Eject: block ejecting a volume mid-transfer

- Each copy/move/delete records the volume IDs it touches (source and destination); the backend derives a "busy volumes" set as their union (minus `root`) and pushes membership changes via a `volumes-busy-changed` event. Panic-safe: the existing `OperationStateGuard` clears the mark on unwind.
- `eject_volume` refuses a busy volume (the real safety net, since the picker disable is only UX), so a disconnect can't truncate an in-flight file. `get_busy_volume_ids` bootstraps the frontend set.
- The picker's header/row eject buttons and right-click item disable with a "Can't eject while operations are in progress on this device" tooltip; the native breadcrumb menu renders the item disabled with a ` (busy)` suffix.
- New `volume-busy-store.svelte.ts` (subscribe + bootstrap). Covers MTP/SMB/USB/DMG: a local→USB copy goes through the both-local branch, which now also marks the ejectable destination busy.
- Tests: 4 Rust (membership, root-exclusion, overlap-until-last-op, panic-unwind) + 4 frontend store.

Author: vdavid

apps/desktop/src-tauri/src/commands/CLAUDE.md

@@ -14,7 +14,7 @@ immediately to business-logic modules. No significant logic lives here.
 | `volumes_linux.rs` | Volume management (Linux) | Same interface as `volumes.rs`, delegates to `volumes_linux` module |
 | `mtp.rs` | MTP devices | Full MTP command surface (connect, disconnect, list, download, upload, delete, rename, move, scan) |
 | `network.rs` | SMB/network shares | Discovery, share listing, keychain, mounting, direct-connection upgrade, in-place reconnect (`reconnect_smb_volume`: backend single-flighted via `Volume::attempt_reconnect`), per-volume disconnect (`disconnect_smb_volume`: macOS shells out to `diskutil unmount`, Linux drops the smb2 session). Lazy-startup hooks: `ensure_network_discovery_started` (idempotent: kicks off mDNS + manual-server load + smb-mount upgrade on first user network action) and `set_network_enabled` (live-applies the `network.enabled` toggle: stops mDNS and clears discovered hosts when off). Upgrade business logic (address resolution, credential lookup, smb2 connection) lives in `network::smb_upgrade`; commands here are thin wrappers. |
-| `eject.rs` | Volume eject | `eject_volume(volume_id)`: dispatches by kind. MTP → `mtp::connection_manager().disconnect`; SMB → `diskutil unmount` (FSEvents handles smb2 teardown via `on_unmount`); physical/DMG → `diskutil eject`. Pure `decide_eject_action` (unit-tested) keeps the dispatch logic separate from the impure shell-out. |
+| `eject.rs` | Volume eject | `eject_volume(volume_id)`: dispatches by kind. MTP → `mtp::connection_manager().disconnect`; SMB → `diskutil unmount` (FSEvents handles smb2 teardown via `on_unmount`); physical/DMG → `diskutil eject`. Pure `decide_eject_action` (unit-tested) keeps the dispatch logic separate from the impure shell-out. Guards against ejecting a volume with an in-flight write op (`busy_volume_ids().contains(...)` → error) so a transfer can't be truncated. `get_busy_volume_ids()`: bootstrap for the picker's busy set (see `write_operations/CLAUDE.md` § "Busy-volumes set"). |
 | `font_metrics.rs` | Font metrics cache | `store_font_metrics`, `has_font_metrics` |
 | `icons.rs` | File icons | `get_icons`, `get_custom_folder_icon_ids` (visible-range custom-folder detection), `refresh_directory_icons`, cache clear |
 | `rename.rs` | Rename / trash | `move_to_trash` (delegates to `write_operations::trash::move_to_trash_sync`), `check_rename_permission`, `check_rename_validity`, `rename_file`. `rename_file` calls `notify_mutation` after success to update the listing cache (both local and volume-aware paths). |

apps/desktop/src-tauri/src/commands/eject.rs

@@ -109,6 +109,17 @@ pub fn decide_eject_action(ctx: &EjectContext) -> Result<EjectAction, EjectDecis
 pub async fn eject_volume(volume_id: String) -> Result<(), IpcError> {
     use crate::file_system::get_volume_manager;
 
