocking_result_with_timeout(PERSIST_TIMEOUT, move || {
+        store::add(&path, name);
+        Ok(())
+    })
+    .await?;
+    crate::volume_broadcast::emit_volumes_changed();
+    Ok(())
+}
+
+/// Removes a favorite by id. No-op when the id isn't present.
+#[tauri::command]
+#[specta::specta]
+pub async fn remove_favorite(id: String) -> Result<(), IpcError> {
+    blocking_result_with_timeout(PERSIST_TIMEOUT, move || {
+        store::remove(&id);
+        Ok(())
+    })
+    .await?;
+    crate::volume_broadcast::emit_volumes_changed();
+    Ok(())
+}
+
+/// Renames a favorite by id. No-op when the id isn't present.
+#[tauri::command]
+#[specta::specta]
+pub async fn rename_favorite(id: String, name: String) -> Result<(), IpcError> {
+    blocking_result_with_timeout(PERSIST_TIMEOUT, move || {
+        store::rename(&id, &name);
+        Ok(())
+    })
+    .await?;
+    crate::volume_broadcast::emit_volumes_changed();
+    Ok(())
+}
+
+/// Reorders the favorites to match `ordered_ids`. Unknown ids are ignored; favorites missing from
+/// the list are appended in their current order, so a stale order never drops an entry.
+#[tauri::command]
+#[specta::specta]
+pub async fn reorder_favorites(ordered_ids: Vec<String>) -> Result<(), IpcError> {
+    blocking_result_with_timeout(PERSIST_TIMEOUT, move || {
+        store::reorder(&ordered_ids);
+        Ok(())
+    })
+    .await?;
+    crate::volume_broadcast::emit_volumes_changed();
+    Ok(())
+}
@@ -9,6 +9,7 @@ pub mod e2e;
 #[cfg(any(target_os = "macos", target_os = "linux"))]
 pub mod eject;
 pub mod error_reporter;
+pub mod favorites;
 pub mod feedback;
 pub mod file_system;
 pub mod file_viewer;
 
@@ -0,0 +1,40 @@
+# Favorites (backend)
+
+User-editable favorites: the ordered `favorites.json` store that backs the volume switcher's
+"Favorites" section. The store is the single source of truth and replaces the previously hardcoded
+four favorites. Full depth in [`DETAILS.md`](DETAILS.md).
+
+## Module map
+
+- `store.rs`: the `favorites.json` store. Pure core (`add`/`remove`/`rename`/`reorder` on a `Vec`,
+  unit-tested) plus disk I/O, the in-memory cache, and seed-once. Public API: `list`, `add`,
+  `remove`, `rename`, `reorder`, and the `Favorite { id, path, name }` type.
+- IPC lives in `commands/favorites.rs` (not here): thin `add_favorite` / `remove_favorite` /
+  `rename_favorite` / `reorder_favorites` pass-throughs. There's no `list_favorites`; listing rides
+  `list_volumes` / `volumes-changed`.
+
+## Must-knows
+
+- **Seed-once via file presence.** File ABSENT means first launch: seed the platform defaults and
+  write them. File PRESENT (even an empty list) means already-initialized: read verbatim, NEVER
+  re-seed. `read_store_from_path` returns `Option` for exactly this: `None` = absent (seed), `Some`
+  = present (don't). A corrupt/version-mismatched file quarantines to `.broken` and reads as
+  `Some(empty)`, NOT `None`, so a stray hand-edit can't silently re-seed over a user who'd cleared
+  their list. Don't "simplify" the `Option` to a plain `Vec`: it would erase the absent-vs-empty
+  distinction the whole contract rests on.
+- **`id` is a random UUID minted on add, never derived from `path`.** Paths repeat across renames
+  and re-adds, so the id must outlive the path. The switcher's `LocationInfo.id` is `format!("fav-{id}")`.
+- **Data dir is resolved WITHOUT an `AppHandle`** (mirrors `install_id.rs`: `CMDR_DATA_DIR` else the
+  OS default for `BUNDLE_ID`). Load-bearing: `get_favorites()` (the read path, in `volumes/mod.rs`
+  and `volumes_linux/mod.rs`) is sync and `AppHandle`-free, so `store::list()` must stay no-arg. Keep
+  `BUNDLE_ID` in sync with `tauri.conf.json`.