+    // Safety gate: never tear down a volume while a write op is reading from or
+    // writing to it. The picker disables Eject for busy volumes, so reaching
+    // here means a race (or an MCP / automation caller); refuse rather than
+    // disconnect mid-transfer and risk a truncated file. See the volume picker's
+    // `volumes-busy-changed` wiring.
+    if crate::file_system::busy_volume_ids().contains(&volume_id) {
+        return Err(IpcError::from_err(
+            "operations are in progress on this device. Eject again once they finish",
+        ));
+    }
+
     // MTP volumes use ID format `{device_id}:{storage_id}` and aren't
     // registered in VolumeManager; check the live MTP device list first.
     let is_mtp = is_mtp_volume_id(&volume_id).await;
@@ -148,6 +159,16 @@ pub async fn eject_volume(volume_id: String) -> Result<(), IpcError> {
     }
 }
 
+/// Returns the IDs of volumes that currently have a write op (copy / move /
+/// delete) reading from or writing to them. The volume picker bootstraps its
+/// busy set from this once on startup, then keeps it live via the
+/// `volumes-busy-changed` event. Used to disable Eject for a busy device.
+#[tauri::command]
+#[specta::specta]
+pub fn get_busy_volume_ids() -> Vec<String> {
+    crate::file_system::busy_volume_ids()
+}
+
 /// MTP volume IDs are shaped `{device_id}:{storage_id}` (see
 /// `commands/volumes.rs::append_mtp_volumes`). Confirm against the live device
 /// list so we don't false-positive on any future ID containing a colon.

apps/desktop/src-tauri/src/commands/file_system/volume_copy.rs

@@ -39,7 +39,17 @@ pub async fn copy_between_volumes(
     let dest_path = PathBuf::from(dest_path);
     let config = config.unwrap_or_default();
 
-    ops_copy_between_volumes(app, source_volume, source_paths, dest_volume, dest_path, config).await
+    ops_copy_between_volumes(
+        app,
+        source_volume_id,
+        source_volume,
+        source_paths,
+        dest_volume_id,
+        dest_volume,
+        dest_path,
+        config,
+    )
+    .await
 }
 
 /// Unified move across volume types. Same events as `copy_between_volumes`.
@@ -73,7 +83,17 @@ pub async fn move_between_volumes(
     let dest_path = PathBuf::from(dest_path);
     let config = config.unwrap_or_default();
 
-    ops_move_between_volumes(app, source_volume, source_paths, dest_volume, dest_path, config).await
+    ops_move_between_volumes(
+        app,
+        source_volume_id,
+        source_volume,
+        source_paths,
+        dest_volume_id,
+        dest_volume,
+        dest_path,
+        config,
+    )
+    .await
 }
 
 /// Pre-flight scan: total count/bytes, available space, conflicts. Doesn't copy anything.

apps/desktop/src-tauri/src/commands/file_system/write_ops.rs

@@ -186,7 +186,10 @@ pub async fn copy_files(
     let destination = PathBuf::from(expand_tilde(&destination));
     let config = config.unwrap_or_default();
 
-    ops_copy_files_start(app, sources, destination, config).await
+    // The unified transfer dialog routes every cross-device copy through
+    // `copy_between_volumes`; this plain command is the same-`root` local path,
+    // so no ejectable volume is involved (empty busy set).
+    ops_copy_files_start(app, sources, destination, config, vec![]).await
 }
 
 /// Uses rename() for same-filesystem (instant), copy+delete for cross-filesystem.
@@ -203,7 +206,9 @@ pub async fn move_files(
     let destination = PathBuf::from(expand_tilde(&destination));
     let config = config.unwrap_or_default();
 
-    ops_move_files_start(app, sources, destination, config).await
+    // Same-`root` local move (the FE uses `move_between_volumes` whenever the
+    // source and destination volumes differ), so no ejectable volume here.
+    ops_move_files_start(app, sources, destination, config, vec![]).await
 }
 
 /// Recursively deletes files and directories. Same events as `copy_files`.

apps/desktop/src-tauri/src/commands/ui.rs

@@ -127,8 +127,13 @@ pub fn show_breadcrumb_context_menu<R: Runtime>(
 ) -> Result<(), String> {
     let app = window.app_handle();
     let accelerator = frontend_shortcut_to_accelerator(&shortcut).unwrap_or_default();
-    let menu =
-        build_breadcrumb_context_menu(app, &accelerator, eject_volume_name.as_deref()).map_err(|e| e.to_string())?;
+    // Disable the eject item while a write op touches this volume (the picker's
+    // inline eject button is disabled the same way).
+    let eject_busy = eject_volume_id
+        .as_ref()
+        .is_some_and(|id| crate::file_system::busy_volume_ids().contains(id));
+    let menu = build_breadcrumb_context_menu(app, &accelerator, eject_volume_name.as_deref(), eject_busy)
+        .map_err(|e| e.to_string())?;
 