+- **FDA-pending skip on the read side.** `volumes::get_favorites` must NOT stat a TCC-protected path
+  while the FDA gate is pending (even `Path::exists()` trips a TCC popup). It skips the existence
+  check for paths where `restricted_paths::tcc_paths::is_potentially_tcc_restricted(path)` is true.
+  This now applies to ANY user-added path, not just the old hardcoded three. Linux has no TCC, so its
+  twin existence-checks everything.
+- **Mutations re-emit `volumes-changed`.** Every command calls `volume_broadcast::emit_volumes_changed()`
+  after persisting, so both panes' switchers update live. Don't add a polling path.
+- **Lock-poison + log compliance.** Uses `IgnorePoison::lock_ignore_poison()` (not `.lock().unwrap()`)
+  and `log::{info,warn}!` with `target: "favorites::store"` (no `println!`). The disk lock is never
+  held across an `.await`.
@@ -0,0 +1,123 @@
+# Favorites (backend) details
+
+User-editable favorites. The volume switcher's "Favorites" section is fully user-owned: add, remove,
+rename, reorder. This module owns the ordered `favorites.json` store; the IPC layer
+(`commands/favorites.rs`) is a thin pass-through. Read [`CLAUDE.md`](CLAUDE.md) first for the
+must-knows.
+
+## What it replaces
+
+Favorites used to be a hardcoded `Vec<LocationInfo>` of four folders, computed fresh on every
+`get_favorites()` call with no write path. Now `get_favorites()` (both the macOS `volumes/mod.rs` and
+the Linux `volumes_linux/mod.rs` twins) reads `favorites::store::list()` and maps each entry to a
+`LocationInfo` with `category: Favorite`. The frontend already tells favorites apart from volumes via
+`category`, so no extra "user-removable" flag is needed: every favorite is now a user favorite.
+
+## On-disk shape
+
+`favorites.json` in the app data dir:
+
+```json
+{
+  "_schemaVersion": 1,
+  "favorites": [
+    { "id": "9f1c…", "path": "/Applications", "name": "Applications" },
+    { "id": "a83e…", "path": "/Users/me/Desktop", "name": "Desktop" }
+  ]
+}
+```
+
+- `id`: a random UUID minted on add, never derived from `path`. The switcher exposes it as
+  `LocationInfo.id = "fav-<id>"`.
+- `path`: the absolute filesystem path.
+- `name`: the display label. Defaults to the path's file name on add; the user can override via
+  rename.
+
+Order in the array is the display order.
+
+## Seed-once contract
+
+`favorites.json` existing means "already initialized." Four states:
+
+- **File absent** (`read_store_from_path` returns `None`): first launch. Seed the platform defaults
+  and write them. This is the only path that ever writes defaults.
+- **File present, non-empty**: read verbatim.
+- **File present, empty list**: the user cleared every favorite. Read verbatim (stays empty). Never
+  re-seed.
+- **File present, corrupt or wrong `_schemaVersion`**: quarantine to `<name>.broken`, then read as
+  `Some(empty)` (NOT `None`). A broken file is "initialized but unreadable," so we must not re-seed
+  the defaults over a user who had intentionally cleared their list.
+
+Existing beta users (data dir present, no `favorites.json` yet) hit the absent branch on the first
+launch after the update and get the platform defaults seeded, so there's no regression from the old
+hardcoded behavior.
+
+Platform defaults (`default_favorites`, platform-native per `design-principles.md`):
+
+- macOS: `/Applications`, `~/Desktop`, `~/Documents`, `~/Downloads` (the previous hardcoded four).
+- Linux: Home, `~/Desktop`, `~/Documents`, `~/Downloads` (matching the old `volumes_linux`
+  favorites).
+
+## Operations (pure core)
+
+All in `store.rs`, unit-tested without disk or an `AppHandle`:
+
+- `add(path, name?)`: dedups by normalized path. A re-add moves the existing entry to the end and
+  keeps its id (applying a `name` override if given). A fresh add appends with a UUID id and a label
+  defaulting to the path's file name. Move-to-end (not move-to-top) because favorites are a curated,
+  ordered list, not a recency stack: a re-add shouldn't reshuffle the user's deliberate ordering more
+  than necessary.