     // Stash eject target so on_menu_event can read it back when the user clicks
     // the "Eject (name)" item. If only one of the two args is present, treat as no

apps/desktop/src-tauri/src/file_system/mod.rs

@@ -63,8 +63,8 @@ pub(crate) use watcher::compute_diff;
 // Re-export write operation types
 pub use write_operations::{
     OperationStatus, OperationSummary, WriteOperationConfig, WriteOperationError, WriteOperationStartResult,
-    cancel_all_write_operations, cancel_write_operation, copy_files_start, delete_files_start, get_operation_status,
-    list_active_operations, move_files_start, trash_files_start,
+    busy_volume_ids, cancel_all_write_operations, cancel_write_operation, copy_files_start, delete_files_start,
+    get_operation_status, init_busy_volume_emitter, list_active_operations, move_files_start, trash_files_start,
 };
 // Re-export volume copy types and functions
 pub use write_operations::{

apps/desktop/src-tauri/src/file_system/write_operations/CLAUDE.md

@@ -153,13 +153,23 @@ See also: [`apps/desktop/src-tauri/src/downloads/CLAUDE.md`](../../downloads/CLA
 | `write-cancelled` | Operation cancelled (includes `rolled_back` flag) |
 | `write-error` | Operation failed. Carries `error: WriteOperationError` (typed) plus `friendly: FriendlyError` (rendered title/explanation/suggestion + category) populated by `WriteErrorEvent::new` via `friendly_from_write_error`. The FE renders the `friendly` payload directly in `TransferErrorDialog` and applies category-based colors. |
 | `write-settled` | Emitted once per op after the spawned background task fully returns. See [Settle contract](#settle-contract). |
+| `volumes-busy-changed` | The set of volume IDs with an in-flight op changed (an op started or finished). Payload is `string[]`. See [Busy-volumes set](#busy-volumes-set). |
 | `write-source-item-done` | All files for a top-level source item processed (for gradual deselection) |
 | `dry-run-complete` | `config.dry_run == true` (returns `DryRunResult`) |
 | `scan-preview-progress` | During `start_scan_preview` |
 | `scan-preview-complete` | Preview scan finished |
 | `scan-preview-error` | Preview scan failed |
 | `scan-preview-cancelled` | Preview scan cancelled |
 
+## Busy-volumes set
+
+Drives "disable Eject while an op reads from / writes to this device" so a disconnect can't truncate an in-flight file. Lives in `state.rs`.
+
+- Each op records the volume IDs it touches via `register_operation_status(op_id, type, volume_ids)`. Source **and** destination go in (a download from a phone is as corruptible as an upload to it). `OperationStateGuard`'s `Drop` clears them on unregister, so a panicking op can't leave a volume stuck busy.
+- The busy set is the union of every active op's `volume_ids`, minus `root` (never ejectable). `recompute_and_emit_busy_volumes` fires `volumes-busy-changed` only when membership changes — progress ticks don't churn it. Membership-by-union means two concurrent transfers to one device keep it busy until both finish, with no manual refcount.
+- **Where `volume_ids` come from**: the cross-volume transfer entry points (`copy_between_volumes`, `move_between_volumes`, `move_within_same_volume`) and the volume-aware `delete_files_start` carry the IDs; `copy_files_start` / `move_files_start` take a `volume_ids` param so the both-local branch of `copy_between_volumes` (which is how a local→USB / DMG copy lands) still marks the ejectable destination. The plain `copy_files` / `move_files` / `trash` commands pass `vec![]` — the unified transfer dialog only routes through them for same-`root` ops, where no ejectable volume is involved.
+- **Consumers**: `busy_volume_ids()` backs the `get_busy_volume_ids` bootstrap command, the `eject_volume` server-side guard (refuses a busy volume — the real safety net, since the picker's disable is only UX), and the native breadcrumb-menu builder (renders the Eject item disabled with a ` (busy)` suffix). The frontend `volume-busy-store.svelte.ts` subscribes to `volumes-busy-changed` and exposes `isVolumeBusy(id)` to disable the picker's eject controls. `init_busy_volume_emitter(app)` wires the emitter at startup (`lib.rs`).
+
 ## Settle contract
 
 `write-settled` fires exactly once per operation, after the spawned background task has fully torn down — including in-flight USB / network teardown that may briefly outlive the `write-cancelled` emit. The FE uses it to gate the "Cancelling…" dialog close so the user can't dispatch a new op against a still-tearing-down volume (the wedge mode that cancel propagation already shortens but doesn't eliminate).

apps/desktop/src-tauri/src/file_system/write_operations/mod.rs

@@ -58,8 +58,8 @@ use trash::trash_files_with_progress;
 // Re-export public types
 pub use scan_preview::{cancel_scan_preview, get_scan_preview_totals, start_scan_preview};
 pub use state::{
-    cancel_all_write_operations, cancel_write_operation, get_operation_status, list_active_operations,
-    resolve_write_conflict,
+    busy_volume_ids, cancel_all_write_operations, cancel_write_operation, get_operation_status,
+    init_busy_volume_emitter, list_active_operations, resolve_write_conflict,
 };
 #[allow(unused_imports, reason = "Public API re-exports for consumers of this module")]
 pub use types::{
@@ -109,6 +109,7 @@ async fn start_write_operation<F>(
     app: tauri::AppHandle,
     operation_type: WriteOperationType,
     progress_interval_ms: u64,
+    volume_ids: Vec<String>,
     handler: F,
 ) -> Result<WriteOperationStartResult, WriteOperationError>
 where
@@ -120,7 +121,7 @@ where
     if let Ok(mut cache) = WRITE_OPERATION_STATE.write() {
         cache.insert(operation_id.clone(), Arc::clone(&state));
     }
-    register_operation_status(&operation_id, operation_type);
+    register_operation_status(&operation_id, operation_type, volume_ids);
 
     let operation_id_for_spawn = operation_id.clone();
 
@@ -185,11 +186,16 @@ where
 }
 
 /// Starts a copy operation in the background.
+///
+/// `volume_ids` lists the volumes this copy touches (source + destination), so
+/// an ejectable USB / DMG / SMB volume is marked busy while the copy runs. Pass
+/// an empty `Vec` for a same-`root` local copy (root is never ejectable).
 pub async fn copy_files_start(
     app: tauri::AppHandle,
     sources: Vec<PathBuf>,
     destination: PathBuf,
     config: WriteOperationConfig,
+    volume_ids: Vec<String>,
 ) -> Result<WriteOperationStartResult, WriteOperationError> {
     log::info!(
         "copy_files_start: sources={:?}, destination={:?}, dry_run={}",
@@ -202,6 +208,7 @@ pub async fn copy_files_start(
         app,
         WriteOperationType::Copy,
         config.progress_interval_ms,
+        volume_ids,
         move |app, op_id, state| {
             validate_sources(&sources)?;
             validate_destination(&destination)?;
@@ -224,6 +231,7 @@ pub async fn move_files_start(
     sources: Vec<PathBuf>,
     destination: PathBuf,
     config: WriteOperationConfig,
+    volume_ids: Vec<String>,
 ) -> Result<WriteOperationStartResult, WriteOperationError> {
     log::info!(
         "move_files_start: sources={:?}, destination={:?}, dry_run={}",
@@ -236,6 +244,7 @@ pub async fn move_files_start(
         app,
         WriteOperationType::Move,
         config.progress_interval_ms,
+        volume_ids,
         move |app, op_id, state| {
             validate_sources(&sources)?;
             validate_destination(&destination)?;
@@ -278,7 +287,7 @@ pub async fn delete_files_start(
         if let Ok(mut cache) = WRITE_OPERATION_STATE.write() {
             cache.insert(operation_id.clone(), Arc::clone(&state));
         }
-        register_operation_status(&operation_id, WriteOperationType::Delete);
+        register_operation_status(&operation_id, WriteOperationType::Delete, vec![volume_id_str.clone()]);
 
         let operation_id_for_spawn = operation_id.clone();
         tokio::spawn(async move {
@@ -351,10 +360,12 @@ pub async fn delete_files_start(
             operation_type: WriteOperationType::Delete,
         })
     } else {
+        // Local same-`root` delete: no ejectable volume involved.
         start_write_operation(
             app,
             WriteOperationType::Delete,
             config.progress_interval_ms,
+            vec![],
             move |app, op_id, state| {
                 validate_sources(&sources)?;
                 delete_files_with_progress(&app, &op_id, &state, &sources, &config)
@@ -377,10 +388,12 @@ pub async fn trash_files_start(
 ) -> Result<WriteOperationStartResult, WriteOperationError> {
     log::info!("trash_files_start: sources={:?}", sources);
 
+    // Trash always targets the local macOS Trash; no ejectable volume involved.
     start_write_operation(
         app,
         WriteOperationType::Trash,
         config.progress_interval_ms,
+        vec![],
         move |app, op_id, state| {
             validate_sources(&sources)?;
             let events: Arc<dyn types::OperationEventSink> = Arc::new(types::TauriEventSink::new(app));