+- `remove(id)`: drops by id. No-op if absent.
+- `rename(id, name)`: updates the label by id. No-op if absent.
+- `reorder(ordered_ids)`: reorders to match the given id list. Unknown ids are ignored; favorites
+  whose ids are missing from the list are appended in their current relative order, so a partial or
+  stale order from the frontend never drops an entry.
+
+`normalize_for_dedup` strips a single trailing `/` (but keeps root `/`). Case-sensitivity is a known
+limitation, same as `go_to_path/history.rs`: on case-insensitive APFS `/Users/x/Foo` and
+`/Users/x/foo` compare unequal (worst case: a duplicate-looking row). We don't `canonicalize()` (it
+would resolve symlinks and require the path to exist).
+
+## Persistence and concurrency
+
+- In-memory cache: `OnceLock<Mutex<Option<FavoritesStore>>>`. `None` until first access loads (and
+  lazily seeds) from disk.
+- `DISK_LOCK` (a separate `Mutex<()>`) serializes the read-modify-write cycle so concurrent commands
+  can't clobber each other. `load_or_seed` re-checks the cache under the disk lock so two concurrent
+  first-access callers can't both seed.
+- Atomic writes via `config::durable_write_json` (write-tmp + fsync + rename + parent-dir fsync),
+  the same data-loss-class discipline the rest of the app uses.
+- The disk lock is never held across an `.await`; the in-memory guard is always dropped before any
+  `fs` call. (The commands themselves run the store calls inside `spawn_blocking`, so even the
+  synchronous store API never blocks the IPC thread.)
+
+## IPC contract (`commands/favorites.rs`)
+
+Thin async pass-throughs, each `blocking_result_with_timeout` (5s, the write tier) since the store
+write touches the filesystem. After persisting, each re-emits `volumes-changed` via
+`volume_broadcast::emit_volumes_changed()` so both panes' switchers refresh live
+(subscribe-don't-poll). Listing rides the existing `list_volumes` / `volumes-changed` path, so
+there's no `list_favorites` command.
+
+- `add_favorite(path: String, name: Option<String>) -> Result<(), IpcError>`
+- `remove_favorite(id: String) -> Result<(), IpcError>`
+- `rename_favorite(id: String, name: String) -> Result<(), IpcError>`
+- `reorder_favorites(ordered_ids: Vec<String>) -> Result<(), IpcError>`
+
+Registered in both `ipc.rs` (runtime `generate_handler`) and `ipc_collectors.rs` (specta types).
+
+## FDA-pending skip (macOS)
+
+`volumes::get_favorites` must not stat a TCC-protected path while the FDA gate is pending: even
+`Path::exists()` trips a macOS TCC popup for the protected-folder service once the bundle is
+registered with tccd, which is exactly the onboarding-flood the FDA modal exists to prevent. The read
+maps each favorite, skipping the existence check when the FDA gate is pending AND
+`restricted_paths::tcc_paths::is_potentially_tcc_restricted(path)` is true (and assuming such a
+protected favorite exists). Non-protected paths are still checked (for example `/Applications` can be
+absent on slim systems). This now applies to ANY user-added path, not just the old hardcoded three.
+Linux has no TCC, so its twin existence-checks everything and there's no gate.
+
+## Local-filesystem paths only (v1)
+
+Favorites are local filesystem paths for now. Network and MTP favorites are deferred (mount-state
+complexity). The store doesn't enforce this; the add surfaces in the frontend gate it.
@@ -0,0 +1,12 @@
+//! User-editable favorites.
+//!
+//! Owns the ordered `favorites.json` store that backs the volume switcher's "Favorites" section.
+//! The store is the single source of truth; it replaces the previously hardcoded four favorites.
+//! `volumes::get_favorites` (macOS) and `volumes_linux::get_favorites` (Linux) read this store and
+//! map each entry to a `LocationInfo` with `category: Favorite`. Mutations go through the IPC
+//! commands in `commands/favorites.rs`, which re-emit `volumes-changed` so both panes' switchers
+//! update live.
+//!
+//! See `favorites/CLAUDE.md` for the seed-once contract and the FDA-pending skip.
+
+pub mod store;